NSX Cloud manages the public cloud security group of all workload VMs in this VPC/VNet when Quarantine Policy is enabled.

Any manual changes to the security groups are reverted to the NSX Cloud-assigned security group within two minutes. If you do not want NSX Cloud to assign security groups to your VMs, add them to the User Managed list in CSM. See User Managed List for VMs.
Note: Removing the VM from the User Managed list causes the VM to revert to the NSX Cloud-assigned security group.

Table 1. NSX Cloud assignment of public cloud security groups when Quarantine Policy is enabled

| Is the VM tagged with nsx.network=default in the public cloud? | Is the VM in the User Managed list? | VM's public cloud security group when Quarantine Policy is enabled, and explanation |
|---|---|---|
| Tagged | Not added to the User Managed list | If the VM has no threats: vm-underlay-sg. If the VM has potential threats (see note): default-vnet-<vnet-ID>-sg in Microsoft Azure; default in AWS. |
| Not Tagged | Not added to the User Managed list | default-vnet-<vnet-ID>-sg in Microsoft Azure; default in AWS. Untagged VMs are considered unmanaged and are therefore quarantined by NSX Cloud. |
| Tagged | Yes, VM is in the User Managed list | Retains its existing public cloud security group because NSX Cloud does not take action on VMs in the User Managed list. |
| Not Tagged | Yes, VM is in the User Managed list | Retains its existing public cloud security group because NSX Cloud does not take action on VMs in the User Managed list. |

Note: The assignment of public cloud security groups is triggered within 90 seconds of applying the nsx.network=default tag to your workload VMs. You still need to install NSX Tools for the VMs to be NSX-managed. Until NSX Tools are installed, your tagged workload VMs are quarantined.

The following table captures the impact on security group assignments if the Quarantine Policy was disabled at first and then you enable it:
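The Table 1 rules above, expressed as an added audit script (not NSX Cloud or CSM code) that computes the security group NSX Cloud will assign to each VM and flags the VMs whose current group will be reverted within two minutes. The inventory, VM names and vnet ID are constructed for the example; in practice the "actual" group would come from the cloud provider's API.

```python
"""Added example: which VMs will NSX Cloud re-assign under Quarantine Policy?"""
from dataclasses import dataclass


@dataclass
class WorkloadVM:
    name: str
    cloud: str             # "azure" or "aws"
    vnet_id: str           # VNet/VPC identifier used in the quarantine group name
    tagged_default: bool   # VM carries the nsx.network=default tag
    user_managed: bool     # VM is on the CSM User Managed list
    has_threats: bool      # NSX Cloud sees potential threats (or NSX Tools not yet installed)
    actual_sg: str         # security group currently observed in the cloud (constructed)


def quarantine_sg(vm: WorkloadVM) -> str:
    """Quarantine group: default-vnet-<vnet-ID>-sg on Azure, 'default' on AWS."""
    return f"default-vnet-{vm.vnet_id}-sg" if vm.cloud == "azure" else "default"


def expected_sg(vm: WorkloadVM):
    """Table 1 rules. None means NSX Cloud leaves the VM's group alone."""
    if vm.user_managed:
        return None                      # User Managed list: no action by NSX Cloud
    if not vm.tagged_default or vm.has_threats:
        return quarantine_sg(vm)         # untagged or threatened: quarantined
    return "vm-underlay-sg"              # tagged, clean, NSX-managed


def audit(inventory):
    """Return {vm name: (actual, expected)} for groups NSX Cloud will revert."""
    drift = {}
    for vm in inventory:
        exp = expected_sg(vm)
        if exp is not None and vm.actual_sg != exp:
            drift[vm.name] = (vm.actual_sg, exp)
    return drift


# Constructed inventory: a manual change on db01 and an untagged legacy01 will be reverted,
# ops01 is exempt via the User Managed list, new01 has no NSX Tools yet.
INVENTORY = [
    WorkloadVM("web01", "azure", "vnet-42", True, False, False, "vm-underlay-sg"),
    WorkloadVM("db01", "azure", "vnet-42", True, False, False, "custom-db-sg"),
    WorkloadVM("legacy01", "aws", "vpc-7", False, False, False, "custom-legacy-sg"),
    WorkloadVM("ops01", "aws", "vpc-7", True, True, False, "custom-ops-sg"),
    WorkloadVM("new01", "azure", "vnet-42", True, False, True, "vm-underlay-sg"),
]

if __name__ == "__main__":
    for name, (actual, exp) in audit(INVENTORY).items():
        print(f"{name}: {actual} -> {exp} (reverted by NSX Cloud within ~2 minutes)")
```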

Table 2. NSX Cloud assignment of public cloud security groups when Quarantine Policy is enabled after having been disabled

| Is the VM tagged with nsx.network=default in the public cloud? | Is the VM in the User Managed list? | VM's existing public cloud security group while Quarantine Policy is disabled | VM's public cloud security group after Quarantine Policy is enabled |
|---|---|---|---|
| Not Tagged | Not added to the User Managed list | Any existing public cloud security group | default-vnet-<vnet-ID>-sg (Microsoft Azure) or default (AWS) |
| Tagged | Not added to the User Managed list | vm-underlay-sg, or default-vnet-<vnet-ID>-sg (Microsoft Azure), or default (AWS) | Retains the NSX Cloud-assigned security group, which is the same for tagged VMs whether Quarantine Policy is enabled or disabled. |
| Tagged | Yes, VM is in the User Managed list | Any existing public cloud security group | Retains its existing public cloud security group because NSX Cloud does not take any action on VMs in the User Managed list. |
| Not Tagged | Yes, VM is in the User Managed list | Any existing public cloud security group | Retains its existing public cloud security group because NSX Cloud does not take any action on VMs in the User Managed list. |