Quarantine Policy Impact when Enabled

NSX Cloud manages the public cloud security group of all workload VMs in this VPC/VNet when Quarantine Policy is enabled.

Any manual changes to the security groups are reverted to the NSX Cloud-assigned security group within two minutes. If you do not want NSX Cloud to assign security groups to your VMs, add them to the User Managed list in CSM. See User Managed List for VMs.

Note: Removing the VM from the User Managed list causes the VM to revert to the NSX Cloud-assigned security group.

Table 1. NSX Cloud assignment of public cloud security groups when Quarantine Policy is enabled
Is VM tagged with `nsx.network=default` in the public cloud)?	Is VM in the User Managed list?	VM's public cloud security group when Quarntine Policy is enabled and explanation
Tagged	Not added to the User Managed List	If VM has no threats: vm-underlay-sg If VM has potential threats (see note): default-vnet-<vnet-ID>-sg in Microsoft Azure; default in AWS Note: The assignment of public cloud security groups is triggered within 90 seconds of applying the nsx.network=default tag to your workload VMs. You still need to install NSX Tools for the VMs to be NSX-managed. Until NSX Tools are installed your tagged workload VMs are quarantined. ,
Not Tagged	Not added to the User Managed List	default-vnet-<vnet-ID>-sg in Microsoft Azure; default in AWS. Untagged VMs are considered unmanaged and therefore quarantined by NSX Cloud.
Tagged	Yes, VM is in the User Managed List	Retains existing public cloud security group because NSX Cloud doesn't take action on VMs in the User Managed list.
Not Tagged	Yes, VM is in the User Managed List

The following table captures the impact on security group assignments if the Quarantine Policy was disabled at first and then you enable it:

Table 2. NSX Cloud assignment of public cloud security groups when Quarantine Policy is enabled from being disabled at first
Is VM tagged with `nsx.network=default` in the public cloud?	Is VM in the User Managed list?	VM's existing public cloud security group when Quarantine Policy is disabled	VM's public cloud security group after Quarantine Policy is enabled
Not Tagged	Not added to the User Managed List	Any existing public cloud security group	default-vnet-<vnet-ID>-sg (Microsoft Azure) Or default(AWS)
Tagged	Not added to the User Managed List	vm-underlay-sg Or default-vnet-<vnet-ID>-sg (Microsoft Azure) Or default(AWS)	Retains the NSX Cloud-assigned security group that is consistent for tagged VMs in the Quarantine enabled or disabled modes.
Tagged	Yes, VM is in the User Managed List	Any existing public cloud security group.	Retains existing public cloud security group because NSX Cloud doesn't take any action on VMs in the User Managed list.
Not Tagged	Yes, VM is in the User Managed List	Any existing public cloud security group.