NSX Cloud manages the public cloud security group of all workload VMs in this VPC/VNet when Quarantine Policy is enabled. Any manual change to a VM's security group is reverted to the NSX Cloud-assigned security group within two minutes. If you do not want NSX Cloud to assign security groups to particular VMs, add them to the User Managed list in CSM. See User Managed List for VMs.
Note: Removing a VM from the User Managed list causes the VM to revert to the NSX Cloud-assigned security group.
The following table shows the security group a VM ends up with while Quarantine Policy is enabled:

Is the VM tagged with nsx.network=default in the public cloud? | Is the VM in the User Managed list? | VM's public cloud security group when Quarantine Policy is enabled, and why
---|---|---
Tagged | No | vm-underlay-sg, the NSX Cloud-assigned security group for tagged VMs. NSX Cloud manages tagged VMs, and any manual change to the group is reverted within two minutes.
Not tagged | No | default-vnet-<vnet-ID>-sg in Microsoft Azure; default in AWS. Untagged VMs are considered unmanaged and are therefore quarantined by NSX Cloud.
Tagged | Yes | Retains its existing public cloud security group, because NSX Cloud does not take action on VMs in the User Managed list.
Not tagged | Yes | Retains its existing public cloud security group, because NSX Cloud does not take action on VMs in the User Managed list.

The following table captures the impact on security group assignments when Quarantine Policy was initially disabled and you then enable it:

Is the VM tagged with nsx.network=default in the public cloud? | Is the VM in the User Managed list? | VM's existing public cloud security group while Quarantine Policy is disabled | VM's public cloud security group after Quarantine Policy is enabled
---|---|---|---
Not tagged | No | Any existing public cloud security group | default-vnet-<vnet-ID>-sg (Microsoft Azure) or default (AWS); the VM is quarantined.
Tagged | No | vm-underlay-sg, default-vnet-<vnet-ID>-sg (Microsoft Azure) or default (AWS) | Retains the NSX Cloud-assigned security group, which is the same for tagged VMs whether Quarantine Policy is enabled or disabled.
Tagged | Yes | Any existing public cloud security group | Retains its existing public cloud security group, because NSX Cloud does not take any action on VMs in the User Managed list.
Not tagged | Yes | Any existing public cloud security group | Retains its existing public cloud security group, because NSX Cloud does not take any action on VMs in the User Managed list.
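Before enabling Quarantine Policy it is worth listing which VMs will have their security group replaced, so that a workload does not silently lose its current rules. The Python script below is an added example, not NSX Cloud code or part of this documentation; it applies the rules from the two tables to an inventory and reports the VMs whose group changes. It assumes one security group per VM, that vm-underlay-sg is the NSX Cloud-assigned group for tagged VMs, and that a manually changed group on a tagged VM is reverted to it; the inventory, the VNet ID abc123 and the group names sg-custom and custom-nsg are constructed for the example.

```python
"""Pre-flight check: which VMs change security group when Quarantine Policy is enabled."""
from dataclasses import dataclass, field

NSX_TAG_KEY = "nsx.network"
NSX_TAG_VALUE = "default"
# Assumption: vm-underlay-sg is the NSX Cloud-assigned group for tagged VMs
# (it is the group the second table lists for them).
NSX_UNDERLAY_SG = "vm-underlay-sg"


@dataclass(frozen=True)
class VM:
    name: str
    cloud: str                      # "aws" or "azure"
    security_group: str             # group currently attached (one per VM, for brevity)
    user_managed: bool              # True if the VM is on the User Managed list in CSM
    tags: dict = field(default_factory=dict)


def is_nsx_tagged(vm: VM) -> bool:
    """True when the VM carries the nsx.network=default tag in the public cloud."""
    return vm.tags.get(NSX_TAG_KEY) == NSX_TAG_VALUE


def quarantine_sg(cloud: str, vnet_id: str) -> str:
    """Group NSX Cloud assigns to unmanaged (untagged) VMs under Quarantine Policy."""
    if cloud == "aws":
        return "default"
    if cloud == "azure":
        return f"default-vnet-{vnet_id}-sg"
    raise ValueError(f"unsupported cloud: {cloud}")


def expected_sg(vm: VM, vnet_id: str) -> tuple:
    """Return (group NSX Cloud will enforce, reason) once Quarantine Policy is enabled."""
    if vm.user_managed:
        return vm.security_group, "on User Managed list: NSX Cloud takes no action"
    if is_nsx_tagged(vm):
        if vm.security_group in (NSX_UNDERLAY_SG, quarantine_sg(vm.cloud, vnet_id)):
            return vm.security_group, "tagged: NSX Cloud-assigned group is kept"
        # Assumption: a manually changed group on a tagged VM is reverted
        # to the NSX Cloud-assigned group (the page gives a two-minute window).
        return NSX_UNDERLAY_SG, "tagged: manual change reverted to NSX Cloud-assigned group"
    return quarantine_sg(vm.cloud, vnet_id), "untagged and not user managed: quarantined"


def changes_on_enable(vms, vnet_id: str) -> list:
    """VMs whose security group NSX Cloud will replace when Quarantine Policy is enabled."""
    changes = []
    for vm in vms:
        new_sg, reason = expected_sg(vm, vnet_id)
        if new_sg != vm.security_group:
            changes.append((vm.name, vm.security_group, new_sg, reason))
    return changes


# Constructed sample inventory (made up for this example). In practice, build it from
# `aws ec2 describe-instances` / `az vm list` output plus the CSM User Managed list.
SAMPLE_VMS = [
    VM("web-01", "aws", "sg-custom", False),
    VM("web-02", "aws", "vm-underlay-sg", False, {"nsx.network": "default"}),
    VM("web-03", "azure", "custom-nsg", False, {"nsx.network": "default"}),
    VM("db-01", "azure", "custom-nsg", True),
    VM("db-02", "azure", "custom-nsg", False, {"nsx.network": "staging"}),
]

if __name__ == "__main__":
    for name, old, new, why in changes_on_enable(SAMPLE_VMS, "abc123"):
        print(f"{name}: {old} -> {new}  ({why})")
```

Running it against the sample inventory flags web-01 and db-02 (untagged, so quarantined) and web-03 (tagged but carrying a manually chosen group, so reverted), while db-01 on the User Managed list and web-02 already on vm-underlay-sg are left alone. Note that a tag value other than exactly default, as on db-02, does not count as tagged.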