This feature pertains to NSX Cloud.

Forwarding Policies or Policy-Based Routing (PBR) rules define how NSX-T handles traffic from an NSX-managed VM. This traffic can be steered to NSX-T overlay or it can be routed through the cloud provider's (underlay) network.

Note: See Using NSX Cloud for details on how to manage your public cloud workload VMs with NSX-T Data Center.

Three default forwarding policies are set up automatically after you either deploy a PCG on a Transit VPC/VNet or link a Compute VPC/VNet to the Transit.

  1. One Route to Underlay for all traffic that is addressed within the Transit/Compute VPC/VNet.
  2. Another Route to Underlay for all traffic destined to the metadata services of the public cloud.
  3. One Route to Overlay for all other traffic, for example, traffic that is headed outside the Transit/Compute VPC/VNet. Such traffic is routed over the NSX-T overlay tunnel to the PCG and further to its destination.
    Note: For traffic destined to another VPC/VNet managed by the same PCG, traffic is routed from the source NSX-managed VPC/VNet over the NSX-T overlay tunnel to the PCG and then routed to the destination VPC/VNet.

    For traffic destined to another VPC/VNet managed by a different PCG, traffic is routed from the source NSX-managed VPC/VNet over the NSX-T overlay tunnel to the PCG of the source VPC/VNet and forwarded from there to the PCG of the destination NSX-managed VPC/VNet.

    If traffic is headed to the internet, the PCG routes it to its destination on the internet.

Micro-segmentation while Routing to Underlay

Micro-segmentation is enforced even for workload VMs whose traffic is routed to the underlay network.

If you have direct connectivity from an NSX-managed workload VM to a destination outside the managed VPC/VNet and want to bypass the PCG, set up a forwarding policy to route traffic from this VM via underlay.

When traffic is routed through the underlay network, the PCG is bypassed, so the traffic never passes through the north-south firewall on the PCG. However, you still have to manage rules for the east-west or distributed firewall (DFW), because those rules are applied at the VM level before traffic reaches the PCG.

Supported Forwarding Policies and Common Use Cases

You may see more forwarding policies listed in the drop-down menu, but in this release only the following forwarding policies are supported:
  • Route to Underlay
  • Route from Underlay
  • Route to Overlay

These are the common scenarios where forwarding policies are useful:

  • Route to Underlay: Access a service on underlay from an NSX-managed VM. For example, access to the AWS S3 service on the AWS underlay network.

  • Route from Underlay: Access a service hosted on an NSX-managed VM from the underlay network. For example, access from AWS ELB to the NSX-managed VM.
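The following is an added example, not NSX-T code or its API, that models how the three default forwarding policies and a custom Route to Underlay rule (the S3-style bypass from the use case above) decide whether a packet from an NSX-managed VM goes to the underlay or the overlay, and which firewalls still apply on each path. The rule names, the VPC CIDR, the placeholder service prefix (198.51.100.0/24) and the metadata address used as a default are all constructed for the example; where a custom rule is inserted relative to the defaults is likewise this example's assumption.

```python
"""Toy evaluator for NSX Cloud forwarding policies (policy-based routing).

Added example, not NSX-T code. It mirrors the page's description:
  1. traffic addressed within the VPC/VNet     -> Route to Underlay
  2. traffic to the cloud metadata service     -> Route to Underlay
  3. everything else                           -> Route to Overlay (via the PCG)
plus an optional custom Route to Underlay rule that bypasses the PCG.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple

ROUTE_TO_UNDERLAY = "ROUTE_TO_UNDERLAY"
ROUTE_TO_OVERLAY = "ROUTE_TO_OVERLAY"


@dataclass(frozen=True)
class ForwardingRule:
    name: str
    destinations: Tuple[ipaddress.IPv4Network, ...]  # empty tuple means "any destination"
    action: str

    def matches(self, dst: ipaddress.IPv4Address) -> bool:
        return not self.destinations or any(dst in net for net in self.destinations)


def default_policies(vpc_cidr: str, metadata_ip: str = "169.254.169.254") -> List[ForwardingRule]:
    """The three default forwarding policies, in the order they are evaluated here.

    metadata_ip is a constructed default; use whatever address your cloud's
    metadata service listens on.
    """
    return [
        ForwardingRule("intra-vpc", (ipaddress.ip_network(vpc_cidr),), ROUTE_TO_UNDERLAY),
        ForwardingRule("cloud-metadata", (ipaddress.ip_network(metadata_ip + "/32"),), ROUTE_TO_UNDERLAY),
        ForwardingRule("default-overlay", (), ROUTE_TO_OVERLAY),  # catch-all
    ]


def add_underlay_bypass(rules: Sequence[ForwardingRule], name: str, cidrs: Sequence[str]) -> List[ForwardingRule]:
    """Return a new rule list with a custom Route to Underlay rule for the given
    prefixes, placed just before the catch-all overlay rule (assumed ordering).
    The input list is left unchanged."""
    custom = ForwardingRule(name, tuple(ipaddress.ip_network(c) for c in cidrs), ROUTE_TO_UNDERLAY)
    idx = next((i for i, r in enumerate(rules) if not r.destinations), len(rules))
    return list(rules[:idx]) + [custom] + list(rules[idx:])


def evaluate(rules: Sequence[ForwardingRule], dst_ip: str) -> Tuple[str, str]:
    """First-match evaluation: returns (action, name of the matching rule)."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(dst):
            return rule.action, rule.name
    raise ValueError("no forwarding rule matched %s" % dst_ip)


def firewalls_applied(action: str) -> Tuple[str, ...]:
    """Which NSX firewalls the traffic traverses on each path, as the page describes:
    the DFW is enforced at the VM on both paths; only overlay traffic reaches the
    north-south firewall on the PCG."""
    if action == ROUTE_TO_UNDERLAY:
        return ("distributed firewall (DFW)",)
    return ("distributed firewall (DFW)", "north-south firewall on the PCG")


if __name__ == "__main__":
    rules = default_policies("10.1.0.0/16")                     # constructed VPC CIDR
    bypass = add_underlay_bypass(rules, "s3-direct", ["198.51.100.0/24"])  # placeholder service prefix
    for ip in ("10.1.2.3", "169.254.169.254", "10.2.0.5", "198.51.100.7"):
        action, name = evaluate(bypass, ip)
        print(ip, "->", action, "(rule:", name + ")", "firewalls:", firewalls_applied(action))
```

Run it as a script to see each destination mapped to its path; the key point it makes visible is that a Route to Underlay rule removes the PCG's north-south firewall from the path but not the DFW.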