Refer to these known limitations and common errors to troubleshoot managing your public cloud workload VMs in the Native Cloud Enforced Mode.

Note: The following limits are set by your public cloud:
  • The number of security groups that can be applied to a workload VM.
  • The number of rules that can be realized for a workload VM.
  • The number of rules that can be realized per security group.
  • The scope of the security group assignment; for example, the scope of a Network Security Group (NSG) in Microsoft Azure is limited to its region, whereas the scope of a Security Group (SG) in AWS is limited to its VPC.
Refer to the public cloud documentation for more information on these limits.

Current Limitations

The current release has the following limitations for DFW rules for workload VMs:

  • Nested Groups are not supported.
  • Groups without a VM or an IP address as a member are not supported; for example, Segment-based or Logical Port-based membership criteria are not supported.
  • Rules in which both Source and Destination are IP address- or CIDR-based Groups are not supported.
  • Rules in which both Source and Destination are "ANY" are not supported.
  • The Applied To group can only be the Source Group, the Destination Group, or both the Source and Destination Groups. Other options are not supported.
  • Only TCP, UDP, and ICMP are supported.
Note: AWS only:
Deny rules created for workload VMs in your AWS VPCs are not realized on AWS, because in AWS everything is denied by default. This leads to the following results in NSX-T Data Center:
  • If there is a Deny rule between VM1 and VM2, traffic is not allowed between VM1 and VM2 because of the default AWS behavior, not because of the Deny rule. The Deny rule is not realized in AWS.
  • Assume the following two rules are created in NSX Manager for the same VMs, with rule 1 having a higher priority than rule 2:
    1. VM1 to VM2 DENY SSH
    2. VM1 to VM2 ALLOW SSH
    The Deny rule is ignored because it is not realized in AWS, so the Allow SSH rule is realized and SSH traffic is allowed. This is contrary to expectation, but it is a limitation caused by the default AWS behavior.
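To make the listed rule limitations and the AWS Deny behavior concrete, here is an added example (not VMware's code) that models an ordered NSX rule list in Python: check_rule flags the documented limitations, and realize_in_aws shows why the DENY-then-ALLOW SSH pair above ends up allowing SSH. The Group names, the dict layout and the rule fields are assumptions made for this example.

```python
# Constructed model of the documented limitations; not NSX Manager's own validator.
ANY = "ANY"
SUPPORTED_PROTOCOLS = {"TCP", "UDP", "ICMP"}

# Constructed Groups: vms = workload VM members, cidrs = IP/CIDR members, nested = child Groups.
GROUPS = {
    "VM1": {"vms": {"vm-1"}, "cidrs": set(), "nested": set()},
    "VM2": {"vms": {"vm-2"}, "cidrs": set(), "nested": set()},
    "CorpNet": {"vms": set(), "cidrs": {"10.0.0.0/8"}, "nested": set()},
    "Parent": {"vms": set(), "cidrs": set(), "nested": {"VM1"}},
}

def check_rule(rule, groups=GROUPS):
    """Return the documented limitations a DFW rule violates (empty list = acceptable)."""
    src, dst = rule["source"], rule["destination"]
    sg, dg = groups.get(src), groups.get(dst)   # None for ANY or an unknown name
    problems = []
    if src == ANY and dst == ANY:
        problems.append("Source and Destination both ANY")
    for name, g in ((src, sg), (dst, dg)):
        if g and g["nested"]:
            problems.append(f"{name}: nested Groups are not supported")
        if g and not g["vms"] and not g["cidrs"]:
            problems.append(f"{name}: Group has no VM or IP address member")
    if sg and dg and not (sg["vms"] or dg["vms"]) and sg["cidrs"] and dg["cidrs"]:
        problems.append("Source and Destination both IP/CIDR-based Groups")
    if rule["protocol"] not in SUPPORTED_PROTOCOLS:
        problems.append(f"protocol {rule['protocol']} is not supported")
    if not rule["applied_to"] or not rule["applied_to"] <= {src, dst}:
        problems.append("Applied To must be Source, Destination, or both")
    return problems

def realize_in_aws(rules):
    """AWS security groups are allow-lists, so DENY rules are never realized: in
    priority order a DENY cannot shadow a later ALLOW for the same flow."""
    return [(r["source"], r["destination"], r["protocol"], r["port"])
            for r in rules if r["action"] == "ALLOW"]

def is_allowed(realized, src, dst, protocol, port):
    return (src, dst, protocol, port) in realized

# The documented AWS case: rule 1 (higher priority) DENY SSH, rule 2 ALLOW SSH.
DOC_RULES = [
    {"source": "VM1", "destination": "VM2", "protocol": "TCP", "port": 22,
     "action": "DENY", "applied_to": {"VM1", "VM2"}},
    {"source": "VM1", "destination": "VM2", "protocol": "TCP", "port": 22,
     "action": "ALLOW", "applied_to": {"VM1", "VM2"}},
]
```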

Common Errors and their Resolution

Error: No NSX policy applied to VM.

If you see this error, none of the DFW rules were applied to the particular VM. Edit the rule or the Group in NSX Manager to include this VM.

Error: Stateless NSX rule is not supported.

If you see this error, you have added DFW rules for public cloud workload VMs to a Stateless Security Policy, which is not supported. Create a new Security Policy in Stateful mode, or use an existing Stateful one.