You can configure Security Policy in NSX Manager for workload VMs in the Native Cloud Enforced Mode.
Note: DFW rules depend on the tags assigned to VMs. Anyone with the appropriate public cloud permissions can modify these tags, so NSX-T Data Center assumes that such users are trustworthy. The public cloud network administrator is responsible for ensuring and auditing that VMs are correctly tagged at all times.
Prerequisites
Verify that you have a Transit or Compute VPC/VNet in the Native Cloud Enforced Mode.