NSX Cloud allows you to use the public cloud tags assigned to your workload VMs.

NSX Manager uses tags to group VMs, as do public clouds. To facilitate grouping VMs, NSX Cloud therefore pulls the public cloud tags applied to your workload VMs into NSX Manager, provided they meet predefined size and reserved-words criteria.
Note: DFW rules depend on the tags assigned to VMs. Because anyone with the appropriate public cloud permissions can modify these tags, NSX-T Data Center assumes that such users are trustworthy. The responsibility for ensuring and auditing that VMs are correctly tagged at all times lies with the public cloud network administrator.

Tags terminology

A tag in NSX Manager refers to what is known as a value in a public cloud context. The key of a public cloud tag is referred to as the scope in NSX Manager.

| Components of tags in NSX Manager | Equivalent components of tags in the public cloud |
|---|---|
| Scope | Key |
| Tag | Value |

Tag Types and Limitations

NSX Cloud allows three types of tags for NSX-managed public cloud VMs.

  • System Tags: These tags are system-defined and you cannot add, edit, or delete them. NSX Cloud uses the following system tags:

    • azure:subscription_id
    • azure:region
    • azure:vm_rg
    • azure:vnet_name
    • azure:vnet_rg
    • azure:transit_vnet_name
    • azure:transit_vnet_rg
    • aws:account
    • aws:availabilityzone
    • aws:region
    • aws:vpc
    • aws:subnet
    • aws:transit_vpc
  • Discovered Tags: Tags that you have added to your VMs in the public cloud are automatically discovered by NSX Cloud and displayed for your workload VMs in the NSX Manager inventory. These tags are not editable from within NSX Manager. There is no limit to the number of discovered tags. Discovered tags are prefixed with dis:azure: when they come from Microsoft Azure and dis:aws when they come from AWS.

    When you make any changes to the tags in the public cloud, the changes are reflected in NSX Manager within three minutes.

    By default this feature is enabled. You can enable or disable the discovery of Microsoft Azure or AWS tags at the time of adding the Microsoft Azure subscription or AWS account.

  • User Tags: You can create up to 25 user tags. You have add, edit, and delete privileges for user tags. For information on managing user tags, see Manage Tags for a VM in Manager Mode.

Table 1. Summary of Tag Types and Limitations
Tag type Tag scope or predetermined prefix Limitations Enterprise Administrator





Complete system tags:

  • azure:subscription_id
  • azure:region
  • azure:vm_rg
  • azure:vnet_name
  • azure:vnet_rg
  • aws:vpc
  • aws:availabilityzone

Scope (key): 20 characters

Tag (value): 65 characters

Maximum possible: 5

Read only Read only

Prefix for Microsoft Azure tags that are imported from your VNet:


Prefix for AWS tags that are imported from your VPC:


Scope (key): 20 characters

Tag (value): 65 characters

Maximum allowed: unlimited

Note: The character limits exclude the prefix dis:<public cloud name>. Tags that exceed these limits are not reflected in NSX Manager.

Tags with the prefix nsx are ignored.

Read only Read only

User tags can have any scope (key) and value within the allowed number of characters, except:

  • the scope (key) prefix dis:azure: or dis:aws:
  • the same scope (key) as system tags

Scope (key): 30 characters

Tag (value): 65 characters

Maximum allowed: 25

Add/Edit/Delete Read only

Examples of Discovered Tags

Note: Tags are in the format key=value for the public cloud and scope=tag in NSX Manager.
Table 2.

| Public Cloud tag for the workload VM | Discovered by NSX Cloud? | Equivalent NSX Manager tag for the workload VM |
|---|---|---|
| Name=Developer | Yes | dis:azure:Name=Developer |
| ValidDisTagKeyLength=ValidDisTagValue | Yes | dis:azure:ValidDisTagKeyLength=ValidDisTagValue |
| Abcdefghijklmnopqrstuvwxyz=value2 | No (key exceeds 20 chars) | none |
| tag3=AbcdefghijklmnopqrstuvwxyzAb23690hgjgjuytreswqacvbcdefghijklmnopqrstuvwxyz | No (value exceeds 65 characters) | none |
| nsx.name=Tester | No (key has the prefix nsx) | none |
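
Because DFW rules depend on tags, it helps to know in advance which public cloud tags will never reach NSX Manager. The following is an added example, not VMware code: it applies the discovered-tag limits from Table 1 to a tag inventory and reports the tags that would be dropped. The function names, VM names, the case-sensitive match on the nsx prefix, and the use of the same dis:<cloud>: prefix form for AWS are assumptions.

```python
# Added example: predicts how NSX Cloud maps public cloud tags to discovered
# NSX Manager tags, using only the limits stated on this page.
MAX_SCOPE_LEN = 20   # key limit for discovered tags, prefix excluded
MAX_TAG_LEN = 65     # value limit for discovered tags
IGNORED_KEY_PREFIX = "nsx"  # assumption: matched case-sensitively


def discovered_tag(cloud, key, value):
    """Return (nsx_tag, reason); nsx_tag is None when the tag is not discovered.

    cloud is "azure" or "aws"; the "dis:<cloud>:" prefix form follows the
    page's dis:azure: examples (assumed identical for AWS).
    """
    if key.startswith(IGNORED_KEY_PREFIX):
        return None, "key has the prefix nsx"
    if len(key) > MAX_SCOPE_LEN:
        return None, "key exceeds 20 chars"
    if len(value) > MAX_TAG_LEN:
        return None, "value exceeds 65 characters"
    return f"dis:{cloud}:{key}={value}", "discovered"


def audit(cloud, vm_tags):
    """Map {vm: {key: value}} to each VM's dropped tags: {vm: [(key, reason)]}.

    A dropped tag is not reflected in NSX Manager, so a group or DFW rule
    keyed on it will not match that VM.
    """
    dropped = {}
    for vm, tags in vm_tags.items():
        for key, value in tags.items():
            nsx_tag, reason = discovered_tag(cloud, key, value)
            if nsx_tag is None:
                dropped.setdefault(vm, []).append((key, reason))
    return dropped


# Constructed sample inventory (hypothetical VM names), reusing Table 2's tags.
SAMPLE = {
    "web-01": {"Name": "Developer", "ValidDisTagKeyLength": "ValidDisTagValue"},
    "web-02": {"Abcdefghijklmnopqrstuvwxyz": "value2", "nsx.name": "Tester"},
    "db-01": {"tag3": "Abcdefghijklmnopqrstuvwxyz" "Ab23690hgjgjuytreswqacv"
                      "bcdefghijklmnopqrstuvwxyz"},
}

if __name__ == "__main__":
    for vm, issues in audit("azure", SAMPLE).items():
        for key, reason in issues:
            print(f"{vm}: tag {key!r} not discovered ({reason})")
```

Run against an export of your cloud tags, the audit output lists the VMs whose tag-based grouping should be checked before you rely on a DFW rule that uses those tags.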

How to use Tags in NSX Manager