When you deploy the PCG on your Transit VPC/VNet or when you link a Compute VPC/VNet to a Transit, NSX Cloud creates default Security Policies and DFW rules therein for NSX-managed workload VMs.
The two stateless rules are for DHCP access and they do not affect access to your workload VMs.
The two stateful rules are as follows:
DFW Rules created by NSX Cloud under Policy: cloud-stateful-cloud-<VPC/VNet ID> | Properties |
---|---|
cloud-<VPC/VNet ID>-managed | Allows access to the VMs within the same VPC/VNet. |
cloud-<VPC/VNet ID>-inbound | Blocks access to NSX-managed VMs from anywhere outside the VPC/VNet. |
Note: Do not edit any of the default rules.
You can create a copy of the existing inbound rule, adjust the sources and destinations, and set to Allow. Place the Allow rule above the default Reject rule. You can also add new policies and rules. See Add a Distributed Firewall for instructions.