Auto-created NSX-T Logical Entities

A set of logical entities are auto-created in NSX Manager.

Important: Do not delete any of these auto-created entities except if you are manually undeploying PCG. See Troubleshooting PCG Undeployment for details.

System Entities

You can see the following entities under the System tab:

Table 1. Auto-Created System Entities
Logical System Entity	How many are created?	Nomenclature	Scope
Transport Zones	Two Transport Zones are created for each Transit VPC/VNet	TZ-<VPC/VNet-ID>-OVERLAY TZ-<VPC/VNet-ID>-VLAN	Scope: Global
Edge Transport Nodes	One Edge Transport Node is created for each deployed PCG, two if deployed in high availability mode.	PublicCloudGatewayTN-<VPC/VNET-ID> PublicCloudGatewayTN-<VPC/VNET-ID>-preferred	Scope: Global
Edge Cluster	One Edge Cluster is created per deployed PCG, whether one or in a high availability pair.	PCG-cluster-<VPC/VNet-ID>	Scope: Global

Inventory Entities

The following entities are available under the Inventory tab:

Table 2. Groups
Groups	Scope
Two Groups named: cloud-default-route cloud-metadata services	Scope: Shared across all PCGs
One Group created at the Transit VPC/VNet level as a parent Group for individual segments created at the Compute VPC/VNet level. cloud-<Transit VPC/VNet ID>-all-segments	Scope: shared across all Compute VPCs/VNets
Two Groups for each Compute VPC/VNet: Network CIDR Group for all CIDRs of the Compute VPC/VNet: cloud-<Compute VPC/VNet ID>-cidr Local Segment Group for all managed segments within the Compute VPC/VNet:cloud-<Compute VPC/VNet ID>-local-segments	Scope: shared across all Compute VPC/VNets
The following Groups are created for the currently supported public cloud services: aws-dynamo-db-service-endpoint aws-elb-service-endpoint aws-rds-service-endpoint aws-s3-service-endpoint azure-cosmos-db-service-endpoint azure-load-balancer-service-endpoint azure-sql-service-endpoint azure-storage-service-endpoint	Scope: Shared across all PCGs

Note: For PCGs deployed or linked to in the Native Cloud Enforced Mode, all the workload VMs in the VPC/VNet become available under Virtual Machines in NSX Manager.

Security Entities

The following entities are available under the Security tab:

Table 3. Auto-Created Security Entities
Logical Security Entity	How many are created?	Nomenclature	Scope
Distributed Firewall (East-West)	Two per Transit VPC/VNet: Stateless Stateful	cloud-stateless-<VPC/VNet ID> cloud-stateful-<VPC/VNet ID>	Stateful rule to allow traffic within local managed segments Stateful rule to reject traffic from unmanaged VMs
Gateway Firewall (North-South)	One per Transit VPC/VNet	cloud-<Transit VPC/VNet ID>

Networking Entities

The following entities are created at different stages of onboarding and can be found under the Networking tab:

Table 4. Auto-Created Networking Entities
Onboarding Task	Logical Entities Created in NSX-T Data Center
PCG deployed on Transit VPC/VNet	Tier-0 Gateway Infra Segment (Default VLAN switch) Tier-1 router
Compute VPC or VNet linked to the Transit VPC/VNet	Tier-1 router
A workload VM with the NSX agent installed on it is tagged with the "nsx.network:default" key:value in a subnet of a compute or self-managed VPC/VNet	A Segment is created for this specific subnet of the compute or self-managed VPC or VNet Hybrid ports are created for each tagged workload VM that has the NSX agent installed on it
More workload VMs are tagged in the same subnet of the Compute or self-managed VPC/VNet	Hybrid ports are created for each tagged workload VM that has the NSX agent installed on it

Forwarding Policies

The following three forwarding rules are set up for a Compute VPC/VNet, including Self-managed Transit VPC/VNet:

Access any CIDR of the same Compute VPC over the public cloud's network (underlay)
Route traffic pertaining to public cloud metadata services over the public cloud's network (underlay)
Route everything not in the Compute VPC/VNet's CIDR block, or a known service, through the NSX-T Data Center network (overlay)