You can set up micro-segmentation for managed workload VMs.
Do the following to apply distributed firewall rules to NSX-managed workload VMs:
- Create a group for each tier (for example, web, app, and DB) using VM names, tags, or other membership criteria. For instructions, see Add a Group.
  You can use any of the following tags as membership criteria. See Group VMs using NSX-T Data Center and Public Cloud Tags for details.
  - system-defined tags
  - tags from your VPC or VNet that are discovered by NSX Cloud
  - your own custom tags
- Create an East-West distributed firewall policy with rules, and apply it to the groups you created. See Add a Distributed Firewall. You can also use Context Profiles to write rules that match specific App IDs and FQDNs/URLs; a predefined list of public cloud FQDNs/URLs is available when you create an FQDN/URL context profile. See Layer 7 Context Profile for details.
This micro-segmentation takes effect when the inventory is either manually re-synchronized from CSM, or within about three minutes when the changes are pulled into CSM from your public cloud.
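The following script is an added example, not code from the NSX Cloud documentation or from VMware. It shows how the two steps above (tag-based groups per tier, then an East-West policy applied to those groups) translate into NSX Policy API payloads: one group per tier whose membership is a tag condition rather than a static VM list, and one security policy with explicit allow rules between tiers followed by a logged drop rule, so traffic that does not match an allow rule is both blocked and visible in the DFW logs. The API paths under `/policy/api/v1/infra/`, the default policy domain, the pre-defined service paths for HTTP, HTTPS and MySQL, and the tag names `tier-web`, `tier-app` and `tier-db` are all assumptions for the example; check them against the API reference for your NSX version. Nothing is sent to a manager unless `apply_plan()` is called.

```python
"""Plan tag-based NSX groups and an East-West DFW policy as NSX Policy API calls.

Added example, not from the NSX Cloud documentation. Assumes the NSX-T Policy
API (paths under /policy/api/v1/infra/, the default domain, pre-defined
services HTTP/HTTPS/MySQL); verify against the API reference for your version.
"""
import base64
import json
import urllib.request

NSX_DOMAIN = "default"          # assumption: NSX Cloud groups live in the default domain
SERVICES = {                    # assumption: these pre-defined service paths exist
    "HTTPS": "/infra/services/HTTPS",
    "HTTP": "/infra/services/HTTP",
    "MYSQL": "/infra/services/MySQL",
}


def tag_condition(tag):
    """Membership criterion: a VirtualMachine that carries the tag `tag`.
    Scope-qualified tags use a delimited value whose syntax varies by version,
    so only the plain-tag form is shown here."""
    return {"resource_type": "Condition", "member_type": "VirtualMachine",
            "key": "Tag", "operator": "EQUALS", "value": tag}


def group_path(group_id):
    return f"/infra/domains/{NSX_DOMAIN}/groups/{group_id}"


def build_group(group_id, tag):
    """A group whose members are selected dynamically by tag, not a static VM list,
    so VMs discovered later with the same tag fall under the policy automatically."""
    return {"resource_type": "Group", "id": group_id, "display_name": group_id,
            "expression": [tag_condition(tag)]}


def build_rule(rule_id, seq, sources, destinations, services, action, logged=False):
    """One DFW rule between groups; 'scope' is the rule's Applied To, restricted to
    the groups involved rather than the whole domain."""
    return {"resource_type": "Rule", "id": rule_id, "display_name": rule_id,
            "sequence_number": seq,
            "source_groups": [group_path(g) for g in sources],
            "destination_groups": [group_path(g) for g in destinations],
            "services": services,                 # service paths, or ["ANY"]
            "scope": [group_path(g) for g in sorted(set(sources) | set(destinations))],
            "direction": "IN_OUT", "ip_protocol": "IPV4_IPV6",
            "action": action, "logged": logged}


def build_three_tier_plan(tags=None):
    """Groups for the web, app and DB tiers plus one East-West policy that allows
    only the tier-to-tier flows the application needs and logs-and-drops the rest.
    Returns an ordered list of {method, path, body} API calls (groups first)."""
    tags = tags or {"web": "tier-web", "app": "tier-app", "db": "tier-db"}  # constructed sample tags
    plan = [{"method": "PATCH", "path": f"/policy/api/v1{group_path(g)}",
             "body": build_group(g, tag)} for g, tag in tags.items()]
    rules = [
        build_rule("web-to-app", 10, ["web"], ["app"], [SERVICES["HTTPS"]], "ALLOW"),
        build_rule("app-to-db", 20, ["app"], ["db"], [SERVICES["MYSQL"]], "ALLOW"),
        # catch-all between the tiers: dropped and logged so violations appear in DFW logs
        build_rule("tier-default-deny", 100, list(tags), list(tags), ["ANY"], "DROP",
                   logged=True),
    ]
    policy = {"resource_type": "SecurityPolicy", "id": "three-tier-east-west",
              "display_name": "three-tier-east-west", "category": "Application",
              "rules": rules}
    plan.append({"method": "PATCH",
                 "path": f"/policy/api/v1/infra/domains/{NSX_DOMAIN}/security-policies/{policy['id']}",
                 "body": policy})
    return plan


def apply_plan(base_url, user, password, plan):
    """Send each call to an NSX Manager (assumed HTTPS base URL, basic auth).
    Returns the HTTP status codes in plan order."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    statuses = []
    for call in plan:
        req = urllib.request.Request(base_url + call["path"],
                                     data=json.dumps(call["body"]).encode(),
                                     method=call["method"],
                                     headers={"Authorization": f"Basic {auth}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    # Dry run: print the calls instead of sending them.
    for call in build_three_tier_plan():
        print(call["method"], call["path"])
        print(json.dumps(call["body"], indent=2))
```

Groups are created before the policy because the rules reference the group paths. After the PATCH calls return, the rules take effect on the workload VMs once the inventory is re-synchronized from CSM or the change is pulled in from the public cloud, as described above; the logged drop rule is the place to look in the DFW logs for flows the allow rules did not anticipate.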