This feature pertains to NSX Cloud.
Forwarding Policies or Policy-Based Routing (PBR) rules define how NSX-T Data Center handles traffic from an NSX-managed VM. This traffic can be steered to NSX-T Data Center overlay or it can be routed through the cloud provider's (underlay) network.
Three default forwarding policies are set up automatically after you either deploy a PCG on a Transit VPC/VNet or link a Compute VPC/VNet to the Transit.
- Route to Underlay for all traffic that is addressed within the Transit/Compute VPC/VNet.
- Route from Underlay for all traffic destined to the metadata services of the public cloud.
- Route to Overlay for all other traffic, for example, traffic that is headed outside the Transit/Compute VPC/VNet. Such traffic is routed over the NSX-T Data Center overlay tunnel to the PCG and further to its destination.
Note:
For traffic destined to another VPC/VNet managed by the same PCG: Traffic is routed from the source NSX-managed VPC/VNet via the NSX-T Data Center overlay tunnel to the PCG and then routed to the destination VPC/VNet.
For traffic destined to another VPC/VNet managed by a different PCG: Traffic is routed from one NSX-managed VPC/VNet over the NSX overlay tunnel to the PCG of the source VPC/VNet and forwarded to the PCG of the destination NSX-managed VPC/VNet.
If traffic is headed to the internet, the PCG routes it to the destination in the internet.
Micro-segmentation while Routing to Underlay
Micro-segmentation is enforced even for workload VMs whose traffic is routed to the underlay network.
If you have direct connectivity from an NSX-managed workload VM to a destination outside the managed VPC/VNet and want to bypass the PCG, set up a forwarding policy to route traffic from this VM via underlay.
When traffic is routed through the underlay network, the PCG is bypassed, so the traffic never passes through the north-south firewall. However, you still have to manage east-west or distributed firewall (DFW) rules, because those rules are applied at the VM level before the traffic would reach the PCG.
Supported Forwarding Policies and Common Use Cases
- Route to Underlay
- Route from Underlay
- Route to Overlay
These are the common scenarios where forwarding policies are useful:
- Route to Underlay: Access a service on underlay from an NSX-managed VM. For example, access to the AWS S3 service on the AWS underlay network.
- Route from Underlay: Access a service hosted on an NSX-managed VM from the underlay network. For example, access from AWS ELB to the NSX-managed VM.
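The following constructed Python model (added here; it is not NSX-T code and not its API) illustrates the first-match evaluation of the three default policies described above, how a user "Route to Underlay" rule such as the S3 case must sit ahead of the catch-all overlay rule, and which firewalls a flow steered by each rule passes through. The VPC CIDR, rule names and the prefix standing in for an S3 endpoint range are assumptions; 169.254.169.254 is the well-known link-local metadata address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Actions named in the documentation; the evaluation model is a constructed
# illustration of the documented behaviour, not NSX-T's implementation.
ROUTE_TO_UNDERLAY, ROUTE_FROM_UNDERLAY, ROUTE_TO_OVERLAY = (
    "ROUTE_TO_UNDERLAY", "ROUTE_FROM_UNDERLAY", "ROUTE_TO_OVERLAY")
METADATA_SERVICE = "169.254.169.254/32"  # link-local metadata address (AWS, Azure)

@dataclass(frozen=True)
class ForwardingRule:
    name: str
    destinations: tuple  # destination CIDRs; an empty tuple matches any destination
    action: str

    def matches(self, dst_ip: str) -> bool:
        addr = ip_address(dst_ip)
        return not self.destinations or any(addr in ip_network(c) for c in self.destinations)

def default_policies(vpc_cidr: str) -> list:
    """The three policies created when a PCG is deployed or a Compute VPC/VNet is linked."""
    return [
        ForwardingRule("intra-vpc-to-underlay", (vpc_cidr,), ROUTE_TO_UNDERLAY),
        ForwardingRule("metadata-from-underlay", (METADATA_SERVICE,), ROUTE_FROM_UNDERLAY),
        ForwardingRule("everything-else-to-overlay", (), ROUTE_TO_OVERLAY),
    ]

def add_underlay_bypass(rules: list, name: str, cidrs: tuple) -> list:
    """Insert a user 'Route to Underlay' rule ahead of the catch-all overlay rule,
    so it is consulted before the default that would send the flow to the PCG."""
    bypass = ForwardingRule(name, cidrs, ROUTE_TO_UNDERLAY)
    return rules[:-1] + [bypass] + rules[-1:]

def evaluate(rules: list, dst_ip: str) -> ForwardingRule:
    """First-match evaluation, top to bottom (the catch-all guarantees a match)."""
    return next(r for r in rules if r.matches(dst_ip))

def enforcement_points(rule: ForwardingRule) -> set:
    """Firewalls a flow steered by this rule passes through: the DFW applies at the
    VM regardless; the PCG north-south firewall is only in the overlay path."""
    points = {"DFW"}
    if rule.action == ROUTE_TO_OVERLAY:
        points.add("PCG north-south firewall")
    return points

if __name__ == "__main__":
    # Constructed VPC CIDR and a placeholder prefix standing in for an S3 endpoint range.
    rules = add_underlay_bypass(default_policies("10.20.0.0/16"), "s3-direct", ("192.0.2.0/24",))
    for dst in ("10.20.5.7", "169.254.169.254", "192.0.2.10", "203.0.113.9"):
        r = evaluate(rules, dst)
        print(f"{dst:16} -> {r.action:20} rule={r.name!r} enforced_by={sorted(enforcement_points(r))}")
```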