You can configure Security Policy in NSX Manager for workload VMs in the Native Cloud Enforced Mode.

Starting in NSX-T Data Center 3.0, you can create security policies and rules in VPCs/VNets from different accounts or subscriptions.
Note: DFW rules depend on the tags assigned to VMs. Since these tags can be modified by anyone with the appropriate public cloud permissions, NSX-T Data Center assumes that such users are trustworthy and the responsibility of ensuring and auditing that VMs are correctly tagged at all times lies with the public cloud network administrator.


Verify that you have a Transit or Compute VPC/VNet in the Native Cloud Enforced Mode.


  1. In NSX Manager, edit or create Groups for workload VMs, for example, VM names starting with web, app, db, could be three separate Groups. See Add a Group for instructions. Also see Group VMs using NSX-T Data Center and Public Cloud Tags for information on using public cloud tags to create Groups for your workload VMs.

    Workload VMs that match the criteria are be added to the Group. VMs that do not match any grouping criteria are placed in the default Security Group in AWS and the default-vnet-<vnet-ID>-sg Network Security Group in Microsoft Azure.

    Note: You cannot use the Groups that are auto-created by NSX Cloud.
  2. In NSX Manager, create Distributed Firewall (DFW) rules with these Groups in the Source, Destination or Applied To fields. See Add a Distributed Firewall for instructions.
    Note: Only Stateful policies are supported for public cloud workload VMs. Stateless policies can be created in NSX Manager but they will not be matched with any Groups that contain your public cloud workload VMs.

    L7 Context Profiles are not supported for DFW rules for workload VMs in the Native Cloud Enforced Mode.

  3. In CSM, remove those VMs from the User Managed list that you want to bring under NSX management. See How to use the User Managed List for instructions.
    Note: Adding VMs to the User Managed list is a manual step that is strongly recommended in the day-0 workflow as soon as you add your public cloud inventory in CSM. If you have not added any VMs to the User Managed list, you do not need to remove them from it.
  4. For Groups and DFW rules that find a match in the public cloud, the following takes place automatically:
    1. In AWS, NSX Cloud creates a new Security Group named like nsx-<NSX GUID>.
    2. In Microsoft Azure, NSX Cloud creates an Application Security Group (ASG) corresponding with the Group created in NSX Manager and a Network Security Group (NSG) corresponding to the DFW rules that are matched with grouped workload VMs.
      NSX Cloud synchronizes NSX Manager and public cloud groups and DFW rules every 30 seconds.
  5. Resynchronize your public cloud account in CSM:
    1. Log in to CSM and go to your public cloud account.
    2. From the public cloud account, click Actions > Resync Account. Wait for the resynch to complete.
    3. Go to the VPC/VNet and click on the red-colored Errors indicator. This takes you to the instances view.
    4. Switch the view to Details if viewing in Grid and click on Failed in the Rules Realization column to view errors, if any.

What to do next

See Current Limitations and Common Errors.