In the Native Cloud Enforced Mode, NSX Cloud utilizes NSX-T Data Center Groups and Distributed Firewall rules to create corresponding Application Security Groups and Network Security Groups in Microsoft Azure and Security Groups in AWS.

All workload VMs in your VPCs/VNets onboarded in the Native Cloud Enforced Mode are NSX-managed.

Follow this workflow:
Table 1. Micro-segmentation workflow for your workload VMs in the Native Cloud Enforced Mode
Task Instructions
Create one or more Groups in NSX Manager to include workload VMs from your public cloud.

See Set up Micro-segmentation for Workload VMs in the Native Cloud Enforced Mode

See also: Group VMs using NSX-T Data Center and Public Cloud Tags

Create one or more Security Policies in NSX Manager that apply to the Group(s) you created for your public cloud workload VMs.
Remove workload VMs from the User Managed list in CSM if you want them managed by NSX-T Security Policies.
Resync your public cloud account in CSM.
From your VPC/VNet, switch to the details view in CSM for troubleshooting Security policies if there are any errors. See Current Limitations and Common Errors