If you use AWS Transit Gateway, you can deploy the PCG in any VPC and connect this VPC with the Transit Gateway.

Follow instructions at Deploy PCG in a VPC.

Any other VPCs connected to the Transit Gateway can have their workload VMs managed by NSX-T Data Center for micro-segmentation.

NSX Cloud does not manage networking between the Transit and Compute VPCs or the workload VMs. All NSX-T Data Center networking constructs are created upon PCG deployment but only the Security constructs are valid if you are working with AWS Transit Gateway. See Security Entities for a list of auto-created security policies after PCG deployment.
  • Currently only NSX Enforced Mode is supported. You must install NSX Tools in your workload VMs. See NSX Enforced Mode in the NSX-T Data Center Administration Guide for instructions.
  • The VPC where you deploy PCG – Transit VPC – must have the same subnets as required by a Transit VPC that is not using the AWS Transit Gateway. See Subnets Required in Your VPC/VNet to deploy PCG for details.
  • You must link compute VPCs to the Transit VPC. See Link to a Transit VPC or VNet for instructions.
  • You must ensure that workload VMs with NSX Tools installed on them have connectivity with the management subnet of the Transit VPC.
  • To utilize micro-segmentation, you must add a Forwarding Policy with the following values:
    Option Value
    Sources A Group in NSX Manager that contains all NSX-Managed VMs from your Transit and Compute VPCs
    Destinations All (
    Services Any
    Action Route to Underlay
    See Add or Edit Forwarding Policies in the NSX-T Data Center Administration Guide for details about Forwarding Policies.