The Quarantine Policy feature in NSX Cloud provides a threat detection mechanism for your NSX-managed workload VMs.

Quarantine Policy is implemented differently in the two VM-management modes.

Table 1. Quarantine Policy Implementation in the NSX Enforced Mode and the Native Cloud Enforced Mode

Default state:
  • NSX Enforced Mode: Disabled when deploying PCG using NSX Tools. You can enable it from the PCG-deployment screen or later. See How to Enable or Disable Quarantine Policy.
  • Native Cloud Enforced Mode: Always enabled. Cannot be disabled.

Auto-created security groups unique to each mode:
  • NSX Enforced Mode: All healthy NSX-managed VMs are assigned the vm-underlay-sg security group.
  • Native Cloud Enforced Mode: nsx-<NSX GUID> security groups are created for and applied to NSX-managed workload VMs that are matched with a Distributed Firewall Policy in NSX Manager.
Auto-created Public Cloud Security Groups common to both modes:
The gw security groups are applied to the respective PCG interfaces in AWS and Microsoft Azure.
  • gw-mgmt-sg
  • gw-uplink-sg
  • gw-vtep-sg
The vm security groups are applied to NSX-managed VMs depending on their current state and whether Quarantine Policy is enabled or disabled:
  • default-vnet-<vnet-id>-sg in Microsoft Azure and default in AWS.
    Note: In AWS, the default security group already exists. It is not created by NSX Cloud.

General Recommendation for NSX Enforced Mode:

Start with Quarantine Policy disabled for brownfield deployments: Quarantine Policy is disabled by default. When you already have VMs running in your public cloud environment, keep Quarantine Policy disabled until you have onboarded your workload VMs. This ensures that your existing VMs are not automatically quarantined before they are managed by NSX Cloud.

Start with Quarantine Policy enabled for greenfield deployments: For greenfield deployments, it is recommended that you enable Quarantine Policy so that threat detection is in effect for your VMs from the moment they are managed by NSX Cloud.