You can set up micro-segmentation for managed workload VMs.

Note: DFW rules depend on the tags assigned to VMs. Since these tags can be modified by anyone with the appropriate public cloud permissions, NSX assumes that such users are trustworthy and the responsibility of ensuring and auditing that VMs are correctly tagged at all times lies with the public cloud network administrator.

Do the following to apply distributed firewall rules to NSX-managed workload VMs:

  1. Create groups using VM names or tags or other membership criteria, for example, for web, app, DB tiers. For instructions, see Add a Group.
    You can use any of the following tags for membership criteria. See Group VMs using NSX and Public Cloud Tags for details.
    • system-defined tags
    • tags from your VPC or VNet that are discovered by NSX Cloud
    • or your own custom tags
  2. Create an East-West distributed firewall policy and rule and apply to the group you created. See Add a Distributed Firewall. You can also use Context Profiles to create rules specific to App IDs and FQDN/URLs. A predefined list of public cloud FQDN/URLs is available when you create an FQDN/URL context profile. See Layer 7 Context Profile for details.

This micro-segmentation takes effect when the inventory is either manually re-synchronized from CSM, or within about three minutes when the changes are pulled into CSM from your public cloud.