In your public clouds, some configurations are set up automatically after you deploy PCG.

Some auto configurations are common to all public clouds and both NSX management modes. Other configurations are specific to either the public cloud or the NSX management mode.

Specific to AWS

The following are specific to AWS:
  • In the AWS VPC, a new Type A Record Set named nsx-gw.vmware.local is added to a private hosted zone in Amazon Route 53. The IP address mapped to this record is the Management IP address of the PCG, which AWS assigns using DHCP and which therefore differs for each VPC. NSX Cloud uses this DNS entry in the private hosted zone to resolve the PCG's IP address.
    Note: When you use custom DNS domain names defined in a private hosted zone in Amazon Route 53, the DNS Resolution and DNS Hostnames attributes must be set to Yes for your VPC settings in AWS.
  • A secondary IP address is created on the PCG uplink interface, and an AWS Elastic IP is associated with that secondary address. This configuration is used for SNAT.

Specific to Microsoft Azure

The following are specific to Microsoft Azure:
  • A common Resource Group is created per region, per subscription. It is named in the form nsx-default-<region-name>-rg, for example nsx-default-westus-rg. All VNets in this region share this Resource Group. Neither this Resource Group nor the NSX-created security groups named in the form default-<vnet-ID>-sg are deleted from the Microsoft Azure region after you off-board a VNet in this region from NSX Cloud.

Common to both modes and all public clouds

The following are created in all public clouds and for both NSX management modes, NSX Enforced Mode and Native Cloud Enforced Mode:
  • The gateway (gw-*) security groups are applied to the respective PCG interfaces in VPCs or VNets.
    Table 1. Public Cloud Security Groups created by NSX Cloud for PCG interfaces

    Security Group name | Description
    --------------------+----------------------------------
    gw-mgmt-sg          | Gateway Management Security Group
    gw-uplink-sg        | Gateway Uplink Security Group
    gw-vtep-sg          | Gateway Downlink Security Group
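As an added example (not NSX Cloud's own code or a script from this page), the following Python posture check verifies the AWS auto-configuration described above: both VPC DNS attributes enabled as the Note requires, the nsx-gw.vmware.local A record pointing at the PCG's management IP, and the three gateway security groups from Table 1 present. It operates on data shaped like the boto3 responses named in the docstring, so the constructed sample below runs offline; wiring in the real describe_* calls is assumed to be done by the operator.

```python
import ipaddress

# Names this page says NSX Cloud creates in AWS (Route 53 record, Table 1 groups).
PCG_RECORD_NAME = "nsx-gw.vmware.local."   # Route 53 returns FQDNs with a trailing dot
EXPECTED_GW_SGS = {"gw-mgmt-sg", "gw-uplink-sg", "gw-vtep-sg"}

def audit_pcg_aws_config(vpc_attrs, record_sets, security_groups, pcg_mgmt_ip):
    """Return a list of findings; an empty list means the VPC matches the documented state.

    vpc_attrs: merged ec2.describe_vpc_attribute output for both DNS attributes;
    record_sets: 'ResourceRecordSets' from route53.list_resource_record_sets (private zone);
    security_groups: 'SecurityGroups' from ec2.describe_security_groups for this VPC;
    pcg_mgmt_ip: the PCG management IP that AWS assigned via DHCP.
    """
    findings = []
    # Private hosted zone names only resolve when both VPC DNS attributes are enabled.
    for attr in ("EnableDnsSupport", "EnableDnsHostnames"):
        if not vpc_attrs.get(attr, {}).get("Value", False):
            findings.append(f"VPC attribute {attr} is not enabled")
    # The A record NSX Cloud relies on must point at this PCG's management IP.
    a_records = [r for r in record_sets
                 if r["Type"] == "A" and r["Name"].lower() == PCG_RECORD_NAME]
    if not a_records:
        findings.append(f"no A record {PCG_RECORD_NAME} in the private hosted zone")
    else:
        values = {v["Value"] for r in a_records for v in r["ResourceRecords"]}
        if str(ipaddress.ip_address(pcg_mgmt_ip)) not in values:
            findings.append(f"{PCG_RECORD_NAME} resolves to {sorted(values)}, "
                            f"but the PCG management IP is {pcg_mgmt_ip}")
    # Every gateway security group from Table 1 must exist in the VPC.
    present = {sg["GroupName"] for sg in security_groups}
    for missing in sorted(EXPECTED_GW_SGS - present):
        findings.append(f"security group {missing} is missing")
    return findings

# Constructed sample data shaped like the boto3 responses above (not from a real account):
# DNS hostnames disabled, a stale A record, and one gateway security group missing.
SAMPLE_PCG_MGMT_IP = "10.0.1.45"
SAMPLE_VPC_ATTRS = {"EnableDnsSupport": {"Value": True}, "EnableDnsHostnames": {"Value": False}}
SAMPLE_RECORD_SETS = [{"Name": "nsx-gw.vmware.local.", "Type": "A", "TTL": 60,
                       "ResourceRecords": [{"Value": "10.0.1.23"}]}]
SAMPLE_SECURITY_GROUPS = [{"GroupName": "gw-mgmt-sg"}, {"GroupName": "gw-uplink-sg"}]

if __name__ == "__main__":
    for finding in audit_pcg_aws_config(SAMPLE_VPC_ATTRS, SAMPLE_RECORD_SETS,
                                        SAMPLE_SECURITY_GROUPS, SAMPLE_PCG_MGMT_IP):
        print("FINDING:", finding)
```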

Specific to Native Cloud Enforced Mode

The following security groups are created when the PCG is deployed in the Native Cloud Enforced Mode.

After workload VMs are matched with groups and corresponding security policies in NSX Manager, security groups named like nsx-<GUID> are created in the public cloud for each matching security policy.
Note: In AWS, Security Groups are created. In Microsoft Azure, Application Security Groups are created corresponding to Groups in NSX Manager and Network Security Groups are created corresponding to Security Policies in NSX Manager.
Security Group name        | Available in Microsoft Azure? | Available in AWS? | Description
---------------------------+-------------------------------+-------------------+------------------------------------------------------------
default-vnet-<vnet-id>-sg  | Yes                           | No                | NSX Cloud-created security group in the common Microsoft Azure Resource Group, assigned to VMs that are not matched with a security policy in NSX.
default                    | No                            | Yes               | An existing security group in AWS that NSX Cloud assigns to VMs that are not matched with a security policy in NSX.
vm-overlay-sg              | Yes                           | Yes               | VM overlay security group (not used in the current release).

Specific to NSX Enforced Mode

The following security groups are created for workload VMs when you deploy PCG in the NSX Enforced Mode.
Table 2. Public Cloud Security Groups created by NSX Cloud for Workload VMs in the NSX Enforced Mode

Security Group name        | Available in Microsoft Azure? | Available in AWS? | Description
---------------------------+-------------------------------+-------------------+------------------------------------------------------------
default-vnet-<vnet-id>-sg  | Yes                           | No                | NSX Cloud-created security group in Microsoft Azure for threat-detection workflows in the NSX Enforced Mode.
default                    | No                            | Yes               | An existing security group in AWS used by NSX Cloud for threat-detection workflows in the NSX Enforced Mode.
vm-underlay-sg             | Yes                           | Yes               | VM underlay security group.
vm-overlay-sg              | Yes                           | Yes               | VM overlay security group (not used in the current release).