If you use AWS Transit Gateway, you can deploy the PCG in any VPC and connect that VPC to the Transit Gateway.

Follow instructions at Deploy PCG in a VPC.

Any other VPCs connected to the Transit Gateway can have their workload VMs managed by NSX for micro-segmentation.

NSX Cloud does not manage networking between the Transit and Compute VPCs or between the workload VMs. All NSX networking constructs are created upon PCG deployment, but only the Security constructs are valid when you are working with AWS Transit Gateway. See Security Entities for a list of the security policies that are auto-created after PCG deployment.
  • Currently only NSX Enforced Mode is supported. You must install NSX Tools in your workload VMs. See NSX Enforced Mode in the NSX Administration Guide for instructions.
  • The VPC where you deploy PCG – Transit VPC – must have the same subnets as required by a Transit VPC that is not using the AWS Transit Gateway. See Subnets Required in Your VPC/VNet to deploy PCG for details.
  • You must link compute VPCs to the Transit VPC. See Link to a Transit VPC or VNet for instructions.
  • You must ensure that workload VMs with NSX Tools installed have connectivity to the management subnet of the Transit VPC.
  • To utilize micro-segmentation, you must add a Forwarding Policy with the following values:
    Option         Value
    Sources        A Group in NSX Manager that contains all NSX-Managed VMs from your Transit and Compute VPCs
    Destinations   All (0.0.0.0/0)
    Services       Any
    Action         Route to Underlay
    See Add or Edit Forwarding Policies in the NSX Administration Guide for details about Forwarding Policies.
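The following preflight check is an added example and is not part of the NSX Cloud documentation or product. It verifies two of the prerequisites above offline: that the Transit VPC and every Compute VPC are attached to the same Transit Gateway (using the field names of the EC2 DescribeTransitGatewayAttachments response, fed here from a constructed sample), and that a Forwarding Policy rule carries the values from the table. The rule dictionary, its key names, the action string and the group name are constructed for illustration, not the NSX API schema.

```python
"""Preflight checks for NSX micro-segmentation behind an AWS Transit Gateway (added example)."""

# Constructed sample shaped like ec2.describe_transit_gateway_attachments()["TransitGatewayAttachments"],
# reduced to the fields the check uses. IDs are placeholders.
TGW_ATTACHMENTS = [
    {"TransitGatewayId": "tgw-0example", "ResourceType": "vpc", "ResourceId": "vpc-transit",   "State": "available"},
    {"TransitGatewayId": "tgw-0example", "ResourceType": "vpc", "ResourceId": "vpc-compute-a", "State": "available"},
    {"TransitGatewayId": "tgw-0example", "ResourceType": "vpc", "ResourceId": "vpc-compute-b", "State": "pending"},
]


def unattached_vpcs(attachments, transit_vpc, compute_vpcs, tgw_id):
    """Return the VPCs (Transit VPC first) that are not attached to `tgw_id` in state 'available'.

    A Compute VPC listed here is not reachable through the Transit Gateway yet, so its
    workload VMs cannot be managed by NSX until the attachment is available.
    """
    attached = {
        a["ResourceId"]
        for a in attachments
        if a["ResourceType"] == "vpc" and a["State"] == "available" and a["TransitGatewayId"] == tgw_id
    }
    return [vpc for vpc in [transit_vpc, *compute_vpcs] if vpc not in attached]


# Required Forwarding Policy values from the table above (constructed key names and action string).
REQUIRED_RULE = {"destinations": ["0.0.0.0/0"], "services": ["ANY"], "action": "ROUTE_TO_UNDERLAY"}


def forwarding_rule_problems(rule, managed_vm_group):
    """Return the mismatches between `rule` and the required Forwarding Policy values.

    Sources must be exactly the NSX Manager Group holding all NSX-Managed VMs from the
    Transit and Compute VPCs; any other source set leaves some VMs without the policy.
    """
    problems = []
    if rule.get("sources") != [managed_vm_group]:
        problems.append(f"sources must be the NSX-managed VM group {managed_vm_group!r}, got {rule.get('sources')!r}")
    for key, want in REQUIRED_RULE.items():
        if rule.get(key) != want:
            problems.append(f"{key} must be {want!r}, got {rule.get(key)!r}")
    return problems


if __name__ == "__main__":
    print("Not attached:", unattached_vpcs(TGW_ATTACHMENTS, "vpc-transit", ["vpc-compute-a", "vpc-compute-b"], "tgw-0example"))
    rule = {"sources": ["nsx-managed-vms"], "destinations": ["0.0.0.0/0"], "services": ["ANY"], "action": "ROUTE_TO_OVERLAY"}
    print("Rule problems:", forwarding_rule_problems(rule, "nsx-managed-vms"))
```

In a live account, replace TGW_ATTACHMENTS with the "TransitGatewayAttachments" list returned by boto3's ec2.describe_transit_gateway_attachments().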