The Policy Migration feature enables NSX distributed firewall rules to be moved from an on-premises vCenter to a vCloud Air virtual data center.

Policy Migration is possible when you use low-downtime migration or vMotion to move a virtual machine over a network stretched with the High Throughput Layer 2 Concentrator.

The on-premises data center must be running NSX 6.2.2 or greater.

In vSphere, the security policy is a single NSX Section which can contain many rules. There can be only one Section (policy) per Org vDC.

You can name a Set of IP addresses or MAC addresses to participate in the policy. The name of the MAC Set or IP Set cannot exceed 218 characters.

All rules in a Section must have a unique name. Do not leave a rule name blank.

Supported rules specify Layer 3 IP addresses or IP Sets, or Layer 2 MAC addresses or MAC Sets as the source or destination.


Rules that specify security groups or application groups for the source or destination are not migrated.

Any change to the migrated policy is propagated to all VMs that use the policy.