Integrating NSX-T and VMware Carbon Black Workload


Learn how to use the new NSX tagging feature available in the latest release of the Carbon Black Cloud Workload appliance.  Watch the below video for a step-by-step tutorial on integration and operationalization of the NSX-T tagging capabilities.


To enable the integration you must be a customer of the following products:

  • Cloud Workload Protection (1.1 Appliance Version or Higher)
  • NSX-T (3.1.3 Version or Higher)
  • The VM workload must be on an NSX N-VDS (opaque network) to have the Apply NSX Tag option available.

Carbon Black Cloud Configuration

In order to enable connectivity between NSX and Carbon Black Cloud you must upgrade to the latest 1.1 Appliance version. For instructions on upgrading your Appliance, review the instructions here.

You can verify your Appliance version either in vSphere or in the Carbon Black Cloud.

In the Carbon Black Cloud navigate to Settings > API Access > Select your CWP Appliance hyperlink for more details and verify the Appliance version is 1.1 or higher.

Graphical user interface, application, Teams</p>
<p>Description automatically generated

If you have not previously configured your CWP Appliance, review the set-up instructions here.


Connecting NSX to the CWP Appliance

Once you have upgraded to the 1.1+ Appliance version in vSphere under Appliance > Registration, you will now have a new field indicating NSX details.

Connect NSX with the CWP Appliance by selecting your desired NSX hostname and selecting Register.

Graphical user interface, text, application, email</p>
<p>Description automatically generated

Once you register your NSX details and credentials, a successful connection will show in the configuration details as ‘Connected’.

Graphical user interface, text, application, email</p>
<p>Description automatically generated

This will register the appliance with vCenter as well as NSX.

You can verify the connected state in Carbon Black Cloud as well.

Settings > API Access > Select the CWP Appliance hyperlink and verify NSX-Connectivity as TRUE.

Graphical user interface, application, Teams</p>
<p>Description automatically generated

NSX Configuration

Once the appliance is successfully registered and NSX-Connectivity is TRUE, pivot into the NSX Console to review the changes updated automatically by the CWP Appliance.

NSX Groups

The integration between CWP and NSX will create 3 custom groups within NSX.

  • CB-NSX-Custom-Group
  • CB-NSX-Isolate-Group
  • CB-NSX-Quarantine-Group

Graphical user interface, table</p>
<p>Description automatically generated

NSX Context Profile

This newly created context profile allows for communication to the CBC even while in an NSX-Quarantined state.

Graphical user interface, application</p>
<p>Description automatically generated

NSX Distributed Firewall

The connection between the CWP Appliance and NSX will create 3 additional firewall rules.

  • CB-NSX-Isolate | Deny all traffic rule where it will drop all communication to the desired targets.
  • CB-NSX-Quarantine | Allows DHCP, and DNS traffic as well as communication to the Carbon Black Cloud backed based on the Context Profile automatically created, and deny all other traffic.
  • CB-NSX-Custom | This rule is to allow administrators to create their own custom actions; the default is a deny all traffic rule where it will drop all communication to the desired targets.

Graphical user interface, application</p>
<p>Description automatically generated

Operationalizing NSX & Carbon Black Cloud

Now that the configuration has been completed you are now ready to operationalize the integration. Through the CBC console through the Actions panel on the right hand side you are now able to select ‘Apply NSX Tag’ and this will trigger the appropriate rules within NSX to isolate, quarantine or take custom Firewall actions.

Action on VM Workload Inventory 

Graphical user interface, application, Teams</p>
<p>Description automatically generated

Action from Alerts Panel

Alerts Panel Actions

Summary and Additional Resources

Additional Resources


The following updates were made to this guide:


Description of Changes


  • Guide was published.

About the Author and Contributors

Dale McKay is a technology evangelist and strategist with deep expertise in security, virtualization, and networking. He has extensive knowledge of a variety of technologies for meeting the strategic and tactical needs of clients. He has strong real-world, hands-on skills in cybersecurity, with his focus being on implementing policies and operating procedures that help his customers address their cybersecurity demands. He is an experienced leader in determining client needs, delivering solutions, and building relationships.

  • Dale McKay, Senior Technical Marketing Architect, Network and Advanced Security Business Group, VMware


Your feedback is valuable.

To comment on this paper, contact VMware Security Business Unit Technical Marketing at





Associated Content

home-carousel-icon From the action bar MORE button.

Filter Tags

Carbon Black Cloud Workload Document API and Integration Intermediate Integrate