Virtual machines lose network connectivity when connected to a deleted distributed switch and NSX DFW is applied

Article ID: 384283

Products

VMware NSX

Issue/Introduction

  • NSX security-only deployment.
  • Default DFW (Distributed Firewall) rule set to Reject or Deny.
  • The vCenter database was edited and the distributed switch was deleted.
  • After the edit, vCenter was restored to the pre-edit snapshot.
  • VMs lose connectivity on all distributed portgroups associated with the distributed switch.

Environment

VMware NSX

Cause

In an NSX security-only deployment, NSX does not own the distributed portgroups.
Before the vCenter database was edited, a snapshot of vCenter was taken so that it could be restored to a point prior to the edit if any issue occurred.
When the vCenter DB edit was carried out, NSX polled the compute manager. This triggered a cleanup in NSX of all logical switches, which in turn led to all DFW rules being removed on all hosts, leaving only the default DFW rule.
Virtual machines connected to the portgroups lost connectivity because the DFW contained only the default Deny/Reject rule and no rule allowed traffic to pass.

Resolution

This issue is resolved in NSX-T 4.2.1.1, available from Broadcom downloads.

To work around the issue, set the default DFW rule to Allow.
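Added example, not part of the KB article: a small Python audit script that reads the default Layer 3 DFW rule from the NSX Policy API and reports whether its action is Deny/Reject, i.e. whether the environment matches the precondition described above, so the check can be run before any vCenter database maintenance. The API path (`/policy/api/v1/infra/domains/default/security-policies/default-layer3-section/rules/default-layer3-rule`), the use of basic authentication, and the `action` field name are assumptions about the NSX-T Policy API; verify them against your NSX version.

```python
"""Audit the NSX default Layer 3 DFW rule action.

Added example, not from the KB article. The Policy API path below and the
'action' field name are assumptions about the NSX-T Policy API.
"""
import base64
import json
import ssl
import sys
import urllib.request

# Assumed Policy API path of the default Layer 3 DFW rule.
DEFAULT_RULE_PATH = (
    "/policy/api/v1/infra/domains/default/security-policies/"
    "default-layer3-section/rules/default-layer3-rule"
)

# Actions that match the KB's precondition: if only this rule is left after
# NSX cleans up its logical switches, VM traffic is blocked.
BLOCKING_ACTIONS = {"DROP", "REJECT"}


def rule_action(rule_json: dict) -> str:
    """Return the normalised action of a DFW rule document (e.g. 'ALLOW')."""
    action = rule_json.get("action")
    if not isinstance(action, str):
        raise ValueError("rule document has no 'action' field")
    return action.upper()


def assess_default_rule(rule_json: dict) -> dict:
    """Classify the default rule against the failure mode described in the KB."""
    action = rule_action(rule_json)
    exposed = action in BLOCKING_ACTIONS
    if exposed:
        message = (
            f"default rule is {action}: if NSX removes all DFW rules "
            "(e.g. after a distributed switch cleanup), VMs lose connectivity"
        )
    else:
        message = f"default rule is {action}: VMs keep connectivity if other rules are removed"
    return {"action": action, "exposed": exposed, "message": message}


def fetch_default_rule(manager: str, user: str, password: str, verify_tls: bool = True) -> dict:
    """GET the default Layer 3 rule document from an NSX Manager using basic auth."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{manager}{DEFAULT_RULE_PATH}",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: dfw_default_audit.py <nsx-manager> <user> <password>")
    result = assess_default_rule(fetch_default_rule(*sys.argv[1:4]))
    print(json.dumps(result, indent=2))
    # Non-zero exit makes the check usable as a gate in a maintenance runbook.
    sys.exit(1 if result["exposed"] else 0)
```

The script exits non-zero when the default rule is Deny/Reject, so it can gate a change window that touches the vCenter database. Note that the Allow workaround removes the deny-by-default posture of the DFW, so it is best treated as a temporary step until the upgrade to NSX-T 4.2.1.1 is complete.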