The default configuration of TPCF on NSX creates a SNAT rule on the T0 router via NCP each time an org is created. This is normal behavior.
After this configuration, the SNAT rule is not created on the T0, and the floating IP pool designated for SNAT does allocate an IP after org creation. Also, containers within the org have no connectivity outside the NSX T0 designated for the foundation.
NCP logs on Diego DB VM show entries similar to:
[nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="WARNING"] vmware_nsxlib.v3.client The HTTP request returned error code 400, whereas 201/200 response codes were expected. Response body {'httpStatus': 'BAD_REQUEST', 'error_code': 508035, 'module_name': 'policy', 'error_message': 'Invalid NAT rule action SNAT for HA mode ACTIVE_ACTIVE. Only REFLEXIVE action is supported on ACTIVE-ACTIVE stateless router.'}
[nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="ERROR" security="True" errorCode="NCP00044"] nsx_ujo.ncp.nsx.policy.nsxapi create_t0_snat_rule failed, cause: Unexpected error from backend manager (['nsxt-fqdn']) for PATCH policy/api/v1/infra/tier-0s/edge-gw-t0/nat/USER/nat-rules/nat_rule-ID: Invalid NAT rule action SNAT for HA mode ACTIVE_ACTIVE. Only REFLEXIVE action is supported on ACTIVE-ACTIVE stateless router.
TPCF 6.x
TPCF 10.x
This issue is caused by configuring the T0 router as Active-Active in NSX.
The TAS documentation for NSX-T networking specifies an Active-Passive T0 as a prerequisite.
Configure the T0 as Active-Passive in NSX-T.
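To confirm this cause across an NCP log bundle, the following added example (not part of the original article and not VMware or NCP code) counts `create_t0_snat_rule` failures that carry the Active-Active message and reports the T0 ID taken from the policy path. The function name and the sample log are assumptions; two of the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample: the two entries quoted in this article, plus two invented
# lines (a repeat with a placeholder rule ID, and an unrelated failure cause).
SAMPLE_LOG = """\
[nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="WARNING"] vmware_nsxlib.v3.client The HTTP request returned error code 400, whereas 201/200 response codes were expected. Response body {'httpStatus': 'BAD_REQUEST', 'error_code': 508035, 'module_name': 'policy', 'error_message': 'Invalid NAT rule action SNAT for HA mode ACTIVE_ACTIVE. Only REFLEXIVE action is supported on ACTIVE-ACTIVE stateless router.'}
[nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="ERROR" security="True" errorCode="NCP00044"] nsx_ujo.ncp.nsx.policy.nsxapi create_t0_snat_rule failed, cause: Unexpected error from backend manager (['nsxt-fqdn']) for PATCH policy/api/v1/infra/tier-0s/edge-gw-t0/nat/USER/nat-rules/nat_rule-ID: Invalid NAT rule action SNAT for HA mode ACTIVE_ACTIVE. Only REFLEXIVE action is supported on ACTIVE-ACTIVE stateless router.
[nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="ERROR" security="True" errorCode="NCP00044"] nsx_ujo.ncp.nsx.policy.nsxapi create_t0_snat_rule failed, cause: Unexpected error from backend manager (['nsxt-fqdn']) for PATCH policy/api/v1/infra/tier-0s/edge-gw-t0/nat/USER/nat-rules/nat_rule-PLACEHOLDER: Invalid NAT rule action SNAT for HA mode ACTIVE_ACTIVE. Only REFLEXIVE action is supported on ACTIVE-ACTIVE stateless router.
[nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="ERROR" security="True" errorCode="NCP00044"] nsx_ujo.ncp.nsx.policy.nsxapi create_t0_snat_rule failed, cause: constructed unrelated failure
"""

# Structured-data header, then the free-text message that follows it.
SD_RE = re.compile(r'\[nsx@6876 (?P<sd>[^\]]*)\]\s*(?P<msg>.*)')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# The T0 ID is the path segment after tier-0s/ in the failed PATCH request.
T0_RE = re.compile(r'infra/tier-0s/(?P<t0>[^/\s]+)/nat/')
HA_MSG = "Invalid NAT rule action SNAT for HA mode ACTIVE_ACTIVE"


def find_snat_failures(text):
    """Count Active-Active SNAT rule failures per T0 ID in NCP log text."""
    hits = Counter()
    for line in text.splitlines():
        m = SD_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("sd")))
        msg = m.group("msg")
        if fields.get("comp") != "nsx-container-ncp":
            continue
        # Count only the NCP00044 error; the paired WARNING is the same event.
        if fields.get("errorCode") != "NCP00044":
            continue
        if "create_t0_snat_rule failed" not in msg or HA_MSG not in msg:
            continue  # same error code, different cause: not this issue
        t0 = T0_RE.search(msg)
        hits[t0.group("t0") if t0 else "<unknown>"] += 1
    return hits


if __name__ == "__main__":
    for t0_id, count in find_snat_failures(SAMPLE_LOG).items():
        print(f"T0 {t0_id}: {count} SNAT rule failure(s), HA mode is Active-Active")
```

Each T0 ID it reports is a router whose HA mode needs to be changed as described in the resolution above.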