VMs on NSX Overlay Segments Cannot Access Web Pages (Internet)

Article ID: 418007

Products

VMware NSX

Issue/Introduction

  • Virtual machines (VMs) connected to an NSX overlay segment are unable to load or access any web pages.
  • The issue is specifically observed when VMs are on NSX overlay segments, not on VLAN-backed port groups.
  • Initial troubleshooting confirms that the VMs can successfully ping their default gateway and public DNS servers (e.g., 8.8.8.8), indicating basic network reachability.

Environment

VMware NSX

Cause

  • Initial diagnostics confirmed that VMs could successfully access web services within the same and across subnets, provided they were connected to the same Top of Rack (ToR) switch. This validated that both the NSX configuration and the ToR switch were functioning correctly for local and intra-switch communications.

  • Further connection tests were conducted from the VM on the NSX overlay segment to web services located in the upstream network, specifically those beyond the physical firewall. These attempts consistently failed. This failure indicated that the cause of the issue resided within the upstream network infrastructure, outside of the NSX domain and beyond the ToR switch, pointing towards external network devices like a physical firewall.
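The isolation steps above can be scripted from the affected VM. The following is an added example, not VMware code: it probes a web port on a server behind the same ToR switch and on one beyond the physical firewall, then maps the results to a fault domain, generalizing slightly beyond the single case in this article. The host names, function names and fault labels are assumptions made for illustration.

```python
import socket

def tcp_probe(host, port=443, timeout=3.0):
    """Try a TCP handshake; return 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # a reset came back: something actively rejected it
    except (socket.timeout, TimeoutError):
        return "timeout"   # no answer at all, typical of a silent drop
    except OSError:
        return "error"     # name resolution failure, no route, etc.

def locate_fault(ping_gateway, ping_public, tcp_local, tcp_upstream):
    """Map the four observations to the most likely fault domain."""
    if not ping_gateway:
        return "segment"            # VM cannot reach its own default gateway
    if tcp_local != "open":
        return "nsx-or-tor"         # web traffic fails even behind the same ToR
    if tcp_upstream == "open":
        return "none"
    if ping_public:
        return "upstream-filter"    # ICMP passes but TCP web ports do not
    return "upstream-path"          # nothing gets past the ToR

if __name__ == "__main__":
    # Hypothetical targets: replace with a web server behind the same ToR
    # and one beyond the physical firewall.
    local = tcp_probe("intranet-web.example", 443)
    upstream = tcp_probe("www.example.com", 443)
    # Ping results entered as observed in the article (both succeeded).
    print(local, upstream, locate_fault(True, True, local, upstream))
```

A result of `upstream-filter` matches the situation in this article: successful pings show only that ICMP is permitted, so the web ports still have to be tested separately.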

Resolution

  • The problem was resolved by the user's security team, who identified and corrected misconfigurations within the physical firewall settings.
  • Once the appropriate rules or policies were adjusted on the physical firewall, VMs on the NSX overlay segment were able to successfully access external web pages and the internet.