Communication via HCX L2 Extension fails after migrating a virtual machine to the destination site.


Article ID: 428132

Products

VMware HCX
VMware Cloud on AWS
VMware NSX

Issue/Introduction

  • NSX Distributed Firewall (DFW) is used at the source site.
  • The Distributed Firewall rules use a group whose members include the source network (NSX segment) of the L2 Extension.
    • For example, an allow rule where this group is applied in the "Source" column.
  • An Any/Any/Drop rule exists at the end of the Distributed Firewall rules.
  • The virtual machine to be migrated is originally connected to the NSX segment that serves as the source network.

Environment

VMware NSX
VMware HCX
VMware Cloud on AWS

Cause

This is a matter of design rather than a functional defect.

After the virtual machine is migrated from the source site to the destination site, the virtual machine connects to the destination network of the L2 Extension and is no longer connected to the NSX segment on the source site.

As a result, the virtual machine is removed from the group membership on the source site.

Once it is removed from the group, the virtual machine falls outside the scope of the Distributed Firewall rule on the source site, and its traffic is blocked by the Any/Any/Drop rule.

Resolution

Review the design of groups that use NSX segments as group members.

As a temporary workaround, add to the group, as a member, an IP address range that includes the IP address of the virtual machine being migrated. IP-based membership does not depend on the virtual machine being attached to the source-site segment, so it survives the migration.
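The membership change described under Cause and the workaround under Resolution, modelled in an added Python example. This is not VMware code and not the NSX data model: the `VM`, `Group` and `Rule` classes, the `evaluate_source_dfw` function and the sample addresses are simplifying assumptions used to show why a segment-based group drops the migrated VM while an IP-range member keeps it in scope.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class VM:
    name: str
    ip: str
    segment: Optional[str]  # None once the VM no longer sits on a source-site NSX segment


# Simplified model (assumption) of a DFW group whose effective membership is
# computed from segment attachment and/or static IP ranges.
@dataclass
class Group:
    name: str
    member_segments: Set[str] = field(default_factory=set)
    member_ip_ranges: List[str] = field(default_factory=list)

    def contains(self, vm: VM) -> bool:
        # Segment membership is dynamic: it disappears as soon as the VM
        # leaves the source-site segment (which is what the HCX migration does).
        if vm.segment is not None and vm.segment in self.member_segments:
            return True
        # IP-range membership is static: the VM keeps its address across the
        # L2 Extension, so this criterion still matches after the migration.
        addr = ip_address(vm.ip)
        return any(addr in ip_network(r, strict=False) for r in self.member_ip_ranges)


@dataclass
class Rule:
    name: str
    source: Optional[Group]  # None means "Any" in the Source column
    action: str              # "ALLOW" or "DROP"


def evaluate_source_dfw(rules: List[Rule], vm: VM) -> str:
    """Return the action of the first rule whose Source column matches the VM."""
    for rule in rules:
        if rule.source is None or rule.source.contains(vm):
            return rule.action
    return "DROP"  # implicit default; not reached when an Any/Any/Drop rule closes the list


def migrate(vm: VM) -> VM:
    """Model an HCX migration: the VM keeps its IP but leaves the source NSX segment."""
    return VM(vm.name, vm.ip, segment=None)


# Constructed sample topology: one extended segment, one app server, one allow
# rule followed by the closing Any/Any/Drop rule from the article.
SEGMENT = "app-seg-01"
WEB01 = VM("web01", "10.10.20.15", segment=SEGMENT)


def build_rules(ip_ranges: List[str] = ()) -> List[Rule]:
    app_servers = Group("app-servers",
                        member_segments={SEGMENT},
                        member_ip_ranges=list(ip_ranges))
    return [
        Rule("allow-app-out", source=app_servers, action="ALLOW"),
        Rule("default-deny", source=None, action="DROP"),
    ]


def outcome_before_migration() -> str:
    return evaluate_source_dfw(build_rules(), WEB01)


def outcome_after_migration() -> str:
    # The VM is no longer on the segment, so it falls out of the group and hits default-deny.
    return evaluate_source_dfw(build_rules(), migrate(WEB01))


def outcome_with_ip_range_workaround() -> str:
    # The workaround from Resolution: add an IP range covering the VM as a group member.
    return evaluate_source_dfw(build_rules(["10.10.20.0/24"]), migrate(WEB01))


if __name__ == "__main__":
    print("before migration:      ", outcome_before_migration())
    print("after migration:       ", outcome_after_migration())
    print("with IP-range member:  ", outcome_with_ip_range_workaround())
```

The same reasoning applies to any dynamic membership criterion that keys on an object the VM leaves behind on the source site; a static IP range (or a tag carried by the workload itself, where the design allows it) is what keeps the migrated VM inside the allow rule's scope.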

Additional Information

After a virtual machine is migrated to the peer site, communication that passes through the HCX L2 Extension stops working.