Extending NSX Security to Additional VLAN-Backed VDS

Introduction

When NSX is already deployed on a cluster with an existing Virtual Distributed Switch (VDS), you may need to extend NSX security protections to workloads on a separate, VLAN-backed VDS, for example when the physical uplinks of the ESXi hosts are connected to another VDS that carries different services. This guide outlines two approaches to securing those workloads with VMware NSX.

Configuration

Protect Workloads Using NSX VLAN-Backed Segments

This method uses NSX segments mapped to a VLAN transport zone to secure traffic for workloads on the new VDS.

1. Create a VLAN Transport Zone

  • Define a new VLAN transport zone in NSX Manager.
  • A transport zone can be attached to only one host switch in a transport node profile, so create a new one for the second VDS rather than reusing a transport zone already bound to the original VDS.

2. Review the Current Transport Node Profile

  • Examine the existing transport node profile to understand which host switches are already configured.

3. Edit the Host Switch Configuration

  • Modify the host switch section of the transport node profile to include both the original and new VDS definitions.

4. Add the Second VDS

  • In the host switch configuration, add the second VDS connected to the VLAN-backed networks.

5. Create NSX VLAN Segments

  • On the newly created VLAN transport zone, define NSX VLAN segments corresponding to the VLANs used by your workloads.

6. Migrate and Test

  • Move a test VM from the VDS port group into the matching NSX VLAN segment.
  • Validate network connectivity, such as by pinging the gateway or other VMs, to confirm segment functionality.

7. Apply Distributed Firewall (DFW) Rules

  • Define and publish DFW policies to control traffic between VMs attached to the NSX segments.

8. Verify Security

  • Test your policies (e.g., block ICMP between test VMs) to confirm that NSX Distributed Firewall rules are enforced as expected.
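The following is an added example (not from the original article or from VMware) that assembles the NSX API requests for steps 1 through 7 as a dry-run plan and checks the one-transport-zone-per-host-switch constraint from step 1 before anything is sent. All IDs, VDS UUIDs, VLAN numbers and the manager hostname are constructed placeholders; the field names follow the NSX 3.x Policy and Manager APIs as the example's author understands them, so verify them against your version before use.

```python
"""Builds the NSX API calls for extending security to a second VLAN-backed VDS.

Added example, not the article's own code. Every identifier below is a
constructed placeholder; field names are assumptions about the NSX 3.x APIs.
"""
import base64
import json
from urllib import request

# Constructed inventory (placeholders; replace with values from your environment).
ORIGINAL_VDS_UUID = "50 2a 00 00-placeholder-original-vds"
SECOND_VDS_UUID = "50 2a 00 00-placeholder-second-vds"
EXISTING_TZ = "tz-overlay-existing"          # already bound to the original VDS
NEW_VLAN_TZ = "tz-vlan-second-vds"           # step 1
WORKLOAD_VLANS = {"seg-app-110": 110, "seg-db-120": 120}  # step 5
TZ_BASE = "/infra/sites/default/enforcement-points/default/transport-zones"


def vlan_transport_zone(tz_id):
    """Step 1: a VLAN-backed transport zone (Policy API; PATCH creates or updates)."""
    body = {"resource_type": "PolicyTransportZone", "display_name": tz_id,
            "tz_type": "VLAN_BACKED"}
    return ("PATCH", f"/policy/api/v1{TZ_BASE}/{tz_id}", body)


def host_switch(vds_uuid, tz_ids, vds_uplinks):
    """One entry of host_switch_spec.host_switches (steps 3 and 4)."""
    return {"host_switch_id": vds_uuid, "host_switch_type": "VDS",
            "host_switch_mode": "STANDARD",
            "transport_zone_endpoints": [{"transport_zone_id": t} for t in tz_ids],
            "uplinks": [{"vds_uplink_name": u, "uplink_name": f"uplink-{i + 1}"}
                        for i, u in enumerate(vds_uplinks)]}


def validate_host_switches(host_switches):
    """A transport zone may be attached to only one host switch per profile."""
    seen = {}
    for hs in host_switches:
        for ep in hs["transport_zone_endpoints"]:
            tz = ep["transport_zone_id"]
            if tz in seen and seen[tz] != hs["host_switch_id"]:
                raise ValueError(f"transport zone {tz} attached to two host switches")
            seen[tz] = hs["host_switch_id"]
    return seen


def transport_node_profile(profile_id, host_switches):
    """Steps 2 to 4: the profile with both VDS definitions (Manager API PUT)."""
    validate_host_switches(host_switches)
    body = {"resource_type": "TransportNodeProfile", "display_name": profile_id,
            "host_switch_spec": {"resource_type": "StandardHostSwitchSpec",
                                 "host_switches": host_switches}}
    return ("PUT", f"/api/v1/transport-node-profiles/{profile_id}", body)


def vlan_segment(seg_id, tz_id, vlan):
    """Step 5: an NSX VLAN segment on the new transport zone."""
    body = {"resource_type": "Segment", "display_name": seg_id,
            "transport_zone_path": f"{TZ_BASE}/{tz_id}", "vlan_ids": [str(vlan)]}
    return ("PATCH", f"/policy/api/v1/infra/segments/{seg_id}", body)


def icmp_block_policy(policy_id, segment_ids):
    """Steps 7 and 8: DFW policy that drops ICMP between VMs on the new segments."""
    rule = {"resource_type": "Rule", "display_name": "drop-icmp-test",
            "source_groups": ["ANY"], "destination_groups": ["ANY"],
            "services": ["/infra/services/ICMP-ALL"], "direction": "IN_OUT",
            "action": "DROP", "logged": True,
            "scope": [f"/infra/segments/{s}" for s in segment_ids]}
    body = {"resource_type": "SecurityPolicy", "display_name": policy_id,
            "category": "Application", "rules": [rule]}
    path = f"/policy/api/v1/infra/domains/default/security-policies/{policy_id}"
    return ("PATCH", path, body)


def plan_extension():
    """Ordered requests for the procedure (the test VM move in step 6 stays manual)."""
    switches = [host_switch(ORIGINAL_VDS_UUID, [EXISTING_TZ], ["Uplink 1", "Uplink 2"]),
                host_switch(SECOND_VDS_UUID, [NEW_VLAN_TZ], ["Uplink 1", "Uplink 2"])]
    plan = [vlan_transport_zone(NEW_VLAN_TZ),
            transport_node_profile("tnp-cluster-a", switches)]
    plan += [vlan_segment(s, NEW_VLAN_TZ, v) for s, v in WORKLOAD_VLANS.items()]
    plan.append(icmp_block_policy("sp-vlan-workloads", list(WORKLOAD_VLANS)))
    return plan


def send(req, manager, user, password, dry_run=True):
    """Sends one planned request to NSX Manager; with dry_run it only renders the body."""
    method, path, body = req
    if dry_run:
        return json.dumps(body, indent=2)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    r = request.Request(f"https://{manager}{path}", method=method,
                        data=json.dumps(body).encode(),
                        headers={"Authorization": f"Basic {token}",
                                 "Content-Type": "application/json"})
    with request.urlopen(r) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for step in plan_extension():
        print(step[0], step[1])
        print(send(step, "nsx-manager.example", "admin", "placeholder-password"))
```

Run it as-is to review the rendered bodies; pass `dry_run=False` only after the transport node profile output has been compared against the profile currently applied to the cluster (step 2), since a PUT replaces the whole profile.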
Awid Dashtgoli