VMware NSX

It is stated that when a VM moves from one host to another, both the rules table and the connection table for DFW move with it. However, if the "Applied To" field is set to Distributed Firewall, then the rule table isn't really moving with the VM, right? Since the rules are already configured on every host. Therefore it will only be the Connection table that movies with the VM. Is my understanding correct?

Also, what happens when a VM moves to another host but the Applied To field doesn't cover that host? In other words, rule is Applied To ESXi 1 & ESXi 2, but the VM moves to ESXi 3. In that case, I am assuming the Applied To field will have to be updated in order to have the correct rules applied on the ESXi 3?

Thanks!!

The rules are applied to the DFW slot in the I/O chain associated with vNIC of the VM (unless of course they are Edge rules).  When using the "Applied to" field, the rule set is applied only to a VM when it exists in the context specified.  If the VM leaves the context specified in the "Applied To" setting of the rule, then the rule is no longer applied to the VM.

Yes, if you specify that Applied To field as two hosts in a cluster, add a third host to the cluster, and not update the Applied To field, you could result in DRS migrating a VM to the host that does not is not listed in the Applied To field.  In that case, it's best to apply to the cluster, rather than the host.