Flow security policies match the category labels that are attached to a VM.

The policy in the question explicitly allows SSH (port 22) only for VMs whose category key/value is AppType: Admin-VM.

If the blueprint does not stamp that category on the VM at deploy-time, the VM falls under the default “block all” portion of the policy and SSH is denied.

Therefore the blueprint must be modified to assign the AppType: Admin-VM category to every Administrator VM so that the allow-SSH rule is hit.

B. AppType: Web-Servers rule allows only HTTPS; SSH remains blocked.

C. Protection policies govern snapshots/RPO, not network access; no effect on SSH connectivity.

D. Adding users to the Project changes RBAC only; it does not influence Flow security rules applied to VM traffic.

1. Nutanix Flow Network Security Guide v6.5, “Applying Categories to VMs”, pp. 23-24 – explains that security rules act on VMs with matching categories.

2. Nutanix Flow Network Security Guide v6.5, “Creating Traffic Allow Rules Based on Categories”, p. 31 – shows that only VMs with the specified category receive the permit action.

3. Nutanix Calm Administration Guide v3.6, Chap. 4 “Assigning Categories in a Blueprint”, pp. 68-69 – describes adding key/value categories (e.g., AppType: Admin-VM) to blueprint components.

4. Nutanix AOS Data Protection Guide v6.5, “Protection Policies Using Categories”, p. 12 – clarifies protection policies affect snapshots, not network ports.

5. Nutanix Prism Central Admin Guide 2022.9, “Projects and Role-Based Access Control”, p. 45 – RBAC governs user permissions, not VM traffic handling.