NSX Controller virtual machines are the DNA of the control plane, hence it is important to take decisions on where to install and connect the controller. Lastly, we don't want the controller to get exposed to users who are leveraging NSX features; basically, no control plane attack.
It's good to know the communication protocol used between NSX Manager, controllers and NSX Edges:
Communication between controller and NSX Manager - HTTPS
Communication between Edge and controller - HTTPS
Ensure that the port requirements mentioned in the following screenshot are met for controller communication:
I know, I keep telling you this: the real power of NSX is all about controllers. How we deploy our controllers, what best practices are implemented, all makes a vital difference in NSX design. You know by now, because of overlay networks, there will be a whole bunch of design best practices...