It looks like HCX does not have some of the security controls we need yet (it really has none). So we are looking for alternatives to stretch Layer 2 into VMC.
For some background, we have multiple business units. Some have their own vCenter. Each has a folder on VMC to run some workloads in VMC. HCX, however, has to be paired with a cloudadmin account. This allows someone to log in to HCX on the on-prem side, enumerate every VM in VMC and then replicate it down to their local vCenter. With secured servers, this breaks all kinds of security guidelines for us. And there does not seem to be a way to disable the "DR" tab in HCX.
So we need an alternative. Can this be done with native NSX or other Layer 2 VPN? What are the supported solutions here?