diff --git a/pkg/controllers/securitypolicy/securitypolicy_controller.go b/pkg/controllers/securitypolicy/securitypolicy_controller.go
index f63a41bef..830dec59d 100644
--- a/pkg/controllers/securitypolicy/securitypolicy_controller.go
+++ b/pkg/controllers/securitypolicy/securitypolicy_controller.go
@@ -86,7 +86,7 @@ func deleteSuccess(r *SecurityPolicyReconciler, _ context.Context, o *v1alpha1.S
 	metrics.CounterInc(r.Service.NSXConfig, metrics.ControllerDeleteSuccessTotal, MetricResType)
 }
 
-func setSecurityPolicyErrorAnnotation(ctx context.Context, securityPolicy *v1alpha1.SecurityPolicy, client client.Client, info string) {
+func setSecurityPolicyErrorAnnotation(ctx context.Context, securityPolicy *v1alpha1.SecurityPolicy, isVPCEanbled bool, client client.Client, info string) {
 	if securityPolicy.Annotations == nil {
 		securityPolicy.Annotations = make(map[string]string)
 	}
@@ -94,21 +94,35 @@ func setSecurityPolicyErrorAnnotation(ctx context.Context, securityPolicy *v1alp
 		return
 	}
 	securityPolicy.Annotations[common.NSXOperatorError] = info
-	updateErr := client.Update(ctx, securityPolicy)
+
+	var updateErr error
+	if isVPCEanbled {
+		finalObj := securitypolicy.T1ToVPC(securityPolicy)
+		updateErr = client.Update(ctx, finalObj)
+	} else {
+		updateErr = client.Update(ctx, securityPolicy)
+	}
 	if updateErr != nil {
 		log.Error(updateErr, "Failed to update SecurityPolicy with error annotation")
 	}
 	log.Info("update SecurityPolicy with error annotation", "error", info)
 }
 
-func cleanSecurityPolicyErrorAnnotation(ctx context.Context, securityPolicy *v1alpha1.SecurityPolicy, client client.Client) {
+func cleanSecurityPolicyErrorAnnotation(ctx context.Context, securityPolicy *v1alpha1.SecurityPolicy, isVPCEanbled bool, client client.Client) {
 	if securityPolicy.Annotations == nil {
 		return
 	}
 	if _, exists := securityPolicy.Annotations[common.NSXOperatorError]; exists {
 		delete(securityPolicy.Annotations, common.NSXOperatorError)
 	}
-	updateErr := client.Update(ctx, securityPolicy)
+
+	var updateErr error
+	if isVPCEanbled {
+		finalObj := securitypolicy.T1ToVPC(securityPolicy)
+		updateErr = client.Update(ctx, finalObj)
+	} else {
+		updateErr = client.Update(ctx, securityPolicy)
+	}
 	if updateErr != nil {
 		log.Error(updateErr, "Failed to clean SecurityPolicy annotation")
 	}
@@ -182,13 +196,13 @@ func (r *SecurityPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		if err := r.Service.CreateOrUpdateSecurityPolicy(realObj); err != nil {
 			if errors.As(err, &nsxutil.RestrictionError{}) {
 				log.Error(err, err.Error(), "securitypolicy", req.NamespacedName)
-				setSecurityPolicyErrorAnnotation(ctx, realObj, r.Client, common.ErrorNoDFWLicense)
+				setSecurityPolicyErrorAnnotation(ctx, realObj, securitypolicy.IsVPCEnabled(r.Service), r.Client, common.ErrorNoDFWLicense)
 				updateFail(r, ctx, realObj, &err)
 				return ResultNormal, nil
 			}
 			if nsxutil.IsInvalidLicense(err) {
 				log.Error(err, err.Error(), "securitypolicy", req.NamespacedName)
-				setSecurityPolicyErrorAnnotation(ctx, realObj, r.Client, common.ErrorNoDFWLicense)
+				setSecurityPolicyErrorAnnotation(ctx, realObj, securitypolicy.IsVPCEnabled(r.Service), r.Client, common.ErrorNoDFWLicense)
 				os.Exit(1)
 			}
 			log.Error(err, "create or update failed, would retry exponentially", "securitypolicy", req.NamespacedName)
@@ -196,7 +210,7 @@ func (r *SecurityPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 			return ResultRequeue, err
 		}
 		updateSuccess(r, ctx, realObj)
-		cleanSecurityPolicyErrorAnnotation(ctx, realObj, r.Client)
+		cleanSecurityPolicyErrorAnnotation(ctx, realObj, securitypolicy.IsVPCEnabled(r.Service), r.Client)
 	} else {
 		log.Info("reconciling CR to delete securitypolicy", "securitypolicy", req.NamespacedName)
 		if controllerutil.ContainsFinalizer(obj, finalizerName) {