NSX-T Data Center 3.2.3 Configuration - Maximums

Recommended Configuration Maximums

NSX-T Data Center 3.2.3

Updated on May 26, 2023

Recommended Configuration Limits

You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
[email protected]

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2023 VMware, Inc. All rights reserved. Copyright and trademark information.


This Configuration Maximums tool provides the recommended configuration limits for VMware products.
When you configure, deploy and operate your virtual and physical equipment, it is highly recommended
you stay within the limits supported by your product. The limits presented in the tool are tested,
recommended limits, and are fully supported by VMware.

Disclaimer: The limits can be affected by other factors, such as hardware dependencies. For more information about the
supported hardware, see the appropriate hardware compatibility guide. It might not be possible to maximize all configuration
settings and expect your desired outcome. To ensure that you do not exceed supported configurations for your environment,
consult individual solution limits. The recommended configuration limits do not represent the theoretical possibilities of your
product.


Category | Limit | Value | Description


General : Edge Nodes

A core component of NSX is the Edge node. Edge nodes are formed into clusters to deliver physical connectivity as well as logical routing, load-balancing, NAT and other features.

All Manager Sizes | Edge Nodes Per Cluster | 10
All Manager Sizes | Network Latency between Edge Nodes part of the same Edge Cluster | 10ms
Medium NSX Manager | Edge Clusters | 12
Medium NSX Manager | Edge Nodes | 32
Large NSX Manager | Edge Clusters | 160
Large NSX Manager | Edge Nodes | 320
Bare Metal Edge Node | Fast Path Physical NIC Ports | 16
General : Nodes

NSX has a number of component nodes required for operation of the product. These include the NSX Manager, NSX
Controllers and Hosts that are prepared for NSX. In addition, NSX supports some vCenter objects that are discovered from
vCenter inventory.
Nodes | NSX Managers | 3 | Please review the NSX-T Data Center Installation Guide for details on the various techniques on how to deploy the NSX Manager.
Nodes | Virtual Interfaces per Hypervisor Host | 1,000 | Maximum of 400 virtual interfaces per hypervisor host when doing in-place upgrades.
Nodes | Physical Servers | 1,024 | Non-hypervisor and non-container host machines with at least 16Gb of RAM. Windows Servers can have a maximum of 100 firewall rules each.
Nodes | Hosts per vSphere Cluster | 96
Nodes | Discovered vSphere Clusters | 640
Nodes | NSX Instances per Compute Manager | 16
Nodes | Network Latency between NSX Management Nodes | 10ms | Round-trip time
Nodes | Network Latency between the NSX Management Cluster and Transport Nodes | 150ms | Round-trip time
Nodes | Concurrent Graphical User Interface Users per Manager | 5
Nodes | Audit Log Entries | 1,000,000
Nodes | Transport Nodes per NSX Instance | 1600
Medium NSX Manager | vSphere Clusters Prepared for NSX | 5
Medium NSX Manager | Hypervisor Hosts per NSX Management Cluster | 128 | Any mix of ESXi and/or KVM is supported.
Medium NSX Manager | Compute Managers per NSX Management Cluster | 2
Large NSX Manager | vSphere Clusters Prepared for NSX | 256
Large NSX Manager | Hypervisor Hosts per NSX Management Cluster | 1,024 | Any mix of ESXi and/or KVM is supported.
Large NSX Manager | Compute Managers per NSX Management Cluster | 16
Layer 2 Networking

NSX offers a layer 2 overlay networking solution as well as layer 2 bridging.



Layer 2 Networking : General

General | MAC Identifiers per Overlay Logical Switch (VNI) | 2,048 | Exceeding the maximum MAC identifiers per VNI may lead to flooding and can impact packet performance.
General | MAC Identifiers per Overlay Segment (VNI) | 2,048 | Exceeding the maximum MAC identifiers per VNI may lead to flooding and can impact packet performance.
General | IP Address Bindings used in ARP Discovery | 256
Medium NSX Manager | Logical Switches | 1,000
Medium NSX Manager | System Wide Logical Switch Ports | 2,500
Medium NSX Manager | Segments | 1,000
Medium NSX Manager | System Wide Segment Ports | 2,500
Medium NSX Manager | Distributed Virtual Port Groups | 32,000 | This DVPG limit also applies to segments, with the formula “Number of VDS per vCenter * Number of vCenters * Number of segments” which must be below the DVPG limit.
Large NSX Manager | Logical Switches | 10,000
Large NSX Manager | System Wide Logical Switch Ports | 25,000
Large NSX Manager | Segments | 10,000
Large NSX Manager | System Wide Segment Ports | 25,000
Large NSX Manager | Distributed Virtual Port Groups | 160,000 | This DVPG limit also applies to segments, with the formula “Number of VDS per vCenter * Number of vCenters * Number of segments” which must be below the DVPG limit.
Layer 2 Networking : Bridging

Bridging | MAC Identifiers per VLAN / Segment Pair | 2,048
Bridging | Bridging Profiles | 128
Bridging | Bridge Profiles per Edge Cluster | 32
Bridging | Segment to VLAN Pairs | 4,096 | Bridge between overlay segment (VNI ID) and VLAN ID
Bridging | Segment to VLAN Pairs per Edge Node | 512
Layer 3 Networking : DHCP

NSX provides a DHCP server and relay to deliver IP addresses to DHCP clients.
DHCP | DHCP Relays | 4,000
DHCP | DHCP Servers in DHCP Server Group | 10 | Used by DHCP relay.
DHCP | Static Bindings per DHCP Server Instance | 8,000
DHCP | DHCP Ranges / Pools per DHCP Server Instance | 5
DHCP | System Wide Static Bindings | 50,000
Medium NSX Manager | DHCP Server Instances | 2,000
Medium NSX Manager | System Wide DHCP Pools | 4,000
Large NSX Manager | DHCP Server Instances | 10,000



Large NSX Manager | System Wide DHCP Pools | 20,000
Layer 3 Networking : Logical Routing

NSX provides a multi-tier, in-kernel distributed logical routing system.


Logical Routing | Tier-0 Gateways | 160 | Up to 8 service routers with ECMP in active/active high availability mode per Tier-0 gateway. Up to 2 service routers in active/standby high availability mode per Tier-0 gateway.
Logical Routing | Tier-0 Logical Routers | 160 | Up to 8 service routers with ECMP in active/active high availability mode per Tier-0 logical router. Up to 2 service routers in active/standby high availability mode per Tier-0 logical router.
Logical Routing | Tier-1 Gateways per Tier-0 Gateway | 1,000 | This limit applies to Tier-0 gateway and all the configured VRF on the Tier-0 gateway i.e. this limit is shared for a given Tier-0 gateway and all the configured VRFs on this Tier-0 gateway.
Logical Routing | Tier-1 Logical Routers per Tier-0 Logical Router | 1,000
Logical Routing | Gateways per Hypervisor Host | 1,000
Logical Routing | Logical Routers per Hypervisor Host | 1,000
Logical Routing | Linked Segments per Tier-0 Gateway | 400 | This limit applies to Tier-0 gateway and all the configured VRF on the Tier-0 gateway i.e. this limit is shared for a given Tier-0 gateway and all the configured VRFs on this Tier-0 gateway.
Logical Routing | Downlink per Tier-0 Logical Router | 400
Logical Routing | Linked Segments and Service Interfaces per Tier-1 Gateway | 1,000
Logical Routing | Downlink and CSP Ports per Tier-1 Logical Router | 1,000
Logical Routing | VRFs per Edge Node | 100 | VRF Lite
Logical Routing | ARP Entries per Tier-1 Gateway | 50,000
Logical Routing | ARP Entries per Tier-1 Logical Router | 50,000
Logical Routing | Routes Per Distributed Router | 1,000
Logical Routing | IPv4 Routes Per Edge Node | 500,000 | Requires large, extra large or bare-metal Edge nodes. ECMP (Equal Cost Multi Path) routes will count as a single route entry in the routing table.
Logical Routing | Route-maps per Tier-0 Gateway | 1,280
Logical Routing | Route-maps per Tier-0 Logical Router | 1,280
Logical Routing | Route-map Rules per Route-map | 1,000
Logical Routing | Prefix-lists per Tier-0 Gateway | 500
Logical Routing | Prefix-list Entries per Prefix-list | 50



Logical Routing | ECMP Paths | 8 | This limit applies independently to Gateway Distributed Router (DR) and Gateway Service Router (SR), i.e. a DR can load-balance the traffic towards 8 different SR, then on a given SR it can have up to 8 different paths.
Logical Routing | Service Ports per Trunk per Service Router | 4,000 | When used with EVPN.
Logical Routing | Tier-0 Gateways per Edge Node | 1
Logical Routing | Tier-0 Logical Routers per Edge Node | 1
Logical Routing | Tier-1 Gateways per Edge Node | 1,000
Logical Routing | Tier-1 Logical Routers per Edge Node | 1,000
Logical Routing | Combined External and Service Interfaces per Tier-0 Gateway Service Router | 4,000 | This limit applies to Tier-0 gateway and all the configured VRF on the Tier-0 gateway i.e. this limit is shared for a given Tier-0 gateway and all the configured VRFs on this Tier-0 gateway.
Logical Routing | Prefix-lists per Tier-0 Logical Router | 500
Logical Routing | IPv6 Routes Per Edge Node | 100,000 | ECMP (Equal Cost Multi Path) routes will count as a single route entry in the routing table.
Logical Routing | OSPFv2 Neighbors per Tier-0 Gateway Service Router | 40
Logical Routing | OSPFv2 Router Learned from Neighbors per Tier-0 Gateway Service Router | 50,000
Logical Routing | OSPFv2 Routes Advertised to Neighbors | 10,000
Logical Routing | IPv4 Prefix-lists per NSX Domain | 4,200
Logical Routing | EVPN L2VNI per Tier-0 Gateway Service Router | 200
Logical Routing | EVPN L3VNI per Tier-0 Gateway Service Router | 200
Logical Routing | EVPN Route-Type-5 IPv4 Routes per Tier-0 Gateway Service Router | 400,000
Logical Routing | EVPN Route-Type-5 IPv6 Routes per Tier-0 Gateway Service Router | 100,000
Logical Routing | EVPN Route-Type-3 Routes per Tier-0 Gateway Service Router | 600
Logical Routing | EVPN Route-Type-2 Routes per Tier-0 Gateway Service Router | 800
Medium NSX Manager | Tier-1 Gateways | 400 | Up to 2 service routers in active/standby high availability mode per Tier-1 gateway.
Medium NSX Manager | Tier-1 Logical Routers | 400 | Up to 2 service routers in active/standby high availability mode per Tier-1 logical router.
Large NSX Manager | Tier-1 Gateways | 4,000 | Up to 2 service routers in active/standby high availability mode per Tier-1 gateway.
Large NSX Manager | Tier-1 Logical Routers | 4,000 | Up to 2 service routers in active/standby high availability mode per Tier-1 logical router.



Large Edge Node | BGP Peers per Tier-0 Gateway Service Router | 640 | This limit applies to Tier-0 gateway Service Router (SR), or a single Large Edge VM, and all the configured VRF on the Tier-0 gateway i.e. this limit is shared for a given Tier-0 gateway and all the configured VRFs on this Tier-0 gateway.
Large Edge Node | BGP Peers per Tier-0 Logical Router Service Router | 640 | This limit applies to Tier-0 gateway Service Router (SR), or a single Large Edge VM, and all the configured VRF on the Tier-0 gateway i.e. this limit is shared for a given Tier-0 gateway and all the configured VRFs on this Tier-0 gateway.
Large Edge Node | BFD Peers per Tier-0 Gateway Service Router | 320
Large Edge Node | BFD Peers per Tier-0 Logical Router Service Router | 320
Layer 3 Networking : Multicast

Multicast | System Wide Multicast Groups | 2,000
Multicast | Hosts Participating in Multicast Networking | 200
Multicast | Virtual Interfaces per Host Participating in Multicast Networking | 80
Multicast | Logical Segments per Logical Gateway Participating in Multicast Networking | 100
Multicast | Number of IGMP Groups to which a Virtual NIC can Join in IGMP Snooping | 512 | https://bugzilla.eng.vmware.com/show_bug.cgi?id=2822411
Multicast | Number of IGMP Groups to which a Virtual NIC can Join in Basic Mode | 16
Layer 3 Networking : NAT

NAT | NAT Rules per Tier-1 Logical Router | 8,192
NAT | NAT Rules per Tier-1 Gateway | 8,192
NAT | Total NAT Connections per Edge Node | 4,000,000 | Requires Large or X-Large or Bare-Metal Edge node.
Medium NSX Manager | System-Wide NAT Rules | 4,096
Medium NSX Manager | Tier-1 Logical Routers with NAT Enabled | 400
Medium NSX Manager | Tier-1 Gateways with NAT Enabled | 400
Large NSX Manager | System-Wide NAT Rules | 25,000
Large NSX Manager | Tier-1 Logical Routers with NAT Enabled | 4,000
Large NSX Manager | Tier-1 Gateways with NAT Enabled | 4,000
Firewall : Malware Prevention

Malware Prevention | Files Analyzed using Dynamic Analysis/Sandboxing per Day on Gateway Firewall | 15,000 | Requires an Extra Large Edge Node.
Malware Prevention | Files Analyzed using Static Analysis per Day on Gateway Firewall | 100,000 | Requires an Extra Large Edge Node.



Malware Prevention | Malware Profiles on Gateway Firewall | 50 | Requires an Extra Large Edge Node.
Malware Prevention | Malware Detection Rules on Gateway Firewall | 500 | Requires an Extra Large Edge Node.
Malware Prevention | File Events on Gateway Firewall | 100,000 | Up to 14 days of events stored.
Malware Prevention | Files Analyzed using Dynamic Analysis/Sandboxing per Day on Distributed Firewall | 30,000
Malware Prevention | Files Analyzed using Static Analysis per Day on Distributed Firewall | 100,000
Malware Prevention | Hypervisor Hosts | 512
Malware Prevention | Malware Profiles on Distributed Firewall | 50
Malware Prevention | Malware Detection Rules on Distributed Firewall | 1,000
Malware Prevention | File Events on Distributed Firewall | 700,000 | Up to 14 days of events stored.
Firewall : Intrusion Detection and Prevention

Intrusion Detection | Hypervisor Hosts | 512
Intrusion Detection | IDS Profiles | 25 | Excluding the default.
Intrusion Detection | IDS Rules | 1,000
Intrusion Detection | Events Recorded | 2,000,000 | Up to 14 days of events stored.
Firewall : Identity Firewall

Identity Firewall | VDI Virtual Machines per Host | 250 | Note that the maximum VMs per host where both RDSH and VDI are present is 30.
Identity Firewall | Virtual Machines using Terminal Services per Host | 8 | Note that the maximum VMs per host where both RDSH and VDI are present is 30.
Identity Firewall | RDSH Sessions per RDSH Virtual Machine | 75
Identity Firewall | Hypervisor Hosts | 512 | For the Identity Firewall use case.
Identity Firewall | Virtual Machines per NSX Management Cluster | 15,000 | For the Identity Firewall use case.
Identity Firewall | Total Users in all Active Directory Domains | 500,000
Identity Firewall | Active Directory Groups per Individual User | 600
Medium NSX Manager | Active Directory Domains | 2
Medium NSX Manager | Active Directory Groups | 50,000
Large NSX Manager | Active Directory Domains | 8
Large NSX Manager | Active Directory Groups | 200,000
Firewall : Distributed Firewall

NSX provides a distributed, in-kernel hypervisor host based firewall to achieve micro-segmentation of workloads at the virtual
NIC level.
Distributed Firewall | Logical Ports with Groups Applied | 25,000
Distributed Firewall | System Wide Stateful Firewall Rules | 100,000
Distributed Firewall | Rules per Firewall Section | 1,000
Distributed Firewall | Rules per Group | 512
Distributed Firewall | Firewall Sections | 10,000 | A Firewall Section equates to an OpenStack Security Group.
Distributed Firewall | Rules per Hypervisor Host | 120,000 | Total rules across virtual NICs on a Hypervisor Host.


Distributed Firewall | Rules per Virtual NIC | 4,000
Distributed Firewall | Saved Firewall Rule Configurations | 100 | Only for automatically created draft configurations.
Distributed Firewall | Services | 8,000
Distributed Firewall | Objects per Firewall Rule | 128 | Total configuration objects or groups that can be used per rule inclusive of Source, Destination, Services, Context Profile and Apply To fields.
Distributed Firewall | Service Ports per Service | 15 | Port ranges are treated as two ports.
Firewall : Grouping and Tagging

NSX supports adding metadata to objects in the form of a tag.


Grouping and Tagging | IP Addresses per IP Set | 4,000
Grouping and Tagging | Tags per Object | 30 | Please see other sections for details on Tags per Virtual Machine or Tags per Logical Port.
Grouping and Tagging | Groups Based on Tags | 8,000
Grouping and Tagging | Static Members in a Group | 500 | Static members such as segments, segment ports, virtual machines, and physical server in a group.
Grouping and Tagging | Effective Members in a Group | 8,000 | Effective members are the result of dynamic inclusion criteria (e.g. tag, name) or child groups.
Grouping and Tagging | Group Membership Criteria | 5 | Such as tagging expression or virtual machine.
Grouping and Tagging | Nested Level of Groups | 3
Medium NSX Manager | Groups | 10,000
Medium NSX Manager | Groups Based on IP Sets | 5,000
Medium NSX Manager | IP Sets | 5,000
Large NSX Manager | Groups | 20,000
Large NSX Manager | Groups Based on IP Sets | 10,000
Large NSX Manager | IP Sets | 10,000
Firewall : Gateway Firewall

NSX provides a north / south high-performance Edge based firewall.


Edge Firewall | Firewall Rules per Tier-0 Logical Router | 5,000 | IP sets and groups with static membership only.
Edge Firewall | Firewall Rules per Tier-1 Logical Router | 5,000 | IP sets and groups with static membership only.
Edge Firewall | System Wide Tier-0 Logical Router Firewall Rules | 20,000 | IP sets and groups with static membership only.
Edge Firewall | Firewall Rules per Tier-0 Gateway | 5,000 | IP sets and groups with static membership only.
Edge Firewall | Firewall Rules per Tier-1 Gateway | 5,000 | IP sets and groups with static membership only.
Edge Firewall | System Wide Tier-1 Logical Router Firewall Rules | 55,000 | IP sets and groups with static membership only.
Edge Firewall | System Wide Tier-0 Gateway Firewall Rules | 20,000
Edge Firewall | System Wide Tier-1 Gateway Firewall Rules | 55,000



Edge Firewall | Objects per Firewall Rule | 128 | Total configuration objects or groups that can be used per rule inclusive of Source, Destination, Services, Context Profile and Apply To fields.
Load Balancing : Load Balancer Instances

Load Balancer Instances | Small Load Balancer Instances per Small Edge Node in VM Form Factor | 1
Load Balancer Instances | Small Load Balancer Instances per Medium Edge Node in VM Form Factor | 10
Load Balancer Instances | Medium Load Balancer Instances per Medium Edge Node in VM Form Factor | 1
Load Balancer Instances | Small Load Balancer Instances per Large Edge Node in VM Form Factor | 40
Load Balancer Instances | Medium Load Balancer Instances per Large Edge Node in VM Form Factor | 4
Load Balancer Instances | Large Load Balancer Instances per Large Edge Node in VM Form Factor | 1
Load Balancer Instances | Small Load Balancer Instances per Extra Large Edge Node in VM Form Factor | 80
Load Balancer Instances | Medium Load Balancer Instances per Extra Large Edge Node in VM Form Factor | 8
Load Balancer Instances | Large Load Balancer Instances per Extra Large Edge Node in VM Form Factor | 2
Load Balancer Instances | Extra Large Load Balancer Instances per Extra Large Edge Node in VM Form Factor | 1
Load Balancer Instances | Small Load Balancer Instances per Bare-Metal Edge Node | 750
Load Balancer Instances | Medium Load Balancer Instances per Bare-Metal Edge Node | 75
Load Balancer Instances | Large Load Balancer Instances per Bare-Metal Edge Node | 18
Load Balancer Instances | Extra Large Load Balancer Instances per Bare-Metal Edge Node | 9
Load Balancing : Pool Members per Edge Node

Pool Members per Edge Node | Pool Members per Medium Edge Node | 2,000
Pool Members per Edge Node | Pool Members per Large Edge Node | 7,500
Pool Members per Edge Node | Pool Members per Bare-Metal Edge Node | 30,000
Pool Members per Edge Node | Pool Members per Extra Large Edge Node | 10,000
Load Balancing : Pool Members



Pool Members | Pool Members per Small Load Balancer | 300
Pool Members | Pool Members per Medium Load Balancer | 2,000
Pool Members | Pool Members per Large Load Balancer | 7,500
Pool Members | Pool Members per Extra Large Load Balancer | 10,000
Load Balancing : Pools

Pools | Pools per Small Load Balancer | 60
Pools | Pools per Medium Load Balancer | 300
Pools | Pools per Large Load Balancer | 3,000
Pools | Pools per Extra Large Load Balancer | 4,000
Load Balancing : Virtual Servers

Virtual Servers | Virtual Servers per Small Load Balancer | 20
Virtual Servers | Virtual Servers per Medium Load Balancer | 100
Virtual Servers | Virtual Servers per Large Load Balancer | 1,000
Virtual Servers | Virtual Servers per Extra Large Load Balancer | 2,000
VPN : Layer 2 VPN

L2 VPN | Server Sessions per Medium Edge Node in VM Form Factor | 128
L2 VPN | Server Sessions per Large Edge Node in VM Form Factor | 256
L2 VPN | Client Sessions per Small Edge Node in VM Form Factor | 1
L2 VPN | Client Sessions per Medium Edge Node in VM Form Factor | 1
L2 VPN | Client Sessions per Large Edge Node in VM Form Factor | 1
L2 VPN | Client Sessions per Bare Metal Edge Node | 1
L2 VPN | Logical Segments per Session per Medium Edge Node in VM Form Factor | 512
L2 VPN | Logical Segments per Session per Large Edge Node in VM Form Factor | 512
L2 VPN | Logical Segments per Session per Bare Metal Edge Node | 512
L2 VPN | Server Sessions per Extra Large Edge Node in VM Form Factor | 256
L2 VPN | Server Sessions per Bare Metal Edge Node | 256
L2 VPN | Client Sessions per Extra Large Edge Node in VM Form Factor | 1
L2 VPN | Server Sessions per Small Edge Node in VM Form Factor | 64



VPN : IPsec VPN

IPsec VPN | Sessions per Small Edge Node in VM Form Factor | 128
IPsec VPN | Sessions per Medium Edge Node in VM Form Factor | 256
IPsec VPN | Sessions per Large Edge Node in VM Form Factor | 512
IPsec VPN | Sessions per Bare Metal Edge Node | 512
IPsec VPN | IPsec Tunnels per Session on Medium Edge Node in VM Form Factor | 256
IPsec VPN | IPsec Tunnels per Session on Large Edge Node in VM Form Factor | 256
IPsec VPN | IPsec Tunnels per Session on Bare Metal Edge Node | 512
IPsec VPN | IPsec Tunnels per Small Edge Node in VM Form Factor | 2,048
IPsec VPN | IPsec Tunnels per Medium Edge Node in VM Form Factor | 4,096
IPsec VPN | IPsec Tunnels per Large Edge Node in VM Form Factor | 8,192
IPsec VPN | IPsec Tunnels per Bare Metal Edge Node | 8,192
IPsec VPN | Sessions per Extra Large Edge Node in VM Form Factor | 512
IPsec VPN | IPsec Tunnels per Extra Large Edge Node in VM Form Factor | 4,096
IPsec VPN | IPsec Tunnels per Session on Extra Large Edge Node in VM Form Factor | 256
Guest Introspection

Guest Introspection | Virtual Machines per Host | 250
Guest Introspection | Application Virtual Machines per Host | 40
Guest Introspection | Hosts | 512 | For the guest introspection use case.
Guest Introspection | System Wide Virtual Machines | 15,000 | For the guest introspection use case.
Cloud Native : Tanzu Application Service

NSX integrates with Tanzu Application Service and provides logical networking and security to Cloud Foundry applications.
Tanzu Application Service | Cloud Foundry Orgs | 900
Tanzu Application Service | Cloud Foundry Spaces | 5,000
Tanzu Application Service | Cloud Foundry Applications | 10,000
Tanzu Application Service | Cloud Foundry Application Instances | 25,000
Tanzu Application Service | Cloud Foundry Application Security Groups | 5,000
Tanzu Application Service | Cloud Foundry Rules Across all Application Security Groups | 20,000
Tanzu Application Service | Cloud Foundry Network Policies | 5,000
Tanzu Application Service | Cloud Foundry Diego Cells | 300
Tanzu Application Service | Overlay Logical Switches | 900



Tanzu Application Service | Logical Ports with Firewall Enabled | 25,000
Tanzu Application Service | Tier-0 Logical Routers | 2
Tanzu Application Service | Tier-1 Logical Routers | 900
Tanzu Application Service | Hypervisor Hosts | 200
Tanzu Application Service | Networking and Security Groups with Tags | 10,000
Tanzu Application Service | System Wide Firewall Rules | 30,000
Tanzu Application Service | Firewall Sections | 10,000
Tanzu Application Service | Rules per Firewall Section | 4
Tanzu Application Service | Rules per Hypervisor Host | 800
Tanzu Application Service | Containers / Application Instance per Hypervisor Host | 250
Cloud Native : vSphere with Kubernetes

vSphere with Kubernetes | Hypervisor Hosts | 500 | ESXi hypervisor hosts only.
vSphere with Kubernetes | vSphere (ESXi) Clusters Enabled with vSphere with Kubernetes per NSX Instance | 50
vSphere with Kubernetes | Supervisor Namespaces per NSX Instance | 500
vSphere with Kubernetes | vSphere Pods (PodVM) per NSX Instance | 15,000
vSphere with Kubernetes | Services of Type Cluster IP across per NSX Instance | 5,000 | Distributed Load Balancer Virtual Servers
vSphere with Kubernetes | Services Exposed via Ingress per NSX Instance | 4,000 | Layer 7 Rules on Edge Load Balancer
vSphere with Kubernetes | Services of Type Load Balancer per NSX Instance | 3,250 | Layer 4 Virtual Servers on Edge Load Balancer
vSphere with Kubernetes | Network Policies per NSX Instance | 10,000
vSphere with Kubernetes | Firewall Rules across all Network Policies per NSX Instance | 100,000
vSphere with Kubernetes | Hypervisor Hosts per Supervisor Cluster | 64 | ESXi hypervisor hosts only.
vSphere with Kubernetes | vSphere Pods (PodVM) per Supervisor Cluster | 8,000
vSphere with Kubernetes | Services of Type ClusterIP in one Supervisor Cluster | 2,000 | Distributed Load Balancer Virtual Servers
vSphere with Kubernetes | Services Exposed via Service of Type Load Balancer in one Supervisor Cluster | 1,000 | Layer 4 Virtual Servers on Edge Load Balancer
vSphere with Kubernetes | Services Exposed via Ingress in one Supervisor Cluster | 2,000 | Layer 7 Rules on Edge Load Balancer
vSphere with Kubernetes | Policies in one Supervisor Cluster | 5,000
vSphere with Kubernetes | Firewall Rules in one Network Policy | 900
vSphere with Kubernetes | Firewall Rules across all Network Policies in one Supervisor Cluster | 50,000
Cloud Native : Tanzu Kubernetes Grid Integrated

Tanzu Kubernetes Grid Integrated (Management Plane API) | Kubernetes PODs | 50,000
Tanzu Kubernetes Grid Integrated (Management Plane API) | Kubernetes Clusters | 160
Tanzu Kubernetes Grid Integrated (Management Plane API) | Kubernetes Namespaces | 900 | Dedicated Tier-1 Gateway per Namespace.


Tanzu Kubernetes Grid Integrated (Management Plane API) | Kubernetes Worker Nodes | 1,000 | In single Kubernetes cluster or system wide across all clusters.
Tanzu Kubernetes Grid Integrated (Management Plane API) | PODs per Kubernetes Worker Node | 100
Tanzu Kubernetes Grid Integrated (Management Plane API) | Kubernetes Network Policies | 5,000
Tanzu Kubernetes Grid Integrated (Management Plane API) | Hypervisor Hosts | 200
Tanzu Kubernetes Grid Integrated (Management Plane API) | Kubernetes Worker Nodes per Hypervisor Host | 200
Tanzu Kubernetes Grid Integrated (Management Plane API) | Containers / PODs per Hypervisor Host | 2,000 | On ESXi 6.7 hosts (The limit on ESXi 6.5 is 1,000.)
Tanzu Kubernetes Grid Integrated (Management Plane API) | L7 Kubernetes Services via Ingress Resource per Small Load Balancer | 60
Tanzu Kubernetes Grid Integrated (Management Plane API) | L7 Kubernetes Services via Ingress Resource per Medium Load Balancer | 300
Tanzu Kubernetes Grid Integrated (Management Plane API) | L7 Kubernetes Services via Ingress Resource per Large Load Balancer | 512
Tanzu Kubernetes Grid Integrated (Management Plane API) | L4 Kubernetes Services per Small Load Balancer | 20 | Automatically scales after reaching this limit.
Tanzu Kubernetes Grid Integrated (Management Plane API) | L4 Kubernetes Services per Medium Load Balancer | 100 | Automatically scales after reaching this limit.
Tanzu Kubernetes Grid Integrated (Management Plane API) | L4 Kubernetes Services per Large Load Balancer | 1,000 | Automatically scales after reaching this limit.
Tanzu Kubernetes Grid Integrated (Management Plane API) | Kubernetes Namespaces with Shared Tier-1 Gateway | 4,000 | Namespaces with shared Tier-1 Gateway per Kubernetes cluster.
Tanzu Kubernetes Grid Integrated (Policy API) | Kubernetes PODs | 25,000
Tanzu Kubernetes Grid Integrated (Policy API) | Kubernetes Clusters | 80
Tanzu Kubernetes Grid Integrated (Policy API) | Kubernetes Namespaces | 900 | Dedicated Tier-1 Gateway per Namespace.
Tanzu Kubernetes Grid Integrated (Policy API) | Kubernetes Worker Nodes | 250 | In single Kubernetes cluster or system wide across all clusters.
Tanzu Kubernetes Grid Integrated (Policy API) | PODs per Kubernetes Worker Node | 100
Tanzu Kubernetes Grid Integrated (Policy API) | Kubernetes Network Policies | 2,500
Tanzu Kubernetes Grid Integrated (Policy API) | Hypervisor Hosts | 100
Tanzu Kubernetes Grid Integrated (Policy API) | Kubernetes Worker Nodes per Hypervisor Host | 100
Tanzu Kubernetes Grid Integrated (Policy API) | Containers / PODs per Hypervisor Host | 2,000 | On ESXi 6.7 hosts (The limit on ESXi 6.5 is 1,000.)
Tanzu Kubernetes Grid Integrated (Policy API) | L7 Kubernetes Services via Ingress Resource per Small Load Balancer | 60
Tanzu Kubernetes Grid Integrated (Policy API) | L7 Kubernetes Services via Ingress Resource per Medium Load Balancer | 255
Tanzu Kubernetes Grid Integrated (Policy API) | L7 Kubernetes Services via Ingress Resource per Large Load Balancer | 255
Tanzu Kubernetes Grid Integrated (Policy API) | L4 Kubernetes Services per Small Load Balancer | 20 | Automatically scales after reaching this limit.
Tanzu Kubernetes Grid Integrated (Policy API) | L4 Kubernetes Services per Medium Load Balancer | 100 | Automatically scales after reaching this limit.



Tanzu Kubernetes Grid Integrated (Policy API) | L4 Kubernetes Services per Large Load Balancer | 1,000 | Automatically scales after reaching this limit.
Tanzu Kubernetes Grid Integrated (Policy API) | Kubernetes Namespaces with Shared Tier-1 Gateway | 2,000 | Namespaces with shared Tier-1 Gateway per Kubernetes cluster.
Network Introspection : N-S for Tier-1 Gateways

N-S for Tier-1 Gateways | Partner Services | 4 | Registration of different partner services.
N-S for Tier-1 Gateways | Service Virtual Machines | 200 | Consisting of 100 pairs with one pair per Tier-1 Gateway.
N-S for Tier-1 Gateways | Network Introspection Policies | 1,000
N-S for Tier-1 Gateways | Network Introspection Redirection Rules per Policy | 1,000
N-S for Tier-1 Gateways | Network Introspection Redirection Rules | 10,000
Network Introspection : E-W

E-W | Partner Services | 8
E-W | Service Virtual Machines in a Cluster Based Deployment | 512 | Eight service virtual machines per hypervisor host.
E-W | Network Introspection Policies | 1,000
E-W | Network Introspection Redirection Rules per Policy | 1,000
E-W | Network Introspection Redirection Rules | 10,000
Medium NSX Manager | Service Chains | 4 | Four services per chain.
Large NSX Manager | Service Chains | 24 | Four services per chain.
Network Introspection : N-S for Tier-0 Gateways

N-S for Tier-0 Gateways | Service Insertion Services | 4 | Registration of different partner services.
N-S for Tier-0 Gateways | Service Virtual Machines | 8 | Consisting of four pairs with one pair per Edge node.
N-S for Tier-0 Gateways | Network Introspection Policies | 1,000
N-S for Tier-0 Gateways | Network Introspection Redirection Rules per Policy | 1,000
N-S for Tier-0 Gateways | Network Introspection Redirection Rules | 10,000
Network Introspection : General

General | Logical Ports with Network Introspection Enabled | 25,000
General | Hosts with Network Introspection Rules Enabled | 512 | Hypervisor hosts that participate in redirecting traffic to service virtual machines.
General | Logical Ports per Host with Network Introspection Enabled | 1,000
Federation : General

| Category | Limit | Value | Description |
|---|---|---|---|
| Medium NSX Global Manager | Locations | 4 | |
| Medium NSX Global Manager | Hypervisor Hosts Across all Locations | 128 | |
| Medium NSX Global Manager | Network Latency between Global Manager Active Cluster and Global Manager Standby Cluster | 500ms | Round-trip time |
| Medium NSX Global Manager | Network Latency between Global Manager Active Cluster and Local Manager Cluster | 500ms | Round-trip time |
| Medium NSX Global Manager | Network Latency between Local Manager Clusters across Different Locations | 500ms | Round-trip time |
| Medium NSX Global Manager | Network Latency between Remote TEPs across Different Locations | 150ms | Round-trip time |
| Large NSX Global Manager | Locations | 8 | |
| Large NSX Global Manager | Hypervisor Hosts Across all Locations | 1,024 | |
| Large NSX Global Manager | Network Latency between Global Manager Active Cluster and Global Manager Standby Cluster | 500ms | Round-trip time |
| Large NSX Global Manager | Network Latency between Global Manager Active Cluster and Local Manager Cluster | 500ms | Round-trip time |
| Large NSX Global Manager | Network Latency between Local Manager Clusters across Different Locations | 500ms | Round-trip time |
| Large NSX Global Manager | Network Latency between Remote TEPs across Different Locations | 150ms | Round-trip time |
| Large NSX Global Manager | Physical Servers | 500 | Non-hypervisor and non-container host machines with at least 16Gb of RAM. Windows Servers can have a maximum of 100 firewall rules each. |

Federation : Networking

| Category | Limit | Value | Description |
|---|---|---|---|
| Large NSX Global Manager | RTEP-RTEP Tunnels per Edge Node | 120 | |

Federation : Layer 2

| Category | Limit | Value | Description |
|---|---|---|---|
| Medium NSX Global Manager | Global Segments | 150 | Stretched and Non-Stretched Global Segments |
| Medium NSX Global Manager | Global Segment Ports | 5,000 | Number of ports across stretched and non-stretched segments for all locations |
| Medium NSX Global Manager | Stretched Segments | 150 | Stretched segments and local segments can't exceed maximum local segments. |
| Medium NSX Global Manager | Stretched Segment Ports | 5,000 | Number of ports across stretched segments for all locations. |
| Medium NSX Global Manager | MAC Identifiers per Overlay Segment (VNI) | 1,024 | |
| Large NSX Global Manager | Global Segments | 2,000 | Stretched and Non-Stretched Global Segments |
| Large NSX Global Manager | Global Segment Ports | 60,000 | Number of ports across stretched and non-stretched segments for all locations |
| Large NSX Global Manager | Stretched Segments | 2,000 | Stretched segments and local segments can't exceed maximum local segments. |
| Large NSX Global Manager | Stretched Segment Ports | 34,000 | Number of ports across stretched segments for all locations. |
| Large NSX Global Manager | MAC Identifiers per Overlay Segment (VNI) | 1,024 | |

Federation : Layer 3

| Category | Limit | Value | Description |
|---|---|---|---|
| Layer 3 | Number of Locations per Stretched Tier-0 Gateway | 4 | |
| Layer 3 | Stretched Tier-0 Gateways per Location | 24 | |
| Layer 3 | Locations per Stretched Tier-1 Gateway | 4 | |
| Layer 3 | Stretched Tier-1 Gateways per Location | 620 | |
| Layer 3 | Tier-1 Gateways across all Locations | 620 | Consisting of 2 Service Routers in Active/Standby mode |

Federation : DHCP

| Category | Limit | Value | Description |
|---|---|---|---|
| DHCP | DHCP Server Instances | 4,000 | |

Federation : Grouping and Tagging

| Category | Limit | Value | Description |
|---|---|---|---|
| Medium NSX Global Manager | Groups Based on Tags across all Locations | 900 | Total number of [Location + Regional + Global Region] Groups based on Tag. |
| Medium NSX Global Manager | Groups across Locations | 2,500 | Total number of [Location + Regional + Global Region] Groups of all Type. |
| Medium NSX Global Manager | Global Groups based on Tag | 900 | Total number of Global Region Groups based on Tag. |
| Medium NSX Global Manager | Global Groups | 2,500 | Total number of Global Region Groups of all Type. |
| Medium NSX Global Manager | Groups based on Tags per Location | 900 | Total number of Location specific Groups based on Tags per Location. |
| Medium NSX Global Manager | Groups per Location | 2,500 | Total number of Location specific Groups of all Type per Location. |
| Medium NSX Global Manager | Groups Based on IP Sets across all Locations | 300 | Total number of [Location + Regional + Global Region] Groups based on IP Sets. |
| Medium NSX Global Manager | Virtual Machines per Group | 2,500 | Satisfying the tagging expression. Note that this assumes one virtual interface per virtual machine. It is possible to have virtual machines with more than one virtual interface. Total virtual interfaces must not be more than the published limit. |
| Medium NSX Global Manager | VMs with Tag Replication Across Local Managers | 5,000 | Total number of VMs with at least one tag replicated across Local Manager. |
| Large NSX Global Manager | Groups Based on Tags across all Locations | 8,000 | Total number of [Location + Regional + Global Region] Groups based on Tag. |
| Large NSX Global Manager | Groups across Locations | 10,000 | Total number of [Location + Regional + Global Region] Groups of all Type. |
| Large NSX Global Manager | Global Groups based on Tag | 5,400 | Total number of Global Region Groups based on Tag. |
| Large NSX Global Manager | Global Groups | 6,000 | Total number of Global Region Groups of all Type. |
| Large NSX Global Manager | Groups based on Tags per Location | 4,000 | Total number of Location specific Groups based on Tags per Location. |
| Large NSX Global Manager | Groups per Location | 5,000 | Total number of Location specific Groups of all Type per Location. |
| Large NSX Global Manager | Groups Based on IP Sets across all Locations | 3,900 | Total number of [Location + Regional + Global Region] Groups based on IP Sets. |
| Large NSX Global Manager | Virtual Machines per Group | 9,000 | Satisfying the tagging expression. Note that this assumes one virtual interface per virtual machine. It is possible to have virtual machines with more than one virtual interface. Total virtual interfaces must not be more than the published limit. |
| Large NSX Global Manager | VMs with Tag Replication Across Local Managers | 5,000 | Total number of VMs with at least one tag replicated across Local Manager. |

Federation : Global Firewall

| Category | Limit | Value | Description |
|---|---|---|---|
| Medium NSX Global Manager | Federation Wide Rules per Section | 1,000 | |
| Medium NSX Global Manager | Federation Wide Firewall Sections | 1,000 | |
| Large NSX Global Manager | Federation Wide Rules per Section | 1,000 | |
| Large NSX Global Manager | Federation Wide Firewall Sections | 7,000 | |

Federation : Distributed Firewall

| Category | Limit | Value | Description |
|---|---|---|---|
| Medium NSX Global Manager | Federation wide Stateful Firewall Rules | 7,000 | |
| Medium NSX Global Manager | Stateful Firewall Rules across all Global Firewall Policies | 7,300 | Rules applied to all locations. |
| Medium NSX Global Manager | Stateful Firewall Rules Applied to a Location | 7,300 | |
| Medium NSX Global Manager | Logical Ports with Security Groups Applied | 5,000 | |
| Large NSX Global Manager | Federation wide Stateful Firewall Rules | 50,000 | |
| Large NSX Global Manager | Stateful Firewall Rules across all Global Firewall Policies | 50,000 | Rules applied to all locations. |
| Large NSX Global Manager | Stateful Firewall Rules Applied to a Location | 19,000 | |
| Large NSX Global Manager | Logical Ports with Security Groups Applied | 60,000 | |

Federation : Gateway Firewall

| Category | Limit | Value | Description |
|---|---|---|---|
| Medium NSX Global Manager | Federation Wide Gateway Firewall Rules | 2,900 | |
| Large NSX Global Manager | Federation Wide Gateway Firewall Rules | 6,800 | |
