Recommended Configuration Maximums

NSX-T Data Center 3.2.0


Updated on January 28, 2023
Recommended Configuration Limits

You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
configmaxtool@vmware.com

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2021-2023 VMware, Inc. All rights reserved. Copyright and trademark information.


This Configuration Maximums tool provides the recommended configuration limits for VMware products.
When you configure, deploy and operate your virtual and physical equipment, it is highly recommended
you stay within the limits supported by your product. The limits presented in the tool are tested,
recommended limits, and are fully supported by VMware.

Disclaimer: The limits can be affected by other factors, such as hardware dependencies. For more information about the
supported hardware, see the appropriate hardware compatibility guide. It might not be possible to maximize all configuration
settings and expect your desired outcome. To ensure that you do not exceed supported configurations for your environment,
consult individual solution limits. The recommended configuration limits do not represent the theoretical possibilities of your
product.


Category | Limit | Value | Description

General : Edge Nodes

A core component of NSX is the Edge node. Edge nodes are formed into clusters to deliver physical connectivity as well as logical
routing, load-balancing, NAT and other features.
All Manager Sizes | Edge Nodes Per Cluster | 10 |
All Manager Sizes | Network Latency between Edge Nodes part of the same Edge Cluster | 10ms |
Medium NSX Manager | Edge Clusters | 12 |
Medium NSX Manager | Edge Nodes | 32 |
Large NSX Manager | Edge Clusters | 160 |
Large NSX Manager | Edge Nodes | 320 |
Bare Metal Edge Node | Fast Path Physical NIC Ports | 16 |

General : Nodes

NSX has a number of component nodes required for operation of the product. These include the NSX Manager, NSX
Controllers and Hosts that are prepared for NSX. In addition, NSX supports some vCenter objects that are discovered from
vCenter inventory.
Nodes | NSX Managers | 3 | Please review the NSX-T Data Center Installation Guide for details on the various techniques on how to deploy the NSX Manager.
Nodes | Virtual Interfaces per Hypervisor Host | 1,000 | Maximum of 400 virtual interfaces per hypervisor host when doing in-place upgrades.
Nodes | Compute Managers per NSX Management Cluster | 16 | Used for inventory collection. Supports only vCenter compute managers.
Nodes | Physical Servers | 1,024 | Non-hypervisor and non-container host machines with at least 16Gb of RAM. Windows Servers can have a maximum of 100 firewall rules each.
Nodes | Hosts per vSphere Cluster | 96 |
Nodes | Discovered vSphere Clusters | 640 |
Nodes | NSX Instances per Compute Manager | 1 |
Nodes | Network Latency between NSX Management Nodes | 10ms |
Nodes | Network Latency between the NSX Management Cluster and Transport Nodes | 150ms |
Nodes | Concurrent Graphical User Interface Users per Manager | 5 |
Nodes | Audit Log Entries | 1,000,000 |
Nodes | Transport Nodes per NSX Instance | 1600 |
Medium NSX Manager | vSphere Clusters Prepared for NSX | 5 |
Medium NSX Manager | Hypervisor Hosts per NSX Management Cluster | 128 | Any mix of ESXi and/or KVM is supported.
Large NSX Manager | vSphere Clusters Prepared for NSX | 256 |
Large NSX Manager | Hypervisor Hosts per NSX Management Cluster | 1,024 | Any mix of ESXi and/or KVM is supported.

Layer 2 Networking

NSX offers a layer 2 overlay networking solution as well as layer 2 bridging.

Layer 2 Networking : General

General | MAC Identifiers per Overlay Logical Switch (VNI) | 2,048 | Exceeding the maximum MAC identifiers per VNI may lead to flooding and can impact packet performance.
General | MAC Identifiers per Overlay Segment (VNI) | 2,048 | Exceeding the maximum MAC identifiers per VNI may lead to flooding and can impact packet performance.
General | IP Address Bindings used in ARP Discovery | 256 |
Medium NSX Manager | Logical Switches | 1,000 |
Medium NSX Manager | System Wide Logical Switch Ports | 2,500 |
Medium NSX Manager | Segments | 1,000 |
Medium NSX Manager | System Wide Segment Ports | 2,500 |
Medium NSX Manager | Distributed Virtual Port Groups | 32,000 | This DVPG limit also applies to segments, with the formula “Number of VDS per vCenter * Number of vCenters * Number of segments” which must be below the DVPG limit.
Large NSX Manager | Logical Switches | 10,000 |
Large NSX Manager | System Wide Logical Switch Ports | 25,000 |
Large NSX Manager | Segments | 10,000 |
Large NSX Manager | System Wide Segment Ports | 25,000 |
Large NSX Manager | Distributed Virtual Port Groups | 160,000 | This DVPG limit also applies to segments, with the formula “Number of VDS per vCenter * Number of vCenters * Number of segments” which must be below the DVPG limit.

Layer 2 Networking : Bridging

Bridging | MAC Identifiers per VLAN / Segment Pair | 2,048 |
Bridging | Bridging Profiles | 128 |
Bridging | Bridge Profiles per Edge Cluster | 32 |
Bridging | Segment to VLAN Pairs | 4,096 | Bridge between overlay segment (VNI ID) and VLAN ID
Bridging | Segment to VLAN Pairs per Edge Node | 512 |

Layer 3 Networking : DHCP

NSX provides a DHCP server and relay to deliver IP addresses to DHCP clients.
DHCP | DHCP Relays | 4,000 |
DHCP | DHCP Servers in DHCP Server Group | 10 | Used by DHCP relay.
DHCP | DHCP Server Instances | 10,000 |
DHCP | Static Bindings per DHCP Server Instance | 8,000 | https://bugzilla.eng.vmware.com/show_bug.cgi?id=2745868
DHCP | DHCP Ranges / Pools per DHCP Server Instance | 5 |
DHCP | System Wide DHCP Pools | 20,000 |
DHCP | System Wide Static Bindings | 50,000 | https://bugzilla.eng.vmware.com/show_bug.cgi?id=2745868

Layer 3 Networking : Logical Routing

NSX provides a multi-tier, in-kernel distributed logical routing system.
Logical Routing | Tier-0 Gateways | 160 | Up to 8 service routers with ECMP in active/active high availability mode per Tier-0 gateway. Up to 2 service routers in active/standby high availability mode per Tier-0 gateway.
Logical Routing | Tier-0 Logical Routers | 160 | Up to 8 service routers with ECMP in active/active high availability mode per Tier-0 logical router. Up to 2 service routers in active/standby high availability mode per Tier-0 logical router.
Logical Routing | Tier-1 Gateways | 4,000 | Up to 2 service routers in active/standby high availability mode per Tier-1 gateway.
Logical Routing | Tier-1 Logical Routers | 4,000 | Up to 2 service routers in active/standby high availability mode per Tier-1 logical routers.
Logical Routing | Tier-1 Gateways per Tier-0 Gateway | 1,000 | This limit applies to Tier-0 gateway and all the configured VRF on the Tier-0 gateway i.e. this limit is shared for a given Tier-0 gateway and all the configured VRFs on this Tier-0 gateway.
Logical Routing | Tier-1 Logical Routers per Tier-0 Logical Router | 1,000 |
Logical Routing | Gateways per Hypervisor Host | 1,000 |
Logical Routing | Logical Routers per Hypervisor Host | 1,000 |
Logical Routing | Linked Segments per Tier-0 Gateway | 400 | This limit applies to Tier-0 gateway and all the configured VRF on the Tier-0 gateway i.e. this limit is shared for a given Tier-0 gateway and all the configured VRFs on this Tier-0 gateway.
Logical Routing | Downlink per Tier-0 Logical Router | 400 |
Logical Routing | Linked Segments and Service Interfaces per Tier-1 Gateway | 1,000 |
Logical Routing | Downlink and CSP Ports per Tier-1 Logical Router | 1,000 |
Logical Routing | VRFs per Edge Node | 100 | vRF Lite
Logical Routing | ARP Entries per Tier-1 Gateway | 50,000 |
Logical Routing | ARP Entries per Tier-1 Logical Router | 50,000 |
Logical Routing | Routes Per Distributed Router | 1,000 |
Logical Routing | IPv4 Routes Per Edge Node | 500,000 | Requires large, extra large or bare-metal Edge nodes. ECMP (Equal Cost Multi Path) routes will count as a single route entry in the routing table.
Logical Routing | BGP Peers per Tier-0 Gateway Service Router | 640 | This limit applies to Tier-0 gateway and all the configured VRF on the Tier-0 gateway i.e. this limit is shared for a given Tier-0 gateway and all the configured VRFs on this Tier-0 gateway.
Logical Routing | BGP Peers per Tier-0 Logical Router Service Router | 640 |
Logical Routing | Route-maps per Tier-0 Gateway | 1,280 |
Logical Routing | Route-maps per Tier-0 Logical Router | 1,280 |
Logical Routing | Route-map Rules per Route-map | 1,000 |
Logical Routing | Prefix-lists per Tier-0 Gateway | 500 |
Logical Routing | Prefix-list Entries per Prefix-list | 50 |
Logical Routing | ECMP Paths | 8 | This limit applies independently to Gateway Distributed Router (DR) and Gateway Service Router (SR), i.e. a DR can load-balance the traffic towards 8 different SR, then on a given SR it can have up to 8 different paths.
Logical Routing | Service Ports per Trunk per Service Router | 4,000 | When used with EVPN.
Logical Routing | Tier-0 Gateways per Edge Node | 1 |
Logical Routing | Tier-0 Logical Routers per Edge Node | 1 |
Logical Routing | Tier-1 Gateways per Edge Node | 1,000 |
Logical Routing | Tier-1 Logical Routers per Edge Node | 1,000 |
Logical Routing | Combined External and Service Interfaces per Tier-0 Gateway Service Router | 4,000 | This limit applies to Tier-0 gateway and all the configured VRF on the Tier-0 gateway i.e. this limit is shared for a given Tier-0 gateway and all the configured VRFs on this Tier-0 gateway.
Logical Routing | Prefix-lists per Tier-0 Logical Router | 500 |
Logical Routing | IPv6 Routes Per Edge Node | 100,000 | ECMP (Equal Cost Multi Path) routes will count as a single route entry in the routing table.
Logical Routing | BFD Peers per Tier-0 Gateway Service Router | 320 |
Logical Routing | BFD Peers per Tier-0 Logical Router Service Router | 320 |
Logical Routing | OSPFv2 Neighbors per Tier-0 Gateway Service Router | 40 |
Logical Routing | OSPFv2 Router Learned from Neighbors per Tier-0 Gateway Service Router | 50,000 |
Logical Routing | OSPFv2 Routes Advertised to Neighbors | 10,000 |
Logical Routing | IPv4 Prefix-lists per NSX Domain | 4,200 |
Logical Routing | EVPN L2VNI per Tier-0 Gateway Service Router | 200 |
Logical Routing | EVPN L3VNI per Tier-0 Gateway Service Router | 200 |
Logical Routing | EVPN Route-Type-5 IPv4 Routes per Tier-0 Gateway Service Router | 400,000 |
Logical Routing | EVPN Route-Type-5 IPv6 Routes per Tier-0 Gateway Service Router | 100,000 |
Logical Routing | EVPN Route-Type-3 Routes per Tier-0 Gateway Service Router | 600 |
Logical Routing | EVPN Route-Type-2 Routes per Tier-0 Gateway Service Router | 800 |

Layer 3 Networking : Multicast

Multicast | System Wide Multicast Groups | 2,000 |
Multicast | Hosts Participating in Multicast Networking | 200 |
Multicast | Virtual Interfaces per Host Participating in Multicast Networking | 80 |
Multicast | Logical Segments per Logical Gateway Participating in Multicast Networking | 100 |
Multicast | Number of IGMP Groups to which a Virtual NIC can Join in IGMP Snooping | 512 | https://bugzilla.eng.vmware.com/show_bug.cgi?id=2822411
Multicast | Number of IGMP Groups to which a Virtual NIC can Join in Basic Mode | 16 |

Layer 3 Networking : NAT

NAT | Tier-1 Logical Routers with NAT Enabled | 4,000 |
NAT | NAT Rules per Tier-1 Logical Router | 8,192 |
NAT | System-Wide NAT Rules | 25,000 |
NAT | Tier-1 Gateways with NAT Enabled | 4,000 |
NAT | NAT Rules per Tier-1 Gateway | 8,192 |
NAT | Total NAT Connections per Edge Node | 4,000,000 | Requires Large or X-Large or Bare-Metal Edge node.

Firewall : Intrusion Detection and Prevention

Intrusion Detection | Hypervisor Hosts | 512 |
Intrusion Detection | IDS Profiles | 25 | Excluding the default.
Intrusion Detection | IDS Rules | 1,000 |
Intrusion Detection | Events Recorded | 2,000,000 | Up to 14 days of events stored.

Firewall : Identity Firewall

Identity Firewall | VDI Virtual Machines per Host | 250 | Note that the maximum VMs per host where both RDSH and VDI are present is 30.
Identity Firewall | Virtual Machines using Terminal Services per Host | 8 | Note that the maximum VMs per host where both RDSH and VDI are present is 30.
Identity Firewall | RDSH Sessions per RDSH Virtual Machine | 75 |
Identity Firewall | Active Directory Domains | 8 |
Identity Firewall | Active Directory Groups | 200,000 |
Identity Firewall | Hypervisor Hosts | 512 | For the Identity Firewall use case.
Identity Firewall | Virtual Machines per NSX Management Cluster | 15,000 | For the Identity Firewall use case.
Identity Firewall | Total Users in all Active Directory Domains | 500,000 |
Identity Firewall | Active Directory Groups per Individual User | 600 |

Firewall : Grouping and Tagging

NSX supports adding metadata to objects in the form of a tag.
Grouping and Tagging | Groups Based on IP Sets | 10,000 |
Grouping and Tagging | IP Addresses per IP Set | 4,000 |
Grouping and Tagging | Tags per Object | 30 | Please see other sections for details on Tags per Virtual Machine or Tags per Logical Port.
Grouping and Tagging | IP Sets | 10,000 |
Grouping and Tagging | Groups Based on Tags | 8,000 |
Grouping and Tagging | Groups | 20,000 |
Grouping and Tagging | Static Members in a Group | 500 | Static members such as segments, segment ports, virtual machines, and physical server in a group.
Grouping and Tagging | Effective Members in a Group | 8,000 | Effective members are the result of dynamic inclusion criteria (e.g. tag, name) or child groups.
Grouping and Tagging | Group Membership Criteria | 5 | Such as tagging expression or virtual machine.
Grouping and Tagging | Nested Level of Groups | 3 |

Firewall : Gateway Firewall

NSX provides a north / south high-performance Edge based firewall.
Edge Firewall | Firewall Rules per Tier-0 Logical Router | 5,000 | IP sets and groups with static membership only.
Edge Firewall | Firewall Rules per Tier-1 Logical Router | 5,000 | IP sets and groups with static membership only.
Edge Firewall | System Wide Tier-0 Logical Router Firewall Rules | 20,000 | IP sets and groups with static membership only.
Edge Firewall | Firewall Rules per Tier-0 Gateway | 5,000 | IP sets and groups with static membership only.
Edge Firewall | Firewall Rules per Tier-1 Gateway | 5,000 | IP sets and groups with static membership only.
Edge Firewall | System Wide Tier-1 Logical Router Firewall Rules | 55,000 | IP sets and groups with static membership only.
Edge Firewall | System Wide Tier-0 Gateway Firewall Rules | 20,000 |
Edge Firewall | System Wide Tier-1 Gateway Firewall Rules | 55,000 |
Edge Firewall | Objects per Firewall Rule | 128 | Total configuration objects or groups that can be used per rule inclusive of Source, Destination, Services, Context Profile and Apply To fields.

Firewall : Distributed Firewall

NSX provides a distributed, in-kernel hypervisor host based firewall to achieve micro-segmentation of workloads at the virtual
NIC level.
Distributed Firewall | Logical Ports with Groups Applied | 25,000 |
Distributed Firewall | System Wide Stateful Firewall Rules | 100,000 |
Distributed Firewall | Rules per Firewall Section | 1,000 |
Distributed Firewall | Rules per Group | 512 |
Distributed Firewall | Firewall Sections | 10,000 | A Firewall Section equates to an OpenStack Security Group.
Distributed Firewall | Rules per Hypervisor Host | 120,000 | Total rules across virtual NICs on a Hypervisor Host.
Distributed Firewall | Rules per Virtual NIC | 4,000 |
Distributed Firewall | Saved Firewall Rule Configurations | 100 | Only for automatically created drafts configurations.
Distributed Firewall | Services | 8,000 |
Distributed Firewall | Objects per Firewall Rule | 128 | Total configuration objects or groups that can be used per rule inclusive of Source, Destination, Services, Context Profile and Apply To fields.
Distributed Firewall | Service Ports per Service | 15 | Port ranges are treated as two ports.

Load Balancing : Pool Members per Edge Node

Pool Members per Edge Node | Pool Members per Medium Edge Node | 2,000 |
Pool Members per Edge Node | Pool Members per Large Edge Node | 7,500 |
Pool Members per Edge Node | Pool Members per Bare-Metal Edge Node | 30,000 |
Pool Members per Edge Node | Pool Members per Extra Large Edge Node | 10,000 |

Load Balancing : Load Balancer Instances

Load Balancer Instances | Small Load Balancer Instances per Small Edge Node in VM Form Factor | 1 |
Load Balancer Instances | Small Load Balancer Instances per Medium Edge Node in VM Form Factor | 10 |
Load Balancer Instances | Medium Load Balancer Instances per Medium Edge Node in VM Form Factor | 1 |
Load Balancer Instances | Small Load Balancer Instances per Large Edge Node in VM Form Factor | 40 |
Load Balancer Instances | Medium Load Balancer Instances per Large Edge Node in VM Form Factor | 4 |
Load Balancer Instances | Large Load Balancer Instances per Large Edge Node in VM Form Factor | 1 |
Load Balancer Instances | Small Load Balancer Instances per Extra Large Edge Node in VM Form Factor | 80 |
Load Balancer Instances | Medium Load Balancer Instances per Extra Large Edge Node in VM Form Factor | 8 |
Load Balancer Instances | Large Load Balancer Instances per Extra Large Edge Node in VM Form Factor | 2 |
Load Balancer Instances | Extra Large Load Balancer Instances per Extra Large Edge Node in VM Form Factor | 1 |
Load Balancer Instances | Small Load Balancer Instances per Bare-Metal Edge Node | 750 |
Load Balancer Instances | Medium Load Balancer Instances per Bare-Metal Edge Node | 75 |
Load Balancer Instances | Large Load Balancer Instances per Bare-Metal Edge Node | 18 |
Load Balancer Instances | Extra Large Load Balancer Instances per Bare-Metal Edge Node | 9 |
Load Balancing : Pool Members

Pool Members | Pool Members per Small Load Balancer | 300 |
Pool Members | Pool Members per Medium Load Balancer | 2,000 |
Pool Members | Pool Members per Large Load Balancer | 7,500 |
Pool Members | Pool Members per Extra Large Load Balancer | 10,000 |

Load Balancing : Pools

Pools | Pools per Small Load Balancer | 60 |
Pools | Pools per Medium Load Balancer | 300 |
Pools | Pools per Large Load Balancer | 3,000 |
Pools | Pools per Extra Large Load Balancer | 4,000 |

Load Balancing : Virtual Servers

Virtual Servers | Virtual Servers per Small Load Balancer | 20 |
Virtual Servers | Virtual Servers per Medium Load Balancer | 100 |
Virtual Servers | Virtual Servers per Large Load Balancer | 1,000 |
Virtual Servers | Virtual Servers per Extra Large Load Balancer | 2,000 |

VPN : Layer 2 VPN

L2 VPN | Server Sessions per Medium Edge Node in VM Form Factor | 128 |
L2 VPN | Server Sessions per Large Edge Node in VM Form Factor | 256 |
L2 VPN | Client Sessions per Small Edge Node in VM Form Factor | 1 |
L2 VPN | Client Sessions per Medium Edge Node in VM Form Factor | 1 |
L2 VPN | Client Sessions per Large Edge Node in VM Form Factor | 1 |
L2 VPN | Client Sessions per Bare Metal Edge Node | 1 |
L2 VPN | Logical Segments per Session per Medium Edge Node in VM Form Factor | 512 |
L2 VPN | Logical Segments per Session per Large Edge Node in VM Form Factor | 512 |
L2 VPN | Logical Segments per Session per Bare Metal Edge Node | 512 |
L2 VPN | Server Sessions per Extra Large Edge Node in VM Form Factor | 256 |
L2 VPN | Server Sessions per Bare Metal Edge Node | 256 |
L2 VPN | Client Sessions per Extra Large Edge Node in VM Form Factor | 1 |
L2 VPN | Server Sessions per Small Edge Node in VM Form Factor | 64 |

VPN : IPsec VPN

IPsec VPN | Sessions per Small Edge Node in VM Form Factor | 128 |
IPsec VPN | Sessions per Medium Edge Node in VM Form Factor | 256 |
IPsec VPN | Sessions per Large Edge Node in VM Form Factor | 512 |
IPsec VPN | Sessions per Bare Metal Edge Node | 512 |
IPsec VPN | IPsec Tunnels per Session on Medium Edge Node in VM Form Factor | 256 |
IPsec VPN | IPsec Tunnels per Session on Large Edge Node in VM Form Factor | 256 |
IPsec VPN | IPsec Tunnels per Session on Bare Metal Edge Node | 512 |
IPsec VPN | IPsec Tunnels per Small Edge Node in VM Form Factor | 2,048 |
IPsec VPN | IPsec Tunnels per Medium Edge Node in VM Form Factor | 4,096 |
IPsec VPN | IPsec Tunnels per Large Edge Node in VM Form Factor | 8,192 |
IPsec VPN | IPsec Tunnels per Bare Metal Edge Node | 8,192 |
IPsec VPN | Sessions per Extra Large Edge Node in VM Form Factor | 512 |
IPsec VPN | IPsec Tunnels per Extra Large Edge Node in VM Form Factor | 4,096 |
IPsec VPN | IPsec Tunnels per Session on Extra Large Edge Node in VM Form Factor | 256 |

Guest Introspection

Guest Introspection | Virtual Machines per Host | 250 |
Guest Introspection | Application Virtual Machines per Host | 40 |
Guest Introspection | Hosts | 512 | For the guest introspection use case.
Guest Introspection | System Wide Virtual Machines | 15,000 | For the guest introspection use case.

Cloud Native : vSphere with Kubernetes

vSphere with Kubernetes | Hypervisor Hosts | 500 | ESXi hypervisor hosts only.
vSphere with Kubernetes | vSphere (ESXi) Clusters Enabled with vSphere with Kubernetes per NSX Instance | 50 |
vSphere with Kubernetes | Supervisor Namespaces per NSX Instance | 500 |
vSphere with Kubernetes | vSphere Pods (PodVM) per NSX Instance | 15,000 |
vSphere with Kubernetes | Services of Type Cluster IP across per NSX Instance | 5,000 | Distributed Load Balancer Virtual Servers
vSphere with Kubernetes | Services Exposed via Ingress per NSX Instance | 4,000 | Layer 7 Rules on Edge Load Balancer
vSphere with Kubernetes | Services of Type Load Balancer per NSX Instance | 3,250 | Layer 4 Virtual Servers on Edge Load Balancer
vSphere with Kubernetes | Network Policies per NSX Instance | 10,000 |
vSphere with Kubernetes | Firewall Rules across all Network Policies per NSX Instance | 100,000 |
vSphere with Kubernetes | Hypervisor Hosts per Supervisor Cluster | 64 | ESXi hypervisor hosts only.
vSphere with Kubernetes | vSphere Pods (PodVM) per Supervisor Cluster | 8,000 |
vSphere with Kubernetes | Services of Type ClusterIP in one Supervisor Cluster | 2,000 | Distributed Load Balancer Virtual Servers
vSphere with Kubernetes | Services Exposed via Service of Type Load Balancer in one Supervisor Cluster | 1,000 | Layer 4 Virtual Servers on Edge Load Balancer
vSphere with Kubernetes | Services Exposed via Ingress in one Supervisor Cluster | 2,000 | Layer 7 Rules on Edge Load Balancer
vSphere with Kubernetes | Policies in one Supervisor Cluster | 5,000 |
vSphere with Kubernetes | Firewall Rules in one Network Policy | 900 |
vSphere with Kubernetes | Firewall Rules across all Network Policies in one Supervisor Cluster | 50,000 |

Cloud Native : Tanzu Kubernetes Grid Integrated

Tanzu Kubernetes Grid Integrated (TKGI) | Kubernetes PODs | 50,000 |
Tanzu Kubernetes Grid Integrated (TKGI) | Kubernetes Clusters | 160 |
Tanzu Kubernetes Grid Integrated (TKGI) | Kubernetes Namespaces | 900 | Dedicated Tier-1 Gateway per Namespace.
Tanzu Kubernetes Grid Integrated (TKGI) | Kubernetes Worker Nodes | 650 | In single Kubernetes cluster or system wide across all clusters.
Tanzu Kubernetes Grid Integrated (TKGI) | PODs per Kubernetes Worker Node | 100 |
Tanzu Kubernetes Grid Integrated (TKGI) | Kubernetes Network Policies | 5,000 |
Tanzu Kubernetes Grid Integrated (TKGI) | Hypervisor Hosts | 200 |
Tanzu Kubernetes Grid Integrated (TKGI) | Kubernetes Worker Nodes per Hypervisor Host | 100 |
Tanzu Kubernetes Grid Integrated (TKGI) | Containers / PODs per Hypervisor Host | 2,000 | On ESXi 6.7 hosts (The limit on ESXi 6.5 is 1,000.)
Tanzu Kubernetes Grid Integrated (TKGI) | L7 Kubernetes Services via Ingress Resource per Small Load Balancer | 60 |
Tanzu Kubernetes Grid Integrated (TKGI) | L7 Kubernetes Services via Ingress Resource per Medium Load Balancer | 300 |
Tanzu Kubernetes Grid Integrated (TKGI) | L7 Kubernetes Services via Ingress Resource per Large Load Balancer | 512 |
Tanzu Kubernetes Grid Integrated (TKGI) | L4 Kubernetes Services per Small Load Balancer | 20 | Automatically scales after reaching this limit.
Tanzu Kubernetes Grid Integrated (TKGI) | L4 Kubernetes Services per Medium Load Balancer | 100 | Automatically scales after reaching this limit.
Tanzu Kubernetes Grid Integrated (TKGI) | L4 Kubernetes Services per Large Load Balancer | 1,000 | Automatically scales after reaching this limit.
Tanzu Kubernetes Grid Integrated (TKGI) | Kubernetes Namespaces with Shared Tier-1 Gateway | 4,000 | Namespaces with shared Tier-1 Gateway per Kubernetes cluster.
Cloud Native : Tanzu Application Service

NSX integrates with Tanzu Application Service and provides logical networking and security to Cloud Foundry applications.
Tanzu Application Service | Cloud Foundry Orgs | 900 |
Tanzu Application Service | Cloud Foundry Spaces | 5,000 |
Tanzu Application Service | Cloud Foundry Applications | 10,000 |
Tanzu Application Service | Cloud Foundry Application Instances | 25,000 |
Tanzu Application Service | Cloud Foundry Application Security Groups | 5,000 |
Tanzu Application Service | Cloud Foundry Rules Across all Application Security Groups | 20,000 |
Tanzu Application Service | Cloud Foundry Network Policies | 5,000 |
Tanzu Application Service | Cloud Foundry Diego Cells | 300 |
Tanzu Application Service | Overlay Logical Switches | 900 |
Tanzu Application Service | Logical Ports with Firewall Enabled | 25,000 |
Tanzu Application Service | Tier-0 Logical Routers | 2 |
Tanzu Application Service | Tier-1 Logical Routers | 900 |
Tanzu Application Service | Hypervisor Hosts | 200 | Only ESXi hypervisor hosts are supported.
Tanzu Application Service | Networking and Security Groups with Tags | 10,000 |
Tanzu Application Service | System Wide Firewall Rules | 30,000 |
Tanzu Application Service | Firewall Sections | 10,000 |
Tanzu Application Service | Rules per Firewall Section | 4 |
Tanzu Application Service | Rules per Hypervisor Host | 800 | Only ESXi hypervisor hosts are supported.
Tanzu Application Service | Containers / Application Instance per Hypervisor Host | 250 | Only ESXi hypervisor hosts are supported.

Network Introspection : N-S for Tier-0 Gateways

N-S for Tier-0 Gateways | Service Insertion Services | 4 | Registration of different partner services.
N-S for Tier-0 Gateways | Service Virtual Machines | 8 | Consisting of four pairs with one pair per Edge node.
N-S for Tier-0 Gateways | Network Introspection Policies | 1,000 |
N-S for Tier-0 Gateways | Network Introspection Redirection Rules per Policy | 1,000 |
N-S for Tier-0 Gateways | Network Introspection Redirection Rules | 10,000 |

Network Introspection : N-S for Tier-1 Gateways

N-S for Tier-1 Gateways | Partner Services | 4 | Registration of different partner services.
N-S for Tier-1 Gateways | Service Virtual Machines | 200 | Consisting of 100 pairs with one pair per Tier-1 Gateway.
N-S for Tier-1 Gateways | Network Introspection Policies | 1,000 |
N-S for Tier-1 Gateways | Network Introspection Redirection Rules per Policy | 1,000 |
N-S for Tier-1 Gateways | Network Introspection Redirection Rules | 10,000 |

Network Introspection : E-W

E-W | Partner Services | 8 |
E-W | Service Virtual Machines in a Cluster Based Deployment | 512 | Eight service virtual machines per hypervisor host.
E-W | Network Introspection Policies | 1,000 |
E-W | Network Introspection Redirection Rules per Policy | 1,000 |
E-W | Network Introspection Redirection Rules | 10,000 |
Medium NSX Manager | Service Chains | 4 | Four services per chain.
Large NSX Manager | Service Chains | 24 | Four services per chain.

Network Introspection : General

General | Logical Ports with Network Introspection Enabled | 25,000 |
General | Hosts with Network Introspection Rules Enabled | 512 | Hypervisor hosts that participate in redirecting traffic to service virtual machines.
General | Logical Ports per Host with Network Introspection Enabled | 1,000 |

Federation : General

General | Locations | 8 |
General | Hypervisor Hosts Across all Locations | 1,024 |

Federation : Networking

Networking | RTEP-RTEP Tunnels per Edge Node | 120 |

Federation : Layer 2

Layer 2 | Global Segments | 2,000 |
Layer 2 | Stretched Segments | 2,000 | Stretched segments and local segments can't exceed maximum local segments.
Layer 2 | Stretched Segments Ports | 34,000 | Number of ports across stretched segments for all locations.
Layer 2 | MAC Identifiers per Overlay Segment (VNI) | 1,024 |
Layer 2 | Global Segment Ports | 60,000 | Number of ports across stretched and non-stretched segments for all locations

Federation : Layer 3

Layer 3 | Number of Locations per Stretched Tier-0 Gateway | 4 |
Layer 3 | Stretched Tier-0 Gateways per Location | 24 |
Layer 3 | Locations per Stretched Tier-1 Gateway | 4 |
Layer 3 | Stretched Tier-1 Gateways per Location | 620 |
Layer 3 | Tier-1 Gateways across all Locations | 620 | Consisting of 2 Service Routers in Active/Standby mode

Federation : DHCP

DHCP | DHCP Server Instances | 4,000 |

Federation : Grouping and Tagging

Grouping and Tagging | Groups Based on Tags across all Locations | 8,000 | Total number of [Location + Regional + Global Region] Groups based on Tag.
Grouping and Tagging | Groups across Locations | 10,000 | Total number of [Location + Regional + Global Region] Groups of all Type.
Grouping and Tagging | Global Groups based on Tag | 5,400 | Total number of Global Region Groups based on Tag.
Grouping and Tagging | Global Groups | 6,000 | Total number of Global Region Groups of all Type.
Grouping and Tagging | Groups based on Tags per Location | 4,000 | Total number of Location specific Groups based on Tags per Location.
Grouping and Tagging | Groups per Location | 5,000 | Total number of Location specific Groups of all Type per Location.
Grouping and Tagging | Groups Based on IP Sets across all Locations | 3,900 | Total number of [Location + Regional + Global Region] Groups based on IP Sets.
Grouping and Tagging | Virtual Machines per Group | 9,000 | Satisfying the tagging expression. Note that this assumes one virtual interface per virtual machine. It is possible to have virtual machines with more than one virtual interface. Total virtual interfaces must not be more than 9,000.
Grouping and Tagging | VMs with Tag Replication Across Local Managers | 5,000 | Total number of VMs with at least one tag replicated across Local Manager

Federation : Global Firewall

Global Firewall | Federation Wide Rules per Section | 1,000 |
Global Firewall | Federation Wide Firewall Sections | 7,000 |

Federation : Distributed Firewall

Distributed Firewall | Federation wide Stateful Firewall Rules | 50,000 |
Distributed Firewall | Stateful Firewall Rules across all Global Firewall Policies | 50,000 | Rules applied to all locations.
Distributed Firewall | Stateful Firewall Rules Applied to a Location | 19,000 |
Distributed Firewall | Logical Ports with Security Groups Applied | 60,000 |

Federation : Gateway Firewall

Gateway Firewall | Federation Wide Gateway Firewall Rules | 6,800 |