Recommended Configuration

Maximums

NSX-T Data Center 3.2.2

Updated on February 07, 2023
 Recommended Confguration Limits

You can fnd the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
[email protected]

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2022-2023 VMware, Inc. All rights reserved.Copyright and trademark information.

VMware, Inc.
2
 Recommended Confguration Limits

This Configuration Maximums tool provides the recommended configuration limits for VMware products.
When you configure, deploy and operate your virtual and physical equipment, it is highly recommended
you stay within the limits supported by your product. The limits presented in the tool are tested,
recommended limits, and are fully supported by VMware.

Disclaimer: The limits can be affected by other factors, such as hardware dependencies. For more information about the
supported hardware, see the appropriate hardware compatibility guide. It might not be possible to maximize all configuration
settings and expect your desired outcome. To ensure that you do not exceed supported configurations for your environment,
consult individual solution limits. The recommended configuration limits do not represent the theoretical possibilities of your
product.

VMware, Inc.
3
 Recommended Confguration Limits

Category Limits Description

General : Edge Nodes

A core component of NSX is the Edge node which are formed into clusters to deliver physical connectivity as well as logical
routing, load-balancing, NAT and other features.
All Manager Sizes Edge Nodes Per Cluster 10
All Manager Sizes Network Latency between Edge 10ms
Nodes part of the same Edge
Cluster
Medium NSX Manager Edge Clusters 12
Medium NSX Manager Edge Nodes 32
Large NSX Manager Edge Clusters 160
Large NSX Manager Edge Nodes 320
Bare Metal Edge Node Fast Path Physical NIC Ports 16
General : Nodes

NSX has a number of component nodes required for operation of the product. These include the NSX Manager, NSX
Controllers and Hosts that are prepared for NSX. In addition, NSX supports some vCenter objects that are discovered from
vCenter inventory.
Nodes NSX Managers 3 Please review the NSX-T Data
Center Installation Guide for details
on the various techniques on how
to deploy the NSX Manager.
Nodes Virtual Interfaces per Hypervisor 1,000 Maximum of 400 virtual interfaces
Host per hypervisor host when doing in-
place upgrades.
Nodes Physical Servers 1,024 Non-hypervisor and non-container
host machines with at least 16Gb
of RAM. Windows Servers can have
a maximum of 100 firewall rules
each.
Nodes Hosts per vSphere Cluster 96
Nodes Discovered vSphere Clusters 640
Nodes NSX Instances per Compute 16
Manager
Nodes Network Latency between NSX 10ms Round-trip time
Management Nodes
Nodes Network Latency between the NSX 150ms Round-trip time
Management Cluster and Transport
Nodes
Nodes Concurrent Graphical User Interface 5
Users per Manager
Nodes Audit Log Entries 1,000,000
Nodes Transport Nodes per NSX Instance 1600
Medium NSX Manager vSphere Clusters Prepared for NSX 5
Medium NSX Manager Hypervisor Hosts per NSX 128 Any mix of ESXi and/or KVM is
Management Cluster supported.
Medium NSX Manager Compute Managers per NSX 2
Management Cluster
Large NSX Manager vSphere Clusters Prepared for NSX 256
Large NSX Manager Hypervisor Hosts per NSX 1,024 Any mix of ESXi and/or KVM is
Management Cluster supported.
Large NSX Manager Compute Managers per NSX 16
Management Cluster
Layer 2 Networking

NSX offers a layer 2 overlay networking solution as well as layer 2 bridging.

VMware, Inc.
4
 Recommended Confguration Limits

Category Limits Description

Layer 2 Networking : General

General MAC Identifiers per Overlay Logical 2,048 Exceeding the maximum MAC
Switch (VNI) identifiers per VNI may lead to
flooding and can impact packet
performance.
General MAC Identifiers per Overlay 2,048 Exceeding the maximum MAC
Segment (VNI) identifiers per VNI may lead to
flooding and can impact packet
performance.
General IP Address Bindings used in ARP 256
Discovery
Medium NSX Manager Logical Switches 1,000
Medium NSX Manager System Wide Logical Switch Ports 2,500
Medium NSX Manager Segments 1,000
Medium NSX Manager System Wide Segment Ports 2,500
Medium NSX Manager Distributed Virtual Port Groups 32,000 This DVPG limit also applies to
segments, with the formula
“Number of VDS per vCenter *
Number of vCenters * Number of
segments” which must be below
the DVPG limit.
Large NSX Manager Logical Switches 10,000
Large NSX Manager System Wide Logical Switch Ports 25,000
Large NSX Manager Segments 10,000
Large NSX Manager System Wide Segment Ports 25,000
Large NSX Manager Distributed Virtual Port Groups 160,000 This DVPG limit also applies to
segments, with the formula
“Number of VDS per vCenter *
Number of vCenters * Number of
segments” which must be below
the DVPG limit.
Layer 2 Networking : Bridging

Bridging MAC Identifiers per VLAN / 2,048

Segment Pair
Bridging Bridging Profiles 128
Bridging Bridge Profiles per Edge Cluster 32
Bridging Segment to VLAN Pairs 4,096 Bridge between overlay segment
(VNI ID) and VLAN ID
Bridging Segment to VLAN Pairs per Edge 512
Node
Layer 3 Networking : DHCP

NSX provides a DHCP server and relay to deliver IP addresses to DHCP clients.
DHCP DHCP Relays 4,000
DHCP DHCP Servers in DHCP Server 10 Used by DHCP relay.
Group
DHCP DHCP Server Instances 10,000
DHCP Static Bindings per DHCP Server 8,000
Instance
DHCP DHCP Ranges / Pools per DHCP 5
Server Instance
DHCP System Wide DHCP Pools 20,000
DHCP System Wide Static Bindings 50,000

VMware, Inc.
5
 Recommended Confguration Limits

Category Limits Description

Layer 3 Networking : Logical Routing

NSX provides a multi-tier, in-kernel distributed logical routing system.

Logical Routing Tier-0 Gateways 160 Up to 8 service routers with ECMP
in active/active high availability
mode per Tier-0 gateway. Up to 2
service routers in active/standby
high availability mode per Tier-0
gateway.
Logical Routing Tier-0 Logical Routers 160 Up to 8 service routers with ECMP
in active/active high availability
mode per Tier-0 logical router. Up to
2 service routers in active/standby
high availability mode per Tier-0
logical router.
Logical Routing Tier-1 Gateways per Tier-0 Gateway 1,000 This limit applies to Tier-0 gateway
and all the configured VRF on the
Tier-0 gateway i.e. this limit is
shared for a given Tier-0 gateway
and all the configured VRFs on this
Tier-0 gateway.
Logical Routing Tier-1 Logical Routers per Tier-0 1,000
Logical Router
Logical Routing Gateways per Hypervisor Host 1,000
Logical Routing Logical Routers per Hypervisor 1,000
Host
Logical Routing Linked Segments per Tier-0 400 This limit applies to Tier-0 gateway
Gateway and all the configured VRF on the
Tier-0 gateway i.e. this limit is
shared for a given Tier-0 gateway
and all the configured VRFs on this
Tier-0 gateway.
Logical Routing Downlink per Tier-0 Logical Router 400
Logical Routing Linked Segments and Service 1,000
Interfaces per Tier-1 Gateway
Logical Routing Downlink and CSP Ports per Tier-1 1,000
Logical Router
Logical Routing VRFs per Edge Node 100 vRF Lite
Logical Routing ARP Entries per Tier-1 Gateway 50,000
Logical Routing ARP Entries per Tier-1 Logical 50,000
Router
Logical Routing Routes Per Distributed Router 1,000
Logical Routing IPv4 Routes Per Edge Node 500,000 Requires large, extra large or bare-
metal Edge nodes. ECMP (Equal
Cost Multi Path) routes will count
as a single route entry in the routing
table.
Logical Routing BGP Peers per Tier-0 Gateway 640 This limit applies to Tier-0 gateway
Service Router and all the configured VRF on the
Tier-0 gateway i.e. this limit is
shared for a given Tier-0 gateway
and all the configured VRFs on this
Tier-0 gateway.
Logical Routing BGP Peers per Tier-0 Logical Router 640
Service Router
Logical Routing Route-maps per Tier-0 Gateway 1,280
Logical Routing Route-maps per Tier-0 Logical 1,280
Router
Logical Routing Route-map Rules per Route-map 1,000
Logical Routing Prefix-lists per Tier-0 Gateway 500
VMware, Inc.
6
 Recommended Confguration Limits

Category Limits Description

Logical Routing Prefix-list Entries per Prefix-list 50
Logical Routing ECMP Paths 8 This limit applies independently to
Gateway Distributed Router (DR)
and Gateway Service Router (SR),
i.e. a DR can load-balance the traffic
towards 8 different SR, then on a
given SR it can have up to 8
different paths.
Logical Routing Service Ports per Trunk per Service 4,000 When used with EVPN.
Router
Logical Routing Tier-0 Gateways per Edge Node 1
Logical Routing Tier-0 Logical Routers per Edge 1
Node
Logical Routing Tier-1 Gateways per Edge Node 1,000
Logical Routing Tier-1 Logical Routers per Edge 1,000
Node
Logical Routing Combined External and Service 4,000 This limit applies to Tier-0 gateway
Interfaces per Tier-0 Gateway and all the configured VRF on the
Service Router Tier-0 gateway i.e. this limit is
shared for a given Tier-0 gateway
and all the configured VRFs on this
Tier-0 gateway.
Logical Routing Prefix-lists per Tier-0 Logical Router 500
Logical Routing IPv6 Routes Per Edge Node 100,000 ECMP (Equal Cost Multi Path)
routes will count as a single route
entry in the routing table.
Logical Routing BFD Peers per Tier-0 Gateway 320
Service Router
Logical Routing BFD Peers per Tier-0 Logical Router 320
Service Router
Logical Routing OSPFv2 Neighbors per Tier-0 40
Gateway Service Router
Logical Routing OSPFv2 Router Learned from 50,000
Neighbors per Tier-0 Gateway
Service Router
Logical Routing OSPFv2 Routes Advertised to 10,000
Neighbors
Logical Routing IPv4 Prefix-lists per NSX Domain 4,200
Logical Routing EVPN L2VNI per Tier-0 Gateway 200
Service Router
Logical Routing EVPN L3VNI per Tier-0 Gateway 200
Service Router
Logical Routing EVPN Route-Type-5 IPv4 Routes per 400,000
Tier-0 Gateway Service Router
Logical Routing EVPN Route-Type-5 IPv6 Routes per 100,000
Tier-0 Gateway Service Router
Logical Routing EVPN Route-Type-3 Routes per 600
Tier-0 Gateway Service Router
Logical Routing EVPN Route-Type-2 Routes per 800
Tier-0 Gateway Service Router
Medium NSX Manager Tier-1 Gateways 400 Up to 2 service routers in active/
standby high availability mode per
Tier-1 gateway.
Medium NSX Manager Tier-1 Logical Routers 400 Up to 2 service routers in active/
standby high availability mode per
Tier-1 logical router.

VMware, Inc.
7

Category
Large NSX Manager
Large NSX Manager
Layer 3 Networking : Multicast
Multicast
Multicast
Multicast
Multicast
Multicast
Multicast
Layer 3 Networking : NAT
NAT
NAT
NAT
NAT
NAT
NAT
Firewall : Malware Prevention
Malware Prevention
Malware Prevention
Malware Prevention
Malware Prevention
Malware Prevention
Malware Prevention
Malware Prevention
Malware Prevention
Malware Prevention
Malware Prevention
Malware Prevention
VMware, Inc.
Recommended Confguration Limits
Limits Description
Tier-1 Gateways 4,000 Up to 2 service routers in active/
standby high availability mode per
Tier-1 gateway.
Tier-1 Logical Routers 4,000 Up to 2 service routers in active/
standby high availability mode per
Tier-1 logical router.
System Wide Multicast Groups 2,000
Hosts Participating in Multicast 200
Networking
Virtual Interfaces per Host 80
Participating in Multicast
Networking
Logical Segments per Logical 100
Gateway Participating in Multicast
Networking
Number of IGMP Groups to which a 512 https://bugzilla.eng.vmware.com/
Virtual NIC can Join in IGMP show_bug.cgi?id=2822411
Snooping
Number of IGMP Groups to which a 16
Virtual NIC can Join in Basic Mode
Tier-1 Logical Routers with NAT 4,000
Enabled
NAT Rules per Tier-1 Logical Router 8,192
System-Wide NAT Rules 25,000
Tier-1 Gateways with NAT Enabled 4,000
NAT Rules per Tier-1 Gateway 8,192
Total NAT Connections per Edge 4,000,000 Requires Large or X-Large or Bare-
Node Metal Edge node.
Files Analyzed using Dynamic 15,000 Requires an Extra Large Edge Node.
Analysis/Sandboxing per Day on
Gateway Firewall
Files Analyzed using Static Analysis 100,000 Requires an Extra Large Edge Node.
per Day on Gateway Firewall
Malware Profiles on Gateway 50 Requires an Extra Large Edge Node.
Firewall
Malware Detection Rules on 500 Requires an Extra Large Edge Node.
Gateway Firewall
File Events on Gateway Firewall 100,000 Up to 14 days of events stored.
Files Analyzed using Dynamic 30,000
Analysis/Sandboxing per Day on
Distributed Firewall
Files Analyzed using Static Analysis 100,000
per Day on Distributed Firewall
Hypervisor Hosts 512
Malware Profiles on Distributed 50
Firewall
Malware Detection Rules on 1,000
Distributed Firewall
File Events on Distributed Firewall 700,000 Up to 14 days of events stored.
8
 Recommended Confguration Limits

Category Limits Description

Firewall : Intrusion Detection and Prevention

Intrusion Detection Hypervisor Hosts 512

Intrusion Detection IDS Profiles 25 Excluding the default.
Intrusion Detection IDS Rules 1,000
Intrusion Detection Events Recorded 2,000,000 Up to 14 days of events stored.
Firewall : Identity Firewall

Identity Firewall VDI Virtual Machines per Host 250 Note that the maximum VMs per
host where both RDSH and VDI are
in present is 30.
Identity Firewall Virtual Machines using Terminal 8 Note maximum VMs per host
Services per Host where both RDSH and VDI are in
present is 30.
Identity Firewall RDSH Sessions per RDSH Virtual 75
Machine
Identity Firewall Active Directory Domains 8
Identity Firewall Active Directory Groups 200,000
Identity Firewall Hypervisor Hosts 512 For the Identity Firewall use case.
Identity Firewall Virtual Machines per NSX 15,000 For the Identity Firewall use case.
Management Cluster
Identity Firewall Total Users in all Active Directory 500,000
Domains
Identity Firewall Active Directory Groups per 600
Individual User
Firewall : Distributed Firewall

NSX provides a distributed, in-kernel hypervisor host based firewall to achieve micro-segmentation of workloads at the virtual
NIC level.
Distributed Firewall
Distributed Firewall
Distributed Firewall
Distributed Firewall
Distributed Firewall
Distributed Firewall
Distributed Firewall
Distributed Firewall
Distributed Firewall
Distributed Firewall
Logical Ports with Groups Applied 25,000
System Wide Stateful Firewall Rules 100,000
Rules per Firewall Section 1,000
Rules per Group 512
Firewall Sections 10,000 A Firewall Section equates to an
OpenStack Security Group.
Rules per Hypervisor Host 120,000 Total rules across virtual NICs on a
Hypervisor Host.
Rules per Virtual NIC 4,000
Saved Firewall Rule Configurations 100 Only for automatically created
drafts configurations.
Services 8,000
Objects per Firewall Rule 128 Total configuration objects or
groups that can be used per rule
inclusive of Source, Destination,
Services, Context Profile and Apply
To fields.

Firewall : Grouping and Tagging

NSX supports adding metadata to objects in the form of a tag.

Grouping and Tagging
Grouping and Tagging
Grouping and Tagging
Groups Based on IP Sets 10,000
IP Addresses per IP Set 4,000
Tags per Object 30 Please see other sections for
details on Tags per Virtual Machine
or Tags per Logical Port.

VMware, Inc.
9
 Recommended Confguration Limits

Category Limits Description

Grouping and Tagging IP Sets 10,000
Grouping and Tagging Groups Based on Tags 8,000
Grouping and Tagging Groups 20,000
Grouping and Tagging Static Members in a Group 500 Static members such as segments,
segment ports, virtual machines,
and physical server in a group.

Grouping and Tagging
Grouping and Tagging
Grouping and Tagging
Firewall : Gateway Firewall
Effective Members in a Group
Group Membership Criteria
Nested Level of Groups
8,000 Effective members are the result of
dynamic inclusion criteria (e.g. tag,
name) or child groups.
5 Such as tagging expression or
virtual machine.
3

NSX provides a north / south high-performance Edge based firewall.

Edge Firewall Firewall Rules per Tier-0 Logical 5,000 IP sets and groups with static
Router membership only.
Edge Firewall Firewall Rules per Tier-1 Logical 5,000 IP sets and groups with static
Router membership only.
Edge Firewall System Wide Tier-0 Logical Router 20,000 IP sets and groups with static
Firewall Rules membership only.
Edge Firewall Firewall Rules per Tier-0 Gateway 5,000 IP sets and groups with static
membership only.
Edge Firewall Firewall Rules per Tier-1 Gateway 5,000 IP sets and groups with static
membership only.
Edge Firewall System Wide Tier-1 Logical Router 55,000 IP sets and groups with static
Firewall Rules membership only.
Edge Firewall System Wide Tier-0 Gateway 20,000
Firewall Rules
Edge Firewall System Wide Tier-1 Gateway 55,000
Firewall Rules
Edge Firewall Objects per Firewall Rule 128 Total configuration objects or
groups that can be used per rule
inclusive of Source, Destination,
Services, Context Profile and Apply
To fields.
Load Balancing : Load Balancer Instances

Load Balancer Instances Small Load Balancer Instances per 1

Small Edge Node in VM Form
Factor
Load Balancer Instances Small Load Balancer Instances per 10
Medium Edge Node in VM Form
Factor
Load Balancer Instances Medium Load Balancer Instances 1
per Medium Edge Node in VM Form
Factor
Load Balancer Instances Small Load Balancer Instances per 40
Large Edge Node in VM Form
Factor
Load Balancer Instances Medium Load Balancer Instances 4
per Large Edge Node in VM Form
Factor
Load Balancer Instances Large Load Balancer Instances per 1
Large Edge Node in VM Form
Factor

VMware, Inc.
10
 Recommended Confguration Limits

Category Limits Description

Load Balancer Instances
Load Balancer Instances
Load Balancer Instances
Load Balancer Instances
Load Balancer Instances
Load Balancer Instances
Load Balancer Instances
Load Balancer Instances
Load Balancing : Pool Members per Edge Node
Small Load Balancer Instances per 80
Extra Large Edge Node in VM Form
Factor
Medium Load Balancer Instances 8
per Extra Large Edge Node in VM
Form Factor
Large Load Balancer Instances per 2
Extra Large Edge Node in VM Form
Factor
Extra Large Load Balancer 1
Instances per Extra Large Edge
Node in VM Form Factor
Small Load Balancer Instances per 750
Bare-Metal Edge Node
Medium Load Balancer Instances 75
per Bare-Metal Edge Node
Large Load Balancer Instances per 18
Bare-Metal Edge Node
Extra Large Load Balancer 9
Instances per Bare-Metal Edge
Node

Pool Members per Edge Node Pool Members per Medium Edge 2,000
Node
Pool Members per Edge Node Pool Members per Large Edge 7,500
Node
Pool Members per Edge Node Pool Members per Bare-Metal Edge 30,000
Node
Pool Members per Edge Node Pool Members per Extra Large Edge 10,000
Node
Load Balancing : Pool Members

Pool Members Pool Members per Small Load 300

Balancer
Pool Members Pool Members per Medium Load 2,000
Balancer
Pool Members Pool Members per Large Load 7,500
Balancer
Pool Members Pool Members per Extra Large Load 10,000
Balancer
Load Balancing : Pools

Pools Pools per Small Load Balancer 60

Pools Pools per Medium Load Balancer 300
Pools Pools per Large Load Balancer 3,000
Pools Pools per Extra Large Load 4,000
Balancer
Load Balancing : Virtual Servers

Virtual Servers Virtual Servers per Small Load 20

Balancer
Virtual Servers Virtual Servers per Medium Load 100
Balancer
Virtual Servers Virtual Servers per Large Load 1,000
Balancer

VMware, Inc.
11
 Recommended Confguration Limits

Category Limits Description

Virtual Servers Virtual Servers per Extra Large Load 2,000
Balancer
VPN : Layer 2 VPN

L2 VPN Server Sessions per Medium Edge 128

Node in VM Form Factor
L2 VPN Server Sessions per Large Edge 256
Node in VM Form Factor
L2 VPN Client Sessions per Small Edge 1
Node in VM Form Factor
L2 VPN Client Sessions per Medium Edge 1
Node in VM Form Factor
L2 VPN Client Sessions per Large Edge 1
Node in VM Form Factor
L2 VPN Client Sessions per Bare Metal 1
Edge Node
L2 VPN Logical Segments per Session per 512
Medium Edge Node in VM Form
Factor
L2 VPN Logical Segments per Session per 512
Large Edge Node in VM Form
Factor
L2 VPN Logical Segments per Session per 512
Bare Metal Edge Node
L2 VPN Server Sessions per Extra Large 256
Edge Node in VM Form Factor
L2 VPN Server Sessions per Bare Metal 256
Edge Node
L2 VPN Client Sessions per Extra Large 1
Edge Node in VM Form Factor
L2 VPN Server Sessions per Small Edge 64
Node in VM Form Factor
VPN : IPsec VPN

IPsec VPN Sessions per Small Edge Node in 128

VM Form Factor
IPsec VPN Sessions per Medium Edge Node in 256
VM Form Factor
IPsec VPN Sessions per Large Edge Node in 512
VM Form Factor
IPsec VPN Sessions per Bare Metal Edge Node 512
IPsec VPN IPsec Tunnels per Session on 256
Medium Edge Node in VM Form
Factor
IPsec VPN IPsec Tunnels per Session on Large 256
Edge Node in VM Form Factor
IPsec VPN IPsec Tunnels per Session on Bare 512
Metal Edge Node
IPsec VPN IPsec Tunnels per Small Edge Node 2,048
in VM Form Factor
IPsec VPN IPsec Tunnels per Medium Edge 4,096
Node in VM Form Factor
IPsec VPN IPsec Tunnels per Large Edge Node 8,192
in VM Form Factor
IPsec VPN IPsec Tunnels per Bare Metal Edge 8,192
Node

VMware, Inc.
12
 Recommended Confguration Limits

Category Limits Description

IPsec VPN Sessions per Extra Large Edge 512
Node in VM Form Factor
IPsec VPN IPsec Tunnels per Extra Large Edge 4,096
Node in VM Form Factor
IPsec VPN IPsec Tunnels per Session on Extra 256
Large Edge Node in VM Form
Factor
Guest Introspection

Guest Introspection Virtual Machines per Host 250

Guest Introspection Application Virtual Machines per 40
Host
Guest Introspection Hosts 512 For the guest introspection use
case.
Guest Introspection System Wide Virtual Machines 15,000 For the guest introspection use
case.
Cloud Native : Tanzu Application Service

NSX integrates with Tanzu Application Service and provides logical networking and security to Cloud Foundry applications.
Tanzu Application Service Cloud Foundry Orgs 900
Tanzu Application Service Cloud Foundry Spaces 5,000
Tanzu Application Service Cloud Foundry Applications 10,000
Tanzu Application Service Cloud Foundry Application 25,000
Instances
Tanzu Application Service Cloud Foundry Application Security 5,000
Groups
Tanzu Application Service Cloud Foundry Rules Across all 20,000
Application Security Groups
Tanzu Application Service Cloud Foundry Network Policies 5,000
Tanzu Application Service Cloud Foundry Diego Cells 300
Tanzu Application Service Overlay Logical Switches 900
Tanzu Application Service Logical Ports with Firewall Enabled 25,000
Tanzu Application Service Tier-0 Logical Routers 2
Tanzu Application Service Tier-1 Logical Routers 900
Tanzu Application Service Networking and Security Groups 10,000
with Tags
Tanzu Application Service System Wide Firewall Rules 30,000
Tanzu Application Service Firewall Sections 10,000
Tanzu Application Service Rules per Firewall Section 4
Cloud Native : vSphere with Kubernetes

vSphere with Kubernetes Hypervisor Hosts 500 ESXi hypervisor hosts only.
vSphere with Kubernetes vSphere (ESXi) Clusters Enabled 50
with vSphere with Kubernetes per
NSX Instance
vSphere with Kubernetes Supervisor Namespaces per NSX 500
Instance
vSphere with Kubernetes vSphere Pods (PodVM) per NSX 15,000
Instance
vSphere with Kubernetes Services of Type Cluster IP across 5,000 Distributed Load Balancer Virtual
per NSX Instance Servers
vSphere with Kubernetes Services Exposed via Ingress per 4,000 Layer 7 Rules on Edge Load
NSX Instance Balancer
vSphere with Kubernetes Services of Type Load Balancer per 3,250 Layer 4 Virtual Servers on Edge
NSX Instance Load Balancer
VMware, Inc.
13
 Recommended Confguration Limits

Category Limits Description

vSphere with Kubernetes Network Policies per NSX Instance 10,000
vSphere with Kubernetes Firewall Rules across all Network 100,000
Policies per NSX Instance
vSphere with Kubernetes Hypervisor Hosts per Supervisor 64 ESXi hypervisor hosts only.
Cluster
vSphere with Kubernetes vSphere Pods (PodVM) per 8,000
Supervisor Cluster
vSphere with Kubernetes Services of Type ClusterIP in one 2,000 Distributed Load Balancer Virtual
Supervisor Cluster Servers
vSphere with Kubernetes Services Exposed via Service of 1,000 Layer 4 Virtual Servers on Edge
Type Load Balancer in one Load Balancer
Supervisor Cluster
vSphere with Kubernetes Services Exposed via Ingress in one 2,000 Layer 7 Rules on Edge Load
Supervisor Cluster Balancer
vSphere with Kubernetes Policies in one Supervisor Cluster 5,000
vSphere with Kubernetes Firewall Rules in one Network 900
Policy
vSphere with Kubernetes Firewall Rules across all Network 50,000
Policies in one Supervisor Cluster
Cloud Native : Tanzu Kubernetes Grid Integrated

Tanzu Kubernetes Grid Integrated Kubernetes PODs 50,000

(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Management Plane API)
Tanzu Kubernetes Grid Integrated
(Policy API)
Kubernetes Clusters 160
Kubernetes Namespaces 900 Dedicated Tier-1 Gateway per
Namespace.
Kubernetes Worker Nodes 1,000 In single Kubernetes cluster or
system wide across all clusters.
PODs per Kubernetes Worker Node 100
Kubernetes Network Policies 5,000
Hypervisor Hosts 200
Kubernetes Worker Nodes per 200
Hypervisor Host
Containers / PODs per Hypervisor 2,000 On ESXi 6.7 hosts (The limit on
Host ESXi 6.5 is 1,000.)
L7 Kubernetes Services via Ingress 60
Resource per Small Load Balancer
L7 Kubernetes Services via Ingress 300
Resource per Medium Load
Balancer
L7 Kubernetes Services via Ingress 512
Resource per Large Load Balancer
L4 Kubernetes Services per Small 20 Automatically scales after reaching
Load Balancer this limit.
L4 Kubernetes Services per 100 Automatically scales after reaching
Medium Load Balancer this limit.
L4 Kubernetes Services per Large 1,000 Automatically scales after reaching
Load Balancer this limit.
Kubernetes Namespaces with 4,000 Namespaces with shared Tier-1
Shared Tier-1 Gateway Gateway per Kubernetes cluster.
Kubernetes PODs 25,000

VMware, Inc.
14
 Recommended Confguration Limits

Category Limits Description

Tanzu Kubernetes Grid Integrated
(Policy API)
Tanzu Kubernetes Grid Integrated
(Policy API)
Tanzu Kubernetes Grid Integrated
(Policy API)
Tanzu Kubernetes Grid Integrated
(Policy API)
Tanzu Kubernetes Grid Integrated
(Policy API)
Tanzu Kubernetes Grid Integrated
(Policy API)
Tanzu Kubernetes Grid Integrated
(Policy API)
Tanzu Kubernetes Grid Integrated
(Policy API)
Tanzu Kubernetes Grid Integrated
(Policy API)
Tanzu Kubernetes Grid Integrated
(Policy API)
Tanzu Kubernetes Grid Integrated
(Policy API)
Tanzu Kubernetes Grid Integrated
(Policy API)
Tanzu Kubernetes Grid Integrated
(Policy API)
Tanzu Kubernetes Grid Integrated
(Policy API)
Tanzu Kubernetes Grid Integrated
(Policy API)
Network Introspection : N-S for Tier-1 Gateways
Kubernetes Clusters 80
Kubernetes Namespaces 900 Dedicated Tier-1 Gateway per
Namespace.
Kubernetes Worker Nodes 250 In single Kubernetes cluster or
system wide across all clusters.
PODs per Kubernetes Worker Node 100
Kubernetes Network Policies 2,500
Hypervisor Hosts 100
Kubernetes Worker Nodes per 100
Hypervisor Host
Containers / PODs per Hypervisor 2,000 On ESXi 6.7 hosts (The limit on
Host ESXi 6.5 is 1,000.)
L7 Kubernetes Services via Ingress 60
Resource per Small Load Balancer
L7 Kubernetes Services via Ingress 255
Resource per Medium Load
Balancer
L7 Kubernetes Services via Ingress 255
Resource per Large Load Balancer
L4 Kubernetes Services per Small 20 Automatically scales after reaching
Load Balancer this limit.
L4 Kubernetes Services per 100 Automatically scales after reaching
Medium Load Balancer this limit.
L4 Kubernetes Services per Large 1,000 Automatically scales after reaching
Load Balancer this limit.
Kubernetes Namespaces with 2,000 Namespaces with shared Tier-1
Shared Tier-1 Gateway Gateway per Kubernetes cluster.

N-S for Tier-1 Gateways Partner Services 4 Registration of different partner

services.
N-S for Tier-1 Gateways Service Virtual Machines 200 Consisting of 100 pairs with one
pair per Tier-1 Gateway.
N-S for Tier-1 Gateways Network Introspection Policies 1,000
N-S for Tier-1 Gateways Network Introspection Redirection 1,000
Rules per Policy
N-S for Tier-1 Gateways Network Introspection Redirection 10,000
Rules
Network Introspection : E-W

E-W Partner Services 8

E-W Service Virtual Machines in a 512 Eight service virtual machines per
Cluster Based Deployment hypervisor host.
E-W Network Introspection Policies 1,000
E-W Network Introspection Redirection 1,000
Rules per Policy
E-W Network Introspection Redirection 10,000
Rules
Medium NSX Manager Service Chains 4 Four services per chain.
Large NSX Manager Service Chains 24 Four services per chain.
Network Introspection : N-S for Tier-0 Gateways

VMware, Inc.
15
 Recommended Confguration Limits

Category Limits Description

N-S for Tier-0 Gateways
N-S for Tier-0 Gateways
N-S for Tier-0 Gateways
N-S for Tier-0 Gateways
N-S for Tier-0 Gateways
Network Introspection : General
Service Insertion Services 4 Registration of different partner
services.
Service Virtual Machines 8 Consisting of four pairs with one
pair per Edge node.
Network Introspection Policies 1,000
Network Introspection Redirection 1,000
Rules per Policy
Network Introspection Redirection 10,000
Rules

General Logical Ports with Network 25,000

Introspection Enabled
General Hosts with Network Introspection 512 Hypervisor hosts that participate in
Rules Enabled redirecting traffic to service virtual
machines.
General Logical Ports per Host with 1,000
Network Introspection Enabled
Federation : General

General Locations 8
General Hypervisor Hosts Across all 1,024
Locations
General Network Latency between Global 500ms Round-trip time
Manager Active Cluster and Global
Manager Standby Cluster
General Network Latency between Global 500ms Round-trip time
Manager Active Cluster and Local
Manager Cluster
General Network Latency between Local 500ms Round-trip time
Manager Clusters across Different
Locations
General Network Latency between Remote 150ms Round-trip time
TEPs across Different Locations
Federation : Networking

Networking RTEP-RTEP Tunnels per Edge Node 120

Federation : Layer 2

Layer 2 Global Segments 2,000 Stretched and Non-Stretched Global

Segments
Layer 2 Stretched Segments 2,000 Stretched segments and local
segments can't exceed maximum
local segments.
Layer 2 Stretched Segments Ports 34,000 Number of ports across stretched
segments for all locations.
Layer 2 MAC Identifiers per Overlay 1,024
Segment (VNI)
Layer 2 Global Segment Ports 60,000 Number of ports across stretched
and non-stretched segments for all
locations
Federation : Layer 3

Layer 3 Number of Locations per Stretched 4

Tier-0 Gateway
Layer 3 Stretched Tier-0 Gateways per 24
Location

VMware, Inc.
16

Category
Layer 3
Layer 3
Layer 3
Federation : DHCP
DHCP
Federation : Grouping and Tagging
Grouping and Tagging
Grouping and Tagging
Grouping and Tagging
Grouping and Tagging
Grouping and Tagging
Grouping and Tagging
Grouping and Tagging
Grouping and Tagging
Grouping and Tagging
Federation : Global Firewall
Global Firewall
Global Firewall
Federation : Distributed Firewall
Distributed Firewall
Distributed Firewall
Distributed Firewall
Distributed Firewall
Federation : Gateway Firewall
Gateway Firewall
VMware, Inc.
Recommended Confguration Limits
Limits Description
Locations per Stretched Tier-1 4
Gateway
Stretched Tier-1 Gateways per 620
Location
Tier-1 Gateways across all 620 Consisting of 2 Service Routers in
Locations Active/Standby mode
DHCP Server Instances 4,000
Groups Based on Tags across all 8,000 Total number of [Location +
Locations Regional + Global Region] Groups
based on Tag.
Groups across Locations 10,000 Total number of [Location +
Regional + Global Region] Groups
of all Type.
Global Groups based on Tag 5,400 Total number of Global Region
Groups based on Tag.
Global Groups 6,000 Total number of Global Region
Groups of all Type.
Groups based on Tags per Location 4,000 Total number of Location specific
Groups based on Tags per
Location.
Groups per Location 5,000 Total number of Location specific
Groups of all Type per Location.
Groups Based on IP Sets across all 3,900 Total number of [Location +
Locations Regional + Global Region] Groups
based on IP Sets.
Virtual Machines per Group 9,000 Satisfying the tagging expression.
Note that this assumes one virtual
interface per virtual machine. It is
possible to have virtual machines
with more than one virtual
interface. Total virtual interfaces
must not be more than 9,000.
VMs with Tag Replication Across 5,000 Total number of VMs with at least
Local Managers one tag replicated across Local
Manager
Federation Wide Rules per Section 1,000
Federation Wide Firewall Sections 7,000
Federation wide Stateful Firewall 50,000
Rules
Stateful Firewall Rules across all 50,000 Rules applied to all locations.
Global Firewall Policies
Stateful Firewall Rules Applied to a 19,000
Location
Logical Ports with Security Groups 60,000
Applied
Federation Wide Gateway Firewall 6,800
Rules
17