NSX Bytes: Updated – NSX Edge Feature and Performance Matrix
A reminder that VMware announced the End of Availability (“EOA”) of the VMware vCloud Networking and Security 5.5.x that kicked in on the September of 19, 2016 and that from vCloud Director 8.10 and above vShield Edges are no longer supported…hence why I don’t have the VSE listed in the tables. For those still running VSEs for what ever reason, you can reference my original post here.
As a refresher…what is an Edge device?
The Edge Services Gateway (NSX-v) connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, dynamic routing, and Load Balancing. Common deployments of Edges include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the Edge creates virtual boundaries for each tenant.
The following relates to ESG maximums per NSX and ESXi maximums.
|ESGs per NSX Manager||2,000|
|ESGs per ESXi Host||250|
|ESG Interfaces||10 (Including Internal, Uplink and Trunk)|
The ESG gives you access to all NSX Edge services such as firewall, NAT, DHCP, VPN, load balancing, and high availability. You can install multiple ESG virtual appliances in a datacenter. Each ESG virtual appliance can have a total of ten uplink and internal network interfaces. With a trunk, an ESG can have up to 200 subinterfaces. The internal interfaces connect to secured port groups and act as the gateway for all protected virtual machines in the port group. The subnet assigned to the internal interface can be a publicly routed IP space or a NATed/routed RFC 1918 private space. Firewall rules and other NSX Edge services are enforced on traffic between network interfaces.
Below is a list of services provided by the NSX Edge.
|Firewall||Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection for all protocols|
|NAT||Separate controls for Source and Destination IP addresses, as well as port translation|
|DHCP||Configuration of IP pools, gateways, DNS servers, and search domains|
|Site to Site VPN||Uses standardized IPsec protocol settings to interoperate with all major VPN vendors|
|SSL VPN||SSL VPN-Plus enables remote users to connect securely to private networks behind a NSX Edge gateway|
|Load Balancing||Simple and dynamically configurable virtual IP addresses and server groups|
|High Availability||High availability ensures an active NSX Edge on the network in case the primary NSX Edge virtual machine is unavailable|
|Syslog||Syslog export for all services to remote servers|
|L2 VPN||Provides the ability to stretch your L2 network.|
|Dynamic Routing||Provides the necessary forwarding information between layer 2 broadcast domains, thereby allowing you to decrease layer 2 broadcast domains and improve network efficiency and scale. Provides North-South connectivity, thereby enabling tenants to access public networks.|
Below is a table that shows the different sizes of each edge appliance and what (if any) impact that has to the performance of each service. As a disclaimer the below numbers have been cherry picked from different sources and are subject to change.
|NSX Edge (Compact)||NSX Edge (Large)||NSX Edge (Quad-Large)||NSX Edge (X-Large)|
|Disk||512MB||512MB||512MB||4.5GB + 4GB|
|Sub Interfaces (Trunk)||200||200||200||200|
|LB Virtual Servers||64||64||64||1,024|
|LB Server / Pool||32||32||32||32|
|LB Health Checks||320||320||320||3,072|
|LB Application Rules||4,096||4,096||4,096||4,096|
|L2VPN Clients Hub to Spoke||5||5||5||5|
|L2VPN Networks per Client/Server||200||200||200||200|
|SSLVPN Private Networks||16||16||16||16|
|LB Throughput L7 Proxy)||2.2Gbps||2.2Gbps||3Gbps|
|LB Throughput L4 Mode)||6Gbps||6Gbps||6Gbps|
|LB Connections/s (L7 Proxy)||46,000||50,000||50,000|
|LB Concurrent Connections (L7 Proxy)||8,000||60,000||60,000|
|LB Connections/s (L4 Mode)||50,000||50,000||50,000|
|LB Concurrent Connections (L4 Mode)||600,000||1,000,000||1,000,000|
|BGP Routes Redistributed||No Limit||No Limit||No Limit||No Limit|
|OSPF LSA Entries Max 750 Type-1||20,000||50,000||100,000||100,000|
|OSPF Routes Redistributed||2000||5000||20,000||20,000|
Of interest from the above table it doesn’t list any Load Balancing performance number for the NSX Compact Edge…take that to mean that if you want to do any sort of load balancing you will need NSX Large and above. To finish up, below is a table describing each NSX Edge size use case.
|NSX Edge (Compact)||Small Deployment, POCs and single service use|
|NSX Edge (Large)||Small/Medium DC or mult-tenant|
|NSX Edge (Quad-Large)||High Throughput ECMP or High Performance Firewall|
|NSX Edge (X-Large)||L7 Load Balancing, Dedicated Core|
The Quad Large model is suitable for high performance firewall abilities and the X-Large is suitable for both high performance load balancing and routing. You can convert between NSX Edge service gateway sizes upon demand using a non-disruptive upgrade process, so the recommendation is to begin with the Large model and scale up if necessary. A Large NSX Edge service gateway is suitable for medium firewall performance but as detailed later, the NSX Edge service gateway does not perform the majority of firewall functions.