NSX Bytes: Updated - NSX Edge Feature and Performance Matrix
A question came up today around throughput numbers for an NSX Edge Services Gateway and that jogged my memory back to a previous blog post where I compared (http://anthonyspiteri.net/nsx-edge-vs-vshield-edge-part-1-feature-and-performance-matrix/). In the original post I had left out some key metrics, specifically around firewall and load balance throughput so thought it was time for an update. Thanks to a couple of people in the (https://twitter.com/vexpert_slack) I was able to fill some gaps and update the tables below.
A reminder that VMware has announced the End of Availability (“EOA”) of the VMware vCloud Networking and Security 5.5.x that kicked in on the September of 19, 2016 and that vCloud Director 8.10 does not support vShield Edges anymore…hence why I have removed the VSE from the tables.
As a refresher…what is an Edge device?
The Edge Services Gateway (NSX-v) connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, dynamic routing, and Load Balancing. Common deployments of Edges include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the Edge creates virtual boundaries for each tenant.
Below is a list of services provided by the NSX Edge.
| Service | Description |
| Firewall | Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection for all protocols |
| NAT | Separate controls for Source and Destination IP addresses, as well as port translation |
| DHCP | Configuration of IP pools, gateways, DNS servers, and search domains |
| Site to Site VPN | Uses standardized IPsec protocol settings to interoperate with all major VPN vendors |
| SSL VPN | SSL VPN-Plus enables remote users to connect securely to private networks behind a NSX Edge gateway |
| Load Balancing | Simple and dynamically configurable virtual IP addresses and server groups |
| High Availability | High availability ensures an active NSX Edge on the network in case the primary NSX Edge virtual machine is unavailable |
| Syslog | Syslog export for all services to remote servers |
| L2 VPN | Provides the ability to stretch your L2 network. |
| Dynamic Routing | Provides the necessary forwarding information between layer 2 broadcast domains, thereby allowing you to decrease layer 2 broadcast domains and improve network efficiency and scale. Provides North-South connectivity, thereby enabling tenants to access public networks. |
Below is a table that shows the different sizes of each edge appliance and what (if any) impact that has to the performance of each service. As a disclaimer the below numbers have been cherry picked from different sources and are subject to change…I’ll keep them as up to date as possible.
| NSX Edge (Compact) | NSX Edge (Large) | NSX Edge (Quad-Large) | NSX Edge (X-Large) | |
| vCPU | 1 | 2 | 4 | 6 |
| Memory | 512MB | 1GB | 1GB | 8GB |
| Disk | 512MB | 512MB | 512MB | 4.5GB |
| Interfaces | 10 | 10 | 10 | 10 |
| Sub Interfaces (Trunk) | 200 | 200 | 200 | 200 |
| NAT Rules | 2000 | 2000 | 2000 | 2000 |
| FW Rules | 2000 | 2000 | 2000 | 2000 |
| FW Performance | 3Gbps | 9.7Gbps | 9.7Gbps | 9.7Gbps |
| DHCP Pools | 25 | 25 | 25 | 25 |
| Static Routes | 2048 | 2048 | 2048 | 2048 |
| LB Pools | 64 | 64 | 64 | 64 |
| LB Virtual Servers | 64 | 64 | 64 | 64 |
| LB Server / Pool | 32 | 32 | 32 | 32 |
| IPSec Tunnels | 512 | 1600 | 4096 | 6000 |
| SSLVPN Tunnels | 50 | 100 | 100 | 1000 |
| Concurrent Sessions | 64,000 | 1,000,000 | 1,000,000 | 1,000,000 |
| Sessions/Second | 8,000 | 50,000 | 50,000 | 50,000 |
| LB Throughput L7 Proxy) | 2.2Gbps | 2.2Gbps | 3Gbps | |
| LB Throughput L4 Mode) | 6Gbps | 6Gbps | 6Gbps | |
| LB Connections/s (L7 Proxy) | 46,000 | 50,000 | 50,000 | |
| LB Concurrent Connections (L7 Proxy) | 8,000 | 60,000 | 60,000 | |
| LB Connections/s (L4 Mode) | 50,000 | 50,000 | 50,000 | |
| LB Concurrent Connections (L4 Mode) | 600,000 | 1,000,000 | 1,000,000 | |
| BGP Routes | 20,000 | 50,000 | 250,000 | 250,000 |
| BGP Neighbors | 10 | 20 | 50 | 50 |
| BGP Routes Redistributed | No Limit | No Limit | No Limit | No Limit |
| OSPF Routes | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF Adjacencies | 10 | 20 | 40 | 40 |
| OSPF Routes Redistributed | 2000 | 5000 | 20,000 | 20,000 |
| Total Routes | 20,000 | 50,000 | 250,000 | 250,000 |
Of interest from the above table it doesn’t list any Load Balancing performance number for the NSX Compact Edge…take that to mean that if you want to do any sort of load balancing you will need NSX Large and above. To finish up, below is a table describing each NSX Edge size use case.
| Use Case | |
| NSX Edge (Compact) | Small Deployment, POCs and single service use |
| NSX Edge (Large) | Small/Medium DC or mult-tenant |
| NSX Edge (Quad-Large) | High Throughput ECMP or High Performance Firewall |
| NSX Edge (X-Large) | L7 Load Balancing, Dedicated Core |
References: https://www.vmware.com/files/pdf/products/nsx/vmw-nsx-network-virtualization-design-guide.pdf https://pubs.vmware.com/NSX-6/index.jsp#com.vmware.nsx.admin.doc/GUID-3F96DECE-33FB-43EE-88D7-124A730830A4.html http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2042799