The infrastructure providing network connectivity to an HCX deployment (the Underlay) must meet the minimum requirements. The underlay includes any intermediate system that is customer managed, cloud provider managed, or part of an Internet service provider network.

What Is the Network Underlay

A network underlay provides the physical or logical connectivity on which HCX transport packets are tunneled, where an HCX transport packet contains an overlay header. The underlay network does not need to be aware that it is carrying HCX transport packets. This includes the physical routing infrastructure on the customer data center and (if applicable) the cloud provider infrastructure, and any physical network services joining the connected locations.


A network underlay can vary from high-bandwidth low-latency private paths between server racks in a data center, to lower-bandwidth higher-latency Internet based connectivity. In this document, the term "network underlay" encompasses all elements that affect the performance characteristics of an underlay, including the servers and network devices and connections between the vSphere environments. The network underlay requirements must be satisfied when considering all elements of the underlay.

VPN Based Network Underlays

Virtual Private Networks are frequently used for creating secure data center connections to private and public vSphere clouds over the Internet. SDWAN and custom tunneling solutions are used over the internet to improve data traffic transmissions. The SDWAN, VPN, and other tunneling solutions are collectively referred to as VPN in this document.

The network underlay includes connections with VPN configurations. The network underlay requirements must be satisfied when considering all elements of the underlay.


General Network Underlay Requirements for HCX

HCX supports multiple uplinks and each uplink can be connected to a different network underlay. Examples of different network underlays include private line, public Internet, and multi-homed connectivity.


The following table summarizes the requirements from the Network Underlay to use the HCX migration and extension services:

  • This table applies to HCX Migration and Extension Overlays (HCX Service Mesh appliances).

  • This table does not apply to HCX Connector or HCX Cloud Manager or the management connections.

HCX Requirement ID

Requirement Summary

Requirement Details


IP Addressing & IP Reachability

A valid IP addressing and IP connectivity for end to end communication between the HCX Uplink IP.


Bandwidth, Loss and Latency, MTU

All underlays must comply with minimum parameters requirements for services to be supported at the minimum performance level. The minimum requirement applies to all network underlays and is provided in the next table.

MTU configuration must be applied to the HCX Network Profile prior to deploying the HCX IX/WO appliances. If the MTU is changed on existing appliances, the appliances must be redeployed.

  • MTU 1150 – 9000 is valid for IX (no WANOPT).
  • MTU 1150 – 1500 is valid for IX (with WANOPT).
  • HCX 4.2+ is required when configuring MTU lower than 1350.


Source Network Address Translation (SNAT)

Outbound IP NAT

SNAT is not required, but can be used to translate HCX Uplink private IP packets to public IP addresses for connections over the Internet.

SNAT can only be applied to the HCX Initiator (the HCX source appliances).


Destination Network Address Translation (DNAT)

Inbound IP NAT

Load Balancing

Reverse Proxy

Inbound DNAT, LB, or reverse proxy configurations in the underlay are not supported for the HCX Migration and Extension Transport tunnels.



Any VPN configuration in the network path is treated agnostically as an underlay, and is supported as long as the measured underlay parameters meet the documented requirements.

Any additional encapsulation and performance degradation, overhead, or cost in addition to the characteristics of the underlay they ride on should be considered when measuring underlay outcomes.

HCX does not support VPN configurations where the NSX Tier-0 router provides the VPN termination AND connectivity to the HCX uplinks via NSX Service Insertion.

HCX version 4.2 is required for network underlays with VPN configurations.

Minimum Network Underlay Requirements for HCX

HCX has network underlay minimums for HCX migration and disaster recovery operations. HCX operations with lesser performance than the minimum values are not supported.

The values provided are the minimums for individual operations at minimum performance.

  • Minimizing latency, loss, jitter results in improved migration performance outcomes.

  • Parallel HCX operations (migration and extension) result in increased bandwidth requirements.

Network Parameter

HCX vMotion

Replication Assisted vMotion

Bulk Migration & DR (Protection)

OS Assisted Migration

Min Bandwidth (Mbps)





Min MTU (bytes)

(1350 if version < HCX 4.2)





Max Packet Loss (%)





Max Latency (ms)





Bandwidth distribution with HCX on a network underlay can be visualized as a set of nested pipes, where the underlay network is the main channel. HCX and non-HCX traffic is carried through main channel. Migration and Network Extension traffic can be thought of as separate pipelines through the HCX channel. The Network Extension pipe provides the throughput for all the extended network traffic. The migration pipe handles the vMotion, Bulk, Protection, and OS Assisted migration service traffic.


The number of parallel migrations allowed depends on the bandwidth of the migration pipe.