You can install multiple NSX Edge services gateway virtual appliances in a data center. Each NSX Edge Appliance can have a total of ten uplink and internal network interfaces. The internal interfaces connect to secured port groups and act as the gateway for all protected virtual machines in the port group. The subnet assigned to the internal interface can be a publicly routed IP address space or a NATed/routed RFC 1918 private space. Firewall rules and other NSX Edge services are enforced on traffic between interfaces.

Uplink interfaces of an ESG connect to uplink port groups that have access to a shared corporate network or a service that provides access layer networking.

The following list describes feature support by interface type (internal and uplink) on an ESG.

  • DHCP: Not supported on uplink interfaces.

  • DNS Forwarder: Not supported on uplink interfaces.

  • HA: Not supported on uplink interfaces, requires at least one internal interface.

  • SSL VPN: Listener IP must belong to an uplink interface.

  • IPsec VPN: Local site IP must belong to an uplink interface.

  • L2 VPN: Only internal networks can be stretched.

The following figure shows a sample topology. The Edge Service Gateway uplink interface is connected to the physical infrastructure through the vSphere distributed switch. The Edge Service Gateway internal interface is connected to a logical router through a logical transit switch.

You can configure multiple external IP addresses for load balancing, site-to-site VPN, and NAT services.

NSX Edge supports two virtual machines for high availability, both of which are kept up-to-date with user configurations. If a heartbeat failure occurs on the primary virtual machine, the secondary virtual machine state is changed to active. As a result, one NSX Edge virtual machine is always active on the network. NSX Edge replicates the configuration of the primary appliance for the standby appliance. Two virtual machines are deployed on vCenter in the same resource pool and datastore as the appliance you configured. Local link IP addresses are assigned to HA virtual machines in the NSX Edge HA so that they can communicate with each other.


  • You must be assigned the Enterprise Administrator or NSX Administrator role.

  • Verify that the resource pool has enough capacity for the Edge Services Gateway (ESG) virtual appliance to be deployed. See System Requirements for NSX Data Center for vSphere for the resources required for each size of appliance.

  • Verify that the host clusters on which the NSX Edge Appliance will be installed are prepared for NSX. See "Prepare Host Clusters for NSX" in the NSX Installation Guide.

  • Determine if you want to enable DRS. If you create an Edge Services Gateway with HA, and DRS is enabled, DRS anti-affinity rules are created to prevent the appliances from being deployed on the same host. If DRS is not enabled at the time the appliances are created, the rules are not created and the appliances might be deployed on or moved to the same host.


  1. Log in to the vSphere Web Client, and navigate to Home > Networking & Security > NSX Edges.
  2. Click Add, and then click Edge Services Gateway.
  3. Enter name, description, and other details of the ESG.




    Enter a name for the ESG as you want it to appear in the vCenter inventory.

    Make sure that this name is unique across all ESGs within a single tenant.

    Host Name

    Optional. Enter a host name that you want to display for this ESG in the CLI.

    If you do not enter a host name, the Edge ID that is created automatically is displayed in the CLI.


    Optional. Enter a description of the ESG.

    Deploy NSX Edge

    Optional. Select this option to create an NSX Edge Appliance virtual machine.

    If you do not select this option, the ESG will not operate until a VM is deployed.

    High Availability

    Optional. Select this option to enable and configure high availability on the ESG.

  4. Specify the CLI settings and other settings of the ESG.



    User Name

    Enter a user name that you want to use for logging in to the Edge CLI.


    Enter a password that is at least 12 characters and it must satisfy these rules:

    • Must not exceed 255 characters

    • At least one uppercase letter and one lowercase letter

    • At least one number

    • At least one special character

    • Must not contain the user name as a substring

    • Must not consecutively repeat a character 3 or more times.

    Confirm password

    Reenter the password to confirm.

    SSH access

    Optional. Enable SSH access to the Edge. By default, SSH access is disabled.

    Usually, SSH access is recommended for troubleshooting purposes.

    FIPS mode

    Optional. By default, FIPS mode is disabled.

    When you enable FIPS mode, any secure communication to or from the NSX Edge uses cryptographic algorithms or protocols that are allowed by FIPS.

    Auto rule generation

    Optional. By default, this option is enabled. This option allows automatic creation of firewall rules, NAT, and routing configuration, which control traffic for certain NSX Edge services, including load balancing and VPN.

    If you disable automatic rule generation, you must manually add these rules and configurations. Auto rule generation does not create rules for data-channel traffic.

    Edge control level logging

    Optional. By default, the log level is info.

  5. Configure the deployment of the NSX Edge Appliance.
    1. Select the size of the appliance depending on your environment.

      Appliance Size



      Suitable only for laboratory or PoC environments.


      Provides more CPU, memory, and disk space than Compact, and supports a larger number of concurrent SSL VPN-Plus users.

      Quad Large

      Suitable when you need a high throughput and a high connection rate.


      Suitable for environments that have a load balancer with millions of concurrent sessions.

      See System Requirements for NSX Data Center for vSphere for the resources required for each size of appliance.

    2. Add an NSX Edge Appliance, and specify the resource details for the VM deployment.

      For example:



      Cluster/Resource Pool

      Management & Edge





      Resource Reservation

      System Managed

      See "Managing NSX Edge Appliance Resource Reservations" in the NSX Administration Guide for more information on Resource Reservation.

      If you enabled HA, you can add two appliances. If you add a single appliance, NSX Edge replicates its configuration for the standby appliance. For HA to work correctly, you must deploy both appliances on a shared data store.

  6. Configure interfaces of the ESG.
    1. Specify the name, type, and other basic interface details.




      Enter a name for the interface.


      Select either Internal or Uplink. For High Availability to work, an Edge appliance must have at least one internal interface.

      Connected To

      Select the port group or the logical switch to which you want to connect this interface to.

    2. Configure the subnets of the interface.



      Primary IP Address

      On an ESG, both IPv4 and IPv6 addresses are supported. An interface can have one primary IP address, multiple secondary IP addresses, and multiple overlapping subnets.

      If you enter more than one IP address for the interface, you can select the primary IP address.

      Only one primary IP address is allowed per interface and the Edge uses the primary IP address as the source address for locally generated traffic, for example remote syslog and operator-initiated pings.

      Secondary IP Addresses

      Enter the secondary IP address. To enter multiple IP addresses, use a comma-separated list.

      Subnet Prefix Length

      Enter the subnet mask of the interface.

    3. Specify the following options for the interface.



      MAC Addresses

      Optional. You can enter a MAC address for each interface.

      If you change the MAC address using an API call later, you must redeploy the Edge after changing the MAC address.


      The default value is 1500. You can modify the default value, if necessary.

      Proxy ARP

      Select this option if you want the ESG to answer ARP requests intended for other virtual machines.

      This option is useful, for example, when you have the same subnet on both sides of a WAN connection.

      Send ICMP Redirect

      Select this option if you want the ESG to convey routing information to the hosts.

      Reverse Path Filter

      By default, this option is set to enabled. When enabled, it verifies the reachability of the source address in packets being forwarded.

      In enabled mode, the packet must be received on the interface that the router might use to forward the return packet.

      In loose mode, the source address must appear in the routing table.

      Fence Parameters

      Configure fence parameters if you want to reuse IP and MAC addresses across different fenced environments.

      For example, in a cloud management platform (CMP), fencing allows you to run several cloud instances simultaneously with the same IP and MAC addresses isolated or "fenced".

      The following table shows an example of two NSX Edge interfaces. The uplink interface attaches the ESG to the outside world through an uplink port group on a vSphere distributed switch. The internal interface attaches the ESG to a logical transit switch to which a distributed logical router is also attached.

      Table 1. Example: NSX Edge Interfaces



      IP address

      Subnet Prefix Length

      Connected To










      NSX 6.4.4 and earlier supports a single uplink interface on the ESG. Starting with NSX 6.4.5, you can select two uplink interfaces on the ESG and enable multicast on both the interfaces. In a multi-vCenter deployment scenario, if an NSX Edge is at version 6.4.4 or earlier, you can select only one uplink interface. To select two uplink interfaces, you must upgrade the Edge to 6.4.5 or later.

  7. Configure the default gateway settings.

    For example:





    Gateway IP




    You can edit the MTU value, but it cannot be more than the configured MTU on the interface.

  8. Configure the default firewall policy.

    If you do not configure the firewall policy, the default policy is set to deny all traffic. However, the firewall is enabled on the ESG during deployment, by default.

  9. Configure ESG logging and HA parameters.
    1. Enable or disable logging on the NSX Edge Appliance.

      By default, logs are enabled on all new NSX Edge appliances. The default logging level is Info. If logs are stored locally on the ESG, logging might generate too many logs and affect the performance of your NSX Edge. For this reason, you must preferably configure remote syslog servers, and forward all logs to a centralized collector for analysis and monitoring.

    2. If you enabled high availability, configure the following HA parameters.




      Select the internal interface for which you want to configure HA parameters. By default, HA automatically selects an internal interface and automatically assigns link-local IP addresses.

      If you select ANY for interface but there are no internal interfaces configured, the UI displays an error. Two Edge appliances are created but since there is no internal interface configured, the new NSX Edge remains in standby and HA is disabled. After an internal interface is configured, HA is enabled on the NSX Edge appliance.

      Declare Dead Time

      Enter the period in seconds within which, if the backup appliance does not receive a heartbeat signal from the primary appliance, the primary appliance is considered inactive and the backup appliance takes over.

      The default interval is 15 seconds.

      Management IPs

      Optional: You can enter two management IP addresses in CIDR format to override the local link IP addresses assigned to the HA virtual machines.

      Ensure that the management IP addresses do not overlap with the IP addresses used for any other interface and do not interfere with traffic routing. Do not use an IP address that exists somewhere else on your network, even if that network is not directly attached to the appliance.

      The management IP addresses must be in the same L2/subnet and must be able to communicate with each other.

  10. Review all the ESG settings before deploying the appliance.


After the ESG is deployed, go to the Hosts and Clusters view and open the console of the NSX Edge virtual appliance. From the console, make sure that you can ping the connected interfaces.

What to do next

When you install an NSX Edge Appliance, NSX enables automatic VM startup/shutdown on the host if vSphere HA is disabled on the cluster. If the appliance VMs are later migrated to other hosts in the cluster, the new hosts might not have automatic VM startup/shutdown enabled. For this reason, when you install NSX Edge Appliances on clusters that have vSphere HA disabled, you must preferably check all hosts in the cluster to make sure that automatic VM startup/shutdown is enabled. See "Edit Virtual Machine Startup and Shutdown Settings" in vSphere Virtual Machine Administration.

Now you can configure routing to allow connectivity from external devices to your VMs.