With Federation, you can deploy a tier-0 gateway that is limited to a single location, or you can stretch it across multiple locations.

Tier-0 gateways can have one of the following configurations:
  • Non-stretched tier-0 gateway.
  • Stretched active-active with primary and secondary locations.
  • Stretched active-active with all primary locations.
  • Stretched active-standby with primary and secondary locations.
    Note: Active-standby tier-0 gateways are supported starting in NSX-T Data Center 3.0.1.

Non-Stretched Tier-0 Gateway

You can create a tier-0 gateway from Global Manager that spans only one location. This is similar to creating the tier-0 gateway on the Local Manager directly, but has the advantage that you can manage it from Global Manager.

Stretched Active-Active Tier-0 Gateway with Primary and Secondary Locations

In an active-active tier-0 gateway with primary and secondary locations, the following applies:
  • All Edge nodes are active at the same time, therefore the tier-0 cannot run stateful services.
  • All traffic enters and leaves through the Edge nodes in the primary location.

If both the tier-0 gateway and the linked tier-1 gateway have primary and secondary locations, configure the same location to be primary for both gateways to reduce cross-location traffic.

Important: In this topology, NSX-T Data Center ensures that all egress traffic leaves through the primary location.

If your environment has stateful services, such as external firewall, on the physical network, you must ensure that the return traffic enters through the primary location. For example, you can add AS path prepending on the BGP peers in your secondary locations.

If you do not have stateful services on your physical network, and you choose to have asymmetric routing, you must disable Unicast Reverse Path Forwarding (uRPF) on all externally tier-0 interfaces.

Stretched Active-Active Tier-0 Gateway with All Primary Locations

In an active-active tier-0 gateway with all primary locations, the following applies:
  • All Edge nodes are active at the same time, therefore the tier-0 cannot run stateful services.
  • All traffic enters and leaves through Edge nodes in the same location as the workloads.
Important: This topology allows traffic to egress locally from each location. You must ensure that return traffic enters the same location to allow stateful services such as firewall. For example, you can configure a location-specific NAT IP so that return traffic is always routed back to the same location that it left.

Stretched Active-Standby Tier-0 Gateway with Primary and Secondary Locations

In an active-standby tier-0 gateway with primary and secondary locations, the following applies:
  • Only one Edge node is active at a time, therefore the tier-0 can run stateful services.
  • All traffic enters and leaves through the active Edge node in the primary location.
For Active Standby tier-0 gateways, the following services are supported:
  • Network Address Translation (NAT)
  • Gateway Firewall
  • DNS
  • DHCP
See Features and Configurations Supported in Federation for more information.