Modern enterprises and cloud providers face increasing challenges in delivering secure, scalable, and isolated network environments. VMware NSX-T addresses these challenges with VRF Lite, a feature introduced in NSX-T 3.0 that enables routing isolation without the complexity of deploying multiple Tier-0 gateways. This blog provides a deep dive into VRF Lite, covering architecture, configuration workflows, best practices, advanced use cases, and troubleshooting tips.
As we know, NSX-T can have only one Tier-0 gateway per Edge cluster. VRF Lite (Virtual Routing and Forwarding Lite) is a mechanism that allows multiple isolated routing instances within a single Tier-0 gateway. Each VRF acts as a child gateway, inheriting properties from the parent Tier-0 such as the Edge cluster, HA mode, and BGP configuration. This design significantly reduces resource consumption and operational complexity.
Traditionally, a multi-tenant architecture required deploying a separate Tier-0 gateway for each tenant to obtain network isolation and security, and deploying more Edge cluster resources complicates management. VRF Lite consolidates these requirements, enabling:
- Routing isolation for multiple tenants.
- Support for overlapping IP address spaces.
- Simplified network design for large-scale environments.
- Resource Efficiency: Consolidates multiple VRFs under one Tier-0 gateway, reducing Edge node
- Multi-Tenancy: Supports up to 100 VRFs per Edge cluster.
- Overlapping IP Support: Tenants can reuse IP ranges without NAT.
- Simplified Design: Reduces complexity in large-scale deployments.
- Inter-VRF Routing: Achievable via route leaking or physical routing.
Multi-tenancy without VRF Lite in NSX-T:
Multi-tenancy with VRF Lite in NSX-T:
Although a Tier-0 VRF gateway has an HA mode, it does not have an independent mechanism to respond to communication failures. Its failover behaviour depends entirely on the parent Tier-0 gateway.
If a Tier-0 VRF gateway loses connectivity to a neighbour but the parent Tier-0 gateway does not meet the failover criteria, the VRF gateway will not fail over.
The only scenario where a VRF gateway will fail over is when the parent Tier-0 gateway performs a failover.
Architecture Overview
The architecture consists of:
- Edge cluster/VMs: host the Tier-0 gateway instances
- Parent Tier-0 Gateway: Main routing entity with HA configuration
- Child VRF Gateways: Isolated routing tables for tenants inside existing T0 gateway instances
- Each VRF can be configured with its own uplink and connected to physical routers
Each VRF gateway operates as a logical router with its own routing table, BGP sessions, and uplink interfaces. The parent Tier-0 gateway maintains the global settings, while VRFs inherit these configurations. VLAN-backed segments allow traffic separation at the physical layer, ensuring isolation.
Cloud Service Providers: A CSP hosts multiple customers with overlapping IP ranges. Deploy VRF Lite to isolate routing per customer without separate Tier-0 gateways, similar to our VCFaaS in IBM Cloud. This reduces the hardware footprint and simplifies operations.
Enterprise Multi-Tenancy: A large enterprise with multiple departments requiring isolation. Use a VRF for each department, simplifying network design; this enables overlapping IP spaces and centralized management.
Hybrid Cloud Deployments: Extend on-prem workloads to public cloud while maintaining isolation. VRF Lite ensures consistent routing policies across environments. Seamless integration between private and public clouds.
Managed Services: MSPs providing network services to multiple clients. VRF Lite allows logical separation without physical hardware duplication, yielding cost savings and operational efficiency.