VCF 9 – NSX VPC Part 1 – centralized Transit Gateway

How can VMware NSX 9 and VCF 9 enable truly flexible, cloud-like virtual networks on-premises?

In his latest blog post, Daniel Krieger from evoila explores the powerful new Virtual Private Cloud (VPC) capabilities introduced in VMware NSX 9 and VCF 9 – a feature that is now front and center in the user interface and no longer hidden in the background.

At the heart of this new approach is the Default Transit Gateway, which acts as a central routing element. Instead of attaching VPCs directly to a T0 router or VRF as in previous versions, they now connect through this transit gateway. This design allows multiple VPCs within the same project to communicate via private transit networks while remaining isolated from external access.

Daniel provides a step-by-step walkthrough: configuring network connectivity and IP blocks, creating connectivity and service profiles, and finally setting up the VPCs themselves. He explains the different subnet types in detail:

• Private VPC subnets, which are only accessible within the VPC.
• Private – Transit Gateway subnets, enabling communication between VPCs in the same project.
• Public subnets, which require external routing and provide external connectivity.

Through detailed lab tests with Alpine Linux VMs, Daniel demonstrates how intra-VPC, inter-VPC, and external communication work in practice. The article also highlights how easily an external IP can be assigned to a VM in a private subnet – similar to an “Elastic IP” – making workloads externally reachable if needed.

Daniel concludes that VMware NSX 9 and VCF 9 represent a major leap toward true multi-tenancy and on-premises cloud-like networking. The article offers deep technical insights as well as practical guidance for admins, architects, and anyone interested in modernizing their NSX environments.

👉 Read the full blog post here