In his latest blog post, Daniel Krieger from evoila takes a deep dive into the distributed deployment model for VPCs in NSX 9 and VCF 9, showing for the first time how VPCs can operate entirely without edge clusters. Instead of relying on centralized edges, this approach uses a Distributed Transit Gateway running directly on ESXi hosts to handle routing and connectivity functions. This significantly reduces operational dependencies and brings VPC networking even closer to public cloud designs.
Daniel explains how to create a new NSX project (tenant) configured specifically for distributed mode, define external connections using VLANs, and set up private transit gateway IP blocks and subnet CIDRs. Unlike the centralized model, distributed VPCs provide no automatic SNAT, so private subnets have no direct internet access by default. However, distributed routing allows efficient communication within the same VPC and across VPCs in the same tenant (subject to firewall settings).
Through extensive lab testing with Alpine Linux VMs, Daniel demonstrates the following practical connectivity scenarios:
Furthermore, private workloads can be exposed externally using reflexive (stateless) NAT, providing accessibility similar to Elastic IPs, even without edge nodes.
A technical highlight is how the Distributed Transit Gateway transparently bridges overlay networks to physical VLANs. From an external perspective, VMs appear directly in the VLAN and can be addressed directly by routers and switches, even though they are actually in NSX overlay segments. This mechanism uses ARP replies from the DTGW to ensure precise routing and host placement.
Daniel concludes that this new distributed architecture enables tenants to deploy their own virtual network functions independently of shared edges, thereby increasing flexibility and enabling stronger multi-tenancy. Although it introduces greater design complexity, particularly with regard to traffic flows and distributed routing, it represents a significant advancement in the evolution of NSX 4.X towards a true on-premises, cloud-like networking approach.