NSX T1 Gateway — SR vs DR and Edge Cluster Residency

NSX-T T1 Gateway: Does a T1 Without an SR Still Live on the Edge Cluster?

📅 Published by Farrukh Hanif 🏷 NSX-T  |  VMware  |  VCF  |  Networking

If a T1 Gateway has no Services Router (SR), where does north-south traffic actually go? And does the T1 even touch the Edge cluster? This is one of those NSX-T concepts that catches people out — and understanding it is fundamental to designing efficient overlay networks.

The Two Components of Every NSX-T Gateway

Every Tier-0 and Tier-1 Gateway in NSX-T is logically made up of two distinct functional components:

• Distributed Router (DR) — runs on every transport node (hypervisor) that hosts a connected workload segment. It handles east-west routing entirely in the data plane of the host, with no hairpinning through a centralised appliance.
• Services Router (SR) — a centralised component instantiated on the Edge cluster. It handles stateful services that cannot be distributed: NAT, load balancing, stateful gateway firewall, and VPN termination.

The key insight is this: the SR is optional on a T1. NSX-T will only instantiate a T1 SR on the Edge cluster if you configure a service that actually requires it. Without such a service, the T1 remains a purely distributed router.

Architecture Diagram

The Short Answer

No — a T1 without an SR does not reside on the Edge cluster at all. The T1 DR continues to operate on every hypervisor hosting a connected segment, but there is no Edge component, no Edge Edge Node allocated, and no traffic path through the Edge for that T1.

So How Does North-South Traffic Flow?

This is where the design becomes elegant. When a VM on a T1-without-SR needs to reach an external destination, the forwarding path is entirely local to the hypervisor until it hits the T0's Edge SR:

T1 with SR (stateful services enabled)

VM → T1 DR (local hypervisor) → T1 SR (Edge cluster — NAT/LB/FW processed here) → T0 SR (Edge cluster) → Physical network

T1 without SR (no stateful services)

VM → T1 DR (local hypervisor) → T0 DR (same hypervisor — no Edge hop for T1) → T0 SR (Edge cluster — uplink to physical) → Physical network

The packet never leaves the hypervisor for T1 routing. The T0 DR, also running distributed on every transport node, receives the handoff from the T1 DR locally and then forwards to the T0 SR on the Edge for the external uplink. This is a significant efficiency gain — it means one fewer hop through the Edge cluster for every north-south flow from that T1.

When Does a T1 Get an SR?

NSX-T automatically instantiates a T1 SR on the Edge cluster when you configure any of the following on that T1:

Service	SR Required?	Reason
NAT (SNAT/DNAT)	Yes	Stateful connection tracking required
Load Balancing	Yes	Connection state must be centralised
Gateway Firewall (stateful)	Yes	Session table cannot be distributed
IPsec VPN termination	Yes	Crypto and tunnel state is centralised
Simple routing (no services)	No	DR handles all east-west; T0 handles N/S uplink
Distributed Firewall (DFW)	No	DFW is kernel-level on each hypervisor, independent of gateways

East-West Traffic: Always Fully Distributed

Regardless of whether an SR exists or not, east-west routing between segments connected to the same T1 is always handled entirely within the T1 DR on the local hypervisor. If VM-A on Segment-A pings VM-B on Segment-B, and both segments are on the same T1, the packet goes:

VM-A (Hypervisor-1) → T1 DR (Hypervisor-1, routes to Segment-B) → Geneve tunnel (if VM-B is on a different host) → VM-B

No Edge cluster involvement at all. This is the whole point of the distributed routing architecture — it keeps high-volume lateral traffic off the Edge nodes entirely.

💡 Design Principle The SR is not a "better" or "more capable" version of the DR. It is a separate, narrowly-scoped component that exists only to host stateful services that fundamentally cannot be distributed. Avoid treating it as the default routing path.

Practical Design Guidance

Do not add an SR to a T1 unless you need it

Over-provisioning SRs is a common anti-pattern. Every T1 SR you create consumes Edge Node capacity — memory, CPU, and a pinned Edge Node path. If your workloads just need routing between segments and outbound internet access (handled by NAT on the T0), there is no reason to instantiate a T1 SR.

NAT design: T0 or T1?

You can configure NAT on either the T0 or a T1. If you put NAT on the T0, your T1s can remain SR-free. This is often the right call in smaller environments. In larger multi-tenant designs, T1-level NAT gives you isolation per-tenant at the cost of each T1 needing its own SR on the Edge.

Edge cluster sizing implications

Each T1 SR is placed on an Edge Node in the Edge cluster. If you have 20 T1 gateways all with SRs, your Edge cluster needs to be sized to handle the aggregate stateful service load from all 20. This is a critical input to Edge cluster sizing — count your SRs, not just your T1 count.

⚠ VCF Lab Note In a VCF 9 home lab with constrained Edge cluster resources (such as deploying Edge VMs on an R630 with 368GB RAM), keeping T1 gateways SR-free wherever possible will significantly reduce your Edge node memory footprint and leave headroom for additional NSX services.

Verifying SR Status via NSX Manager

You can quickly confirm whether a T1 has an SR instantiated from the NSX Manager UI:

1. Go to Networking > Tier-1 Gateways
2. Click the three-dot menu on your T1 and select View and manage gateway
3. Under Routing, check whether an SR is listed and which Edge Node it is placed on

Via the NSX CLI on an Edge Node, you can also run:

# On the Edge Node NSX CLI
get logical-routers

# Look for your T1's SR component (VRF type: SERVICE_ROUTER_TIER1)
# If only a DISTRIBUTED_ROUTER_TIER1 appears for your T1, no SR is instantiated

Summary

The presence or absence of an SR on a T1 is not about capability — the T1 DR always exists and always routes. The SR is strictly a function of whether you need stateful services. Without stateful services, the T1 is a lean, fully distributed router with no Edge footprint. North-south traffic traverses the T1 DR locally and is handed off directly to the T0 DR on the same hypervisor, which then forwards to the T0 SR on the Edge for the physical uplink.

Understanding this architecture is essential for anyone designing NSX-T environments — whether you are sitting the VCIX-NV exam, designing a multi-tenant VCF deployment, or simply trying to understand why your Edge nodes are under pressure.

💬 Questions or corrections? Drop a comment below or reach out on LinkedIn. I document real lab deployments, architecture decisions, and exam prep as part of my journey to a Principal Cloud Architect role in 2026.

Tags: NSX-T VMware VCF VCF 9 NSX Gateway T1 Gateway Edge Cluster Overlay Network VCIX-NV Cloud Architecture

FH

Farrukh Hanif

NSX/VCF Engineer at NatWest Group with 15+ years of VMware, NSX-T, VCF, and cloud infrastructure experience. VCIX6-NV | VCP-VCF9 | VCAP-NV Design | CKA | CKS | AWS SA Pro. Building a VCF 9 home lab and documenting the journey. Connect on LinkedIn.