Ansible - How many can be controlled and operation in segmented networks

I'm using the free version of Ansible at the moment. What is the maximum number of hosts a single Ansible controller can manage? I would assume it depends on the resources provisioned on the server, but I can't seem to find the docs for the free version.

Also, in a segmented network like the example below (with a mix of Windows and Linux machines), I wasn't too sure but I assume that I need a controller for each network segment. Is this correct?:

  1. Segment A = 10.150.10.x
  2. Segment B = 10.151.15.x
  3. Segment C = 10.25.10.x

Lastly, what are the port requirements and direction for which it needs to be opened?


Ansible does not have its own daemon or protocol. Communication with remote hosts is over existing management protocols: likely SSH for POSIX boxes, WinRM for Windows, or various HTTP or SSH command line APIs for network gear. While I suggest the well-known ports for each, the port number can be changed in most connection plugins.

To connect various nets, consider this thing you may have heard of called a router. Possibly your security policy allows management hosts in a certain zone to remote into each of those nets. Centralizing like this tends to be easier to manage and ensure compliance on all hosts. If not allowed, sure, run Ansible on hosts in each segment.

Nothing prevents running against every host in inventory. The number of hosts in one play is limited by performance; there are scale-up scalability limits. The default number of forks working the hosts loop is 5, which will need to be increased to process in a reasonable time. A single-digit thousand number of hosts is feasible on a controller box with suitable resources. I vaguely recall from IRC someone attempting 50,000+ hosts; that many is limited by a single-threaded function in ansible-core.

You don't actually need SSH to manage hosts. ansible-pull is a counterexample, a different way to run. On managed hosts, install ansible-pull and schedule it in cron; it downloads a playbook and runs it on itself. There is less need for incoming privileged management connections. And the scalability limit is different when every host becomes an Ansible controller.
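
The following inventory is an added example, not part of the answer above. It shows one controller in a routed management zone covering the three segments from the question, with the connection type and port set per operating system. Host names, host addresses and the choice of Kerberos are assumptions made for illustration.

```yaml
# inventory.yml (constructed example: host names and addresses are made up)
# Firewall direction for every rule: controller -> managed host, TCP.
# Managed hosts never need to open a connection back to the controller.
all:
  children:
    linux:
      vars:
        ansible_connection: ssh
        ansible_port: 22            # well-known SSH port; change here if sshd listens elsewhere
      hosts:
        seg-a-web01:
          ansible_host: 10.150.10.11
        seg-b-db01:
          ansible_host: 10.151.15.21
        seg-c-log01:
          ansible_host: 10.25.10.31
    windows:
      vars:
        ansible_connection: winrm
        ansible_port: 5986          # WinRM over HTTPS; 5985 is the unencrypted HTTP listener
        ansible_winrm_scheme: https
        ansible_winrm_transport: kerberos              # assumption: hosts are domain-joined
        ansible_winrm_server_cert_validation: validate # do not fall back to "ignore"
      hosts:
        seg-a-app01:
          ansible_host: 10.150.10.12
        seg-c-fs01:
          ansible_host: 10.25.10.32
    # Per-segment groups let a run be scoped to one network with --limit,
    # which also keeps firewall exceptions easy to audit per segment.
    segment_a:
      hosts:
        seg-a-web01:
        seg-a-app01:
    segment_b:
      hosts:
        seg-b-db01:
    segment_c:
      hosts:
        seg-c-log01:
        seg-c-fs01:
```

With this layout, the firewall rules reduce to the controller's address as source, each segment as destination, and TCP 22 or 5986 depending on the group. The forks value mentioned above is raised separately, either with `forks` under `[defaults]` in `ansible.cfg` or with `--forks` on the command line.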