I found that the time to finish applying iptables rules (in neutron/agent/linux/iptables_manager.py, _apply_synchronized and _modify_rules) is more than half an hour (36 minutes in my environment) when the number of active VMs in the cloud is more than 880.
This means that bringing a newly created port up when booting an instance will take very long, and if vif_plugging_is_fatal is true and vif_plugging_timeout is not big enough, booting will fail.
Although the optimization of _modify_rules in patch https://review.openstack.org/#/c/77549/ did help shorten the cost, the time is still not short enough (it takes 17 minutes when the number of active VMs in the cloud is more than 880 in my environment).
Further optimization of _modify_rules needs to be done to fit the situation of large-scale deployment.
Can you please provide more details about how to reproduce the problem? The number of active VMs alone is not sufficient. The deployment configuration (including hardware), the security groups that are configured, etc., are all relevant.