diff --git a/topo/node/arista/arista.go b/topo/node/arista/arista.go
index 2666b1b0..ad5442cc 100644
--- a/topo/node/arista/arista.go
+++ b/topo/node/arista/arista.go
@@ -18,6 +18,7 @@ import (
 "errors"
 "fmt"
 "io"
+ "math"
 "os"
 "path/filepath"
 "regexp"
@@ -164,6 +165,14 @@ func (n *Node) CreateCRD(ctx context.Context) error {
 if err != nil {
 return err
 }
+ sleep := config.GetSleep()
+ if sleep > math.MaxInt32 {
+ return fmt.Errorf("sleep time %d out of range (max: %d)", sleep, math.MaxInt32)
+ }
+ linksLen := len(links)
+ if linksLen > math.MaxInt32 {
+ return fmt.Errorf("links count %d out of range (max: %d)", linksLen, math.MaxInt32)
+ }
 device := &ceos.CEosLabDevice{
 TypeMeta: metav1.TypeMeta{
 APIVersion: "ceoslab.arista.com/v1alpha1",
@@ -183,31 +192,43 @@ func (n *Node) CreateCRD(ctx context.Context) error {
 InitContainerImage: config.GetInitImage(),
 Args: config.GetArgs(),
 Resources: proto.GetConstraints(),
- NumInterfaces: int32(len(links)),
- Sleep: int32(config.GetSleep()),
+ NumInterfaces: int32(linksLen),
+ Sleep: int32(sleep),
 },
 }
 for label, v := range proto.GetLabels() {
 device.ObjectMeta.Labels[label] = v
 }
 for _, service := range proto.GetServices() {
+ insidePort := service.Inside
+ if insidePort > math.MaxUint16 {
+ return fmt.Errorf("inside port %d out of range (max: %d)", insidePort, math.MaxUint16)
+ }
+ outsidePort := service.Outside
+ if outsidePort > math.MaxUint16 {
+ return fmt.Errorf("outside port %d out of range (max: %d)", outsidePort, math.MaxUint16)
+ }
 if device.Spec.Services == nil {
 device.Spec.Services = map[string]ceos.ServiceConfig{}
 }
 device.Spec.Services[service.Name] = ceos.ServiceConfig{
 TCPPorts: []ceos.PortConfig{{
- In: int32(service.Inside),
- Out: int32(service.Outside),
+ In: int32(insidePort),
+ Out: int32(outsidePort),
 }},
 }
 }
 if cert := config.GetCert(); cert != nil {
 if ssCert := cert.GetSelfSigned(); ssCert != nil {
+ ssCertKeySize := ssCert.KeySize
+ if ssCertKeySize > math.MaxInt32 {
+ return fmt.Errorf("ssCert.KeySize %d out of valid range", ssCertKeySize)
+ }
 certConfig := ceos.CertConfig{
 SelfSignedCerts: []ceos.SelfSignedCertConfig{{
 CertName: ssCert.CertName,
 KeyName: ssCert.KeyName,
- KeySize: int32(ssCert.KeySize),
+ KeySize: int32(ssCertKeySize),
 CommonName: ssCert.CommonName,
 }},
 }
diff --git a/topo/node/drivenets/drivenets.go b/topo/node/drivenets/drivenets.go
index a1159dd3..5fe6c129 100644
--- a/topo/node/drivenets/drivenets.go
+++ b/topo/node/drivenets/drivenets.go
@@ -22,6 +22,7 @@ import (
 "context"
 "fmt"
 "io"
+ "math"
 "os"
 "path/filepath"
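Review bot: The `ssCertKeySize > math.MaxInt32` guard in CreateCRD only protects the int32 conversion; it sets no lower bound, so a key size far too small for a usable certificate is still copied into `SelfSignedCertConfig.KeySize`. Which layer is meant to enforce a minimum is not visible in this diff, so at least record the intent with a comment such as `// Range check for the int32 conversion only; key-strength policy is not enforced here.` The message also omits the bound that the other checks in this commit print; `return fmt.Errorf("self-signed cert key size %d out of range (max: %d)", ssCertKeySize, math.MaxInt32)` would match them. CreateCRD starts and ends outside this hunk.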
@@ -101,8 +102,15 @@ func (n *Node) cdnosCreate(ctx context.Context) error {
 ports := map[string]cdnosv1.ServicePort{}
 for k, v := range n.Proto.Services {
+ insidePort := v.Inside
+ if insidePort > math.MaxUint16 {
+ return fmt.Errorf("inside port %d out of range (max: %d)", insidePort, math.MaxUint16)
+ }
+ if k > math.MaxUint16 {
+ return fmt.Errorf("outside port %d out of range (max: %d)", k, math.MaxUint16)
+ }
 ports[v.Name] = cdnosv1.ServicePort{
- InnerPort: int32(v.Inside),
+ InnerPort: int32(insidePort),
 OuterPort: int32(k),
 }
 }
diff --git a/topo/node/keysight/keysight.go b/topo/node/keysight/keysight.go
index 62ff4317..bf64c76c 100644
--- a/topo/node/keysight/keysight.go
+++ b/topo/node/keysight/keysight.go
@@ -3,6 +3,7 @@ package keysight
 import (
 "context"
 "fmt"
+ "math"
 "time"
 ixclient "github.com/open-traffic-generator/keng-operator/api/clientset/v1beta1"
@@ -37,7 +38,7 @@ type Node struct {
 *node.Impl
 }
-func (n *Node) newCRD() *ixiatg.IxiaTG {
+func (n *Node) newCRD() (*ixiatg.IxiaTG, error) {
 log.Infof("Creating new ixia CRD for node: %v", n.Name())
 ixiaCRD := &ixiatg.IxiaTG{
 TypeMeta: metav1.TypeMeta{
@@ -62,9 +63,17 @@ func (n *Node) newCRD() *ixiatg.IxiaTG {
 }
 for _, svc := range n.GetProto().Services {
+ insidePort := svc.Inside
+ if insidePort > math.MaxUint16 {
+ return nil, fmt.Errorf("inside port %d out of range (max: %d)", insidePort, math.MaxUint16)
+ }
+ outsidePort := svc.Outside
+ if outsidePort > math.MaxUint16 {
+ return nil, fmt.Errorf("outside port %d out of range (max: %d)", outsidePort, math.MaxUint16)
+ }
 ixiaCRD.Spec.ApiEndPoint[svc.Name] = ixiatg.IxiaTGSvcPort{
- In: int32(svc.Inside),
- Out: int32(svc.Outside),
+ In: int32(insidePort),
+ Out: int32(outsidePort),
 }
 }
 for name, ifc := range n.GetProto().Interfaces {
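Review bot: The two port errors added to cdnosCreate do not say which service is at fault, so a topology with many services yields only a bare number; include the name, e.g. `return fmt.Errorf("service %q: inside port %d out of range (max: %d)", v.Name, insidePort, math.MaxUint16)`. The same inside/outside pair of checks is repeated in arista.go (CreateCRD), keysight.go (newCRD), openconfig.go (lemmingCreate) and node.go (CreateService), and the node.go copy already prints the wrong variable; one shared helper in the node package would keep the bound and wording from drifting. The checks are upper-bound only, so port 0 is still accepted; if 0 is not meaningful for these CRDs, reject it in the same place. cdnosCreate continues outside the hunk.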
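Review bot: newCRD has no doc comment, and this signature change turns it from infallible to fallible; a line such as `// newCRD builds the IxiaTG resource for this node. It returns an error if a service port does not fit in 16 bits.` above the signature would record the new contract. The "Creating new ixia CRD" info log is still emitted before any validation, so a rejected topology logs a creation that never completes. The body of newCRD runs past this hunk.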
@@ -74,7 +83,7 @@ func (n *Node) newCRD() *ixiatg.IxiaTG {
 })
 }
 log.V(2).Infof("Created new ixia CRD for node %s: %+v", n.Name(), ixiaCRD)
- return ixiaCRD
+ return ixiaCRD, nil
 }
 func (n *Node) getCRD(ctx context.Context) (*ixiatg.IxiaTG, error) {
@@ -131,7 +140,10 @@ func (n *Node) TopologySpecs(ctx context.Context) ([]*topologyv1.Topology, error
 log.Infof("Getting interfaces for ixia node resource %s ...", n.Name())
 desiredState := "INITIATED"
- crd := n.newCRD()
+ crd, err := n.newCRD()
+ if err != nil {
+ return nil, err
+ }
 log.Infof("Creating custom resource for ixia (desiredState=%s) ...", desiredState)
 c, err := ixclient.NewForConfig(n.RestConfig)
 if err != nil {
diff --git a/topo/node/node.go b/topo/node/node.go
index bb875ad4..478abf02 100644
--- a/topo/node/node.go
+++ b/topo/node/node.go
@@ -478,10 +478,17 @@ func (n *Impl) CreateService(ctx context.Context) error {
 if v.Outside != 0 {
 log.Warningf("Outside should not be set by user. The key is used as the target external port")
 }
+ nodePort := v.NodePort
+ if nodePort > math.MaxUint16 {
+ return fmt.Errorf("node port %d out of range (max: %d)", k, math.MaxUint16)
+ }
+ if k > math.MaxUint16 {
+ return fmt.Errorf("service port %d out of range (max: %d)", k, math.MaxUint16)
+ }
 sp := corev1.ServicePort{
 Protocol: "TCP",
 Port: int32(k),
- NodePort: int32(v.NodePort),
+ NodePort: int32(nodePort),
 TargetPort: intstr.FromInt(int(v.Inside)),
 Name: v.Name,
 }
diff --git a/topo/node/openconfig/openconfig.go b/topo/node/openconfig/openconfig.go
index 554aad04..455b7e6e 100644
--- a/topo/node/openconfig/openconfig.go
+++ b/topo/node/openconfig/openconfig.go
@@ -21,6 +21,7 @@ import (
 "context"
 "fmt"
 "io"
+ "math"
 tpb "github.com/openconfig/kne/proto/topo"
 "github.com/openconfig/kne/topo/node"
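Review bot: `return nil, err` in TopologySpecs passes the newCRD error up without saying which node it came from, and the port message produced by newCRD names neither the node nor the service. Wrapping keeps the cause and adds the missing context: `return nil, fmt.Errorf("building ixia CRD for node %s: %w", n.Name(), err)`. TopologySpecs begins and ends outside the hunk.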
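Review bot: The node-port error in CreateService prints the wrong value: the condition tests `nodePort` but the format argument is `k`, so the message reports the service port rather than the offending node port; it should read `return fmt.Errorf("node port %d out of range (max: %d)", nodePort, math.MaxUint16)`. `v.Inside` is still converted unchecked in `TargetPort: intstr.FromInt(int(v.Inside))`, although the other files in this commit range-check the inside port before use, so the same guard belongs here. No import hunk for node.go appears in this diff; confirm `math` is already imported in that file. The loop and the function extend beyond the hunk.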
@@ -104,8 +105,15 @@ func (n *Node) lemmingCreate(ctx context.Context) error {
 ports := map[string]lemmingv1.ServicePort{}
 for k, v := range n.Proto.Services {
+ insidePort := v.Inside
+ if insidePort > math.MaxUint16 {
+ return fmt.Errorf("inside port %d out of range (max: %d)", insidePort, math.MaxUint16)
+ }
+ if k > math.MaxUint16 {
+ return fmt.Errorf("outside port %d out of range (max: %d)", k, math.MaxUint16)
+ }
 ports[v.Name] = lemmingv1.ServicePort{
- InnerPort: int32(v.Inside),
+ InnerPort: int32(insidePort),
 OuterPort: int32(k),
 }
 }