NSX Licensing Changes Under Broadcom
NSX is now largely a VCF-bundle product. Standalone NSX has been progressively restricted. For customers using NSX for micro-segmentation, software-defined networking, or zero-trust security, the licensing pathway has narrowed considerably. Here is what changed.
NSX is VMware's software-defined networking and security product. It provides network virtualisation, micro-segmentation, distributed firewalling, load balancing, and the network and security overlay that enables zero-trust architectures inside the data centre. Before the Broadcom acquisition, NSX was sold as a standalone product in multiple editions, priced per CPU, with feature sets ranging from basic network virtualisation to full advanced security.
After the acquisition, the licensing model has changed substantially. NSX as a standalone purchase has been progressively retired, with most enterprise NSX deployments now licensed inside VCF Advanced or VCF Enterprise. For customers using NSX for security — particularly micro-segmentation or zero-trust postures — the licensing change is a strategic concern, not a procurement detail.
What changed
The pre-acquisition NSX catalogue included multiple editions: NSX Standard, NSX Professional, NSX Advanced, and NSX Enterprise Plus, with various add-ons for advanced threat prevention and intrusion detection. Each edition could be purchased standalone per CPU. The catalogue is now condensed.
Current NSX availability is structured as follows. Full NSX is included inside VCF Advanced and VCF Enterprise. A restricted NSX subset is included inside VCF Standard. NSX is not included in VVF. Standalone NSX SKUs remain for some specific use cases — particularly the standalone NSX Distributed Firewall licence, intended for security-focused deployments — but the standalone offering is constrained and is not the direction the catalogue is moving.
For most enterprise customers using NSX, the practical purchase path is now VCF Advanced or above. This forces a bundle decision — customers must acquire the bundled vSphere, vSAN, and Aria components even if their primary need is NSX.
NSX feature mapping across VCF editions
The exact NSX feature set inside each VCF edition has been adjusted in catalogue revisions. The general structure as of mid-2026:
VCF Standard
Includes a restricted NSX subset suitable for basic network virtualisation. Distributed firewalling capabilities are present but constrained. Advanced threat prevention and intrusion-detection extensions are not included. For customers using NSX principally for network segmentation at the workload layer, VCF Standard can be sufficient.
VCF Advanced
Includes the full NSX functionality at the network virtualisation and distributed firewall layers, including micro-segmentation. Most enterprise NSX use cases — including zero-trust segmentation and east-west traffic security — are addressed at VCF Advanced. This is the typical commercial centrepiece for customers acquiring NSX inside VCF.
VCF Enterprise
Includes the Advanced NSX functionality plus the advanced security extensions — including intrusion detection and prevention, advanced threat analytics, and full distributed-firewall analytics. For customers building substantive in-data-centre security on NSX, Enterprise is the appropriate edition.
VCF Standard's NSX subset is too constrained for serious zero-trust deployment. VCF Enterprise's additional security extensions are valuable for customers building NSX-centred security at significant depth but represent over-buying for customers using NSX primarily for east-west segmentation. The Advanced level is where most NSX-driven decisions land.
The standalone NSX Distributed Firewall licence
For customers whose only NSX use is the distributed firewall — micro-segmentation without the full network virtualisation overlay — a standalone NSX Distributed Firewall licence has been preserved in the catalogue. This is a meaningfully cheaper purchase path than VCF Advanced and is appropriate for customers running their data-centre network outside NSX but seeking the NSX micro-segmentation capability.
The standalone DFW licence has its own pricing structure (typically per workload or per VM) and its own feature constraints (no overlay networking, limited integration with NSX-T routing capabilities). For customers whose security need is precisely micro-segmentation without networking, the standalone DFW licence can be a substantial cost saving over VCF Advanced.
Impact on customers running NSX
The licensing change affects three categories of NSX customer differently.
Customers running NSX for full network virtualisation
For customers whose data-centre networking depends on NSX overlay, VCF Advanced or Enterprise is now the required commercial path. The bundle pricing absorbs the vSphere and other components but represents a substantial increase over the pre-acquisition standalone NSX cost for many customers. The economic question is whether the bundled components provide value at the deployment scale.
Customers running NSX for micro-segmentation only
For customers whose NSX use is principally distributed firewall and micro-segmentation, the standalone NSX DFW licence may be the more economic path. The decision turns on the price differential between standalone DFW and VCF Advanced at the customer's deployment scale.
Customers running NSX as part of a multi-product estate
For customers who would acquire VCF Advanced anyway for the vSphere, vSAN, and Aria components, the NSX inclusion is functionally free. The bundle economics work in favour of customers running the full multi-product stack.
The audit-risk profile for NSX
NSX audit risk under Broadcom turns on two principal factors.
First, NSX deployed on more cores than the underlying VCF entitlement covers. NSX is typically deployed as a host-level component, so the entitlement count is the core count of the VCF licence. Deploying NSX on hosts not covered by VCF Advanced or above is a finding.
Second, NSX features deployed beyond the edition entitlement. A customer licensed at VCF Standard cannot deploy the full distributed-firewall capability or the advanced threat-prevention extensions. The product itself enforces some of this but not all, and audit findings on feature-set overreach are common.
What NSX customers should do
Three practical actions are appropriate for customers running NSX in the current environment.
First, document the current NSX deployment in detail: hosts running NSX, cores per host, edition entitlement, and features in use. This is the foundation for any renewal or audit response.
Second, evaluate the standalone DFW path. For customers whose NSX use is principally micro-segmentation, this may be the more economic vehicle. Run the comparison at realistic negotiated pricing for both paths.
Third, plan the VCF edition selection carefully. If the deployment is genuinely Advanced-functionality, do not accept a Standard licence that will surface as an audit finding. If the deployment is Standard-functionality, do not over-buy at Advanced or Enterprise. The product entitlement should match the deployment.
NSX deployment patterns and their licensing implications
NSX is used in three principal patterns, each with different licensing implications under the current catalogue.
Pattern 1: micro-segmentation only
The most common use of NSX in enterprise environments: deploying NSX Distributed Firewall to enforce east-west traffic segmentation between workloads, without using NSX overlay networking or the full Software-Defined Data Center capabilities. Under the standalone NSX DFW SKU, this pattern can be licensed efficiently without acquiring VCF. Under VCF, the DFW capability is included but the customer pays for substantial additional bundled functionality.
Pattern 2: full software-defined networking
NSX deployed as the data-centre's network overlay: virtual routers, switches, gateways, and the full SDN stack. This pattern requires the full NSX functionality and is licensed under VCF Advanced or above. The standalone NSX DFW SKU is not sufficient for this pattern; the full networking entitlement is required.
Pattern 3: NSX with advanced threat prevention
NSX deployed with intrusion detection and prevention, advanced threat analytics, and distributed-firewall analytics. This pattern requires VCF Enterprise, which includes the advanced security extensions. Customers using this pattern under a Standard or Advanced licence run an audit-finding risk.
The standalone DFW commercial dynamic
The standalone NSX Distributed Firewall licence is one of the few standalone Aria, NSX, or vSAN SKUs that has been retained meaningfully in the post-acquisition catalogue. The reason is strategic: Broadcom wants to retain NSX micro-segmentation customers without forcing them into the full VCF bundle, because the alternative is migration to competing micro-segmentation products (Illumio, Cisco Secure Workload, Akamai Guardicore), which would lose Broadcom the customer entirely.
For customers whose security architecture depends on micro-segmentation and who do not need the full SDN overlay, the standalone DFW pathway is the right commercial route. The pricing is typically per workload or per VM, with a discount structure that scales with deployment size. The licensing is independent of the underlying vSphere or VCF entitlement — customers can run standalone DFW on top of either VVF or VCF.
The negotiation on standalone DFW is largely an independent commercial conversation from the underlying VMware infrastructure renewal. The customer should plan it as a separate procurement track, with separate timing, pricing, and contractual provisions.
NSX migration considerations
For customers re-evaluating NSX under the new commercial model, the alternative landscape is worth understanding. Three categories of alternatives are most commonly evaluated.
For micro-segmentation specifically, host-based agent products — Illumio Core, Cisco Secure Workload, Akamai Guardicore — provide equivalent functionality without requiring the VMware infrastructure dependency. The migration from NSX DFW to a host-based agent is non-trivial but generally tractable in twelve-to-twenty-four months for a mid-size estate.
For software-defined networking, public-cloud-native networking services (Azure Virtual WAN, AWS Transit Gateway, Google Cloud network connectivity) are alternatives for customers migrating workloads to public cloud; on-premises alternatives include Cisco ACI and Arista CloudVision. Migration from NSX networking is more substantial than micro-segmentation migration — it touches the data-centre network architecture directly — and typical timelines run two-to-three years.
For advanced threat prevention, the alternative landscape is the broader network-security market: Palo Alto, Check Point, Fortinet, and others. These are typically deployed at the network perimeter and at internal trust boundaries, with the NSX advanced-threat-prevention extensions being one option among many.