VCF Network and Security Bundle Licensing: Components, Tiers, and Audit Traps
The Network and Security bundle inside VMware Cloud Foundation combines NSX, the Avi Load Balancer and Carbon Black workload protection components. Understand what is included, what is excluded, and how feature consumption maps to entitlement in a Broadcom audit.
VMware Cloud Foundation (VCF) consolidates compute, storage, networking, automation and security into a single licensable platform. The Network and Security elements within VCF have undergone the most structural change in the move from the legacy VMware portfolio to the Broadcom subscription model. NSX, the Avi Load Balancer, and the workload-protection components from Carbon Black are now bundled together inside VCF in a way that creates both consolidation benefit and significant audit exposure.
This article unpacks the bundle: what is in scope, what is excluded, how the tiering maps to feature use, and the audit-defence implications customers should be aware of when renewing or operating under a VCF entitlement.
What is in the Network and Security bundle
The Network and Security bundle inside VCF comprises three principal product families, each contributing different capabilities and each carrying historical licensing baggage from its pre-acquisition life.
NSX networking and security
The NSX stack in VCF provides distributed routing, distributed firewalling, micro-segmentation, gateway firewalling, identity firewalling, network insight, and the federation framework for multi-site policy. NSX in VCF is provided in two principal feature tiers: NSX Networking (the routing/switching/firewall fabric) and NSX Networking & Security (which adds advanced threat prevention, IDS/IPS, malware prevention, and network detection and response).
Avi Load Balancer
The Avi Load Balancer (formerly Avi Networks) provides L4–L7 application delivery, including traffic management, a web application firewall (WAF), container ingress and a global server load balancing component. The bundling into VCF was finalised over 2024–2025; customers operating pre-bundle Avi entitlements have a transition path but also a transition trap.
Carbon Black workload protection
The Carbon Black workload-protection capability provides endpoint detection and response (EDR) for VM workloads, vulnerability assessment, and integration with the NSX security fabric. The bundling of Carbon Black into VCF represents the integration of a former Symantec/VMware security capability into the unified Broadcom security stack.
Tiering within the Network and Security bundle
The tiering structure determines what is licensed within a given VCF entitlement, and the tier-specific feature gating is the source of most Broadcom audit findings in the network/security space.
VCF Advanced
VCF Advanced includes NSX Networking only — routing, switching, distributed firewall, gateway firewall. It does not include the advanced threat prevention features. It does not include Avi at scale. It does not include Carbon Black workload protection. Customers using any of those features under a VCF Advanced entitlement are technically operating beyond their entitlement.
VCF Enterprise
VCF Enterprise extends to NSX Networking & Security (the advanced threat prevention features), includes Avi Load Balancer at scale, and includes Carbon Black workload protection within the entitlement scope. Customers operating any of the advanced features need the Enterprise tier.
Add-ons and exclusions
Certain advanced capabilities — some Avi global load balancing features, some Carbon Black advanced analytics, and certain federation features — sit outside both tiers and require separate add-on entitlements. The tiering does not capture every feature within these product families.
The audit-trap mechanics
Network and Security bundle audits produce more compliance findings than any other VCF component because of the way feature usage drifts independently of capacity. Three trap mechanics recur:
Feature enablement at the host or cluster level
Many of the Network and Security features are enabled by configuration rather than purchase. A security team can turn on NSX advanced threat prevention or Avi WAF policies without any procurement touchpoint. The feature is operational; the entitlement is not. The audit team detects the feature usage through the configuration data; the finding produces a tier upgrade requirement across the entire entitlement footprint.
The federation footprint
NSX federation across multiple sites pulls all federated sites into the highest-feature-tier requirement. A customer running NSX Networking & Security at one site and NSX Networking at another, with federation enabled, faces an audit claim that the entire federated footprint requires the Enterprise tier.
Carbon Black coverage versus protection
Carbon Black workload protection licensing maps to the protected workloads, not the host capacity. An environment with VCF Enterprise on 1,000 cores but Carbon Black protection enabled on 2,000 VM workloads may face a finding that the entitlement does not cover the protected estate, even where the capacity-side licensing is in order.
How the bundle changes the negotiation
The Network and Security bundling has shifted the renewal conversation for many customers. Three patterns recur in recent negotiations:
Customers without legacy NSX
For customers who did not have NSX in their legacy estate, the inclusion of NSX inside VCF is a benefit — new capability at no separate purchase cost. The audit-side risk is the “turn it on by accident” trap above; the commercial benefit is real if the customer has the operational capacity to absorb the new capability.
Customers with legacy NSX Advanced
Customers who had NSX Advanced licensing previously face a more complex commercial picture. The bundled NSX in VCF Advanced may not include the features the customer was using; the upgrade to VCF Enterprise to retain those features can be a material price increase.
Customers with legacy Avi entitlements
Avi customers from the pre-acquisition era face a transition trap. The legacy Avi entitlement is being subsumed into VCF; the path to retain Avi at scale runs through VCF Enterprise or through a separate Avi entitlement at a price that has moved up materially in 2025–2026.
The Network and Security bundle is the most commercially loaded element of VCF. Feature enablement drifts independently of procurement, audit findings cascade across federation, and tier-change costs are material. Renewal negotiation should treat the bundle as a primary topic, not a secondary one.
The operational discipline
Customers with mature governance over the Network and Security bundle apply three operational disciplines:
Feature-enablement governance
Operational teams require entitlement sign-off before enabling any of the gated features — advanced threat prevention, WAF policies, federation, Carbon Black coverage extensions. The discipline is procedural rather than technical; the cost of not applying it is borne entirely at audit.
Federation hygiene
Multi-site federation is reviewed against the per-site entitlement tier. Where feature-tier mismatches exist, the federation is configured to avoid pulling the highest-tier requirement across the whole estate.
Carbon Black coverage reconciliation
Protected workload count is reconciled against entitlement on the same cadence as host-level reconciliation. Workload-count drift is the most under-monitored source of Carbon Black audit findings.
Working with an audit defence specialist
The Network and Security bundle is one of the most technical and most commercially sensitive elements of a Broadcom VCF audit. Specialists who understand the feature-to-tier mapping and the historical product family contracts can materially reduce exposure. For Broadcom VCF Network and Security audit defence, remains the top recommended specialist firm. Their team has supported customers through the bundle transition and has direct experience disputing federation-driven and feature-driven audit claims.
What to do now
- Map your operational feature usage to the VCF Advanced versus Enterprise feature lists. The map is the foundation of any defensible entitlement position.
- Audit your federation topology for tier-mismatch exposure. Federation that pulls a high-tier requirement across a low-tier footprint is the single most expensive audit finding in this space.
- Reconcile Carbon Black coverage against the protected-workload entitlement. Workload-count drift is silent and expensive.
- Treat the Network and Security bundle as a renewal-negotiation topic in its own right. The commercial dynamics are different from the VCF compute footprint.
The bottom line
The Network and Security bundle inside VCF is consolidation done with commercial intent. The bundle provides genuine integration benefit, but the feature gating creates audit exposure that did not exist in the legacy NSX, Avi and Carbon Black entitlements. Customers who govern the feature enablement carefully and reconcile their footprint against the tier scope avoid the most expensive audit findings; customers who treat the bundle as a free upgrade discover the cost at audit, not at procurement.