VCF Network Virtualization Licensing

VCF subscription bundles NSX network virtualization in non-obvious ways. The scope of included functionality, the carve-outs, and the audit risks every customer should map before deploying or renewing.

broadcomaudits Editorial · Published November 2024 · 11 min read · Last updated February 2026

Network virtualization is one of the most opaque corners of the VCF subscription model. Broadcom has consolidated VMware NSX functionality into the VCF bundle, but the way NSX entitlements are scoped, measured, and audited varies materially across VCF tiers — and the differences have direct cost implications. Customers who do not understand how VCF network virtualization licensing actually works can over-pay materially or, conversely, deploy into a configuration that triggers compliance findings.

This article explains the structure of network virtualization licensing within VCF, how it differs from standalone NSX, what counts and what does not, and where the common audit traps lie. Customers running large NSX estates inside or alongside VCF deployments will benefit from specialist advice — for that, we recommend , who run VMware network-virtualization licensing defence as part of their core practice.

The pre-Broadcom NSX licensing model

Standalone NSX was historically licensed in two main tiers: NSX Data Center Standard, Advanced, and Enterprise Plus (later consolidated into NSX Networking and NSX Security tiers). Licensing was per-CPU or per-virtual-machine depending on the product variant and the deployment context. Customers either purchased NSX as a standalone product against their vSphere estate, or attached it as part of a VMware Cloud Foundation perpetual licence stack.

The model was reasonably transparent: a customer with an entitlement count knew which hosts could run NSX, which features were enabled, and how scale-out was treated. Audit exposure on NSX was real but well-understood — the typical compliance gap was around feature usage (running Advanced features on a Standard entitlement) or scale-out beyond purchased capacity.

What VCF subscription changed

VCF subscription bundles network virtualization functionality into the broader VCF entitlement, with scope varying by VCF tier. The visible change is that NSX functionality is no longer purchased separately — it is included. The less visible change is that the scope of included NSX functionality varies in ways that customers must read the entitlement document carefully to understand.

The implication: a customer migrating from standalone NSX Data Center Enterprise Plus to VCF subscription does not automatically get equivalent NSX functionality. Some features previously available in NSX Enterprise Plus may not be included in the customer's VCF tier. Other features that were previously add-ons may now be included. The mapping is rarely one-to-one.

What is included in VCF tiers

VCF subscription tiers include NSX functionality at different scopes. The base VCF subscription generally includes core NSX networking (logical switches, distributed routing, gateway services) but may exclude or limit some of the more advanced functionality (advanced load balancing, advanced firewall features, federation, multi-site). Higher VCF tiers expand the included NSX scope progressively.

Customers must read the specific entitlement document attached to their subscription. The "included NSX functionality" varies between contracts even within the same nominal VCF tier, depending on negotiation outcomes and contract date. Customers who assume parity with their previous NSX entitlement frequently miss material differences.

Measurement units and counting

VCF subscription is typically measured in core-units (TiB for storage, CPU cores for compute), and the included NSX scope follows the same unit. A customer with a VCF entitlement covering 1,024 cores can run NSX functionality across those 1,024 cores within the entitlement scope. NSX deployments outside the entitled cores are non-compliant.

The audit-relevant detail is that NSX consumption is measured against the host on which it is deployed, not against the virtual machines themselves. A customer running NSX on host A and not on host B is consuming NSX entitlement only for host A. Audit tools should be able to enumerate NSX-enabled hosts, and customer documentation should support that.

Functional carve-outs

Specific NSX features are carved out of the standard VCF entitlement and require additional purchase. The carve-outs vary by contract and by VCF tier, but the recurring categories include: advanced load-balancing (NSX Advanced Load Balancer / Avi); NSX federation across multiple sites; advanced firewall features (IDS/IPS, malware analysis); and certain analytics and visibility features (NSX Intelligence).

Customers should map their actual NSX feature usage against the carve-outs in their specific contract. Where carve-out features are in use without an explicit entitlement, the customer has a compliance exposure that audit teams routinely identify.

Multi-site and federation licensing

Federation across multiple NSX deployments is one of the most contested licensing areas. Standalone NSX historically licensed federation as an add-on; VCF subscription treats it differently depending on the tier and the contract. Customers operating multi-site NSX deployments — for example, a primary datacentre and a DR site, or a multi-region production deployment — should verify that the federation use is covered by the entitlement.

The audit risk on federation usage is material because the deployment pattern is visible from any reasonable discovery tool. Auditors who see federation activity will check the entitlement, and customers without explicit federation coverage will be flagged.

Container and cloud workload coverage

NSX functionality extends into container networking through NSX-T integration with Kubernetes (Antrea, Tanzu integration) and into hybrid-cloud through VMware Cloud on AWS, Azure VMware Solution, and similar services. Whether these uses are covered by the VCF entitlement varies by deployment pattern and contract terms.

The current pattern from Broadcom is that on-premises container networking through NSX is typically covered, but hyperscaler-deployed NSX functionality requires explicit coverage in the cloud service agreement. Customers running hybrid deployments should verify both the on-prem entitlement and the cloud-service NSX coverage.

NSX Advanced Load Balancer (Avi)

The Avi product (rebranded NSX Advanced Load Balancer) is one of the more common audit findings. Avi was historically a separately licensed product, and Broadcom has retained that separation under VCF. Many customers who use Avi alongside NSX in their VCF estate do not have explicit Avi entitlements, and audit teams routinely flag this.

The defence position depends on the specific contract. Some VCF tiers do include limited Avi functionality (basic load balancing); customers using only basic functionality may be able to defend. Customers using advanced Avi features (WAF, security analytics, advanced traffic management) typically need explicit Avi licensing.

Audit detection methods

Broadcom audit teams use several detection methods for NSX usage. The most common are: vCenter inventory exports that show NSX-enabled hosts and their feature configuration; NSX Manager exports that show federation links, advanced security policy usage, and analytics integration; third-party discovery tools that enumerate logical switches, routing instances, and gateway services; and host-level inspection (esxcli or equivalent) that confirms NSX kernel modules are loaded.

The defence response is to maintain customer-controlled inventory documentation that establishes the entitled scope. Where the customer's inventory aligns with the contract entitlement, the audit defence is generally strong. Where it does not, the customer should engage independent advisors before responding to the audit data request.

Renewal and negotiation leverage

NSX entitlement scope is a meaningful negotiation point at VCF renewal. Customers with specific NSX feature requirements (federation, advanced load balancing, container networking) should explicitly negotiate scope in the renewal rather than accept the standard template. Broadcom commercial teams have demonstrated flexibility on scope where the customer articulates specific requirements.

The leverage is greatest for customers who can credibly threaten to deploy non-Broadcom networking alternatives. Cisco ACI, Arista's solutions, native cloud networking, and open-source SDN options provide meaningful alternative paths that strengthen the customer's negotiating position.

What good NSX entitlement language looks like

A well-structured VCF agreement with strong NSX coverage should include: an explicit scope statement covering the customer's actual NSX feature usage; multi-site federation coverage where applicable; explicit container networking coverage; explicit load balancing coverage (with carve-outs clearly identified); and a usage-data-protection clause that limits Broadcom's audit-discovery rights to what is contractually necessary.

Customers who negotiate these provisions report meaningfully reduced audit risk on NSX usage. The negotiation cost is small relative to the long-tail audit-exposure reduction.

NSX upgrade implications under VCF

NSX major version upgrades have specific implications under VCF subscription that customers should understand. NSX 3.x to 4.x upgrades, and subsequent feature upgrades, may affect the scope of included functionality under the customer's specific VCF tier. Some features available in earlier NSX versions are repositioned as advanced features in later versions, requiring additional entitlement that may not be in the customer's current VCF contract.

Customers planning NSX upgrades should review the feature scope of the target version against their current VCF entitlement before upgrading. The audit risk on inadvertent advanced-feature usage post-upgrade is material. Independent specialist review of the upgrade plan against the entitlement is a small investment for the protection it provides.

NSX security feature licensing

NSX security features — distributed firewall, IDS/IPS, malware analysis, network detection and response — are a major area of audit attention. Some of these features are included in standard VCF tiers; others require explicit advanced security entitlement. The boundary between included and excluded security features is one of the most contractually contested areas of VCF.

Customers running NSX security features should map their feature usage against the contractual scope explicitly. Where advanced security features are deployed without explicit entitlement, the audit exposure is high and the customer should plan remediation through either feature reduction or additional licensing.

Hybrid cloud NSX deployment

NSX deployed in hybrid cloud configurations — on-premises plus VMware Cloud on AWS, plus Azure VMware Solution — creates compliance complexity. The on-premises NSX usage may be covered by the customer's VCF entitlement, while the cloud-deployed NSX usage may be covered (or not) by the cloud service agreement. The interaction between the two coverage scopes is rarely clean, and audit findings frequently arise from the boundary.

Customers running hybrid NSX should explicitly document which deployment is covered by which entitlement, and should review the documentation periodically as cloud usage shifts.

NSX consumption analytics in customer hands

NSX itself produces extensive operational and consumption analytics that customers should maintain in customer-controlled tooling. The analytics include feature usage patterns, traffic flow data, security policy enforcement statistics, and configuration history. Customers who maintain this data themselves have a defensive baseline for any audit conversation. Customers who allow the analytics to remain only in Broadcom-controlled or auditor-controlled systems lose the defensive baseline.

The customer-controlled analytics should be extracted regularly (weekly or monthly) and stored in customer infrastructure. The investment is modest. The defensive value is substantial.

Contract amendments after VCF deployment

Customers who deploy VCF and subsequently discover scope gaps — for example, advanced security features in use that are not entitled in the contract — should pursue contract amendment rather than wait for audit. Proactive amendment is materially cheaper than reactive remediation. Broadcom typically prices proactive scope expansion at a discount to audit-driven remediation; the difference can be 30-50% of the eventual cost.

The trigger for amendment is regular self-audit: at least annually, the customer should compare deployed NSX feature usage against contracted scope and identify any gaps. Where gaps exist, the customer should remediate proactively rather than hope they remain undetected.

Frequently asked questions

Is NSX always included in VCF subscription?

Core NSX functionality is generally included in VCF subscription tiers, but the scope of included functionality varies by tier and by specific contract. Advanced features, federation, and certain integrations may not be included and require explicit entitlement. Customers should not assume that VCF subscription gives equivalent functionality to their previous standalone NSX entitlement.

Does the customer's VCF entitlement cover container networking?

Generally yes for on-premises container networking through NSX-T integration with Kubernetes. Hyperscaler-deployed container networking may require additional coverage through the cloud service agreement. The specific scope should be verified against the contract.

What happens if the customer is using Avi without explicit Avi entitlement?

Some VCF tiers include limited Avi functionality (basic load balancing). Customers using only basic functionality may be able to defend against an audit finding. Customers using advanced Avi features typically need explicit Avi licensing and should expect Broadcom to require remediation through additional purchase.

How is NSX federation usage detected in an audit?

NSX Manager exports show federation links between sites, and any reasonable discovery tool will surface federation usage. Broadcom audit teams routinely check for federation patterns and verify against entitlement. Customers running federation without explicit coverage should expect the audit to identify the issue.

Should NSX entitlement scope be negotiated at renewal?

Yes. The default VCF template scope is often narrower than customers actually need, and negotiation at renewal is the natural moment to align scope with actual usage. Customers who skip the negotiation step typically discover the misalignment later through audit findings, by which point the leverage is much weaker.
