
NSX. The hidden audit surface.

NSX has become the second-largest source of Broadcom audit exposure after vSphere. Distributed firewall, advanced load balancing, and the NSX Networking versus NSX Networking and Security split have produced compliance gaps in nearly every enterprise we have assessed. We defend, assess, and negotiate the NSX estate.


How NSX licensing works now.

Under Broadcom, NSX is sold either as a standalone product or — far more commonly — bundled inside VMware Cloud Foundation. Standalone NSX is priced per core, with editions covering Networking only, or Networking and Security including the distributed firewall, IDS/IPS, and advanced load balancer (formerly Avi). The bundle-versus-standalone distinction is rarely understood by the network teams operating the platform.

Customers who deployed NSX-T or NSX Data Center before the Broadcom acquisition often hold entitlement language that no longer aligns with how the product is sold. That misalignment is contestable, but only if a buyer recognises it before the audit response window closes.

What auditors pull first.

For NSX, Broadcom auditors typically request the NSX Manager inventory export, the transport node list, the distributed firewall rule count, the load balancer object configuration, and any Avi controller deployment details. They cross-reference this against the cores under NSX management on each host and compare it to the entitlement on file.

The reconstruction often produces a higher used-core count than the buyer expects, because NSX is licensed against every host where a transport node is active — not against the workloads protected by the firewall.

Three NSX audit traps.

01. Networking-only edition with security features enabled
Distributed firewall rules, IDS signatures, or endpoint policies enabled on a Networking-only entitlement trigger an edition-uplift claim across every NSX-managed host in the environment.

02. Transport nodes outside scoped clusters
NSX transport nodes deployed on management or edge clusters not part of the original entitlement scope are routinely flagged. The audit treats NSX as a per-host product, not a per-workload product.

03. Avi Load Balancer counted as separate product
The legacy Avi Networks load balancer, now NSX Advanced Load Balancer, is sometimes treated as a separate product line in audit, generating a parallel claim on top of the core NSX entitlement.
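The reconstruction described under "What auditors pull first" and the first two audit traps above can be modelled as a self-assessment before an audit letter arrives. The following script is an added example for this page, not code from the page's authors or from VMware/Broadcom; the host inventory is constructed, and the field names (transport_node_active, security_features, scoped_clusters) are assumptions for illustration rather than the NSX Manager export schema. It applies the page's stated rules: count cores on every host with an active transport node, flag an edition uplift across all NSX-managed hosts when security features sit on a Networking-only entitlement, and list transport nodes on clusters outside the entitlement scope, then shows the core count after the edge/management rescoping defence the page describes.

```python
"""Self-assessment model of the NSX per-core licensing reconstruction.

Assumptions (not the NSX Manager export format): each host record carries its
cluster, physical core count, whether an NSX transport node is active, and the
set of security features configured on it. The inventory below is constructed.
"""
from dataclasses import dataclass, field

# Features the page attributes to the Networking and Security edition; any of
# them on a Networking-only entitlement is an edition-uplift trigger.
SECURITY_FEATURES = {"dfw_rules", "ids_signatures", "endpoint_policies"}


@dataclass
class Host:
    name: str
    cluster: str
    cores: int
    transport_node_active: bool
    security_features: set = field(default_factory=set)


@dataclass
class Entitlement:
    edition: str            # "networking" or "networking_and_security" (assumed labels)
    licensed_cores: int
    scoped_clusters: set    # clusters named in the entitlement


def nsx_managed_hosts(hosts):
    """NSX is licensed against every host with an active transport node,
    not against the workloads the firewall protects."""
    return [h for h in hosts if h.transport_node_active]


def assess(hosts, ent):
    """Reproduce the auditor's reconstruction against an entitlement."""
    managed = nsx_managed_hosts(hosts)
    managed_cores = sum(h.cores for h in managed)
    uplift_hosts = [
        h.name for h in managed
        if ent.edition == "networking" and h.security_features & SECURITY_FEATURES
    ]
    return {
        "used_cores": managed_cores,
        "licensed_cores": ent.licensed_cores,
        "core_shortfall": max(0, managed_cores - ent.licensed_cores),
        # Trap 01: one host with DFW rules exposes the whole managed estate.
        "edition_uplift_hosts": uplift_hosts,
        "uplift_cores_exposed": managed_cores if uplift_hosts else 0,
        # Trap 02: transport nodes on clusters outside the entitlement scope.
        "out_of_scope_hosts": [h.name for h in managed if h.cluster not in ent.scoped_clusters],
    }


def rescoped_cores(hosts, excluded_clusters):
    """Defence position: core count after removing edge/management hosts that
    the buyer can show never carried production workloads."""
    return sum(
        h.cores for h in nsx_managed_hosts(hosts) if h.cluster not in excluded_clusters
    )


# Constructed inventory: four transport nodes plus one vSphere-only host.
INVENTORY = [
    Host("compute-01", "compute", 64, True, {"dfw_rules"}),
    Host("compute-02", "compute", 64, True),
    Host("compute-03", "compute", 64, False),   # no transport node: not NSX-managed
    Host("edge-01", "edge", 32, True),
    Host("mgmt-01", "management", 48, True),
]

# Constructed entitlement: Networking-only, 128 cores, compute cluster only.
ENTITLEMENT = Entitlement("networking", 128, {"compute"})


if __name__ == "__main__":
    result = assess(INVENTORY, ENTITLEMENT)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("cores after rescoping edge/management:",
          rescoped_cores(INVENTORY, {"edge", "management"}))
```

Running it shows the gap the page describes: the auditor's count (208 cores) exceeds the 128-core entitlement even though only two compute hosts were ever intended, a single host with firewall rules exposes all 208 cores to an edition uplift, and removing the edge and management hosts brings the count back to exactly the licensed 128.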

Defences we use in NSX engagements.

NSX claims tend to be the most technically dense part of a Broadcom audit. Most of the value of a defence comes from disputing the auditor's reconstruction of which hosts are NSX-managed and at what edition.

Where NSX savings tend to land

In documented NSX engagements the largest single reduction usually comes from challenging the edition uplift — proving that distributed firewall rules existed before the entitlement was downgraded, or that the rules were enabled by NSX defaults rather than active configuration. The second largest reduction often comes from removing edge and management hosts from the NSX-managed count, where they were never carrying production workloads. The third comes from the Avi versus NSX ALB single-product argument.

NSX licensing questions.

Is NSX always included in VCF?
NSX is bundled in VCF, but the included edition is contractually defined and does not always match what the customer has deployed. A VCF customer running NSX Advanced Load Balancer features may still need standalone ALB licensing depending on the VCF SKU purchased and the deployment scale.
Do we license NSX per host or per workload?
NSX is licensed per core on the hosts where transport nodes are deployed. Workload count is not the metric. This catches buyers who assumed a per-VM model based on partner-led estimates given before the Broadcom acquisition.
Does the distributed firewall require a higher edition?
Yes. The distributed firewall is part of the NSX Networking and Security edition. Enabling firewall rules on a Networking-only entitlement is the single most common edition-uplift trigger we see in audit.
Can we keep NSX-V running under our existing contract?
Existing NSX-V perpetual entitlements remain valid for use but receive no further updates. Migration to NSX-T or NSX is a commercial decision driven by support, security, and architecture — not by compliance alone.
How does NSX appear in audit if it is bundled in VCF?
When NSX is delivered through VCF, the audit usually treats VCF as the licensable unit and NSX configuration as evidence of consumption. Standalone NSX claims still appear where NSX was deployed outside the VCF footprint or before VCF was contracted.

NSX in your audit scope?
Don't reply alone.

Send us the audit letter, the NSX Manager inventory export, and the relevant entitlement records. We will model your NSX defence position within 48 hours.
