NSX Licensing Guide 2026

VMware NSX Licensing: Understanding the New Model

VMware NSX is the market-leading software-defined networking and microsegmentation platform — and under Broadcom's ownership, its licensing model has been restructured alongside vSphere into per-core subscription pricing. This guide explains the new NSX licensing model, when NSX is included in VCF versus purchased separately, and how to reduce NSX costs without compromising network security.

Get NSX Licensing Review VMware Licensing Guide
Editorial note: This article is part of the Broadcom VMware Licensing Guide cluster. Rankings reflect independent editorial assessment. See also VCF bundle analysis, vSphere licensing changes, and Broadcom negotiation tactics.
500+
Engagements
11
Vendors Analysed
20+
Years Experience
Gartner
Recognised
Contents
  1. What Changed: NSX Licensing Under Broadcom
  2. NSX Editions and Feature Tiers
  3. NSX in VCF vs Standalone NSX Licensing
  4. NSX Per-Core Pricing Model
  5. Microsegmentation Licensing: The Critical Consideration
  6. NSX Federation and Multi-Site Licensing
  7. NSX Competitive Alternatives in 2026
  8. 8 NSX Cost Reduction Tactics
  9. FAQ

What Changed: NSX Licensing Under Broadcom

VMware NSX was already one of the more complex VMware licensing areas before the Broadcom acquisition — with multiple editions (NSX Data Centre Standard, Professional, Advanced, Enterprise Plus), add-on modules for specific capabilities, and different pricing for on-premises versus cloud deployments. Broadcom has simplified this complexity in one sense — there are now fewer standalone NSX purchase options — while significantly increasing the effective cost through the transition to subscription-based, per-core pricing and the bundling of NSX into VCF.

Under the pre-acquisition model, organisations could purchase NSX Data Centre licences on a perpetual basis, with annual SnS providing ongoing support and updates. NSX was priced per processor (similar to vSphere), with different per-processor prices for each edition. Organisations could also purchase NSX add-on capabilities — such as NSX Advanced Load Balancer (Avi Networks) and NSX Advanced Threat Prevention — as separate licence items on top of the base NSX Data Centre edition.

Under Broadcom's new model, NSX is no longer sold as a standalone perpetual product for new purchases. NSX is included within VCF subscriptions (all editions of VCF include NSX Data Centre Enterprise Plus capabilities), and can be purchased as a standalone subscription through Broadcom's commercial team — but on a per-core, subscription basis that mirrors the VCF pricing structure. For the full context on how NSX sits within the VCF bundle, see our VMware Cloud Foundation licensing guide.

Key Change

Organisations that previously deployed NSX Standard or Professional edition — paying a lower per-processor price for basic overlay networking without advanced security features — can no longer purchase a standalone lower-tier NSX subscription at a meaningful price reduction. The bundling of NSX Enterprise Plus into VCF effectively forces an upgrade to the highest NSX edition for all VCF customers, regardless of whether they use the advanced features.

NSX Editions and Feature Tiers

While the market availability of standalone NSX editions has narrowed under Broadcom, the technical differentiation between NSX capability levels remains relevant — primarily to determine whether VCF (which includes NSX Enterprise Plus) represents genuine value for your environment, or whether the NSX capabilities bundled in VCF are excessive relative to your actual use case.

NSX Edition / Tier Key Capabilities Core Use Case Availability (2026)
NSX Standard Overlay networking, L3 routing, basic firewall Network virtualisation without security advanced features Standalone subscription only
NSX Professional Standard + gateway firewall, L7 inspection Perimeter-focused security in virtualised environments Standalone subscription only
NSX Advanced Professional + distributed firewall, microsegmentation Zero-trust network security within the DC Standalone or via VCF
NSX Enterprise Plus Advanced + Federation, Identity Firewall, ATP integration Large-scale, multi-site, security-focused deployments Included in all VCF
NSX Advanced Load Balancer L7 load balancing, WAF, analytics Application delivery, replaces hardware LBs Separate add-on subscription
NSX Advanced Threat Prevention IDS/IPS, sandboxing, IDPS, network detection Advanced threat detection in network traffic Separate add-on subscription

NSX in VCF vs Standalone NSX Licensing

The most important commercial decision for organisations deploying NSX is whether to licence it as part of VCF or as a standalone NSX subscription. This decision has cascading implications for cost, management, and strategic flexibility:

NSX within VCF means you pay a single per-core subscription that covers vSphere, vSAN, NSX Enterprise Plus, and Aria management tools. The effective per-core cost for NSX when embedded in VCF is approximately 25–35% of the total VCF per-core price — meaning organisations that deploy all four VCF components genuinely gain cost efficiency from the bundle versus purchasing each component separately. However, if you do not use vSAN (using SAN or NAS storage instead), the VCF bundle forces you to pay for an unwanted component to access the NSX Enterprise Plus capabilities.

Standalone NSX subscription allows organisations to licence NSX separately from vSphere, which is relevant for environments that want NSX capabilities without the full VCF bundle — either because they use VVF for compute virtualisation (which does not include NSX) or because they want to apply NSX to non-VMware environments. Standalone NSX subscription pricing is per core, but the per-core cost for NSX standalone is generally higher than the NSX component cost within VCF — Broadcom has commercially incentivised the VCF bundle by making standalone purchases comparatively expensive.

The practical implication: if you use vSAN and NSX together, VCF is likely the right commercial structure. If you use NSX but not vSAN, VVF plus standalone NSX may be cheaper than VCF. If you use vSAN but not NSX in any meaningful way, VCF forces you to pay for NSX capabilities you do not use. Each scenario requires a different commercial approach — and each is an opportunity for negotiation with Broadcom's commercial team.

NSX Per-Core Pricing Model

Like vSphere, NSX has transitioned from per-processor to per-core subscription pricing. The per-core counting rules for NSX follow the same logic as vSphere — all physical cores on in-scope hosts are counted, with a minimum of 16 cores per CPU. However, there is an important nuance in NSX licence scope that differs from vSphere:

NSX is licenced based on the number of transport nodes — the hosts on which NSX is deployed and managed. A transport node is any host running NSX data plane components (ESXi hosts with NSX kernel modules installed, KVM hosts with NSX agents, bare metal servers). Not all hosts in a vSphere environment need to be NSX transport nodes — only those where NSX networking policies are applied to the workloads running on them. This creates scope management opportunities: hosts that do not run workloads requiring NSX overlay networking or distributed firewall policies do not need to be NSX transport nodes, and their cores are therefore not in the NSX licence scope.

In practice, many organisations have inadvertently deployed NSX as a transport node on all hosts in their vCenter inventory, even where workloads on those hosts do not require NSX capabilities. Auditing NSX transport node scope and removing hosts where NSX provides no value can reduce the NSX licence base by 10–30% in some environments.

Licence Unit Old Model (pre-2024) New Model (Broadcom)
Basis Per processor socket (2 sockets/licence) Per physical core
Minimum per CPU None 16 cores per CPU
Scope NSX transport nodes NSX transport nodes (same scope rule)
Licence type Perpetual + SnS Annual subscription only
Available editions Standard, Professional, Advanced, Enterprise Plus Enterprise Plus (in VCF), limited standalone tiers

Microsegmentation Licensing: The Critical Consideration

NSX's distributed firewall (DFW) capability — which enables microsegmentation of virtual machine traffic at the hypervisor kernel level — is one of the most strategically important security capabilities in a modern data centre. It allows east-west network traffic between VMs to be inspected and filtered without routing traffic through a physical or virtual network appliance, dramatically reducing the attack surface for lateral movement by threat actors. For many security teams, NSX microsegmentation is the primary justification for the NSX investment.

Under Broadcom's new licensing model, NSX microsegmentation (distributed firewall) requires at minimum NSX Advanced edition. It is included in NSX Enterprise Plus (which is bundled in VCF) and is available in standalone NSX Advanced subscriptions. NSX Standard and Professional do not include the distributed firewall capability, meaning organisations licenced at lower NSX tiers under the old model may need to assess whether their microsegmentation requirements are adequately covered under the new structure.

The financial implication is significant: organisations that deployed NSX primarily for microsegmentation are now paying VCF pricing (which bundles NSX Enterprise Plus with vSphere, vSAN, and Aria) rather than being able to purchase a targeted NSX Advanced licence for microsegmentation alone. If your organisation uses NSX DFW for microsegmentation but does not use vSAN or most of the other VCF components, explore whether standalone NSX Advanced subscription pricing represents better value than VCF.

Microsegmentation Alternative

For organisations where NSX microsegmentation is the primary security use case and the VCF bundle premium is not commercially justified, evaluate Illumio Core, Guardicore (now Akamai Guardicore Segmentation), or Cisco Secure Workload as alternatives. These platforms provide microsegmentation capabilities independent of the underlying hypervisor — including for non-VMware environments — at per-workload pricing models that may be more cost-effective for segmentation-focused deployments.

NSX Federation and Multi-Site Licensing

NSX Federation is the Enterprise Plus capability that allows a single management plane to govern NSX networking and security policies across multiple on-premises sites and cloud environments. For organisations with multi-datacentre infrastructure or hybrid cloud deployments, NSX Federation provides operational efficiency through centralised policy management. However, it requires NSX Enterprise Plus at all sites — a licensing requirement that significantly increases the per-site NSX cost for organisations that would otherwise only need Standard or Advanced capabilities at secondary sites.

The commercial implications of NSX Federation licensing are particularly acute for organisations with disaster recovery or passive secondary sites where NSX Enterprise Plus features beyond policy mirroring are not used. In these scenarios, the cost of licensing NSX Enterprise Plus at a DR site (for Federation compatibility) may not be justified by the operational benefits. Evaluate whether Federation's centralised management benefit outweighs the cost premium of Enterprise Plus at secondary sites, versus managing secondary-site NSX policies independently at a lower edition tier.

NSX Competitive Alternatives in 2026

NSX's position as the dominant enterprise SDN and microsegmentation platform has been somewhat disrupted by Broadcom's pricing changes, opening commercial conversations with alternatives that were previously difficult to justify against NSX's installed base and functionality advantages. The main alternatives in 2026 are:

Nutanix Flows: Nutanix's software-defined networking capability, integrated with Nutanix AHV, provides overlay networking and microsegmentation in a Nutanix-native model. For organisations migrating VMware to Nutanix AHV, Flows is the natural NSX alternative — it is included in the Nutanix subscription pricing rather than charged separately. The maturity gap versus NSX-T is real (particularly for advanced security capabilities and multi-site scenarios), but for many workload profiles Flows provides adequate coverage. See our VMware alternatives comparison for the full Nutanix analysis.

Cisco ACI / Cisco SD-WAN: For organisations already heavily invested in Cisco networking, Cisco ACI (Application Centric Infrastructure) provides data centre SDN capabilities competitive with NSX. Cisco ACI has different architectural assumptions from NSX (controller-based overlay versus NSX's kernel-distributed model) and requires ACI-capable hardware, but for Cisco-dominant environments the integrated operations story is compelling.

Open-source alternatives (OVN, Calico): OVN (Open Virtual Network) — embedded in Proxmox and available for KVM environments — provides overlay networking and basic security policies. Calico provides Kubernetes-native network policy enforcement. These are compelling for organisations with strong DevOps teams but lack the enterprise operational tooling and support ecosystem of NSX.

Microsoft Azure Virtual Network / Azure Stack HCI SDN: For organisations migrating to Azure or Azure Stack HCI, Azure's networking capabilities replace NSX's role. Azure Virtual Network provides network isolation, and Azure Firewall / Network Security Groups provide policy enforcement. The model is different from NSX (cloud-native versus hypervisor-embedded SDN) but provides equivalent functional coverage for most workload requirements in Azure environments.

8 NSX Cost Reduction Tactics

Tactic 01
Audit NSX Transport Node Scope Before Renewal
Before any NSX renewal negotiation, audit which hosts are configured as NSX transport nodes and whether each transport node is genuinely required. Hosts running workloads that do not use NSX overlay networking, distributed firewall policies, or logical switching can be removed from NSX transport node scope. Reducing the transport node count reduces the licenceable core count. In environments where NSX was deployed broadly without granular scoping, transport node count reductions of 15–25% are achievable through scope right-sizing.
Tactic 02
Challenge the VCF Bundle If You Don't Use vSAN
If your environment uses external SAN or NAS storage and does not deploy vSAN, you are paying for vSAN capabilities within VCF that provide zero value. Use this as a negotiation argument for VVF plus standalone NSX pricing, or for a modified VCF per-core price that reflects the fact that only two of VCF's four components (vSphere and NSX) are actively used. Broadcom's commercial teams have approved custom pricing structures for accounts that can technically demonstrate non-use of VCF bundle components. This requires a formal technical justification document.
Tactic 03
Model Competitive Alternatives and Use Them as Leverage
Commissioning a formal evaluation of Nutanix Flows, Cisco ACI, or open-source SDN alternatives creates the competitive pressure necessary for Broadcom to offer meaningful NSX pricing concessions. The evaluation need not conclude with a decision to migrate — its primary function is to create credible commercial risk for Broadcom. A written evaluation comparing NSX capabilities versus an alternative at a documented cost delta is a powerful negotiating tool. The more credible the alternative evaluation, the more significant the commercial response from Broadcom's account team.
Tactic 04
Negotiate NSX Advanced Load Balancer Separately
NSX Advanced Load Balancer (formerly Avi Networks) is a separate subscription add-on and should always be negotiated independently from the core NSX or VCF subscription. Many enterprises have hardware load balancers (F5, Citrix) or use cloud-native load balancers for their application delivery needs — meaning NSX ALB is duplicative rather than additive. If NSX ALB is in scope but underutilised, negotiate its removal from the renewal. Standalone NSX ALB add-on pricing can be reduced 20–40% with competitive pressure from F5 BIG-IP, Citrix ADC, or cloud-native alternatives.
Tactic 05
Evaluate DR Site NSX Federation Requirements
If NSX Federation is deployed to provide centralised management of secondary/DR sites, evaluate whether the Federation benefit justifies Enterprise Plus licensing at those sites. For passive DR sites where operational efficiency gains from centralised management are limited, consider whether site-local NSX management at Advanced tier is sufficient — saving the Enterprise Plus premium per core at the secondary site. This is particularly impactful for organisations with large DR environments or multiple secondary sites.
Tactic 06
Link NSX Renewal to VCF Renewal for Combined Discount
If you renew VCF and standalone NSX components separately, Broadcom's commercial teams have less visibility of the total account value. Consolidating the NSX and VCF renewal into a single commercial negotiation — presenting the full account spend — typically enables deeper discounting than piecemeal renewals. This is the mirror of the "disaggregate to understand economics" principle: once you understand the economics, aggregate the renewal for maximum commercial leverage.
Tactic 07
Negotiate NSX Advanced Threat Prevention Separately
NSX Advanced Threat Prevention (ATP) — providing IDS/IPS and network sandboxing within NSX — is a premium add-on that should be evaluated against dedicated network security alternatives. Palo Alto Cortex XSOAR, Darktrace, and Vectra AI provide overlapping network threat detection capabilities, often with broader coverage than NSX ATP (which is limited to east-west traffic within the NSX fabric). If NSX ATP is in your current renewal, challenge its inclusion with competitive threat detection alternatives. Even if you retain NSX ATP, demonstrating active evaluation of alternatives consistently achieves pricing reductions.
Tactic 08
Engage Specialist Advisory for NSX Renewals Over £200k
For NSX renewal values exceeding £200,000 annually, specialist advisory provides measurable return on investment through market intelligence on what Broadcom accepts for equivalent environments, technical scope challenge methodology, and escalation access to Broadcom commercial leadership. The combination of transport node scope reduction, edition tier challenge, and commercial negotiation typically achieves 20–35% savings on NSX renewal cost with professional advisory support. See our top VMware negotiation firm rankings.

Facing an NSX renewal under Broadcom?

We audit NSX transport node scope, challenge VCF bundle appropriateness, and negotiate NSX pricing with Broadcom's commercial team.
Get NSX Review

Frequently Asked Questions

Does my VCF subscription include all NSX features including IDS/IPS?
VCF subscriptions include NSX Data Centre Enterprise Plus, which covers overlay networking, distributed firewall (microsegmentation), NSX Federation, and Identity Firewall. NSX Advanced Threat Prevention (which adds IDS/IPS, sandboxing, and network detection capabilities) is a separate add-on not included in the base VCF subscription. If you are using NSX IDS/IPS features, verify whether your current NSX ATP add-on subscription is explicitly included in your VCF renewal proposal — it is frequently omitted and needs to be negotiated separately.
Can I deploy NSX in a non-VMware environment?
Yes. NSX can be deployed on KVM-based hypervisors and bare metal Linux servers as well as VMware vSphere. This multi-hypervisor capability is commercially relevant for organisations running mixed hypervisor environments — NSX can provide consistent network policy enforcement across VMware and non-VMware hosts. However, the licensing is still per physical core of the NSX transport nodes, and standalone NSX subscription pricing applies for non-vSphere transport nodes. This can be relevant for organisations evaluating partial VMware to Linux/KVM migrations where consistent microsegmentation policy is required.
What is the difference between NSX-T and NSX-V? Does this affect licensing?
NSX-V (NSX for vSphere) was the earlier VMware-specific NSX product, tightly integrated with vSphere and managed through vCenter. NSX-T (NSX Transformer) is the current product — a multi-hypervisor SDN platform with its own management plane (NSX Manager) independent of vCenter. VMware ended general support for NSX-V, and Broadcom does not offer new NSX-V subscriptions. All new NSX deployments and renewals are on NSX-T architecture. From a licensing perspective, there is no distinction in how per-core pricing is calculated — both are per physical core of transport nodes.
How does NSX licensing interact with VMware to Azure migration?
For organisations migrating VMware workloads to Azure VMware Solution (AVS), NSX-T is included in the AVS service — there is no separate NSX licence required for AVS transport nodes. For workloads migrated to native Azure IaaS, NSX is replaced by Azure Virtual Network (VNet) and Azure Firewall / NSGs for policy enforcement. In both cases, migration reduces the on-premises NSX transport node count, which directly reduces the NSX subscription base at renewal. Coordinate on-premises NSX transport node decommissioning with your Azure migration waves to maximise the per-core reduction at the next renewal. See our VMware to Azure migration guide for the full context.

NSX Licensing Review

Independent NSX transport node audit, bundle challenge, and Broadcom renewal negotiation support.

Related VMware Guides

VMware Licensing Guide (Pillar) VCF Bundle Analysis vSphere Per-Core Changes Broadcom Negotiation Tactics VMware to Azure Migration

Top Ranked Firms

#1 Redress Compliance →

500+ engagements, Gartner recognised. NSX and VCF renewal specialists.

Need Help with an NSX Renewal?

Our advisors provide NSX transport node audits, VCF bundle challenge methodology, and Broadcom commercial negotiation support for enterprise NSX deployments.

Get NSX Review View Top Firms
Weekly Intelligence

Stay ahead of vendor pricing changes — join 4,200+ procurement leads.