NSX licensing, after the bundle shake up.

NSX stopped being a standalone product decision and became a bundle and attach decision, so the cost question is now which cores genuinely need network virtualization and security.

How is VMware NSX packaged under Broadcom in 2026?

NSX ships primarily as the networking layer of VMware Cloud Foundation, with advanced security sold separately as vDefend attach SKUs. The freestanding NSX product line that existed before the Broadcom acquisition has largely folded into this structure.

That packaging decision drives everything else. If you run VCF, you already own core NSX networking; the open question is the security attach. If you run vSphere Foundation, NSX is an upgrade conversation.

Which NSX capabilities sit in which package?

• VCF included: virtual switching, routing, basic load balancing, and the NSX manager plane.
• vDefend attach: distributed firewall, gateway firewall, and advanced threat prevention, priced per core.
• Avi load balancing: advanced application delivery, licensed separately.

What does NSX actually cost per core?

NSX cost follows the bundle: you pay VCF per core for the platform, then per core again for each vDefend attach on covered clusters, with a 16 core minimum per CPU. The published structure sits on the Broadcom software portfolio pages, but street pricing is set deal by deal.

The compounding is what surprises buyers. A dense 64 core host pays the attach on all 64 cores even if the firewall policy on it is trivial, which is why attach scoping matters more than rate negotiation.

How do you verify what NSX features actually run?

Pull distributed firewall rule counts, flow statistics, and feature flags from the NSX manager before any commercial conversation. The Broadcom technical documentation describes the operational reporting available; that output is your negotiation evidence.

How do you rightsize an NSX heavy estate?

Rightsize by cluster, not by estate. Map which clusters carry regulated workloads, exposed services, or genuine microsegmentation policy, and license the security attach there only. In our file that scoping cut attach spend 25 to 45 percent.

Treat the rest of the estate as a candidate for native vSphere controls or third party tooling. The point is not to rip NSX out; it is to stop paying advanced security rates on clusters running basic switching.

Where the common advice on NSX licensing is wrong

The standard partner guidance is to license vDefend across the whole estate for consistency, on the theory that uniform coverage simplifies operations and audits. We disagree. In roughly 12 of the 20 to 30 NSX files Morten Andersen reviewed in 2024 to 2025, uniform coverage meant paying advanced security rates on a majority of cores that ran nothing beyond default policy, and the simplification argument never survived contact with the invoice. Cluster scoped licensing with documented flow evidence passed every true up we defended. The buyer side move is to segment the estate by security requirement, license the attach where the requirement is real, and let the usage evidence carry the audit conversation.

What the engagement data shows

Three cuts of our advisory engagement file frame the rightsizing opportunity.

What levers move an NSX renewal?

Three levers move NSX economics: attach scope, core hygiene, and a credible security alternative. Rate discounts follow those levers; they rarely lead.

• Scope reduction: present the cluster map and remove the attach from clusters without security policy.
• Core consolidation: retire or merge low density hosts so the 16 core minimum stops manufacturing phantom cores.
• Alternative pressure: price third party firewalls or native controls for the clusters Broadcom wants to defend, alongside Broadcom support terms held to written commitments.

Should NSX ride the VCF renewal or stand alone?

Ride the VCF renewal. Bundling the attach decision into the platform negotiation gives you a bigger number to trade against, and Broadcom quarter end dynamics apply to the combined deal.

What to do next

Six moves cut NSX cost before the next renewal.

A sequence you can run this quarter

1. Inventory NSX feature usage by cluster from the manager plane.
2. Map clusters to real security requirements and regulated workloads.
3. Rescope vDefend attaches to the clusters that justify them.
4. Consolidate low density hosts ahead of the core count snapshot.
5. Price a third party alternative for contested clusters.
6. Fold the NSX position into the VCF renewal at quarter end.

White Paper · Broadcom / VMware

VMware Bundle Negotiation Landing

Seven buyer side levers cut a VMware VCF or VVF bundle under Broadcom: the core minimum trap, the bundle math, and where the price actually moves. Read it free.

Read the white paper

Frequently asked questions

Is NSX still sold as a standalone product in 2026?

Mostly no. NSX networking ships inside VMware Cloud Foundation, and advanced security sells as per core vDefend attach SKUs on top of the bundle.

What is the 16 core minimum and why does it matter for NSX?

Broadcom charges at least 16 cores per CPU across its VMware portfolio. Hosts with smaller processors pay for cores they do not have, on the platform and on every attach.

Can vDefend be licensed for only part of the estate?

Yes. Attach SKUs can be scoped by cluster, and cluster scoping with flow evidence cut attach spend 25 to 45 percent across our 2024 to 2025 file.

Does dropping NSX security features risk an audit problem?

Not if scope matches deployment. Document which clusters run which features and align the order form to that map before the true up, not after.

What usage evidence moves Broadcom on NSX pricing?

Distributed firewall rule counts, flow statistics, and feature flags by cluster. That evidence moved the NSX position in 7 of 10 renewals we supported.

Should NSX be negotiated separately from VCF?

No. Fold it into the VCF renewal so the combined number is on the table, then time the close against a Broadcom fiscal quarter end.