NSX licensing. VCF, VVF add on, vDefend.

NSX is the VMware networking and security plane. Bundled inside VCF. Available as add on to VVF. Critical for estates using microsegmentation or software defined networking.

NSX is the VMware networking and security plane. Software defined networking, microsegmentation, and distributed firewall capabilities all sit inside NSX. The licensing changed under Broadcom and the path now depends on whether the customer runs VCF, VVF, or a hybrid.

This brief decodes NSX licensing in 2026. The scope of NSX. How it bundles inside VCF. How it sits as an add on to VVF. The vDefend security replacement. Pricing posture. And the alternative networking platforms gaining traction.

Read this alongside the VMware licensing guide, the VCF vs VVF decision, and the Broadcom VMware knowledge hub.

What NSX actually covers

Networking plane

NSX provides software defined networking. Virtual switches, routers, load balancers, and gateways defined in software.

Replaces or augments physical network hardware in the data center.

Security plane

• Distributed firewall. Microsegmentation at the workload level.
• IDS and IPS. Intrusion detection and prevention.
• Threat prevention. Network based threat detection.
• Identity firewall. User based access control.

Multi cloud networking

NSX extends to public cloud through VMware Cloud on AWS and similar offerings.

Hybrid networking estates use NSX as the common control plane across on premises and cloud.

Bundling inside VCF

Bundled rate covers NSX

VCF subscription includes NSX with no separate licensing line.

The per core VCF rate covers vSphere, vSAN, NSX, Aria Operations, Aria Automation, and HCX.

Module activation

• NSX must be deployed. Bundled does not mean automatic.
• Network team training required. NSX expertise differs from traditional networking.
• Aria Operations integration. Monitoring NSX through the Aria stack.
• Identity integration. NSX consumes identity sources.

Why VCF customers should use NSX

Customers paying the VCF rate are paying for NSX whether they use it or not.

Not using NSX is a missed return on the bundle. The microsegmentation alone often justifies the activation.

Standalone NSX paths

Legacy NSX retired

The legacy standalone NSX SKUs were retired in the Broadcom SKU consolidation.

Existing perpetual NSX entitlements remain valid but receive no support beyond SnS expiry.

NSX add on to VVF

• Available where the customer needs NSX without the full VCF stack.
• Prices per core.
• Negotiated rates of $40 to $80 per core per year.
• Targeted at estates that need software defined networking but not vSAN or Aria Automation.

Migration from legacy

Customers on legacy standalone NSX who renew now move to NSX inside VCF or NSX as add on to VVF.

The migration typically involves a SKU swap at renewal with possible credit for remaining legacy term.

vDefend and security

What vDefend replaces

vDefend replaces the legacy NSX security SKUs as the security add on path.

Bundles distributed firewall, IDS, IPS, and threat prevention.

vDefend scope

• Distributed firewall. Microsegmentation.
• IDS and IPS. Intrusion detection and prevention.
• Advanced threat prevention. Network based threat detection.
• Identity firewall. User based access control.
• Network sandbox. Malware analysis.

vDefend pricing

vDefend prices per core. Negotiated rates of $40 to $80 per core depending on volume and bundle adjacency.

Often added to VVF estates that need security without the full VCF bundle.

NSX inside VCF is zero marginal cost. NSX outside VCF is 20 to 40 percent on top of VVF. The networking decision is also the bundle decision.

Pricing posture across the Redress book

Inside VCF

NSX inside VCF is effectively zero marginal cost. The bundled VCF rate covers it.

Activating NSX on VCF estates delivers value at no additional licensing spend.

Outside VCF

• NSX add on or vDefend. $40 to $80 per core per year.
• Strategic deal floor. $30 to $50 per core for large estates.
• Volume tier thresholds. 1,000 and 10,000 core breakpoints apply.
• Term and payment discounts. Three year all upfront delivers the floor.

Total NSX exposure

Estates running NSX inside VCF pay nothing additional. Estates running NSX as add on to VVF pay 20 to 40 percent on top of the VVF rate.

The exposure is a key input to the VCF vs VVF decision.

Alternative networking platforms

Cisco ACI

Cisco Application Centric Infrastructure. Strong fit for Cisco hardware estates.

Replaces NSX networking but not the VMware security plane fully.

Arista CloudVision

• Arista hardware native. Fits Arista heavy estates.
• Strong on observability and automation.
• Less coverage on microsegmentation. Requires complement.

Hyperscaler native

AWS VPC, Azure Virtual Network, Google VPC. Cloud first estates often use the native networking and security planes.

Hybrid estates run NSX on prem and hyperscaler native in cloud.

Open source

• OVN and OVS. Open Virtual Network and Open vSwitch.
• Cilium. Kubernetes native networking and security.
• Calico. Kubernetes networking and microsegmentation.

Suggested reading

• VCF vs VVF Decision. Cross vendor reading from the wider library.
• VMware Licensing Guide 2026. Cross vendor reading from the wider library.
• VCF Pricing 2026. Cross vendor reading from the wider library.
• Broadcom VMware Knowledge Hub. Cross vendor reading from the wider library.

What to do next

1. Audit current NSX use. Microsegmentation, distributed firewall, software defined networking.
2. Decide whether NSX matters. Critical or optional for the estate.
3. Score the bundle implication. NSX use favors VCF.
4. Compare vDefend exposure. Add on cost on VVF estates.
5. Plan the migration from legacy NSX. Renewal year SKU swap.
6. Score the alternatives. Cisco ACI, Arista, hyperscaler native, open source.
7. Run the calculator. Use the VCF migration cost estimator with NSX scope.

Frequently asked questions

Is NSX included in VCF?

Yes. VCF subscription includes NSX with no separate licensing line. The per core VCF rate covers vSphere, vSAN, NSX, Aria Operations, Aria Automation, and HCX. Activation still requires deployment and network team capability.

Can I get NSX with VVF?

Yes, as an add on. NSX add on to VVF prices per core at $40 to $80 per core per year on negotiated enterprise rates. vDefend replaces the security focused legacy NSX SKUs.

What is vDefend?

vDefend is the Broadcom security add on that replaces the legacy NSX security SKUs. Includes distributed firewall, IDS, IPS, advanced threat prevention, identity firewall, and network sandbox. Prices per core.

Are legacy standalone NSX licenses still supported?

Existing perpetual NSX entitlements remain valid but receive no support beyond SnS expiry. The legacy standalone NSX SKUs were retired in the Broadcom SKU consolidation. New licensing moves to NSX inside VCF or NSX as add on to VVF.

Should we use NSX if we have VCF?

Usually yes. Customers paying the VCF rate are paying for NSX whether they use it or not. The microsegmentation and distributed firewall capabilities often justify activation alone. Not using NSX is a missed return on the bundle.

What are the credible alternatives to NSX?

Cisco ACI for Cisco heavy estates. Arista CloudVision for Arista heavy estates. Hyperscaler native networking for cloud first programs. Open source options like OVN, Cilium, and Calico for container heavy estates.

How does Redress engage on NSX licensing?

Redress runs NSX scoring inside the Vendor Shield subscription and the Renewal Program. Engagements cover NSX use audit, bundle implication, vDefend modelling, and alternative platform scoring.