NSX supports a wide range of networking and security solutions.

NSX was designed specifically to support diverse data center environments at scale and provide robust capabilities for containers and the cloud.


NSX Configuration Maximums are now included in VMware Configuration Maximums.

Networking and Connectivity Features

NSX provides all the networking capabilities required by workloads running in the SDDC. These capabilities allow you to:

  • Deploy networks (L2, L3, and isolated) and define subnets and gateways for the workloads that will reside there.
    • L2VPNs extend your on-premises L2 domains to the SDDC, enabling workload migration without IP address changes.
    • Route-based IPsec VPNs can connect to on-premises networks, VPCs, or other SDDCs. Route-based VPNs use BGP to learn new routes as networks become available.
    • Policy-based IPsec VPNs can also be used to connect to on-premises networks, VPCs, or other SDDCs.
    • Isolated networks have no uplinks, and provide access only to those VMs connected to them.
  • Use AWS Direct Connect (DX) to carry traffic between on-premises and SDDC networks over high bandwidth, low latency connectivity. You can optionally use a route-based VPN as backup for DX traffic.
  • Enable native DHCP selectively for network segments or use DHCP relay to link with an on-premises IPAM solution.
  • Create multiple DNS zones, allowing use of different DNS servers for network subdomains.
  • Take advantage of distributed routing, managed by an NSX kernel module running on the host where the workload resides, so workloads can efficiently communicate with each other.

Security Features

NSX security features include network address translation (NAT) and advanced firewall capabilities.

  • Source NAT (SNAT) is automatically applied to all workloads in the SDDC to enable Internet access. To provide a secure environment, Internet access is blocked at edge firewalls, but firewall policy can be changed to allow managed access. You can also request a public IP for workloads and create custom NAT policies for them.
  • Edge firewalls run on the management and compute gateways. These stateful firewalls examine all traffic into and out of the SDDC.
  • Distributed Firewall (DFW) is a stateful firewall that runs on all SDDC hosts. It provides protection for traffic within the SDDC and enables micro-segmentation to allow fine-grained control over traffic between workloads.

Network Operations Tools

NSX also provides several popular network operations management tools.

  • Port mirroring can send mirrored traffic from a source to a destination appliance in the SDDC or your on-premises network.
  • IPFIX supports segment-specific network traffic analysis by sending traffic flows to an IPFIX collector.