What is VMware NSX?

Update 2021-03-01: NSX MH is long gone, NSX-V went through numerous releases and is now on the retirement track, NSX-T is the new kid on the block. Watch the NSX webinar for more details.

Answer#1: An overlay virtual networking solution providing logical bridging (aka layer-2 forwarding or switching), logical routing (aka layer-3 switching), distributed or centralized firewalls, load balancers, NAT and VPNs.

Answer#2: A merger of Nicira NVP and VMware vCNS (a product formerly known as vShield).

Oh, and did I mention it’s actually two products, not one?

VMware NSX for multi-hypervisor environment is Nicira NVP with ESXi and VXLAN enhancements:

Apart from that, the feature list closely matches existing Nicira NVP functionality: distributed L2 forwarding, distributed or centralized L2 or L3 forwarding, reflexive VM NIC ACLs, controllers and L2/L3 gateways as physical appliances.

Use cases: OpenStack and CloudStack deployments using Xen, KVM or ESXi hypervisors.

VMware NSX optimized for vSphere is a totally different beast:

  • While the overall architecture looks similar to Nicira NVP, it seems there’s no OVS or OpenFlow under the hood.
  • Hypervisor virtual switches are based on vDS switches; VXLAN encapsulation, distributed firewalls and distributed layer-3 forwarding are implemented as loadable ESXi kernel module.
  • NVP controllers run in virtual machines and are tightly integrated with vCenter through NSX manager (which replaces vShield Manager);
  • Distributed layer-3 forwarding uses a central control plane implemented in NSX Edge Distributed Router, which can run BGP, OSPF or IS-IS with the outside (physical) world;
  • Another variant of NSX Edge (Services Router) provides centralized L3 forwarding, N/S firewall, load balancing, NAT, and VPN termination;
  • Most components support IPv6 (hooray, finally!).

The Nicira NVP roots of NSX are evident. It’s also pretty easy to map how individual NSX components map into vCNS/vShield Edge: NSX Edge Services Router definitely looks like vShield Edge on steroids and the distributed firewall is probably based on vShield App.

Unfortunately, it seems that the goodies from vSphere version of NSX (routing protocols, in-kernel firewall) won’t make it to vCNS 5.5 (but let’s wait and see how the packaging/licensing looks when the products launch).

Does it all make sense?

Sure it does. VMware NSX seems to be a successful blend of two pretty mature products with loads of improvements (some of them badly needed).

Of course we have to wait to see the actual GA product (Nicira NVP aka NSX for multiple hypervisors is shipping, NSX for vSphere is promised for late 2013), but it seems that once all the wrinkles have been ironed out, VMware NSX for vSphere will be the most comprehensible virtual networking product you can get (unfortunately you can’t get your own copy of Amazon VPC).

The only problem I see is the breadth of the offering. VMware has three semi-competing partially overlapping products implementing overlay virtual networks:

  • NSX for multi-hypervisor environment using NVP controllers, NVP gateways and OVS (for Linux and ESXi environment);
  • NSX for vSphere using NVP controllers, vSphere kernel modules and NSX edge gateways;
  • vCNS with vShield App firewall and vShield Edge firewall/load balancer/router.

It will be fun to see how the three products evolve in the future and how the diverging code base will impact feature parity.


  1. Can't wait 'till sept 18 for your NSX webinar, wish it was sooner!
    1. Hope to have the materials ready and published sooner than that.
  2. Would you care to explain why NSX's bringing L3 back to a already well-spanned L2 data centre?
    1. You must be new to this blog ;) Would this help? http://blog.ipspace.net/2012/05/layer-2-network-is-single-failure.html
  3. You mention that NSX Edge provides N/S firewall - n/s presumably meaning non-stateful. However, Greg Ferro's article in network computing (http://www.networkcomputing.com/cloud-computing/vmware-nsx-game-changer-for-data-center/240160449?pgno=2) states that NSX has a stateful firewall. I'm probably confusing different aspects of the NSX solution but could you please clarify?
    1. Stupid me ... living too deep in the acronym land :((

      N/S = North/South - between the app stack and the outside world. You'd use NSX Edge there, which includes stateful firewall with active/standby failover capabilities.
    2. Ahh, that makes more sense now. Thanks.
    3. The NSX firewall feature in the vSwitch is scheduled for early next year I believe. It was covered in the briefing so I wrote about it but the details are sketchy. YMMV
  4. when the nsx product will be sold?
    from vmware website there is no nsx for evaluation, but as vCNS5.5 has also not good stuff like routing-protocol, in-kernel-firewall yet.
Add comment