VMware just released details about the latest version of NSX—6.2.2. What is interesting about this release is that it is the first that is split into tiers. The release pages are full featured, and although pricing doesn’t appear to be available yet on the website, hopefully this will be a fully public release that doesn’t require jumping through hoops to get. Since VMware acquired Nicira in 2012, the NSX product has been a bit of a dark horse, kept well stabled and not allowed out to run free. The product has been available only to selected customers and partners, presumably with high-volume sales that will support a large amount of VMware employee time in each deployment.
Unlike VMware’s other products, and tellingly vCNS (vCloud Networking and Security), NSX was a single SKU with an all-or-nothing full feature set approach. With 6.2.2, this has changed. We are now looking at VMware’s standard three-tier approach. This could be a positive step. It gives customers options, and the ability to start small and grow into the full NSX product set as their needs change. It also splits out some of the complex Service Provider features from the view of most customers, making it less intimidating and, at the same time, less like customers are paying for features they do not need.
The three tiers are Standard, Advanced, and Enterprise, to match the levels of vSphere. Standard offers the basic NSX features of distributed switching and routing, along with the necessary Edge and physical-to-virtual features to interact with legacy parts of the network. This is a feature set that I would like to see rolled into vSphere Standard in the future as the basic level of networking in a VMware environment. Although it is not explicitly mentioned, I would assume that this license includes the Distributed Switch license that is necessary for the distributed switching component, just as it does for VSAN (with all of the licensing gotchas that come with that). We also get the automation features and integration into OpenStack and vRealize.
The Advanced license gives us Active Directory integration, Edge load balancing, further automation, and Distributed Firewall. I find this an odd decision, as I can see Distributed Firewall being the crowning glory of NSX. It is, after all, the component that allows microsegmentation. In some respects, it makes a very good incentive to move from Standard to Advanced. Finally, if Distributed Firewall moved to Standard, it would also need to take Active Directory integration and the automation advances with it. This license level is the sweet spot to me for NSX for most customers.
The Enterprise license gets us all of the multi-tenant features, the cross-vCenter features, and the last of the automation. This is the level that the largest customers will need. If you need it, there really is no other alternative but to go with it. The integration with hardware VTEPs also comes in at this level, which makes sense, as only the largest of deployments will require those. Finally, this level includes the VPN features. This is a very odd decision to me. I very much hope that this feature is available à la carte for the lower levels, because many, many companies will want to make use of it. It strikes me that this feature is like the Distributed Switch in vSphere, a feature that should be in Standard, but is shifted up to Enterprise Plus in order to drive purchases of the product. With vSphere, this generally leads to companies using the Standard vSwitch and a lot of PowerShell rather than making the huge jump. This decision could just drive customers to source other solutions to the VPN needs.
The FAQ released alongside this information states that current license holders will be migrated to the Enterprise license. The new licenses come into effect immediately, and the old single-stage license is no longer available for purchase.
All in all, this is a long-overdue move from the NSX team. The decision to move Distributed Firewall up the stack I feel is odd, and it remains to be seen if the decision is the best way forward. It is only to be hoped that this is the start of NSX general availability, and that eventually these features are moved into the vSphere SKUs that they correspond to.