How to calculate NSX-T costs per Core
  • 15 Apr 2024
  • 4 Minutes to read

What are ‘Firewall’ and ‘Gateway Firewall’?

In NSX-T terms, the new VCF ‘Firewall’ add-on is the Distributed (East-West) Firewall, and the VCF ‘Gateway Firewall’ add-on is the NSX-T Gateway (North-South) Firewall.  If you are utilising either of these firewalls, whether through Firewall Rules or NAT Rules, you will need to commit to your full requirement of these add-ons (Broadcom are not allowing their 10% on-demand core licensing burst for add-ons).

Distributed Firewall Licensing

Explanation of Distributed Firewall rules

As you are no doubt already aware, the Distributed Firewall in NSX-T is a Hypervisor kernel-based firewall, which provides policy-based enforcement and inspection at the Virtual Machine level.  By being application-aware and integrating with NSX-T services, the DFW offers granular security controls tailored to specific applications, while providing logging, monitoring, and compliance reporting capabilities.

Licensing requirements

Any hypervisor in your environment that will host a VM connected to a Segment running Distributed Firewall rules will need to be fully licensed for ‘Firewall’.  Licensing for ‘Firewall’ is on hypervisor cores, with the same minimum of 16 cores per physical socket as defined for VCF Core licensing.

Gateway Firewall Licensing

Tier 0 and Tier 1 NSX-T gateways

The NSX-T Gateway Firewall is a component that provides security and connectivity services for traffic entering or leaving the NSX-T environment. It operates at the perimeter of the NSX-T infrastructure, allowing for policy-based inspection and enforcement of traffic between external networks (such as the Internet or other data centres) and the NSX-T environment. The Gateway Firewall can enforce security policies based on application awareness, user identity, and network context, providing comprehensive protection for north-south traffic flows, while integrating seamlessly with NSX-T's overall security framework.

Licensing specifics

Licensing for ‘Gateway Firewall’ is performed on the Edge Transport Node cores, at a cost roughly four (4) times that of the Distributed Firewall.  However, because only the Edge nodes’ own (VM) cores need to be licensed, on anything but a very large deployment this works out much cheaper than licensing the Distributed Firewall.  NOTE: Edge Transport Nodes are usually deployed as VMs, but CAN be physical servers if you require high throughput and do not wish to double-pay for your hypervisor CPU cores.

Examples

Let us use the following annual per-core pricing in our examples:

  • VCF Core: $550
  • Firewall: $200
  • Gateway Firewall: $800

Example 1

In the first example, the environment has four (4) hypervisors, each with two (2) × 24-core CPUs.  All four hypervisors need to be able to run VMs that are on segments with Distributed Firewall rules, we have Gateway Firewall rules running, and we have deployed our NSX-T Edge Transport Nodes as 2 × 4-core VMs.

VCF Core - 4 hypervisors, 2 × 24-core CPUs each.  2 × 24 × 4 = 48 × 4 = 192 cores.  192 cores × $550 = $105,600/year
VCF Firewall Addon - 192 cores (from the previous calculation) × $200 = $38,400/year
VCF Gateway Firewall Addon - 2 × 4-core VMs = 2 × 4 = 8 cores.  8 cores × $800 = $6,400/year
Total cost: $150,400/year

Example 2

In this environment, the customer has eight (8) hypervisors, each with two (2) × 64-core CPUs.  They wish to save some money on licensing, so they are going to run Distributed Firewall rules only in the PCI section of their environment and use the Gateway Firewall between segments.  To accomplish this, they are going to tag all PCI VMs and use affinity rules to keep those VMs only on four of the eight hypervisors.  Due to the increased Edge firewall load from firewalling at the gateway instead of using the DFW, the customer will deploy 2 × 16-core physical servers as Edge Transport Nodes.

VCF Core - 8 hypervisors, 2 × 64-core CPUs each.  2 × 64 × 8 = 128 × 8 = 1024 cores.  1024 cores × $550 = $563,200/year
VCF Firewall Addon - 512 cores (half of the previous calculation) × $200 = $102,400/year
VCF Gateway Firewall Addon - 2 × 16-core Transport Nodes = 2 × 16 = 32 cores.  32 cores × $800 = $25,600/year

So yes, as can be seen above, the customer is saving a significant amount by restricting the DFW to half of their environment.

Example 3

In this environment, a somewhat legacy customer is looking to license their environment under the new Broadcom VMware licensing model.  They have four hypervisors, each with two (2) × 8-core CPUs, but each must be licensed as 2 × 16 cores due to the VCF minimums.  The customer is not using the Distributed Firewall at all and is only using the Gateway Firewall for NAT.  The customer has deployed 2 × 4-core Edge Transport Node VMs.

VCF Core - 2 × 16 cores × 4 hypervisors = 32 cores × 4 = 128 cores.  128 cores × $550 = $70,400/year
VCF Firewall Addon - Not in use
VCF Gateway Firewall Addon - 2 × 4 cores = 8 cores.  8 cores × $800 = $6,400/year

Note: To be perfectly frank, unless there is a specific reason to keep the older hardware, the customer would likely find they are MUCH better off buying two new 16-core Hypervisors, migrating their workload, and saving $35,200/year by only having two 16-core hypervisors in their environment.  The $35,200 saving would pay for two new Hypervisors many times over.
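The following calculator encodes the rules above (the 16-core-per-socket minimum, the ‘Firewall’ add-on on every hypervisor that may host a DFW-protected VM, and the ‘Gateway Firewall’ add-on on Edge Transport Node cores only) and reproduces the three examples.  It is an added illustration, not code from the original article or from VMware/Broadcom; the class, function and parameter names are my own.

```python
from dataclasses import dataclass

# Annual per-core prices used in the article's examples (USD).
PRICE_VCF_CORE = 550
PRICE_FIREWALL = 200          # Distributed (East-West) Firewall add-on
PRICE_GATEWAY_FIREWALL = 800  # Gateway (North-South) Firewall add-on
MIN_CORES_PER_SOCKET = 16     # VCF minimum: every socket licensed as >= 16 cores

@dataclass
class Hypervisor:
    sockets: int
    cores_per_socket: int
    runs_dfw: bool  # may host VMs on segments that carry DFW rules

    def licensed_cores(self) -> int:
        # Smaller CPUs are rounded up to the 16-core-per-socket minimum.
        return self.sockets * max(self.cores_per_socket, MIN_CORES_PER_SOCKET)

@dataclass
class EdgeNode:
    cores: int  # vCPUs of an Edge VM, or physical cores of a bare-metal Edge

def cost_breakdown(hypervisors, edge_nodes, gateway_firewall=True):
    """Annual cost per licence type, plus the total, for one environment."""
    vcf_cores = sum(h.licensed_cores() for h in hypervisors)
    # The DFW add-on covers every hypervisor that can host a DFW-protected VM,
    # in full: there is no 10% on-demand burst allowance for add-ons.
    dfw_cores = sum(h.licensed_cores() for h in hypervisors if h.runs_dfw)
    # The Gateway Firewall add-on is licensed on Edge Transport Node cores only.
    gw_cores = sum(e.cores for e in edge_nodes) if gateway_firewall else 0
    costs = {
        "vcf_core": vcf_cores * PRICE_VCF_CORE,
        "firewall": dfw_cores * PRICE_FIREWALL,
        "gateway_firewall": gw_cores * PRICE_GATEWAY_FIREWALL,
    }
    costs["total"] = sum(costs.values())
    return costs

def example_1():  # 4 HVs, 2 x 24-core, DFW everywhere, 2 x 4-core Edge VMs
    return cost_breakdown([Hypervisor(2, 24, True)] * 4, [EdgeNode(4)] * 2)

def example_2():  # 8 HVs, 2 x 64-core, DFW pinned to 4 PCI hosts, 2 x 16-core Edges
    hvs = [Hypervisor(2, 64, runs_dfw=(i < 4)) for i in range(8)]
    return cost_breakdown(hvs, [EdgeNode(16)] * 2)

def example_3():  # 4 HVs, 2 x 8-core (licensed as 16), no DFW, 2 x 4-core Edge VMs
    return cost_breakdown([Hypervisor(2, 8, False)] * 4, [EdgeNode(4)] * 2)
```

Pass `gateway_firewall=False` to model an environment that uses neither NAT nor Gateway Firewall rules on its Edges.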
