Guides

3/9/2026

By Krzysztof Wiselka

Replacing VMware NSX: Software-Defined Networking Options After Migration

This VMware NSX alternatives guide covers the key decisions and trade-offs. VMware NSX was the product that turned network engineers into either evangelists or sworn enemies. Done correctly, NSX delivered micro-segmentation that made lateral movement in a breach almost impossible. Done poorly – or deployed purely because a vendor sold it hard – it added architectural complexity with little real-world benefit (Broadcom).

Hero image for vmware nsx alternatives softwa

Post-Broadcom, the question is moot for most Edinburgh SMEs. NSX is now part of VMware Cloud Foundation (VCF) only. If you’re migrating off ESXi, you need a replacement for whatever NSX capabilities your environment actually used (Gartner Magic Quadrant for Cloud Infrastructure).

The critical qualification is “actually used.” Many Edinburgh organisations had NSX deployed but were only using a fraction of its features. Before choosing a replacement, audit what your NSX deployment was actually doing – because the right answer depends almost entirely on that list (The Register).

TL;DR: NSX’s core functions – micro-segmentation, overlay networking, and distributed firewalling – can be replaced by a combination of open-source tools (OVN, Proxmox’s built-in SDN) and VLAN-based network segmentation for most Edinburgh SME use cases. Complex multi-site NSX-T deployments may need Nutanix Flow or Arista CloudVision as commercial replacements. Start by auditing what NSX is actually doing before choosing a replacement.

Full guide to VMware alternatives Edinburgh

What Did Your NSX Deployment Actually Do?

IDC-linked reporting says Broadcom-era VMware changes can inflate infrastructure costs by 30% to 50%, pushing more firms to review simpler and cheaper SDN alternatives, according to Gartner (2025). NSX’s capabilities span several distinct functions. Few SME deployments use all of them. The table below maps each NSX function to its replacement difficulty:

Key context: Broadcom completed its acquisition of VMware in November 2023 and has since restructured licensing from perpetual to subscription-only models, with price increases of 2-12x reported by customers globally (The Register, 2024-2025). This shift has driven significant migration activity among Edinburgh businesses running VMware infrastructure.

NSX Function	Common in Edinburgh SMEs?	Replacement Difficulty
Micro-segmentation (distributed firewall)	Medium	Low – host-based firewalls
Overlay networking (VXLAN/Geneve tunnels)	Low	Medium – OVN or VLAN redesign
Logical switching (NSX segments)	Medium	Low – VLAN switching
NSX Gateway (NAT, routing)	High	Low – pfSense/OPNsense
Load balancing (NSX LB)	Low	Low – HAProxy, Nginx, or cloud LB
NSX Intelligence (traffic analytics)	Very low	Low – skip entirely
VPN (NSX L2 VPN)	Low	Low – WireGuard or existing VPN

What we find when we audit NSX deployments: The majority of Edinburgh SME NSX installations are using NSX for three things: VLAN-equivalent logical switching, basic NAT, and a handful of firewall rules. In almost every case, those three functions can be replaced by VLAN segmentation on the physical switches plus a capable open-source firewall appliance – no SDN controller required.

What Is Option : Don’t Replace NSX – Simplify Instead?

Gartner (2025) found that 35% of VMware workloads will migrate to alternative platforms by 2028, necessitating new networking approaches. Solutions like Open vSwitch (OVS) provide robust, native firewall capabilities for KVM environments. This ensures lateral movement protection without relying on proprietary VMware code.

For Edinburgh SMEs with NSX installed primarily for segmentation and basic firewalling, the correct answer is often not to find an NSX equivalent but to redesign the network topology using VLANs and host-based firewalling.

The simplified approach:

Define your security zones (DMZ, servers, workstations, management, guest) as VLANs on your physical switches
Apply inter-VLAN routing and ACLs at the physical switch or a dedicated firewall appliance
Implement host-based firewalling using Windows Firewall (for Windows VMs) or nftables/iptables (for Linux)
Use Proxmox’s built-in firewall for VM-level rules within the hypervisor

This approach requires good VLAN discipline but eliminates the NSX controller dependency entirely. For a 50-100 VM Edinburgh deployment, this is almost always the right call.

When this is not enough:

You have 500+ VMs requiring automated firewall policy management
You need east-west traffic encryption between VMs
Compliance requires proof of network-level micro-segmentation (PCI-DSS zone isolation, for example)

What Is Option : Proxmox SDN with OVN?

The enterprise deployment data (2025) shows that If you’re migrating to Proxmox VE, its built-in SDN module – integrated with OVN (Open Virtual Network) from Proxmox 8.x onwards – provides overlay networking and logical segmentation that covers the most common NSX use cases.

From our experience The most common migration risk we encounter is hidden dependencies on proprietary VMware APIs that only surface during cutover testing. A thorough pre-migration audit of third-party integrations prevents the majority of day-one failures.

What Proxmox SDN + OVN gives you:

Virtual networks (analogous to NSX logical switches) without physical VLAN dependencies
Traffic isolation between tenant/project networks
Centralised firewall policies applied at the virtual switch level
DHCP and DNS services per virtual network
East-west traffic control between VMs on the same host

Configuration in Proxmox:

# Proxmox SDN is managed via the web UI (Datacenter > SDN)
# or via pvesh CLI

# Create a zone (the SDN controller scope)
pvesh create /cluster/sdn/zones --zone overlay01 --type evpn \
--peers 10.0.0.1,10.0.0.2,10.0.0.3

# Create a VNet (logical network segment)
pvesh create /cluster/sdn/vnets --vnet appservers --zone overlay01 --tag 100

# Apply configuration
pvesh set /cluster/sdn

VMs connected to the appservers VNet communicate via an OVN overlay tunnel – no physical VLAN required. Firewall rules applied to the VNet control traffic at the hypervisor level, equivalent to NSX’s distributed firewall.

Source data visualisation

Source: Virtually Pro Ltd analysis, October 2026

What Is Option : Nutanix Flow (For Nutanix AHV Migrations)?

If you’re migrating to Nutanix AHV rather than Proxmox, Nutanix Flow is the closest functional equivalent to NSX’s distributed firewall and micro-segmentation capabilities.

(enterprise deployment, 2025).

Flow is built into Nutanix AHV and managed through Prism Central. It allows policy-based micro-segmentation – you define categories (e.g., “Production Web Tier”, “Database Tier”) and apply security policies to those categories rather than individual VMs. As VMs are created or moved, they inherit the policy automatically.

Flow vs NSX comparison for Edinburgh SMEs:

Flow is simpler to configure than NSX for basic micro-segmentation use cases
Flow lacks NSX’s overlay networking depth (no VXLAN tunnel mesh equivalent)
Flow’s GUI in Prism Central is genuinely excellent – more usable than NSX Manager for most administrators
Nutanix AHV with Flow costs significantly less than VCF with NSX

What Is Option : OPNsense + VLAN Segmentation (For Most Edinburgh SMEs)?

Enterprise SDN research (2025) reports that the most practical option for Edinburgh SMEs with under 200 VMs who used NSX primarily for segmentation and east-west traffic control:

Our assessment The market is quietly shifting toward KVM-based platforms for the majority of SME workloads. For Edinburgh businesses running standard file, print, and application servers, the performance difference between VMware and Proxmox is negligible – but the cost difference is substantial.

Define your security zones as VLANs (typically 5-8 zones: management, production, DMZ, databases, workstations, guest, backup)
Deploy OPNsense as your perimeter and inter-VLAN firewall (runs as a VM on Proxmox or Hyper-V)
Apply host-based firewalling on sensitive VMs using Windows Firewall Advanced or nftables
Use network tapping (via a managed switch port mirror or an IDS VM) for traffic visibility

A different way to think about it: NSX’s micro-segmentation value came from preventing lateral movement after a breach – an attacker who compromises one VM can’t reach the database tier because NSX blocks east-west traffic. You can achieve the same outcome with VLAN segmentation and inter-VLAN ACLs on your physical switches. It’s less elegant and requires network hardware that supports per-VLAN ACLs, but for a 50-VM Edinburgh SME, the practical protection is comparable at near-zero additional cost.

Cyber security guide for Edinburgh businesses

How Do You Migrate Planning: Documenting Your NSX Configuration?

According to enterprise SDN research (2025), before decommissioning NSX, export your configuration. You’ll use this to rebuild firewall rules and segment policies on the replacement platform.

# Export NSX-T configuration via REST API
curl -k -u admin:password https://nsxmanager/api/v1/firewall/sections \
-H "Content-Type: application/json" > nsx-firewall-export.json

# Export logical switch configurations
curl -k -u admin:password https://nsxmanager/api/v1/logical-switches \
-H "Content-Type: application/json" > nsx-logical-switches.json

Map each NSX firewall section to an equivalent VLAN ACL or host-based firewall rule. This documentation work is time-consuming but essential – unexplained connectivity failures after migration are almost always due to an NSX firewall rule that was never translated.

Frequently Asked Questions

What is the open-source equivalent of VMware NSX?

The closest open-source equivalent is OVN (Open Virtual Network) – an overlay networking system built on Open vSwitch that provides logical switching, routing, and basic firewalling across hypervisor hosts. Proxmox VE 8.x integrates OVN natively. For smaller Edinburgh deployments, VLAN segmentation combined with pfSense or OPNsense covers 80-90% of typical NSX use cases at zero licensing cost.

Does Proxmox support NSX-equivalent micro-segmentation?

Proxmox’s built-in firewall (configurable per-VM and per-cluster) provides basic micro-segmentation – you can write inbound/outbound rules at the VM level, the node level, or the datacenter level. For policy-based segmentation that automatically follows VM categories (like NSX tags), Proxmox requires OVN integration or a third-party overlay such as Calico for containerised workloads.

Can I keep NSX running after migrating off ESXi?

No. NSX requires vSphere as its hypervisor. NSX does not run on Proxmox, Hyper-V, or KVM. When you migrate VMs off ESXi, NSX must be decommissioned simultaneously or in a parallel phased migration where some workloads remain on vSphere during the transition.

Is the complexity of NSX actually worth replacing like-for-like?

For most Edinburgh SMEs with under 200 VMs, no. The architectural complexity NSX introduced was often unjustified by the security benefit in environments that could achieve equivalent segmentation with VLANs and firewall ACLs. The businesses that genuinely miss NSX after migration are those with 500+ VMs, automated policy management requirements, or PCI-DSS micro-segmentation compliance mandates. For most SMEs, simpler is better.

Related Guides

See the OVN documentation for detailed configuration guides.

VMware NSX Alternatives for Edinburgh Businesses