diff --git a/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxGuestNetworkGuru.java b/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxGuestNetworkGuru.java
index 8cf1d283fc71..9c153283b80a 100644
--- a/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxGuestNetworkGuru.java
+++ b/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxGuestNetworkGuru.java
@@ -39,6 +39,7 @@
 import com.cloud.network.guru.GuestNetworkGuru;
 import com.cloud.network.vpc.VpcVO;
 import com.cloud.offering.NetworkOffering;
+import com.cloud.offerings.NetworkOfferingVO;
 import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
 import com.cloud.user.Account;
 import com.cloud.user.dao.AccountDao;
@@ -227,7 +228,9 @@ public NicProfile allocate(Network network, NicProfile nic, VirtualMachineProfil
 throw new CloudRuntimeException(msg);
 }
- if (isNull(network.getVpcId())) {
+ NetworkOfferingVO networkOfferingVO = networkOfferingDao.findById(network.getNetworkOfferingId());
+
+ if (isNull(network.getVpcId()) && networkOfferingVO.getNsxMode().equals(NetworkOffering.NsxMode.NATTED.name())) {
 long domainId = domain.getId();
 long accountId = account.getId();
 long dataCenterId = zone.getId();
diff --git a/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
index a816a70cdf36..4be933aaf110 100644
--- a/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/firewall/FirewallManagerImpl.java
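Review bot: In NsxGuestNetworkGuru.allocate, the new condition dereferences `networkOfferingVO` and then the result of `getNsxMode()` with no null check, so a missing offering row or an offering with no NSX mode set would surface as a NullPointerException instead of a CloudRuntimeException like the check just above it. Putting the constant first covers the second case, `NetworkOffering.NsxMode.NATTED.name().equals(networkOfferingVO.getNsxMode())`, and an explicit `if (networkOfferingVO == null)` guard that throws with the offering id covers the first. Whether either value can actually be null here is not visible in the hunk, and allocate's body starts and ends outside it.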
@@ -701,7 +701,7 @@ public boolean applyFirewallRules(List rules, boolean continueOn
 for (FirewallRuleVO rule : rules) {
 // validate rule - for NSX
 long networkId = rule.getNetworkId();
- validateNsxConstraints(networkId, rule.getProtocol(), rule.getIcmpType(), rule.getIcmpCode());
+ validateNsxConstraints(networkId, rule);
 // load cidrs if any
 rule.setSourceCidrList(_firewallCidrsDao.getSourceCidrs(rule.getId()));
 rule.setDestinationCidrsList(_firewallDcidrsDao.getDestCidrs(rule.getId()));
@@ -723,18 +723,28 @@ public boolean applyFirewallRules(List rules, boolean continueOn
 return true;
 }
- private void validateNsxConstraints(long networkId, String protocol, Integer icpmType, Integer icmpCode) {
+ private void validateNsxConstraints(long networkId, FirewallRuleVO rule) {
+ String protocol = rule.getProtocol();
 final Network network = entityManager.findById(Network.class, networkId);
 final DataCenter dc = entityManager.findById(DataCenter.class, network.getDataCenterId());
 final NsxProviderVO nsxProvider = nsxProviderDao.findByZoneId(dc.getId());
 if (Objects.isNull(nsxProvider)) {
 return;
 }
- if (NetUtils.ICMP_PROTO.equals(protocol.toLowerCase(Locale.ROOT)) && (icpmType == -1 || icmpCode == -1)) {
+
+ if (NetUtils.ICMP_PROTO.equals(protocol.toLowerCase(Locale.ROOT)) && (rule.getIcmpType() == -1 || rule.getIcmpCode() == -1)) {
 String errorMsg = "Passing -1 for ICMP type is not supported for NSX enabled zones";
 s_logger.error(errorMsg);
 throw new InvalidParameterValueException(errorMsg);
 }
+
+ if (List.of(NetUtils.TCP_PROTO, NetUtils.UDP_PROTO).contains(protocol.toLowerCase(Locale.ROOT)) &&
+ (Objects.isNull(rule.getSourcePortStart()) || Objects.isNull(rule.getSourcePortEnd())) &&
+ State.Add.equals(rule.getState())) {
+ String errorMsg = "Source start and end ports are required to be passed";
+ s_logger.error(errorMsg);
+ throw new InvalidParameterValueException(errorMsg);
+ }
 }
 @Override
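Review bot: `validateNsxConstraints(networkId, rule)` is called inside the per-rule loop and throws InvalidParameterValueException, so one rule that fails the NSX checks appears to stop the whole batch before the later rules are prepared, whatever the caller passed for the `continueOn…` parameter shown truncated in the hunk header. If that is intended, a comment on the call would record it, for example `// NSX validation failures abort the whole batch; continueOnError does not apply here`. The loop and the rest of applyFirewallRules continue outside the hunk, so a catch further out would not be visible from here.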
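Review bot: In the rewritten ICMP check, `rule.getIcmpType() == -1 || rule.getIcmpCode() == -1` unboxes the getter results, so if they return `Integer` (as the removed parameter types suggest) an ICMP rule stored without a type or code throws a NullPointerException instead of the intended InvalidParameterValueException. `Objects.equals(rule.getIcmpType(), -1) || Objects.equals(rule.getIcmpCode(), -1)` keeps the comparison null-safe; whether a null type or code should also be rejected is a separate decision. The new TCP/UDP message, `"Source start and end ports are required to be passed"`, would be easier to trace in logs if it named the NSX restriction and the rule id, as the ICMP message names NSX.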
diff --git a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
index e8049a2271e2..4669f00070d9 100644
--- a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
+++ b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
@@ -1246,16 +1246,16 @@ private Map getServicesAndProvidersForNSXNetwork(NetworkOffer
 serviceProviderMap.put(Service.Dhcp, routerProvider);
 serviceProviderMap.put(Service.Dns, routerProvider);
 serviceProviderMap.put(Service.UserData, routerProvider);
+ if (forVpc) {
+ serviceProviderMap.put(Service.NetworkACL, Provider.Nsx);
+ } else {
+ serviceProviderMap.put(Service.Firewall, Provider.Nsx);
+ }
 if (nsxMode == NetworkOffering.NsxMode.NATTED) {
 serviceProviderMap.put(Service.SourceNat, Provider.Nsx);
 serviceProviderMap.put(Service.StaticNat, Provider.Nsx);
 serviceProviderMap.put(Service.PortForwarding, Provider.Nsx);
 serviceProviderMap.put(Service.Lb, Provider.Nsx);
- if (forVpc) {
- serviceProviderMap.put(Service.NetworkACL, Provider.Nsx);
- } else {
- serviceProviderMap.put(Service.Firewall, Provider.Nsx);
- }
 }
 return serviceProviderMap;
 }
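Review bot: Moving the `forVpc` branch out of the `NATTED` block means offerings built from this map now get `Service.NetworkACL` or `Service.Firewall` from `Provider.Nsx` in every NSX mode, but nothing in the hunk says what happens to offerings that were created from the old map. If this method only seeds default offerings (not visible here), non-NATTED offerings that already exist would stay without a firewall or ACL service unless an upgrade step adds it, which is worth confirming. A short comment above the new block would also record the intent, for example `// Firewall / Network ACL are provided by NSX in all NSX modes; only the NAT-dependent services below are NATTED-only`. The method starts outside the hunk.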