diff --git a/releasenotes/notes/ens_support-49dbc626ba1b16be.yaml b/releasenotes/notes/ens_support-49dbc626ba1b16be.yaml
new file mode 100644
index 0000000000..9068771af1
--- /dev/null
+++ b/releasenotes/notes/ens_support-49dbc626ba1b16be.yaml
@@ -0,0 +1,8 @@
+---
+prelude: >
+    Add a configuration variable indicating that ENS transport zones can be
+    used.
+features:
+  - |
+    Add a new configuration variable ``ens_support`` to the ``nsx_v3`` section.
+    This indicates if a tenant or admin can create ENS networks.
diff --git a/vmware_nsx/common/config.py b/vmware_nsx/common/config.py
index 24d0b0907f..0e2fa124a2 100644
--- a/vmware_nsx/common/config.py
+++ b/vmware_nsx/common/config.py
@@ -434,7 +434,10 @@ nsx_v3_opts = [
                 help=_("Optional parameter defining a list switching profiles "
                        "uuids that will be attached to all neutron created "
                        "nsx ports.")),
-
+    cfg.BoolOpt('ens_support',
+                default=False,
+                help=_("(Optional) Indicates whether ENS transport zones can "
+                       "be used")),
 ]
 
 DEFAULT_STATUS_CHECK_INTERVAL = 2000
diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index e6a4ecd8d6..353929e79d 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@@ -911,6 +911,8 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 
         if (provider_data['switch_mode'] ==
             self.nsxlib.transport_zone.HOST_SWITCH_MODE_ENS):
+            if not cfg.CONF.nsx_v3.ens_support:
+                raise NotImplementedError(_("ENS support is disabled"))
             if net_data.get(psec.PORTSECURITY):
                 raise nsx_exc.NsxENSPortSecurity()
             # set the default port security to False
diff --git a/vmware_nsx/tests/unit/nsx_v3/test_plugin.py b/vmware_nsx/tests/unit/nsx_v3/test_plugin.py
index 395d334897..4885e6eefa 100644
--- a/vmware_nsx/tests/unit/nsx_v3/test_plugin.py
+++ b/vmware_nsx/tests/unit/nsx_v3/test_plugin.py
@@ -465,6 +465,7 @@ class TestNetworksV2(test_plugin.TestNetworksV2, NsxV3PluginTestCaseMixin):
             self.assertEqual('InvalidInput', data['NeutronError']['type'])
 
     def test_create_ens_network_with_no_port_sec(self):
+        cfg.CONF.set_override('ens_support', True, 'nsx_v3')
         providernet_args = {psec.PORTSECURITY: False}
         with mock.patch("vmware_nsxlib.v3.core_resources.NsxLibTransportZone."
                         "get_host_switch_mode", return_value="ENS"),\
@@ -481,6 +482,7 @@ class TestNetworksV2(test_plugin.TestNetworksV2, NsxV3PluginTestCaseMixin):
             self.assertFalse(res['network']['port_security_enabled'])
 
     def test_create_ens_network_with_port_sec(self):
+        cfg.CONF.set_override('ens_support', True, 'nsx_v3')
         providernet_args = {psec.PORTSECURITY: True}
         with mock.patch("vmware_nsxlib.v3.core_resources.NsxLibTransportZone."
                         "get_host_switch_mode", return_value="ENS"),\
@@ -497,6 +499,7 @@ class TestNetworksV2(test_plugin.TestNetworksV2, NsxV3PluginTestCaseMixin):
                              res['NeutronError']['type'])
 
     def test_update_ens_network(self):
+        cfg.CONF.set_override('ens_support', True, 'nsx_v3')
         providernet_args = {psec.PORTSECURITY: False}
         with mock.patch("vmware_nsxlib.v3.core_resources.NsxLibTransportZone."
                         "get_host_switch_mode", return_value="ENS"),\