Broadcom · Private Cloud Platform

VMware Cloud Foundation Version 9 (VCF 9.0 / 9.1) · SDDC · Fleet · AI-Ready Private Cloud

A complete operational reference for VMware Cloud Foundation 9 — the architectural shift from SDDC Manager–centric to VCF Operations Fleet-managed platform, covering deployment, lifecycle, networking, storage, AI workloads, security, and API automation.

Topics: VCF 9.0 / 9.1 · Fleet Manager · NSX 9 · vSAN ESA · AI / GPU Workloads · Tanzu / Kubernetes · API-First
VCF 9 Platform Stack (top to bottom)
⚡ VCF Operations — Unified Control Plane: Fleet Manager · License Mgmt · Identity Broker · Ops for Logs · Ops for Network · SDDC Manager
   ▼ orchestrates ▼
🤖 VCF Automation + Tanzu: VCF Automation · Tanzu Platform · Argo CD · AI Services
   ▼ runs on ▼
🌐 NSX — Software-Defined Networking: NSX Manager · NSX Edge · Distributed FW · Load Balancer · VPN
   ▼ compute + storage ▼
💻 vSphere + vSAN — Management & Workload: ESXi 9 · vCenter 9 · vSAN ESA · DRS / HA · vGPU
   ▼ physical ▼
🖥️ Physical Infrastructure: PowerEdge / ProLiant · NVMe / SSD · 25/100GbE NICs · GPU Sleds · iDRAC / iLO

What is VMware Cloud Foundation 9?

🏗️ Platform Definition

VCF 9.0 brings a set of foundational innovations that accelerate time to value, streamline day-to-day operations, and help organizations scale with confidence. It is a fully integrated private cloud platform delivering compute, storage, networking, and automation as a single validated stack.

Single Integrated Stack — ESXi, vCenter, vSAN, NSX, VCF Automation, and VCF Operations shipped and validated together as one Bill of Materials (BOM). No component version guessing. Every component version validated end-to-end by Broadcom.
Fleet-Managed — In VCF 9.x, lifecycle ownership shifts to Fleet Manager, integrated into VCF Operations, which orchestrates lifecycle for the entire platform. SDDC Manager remains but will be deprecated in a future release.
Operations-First — VCF Operations is the primary UI and management surface. VCF Operations 9.0 handles license management across the stack for VCF 9.0. Replaces Aria Suite Lifecycle Manager as the orchestration layer.
API-First — What was once a siloed platform with discrete APIs and fragmented automation tools is now a simplified platform with a unified, API-first consumption interface. Terraform, PowerCLI, Ansible all consume unified API contracts.
🆕 VCF 9 vs VCF 5 — What Changed
| Capability | VCF 5.x | VCF 9.x |
|---|---|---|
| Primary lifecycle UI | SDDC Manager | VCF Operations / Fleet |
| Aria management | Aria Suite Lifecycle Mgr | Fleet Manager (built-in) |
| Deployment tool | Cloud Builder | VCF Installer (OVA) |
| Licensing | Per-product license files | VCF Operations — central |
| Upgrade orchestration | SDDC Manager + ASLCM | Fleet Manager (unified) |
| Management appliances | Separate Aria appliances | VCF Operations cluster |
| Multi-instance mgmt | Limited | Fleet Manager — multi-VCF |
| Storage default | vSAN OSA | vSAN ESA (NVMe-only) |
| AI/GPU support | Basic vGPU | Full AI services stack |
📅 VCF 9 Release Cadence & Support Model
| Item | Detail |
|---|---|
| Release cadence | 3-year major release with minor releases ~every 9 months |
| Minor releases | VCF 9.0 → 9.1 → 9.2 → 9.3 |
| Support model | 6+1 model: 6 years general + 1 year extended support |
| Minor release support | 27 months (initial) / 45 months (last minor) |
| VCF 9.0 GA | June 2025 |
| VCF 9.1 GA | May 2026 |
| Evaluation period | 90 days — full functionality, then must license |
| Upgrade path from | VCF 5.2 → VCF 9.0 (direct) · VCF 4.x must go to 5.2 first |
| Converge from vSphere | Existing vCenter → VCF Management Domain |
| Air-gap support | Offline depot via UMDS |
VCF 9.0 is the architectural shift — redesigned management plane, Fleet Manager, VCF Operations as primary UI.

VCF 9.1 is the optimization layer — NVMe Memory Tiering, vSAN ESA Deduplication, Kubernetes simplification, enhanced security for containers.

VCF 9 Architecture & Components

📦 Bill of Materials (BOM) — VCF 9.x Components
Core Infrastructure: ESXi 9.x · vCenter Server 9.x · vSAN ESA 9.x · NSX 9.x
Operations Suite: VCF Operations · Fleet Manager · Identity Broker · Ops for Logs · Ops for Networks
Automation & Dev: VCF Automation · Tanzu Platform · Argo CD (native) · VCF AI Services
Management: SDDC Manager 9 · VCF Installer OVA · Keyfactor (certs) · Native Object Store
SDDC Manager 9 remains as a component within VCF 9 for core domain operations but is no longer the primary lifecycle UI. SDDC Manager will be deprecated in a future release. Fleet Manager (part of VCF Operations) is now the authoritative lifecycle engine.
📐 Platform Scale Limits — VCF 9
| Limit | VCF 9 |
|---|---|
| VCF instances per Fleet | Multiple — Fleet Manager manages N instances |
| Hosts per cluster | 96 (vSphere limit) |
| VMs per cluster | 8,000 |
| Max vCPUs per VM | 768 vCPUs (HW version 21) |
| Max RAM per VM | 24 TB |
| vSAN ESA disks/host | Up to 64 NVMe disks per host |
| NSX manager nodes | 3 (HA) or 1 (Simple deployment) |
| VCF Ops nodes (HA) | 3 appliances (HA) or 1 (Simple) |
| Tanzu namespaces | Hundreds per cluster |
| Tenants (VCF 9.1) | Hundreds of isolated tenants on shared infrastructure |
🏗️ Deployment Models — Simple vs HA
Simple Deployment — single-node VCF Operations, single NSX Manager, single Fleet Manager. For lab, dev/test, or small environments where redundancy is not required. 1x NSX Manager · 1x VCF Ops node · 1x Fleet Manager
HA Deployment (Production) — When deployed using the High Availability model, a minimum of 13 appliances are deployed, comprising 3x NSX Manager nodes, 3x VCF Operations nodes and 3x VCF Automation nodes. 3x NSX Mgr · 3x VCF Ops · 3x VCF Automation + Fleet + Identity
Converge from vSphere — The VCF Installer also contains inbuilt workflows to converge (re-use) an existing vCenter deployment into a VCF management cluster. Supports vSAN and external storage. Existing vCenter 8 + NSX 4.2 can be converted to VCF 9
Evaluation Mode — VCF is fully functional while the deployment is running in evaluation mode. The VCF 9 instance must be licensed within the first 90 days. All features work — no artificial restrictions during the 90-day eval

Deployment — VCF Installer & Initial Setup

⚡ VCF 9 Deployment Prerequisites
| Prerequisite | Requirement |
|---|---|
| Minimum management hosts | 4 ESXi hosts for Management Domain |
| ESXi RAM per host (mgmt) | 384 GB recommended (HA deployment) |
| Storage (management) | vSAN ESA (NVMe) or external SAN/NAS |
| Management network | 10GbE minimum · 25GbE recommended |
| vSAN network | 25GbE dedicated VMkernel |
| DNS | Forward + reverse DNS for all appliances |
| NTP | All hosts must sync to same NTP source (±1 sec) |
| Licenses | VCF license file — applied via VCF Operations post-deploy |
| Installer OVA | Deploy VCF Installer into existing vCenter · Internet or offline depot |
| FIPS compliance | Enable on vCenter before SDDC Manager install if FIPS required |
🚀 Greenfield Deployment Flow
1. Prepare Infrastructure
Rack hosts, configure iDRAC/BMC, configure ToR switches, set up NTP/DNS. Ensure 25GbE connectivity for management + vSAN VMkernels. Install ESXi on all hosts.
2. Deploy VCF Installer OVA
Download VCF-Installer-9.x.ova from Broadcom portal. Deploy to a temporary vCenter or directly to an ESXi host. This is the bootstrap appliance.
3. Configure Deployment JSON / UI Wizard
Access VCF Installer UI on port 443. Fill deployment parameters: network config, host credentials, domain names, SDDC Manager password, NSX topology. Download and validate config JSON.
4. Run Precheck & Deploy
VCF Installer runs a comprehensive precheck: DNS, NTP, host connectivity, ESXi version. Fix any failures. Start deployment — takes 2–4 hours for full Management Domain.
5. Configure VCF Operations & Fleet
After deployment, access VCF Operations portal. Configure Fleet Manager. Deploy VCF Automation cluster. Apply licenses via VCF Operations → License Management.
6. Add Workload Domains
From VCF Operations / SDDC Manager, create Workload Domains for production VMs. Commission hosts into workload domains. Configure NSX segments and storage policies.
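As an added example (not the VCF Installer's own precheck code), the script below models the two prerequisite rows that step 4's precheck most often fails on: forward and reverse DNS must agree for every appliance, and all hosts must track one NTP source within ±1 second. The FQDNs, addresses and NTP readings are constructed, and the lookup functions are injected so it runs offline.

```python
"""DNS and NTP precheck for VCF 9 appliances and hosts.

Added example, not the VCF Installer's precheck. Lookups are injected callables so the
check runs offline against constructed data; see the usage note for live lookups.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MAX_NTP_SKEW_SECONDS = 1.0  # page: all hosts must sync to the same NTP source (+/-1 sec)


@dataclass
class Finding:
    severity: str  # "FAIL" blocks deployment
    target: str
    message: str


@dataclass
class PrecheckReport:
    findings: List[Finding] = field(default_factory=list)

    def fails(self) -> List[Finding]:
        return [f for f in self.findings if f.severity == "FAIL"]

    def passed(self) -> bool:
        return not self.fails()


def check_dns(fqdns: List[str], forward: Callable[[str], Optional[str]],
              reverse: Callable[[str], Optional[str]]) -> List[Finding]:
    """Forward (A) lookup must exist and the PTR for that address must name the same FQDN."""
    findings = []
    for fqdn in fqdns:
        ip = forward(fqdn)
        if ip is None:
            findings.append(Finding("FAIL", fqdn, "no forward (A) record"))
            continue
        ptr = reverse(ip)
        if ptr is None:
            findings.append(Finding("FAIL", fqdn, f"no reverse (PTR) record for {ip}"))
        elif ptr.lower().rstrip(".") != fqdn.lower().rstrip("."):
            findings.append(Finding("FAIL", fqdn, f"PTR for {ip} is {ptr}, expected {fqdn}"))
    return findings


def check_ntp(hosts: List[str],
              ntp_status: Callable[[str], Optional[Tuple[str, float]]]) -> List[Finding]:
    """ntp_status(host) -> (ntp_server, offset_seconds), or None when unsynchronised."""
    findings = []
    hosts_by_server: Dict[str, List[str]] = {}
    for host in hosts:
        status = ntp_status(host)
        if status is None:
            findings.append(Finding("FAIL", host, "not synchronised to any NTP source"))
            continue
        server, offset = status
        hosts_by_server.setdefault(server, []).append(host)
        if abs(offset) > MAX_NTP_SKEW_SECONDS:
            findings.append(Finding("FAIL", host,
                                    f"clock offset {offset:+.2f}s exceeds +/-{MAX_NTP_SKEW_SECONDS:g}s"))
    if len(hosts_by_server) > 1:  # all hosts must use the same source, not merely be in sync
        detail = "; ".join(f"{srv}: {', '.join(h)}" for srv, h in sorted(hosts_by_server.items()))
        findings.append(Finding("FAIL", "ntp", f"hosts use different NTP sources ({detail})"))
    return findings


def run_precheck(appliance_fqdns, hosts, forward, reverse, ntp_status) -> PrecheckReport:
    report = PrecheckReport()
    report.findings.extend(check_dns(appliance_fqdns, forward, reverse))
    report.findings.extend(check_ntp(hosts, ntp_status))
    return report


# Constructed sample environment (not real infrastructure): one stale PTR record,
# one host drifting 3 s, and one host pointed at a different NTP server.
SAMPLE_FORWARD = {"sddc-mgr.lab.example": "10.0.0.10",
                  "vcf-ops.lab.example": "10.0.0.11",
                  "nsx-mgr.lab.example": "10.0.0.12"}
SAMPLE_REVERSE = {"10.0.0.10": "sddc-mgr.lab.example",
                  "10.0.0.11": "vcf-ops.lab.example",
                  "10.0.0.12": "old-nsx.lab.example"}
SAMPLE_NTP = {"esx01.lab.example": ("ntp.lab.example", 0.02),
              "esx02.lab.example": ("ntp.lab.example", -0.40),
              "esx03.lab.example": ("ntp.lab.example", 3.10),
              "esx04.lab.example": ("pool.ntp.org", 0.10)}


def sample_report() -> PrecheckReport:
    return run_precheck(list(SAMPLE_FORWARD), list(SAMPLE_NTP),
                        SAMPLE_FORWARD.get, SAMPLE_REVERSE.get, SAMPLE_NTP.get)


if __name__ == "__main__":
    for f in sample_report().findings:
        print(f"{f.severity} {f.target}: {f.message}")
```

For a live run, pass socket.gethostbyname and socket.gethostbyaddr (wrapped to return None on lookup errors) as the resolvers, and a function that reports each host's configured NTP server and measured offset.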
🔄 Converging Existing vSphere to VCF 9
1. Verify compatibility
Source must be vCenter 8.x + NSX 4.2+. All hosts must run a compatible ESXi version. Supported configurations: vSAN or external storage.
2. Deploy VCF Installer into existing vCenter
Install the VCF Installer on the target vCenter. The VCF Installer is deployed into the same cluster that hosts the existing vCenter Server appliance.
3. Run convergence wizard
Select "Convert existing vSphere" in VCF Installer. The wizard discovers vCenter, NSX, and existing clusters. Configure Management Domain parameters.
4. Validate & import
Once converged, the environment becomes a fully functioning VCF instance that can be managed, scaled, and lifecycle-managed as VCF.
⚠ NSX node count during convergence: Converge via VCF Installer UI defaults to 3-node NSX. You can override that behavior by using JSON if single-node NSX is needed (e.g., lab environments without HA).
Import VI Workload Domains: Existing vCenter environments with NSX installed can be imported as Workload Domains. This lets you onboard existing production clusters without rebuilding.
Online or offline depot: VCF Installer supports both internet-connected (downloads from Broadcom) and air-gapped (UMDS offline depot) deployments. Configure depot URL before precheck.

Fleet Manager — The New Control Plane

⚡ Fleet Manager Capabilities
Lifecycle Authority — In VCF 9.x, lifecycle is a core platform capability. ESXi, vCenter, NSX, and management components are upgraded as part of validated workflows, with dependency awareness built in. Fleet Management → Lifecycle → orchestrates everything
Multi-Instance Management — Fleet Manager manages multiple VCF instances from a single pane of glass. Each VCF instance (Management Domain + associated Workload Domains) is a managed entity. Fleet Management → VCF Instances → select any registered instance
Binary Management — Three places to initiate binary downloads: VCF Management components (Ops, Automation, Logs, Network), VCF Instances core components (SDDC Manager, vCenter, NSX), and ESXi components (via UMDS depot). Fleet Management → Lifecycle → Binary Management
Drift Detection & Config Compliance — continuously checks management component health, version drift, and configuration compliance. Triggers pre-checks before any upgrade. VCF Operations Diagnostics → findings every 4 hours
Pre-Upgrade Validation — SDDC Manager 9.0 includes a pre-check to validate the VCF Operations version before upgrading BOM components (NSX, vCenter, ESXi) through SDDC Manager. Upgrade VCF Operations first, then core components
🗺️ Fleet Manager Navigation
| Task | Location |
|---|---|
| Fleet Manager URL | https://vcf-ops-fqdn — VCF Operations portal |
| VCF Instances view | Fleet Management → VCF Instances → lists all managed VCF deployments |
| Download BOM upgrades | Fleet Management → Lifecycle → VCF Instances → (select) → Binary Management |
| Download mgmt upgrades | Fleet Management → Lifecycle → VCF Management → Binary Management → Upgrade Binaries |
| Apply Fleet Mgr patch | Settings → System Patches → New Patch (after snapshot of Fleet VM) |
| Upgrade order | Fleet Manager → VCF Ops → Logs → Networks → Automation → SDDC Mgr → NSX → vCenter → ESXi |
| Health dashboard | VCF Operations → Health → Overview (all component status) |
| License management | VCF Operations → License Management → apply VCF license file |
Fleet Manager is the VCF 9 equivalent of Aria Suite Lifecycle Manager (ASLCM) from VCF 5.x. If upgrading from 5.x, ASLCM is still used to upgrade Aria components to VCF 9-compatible versions, then Fleet Manager takes over ownership.

Management & Workload Domains

Management Domain
Hosts all VCF control-plane VMs: SDDC Manager, VCF Operations cluster, NSX Manager cluster, VCF Automation, VCF Identity Broker, vCenter Server. Highly available — uses vSAN ESA or external storage.
Min 4 hosts (HA) · Dedicated infrastructure
Workload Domains — VI Workload
Isolated vSphere clusters for production workloads. Each domain has its own vCenter Server instance and NSX configuration (or shares NSX with management). Dedicated hosts. Add/remove via SDDC Manager or Fleet Manager. Multiple per VCF instance. Each domain maps to a separate administrative boundary — different teams, SLAs, or business units.
Min 3 hosts · Can use shared or dedicated NSX · vSAN or external storage
➕ Adding a Workload Domain
1. Commission hosts into free pool
SDDC Manager → Inventory → Hosts → Commission. Enter host FQDN, credentials. Precheck runs — validates network, storage, ESXi version compatibility with BOM.
2. Create Workload Domain
SDDC Manager → Workload Domains → + Add Domain. Select domain type (VI), provide vCenter FQDN, NSX choice (new or shared), select commissioned hosts.
3. Configure network & storage
Select NSX transport zone, overlay network, vSAN storage policy (or external datastore). Configure vDS and port groups for the domain.
4. Deploy & validate
SDDC Manager deploys domain vCenter and configures NSX segments. Monitor under Lifecycle Management → Tasks. Validation run confirms domain health.
📊 Domain Configuration Reference
| Setting | Detail |
|---|---|
| Domain types | VI Workload · Tanzu Workload · Management |
| vCenter per domain | 1 dedicated vCenter per workload domain |
| NSX sharing | Share NSX with mgmt domain or deploy dedicated NSX per domain |
| Stretch cluster | Supported — requires vSAN stretched cluster + witness |
| Host min per domain | 3 hosts (vSAN) · 1 host (external storage) |
| Delete domain | Must remove all VMs first — decommissions hosts back to free pool |
| EVC mode | Set at cluster creation — affects vMotion compatibility |
| BOM consistency | All domains in same VCF instance share the same BOM version |

NSX Software-Defined Networking

🌐 NSX in VCF 9 — Architecture
Transport Zones — logical boundary for overlay networking. Overlay (GENEVE encapsulation, host-to-host tunnels) and VLAN-backed. VCF creates default transport zones during deployment. Overlay TZ for VM-to-VM east-west · VLAN TZ for uplinks + physical
Segments — NSX equivalent of port groups. Overlay segments stretch across all transport nodes — no VLAN dependency. Connect VMs to segments for SDN connectivity. NSX Manager → Networking → Segments → + Add Segment
Tier-0 Gateway — connects overlay to physical network. Runs BGP/OSPF to ToR switches for dynamic routing. Active-Active or Active-Standby HA modes. Hosted on NSX Edge nodes. T0 peers with physical ToR via BGP — advertises overlay prefixes
Tier-1 Gateway — tenant-level routing gateway. Connected uplink to T0. Provides SNAT, DNAT, load balancing, and firewall for workloads on attached segments. 1 T1 per tenant or application zone recommended
Distributed Firewall (DFW) — stateful micro-segmentation at the vNIC level. Policies enforced at the hypervisor kernel — traffic never leaves the host for east-west inspection. NSX Manager → Security → Distributed Firewall → Policies
NSX IDS/IPS — distributed intrusion detection and prevention. Signature-based + anomaly detection per VM workload. No appliance bottleneck — scales with host count. Security → IDS/IPS → Enable per cluster and configure signature set
🔧 NSX Edge Cluster
NSX Edge Nodes — VM or bare-metal appliances that provide North-South routing (T0), load balancing, VPN, and NAT. Deployed in clusters of 2+ for HA. VM form factor: Small (2vCPU/4GB) → XL (44vCPU/64GB)
Bare-Metal Edge — physical Edge nodes for high-throughput scenarios (10Gbps+ NAT, high-volume load balancing). Required for some carrier-grade and AI/HPC workloads. Bare-metal Edge requires dedicated physical server — not a VM
BGP Configuration — T0 Gateway peers with ToR switches via BGP. VCF Networking automates Edge uplink configuration. Configure AS numbers and peer addresses. NSX Manager → Networking → Tier-0 Gateways → BGP → Add BGP Neighbor

| Setting | Detail |
|---|---|
| Edge deployment | SDDC Manager → Network Settings → Add NSX Edge Cluster |
| Min edge nodes HA | 2 nodes (active-standby) — place on different hosts |
| ECMP (active-active) | Up to 8 Edge nodes for ECMP load sharing on T0 |

vSAN ESA & Storage in VCF 9

💾 vSAN Express Storage Architecture (ESA)
NVMe-Only Design — single-tier, no cache/capacity split. All disks are NVMe. Up to 64 NVMe disks per host. Higher performance and simpler capacity management than OSA disk groups. Eliminates disk group concept — all NVMe contributes to one pool
vSAN Global Deduplication (VCF 9.1) — vSAN global deduplication and enhanced compression will reduce storage TCO by up to 39%. Dedup works across entire cluster — not per disk group. VCF 9.1: simultaneous encryption + dedup now supported
NVMe Memory Tiering (VCF 9.1 Enhanced) — NVMe memory tiering was introduced in VCF 9.0, where enabling it required a host reboot. VCF 9.1 introduces a unified memory model where hot data remains in DRAM and colder pages are offloaded to NVMe, increasing effective memory capacity without impacting application behavior. VCF 9.1: no reboot required to enable · software mirroring added
Storage Policy-Based Management (SPBM) — define FTT, RAID level, compression, dedup, encryption per workload via storage policies. Assign at VM provisioning time. FTT=1 RAID-1: 3 hosts min · FTT=1 RAID-5: 4 hosts · FTT=2 RAID-6: 6 hosts
Stretched Cluster — synchronous replication across two sites. Witness appliance at third site for quorum. RPO=0 for site failures. Configure via SDDC Manager stretch workflow. Max 15ms RTT between sites · Witness can be a very small VM
📊 vSAN ESA vs OSA Comparison
| Feature | vSAN OSA (Legacy) | vSAN ESA (VCF 9) |
|---|---|---|
| Disk type | SSD cache + HDD/SSD cap | NVMe only |
| Disk groups | Required (1 cache + N cap) | None — flat pool |
| Max disks/host | 35 | 64 NVMe |
| Deduplication | Per disk group | Global (cluster-wide) |
| Encryption + Dedup | Mutually exclusive | Simultaneous (VCF 9.1) |
| Memory tiering | Not supported | NVMe memory tiering |
| RAID-5/6 | Yes (FTT=1/2) | Yes + improved performance |
| TCO benefit | Baseline | Up to 42% server cost reduction |
🗄️ External Storage Support
| Protocol | Support |
|---|---|
| NFS 4.1 | Supported for all workload types · Session trunking for multipath |
| iSCSI | Block storage via software iSCSI initiator |
| Fibre Channel | VMFS 6 datastores on FC LUNs |
| NVMe-oF (TCP/FC) | Supported in vSphere 9 / VCF 9 |
| vVols | Per-VM policy via VASA provider on array |
| Mixed storage | Mgmt domain on vSAN + workload domain on external = supported |
🪣 Native Object Storage — VCF 9.1 Tech Preview
S3-Compatible Object Storage — Native Object Storage (tech preview in VCF 9.1) brings S3-compatible storage natively into the platform. No external object storage appliance required. Eliminates need for MinIO or external S3 for platform-native use cases
AI/ML Model Storage — object storage enables efficient storage and retrieval of AI model weights, training datasets, and inference artifacts directly within the VCF platform. Integrates with VCF Private AI Services stack
⚠ Tech Preview status in VCF 9.1: Native Object Storage is not yet GA. Do not use for production workloads without understanding preview support limitations. Expected to GA in a future VCF 9.x minor release.
Tanzu Marketplace integration also arrives in VCF 9.1 — provides a curated path to certified middleware, including databases and middleware for AI/ML workloads, deployable directly from the platform catalog.

VCF Automation, Tanzu & Kubernetes

🤖 VCF Automation
Unified Developer Portal — Developers hit one endpoint for IaC — Terraform providers, REST APIs, or VCF Automation blueprints — without the need to juggle add-ons. Replaces Aria Automation — same engine, renamed and integrated
Blueprints / Infrastructure Templates — define VM, container, and multi-tier application topologies in YAML or GUI canvas. Parameterized for environment-specific deployments. VCF Automation → Design → Cloud Templates
Terraform Provider — full Terraform provider for VCF automation. Manage VMs, networks, storage policies, and Tanzu namespaces via IaC. State managed externally. registry.terraform.io/providers/vmware/vcf
Ansible Integration — VMware Ansible Collection for VCF 9. Playbooks can deploy VMs, configure NSX segments, manage VCF lifecycle operations. galaxy.ansible.com/vmware/vcf
Service Catalog & ITSM — self-service catalog for end users. Integrates with ServiceNow for approval workflows. IT governance without manual provisioning tickets. VCF Automation → Consume → Catalog
☸️ Tanzu Platform — Kubernetes in VCF 9
Supervisor Cluster — vSphere cluster with Kubernetes control plane embedded. Enabled via vSphere with Tanzu feature toggle in VCF workload domain. Provides namespace isolation. Supervisor runs on the ESXi hosts via the VMkernel — no separate infra
Tanzu Kubernetes Grid (TKG) — managed Kubernetes clusters deployed from the Supervisor. Use TKC (Tanzu Kubernetes Cluster) YAMLs to provision conformant K8s clusters in minutes. kubectl get tkc -n namespace — list all TKG clusters
Native Argo CD Integration — Integrated Argo CD and native CI/CD hooks push container code from repo to production with no external scaffolding. GitOps-native delivery pipeline. No separate Argo CD install needed — embedded in VCF Automation
VMs and Containers Side-by-Side — Run bare-metal-fast VMs and fully-managed Kubernetes side-by-side. Shared compute pool, shared NSX networking, shared vSAN storage — unified resource management. VMs and pods share the same vSphere cluster and storage policies
Simplified K8s for Traditional Ops Teams (VCF 9.1) — VCF 9.1 reduces Kubernetes operational complexity. Cluster lifecycle (upgrade, scale) managed via VCF Automation blueprints, not raw kubectl. One-click cluster upgrades via VCF Automation catalog items

AI & GPU Workload Support

🧠 VCF Private AI Services
GPU Passthrough & vGPU — NVIDIA vGPU with time-slicing and MIG (Multi-Instance GPU) support. Share a single physical GPU across multiple VMs or dedicate for high-performance inference. NVIDIA vGPU drivers + vSphere host config — no separate installer
VCF AI Services Stack — integrated inference serving, model management, and AI pipeline orchestration. Integrates with NVIDIA NIM microservices for enterprise LLM deployment. VCF Automation → VCF AI Services → deploy inference endpoint
MLPerf Validation — VCF 9.0 validated with MLPerf Inference v5 Benchmark results (April 2025), establishing private cloud performance benchmarks for production AI inference workloads. Validated on NVIDIA H100 / H200 GPU configurations
Sovereign AI — Data-residency tags, geo-fencing policies, and automated certificate rotation can now be a part of every cluster spec. Enforce data sovereignty for regulated AI workloads. Critical for financial services, healthcare, and government AI use cases
⚡ NVMe Memory Tiering — VCF 9.1
Hot/Cold Memory Tiering — Enhanced NVMe Memory Tiering introduces a unified memory model where hot data remains in DRAM and colder pages are offloaded to NVMe, increasing effective memory capacity without impacting application behavior. Transparent to guest OS — no application changes required
Cost Reduction — Features like Enhanced NVMe Memory Tiering and vSAN ESA Deduplication can reduce server costs by up to 42% and lower storage TCO by up to 39%. Key TCO driver — run more AI workloads on same hardware
No Reboot (VCF 9.1) — NVMe memory tiering was introduced in VCF 9.0 and it required a reboot to enable. VCF 9.1 eliminates the reboot requirement. Enable on running hosts without maintenance window. Also adds native software mirroring for NVMe memory tier

| Item | Detail |
|---|---|
| Supported NVMe tiers | Intel Optane PMem (where available) · Standard NVMe SSDs |
| Memory expansion ratio | Up to 4:1 effective memory expansion (workload dependent) |
| Ideal workloads | LLM inference · large in-memory databases · analytics |

Lifecycle Management & Upgrades

🔄 VCF 9 Upgrade Sequence
1. Snapshot Fleet Manager VM
Always take a VM snapshot of the Fleet Manager appliance before applying any patches. This is your rollback point.
2. Upgrade Fleet Manager
Browse to Lifecycle / VCF Management / Binary Management. Select Fleet Management and download. Apply patch via Settings / System Patches → New Patch. Fleet Manager must be upgraded first.
3. Upgrade VCF Management components
In order: VCF Operations → VCF Ops for Logs → VCF Ops for Networks → VCF Automation → VCF Identity Broker. Download binaries from Fleet Management → Lifecycle → VCF Management.
4. Upgrade SDDC Manager
Browse to Fleet Management → Lifecycle → VCF Instances → (select instance) → Binary Management. Download SDDC Manager bundle. Run upgrade via SDDC Manager Client → Lifecycle Management.
5. Upgrade NSX → vCenter → ESXi
The upgrade workflow is similar to previous versions of VCF: NSX → vCenter → ESXi in that order. Each component downloaded from SDDC Manager Binary Management and scheduled via SDDC Manager.
6. Validate & repeat for workload domains
After management domain upgrade completes, run compliance check. Repeat NSX → vCenter → ESXi upgrade sequence for each workload domain. All domains must reach same BOM version.
📦 Software Depot Configuration
Online Depot — Fleet Manager downloads bundles directly from Broadcom depot. Requires internet access from Fleet Manager appliance. Simplest configuration. Broadcom portal credentials required in Fleet Manager settings
UMDS Offline Depot — For ESXi upgrade binaries, SDDC Manager connects to VCF Offline Depot at the configured URL. ESXi components are sourced from UMDS depot. https://flt-depot.domain.com/umds-patch-store — configure in settings
Component-Level Patching — You can pick and choose which components to apply based on the impact on your environment. If you run into a critical issue with vCenter, you do not need to apply a patch to ESX that is irrelevant. Maintenance releases have BOM updates but are narrowly scoped
⚠️ Upgrade Gotchas
BOM version consistency — When creating a new workload domain with shared NSX, if NSX and vCenter are at 9.0.1 while ESX is at 9.0.0, SDDC Manager fails the compatibility check. All components in a domain must reach same patch level. Upgrade ESX in source domain before sharing NSX to new domains
VCF Operations pre-check — The pre-check will fail if VCF Operations version is below 9.0.0.0. Always upgrade VCF Operations before core BOM components. SDDC Manager will block NSX/vCenter/ESXi upgrade if Ops version is behind
VCF 4.x → 9.0 requires interim step — If currently running VCF 4.x, the environment will first need to be upgraded to VCF 5.2 before upgrading to 9.0. 4.x → 5.2 → 9.0 — two major upgrade steps required
Aria components must go first — Before VCF core components can be upgraded, any existing Aria Automation and Aria Operations components must be upgraded to compatible versions. ASLCM still handles Aria upgrades for 5.x → 9.0 migration path

VCF 9 Security & Compliance

🛡️ Platform Security Features
VCF Identity Broker — centralized identity and SSO for all VCF components. Integrates with external IdPs: Active Directory, LDAP, SAML 2.0 (Azure AD / Entra, ADFS, Okta). VCF Ops → Identity Broker → configure directory integration
Automated Certificate Rotation — Automated certificate rotation can be a part of every cluster spec. VCF Operations manages certificate lifecycle across all managed components. Keyfactor integration for enterprise PKI — RACADM iDRAC cert automation
NSX Distributed Firewall + IDS/IPS — micro-segmentation at vNIC level. Zero-trust workload isolation without dedicated firewall appliances. Identity-based firewall policies. DFW policies survive vMotion — enforced at hypervisor, not perimeter
vSAN Encryption — data-at-rest encryption via external KMS (KMIP) or vSphere Native Key Provider. VCF 9.1: simultaneous encryption + deduplication for encrypted vSAN. vSAN ESA: enable encryption via storage policy — no reformat needed
VM Encryption + Encrypted vMotion — encrypt individual VMs independent of storage. Encrypted vMotion ensures VM data never flows unencrypted over vMotion network. VCF 9 enforces TLS 1.2+ on all management endpoints; TLS 1.3 default
ESXi Secure Boot + Lockdown Mode — enforce UEFI Secure Boot (prevents unsigned VIBs), enable Lockdown Mode Normal to block direct host access outside vCenter/Fleet management plane. Enforced via VCF Configuration Profiles — cluster-level policy
Geo-Fencing & Data Residency — Data-residency tags and geo-fencing policies ensure regulated workloads never leave a designated cluster, datacenter, or geographic boundary. Enforced via NSX policy + vSphere DRS affinity rules + tags
VCF Diagnostics (VCF 9.1) — property findings automatically generated every 4 hours, log-based findings include VMSA security advisory rules. Proactive vulnerability awareness without manual scanning. VCF Operations → Diagnostics → Findings — shows VMSA CVE exposure
🔐 RBAC & Access Control
| Component | Roles |
|---|---|
| VCF Operations roles | Administrator · Operator · Viewer (custom roles configurable) |
| SDDC Manager roles | Admin · Operator · Viewer · ServiceAccount |
| vCenter integration | VCF Operations SSO → vCenter RBAC unified |
| NSX roles | Enterprise Admin · Ops · Auditor · Security Admin |
| Multi-tenancy | NSX Projects — isolated tenant namespaces with dedicated resources |
| Tenant isolation (9.1) | Core tenancy improvements support hundreds of isolated tenants on shared infrastructure |
⛔ Never use the VCF Operations local admin account for day-to-day operations. Create named accounts via Identity Broker → AD/LDAP integration. Local admin is break-glass only.
📋 Security Hardening Checklist
Enable Lockdown Mode (Normal) on all ESXi hosts via Configuration Profiles
Integrate Identity Broker with Active Directory — no local VCF accounts for users
Replace default self-signed TLS certs on VCF Operations, SDDC Manager, vCenter, NSX
Enable vSAN encryption with KMS or vSphere Native Key Provider
Configure NSX DFW default-deny policy per tenant/environment
Forward all VCF component syslogs to SIEM (VCF Ops for Logs → syslog forwarding)
Monitor VCF Diagnostics findings — VMSA rules alert on CVE exposure every 4 hours
Apply Broadcom Security Advisories within 72 hours for Critical severity VMSAs

VCF 9 API & Automation

🔌 API Architecture
Unified API Surface — All automation tools are now dictated by these API contracts to deliver a simple, consistent, and extensible developer experience when working with VCF. Single API endpoint — no per-product API juggling
REST API (Primary) — VCF Operations exposes a full REST API for all lifecycle, configuration, and monitoring operations. JSON request/response. Token authentication. https://vcf-ops-fqdn/api — Swagger UI at /api/swagger-ui.html
PowerCLI for VCF — All SDKs and tools including PowerCLI are delivered through the secure Broadcom Developer Portal. Install via Install-Module VMware.PowerCLI -Scope CurrentUser

| API | Endpoint |
|---|---|
| SDDC Manager API | https://sddc-mgr-fqdn/v1/ — domain, host, cluster management |
| NSX API | https://nsx-mgr/api/v1/ — full SDN management |
| vCenter REST API | https://vcenter/api/ — VM, compute, storage management |
🔧 PowerCLI — VCF 9 Common Operations
VCF Operations & Fleet
```powershell
# Connect to VCF Operations (prompts for credentials rather than embedding them)
Connect-VCFService -Server vcf-ops.domain.com -Credential (Get-Credential)

# List all VCF instances in Fleet
Get-VCFInstance

# List all workload domains
Get-VCFWorkloadDomain

# Commission hosts for a new domain ($hostSpec is a commission spec built beforehand)
Add-VCFCommissionedHost -CommissionHostSpec $hostSpec

# Create workload domain ($domainSpec is a domain spec built beforehand)
New-VCFWorkloadDomain -WorkloadDomainSpec $domainSpec

# Get BOM component versions
Get-VCFManager | Select-Object version, build

# List upgradeable bundles
Get-VCFBundle -BundleType PATCH
```
🔗 REST API Examples
SDDC Manager API — PowerShell
```powershell
# Authenticate to SDDC Manager. Prompt for the password instead of embedding it in the script.
$cred = Get-Credential -UserName "administrator@vsphere.local" -Message "SDDC Manager"
$body = @{ username = $cred.UserName; password = $cred.GetNetworkCredential().Password } | ConvertTo-Json

# -SkipCertificateCheck (PowerShell 7+) is only needed while the default self-signed
# certificate is in place; drop it once SDDC Manager carries a trusted certificate.
$auth = Invoke-RestMethod -Method Post -Uri "https://sddc-mgr/v1/tokens" `
    -Body $body -ContentType "application/json" -SkipCertificateCheck
$headers = @{ Authorization = "Bearer $($auth.accessToken)" }

# Get all workload domains
Invoke-RestMethod -Uri "https://sddc-mgr/v1/domains" -Headers $headers -SkipCertificateCheck

# Get cluster inventory
Invoke-RestMethod -Uri "https://sddc-mgr/v1/clusters" -Headers $headers -SkipCertificateCheck

# Deploy VCF Operations component (API); $componentSpec holds the JSON deployment spec
Invoke-RestMethod -Method Post -Uri "https://sddc-mgr/v1/vcf-management-components" `
    -Headers $headers -Body $componentSpec -ContentType "application/json" -SkipCertificateCheck
```
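The same token exchange as a small standard-library client, added here as an example that is not code from the page, from Broadcom or from PowerVCF: it posts credentials to /v1/tokens, sends the access token as a Bearer header on /v1/domains, keeps TLS verification on, and re-authenticates once on HTTP 401. The transport is injectable, so the constructed fake SDDC Manager at the bottom lets the flow run offline; the "elements" wrapper in its list response is an assumption about the API's list format.

```python
"""SDDC Manager REST client: token login and Bearer calls with TLS verification kept on.

Added example, not code from the page, from Broadcom or from PowerVCF. The transport
is injectable; FakeSddcManager below is a constructed offline stand-in, not a real API.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, url, headers, body) -> (http_status, response_body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    # Live transport. urllib verifies the server certificate by default; replace the
    # self-signed SDDC Manager certificate instead of turning verification off.
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class SddcManagerClient:
    def __init__(self, host: str, credentials: Callable[[], Tuple[str, str]],
                 transport: Transport = urllib_transport) -> None:
        self.base = f"https://{host}/v1"
        self.credentials = credentials      # called only when a token must be obtained
        self.transport = transport
        self.access_token: Optional[str] = None
        self.logins = 0

    def login(self) -> None:
        username, password = self.credentials()
        body = json.dumps({"username": username, "password": password}).encode()
        status, data = self.transport("POST", f"{self.base}/tokens",
                                      {"Content-Type": "application/json"}, body)
        if status != 200:
            raise PermissionError(f"POST /v1/tokens returned HTTP {status}")
        self.access_token = json.loads(data)["accessToken"]
        self.logins += 1

    def _get_raw(self, path: str) -> Tuple[int, bytes]:
        headers = {"Authorization": f"Bearer {self.access_token}", "Accept": "application/json"}
        return self.transport("GET", f"{self.base}{path}", headers, None)

    def get(self, path: str) -> dict:
        if self.access_token is None:
            self.login()
        status, data = self._get_raw(path)
        if status == 401:                   # token expired or revoked: log in once more
            self.login()
            status, data = self._get_raw(path)
        if status != 200:
            raise RuntimeError(f"GET {path} returned HTTP {status}")
        return json.loads(data)

    def list_domains(self) -> List[dict]:
        return self.get("/domains").get("elements", [])


class FakeSddcManager:
    """Constructed offline stand-in, not a real API. It rejects the first access token
    once with 401 so the client's re-authentication path is exercised."""

    def __init__(self) -> None:
        self.issued = 0
        self.rejected_once = False

    def __call__(self, method, url, headers, body):
        if method == "POST" and url.endswith("/v1/tokens"):
            expected = {"username": "administrator@vsphere.local", "password": "constructed-pw"}
            if json.loads(body) != expected:
                return 401, b'{"message":"bad credentials"}'
            self.issued += 1
            return 200, json.dumps({"accessToken": f"tok{self.issued}"}).encode()
        auth = headers.get("Authorization", "")
        if auth == "Bearer tok1" and not self.rejected_once:
            self.rejected_once = True
            return 401, b'{"message":"token expired"}'
        if not auth.startswith("Bearer tok"):
            return 401, b"{}"
        if not url.endswith("/v1/domains"):
            return 404, b"{}"
        domains = [{"name": "mgmt-01", "type": "MANAGEMENT"}, {"name": "prod-wld-01", "type": "VI"}]
        return 200, json.dumps({"elements": domains}).encode()


def demo() -> Tuple[List[str], int]:
    client = SddcManagerClient("sddc-mgr.lab.example",
                               lambda: ("administrator@vsphere.local", "constructed-pw"),
                               transport=FakeSddcManager())
    names = [d["name"] for d in client.list_domains()]
    return names, client.logins    # (['mgmt-01', 'prod-wld-01'], 2)
```

demo() runs the exchange against the fake; for a live system pass a credential callback (for example a getpass prompt) and leave the transport at its default.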
🏗️ Terraform & Ansible
Terraform — deploy VCF workload domain
```hcl
terraform {
  required_providers {
    vcf = {
      source  = "vmware/vcf"
      version = "~> 9.0"   # pin to the provider release you have validated
    }
  }
}

variable "sddc_password" {
  type      = string
  sensitive = true         # supply via TF_VAR_sddc_password, never commit it
}

provider "vcf" {
  sddc_manager_host     = "sddc-mgr.domain.com"
  sddc_manager_username = "administrator@vsphere.local"
  sddc_manager_password = var.sddc_password
  allow_unverified_tls  = false   # keep TLS verification on
}

# The vmware/vcf provider's domain resource type is vcf_domain; the nested
# configuration sections are blocks, not map attributes.
resource "vcf_domain" "prod_wld" {
  name = "prod-workload-01"
  vcenter_configuration { ... }
  nsx_configuration { ... }
  cluster { ... }
}
```
DIAG

Troubleshooting & Common Issues

🔧 Common Issues & Resolutions
SDDC Manager upgrade blocked — "VCF Operations version below 9.0" — SDDC Manager performs pre-check to validate VCF Operations version. If the Aria Operations plugin is in a failed state or version is not updated, update the plugin: Aria Operations UI → Administration → Integrations → Accounts → locate VCF account → Edit → Manage Integration → Enable toggle → Save. VCF Ops must be upgraded to 9.x before any BOM component upgrades
BOM version mismatch blocking new workload domain — When creating a new workload domain with shared NSX, if NSX and vCenter are at 9.0.1 while ESX is at 9.0.0, SDDC Manager fails the compatibility check. Workaround: upgrade ESX in the domain that provides the shared NSX to the corresponding version. All hosts in a domain must be at the same BOM patch level
VCF Automation deployment fails at "Stage 4: Deploy Appliance Cluster" — Error: "Not all ESXi Hosts in the cluster are connected to the datastore." Workaround: Deploy the appliances to a cluster where all ESXi hosts are connected to the target vSAN datastore. Ensure vSAN or all host paths to shared storage are healthy before deploying VCF Automation
SDDC Manager cannot download compatibility file in air-gapped env — In an environment without connectivity to the Internet, SDDC Manager cannot download the compatibility file from vvs.broadcom.com. Configure offline depot / UMDS and set the depot URL in SDDC Manager settings. Administration → Depot Settings → configure offline depot URL
NSX account expiry causing workflow failures — NSX accounts must have password expiry set to "9999" days. Setting empty expiry causes SDDC Manager workflow issues if an empty expiry time is returned from NSX. Set via NSX API or UI — never use empty/null expiry on SDDC-managed accounts
Fleet Manager upgrade not showing new binaries — Fleet Manager must be at the target version before it can see new component binaries. If binaries don't appear: verify internet connectivity (or UMDS), refresh the depot under Binary Management → Sync. Fleet Management → Lifecycle → VCF Management → Binary Management → Sync
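The NSX account-expiry item above is easy to drift on, because the failure shows up as an SDDC Manager workflow error rather than in NSX. The following is an added example, not code from the page or from Broadcom: a read-only compliance check that flags SDDC-managed NSX accounts whose password expiry is empty, null or anything other than 9999 days. It assumes the NSX Manager node-user endpoint `GET /api/v1/node/users` returns a `results` array whose entries carry a `password_change_frequency` field in days; those names are assumptions about the NSX API, and the sample response embedded here is constructed, not captured from a real system.

```python
"""Audit NSX Manager local accounts used by SDDC Manager for the required 9999-day expiry.
Added example; the endpoint shape and field names are assumptions about the NSX API."""
import json
from typing import Iterable

REQUIRED_EXPIRY_DAYS = 9999  # value the page requires for SDDC-managed NSX accounts

# Constructed sample shaped like a GET /api/v1/node/users response (assumed field names).
# Replace with a live response body when running against a real NSX Manager.
SAMPLE_NODE_USERS = json.dumps({
    "results": [
        {"userid": 0, "username": "root", "password_change_frequency": 90},
        {"userid": 10000, "username": "admin", "password_change_frequency": 9999},
        {"userid": 10002, "username": "audit", "password_change_frequency": None},
        {"userid": 10003, "username": "svc-sddc"},  # field absent entirely
    ]
})


def audit_nsx_accounts(response_text: str, managed_accounts: Iterable[str]) -> list[dict]:
    """Return one finding per SDDC-managed account whose expiry is missing, null or not 9999.

    Accounts not in managed_accounts are ignored: only the ones SDDC Manager drives matter here.
    """
    users = json.loads(response_text).get("results", [])
    managed = set(managed_accounts)
    findings = []
    for user in users:
        name = user.get("username")
        if name not in managed:
            continue
        expiry = user.get("password_change_frequency")
        if expiry is None:
            # Empty/null expiry is the case the page warns about: SDDC Manager workflows break
            findings.append({"username": name, "expiry": None,
                             "problem": "empty or null expiry returned by NSX"})
        elif expiry != REQUIRED_EXPIRY_DAYS:
            findings.append({"username": name, "expiry": expiry,
                             "problem": f"expiry is {expiry} days, expected {REQUIRED_EXPIRY_DAYS}"})
    return findings


if __name__ == "__main__":
    for finding in audit_nsx_accounts(SAMPLE_NODE_USERS, ["root", "admin", "audit", "svc-sddc"]):
        print(f"{finding['username']:<10} {finding['problem']}")
```

Run it against the node-user listing of every NSX Manager that SDDC Manager owns, and feed the findings into whatever alerting already watches the platform; remediation stays a deliberate change through the NSX UI or API as the page describes.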
📋 Key Log Locations & Diagnostics
SDDC Manager logs: /var/log/vmware/vcf/ and /var/log/vmware/vcf/sddc-manager/ on the SDDC Manager appliance (SSH)
VCF Operations logs: VCF Operations → Administration → Support Bundle → Generate
Fleet Manager logs: Settings → System Patches → Patch history & logs
NSX Manager logs: NSX Manager → System → Support Bundle
ESXi logs: /var/log/vmkernel.log · /var/log/hostd.log on the ESXi host (SSH)
VCF Diagnostics: VCF Operations → Diagnostics → Findings (refreshed every 4h)
Upgrade task logs: SDDC Manager → Lifecycle Management → Tasks → view log
SDDC Manager API — check task status
# List every task that is not Successful (in progress, pending or failed)
Invoke-RestMethod -Uri "https://sddc-mgr/v1/tasks" `
    -Headers $headers -SkipCertificateCheck |
    Select-Object -ExpandProperty elements |
    Where-Object {$_.status -ne "Successful"} |
    Select name, status, subStatus, creationTimestamp

# Get specific task details (replace {taskId} with an id from the list above)
Invoke-RestMethod -Uri "https://sddc-mgr/v1/tasks/{taskId}" `
    -Headers $headers -SkipCertificateCheck

# Check host commissioning status
Invoke-RestMethod -Uri "https://sddc-mgr/v1/hosts" `
    -Headers $headers -SkipCertificateCheck |
    Select-Object -ExpandProperty elements |
    Select hostName, status, validationStatus
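The PowerShell above, together with the SDDC Manager authentication snippet in the REST API section, shows the two halves of an automation loop: obtain a bearer token, then watch tasks until they finish. The following is an added example, not code from the page or from Broadcom, that puts both halves into one small Python client a pipeline can reuse. It keeps to the endpoints and fields the page shows (`POST /v1/tokens` returning `accessToken`, `GET /v1/tasks` returning `elements` with `status` and `subStatus`, `GET /v1/tasks/{taskId}`), verifies the appliance certificate against a CA bundle instead of skipping the check, and bounds the poll so a stuck task cannot hang a job. The hostname, the stub transport and its responses, and the set of terminal task states are assumptions made for the example.

```python
"""SDDC Manager REST workflow: token login, task listing, bounded task polling.
Added example; not code from the page or from Broadcom. Hostnames, stub data and
the terminal-state set are assumptions."""
import json
import ssl
import time
from typing import Callable, Optional
from urllib import error as urlerror, request as urlrequest

# A transport is (method, url, headers, body) -> (http_status, response_text).
# Injecting it lets the same client run against a real appliance or an offline stub.
Transport = Callable[[str, str, dict, Optional[bytes]], tuple[int, str]]

# Assumption: the page shows only "Successful"; a poller must also stop on the
# failure states, otherwise it loops until the timeout on every failed task.
TERMINAL_STATES = {"Successful", "Failed", "Cancelled"}


def https_transport(ca_bundle_path: str) -> Transport:
    """Real transport that checks the appliance certificate against a CA bundle,
    the production alternative to -SkipCertificateCheck."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)

    def send(method, url, headers, body):
        req = urlrequest.Request(url, data=body, method=method, headers=headers)
        try:
            with urlrequest.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, resp.read().decode()
        except urlerror.HTTPError as err:  # non-2xx: hand the status back to the client
            return err.code, err.read().decode()
    return send


class SddcManagerClient:
    def __init__(self, base_url: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.access_token: Optional[str] = None

    def _call(self, method: str, path: str, body=None, auth: bool = True):
        headers = {"Accept": "application/json", "Content-Type": "application/json"}
        if auth:
            if not self.access_token:
                raise RuntimeError("call login() first")
            headers["Authorization"] = f"Bearer {self.access_token}"
        data = json.dumps(body).encode() if body is not None else None
        status, text = self.transport(method, self.base_url + path, headers, data)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed: HTTP {status}")
        return json.loads(text) if text else None

    def login(self, username: str, password: str) -> str:
        # POST /v1/tokens with username/password; the bearer token comes back as accessToken
        resp = self._call("POST", "/v1/tokens", {"username": username, "password": password}, auth=False)
        self.access_token = resp["accessToken"]
        return self.access_token

    def tasks_needing_attention(self) -> list[dict]:
        # GET /v1/tasks returns {"elements": [...]}; keep everything that is not Successful
        resp = self._call("GET", "/v1/tasks")
        return [t for t in resp.get("elements", []) if t.get("status") != "Successful"]

    def wait_for_task(self, task_id: str, poll_seconds=10, timeout_seconds=600, sleep=time.sleep) -> dict:
        # GET /v1/tasks/{taskId} until a terminal state; bounded number of polls
        attempts = max(1, timeout_seconds // poll_seconds)
        task = {}
        for _ in range(attempts):
            task = self._call("GET", f"/v1/tasks/{task_id}")
            if task.get("status") in TERMINAL_STATES:
                return task
            sleep(poll_seconds)
        raise TimeoutError(f"task {task_id} still {task.get('status')!r} after {timeout_seconds}s")


def stub_transport() -> Transport:
    """Offline stand-in for an SDDC Manager; every response is constructed sample data."""
    polls = {"t2": 0}

    def send(method, url, headers, body):
        path = url.split("/v1", 1)[1]
        if method == "POST" and path == "/tokens":
            if json.loads(body).get("password") != "correct-horse-battery":
                return 401, json.dumps({"message": "Unauthorized"})
            return 200, json.dumps({"accessToken": "tok-abc123"})
        if headers.get("Authorization") != "Bearer tok-abc123":
            return 401, ""
        if path == "/tasks":
            return 200, json.dumps({"elements": [
                {"id": "t1", "name": "Commissioning hosts", "status": "Successful", "subStatus": None},
                {"id": "t2", "name": "Creating workload domain", "status": "In Progress", "subStatus": "Deploying NSX"},
                {"id": "t3", "name": "Upgrading ESXi", "status": "Failed", "subStatus": "Pre-check failed"},
            ]})
        if path == "/tasks/t2":
            polls["t2"] += 1  # the constructed task finishes on its third poll
            status = "In Progress" if polls["t2"] < 3 else "Successful"
            return 200, json.dumps({"id": "t2", "name": "Creating workload domain", "status": status})
        return 404, ""
    return send


def demo() -> dict:
    """Run the whole workflow against the stub and return what a pipeline would act on."""
    base = "https://sddc-mgr.example.internal"  # assumed hostname
    client = SddcManagerClient(base, stub_transport())
    client.login("administrator@vsphere.local", "correct-horse-battery")
    attention = client.tasks_needing_attention()
    finished = client.wait_for_task("t2", poll_seconds=5, timeout_seconds=60, sleep=lambda _s: None)
    try:
        SddcManagerClient(base, stub_transport()).login("administrator@vsphere.local", "wrong")
        bad_login_rejected = False
    except RuntimeError:
        bad_login_rejected = True
    return {"needs_attention": [(t["id"], t["status"], t["subStatus"]) for t in attention],
            "t2_final_status": finished["status"], "bad_login_rejected": bad_login_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real appliance, replace `stub_transport()` with `https_transport("/path/to/sddc-ca-bundle.pem")` and the client needs no other change; the token stays in memory only, and the poll loop raises rather than spinning when a task never reaches a terminal state.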
⚡ VCF 9 Quick Reference — Key Endpoints & Paths
Component | Access URL / Path | Purpose
VCF Operations | https://vcf-ops-fqdn | Primary management UI — Fleet, lifecycle, licensing, health
Fleet Manager | VCF Operations → Fleet Management | Multi-instance lifecycle, binary download, upgrade orchestration
SDDC Manager | https://sddc-mgr-fqdn | Domain lifecycle, host commissioning, cluster management
SDDC Manager API | https://sddc-mgr-fqdn/v1/ | REST API for all SDDC Manager operations
VCF Automation | https://vcf-auto-fqdn | Blueprints, catalog, service broker, Argo CD
NSX Manager | https://nsx-mgr-fqdn | Networking, DFW, Edge, T0/T1 gateways
vCenter Server | https://vcenter-fqdn | VM management, cluster config, vSAN management
VCF Ops for Logs | VCF Operations → Logs | Centralized log aggregation, search, alerting
Identity Broker | VCF Operations → Identity | SSO, IdP integration, certificate management
Upgrade Binaries | Fleet Mgmt → Lifecycle → VCF Management → Binary Mgmt | Download Ops, Automation, Logs, Networks upgrades
SDDC BOM Binaries | Fleet Mgmt → Lifecycle → VCF Instances → [instance] → Binary Mgmt | Download SDDC Mgr, NSX, vCenter bundles
ESXi Binaries | Fleet Mgmt → Lifecycle → VCF Instances → [instance] → Binary Mgmt → ESXi | Download ESXi upgrade images via UMDS
Swagger UI | https://sddc-mgr-fqdn/swagger-ui.html | Interactive API documentation for SDDC Manager
VCF Ops Swagger | https://vcf-ops-fqdn/api/swagger-ui.html | Fleet Manager / VCF Operations API docs