VMware Cloud Foundation 9.0.1 - VCF Operations Configuration Handbook

Overview

In VCF 9.0, VCF Operations (formerly VMware Aria Operations) is the central management console for the entire VCF platform. The SDDC Manager UI is deprecated and will be removed in a future release. VCF Operations is now the primary interface for fleet management, lifecycle management, licensing, monitoring, certificate management, password management, and Day 2 operations.

This handbook covers every post-deployment configuration step for VCF Operations after a successful VCF 9.0.1 bringup, organized into sequential phases.

Environment Reference

| Component | Address | | VCF Operations | 192.168.1.77 | | SDDC Manager | 192.168.1.125 | | vCenter Server | 192.168.1.69 (vcenter.lab.local) | | Offline Depot Server | 192.168.1.52:8443 | | ESXi Hosts | esxi01 (192.168.1.74), esxi02 (192.168.1.75), esxi03 (192.168.1.76), esxi04 (192.168.1.82) | | NSX Manager | Deployed during bringup | | Storage | vSAN across 4 hosts | | Mode | Air-gapped / Disconnected |

Phase 1: First Login and Initial Setup

1.1 Access VCF Operations

1. Open a browser and navigate to https://192.168.1.77
2. You will see the VCF Operations login page
3. Log in with the credentials configured during bringup:
   • Username: admin
   • Password: The password set during VCF Installer deployment
4. Upon first login, you land on the Fleet Management dashboard

1.2 What You See After Login

The left navigation pane displays the main sections:

• Fleet Management - Lifecycle management, depot configuration, component health
• Infrastructure Operations - Monitoring, dashboards, alerts, diagnostics
• Security & Compliance - Compliance benchmarks, drift detection
• License Management - Registration and license file management
• Administration - Integrations, accounts, access control, system settings

Note: If licensing has not been completed, some menu items may be grayed out. VCF Operations runs in evaluation mode for up to 90 days after deployment.

1.3 Initial Setup Wizard (Manual OVA Deployment Only)

If VCF Operations was deployed manually via OVA rather than through the VCF Installer, the initial setup wizard appears automatically on first access:

1. Click NEXT on the welcome page
2. Set Admin Password: Enter a new password for the admin user (minimum 8 characters, upper, lower, number, special character)
3. Select EXPRESS INSTALLATION to deploy a single-node configuration
4. Accept the EULA/license agreement
5. The wizard completes and brings you to the main VCF Operations interface

Phase 2: License Registration (Disconnected / Air-Gapped Mode)

VCF 9.0 uses a new unified subscription-based license file model. The old 25-character license keys are replaced by license files. There are only two license types: VMware Cloud Foundation (cores) and VMware vSAN (TiBs). All other components (NSX, vCenter, VCF Automation, etc.) are automatically licensed when a primary license is assigned.

2.1 Download the Registration File

Navigation: VCF Operations > License Management > Registration

1. In the left navigation, click License Management
2. Click Registration
3. In the Download Registration File card, click Download
4. Save the .jws (JSON Web Signed) file to a local machine or USB drive

2.2 Upload Registration to VCF Business Services Console

This step is performed on a machine with internet access:

1. Transfer the .jws file to a computer with internet access via USB drive or secure transfer
2. Open a browser and navigate to https://vcf.broadcom.com
3. Log in with your Broadcom Support Portal credentials
4. Select the Site ID you want to register this VCF Operations instance against
5. Upload the registration file when prompted
6. Add licenses to your license server - you must add licenses to each license server to complete registration
7. The Business Services Console generates a license file in exchange
8. Click Download to save the license file
9. Click Finish

2.3 Import the License File into VCF Operations

Navigation: VCF Operations > License Management > Registration

1. Return to VCF Operations at https://192.168.1.77
2. Navigate to License Management > Registration
3. Click Import License File
4. Click Browse and select the downloaded license file
5. Click Import
6. Upon completion, click Complete

2.4 Verify Licensing

• The license status should change from "Evaluation" to showing your valid license
• All previously grayed-out menu items become fully active
• Navigate to License Management and confirm license details show correct core counts and expiration

2.5 Ongoing License Usage Reporting (Every 180 Days)

Since the environment is air-gapped, you must manually report usage at least every 180 days:

1. Navigate to License Management > Registration
2. Click Generate Usage File and save it
3. Transfer the usage file to an internet-connected machine
4. Log in to https://vcf.broadcom.com
5. Navigate to License Management > VCF Operations Registrations
6. Find your VCF Operations instance, click the vertical ellipsis menu, select Upload Usage File
7. Upload the usage file, click Save and Next
8. The system generates an updated license file - click Download
9. Click Finish
10. Transfer the new license file back and import it via License Management > Registration > Import License File

WARNING: If license usage data is not submitted within 180 days, licenses are treated as expired. Hosts are disconnected from vCenter and workload operations are blocked. In a lab environment, set a calendar reminder.

Phase 3: Fleet Management Appliance Registration

The Fleet Management appliance handles lifecycle management functions formerly in SDDC Manager. If deployed via the VCF Installer, this may already be connected. If not:

3.1 Register Fleet Management Appliance

Navigation: https://192.168.1.77/admin/ (the Admin UI, not the main UI)

1. Open a browser and navigate to https://192.168.1.77/admin/
2. Log in as admin with your VCF Operations admin password
3. Navigate to System Status > Fleet Management section
4. Click the Connect button
5. Node Address: Enter the FQDN of the VCF Operations Fleet Management appliance
6. Admin Password: Enter the Fleet Management appliance admin password
7. Click Test Connection to verify connectivity
8. Review the security certificate presented by the appliance
9. Accept the certificate and click Next
10. Enter the VCF Operations admin password when prompted
11. Click Finish

3.2 Verify Registration

• The Fleet Management status should show as Connected in the Admin UI
• Return to the main VCF Operations UI (https://192.168.1.77)
• Navigate to Fleet Management - all fleet management capabilities should be accessible

Phase 4: Offline Depot Configuration

In VCF 9, depot functionality has moved from SDDC Manager to VCF Operations. You must configure the depot before you can download binaries for additional components. There are TWO depot configurations needed for an air-gapped environment.

Important: Only one depot connection (online OR offline) can be ACTIVE at a time. If an online depot is already configured, you must disconnect it first.

4.1 Configure the Offline Depot for VCF Management Components

Navigation: VCF Operations > Fleet Management > Lifecycle > VCF Management > Depot Configuration

1. Navigate to Fleet Management > Lifecycle > VCF Management > Depot Configuration
2. Click Configure under the Offline Depot widget
3. Offline Depot Type: Keep as "Webserver"
4. Repository URL: Enter https://192.168.1.52:8443
5. Username: admin
6. Password: admin
7. Check "I accept the imported certificate" after reviewing the certificate details
8. Click OK

4.2 Verify Depot Connection

1. Navigate to Binary Management > Install Binaries tab
2. You should see available binaries listed for download (Operations for Logs, Operations for Networks, etc.)
3. Download status should show the binaries available for installation

4.3 Configure the Offline Depot for VCF Instance (SDDC Manager)

Navigation: VCF Operations > Fleet Management > Lifecycle > VCF Instances > (select your instance) > Depot Settings

1. Navigate to Fleet Management > Lifecycle > VCF Instances
2. Select your VCF Instance from the list
3. Click Depot Settings
4. Under Offline Depot, select Set Up
5. Enter the hostname of your depot server: 192.168.1.52:8443
6. Click Save

Note: Before configuring the SDDC Manager depot, you may need to trust the SSL certificate of your offline depot server. This was already done during the initial bringup (certificate imported into SDDC Manager's Java trust store).

Phase 5: Connect Data Sources - VCF Cloud Account

This is the critical step that connects VCF Operations to your SDDC Manager, enabling automatic monitoring of all VCF domains including vCenter, NSX, and vSAN.

5.1 Add the VMware Cloud Foundation Account

Navigation: VCF Operations > Administration > Integrations > Accounts tab > Add

1. In the left navigation, click Administration
2. Click Integrations
3. Click the Accounts tab
4. Click Add
5. On the Account Types page, select VMware Cloud Foundation
6. Fill in the following fields:
   • Name: Lab VCF Instance (or any descriptive name)
   • Description: Management Domain - Lab Environment
   • Physical Data Center: Select existing or create new by clicking the option
7. Connection Details:
   • SDDC Manager FQDN: sddc-manager.lab.local or 192.168.1.125
   • Use the FQDN rather than IP if you want VCF SSO to work properly
8. Credentials:
   • Click the Add (+) icon to create new credentials
   • Credential Name: SDDC Manager Admin
   • Username: administrator@vsphere.local (supported formats: username@domain or domain\username)
   • Password: Enter the corresponding password
   • Click OK to save the credential
9. Collector:
   • Select which VCF Operations collector or collector group manages this account
   • Ensure the SDDC Manager FQDN is reachable from the selected collector
10. Click Validate Connection
11. A certificate dialog appears - review the certificate and click OK to accept
12. Advanced Settings:
    • Enable Domain Monitoring on Creation: Toggle to True for automatic data collection on newly discovered domains
    • Configuration Limits: Optionally enter the name of a file containing VCF configuration max soft and hard limits
13. Management Options:
    • Select the option for monitoring plus license/plugin management
14. Click Add to create the account

5.2 Start Data Collection

1. On the Accounts tab, locate your new VMware Cloud Foundation account
2. Click the vertical ellipsis (three dots) menu next to the account
3. Select Start Collecting All

5.3 What Happens Automatically

After configuration, VCF Operations automatically:

• Discovers all VCF domains
• Creates vCenter adapter instances for each domain's vCenter
• Creates NSX adapter instances for each domain's NSX Manager
• Creates vSAN adapter instances for vSAN-enabled clusters
• Configures system-managed credentials for NSX 9.0 endpoints
• Begins collecting metrics, properties, and alerts from all discovered components

Note: Initial collection takes multiple cycles (standard cycle = 5 minutes). Allow 15-30 minutes for full data population.

Phase 6: Add Individual vCenter Account (If Not Auto-Discovered)

When you add a VCF account in Phase 5, vCenter accounts are normally auto-discovered. Skip this phase if auto-discovery worked. If you need to add a vCenter account manually:

6.1 Add a Standalone vCenter Account

Navigation: VCF Operations > Administration > Integrations > Accounts tab > Add

1. Click Add on the Accounts tab
2. Select vCenter from the Account Types page
3. Display Name: vcenter.lab.local - 192.168.1.69
4. Description: Management Domain vCenter
5. Physical Data Center: Select or create
6. vCenter Field: vcenter.lab.local or 192.168.1.69
7. Credentials: Click Add (+)
   • Enter administrator@vsphere.local
   • Enter the password
   • Action User (optional): Alternate credentials for operational actions (power on/off VMs)
   • Primary credential needs Performance > Modify intervals permission for VM guest metrics
8. Collector: Select the VCF Operations collector
9. Click Validate Connection and accept the certificate
10. Optional Features:
    • Activate for Operational Actions: Check to enable remediation actions
    • Activate Log Collection: Check to enable log forwarding (requires VCF Operations for Logs)
    • Activate Network and Flow: Check to enable network monitoring
11. Click Add
12. On the Accounts tab, click the vertical ellipsis menu > Start Collecting

Important: vCenter accounts do NOT start monitoring automatically. You must manually initiate data collection.

Phase 7: Verify Data Collection

7.1 Check Adapter Status

Navigation: VCF Operations > Administration > Integrations > Accounts

1. Navigate to the Accounts tab
2. For each configured account (VCF, vCenter, NSX, vSAN), verify:
   • Collection Status: Green "Collecting" (not "Stopped" or "No data receiving")
   • Collection State: "Collecting Data"
3. If any adapter shows issues, click on it to see detailed error messages

7.2 Verify Object Discovery

Navigation: VCF Operations > Infrastructure Operations > Inventory

1. Navigate to Infrastructure Operations
2. Verify the following objects have been discovered:
   • vCenter instances (vcenter.lab.local)
   • ESXi hosts (esxi01, esxi02, esxi03, esxi04)
   • Clusters (management cluster)
   • Datastores (vSAN datastore)
   • Virtual Machines (all management VMs)
   • NSX objects (NSX Manager, transport nodes)

7.3 Check VCF Health

Navigation: VCF Operations > Infrastructure Operations > VCF Health

1. Navigate to the VCF Health page
2. Verify all components show healthy status
3. VCF Health monitors: certificates, NTP synchronization, DNS reverse lookup, vCenter performance, and other critical infrastructure parameters
4. Diagnostics findings appear automatically - the Management Pack for VCF Diagnostics is auto-installed

7.4 Key Timing Notes

• Standard collection cycle: every 5 minutes
• Initial collection may take multiple cycles: 15-30 minutes
• Property-based diagnostic scans run every 4 hours
• Telegraf agent data collection interval: 4 minutes
• Cloud proxy registration can take up to 20 minutes on first boot

Phase 8: Certificate Management

VCF 9.0 introduces unified, non-disruptive TLS certificate management across all VCF components.

8.1 View All Certificates

Navigation: VCF Operations > Fleet Management > Certificates

1. Navigate to Fleet Management > Certificates
2. Select either VCF Management or VCF Instances tab
3. View the certificate inventory showing all TLS certificates across your environment
4. Certificates are displayed for: vCenter, ESX hosts, VCF Operations, VCF Automation, Fleet Management, SDDC Manager, NSX local manager
5. Review certificate expiration dates and status alerts

8.2 Configure a Certificate Authority - Microsoft CA

Navigation: VCF Operations > Fleet Management > Certificates > Configure CA

1. Navigate to Fleet Management > Certificates
2. Select VCF Management or VCF Instances (and choose a specific instance)
3. Click Configure CA
4. Select Microsoft Certificate Authority
5. Fill in:
   • CA Server URL: Must begin with https:// and end with certsrv (e.g., https://ca.lab.local/certsrv)
   • User Name: Least-privileged service account (e.g., svc-vcf-ca)
   • Password: Service account password
   • Template Name: The issuing certificate template created in Microsoft CA
6. Click Save

8.3 Configure a Certificate Authority - OpenSSL

1. Click Configure CA
2. Select OpenSSL
3. Fill in:
   • Common Name: FQDN of SDDC Manager appliance
   • Country: Country of registration
   • Locality Name: City
   • Organization Name: Legal company name
   • Organization Unit Name: Department
   • State: Full state/province name (unabbreviated)
4. Click Save

Important: VCF management components only support Microsoft CA. VCF Instance components support both Microsoft CA and OpenSSL. You configure the CA separately for management components and instance components.

8.4 Replace Default Certificates

After configuring a CA, replace default self-signed certificates with enterprise CA-signed certificates. Certificates eligible for non-disruptive auto-renewal include: ESX SSL, vCenter machine SSL, NSX LM/VIP, SDDC Manager SSL, and VCF Operations certificates.

8.5 Enable Automatic Renewal

On the Certificates page, enable auto-renewal for supported certificates. This prevents unexpected certificate expiration.

Lab Note: In a lab with no Microsoft CA, you can continue using self-signed certificates. The certificate management UI will show certificate expiration warnings, which is normal.

Phase 9: Password Management and Rotation

VCF 9.0 provides unified password management centralized in VCF Operations, replacing the password management previously found in SDDC Manager.

9.1 View Password Status

Navigation: VCF Operations > Fleet Management > Passwords

1. Navigate to Fleet Management > Passwords
2. Select either VCF Management or VCF Instances tab
3. Select your domain to view all managed account passwords
4. The dashboard shows:
   • Account names and types (root, admin, backup, consoleuser, support, admin@local, vmware-system-user)
   • Password status (valid, expiring soon, expired)
   • Last modified dates
   • Expiration dates

9.2 Managed Components and Accounts

VCF Management Components:

• Fleet Management
• VCF Automation
• VCF Identity Broker
• VCF Operations
• VCF Operations for Logs
• VCF Operations for Networks

VCF Instance/Domain Components:

• ESX hosts
• NSX Manager
• vCenter Server
• SDDC Manager

9.3 Update a Password

1. Navigate to Fleet Management > Passwords
2. Select the component and account you want to update
3. Click Update Password
4. Enter the new desired password (this lets you specify the exact password, unlike rotation)
5. Confirm the new password
6. Click Update

This changes the password on both the server side (where the account resides) and the client side (where the account is used).

9.4 Rotate Passwords

Password rotation generates a randomized password:

1. Navigate to Fleet Management > Passwords
2. Select accounts to rotate
3. Click Rotate
4. The system generates random passwords meeting complexity requirements
5. Set the rotation interval: 30 days, 60 days, or 90 days
6. You can also deactivate the schedule
7. Only a user with the ADMIN role can perform this task

Note: Auto-rotate is automatically enabled for vCenter Server. It may take up to 24 hours to configure the auto-rotate policy for a newly deployed vCenter.

WARNING — Nested/Lab Environments: If a credential update, rotation, or remediation fails mid-operation (commonly because NSX was temporarily unreachable during a boot storm), a cascading failure occurs: the component resource gets stuck in ACTIVATING or ERROR state, stale locks accumulate in the database, and unresolved task metadata piles up — blocking all future password operations. The error messages are "Resources [host] are not available/ready", "not in ACTIVE state", or "Unable to acquire resource level lock(s)". The API cannot cancel stuck tasks. This requires a database-level fix on SDDC Manager — cleaning three tables: nsxt (status), lock, and task_metadata (resolved). See Known Issue #19 and the Troubleshooting Handbook Section 10 for the full repair procedure.

9.5 Remediate Passwords

If a password gets out of sync between SDDC Manager and the actual component:

Prerequisites:

• No workflows running or scheduled
• Required permissions: Fleet Management > Passwords > Manage and Fleet Management > Passwords > View
• One account remediated at a time

Steps:

1. Navigate to Fleet Management > Passwords
2. Select either VCF Management or VCF Instances and choose your domain
3. Select the component showing a password issue
4. Click Remediate Password
5. Enter and confirm the manually-set password (the password currently on the component)
6. Click Remediate Password to complete

Phase 10: Configure SSO / Identity and Access Management

VCF 9.0 introduces the VCF Identity Broker (VIDB), which provides federated SSO across all VCF components.

10.1 Configure VCF Single Sign-On for VCF Operations

Navigation: VCF Operations > Fleet Management > Identity & Access > VCF Management > Operations Appliance

1. Navigate to Fleet Management > Identity & Access > VCF Management
2. Select Operations Appliance
3. Click Configure
4. Select the Identity Broker instance from the dropdown
5. Accept the role assignment requirements
6. The system validates and displays the Identity Broker on the configuration list after processing

10.2 Verify Authentication Source

Navigation: VCF Operations > Administration > Control Panel > Authentication Sources

1. Navigate to Administration > Control Panel > Authentication Sources
2. Confirm that "VCF SSO" now appears in the list of available authentication sources

10.3 Import Directory Users and Groups

Navigation: VCF Operations > Administration > Control Panel > Access Control

1. Navigate to Administration > Control Panel > Access Control
2. Click the three-dot menu and select Import from Source (do NOT use the standard "Add" button - that creates local groups only)
3. Select VCF SSO as the source
4. Search for your Active Directory groups (e.g., vcf-admins, vcf-readonly)
5. Select the groups to import

10.4 Assign Permissions

1. Select the imported groups
2. Click the menu and choose Edit
3. Assign:
   • Role: The actions users can perform (e.g., Administrator, ReadOnly, ContentAdmin)
   • Scope: The objects those actions apply to (e.g., all objects, specific data centers)
4. Click Save
5. Test by logging out and logging back in using VCF SSO authentication

10.5 Add Active Directory Identity Source in vCenter

To add AD authentication to vCenter separately:

1. Log in to vCenter at https://192.168.1.69
2. Navigate to Administration > Single Sign-On > Configuration
3. Click Identity Sources > Add
4. Select Active Directory over LDAP or Active Directory (Integrated Windows Authentication)
5. Enter your AD domain details:
   • Domain name
   • Base distinguished name for users and groups
   • Primary server URL (e.g., ldap://dc01.lab.local:389)
   • Bind user distinguished name
   • Bind password
6. Click Test Connection to verify
7. Click Add to save

Phase 11: Compliance and Configuration Drift Monitoring

11.1 Access Compliance

Navigation: VCF Operations > Security & Compliance > Compliance

1. Navigate to Security & Compliance > Compliance
2. Ensure your data sources (vCenter, VCF account) are configured and collecting before proceeding

11.2 Activate VMware SDDC Benchmarks

1. On the Compliance page, locate the VMware SDDC Benchmarks section
2. Click Activate for the benchmark you want to enable
3. Available score cards:
   • vSphere Security Configuration Guide
   • vSAN Security Configuration Guide
   • NSX Security Configuration Guide
4. Select an applicable policy when prompted
5. The system activates relevant alert definitions automatically

11.3 Activate Regulatory Compliance Benchmarks

Available compliance standards built in:

• DISA Security Standards
• FISMA Security Standards
• HIPAA

Standards requiring marketplace download (.PAK file):

• PCI DSS Compliance Standards
• CIS Security Standards
• NIST SP 800-171
• NIST SP 800-53 R5

For air-gapped environments, install marketplace packs manually:

Navigation: VCF Operations > Administration > Repository

1. Navigate to Administration > Repository
2. The Add Solution wizard opens
3. Page 1: Locate and upload the .PAK file
4. Page 2: Accept the EULA and install
5. Page 3: Review the installation
6. Click Add Account to configure the newly installed integration

11.4 Configure Drift Detection

Navigation: VCF Operations > Fleet Management > Configuration Drifts > Schedule Drift Detection

1. Navigate to Fleet Management > Configuration Drifts
2. Click Schedule Drift Detection
3. Step 1 - Configuration Details: Enter a name and description for the drift check
   • You can schedule drifts only for vCenter object types
4. Step 2 - Define Scope: Select vCenter instances from the right panel and move them to the left Scope window
   • You can select a VCF folder as scope to automatically include all VCF instances in that folder
5. Step 3 - Preview Scope: Click Preview Scope to validate which vCenter instances will be included
6. Step 4 - Filtering Criteria: Apply filters and add criteria specific to the vCenter object type
7. Step 5 - Schedule: Set the desired schedule interval and click Create
8. The system creates a new job visible in the automation central page

Phase 12: Alerts and Notifications

12.1 Configure Outbound Notification Plug-Ins

Navigation: VCF Operations > Infrastructure Operations > Configurations > Outbound Settings

1. Navigate to Infrastructure Operations > Configurations
2. Click the Outbound Settings tile
3. Click Add

12.2 Standard Email Plug-In

1. Select Standard Email Plugin from the Plug-In Type dropdown
2. Instance Name: Lab Email Notifications
3. Configure SMTP settings:
   • Use Secure Connection: Enable for SSL/TLS
   • Secure Connection Type: SSL or TLS
   • Requires Authentication: Check if your SMTP requires auth
   • SMTP Host: URL or IP of email server
   • SMTP Port: 25, 465, or 587
   • Sender Email Address: vcf-ops@lab.local
   • Sender Name: VCF Operations
   • Credential Type: Basic Authentication or No Credential
   • Receiver Email Address: Default recipient
4. Click Save
5. Select the instance and click Activate

12.3 SNMP Trap Plug-In

1. Select SNMP Trap Plugin
2. Instance Name: Name for the plug-in instance
3. Destination Host: IP or FQDN of SNMP trap receiver
4. Port: Default 162
5. Community: SNMP community string (for v1/v2c)
6. For SNMPv3: provide Username, Auth Protocol (SHA-224/256/384/512), Auth Password, Privacy Protocol (AES192/256), Privacy Password
7. Engine ID: Auto-generated if omitted
8. Click Test then Save

12.4 Webhook Notification Plugin

1. Select Webhook Notification Plugin
2. Enter Instance Name and Webhook URL
3. Credential Type options: Basic Authentication, Bearer Token, OAuth, Certificate (X.509), API Key
4. Click Test and Save

12.5 Other Available Plug-Ins

• Log File
• ServiceNow
• Slack
• Network Share
• REST (deprecated)

12.6 Create Notification Rules

Navigation: VCF Operations > Infrastructure Operations > Configurations > Notifications

1. Navigate to Infrastructure Operations > Configurations
2. Click the Notifications tile
3. Click Add on the toolbar

Step 1 - Basic Details:

• Name: Rule identifier (e.g., Critical Host Alerts)
• Description: Rule purpose
• Notification Status: Toggle active/inactive
• Notification Type: Select "Alert"
• Click Next

Step 2 - Define Filtering Criteria:

• Object Scope: Object Type, specific Objects, Tags, Applications, Tiers (option to include child objects)
• Alert Scope: Alert Types/Subtypes, Alert Impact, or Alert Definition
• Criticality: Filter by severity (Critical, Immediate, Warning, Information)
• Control State: Filter by status (opened, assigned, suspended)
• Notify On: Trigger conditions (new, updated, canceled)
• Notification Heartbeat: Enable repeat notifications for active alerts
• Click Next

Step 3 - Select Outbound Method:

• Choose from configured plug-in instances
• Click Next

Step 4 - Payload Template:

• Select default or custom template
• For Email: configure Recipients, Cc/Bcc, Notify Again interval, Max Notifications, Delay to Notify
• Click Next

Step 5 - Test:

• Click Initiate Process to test
• Select an alert definition and object
• Click Validate Configuration
• Review Response and Body tabs

Step 6 - Create:

• Click Create to finalize

Phase 13: Dashboards and Reporting

13.1 Access Predefined Dashboards

Navigation: VCF Operations > Infrastructure Operations > Dashboards & Reports

1. Navigate to Infrastructure Operations > Dashboards & Reports
2. Click Manage to see all available dashboards
3. VCF Operations ships with many predefined dashboards

13.2 Key Predefined Dashboards

Overview:

• Geo-map view of globally deployed VCF instances
• Inventory sections: VCF domains, datacenters, clusters, ESX hosts, VMs
• Diagnostic Findings correlating issues across infrastructure
• Security risk highlights based on CVE and VMSA advisories

Configuration Dashboards:

• Cluster Configuration - vSphere cluster configuration requiring attention
• ESXi Configuration - ESXi host configurations needing review
• Network Configuration - vSphere distributed switch configurations
• VM Configuration - Virtual machine configurations
• vSAN Configuration - vSAN configuration details
• Workload Management - Supervisor Clusters and Namespaces

Performance Dashboards:

• vSAN OSA Performance - read/write latency, contention, utilization
• vSAN ESA Performance - for Express Storage Architecture
• Out-of-the-box infrastructure health monitoring

Capacity Dashboards:

• Time remaining before resources are projected to run out
• VM-level capacity analysis with drill-down

Storage Operations:

• Active storage alerts (critical and warning)
• vSAN cluster capacity usage and health scores
• Performance KPIs

Security Operations Dashboard:

• User authentication and permissions overview
• Host and VM encryption status
• vSAN cluster encryption
• CVE violation advisories
• Certificate health monitoring

Skyline Operational Overview:

• Proactive monitoring and recommendation dashboard

Energy Efficiency Dashboards:

• Energy Efficiency with Virtualization
• Energy Efficient Clusters and Infrastructure
• Environmental Impact of Idle VMs

13.3 Create a New Dashboard

1. From the left menu, click Dashboards & Reports
2. Click New Dashboard
3. Dashboard Name: Enter a name
   • Using a forward slash (/) in the name creates a folder hierarchy (e.g., Lab/Overview)
4. The dashboard canvas opens for widget placement

13.4 Add and Configure Widgets

1. On the dashboard canvas, click Add Widget or drag from the widget panel
2. Available widget types:
   • Metric Chart - visualize specific metrics over time
   • View - display tabular data
   • Health Chart - show health status
   • Sparkline - compact trend visualization
   • Mashup Chart - combine multiple data sources
   • Rolling View - auto-scrolling data display
3. For each widget, click the pencil icon to configure:
   • Select the data source (object type, specific object)
   • Choose metrics to display
   • Set time range
   • Configure visual options
4. Widget Interactions: Set data from one widget as a filter to display related information on another widget

13.5 Share and Manage Dashboards

• Share: Click the share icon to share with specific user groups
• Favorites: Mark frequently used dashboards as favorites
• Dashboard Home: Set a dashboard as your home page (up to 5 dashboards can be added to Product Home)
• Time Range: Default is 6 hours; options include 1h, 6h, 24h, 7d, or custom

Phase 14: Deploy VCF Operations for Logs

VCF Operations for Logs is not deployed automatically during initial bringup. It must be deployed as a Day 2 operation.

Known Issue — Self-Signed Certificate SAN Mismatch: The Fleet Management deployment wizard's "Generate self-signed certificate" option may produce a certificate whose SAN entries do not match the node FQDN/IP, causing a precheck error: "Certificate validation for component vrli:vrli-master — The hosts in the certificate doesn't match with the provided/product hosts." The workaround is to generate a custom certificate with OpenSSL and import it. See Phase 14.1a.

14.1 Deploy via Fleet Management

Navigation: VCF Operations > Fleet Management > Lifecycle > VCF Management > Components

Prerequisites: Depot must be configured (Phase 4) and the operations-logs binary must be downloaded via Binary Management > INSTALL BINARIES tab.

Note: The operations-logs OVA (Operations-Logs-Appliance-9.0.1.0.24960345.ova) and PAK must be present in the offline depot under PROD\COMP\VRLI\. If the download fails with 404, verify the files exist in the depot directory and the HTTPS depot server is running.

1. Navigate to Fleet Management > Lifecycle > VCF Management
2. Under the Components section, click Add next to operations-logs
3. Select New Installation
4. Select deployment type: Simple for lab environments
5. Certificate Configuration:
   • Recommended: Import a custom certificate generated with proper SANs (see Phase 14.1a)
   • Alternative: Generate self-signed certificate (may fail precheck — see warning above)
6. VM Location & OS Configuration:
   • Select vCenter, cluster, VM network, and datastore
   • Click Edit Server Selection to choose DNS and NTP servers
7. Component Configuration:
   • Click Add Password to set default password (15+ characters, must include special characters !@#$%^&*)
   • Node Size: Small (for lab)
   • FIPS Mode: Disable for lab
   • VM Compatibility: Update to latest hardware version
   • Time Sync: Select NTP servers
   • Enter VM Name, FQDN, and IP Address for the node
8. Run Precheck validation
9. Click Deploy
10. Monitor deployment until completion

14.1a Certificate Workaround: Generate Custom Certificate

If the wizard's self-signed certificate fails precheck validation, generate a proper certificate with OpenSSL on SDDC Manager (SSH as vcf, then su - to root):

Step 1 — Verify DNS resolution:

nslookup logs.lab.local 192.168.1.230
nslookup 192.168.1.242 192.168.1.230
ping -c 2 logs.lab.local

Step 2 — Create OpenSSL config and generate certificate:

cat > /tmp/vrli-cert.cnf << 'EOF'
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req
x509_extensions = v3_req

[dn]
C = US
ST = California
L = Lab
O = Lab
OU = VCF
CN = logs.lab.local

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = logs.lab.local
DNS.2 = logs
IP.1 = 192.168.1.242
EOF

openssl req -x509 -nodes -days 730 -newkey rsa:4096 \
  -keyout /tmp/vrli.key -out /tmp/vrli.crt \
  -config /tmp/vrli-cert.cnf

Step 3 — Verify SANs are correct:

openssl x509 -in /tmp/vrli.crt -noout -text | grep -A5 "Subject Alternative Name"
# Expected: DNS:logs.lab.local, DNS:logs, IP Address:192.168.1.242

Step 4 — Transfer cert to workstation:

Display the certificate and key, then copy-paste into local files (vrli.crt and vrli.key):

cat /tmp/vrli.crt
cat /tmp/vrli.key

Step 5 — Import in Fleet Management wizard:

1. In the deployment wizard's Certificate step, select Import
2. Upload vrli.crt (certificate) and vrli.key (private key) — must be PEM format
3. Continue to Component Configuration and complete the deployment as described in Phase 14.1
4. Run Precheck — should pass with the custom certificate

14.2 Initial Configuration (Manual OVA Deployment)

If deployed manually via OVA rather than Fleet Management:

1. Open browser to https://<logs-appliance-FQDN>
2. Select START NEW DEPLOYMENT
3. Set Admin Password: Enter password for the admin account (linked to Super Admin role)
4. Optionally provide an email address
5. Time Configuration: Set NTP synchronization settings
   • Click TEST to verify NTP connectivity
   • Click SAVE AND CONTINUE
6. SMTP Configuration: (Optional) Configure email server for alerts
   • Skip if not needed in lab - click SAVE AND CONTINUE
7. SSL Certificate: (Optional) Upload custom SSL certificate in PEM format
   • Skip to use default self-signed certificate - click SAVE AND CONTINUE
8. Configuration is complete

14.3 Integrate with VCF Operations

This step registers the VCF Operations for Logs appliance with VCF Operations so that logs appear in the Infrastructure Operations > Analyze dashboards.

Navigation: VCF Operations UI (https://vcf-ops.lab.local) > Administration > Control Panel > Operations-Logs Appliance Integration

Prerequisites:

• VCF Operations for Logs is deployed and accessible at https://logs.lab.local
• Port 9543 (SSL) is open from VCF Operations to the logs appliance
• Admin credentials for VCF Operations for Logs

Steps:

1. Log in to VCF Operations at https://vcf-ops.lab.local
2. Navigate to Administration > Control Panel
3. Locate the Operations-Logs Appliance Integration tile (may also appear as Log Management)
4. Click Edit or Configure on the tile
5. Enter the connection details:
   • Host: logs.lab.local (or 192.168.1.242)
   • Port: 9543 (default SSL port for log ingestion API)
   • Username: admin
   • Password: The admin password set during VCF Operations for Logs deployment
6. Click Validate Connection — wait for the green checkmark confirming connectivity
7. Click Save

Verification:

• The tile should show Connected status
• Navigate to Infrastructure Operations > Analyze — the log analysis page should now be accessible (it may show "No data" until log collection is enabled in Phase 14.4)

Troubleshooting: If validation fails, verify: (1) DNS resolution of logs.lab.local from the VCF Operations appliance, (2) port 9543 is reachable (curl -k https://logs.lab.local:9543), (3) the admin password is correct. If the logs appliance was deployed via Fleet Management, the admin account may use the password set during the Fleet Management deployment wizard.

14.4 Enable Log Collection

After integrating the logs appliance (Phase 14.3), enable centralized log collection for vCenter, ESXi hosts, and NSX. This configures the VCF components to forward syslog/event data to VCF Operations for Logs.

Method A — Centralized Log Collection Page (Recommended)

Navigation: VCF Operations > Infrastructure Operations > Configurations > Log Collection

1. Navigate to Infrastructure Operations > Configurations
2. Click the Log Collection card
3. You will see cards for each component type:
   • vCenter — collects events, tasks, and alarms
   • ESX — configures ESXi host syslog forwarding
   • VCF Operations — platform self-logging
   • VCF Operations for Networks — network component logging (if deployed)
4. For each component, click Edit log sources
5. Toggle log collection On for the desired instances (e.g., vcenter.lab.local)
6. Click Save

Note: ESXi host syslog forwarding is configured automatically when you enable vCenter log collection — the setting propagates to all hosts managed by that vCenter.

Method B — Via VCF Account (vcf-lab)

Navigation: VCF Operations > Administration > Integrations > Accounts

1. Navigate to Administration > Integrations > Accounts
2. Locate the vcf-lab account (VMware Cloud Foundation Adapter — status: Collecting)
3. Click the ellipsis (three dots) > Edit
4. Select the Domains tab
5. Expand the mgmt domain — you should see:
   • vcenter.lab.local — VMware vCenter
   • vcenter.lab.local - vSAN — vSAN Adapter
   • nsx-vip.lab.local — NSX-T Adapter
6. Click Activate Log Collection (checkbox or toggle for the mgmt domain)
7. Click Save
8. Verify: the Accounts page should show the log collection status updating

Verification:

• Wait 5–10 minutes for initial log ingestion
• Navigate to Infrastructure Operations > Analyze — search for recent logs
• Check VCF Operations for Logs UI at https://logs.lab.local > Explore Logs — you should see incoming log entries from vCenter and ESXi hosts
• On the Accounts page, the vcf-lab account should show log collection as active

Note: The log collection configuration for vCenter adapter instances is NOT included in configuration export/import operations. If you ever restore a VCF Operations backup, you must re-enable log collection manually.

14.4a Fix Stopped Adapters (If Present)

If the Accounts page shows stopped adapters, investigate before enabling log collection:

Steps to re-activate a stopped adapter:

1. On the Accounts page, click the ellipsis next to the stopped adapter > Edit
2. Re-enter the credentials (username/password)
3. If prompted about certificate trust, click Accept Certificate to trust the new cert
4. Click Validate Connection
5. Click Save
6. The adapter should transition from Stopped to Collecting within a few minutes

14.5 Configure SDDC Manager Log Forwarding (Manual)

As of VCF 9.0, SDDC Manager log forwarding is not configured automatically through the centralized log collection feature. It must be set up manually via syslog configuration.

Option A — Configure Syslog via SDDC Manager CLI

SSH to SDDC Manager as vcf, then su - to root:

# Test connectivity to VCF Operations for Logs
curl -k https://logs.lab.local:9543

# Configure syslog forwarding (cfapi ingestion)
# Check if syslog is already configured
cat /etc/rsyslog.d/*.conf | grep -i logs.lab.local

# Add syslog forwarding rule
cat > /etc/rsyslog.d/90-vrli.conf << 'EOF'
# Forward all logs to VCF Operations for Logs via TCP+TLS
*.* @@logs.lab.local:514
EOF

# Restart rsyslog
systemctl restart rsyslog
systemctl status rsyslog

Option B — Deploy VCF Operations for Logs Agent

1. Download the liagent (Log Insight Agent) package from the VCF Operations for Logs UI:
   • Log in to https://logs.lab.local
   • Navigate to Administration > Agents
   • Download the Linux RPM agent package
2. Transfer to SDDC Manager:

   # From your workstation (or use the SSH cat trick for restricted shell):
   ssh vcf@sddc-manager.lab.local "cat > /tmp/VMware-Log-Insight-Agent.rpm" < VMware-Log-Insight-Agent.rpm
   

3. SSH to SDDC Manager, switch to root, and install:

   rpm -ivh /tmp/VMware-Log-Insight-Agent.rpm
   

4. Configure the agent to point to VCF Operations for Logs:

   cat > /var/lib/loginsight-agent/liagent.ini << 'EOF'
   [server]
   hostname=logs.lab.local
   port=9543
   ssl=yes
   ssl_accept_any=yes
   
   [filelog|sddc-manager-syslog]
   directory=/var/log
   include=*.log;messages;syslog
   EOF
   

5. Start the agent:

   systemctl enable liagentd
   systemctl start liagentd
   systemctl status liagentd
   

Verification:

• On VCF Operations for Logs (https://logs.lab.local), navigate to Explore Logs
• Filter by source: sddc-manager.lab.local or 192.168.1.241
• You should see log entries appearing within a few minutes

Note: Ensure port 9543 (SSL) from SDDC Manager (192.168.1.241) to VCF Operations for Logs (192.168.1.242) is open. In this nested lab environment, both VMs are on the same flat 192.168.1.0/24 network, so no firewall rules should be needed.

Phase 15: NSX Monitoring Integration

15.1 Automatic Discovery via VCF Account

When you configure a VCF Cloud Account (Phase 5), NSX adapters are automatically discovered and configured for all domains that have NSX deployed. No manual configuration is needed.

15.2 Verify NSX Adapter Status

Navigation: VCF Operations > Administration > Integrations > Accounts

1. Navigate to the Accounts tab
2. Expand the VMware Cloud Foundation account
3. Find the NSX adapter listed under the management domain
4. Verify the collection status shows green "Collecting"

15.3 NSX Monitoring Features

The NSX adapter retrieves alerts and findings from NSX into VCF Operations. Supported NSX versions: 3.0 and above.

VCF 9.0 includes enhanced NSX monitoring:

• Enhanced NSX-T Edge node monitoring with new edge node metrics sub-groups
• Network operations overview with vSphere networking and NSX inventory summary
• Visibility into network alerts and trends

15.4 Configure VCF Operations for Networks (Advanced)

For deeper network monitoring capabilities:

Navigation: VCF Operations > Administration > Integrations > Repository

1. Navigate to Administration > Integrations > Repository tab
2. Find the VCF Operations for Networks management pack in Available Integrations
3. Click Activate on the management pack card
4. After activation, click Add Account to configure the adapter instance
5. Enter the connection details for your VCF Operations for Networks instance

Important: Starting from VCF 9.0, only ONE VCF Operations for Networks instance integration is supported. During deployment, VCF Operations Fleet Management integrates VCF Operations and VCF Operations for Networks automatically.

Phase 16: vSAN Monitoring

16.1 Automatic vSAN Discovery

When you configure a VCF account or vCenter account with a vSAN-enabled cluster, vSAN monitoring data is automatically collected. No separate configuration is required.

16.2 Access vSAN Storage Operations Dashboard

Navigation: VCF Operations > Infrastructure Operations > Storage Operations

1. Navigate to Infrastructure Operations > Storage Operations
2. The centralized storage dashboard shows both vSAN and non-vSAN storage types
3. View:
   • vSAN Cluster Health Score
   • Cluster type classification
   • Performance metrics: Hover on any cluster pin to see IOPS, Latency, and Throughput
   • vSAN Clusters table with detailed cluster information

16.3 Run vSAN Performance Diagnostics

1. On the Storage Operations page, click View Diagnostics or Run New Diagnostics
2. Select a cluster
3. Choose diagnostic mode:
   • Troubleshooting: For clusters with active workloads - identifies performance issues
   • Benchmarking and Optimizing: For new clusters before deploying workloads
4. Review results: cluster information, diagnostic results, remediation steps, and suggestions

Note: Diagnostic reports are available for the past 7 days only. Diagnostics run on both vSAN OSA and ESA HCI architectures.

16.4 Predefined vSAN Dashboards

Navigate to Infrastructure Operations > Dashboards & Reports and find:

• vSAN OSA Performance Dashboard - read/write latency, contention, utilization across VMs
• vSAN ESA Performance Dashboard - same metrics for Express Storage Architecture

Phase 17: Backup Configuration

17.1 Fleet-Level Backups

Navigation: VCF Operations > Fleet Management > Lifecycle > Settings > SFTP Settings

1. Navigate to Fleet Management > Lifecycle > Settings
2. Click SFTP Settings
3. Configure the SFTP server details:
   • SFTP Host: IP or FQDN of your SFTP server
   • Port: Default 22
   • Username: SFTP account username
   • Password: SFTP account password
   • Path: Directory path for backup storage
4. Click Test Connection to verify
5. Click Save
6. Navigate to Backup Settings and configure the backup schedule:
   • Backup frequency: Daily, Weekly, or Custom
   • Retention: Number of backups to keep

17.2 Instance-Level Backups

Navigation: VCF Operations > Inventory > VCF Instance > Actions > Manage VCF Instance Settings

1. Navigate to Inventory > Select your VCF Instance
2. Click Actions > Manage VCF Instance Settings
3. Click Backup Settings
4. Configure instance-specific backup parameters
5. Click Save

SDDC Manager to VCF Operations Task Migration Reference

The following tasks have moved from SDDC Manager to VCF Operations in VCF 9.0:

| Task | VCF 9.0 Location | | DNS/NTP Configuration | Inventory > VCF Instance > Actions > Manage VCF Instance Settings > Network Settings | | Workload Domain Creation | Inventory > VCF Instance > Add Workload Domain | | Backup Configuration | Fleet Management > Lifecycle > Settings | | Certificate Authority | Fleet Management > Certificates > Configure CA | | Certificate Management | Fleet Management > Certificates | | Password Management | Fleet Management > Passwords | | Network Pools | vCenter: Global Inventory > Hosts > Network Pools | | Host Commissioning | vCenter: Global Inventory > Unassigned Hosts | | Cluster Creation | vCenter: New SDDC Cluster | | Licensing | License Management (single file) |

Critical Note: While the SDDC Manager UI is still present in VCF 9.0, performing tasks there does not immediately sync to VCF Operations. Changes depend on scheduled synchronization intervals. Use VCF Operations as the primary interface.

Post-Configuration Verification Checklist

License Verification

• Navigate to License Management - confirm license is valid and not in evaluation mode
• Verify core count matches your subscription
• Set a calendar reminder for usage file submission (within 180 days)

Data Collection Verification

• Administration > Integrations > Accounts - all adapters showing green "Collecting" status
• VCF account, vCenter adapter, NSX adapter, and vSAN adapter all collecting
• Wait at least 30 minutes after initial configuration for full data population

Fleet Management Verification

• Fleet Management dashboard shows all components as healthy
• Fleet Management appliance shows "Connected" status
• Depot configuration shows connected to offline depot
• Binary Management shows available binaries

Infrastructure Operations Verification

• Infrastructure Operations > VCF Instances - shows your VCF instance with all domains
• All ESXi hosts (esxi01-04) visible in inventory
• All VMs discovered and monitored
• vSAN datastore visible and metrics collecting
• NSX components visible

VCF Health Verification

• Infrastructure Operations > VCF Health - review all health checks
• Check for certificate expiration warnings
• Check NTP synchronization status
• Check DNS reverse lookup status

Security and Compliance Verification

• Security & Compliance > Compliance - SDDC benchmarks activated
• Compliance scores generating for hosts, VMs, and network objects

Alerts Verification

• Infrastructure Operations > Alerts - review any initial alerts
• Notification plug-ins configured and activated (if applicable)
• Test at least one notification rule

Password Management Verification

• Fleet Management > Passwords - all accounts showing valid status
• No expired or soon-to-expire passwords

Certificate Management Verification

• Fleet Management > Certificates - all certificates visible
• Review expiration dates and plan for renewal

Known Issues and Gotchas (VCF Operations 9.0.1)

1. Relationships not updated after 2nd collection cycle in management packs built with the Management Pack Builder
2. Custom network adapters do not start after VCF Operations and VCF Operations for Networks are updated to VCF 9.0 - workaround required
3. VCF Operations for Networks stops collecting metrics when NSX is being upgraded from 4.2.1 to 9.0
4. Manually stopped adapter instances start collecting after a management pack upgrade
5. Binary downloads from depot may intermittently fail - retry the download if it disappears
6. Fleet Management appliance root password must be 15+ characters or precheck will fail
7. Only one VCF Operations for Networks instance is supported starting in VCF 9.0
8. Log collection configuration for vCenter adapters is NOT included in configuration export/import operations
9. In disconnected mode, if license usage data is not submitted within 180 days, licenses expire, hosts disconnect from vCenter, and workload operations are blocked
10. Do not configure NTP during OVF deployment (KB 374792) - configure it in the setup wizard instead, as it can cause first-boot failures
11. Password rotation options from VCF 5.x are not fully available in VCF Operations yet - use SDDC Manager API as workaround for some rotation tasks
12. After workload domain redeployment, the vCenter/vSAN adapter may enter a Warning state
13. Infrastructure Health Adapter "no data receiving" — If the System Managed Credential for SDDC Manager is empty or stale, the health adapter silently fails to collect. Fix: Administration → Integrations → SDDC Manager → ROTATE credential (or uncheck System Managed and set manually) → VALIDATE CONNECTION → SAVE → reboot appliance. The adapter's UI stop/start alone is insufficient; a full appliance reboot is required for the adapter to pick up the new credential
14. Adapter log paths changed in VCF Ops 9.x — Logs are at /storage/log/vcops/log/adapters/<AdapterName>/, NOT the legacy /var/log/vmware/vcops/adapters/ path from older Aria Operations versions
15. NSX adapter warnings when NSX is powered off — The health adapter logs PKIX and connectivity errors every collection cycle if NSX Manager is unreachable. These are expected and clear automatically once NSX is powered back on
16. NSX adapter PKIX cert trust failure — VCF Operations doesn't trust NSX's self-signed cert. Fix: export NSX cert with openssl s_client, import into /usr/java/jre-vmware-17/lib/security/cacerts (password changeit) with keytool -importcert, reboot appliance. The legacy JRE path /usr/java/jre-vmware/ does not exist on VCF Ops 9.x
17. NSX System Managed Credential ROTATE fails — Unlike SDDC Manager, the NSX System Managed Credential often doesn't work. Workaround: uncheck System Managed, manually create an NSX credential (admin / password), VALIDATE, SAVE
18. Two separate NSX adapters exist — VCF section has nsx-vip.lab.local (uses VIP), NSX section has Aria Admin (uses node FQDN nsx-manager.lab.local). Both need credentials configured. The Aria Admin adapter can collect via node FQDN even when the VIP is offline during NSX boot
19. Credential Update/Rotate/Remediate fails — cascading failure — A failed credential operation (e.g., NSX unreachable during boot storm) triggers a cascade: NSX cluster stuck in ACTIVATING or ERROR state in platform.nsxt table → stale exclusive locks in platform.lock → unresolved tasks accumulate in platform.task_metadata (resolved=false) → each retry from the UI adds more stuck tasks and locks. Even after NSX fully recovers, the stuck state persists. The SDDC Manager API cannot cancel stuck tasks (returns TA_TASK_CAN_NOT_BE_RETRIED). Fix: SSH to SDDC Manager, access PostgreSQL (platform database), fix nsxt status to ACTIVE, delete from lock table, mark task_metadata as resolved, clear task_lock, then restart operationsmanager. Always set PAGER=cat before running psql to prevent pager traps in remote sessions. Full procedure in the Troubleshooting Handbook Section 10

Best Practices

Sizing

• VCF Operations comes in 5 sizes: Extra Small, Small, Medium, Large, and Extra Large
• If you have more than 1 node, all nodes must be scaled equally - no mixing of different sizes
• Network features (Network Verification, Assurance, Flow-Based Application Discovery) are only available for Extra Large brick size

Operational Best Practices

1. Use VCF Operations as the primary interface - Do not rely on the deprecated SDDC Manager UI
2. Automate wherever possible - Manual tweaks undermine VCF's infrastructure-as-code approach
3. Standardize - Embrace VCF conventions and resist customizing outside supported parameters
4. Monitor NTP carefully - Maximum time skew between platform nodes must be less than 30 seconds
5. Plan certificate automation - Leverage VCF Operations auto-renewal for certificate management
6. Configure compliance monitoring - Enable pre-defined benchmarks (PCI, ISO, HIPAA, FISMA, DISA, CIS)
7. Use configuration drift detection - Leverage fleet management template-based drift capabilities
8. Plan CMDB integration - Ensure VCF components and workloads are accurately populated in your Configuration Management Database
9. Integrate with ITSM - Connect VCF monitoring and alerts with your IT Service Management platform
10. Feed into enterprise monitoring - Push VCF operational data into overarching enterprise dashboards

Alphabetical Index

References

• VMware Cloud Foundation 9.0 Documentation: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0.html
• VCF Operations 9.0.1 Release Notes: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/release-notes/vmware-cloud-foundation-9-0-1-release-notes/vcf-operations-9-0-1-0000.html
• VCF Operations Detailed Design: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/design/design-library/vcf-operations-design.html
• VCF Operations Sizing Guidelines (KB 397782): https://knowledge.broadcom.com/external/article/397782
• Fleet Management Overview: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/overview-of-vmware-cloud-foundation-9/what-is-vmware-cloud-foundation-and-vmware-vsphere-foundation/vcf-operations-overview/fleet-management.html
• Configuring a VCF Account: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/infrastructure-operations/connect-to-data-sources/vmware-cloud-foundation.html
• Managing Certificates: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/fleet-management/certificate-management-9-0.html
• Managing Passwords: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/fleet-management/manage-passwords.html
• Licensing Overview: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/licensing/licensing-overview.html
• Notifications: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/infrastructure-operations/configuring-alerts-and-actions/notifications.html
• Dashboards: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/infrastructure-operations/dashboards-and-widgets/using-dashboards.html
• Storage Operations: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/infrastructure-operations/monitoring-storage-operations(1).html
• VCF Operations for Logs Deployment: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/deployment/deploying-a-new-vmware-cloud-foundation-or-vmware-vsphere-foundation-private-cloud-/manual-deployment-of-components-to-complete-your-vcf-platform/vcf-operations-for-logs-for-vvf-clients/start-a-new-vcf-operations-for-logs-deployment.html
• Compliance Benchmarks: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/security-and-compliance/viewing-and-configuring-compliance/measuring-compliance-of-objects.html
• Drift Detection: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/fleet-management/what-is-configuration-management/using-the-configuration-management-dashboard/scheduling-drift-detection.html

(c) 2026 Virtual Control LLC. All rights reserved.