If you open a VCF 9 deployment console with VCF 5.x reflexes, you’re lost in thirty seconds. SDDC Manager is no longer the entry point, the eleven licenses became two, and several taken-for-granted features are gone. It’s not an upgrade: it’s an architectural reset.
Who this article is for
For cloud architects and senior VCF engineers who already know vSphere, NSX, and VCF 5.x. Goal: map the delta and design decisions before any adoption project. Reference: VCF 9.0.2 (GA January 2026).
The rupture in three points
Broadcom applied its standard playbook to the VMware portfolio: radical simplification, SKU consolidation, pruning legacy features. VCF 9 is the visible translation on the private cloud side — a unified platform for VMs, Kubernetes, and AI workloads, with a coherent operational model.
The trade-off is an intentional rupture with several historical design patterns:
- Refactored hierarchy — Fleet / Instance / Private Cloud replace workload domains
- Shifted center of gravity — VCF Operations orchestrates, SDDC Manager executes
- Removed features — vVols, SIOC, ELM, Host Profiles, IWA: document before migration
The new three-level hierarchy
| Level | Role | VCF 5.x equivalent |
|---|---|---|
| Private Cloud | Logical consumption unit | — |
| Fleet | Governance, licensing, compliance, patching | Management domain |
| Instance | Physical deployment (clusters + vCenter) | Workload Domain |
The first question in VCF 9 is no longer “how many workload domains” but “how many Fleets, by what boundary” — geographic, regulatory, or business-driven.
Fleet: blast radius vs isolation
A global Fleet simplifies governance but concentrates the risk of a configuration incident. A Fleet per region isolates further but multiplies the consoles and policies to maintain. This choice commits your operational model for years, so document it explicitly.
VCF Operations: the new center of gravity
VCF Operations now orchestrates the complete fleet lifecycle:
- License management and usage submission
- Certificate renewal and identity
- Fleet-wide patching and lifecycle
- Continuous compliance, monitoring, log analysis
- Native cost & capacity management (showback/chargeback, forecasting)
SDDC Manager retains an executor role — no longer the orchestrator. For organizations relying on Aria Operations + custom extensions, the switch represents both simplification and loss of customization.
The least-known clause of VCF 9
License usage submission is mandatory every 180 days. If it is overdue, hosts disconnect from vCenter and no new workloads can be deployed (existing workloads keep running). In air-gapped mode, the submission is manual. Integrate this into the operational RACI from the design phase: it’s not optional.
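One way to keep that deadline visible in operations, as an added example (not code from this article or from Broadcom): a small tracker that classifies each Fleet against the 180-day window. The fleet names, dates and warning lead times are constructed assumptions, the deadline is modelled as last submission plus 180 days, and no VCF API is called.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# From the article: usage submission is mandatory every 180 days.
SUBMISSION_INTERVAL = timedelta(days=180)

# Assumed warning lead times (not from the article). Air-gapped fleets get a
# longer one because their submission is a manual procedure.
LEAD_TIME_DAYS = {"connected": 14, "air-gapped": 45}


@dataclass(frozen=True)
class Fleet:
    name: str
    mode: str              # "connected" or "air-gapped"
    last_submission: date  # date of the last accepted usage submission


def submission_status(fleet: Fleet, today: date) -> tuple[str, int]:
    """Return (status, days_left); days_left is negative once overdue."""
    if fleet.mode not in LEAD_TIME_DAYS:
        raise ValueError(f"unknown mode for {fleet.name}: {fleet.mode!r}")
    deadline = fleet.last_submission + SUBMISSION_INTERVAL
    days_left = (deadline - today).days
    if days_left < 0:  # assumption: the deadline day itself still counts
        return "OVERDUE", days_left
    if days_left <= LEAD_TIME_DAYS[fleet.mode]:
        return "DUE_SOON", days_left
    return "OK", days_left


def review(fleets: list[Fleet], today: date) -> list[tuple[str, str, str, int]]:
    """Rows of (name, mode, status, days_left), most urgent first."""
    rows = [(f.name, f.mode, *submission_status(f, today)) for f in fleets]
    return sorted(rows, key=lambda row: row[3])


# Constructed sample inventory, for illustration only.
SAMPLE_FLEETS = [
    Fleet("fleet-emea", "connected", date(2026, 1, 20)),
    Fleet("fleet-dmz", "air-gapped", date(2025, 12, 1)),
    Fleet("fleet-lab", "connected", date(2025, 9, 1)),
]

if __name__ == "__main__":
    for name, mode, status, days_left in review(SAMPLE_FLEETS, date(2026, 4, 20)):
        print(f"{name:12} {mode:11} {status:9} {days_left:+d} days")
```
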
VCF Automation: the unified self-service layer
The Aria Automation replacement, rethought to integrate the Fleet model. Two portals structure the experience:
Provider Portal
Platform administrator: organizations, capacity allocations, global policies, multi-tenant management.
Organization Portal
Consumer: projects, blueprints, catalog items, VM deployments, VKS, VPC, volumes, secrets.
The catalog covers VMs, Kubernetes (VKS), networks (VPC), persistent volumes, secrets, databases (DSM), Harbor registries. Entry points: UI, CLI, REST API, and a Kubernetes IaaS API exposing resources via kubectl — key for GitOps teams.
VCF Automation is mandatory for any multi-tenant deployment and strongly recommended for industrialization.
Virtual Private Cloud: accessible networking
Identity Broker: unified authentication at Fleet level
VCF 9 introduces a unified Identity Broker supporting SAML and OIDC, applied globally except for ESX and SDDC Manager, which retain local configuration. It becomes the single source of truth for audit and compliance.
The trade-off: removal of Integrated Windows Authentication (IWA). Environments relying on IWA for vCenter must migrate to LDAPS or external identity federation.
IAM migration: anticipate
If your environment uses IWA for vCenter, scoping migration to Identity Federation — ideally on your enterprise IdP (Entra ID, Okta, Ping) — is a prerequisite to the VCF 9 project, not an end-of-project deliverable.
What disappeared in VCF 9
Never assume a VCF 5.x feature is present in VCF 9 without explicit verification in release notes.
What arrived: the features that matter
FIPS 140-3 by default
Cannot be disabled. All components (vCenter, ESX, NSX) run in FIPS mode. Validate third-party integrations against it.
NVMe memory tiering
Flash NVMe as 2nd tier. Ideal for JVM-heavy, analytics, HFT. Slower tier — not free RAM.
vMotion for AI
Live migration of GPU-heavy workloads with near-zero downtime. Significant shift for AI on VCF.
Global deduplication
Cluster-wide scope vs disk-level. Real capacity gains without post-process performance impact.
Automatic vTopology
Detection and correction of misconfigured vCPU/vNUMA. End of a recurring support ticket source.
1 GbE management (9.0.2)
Officially supported for import workflows. Unblocks brownfield sites without 10 GbE budget.
7 design decisions to settle before adopting
1. How many Fleets?
Geographic, regulatory, or business: pick one axis and own it. The choice commits governance for years.
2. Connected or air-gapped?
Impacts licensing (auto vs manual submission), patch management, and observability.
3. VPC or NSX direct?
VPC by default, NSX direct for exceptions. Document cases that shift to NSX direct.
4. VCF Automation from day 1?
Yes if multi-tenant or with strong IaC needs. Later if starting single-tenant with a team that is not yet automation-oriented.
5. Greenfield or brownfield?
9.0.2 improved import workflows including 1 GbE networks. Brownfield option genuinely viable.
6. Converge or rebuild?
Official path since vSphere 8. Evaluate by age and technical debt of existing environment.
7. Identity Federation: which IdP?
Entra ID, Okta, Ping — decision with IAM team, not in platform silo.
Each deserves a dedicated chapter in your architecture document. Without formal arbitration, it’s a deployment, not an architecture project.
Conclusion: three things to remember
New hierarchy
Fleet / Instance / Private Cloud — VCF 5.x workload domains are no longer the right mental model.
Recentered hubs
VCF Operations orchestrates, VCF Automation exposes self-service. SDDC Manager is no longer the entry point. RACI must reflect this.
Non-trivial removals
vVols, SIOC, ELM, Host Profiles, IWA — catalog early to avoid migration surprises.
Series continuation
Next articles will explore two concrete topics: deploying your first VKS cluster on VCF 9 and automating VCF Automation with Terraform (full GitOps guide with the three official providers).
VCF 9.1 — What's new (mini-series)
VCF 9.1 is GA (May 2026). A dedicated 4-part series covers all major changes: Infrastructure efficiency & TCO · Networking & scale · Kubernetes & self-service · Security & resilience.
For further reading: Broadcom’s VCF 9.0 Release Notes, the Paths to Adoption guide on the VCF Blog, and from the community William Lam and vrealize.it deep-dives.