VMware Cloud Foundation – A Technical Overview


While I was studying for the VMware Cloud Foundation Specialist certification, I realized that there is no one-pager available that gives you a short technical explanation of VMware Cloud Foundation.

What is VMware Cloud Foundation (VCF)?

VMware Cloud Foundation is a hybrid cloud platform that provides a full-stack hyperconverged infrastructure (HCI) made for modernizing data centers and deploying modern container-based applications. VCF integrates different components like vSphere (compute), vSAN (storage), NSX (networking) and some parts of the vRealize Suite in an HCI solution with infrastructure automation and software lifecycle management. The idea of VCF follows a standardized, automated and validated approach that simplifies the management of all the needed software-defined infrastructure resources.

This standardized and automated software stack provides customers with consistent infrastructure and operations in a cloud operating model that can be deployed on-premises, at the edge or in the public cloud.

Cloud Foundation has Tanzu Standard integrated to provide a unified platform that lets virtual machines (VMs), Kubernetes and containers co-exist on the same platform.

Note: The Tanzu Standard Edition is included in the VCF Standard, Advanced and Enterprise editions.

What software is being delivered in Cloud Foundation?

The BoM (bill of materials) changes with each VCF release. Let me take the VCF 4.3 release as an example to list the components and software versions:

  • VMware SDDC Manager 4.3
  • vSphere 7.0 Update 2a with Tanzu
  • vCenter Server 7.0 P03
  • vSAN 7.0 Update 2
  • NSX-T 3.1.3
  • VMware Workspace ONE Access 3.3.5
  • vRealize Log Insight 8.4
  • vRealize Operations 8.4
  • vRealize Automation 8.4.1
  • (vRealize Network Insight)

Note: VCF 4.3 deploys vRealize Lifecycle Manager (VRSLCM) 8.4.1, which then deploys and provides ongoing lifecycle management for other vRealize components. Currently, vRealize Network Insight needs to be imported manually into VRSLCM and then deployed.

Which VMware Cloud Foundation editions are available?

A VCF comparison matrix can be found here.

VMware Cloud Foundation Editions

VMware Cloud Foundation Architecture

VCF is made for greenfield deployments (brownfield not supported) and supports two different architecture models:

  • Standard Architecture
  • Consolidated Architecture


The standard architecture separates management workloads and lets them run on a dedicated management workload domain. Customer workloads are deployed on a separate virtual infrastructure workload domain (VI workload domain). Each workload domain is managed by a separate vCenter Server instance, which allows autonomous licensing and lifecycle management.


Note: The standard architecture is the recommended model, because it separates management workloads from customer workloads.

Customers with a small environment (or a PoC) can start with a consolidated architecture. This allows you to run customer and management workloads together on the same workload domain (WLD).

Note: The management workload domain’s default cluster datastore must use vSAN. Other WLDs can use vSAN, NFS, FC and vVols for the principal storage.

VMware Cloud Foundation Storage

Does VCF provide flexible workload domain sizing?

Yes, that’s possible. You can license the WLDs based on your needs and use the editions that make the most sense depending on your use cases.

VMware Cloud Foundation Flexible Licensing

How many physical nodes are required to deploy VMware Cloud Foundation?

A minimum of four physical nodes is required to start in a consolidated architecture or to build your management workload domain. Four nodes are required to ensure that the environment can tolerate a failure while another node is being updated.

VI workload domains require a minimum of three nodes.

This means, to start with a standard architecture, you need to have the requirements (and money) to start with at least seven physical nodes.

What are the minimum hardware requirements?

These minimum specs have been listed for the management WLD since VCF 4.0 (September 2020):

VMware Cloud Foundation Hardware Requirements

What about edge/remote use cases?

When you would like to deploy VMware Cloud Foundation workload domains at a remote site, you can deploy so-called “VCF Remote Clusters”. Those remote workload domains are managed by the VCF instance at the central site and you can perform the same full-stack lifecycle management for the remote sites from the central SDDC Manager.

Prerequisites to deploy remote clusters can be found here.

Does VCF support HCI Mesh?

Yes. VMware Cloud Foundation 4.2 and later supports sharing remote datastores with HCI Mesh for VI workload domains.

HCI Mesh is a software-based approach for disaggregation of compute and storage resources in vSAN. HCI Mesh brings together multiple independent vSAN clusters by enabling cross-cluster utilization of remote datastore capacity within vCenter Server. HCI Mesh enables you to efficiently utilize and consume data center resources, which provides simple storage management at scale.

What is SDDC Manager?

SDDC Manager is a preconfigured virtual appliance that is deployed in the management workload domain for creating workload domains, provisioning additional virtual infrastructure and lifecycle management of all the software-defined data center (SDDC) management components.

You use SDDC Manager in VMware Cloud Foundation to perform the following operations:

  • Commissioning or decommissioning ESXi hosts
  • Deployment of workload domains
  • Extension of clusters in the management and workload domains with ESXi hosts
  • Adding clusters to the management domain and workload domains
  • Support for network pools for host configuration in a workload domain
  • Product licenses storage
  • Deployment of vRealize Suite components.
  • Lifecycle management of the virtual infrastructure components in all workload domains, and of vRealize Suite Lifecycle Manager components.
  • Certificate management
  • Password management and rotation
  • NSX-T Edge cluster deployment in the management domain and workload domains
  • Backup configuration

VMware Cloud Foundation SDDC Manager Dashboard

How many resources does the VCF management WLD need during the bring-up process?

We know that VCF includes vSphere (ESXi and vCenter), vSAN, SDDC Manager, NSX-T and eventually some components of the vRealize Suite. The following table should give you an idea of what the resource requirements look like to get VCF up and running:

VMware Cloud Foundation Resource Requirements

If you are interested in how many resources the vRealize Suite will consume in the management workload domain, have a look at this table:

VMware Cloud Foundation Resource Requirements vRealize

How can I migrate my workloads from a non-VCF environment to a new VCF deployment?

VMware HCX provides a path to modernize from a legacy data center architecture by migrating to VMware Cloud Foundation.

VMware Cloud Foundation HCX Migration

Where can I get more information about VMware Tanzu and the Tanzu Standard edition?

Please have a look at these articles:

What is NSX Advanced Load Balancer?

NSX Advanced Load Balancer (NSX ALB), formerly known as Avi, is a solution that provides advanced load balancing capabilities for VMware Cloud Foundation.

Can I build a private hyperscaler cloud with VCF?

I would say yes! With the Multi-Instance Management feature, you can monitor multiple SDDC Manager instances from a single console.

VMware Cloud Foundation Federation

Multiple SDDC Manager instances can be monitored together by grouping them into a federation, such that each member can view information about the entire federation and the individual instances within it. Federation members can view inventory across the SDDC Manager instances in the federation as well as the available and used capacity (CPU, memory, and storage). This allows you to maintain control over the different sites and ensure that they are operating with the right degree of freedom and meeting compliance regulations for your industry. It also simplifies patch management by showing the number of patches available across sites in the global view.

Which security add-ons are available with VMware Cloud Foundation?

VMware has different workload and network security offerings to complement VCF:

Is there also a VCF subscription license?

Yes, you can purchase VCF-S (VCF Subscription) licenses as part of the VMware Cloud Universal program.

Can I get VCF as a managed service offering?

Yes, this is possible. Please have a look at Data Center as a Service based on VMware Cloud Foundation.

Where can I get more information?

Please consult the VMware Foundation 4.3 FAQ for more information about VMware Cloud Foundation. 


A Universal License and Technology to Build a Flexible Multi-Cloud


In November 2020 I wrote an article called “VMware Cloud Foundation And The Cloud Management Platform Simply Explained”. That piece was focused on the “why” and “when” VMware Cloud Foundation (VCF) makes sense for your organization. It also includes business values and hints that VCF is more than just about technology. Cloud Foundation is one of the most important drivers and THE enabler to fulfill VMware’s multi-cloud strategy.

If you are not familiar enough with VMware’s multi-cloud strategy, then please have a look at my article “VMware Multi-Cloud and Hyperscale Computing” first.

To summarize the two above-mentioned articles, one can say that VMware Cloud Foundation is a software-defined data center (SDDC) that can run in any cloud. “Any cloud” means that VCF can also be consumed as a service through other cloud provider partners like:

Additionally, Cloud Foundation and the whole SDDC can be consumed as a managed offering called DCaaS or LCaaS (Data Center / Local Cloud as a service).

Let’s say a customer is convinced that a “VCF everywhere” approach is right for them and starts building up private and public clouds based on VMware’s technologies. This means that VMware Cloud Foundation now runs in their private and public cloud.

Note: This doesn’t mean that the customer cannot use native public cloud workloads and services anymore. They can simply co-exist.

The customer is at a point now where they have achieved a consistent infrastructure. What’s up next? The next logical step is to use the same automation, management and security consoles to achieve consistent operations.

A traditional VMware customer goes for the vRealize Suite now, because they would need vRealize Automation (vRA) for automation and vRealize Operations (vROps) to monitor the infrastructure.

The next topic in this customer’s journey would be application modernization, which includes topics such as containerization and Kubernetes. VMware’s answer for this is the Tanzu portfolio. For the sake of this example let’s go with “Tanzu Standard”, which is one of four editions available in the Tanzu portfolio (aka VMware Tanzu).


Let’s have a look at the customer’s bill of materials so far:

  • VMware Cloud Foundation on-premises (vSphere, vSAN, NSX)
  • VCF on AWS (aka VMware Cloud on AWS)
  • VMware Cloud on Dell EMC (locally managed VCF service for special edge use cases)
  • vRealize Automation
  • vRealize Operations
  • Tanzu Standard (includes Tanzu Kubernetes Grid and Tanzu Mission Control)

Looking at this list above, we see that their infrastructure is equipped with three different VMware Cloud Foundation flavours (on-prem, hyperscaler managed, locally managed) complemented by products of the vRealize Suite and the Tanzu portfolio.

This infrastructure with its different technologies, components and licenses has been built up over the past few years. But organizations are nowadays asking for more flexibility than ever. By flexibility I mean license portability and a subscription model.

VMware Cloud Universal

On 31st March 2021 VMware introduced VMware Cloud Universal (VMCU). VMCU is the answer to make the customer’s life easier, because it gives you the choice and flexibility in which clouds you want to run your infrastructure and consume VMware Cloud offerings as needed. It even allows you to convert existing on-premises VCF licenses to a VCF-subscription license.

The VMCU program includes the following technologies and licenses:

  • VMware Cloud Foundation Subscription
  • VMware Cloud on AWS
  • VMware Cloud on Dell EMC
  • vRealize Cloud Universal Enterprise Plus
  • Tanzu Standard Edition
  • VMware Success 360 (S360 is required with VMCU)

VMware Cloud Console

As Kit Kolbert, CTO VMware, said, “the idea is that VMware Cloud is everywhere that you want your applications to be”.

The VMware Cloud Console gives you a view into all those different locations. You can quickly see what’s going on with a specific site or cloud landing zone, what its overall utilization looks like or if issues occur.

The Cloud Console has a seamless integration with vROps, which also helps you regarding capacity forecasting and (future) requirements (e.g., do I have enough capacity to meet my future demand?).


In short, it’s the central multi-cloud console to manage your global VMware Cloud environment.

vRealize Cloud Universal

What is part of vRealize Cloud Universal (vRCU) Enterprise Plus? vRCU is a SaaS management suite that combines on-premises and SaaS capabilities for automation, operations, log analytics and network visibility into a single offering. In other words, you get to decide where you want to deploy your management and operations tools. vRealize Cloud Universal comes in four editions and in VMCU you have the vRCU Enterprise Plus edition included with the following components:

vRealize Cloud Universal Editions

    Note: While vRCU standard, advanced and enterprise are sold as standalone editions today, the enterprise plus edition is only sold with VMCU (and as add-on to VMC on AWS).

    vRealize AI Cloud

    Have you ever heard of Project Magna? It is something that was announced at VMworld 2019 that provides adaptive optimization and a self-tuning engine for your data center. It was Pat Gelsinger who envisioned a so-called “self-driving data center”. Intelligence-driven data center might have been a better term, since Project Magna leverages artificial intelligence by using reinforcement learning, which combs through your data and runs thousands of scenarios that search for the best reward output based on trial and error on the Magna SaaS analytics engine.

    The first instantiation began with vSAN (today also known as vRAI Cloud vSAN Optimizer), where Magna will collect data, learn from it, and make decisions that will automatically self-tune your infrastructure to drive greater performance and efficiencies.

    Today, this SaaS service is called vRealize AI Cloud.

    vRealize AI Cloud vSAN

    vRealize AI (vRAI) learns about your operating environments and application demands, and adapts to changing dynamics, ensuring optimization per stated KPI. vRAI Cloud is only available on vRealize Operations Cloud via the vRealize Cloud Universal subscription.

    VMware Skyline

    VMware Skyline is a support service that automatically collects, aggregates, and analyzes product usage data, which proactively identifies potential problems and helps the VMware support engineers to improve the resolution time. Skyline is included in vRealize Cloud Universal because it just makes sense. A lot of customers have asked for unifying the self-service experience between Skyline and vRealize Operations Cloud. And many customers are using Skyline and vROps side by side today.

    Users can now be proactive and perform troubleshooting in a single SaaS workflow. This means customers save more time by automating Skyline proactive remediations in vROps Cloud. But Skyline supports vSphere, vSAN, NSX, vRA, VCF and VMware Horizon as well.

    VMware Cloud Universal Use Cases

    As already mentioned, VMCU makes a lot of sense if you are building a hybrid or multi-cloud architecture with a consistent (VMware) infrastructure. VMCU, vRCU and the Tanzu portfolio help you to create a unified control plane for your cloud infrastructure.

    Other use cases could be cloud migration or cloud bursting scenarios. If we switch back to the fictional customer from before, we could use VMCU to convert existing VCF licenses to VCF-S (subscription) licenses, which in the end allow you to build a VMware-based cloud on top of AWS (other public cloud providers are coming very soon!), for example.

    Another good example is to achieve the same service and operating model on-prem as in the public cloud: a fully managed consumable infrastructure. Meaning, to move from a self-built and self-managed VCF infrastructure to something like VMC on Dell EMC.

    How can I get VMCU?

    There is no monthly subscription model and VMware only supports one-year or three-year terms. Customers will need to sign an Enterprise License Agreement (ELA) and purchase VMCU SPP credits.

    Note: SPP credits purchased out of the program are not allowed to be used within the VMCU program!

    After purchasing the VMCU SPP credits and VMware Cloud onboarding and organization setup, you can select the infrastructure offerings to consume your SPP credits. This can be done via the VMware Cloud Console.


    I hope this article was useful to get a better understanding about VMware Cloud Universal. It might seem a little bit complex, but that’s not true. VMCU makes your life easier and helps you to build and license a globally distributed cloud infrastructure based on VMware technology.





    10 Things You Didn’t Know About VMware Tanzu


    While I was working with one of the largest companies in the world during the past year, I learned a lot about VMware Tanzu and NSX Advanced Load Balancer (formerly known as Avi). Application modernization and the containerization of applications are very complex topics.

    Customers are looking for ways to “free” their apps from infrastructure and want to go cloud-native by using/building microservices, containers and Kubernetes. VMware has a large portfolio to support you on your application modernization journey, which is the Tanzu portfolio. A lot of people still believe that Tanzu is a product – it’s not a product. Tanzu is more than just a Kubernetes runtime and as soon as people like me from VMware explain to you the capabilities and possibilities of Tanzu, one tends to become overwhelmed at first.

    Why? VMware’s mission is always to abstract things and make things easier for you but this doesn’t mean you can skip a lot of the questions and topics that should be discussed:

    • Where should your containers and microservices run?
    • Do you have a multi-cloud strategy?
    • How do you want to manage your Kubernetes clusters?
    • How do you build your container images?
    • How do you secure the whole application supply chain?
    • Have you thought about vulnerability scanning for the components you use to build the containers?
    • What kind of policies would you like to set on application, network and storage level?
    • Do you need persistent storage for your containers?
    • Should it be a vSphere platform only or are you also looking at AKS, EKS, GKE etc.?
    • How are you planning to automate and configure “things”?
    • Which kind of databases or data services do you use?
    • Have you already got a tool for observability?

    With these kinds of questions, you and I would figure out together which Tanzu edition makes the most sense for you. Looking at the VMware Tanzu website, you’ll find four different Tanzu editions:

    VMware Tanzu Editions

    If you click on one of the editions, you get the possibility to compare them:

    Tanzu Editions Comparison

    Based on the capabilities listed above, customers would like to know the differences between Tanzu Standard and Advanced. Believe me, there is a lot of information I can share with you to make your life easier and to understand the Tanzu portfolio better. 🙂

    1) VMware Tanzu Standard and Advanced Features and Components

    Let’s start looking at the different capabilities and components that come with Tanzu Standard and Advanced:

    Tanzu Std vs Adv

    Tanzu Standard focuses very much on Kubernetes multi-cloud and multi-cluster management (Tanzu Kubernetes Grid with Tanzu Mission Control aka TMC), Tanzu Advanced adds a lot of capabilities to build your applications (Tanzu Application Catalog, Tanzu Build Service).

    2) Tanzu Mission Control Standard and Advanced

    Maybe you missed it in the screenshot before. Tanzu Standard comes with Tanzu Mission Control Standard, Tanzu Advanced is equipped with Tanzu Mission Control Advanced.

    Note: Announced at VMworld 2021, there is now even a third edition called Tanzu Mission Control Essentials, that was specifically made for VMware Cloud offerings such as VMC on AWS.

    I must mention here, that you could leverage the “free tier” of Tanzu Mission Control called TMC Starter. It can be combined with the Tanzu Community Edition (also free) for example or with existing clusters from other providers (AKS, GKE, EKS).

    What’s the difference between TMC Standard and Advanced? Let’s check the TMC feature comparison chart:

    • TMC Adv provides “custom roles”
    • TMC Adv lets you configure more policies (security policies – custom, images policies, networking policies, quota policies, custom policies, policy insights)
    • With Tanzu Mission Control Advanced you also get “CIS Benchmark inspections”

    What if I want Tanzu Standard (Kubernetes runtime with Tanzu Mission Control and some open-source software) but not the complete feature set of Tanzu Mission Control Advanced? Let me answer that question a little bit later. 🙂

    3) NSX Advanced Load Balancer Essentials vs. Enterprise (aka Avi Essentials vs. Enterprise)

    Yes, there are also different NSX ALB editions included in Tanzu Standard and Advanced. The NSX ALB Essentials edition is not something that you can buy separately, and it’s only included in the Tanzu Standard edition.

    The enterprise edition of NSX ALB is part of Tanzu Advanced but it can also be bought as a standalone product.

    Here are the capabilities and differences between NSX ALB Essentials and Enterprise:

    NSX ALB Essentials vs. Enterprise

    So, the Avi Enterprise edition provides a fully-featured version of NSX Advanced Load Balancer while Avi Essentials only provides L4 LB services for Tanzu.

    Note: Customers can create as many NSX ALB / Avi Service Engines (SEs) as required with the Essentials edition and you still have the possibility to set up a 3-node NSX ALB controller cluster.

    Important: It is not possible to mix the NSX ALB controllers from the Essentials and Enterprise edition. This means that a customer who has NSX ALB Essentials included in Tanzu Standard, and has another department using NSX ALB Enterprise for another use case, needs to run separate controller clusters. While the controllers don’t cost you anything, there is obviously some additional compute footprint coming with this constraint.

    FYI, there is also a cloud-managed option for the Avi Controllers with Avi SaaS.

    What if I want the complete feature set of NSX ALB Enterprise? Let’s put this question also aside for a moment.

    4) Container Ingress with Contour vs. NSX ALB Enterprise

    Ingress is a very important component of Kubernetes and lets you configure how an application can or should be accessed. It is a set of routing rules that describe how traffic is routed to an application inside of a Kubernetes cluster. So, getting an application up and running is only half of the story. The application still needs a way for users to access it. If you would like to know more about “ingress”, I can recommend this short introduction video.

    While Contour is a great open-source project, Avi provides much more enterprise-grade features like L4 LB, L7 ingress, security/WAF, GSLB and analytics. If stability, enterprise support, resiliency, automation, elasticity and analytics are important to you, then Avi Enterprise is definitely the better fit.

    To keep it simple: If you are already thinking about NSX ALB Enterprise, then you could use it for K8s Ingress/LB and so many other use cases and services! 🙂

    5) Observability with Grafana/Prometheus vs. Tanzu Observability

    I recently wrote a blog about “modern application monitoring with VMware Tanzu and vRealize”. This article could give you a better understanding if you want to get started with open-source software or something like Tanzu Observability, which provides much more enterprise-grade features. Tanzu Observability is considered to be a fast-moving leader according to the GigaOm Cloud Observability Report.

    What if I still want Tanzu Standard only but would like to have Tanzu Observability as well? Let’s park this question as well for another minute.

    6) Open-Source Projects Support by VMware Tanzu

    The Tanzu Standard edition comes with a lot of leading open-source technologies from the Kubernetes ecosystem. There is Harbor for container registry, Contour for ingress, Grafana and Prometheus for monitoring, Velero for backup and recovery, Fluentbit for logging, Antrea and Calico for container networking, Sonobuoy for conformance testing and Cluster API for cluster lifecycle management.

    VMware Open-Source Projects

    VMware is actively contributing to these open-source projects and still wants to give customers the flexibility and choice to use and integrate them wherever and whenever you see fit. But how are these open-source projects supported by VMware? To answer this, we can have a look at the Tanzu Toolkit (included in Tanzu Standard and Advanced):

    • Tanzu Toolkit includes enterprise-level support for Harbor, Velero, Contour, and Sonobuoy
    • Tanzu Toolkit provides advisory—or best effort—guidance on Prometheus, Grafana, and Alertmanager for use with Tanzu Kubernetes Grid. Installation, upgrade, initial tooling configuration, and bug fixes are beyond the current scope of VMware’s advisory support.

    7) Tanzu Editions Licensing

    There are two options for licensing your Tanzu deployments:

    • Per CPU Licensing – Mostly used for on-prem deployments or where standalone installations are planned (dedicated workload domain with VCF). Tanzu Standard is included in all the regular VMware Cloud Foundation editions.
    • Per Core Licensing – For non-standalone on-prem and public cloud deployments, you should license Tanzu Standard and Advanced based on number of cores used by the worker and management nodes delivering K8s clusters. Constructs such as “vCPUs”, “virtual CPUs” and “virtual cores” are proxies (other names) for CPU cores.

    Tanzu Advanced is sold as a “pack” of software and VMware Cloud service offerings. Each purchased pack of Tanzu Advanced equals 20 cores. Example of 1 pack:

    • Spring Runtime: 20 cores
    • Tanzu Application Catalog: 20 cores
    • Tanzu SQL: 1 core (part of Tanzu Data Services)
    • Tanzu Build Service: 20 cores
    • Tanzu Observability: 160 PPS (sufficient to collect metrics for the infrastructure)
    • Tanzu Mission Control Advanced: 20 cores
    • Tanzu Service Mesh Advanced: 20 cores
    • NSX ALB Enterprise: 1 CPU = 1/4 Avi Service Core
    • Tanzu Standard Runtime: 20 cores

    If you need more details about these subscription licenses, please consult the VMware Product Guide (starting from page 37).

    As you can see, a lot of components (I didn’t even list all) form the Tanzu Advanced edition. The calculation, planning and sizing for the different components require multiple discussions with your Tanzu specialist from VMware.

    8) Tanzu Standard Sizing

    Disclaimer – This sizing is based on my current understanding, and it is always recommended to do a proper sizing with your Tanzu specialists / consultants.

    So, we have learnt before that Tanzu Standard licensing is based on cores, which are “used by the worker and management nodes delivering K8s clusters”.

    As you may already know, the so-called “Supervisor Cluster” is currently formed by three control plane VMs. Looking at the validated design for Tanzu for VMware Cloud Foundation workload domains, one can also get a better understanding of the Tanzu Standard runtime sizing for vSphere-only environments.

    The three Supervisor Cluster control plane VMs each have 4 vCPUs – this means in total 12 vCPUs (cores).

    The three Tanzu Kubernetes Cluster worker nodes (small size) each have 2 vCPUs – this means in total 6 vCPUs (cores).

    My conclusion here is that you need to license at least 18 cores to get started with Tanzu Standard.

    Caution: William Lam wrote about the possibility to deploy single or dual node Supervisor Cluster control plane VMs. It is technically possible to reduce the numbers of control plane VMs, but it is not officially supported by VMware. We need to wait until this feature becomes available in the future.

    It would be very beneficial for customers with a lot of edge locations or smaller locations in general. If you can reduce the Supervisor Cluster down to two control plane VMs only, the initial deployment size would only need 14 vCPUs (cores).

    9) NSX Advanced Load Balancer Sizing and Licensing

    General licensing instructions for Avi aka NSX ALB (Enterprise) can be found here.

    NSX ALB is licensed based on cores consumed by the Avi Service Engines. As already said before, you won’t be charged for the Avi Controllers and it is possible to add new licenses to the ALB Controller at any time. Avi Enterprise licensing is based on so-called Service Cores. This means, one vCPU or core equals one Service Core.

    Avi as a standalone product has only one edition, the fully-featured Enterprise edition. Depending on your needs and the features (LB, GSLB, WAF, analytics, K8s ingress, throughput, SSL TPS etc.) you use, you’ll calculate the necessary amount of Service Cores.

    It is possible to calculate and assign more or less than 1 Service Core per Avi Service Engine:

    • 25 Mbps throughput (bandwidth) = 0.4 Service Cores
    • 200 Mbps throughput = 0.7 Service Cores

    Example: A customer wants to deploy 10 Service Engines with 25MB and 4 Service Engines with 200MB. These numbers would map to 10*0.4 Service Cores + 4*0.7 Service Cores, which gives us a total of 6.8 Service Cores. In this case you would buy 7 Service Cores.

    10) Tanzu for Kubernetes Operations (TKO)

    Now it’s time to answer the questions we parked before:

    • What if I want Tanzu Standard (Kubernetes runtime with Tanzu Mission Control and some open-source software) but not the complete feature set of Tanzu Mission Control Advanced?
    • What if I want the complete feature set of NSX ALB Enterprise?
    • What if I still want Tanzu Standard only but would like to have Tanzu Observability as well?

    Before we do that, let me quickly show you one slide from the VMworld 2021 session Make Your Move to Multi-Cloud Kubernetes with VMware Tanzu [APP3117]:

    VMworld 2021 Tanzu for Kubernetes Operations

    Megan Bruce presented this slide and said that you need a consistent Kubernetes runtime to start your multi-cloud Kubernetes journey with VMware Tanzu, so that you can lifecycle (deploy, manage and upgrade) clusters consistently. This capability starts with Tanzu Kubernetes Grid.

    The next component you need is a way to manage your platform and having a centralized management plane that provides centralized visibility and control over your platform, that is used and consumed by distributed teams. That is provided by Tanzu Mission Control.

    How do you effectively monitor and troubleshoot issues faster, and how do you stitch services together and protect your data both at rest and in transit across cloud? That would be Tanzu Observability and Tanzu Service Mesh.

    Finally, VMware can also help you to implement global load balancing and provides advanced traffic routing with NSX Advanced Load Balancer.

    The different Tanzu products I just highlighted are all SaaS-based offerings and form the global Tanzu control plane you would get with Tanzu Advanced. But how can you get these components if you want to build this standardized control plane and have a mix of Tanzu Standard and Advanced? What if I want something in between Tanzu Standard and Advanced before I move later to the complete Tanzu Advanced edition?

    Well, the answer to this and the questions above is “Tanzu for Kubernetes Ops” (TKO)!

    I believe it hasn’t been officially announced at VMworld, but TKO is a new soft-bundle. It does NOT come as one standalone SKU for customers yet, but for sure this is where VMware is heading to. Let me summarize the components of this bundle (it’s not a new edition) for you:

    • Tanzu Standard Runtime (includes Tanzu Kubernetes Grid + open-source software), licensed per core
    • Tanzu Mission Control Advanced, licensed per core
    • Tanzu Observability, licensed based on PPS (minimum of 1000 PPS required)
    • Tanzu Service Mesh Advanced, licensed based on core
    • Antrea Advanced, licensed based on core
    • NSX ALB (Avi) Enterprise, licensed based on service cores

    Does this BOM answer all our questions? YES! 🙂

    The cool thing about it? You don’t need to choose all the components. Just pick what makes sense for you. Example: You can start with the Tanzu Standard Runtime, TMC Advanced, Tanzu Observability and NSX ALB Enterprise, and go for Tanzu Service Mesh whenever the time is right.

    Maybe you already started with the public cloud offerings like AKS, EKS and GKE and need a consistent control plane? Then Tanzu and TKO are still good choices for you. There’s also a pretty new “VMware Tanzu for Kubernetes Operations on vSphere Reference Design” available!


    Wherever you are on your application modernization journey, VMware and their Tanzu portfolio have got your back. No matter if you want to start small, make your first steps and experiences with open-source projects, or if you want to have a complete set with the Tanzu Advanced edition, VMware offers the right options and flexibility.

    I hope my learnings from this customer engagement help you to better understand the Tanzu portfolio and its capabilities.

    Please leave your comments and thoughts below. 🙂

    Modern Application Monitoring with VMware Tanzu and vRealize

    The complexity of applications has increased because of new cloud technologies and new application architectures. Since organizations adopt and embrace the DevOps mindset, developers and IT operations are closer than ever. Developers are now part of the team operating the distributed systems.

    Businesses must figure out how they learn about system failures and need to have an understanding of “what” is broken (symptom) and “why” (possible cause) something is broken.

    Let’s talk about application performance management (APM) and enterprise observability. 🙂


    It was around the year 2012 or 2013 when I had to introduce a new monitoring solution for a former employer who was a cloud service provider. I think Nagios was the state-of-the-art technology back then and I replaced it with PRTG Network Monitor from Paessler.

    When we onboarded a new customer infrastructure or application, the process was always the same. I had to define the metrics to collect and then put those metrics on a dashboard. It was very important to set alerts based on thresholds or conditions. Everyone knew back then that this approach wasn’t the best, but we didn’t have any other choice.

    PRTG Sensor View

    If an IP was not pingable or a specific port of a server or application was down for 60 seconds, an alert popped up and an e-mail was sent to the IT helpdesk. And in the dashboard you could see sensors switching from a green to a red state.

    To simplify the troubleshooting process and to have a logical application view, I had to create some dependencies between sensors. This was probably the only way to create something like an application (dependency) mapping.

    When users worked on a virtual desktop or on a Windows Terminal Server, we “measured” the user experience and application performance based on network latency and server resource usage based on CPU and RAM mostly.


    Observability enables you to drill down into the distributed services and systems (hardware components, containers, microservices) that make up an application.

    Monitoring and observability are not the same thing. As described before, monitoring is the process of collecting metrics and alerts so that one can monitor the health and performance of components like network devices, databases, servers or VMs.

    Observability helps you to understand complex architectures and interactions between elements in this architecture. It also allows you to troubleshoot performance issues, identify root causes for failures faster and helps you to optimize your cloud native infrastructure and applications.

    In other words, observability can help you to speed up mean time to detection (MTTD) and mean time to resolution (MTTR) for infrastructure and application failures.

    There are three golden telemetry signals to achieve observability (source):

    • Logs: Logs are the abiding records of discrete events that can identify unpredictable behavior in a system and provide insight into what changed in the system’s behavior when things went wrong. It’s highly recommended to ingest logs in a structured way, such as in JSON format so that log visualization systems can auto-index and make logs easily queryable.
    • Metrics: Metrics are considered as the foundations of monitoring. They are the measurements or simply the counts that are aggregated over a period of time. Metrics will tell you how much of the total amount of memory is used by a method, or how many requests a service handles per second.
    • Traces: A single trace displays the operation as it moves from one node to another in a distributed system for an individual transaction or request. Traces enable you to dig into the details of particular requests to understand which components cause system errors, monitor flow through the modules, and discover the bottlenecks in the performance of the system.

    Tanzu Observability Tracing

    When using observability during app development, it can also improve the developer experience and productivity.

    Tanzu Observability Services

    The VMware Tanzu portfolio currently has four different editions:

    Different Tanzu Observability services are available for different components and Tanzu editions.

    Tanzu Standard Observability

    Tanzu Standard includes the leading open-source projects Prometheus and Grafana for platform monitoring (and Fluent Bit for log forwarding).

    Tanzu Kubernetes Grid provides monitoring with the open-source Prometheus and Grafana services. You deploy these services on your cluster and can then take advantage of Grafana visualizations and dashboards. As part of the integration, you can set up Alertmanager to send alerts to Slack or use custom Webhooks alert notifications.

    Tanzu Kubernetes Grid architecture

    Tanzu Standard Observability is comprised of:

    • Fluent Bit is an open-source log processor and forwarder which allows you to collect any data like metrics and logs from different sources, enrich them with filters and send them to multiple destinations. It’s the preferred choice for containerized environments like Kubernetes.
    • Grafana is a multi-platform open-source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.
    • Prometheus is a free software application used for event monitoring and alerting. It records real-time metrics in a time series database built using an HTTP pull model, with flexible queries and real-time alerting.

    Note: VMware only provides advisory (best effort) guidance on Prometheus and Grafana for use with Tanzu Kubernetes Grid. The installation, configuration and upgrades are beyond the current scope of VMware’s advisory support.

    Tanzu Advanced Observability

    In May 2017 VMware acquired Wavefront which is now part of the Tanzu portfolio and called “Tanzu Observability” (TO).

    TO is a SaaS-based metrics monitoring and analytics platform that handles the enterprise-scale requirements of modern cloud native applications.

    Compared to Grafana/Prometheus, one would say that Tanzu Observability is a true enterprise-grade observability platform. According to the GigaOm Cloud Observability Report, VMware Tanzu Observability is one of the strong leaders among Dynatrace and Splunk, just to name a few.

    Tanzu Observability is best suited for large organizations and provides consumption-based pricing that is based on the rate at which you send metric data to Tanzu Observability during the course of each month. This gives you the flexibility to start with any size you want and scale up/down as needed. It’s not dependent on the number of hosts or the number of users.

    Tanzu Observability CIO Dashboard

    Tanzu Observability allows you to collect data from different sources and provides integrations to over 250 technologies including different public clouds, web application and services, big data frameworks, data stores, other monitoring tools, operating systems / hosts, and many more.

    Tanzu Observability Integrations

    While data retention with Prometheus is limited to a maximum of 14 days, VMware allows you to send Prometheus data to Tanzu Observability for long-term data retention (up to 18 months at full granularity).

    Just announced at VMworld 2021, VMware has added artificial intelligence and machine learning (AI/ML) root cause capabilities…

    Tanzu Observability AI Powered Root Cause Analysis

    …and created an integration between Tanzu Observability and vRealize Operations Cloud.

    Through this integration, developers and SREs can now view vRealize Operations Cloud metrics alongside all the metrics, histograms, and traces collected by Tanzu Observability from other sources for a more holistic view of business-critical applications and infrastructure.

    If you are attending VMworld, check out the sessions below to learn more about Tanzu Observability.

    • APP1308: Observability for Modern Application and Kubernetes Environments
    • APP2648: Implement Observability for Kubernetes Clusters and Workloads in Minutes
    • VI2630: Best Practices and Reference Framework for Implementing Observability
    • UX2551: Move from Traditional Monitoring to Observability and SRE – Design Studio
    • VMTN2810: Lost in Containers? Enhance Observability with Actionable Visualization
    • 2965: Kubernetes Cluster Operations, Monitoring and Observability
    • 2957: Build a Data Analytics Platform in Minutes Using Deployment Blueprints
    • APP2677: Meet the Experts: VMware Tanzu Observability by Wavefront
    • VMTN3230: Observe Application internals Holistically
    • VI1448: Take a Modern Approach to Achieve Application Resiliency
    • APP1319: Transforming Customer Experiences with VMware’s App Modernization Platform

    Integration with other Tanzu Products

    Tanzu Observability is fully integrated within the Tanzu family with OOTB integrations with:

    Kubernetes Monitoring in vRealize Operations

    Tanzu Observability provides “Kubernetes Observability” and OOTB integrations with RedHat OpenShift, Azure Kubernetes Service (AKS), Amazon EKS and Google GKE for example.

    Tanzu Observability Kubernetes Monitoring

    vRealize Operations (vROps) is also able to monitor multiple Kubernetes environments like VMware Tanzu Kubernetes Grid, RedHat OpenShift, Amazon EKS, Azure AKS or Google GKE. That is made possible with the vROps Management Pack for Kubernetes.

    Using the vRealize Operations Management Pack for Kubernetes (needs vROps 8.1 or later), you can monitor, troubleshoot, and optimize the capacity management for Kubernetes clusters. Below are some of the additional capabilities that this management pack delivers:

    • Auto-discovery of Tanzu Kubernetes Grid (TKG) or Tanzu Mission Control (TMC) Kubernetes clusters.
    • Complete visualization of Kubernetes cluster topology, including namespaces, clusters, replica sets, nodes, pods, and containers.
    • Performance monitoring for Kubernetes clusters.
    • Out-of-the-box dashboards for Kubernetes constructs, which include inventory and configuration.
    • Multiple alerts to monitor the Kubernetes clusters.
    • Mapping Kubernetes nodes with virtual machine objects.
    • Report generation for capacity, configuration, and inventory metrics for clusters or pods.

    vRealize Operations K8s Monitoring

    Note: Kubernetes monitoring is available in vRealize Operations Advanced.

    There is also a Prometheus integration that enables vRealize Operations Manager to retrieve metrics directly from Prometheus.

    Note: vRealize Operations can also integrate with your existing application performance management systems. vROps offers integrations with App Dynamics, DataDog, Dynatrace and New Relic.


    There are different options available within VMware Tanzu and vRealize when it comes to Kubernetes operations, monitoring and observability.

    Depending on your current needs and toolset you’ll have different options and integration possibilities.

    VMware’s portfolio gives you the choice to use open-source software like Grafana/Prometheus, leverage an existing vRealize Operations deployment or to get an enterprise-grade observability and analytics platform like Tanzu Observability.

    If you are looking for an end-to-end monitoring stack aka 360-degree visibility for your K8s environments and clouds, VMware Tanzu and the vRealize Suite give you the following products:

    1. Applications – Tanzu Observability
    2. Kubernetes Cluster – Tanzu Observability, vRealize Operations, vRealize Network Insight, vRealize Log Insight
    3. Network Layer – vRealize Operations, vRealize Network Insight, vRealize Log Insight
    4. Virtualization Layer – vRealize Operations, vRealize Network Insight, vRealize Log Insight


    VMworld 2021 – Summary of VMware Projects

    On day 1 of VMworld 2021 we have heard and seen a lot of super exciting announcements. I believe everyone is excited about all the news and innovations VMware has presented so far.

    I’m not going to summarize all the news from day 1 or day 2 but thought it might be helpful to have an overview of all the VMware projects that have been mentioned during the general session and solution keynotes.

    Project Cascade

    VMware Project Cascade

    Project Cascade will provide a unified Kubernetes interface for both on-demand infrastructure (IaaS) and containers (CaaS) across VMware Cloud – available through an open command line interface (CLI), APIs, or a GUI dashboard.  Project Cascade will be built on an open foundation, with the open-sourced VM Operator as the first milestone delivery for Project Cascade that enables VM services on VMware Cloud.

    VMworld 2021 session: Solution Keynote: The VMware Multi-Cloud Computing Infrastructure Strategy of 2021 [MCL3217]

    Project Capitola

    VMware Project Capitola

    Project Capitola is a software-defined memory implementation that will aggregate tiers of different memory types such as DRAM, PMEM, NVMe and other future technologies in a cost-effective manner, to deliver a uniform consumption model that is transparent to applications.

    VMworld 2021 session: Introducing VMware Project Capitola: Unbounding the ‘Memory Bound’ [MCL1453] and How vSphere Is Redefining Infrastructure For Running Apps In the Multi-Cloud Era [MCL2500]

    Project Ensemble

    VMware Project Ensemble

    Project Ensemble integrates and automates multi-cloud management with vRealize. This means that all the different VMware cloud management capabilities—self-service, elasticity, metering, and more—are in one place. You can access all the data, analytics, and workflows to easily manage your cloud deployments at scale.

    VMworld 2021 session: Introducing Project Ensemble Tech Preview [MCL1301]

    Project Arctic

    VMware Project Arctic

    Project Arctic is “the next evolution of vSphere” and is about bringing your own hardware while taking advantage of VMware Cloud offerings to enable a hybrid cloud experience. Arctic natively integrates cloud connectivity into vSphere and establishes hybrid cloud as the default operating model.

    VMworld 2021 session: What’s New in vSphere [APP1205] and How vSphere Is Redefining Infrastructure For Running Apps In the Multi-Cloud Era [MCL2500]

    Project Monterey

    VMware Project Monterey

    Project Monterey was announced in the VMworld 2020 keynote. It is about SmartNICs that will redefine the data center with decoupled control and data planes for management, networking, storage and security for VMware ESXi hosts and bare-metal systems.

    VMworld 2021 session: 10 Things You Need to Know About Project Monterey [MCL1833] and How vSphere Is Redefining Infrastructure For Running Apps In the Multi-Cloud Era [MCL2500]

    Project Iris

    I don’t remember anymore which session mentioned Project Iris but it is about the following:

    Project Iris discovers and analyzes an organization’s full app portfolio; recommends which apps to rehost, replatform, or refactor; and enables customers to adapt their own transformation journey for each app, line of business, or data center.

    Project Pacific

    Project Pacific was announced at VMworld 2019. It is about re-architecting vSphere to integrate and embed Kubernetes and is known as “vSphere with Tanzu” (or TKGS) today. In other words, Project Pacific transformed vSphere into a Kubernetes-native platform with a Kubernetes control plane integrated directly into ESXi and vCenter. Pacific is part of the Tanzu portfolio.

    VMworld 2019 session: Introducing Project Pacific: Transforming vSphere into the App Platform of the Future [HBI4937BE]

    Project Santa Cruz

    VMware Project Santa Cruz

    Project Santa Cruz is a new integrated offering from VMware that adds edge compute and SD-WAN together to give you a secure, scalable, zero touch edge run time at all your edge locations. It connects your edge sites to centralized management planes for both your networking team and your cloud native infrastructure team. This solution is OCI compatible: if your app runs in a container, it can run on Santa Cruz.

    VMworld 2021 session: Solution Keynote: What’s Next? A Look inside VMware’s Innovation Engine [VI3091]

    Project Dawn Patrol

    So far, Project Dawn Patrol was only mentioned during the general session. “It will give you full visibility with a map of all your cloud assets and their dependencies”, Dormain Drewitz said.

    VMworld 2021 session: General Session: Accelerating Innovation, Strategies for Winning Across Clouds and Apps [GEN3103]

    Project Radium

    VMware Project Radium

    Last year VMware introduced vSphere Bitfusion, which allows shared access to a pool of GPUs over a network. Project Radium expands the feature set of Bitfusion to other architectures and will support AMD, Graphcore, Intel, Nvidia and other hardware vendors for AI/ML workloads.

    VMworld 2021 session: Project Radium: Bringing Multi-Architecture compute to AI/ML workloads [VI1297]

    Project IDEM

    IDEM has been described as an “easy to use management automation technology”.

    VMworld 2021 session: Solution Keynote: What’s Next? A Look inside VMware’s Innovation Engine [VI3091] and Next-Generation SaltStack: What Idem Brings to SaltStack [VI1865]

    Please comment below or let me know via Twitter or LinkedIn if I missed a new or relevant VMware project. 😉

    Must Watch VMworld Multi-Cloud Sessions

    I recently wrote a short blog about some of the sessions I recommend to customers, partners and friends.

    If you would like to know more about the VMware multi-cloud strategy and vision, have a look at some of the sessions below:

    VMworld 2021 Must Watch Sessions


    VMworld 2021 – My Content Catalog and Session Recommendation

    VMworld 2021 is going to happen from October 6-7, 2021 (EMEA). This year you can expect so many sessions and presentations about the options you have when combining different products together, that help you to reduce complexity, provide more automation and therefore create less overhead.

    Let me share my 5 personal favorite picks and also 5 recommended sessions based on the conversations I had with multiple customers this year.

    My 5 Personal Picks

    10 Things You Need to Know About Project Monterey [MCL1833]

    Project Monterey was announced in the VMworld 2020 keynote. There has been tremendous work done since then. Hear Niels Hagoort and Sudhansu Jain talking about SmartNICs and how they will redefine the data center with decoupled control and data planes – for ESXi hosts and bare-metal systems. They are going to cover and demo the overall architecture and use cases!

    Upskill Your Workforce with Augmented and Virtual Reality and VMware [VI1596]

    Learn from Matt Coppinger how augmented reality (AR) and virtual reality (VR) are transforming employee productivity, and how these solutions can be deployed and managed using VMware technologies. Matt is going to cover the top enterprise use cases for AR/VR as well as the challenges you might face deploying these emerging technologies. Are you interested in how to architect and configure VMware technologies to deploy and manage the latest AR/VR technology, applications and content? If yes, then this session is also for you.

    Addressing Malware and Advanced Threats in the Network [SEC2027] (Tech+ Pass Only)

    I am very interested to learn more about cybersecurity. With Chad Skipper VMware has an expert who can give insights on how the Network Detection and Response (NDR) capabilities of NSX Advanced Threat Prevention provide visibility, detection and prevention of advanced threats.

    60 Minutes of Non-Uniform Memory Access (NUMA) 3rd Edition [MCL1853]

    Learn more about NUMA from Frank Denneman. You are going to learn more about the underlying configuration of a virtual machine and discover the connection between the General-Purpose Graphics Processing Unit (GPGPU) and the NUMA node. You will also understand afterwards how your knowledge of NUMA concepts in your cluster can help the developer by aligning the Kubernetes nodes to the physical infrastructure with the help of VM Service.

    Mount a Robust Defense in Depth Strategy Against Ransomware [SEC1287]

    Are you interested to learn more about how to protect, detect, respond to and recover from cybersecurity attacks across all technology stacks, regardless of their purpose or location? Learn more from Amanda Blevins about the VMware solutions for end users, private clouds, public clouds and modern applications.

    5 Recommended Sessions based on Customer Conversations

    Cryptographic Agility: Preparing for Quantum Safety and Future Transition [VI1505]

    A lot of work is needed to better understand cryptographic agility and how we can address and manage the expected challenges that come with quantum computing. Hear VMware’s engineers from the Advanced Technology Group talking about the requirements of crypto agility and VMware’s recent research work on post-quantum cryptography in the VMware Unified Access Gateway (UAG) project.

    Edge Computing in the VMware Office of the CTO: Innovations on the Horizon [VI2484]

    Let Chris Wolf give you some insight into VMware’s strategic direction in support of edge computing. He is going to talk about solutions that will drive down costs while accelerating the velocity and agility in which new apps and services can be delivered to the edge.

    Delivering a Continuous Stream of More Secure Containers on Kubernetes [APP2574]

    In this session one can see how you can use two capabilities in VMware Tanzu Advanced, Tanzu Build Service and Tanzu Application Catalog, to feed a continuous stream of patched and compliant containers into your continuous delivery (CD) system. A must attend session delivered by David Zendzian, the VMware Tanzu Global Field CISO.

    A Modern Firewall For any Cloud and any Workload [SEC2688]

    VMware NSX firewall reimagines East-West security by using a distributed- and software-based approach to attach security policies to every workload in any cloud. Chris Kruegel gives you insights on how to stop lateral movement with advanced threat prevention (ATP) capabilities via IDS/IPS, sandboxing, NTA and NDR.

    A Practical Approach for End-to-End Zero Trust [SEC2733]

    Hear the different VMware CTOs Shawn Bass, Pere Monclus and Scott Lundgren talking about a zero trust approach. Shawn and the others will discuss specific capabilities that will enable customers to achieve a zero trust architecture that is aligned to the NIST guidance and covers secure access for users as well as secure access to workloads.

    Enjoy VMworld 2021! 🙂