Lessons from the Field: Recovering from Orphaned Avi Controllers in VCF-9

In a VCF environment, lifecycle operations are expected to be performed through SDDC Manager/VCF Operations. However, in real-world scenarios, operational mistakes occur—especially when components are modified directly in vCenter Server rather than through the VCF control plane.

In this blog, I will walk through a failure scenario involving NSX Advanced Load Balancer (Avi) in a VCF 9 environment, where Avi controller VMs were accidentally deleted from vCenter, leaving behind stale inventory references in SDDC Manager. I will cover the issue, impact, recovery approach, and key lessons.

The Problem Scenario

In a VCF-9 environment, Avi was deployed via SDDC Manager (integrated with NSX) and was running fine. During a troubleshooting session, Avi controller nodes were deleted directly from vCenter, leaving stale entries in the SDDC Manager UI and thus preventing the redeployment of Avi.

Result: SDDC Manager still believed Avi was deployed, and NSX integration references remained. The deletion option was grayed out in the SDDC manager UI.… Read the rest

Scaling Out the VMware vDefend Security Services Platform

The VMware vDefend Security Services Platform (SSP) was built for scale-out from day one. Whether you’re expanding a proof-of-concept deployment to a production deployment, enabling ATP services (minimum 5 nodes), or going to a full-blown ten-node production deployment, the path is consistent. This post walks you through everything you need to know.

Why Scale-Out Matters for Modern Private Clouds

Traditional perimeter-based security assumed that traffic patterns were predictable and applications sat in stable locations. That world no longer exists. East-west traffic inside a VMware Cloud Foundation (VCF) private cloud can be four times greater than north-south traffic, and the volume keeps growing as application estates expand.

vDefend SSP is Broadcom’s answer to this problem: a self-contained, Kubernetes-backed security analytics platform that sits alongside NSX and processes security intelligence, network detection and response (NDR), malware prevention, and network traffic analysis (NTA). When your workloads grow, your security analytics capacity grows with them.… Read the rest

Cleanup NSX After Force Install of vDefend SSP

Recently, while deploying vDefend SSP in my nested lab, I encountered an issue in which the SSP platform became unstable as soon as I activated platform services.

When platform services (Security Intelligence/Rule Analysis, etc.) are activated, SSP creates new pods. If, at that moment, the CPU on the worker nodes is stuck due to resource constraints on the physical host, the overall platform health degrades. The pods that make up the core service are restarted frequently, and they never come back.

You can use the SSPi diagnostic tool to have visibility into problematic worker nodes and the namespace/pods.

To view pod information, SSH to the SSPI VM and list the pods.

The SSP UI won’t let you login and throws weird errors. An example is shown below

If you attempt to query the platform status, you will see gateway timeout error.

The root cause of this problem was that each worker node is deployed with 16 vCPU, and a minimum of 4 worker nodes is deployed.… Read the rest

How to Deploy Avi 30.x/31.x in VCF 9.x

By default, VCF 9 deploys the v22.x of Avi, which is too old. To use newer versions of Avi in the VCF 9.x setup, Broadcom provides a shell script. This script uploads the newer Avi OVA and updates the SDDC Manager manifest file so that the new Avi can be selected in the SDDC Manager UI.

The shell script and helper files can be downloaded from the Avi GitHub repo

This shell script performs the following tasks:

  • Uploading the Avi bundle to the SDDC manager.
  • Uploading the SDDC manager root certificate to the NSX manager as a trusted CA.
  • Registering the Avi enforcement point in NSX Manager.

Analyze the Shell Script

The shell script (vcf_tools.sh) contains 2 helper files:

1: pvc.json: This file contains the information of the Avi install bundle name and the build number. If the build number of the Avi installer bundle that you downloaded from Broadcom’s portal is not in the JSON file, update it.… Read the rest

VMware vDefend Security Services Platform – Part 8: Segmentation Planning

Welcome to the 8th part of the VMware vDefend SSP series. In the previous post, I discussed the SSP Security Journey workflow and its stages. This post will showcase segmentation planning, which is a sub-feature of security intelligence.

If you are not following along with this series, I encourage you to read the earlier parts of this series from the links below:

1: Introduction to VMware vDefend Security Services Platform

2: Deploy & Configure SSP Instance

3: Onboard NSX Manager & Activate Platform Features

4: SSP Integration with Core Infrastructure Services

5: vDefend SSP Rule Analysis

6: Security Segmentation Report

7: Security Intelligence Overview

In the previous post, we saw that the security journey is a staged workflow, with each stage providing a different capability. After you complete a stage, you must mark it as completed and move to the next stage.

Note: I covered stage 1 in the 6th part of this series, so I am not repeating the steps.… Read the rest

VMware vDefend Security Services Platform – Part 7: Security Intelligence Walkthrough

Welcome to the 7th part of the VMware vDefend SSP series. In the previous post, I discussed the SSP Segmentation Report feature and how you can leverage it to plan micro-segmentation. This post will provide a high-level overview of the security intelligence feature and the security journey workflow.

If you are not following along with this series, I encourage you to read the earlier parts of this series from the links below:

1: Introduction to VMware vDefend Security Services Platform

2: Deploy & Configure SSP Instance

3: Onboard NSX Manager & Activate Platform Features

4: SSP Integration with Core Infrastructure Services

5: vDefend SSP Rule Analysis

6: Security Segmentation Report

Security Intelligence is an SSP feature that provides tools for planning network segmentation, visualizing traffic patterns, and monitoring data flows across applications, enabling the planning and implementation of micro-segmentation at scale.

Security Intelligence delivers two primary capabilities:

  • Visual representation of network components, including security groups, virtual machines, IP addresses, and traffic flows.
Read the rest

VMware vDefend Security Services Platform – Part 6: Security Segmentation Report

Welcome to the 6th part of the VMware vDefend SSP series. In the previous post, I discussed the SSP Rule Analysis feature. This post focuses on the SSP Segmentation Report.

If you are not following along with this series, I encourage you to read the earlier parts of this series from the links below:

1: Introduction to VMware vDefend Security Services Platform

2: Deploy & Configure SSP Instance

3: Onboard NSX Manager & Activate Platform Features

4: SSP Integration with Core Infrastructure Services

5: vDefend SSP Rule Analysis

Traditional security architectures often resemble fortified castles—strong perimeter walls with limited internal protections. Once adversaries breach these external defences, they can navigate through internal networks with minimal resistance. This reality makes network segmentation not just a best practice but a critical security requirement.

Effective segmentation minimizes attack surfaces, protects sensitive data, and helps organizations meet regulatory compliance standards. However, implementing segmentation without proper visibility and measurement can lead to incomplete protection or operational complexity.… Read the rest

VMware vDefend Security Services Platform – Part 5: SSP Rule Analysis

Welcome to the 5th part of the VMware vDefend SSP series. In the previous post, I discussed SSP integration with core infrastructure.  This post focuses on demonstrating the Rule Analysis feature of SSP.

If you are not following along with this series, I encourage you to read the earlier parts of this series from the links below:

1: Introduction to VMware vDefend Security Services Platform

2: Deploy & Configure SSP Instance

3: Onboard NSX Manager & Activate Platform Features

4: SSP Integration with Core Infrastructure Services

What is SSP Rule Analysis?

The rule analysis feature automatically analyzes DFW rules to identify inefficiencies and security misconfigurations. It helps optimize policies by flagging issues such as duplicate, redundant, or overly permissive rules, contributing to a more robust and efficient security posture.

The main benefits of the rule analysis feature are outlined below:

  • Improves Security Posture: Identifies potential security misconfigurations and improves the overall security posture of the DFW.
Read the rest

VMware vDefend Security Services Platform – Part 4: SSP Integration with Core Infrastructure Services

Welcome to the 4th part of the VMware vDefend SSP series. In the previous post, I discussed NSX Manager onboarding in SSP and activating platform features.

This post focuses on demonstrating how to integrate SSP with core infrastructure services, such as Syslog, LDAP, and SFTP.

If you are not following along with this series, I encourage you to read the earlier parts of this series from the links below:

1: Introduction to VMware vDefend Security Services Platform

2: Deploy & Configure SSP Instance

3: Onboard NSX Manager & Activate Platform Features

SSP Integration with Syslog

To integrate the vDefend Security Services Platform (SSP) with a syslog server, you must configure the SSP to forward its log messages to the remote server through its web interface.

Log in to the SSP web interface using admin credentials and navigate to the System > Server Configurations > Syslog Server Configuration tab. Click Add Server.… Read the rest

VMware vDefend Security Services Platform – Part 3: Onboard NSX & Activate Platform Features

Welcome to the 3rd part of the VMware vDefend SSP series. In the previous post, I discussed the deployment of the SSP installer and the SSP instance. This post focuses on demonstrating how to activate the platform features.

If you are not following along, I encourage you to read the earlier parts of this series from the links below:

1: Introduction to VMware vDefend Security Services Platform

2: Deploy & Configure SSP Instance

Onboard NSX Manager

The first step in configuring the SSP instance is to onboard NSX Manager. To do so, login to the SSP instance by typing https://<ssp-fqdn>/ and entering the admin credentials set during the deployment.

Enter the workload domain NSX Manager IP/FQDN, NSX Enterprise Admin credentials, and the NSX Manager SSL certificate.

Note: If VIP is configured for NSX Manager, upload the MGMT_CLUSTER REST VIP certificate. Otherwise, the node REST API certificate.

SSP checks the NSX manager compatibility with the SSP instance.… Read the rest