VCF 9.1 Home Lab Series – Part 3: Pre-Deployment Planning

Welcome to part 3 of the VCF-9.1 home lab series. The previous post in this series discussed the VCF 9.1 high-level design and lab best practices. In this post, I will discuss the planning and preparation for deploying a VCF 9.1 fleet.

If you are not following along, I encourage you to read the earlier parts of this series from the links below:

1: Whats New in VCF 9.1

2: VCF 9.1 High-Level Design

After you have understood the VCF deployment models and the design is ready in your mind, the next step is to get familiar with the VCF Planning and Preparation Workbook. If you have been working on the VCF platform for quite some time, you already understand the importance of this workbook. The workbook is an Excel file that helps you gather the inputs required for deploying a VCF fleet. The v9.1 workbook can be downloaded from here

The VCF Installer is a ruthless validator.… Read the rest

VCF 9.1 Home Lab Series – Part 2: High-Level Design

Welcome to part 2 of the VCF-9.1 home lab series. The previous post in this series discussed the platform capabilities. In this post, I will talk about the VCF 9.1 architecture.

Understanding the architectural building blocks before you provision anything is the difference between a learning environment and a misconfigured platform you’ll rebuild three times.

The Fleet Model

VCF 9.x introduces the concept of a Fleet as the top-level organizational construct. A Fleet is managed by a common instance of VCF Operations and VCF Automation. Within a fleet, you can have one or more VCF instances, each containing one management domain and zero or more workload domains.

For a home lab, your fleet is a single-region, single-instance deployment. But architecting it with fleet semantics in mind—proper naming conventions, network segmentation, and IP allocation strategies—prepares you for realistic multi-instance designs. To learn more about the deployment topologies in VCF 9, see my previous blog here.… Read the rest

VCF 9.1 Home Lab Series – Part 1: Introduction

VCF 9.1 was released last week and created quite a buzz in the VMware community worldwide. If VCF 9.0 was the architectural reset, 9.1 is the optimization layer — the release where the new constructs introduced in 9.0 get hardened, scaled, and made operationally practical.

Over the coming posts, we’ll build a full VCF 9.1 environment from scratch in a home lab, making deliberate architectural choices at every step and explaining why—not just how. I’ll cover the management domain build, workload domain deployment, NSX design decisions, vSAN ESA configuration, VKS (vSphere Kubernetes Service), VCFA automation, and lifecycle management.

Let’s start with the foundation: what changed in 9.1, what the high-level design looks like, and the practices that distinguish production-grade thinking from home lab shortcuts.

VCF Management Services: A Unified Control Plane Runtime

The headline architectural change in 9.1 is the introduction of VCF Management Services—a common runtime that unifies the platform’s lifecycle and operational capabilities.… Read the rest

Lessons from the Field: Recovering from Orphaned Avi Controllers in VCF-9

In a VCF environment, lifecycle operations are expected to be performed through SDDC Manager/VCF Operations. However, in real-world scenarios, operational mistakes occur—especially when components are modified directly in vCenter Server rather than through the VCF control plane.

In this blog, I will walk through a failure scenario involving NSX Advanced Load Balancer (Avi) in a VCF 9 environment, where Avi controller VMs were accidentally deleted from vCenter, leaving behind stale inventory references in SDDC Manager. I will cover the issue, impact, recovery approach, and key lessons.

The Problem Scenario

In a VCF-9 environment, Avi was deployed via SDDC Manager (integrated with NSX) and was running fine. During a troubleshooting session, Avi controller nodes were deleted directly from vCenter, leaving stale entries in the SDDC Manager UI and thus preventing the redeployment of Avi.

Result: SDDC Manager still believed Avi was deployed, and NSX integration references remained. The deletion option was grayed out in the SDDC manager UI.… Read the rest

Scaling Out the VMware vDefend Security Services Platform

The VMware vDefend Security Services Platform (SSP) was built for scale-out from day one. Whether you’re expanding a proof-of-concept deployment to a production deployment, enabling ATP services (minimum 5 nodes), or going to a full-blown ten-node production deployment, the path is consistent. This post walks you through everything you need to know.

Why Scale-Out Matters for Modern Private Clouds

Traditional perimeter-based security assumed that traffic patterns were predictable and applications sat in stable locations. That world no longer exists. East-west traffic inside a VMware Cloud Foundation (VCF) private cloud can be four times greater than north-south traffic, and the volume keeps growing as application estates expand.

vDefend SSP is Broadcom’s answer to this problem: a self-contained, Kubernetes-backed security analytics platform that sits alongside NSX and processes security intelligence, network detection and response (NDR), malware prevention, and network traffic analysis (NTA). When your workloads grow, your security analytics capacity grows with them.… Read the rest

Cleanup NSX After Force Install of vDefend SSP

Recently, while deploying vDefend SSP in my nested lab, I encountered an issue in which the SSP platform became unstable as soon as I activated platform services.

When platform services (Security Intelligence/Rule Analysis, etc.) are activated, SSP creates new pods. If, at that moment, the CPU on the worker nodes is stuck due to resource constraints on the physical host, the overall platform health degrades. The pods that make up the core service are restarted frequently, and they never come back.

You can use the SSPi diagnostic tool to have visibility into problematic worker nodes and the namespace/pods.

To view pod information, SSH to the SSPI VM and list the pods.

The SSP UI won’t let you login and throws weird errors. An example is shown below

If you attempt to query the platform status, you will see gateway timeout error.

The root cause of this problem was that each worker node is deployed with 16 vCPU, and a minimum of 4 worker nodes is deployed.… Read the rest

How to Deploy Avi 30.x/31.x in VCF 9.x

By default, VCF 9 deploys the v22.x of Avi, which is too old. To use newer versions of Avi in the VCF 9.x setup, Broadcom provides a shell script. This script uploads the newer Avi OVA and updates the SDDC Manager manifest file so that the new Avi can be selected in the SDDC Manager UI.

The shell script and helper files can be downloaded from the Avi GitHub repo

This shell script performs the following tasks:

  • Uploading the Avi bundle to the SDDC manager.
  • Uploading the SDDC manager root certificate to the NSX manager as a trusted CA.
  • Registering the Avi enforcement point in NSX Manager.

Analyze the Shell Script

The shell script (vcf_tools.sh) contains 2 helper files:

1: pvc.json: This file contains the information of the Avi install bundle name and the build number. If the build number of the Avi installer bundle that you downloaded from Broadcom’s portal is not in the JSON file, update it.… Read the rest

VMware vDefend Security Services Platform – Part 8: Segmentation Planning

Welcome to the 8th part of the VMware vDefend SSP series. In the previous post, I discussed the SSP Security Journey workflow and its stages. This post will showcase segmentation planning, which is a sub-feature of security intelligence.

If you are not following along with this series, I encourage you to read the earlier parts of this series from the links below:

1: Introduction to VMware vDefend Security Services Platform

2: Deploy & Configure SSP Instance

3: Onboard NSX Manager & Activate Platform Features

4: SSP Integration with Core Infrastructure Services

5: vDefend SSP Rule Analysis

6: Security Segmentation Report

7: Security Intelligence Overview

In the previous post, we saw that the security journey is a staged workflow, with each stage providing a different capability. After you complete a stage, you must mark it as completed and move to the next stage.

Note: I covered stage 1 in the 6th part of this series, so I am not repeating the steps.… Read the rest

VMware vDefend Security Services Platform – Part 7: Security Intelligence Walkthrough

Welcome to the 7th part of the VMware vDefend SSP series. In the previous post, I discussed the SSP Segmentation Report feature and how you can leverage it to plan micro-segmentation. This post will provide a high-level overview of the security intelligence feature and the security journey workflow.

If you are not following along with this series, I encourage you to read the earlier parts of this series from the links below:

1: Introduction to VMware vDefend Security Services Platform

2: Deploy & Configure SSP Instance

3: Onboard NSX Manager & Activate Platform Features

4: SSP Integration with Core Infrastructure Services

5: vDefend SSP Rule Analysis

6: Security Segmentation Report

Security Intelligence is an SSP feature that provides tools for planning network segmentation, visualizing traffic patterns, and monitoring data flows across applications, enabling the planning and implementation of micro-segmentation at scale.

Security Intelligence delivers two primary capabilities:

  • Visual representation of network components, including security groups, virtual machines, IP addresses, and traffic flows.
Read the rest

VMware vDefend Security Services Platform – Part 6: Security Segmentation Report

Welcome to the 6th part of the VMware vDefend SSP series. In the previous post, I discussed the SSP Rule Analysis feature. This post focuses on the SSP Segmentation Report.

If you are not following along with this series, I encourage you to read the earlier parts of this series from the links below:

1: Introduction to VMware vDefend Security Services Platform

2: Deploy & Configure SSP Instance

3: Onboard NSX Manager & Activate Platform Features

4: SSP Integration with Core Infrastructure Services

5: vDefend SSP Rule Analysis

Traditional security architectures often resemble fortified castles—strong perimeter walls with limited internal protections. Once adversaries breach these external defences, they can navigate through internal networks with minimal resistance. This reality makes network segmentation not just a best practice but a critical security requirement.

Effective segmentation minimizes attack surfaces, protects sensitive data, and helps organizations meet regulatory compliance standards. However, implementing segmentation without proper visibility and measurement can lead to incomplete protection or operational complexity.… Read the rest