Part 4: VCF Architecture Deep Dive

VCF Architecture: How It All Fits Together

Understanding VCF architecture means understanding the relationships between its four pillars: compute (vSphere), storage (vSAN), networking (NSX), and management (SDDC Manager). These components are not just installed together — they’re tightly integrated, with SDDC Manager acting as the orchestration layer that knows about every component in the stack.

The Domain Model: Foundation of VCF Design

The entire VCF architecture is organized around the concept of domains. A domain is a logical grouping of ESXi hosts that share a vCenter Server instance and an NSX deployment. There are two types:

Management Domain

The management domain is mandatory and is the first thing deployed during VCF bring-up. It hosts all the infrastructure management workloads:

• SDDC Manager virtual appliance (the orchestration engine)
• vCenter Server (manages all hosts in the management domain)
• NSX Manager cluster (3 NSX Manager VMs for HA)
• NSX Edge cluster (for management domain networking — optional but recommended)
• Cloud Builder (only during initial bring-up; decommissioned after)
• Optional: Aria Suite components (Operations, Automation, Log Insight)

Minimum hosts: 4 ESXi hosts (to maintain vSAN redundancy during a host failure)

The management domain is critical — if it goes down, you lose the ability to manage workload domains, but existing workload VMs continue running unaffected.

VI Workload Domain

Workload domains (also called VI Workload Domains or Virtual Infrastructure Workload Domains) are created after the management domain and host actual business workloads. Each workload domain has:

• Its own dedicated vCenter Server instance (deployed and managed by SDDC Manager)
• Its own NSX deployment (deployed and managed by SDDC Manager)
• Dedicated ESXi hosts (can be added/removed via SDDC Manager)
• Dedicated vSAN cluster(s)

Minimum hosts per workload domain: 3 (for vSAN cluster with FTT=1)

Workload domains provide isolation — VMs in Domain A cannot directly communicate with VMs in Domain B without explicit network policy. This isolation makes workload domains ideal for separating Dev, Test, and Production environments, or for multi-tenant scenarios.

SDDC Manager Deep Dive

SDDC Manager is arguably the most important component in VCF. It’s a Linux-based virtual appliance deployed during bring-up that maintains a complete inventory of your VCF environment and drives all Day 1 and Day 2 operations.

SDDC Manager Responsibilities

• Inventory database — Tracks every host, cluster, domain, vCenter, NSX manager, and their exact software versions.
• Network Pools — Manages IP address pools for vSAN VMkernel adapters, NSX TEP (Tunnel Endpoint) adapters, and vMotion VMkernel adapters. When you add a host to a cluster, SDDC Manager automatically assigns IPs from the relevant pool.
• Lifecycle Manager (LCM) — Downloads update bundles from Broadcom’s depot, validates them against your BOM, and orchestrates patching of all components in the correct order (NSX → ESXi → vCenter → SDDC Manager).
• Certificate Authority — Issues and rotates TLS certificates for all managed components (vCenter, NSX, ESXi) using either its internal CA or an external Microsoft CA or HashiCorp Vault.
• Password Management — Rotates credentials for all service accounts (vCenter admin, NSX admin, etc.) on a schedule.
• Workload Domain Lifecycle — Creates, expands, contracts, and deletes workload domains. Adding a workload domain automatically deploys a new vCenter Server and NSX instance.

VCF Network Architecture

VCF requires a very specific physical network setup. Understanding this is critical for hardware planning.

VLAN Requirements

Each ESXi host in VCF requires these VMkernel VLANs:

• Management VLAN — ESXi management (vmk0), SDDC Manager, vCenter, NSX Managers communicate on this VLAN.
• vMotion VLAN — Live migration of VMs between hosts.
• vSAN VLAN — vSAN storage traffic (requires jumbo frames, MTU 9000).
• NSX TEP VLAN — NSX Tunnel Endpoint traffic for overlay networking (requires jumbo frames, MTU 9000).
• NSX Edge TEP VLAN — Separate TEP VLAN for NSX Edge nodes (uplink to physical routers).
• Uplink VLANs — VLANs for T0 gateway uplinks to physical routers (for external connectivity).

NSX Overlay Architecture

Every VM network in VCF is an NSX overlay segment by default. Physical switches only see VXLAN/Geneve encapsulated traffic on TEP VLANs. The advantages: VM networks can be created in seconds with no physical switch configuration changes, micro-segmentation happens at the ESXi host level (distributed firewall), and IP addressing is fully flexible.

vSAN Architecture in VCF

vSAN creates a distributed storage cluster across all hosts in a domain. All disk I/O is handled by the vSAN storage policy defined per-VM. VCF supports two vSAN architectures (covered in detail in Part 7):

• OSA (Original Storage Architecture) — Uses disk groups with a cache tier (NVMe/SSD) and capacity tier (SAS/SATA SSD). Available on broader hardware.
• ESA (Express Storage Architecture) — NVMe-only, no cache tier, storage pools. Delivers 4–8x better performance than OSA but requires NVMe-only hosts.

Component Version Matrix (VCF 9.1)

Broadcom Documentation

• VCF 9.1 Architecture Documentation
• SDDC Manager Overview — TechDocs
• VCF Management Domain Architecture
• VMware Configuration Maximums (Config Max Tool)