Introduction
With the release of VMware Cloud Foundation (VCF) 9.0,
VMware has continued to enhance its approach to delivering private cloud
infrastructure that is secure, scalable, and easier to manage. One of the most
significant changes in VCF 9.0 is the introduction of a new automation model
designed to support multi-tenancy, better resource governance, and clearer
separation between provider and tenant responsibilities. This new model is
centered around three core organizational constructs: All App Organization,
VM App Organization, and Provider App Organization. In this blog,
we explore each of these in detail, understand their role in the overall
architecture, and provide best practices for implementation.
Understanding the VCF 9.0 Automation Framework
VCF 9.0 introduces an evolved automation framework that
builds on VMware Aria Automation (formerly vRealize Automation). Rather than
treating automation as a one-size-fits-all component, VCF 9.0 allows
infrastructure providers and tenants to operate in well-defined, segregated
environments. This segregation ensures better governance, scalability, and
alignment with enterprise and service provider use cases.
The automation experience in VCF 9.0 is delivered through
three automation apps:
- All App Organization
- VM App Organization
- Provider App Organization
Each organization type has distinct responsibilities and
capabilities, and together they help build a secure and scalable private cloud
ecosystem.
1. All App Organization
The All App Org is the default or root organizational entity
in the VCF 9.0 automation framework. It is typically managed by the
infrastructure provider or cloud admin and is responsible for managing shared
infrastructure and global services.
Key Functions:
- Manage and onboard cloud accounts (such as vCenter, NSX, storage).
- Define global content such as blueprints, templates, and policies.
- Create and manage infrastructure projects across all tenants.
- Set up tagging strategies and resource placement policies.
- Maintain centralized governance and access control.
Typical Use Case: A platform team managing a single
or multi-tenant private cloud infrastructure, where global templates and
catalogs are created once and shared across tenant organizations.
Important Limitation: You cannot add the same
vCenter Server to multiple organizations (All App Org, VM App Org, or Provider
App Org) simultaneously. vCenter can only be onboarded to one organization due
to resource ownership and inventory synchronization limitations. Attempting to
do so may lead to duplication errors, inventory sync issues, and policy
enforcement conflicts.
2. VM App Organization
The VM App Org is designed for tenant teams or business
units within an enterprise that require self-service provisioning, resource
control, and automation tailored to their specific use case.
Key Functions:
- Allows tenants to manage their own infrastructure projects.
- Users can deploy workloads using scoped catalog items.
- Provides isolation through dedicated projects, roles, and permissions.
- Enables granular control over resource usage and deployment behavior.
Typical Use Case: A large enterprise with separate
Dev, QA, and Production teams using VCF to deploy and manage their workloads
independently. Each team is given its own VM App Org with access to tailored
templates and policies.
Best Practices:
- Use separate folders, clusters, and tags to isolate tenant environments.
- Implement quota and lease policies to control resource usage.
- Define tenant-specific cloud templates that inherit from All App Org catalog items.
3. Provider App Organization
The Provider App Org serves cloud providers or MSPs who are
managing multiple tenants and want centralized visibility and control without
exposing the underlying infrastructure directly to the tenants.
Key Functions:
- Provides a control plane for service providers.
- Allows onboarding and management of multiple VM App Orgs.
- Supports service brokering, billing integration, and centralized policy enforcement.
- Enables delegated administration without giving full infrastructure access.
Typical Use Case: A managed service provider hosting
multiple customer environments on a single VCF instance, offering self-service
capabilities while maintaining control over the infrastructure.
Key Advantages:
- Simplifies tenant lifecycle management.
- Enhances compliance by isolating responsibilities.
- Facilitates cross-tenant visibility for operational insights.
Architectural Considerations
When planning a VCF 9.0 deployment, careful thought must be
given to how vCenter, NSX, and other infrastructure components are mapped to
organizations. Below are some considerations:
- A single vCenter can be onboarded to only one automation organization.
- NSX segments and transport zones must be scoped to appropriate domains and orgs.
- Projects act as logical containers within orgs and can further segment workloads.
- Content sharing between orgs must be explicitly configured and governed.
Common Pitfalls to Avoid:
- Attempting to onboard a single vCenter into both All App Org and VM App Org.
- Using global tags without a naming convention, leading to conflicts.
- Over-provisioning access rights across orgs.
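The three pitfalls above can be checked against an organization plan before anything is onboarded. The script below is an added example, not VMware tooling or code from this blog: the plan format, org names, FQDNs, the "key:value" tag convention and the one-org admin threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed tag convention for this example: lowercase "key:value".
TAG_RE = re.compile(r"^[a-z][a-z0-9-]*:[a-z0-9-]+$")

# Constructed sample plan. Org names, FQDNs, tags and groups are hypothetical.
PLAN = {
    "all-app-org": {"vcenters": ["vc01.example.internal"],
                    "tags": ["env:prod", "tier:gold"],
                    "admins": ["platform-admins"]},
    "vm-app-dev": {"vcenters": ["vc02.example.internal"],
                   "tags": ["env:dev", "Temp"],
                   "admins": ["dev-leads", "platform-admins"]},
    "vm-app-qa": {"vcenters": ["VC01.Example.Internal."],  # same host as vc01
                  "tags": ["env:qa"],
                  "admins": ["qa-leads", "platform-admins"]},
}

def norm_host(name):
    """Fold case and drop the trailing dot so one vCenter has one key."""
    return name.strip().rstrip(".").lower()

def lint_plan(plan, max_admin_orgs=1):
    """Return (rule, orgs, subject) findings for the three pitfalls."""
    findings = []
    vc_orgs, admin_orgs = defaultdict(list), defaultdict(list)
    for org in sorted(plan):
        cfg = plan[org]
        for vc in sorted({norm_host(v) for v in cfg.get("vcenters", [])}):
            vc_orgs[vc].append(org)
        for tag in cfg.get("tags", []):
            if not TAG_RE.match(tag):
                findings.append(("TAG_NAMING", org, tag))
        for principal in sorted(set(cfg.get("admins", []))):
            admin_orgs[principal].append(org)
    for vc, orgs in sorted(vc_orgs.items()):
        if len(orgs) > 1:  # a vCenter may belong to only one organization
            findings.append(("VCENTER_SHARED", ",".join(orgs), vc))
    for principal, orgs in sorted(admin_orgs.items()):
        if len(orgs) > max_admin_orgs:  # assumed threshold, review manually
            findings.append(("ADMIN_SPREAD", ",".join(orgs), principal))
    return findings

if __name__ == "__main__":
    for rule, orgs, subject in lint_plan(PLAN):
        print(f"{rule:15} {subject:25} {orgs}")
```

Hostname normalization only catches case and trailing-dot variants; the same vCenter listed once by FQDN and once by IP address or alias still needs a manual check.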
Conclusion
VMware Cloud Foundation 9.0 significantly improves
automation capabilities by introducing a well-structured, multi-org framework
that supports both enterprise and service provider use cases. By understanding
and effectively utilizing the All App, VM App, and Provider App organizations,
customers can achieve better resource control, enhanced security, and
operational scalability. As always, planning the organization structure, access
model, and resource boundaries in advance is critical for a successful VCF automation
deployment.
Stay tuned for a follow-up blog where we'll walk through a
real-world deployment scenario using all three organization types in VCF 9.0.