Deep Dive into VCF 9.1 Deployment Architecture, Platform Scope, and First Instance FQDN & IP Address Planning

One of the most important design considerations while deploying VMware Cloud Foundation is selecting the appropriate deployment model based on scalability, resiliency, and operational requirements.

VCF 9.1 introduces flexible deployment options that allow organizations to choose between a Simple Deployment Model and a High Availability (HA) Deployment Model. While both deployment models provide the core capabilities of VMware Cloud Foundation, the HA deployment adds additional clustered and replica nodes for critical services to ensure better availability and operational continuity.

The following table provides a detailed comparison of the deployment scope for each platform component across both deployment models.

VCF Installer Deployment Scope per Platform

Component Group	Component Node / Instance	VMware Cloud Foundation Simple	VMware Cloud Foundation High Availability
VMware vCenter	vCenter	Yes	Yes
VCF Operations	operations (primary node)	Yes	Yes
	operations (replica node)	No	Yes
	operations (data node)	No	Yes
	cloud proxy	Yes	Yes
	license server	Yes	Yes
VMware NSX	NSX Manager (node 1)	Yes	Yes
	NSX Manager (node 2)	No	Yes
	NSX Manager (node 3)	No	Yes
VCF Automation*	automation (node 1)	Yes	Yes
	automation (node 2)	No	Yes
	automation (node 3)	No	Yes
SDDC Manager	SDDC Manager	Yes	Yes
VCF Management Services	VCF services runtime	Yes	Yes
	Fleet lifecycle	Yes	Yes
	SDDC lifecycle	Yes	Yes
	Software depot	Yes	Yes
	Identity broker	Yes	Yes
	Salt RaaS	Yes	Yes
	Salt master	Yes	Yes
	Telemetry	Yes	Yes

---

Simple Deployment Model

The Simple deployment model is designed for:

• Smaller production environments
• Lab and test deployments
• Resource-constrained infrastructure
• Faster deployment with lower VM footprint

In this model, only the primary nodes for core services are deployed. This minimizes infrastructure consumption while still providing the complete VCF management experience.

High Availability Deployment Model

The High Availability (HA) deployment model is recommended for:

• Enterprise production environments
• Mission-critical workloads
• Large-scale cloud deployments
• Environments requiring resiliency and fault tolerance

The HA model deploys additional nodes for services such as:

• Operations
• NSX Managers
• VCF Automation
• Data and replica services

This architecture ensures service continuity even during node failures.

Why HA Deployment Matters

The HA deployment architecture significantly improves:

• Platform resiliency
• Operational uptime
• Management plane availability
• Lifecycle management continuity
• Automation service reliability

For example:

• Multiple VMware NSX Manager nodes provide clustered NSX management availability.
• Additional Operations nodes improve monitoring and analytics resiliency.
• Multiple Automation nodes enhance self-service portal and API availability.

With VMware Cloud Foundation, organizations now have greater flexibility in choosing a deployment architecture that aligns with their business and operational requirements.

The Simple deployment model offers a lightweight and faster deployment approach, while the High Availability model delivers enterprise-grade resiliency for production environments. Selecting the correct deployment model during the planning phase is critical for ensuring long-term scalability, availability, and operational success of the VCF platform.

First VCF Instance FQDNs and IP Address Requirements

During the planning and deployment phase of VMware Cloud Foundation, it is important to properly reserve Fully Qualified Domain Names (FQDNs) and IP addresses for all management components and infrastructure services.

The number of required FQDNs and IP addresses varies depending on whether you deploy the platform using the Simple Deployment Model or the High Availability (HA) Deployment Model.

The following table provides a detailed overview of the naming and IP addressing requirements for the first VCF instance deployment.

First VCF Instance FQDNs and IP Addresses

 

 

Component	Category	Simple Deployment FQDNs and IP Addresses	High Availability Deployment FQDNs and IP Addresses
vCenter	vCenter	1 FQDN	1 FQDN
NSX Manager	NSX Manager nodes	1 FQDN	3 FQDNs
	NSX Manager Cluster VIP	1 FQDN	1 FQDN
SDDC Manager	SDDC Manager	1 FQDN	1 FQDN
vSAN	vSAN Network	1 IP Address for each host	1 IP Address for each host
vMotion	vMotion Network	1 IP Address for each host	1 IP Address for each host
VCF Operations	Primary node	1 FQDN	1 FQDN
	Replica node	-	1 FQDN
	Data node	-	1 FQDN
	Load balancer (Optional)	-	1 FQDN
	Cloud Proxy	1 FQDN	1 FQDN
	License Server	1 FQDN	1 FQDN
VCF Automation	VCF Automation	1 FQDN	1 FQDN
	VCF services runtime	1 FQDN	1 FQDN
	VCF Automation nodes	5 IP Addresses	5 IP Addresses
VCF Management Services	Fleet components	1 FQDN	1 FQDN
	Instance components	1 FQDN	1 FQDN
	VCF services runtime	1 FQDN	1 FQDN
	VCF services runtime nodes	12 IP Addresses minimum 30 IP Addresses for Day-N expansion operations	12 IP Addresses minimum 30 IP Addresses for Day-N expansion operations
	Identity broker	1 FQDN	1 FQDN
	Log management*	1 FQDN 6 IP Addresses 2 IP Addresses for each additional replica	1 FQDN 6 IP Addresses 2 IP Addresses for each additional replica
	Real-time metrics*	6 IP Addresses	6 IP Addresses
VCF Operations for Networks	Platform node*	1 IP Address	1 IP Address
	Collector node*	1 IP Address	1 IP Address

* Component deployment is a Day-N operation

** Do not use capital letters in the FQDN.

DNS Planning

Proper DNS planning is mandatory before starting the deployment of VMware Cloud Foundation. Every component requiring an FQDN must have:

• Forward DNS resolution
• Reverse DNS resolution
• Reachable network connectivity
• Reserved static IP assignments

High Availability Requires Additional Resources

The HA deployment model requires:

• Additional FQDNs for clustered services
• More management IP addresses
• Additional load balancing endpoints
• Increased network planning

For example:

• VMware NSX requires three NSX Manager node FQDNs in HA mode.
• VCF Operations introduces replica and data nodes for resiliency.
• Additional IP pools are required for runtime services and future Day-N operations.

Day-N Expansion Readiness

VCF 9.1 reserves additional IP addresses for future scalability and lifecycle operations. This simplifies:

• Deploying additional services later
• Enabling optional capabilities
• Expanding automation and management services
• Future workload domain growth

Accurate DNS and IP address planning is one of the most critical prerequisites for a successful VMware Cloud Foundation deployment.

Organizations deploying the High Availability model should carefully size and reserve additional networking resources to support clustered infrastructure services, operational scalability, and Day-N expansion activities.

Top of Form

 

Bottom of Form

 

Understanding VKS Cluster Deployment Phases in VMware Cloud Foundation 9

Modern private cloud platforms are evolving rapidly, and Kubernetes has become a core requirement for running modern applications. With VMware Cloud Foundation (VCF) and VMware vSphere Kubernetes Service (VKS), deploying Kubernetes clusters is no longer just about creating virtual machines. The complete deployment workflow is highly automated and driven through multiple orchestration phases.

The deployment architecture shown in the image explains how a VKS cluster is created step-by-step, starting from topology generation all the way to worker node availability. Understanding these phases is very important for administrators because it helps in troubleshooting deployment issues, validating infrastructure readiness, and understanding how Kubernetes components interact with vSphere infrastructure.

VKS Cluster Deployment Overview

The deployment workflow is divided into four major phases:

1. Phase 1 – Topology Custom Resource Generation
2. Phase 2 – Infrastructure Provisioning
3. Phase 3 – Control Plane Deployment
• Phase 3a – Control Plane Bootstrap
• Phase 3b – Control Plane VM Provisioning
• Phase 3c – Node Bootstrap
4. Phase 4 – Worker Provisioning

Each phase performs a dedicated function in preparing and deploying the Kubernetes cluster.

Phase 1 – Topology Custom Resource Generation

This is the starting point of the entire deployment workflow.

In this phase, Kubernetes custom resources are generated to define the cluster topology and desired state. These resources are consumed later by Cluster API (CAPI) and vSphere infrastructure providers.

The major components involved are:

• Cluster
• Machine Deployment
• Machine Set
• Kubeadm Control Plane
• vSphere Cluster

Cluster Object

The Cluster object acts as the primary Kubernetes resource representing the Kubernetes cluster being deployed.

It defines:

• Cluster identity
• Networking configuration
• Kubernetes version
• Infrastructure references
• Control plane references

This object becomes the central orchestration point for all subsequent deployment tasks.

Machine Deployment

The Machine Deployment resource defines the desired worker node deployment configuration.

It controls:

• Number of worker nodes
• Worker node scaling
• Worker node upgrade strategy
• Rolling update behaviours

This works similarly to a Kubernetes Deployment object but is used for virtual machine lifecycle management.

Machine Set

The Machine Set resource is automatically generated from the Machine Deployment.

Responsibilities include:

• Creating worker node machines
• Maintaining desired node count
• Replacing failed worker nodes
• Ensuring node consistency

The Machine Set continuously monitors worker node availability.

Kubeadm Control Plane

The Kubeadm Control Plane (KCP) object defines the Kubernetes control plane configuration.

It includes:

• API server configuration
• etcd deployment settings
• Control plane node count
• Bootstrap specifications
• Kubernetes initialization parameters

KCP is responsible for ensuring the Kubernetes control plane remains healthy and highly available.

vSphere Cluster

The vSphere Cluster object maps Kubernetes cluster deployment requirements to the underlying vSphere infrastructure.

It provides:

• Datacenter references
• Datastore selection
• Cluster placement policies
• Network references
• Resource pool configuration

This creates the bridge between Kubernetes orchestration and vSphere infrastructure resources.

Phase 2 – Infrastructure Provisioning

Once the cluster topology is defined, infrastructure provisioning begins.

This phase prepares the required networking and VM infrastructure services before Kubernetes nodes are deployed.

Key components:

• SubnetSet
• VMService
• Infra Ready State

SubnetSet

The SubnetSet resource allocates networking resources required by Kubernetes nodes.

This includes:

• IP allocation
• Network attachment
• Pod network preparation
• Service network preparation

Subnet readiness is extremely important because Kubernetes nodes cannot initialize without proper networking.

VMService

The VMService provides virtual machine lifecycle services for Kubernetes nodes.

Responsibilities include:

• VM creation
• VM power operations
• Resource allocation
• Storage attachment
• VM metadata injection

VMService integrates directly with the Supervisor environment and vSphere infrastructure.

Infra Ready State

After networking and infrastructure services are successfully configured, the deployment reaches the Infra Ready state.

This indicates:

• Networking is operational
• Infrastructure services are reachable
• VM provisioning services are functional
• Deployment prerequisites are satisfied

Only after this validation does the deployment proceed to control plane provisioning.

Phase 3 – Control Plane Deployment

This is one of the most critical stages in VKS cluster deployment.

The Kubernetes control plane is responsible for cluster orchestration, API management, scheduling, and overall cluster health.

Phase 3 is divided into three sub-phases:

• Phase 3a – Control Plane Bootstrap
• Phase 3b – Control Plane VM Provisioning
• Phase 3c – Node Bootstrap

Phase 3a – Control Plane Bootstrap

This phase initializes the Kubernetes control plane configuration.

Key components:

• kubeadmConfig
• Machine CP
• Secret
• SubnetPort

kubeadmConfig

The kubeadmConfig resource contains bootstrap instructions used to initialize Kubernetes.

It defines:

• Kubernetes version
• Cluster initialization commands
• Certificates
• API server settings
• kubelet configuration

This configuration is later injected into the control plane VM.

Machine CP

The Machine CP object represents the control plane machine definition.

It defines:

• VM sizing
• Placement policies
• Bootstrap references
• Infrastructure references

This object acts as the orchestration layer for control plane VM creation.

Secret

The Secret resource stores sensitive deployment data.

Examples include:

• Kubernetes certificates
• Authentication tokens
• kubeconfig files
• Encryption data

Secrets are automatically consumed during bootstrap operations.

SubnetPort

The SubnetPort resource assigns networking interfaces and IP addresses to the control plane node.

This ensures:

• Control plane VM connectivity
• API server reachability
• Cluster communication

Phase 3b – Control Plane VM Provisioning

After bootstrap configuration is ready, the actual control plane VM is deployed.

Main components:

• vSphereMachine
• VirtualMachine

vSphereMachine

The vSphereMachine object defines the infrastructure-specific VM configuration.

It contains:

• VM template references
• Datastore selection
• CPU and memory allocation
• Network attachment
• Storage policies

This object interacts directly with vSphere APIs.

Virtual Machine

The Virtual Machine object represents the actual VM deployed in vSphere.

Once powered on:

• kubeadm bootstrap begins
• Kubernetes binaries initialize
• etcd starts
• API server comes online

At this stage, the Kubernetes control plane starts becoming operational.

Phase 3c – Node Bootstrap

This phase completes Kubernetes initialization.

The major operation here is:

CP Init

Control Plane Initialization performs:

• etcd cluster initialization
• Kubernetes API startup
• Controller Manager startup
• Scheduler startup
• Certificate generation
• Cluster token creation

Once completed:

• Kubernetes API becomes reachable
• Cluster management becomes available
• Worker node provisioning can begin

This is effectively the point where the Kubernetes cluster becomes alive.

 

Phase 4 – Worker Provisioning

After the control plane is operational, worker nodes are deployed.

Key components include:

• KubeadminConfig
• Machine Worker
• vSphereMachine
• VirtualMachine
• SubnetPort
• Available State

Machine Worker

The Machine Worker object defines worker node specifications.

It controls:

• Worker node sizing
• Scaling policies
• Bootstrap references
• Infrastructure references

Worker Node Bootstrap

Worker nodes receive bootstrap configuration from the control plane using kubeadm join operations.

This process includes:

• Fetching cluster certificates
• Registering with API server
• Installing kubelet
• Joining Kubernetes cluster

vSphereMachine and VirtualMachine

Just like control plane deployment, worker nodes are provisioned as virtual machines in vSphere.

These VMs are:

• Attached to Kubernetes networking
• Configured using bootstrap metadata
• Registered into the Kubernetes cluster

Available State

Once worker nodes successfully join the cluster, the deployment reaches the Available state.

This confirms:

• Control plane is healthy
• Worker nodes are operational
• Kubernetes services are functional
• Cluster is ready for workloads

Understanding the Complete Workflow

The complete deployment sequence can be summarized as:

1. Cluster topology definitions are generated
2. Infrastructure resources are prepared
3. Control plane configuration is initialized
4. Control plane VMs are deployed
5. Kubernetes API becomes operational
6. Worker nodes are provisioned
7. Worker nodes join the cluster
8. Cluster reaches available state

Why These Deployment Phases Matter

Understanding these phases is extremely useful for:

Troubleshooting

Administrators can identify exactly where deployment failures occur:

• Topology generation issues
• Infrastructure readiness problems
• VM provisioning failures
• Bootstrap failures
• Node join issues

Operational Visibility

Each phase provides visibility into:

• Infrastructure readiness
• Cluster initialization
• Networking dependencies
• VM lifecycle state

Better Design Planning

Understanding the workflow helps architects design:

• Scalable Kubernetes environments
• Reliable infrastructure layouts
• High availability configurations
• Efficient network planning

The VKS cluster deployment workflow inside VMware Cloud Foundation is designed with a layered and highly automated architecture. Instead of manually deploying Kubernetes components, VKS orchestrates infrastructure provisioning, control plane initialization, networking, VM deployment, and worker node onboarding through a structured deployment pipeline.

Each phase in the deployment process has a very specific responsibility, and together they create a reliable, scalable, and enterprise-ready Kubernetes platform on top of VMware infrastructure.

For administrators working with VMware Cloud Foundation and VKS, understanding these deployment phases is essential for successful implementation, troubleshooting, and lifecycle management of Kubernetes environments.

 

Exploring Automation and Self-Service Enhancements in VMware Cloud Foundation 9.1

With every new release, VMware Cloud Foundation continues to improve how organizations consume and operate private cloud infrastructure. In the recently announced VCF 9.1 release, one of the major focus areas is automation and self-service capabilities designed to simplify private cloud operations and improve deployment efficiency.

As highlighted in the official VMware Cloud Foundation 9.1 Automation announcement, the new release introduces several enhancements around runtime services, Kubernetes lifecycle management, faster provisioning workflows, and tenant networking automation.

In this blog, I will walk through the key automation and self-service improvements introduced with VMware Cloud Foundation 9.1.

Runtime Services Architecture in VCF 9.1

One of the important architectural updates in VCF 9.1 is the introduction of three dedicated runtime service options:

• VM Service
• Container Service
• VMware vSphere Kubernetes Service (VKS)

This runtime service segmentation provides a more structured and service-oriented approach for private cloud consumption. Instead of managing all workloads through a single runtime layer, administrators can now align services based on workload and operational requirements.

The update enables organizations to consume virtualization and Kubernetes services independently while continuing to operate under the VMware Cloud Foundation platform. From an operational perspective, this model also improves clarity for infrastructure teams managing different workload types across the environment.

Additionally, VCF 9.1 simplifies container adoption by offering a dedicated Container Service with lifecycle management capabilities. Organizations can deploy and manage containers without requiring deep Kubernetes expertise, while still having a clear migration path toward full Kubernetes-based platforms using VKS.

Container Service Lifecycle Management

Another major enhancement highlighted in the VCF Automation 9.1 announcement is the addition of lifecycle management capabilities for Container Service directly from the automation interface.

According to the published blog, administrators can now perform the following operations through the interface:

• Deploy containers
• Configure container environments
• Monitor container workloads
• Upgrade container deployments
• Delete container environments

This provides a centralized operational experience for container lifecycle management inside VMware Cloud Foundation.

Instead of relying on multiple management workflows, administrators can now perform lifecycle operations from a unified automation platform.

The enhancement is focused on improving operational consistency while simplifying day-to-day container management activities.

Fast Deploy Capability for VM and VKS Provisioning

Provisioning speed is another area where VCF 9.1 introduces significant improvements.

The release adds Fast Deploy capabilities for both VM provisioning and VMware vSphere Kubernetes Service (VKS) cluster deployments.

For organizations deploying Kubernetes environments at scale, deployment time and upgrade windows are critical operational factors. VMware has highlighted substantial improvements in both deployment and upgrade workflows for VKS clusters.

VKS Cluster Deployment Improvements

According to the official announcement:

• VKS cluster deployment time has been reduced from 37 minutes to 11 minutes.
• This represents a 69% improvement in deployment speed.

Reducing cluster deployment time helps accelerate infrastructure readiness for Kubernetes-based workloads and development environments.

Faster provisioning also improves operational agility for infrastructure teams handling frequent cluster requests.

VKS Cluster Upgrade Improvements

VCF 9.1 also introduces major improvements in cluster upgrade workflows.

As published in the official blog:

• VKS cluster upgrade time has been reduced from 6.9 hours to 1.7 hours.
• This delivers approximately a 75% improvement in upgrade efficiency.

Cluster upgrades are often one of the more time-consuming operational activities in Kubernetes environments. Reducing upgrade duration can help simplify lifecycle operations and reduce maintenance windows for infrastructure administrators.

Self-Service Networking and Tenant Automation Enhancements

Along with runtime and provisioning improvements, VCF 9.1 also expands networking automation and tenant self-service capabilities.

The release introduces several new networking-related automation features, including:

• Tenant IP address pre-allocation
• Multiple external connections
• Multiple transit gateways per tenant
• Direct data center access
• VPN deployment
• Gateway firewall support
• Shared subnet capabilities
• VLAN extension support

These enhancements are designed to provide additional flexibility for tenant networking and private cloud connectivity requirements.

Tenant IP Address Pre-Allocation

VCF 9.1 introduces tenant IP address pre-allocation capabilities as part of the self-service networking enhancements.

This helps streamline IP management workflows during tenant provisioning and deployment operations.

Multiple External Connections

The release also adds support for multiple external connections.

This enhancement provides additional flexibility for connectivity requirements across different tenant or application environments.

Multiple Transit Gateways Per Tenant

Another networking enhancement introduced in VCF 9.1 is support for multiple transit gateways per tenant.

This capability expands networking design flexibility for environments requiring segmented or multi-path connectivity models.

VPN Deployment and Gateway Firewall Support

VCF 9.1 further expands networking automation with support for:

• VPN deployment
• Gateway firewall capabilities

These additions enhance networking configuration and connectivity management directly through the automation platform.

Shared Subnets and VLAN Extensions

The release also introduces support for:

• Shared subnets
• VLAN extensions

These capabilities further improve networking flexibility for tenant environments and workload connectivity scenarios.

The VMware Cloud Foundation 9.1 release continues to enhance automation and self-service capabilities across private cloud environments.

Based on the official VMware announcement, the release focuses on:

• Runtime service separation
• Container lifecycle management
• Faster VM and VKS provisioning workflows
• Improved VKS upgrade efficiency
• Expanded tenant networking automation capabilities

The Fast Deploy enhancements for VMware vSphere Kubernetes Service (VKS) are one of the key highlights of this release, especially with the significant reduction in deployment and upgrade times.

At the same time, the additional networking automation capabilities continue to improve flexibility for self-service private cloud operations within VMware Cloud Foundation environments.

Designing Supervisor Zone Architecture in VMware Kubernetes Service

As organizations modernize their infrastructure to support cloud-native applications, Kubernetes has become a foundational platform. With VMware Kubernetes Service running natively on vSphere, enterprises can now seamlessly integrate Kubernetes into their existing virtualized environments.

However, a successful deployment is not just about enabling Kubernetes—it requires careful architectural planning. One of the most critical design aspects is the Supervisor Zone Model, which determines how control plane components and workloads are distributed across the infrastructure.

This blog provides a structured view of Supervisor Zone architecture, key design principles, and alignment with enterprise deployments.

Understanding Supervisor Zones

A Supervisor Zone represents a logical failure domain within the vSphere environment. It groups compute, storage, and networking resources to provide:

• Fault isolation
• High availability
• Predictable workload placement

These zones are conceptually similar to availability zones in public cloud platforms but are tightly integrated with on-prem infrastructure managed through vCenter Server and VMware NSX.

Supervisor Deployment Models

Depending on availability and isolation requirements, the Supervisor can be deployed using one of the following models:

1. Single Management Zone – Combined Workloads

In this model, both the Supervisor control plane and workloads run within the same zone.

Characteristics:

• Simplified deployment
• Shared resources
• Single failure domain

Use Case:
Suitable for lab environments, proof-of-concepts, or small-scale deployments.

2. Single Management Zone – Isolated Workloads

The Supervisor control plane is deployed in one zone, while workloads run in separate zones.

Characteristics:

• Logical separation of workloads
• Improved resource isolation
• Control plane remains single zone

Use Case:
Appropriate for environments requiring workload segmentation without complex infrastructure.

3. Three Management Zones – Combined Workloads

The control plane is distributed across three zones, while workloads share the same zones.

Characteristics:

• High availability for control plane
• Balanced resource utilization
• Simplified workload placement

Use Case:
Recommended for production environments where availability is a priority.

4. Three Management Zones – Isolated Workloads

The control plane spans three zones, and workloads are deployed in separate, dedicated zones.

Characteristics:

• Maximum resilience
• Strong isolation
• Enhanced performance predictability

Use Case:
Ideal for enterprise-scale, multi-tenant, and mission-critical environments.

Design Considerations

Zone Scalability

• A single Supervisor supports up to 30 zones
• Zones should align with physical or logical boundaries such as racks or availability domains

Networking and Load Balancing

All deployment models support flexible networking and load balancing options.

Networking Models:

• VPC-based networking
• NSX-backed segments
• VLAN-backed networking

Load Balancer Options:

• NSX Load Balancer
• Avi Load Balancer
• VCF-integrated load balancing

These capabilities are enabled through VMware NSX, ensuring consistent networking and security policies.

Platform Constraints

• All zones must be managed by a single vCenter Server
• Networking must be provided by a single VMware NSX instance
• Control plane virtual machines remain within management zones and cannot move across workload zones

These constraints should be considered early during the design phase to avoid rework.

VMware Cloud Foundation Alignment

In environments built on VMware Cloud Foundation, Supervisor architecture aligns with the concept of Workload Domains.

Mapping Overview

• Workload Domain → Infrastructure boundary
• Supervisor Cluster → Kubernetes control plane
• vSphere Cluster → Zone
• NSX → Networking and security layer

Deployment Lifecycle

Day-0 Deployment:

• Supervisor is enabled during workload domain creation
• Limited to a single management zone

Day-2 Operations:

• Addition of zones
• Expansion to multi-zone architecture
• Load balancer and networking adjustments

This staged approach highlights the importance of planning for future scalability.

Networking Considerations

Proper IP planning is essential for successful deployment.

Key elements include:

• Management network CIDR
• Pod CIDR
• Service CIDR
• External IP pools

In VPC-based environments, communication between Supervisor and workload clusters relies on external IP allocation, making IP planning a critical design step.

Operations and Access

VCF CLI

The VCF CLI is used for:

• Authentication
• Managing Supervisor contexts
• Generating kubeconfig files

This simplifies cluster access and operational workflows.

SSH Access

• Direct SSH access via external IP is not supported
• Access is enabled through:
• Credentials retrieved from vCenter Server
• Supervisor management network

Best Practices

• Prefer three management zones for production environments
• Use isolated workload zones for better security and performance
• Align zones with physical infrastructure design
• Plan networking and CIDR ranges in advance
• Use Day-2 operations to scale architecture as needed

Supervisor Zone design plays a critical role in determining the success of Kubernetes deployments on vSphere.

While single-zone deployments offer simplicity, multi-zone architectures provide the resilience and scalability required for enterprise workloads. By aligning Supervisor design with infrastructure capabilities and business requirements, organizations can build a robust and future-ready Kubernetes platform.

With platforms like VMware Kubernetes Service and VMware Cloud Foundation, enterprises are well-positioned to deliver consistent, scalable, and secure cloud-native environments.