vCenter Management Evolved: Say Goodbye to ELM in VMware Cloud Foundation 9.x

For years, vSphere administrators managing large-scale environments relied on Enhanced Linked Mode (ELM) to achieve a single pane of glass across multiple vCenter Servers. While ELM served us well, it carried architectural baggage: brittle replication rings, strict version locksteps, and complex recovery steps if a single vCenter database became corrupted.

With the release of VMware Cloud Foundation (VCF) 9.x, VMware has officially deprecated ELM. In its place is a modernized, cloud-native architecture: vCenter Linking (also known as Linked vCenter Groups). Managed natively via VCF Operations, this new approach completely decouples multi-vCenter management from legacy database replication.

Here is a deep dive into why this change matters and how it works under the hood.

---

Why the Architecture Evolved: ELM vs. vCenter Linking

The shift to vCenter Linking solves the most painful lifecycle management (LCM) challenges of legacy vSphere designs.

1. Version Independence

• The Old Way (ELM): All vCenters in an ELM ring had to run identical or highly compatible build versions. Upgrading one often meant upgrading all of them in a strict, coordinated window.
• The New Way (VCF 9.x): vCenters are now decoupled. You can upgrade an individual workload domain vCenter to a newer patch without touching the others.

2. Zero Topology Downtime

• The Old Way (ELM): Breaking, rebuilding, or recovering a failed node in an ELM replication ring required meticulous snapshot planning and risked breaking the entire SSO domain.
• The New Way (VCF 9.x): Adding or removing vCenters from a group is an API-driven, non-disruptive task. If one vCenter goes offline, the remaining nodes continue to function seamlessly.

3. Modern Identity & Security

• The Old Way (ELM): Relied on heavily synchronized, local single sign-on (SSO) databases across physical locations.
• The New Way (VCF 9.x): Leverages standard token protocols (OIDC and SAML). It integrates cleanly with external Identity Providers (IdPs) like Okta, Microsoft Entra ID, and Ping Identity, eliminating the need to sync local credentials across sites.

---

Under the Hood: How vCenter Linking Works

Instead of peer-to-peer database synchronization, VCF 9.x introduces a brokered-identity and data-streaming framework orchestrated by VCF Operations.

The 4-Step Connection Process:

1. Validation: The VCF Adapter initiates a handshake, verifying that target vCenters meet the minimum vCenter 9.0 version requirements and validating administrative access.
2. Identity Brokerage: The system utilizes the VCF Identity Broker (VIDB). Instead of merging SSO domains, VIDB fetches independent SSO Domain IDs and security token services from each instance.
3. Establishing Trusted Pools: Root certificates and lookup services are securely exchanged to create a cross-domain "Trusted Pool". This allows a token from one SSO domain (e.g., vsphere.local) to be securely exchanged for a token on another (e.g., nsx.local) on the fly.
4. Asynchronous Streaming via gRPC: Rather than pulling massive database tables, the VCF adapter subscribes to a continuous, long-lived HTTP/2 stream on the vCenters using gRPC. Changes, inventory updates, and events are streamed asynchronously and incrementally in lightweight batches.

---

Step-by-Step Configuration Workflow

Setting up a Linked vCenter Group is entirely driven by a streamlined wizard inside the modern VCF management platform:

1. Deploy VIDB: Deploy the VCF Identity Broker (VIDB) in either embedded or external cluster mode depending on your scale requirements.
2. Access the Console: Log into your VCF Operations Console.
3. Navigate to Linking: Go to Infrastructure Operations > Configurations > vCenter Linking.
4. Create the Group: Click Create Group, name your topology, select the independent vCenter Server instances you wish to link, and authorize the cross-domain trust.

Once complete, administrators can log into a single vSphere UI and view, manage, and provision resources across all linked instances simultaneously.

---

The Verdict

vCenter Linking in VCF 9.x represents a massive leap forward for enterprise infrastructure stability. By separating the management plane from the data replication plane, VMware has finally removed the upgrade roadblocks that plagued large-scale vSphere environments for years.

More details: https://blogs.vmware.com/cloud-foundation/2026/06/02/vcenter-management-evolved-new-vcenter-linking-in-vmware-cloud-foundation-9-x

Component Comparison Between VCF 5.2, VCF 9.0, and VCF 9.1

As  VCF 9.1 released, so here is quick summary of VCF Components comparison.

More details can be found on: 

https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-1/deployment/vcf-management-appliances.html#GUID-2bab6de2-024a-4900-9716-7fba53ea0721-en_id-e0fe7eb4-1875-4819-dca9-c34434b2d173

Delhi VMUG – Unlocking the Future with VCF

In-Person Meetup | 20 December 2025 | Holiday Inn, Mayur Vihar, Delhi

After a long wait, VMUG Delhi NCR is thrilled to announce the return of its in-person community events. Our upcoming meetup, “Unlocking the Future with VCF”, brings together VMware professionals, architects, administrators, customers, and community enthusiasts for a day filled with learning, collaboration, and innovation.
This event marks an important milestone – the revival of our physical gatherings and the beginning of a stronger, more active Delhi VMUG chapter built on knowledge sharing and community spirit.

Why This VMUG Meetup Matters
The technology landscape is evolving rapidly, with multi-cloud adoption, modern applications, container platforms, and automation shaping the future of IT. VMware Cloud Foundation (VCF) now stands at the center of this transformation.
Through this event, we aim to enable practitioners to:

• Understand the transition from traditional vSphere environments to VCF

• Explore modern Kubernetes platforms like VKS

• Learn real-world migration strategies with HCX

• Connect with peers, experts, and leaders in the VMware community

Whether you are new to VMware technologies or a seasoned professional, this meetup promises valuable insights and meaningful interactions.

📅 Event Details
📍 Venue: Holiday Inn New Delhi Mayur Vihar, New Delhi – 110091
📆 Date: Saturday, 20 December 2025
🕒 Time: 9:30 AM – 3:00 PM IST

📝 Agenda: https://tinyurl.com/vmugdelhiagenda
9:30 AM – 10:00 AM Registration & Networking
Kick off the morning by meeting fellow VMUG community members and interacting with peers and industry experts.

10:00 AM – 10:15 AM Introductions by VMUG Leaders
Abhishek Agarwal & Saroop Singh, the new Delhi NCR community leaders, will welcome the attendees and outline the vision for the chapter.

10:15 AM – 11:15 AM Keynote Session: Simplified Journey from vSphere to VCF
A deep dive into why organizations are embracing VCF and how they can transition smoothly from existing vSphere deployments.

11:15 AM – 11:30 AM – Tea Break

11:45 AM – 12:45 PM VKS Overview & Use Cases
Discover how VMware Kubernetes Services (VKS) simplifies modern app deployment and offers enterprise-grade container management.

12:45 PM – 1:45 PM Workload Migration Overview using HCX
Learn about real-world usage of HCX for seamless workload mobility, datacenter consolidation, and cloud transitions.

1:45 PM – 2:45 PM – Lunch Break

2:45 PM – 3:00 PM Quiz & Closing Note
A short fun quiz followed by concluding remarks from VMUG leaders and community announcements and Giveaways!

Why You Should Attend
✔ Exclusive technical sessions delivered by experts
✔ Real-world use cases & architectural insights
✔ Interact with VMware practitioners, partners & customers
✔ Be part of an active, growing Delhi NCR tech community
✔ A great opportunity to expand your network
✔ Fun, learning, and community engagement—all in one place!

🔗 Register Now
Grab your seat for the year’s most anticipated community meetup!
👉 https://tinyurl.com/vmugdelhi2025

🌐 Become a VMUG Member
If you aren’t already part of the global VMUG family, sign up today—it’s free!
👉 www.vmug.com

Join Us and Be Part of the Revival
The return of in-person VMUG Delhi NCR marks the beginning of an exciting new chapter. We look forward to reconnecting with the community, sharing knowledge, and building a collaborative ecosystem that accelerates
everyone’s VMware journey.

See you on 20th December at Holiday Inn, Mayur Vihar, New Delhi.

VCF 5.x and VCF9.0 Component Comparison

VMware by Broadcom has announced the release of VMware Cloud Foundation 9.0, making it an ideal time to review and compare the key component from the VCF 5.x to VCF 9.0

Find more details on VCF 9.0 : Click here

Create a Custom ESXi ISO Image along with vendor Add-on Using vSphere Lifecycle Manager

In case Custom Image with required build and version not available from Server Hardware OEM, you can create a custom ESXi ISO that incorporates vendor add-ons (such as those from HPE, Dell, Cisco, etc.) even if the specific ESXi build or version you're targeting hasn't been released by the hardware OEM yet. This approach allows you to leverage the latest security patches while still benefiting from the vendor-specific enhancements.

1. Import ESXi Patch and Vendor Add-on to vLCM Depot

Prerequisites:

• Ensure you have the necessary privileges.

• Obtain the correct versions of ESXi offline bundle depot zip file and vendor add-on zip file from Broadcom download portal.

Steps:

1. Log in to the vSphere Client.

2. Navigate to Menu > Lifecycle Manager.

3. Go to the Image Depot tab.

4. Click Actions > Import Updates.

5. In the Import Updates dialog:

   • Click Browse and select the ESXi patch ZIP file.

   • Click Browse again and select the vendor add-on ZIP file 

   • Click OK 

Note: Ensure the ZIP files are compatible with your vSphere version.

Click lifecycle manager on below page:

Then after selecting image Depot click on action menu and then click on Import Updates, repeat this task for ESXi Depot zip file and then Vendor Add-on zip file as per your Hardware.

2. Create Temporary Cluster with Single Image Management

1. In the vSphere Client, navigate to Menu > Hosts and Clusters.

2. Right-click on the datacenter and select New Cluster.

3. Enter a name for the cluster (e.g., Temp-Custom-ISO-Cluster).

4. Check the box "Manage all hosts in the cluster with a single image".

5. Under chose how to setup custom image - Compose a new image like below:

Click Next and then choose the ESXi version and add-on along with correct version which you imported in Task 1:

Click Next and then Finish.

This will create a new cluster with Image as per tour ESXi Version Build along with Vendor Add-on.

Select cluster in the left pane under Host and Cluster Menu and then click on updates tab:

On this page in the top right corner click on three dots and then choose Export :

Below page select ISO and click on Export, make sure there is no pop-up blocker. if so accept and then you can retry the same.

This will download the ISO file which will have ESXi version along with Vendor-On.

3. Delete Temporary Cluster

1. In the vSphere Client, navigate to Menu > Hosts and Clusters.

2. Right-click on Cluster you created in above step (e.g., Temp-Custom-ISO-Cluster). and delete the same.

More details: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-5-2-and-earlier/5-2/create-a-custom-esxi-iso-image-using-vsphere-lifecycle-manager.html

How to Replace vCenter Machine SSL Certificate with a Custom Certificate

When managing a vCenter Server, it is important to ensure your certificates are properly configured for secure communication. This blog will walk you through the process of replacing the default machine SSL certificate with your own custom certificate in VMware vCenter.

Prerequisites:

1. Custom Certificate: You should already have your custom SSL certificate, private key, and root CA certificate ready.
2. Backup: Always take an offline snapshot of your vCenter Server Appliance (vCSA) before proceeding, especially if the vCenter is part of an Enhanced Linked Mode (ELM) configuration. This ensures you can revert back if anything goes wrong.

Steps to Replace the vCenter Machine SSL Certificate:

1. Take an Offline Snapshot of vCenter

If you’re working in a vCenter Cluster (ELM), make sure to take an offline snapshot of all vCenter Servers in the cluster before starting the process. This ensures you can roll back to a stable state if needed.

2. Log in to vCenter Appliance (vCSA)

Connect to your vCenter Server Appliance via SSH. If SSH is not enabled, enable it from the vCenter Appliance Management Interface (VAMI).

3. Launch the VMware Certificate Manager

Once logged in, navigate to the VMware Certificate Manager utility to replace the SSL certificate.

For vCenter Server 6.x/7.x/8.x Appliance, run the following command:

/usr/lib/vmware-vmca/bin/certificate-manager

4. Select Option 1: Replace Machine SSL Certificate with Custom Certificate

After launching the Certificate Manager, select Option 1 to replace the machine SSL certificate with your custom certificate.

1) Replace Machine SSL certificate with custom certificate

When prompted, enter the administrator@vsphere.local password to authenticate.

5. Select Option 2: Import Custom Certificate

Next, choose Option 2 to import your custom certificate since you already have the custom certificate prepared.

6. Enter Directories for Certificate Files

You will now be asked to provide the location of your certificate files. Make sure you have the following ready:

• Machine SSL Certificate (machine_name_ssl.cer)
• Private Key (machine_name_ssl.key)
• Root CA Certificate (Root64.cer)

Enter the paths of these files when prompted:

• Machine SSL Certificate (e.g., /tmp/ssl/machine_name_ssl.cer)
• Private Key (e.g., /tmp/ssl/machine_name_ssl.key)
• Signing Certificate (Root CA Certificate) (e.g., /tmp/ssl/Root64.cer)

For example:

Provide a valid custom certificate for Machine SSL:
/tmp/ssl/machine_name_ssl.cer

Provide a valid custom key for Machine SSL:
/tmp/ssl/machine_name_ssl.key

Provide the signing certificate of the Machine SSL certificate:
/tmp/ssl/Root64.cer

7. Confirm the Changes

After entering the file paths, the utility will prompt you to confirm the replacement of the existing certificates. Answer Yes (Y) to proceed.

8. Restart vCenter Services

The certificate replacement process will replace the old SSL certificate with your custom one. Once completed, vCenter services will automatically restart to apply the new certificate.

9. Verify the New SSL Certificate

After the vCenter services restart, verify that the new certificate is applied by logging into the vSphere Client (Web UI) and checking the SSL certificate in your browser. You should now see your custom certificate instead of the default self-signed VMware certificate.

---

Important Notes:

• If you have multiple vCenter servers in an Enhanced Linked Mode (ELM) configuration, ensure that you replace the machine SSL certificates on all vCenter instances in the ELM configuration.
• Make sure the root CA certificate is trusted by all clients and devices that will communicate with the vCenter Server.
• Always take a snapshot of your vCenter appliance before making any changes to the certificates.

By following these steps, you will replace the default SSL certificates with your custom ones, ensuring secure communications for your vCenter environment.

More details: you can also look in to VMware KB316601

Check SSH port connection using curl from VMware Appliances

Login to appliance using correct credential, once you logged in run below command and replace x.x.x.x with your target ip and Port with port number you want to check connectivity.

root@myserver [ ~ ]# curl -v telnet://x.x.x.x:Port
* Trying x.x.x.x:Port...
* Connected to x.x.x.x (x.x.x.x) port Port (#0)
^C

if port reachable you will get connected status. else it will keep trying but not able to connect.