Thursday, June 4, 2026

vCenter Management Evolved: Say Goodbye to ELM in VMware Cloud Foundation 9.x

For years, vSphere administrators managing large-scale environments relied on Enhanced Linked Mode (ELM) to achieve a single pane of glass across multiple vCenter Servers. While ELM served us well, it carried architectural baggage: brittle replication rings, strict version locksteps, and complex recovery steps if a single vCenter database became corrupted.

With the release of VMware Cloud Foundation (VCF) 9.x, VMware has officially deprecated ELM. In its place is a modernized, cloud-native architecture: vCenter Linking (also known as Linked vCenter Groups). Managed natively via VCF Operations, this new approach completely decouples multi-vCenter management from legacy database replication.
Here is a deep dive into why this change matters and how it works under the hood.

Why the Architecture Evolved: ELM vs. vCenter Linking
The shift to vCenter Linking solves the most painful lifecycle management (LCM) challenges of legacy vSphere designs.
1. Version Independence
  • The Old Way (ELM): All vCenters in an ELM ring had to run identical or highly compatible build versions. Upgrading one often meant upgrading all of them in a strict, coordinated window.
  • The New Way (VCF 9.x): vCenters are now decoupled. You can upgrade an individual workload domain vCenter to a newer patch without touching the others.
2. Zero Topology Downtime
  • The Old Way (ELM): Breaking, rebuilding, or recovering a failed node in an ELM replication ring required meticulous snapshot planning and risked breaking the entire SSO domain.
  • The New Way (VCF 9.x): Adding or removing vCenters from a group is an API-driven, non-disruptive task. If one vCenter goes offline, the remaining nodes continue to function seamlessly.
3. Modern Identity & Security
  • The Old Way (ELM): Relied on heavily synchronized, local single sign-on (SSO) databases across physical locations.
  • The New Way (VCF 9.x): Leverages standard token protocols (OIDC and SAML). It integrates cleanly with external Identity Providers (IdPs) like Okta, Microsoft Entra ID, and Ping Identity, eliminating the need to sync local credentials across sites.

Under the Hood: How vCenter Linking Works
Instead of peer-to-peer database synchronization, VCF 9.x introduces a brokered-identity and data-streaming framework orchestrated by VCF Operations.
The 4-Step Connection Process:
  1. Validation: The VCF Adapter initiates a handshake, verifying that target vCenters meet the minimum vCenter 9.0 version requirements and validating administrative access.
  2. Identity Brokerage: The system utilizes the VCF Identity Broker (VIDB). Instead of merging SSO domains, VIDB fetches independent SSO Domain IDs and security token services from each instance.
  3. Establishing Trusted Pools: Root certificates and lookup services are securely exchanged to create a cross-domain "Trusted Pool". This allows a token from one SSO domain (e.g., vsphere.local) to be securely exchanged for a token on another (e.g., nsx.local) on the fly.
  4. Asynchronous Streaming via gRPC: Rather than pulling massive database tables, the VCF adapter subscribes to a continuous, long-lived HTTP/2 stream on the vCenters using gRPC. Changes, inventory updates, and events are streamed asynchronously and incrementally in lightweight batches.
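
The first three steps above, modelled as an added example that is not VMware code or a VCF API: candidates are version-checked, each accepted instance's root is pinned under its SSO Domain ID, and a token exchange is allowed only between pooled domains. The record fields, token keys, and sample inventory are assumptions made for illustration, and signature verification is reduced to a fingerprint comparison.

```python
# Conceptual model of the linking steps; not VMware code and not a VCF API.
import hashlib
import time
from dataclasses import dataclass

MIN_VERSION = (9, 0)  # minimum vCenter version named in the Validation step

@dataclass(frozen=True)
class VCenter:  # hypothetical record; all field names are assumptions
    fqdn: str
    version: str
    sso_domain_id: str
    root_cert: str  # constructed placeholder text, not a real certificate

def fingerprint(cert: str) -> str:
    """SHA-256 of the certificate text, used here as the pinned identifier."""
    return hashlib.sha256(cert.encode()).hexdigest()

def build_trusted_pool(vcenters):
    """Steps 1-3: version-check each candidate, then pin its root per SSO domain ID."""
    pool, rejected = {}, []
    for vc in vcenters:
        major_minor = tuple(int(p) for p in vc.version.split(".")[:2])
        if major_minor < MIN_VERSION:
            rejected.append(vc.fqdn)  # never enters the pool, so never trusted
            continue
        pool[vc.sso_domain_id] = fingerprint(vc.root_cert)
    return pool, rejected

def may_exchange(pool, token, target_domain_id, now=None):
    """Return (allowed, reason) for swapping a token into another pooled domain."""
    now = time.time() if now is None else now
    pinned = pool.get(token["issuer_domain_id"])
    if pinned is None:
        return False, "issuer not in pool"
    if target_domain_id not in pool:
        return False, "target not in pool"
    if token["signer_fingerprint"] != pinned:
        return False, "signer does not match pinned root"
    if token["expires_at"] <= now:
        return False, "token expired"
    return True, "ok"

# Constructed sample inventory (names and versions are made up for the example).
INVENTORY = [
    VCenter("vc-mgmt.example.test", "9.0.1", "dom-a", "ROOT-A"),
    VCenter("vc-wld1.example.test", "9.1.0", "dom-b", "ROOT-B"),
    VCenter("vc-old.example.test", "8.0.3", "dom-c", "ROOT-C"),
]
POOL, REJECTED = build_trusted_pool(INVENTORY)
```

In this model the 8.0.3 instance is rejected at validation, so tokens issued by or requested for its domain are refused even if they are otherwise well formed.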

Step-by-Step Configuration Workflow
Setting up a Linked vCenter Group is entirely driven by a streamlined wizard inside the modern VCF management platform:
  1. Deploy VIDB: Deploy the VCF Identity Broker (VIDB) in either embedded or external cluster mode depending on your scale requirements.
  2. Access the Console: Log in to your VCF Operations Console.
  3. Navigate to Linking: Go to Infrastructure Operations > Configurations > vCenter Linking.
  4. Create the Group: Click Create Group, name your topology, select the independent vCenter Server instances you wish to link, and authorize the cross-domain trust.
Once complete, administrators can log in to a single vSphere UI and view, manage, and provision resources across all linked instances simultaneously.

The Verdict
vCenter Linking in VCF 9.x represents a massive leap forward for enterprise infrastructure stability. By separating the management plane from the data replication plane, VMware has finally removed the upgrade roadblocks that plagued large-scale vSphere environments for years.