WilliamLam.com

VCF 9.1 - Deploying VCF Operations for Networks to non-Management Network

06.10.2026 by William Lam // Leave a Comment

Thanks to a fellow colleague, Abdullah, who reached out after coming across my blog posts (HERE and HERE) on how to deploy VCF Management Services (VCFMS) and VCF Automation (VCFA) on a non-management network as part of a VMware Cloud Foundation (VCF) 9.1 upgrade. Using the same techniques, he was able to successfully deploy VCF Operations for Networks on a non-management network, which I thought was worth sharing an updated script with the broader community.

Similar to VCFMS and VCFA, VCF Operations for Networks (VON) is deployed using the Fleet Lifecycle Management (LCM) workflow in VCF Operations and, by default, both the platform and collector nodes are deployed onto the management network.

As you have probably guessed, we can use the Fleet LCM API to override this behavior and deploy VON on a non-management network!

[Read more...]

VCF 9.1 - Quick Tip: Forgot to Retrieve Auto-Generated Passwords from VCF Installer?

06.09.2026 by William Lam // 2 Comments

After completing a VMware Cloud Foundation (VCF) 9.1 deployment using the VCF Installer UI, users can view and download the auto-generated passwords for all VCF components before exiting the deployment workflow and logging into VCF Operations.

What if you forgot to make a note of the passwords? 😅

[Read more...]

VCF 9.1 - Configuring vSphere Supervisor to use VCF Identity Broker (IDB) for External Identity Federation

06.08.2026 by William Lam // Leave a Comment

The majority of VMware Cloud Foundation 9.1 components can automatically be configured when enabling VCF Single Sign-On (SSO), with the exception of VCF Operations HCX, Log Management (formally VCF Operations for Logs) and VCF Operations for Networks.

These additional VCF components can still be configured to use VCF SSO, however users must first create a new OIDC Client Application from the VCF Identity Broker before completing the VCF SSO configuration for those respective components.

This ability to create custom OIDC Client Application from the VCF Identity Broker brings up an interesting capability for those using vSphere Supervisor and have not deployed VCF Automation (VCFA). vSphere Supervisor can support external identity federation and you would typically create an OIDC Client from your identity provider (e.g. Keycloak). For simplicity purposes, especially for lab or PoC purposes, you could take advantage of the VCF Identity Broker to simply use it as the IdP for vSphere Supervisor and get the benefit of having a single OIDC Client from your IdP.

Note: When VCFA is deployed and configured to use your vSphere Supervisor, it actually becomes the IdP interface where you would then configure your external IdP within VCFA Tenant Portals and VCF Identity Broker is not involved at all to cleanly separate infrastructure configuration from tenant configurations.

[Read more...]