
VMware Cloud Foundation 9.0: Purpose-Built for App Modernization

In today’s constantly evolving digital landscape, organizations face increasing pressure to modernize and protect their applications. IT continues to navigate complex transitions, simultaneously maintaining traditional applications while deploying modern workloads and cloud-native architectures. Challenges such as managing diverse environments, ensuring robust and consistent security, achieving regulatory compliance, and simplifying operational complexity remain constant hurdles. Amid critical trends like AI apps, containerization, hybrid cloud adoption, and compliance requirements, it becomes increasingly clear that adopting a unified platform is essential. But not just any platform will do – VMware Cloud Foundation was purpose-built for app modernization.

VMware Cloud Foundation (VCF) 9.0 uniquely addresses these challenges by offering a comprehensive cloud platform to streamline both modern and traditional workloads. At its core is the time-proven and industry-leading virtualization platform, vSphere, hyperconverged storage by vSAN, and networking by NSX, making it the obvious choice for organizations pursuing a trusted platform for application modernization.

Kubernetes and VM Workloads Running in Harmony

It’s 2025 yet containers and virtual machines [still] largely exist in isolated silos, each with a distinct set of management tools, policies, and associated skillsets (yes, Kubernetes was supposed to solve this a decade ago, but here we are). VCF 9.0 changes this paradigm through the vSphere Supervisor, an embedded runtime which exposes a set of services for VMs (VM Service) and container management (vSphere Kubernetes Service (VKS)). These services enable cloud admins and platform engineers alike to operate within a unified interface to dramatically simplify tasks like provisioning, policy enforcement, and operations for all workloads.

Figure: Modern apps ecosystem in VCF

Great, but how does this help VMs?

The VM Service in VCF 9.0 provides a Kubernetes-native method of provisioning and managing virtual machines directly through the vSphere Supervisor. Exposed as a set of Custom Resource Definitions (CRDs), the VM Service lets users define and deploy VMs using standard Kubernetes YAML manifests via the VirtualMachine resource. These VMs are instantiated from templates stored in Content Libraries, allowing operators to centrally manage and curate enterprise-approved base images (e.g. CentOS, Ubuntu, Windows Server). Resource specifications – such as CPU, memory, disk size, guest OS customization, and attached storage – are also declared in the manifest. Once provisioned, VCF handles full lifecycle operations including attaching to the desired network(s) via NSX-backed segments and integration with Cloud-Native Storage (CNS) for persistent volumes in vSAN.
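As an added illustration of the declarative model described above (this is example configuration, not a manifest from the original post or from VMware's documentation), the following VM Service manifest declares a VM together with its cloud-init customization and a CNS-backed data disk. The namespace, VM class, image, storage class and network names are placeholders, and the `v1alpha1` API version is an assumption: newer Supervisor releases expose newer API versions whose field names differ slightly, so check `kubectl api-resources` on the target Supervisor before applying.

```yaml
# Added example, not from the original post. All names are placeholders; the
# v1alpha1 VM Operator schema is assumed (newer Supervisor releases may differ).
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: web01-cloudinit
  namespace: app-team-a            # Supervisor namespace (placeholder)
data:
  # Guest OS customization is delivered through cloud-init user-data.
  # The value is the base64 encoding of this two-line cloud-config:
  #   #cloud-config
  #   hostname: web01
  user-data: I2Nsb3VkLWNvbmZpZwpob3N0bmFtZTogd2ViMDEK
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: web01-data
  namespace: app-team-a
spec:
  accessModes: ["ReadWriteOnce"]
  storageClassName: vsan-default   # storage policy assigned to the namespace (placeholder)
  resources:
    requests:
      storage: 50Gi
---
apiVersion: vmoperator.vmware.com/v1alpha1
kind: VirtualMachine
metadata:
  name: web01
  namespace: app-team-a
  labels:
    app: web
    tier: frontend
spec:
  # CPU and memory are not inline fields: they come from the VM class.
  className: best-effort-small
  # Image curated in a Content Library associated with the namespace.
  imageName: ubuntu-22.04-curated  # placeholder image name
  powerState: poweredOn
  storageClass: vsan-default       # placement policy for the boot disk
  networkInterfaces:
    - networkType: nsx-t           # attach to the namespace's NSX-backed segment
  vmMetadata:
    configMapName: web01-cloudinit
    transport: CloudInit
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: web01-data      # CNS volume attached as an additional disk
```

Because the VM is an ordinary Kubernetes object, the same namespace RBAC, resource quotas and admission policies that govern pods apply to it; `kubectl get virtualmachine web01 -n app-team-a` shows its power state and assigned IP once the Supervisor has reconciled it.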

A Bridge to App Modernization

In the context of app modernization, the VM Service acts as a powerful bridge between legacy systems and cloud-native architectures. It allows organizations to onboard workloads that cannot yet be containerized – such as stateful monoliths, middleware systems, or off-the-shelf software – into a Kubernetes-controlled environment behind a declarative API. This enables platform teams to enforce uniform access controls, resource quotas, security policies, and automation workflows across both VMs and containers within the same namespace and management fabric. 

Figure: vSphere Supervisor services stack

Platform Engineers and consumers benefit from a consistent GitOps approach, treating VM-based infrastructure as code alongside containerized microservices. VCF Automation provides hybrid runtime workflows, policies, access controls, and declarative cluster management while operators gain deep visibility and governance through VCF Operations. This hybrid model accelerates modernization by enabling incremental refactoring of apps without forcing a full re-platforming upfront.

Lifecycle and Operations for All Apps

Modern applications demand rapid deployment cycles to drive business agility. “Swivel chair management” – managing and/or consuming disparate environments with disparate tools – is the status quo and leaves a lot to be desired. VCF 9.0 introduces a comprehensive self-service cloud portal in VCF Automation that empowers platform engineers and consumers to autonomously manage Kubernetes clusters, VM instances, or a hybrid of both. Each service comes with built-in governance, lifecycle management, and a robust policy engine. The recent addition of VKS cluster management (previously Tanzu Mission Control) further elevates VCF’s capabilities by centralizing multi-cluster Kubernetes management and allowing consistent enforcement of security, compliance, and operational policies across all clusters, irrespective of their location. This provides organizations with streamlined governance, visibility and significantly reduced administrative overhead.

Figure: Fleet management and tenancy with VCF Automation

To complement this, VCF Operations provides predictive analytics, capacity forecasting, and proactive health monitoring, substantially simplifying day-to-day operational activities. Integrated observability offers unparalleled visibility across VM and Kubernetes environments, providing detailed, real-time metrics and analytics at namespace and cluster levels to empower platform teams to quickly pinpoint issues, predict bottlenecks, and maintain high service levels. The latest release expands these capabilities into vSphere Supervisor, VM Service, and VKS-based workloads.

Observability

Observability and performance monitoring are enhanced through the integration of Istio Service Mesh and Prometheus. Istio acts as a transparent service mesh layer, injecting sidecar proxies into each pod, enabling deep visibility into east-west traffic, service dependencies, request latencies, and error rates – all independent of application-level code. This service-to-service telemetry can be exported to Prometheus, which continuously scrapes metrics from Istio endpoints and application-level Prometheus agents. The metrics are then exposed via standard PromQL queries, enabling real-time visualization and alerting.

Sticking to the “one platform for all workloads” theme, Prometheus within VCF 9.0 can also monitor VM workloads using node exporters. VM-based workloads deployed via the VM Service can be instrumented to emit Prometheus-compatible metrics or be monitored through infrastructure-level integrations, bridging the gap between traditional VM performance metrics and modern container telemetry. Working together, VCF’s unified observability stack enables platform teams to correlate network traffic patterns (Istio), service-level metrics (Prometheus), and infrastructure health (VCF Operations) across both VM and Kubernetes workloads. This is essential for operating applications across hybrid runtimes, enforcing SLOs, and optimizing resource usage in a multi-tenant platform.
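To make the two scrape paths in the preceding paragraphs concrete, here is an added example `prometheus.yml` (not from the original post or from VMware) that collects node_exporter metrics from VM Service VMs and Envoy sidecar metrics from Istio-injected pods in one Prometheus instance. The VM addresses, job names and the `runtime` label are constructed for illustration; the `istio-proxy` container name, the `*-envoy-prom` port name and the `/stats/prometheus` path are the conventions Istio's own sample scrape configuration uses.

```yaml
# Added example, not from the original post. Target addresses and labels are
# constructed; node_exporter is assumed to run inside each VM on port 9100.
global:
  scrape_interval: 30s
  evaluation_interval: 30s

scrape_configs:
  # VM workloads provisioned through the VM Service: plain static targets.
  - job_name: vm-node-exporter
    static_configs:
      - targets:
          - 10.10.20.11:9100      # web01 (placeholder address)
          - 10.10.20.12:9100      # web02 (placeholder address)
        labels:
          runtime: vm
          namespace: app-team-a

  # Container workloads: discover pods through the Kubernetes API and keep
  # only the Istio sidecar's Envoy stats port, so every meshed service is
  # scraped without per-application configuration.
  - job_name: istio-sidecars
    metrics_path: /stats/prometheus
    kubernetes_sd_configs:
      - role: pod
    relabel_configs:
      - source_labels: [__meta_kubernetes_pod_container_name]
        action: keep
        regex: istio-proxy
      - source_labels: [__meta_kubernetes_pod_container_port_name]
        action: keep
        regex: '.*-envoy-prom'
      - source_labels: [__meta_kubernetes_namespace]
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_name]
        target_label: pod
      - target_label: runtime
        replacement: container
```

With the shared `namespace` and `runtime` labels in place, a VM-side query such as `1 - avg by (instance) (rate(node_cpu_seconds_total{mode="idle"}[5m]))` and a mesh-side query such as `sum by (destination_service) (rate(istio_requests_total{response_code=~"5.."}[5m]))` can be placed on the same dashboard and filtered by the same namespace, which is the correlation across runtimes the text describes.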

Apps Love Intrinsic Security and Compliance

I’m not sure it’s technically the apps that love security, but everyone around them does. Or has to. Security and compliance are fundamental yet often burdensome (and expensive) requirements. That burden is compounded as disparate platforms and environments have to be secured with any semblance of consistency. There is a direct correlation between environment diversity and increased risk.

“My production apps don’t need to be secure…or compliant”
– Unemployed Engineer

To counter this reality, VCF 9.0 delivers a deeply integrated, defense-in-depth security architecture for all workloads by leveraging a unified platform and capabilities that span vSphere, NSX, vSAN, Operations, and Automation. Let’s highlight a few:

  • At VCF’s core, vSphere provides secure boot, TPM 2.0, vTPM, and VM encryption to protect the confidentiality and integrity of VM workloads.
  • vSphere Supervisor and VCF Automation enable Kubernetes-native RBAC, namespace isolation, and workload identity using VCF SSO or OIDC providers.
  • VKS namespaces inherit granular access policies, storage limits, and compute quotas, enforcing tenant boundaries across Kubernetes and VM workloads. VKS Multi-cluster management brings compliance and policy governance across multi-cluster environments with OPA/Gatekeeper-based policy engines, CIS benchmark checks, and cluster configuration drift detection.
  • VCF Operations provides audit trails, SIEM integration, identity-aware alerting, and compliance dashboards that provide telemetry for regulatory frameworks like PCI-DSS, HIPAA, and NIST.
  • To round things out, vSAN provides storage-level encryption that complies with data protection standards such as FIPS 140-2, including policy-driven encryption at rest, encryption for data in flight, and deduplication-aware integrity checks.

Network Security

On the networking front, NSX delivers enhanced workload security and connectivity: zero-trust enforcement through its distributed firewall, micro-segmentation, and east-west traffic control, down to pod-level granularity. Virtual Private Clouds (VPCs) extend the platform’s multi-tenancy and isolation capabilities by enabling secure, software-defined boundaries within a shared infrastructure.

A VPC in VCF is a logically isolated networking and security domain that provides dedicated compute, storage, and networking policies to tenants or application groups. Unlike traditional VLAN-based segmentation, VPCs are implemented using NSX overlay networking, allowing for scalable, programmable, and granular control over traffic flows, IP addressing, and access policies. VPCs in VCF bring cloud-native network isolation and governance into on-prem environments, empowering platform teams to enforce robust, app-level security boundaries while maintaining operational agility and centralized control.
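The pod-level east-west control described above is expressed by platform teams as standard Kubernetes NetworkPolicy objects; the following is an added example (not from the original post) with a default-deny baseline for a namespace and one explicit allow rule. The namespace, tier labels and port are constructed, and the assumption is that NSX realizes these policies as distributed firewall rules for the namespace's pods, as the text's "down to pod-level granularity" describes.

```yaml
# Added example, not from the original post. Namespace, labels and port are
# constructed; NSX is assumed to enforce these policies for Supervisor pods.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: app-team-a
spec:
  podSelector: {}            # selects every pod in the namespace
  policyTypes: ["Ingress"]   # with no ingress rules listed, all inbound is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: app-team-a
spec:
  podSelector:
    matchLabels:
      tier: api                # the protected workload
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: frontend   # only frontend pods in this namespace
      ports:
        - protocol: TCP
          port: 8080           # and only the API port
```

Starting from default-deny and adding narrow allow rules is what gives micro-segmentation its value: a compromised pod in the namespace cannot reach the API tier unless it carries the `tier: frontend` label, and any new service has to be explicitly admitted into the traffic graph.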

In summary, VCF delivers full-stack, zero-trust security by design, with consistent policy enforcement, identity management, and observability across domains. This makes it uniquely suited for securing modern Kubernetes workloads in multi-tenant, mission-critical enterprise environments.

Apps Love Availability and Resiliency

Modern applications demand continuous availability, especially in mission-critical environments. In VCF 9.0, vSAN Stretched Clusters provide high availability and fault tolerance for both VM and Kubernetes workloads by extending a single vSAN datastore across two geographically separated sites (fault domains). This architecture enables active-active data replication and automatic failover across sites, ensuring that workloads remain available even in the event of a full site failure. For VM workloads, vSAN Stretched Clusters replicate VM namespace, VMDK, and configuration data between sites using synchronous replication, enabling zero RPO (Recovery Point Objective) and near-zero RTO (Recovery Time Objective). VM placement can be optimized using affinity rules, while vSphere HA and DRS automatically restart or migrate workloads to the surviving site upon failure detection.

Cloud Native Storage

For Kubernetes workloads running on the vSphere Supervisor or VKS, vSAN Stretched Clusters protect both the control plane and data plane components (e.g. pods, persistent volumes). The underlying vSAN storage is consumed via Cloud Native Storage (CNS), allowing PVCs to be dynamically provisioned with site-aware storage policies. These policies ensure that container volumes (backed by vSAN objects) are synchronously replicated across both sites, enabling stateful workloads to remain resilient against infrastructure outages. Combined with anti-affinity rules for Kubernetes nodes and pods, stretched vSAN clusters ensure workloads are both highly available and fault-domain aware. This is critical for production-grade multi-zone application deployments that require seamless continuity and data integrity without manual intervention.
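As an added example of the site-aware provisioning described above (not from the original post, and not VMware's own configuration), the following StorageClass binds persistent volumes to a stretched-cluster vSAN storage policy and a StatefulSet spreads its replicas across the two sites with pod anti-affinity. The storage policy name, zone topology, image and namespace are constructed; the example assumes the VKS cluster's nodes carry `topology.kubernetes.io/zone` labels that map to the two vSAN fault domains.

```yaml
# Added example, not from the original post. Policy, zone, image and namespace
# names are constructed; nodes are assumed to be labelled with their zone.
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: vsan-stretched
provisioner: csi.vsphere.vmware.com
parameters:
  # A vSphere storage policy that mirrors each object across both sites.
  storagepolicyname: "Stretched - Site Mirroring"   # placeholder policy name
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer  # place the volume where the pod lands
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: orders-db
  namespace: app-team-a
spec:
  serviceName: orders-db
  replicas: 2
  selector:
    matchLabels:
      app: orders-db
  template:
    metadata:
      labels:
        app: orders-db
    spec:
      affinity:
        podAntiAffinity:
          # Hard rule: no two replicas may share a zone, so one lands per site.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: orders-db
              topologyKey: topology.kubernetes.io/zone
      containers:
        - name: db
          image: registry.example.internal/postgres:16   # placeholder image
          ports:
            - containerPort: 5432
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: vsan-stretched
        resources:
          requests:
            storage: 100Gi
```

The two halves work together: the anti-affinity rule keeps compute on both sites, and the storage policy keeps every volume's data on both sites, so the loss of one fault domain leaves a replica running with a synchronously mirrored copy of its volume rather than a pod that cannot be rescheduled because its storage is unreachable.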

Apps Love Extensibility and Open Source Integration

VCF offers deep extensibility and open-source integration through the combined capabilities of vSphere Supervisor, VKS Multi-cluster management, and VCF Automation. VKS, built on the vSphere Supervisor, enables the deployment of Kubernetes Clusters that adhere to upstream Kubernetes standards and support extensible APIs such as Custom Resource Definitions (CRDs), admission controllers, and dynamic webhooks. These clusters are fully compatible with open-source CNCF tooling like Helm, Prometheus, Istio, cert-manager, and external-dns, allowing DevOps teams to leverage the rich Kubernetes ecosystem natively. VKS also supports CSI (Container Storage Interface) and CNI (Container Network Interface) plugins, enabling integration with cloud-native storage and networking extensions.

GitOps Integration

VCF Automation with VKS multi-cluster management supports GitOps-based lifecycle management and integration with Open Policy Agent (OPA) for Kubernetes security and compliance. Developers and SREs can incorporate existing pipeline tools via Kubernetes-native APIs.

Figure: GitOps Integration

Together, these capabilities offer a highly extensible, open-source–friendly Kubernetes platform that doesn’t compromise on compliance, observability, or multi-tenancy, enabling platform teams to innovate rapidly while maintaining control.

In Summary

VMware Cloud Foundation 9.0 delivers the critical capabilities for running modern apps and accelerating app modernization objectives by providing:

  • a unified operational model for VM and Kubernetes workloads
  • comprehensive automation for simplified operational management and rapid application deployment
  • robust, real-time security and compliance frameworks
  • enhanced availability through multi-zone stretched clusters
  • flexible extensibility and open-source integration supporting diverse ecosystems

Stay tuned for focused content and deeper dives into several of these concepts, highlighting specific apps, architectures and best practices.

To learn more: