Introduction With the evolution of VMware Cloud Foundation (VCF) 9.x , Broadcom introduced several foundational platform changes aimed at improving security, scalability, and lifecycle consistency across private cloud environments. One of the most critical yet frequently misunderstood components is VMware Identity Broker (VIDB) . This article provides an end-to-end, practical understanding of VIDB, covering: Why VIDB exists and the problem it solves How VIDB works internally Where VIDB is deployed in VCF High availability and security design Multi-site architecture (Site 1 / Site 2) Embedded or on HA-Cluster? Operati onal behavior and lifecycle management Common misconceptions and pitfalls FAQ explanations This guide is written for architects, consultants, and advanced VCF practitioners who want clarity—not marketing. What Is VMware Identity Broker (VIDB)? VMware Identity Broker (VIDB) is a centralized identity federation and trust-broker service introduced with VCF 9.x . In simple ...

Networking takes a quantum leap toward isolation and self-service with VCF 9, as VMware introduces Virtual Private Clouds. This is natively built on NSX, thereby redefining multitenant, secure, and scalable networking for enterprise private clouds. credit: Broadcom The focus of this article is specifically VCF 9 networking with VPCs: what they are, how they work, and why they matter from an architect's perspective. What is a VPC in VCF 9...... With VCF 9, a VPC in VMware is a logically isolated networking construct in NSX that provides: Strong tenant isolation Independent IP addressing Decentralized ownership of networking Secure, scalable application connectivity Think of a VPC as a private cloud inside your private cloud-very much along the lines of AWS or Azure VPCs, but full-on-prem and NSX-driven. Why VMware did introduce VPCs in VCF 9? Traditional NSX designs relied on Shared Tier-0/Tier-1 topologies, which worked-but scaled poorly for large enterprises and service providers....

 NSX-T brings an evaluation into SDN space whether it's networking, security or even monitoring the environment. During its long journey starting from acquiring this product from Nicira Network by VMware to date, we have seen several enhancements evolving into this product. From NSX-V to NSX-T and now rebranded to NSX starting from version 4. x this product is all set on the customer expectation whether it's a startup or a multi-billion Fortune 500 organization. In this article, we will discuss one of NSX new offerings in NSX ver 4.1 which is NSX Project or multi-site tenancy. Before starting into this let's draft a hypothetical or fictitious scenario... In an organization called Virtualvmx, there were 3 tenancies: Alpha Beta Gama All the above 3 tenants have some compliance guidelines for their organization where one tenant should not expose its networking component inside NSX with other tenants like Layer 2 networking which includes segment, security policies, T1 routers ...

Tunnel endpoints are essential in VMware NSX-T  for managing network connectivity across different environments. They handle the encapsulation and decapsulation of network traffic as it moves between overlay and underlay networks. Here are the key aspects of tunnel endpoints in NSX-T. Its uses in both East-West as well as North-South traffic communication. Geneve Tunneling Protocol : NSX-T uses the Geneve tunneling protocol for encapsulating overlay traffic. Geneve offers a flexible and extensible framework, ensuring efficient and secure communication among virtual machines (VMs) and NSX-T logical networks. Tunnel Endpoint (TEP) IP Addresses: Each hypervisor host or NSX-T Edge node is assigned a unique TEP IP address as its tunnel endpoint. These addresses are used for encapsulating and decapsulating overlay traffic between different endpoints. Overlay Transport Zone (OTZ) : An Overlay Transport Zone defines the scope of network communication within an overlay infrastructure. TEP I...

NSX-T is VMware's network virtualization and security platform, which enables the creation of virtual networks and security policies that are decoupled from physical network hardware. VMware has been investing heavily in NSX-T in recent years, and it is considered a critical component of VMware's broader cloud management and automation portfolio. The future of NSX-T looks promising, as it continues to evolve and expand its capabilities to support modern cloud and application architectures. Some of the key trends that are likely to shape the future of NSX-T include: NSX-T is an essential component of VMware's vision for software-defined networking (SDN) and network virtualization, which aims to make it easier for organizations to build and manage complex network environments. Some of the key features and capabilities of NSX-T include: Network virtualization: NSX-T enables the creation of virtual networks that are decoupled from physical network hardware. This allows organiza...

  Bidirectional forward detection (BFD) is the protocol designed for detecting fast forwarding path failure detection various media types, encapsulations, topologies and routing protocols. BFD helps in providing a consistent failure detection method.  In NSX-T environment where Edge node in edge cluster exchange its BFD keep-alive status on management and tunnel (TEP/overlay) interface to get proper communication among each Edge/host transport nodes in NSX-T environment.                                                       Fig:1 (Credit: vmware.com) eg: When the standby Edge node on T0 gateway fails to receive keep-alive status on both (management & tunnels) interfaces then in that case its not going to become active as its already in standby state. What its looses is its interface communication either from management of overlay. Some feat...

NSX-T Data Center included two types of firewalls: Distributed Firewall    ( for east-west traffic ) Gateway Firewall        ( for north-south traffic )                                              Fig:1 (credit: vmware.com) The distributed firewall is a hypervisor, kernel-embedded stateful firewall:  It resides in the kernel of the hypervisor and outside the guest OS of the VM.  It controls the I/O path to and from the vNIC. The gateway firewall is used for north-south traffic between the NSX-T gateways and the physical network: Its is also called as perimeter firewall protect to and from the physical environment. It applies to Tier-0 and Tier-1 gateway uplinks and service interfaces.  It support both Tier-0 and Tier-1 gateway. If its applies to Tier-0 or Tier-1 gateway then HA status of that gateway should be active-standby. It...

  This article explains how to extract the logs from NSX-T Edge nodes from CLI. Let's view the steps involved: 1) Login to NSX-T  Edge node using CLI from admin credentials. 2) Use of  " get support-bundle " for Log extraction. get support-bundle command will extract the complete logs from NSX-T manager/Edge nodes. nsx-manager-1> get support-bundle file support-bundle.tgz 3) Last step is to us e of " copy file support-bundle.tgz url " command. copy file will forward your collected logs from the NSX-T manager to the destination(URL) host from where you can download the logs. copy file support.bundle.tgz url scp://root@192.168.11.15/tmp Here, the URL specified is the ESXi host ( 192.168.11.15) under /tmp partition where logs will be copied and from there one can extract it for further log review. Happy Learning.  :)

NSX-T BGP Neighbor validation  BGP is one of the most popular options for establishing routing adjacencies between NSX and existing networks. It can be configured on the Tier-0 Logical Router . This article demonstrates various ways from where you can validate the BGP Neighbor status from T0 to its associated ToR switches into the rack. Let's get started.. Methods from where one could validate BGP status are as below. Using NSX-T Manager UI From NSX-T Edge CLI First thing first, let's discuss using NSX-T Manager UI method. Login to NSX-T Manager UI Click on MANAGER mode Click on Network Select the desired T0 Gateway > Action > Generate BGP Summary This will show the BGP Connection status.  If Connection status is showing as "ESTABLISHED". This means that T0 router has successfully peering with ToR switch. The second method where you can validate the BGP Connection status is from NSX-T Edge nodes. Steps involved: Login to NSX-T Edge node using SSH Get into the lo...

There is various enhancement done in NSX-T version 3.0 by VMware.  Let's talk about architecture change in NSX-T version 3.0 Some of the below changes were made concerning the internal communication mechanism within the NSX-T components.  T hey are: Architecture ramp-up: NSX Manager and its cluster communicate with their transport nodes through APH Server ( Appliance Proxy Hub ) NSX Manager communicates with NSX-Proxy through port 1234. CCP (Central control plane) communicates with NSX-Proxy through port 1235 . RabbitMQ messaging is replaced with NSX-RPC between the management plane and CCP.     Add caption   Alarm and Events   In NSX-T version 3.0, there is an introduction of Alerts and Events which help in the active monitoring of different components of the environment.   Network Topology UI   In NSX-T 3.0 there is a view of the network topology which gives a diagram of each component of NSX-T.  This view gives about numbers of VM connecte...