Multi-tenancy, self-service, networking isolation, storage economics, fleet operations — curated for the CSP lens.
VCF 9.1 is arguably the most CSP-significant VCF release in recent memory. The networking story alone — edge-free distributed connectivity, VPC isolation policies, EVPN/VXLAN peering — rewrites the playbook for multi-tenant service delivery. But the improvements span every layer: storage economics, Kubernetes density, fleet operations, and cyber recovery. Here are the 20 features that matter most if you’re running — or planning to run — a VMware-powered cloud service.
VCD → VCF Automation Migration Tool
This is the feature VCD-based CSPs have been waiting for. VCF 9.1 introduces a native migration path from VMware Cloud Director to VCF Automation. VMs are imported from OrgVDC resource pools directly into vSphere Namespaces. Supervisors, Clusters, Regions, Projects, and Namespaces are auto-created and mapped to existing VCD constructs. Network boundaries of OrgVDC are migrated to NSX VPC — preserving tenant isolation through the transition.
Unblocks the single biggest migration concern for VCD-based providers. Automated construct mapping dramatically reduces migration effort, tenant downtime, and the professional services cost of transitioning to the VCF Automation operating model.
Self-Service Namespace Creation with Guardrails
Organization admins can now delegate vSphere Namespace creation to Project Admins on a self-service basis. The governance layer is granular: admins define which Regions, Namespace Classes, Connectivity Profiles, Subnets, Infrastructure Policies, VPCs, and Service Engine Groups are available to each project. Tenants consume within those boundaries without filing tickets.
Every namespace creation ticket that disappears from a CSP’s queue is margin improvement. Self-service with admin-defined guardrails is the operational model CSPs need — tenant autonomy without infrastructure risk.
Upfront Pricing Estimates & Tenant Notifications
Tenants now see real-time pricing estimates before deploying catalog items, VMs, and VKS clusters. Consumption reports, infrastructure alerts, and critical operation notifications are surfaced directly in the VCF Automation UI. Providers configure which alerts and reports are visible to tenants.
Transparent showback/chargeback is fundamental to CSP economics. When tenants see cost before they click “deploy,” billing disputes drop, resource waste decreases, and self-service confidence goes up.
Project-Scoped Content Libraries
A new form of content library scoped to specific projects within an organization. Admins can restrict VM image availability so that only the users and resources of a given project can access particular images. Canonical Ubuntu images are now available as validated, subscribed content — provider-controlled.
Image governance per tenant project. CSPs curate approved OS images without cross-tenant leakage — essential for regulated tenants and for CSPs offering tiered service catalogs.
VPC Connectivity Policies — Community, Promiscuous, Isolated
VCF 9.1 introduces connectivity policies that control inter-VPC communication within a tenant project without firewall rules. Community: VPCs in the same community can talk to each other. Promiscuous: the VPC can talk to any VPC. Isolated: the VPC communicates only with promiscuous VPCs. These can be mixed within a project for precise segmentation.
Multi-tier tenant networking (dev/staging/prod isolation, shared-services patterns) handled by policy rather than per-rule firewalls. Reduces CSP networking configuration overhead per tenant from hours to minutes.
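The three policies can be checked against a segmentation intent before they are applied. The following is an added example, not VMware code and not an NSX or VCF Automation API: it models the semantics as the text states them and reports any forbidden pair that a policy assignment would still allow. The class, function and VPC names are hypothetical, and it assumes VPCs in different communities cannot talk to each other.

```python
# Added example: a model of the VPC connectivity policies described above.
# Not NSX/VCF API code; every name here is hypothetical.
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

POLICIES = {"community", "promiscuous", "isolated"}

@dataclass(frozen=True)
class Vpc:
    name: str
    policy: str
    community: Optional[str] = None  # set only when policy == "community"

    def __post_init__(self):
        if self.policy not in POLICIES:
            raise ValueError(f"{self.name}: unknown policy {self.policy!r}")
        if (self.policy == "community") != (self.community is not None):
            raise ValueError(f"{self.name}: community id goes with community policy only")

def can_talk(a: Vpc, b: Vpc) -> bool:
    """Inter-VPC reachability implied by policy alone (no firewall rules)."""
    if "promiscuous" in (a.policy, b.policy):
        return True                         # promiscuous talks to any VPC
    if a.policy == b.policy == "community":
        return a.community == b.community   # same community only (assumption)
    return False                            # isolated reaches only promiscuous

def audit(vpcs, must_not_talk):
    """Return the forbidden pairs that the policy assignment still allows."""
    allowed = {frozenset((a.name, b.name))
               for a, b in combinations(vpcs, 2) if can_talk(a, b)}
    return sorted(tuple(sorted(p)) for p in map(frozenset, must_not_talk) if p in allowed)

# Constructed sample project: shared services plus dev/staging/prod tiers.
PROJECT = [
    Vpc("shared-svc", "promiscuous"),
    Vpc("dev", "community", "nonprod"),
    Vpc("staging", "community", "nonprod"),
    Vpc("prod", "isolated"),
]
# Segmentation intent: prod must never reach dev or staging directly.
INTENT = [("prod", "dev"), ("prod", "staging")]

if __name__ == "__main__":
    print(audit(PROJECT, INTENT))                        # intended layout
    drifted = PROJECT[:3] + [Vpc("prod", "promiscuous")]
    print(audit(drifted, INTENT))                        # prod switched to promiscuous
```

Switching a single VPC to promiscuous opens it to every other VPC in the project, so a policy change on a production VPC is worth gating on a check like this.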
Transit Gateway Advanced Connectivity
CTGW is now decoupled from Tier-0. VCF 9.1 supports HA mode per CTGW, multiple CTGWs and DTGWs per project, and multiple external connections per CTGW. For outbound traffic, tenants get full control over which Tier-0 is used, where SNAT is applied, and which External IP block is consumed.
Per-project external connectivity with independent Tier-0 selection eliminates the shared gateway bottleneck. CSPs can model complex tenant topologies — multi-ISP, multi-region, dedicated uplinks — on shared infrastructure.
Distributed Transit Gateway with EVPN/VXLAN
Peer directly with the physical fabric using industry-standard EVPN/VXLAN. This decouples the control and data plane for north-south traffic — VMs get direct N/S connectivity without traffic tromboning through Edge appliances. No edge lifecycle, no edge provisioning, no edge scaling headaches.
Edge VM sprawl is one of the top operational pain points at CSP scale. DTGW with EVPN/VXLAN eliminates it entirely for N/S traffic — better latency, fewer failure domains, dramatically simpler operations.
Virtual Network Appliances (VNA) — Edge-Free Network Services
A dedicated VNA Cluster now runs network services for Distributed External Connections: External IP (1:1 NAT), DHCP, NAT (SNAT/DNAT), VPC Outbound NAT (N:1 — new in 9.1), and NSX LB for Supervisor/VKS (new in 9.1) plus Avi VPC LB Plugin. Only NAT and LB traffic is redirected to VNAs — L2/L3 and External IP traffic remains fully distributed.
Network services without deploying and managing Edge VMs per tenant. The distributed data-path keeps per-tenant traffic efficient while VNAs handle only the stateful services that need them.
TGW Span + Infoblox IPAM Integration
Transit Gateway Span constrains a TGW and its subnets to selected vCenter clusters — controlling where subnets are available, where workloads can be placed, and aligning DTGW spans with external connection VLANs. Separately, Infoblox integration discovers and maps Network Containers to external IP blocks, provisions subnets/IPs using Infoblox CIDRs, and auto-registers workload IPs and FQDNs.
TGW Span gives CSPs physical network alignment per tenant cluster — critical for VLAN-constrained environments. Infoblox integration provides the single DDI source-of-truth that large CSPs already depend on, now natively integrated with VCF networking.
vSAN ESA Inline Compression (ZSTD) + Global Deduplication GA
vSAN 9.1 introduces a ZSTD-based inline compression algorithm tuned specifically for vSAN — delivering significantly higher data reduction ratios while balancing CPU utilization. Compression is now always-on. In parallel, vSAN Global Deduplication reaches GA, supporting between 3 and 64 hosts with improved processing efficiency. Crucially, Global Dedup is fully compatible with Data-at-Rest encryption — no negative impact on reduction ratios.
Direct $/TB improvement. Better compression + dedup = higher tenant density per physical disk. This is fundamental to CSP storage margin economics, especially for VDI, database, and backup workload profiles.
Auto-RAID + Effective Capacity View
Auto-RAID automatically manages optimal resilience settings per cluster using a single “vSAN ESA Auto RAID Policy” in vCenter — dynamically adjusting as cluster size changes (4-host, 6-host stretched, 2-node, single-host bootstrap). The new “effective capacity” view replaces raw capacity statistics with usable capacity and simplified space-efficiency summaries covering dedup ratio, compression ratio, thin provisioning savings, and snapshot savings.
No more manual storage policy tuning across hundreds of tenant clusters. Effective capacity view aligns with how CSPs bill and report storage — usable TB, not raw TB with overhead footnotes.
Native S3 Object Storage on vSAN — Technology Preview
Block, file, and S3-compatible object storage running on the same vSAN cluster. Multi-tenant object storage is provisioned and managed via VCF Automation or vSphere Supervisor. Scalable, resilient architecture courtesy of vSAN ESA. Available as Technology Preview in Patch 01 of VCF 9.1.
A new service tier on existing hardware. CSPs can offer S3-compatible object storage to tenants without deploying separate storage infrastructure — opening up developer-oriented and AI/ML data-lake use cases.
VKS: 500 Clusters per Supervisor + Fast Deploy
VKS now supports up to 500 Kubernetes clusters per Supervisor — a 2.6× scale increase over VCF 9.0. VKS 3.6 ships Kubernetes 1.35 (CNCF-certified, 24-month support). Fast Deploy leverages linked-clone (unencrypted VMs) and direct-mode (encrypted VMs) technologies to reduce cluster provisioning time by approximately 70% and upgrades by approximately 75%.
Dramatically higher Kubernetes tenant density per control plane instance. Fast Deploy addresses burst scenarios common in VDI and retail — and reduces time-to-revenue for new K8s tenant onboarding from 37 minutes to 11 minutes.
Container Service — CaaS Without Kubernetes
Deploy isolated, secure containers directly on vSphere Pods within vSphere Namespaces — no full Kubernetes cluster required. UI-driven provisioning and lifecycle control. Supports StatefulSets with persistent volumes and multi-container pods. Based on the proven vSphere Pods technology with VM-level isolation.
CSPs can offer a lightweight container service tier below full VKS — lower cost, faster deploy, familiar vSphere management. This broadens the addressable tenant market to teams that want containers but don’t need (or want to manage) Kubernetes.
Unified Fleet IAM & Management
VCF 9.1 delivers end-to-end IAM with VCF-level roles across all components — vCenter, NSX, Operations, Automation, Logs, Networks, HCX, and Orchestration — all brokered through VIDB (Identity Broker). Unified password policies with vault integration, bulk certificate management (generate CSRs, renew, import across the fleet), and OAuth/API token access for programmatic automation. Custom VCF roles can be provisioned across vCenter and VCF instances.
Single identity plane for the entire VCF estate. CSPs managing multi-instance fleets get consistent RBAC, password governance, and certificate rotation at scale — replacing the fragmented per-instance identity management that doesn’t survive operational audits.
Centralized LCM — 4× Parallel Upgrades
Lifecycle Management is now part of the VCF Services Platform with a unified software depot secured via OAuth token. Optimized precheck workflows and a 4× improvement in parallel cluster upgrade operations — centrally managed from VCF Operations. One place to download and manage binaries, and quickly assess health and upgrade readiness across the fleet.
CSPs running hundreds of clusters can upgrade 4× faster in parallel. A single depot and centralized LCM eliminate the maintenance-window sprawl that plagues large CSP environments, turning a weekend-long upgrade cycle into an overnight operation.
Flexible Licensing — License Server + Aggregated Usage
VCF components are automatically licensed via vCenter when configured in connected mode. A dedicated license server offloads license logic from VCF Operations. Multiple licenses can be applied directly to a vCenter and its connected components. Aggregated license usage for ESX 8.x and 9.x. On-prem license appliance available for air-gapped or sovereign environments.
CSPs with mixed-version estates (VCF 5.x through 9.x) get aggregated license management across generations. Override licenses support unique CSP scenarios — trial tenants, PoC environments, and tiered service offerings with differentiated entitlements.
On-Premises Cyber Recovery Clean Room
Full ransomware protection and recovery on customer-owned infrastructure — no cloud dependency. The solution extends vSAN Protection and Recovery to provide on-prem clean room capabilities with push-button vDefend-based network isolation, EDR integration (Carbon Black included by default, CrowdStrike BYOL supported), guided restore point selection, VM analysis and validation in the isolated environment, and orchestrated failback workflows.
CSPs can offer “Cyber Recovery as a Service” as a premium tier — fully on-prem, data-sovereign, with clean room isolation that satisfies regulated industries prohibiting cloud-based recovery. The EDR vendor choice (Carbon Black or CrowdStrike) aligns with whatever the tenant already runs.
Security Posture Management & Compliance Automation
Fleet-wide compliance assessments using built-in benchmarks — enable benchmarks, assign to policies, clone and modify rules to suit requirements. Run assessments on-demand, view and filter results, export to PDF/CSV, and perform one-click remediation to infrastructure objects. Confidential Computing visibility through the SecOps dashboard (AMD SEV-SNP, Intel TDX). VCF-wide audit trails with standardized log architecture for security forensics.
Automated compliance reporting for regulated tenants (FIPS 140-3, STIG, custom benchmarks). One-click remediation across the fleet reduces CSP audit preparation from weeks to hours. The audit trail becomes a sellable compliance artifact for tenants in financial services and government.
VCF Edge — 5,000 Hosts, 256 Parallel Upgrades, ZTP + GitOps
Fleet capacity doubled to 5,000 ESX hosts per instance. Parallel upgrade scale increased 4× from 64 to 256 clusters. Zero Touch Provisioning uses UEFI HTTPS Boot with TPM and Secure Boot support — hosts inherit desired-state image and configuration from the cluster, no TFTP required. Day-0 activation scripts configure vSphere clusters, Supervisor, and FLB. Argo CD-based GitOps provides pull-based workload delivery with drift detection and auto-correction. Flexible 1/2/3+ node topologies with full air-gap support.
CSPs serving retail, telco, or industrial edge can scale to thousands of sites with lights-out ZTP and GitOps delivery. 256 parallel upgrades make fleet-wide patching operationally viable — a requirement for edge CSPs where site-by-site maintenance windows are physically impossible.
The CSP Takeaway
VCF 9.1 is a platform release, not just a feature release. The networking overhaul (DTGW, VNAs, VPC policies, EVPN/VXLAN) alone justifies the upgrade for any CSP running multi-tenant workloads. Layer on the VCD migration tool, self-service namespaces, storage economics improvements, and fleet-scale operations — and this is the release that brings VCF’s cloud operating model to parity with what CSPs have been building manually around VCD for years.

