VMware VCAP-VCF: Cloud Foundation Design Practice Exam
Advanced, senior-level VMware Cloud Foundation design: logical and physical design of management and workload domains, advanced NSX and vSAN design (stretched clusters, ESA vs OSA, fault domains), disaster recovery and business continuity, and operations and lifecycle design. Goes beyond the VCP-VCF Architect level.
Practice 859 exam-style VMware VCAP-VCF questions with full answer explanations, then take timed mock exams that score like the real thing.
Question bank reviewed Jul 2026.
What the VMware VCAP-VCF exam covers
- Requirements, constraints, assumptions, and risks: 120 questions
- Logical and physical design of management and workload domains: 189 questions
- Advanced NSX overlay/underlay and multi-site design: 155 questions
- vSAN advanced design (stretched clusters, ESA/OSA, fault domains): 129 questions
- Availability, disaster recovery, and business continuity design: 137 questions
- Operations, monitoring, and lifecycle design: 129 questions
Free VMware VCAP-VCF sample questions
A sample of 10 questions with answers and explanations. Sign up free to practice all 859.
- Which TWO of the following are valid BUSINESS DRIVERS that commonly justify adopting VMware Cloud Foundation 5.x, as distinct from technical requirements themselves? (Select two.)
  - A. Reduce time to market for new digital services (Correct)
  - B. Configure NSX Distributed Firewall rules per workload domain
  - C. Deploy vSAN stretched clusters across two availability zones
  - D. Achieve regulatory compliance across multiple jurisdictions (Correct)
  ✓ Correct answer: A, D. Business drivers are the strategic motivations behind the initiative, such as agility (time to market) and regulatory compliance; they explain why the project exists rather than specifying a technical implementation.
  Why the other options are wrong:
  - B. A specific NSX Distributed Firewall configuration action is a technical implementation detail, not a business motivation.
  - C. A specific vSAN stretched-cluster configuration is a technical design decision, not a business motivation.
- A VCF design engagement includes the statement: 'The design must operate within the customer's existing $750,000 capital budget approved for this fiscal year.' How should this statement be classified?
  - A. Risk
  - B. Requirement
  - C. Assumption
  - D. Constraint (Correct)
  ✓ Correct answer: D. Constraints are pre-existing conditions or decisions outside the architect's control that restrict the range of viable design options; a fixed approved budget cannot be changed by the design and therefore bounds hardware, licensing, and software choices. It is not a requirement because it does not describe a needed capability, and it is not uncertain like an assumption or risk.
  Why the other options are wrong:
  - A. A risk is an uncertain event with a potential negative impact; a fixed budget is a certainty, not a probabilistic threat.
  - B. A requirement specifies a needed capability or outcome the design must deliver; a budget limit restricts options rather than specifying a needed outcome.
  - C. An assumption is an unconfirmed belief taken as true for planning; a fixed, already-approved budget is a known fact, not something unconfirmed.
- Which three statements correctly describe vSphere DRS automation levels? (Select three.)
  - A. In Manual mode, DRS generates initial placement and load-balancing recommendations but an administrator must apply them (Correct)
  - B. DRS automation level determines whether vSphere HA admission control is enabled for the cluster
  - C. In Partially Automated mode, DRS automatically places VMs at power-on but requires administrator approval for subsequent load-balancing migrations (Correct)
  - D. In Fully Automated mode, DRS automatically handles both initial placement and ongoing load-balancing vMotion migrations according to the configured migration threshold (Correct)
  ✓ Correct answer: A, C, D. Manual mode only generates recommendations for both placement and load balancing, requiring the administrator to apply them. Partially automated mode auto-places VMs at power-on but still requires approval for later load-balancing moves, while fully automated mode auto-executes both initial placement and ongoing load-balancing migrations per the configured threshold.
  Why the other options are wrong:
  - B. HA admission control is enabled and configured independently of the DRS automation level.
- A cluster contains hosts of different sizes: two large hosts with double the CPU and memory capacity of the other six standard hosts. The design uses percentage-based admission control with automatic calculation based on Host Failures Cluster Tolerates = 1. Why is this preferable to manually entering a fixed percentage in this heterogeneous cluster?
  - A. Automatic calculation always reserves exactly 1/N of cluster resources regardless of host sizing
  - B. Automatic calculation derives the reserved percentage from the actual resources of the largest host(s) needed to cover the tolerated failures, correctly sizing the reservation for a heterogeneous cluster rather than assuming equally sized hosts (Correct)
  - C. Automatic calculation disables the need for vSphere HA entirely
  - D. Manual entry is not supported at all for percentage-based admission control
  ✓ Correct answer: B. Rather than assuming all hosts are equally sized, vCenter's automatic calculation derives the percentage from the real resources of the host(s) needed to cover the configured number of tolerated failures. This avoids under-reserving capacity in a cluster where some hosts are much larger than others.
  Why the other options are wrong:
  - A. Assuming a simple 1/N reservation regardless of host size is exactly the simplistic behavior the automatic, size-aware calculation improves upon.
  - C. Automatic calculation adjusts the reserved percentage; it does not disable vSphere HA.
  - D. Manual percentage entry is supported; it is simply less accurate than automatic calculation for heterogeneous clusters.
- A partner site needs IPsec connectivity to exactly two well-known, unchanging /24 subnets, and the customer's design standard avoids running a dynamic routing protocol over the tunnel to minimize operational complexity. Which NSX IPsec VPN mode fits best?
  - A. Route-based VPN with OSPF.
  - B. Route-based VPN with BGP over a virtual tunnel interface.
  - C. Policy-based VPN, defining explicit local/peer traffic selectors for the two known subnets. (Correct)
  - D. L2 VPN.
  ✓ Correct answer: C. Policy-based IPsec VPN defines explicit traffic selectors for a fixed set of local and peer subnets and requires no dynamic routing protocol, making it the simplest fit when only two unchanging subnets need connectivity and the design standard avoids dynamic routing over the tunnel.
  Why the other options are wrong:
  - A. NSX route-based IPsec VPN uses BGP over the VTI, not OSPF, and this option still introduces the dynamic routing complexity the design wants to avoid.
  - B. Route-based VPN with BGP is preferred when subnets change frequently or dynamic failover is needed, which contradicts the stated preference to avoid dynamic routing.
  - D. L2 VPN extends a Layer 2 segment between sites; it does not address routed IPsec connectivity to specific remote subnets.
- A design team is documenting the underlay MTU requirement for a new NSX overlay deployment. Guest VM traffic uses the standard 1500 byte MTU. Which underlay MTU value should the design specify as the minimum for all switches, routers, VDS uplinks, and TEP interfaces that carry Geneve encapsulated traffic, with a higher value recommended for headroom?
  - A. 1600 minimum, with 1700 recommended (Correct)
  - B. 1518 minimum, with 1522 recommended
  - C. 9000 minimum, with no lower value supported
  - D. 1500 minimum, with 1550 recommended
  ✓ Correct answer: A. Geneve encapsulation adds header overhead to the original frame, so a path carrying 1500 byte guest frames needs a larger MTU end to end to avoid fragmentation of the encapsulated packet. VMware's standard guidance is a minimum of 1600 bytes across every switch, router, VDS uplink, and TEP interface in the path, with 1700 bytes recommended to leave headroom for future overlay features.
  Why the other options are wrong:
  - B. 1518 and 1522 correspond to Ethernet frame sizes with 802.1Q tagging, not the MTU headroom needed for Geneve encapsulation.
  - C. 9000 byte jumbo frames are an optional performance optimization for high throughput workloads, not the mandatory minimum MTU for Geneve to function.
  - D. 1500 is the standard Ethernet MTU for the inner guest frame; it does not account for the Geneve encapsulation overhead added on top of it.
- In a vSAN stretched cluster storage policy, what does a Primary level of Failures To Tolerate (PFTT) of 1 combined with the Site Disaster Tolerance option Dual site mirroring represent?
  - A. Protection against exactly three simultaneous host failures in a single site
  - B. Site level protection, where a full copy of the object is mirrored across both the Preferred and Secondary sites (Correct)
  - C. Local RAID 5 erasure coding protection within a single site only
  - D. A policy that pins all data to the Preferred site with no cross site redundancy
  ✓ Correct answer: B. The Primary level of Failures To Tolerate governs site level protection in a stretched cluster. Setting it to 1 with Dual site mirroring places a full mirror copy of the object at each of the two data sites, so the object survives the complete loss of either site.
  Why the other options are wrong:
  - A. PFTT values describe site level mirroring, not a count of tolerated host failures within one site.
  - C. RAID 5 erasure coding within a site describes local, Secondary level FTT protection, not the Primary (site level) setting.
  - D. Pinning data to the Preferred site with no redundancy describes an affinity policy with PFTT=0, the opposite of this setting.
- Which two are valid VM data replication mechanisms that VMware Live Site Recovery can orchestrate for workload domain DR? (select two)
  - A. NSX Federation universal segment stretching
  - B. Array-based replication via a certified Storage Replication Adapter (SRA) (Correct)
  - C. SDDC Manager configuration backup
  - D. Host-based replication via vSphere Replication (Correct)
  ✓ Correct answer: B, D. VMware Live Site Recovery orchestrates VM recovery using either array-based replication through a certified Storage Replication Adapter or host-based replication through vSphere Replication; both move VM disk data to the recovery site for orchestrated failover.
  Why the other options are wrong:
  - A. NSX Federation stretches network constructs such as segments and gateways; it does not replicate VM disk data.
  - C. SDDC Manager configuration backup protects management appliance configuration, not workload VM data.
- A recovery plan needs to trigger a monitoring-system update immediately after a database VM powers on at the recovery site, before dependent application VMs start. What recovery plan feature supports this?
  - A. vSAN fault domain configuration
  - B. Per-VM pre-power-on and post-power-on custom scripts/steps within the recovery plan (Correct)
  - C. NSX Tier-0 route redistribution
  - D. Protection group datastore mapping
  ✓ Correct answer: B. Recovery plans support per-VM custom scripts or command steps that run before or after a given VM powers on, which can be used to notify monitoring systems or perform other actions precisely at the needed point in the recovery sequence.
  Why the other options are wrong:
  - A. Fault domain configuration is a vSAN availability construct, not a recovery plan feature.
  - C. Route redistribution is an NSX routing configuration concept, unrelated to recovery plan scripting.
  - D. Datastore mapping concerns storage placement for array-based protection groups, not scripted actions around power-on.
- An architect wants to reduce the chance of upgrade prechecks failing on the day of a planned maintenance window. What proactive lifecycle design practice best supports this goal?
  - A. Relying exclusively on the vendor's release notes instead of running any environment-specific precheck
  - B. Running the precheck exactly once, at the moment SDDC Manager is first deployed, and never again
  - C. Establishing a recurring schedule for running SDDC Manager health checks and prechecks outside of active upgrade windows, so configuration drift, certificate issues, or failed components are identified and remediated continuously rather than discovered only during upgrade planning (Correct)
  - D. Disabling password expiration policies entirely so credential-related precheck failures can never occur
  ✓ Correct answer: C. Running SDDC Manager health checks and prechecks on a recurring cadence, independent of any specific upgrade, surfaces configuration drift, certificate problems, or component health issues early, so they can be remediated well before they would otherwise surface as blocking failures during an upgrade precheck.
  Why the other options are wrong:
  - A. Incorrect; generic release notes cannot substitute for environment-specific precheck results, which reflect the actual current state.
  - B. Incorrect; running the precheck only once at initial deployment provides no ongoing visibility into drift that accumulates over time.
  - D. Incorrect; disabling password expiration removes a security control and does not represent sound proactive lifecycle design.
VMware VCAP-VCF practice exam FAQ
How many questions are in the VMware VCAP-VCF practice exam on CertGrid?
CertGrid has 859 practice questions for VMware VCAP-VCF: Cloud Foundation Design, covering 6 exam domains. The real VMware VCAP-VCF exam has about 60 questions.
What is the passing score for VMware VCAP-VCF?
The VMware VCAP-VCF exam passing score is 600, and you have about 135 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.
Are these official VMware VCAP-VCF exam questions?
No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of VMware VCAP-VCF: Cloud Foundation Design, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.
Can I practice VMware VCAP-VCF for free?
Yes. You can start practicing VMware VCAP-VCF: Cloud Foundation Design for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.