VMware VCP-VCF: Cloud Foundation Architect Practice Exam
Validates designing a VMware Cloud Foundation solution: requirements and risk analysis, consolidated vs standard and multi-domain topology choices, NSX and vSAN design, and design for availability, recovery, security, and lifecycle. Focused on design decisions rather than hands-on administration.
Practice 850 exam-style VMware VCP-VCF questions with full answer explanations, then take timed mock exams that score like the real thing.
Question bank reviewed Jul 2026.
What the VMware VCP-VCF exam covers
- VCF design principles and requirements gathering (111 questions)
- Consolidated vs standard topology and multi-domain design (170 questions)
- NSX overlay and network design within VCF (153 questions)
- vSAN design (ESA vs OSA, availability zones) (128 questions)
- Availability, recovery, and security design (162 questions)
- Lifecycle, monitoring, and capacity design (126 questions)
Free VMware VCP-VCF sample questions
A sample of 10 questions with answers and explanations. Sign up free to practice all 850.
-
During requirements gathering, an architect writes: "It is assumed that the customer will provide DNS and NTP services prior to VCF bring-up." What type of documentation element is this?
- A. An assumption (Correct)
- B. A constraint
- C. A risk
- D. A design implication
✓ Correct answer: A. An assumption is a statement the architect believes to be true for planning purposes but has not yet had formally confirmed by the customer. Stating that DNS and NTP services will be provided prior to bring-up, without confirmation, is a classic assumption that should be validated before the design proceeds to implementation.
Why the other options are wrong
- B. A constraint is a confirmed, fixed limitation, whereas this statement is an unconfirmed belief about what will be provided.
- C. A risk describes an uncertain event with potential negative impact; while an incorrect assumption could later become a risk, as stated this is an assumption, not a risk.
- D. A design implication is a consequence of a design decision, not a belief about external dependencies.
-
Which of the following are core responsibilities of SDDC Manager in a VCF 5.x environment? (Select all that apply.)
- A. Commissioning and decommissioning ESXi hosts (Correct)
- B. Patching the guest operating systems running inside tenant virtual machines
- C. Creating, expanding, and deleting workload domains (Correct)
- D. Downloading and applying update/upgrade bundles (Correct)
✓ Correct answer: A, C, D. SDDC Manager's scope covers host lifecycle (commission/decommission), workload domain lifecycle operations, and applying BOM-aligned update/upgrade bundles to the infrastructure and management components.
Why the other options are wrong
- B. Guest operating system patching inside tenant VMs is outside VCF's scope; that is handled by the tenant's own OS/patch management tools, not SDDC Manager.
-
A customer wants to deploy the management domain with the bare minimum of four hosts and the smallest possible Aria Suite footprint to save cost, with no plan to reassess sizing later. What risk should the architect highlight?
- A. The minimum four-host, smallest Aria Suite footprint design is not permitted by VCF and will fail bring-up
- B. As workload domains and Aria Suite usage grow, the undersized management domain may run out of compute, memory, or storage headroom, requiring disruptive expansion later; growth should be planned for during initial sizing (Correct)
- C. Undersizing only affects VI workload domains, never the management domain, since Aria Suite components are excluded from domain sizing
- D. There is no risk, since VCF automatically and non-disruptively resizes the management domain cluster as needed
✓ Correct answer: B. Sizing the management domain at the bare minimum without accounting for growth can lead to resource contention as more VI workload domains and Aria Suite capacity are added later. Because expanding after the fact can be more disruptive, architects should build in appropriate headroom during initial sizing based on the customer's growth plans.
Why the other options are wrong
- A. A minimal four-host management domain with a small Aria Suite footprint is a valid, supported bring-up configuration.
- C. Aria Suite components run in and consume resources of the management domain, so they are very much part of its sizing considerations.
- D. VCF does not automatically expand the management domain cluster on its own; adding hosts or capacity is a deliberate design and operations action.
-
An architect is finalizing a design for a workload domain that must support future expansion to twice its initial host count without redesigning the network or storage architecture. Which planning consideration is most critical to validate during the initial design phase?
- A. That EVC is disabled from the start to simplify future host additions
- B. That the initial cluster uses the maximum possible host count on day one regardless of current workload needs
- C. That vSphere HA is disabled until the expansion occurs
- D. That the initial IP addressing, VLAN/overlay segment sizing, and vSAN datastore design have sufficient headroom to accommodate the doubled host count (Correct)
✓ Correct answer: D. To expand smoothly to double the host count later without redesigning networking or storage, the architect must ensure the initial IP address ranges, VLAN or overlay segment sizes, and vSAN datastore capacity planning already account for that future scale, avoiding the need to re-architect addressing schemes or storage layout later.
Why the other options are wrong
- A. EVC should be planned deliberately based on anticipated CPU generation changes, not simply disabled; disabling it does not aid network or storage scalability.
- B. Deploying at maximum host count immediately wastes capital and does not address the actual planning need, which is headroom in addressing and storage design, not immediate host count.
- C. Disabling HA removes availability protection and has no relationship to preparing network or storage design for future scale.
-
In the NSX Distributed Firewall, which category of rules is evaluated with the highest precedence, ahead of Infrastructure, Environment, and Application rules?
- A. Environment
- B. Application
- C. Infrastructure
- D. Emergency (Correct)
✓ Correct answer: D. The Distributed Firewall organizes rules into categories that are evaluated in a fixed order: Emergency, Infrastructure, Environment, and Application. Emergency rules are evaluated first so that urgent, temporary restrictions, such as blocking a compromised workload, take precedence over all other configured policy.
Why the other options are wrong
- A. Environment category rules are evaluated after Infrastructure but before Application, not ahead of Emergency.
- B. Application category rules are evaluated last among these four categories, not first.
- C. Infrastructure category rules are evaluated after Emergency, not before it.
-
During a VCF network design workshop, the customer's network team asks for the minimum MTU that must be configured on every physical switch port and uplink that carries NSX overlay traffic. What value should the architect specify as the hard minimum requirement?
- A. 9000 bytes
- B. 1600 bytes (Correct)
- C. 1500 bytes
- D. 8900 bytes
✓ Correct answer: B. NSX overlay traffic is Geneve encapsulated, which adds overhead to the original frame. VMware requires that every switch and uplink carrying overlay traffic support at least a 1600 byte MTU so encapsulated frames are not dropped or fragmented.
Why the other options are wrong
- A. 9000 bytes (jumbo frames) is the recommended value for optimal performance, but it is not the mandatory minimum.
- C. 1500 bytes is the standard Ethernet MTU and does not leave enough headroom for Geneve encapsulation overhead.
- D. 8900 bytes is not a documented NSX MTU requirement.
-
A 4-node all-flash vSAN OSA cluster will use RAID-5 erasure coding for FTT=1 to store 60 TB usable. What is the minimum raw capacity required to store this data, before accounting for slack space?
- A. 90 TB
- B. 80 TB (Correct)
- C. 120 TB
- D. 60 TB
✓ Correct answer: B. RAID-5 erasure coding in a 3+1 configuration for FTT=1 has a capacity overhead multiplier of approximately 1.33x, so 60 TB x 1.33 equals approximately 80 TB of raw capacity.
Why the other options are wrong
- A. This is closer to a 1.5x multiplier, characteristic of RAID-6 overhead, not RAID-5.
- C. This corresponds to a 2x multiplier, characteristic of RAID-1 mirroring, not RAID-5 erasure coding.
- D. This ignores the parity overhead entirely.
-
Which two justifications support designing a VCF cluster with N+1 host redundancy rather than exactly the minimum capacity needed to run current workloads? (Select two.)
- A. It guarantees protection against the loss of an entire availability zone
- B. It allows the cluster to tolerate a single host failure and still restart affected VMs without breaching admission control (Correct)
- C. It allows one host to be placed into maintenance mode (for patching or hardware service) while retaining protection against an additional, unrelated host failure (Correct)
- D. It eliminates the need for vSphere HA to be enabled
✓ Correct answer: B, C. N+1 capacity ensures that after a single host failure, the remaining hosts have enough resources to run all VMs within admission control limits, and it also gives operators room to place a host into maintenance mode for patching or hardware service while still being protected against an unrelated additional host failure during that window.
Why the other options are wrong
- A. N+1 host redundancy protects against host-level failures within a single site; it does not by itself protect against the loss of an entire availability zone, which requires a multi-site or stretched design.
- D. N+1 capacity planning works together with vSphere HA; it does not remove the need to enable HA.
-
In a multi-rack VCF pod design, how should top-of-rack switching be architected to avoid a rack-level single point of failure while maintaining uplink connectivity to the spine?
- A. Each rack should have its own pair of redundant top-of-rack switches, each uplinked to the spine/core layer (Correct)
- B. Only the rack containing the management domain needs redundant top-of-rack switches
- C. Top-of-rack switches are unnecessary if hosts connect directly to the spine
- D. All racks should share a single pair of top-of-rack switches located in one rack
✓ Correct answer: A. Giving each rack its own redundant pair of top-of-rack switches, each with uplinks to the spine or core layer, ensures that a switch or uplink failure in one rack does not affect hosts in other racks, and that no single rack's networking is a dependency for hosts physically located elsewhere.
Why the other options are wrong
- B. All racks running production hosts, including workload domain racks, benefit from redundant top-of-rack switching, not just the management domain rack.
- C. Top-of-rack switches are a standard part of leaf-spine designs; direct host-to-spine connections are not the typical or recommended VCF physical network topology.
- D. Sharing one pair of top-of-rack switches across multiple racks reintroduces a single point of failure for every rack and adds unnecessary cabling distance and complexity.
-
Before applying a VCF upgrade bundle to a workload domain, an architect wants to reduce the risk of a failed upgrade mid-way through the process. Which capability of SDDC Manager should be used first?
- A. Manually snapshot every VM in the domain
- B. Delete unused bundles from the repository to free space
- C. Disable DRS on all clusters in the domain
- D. Run the SDDC Manager upgrade precheck to validate component health, compatibility, and resource readiness before starting the bundle (Correct)
✓ Correct answer: D. SDDC Manager provides an upgrade precheck that evaluates the health of the domain's components, resource availability, and compatibility before an upgrade bundle is applied, surfacing issues the architect can remediate ahead of time. Running this precheck lowers the chance of a mid-upgrade failure.
Why the other options are wrong
- A. VM-level snapshots are not part of the SDDC Manager upgrade workflow and do not validate component health or compatibility.
- B. Freeing repository space may help with staging bundles but does not validate the domain's readiness for the upgrade.
- C. Disabling DRS is not a precheck action and would remove the automation needed to evacuate hosts during the rolling upgrade.
VMware VCP-VCF practice exam FAQ
How many questions are in the VMware VCP-VCF practice exam on CertGrid?
CertGrid has 850 practice questions for VMware VCP-VCF: Cloud Foundation Architect, covering 6 exam domains. The real VMware VCP-VCF exam has about 60 questions.
What is the passing score for VMware VCP-VCF?
The VMware VCP-VCF exam passing score is 600, and you have about 135 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.
Are these official VMware VCP-VCF exam questions?
No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of VMware VCP-VCF: Cloud Foundation Architect, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.
Can I practice VMware VCP-VCF for free?
Yes. You can start practicing VMware VCP-VCF: Cloud Foundation Architect for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.