VMware Cloud Foundation Administrator Study Guide
The VMware Cloud Foundation Administrator exam validates your ability to deploy, configure, and operate a VMware Cloud Foundation (VCF) software-defined data center - covering the integrated vSphere, vSAN, and NSX stack, SDDC Manager lifecycle automation, workload domains, networking, and storage. It is aimed at administrators and engineers who manage VCF environments day to day, including bring-up, host commissioning, upgrades, and ongoing operations. The 120-minute exam has roughly 663 questions in the bank, with a scaled passing score of 600.
Domain 1: VCF Architecture
- VMware Cloud Foundation is a full-stack SDDC platform that bundles vSphere (compute), vSAN (storage), NSX (networking/security), and SDDC Manager (lifecycle) as a single validated, integrated solution.
- The three software-defined pillars are vSphere for compute, vSAN for storage, and NSX for networking and security; SDDC Manager adds lifecycle automation on top.
- SDDC Manager is the central management and automation plane: it orchestrates bring-up, host commissioning, workload-domain provisioning, and lifecycle (LCM) operations like firmware and software upgrades.
- Bring-up is the automated first deployment performed by VMware Cloud Builder, which reads the deployment parameter workbook, validates prerequisites, and bootstraps the management domain.
- The deployment parameter workbook is an Excel (.xlsx) file (convertible to a JSON spec) that supplies all network, host, password, and naming inputs Cloud Builder needs for bring-up.
- The management domain is deployed during bring-up and hosts the core management VMs: vCenter Server, NSX Manager nodes, and SDDC Manager.
- A consolidated architecture lets management and tenant workloads share a single cluster to minimize hardware cost, which suits small or edge sites; a standard architecture separates them into a management domain and VI workload domains.
- VMware Aria (formerly vRealize Suite) adds cloud management and operations: Aria Automation for self-service provisioning, Aria Operations for monitoring and capacity planning, and Aria Operations for Logs for log analytics.
- Validated interoperability, automated lifecycle, and consistent operations are the core value of VCF - they reduce complexity, risk, and the chance of unsupported version combinations.
- Dedicated VLANs and VMkernel networks per traffic type (management, vMotion, vSAN, overlay/TEP) with Network I/O Control improve performance predictability over shared NICs.
- Identity is integrated through vCenter Single Sign-On, which can federate to an external identity provider such as Active Directory or LDAP.
- SDDC Manager provides centralized password management and rotation for VCF component credentials (ESXi, vCenter, NSX, and more).
- Useful host commands: 'vmware -v' prints the ESXi product name and exact build number; 'esxcli system ntp set --server=ntp1.lab.local --enabled=true' configures and enables NTP.
- The SoS diagnostic utility at '/opt/vmware/sddc-support/sos --health-check' runs a health-collection across VCF components for troubleshooting and support bundles.
Domain 2: Workload Domains
- The management domain is the first workload domain, created during Cloud Builder bring-up; it runs a dedicated vSphere cluster with vSAN and hosts vCenter, SDDC Manager, and NSX Manager nodes.
- A Virtual Infrastructure (VI) workload domain is a logically isolated unit for tenant/production workloads, consisting of one or more vSphere clusters, its own dedicated vCenter Server, vSAN storage, and NSX networking.
- Each VI workload domain has its own vCenter Server instance, so a fault, patch, or change in one domain does not affect other domains.
- Before a host can join a workload-domain cluster it must be commissioned in SDDC Manager, which validates hardware compatibility, ESXi version, network/DNS/NTP reachability, and credentials.
- Workload domains deliver isolation (separate security/lifecycle boundaries) plus standardized automated provisioning of compute, storage, and network together as one operation.
- vSAN is the default principal storage for workload domains, though supplemental storage such as NFS, VMFS/FC, or vVols can also be attached.
- Hosts are added to a cluster via SDDC Manager (after commissioning) and reclaimed by decommissioning them after workloads are evacuated.
- Decommissioning underutilized hosts after evacuation reclaims hardware from an over-provisioned domain; reducing host count to forecasted demand controls cost.
- vSphere DRS continuously balances VM placement across hosts; running DRS in fully automated mode optimizes performance and utilization during contention.
- Resource pools with CPU/memory shares, limits, and reservations prevent a noisy VM from starving others and let you prioritize critical workloads.
- Right-sizing VM CPU and memory to observed utilization and reclaiming oversized allocations is a primary lever for improving workload-domain efficiency.
- 'esxcli vsan cluster get' reports a host's vSAN cluster membership, sub-cluster UUID, and node role (master/agent/backup).
- 'esxcli vsan storage list' shows each vSAN-claimed disk and whether it is a cache or capacity device; 'esxcli storage core device list' verifies device eligibility.
- PowerCLI 'Set-VMHost -VMHost esxi01 -State Maintenance' places a host into maintenance mode so it can be evacuated for patching or decommissioning.
Domain 3: Networking with NSX
- NSX provides VCF's software-defined networking and security: overlay segments using Geneve encapsulation, Tier-0/Tier-1 logical routing, and the Distributed Firewall for micro-segmentation.
- Overlay (Geneve) segments create logical Layer 2 networks decoupled from the physical VLAN/underlay, so VMs on the same segment communicate regardless of which host or rack they reside on.
- A Tier-0 gateway runs on NSX Edge nodes and handles north-south traffic, peering with physical upstream routers via BGP or static routing.
- A Tier-1 gateway sits below Tier-0 and aggregates tenant/segment networks; a common multi-tenant design is a shared Tier-0 upstream with a separate Tier-1 per tenant for isolation.
- The Distributed Firewall (DFW) runs as a kernel module in each ESXi host and enforces policy at every VM's virtual NIC, so even VMs on the same segment are filtered (east-west micro-segmentation).
- Distributed routing also runs in the hypervisor kernel, so east-west traffic between VMs on the same host need not hairpin to a central appliance.
- Micro-segmentation best practice is to write rules against tag-based dynamic security groups (NSX Groups and Tags) rather than static IP addresses, and to run a default-deny posture so anything not explicitly allowed is dropped.
- NSX Edge nodes host Tier-0 (and optionally service Tier-1) gateways; choose an Edge form factor sized to actual throughput rather than always deploying the largest.
- NSX Advanced Load Balancer (Avi) provides L4-L7 load balancing as the recommended VCF load-balancing solution.
- The overlay transport network requires jumbo frames - set MTU to 1600 or higher end-to-end (physical switches and VMkernel TEP interfaces) to accommodate Geneve encapsulation overhead.
- Troubleshoot TEP/overlay reachability with 'vmkping ++netstack=vxlan -d -s 1572 <remote-TEP>' to confirm MTU and connectivity without fragmentation: the 1572-byte payload plus 28 bytes of IP and ICMP headers equals the 1600-byte MTU, so a failure means the path cannot carry full-size Geneve frames.
- 'esxcli network ip interface ipv4 get -i vmk10' shows the IP configuration of the overlay TEP VMkernel interface.
- 'vsipioctl getrules -f <filter-name>' dumps the realized DFW rules applied to a specific VM's vNIC filter for verification.
- On NSX Edge, 'get logical-router <uuid> route' displays the routing table of a Tier-0/Tier-1 gateway for north-south troubleshooting.
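As an added illustration of the micro-segmentation practices listed above (not code from the study guide or from VMware), the following lint checks a simplified, constructed model of a distributed-firewall rule set for two things: every rule member is a tag-based group rather than a static IP, and the last rule is a default deny. The group and rule layout is an assumption for the example and is not the NSX Policy API schema.

```python
"""Added example: lint a simplified DFW rule set for tag-based groups
and a trailing default-deny rule. Constructed data, not NSX's schema."""
import ipaddress

# Constructed sample groups: three tag-based, one defined by a static address list.
GROUPS = {
    "web": {"tag": "tier|web"},
    "app": {"tag": "tier|app"},
    "db": {"tag": "tier|db"},
    "legacy": {"ip_addresses": ["10.10.5.0/24"]},
}

# Constructed sample rules, evaluated top to bottom like a DFW section.
RULES = [
    {"name": "web-to-app", "source": ["web"], "destination": ["app"], "action": "ALLOW"},
    {"name": "app-to-db", "source": ["app"], "destination": ["db"], "action": "ALLOW"},
    {"name": "legacy", "source": ["10.10.5.7"], "destination": ["legacy"], "action": "ALLOW"},
    {"name": "default", "source": ["ANY"], "destination": ["ANY"], "action": "DROP"},
]


def _is_ip_literal(member: str) -> bool:
    """True when a member is written as an address or CIDR instead of a group name."""
    try:
        ipaddress.ip_network(member, strict=False)
        return True
    except ValueError:
        return False


def is_default_deny(rule: dict) -> bool:
    """A rule that drops or rejects any-to-any traffic."""
    return (rule["source"] == ["ANY"] and rule["destination"] == ["ANY"]
            and rule["action"] in ("DROP", "REJECT"))


def lint_dfw(rules: list, groups: dict) -> list:
    """Return findings as strings; an empty list means the rule set follows the practices."""
    findings = []
    for rule in rules:
        for side in ("source", "destination"):
            for member in rule[side]:
                if member == "ANY":
                    continue
                if _is_ip_literal(member):
                    findings.append(f"{rule['name']}: {side} uses static IP {member}")
                elif member not in groups:
                    findings.append(f"{rule['name']}: unknown group {member}")
                elif "tag" not in groups[member]:
                    findings.append(f"{rule['name']}: group {member} is not tag-based")
    if not rules or not is_default_deny(rules[-1]):
        findings.append("no default-deny rule at the end of the rule set")
    return findings
```

Running lint_dfw(RULES, GROUPS) reports the static source IP and the non-tag-based "legacy" group in the third rule, and reports nothing for the first two rules or the trailing deny.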
Domain 4: Lifecycle and Operations
- SDDC Manager's Lifecycle Management (LCM) module orchestrates patching and upgrades for the entire stack - ESXi, vCenter, NSX, vSAN, and SDDC Manager itself - using validated bundles from the VMware depot.
- A bundle is a curated, digitally signed archive of one or more component updates that have been jointly tested for interoperability; SDDC Manager downloads, stages, and applies it.
- The VCF Bill of Materials (BOM) and interoperability matrix define the exact jointly validated versions of each component, so updates only arrive through bundles that keep the environment supported.
- LCM enforces the correct upgrade order - typically SDDC Manager first, then NSX, then vCenter, then ESXi hosts - so every component always runs a compatible version.
- Upgrade the management domain first, then VI workload domains, following SDDC Manager's validated sequence.
- Before any upgrade, run SDDC Manager prechecks (DNS, NTP, certificate validity, cluster/vSAN health, component connectivity) and confirm current backups of SDDC Manager, vCenter, and NSX exist.
- Rolling upgrades evacuate hosts one at a time using maintenance mode and DRS, so workloads keep running while each host is patched.
- Aria Operations (vRealize Operations) monitors VCF health, performance, and capacity, and supports what-if/right-sizing analysis for capacity planning.
- Aria Operations for Logs (vRealize Log Insight) aggregates and analyzes logs across VCF components for troubleshooting and audit.
- Management resilience comes from vSphere HA, redundant networking, and regular file-based backups of the management VMs.
- Configure ESXi remote syslog with 'esxcli system syslog config set --loghost=tcp://logserver:514' followed by 'esxcli system syslog reload' to apply.
- Manage VCSA services with 'vmon-cli' - for example 'vmon-cli --list' to enumerate services and 'vmon-cli --restart vpxd' to restart the vCenter service daemon.
- Back up vCenter with file-based backup via the VAMI or backup.py, and use the SDDC Manager SoS utility to collect support and diagnostic data.
- Enter host maintenance from the CLI with 'esxcli system maintenanceMode set --enable true' before patching or hardware service.
Domain 5: Storage (vSAN)
- vSAN is the hyperconverged storage layer that aggregates host-local NVMe/SSD/HDD devices into a single shared, policy-driven datastore for all hosts in the cluster.
- Storage Policy-Based Management (SPBM) assigns storage requirements per VM/VMDK through named policies rather than per-LUN provisioning, and vSAN places data to satisfy each policy.
- Failures to Tolerate (FTT) sets redundancy: FTT=1 survives one host or disk failure using either RAID-1 mirroring or RAID-5 erasure coding.
- RAID-1 mirroring at FTT=1 costs roughly 2x raw capacity and needs 3 hosts; RAID-5 erasure coding keeps FTT=1 with less overhead but requires a minimum of 4 hosts.
- FTT=2 with RAID-1 needs 5 hosts and 3x raw overhead (three copies); RAID-6 erasure coding tolerates two failures with a minimum of 6 hosts.
- A vSAN disk group consists of one cache device (read cache/write buffer) plus 1-7 capacity devices; a host can have up to five disk groups.
- Deduplication and compression reduce capacity consumption for repetitive data and operate per disk group in disk-group architectures.
- Thin provisioning consumes capacity only as data is written, minimizing unused allocated space; object space reservation can pre-allocate when needed.
- If a cluster drops to only 3 remaining hosts, RAID-5 objects (which need 4) cannot rebuild full redundancy, risking inaccessible data on a second failure.
- Address high vSAN read latency by ensuring adequate cache-tier sizing and checking the cache hit ratio; an excessive stripe width wastes cache and back-end resources without proportional gain.
- A dedicated 25 GbE or higher network is recommended for modern all-flash vSAN clusters; storage policy IOPS limits can cap noisy-neighbor I/O.
- Monitor with the vSAN performance service combined with Aria Operations, and run health checks via 'vsan.health.health_summary <cluster>' (RVC).
- Useful CLI: 'esxcli vsan resync stats get' shows rebuild/resync progress, and 'esxcli vsan policy getdefault' displays the cluster's default storage policy.
- Inspect devices with 'esxcli vsan storage list' (cache vs capacity roles) and 'esxcli storage core device smart get -d <device>' for SMART health data.
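The host-count and overhead rules in the FTT bullets above are worked through here as an added example (not from the study guide or from VMware). It generalizes the page's FTT=1 and FTT=2 cases: RAID-1 mirroring at FTT=n keeps n+1 copies and needs 2n+1 hosts, while erasure coding exists only as RAID-5 (3+1, FTT=1, 4 hosts) and RAID-6 (4+2, FTT=2, 6 hosts). The 30% free-space slack used for sizing is an assumed value, and the figures apply to the disk-group (OSA) architecture.

```python
"""Added example: vSAN OSA policy math (minimum hosts, raw-capacity multiplier,
rebuild feasibility). Erasure-coding multipliers follow from the stripe layouts."""
from dataclasses import dataclass

RAID5_MIN_HOSTS, RAID5_OVERHEAD = 4, 4 / 3   # 3 data + 1 parity stripes, FTT=1
RAID6_MIN_HOSTS, RAID6_OVERHEAD = 6, 6 / 4   # 4 data + 2 parity stripes, FTT=2


@dataclass(frozen=True)
class PolicyRequirement:
    min_hosts: int    # hosts needed to place every component of a compliant object
    overhead: float   # raw bytes consumed per usable byte


def requirement(ftt: int, method: str) -> PolicyRequirement:
    """Minimum host count and raw-capacity multiplier for a vSAN storage policy.

    Mirroring keeps ftt+1 full copies and needs 2*ftt+1 hosts (the odd host
    carries witness components). Erasure coding is only defined for FTT=1
    (RAID-5) and FTT=2 (RAID-6)."""
    if method == "mirror":
        if not 0 <= ftt <= 3:
            raise ValueError("vSAN mirroring supports FTT 0 through 3")
        return PolicyRequirement(min_hosts=2 * ftt + 1, overhead=float(ftt + 1))
    if method == "erasure":
        if ftt == 1:
            return PolicyRequirement(RAID5_MIN_HOSTS, RAID5_OVERHEAD)
        if ftt == 2:
            return PolicyRequirement(RAID6_MIN_HOSTS, RAID6_OVERHEAD)
        raise ValueError("erasure coding requires FTT=1 (RAID-5) or FTT=2 (RAID-6)")
    raise ValueError(f"unknown protection method {method!r}")


def raw_capacity_tb(usable_tb: float, ftt: int, method: str, slack: float = 0.30) -> float:
    """Raw capacity to provision for the requested usable capacity, keeping an
    assumed fraction (slack) free for rebuilds and maintenance."""
    return usable_tb * requirement(ftt, method).overhead / (1 - slack)


def can_rebuild(hosts_online: int, ftt: int, method: str) -> bool:
    """True if the surviving hosts can still place a fully compliant object, i.e.
    rebuild redundancy after a failure (the RAID-5 on 3 hosts case above fails)."""
    return hosts_online >= requirement(ftt, method).min_hosts
```

For example, can_rebuild(3, 1, "erasure") is False while can_rebuild(3, 1, "mirror") is True, matching the three-host RAID-5 scenario described above.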
VMware Cloud Foundation Administrator exam tips
- Memorize the SDDC Manager upgrade order (SDDC Manager, then NSX, then vCenter, then ESXi) and the rule that the management domain is always upgraded before VI workload domains.
- Know the vSAN host-count and overhead math cold: RAID-1 FTT=1 needs 3 hosts (2x), RAID-5 needs 4, RAID-1 FTT=2 needs 5 hosts (3x), RAID-6 needs 6 - exam questions hinge on these minimums.
- Distinguish the components: SDDC Manager (lifecycle/automation), Cloud Builder (one-time bring-up), and the parameter workbook (inputs). Questions often test which tool does which job.
- For NSX questions, separate north-south (Tier-0 on Edge, BGP to physical) from east-west (Distributed Firewall in the kernel at each vNIC), and remember overlay needs MTU 1600+ end-to-end.
- Always pair upgrade scenarios with the prerequisites: run SDDC Manager prechecks and confirm valid backups before applying any bundle - these are frequent correct answers.
Study guide FAQ
What is the difference between the management domain and a VI workload domain?
The management domain is the first domain built during bring-up and runs the VCF management VMs (vCenter, SDDC Manager, NSX Manager). A VI (Virtual Infrastructure) workload domain is created afterward to host tenant/production workloads with its own dedicated vCenter, vSAN, and NSX, giving isolation and an independent lifecycle from the management domain and other workload domains.
What does SDDC Manager actually do versus Cloud Builder?
Cloud Builder is used once to perform bring-up - it reads the parameter workbook and deploys the initial management domain. SDDC Manager is the ongoing management and automation plane: it commissions hosts, provisions workload domains and clusters, manages credentials/passwords, and orchestrates patching and upgrades using validated bundles.
How does vSAN decide how to protect my data?
Through Storage Policy-Based Management. You define a VM Storage Policy specifying Failures to Tolerate, the RAID method (mirroring or erasure coding), stripe width, and reservations, then attach it to a VM or VMDK. vSAN automatically places and maintains the required redundant components to satisfy the policy, so protection is per-object rather than per-LUN.
Why must I run prechecks before a VCF upgrade?
SDDC Manager prechecks validate environmental readiness - DNS, NTP, certificate validity, cluster and vSAN health, and component connectivity - before any bundle is applied. Combined with confirming current backups of SDDC Manager, vCenter, and NSX, this prevents failed upgrades and gives you a recovery path, which is why prechecks-plus-backups is the standard pre-upgrade step.