VCF components and licensing, line by line.
VMware Cloud Foundation is sold as a single subscription, but it bundles eight distinct products with their own deployment patterns, version trains, and audit footprints. Knowing what is inside the SKU is the first step in defending it.
VMware Cloud Foundation is the centrepiece of Broadcom's subscription thesis: a single per-core SKU that wraps compute, storage, networking, management, automation, lifecycle, and operations into one renewal line item. That packaging is convenient for procurement and brutal for compliance. When the audit team arrives, they do not audit "VCF" — they audit each of the components inside it, against the contract you signed, with the entitlement metric that applies to each one.
This article walks through what VCF actually contains, how each component is licensed under the current Broadcom subscription model, and where audit exposure tends to sit. It is written for the customer-side licensing lead who has to defend the deployment, not for the architect choosing the topology.
What VMware Cloud Foundation is, on paper and in production
On paper, VCF is a single product. You buy a per-core subscription, you sign one order form, and you get access to a bundled estate that VMware (now Broadcom) maintains as a versioned release train. In production, VCF is a coordinating layer over a set of independent products that each predate the bundle: vSphere, vSAN, NSX, Aria (formerly vRealize), SDDC Manager, HCX, and a small set of supporting services. Each of those products has its own deployment model, its own configuration database, its own logs, and — critically — its own audit fingerprint.
When a Broadcom auditor opens a VCF environment, they do not see a single object called "VCF". They see ESXi hosts, vSAN clusters, NSX managers, Aria appliances, and SDDC Manager telemetry. Each of those is interrogated separately. The VCF SKU you bought provides the entitlement that lets you run them together, but the auditor reads usage on each component independently, and any deployment that drifts outside the bundled entitlement is treated as a separate finding.
The eight components inside the bundle
vSphere (ESXi + vCenter)
vSphere remains the foundation, even inside VCF. Every VCF deployment contains an ESXi hypervisor on every host and a vCenter Server appliance managing the cluster. Under Broadcom subscription, vSphere is licensed per physical core with a 16-core minimum per processor. Inside VCF, that core count is included in the bundle, but the auditor still counts cores at the ESXi layer. Hosts running ESXi without a corresponding VCF or vSphere subscription line are audit exposure regardless of where they sit logically.
The most common drift pattern here is hosts added to a cluster for short-duration projects — test rebuilds, capacity bursts, hardware swaps — that remain on the cluster after the project ends. Each of those hosts represents licensable cores. The VCF SKU does not absorb them automatically.
vSAN
vSAN is the software-defined storage layer. Under standalone licensing it was historically per-CPU; under Broadcom subscription it has moved to per-TiB capacity in some editions and per-core in others, depending on which VCF tier the customer is on. Inside VCF, vSAN capacity is bundled to a defined ceiling per core, and consumption above that ceiling is metered separately.
This is one of the most under-appreciated audit surfaces. A VCF customer who grew vSAN capacity faster than core count over a couple of refresh cycles will often have a measurable shortfall against the bundled entitlement. The shortfall is not visible in vCenter; it is visible in the entitlement summary, which most operators do not look at routinely.
NSX
NSX is the software-defined networking and security stack. Inside VCF it is sold in different feature tiers — Networking, Advanced, and Enterprise Plus historically; the current packaging consolidates these into VCF-bundled networking with a separately purchasable advanced security add-on. The audit-relevant question is which NSX features are enabled, not just installed.
Distributed firewalling, advanced load balancing, NSX Intelligence, and federation features routinely require entitlement beyond the bundled base. Customers who enabled these features for a particular use case and never turned them off frequently discover at audit that those features carry their own subscription requirement.
Aria Suite (formerly vRealize)
The Aria family covers operations management, automation, log management, and orchestration. The components most commonly seen are Aria Operations, Aria Automation, Aria Operations for Logs (formerly Log Insight), and Aria Automation Orchestrator. Under VCF, a defined Aria entitlement is bundled — but the bundle has historically been a subset of full Aria functionality, and additional capability is sold separately.
The audit exposure here typically comes from two patterns. The first is using Aria Operations to monitor environments outside the VCF estate — a common, sensible operational choice that nevertheless extends the entitlement requirement. The second is enabling Aria Automation features that require higher-tier licensing, often after a consulting engagement.
SDDC Manager
SDDC Manager is the orchestration plane that ties VCF together: lifecycle management, certificate management, host commissioning, and the workload domain abstraction all run through it. SDDC Manager itself does not carry separate licensing — it is included in the VCF entitlement — but the data it stores is the single most useful artefact in any VCF audit. When Broadcom asks for usage data, the SDDC Manager export is what they want, because it shows every host, every workload domain, every component version, and every configuration change over time.
HCX
HCX is VMware's workload mobility platform: it moves VMs between environments, including between on-premises VCF and the various hyperscaler VMware services. HCX comes in Connector (free) and Enterprise editions, and parts of HCX are bundled with VCF tiers while other capabilities — bulk migration, network extension, replication-assisted migration — sit in Enterprise.
Customers running cross-cloud migrations frequently enable HCX Enterprise features for the duration of a project and forget to disable them afterwards. The audit interrogation is straightforward: feature was active in the window, therefore licensable in the window.
Tanzu (where applicable)
Tanzu — the Kubernetes runtime and management stack — sits inside some VCF editions and outside others. Tanzu Kubernetes Grid is bundled with current VCF subscriptions in a defined runtime form; Tanzu Application Platform and other higher-tier offerings are separate. Customers running production Kubernetes workloads under Tanzu should treat the entitlement question as a separate sub-track inside the VCF audit, not as something automatically covered.
Supporting services and add-ons
The final group is the long tail of supporting components: Site Recovery Manager, vSphere Replication, Skyline diagnostics, Cloud Director (for some service providers), and a handful of niche tools. Each has its own entitlement model. Inside VCF some are bundled, some are separate. The bundle composition has also shifted across the 4.x → 5.x VCF version transition and across pricing changes during 2024 and 2025, which makes it possible — and common — for customers to have legitimate uncertainty about what they actually own.
How VCF is licensed under the current subscription model
Broadcom's VCF subscription is built on three principles that procurement teams should anchor on.
Per-core, with minimums. The unit of entitlement is the physical core, with a 16-core minimum per CPU. A two-socket host with 12-core CPUs is licensed at 32 cores, not 24. A two-socket host with 24-core CPUs is licensed at 48 cores. Customers running a mix of core counts across an estate will see weighted-average pricing in their commercial offer but core-by-core counting at audit.
Bundled feature entitlement, with carve-outs. A VCF subscription includes a defined set of features from each component — but not every feature of every component. The feature carve-outs are spelled out in the VCF Product Guide, which is the document the auditor will use as their reference. Customers who only have the order form and not the Product Guide are at an asymmetric disadvantage.
Term and renewal mechanics. Subscription terms are typically three or five years, with renewal pricing not contractually locked unless explicitly negotiated. The default renewal posture is at the then-current list price, which has consistently been higher than the original deal. Multi-year price-lock clauses are achievable but require deliberate negotiation up front.
Where audit exposure tends to sit
Across the VCF audits we have visibility into, exposure clusters in five places.
1. Cores beyond the entitlement
Hosts added since the original VCF deal — capacity expansions, project clusters, refresh hosts running in parallel with their predecessors — are the single most common finding. The cause is rarely intentional; it is usually that operational change happened faster than procurement caught up.
2. Components not in your tier
Features enabled that require a higher VCF tier than the one purchased. Distributed firewall, NSX Advanced Security, Aria Operations Enterprise features, and HCX Enterprise features are the recurring examples. The technical lead enables them because they solve a problem; the entitlement implication is not visible at the UI layer.
3. Capacity beyond bundled limits
vSAN capacity that has grown faster than the per-core bundled ceiling. This is the quietest source of exposure because it does not generate an obvious warning anywhere in vCenter; it shows up only when entitlement is reconciled against actual capacity.
4. Environments outside the licensed scope
Aria Operations monitoring non-VCF environments. Site Recovery Manager protecting workloads in a sister datacentre with separate licensing. NSX policies applied to environments outside the VCF cluster. These are entitlement extensions that auditors price separately.
5. Edition mismatch on legacy entitlement
Customers who came from a combination of VMware Enterprise Plus, vSAN, and NSX entitlements and were told that "your existing licenses convert into VCF" sometimes carry an understated entitlement into the subscription world. The conversion math is not always conservative, and the original perpetual entitlement may have been broader than the subscription replacement.
What the contract should say (and often does not)
Three contractual clauses make a meaningful difference to the audit defensibility of a VCF deployment, and we recommend customers verify them every renewal.
First, the scope of audit clause: how much notice Broadcom must give, what entities and environments are in scope, what data they may request, and whether you may use an independent third party to validate findings. Default clauses are usually broader than customers realise and tighter than they need to be.
Second, the True-Up methodology: how a usage shortfall is converted into a financial settlement. Default language leaves Broadcom wide latitude. Negotiated language can lock in current list price, exclude transient usage, and require methodology approval before settlement.
Third, the price protection clauses: what happens at renewal, what happens if a product moves between editions or tiers, and what happens if Broadcom retires a feature you depend on. None of this is default; all of it is negotiable; almost none of it appears in standard order forms unless explicitly added.
Practical implications for licensing leads
Three habits separate the customers who defend VCF well from those who do not.
The first is keeping a current, internal map of what is enabled in your VCF estate, not just what is deployed. Components installed but not used are typically not audit exposure; features enabled and configured are. The difference matters, and the only way to see it is to look at configuration state on each component, not just inventory.
The second is reconciling vSAN capacity and core count quarterly. This is the single highest-yield habit because the drift is silent and the audit cost is meaningful. A quarterly reconciliation surfaces the trend long before it becomes a finding.
The third is keeping the VCF Product Guide, the order form, and the audit clause in the same folder, version-controlled, accessible to the same handful of people. When an audit notice arrives, the time between "we got a letter" and "we have an evidence-based view of our position" is the variable that most predicts settlement outcome.
How the bundle is likely to evolve
The VCF bundle composition is not static. Broadcom has shifted what is in and out of the VCF subscription several times since the acquisition closed, and that pattern is likely to continue. Two trends are particularly relevant for customers signing multi-year subscriptions.
The first trend is bundling more: capabilities that were previously add-on SKUs are quietly absorbed into the base subscription. This is generally good for customers, but only if the negotiated price reflects the broader bundle rather than the original narrower one.
The second trend is moving advanced security and observability features behind higher tiers. Features that customers used to take for granted as part of "the VMware stack" are increasingly gated by edition. Customers who designed their architectures around assumed availability of these features should re-verify which tier they actually need.
The right defensive posture is to negotiate not just the price but the bundle composition — explicitly listing the included features in the order form and capping the upside if Broadcom moves a feature behind a higher tier mid-term.
Closing
VCF is sold as one product and audited as eight. The customers who fare best are the ones who understand the components individually, keep their entitlement model current, and treat the VCF subscription as a contract to be defended rather than a renewal to be processed. The defence work is not glamorous — it is reconciliation, documentation, and clause review — but it is the work that turns a six-figure audit finding into a two-figure-percentage settlement, and it is the work that compounds across the term of a multi-year subscription.