VCF Operations Management Licensing

VMware Cloud Foundation (VCF) is positioned by Broadcom as an integrated software-defined data centre platform, and one of its most-cited advantages is the inclusion of the Aria operations management stack as part of the per-core subscription. The marketing message is clear: buy VCF and you get the full lifecycle, monitoring, log analytics, and automation capabilities without separately licensing Aria. The reality is more nuanced. VCF includes specific editions of specific Aria products, at specific entitlement levels, with specific deployment constraints — and customers who deploy outside those constraints, or use unbundled editions, are exposed to additional licensing and to audit findings. This article walks through what is actually licensed under VCF Operations Management, what is not, and what the audit-defence implications look like.

What VCF actually bundles in operations management

As of the current VCF SKU structure under Broadcom, the operations management capabilities included in a standard VCF subscription comprise four distinct components, each at a defined edition tier:

• Aria Operations (formerly vRealize Operations) — performance monitoring, capacity planning, cost analytics, compliance dashboards across the VCF estate. Bundled at the Advanced edition tier when consumed under VCF.
• Aria Operations for Logs (formerly vRealize Log Insight) — log aggregation, indexing, and analytics for VCF infrastructure components and a defined scope of guest workloads.
• Aria Automation (formerly vRealize Automation) — self-service catalogue, blueprint-based provisioning, multi-cloud orchestration. Bundled at a constrained scope tied to VCF resources.
• Aria Operations for Networks (formerly vRealize Network Insight, formerly Arkin) — network flow analytics, microsegmentation planning, NSX troubleshooting. Bundled only when the VCF SKU includes NSX networking, with scope tied to monitored hosts.

The word "bundled" is doing significant work here. Each of these components has separately purchasable editions outside VCF, with different feature sets and different unit metrics. The VCF entitlement is not the same thing as a standalone purchase of the equivalent product, and confusing the two is the most common source of compliance findings.

The scope problem — what counts as "VCF resources"

The most important constraint on VCF-bundled Aria entitlements is scope. The licences are valid for managing the VCF-licensed compute estate. They are not valid for managing arbitrary infrastructure outside that scope. The contractual language varies by edition and date, but the principle is consistent: the bundled Aria entitlement covers the cores you have licensed under VCF, not your entire data centre.

This creates four common compliance scenarios that surface in audits:

Scenario 1: Aria Operations monitoring non-VCF workloads. Aria Operations has connectors and management packs that let it monitor AWS, Azure, GCP, Kubernetes clusters, physical servers, network devices, and hundreds of other endpoint types. The VCF bundled entitlement does not include the right to use these external connectors at scale. Doing so requires the standalone Aria Operations Enterprise edition with appropriate add-on packs.

Scenario 2: Aria Automation provisioning to non-VCF targets. Aria Automation supports multi-cloud provisioning — AWS, Azure, GCP, Kubernetes, public cloud Kubernetes services. The VCF bundle constrains Automation usage to the VCF estate. Customers who configure Automation as their enterprise self-service portal across multi-cloud targets are typically out of scope and need standalone Automation Enterprise.

Scenario 3: Log Insight indexing non-infrastructure logs. Log Insight is often pressed into service as a general-purpose log aggregation platform — ingesting application logs, security logs, business event logs. The VCF entitlement covers infrastructure logs from VCF components and a constrained scope of guest OS logs. Wider use is a separate purchase.

Scenario 4: Aria Operations for Networks monitoring outside NSX-managed networks. Network Insight has discovery and analytics capabilities for physical networks, Cisco ACI, public cloud VPCs, and other non-VMware constructs. The VCF bundle ties the entitlement to NSX hosts; wider deployment requires the standalone product.

How Broadcom discovery picks up scope violations

The Aria products themselves are heavily instrumented. Aria Operations records every monitored object and adapter; Automation records every deployed blueprint and target; Log Insight records every ingested source; Network Insight records every monitored data source. Broadcom's audit data requests typically include these inventories and use them to compute whether the deployment fits within VCF-bundled scope.

For Aria Operations specifically, the audit teams look at the adapter list, the monitored object counts, and the per-adapter resource consumption. A customer with a VCF subscription for 500 cores of compute should not, ordinarily, be monitoring 30,000 objects across public cloud and physical infrastructure with adapters that point outside the VCF estate. When the ratios are out of band, additional licensing is typically claimed.

For Automation, the discovery is in the deployed cloud accounts and provisioning targets. An Automation instance configured with AWS, Azure, and on-premises Kubernetes endpoints, regularly provisioning into all three, is hard to argue is constrained to the VCF estate. The defensible position requires either documented constraints on usage or a separate Automation entitlement.

Edition mismatches — Advanced vs Enterprise

VCF bundles Aria Operations at the Advanced edition. Aria Operations Enterprise adds capabilities — broader compliance frameworks, advanced cost analytics, certain integrations, expanded reporting. Customers who configure Enterprise features in their VCF-bundled Aria Operations instance, perhaps following recommended configuration guides or VMware professional services scripts, can find themselves using features that the VCF bundle does not include.

The audit finding here is subtle. The customer paid for VCF, which includes Aria Operations. The customer is using Aria Operations. But the customer is using a feature that requires Enterprise, and the VCF bundle only includes Advanced. The remediation is either disabling the feature or paying for the Enterprise upgrade across the relevant estate.

This pattern repeats across the operations management stack. Each product has multiple editions. The VCF bundle is at a specific edition. Using above-edition features is a finding.

The "Aria Suite" question

Many customers historically purchased the vRealize Suite (now Aria Suite) as a standalone bundle, before VCF or in addition to VCF. The Aria Suite has its own edition tiers (Standard, Advanced, Enterprise) and its own unit metric (portable licence units, or PLUs). The interaction between an Aria Suite entitlement and a VCF bundle is a frequent source of confusion.

The general principle: if a customer holds both a VCF subscription and a separate Aria Suite entitlement, the entitlements are additive but not equivalent. The Aria Suite can be deployed outside the VCF scope; the VCF-bundled Aria is constrained to the VCF scope. Customers should not assume that the Aria Suite entitlement extends to cover VCF-bundled capabilities, or vice versa.

Where the customer migrated from Aria Suite to VCF as part of the Broadcom transition, the legacy Aria Suite entitlement may have lapsed or been converted. The contract documentation determines what remains. A common audit finding is continued use of Aria Suite Enterprise capabilities (e.g. Enterprise-only adapters in Aria Operations) after the Aria Suite entitlement has lapsed and only the VCF Advanced bundle remains.

Aria SaaS vs on-premises

Broadcom is steering the operations management stack toward SaaS delivery — Aria Operations Cloud, Aria Automation Cloud, and so on. The VCF bundle entitlements include both on-premises and SaaS variants in most editions, but the licensing mechanics differ. SaaS instances are tracked by Broadcom directly, with usage telemetry that flows back to Broadcom. On-premises instances are tracked by the customer and surfaced in audit data requests.

For audit defence, the implication is that SaaS over-consumption is hard to contest after the fact — Broadcom has its own usage data. On-premises over-consumption is contestable to the extent that the customer can produce its own deployment records that explain or refute Broadcom's findings. Hybrid deployments (some Aria SaaS, some on-premises) are the most complex; the customer needs records of both.

Practical defence steps

Inventory all Aria deployments against the VCF entitlement

The first step is a deployment inventory. For each Aria product, document the deployed instances, the editions in use, the monitored or managed scope (objects, adapters, cloud accounts, log sources, network data sources), and the resource consumption. Map each against the VCF entitlement — specifically, which cores the entitlement covers and which Aria editions are included for those cores.

Classify each deployment as in-scope, out-of-scope, or ambiguous

In-scope deployments are those that fit cleanly within the VCF-bundled entitlement. Out-of-scope deployments are clearly outside (Automation provisioning to AWS targets, Network Insight monitoring physical Cisco infrastructure, Log Insight ingesting application logs at scale). Ambiguous deployments are those where the contract language could be argued either way; these require legal review.

Decide on the path for each out-of-scope and ambiguous deployment

Three paths: bring the deployment into scope (reconfigure to fit the VCF bundle), buy the standalone entitlement to cover the additional scope, or document a position that the deployment fits within the contractual language. The third option is the highest-risk and requires legal review.

Document the position before discovery

Audit findings are easier to defend when the customer's position pre-dates the audit. A documented, dated entitlement review showing the customer's interpretation of the VCF Aria scope is materially more credible than an interpretation produced after Broadcom asked questions. Make the documentation regular — annual or semi-annual review with sign-off.

Common over-deployment patterns

From engagements we have run, the most common over-deployment patterns are:

• Aria Operations monitoring the entire data centre — including AWS, Azure, GCP, physical servers, network devices — under a VCF subscription that only entitles VCF compute scope
• Aria Automation as the enterprise self-service portal — provisioning into multi-cloud targets — under a VCF subscription
• Log Insight as the central log aggregation platform — ingesting application logs, security logs, business logs — beyond VCF infrastructure logs
• Network Insight monitoring non-VMware networks — Cisco ACI, public cloud VPCs, physical switches — under a VCF NSX bundle
• Enterprise-edition features in use — advanced cost analytics, expanded compliance frameworks — under a VCF bundle that includes Advanced

Each of these is a defensible position with the right contract language and the right interpretation. None is defensible if the customer has not documented a position and Broadcom raises it cold.

Pricing implications when out-of-scope is found

The remediation pricing for out-of-scope Aria usage is typically the list price for the relevant standalone edition, applied to the in-use scope, often backdated to the start of use. Aria Operations Enterprise, Aria Automation Enterprise, and Log Insight at extended scope are not cheap; remediation invoices in the seven figures are common when out-of-scope usage has run for two or three years across a large estate.

The negotiation lever is usually trade-up to a larger VCF entitlement, or to one of the broader Aria Suite bundles, in exchange for waiver of historical claim. This is a standard play and Broadcom is generally willing — provided the customer is positioned to demonstrate that they understand the entitlement and have a credible path to compliance going forward.

The transition from vRealize naming

Most customers still have documentation that references vRealize Operations, vRealize Automation, vRealize Log Insight, and vRealize Network Insight. The product capabilities are largely unchanged; the names changed to Aria. For audit defence purposes, contract language referring to vRealize products applies to the corresponding Aria products. Customers should not assume that the rename created or eliminated entitlements.

Where the rename coincided with a SKU restructure (which it did, in some cases), the entitlement scope may have changed. Compare the legacy product name and edition against the current Aria SKU and verify that the migration preserved the customer's expected entitlement scope.

Frequently asked questions

Does VCF include all Aria products at all editions?

No. VCF includes specific Aria products at specific editions with specific scope. Aria Operations is bundled at Advanced, with scope tied to VCF cores. Aria Automation is bundled at a constrained scope. Log Insight is bundled for VCF infrastructure logs. Network Insight is bundled when NSX is included. Enterprise features and out-of-scope usage require separate purchase.

Can we use the VCF-bundled Aria Operations to monitor our AWS estate?

Generally no, beyond a token amount. The VCF entitlement covers the VCF compute estate. Monitoring AWS at scale through Aria Operations adapters typically requires the standalone product. Validate against the specific contract; the language has evolved across VCF editions.

What if our Aria deployment was inherited from a pre-Broadcom vRealize Suite licence?

The vRealize Suite entitlement, if still active, may cover deployments outside VCF scope. If the Suite entitlement was retired or converted as part of the Broadcom transition, only the VCF-bundled scope remains. Check the contractual record.

How does Broadcom measure Aria over-deployment?

Through the Aria products themselves — adapter lists, monitored object counts, cloud account configurations, log source counts, network data source counts. These data points are surfaced in audit data requests and compared against the VCF entitlement.

What is the typical remediation cost for an Aria scope finding?

Varies with deployment size. For a mid-sized enterprise with significant out-of-scope Aria Operations or Automation usage, six- to seven-figure remediation claims are typical. Negotiation usually resolves these via trade-up to broader entitlements rather than backdated invoices.

Should we maintain a separate Aria Suite entitlement alongside VCF?

It depends on usage. If significant Aria deployment is outside the VCF compute scope (multi-cloud, physical, third-party), separate Aria Suite entitlements are worth pricing. If all Aria deployment fits within VCF scope and edition, the VCF bundle is sufficient.