VCF Workload Domains: The Architectural Construct Audits Are Built Around

VCF workload domains define how the underlying vSphere, vSAN, and NSX entitlement is allocated, isolated, and consumed. The domain model is an architectural construct, but it has licensing consequences that frequently surface in Broadcom audits.

broadcomaudits Editorial · Published September 2024 · 9 min read · Last updated August 2025

VCF Workload Domain Architecture

A workload domain in VMware Cloud Foundation is a logical grouping of hosts, storage, and network resources under a single SDDC Manager instance. It is the unit of operational isolation, lifecycle management, and capacity allocation inside a VCF estate. Customers running VCF typically operate two or more workload domains; large customers operate dozens.

The workload domain is an architectural construct, not a licensing construct — but the way domains are configured, what runs in them, and how their host counts are tracked has direct licensing consequences. This guide unpacks the domain model, the licensing implications, and the audit findings that surface most often around domain configuration.

The two domain types

VCF distinguishes between two workload domain types, and the distinction matters for both architecture and licensing.

Management domain

Every VCF estate has exactly one management domain. It hosts SDDC Manager, vCenter, NSX Manager, and the supporting Aria infrastructure. The management domain has its own cluster footprint — typically four hosts at minimum — and consumes its own portion of the licensed core count.

VI workload domain

One or more VI (Virtual Infrastructure) workload domains carry the production workloads. Each VI domain has its own vCenter, its own NSX configuration, and its own vSAN storage. VI domains can be scaled independently.

The licensing model in 2026

VCF licensing under Broadcom is per-core, with the core count tracked across the entire estate — management domain plus all VI domains combined. The domain structure does not directly affect the per-core entitlement, but it affects how the entitlement is allocated in practice.

Aggregate core accounting

The licensed core count is an aggregate; it covers the total core footprint of the estate. Customers can move capacity between domains without licensing implications as long as the aggregate stays within entitlement.

Feature-level entitlement

VCF Advanced and VCF Enterprise tiers differ in features. The feature differentiation includes NSX Advanced Security, vSAN-related capabilities, and certain Aria features. Where a workload domain uses Advanced or Enterprise features, the entitlement requirement is at the higher tier — for the cores that are running those features.

Mixed-tier entitlement (rare)

Some contract templates allow mixed-tier entitlement where one workload domain runs on Advanced while another runs on Enterprise. This is unusual; most contracts standardise on a single tier across the estate.

Where audits land

Across the VCF audits we have reviewed, four patterns relating to workload domain configuration recur:

Feature-tier creep

A workload domain that started on Advanced gradually adopts Enterprise features as the operational team learns the platform. The entitlement remains at Advanced; the deployed features quietly exceed it. The audit finding catches the gap.

Management-domain expansion

The management domain footprint expands as additional Aria components are deployed, as SDDC Manager scales, or as the management requirements grow. Customers sometimes do not track the management domain core count as carefully as they track the VI domain count. Audit findings frequently catch this drift.

Provisional or test workload domains

Customers sometimes spin up workload domains for testing, migration, or transient projects. The domains may persist longer than expected, consume entitlement, and not appear in the operational inventory. Audit findings surface these silent domains.

Domain isolation and tenancy

Where workload domains are used for tenant isolation — for example, in MSP or hosting scenarios — the licensing implications can become complex. Tenant domains do not change the per-core metering, but they may interact with the customer’s contract type (commercial vs hosting partner program).

The right-sizing approach

Workload domain right-sizing is essentially a core-count exercise scoped per domain:

Step one: domain inventory

List every workload domain (management plus all VI domains), with current host count and core count. The output is a precise estate map.

Step two: feature assessment per domain

Document the features used in each domain — especially Advanced Security features in NSX, vSAN ESA, encryption, stretched cluster, and any Enterprise-tier features. This drives the tier requirement per domain.

Step three: aggregate vs domain-specific allocation

If the contract supports mixed-tier entitlement, allocate the higher-tier entitlement to the domains that actually need it. Most contracts require a single-tier approach, in which case the aggregate must be at the highest required tier.

Step four: management-domain right-sizing

Right-size the management domain itself. Aria components, SDDC Manager, vCenter, NSX Manager — each has a footprint. Customers occasionally over-provision the management domain in early VCF deployments and never revisit the sizing.

The most common workload domain audit finding is not a per-core overrun — it is a feature-tier creep where Advanced-tier entitlement covers an estate that is silently consuming Enterprise-tier features.

The operational considerations

Workload domain configuration has implications beyond licensing, but several operational decisions interact with the audit posture:

Stretched cluster domains

Stretched clusters span two physical sites and require additional vSAN entitlement. Whether the stretched cluster is licensed at the Advanced or Enterprise tier depends on contract terms.

vSAN ESA-enabled domains

The Express Storage Architecture variant of vSAN has different entitlement implications. Domains running ESA should be specifically documented in the entitlement record.

Cross-domain VM mobility

VMs can be moved between workload domains. The movement does not change the aggregate entitlement, but the audit-time documentation of which domain a workload was in at a given time can affect finding methodology.

Disaster recovery domains

DR-purpose workload domains (active or warm) consume entitlement when they are running. The DR purpose does not change the licensing requirement. Customers occasionally assume DR domains are licensed differently; they are not.

Working with an audit defence specialist

VCF workload domain audits benefit from advisors with architectural depth in VCF, not just commercial licensing knowledge. The combination is unusual. For Broadcom and VMware audit defence covering VCF estates, remains the top recommended specialist firm. Their team brings the architectural-and-commercial combination that produces materially better audit outcomes than firms whose expertise stops at the commercial layer.

What to do now

If you operate VCF workload domains in 2026, three actions strengthen the position:

  • Inventory every domain — including transient ones — with current host and core counts.
  • Document feature usage per domain — NSX Advanced Security, vSAN encryption, vSAN ESA, stretched cluster.
  • Right-size the management domain — often the silent consumer of entitlement that surprises customers at audit.

The bottom line

VCF workload domains are architectural constructs with direct licensing implications. The per-core metering aggregates across the estate, but the feature-tier requirement is driven by what each domain actually runs. Customers who maintain precise domain inventories, document feature usage per domain, and right-size the management domain alongside the VI domains consistently extract better audit outcomes than customers who treat the domain structure as purely operational.
