FQDNs and IP addresses
Before getting into the design logic, the useful planning question is simple: for each component, how many FQDNs and IP addresses does the worksheet expect?
| Component | FQDNs & IPs | IP scheme |
|---|---|---|
| vCenter | 1 FQDN Create A and PTR records for the vCenter FQDN. |
IPv4 |
| Cloud Proxy | 1 FQDN Used when VCF Operations collectors/cloud proxy components are deployed. |
IPv4 |
| NSX Manager | 4 FQDNs 1 FQDN for the NSX Manager cluster VIP and 3 FQDNs for NSX Manager appliances in HA mode. |
IPv4 |
| SDDC Manager / VCF Installer | 1 FQDN The workbook notes this might not be required if the VCF Installer is deployed on a host used for the deployment. When listed, create A and PTR records. |
IPv4 |
| VCF Operations | 3 FQDNs 1 primary node, 1 replica node, and 1 data node. The workbook also lists an optional load balancer FQDN for HA. |
IPv4 |
| VCF management services | 4 FQDNs and an IP range 1 Fleet components FQDN, 1 Instance components FQDN, 1 VCF services runtime FQDN, and 1 Identity Broker FQDN. Reserve a VCF Management Services IP range: 12 IPs minimum, 30 recommended for growth and auto-scaling. |
IPv4 |
| License Server | 1 FQDN Listed separately in the VCF management-services section of the 9.1 workbook. Create A and PTR records for the License Server FQDN. |
IPv4 |
| VCF Automation | 2 FQDNs and an IP range 1 VCF Automation FQDN and 1 VCF services runtime FQDN. The workbook also calls for a VCF Automation IP range: 4 active node addresses plus 1 rolling-upgrade address. |
IPv4 |
| vSAN | IP range, minimum 4 IP addresses Based on the minimum number of hosts. Plan additional IPs as hosts are added. No per-address DNS unless an FQDN is listed elsewhere. |
IPv4 |
| vMotion | IP range, minimum 4 IP addresses Based on the minimum number of hosts. Plan additional IPs as hosts are added. No per-address DNS unless an FQDN is listed elsewhere. |
IPv4 |
| ESXi hosts | 1 FQDN per host Each host management FQDN needs A and PTR records. The workbook includes rows for up to 16 hosts in the management-domain section. |
IPv4 |
The planning trap
"How many IPs does VCF need?" sounds simple, but it breaks down almost immediately. A small management domain without Edges, Automation, Logs, or Kubernetes is a very different planning exercise from a full VCF fleet with HA services, workload domains, NSX Edge clusters, and VKS.
The better question is:
Which VCF layers am I enabling, and which of those layers create management endpoints that need IP addresses, FQDNs, and DNS records?
The other mistake is treating every VCF 9.1 item like an appliance with one IP and one DNS name. The workbook does not model it that way. It has named endpoints that need DNS, and it also has address ranges that are consumed by the services runtime.
How to read the matrix
The workbook gives a clear DNS rule: create PTR and A records for all FQDNs listed in the Management Domain Creation, Workload Domain Creation, and Cluster Creation sections. If the workbook lists only an IP range, treat it as reserved address capacity, not as a per-address DNS requirement.
That distinction matters most in VCF 9.1. Management Services is a services layer above the base SDDC appliances. It has named endpoints, and it also has an IP range for the VCF services runtime. Components such as Software Depot, lifecycle management, Identity Broker, SALT, Real-time Data, and Log Management are enabled or sized within that services/runtime model instead of always appearing as one appliance, one IP, and one DNS name.
VCF 9.0 internal IP and DNS requirements
VCF 9.0 introduced the fleet model and a more integrated operations experience. From an IP/DNS perspective, I would plan it in these layers.
| Layer | Component | How many IPs | What needs DNS | Required when |
|---|---|---|---|---|
| Base management domain | ESXi management vmk | N, one management IP per host |
N host FQDNs with forward and reverse DNS |
Always |
| Base management domain | VCF Installer appliance | 1 |
1 appliance FQDN; forward/reverse DNS strongly recommended |
Initial deployment / bring-up |
| Base management domain | Management vCenter | 1 |
1 vCenter FQDN with forward and reverse DNS |
Always |
| Base management domain | SDDC Manager / VCF Operations Fleet Management | 1 primary management endpoint, plus any appliance-specific service IPs |
Primary endpoint FQDN and any appliance/service FQDNs; forward/reverse DNS | Always for VCF-managed lifecycle/fleet operations |
| Base management domain | NSX Manager | 1 for single-node, or 4 for clustered: three nodes plus VIP |
Single-node: one FQDN. Clustered: three node FQDNs plus VIP FQDN, all forward/reverse DNS | Always when NSX is part of the domain |
| Host infrastructure | vMotion vmk | N, one IP per host |
No normal FQDN requirement | Always in most VCF designs |
| Host infrastructure | vSAN vmk | N, one IP per host |
No normal FQDN requirement | When vSAN is used |
| Host infrastructure | Host TEPs | N x T, where T is TEPs per host |
No normal FQDN requirement | When NSX overlay networking is used |
| Cloud services | VCF Operations | 1 for simple, or node IPs plus endpoint/VIP for HA |
Endpoint FQDN; HA also needs node FQDNs. Use forward/reverse DNS | When deployed as part of the fleet |
| Cloud services | VCF Operations Collector | C, one IP per collector |
C collector FQDNs; forward/reverse DNS recommended |
When using remote or dedicated collectors |
| Cloud services | VCF Automation | 1 for simple, or node IPs plus endpoint/VIP for clustered deployment |
Endpoint FQDN; clustered deployment also needs node FQDNs. Use forward/reverse DNS | When VCFA is deployed |
| Cloud services | VCF Operations for Logs | Node IPs, plus endpoint/VIP IP if clustered or load-balanced | Log endpoint FQDN and node FQDNs; forward/reverse DNS | When logs are deployed |
| Network services | NSX Edge management | E, one management IP per Edge node |
E Edge management FQDNs; forward/reverse DNS recommended |
When Edges are deployed |
| Network services | NSX Edge TEPs and uplinks | E x T Edge TEP IPs plus E x U uplink IPs |
No normal FQDN requirement | When Edges provide north-south or routed services |
| Kubernetes | Supervisor / VKS | Control plane IPs plus 1 API endpoint, ingress pool, and egress pool |
API endpoint FQDN required; ingress DNS or wildcard usually required | When Kubernetes is enabled |
| Expansion | VI workload domains | Repeat the formulas for hosts, vCenter, NSX, Edges, and Kubernetes | Repeat appliance/service FQDN and forward/reverse DNS requirements | For each workload domain |
VCF 9.1 internal IP and DNS requirements
VCF 9.1 keeps the same basic infrastructure shape, but the planning worksheet gets more service-oriented. The major difference is not that vCenter or NSX suddenly disappear. The difference is that VCF management services, licensing, depot, and activation workflows become more visible as platform services that also need to be planned.
| Layer | Component | How many IPs | What needs DNS | Required when |
|---|---|---|---|---|
| Base management domain | ESXi management vmk | N, one management IP per host |
N host FQDNs with forward and reverse DNS |
Always |
| Base management domain | VCF Installer appliance | 1 |
1 appliance FQDN; forward/reverse DNS strongly recommended |
Initial deployment / bring-up |
| Base management domain | Management vCenter | 1 |
1 vCenter FQDN with forward and reverse DNS |
Always |
| Base management domain | SDDC Manager / VCF Operations Fleet Management | 1 primary management endpoint, plus any appliance-specific service IPs |
Primary endpoint FQDN and any appliance/service FQDNs; forward/reverse DNS | Always for VCF-managed lifecycle/fleet operations |
| Base management domain | NSX Manager | 1 for single-node, or 4 for clustered: three nodes plus VIP |
Single-node: one FQDN. Clustered: three node FQDNs plus VIP FQDN, all forward/reverse DNS | Always when NSX is part of the domain |
| Management services | VCF management services / services runtime | 4 named endpoints plus a Management Services IP range of minimum 12 IPs, or 30 for growth and auto-scaling |
A and PTR records for the four named endpoints: Fleet components, Instance component, Identity Broker, and VCF services runtime. The range itself is not a list of per-address DNS records. | When using the 9.1 management services model |
| Management services | VCF License Server | 1 named endpoint IP |
1 license service FQDN with A and PTR records |
VCF 9.1 licensing model |
| Management services | Fleet Depot Service | Represented in the services/runtime model rather than just a one-off installer setting | Use DNS for whatever named depot/fleet endpoint the deployment exposes | When using 9.1 depot/fleet depot workflows |
| Host infrastructure | vMotion vmk | N, one IP per host |
No normal FQDN requirement | Always in most VCF designs |
| Host infrastructure | vSAN vmk | N, one IP per host |
No normal FQDN requirement | When vSAN is used |
| Host infrastructure | Host TEPs | N x T, where T is TEPs per host |
No normal FQDN requirement | When NSX overlay networking is used |
| Cloud services | VCF Operations | 1 for simple, or node IPs plus endpoint/VIP for HA |
Endpoint FQDN; HA also needs node FQDNs. Use forward/reverse DNS | When VCFO is deployed |
| Cloud services | VCF Operations Collector | C, one IP per collector |
C collector FQDNs; forward/reverse DNS recommended |
When using remote or dedicated collectors |
| Cloud services | VCF Automation | Named VCFA endpoint(s) plus the VCF Automation IP range; workbook note says 4 active node addresses and 1 rolling-upgrade address |
A and PTR records for named VCFA endpoint(s); the automation range is not listed as per-node DNS records | When VCFA is deployed |
| Cloud services | VCF Operations for Logs | Node IPs, plus endpoint/VIP IP if clustered or load-balanced | Log endpoint FQDN and node FQDNs; forward/reverse DNS | When logs are deployed |
| Network services | NSX Edge management | E, one management IP per Edge node |
E Edge management FQDNs; forward/reverse DNS recommended |
When Edges are deployed |
| Network services | NSX Edge TEPs and uplinks | E x T Edge TEP IPs plus E x U uplink IPs |
No normal FQDN requirement | When Edges provide north-south or routed services |
| Kubernetes | Supervisor / VKS | Control plane IPs plus 1 API endpoint, ingress pool, and egress pool |
API endpoint FQDN required; ingress DNS or wildcard usually required | When Kubernetes is enabled |
| Expansion | VI workload domains | Repeat the formulas for hosts, vCenter, NSX, Edges, and Kubernetes | Repeat appliance/service FQDN and forward/reverse DNS requirements | For each workload domain |
What changed from 9.0 to 9.1
The clean way to compare 9.0 and 9.1 is not to pretend every component changed. Most of the core infrastructure planning remains familiar: hosts need management IPs, vCenter needs DNS, NSX needs management endpoints, and workload domains repeat the pattern.
The difference is that VCF 9.1 gives more weight to services that sit above the core SDDC layer.
| Area | VCF 9.0 planning view | VCF 9.1 planning view | Why it matters |
|---|---|---|---|
| Repository / depot | Installer/depot configuration is a setup task | Fleet Depot Service and activation workflows become more visible | Plan depot as a platform service, not only an installer field |
| Licensing | License handling is less visible in the IP worksheet | VCF License Server becomes a planning item | New service endpoint needs IP/FQDN/DNS consideration |
| Management services | More appliance-oriented mental model | Named endpoints plus a VCF Management Services IP range | Runbooks need to reserve both DNS-backed endpoints and non-DNS service-runtime address pools |
| VCF Operations | Fleet management and operations are central to 9.0 | Still central, with more 9.1 platform-service integration | VCFO endpoint planning remains important |
| VCF Automation | Optional but common cloud-service layer | Optional, but more tightly aligned to services model | DNS/IP requirements depend on whether it is deployed day one or later |
| Base SDDC | Hosts, vCenter, NSX, SDDC Manager/fleet management | Same base pattern | The core does not go away; the service layer expands |
The decision tree
I would build the worksheet in this order before starting a deployment.
Start with the management domain
Add ESXi management IPs and DNS
Add VCF Installer IP/FQDN
Add management vCenter IP/FQDN
Add SDDC Manager / fleet management endpoint
Add NSX Manager node IPs and VIP/FQDN
Then ask:
HA for this service?
Add node IPs/FQDNs and VIP/FQDN
NSX Edge required?
Add Edge management IPs/FQDNs
Add Edge TEP pool
Add Edge uplink IPs
VCF Operations required?
Add VCFO endpoint, node IPs, collector IPs as needed
VCF Automation required?
Add VCFA endpoint and node/service IPs as needed
Logs required?
Add log endpoint and node IPs as needed
VCF 9.1 services required?
Add the 4 named Management Services endpoints
Add the separate License Server FQDN
Reserve VCF Management Services IP Range: 12 minimum, 30 for growth
Add VCF Automation endpoint/range if VCFA is deployed
VKS/Supervisor required?
Add supervisor control plane IPs
Add Kubernetes API endpoint/FQDN
Add ingress and egress pools
Add wildcard/application DNS as needed
Workload domain required?
Repeat host, vCenter, NSX, Edge, and Kubernetes decisionsThe worksheet columns I would use
The final output should not just be a list of names. It should be a table that an engineer can hand to DNS, network, security, and the deployment team.
| Column | Why it matters |
|---|---|
| Component | vCenter, NSX Manager, VCFO, VCFA, Edge node, supervisor, and so on |
| Version scope | VCF 9.0, VCF 9.1, or both |
| Required when | Always, HA only, Edge only, Kubernetes only, optional service, workload domain |
| FQDN | The name used in deployment, certificates, operations, and runbooks |
| IP address | The actual reserved address |
| Forward DNS | FQDN resolves to the planned IP |
| Reverse DNS | IP resolves back to the expected FQDN |
| Network / VLAN / segment | Management, vMotion, vSAN, TEP, Edge uplink, ingress, or service network |
| Certificate name | Confirms the DNS name matches the endpoint users and services will hit |
| Timing | Needed before bring-up, before service deployment, or later during expansion |
The lesson
VCF 9.0 and 9.1 are close enough that it is tempting to reuse the same IP spreadsheet. That is mostly fine for the base SDDC layer, but it is not enough for the full platform.
The 9.1 planning shift is that more of the platform shows up as services: licensing, depot, management services, activation, and fleet-level operations. Those services need the same boring but critical planning as every other infrastructure endpoint: IPs, FQDNs, A records, PTR records, certificates, and clear ownership. The important wrinkle is that the VCF Management Services range is not one DNS record per address. It is a service-runtime pool, and the workbook explicitly tells you to reserve at least 12 IPs, or 30 if you want room for more components and auto-scaling.
References
- VMware Cloud Foundation 9.1 Planning and Preparation Workbook
- Operations in VMware Cloud Foundation 9.0
- Scale, Simplify, and Secure Your Private Cloud Operations with VCF 9.1
- VCF 9.1 Licensing: Programmatic, Centralized, and Built to Scale
- VMware Cloud Foundation 9.1 FAQ