TL;DR
A complete, beginner-friendly VMware Cloud Foundation 9 lab workbook you can run like a live class. It is organized as task tables grouped into phases — from environment prep and baseline snapshots, through management-domain bring-up, a workload domain, NSX, vSAN, certificates, operations, upgrade, backup and a clean teardown. Each task lists an objective and a success-validation check — not click-by-click steps — so students learn to verify their own work the way they will have to on the job.
Who this is for
Beginners learning VCF 9 in a guided lab, and instructors who need a ready-to-assign task list. It assumes a small nested or physical lab pod (a handful of ESX hosts, supporting DNS/NTP/AD services and a depot). No prior VCF experience is required; familiarity with vSphere helps.
The fastest way to learn VMware Cloud Foundation is to build it, break it, and recover it — in that order. This workbook is written the way I run an instructor-led lab: students get an objective and a clear definition of done, then they work out the how. That mirrors real delivery work, where nobody hands you a script and the only thing that matters is whether the platform is healthy and provable.
Two disciplines run through every phase. First, snapshot before anything risky and treat snapshots as your undo button. Second, validate every task — if you cannot show it is working, it is not done. The tables below build those habits in.
How to use this workbook
- Work the phases in order; each one assumes the previous one passed its validation.
- At every Checkpoint, take a named snapshot of all appliances before continuing.
- A task is complete only when its Success validation column is satisfied — capture a screenshot as evidence.
- Level: Foundational = guided basics, Core = standard delivery skill, Stretch = optional challenge.
- Times are rough lab estimates; real-world durations vary with hardware and depot speed.
Before you start: lab prerequisites
Confirm these are in place before Phase 0. A missing prerequisite is the single most common reason a beginner lab stalls on day one.
| Prerequisite | Why it matters | Ready? |
|---|---|---|
| ESX hosts with adequate CPU/RAM/disk | Must run the management domain plus a workload domain | ☐ |
| vSAN-eligible storage devices | vSAN ESA needs supported devices and free capacity | ☐ |
| DNS with forward and reverse records | Bring-up fails without resolvable FQDNs both ways | ☐ |
| NTP from a common source | Time skew silently breaks certificates and services | ☐ |
| VLANs with jumbo frames (MTU 9000) | Management, vMotion, vSAN, TEP and uplink traffic depend on it | ☐ |
| Active Directory / Microsoft CA | Needed for SSO logins and CA-signed certificates | ☐ |
| Software depot and bundles | The installer and lifecycle manager need the binaries | ☐ |
| Snapshot capability on every VM | Your undo button for every drill in this workbook | ☐ |
Your lab pod at a glance
Before the first task, get oriented. The map below shows the components you will stand up and how they relate. Keep it next to you — most troubleshooting starts with knowing which box you are actually looking at.
The lab journey
Twelve phases take a student from an empty pod to a working, secured, monitored fleet — and back to a clean slate for the next class. The red markers are mandatory snapshot checkpoints.
Snapshot and rollback strategy
Snapshots are the single most important habit a VCF beginner can build. In a lab they turn a catastrophic mistake into a five-minute recovery; in production the same instinct becomes proper backups and change control. The strategy is simple: name a snapshot before each risky operation, and know exactly which one you would roll back to.
Phase 0 — Environment prep & baseline snapshots
Get the foundations right before touching VCF. Most failed bring-ups trace back to DNS, time, or networking that was never validated.
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| 0.1 | Confirm access to your lab pod and inventory the ESX hosts | You can reach every host management IP and record CPU/RAM/disk | 20m | Foundational |
| 0.2 | Create and verify all forward and reverse DNS records and NTP | Forward and reverse lookups resolve for every planned FQDN; hosts agree on time | 30m | Foundational |
| 0.3 | Validate the network: VLANs, gateways and jumbo frames (MTU 9000) | Ping across each VLAN succeeds and large-packet (no-fragment) test passes | 30m | Core |
| 0.4 | Checkpoint: take the snapshot clean-base on every appliance/host VM | A clean-base snapshot exists on each VM and is named consistently | 10m | Foundational |
Phase 1 — Planning & readiness
Plan before you build. Ten honest minutes in the workbook saves an hour of failed bring-up.
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| 1.1 | Complete the sizing / bill-of-materials worksheet for the lab | Planned resources meet VCF 9 minimums with headroom recorded | 30m | Core |
| 1.2 | Fill the deployment parameter workbook (IPs, VLANs, FQDNs, passwords) | Every field populated; no duplicate IPs or names | 40m | Core |
| 1.3 | Pre-stage the install media and depot bundles | VCF Installer image and required bundles are present and checksummed | 20m | Foundational |
Phase 2 — Management domain bring-up
Note
This is the phase where beginners feel the magic — a single workflow deploys vCenter, SDDC Manager, NSX and VCF Operations together. Make them snapshot first (Task 2.1). When a bring-up fails midway, a rollback to pre-bringup plus a corrected workbook is far faster than chasing a half-built domain.
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| 2.1 | Checkpoint: snapshot all appliances as pre-bringup | Named snapshot present on every host/appliance | 10m | Foundational |
| 2.2 | Deploy the VCF Installer appliance | Installer UI is reachable and healthy | 30m | Core |
| 2.3 | Load the workbook and run configuration validation | All pre-checks pass with no red items | 30m | Core |
| 2.4 | Run the management-domain bring-up | Workflow completes; vCenter, SDDC Manager, NSX and VCF Operations all healthy | 90m+ | Core |
| 2.5 | Log in to the VCF Operations console and locate Fleet Management | Fleet dashboard loads and shows the new instance as healthy | 15m | Foundational |
Phase 3 — First VI workload domain
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| 3.1 | Commission the additional ESX hosts for the workload domain | Hosts appear in inventory as available/unassigned and pass validation | 30m | Core |
| 3.2 | Checkpoint: snapshot as pre-WLD | Named snapshot present | 10m | Foundational |
| 3.3 | Create a VI workload domain backed by vSAN ESA | Domain shows Active with its own vCenter and NSX | 60m | Core |
| 3.4 | Deploy a test VM into the workload domain | VM powers on, gets an IP, and is reachable | 20m | Foundational |
Phase 4 — Networking with NSX
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| 4.1 | Deploy an NSX Edge cluster | Edges deployed and the cluster is healthy | 40m | Core |
| 4.2 | Create a Tier-0 gateway and establish north-south connectivity | Uplink/peering is up; external networks reachable | 40m | Stretch |
| 4.3 | Create a Tier-1 gateway and an overlay segment; attach the test VM | VM on the segment reaches its gateway and beyond | 30m | Core |
| 4.4 | Apply a distributed firewall rule between two VMs | Blocked traffic is denied and allowed traffic passes, as designed | 30m | Stretch |
Phase 5 — Storage with vSAN ESA
Storage is where resilience is proven, not assumed. The host-failure drill is the whole point of this phase.
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| 5.1 | Review vSAN ESA cluster health and capacity | Skyline/health checks are green; capacity understood | 20m | Foundational |
| 5.2 | Create a storage policy (e.g. FTT=1) and assign it to the test VM | VM reports compliant with the new policy | 20m | Core |
| 5.3 | Drill (snapshot first): put a host in maintenance mode to simulate failure | Objects resync and remain accessible; no data loss observed | 30m | Stretch |
Phase 6 — Certificates & identity
Note
Pair this phase with the deep-dive in Generating Certificates End to End in VCF 9. Students do the tasks here; the article explains the why behind each one.
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| 6.1 | View the fleet certificate inventory and expiry alerts | You can list each component cert and its expiry date | 15m | Foundational |
| 6.2 | Configure a Certificate Authority (Microsoft CA or OpenSSL) | CA saves successfully and is selectable | 30m | Core |
| 6.3 | Generate a CSR and replace a component certificate | Browser trusts the endpoint with no warning | 30m | Core |
| 6.4 | Enable automatic certificate renewal | Auto-renew toggle shows enabled for the component | 10m | Foundational |
| 6.5 | Connect an identity source and test SSO login | An AD/LDAP user logs in with the expected role | 25m | Core |
Phase 7 — Operations & monitoring
If you cannot see it, you cannot run it. Get comfortable living inside VCF Operations.
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| 7.1 | Explore VCF Operations dashboards for the fleet | Live metrics are flowing for hosts, domains and services | 20m | Foundational |
| 7.2 | Create an alert/notification and trigger it | The alert fires and is delivered to the configured target | 20m | Core |
| 7.3 | Review capacity and cost / reclaimable-resource views | You can identify reclaimable capacity and explain it | 20m | Core |
Phase 8 — Lifecycle management & upgrade
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| 8.1 | Review current vs target versions in the fleet | Version inventory is accurate and a target is chosen | 15m | Foundational |
| 8.2 | Checkpoint: snapshot as pre-upgrade and confirm a backup exists | Named snapshot present and a successful backup is on record | 15m | Core |
| 8.3 | Run upgrade prechecks | Prechecks pass with all blockers resolved | 30m | Core |
| 8.4 | Apply an upgrade/patch bundle to a component | Component reports the new version and stays healthy | 60m+ | Stretch |
Phase 9 — Backup, restore & DR
A backup you have never restored is a wish. Prove it in the lab.
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| 9.1 | Configure scheduled backups for SDDC Manager and VCF Operations | A backup job runs and reports success to the target | 30m | Core |
| 9.2 | Validate a backup (integrity / test restore in the lab) | Restore test completes and data is verified intact | 40m | Stretch |
Day-2 operations runbook
Deployment is day one; everything after go-live is day two. These recurring tasks keep a VCF 9 fleet healthy, secure and current. Unlike the build phases, day-2 work is a rhythm — assign it on a cadence and hold the same validation discipline.
Note
Day-2 is a rhythm, not a phase. Automate the daily checks where you can and reserve human time for capacity, security and change. The same dashboards you used to build the fleet are the ones that keep it healthy.
Daily
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| D.1 | Review the fleet health dashboard | All domains and hosts green; any alert triaged | 10m | Foundational |
| D.2 | Check active and failed tasks and workflows | No stuck or failed workflows outstanding | 10m | Foundational |
| D.3 | Review certificate and password expiry alerts | Nothing inside the warning window left unhandled | 5m | Foundational |
| D.4 | Confirm the latest backup succeeded | Most recent backup job reports success | 5m | Foundational |
Weekly
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| D.5 | Review capacity and reclaimable resources | Trend understood; reclaim candidates flagged | 20m | Core |
| D.6 | Check vSAN health and resync status | Health green; no lingering resync activity | 15m | Core |
| D.7 | Review NSX gateway, tunnel and firewall logs | No unexpected drops or down tunnels | 20m | Core |
| D.8 | Check the depot for new patches and bundles | Available updates identified and assessed | 15m | Core |
Monthly & periodic
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| D.9 | Rotate or retrieve managed account passwords | Accounts rotated per policy; vault updated | 30m | Core |
| D.10 | Verify certificate auto-renewal and expiries | Auto-renew on; nothing expiring unmanaged | 20m | Core |
| D.11 | Run a restore test from a recent backup | Restore completes and data verified intact | 40m | Stretch |
| D.12 | Review users, roles and access (RBAC / SSO) | Access matches least-privilege policy | 30m | Core |
| D.13 | Apply pending patches in a maintenance window | Components updated; fleet healthy afterward | 60m+ | Stretch |
As needed: scaling, change & advanced
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| D.14 | Commission and add a host to a cluster | Host added; cluster healthy and balanced | 30m | Core |
| D.15 | Expand or add a workload domain | New or expanded domain shows Active | 60m | Core |
| D.16 | Scale management / Operations nodes out | Scale-out completes; services stay healthy | 45m | Stretch |
| D.17 | Operate a vSphere Supervisor namespace (optional) | Namespace ready; a test workload deploys | 45m | Stretch |
| D.18 | Publish a self-service item via VCF Automation (optional) | A catalog item deploys end to end | 45m | Stretch |
Phase 10 — Troubleshooting drills
Watch out
These drills intentionally break things. Snapshot before every one, and assign each student a different fault so they cannot copy each other. The skill being graded is diagnosis from logs and tasks — not guessing.
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| 10.1 | Inject a fault (e.g. wrong DNS or a stopped service) after snapshotting | Symptom is reproduced and clearly described | 15m | Core |
| 10.2 | Diagnose using tasks, logs and health checks | Root cause is identified with supporting evidence | 30m | Stretch |
| 10.3 | Recover — fix forward, or roll back to the last good snapshot | Service restored and validated healthy again | 20m | Core |
Phase 11 — Teardown & reset
Leave the pod exactly as you found it so the next student starts clean.
| # | Task & objective | Success validation | Time | Level |
|---|---|---|---|---|
| 11.1 | Decommission the VI workload domain cleanly | Domain removed; hosts released; no orphaned objects | 30m | Core |
| 11.2 | Revert all appliances to the clean-base snapshot | Pod matches its pre-lab state and is ready for the next student | 20m | Foundational |
Common beginner mistakes
- Skipping snapshots because nothing has gone wrong yet — until it does.
- Forgetting reverse DNS records; forward-only resolution passes a quick test but fails bring-up.
- Mis-casing the Microsoft CA template name — it is case-sensitive.
- Leaving MTU at 1500 on TEP/vSAN networks and chasing phantom performance issues.
- Marking a task done without capturing validation evidence.
Competency sign-off
Use this rubric to confirm a student is job-ready on the fundamentals before they leave the lab. Each competency must be demonstrated and validated, not just attempted.
| Competency | Demonstrated by | Signed off |
|---|---|---|
| Deployment | Management domain + a workload domain, both Active | ☐ |
| Networking | T0/T1, an overlay segment and a working firewall rule | ☐ |
| Storage | A vSAN policy applied and a survived host-failure drill | ☐ |
| Security | CA-signed certificate installed and SSO login working | ☐ |
| Operations | Dashboards read, an alert created, capacity explained | ☐ |
| Lifecycle | Prechecks passed and a component upgraded | ☐ |
| Resilience | Backup taken, restore validated, snapshot rollback performed | ☐ |
Run the phases in order, snapshot at every checkpoint, and insist on validation evidence for each task, and a beginner finishes this workbook able to deploy, secure, operate and recover a VCF 9 fleet with confidence. For the conceptual background behind each phase, point students to the VCF 9 Complete Guide.
About The Author
