Last Updated On : 4-Jun-2026
An architect is planning resources for a new cluster that will be part of an existing workload
domain. The new cluster will provide resources for several new workloads, including a
mission-critical application consisting of five resource-intensive virtual machines.
The following requirements were provided for the new cluster:
• The solution must ensure that the new workload cluster meets the company's availability
standard of N+1.
• The solution must minimize the overall investment in hardware.
Which two design recommendations should the architect make to meet the stated
requirements? (Choose two.)
A. Use automated placement rules to keep the mission-critical application virtual machines apart.
B. Use resource pools to prioritize resource for the mission-critical application virtual machines.
C. Use automated placement rules to keep the mission-critical application virtual machines together.
D. Create a cluster with six hosts.
E. Create a cluster with five hosts.
Explanation:
Option D – Create a cluster with six hosts.
N+1 availability means the cluster must tolerate one full host failure while still running all five resource-intensive VMs. With six hosts, one host can fail and the remaining five hosts provide exactly enough capacity. Five hosts cannot meet N+1 because after one failure, only four hosts remain to run five VMs.
Option A – Use automated placement rules to keep the mission-critical application virtual machines apart.
Five resource-intensive VMs should be distributed across different hosts using DRS anti-affinity rules. This prevents any single host from becoming a performance bottleneck. It also protects availability – if one host fails, only one VM is affected instead of multiple VMs.
Why Other Options are Incorrect
Option B – Use resource pools to prioritize resources.
Resource pools manage allocation but do not provide N+1 availability. Prioritization cannot create physical capacity after a host failure.
Option C – Use placement rules to keep VMs together.
Keeping five resource-intensive VMs together creates performance contention and increases risk – one host failure would impact multiple mission-critical VMs simultaneously.
Option E – Create a cluster with five hosts.
Five hosts cannot meet N+1 for five VMs. After one host fails, only four hosts remain to run all five VMs, causing immediate oversubscription.
References
ExamTopics 2V0-13.24 – Verified answers for N+1 cluster sizing
Josh Odgers VCDX – N+1 Availability Design – vSAN cluster sizing requires enough capacity to tolerate largest node failure
An architect has been tasked with designing a new VMware Cloud Foundation (VCF)
solution. The following design decisions were documented after requirements gathering
workshops with the customer:
• Deploy a VCF Fleet into each of the DC1 and DC2 datacenters.
• Deploy two VCF instances (VCF1 and VCF2) into each VCF Fleet.
• Use the existing, supported third-party solution to provide Multifactor Authentication
(MFA) for users accessing the VCF components.
The architect also documented the following information from the workshops:
• The customer wants to minimize the risk of a single operational task performed by an
administrator impacting multiple components.
• The customer wants to avoid single points of failure by using high availability
architectures.
Which two design decisions should the architect include for the authentication approach
based on the information provided? (Choose two.)
A. Use the external VCF Identity Broker model.
B. Deploy a shared VCF Identity Broker for all VCF Instances across all VCF Fleets.
C. Deploy a dedicated VCF Identity Broker for each VCF instance within a VCF Fleet.
D. Deploy a shared VCF Identity Broker for all VCF instances within a VCF Fleet.
E. Use the embedded VCF Identity Broker model.
Explanation:
Option A – Use the external VCF Identity Broker model.
The external (appliance) model deploys a three-node cluster of VCF Identity Broker (VIDB) appliances, with each node running on separate vSphere hosts . This provides built-in high availability, directly meeting the customer's requirement to avoid single points of failure. The embedded model (Option D) is integrated with a single vCenter Server and does not offer the same level of resilience .
Option C – Deploy a dedicated VCF Identity Broker for each VCF instance within a VCF Fleet.
A dedicated VIDB per instance creates the smallest possible login blast radius . An outage or operational task affecting one VIDB only impacts the single VCF instance it serves, not the other instances in the fleet. This directly satisfies the customer's requirement to minimize the risk of an administrator's task impacting multiple components. The dedicated model limits SSO scope to that instance, meaning users re-authenticate when moving across instances, but this trade-off is acceptable given the blast radius requirement .
Why Other Options are Incorrect
Option B – Deploy a shared VCF Identity Broker for all VCF Instances across all VCF Fleets.
This creates the largest possible blast radius . A single operational task or outage affecting the shared VIDB would impact authentication for all instances across both DC1 and DC2 datacenters, violating the requirement to minimize impact scope.
Option D – Use the embedded VCF Identity Broker model.
The embedded model lacks high availability as it is tied to a single vCenter Server . If that vCenter experiences issues, authentication services are disrupted. This fails the customer's requirement to avoid single points of failure.
Option E – Deploy a dedicated VCF Identity Broker for each VCF instance (paired with embedded model).
While dedicated per instance is correct for blast radius, this answer is incomplete because it does not specify the external/appliance model. The external model is required to achieve high availability. Additionally, the embedded model cannot be used with a dedicated VIDB per instance in a way that meets both requirements simultaneously.
References
Broadcom TechDocs – Appliance VCF Identity Broker Model – External 3-node cluster provides HA, recommended for multi-instance environments
Broadcom TechDocs – Single VCF Instance Single Sign-On Model – Dedicated VIDB per instance creates small blast radius
As part of the initial design workshop, one of the customer stakeholders has stated the
following:
• All Virtual Machines must be encrypted.
How would the architect classify this statement?
A. A Risk
B. A Constraint
C. A Requirement
D. An Assumption
Explanation:
In solution architecture documentation, statements are classified into distinct categories based on their nature and binding commitment.
Option C – A Requirement.
A requirement is a documented need or expectation that the solution must satisfy. The statement "All Virtual Machines must be encrypted" directly meets the definition of a requirement because:
It is a mandatory condition imposed by the stakeholder
The solution must implement VM encryption to be acceptable
It is specific, measurable, and actionable
Non-compliance would constitute a failed design
This statement is not open to negotiation or interpretation. The architect must design VM encryption into every workload domain and virtual machine within the VCF environment.
Why Other Options are Incorrect
Option A – A Risk.
A risk is an uncertain event that may negatively impact the project if it occurs. Encryption is a stated mandate, not an uncertainty. For example, "VM encryption may cause performance overhead" would be a risk. The original statement is a firm requirement.
Option B – A Constraint.
A constraint is a fixed limitation or boundary imposed on the solution, such as budget caps, regulatory mandates, or technology restrictions (e.g., "Must use existing hardware" or "Only FIPS 140-3 validated encryption is allowed"). While encryption could be considered a constraint, the statement is expressed as an action or capability expected from the solution ("must be encrypted"), which aligns more closely with a functional requirement. However, in strict classification, a requirement and a constraint can overlap. VMware exam context treats direct "must be" statements from stakeholders as requirements unless they limit design choices to a specific fixed element.
Option D – An Assumption.
An assumption is something believed to be true without proof, such as "The customer will supply encryption keys" or "Hardware supports AES-NI instructions." The statement given is a stated expectation, not an unverified belief.
References
VMware Solution Architecture Framework – Requirements Classification – Differentiates requirements, constraints, risks, and assumptions in design workshops
TOGAF Architecture Content Framework – Requirements are stakeholder needs that the architecture must meet
Which type of storage is used by VKS pods to store non-persistent data?
A. Container image storage
B. vSphere local storage
C. Object storage
D. Ephemeral storage
Explanation:
In VMware vSphere Kubernetes Service (VKS), pods use different storage types for different purposes. Non-persistent data—data that does not need to survive pod restarts or redeployments—is stored in ephemeral storage.
Why ephemeral storage is correct:
Ephemeral storage is tied to the pod's lifecycle. When a pod is created, the container runtime allocates temporary storage for logs, scratch space, cached files, and other transient data. This storage disappears when the pod terminates. By default, VKS nodes include 20 GiB of ephemeral storage available at the root filesystem (/) .
Kubernetes follows the principle that containers are ephemeral by default—when a pod restarts, its local filesystem is removed . Ephemeral storage aligns with this stateless design pattern.
Why other options are incorrect
Option A – Container image storage:
This stores the read-only container images (layers) used to launch pods, not the runtime data generated by running containers. Image storage is separate from pod-local storage.
Option B – vSphere local storage:
This refers to datastores backed by local disks on ESXi hosts. While VKS can use vSphere storage for persistent volumes (stateful data), non-persistent pod data does not use vSAN or VMFS datastores—it uses the node's root disk.
Option C – Object storage:
Object storage (like S3-compatible storage) is used for blobs, backups, or persistent application data accessed via APIs. It is not the default location for a pod's temporary runtime files.
References
Broadcom Knowledge Base – Increase Ephemeral Storage on VKS Node – Documents default 20 GiB ephemeral storage and its behavior
Portworx – Chapter 5: Storage: From vSAN to Container-Native Storage – Explains ephemeral storage lifecycle and persistent vs. non-persistent data in Kubernetes
An architect responsible for creating the automation design for a VMware Cloud
Foundation (VCF) Private Cloud is reviewing the notes from a customer design workshop.
The customer has provided the following information:
• The customer's existing fleet management instance will be upgraded to maintain the
existing process for virtual machine deployments.
• The customer would like to limit the total active resource consumption per VCF
Automation user.
• The customer would like to ensure requests meet company requirements prior to
deployment for certain users.
A combination of which two VCF Automation policies should the architect recommend to
meet the customer's stated requirements? (Choose two.)
A. IaaS Policy
B. Approval Policy
C. Resource Quota Policy
D. Deployment Limit Policy
E. Lease Policy
Explanation:
Option B – Approval Policy
Approval policies ensure that requests meet company requirements prior to deployment for certain users. When a user submits a deployment request, an approval policy can require one or more designated approvers to review and approve the request before any resources are provisioned. This directly addresses the requirement for pre-deployment compliance checking. Approval policies can be configured to trigger only for specific users, groups, or projects.
Option C – Resource Quota Policy
Resource quota policies limit the total active resource consumption per VCF Automation user. A quota policy defines maximum limits for CPU, memory, storage, and instance counts that a user or project can consume across all active deployments. Once the quota is reached, the user cannot request additional resources until existing deployments are deleted or the quota is increased. This directly meets the requirement to limit consumption per user.
The requirement to "maintain existing process for virtual machine deployments" is addressed by upgrading the existing fleet management instance, not by a specific policy type.
Why Other Options are Incorrect
Option A – IaaS Policy
IaaS policies enforce technical constraints at the infrastructure layer, such as requiring specific storage classes or VM classes. While they can validate certain aspects of a deployment, they do not provide approval workflows or per-user consumption limits. IaaS policies are more about technical compliance than governance approval.
Option D – Deployment Limit Policy
Deployment limit policies restrict resource usage on deployments created from specific cloud templates. They are template-scoped and do not provide per-user consumption limits across all deployments, nor do they provide pre-deployment approval workflows.
Option E – Lease Policy
Lease policies define how long a deployment can exist before automatic expiration and deletion. They manage time-based resource reclamation but do not limit total active consumption per user nor provide pre-deployment approvals.
References
Broadcom TechDocs – Approval Policies in VCF Automation – Pre-deployment approval workflows for compliance checking
Broadcom TechDocs – Resource Quota Policies – Per-user and per-project limits on CPU, memory, storage, and instances
An architect is responsible for designing a VMware Cloud Foundation (VCF)-based private
cloud. During the design requirements gathering workshop, the following information was
captured:
• The solution must capture events from all infrastructure components of the VCF fleet.
• The solution must provide a single pane of glass management interface for
troubleshooting, alerting, and monitoring using metrics, events, and flows.
• The solution must meet a 99.9% Service Level Agreement for Availability.
Which three design decisions should the architect make to meet the stated requirements?
(Choose three.)
A. Configure VCF Operations for logs to capture events from only VCF Management components.
B. Configure the integration for VCF Operations and VCF Automation.
C. Deploy VCF Operations for logs in a Simple model.
D. Configure the integration for VCF Operations and VCF Operations for logs.
E. Configure VCF Operations for logs to capture events from all VCF infrastructure components.
F. Deploy VCF Operations for logs in a High Availability model.
Explanation:
Option F – Deploy VCF Operations for logs in a High Availability model.
This meets the 99.9% availability requirement. The HA model is a three-node cluster behind an internal load balancer, providing application-level resilience plus vSphere HA and DRS protection . A Simple (single-node) model would create a single point of failure, violating the availability SLA.
Option D – Configure the integration for VCF Operations and VCF Operations for logs.
This meets the single pane of glass requirement. VCF Operations centrally manages log collection across all VCF components, and integration with VCF Operations for logs is required to enable diagnostic findings, centralized log analysis, and unified troubleshooting . Without this integration, logs and metrics remain in separate silos.
Option B – Configure the integration for VCF Operations and VCF Automation.
This provides visibility into VCF Automation components. The VCF Operations for logs collects logs from VCF Automation for VM Apps Organization using the CASAdapter, which is required to generate diagnostic findings for automation-related issues . This ensures complete coverage across all infrastructure components.
Why Other Options are Incorrect
Option A
– Configure VCF Operations for logs to capture events from only VCF Management components. This violates the requirement to capture events from all infrastructure components of the VCF fleet. The solution must include VI workload domains, NSX, vSAN, and other components, not just management .
Option C
– Deploy VCF Operations for logs in a Simple model. A simple (single-node) deployment lacks high availability. If the single node fails, log collection stops entirely, failing the 99.9% availability SLA .
Option E
– Configure VCF Operations for logs to capture events from all VCF infrastructure components. While this statement is technically correct for log collection scope, it is not a separate design decision that needs to be made. This capability is automatically enabled when you deploy the HA model (Option F) and configure the integration (Option D). The exam asks for three distinct decisions the architect should make.
References
Broadcom TechDocs – High Availability VCF Operations for Logs Model – Three-node cluster with load balancer provides HA
Broadcom TechDocs – Centralized Log Collection Architecture – Integration between VCF Operations and VCF Operations for logs
Constraint: Existing stretched cluster model must be used.
Requirement: Minimize management infrastructure downtime.
Which Supervisor deployment model supports the design?
A. Three Management Zone Supervisor deployment with HA control plane
B. Single Management Zone Supervisor deployment with HA control plane
C. Three Management Zone deployment with Simple Availability control plane
D. Single Management Zone Supervisor deployment with Simple Availability control plane
Explanation:
Why Option B is Correct
The customer has two requirements:
Existing stretched cluster model must be used (vSAN stretched cluster across two sites)
Minimize management infrastructure downtime
The Single Management Zone Supervisor deployment with HA control plane supports this design for the following reasons:
In a stretched cluster configuration, vCenter Server and the Supervisor control plane VMs are deployed on the stretched cluster itself. The Single Management Zone model means all control plane VMs reside in a single availability zone (typically the preferred site), while the HA control plane ensures that control plane VMs are distributed across multiple hosts within that zone. This provides high availability against host failures while remaining compatible with the stretched cluster constraint.
Why Other Options are Incorrect
Option A – Three Management Zone Supervisor deployment with HA control plane
While this provides excellent availability, it is unnecessary and adds complexity. The Three Management Zone model is designed for environments requiring maximum fault tolerance across three failure domains. The customer's existing stretched cluster has only two sites (zones), not three. Deploying a three-zone Supervisor on a two-site stretched cluster is not supported or practical.
Option C – Three Management Zone deployment with Simple Availability control plane
This option fails both requirements: the three-zone model is incompatible with a two-site stretched cluster, and the Simple (non-HA) control plane does not minimize downtime.
Option D – Single Management Zone deployment with Simple Availability control plane
While the Single Management Zone model is compatible with stretched clusters, the Simple Availability control plane provides no high availability. A single control plane VM failure would disrupt management operations, violating the requirement to minimize downtime.
References
Broadcom TechDocs – Supervisor Deployment Models – Single Management Zone with HA control plane is supported on stretched clusters
VCF 9.0 Stretched Cluster Design Guide – Control plane placement and HA requirements for minimizing downtime
An architect is designing a VMware Cloud Foundation (VCF) deployment to meet the
following design requirements:
• Tenants need dedicated external network access.
• The number of NSX Edge clusters should be minimized.
To fulfill these requirements, the architect made a design decision to use a Workload
Networking VPC with Full Services Model.
Which additional design decision should be considered as part of the logical network
design?
A. Deploy the maximum number of 10 NSX Edges into a single Edge cluster.
B. Install two NSX bare metal Edges with multiple physical interfaces to separate tenants.
C. Use Virtual Routing and Forwarding (VRF) lite to create a separate VRF TO Gateway for each tenant.
D. Use NSX Federation providing a dedicated NSX instance for each tenant.
Explanation:
Why Option C is Correct
The customer requires dedicated external network access for each tenant while minimizing the number of NSX Edge clusters. The Full Services VPC model normally requires Edge nodes for routing. VRF Lite solves this conflict by providing routing isolation within a single Edge cluster. Each tenant receives a logically separate routing table and gateway that shares the same parent Tier-0 Gateway and Edge nodes. This gives tenants dedicated external access without deploying additional Edge clusters.
Why Other Options are Incorrect
Option A – Deploy maximum 10 NSX Edges into a single Edge cluster.
Adding more Edge nodes does not provide tenant-dedicated external access. The Full Services Model requires only two Edge nodes (Active/Standby). Maximum deployment adds unnecessary hardware without enabling tenant isolation.
Option B – Install two NSX bare metal Edges with multiple physical interfaces.
Physical interface separation does not create logical routing isolation. Two Edge nodes cannot provide dedicated external access for multiple tenants simultaneously, and this approach does not scale.
Option D – Use NSX Federation with dedicated NSX instance per tenant.
This violates minimizing Edge clusters. Deploying separate NSX instances per tenant dramatically increases infrastructure footprint and operational complexity, the opposite of what the customer requires.
References
Broadcom TechDocs – VPC with Full Services Workload Networking Model – VRFs provide dedicated external access without dedicated Edge nodes
Digital Thought Disruption– VCF 9 NSX Deep Dive – Native VRF-Lite support for tenant isolation
| Page 2 out of 12 Pages |
| 1234 |
| 2V0-13.25 Practice Test Home |