
VCF Pre-Deployment Checklist

Every VCF deployment failure that isn't a bug is a missed prerequisite. This interactive checklist walks through every category — DNS records, NTP, networking, hardware, licensing, certificates, firewall ports, accounts — and produces a signed-off PDF you can hand to your project team.

VCF 5.x / 9.x | PoC + HA modes | DNS · NTP · Networking | Hardware · Licensing | Firewall ports | PDF export

Quick start

  1. Pick your deployment mode — Proof of Concept (relaxed) or High Availability (full production checks).
  2. Work through each category — DNS, NTP, Physical Networking, Hardware, Licensing, VCF Installer, Certificates, Passwords, Firewall, Final Pre-Flight.
  3. Tick items as complete — checklist persists in your browser, so you can come back later.
  4. Add notes — record IP addresses, account names, ticket numbers next to each item.
  5. Export to PDF — when complete, generate a signed-off PDF for your team or change record.

When to use this tool

Use this tool:

This is a checklist, not a tester
The tool tracks completion of items — it does not actually verify that DNS resolves or ports are open. You still need to manually verify each prerequisite on your environment. Use this to track the verification work, not skip it.

How it works

VCF deployment fails when one of about 50 prerequisites isn't met. This tool catalogues every one of them, organised into 10 categories. Each item is either:

Choose PoC mode to hide HA-only items for a faster lab walkthrough. Choose HA mode to see everything required for production.

Your progress is saved in browser local storage — close the tab and come back later, work resumes where you left off. Export to PDF when done for an auditable record.

Step-by-step walkthrough

1. Pick deployment mode

At the top: Proof of Concept (PoC) for labs and demos, High Availability (HA) for production. HA mode adds items like redundant DNS, secondary NTP, real CA-signed certificates, and resource sizing checks. PoC mode skips them so you can build a lab faster.

2. DNS Records

Every VCF appliance and ESXi host needs both forward (A) and reverse (PTR) DNS records. The checklist enumerates them by component:

Use the DNS Zone Designer to generate all the records, then check them off here as you verify resolution from a test workstation.
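
One way to run the forward and reverse verification described above from a test workstation, added here as an example and not part of the checklist tool. It assumes dig is installed; check_record, check_plan and DNS_SERVER are names chosen for this example, and the plan file holds one "fqdn ip" pair per line.

```shell
#!/bin/sh
# Added example: verify that each planned record resolves forward (A) and
# reverse (PTR). Function names and DNS_SERVER are made up for this example.

# Resolver wrappers. Set DNS_SERVER to query one specific resolver, so that
# each redundant server can be tested in turn.
lookup_a()   { dig +short ${DNS_SERVER:+"@$DNS_SERVER"} A "$1" | grep -E '^[0-9.]+$'; }
lookup_ptr() { dig +short ${DNS_SERVER:+"@$DNS_SERVER"} -x "$1" | sed 's/\.$//'; }

# check_record FQDN EXPECTED_IP: returns 0 only if A and PTR agree with the plan.
check_record() {
    rec_name=$1; rec_ip=$2
    [ -n "$rec_ip" ] || { echo "FAIL $rec_name: no expected IP in plan"; return 1; }
    a_out=$(lookup_a "$rec_name") || true
    if ! printf '%s\n' "$a_out" | grep -qxF "$rec_ip"; then
        echo "FAIL $rec_name: A returned '${a_out:-nothing}', expected $rec_ip"
        return 1
    fi
    ptr_out=$(lookup_ptr "$rec_ip") || true
    # DNS names compare case-insensitively, hence -i.
    if ! printf '%s\n' "$ptr_out" | grep -qixF "$rec_name"; then
        echo "FAIL $rec_name: PTR for $rec_ip returned '${ptr_out:-nothing}'"
        return 1
    fi
    echo "OK   $rec_name <-> $rec_ip"
}

# check_plan: reads "fqdn ip" lines on stdin (blank lines and # comments are
# skipped), checks every record, and returns 1 if any of them failed.
check_plan() {
    plan_rc=0
    while read -r plan_name plan_ip; do
        case $plan_name in ''|'#'*) continue ;; esac
        check_record "$plan_name" "$plan_ip" </dev/null || plan_rc=1
    done
    return "$plan_rc"
}

# Example run from a workstation on the management network:
#   check_plan < vcf-records.txt
```

Because dig queries over UDP by default, a run from the management VLAN also exercises the UDP path to port 53, which a TCP probe such as nc -zv does not.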

3. NTP & Time Sync

Time skew breaks SSO, certificate validation, and clustering. Verify NTP servers are reachable, accurate, and configured on every appliance. HA mode adds: redundant NTP servers, time skew monitoring.
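
A way to turn chronyc sources output into a pass/fail result for this step, added here as an example and not taken from the checklist tool. It flags a missing selected source, too few usable sources (pass 2 for the HA redundancy item) and offsets over the one-minute mark this guide cites; ntp_summary, sample_sources and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `chronyc sources` output into a pass/fail NTP check.
# ntp_summary and sample_sources are names made up for this example.

# Usage: chronyc sources | ntp_summary MIN_USABLE
# Prints "selected=N usable=N bad=N skewed=N". Returns 0 only when a source is
# selected (*), at least MIN_USABLE sources answer polls, none is marked as a
# falseticker (x) or too variable (~), and none is more than 60 s off.
ntp_summary() {
    awk -v min="${1:-1}" '
    /^[=#^][*+?x~-] / {
        state = substr($1, 2, 1)
        if (state == "*") selected++
        if (state == "x" || state == "~") { bad++; next }
        if (state == "?" || $5 + 0 == 0) next     # Reach 0: no poll answered
        usable++
        # Field 7 is the adjusted offset, e.g. "+123us[" or "-972us[-1299us]".
        off = $7; sub(/\[.*/, "", off); sub(/^[+-]/, "", off)
        unit = off; sub(/^[0-9.]+/, "", unit)
        if (unit == "s") { if (off + 0 > 60) skewed++ }
        else if (unit != "ns" && unit != "us" && unit != "ms") skewed++  # m, h, d, y
    }
    END {
        printf "selected=%d usable=%d bad=%d skewed=%d\n", selected, usable, bad, skewed
        exit !(selected >= 1 && usable >= min + 0 && bad == 0 && skewed == 0)
    }'
}

# Constructed sample output (not captured from a real host).
sample_sources() {
    cat <<'EOF'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp1.lab.example              2   6   377    23   +123us[ +150us] +/-   12ms
^+ ntp2.lab.example              2   6   377    24   -972us[-1299us] +/-   53ms
^? ntp3.lab.example              0   6     0     -     +0ns[   +0ns] +/-    0ns
EOF
}

sample_sources | ntp_summary 2    # HA mode: two usable sources required
```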

4. Physical Networking

VLANs configured on switches, jumbo MTU end-to-end, port-channels/LACP set up, BGP peering ready for NSX edges if applicable. The Network Config Generator produces the switch configs; this checklist confirms they're actually deployed.

5. Hardware & ESX

Each host on the VCF HCL, BIOS settings reviewed (VT-x/AMD-V, EPT, performance profile), TPM 2.0 if using vTPM, NICs at correct firmware level, drives meet vSAN requirements. The Host Sizing Calculator validates host count first; this confirms each host is actually fit for purpose.

6. Licensing

VCF licenses present in the Broadcom Business Console, sized for your core count. Distinct from per-product licenses (vCenter, NSX, vSAN) — VCF uses a single SKU at the right tier.

7. VCF Installer

The Cloud Builder appliance (or VCF Installer in 9.x) downloaded, deployed, reachable from the management network, with the right version for your target VCF release.

8. Certificates

For HA: certificates from a real CA, with SANs covering every component FQDN. For PoC: self-signed is acceptable but document the security exception. Microsoft AD CS, Let's Encrypt (with appropriate ACME automation), or commercial CA all work.

9. Passwords & Accounts

VCF 9 enforces minimum password lengths (15+ chars). Document the password vault, set per-component passwords (don't use one global password for prod), have the SSO admin and AD service accounts pre-created.

10. Firewall — DNS & NTP Access

Common gotcha: management network can't reach corporate DNS or NTP because of segmentation rules. Verify each port and protocol explicitly — use nc -zv dns-server 53 from the management VLAN.

11. Final Pre-Flight

The last-mile items: maintenance window approved, change record raised, stakeholders notified, rollback plan documented. These are the meta-prerequisites — easy to forget when you're focused on the technical ones.

12. Export PDF

When everything is ticked, click Export PDF. Get a printable document with each item, your notes, the sign-off date, and a unique deployment reference. Drop it in your CMDB/change record as evidence.

Common mistakes

Skipping NTP because "it usually works"
Time skew of more than 1 minute breaks SSO authentication and certificate validation. A VCF deployment that mysteriously fails late in the install loop is usually an NTP problem. Verify with ntpq -p or chronyc sources, not just "I configured the server."
PoC certs in production
Self-signed certs technically work but cause warning floods, break API integrations, and trigger compliance findings. Switching certs post-deployment is more painful than getting it right the first time. For HA mode, use a real CA.
Treating the checklist as the work
Ticking "DNS configured" without actually testing resolution from the management network is the #1 cause of false sign-offs. The checklist is a tracking aid, not a verifier; actually run nslookup from the right network.
Forgetting that browser storage clears in incognito
Progress saves to browser local storage. Incognito/private mode loses it on tab close. Export to PDF often if you're in private browsing.


FAQ

Does the checklist cover VCF 4.x and 5.x?
Yes — the items apply to VCF 4.x, 5.x, and 9.x. Specific version differences (e.g. installer name, password rules) are noted on relevant items.
Can multiple people work on the checklist together?
Not in real-time — progress is local to one browser. The intended workflow: each team owner exports their section's PDF, then the project owner consolidates.
Why is licensing called out separately?
Because VCF licenses come from the Broadcom Business Console with a different SKU than legacy per-product licensing. Many teams discover they have vSphere + vSAN + NSX licenses but no actual VCF entitlement on deployment day.
What's the difference between PoC and HA modes in practice?
HA mode adds: redundant DNS/NTP servers, real CA certificates required, hardware redundancy validation, performance NIC sizing, BGP redundancy for NSX edges. PoC mode lets you skip these for a fast lab build.
Does the PDF export include my notes?
Yes — every item's notes field is included in the PDF, alongside completion status and timestamps.
Can I customise the checklist for my organisation?
Not yet via the UI. The roadmap includes adding/removing items and templated checklists for specific VCF versions.