The Fork in the Road: Connected vs. Disconnected Mode in VCF Operations 9.0


When you first deploy or configure VMware Cloud Foundation (VCF) Operations 9.0, you are presented with a seemingly simple radio button choice for licensing: Connected or Disconnected. It feels like a minor configuration detail—like choosing a time zone—but this single decision drastically changes your day-to-day life as an admin.

In this article, let us break down what these modes actually mean, the “180-Day Shuffle” you might be signing up for, and why “Disconnected” might not be the safety blanket you think it is.


1. Connected Mode: The “Easy Button”

Connected Mode is the default (and recommended) state for most enterprises. In this mode, your VCF Operations instance uses a Unified Cloud Proxy to open a secure, outbound-only tunnel to Broadcom’s cloud services.

Why choose it?

  • Automated Licensing: VCF 9.0 moves away from static keys to a usage-based operational model. In Connected Mode, the appliance automatically reports usage data to Broadcom. You do not have to touch it.
  • Log Assist: This is the only way to enable the “one-click” upload of support bundles.
  • Skyline Health (Diagnostic Findings): Your environment pulls down real-time definitions of known issues. If a new “Purple Screen of Death” bug is discovered globally, your VCF Ops gets the alert definition automatically without waiting for a patch.

The Reality:

It requires internet access (via proxy). For 90% of customers, the security trade-off is negligible compared to the operational value.


2. Disconnected Mode: The “Fort Knox” Approach

Disconnected Mode is designed strictly for air-gapped environments—think Defense, Intelligence, or highly regulated banking zones where no packets are allowed to leave the data center.

The Trade-off

While you gain absolute isolation, you pay for it with operational friction. The biggest pain point? The “180-Day Shuffle.”

In VCF 9.0, even air-gapped environments must report usage to remain compliant. Since the appliance cannot “phone home,” you become the carrier pigeon.

The Workflow:

  1. Export: Every 180 days (or sooner), you must manually generate an encrypted usage report file from VCF Ops.
  2. Transport: Move this file to a machine with internet access (often involving USB drives and security scans).
  3. Upload: Log into the Broadcom portal and upload the file.
  4. Download: Receive a valid acknowledgement/license file in return.
  5. Import: Carry that file back to VCF Ops and import it to reset the timer.

If you miss this window, you risk your console entering a restricted state.
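A tracking helper for the workflow above, added here as an example and not part of VCF Operations or any Broadcom tooling: it records a SHA-256 for each file before it crosses the air gap, verifies it on the other side, and flags instances whose 180-day window is closing. The instance names, dates, file contents and the 30-day warning threshold are assumptions; the window is counted from the last import, per step 5.

```python
import hashlib
from datetime import date, timedelta

REPORT_WINDOW_DAYS = 180  # from the article: export "every 180 days (or sooner)"
WARN_DAYS = 30            # assumption: lead time for USB transfer, scanning, portal upload


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def custody_record(instance: str, step: str, payload: bytes, when: date) -> dict:
    """Written on the sending side of the air gap (step 1 Export or step 4 Download)."""
    return {"instance": instance, "step": step,
            "date": when.isoformat(), "sha256": sha256_hex(payload)}


def verify_transfer(record: dict, received: bytes) -> bool:
    """Run on the receiving side before step 3 (Upload) or step 5 (Import)."""
    return sha256_hex(received) == record["sha256"]


def window_status(last_import: date, today: date) -> tuple:
    """Days left before the window closes, counted from the last import."""
    deadline = last_import + timedelta(days=REPORT_WINDOW_DAYS)
    remaining = (deadline - today).days
    if remaining < 0:
        state = "OVERDUE"
    elif remaining <= WARN_DAYS:
        state = "DUE_SOON"
    else:
        state = "OK"
    return state, remaining, deadline


if __name__ == "__main__":
    # Constructed sample data: instance names, dates and file contents are made up.
    report = b"constructed-encrypted-usage-report"
    rec = custody_record("vcf-ops-site-a", "export", report, date(2025, 6, 20))
    print("intact copy verifies:  ", verify_transfer(rec, report))
    print("altered copy verifies: ", verify_transfer(rec, report + b"\x00"))
    for name, last in [("vcf-ops-site-a", date(2025, 1, 10)),
                       ("vcf-ops-site-b", date(2025, 5, 2))]:
        state, left, deadline = window_status(last, date(2025, 6, 20))
        print(f"{name}: {state}, {left} days left, deadline {deadline}")
```

The custody record only proves anything if it reaches the other side by a different path than the file itself, for example read aloud or carried on paper rather than stored on the same USB drive.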


Comparison: What Do You Lose?

Here is a quick cheat sheet on what functionality drops off when you cut the cord:

*A Note on “Cloud-Based AI & Pricing”

It is important to understand what “Blocked” means here.

  • Live Access (Connected): Your instance connects to live external APIs. You get real-time AWS/Azure pricing for “What-If” migration planning, and the AI Assistant can query the live Broadcom Knowledge Base for answers.
  • Blocked (Disconnected): Your core capacity engine still works perfectly! However, features that rely on external data (like public cloud rate cards or search-based support assistants) are disabled because the appliance cannot reach the outside world.

Here is more detail on what “Cloud-Based AI” in the table above covers:

1. The “Skyline” Brain (Diagnostic Findings)

  • Live Access (Connected): Your VCF Ops instance connects to Broadcom’s central “Cloud Brain.” If a new “Purple Screen of Death” bug is discovered by a customer in Japan today, Broadcom updates the signature in the cloud. Your instance downloads this new AI signature immediately and warns you before you hit the bug.
  • Blocked (Offline): Your instance is stuck with the “knowledge” it had the day you installed it. It cannot warn you about new bugs or security vulnerabilities discovered after the release date until you manually patch the entire appliance. You lose the real-time immunity of the fleet.

2. Intelligent Assist (The Support Bot)

  • Live Access (Connected): VCF 9.0 introduces an AI Assistant (like a specialized ChatGPT for VMware) that helps you troubleshoot. In Connected Mode, this assistant can query Broadcom’s live Knowledge Base (KB) and community forums to give you answers like, “This error usually means your driver is outdated, see KB #12345.”
  • Blocked (Offline): The assistant is “lobotomized.” It cannot access the external KB or live support data. It can only search your local logs, significantly reducing its helpfulness during a crisis.

3. Public Cloud Costing (What-If Scenarios)

  • Live Access (Connected): If you run a “What-If Analysis” to see how much it would cost to migrate a VM to AWS or Azure, VCF Ops pulls live pricing APIs from Amazon/Microsoft to give you accurate dollar amounts.
  • Blocked (Offline): The system cannot reach the public cloud pricing APIs. Your “Cloud Migration” scenarios will either fail or use dangerously outdated rate cards, making financial planning impossible.

The “Gotcha”: Switching Modes

The good news is that this is not permanent. You can switch from Disconnected to Connected later if your security team relaxes the rules.

However, many admins default to “Disconnected” during setup just to “get the install done” without waiting for Firewall approvals. Don’t do this. You are effectively crippling your monitoring tool on Day 1. It is worth waiting the extra 2 days for the Network team to approve the Cloud Proxy rules so you can have Log Assist ready when you actually need it.


Conclusion

If you work in a submarine or a bunker, Disconnected Mode is built for you. Wear it as a badge of honor.

For everyone else? Fight for Connected Mode. The friction of manual licensing and the loss of Log Assist simply isn’t worth the illusion of extra security. Modern IT is hard enough—do not voluntarily sign up for manual log uploads if you do not have to.
