Fast cloud migration, measurable ROI: Forrester Total Economic Impact study of Azure VMware Solution
Many organizations are balancing near-term continuity for VMware-based workloads with longer-term cloud modernization goals – all while managing cost, security, and resiliency. Azure VMware Solution (AVS) is built for this moment: a Microsoft-managed service verified by VMware that enables running VMware Cloud Foundation (VCF) workloads (vSphere, NSX-T, vSAN, HCX) on dedicated Azure infrastructure. It gives organizations a practical way to move or extend VMware environments into Azure while maintaining operational consistency and leveraging the skills of existing VMware teams. To help leaders quantify the potential value of this approach, Microsoft commissioned Forrester Consulting to conduct The Total Economic Impact™ (TEI) of Microsoft Azure VMware Solution (March 2026). The study models the financial impact over three years and risk-adjusts results. Access the full study here: aka.ms/AVS-TEI Here’s what the study found and how IT leaders can use it as a framework for decision-making: Topline results from the study Forrester’s risk-adjusted financial analysis for a composite organization 1 found: 341% ROI over three years 2 $5.6M net present value (NPV) 3 <6 months payback 4 These metrics are meaningful on their own, but the bigger story for leadership is where the value comes from: improved operational stability, reduced infrastructure costs driven by data center exit and hardware refresh avoidance, and the ability to redeploy skilled IT resources from maintenance to modernization. The customer journey: why organizations turn to AVS AVS offers a bridge: Lift and shift VMware workloads into Azure without forcing immediate re-platforming then, modernize at a pace aligned to business priorities. In the study, Forrester interviewed decision-makers with experience using AVS. Interviewees described common challenges that led them to invest in AVS, including: Fragmented systems that complicated and slowed operations: Inherited stacks, duplicated tools, and unclear ownership of orphan machines made operations and governance harder. Rising cost and complexity of on-premises operation: Colocation fees, energy and cooling costs, server refresh cycles, and tooling renewals were difficult to justify against cloud economics. Limited capacity and skills to refactor at scale: Teams wanted the cost and agility benefits of the cloud but didn’t have the time or skills to rewrite hundreds (or thousands) of VMs on aggressive timelines. Security and audit pressure: Disparate environments and legacy access models elevated risk and created audit friction. Operational variability and end-user experience: VPN dependencies, inconsistent remote tooling, and endpoint logistics led to slow first-call resolution and downtime risks. Three quantified benefits that drive the business case 1) Reduction in downtime and associated costs by 80% In the study, interviewees reported that moving VMware workloads to AVS improved day-to-day reliability by eliminating fragile on-premises workflows and leveraging Azure’s managed infrastructure. Examples included fewer VPN-related failures, faster issue resolution through centralized tooling, and stronger service-level performance. For leadership teams, this benefit is about more than avoided cost. Better up time protects customer experience, employee productivity, and reduces the operational noise that can slow modernization programs. 2) Reduced infrastructure costs through data center exit, refresh avoidance, and cleanup A second driver is the ability to avoid or eliminate significant portions of data center cost and refresh spend. In the study, interviewees described using AVS to close data centers, avoid upcoming hardware refresh cycles, and reduce ongoing capital and operating costs. Importantly, interviewees also reported that migration waves prompted additional savings through portfolio hygiene by validating each VM, decommissioning redundant systems, and rightsizing oversized workloads. Those actions helped organizations reduce their ongoing compute, storage, and licensing footprint after migration. 3) Redeployment of 50% of IT team members from maintenance to modernization The TEI study quantifies a practical advantage of a managed VMware environment in Azure: fewer hours spent on hardware lifecycle, cluster patching, upgrades, and other routine data center tasks. In practice, many leaders treat this as capacity created rather than budget eliminated: the opportunity to shift experienced engineers toward modernization, automation, cloud governance, proactive incident prevention, and higher-value business initiatives. Unquantified benefits organizations should weigh Beyond the quantified categories, the study also highlights benefits that are strategically important, but not fully quantified in the model: Acceleration of future modernization: With workloads running in Azure via AVS, organizations can integrate platform services across security, identity, data, and analytics and build a runway for new capabilities, including AI-driven scenarios in Azure. Fast, cost-effective migration of legacy workloads: Interviewees described avoiding major consulting or hiring costs that would have been required to refactor complex workloads into cloud-native designs. Improved audit readiness and security posture: Consolidating fragmented environments into governed Azure landing zones can simplify audit preparation and strengthen governance and monitoring. For many leadership teams, these benefits strengthen the business case because they support broader transformation outcomes that extend beyond infrastructure cost alone. Things to consider in your own decision process If you’re building a business case to move workloads to Azure, whether it be lifting and shifting to AVS or replatforming and refactoring to Azure IaaS and managed services, consider mapping your environment across these areas: Data center timelines: Refresh cycles, colocation exit deadlines, and contract constraints. Operating model readiness: How quickly teams can adopt cloud-native services versus preserving VMware operations during transition. Modernization roadmap: Determine which applications are candidates for investment in replatforming, refactoring, replacement, or retirement once in Azure. Next steps Read the full TEI study: aka.ms/AVS-TEI Explore more about AVS: aka.ms/AzureVMwareSolution Get the VMware to Azure VMware Solution Planning Guide: aka.ms/VMwareToAVSguide Learn more about the Azure Copilot migration agent: aka.ms/migrate/AMA 1 Composite organization: Forrester designed a composite organization based on characteristics of the interviewees’ organizations. 2 Return on Investment (ROI): A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs. 3 Net present value (NPV): The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs. 4 Payback: The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.Migrate & Modernize Your VMware Platform Using Azure VMware Solution Gen 2
This video series by Microsoft Global Blackbelts, Carlos Villuendas (CarlosV) and Trevor Davis (tredavis), guides users from configuring prerequisites to deploying, migrating on-premises VMware workloads to Azure VMware Solution, then integrating VMware workloads with Azure Native services for enhanced value. These are the first two videos, much more to come, please check back often. For requests, leave comments in the notes. Enjoy! 1 - Prerequisites 2 - DeploymentBroadcom VMware Licensing Changes: What Azure VMware Solution Customers Need to Know
Broadcom has announced changes are coming to its VMware licensing model on hyperscalers beginning in its new fiscal year on November 1, 2025. If you’re an Azure VMware Solution customer, here’s what you need to know about the new requirements and how they will affect your cloud deployments. What’s changing? Broadcom is changing its VMware licensing policies across all hyperscaler platforms to require customers to “bring your own” portable subscription for VMware Cloud Foundation (VCF). This means customers must purchase portable VCF subscriptions directly from Broadcom to use with cloud services in the future, including Azure VMware Solution. Azure VMware Solution already supports “bring your own” licensing model The good news is that Azure VMware Solution is ready for this change. The Azure VMware Solution VCF BYOL option is available in all 35 AVS regions worldwide, allowing customers to run AVS using their own VCF subscriptions. This BYOL solution is priced lower than AVS with bundled VCF subscription. No product changes to Azure VMware Solution These updates are about licensing only—there are no product changes to how Azure VMware Solution works. Microsoft will continue to deliver Azure VMware Solution as a fully managed VCF private cloud service on Azure. In practice, this means that Microsoft takes care of all infrastructure and VMware host level software management, patches and upgrades. You don’t need to worry about hardware maintenance or manual VMware host updates. Key dates and transition details Microsoft will stop selling Azure VMware Solution with VCF subscriptions included after October 15, 2025. After this date, new Azure VMware Solution node purchases will require you to provide a VCF subscription purchased from Broadcom. Microsoft will honor existing Reserved Instance commitments to Azure VMware Solution customers. If you purchase Azure VMware Solution Reserved Instances (RIs) on or before October 15, 2025, you can continue to use your Azure VMware Solution nodes without any licensing or product changes until your RI term ends. Azure VMware Solution with license included PayGo nodes can continue to operate without any licensing or product changes through October 31, 2026. Alternatively, customers can switch from Azure VMware Solution PayGo and purchase an Azure VMware Solution RI with license included by October 15, 2025. Helpful resources We’re committed to making this transition as smooth as possible for our customers and partners. Here are some helpful links with more details: How to use portable VCF subscriptions with Azure VMware Solution How to purchase an Azure VMware Solution RI Broadcom Blog announcing the VMware licensing change If you need to purchase VCF subscriptions and do not have a Broadcom contract, leverage one of the Broadcom channel partners here. We will be reaching out directly to current Azure VMware Solution customers with more details. If you have any questions, reach out to your Microsoft account representative so we can help you navigate this transition.
Azure VMWare (AVS) Cost Optimization Using Azure Migrate Tool
What is AVS? Azure VMware Solution provides private clouds that contain VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. Azure VMware Solution is available in Azure Commercial and Azure Government. The minimum initial deployment is three hosts, with the option to add more hosts, up to a maximum of 16 hosts per cluster. All provisioned private clouds have VMware vCenter Server, VMware vSAN, VMware vSphere, and VMware NSX. As a result, you can migrate workloads from your on-premises environments, deploy new virtual machines (VMs), and consume Azure services from your private clouds. Learn More: https://learn.microsoft.com/en-us/azure/azure-vmware/introduction What is Azure Migrate Tool? Azure Migrate is a comprehensive service designed to help you plan and execute your migration to Azure. It provides a unified platform to discover, assess, and migrate your on-premises resources, including servers, databases, web apps, and virtual desktops, to Azure. The tool offers features like dependency analysis, cost estimation, and readiness assessments to ensure a smooth and efficient migration process. Learn More: https://learn.microsoft.com/en-us/azure/migrate/migrate-services-overview How Azure Migrate can be used to Discover and Assess AVS? Azure Migrate enables the discovery and assessment of Azure VMware Solution (AVS) environments by collecting inventory and performance data from on-premises VMware environments, either through direct integration with vCenter (via Appliance) or by importing data from tools like RVTools. Using Azure Migrate, organizations can analyze the compatibility of their VMware workloads for migration to AVS, assess costs, and evaluate performance requirements. The process involves creating an Azure Migrate project, discovering VMware VMs, and generating assessments that provide insights into resource utilization, right-sizing recommendations, and estimated costs in AVS. This streamlined approach helps plan and execute migrations effectively while ensuring workloads are optimized for the target AVS environment. Note: We will be narrating the RVtools Import method in this article. What Is RVTools? RVTools is a lightweight, free utility designed for VMware administrators to collect, analyze, and export detailed inventory and performance data from VMware vSphere environments. Developed by Rob de Veij, RVTools connects to vCenter or ESXi hosts using VMware's vSphere Management SDK to retrieve comprehensive information about the virtual infrastructure. Key Features of RVTools: Inventory Management: Provides detailed information about virtual machines (VMs), hosts, clusters, datastores, networks, and snapshots. Includes details like VM names, operating systems, IP addresses, resource allocations (CPU, memory, storage), and more. Performance Insights: Offers visibility into resource utilization, including CPU and memory usage, disk space, and VM states (e.g., powered on/off). Snapshot Analysis: Identifies unused or orphaned snapshots, helping to optimize storage and reduce overhead. Export to Excel: Allows users to export all collected data into an Excel spreadsheet (.xlsx) for analysis, reporting, and integration with tools like Azure Migrate. Health Checks: Identifies configuration issues, such as disconnected hosts, orphaned VMs, or outdated VMware Tools versions. User-Friendly Interface: Displays information in tabular form across multiple tabs, making it easy to navigate and analyze specific components of the VMware environment. Hand-on LAB Disclaimer: The data used for this LAB has no relationship with real world scenarios. This sample data is self-created by the author and purely for understanding the concept. To discover and assess your Azure VMware Solution (AVS) environment using an RVTools extract report in the Azure Migrate tool, follow these steps: Prerequisites RVTools Setup: Download and install RVTools from the RVTools Download Ensure connectivity to your vCenter server. Extract the data by running RVTools and saving the output as an Excel (.xlsx) file Permissions: You need at least the Contributor role on the Azure Migrate project. Ensure that you have appropriate permissions in your vCenter environment to collect inventory and performance data. File Requirements: The RVTools file must be saved in .xlsx format without renaming or modifying the tabs or column headers. Note: Sample Sheet: Please check the attachment included with this article. Note that this is not the complete format; some tabs and columns have been removed for simplicity. During the actual discovery and assessment process, please do not modify the tabs or columns. Procedure Step 1: Export Data from RVTools Follow the steps provided in official website to get RVTools Extract Sample Sheet: Please check the attachment included with this article. Note that this is not the complete format; some tabs and columns have been removed for simplicity. During the actual discovery and assessment process, please do not modify the tabs or columns. Step 2: Discover Log in to the Azure portal. Navigate to Azure Migrate and select your project or create new project. Under Migration goals, select Servers, databases and web apps. On Azure Migrate | Servers, databases and web apps page, under Assessment tools, select Discover and then select Using import. In Discover page, in File type, select VMware inventory (RVTools XLSX). In the Step 1: Import the file section, select the RVTools XLSX file and then select Import. Wait for some time to Import Once import completed check for Error Messages if any and rectify those and re upload, otherwise wait 10-15 minutes to reflect imported VMs in the discovery. Post discovery Reference Link: https://learn.microsoft.com/en-us/azure/migrate/vmware/tutorial-import-vmware-using-rvtools-xlsx?context=%2Fazure%2Fmigrate%2Fcontext%2Fvmware-context Step 3: Assess After the upload is complete, navigate to the Servers tab. Click on Assess -->Azure VMware Solution to assess the discovered machines. Edit assessment settings based on your requirements and Save Target region: Select the Azure region for the migration. Node Type: Specify the Azure VMware Solution series (e.g., AV36, AV36P). Pricing model: Select pay-as-you-go or reserved instance pricing. Discount: Specify any available discounts. Note: We will be explaining all the parameters in optimize session. As of now just review and leave parameters as it is. In Assess Servers, select Next. In Select servers to assess > Assessment name > specify a name for the assessment. In Select or create a group > select Create New and specify a group name. Select the appliance and select the servers you want to add to the group. Then select Next. In Review + create assessment, review the assessment details, and select Create Assessment to create the group and run the assessment. Step 4: Review the Assessment View an assessment In Windows, Linux and SQL Server > Azure Migrate: Discovery and assessment, select the number next to Azure VMware Solution. In Assessments, select an assessment to open it. As an example (estimations and costs, for example, only): Review the assessment summary. You can select Sizing assumptions to understand the assumptions that went in node sizing and resource utilization calculations. You can also edit the assessment properties or recalculate the assessment. Step 5: Optimize We have received a report without any optimization in our previous steps. Now we can follow below steps to optimize the cost and node count even further High level steps: Find limiting factor Find which component in settings are mapped for optimization depending on limiting factor Try to adjust the mapped component according to Scenario and Comfort Find Limiting factor: First understand which component (CPU, memory and storage) is deciding your ESXI Node count. This will be highlighted in the report The limiting factor shown in assessments could be CPU or memory or storage resources based on the utilization on nodes. It is the resource, which is limiting or determining the number of hosts/nodes required to accommodate the resources. For example, in an assessment if it was found that after migrating 8 VMware VMs to Azure VMware Solution, 50% of CPU resources will be utilized, 14% of memory is utilized and 18% of storage will be utilized on the 3 Av36 nodes and thus CPU is the limiting factor. Find which option in the setting can be used to optimize: This is depending on the limiting factor. For eg: If Limiting factor is CPU, which means you have high CPU requirement and CPU oversubscription can be used to optimize ESXI Node. Likewise, if storage is the limiting factor editing FTT, RAID or introducing External storage like ANF will help you to reduce Node count. Even reducing one node count will create a huge impact in dollar value. Let's understand how over commitment or over subscription works with simple example. Let's suppose I have two VMs with below specification Name CPU Memory Storage VM1 9 vCPU 200 GB 500 GB VM2 4 vCPU 200 GB 500 GB Total 13 vCPU 400 GB 1000 GB We have EXSI Node which has below capacity: vCPU 10 Memory 500 GB storage 1024 GB Now without optimization I need two ESXI node to accommodate 13 vCPU of total requirement. But let's suppose VM1 and VM2 doesn't consume entire capacity all the time. The total capacity usage at a time will not go beyond 10. then I can accommodate both VM in same ESXI node, Hence I can reduce my node count and cost. Which means it is possible to share resources among both VMs. Without optimization With optimization Parameters effecting Sizing and Pricing CPU Oversubscription Specifies the ratio of number of virtual cores tied to one physical core in the Azure VMware Solution node. The default value in the calculations is 4 vCPU:1 physical core in Azure VMware Solution. API users can set this value as an integer. Note that vCPU Oversubscription > 4:1 may impact workloads depending on their CPU usage. Memory overcommit factor Specifies the ratio of memory overcommit on the cluster. A value of 1 represents 100% memory use, 0.5, for example is 50%, and 2 would be using 200% of available memory. You can only add values from 0.5 to 10 up to one decimal place. Deduplication and compression factor Specifies the anticipated deduplication and compression factor for your workloads. Actual value can be obtained from on-premises vSAN or storage configurations. These vary by workload. A value of 3 would mean 3x so for 300GB disk only 100GB storage would be used. A value of 1 would mean no deduplication or compression. You can only add values from 1 to 10 up to one decimal place. FTT : How many device failure can be tolerated for a VM RAID : RAID stands for Redundant Arrays of Independent Disks Explains how data should be stored for redundancy Mirroring : Data will be duplicated as it is to another disk E.g.: To protect a 100 GB VM object by using RAID-1 (Mirroring) with an FTT of 1, you consume 200 GB. Erasure Coding : Erasure coding divides data into chunks and calculates parity information (redundant data) across multiple storage devices. This allows data reconstruction even if some chunks are lost, similar to RAID, but typically more space-efficient E.g.: to protect a 100 GB VM object by using RAID-5 (Erasure Coding) with an FTT of 1, you consume 133.33 GB. Comfort Factor: Azure Migrate considers a buffer (comfort factor) during assessment. This buffer is applied on top of server utilization data for VMs (CPU, memory and disk). The comfort factor accounts for issues such as seasonal usage, short performance history, and likely increases in future usage. For example, a 10-core VM with 20% utilization normally results in a 2-core VM. However, with a comfort factor of 2.0x, the result is a 4-core VM instead. AVS SKU Sizes Optimization Result In this example we got to know that CPU is my limiting factor hence I have adjusted CPU over subscription value from 4:1 to 8:1 Reduced node count from 6 (3 AV36P+3 AV64) to 5 AV36P Reduced Cost by 31% Note: Over-provisioning or over-committing can put your VMs at risk. However, in Azure Cloud, you can create alarms to warn you of unexpected demand increases and add new ESXi nodes on demand. This is the beauty of the cloud: if your resources are under-provisioned, you can scale up or down at any time. Running your resources in an optimized environment not only saves your budget but also allows you to allocate funds for more innovative ideas.Azure VMware Solution Broadcom VMSA-2025-0004 Remediation
With continuous monitoring and security intelligence gathering, Microsoft ensures proactive identification and mitigation of security threats. By leveraging advanced analytics, Microsoft is able to detect vulnerabilities early, empowering organizations to stay ahead of potential risks and safeguard their digital assets effectively. Recently, Microsoft discovered a critical ESXi vulnerability and has been collaborating with Broadcom to develop and qualify a secure patch to address this issue. With Microsoft’s commitment to the security of our platform and our improved lifecycle management process, we were able to quickly assemble a global team to work on the acceleration and validation of the ESXi 8.0 U2d Build 24585300 security patch. We have successfully qualified the security patch that will mitigate VMSA-2025-0004 across our fleet. As a result, with the public release of this vulnerability we are ready to patch your existing Azure VMware Solution infrastructure. We are committing to completing the remediation within 30-days. Microsoft will communicate the scheduled date of patching over the next three weeks. Any Azure VMware Solution private cloud deployed after March 4, 2025 will be provisioned with the patch already applied to the environment. Microsoft takes an in-depth approach to vulnerability and risk management. With our new and improved partnership with Broadcom, this allows us to enhance our overall security and quickly address vulnerabilities in VMware solutions. If you are interested in the Azure VMware Solution, please use these resources to learn more about the service: Homepage: Azure VMware Solution Documentation: Azure VMware Solution SLA: SLA for Azure VMware Solution Azure Regions: Azure Products by Region Known Issues: Azure VMware Solution Software Versions: Azure VMware Solution Security Advisories: Broadcom Release Notes: ESXi 8.0 U2d Build 24585300 Author Bios Ricky Perez is a Senior Technical Program Manager in the Azure VMware Solution product group at Microsoft. His background is in solution architecture with experience in public cloud and core infrastructure services. Chastidy Harris is a Senior Program Manager in the Azure VMware Solution product group at Microsoft. Rahi Patel is a Senior Technical Program Manager in the Azure VMware Solution product group at Microsoft. René van den Bedem is a Principal Technical Program Manager in the Azure VMware Solution product group at Microsoft. His background is in enterprise architecture with extensive experience across all facets of the enterprise, public cloud & service provider spaces, including digital transformation and the business, enterprise, and technology architecture stacks. René works backwards from the problem to be solved and designs solutions that deliver business value with the minimum of risk. In addition to being the first quadruple VMware Certified Design Expert (VCDX), he is also a Dell Technologies Certified Master Enterprise Architect, a Nutanix Platform Expert (NPX), and a VMware vExpert.Take Control of Your Azure VMware Solution Maintenance Schedule
Overview Azure VMware Solution is a VMware validated first party Azure service from Microsoft that provides private clouds containing VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. It enables customers to leverage their existing investments in VMware skills and tools, allowing them to focus on developing and running their VMware-based workloads on Azure. At Microsoft, we’re continuously evolving our services based on customer feedback and Azure VMware Solution is no exception. As a fully Microsoft-managed service, Azure VMware Solution takes care of the end-to-end lifecycle management of your VMware environment, from ESXi host patching to vCenter Server and NSX upgrades. This ensures your private cloud stays secure, compliant, and up-to-date. Historically, planned maintenance for Azure VMware Solution was scheduled by Microsoft, and customers who needed the schedule adjustments had to open a support request to modify their maintenance windows. But that’s changing. Introducing Self-Service Maintenance Scheduling We’re thrilled to introduce Self-Service Scheduling for planned maintenance events in Azure VMware Solution. Go ahead and schedule your next Azure VMware Solution maintenance on your terms and let the built-in health checks guide you to a smooth upgrade: Self-Service the planned Maintenance events – An Azure Portal feature that gives customers a user interface to view upcoming maintenance and schedule it to a preferred time without contacting support. Private Cloud “Maintainable State” Indicator – A built-in pre-check that determines if your private cloud is in a maintenance-ready state. If not, it will show which issues need attention to make the environment ready for upgrade. Designed for Agility and Peace of Mind These features mark a significant step toward a more agile and transparent Azure VMware Solution maintenance experience. You maintain the benefits of a fully managed service, expert-managed upgrades, built-in security, and full support, while gaining precise control over the timing of your upgrades. Whether you're planning around critical business windows or simply want more predictability, the new self-service capabilities help ensure smoother, more efficient Azure VMware Solution operations. Ready to try it out? Step 1 - Log in to the Azure portal and take control of your next maintenance event. It’s maintenance, your way. Step 2 - From the Azure VMware Solution private cloud Overview page in the Azure Portal, look for the maintenance message and click the schedule link or under the Operations option, select the Maintenance page. Step 3 - From the Maintenance page, check the "Maintenance ready" status for each item and use the "Reschedule" link to change the upgrade date and time. Step 4 - If the Maintenance ready status is "No", check the detailed message for the remediation plan to unblock the upgrade. Summary Self-Service Maintenance Scheduling is now in Public Preview, use this instead of opening a service request to change your Azure VMware Solution planned maintenance. If you are interested in the Azure VMware Solution, please use these resources to learn more about the service: Homepage: Azure VMware Solution Documentation: Azure VMware Solution SLA: SLA for Azure VMware Solution Azure Regions: Azure Products by Region Self-Service Maintenance: Plan self-service maintenance for Azure VMware Solution Author Bios Hetal Prashnani is a Technical Program Manager in the Azure VMware Solution product group at Microsoft. René van den Bedem is a Principal Technical Program Manager in the Azure VMware Solution product group at Microsoft. His background is in enterprise architecture with extensive experience across all facets of the enterprise, public cloud & service provider spaces, including digital transformation and the business, enterprise, and technology architecture stacks. René works backwards from the problem to be solved and designs solutions that deliver business value with the minimum of risk. In addition to being the first quadruple VMware Certified Design Expert (VCDX), he is also a Dell Technologies Certified Master Enterprise Architect, a Nutanix Platform Expert (NPX), and a VMware vExpert.Azure VMware Solution Broadcom VMSA-2025-0013 Remediation
Broadcom has released a new Critical Security Advisory, VMSA-2025-0013 with a CVSS base score range of 7.1 to 9.3. With Microsoft’s commitment to the security of our platform and our improved lifecycle management process, we were able to quickly assemble a global team to work on the acceleration and validation of the ESXi 8.0 U3f + Hot Patch (VAIO bug fix) Build 24797835 security patch . We have nearly finished qualifying the security patch that will mitigate VMSA-2025-0013 across our fleet. As a result, with the public release of this vulnerability we expect to be able to patch your existing Azure VMware Solution infrastructure next week. We are committing to completing the remediation within 30-days. Microsoft will communicate the scheduled date of patching over the next three weeks. Any Azure VMware Solution private cloud deployed next week will be provisioned with the patch already applied to the environment. Microsoft takes an in-depth approach to vulnerability and risk management. With our new and improved partnership with Broadcom, this allows us to enhance our overall security and quickly address vulnerabilities in VMware solutions. If you are interested in the Azure VMware Solution, please use these resources to learn more about the service: Homepage: Azure VMware Solution Documentation: Azure VMware Solution SLA: SLA for Azure VMware Solution Azure Regions: Azure Products by Region Known Issues: Azure VMware Solution Software Versions: Azure VMware Solution Security Advisories: Broadcom Release Notes: vCenter Server 8.0 U3e Build 24674346 Release Notes: ESXi 8.0 U3f + Hot Patch (VAIO bug fix) Build 24797835 Author Bios Rahi Patel is a Senior Technical Program Manager in the Azure VMware Solution product group at Microsoft. René van den Bedem is a Principal Technical Program Manager in the Azure VMware Solution product group at Microsoft. His background is in enterprise architecture with extensive experience across all facets of the enterprise, public cloud & service provider spaces, including digital transformation and the business, enterprise, and technology architecture stacks. René works backwards from the problem to be solved and designs solutions that deliver business value with the minimum of risk. In addition to being the first quadruple VMware Certified Design Expert (VCDX), he is also a Dell Technologies Certified Master Enterprise Architect, a Nutanix Platform Expert (NPX), and a VMware vExpert.New Automation enhancements in AVS Landing Zone for Migration-Ready Infrastructure
Azure VMware Solution (AVS) Landing Zone offers PowerShell automation scripts that streamline deployment and management of key AVS components—jumpbox for secure access, HCX Connector for hybrid connectivity, and HCX Service Mesh for workload mobility—enabling consistent, repeatable setups that reduce manual effort, improve operational readiness, and accelerate migration timelines across multiple environments and regions.HCX 4.11.0 Upgrade and What it means for Current HCX Users
Overview Azure VMware Solution is a VMware validated first party Azure service from Microsoft that provides private clouds containing VMware vSphere clusters built from dedicated bare-metal Azure infrastructure. It enables customers to leverage their existing investments in VMware skills and tools, allowing them to focus on developing and running their VMware-based workloads on Azure. VMware HCX is the mobility and migration software used by the Azure VMware Solution to connect remote VMware vSphere environments to the Azure VMware Solution. These remote VMware vSphere environments can be on-premises, co-location or cloud-based instances. Figure 1 – Azure VMware Solution with VMware HCX Service Mesh Broadcom has announced the end-of-life (EOL) for VMware HCX version 4.10.x, effective July 27, 2025. To proactively address this change and ensure continued support, Microsoft will begin upgrading all Azure VMware Solution customers using HCX Manager to HCX version 4.11.0. What Changes are introduced as part of HCX 4.11.0? With the release of HCX 4.11.0, Broadcom has made significant changes to the way HCX will be available for download and upgrades. Local Mode From HCX 4.11.0 onwards, HCX will only be available in local mode. This means that HCX systems running 4.11.0 or later will no longer receive upgrade notifications under the System updates section from Broadcom. Once HCX systems are upgraded to 4.11.0 using the offline bundle they will operate in Local mode only. Connection to VMware & Hybridity Depot. As of 4.11.0 activation key-based licensing has been deprecated. Activation keys in HCX 4.11.0 will stop working 450 days after the upgrade to HCX 4.11.0 takes place. HCX systems running versions prior to 4.11.0 that are currently using the activation keys will stop working when connect.hcx.vmware.com is decommissioned later this year. Please note, the following HCX functionality is deprecated in HCX 4.11.0 and will be removed in a future release. HCX is 4.11.0 will no longer be supported as of December 24 th , 2025. Customers should plan to migrate to an alternative solution at the earliest if they use any of the following features. HCX V2T Migration HCX WAN Optimization HCX Disaster Recovery vCenter Server Plug-in for HCX HCX UI – Tracking page in Migration interface What actions will customers need to take? To ensure smooth migration, customers will be required to upgrade any paired HCX connectors and service mesh appliances to HCX 4.11.0. Furthermore, customers may be required to execute a resync operation on each HCX service mesh on both the source and connector sides to ensure that no errors have occurred due to the upgrade. All Azure VMware Solution customers have now been notified of their preliminary scheduled upgrade date. Customers have the option to reschedule using the Azure VMware Solution portal but must complete this upgrade during US work hours before July 31. Microsoft will only upgrade the HCX Cloud Manager, the on-prem HCX manager and service mesh appliances will need to be upgraded by the customer. Once upgraded, customers will find previous and current versions of the HCX connector bundles, including HCX 4.11.0, in their vSAN datastore for cluster-1, under a folder named “AVS_Official_HCX_Connector_Binaries” The HCX 4.11.0 bundle should be used by customers to upgrade their on-prem HCX connector. Summary Microsoft is working towards upgrading all Azure VMware Solution customers that are using HCX by the end of July 2025. Customers are currently being notified of when their upcoming HCX upgrade will take place. For additional information on VMware HCX 4.11, please review the following Knowledge base article from Broadcom. Upgrade Bundle Download from 443 UI will Fail in All HCX versions prior to 4.11 If you are interested in the Azure VMware Solution, please use these resources to learn more about the service. Homepage: Azure VMware Solution Learn: Run VMware resources on Azure VMware Solution Training Documentation: Azure VMware Solution Azure CLI: Azure Command-Line Interface (CLI) Overview PowerShell module: Az.VMware Module Terraform provider: azurerm_vmware_private_cloud Terraform Registry GitHub repository: Azure/azure-vmware-solution Cloud Adoption Framework: Introduction to the Azure VMware Solution adoption scenario Network connectivity scenarios: Enterprise-scale network topology and connectivity for Azure VMware Solution Enterprise Scale Landing Zone: Enterprise-scale for Microsoft Azure VMware Solution Enterprise Scale GitHub repository: Azure/Enterprise-Scale-for-AZURE VMWARE SOLUTIONS VMware homepage: VMware to Azure Migration Solutions VMware Ports and Protocols for HCX VMware HCX - VMware Ports and Protocols Author Bios Ricky Perez is a Senior Technical Program Manager in the Azure VMware Solution product group at Microsoft. His background is in solution architecture with experience in public cloud and core infrastructure services. Varun Hariharan is a Senior Product Manager on the Azure VMware Solution team at Microsoft, where he is focusing on observability and workload strategies for customers. His background is in Infrastructure as a Service (IaaS), log management, enterprise software, and DevOps.
Firewall integration in Azure VMware Solution
2020 has been a year like no other. In just a few months' time, businesses have transformed and have accelerated their efforts to migrate to the cloud. Following our announcement of Azure VMware Solution (AVS) last year, we have been helping customers accelerate this move to cloud by providing an easy lift and shift migration. Albeit customers love the same operational experience for VMware workloads and use familiar VMware technologies like vCenter, NSX Manager, HCX etc. in AVS, they also want to leverage security integrations that they have invested in for years. Below are a few common questions that we get from customers around this topic. How can they use the same firewalls/tools that they have been using for years? How do they maintain the same security posture? How can they use the same firewall for both Azure and VMware workloads in AVS? In this blog series, we plan to discuss native security options, 3 rd party firewall integration with AVS along with a deep dive into configuration details. First in the series, this blog would summarize the security options available at your disposal. Let’s start with the built-in security capabilities that you can leverage in AVS. Built-in security/firewall with VMware NSX-T - VMware NSX-T is the default networking stack in AVS and it provides out-of-box security features that you can use to protect your workloads. Following are the capabilities that you can leverage. Distributed Firewall (DFW) -A stateful L3-L7 firewall that powers micro-segmentation and runs on your ESXi hosts in your AVS private cloud. DFW rules are enforced on the vNIC level of a VM workload and what that means is that the traffic is either allowed or dropped on the vNIC level based on the rule you defined. So, there is no more hair-pinning that traffic through a centralized or perimeter firewall. From a feature standpoint, it's rich and allows you to define security rules using network or application constructs. You could group the workloads using static (IPSet/NSX constructs like Segment etc.) or dynamic membership (VM tags, guest OS etc.). Even when you have a perimeter firewall, you should secure your East-West traffic. Gateway Firewall - A L4-L7 aware stateful North-South firewall that can be configured on NSX-T Tier-1 Gateway in AVS. It can also be used as an Inter-tenant or Inter-zone firewall i.e. filtering traffic between different tenants of your organization each with a dedicated Tier-1 Gateway. Azure Firewall - A managed, stateful firewall with built-in HA and SLA of 99.99% (when deployed in two or more availability zones). Customers can configure L3-L7 policies to filter traffic and take advantage of threat intelligence-based filtering to alert and deny traffic from/to known malicious IP addresses and domains. Please refer to the Azure firewall feature set here. If you are already using Azure firewall capabilities deployed in Azure Virtual WAN to protect resources in VNETs, you can connect the same virtual WAN hub over an express route connection to AVS and route internet traffic from AVS to Azure firewall. Let's switch gears and talk about the 3rd party firewall integration with Azure VMware Solution. There is a strong desire from customers to continue using the same firewall in AVS that they have been using in an on-premises datacenter. Based on the use-case, you could deploy a 3rd party firewall NVA in AVS private cloud or SDDC or leverage a firewall from Azure marketplace. Let's double click on both options. 3rd Party firewall deployed as NVA in AVS private cloud or SDDC -Before we discuss this integration, it's important to understand NSX-T deployment in AVS private cloud. When you create a private cloud in AVS, a default NSX-T Tier-0 Gateway configured in Active/Active mode and a default NSX-T Tier-1 Gateway configured in Active/Standby mode is deployed for you. Users can connect segments (logical switches) and provide East-West and North-South connectivity to the workloads connected on these segments. A 3rd party firewall NVA can be connected southbound to the default NSX-T Tier-1 gateway and this firewall can act as a North-South firewall or East-West firewall depending upon your use case. This integration is supported in following topologies. Option 1: Workload segments are directly connected to the firewall and the gateway on workloads is 3 rd party firewall. This topology restricts the users with numerous segments as the vNICs on the NVA becomes a limiting factor. Option 2: Workload segments are connected to an isolated Tier-1 and this Tier-1 gateway provides northbound connectivity to a 3 rd party firewall. This topology solves the problem of limited number of vNICs on NVA as you connect 100s of workload segments to an isolated Tier-1 which connects to the firewall NVA northbound. In this topology, isolated Tier-1s simulate security zones and the firewall can provide East-West filtering between security zones and North-South filtering for all traffic. We will discuss routing and other configuration details for these topologies in next part of this blog series. 3rd Party firewall deployed in Azure VNET – Customers can also deploy a 3 rd party firewall in Azure VNET and route traffic from AVS to this firewall via Azure Virtual WAN hub. To redirect internet traffic from AVS VMs to the firewall NVA, you need to connect AVS to an express route gateway in Azure virtual WAN and propagate a default route. Next, you configure a default route in Azure Virtual WAN hub to direct internet bound traffic to a NVA in spoke VNET. We will go through the configuration details in greater detail in upcoming blogs. Stay tuned! Summary Azure VMware Solution customers have multiple security options available to protect their workloads. Some of these firewalling capabilities can be used out of the box to provide East-West and North-South firewalling. Along with the built-in security capabilities, customers can also leverage the 3 rd party firewalls or next-gen firewalls to provide additional security and maintain the same security posture as they have on-premises. Following are a few resources to learn more about Azure VMware Solution. Learn Azure VMware Solution Networking Try Azure VMware Solution Hands-on-lab
