For IT administrators, two words sure to cause undue stress are “patching cycle.” It’s a necessary process fraught with challenges. Scheduling downtime, coordinating with application owners, and bracing for the unexpected create the kind of headaches that make people want to throw their hands in the air. Historically, securing and updating infrastructure meant taking critical services offline. However, VMware Cloud Foundation (VCF) 9.0 is rewriting this narrative, transforming patching from a risky disruption into a seamless, flexible operation. The core of this evolution is live patching, a feature designed to help organizations be secure faster without pulling the plug on their workloads.
A Smarter Foundation for Updates – Living the Lifecycle
The journey toward less disruptive patching begins with a complete overhaul of the update system. VCF 9.0 retires the old Update Manager in favor of the more robust Lifecycle Manager. This isn’t just a name change; it’s a shift in thinking about updates. Lifecycle Manager provides continuous monitoring of system configurations, alerting you if it detects rogue software components.
VCF 9.0 introduces a clearer versioning scheme and decouples major platform upgrades from critical security fixes. This means you can apply a comprehensive VCF bundle upgrade or deploy a targeted, host-only ESXi patch to address an urgent vulnerability without a full platform update. All patches are inclusive and cumulative, eliminating the headache of managing complex patch chains. Applying the latest version guarantees you have all previous fixes, simplifying one of the most tedious aspects of infrastructure management.
Patching on the Fly – We’ll Do It Live
The real stars in VCF 9.0 are the enhancements to live patching. While introduced in earlier versions, the goal now is for this feature to cover approximately 80% of host patching needs. This means that for the vast majority of updates, you can patch your infrastructure without taking workloads offline. This is a massive win for resilience and trust, especially for organizations running sensitive, 24/7 applications or those dealing with skittish workload administrators who are rightfully hesitant about any disruption. Once they’ve been burned, they won’t trust any live patching system. VCF 9.0 aims to restore that lost trust.
So, how does it work? When a live patch is initiated, the host enters a partial maintenance mode. This stabilizes the machine by preventing new workloads from starting on it or migrating to it, while keeping existing ones running. For repairs to the core virtual machine monitor (VMM), VCF employs a fast suspend-resume. This lightning-fast process, akin to a process-to-process vMotion, completes in milliseconds, effectively swapping out the necessary components without the VM or its users ever noticing.
It’s important to note a key caveat. Live patching is not yet compatible with hosts equipped with DPUs (Data Processing Units) or a host-level TPM (Trusted Platform Module). The ability to replace parts of a running operating system is powerful, and robust authentication is needed to prevent it from being used maliciously. This limitation, however, does not affect virtual TPMs used by guest workloads. When you think about it, it makes a lot of sense. Remember when specialized hardware could prevent a host’s VMs from being vMotioned to another cluster? This is the same kind of restriction, applied to live patching.
All of these new live patching features would be enough on their own, but VMware has updated one additional feature as well. Enhanced vMotion Compatibility (EVC) smooths out differences between CPU generations, enabling vMotion within mixed-CPU clusters, which is a common scenario in real-world data centers. Historically, enabling EVC was cumbersome, requiring an empty cluster if you forgot to enable it at cluster creation (which most of us probably did). Now, it can be turned on dynamically, even on active clusters. This makes it far easier to move workloads around as needed to perform maintenance and patching, ensuring resilience is never compromised.
Bringing It All Together
VCF 9.0’s advancements in patching and lifecycle management are about more than just convenience. They are central to its security-first approach of building inherent trust in the stack. By making security updates faster, easier, and dramatically less disruptive, VMware is giving administrators the tools to maintain a robust and resilient platform without the traditional trade-off of scheduled downtime. It’s like performing critical engine maintenance while the car is still driving down the highway, which is a powerful new reality for modern infrastructure. When you look at the recent spate of attacks that require immediate patching to prevent an outage or incident, upgrading to VCF 9.0 makes all the sense in the world.
The VMware Cloud Foundation 9.0 Showcase: Powering the Modern Private Cloud was presented by VMware in association with Techstrong and Tech Field Day. The videos will be posted to the Tech Field Day YouTube channel and on the website. You can learn more about VMware Cloud Foundation 9.0 on the VMware website.