Free 2V0-13.25 Practice Test Questions 2026

Explanation:

C – The Provider Tenant must use an external VCF Operations orchestrator instance.
The Provider Tenant acts as the platform administrator. To manage tenant‑dedicated Orchestrators without interference, it must run on its own external Orchestrator. The embedded instance is insufficient for multi‑tenant isolation.

E – Each Tenant must use an external VCF Operations orchestrator instance.
To enforce that business units cannot interfere with each other’s operations, every tenant requires a completely separate, dedicated Orchestrator. An external instance per tenant provides full workload and failure isolation.

Why the other options are incorrect

A (each tenant uses embedded Orchestrator)
– Embedded instances are shared resources; they cannot provide the required operational separation between tenants.

B (Provider Tenant uses embedded Orchestrator)
– A shared embedded instance would not isolate the Provider’s management workflows from other tenants, violating the core requirement.

D (all tenants share a single Orchestrator)
– This creates a shared environment where one tenant’s activity (e.g., heavy automation load) directly impacts others, breaking non‑interference.

References

Mware VCF 9.0 Architecture Documentation – VCF Automation Deployment Models, "Orchestrator" section – States that for multi‑tenancy with strict isolation, each tenant must have its own external Orchestrator instance, and the Provider Tenant also requires a dedicated external instance.

Broadcom TechDocs– "Understanding VCF Automation All Apps Organization Multi‑Tenancy Model" – Confirms that tenant isolation is achieved by assigning separate Orchestrator instances per tenant, preventing cross‑tenant operational impact.

Explanation:

Why Option A is Correct A single VCF instance using dedicated Workload Domains per tenant directly satisfies all three requirements:

Minimize provider infrastructure lifecycle tasks – One instance means centralized patching, upgrades, and certificate management. Multiple instances would multiply every lifecycle operation.

Minimize infrastructure management overhead – Single SDDC Manager console for fleet management, licensing, identity, and monitoring reduces operational complexity.

Isolated compute infrastructure per tenant – Dedicated Workload Domains provide strict compute isolation. Each domain has its own vCenter and lifecycle boundary, preventing cross-tenant interference.

VCF 9.0 supports up to 15 domains per instance (1 management + 14 additional), making this model scalable.

Why Other Options Are Incorrect

B. Consolidated VCF per tenant
Requires separate VCF instances per tenant → multiplies lifecycle tasks and management overhead, violating both minimization requirements.

C. Dedicated VCF instances (Standard Architecture)
Same as B; maximizes operational burden instead of minimizing it.

D. Shared Workload Domain
Violates isolated compute requirement. Tenants share physical hosts, risking resource contention and interference.

References

Broadcom TechDocs – VCF Automation 9.0 Multi-Tenancy Model – Documents workload domain isolation for tenant compute separation.

VCF 9.0 Architecture Guide – Defines domains as lifecycle and isolation boundaries.

Explanation:

In a VMware Cloud Foundation (VCF) environment, selecting the right availability design depends on balancing the Recovery Point Objective (RPO) and Recovery Time Objective (RTO). For a business-critical database requiring an RPO of 5 minutes and an RTO of 30 minutes, a vSAN stretched cluster is the optimal design.

Why other options are incorrect:

Option A: A backup job scheduled every 30 minutes provides an RPO of 30 minutes. If a failure occurs 29 minutes after the last backup, the data loss exceeds the 5-minute limit requested by the application owners.

Option B: Asynchronous replication with 30-minute snapshots also results in a 30-minute RPO. While asynchronous replication can be configured for lower RPOs, the specific interval mentioned here violates the application requirements.

Option D: While array-level synchronous replication can provide a zero RPO, the requirement explicitly states that all workload domains will use vSAN. Introducing storage-array-level replication would require external storage hardware, contradicting the design constraint to use vSAN.

References

VMware Cloud Foundation 9.0 Design Guide: Multi-Availability Zone (Multi-AZ) VCF Design and vSAN Stretched Cluster configurations.

VMware vSAN Design Guide: Synchronous Replication and Stretched Cluster Site-to-Site Latency Requirements.

Explanation:

Why Option A is Correct
Recovery Time Objective (RTO) is a standard disaster recovery metric that defines the target maximum time allowed to restore a system or service to a usable state after a failure or disruption. In this customer scenario, an RTO of 8 hours for infrastructure components means the customer expects that any failed infrastructure component must be fully operational again within 8 hours of the incident.

Why Other Options Are Incorrect

B. The maximum amount of data loss considered acceptable
This describes Recovery Point Objective (RPO) , not RTO. The customer already specified RPO = 2 hours for business-critical workloads, which is a separate metric.

C. The minimum volume of data loss tolerated
This is also describing RPO but incorrectly phrased. RTO has nothing to do with data loss amounts.

D. The minimum acceptable duration to recover
Incorrect because RTO is a maximum allowable downtime, not a minimum. The goal is to recover within or under the RTO, not to take longer.

References

VMware Cloud Foundation 9.0 Design Guide– Availability and Resiliency – Defines RTO as the target maximum time to restore services after failure

VMware Site Recovery Manager Documentation – Standard industry definitions: RTO = time, RPO = data loss

Explanation:

Why Option B is Correct
Using multiple Workload Domains with independent scaling directly addresses the company's scalability and flexibility requirements. This aligns with the Standard Architecture model, which VMware recommends as the best practice for production environments .

Why Other Options Are Incorrect

A. Single workload domain for all departments
Creates a shared environment where all departments compete for the same resources. A single domain cannot scale flexibly because each department's growth impacts others. This violates the requirement for accommodating future demand across independent departments.

C. Single workload domain relying on storage/network scaling
Ignores compute isolation and independent lifecycle management. Storage and network scaling alone cannot provide the workload separation needed for multiple departments. All departments would share the same vCenter and SSO domain .

D. Multiple workload domains combined into a single vSphere cluster
This is contradictory and invalid. Workload domains are logical groupings of vSphere clusters—"a workload domain can have one or more vSphere clusters" . Combining multiple domains into a single cluster defeats the purpose of domain isolation and independent scaling.

References

Broadcom TechDocs – Standard Architecture Model - Recommends separate management and VI workload domains for scalability

Broadcom TechDocs– Workload Domain Models - Documents independent lifecycle management and scaling of workload domains

Explanation:

To meet military-grade compliance standards (such as DISA STIG or NIST), a VMware Cloud Foundation (VCF) environment must adhere to strict security hardening and identity assurance protocols.

Option D (UserVars.SuppressShellWarning = 0):
This is a critical hardening step. When the ESXi Shell or SSH is enabled, a warning is normally suppressed if this value is set to 1. Setting it to 0 ensures that the system triggers a visible warning in the vSphere Client whenever these potentially insecure access methods are active. Military compliance requires high visibility into administrative access to prevent unauthorized or forgotten backdoors into the hypervisor.

Option E (CA-Signed Certificates):
Using a trusted, internal Root Certificate Authority (CA) (e.g., RootCA.Military.Domain.Com) ensures that all management traffic is encrypted using validated, organization-approved credentials. Military standards strictly forbid the use of default self-signed certificates, as they are susceptible to Man-in-the-Middle (MITM) attacks and do not provide a verifiable chain of trust.

Why other options are incorrect:

Option A:
Configuring vSAN failure tolerance is a resiliency and availability decision, not a security hardening decision. It does not affect compliance with security frameworks like STIGs.

Option B:
While certificate renewal is a operational necessity, it is a lifecycle management task rather than a physical design decision that establishes the "hardening level" of the domain itself.

Option C:
Configuring NTP is a functional requirement for cluster synchronization. While using internal sources is good practice, it is a standard infrastructure requirement rather than a specific "security hardening" measure used to meet military-grade compliance.

References

VMware Cloud Foundation 9.0 Security Guide: Sections on "Hardening the Management and Workload Domains" and "Certificate Management Best Practices."

VMware vSphere Security Configuration Guide (STIG):Guidance on UserVars.SuppressShellWarning and SSH timeout settings.

Explanation:

Option B – Deploy a vSAN ESA cluster with a minimum of 6 nodes.
vSAN Express Storage Architecture (ESA) is the default and recommended architecture for VCF 9.0, optimized for all-NVMe storage to deliver the lowest possible latency. A minimum of 6 nodes is required to support 4+1 RAID-5 erasure coding, which provides a balance of performance and capacity efficiency.

Option D – Configure vSAN Policies (RAID-5/6) for all non-critical workloads.
RAID-5 and RAID-6 use erasure coding, which is space-efficient with approximately 125% overhead compared to 200% for RAID-1. This meets the requirement for "most efficient capacity utilization" for non-critical workloads.

Option F – Configure vSAN Policies (RAID-1) for all critical transactional database workloads.
RAID-1 (mirroring) requires fewer I/O operations per write than erasure coding, delivering the lowest latency and highest performance. This is essential for financial trading systems and core banking databases where microseconds matter.

Why Other Options Are Incorrect

Option A – Configure RAID-5 for all critical workloads.
RAID-5 has higher I/O overhead than RAID-1 because it must read, calculate parity, and write across multiple devices. This adds latency that is unacceptable for high-frequency trading systems.

Option C – Deploy a vSAN OSA All-NVMe cluster with 4 nodes.
OSA (Original Storage Architecture) is the legacy architecture. VCF 9.0 recommends ESA for new deployments. Additionally, 4 nodes are insufficient for ESA's 4+1 RAID-5 scheme, which requires 6 nodes.

Option E – Configure RAID-1 for all workloads.
While RAID-1 delivers performance, it uses 200% storage overhead. Applying this to non-critical workloads wastes capacity and violates the "most efficient capacity utilization" requirement.

References

Broadcom TechDocs – vSAN ESA Deployment Requirements – Minimum 6 nodes for 4+1 erasure coding

Broadcom TechDocs – vSAN Storage Policies – RAID-1 for performance, RAID-5/6 for capacity efficiency

Explanation:

Option B – Deploy the Managed Telegraf Agent for all workloads that subscribe to the OS Managed service.
The OS Managed service requires operating system metrics such as CPU, memory, disk, and network utilization. The Managed Telegraf Agent collects these metrics from both Windows and Linux platforms automatically. Using the Managed Telegraf Agent ensures centralized agent lifecycle management and minimal operational overhead.

Option C – Deploy the Managed Telegraf Agent for all workloads that subscribe to the Fully Managed service.
The Fully Managed service requires application-level monitoring for all approved infrastructure applications. The Managed Telegraf Agent includes built-in plugins that automatically discover and collect metrics from these supported applications. This eliminates manual agent configuration and reduces management overhead.

By deploying the Managed Telegraf Agent for both OS Managed and Fully Managed services, the architect achieves a standardized, supported agent strategy across two monitoring levels with minimal operational effort.

Why Other Options are Incorrect

Option A – Configure Service Discovery for Self-Managed service.
Service Discovery detects applications running on machines where Telegraf agents are deployed. Self-Managed service requires no agent and no application monitoring, making Service Discovery unnecessary and irrelevant.

Option D – Deploy Managed Telegraf Agent for Self-Managed service.
Self-Managed workloads require monitoring only at the VM construct level. VCF Operations collects these metrics directly from vCenter without any agent. Deploying an agent adds unneeded management overhead.

Option E – Deploy Open Source Telegraf Agent for Fully Managed service.
VMware explicitly states that after initial configuration, "no further support is offered" for Open Source Telegraf. Any issues must be addressed through the open source community. This increases operational overhead and violates the "minimal management overhead" requirement.

References

ExamTopics 2V0-13.25 Discussion – Verified community answers B and C

Broadcom TechDocs – Managed Telegraf Agent – Supported agent for OS and application monitoring

Broadcom TechDocs – Open Source Telegraf Support – No VMware support after initial configuration

Explanation:

Option D – Create a cluster with six hosts.
N+1 availability means the cluster must tolerate one full host failure while still running all five resource-intensive VMs. With six hosts, one host can fail and the remaining five hosts provide exactly enough capacity. Five hosts cannot meet N+1 because after one failure, only four hosts remain to run five VMs.

Option A – Use automated placement rules to keep the mission-critical application virtual machines apart.
Five resource-intensive VMs should be distributed across different hosts using DRS anti-affinity rules. This prevents any single host from becoming a performance bottleneck. It also protects availability – if one host fails, only one VM is affected instead of multiple VMs.

Why Other Options are Incorrect

Option B – Use resource pools to prioritize resources.
Resource pools manage allocation but do not provide N+1 availability. Prioritization cannot create physical capacity after a host failure.

Option C – Use placement rules to keep VMs together.
Keeping five resource-intensive VMs together creates performance contention and increases risk – one host failure would impact multiple mission-critical VMs simultaneously.

Option E – Create a cluster with five hosts.
Five hosts cannot meet N+1 for five VMs. After one host fails, only four hosts remain to run all five VMs, causing immediate oversubscription.

References
ExamTopics 2V0-13.24 – Verified answers for N+1 cluster sizing

Josh Odgers VCDX – N+1 Availability Design – vSAN cluster sizing requires enough capacity to tolerate largest node failure

Explanation:

Option A – Use the external VCF Identity Broker model.
The external (appliance) model deploys a three-node cluster of VCF Identity Broker (VIDB) appliances, with each node running on separate vSphere hosts . This provides built-in high availability, directly meeting the customer's requirement to avoid single points of failure. The embedded model (Option D) is integrated with a single vCenter Server and does not offer the same level of resilience .

Option C – Deploy a dedicated VCF Identity Broker for each VCF instance within a VCF Fleet.
A dedicated VIDB per instance creates the smallest possible login blast radius . An outage or operational task affecting one VIDB only impacts the single VCF instance it serves, not the other instances in the fleet. This directly satisfies the customer's requirement to minimize the risk of an administrator's task impacting multiple components. The dedicated model limits SSO scope to that instance, meaning users re-authenticate when moving across instances, but this trade-off is acceptable given the blast radius requirement .

Why Other Options are Incorrect

Option B – Deploy a shared VCF Identity Broker for all VCF Instances across all VCF Fleets.
This creates the largest possible blast radius . A single operational task or outage affecting the shared VIDB would impact authentication for all instances across both DC1 and DC2 datacenters, violating the requirement to minimize impact scope.

Option D – Use the embedded VCF Identity Broker model.
The embedded model lacks high availability as it is tied to a single vCenter Server . If that vCenter experiences issues, authentication services are disrupted. This fails the customer's requirement to avoid single points of failure.

Option E – Deploy a dedicated VCF Identity Broker for each VCF instance (paired with embedded model).
While dedicated per instance is correct for blast radius, this answer is incomplete because it does not specify the external/appliance model. The external model is required to achieve high availability. Additionally, the embedded model cannot be used with a dedicated VIDB per instance in a way that meets both requirements simultaneously.

References

Broadcom TechDocs – Appliance VCF Identity Broker Model – External 3-node cluster provides HA, recommended for multi-instance environments

Broadcom TechDocs – Single VCF Instance Single Sign-On Model – Dedicated VIDB per instance creates small blast radius

Explanation:

In solution architecture documentation, statements are classified into distinct categories based on their nature and binding commitment.

Option C – A Requirement.

A requirement is a documented need or expectation that the solution must satisfy. The statement "All Virtual Machines must be encrypted" directly meets the definition of a requirement because:
It is a mandatory condition imposed by the stakeholder
The solution must implement VM encryption to be acceptable
It is specific, measurable, and actionable
Non-compliance would constitute a failed design

This statement is not open to negotiation or interpretation. The architect must design VM encryption into every workload domain and virtual machine within the VCF environment.

Why Other Options are Incorrect

Option A – A Risk.
A risk is an uncertain event that may negatively impact the project if it occurs. Encryption is a stated mandate, not an uncertainty. For example, "VM encryption may cause performance overhead" would be a risk. The original statement is a firm requirement.

Option B – A Constraint.
A constraint is a fixed limitation or boundary imposed on the solution, such as budget caps, regulatory mandates, or technology restrictions (e.g., "Must use existing hardware" or "Only FIPS 140-3 validated encryption is allowed"). While encryption could be considered a constraint, the statement is expressed as an action or capability expected from the solution ("must be encrypted"), which aligns more closely with a functional requirement. However, in strict classification, a requirement and a constraint can overlap. VMware exam context treats direct "must be" statements from stakeholders as requirements unless they limit design choices to a specific fixed element.

Option D – An Assumption.
An assumption is something believed to be true without proof, such as "The customer will supply encryption keys" or "Hardware supports AES-NI instructions." The statement given is a stated expectation, not an unverified belief.

References

VMware Solution Architecture Framework – Requirements Classification – Differentiates requirements, constraints, risks, and assumptions in design workshops

TOGAF Architecture Content Framework – Requirements are stakeholder needs that the architecture must meet

Explanation:

In VMware vSphere Kubernetes Service (VKS), pods use different storage types for different purposes. Non-persistent data—data that does not need to survive pod restarts or redeployments—is stored in ephemeral storage.

Why ephemeral storage is correct:
Ephemeral storage is tied to the pod's lifecycle. When a pod is created, the container runtime allocates temporary storage for logs, scratch space, cached files, and other transient data. This storage disappears when the pod terminates. By default, VKS nodes include 20 GiB of ephemeral storage available at the root filesystem (/) .

Kubernetes follows the principle that containers are ephemeral by default—when a pod restarts, its local filesystem is removed . Ephemeral storage aligns with this stateless design pattern.

Why other options are incorrect

Option A – Container image storage:
This stores the read-only container images (layers) used to launch pods, not the runtime data generated by running containers. Image storage is separate from pod-local storage.

Option B – vSphere local storage:
This refers to datastores backed by local disks on ESXi hosts. While VKS can use vSphere storage for persistent volumes (stateful data), non-persistent pod data does not use vSAN or VMFS datastores—it uses the node's root disk.

Option C – Object storage:
Object storage (like S3-compatible storage) is used for blobs, backups, or persistent application data accessed via APIs. It is not the default location for a pod's temporary runtime files.

References
Broadcom Knowledge Base – Increase Ephemeral Storage on VKS Node – Documents default 20 GiB ephemeral storage and its behavior

Portworx – Chapter 5: Storage: From vSAN to Container-Native Storage – Explains ephemeral storage lifecycle and persistent vs. non-persistent data in Kubernetes