Updated on: 30 August 2020

VMware vRealize Automation Cloud | 19 September 2019

You can find information about these new features and more at VMware vRealize Automation Cloud and in the signpost and tooltip help in the user interface. Even more information is available when you open the in-product support panel, where you can read and search for related topics and view the community posts and KBs that appear for the active user interface page.


vRealize Automation Blueprint name change to VMware Cloud Templates

  • Blueprints are renamed to VMware Cloud Templates. Learn more.
  • You might still see the term Blueprint in the official documentation, API, error messages, and other areas of code. 

Terraform Configuration as a VMware Cloud Templates Resource in vRealize Automation Cloud

Terraform open source configurations are now integrally supported by VMware Cloud Templates. Cloud Administrators can integrate Terraform configurations stored in Git and release as self-service catalog items. Select capabilities include the following. Learn more

  • Create Cloud Templates with Terraform configurations
  • Compose hybrid Terraform-VMware Cloud Templates
  • Enable built-in power Day 2 actions and custom day 2 actions on Terraform resources
  • Central deployment state file
  • Managed Terraform runtime in cloud
  • Code Stream pipeline to deploy Terraform based Cloud Templates for DevOps users

Multi-tenancy: Centralized Management of Tenant Infrastructure 

The capability for a provider to allocate provider-managed infrastructure to their tenants. Learn more.

  • Provider administrator creates a bundle of isolated IaaS resources (Compute, Network, Storage, Image, and Flavor) called the Virtual Private Zone (VPZ).
  • Provider administrator shares the VPZ with a tenant.
  • Tenant administrator, in turn, shares the VPZ with a project within the tenant org.
  • Tenant project members can provision a machine into the VPZ.
  • Project members view the deployment and see an "obfuscated" view of the underlying infrastructure (only the VPZ name).
  • Tenant A resources are not visible to Tenant B, even when underlying infrastructure is shared.

Custom Role Based Access Control (RBAC) 

  • vRealize Automation Cloud introduces custom role-based access, which enables customers to closely align the roles they assign to consumers and providers with the actual roles they hold within their organizations. It helps configure sufficiently restrictive roles, based on the actual tasks (permissions) users are eligible for and the resources they are eligible for, without overloading roles with unnecessary tasks or conflicting with organizational security.

    Base concepts:

    • Org admins are able to define custom roles within the organization.
    • Each custom role can be assigned to an organization user or group.
    • The new custom roles model integrates with out-of-the-box roles, and works in collaboration with access control and policy within the organization.

    Available configurable permissions:

    • Custom Roles for Images, Flavors, Zones, Machines and Requests, Cloud Accounts, Cloud Zones and Projects
    • Custom Roles for Manage and View Onboarding Plans
    • Custom Roles for Extensibility use cases:
      • Manage and View
        • Subscriptions
        • Actions
        • Action Runs
      • Viewer permissions for:
        • Events
        • Event Topics
        • Workflows
        • Workflow Runs
    • Custom Roles to Manage and View Cloud Templates
    • Custom Roles to Manage and View Custom day2 for built-in & custom resources
    • Custom Roles for Pipeline Modeling, Execution, Configuration
    • Custom Roles for Policy Permissions
    • Custom Roles to manage permissions for approvals

XaaS Custom Resource and Custom Action Enhancements

  • Custom Resources Schema Dynamic data support. vRealize Automation Cloud now includes automatic validation for the workflows added as lifecycle actions to your custom action. This feature also includes improvements to the external type property and custom resource property schema. Learn more.
  • Custom Day 2 actions bindings. vRealize Automation Cloud supports three types of action bindings: in request, with binding action, and direct binding. Learn more.

Support 1:N Association Between NSX-T Manager and vCenter

  • Support for 1 NSX-T manager connected to multiple vCenters. Learn more.

NSX-T Policy Mode Support 

  • Enable the creation of a new NSX-T endpoint in Policy mode. Learn more.

  • Policy mode support for Networks (Day 0, Day 2), Load Balancers (Day 0), Security Groups (Day 0), Tagging (Day 0), VM Scale In/Out (Day 2), and Port Forwarding (Day 0, Day 2)

NSX Load Balancer Configurations - Logging Level, Algorithm, Type, NIC, and VIP 

  • Support for NSX Load Balancer advanced configurations, including Logging level, Algorithm, and Type (Day 0, Day 2). Learn more.

  • Support for NSX Load Balancer configuration options for NIC for all network types, including private, outbound and routed networks. (vRealize Automation Cloud 07.20 release supported this feature for existing and public networks). Load Balancer can now be connected to a specific machine NIC, rather than always using the first NIC in the machine by default. Learn more.

  • Ability to specify the IPv4 VIP (Virtual IP) in the Cloud Templates; this would allow Load Balancer to have a specific IP, instead of an IP from a static IP range.

Port Forwarding 

  • Port Forwarding (DNAT rules) support for NSX outbound networks. vRealize Automation now exposes a new Cloud.NSX.Gateway Cloud Templates resource type that will allow the DNAT rules to be specified for the gateway/router connected to the outbound network. Learn more.
  • Day 2 actions support for adding new NAT port forwarding rules, reordering rules, editing existing rules, and deleting rules.

Networking Day 2 – Reconfigure Security Groups

  • Support for Day 2 actions for security groups

    • Change security groups - add a new or existing security group, remove associated security groups, and modify associated security groups. Security groups should be part of the deployment for the day2 actions. The day2 actions are supported for a single machine only, not for a multi-machine cluster.

    • Delete security group - remove security group from deployment. If the security group is on-demand, then it is destroyed.

vSphere 7 Supervisor Namespace as a Cloud Templates Resource

  • Cloud Templates author can define supervisor namespace resource limits on the Cloud Templates resource. This allows the admin to restrict user resource consumption

ITSM Plug-in 8.1.1 

Custom Forms

  • Support for Custom Forms that have Text Area, Text Field, Text, Password, Decimal, Integer, Drop Down, Checkbox, Date Time, and Radio Group fields

vRealize Automation Catalogs in Native ServiceNow Catalog

  • vRealize Automation Catalogs items are now available in native ServiceNow catalog for Deployment

vRealize Automation Scaling

  • Up to 250 resources per deployment and 400,000 virtual machines.
  • If you anticipate deployments to have more than 100 resources, upgrade to the new API version 2020-08-25.

New Version of the vRealize Automation REST API

As of August 25, 2020, a new version of the vRealize Automation REST APIs is available with all vRealize Automation releases. The new version increases resource support to 300 resources per deployment and provides performance improvements. If you are an API user and have not locked your API to a version before, you might encounter a change in an API response. As a best practice, you should lock your API to the latest version which is apiVersion=2020-08-25. In this way, you ensure that your API responses do not change unexpectedly with an API update. If left unlocked, your API requests will default to the latest version.


Extensibility Subscriptions

  • Support for up to 50 blocking and 50 non-blocking subscriptions per event topic. Learn more

First Class Disk IaaS APIs – additional actions

  • New IaaS API support for First Class Disk (FCD) snapshot management (Create, Delete, List, and Restore). Learn more.
  • New IaaS API to convert an existing disk to an FCD. Learn more.

ITSM Plugin 

  • New ITSM plugin (version 8.1) for vRealize Automation Cloud is now available on ServiceNow store.
  • Orlando Support – The plugin supports Orlando, which is the latest ServiceNow version. It also supports the previous ServiceNow versions Madrid and New York.
  • Multi-level Approval – The ServiceNow administrator can configure multi-level approval for ServiceNow Catalog requests. 
  • Email Notifications – The ServiceNow administrator can configure email notifications for various activities like Deployment Requests, Approval Requests, Day 2 Requests, and Endpoint and Entitlement configurations.
  • Auto Create tickets for failed deployments – A support ticket is created and assigned to support groups in ServiceNow whenever a deployment request fails in vRealize Automation or a day-2 action fails.

Shared Infrastructure Multi-Tenancy for Cloud Provider Hub Organizations 

Set up and manage Virtual Private Zones and share IaaS resources across projects while maintaining tenant isolation. For managed service providers, shared infrastructure multi-tenancy ensures optimal resource allocation and control. Currently this is only supported for provider organizations in a Multi-Tenancy configuration through VMware Cloud Provider Hub.

  • The Provider Administrator can create a Virtual Private Zone which is a bundle of isolated IaaS resources (Compute, Network, Storage, Image, and Flavor). All CRUD operations are supported.
  • The Provider Administrator can add the newly created Virtual Private Zone to a project. You can add multiple Virtual Private Zones to a single project.
  • Project members can provision machines into the added Virtual Private Zone.

This is a key step towards “Shared Infrastructure Multi-Tenancy” in a multi-tenant vRealize Automation Cloud environment. In a multi-tenant vRealize Automation Cloud environment, the provider will be able to allocate Virtual Private Zones for provisioning from the Tenant side.

NSX Enhancements 

  • NSX Cloud specific Load balancer exposes advanced configuration options and can now be connected to a specific machine NIC, rather than always using the first NIC in the machine itself by default. Learn more.

Custom Role Based Access Control (RBAC) 

vRA Cloud introduces custom role-based access, which enables customers to closely align the roles they assign to consumers and providers with the actual roles they hold within their organizations. It helps configure sufficiently restrictive roles, based on the actual tasks (permissions) users are eligible for and their eligible resources, without overloading roles with unnecessary tasks or conflicting with organizational security.

Base concept:

  • Organization administrators are able to define custom roles within the organization.
  • Each custom role can be assigned to an organization user or group.
  • The new custom roles model natively integrates with out-of-the-box roles and works in collaboration with access control and policy within the organization.

Available configurable permissions:

  • Custom Roles for Images, Flavors, Zones, Machines, and Requests
  • Custom Roles to Manage and View Custom day2 for built-in & custom resources
  • Custom Roles for Pipeline Modeling, Execution, and Configuration
  • Custom Roles for Policy Permissions
  • Custom Roles to manage permissions for approvals
  • More information about custom roles and examples of how they work with the other roles

vSphere Supervisor Namespace Support

  • Ability for a catalog user to request vSphere supervisor namespaces from the vRealize Automation Cloud catalog, powered by an underlying VMware Blueprint.

vRealize Orchestrator Integration

  • VMware Cloud (VMC) on AWS is currently not supported as authentication provider for vRealize Orchestrator. 



Approval For Onboarded Deployments And Cloud Assembly

  • Support approval flow for pre-provision and day 2 actions for cloud assembly blueprint deployments
  • Support approval flow for day 2 actions on imported deployments
  • More information about approval policies


  • Create, delete, list, attach and detach First Class Disks (FCD)

IaaS API Filter Resources Within Particular Region In Cloud Accounts

  • Resources in Cloud Assembly IaaS API can be found by the region that they belong to using Data filter. The region can be uniquely identified by the externalRegionId and the corresponding cloudAccountId

Integration With vROPS Cloud

  • Support for workload placement, cost and pricing, and health metrics via vRA Cloud. Learn more

New vRA Cloud Service Regions

  • Singapore AWS ap-southeast-1 since 05/28
  • Frankfurt AWS eu-central-1 since 06/01


Approval Policy

  • Approvals now apply to all catalog items beyond Cloud Assembly blueprints (including CFTs, vRO workflows, ABX actions, OVAs, etc.).
  • You can now trigger approval policies based on the attributes of underlying resources filtered by: cloud account, cloud type, flavor, image, region or resource type. Learn more

API for Updating Cloud Account Password

  • Update cloud account password for vSphere and NSX using IaaS API.

Custom Day 2 Actions

  • Custom day 2 operations for custom resources and vRealize Automation built-in types. Learn more

Custom Resources

  • Support for custom resources based on vRO types. Learn more

Deployment History

  • View and filter deleted deployment history for up to 90 days after deletion. Learn more

Day 2 Networking

  • Update deployment constraints on the vSphere machine NIC to move it from one existing network to another existing network in the same network profile.
  • Machine can be moved from static to static network, or dynamic to dynamic network.
  • The previous network is deleted from the deployment. Learn more.

Share ABX Across Projects

  • Ability to share a single action based extensibility across multiple projects. Learn more


Active Directory

  • Apply AD policies to select cloud zones in a project based on tags.
  • Specify a set of optional tags when creating an AD policy.
  • Expose or indicate health for the AD integration end point and the health of the underlying ABX integration in use.

Compute Limits

  • Limit how much CPU and memory resource can be consumed by deployments of a project.

NSX-V: On-demand security Group

  • Enable native support for NSX-V on-demand security groups in blueprint design canvas. Learn more

Pipeline as Catalog Item

  • Support pipeline workflow as a catalog item.

Powershell Support Beta

  • Powershell support on-prem for ABX (wrappers, image, callback, proxy, code editor, log enhancement, dependencies, code completion, flow support, troubleshooting).

Policy Enhancement

  • UX improvements on filter and criteria.

RBAC Enhancement

  • View only role for project and org.

Storage Limit For vSphere

  • Limit storage capacity of a cloud zone that deployments of a particular project can consume.
  • For vSphere templates based provisioning, before day 2 actions.

Security Group

  • Enhancement to graphical representations and bindings of compute networking interface cards to Security Group constructs in blueprint design canvas.

Tagging API

  • Create and manage tags on resource pools, clusters and computes via IaaS API.


OVA As A Catalog Item

  • Bitnami based open virtual appliances (OVA) files from the marketplace can be shared in the catalog for specific projects.
  • Users can then request and provision an OVA catalog item.
  • While a deployment is being created it can be managed like any other deployment (e.g. policy, day2).

Ansible Tower Integration

  • Out of the box support for Ansible Tower and open source version of Tower in Cloud Assembly. Learn more

Persistent Disk API

  • Ability to ensure disks are not deleted on deployment/VM delete. Learn more
  • Ability to create a disk independent of a VM.

Service Broker Admin To Manage K8s Zones

  • Service Broker admin can create and manage project configurations for Kubernetes zones.

Approvals For Deployment Requests

  • User-based approvals for initial catalog item requests and day 2 actions.
  • Triggering (multiple) approvals based on deployment criteria.
  • Auto-approve or reject when there is no response within specified time period.
  • Ability to add reason for approval decision.
  • Ability to specify whether one (any) or multiple (all) approvers are required.
  • Approval through URL in email.
  • Ability to track approval process for requesters/approvers.
  • Email notifications for approvals.
  • Learn more about approval policies

Bulk Deployments

Networking Day 2 Actions

Networking Extensibility Events 

  • Subscribe to new independent extensibility events for networks, load-balancers, and security groups for custom deployments enhancements by applying ABX actions and vRO workflows.

Custom Forms


Cloud Assembly IaaS API

  • Users can enumerate all private images for enabled regions of specified account through the vRealize Automation Cloud IaaS API. The account here can be of type: AWS, Azure, GCP, VMC, vSphere
  • Users can create a new VMC Cloud account through the vRealize Automation Cloud IaaS API.
  • Users can get the resources for specified zone through the vRealize Automation Cloud IaaS API. The returned list of computes has the following properties:

               name             : Compute name
               id               : The id of this resource instance
               tags             : A set of tag keys and optional values that were set on this resource instance
               type             : Type of the compute instance
               externalRegionId : The external region id of the compute
               externalZoneId   : The external zone id of the compute
               externalId       : External entity id on the provider side
               orgId            : The id of the organization that this entity belongs to
               createdAt        : Date when the entity was created
               updatedAt        : Date when the entity was last updated

For more details, refer to vRealize Automation Cloud IaaS API Swagger documentation:


  • On-demand Security Groups
    Create on-demand NSX security groups directly on the blueprint design canvas. Display all security groups under the new Security tab. More about security resources.
  • Graphical Input Editor in Blueprinting Canvas
    Configure your topology inputs by using a graphical editor on the design canvas in Cloud Assembly. Choose how you prefer to interact with your blueprints with the yaml script editor and the graphical editor.
  • Blueprint API schema validation
    Blueprint APIs are being updated to perform schema validation for level 2 objects. For example, Ansible playbooks must be an array of strings and not a string.
  • Cloud Assembly IaaS API deployed resources are visible in UI
    When provisioning a resource by using the Cloud Assembly IaaS API, the resources are visible in the UI on the Deployments tab.


  • Graphical Property Editor in Blueprinting Canvas 
    The Blueprint editor now includes a GUI for objects properties. The GUI reflects what is present on the canvas and in the code view in real time and can be used to add properties or edit existing properties. The GUI includes helpful and relevant signposts to all displayed fields.
  • Policy Deployment Criteria
    A policy in Service Broker can now be further refined when the policy is applied within the selected scope. The policy criteria is a logical expression. The expression is evaluated against deployments. More about configuring the deployment criteria.

  • IPv6 Support for vSphere Machines
    Cloud Assembly supports pure IPv4 or dual stack IPv4 and IPv6 for vSphere cloud accounts and their endpoints. More about IPv6 and IPv4.


  • Network Automation - Security Groups in Blueprints
    Assign existing NSX security groups directly on the blueprint design canvas. All security groups are listed on the new "Security" tab. Existing security groups can be applied per vNIC of a virtual machine in a deployment. More about security groups.
  • Action Based Extensibility (ABX) for On-Premises (Beta)
    Introducing Action Based Extensibility (ABX) serverless capabilities on-premises. Tie actions to lifecycle events with subscriptions. Create inputs in blueprints and define package dependencies and requirements. Establish and release versions for actions. Create workflow chains of actions across clouds and establish failure actions. Python 3 and NodeJS languages supported. The actions will run on a local ABX appliance (with a dedicated cloud extensibility proxy). More about action-based extensibility (ABX) for on-premises integration.
  • Active Directory Integration in Cloud Assembly (Beta)
    Out-of-the-box integration with Active Directory is now supported. With this integration, users can manage the placement of machines within the Active Directory structure easily through configurations at the project level. 
  • Set Icons on Catalog Items
    Catalog items in Service Broker have a default icon when created.  You can now change the icon to whatever you choose as more relevant to your catalog entry.
  • Enable Custom Forms import / export in the custom Form Designer
    A custom form can be exported and imported as a JSON file or as a YAML file. 
  • New Action Editor design page
    The ABX Actions page on the Extensibility tab has been updated to improve the user experience. More about extensibility actions.
  • Kubernetes Cluster and Namespace Management (Beta) 
    The following capabilities were added for Kubernetes support. More about Kubernetes.
    • Connect to PKS endpoint and share the PKS plans across projects
    • Self-service request for creating a cluster
    • Admin provided shared cluster for the project
    • Discover and add existing PKS clusters on the endpoint
    • Onboard an external native Kubernetes cluster (EKS, GKE etc.)
    • Policy based placement of namespaces
    • RBAC for Kubernetes namespaces
    • Ability to request namespaces from catalog
    • Ability to manage and share namespaces on Kubernetes clusters
  • Network Automation - Tagging Networking Objects
    Enable the provisioning and management of network resources, including network load balancers and Virtual Machine NICs, that can be consumed in projects and blueprints by leveraging tags. The tags can be propagated to the endpoints for NSX-T, NSX-V,  vSphere, AWS, and Azure. More about tags.

  • Cloud Agnostic Load Balancer - Day 2 reconfiguration
    You can now reconfigure a deployed load balancer (ports, networks, and member pool) for load balancers on NSX-T, NSX-V, AWS and Azure. More about reconfiguring a load balancer.

  • Ability to set IP mode (DHCP, Static & Mixed)
    You can now define your preferred IP mode as DHCP, static, or mixed for private, outbound and routed networks. More about IP mode.

  • Access Control for Day 2 Actions
    Control who can access and edit Day 2 actions for existing workloads through the Service Broker policy engine. More about Day 2 actions.
  • Service Broker Catalog content refresh
    A scheduled refresh of templates imported into the Service Broker catalog is now set to occur every 6 hours. 
  • New Extensibility event topics
    Additional event topics for Blueprints, Kubernetes, and Disk events have been added.


  • Custom Naming (Beta)
    Define the naming nomenclature of your VMs with custom machine naming on a project level. By defining these name templates on a project level, all machines deployed by users within the project are automatically assigned a name based on the template. More about custom naming.
  • Blueprint validation
    A test option is now available within the blueprint design. The test capability provides the ability to auto suggest flavors and constraints based on the project of the blueprint and also provide the ability to simulate the flow and show placement errors before starting the actual provisioning.
  • Infoblox IPAM Integration (Beta)
    Cloud Assembly now includes integration with Infoblox as a provider-specific IPAM solution within your environment. Once the IPAM integration configuration is complete, you can use Infoblox to provision IP addresses using existing Infoblox networks. More about configuring for Infoblox IPAM integration.


  • Disk Provisioning in Azure
    The default behavior for disk provisioning in Azure when no storage profile exists has been changed. Previously, if no storage profile had been configured for an Azure cloud account, storage accounts were created by default and disks were placed within the on-demand storage account. With this change, the default behavior when there is no storage profile is to use Azure managed disks.
  • Role Names
    The names of the Cloud Assembly service roles have been updated. The Automation Cloud Admin role is now named Cloud Assembly Administrator. The Automation User role is now named Cloud Assembly User. No other change has been made to the Cloud Assembly roles. More about Cloud Assembly roles.
  • Blueprint Sharing
    Cloud Assembly administrators can now control whether a blueprint can be shared to users in other projects. When creating or editing a blueprint, you can restrict the blueprint to its project or make the blueprint sharable to all projects within the same organization. If a blueprint is sharable, a Service Broker administrator can manage which projects have access to that blueprint for self-service provisioning in Service Broker. 
  • Cost Visibility
    Cost visibility has been temporarily disabled. This functionality is being rebuilt based on a new costing engine and will be expanded to include upfront cost prior to provisioning a deployment, as well as the running cost of deployed workloads.

  • Resource Tags on Project 
    Contain tag sprawl with tagging policies for your workload resources. Tags on provisioned machines within a project can now be set for each project. By defining these tags on a project level all machines deployed by users within the project are automatically tagged. More about project tags.
  • Systems Actions
    ABX actions can now be executed via the API without an association to a project. A projectId field is now optional.


  • Google Cloud Platform (GCP)
    GCP cloud provider functionality has passed Beta and is now enabled for use in production. More about the Google Cloud Platform cloud account.
    The following areas have been addressed:
    • GCP account registration
    • Native Discovery of GCP resource
    • Provision a VM
      • Network 
      • Network profile
      • Load Balancer support
      • Disk
      • Storage profile
    • Day 2 operations
      • Compute Resources - Power On/Power Off, Reset, Suspend, Resize, Snapshot Management
      • Storage - Disk Management operations
      • Networking
    • Networking
      • Add/Remove Nic from VM
      • Firewall rules updates
    • GCP-specific properties support 
      • constraints
      • count
      • name
      • persistent
      • persistentDisk
      • tags
      • attachedDisks
      • constraints
      • count
      • imageRef
      • name
      • tags
  • IaaS API
    The VMware Cloud Assembly IaaS API is a multi-cloud policy-based placement API designed for consumers who prefer an imperative over declarative style of provisioning of workloads. The official swagger documentation is available from
    IaaS API versioning is now mandatory and the IaaS API URL has changed to /iaas/api/. More about API documentation.
  • Versioning
    The IaaS API version parameter, apiVersion, is now mandatory. This means that calls such as “GET /iaas/api/network-profiles” should be changed to “GET /iaas/api/network-profiles?apiVersion=2019-01-15”.

    Calls that do not explicitly contain the apiVersion parameter, such as “GET /iaas/api/network-profiles”, will fail.

    To help ensure a smooth transition for existing code, during the next 3 months all calls that do not contain the apiVersion parameter will log a warning message and the call will succeed.
  • URL
    The officially supported IaaS API URL path is /iaas/api/.

    This means that you should update existing calls such as “GET /iaas/network-profiles?apiVersion=2019-01-15” to “GET /iaas/api/network-profiles?apiVersion=2019-01-15”.

    To ensure a smooth transition for already existing code, during the next 3 months all calls that have omitted the api subdirectory in the URL will be routed to an updated path that includes the api subdirectory. For example, the path “GET /iaas/network-profiles?apiVersion=2019-01-15” will be routed to the updated path “GET /iaas/api/network-profiles?apiVersion=2019-01-15”.
  • Display Page-Specific Help Topics 
    You can now access page-specific help topics by clicking the Help icon on the toolbar. You can also search for additional help content using the Search box. To pin the in-product Help panel in place while you continue working, click the pin in the top right corner. More about the in-product Help panel.
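
The Versioning and URL changes above, together with the earlier advice to lock clients to apiVersion=2020-08-25, can be checked mechanically before the transition period ends. The following is an added example, not VMware code: it audits a list of client request lines and proposes the corrected URL for each. The function names, the finding labels, the sample lines and the host vra.example.test are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SUPPORTED_PREFIX = "/iaas/api/"  # officially supported path per the release note
LEGACY_PREFIX = "/iaas/"         # older path without the api subdirectory


def normalize_iaas_url(url, pinned_version):
    """Return (fixed_url, findings) for one IaaS API request URL.

    findings is empty when the URL already uses /iaas/api/ and carries
    exactly one apiVersion equal to pinned_version.
    """
    parts = urlsplit(url)
    path = parts.path
    if not path.startswith(LEGACY_PREFIX):
        return url, ["not-iaas"]  # some other endpoint; left untouched

    findings = []
    on_supported_path = (
        path.startswith(SUPPORTED_PREFIX) or path == SUPPORTED_PREFIX.rstrip("/")
    )
    if not on_supported_path:
        # /iaas/<resource> -> /iaas/api/<resource>
        path = SUPPORTED_PREFIX + path[len(LEGACY_PREFIX):]
        findings.append("legacy-path")

    query = parse_qsl(parts.query, keep_blank_values=True)
    versions = [value for key, value in query if key == "apiVersion"]
    if not versions:
        # Unpinned calls follow whatever the server treats as the default.
        query.append(("apiVersion", pinned_version))
        findings.append("unpinned")
    elif len(versions) > 1 or not versions[0]:
        # Repeated or empty apiVersion: replace with a single pinned value.
        query = [(k, v) for k, v in query if k != "apiVersion"]
        query.append(("apiVersion", pinned_version))
        findings.append("ambiguous-version")
    elif versions[0] != pinned_version:
        # Deliberately pinned to another version: report it, do not rewrite it.
        findings.append("other-version:" + versions[0])

    fixed = urlunsplit(
        (parts.scheme, parts.netloc, path, urlencode(query), parts.fragment)
    )
    return fixed, findings


def audit(request_lines, pinned_version):
    """Return (method, original_url, fixed_url, findings) for non-compliant lines."""
    report = []
    for line in request_lines:
        method, _, url = line.strip().partition(" ")
        url = url.strip()
        fixed, findings = normalize_iaas_url(url, pinned_version)
        if findings and findings != ["not-iaas"]:
            report.append((method, url, fixed, findings))
    return report


# Constructed sample input: the first two lines reuse the calls quoted in the
# release note, the rest are made up for the example.
SAMPLE_REQUESTS = [
    "GET /iaas/api/network-profiles",
    "GET /iaas/network-profiles?apiVersion=2019-01-15",
    "GET /iaas/api/network-profiles?apiVersion=2020-08-25",
    "GET https://vra.example.test/iaas/machines",
    "GET /healthcheck",
]

if __name__ == "__main__":
    for method, original, fixed, findings in audit(SAMPLE_REQUESTS, "2020-08-25"):
        print(f"{method} {original}\n  -> {fixed}  [{', '.join(findings)}]")
```

A call that is already pinned to a different version is reported rather than rewritten, because moving a client to a newer apiVersion can change the responses it receives.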