vRealize Automation 8.3 | 05 May 2021

  • vRA Easy Installer (ISO) build 17556762
  • vRA product (appliance)  build 17551690

Check regularly for additions and updates to these release notes.

What's in the Release Notes

About vRealize Automation 8.3

vRealize Automation 8.3 adds to the vRealize Automation 8.2 capabilities to bring it closer in capability to the vRA 7.x release, reintroducing key capabilities like XaaS and adding capabilities such as Powershell support in ABX and python, node.js and Powershell in vRO.


Upgrade failure after performing steps in KB 87120

Performing the instructions used to address the CVE-2021-44228 and CVE-2021-45046 log4j vulnerabilities described in KB 87120 can cause upgrade failures for vRealize Automation and vRealize Orchestrator 8.6.2 or earlier. For a workaround, see KB 87794.

New vRealize Automation 8.3 Patch 1

vRealize Automation 8.3 Patch 1 is now available and includes bug fixes in different areas. This is a cumulative update. 

For more information and installation instructions, see KB 82781.

What's New

The many benefits of vRealize Automation 8.3 include: 

Networking: NSX-V to NSX-T migration

Support for NSX-V to NSX-T migration via vRA Migration Assistant. Migration is supported for these topologies in vRA 8.3:

  • On-Demand Routed Networks (no services)
  • On-Demand Routed Networks (DHCP)
  • On-Demand Private Networks (DHCP)
  • On-Demand Security Groups
  • Existing Security Groups
  • On-Demand One-Armed Load Balancers on Existing Networks
  • On-Demand and Existing Security Groups (together)
  • On-Demand/Existing Security Groups with Load Balancers

Note: Support for additional topologies will be delivered in a future release. Learn more.

Networking: Additional properties in IPAM SDK action schema

IPAM SDK action schema is extended to include these properties:

  • Standardized projectId, blueprintId, deploymentId for Allocate/Deallocate/AllocateRange/DeallocateRange/UpdateRecord
  • Included addressSpaceId, vraIPAddressId in Deallocate/UpdateRecord
  • Added ID fields for AllocateRange/DeallocateRange 
  • Learn more

Networking: NSX-T Tier-1/ NSX-V ESG sharing within a deployment

  • Ability to reuse a single NSX-T Tier-1 router or NSX-V Edge Service Gateway (ESG) in a single deployment.
  • Previously in vRA Cloud/vRA 8.x, every on-demand NSX-T network created a new Tier-1 logical router, and every on-demand NSX-V network created a new ESG. With the Tier-1/ESG sharing capability, you can share a Tier-1 or ESG in a deployment, without requiring a separate Tier-1 or ESG for every network in the deployment.
  • You can achieve this capability with the Gateway resource type in the Cloud Template. The Gateway resource represents the Tier-1/ESG and can be connected to multiple networks in the deployment.
  • Learn more.

Networking: New NAT resource type for port forwarding (DNAT rules) support for NSX outbound networks

In 8.2, vRA introduced port forwarding (DNAT rules) support for NSX outbound networks with the Cloud Template resource type, Cloud.NSX.Gateway. This allowed DNAT rules to be specified for the gateway/router connected to the outbound network

In 8.3, a new Cloud Template resource type, Cloud.NSX.NAT is available in the Cloud Template for users to define DNAT rules for the deployment.

Note: vRealize Automation still supports the Cloud.NSX.Gateway resource type to be used with NAT rules for backward compatibility. However, this will be unsupported in a future release. In a future release, users will have to use the Cloud.NSX.NAT resource type for defining DNAT rules, and use Cloud.NSX.Gateway resource for defining shared NSX-T Tier1 or NSX-V ESG.  Learn more.

Networking: Reconfigure On-Demand Security group - Iterative and Day 2 - NSX-T

Reconfigure Security Group (Day-2 and Iterative deployment) action is only supported for NSX-T on-demand security groups. It allows you to modify, add, or remove rules of a security group for a running application. Learn more.

Learn more about the reconfigure day-2 action.

Networking: IPAM - Filtration for data collected networks

Allows filtration for data collected networks to minimize the initial set of networks for which actions are executed.

Previously, for the Infoblox IPAM plugin, we datacollect all networks from Infoblox with a default page size of 1000. For customers, who have thousands of networks, but only need to use a few in vRA, they can easily tag these networks with Extensible Attributes.

In vRealize Automation 8.3, properties in the Infoblox plugin are enabled to allow you to provide special filters that select only the required network type objects from Infoblox and filter out the rest. Learn more.

Networking: Load Balancer - Health monitor settings for NSX-V and NSX-T

You can configure (Day 0) active health monitor to test server availability, and passive health monitor to monitor failures during client connections and mark servers causing consistent failures as DOWN.

Support reconfiguration (Day 2) of health monitor settings. Learn more about the reconfigure load balancers day 2 action

Change deployment ownership day 2 action

You can change the deployment owner as admin or member for any project member, project admin, and org admin.

Learn more about the change owner day-2 action.

Deployment last request filter

  • You can filter deployments now by the last request status or the deployment lifecycle status.
  • Deployment lifecycle status: create/update/delete successful or failed
  • Last request status: the last request status on the deployment, can include cancelled/approval_pending/approval_rejected/in_progress/successful/failed
  • See how to access the deployment page filters.

Property Groups

  • Property groups help users to work more efficiently by reusing groups of properties, storing metadata and tracking resource usage
  • Create, update, read, and delete property groups with pre-defined data
  • Reuse property group as cloud template inputs and resource properties
  • Query resource and deployment by property groups as key value pairs
  • For more, see the property groups documentation.

Secrets in Cloud Templates and Extensibility

  • The idea of the "Secure properties" feature is to store sensitive data in encrypted form in the database and not show it anywhere in vRA.
  • Create and encrypt secret variables for project scope under infrastructure administration, and use in cloud templates.
  • Create and encrypt secret variables for extensibility actions, and use in ABX.
  • For more, see the documentation on how to use secrets and how to use secrets with Terraform configurations.

vRA Terraform Provider updates

  • Verified to be part of Hashicorp Terraform registry
  • Support First Class Disk resource type in vRA8 Terraform provider

Add custom properties while onboarding VMs

While onboarding VMs, users can specify custom properties to be added during the process. Users can specify these at a onboarding plan level. You can also remove these properties from individual VMs if the addition is not required. For more information, see What are onboarding plans in vRealize Automation Cloud Assembly.

Support disks with onboarding

Users will be able to onboard disks as part of an onboarding plan. They should be able to perform all Day 0\1\2 operations on onboarded disks. For more information, see What are onboarding plans in vRealize Automation Cloud Assembly.

Change owner of migrated deployments

Once deployments are migrated from 7.x to 8.x,  as the admin, you can change the owner of these deployments. For migration information, see the vRealize Automation 8 Transition Guide

Optimization of Reservation to Cloud Zone Migration

Ensures minimal number of cloud zones are created while migrating reservations with migration assistant. For migration information, see the vRealize Automation 8 Transition Guide

Migration Assistant support for vRA 7.4

The migration assistant supports migration from vRA 7.4 to vRA 8.x. For migration information, see the vRealize Automation 8 Transition Guide

Support Disk creation in to a SDRS datastore cluster

Supports day 0/1/2 actions to create new disks when SDRS is enabled and datastore clusters are being used for placement.

Consider all matched storage profiles & data stores instead of only first

When multiple storage profiles become eligible for placement, the following criteria will be followed for placement optimization:

  • All eligible datastores belonging to these storage profiles become under consideration and not just the first
  • vRA ensures that the cluster and datastore are connected.

Reuse Azure resource groups

  • Users can choose if the day 2 created disk should go to a new resource group or into an existing one. If existing is required, customer will be able to choose the Resource Group from a drop down.
  • Users can choose to reuse a resource group when defining the blueprint so that even with day 0 provisioning, they do not create new resource groups.

Networking: Change Security Group - Iterative deployment

  • Change security groups for a machine component using iterative development
  • If you want to associate or dissociate a security group (existing/new) which is part of deployment, to one or more machines in the deployment, you can attach/detach the security group in the cloud template to/from respective machine(s), and update deployments with this new topology through iterative development.
  • If you want to add an additional security group (existing/new) which is not part of deployment, to one or more machines in the deployment, you can add the additional security group in the cloud template and add (attach) it to machine(s), and update deployments with this new topology through iterative development. Learn more.

HCMP : Cloud zone capacity and consumption Insights

  • Integrate with vRealize Operations to view capacity insights for a cloud zone in the context
  • Key Indicators such as Physical resources available (CPU GHz, Cores), and utilization are provided
  • Trend of consumption for CPU and Memory help in understanding capacity trend situation
  • Projects and resources consumed from this cloud zone by them are provided for detailed consumption analysis
  • Learn more

vRA Vertical Scale

  • Enable customers to deploy and upgrade the vRA cluster using a standard-size (12 CPU, 42GB RAM) and extra-large-size (24 CPU, 96GB RAM) VA.
  • This functionality is available via vRSLCM.
  • Deploy standard/large vRA clusters, and upgrade from standard to large


  • In vRA 8.2, the image and flavor mappings were bundled into the VPZ. This potentially creates a manageability challenge.
  • In vRA 8.3, Flavor/Image Mappings are managed by the provider at the Tenant Management screen. They are decoupled from VPZs to enable the provider to define "global" mappings in the same way as an org admin can define it for their own org. The provider can also define tenant-specific mappings.
  • For more information, see Configuring Multi-provider tenant resources with vRealize Automation.

Performance Improvements

  • Leverage vCenter content library to clone the "closest" template when creating a new VM. This eliminates copying of templates when a template copy may already be present in the local data store, reducing cloning time.
  • Deployments are distributed across multiple cloud zones, based on policy, when all other criteria select multiple candidate cloud zones.
  • ABX actions run in a K8s pod which was tied to a particular ABX action - for the life of the platform. Pods will be reclaimed and available for other ABX actions to be run, enhancing ABX scale and concurrency characteristics.

Active Directory per blueprint

Support for Active Directory at blueprint level.

Resource utilization for consumers

  • Shows my resource usage
  • Displays the total consumption of resource usage (CPU, memory, storage) per user
  • Learn more about the resource usage dashboard.

Improvements in Custom resource types and custom day2 actions

  • Enhance custom resource request forms and allow decorating resource types with powerful workflows and dynamic request forms:
  • Ability to use resource properties in Custom request forms of a day2 actions
  • Ability to bind complex objects and query collection of object properties and reference types

Custom Forms enhancements

Multi-Value picker enhancements include:

  • Ability to browse full details while searching via "show all" option
  • Support for reference object types

Number of cores per socket for vSphere machines in VMware Cloud Templates

  • Virtual cores per socket feature allows vSphere to simulate how physical cores are organized.
  • This feature helps reduce software licensing costs and improve performance for the VM by allowing better NUMA scheduling at the hypervisor layer.
  • Number of cores are defined by setting the numCores attribute for Cloud.vSphere.Machine.
    Learn more.

Auto-enable Federated Catalog & Blueprints for Cloud customers

  • The Federated Catalog feature is automatically enabled through an internal process.
  • When vRA receives a CSP notification for new Flex customer's subscription ID (attached to an Org), vRA checks if that SID contains the "vRA for Flex" SKU. If so, the Federated Catalog feature flag is enabled for the Org.

SaltStack Config integration in vRealize Automation

In the 8.3 release, SaltStack Config is integrated in vRealize Automation to enable deployment of Photon OS based SaltStack Config appliance and installation of minions in newly created VMs.

In this first phase of integration, the supported capabilities are:

  • Deployment of single node SaltStack Config (with master) via vRealize Suite Lifecycle Manager (LCM)
  • vRealize Suite Lifecycle Manager creates an integration endpoint in vRealize Automation
  • Users specify deployment of minions in new VMs via YAML code snippets in cloud templates
  • Users have the ability to switch between vRealize Automation and SaltStack Config interfaces
  • Learn more.

Notify cloud consumers for optimization and enable consumers to take action

As a cloud admin, you can alert project owners of optimization opportunities. You can also enable deployment owners to optimize deployments, by providing recommendations and actions in-context for deployments.

Non-overlapping cloud zones

Cloud zones in vRA represents compute capacity and they include compute resources (vCenter clusters, hosts or resource pools for VMware Cloud, availability zones for AWS, Azure and GCP).

Cloud zones are defined in one of three ways:

1 - Include all available  clusters / availability zones

2 - Manually select clusters / availability zones

3 - Dynamically  select clusters / availability zones based on tags

Prior to the vRA 8.3 release, the same compute resources could be a member of multiple cloud zones. 

In vRA 8.3, cloud zone definitions no longer include the same underlying compute resources. 

All existing cloud zone definitions continue to work the same way, however the user is notified when a cloud zone includes a compute resource that is already a member of another cloud zone. Modify and re-save cloud zones to make them distinct.

Note: Auto-generated cloud zones (during cloud account creation) are associated with the underlying compute resources after the data collection. For dynamically defined cloud zones (tag based), when the tags are updated for the underlying compute resources, the cloud zone definitions are updated after the next data collection cycle.

For more information, see Learn more about vRealize Automation Cloud Assembly cloud zones.

Documentation for resource action condition expression

Updated documentation to include examples for resource action condition expression. Learn more.

Support for Azure VMware Solution and Google Cloud VMware Engine

vRealize Automation is tested and certified to work with VMware's hosted cloud solutions on Microsoft Azure and Google Cloud Platform, called Azure VMware Solution (AVS) and Google Cloud VMware Engine (GCVE), respectively.  Workloads running on AVS or GCVE are now managed by vRealize Automation Cloud after setting up vCenter and NSX-T cloud accounts. For more information, refer to Azure VMware Solution documentation and Google Cloud VMware Engine documentation.

Logging integration 

vRA does not support multiple Logging Integration Endpoints. In regards to performance, vRA only supports one external log endpoint: either a Syslog server or vRealize Log Insight. 

Note: vRealize Log Insight is prioritized over Syslog. Learn more.

Federal Information Processing Standards (FIPS) Support

vRealize Automation 8.3 includes cryptographic modules that have successfully passed NIST FIPS 140-2 Cryptographic Module Validation Program (CMVP) testing. When these modules are configured to run in ‘FIPS-mode’, they cover all cryptographic operations in the product that perform a security function and/or process sensitive data, with these exceptions:

  • The identity and access management (vIDM) functionality in vRA
  • Cloud Template resources with prefix "Cloud.Service" that use opensource Terraform libraries to provision
  • Cloud Template resources with the prefix “Cloud.Terraform" that contain any Terraform Configuration resource supported by Terraform or even custom providers that work with Terraform

Note: You can choose whether to be in FIPS-mode ONLY during installation and before content in vRA/vRO is generated. Also, FIPS mode is available only for greenfield vRA environments.

Before You Begin

Familiarize yourself with the supporting documents.

After installing vRealize Automation and setting up your users, you can use the Getting Started and Using and Managing guides for each of the included services. The Getting Started guides include an end-to-end proof of concept. The Using and Managing guides provide more in-depth information that supports your exploration of the available features. Additional information is also available in vRealize Automation 8.3 product documentation.

For information on vRealize Orchestrator 8.3 features and limitations, refer to the vRealize Orchestrator 8.3 Release Notes.

API Documentation and Versioning

API documentation is available with the product. To access all Swagger documents from a single landing page, go to https://<appliance.domain.com>/automation-ui/api-docs where appliance.domain.com is your vRealize Automation appliance.

Before using the API, consider the latest API updates and changes for this release and note any changes to the API services that you use. If you have not locked your API to a version before, you might encounter an unexpected change in an API response. As a best practice, assign the apiVersion variable to lock your API to the version you want to use. For example:

  • To lock your APIs to the vRealize Automation 8.2 APIs, use apiVersion=2020-10-06
  • To lock your APIs to the vRealize Automation 8.3 APIs, use apiVersion=2021-02-04

If left unlocked, your API requests will default to the latest version which is apiVersion=2021-02-04.

For information on how to lock you APIs to a specific version, see the "API Versioning" section of the vRealize Automation 8.3 API Programming Guide.

Before using the API, consider the latest API updates and changes for this release.

Service Name Service Description API Updates and Changes
iaas-api This API holds all functionality specific to Provisioning service including infrastructure setup, validation and provisioning of resources in iterative manner.

New property

  • «customProperties» to update custom properties for machines: customProperties in POST /iaas/api/machines/{id}

New functionality

  • Enables users to cancel IaaS deployment requests

Change for obtaining the access token

As of vRealize Automation 8.0.1 or later, you must use both the  Identity Service API and the IaaS API to obtain the access token used to authenticate an API session. Using the token generated by the Identity Service API alone will not work due to a missing internal state.

For the complete procedure on how to obtain the token needed for authentication, see Get Your Access Token in the API Programming Guide.


This API holds all functionality specific to creation, management and delete of projects

New request params

  • get /iaas/api/projects/
    • new attribute for 200 response: content[]/placementPolicy (in: body, type: string)
  • get /iaas/api/projects/{id}
    • new attribute for 200 response: placementPolicy (in: body, type: string)
  • post /iaas/api/projects/
    • new request param: placementPolicy (in: body, type: string)
  • patch /iaas/api/projects/{id}
    • new request param: placementPolicy (in: body, type: string)
blueprint-service This API holds all functionality specific to Blueprint services, including creation, validation, and provisioning.

New endpoints

  • GET /properties/api/property-groups
    List all property groups
  • POST /properties/api/property-groups
    Creates a property group
    Note: Only org admin can invoke this api
  • GET /properties/api/property-groups/{propertyGroupId}
    Get property group by Id
  • PUT /properties/api/property-groups/{propertyGroupId}
    Update a property group
    Note: Only org admin can invoke this api
  • DELETE /properties/api/property-groups/{propertyGroupId}
    Deletes the property group
    Note: Only org admin can invoke this api

New params:
anyOf :

  • GET /blueprint/api/blueprints/{blueprintId}/inputs-schema
  • GET /blueprint/api/blueprints/{blueprintId}/versions/{version}/inputs-schema
relocation-service The relocation service is used to define policy and plans for bringing existing VMs from any cloud under management.

New endpoints

  • GET /relocation/onboarding/disk
    List all onboarded disks for all plans. Use oData filters to narrow the search
  • PATCH /relocation/onboarding/disk/{disk-id}
    Patches the selected onboarding disks.

New properties

  • Onboarding Plan and Onboarding Machine data models introduce new «customProperties» property to attach custom properties to the machine during onboarding
migration-service This service is used to quickly setup a vRA 8 instance based on information in a configuration file a.k.a Zero-Setup

New endpoints

  • GET /migration/api/v2t/plans
    Retrieves a page of NSX migration plans.
  • POST /migration/api/v2t/plans
    Creates NSX migration plan.
  • GET /migration/api/v2t/plans/{id}
    Retrieves an NSX migration plan.
  • DELETE /migration/api/v2t/plans/{id}
    Delete an NSX migration plan.
  • PATCH /migration/api/v2t/plans/{id}
    Updates an NSX migration plan's name and description.
  • GET /migration/api/v2t/plans/{id}/assessmentReport
    Retrieves the assessment report for a plan.
  • GET /migration/api/v2t/plans/{id}/assessmentReport/type/{type}
    Retrieves the assessment report for a plan for a given type.
  • GET /migration/api/v2t/plans/{id}/deploymentConfiguration
    Retrieves an NSX deployment configuration.
  • POST /migration/api/v2t/plans/{id}/disableMaintenance
    Disables the maintenance mode of the NSX-V, associated vCenter, and NSX-T cloud accounts for a given NSX migration plan.
  • POST /migration/api/v2t/plans/{id}/enableMaintenance
    Places the NSX-V, associated vCenter, and NSX-T cloud accounts for a given NSX migration plan into a maintenance mode.
  • POST /migration/api/v2t/plans/{id}/runAssessment
    Runs assessment for a migration plan.
  • POST /migration/api/v2t/plans/{planId}/migrate
    Saves V2T output file if provided and triggers the conversion of vRA resources. If the output file not provided in this call, the file saved in the migration plan will be used. The max file size is limited to 1 MB unless explicitly configured in application.properties
  • GET /migration/api/v2t/plans/{planId}/report
    Retrieves a page of NSX migration report elements associated with this NSX migration plan. This API supports filtering by ReportElement.status, ReportElement.vraResourceName and ReportElement.deploymentId. 
  • GET /migration/api/v2t/plans/{planId}/report/{elementType}
    Retrieves a page of NSX migration report associated with this plan for a given resource type. Types are: Deployment, NetworkProfile, SecurityGroup, etc. This API supports filtering by ReportElement.status, ReportElement.vraResourceName and ReportElement.deploymentId. 
  • POST /migration/api/v2t/plans/{planId}/testingCompleted
    Updates an NSX migration plan's sub-stage to POST_MIGRATION_TEST_COMPLETED.
cgs-service Content Service APIs are used to connect to your Infrastructure as Code content in external content sources (ex: SCM Providers and VMWare Marketplace).

New endpoints

  • GET /content/api/vcf/{integrationId}/domain
    Get a List of domains given a Vcf integration-id
  • POST /content/api/vcf/domains-enumeration
    Get list of domains given Vcf Credentials
  • GET /content/api/vcf/{integrationId}/domain/{domainId}
    Get details of a single domain
  • POST /content/api/vcf/{integrationId}/domain/{domainI/service-accounts
    Create a Service Credential for vCenter and NSX associated with a VCF Domain
  • GET /content/api/vcf/{integrationId}/domain/{domainI/service-accounts
    Get details of vcf service credential
  • DELETE /content/api/vcf/{integrationId}/domain/{domainI/service-accounts/{id}
    Delete vcf service credential given credential Id
  • DELETE /content/api/vcf/{integrationId}/domain/{domainI/service-accounts/
    Delete vcf service account
  • PATCH /content/api/vcf/{integrationId}/domain/{domainI/service-accounts/
    Update vcf service account
form-service Define dynamic form rendering and customization behavior in Service Broker and Cloud Assembly VMware services.

New endpoints

  • POST form-service/api/custom/resource-actions/{actionId}/form-data
    CF-1387 Returns form field values in Resource Action request for resource properties that have a binding.
  • POST /form-service/api/forms/renderer/external-values:
    CF-1603 New API that executes multiples vRO actionn in custom request form at once and returns single result when all actions execution complete.

New parameters

  •  POST /form-service/api/forms/designer/runnable-item-elements
    •  externalType - CF-1387 provides vRO type of the field that should be read-only when generating resource action form elements
Deployment This API provides access to deployment objects and platforms/blueprints that have been deployed into the system.

New endpoint

  • get /deployment/api/deployments/{depId}/requests

New request param

  • get /deployment/api/deployments
    • new request param: lastRequestStatus(in: query, type: set<string>)
Approvals Enforce policies which control who must agree to a deployment or day 2 action before the request is provisioned

New endpoints:

  • /approval/api/policy/data/cloud-zones
    Returns a set of provisioning account cloud zones which matches the search param
  • /approval/api/policy/data/cloud-zones/{id}
    Returns a specific provisioning account CloudZone
  • /approval/api/policy/data/hasSnapshots
    Returns possible hasSnapshots values
  • /approval/api/policy/data/hasSnapshots/{id}
    Returns a hasSnapshots value
  • /approval/api/policy/data/osTypes
    Returns possible types for Operating system of the machine
  • /approval/api/policy/data/osTypes/{id}
    Returns a Operating system type
  • /approval/api/policy/data/powerState
    Returns possible powerState values
  • /approval/api/policy/data/powerState/{id}
    Returns a powerState value
  • /approval/api/policy/data/tag-keys
    Returns a list of tag keys which matches the search param
  • /approval/api/policy/data/tag-keys/{id}
    Returns a specific tag key
  • /approval/api/policy/data/tag-values
    Returns a list of tag values which matches the search param
  • /approval/api/policy/data/tag-values/{id}
    Returns a specific tag value
Resource quota policy - Aggregator service

This is new service running inside approval container

These APIs provide access to find the resource usage metrics at org, user and project level

New endpoints:

  • /aggregator/api/metrics/deployment/aggregate
    Returns aggregated resource usage metrics values of the current user
  • /aggregator/api/metrics/deployment/aggregate/projects/{projectId}
    Returns aggregated resource usage metrics values of the given project
    Note: Only org admin can invoke this api
  • /aggregator/api/metrics/deployment/aggregate/users/{userId}
    Returns aggregated resource usage metrics values of the given user
    Note: Only org admin can invoke this api
Code stream all pipeline-service These API provide access to Code Stream services.

DELETE /codestream/api/executions.

This new API is used to bulk delete execution and clear memory. It deletes only those executions which are in terminal state. It also accepts filter parameters.

For example, the following command deletes all the terminal executions of pipeline 'pipelineName':

DELETE /codestream/api/executions$filter=name eq 'pipelineName'.

At VMware, we value inclusion. To foster this principle within our customer, partner, and internal community, we removed non-inclusive language in our documentation.

Customers that upgraded to vRealize Automation 8.3 using the new upgrade bundle might see errors during scale out (similar to patched environments). As mentioned in KB 79105, the ova bundle is hosted on my.vmware.com.

vIDM 3.3.3 does not support IWA (Integrated Windows Authentication) with an embedded Linux connector. vRA 8.x Customers using LDAP or IWA with the external Windows connector are not impacted. For more details refer to KB 82013.

Support for Azure VMware Solution and Google Cloud VMware Engine

vRealize Automation Cloud is tested and certified to work with VMware's hosted cloud solutions on Microsoft Azure and Google Cloud Platform, called Azure VMware Solution (AVS) and Google Cloud VMware Engine (GCVE), respectively.  Workloads running on AVS or GCVE are now managed by vRealize Automation Cloud after setting up vCenter and NSX-T cloud accounts. For more information, refer to Azure VMware Solution documentation and Google Cloud VMware Engine documentation.

Upgrading to vRealize Automation 8.3

Using VMware vRealize Suite Lifecycle Manager, you can upgrade your vRealize Automation 8.x instance to 8.3. For more information, see Upgrading vRealize Suite Lifecycle Manager and vRealize Suite Products.

Resolved Issues

  • Migration Assessment of a single vRealize Automation 7.x installation into multiple vRealize Automation 8.x organizations requires manual certificate acceptance.

    This occurs when you attempt to migrate a single vRealize Automation 7.x environment into multiple 8.x organizations and your source vRealize Automation 7.x installation has configured an insecure SSL certificate.

  • Under certain circumstances, scaling in or out a load balanced machine cluster fails with a cryptic error message

    When scaling in or out a load balanced machine cluster where the load balancer contains "loggingLevel" or "type" properties with different values than the same properties on the parent (IaC) load balancer, the operation fails with the following message:

    Update operation is supported for one property at a time


  • The policy details page shows empty value for "Role" when a custom role is deleted.

    After deleting a custom role, when a user navigates to viewing the details of an existing Day 2 policy, the page should display a message reflecting that the role was deleted. However, the value for "Role" is empty.


Known Issues

The following known issues are present in this release.
  • Unable to access the onboarding page.

    Navigating to the onboarding page in Cloud Assembly->Infrastructure might cause a 302 status code. This can happen if you have been logged in for a long time.

    Workaround: Log out and then log back in.

  • vRA deployment fails to initialize on new setups from Easy Installer

    vRA deployment (single or clustered) fails to initialize on new setups from Easy Installer or vRealize Suite LCM
    The error shown in LCM is LCMVRAVAVACONFIG590003

    Workaround: Retry cluster initialization from within vRealize Suite LCM.

  • When a vCenter cloud account is updated to add a data center, the resources from this data center are not immediately available for use.

    Changes made to regions (data centers) for a vCenter cloud account do not take immediate effect and require data collection to run.

    Workaround: Wait for the next data collection to complete successfully. Data collection runs approximately every 10 minutes.

  • PowerShell tasks appear to be stuck

    When there is no active session PowerShell tasks appear to be stuck. This behaviour is seen because the PowerShell process responsible to run the user script is held by Windows system process WmiPrvSE.

    Workaround : Login to the system and keep an active session. Lock the screen instead of completely logging out.

  • vRO represents Array types as complex types with only one column, rather than a field whose "type.isMultiple" is true.

    When adding a workflow which has an array input and consequently customizing its form, do not change the ID of the column in the Values tab of the data grid. The default value must stay set at _column-0_ . Conversely, you can change the label of the column (which is visible in the UI when adding values to the datagrid).

  • License re-configuring is not supported.

    After configuring vRealize Automation with the Enterprise license, the system can not be re-configured to use the Advanced License.

  • vRealize Automation 8 does not support Internet Explorer 11

    You cannot use Internet Explorer 11 with vRealize Automation 8.

    Workaround: Use a different browser instead of Internet Explorer 11.

  • BP Canvas is not refreshed after custom resource has been changed or deleted.

    If you delete a custom resource, the change is not propagated to the Blueprint canvas immediately.

    Workaround: The Canvas has a cache mechanism, which can be updated after using refresh button, next tot he search pane.

  • Create different custom resources with the same vRO object type is not supported

    In vRA 7.X it was possible to create different custom resources for the same type. This allowed users to define a different set of create / delete / operate actions for the same vRO type with creating different custom resource types. In vRA 8.x We do not support a case where same vRO_Type can be leveraged from different custom resources. 

  • vRO workflow is not executed through catalog when there is empty input with reference type

    Null pointer exception appears on attempt to request  vRO Workflow with and empty value for the Workflow input with a reference type.

    Workaround: Set a default value for the reference type or make the field mandatory.

  • Unsuccessfully provisionined custom resource can't be deleted from a deployment

    When you request a custom resource, if the workflow run that creates the resource fails, a resource in the deployment service is still created (since we are replying to the initial request with a STARTED status which in turn creates the resource in deployment). This resource cannot be deleted since it doesn't contain the metadata that is added upon successful provisioning of the resource in vRO.

    Workaround: Right after the first attempt to delete the custom resource, a dialog appears which asks you whether you want to force deletion. Say yes to force its deletion.

  • Custom Resource Name is not propagated correctly to the deployment view list

    When you create a custom resource based on vRO_Type, you usually use a comprehensive display name. Currently this display name is not available in the Deployment view. The resource, which appears in the deployment is identified only by its type.

  • Available option to set timezone from vCenter Machine Console window

     Undefined behaviour when user sets timezone from vCenter Machine Console window

    Workaround: Don't change the time zone.

  • Tenant Names with different cases are treated the same way

    A tenant named vmware and another one named VMware are seen as the same.

    Workaround: Tenants in vRA 8.x are based on hostnames since hostnames are case insensitive the tenant names are also case insensitive. This means that a tenant named VMware is the same as VMWARE or vmware or any other combination cases. The tenant name capitalization may vary and may not be preserved across the application.

  •  vRO Workflow presentation with an OGNL expression does not render properly when used as a custom day2 operation in vRA.

    Custom Resource Actions with workflows that have OGNL constraints in their presentation may not render properly and it may not be possible to populate all required fields.

  • Cost\Price functionality does not work with shared infrastructure multi-tenancy

    The pricing functionality might report inaccurate results when configured to a multi-tenant deployment where tenants can share infrastructure resources. This is because pricing does not recognize multi-tenancy.The price is calculated only for the org for which vROPs is added and deployments are created. 

  • Assessment Service swagger is not available

    The assessment service swagger page is not available.

    Workaround: Run the assessment through the migration API listed on the migration swagger page.

  • Deployments with an existing network fail during allocation on vSphere / NSX-v cloud accounts when DRS is disabled on the vSphere cluster.

    When selecting an NSX-V network in the network profile and requesting a deployment with an existing network, the deployment fails during allocation with the message: "Unable to find a common placement for compute...with the network configuration...". This occurs when the vCenter contains clusters with DRS disabled.

    Workaround: Enable DRS on the cluster and include the cluster in the vRA cloud zone, or select a vSphere network in the network profile.

  • Service broker forms do not populate default values set in vRO workflow input

    When vRO workflow has a string input set with default value ,it does not get automatically propagated in the request form when starting the workflow from service broker.

    Workaround: Set the given default value using service broker Custom forms.

  • Service Broker cannot import vRO workflows that have actions in valueList for a string field

    Schema for string field that contains valueListpopulated by an action cannot be parsed and imported in Service Broker


  • Pulling Docker Images Behind Proxy requires additional configuration

     The ABX service pulls container images from publicly available Internet repositories. If vRA is deployed on an isolated network that does not allow outbound traffic to public sites, a HTTP proxy must be configured. While vRA 8 enables proxy configuration via its CLI, the workflow does not include an automatic setup for the docker service.

     Workaround: Such configuration should be made separately. KB article to be determined.

  • Complex objects with type anyOf are not supported in cloud template request forms

    If the form contains anyOf property for a complex object, anyOf will be visualized as a string dropdown instead of different sets of constrains to validate the input.

    Workaround: Use Enum type instead of anyOf values.

  • Exception in input dialog if properties not defined in object type schema

    If input property is of object type and properties is not defined in json schema, the input dialog in test or deploy blueprint dialog would not load.

    Workaround: Either remove default value from input property, or define properties schema in the input property with default value.

  • Cannot send value while deploying with input array field

    Although users can fill the values in input form, UI is sending array of null to blueprint service in test/deployment dialog.

    Workaround: Use object or string/number fields instead.

  • After upgrading to vRealize Orchestrator or vRealize Automation 8.3, some resource elements in the vRealize Orchestrator Client might appear changed or reverted to an older version.

    After upgrading to vRealize Orchestrator or vRealize Automation 8.3, some resource elements in the vRealize Orchestrator Client might appear changed or reverted to an older version. This problem occurs with resource elements that were previously updated in the vRealize Orchestrator Client by using a different source file. After upgrading your vRealize Orchestrator or vRealize Automation deployment, these resource elements can be replaced by an older version. This is an intermittent issue.


    1. Log in to the vRealize Orchestrator Client.

    2. Navigate to Assets>Resources.

    3. Select the resource element affected by the problem.

    4. Select the Version History tab, and restore the element to the appropriate version.

    5. Repeat for all affected resource elements.

  • If vRA is upgraded from vRA 8.0/8.1/8.2 to 8.3 and AD is configured for a project, deployment fails with the error message: "Failed to successfully create Computer object in Active Directory".

    In the vRA 8.3, the AD scripts used to create active directory record are updated to support overriding relativeDN from values set in blueprint. User has to re-validate the existing AD integration in vRA after upgrade to deploy the new scripts.

    Workaround: Revalidate the AD integration account in UI.

  • When FIPS mode is enabled, Code Stream pod restarts in high load conditions.

    When a high number of concurrent pipelines are run with FIPS mode enabled, Code Stream pods are restarted because the memory consumption exceeds the preset limit of 2.5GB.


    With FIPS mode enabled, increase the memory limit of the Code Stream pods to 3GB. 

    1. SSH into the node. For HA setup, SSH into any one of the nodes.

    2. Check the current pod memory limit: kubectl -n prelude describe deployment codestream-app

    3. Verify that the limit is: Limits: memory: 2500M

    4. Edit the deployment yaml: kubectl -n prelude edit deployment codestream-app

    5. Increase the memory limit, and verify that the limit is: Limits: memory: 3000M6

    6. Code Stream pods will be recreated.

  • When exporting a package using Mozilla Firefox v84, the generated file has a .zip extension instead of .package and cannot be imported in vRO

    When you export a package with Firefox 84.0.2 on MacOS 10.15 the package is saved as a .zip file.


    • Use Google Chrome or a different version of Mozilla Firefox
    • Change the file extension from .zip to .package

    Note: In macOS, modify the file from the terminal, as the Finder application does not support changing the file format from a known format to an unknown.

  • NEW You can create a day2 policy with duplicate actions/authorities using API.

    When you attempt to create a policy with duplicate actions/authorities using the API, the system does not perform validation checks and the policy is created.

    Note: This does not happen when you create a policy using the UI because the dropdown does not show or allow duplicate selection of entries.

    Workaround: Create a day2 policy using the UI and not the API.

  • New Execution of local scripts on a virtual machine via a Workflow “Software-Install-Base” triggered by a vRealize Automation Custom Resource can cause the deployment to fail with an error “An Item with the same key has already been added: Key: LinkedView”.

    If the vRealize Automation Blueprint (or Cloud Template) is setup to execute local scripts via a Custom Resource that references the vRO Workflow “Software-Install-Base” which has a Dynamic Type:DynamicTypes:CustomScript.Script then the deployment fails.

    Workaround: Standup a SaltStack Server to run scripts locally on the machine or use another method of local script execution like cloud-init or ABX, or Code Stream.

check-circle-line exclamation-circle-line close-line
Scroll to top icon