Cross-Platform Terminology Glossary
Quick-reference mapping of equivalent concepts across all four platforms. Use this when switching between vendor documentation or when discussing features across candidates.
How to Read This Table
- VMware = what you know today (vSphere / NSX / vSAN / vRealize)
- OVE = OpenShift Virtualization Engine (KubeVirt on OpenShift)
- Azure Local = Microsoft Azure Local (Hyper-V + S2D + Arc)
- ESC = Swisscom Enterprise Service Cloud (managed VMware on Dell VxBlock)
Where a concept does not exist on a platform, the entry reads N/A with a short reason. Where the provider manages the feature opaquely, the entry reads Managed by provider.
Compute / Virtualization
| # | VMware | OVE | Azure Local | ESC | Notes |
|---|---|---|---|---|---|
| 1 | Virtual Machine (VM) | VirtualMachine CR (+ VirtualMachineInstance at runtime) | Hyper-V VM (Azure Arc VM resource) | VM (via ESC portal) | OVE wraps every VM in a virt-launcher Pod; the VM is a Kubernetes-native object. |
| 2 | ESXi host | OpenShift Worker Node (RHCOS) | Azure Local node (Windows Server OS) | Managed host (Dell VxBlock) | OVE nodes run Red Hat CoreOS; Azure Local nodes run a locked-down Windows Server variant. ESC hosts are invisible to the customer. |
| 3 | vCenter Server | OpenShift Console + Kubernetes API (oc, kubectl) | Azure Portal + Windows Admin Center (WAC) + Azure Arc | ESC Self-Service Portal + Swisscom API | OVE has no single "vCenter" -- the API server is the control plane. Azure Local splits between cloud portal (Arc) and on-prem console (WAC). |
| 4 | vMotion (live migration) | KubeVirt Live Migration (VirtualMachineInstanceMigration CR) | Hyper-V Live Migration | vMotion (managed by provider) | KubeVirt migrates the virt-launcher Pod between nodes. Hyper-V Live Migration supports RDMA for near-zero downtime. |
| 5 | DRS (Distributed Resource Scheduler) | Kubernetes Scheduler + Descheduler Operator | N/A -- no automatic rebalancing; manual Live Migration or Failover Clustering preferred roles | Managed by provider | OVE uses standard kube-scheduler with pod priority and preemption. Azure Local lacks a DRS equivalent; workload balancing is manual or script-driven. |
| 6 | vSphere HA | KubeVirt VM eviction + automatic reschedule on healthy node | Windows Failover Clustering (automatic VM restart on surviving node) | vSphere HA (managed by provider) | OVE: if a node fails, the VirtualMachine CR is rescheduled to another node. Azure Local: Failover Clustering restarts VMs automatically. |
| 7 | Fault Tolerance (FT) | N/A -- no lockstep VM replication; use HA + application-level clustering | N/A -- use Failover Clustering + application-level HA | Managed by provider (if available) | No candidate offers VMware-style lockstep FT. All rely on HA restart + application-level redundancy. |
| 8 | Resource Pool | Namespace + ResourceQuota + LimitRange | Azure Resource Group + VM size constraints | Tenant / project isolation (portal-level) | OVE namespaces are the primary isolation and quota boundary. Azure Local uses Azure subscription/resource-group hierarchy. |
| 9 | VM Template | OpenShift VM Template (cluster-scoped or namespaced) | VM Image (Azure Marketplace image or custom VHD/VHDX) + ARM/Bicep template | Service catalog template | OVE ships pre-built templates for RHEL, Windows, Fedora. Azure Local uses Azure image galleries and ARM templates. |
| 10 | Snapshot | VirtualMachineSnapshot CR (delegates to CSI VolumeSnapshot) | Hyper-V Checkpoint | Snapshot (managed by provider) | OVE snapshots are storage-level (CSI); they do not capture in-memory state by default. Hyper-V checkpoints can be production (no memory) or standard (with memory). |
| 11 | Clone | CDI DataVolume clone (CSI clone or host-assisted copy) | Hyper-V VM Export/Import or disk copy | Clone (managed by provider) | OVE cloning speed depends on whether the CSI driver supports efficient cloning (e.g., Ceph RBD fast clone). |
| 12 | Affinity rule | nodeAffinity / podAffinity on the VirtualMachine spec | Failover Clustering affinity rule (preferred owner) | Managed by provider (limited control) | OVE uses standard Kubernetes scheduling primitives. Azure Local affinity is less granular than vSphere DRS rules. |
| 13 | Anti-affinity rule | podAntiAffinity on the VirtualMachine spec | Failover Clustering anti-affinity rule | Managed by provider (limited control) | OVE anti-affinity ensures VMs land on different nodes -- identical semantics to vSphere anti-affinity. |
| 14 | VMware Tools | qemu-guest-agent (Linux) / VirtIO drivers + qemu-ga (Windows) | Hyper-V Integration Services (Linux Integration Services for Linux guests) | VMware Tools (managed by provider) | VirtIO drivers are essential for disk and network performance in OVE Windows guests. Must be installed pre-migration. |
| 15 | OVA / OVF | containerDisk image (stored in a container registry) or DataVolume import from URL/registry | VHD / VHDX (native Hyper-V format) | OVA/OVF (managed by provider) | OVE can import OVA/VMDK via CDI (DataVolume with http or registry source). Azure Migrate converts VMDK to VHDX during migration. |
| 16 | Hot-add CPU / RAM | CPU hot-plug + memory hot-plug (KubeVirt >= 1.0, guest OS dependent) | Hot-add memory supported; CPU hot-add limited (Gen 2 VMs) | Managed by provider (limited by service profile) | OVE hot-plug changes the VirtualMachine spec; the virt-launcher Pod is patched live. Requires guest OS support (e.g., Linux kernel >= 5.x). |
| 17 | GPU passthrough | NVIDIA GPU Operator (PCI passthrough + vGPU/MIG) | Discrete Device Assignment (DDA) for passthrough; GPU-P for partitioning | Not in standard catalog (on request) | OVE: GPU Operator auto-discovers GPUs. Azure Local: DDA requires manual device assignment per VM. |
| 18 | Content Library | Container image registry (e.g., Quay, Harbor) + CDI DataSource | Azure Compute Gallery (shared image gallery) | Service catalog (managed by provider) | OVE uses standard OCI registries for golden images. Azure Compute Gallery supports image versioning and replication. |
| 19 | VM Folder | Namespace (flat within a namespace; labels for grouping) | Azure Resource Group + tags | Project / folder (portal-level) | OVE has no folder hierarchy inside a namespace; use labels and label selectors instead. |
| 20 | Datacenter | Cluster (OpenShift cluster = logical datacenter boundary) | Azure Local cluster (max 16 nodes) | Managed datacenter (Swisscom Tier-IV twin-DC) | A single OVE cluster can span one physical datacenter. Multi-DC requires multi-cluster + ACM. Azure Local: one cluster = one site typically. |
| 21 | Cluster | OpenShift Cluster (control plane + worker nodes) | Azure Local cluster (Failover Cluster) | Managed cluster (invisible to customer) | OVE: 3+ control-plane nodes + N worker nodes. Azure Local: 2-16 nodes per cluster. |
| 22 | vApp | N/A -- use Helm chart, ArgoCD Application, or namespace grouping | N/A -- use ARM template deployment | N/A | No direct equivalent; OVE models multi-VM applications via Kubernetes manifests or GitOps. |
Storage
| # | VMware | OVE | Azure Local | ESC | Notes |
|---|---|---|---|---|---|
| 23 | VMFS | N/A -- storage is CSI-based (no host-local filesystem for VMs) | ReFS (on S2D volumes) | VMFS (managed by provider) | OVE VMs use PersistentVolumeClaims (PVCs) backed by a CSI driver. There is no shared filesystem layer analogous to VMFS. |
| 24 | vSAN | OpenShift Data Foundation (ODF, built on Ceph) | Storage Spaces Direct (S2D) | Managed storage (Dell PowerMax / PowerStore inside VxBlock) | ODF provides block (RBD), file (CephFS), and object (RGW) from local disks. S2D provides block storage with mirror/parity resiliency. |
| 25 | Datastore | StorageClass (maps to a CSI backend) | Cluster Shared Volume (CSV) | Managed datastore (invisible to customer) | OVE: each StorageClass represents a storage tier or backend. Azure Local: CSVs are presented to all cluster nodes. |
| 26 | VMDK | PersistentVolume (PV) with a DataVolume wrapper (raw or qcow2 on a PVC) | VHD / VHDX | VMDK (managed by provider) | OVE stores VM disks as raw block or qcow2 images inside PVCs. CDI handles format conversion during import. |
| 27 | Storage Policy (SPBM) | StorageClass parameters + StorageProfile CR | Storage QoS Policy (S2D) | Managed storage tiers (service classes) | OVE: storage profiles auto-detect CSI capabilities (thin provisioning, snapshots). Azure Local: QoS policies set IOPS limits per volume. |
| 28 | Thin provisioning | CSI thin provisioning (default for most CSI drivers, e.g., ODF/Ceph) | ReFS thin provisioning on S2D | Managed by provider | OVE: thin provisioning is typically the default for ODF and most enterprise CSI drivers. |
| 29 | Thick provisioning | CSI volumeMode: Block with pre-allocated volume (driver-dependent) | Fixed-size VHDX (pre-allocated) | Managed by provider | OVE: not all CSI drivers support thick provisioning. ODF/Ceph does not natively thick-provision. |
| 30 | Linked clone | CDI smart clone (CSI clone if supported, e.g., Ceph RBD clone = COW) | Hyper-V differencing disk | Managed by provider | OVE: Ceph RBD clone creates a COW copy, functionally equivalent to a linked clone. |
| 31 | Full clone | CDI DataVolume clone with host-assisted copy (full data copy) | Hyper-V full copy (Export/Import or disk copy) | Managed by provider | OVE: if the CSI driver does not support efficient clone, CDI falls back to a full host-assisted copy. |
| 32 | Snapshot (storage) | CSI VolumeSnapshot CR | S2D shadow copy / Hyper-V checkpoint (disk component) | Managed by provider | OVE snapshots rely on the CSI driver; ODF supports crash-consistent snapshots. |
| 33 | vSAN disk group | ODF StorageCluster (Ceph OSDs grouped per node) | S2D Pool (cache tier + capacity tier per node) | Managed by provider | ODF: OSDs auto-discover local devices. S2D: cache tier (NVMe/SSD) + capacity tier (SSD/HDD) per node. |
| 34 | Storage vMotion | No direct equivalent -- use DataVolume clone + VM migration (two-step) | Hyper-V Storage Migration (live, moves VHD/X between CSVs) | Storage vMotion (managed by provider) | OVE lacks a single-step storage live migration. Workaround: clone data to a new PVC, update the VM spec, then migrate. This is a known gap. |
| 35 | VAAI (vStorage APIs for Array Integration) | CSI driver offloads (clone, snapshot, extend delegated to the array) | SMB Offloaded Data Transfer (ODX) | Managed by provider | OVE: CSI drivers that support efficient clone/snapshot operations are the functional equivalent of VAAI. |
| 36 | RDM (Raw Device Mapping) | hostDisk or PV with volumeMode: Block (direct block device access) | Hyper-V pass-through disk | N/A -- no direct device access for customers | OVE: volumeMode: Block provides raw block access to the guest. |
| 37 | Content Library (storage) | Container image registry (Quay, Harbor) + CDI DataSource / DataImportCron | Azure Compute Gallery | Service catalog (managed by provider) | OVE DataImportCron can automatically sync golden images from a registry on a schedule -- equivalent to content library sync. |
| 38 | vSAN stretched cluster | ODF Metro DR (stretch Ceph across two sites) | S2D stretched cluster (2 sites + witness) | Managed twin-DC replication | ODF: requires ODF DR Operator + ACM. S2D: native stretched cluster with site-awareness and a witness node. |
| 39 | Storage Replica | ODF async/sync replication (Ceph RBD mirroring) | Storage Replica (sync or async, volume-level) | Managed replication (twin-DC) | Azure Local Storage Replica is a native Windows Server feature; ODF uses Ceph RBD mirroring via the DR Operator. |
Networking
| # | VMware | OVE | Azure Local | ESC | Notes |
|---|---|---|---|---|---|
| 40 | vSwitch (Standard) | Linux bridge (via Multus + bridge CNI) | Hyper-V Virtual Switch | Managed by provider | OVE: secondary NICs can be attached via NetworkAttachmentDefinition using bridge CNI for simple L2. |
| 41 | Distributed vSwitch (vDS) | OVN-Kubernetes (cluster-wide overlay, consistent across all nodes) | Network ATC (intent-based cluster-wide NIC config) | Managed by provider (NSX-based) | OVN-Kubernetes is the default CNI on OpenShift; it provides a distributed virtual switch equivalent with Geneve overlays. |
| 42 | Port group | NetworkAttachmentDefinition (Multus CR defining a secondary network) | VMSwitch + VLAN configuration (SDN logical network) | Managed by provider | OVE: each NetworkAttachmentDefinition defines a VLAN, bridge, or SR-IOV network that VMs can attach to. |
| 43 | NSX Segment (overlay) | OVN-Kubernetes logical switch (namespace-scoped, Geneve overlay) | SDN Virtual Network (VXLAN-based overlay via Network Controller) | NSX segment (managed by provider) | OVE overlay networks are automatic for pod/VM traffic on the cluster network. Azure Local SDN uses VXLAN; OVE uses Geneve. |
| 44 | NSX Distributed Firewall (DFW) rule | NetworkPolicy / MultiNetworkPolicy (namespace-scoped, label-based) | Datacenter Firewall ACL (via SDN Network Controller) | NSX DFW (managed by provider) | OVE: NetworkPolicy is applied per-namespace to label-selected pods/VMs. Azure Local: Datacenter Firewall ACLs apply to SDN virtual networks. |
| 45 | NSX Tier-0 Gateway | MetalLB (BGP mode) + OVN-Kubernetes Gateway node | SDN Gateway (RAS Gateway for north-south routing) | Managed by provider (NSX Tier-0) | OVE: MetalLB advertises external IPs via BGP. The OVN gateway node handles north-south traffic. |
| 46 | NSX Tier-1 Gateway | OVN-Kubernetes logical router (per-namespace, automatic) | SDN logical network + NAT/routing rules | Managed by provider (NSX Tier-1) | OVE: each namespace gets its own logical router automatically. Inter-namespace routing is handled by OVN. |
| 47 | NSX Transport Zone | OVN-Kubernetes Geneve tunnel mesh (automatic across all nodes) | SDN provider address space (PA pool for VXLAN TEPs) | Managed by provider (NSX transport zone) | OVE: the transport zone equivalent is implicit -- all nodes in the cluster participate in the Geneve mesh. |
| 48 | NSX Security Group | Namespace + labels (pods/VMs selected by label for NetworkPolicy targets) | Network Security Group (NSG, applied to SDN subnets) | NSX security group (managed by provider) | OVE: label selectors on NetworkPolicy act as dynamic security groups. Azure Local: NSGs are applied at the subnet level. |
| 49 | NSX Tag | Kubernetes label (key-value pair on any resource, including VMs) | Azure tag (on Arc VM resources) | NSX tag (managed by provider) | Labels are the universal tagging mechanism in Kubernetes; used for selection, policy, and grouping. |
| 50 | vmknic (VMkernel NIC) | Node NIC managed by NMState Operator (NodeNetworkConfigurationPolicy CR) | Host vNIC (management, storage, live migration -- configured by Network ATC) | Managed by provider | OVE: NMState declaratively configures host NICs (bonds, VLANs, bridges). Azure Local: Network ATC auto-assigns intents (management, storage, compute). |
| 51 | GENEVE TEP (Tunnel Endpoint) | OVN-Kubernetes Geneve TEP (auto-configured per node) | VXLAN TEP (SDN provider address, auto-assigned) | Managed by provider | OVE and Azure Local both use overlay encapsulation (Geneve vs. VXLAN). Both auto-configure TEPs. |
| 52 | Load Balancer (NSX LB) | MetalLB (L2/BGP) + OpenShift Route / Ingress (L7) | Software Load Balancer (SLB, part of SDN stack) | NSX Load Balancer (managed by provider) | OVE: MetalLB for L4 (bare metal), HAProxy-based Ingress or OpenShift Router for L7. Azure Local: SLB is built into the SDN stack. |
| 53 | Traceflow (NSX) | ovnkube-trace CLI tool (traces packet path through OVN flows) | N/A -- use pktmon (Packet Monitor, built into Windows) | Managed by provider | OVE: ovnkube-trace simulates traffic through OVN logical flows. Azure Local: pktmon captures at the vSwitch level but is not a flow-trace tool. |
| 54 | Port mirroring (NSX / vDS) | ovs-mirror on OVS bridge (via Multus secondary interface) | Hyper-V port mirroring (source/destination mode) | Managed by provider | OVE: requires manual OVS mirror setup or a tap CNI plugin. Azure Local: native Hyper-V port mirroring. |
| 55 | SR-IOV | SR-IOV Operator (auto-discovers VFs, creates SriovNetworkNodePolicy CR) | SR-IOV (native Hyper-V support, manual VF config) | N/A -- not available to customers | OVE: the SR-IOV Operator automates VF provisioning and network attachment. |
| 56 | Microsegmentation | NetworkPolicy + MultiNetworkPolicy (per-namespace, per-label) | Datacenter Firewall + NSG ACLs | NSX Distributed Firewall (managed by provider) | OVE microsegmentation operates at the pod/VM level via label selectors, similar in effect to NSX DFW. |
Operations & Management
| # | VMware | OVE | Azure Local | ESC | Notes |
|---|---|---|---|---|---|
| 57 | PowerCLI | oc CLI + virtctl CLI + kubectl | PowerShell (Az.StackHCI, FailoverClusters modules) + Azure CLI (az) | ESC CLI (limited) + ESC REST API | virtctl is the VM-specific CLI (start, stop, migrate, console, SSH proxy). oc handles everything else. |
| 58 | ESXCLI | oc debug node/<name> (opens shell on a node for low-level diagnostics) | Get-ClusterNode, Get-VMHost (PowerShell on the host) | N/A -- no host-level access | OVE: oc debug gives a privileged pod on any node for troubleshooting. Normal operations never require node SSH. |
| 59 | MOB (Managed Object Browser) | Kubernetes API explorer (e.g., oc api-resources, oc explain) | Azure Resource Explorer (portal) | N/A -- no API browser for customers | OVE: oc explain <resource> shows the schema for any CRD. The API itself is the "MOB". |
| 60 | vRealize / Aria Operations (monitoring) | Prometheus + Grafana + Alertmanager (embedded in OpenShift) | Azure Monitor + Azure Arc Insights + Log Analytics | Managed monitoring (provider-side, limited customer drill-down) | OVE ships a fully integrated monitoring stack. Azure Local monitoring lives in the Azure cloud portal. |
| 61 | vRealize Log Insight | OpenShift Logging Operator (Loki or EFK, with log forwarding to Splunk/ELK) | Azure Log Analytics + Azure Sentinel | Managed logging (limited forwarding options) | OVE: ClusterLogForwarder CR sends logs to Splunk, Elasticsearch, Kafka, etc. |
| 62 | Alarm / Alert | Alertmanager alert rule (PrometheusRule CR) | Azure Monitor Alert rule | Provider-managed alerts + service-status notifications | OVE: alerts are defined as Prometheus alerting rules in YAML. Custom alerts are first-class objects. |
| 63 | Task / Event | Kubernetes Event (oc get events) + Audit Log | Azure Activity Log + Windows Event Log | Provider audit log + tenant audit log | OVE: every API action generates a Kubernetes event. The audit log captures who did what and when. |
| 64 | Update Manager (VUM / vLCM) | Operator Lifecycle Manager (OLM) + Cluster Version Operator (CVO) | Azure Local Lifecycle Manager (via Azure Arc) + Cluster-Aware Updating | Managed by provider (patching is Swisscom responsibility) | OVE: cluster upgrades are rolling and automatic; VMs are live-migrated before node drain. Azure Local: updates orchestrated via Arc with Cluster-Aware Updating. |
| 65 | Ansible VMware collection | kubernetes.core + kubevirt.core Ansible collections | azure.azcollection Ansible collection | N/A -- limited Ansible integration (API calls only) | OVE: kubevirt.core provides modules for VM lifecycle. Azure Local: azure.azcollection manages Arc-enabled resources. |
| 66 | Terraform vSphere provider | hashicorp/kubernetes + kubevirt Terraform provider | hashicorp/azurerm Terraform provider | Swisscom Terraform provider (limited maturity) | OVE: the KubeVirt Terraform provider manages VirtualMachine CRs. Azure Local resources are managed via the azurerm provider. |
| 67 | Web Console (vSphere Client) | OpenShift Console (with dedicated Virtualization section) | Azure Portal (primary) + Windows Admin Center (on-prem) | ESC Self-Service Portal | OVE: the web console has a full VM lifecycle UI (create, migrate, console, metrics). Azure Local: Azure Portal is the primary UI; WAC for on-prem tasks. |
| 68 | VNC / VMRC (remote console) | virtctl console (serial) / virtctl vnc (graphical) / web console VNC | Hyper-V VMConnect / Azure Portal serial console | Portal-based console | OVE: virtctl vnc opens a VNC session to the VM from your workstation. |
| 69 | REST API | Kubernetes API (fully RESTful, OpenAPI spec) | Azure Resource Manager (ARM) REST API | Swisscom ESC API | OVE: every operation is an API call; the console is just a frontend. ARM API is Azure's universal management API. |
| 70 | must-gather / support bundle | oc adm must-gather (collects cluster-wide diagnostics into a tarball) | Send-DiagnosticData (Azure Local diagnostic bundle) | Support ticket to Swisscom | OVE: must-gather includes VM-specific data when using the KubeVirt must-gather image. |
| 71 | vSphere Tags & Categories | Kubernetes labels + annotations | Azure tags | N/A -- limited tagging via portal | Labels are used everywhere in OVE for selection, filtering, policy, and grouping. |
| 72 | vSphere Lifecycle Manager (image-based) | Machine Config Operator (MCO) -- manages node OS config and images declaratively | Azure Local OS update via Lifecycle Manager | Managed by provider | OVE: MCO ensures all nodes run the same OS configuration. Changes are rolled out node by node with automatic drain and reboot. |
| 73 | Distributed Power Management | N/A -- not a Kubernetes concept | N/A | N/A | No candidate offers automated host power-down for energy savings. |
Security
| # | VMware | OVE | Azure Local | ESC | Notes |
|---|---|---|---|---|---|
| 74 | vSphere Role / Permission | Kubernetes RBAC (Role, ClusterRole, RoleBinding, ClusterRoleBinding) | Azure RBAC (Entra ID roles, scoped to resource group/subscription) | Tenant-level RBAC (provider-managed) | OVE: RBAC is namespace-scoped (Role) or cluster-wide (ClusterRole). Permissions are verb-based on API resources. |
| 75 | SSO (vCenter SSO) | OpenShift OAuth server (cluster-internal identity broker) | Entra ID (Azure AD) | Swisscom IdP federation | OVE: OAuth server federates to external IdPs. Azure Local: Entra ID is the sole identity provider. |
| 76 | LDAP integration | OAuth Identity Provider with LDAP backend (LDAPIdentityProvider CR) | Active Directory + Entra ID Connect (syncs on-prem AD to Entra ID) | Federation with customer IdP (LDAP/AD) | OVE supports LDAP, OIDC, SAML, GitHub, GitLab, and other identity providers via the OAuth chain. |
| 77 | Encryption at rest | ODF cluster encryption + PV-level encryption + ETCD encryption | BitLocker (on S2D volumes, automatic) | AES-256 (provider-standard) | OVE: three layers -- ETCD secrets encryption, ODF cluster-wide encryption, per-PV encryption. Azure Local: BitLocker is enabled by default on all S2D volumes. |
| 78 | Encryption in transit | TLS 1.2+ everywhere; optional mTLS via Service Mesh | SMB 3.1.1 encryption + TLS for all management channels | TLS 1.2+ (provider-standard) | OVE: intra-cluster traffic uses TLS; Service Mesh (Istio) adds mTLS between workloads. |
| 79 | Secure Boot (host) | UEFI Secure Boot on RHCOS nodes (certified hardware) | UEFI Secure Boot + TPM 2.0 + VBS + HVCI (mandatory) | Managed by provider (not customer-configurable) | Azure Local has the strictest host security posture: Secure Boot, TPM, VBS, and HVCI are all mandatory. |
| 80 | Secure Boot (guest VM) | EFI firmware on VirtualMachine CR (UEFI boot, Secure Boot optional) | Generation 2 VM with Secure Boot + vTPM | Managed by provider | OVE: set firmware.bootloader.efi.secureBoot: true on the VM spec. Azure Local: Gen 2 VMs support Secure Boot and vTPM natively. |
| 81 | Audit log | Kubernetes audit log (configurable audit profiles: Default, WriteRequestBodies, AllRequestBodies) | Azure Activity Log + Windows Security Event Log | ISAE 3402 / SOC 2 Type II audit reports | OVE: audit log captures every API request with user identity, verb, resource, and outcome. Forwarded to SIEM via Logging Operator. |
| 82 | Compliance scanning | Compliance Operator (CIS, NIST 800-53, PCI-DSS benchmarks) | Azure Policy + Microsoft Defender for Cloud | ISO 27001, ISAE 3402, FINMA-CID attestation (provider responsibility) | OVE: Compliance Operator runs OpenSCAP scans and reports deviations as Kubernetes CRs. |
| 83 | Certificate management | cert-manager Operator (ACME, internal CA, Vault integration) | Azure Key Vault (integrated via Arc) | Managed by provider or customer-operated | OVE: cert-manager automates TLS certificate issuance and renewal for all workloads. |
| 84 | Security context / hardening | SELinux enforcing + Pod Security Admission + SecurityContextConstraints (SCC) | Virtualization-Based Security (VBS) + Device Guard + Credential Guard | Managed by provider | OVE: SCCs restrict what a pod/VM launcher can do (capabilities, SELinux labels, volume types). |
| 85 | File Integrity Monitoring | File Integrity Operator (FIO, monitors node filesystem for unauthorized changes) | Microsoft Defender for Endpoint (FIM capability) | Managed by provider | OVE: FIO uses AIDE under the hood and reports changes as Kubernetes events. |
| 86 | FIPS 140 mode | FIPS mode available on RHCOS (cluster-wide, set at install time) | Windows FIPS 140-2 validated cryptographic modules | Managed by provider | OVE: FIPS mode enforces FIPS-validated crypto libraries for all cluster components. Must be set during initial cluster installation. |
| 87 | Network encryption (overlay) | OVN-Kubernetes IPsec (encrypts Geneve tunnel traffic between nodes) | SMB encryption for storage traffic; VXLAN not encrypted by default | Managed by provider | OVE: IPsec can be enabled on the OVN overlay to encrypt all inter-node VM traffic. Azure Local VXLAN overlay is not encrypted; use SDN Network Controller ACLs for isolation. |
Backup, DR & Business Continuity
| # | VMware | OVE | Azure Local | ESC | Notes |
|---|---|---|---|---|---|
| 88 | vSphere Replication | ODF Ceph RBD mirroring (async/sync via DR Operator) | Storage Replica (sync/async, volume-level) | Managed replication (twin-DC, sync/async) | OVE: DR Operator + ACM orchestrate failover across two OVE clusters. Azure Local: Storage Replica supports both synchronous (metro) and asynchronous (WAN) replication. |
| 89 | Site Recovery Manager (SRM) | ODF DR Operator + Advanced Cluster Management (ACM) | Azure Site Recovery (ASR) | Managed DR as a service | OVE: ACM automates VM failover and failback across clusters. Azure Local: ASR replicates VMs to Azure or another Azure Local cluster. |
| 90 | Veeam / backup integration | OADP Operator (Velero-based) + Kasten K10 + Trilio + Veeam Kasten | Azure Backup (native) + Veeam + Commvault + Rubrik | Backup as a managed service (Swisscom) | OVE: OADP uses Velero for VM-aware backups (quiesce guest, snapshot PVCs, upload to S3). |
Migration
| # | VMware | OVE | Azure Local | ESC | Notes |
|---|---|---|---|---|---|
| 91 | VMware HCX | Migration Toolkit for Virtualization (MTV Operator) | Azure Migrate (Server Assessment + Server Migration) | VMware HCX / vMotion (VMware-to-VMware, trivial) | OVE MTV connects to vCenter API, maps networks/storage, and migrates VMs (cold or warm). Azure Migrate uses replication-based migration with minimal cutover. |
| 92 | vCenter Converter | MTV (same tool, handles VMDK conversion to raw/qcow2 via CDI) | Azure Migrate (handles VMDK to VHD/VHDX conversion) | N/A -- same hypervisor, no conversion needed | OVE: CDI (Containerized Data Importer) handles disk format conversion transparently during migration. |
| 93 | Change Block Tracking (CBT) | MTV warm migration (uses VMware CBT via VDDK to track delta blocks) | Azure Migrate replication (continuous replication with change tracking) | N/A | OVE: MTV warm migration leverages CBT to minimize cutover downtime to minutes. |
Multi-Cluster & Lifecycle
| # | VMware | OVE | Azure Local | ESC | Notes |
|---|---|---|---|---|---|
| 94 | vCenter Linked Mode | Advanced Cluster Management for Kubernetes (ACM) | Azure Arc (multi-cluster registration + Azure Resource Manager) | N/A -- single managed environment | OVE ACM provides a single pane of glass for multiple OVE clusters (policy, observability, VM placement). Azure Arc registers multiple clusters into one Azure tenant. |
| 95 | vSphere Cluster (HA/DRS group) | OpenShift Cluster (single control plane + worker pool) | Azure Local Failover Cluster (single cluster, max 16 nodes) | Managed by provider | OVE: one cluster is the HA domain. For >5,000 VMs, a single ~100-node cluster suffices. Azure Local requires multiple 16-node clusters. |
| 96 | vSphere Update Manager (VUM) | Cluster Version Operator (CVO) + OLM | Azure Local Lifecycle Manager (via Arc) | Managed by provider | OVE: CVO handles platform upgrades; OLM handles operator (add-on) upgrades. Both are declarative and automated. |
| 97 | vSphere Distributed Switch update | NMState Operator (NodeNetworkConfigurationPolicy applied cluster-wide) | Network ATC (intent re-evaluation on config change) | Managed by provider | OVE: NMState applies network configuration changes declaratively across all matching nodes. |
Observability & Troubleshooting
| # | VMware | OVE | Azure Local | ESC | Notes |
|---|---|---|---|---|---|
| 98 | vROps dashboards | Grafana dashboards (pre-built for OpenShift Virtualization) | Azure Monitor workbooks + Azure Arc Insights | Provider-managed dashboards (limited customer visibility) | OVE: OpenShift ships with VM-specific Grafana dashboards (CPU, memory, disk, network per VM). |
| 99 | vROps capacity planning | Prometheus metrics + custom Grafana dashboards or third-party tools | Azure Monitor + Azure Advisor recommendations | Managed by provider | OVE: capacity planning uses Prometheus metrics (node CPU/mem utilization, storage usage). No built-in capacity planner. |
| 100 | ESXi DCUI (Direct Console UI) | oc debug node/<name> (drops into a privileged shell on the node) | Server Manager / WAC / SCONFIG on the host | N/A -- no host access | OVE: oc debug is the emergency access path; normal operations are fully remote. |
| 101 | Network I/O Control (NIOC) | OVN-Kubernetes QoS (bandwidth limiting via NetworkPolicy annotations) | DCB (Data Center Bridging) + SMB Direct RDMA QoS | Managed by provider | OVE: bandwidth can be limited per VM NIC via annotations. Azure Local: hardware-level QoS via DCB. |
| 102 | vSphere Health Check | Insights Advisor (Red Hat Insights, SaaS-based cluster health) | Azure Arc cluster health checks + Cluster Validation (Test-Cluster) | Managed by provider (proactive health monitoring) | OVE: Insights Advisor provides proactive recommendations, CVE alerts, and configuration drift detection. |
Kubernetes / Container Integration
| # | VMware | OVE | Azure Local | ESC | Notes |
|---|---|---|---|---|---|
| 103 | Tanzu Kubernetes Grid (TKG) | Native -- OVE is Kubernetes; VMs and containers coexist on the same control plane | AKS on Azure Local (separate K8s cluster deployed on Hyper-V VMs) | Swisscom Container Services (EoL 31.12.2026, successor unclear) | OVE: strongest differentiator -- no second platform needed for Phase 2 containerization. Azure Local: AKS runs as a separate managed K8s cluster on top of Hyper-V. |
| 104 | vSphere Pod (Project Pacific) | Pod (native Kubernetes Pod, runs alongside VMs on the same nodes) | AKS Pod (runs inside AKS-managed K8s cluster, separate from Hyper-V VMs) | N/A | OVE: a VM and a containerized app can share the same namespace, network, and storage class. |
| 105 | VM Service (Tanzu) | VirtualMachine CR (first-class Kubernetes resource, managed via kubectl/oc) | Arc VM (Azure-managed VM resource on Azure Local) | VM as a service (ESC portal) | OVE: VMs are declared in YAML, version-controlled in Git, deployed via CI/CD pipelines -- true GitOps for VMs. |
Identity & Multi-Tenancy
| # | VMware | OVE | Azure Local | ESC | Notes |
|---|---|---|---|---|---|
| 106 | vSphere SSO domain | OpenShift OAuth server + external IdP (LDAP, OIDC, SAML) | Entra ID tenant (Azure AD) | Swisscom IdP federation | OVE supports multiple concurrent identity providers. Azure Local: single Entra ID tenant per cluster. |
| 107 | vCenter Permissions (propagating) | RBAC RoleBinding (namespace-scoped) / ClusterRoleBinding (cluster-wide) | Azure RBAC role assignment (scoped to subscription, resource group, or resource) | Tenant-level permissions (managed by provider) | OVE: permissions propagate through namespace hierarchy but not across namespaces automatically. Use ClusterRole for cluster-wide policies. |
| 108 | vCenter Global Permissions | ClusterRoleBinding (applies a ClusterRole to a user/group cluster-wide) | Azure RBAC at subscription scope | N/A -- provider controls global access | OVE: ClusterRoleBinding grants permissions across all namespaces. |
| 109 | vSphere Content Library sharing (cross-vCenter) | Image registry replication (Quay/Harbor geo-replication) | Azure Compute Gallery replication (cross-region) | N/A | OVE: container registries support geo-replication natively. Azure Compute Gallery replicates images across Azure regions. |
Quick Abbreviation Reference
| Abbreviation | Meaning |
|---|---|
| ACM | Advanced Cluster Management (Red Hat) |
| ARM | Azure Resource Manager |
| CBT | Change Block Tracking |
| CDI | Containerized Data Importer |
| CNI | Container Network Interface |
| CR | Custom Resource (Kubernetes) |
| CRD | Custom Resource Definition |
| CSV | Cluster Shared Volume (Azure Local) |
| CVO | Cluster Version Operator |
| DDA | Discrete Device Assignment (Hyper-V) |
| DRS | Distributed Resource Scheduler (VMware) |
| ESC | Enterprise Service Cloud (Swisscom) |
| FT | Fault Tolerance (VMware) |
| HA | High Availability |
| HVCI | Hypervisor-Protected Code Integrity |
| MCO | Machine Config Operator |
| MTV | Migration Toolkit for Virtualization (Red Hat) |
| ODF | OpenShift Data Foundation (Ceph-based) |
| OLM | Operator Lifecycle Manager |
| OVE | OpenShift Virtualization Engine |
| OVN | Open Virtual Networking |
| PV | PersistentVolume |
| PVC | PersistentVolumeClaim |
| RBAC | Role-Based Access Control |
| S2D | Storage Spaces Direct |
| SCC | SecurityContextConstraints |
| SDN | Software-Defined Networking |
| SR-IOV | Single Root I/O Virtualization |
| VBS | Virtualization-Based Security |
| VF | Virtual Function (SR-IOV) |
| WAC | Windows Admin Center |