Drive vCenter from cron, vSphere events, webhooks, or any HTTP signal. Snapshot before patching, gate destructive ops with the Pause task, retry only the failed step, and chain VMware with Ansible, Terraform, and ServiceNow in one execution history.
Replace VMware Aria Automation (vRA/vRO) with a workflow engine that listens to vCenter events, handles snapshot-gated change with rollback, and chains Ansible, ServiceNow, and Terraform in one audited flow. Drop the Broadcom-priced vRA subscription; run per-zone control planes for regulated OT.
What Kestra wraps around vSphere: when actions fire, what gets a snapshot first, who approves a delete, and where the audit lives. Your vCenter and ESXi hosts stay in place. The vRA/vRO catalog gets replaced.
The vcenter.Trigger and esxi.Trigger from the VMware plugin poll vSphere every minute or two for VM lifecycle events: created, removed, powered off, suspended, failed to power on. Filter by event type and a VM name regex. The payload reaches the flow as trigger.events, so cleanup, alerts, or DR steps run with the right VM in context.
CreateVmSnapshot runs before patches, template refreshes, or risky reconfigurations. RestoreVmFromSnapshot reverts on a failed health check. The snapshot ID flows forward, so every patch run has a rollback target captured per execution.
After CloneVm finishes, the VM's IP, hostname, and UUID flow into the next task. Ansible joins the domain and installs agents. ServiceNow gets a new CMDB record. One execution ID across the whole chain, retries scoped to the failing step.
The Pause task suspends the flow before delete, reset, or template conversion. A Kestra App turns the operation into a typed form: dropdowns for the VM, the snapshot, the datastore, the target environment. Operators submit. RBAC controls who can launch what. Same shape replaces the vRA self-service catalog.
Kestra runs as a self-hosted control plane inside each network zone, with remote workers close to the vSphere endpoint. No external connectivity, no shared control plane across regulated boundaries. One control plane per zone keeps blast radius contained.
Every operation captures the trigger source, the VM name, the snapshot taken, the operator, and the resulting state. The record is searchable by date, status, or VM. Auditors get evidence by default, attached to the execution that produced it.
Patterns vSphere admins and platform teams run in production today. Each one shows the flow end to end, with the real plugin classes in play.
vcenter.CloneVm deploys a VM from a golden template. The VM's IP and hostname flow into Ansible, which joins the domain, installs agents, and applies config. ServiceNow gets a new CMDB entry. Slack confirms. One execution ID across the whole chain.
Retry only the failed step. The CloneVm task does not re-run when the playbook fails.
Pass the VM name, IP, and vCenter UUID into the Ansible inventory and the ServiceNow record.
One execution ID across vCenter, Ansible, and ServiceNow. One UI to debug.
Every provision lands a record in ServiceNow with the vCenter metadata attached.
CreateVmSnapshot captures the pre-patch state. A Shell or Ansible task runs the OS update over SSH. An HTTP probe checks the application after reboot. On failure, RestoreVmFromSnapshot rolls back automatically and Slack alerts the on-call. The snapshot ID is preserved per execution so the rollback always lands on the right state.
The snapshotExtId is stored in the execution outputs and reusable downstream.
An errors branch fires RestoreVmFromSnapshot if the post-patch probe fails.
Re-run the patch on the same VM with the same snapshot from the execution UI.
Slack message includes the VM name, snapshot ID, and the URL of the failing execution.
The vcenter.Trigger polls for VM removal events. When a VM disappears from vCenter, a ForEach loops over the events, removes the DNS A record, deletes the Active Directory computer object via PowerShell, and posts a CrowdStrike API call to hide the host. The whole offboarding sequence runs without a human in the loop.
Sub-minute event detection without a webhook on vCenter.
Match only VmRemovedEvent on names matching a regex (production, staging, test).
Each removed VM gets its own ForEach iteration and its own log line.
Skip steps that already ran if the DNS or AD entry is already gone.
Published as the vm-event-based-cleanup blueprint in the Kestra catalog.
Replace the vRA service catalog with a typed form. Operators pick the template, datastore, network, and target environment from dropdowns. The same audited flow runs every time: clone, configure, register. RBAC controls who can launch what.
Form inputs validated before the run. Datastore, network, template all picked from live data.
Role-based access on the form itself, not on vCenter console handouts.
Every submission goes through the same audited, retry-aware execution.
| Capability | | | | Jenkins + scripts |
|---|---|---|---|---|
| Workflow language | Declarative YAML, Git-native, plus polyglot scripts (Python, JS, Bash, Groovy, R) | Polyglot vRO actions (JS, PowerShell, Python) with proprietary APIs | Cypher / Morpheus-specific scripts | Groovy pipelines |
| Event triggers on vCenter / ESXi | Native polling triggers, regex filter | vRO event subscriptions | Built-in event subscriptions | Webhook only |
| Snapshot-first patching with rollback | Native, snapshot ID flows forward | Custom vRO workflow per pattern | Built-in policy actions | Manual via shell + PowerCLI |
| Chain with Ansible, Terraform, ServiceNow | Native, with outputs | vRO plugins (limited extensibility) | Built-in connectors (proprietary) | Possible, glue scripts required |
| Self-service forms with RBAC | Kestra Apps, typed inputs | vRA service catalog | Built-in self-service catalog | Parameterized build |
| Per-zone control plane (air-gapped, OT) | Self-hosted per zone | Centralized appliance | Centralized appliance | Self-hosted |
| Licensing model | Instance + worker-based | Per-VM + per-user (Broadcom) | Per-workload | Free (build minutes for cloud) |
| Orchestrate beyond VMware | 1300+ plugins, cross-stack | VMware-centric, multi-cloud add-ons | Multi-cloud (proprietary connectors) | Possible, plugin-dependent |
Side-by-side breakdown across vSphere lifecycle, multi-cloud reach, self-service catalogs, and developer ergonomics.
Find answers to your questions right here, and don't hesitate to Contact Us if you couldn't find what you're looking for.
Orchestrate VMware Without the Legacy Automation Layer
The VMware plugin end to end: vSphere, vCenter, ESXi lifecycle, snapshots, templates, and event-based triggers.
Automate infrastructure workflows in Kestra
How Kestra orchestrates VMware, Docker, Terraform, OpenTofu, Ansible, and cloud CLIs in one declarative flow.
Hybrid cloud automation: patterns and platforms
Where Kestra fits alongside vSphere, AWS, Azure, and GCP for hybrid cloud automation, with platform comparisons.
VMware plugin reference
Every vCenter and ESXi task, every event type, every parameter, with copy-ready YAML examples.
Keep vCenter and ESXi. Replace vRA/vRO with declarative YAML flows: event triggers, snapshot-gated patching, self-service forms, and one audit trail across VMware, Ansible, Terraform, and ServiceNow.
