
Introducing VMware Validated Design

14 APR 2020

VMware Validated Design 6.0

VMware Cloud Foundation 4.0


You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

[email protected]

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2016-2020 VMware, Inc. All rights reserved. Copyright and trademark information.


Contents

About Introducing VMware Validated Design 4

1 Features of VMware Validated Design 5

2 SDDC Architecture 7

3 Design Objectives of VMware Validated Design 9

4 Workload Domains in VMware Validated Design 11

5 Deployment of VMware Validated Design 15

6 Documentation Structure and Audience 18

7 SDDC Architecture Overview 23

Physical Infrastructure Layer 26

Virtual Infrastructure Layer 29

Security and Compliance Layer 36

Cloud Operations Layer 41

Cloud Automation Layer 49

Multiple Availability Zones 52


About Introducing VMware Validated Design

The Introducing VMware Validated Design document provides guidance on using the content of VMware Validated Design™ for Software-Defined Data Center. The guide also contains a high-level overview of the Software-Defined Data Center (SDDC) design that is supported in this VMware Validated Design version.

Introducing VMware Validated Design includes the following information:

• Design objectives

• Document structure and purpose

• SDDC high-level overview

Intended Audience

Introducing VMware Validated Design is intended for cloud architects, infrastructure administrators, cloud administrators, and cloud operators who want to become familiar with VMware Validated Design to deploy and manage an SDDC that meets the requirements for capacity and scalability.

Required Software

Introducing VMware Validated Design is compliant and validated with certain product versions. For more information about supported product versions, see VMware Validated Design Release Notes.

Update History

Introducing VMware Validated Design is updated with each release of the product or when necessary.

Revision history:

2 JUN 2020: According to the configuration maximums for a medium-size vCenter Server appliance with default storage size and VMware Cloud Foundation, you can deploy up to 4,000 virtual machines per virtual infrastructure workload domain and up to 56,000 virtual machines in a VMware Cloud Foundation environment of 14 workload domains. See Chapter 3 Design Objectives of VMware Validated Design.

14 APR 2020: Initial release.


Chapter 1 Features of VMware Validated Design

Use VMware Validated Designs to build a scalable Software-Defined Data Center that is based on VMware best practices.

VMware Validated Designs have the following advantages:

One path to SDDC

After you satisfy the deployment requirements, follow one consistent path to deploy an SDDC.

VMware Validated Designs provide a tested solution path with information about product versions, networking architecture, capabilities, and limitations.

SDDC design for use in production

A VMware Validated Design supports an SDDC that has the following features:

• High availability of management components

• Backup and restore of management components

• Monitoring and alerting

Validated design and deployment

The prescriptive documentation of a VMware Validated Design is continuously tested by VMware.

Validation provides the following advantages to your organization:

• Validated product interoperability

• Reduced risk of deployment and operational problems

• Reduced test effort

Validated solution capabilities

• Churn rate of tenant workloads

• High availability of management components

• Operational continuity

Fast SDDC standup


You can implement a data center without engaging in design work and product research. After you download all SDDC products, follow the detailed design and step-by-step instructions.

Support for latest product releases

Every version of a VMware Validated Design accommodates new product releases. If you have deployed an SDDC according to an earlier version of a VMware Validated Design, you can directly follow the validated design to upgrade your environment.


Chapter 2 SDDC Architecture

VMware Validated Design supports an SDDC architecture according to the requirements of your organization and the resource capabilities of your environment.

High-Level Logical Design of the SDDC

The SDDC according to VMware Validated Design contains the main services that are required to cover provisioning of virtualized and containerized workloads, cloud operations, and cloud automation.

Figure 2-1. Logical Design of the SDDC

[Figure: the components shown are vCenter Server, NSX-T Data Center, SDDC Manager, vRealize Suite Lifecycle Manager, vRealize Operations Manager, vRealize Log Insight, vRealize Automation, Workspace ONE Access, Active Directory, and VMware Depot, running on a vSphere cluster of ESXi hosts. The interactions shown between them are: central management of the virtual infrastructure; load balancing, logical switching, and logical routing; network services deployment; workload deployments; workload metrics and workload costing; monitoring, log collection, and log analysis; identity and access management, authentication management, and central user management; solution and product life cycle management; storing product binaries; and launch in context, notification events, and UI integration.]


SDDC Architecture

VMware Validated Design supports the Standard SDDC architecture of VMware Cloud Foundation. This architecture implements a production-ready SDDC that includes at least two workload domains: a management domain and a virtual infrastructure workload domain. See Chapter 4 Workload Domains in VMware Validated Design.


Chapter 3 Design Objectives of VMware Validated Design

According to the SDDC implementation type, a VMware Validated Design has objectives to deliver prescriptive content about an SDDC that is fast to deploy and is suitable for use in production.

Table 3-1. Objectives of VMware Validated Design for Software-Defined Data Center

Main objective: SDDC capable of automated provisioning of on-premises workloads, hybrid workloads, and containers.

Scope of deployment: Greenfield deployment of the management and workload domains of the SDDC, and incremental expansion of these domains as needed.

Cloud type: On-premises private cloud with support for hybrid cloud.

Number of regions and disaster recovery support: Single-region multi-site SDDC that you can potentially use as a best practice for a second VMware Cloud Foundation instance. Availability zones are separate sites connected with low latency and high bandwidth. Regions have higher latency and lower bandwidth connectivity.

Maximum number of virtual machines and churn rate: By default, in a workload domain, VMware Cloud Foundation 4.0 deploys a medium-size vCenter Server appliance with default storage size. As a result, in VMware Validated Design 6.0, you determine the maximum number of virtual machines in the SDDC according to this deployment specification of vCenter Server.

  • 4,000 running virtual machines per virtual infrastructure workload domain

  • 56,000 running virtual machines overall, distributed across 14 virtual infrastructure workload domains

  • Churn rate of 150 virtual machines per hour

  Churn rate is related to provisioning, power cycle operations, and decommissioning of one tenant virtual machine by using a blueprint in the cloud management platform. A churn rate of 100 means that 100 tenant workloads are provisioned, pass the power cycle operations, and are deleted.

Maximum number of containers or pods: 2,000 pods per Supervisor Cluster


Table 3-1. Objectives of VMware Validated Design for Software-Defined Data Center (continued)

Number of workload domains in a region: Minimum two-domain setup, with a minimum of 4 VMware ESXi™ hosts in a domain. The validated design requires the following workload domains for SDDC deployment:

  • Management domain. Contains the appliances of the SDDC management components.

  • One or more solution-specific workload domains for Infrastructure-as-a-Service (IaaS), containers, and virtual desktop infrastructure (VDI). Up to 14 workload domains per region.

    • Contains the tenant workloads.

    • Contains the required SDDC services to enable the solution that is deployed.

  See Chapter 4 Workload Domains in VMware Validated Design.

Data center virtualization: Maximized workload flexibility and limited dependencies on static data center infrastructure by using compute, storage, and network virtualization.

Scope of guidance:

  • Greenfield deployment of the management domain, workload domains, and solutions working on top of the infrastructure in the domains.

  • Incremental expansion of the deployed infrastructure:

    • In a single region

    • To additional availability zones

  • Deployment and initial setup of management components at the levels of virtualization infrastructure, cloud automation, and cloud operations.

  • Basic tenant operations such as creating a tenant, assigning tenant capacity, and configuring user access.

  • Operations on the management components of the SDDC such as monitoring and alerting, backup and restore, and post-maintenance validation.

Overall availability:

  • 99.7% management plane availability

  • Workload availability subject to specific availability requirements

  Planned downtime is expected for upgrades, patching, and on-going maintenance.

Authentication, authorization, and access control:

  • Use of Microsoft Active Directory as a central user repository.

  • Use of service accounts with the minimum required authentication and Access Control List configuration.

Certificate signing: Certificates are signed by an external certificate authority (CA) that consists of a root and intermediate authority layers.

Hardening: Tenant workload traffic can be separated from the management traffic.
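The certificate signing objective above calls for an external CA with a root layer and an intermediate layer. The following Go program is an example added for this page; it is not code from VMware or from the VMware Validated Design. It builds such a two-tier chain in memory with the standard library, verifies a leaf certificate issued to one management component against the root, and shows what happens when a component presents only its own certificate without the intermediate, which is the usual reason a CA-signed certificate fails validation after installation. The CA names, the host name sddc-manager.example.local, the validity periods, and the function names BuildTwoTierChain and VerifyLeaf are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caTemplate returns a CA certificate template with certificate-signing key usage.
func caTemplate(serial int64, cn string, years int) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue signs template with parentKey on behalf of parent (self-signed when parent is nil).
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildTwoTierChain builds root -> intermediate -> leaf in memory and returns the
// three certificates. The CA names and leafDNS are constructed placeholders.
func BuildTwoTierChain(leafDNS string) (root, inter, leaf *x509.Certificate, err error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, nil, nil, err
		}
	}
	rootKey, interKey, leafKey := keys[0], keys[1], keys[2]
	// Root: the offline trust anchor; MaxPathLen 1 permits exactly one CA layer below it.
	rootTpl := caTemplate(1, "Example Root CA", 10)
	rootTpl.MaxPathLen = 1
	if root, err = issue(rootTpl, nil, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	// Intermediate: the online issuing CA; MaxPathLenZero forbids further sub-CAs.
	interTpl := caTemplate(2, "Example Issuing CA", 5)
	interTpl.MaxPathLenZero = true
	if inter, err = issue(interTpl, root, &interKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	// Leaf: TLS server certificate for one management component, bound to its DNS name.
	now := time.Now()
	leaf, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: leafDNS},
		DNSNames:  []string{leafDNS},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return root, inter, leaf, nil
}

// VerifyLeaf validates leaf for dnsName against root using the intermediates the
// server presented. It returns the verified path length (3 for root -> intermediate
// -> leaf) or the verification error.
func VerifyLeaf(leaf, root *x509.Certificate, intermediates []*x509.Certificate, dnsName string) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	const host = "sddc-manager.example.local" // constructed placeholder name
	root, inter, leaf, err := BuildTwoTierChain(host)
	if err != nil {
		panic(err)
	}
	n, err := VerifyLeaf(leaf, root, []*x509.Certificate{inter}, host)
	fmt.Println("with intermediate: path length", n, "error", err)
	_, err = VerifyLeaf(leaf, root, nil, host)
	fmt.Println("without intermediate: error", err)
}
```

Only the root is added to the trust store; the intermediate must travel with the leaf. The check to keep from this when replacing the certificate of a management component is that a client which trusts only the root still builds a complete path, which in this program means a path length of 3 with the intermediate present and an unknown-authority error without it.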


Chapter 4 Workload Domains in VMware Validated Design

In VMware Validated Design, a workload domain represents a logical unit that groups ESXi hosts managed by a vCenter Server instance with specific characteristics according to VMware SDDC best practices.

A workload domain exists in the boundaries of an SDDC region. A region can contain one or more domains. A workload domain cannot span multiple regions.

Each domain contains the following components:

• One VMware vCenter Server™ instance.

• At least one vSphere cluster with vSphere HA and vSphere DRS enabled. See Cluster Types.

• One vSphere Distributed Switch per cluster for system traffic and NSX-T segments for workloads.

• One NSX-T Manager cluster for configuring and implementing software-defined networking.

• One NSX-T Edge cluster that connects the workloads in the domain for logical switching, logical dynamic routing, and load balancing.

• One or more shared storage allocations.

Management Domain

Contains the SDDC management components.

The management domain has the following features:

Table 4-1. Features of the Management Domain

Types of workloads: Management workloads and networking components for them.

Cluster types: Management cluster

Virtual switch type:

  • vSphere Distributed Switch for system traffic and NSX-T network segments

  • NSX-T Virtual Distributed Switch (N-VDS) on the NSX-T Edge nodes

Software-defined networking: NSX-T Data Center

Shared storage type:

  • vSAN for primary storage

  • NFS for secondary storage


Table 4-1. Features of the Management Domain (continued)

Time of deployment: First domain to deploy during initial SDDC implementation

Deployment method: Deployed by VMware Cloud Builder as part of the bring-up process of VMware Cloud Foundation

Table 4-2. Management Workloads for the Management Domain (component: cluster location)

vCenter Server: First cluster in the domain

NSX-T Manager cluster: First cluster in the domain

NSX-T Edge cluster for north-south routing, east-west routing, and load balancing: First cluster in the domain

Virtual Infrastructure Workload Domains

Contains tenant workloads that use NSX-T Data Center for logical networking. According to the requirements of your organization, you can deploy multiple virtual infrastructure (VI) workload domains in your environment.

A virtual infrastructure workload domain has the following features:

Table 4-3. Features of a VI Workload Domain

Types of workloads: Tenant workloads and networking components for them.

Cluster types:

  • Shared edge and workload cluster

  • Additional workload clusters

Virtual switch type:

  • vSphere Distributed Switch for system traffic from the management domain and for NSX-T network segments

  • N-VDS on the NSX-T Edge nodes in the workload domain

Software-defined networking: NSX-T Data Center

Shared storage type: vSAN. You can also use NFS according to the requirements of your organization.

Time of deployment: After initial SDDC bring-up of the management domain

Deployment method: Deployed by SDDC Manager


Table 4-4. Management Workloads for a VI Workload Domain

vCenter Server

  Deployment location: First cluster in the management domain

  Shared between workload domains: No

NSX-T Manager cluster

  Deployment location: First cluster in the management domain. Deployed with the first VI workload domain.

  Shared between workload domains:

    • Yes, for workload domains where workloads share the same overlay transport zone cross-domain and are provisioned without using vRealize Automation

    • No, for workload domains where workloads must be connected to domain-specific transport zones or where you use vRealize Automation for workload provisioning

NSX-T Edge cluster for north-south and east-west routing

  Deployment location: Shared edge and workload cluster in the workload domain. Deployed with the first VI workload domain.

  Shared between workload domains:

    • Yes, for workload domains where workloads share the same overlay transport zone cross-domain and are provisioned without using vRealize Automation

    • No, for workload domains where workloads must be connected to domain-specific transport zones or where you use vRealize Automation for workload provisioning

vSphere with Kubernetes Workload Domains

Contains containerized workloads that use vSphere with Kubernetes for container provisioning and NSX-T Data Center for logical networking. According to the requirements of your organization, you can deploy multiple vSphere with Kubernetes workload domains.

A vSphere with Kubernetes workload domain has the following features:

Table 4-5. Features of a vSphere with Kubernetes Workload Domain

Types of workloads: Containerized workloads and networking components for them.

Cluster types:

  • Shared edge and workload cluster

  • Additional workload clusters

Virtual switch type:

  • vSphere Distributed Switch for system traffic from the management domain and for NSX-T network segments

  • N-VDS on the NSX-T Edge nodes in the workload domain

Software-defined networking: NSX-T Data Center

Shared storage type: vSAN. You can also use FC/FCoE, iSCSI, or NFS according to the requirements of your organization.


Table 4-5. Features of a vSphere with Kubernetes Workload Domain (continued)

Time of deployment: After initial SDDC bring-up of the management domain

Deployment method: You use SDDC Manager for environment validation and the vSphere Client for enabling vSphere with Kubernetes

Table 4-6. Management Workloads for a vSphere with Kubernetes Workload Domain

vCenter Server

  Deployment location: First cluster in the management domain

  Shared between workload domains: No

NSX-T Manager cluster

  Deployment location: First cluster in the management domain. Deployed with the first VI workload domain.

  Shared between workload domains:

    • Yes, for workload domains where workloads share the same overlay transport zone cross-domain and are provisioned without using vRealize Automation

    • No, for workload domains where workloads must be connected to domain-specific transport zones or where you use vRealize Automation for workload provisioning

NSX-T Edge cluster for north-south and east-west routing

  Deployment location: Shared edge and workload cluster. Deployed with the first vSphere with Kubernetes workload domain.

  Shared between workload domains:

    • Yes, for workload domains where workloads share the same overlay transport zone cross-domain

    • No, for workload domains where workloads must be connected to domain-specific transport zones

Supervisor Cluster

  Deployment location: Shared edge and workload cluster

  Shared between workload domains: No


Chapter 5 Deployment of VMware Validated Design

The deployment of the SDDC is automated. You use VMware Cloud Builder to deploy the SDDC management domain, SDDC Manager to deploy workload domains for tenant workloads, and vRealize Suite Lifecycle Manager to deploy the vRealize Suite products in this design. You deploy SDDC management components manually only in a few cases, according to the instructions.

The workflow for SDDC deployment consists of the following stages:

Figure 5-1. SDDC Deployment Workflow with a VI Workload Domain

[Figure: deployment flow in a workload domain, in three stages. 1. Management Domain: 1.1 User installs ESXi on the domain hosts; 1.2 Cloud Builder deploys the virtual infrastructure (vCenter Server, NSX-T, vSAN) and SDDC Manager; 1.3 User deploys Region-Specific Workspace ONE Access. 2. Virtual Infrastructure Workload Domain: 2.1 User installs ESXi on the domain hosts; 2.2 SDDC Manager deploys the virtual infrastructure (vCenter Server, NSX-T, and vSAN, NFS, or VMFS); 2.3 User connects Region-Specific Workspace ONE Access to the workload domain. 3. Cloud Operations and Cloud Automation Solutions: 3.1 SDDC Manager deploys vRealize Suite Lifecycle Manager; 3.2 vRealize Suite Lifecycle Manager deploys the vRealize Suite products (vRealize Log Insight, vRealize Operations Manager, vRealize Automation) and Cross-Region Workspace ONE Access; 3.3 User connects the vRealize Suite to the workload domain.]


Figure 5-2. SDDC Deployment Workflow with a vSphere with Kubernetes Workload Domain

[Figure: deployment flow in a workload domain, in three stages. 1. Management Domain: 1.1 User installs ESXi on the domain hosts; 1.2 Cloud Builder deploys the virtual infrastructure (vCenter Server, NSX-T, vSAN) and SDDC Manager; 1.3 User deploys Region-Specific Workspace ONE Access. 2. vSphere with Kubernetes Workload Domain: 2.1 User installs ESXi on the domain hosts; 2.2 SDDC Manager deploys the virtual infrastructure (vCenter Server, NSX-T, and vSAN, NFS, or VMFS); 2.3 User connects Region-Specific Workspace ONE Access to the workload domain; 2.4 SDDC Manager validates the environment; 2.5 User enables vSphere with Kubernetes. 3. Cloud Operations and Cloud Automation Solutions: 3.1 SDDC Manager deploys vRealize Suite Lifecycle Manager; 3.2 vRealize Suite Lifecycle Manager deploys the vRealize Suite products (vRealize Log Insight, vRealize Operations Manager) and Cross-Region Workspace ONE Access; 3.3 User connects the vRealize Suite to the workload domain.]

1 Prepare the data center and fill in the environment specification.

Work with the technology team of your organization on configuring the physical servers, network, and storage in the data center. Collect the environment details and write them down in the Planning and Preparation Workbook in Microsoft® Excel® spreadsheet format (XLS).

2 Deploy the management domain of the SDDC.

See VMware Validated Design Deployment of the Management Domain.

a Prepare the deployment specification of the management domain.

Download the deployment parameter workbook from My VMware and fill in the details for the management domain deployment. You can use the details from the Planning and Preparation Workbook.

b Prepare the environment for the management domain.

Install and configure ESXi on the physical servers.

c Prepare VMware Cloud Builder.

Download and deploy the VMware Cloud Builder appliance from My VMware.

d Run the automated deployment of the management domain.

Upload the deployment parameter workbook to VMware Cloud Builder, perform an audit of the target environment, and bring up the SDDC management domain.


After the automated deployment is complete, in addition to the virtual infrastructure component, your environment contains SDDC Manager.

e Complete the initial configuration of the management domain.

Configure SDDC Manager for managing the SDDC and enable secure access within and to the management domain. Then, deploy manually the region-specific Workspace ONE Access instance and connect the management domain components to it.

3 Deploy a virtual infrastructure workload domain or vSphere with Kubernetes workload domain.

See VMware Validated Design Deployment of a Virtual Infrastructure Workload Domain and VMware Validated Design Deployment of a vSphere with Kubernetes Workload Domain.

a Prepare the environment for the workload domain.

Install and configure ESXi on the physical servers. Create a network pool for the workload domain, and upload product license keys.

b Run the automated deployment of the workload domain.

In SDDC Manager, provide the specification of the workload domain and initiate deployment. SDDC Manager validates the virtual infrastructure and provisions the requested virtual infrastructure. Then, deploy an NSX-T Edge cluster to the shared edge and workload cluster again by using SDDC Manager.

c Complete the initial configuration of the workload domain.

Enable secure access within and to the workload domain. Then, connect the workload domain components to the region-specific Workspace ONE Access instance.

d For a vSphere with Kubernetes workload domain, enable vSphere with Kubernetes.

Validate the domain configuration by using SDDC Manager and enable vSphere with Kubernetes by using the vSphere Client. Then, you can deploy applications or provision Tanzu Kubernetes clusters on the initial Supervisor Cluster.

4 Deploy the solutions for cloud operations and automation.

See VMware Validated Design Deployment of Cloud Operations and Automation.

a Deploy VMware vRealize Suite Lifecycle Manager.

By using SDDC Manager, download the vRealize Suite Lifecycle Manager install bundle and deploy vRealize Suite Lifecycle Manager.

b Deploy the solutions.

Import the product binaries into vRealize Suite Lifecycle Manager and deploy the solutions.

c Connect the solutions to the management and workload domains.

After you deploy each solution, integrate it with the virtual infrastructure of the SDDC and with the other solutions for cloud operations and automation.

For more details on the deployment steps, see the VMware Validated Design documentation page.


Chapter 6 Documentation Structure and Audience

The structure of the VMware Validated Design documentation reflects the best practices in designing and deploying a data center that is capable of automated workload provisioning. The documentation components of the validated design are organized according to the audience and deployment stage.


Figure 6-1. VMware Validated Design Documentation Flow

[Figure: Introducing VMware Validated Design leads into three parallel documentation tracks, one each for the Management Domain, the Workload Domain, and Solutions. Each track consists of Architecture and Design, Planning and Preparation, and Deployment.]

For information on the order in which you deploy the SDDC, see Chapter 5 Deployment of VMware Validated Design.

For details on the latest available documentation, see the VMware Validated Design documentation page.

Architecture Overview

The first part of a VMware Validated Design is the Architecture Overview, which introduces the terms and components in the design.


Table 6-1. Architecture Overview Information

Guide:

  • Architecture and Design for the Management Domain

  • Architecture and Design for a Virtual Infrastructure Workload Domain

  • Architecture and Design for a vSphere with Kubernetes Workload Domain

  • Architecture and Design for Cloud Operations and Automation

Purpose:

  • Introduce the fundamentals and components in the SDDC design.

  • Provide information about the layered structure of the SDDC.

  • Describe the building modules and basic behavior of each management component.

Audience: Cloud architects and cloud administrators

Documentation modules:

  • Management domain

  • Virtual infrastructure workload domain

  • vSphere with Kubernetes workload domain

  • Cloud operations and automation

Detailed Design

After you learn about the basic modules in the SDDC design, you proceed with the detailed design of the management components and the required infrastructure.

Table 6-2. Detailed Design Information

Guide:

  • Architecture and Design for the Management Domain

  • Architecture and Design for a Virtual Infrastructure Workload Domain

  • Architecture and Design for a vSphere with Kubernetes Workload Domain

  • Architecture and Design for Cloud Operations and Automation

Purpose:

  • Provide complete details about the configuration of each layer and of the components that are a part of the layer.

  • Describe available design alternatives.

  • Provide design decisions to reflect the main design issues and the rationale behind a chosen solution path.

Audience: Cloud architects and cloud administrators

Documentation modules:

  • Management domain

  • Virtual infrastructure workload domain

  • vSphere with Kubernetes workload domain

  • Cloud operations and automation


Planning and Preparation

After you understand the details of the design, you plan your environment according to the requirements of the design so that you can deploy the designed SDDC directly without additional testing and troubleshooting efforts.

Table 6-3. Planning and Preparation Information

Guide: Planning and Preparation Workbook

Purpose: Collect all requirements that your environment must meet so that you can follow a VMware Validated Design to create an SDDC. The Planning and Preparation Workbook provides prerequisites about the following areas:

  • Required software including VMware products, scripts, and third-party software

  • Networking configuration including VLANs, example IP addresses, and DNS names

  • Host names

  • Virtual networks

  • Active Directory and local user configuration

  • Specifications of inventory objects

Audience: Cloud architects, infrastructure administrators, cloud administrators, and cloud operators

Documentation modules:

  • Management domain

  • Virtual infrastructure workload domain

  • vSphere with Kubernetes workload domain

  • Cloud operations and automation

Deployment

After you make sure that your environment has the required structure and configuration, follow the Deployment in the First Region guides to start the SDDC implementation.


Table 6-4. Deployment Guide Information

Guide:
- Deployment of the Management Domain in the First Region
- Deployment of a Virtual Infrastructure Workload Domain in the First Region
- Deployment of a vSphere with Kubernetes Workload Domain in the First Region
- Deployment of Cloud Operations and Automation Domain in the First Region

Purpose:
- Provide step-by-step instructions for each management component of the SDDC according to the selected design path in Detailed Design.
- Cover the single-region setup of the SDDC.
- Provide details about setting up the virtual infrastructure for both management and tenant workloads.
- Provide procedures for integration of the products to form one functional system.

Audience: Cloud architects, infrastructure administrators, cloud administrators, and cloud operators

Documentation modules:
- Management domain
- Virtual infrastructure workload domain
- vSphere with Kubernetes workload domain
- Cloud operations and automation


7 SDDC Architecture Overview

SDDC layers represent aggregations of logically related functionality and operations in your environment. In a layer, you can interchange components as part of the end solution or outcome. If a particular component design does not fit the business or technical requirements, you can replace it with another similar component.

Figure 7-1. SDDC Layers and Components (figure: Physical Infrastructure with Compute, Storage, and Network; Virtual Infrastructure with Hypervisor, Pools of Resources, and Virtualization Control; Cloud Operations with Monitoring, Logging, and Life Cycle Management; Cloud Automation with Service Catalog, Self-Service Portal, and Orchestration; Business Continuity with Fault Tolerance and Disaster Recovery, Backup & Restore, and Replication; Security and Compliance with Security Policies, Industry Regulations, and Identity and Access Management)

You implement the SDDC layers gradually as you proceed through the SDDC implementation.

1 To provide the physical and virtual infrastructure, and local identity and access management for the SDDC management components, implement the management domain.

2 To provide the physical and virtual infrastructure for the virtualized or containerized workloads, implement one or more workload domains.

3 To operate the SDDC and deploy workloads on the workload domains, implement the solutions for cloud operations and automation including identity and access management for these solutions.

For information about the design and deployment of each layer at each deployment stage, see the VMware Validated Design documentation page.


Figure 7-2. SDDC Architecture Overview (figure: a Management Domain of ESXi, vSAN, vCenter Server, NSX-T, SDDC Manager, and region-specific Workspace ONE Access; one or more Workload Domains of ESXi, shared storage (vSAN, NFS, VMFS), vCenter Server, NSX-T (1:1 or 1:N), and VMware Solution for Kubernetes; a Cloud Operations and Automation Solution Add-on of vRealize Suite Lifecycle Manager, vRealize Operations Manager, vRealize Log Insight, vRealize Automation, and cross-region Workspace ONE Access; and room for another solution add-on. The management domain alone is the Consolidated SDDC Architecture; with workload domains it is the Standard SDDC Architecture.)

Physical Infrastructure Layer

Consists of the compute, network, and storage components. The compute component contains the x86-based servers that run the management components, NSX-T Edge nodes, and tenant workloads. This validated design provides only some guidance about the physical capabilities that are required to implement this architecture. You select a specific type or brand of hardware according to the VMware Compatibility Guide.

The physical infrastructure layer configuration is part of the implementation of the SDDC management domain and workload domains.

Virtual Infrastructure Layer

Controls the access to the underlying physical infrastructure and allocates resources to the management and tenant workloads. The management workloads consist of elements in the virtual infrastructure layer itself, together with elements in the cloud operations, cloud automation, and security and compliance layers.


The virtual infrastructure layer groups physical infrastructure in pools of resources such as workload domains and clusters. See Chapter 4 Workload Domains in VMware Validated Design.

The virtual infrastructure layer configuration is part of the implementation of the SDDC management domain and workload domains.

Cloud Operations Layer

Provides operations management for continuous day-to-day service delivery. Cloud operations management consists of life cycle management, monitoring, logging, and other operation types.

The architecture of the cloud operations layer includes management components that support the main types of operations in an SDDC. You monitor the underlying physical infrastructure, and the management and tenant or containerized workloads, in real time. Information is collected in the form of structured data (metrics) and unstructured data (logs). The cloud operations layer also collects data about the SDDC topology, that is, the physical and virtual compute, networking, and storage resources, which is key to intelligent and dynamic operational management.

The cloud operations layer configuration is part of the implementation of the SDDC management domain and workload domains, and of the solutions for cloud operations and automation.

Cloud Automation Layer

Requests resources and orchestrates the actions of the lower layers from a user interface or over an API.

The cloud automation layer configuration is part of the implementation of the SDDC solutions for cloud operations and automation.

Security and Compliance Layer

- Incorporates security guidance from NIST 800-53 across the VMware Validated Design to establish a baseline of security.
- Identifies and implements security best practices from setup to operations to secure your SDDC, and to make it more resilient to internal and external threats.
- Provides role-based access control by implementing an identity and access management solution that integrates with Microsoft Active Directory.

The identity and access management functionality in the security and compliance layer configuration is part of the implementation of the SDDC management domain and workload domains, and of the solutions for cloud operations and automation. As part of achieving compliance with industry regulations, the SDDC security configurations can be adjusted to support a variety of compliance standards.

- Physical Infrastructure Layer: The physical layer in an SDDC contains the compute, storage, and network resources in your data center.


- Virtual Infrastructure Layer: The virtual infrastructure layer of the SDDC contains ESXi, vCenter Server, vSAN, and NSX-T Data Center, which provide compute, networking, and storage resources to the management and tenant workloads.
- Security and Compliance Layer: As part of the security and compliance layer, this design uses Workspace ONE Access to provide identity and access management to the SDDC management components. To satisfy the requirements of the management components for availability and locality, you deploy a region-specific Workspace ONE Access instance and a cross-region Workspace ONE Access instance.
- Cloud Operations Layer: The cloud operations layer of the SDDC provides capabilities for life cycle management by using SDDC Manager in VMware Cloud Foundation and vRealize Suite Lifecycle Manager. The layer also supports performance and capacity monitoring, and log collection for the SDDC management components, by using vRealize Operations Manager and vRealize Log Insight.
- Cloud Automation Layer: By using the cloud automation layer, you provide automated workload deployment to tenants by using vRealize Automation.
- Multiple Availability Zones: VMware Validated Design provides alternative guidance for implementing an SDDC that contains two availability zones. You configure vSAN stretched clusters in the management domain and the workload domains to create a second availability zone. The SDDC continues operating during host maintenance or if a loss of one availability zone occurs.

Physical Infrastructure Layer

The physical layer in an SDDC contains the compute, storage, and network resources in your data center.


Figure 7-3. Physical Configuration of the SDDC (figure: a management cluster of 4 ESXi hosts, a shared edge and workload cluster of 4 ESXi hosts, and workload clusters of 19 ESXi hosts each; each cluster connects to a pair of ToR switches, and the ToR switches provide the external connection)

Workload Domains

The compute, storage, and network resources are organized in workload domains. The physical layer also includes the physical network infrastructure and the storage setup. For information on workload domains and clusters, see Chapter 4 Workload Domains in VMware Validated Design.

Compute

The physical compute resources are delivered through ESXi, a bare-metal hypervisor that installs directly onto your physical server. With direct access to and control of the underlying resources, ESXi logically partitions hardware to consolidate applications and cut costs. ESXi is the base building block of the Software-Defined Data Center.

Network

VMware Validated Design can use most physical network architectures. When building an SDDC, consider the following:

- Layer 2 or Layer 3 transport types

  This VMware Validated Design uses a Layer 3 network architecture.

- A Top of Rack (ToR) switch is typically located inside a rack and provides network access to the servers inside that rack.


- An inter-rack switch at the aggregation layer provides connectivity between racks. Links between inter-rack switches are typically not required. If a link failure between an inter-rack switch and a ToR switch occurs, the routing protocol ensures that no traffic is sent to the inter-rack switch that has lost connectivity.

- Using quality of service tags for prioritized traffic handling on the network devices

- NIC configuration on the physical servers

  VMware vSphere® Distributed Switch supports several NIC teaming options. Load-based NIC teaming supports an optimal use of the available bandwidth and provides redundancy if a link failure occurs. Use a minimum of two 10-GbE connections, with two 25-GbE connections recommended, for each ESXi host, in combination with a pair of top of rack switches.

- VLAN port modes on both physical servers and network equipment

  802.1Q network trunks can support as many VLANs as required, for example, for management, storage, overlay, and VMware vSphere® vMotion® traffic.

Because of the considerations for the physical network architecture, providing a robust physical network to support the physical-to-virtual network abstraction is an important requirement of network virtualization.

Regions and Availability Zones

Availability Zone

Represents the fault domain of the SDDC. Multiple availability zones can provide continuous availability of an SDDC. This VMware Validated Design supports one availability zone per region. See Multiple Availability Zones.

Region

Each region is a separate SDDC instance. You use multiple regions for disaster recovery across individual SDDC instances.

In this VMware Validated Design, you implement a single-region SDDC.

Storage

This VMware Validated Design provides guidance for the storage of the management components. A shared storage system not only hosts the management and tenant or container workloads, but also template repositories and backup locations. Storage within an SDDC can include internal storage, external storage, or both, used as either primary or secondary storage. This validated design includes internal storage by using vSAN for primary storage and external NFS storage for secondary storage.

Internal Storage


vSAN is a software-based distributed storage platform that combines the internal compute and storage resources of clustered VMware ESXi hosts. By using storage policies on a cluster, you configure multiple copies of the data. As a result, this data is accessible during maintenance and host outages.

External Storage

External storage provides non-vSAN storage by using NFS, iSCSI, or Fibre Channel. Different types of storage can provide different levels of SLA, ranging from just a bunch of disks (JBODs) using SATA drives with minimal to no redundancy, to fully redundant enterprise-class storage arrays.

Primary Storage

VMware vSAN™ storage is the default storage type for the SDDC management components. All design, deployment, and operational guidance is based on vSAN. Considering block or file storage technology for primary storage is out of scope of the design. These storage technologies are referenced only for specific use cases such as backups to secondary storage.

The storage devices on vSAN ready servers provide the storage infrastructure. This validated design uses vSAN in an all-flash configuration.

Secondary Storage

NFS storage is the secondary storage for the SDDC management components. It provides space for archiving log data and application templates.

Secondary storage provides additional storage for backup of the SDDC. It can use the NFS, iSCSI, or Fibre Channel technology. Different types of storage can provide different levels of SLA, ranging from JBODs with minimal to no redundancy, to fully redundant enterprise-class storage arrays. For bandwidth-intense IP-based storage, the bandwidth of these pods can scale dynamically.

Virtual Infrastructure Layer

The virtual infrastructure layer of the SDDC contains ESXi, vCenter Server, vSAN, and NSX-T Data Center, which provide compute, networking, and storage resources to the management and tenant workloads.

Cluster Types

This VMware Validated Design uses the following types of clusters:


Figure 7-4. First Cluster in the Management Domain (figure: a management cluster of four ESXi hosts managed by the management domain vCenter Server, running management workloads on a vSphere Distributed Switch with NSX-T)

Figure 7-5. Shared Edge and Workload Cluster in a Virtual Infrastructure Workload Domain (figure: a shared edge and workload cluster of four ESXi hosts managed by the workload domain vCenter Server, running NSX-T Edges and tenant workloads on a vSphere Distributed Switch with NSX-T)

First Cluster in the Management Domain

Resides in the management domain and runs the virtual machines of the components that manage the data center, such as vCenter Server, NSX-T Manager, SDDC Manager, Workspace ONE Access, VMware vRealize® Suite Lifecycle Manager™, VMware vRealize® Operations Manager™, VMware vRealize® Log Insight™, vRealize Automation, and other management components.


The first management cluster occupies half a rack.

Shared Edge and Workload Cluster

Represents the first cluster in the virtual infrastructure workload domain and runs the required NSX-T services for north-south routing between the data center and the external network, and east-west routing inside the data center. This shared cluster also hosts the tenant workloads. As you extend your environment, you must add workload-only clusters.

Workload Cluster

Resides in a virtual infrastructure workload domain and runs tenant workloads. Use workload clusters to support a mix of different types of workloads for different types of Service Level Agreements (SLAs). You can mix different types of workload clusters and provide separate compute pools for different types of SLAs.

vCenter Server Design

Figure 7-6. Layout of vSphere Clusters (figure: in Region A, the management cluster of four ESXi hosts managed by the management domain vCenter Server, and the shared edge and workload cluster of four ESXi hosts managed by the workload domain vCenter Server)


Table 7-1. vCenter Server Design Details

vCenter Server instances: You deploy vCenter Server instances in the following way:
- One vCenter Server instance for the management domain.
- One vCenter Server instance for each workload domain.
Using this model provides the following benefits:
- Isolation of the management domain vCenter Server and the workload domain vCenter Server
- Simplified capacity planning
- Separated upgrade
- Separated roles

Clusters: You distribute hosts and workloads in the following clusters:
- First cluster in the management domain, which contains all management hosts and handles resources for the management workloads.
- Shared edge and workload cluster in each workload domain, which contains tenant or container workloads, and the NSX-T Edge nodes used for the workloads.

Resource pools for tenant workloads and dedicated NSX components: On the shared edge and workload cluster in a workload domain, you use resource pools to distribute compute and storage resources to the tenant or container workloads, and to the NSX-T components carrying their traffic.

Deployment model: Each vCenter Server instance is deployed with an embedded Platform Services Controller.

Dynamic Routing and Virtual Network Segments

This VMware Validated Design supports dynamic routing for both management and tenant and container workloads, and also introduces a model of isolated application networks for the management components.

Virtual network segments are created on the vSphere Distributed Switch for the first cluster in the management domain and for the shared edge and workload cluster in a workload domain.


Figure 7-7. Distributed Port Groups Design (figure: a sample ESXi management host with two physical NICs, nic0 and nic1, attached to the distributed switch sfo-m01-cl01-vds01, which carries VLAN-backed port groups for ESXi management, vMotion, NFS, host overlay (host TEP), uplink01, uplink02, and vSAN)
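As an added example, not code from the VMware Validated Design documentation, the following PowerCLI script builds the distributed switch layout of Figure 7-7 for a management host with the load-based NIC teaming discussed under Network, and then audits the result for configuration drift. The vCenter FQDN, datacenter name, port group names, and VLAN IDs are placeholders, not values from this design; the host overlay VLAN is left out because an NSX-T-prepared switch receives it from the NSX-T uplink profile rather than as a vSphere port group.

```powershell
# Added example; not code from the VMware Validated Design documentation.
# Builds the distributed switch layout of Figure 7-7 for a management host with
# load-based NIC teaming across two uplinks, then audits the result for drift.
# Assumptions (placeholders, not values from this design): vCenter FQDN,
# datacenter name, port group names, and VLAN IDs. Take the real values from
# the Planning and Preparation Workbook.

Import-Module VMware.PowerCLI
$vc = Connect-VIServer -Server 'sfo-m01-vc01.sfo.rainpole.io'   # assumed FQDN

$dcName  = 'sfo-m01-dc01'        # assumed datacenter name
$vdsName = 'sfo-m01-cl01-vds01'  # switch name from Figure 7-7

# Port group -> VLAN ID for the traffic types in Figure 7-7. The host overlay
# (host TEP) VLAN is left out: on an NSX-T-prepared switch it is set through
# the NSX-T uplink profile rather than as a vSphere port group.
$expected = [ordered]@{
    'sfo-m01-cl01-vds01-pg-mgmt'     = 1611   # ESXi management (placeholder VLAN)
    'sfo-m01-cl01-vds01-pg-vmotion'  = 1612   # vMotion
    'sfo-m01-cl01-vds01-pg-vsan'     = 1613   # vSAN
    'sfo-m01-cl01-vds01-pg-nfs'      = 1615   # NFS
    'sfo-m01-cl01-vds01-pg-uplink01' = 2711   # NSX-T Edge uplink 1
    'sfo-m01-cl01-vds01-pg-uplink02' = 2712   # NSX-T Edge uplink 2
}

$dc  = Get-Datacenter -Name $dcName -Server $vc
$vds = Get-VDSwitch -Name $vdsName -Location $dc -ErrorAction SilentlyContinue
if (-not $vds) {
    # Two uplinks match the nic0/nic1 pair in the figure; a 9000-byte MTU
    # serves the vSAN, vMotion, and overlay traffic the design trunks here.
    $vds = New-VDSwitch -Name $vdsName -Location $dc -NumUplinkPorts 2 -Mtu 9000 -Version '7.0.0'
}
# Uplink port names as vCenter created them (for example dvUplink1, dvUplink2).
$uplinkNames = $vds.ExtensionData.Config.UplinkPortPolicy.UplinkPortName

foreach ($entry in $expected.GetEnumerator()) {
    $pg = Get-VDPortgroup -VDSwitch $vds -Name $entry.Key -ErrorAction SilentlyContinue
    if (-not $pg) {
        $pg = New-VDPortgroup -VDSwitch $vds -Name $entry.Key -VlanId $entry.Value
    }
    # Load-based teaming with both uplinks active: bandwidth is spread by load
    # and traffic survives the loss of a single link or ToR switch.
    $pg | Get-VDUplinkTeamingPolicy |
        Set-VDUplinkTeamingPolicy -LoadBalancingPolicy LoadBalanceLoadBased `
            -ActiveUplinkPort $uplinkNames -FailoverDetectionPolicy LinkStatus |
        Out-Null
}

function Test-VdsPortgroupDrift {
    # Returns one string per deviation from the expected VLAN/teaming layout;
    # an empty result means the switch matches the design.
    param(
        [Parameter(Mandatory)] $VDSwitch,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    $findings = @()
    foreach ($entry in $Expected.GetEnumerator()) {
        $pg = Get-VDPortgroup -VDSwitch $VDSwitch -Name $entry.Key -ErrorAction SilentlyContinue
        if (-not $pg) { $findings += "$($entry.Key): port group missing"; continue }
        $vlan = $pg.VlanConfiguration.VlanId
        if ($vlan -ne $entry.Value) {
            $findings += "$($entry.Key): VLAN $vlan, expected $($entry.Value)"
        }
        $teaming = $pg | Get-VDUplinkTeamingPolicy
        if ($teaming.LoadBalancingPolicy -ne 'LoadBalanceLoadBased') {
            $findings += "$($entry.Key): teaming $($teaming.LoadBalancingPolicy), expected LoadBalanceLoadBased"
        }
        if (@($teaming.ActiveUplinkPort).Count -lt 2) {
            $findings += "$($entry.Key): fewer than two active uplinks, no link redundancy"
        }
    }
    return $findings
}

$drift = Test-VdsPortgroupDrift -VDSwitch $vds -Expected $expected
if ($drift) {
    $drift | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "$vdsName matches the expected port group layout."
}
Disconnect-VIServer -Server $vc -Confirm:$false
```

Run the audit function on its own on a schedule to catch a port group whose VLAN or teaming policy was changed by hand after deployment.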


Figure 7-8. Virtual Network Segment Design (figure: in the workload domain, an NSX-T Edge cluster with an active/active Tier-0 gateway peering over ECMP with the ToR switches toward the Internet/enterprise network, and a Tier-1 gateway behind it; the cross-region segment xreg-m01-seg01 (192.168.11/24) carries vRealize Suite Lifecycle Manager, cross-region Workspace ONE Access, vRealize Operations Manager, and vRealize Automation; the region-specific segment sfo-m01-seg01 (192.168.31/24) carries region-specific Workspace ONE Access, vRealize Operations Manager remote collectors, and vRealize Log Insight; vCenter Server and SDDC Manager are shown as separate management VMs)

Dynamic routing support includes the following nodes:

- NSX-T Edge cluster
- Tier-0 gateway with ECMP enabled for north-south routing across the data center
- Tier-1 gateway for east-west routing across the data center


Virtual network segments provide support for limited access to the nodes of the applications through published access points.

- Cross-region virtual network segment that connects the components that are designed to fail over to a recovery region.
- Region-specific virtual network segment in Region A for components that are not designed to fail over.

Software-Defined Storage Design

In each region, workloads on the management cluster store their data on a vSAN datastore. The vSAN datastore spans all four ESXi hosts of the first cluster in the management domain and of the shared edge and workload cluster in a workload domain. Each host adds one disk group to the datastore.

Applications store their data according to the default storage policy for vSAN.

vRealize Log Insight uses NFS exports as secondary storage for log archiving.


Figure 7-9. Shared Storage Logical Design (figure: management cluster ESXi hosts with datastores for management VMs, backups, templates and logs, and swap files; shared edge and workload cluster ESXi hosts with datastores for tenant payloads at SLA 1 through SLA N across Tenant 1 through Tenant n; both built on a software-defined storage stack of policy-based storage management, virtualized data services, and hypervisor storage abstraction over SAN, NAS, or DAS physical disks (third party or VMware vSAN))

Security and Compliance Layer

As part of the security and compliance layer, this design uses Workspace ONE Access to provide identity and access management to the SDDC management components. To satisfy the requirements of the management components for availability and locality, you deploy a region-specific Workspace ONE Access instance and a cross-region Workspace ONE Access instance.


Workspace ONE Access provides these services:

- Directory integration to authenticate users against existing directories such as Active Directory or LDAP.
- Addition of two-factor authentication through integration with third-party software such as RSA SecurID, Entrust, and others.

For information on the account configuration in Active Directory and local accounts, see Planning and Preparation Workbook.

Region-Specific Workspace ONE Access

The region-specific Workspace ONE Access instance provides identity and access management services to regional SDDC solutions.


Figure 7-10. Logical Design of the Region-Specific Workspace ONE Access Deployment (figure: the region-specific Workspace ONE Access virtual appliance in Region A, accessed through the user interface and REST API, using directory services such as AD or LDAP as identity provider, with Postgres as supporting component, shared storage, DNS, NTP, and SMTP as supporting infrastructure, and NSX-T Data Center as the region-specific solution it serves)


Table 7-2. Design Details on Region-Specific Workspace ONE Access

Deployment model: One appliance that is connected to the Active Directory domain of the SDDC. The appliance is deployed from an OVA file.

Authenticated components:
- NSX-T Data Center
- vRealize Log Insight

Network segment: Region-specific virtual network segment. See Dynamic Routing and Virtual Network Segments.

Identity and access management setup:
- Integration with the rainpole.io Active Directory domain.
- Directory Service connection is Active Directory with Integrated Windows Authentication.

Cross-Region Workspace ONE Access

The cross-region Workspace ONE Access instance provides identity and access management services to cross-region SDDC solutions.


Figure 7-11. Logical Design of the Cross-Region Workspace ONE Access Deployment (figure: a cross-region Workspace ONE Access cluster of one primary and two secondary nodes behind an NSX-T Data Center load balancer in Region A, accessed through the user interface and REST API, using directory services such as AD or LDAP as identity provider, with Postgres as supporting component, shared storage, DNS, NTP, and SMTP as supporting infrastructure, and vRealize Operations Manager, vRealize Automation, and vRealize Suite Lifecycle Manager as the cross-region solutions it serves)


Table 7-3. Design Details on Cross-Region Workspace ONE Access

Deployment model: A cluster of three nodes behind a load balancer. The cluster is deployed by using vRealize Suite Lifecycle Manager.

Network segment: Cross-region virtual network segment. See Dynamic Routing and Virtual Network Segments.

Authenticated components:
- vRealize Suite Lifecycle Manager
- vRealize Operations Manager
- vRealize Automation

Identity and access management setup:
- Integration with the rainpole.io Active Directory domain.
- Directory Service connection is Active Directory with Integrated Windows Authentication.

Cloud Operations Layer

The cloud operations layer of the SDDC provides capabilities for life cycle management by using SDDC Manager in VMware Cloud Foundation and vRealize Suite Lifecycle Manager. The layer also supports performance and capacity monitoring, and log collection for the SDDC management components, by using vRealize Operations Manager and vRealize Log Insight.

SDDC Manager

You use SDDC Manager in VMware Cloud Foundation to perform the following operations:

- Deploy virtual infrastructure workload domains and extend the virtual infrastructure of the management domain.
- Deploy the NSX-T Edge cluster for a workload domain.
- Expand a cluster with hosts and add clusters to workload domains.
- Manage the life cycle of the virtual infrastructure components in all workload domains, and of vRealize Suite Lifecycle Manager.
- Manage certificates and passwords of the SDDC management components.


Figure 7-12. Logical Design of SDDC Manager (figure: the SDDC Manager virtual appliance in Region A, accessed through the user interface and API, with Active Directory as identity source and solution and user authentication through the vCenter Single Sign-On domain; it performs infrastructure provisioning and configuration of vCenter Server, ESXi, and NSX-T Data Center, life cycle management of vCenter Server and vRealize Suite Lifecycle Manager, uses the external services My VMware and depot.vmware.com, and relies on shared storage, DNS, NTP, and a certificate authority as supporting infrastructure)


Table 7-4. SDDC Manager Design Details

Deployment model: One appliance that deploys virtual infrastructure workload domains, and upgrades the virtual infrastructure components in the management domain and all workload domains, and vRealize Suite Lifecycle Manager. The appliance is deployed by Cloud Builder, part of VMware Cloud Foundation, during the automated deployment of the management domain.

Supported components:
- ESXi hosts in the management domain and in all workload domains
- Management domain vCenter Server and workload domain vCenter Server
- NSX-T Data Center
- vRealize Suite Lifecycle Manager
- SDDC Manager as self-upgrade

Network segment: Management network

Setup for workload domain and product deployment:
- Direct integration with My VMware to access install and upgrade bundles
- Configuration with an external certificate authority for replacing the certificates of the management components in the SDDC

vRealize Suite Lifecycle Manager

vRealize Suite Lifecycle Manager provides life cycle management capabilities for vRealize Suite components, including automated deployment, configuration, and upgrade. vRealize Suite Lifecycle Manager communicates with each management domain vCenter Server in the SDDC to orchestrate the deployment, upgrade, and configuration drift analysis of vRealize Suite components in the SDDC.


Figure 7-13. Logical Design of vRealize Suite Lifecycle Manager (figure: the cross-region vRealize Suite Lifecycle Manager appliance in Region A, accessed through the user interface and REST API, with identity management through cross-region Workspace ONE Access, a vCenter Server endpoint and shared storage, the external services VMware Marketplace and My VMware, and life cycle management of vRealize Automation, vRealize Log Insight, and vRealize Operations Manager)

Table 7-5. vRealize Suite Lifecycle Manager Design Details

Deployment model
  One appliance that deploys and upgrades the vRealize Suite components on a virtual infrastructure that is controlled by the management domain vCenter Server. The appliance is deployed by using SDDC Manager.

Supported components
  - Cross-region Workspace ONE Access
  - vRealize Operations Manager
  - vRealize Log Insight
  - vRealize Automation

Network segment
  Cross-region virtual network segment. See Dynamic Routing and Virtual Network Segments.

Product installation setup
  - Direct integration with My VMware to access vRealize Suite entitlements
  - Environment configuration that uses the product-based deployment path in the installation wizard

Table 7-6. Environment Layout in vRealize Suite Lifecycle Manager

Global environment (scope: Cross-Region)
  - Cross-region Workspace ONE Access

Cross-Region (scope: Cross-Region)
  - vRealize Operations Manager analytics cluster
  - vRealize Operations Manager remote collectors
  - vRealize Automation cluster nodes

Region A (scope: Region A)
  - vRealize Log Insight cluster

vRealize Operations Manager

You use vRealize Operations Manager to monitor the management components of the SDDC, including vSphere, vSAN, NSX-T Data Center, Workspace ONE Access, and vRealize Automation.

vRealize Operations Manager is also sized to accommodate the number of tenant workloads according to the design objectives.


Figure 7-14. Logical Design of vRealize Operations Manager

[Figure: vRealize Operations Manager in Region A. Analytics cluster (master, master replica, data nodes 1 to n) behind an NSX-T Data Center load balancer, and a remote collector group (Remote Collector 1 and Remote Collector 2). Metric adapters and management packs collect from vCenter Server, vSAN (storage devices), NSX-T Data Center, Workspace ONE Access, vRealize Automation, vRealize Log Insight, and additional solutions. Private cloud accounts and public cloud accounts (Amazon Web Services, Microsoft Azure). Identity management: cross-region Workspace ONE Access. Access: user interface and API. Supporting infrastructure: shared storage, AD, DNS, NTP, SMTP.]


Table 7-7. vRealize Operations Manager Design Details

Deployment model
  - Analytics cluster of three nodes: master, master replica, and data node
  - Remote collector group that consists of two remote collectors that communicate with the region-specific components
  The vRealize Operations Manager nodes are deployed by using vRealize Suite Lifecycle Manager.

Monitored components
  - Management domain vCenter Server and workload domain vCenter Server
  - ESXi hosts in the management domain and in the workload domains
  - All components of NSX-T Data Center for the management domain and for the workload domains
  - vSAN
  - Workspace ONE Access
  - vRealize Automation
  - vRealize Log Insight, including Launch in Context
  - vRealize Operations Manager (self-health monitoring)

vRealize Log Insight

You use vRealize Log Insight to access the logs of the SDDC management components from a central place and to view this information in visual dashboards.


Figure 7-15. Logical Design of vRealize Log Insight

[Figure: vRealize Log Insight cluster in Region A (master, worker 1, worker 2, up to worker N) behind the integrated load balancer. Logging clients: vCenter Server, ESXi, NSX-T Data Center, vRealize Automation, vRealize Operations Manager, and additional solutions, sending over syslog and the ingestion API. Content packs. Log archive on an NFS export. Integration: vSphere and vRealize Operations Manager. Identity management: region-specific Workspace ONE Access. Access: user interface and API. Supporting infrastructure: shared storage, AD, DNS, NTP, SMTP.]


Table 7-8. vRealize Log Insight Design Details

Deployment model
  Cluster of a master node and two worker nodes. The cluster nodes are deployed by using vRealize Suite Lifecycle Manager.

Monitored components
  - Management domain vCenter Server and workload domain vCenter Server
  - ESXi hosts in the management domain and in the workload domains
  - All components of NSX-T Data Center for the management domain and for the workload domains
  - vSAN
  - Analytics cluster nodes of vRealize Operations Manager
  - Management appliances

Archiving
  Archiving location on an NFS export

Cloud Automation Layer

By using the cloud automation layer, you provide automated workload deployment to tenants by using vRealize Automation.


Figure 7-16. Logical Design of vRealize Automation

[Figure: vRealize Automation cluster (primary and two secondary nodes) in Region A behind an NSX-T Data Center load balancer, with vRealize Orchestrator. Supporting components: Kubernetes, Docker, Postgres, FaaS, Traefik, Flannel, Fluentd. Private cloud accounts: vCenter Server and NSX-T Data Center. Public cloud accounts: VMware Cloud on AWS, Microsoft Azure, Amazon Web Services, Google Cloud. Integration accounts: vRealize Operations Manager, My VMware, Git, and additional solutions (e.g. SD, IPAM, K8s, Ansible, Puppet). Identity management: Workspace ONE Access. Access: user interface and API. Supporting infrastructure: shared storage, AD, DNS, NTP, SMTP.]


Figure 7-17. vRealize Automation Usage Model

[Figure: Cloud Assembly (cloud zones; tagging, images, blueprints, and extensibility) and Service Broker (services authoring) on top of private cloud resources (compute, network, storage). Roles: the Cloud Assembly admin administers cloud resources, project admins author services, and Rainpole User 1 and Rainpole User 2 access the Production Project and the Development Project as project members.]

Table 7-9. Cloud Automation Design Details

Deployment model of vRealize Automation
  A cluster of three vRealize Automation nodes with a load balancer. The cluster is deployed by using vRealize Suite Lifecycle Manager.

vRealize Automation services
  - Cloud Assembly
  - Service Broker
  - Orchestrator (using the embedded vRealize Orchestrator)

Network segment
  Cross-region virtual network segment. See Dynamic Routing and Virtual Network Segments.

Cloud accounts
  - Workload domain vCenter Server
  - Workload domain NSX-T Manager
  Note: Deploying workloads on a workload domain by using vRealize Automation requires that you deploy an NSX-T Data Center instance for each domain.

Cloud zones
  One cloud zone mapped to one region

Tagging
  - For the shared edge and workload cluster, apply tagging on the resource pools
  - For workload clusters, apply tagging at the vSphere cluster level

Tenants
  A single tenant company called Rainpole

Workload placement setup
  - My VMware integration to download and provision blueprints from VMware Marketplace
  - Flavor mappings to define the deployment sizings
  - Image mappings to define the target deployment operating system and related configuration settings
  - Network profiles to define the subnet and routing configuration for the provisioned virtual machines
  - Storage profiles to define disk customizations and the type of storage for the provisioned workloads
  - Projects to define the users that can provision workloads, the priority and cloud zone of deployments, and the maximum allowed deployment instances
  - Content sources and catalogs to provide users with access to blueprints

Multiple Availability Zones

VMware Validated Design provides alternative guidance for implementing an SDDC that contains two availability zones. You configure vSAN stretched clusters in the management domain and the workload domains to create second availability zones. The SDDC continues operating during host maintenance or if a loss of one availability zone occurs.

In a stretched cluster configuration, both availability zones are active. If a failure in either availability zone occurs, the virtual machines are restarted in the operational availability zone because virtual machine writes occur to both availability zones synchronously.

Overview of vSAN Stretched Cluster

Virtual machine write operations are performed synchronously across both availability zones. Each availability zone has a copy of the data, and witness components are placed on the witness host in a third location in the SDDC. As a result of distance and latency requirements, multiple availability zones are typically used in metropolitan or campus environments.

Extending the management cluster to a vSAN stretched cluster provides the following advantages:

  - Increased availability with minimal downtime and data loss
  - Inter-site load balancing

Using a vSAN stretched cluster for the management components has the following disadvantages:

  - Increased footprint
  - Symmetrical host configuration in the two availability zones
  - Distance and latency requirements between the two availability zones
  - Additional setup and more complex Day-2 operations
  - Licensing requirements

Regions and Availability Zones

In the multi-availability zone version of the VMware Validated Design, you have two availability zones in Region A.

Region   | Availability Zone   | Availability Zone and Region Identifier | Region-Specific Domain Name
Region A | Availability Zone 1 | SFO01                                   | sfo.rainpole.io
Region A | Availability Zone 2 | SFO02                                   | sfo.rainpole.io

Physical Infrastructure

You must use homogenous physical servers between availability zones. You replicate the hosts for the first cluster in the management domain and for the shared edge and workload cluster in a workload domain, and you place them in the same rack.

Figure 7-18. Infrastructure Architecture for Two Availability Zones

[Figure: two availability zones, each with a pair of ToR switches and an external connection. The stretched management cluster and the stretched shared edge and workload cluster each have 4 ESXi hosts in Availability Zone 1 and 4 ESXi hosts in Availability Zone 2.]

Component Layout with Two Availability Zones

The management components of the SDDC run in Availability Zone 1. They can be migrated to Availability Zone 2 when an outage or overload occurs in Availability Zone 2.


You can start deploying the SDDC in a single availability zone configuration, and then extend the environment with the second availability zone.

Figure 7-19. vSphere Logical Cluster Layout for Multiple Availability Zones

[Figure: in Region A, the management domain vCenter Server manages the management cluster and the workload domain vCenter Server manages the shared edge and workload cluster. Each cluster has ESXi hosts in Availability Zone 1 and in Availability Zone 2 and runs workload virtual machines (APP/OS).]

Network Configuration

NSX-T Edge nodes connect to top-of-rack switches in each data center to support northbound uplinks and route peering for SDN network advertisement. This connection is specific to the top-of-rack switch that you are connected to.

If an outage of an availability zone occurs, vSphere HA fails over the edge appliances to the other availability zone. Availability Zone 2 must provide an analog of the network infrastructure to which the edge node is connected in Availability Zone 1.

The management, Uplink 01, Uplink 02, and Edge Overlay networks in each availability zone must be stretched to facilitate failover of the NSX-T Edge appliances between availability zones. The Layer 3 gateway for the management and Edge Overlay networks must be highly available across the availability zones.

The network between the availability zones should support jumbo frames, and its latency must be less than 5 ms. Use a 25-GbE connection with vSAN for the best and most predictable performance (IOPS) of the environment.

To support failover of the NSX-T Edge appliances, the following networks are stretched from Availability Zone 1 to Availability Zone 2.


Table 7-10. Networks That Are Stretched Across Availability Zones

Stretched Network                  | Requires HA Layer 3 Gateway
Management for Availability Zone 1 | Yes
Uplink01                           | No
Uplink02                           | No
Edge overlay                       | Yes
Management for Availability Zone 2 | Yes
