Introducing VMware Validated Design
14 APR 2020
VMware Validated Design 6.0
VMware Cloud Foundation 4.0
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2016-2020 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
About Introducing VMware Validated Design
1 Features of VMware Validated Design
2 SDDC Architecture
3 Design Objectives of VMware Validated Design
4 Workload Domains in VMware Validated Design
5 Deployment of VMware Validated Design
6 Documentation Structure and Audience
7 SDDC Architecture Overview
  Physical Infrastructure Layer
  Virtual Infrastructure Layer
  Security and Compliance Layer
  Cloud Operations Layer
  Cloud Automation Layer
  Multiple Availability Zones
About Introducing VMware Validated Design
The Introducing VMware Validated Design document provides guidance on using the content of VMware Validated Design™ for Software-Defined Data Center. The guide also contains a high-level overview of the Software-Defined Data Center (SDDC) design that is supported in this VMware Validated Design version.
Introducing VMware Validated Design includes the following information:
- Design objectives
- Document structure and purpose
- SDDC high-level overview
Intended Audience
Introducing VMware Validated Design is intended for cloud architects, infrastructure administrators, cloud administrators, and cloud operators who want to become familiar with VMware Validated Design to deploy and manage an SDDC that meets the requirements for capacity and scalability.
Required Software
Introducing VMware Validated Design is compliant and validated with certain product versions. For more information about supported product versions, see VMware Validated Design Release Notes.
Update History
Introducing VMware Validated Design is updated with each release of the product or when necessary.
Revision and description:
- 2 JUN 2020: According to the configuration maximums for a medium-size vCenter Server appliance with default storage size and VMware Cloud Foundation, you can deploy up to 4,000 virtual machines per virtual infrastructure workload domain and up to 56,000 virtual machines in a VMware Cloud Foundation environment of 14 workload domains. See Chapter 3 Design Objectives of VMware Validated Design.
- 14 APR 2020: Initial release.
1 Features of VMware Validated Design
Use VMware Validated Designs to build a scalable Software-Defined Data Center that is based on VMware best practices.
VMware Validated Designs have the following advantages:
One path to SDDC
After you satisfy the deployment requirements, follow one consistent path to deploy an SDDC.
VMware Validated Designs provide a tested solution path with information about product versions, networking architecture, capabilities, and limitations.
SDDC design for use in production
A VMware Validated Design supports an SDDC that has the following features:
- High availability of management components
- Backup and restore of management components
- Monitoring and alerting
Validated design and deployment
The prescriptive documentation of a VMware Validated Design is continuously tested by VMware.
Validation provides the following advantages to your organization:
- Validated product interoperability
- Reduced risk of deployment and operational problems
- Reduced test effort
Validated solution capabilities
- Churn rate of tenant workloads
- High availability of management components
- Operational continuity
Fast SDDC standup
You can implement a data center without engaging in design work and product research. After you download all SDDC products, follow the detailed design and step-by-step instructions.
Support for latest product releases
Every version of a VMware Validated Design accommodates new product releases. If you have deployed an SDDC according to an earlier version of a VMware Validated Design, you can directly follow the validated design to upgrade your environment.
2 SDDC Architecture
VMware Validated Design supports an SDDC architecture according to the requirements of your organization and the resource capabilities of your environment.
High-Level Logical Design of the SDDC
The SDDC according to VMware Validated Design contains the main services that are required to cover provisioning of virtualized and containerized workloads, cloud operations, and cloud automation.
Figure 2-1. Logical Design of the SDDC
[Figure: the SDDC management components (vCenter Server, NSX-T Data Center, SDDC Manager, Workspace ONE Access, vRealize Suite Lifecycle Manager, vRealize Operations Manager, vRealize Log Insight, vRealize Automation, VMware Depot, Active Directory) running on a vSphere cluster of ESXi hosts. The relationships shown between them are: load balancing, logical switching and logical routing; network services deployment; workload deployments; workload metrics and workload costing; central management of virtual infrastructure; identity and access management; authentication management; central user management; solution life cycle management; monitoring, log collection and analysis; storing product binaries; launch in context, notification events and UI integration.]
SDDC Architecture
VMware Validated Design supports the Standard SDDC architecture of VMware Cloud Foundation. This architecture implements a production-ready SDDC that includes at least two workload domains: a management domain and a virtual infrastructure workload domain. See Chapter 4 Workload Domains in VMware Validated Design.
3 Design Objectives of VMware Validated Design
According to the SDDC implementation type, a VMware Validated Design has objectives to deliver prescriptive content about an SDDC that is fast to deploy and is suitable for use in production.
Table 3-1. Objectives of VMware Validated Design for Software-Defined Data Center

Main objective: SDDC capable of automated provisioning of on-premises workloads, hybrid workloads, and containers.

Scope of deployment: Greenfield deployment of the management and workload domains of the SDDC, and incremental expansion of these domains as needed.

Cloud type: On-premises private cloud with support for hybrid cloud.

Number of regions and disaster recovery support: Single-region multi-site SDDC that you can potentially use as a best practice for a second VMware Cloud Foundation instance. Availability zones are separate sites connected with low latency and high bandwidth. Regions have higher latency and lower bandwidth connectivity.

Maximum number of virtual machines and churn rate: By default, in a workload domain, VMware Cloud Foundation 4.0 deploys a medium-size vCenter Server appliance with default storage size. As a result, in VMware Validated Design 6.0, you determine the maximum number of virtual machines in the SDDC according to this deployment specification of vCenter Server.
- 4,000 running virtual machines per virtual infrastructure workload domain
- 56,000 running virtual machines overall, distributed across 14 virtual infrastructure workload domains
- Churn rate of 150 virtual machines per hour
Churn rate covers the provisioning, power cycle operations, and decommissioning of one tenant virtual machine by using a blueprint in the cloud management platform. A churn rate of 100 means that 100 tenant workloads are provisioned, pass the power cycle operations, and are deleted.

Maximum number of containers or pods: 2,000 pods per Supervisor Cluster

Number of workload domains in a region: Minimum two-domain setup, with a minimum of 4 VMware ESXi™ hosts in a domain. The validated design requires the following workload domains for SDDC deployment:
- Management domain. Contains the appliances of the SDDC management components.
- One or more solution-specific workload domains for Infrastructure-as-a-Service (IaaS), containers, and virtual desktop infrastructure (VDI). Up to 14 workload domains per region. Each such domain:
  - Contains the tenant workloads.
  - Contains the required SDDC services to enable the solution that is deployed.
See Chapter 4 Workload Domains in VMware Validated Design.

Data center virtualization: Maximized workload flexibility and limited dependencies on static data center infrastructure by using compute, storage, and network virtualization.

Scope of guidance:
- Greenfield deployment of the management domain, workload domains, and solutions working on top of the infrastructure in the domains.
- Incremental expansion of the deployed infrastructure:
  - In a single region
  - To additional availability zones
- Deployment and initial setup of management components at the levels of virtualization infrastructure, cloud automation, and cloud operations.
- Basic tenant operations such as creating a tenant, assigning tenant capacity, and configuring user access.
- Operations on the management components of the SDDC such as monitoring and alerting, backup and restore, and post-maintenance validation.

Overall availability:
- 99.7% management plane availability
- Workload availability subject to specific availability requirements
Planned downtime is expected for upgrades, patching, and ongoing maintenance.

Authentication, authorization, and access control:
- Use of Microsoft Active Directory as a central user repository.
- Use of service accounts with the minimum required authentication and Access Control List configuration.

Certificate signing: Certificates are signed by an external certificate authority (CA) that consists of root and intermediate authority layers.

Hardening: Tenant workload traffic can be separated from the management traffic.
4 Workload Domains in VMware Validated Design
In VMware Validated Design, a workload domain represents a logical unit that groups ESXi hosts managed by a vCenter Server instance with specific characteristics according to VMware SDDC best practices.
A workload domain exists in the boundaries of an SDDC region. A region can contain one or more domains. A workload domain cannot span multiple regions.
Each domain contains the following components:
- One VMware vCenter Server™ instance.
- At least one vSphere cluster with vSphere HA and vSphere DRS enabled. See Cluster Types.
- One vSphere Distributed Switch per cluster for system traffic and NSX-T segments for workloads.
- One NSX-T Manager cluster for configuring and implementing software-defined networking.
- One NSX-T Edge cluster that connects the workloads in the domain for logical switching, logical dynamic routing, and load balancing.
- One or more shared storage allocations.
Management Domain
Contains the SDDC management components.
The management domain has the following features:
Table 4-1. Features of the Management Domain
Types of workloads: Management workloads and networking components for them.
Cluster types: Management cluster
Virtual switch type:
- vSphere Distributed Switch for system traffic and NSX-T network segments
- NSX-T Virtual Distributed Switch (N-VDS) on the NSX-T Edge nodes
Software-defined networking: NSX-T Data Center
Shared storage type:
- vSAN for primary storage
- NFS for secondary storage
Time of deployment: First domain to deploy during initial SDDC implementation
Deployment method: Deployed by VMware Cloud Builder as part of the bring-up process of VMware Cloud Foundation
Table 4-2. Management Workloads for the Management Domain
Component (cluster location):
- vCenter Server (first cluster in the domain)
- NSX-T Manager cluster (first cluster in the domain)
- NSX-T Edge cluster for north-south routing, east-west routing, and load balancing (first cluster in the domain)
Virtual Infrastructure Workload Domains
Contains tenant workloads that use NSX-T Data Center for logical networking. According to the requirements of your organization, you can deploy multiple virtual infrastructure (VI) workload domains in your environment.
A virtual infrastructure workload domain has the following features:
Table 4-3. Features of a VI Workload Domain
Types of workloads: Tenant workloads and networking components for them.
Cluster types:
- Shared edge and workload cluster
- Additional workload clusters
Virtual switch type:
- vSphere Distributed Switch for system traffic from the management domain and for NSX-T network segments
- N-VDS on the NSX-T Edge nodes in the workload domain
Software-defined networking: NSX-T Data Center
Shared storage type: vSAN. You can also use NFS according to the requirements of your organization.
Time of deployment: After initial SDDC bring-up of the management domain
Deployment method: Deployed by SDDC Manager
Table 4-4. Management Workloads for a VI Workload Domain
vCenter Server
- Deployment location: First cluster in the management domain
- Shared between workload domains: No
NSX-T Manager cluster
- Deployment location: First cluster in the management domain; deployed with the first VI workload domain
- Shared between workload domains: Yes, for workload domains where workloads share the same overlay transport zone cross-domain and are provisioned without using vRealize Automation. No, for workload domains where workloads must be connected to domain-specific transport zones or where you use vRealize Automation for workload provisioning.
NSX-T Edge cluster for north-south and east-west routing
- Deployment location: Shared edge and workload cluster in the workload domain; deployed with the first VI workload domain
- Shared between workload domains: Yes, for workload domains where workloads share the same overlay transport zone cross-domain and are provisioned without using vRealize Automation. No, for workload domains where workloads must be connected to domain-specific transport zones or where you use vRealize Automation for workload provisioning.
vSphere with Kubernetes Workload Domains
Contains containerized workloads that use vSphere with Kubernetes for container provisioning and NSX-T Data Center for logical networking. According to the requirements of your organization, you can deploy multiple vSphere with Kubernetes workload domains.
A vSphere with Kubernetes workload domain has the following features:
Table 4-5. Features of a vSphere with Kubernetes Workload Domain
Types of workloads: Containerized workloads and networking components for them.
Cluster types:
- Shared edge and workload cluster
- Additional workload clusters
Virtual switch type:
- vSphere Distributed Switch for system traffic from the management domain and for NSX-T network segments
- N-VDS on the NSX-T Edge nodes in the workload domain
Software-defined networking: NSX-T Data Center
Shared storage type: vSAN. You can also use FC/FCoE, iSCSI, or NFS according to the requirements of your organization.
Time of deployment: After initial SDDC bring-up of the management domain
Deployment method: You use SDDC Manager for environment validation and the vSphere Client for enabling vSphere with Kubernetes
Table 4-6. Management Workloads for a vSphere with Kubernetes Workload Domain
vCenter Server
- Deployment location: First cluster in the management domain
- Shared between workload domains: No
NSX-T Manager cluster
- Deployment location: First cluster in the management domain; deployed with the first VI workload domain
- Shared between workload domains: Yes, for workload domains where workloads share the same overlay transport zone cross-domain and are provisioned without using vRealize Automation. No, for workload domains where workloads must be connected to domain-specific transport zones or where you use vRealize Automation for workload provisioning.
NSX-T Edge cluster for north-south and east-west routing
- Deployment location: Shared edge and workload cluster; deployed with the first vSphere with Kubernetes workload domain
- Shared between workload domains: Yes, for workload domains where workloads share the same overlay transport zone cross-domain. No, for workload domains where workloads must be connected to domain-specific transport zones.
Supervisor Cluster
- Deployment location: Shared edge and workload cluster
- Shared between workload domains: No
5 Deployment of VMware Validated Design
The deployment of the SDDC is automated. You use VMware Cloud Builder to deploy the SDDC management domain, SDDC Manager to deploy workload domains for tenant workloads, and vRealize Suite Lifecycle Manager to deploy the vRealize Suite products in this design. You deploy SDDC management components manually only in a few cases, according to the instructions.
The workflow for SDDC deployment consists of the following stages:
Figure 5-1. SDDC Deployment Workflow with a VI Workload Domain
[Figure: deployment flow in a workload domain]
1. Management Domain: 1.1 User installs ESXi on the domain hosts. 1.2 Cloud Builder deploys the virtual infrastructure (vSAN, vCenter Server, NSX-T) and SDDC Manager. 1.3 User deploys Region-Specific Workspace ONE Access.
2. Virtual Infrastructure Workload Domain: 2.1 User installs ESXi on the domain hosts. 2.2 SDDC Manager deploys the virtual infrastructure (vSAN, NFS, or VMFS; vCenter Server; NSX-T). 2.3 User connects Region-Specific Workspace ONE Access to the workload domain.
3. Cloud Operations and Cloud Automation Solutions: 3.1 SDDC Manager deploys vRealize Suite Lifecycle Manager. 3.2 vRealize Suite Lifecycle Manager deploys the vRealize Suite products (vRealize Log Insight, vRealize Operations Manager, vRealize Automation, Cross-Region Workspace ONE Access). 3.3 User connects the vRealize Suite to the workload domain.
Figure 5-2. SDDC Deployment Workflow with a vSphere with Kubernetes Workload Domain
[Figure: the same flow as Figure 5-1, with the following differences]
2. vSphere with Kubernetes Workload Domain: steps 2.1 to 2.3 as above, followed by 2.4 SDDC Manager validates the environment and 2.5 User enables vSphere with Kubernetes.
3. The vRealize Suite products deployed in step 3.2 are vRealize Log Insight, vRealize Operations Manager, and Cross-Region Workspace ONE Access.
1 Prepare the data center and fill in the environment specification.
Work with the technology team of your organization on configuring the physical servers, network, and storage in the data center. Collect the environment details and write them down in the Planning and Preparation Workbook in Microsoft® Excel® spreadsheet format (XLS).
2 Deploy the management domain of the SDDC.
See VMware Validated Design Deployment of the Management Domain.
a Prepare the deployment specification of the management domain.
Download the deployment parameter workbook from My VMware and fill in the details for the management domain deployment. You can use the details from the Planning and Preparation Workbook.
b Prepare the environment for the management domain.
Install and configure ESXi on the physical servers.
c Prepare VMware Cloud Builder.
Download and deploy the VMware Cloud Builder appliance from My VMware.
d Run the automated deployment of the management domain.
Upload the deployment parameter workbook to VMware Cloud Builder, perform an audit of the target environment, and bring up the SDDC management domain.
After the automated deployment is complete, in addition to the virtual infrastructure component, your environment contains SDDC Manager.
e Complete the initial configuration of the management domain.
Configure SDDC Manager for managing the SDDC and enable secure access within and to the management domain. Then, deploy manually the region-specific Workspace ONE Access instance and connect the management domain components to it.
3 Deploy a virtual infrastructure workload domain or vSphere with Kubernetes workload domain.
See VMware Validated Design Deployment of a Virtual Infrastructure Workload Domain and VMware Validated Design Deployment of a vSphere with Kubernetes Workload Domain.
a Prepare the environment for the workload domain.
Install and configure ESXi on the physical servers. Create a network pool for the workload domain, and upload product license keys.
b Run the automated deployment of the workload domain.
In SDDC Manager, provide the specification of the workload domain and initiate deployment. SDDC Manager validates the environment and provisions the requested virtual infrastructure. Then, again by using SDDC Manager, deploy an NSX-T Edge cluster to the shared edge and workload cluster.
c Complete the initial configuration of the workload domain.
Enable secure access within and to the workload domain. Then, connect the workload domain components to the region-specific Workspace ONE Access instance.
d For a vSphere with Kubernetes workload domain, enable vSphere with Kubernetes.
Validate the domain configuration by using SDDC Manager and enable vSphere with Kubernetes by using the vSphere Client. Then, you can deploy applications or provision Tanzu Kubernetes clusters on the initial Supervisor Cluster.
4 Deploy the solutions for cloud operations and automation.
See VMware Validated Design Deployment of Cloud Operations and Automation.
a Deploy VMware vRealize Suite Lifecycle Manager.
By using SDDC Manager, download the vRealize Suite Lifecycle Manager install bundle and deploy vRealize Lifecycle Manager.
b Deploy the solutions.
Import the product binaries in vRealize Lifecycle Manager and deploy the solutions.
c Connect the solutions to the management and workload domains.
After you deploy each solution, integrate it with the virtual infrastructure of the SDDC and with the other solutions for cloud operations and automation.
For more details on the deployment steps, see the VMware Validated Design documentation page.
6 Documentation Structure and Audience
The structure of the VMware Validated Design documentation reflects the best practices in designing and deploying a data center that is capable of automated workload provisioning. The documentation components of the validated design are organized according to the audience and deployment stage.
Figure 6-1. VMware Validated Design Documentation Flow
[Figure: Introducing VMware Validated Design, then Planning and Preparation, then, for each of the Management Domain, the Workload Domain, and the Solutions, the Architecture and Design guide followed by the Deployment guide.]
For information on the order in which you deploy the SDDC, see Chapter 5 Deployment of VMware Validated Design.
For details on the latest available documentation, see the VMware Validated Design documentation page.
Architecture Overview
The first part of a VMware Validated Design is the Architecture Overview, which introduces the terms and components in the design.
Table 6-1. Architecture Overview Information
Guide:
- Architecture and Design for the Management Domain
- Architecture and Design for a Virtual Infrastructure Workload Domain
- Architecture and Design for a vSphere with Kubernetes Workload Domain
- Architecture and Design for Cloud Operations and Automation
Purpose:
- Introduce the fundamentals and components in the SDDC design.
- Provide information about the layered structure of the SDDC.
- Describe the building modules and basic behavior of each management component.
Audience: Cloud architects and cloud administrators
Documentation modules:
- Management domain
- Virtual infrastructure workload domain
- vSphere with Kubernetes workload domain
- Cloud operations and automation
Detailed Design
After you learn about the basic modules in the SDDC design, you proceed with the detailed design of the management components and the required infrastructure.
Table 6-2. Detailed Design Information
Guide:
- Architecture and Design for the Management Domain
- Architecture and Design for a Virtual Infrastructure Workload Domain
- Architecture and Design for a vSphere with Kubernetes Workload Domain
- Architecture and Design for Cloud Operations and Automation
Purpose:
- Provide complete details about the configuration of each layer and of the components that are a part of the layer.
- Describe available design alternatives.
- Provide design decisions to reflect the main design issues and the rationale behind a chosen solution path.
Audience: Cloud architects and cloud administrators
Documentation modules:
- Management domain
- Virtual infrastructure workload domain
- vSphere with Kubernetes workload domain
- Cloud operations and automation
Planning and Preparation
After you understand the details of the design, you plan your environment according to the requirements of the design so that you can deploy the designed SDDC directly without additional testing and troubleshooting efforts.
Table 6-3. Planning and Preparation Information
Guide: Planning and Preparation Workbook
Purpose: Collect all requirements that your environment must meet so that you can follow a VMware Validated Design to create an SDDC. The Planning and Preparation Workbook provides prerequisites about the following areas:
- Required software including VMware products, scripts, and third-party software
- Networking configuration including VLANs, example IP addresses, and DNS names
- Host names
- Virtual networks
- Active Directory and local user configuration
- Specifications of inventory objects
Audience: Cloud architects, infrastructure administrators, cloud administrators, and cloud operators
Documentation modules:
- Management domain
- Virtual infrastructure workload domain
- vSphere with Kubernetes workload domain
- Cloud operations and automation
Deployment
After you make sure that your environment has the required structure and configuration, follow the Deployment in the First Region to start the SDDC implementation.
Table 6-4. Deployment Guide Information
Guide:
- Deployment of the Management Domain in the First Region
- Deployment of a Virtual Infrastructure Workload Domain in the First Region
- Deployment of a vSphere with Kubernetes Workload Domain in the First Region
- Deployment of Cloud Operations and Automation Domain in the First Region
Purpose:
- Provide step-by-step instructions for each management component of the SDDC according to the selected design path in Detailed Design.
- Cover the single-region setup of the SDDC.
- Provide details about setting up the virtual infrastructure for both management and tenant workloads.
- Provide procedures for integration of the products to form one functional system.
Audience: Cloud architects, infrastructure administrators, cloud administrators, and cloud operators
Documentation modules:
- Management domain
- Virtual infrastructure workload domain
- vSphere with Kubernetes workload domain
- Cloud operations and automation
7 SDDC Architecture Overview
SDDC layers represent aggregations of logically related functionality and operations in your environment. In a layer, you can interchange components as part of the end solution or outcome. If a particular component design does not fit the business or technical requirements, you can replace it with another similar component.
Figure 7-1. SDDC Layers and Components
[Figure: the SDDC layers and the components in each layer]
- Physical Infrastructure: Compute, Storage, Network
- Virtual Infrastructure: Hypervisor, Pools of Resources, Virtualization Control
- Cloud Automation: Service Catalog, Self-Service Portal, Orchestration
- Cloud Operations: Monitoring, Logging, Life Cycle Management
- Business Continuity: Fault Tolerance and Disaster Recovery, Backup & Restore, Replication
- Security and Compliance: Security Policies, Industry Regulations, Identity and Access Management
The SDDC layers are gradually implemented as you follow the implementation of the SDDC.
1 To provide the physical and virtual infrastructure, and local identity and access management for the SDDC management components, implement the management domain.
2 To provide the physical and virtual infrastructure for the virtualized or containerized workloads, implement one or more workload domains.
3 To operate the SDDC and deploy workloads on the workload domains, implement the solutions for cloud operations and automation including identity and access management for these solutions.
For information about the design and deployment of each layer at each deployment stage, see the VMware Validated Design documentation page.
Figure 7-2. SDDC Architecture Overview
[Figure: Management Domain with ESXi hosts, vSAN, vCenter Server, NSX-T, SDDC Manager, and Region-Specific Workspace ONE Access; one or more Workload Domains, each with ESXi hosts, shared storage (vSAN, NFS, VMFS), vCenter Server, NSX-T (1:1 or 1:N), and the VMware solution for Kubernetes; a Cloud Operations and Automation Solution Add-on with vRealize Suite Lifecycle Manager, vRealize Operations Manager, vRealize Log Insight, vRealize Automation, and Cross-Region Workspace ONE Access, alongside further solution add-ons. The figure labels the Consolidated SDDC Architecture and the Standard SDDC Architecture.]
Physical Infrastructure Layer
Consists of the compute, network, and storage components. The compute component contains the x86-based servers that run the management components, NSX-T Edge nodes, and tenant workloads. This validated design provides only some guidance about the physical capabilities that are required to implement this architecture. You select a specific type or brand of hardware according to the VMware Compatibility Guide.
The physical infrastructure layer configuration is part of the implementation of the SDDC management domain and workload domains.
Virtual Infrastructure Layer
Controls the access to the underlying physical infrastructure and allocates resources to the management and tenant workloads. The management workloads consist of elements in the virtual infrastructure layer itself, together with elements in the cloud operations, cloud automation, and security and compliance layers.
The virtual infrastructure layer groups physical infrastructure in pools of resources such as workload domains and clusters. See Chapter 4 Workload Domains in VMware Validated Design.
The virtual infrastructure layer configuration is part of the implementation of the SDDC management domain and workload domains.
Cloud Operations Layer
Provides operations management for continuous day-to-day service delivery. Cloud operations management consists of life cycle management, monitoring, logging, and other operation types.
The architecture of the cloud operations layer includes management components that support the main types of operations in an SDDC. You monitor the underlying physical infrastructure, and the management and tenant or containerized workloads in real time. Information is collected in the form of structured data (metrics) and unstructured data (logs). The cloud operations layer also collects data about the SDDC topology, that is, physical and virtual compute, networking, and storage resources, which are key to intelligent and dynamic operational management.
The cloud operations layer configuration is part of the implementation of the SDDC management domain and workload domains, and of the solutions for cloud operations and automation.
Cloud Automation Layer
Requests resources and orchestrates the actions of the lower layers from a user interface or over an API.
The cloud automation layer configuration is part of the implementation of the SDDC solutions for cloud operations and automation.
Security and Compliance Layer
n Incorporates security guidance from NIST 800-53 across the VMware Validated Design to establish a baseline of security.
n Identifies and implements security best practices from setup to operations to secure your SDDC, and make it more resilient to internal and external threats.
n Provides role-based access control by implementing an identity and access management solution which integrates with Microsoft Active Directory.
The identity and access management functionality in the security and compliance layer configuration is part of the implementation of the SDDC management domain and workload domains, and of the solutions for cloud operations and automation. As part of achieving compliance with industry regulations, the SDDC security configurations can be adjusted to support a variety of compliance standards.
n Physical Infrastructure Layer
The physical layer in an SDDC contains the compute, storage, and network resources in your data center.
n Virtual Infrastructure Layer
The virtual infrastructure layer of the SDDC contains ESXi, vCenter Server, vSAN, and NSX-T Data Center that provide compute, networking, and storage resources to the management and tenant workloads.
n Security and Compliance Layer
As part of the security and compliance layer, this design uses Workspace ONE Access to provide identity and access management to the SDDC management components. To satisfy the requirements of the management components for availability and locality, you deploy a region-specific Workspace ONE Access instance and a cross-region Workspace ONE Access instance.
n Cloud Operations Layer
The cloud operations layer of the SDDC provides capabilities for life cycle management by using SDDC Manager in VMware Cloud Foundation and vRealize Suite Lifecycle Manager. The layer also supports performance and capacity monitoring, and log collection for the SDDC management components by using vRealize Operations Manager and vRealize Log Insight.
n Cloud Automation Layer
By using the cloud automation layer, you provide automated workload deployment to tenants by using vRealize Automation.
n Multiple Availability Zones
VMware Validated Design provides alternative guidance for implementing an SDDC that contains two availability zones. You configure vSAN stretched clusters in the management domain and the workload domains to create second availability zones. The SDDC continues operating during host maintenance or if a loss of one availability zone occurs.
Physical Infrastructure Layer
The physical layer in an SDDC contains the compute, storage, and network resources in your data center.
Figure 7-3. Physical Configuration of the SDDC
[Figure: a management cluster (4 ESXi hosts), a shared edge and workload cluster (4 ESXi hosts), and workload clusters (19 ESXi hosts each), each cluster attached to its own pair of ToR switches, with an external connection from the ToR switches.]
Workload Domains
The compute, storage, and network resources are organized in workload domains. The physical layer also includes the physical network infrastructure, and storage setup. For information on workload domains and clusters, see Chapter 4 Workload Domains in VMware Validated Design.
Compute
The physical compute resources are delivered through ESXi, a bare-metal hypervisor that installs directly onto your physical server. With direct access and control of underlying resources, ESXi logically partitions hardware to consolidate applications and cut costs. ESXi is the base building block of the Software-Defined Data Center.
Network
VMware Validated Design can use most physical network architectures. When building an SDDC, the following considerations exist:
n Layer 2 or Layer 3 transport types
This VMware Validated Design uses a Layer 3 network architecture.
n A Top of Rack (ToR) switch is typically located inside a rack and provides network access to the servers inside that rack.
n An inter-rack switch at the aggregation layer provides connectivity between racks. Links between inter-rack switches are typically not required. If a link failure between an inter-rack switch and a ToR switch occurs, the routing protocol ensures that no traffic is sent to the inter-rack switch that has lost connectivity.
n Using quality of service tags for prioritized traffic handling on the network devices
n NIC configuration on the physical servers
VMware vSphere® Distributed Switch supports several NIC teaming options. Load-based NIC teaming supports an optimal use of available bandwidth and redundancy if a link failure occurs. Use a minimum of two 10-GbE connections, with two 25-GbE connections recommended, for each ESXi host in combination with a pair of top of rack switches.
n VLAN port modes on both physical servers and network equipment
802.1Q network trunks can support as many VLANs as required. For example, management, storage, overlay, and VMware vSphere® vMotion® traffic.
Because of the considerations for the physical network architecture, providing a robust physical network to support the physical-to-virtual network abstraction is an important requirement of network virtualization.
Regions and Availability Zones
Availability Zone
Represents the fault domain of the SDDC. Multiple availability zones can provide continuous availability of an SDDC. This VMware Validated Design supports one availability zone per region. See Multiple Availability Zones.
Region
Each region is a separate SDDC instance. You use multiple regions for disaster recovery across individual SDDC instances.
In this VMware Validated Design, you implement a single-region SDDC.
Storage
This VMware Validated Design provides guidance for the storage of the management components. A shared storage system not only hosts the management and tenant or container workloads, but also template repositories and backup locations. Storage within an SDDC can include internal storage, external storage, or both, as either primary or secondary storage. This validated design includes internal storage by using vSAN for primary storage and external NFS storage for secondary storage.
Internal Storage
vSAN is a software-based distributed storage platform that combines the internal compute and storage resources of clustered VMware ESXi hosts. By using storage policies on a cluster, you configure multiple copies of the data. As a result, this data is accessible during maintenance and host outages.
External Storage
External storage provides non-vSAN storage by using NFS, iSCSI, or Fibre Channel. Different types of storage can provide different levels of SLA, ranging from just a bunch of disks (JBODs) using SATA drives with minimal to no redundancy, to fully redundant enterprise-class storage arrays.
Primary Storage
VMware vSAN™ storage is the default storage type for the SDDC management components. All design, deployment, and operational guidance are performed on vSAN. Considering block or file storage technology for primary storage is out of scope of the design. These storage technologies are referenced only for specific use cases such as backups to secondary storage.
The storage devices on vSAN ready servers provide the storage infrastructure. This validated design uses vSAN in an all-flash configuration.
Secondary Storage
NFS storage is the secondary storage for the SDDC management components. It provides space for archiving log data and application templates.
Secondary storage provides additional storage for backup of the SDDC. It can use the NFS, iSCSI, or Fibre Channel technology. Different types of storage can provide different levels of SLA, ranging from JBODs with minimal to no redundancy, to fully redundant enterprise-class storage arrays. For bandwidth-intense IP-based storage, the bandwidth of these pods can scale dynamically.
Virtual Infrastructure Layer
The virtual infrastructure layer of the SDDC contains ESXi, vCenter Server, vSAN, and NSX-T Data Center that provide compute, networking, and storage resources to the management and tenant workloads.
Cluster Types
This VMware Validated Design uses the following types of clusters:
Figure 7-4. First Cluster in the Management Domain
[Figure: four ESXi hosts in the management cluster, managed by the management domain vCenter Server, running the management workloads (APP/OS virtual machines) on a vSphere Distributed Switch with NSX-T.]
Figure 7-5. Shared Edge and Workload Cluster in a Virtual Infrastructure Workload Domain
[Figure: four ESXi hosts in the shared edge and workload cluster, managed by the workload domain vCenter Server, running tenant workloads (APP/OS virtual machines) and the NSX-T Edges on a vSphere Distributed Switch with NSX-T.]
First Cluster in the Management Domain
Resides in the management domain and runs the virtual machines of the components that manage the data center, such as vCenter Server, NSX-T Manager, SDDC Manager, Workspace ONE Access, VMware vRealize® Suite Lifecycle Manager™, VMware vRealize® Operations Manager™, VMware vRealize® Log Insight™, vRealize Automation, and other management components.
The first management cluster occupies half a rack.
Shared Edge and Workload Cluster
Represents the first cluster in the virtual infrastructure workload domain and runs the required NSX-T services for north-south routing between the data center and the external network, and east-west routing inside the data center. This shared cluster also hosts the tenant workloads. As you extend your environment, you must add workload-only clusters.
Workload Cluster
Resides in a virtual infrastructure workload domain and runs tenant workloads. Use workload clusters to support a mix of different types of workloads for different types of Service Level Agreements (SLAs). You can mix different types of workload clusters and provide separate compute pools for different types of SLAs.
vCenter Server Design
Figure 7-6. Layout of vSphere Clusters
[Figure: in Region A, the management cluster (four ESXi hosts) under the management domain vCenter Server and the shared edge and workload cluster (four ESXi hosts) under the workload domain vCenter Server, both running APP/OS virtual machines.]
Table 7-1. vCenter Server Design Details
vCenter Server instances: You deploy vCenter Server instances in the following way:
n One vCenter Server instance for the management domain.
n One vCenter Server instance for each workload domain.
Using this model provides the following benefits:
n Isolation of the management domain vCenter Server and the workload domain vCenter Server
n Simplified capacity planning
n Separated upgrade
n Separated roles
Clusters: You distribute hosts and workloads in the following clusters:
n First cluster in the management domain that contains all management hosts and handles resources for the management workloads.
n Shared edge and workload cluster in each workload domain that contains tenant or container workloads, and the NSX-T Edge nodes used for the workloads.
Resource pools for tenant workloads and dedicated NSX components: On the shared edge and workload cluster in a workload domain, you use resource pools to distribute compute and storage resources to the tenant or container workloads, and to the NSX-T components carrying their traffic.
Deployment model: Each vCenter Server instance is deployed with an embedded Platform Services Controller.
Dynamic Routing and Virtual Network Segments
This VMware Validated Design supports dynamic routing for management workloads and for tenant and container workloads, and also introduces a model of isolated application networks for the management components.
Virtual network segments are created on the vSphere Distributed Switch for the first cluster in the management domain and for the shared edge and workload cluster in a workload domain.
Figure 7-7. Distributed Port Groups Design
[Figure: a sample ESXi management host with two NICs (nic0, nic1) attached to the sfo-m01-cl01-vds01 distributed switch, which carries VLAN-backed port groups for ESXi management, vMotion, NFS, host overlay (host TEP), Uplink01, Uplink02, and vSAN.]
Figure 7-8. Virtual Network Segment Design
[Figure: the ToR switches peer over ECMP with an NSX-T Edge cluster that hosts an active/active Tier-0 gateway toward the Internet or enterprise network; a Tier-1 gateway connects the cross-region segment xreg-m01-seg01 (192.168.11/24, hosting vRealize Suite Lifecycle Manager, cross-region Workspace ONE Access, vRealize Operations Manager, and vRealize Automation) and the region-specific segment sfo-m01-seg01 (192.168.31/24, hosting region-specific Workspace ONE Access, vRealize Operations Manager remote collectors, and vRealize Log Insight); vCenter Server and SDDC Manager are shown outside the segments, with the workload domain alongside.]
Dynamic routing support includes the following nodes:
n NSX-T Edge cluster
n Tier-0 gateway with ECMP enabled for north-south routing across the data center
n Tier-1 gateway for east-west routing across the data center
Virtual network segments provide support for limited access to the nodes of the applications through published access points. The design uses two virtual network segments:
n Cross-region virtual network segment that connects the components that are designed to fail over to a recovery region.
n Region-specific virtual network segment in Region A for components that are not designed to fail over.
Software-Defined Storage Design
In each region, workloads on the management cluster store their data on a vSAN datastore. The vSAN datastore spans all four ESXi hosts of the first cluster in the management domain and of the shared edge and workload cluster in a workload domain. Each host adds one disk group to the datastore.
Applications store their data according to the default storage policy for vSAN.
vRealize Log Insight uses NFS exports as secondary storage for log archiving.
Figure 7-9. Shared Storage Logical Design
[Figure: the ESXi hosts of the management cluster present datastores for the management VMs, backups, templates, and logs; the ESXi hosts of the shared edge and workload cluster present datastores for tenant payloads at SLA 1, SLA 2, and SLA N (APP/OS virtual machines of Tenant 1 to Tenant n); both rest on software-defined storage (policy-based storage management, virtualized data services, hypervisor storage abstraction) over SAN, NAS, or DAS (third-party or VMware vSAN) on physical disks (SSD, FC 15K, FC 10K, SATA); the sample datastore shows sizes of 1500 GB, 200 GB, and 2048 GB for VMDKs and for swap files plus logs.]
Security and Compliance Layer
As part of the security and compliance layer, this design uses Workspace ONE Access to provide identity and access management to the SDDC management components. To satisfy the requirements of the management components for availability and locality, you deploy a region-specific Workspace ONE Access instance and a cross-region Workspace ONE Access instance.
Workspace ONE Access provides these services:
n Directory integration to authenticate users against existing directories such as Active Directory or LDAP.
n Addition of two-factor authentication through integration with third-party software such as RSA SecurID, Entrust, and others.
For information on the account configuration in Active Directory and local accounts, see Planning and Preparation Workbook.
Region-Specific Workspace ONE Access
The region-specific Workspace ONE Access instance provides identity and access management services to regional SDDC solutions.
Figure 7-10. Logical Design of the Region-Specific Workspace ONE Access Deployment
[Figure: in Region A, a single region-specific Workspace ONE Access virtual appliance (supporting component: Postgres; supporting infrastructure: shared storage, DNS, NTP, SMTP) acts as identity provider against directory services such as AD or LDAP, is accessed through the user interface and REST API, and authenticates the region-specific solution NSX-T Data Center.]
Table 7-2. Design Details on Region-Specific Workspace ONE Access
Deployment model: One appliance that is connected to the Active Directory domain of the SDDC. The appliance is deployed from an OVA file.
Authenticated components:
n NSX-T Data Center
n vRealize Log Insight
Network segment: Region-specific virtual network segment. See Dynamic Routing and Virtual Network Segments.
Identity and access management setup:
n Integration with the rainpole.io Active Directory domain.
n Directory Service connection is Active Directory with Integrated Windows Authentication.
Cross-Region Workspace ONE Access
The cross-region Workspace ONE Access provides identity and access management services to cross-region SDDC solutions.
Figure 7-11. Logical Design of the Cross-Region Workspace ONE Access Deployment
[Figure: in Region A, a cross-region Workspace ONE Access cluster of one primary and two secondary nodes behind the NSX-T Data Center load balancer (supporting component: Postgres; supporting infrastructure: shared storage, DNS, NTP, SMTP) acts as identity provider against directory services such as AD or LDAP, is accessed through the user interface and REST API, and authenticates the cross-region solutions vRealize Operations Manager, vRealize Automation, and vRealize Suite Lifecycle Manager.]
Table 7-3. Design Details on Cross-Region Workspace ONE Access
Deployment model: A cluster of three nodes behind a load balancer. The cluster is deployed by using vRealize Suite Lifecycle Manager.
Network segment: Cross-region virtual network segment. See Dynamic Routing and Virtual Network Segments.
Authenticated components:
n vRealize Suite Lifecycle Manager
n vRealize Operations Manager
n vRealize Automation
Identity and access management setup:
n Integration with the rainpole.io Active Directory domain.
n Directory Service connection is Active Directory with Integrated Windows Authentication.
Cloud Operations Layer
The cloud operations layer of the SDDC provides capabilities for life cycle management by using SDDC Manager in VMware Cloud Foundation and vRealize Suite Lifecycle Manager. The layer also supports performance and capacity monitoring, and log collection for the SDDC management components by using vRealize Operations Manager and vRealize Log Insight.
SDDC Manager
You use SDDC Manager in VMware Cloud Foundation to perform the following operations:
n Deploy virtual infrastructure workload domains and extend the virtual infrastructure of the management domain.
n Deploy the NSX-T Edge cluster for a workload domain.
n Expand a cluster with hosts and add clusters to workload domains.
n Manage the life cycle of the virtual infrastructure components in all workload domains, and of vRealize Suite Lifecycle Manager.
n Manage certificates and passwords of the SDDC management components.
Figure 7-12. Logical Design of SDDC Manager
[Figure: in Region A, the SDDC Manager virtual appliance provisions and configures infrastructure (ESXi, vCenter Server, NSX-T Data Center), manages the life cycle of vCenter Server and vRealize Suite Lifecycle Manager, authenticates solutions and users through the vCenter Single Sign-On domain with Active Directory as identity source, uses the external services My VMware and depot.vmware.com, relies on shared storage, DNS, NTP, and a certificate authority, and is accessed through a user interface and API.]
Table 7-4. SDDC Manager Design Details
Deployment model: One appliance that deploys virtual infrastructure workload domains, and upgrades the virtual infrastructure components in the management domain and all workload domains, and vRealize Suite Lifecycle Manager. The appliance is deployed by Cloud Builder, part of VMware Cloud Foundation, during the automated deployment of the management domain.
Supported components:
n ESXi hosts in the management domain and in all workload domains
n Management domain vCenter Server and workload domain vCenter Server
n NSX-T Data Center
n vRealize Suite Lifecycle Manager
n SDDC Manager as self-upgrade
Network segment: Management network
Setup for workload domain and product deployment:
n Direct integration with My VMware to access install and upgrade bundles
n Configuration with an external certificate authority for replacing the certificates of the management components in the SDDC
vRealize Suite Lifecycle Manager
vRealize Suite Lifecycle Manager provides life cycle management capabilities for vRealize Suite components including automated deployment, configuration, and upgrade. vRealize Suite Lifecycle Manager communicates with each management domain vCenter Server in the SDDC to orchestrate the deployment, upgrade, and configuration drift analysis of vRealize Suite components in the SDDC.
Figure 7-13. Logical Design of vRealize Suite Lifecycle Manager
[Figure: in Region A, the cross-region vRealize Suite Lifecycle Manager appliance performs life cycle management of vRealize Automation, vRealize Log Insight, and vRealize Operations Manager, uses vCenter Server as its endpoint and shared storage, reaches the external services VMware Marketplace and My VMware, integrates with cross-region Workspace ONE Access for identity management, and is accessed through a user interface and REST API.]
Table 7-5. vRealize Suite Lifecycle Manager Design Details
Deployment model: One appliance that deploys and upgrades the vRealize Suite components on a virtual infrastructure that is controlled by the management domain vCenter Server. The appliance is deployed by using SDDC Manager.
Supported components:
n Cross-region Workspace ONE Access
n vRealize Operations Manager
n vRealize Log Insight
n vRealize Automation
Network segment: Cross-region virtual network segment. See Dynamic Routing and Virtual Network Segments.
Product installation setup:
n Direct integration with My VMware to access vRealize Suite entitlements
n Environments configuration that uses the product-based deployment path in the installation wizard
Table 7-6. Environment Layout in vRealize Suite Lifecycle Manager
Environment name: Global environment. Scope: Cross-region. Product components: Cross-region Workspace ONE Access.
Environment name: Cross-Region. Scope: Cross-region. Product components:
n vRealize Operations Manager analytics cluster
n vRealize Operations Manager remote collectors
n vRealize Automation cluster nodes
Environment name: Region A. Scope: Region A. Product components: vRealize Log Insight cluster.
vRealize Operations Manager
You use vRealize Operations Manager to monitor the management components of the SDDC including vSphere, vSAN, NSX-T Data Center, Workspace ONE Access, and vRealize Automation.
vRealize Operations Manager is also sized to accommodate the number of tenant workloads according to the design objectives.
Figure 7-14. Logical Design of vRealize Operations Manager
[Figure: in Region A, the vRealize Operations Manager analytics cluster (master, master replica, data nodes 1 to n) behind the NSX-T Data Center load balancer, and a collector group of two remote collectors, both with management packs; metric adapters collect from private cloud accounts (vCenter Server, Workspace ONE Access, NSX-T Data Center, vSAN, storage devices), public cloud accounts (Amazon Web Services, Microsoft Azure), and additional solutions; integrations with vRealize Automation and vRealize Log Insight; identity management through cross-region Workspace ONE Access; supporting infrastructure of shared storage, AD, DNS, NTP, and SMTP; access through a user interface and API.]
Table 7-7. vRealize Operations Manager Design Details
Deployment model:
n Analytics cluster of three nodes: master, master replica, and data node
n Remote collector group that consists of two remote collectors that communicate with the region-specific components
The vRealize Operations Manager nodes are deployed by using vRealize Suite Lifecycle Manager.
Monitored components:
n Management domain vCenter Server and workload domain vCenter Server
n ESXi hosts in the management domain and in the workload domains
n All components of NSX-T Data Center for the management domain and for the workload domains
n vSAN
n Workspace ONE Access
n vRealize Automation
n vRealize Log Insight including Launch in Context
n vRealize Operations Manager (self-health monitoring)
vRealize Log Insight
You use vRealize Log Insight to access the logs of the SDDC management components from a central place and view this information in visual dashboards.
Figure 7-15. Logical Design of vRealize Log Insight
[Figure: in Region A, a vRealize Log Insight cluster (master and workers 1 to N) with an integrated load balancer ingests from logging clients (vCenter Server, ESXi, NSX-T Data Center, vRealize Automation, vRealize Operations Manager, additional solutions) over syslog and the ingestion API, using content packs; integration with vSphere and vRealize Operations Manager; identity management through region-specific Workspace ONE Access; a log archive on an NFS export; supporting infrastructure of shared storage, AD, DNS, NTP, and SMTP; access through a user interface and API.]
Table 7-8. vRealize Log Insight Design Details
Deployment model: Cluster of a master node and two worker nodes. The vRealize Log Insight nodes are deployed by using vRealize Suite Lifecycle Manager.
Monitored components:
n Management domain vCenter Server and workload domain vCenter Server
n ESXi hosts in the management domain and in the workload domains
n All components of NSX-T Data Center for the management domain and for the workload domains
n vSAN
n Analytics cluster nodes of vRealize Operations Manager
n Management appliances
Archiving: Archiving location on an NFS export
Cloud Automation Layer
By using the cloud automation layer, you provide automated workload deployment to tenants by using vRealize Automation.
Figure 7-16. Logical Design of vRealize Automation
[Figure: in Region A, a vRealize Automation cluster of one primary and two secondary nodes behind the NSX-T Data Center load balancer (supporting components: Kubernetes, Docker, Postgres, FaaS, Traefik, Flannel, Fluentd; supporting infrastructure: shared storage, AD, DNS, NTP, SMTP); identity management through cross-region Workspace ONE Access; integration accounts for vRealize Operations Manager, My VMware, vRealize Orchestrator, Git, and additional solutions such as SD, IPAM, K8s, Ansible, and Puppet; private cloud accounts (vCenter Server, NSX-T Data Center) and public cloud accounts (VMware Cloud on AWS, Microsoft Azure, Amazon Web Services, Google Cloud); access through a user interface and API.]
Figure 7-17. vRealize Automation Usage Model
[Figure: Service Broker and Cloud Assembly; Rainpole User 1 (Production project member) and Rainpole User 2 (Development project member) access the Production and Development projects; a Project Admin and a Cloud Assembly Admin perform services authoring and administration of cloud resources; cloud zones map each project to private cloud resources (compute, network, storage) through tagging, images, blueprints, and extensibility.]
Table 7-9. Cloud Automation Design Details
Deployment model of vRealize Automation: A cluster of three vRealize Automation nodes with a load balancer. The cluster is deployed by using vRealize Suite Lifecycle Manager.
vRealize Automation services:
n Cloud Assembly
n Service Broker
n Orchestrator (using the embedded vRealize Orchestrator)
Network segment: Cross-region virtual network segment. See Dynamic Routing and Virtual Network Segments.
Cloud accounts:
n Workload domain vCenter Server
n Workload domain NSX-T Manager
Note Deploying workloads on a workload domain by using vRealize Automation requires that you deploy an NSX-T Data Center instance for each domain.
Cloud zones: One cloud zone mapped to one region
Tagging:
n For the shared edge and workload cluster, apply tagging on the resource pools
n For workload clusters, apply tagging at the vSphere cluster
Tenants: A single tenant company called Rainpole
Workload placement setup:
n My VMware integration to download and provision blueprints from VMware Marketplace
n Flavor mappings to define the deployment sizings
n Image mappings to define the target deployment operating system and related configuration settings
n Network profiles to define the subnet and routing configuration for the provisioned virtual machines
n Storage profiles to define disk customizations and the type of storage for the provisioned workloads
n Projects to define the users that can provision workloads, the priority and cloud zone of deployments, and the maximum allowed deployment instances.
n Content sources and catalogs to provide users with access to blueprints.
Multiple Availability Zones
VMware Validated Design provides alternative guidance for implementing an SDDC that contains two availability zones. You configure vSAN stretched clusters in the management domain and the workload domains to create second availability zones. The SDDC continues operating during host maintenance or if a loss of one availability zone occurs.
In a stretched cluster configuration, both availability zones are active. If a failure in either availability zone occurs, the virtual machines are restarted in the operational availability zone because virtual machine writes occur to both availability zones synchronously.
Overview of vSAN Stretched Cluster
Virtual machine write operations are performed synchronously across both availability zones. Each availability zone has a copy of the data and witness components are placed on the witness host in a third location in the SDDC. As a result of distance and latency requirements, multiple availability zones are typically used in metropolitan or campus environments.
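The quorum and restart behaviour described above, as a constructed Python model added here (it is not VMware code and does not call the vSAN implementation): every virtual machine object holds one data copy per availability zone plus a witness vote at a third site, and the model walks every combination of site failures to show which ones the SDDC survives.

```python
"""Availability model of a vSAN stretched cluster across two availability zones.

Constructed example, not VMware code. Assumptions taken from the design text:
each VM object keeps one full data copy in Availability Zone 1, one in
Availability Zone 2, and a metadata-only witness component on the witness
host at a third site. Writes are acknowledged only after both copies are
updated, so the surviving copy is current when a zone fails. An object stays
accessible while a majority of its votes (copies plus witness) survives and at
least one data copy survives; a VM running in the failed zone is restarted in
the other zone.
"""
from dataclasses import dataclass
from itertools import combinations

AZ1, AZ2, WITNESS = "Availability Zone 1", "Availability Zone 2", "Witness site"
SITES = (AZ1, AZ2, WITNESS)


@dataclass(frozen=True)
class ObjectPlacement:
    """Component layout of one vSAN object in the stretched cluster."""
    data_sites: tuple = (AZ1, AZ2)   # full mirrored copies, one per zone
    witness_site: str = WITNESS      # tiebreaker holding metadata only

    def votes(self):
        """One vote per component; the witness breaks the tie between zones."""
        counts = {site: 0 for site in SITES}
        for site in self.data_sites:
            counts[site] += 1
        counts[self.witness_site] += 1
        return counts


def object_accessible(placement, failed_sites):
    """True when the object keeps quorum and a current data copy after failures."""
    failed = frozenset(failed_sites)
    votes = placement.votes()
    total = sum(votes.values())
    surviving = sum(v for site, v in votes.items() if site not in failed)
    data_survives = any(site not in failed for site in placement.data_sites)
    return data_survives and surviving * 2 > total


def synchronous_write_sites(placement, failed_sites):
    """Sites that must acknowledge a write; empty means the write cannot proceed."""
    if not object_accessible(placement, failed_sites):
        return ()
    return tuple(site for site in placement.data_sites if site not in failed_sites)


def restart_zone(running_zone, placement, failed_sites):
    """Where vSphere HA brings the VM back: the surviving zone that holds a copy."""
    if running_zone not in failed_sites:
        return running_zone
    if not object_accessible(placement, failed_sites):
        return None   # storage lost or no quorum: the VM cannot be restarted
    return next(site for site in placement.data_sites if site not in failed_sites)


def failure_matrix(placement=ObjectPlacement()):
    """Accessibility for every combination of site failures (constructed scenarios)."""
    results = {}
    for n in range(len(SITES) + 1):
        for combo in combinations(SITES, n):
            results[combo] = object_accessible(placement, combo)
    return results


if __name__ == "__main__":
    for failed, ok in failure_matrix().items():
        label = ", ".join(failed) or "none"
        print(f"failed sites: {label:<45} -> {'accessible' if ok else 'UNAVAILABLE'}")
    print("VM in AZ1 after an AZ1 outage restarts in:",
          restart_zone(AZ1, ObjectPlacement(), {AZ1}))
```

Any single site loss, including the witness, keeps the objects accessible; losing a zone together with the witness, or both zones, does not, which is why the witness must sit in a third failure domain.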
Extending the management cluster to a vSAN stretched cluster provides the following advantages:
n Increased availability with minimal downtime and data loss
n Inter-site load balancing
Using a vSAN stretched cluster for the management components has the following disadvantages:
n Increased footprint
n Symmetrical host configuration in the two availability zones
n Distance and latency requirements between the two availability zones
n Additional setup and more complex Day-2 operations
n Licensing requirements
Regions and Availability Zones
In the multi-availability zone version of the VMware Validated Design, you have two availability zones in Region A.

Region    Availability Zone    Availability Zone and Region Identifier    Region-Specific Domain Name
Region A  Availability Zone 1  SFO01                                      sfo.rainpole.io
Region A  Availability Zone 2  SFO02                                      sfo.rainpole.io
Physical Infrastructure
You must use homogeneous physical servers between availability zones. You replicate the hosts of the first cluster in the management domain and of the shared edge and workload cluster in a workload domain, and you place them in the same rack.
Figure 7-18. Infrastructure Architecture for Two Availability Zones
[Figure: Availability Zone 1 and Availability Zone 2 each contain a pair of ToR switches with external connections, a stretched management cluster (4 ESXi hosts per zone), and a stretched shared edge and workload cluster (4 ESXi hosts per zone).]
Component Layout with Two Availability Zones
The management components of the SDDC run in Availability Zone 1. They can be migrated to Availability Zone 2 when an outage or overload occurs in Availability Zone 1.
You can start deploying the SDDC in a single availability zone configuration, and then extend the environment with the second availability zone.
Figure 7-19. vSphere Logical Cluster Layout for Multiple Availability Zones
[Figure: In Region A, the Management Domain vCenter Server manages the stretched Management Cluster and the Workload Domain vCenter Server manages the stretched Shared Edge and Workload Cluster. Each cluster has four ESXi hosts in Availability Zone 1 and four in Availability Zone 2, and the clusters run the APP/OS virtual machines.]
Network Configuration
NSX-T Edge nodes connect to top of rack switches in each data center to support northbound uplinks and route peering for SDN network advertisement. This peering is specific to the top of rack switches to which the edge node is connected.
If an outage of an availability zone occurs, vSphere HA restarts the edge appliances in the other availability zone. Availability Zone 2 must therefore provide an analog of the network infrastructure to which the edge nodes are connected in Availability Zone 1.
The management, Uplink 01, Uplink 02, and Edge Overlay networks in each availability zone must be stretched to facilitate failover of the NSX-T Edge appliances between availability zones. The Layer 3 gateway for the management and Edge Overlay networks must be highly available across the availability zones.
The network between the availability zones should support jumbo frames, and its latency must be less than 5 ms. Use a 25-GbE connection for vSAN traffic for the best and most predictable storage performance (IOPS) of the environment.
To support failover of the NSX-T Edge appliances, the following networks are stretched from Availability Zone 1 to Availability Zone 2.
Table 7-10. Networks That Are Stretched Across Availability Zones

Stretched Network                    Requires HA Layer 3 Gateway
Management for Availability Zone 1   ✓
Uplink01                             x
Uplink02                             x
Edge overlay                         ✓
Management for Availability Zone 2   ✓
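Because NSX-T Edge failover silently depends on every row of Table 7-10 holding in both zones, a pre-check is worth running before relying on the design. The following Python script is an added example, not VMware tooling; it encodes the stretched-network, HA gateway, jumbo-frame, and sub-5 ms latency requirements from this section and evaluates a constructed inventory against them. The inventory structure, VLAN IDs, measured latency and MTU, and the use of a matching VLAN ID in both zones as the marker of a stretched Layer 2 segment are assumptions of the example.

```python
"""Pre-check for the stretched networks that NSX-T Edge failover depends on.

Added illustration, not VMware code. REQUIREMENTS mirrors Table 7-10; the
latency and MTU limits come from the network configuration text. Everything
else (inventory layout, VLAN IDs, measured values) is a constructed assumption.
"""
from dataclasses import dataclass

# Table 7-10: stretched network -> whether its Layer 3 gateway must be HA across zones
REQUIREMENTS = {
    "Management for Availability Zone 1": True,
    "Uplink01": False,
    "Uplink02": False,
    "Edge overlay": True,
    "Management for Availability Zone 2": True,
}
ZONES = ("AZ1", "AZ2")
MAX_LATENCY_MS = 5.0     # inter-zone latency must be below 5 ms
MIN_MTU = 9000           # jumbo frames on the inter-zone link


@dataclass
class NetworkPresence:
    vlan_id: int          # assumed: a stretched segment carries the same VLAN ID in both zones
    ha_gateway: bool      # Layer 3 gateway survives the loss of either zone


@dataclass
class Inventory:
    networks: dict[str, dict[str, NetworkPresence]]   # network name -> zone -> presence
    inter_zone_latency_ms: float
    inter_zone_mtu: int


def check(inv: Inventory) -> list[str]:
    """Return a list of findings; an empty list means the design requirements are met."""
    findings: list[str] = []
    if inv.inter_zone_latency_ms >= MAX_LATENCY_MS:
        findings.append(
            f"inter-zone latency {inv.inter_zone_latency_ms} ms is not below {MAX_LATENCY_MS} ms")
    if inv.inter_zone_mtu < MIN_MTU:
        findings.append(f"inter-zone MTU {inv.inter_zone_mtu} does not support jumbo frames")
    for name, needs_ha in REQUIREMENTS.items():
        zones = inv.networks.get(name, {})
        missing = [z for z in ZONES if z not in zones]
        if missing:
            findings.append(f"{name}: not present in {', '.join(missing)}; edge failover would lose it")
            continue
        if len({zones[z].vlan_id for z in ZONES}) != 1:
            findings.append(f"{name}: VLAN ID differs between zones, segment is not stretched")
        if needs_ha and not all(zones[z].ha_gateway for z in ZONES):
            findings.append(f"{name}: Layer 3 gateway is not highly available across zones")
    return findings


def sample_inventory() -> Inventory:
    """Constructed inventory with deliberate defects, for the demonstration."""
    def both(vlan: int, ha: bool) -> dict[str, NetworkPresence]:
        return {z: NetworkPresence(vlan, ha) for z in ZONES}

    nets = {
        "Management for Availability Zone 1": both(1611, True),
        "Uplink01": both(1647, False),
        "Uplink02": {"AZ1": NetworkPresence(1648, False)},       # defect: not stretched into AZ2
        "Edge overlay": {"AZ1": NetworkPresence(1614, True),
                         "AZ2": NetworkPresence(1614, False)},   # defect: gateway not HA in AZ2
        "Management for Availability Zone 2": both(1621, True),
    }
    return Inventory(networks=nets, inter_zone_latency_ms=7.5, inter_zone_mtu=9000)


if __name__ == "__main__":
    for finding in check(sample_inventory()) or ["no findings"]:
        print(finding)
```

Run against the constructed inventory, the check reports the latency breach, the Uplink02 segment that exists only in Availability Zone 1, and the Edge overlay gateway that is not HA; correcting those three items yields an empty finding list. In a real environment the inventory would be populated from the switch and NSX-T configuration rather than typed in by hand.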