Professional Documents
Culture Documents
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
©
Copyright 2020-2021 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc. 2
Contents
About VMware Validated Design Architecture and Design for Cloud Operations
and Automation 5
VMware, Inc. 3
Architecture and Design for Cloud Operations and Automation
VMware, Inc. 4
About VMware Validated Design
Architecture and Design for Cloud
Operations and Automation
The Architecture and Design for Cloud Operations and Automation document contains a detailed
®
design for adding and connecting cross-region VMware Workspace ONE Access™ and VMware
®
vRealize Suite products to a single-region or dual-region Software-Defined Data Center (SDDC)
deployment of VMware Validated Design™.
Chapter 1 Architecture Overview for Cloud Operations and Automation discusses the building
blocks and the main principles of cloud operations and automation solutions. Chapter 2 Detailed
Design for Cloud Operations and Automation provides the available design options according to
the design objectives, and a set of design decisions to justify selecting the path for implementing
each solution.
Intended Audience
This design is intended for cloud architects, cloud administrators, and infrastructure
administrators who are familiar with and want to use VMware software to implement cloud
operations and automation capabilities for an SDDC that is deployed according to VMware
Validated Design.
VMware, Inc. 5
Architecture and Design for Cloud Operations and Automation
If you plan to deploy an SDDC by following the prescriptive path of VMware Validated Design, to
apply the Architecture and Design for Cloud Operations and Automation, you must be familiar
with the following guidance:
Optionally, you should be familiar with the Architecture and Design for a vSphere with Tanzu
Workload Domain guidance.
If you plan to deploy an SDDC by following the guidelines in the VMware Cloud Foundation
documentation, to apply the Architecture and Design for Cloud Operations and Automation, you
must be familiar with the following documentation:
Optionally, you should be familiar with the VMware Cloud Foundation Operations and
Administration documentaion.
Update History
This Architecture and Design for Cloud Operations and Automation is updated with each release
of the product or when necessary.
Revision Description
30 MAR 2021 The guidance now contains a validated design for a dual-
region SDDC.
VMware, Inc. 6
Architecture Overview for Cloud
Operations and Automation 1
By implementing the design for cloud operations and automation, you can automate monitoring,
logging, and provisioning and life cycle management of workloads across the Software Defined
Data Center.
Figure 1-1. Architecture Overview of the SDDC Cloud Operations and Automation in a Region
Region-
SDDC Specific vSphere with Tanzu vSphere with Tanzu
Manager Workspace
ONE Access
NSX-T NSX-T
(1:1 or 1:N) (1:1 or 1:N)
NSX-T
vCenter Server vCenter Server
vCenter Server
Principal Storage Principal Storage
Principal Storage (vSAN, vVols, NFS, or VMFS on FC) (vSAN, vVols, NFS, or VMFS on FC)
(vSAN)
Consolidated SDDC
Architecture
VMware, Inc. 7
Architecture and Design for Cloud Operations and Automation
Workspace ONE Access implements the zero trust access control model by providing users
continuous access to their applications and data based on many factors, such as their device,
location, authentication, intelligence, and risk signals. Workspace ONE Access ensures that users
do not have access to applications that they must not access. Workspace ONE Access provides
a common experience for accessing on-premises or SaaS applications, while also providing
administrators visibility into user application accessibility, who uses what or when, and the
frequency of access. Workspace ONE Access works together with your primary identity
providers while acting as a broker into the Software-Defined Data Center and End User
Computing platforms.
In the context of SDDC, Workspace ONE Access is the broker between existing authentication
providers in your data center, for example, Active Directory and LDAP directory, and SDDC
solutions, such as NSX-T Data Center and the vRealize Suite products. Workspace ONE Access
provides identity and access management services to each SDDC solution and ensures that the
SAML is valid across solutions and regions in the SDDC.
In the operations management layer, the physical infrastructure, virtual infrastructure, and tenant
workloads are monitored in real time, collecting the following information for intelligent and
dynamic operational management:
n Topology data, such as physical and virtual compute, networking, and storage objects
Overview
In this design, the vRealize Suite Lifecycle Manager solution supports the deployment, upgrade,
patching, and additional day-two operations, such as scale-up and scale-out, of the following
products:
VMware, Inc. 8
Architecture and Design for Cloud Operations and Automation
®
n VMware vRealize Operations Manager™
®
n VMware vRealize Automation™
After the appliance deployment, you can access the vRealize Suite Lifecycle Manager services by
using both the browser application user interface and the API.
During the vRealize Suite Lifecycle Manager deployment process, the Management domain
vCenter Server is automatically registered with the vRealize Suite Lifecycle Manager instance.
An administrator can automate life cycle operations for Workspace ONE Access and the vRealize
Suite products. vRealize Suite Lifecycle Manager provides the following management features:
n Manage the product install, upgrade, and patch repository by using the SDDC Manager
integration.
n Manage and deploy VMware Marketplace™ content across vRealize Suite solutions.
Architecture
vRealize Suite Lifecycle Manager contains the functional elements that collaborate to orchestrate
the life cycle management operations of the vRealize Suite products in this validated design.
VMware, Inc. 9
Architecture and Design for Cloud Operations and Automation
Content Repository
Products
Life Cycle Management Engine
Postgres
Management Cluster
vRealize Suite Lifecycle Manager contains modules for installation, upgrade, and patching of
vRealize Suite products in a vSphere environment. vRealize Suite Lifecycle Manager manages
product binaries, downloads product content from VMware Marketplace, and integrates with
Workspace ONE Access for a centralized identity and access management. vRealize Suite
Lifecycle Manager in VMware Cloud Foundation mode is integrated with SDDC Manager for
inventory synchronization, bundle management, product topology and placement, and load-
balancer automation.
Authentication Models
You can configure vRealize Suite Lifecycle Manager user access to use the following
authentication models:
Monitoring Architecture
vRealize Operations Manager tracks and analyzes the operation of multiple data sources in the
SDDC by using specialized analytic algorithms. These algorithms help vRealize Operations
Manager learn and predict the behavior of every object it monitors. Users access this information
by using views, reports, and dashboards.
VMware, Inc. 10
Architecture and Design for Cloud Operations and Automation
Architecture Overview
vRealize Operations Manager contains functional elements that collaborate for data analysis and
storage, and support creating clusters of nodes with different roles.
Remote Collector
Remote CollectorNode
Node
Product/Admin UI
Suite API
Collector
Primary Node
Master Node Primary Replica Node
Master Replica Node Data Node
Data Node
Transaction Locator
Transaction Service
Analytics
Common
Common Replication
Replication Common
Common Replication
Replication Common
Common
Databases
Databases Database
Database Databases
Databases Database
Database Databases
Databases
Types of Nodes
For high availability and scalability, you can deploy several vRealize Operations Manager
instances in a cluster to track, analyze, and predict the operation of monitored systems. Cluster
nodes can have either of the following roles:
Primary node
Required initial node in the cluster. In large-scale environments, the primary node manages all
other nodes. In small-scale environments, the primary node is the single standalone vRealize
Operations Manager node.
Data node
VMware, Inc. 11
Architecture and Design for Cloud Operations and Automation
Overcomes data collection issues across the enterprise network, such as limited network
performance. Remote collector nodes gather statistics about inventory objects and forward
collected data to the data nodes. Remote collector nodes do not store data or perform
analysis.
Tracks, analyzes, and predicts the operation of monitored systems. Consists of a primary
node, data nodes, and optionally, a primary replica node.
Consists of remote collector nodes. Only collects diagnostics data without storage or
analysis. A vRealize Operations Manager deployment can contain several collector groups.
Use collector groups to achieve adapter resiliency in cases where the collector experiences
network interruption or becomes unavailable.
Logging Architecture
vRealize Log Insight provides real-time log management and log analysis with machine learning-
based intelligent grouping, high-performance searching, and troubleshooting across physical,
virtual, and cloud environments.
Overview
vRealize Log Insight collects data from ESXi hosts by using the syslog protocol. vRealize Log
Insight has the following capabilities:
n Connects to other VMware products, such as vCenter Server, to collect events, tasks, and
alarm data.
n Integrates with vRealize Operations Manager to send notification events and enable launch in
context.
n Functions as a collection and analysis point for any system that is capable of sending syslog
data.
To collect additional logs, you can install the vRealize Log Insight agent on Linux or Windows
endpoints, or you can use the preinstalled agent on certain VMware products. The vRealize Log
Insight agent is useful for custom application logs and operating systems that do not natively
support the syslog protocol, such as Windows.
VMware, Inc. 12
Architecture and Design for Cloud Operations and Automation
Architecture
The architecture of vRealize Log Insight in the SDDC enables several channels for the collection
of log messages.
Configuration Replication
Query Locator
vRealize Log Insight clients connect to the integrated load balancer (ILB) FQDN, and use the
syslog or the Ingestion API via the vRealize Log Insight agent to send logs to vRealize Log Insight.
Users and administrators interact with the ingested logs by using the user interface or the API.
By default, vRealize Log Insight collects data from vCenter Server systems and ESXi hosts. For
analyzing forwarded logs from other components, such as NSX-T Data Center, use content
packs. Content packs contain extensions or provide integration with other systems in the SDDC.
Types of Nodes
For functionality, high availability, and scalability, vRealize Log Insight supports the following
types of nodes which have inherent roles:
Primary node
VMware, Inc. 13
Architecture and Design for Cloud Operations and Automation
Required initial node in the cluster. In a standalone mode, the primary node is responsible for
all activities, including queries and log ingestion. The primary node also handles operations
that are related to the life cycle of a cluster, such as performing upgrades and addition or
removal of worker nodes. In a scaled-out and highly available environment, the primary node
still performs life cycle operations, such as addition or removal of secondary nodes. However,
it functions as a generic worker about queries and log ingestion activities.
The primary node stores logs locally. If the primary node is down, the logs stored on it
become unavailable.
Worker node
Optional. This component enables a scale-out growth in larger environments. As you add and
configure more secondary nodes in a vRealize Log Insight cluster for high availability (HA),
queries and log ingestion activities are delegated to all available nodes. You must have at
least two worker nodes to form a cluster with the primary node. The worker node stores logs
locally. If any of the worker nodes is down, the logs on the worker node become unavailable.
In a cluster mode, the ILB is the centralized entry point which ensures that vRealize Log
Insight accepts incoming ingestion traffic. When you add nodes to the vRealize Log Insight
instance to form a cluster, the ILB feature simplifies the configuration for high availability. The
ILB balances the incoming traffic fairly among the available vRealize Log Insight nodes.
The ILB runs on one of the cluster nodes at all times. In environments that contain several
nodes, an election process determines the leader of the cluster. Periodically, the ILB performs
a health check to determine whether re-election is required. If the node that hosts the ILB
virtual IP (VIP) address stops responding, the VIP address is failed over to another node in
the cluster using an election process.
Use the ILB for administrative activities unless you are performing administrative activities on
individual nodes. The Web user interface of the ILB presents data from the primary and from
the worker nodes in a scaled-out cluster in a unified display (single pane of glass).
VMware, Inc. 14
Architecture and Design for Cloud Operations and Automation
By using the Cloud Assembly service, you can create and deploy virtual machines, applications,
and services to your cloud infrastructure. With Cloud Assembly you can:
n Design and deploy - iteratively build and deploy cloud templates for infrastructure and
applications.
As a cloud administrator, you configure the cloud vendor infrastructure to support cloud-agnostic
template development and deployment for multiple clouds. You set up projects, add groups or
users, and enable access to resources in cloud accounts or regions. You import or develop cloud
templates, or delegate development to the project administrators and members.
As a project member, you use Cloud Assembly to develop and deploy cloud templates with a
declarative and iterative approach. You deploy cloud templates to the cloud accounts and
regions, which are configured by the cloud administrator as part of the project, and manage the
resources throughout the deployment life cycle. You can also integrate resource delivery into
continuous integration and continuous delivery (CI/CD) processes.
Build cloud templates on a set of building blocks that can be deployed on any supported
cloud.
Infrastructure as code
VMware, Inc. 15
Architecture and Design for Cloud Operations and Automation
Establish governance that includes access definition to resources and which clouds can
support specific activities or teams.
Development model
Declarative approach
Service Broker is a cloud service that aggregates content in native formats from multiple clouds
and platforms into a simplified and efficient catalog. You use the catalog to manage the available
catalog items, as well as how and where they are deployed in cloud accounts/regions.
As a cloud administrator, Service Broker is the portal that you provide to your users, such as,
operations and development teams. You import content such as Cloud Assembly cloud
templates, AWS CloudFormation templates, and extensibility actions, and configure governance
in the form of projects to control accessibility of resources and deployment location.
As a user, you request and monitor the provisioning process. After deployment, you manage the
deployed catalog items throughout the deployment lifecycle.
Self service
A portal for users that provides access to both infrastructure and application-level services.
Governance
Policy-based management that provides access control over resources and deployment
locations.
Definition abstraction
Support for integrating end-user services that are designed by using a range of definition
tools, such as Cloud Assembly.
Multi-cloud support
Unified delivery of predefined services that run on different cloud environments, including
VMware-based private and hybrid clouds, as well as native public clouds.
VMware, Inc. 16
Architecture and Design for Cloud Operations and Automation
run workflows on objects of different technologies that vRealize Orchestrator accesses through a
series of plug-ins.
vRealize Orchestrator provides a standard set of plug-ins, including a plug-in for vCenter Server,
with which you can orchestrate tasks in the different environments that the plug-ins expose.
vRealize Orchestrator also presents an open architecture for plugging in external third-party
applications to the orchestration platform. You can run workflows on the objects of plugged-in
technologies that you define yourself. vRealize Orchestrator connects to an authentication
provider to manage user accounts and to a preconfigured PostgreSQL database to store
information from the workflows that it runs. You can access vRealize Orchestrator, the objects it
exposes, and the vRealize Orchestrator workflows through the Orchestrator service in vRealize
Automation, or through Web services. You can monitor and configure the vRealize Orchestrator
workflows and services by using the Orchestrator service in vRealize Automation and the
vRealize Orchestrator Control Center.
Code Stream is a cloud service that provides continuous integration and continuous delivery
(CI/CD) that enables you to deliver software rapidly and reliably. Code Stream simplifies the
ability to build, test, and deploy your applications, and increases productivity as you release
source code from the development repository, through testing, to production. Code Stream
integrates your release with custom and common developer tools and objects, such as Cloud
Assembly cloud templates.
You create a pipeline that runs actions to build, deploy, test, and release your software. Code
Stream runs your software through each stage of the pipeline until it is ready to be released. You
integrate the pipeline with one or more DevOps tools, which provide data for the pipeline to run.
For example, when a developer checks in code to a Git repository, Code Stream can trigger the
pipeline and automate the build, test, and deployment of an application.
VMware, Inc. 17
Architecture and Design for Cloud Operations and Automation
You can integrate Code Stream with other VMware Cloud™ services. For example, you can
publish your Code Stream pipeline to Service Broker as a catalog item that can be requested and
deployed on cloud account or regions, or deploy a Cloud Assembly cloud template and use the
parameter values that the cloud template exposes.
Artifacts
Ensure correct versions are used across all stages of the development life cycle.
Dashboards
Facilitate collaboration by providing dashboards and reports for release pipelines KPIs.
Integration
Use existing investments in build, test, provisioning, deployment, and monitoring tools.
Multi-cloud support
Run pipelines on different cloud environments including VMware-based private and hybrid
clouds, as well as native public clouds.
Important VMware Code Stream is out of scope for this VMware Validated Design.
VMware, Inc. 18
Detailed Design for Cloud
Operations and Automation 2
The design for cloud operations and automation considers components for security and
compliance, cloud operations, and cloud automation. It includes numbered design decisions, and
the justification and implications of each decision.
Orchestration
Virtual Hypervisor
Infrastructure Identity and Access
Monitoring Fault Tolerance
Management
Pools of Resources
Virtualization Control
Backup &
Logging Industry Regulations
Restore
Physical Compute
Infrastructure
Storage
Life Cycle Security Policies
Network Management
VMware, Inc. 19
Architecture and Design for Cloud Operations and Automation
In addition to the existing region-specific Workspace ONE Access instance in Region A, you
deploy a cross-region Workspace ONE Access cluster.
The design of the region-specific Workspace ONE Access instance is covered in the Architecture
and Design for the Management Domain documentation. See Region-Specific Workspace ONE
Access Design.
n Directory integration to authenticate users against an identity provider (IdP), such as Active
Directory or LDAP.
n Access policies that consist of rules to specify criteria that users must meet to authenticate.
VMware, Inc. 20
Architecture and Design for Cloud Operations and Automation
Figure 2-2. Logical Design of the Cross-Region Workspace ONE Access Deployment
Region A
Identity Provider
Directory Services
e.g. AD, LDAP
Access
User Interface
REST API
Cross-Region
Workspace
ONE Access
Supporting Components:
Postgres
Supporting Infrastructure:
Shared Storage,
DNS, NTP, SMTP
Cross-Region Solutions
vRealize Suite
Lifecycle Manager
vRealize Operations
Manager
vRealize Automation
VMware, Inc. 21
Architecture and Design for Cloud Operations and Automation
VMware, Inc. 22
Architecture and Design for Cloud Operations and Automation
Region A Region B
Virtual Virtual
Primary Secondary Secondary
Appliance Appliance
vRealize Operations
vRealize Log Insight vRealize Log Insight
Manager
vRealize Automation
VMware, Inc. 23
Architecture and Design for Cloud Operations and Automation
The cross-region Workspace ONE Access cluster is the authentication source for vRealize Suite
Lifecycle Manager, vRealize Operations Manager, and vRealize Automation, providing
authentication services through an integration with an enterprise identity provider.
Each region-specific Workspace ONE Access instance is the authentication source for the
regional NSX-T Data Center and vRealize Log Insight deployments, providing authentication
services through an integration with an enterprise identity provider.
Supporting Infrastructure
All instances of Workspace ONE Access in this design integrate with the following supporting
infrastructure:
n Active Directory
Important Workspace ONE Access does not replace an organization's enterprise directory.
Workspace ONE Access integrates with an enterprise directory as an identity provider for
authentication to support solution authorization.
In this design, you deploy a cluster topology of Workspace ONE Access for cross-region SDDC
solutions.
VMware, Inc. 24
Architecture and Design for Cloud Operations and Automation
Table 2-3. Design Decisions on the Deployment of Cross-Region Workspace ONE Access
Decision ID Design Decision Design Justification Design Implication
VMware, Inc. 25
Architecture and Design for Cloud Operations and Automation
Table 2-3. Design Decisions on the Deployment of Cross-Region Workspace ONE Access
(continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-005 Apply vSphere Distributed Using vSphere DRS n You can place only a
Resource Scheduler (DRS) prevents the Workspace single ESXi host at a time
anti-affinity rules for the ONE Access cluster nodes into maintenance mode
Workspace ONE Access from residing on the same for a management
cluster nodes. ESXi host and risking the cluster of four ESXi
high availability of the hosts.
deployment. n Requires at least four
physical hosts to
guarantee that the three
Workspace ONE Access
cluster nodes continue to
run if an ESXi host failure
occurs.
SDDC-COM-SEC-IAM-006 Add a VM group for the You can define the startup None.
Workspace ONE Access order of virtual machines
cluster nodes and set VM regarding the service
rules to restart the dependency. The startup
Workspace ONE Access order ensures that vSphere
VM group before the High Availability powers on
vRealize Automation VM the Workspace ONE
group. Access virtual machines in
an order that respects
product dependencies.
SDDC-COM-SEC-IAM-007 Place all Workspace ONE Provides the organization You must create the virtual
Access cluster nodes in a of cross-region Workspace machine folder
dedicated VM folder in ONE Access cluster nodes
Region A, xreg-m01-fd-wsa. in the management domain
inventory.
Table 2-4. Design Decisions on the Deployment of Cross-Region Workspace ONE Access in
Multiple Availability Zones
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-008 When using two availability Ensures that, by default, After the creation of the
zones in Region A, add the the Workspace ONE stretched cluster for
Workspace ONE Access Access cluster nodes are management domain
cluster nodes to the powered on within the availability zones, the VM
primary availability zone primary availability zone group for the primary
VM group, sfo-m01- hosts group. availability zone virtual
cl01_primary-az-vmgroup. machines must be updated
to include the Workspace
ONE Access cluster nodes.
VMware, Inc. 26
Architecture and Design for Cloud Operations and Automation
Table 2-5. CPU, Memory, and Storage Resources for the Cross-Region Workspace ONE Access
Cluster Deployment
Attribute Per Appliance Cluster Deployment
Memory 16 GB 48 GB
Directories and Identity Provider Design for Cross-Region Workspace ONE Access
You integrate your enterprise directory with Workspace ONE Access to synchronize users and
groups to the Workspace ONE Access identity and access management services. You configure
the Workspace ONE Access identity provider to perform the synchronization of users and
groups from your enterprise directory.
Directories
Workspace ONE Access has its own concept of a directory, corresponding to Active Directory or
LDAP directories in your environment. This internal Workspace ONE Access directory uses
attributes to define users and groups. You create one or more directories in the identity and
access management service and then synchronize each directory with your corresponding Active
Directory or LDAP directory. Workspace ONE Access integrates with the following types of
directories:
VMware, Inc. 27
Architecture and Design for Cloud Operations and Automation
Active Directory over LDAP You create this directory type if you plan to connect to a
single Active Directory domain environment. The native
connector binds to Active Directory using simple bind
authentication. If you have more than one domain in a
forest, you create a directory for each domain.
Active Directory over Integrated Windows Authentication You create this directory type if you plan to connect to a
multi-domain or multi-forest Active Directory environment.
The native connector binds to Active Directory using
Integrated Windows Authentication. The type and number
of directories that you create vary depending on your
Active Directory environment, such as single-domain or
multi-domain, and on the type of trust used between
domains. In most environments, you create a single
directory.
n Specify the attributes for users required in the Workspace ONE Access service.
n Add a directory in the Workspace ONE Access for the directory type for your organization.
n Map user attributes between your enterprise directory and Workspace ONE Access.
VMware, Inc. 28
Architecture and Design for Cloud Operations and Automation
Table 2-8. Design Decisions on Directories for Cross-Region Workspace ONE Access
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-011 Use Active Directory with Integrated Windows The Workspace ONE Access
Integrated Windows Authentication supports cluster nodes must be joined
Authentication as the establishing trust to the Active Directory
Directory Service relationships in a multi- domain to use Active
connection option. domain or multi-forest Directory with Integrated
Active Directory Windows Authentication
environment. with the native connector.
Refer to Active Directory
Environments in the
Workspace ONE Access for
more information on
integration with differing
Active Directory Forest and
Domain models.
SDDC-COM-SEC-IAM-012 Use an account with the Configuring Active You must manage the
Account Operators role in Directory with Integrated password life cycle of this
Active Directory, rainpole Windows Authentication account.
\svc-domain-join, to requires the native
perform the domain join Workspace ONE Access
operation for each native connectors to be joined to
Workspace ONE Access the Active Directory
connector. domain.
DDC-COM-SEC-IAM-013 Use an account with the You must provide a user You must manage the
Domain Users role in account with privileges to password life cycle of this
Active Directory, rainpole query the Active Directory account.
\svc-wsa-ad, to perform domain for Workspace
domain bind operations. ONE Access
synchronization.
VMware, Inc. 29
Architecture and Design for Cloud Operations and Automation
Table 2-8. Design Decisions on Directories for Cross-Region Workspace ONE Access (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-014 Configure the directory Limits the number of You must manage the
synchronization to replicated groups required groups from your enterprise
synchronize only groups for each product. directory selected for
required for the integrated Reduces the replication synchronization to
SDDC solutions. interval for group Workspace ONE Access.
information.
See the identity
management design for
each integrated product:
n Information Security
and Access Control
Design for Cross-
Region Workspace
ONE Access
n Identity Management
Design for vRealize
Suite Lifecycle Manager
n Identity Management
Design for vRealize
Operations Manager
n Information Security
and Access Control
Design for vRealize
Automation
VMware, Inc. 30
Architecture and Design for Cloud Operations and Automation
Table 2-8. Design Decisions on Directories for Cross-Region Workspace ONE Access (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-017 Add a filter to the Limits the number of To ensure that replicated
Workspace ONE Access replicated users for user accounts are managed
directory settings to Workspace ONE Access within the maximums, you
exclude users from the within the maximum scale. must define a filtering
directory replication. schema that works for your
organization based on your
directory attributes.
SDDC-COM-SEC-IAM-018 Configure the mapped You can configure the User accounts in your
attributes included when a minimum required and organization's enterprise
user is added to the extended user attributes to directory must have the
Workspace ONE Access synchronize directory user following required attributes
directory. account for the Workspace mapped:
ONE Access cluster to be n firstname, for example,
used as an authentication givenname for Active
source for cross-region Directory
vRealize Suite solutions.
n lastName, for example, sn
for Active Directory
n email, for example, mail
for Active Directory
n userName, for example,
sAMAccountName for Active
Directory
n If you require users to
sign in with an alternate
unique identifier, for
example,
userPrincipalName, you
must map the attribute
and update the identity
and access management
preferences.
SDDC-COM-SEC-IAM-019 Configure the Workspace Ensures that any changes Schedule the
ONE Access directory to group memberships in synchronization interval to
synchronization frequency the corporate directory are be longer than the time to
to a reoccurring schedule, available for integrated synchronize from the
for example, 15 minutes. vRealize Suite solutions in a enterprise directory. If users
timely manner. and groups are being
synchronized to Workspace
ONE Access when the next
synchronization is
scheduled, the new
synchronization starts
immediately after the end of
the previous iteration. With
this schedule, the process is
continuous.
VMware, Inc. 31
Architecture and Design for Cloud Operations and Automation
Table 2-9. Design Decisions on Identity Providers and Connectors in Cross-Region Workspace
ONE Access
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-020 Configure second and third High availability is achieved Each of the Workspace ONE
native connectors that by installing three Access cluster nodes must
correspond to the second Workspace ONE Access be joined to the Active
and third Workspace ONE cluster nodes load- Directory domain to use
Access cluster nodes to balanced by an NSX-T Data Active Directory with
support the high availability Center load balancer. Integrated Windows
of directory services Adding the additional Authentication with the
access. native connectors provides native connector.
redundancy and improves
performance by load-
balancing authentication
requests.
You can change the logo, the background and text colors, or the information in the header and
footer.
Table 2-10. Design Decisions on Branding for Cross-Region Workspace ONE Access
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-021 Apply branding Provides minimal corporate You must provide an icon,
customizations for the branding to the user logo, and background image
Workspace ONE Access interface consumed by end icon that meets the minimum
user interface that is users. the correct size and
presented to users when n Company name resolution.
logging into integrated n Product
SDDC solutions.
n Favorite icon
n Logo image
n Background image
n Colors
VMware, Inc. 32
Architecture and Design for Cloud Operations and Automation
vRealize Suite Lifecycle Manager deploys and manages the life cycle of the cross-region
Workspace ONE Access cluster.
Table 2-11. Design Decisions on Life Cycle for Cross-Region Workspace ONE Access
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-022 Use vRealize Suite Lifecycle vRealize Suite Lifecycle Upgrades of Workspace
Manager to perform the life Manager automates the life ONE Access require a
cycle management of the cycle of the cross-region bundle download in SDDC
cross-region Workspace Workspace ONE Access Manager before invoking the
ONE Access cluster. cluster. life cycle automation
SDDC Manager provides workflows in vRealize Suite
the upgrade bundles for Lifecycle Manager.
Workspace ONE Access to
vRealize Suite Lifecycle
Manager, but does not
support initiating a
Workspace ONE Access
upgrades through the
integration with vRealize
Suite Lifecycle Manager.
For information about the integration of the cross-region Workspace ONE Access deployment
with vRealize Suite Lifecycle Manager, see SDDC Life Cycle Operations Design for vRealize Suite
Lifecycle Manager.
The integration to vRealize Log Insight from Workspace ONE Access provides the ability to send
logs from the appliances and services for aggregation and analysis, as necessary.
You enable logging by using the vRealize Log Insight ingestion API. To establish logging, you
install the vRealize Log Insight Agent and configure the Workspace ONE Access agent groups for
the vRealize Log Insight cluster. See Logging Design for vRealize Log Insight.
Table 2-12. Design Decisions on Logging for Cross-Region Workspace ONE Access
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-023 Do not configure the Workspace ONE Access You must install and
Workspace ONE Access cluster nodes are configure the vRealize Log
cluster nodes to use the configured to use the Insight agent on each cross-
syslog protocol for logs. vRealize Log Insight region Workspace ONE
ingestion API. Access cluster node.
VMware, Inc. 33
Architecture and Design for Cloud Operations and Automation
Workspace ONE Access supports data protection through the creation of consistent image-level
backups, using backup software that is based on the vSphere Storage APIs - Data Protection
(VADP).
n The Workspace ONE Access cluster nodes are connected to the cross-region network
segment, xreg-m01-seg01, to support growth to a multi-region design. The Workspace ONE
Access cluster nodes for cross-region vRealize Suite solutions are deployed together on the
same cross-region virtual network segment in Region A. This configuration provides a
consistent deployment model for management applications, and supports growth to a multi-
region design.
n All Workspace ONE Access components have routed access to the VLAN-backed
management network through the NSX-T Data Center Tier-0 gateway.
n Routing to the VLAN-backed management network and other external networks is dynamic
and is based on the Border Gateway Protocol (BGP).
VMware, Inc. 34
Architecture and Design for Cloud Operations and Automation
Figure 2-4. Network Design of the Cross-Region Workspace ONE Access Deployment
Region A Region B
(SFO - San Francisco) (LAX - Los Angeles)
172.16.11.0/24 172.17.11.0/24
VLAN: sfo01-m01-cl01-vds01-pg-mgmt VLAN: lax01-m01-cl01-vds01-pg-mgmt
xreg-m01-seg01 192.168.11.0/24
Cross-Region
Workspace ONE Access Cluster
Region A
Use the application virtual network configuration to connect the Workspace ONE Access cluster
with the other management solutions in the SDDC. The cross-region Workspace ONE Access
cluster is connected to the cross-region virtual network segment, xreg-m01-seg01. The cross-
region Workspace ONE Access cluster uses the load balancer on the NSX-T Data Center Tier-1
Gateway for high availability and balancing user access across the cluster nodes.
VMware, Inc. 35
Architecture and Design for Cloud Operations and Automation
Table 2-13. Design Decisions on the Virtual Network Segment for the Cross-Region Workspace
ONE Access Deployment
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-024 Place the Workspace ONE Provides a consistent You must use an
Access cluster nodes for deployment model for implementation in NSX-T
cross-region vRealize Suite management applications Data Center to support this
solutions on the cross- in a multi-region design. network configuration.
region virtual network
segment, xreg-m01-seg01, in
Region A.
IP Addressing
Allocate a statically assigned IP address and a host name from the cross-region network segment
to each cross-region Workspace ONE Access cluster node.
Table 2-14. Design Decisions on the IP Addressing for the Cross-Region Workspace ONE Access
Deployment
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-025 Allocate statically assigned Using statically assigned IP Requires precise IP address
IP addresses to the addresses ensures stability management.
Workspace ONE Access across the SDDC and
cluster nodes and the makes it simpler to maintain
embedded Postgres and easier to track.
database as well as the
NSX-T Data Center load-
balancer virtual server.
Name Resolution
The Workspace ONE Access cluster nodes are resolvable by using domain name resolution.
The IP addresses of the cross-region Workspace ONE Access cluster nodes are associated with a
fully qualified name whose suffix is set to the root domain, rainpole.io.
Table 2-15. Design Decisions on Name Resolution for Cross-Region Workspace ONE Access
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-026 Configure forward and Workspace ONE Access is n You must provide DNS
reverse DNS records for accessible by using a fully records for each
each cross-region qualified domain name Workspace ONE Access
Workspace ONE Access instead of IP addresses. cluster node and for the
cluster node IP address and NSX-T Data Center load-
the NSX-T Data Center balancer virtual server IP
load-balancer virtual IP address.
address. n All firewalls located
between the Workspace
ONE Access cluster
nodes and the DNS
servers must allow DNS
traffic.
VMware, Inc. 36
Architecture and Design for Cloud Operations and Automation
Table 2-16. Design Decisions on Name Resolution for Cross-Region Workspace ONE Access for a
Multi-Region SDDC
Decision ID Design Decision Design Justification Design Implication
Time Synchronization
Workspace ONE Access depends on time synchronization for all cluster nodes.
Table 2-17. Design Decisions on Time Synchronization for Cross-Region Workspace ONE Access
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-028 Configure NTP for each Workspace ONE Access All firewalls located between
Workspace ONE Access depends on time the Workspace ONE Access
cluster node. synchronization for all cluster nodes and the NTP
cluster nodes. servers must allow NTP
traffic.
Table 2-18. Design Decisions on Time Synchronization for Cross-Region Workspace ONE Access
for a Multi-Region SDDC
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-029 For a dual-region SDDC, Improves resiliency in the If you scale from a single-
configure the NTP settings event of an outage of an region to multi-region SDDC
on the cross-region NTP server. deployment, the NTP
Workspace ONE Access settings on each Workspace
cluster nodes to use NTP ONE Access cluster node
servers in each region. must be updated.
Load Balancing
A Workspace ONE Access cluster deployment requires a load balancer to manage connections
to Workspace ONE Access services.
VMware, Inc. 37
Architecture and Design for Cloud Operations and Automation
The design uses load-balancing services provided by NSX-T Data Center in the management
domain. During the deployment of the Workspace ONE Access cluster, vRealize Suite Lifecycle
Manager and SDDC Manager coordinate to automate the deployment and configuration of the
NSX-T Data Center load balancer.
VMware, Inc. 38
Architecture and Design for Cloud Operations and Automation
Table 2-19. Design Decisions on Load Balancing for Cross-Region Workspace ONE Access
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-030 Use the small-size NSX-T n Required to deploy You must use the NSX-T
Data Center load balancer Workspace ONE Data Center load balancer
that is configured by SDDC Access as a cluster that is configured by SDDC
Manager, on a dedicated deployment type, Manager and the integration
NSX-T Data Center Tier-1 enabling it to handle a with vRealize Suite Lifecycle
gateway in the greater load and obtain Manager.
management domain to a higher level of service
load balance connections availability for vRealize
across the cross-region Operations Manager
Workspace ONE Access and vRealize
cluster nodes. Automation, which also
share this load
balancer.
n During the deployment
of Workspace ONE
Access using vRealize
Suite Lifecycle
Manager, SDDC
Manager automates the
configuration of the
NSX-T Data Center load
balancer for the cross-
region Workspace ONE
Access cluster on the
NSX-T Data Center
standalone Tier-1
gateway.
SDDC-COM-SEC-IAM-031 n Use the NSX-T Data n The active monitor uses If a higher-level SSL cipher
Center load-balancer HTTPS requests to profile is required, set the
monitor, wsa-https- monitor the application SSL Configuration to use the
monitor, for the cross- health reported by default-high-security-
region Workspace ONE Workspace ONE server-ssl-profile SSL
Access cluster with an Access. profile.
active HTTPS monitor n Ensures that
on monitoring port 443. connections to
n The intervals and unhealthy cross-region
timeouts for the Workspace ONE
monitor are set to: Access members in the
n Monitoring interval: pool are disabled until a
3 seconds subsequent periodic
health check finds the
n Idle timeout period:
members to be healthy.
10 seconds
n Rise/Fall: 3 seconds.
n The HTTP request for
the monitor is set to:
n HTTP method: Get
n HTTP request
version: 1.1
VMware, Inc. 39
Architecture and Design for Cloud Operations and Automation
Table 2-19. Design Decisions on Load Balancing for Cross-Region Workspace ONE Access
(continued)
Decision ID Design Decision Design Justification Design Implication
n Request URL: /
SAAS/API/1.0/
REST/system/
health/heartbeat.
n The HTTP response for
the monitor is set to:
n HTTP response
code: 200
n HTTP response
body: ok
n The SSL configuration
for the monitor is set to:
n Server SSL: Enabled
n Client certificate:
Cross-region
Workspace ONE
Access cluster
certificate
n SSL profile: default-
balanced-server-ssl-
profile.
VMware, Inc. 40
Architecture and Design for Cloud Operations and Automation
Table 2-19. Design Decisions on Load Balancing for Cross-Region Workspace ONE Access
(continued)
Decision ID Design Decision Design Justification Design Implication
VMware, Inc. 41
Architecture and Design for Cloud Operations and Automation
Table 2-19. Design Decisions on Load Balancing for Cross-Region Workspace ONE Access
(continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-036 n Set the NSX-T Data End-to-end SSL is required If a higher-level SSL cipher
Center load-balancer to support load balancing profile is required, set the
virtual server, wsa-https, for the cross-region SSL configuration to use the
for the cross-region Workspace ONE Access default-high-security-
Workspace ONE cluster deployment type. server-ssl-profile SSL
Access cluster to use profile.
an SSL configuration.
n The SSL configuration
for the client SSL is set
to:
n Client SSL: Enabled
n Client certificate:
Cross-region
Workspace ONE
Access cluster
certificate
n SSL Profile: default-
balanced-client-ssl-
profile.
n The SSL configuration
for the server SSL is set
to:
n Server SSL: Enabled
n Client certificate:
Cross-region
Workspace ONE
Access cluster
certificate
n SSL Profile: default-
balanced-server-ssl-
profile.
SDDC-COM-SEC-IAM-037 The NSX-T Data Center HTTP header rewrites are None.
load-balancer virtual server, required to support load
wsa-https, for the cross- balancing for the cross-
region Workspace ONE region Workspace ONE
Access cluster is set to use Access cluster deployment
Request Rewrite phase. type.
n Match Conditions:
Delete
n Match Strategy: ALL
n Action: HTTP Request
Header Rewrite
n Header Name:
RemotePort
n Header Value:
$_remote_port
VMware, Inc. 42
Architecture and Design for Cloud Operations and Automation
Table 2-19. Design Decisions on Load Balancing for Cross-Region Workspace ONE Access
(continued)
Decision ID Design Decision Design Justification Design Implication
After the integration, information security and access control configurations for the integrated
SSDC products can be configured.
VMware, Inc. 43
Architecture and Design for Cloud Operations and Automation
Table 2-20. Design Decisions on Integrations for Cross-Region Workspace ONE Access
Decision ID Design Decision Design Justification Design Implication
Table 2-21. Workspace ONE Access Roles and Example Enterprise Groups
Role Description Enterprise Group
For more information about Workspace ONE Access roles and their permissions, see the
Workspace ONE Access documentation.
As the cloud administrator for Workspace ONE Access, you establish an integration with your
enterprise directories which allows you to use your organization's identity source for
authentication.
The cross-region Workspace ONE Access deployment allows you to control access to your
cross-region vRealize Suite solutions - vRealize Suite Lifecycle Manager, vRealize Operations
Manager, and vRealize Automation - by assigning roles to your organization's enterprise
directory groups, such as Active Directory security groups.
VMware, Inc. 44
Architecture and Design for Cloud Operations and Automation
Assigning roles to groups is more efficient than assigning roles to individual users. As a cloud
administrator, you determine the members that make up your groups and what roles they are
assigned. Groups in the connected directories are available for use Workspace ONE Access. In
this design, enterprise groups are used to assign roles in Workspace ONE Access.
Table 2-22. Design Decisions on Identity Management for Cross-Region Workspace ONE Access
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-041 Assign roles to groups, Provides access You must define and
synchronized from your management and manage security groups,
corporate identity source administration of group membership and,
for Workspace ONE Workspace ONE Access by security controls in your
Access. using corporate security corporate identity source for
group membership. Workspace ONE Access
administrative consumption.
SDDC-COM-SEC-IAM-042 Create a security group in Streamlines the You must create the security
your organization directory management of Workspace group outside of the SDDC
services for the Super ONE Access roles to users. stack.
Admin role, rainpole.io\ug- You must set the
wsa-admins, and appropriate directory
synchronize the group in synchronization interval in
the Workspace ONE Workspace ONE Access to
Access configuration. ensure that changes are
available within a reasonable
period.
SDDC-COM-SEC-IAM-043 Assign the enterprise Provides the following You must maintain the life
group for administrators, access control features: cycle and availability of the
rainpole.io\ug-wsa- n Access to Workspace security group outside of the
admins, the Super Admins ONE Access services is SDDC stack.
Workspace ONE Access granted to a managed
role. set of individuals that
are members of the
security group.
n Improved accountability
and tracking access to
Workspace ONE
Access.
SDDC-COM-SEC-IAM-044 Create a security group in Streamlines the You must create the security
your organization directory management of Workspace group outside of the SDDC
services for the Directory ONE Access roles to users. stack.
Admin role, rainpole.io\ug- You must set the
wsa-directory-admins, and appropriate directory
synchronize the group in synchronization interval in
the Workspace ONE Workspace ONE Access to
Access configuration. ensure that changes are
available within a reasonable
period.
VMware, Inc. 45
Architecture and Design for Cloud Operations and Automation
Table 2-22. Design Decisions on Identity Management for Cross-Region Workspace ONE Access
(continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-045 Assign the enterprise Provides the following You must maintain the life
group for directory access control features: cycle and availability of the
administrator users, n Access to Workspace security group outside of the
rainpole.io\ug-wsa- ONE Access services is SDDC stack.
directory-admins, the granted to a managed
Directory Admins set of individuals that
Workspace ONE Access are members of the
role. security group.
n Improved accountability
and tracking access to
Workspace ONE
Access.
SDDC-COM-SEC-IAM-046 Create a security group in Streamlines the You must create the security
your organization directory management of Workspace group outside of the SDDC
services for the ReadOnly ONE Access roles to users. stack.
Admin role, rainpole.io\ug- You must set the
wsa-read-only, and appropriate directory
synchronize the group in synchronization interval in
the Workspace ONE Workspace ONE Access to
Access configuration. ensure that changes are
available within a reasonable
period.
SDDC-COM-SEC-IAM-047 Assign the enterprise Provides the following You must maintain the life
group for read-only users, access control features: cycle and availability of the
rainpole.io\ug-wsa-read- n Access to Workspace security group outside of the
only, the ReadOnly Admin ONE Access services is SDDC stack.
Workspace ONE Access granted to a managed
role. set of individuals that
are members of the
security group.
n Improved accountability
and tracking access to
Workspace ONE
Access.
Note In an Active Directory forest, consider using a security group with a universal scope. Add
security groups with a global scope that includes service accounts and users from the domains in
the Active Directory forest.
VMware, Inc. 46
Architecture and Design for Cloud Operations and Automation
Table 2-23. Design Decisions on Password Management for Cross-Region Workspace ONE
Access
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-048 Rotate the appliance root The password for the root You must manage the
user password on a user account expires 60 password rotation schedule
schedule post deployment. days after the initial for the root user account in
deployment and after accordance with your
subsequent password corporate policies and
changes. regulatory standards, as
applicable.
You must manage the root
password rotation schedule
on the cross-region
Workspace ONE Access
cluster nodes by using SDDC
Manager.
SDDC-COM-SEC-IAM-049 Rotate the appliance The password for the You must manage the
sshuser user password on appliance sshuser user password rotation schedule
a schedule post account expires 60 days for the appliance sshuser
deployment. after the initial deployment user account in accordance
and after subsequent with your corporate policies
password changes. and regulatory standards, as
applicable.
You must manage the
sshuser password rotation
schedule on the cross-region
Workspace ONE Access
cluster nodes by using
vRealize Suite Lifecycle
Manager.
SDDC-COM-SEC-IAM-050 Rotate the admin The password for the You must manage the
application user password default administrator password rotation schedule
on a schedule post application user account for the admin application
deployment. does not expire after the user account in accordance
initial deployment. with your corporate policies
and regulatory standards, as
applicable.
You must manage the admin
password rotation schedule
on the cross-region
Workspace ONE Access
cluster nodes by using SDDC
Manager.
VMware, Inc. 47
Architecture and Design for Cloud Operations and Automation
Table 2-23. Design Decisions on Password Management for Cross-Region Workspace ONE
Access (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-051 Rotate the configadmin The password for the You must manage the
application user password configuration administrator password rotation schedule
on a schedule post application user account for the configuration
deployment. does not expire after the administrator application
initial deployment. user account in accordance
with your corporate policies
and regulatory standards, as
applicable.
You must manage the
password rotation schedule
on the cross-region
Workspace ONE Access
cluster nodes using vRealize
Suite Lifecycle Manager.
SDDC-COM-SEC-IAM-052 Configure a password You can set a policy for You must set the policy in
policy for Workspace ONE Workspace ONE Access accordance with your
Access local directory local directory users that organization policies and
users, admin and addresses your corporate regulatory standards, as
configadmin. policies and regulatory applicable.
standards. You must apply the
The password policy is password policy on the
applicable only to the local cross-region Workspace
directory users and does ONE Access cluster nodes.
not impact your
organization directory.
VMware, Inc. 48
Architecture and Design for Cloud Operations and Automation
Table 2-24. Design Decisions on Certificates for Cross-Region Workspace ONE Access
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-SEC-IAM-054 Use a SHA-2 or higher The SHA-1 algorithm is Not all certificate authorities
algorithm when signing considered less secure and support SHA-2.
certificates. has been deprecated.
VMware, Inc. 49
Architecture and Design for Cloud Operations and Automation
Orchestration
Virtual Hypervisor
Infrastructure Identity and Access
Monitoring Fault Tolerance
Management
Pools of Resources
Virtualization Control
Backup &
Logging Industry Regulations
Restore
Physical Compute
Infrastructure
Storage
Life Cycle Security Policies
Network Management
n Features of vRealize Suite Lifecycle Manager support initial installation and configuration of
vRealize Suite products and cross-region Workspace ONE Access. Additional features
support the life cycle management capabilities and configuration drift analysis for the
vRealize Suite products and cross-region Workspace ONE Access.
n Monitoring operations support in vRealize Operations Manager and vRealize Log Insight
provides performance, capacity management, and real-time logging of related physical and
virtual infrastructure and cloud management components.
VMware, Inc. 50
Architecture and Design for Cloud Operations and Automation
Logical Design
To orchestrate the deployment, patching, and upgrade of cross-region Workspace ONE Access
and the vRealize Suite products in the SDDC, vRealize Suite Lifecycle Manager communicates
with SDDC Manager and the Management domain vCenter Server in the SDDC. When vRealize
Suite Lifecycle Manager is in VMware Cloud Foundation mode, vRealize Suite Lifecycle Manager
retrieves the software bundles from the SDDC Manager inventory, and SDDC Manager configures
the load balancer for the cross-region Workspace ONE Access, vRealize Operations Manager,
and vRealize Automation.
VMware, Inc. 51
Architecture and Design for Cloud Operations and Automation
Region A
Identity Management
Cross-Region
Access Workspace
ONE Access
User Interface Integration
SDDC
REST API Manager
vRealize Suite
Lifecycle Manager
in VMware Cloud
Foundation Mode
Life Cycle Management Endpoint
vRealize vCenter
Operations Server
Manager
vRealize
Log Insight
vRealize
Automation Shared
Storage
Cross-Region
Workspace
ONE Access
Region B
Life Cycle Management
vRealize
Operations
Manager
Collectors
vRealize
Log Insight
VMware, Inc. 52
Architecture and Design for Cloud Operations and Automation
n A single vRealize Suite Lifecycle n A single vRealize Suite Lifecycle n In Region A, a single vRealize Suite
Manager appliance deployed on Manager appliance deployed on Lifecycle Manager appliance
the cross-region network segment. the cross-region network deployed on the cross-region
n vSphere HA protects the vRealize segment. network segment.
Suite Lifecycle Manager appliance. n vSphere HA protects the vRealize n vSphere HA protects the vRealize
Life cycle management for: Suite Lifecycle Manager Suite Lifecycle Manager appliance.
appliance. Life cycle management for:
n vRealize Log Insight
n A DRS rule specifies that the n vRealize Log Insight in each region
n Cross-region Workspace ONE
vRealize Suite Lifecycle Manager
Access n Cross-region Workspace ONE
appliance runs on an ESXi host in
n vRealize Automation Access
Availability Zone 1.
n vRealize Operations Manager n vRealize Automation
Life cycle management for:
analytics cluster n vRealize Operations Manager
n vRealize Log Insight
n vRealize Operations Manager analytics cluster
n Cross-region Workspace ONE
remote collectors n vRealize Operations Manager
Access remote collectors in each region
n vRealize Automation
n vRealize Operations Manager
analytics cluster
n vRealize Operations Manager
remote collectors
vRealize Suite Lifecycle Manager operates with the following elements and components:
Locker n Passwords
n Certificates
n Licenses
Product support n Product binaries for install and upgrade (.ova, .pak, .iso)
n Patch binaries
n Product supports packs (.pspak)
VMware, Inc. 53
Architecture and Design for Cloud Operations and Automation
Table 2-26. Elements and Components in vRealize Suite Lifecycle Manager (continued)
Element Components
You deploy vRealize Suite Lifecycle Manager by using SDDC Manager. SDDC Manager deploys
vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode. When in VMware Cloud
Foundation mode, vRealize Suite Lifecycle Manager is integrated with SDDC Manager, providing
the following benefits:
n Integration with the SDDC Manager inventory to retrieve infrastructure details when creating
environments for cross-region Workspace ONE Access and vRealize Suite components, such
as virtual network segments and vCenter Server details.
n Automation of the load balancer configuration when deploying cross-region Workspace ONE
Access, vRealize Operations Manager, and vRealize Automation.
n Deployment details for vRealize Suite Lifecycle Manager environments are populated in the
SDDC Manager inventory and can be queried using the SDDC Manager API.
n Day-two workflows in SDDC Manager to connect vRealize Log Insight and vRealize
Operations Manager to workload domains.
n The ability to manage password life cycle for cross-region Workspace ONE Access and
vRealize Suite components.
The vRealize Suite Lifecycle Manager appliance includes cloud operations services for life cycle
management of the vRealize Suite products and cross-region Workspace ONE Access.
VMware, Inc. 54
Architecture and Design for Cloud Operations and Automation
In the design, you deploy a single vRealize Suite Lifecycle Manager appliance instance on the first
vSphere cluster in the management domain in Region A. With this configuration, you can manage
the life cycle of all vRealize Suite products deployed across each region.
To accomplish this design objective, you deploy or reuse the following components to deploy
this cloud operations solution for the SDDC:
n SDDC Manager
SDDC-COM-CO- Deploy a single vRealize Suite Provides life cycle operations None.
LCM-001 Lifecycle Manager instance on for all vRealize Suite products
the first cluster in the and the cross-region
management domain in the Workspace ONE Access
first region to manage the cluster.
following management
components:
n Cross-region vRealize Suite
products
n Cross-region Workspace
ONE Access cluster
n Region-specific vRealize
Log Insight cluster in each
region
VMware, Inc. 55
Architecture and Design for Cloud Operations and Automation
Table 2-27. Design Decisions on Deployment of vRealize Suite Lifecycle Manager (continued)
Design Design
Decision ID Design Decision Justification Implication
SDDC-COM-CO- Deploy vRealize Suite Lifecycle n Allows SDDC Manager the None.
LCM-003 Manager by using SDDC ability to provide life cycle
Manager. management of vRealize
Suite components with its
integration to vRealize Suite
Lifecycle Manager.
n Deploys vRealize Suite
Lifecycle Manager in
VMware Cloud Foundation
mode, which enables
integration with the SDDC
Manager inventory for
product deployment and
life cycle.
n Automatically configures
the standalone NSX-T tier 1
gateway required for load
balancing the cross-region
Workspace ONE Access
and vRealize Suite
components.
SDDC-COM-CO- Place the cross-region vRealize Provides the organization of You must create the VM folder.
LCM-004 Suite Lifecycle Manager the vRealize Suite Lifecycle
appliance in a dedicated virtual Manager appliance in the
machine folder in Region A, management domain
xreg-m01-fd-vrslcm. inventory.
Table 2-28. Design Decisions on Deployment for vRealize Suite Lifecycle Manager for Multi
Availability Zones
Design Design
Decision ID Design Decision Justification Implication
SDDC-COM-CO- Add the vRealize Suite Ensures that, by default, the If vRealize Suite Lifecycle
LCM-005 Lifecycle Manager appliance to vRealize Suite Lifecycle Manager is deployed after the
the primary availability zone Manager appliance is powered creation of the stretched
VM group, sfo-m01- on within the primary clusters for management domain
cl01_primary-az-vmgroup. availability zone hosts group. availability zones, the VM group
for the primary availability zone
virtual machines must be
updated to include the vRealize
Suite Lifecycle Manager
appliance.
VMware, Inc. 56
Architecture and Design for Cloud Operations and Automation
Table 2-29. vRealize Suite Lifecycle Manager CPU, Memory, and Storage Resources
Attribute Appliance
CPU 2 vCPUs
Memory 6 GB
When you deploy vRealize Suite Lifecycle Manager, consider the storage required for the
following content:
n Product support for install, upgrade, patch, and support pack binaries
n Content management
SDDC-COM-CO- Increase the initial storage of Support for product binaries You must ensure you provide
LCM-006 the vRealize Suite Lifecycle (install, upgrade, and patch) sufficient storage to
Manager appliance by 100 GB. and content management. accommodate this increase.
The life cycle management of vRealize Suite Lifecycle Manager involves the process of
performing patch updates, upgrades, or product support packs to vRealize Suite Lifecycle
Manager.
In this design, the life cycle management of vRealize Suite Lifecycle Manager is performed by
using SDDC Manager.
The design of the SDDC Manager instance is covered in the Architecture and Design for the
Management Domain documentation. See SDDC Manager Detailed Design.
Table 2-31. Design Decisions on Life Cycle Management of vRealize Suite Lifecycle Manager
Decision ID Design Decision Design Justification Design Implication
VMware, Inc. 57
Architecture and Design for Cloud Operations and Automation
The native integration to vRealize Log Insight from vRealize Suite Lifecycle Manager provides the
ability to send logs from the service containers for aggregation and analysis, as necessary.
After you deploy vRealize Log Insight by using vRealize Suite Lifecycle Manager in VMware Cloud
Foundation mode, SDDC Manager updates the vRealize Log Insight liagent.ini file and
configures the vRealize Suite Lifecycle Manager logging to vRealize Log Insight through the
ingestion API.
Table 2-32. Design Decisions on Logging for vRealize Suite Lifecycle Manager
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- Configure the vRealize Suite Allows logs from vRealize Suite None.
LCM-008 Lifecycle Manager to send logs Lifecycle Manager to be
to the vRealize Log Insight forwarded to a vRealize Log
cluster in Region A. Insight cluster.
SDDC-COM-CO- Communicate with vRealize Provides potential to configure Transmission traffic for logs is
LCM-009 Log Insight using the default disaster recovery of vRealize not secure.
Ingestion API (cfapi) port 9000 Suite Lifecycle Manager in the
with ssl=no. SDDC.
For information about the vRealize log Insight logging sources, see Logging Design for vRealize
Log Insight.
Data Protection and Backup Design for vRealize Suite Lifecycle Manager
To preserve the cloud operations services functionality when data or system loss occurs, the
design supports the use of data protection.
vRealize Suite Lifecycle Manager supports data protection through the creation of consistent
image-level backups, using backup software that is based on the vSphere Storage APIs - Data
Protection (VADP).
n vRealize Suite Lifecycle Manager has routed access to the VLAN-backed management
network through the NSX-T Data Center Tier-0 Gateway.
VMware, Inc. 58
Architecture and Design for Cloud Operations and Automation
n Routing to the VLAN-management network, virtual network segments, and external networks
are dynamic and are based on the Border Gateway Protocol (BGP).
Figure 2-7. Network Design of the vRealize Suite Lifecycle Manager Deployment
Region A Region B
(SFO - San Francisco) (LAX - Los Angeles)
172.16.11.0/24 172.17.11.0/24
VLAN: sfo01-m01-cl01-vds01-pg-mgmt VLAN: lax01-m01-cl01-vds01-pg-mgmt
192.168.11.0/24
xreg-m01-seg01
APP
OS
xreg-vrslcm01
VMware, Inc. 59
Architecture and Design for Cloud Operations and Automation
Table 2-33. Design Decisions on the Virtual Network Segments for vRealize Suite Lifecycle
Manager
Design Design
Decision ID Design Decision Justification Implication
SDDC-COM-CO- In Region A, place the vRealize Provides a consistent You must use an implementation
LCM-010 Suite Lifecycle Manager deployment model for in NSX-T Data Center to support
appliance on the cross-region management applications. this networking configuration.
virtual network segment, xreg-
m01-seg01.
IP Addressing Scheme
Allocate a statically assigned IP address and host name from the cross-region network segment
to the cross-region vRealize Suite Lifecycle Manager virtual appliance.
Table 2-34. Design Decisions on the IP Addressing for vRealize Suite Lifecycle Manager
Decision ID Design Decision Design Justification Design Implication
Name Resolution
The IP address of the cross-region vRealize Suite Lifecycle Manager appliance is associated with
a fully qualified name whose suffix is set to the root domain, rainpole.io.
Table 2-35. Design Decisions on Name Resolution for vRealize Suite Lifecycle Manager
Design Design
Decision ID Design Decision Justification Implication
SDDC-COM-CO- Configure forward and reverse vRealize Suite Lifecycle You must provide DNS records
LCM-012 DNS records for the vRealize Manager is accessible by using for the vRealize Suite Lifecycle
Suite Lifecycle Manager a fully qualified domain name Manager appliance.
appliance. instead of by using the IP
address only.
VMware, Inc. 60
Architecture and Design for Cloud Operations and Automation
Table 2-36. Design Decisions on Name Resolution for vRealize Suite Lifecycle Manager for a
Multi-Region SDDC
Design Design
Decision ID Design Decision Justification Implication
SDDC-COM-CO- For a dual-region SDDC, vRealize Suite Lifecycle As you scale from a single-
LCM-013 configure the DNS settings for Manager can resolve DNS from region to multi-region
the vRealize Suite Lifecycle regional DNS servers during a deployment, the DNS settings
Manager appliance in Region A planned migration or disaster the vRealize Suite Lifecycle
to use DNS servers in each recovery between regions. Manager appliance must be
region. updated.
Time Synchronization
vRealize Suite Lifecycle Manager depends on time synchronization.
Table 2-37. Design Decisions on Time Synchronization for vRealize Suite Lifecycle Manager
Design Design
Decision ID Design Decision Justification Implication
Table 2-38. Design Decisions on Time Synchronization for vRealize Suite Lifecycle Manager for a
Multi-Region SDDC
Design Design
Decision ID Design Decision Justification Implication
SDDC-COM-CO- For a dual-region SDDC, vRealize Suite Lifecycle As you scale from a single-
LCM-015 configure the NTP settings for Manager can query NTP from region to multi-region
the vRealize Suite Lifecycle regional NTP servers to deployment, the NTP settings on
Manager appliance in Region A synchronize time during a the vRealize Suite Lifecycle
to use NTP servers in each planned migration or disaster Manager appliance must be
region. recovery between regions. updated.
SDDC Life Cycle Operations Design for vRealize Suite Lifecycle Manager
To deploy the vRealize Suite products by using vRealize Suite Lifecycle Manager, you configure
product support, data centers, environment structures, and product specifications.
In this design, vRealize Suite Lifecycle Manager supports the following products:
VMware, Inc. 61
Architecture and Design for Cloud Operations and Automation
n vRealize Automation
Product Support
vRealize Suite Lifecycle Manager provides several methods to obtain and store product binaries
for the install, patch, and upgrade of the vRealize Suite products.
SDDC Manager synchronization When vRealize Suite Lifecycle Manager is in VMware Cloud Foundation
mode, product binaries are downloaded to SDDC Manager using the bundle
management feature. Once downloaded and verified, product binaries are
synchronized to vRealize Suite Lifecycle Manager. This ensures that only
binaries that are compatible with the VMware Cloud Foundation bill of
materials are made available for deployment.
Product upload n You can upload and discover product binaries to the vRealize Suite
Lifecycle Manager appliance. You first upload the product and patch
binaries directly to a folder on the appliance, for example, /data/upload,
or to an NFS share, then you discover and add the product binaries to
the repository.
n If you remove the individual product or patch binaries that are
discovered, vRealize Suite Lifecycle Manager removes the metadata from
the repository but you must manage the related file on the file system.
My VMware n You can integrate vRealize Suite Lifecycle Manager with My VMware to
access and download vRealize Suite product entitlements. This method
simplifies, automates, and organizes the repository.
n If you remove an individual product or patch binaries that are
downloaded from the My VMware integration, the vRealize Suite
Lifecycle Manager removes the related files and metadata from the
repository.
This design uses the SDDC Manager synchronization method to obtain and store product binaries
for the install, patch, and upgrade of the cross-region Workspace ONE Access and the vRealize
Suite products.
Table 2-40. Design Decisions on Product Support for vRealize Suite Lifecycle Manager
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- Download product bundles for n Allows product binaries for n Product binaries for install,
LCM-016 install, patch, and upgrade Workspace ONE Access patch, and upgrade are
using SDDC Manager and and vRealize Suite product transferred from SDDC
synchronize to vRealize Suite install, patch, and upgrade Manager to the vRealize
Lifecycle Manager. to be provided through Suite Lifecycle Manager
SDDC Manager. repository for registration.
n You can deploy and n Because you use the local
manage the design in an vRealize Suite Lifecycle
environment that does not Manager repository, product
allow access to the Internet binaries are transferred
or are dark sites. across the WAN during
product install, patch, and
upgrade across regions.
VMware, Inc. 62
Architecture and Design for Cloud Operations and Automation
Products are deployed by using vRealize Suite Lifecycle Manager constructs named
environments.
n Environment name
n Administrator email
n Administrator password
n Data center
An environment is a logical object that is mapped to a data center object in vRealize Suite
Lifecycle Manager. Each environment can contain only one instance of a vRealize Suite product.
For example, only one vRealize Log Insight cluster can exist in an environment. However, you can
use vRealize Suite Lifecycle Manager to deploy and scale-out this vRealize Log Insight cluster in
the environment to the required number of nodes.
VMware Cloud Foundation mode n Infrastructure details for the deployed products,
including vCenter Server, networking, DNS and NTP
information are retrieved from the SDDC Manager
inventory by vRealize Suite Lifecycle Manager.
n Successful deployment details are synchronized back
to the SDDC Manager inventory.
n Limited to one instance of each vRealize Suite product
The vRealize Suite Lifecycle Manager UI provides the following installation methods for
environment creation.
VMware, Inc. 63
Architecture and Design for Cloud Operations and Automation
You can deploy new vRealize Suite products to the SDDC environment or import existing product
deployments.
When you add one or more products to an environment, the parameters differ for new product
deployment and for an existing product import.
For example, for a new deployment, you can provide the following parameters:
You can deploy products by using a configuration file in JSON format. When using the API, the
JSON configuration file is provided as the payload for the environment specification.
VMware, Inc. 64
Architecture and Design for Cloud Operations and Automation
A data center is another logical object in vRealize Suite Lifecycle Manager to represent a
geographical or logical location for an organization. Management domain vCenter Server
instances are added to specific datacenters.
In this design, you create data centers and environments in vRealize Suite Lifecycle Manager to
manage the life cycle operations on the vRealize Suite products and to support the growth of the
SDDC.
Table 2-43. Logical Data Center to vCenter Server Mappings in vRealize Suite Lifecycle Manager
Logical Data Center vCenter Server Type Description
Region A Management domain vCenter Server in Supports the deployment of vRealize Log
Region A Insight in Region A. vRealize Log Insight has
instances across the SDDC, each instance is
designated to an SDDC region. You deploy
each instance using a separate logical
datacenter and environment.
Region B Management domain vCenter Server in Supports the deployment of vRealize Log
Region B Insight in Region B.
VMware, Inc. 65
Architecture and Design for Cloud Operations and Automation
Table 2-45. Design Decisions on Environment and Data Center Management in vRealize Suite
Lifecycle Manager
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- n Create a data center object You can deploy and manage None.
LCM-017 in vRealize Suite Lifecycle the integrated vRealize Suite
Manager for the cross- components across the SDDC
region SDDC solutions. as a group.
n Assign the management
domain vCenter Server
instance to the data center.
SDDC-COM-CO- n Create a data center object Supports deployment and You must manage a separate
LCM-018 in vRealize Suite Lifecycle management of vRealize Suite data center object for the
Manager for Region A. products that are region- products that are specific to
n Assign the management specific. each region.
domain vCenter Server
instance from Region A.
SDDC-COM-CO- Create a cross-region n Supports deployment and You can manage region-specific
LCM-020 environment in vRealize Suite management of the components, such as remote
Lifecycle Manager to support integrated vRealize Suite collectors, only in an
the deployment of: products across the SDDC environment that is cross-region.
n vRealize Operations regions as a group.
Manager analytics cluster n Enables the deployment of
nodes region-specific
n vRealize Operations remote components, such as
collectors vRealize Operations remote
collectors. In vRealize Suite
n vRealize Automation cluster
Lifecycle Manager, you can
nodes
deploy and manage
vRealize Operations remote
collector objects only in an
environment that contains
the associated cross-region
components.
VMware, Inc. 66
Architecture and Design for Cloud Operations and Automation
Table 2-46. Design Decisions on Environment and Data Center Management in vRealize Suite
Lifecycle Manager for a Multi-Region SDDC
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- For a dual-region SDDC, create Supports deployment and You must manage a separate
LCM-023 a data center object in vRealize management of vRealize Suite data center object for the
Suite Lifecycle Manager for products that are region- products that are specific to
Region B and assign the specific. each region.
management domain vCenter
Server instance in Region B to
this data center.
SDDC-COM-CO- For a dual-region SDDC, create Supports the deployment of an vRealize Lifecycle Manager
LCM-024 a region-specific environment instance of vRealize Log Insight supports only a single instance
for Region B in vRealize Suite in Region B. of each product when deploying
Lifecycle Manager to support in VMware Cloud Foundation
the deployment of: mode. This environment must be
n vRealize Log Insight deployed in standalone mode.
Information Security and Access Control Design for vRealize Suite Lifecycle
Manager
You protect the vRealize Suite Lifecycle Manager deployment by configuring authentication and
secure communication with the other components in the SDDC. You dedicate a service account
to the communication between vRealize Suite Lifecycle Manager and vCenter Server.
You use a custom role in vSphere with permissions to perform life cycle operations on vRealize
Suite components in the SDDC. A dedicated service account is assigned a custom role for
communication between vRealize Suite Lifecycle Manager and the vCenter Server instances in
the environment.
vRealize Suite Lifecycle Manager performs local authentication only for the default administrator
account, vcfadmin@local. To ensure accountability on user access, you enable authentication
with Workspace ONE Access. You can grant both users and groups access to vRealize Suite
Lifecycle Manager to perform tasks and initiate orchestrated operations, such as deployment and
upgrade of vRealize Suite components and content.
VMware, Inc. 67
Architecture and Design for Cloud Operations and Automation
Table 2-47. Design Decisions on Identity Management for vRealize Suite Lifecycle Manager
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- Enable integration between n vRealize Suite Lifecycle You must deploy and configure
LCM-025 vRealize Suite Lifecycle Manager must integrate Workspace ONE Access to
Manager and your corporate with a Workspace ONE establish the integration
identity source by using the Access instance before it between vRealize Suite Lifecycle
cross-region Workspace ONE can deploy vRealize Suite Manager and your corporate
Access instance. products. identity sources.
n Enables authentication,
including multi-factor, to
vRealize Suite Lifecycle
Manager by using your
corporate identity source.
n Enables authorization
through the assignment of
organization and cloud
services roles to enterprise
users and groups defined in
your corporate identity
source.
SDDC-COM-CO- Create a security group in your Streamlines the management n You must create the security
LCM-026 corporate directory services of vRealize Suite Lifecycle group outside of the SDDC
for the vRealize Suite Lifecycle Manager roles for users. stack.
Manager administrators, n You must set the desired
rainpole.io\ug-vrslcm-admins, directory synchronization
and synchronize the group in interval in Workspace ONE
the Workspace ONE Access Access to ensure that
configuration for vRealize Suite changes are available within
Lifecycle Manager. a reasonable period.
SDDC-COM-CO- Assign the enterprise group for Provides the following access You must maintain the life cycle
LCM-027 vRealize Suite Lifecycle control features: and availability of the security
Manager administrators, n Access to vRealize Suite group outside of the SDDC
rainpole.io\ug-vrslcm-admins, Lifecycle Manager stack.
the VCF role. administration is granted to
a managed set of
individuals that are
members of the security
group.
n You can introduce
improved accountability
and tracking organization
owner access to vRealize
Suite Lifecycle Manager.
VMware, Inc. 68
Architecture and Design for Cloud Operations and Automation
Table 2-47. Design Decisions on Identity Management for vRealize Suite Lifecycle Manager
(continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- Create a security group in your Streamlines the management n You must create the security
LCM-028 corporate directory services of vRealize Suite Lifecycle group outside of the SDDC
for the vRealize Suite Lifecycle Manager roles for users. stack.
Manager content managers, n You must set the desired
rainpole.io\ug-vrslcm-content- directory synchronization
managers, and synchronize the interval in Workspace ONE
group in the Workspace ONE Access to ensure that
Access configuration for changes are available within
vRealize Suite Lifecycle a reasonable period.
Manager.
SDDC-COM-CO- Assign the enterprise group for Provides the following access You must maintain the life cycle
LCM-029 vRealize Suite Lifecycle control features: and availability of the security
Manager content managers, n Access to vRealize Suite group outside of the SDDC
rainpole.io\ug-vrslcm-content- Lifecycle Manager content stack.
managers, the Content management is granted to
Release Manager role. a managed set of
The content management individuals that are
feature is out of scope for this members of the security
design. However, this design group.
accounts for the identity and n You can introduce
access management controls improved accountability
for the feature. and tracking organization
owner access to vRealize
Suite Lifecycle Manager.
SDDC-COM-CO- Create a security group in your Streamlines the management n You must create the security
LCM-030 corporate directory services of vRealize Suite Lifecycle group outside of the SDDC
for the vRealize Suite Lifecycle Manager roles for users. stack.
Manager content developers, n You must set the desired
rainpole.io\ug-vrslcm-content- directory synchronization
developers, and synchronize interval in Workspace ONE
the group in the Workspace Access to ensure that
ONE Access configuration for changes are available within
vRealize Suite Lifecycle a reasonable period.
Manager.
SDDC-COM-CO- Assign the enterprise group for Provides the following access You must maintain the life cycle
LCM-031 vRealize Suite Lifecycle control features: and availability of the security
Manager content developers, n Access to vRealize Suite group outside of the SDDC
rainpole.io\ug-vrslcm-content- Lifecycle Manager content stack.
developers, the Content development is granted to
Developer role. a managed set of
The content management individuals that are
feature is out of scope for this members of the security
design. However, this design group.
accounts for the identity and n You can an introduce
access management controls improved accountability
for the feature. and tracking organization
owner access to vRealize
Suite Lifecycle Manager.
VMware, Inc. 69
Architecture and Design for Cloud Operations and Automation
VMware, Inc. 70
Architecture and Design for Cloud Operations and Automation
Table 2-48. Design Decisions on Service Accounts for vRealize Suite Lifecycle Manager
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- Define a custom vCenter vRealize Suite Lifecycle You must maintain the
LCM-032 Server role, vRealize Suite Manager accesses vSphere permissions required by the
Lifecycle Manager to vSphere with the minimum set of custom role.
Integration, for vRealize Suite permissions that are required
Lifecycle Manager that has the to support the deployment and
minimum privileges required to upgrade of vRealize Suite
support the deployment and products in the design.
upgrade of vRealize Suite
products in the design.
SDDC-COM-CO- Configure a service account, Provides the following access You must maintain the life cycle
LCM-033 svc-vrslcm- control features: and availability of the service
vsphere@rainpole.io, in n vRealize Suite Lifecycle account outside of the SDDC
vCenter Server for application- Manager accesses vSphere stack.
to-application communication with the minimum set of
from vRealize Suite Lifecycle required permissions.
Manager to vSphere. n If there is a compromised
account, the accessibility in
the destination application
remains restricted.
n You can introduce
improved accountability in
tracking request-response
interactions between the
components of the SDDC.
SDDC-COM-CO- Assign global permissions for n vRealize Suite Lifecycle n All vCenter Server instances
LCM-034 the vRealize Suite Lifecycle Manager accesses vSphere must be in the same vSphere
Manager to vSphere service with the minimum set of domain.
account, svc-vrslcm- permissions that are n You must maintain the
vsphere@rainpole.io, in required to support the assignment of the service
vCenter Server using the deployment and upgrade account and the custom role
custom role, vRealize Suite of vRealize Suite products at a cluster level for each
Lifecycle Manager to vSphere in the design. management cluster instead
Integration. n Enables content of using global permissions.
management integration n If you do not plan to use the
with the vSphere Content content management feature
Library, if necessary. of vRealize Suite Lifecycle
Manager, you must set the
role on each workload
domain vCenter Server
instance to No Access to
ensure that the account
cannot communicate with
the workload domain.
VMware, Inc. 71
Architecture and Design for Cloud Operations and Automation
Table 2-49. Design Decisions on Password Management for vRealize Suite Lifecycle Manager
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- Rotate the root password on or The password for the root user You must manage the password
LCM-035 before 365 days post- account expires 365 days after rotation schedule for the root
deployment by using SDDC the initial deployment. user account in accordance with
Manager. your organization policies and
regulatory standards, as
applicable.
Table 2-50. Design Decisions on Certificates for vRealize Suite Lifecycle Manager
Design Design
Decision ID Design Decision Justification Implication
SDDC-COM-CO- Use SDDC Manager to replace Configuring a CA-signed Replacing the default certificates
LCM-036 the default self-signed certificate ensures that the with trusted CA-signed
certificate of vRealize Suite communication to the certificates from a certificate
Lifecycle Manager with a CA- externally facing Web UI and authority might increase the
signed certificate. API for vRealize Suite Lifecycle deployment preparation time as
Manager, and cross-product, is certificates requests are
encrypted. generated and delivered.
SDDC-COM-CO- Use a SHA-2 or higher The SHA-1 algorithm is Not all certificate authorities
LCM-037 algorithm when signing considered less secure and has support SHA-2.
certificates. been deprecated.
Passwords
vRealize Suite Lifecycle Manager stores passwords in the locker repository which are referenced
during life cycle operations on data centers, environments, products, and integrations.
VMware, Inc. 72
Architecture and Design for Cloud Operations and Automation
Table 2-51. Life Cycle Operations Use of Locker Passwords in vRealize Suite Lifecycle Manager
Life Cycle Operations Element Password Use
Data Centers vCenter Server credentials for a vRealize Suite Lifecycle Manager-to-vSphere
integration user, svc-vrslcm-vsphere@rainpole.io.
Products n Product administrator password, for example, the admin password for an
individual product.
n Product appliance password, for example, the root password for and
individual product.
Table 2-52. Design Decisions on Locker Passwords in vRealize Suite Lifecycle Manager
Design Design
Decision ID Design Decision Justification Implication
SDDC-COM-CO- Replace the default store You can reference specific n Password items in the locker
LCM-038 passwords in the locker passwords for use across life cannot be edited or deleted
repository for use by life cycle cycle operations elements, from the UI; however, they
operations. such as: can be deleted by using the
n vCenter Server registration API. You must register and
and updates (management use a new locker password
domain vCenter Server when rotating a password.
instances) n When using the API, you
n Environment creations must specify the locker ID
for the password to be used
n Product deployments and
in the JSON payload, for
updates
example,
n My VMware registration
locker:password:39e54078-
and updates
cefa-4979-
ac5b-989e986b7aa5:20191023-
svc-vrslcm-
vsphere@rainpole.io.
Certificates
vRealize Suite Lifecycle Manager stores certificates in the locker repository which can be
referenced during product life cycle operations. Externally provided certificates, such as
Certificate Authority-signed certificates, can be imported or certificates generated by the
vRealize Suite Lifecycle Manager appliance.
The certificate validity - such as the issued date, expiration date, time remaining - and certificate
details - such as the issuer, subject, and subject alternative names - are available for reference
along with the certificate health based on the expiration date. Additionally, you can review the
certificate reference to see where the certificate is in use across environments and products. As
certificates need to be replaced, such as with expiration or a cluster scale-out, the locker
provides the ability to replace certificates on referenced entities.
VMware, Inc. 73
Architecture and Design for Cloud Operations and Automation
Table 2-53. Design Decisions on Locker Certificates in vRealize Suite Lifecycle Manager
Design Design
Decision ID Design Decision Justification Implication
SDDC-COM-CO- Import Certificate Authority- n You can review the validity, When using the API, you must
LCM-039 signed certificates to the locker details, and the specify the locker ID for the
repository for product life cycle environment and certificate to be used in the
operations. deployment usage for the JSON payload.
certificate across the
vRealize products.
n You can reference and use
Certificate Authority-signed
certificates during product
life cycle operations, such
as deployment and
certificate replacement.
Licenses
vRealize Suite Lifecycle Manager stores licenses in the locker repository which can be referenced
during product life cycle operations. Licenses can be validated and added to repository directory
or imported through an integration with My VMware.
The license details - such as the issued date, expiration date, time remaining - and license details
- such as the type, quantity, unit, and expiration - are available for reference. Additionally, you
can review the license references to see where the license is in use across environments and
products. Because a license must be replaced, such as with workload domain expansion, the
locker provides the ability of a license replacement for an individual or all referenced entities.
Table 2-54. Design Decisions on Locker Licenses in vRealize Suite Lifecycle Manager
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- Import vRealize Suite product n You can review the validity, When using the API, you must
LCMCM-040 licenses to the locker details, and the specify the locker ID for the
repository for product life cycle environment and license to be used in the JSON
operations. deployment usage for the payload.
license across the vRealize
Suite products.
n You can reference and use
licenses during product life
cycle operations, such as
deployment and license
replacement.
VMware, Inc. 74
Architecture and Design for Cloud Operations and Automation
n Information Security and Access Control Design for vRealize Operations Manager
You protect the vRealize Operations Manager deployment by configuring authentication and
secure communication with the other components in the SDDC. A dedicated service account
is assigned a custom role for communication between vRealize Operations Manager and the
management solutions in the data center.
VMware, Inc. 75
Architecture and Design for Cloud Operations and Automation
Region A
Access
vCenter
Remote
Server
Primary Replica Collector 1
Storage
Devices
Remote
Integrations
Data 1 Data n Collector 2
vRealize Workspace
Automation ONE Access
Management Management
Packs Packs
vRealize Additional
Log Insight Solutions
Supporting Supporting
Infrastructure, Infrastructure,
shared Storage, shared Storage,
AD, DNS, NTP AD, DNS, NTP
SMTP SMTP
Management
Packs Workspace
ONE Access
Suite API
Additional
Solutions
The vRealize Operations Manager logical components include an analytics cluster, remote
collectors groups, and metric adapters.
The remote collectors ease scalability by performing the data collection from the region-specific
applications, and periodically sending collected data to the analytics cluster. The remote
collectors communicate directly with the data nodes in the vRealize Operations Manager
analytics cluster.
VMware, Inc. 76
Architecture and Design for Cloud Operations and Automation
Remote collectors A group of two remote A group of two remote In each region, a group of
collector nodes. collector nodes. two remote collector nodes.
Metric adapters n NSX-T Data Center n NSX-T Data Center Adapters in Region A only:
n vCenter Server n vCenter Server n Workspace ONE Access
n vSAN n vSAN n vRealize Suite Lifecycle
n Storage devices n Storage devices Manager
VMware, Inc. 77
Architecture and Design for Cloud Operations and Automation
In the design, you deploy the vRealize Operations Manager analytics cluster nodes on the first
vSphere cluster in the management domain in Region A. You deploy the vRealize Operations
Manager remote collector nodes on the first vSphere cluster in the management domain in the
region. With this configuration, you can centrally manage monitoring across the entire SDDC.
The SDDC can comprise multiple regions and multiple availability zones.
You place the vRealize Operations Manager instance in Region A, on a specific virtual network
segment. This provides a consistent deployment model for management applications, and
supports growth to a dual-region design.
To accomplish this design objective, you deploy or reuse the following components to deploy
this operations management solution for the SDDC:
n SDDC Manager
SDDC-COM-CO-MON-001 Deploy vRealize Operations n Provides the scale You must identically size all
Manager as a cluster of capacity required for nodes which increases the
three nodes - one primary, monitoring of up to resource requirements in the
one primary replica, and 10,000 virtual SDDC.
one data node, on the first machines.
cluster in the management n Supports scale-up with
domain in Region A. additional data nodes.
SDDC-COM-CO-MON-002 Deploy two remote Removes the load from the You must assign a collector
collector nodes on the first analytics cluster from group when configuring the
cluster in the management collecting metrics from monitoring of a solution.
domain in Region A. region-specific applications.
VMware, Inc. 78
Architecture and Design for Cloud Operations and Automation
SDDC-COM-CO-MON-003 Use vRealize Suite Lifecycle Allows vRealize Suite You must deploy vRealize
Manager to deploy vRealize Lifecycle Manager the Suite Lifecycle Manager.
Operations Manager. ability to provide life cycle
management of vRealize
Operations Manager.
vRealize Operations
Manager install bundle is
synced from SDDC
Manager ensuring
interoperability with
VMware Cloud Foundation.
When vRealize Suite
Lifecycle Manager is in
VMware Cloud Foundation
mode, during the
deployment, SDDC
Manager configures the
load balancer for the
analytics cluster.
SDDC-COM-CO-MON-005 Apply vSphere Distributed Using vSphere DRS n You must perform
Resource Scheduler (DRS) prevents the vRealize additional configuration
anti-affinity rules to the Operations Manager to set up an anti- affinity
vRealize Operations analytics cluster nodes rule.
Manager analytics cluster. from running on the same n If additional data nodes
ESXi host and risking the are added, you must
high availability of the update the anti-affinity
cluster. rule.
n You can put in
maintenance mode only
a single ESXi host at a
time in a management
cluster of four ESXi
hosts.
SDDC-COM-CO-MON-006 Apply vSphere Distributed Using vSphere DRS You must perform additional
Resource Scheduler (DRS) prevents the vRealize configuration to set up an
anti-affinity rules to the Operations Manager anti- affinity rule.
vRealize Operations remote collector nodes
Manager remote collector from running on the same
group. ESXi host and risking the
high availability of the
cluster.
VMware, Inc. 79
Architecture and Design for Cloud Operations and Automation
SDDC-COM-CO-MON-007 Place the cross-region Provides organization of You must create the virtual
vRealize Operations the vRealize Operations machine folder.
Manager nodes in a Manager nodes in the
dedicated virtual machine management domain
folder in Region A, xreg- inventory.
m01-fd-vrops.
SDDC-COM-CO-MON-008 Place the region-specific Provides organization of You must create the virtual
vRealize Operations the vRealize Operations machine folder.
Manager remote collector Manager Remote Collector
nodes in Region A in a nodes in the management
dedicated virtual machine domain inventory.
folder, sfo-m01-fd-vropsrc.
Table 2-57. Design Decisions on Deployment for vRealize Operations Manager in Multiple
Availability Zones
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-009 When using two availability Ensures that, by default, If vRealize Operations
zones in Region A, add the the vRealize Operations Manager is deployed after
vRealize Operations Manager virtual appliance is the creation of the stretched
Manager nodes to the powered on within the cluster for management
primary availability zone primary availability zone domain availability zones,
VM group, sfo-m01- hosts group. the VM group for the
cl01_primary-az-vmgroup. primary availability zone
virtual machines must be
updated to include the
vRealize Operations
Manager nodes.
VMware, Inc. 80
Architecture and Design for Cloud Operations and Automation
Table 2-58. Design Decisions on Deployment for vRealize Operations Manager for a Multi-Region
SDDC
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-010 For a dual-region SDDC, Removes the load from the You must assign a collector
deploy two remote analytics cluster from group when configuring the
collector nodes on the first collecting metrics from monitoring of a solution.
cluster in the management region-specific applications.
domain in each region.
Deploying three medium-size nodes satisfies the requirement for retention and for monitoring the
expected number of objects and metrics based on the following assumptions.
10,000 12,500
You allocate storage capacity for analytics data collected from the management products and
from the number of tenant virtual machines that are defined in the objectives of this SDDC
design.
This design uses medium-size nodes for the analytics cluster and standard-size nodes for the
remote collector group. To collect the required number of metrics, you must add a virtual disk
with the size of 1 TB to each analytics cluster node.
Table 2-60. vRealize Operations Manager Analytics Cluster CPU, Memory, and Storage
Resources
Attribute Per Appliance Cluster Deployment
vCPUs 8 24
Memory 32 GB 96 GB
Additional Storage 1 TB 3 TB
VMware, Inc. 81
Architecture and Design for Cloud Operations and Automation
Unlike the analytics cluster nodes, remote collector nodes have only the collector role. Deploying
two remote collector nodes in the region does not increase the capacity for monitored objects.
Table 2-61. vRealize Operations Manager Remote Collector CPU, Memory, and Storage
Resources
Attribute Appliance
CPU 2 vCPUs
Memory 4 GB
VMware, Inc. 82
Architecture and Design for Cloud Operations and Automation
SDDC-COM-CO-MON-012 Deploy each node in the n If you use fewer large- ESXi hosts in the
analytics cluster as a size vRealize management cluster must
medium-size appliance. Operations Manager have physical CPUs with a
nodes, you must minimum of 8 cores per
increase the minimum socket. In total, vRealize
host memory size to Operations Manager uses 24
handle the increased vCPUs and 96 GB of
performance that is the memory in the management
result from stretching cluster.
NUMA node When you exceed 12,500
boundaries. objects, you must scale up
n Provides enough the analytics cluster
capacity for the metrics appliance size using vRealize
and objects generated Suite Lifecycle Manager.
by up to 12,500 objects
while having high
availability in the
analytics cluster
enabled. Metrics are
collected from the
following components:
n vCenter Server
instances
n ESXi hosts
n NSX-T Data Center
components
n vRealize
Automation
n vRealize Log Insight
n Storage Array and
data center
infrastructure
SDDC-COM-CO-MON-013 If the number of SDDC Ensures that the analytics n The capacity of the
objects exceeds 12,500, cluster has enough physical ESXi hosts must
scale up the analytics capacity to meet the SDDC be enough to
cluster appliance size using object and metric growth. accommodate virtual
vRealize Suite Lifecycle machines that require 32
Manager. GB RAM without bridging
NUMA node boundaries.
n The management cluster
must have enough ESXi
hosts so that vRealize
Operations Manager can
run according to vSphere
DRS anti-affinity rules.
n The number of nodes
must not exceed
number_of_ESXi_hosts
in_the_management_cluste
r - 1.
VMware, Inc. 83
Architecture and Design for Cloud Operations and Automation
SDDC-COM-CO-MON-015 Deploy each remote n Enables metric You must provide 4 vCPUs
collector node as a collection for the and 8 GB of memory in the
standard-size appliance. expected number of management cluster in each
objects in the SDDC region.
when at full capacity.
n Remote collectors do
not perform analytics
operations or store
data on disk, therefore
no additional storage is
required.
Life cycle management of vRealize Operations Manager involves the process of performing patch
updates or upgrades to the vRealize Operations Manager analytics cluster and remote collector
nodes.
Table 2-63. Design Decisions on Life Cycle Management of vRealize Operations Manager
Decision ID Design Decision Design Justification Design Implication
VMware, Inc. 84
Architecture and Design for Cloud Operations and Automation
The native integration to vRealize Log Insight from vRealize Operations provides the ability to
send logs for aggregation and analysis, as needed.
After you deploy vRealize Log Insight by using vRealize Suite Lifecycle Manager in VMware Cloud
Foundation mode, SDDC Manager updates the vRealize Log Insight liagent.ini file and
configures the vRealize Operations Manager logging to vRealize Log Insight through the ingestion
API.
SDDC-COM-CO-MON-018 Communicate with the Supports disaster recovery Transmission traffic for logs
vRealize Log Insight using of vRealize Operations is not encrypted.
the default Ingestion API Manager in the SDDC.
(cfapi) port 9000 and During the failover, the
ssl=no. DNS records for vRealize
Log Insight in Region A are
updated to redirect to the
instance in Region B to
ensure the log collection
remains operational. The
ssl=no setting must be
used when there is a
certificate mismatch post
failover.
For information about configuring the vRealize Log Insight agent for the vRealize Operations
Manager, see Logging Design for vRealize Log Insight.
VMware, Inc. 85
Architecture and Design for Cloud Operations and Automation
SDDC-COM-CO-MON-020 Configure the correct Ensures accurate costing in The currency cannot be
currency in the vRealize the correct currency. changed after the initial
Operations Manager global configuration.
options.
vRealize Operations Manager supports data protection through the creation of consistent image-
level backups by using backup software that is based on the vSphere Storage APIs - Data
Protection (VADP).
n The vRealize Operations Manager analytics cluster is deployed on the same network as the
cross-region Workspace ONE Access, vRealize Automation, and vRealize Suite Lifecycle
Manager to provide a consistent deployment model for management applications.
VMware, Inc. 86
Architecture and Design for Cloud Operations and Automation
n The vRealize Operations Manager remote collector groups are deployed together on the
same network in each region. This configuration ensures collection of metrics locally per
region if there is a cross-region network outage. Using the region-specific virtual network
segment co-locates metric collection with the region-specific applications.
n vRealize Operations Manager has routed access to the VLAN-backed management network
through the NSX-T Data Center Tier-0 Gateway.
n Routing to the VLAN-management network, virtual network segments, and external networks
is dynamic and is based on the Border Gateway Protocol (BGP).
VMware, Inc. 87
Architecture and Design for Cloud Operations and Automation
Region A Region B
(SFO - San Francisco) (LAX - Los Angeles)
172.16.11.0/24 172.17.11.0/24
VLAN: sfo01-m01-cl01-vds01-pg-mgmt VLAN: lax01-m01-cl01-vds01-pg-mgmt
xreg-m01-seg01 192.168.11.0/24
Analytics Cluster
Region A
In a multi-region SDDC, the region-specific and cross-region virtual network segments are
connected to the management networks in each region through the NSX-T global Tier-0 and
Tier-1 gateways.
VMware, Inc. 88
Architecture and Design for Cloud Operations and Automation
Table 2-67. Design Decisions on the Virtual Network Segments for vRealize Operations Manager
Decision ID Design Decision Design Justification Design Implication
Table 2-68. Design Decisions on the Virtual Network Segments for vRealize Operations Manager
for a Multi-Region SDDC
Decision ID Design Decision Design Justification Design Implication
IP Addressing
Allocate a statically assigned IP address and host name from the cross-region network segment
to the vRealize Operations Manager analytics cluster virtual appliances, and a statically assigned
IP address and host name from each region-specific network segment to the vRealize Operations
Manager remote collector virtual appliances.
VMware, Inc. 89
Architecture and Design for Cloud Operations and Automation
Table 2-69. Design Decisions on the IP Addressing for vRealize Operations Manager
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-024 Allocate statically assigned Using statically assigned IP Requires precise IP address
IP addresses and host addresses ensures stability management.
names from the cross- across the SDDC and
region network segment to makes it simpler to maintain
the vRealize Operations and easier to track.
Manager analytics cluster
nodes and the NSX-T Data
Center load balancer.
SDDC-COM-CO-MON-025 Allocate statically assigned Using statically assigned IP Requires precise IP address
IP addresses and host addresses ensures stability management.
names from the region- across the SDDC and
specific network segment makes it simpler to maintain
in Region A, to the vRealize and easier to track.
Operations Manager
remote collector nodes.
Table 2-70. Design Decisions on the IP Addressing for vRealize Operations Manager for a Multi-
Region SDDC
Decision ID Design Decision Design Justification Design Implication
Name Resolution
The FQDNs of the vRealize Operations Manager nodes follow a certain domain name resolution:
n The IP addresses of the analytics cluster nodes and a load balancer virtual IP address (VIP)
are associated with names whose suffix is set to the root domain, rainpole.io.
From the public network, users access vRealize Operations Manager by using the VIP
address, the traffic to which is handled by an NSX-T Data Center Tier-0 gateway providing
the load balancer services.
n The IP addresses of the remote collector group nodes are associated with names whose
suffix is set to the region-specific domain, sfo.rainpole.io.
VMware, Inc. 90
Architecture and Design for Cloud Operations and Automation
Table 2-71. Design Decisions on Name Resolution for vRealize Operations Manager
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-027 Configure forward and All nodes are accessible by You must provide DNS
reverse DNS records for all using fully qualified domain records for the vRealize
vRealize Operations names instead of by using Operations Manager nodes.
Manager nodes and for the IP addresses only.
NSX-T Data Center load
balancer virtual IP address.
Note The design uses an Active Directory forest with two regional Active Directory child
domains, so the examples use a hierarchical DNS name space. However, the design supports the
use of a flat DNS name space.
When using multiple regions, the IP addresses of the remote collector group nodes are
associated with names whose suffix is set to the region-specific domain, lax.rainpole.io.
Table 2-72. Design Decisions on Name Resolution for vRealize Operations Manager for a Multi-
Region SDDC
Decision ID Design Decision Design Justification Design Implication
Load Balancing
A vRealize Operations Manager cluster deployment requires a load balancer to manage
connections to vRealize Operations Manager. The design uses load-balancing services provided
by NSX-T Data Center in the management domain. The load balancer is automatically configured
by vRealize Suite Lifecycle Manager and SDDC Manager during the deployment of vRealize
Operations Manager.
VMware, Inc. 91
Architecture and Design for Cloud Operations and Automation
Table 2-73. Design Decisions on Load Balancing for vRealize Operations Manager
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-029 Use the small-size load Required to deploy a You must use the NSX-T
balancer that is configured vRealize Operations Data Center load balancer
by SDDC Manager on a Manager analytics cluster that is configured by SDDC
dedicated NSX-T Data deployment type with Manager to support this
Center Tier-1 Gateway in distributed user interface network configuration.
the management domain to access across members.
load balance the cross-
region Workspace ONE
Access cluster, to also load
balance connections across
the vRealize Operations
Manager analytics cluster
members.
VMware, Inc. 92
Architecture and Design for Cloud Operations and Automation
Table 2-73. Design Decisions on Load Balancing for vRealize Operations Manager (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-031 n Use the NSX-T Data n The LEAST_CONNECTION When the level of
Center load balancer option distributes connections exceeds the
server pool, vrops- requests to members maximum number that the
server-pool, for based on the number of vRealize Operations
vRealize Operations current connections. Manager analytics cluster
Manager to use the New connections are can accept, connections
LEAST_CONNECTION sent to the vRealize might be dropped.
algorithm. Operations Manager
n The SNAT translation analytics cluster pool
mode is set to Auto Map member with the
Mode for the pool. fewest connections.
VMware, Inc. 93
Architecture and Design for Cloud Operations and Automation
Table 2-73. Design Decisions on Load Balancing for vRealize Operations Manager (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-034 n Use the NSX-T Data The virtual server receives None.
Center load balancer all the client connections
virtual server, vrops- and distributes them
https, for vRealize among the vRealize
Operations Manager to Operations analytics cluster
use the L4 TCP type pool members based on
and port 443. the state of those pool
n An IP address is set for members.
the virtual server.
n The persistence for the
virtual server is set to
Source IP.
n The source IP for the
virtual server is set to
vrops-source-ip-
persistence-profile.
n The application profile
is set to vrops-tcp-app-
profile.
n The server pool for the
vRealize Operations
Manager server pool is
set to vrops-server-
pool.
VMware, Inc. 94
Architecture and Design for Cloud Operations and Automation
Table 2-73. Design Decisions on Load Balancing for vRealize Operations Manager (continued)
Decision ID Design Decision Design Justification Design Implication
Time Synchronization
Time synchronization provided by the Network Time Protocol (NTP) is important to ensure that
all components within the SDDC are synchronized to the same time source. Configure the
vRealize Operations Manager nodes with time synchronization using an internal NTP time source.
VMware, Inc. 95
Architecture and Design for Cloud Operations and Automation
Table 2-74. Design Decisions on Time Synchronization for vRealize Operations Manager
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-039 Configure the timezone of You must use UTC to If you are in a timezone
vRealize Operations enable the integration with other than UTC, timestamps
Manager to use UTC. vRealize Automation, appear skewed.
because vRealize
Automation supports only
UTC.
Table 2-75. Design Decisions on Time Synchronization for vRealize Operations Manager for a
Multi-Region SDDC
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-040 For a dual-region SDDC, vRealize Operations As you scale from a single-
configure the NTP settings Manager can query NTP region to multi-region
for the vRealize Operations from regional NTP servers deployment, the NTP
Manager analytics cluster to synchronize time during settings on the vRealize
nodes to use the NTP a planned migration or Operations Manager
servers in each region. disaster recovery between analytics cluster nodes must
regions. be updated.
n vCenter Server
n vSAN
n Storage devices
n vRealize Automation
VMware, Inc. 96
Architecture and Design for Cloud Operations and Automation
Administrative Alerts
vRealize Operations Manager displays the following administrative alerts:
Log Insight log event The infrastructure on which vRealize Operations Manager is
running has low-level issues. You can also use the log
events for root cause analysis.
Custom dashboard vRealize Operations Manager can show super metrics for
data center monitoring, capacity trends, and single pane of
glass overview.
Cloud Accounts
You use cloud accounts to add cloud endpoints as adapter instances to enable vRealize
Operations Manager to communicate with them. vRealize Operations Manager can collect data
from the following private and public cloud accounts:
Public cloud accounts are supported but out of scope in this design.
VMware, Inc. 97
Architecture and Design for Cloud Operations and Automation
SDDC-COM-CO-MON-041 Configure a vCenter Server Enables integration and You must configure a service
cloud account for each data collection of all account for application-to-
vCenter Server instance in vCenter Server instances in application communication
the SDDC. the SDDC in vRealize from vRealize Operations
Operations Manager. Manager to vSphere.
SDDC-COM-CO-MON-044 Enable the vSAN Enables integration and You must configure a service
integration in the vCenter data collection of all vSAN account for application-to-
Server cloud accounts. instances in the SDDC in application communication
vRealize Operations from the vSAN adapters in
Manager. vRealize Operations
Manager to vSphere.
For information about the design decisions on service accounts for vCenter Server cloud
accounts, see Service Accounts Design for vRealize Operations Manager.
Table 2-80. Design Decisions on Cloud Accounts in vRealize Operations Manager for a Multi-
Region SDDC
Design Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-045 For a dual-region SDDC, Enables integration and You must configure a service
configure a vCenter Server data collection of all account for application-to-
cloud account for each vCenter Server instances in application communication
vCenter Server instance in the SDDC in vRealize from vRealize Operations
Region B. Operations Manager. Manager to vSphere.
SDDC-COM-CO-MON-046 For a dual-region SDDC, vRealize Operations You must configure the
connect each workload Manager is integrated with cloud account manually.
domain in region B to SDDC Manager only in
vRealize Operations Region A.
Manager manually.
VMware, Inc. 98
Architecture and Design for Cloud Operations and Automation
Table 2-80. Design Decisions on Cloud Accounts in vRealize Operations Manager for a Multi-
Region SDDC (continued)
Design Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-048 For a dual-region SDDC, Enables integration and You must configure a service
enable the vSAN data collection of all vSAN account for application-to-
integration in the vCenter instances in the SDDC in application communication
Server cloud accounts in vRealize Operations from the vSAN adapters in
Region B. Manager. vRealize Operations
Manager to vSphere.
Direct Integrations
vRealize Operations Manager includes direct integration with vRealize Automation and vRealize
Log Insight. These integrations provide the following functionality:
VMware, Inc. 99
Architecture and Design for Cloud Operations and Automation
Table 2-82. Design Decision on Direct Integrations for vRealize Operations Manager
Design Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-049 Configure the vRealize n Enables the ability to You must manage the
Automation integration in share common password life cycle of this
vRealize Operations constructs such as endpoint.
Manager. cloud accounts, cloud
zones, and projects
across vRealize
Operations Manager
and vRealize
Automation.
n Enables the ability to
understand the
deployment cost:
n Evaluate upfront
costs on vRealize
Automation.
n Monitor ongoing
costs per virtual
machine,
deployment, or
project.
SDDC-COM-CO-MON-051 Configure the vRealize Log n Enables Logs tab in You must manage the
Insight integration in vRealize Operations password life cycle of this
vRealize Operations Manager endpoint.
Manager. n Enables Troubleshoot
with the Logs
dashboard
n Enables vRealize Log
Insight launch in
context from vRealize
Operations Manager
For information about the design decisions on service accounts for direct integration of vRealize
Operations Manager with vRealize Automation, see Service Accounts Design for vRealize
Operations Manager.
For information about the integration of vRealize Log Insight with vRealize Operations Manager,
see Integration of vRealize Log Insight with vRealize Operations Manager.
Management Packs
You install and activate management packs for vRealize Operations Manager to enable collecting
data from or sending data to the target system.
Table 2-83. Design Decision on Management Packs for vRealize Operations Manager
Design Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-053 Install the Storage Devices Enables vRealize You must install the
management pack for Operations Manager to management pack manually.
vRealize Operations communicate with storage
Manager. devices and arrays.
SDDC-COM-CO-MON-054 Install the Workspace ONE Enables vRealize None. The management
Access management pack Operations Manager to pack is installed by SDDC
for vRealize Operations communicate with Manager
Manager. Workspace ONE Access
endpoints.
For information about the design decisions on service accounts for the vRealize Operations
Manager management packs, see Service Accounts Design for vRealize Operations Manager.
Users can authenticate to vRealize Operations Manager by using the following account types:
Imported from an LDAP database Users can use their LDAP credentials to log in to vRealize
Operations Manager.
Integrated with Workspace ONE Access Specified users and groups from upstream identity sources
are synchronized to vRealize Operations Manager through
Workspace ONE Access.
vCenter Server user accounts After a vCenter Server instance is registered with vRealize
Operations Manager, the following vCenter Server users
can log in to vRealize Operations Manager:
n Users that have administration access in vCenter
Server.
n Users that have one of the vRealize Operations
Manager privileges, such as PowerUser, assigned to
the account which appears at the root level in vCenter
Server.
Local user accounts in vRealize Operations Manager vRealize Operations Manager performs local authentication
using the account information stored in its global database.
This design uses Workspace ONE Access for identity management and access control. You
enable authentication using Workspace ONE Access to ensure accountability on user access.
You can grant both users and groups access to vRealize Operations Manager to perform tasks,
such as creating and viewing dashboards.
Table 2-85. Design Decision on Identity Management for vRealize Operations Manager
Design Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-057 Enable vRealize Operations Allows authentication, You must deploy and
Manager integration with including multi-factor, to configure Workspace ONE
your corporate identity vRealize Operations Access to establish the
source by using Workspace Manager by using your integration between vRealize
ONE Access. corporate identity source. Operations Manager and
Allows authorization your corporate identity
through the assignment of sources.
organization and cloud
services roles to enterprise
users and groups defined in
your corporate identity
source.
SDDC-COM-CO-MON-058 Create a security group in Streamlines the You must create the security
your corporate directory management of vRealize group outside of the SDDC
services for the vRealize Operations Manager roles stack.
Operations Manager for users.
Administrator role,
rainpole.io\ug-vrops-
admins, and synchronize
the group in the
Workspace ONE Access
configuration for vRealize
Operations Manager.
SDDC-COM-CO-MON-059 Assign the enterprise Provides the following You must maintain the life
group for vRealize access control features: cycle and availability of the
Operations Manager n Access to vRealize security group outside of the
administrators, rainpole.io Operations Manager SDDC stack.
\ug-vrops-admins, the administration is
Administrator role. granted to a managed
set of individuals that
are members of the
security group.
n You can introduce
improved accountability
and tracking
organization owner
access to vRealize
Operations Manager.
SDDC-COM-CO-MON-060 Create a security group in Streamlines the You must create the security
your corporate directory management of vRealize group outside of the SDDC
services for the vRealize Operations Manager roles stack.
Operations Manager for users.
ContentAdmin
role,rainpole.io\ug-vrops-
content-admins, and
synchronize the group in
the Workspace ONE
Access configuration for
vRealize Operations
Manager.
Table 2-85. Design Decision on Identity Management for vRealize Operations Manager
(continued)
Design Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-061 Assign the enterprise Provides the following You must maintain the life
group for vRealize access control features: cycle and availability of the
Operations Manager n Access to the vRealize security group outside of the
content administrators, Operations Manager SDDC stack.
rainpole.io\ug-vrops- user interface is
content-admins, the granted to a managed
ContentAdmin role. set of individuals that
are members of the
security group.
n You can introduce
improved accountability
and tracking
organization owner
access to vRealize
Operations Manager.
SDDC-COM-CO-MON-062 Create a security group in Streamlines the You must create the security
your corporate directory management of vRealize group outside of the SDDC
services for the vRealize Operations Manager roles stack.
Operations Manager for users.
ReadOnly role, rainpole.io
\ug-vrops-read-only, and
synchronize the group in
the Workspace ONE
Access configuration for
vRealize Operations
Manager.
SDDC-COM-CO-MON-063 Assign the enterprise Provides the following You must maintain the life
group for vRealize access control features: cycle and availability of the
Operations Manager read- n Access to the vRealize security group outside of the
only users, rainpole.io\ug- Operations Manager SDDC stack.
vrops-read-only, the user interface is
ReadOnly role. granted to a managed
set of individuals that
are members of the
security group.
n You can introduce
improved accountability
and tracking
organization owner
access to vRealize
Operations Manager.
Table 2-86. Design Decisions on Service Accounts for the vCenter Server Cloud Accounts in
vRealize Operations Manager
Design Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-064 Define a custom vCenter vRealize Operations You must maintain the
Server role for vRealize Manager accesses vSphere permissions required by the
Operations Manager that with the minimum set of custom role.
has the minimum privileges permissions that are
required to support required to support
collecting metrics and performing actions against
performing actions against vSphere endpoints across
vSphere endpoints across the SDDC.
the SDDC, vRealize
Operations to vSphere
Integration – Actions.
SDDC-COM-CO-MON-065 Configure a service account Provides the following n You must maintain the
in vCenter Server with access control features: life cycle and availability
global permissions, for n The adapters in of the service account
application-to-application vRealize Operations outside of the SDDC
communication from Manager access stack.
vRealize Operations vSphere with the n All vCenter Server
Manager to vSphere, svc- minimum set of instances must be in the
vrops- permissions that are same vSphere domain.
vsphere@rainpole.io, and required to collect
assign the actions custom metrics and perform
role, vRealize Operations permitted actions.
to vSphere Integration – n In the event of a
Actions. compromised account,
the accessibility in the
destination application
remains restricted.
n You can introduce
improved accountability
in tracking request-
response interactions
between the
components of the
SDDC.
n
SDDC-COM-CO-MON-066 Configure each vCenter Enables integration and You must manage the
Server cloud account to data collection of all password life cycle of this
use the vCenter Server vCenter Server instances in cloud account.
service account,svc-vrops- the SDDC in vRealize
vsphere@rainpole.io. Operations Manager.
Table 2-86. Design Decisions on Service Accounts for the vCenter Server Cloud Accounts in
vRealize Operations Manager (continued)
Design Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-067 Define a custom vCenter vRealize Operations You must maintain the
Server role for vRealize Manager accesses vSphere permissions required by the
Operations Manager that with the minimum set of custom role.
has the minimum privileges permissions that are
required to support required to support
collecting metrics from collecting metrics from
vSphere endpoints across vSphere endpoints across
the SDDC, vRealize the SDDC.
Operations to vSphere
Integration – Metrics.
SDDC-COM-CO-MON-068 Configure a service account Provides the following You must maintain the life
in vCenter Server with access control features: cycle and availability of the
global permissions, for n The adapters in service account outside of
application-to-application vRealize Operations the SDDC stack.
communication from the Manager access
vSAN adapters in vRealize vSphere with the
Operations Manager to minimum set of
vSphere, svc-vrops- permissions that are
vsan@rainpole.io, and required to collect
assign the metrics custom metrics about vSAN
role, vRealize Operations inventory objects.
to vSphere Integration – n In the event of a
Metrics. compromised account,
the accessibility in the
destination application
remains restricted.
n You can introduce
improved accountability
in tracking request-
response interactions
between the
components of the
SDDC.
SDDC-COM-CO-MON-069 Configure the vSAN Enables integration and You must manage the
integration in the vCenter data collection of all vSAN password life cycle of this
Server cloud account to instances in the SDDC in endpoint.
use the vSAN service vRealize Operations
account, svc-vrops- Manager.
vsan@rainpole.io.
Table 2-87. Design Decision on Service Accounts for Integration of vRealize Operations Manager
with vRealize Automation
Design Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-070 Create a service account, The service account is used You must maintain the life
svc-vrops-vra@rainpole.io, for application-to- cycle and availability of the
in the directory services application communication service account outside of
and ensure it is from vRealize Operations the SDDC stack.
synchronized in Workspace to vRealize Automation. You must maintain the
ONE Access. synchronization and
availability of the service
account in Workspace ONE
Access.
Table 2-88. Design Decision on Service Accounts for vRealize Operations Manager Management
Packs
Design Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-072 Create a service account, The service account is used n You must maintain the
svc-vrops-nsx@rainpole.io, for application-to- life cycle and availability
in the directory services application communication of the service account
and ensure it is from vRealize Operations outside of the SDDC
synchronized in Workspace Manager to NSX-T Data stack.
ONE Access. Center. n You must maintain the
synchronization and
availability of the service
account in Workspace
ONE Access.
SDDC-COM-CO-MON-073 Configure a service account n Provides the following You must maintain the life
in NSX-T Data Center for access control features: cycle and availability of the
application-to-application The adapters in service account outside of
communication from vRealize Operations the SDDC stack.
vRealize Operations Manager access NSX-T
Manager to NSX-T Data Data Center with the
Center, svc-vrops- minimum set of
nsx@rainpole.io, using the permissions that are
default NSX-T Data Center required for metric
Network Admin role. collection and topology
mapping.
n In the event of a
compromised account,
the accessibility in the
destination application
remains restricted.
n You can introduce
improved accountability
in tracking request-
response interactions
between the
components of the
SDDC.
SDDC-COM-CO-MON-074 Configure the endpoint of n Enables integration and You must manage the
the NSX-T management data collection of all password life cycle of this
pack for vRealize NSX-T instances in the endpoint.
Operations Manager to use SDDC in vRealize
svc-vrops-nsx@rainpole.io. Operations Manager.
Table 2-88. Design Decision on Service Accounts for vRealize Operations Manager Management
Packs (continued)
Design Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-MON-075 Configure a service account Provides the following You must maintain the life
in vCenter Server with access control features: cycle and availability of the
global permissions, for n The adapters in service account outside of
application-to-application vRealize Operations the SDDC stack.
communication from the Manager access
storage devices adapters in vSphere with the
vRealize Operations minimum set of
Manager to vSphere, svc- permissions that are
vrops-mpsd@rainpole.io, required to collect
and assign the metrics metrics about vSphere
custom role, vRealize inventory objects.
Operations to vSphere n In the event of a
Integration – Metrics. compromised account,
the accessibility in the
destination application
remains restricted.
n You can introduce
improved accountability
in tracking request-
response interactions
between the
components of the
SDDC.
SDDC-COM-CO-MON-076 Configure the endpoint of Enables integration and You must manage the
the Storage Devices data collection of all password life cycle of this
management pack for storage devices in the endpoint.
vRealize Operations SDDC in vRealize
Manager to use the Operations Manager.
Storage Devices service
account, svc-vrops-
mpsd@rainpole.io.
SDDC-COM-CO-MON-077 Configure a Workspace n Enables integration and You must manage the
ONE Access management data collection of all password life cycle of this
pack adapter instance for Workspace ONE endpoint.
each Workspace ONE Access instances in the
Access instance using the SDDC in vRealize
local system domain admin Operations Manager.
account. n Integration between
vRealize Operations
Manager and
Workspace ONE
Access is only
supported with the
local admin account.
Table 2-89. Design Decisions on Password Policy Settings for vRealize Operations Manager
Design Decision ID Design Decision Justification Implication
SDDC-COM-CO-MON-078 Rotate the root password The password for the root You must manage the
on or before 365 days post user account expires 365 password rotation schedule
deployment. days after the initial for the root user account in
deployment. accordance with your
corporate policies and
regulatory standards, as
applicable.
SDDC-COM-CO-MON-079 Rotate the admin password The password for the You must manage the
on or before 60 days post admin user account expires password rotation schedule
deployment. 60 days after the initial for the admin user account
deployment. in accordance with your
corporate policies and
regulatory standards, as
applicable.
SDDC-COM-CO-MON-081 Use a SHA-2 or higher The SHA-1 algorithm is Not all certificate authorities
algorithm when signing considered less secure and support SHA-2.
certificates. has been deprecated.
n Information Security and Access Control Design for vRealize Log Insight
You protect the vRealize Log Insight deployment by configuring the authentication and
secure communication with the other components in the SDDC. A dedicated service account
is assigned a custom role for communication between vRealize Log Insight and the
management solutions in the data center.
vRealize Log Insight collects logs to provide monitoring information about the SDDC from a
central location.
Region A Region B
Region-Specific Region-Specific
Workspace Access Access Workspace
ONE Access ONE Access
User Interface User Interface
vRealize
Operations
Manager Integration
vRealize vRealize
Log Insight Log Insight
vSphere vSphere
Integrated Integrated
Load Load
Balancer Balancer
Logging Clients Logging Clients
You deploy a vRealize Log Insight cluster configuration that consists of the following entities.
vRealize Log Insight users accessing the Web user interface or API, and clients ingesting logs
using syslog or the Ingestion API, connect to vRealize Log Insight by using the ILB address.
For isolation, you place the vRealize Log Insight on a specific virtual network segment.
In the design, you deploy the vRealize Log Insight nodes on the first vSphere cluster in the
management domain in each region.
The SDDC can comprise multiple regions and multiple availability zones.
vRealize Log Insight is distributed as an SDDC Manager bundle that is synchronized to vRealize
Suite Lifecycle Manager.
To accomplish the design objective of this design, you deploy or reuse the following components
to deploy this operations management solution for the SDDC:
n SDDC Manager
SDDC-COM-CO-LOG-001 Deploy vRealize Log Insight n Provides high n You must deploy a
in a cluster configuration of availability. minimum of three
three nodes with an n Using the integrated medium nodes.
integrated load balancer: load balancer prevents n You must size all nodes
one primary and two a single point of failure. identically.
worker nodes, on the first n Using the integrated n If the capacity of your
cluster in the management load balancer simplifies vRealize Log Insight
domain in Region A. the vRealize Log Insight cluster must expand,
deployment and identical capacity must
subsequent integration. be added to each node.
SDDC-COM-CO-LOG-002 Deploy vRealize Log Insight Allows vRealize Suite You must deploy vRealize
by using vRealize Suite Lifecycle Manager the Suite Lifecycle Manager.
Lifecycle Manager. ability to provide life cycle
management of vRealize
Log Insight.
SDDC-COM-CO-LOG-004 Apply vSphere Distributed Using vSphere DRS n You must perform
Resource Scheduler (DRS) prevents the vRealize Log additional configuration
anti-affinity rules to the Insight cluster nodes from to set up an anti- affinity
vRealize Log Insight cluster running on the same ESXi rule.
nodes. host and risking the high n You can put in
availability of the cluster. maintenance mode only
a single ESXi host at a
time in a management
cluster of four ESXi.
Table 2-93. Design Decisions on Deployment of vRealize Log Insight for Multiple Availability
Zones
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-LOG-006 When using two availability Ensures that, by default, If vRealize Log Insight is
zones in Region A, add the the vRealize Log Insight deployed after the creation
vRealize Log Insight nodes virtual appliance is of the stretched cluster for
to the primary availability powered on within the management domain
zone VM group, sfo-m01- primary availability zone availability zones, the VM
cl01_primary-az-vmgroup. hosts group. Group for the primary
availability zone virtual
machines must be updated
to include the vRealize Log
Insight virtual appliances.
Table 2-94. Design Decisions on Deployment of vRealize Log Insight for a Multi-Region SDDC
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-LOG-008 For a dual-region SDDC, Allows vRealize Suite n You must deploy
deploy vRealize Log Insight Lifecycle Manager the vRealize Suite Lifecycle
in Region B by using ability to provide life cycle Manager.
vRealize Suite Lifecycle management of vRealize n You must use a
Manager in Region A. Log Insight. standalone environment
type in vRealize Suite
Lifecycle Manager.
Table 2-94. Design Decisions on Deployment of vRealize Log Insight for a Multi-Region SDDC
(continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO-LOG-010 For a dual-region SDDC, Using vSphere DRS n You must perform
apply vSphere Distributed prevents the vRealize Log additional configuration
Resource Scheduler (DRS) Insight cluster nodes from to set up an anti- affinity
anti-affinity rules to the running on the same ESXi rule.
vRealize Log Insight cluster host and risking the high n You can put in
nodes in Region B. availability of the cluster. maintenance mode only
a single ESXi host at a
time in a management
cluster of four ESXi.
To accommodate log data from the products in the SDDC, you must correctly size the compute
resources and storage for the Log Insight nodes. For a detailed sizing guidance, see the vRealize
Log Insight sizing calculator at https://kb.vmware.com/s/article/60355.
By default, the vRealize Log Insight appliance uses the predefined values for medium
configurations.
To collect and store log data from the SDDC management components and tenant workloads
according to the objectives of this design, select the appropriate size for the vRealize Log Insight
nodes.
Table 2-95. Compute Resources for vRealize Log Insight per Region
Attribute Per Appliance Per Cluster
Memory 16 GB 48 GB
IOPS 1,000
Sizing is usually based on the organization requirements. This design provides calculations that
are based on a single-region implementation. This sizing is calculated according to the following
logging sources in the region:
ESXi hosts
ESXi hosts
The expected number of logging sources across two regions requires approximately 160 GB of
storage per node. Based on this example, the storage space that is allocated per medium-size
vRealize Log Insight appliance is sufficient to monitor a dual-region SDDC.
SDDC-COM-CO-LOG-012 Deploy each node in the Accommodates the You must increase the size
vRealize Log Insight cluster expected approximately of the nodes if you configure
as a medium-size 200 syslog and vRealize vRealize Log Insight to
appliance. Log Insight agent monitor additional syslog
connections from the sources.
following sources:
n Management domain
and Workload domain
vCenter Server
instances
n Management ESXi
hosts, and shared edge
and workload ESXi
hosts
n Management and
workload components
of NSX-T Data Center
n Workload domain
components of NSX-T
Data Center
n Region-specific
Workspace ONE
Access
n Cross-region
Workspace ONE
Access
n SDDC Manager
n vRealize Suite Lifecycle
Manager
n vRealize Automation
components
n vRealize Operations
Manager components
n vRealize Log Insight
event forwarding
between regions.
Using medium-size nodes
ensures that the storage
space for the vRealize Log
Insight cluster is sufficient
for 7 days of data
retention.
Life cycle management of vRealize Log Insight involves the process of performing patch updates
or upgrades to the vRealize Log Insight cluster.
In this design, life cycle management in the first region is performed by using SDDC Manager.
Table 2-98. Design Decisions on Life Cycle Management of vRealize Log Insight
Decision ID Design Decision Design Justification Design Implication
Table 2-99. Design Decisions on Life Cycle Management of vRealize Log Insight in a Multi-Region
SDDC
Decision ID Design Decision Design Justification Design Implication
Each vRealize Log Insight appliance has three default virtual disks and can use more virtual disks
for storage.
Table 2-100. Virtual Disk Configuration in the vRealize Log Insight Appliance
Hard disk Size Usage
Configure a retention period of seven days for the medium-size vRealize Log Insight appliance.
Table 2-101. Design Decision on Log Retention for vRealize Log Insight
Decision ID Design Decision Design Justification Design Implication
If you must retain logs for an extended period for compliance, auditability, or a customer-specific
reason, you configure vRealize Log Insight to archive log data.
Apply an archive policy of 90 days for the medium-size vRealize Log Insight appliance. Each
vRealize Log Insight cluster uses an estimated 400 GB of shared storage. You can calculate the
required archiving storage by using the vRealize Log Insight sizing calculator at https://
kb.vmware.com/s/article/60355.
Table 2-103. Design Decision on Log Archive Policy for vRealize Log Insight
Decision ID Design Decision Design Justification Design Implication
Content Pack Alerts Content packs contain default alerts that can be configured
to send notifications. These alerts are specific to the
content pack and are disabled by default.
User-Defined Alerts Administrators and users can define their own alerts based
on data ingested by vRealize Log Insight.
vRealize Log Insight handles alerts in two ways:
n Send an e-mail over SMTP.
n Send System Notifications to Third-Party Products
using Webhooks.
n Send to vRealize Operations Manager.
Table 2-105. Design Decision on Alert Notifications for vRealize Log Insight
Decision ID Design Decision Design Justification Design Implication
Launch in Context Launch vRealize Log Insight from the vRealize Operation
Manager user interface.
Embedded vRealize Log Insight Access the integrated vRealize Log Insight user interface
directly in the vRealize Operations Manager user interface.
Table 2-107. Design Decisions on Integration of vRealize Log Insight with vRealize Operations
Manager
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-019 Support launch in context Provides access to vRealize You can register only one
with vRealize Operation Log Insight for context- vRealize Log Insight cluster
Manager. based monitoring of an with vRealize Operations
object in vRealize Manager for launch in
Operations Manager. context at a time.
SDDC-COM-CO- LOG-020 Enable the embedded Provides central access to You can register only one
vRealize Log Insight user the vRealize Log Insight vRealize Log Insight cluster
interface in vRealize user interface for improved with vRealize Operations
Operations Manager. context-based monitoring Manager at a time.
on an object in vRealize
Operations Manager.
For information about the design decisions on the service account for integration of vRealize Log
Insight with vRealize Operations Manager, see Service Accounts for vRealize Log Insight.
vRealize Log Insight supports data protection through the creation of consistent image-level
backups, using backup software that is based on the vSphere Storage APIs - Data Protection
(VADP).
n The vRealize Log Insight cluster nodes are deployed together on the same network in the
region. This configuration colocates log collection with the region-specific applications using
the region-specific virtual network segment.
n This configuration ensures collection of logs locally per region if there is a cross-region
network outage.
n vRealize Log Insight has routed access to the VLAN-backed management network through
the NSX-T Data Center Tier-0 gateway.
n Routing to the VLAN management network, virtual network segments, and external networks
are dynamic and are based on the Border Gateway Protocol (BGP).
Region A Region B
(SFO - San Francisco) (LAX - Los Angeles)
172.16.11.0/24 172.17.11.0/24
VLAN: sfo01-m01-cl01-vds01-pg-mgmt VLAN: lax01-m01-cl01-vds01-pg-mgmt
In a multi-region SDDC, the region-specific virtual network segments are connected to the
management networks in each region through the NSX-T global Tier-0 and Tier-1 gateways.
Table 2-108. Design Decisions on the Virtual Network Segment for vRealize Log Insight
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-021 Place the vRealize Log n Colocates log collection You must use an
Insight nodes in Region A to the regional SDDC implementation in NSX-T
on the region-specific applications using the Data Center to support this
virtual network segment, region-specific virtual networking configuration.
that is, sfo-m01-seg01. network segments.
n Provides a consistent
deployment model for
management
applications.
Table 2-109. Design Decisions on the Virtual Network Segment for vRealize Log Insight for a
Multi-Region SDDC
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-022 For a dual-region SDDC, n Ensures centralized n Interruption in the cross-
place the vRealize Log access to log data per region network can
Insight nodes in Region B region if there is a impact event forwarding
on the region-specific cross-region network between the vRealize
virtual network segment, outage. Log Insight clusters and
that is, lax-m01-seg01. n Co-locates log cause gaps in log data.
collection to the n You must use an
regional SDDC implementation in NSX-T
applications using the Data Center to support
region-specific virtual this networking
network segments. configuration.
n Provides a consistent
deployment model for
management
applications.
IP Addressing Scheme
Allocate a statically assigned IP addresses and host names from the region-specific network
segment in Region A to the vRealize Log Insight cluster nodes.
Table 2-110. Design Decisions on the IP Addressing for vRealize Log Insight
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-023 Allocate statically assigned Using statically assigned IP Requires precise IP address
IP addresses and host addresses ensures stability management.
names from the region- across the SDDC and
specific network segment makes it simpler to maintain
in Region A to the vRealize and easier to track.
Log Insight cluster nodes
and the integrated load
balancer (ILB) in Region A.
Table 2-111. Design Decisions on the IP Addressing for vRealize Log Insight for a Multi-Region
SDDC
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-024 For a dual-region SDDC, Using statically assigned IP Requires precise IP address
allocate statically assigned addresses ensures stability management.
IP addresses and host across the SDDC and
names from the region- makes it simpler to maintain
specific network segment and easier to track.
in Region B to the vRealize
Log Insight cluster nodes
and the integrated load
balancer (ILB) in Region B.
Name Resolution
vRealize Log Insight node name resolution, including the integrated load balancer virtual IP
addresses (VIP), use a region-specific suffix, that is, sfo.rainpole.io for Region A.
Table 2-112. Design Decisions on Name Resolution for vRealize Log Insight
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-025 Configure forward and All nodes are accessible by You must provide DNS
reverse DNS records for all using fully qualified domain records for the vRealize Log
vRealize Log Insight cluster names instead of by using Insight nodes.
nodes and the integrated IP addresses only.
load balancer (ILB) VIP
address in Region A.
Table 2-113. Design Decisions on Name Resolution for vRealize Log Insight for a Multi-Region
SDDC
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-026 For a dual-region SDDC, All nodes are accessible by You must provide DNS
configure forward and using fully qualified domain records for the vRealize Log
reverse DNS records for all names instead of by using Insight nodes.
vRealize Log Insight cluster IP addresses only.
nodes and the integrated
load balancer (ILB) VIP
address in Region B.
Load Balancing
A vRealize Log Insight cluster deployment requires a load balancer to manage connections to
vRealize Log Insight. The design uses the vRealize Log Insight integrated load balancer (ILB).
Table 2-114. Design Decisions on Load Balancing for vRealize Log Insight
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-027 Enable the vRealize Log Supports balancing You must provide an extra IP
Insight integrated load ingestion traffic among the address and FQDN for the
balancer (ILB) for balancing Log Insight nodes and high Integrated Load Balancer
incoming traffic. availability. (ILB)
Time Synchronization
Time synchronization provided by the Network Time Protocol (NTP) is important to ensure that
all components within the SDDC are synchronized to the same time source. Configure time
synchronization using an internal NTP time source across all vRealize Log Insight nodes.
Table 2-115. Design Decisions on Time Synchronization for vRealize Log Insight
Decision ID Design Decision Design Justification Design Implication
For information about the logging sources for vRealize Log Insight in this design, see Deployment
Model of vRealize Log Insight.
Content Packs
Table 2-116. vRealize Log Insight Content Packs for the First Region
Content Pack Installed by
General default
Table 2-117. Design Decisions on Content Packs for vRealize Log Insight
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-029 Install the following content Provides additional Requires configuration of
packs: granular monitoring on the each non-default content
n VMware - Linux virtual infrastructure. pack.
SDDC-COM-CO- LOG-030 Configure the following n Provides a standardized Adds minimal load to
agent groups that are configuration that is vRealize Log Insight.
related to content packs: pushed to all vRealize
n SDDC - vRSLCM Log Insight agents in
each of the groups.
n SDDC - Photon OS
n Supports collection
n SDDC - Workspace
according to the
ONE Access
context of the
applications and
parsing of the logs
generated from the
SDDC components by
the vRealize Log Insight
agent such as specific
log directories, log files,
and logging formats.
General default
Table 2-119. Design Decisions on Content Packs for vRealize Log Insight for a Multi-Region SDDC
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-032 For a dual-region SDDC, n Provides a standardized Adds minimal load to
configure the following configuration that is vRealize Log Insight.
agent groups in Region B pushed to all vRealize
that are related to content Log Insight agents in
packs : each of the groups.
n SDDC - vRSLCM n Supports collection
n SDDC - Photon OS according to the
context of the
n SDDC - Workspace
applications and
ONE Access
parsing of the logs
generated from the
SDDC components by
the vRealize Log Insight
agent such as specific
log directories, log files,
and logging formats.
Logging Sources
Client applications can send logs to vRealize Log Insight in one of the following ways:
n Directly to vRealize Log Insight using the syslog TCP, syslog TCP over TLS/SSL, or syslog
UDP protocols
n By using vRealize Log Insight to query directly the vSphere Web Server APIs
vRealize Log Insight collects log events from the following virtual infrastructure and cloud
management components:
Table 2-121. Design Decision on Logging Sources for vRealize Log Insight
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-035 Configure the SDDC - Provides a standardized Adds minimal load to the
Workspace ONE Access configuration that is vRealize Log Insight cluster.
and SDDC - Photon OS pushed to the vRealize Log
agent groups in the Insight agents for each
vRealize Log Insight cluster Workspace ONE Access
in Region A to include all appliance.
Workspace ONE Access Supports collection
nodes. according to the context of
the Workspace ONE
Access using the vRealize
Log Insight ingestion API
and parses of the logs by
the vRealize Log Insight
agent such as specific log
directories, log files, and
logging formats.
SDDC-COM-CO- LOG-036 Configure syslog sources n Provides potential to n You must configure the
and vRealize Log Insight scale-out without integrated load balancer
agents to send log data reconfiguring all log on the vRealize Log
directly to the virtual IP sources with a new Insight cluster.
(VIP) address of the destination address. n You must configure
vRealize Log Insight n Simplifies the logging sources to
integrated load balancer configuration of log forward data to the
(ILB) in Region A. sources in the SDDC. vRealize Log Insight VIP.
Table 2-121. Design Decision on Logging Sources for vRealize Log Insight (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-037 Configure all vCenter Simplifies configuration for n You must configure
Server instances in Region log sources that are syslog- syslog sources to
A as direct syslog sources capable. forward logs to the
to send log data directly to vRealize Log Insight VIP.
vRealize Log Insight in n Certain dashboards in
Region A. vRealize Log Insight
require the use of the
vRealize Log Insight
agent for proper
ingestion.
n Not all operating system
level events are
forwarded to vRealize
Log Insight.
SDDC-COM-CO- LOG-038 Configure the vRealize Log Simplifies configuration of You must configure the
Insight agent on the SDDC log sources in the SDDC vRealize Log Insight agent to
Manager appliance in that are pre-packaged with forward logs to the vRealize
region A to forward logs to the vRealize Log Insight Log Insight VIP.
vRealize Log Insight in agent.
Region A.
SDDC-COM-CO- LOG-039 Configure the vRealize Log Simplifies configuration of You must configure the
Insight agent on the log sources in the SDDC vRealize Log Insight agent to
vRealize Suite Lifecycle that are pre-packaged with forward logs to the vRealize
Manager appliance to the vRealize Log Insight Log Insight VIP.
forward logs to vRealize agent.
Log Insight in Region A.
SDDC-COM-CO- LOG-040 Configure the Fluentd Enables the appliance and You must configure the
vRealize Log Insight plugin the containers to send logs Fluentd vRealize Log Insight
on the vRealize Automation to vRealize Log Insight. plugin to forward logs to the
cluster to forward logs to vRealize Log Insight VIP.
vRealize Log Insight in
Region A.
SDDC-COM-CO- LOG-041 Configure the vRealize Log Simplifies configuration of You must configure the
Insight agent for the log sources in the SDDC vRealize Log Insight agent to
vRealize Operations that are prepackaged with forward logs to the vRealize
Manager appliances to the vRealize Log Insight Log Insight VIP.
forward logs to vRealize agent.
Log Insight in Region A,
including:
n Analytics nodes
n Remote Collector
instances
Table 2-121. Design Decision on Logging Sources for vRealize Log Insight (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-042 Configure the NSX-T Data Simplifies configuration of n You must configure
Center components as log sources in the SDDC syslog sources to
direct syslog sources for that are syslog-capable. forward logs to the
vRealize Log Insight in vRealize Log Insight VIP.
Region A, including: n Not all operating system-
n NSX-T Manager level events are
instances forwarded to vRealize
n NSX Edge instances Log Insight.
SDDC-COM-CO- LOG-043 Communicate with the Using the TCP syslog n TCP has a higher
syslog clients, such as ESXi, protocol ensures reliability performance overhead
vCenter Server, NSX-T and supports retry compared to UDP.
Data Center, using the TCP mechanisms. n You must manually
protocol. TCP syslog traffic is secure disable the SSL
and more consistent with connection requirement
RFC 5424. in vRealize Log Insight.
SDDC-COM-CO- LOG-044 Do not configure vRealize Manually install updated You must maintain manually
Log Insight to automatically versions of the Log Insight the vRealize Log Insight
update all deployed agents. agents for each of the agents on each of the SDDC
specified components in components.
the SDDC for precise
maintenance.
For information about the design decisions on the service account for vRealize Log Insight
ingestion from vCenter Server, see Service Accounts for vRealize Log Insight.
Table 2-122. Design Decision on Logging Sources for vRealize Log Insight for a Multi-Region
SDDC
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-045 For a dual-region SDDC, You must use the vRealize None.
connect the workload Log Insight user interface,
domains in Region B to because vRealize Log
vRealize Log Insight in Insight in Region B is
Region B by using the deployed in standalone
vRealize Log Insight user mode.
interface.
SDDC-COM-CO- LOG-047 For a dual-region SDDC, Provides a standardized Adds minimal load to the
configure the SDDC - configuration that is vRealize Log Insight cluster.
Workspace ONE Access pushed to the vRealize Log
and SDDC - Photon OS Insight agents for each
agent groups in the Workspace ONE Access
vRealize Log Insight cluster appliance.
in region B to include the Supports collection
region-specific Workspace according to the context of
ONE Access node in region the Workspace ONE
B. Access using the vRealize
Log Insight ingestion API
and parses of the logs by
the vRealize Log Insight
agent such as specific log
directories, log files, and
logging formats.
SDDC-COM-CO- LOG-048 For a dual-region SDDC, n Provides potential to n You must configure the
configure syslog sources scale-out without integrated load balancer
and vRealize Log Insight reconfiguring all log on the vRealize Log
agents in Region B to send sources with a new Insight cluster.
log data directly to the destination address. n You must configure
virtual IP (VIP) address of n Simplifies the logging sources to
the vRealize Log Insight configuration of log forward data to the
integrated load balancer sources in the SDDC. vRealize Log Insight VIP.
(ILB) in Region B.
Table 2-122. Design Decision on Logging Sources for vRealize Log Insight for a Multi-Region
SDDC (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-049 For a dual-region SDDC, Simplifies configuration for n You must configure
configure all vCenter Server log sources that are syslog- syslog sources to
instances in Region B as capable. forward logs to the
direct syslog sources to vRealize Log Insight VIP.
send log data directly to n Certain dashboards in
vRealize Log Insight in vRealize Log Insight
Region B. require the use of the
vRealize Log Insight
agent for proper
ingestion.
n Not all operating system
level events are
forwarded to vRealize
Log Insight.
SDDC-COM-CO- LOG-050 For a dual-region SDDC, Simplifies configuration of You must configure the
configure the vRealize Log log sources in the SDDC vRealize Log Insight agent to
Insight agent on the SDDC that are pre-packaged with forward logs to the vRealize
Manager appliance in the vRealize Log Insight Log Insight VIP.
Region B to forward logs to agent.
vRealize Log Insight in
Region B.
SDDC-COM-CO- LOG-051 For a dual-region SDDC, Simplifies configuration of n You must configure
configure the NSX-T Data log sources in the SDDC syslog sources to
Center components in that are syslog-capable. forward logs to the
Region B as direct syslog vRealize Log Insight VIP.
sources for vRealize Log n Not all operating system-
Insight in Region B, level events are
including: forwarded to vRealize
n NSX-T Manager Log Insight.
instances
n NSX Edge instances
SDDC-COM-CO- LOG-052 For a dual-region SDDC, Using the TCP syslog n TCP has a higher
communicate with the protocol ensures reliability performance overhead
syslog clients in Region B, and supports retry compared to UDP.
such as ESXi, vCenter mechanisms. n You must manually
Server, NSX-T Data Center, TCP syslog traffic is secure disable the SSL
using the TCP protocol. and more consistent with connection requirement
RFC 5424. in vRealize Log Insight.
SDDC-COM-CO- LOG-053 For a dual-region SDDC, do Manually install updated You must maintain manually
not configure vRealize Log versions of the Log Insight the vRealize Log Insight
Insight in Region B to agents for each of the agents on each of the SDDC
automatically update all specified components in components.
deployed agents. the SDDC for precise
maintenance.
Information Security and Access Control Design for vRealize Log Insight
You protect the vRealize Log Insight deployment by configuring the authentication and secure
communication with the other components in the SDDC. A dedicated service account is assigned
a custom role for communication between vRealize Log Insight and the management solutions in
the data center.
Import users or user groups from Microsoft Active Users can use their AD credentials to log in to vRealize Log
Directory Insight.
Integrate with Workspace ONE Access Specified users and groups from upstream identity sources
are synchronized to vRealize Log Insight through
Workspace ONE Access.
Create local user accounts in vRealize Log Insight vRealize Log Insight performs local authentication using the
account information stored in its global database.
You enable authentication using Workspace ONE Access to ensure accountability on user
access. You can grant both users and groups access to vRealize Log Insight to perform tasks,
such as analyzing logs and viewing dashboards.
Table 2-124. Design Decisions on Identity Management for vRealize Log Insight
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-054 Enable vRealize Log Insight Allows authentication, You must deploy and
integration with your including multi-factor, to configure the regional
corporate identity source vRealize Log Insight using Workspace ONE Access
by using the region-specific your corporate identity instance to establish the
Workspace ONE Access source. integration between vRealize
instance. Allows authorization Log Insight and your
through the assignment of corporate identity sources.
roles to enterprise users
and groups defined in your
corporate identity source.
SDDC-COM-CO- LOG-055 Create a security group in Streamlines the You must create the security
your corporate directory management of vRealize group outside of the SDDC
services for the vRealize Log Insight roles for users. stack.
Log Insight administrators,
rainpole.io\ug-vrli-admins,
and synchronize the group
in the Workspace ONE
Access configuration for
vRealize Log Insight.
Table 2-124. Design Decisions on Identity Management for vRealize Log Insight (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-056 Assign the enterprise Provides the following You must maintain the life
group for vRealize Log access control features: cycle and availability of the
Insight administrators, n Access to vRealize Log security group outside of the
rainpole.io\ug-vrli-admins, Insight administration is SDDC stack.
the Super Admin role. granted to a managed
set of individuals that
are members of the
security group.
n You can introduce
improved accountability
and tracking
organization owner
access to vRealize Log
Insight.
SDDC-COM-CO- LOG-057 Create a security group in Streamlines the You must create the security
your corporate directory management of vRealize group outside of the SDDC
services for the vRealize Log Insight roles for users. stack.
Log Insight users,
rainpole.io\ug-vrli-users,
and synchronize the group
in the Workspace ONE
Access configuration for
vRealize Log Insight.
SDDC-COM-CO- LOG-058 Assign the enterprise Provides the following You must maintain the life
group for vRealize Log access control features: cycle and availability of the
Insight users, rainpole.io n Access to the vRealize security group outside of the
\ug-vrli-users, the User Log Insight user SDDC stack.
role. interface is granted to a
managed set of
individuals that are
members of the
security group.
n You can introduce
improved accountability
and tracking
organization owner
access to vRealize Log
Insight.
Table 2-124. Design Decisions on Identity Management for vRealize Log Insight (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-059 Create a security group in Streamlines the n You must create the
your corporate directory management of vRealize security group outside of
services for the vRealize Log Insight roles for users. the SDDC stack.
Log Insight viewers,
rainpole.io\ug-vrli-viewers,
and synchronize the group
in the Workspace ONE
Access configuration for
vRealize Log Insight.
SDDC-COM-CO- LOG-060 Assign the enterprise Provides the following You must maintain the life
group for vRealize Log access control features: cycle and availability of the
Insight viewers, rainpole.io n Access to the vRealize security group outside of the
\ug-vrli-viewers, the View Log Insight user SDDC stack.
Only Admin role. interface is granted to a
managed set of
individuals that are
members of the
security group.
n You can introduce
improved accountability
and tracking
organization owner
access to vRealize Log
Insight.
Table 2-125. Design Decisions on a Service Account for vRealize Log Insight Integration with
vRealize Operations Manager
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-061 In vRealize Operations Enables integration You must maintain the life
Manager, add an between vRealize Log cycle and availability of the
application-to-application Insight and vRealize service account outside of
service account from Operations Manager. the SDDC stack.
Workspace ONE Access,
for vRealize Log Insight
Integration, svc-vrli-
vrops@rainpole.io. Assign
this user the default
Administrator role.
SDDC-COM-CO- LOG-062 Enable vRealize Operations Integrating vRealize Log n You must maintain the
Manager integration in Insight alerts with vRealize life cycle of this
vRealize Log Insight using Operations Manager allows integration.
the vRealize Operations you to view all information n You must specify the
Manager service account, about your environment in user account in the
svc-vrli-vrops@rainpole.io. a single user interface. user@domain@source
format for the
integration. source is the
name of the Workspace
ONE Access
authentication source
created in vRealize
Operations Manager,
svc-vrli-
vrops@rainpole.io@Wor
kspaceONE.
Table 2-126. Design Decision on a Service Account for vRealize Log Insight Ingestion from
vCenter Server
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-063 Define a custom vCenter vRealize Log Insight You must maintain the
Server role for vRealize Log accesses vSphere with the permissions required by the
Insight that has the minimum set of permissions custom role.
minimum privileges that are required to
required to support support collecting logs
collecting logs from from vSphere endpoints
vSphere endpoints across across the SDDC.
the SDDC, vRealize Log
Insight to vSphere
Integration.
SDDC-COM-CO- LOG-064 Configure a service account Provides the following n You must maintain the
in vCenter Server with access control features: life cycle and availability
global permissions, for n vRealize Log Insight of the service account
application-to-application accesses vSphere with outside of the SDDC
communication from the minimum set of stack.
vRealize Log Insight to permissions that are n All vCenter Server
vSphere, svc-vrli- required to collect logs. instances must be in the
vsphere@rainpole.io, and same vSphere domain.
n If there is a
assign the custom role, compromised account,
vRealize Log Insight to the accessibility in the
vSphere Integration. destination application
remains restricted.
n You can introduce
improved accountability
in tracking request-
response interactions
between the
components of the
SDDC.
SDDC-COM-CO- LOG-065 Configure vRealize Log Ensures that all tasks, You must manage the
Insight to ingest events, events, and alarms password life cycle of this
tasks, and alarms from the generated across all service account.
Management domain vCenter Server instances in
vCenter Server and from a specific region of the
the Workload domain SDDC are captured and
vCenter Server by using analyzed for the
the vRealize Log Insight administrator.
service account, svc-vrli-
vsphere@rainpole.io.
Table 2-127. Design Decisions on Password Policy Settings for vRealize Log Insight
Design Decision ID Design Decision Justification Implication
SDDC-COM-CO- LOG-066 Rotate the root password The password for the root You must manage the
on all vRealize Log Insight user account expires 365 password rotation schedule
nodes, on or before 365 days after the initial for the root user account in
days post deployment. deployment. accordance with your
corporate policies and
regulatory standards, as
applicable.
SDDC-COM-CO- LOG-067 Use a CA-signed certificate Configuring a CA-signed Using CA-signed certificates
containing the vRealize Log certificate ensures that the from a certificate authority
Insight cluster node communication to the might increase the
FQDNs, and the ILB FQDN externally facing UI and API deployment preparation
in the SAN attributes, when for vRealize Log Insight, time as certificate requests
deploying vRealize Log and cross-product, is are generated and delivered.
Insight in each region. encrypted.
SDDC-COM-CO- LOG-068 Use a SHA-2 or higher The SHA-1 algorithm is Not all certificate authorities
algorithm when signing considered less secure and support SHA-2.
certificates. has been deprecated.
You forward syslog data in vRealize Log Insight by using the Ingestion API or a native syslog
implementation. While forwarding events, the vRealize Log Insight instance still ingests, stores,
and archives events locally.
The vRealize Log Insight Ingestion API uses TCP communication. In contrast to syslog, the
forwarding module supports the following features for the Ingestion API:
n Support for both structured and unstructured data, that is, multi-line messages
n Client-side compression
Table 2-129. Design Decisions on Event Forwarding Across Regions in vRealize Log Insight
for a Multi-region SDDC
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CO- LOG-069 For a dual-region, forward Supports the following n You must configure
log events to the other operations: each vRealize Log
region by using the n Structured and Insight cluster to
Ingestion API. unstructured data for forward log data to the
client-side cluster in the other
compression region. The
configuration
n Event throttling from
introduces
one vRealize Log
administrative overhead
Insight cluster to
to prevent recursion of
another.
logging between
In the event of a cross-
regions using inclusion
region outage, the
and exclusion tagging.
administrator has access
n Log forwarding adds
to all logs from the two
load to each region.
regions although one of
You must consider log
the regions is offline.
forwarding in the sizing
calculations for the
vRealize Log Insight
cluster in each region.
n You must configure
identical size on both
source and destination
clusters.
SDDC-COM-CO- LOG-070 For a dual-region SDDC, Ensures that the log n You must set up a
configure log forwarding forward operations from custom CA- signed SSL
to use SSL on port 9543. one region to the other certificate.
are secure.
Event forwarding with
SSL does not work with
the self-signed
certificate that is
installed on the
destination servers by
default.
n If you add vRealize Log
Insight nodes to a
cluster in a region, the
SSL certificate used by
the vRealize Log Insight
cluster in the other
region must be installed
in the Java keystore of
all nodes before SSL
can be used.
Orchestration
Virtual Hypervisor
Infrastructure Identity and Access
Monitoring Fault Tolerance
Management
Pools of Resources
Virtualization Control
Backup &
Logging Industry Regulations
Restore
Physical Compute
Infrastructure
Storage
Life Cycle Security Policies
Network Management
n Simplicity for easier life cycle management of the products in this layer
While some of the design objectives are native to the vRealize Automation product, a set of
design and deployment decisions ensures that all Cloud Automation design objectives are met.
Region A
User Interface
Cross-Region
Workspace
ONE Access
API
Integration Accounts
SDDC
Manager
Private Cloud Accounts NSX-T Data Center
Load Balancer
vRealize
Orchestrator
VMware Cloud vRealize
Foundation Automation Cluster
vRealize
Operations
Manager
vCenter Server
My VMware
NSX-T Supporting Components:
Data Center Kubernetes, Docker, Postgres,
FaaS, Traefik, Flannel, Fluentd GitHub, GitLab,
and BitBucket
Supporting Infrastructure:
Shared Storage,
Additional
AD, DNS, NTP, SMTP
Solutions
e.g. IPAM, K8s,
Terraform,
Ansible, Puppet
vCenter Server
NSX-T
Data Center
User Access
vRealize Automation provides a UI and RESTful API for consuming vRealize Automation services.
Cloud Accounts
vRealize Automation can simplify the multi-cloud experience by managing and working with
resources in private cloud and public cloud services. Each supported type of infrastructure is
represented by a cloud account.
n Private Cloud
n Public Cloud
You configure an SDDC Manager integration and add workload domains from a VMware Cloud
Foundation instance as VMware Cloud Foundation cloud accounts into VMware Cloud Assembly.
A VMware Cloud Foundation cloud account enables you to incorporate a VMware Cloud
Foundation workload domain into Cloud Assembly to facilitate a comprehensive hybrid cloud
management solution. VMware Cloud Foundation cloud accounts bring in both the compute
(vSphere) and network (NSX-T Data Center) resources into vRealize Automation for provisioning
and managing resources. VMware Cloud Foundation cloud accounts can automatically generate
a new service account for each vCenter Server endpoint, and reuse the existing administrator
credential for each NSX-T Data Center endpoint. Flavor and image mappings as well as network
and storage profiles can be defined for VMware Cloud Foundation cloud accounts like all the
vCenter Server cloud account.
Integrations
n SDDC Manager
n My VMware
The vRealize Operations Management Pack for vRealize Automation provides performance and
capacity metrics of cloud zones, projects, and underlying cloud infrastructure.
Supporting Infrastructure
vRealize Automation integrates with the following supporting infrastructure:
n DNS for providing name resolution for the vRealize Automation components.
n NTP for providing time synchronization for the vRealize Automation components.
n Workspace ONE Access, connected to an Identity Provider, for example, Active Directory, for
identity and access management.
You can configure automated network provisioning as a part of the cloud template design
instead of as a separate operation outside vRealize Automation.
Usage Model
vRealize Automation enables a usage model that includes interaction between the cloud
automation services, the supporting infrastructure, and the provisioning infrastructure. The usage
model of vRealize Automation contains the following elements and components in them:
Service Broker
Administrator Authoring
Administration of Services Authoring
cloud resources Cloud Zones
Users
Cloud, tenant, group, infrastructure, service, and other administrators as defined by business
policies and organizational structure. Cloud or tenant users in an organization can provision
virtual machines and directly perform operations on them at the level of the operating
system.
Cloud Templates
Cloud templates are infrastructure-as-code. vRealize Automation Cloud Assembly enables the
creation of cloud templates in a design canvas, YAML, or HCL (Terraform).
Image and flavor mappings simplify the cloud template creation while adding greater
flexibility and customization.
An image mapping groups a set of predefined target machine images for a specific cloud
account or region in vRealize Automation Cloud Assembly by using natural language naming
A flavor mapping groups a set of target deployment sizes for a specific cloud account or
region in vRealize Automation Cloud Assembly by using natural language naming.
Provisioning infrastructure
Private and public cloud resources which together form a hybrid cloud.
Private cloud resources are supported hypervisors and associated management tools.
Public cloud resources are supported cloud providers and associated APIs.
Cloud Assembly
The default tenant uses the vRealize Automation administrator portal to set up and
administer tenants and global configuration options.
A custom tenant uses the vRealize Automation tenant portal, which you access by appending
a tenant identifier.
Service Broker
Aggregates native content from multiple clouds and platforms into a single catalog with role-
based policies.
vRealize Orchestrator
Provides a standard set of plug-ins, including a plug-in for vCenter Server, with which you can
orchestrate tasks in the different environments that the plug-ins expose.
n SDDC Manager
n NSX-T Data Center load balancer for cross-region Workspace ONE Access cluster.
n Supporting infrastructure services, such as Active Directory, DNS, NTP, and SMTP
In this design, you deploy a vRealize Automation cluster of three nodes and a load balancer on
the first cluster in the management domain in Region A. vSphere High Availability protects
vRealize Automation by restarting a virtual appliance on an alternate ESXi host in the
management domain cluster if affected by a host failure. A vSphere Distributed Resource
Scheduler anti-affinity rule prevents the vRealize Automation cluster nodes from running on the
same ESXi host in the management domain cluster.
All vRealize Automation services and databases are configured for high availability by using the
underlying Kubernetes orchestration. The vRealize Automation cluster manages the workloads in
each region.
SDDC-COM-CA-001 Deploy a single vRealize n vRealize Automation You must maintain vRealize
Automation installation on can manage one or Automation within its
the first cluster in the more regions and scalability and concurrency
management domain in provides a single cloud maximums.
Region A to provide cloud automation service,
automation services to all regardless of region.
regions. n vRealize Automation
can also manage
VMware Cloud on AWS
and public cloud
instances.
n Because of the
abstraction of the
vRealize Automation
over virtual networking,
it is independent of any
physical site locations
or hardware.
SDDC-COM-CA-004 Apply vSphere Distributed Using vSphere DRS n You can place only a
Resource Scheduler (DRS) prevents the vRealize single ESXi host at a time
anti-affinity rules for the Automation cluster nodes into maintenance mode
vRealize Automation cluster from residing on the same for a management
nodes. ESXi host and risking the cluster of four ESXi
high availability of the hosts.
deployment. n Requires at least four
physical hosts to
guarantee the three
vRealize Automation
nodes continue to run if
an ESXi host failure
occurs.
SDDC-COM-CA-005 Add a VM group for the You can define the startup None.
vRealize Automation cluster order of virtual machines
nodes and set VM rules to regarding the service
restart the Workspace ONE dependency. The startup
Access VM group before order ensures that vSphere
the vRealize Automation High Availability powers on
VM group. the virtual machines for
vRealize Automation in an
order that respects product
dependencies.
SDDC-COM-CA-006 Place all cross-region Provides the organization You must create the virtual
vRealize Automation cluster of the cross-region vRealize machine folder.
nodes in a dedicated virtual Automation cluster nodes
machine folder, xreg-m01- in the management domain
fd-vra. inventory
Table 2-132. Design Decisions on Deployment of vRealize Automation for Multiple Availability
Zones
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-007 When using two availability Ensures that, by default, After the creation of the
zones in Region A, add the the vRealize Automation stretched cluster for
vRealize Automation cluster cluster nodes are powered management domain
nodes to the primary on within the primary availability zones, the VM
availability zone VM group, availability zone hosts group for the primary
sfo-m01-cl01_primary-az- group. availability zone virtual
vmgroup. machines must be updated
to include the vRealize
Automation cluster nodes.
Memory 40 GB 120 GB
SDDC-COM-CA-008 Set the organization name You can customize the None.
in the organization settings. organization name to a
user-friendly name instead
of the host name from the
Workspace ONE Access
cluster.
Life cycle management of vRealize Automation involves the process of performing patch updates
or upgrades to the vRealize Automation cluster.
After the deployment of vRealize Automation by using vRealize Suite Lifecycle Manager, SDDC
Manager manages the life cycle of the vRealize Automation cluster through the integration with
vRealize Suite Lifecycle Manager.
SDDC-COM-CA-009 Use SDDC Manager to SDDC Manager provides You must deploy vRealize
orchestrate the life cycle the upgrade/patch bundles Suite Lifecycle Manager
management of the for vRealize Automation to using SDDC Manager.
vRealize Automation vRealize Suite Lifecycle
cluster. Manager and manages
vRealize Automation
upgrades/patching through
the integration with
vRealize Suite Lifecycle
Manager.
The native integration to vRealize Automation from vRealize Operations Manager provides the
ability to monitor the health, efficiency, and capacity risks associated with vRealize Automation
and the cloud accounts. You can use the integration to:
n View the performance and health of vRealize Automation objects, such as cloud zones and
projects.
n Troubleshoot vSphere, vSAN, and NSX-T Data Center issues associated with vRealize
Automation cloud accounts.
For information about the direct integration of vRealize Operations Manager with vRealize
Automation, see Monitoring and Alerting Design in vRealize Operations Manager.
The native integration to vRealize Log Insight from vRealize Automation enables sending logs
from the operating system and service containers in the pods for aggregation and analysis, as
necessary.
After you deploy vRealize Automation by using vRealize Suite Lifecycle Manager in VMware
Cloud Foundation mode, SDDC Manager enables the Fluentd configuration in vRealize
Automation to send logs to the vRealize Log Insight cluster in Region A using the vRealize Log
Insight ingestion API.
SDDC-COM-CA-010 Configure vRealize Allows logs from vRealize A vRealize Log Insight
Automation to send logs to Automation services to be Content Pack for vRealize
the vRealize Log Insight in forwarded from the Fluentd Automation is not available.
Region A. vRealize Log Insight plug-in
to vRealize Log Insight.
For information about the logging sources for vRealize Log Insight, see Logging Design for
vRealize Log Insight.
vRealize Automation supports data protection through the creation of consistent image-level
backups, using backup software that is based on the vSphere Storage APIs - Data Protection
(VADP).
n The vRealize Automation cluster nodes are connected to the cross-region network segment,
xreg-m01-seg01, to support growth to a multi-region design. The vRealize Automation cluster
nodes are deployed together on the same cross-region virtual network segment in Region A.
This configuration provides a consistent deployment model for management applications and
supports growth to a multi-region design.
n All vRealize Automation components have routed access to the VLAN-backed management
network through the NSX-T Data Center Tier-0 gateway.
n Routing to the VLAN-backed management network and other external networks is dynamic
and is based on the Border Gateway Protocol (BGP).
Region A Region B
(SFO - San Francisco) (LAX - Los Angeles)
172.16.11.0/24 172.17.11.0/24
VLAN: sfo01-m01-cl01-vds01-pg-mgmt VLAN: lax01-m01-cl01-vds01-pg-mgmt
xreg-m01-seg01 192.168.11.0/24
Use the virtual network segment configuration to connect vRealize Automation with the other
management solutions in the SDDC. Use the load balancer created on the standalone NSX-T Data
Center Tier-1 gateway of the cross-region network segment for high availability and balancing
user access across the vRealize Automation cluster.
This design uses NSX-T Data Center segments to abstract vRealize Automation and its
supporting services. You place them in a single designated region, Region A, regardless of the
underlying physical infrastructure, such as network subnets, compute hardware, or storage
types.
Table 2-137. Design Decisions on the Virtual Network Segment for vRealize Automation
Decision ID Design Decision Design Justification Design Implication
IP Addressing Scheme
Allocate a statically assigned IP address and a host name from the cross-region network segment
to each vRealize Automation cluster node.
SDDC-COM-CA-013 Allocate statically assigned Using statically assigned IP Requires precise IP address
IP addresses and host addresses ensures stability management.
names from the cross- across the SDDC and
region network segment to makes it simpler to maintain
the vRealize Automation and easier to track.
cluster nodes and the NSX-
T Data Center load
balancer.
Important By default, the following network ranges are reserved for the internal Kubernetes
configuration in vRealize Automation:
Setting Value
If these network ranges conflict with your organization's environment, you can override the
defaults during the deployment of vRealize Automation. Additionally, the settings can be
reconfigured as a day-two action using vRealize Suite Lifecycle Manager.
Name Resolution
The vRealize Automation cluster nodes are resolvable by using domain name resolution.
The IP addresses of the vRealize Automation nodes are associated with a fully qualified name
suffix in a designated domain namespace, rainpole.io.
SDDC-COM-CA-014 Configure forward and vRealize Automation is n You must provide DNS
reverse DNS records for accessible by using a fully records for each vRealize
each vRealize Automation qualified domain name Automation cluster node
cluster node IP address and instead of by using IP and the NSX-T Data
for the NSX-T Data Center addresses only. Center load-balancer
load-balancer virtual IP virtual server IP address.
address. n All firewalls located
between the vRealize
Automation nodes and
the DNS servers must
allow DNS traffic.
Table 2-140. Design Decisions on Name Resolution for vRealize Automation for a Multi-Region
SDDC
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-015 For a dual-region SDDC, vRealize Automation cluster If you scale from a single-
configure the DNS settings nodes can resolve DNS region to multi-region SDDC
for each vRealize from regional DNS servers deployment, the DNS
Automation cluster node to during a planned migration settings on each vRealize
use DNS servers in each or a disaster recovery Automation cluster node
region. between regions. must be manually updated
by using the vRealize
Automation CLI.
Time Synchronization
vRealize Automation depends on time synchronization for all cluster nodes.
SDDC-COM-CA-016 Configure NTP for each vRealize Automation All firewalls located between
vRealize Automation cluster depends on time the vRealize Automation
node. synchronization for all cluster nodes and the NTP
cluster nodes. servers must allow NTP
traffic.
Table 2-142. Design Decisions on Time Synchronization for vRealize Automation for Multiple
Regions
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-017 In a dual-region SDDC, vRealize Automation cluster If you scale from a single-
configure the NTP settings nodes can query NTP from region to multi-region SDDC
for each vRealize regional NTP servers to deployment, the NTP
Automation cluster node to synchronize time during a settings on each vRealize
use NTP servers in each planned migration or Automation cluster node
region. disaster recovery between must be manually updated
regions. by using the vRealize
Automation CLI.
Load Balancing
A vRealize Automation cluster deployment requires a load balancer to manage the connections
to the vRealize Automation services.
The design uses load-balancing services provided by NSX-T Data Center in the management
domain. During the deployment of vRealize Automation, vRealize Suite Lifecycle Manager and
SDDC Manager coordinate to automate the deployment and configuration of the NSX-T Data
Center load balancer.
SDDC-COM-CA-018 Use the small-size NSX-T n Required to deploy You must use the NSX-T
Data Center load balancer vRealize Automation as Data Center load balancer
that is configured by SDDC a cluster deployment that is configured by SDDC
Manager, on a dedicated type, enabling it to Manager and the integration
NSX-T Data Center Tier-1 handle a greater load with vRealize Suite Lifecycle
gateway in the and obtain a higher Manager.
management domain to level of service
load balance connections availability.
across the vRealize n During the deployment
Automation cluster nodes. of vRealize Automation
by using vRealize Suite
Lifecycle Manager,
SDDC Manager
automates the
configuration of the
NSX-T Data Center load
balancer for the
vRealize Automation
cluster on the NSX-T
Data Center standalone
Tier-1 gateway.
Table 2-143. Design Decisions on Load Balancing for vRealize Automation (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-022 n Use the NSX-T Data The virtual server receives None.
Center load-balancer all the client connections
virtual server, vra-https, and distributes them
for vRealize Automation among the pool members
to use the L4 TCP type based on the state of the
and port 443. pool members.
n An IP is set for the load
balancer.
n The application profile
is set to, vra-tcp-app-
profile.
n The server pool for the
vRealize Automation is
set to, vra-server-pool.
Table 2-143. Design Decisions on Load Balancing for vRealize Automation (continued)
Decision ID Design Decision Design Justification Design Implication
Cloud Assembly has three service roles assigned from identity and access management. You
assign the service roles to designated enterprise groups, synchronized from your enterprise
identity source through Workspace ONE Access.
Table 2-144. Service Role Assignments for Cloud Assembly in vRealize Automation
Service Role Description Enterprise Group
You can also define more granular custom roles and then assign users to those roles. The custom
roles have two categories, view and manage:
View
A user assigned to a role with this permission can see all the items for all projects in the
selected sections of the user interface.
Manage
A user assigned to a role with this permission can see all the items and has full add, edit, and
delete permissions for all projects in the selected sections of the user interface.
These permissions extend the privileges that are granted by the other roles and are not
restricted by project membership.
For information about the service role design decisions for the vRealize Automation Cloud
Assembly service, see Identity Management Design for vRealize Automation.
Tagging serves as the foundation for the workload placement in Cloud Assembly. Tags are labels
that you apply to Cloud Assembly constructs. Tags enable policy-driven placement by directing
how and where Cloud Assembly uses resources and infrastructure to build deployable services
across private and public clouds. Structurally, tags must follow the key:value pair convention, for
example, region:sfo, but their construction is largely open. Tags also enable search and
identification of compute, storage, and network resources, as well as provisioned machines, by
using logical and natural language context.
Tagging Strategy
Before you create and use tags in Cloud Assembly, you must establish a well-defined and
adaptive tagging strategy and taxonomy. A tagging strategy ensures that users who create and
use tags understand what the tags mean, how the tags must be used, and where or when the
tags must be applied. For example, a tagging strategy can determine the tags that can be
discovered, for example, vSphere tags, and the tags that can be user-defined and managed by
using Cloud Assembly.
n Plan and communicate - Create, communicate, and execute a plan for tagging that relates to
the structure of your organization. Your plan must support your deployment requirements,
use clear natural language, and be understandable to all applicable users.
n Simple and adaptive - Use simple, clear, and meaningful names and values for tags. Users can
easily understand capabilities and constraints when using tags in cloud templates or
reviewing tag assignments for a resource. Apply relevant tags to resources while avoiding
unnecessary tagging that might result in deployment or operations challenges.
Tag Types
In terms of origination, tags can be external and internal:
External tags
Discovered and imported from vSphere, NSX Data Center, and VMware Cloud on AWS, as
well as from public clouds like Amazon Web Services and Microsoft Azure. External tags are
visible in both the originating cloud account and Cloud Assembly.
Internal tags
Standard tags
Applied automatically during provisioning on vSphere, Amazon Web Services, and Microsoft
Azure deployments.
Unlike other tags, users cannot use standard tags during deployment configuration, and no
constraints are applied. Standard tags are stored as system custom properties and are added
to deployments after provisioning.
User-defined tags
Capability tags
Used to define capabilities of an object and enable you to define placement logic for
deployment. These tags define the required connectivity, functionality, and capabilities for
deployments.
You can create capability tags on resources, such as cloud zones, storage and storage
profiles, and networks and network profiles. Capability tags on storage or network
components affect only the components on which they are applied. Cloud Assembly matches
capability tags with constraints from cloud zones and on cloud templates at deployment time.
Constraint tags
You can apply constraint tags to two constructs - project and image configuration, and cloud
template deployment. Constraints applied to both constructs are merged in cloud templates
to form a set of deployment requirements.
When configuring Cloud Assembly, you apply constraint tags to projects so that you provide
governance directly at the project level. All constraints added at this level are applied to all cloud
templates that are requested for the applicable project. If a tag on a project conflicts with a tag
on a cloud template, the project tag takes precedence, allowing you to enforce governance
rules.
On cloud templates, you add constraint tags as YAML code to match the appropriate capability
tags that your cloud administrator created on Cloud Assembly objects and resources. In addition,
there are other more complex options for implementing constraint tags. For example, you can
use a variable to populate one or more tags on a request, so that you can specify one or more of
the tags at request time.
Create constraint tags by using the tag label in the cloud template YAML code. Constraint tags
from projects are added to the constraint tags created in cloud templates.
In this example, the cloud template constraint attempts to deploy on objects with the
cloud:private capability tag applied:
constraints:
- tag:
cloud:private
In this example, you pass a cloud template expression for user selection with a cloud template
input:
inputs:
targetCloud:
type:string
enum:
- private
- vmc
- aws
- azure
- gcp
- ......
constraints:
- tag: '${"cloud:" + to_lower(input.targetCloud)}'
key:value or key:value:hard Use this tag format when a cloud template must be
provisioned on resources with a matching capability tag. If
no matching tag is found, the deployment process fails.
key:value:soft Use this tag format when you prefer a matching resource.
If there is no matching tag, the deployment process
proceeds without failing and accepts resources.
!key:value Use this tag format, with the hard or soft value, when you
want the deployment process to avoid resources with a
matching tag.
Integrations ✓ x
Cloud zones ✓ x
Projects x ✓
Table 2-146. Comparison of Capability and Constraint Tags in Cloud Assembly (continued)
Objects Type Objects Capability Constraint
Flavor mappings x ✓
Network profiles ✓ x
Compute Clusters ✓ x
Resource pools ✓ x
Availability zones ✓ x
Datastore / Clusters x x
IP ranges x x
Load balancers ✓ x
Network domains x x
Machines Machines x x
Volumes Volumes x x
Kubernetes Kubernetes x x
1 Cloud zones are filtered by several criteria, including availability and profiles. Tags in profiles
for the zone are matched.
2 Cloud zone and compute capability tags are used to filter the remaining cloud zones by hard
constraints.
3 Provisioning priority is used to select a cloud zone from the remaining filtered cloud zones. If
there are several cloud zones with the same provisioning priority, they are sorted by
matching soft constraints, using a combination of the cloud zone and compute capabilities.
4 After a cloud zone is selected, a host is selected by matching a series of filters, including hard
and soft constraints as expressed in cloud templates.
You can simulate a provisioning request to validate your configurations. Based on the provided
values, the request goes through the projects, cloud zones, and profiles configurations without
executing the provisioning.
Note The design decisions regarding the use of tags on cloud accounts, cloud zones, projects, \
and profiles are provided within the specific architecture topics.
Table 2-147. Design Decisions on Tagging for Cloud Assembly in vRealize Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-025 Establish and publish a Capability and constraint Your strategy must account
well-defined strategy, tags enable you to for external tags, for
implementation, and organize and activate cloud example, vSphere and NSX-
taxonomy for the tagging resources and profiles for T Data Center tags, and
of cloud resources. resource consumption by internal user-defined tags
using the declarative nature managed through Cloud
of cloud templates to Assembly.
define deployment
configurations.
SDDC-COM-CA-26 Apply constraint tags to During a provisioning You must manage the
cloud templates in the operation, capabilities are capability tags on your cloud
YAML code. matched with constraints, resources, such as cloud
each expressed as tags, in zones, storage and storage
cloud templates and profiles, networks and
images to determine the network profiles.
deployment configuration.
You create cloud accounts for the projects in which your organization team members work.
Resource information, such as network and security, compute, storage, and tags data, is
collected from your cloud accounts.
For organizations that are distributed across multiple geographic regions, vRealize Automation
connects to the cloud accounts directly by using HTTPS.
vRealize Automation connects to on-premises private cloud accounts, such as a VMware Cloud
Foundation workload domain that includes a vCenter Server and NSX-T Manager topology. You
provide or discover the details, such as the endpoint IP address/FQDN/URL, user name,
password, name, description, and capability tags.
vRealize Automation uses a custom role in vSphere with permissions for a designated service
account to perform vRealize Automation operations on cloud accounts in the Software-Defined
Data Center. Dedicated service accounts are assigned a custom role for communication between
vRealize Automation and the vCenter Server and NSX-T Manager instances in the environment.
You can also configure Cloud Assembly cloud accounts to public cloud services. Cloud Assembly
can collect infrastructure data from a configured public cloud, and you can deploy cloud
templates to one or more of the account regions in the public cloud backed cloud account.
Table 2-148. Design Decisions on Cloud Accounts for Cloud Assembly in vRealize Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-027 Add a VMware Cloud Discovers VMware Cloud n You must manage the
Foundation cloud account Foundation workload cloud account
for each workload domain domain endpoints and credentials and the life
in the region. topologies for vRealize cycle management of
Automation consumption. the related service
accounts.
n You must manage
capability tags for the
cloud account.
n Each member of an NSX-
T Manager cluster has a
certain scalability - the
main limit is 199
concurrent API sessions.
An NSX-T Manager
cluster assigns the
cluster VIP to a single
NSX-T Manager cluster
member at any given
time. All API requests
from vRealize
Automation are directed
to this cluster member
through the NSX-T cloud
account. For
environments that
require a higher
concurrent API session
count, an external load
balancer is required to
distribute the API
sessions across all NSX-T
Manager cluster
members for the
workload domain.
SDDC-COM-CA-028 Do not use the Auto n Allows you to control n When configuring the
Configuration for the explicitly both the cloud account, you must
VMware Cloud Foundation roles/permissions and use service accounts that
cloud account service scope for the endpoint are created for
accounts. service accounts used application-to-
for each VMware Cloud application integration
Foundation cloud for both vRealize
account. Automation to vSphere
n Allows you to use an and vRealize Automation
enterprise directory, for to NSX-T Data Center
example, Active
Directory, for service
accounts instead of
local system accounts.
Table 2-148. Design Decisions on Cloud Accounts for Cloud Assembly in vRealize Automation
(continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-029 Use the default POLICY n Ensures that all NSX-T There is no migration path
mode for NSX-T Data Data Center entities from the use of local policy
Center in each VMware created by vRealize to the use of global policy
Cloud Foundation cloud Automation use the for the release of vRealize
account. Policy API instead of Automation in this design.
the legacy Manager
API.
n There is no migration
path from MANAGER mode
to POLICY mode.
For information about the service accounts for the cloud accounts, see Service Accounts Design
for vRealize Automation.
You create cloud zones to define a set of resources within a cloud account. Each cloud zone is
associated with a Cloud Assembly project. Cloud zones can be shared across multiple groups of
users and are not limited by a one-to-one relationship.
You can add or remove tags to filter the compute resources that are used in the cloud zone. For
example, you can have multiple clusters within a workload domain provided by a VMware Cloud
Foundation cloud account. The clusters can serve different purposes due to specific functional or
non-functional constraints or classifications.
Cloud zones do not control how CPU and memory are allocated during periods of resource
contention. This function is performed by the use of vSphere resource pools on a VMware Cloud
Foundation cloud account. To ensure resource availability, all tenant virtual machines must be
deployed on a resource pool in the shared edge and workload cluster in the workload domain.
Table 2-149. Resource Pools in the Shared Edge and Workload Cluster in a Workload Domain
Resource Pool Object Types
For additional clusters in a workload domain to be used by vRealize Automation, apply tags to
ensure that the resources are available to the cloud zone.
By default, on vCenter Server-backed cloud zones, workloads are placed on random hosts.
Optionally, one of the following strategies can be applied to a cloud zone:
BINPACK The most loaded host with enough resources to run the
workload is selected for workload placement.
By default, workloads are placed in the default data center folder. Workload placement can be
set by defining a relative path within the data center in the cloud template YAML code.
For an on-premises cloud account, you can deploy the workload in an alternate folder. You can
set the target folder with a cloud template expression that evaluates end-state values. If you set
the targetCloud value to vmc, the folderName property value is set to Workload. The else option can
apply an alternative value to folderName - a blank value ("") or another input value $
{input.myFolderName}. See the following sample YAML cloud template:
resources:
'Cloud_vSphere_Machine_1:
type: Cloud.vSphere.Machine
properties:
image: ''${input.operatingSystem}''
flavor: ''${input.nodeSize}''
count: ''${input.nodeCount}''
FolderName: ‘${input.targetCloud == “vmc” ? “Workload” : ${input.targetEnvironment}’
networks:
- network: ''${resource.Cloud_NSX_Network_1.id}''
constraints:
- tag: ''${"cloud:" + to_lower(input.targetCloud)}'''
You can add capability tags to match cloud template constraints to a cloud zone. Capability tags
are optional because the tags on compute resources, such as vSphere clusters and resource
pools, are also used as capability tags for a cloud zone, for example, cloud:private, region:sfo,
region:us-west-1, region:us-west-2, env:prod, env:dev, env:dmz.
Table 2-151. Design Decisions on Cloud Zones for Cloud Assembly in vRealize Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-031 Add tags to each cloud Ensures that deployments n You must ensure that
zone. can be targeted for a you manage the tagging
designated region. of cloud zones.
n You must ensure that
constraint tags are
included in the cloud
template YAML if a
region-specific targeting
is required.
SDDC-COM-CA-032 Add tags only to the *- Ensures that virtual You must ensure that
user-vm resource pool in machines are deployed on constraint tags are included
the default shared edge the designated resource in the cloud template YAML.
and workload cluster for pool in the default cluster
cloud zones that contain of the workload domain.
NSX-T Data Center-backed
cloud accounts.
SDDC-COM-CA-033 For each additional cluster n Ensures that, as you n You must ensure that
added to a workload add new vSphere you manage the tagging
domain, add tags to the clusters to a workload of compute resources as
vSphere cluster. domain, you can you add clusters to a
dynamically include workload domain.
compute resources for n You must ensure that
workload provisioning constraint tags are
by adding the included in the cloud
appropriate tags. template YAML.
n Ensures that
deployments can be
targeted for designated
clusters of the workload
domain.
Table 2-151. Design Decisions on Cloud Zones for Cloud Assembly in vRealize Automation
(continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-034 Add a workload folder in Ensures that cloud n You must add the default
the vCenter Server data templates that do not workload folder to all
center for each workload include the folderName workload domains.
domain, for example, sf0- value are deployed in a n To override the default
w01-fd-workload. default workload folder. folder, you must add
logic in your cloud
template YAML code to
deploy cloud templates
in alternative folders.
SDDC-COM-CA-035 Use the DEFAULT placement n All vSphere clusters You must ensure that the
policy for each cloud zone. have the vSphere vSphere Distributed
Distributed Resource Resource Scheduler is
Scheduler enabled to enabled for all workload
optimize initial and domain clusters.
ongoing workload
placement within a
cluster.
n The ADVANCED option for
vRealize Operations
does not support
workload placement on
resource pools in
vCenter Server for
workload placement.
Integrations create a connection between Cloud Assembly and the target service. You configure
integrations with a direct connection to a target service.
VMware SDDC Manager You can use the SDDC Manager integration to discover and
consume VMware Cloud Foundation workload domains and
their endpoint topologies.
VMware vRealize Operations Manager You can use vRealize Operations Manager to direct
workload placement and display metrics post placement.
Ansible and Ansible Tower You can manage deployments for configuration and drift.
Red Hat OpenShift You can use the Kubernetes integration with Red Hat
OpenShift to create Kubernetes clusters by using cloud
templates.
Table 2-153. Design Decisions on Integrations for Cloud Assembly in vRealize Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-036 Add an integration in Cloud Natively integrates vRealize n When configuring the
Assembly for each SDDC Automation with SDDC integration, you must use
Manager instance in a Manager for the discovery a service account that is
region. of VMware Cloud created for application-
Foundation workload to-application integration
domain topologies. for vRealize Automation
to SDDC Manager.
n When the service
account password is
updated, you must
manage the service
account password in the
integration configuration.
SDDC-COM-CA-037 Add an integration in Cloud Provides the ability to You must consider using a
Assembly with My VMware. download curated cloud dedicated My VMware
templates and images from account for the integration
VMware Marketplace to with Cloud Assembly, svc-
Cloud Assembly. vra-
marketplace@rainpole.io,
with the minimum My
VMware permissions to
access the VMware
Marketplace.
Table 2-153. Design Decisions on Integrations for Cloud Assembly in vRealize Automation
(continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-038 Use the default integration The use of the embedded It might be less efficient to
to the vRealize vRealize Orchestrator run a workflow in a multi-
Orchestrator cluster that is cluster has the following region deployment from a
embedded in vRealize advantages over the use of centralized cluster. However,
Automation. an external vRealize it is simpler to manage.
Orchestrator instance:
n Operates in cluster
mode.
n Provides a faster time
to value.
n Reduces the number of
appliances to manage.
n Provides an easier
upgrade path and
better supportability.
n Improves performance.
n Removes the
requirement for an
external database.
Using the embedded
instance of vRealize
Orchestrator is applicable
in most use cases. For
information about the use
cases for using the external
vRealize Orchestrator, refer
to the product
documentation.
SDDC-COM-CA-039 Add an integration in Cloud n Allows you to use data n When configuring the
Assembly for the vRealize from vRealize integration, you must use
Operations Manager cluster Operations Manager in a service account that is
deployment. vRealize Automation to created for application-
display live vSphere- to-application integration
based virtual machine for vRealize Automation
metrics for CPU, to vRealize Operations
memory, storage IOPS, Manager.
and network MBps after n When the service
placement. Metrics for account password is
the past day, week, or updated, you must
month are available. manage the service
n Allows you to use data account password in the
from vRealize integration configuration.
Operations Manager in n You must configure
vRealize Automation to vRealize Operations
display the cost Manager with vRealize
estimation at the time Automation to ensure
of deployment and that both applications
over time.
Table 2-153. Design Decisions on Integrations for Cloud Assembly in vRealize Automation
(continued)
Decision ID Design Decision Design Justification Design Implication
For information about the service account for the Cloud Assembly integration with vRealize
Operations Manager, see Service Accounts Design for vRealize Automation.
A project in Cloud Assembly determines the cloud zones on which a set of users or groups can
deploy workloads, a priority value, the maximum number of virtual machines to deploy, and a
maximum amount of memory that the deployment can use. A project is typically defined by using
an organizational structure, such as a cost-center, or a specific business group or purpose.
By using projects, you can organize and govern what business users can do and what cloud
zones they can use to deploy cloud templates in your cloud infrastructure. You create a project
for which you manage membership - project administrators, project members, and project
viewers - and cloud zones so that the project members can deploy their cloud templates to the
associated cloud zones. Project administrators use the infrastructure that is created by the cloud
administrator to ensure that project members have the resources they need while project
members are users who create, iterate, and deploy cloud templates. Project viewers have read-
only access to the project.
For example, as a Cloud Assembly administrator, you can first create a project for a development
team and then add the users and groups as project members or project administrators. After
that, you can add the cloud zones that are designated for these workloads.
Projects provide a context to which you can assign cloud templates, and moving beyond Cloud
Assembly, projects can also bind integration endpoints, such as, Git-based repositories in Code
Stream.
When you assign a cloud zone within a project, you can include additional configurations that
determine the project behavior.
Provisioning priority The priority order for a cloud zone used in a project when
all other constraints are met.
Resource tags can be created on cloud resources during provisioning. For vSphere cloud
accounts, the tags are associated with the workloads inside the workload domain.
At deployment time, to determine the best deployment location, the project cloud template
requirements are evaluated against the cloud zones associated with the project.
You can also add a custom property in a project to trigger and populate extensibility actions or
workflows, override cloud template level properties, or for reporting.
vRealize Automation
Constraints: Constraints:
cloud:private / region:sfo / tier:platinum / function:app cloud:private / region:lax / tier:silver / function:web
Region A Region B
Network Profiles Network Profiles
vSphere Cloud Account vSphere Cloud Account
Region A Region B
Storage Profiles NSX-T Cloud Account NSX-T Cloud Account Storage Profiles
Synchronization
vSphere vSphere
Content Library Content Library
Region A Region B
Workload Domain Workload Domain
Images Images
Storage Path: Storage Path:
SFO-vSAN LAX-NFS-DSC
Windows Windows
Region A DC Region B DC
Layer 3
Network
Table 2-155. Design Decisions on Projects for Cloud Assembly in vRealize Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-040 For each project, add one An enterprise group is a You must maintain the
or more enterprise groups collection of directory membership and availability
to the Project users, such as an Active of the security groups
Administrator and Project Directory security group. outside of the SDDC stack.
Member roles instead of The use of enterprise
assigning individual users groups to specify the role
to project roles. For permissions for a collection
example, rainpole.io\ug- of users facilitates the
vra-project-admins-sample project membership
and rainpole.io\ug-vra- management.
project-users-sample.
SDDC-COM-CA-041 For each project, add one Provides one or more cloud None.
or more cloud zones based zones and their resources
on the project for project consumption.
requirements and allowed
cloud resources.
SDDC-COM-CA-042 For each project, set a Prioritizes one cloud zone You must manage the
provisioning priority for over another within a provisioning priority for each
each cloud zone based on project. cloud zone in each project.
your deployment The default priority is 0
prioritization. (highest priority).
SDDC-COM-CA-043 For each project, set limits Sets the maximum number If a value greater than 0
for the project cloud zones of workload instances and (unlimited) is used for the
as required. resources provisioned in instance or resource limit,
the cloud zone for the you must manage the limit
project. for each cloud zone in each
The default limit is 0 project when requirements
(unlimited). change.
SDDC-COM-CA-044 For each project, specify a Ensures proper placement If the same constraint or the
network, storage, and of the workloads in a same constraint category is
extensibility constraints project and its cloud zones. specified in both the project,
that must be applied to all for example, region:sfo, and
requests in the project. the cloud template, for
example, region:lax, the
constraint specified in the
project takes precedence,
for example, region:sfo.
Table 2-155. Design Decisions on Projects for Cloud Assembly in vRealize Automation
(continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-045 For each project, add one Custom properties can be If the same custom property
or more custom properties, used for provisioning or is specified in both the
for example, project:foo. capturing additional project, for example,
metadata. For example, for project:foo, and the cloud
reporting or extensibility template, for example,
actions. project:bar, the property
value specified in the project
takes precedence, for
example, project:foo.
SDDC-COM-CA-046 For each project, add a The template provides a The template substitutes
custom naming template to custom virtual machine auto-generated virtual
be used for virtual machine name and does not affect machine names by using
names provisioned in the the host name of the virtual available properties, such as
project. machine. resource properties, custom
properties, endpoint
properties, project
properties, and a random
number with a specified
number of digits.
You must ensure that the
template generates unique
names for this project and
between other projects.
Important Project Administrators must be granted the Service Broker Administrator role to
perform customizations to cloud template icons and forms. However, members of this role are
also entitled to manage cloud accounts, cloud zones, and integrations created by a Cloud
Assembly Administrator.
A flavor mapping associates a defined cloud region with one or more resource sizing options or
instance types. A mapping defines a common term that is mapped to the specific constructs in
each of your platform environments. A flavor can equate to a specific number of CPUs and
memory allocation, allowing you to scale your resources to the requirements of your target
workload.
These sizing options are commonly expressed as t-shirt sizes. For example, x-small can represent
1 CPU and 512 MB memory, while medium can represent 4 CPUs and 16 GB memory for a VMware
Cloud Foundation cloud account in a specific data center. The same resources can be mapped to
t2.nano and t2.large for an Amazon Web Services account in a specific region.
You can create a flavor-mapping schema across your cloud accounts and regions. For example, a
flavor map named x-large can contain a similar flavor sizing for some or all available accounts
and regions in your project. When you build a cloud template, you set an available flavor that fits
your requirements.
Figure 2-17. Flavor Mapping and Cloud Template Consumption Across Clouds
Sample Cloud Template
type: Cloud.Machine
properties:
image: '${input.operatingSystem}'
flavor: '${input.nodeSize}'
count: '${input.nodeCount}'
constraints:
- tag: '${input.targetCloud}'
- tag: '${input.targetRegion}'
flavor: medium
us-east-2 us-east-2
EC2 Instance EC2 Instance
in us-east-1 in us-east-1
Microsoft Azure
STD_F4S_V2 STD_F4S_V2
East US 2 East US 1
To simplify the cloud template creation, when you add a cloud account, you can select a pre-
configuration option. Selecting the pre-configuration option, selects the most popular flavor
mapping and image mapping for the specified region in your organization.
Table 2-156. Design Decisions on Flavor Mappings for Cloud Assembly in vRealize Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-047 Create standardized flavor Provides a simple, natural You must publish and
mappings based on a language naming to define communicate the updates to
common taxonomy and common deployment size cloud template developers
deployment intent. specifications. and consumers.
For example, you can use t-
shirt sizes or a custom
taxonomy.
SDDC-COM-CA-048 For each flavor mapping, Provides a simple, natural You must maintain the
add all applicable cloud language naming to define mapping for any image
zones. common deployment size mapping create or update
specifications when used in operation.
a specific cloud account or
region.
Image Mappings
With Cloud Assembly image mappings, you can use natural language naming to define a group
of virtual machine operating system image specifications when used in a cloud account or region.
Image mappings provide a method to define the virtual machine image that an environment can
consume. An image mapping associates an image name with a virtual machine template in a
region. You can create one or more image names and map to a metadata file that contain
predefined value sets.
For example, if you want to deploy an Ubuntu virtual machine, you can map linux-ubuntu-
server-20-04-lts to an image from the vSphere Content Library or native vSphere virtual machine
template in a vSphere cloud region or account, or to an AMI file in Amazon Web Services, or a
specific VHD file in Microsoft Azure.
A mapping links a common term to the specific construct in each of your platform environments.
Also, an image can map to a virtual machine image that contains pre-populated cost or region
specifications to import into a cloud template.
Cloud accounts backed by vCenter Server and NSX-T Data Center environments, such as
VMware Cloud Foundation and VMware Cloud on AWS Software-Defined Data Center
environments, use image mappings to group a set of target deployment conditions together,
including virtual machine configuration settings and guest operating system. Cloud accounts,
such as Amazon Web Services and Microsoft Azure, also use a similar grouping mechanism to
define a set of deployment conditions.
Cloud Assembly can consume images for VMware Cloud Foundation or vCenter Server
environments by using traditional virtual machine templates or Open Virtual Format (OVF)
images, packaged in the Open Virtual Appliance (OVA) format in the vSphere Content Library or
a source URL. In this design, the vSphere Content Library is used to manage and distribute virtual
machine images across workload domains in the Software-Defined Data Center instances.
Images Images
Image mappings can consume both private images and public cloud images, such as Amazon
Machine Images (AMIs) on Amazon Web Services, or Azure Images (VHD or VHDX) on Microsoft
Azure. Cloud Assembly automatically performs private image collection every 24 hours, or you
can manually trigger a synchronization. Synchronization is disabled during an image enumeration
and for 10 minutes after the completion of the last image enumeration.
Figure 2-19. Image Mapping and Cloud Template Consumption Across Clouds
type: Cloud.Machine
properties:
image: '${input.operatingSystem}'
flavor: '${input.nodeSize}'
count: '${input.nodeCount}'
constraints:
- tag: '${input.targetCloud}'
- tag: '${input.targetRegion}'
image: ubuntu-server-1804-lts
Workload Domain
Content Libraries
Publisher Subscriber
us-west-1 us-west-2
us-west-2 us-west-1
OVA OVA OVA OVA
AMIs in AMIs in
us-east-1 us-east-2 us-east-2 us-east-1
VHD in VHD in
East US 1 East US 2 East US 2 East US 1
When you build, deploy, and iterate a cloud template, you pick an available image that best fits
your requirements.
Table 2-157. Design Decisions on Image Mappings for Cloud Assembly in vRealize Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-049 Use the Open Virtual Provides a simple, You must use OVFTool,
Format (OVF) images standardized, and portable PowerCLI or third-party
packaged in the Open file format for all virtual solutions, for example,
Virtual Appliance (OVA) machine images that can HashiCorp Packer, to export
format for the VMware be replicated by the or generate virtual machines
Cloud Foundation cloud vSphere Content Library in the OVA format.
accounts. and natively consumed by If necessary, native vSphere
vRealize Automation. templates can be used
instead of OVA images.
Templates can be imported
to the vSphere Content
Library for distribution.
SDDC-COM-CA-050 Use the vSphere Content n The vSphere Content n The vSphere Content
Library to synchronize Library is built into Library permissions are
virtual machine images vSphere and meets all connected to global
across workload domains the requirements to permissions in the
and regions for the synchronize virtual permissions hierarchy.
VMware Cloud Foundation machine images across To allow Cloud Assembly
cloud accounts. multiple regions in a to synchronize and use
Software-Defined Data images in the Content
Center. Library, the user and role
n vRealize Automation must be applied at the
can consume Open global permissions level.
Virtual Format images n You must provide
from the vSphere storage space in each
Content Library for a region for images.
cloud account. n You must ensure that the
service account used for
the cloud account for
vCenter Server has the
minimum required
permissions to consume
images from the vSphere
Content Library.
n You must ensure that the
number, size, and
structure of the OVA
images are kept within
the vSphere Content
Library configuration
maximums.
n You must ensure HTTPS
communications
between all workload
domain vCenter Server
instances.
Table 2-157. Design Decisions on Image Mappings for Cloud Assembly in vRealize Automation
(continued)
Decision ID Design Decision Design Justification Design Implication
n Deployment of OVF-
based machine images
from the vSphere
Content Library might be
slower than cloning of
native vSphere
templates.
SDDC-COM-CA-051 Create standardized image You can create a simple You must publish and
mappings based on similar taxonomy to map images communicate the image-
operating systems, to cloud templates. mapping standards and
functional deployment updates to cloud template
intent, and cloud zone developers.
availability.
SDDC-COM-CA-052 For each image in an image Refines the image selection You must manage multiple
mapping, add a constraint in an image mapping by images in each region based
tag, if applicable. matching constraints. on the use of constraint tags
For example, you can in your organization.
specify a provider as the
constraint tag
provider:rainpole on one
image, and the constraint
tag provider:marketplace on
another image within the
same image mapping.
During a cloud template
provisioning, you can pass
the provider:rainpole
constraint tag to ensure
that the deployment
selects a corporate image.
Network profile capability tags define a group of networks and workload-specific network
characteristics that are available for a cloud account in a particular region. Network profile
capability tags are matched to cloud template constraint tags during provisioning. Capability tags
are applied to all networks in the network profile.
Network profiles can match the key:value constraint pair in a cloud template network
configuration. If a network profile is enabled for a public IP address, only networks that match
networkType:public are matched during the deployment process.
You can use network policies within a network profile to define network settings, such as private
or public networks, on-demand networks, and security groups generation. For example, you can
create an on-demand network for each deployment using an NSX transport zone or a public
cloud network domain. The existing public and private networks within the network profile are
used as the underlying or upstream networks. You can match network type tags with cloud
template constraints to place the deployed workload in a specific network.
n Name: n cloud:private
subnet-19h4ud4 n region:sfo
n CIDR: n network:db
172.11.30.0/24 n env:prod
n Name: n cloud:private
subnet-89d738j5 n region:lax
n CIDR: n network:app
172.21.20.0/24 n env:prod
n Name: n cloud:private
subnet-19jd8yt4 n region:lax
n CIDR: n network:db
172.21.30.0/24 n env:prod
Note The scope of this design includes only VMware Cloud Foundation. Examples include both
private and public cloud network profiles for Cloud Assembly in a multi-cloud context.
Table 2-159. Design Decisions on Network Profiles for Cloud Assembly in vRealize Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-053 For each account or region, You can add networks with You must manage network
add one or more network predefined characteristics profiles for each account or
profiles based on network that can be consumed region.
characteristics available for during a deployment
consumption. process.
SDDC-COM-CA-054 For each network in a You use capability tags to You must manage capability
network profile, add one or manage the workload tagging on each network
more capability tags. network placement logic profile for workflow
during the deployment placement selection during a
process. deployment process.
Storage Profiles
A storage profile in Cloud Assembly describes cloud-specific storage on which workloads can be
deployed based on a set of characteristics.
Storage profiles are organized under cloud-specific regions. An on-premises VMware Cloud
Foundation cloud account can have a single region, for example, sfo, with multiple storage
profiles. A public cloud account, such as Amazon Web Services, can have multiple regions, for
example, AWS us-east-1 and us-west-1, with multiple storage profiles for each region.
Storage profiles include cloud-specific configurations and a means to identify the type of storage
by capability tags. Tags are then matched against the provisioning service request constraints to
create the required storage at deployment time. You can also specify if a profile should be used
as the default for an account/region.
Note The scope of this design includes VMware Cloud Foundation. Examples include both
private and public cloud storage profiles for Cloud Assembly in a multi-cloud context.
A cloud-independent placement is supported. For example, different cloud storage might have
different performance characteristics but still be considered for deployment based on capability
tags. For example, a platform can have two different vendor accounts and a region. A storage
profile for each region is tagged with a tier:platinum constraint. During provisioning, a request
containing a tier:platinum:hard tag for a hard constraint looks for a matching capability,
regardless of the cloud vendor. A match then applies the settings from the associated storage
profile during the creation of the deployed storage item.
Table 2-161. Design Decisions on Storage Profiles for Cloud Assembly in vRealize Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-055 For each account or region, You can add storage with You must manage storage
add one or more storage defined characteristics that profiles for each account/
profiles based on storage can be consumed during a region as storage is added,
characteristics available for deployment process. removed, and updated in a
consumption. cloud environment.
SDDC-COM-CA-056 For each storage profile, You use capability tags to You must manage capability
add one or more capability manage the workload tagging on each storage
tags. storage placement logic profile for the workflow
during the deployment placement logic during a
process. deployment process.
Cloud Assembly uses the vRealize Orchestrator integration to import and link workflows to a
subscription. You can create, modify, and delete workflows by using the vRealize Orchestrator
client. Workflows are maintained on the vRealize Orchestrator server instance.
Cloud Assembly supports the integration of multiple vRealize Orchestrator instances that can be
used in workflow subscriptions. You can manage which vRealize Orchestrator integration is used
in workflow subscriptions by using project extensibility constraints and capability tags.
With both soft and hard extensibility constraints on a project, you can manage which vRealize
Orchestrator integrations are used in cloud template provisioning for the project. Capability tags
are also used to manage which vRealize Orchestrator integrations are used in workflow
subscriptions.
For example, when you deploy a cloud template, Cloud Assembly uses the capability tags,
associated with a cloud account, for example, cloud:private and region:sfo, to manage what
vRealize Orchestrator integrations are used in workflow subscriptions.
The use of workflows and event subscriptions is not in the scope of this design. The design for
vRealize Orchestrator is in the scope of the design. See vRealize Orchestrator Design for vRealize
Automation.
For information about integrating your vRealize Orchestrator workflows into the provisioning life
cycle, see the vRealize Automation documentation.
Actions Extensibility
To automate extensibility actions, you can use lightweight action-based extensibility code within
Cloud Assembly. To extend your application life cycle, you can assign an extensibility action to a
Cloud Assembly subscription.
Action-based extensibility (ABX) provides a lightweight and flexible runtime where you can
define small scriptable actions and configure them to initiate during particular events provided
through the Event Broker Service (EBS). ABX supports Node.js, Python, and PowerShell runtime
environments.
You can create or import extensibility action scripts in Cloud Assembly and assign them to
subscriptions. Similarly to workflows, the extensibility action script triggers when an event
included in an extensibility subscription occurs. Extensibility action scripts are used for
lightweight integrations and customizations. ABX is a function as a service (FaaS) natively
through an on-premises vRealize Automation provider or a public cloud provider, such as
Amazon Web Services Lambda or Microsoft Azure Functions. ABX is an alternative method to
using workflows that are hosted on-premises using a vRealize Orchestrator server.
You can create extensibility actions by either writing a user-defined action script code or
importing a predefined script code as a ZIP package.
Action-based extensibility and the use of event subscription are not in the scope of the design.
For information about integrating ABX into the provisioning life cycle, see the vRealize
Automation documentation.
Table 2-162. Design Decisions on Action-Based Extensibility for Cloud Assembly in vRealize
Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-057 Use the embedded on- You can use the native The use of action-based
premises functions-as-a- vRealize Automation extensibility requires the
service provider in vRealize functions-as-a-service vRealize Automation
Automation for action- provider for the execution instance to have outbound
based extensibility. of lightweight actions access to the Internet to pull
through event container images from
subscriptions without the publicly available Internet
requirement for a public repositories, for example, to
cloud account provider, resolve any dependencies
such as Amazon Web included in the actions.
Services Lambda or If vRealize Automation is
Microsoft Azure Functions. deployed on an isolated
network that does not allow
outbound traffic to the
Internet, an HTTP proxy
must be configured and
applied using the vracli
proxy command option.
Service Broker has two service roles assigned from the corporate identity and access
management. You assign the service roles to designated enterprise groups, synchronized from
your corporate identity source through the cross-region Workspace ONE Access deployment.
Table 2-163. Service Role Assignments for Service Broker in vRealize Automation
Role Description Example Enterprise Group
For information about the service role design decisions on the vRealize Automation Service
Broker service, see Identity Management Design for vRealize Automation.
Catalog content sources can include cloud templates, actions, and workflows. Content sources
are entitled to projects. Projects link a set of users, that is, project members, with one or more
target cloud zone regions or datastores.
When users request a catalog item, the deployment location depends on the project. Projects
might have one or more cloud zones.
You create content sources in Service Broker to import certain content types into the catalog.
By default, content items are refreshed every six hours. Any released changes in an item from
the source are reflected in the catalog after the refresh. Content can also be refreshed outside
the standard cycle by initiating an on-demand import operation.
Table 2-165. Design Decisions on Content Sources for Service Broker in vRealize Automation
Decision ID Design Decision Design Justification Design Implication
You use the content list to view the import source and entitled projects for each item. For each
item, you can customize the catalog item icon and request form that is presented to the project
members during a request. With the icon customization, you can use non-default icons to
represent the catalog item and provide a better user experience to project members.
With the form customizations, you can add and configure elements and data validation on a
custom request form. By using input parameters, you can create useful forms and design how
the information appears at request time, how the parameter values are populated and add any
specialized constraints. Custom forms can be enabled or disabled on a per catalog item basis.
Table 2-166. Design Decisions on Content Customizations for Service Broker in vRealize
Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-061 For each shared content You can provide a n Images must not exceed
item, customize the icon meaningful visual indicator the dimension and file
based on the catalog item. on the catalog item or type size maximums.
to provide a better user n PNG format images are
experience for project not supported.
members.
SDDC-COM-CA-062 For each shared content You can create an intuitive Requires customization of
item, customize the form user experience by using request forms per catalog
based on the catalog item simple and discoverable item.
and user experience forms that capture
requirements. additional user inputs and
in-form validations.
After you create a content source and import content items, you can share the items based on
the release scope. When creating a cloud template in Cloud Assembly, you set the scope for
sharing in Service Broker. You can restrict the cloud template to be shared only within its own
project or make them available to any project in the organization.
For each project, you add released content items that are shared with project members. Items
can be added by using two methods:
Content Source A dynamic method to share all content items from the
content source. When new items are added to a content
source, each is made available in the catalog for the
members of a target project.
All Content A static method for sharing specific content items within a
project. When new items are added to the content source,
you must make them available in the catalog individually.
The content sharing method you choose depends on your organizational requirements, project
structure, and the level of control required when releasing content to the catalog.
Policies include definitions that are a set of rules or parameters for a specific use. The definition
commonly includes the scope and enforcement type. The scope of a definition determines
whether the policy is applicable to all deployments in an organization or only deployments in a
selected project.
Day-2 Actions Policy Allows you to select the actions that can be performed on
a workload post deployment.
When a project member requests a cloud template, there might be more than one policy that
applies. An enforcement type defines how multiple policies are evaluated, ranked, and, where
applicable, merged, to produce an effective policy. An effective policy produces the intended
results but is not always a specific named policy.
During the evaluation phase, Service Broker first identifies and ranks policies.
n If there are hard and soft policies, only the hard policies are considered and ranked.
n If there are only soft policies, the soft policies are ranked.
2 Policies with an organization scope are ranked higher than policies with a project scope.
3 Policies with earlier creation dates are ranked higher than policies with newer creation dates.
Post ranking, policies are evaluated to identify the merge order.
6 If a policy is incompatible with the preceding policies, this policy is discarded and marked as
ineffective.
A default organization-level policy that Organization Policy = Soft A member of project A requests a
allows the project-level policy values to n Grace period: 10 catalog item.
influence the applied values. Project B is not considered because it
n Lease: 100
is not applicable to project A
n Total Lease: 100
deployments.
Project A Policy 1 = Soft
Merged effective policy:
n Lease: 20
n Grace period: 10
n Total Lease: 50
n Lease: 20
Project B Policy 1 = Soft
n Total Lease: 100
n Lease: 10
n Total Lease: 30
Table 2-171. Design Decisions on Policies for Service Broker in vRealize Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-063 Identify and apply goals for By understanding how the For each policy type, you
your organization and each policies are processed, you must determine the
project based on the can meet organizational applicability and your
applicability of available goals without creating an organizational goals to
policy types. excessive and design policy enforcement
unmanageable number of and scope that results in the
policies. desired effective policy.
You configure a mail server in Service Broker to send outbound (SMTP) messages to users about
system events.
Table 2-172. Design Decisions on Notifications for Service Broker in vRealize Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-064 Configure Service Broker to vRealize Automation event You must configure an SMTP
use an outbound (SMTP) notifications are provided server to relay messaged
mail server to route by email for an enhanced from vRealize Automation.
notifications for system user experience.
events.
vRealize Orchestrator has two service roles assigned from identity and access management. You
assign the service roles to designated enterprise groups, synchronized from your enterprise
identity source through the cross-region Workspace ONE Access deployment.
Table 2-173. Service Role Assignments for vRealize Orchestrator in vRealize Automation
Role Description Example Enterprise Group
For information about the service role design decisions on the vRealize Orchestrator service, see
Identity Management Design for vRealize Automation.
For information about the design decisions on the vRealize Orchestrator trusted certificates, see
Certificate Management Design for vRealize Automation.
vRealize Orchestrator Plug-ins
You use vRealize Orchestrator plug-ins to access and control external services and applications.
The external technologies that you can access by using plug-ins include visualization
management tools, email systems, databases, directory services, and remote control interfaces.
vRealize Orchestrator provides a set of standard plug-ins for technologies, such as, as the
vCenter Server API.
vCenter Server Plug-in for vRealize Orchestrator
® ®
You can use the vCenter Server Plug-in for vRealize Orchestrator™ to manage multiple
Workload domain vCenter Server instances. You can create workflows that use the vCenter
Server plug-in API to automate tasks in your workload domain environment. The vCenter Server
plug-in maps the vCenter Server API to JavaScript code that you can use in workflows. The plug-
in also provides actions that perform individual vCenter Server tasks that you can include in
workflows.
The vCenter Server plug-in provides a library of standard workflows that automate vCenter
Server operations. For example, you can run workflows that create, clone, migrate, or delete
virtual machines. Before managing and running workflows on the objects in your vSphere
inventory, you must configure the vCenter Server plug-in and connect vRealize Orchestrator to
the Workload domain vCenter Server instances that you want to orchestrate.
Table 2-174. Design Decisions on vCenter Server Plug-In for vRealize Orchestrator in vRealize
Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-065 Register each Workload Required for n You cannot use per-
domain vCenter Server communication from the session authentication
instance with the embedded vRealize for vRealize Orchestrator
embedded vRealize Orchestrator to the communication to
Orchestrator instance. Do Workload domain vCenter vSphere, because
not use per session Server instances. vCenter Server does not
authentication. accept the token from
vRealize Automation and
the registration.
n When workload domains
are added or removed,
you must add or remove
the vCenter Server
instance in vRealize
Orchestrator.
n You must run the Update
a vCenter Server
Instance workflow with
new log-in properties
when the service
account password
changes during its life
cycle.
Organization Role
Service Role
A role within the vRealize Automation for the services within the cloud automation platform.
For more information about organization roles and their permissions, see the vRealize
Automation documentation.
As the cloud administrator for vRealize Automation, you establish an integration with your
enterprise directories through Workspace ONE Access which allows you to use your organization
identity source for vRealize Automation authentication.
After the integration, you can control authorization to your vRealize Automation organization and
services by assigning organization and service roles to your enterprise directory groups, such as
Active Directory security groups.
Important The use of vRealize Automation multi-tenancy is out of scope for this VMware
Validated Design. However, vRealize Automation multi-tenancy is supported with VMware Cloud
Foundation.
Assigning roles to groups is more efficient than assigning roles to individual users. As an
organization owner, you determine the members that make up your groups and what roles they
are assigned. In vRealize Automation, enterprise groups are groups that are derived from your
Workspace ONE Access connected directories and available for use in your organization. As an
organization owner, you can add and change the role assignment for an enterprise group. In this
design, enterprise groups are used to assign organization and service roles.
The Organization Owner role allows you add users and enterprise groups to your organization
and provide access to the vRealize Automation services.
For information about the service roles for the vRealize Automation services in this design, see
Service Roles Design for Cloud Assembly in vRealize Automation, Service Roles Design for
Service Broker in vRealize Automation, and Service Roles Design for vRealize Orchestrator in
vRealize Automation.
SDDC-COM-CA-067 Assign organization and Provides access You must define and
service roles to designated management and manage security groups,
enterprise groups, administration to vRealize group membership and,
synchronized from your Automation services by security controls in your
enterprise directory using enterprise security enterprise directory services
services. by using the group membership. for vRealize Automation
cross-region Workspace consumption.
ONE Access cluster
deployment.
SDDC-COM-CA-068 Create a security group in You can grant a managed You must create the security
your enterprise directory set of individuals the ability group in your enterprise
services for the to assign enterprise groups directory services.
Organization Owner to vRealize Automation
organization role, service roles.
rainpole.io\ug-vra-org-
owners, and synchronize
the group in the cross-
region Workspace ONE
Access cluster
configuration for vRealize
Automation.
SDDC-COM-CA-069 Assign the enterprise Provides the following You must maintain the life
group for organization access control features: cycle and availability of the
owners, rainpole.io\ug-vra- n Access to vRealize security group in your
org-owners, the Automation services, enterprise directory services.
Organization Owner such as Cloud
organization role. Service Assembly, are granted
roles for vRealize to a managed set of
Automation are not individuals that are
assigned to this group. members of a security
group.
n Improved accountability
and tracking
organization owner
access to vRealize
Automation.
Table 2-176. Design Decisions on Identity Management for vRealize Automation (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-070 Create a security group in Streamlines the You must create the security
your enterprise directory management of vRealize group in your enterprise
services for the Cloud Automation organization directory services.
Assembly Administrator and service roles to users.
service role, rainpole.io
\ug-vra-cloud-assembly-
admins, and synchronize
the group in the cross-
region Workspace ONE
Access cluster
configuration for vRealize
Automation.
SDDC-COM-CA-071 Assign the enterprise Provides the following You must maintain the life
group for Cloud Assembly access control features: cycle and availability of the
administrators, rainpole.io n Access to the vRealize security group in your
\ug-vra-cloud-assembly- Automation Cloud enterprise directory services.
admins, the Organization Assembly service is
Member organization role granted to a managed
and the Cloud Assembly set of individuals that
Administrator service role. are members of the
security group.
n Improved accountability
and tracking access to
the vRealize
Automation service.
SDDC-COM-CA-072 Create a security group in Streamlines the You must create the security
your corporate directory management of vRealize group in your enterprise
services for the Cloud Automation organization directory services.
Assembly User service and service roles to users.
role, rainpole.io\ug-vra-
cloud-assembly-users, and
synchronize the group in
the cross-region
Workspace ONE Access
configuration for vRealize
Automation.
Table 2-176. Design Decisions on Identity Management for vRealize Automation (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-073 Assign the enterprise Provides the following You must maintain the life
group for Cloud Assembly access control features: cycle and availability of the
users, rainpole.io\ug-vra- n Access to the vRealize security group in your
cloud-assembly-users, the Automation Cloud enterprise directory services.
Organization Member Assembly service is
organization role and the granted to a managed
Cloud Assembly User set of individuals that
service role. are members of the
security group.
n You can introduce
improved accountability
and tracking access to
the vRealize
Automation service.
SDDC-COM-CA-074 Create a security group in Streamlines the You must create the security
your enterprise directory management of vRealize group in your enterprise
services for the Service Automation organization directory services.
Broker Administrator and service roles to users.
service role, rainpole. io
\ug-vra-service-broker-
admins, and synchronize
the group in the cross-
region Workspace ONE
Access configuration for
vRealize Automation.
SDDC-COM-CA-075 Assign the enterprise Provides the following You must maintain the life
group for Service Broker access control features: cycle and availability of the
administrators, rainpole.io n Access to the vRealize security group in your
\ug-vra-service-broker- Automation Service enterprise directory services.
admins the Organization Broker service is Project Administrators must
Member organization role granted to a managed be granted the Service
and the Service Broker set of individuals that Broker Administrator
Administrator service role. are members of the service role to perform
security group. customizations to cloud
n You can introduce template icons and forms.
improved accountability However, members of this
and tracking access to role are also entitled to
the vRealize manage cloud accounts,
Automation service. cloud zones, and
integrations created by a
Cloud Assembly
Administrator.
Table 2-176. Design Decisions on Identity Management for vRealize Automation (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-076 Create a security group in Streamlines the You must create the security
your enterprise directory management of vRealize group in your enterprise
services for the Service Automation organization directory services.
Broker User service role, and service roles to users.
rainpole. io\ug-vra-
service-broker-users, and
synchronize the group in
the cross-region
Workspace ONE Access
configuration for vRealize
Automation.
SDDC-COM-CA-077 Assign the enterprise Provides the following You must maintain the life
group for Service Broker access control features: cycle and availability of the
users, rainpole.io\ug-vra- n Access to the vRealize security group in your
service-broker-users, the Automation Service enterprise directory services.
Organization Member Broker service is
organization role and the granted to a managed
Service Broker User set of individuals that
service role. are members of the
security group.
n You can introduce
improved accountability
and tracking access to
the vRealize
Automation service.
SDDC-COM-CA-078 Create a security group in Streamlines the You must create the security
your enterprise directory management of vRealize group in your enterprise
services for the Automation organization directory services.
Orchestrator and service roles to users.
Administrator service role
and synchronize the group
in the cross-region
Workspace ONE Access
configuration for vRealize
Automation.
SDDC-COM-CA-079 Assign the enterprise Provides the following You must maintain the life
group for vRealize access control features: cycle and availability of the
Orchestrator n Access to the vRealize security group in your
administrators, rainpole.io Automation enterprise directory services.
\ug-vra-orchestrator- Orchestrator service is
admins, the Organization granted to a managed
Member organization role set of individuals that
and the Orchestrator are members of the
Administrator service role. security group.
n You can introduce
improved accountability
and tracking access to
the vRealize
Automation service.
Table 2-176. Design Decisions on Identity Management for vRealize Automation (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-080 Create a security group in Streamlines the You must create the security
your enterprise directory management of vRealize group in your enterprise
services for the Automation organization directory services.
Orchestrator Workflow and service roles to users.
Designer service role,
rainpole. io\ug-vra-
orchestrator-designers,
and synchronize the group
in the cross-region
Workspace ONE Access
configuration for vRealize
Automation.
SDDC-COM-CA-081 Assign the enterprise Provides the following You must maintain the life
group for vRealize access control features: cycle and availability of the
Orchestrator workflow n Access to the vRealize security group in your
designers, rainpole.io\ug- Automation enterprise directory services.
vra-orchestrator- Orchestrator service is
designers, the granted to a managed
Organization Member set of individuals that
organization role and the are members of the
Orchestrator Workflow security group.
Designers service role. n You can introduce
improved accountability
and tracking access to
the vRealize
Automation service.
Important In an Active Directory forest, consider using a security group with a universal scope.
Add security groups with a global scope that includes service accounts and users from the
domains in the Active Directory forest.
Table 2-177. Design Decisions on Service Accounts for Cloud Assembly Cloud Accounts in
vRealize Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-082 Define a custom vCenter vRealize Automation You must maintain the
Server role, vRealize interacts with vSphere permissions required by the
Automation to vSphere using the minimum set of custom role.
Integration, for vRealize permissions that are
Automation that has the required to support the
minimum privileges cloud account.
required to support a
VMware Cloud Foundation
cloud account.
SDDC-COM-CA-083 Configure a service Provides the following You must maintain the life
account, svc-vra- access control features: cycle and availability of the
vsphere@rainpole.io, in n vRealize Automation service account in your
vCenter Server for services, such as Cloud enterprise directory services.
application-to-application Assembly, accesses
communication from vSphere with the
vRealize Automation to minimum set of
vSphere. required permissions.
n If there is a
compromised account,
the accessibility in the
destination application
remains restricted.
n You can introduce an
improved accountability
in tracking request-
response interactions
between the vRealize
Automation and the
vCenter Server
endpoint in the VMware
Cloud Foundation cloud
account.
SDDC-COM-CA-084 Assign global permissions vRealize Automation All vCenter Server instances
for the vRealize access designated must be in the same vSphere
Automation-to-vSphere workload domains with the domain.
service account, svc-vra- minimum set of permissions You must set the role for the
vsphere@rainpole.io. that are required to Management domain
support vCenter Server in vCenter Server instances to
the VMware Cloud No Access to ensure that the
Foundation cloud accounts. account cannot
For information about the communicate with the
required minimum management domain.
permissions, see the
vRealize Automation
documentation.
Table 2-177. Design Decisions on Service Accounts for Cloud Assembly Cloud Accounts in
vRealize Automation (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-085 Configure a service Provides the following You must maintain the life
account, svc-vra- access control features: cycle and availability of the
nsx@rainpole.io, in NSX-T n vRealize Automation service account in your
Manager for application-to- services, such as Cloud enterprise directory services.
application communication Assembly, accesses
from vRealize Automation NSX-T Data Center with
to NSX-T Data Center. the minimum set of
required permission.
n If there is a
compromised account,
the accessibility in the
destination application
remains restricted.
n You can introduce an
improved accountability
in tracking request-
response interactions
between the vRealize
Automation and the
SDDC cloud account.
SDDC-COM-CA-086 Assign the Enterprise vRealize Automation You must configure and
Admins role to the vRealize accesses designated manage the integration of
Automation-to-NSX-T workload domains with the Workspace ONE Access
service account, svc-vra- minimum set of permissions with NSX-T Data Center.
nsx@rainpole.io, to the that are required to
NSX-T Manager for each support NSX-T Data Center
workload domain. in the VMware Cloud
Foundation cloud accounts.
For information about the
required minimum
permissions, see the
vRealize Automation
documentation.
Table 2-178. Design Decisions on Service Accounts for Cloud Assembly Integrations in vRealize
Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-087 Configure a service Provides the following You must maintain the life
account, svc-vra- access control features: cycle and availability of the
vcf@rainpole.io, in each n vRealize Automation service account in your
SDDC Manager instance for services access SDDC enterprise directory services.
each VMware Cloud Manager instances with
Foundation instance. The the minimum set of
service account is used for required permissions.
application-to-application n If there is a
communication from compromised account,
vRealize Automation to the the accessibility in the
VMware Cloud Foundation destination application
SDDC Manager instances in remains restricted.
each region.
n You can introduce
improved accountability
in tracking request-
response interactions
between the vRealize
Automation and SDDC
Manager instances.
SDDC-COM-CA-089 Configure a service Provides the following You must maintain the life
account, svc-vra- access control features: cycle and availability of the
vrops@rainpole.io, in n vRealize Automation service account in your
vRealize Operations services access enterprise directory services.
Manager for application-to- vRealize Operations You must maintain the
application communication Manager with the synchronization and
from vRealize Automation minimum set of availability of the service
to vRealize Operations required permissions. account in Workspace ONE
Manager. Access and vRealize
n If there is a
compromised account, Operations Manager.
the accessibility in the You must use the format of
destination application user@domain@source when
remains restricted. configuring the integration
n You can introduce to use a service account
improved accountability backed by Workspace ONE
in tracking request- Access, svc-vra-
response interactions vrops@rainpole.io@Worksp
between the vRealize aceONE.
Automation and
vRealize Operations
Manager.
Table 2-179. Design Decisions on Service Accounts for vRealize Orchestrator in vRealize
Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-090 Configure a service account Provides the following You must maintain the life
in vCenter Server for access control features: cycle and availability of the
application-to-application n The vRealize service account in your
communication from the Orchestrator instance enterprise directory services.
embedded vRealize accesses the Workload
Orchestrator instance in domain vCenter Server
vRealize Automation to the instance with the
Workload domain vCenter minimum set of
Server instances in each required permissions.
region, svc-vro- n If there is a
vsphere@rainpole.io. compromised account,
the accessibility in the
destination application
remains restricted.
n You can introduce
improved accountability
in tracking request-
response interactions
between the
components of the
SDDC.
SDDC-COM-CA-091 n Add the service Allows only groups and You must maintain the
account used for users defined in the security group membership
application-to- directory services security outside of the SDDC stack to
application group to administer the ensure its membership.
communication from vRealize Orchestrator
vRealize Orchestrator instance.
to a directory services
security group,
rainpole.io\ug-vra-
orchestrator-admins.
n Add any named
administrative groups
or users to the security
group.
n In an Active Directory
forest, consider using a
security group with a
Universal scope. Add
security groups with a
Global scope that
includes service
accounts and users
from the domains in the
Active Directory forest.
Table 2-179. Design Decisions on Service Accounts for vRealize Orchestrator in vRealize
Automation (continued)
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-092 Create and apply a custom Provides the ability to limit n You must provide
vCenter Server role for the the privileges for administrator privileges
service account used to application-to-application for the custom role to
add Workload domain integration. register vRealize
vCenter Server instances to Orchestrator with
the vRealize Orchestrator vCenter Server.
configuration, vRealize Currently, your
Orchestrator to vSphere organization cannot
Integration. restrict access based on
the privileges required
by the organization
workflows on the
Workload domain
vCenter Server instance.
n You cannot integrate
vRealize Orchestrator
with VMware Cloud on
AWS SDDC instances.
Due to the restrictive
access mode on the
vCenter Server instance
in VMware Cloud on
AWS, the requirement
for administrative-level
permissions for vRealize
Orchestrator inhibits the
vCenter Server instance
registration.
SDDC-COM-CA-093 Assign global permissions Ensures that only the n All vCenter Server
for the vRealize workload domain vCenter instances must be in the
Orchestrator-to-vSphere Server instance provides same vSphere domain.
service account, svc-vro- accessible endpoints from n You must set the role for
vsphere@rainpole.io. vRealize Orchestrator. the management domain
vCenter Server instances
to No Access to ensure
that the account cannot
communicate with the
management domain.
SDDC-COM-CA-094 Rotate the root password The password for the root You must manage the
on a schedule post- user account does not password rotation schedule
deployment. expire after the initial for the root user account in
deployment. accordance with your
organization's policies and
regulatory standards, as
applicable.
SDDC-COM-CA-096 Use a SHA-2 or higher The SHA-1 algorithm is Not all certificate authorities
algorithm when signing considered less secure and support SHA-2.
certificates. has been deprecated.
You can import Workload domain vCenter Server instance SSL certificates from Certificates >
Trust Certificate in the vRealize Orchestrator HTML5-based Control Center UI at https://
vra_cluster_fqdn/vco-controlcenter.
Table 2-182. Design Decisions on Trusted Certificates for vRealize Orchestrator in vRealize
Automation
Decision ID Design Decision Design Justification Design Implication
SDDC-COM-CA-097 Import the certificate for Ensures that the certificate When Workload domains
each workload domain for each workload domain are added or removed, you
vCenter Server instance in vCenter Server instance in must add or remove the
a region to the embedded a region is trusted by the vCenter Server instance SSL
vRealize Orchestrator embedded vRealize certificate trust from the
instance in vRealize Orchestrator instance in embedded vRealize
Automation. vRealize Automation. Orchestrator instance in
vRealize Automation.