
Introducing VMware Validated Design
Modified on 30 MAR 2021
VMware Validated Design 6.2
VMware Cloud Foundation 4.2

You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

© Copyright 2016-2021 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc. 2
Contents

About Introducing VMware Validated Design 4

1 Features of VMware Validated Design 6

2 SDDC Architecture 8

3 Design Objectives of VMware Validated Design 10

4 Workload Domains in VMware Validated Design 13

5 SDDC Deployment Flow of VMware Validated Design 18

6 Documentation Structure and Audience 31

7 Post-Deployment Documentation 37

8 SDDC Architecture Overview 38


Physical Infrastructure Layer 41
Virtual Infrastructure Layer 45
Security and Compliance Layer 52
Cloud Operations Layer 55
Cloud Automation Layer 63
Multiple Availability Zones 66

About Introducing VMware Validated Design

The Introducing VMware Validated Design document provides guidance on using the content
of VMware Validated Design™ for Software-Defined Data Center. The guide also contains a
high-level overview of the Software-Defined Data Center (SDDC) design that is supported in this
VMware Validated Design version.

Introducing VMware Validated Design includes the following information:

- Design objectives
- Deployment flow of the SDDC management components
- Document structure and purpose
- SDDC high-level overview

Intended Audience
Introducing VMware Validated Design is intended for cloud architects, infrastructure
administrators, cloud administrators, and cloud operators who want to become familiar with
VMware Validated Design to deploy and manage an SDDC that meets the requirements for
capacity and scalability.

Supported VMware Cloud Foundation Version

Introducing VMware Validated Design is compatible with VMware Cloud Foundation™ 4.2.

Required VMware Software on VMware Cloud Foundation

Introducing VMware Validated Design is compliant and validated with the product versions that are
part of the bill of materials of VMware Cloud Foundation, and with certain VMware Workspace
ONE Access and vRealize Suite product versions. For more information about supported product
versions, see the VMware Validated Design Release Notes.

Update History
This Introducing VMware Validated Design is updated with each release of the product or when
necessary.

Revision: 30 MAR 2021
Description: This release of VMware Validated Design now includes guidance on cloud operations and automation
solutions for a dual-region SDDC. See Deployment Workflow for a Multi-Region SDDC, Cloud
Operations Layer, and Cloud Automation Layer.

Revision: 09 FEB 2021
Description: Initial release.

1 Features of VMware Validated Design

Use VMware Validated Design to build a scalable Software-Defined Data Center that is based on
VMware best practices.

VMware Validated Design has the following advantages:

One path to SDDC

After you satisfy the deployment requirements, follow one consistent path to deploy an
SDDC.

VMware Validated Design provides a tested solution path with information about product
versions, networking architecture, capabilities, and limitations.

SDDC design for use in production

VMware Validated Design supports an SDDC that has the following features:

- High availability of management components
- Backup and restore of management components
- Monitoring and alerting

Validated design and deployment

The prescriptive documentation of VMware Validated Design is continuously tested by VMware.

Validation provides the following advantages to your organization:

- Validated product interoperability
- Reduced risk of deployment and operational problems
- Reduced test effort

Validated solution capabilities

- Churn rate of tenant workloads
- High availability of management components
- Operational continuity
- Design with dual-region support in mind

Fast SDDC standup

You can implement a data center without engaging in design work and product research.
After you download all SDDC products, follow the detailed design and step-by-step
instructions.

Support for latest product releases

Every version of a VMware Validated Design accommodates new product releases. If you
have deployed an SDDC according to an earlier version of a VMware Validated Design, you
can directly follow the validated design to upgrade your environment.

2 SDDC Architecture

VMware Validated Design supports an SDDC architecture according to the requirements of your
organization and the resource capabilities of your environment.

High-Level Logical Design of the SDDC

The SDDC according to VMware Validated Design contains the main services that are required
to cover provisioning of virtualized and containerized workloads, cloud operations, and cloud
automation.

Figure 2-1. Logical Design of the SDDC

[Figure: components shown are vRealize Log Insight, vRealize Suite Lifecycle Manager, vRealize Operations Manager, vRealize Automation, Workspace ONE Access, SDDC Manager, NSX-T Data Center, vCenter Server, the vSphere cluster of ESXi hosts, Active Directory, and the VMware Depot. Relationships shown include solution life cycle management, identity and access management, authentication and central user management, monitoring and log collection and analysis, workload metrics and costing, launch in context and UI integration, storing product binaries, load balancing, logical switching and logical routing, workload and network services deployment, and central management of the virtual infrastructure.]


SDDC Architecture
VMware Validated Design supports the Standard SDDC architecture of VMware Cloud
Foundation. This architecture implements a production-ready SDDC that is dual-region. Each
region includes two workload domains - management and virtual infrastructure.

For information on the workflow for deploying the SDDC, see Chapter 5 SDDC Deployment Flow
of VMware Validated Design. For information on the types and components of the workload
domains in this validated design, see Chapter 4 Workload Domains in VMware Validated Design.

3 Design Objectives of VMware Validated Design

According to the SDDC implementation type, a VMware Validated Design has objectives to
deliver prescriptive content about an SDDC that is fast to deploy and is suitable for use in
production.

Main objective:
    SDDC capable of automated provisioning of on-premises workloads, hybrid workloads, and containers.

Scope of deployment:
    Greenfield deployment of the management and workload domains of the SDDC, and incremental expansion of these domains as needed.

Cloud type:
    On-premises private cloud.

Number of regions and disaster recovery support:
    Single-region SDDC with multiple availability zones that you can potentially use as a best practice for a second VMware Cloud Foundation instance.
    Availability zones are separate low-latency, high-bandwidth connected sites. Regions have higher latency and lower bandwidth connectivity.
    The documentation provides guidance for a deployment that supports two regions for failover in the following way:
    - The design documentation provides guidance for an SDDC whose management components are designed to operate in the event of planned migration or disaster recovery.
    - The deployment documentation provides guidance for an SDDC that supports two regions for both management and tenant workloads.

Maximum number of virtual machines and churn rate:
    By using the SDDC Manager API in VMware Cloud Foundation, you can deploy a VMware vCenter Server™ appliance of a specified deployment and storage size. As a result, in this VMware Validated Design, you determine the maximum number of virtual machines in the SDDC according to a medium-size vCenter Server deployment specification or larger.
    - 4,000 running virtual machines per virtual infrastructure workload domain
    - 56,000 running virtual machines overall, distributed across 14 virtual infrastructure workload domains
    - Churn rate of 750 virtual machines per hour
    Churn rate is related to provisioning, power cycle operations, and decommissioning of one tenant virtual machine by using a blueprint in the cloud automation platform. A churn rate of 100 means that 100 tenant workloads are provisioned, pass the power cycle operations, and are deleted.

Maximum number of containers or pods:
    2,000 pods per Supervisor Cluster

Number of workload domains in a region:
    Minimum two-domain setup, with a minimum of 4 VMware ESXi™ hosts in a domain.
    The validated design requires the following workload domains for SDDC deployment:
    - Management domain. Contains the appliances of the SDDC management components.
    - One or more solution-specific workload domains for Infrastructure-as-a-Service (IaaS) and containers. Up to 14 workload domains per region.
        - Contains the tenant workloads.
        - Contains the required SDDC services to enable the solution that is deployed.
    See Chapter 4 Workload Domains in VMware Validated Design.

Shared use of components for management of workload domains:
    This VMware Validated Design uses a dedicated NSX-T Manager cluster for each workload domain.

Data center virtualization:
    Maximized workload flexibility and limited dependencies on static data center infrastructure by using compute, storage, and network virtualization.

Scope of guidance:
    - Clean deployment of the management domain, workload domains, and solutions working on top of the infrastructure in the domains.
    - Incremental expansion of the deployed infrastructure
        - In a single region
        - To additional availability zones
        - To additional regions
    - Deployment and initial setup of management components at the levels of virtualization infrastructure, identity and access management, cloud automation, and cloud operations.
    - Basic tenant operations such as creating a single Rainpole tenant, assigning tenant capacity, and configuring user access.
    - Operations on the management components of the SDDC such as monitoring and alerting, backup and restore, post-maintenance validation, disaster recovery, and upgrade.

Overall availability:
    - 99.7% management plane availability
    - Workload availability subject to specific availability requirements
    Planned downtime is expected for upgrades, patching, and on-going maintenance.

Authentication, authorization, and access control:
    - Use of Microsoft Active Directory as the identity provider.
    - Use of service accounts with least-privilege role-based access control for solution integration.

Certificate signing:
    Certificates are signed by an external certificate authority (CA) that consists of root and intermediate authority layers.

Hardening:
    Tenant workload traffic can be separated from the management traffic.

4 Workload Domains in VMware Validated Design

In VMware Validated Design, a workload domain represents a logical unit that groups ESXi hosts
managed by a vCenter Server instance with specific characteristics according to VMware SDDC
best practices.

A workload domain exists in the boundaries of an SDDC region. A region can contain one or
more domains. A workload domain cannot span multiple regions.

Each domain contains the following components:

- One VMware vCenter Server™ instance.
- At least one vSphere cluster with vSphere HA and vSphere DRS enabled. See Cluster Types.
- One vSphere Distributed Switch per cluster for system traffic, and segments in VMware NSX-T Data Center™ for workloads.
- One NSX-T Manager cluster for configuring and implementing software-defined networking.
- One NSX-T Edge cluster that connects the workloads in the domain for logical switching, logical dynamic routing, and load balancing.
- In either of the two regions in a multi-region SDDC, one NSX-T Global Manager cluster for configuring software-defined networks that span multiple regions.
- One or more shared storage allocations.

Management Domain
Contains the SDDC management components.

The management domain has the following features:

Table 4-1. Features of the Management Domain

Types of workloads:
    Management workloads and networking components for them.

Cluster types:
    Management cluster

Virtual switch type:
    - vSphere Distributed Switch for system traffic and NSX-T network segments
    - NSX-T Virtual Distributed Switch (N-VDS) on the NSX-T Edge nodes

Software-defined networking:
    NSX-T Data Center

Shared storage type:
    - VMware vSAN™ for principal storage
    - NFS for supplemental storage

Time of deployment:
    First domain to deploy during initial SDDC implementation

Deployment method:
    Deployed by VMware Cloud Builder as part of the bring-up process of VMware Cloud Foundation, except for the region-specific VMware Workspace ONE® Access™ instance. You deploy the region-specific Workspace ONE Access instance manually and connect it to the NSX-T instance for the management domain.

Table 4-2. Management Workloads for the Management Domain

Component: vCenter Server
    Cluster location: First cluster in the domain

Component: NSX-T Manager cluster
    Cluster location: First cluster in the domain

Component: NSX-T Edge cluster for north-south routing, east-west routing, and load balancing
    Cluster location: First cluster in the domain

Component: NSX-T Global Manager cluster for global networking across multiple regions
    Cluster location: First cluster in the domain

Component: Region-specific Workspace ONE Access for central role-based access control
    Cluster location: First cluster in the domain

Virtual Infrastructure Workload Domains

Contains tenant workloads that use NSX-T Data Center for logical networking. According to the
requirements of your organization, you can deploy multiple virtual infrastructure (VI) workload
domains in your environment.

A virtual infrastructure workload domain has the following features:

Table 4-3. Features of a VI Workload Domain

Types of workloads:
    Tenant workloads and networking components for them.

Cluster types:
    - Shared edge and workload cluster
    - Additional workload clusters

Virtual switch type:
    - vSphere Distributed Switch for system traffic from the management domain and for NSX-T network segments
    - N-VDS on the NSX-T Edge nodes in the workload domain

Software-defined networking:
    NSX-T Data Center

Shared storage type:
    vSAN, vVols, NFS, or VMFS on FC for principal storage

Time of deployment:
    After initial SDDC bring-up of the management domain

Deployment method:
    Deployed by SDDC Manager. For a multi-region SDDC, you deploy the NSX-T Global Manager cluster from an OVA file.

Table 4-4. Management Workloads for a VI Workload Domain

Component: vCenter Server
    Deployment location: First cluster in the management domain
    Shared between workload domains: X (not shared)

Component: NSX-T Manager cluster
    Deployment location: First cluster in the management domain. Deployed with the first VI workload domain.
    Shared between workload domains:
    - ✓ for workload domains where workloads share the same overlay transport zone cross-domain, including domains where you use vRealize Automation for workload provisioning
    - X for workload domains where workloads must be connected to domain-specific transport zones

Component: NSX-T Edge cluster for north-south and east-west routing
    Deployment location: Shared edge and workload cluster in the workload domain. Deployed with the first VI workload domain.
    Shared between workload domains:
    - ✓ for workload domains where workloads share the same overlay transport zone cross-domain, including domains where you use vRealize Automation for workload provisioning
    - X for workload domains where workloads must be connected to domain-specific transport zones

Component: NSX-T Global Manager cluster for global networking across multiple regions
    Deployment location: First cluster in the domain
    Shared between workload domains: ✓

vSphere with Tanzu Workload Domains

Contains containerized workloads that use vSphere with Tanzu for container provisioning and
NSX-T Data Center for logical networking. According to the requirements of your organization,
you can deploy multiple vSphere with Tanzu workload domains.

A vSphere with Tanzu workload domain has the following features:

Table 4-5. Features of a vSphere with Tanzu Workload Domain

Types of workloads:
    Containerized workloads and networking components for them.

Cluster types:
    - Shared edge and workload cluster
    - Additional workload clusters

Virtual switch type:
    - vSphere Distributed Switch for system traffic from the management domain and for NSX-T network segments
    - N-VDS on the NSX-T Edge nodes in the workload domain

Software-defined networking:
    NSX-T Data Center

Shared storage type:
    vSAN, vVols, NFS, or VMFS on FC for principal storage

Time of deployment:
    After initial SDDC bring-up of the management domain

Deployment method:
    You use SDDC Manager for environment validation and the vSphere Client for enabling vSphere with Tanzu.

Table 4-6. Management Workloads for a vSphere with Tanzu Workload Domain

Component: vCenter Server
    Deployment location: First cluster in the management domain
    Shared between workload domains: X (not shared)

Component: NSX-T Manager cluster
    Deployment location: First cluster in the management domain. Deployed with the first vSphere with Tanzu workload domain.
    Shared between workload domains:
    - ✓ for workload domains where workloads share the same overlay transport zone cross-domain, including domains where you use vRealize Automation for workload provisioning
    - X for workload domains where workloads must be connected to domain-specific transport zones

Component: NSX-T Edge cluster for north-south and east-west routing
    Deployment location: Shared edge and workload cluster. Deployed with the first vSphere with Tanzu workload domain.
    Shared between workload domains:
    - ✓ for workload domains where workloads share the same overlay transport zone cross-domain, including domains where you use vRealize Automation for workload provisioning
    - X for workload domains where workloads must be connected to domain-specific transport zones

Component: Supervisor Cluster
    Deployment location: Shared edge and workload cluster
    Shared between workload domains: X (not shared)

5 SDDC Deployment Flow of VMware Validated Design

The deployment of the SDDC is automated. You use VMware Cloud Builder in VMware
Cloud Foundation to deploy the SDDC management domain, SDDC Manager in VMware Cloud
Foundation® to deploy workload domains for tenant workloads, and VMware vRealize Suite
Lifecycle Manager™ in VMware Cloud Foundation mode to deploy the vRealize Suite products in
this design. You deploy SDDC management components manually only in a few cases, according
to the instructions.

In VMware Validated Design 6.2, you can deploy an SDDC in a single-region or in a dual-region
configuration. To design your SDDC in the second region (Region B), you apply the design
guidance for a single region, modifying configurations for a single region to accommodate a
dual-region setup or introducing configurations specific to a dual-region SDDC.

For more details on the deployment steps, see the VMware Validated Design documentation page.

Deployment Workflow for a Single-Region SDDC

For each region, the workflow for SDDC deployment consists of the following stages:

Figure 5-1. SDDC Deployment Workflow in a Region

[Figure: three stages. 1. Management Domain: 1.1 User installs ESXi on the domain hosts; 1.2 Cloud Builder deploys the virtual infrastructure (vSAN, vCenter Server, NSX-T Data Center) and SDDC Manager; 1.3 User deploys Region-Specific Workspace ONE Access. 2. Virtual Infrastructure Workload Domain: 2.1 User installs ESXi on the domain hosts; 2.2 SDDC Manager deploys the virtual infrastructure (vSAN, NFS, or VMFS; vCenter Server; NSX-T Data Center); 2.3 User connects Region-Specific Workspace ONE Access to the workload domain. 3. Cloud Operations and Cloud Automation Solutions: 3.1 SDDC Manager deploys vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode; 3.2 vRealize Suite Lifecycle Manager deploys the vRealize Suite products (Cross-Region Workspace ONE Access, vRealize Operations Manager, vRealize Log Insight, vRealize Automation); 3.3 SDDC Manager and user connect the vRealize Suite products to the management domain; 3.4 SDDC Manager and user connect the vRealize Suite products to the workload domain.]

Figure 5-2. SDDC Deployment Workflow with a vSphere with Tanzu Workload Domain

[Figure: three stages. 1. Management Domain: 1.1 User installs ESXi on the domain hosts; 1.2 Cloud Builder deploys the virtual infrastructure (vSAN, vCenter Server, NSX-T Data Center) and SDDC Manager; 1.3 User deploys Region-Specific Workspace ONE Access. 2. vSphere with Tanzu Workload Domain: 2.1 User installs ESXi on the domain hosts; 2.2 SDDC Manager deploys the virtual infrastructure (vSAN, NFS, or VMFS; vCenter Server; NSX-T Data Center); 2.3 User connects Region-Specific Workspace ONE Access to the workload domain; 2.4 SDDC Manager validates the environment and user enables vSphere with Tanzu. 3. Cloud Operations and Cloud Automation Solutions: 3.1 SDDC Manager deploys vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode; 3.2 vRealize Suite Lifecycle Manager deploys the vRealize Suite products (Cross-Region Workspace ONE Access, vRealize Operations Manager, vRealize Log Insight); 3.3 SDDC Manager and user connect the vRealize Suite products to the management domain; 3.4 SDDC Manager and user connect the vRealize Suite products to the workload domain.]

Table 5-1. Deployment Flow for an SDDC with a Single Region

Stage: Plan and prepare for SDDC deployment
    Prepare the data center and fill in the environment specification.
    Work with the technology team of your organization on configuring the physical servers, network, and storage in the data center. Collect the environment details and write them down in the Planning and Preparation Workbook in Microsoft® Excel® spreadsheet format (XLS).

Stage 1: Deploy the management domain of the SDDC.
    See VMware Validated Design Deployment of the Management Domain.
    Prerequisites: Prepare the deployment specification of the management domain. Download the deployment parameter workbook from My VMware and fill in the details for the management domain deployment. You can use the details from the Planning and Preparation Workbook.
    1. Prepare the environment for the management domain.
        Install and configure ESXi on the physical servers.
    2. Deploy the management domain by using VMware Cloud Builder.
        1 Prepare VMware Cloud Builder.
          Download and deploy the VMware Cloud Builder appliance from My VMware.
        2 Run the automated deployment of the management domain.
          Upload the deployment parameter workbook to VMware Cloud Builder, perform an audit of the target environment, and bring up the SDDC management domain.
          After the automated deployment is complete, in addition to the virtual infrastructure components, your environment contains SDDC Manager.
        3 Complete the initial configuration of the management domain.
          Configure SDDC Manager for managing the SDDC and enable secure access within and to the management domain.
    3. Deploy manually the region-specific Workspace ONE Access instance.
        Deploy the region-specific Workspace ONE Access instance from an OVA file by using the vSphere Client, connect it to the Active Directory domain, and connect the management domain components to the region-specific Workspace ONE Access instance.

Stage 2: Deploy a virtual infrastructure workload domain or vSphere with Tanzu workload domain.
    See VMware Validated Design Deployment of a Virtual Infrastructure Workload Domain and VMware Validated Design Deployment of a vSphere with Tanzu Workload Domain.
    1. Prepare the environment for the workload domain.
        Install and configure ESXi on the physical servers. Create a network pool for the workload domain, and upload product license keys.
    2. Run the automated deployment of the workload domain.
        1 In SDDC Manager, provide the specification of the workload domain in JSON format and initiate deployment. SDDC Manager validates the virtual infrastructure and provisions the requested virtual infrastructure.
        2 Deploy an NSX-T Edge cluster to the shared edge and workload cluster in the workload domain.
          In SDDC Manager, provide the edge deployment specification in JSON format and initiate deployment. SDDC Manager validates the virtual infrastructure and provisions the requested edge nodes.
        3 Complete the initial configuration of the workload domain.
          Enable secure access within and to the workload domain.
    3. Connect manually the region-specific Workspace ONE Access instance to the workload domain.
        Connect the management components for the workload domain to the region-specific Workspace ONE Access instance.
    4. For a vSphere with Tanzu workload domain, enable vSphere with Tanzu.
        Validate the domain configuration by using SDDC Manager and enable vSphere with Tanzu by using the vSphere Client. Then, you can deploy applications or provision Tanzu Kubernetes clusters on the initial Supervisor Cluster.

Stage 3: Deploy the solutions for cloud operations and automation.
    See VMware Validated Design Deployment of Cloud Operations and Automation.
    1. Deploy VMware vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode.
        By using SDDC Manager, download the vRealize Suite Lifecycle Manager install bundle and deploy vRealize Suite Lifecycle Manager.
        SDDC Manager provides inventory information about the management domain in vRealize Suite Lifecycle Manager. SDDC Manager also configures the NSX-T Tier-1 gateway to support the load balancer for the cross-region solutions.
    2. Deploy the solutions.
        Import the product binaries as software install bundles in SDDC Manager, synchronize them in vRealize Suite Lifecycle Manager, and deploy the solutions.
    3. Connect the solutions to the management domain.
        As a result of the integration between vRealize Suite Lifecycle Manager and SDDC Manager, vRealize Suite Lifecycle Manager calls SDDC Manager to perform the following operations during the automated deployment of the vRealize Suite products:
        - Configures the NSX-T load balancer that is required for the cross-region Workspace ONE Access instance, vRealize Operations Manager, and vRealize Automation.
        - Connects the vRealize Suite components to each other.
        - Connects VMware vRealize® Operations Manager™ and VMware vRealize® Log Insight™ to the management domain vCenter Server and the principal vSAN datastore.
        - Connects vRealize Log Insight to the NSX-T instance for the management domain.
        You connect manually the following components for the management domain:
        - vRealize Suite products to the region-specific Workspace ONE Access
        - vRealize Operations Manager to the NSX-T instance for the management domain
        - VMware vRealize® Automation™ to vRealize Operations Manager
        - NSX-T Edge nodes for the management domain and vRealize Suite Lifecycle Manager to vRealize Log Insight
    4. Connect the solutions to the workload domain.
        After you deploy vRealize Operations Manager and vRealize Log Insight, use SDDC Manager to integrate them with the virtual infrastructure of the workload domain.
        You connect manually the following components for the workload domain:
        - vRealize Operations Manager to the NSX-T instance for the workload domain
        - vRealize Automation to the workload domain vCenter Server and NSX-T instance
        - NSX-T Edge nodes for the workload domain and vRealize Suite Lifecycle Manager to vRealize Log Insight

Deployment Workflow for a Multi-Region SDDC

When you deploy an SDDC that spans two regions, you apply a staged approach for deploying
the workload domains and connecting the management and tenant workloads between the
regions.

Figure 5-3. Deployment Workflow for a Dual-Region SDDC

[Figure: Region A and Region B, following the deployment flow in a region for each. 1. Management Domains: 1.1 Management Domain in Region A; 1.2 Management Domain in Region B; 1.3 User deploys NSX-T Global Manager instances for the management domains (Active in Region A, Standby in Region B). 2. Virtual Infrastructure Workload Domains: 2.1 Virtual Infrastructure Workload Domain in Region A; 2.2 Virtual Infrastructure Workload Domain in Region B; 2.3 User deploys NSX-T Global Manager instances for the virtual infrastructure workload domains (Active in Region A, Standby in Region B). 3. Cloud Operations and Cloud Automation Solution: 3.1 vRealize Suite integration for the first region; 3.2 vRealize Suite integration for the second region.]

Table 5-2. Deployment Flow for an SDDC with Two Regions

Stage: Plan and prepare for SDDC deployment
  Steps: Prepare the data center and fill in the environment specification for both regions in the Planning and Preparation Workbook.

Stage 1: Deploy the management domain of the SDDC in each region.
  See Deployment of the Management Domain in the First Region and Deployment of the Management Domain in the Second Region.
  1. Deploy the management domain in the first region by following the workflow for a single-region SDDC.
  2. Deploy the management domain in the second region by following the workflow for a single-region SDDC.
  3. In each region, deploy an NSX-T Global Manager cluster and enable NSX-T Federation.
     a. Manually deploy an NSX-T Global Manager cluster in Region A. Because VMware Cloud Builder provides automated deployment only for NSX-T Local Manager instances, deploy each NSX-T Global Manager appliance from an OVA file. Then, connect the cluster to the management domain vCenter Server in the region and to the region-specific Workspace ONE Access instance.
     b. Enable NSX-T Federation on the NSX-T Global Manager in Region A and set it as active. Add the NSX-T Manager instance deployed for the management domain in Region A to the NSX-T Global Manager cluster and import the gateways and virtual networks created in the local NSX-T Manager during the single-region deployment. The scope of the imported network objects becomes global, that is, you can assign them to more than one location.
     c. Prepare logical network components for stretched networking for the management components between Region A and Region B. In the NSX-T Global Manager for Region A, create a cross-region Tier-1 gateway and associate it with the Tier-0 gateway for the region. Then, migrate the existing cross-region virtual network to the Tier-1 gateway.
     d. Manually deploy an NSX-T Global Manager cluster in Region B following the same high-level steps as for Region A.
     e. Add the NSX-T Manager instance for the management domain that is deployed in Region B to the NSX-T Global Manager in Region A.
     f. Complete the configuration of logical network components for stretched networking. In the NSX-T Global Manager for Region A, extend the Tier-0 gateway and the cross-region Tier-1 gateway to Region B. Create a region-specific Tier-1 gateway for Region B that is associated with the cross-region Tier-0 gateway and attach a virtual network to this Tier-1 gateway for regional connectivity.
     g. Set the NSX-T Global Manager in Region B as standby in the federation.
     h. Connect the SDDC Manager instances in the two regions by using multi-instance management. Join the SDDC Manager instance in Region B as a member of the federation that is initiated from the SDDC Manager instance in Region A.

Stage 2: Deploy the virtual infrastructure workload domain in each region.
  See Deployment of a Virtual Infrastructure Workload Domain in the First Region and Deployment of a Virtual Infrastructure Workload Domain in the Second Region.
  1. Deploy the workload domain in the first region by following the workflow for a single-region SDDC.
  2. Deploy the workload domain in the second region by following the workflow for a single-region SDDC.
  3. In each region, deploy an NSX-T Global Manager cluster and enable NSX-T Federation.
     a. Manually deploy an NSX-T Global Manager cluster in Region A. Because SDDC Manager provides automated deployment only for NSX-T Local Manager instances, deploy each NSX-T Global Manager appliance from an OVA file. Then, connect the cluster to the workload domain vCenter Server in the region and to the region-specific Workspace ONE Access instance.
     b. Enable NSX-T Federation on the NSX-T Global Manager in Region A and set it as active. Add the NSX-T Manager instance for the workload domain deployed in Region A to the NSX-T Global Manager cluster and import the gateways and virtual networks created in the local NSX-T Manager during the single-region deployment. The scope of the imported network objects becomes global, that is, you can assign them to more than one location.
     c. Prepare logical network components for stretched networking for tenant workloads between Region A and Region B. Create a configuration of Tier-1 gateways and virtual network segments according to the requirements of the tenant workloads in the workload domain. You can attach the Tier-1 gateways to the Tier-0 gateway available in the environment and plan for using the Tier-0 gateway across other regions for workload mobility.
     d. Manually deploy an NSX-T Global Manager cluster in Region B following the same high-level steps as for Region A.
     e. Add the NSX-T Manager instance deployed for the workload domain in Region B to the NSX-T Global Manager in Region A.
     f. Complete the configuration of logical network components for stretched networking according to the requirements of the tenant workloads for workload mobility. You can extend the scope of the Tier-0 gateway available in Region A to Region B.
     g. Set the NSX-T Global Manager in Region B as standby in the federation.

Stage 3: Deploy the solutions for cloud operations and automation.
  See Deployment of Cloud Operations and Automation.
  1. Deploy the management components for cloud operations and automation for the first region.
  2. Deploy additional management nodes and connect the solutions to the management and workload domains in Region B.
     a. Deploy these additional nodes in Region B by using vRealize Suite Lifecycle Manager:
        - A vRealize Operations Manager remote collector group
        - A vRealize Log Insight cluster
     b. Manually connect the solutions to the virtual infrastructure in the management and workload domains in Region B, and to the newly deployed management components in the region. Because the environment contains a single vRealize Suite Lifecycle Manager instance that you use to deploy components in both regions, the integration with SDDC Manager is available only in Region A.
        - Connect vRealize Operations Manager to vCenter Server, NSX-T Local Manager instances, and region-specific Workspace ONE Access.
        - For vRealize Log Insight in Region B, perform several types of operations:
          - Integrate vRealize Log Insight with the region-specific Workspace ONE Access and vRealize Operations Manager.
          - Connect vRealize Log Insight to vCenter Server, NSX-T Local Manager instances, and region-specific Workspace ONE Access in Region B.
          - Configure event forwarding between the vRealize Log Insight instances in the two regions.
        - Connect vRealize Automation to the SDDC Manager instance in Region B.
6 Documentation Structure and Audience

The structure of the VMware Validated Design documentation reflects the best practices in
designing and deploying a data center that is capable of automated workload provisioning. The
documentation components of the validated design are organized according to the audience and
deployment stage.

Figure 6-1. VMware Validated Design Documentation Flow

For information on the order in which you deploy the SDDC, see Chapter 5 SDDC Deployment
Flow of VMware Validated Design.


For details on the latest available documentation, see the VMware Validated Design documentation page.

Architecture Overview
The first part of a VMware Validated Design is the Architecture Overview, which introduces the terms and components in the design.

Table 6-1. Architecture Overview Information

Guide:
  - Architecture and Design for the Management Domain
  - Architecture and Design for a Virtual Infrastructure Workload Domain
  - Architecture and Design for a vSphere with Tanzu Workload Domain
  - Architecture and Design for Cloud Operations and Automation

Purpose:
  - Introduce the fundamentals and components in the SDDC design.
  - Provide information about the layered structure of the SDDC.
  - Describe the building modules and basic behavior of each management component.

Audience: Cloud architects and cloud administrators

Documentation modules:
  - Management domain
  - Virtual infrastructure workload domain
  - vSphere with Tanzu workload domain
  - Cloud operations and automation
Detailed Design
After you learn about the basic modules in the SDDC design, you proceed with the detailed design of the management components and the required infrastructure.

Table 6-2. Detailed Design Information

Guide:
  - Architecture and Design for the Management Domain
  - Architecture and Design for a Virtual Infrastructure Workload Domain
  - Architecture and Design for a vSphere with Tanzu Workload Domain
  - Architecture and Design for Cloud Operations and Automation

Purpose:
  - Provide complete details about the configuration of each layer and of the components that are a part of the layer.
  - Describe available design alternatives.
  - Provide design decisions to reflect the main design issues and the rationale behind a chosen solution path.

Audience: Cloud architects and cloud administrators

Documentation modules:
  - Management domain
  - Virtual infrastructure workload domain
  - vSphere with Tanzu workload domain
  - Cloud operations and automation
Planning and Preparation
After you understand the details of the design, you plan your environment according to the requirements of the design so that you can deploy the designed SDDC directly without additional testing and troubleshooting efforts.

Table 6-3. Planning and Preparation Information

Guide: Planning and Preparation Workbook

Purpose:
  - Collect all requirements that your environment must meet so that you can follow a VMware Validated Design to create an SDDC.
  - Provide dynamic sizing guidance for the management domain according to the scale of your environment.
  The Planning and Preparation Workbook contains prerequisites about the following areas:
  - Required compute and storage resources
  - Required software including VMware products, scripts, and third-party software
  - Network configuration including VLANs, example IP addresses, and DNS names
  - Host names
  - Virtual networks
  - Active Directory and local user configuration
  - Specifications of inventory objects

Audience: Cloud architects, infrastructure administrators, cloud administrators, and cloud operators

Documentation modules:
  - Management domain
  - Virtual infrastructure workload domain
  - vSphere with Tanzu workload domain
  - Cloud operations and automation
Deployment
After you make sure that your environment has the required structure and configuration, follow the Deployment in the First Region documentation to start the SDDC implementation in the first region.

Table 6-4. Deployment Guide Information

Guide:
  - Deployment of the Management Domain in the First Region
  - Deployment of a Virtual Infrastructure Workload Domain in the First Region
  - Deployment of a vSphere with Tanzu Workload Domain in the First Region
  - Deployment of Cloud Operations and Automation

Purpose:
  - Provide step-by-step instructions for each management component of the SDDC according to the selected design path in Detailed Design.
  - Cover the single-region setup of the SDDC.
  - Provide details about setting up the virtual infrastructure for both management and tenant workloads.
  - Provide procedures for integration of the products to form one functional system.

Audience: Cloud architects, infrastructure administrators, cloud administrators, and cloud operators

Documentation modules:
  - Management domain
  - Virtual infrastructure workload domain
  - vSphere with Tanzu workload domain
  - Cloud operations and automation
Deployment of Region B
After you make sure that your environment has the required structure and configuration, follow the Deployment in the Second Region documents to start the SDDC implementation in the second region.

Table 6-5. Deployment Guide Information

Guide:
  - Deployment of the Management Domain in the Second Region
  - Deployment of a Virtual Infrastructure Workload Domain in the Second Region
  - Deployment of Cloud Operations and Automation

Purpose:
  - Provide step-by-step instructions for each management component of the SDDC according to the selected design path in Detailed Design.
  - Cover the dual-region setup of the SDDC.
  - Provide details about setting up the virtual infrastructure for both management and tenant workloads.
  - Provide procedures for integration of the products to form one functional system.

Audience: Cloud architects, infrastructure administrators, cloud administrators, and cloud operators

SDDC Architecture: Standard SDDC

Documentation on Workload Provisioning, Maintenance, and Expansion of the SDDC
After you deploy the SDDC, follow the post-deployment documentation to operate and maintain the management workloads, or to modify or extend the SDDC. See Chapter 7 Post-Deployment Documentation.
7 Post-Deployment Documentation

VMware Validated Design provides several types of documentation for operating, maintaining, extending, and modifying a deployed SDDC. This documentation is delivered as a set of add-on packages that can be published asynchronously.

For details on the latest available documentation, see the VMware Validated Design documentation page.

Operational Guidance
The operational guidance in VMware Validated Design provides prescriptive guidance on the common operations that you perform after the SDDC implementation is completed.

Type of Guidance: According to the target operation type, each guide provides a set of step-by-step instructions organized by layer or solution. The guidance is based on the SDDC configuration in the design and deployment documentation.

Audience: Cloud architects, infrastructure administrators, cloud administrators, and cloud operators

Covered use cases:
  - Shutdown and startup of the SDDC management components.
  - Upgrade of the SDDC management components.
  - Operational verification of the SDDC management components after software maintenance such as installation, restore, upgrade, or failover.
  - Replacement of the certificates of the SDDC management components if the certificates are expiring or if you are scaling out a component.
8 SDDC Architecture Overview

SDDC layers represent aggregations of logically related functionality and operations in your
environment. In a layer, you can interchange components as part of the end solution or outcome.
If a particular component design does not fit the business or technical requirements, you can
replace it with another similar component.

Figure 8-1. SDDC Layers and Components

[Figure: the SDDC layers and their components. Cloud Automation: Service Catalog, Self-Service Portal, Orchestration. Virtual Infrastructure: Hypervisor, Pools of Resources, Virtualization Control. Physical Infrastructure: Compute, Storage, Network. Cloud Operations: Monitoring, Logging, Life Cycle Management. Business Continuity: Fault Tolerance, Backup & Restore. Security and Compliance: Identity and Access Management, Industry Regulations, Security Policies.]

Table 8-1. Layers in the SDDC

Physical Infrastructure Layer
  Consists of the compute, network, and storage components. The compute component contains the x86-based servers that run the management components, NSX-T Edge nodes, and tenant workloads. This validated design provides only some guidance about the physical capabilities that are required to implement this architecture. You select a specific type or brand of hardware according to the VMware Compatibility Guide.
  The physical infrastructure layer configuration is part of the implementation of the SDDC management domain and workload domains.

Virtual Infrastructure Layer
  Controls the access to the underlying physical infrastructure and allocates resources to the management and tenant workloads. The management workloads consist of elements in the virtual infrastructure layer itself, together with elements in the cloud operations, cloud automation, and security and compliance layers.
  The virtual infrastructure layer groups physical infrastructure in pools of resources such as workload domains and clusters. See Chapter 4 Workload Domains in VMware Validated Design.
  The virtual infrastructure layer configuration is part of the implementation of the SDDC management domain and workload domains.

Cloud Operations Layer
  Provides operations management for continuous day-to-day service delivery. Cloud operations management consists of life cycle management, monitoring, logging, and other operation types.
  The architecture of the cloud operations layer includes management components that support the main types of operations in an SDDC. You monitor the underlying physical infrastructure, and the management and tenant or containerized workloads in real time. Information is collected in the form of structured data (metrics) and unstructured data (logs). The cloud operations layer also collects data about the SDDC topology, that is, physical and virtual compute, networking, and storage resources, which are key in intelligent and dynamic operational management.
  The cloud operations layer configuration is part of the implementation of the SDDC management domain and workload domains, and of the solutions for cloud operations and automation.

Cloud Automation Layer
  Requests resources and orchestrates the actions of the lower layers from a user interface or over an API.
  The cloud automation layer configuration is part of the implementation of the SDDC solutions for cloud operations and automation.

Security and Compliance Layer
  - Incorporates security guidance from NIST 800-53 across the VMware Validated Design to establish a baseline of security.
  - Identifies and implements security best practices from setup to operations to secure your SDDC, and make it more resilient to internal and external threats.
  - Provides role-based access control by implementing an identity and access management solution which integrates with Microsoft Active Directory.


Figure 8-2. SDDC Architecture Overview

[Figure: the standard SDDC architecture and the consolidated SDDC architecture. Cloud Operations and Automation Solution Add-on: Cross-Region Workspace ONE Access, vRealize Suite Lifecycle Manager, vRealize Operations Manager, vRealize Log Insight, vRealize Automation (further solution add-ons can be layered on top). Management Domain: SDDC Manager, Region-Specific Workspace ONE Access, NSX-T, vCenter Server, Principal Storage (vSAN), ESXi. Workload Domains (one or more): vSphere with Tanzu, NSX-T (1:1 or 1:N), vCenter Server, Principal Storage (vSAN, vVols, NFS, or VMFS on FC), ESXi. The consolidated SDDC architecture uses only the management domain; the standard SDDC architecture adds workload domains.]

The SDDC layers are implemented gradually as you proceed through the implementation of the SDDC.

1 To provide the physical and virtual infrastructure, and local identity and access management
for the SDDC management components, implement the management domain.

2 To provide the physical and virtual infrastructure for the virtualized or containerized
workloads, implement one or more workload domains.

3 To operate the SDDC and deploy workloads on the workload domains, implement the
solutions for cloud operations and automation including identity and access management
for these solutions.

For information about the design and deployment of each layer at each deployment stage, see
the VMware Validated Design documentation page.

- Physical Infrastructure Layer
  The physical layer in an SDDC contains the compute, storage, and network resources in your data center.

- Virtual Infrastructure Layer
  The virtual infrastructure layer of the SDDC contains ESXi, vCenter Server, vSAN, and NSX-T Data Center that provide compute, networking, and storage resources to the management and tenant workloads.

- Security and Compliance Layer
  As part of the security and compliance layer, this design uses Workspace ONE Access to provide identity and access management to the SDDC management components. To satisfy the requirements of the management components for availability and locality, you deploy a region-specific Workspace ONE Access instance and a cross-region Workspace ONE Access instance.

- Cloud Operations Layer
  The cloud operations layer of the SDDC provides capabilities for life cycle management by using SDDC Manager in VMware Cloud Foundation and vRealize Suite Lifecycle Manager. The layer also supports performance and capacity monitoring, and log collection for the SDDC management components by using vRealize Operations Manager and vRealize Log Insight.

- Cloud Automation Layer
  By using the cloud automation layer, you provide automated workload deployment to tenants by using vRealize Automation.

- Multiple Availability Zones
  VMware Validated Design provides alternative guidance for implementing an SDDC that contains two availability zones. You configure vSAN stretched clusters in the management domain and the workload domains to create second availability zones. The SDDC continues operating during host maintenance or if a loss of one availability zone occurs.
Physical Infrastructure Layer

The physical layer in an SDDC contains the compute, storage, and network resources in your data center.

Figure 8-3. Physical Configuration of the SDDC

[Figure: pairs of ToR switches, with an external connection, in front of the management cluster (4 ESXi hosts), the shared edge and workload cluster (4 ESXi hosts), and the workload clusters (19 ESXi hosts each).]
Workload Domains
The compute, storage, and network resources are organized in workload domains. The physical
layer also includes the physical network infrastructure, and storage setup. For information on
workload domains and clusters, see Chapter 4 Workload Domains in VMware Validated Design.

Compute
The physical compute resources are delivered through ESXi, a bare-metal hypervisor that installs
directly onto your physical server. With direct access and control of underlying resources, ESXi
logically partitions hardware to consolidate applications and cut costs. ESXi is the base building
block of the Software-Defined Data Center.

Network
VMware Validated Design can use most physical network architectures. When building an SDDC, consider the following:

- Layer 2 or Layer 3 transport types. This VMware Validated Design uses a Layer 3 network architecture.
  - A Top of Rack (ToR) switch is typically located inside a rack and provides network access to the servers inside that rack.
  - An inter-rack switch at the aggregation layer provides connectivity between racks. Links between inter-rack switches are typically not required. If a link failure between an inter-rack switch and a ToR switch occurs, the routing protocol ensures that no traffic is sent to the inter-rack switch that has lost connectivity.

- Using quality of service tags for prioritized traffic handling on the network devices.

- NIC configuration on the physical servers. VMware vSphere® Distributed Switch supports several NIC teaming options. Load-based NIC teaming supports an optimal use of available bandwidth and redundancy if a link failure occurs. Use a minimum of two 10-GbE connections, with two 25-GbE connections recommended, for each ESXi host in combination with a pair of top of rack switches.

- VLAN port modes on both physical servers and network equipment. 802.1Q network trunks can support as many VLANs as required, for example, management, storage, overlay, and VMware vSphere® vMotion® traffic.

Because of these considerations for the physical network architecture, providing a robust physical network to support the physical-to-virtual network abstraction is an important requirement of network virtualization.

Regions and Availability Zones

Availability Zone

Represents the fault domain of the SDDC. Multiple availability zones can provide continuous availability of an SDDC. This VMware Validated Design supports one availability zone per region. See Multiple Availability Zones.

Region

Each region is a separate SDDC instance. You use multiple regions for disaster recovery across individual SDDC instances.

In this VMware Validated Design, regions have similar physical and virtual infrastructure design but different naming.

Table 8-2. Regions in VMware Validated Design

Region      Disaster Recovery Role    Region-Specific Domain Name
Region A    Protected                 sfo01.rainpole.io
Region B    Recovery                  lax01.rainpole.io

Storage
This VMware Validated Design provides guidance for the storage of the management components. A shared storage system not only hosts the management and tenant or container workloads, but also template repositories and backup locations. Storage within an SDDC can include either or both internal and external storage as either principal or supplemental storage. For the management domain, this validated design includes internal storage by using vSAN for principal storage and external NFS storage for supplemental storage.

Internal Storage

vSAN is a software-based distributed storage platform that combines the internal compute and storage resources of clustered VMware ESXi hosts. By using storage policies on a cluster, you configure multiple copies of the data. As a result, this data is accessible during maintenance and host outages.

External Storage

External storage provides non-vSAN storage by using NFS, iSCSI, or Fibre Channel. Different types of storage can provide different levels of SLA, ranging from just a bunch of disks (JBODs) using SATA drives with minimal to no redundancy, to fully redundant enterprise-class storage arrays.

Principal Storage

VMware vSAN™ storage is the default storage type for the SDDC management components. All design, deployment, and operational guidance is based on vSAN. Considering block or file storage technology for principal storage is out of scope of the design. These storage technologies are referenced only for specific use cases such as backups to supplemental storage.

The storage devices on vSAN ready servers provide the storage infrastructure. This validated design uses vSAN in an all-flash configuration.

For workloads in workload domains, you can use vSAN, vVols, NFS, and VMFS on FC.

Supplemental Storage

NFS storage is the supplemental storage for the SDDC management components. It provides space for archiving log data and application templates.

Supplemental storage provides additional storage for backup of the SDDC. It can use the NFS, iSCSI, or Fibre Channel technology. Different types of storage can provide different levels of SLA, ranging from JBODs with minimal to no redundancy, to fully redundant enterprise-class storage arrays. For bandwidth-intensive IP-based storage, the bandwidth of these pods can scale dynamically.

Virtual Infrastructure Layer

The virtual infrastructure layer of the SDDC contains ESXi, vCenter Server, vSAN, and NSX-T Data Center that provide compute, networking, and storage resources to the management and tenant workloads.

Cluster Types
This VMware Validated Design uses the following types of clusters:

Figure 8-4. First Cluster in the Management Domain

[Figure: the management cluster of four ESXi hosts, managed by the management domain vCenter Server, running the management workloads on vSAN over a vSphere Distributed Switch with NSX-T.]

Figure 8-5. Shared Edge and Workload Cluster in a Virtual Infrastructure Workload Domain

[Figure: the shared edge and workload cluster of four ESXi hosts, managed by the workload domain vCenter Server, running tenant workloads and NSX-T Edges on vSAN over a vSphere Distributed Switch with NSX-T (single availability zone SDDC architecture).]

First Cluster in the Management Domain

Resides in the management domain and runs the virtual machines of the components that manage the data center, such as vCenter Server, NSX-T Manager, SDDC Manager, Workspace ONE Access, VMware vRealize® Suite Lifecycle Manager™, VMware vRealize® Operations Manager™, VMware vRealize® Log Insight™, vRealize Automation, and other management components.

The first management cluster occupies half a rack.

Shared Edge and Workload Cluster

Represents the first cluster in the virtual infrastructure workload domain and runs the required NSX-T services for north-south routing between the data center and the external network, and east-west routing inside the data center. This shared cluster also hosts the tenant workloads. As you extend your environment, you must add workload-only clusters.

Workload Cluster

Resides in a virtual infrastructure workload domain and runs tenant workloads. Use workload clusters to support a mix of different types of workloads for different types of Service Level Agreements (SLAs). You can mix different types of workload clusters and provide separate compute pools for different types of SLAs.

vCenter Server Design

Figure 8-6. Layout of vCenter Server Clusters

[Figure: in each of Region A and Region B, a management cluster of ESXi hosts managed by the management domain vCenter Server, and a shared edge and workload cluster of ESXi hosts managed by the workload domain vCenter Server and running tenant workloads.]
Table 8-3. vCenter Server Design Details

vCenter Server instances
  You deploy vCenter Server instances in the following way:
  - One vCenter Server instance for the management domain.
  - One vCenter Server instance for each workload domain.
  Using this model provides the following benefits:
  - Isolation of management domain vCenter Server and workload domain vCenter Server
  - Simplified capacity planning
  - Separated upgrade
  - Separated roles

Clusters
  You distribute hosts and workloads in the following clusters:
  - First cluster in the management domain that contains all management hosts and handles resources for the management workloads.
  - Shared edge and workload cluster in each workload domain that contains tenant or container workloads, and NSX-T Edge nodes used for the workloads.

Resource pools for tenant workloads and dedicated NSX components
  On the shared edge and workload cluster in a workload domain, you use resource pools to distribute compute and storage resources to the tenant or container workloads, and the NSX-T components carrying their traffic.

Deployment model
  Each vCenter Server instance is deployed with an embedded Platform Services Controller.

Dynamic Routing and Virtual Network Segments


This VMware Validated Design supports dynamic routing for both management and tenant
and container workloads, and also introduces a model of isolated application networks for the
management components.

Virtual network segments are created on the vSphere Distributed Switch for the first cluster in
the management domain and for the shared edge and workload cluster in a workload domain.

Dynamic routing support includes the following nodes:

Figure 8-7. Dynamic Routing in a Single Region
(Figure: the Region A ToR switches, in the Region A BGP ASN, peer over BGP on Uplink VLAN 1 and Uplink VLAN 2 with the Tier-0 gateway service routers (SR) on NSX-T Edge Node 1 and Node 2, in the SDDC BGP ASN, using ECMP, optional BFD, and a default route; the Tier-0 and Tier-1 distributed routers (DR) run on the ESXi transport nodes, ESXi Host 1 to Host 4, which carry the workload VMs.)

Figure 8-8. Routing Devices for a Multi-Region SDDC

- NSX-T Edge cluster

- Tier-0 gateway with ECMP enabled for north-south routing across all regions

  You apply the no-export BGP community to all routes learned from external neighbors. Because the NSX-T SDN in the first and second regions does not have an independent path between those autonomous systems, re-advertising data center networks would give a false indication of a valid, independent path.

- Tier-1 gateway for east-west routing across all regions

- Tier-1 gateway for east-west routing in each region
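The no-export rule above, modelled as an added example that is not part of the VMware document: a small Python BGP propagation model with the two regions as separate data center autonomous systems and the two stretched Tier-0 service routers sharing one SDDC ASN. The ASNs, the 10.x data center prefixes and the router names are constructed; the 192.168.11.0/24 cross-region segment is the one from the design. Running it with and without the no-export tag shows that, without it, the Region B ToR learns the Region A prefix with the SDDC ASN in its AS path, which is the false transit path the text warns about.

```python
from dataclasses import dataclass

NO_EXPORT = "no-export"  # well-known BGP community (65535:65281)


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple          # AS_PATH as received; empty when locally originated
    communities: frozenset  # BGP communities attached to the route


class Router:
    """Minimal BGP speaker: one RIB, eBGP and iBGP peers, no-export honoured."""

    def __init__(self, name, asn, tag_external_no_export=False):
        self.name = name
        self.asn = asn
        # The design decision from the page: tag every route learned from an
        # external (eBGP) neighbour with the no-export community.
        self.tag_external_no_export = tag_external_no_export
        self.rib = {}     # prefix -> Route
        self.peers = []

    def originate(self, prefix):
        self.rib[prefix] = Route(prefix, (), frozenset())

    def peer_with(self, other):
        self.peers.append(other)
        other.peers.append(self)

    def receive(self, route, sender):
        """Install a received route; return True if the RIB changed."""
        if self.asn in route.as_path:   # eBGP loop prevention
            return False
        if route.prefix in self.rib:    # first path wins in this toy model
            return False
        communities = set(route.communities)
        if sender.asn != self.asn and self.tag_external_no_export:
            communities.add(NO_EXPORT)
        self.rib[route.prefix] = Route(route.prefix, route.as_path,
                                       frozenset(communities))
        return True

    def advertise_to(self, peer):
        """Yield the routes this router would send to one peer."""
        ebgp = peer.asn != self.asn
        for route in self.rib.values():
            if ebgp and NO_EXPORT in route.communities:
                continue  # no-export: the route never leaves the local AS
            path = (self.asn,) + route.as_path if ebgp else route.as_path
            yield Route(route.prefix, path, route.communities)


def converge(routers):
    """Exchange routes between all peers until no RIB changes."""
    changed = True
    while changed:
        changed = False
        for router in routers:
            for peer in router.peers:
                for adv in list(router.advertise_to(peer)):
                    changed |= peer.receive(adv, router)


def simulate(apply_no_export):
    """Build the page's two-region topology; return each ToR's prefix -> AS_PATH."""
    tor_a = Router("tor-a", 65001)  # Region A data center ASN (constructed)
    tor_b = Router("tor-b", 65002)  # Region B data center ASN (constructed)
    sr_a = Router("tier0-sr-a", 65100, apply_no_export)  # SDDC ASN, Region A SR
    sr_b = Router("tier0-sr-b", 65100, apply_no_export)  # SDDC ASN, Region B SR
    tor_a.originate("10.1.0.0/16")  # constructed Region A data center prefix
    tor_b.originate("10.2.0.0/16")  # constructed Region B data center prefix
    for sr in (sr_a, sr_b):
        sr.originate("192.168.11.0/24")  # cross-region segment from the design
    tor_a.peer_with(sr_a)  # eBGP over the uplink VLANs
    tor_b.peer_with(sr_b)
    sr_a.peer_with(sr_b)   # iBGP between the two service routers (no DC path)
    converge([tor_a, tor_b, sr_a, sr_b])
    return {tor.name: {p: r.as_path for p, r in tor.rib.items()}
            for tor in (tor_a, tor_b)}


def sddc_is_false_transit(apply_no_export):
    """True if either ToR learns the other region's prefix through the SDDC."""
    ribs = simulate(apply_no_export)
    return "10.1.0.0/16" in ribs["tor-b"] or "10.2.0.0/16" in ribs["tor-a"]
```

Call `simulate(False)` and `simulate(True)` to compare the two ToR routing tables; only the untagged run shows 10.1.0.0/16 on tor-b with AS path (65100, 65001).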

Virtual network segments provide support for limited access to the nodes of the applications
through published access points.

Figure 8-9. Virtual Network Segment Design
(Figure: an active/active NSX-T Edge cluster runs a Tier-0 gateway that peers over ECMP with the ToR switches toward the Internet/enterprise network and the workload domain; vCenter Server and SDDC Manager sit on the management network. A Tier-1 gateway serves the cross-region segment xreg-m01-seg01 (192.168.11.0/24), hosting vRealize Suite Lifecycle Manager, the cross-region Workspace ONE Access, vRealize Operations Manager and vRealize Automation, and the region-specific segment sfo-m01-seg01 (192.168.31.0/24), hosting the region-specific Workspace ONE Access, the vRealize Operations Manager remote collectors and vRealize Log Insight.)

- Cross-region virtual network segment that connects the components that are designed to fail over to a recovery region.

- Region-specific virtual network segment in Region A for components that are not designed to fail over.

- Region-specific application virtual network in Region B for components that are not designed to fail over.

Software-Defined Storage Design


In each region, workloads on the management cluster store their data on a vSAN datastore. The
vSAN datastore spans all four ESXi hosts of the first cluster in the management domain and of
the shared edge and workload cluster in a workload domain. Each host adds one disk group to
the datastore.

Applications store their data according to the default storage policy for vSAN.

vRealize Log Insight uses NFS exports as supplemental storage for log archiving.

Figure 8-10. Shared Storage Logical Design
(Figure: the management cluster runs virtual appliances and the shared edge and workload cluster runs the workloads of Tenant 1 to Tenant n on ESXi hosts. The management cluster has a principal datastore for management VMs and supplemental datastores for backups and logs and for templates; the shared edge and workload cluster has a principal datastore and supplemental datastores for workloads with SLA 1, SLA 2 to SLA N. Software-defined storage is vSAN, vVols, NFS, or VMFS on FC for management, and vVols, NFS, VMFS on iSCSI, and VMFS on FC for workloads, with policy-based storage management, virtualized data services and hypervisor storage abstraction over vSAN on flash disks and NAS on FC15K, FC10K and SATA disks.)

Security and Compliance Layer


As part of the security and compliance layer, this design uses Workspace ONE Access to
provide identity and access management to the SDDC management components. To satisfy the
requirements of the management components for availability and locality, you deploy a region-
specific Workspace ONE Access instance and a cross-region Workspace ONE Access instance.

Workspace ONE Access provides these services:

- Directory integration to authenticate users against existing directories such as Active Directory or LDAP.

- Addition of two-factor authentication through integration with third-party software such as RSA SecurID, Entrust, and others.

For information on the account configuration in Active Directory and local accounts, see Planning and Preparation Workbook.

Figure 8-11. Cross-Region and Region-Specific Workspace ONE Access Deployments in Region A
(Figure: in Region A, both Workspace ONE Access instances expose a user interface and a REST API and use the identity provider's directory services, e.g. AD or LDAP. The cross-region Workspace ONE Access runs as a primary and two secondary virtual appliances behind the NSX-T Data Center load balancer and serves the cross-region solutions: vRealize Suite Lifecycle Manager, vRealize Operations Manager and vRealize Automation. The region-specific Workspace ONE Access is a single virtual appliance that serves the region-specific solutions: NSX-T Data Center and vRealize Log Insight. Supporting components: Postgres; supporting infrastructure: shared storage, DNS, NTP, SMTP.)

Region-Specific Workspace ONE Access


The region-specific Workspace ONE Access instance provides identity and access management
services to regional SDDC solutions.

Figure 8-12. Logical Design of the Region-Specific Workspace ONE Access Deployment
(Figure: in each of Region A and Region B, a single region-specific Workspace ONE Access virtual appliance with a user interface and REST API integrates with the regional identity provider's directory services, e.g. AD or LDAP, uses Postgres and shared storage, DNS, NTP and SMTP, and serves NSX-T Data Center as the region-specific solution.)

Table 8-4. Design Details on Region-Specific Workspace ONE Access

Deployment model: One appliance that is connected to the Active Directory domain of the SDDC. The appliance is deployed from an OVA file.

Authenticated components:
- NSX-T Data Center
- vRealize Log Insight

Network segment: Region-specific virtual network segment. See Dynamic Routing and Virtual Network Segments.

Identity and access management setup:
- Integration with the rainpole.io Active Directory domain.
- Directory Service connection is Active Directory with Integrated Windows Authentication.

Cross-Region Workspace ONE Access


The cross-region Workspace ONE Access provides identity and access management services to
cross-region SDDC solutions.

Table 8-5. Design Details on Cross-Region Workspace ONE Access

Deployment model: A cluster of three nodes behind a load balancer. The cluster is deployed by using vRealize Suite Lifecycle Manager.

Network segment: Cross-region virtual network segment. See Dynamic Routing and Virtual Network Segments.

Authenticated components:
- vRealize Suite Lifecycle Manager
- vRealize Operations Manager
- vRealize Automation

Identity and access management setup:
- Integration with the rainpole.io Active Directory domain.
- Directory Service connection is Active Directory with Integrated Windows Authentication.

Cloud Operations Layer


The cloud operations layer of the SDDC provides capabilities for life cycle management by using
SDDC Manager in VMware Cloud Foundation and vRealize Suite Lifecycle Manager. The layer also
supports performance and capacity monitoring, and log collection for the SDDC management
components by using vRealize Operations Manager and vRealize Log Insight.


SDDC Manager
You use SDDC Manager in VMware Cloud Foundation to perform the following operations:

- Deploy virtual infrastructure workload domains and extend the virtual infrastructure of the management domain.

- Deploy the NSX-T Edge cluster for a workload domain.

- Expand a cluster with hosts and add clusters to workload domains.

- Manage the life cycle of the virtual infrastructure components in all workload domains, and of vRealize Suite Lifecycle Manager.

- Manage certificates and passwords of the SDDC management components.

Figure 8-13. Logical Design of SDDC Manager
(Figure: one SDDC Manager virtual appliance in each of Region A and Region B, accessed through a user interface and API, with Active Directory as identity source and My VMware and depot.vmware.com as external services. Each instance provides infrastructure provisioning and configuration, life cycle management, and solution and user authentication for vCenter Server, NSX-T Data Center, ESXi and vRealize Suite Lifecycle Manager within a single vCenter Single Sign-On domain. Supporting infrastructure: shared storage, DNS, NTP, certificate authority.)

Table 8-6. SDDC Manager Design Details

Deployment model: One appliance in each region that deploys virtual infrastructure workload domains, and upgrades the virtual infrastructure components in the management domain and all workload domains, and vRealize Suite Lifecycle Manager. In each region, the appliance is deployed by VMware Cloud Builder, part of VMware Cloud Foundation, during the automated deployment of the management domain.

Supported components:
- ESXi hosts in the management domain and in all workload domains
- Management domain vCenter Server and workload domain vCenter Server
- NSX-T Data Center
- vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode
- SDDC Manager as self-upgrade

Network segment: Management network

Setup for workload domain and product deployment:
- Direct integration with My VMware to access install and upgrade bundles
- Configuration with an external certificate authority for replacing the certificates of the management components in the SDDC
- Support for connecting deployed workload domains to vRealize Operations Manager and vRealize Log Insight

vRealize Suite Lifecycle Manager


vRealize Suite Lifecycle Manager provides life cycle management capabilities for vRealize
Suite components including automated deployment, configuration, and upgrade. vRealize Suite
Lifecycle Manager communicates with each management domain vCenter Server in the SDDC
to orchestrate the deployment, upgrade, and configuration drift analysis of vRealize Suite
components in the SDDC.

Starting with VMware Cloud Foundation 4.1, vRealize Suite Lifecycle Manager is deployed in
VMware Cloud Foundation mode. In this mode, vRealize Suite Lifecycle Manager and VMware
Cloud Foundation are integrated for inventory synchronization, life cycle management of the
vRealize Suite products, and workload domain integration.


Figure 8-14. Logical Design of vRealize Suite Lifecycle Manager
(Figure: vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode runs in Region A, is accessed through a user interface and REST API, uses the cross-region Workspace ONE Access for identity management and integrates with SDDC Manager. Its life cycle management endpoint is the management domain vCenter Server with shared storage. In Region A it manages vRealize Operations Manager, vRealize Log Insight, vRealize Automation and the cross-region Workspace ONE Access; in Region B it manages the vRealize Operations Manager collectors and vRealize Log Insight.)

Table 8-7. vRealize Suite Lifecycle Manager Design Details

Deployment model: One appliance that deploys and upgrades the vRealize Suite components on a virtual infrastructure that is controlled by the management domain vCenter Server. The appliance is deployed by using SDDC Manager.

Supported components:
- Cross-region Workspace ONE Access
- vRealize Operations Manager including remote collectors in Region A and Region B
- vRealize Log Insight in Region A and Region B
- vRealize Automation

Network segment: Cross-region virtual network segment. See Dynamic Routing and Virtual Network Segments.

Product installation setup:
- Direct integration with My VMware to access vRealize Suite entitlements
- In Region A, direct integration with SDDC Manager for the following operations:
  - Inventory synchronization and software bundle retrieval
  - Configuration of the load balancer for the vRealize Suite components, and of the integration between the vRealize Suite products, and between the vRealize Suite products and the management and workload domains
  In Region B, the integration with the region-specific SDDC Manager instance is not available. You must manually connect vRealize Suite Lifecycle Manager with the underlying virtual infrastructure, and the available components with the newly added product instances.
- Environments configuration that uses the product-based deployment path in the installation wizard

Table 8-8. Environment Layout in vRealize Suite Lifecycle Manager

Environment Name   Scope         Product Components
Globalenvironment  Cross-Region  Cross-region Workspace ONE Access
Cross-Region       Cross-Region  vRealize Operations Manager analytics cluster; vRealize Operations Manager remote collectors; vRealize Automation cluster nodes
Region A           Region A      vRealize Log Insight Cluster
Region B           Region B      vRealize Log Insight Cluster

vRealize Operations Manager


You use vRealize Operations Manager to monitor the management components of the SDDC
including vSphere, vSAN, NSX-T Data Center, Workspace ONE Access, and vRealize Automation.

vRealize Operations Manager is also sized to accommodate the number of tenant workloads
according to the design objectives.

Figure 8-15. Logical Design of vRealize Operations Manager
(Figure: in Region A, the vRealize Operations Manager analytics cluster, with primary, replica and Data 1 to Data n nodes behind a load balancer, is accessed through a user interface and API and uses the cross-region Workspace ONE Access for identity management. It connects private cloud accounts (vCenter Server, NSX-T Data Center) and integrations (vRealize Automation, Workspace ONE Access, vRealize Log Insight, additional solutions) through management packs, and public cloud accounts for Amazon Web Services and Microsoft Azure. A remote collector group of Remote Collector 1 and 2 in each of Region A and Region B runs the metric adapters for NSX-T Data Center, vSAN and storage devices; Region B additionally uses the Workspace ONE Access and Suite API management packs. Supporting infrastructure: shared storage, AD, DNS, NTP, SMTP.)

Table 8-9. vRealize Operations Manager Design Details

Deployment model:
- Analytics cluster of three nodes with a load balancer: primary, primary replica, and data node
- Remote collector group in each region that consists of two remote collectors that communicate with the region-specific components
The vRealize Operations Manager nodes are deployed by using vRealize Suite Lifecycle Manager.

Monitored components:
- Management domain vCenter Server and workload domain vCenter Server
- ESXi hosts in the management domain and in the workload domains
- All local components of NSX-T Data Center for the management domain and for the workload domains
- vSAN
- Workspace ONE Access
- vRealize Automation
- vRealize Log Insight including Launch in Context
- vRealize Operations Manager (self-health monitoring)

vRealize Log Insight


You use vRealize Log Insight to access the logs of the SDDC management components from a
central place and view this information in visual dashboards.

Figure 8-16. Logical Design of vRealize Log Insight
(Figure: in each of Region A and Region B, a vRealize Log Insight cluster of a primary node and Worker1, Worker2 to WorkerN behind the vSphere integrated load balancer, accessed through a user interface and API, uses the region-specific Workspace ONE Access for identity management and integrates with vRealize Operations Manager. Logging clients (NSX-T Data Center, vCenter Server, ESXi, vRealize Operations Manager, vRealize Automation, additional solutions) send logs over the ingestion API and syslog, parsed by content packs; logs are archived to an NFS export. Events are forwarded between the two regional clusters. Supporting infrastructure: shared storage, AD, DNS, NTP, SMTP.)

Table 8-10. vRealize Log Insight Design Details

Deployment model: Cluster of a primary node and two worker nodes with an integrated load balancer in each region. The vRealize Log Insight nodes are deployed by using vRealize Suite Lifecycle Manager.

Monitored components:
- Management domain vCenter Server and workload domain vCenter Server
- ESXi hosts in the management domain and in the workload domains
- All local components of NSX-T Data Center for the management domain and for the workload domains
- vSAN
- vRealize Automation
- Analytics cluster nodes of vRealize Operations Manager
- Management appliances

Archiving: Archiving location on an NFS export

Cloud Automation Layer


By using the cloud automation layer, you provide automated workload deployment to tenants by
using vRealize Automation.

Figure 8-17. Logical Design of vRealize Automation
(Figure: the vRealize Automation cluster in Region A sits behind the NSX-T Data Center load balancer, is accessed through a user interface and API, and uses the cross-region Workspace ONE Access for identity management. Integration accounts: SDDC Manager, vRealize Orchestrator, vRealize Operations Manager, My VMware. Private cloud accounts: VMware Cloud Foundation (vCenter Server and NSX-T Data Center) in Region A and Region B, and VMware Cloud on AWS. Public cloud accounts: Amazon Web Services, Microsoft Azure, Google Cloud. Additional solutions, e.g. IPAM, K8s, Terraform, Ansible, Puppet. Supporting components: Kubernetes, Docker, Postgres, FaaS, Traefik, Flannel, Fluentd, GitHub, GitLab and BitBucket; supporting infrastructure: shared storage, AD, DNS, NTP, SMTP.)

Figure 8-18. vRealize Automation Usage Model
(Figure: Rainpole User 1, a production project member, and Rainpole User 2, a development project member, access services through Service Broker. In Cloud Assembly, the production project and the development project hold tagging, images, cloud templates and extensibility; the Cloud Assembly administrator administers cloud resources and cloud zones, and the project administrators author services. Each project maps to private cloud resources: compute, network and storage.)

Table 8-11. Cloud Automation Design Details

Deployment model of vRealize Automation: A cluster of three vRealize Automation nodes with a load balancer. The cluster is deployed by using vRealize Suite Lifecycle Manager.

vRealize Automation services:
- Cloud Assembly
- Service Broker
- Orchestrator (using the embedded vRealize Orchestrator)

Network segment: Cross-region virtual network segment. See Dynamic Routing and Virtual Network Segments.

Cloud accounts:
- Workload domain vCenter Server
- Workload domain NSX-T Local Manager
Note: Deploying workloads on a workload domain by using vRealize Automation requires that you deploy an NSX-T Data Center instance for each domain.

Cloud zones: One cloud zone mapped to one region

Tagging:
- For the shared edge and workload cluster, apply tagging on the resource pools
- For workload clusters, apply tagging at the vSphere cluster

Tenants: A single tenant company called Rainpole

Workload placement setup:
- My VMware integration to download and provision blueprints from VMware Marketplace
- Flavor mappings to define the deployment sizings
- Image mappings to define the target deployment operating system and related configuration settings
- Network profiles to define the subnet and routing configuration for the provisioned virtual machines
- Storage profiles to define disk customizations and the type of storage for the provisioned workloads
- Projects to define the users that can provision workloads, the priority and cloud zone of deployments, and the maximum allowed deployment instances
- Content sources and catalogs to provide users with access to blueprints

Multiple Availability Zones


VMware Validated Design provides alternative guidance for implementing an SDDC that contains
two availability zones. You configure vSAN stretched clusters in the management domain and the
workload domains to create second availability zones. The SDDC continues operating during host
maintenance or if a loss of one availability zone occurs.

In a stretched cluster configuration, both availability zones are active. If a failure in either
availability zone occurs, the virtual machines are restarted in the operational availability zone
because virtual machine writes occur to both availability zones synchronously.

Overview of vSAN Stretched Cluster


Virtual machine write operations are performed synchronously across both availability zones.
Each availability zone has a copy of the data and witness components are placed on the witness
host in a third location in the SDDC. As a result of distance and latency requirements, multiple
availability zones are typically used in metropolitan or campus environments.

Extending the management cluster to a vSAN stretched cluster provides the following advantages:

- Increased availability with minimal downtime and data loss

- Inter-site load balancing

Using a vSAN stretched cluster for the management components has the following disadvantages:

- Increased footprint

- Symmetrical host configuration in the two availability zones

- Distance and latency requirements between the two availability zones

- Additional setup and more complex Day-2 operations

- Licensing requirements

Regions and Availability Zones


In the multi-availability zone version of the VMware Validated Design, you have two availability
zones in Region A.

Region    Availability Zone    Identifier  Region-Specific Domain Name
Region A  Availability Zone 1  SFO01       sfo.rainpole.io
Region A  Availability Zone 2  SFO02       sfo.rainpole.io
Region B                       LAX01       lax01.rainpole.io

Physical Infrastructure
You must use homogenous physical servers between availability zones. You replicate the hosts
for the first cluster in the management domain and shared edge and workload cluster in a
workload domain, and you place them in the same rack.

Figure 8-19. Infrastructure Architecture for Multiple Availability Zones
(Figure: in Region A, Availability Zone 1 and Availability Zone 2 each have a pair of ToR switches with an external connection, a stretched management cluster of 4 ESXi hosts and a stretched shared edge and workload cluster of 4 ESXi hosts. Region B has a pair of ToR switches with an external connection, a management cluster of 4 ESXi hosts and an edge and workload cluster of 4 ESXi hosts.)

Component Layout with Two Availability Zones


The management components of the SDDC run in Availability Zone 1. They can be migrated to
Availability Zone 2 when an outage or overload occurs in Availability Zone 1.

You can start deploying the SDDC in a single availability zone configuration, and then extend the
environment with the second availability zone.

Figure 8-20. vSphere Logical Cluster Layout for Multiple Availability Zones for the Management Domain
(Figure: in Region A, the management cluster, running the management domain vCenter Server, and the shared edge and workload cluster, running the workload domain vCenter Server and tenant workloads, each span ESXi hosts in Availability Zone 1 and ESXi hosts in Availability Zone 2. In Region B, the management cluster and the shared edge and workload cluster each run on ESXi hosts in a single availability zone.)

Network Configuration
NSX-T Edge nodes connect to top of rack switches in each data center to support northbound
uplinks and route peering for SDN network advertisement. This connection is specific to the top
of rack switch that you are connected to.

Figure 8-21. Dynamic Routing in Multiple Availability Zones
(Figure: in Region A, the ToR switches of Availability Zone 1 (Region A - AZ 1 BGP ASN) and of Availability Zone 2 (Region A - AZ 2 BGP ASN) peer over eBGP, with ECMP, optional BFD and a default route, with the Tier-0 gateway service routers (SR) on NSX-T Edge Node 1 and Node 2 in the SDDC BGP ASN, across Uplink VLAN 1 and Uplink VLAN 2. The eBGP peering with Availability Zone 2 uses local preference and AS-path prepend, and its default route has a low local preference, so that Availability Zone 1 is preferred. The Tier-0 and Tier-1 distributed routers (DR) run on the ESXi transport nodes, ESXi Host 1 to Host 4, in each availability zone.)

If an outage of an availability zone occurs, vSphere HA fails over the NSX-T Edge appliances to the other availability zone. Availability Zone 2 must provide an analog of the network infrastructure to which the edge nodes are connected in Availability Zone 1.

The management network in the primary availability zone, and the Uplink 01, Uplink 02, and Edge
Overlay networks in each availability zone must be stretched to facilitate failover of the NSX-T
Edge appliances between availability zones. The Layer 3 gateway for the management and Edge
Overlay networks must be highly available across the availability zones.

The network between the availability zones should support jumbo frames and its latency must be
less than 5 ms. Use a 25-GbE connection with vSAN for best and predictable performance (IOPS)
of the environment.

Table 8-12. Networks That Are Stretched Across Availability Zones

Stretched Network                   Requires HA Layer 3 Gateway
Management for Availability Zone 1  Yes
Uplink01                            No
Uplink02                            No
Edge overlay                        Yes

Witness Appliance
When using two availability zones, deploy a vSAN witness appliance in a location that is not local
to the ESXi hosts in any of the availability zones.

VMware Validated Design uses vSAN witness traffic separation where you can use a VMkernel
adapter for vSAN witness traffic that is different from the adapter for vSAN data traffic. In this
design, you configure vSAN witness traffic in the following way:

- On each management ESXi host in both availability zones, the vSAN witness traffic is placed on the management VMkernel adapter.

- On the vSAN witness appliance, you use the same VMkernel adapter for both management and witness traffic.

Figure 8-22. vSAN Witness Network Design in the Management Domain
(Figure: the vSAN witness appliance at the witness site is connected through a physical upstream router on VLAN lax-m01-cl01-vds01-pg-mgmt. Availability Zone 1 and Availability Zone 2 each have a physical upstream router and ESXi Host 1 to Host 4, managed by the management domain vCenter Server sfo-m01-vc01.sfo.rainpole.io. Management VLANs: sfo-m01-cl01-vds01-pg-mgmt and az2_sfo-m01-cl01-vds01-pg-mgmt; vSAN VLANs: sfo-m01-cl01-vds01-pg-vsan and az2_sfo-m01-cl01-vds01-pg-vsan.)

Figure 8-23. vSAN Witness Network Design in a Virtual Infrastructure Workload Domain
(Figure: the vSAN witness appliance at the witness site is connected through a physical upstream router on VLAN lax-m01-cl01-vds01-pg-mgmt. Availability Zone 1 and Availability Zone 2 each have a physical upstream router and ESXi Host 1 to Host 4, managed by the workload domain vCenter Server sfo-w01-vc01.sfo.rainpole.io on VLAN sfo-m01-cl01-vds01-pg-mgmt. Management VLANs: sfo-w01-cl01-vds01-pg-mgmt and az2_sfo-w01-cl01-vds01-pg-mgmt; vSAN VLANs: sfo-w01-cl01-vds01-pg-vsan and az2_sfo-w01-cl01-vds01-pg-vsan.)