vCloud Director can act as an HTTP proxy server between tenants and the underlying vSphere environment. With dedicated vCenter Server instances, you can use vCloud Director as a central point of management (CPOM) for your vSphere environments.

When you add a vCenter Server instance to vCloud Director, you can specify the purpose of the instance.

Dedicated vCenter Server
    The infrastructure of an attached vCenter Server instance is encapsulated as a Software-Defined Data Center (SDDC) and is fully dedicated to a single tenant. You create a dedicated vCenter Server instance by enabling the tenant access for that instance. After you enable the tenant access, you can publish a dedicated vCenter Server instance to a tenant.
Shared vCenter Server
    The provider can use different resource pools of the vCenter Server instance across multiple provider VDCs and then allocate those resource pools to different tenants. A shared vCenter Server instance cannot be published to tenants.
None
    The vCenter Server instance does not have any specific purpose.

With dedicated vCenter Server instances, you can use vCloud Director as a central point of management for all your vSphere environments.

  • You can dedicate the resources of a vCenter Server instance to a single tenant by publishing the corresponding dedicated vCenter Server only to its organization. The tenant does not share these resources with other tenants. The tenant can access this dedicated vCenter Server instance by using a UI or API proxy, without requiring a VPN.
  • You can use vCloud Director as a lightweight directory to register all your vCenter Server instances.
  • You can use vCloud Director as an API endpoint for all your vCenter Server instances.

You can enable the tenant access and mark a vCenter Server instance as dedicated, during or after the attachment of the target vCenter Server instance to vCloud Director. See Attach a vCenter Server Instance Alone or Together with an NSX Manager Instance.

With an attached vCenter Server instance, you can create either a shared vCenter Server or a dedicated vCenter Server. If you created a shared vCenter Server instance, you cannot use this vCenter Server instance to create a dedicated vCenter Server, and vice versa.

You can create proxies that tenants can use to access the underlying vSphere environment. Users can log in to the UI or API of the components with proxies by using their vCloud Director accounts.

Dedicated vCenter Server instances in vCloud Director remove the requirement for vCenter Server to be publicly accessible. To control the access, you can enable and disable the tenant access to an SDDC in vCloud Director.

A proxy is an access point to a component from an SDDC, for example, a vCenter Server instance, an ESXi host, or an NSX Manager instance. By enabling and disabling a proxy, you can allow and stop the tenant access through that proxy.

Creating and Managing Dedicated vCenter Server Instances and Proxies

To create and manage dedicated vCenter Server instances and proxies, you can use the Service Provider Admin Portal or the vCloud OpenAPI. For vCloud OpenAPI, see Getting Started with vCloud OpenAPI at https://code.vmware.com.

Important:

vCloud Director requires a direct network connection to each dedicated vCenter Server instance. If the vCenter Server instance uses an external Platform Services Controller, vCloud Director requires a direct network connection to the Platform Services Controller as well.

To use VMware OVF Tool in a proxied dedicated vCenter Server, vCloud Director requires a direct connection to each ESXi host.

  1. Create a dedicated vCenter Server instance.

    When you add a vCenter Server instance to the vCloud Director environment, you can create a dedicated vCenter Server instance by enabling the tenant access in the Add vCenter Server wizard. While attaching the vCenter Server instance, you can also create a proxy for it. See Add the vCenter Server Instance. You can enable the tenant access of vCenter Server instances that are already added to vCloud Director and do not have a specified use. See Enable the Tenant Access of an Attached vCenter Server. Enabling the tenant access makes the vCenter Server instance available to be published to tenants.

  2. Add a proxy.

    You can create a proxy either when you attach a vCenter Server instance to vCloud Director or later. If the vCenter Server instance uses an external Platform Services Controller, vCloud Director creates a proxy for the Platform Services Controller as well. With parent and child proxies, you can hide certain proxies from the tenants or you can enable and disable groups of child proxies through their parent proxies. For information on creating a proxy after you add a vCenter Server instance to vCloud Director, see Create a Proxy for a Dedicated vCenter Server.

    You can edit, enable, disable, and delete proxies from the Proxies tab under vSphere Resources. If a vCenter Server instance has more than one proxy, you can select the default proxy.
    Note: When you add a proxy to a dedicated vCenter Server instance, you must upload the certificate and the thumbprint, so that tenants can retrieve the certificate and the thumbprint if the proxied component uses self-signed certificates.

    To view and manage certificates and certificate revocation lists (CRLs), see Manage the Proxy Certificates and CRLs.

  3. Get the certificate and the thumbprint of the created proxies, and verify that the certificate and the thumbprint are present and correct. See Manage the Proxy Certificates and CRLs.
  4. Publish the dedicated vCenter Server instance to one or more organizations.

    You can publish a dedicated vCenter Server instance to a tenant and make it visible in the vCloud Director Tenant Portal. In most cases, one vCenter Server instance should be published to only one tenant. See Publish a Dedicated vCenter Server.

  5. To enable the tenants to access the dedicated vCenter Server instances and proxies from the vCloud Director Tenant Portal, you must publish the CPOM extension plug-in to their organizations. See Publish or Unpublish a Plug-in from an Organization.
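
A local check for step 3, as an added example that is not part of the VMware documentation: it recomputes the thumbprint from the PEM certificate recorded for a proxy and compares it with the recorded thumbprint, treating a missing or malformed value as a failure. The function names are hypothetical, and the thumbprint is assumed to be a SHA-1 or SHA-256 digest of the DER certificate, which this page does not state.

```python
import hashlib
import hmac
import ssl

# Hex digest length -> hash algorithm. Assumption (not stated on this page):
# the recorded thumbprint is a SHA-1 or SHA-256 digest of the DER certificate.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize_thumbprint(text):
    """Drop an optional 'label=' prefix, separators and case; return bare hex."""
    value = text.strip().split("=")[-1]
    hex_only = value.replace(":", "").replace(" ", "").lower()
    if len(hex_only) not in ALGO_BY_HEX_LEN:
        raise ValueError("thumbprint is missing or has an unexpected length")
    bytes.fromhex(hex_only)  # raises ValueError on non-hex characters
    return hex_only


def certificate_thumbprint(pem, algorithm):
    """Hash the DER form of a PEM certificate, which is what a thumbprint covers."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.new(algorithm, der).hexdigest()


def verify_proxy_certificate(pem, recorded_thumbprint):
    """Return (ok, algorithm); ok is False if a value is absent or they differ."""
    if not (pem and pem.strip() and recorded_thumbprint):
        return False, None
    try:
        recorded = normalize_thumbprint(recorded_thumbprint)
        algorithm = ALGO_BY_HEX_LEN[len(recorded)]
        computed = certificate_thumbprint(pem, algorithm)
    except ValueError:  # bad PEM armor, bad base64 or bad thumbprint text
        return False, None
    return hmac.compare_digest(computed, recorded), algorithm


# Constructed sample: arbitrary bytes in PEM armor standing in for a proxy
# certificate (the thumbprint only covers the decoded bytes, not their meaning).
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    good = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
    print(verify_proxy_certificate(SAMPLE_PEM, good))
    print(verify_proxy_certificate(SAMPLE_PEM, "00:" * 31 + "00"))
```

A mismatch means the recorded thumbprint does not belong to the recorded certificate, so tenants that pin the thumbprint of a self-signed proxied component would reject or mis-trust the connection.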