After you upgrade all VMware Cloud Director servers and the shared database, you can upgrade the NSX Manager instances that provide network services to your cloud. After that, you can upgrade the ESXi hosts and the vCenter Server instances that are registered to your VMware Cloud Director installation.

Important:

VMware Cloud Director supports only advanced edge gateways. You must convert any legacy non-advanced edge gateway to an advanced gateway. See https://kb.vmware.com/kb/66767.

Starting with version 10.1, service providers and tenants can use the VMware Cloud Director API to test connections to remote servers, and to verify the server identity as part of an SSL handshake. To protect VMware Cloud Director network connections, configure a deny list of internal hosts that are unreachable to tenants who are using the VMware Cloud Director API for connection testing. Configure the deny list after the VMware Cloud Director installation or upgrade and before granting tenants access to VMware Cloud Director. See Configure a Test Connection Denylist.

Important: After upgrading to version 10.1 and later, VMware Cloud Director always verifies certificates for any infrastructure endpoints connected to it. This is due to a change in the way VMware Cloud Director manages SSL certificates. If you do not import your certificates into VMware Cloud Director before the upgrade, the vCenter Server and NSX connections might show failed connection errors due to SSL verification issues. In this case, after upgrading, you have two options:
  1. Run the cell management tool trust-infra-certs command to import automatically all certificates into the centralized certificate store. See Import Endpoints Certificates from vSphere Resources.
  2. In the Service Provider Admin Portal UI, select each vCenter Server and NSX instance, and reenter the credentials while accepting the certificate.