With dedicated vCenter Server instances, you can use VMware Cloud Director as a central point of management (CPOM) for your vSphere environments.

When you add a vCenter Server instance to VMware Cloud Director, you can specify the purpose of the instance.

  • Dedicated vCenter Server - The infrastructure of an attached vCenter Server instance is encapsulated as a Software-Defined Data Center (SDDC) and is fully dedicated to a single tenant. You create a dedicated vCenter Server instance by activating the tenant access for that instance. After you activate the tenant access, you can publish a dedicated vCenter Server instance to a tenant.
  • Shared vCenter Server - The provider can use different resource pools of the vCenter Server instance across multiple provider VDCs and then allocate those resource pools to different tenants. A shared vCenter Server instance cannot be published to tenants.
  • None - The vCenter Server instance does not have any specific purpose.

VMware Cloud Director can act as an HTTP proxy server for the dedicated vCenter Server instances and the vCenter Server instances that do not have a set purpose.

With dedicated vCenter Server instances, you can use VMware Cloud Director as a central point of management for all your vSphere environments.

  • You can dedicate the resources of a vCenter Server instance to a single tenant by publishing the corresponding dedicated vCenter Server only to its organization. The tenant does not share these resources with other tenants. The tenant can access this dedicated vCenter Server instance by using a UI or API proxy, without requiring a VPN.
  • You can use VMware Cloud Director as a lightweight directory to register all your vCenter Server instances.
  • You can use VMware Cloud Director as an API endpoint for all your vCenter Server instances.

You can activate the tenant access and mark a vCenter Server instance as dedicated either during or after the attachment of the target vCenter Server instance to VMware Cloud Director. See Attach a vCenter Server Instance Alone or Together with an NSX-V Manager Instance to VMware Cloud Director.

With an attached vCenter Server instance, you can create either a shared vCenter Server or a dedicated vCenter Server. If you created a shared vCenter Server instance, you cannot use this vCenter Server instance to create a dedicated vCenter Server, and the reverse.

You can create endpoints that tenants can use to access the underlying vSphere environment. The VMware Cloud Director credentials are for the proxied components that connect to vCenter Server. The vCenter Server instances have different credentials.

Dedicated vCenter Server instances in VMware Cloud Director remove the requirement for vCenter Server to be publicly accessible. To control the access, you can activate and deactivate the tenant access to an SDDC in VMware Cloud Director.

An endpoint is the access point to a component from an SDDC, for example, a vCenter Server instance, an ESXi host, or an NSX-V Manager instance. You can connect an endpoint to a proxy. By activating and deactivating a proxy, you can allow and stop the tenant access through that proxy.

Starting with VMware Cloud Director 10.2, if you use the API to query the dedicated vCenter Server and proxy entities and your tenant configuration supports multisite associations, VMware Cloud Director returns a multisite response. The results are from all available associations.

Creating and Managing Dedicated vCenter Server Instances

To create and manage dedicated vCenter Server instances and proxies, you can use the Service Provider Admin Portal or the VMware Cloud Director OpenAPI. For VMware Cloud Director OpenAPI, see Getting Started with VMware Cloud Director OpenAPI.

Important:

VMware Cloud Director requires a direct network connection to each dedicated vCenter Server instance. If the vCenter Server instance uses an external Platform Services Controller, VMware Cloud Director requires a direct network connection to the Platform Services Controller as well.

To use VMware OVF Tool in a proxied dedicated vCenter Server, VMware Cloud Director requires a direct connection to each ESXi host.

  1. Create a dedicated vCenter Server instance.

    When you add a vCenter Server instance to the VMware Cloud Director environment, you can create a dedicated vCenter Server instance by activating the tenant access in the Add vCenter Server wizard. See Add the vCenter Server Instance to VMware Cloud Director.

    Creating a dedicated vCenter Server instance also creates a default endpoint for it. While attaching the vCenter Server instance, you can also create a proxy. However, the default endpoint is not connected to any proxy by default. You must edit the default endpoint or create a new one to connect it to a proxy. See Create an Endpoint in VMware Cloud Director.

    You can activate the tenant access of vCenter Server instances that are already added to VMware Cloud Director and do not have a specified use. See Enable the Tenant Access of an Attached vCenter Server in VMware Cloud Director. Activating the tenant access makes the vCenter Server instance available to be published to tenants.

  2. Add a proxy.

    You can create a proxy either when you attach a vCenter Server instance to VMware Cloud Director or later. If the vCenter Server instance uses an external Platform Services Controller, VMware Cloud Director creates a proxy for the Platform Services Controller as well. With parent and child proxies, you can hide certain proxies from the tenants or you can activate and deactivate groups of child proxies through their parent proxies. For information on creating a proxy after you add a vCenter Server instance to VMware Cloud Director, see Add a VMware Cloud Director Proxy for Accessing the Underlying vCenter Server Resources.

    You can edit, activate, deactivate, and delete proxies from the Proxies tab under vSphere Resources.
    Note: When you add a proxy to a dedicated vCenter Server instance, you must upload the certificate and the thumbprint, so that tenants can retrieve the certificate and the thumbprint if the proxied component uses self-signed certificates.

    To view and manage certificates and certificate revocation lists (CRLs), see Manage the Proxy Certificates and CRLs in VMware Cloud Director.

  3. Get the certificate and the thumbprint of the created proxies, and verify that the certificate and the thumbprint are present and correct. See Manage the Proxy Certificates and CRLs in VMware Cloud Director.
  4. Publish the dedicated vCenter Server instance to one or more organizations.

    You can publish a dedicated vCenter Server instance to a tenant and make it visible in the VMware Cloud Director Tenant Portal. In most cases, one vCenter Server instance should be published only to one tenant. See Publish a Dedicated vCenter Server to VMware Cloud Director.

  5. To enable the tenants to access the dedicated vCenter Server instances and proxies from the VMware Cloud Director Tenant Portal, you must publish the CPOM extension plug-in to their organizations. See Publish or Unpublish a Plug-in from a VMware Cloud Director Organization.

Advanced Central Point of Management Settings

Starting with VMware Cloud Director 10.5, you can activate two advanced settings so that a vCenter Server instance can back both a provider VDC and a dedicated vCenter Server instance, and so that you can publish that dedicated vCenter Server instance to tenants. The advanced central point of management settings are deactivated by default. To access these settings, you can use the VMware Cloud Director configurations API endpoint and configuration value key.
Warning: Having a vCenter Server instance that backs both a provider VDC and a dedicated vCenter Server instance creates a risk of tenancy boundary violations. You must consider these settings thoroughly before you activate them. You can activate them for very specific use cases or for testing and proof of concept purposes.

The two configuration value keys for the advanced settings are as follows:

  • system.setting.allowVcTenantAndProviderScoped - if activated, the same vCenter Server instance can back both a provider VDC and a dedicated vCenter Server instance. If a vCenter Server instance backs both, the VMware Cloud Director UI shows the usage of the instance as empty.
    /opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n system.setting.allowVcTenantAndProviderScoped -v true_or_false
  • vcloud.sddc.allowPublishOfProviderScoped - if activated, you can publish to tenants dedicated vCenter Server instances backed by a vCenter Server instance that also backs a provider VDC. For publishing a dedicated vCenter Server instance, see Publish a Dedicated vCenter Server to VMware Cloud Director.
    /opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n vcloud.sddc.allowPublishOfProviderScoped -v true_or_false
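
The warning above, together with the certificate and thumbprint check in step 3 and the one-tenant publishing guidance in step 4, can be expressed as an inventory audit. The following is an added example, not VMware code: the record layout, the `audit` function and the sample data are assumptions and do not reflect the VMware Cloud Director API schema.

```python
# Added example, not VMware code. The record layout below is hypothetical;
# it is not the VMware Cloud Director API schema.
from dataclasses import dataclass, field

# Configuration keys named on this page; both are deactivated by default.
KEY_BOTH = "system.setting.allowVcTenantAndProviderScoped"
KEY_PUBLISH = "vcloud.sddc.allowPublishOfProviderScoped"

@dataclass
class Proxy:
    name: str
    has_certificate: bool
    has_thumbprint: bool

@dataclass
class VCenter:
    name: str
    tenant_access: bool                      # activated => dedicated
    backs_provider_vdc: bool                 # used by a provider VDC
    published_to: list = field(default_factory=list)
    proxies: list = field(default_factory=list)

def audit(settings, inventory):
    """Return (subject, finding) pairs that need a reviewer's attention."""
    findings = []
    for key in (KEY_BOTH, KEY_PUBLISH):
        if settings.get(key, False):
            findings.append((key, "advanced setting is active (default is off)"))
    for vc in inventory:
        both = vc.tenant_access and vc.backs_provider_vdc
        if both:
            findings.append((vc.name, "backs a provider VDC and a dedicated instance"))
        if both and vc.published_to:
            findings.append((vc.name, "provider-scoped instance is published to tenants"))
        if len(set(vc.published_to)) > 1:
            findings.append((vc.name, "published to more than one organization"))
        if vc.tenant_access:
            for p in vc.proxies:
                if not (p.has_certificate and p.has_thumbprint):
                    findings.append((p.name, "proxy lacks certificate or thumbprint"))
    return findings

# Constructed sample data.
SAMPLE_SETTINGS = {KEY_BOTH: True, KEY_PUBLISH: False}
SAMPLE_INVENTORY = [
    VCenter("vc-a", True, False, ["org1"], [Proxy("vc-a-proxy", True, True)]),
    VCenter("vc-b", True, True, ["org1", "org2"], [Proxy("vc-b-proxy", True, False)]),
    VCenter("vc-c", False, True),
]
```

Calling `audit(SAMPLE_SETTINGS, SAMPLE_INVENTORY)` reports the active advanced setting and four findings for `vc-b` and its proxy; `vc-a` and `vc-c` pass.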