After you upgrade all VMware Cloud Director servers and the shared database, you can upgrade the NSX-V Manager instances that provide network services to your cloud. After that, you can upgrade the ESXi hosts and the vCenter instances that are registered to your VMware Cloud Director installation.

Important: VMware Cloud Director supports only advanced edge gateways. You must convert any legacy non-advanced edge gateway to an advanced gateway. See https://kb.vmware.com/kb/66767.

Service providers, sub-providers, and tenants can use the VMware Cloud Director API to test connections to remote servers, and to verify the server identity as part of an SSL handshake. To protect VMware Cloud Director network connections, configure a deny list of internal hosts that must be unreachable to tenants who use the VMware Cloud Director API for connection testing. Configure the deny list after the VMware Cloud Director installation or upgrade and before you grant tenants access to VMware Cloud Director. See Configure a Test Connection Denylist.
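Before granting tenants access, it helps to audit a planned deny list against your inventory of internal management endpoints. The following Python sketch is an added example, not VMware code. The entry format (IP address, CIDR range, or host name), the matching rules, and all sample values are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (assumed entry format; not from a real deployment).
DENYLIST = ["10.10.0.0/24", "192.168.50.7", "nsx-mgr.internal.example", "fd00:10::/64"]
INVENTORY = {
    "vcenter-01": "10.10.0.15",
    "nsx-manager": "nsx-mgr.internal.example",
    "esxi-07": "10.10.1.23",
    "vcd-db": "192.168.50.7",
    "backup-proxy": "fd00:10::2a",
    "ldap": "LDAP.internal.example",
}


def parse_denylist(entries):
    """Split entries into IP networks and normalized host names."""
    networks, names = [], set()
    for entry in entries:
        entry = entry.strip()
        try:
            # A bare address is stored as a /32 (IPv4) or /128 (IPv6) network.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.add(entry.lower().rstrip("."))
    return networks, names


def is_denied(target, networks, names):
    """Return True if an address or host name matches a deny list entry."""
    target = target.strip()
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Host names are compared by name only; no DNS lookup is done here.
        return target.lower().rstrip(".") in names
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in networks)


def uncovered(inventory, entries):
    """Names of inventory endpoints that no deny list entry covers."""
    networks, names = parse_denylist(entries)
    return sorted(n for n, t in inventory.items() if not is_denied(t, networks, names))


if __name__ == "__main__":
    print("Not covered by deny list:", uncovered(INVENTORY, DENYLIST))
```

Because the sketch matches host names by name only, an endpoint that is reachable under both a name and an address needs an entry for each.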

Important: VMware Cloud Director always verifies certificates for any infrastructure endpoints connected to it. If you do not import your certificates into VMware Cloud Director before the upgrade, the vCenter and NSX connections might show failed connection errors due to SSL verification issues. In this case, after upgrading, you have two options:
  1. Run the cell management tool trust-infra-certs command to automatically import all certificates into the centralized certificate store. See Import Endpoints Certificates from vSphere Resources.
  2. In the Service Provider Admin Portal UI, select each vCenter and NSX instance, and reenter the credentials while accepting the certificate.

To enable operations across vCenter instances where the source and destination vCenter instances are not the same, verify that the vCenter instances trust each other independently of VMware Cloud Director. To view the certificates that a vCenter instance trusts, see Explore Certificate Stores Using the vSphere Client in the VMware vSphere Product Documentation. Verify that each vCenter instance trusts the other vCenter instances that it needs to interact with. See also KB 89906.