With VMware Cloud Director you can build secure, multi-tenant clouds by pooling virtual infrastructure resources into virtual data centers (VDCs) and exposing them to users through Web-based portals and programmatic interfaces as a fully automated, catalog-based service.

The VMware Cloud Director Service Provider Admin Guide provides information about adding resources to the system, creating and provisioning organizations, managing resources and organizations, and monitoring the system.

Service Providers, Sub-Providers, and Tenants

VMware Cloud Director 10.6 introduces the concept of the sub-providers in addition to the service providers and tenants. A sub-provider is a tenant persona that can create tenant organizations and manage them. A provider can empower a tenant organization to become a sub-provider by granting it the necessary administrative rights and a right to traverse into other organizations. Sub-provider administrators cannot grant these rights to their tenants.

If you want to change an existing tenant organization to a sub-provider organization, you must publish the Default Sub-Provider Entitlement rights bundle and the Sub-Provider Administrator role to the tenant organization, or a rights bundle and role that include an equivalent set of rights. When creating an organization, if you select the sub-provider option, VMware Cloud Director automatically publishes the Default Sub-Provider Entitlement rights bundle and the Sub-Provider Administrator role to the newly created organization.

The sub-provider administrator operates within the sub-provider organization and can perform the following operations:
  • Create organizations
  • Create, view, manage, and delete organization VDCs
  • Create, view, manage, and delete organization VDC networks
  • Switch in to organizations
  • Set up organization IdPs
  • Perform all standard tenant operations
  • Create and publish roles
  • Create and publish rights bundles
  • View external networks
  • Share and publish catalogs
  • Manage catalog subscriptions
Figure 1. Sample Greenfield Deployment
The provider manages the provider VDCs and grants resources. The sub-providers manage their organizations and the granted resources. Tenants manage their organizations and organization VDCs.
Figure 2. Sample Brownfield Deployment
A provider first grants sub-provider rights to an existing tenant. Then, the provider grants resources to the new sub-provider, and the sub-provider can start creating its own tenants.

Limitations of tenant organizations that sub-providers manage

In VMware Cloud Director 10.6, if a tenant organization is not empty, there are limitations to changing its managing organization. An organization is considered to be empty when it has no VDCs or networking resources configured.
  • You cannot reassign a tenant organization managed by the System organization to a sub-provider.
  • You cannot reassign to the System organization a tenant organization that a sub-provider manages.
  • You cannot reassign to a different sub-provider a tenant organization already managed by a sub-provider.

vSphere and NSX Resources

VMware Cloud Director relies on vSphere resources to provide CPU and memory to run virtual machines. In addition, vSphere datastores provide storage for virtual machine files and other files necessary for virtual machine operations. VMware Cloud Director also uses vSphere distributed switches, vSphere port groups, and NSX Data Center for vSphere to support virtual machine networking.

VMware Cloud Director can also use resources from NSX. For information about registering an NSX Manager instance with your cloud, see the Register an NSX Manager Instance with VMware Cloud Director topic or the VMware Cloud Director API Programming Guide for Service Providers.

You can use the underlying vSphere and NSX resources to create cloud resources.

VMware Cloud Director can act as an HTTP proxy server through which you can give organizations access to the underlying vSphere environment.

Cloud Resources

Cloud resources are an abstraction of their underlying vSphere resources. They provide the compute and memory resources for VMware Cloud Director virtual machines and vApps. A vApp is a virtual system that contains one or more individual virtual machines with parameters that define operational details. Cloud resources also provide access to storage and network connectivity.

Cloud resources include provider and organization VDCs, external networks, organization VDC networks, and network pools.

Before you can add cloud resources to VMware Cloud Director, you must add vSphere resources.

Compute Overprovisioning

The total CPU and memory reservation capacity that a provider grants cannot exceed the physical capacity of the provider VDC. However, a provider can use the CPU allocation and memory allocation limits to overprovision compute resources to sub-providers. Sub-providers can in turn overprovision CPU and memory to their tenants, but the guaranteed (reserved) capacity they hand out cannot exceed their respective grants. For example, if a provider VDC has 100 GB of physical memory, the provider can grant it to a sub-provider with an allocated memory of 200 GB and a memory reservation capacity of 50 GB. The provider overprovisions the memory allocation but limits the sub-provider's reserved memory to 50 GB. The sub-provider can create organization VDCs with a total allocated capacity of 200 GB, but the total reserved memory across all of the sub-provider's tenants cannot exceed 50 GB.
Figure 3. Sample Memory Allocation
The provider grants physical memory to the sub-providers, which allocate memory to their tenants.

CPU allocation and overprovisioning follow the same rules as memory allocation and overprovisioning.

Storage Provisioning

Providers grant provider VDC storage policies to sub-providers, and sub-providers consume the granted storage policies by publishing them to their tenant organization VDCs. Unlike CPU and memory, storage is not overprovisioned at the sub-provider level: sub-providers cannot allocate to their tenants more than their storage grant. For example, if a provider has 100 GB of storage and grants a sub-provider a storage policy with only 50 GB, the sub-provider can allocate a total of 50 GB to its tenant organization VDCs.

A provider can, however, grant more storage than is physically available. Sub-providers have no visibility into this overcommitment, because they cannot see how much physical storage exists; only the provider can track the total granted storage against the physical capacity.

Figure 4. Sample Storage Allocation
The provider grants physical storage to the sub-providers, which allocate storage to their tenants.
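The grant rules in the Compute Overprovisioning and Storage Provisioning sections above, as an added worked model. This is example code, not VMware's; the class names, the GrantError exception and the cap on a sub-provider's tenant allocations at its granted allocation are assumptions, while the reservation and storage caps are the ones the guide states.

```python
"""Capacity model for provider -> sub-provider -> tenant grants in VMware Cloud
Director. Added illustration, not VMware code: class names and the cap on tenant
allocations are assumptions; the remaining invariants are the guide's."""
from dataclasses import dataclass, field


class GrantError(ValueError):
    """A grant or allocation would break one of the invariants."""


@dataclass
class ComputeGrant:
    allocation: float   # may in total exceed physical capacity (overprovisioning)
    reservation: float  # guaranteed, so in total never exceeds physical capacity


@dataclass
class ProviderVdc:
    """One provider VDC, tracked for a single resource (for example memory in GB)."""
    physical: float
    grants: dict = field(default_factory=dict)  # sub-provider name -> ComputeGrant

    def grant(self, sub_provider: str, allocation: float, reservation: float) -> ComputeGrant:
        if reservation > allocation:
            raise GrantError("reservation cannot exceed allocation")
        reserved = sum(g.reservation for g in self.grants.values()) + reservation
        if reserved > self.physical:  # reservations are guaranteed: hard cap
            raise GrantError(f"reserving {reserved} exceeds physical {self.physical}")
        # allocation is deliberately not capped: this is where the provider overprovisions
        self.grants[sub_provider] = ComputeGrant(allocation, reservation)
        return self.grants[sub_provider]


@dataclass
class SubProviderCompute:
    grant: ComputeGrant
    tenants: dict = field(default_factory=dict)  # tenant name -> ComputeGrant

    def allocate(self, tenant: str, allocation: float, reservation: float) -> ComputeGrant:
        used_alloc = sum(t.allocation for t in self.tenants.values())
        used_res = sum(t.reservation for t in self.tenants.values())
        # assumption: a sub-provider cannot hand out more than its granted allocation
        if used_alloc + allocation > self.grant.allocation:
            raise GrantError("tenant allocations exceed the granted allocation")
        # from the guide: guaranteed capacity across all tenants never exceeds the grant
        if used_res + reservation > self.grant.reservation:
            raise GrantError("tenant reservations exceed the granted reservation")
        self.tenants[tenant] = ComputeGrant(allocation, reservation)
        return self.tenants[tenant]


@dataclass
class StoragePolicy:
    """Storage quotas. The provider may grant more than physically exists."""
    physical_gb: float
    grants: dict = field(default_factory=dict)  # sub-provider name -> quota in GB

    def grant(self, sub_provider: str, quota_gb: float) -> None:
        self.grants[sub_provider] = quota_gb  # no physical cap, on purpose

    def overcommit_ratio(self) -> float:
        """Only the provider can compute this; sub-providers never see physical_gb."""
        return sum(self.grants.values()) / self.physical_gb


@dataclass
class SubProviderStorage:
    quota_gb: float
    tenants: dict = field(default_factory=dict)  # tenant name -> GB

    def allocate(self, tenant: str, gb: float) -> None:
        if sum(self.tenants.values()) + gb > self.quota_gb:  # storage: no overprovisioning
            raise GrantError("tenant storage exceeds the granted quota")
        self.tenants[tenant] = gb


def worked_example() -> dict:
    """The guide's numbers: 100 GB physical, 200 GB allocated, 50 GB reserved."""
    pvdc = ProviderVdc(physical=100)
    sub = SubProviderCompute(pvdc.grant("sub-a", allocation=200, reservation=50))
    sub.allocate("tenant-1", allocation=120, reservation=30)
    sub.allocate("tenant-2", allocation=70, reservation=20)
    try:
        sub.allocate("tenant-3", allocation=10, reservation=1)  # would reserve 51 > 50
        compute_rejected = False
    except GrantError:
        compute_rejected = True

    policy = StoragePolicy(physical_gb=100)
    policy.grant("sub-a", 50)
    policy.grant("sub-b", 80)  # 130 GB granted on 100 GB physical: provider overcommit
    sto = SubProviderStorage(quota_gb=policy.grants["sub-a"])
    sto.allocate("tenant-1", 30)
    sto.allocate("tenant-2", 20)
    try:
        sto.allocate("tenant-3", 1)  # 51 GB > 50 GB quota
        storage_rejected = False
    except GrantError:
        storage_rejected = True

    return {
        "tenant_allocation": sum(t.allocation for t in sub.tenants.values()),
        "tenant_reservation": sum(t.reservation for t in sub.tenants.values()),
        "compute_rejected": compute_rejected,
        "storage_rejected": storage_rejected,
        "overcommit_ratio": policy.overcommit_ratio(),
    }
```

The point of keeping `overcommit_ratio` on the provider-side object only is the visibility gap the section describes: a sub-provider can enforce its own quota, but it cannot tell whether the provider has granted 130 GB on 100 GB of disk, so the provider has to watch that ratio itself.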

Dedicated vCenter Instances and Proxies

A dedicated vCenter instance is a cloud resource that encapsulates an entire vCenter installation. A dedicated vCenter instance includes one or more proxies that are access points to different components of the underlying vSphere environment. The provider can create and enable dedicated vCenter instances and proxies. The provider can publish a dedicated vCenter instance to tenants.

To create and manage dedicated vCenter instances and proxies, you can use the Service Provider Admin Portal or the vCloud OpenAPI. See Managing Dedicated vCenter Instances in VMware Cloud Director and Getting Started with VMware Cloud Director OpenAPI.

Provider Virtual Data Centers

A provider VDC combines the compute and memory resources of a single vCenter resource pool with the storage resources of one or more datastores available to that resource pool.

A provider VDC can use network resources from an NSX-V Manager instance that is associated with the vCenter instance or from an NSX Manager instance that is registered with the cloud.

You can create multiple provider VDCs for users in different geographic locations or business units, or for users with different performance requirements.

Organization Virtual Data Centers

An organization VDC provides resources to an organization and is partitioned from a provider VDC. Organization VDCs provide an environment where virtual systems can be stored, deployed, and operated. They also provide storage for virtual media, such as floppy disk and CD-ROM images.

A single organization can have multiple organization VDCs.

VMware Cloud Director Networking

VMware Cloud Director supports three types of networks.
  • External networks
  • Organization VDC networks
  • vApp networks

Some organization VDC networks and all vApp networks are backed by network pools.

External Networks

An external network is a logical, differentiated network based on a vSphere port group. Organization VDC networks can connect to external networks to provide Internet connectivity to virtual machines inside a vApp.

VMware Cloud Director supports IPv6 external networks. Whether an external network is created as IPv4 or IPv6, it can carry both IPv4 and IPv6 subnets.

By default, only System Administrators can create and manage external networks.

Organization Virtual Data Center Networks

An organization VDC network belongs to a VMware Cloud Director organization VDC and is available to all the vApps in the organization. An organization VDC network allows vApps in an organization to communicate with each other. To provide external connectivity, you can connect an organization VDC network to an external network. You can also create an isolated organization VDC network that is internal to the organization.

VMware Cloud Director supports IPv6 for direct and routed organization VDC networks.

System Administrators can create isolated VDC networks backed by an NSX logical switch. Organization Administrators can create isolated VDC networks backed by network pools.

VMware Cloud Director uses cross-VDC networking by configuring stretched networks in VDC groups.

By default, only System Administrators can create direct and cross-VDC networks. System Administrators and Organization Administrators can manage organization VDC networks, although there are some limits to what an Organization Administrator can do.

vApp Networks

A vApp network belongs to a vApp and allows virtual machines in the vApp to communicate with each other. To enable a vApp to communicate with other vApps in the organization, you can connect the vApp network to an organization VDC network. If the organization VDC network is connected to an external network, the vApp can communicate with vApps from other organizations. vApp networks are backed by network pools.

Most users with access to a vApp can create and manage their own vApp networks. For information about working with networks in a vApp, see VMware Cloud Director Sub-Provider and Tenant Guide.

Network Pools

A network pool is a group of undifferentiated networks that is available for use within an organization VDC. A network pool is backed by vSphere network resources such as VLAN IDs or port groups. VMware Cloud Director uses network pools to create NAT-routed and internal organization VDC networks and all vApp networks. Network traffic on each network in a pool is isolated at layer 2 from all other networks.

Each organization VDC in VMware Cloud Director can have one network pool. Multiple organization VDCs can share one network pool. The network pool for an organization VDC provides the networks created to satisfy the network quota for an organization VDC.

Only System Administrators can create and manage network pools.

Organizations

VMware Cloud Director supports multi-tenancy by using organizations. An organization is a unit of administration for a collection of users, groups, and computing resources. Users authenticate at the organization level, supplying credentials established by an organization administrator when the user was created or imported. System Administrators create and provision organizations, while Organization Administrators manage organization users, groups, and catalogs. Organization Administrator tasks are described in VMware Cloud Director Sub-Provider and Tenant Guide.

Users and Groups

An organization can contain an arbitrary number of users and groups. Organization Administrators can create users, and import users and groups from a directory service such as LDAP. The System Administrator manages the set of rights available to each organization. The System Administrator can create and publish global tenant roles to one or more organizations. The Organization Administrator can create local roles in their organizations.

Catalogs

Organizations use catalogs to store vApp templates and media files. The members of an organization that have access to a catalog can use the vApp templates and media files it contains to create their own vApps. A System Administrator can allow an organization to publish a catalog to make it available to other organizations. Organization Administrators can then decide which catalog items to provide to their users.