With dedicated vCenter instances, you can use VMware Cloud Director as a central point of management (CPOM) for your vSphere environments.

When you add a vCenter instance to VMware Cloud Director, you can specify the purpose of the instance.

  • Dedicated vCenter - The infrastructure of an attached vCenter instance is encapsulated as a Software-Defined Data Center (SDDC) and is fully dedicated to a single tenant. You create a dedicated vCenter instance by activating the tenant access for that instance. After you activate the tenant access, you can publish a dedicated vCenter instance to a tenant.
  • Shared vCenter - The provider can use different resource pools of the vCenter instance across multiple provider VDCs and then allocate those resource pools to different tenants. A shared vCenter instance cannot be published to tenants.
  • None - The vCenter instance does not have any specific purpose.

VMware Cloud Director can act as an HTTP proxy server for the dedicated vCenter instances and the vCenter instances that do not have a set purpose.

With dedicated vCenter instances, you can use VMware Cloud Director as a central point of management for all your vSphere environments.

  • You can dedicate the resources of a vCenter instance to a single tenant by publishing the corresponding dedicated vCenter only to its organization. The tenant does not share these resources with other tenants. The tenant can access this dedicated vCenter instance by using a UI or API proxy, without requiring a VPN.
  • You can use VMware Cloud Director as a lightweight directory to register all your vCenter instances.
  • You can use VMware Cloud Director as an API endpoint for all your vCenter instances.

You can activate the tenant access and mark a vCenter instance as dedicated either during or after the attachment of the target vCenter instance to VMware Cloud Director. See Attach a vCenter Instance Alone or Together with an NSX-V Manager Instance to VMware Cloud Director.

With an attached vCenter instance, you can create either a shared vCenter or a dedicated vCenter. If you created a shared vCenter instance, you cannot use this vCenter instance to create a dedicated vCenter, and vice versa.

You can create endpoints that tenants can use to access the underlying vSphere environment. The VMware Cloud Director credentials are for the proxied components that connect to vCenter. The vCenter instances have different credentials.

Dedicated vCenter instances in VMware Cloud Director remove the requirement for vCenter to be publicly accessible. To control the access, you can activate and deactivate the tenant access to an SDDC in VMware Cloud Director.

An endpoint is the access point to a component from an SDDC, for example, a vCenter instance, an ESXi host, or an NSX-V Manager instance. You can connect an endpoint to a proxy. By activating and deactivating a proxy, you can allow and stop the tenant access through that proxy.

Starting with VMware Cloud Director 10.2, if you use the API to query the dedicated vCenter and proxy entities and your tenant configuration supports multisite associations, VMware Cloud Director returns a multisite response. The results are from all available associations.

Creating and Managing Dedicated vCenter Instances

To create and manage dedicated vCenter instances and proxies, you can use the Service Provider Admin Portal or the VMware Cloud Director OpenAPI. For VMware Cloud Director OpenAPI, see Getting Started with VMware Cloud Director OpenAPI.

Important:

VMware Cloud Director requires a direct network connection to each dedicated vCenter instance. If the vCenter instance uses an external Platform Services Controller, VMware Cloud Director requires a direct network connection to the Platform Services Controller as well.

To use VMware OVF Tool in a proxied dedicated vCenter, VMware Cloud Director requires a direct connection to each ESXi host.

  1. Create a dedicated vCenter instance.

    When you add a vCenter instance to the VMware Cloud Director environment, you can create a dedicated vCenter instance by activating the tenant access in the Add vCenter Server wizard. See Add the vCenter Instance to VMware Cloud Director.

    Creating a dedicated vCenter instance also creates a default endpoint for it. While attaching the vCenter instance, you can also create a proxy. However, the default endpoint is not connected to any proxy by default. You must edit the default endpoint or create a new one to connect it to a proxy. See Create an Endpoint in VMware Cloud Director.

    You can activate the tenant access of vCenter instances that are already added to VMware Cloud Director and do not have a specified use. See Enable the Tenant Access of an Attached vCenter in VMware Cloud Director. Activating the tenant access makes the vCenter instance available to be published to tenants.

  2. Add a proxy.

    You can create a proxy either when you attach a vCenter instance to VMware Cloud Director or later. If the vCenter instance uses an external Platform Services Controller, VMware Cloud Director creates a proxy for the Platform Services Controller as well. With parent and child proxies, you can hide certain proxies from the tenants or you can activate and deactivate groups of child proxies through their parent proxies. For information on creating a proxy after you add a vCenter instance to VMware Cloud Director, see Add a VMware Cloud Director Proxy for Accessing the Underlying vCenter Resources.

    You can edit, activate, deactivate, and delete proxies from the Proxies tab under vSphere Resources.
    Note: When you add a proxy to a dedicated vCenter instance, you must upload the certificate and the thumbprint, so that tenants can retrieve the certificate and the thumbprint if the proxied component uses self-signed certificates.

    To view and manage certificates and certificate revocation lists (CRLs), see Manage the Proxy Certificates and CRLs in VMware Cloud Director.

  3. Get the certificate and the thumbprint of the created proxies, and verify that the certificate and the thumbprint are present and correct. See Manage the Proxy Certificates and CRLs in VMware Cloud Director.
  4. Publish the dedicated vCenter instance to one or more organizations.

    You can publish a dedicated vCenter instance to a tenant and make it visible in the VMware Cloud Director Tenant Portal. In most cases, one vCenter instance should be published only to one tenant. See Publish a Dedicated vCenter to VMware Cloud Director.

  5. To enable the tenants to access the dedicated vCenter instances and proxies from the VMware Cloud Director Tenant Portal, you must publish the CPOM extension plug-in to their organizations. See Publish or Unpublish a Plug-in from a VMware Cloud Director Organization.
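The check in step 3 can be scripted. The following is an added example, not VMware code: it recomputes a thumbprint from an exported proxy certificate and compares it with the recorded value, reporting missing or malformed inputs separately from a mismatch. The function names are hypothetical, and the digest (SHA-1 or SHA-256) is an assumption inferred from the thumbprint length because the page does not name it.

```python
import hashlib
import hmac
import re
import ssl

# Assumption: the page does not name the digest, so it is inferred from the
# length of the recorded thumbprint (40 hex chars = SHA-1, 64 = SHA-256).
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def normalize_thumbprint(text):
    """Lowercase hex, without separators or an 'SHA256 Fingerprint=' label."""
    value = re.sub(r"[\s:\-]", "", text.strip().split("=")[-1]).lower()
    if not re.fullmatch(r"[0-9a-f]+", value) or len(value) not in ALGO_BY_HEX_LEN:
        raise ValueError("not a SHA-1 or SHA-256 hex digest")
    return value


def check_proxy_pin(cert_pem, recorded_thumbprint):
    """Return (ok, reason) for one proxy's certificate and thumbprint pair."""
    if not cert_pem or not cert_pem.strip():
        return False, "certificate missing"
    if not recorded_thumbprint or not recorded_thumbprint.strip():
        return False, "thumbprint missing"
    block = PEM_BLOCK.search(cert_pem)
    if block is None:
        return False, "certificate is not PEM"
    try:
        expected = normalize_thumbprint(recorded_thumbprint)
        # Only the first block is hashed (assumed to be the leaf in a chain).
        der = ssl.PEM_cert_to_DER_cert(block.group(0))
    except ValueError as exc:
        return False, f"unparseable input: {exc}"
    algo = ALGO_BY_HEX_LEN[len(expected)]
    actual = hashlib.new(algo, der).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, f"{algo} mismatch: certificate hashes to {actual}"
    return True, f"{algo} thumbprint matches"


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate: the thumbprint is a
    # digest of the DER encoding, so no ASN.1 parsing is involved.
    pem = ssl.DER_cert_to_PEM_cert(b"constructed-der-bytes")
    good = hashlib.sha256(b"constructed-der-bytes").hexdigest().upper()
    print(check_proxy_pin(pem, good))
    print(check_proxy_pin(pem, "00" * 32))
```

Compare against a thumbprint obtained out of band from the proxied component itself, not one read back from the same place as the certificate.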

Advanced Central Point of Management Settings

Starting with VMware Cloud Director 10.5, you can activate two advanced settings that allow a vCenter instance to back both a provider VDC and a dedicated vCenter instance, and that allow you to publish that dedicated vCenter instance to tenants. The advanced central point of management settings are deactivated by default. To access these settings, you can use the VMware Cloud Director configurations API endpoint and configuration value key.
Warning: Having a vCenter that backs both a provider VDC and a dedicated vCenter instance introduces the risk of tenancy boundary violations. You must consider these settings thoroughly before you activate them. You can activate them for very specific use cases or for testing and proof of concept purposes.

The two configuration value keys for the advanced settings are as follows:

  • system.setting.allowVcTenantAndProviderScoped - if activated, the same vCenter instance can back both a provider VDC and a dedicated vCenter instance. If a vCenter instance backs both, the VMware Cloud Director UI shows the usage of the instance as empty.
    /opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n system.setting.allowVcTenantAndProviderScoped -v true_or_false
  • vcloud.sddc.allowPublishOfProviderScoped - if activated, you can publish to tenants dedicated vCenter instances that are backed by a vCenter instance which also backs a provider VDC. For publishing a dedicated vCenter instance, see Publish a Dedicated vCenter to VMware Cloud Director.
    /opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n vcloud.sddc.allowPublishOfProviderScoped -v true_or_false