To provide identity and access management services to supported SDDC components, such as vRealize Suite components, this design uses a Workspace ONE Access cluster that is deployed on an NSX network segment.

Figure 1. Logical Design of the Clustered Workspace ONE Access

The Workspace ONE Access cluster consists of one primary and two secondary nodes that are natively clustered at the time of deployment by vRealize Suite Lifecycle Manager, and load-balanced by using an NSX load balancer.

Table 1. Clustered Workspace ONE Access Logical Components

Single VMware Cloud Foundation Instance

  • A three-node Workspace ONE Access cluster behind an NSX load balancer and deployed on an overlay-backed (recommended) or VLAN-backed NSX segment.

  • All Workspace ONE Access services and databases are configured for high availability using a native cluster configuration. SDDC solutions that are portable across VMware Cloud Foundation instances are integrated with this Workspace ONE Access cluster.

  • vSphere HA protects the Workspace ONE Access nodes.

  • vSphere DRS anti-affinity rules ensure that the Workspace ONE Access nodes run on different ESXi hosts.

Single VMware Cloud Foundation Instance with Multiple Availability Zones

  • A three-node Workspace ONE Access cluster behind an NSX load balancer and deployed on an overlay-backed (recommended) or VLAN-backed NSX segment.

  • All Workspace ONE Access services and databases are configured for high availability using a native cluster configuration. SDDC solutions that are portable across VMware Cloud Foundation instances are integrated with this Workspace ONE Access cluster.

  • vSphere HA protects the Workspace ONE Access nodes.

  • A vSphere DRS anti-affinity rule ensures that the Workspace ONE Access nodes run on different ESXi hosts.

  • A should-run vSphere DRS rule ensures that, under normal operating conditions, the Workspace ONE Access nodes run on management ESXi hosts in the first availability zone.

Multiple VMware Cloud Foundation Instances

  • In the first VMware Cloud Foundation instance, a three-node Workspace ONE Access cluster behind an NSX load balancer and deployed on an overlay-backed (recommended) or VLAN-backed NSX network segment.

  • All Workspace ONE Access services and databases are configured for high availability using a native cluster configuration. SDDC solutions that are portable across VMware Cloud Foundation instances are integrated with this Workspace ONE Access cluster.

  • vSphere HA protects the Workspace ONE Access cluster nodes.

  • vSphere DRS anti-affinity rules ensure that the Workspace ONE Access nodes run on different ESXi hosts.

Supporting Infrastructure

In this design, Workspace ONE Access integrates with the following supporting infrastructure:

  • NTP for time synchronization

  • DNS for name resolution

  • Active Directory

Important:

Workspace ONE Access does not replace an organization's enterprise directory. Workspace ONE Access integrates with an enterprise directory as an identity provider for authentication to support solution authorization.