In the network design for the ESXi hosts in the management domain of VMware Cloud Foundation, you place the hosts on a VLAN for traffic segmentation. You decide on the IP addressing scheme and name resolution for connectivity to the SDDC management components and maintenance of the hosts.

Network Segments

In addition to providing network connectivity to the virtual machines, the ESXi hosts in the management domain are connected to several dedicated networks that carry system traffic. See Networks in VMware Cloud Foundation and Overlay Design for the Management Domain.

Table 1. Design Decisions on the Network Segments for the ESXi Hosts

Decision ID: VCF-MGMT-ESX-NET-001
Design Decision: Place the ESXi hosts in the default management cluster on the VLAN-backed management network segment.
Design Justification: Reduces the number of VLANs needed, because a single VLAN can be shared by the ESXi hosts, vCenter Server, and the NSX-T Data Center management components.
Design Implication: The ESXi hosts and the other management components are not separated onto distinct physical VLANs, so that layer of network isolation between them is not available.

IP Addressing

You must assign a static IP address for the management interface of each ESXi host in the management domain.

Following industry best practices, VMware Cloud Foundation does not allow using DHCP to assign an IP address to the management interface of ESXi hosts.

Table 2. Design Decisions on the IP Addressing Scheme for the ESXi Hosts

Decision ID: VCF-MGMT-ESX-NET-002
Design Decision: Allocate statically assigned IP addresses and host names across all ESXi hosts in the default management cluster.
Design Justification: Ensures stability across the VMware Cloud Foundation instance, simplifies maintenance and tracking, and makes the DNS configuration straightforward to implement.
Design Implication: Requires precise IP address management.

Name Resolution

Name resolution provides the translation between an IP address and a fully qualified domain name (FQDN). The management IP address of each ESXi host in the management domain must have valid internal DNS registration which includes forward and reverse name resolution.

Table 3. Design Decisions on Name Resolution for the ESXi Hosts

Decision ID: VCF-MGMT-ESX-NET-003
Design Decision: Configure forward and reverse DNS records for each ESXi host in the default management cluster.
Design Justification: All ESXi hosts are accessible by using a fully qualified domain name instead of by using IP addresses only.
Design Implication: You must provide DNS records for each ESXi host.

Time Synchronization

Time synchronization provided by the Network Time Protocol (NTP) is important to ensure that all components in the SDDC are synchronized to the same time source. For example, if the clocks on the physical machines in your vSphere network are not synchronized, SSL certificates and SAML Tokens, which are time-sensitive, might not be recognized as valid in communications between network machines. Time inconsistencies in vSphere can cause first-boot to fail at different services depending on where in the environment time is not accurate and when the time is synchronized.

Table 4. Design Decisions on Time Synchronization for the ESXi Hosts

Decision ID: VCF-MGMT-ESX-NET-004
Design Decision: Configure time synchronization by using an internal NTP time source across all ESXi hosts in the management domain for the region.
Design Justification: Prevents failures in the deployment of the vCenter Server appliance on an ESXi host that is not using NTP.
Design Implication: An operational NTP service must be available in the environment.

Decision ID: VCF-MGMT-ESX-NET-005
Design Decision: Set the NTP service policy to Start and stop with host across all ESXi hosts in the default management vSphere cluster.
Design Justification: Ensures that the NTP service is available right after you restart an ESXi host.
Design Implication: None.
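The IP addressing, name resolution and time synchronization decisions above (VCF-MGMT-ESX-NET-002 through NET-005) are easy to state and easy to drift from once hosts are rebuilt or re-addressed. The following script is an added example, not VMware or VMware Cloud Foundation code: it audits an inventory of management-domain ESXi hosts against those four decisions. The host record fields (fqdn, mgmt_ip, dhcp, ntp_servers, ntp_policy), the policy value "on" standing for "Start and stop with host", and all host names, addresses and DNS records are constructed for this example. The DNS lookups are done through injectable resolver functions so the checks run offline against an in-memory zone; the system resolver variant queries the DNS that the auditing machine is configured to use.

```python
"""Audit ESXi host management settings against decisions NET-002 to NET-005.

Added example; not VMware or VCF code. The inventory field names, the policy
value "on" for "Start and stop with host", and all sample data are constructed
assumptions of this example.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# forward: FQDN -> IP or None; reverse: IP -> FQDN or None
Forward = Callable[[str], Optional[str]]
Reverse = Callable[[str], Optional[str]]


@dataclass
class EsxiHost:
    fqdn: str
    mgmt_ip: str
    dhcp: bool = False                       # True if the management vmkernel address came from DHCP
    ntp_servers: List[str] = field(default_factory=list)
    ntp_policy: str = "off"                  # "on" = Start and stop with host (assumed encoding)


def check_host(host: EsxiHost, forward: Forward, reverse: Reverse,
               design_ntp: List[str]) -> List[str]:
    """Return one finding per violated decision, each prefixed with the host FQDN and decision code."""
    findings: List[str] = []

    # NET-002: the management interface must have a valid, statically assigned address.
    if host.dhcp:
        findings.append(f"{host.fqdn}: NET-002 management interface is DHCP-assigned")
    try:
        ipaddress.ip_address(host.mgmt_ip)
    except ValueError:
        findings.append(f"{host.fqdn}: NET-002 management IP {host.mgmt_ip!r} is not a valid address")

    # NET-003: forward (A) and reverse (PTR) records must exist and agree with each other.
    fwd = forward(host.fqdn)
    if fwd is None:
        findings.append(f"{host.fqdn}: NET-003 no forward record")
    elif fwd != host.mgmt_ip:
        findings.append(f"{host.fqdn}: NET-003 forward record {fwd} differs from management IP {host.mgmt_ip}")
    rev = reverse(host.mgmt_ip)
    if rev is None:
        findings.append(f"{host.fqdn}: NET-003 no reverse record for {host.mgmt_ip}")
    elif rev.lower().rstrip(".") != host.fqdn.lower().rstrip("."):
        findings.append(f"{host.fqdn}: NET-003 reverse record points to {rev}, not to this host")

    # NET-004: every host uses exactly the internal NTP source chosen in the design.
    if not host.ntp_servers:
        findings.append(f"{host.fqdn}: NET-004 no NTP server configured")
    elif set(host.ntp_servers) != set(design_ntp):
        findings.append(f"{host.fqdn}: NET-004 NTP servers {host.ntp_servers} differ from design {design_ntp}")

    # NET-005: ntpd must start with the host so time is correct immediately after a reboot.
    if host.ntp_policy != "on":
        findings.append(f"{host.fqdn}: NET-005 NTP service policy is {host.ntp_policy!r}, expected 'on'")
    return findings


def zone_resolvers(a_records: Dict[str, str], ptr_records: Dict[str, str]) -> Tuple[Forward, Reverse]:
    """Resolvers backed by in-memory records, for offline checks and tests."""
    return (lambda name: a_records.get(name.lower().rstrip(".")),
            lambda ip: ptr_records.get(ip))


def system_resolvers() -> Tuple[Forward, Reverse]:
    """Resolvers that query the DNS configured on the machine running the audit."""
    def fwd(name: str) -> Optional[str]:
        try:
            return socket.gethostbyname(name)
        except socket.gaierror:
            return None

    def rev(ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None
    return fwd, rev


def audit(hosts: List[EsxiHost], forward: Forward, reverse: Reverse,
          design_ntp: List[str]) -> Dict[str, List[str]]:
    return {h.fqdn: check_host(h, forward, reverse, design_ntp) for h in hosts}


# Constructed sample data: esxi01 is compliant, esxi02 uses DHCP and lacks a PTR record,
# esxi03 has a stale PTR record, an external NTP source and the wrong service policy.
DESIGN_NTP = ["ntp.mgmt.example.com"]
SAMPLE_A = {
    "esxi01.mgmt.example.com": "172.16.11.101",
    "esxi02.mgmt.example.com": "172.16.11.102",
    "esxi03.mgmt.example.com": "172.16.11.103",
}
SAMPLE_PTR = {
    "172.16.11.101": "esxi01.mgmt.example.com",
    "172.16.11.103": "esxi03-old.mgmt.example.com",
}
SAMPLE_HOSTS = [
    EsxiHost("esxi01.mgmt.example.com", "172.16.11.101", ntp_servers=DESIGN_NTP, ntp_policy="on"),
    EsxiHost("esxi02.mgmt.example.com", "172.16.11.102", dhcp=True, ntp_servers=DESIGN_NTP, ntp_policy="on"),
    EsxiHost("esxi03.mgmt.example.com", "172.16.11.103", ntp_servers=["time.example.net"], ntp_policy="off"),
]

if __name__ == "__main__":
    fwd, rev = zone_resolvers(SAMPLE_A, SAMPLE_PTR)   # use system_resolvers() for a live check
    for fqdn, findings in audit(SAMPLE_HOSTS, fwd, rev, DESIGN_NTP).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{fqdn}: {status}")
        for line in findings:
            print("  -", line)
```

Running the block as-is reports esxi01 as compliant, two findings for esxi02 (DHCP and missing PTR) and three for esxi03 (stale PTR, non-design NTP source, service policy). The reverse check compares the PTR target with the host's own FQDN rather than only testing that a PTR exists, because a record left over from a previous host at the same address satisfies a bare existence check while still breaking components that validate reverse lookups.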