In the network design for the ESXi hosts in a VI workload domain, you place the hosts on a VLAN for traffic segmentation and decide on the IP addressing scheme and name resolution that best support customer workloads and maintenance of the hosts.

Network Segments

In addition to providing network connectivity to the virtual machines, the ESXi hosts in the management domain are connected to several dedicated networks in order to perform system functions in the virtual infrastructure. See Networks in VMware Cloud Foundation and Overlay Design for a Virtual Infrastructure Workload Domain.

Table 1. Design Decisions on the Network Segments for the ESXi Hosts

Decision ID: VCF-WLD-ESX-NET-001

Design Decision: Place the ESXi hosts in the VI workload domain cluster on a new VLAN-backed management network segment dedicated to the VI workload domain.

Design Justification:

  • Physical VLAN security separation is achieved between the VI workload domain ESXi hosts and the other management components in the management domain.

  • Reduces the number of VLANs needed, because a single VLAN can be allocated for both the ESXi hosts and the NSX Edge nodes in the shared edge and workload cluster.

Design Implication: A new VLAN and a new subnet are required for the VI workload domain management network.

IP Addressing

You must assign a static IP address for the management interface of each ESXi host in the VI workload domain.

Following industry best practices, VMware Cloud Foundation does not allow using DHCP to assign an IP address to the management interface of ESXi hosts.

Table 2. Design Decisions on the IP Addressing Scheme for the ESXi Hosts

Decision ID: VCF-WLD-ESX-NET-002

Design Decision: Allocate statically assigned IP addresses and host names across all ESXi hosts in the VI workload domain cluster.

Design Justification: Ensures stability across the SDDC and makes the hosts simpler to maintain and easier to track.

Design Implication: Requires precise IP address management.

Name Resolution

Name resolution provides the translation between an IP address and a fully qualified domain name (FQDN). The management IP address of each ESXi host in the VI workload domain must have valid internal DNS registration which includes forward and reverse name resolution.

Table 3. Design Decisions on Name Resolution for the ESXi Hosts

Decision ID: VCF-WLD-ESX-NET-003

Design Decision: Configure forward and reverse DNS records for each ESXi host in the VI workload domain cluster.

Design Justification: All ESXi hosts are accessible by using a fully qualified domain name instead of by using IP addresses only.

Design Implication: You must provide DNS records for each ESXi host.
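The static addressing requirement (Table 2) and the forward and reverse DNS requirement (Table 3) can be checked against the host plan before the VI workload domain is deployed. The following example is added here and is not VMware's code; the subnet, host names and addresses are constructed, and the two dictionaries stand in for answers the internal DNS servers would give. It reports hosts whose planned address lies outside the management subnet, is assigned twice, or whose A and PTR records disagree.

```python
import ipaddress

# Constructed sample data (not from the page): the planned VLAN-backed
# management subnet of the VI workload domain and the static address planned
# for each ESXi host. Two hosts carry deliberate errors for the demonstration.
MGMT_SUBNET = "172.16.11.0/24"
HOST_PLAN = {
    "esxi01.wld.example.local": "172.16.11.101",
    "esxi02.wld.example.local": "172.16.11.102",
    "esxi03.wld.example.local": "172.16.11.103",
    "esxi04.wld.example.local": "10.0.0.104",  # outside the management subnet
}

# Constructed stand-in for the internal DNS zone; a real precheck would fill
# these from socket.gethostbyname() and socket.gethostbyaddr() lookups.
DNS_FORWARD = {fqdn: ip for fqdn, ip in HOST_PLAN.items()}  # A records
DNS_REVERSE = {ip: fqdn for fqdn, ip in HOST_PLAN.items()}  # PTR records
DNS_REVERSE["172.16.11.103"] = "esxi03-old.wld.example.local"  # stale PTR


def validate_host_plan(plan, subnet, forward, reverse):
    """Return (fqdn, problem) tuples; an empty list means the plan passes."""
    net = ipaddress.ip_network(subnet)
    problems = []
    owner = {}  # ip -> first fqdn that claimed it, for duplicate detection
    for fqdn, ip in plan.items():
        if ipaddress.ip_address(ip) not in net:
            problems.append((fqdn, f"{ip} is outside management subnet {subnet}"))
        if ip in owner:
            problems.append((fqdn, f"{ip} is already assigned to {owner[ip]}"))
        owner.setdefault(ip, fqdn)
        if forward.get(fqdn) != ip:
            problems.append((fqdn, f"A record {forward.get(fqdn)} != planned {ip}"))
        if reverse.get(ip) != fqdn:
            problems.append((fqdn, f"PTR for {ip} is {reverse.get(ip)}, expected {fqdn}"))
    return problems


if __name__ == "__main__":
    for fqdn, problem in validate_host_plan(HOST_PLAN, MGMT_SUBNET, DNS_FORWARD, DNS_REVERSE):
        print(f"{fqdn}: {problem}")
```

With the constructed data the check flags esxi03 (stale PTR record) and esxi04 (address outside the management subnet); a clean plan returns an empty list.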

Time Synchronization

Time synchronization provided by the Network Time Protocol (NTP) is important to ensure that all components in the SDDC are synchronized to the same time source. For example, if the clocks on the physical machines in your vSphere network are not synchronized, SSL certificates and SAML Tokens, which are time-sensitive, might not be recognized as valid in communications between network machines. Time inconsistencies in vSphere can cause first-boot to fail at different services depending on where in the environment time is not accurate and when the time is synchronized.

Table 4. Design Decisions on Time Synchronization for the ESXi Hosts

Decision ID: VCF-WLD-ESX-NET-004

Design Decision: Configure time synchronization by using an internal NTP time source across all ESXi hosts in the VI workload domain cluster.

Design Justification: Ensures consistent time across all devices in the environment, which can be critical for proper root cause analysis and auditing.

Design Implication: An operational NTP service must be available in the environment.

Decision ID: VCF-WLD-ESX-NET-005

Design Decision: Set the NTP service policy to "Start and stop with host" across all ESXi hosts in the VI workload domain cluster.

Design Justification: Ensures that the NTP service is available right after you restart an ESXi host.

Design Implication: None.