In VMware Cloud Foundation, you place vRealize Suite components on a pre-defined configuration of NSX segments, called application virtual networks (AVNs), for dynamic routing and load balancing. You can also use AVNs to deploy a standalone Workspace ONE Access instance that provides central user management to the NSX-T Data Center instances in the environment.

NSX segments provide flexibility for workload placement by removing the dependence on traditional physical data center networks. This approach also improves the security and mobility of the management applications, and reduces the integration effort with the existing customer network.

Table 1. Comparing AVN Types

| Design Component | Overlay-Based NSX Segments | VLAN-Backed NSX Segments |
|---|---|---|
| Benefits | • Supports IP mobility with dynamic routing. • Limits the number of VLANs needed in the data center fabric. • In an environment with multiple availability zones, limits the number of VLANs needed to expand from an architecture with one availability zone to an architecture with two availability zones. • Required for environments with multiple VMware Cloud Foundation instances. | Uses the data center fabric for the network segment and the next-hop gateway. |
| Limitations | Requires routing between the data center fabric and the NSX Edge nodes. | Not supported in environments with multiple VMware Cloud Foundation instances. |

Figure 1. Application Virtual Networks in VMware Cloud Foundation

The figure shows two AVNs. One carries traffic within the VMware Cloud Foundation instance and is connected to a local-instance Tier-1 gateway. The other carries cross-instance traffic and is connected to a cross-instance Tier-1 gateway.

For the design for specific vRealize Suite components, see VMware Cloud Foundation Design for vRealize Suite Lifecycle and Access Management and VMware Validated Solutions. For identity and access management design for NSX-T Data Center, see Identity and Access Management for VMware Cloud Foundation.

Important:

If you plan to use NSX Federation in the management domain, create the AVNs before you enable the federation. Creating AVNs in an environment where NSX Federation is already active is not supported.

Table 2. Design Decisions on NSX Segments

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-MGMT-NSX-SDN-AVN-001 | Create one cross-instance NSX segment for the components of a vRealize Suite application or another solution that requires mobility between VMware Cloud Foundation instances. | Prepares the environment for the deployment of solutions on top of VMware Cloud Foundation, such as the vRealize Suite, without a complex physical network configuration. The components of the vRealize Suite application must be easily portable between VMware Cloud Foundation instances without requiring reconfiguration. | Each NSX segment requires a unique IP address space. |
| VCF-MGMT-NSX-SDN-AVN-002 | Create one or more local-instance NSX segments for the components of a vRealize Suite application or another solution that are assigned to a specific VMware Cloud Foundation instance. | Prepares the environment for the deployment of solutions on top of VMware Cloud Foundation, such as the vRealize Suite, without a complex physical network configuration. | Each NSX segment requires a unique IP address space. |
| VCF-MGMT-NSX-SDN-AVN-003 | Use overlay-backed NSX segments. | • Supports expansion to deployment topologies for multiple VMware Cloud Foundation instances. • Limits the number of VLANs required for the data center fabric. | Using overlay-backed NSX segments requires routing (eBGP recommended) between the data center fabric and the NSX Edge nodes. |

With NSX Federation, an NSX segment can span multiple instances of NSX-T Data Center and VMware Cloud Foundation. A single network segment can be available in different physical locations over the NSX SDN. In an environment with multiple VMware Cloud Foundation instances, the cross-instance NSX network in the management domain is extended between the first two instances. This configuration provides IP mobility for management components which fail over from the first to the second instance.

Table 3. Design Decisions on NSX Segments for Multiple VMware Cloud Foundation Instances

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-MGMT-NSX-SDN-AVN-004 | Extend the cross-instance NSX segment to the second VMware Cloud Foundation instance. | Enables workload mobility without a complex physical network configuration. The components of a vRealize Suite application must be easily portable between VMware Cloud Foundation instances without requiring reconfiguration. | Each NSX segment requires a unique IP address space. |
| VCF-MGMT-NSX-SDN-AVN-005 | In each VMware Cloud Foundation instance, create additional local-instance NSX segments. | Enables workload mobility within a VMware Cloud Foundation instance without a complex physical network configuration. Each VMware Cloud Foundation instance should have network segments to support workloads that are isolated to that VMware Cloud Foundation instance. | Each NSX segment requires a unique IP address space. |
| VCF-MGMT-NSX-SDN-AVN-006 | In each VMware Cloud Foundation instance, connect or migrate the local-instance NSX segments to the corresponding local-instance Tier-1 gateway. | Configures local-instance NSX segments at required sites only. | Requires an individual Tier-1 gateway for local-instance segments. |
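The rules in Tables 1 through 3 (unique IP address space per segment, overlay backing required with multiple instances, one cross-instance segment, and local-instance segments attached to a local-instance Tier-1 gateway) can be checked before an AVN design is submitted. The following is an added design-validation example, not VMware code; the segment names, CIDRs and Tier-1 gateway names are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class AVN:
    name: str
    cidr: str
    backing: str  # "overlay" or "vlan"
    scope: str    # "cross-instance" or "local-instance"
    tier1: str    # name of the Tier-1 gateway the segment connects to


def validate_avn_design(avns, tier1_scopes, multi_instance):
    """Return a list of findings; an empty list means the design passes every check."""
    findings = []
    nets = [(a.name, ip_network(a.cidr, strict=True)) for a in avns]
    # Design implication on every decision: each segment needs a unique IP address space.
    for i, (n1, net1) in enumerate(nets):
        for n2, net2 in nets[i + 1:]:
            if net1.overlaps(net2):
                findings.append(f"{n1} and {n2} share IP space: {net1} overlaps {net2}")
    for a in avns:
        # AVN-006 / Figure 1: a segment attaches to a Tier-1 gateway of the same scope.
        gw_scope = tier1_scopes.get(a.tier1)
        if gw_scope != a.scope:
            findings.append(f"{a.name} ({a.scope}) is connected to Tier-1 {a.tier1} ({gw_scope})")
        # Table 1 / AVN-003: VLAN-backed segments are not supported with multiple instances.
        if multi_instance and a.backing == "vlan":
            findings.append(f"{a.name} is VLAN-backed; not supported with multiple VCF instances")
    if multi_instance:
        # AVN-001 / AVN-004: one cross-instance segment, extended to the second instance.
        cross = [a.name for a in avns if a.scope == "cross-instance"]
        if len(cross) != 1:
            findings.append(f"expected exactly one cross-instance segment, found {cross}")
    return findings


# Constructed sample designs (placeholder names and documentation CIDRs).
TIER1_SCOPES = {"t1-xregion": "cross-instance", "t1-local-a": "local-instance"}
GOOD_DESIGN = [
    AVN("xregion-seg", "192.0.2.0/24", "overlay", "cross-instance", "t1-xregion"),
    AVN("local-a-seg", "198.51.100.0/24", "overlay", "local-instance", "t1-local-a"),
]
BAD_DESIGN = [
    AVN("xregion-seg", "192.0.2.0/24", "overlay", "cross-instance", "t1-xregion"),
    AVN("local-a-seg", "192.0.2.128/25", "vlan", "local-instance", "t1-xregion"),
]

if __name__ == "__main__":
    for label, design in (("good", GOOD_DESIGN), ("bad", BAD_DESIGN)):
        print(label, validate_avn_design(design, TIER1_SCOPES, multi_instance=True) or "OK")
```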