Use this design decision list as a reference for the vCenter Server configuration in an environment with one or more VMware Cloud Foundation instances. The design also considers whether an instance contains one or more availability zones. The vCenter Server design also includes the configuration of the default management cluster.

The configuration tasks for most design decisions are automated in VMware Cloud Foundation. You must perform the configuration manually only for a limited number of decisions as noted in the design implication.

For full design details, see vCenter Server Design for the Management Domain.

Deployment Specification

Table 1. Design Decisions on the Deployment Model for the Management Domain vCenter Server

Decision ID: VCF-MGMT-VCS-CFG-001
Design Decision: Deploy a dedicated vCenter Server appliance for the management domain of the VMware Cloud Foundation instance.
Design Justification:
  • Isolates vCenter Server failures to management or tenant workloads.
  • Isolates vCenter Server operations between management and tenants.
  • Supports a scalable cluster design where you can reuse the management components as more tenant workloads are added to the SDDC.
  • Simplifies capacity planning for tenant workloads because you do not consider management workloads for the VI workload domain vCenter Server.
  • Improves the ability to upgrade the vSphere environment and related components by enabling explicit separation of maintenance windows:
    • Management workloads remain available while you are upgrading the tenant workloads.
    • Tenant workloads remain available while you are upgrading the management nodes.
  • Supports clear separation of roles and responsibilities to ensure that only administrators with granted authorization can control the management workloads.
  • Facilitates quicker troubleshooting and problem resolution.
  • Simplifies disaster recovery operations by supporting a clear separation between recovery of the management components and tenant workloads.
  • Provides isolation of potential network issues by introducing network separation of the clusters in the SDDC.
Design Implication: Requires a separate license for the vCenter Server instance in the management domain.

Table 2. Design Decisions on Sizing the Management Domain vCenter Server

Decision ID: VCF-MGMT-VCS-CFG-002
Design Decision: Deploy an appliance for the management domain vCenter Server of a small deployment size.
Design Justification: A vCenter Server appliance of a small-deployment size is sufficient for managing the anticipated number of ESXi hosts and virtual machines in the management domain of the VMware Cloud Foundation instance.
Design Implication: If the size of the management environment increases, you might have to increase the vCenter Server appliance size.

Decision ID: VCF-MGMT-VCS-CFG-003
Design Decision: Deploy the appliance of the management domain vCenter Server with the default storage size.
Design Justification: The default storage capacity that is assigned to a small-size appliance is sufficient to manage the management appliances that are required for the VMware Cloud Foundation instance.
Design Implication: None.

Table 3. Design Decisions on Enhanced Linked Mode for the Management Domain for Multiple VMware Cloud Foundation Instances

Decision ID: VCF-MGMT-VCS-CFG-004
Design Decision: Join all vCenter Server instances to a single vCenter Single Sign-On domain.
Design Justification: When all vCenter Server instances are in the same vCenter Single Sign-On domain, they can share authentication and license data across all components and VMware Cloud Foundation instances.
Design Implication:
  • Only one vCenter Single Sign-On domain exists.
  • The number of linked vCenter Server instances in the same vCenter Single Sign-On domain is limited to 15 instances. Because each workload domain can contain a single vCenter Server instance, you can deploy a maximum of 15 domains across all VMware Cloud Foundation instances.
  • You must use the Cloud Builder API to join the management domains of multiple VMware Cloud Foundation instances to the same vCenter Single Sign-On domain because this Enhanced Linked Mode configuration is deprecated.

Decision ID: VCF-MGMT-VCS-CFG-005
Design Decision: Create a ring topology between the vCenter Server instances for the management domains.
Design Justification: By default, one vCenter Server instance replicates only with another vCenter Server instance. This setup creates a single point of failure for replication. A ring topology ensures that each vCenter Server instance has two replication partners and removes any single point of failure.
Design Implication: None.

Table 4. Design Decisions on High Availability of the Management Domain vCenter Server in a Single Availability Zone

Decision ID: VCF-MGMT-VCS-CFG-006
Design Decision: Protect the appliance of the management domain vCenter Server by using vSphere HA.
Design Justification: vSphere HA is the only supported method to protect vCenter Server availability in VMware Cloud Foundation.
Design Implication: vCenter Server becomes unavailable during a vSphere HA failover.

Decision ID: VCF-MGMT-VCS-CFG-007
Design Decision: In vSphere HA, set the restart priority policy for the vCenter Server appliance to high.
Design Justification: vCenter Server is the management and control plane for physical and virtual infrastructure. In a vSphere HA event, to ensure the rest of the SDDC management stack comes up faultlessly, the management domain vCenter Server must be available first, before the other management components come online.
Design Implication: If the restart priority for another virtual machine is set to highest, the connectivity delay for the management components will be longer.

Table 5. Design Decisions on High Availability of the Management Domain vCenter Server for Multiple Availability Zones

Decision ID: VCF-MGMT-VCS-CFG-008
Design Decision: Add the vCenter Server appliance to the virtual machine group for the first availability zone. See Design Decisions on vSphere DRS for a Management Domain with Multiple Availability Zones.
Design Justification: Ensures that, by default, the vCenter Server appliance is powered on a host in the first availability zone.
Design Implication: None.

Network Design

Table 6. Design Decisions on the Network Segment for the Management Domain vCenter Server

Decision ID: VCF-MGMT-VCS-NET-001
Design Decision: Place the appliance of the management domain vCenter Server on the management VLAN network segment.
Design Justification: Reduces the number of required VLANs because a single VLAN can be allocated to both vCenter Server and NSX-T Data Center management components.
Design Implication: None.

Table 7. Design Decisions on the IP Addressing Scheme for the Management Domain vCenter Server

Decision ID: VCF-MGMT-VCS-NET-002
Design Decision: Allocate a statically assigned IP address and host name to the appliance of the management domain vCenter Server.
Design Justification: Ensures stability across the SDDC and makes it simpler to maintain, track, and implement a DNS configuration.
Design Implication: Requires precise IP address management.

Table 8. Design Decisions on Name Resolution for the Management Domain vCenter Server

Decision ID: VCF-MGMT-VCS-NET-003
Design Decision: Configure forward and reverse DNS records for the appliance of the management domain vCenter Server.
Design Justification: The vCenter Server appliance is accessible by using a fully qualified domain name instead of by using an IP address only.
Design Implication: You must provide DNS records for the vCenter Server appliance.

Table 9. Design Decisions on Time Synchronization for the Management Domain vCenter Server

Decision ID: VCF-MGMT-VCS-NET-004
Design Decision: Configure time synchronization by using an internal NTP time source for the appliance of the management domain vCenter Server.
Design Justification:
  • Prevents issues in the management domain caused by time mismatch between different management components.
  • Removes the requirement to provide Internet connectivity to an external NTP server.
Design Implication:
  • An operational NTP service must be available in the environment.
  • All firewalls between the vCenter Server appliance and the NTP servers must allow NTP traffic on the required network ports.

Life Cycle Management Design

Table 10. Design Decisions on Life Cycle Management of the Management Domain vCenter Server

Decision ID: VCF-MGMT-VCS-LCM-001
Design Decision: Use SDDC Manager to perform the life cycle management of the appliance for the management domain vCenter Server.
Design Justification: Because the deployment scope of SDDC Manager covers the full VMware Cloud Foundation stack, SDDC Manager performs patching, update, or upgrade of the management domain as a single process.
Design Implication: The operations team must understand and be aware of the impact of a patch, update, or upgrade operation by using SDDC Manager.

vSphere Cluster Design

Table 11. Design Decisions on the Configuration of the Default Cluster in a Management Domain with a Single Availability Zone

Decision ID: VCF-MGMT-VCS-CLS-001
Design Decision: Create a cluster in the management domain for the initial set of ESXi hosts.
Design Justification:
  • Simplifies configuration by isolating management workloads from tenant workloads.
  • Ensures that tenant workloads have no impact on the management stack.
  You can add ESXi hosts to the cluster as needed.
Design Implication: Management of multiple clusters and vCenter Server instances increases operational overhead.

Decision ID: VCF-MGMT-VCS-CLS-002
Design Decision: Allocate a minimum of 4 ESXi hosts for the default management cluster.
Design Justification:
  • Allocating 4 ESXi hosts provides N+1 redundancy to protect against host failure in the cluster.
  • Having 4 ESXi hosts also guarantees redundancy for vSAN and NSX-T Data Center during maintenance operations.
Design Implication: To support redundancy, you must allocate additional ESXi host resources.

Table 12. Design Decisions on the Configuration of the Default Cluster in a Management Domain with Multiple Availability Zones

Decision ID: VCF-MGMT-VCS-CLS-003
Design Decision: Add 4 ESXi hosts to create the second availability zone of the default management cluster. The total number of ESXi hosts in the default cluster of the management domain across the two availability zones is eight.
Design Justification:
  • Allocating 4 ESXi hosts provides N+1 redundancy for each availability zone to protect against host failure in the cluster.
  • Having 4 ESXi hosts in each availability zone guarantees redundancy for vSAN and NSX-T Data Center during availability zone outages or maintenance operations.
Design Implication: To support redundancy, you must allocate additional ESXi host resources.

Table 13. Design Decisions on the Host Configuration for the Default Management Cluster for Multiple VMware Cloud Foundation Instances

Decision ID: VCF-MGMT-VCS-CLS-004
Design Decision: In each subsequent VMware Cloud Foundation instance, create the default management cluster with a minimum of 4 ESXi hosts.
Design Justification:
  • Allocating 4 ESXi hosts provides N+1 redundancy for the cluster.
  • Having 4 ESXi hosts guarantees vSAN and NSX redundancy during maintenance operations.
Design Implication: To support redundancy, you must allocate additional ESXi host resources.

Table 14. Design Decisions on vSphere Availability for the Default Management Cluster

Decision ID: VCF-MGMT-VCS-CLS-005
Design Decision: Use vSphere HA to protect all virtual machines against failures.
Design Justification: vSphere HA supports a robust level of protection for both ESXi host and virtual machine availability.
Design Implication: You must provide sufficient resources on the remaining hosts so that virtual machines can be migrated to those hosts in the event of a host outage.

Decision ID: VCF-MGMT-VCS-CLS-006
Design Decision: Set host isolation response to Power Off and restart VM in vSphere HA.
Design Justification: vSAN requires that the host isolation response be set to Power Off and to restart virtual machines on available ESXi hosts.
Design Implication: If a false positive event occurs, virtual machines are powered off and an ESXi host is declared isolated incorrectly.

Decision ID: VCF-MGMT-VCS-CLS-007
Design Decision: Set the advanced cluster setting das.usedefaultisolationaddress to false.
Design Justification: Ensures that vSphere HA uses the manual isolation addresses instead of the default management network gateway address.
Design Implication: You must manually configure this advanced parameter when deploying the management cluster in a single availability zone.

Table 15. Design Decisions on the Admission Control Policy for the Default Cluster in a Management Domain with a Single Availability Zone

Decision ID: VCF-MGMT-VCS-CLS-008
Design Decision: Configure admission control for 1 ESXi host failure and percentage-based failover capacity.
Design Justification: Using the percentage-based reservation works well in situations where virtual machines have varying and sometimes significant CPU or memory reservations. vSphere automatically calculates the reserved percentage according to the number of ESXi host failures to tolerate and the number of ESXi hosts in the cluster.
Design Implication: In a cluster of 4 ESXi hosts, the resources of only 3 ESXi hosts are available for use.

Decision ID: VCF-MGMT-VCS-CLS-009
Design Decision: Set the isolation address for the cluster to the gateway IP address for the vSAN network.
Design Justification: Allows vSphere HA to validate complete network isolation if a connection failure occurs on an ESXi host.
Design Implication: You must manually configure the isolation address.

Table 16. Design Decisions on the Admission Control Policy for the Default Management Cluster for Multiple Availability Zones

Decision ID: VCF-MGMT-VCS-CLS-010
Design Decision: Increase admission control percentage to half of the ESXi hosts in the cluster.
Design Justification: Allocating only half of a stretched cluster ensures that all VMs have enough resources if an availability zone outage occurs.
Design Implication: In a cluster of 8 ESXi hosts, the resources of only 4 ESXi hosts are available for use. If you add more ESXi hosts to the default management cluster, add them in pairs, one per availability zone.

Decision ID: VCF-MGMT-VCS-CLS-011
Design Decision: Set an additional isolation address to the vSAN network gateway in the second availability zone.
Design Justification: Allows vSphere HA to validate complete network isolation if a connection failure occurs on an ESXi host or between availability zones.
Design Implication: None.

Table 17. Design Decisions on the VM and Application Monitoring Service for the Management Domain

Decision ID: VCF-MGMT-VCS-CLS-012
Design Decision: Enable VM Monitoring for each cluster.
Design Justification: VM Monitoring provides in-guest protection for most VM workloads. The application or service running on the virtual machine must be capable of restarting successfully after a reboot; otherwise, the virtual machine restart is not sufficient.
Design Implication: None.

Decision ID: VCF-MGMT-VCS-CLS-013
Design Decision: Set the advanced cluster setting das.iostatsinterval to 0 to deactivate monitoring the storage and network I/O activities of the management appliances.
Design Justification: Enables triggering a restart of a management appliance when an OS failure occurs and heartbeats are not received from VMware Tools, instead of waiting additionally for the I/O check to complete.
Design Implication: If you want to specifically enable I/O monitoring, then configure the das.iostatsinterval advanced setting.
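
The vSphere HA decisions in Tables 14 through 17 can be checked on a running cluster. The following read-only PowerCLI audit is an added example, not VMware's code; `$ClusterName`, `$VsanGatewayAddress`, and the helper functions are illustrative names, and `das.isolationaddress0` through `das.isolationaddress9` are assumed as the vSphere HA option names for the manual isolation addresses, which the tables do not spell out.

```powershell
# Added example, not VMware's code: read-only audit of vSphere HA settings on the
# default management cluster. Requires VMware PowerCLI and a Connect-VIServer session.
param(
    [Parameter(Mandatory)] [string]   $ClusterName,        # placeholder: cluster to audit
    [Parameter(Mandatory)] [string[]] $VsanGatewayAddress  # vSAN gateway per availability zone
)

$cluster = Get-Cluster -Name $ClusterName -ErrorAction Stop

# Collect the das.* advanced options that are explicitly set on the cluster.
$das = @{}
Get-AdvancedSetting -Entity $cluster -Name 'das.*' |
    ForEach-Object { $das[$_.Name] = [string]$_.Value }

# Read one option, reporting '(not set)' when the cluster has no override.
function Get-DasValue([string]$Name) {
    if ($das.ContainsKey($Name)) { $das[$Name] } else { '(not set)' }
}

# Build one result row; values are compared in their string form.
function New-Check([string]$Id, [string]$Setting, [string]$Expected, $Actual) {
    [pscustomobject]@{
        DecisionId = $Id; Setting = $Setting; Expected = $Expected
        Actual = "$Actual"; Compliant = ("$Actual" -eq $Expected)
    }
}

# Manual isolation addresses (assumed option names das.isolationaddress0..9).
$configured = @($das.Keys | Where-Object { $_ -match '^das\.isolationaddress\d$' } |
    ForEach-Object { $das[$_] })
$missing = @($VsanGatewayAddress | Where-Object { $_ -notin $configured })
$missingText = if ($missing.Count) { $missing -join ', ' } else { '(none)' }

$results = @(
    New-Check 'VCF-MGMT-VCS-CLS-005' 'vSphere HA enabled' 'True' $cluster.HAEnabled
    New-Check 'VCF-MGMT-VCS-CLS-006' 'Host isolation response' 'PowerOff' $cluster.HAIsolationResponse
    New-Check 'VCF-MGMT-VCS-CLS-007' 'das.usedefaultisolationaddress' 'false' (Get-DasValue 'das.usedefaultisolationaddress')
    New-Check 'VCF-MGMT-VCS-CLS-008' 'Admission control enabled' 'True' $cluster.HAAdmissionControlEnabled
    New-Check 'VCF-MGMT-VCS-CLS-009/011' 'vSAN gateways missing from isolation addresses' '(none)' $missingText
    New-Check 'VCF-MGMT-VCS-CLS-013' 'das.iostatsinterval' '0' (Get-DasValue 'das.iostatsinterval')
)

$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled job or pipeline flag configuration drift.
if ($results.Compliant -contains $false) { exit 1 }
```

For a single availability zone, pass one gateway address; for a stretched cluster, pass the vSAN gateway of each zone so that the additional isolation address from VCF-MGMT-VCS-CLS-011 is checked as well.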

Table 18. Design Decisions on vSphere DRS for a Management Domain with a Single Availability Zone

Decision ID: VCF-MGMT-VCS-CLS-014
Design Decision: Enable vSphere DRS on all clusters, using the default fully automated mode with medium threshold.
Design Justification: Provides the best trade-off between load balancing and unnecessary migrations with vSphere vMotion.
Design Implication: If a vCenter Server outage occurs, the mapping from virtual machines to ESXi hosts might be difficult to determine.

Table 19. Design Decisions on vSphere DRS for a Management Domain with Multiple Availability Zones

Decision ID: VCF-MGMT-VCS-CLS-015
Design Decision: Create a host group for each availability zone and add the ESXi hosts in the zone to the respective group.
Design Justification: Makes it easier to manage which virtual machines run in which availability zone.
Design Implication: You must create and maintain VM-Host DRS group rules.

Decision ID: VCF-MGMT-VCS-CLS-016
Design Decision: Create a virtual machine group for each availability zone and add the VMs in the zone to the respective group.
Design Justification: Ensures that virtual machines are located only in the assigned availability zone to avoid unnecessary vSphere vMotion migrations.
Design Implication: You must add virtual machines to the allocated group manually.

Decision ID: VCF-MGMT-VCS-CLS-017
Design Decision: Create a should-run VM-Host affinity rule to run each group of virtual machines on the respective group of hosts in the same availability zone.
Design Justification: Ensures that virtual machines are located only in the assigned availability zone to avoid unnecessary vSphere vMotion migrations.
Design Implication: You must manually create the rules.

Table 20. Design Decisions on Enhanced vMotion Compatibility for the Management Domain

Decision ID: VCF-MGMT-VCS-CLS-018
Design Decision: Enable Enhanced vMotion Compatibility (EVC) on all clusters in the management domain.
Design Justification: Supports cluster upgrades without virtual machine downtime.
Design Implication: You can enable EVC only if the clusters contain hosts with CPUs from the same vendor.

Decision ID: VCF-MGMT-VCS-CLS-019
Design Decision: Set the cluster EVC mode to the highest available baseline that is supported for the lowest CPU architecture on the hosts in the cluster.
Design Justification: Supports cluster upgrades without virtual machine downtime.
Design Implication: None.

Information Security and Access Control Design

Table 21. Design Decisions on Certificate Management for the Management Domain vCenter Server

Decision ID: VCF-MGMT-VCS-SEC-001
Design Decision: Replace the default VMCA-signed certificate of the appliance of the management domain vCenter Server with a certificate that is signed by an internal certificate authority.
Design Justification: Ensures that the communication to the externally facing Web user interface and API to vCenter Server, and between vCenter Server and other management components, is encrypted.
Design Implication: Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificate requests.

Decision ID: VCF-MGMT-VCS-SEC-002
Design Decision: Use a SHA-2 algorithm or higher for signed certificates.
Design Justification: The SHA-1 algorithm is considered less secure and has been deprecated.
Design Implication: Not all certificate authorities support SHA-2 or higher.

Decision ID: VCF-MGMT-VCS-SEC-003
Design Decision: Perform SSL certificate life cycle management for vCenter Server by using SDDC Manager.
Design Justification: SDDC Manager provides automated SSL certificate lifecycle management rather than requiring a series of manual steps to be performed.
Design Implication: None.