Use this design decision list for reference related to SDDC Manager in an environment with a single or multiple VMware Cloud Foundation instances.

For full design details, see SDDC Manager Design.

Deployment Specification

Table 1. Design Decisions on the Deployment Model of SDDC Manager

VCF-MGMT-SDDC-CFG-001
  Design Decision: Deploy an SDDC Manager system in the first availability zone of the management domain.
  Design Justification: SDDC Manager is required to perform VMware Cloud Foundation capabilities, such as provisioning of VI workload domains, deployment of solutions, patching and upgrade, and others.
  Design Implication: None.

Table 2. Design Decisions on Sizing Resources for SDDC Manager

VCF-MGMT-SDDC-CFG-002
  Design Decision: Deploy SDDC Manager with its default configuration.
  Design Justification: The SDDC Manager appliance has a fixed configuration that should not be changed from its defaults.
  Design Implication: None.

Table 3. Design Decisions on Repository Access of SDDC Manager

VCF-MGMT-SDDC-CFG-003
  Design Decision: Connect SDDC Manager to the Internet for downloading software bundles.
  Design Justification: SDDC Manager must be able to download install and upgrade bundles from a repository for the deployment of VI workload domains and solutions, and for upgrades.
  Design Implication: The rules of your organization might not permit direct access to the Internet. In this case, you must download software bundles for SDDC Manager manually.

VCF-MGMT-SDDC-CFG-004
  Design Decision: Configure a network proxy to connect SDDC Manager to the Internet.
  Design Justification: Protects SDDC Manager against external attacks from the Internet.
  Design Implication: The proxy must not use authentication because SDDC Manager does not support using a proxy with authentication.

VCF-MGMT-SDDC-CFG-005
  Design Decision: To check for and download software bundles, configure SDDC Manager with a VMware Customer Connect account with VMware Cloud Foundation entitlement.
  Design Justification: Software bundles for VMware Cloud Foundation are stored in a repository that is secured with access controls.
  Design Implication: Requires the use of a VMware Customer Connect user account with access to VMware Cloud Foundation licensing.

Table 4. Design Decisions on Certificate Authority Integration for SDDC Manager

VCF-MGMT-SDDC-CFG-006
  Design Decision: Configure SDDC Manager with an external certificate authority that is responsible for providing signed certificates.
  Design Justification: Provides increased security by implementing signed certificate generation and replacement across the management components.
  Design Implication: An external certificate authority, such as Microsoft CA, must be locally available.

Network Design

Table 5. Design Decisions on Network Segments for SDDC Manager

VCF-MGMT-SDDC-NET-001
  Design Decision: Place the SDDC Manager appliance on the management VLAN network segment.
  Design Justification: Reduces the number of VLANs. You allocate a single VLAN to vCenter Server, NSX-T Data Center, SDDC Manager, and other SDDC management components.
  Design Implication: None.

Table 6. Design Decisions on the IP Addressing Scheme for SDDC Manager

VCF-MGMT-SDDC-NET-002
  Design Decision: Allocate a statically assigned IP address and host name to the SDDC Manager appliance in the management domain.
  Design Justification: Ensures stability across the SDDC, and makes the appliance simpler to maintain, to track, and to register in DNS.
  Design Implication: Requires precise IP address management.

Table 7. Design Decisions on Name Resolution for SDDC Manager

VCF-MGMT-SDDC-NET-003
  Design Decision: Configure forward and reverse DNS records for the SDDC Manager appliance, assigning the records to the child domain for the region.
  Design Justification: SDDC Manager is accessible by using a fully qualified domain name instead of by using IP addresses only.
  Design Implication: You must provide DNS records for the SDDC Manager appliance.

Table 8. Design Decisions on Time Synchronization for SDDC Manager

VCF-MGMT-SDDC-NET-004
  Design Decision: Configure time synchronization by using an internal NTP time source for the SDDC Manager appliance in the management domain.
  Design Justification: Prevents failures in the deployment of the SDDC Manager appliance.
  Design Implication:
    • An operational NTP service must be available to the environment.
    • All firewalls located between the SDDC Manager appliance and the NTP servers must allow NTP traffic on the required network ports.
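As an added pre-deployment check (example code written for this page, not VMware's own tooling), the following Python validates what decisions VCF-MGMT-SDDC-NET-001 through VCF-MGMT-SDDC-NET-003 require of a management appliance: its static IP address lies in the management VLAN subnet, its forward (A) and reverse (PTR) records agree, and its FQDN is registered in the regional child domain. The subnet, domain, host names and zone contents are constructed sample data.

```python
import ipaddress

# Constructed sample data (not from the VMware design): the management VLAN subnet, the
# regional child DNS domain, and the A/PTR zone contents as a DNS server would return them.
MGMT_SUBNET = ipaddress.ip_network("172.16.11.0/24")
REGION_CHILD_DOMAIN = "sfo01.example.com"
FORWARD_ZONE = {
    "sfo-vcf01.sfo01.example.com": "172.16.11.59",      # SDDC Manager, correct
    "sfo-m01-vc01.sfo01.example.com": "172.16.11.62",   # correct
    "sfo-m01-nsx01.sfo01.example.com": "172.16.11.66",  # PTR names a different host
    "sfo-vrslcm01.example.com": "172.16.11.80",         # registered in the parent domain
    "sfo-w01-vc01.sfo01.example.com": "172.16.12.62",   # outside management VLAN, no PTR
}
REVERSE_ZONE = {
    "172.16.11.59": "sfo-vcf01.sfo01.example.com",
    "172.16.11.62": "sfo-m01-vc01.sfo01.example.com",
    "172.16.11.66": "sfo-m01-nsx01a.sfo01.example.com",
    "172.16.11.80": "sfo-vrslcm01.example.com",
}


def check_appliance(fqdn, subnet=MGMT_SUBNET, child_domain=REGION_CHILD_DOMAIN,
                    forward=FORWARD_ZONE, reverse=REVERSE_ZONE):
    """Return the list of findings for one appliance; an empty list means it passes."""
    findings = []
    name = fqdn.lower().rstrip(".")
    if not name.endswith("." + child_domain.lower()):
        findings.append(f"{fqdn}: not registered in regional child domain {child_domain}")
    ip = forward.get(fqdn)
    if ip is None:
        # Without an A record nothing else can be verified.
        return findings + [f"{fqdn}: no forward (A) record"]
    if ipaddress.ip_address(ip) not in subnet:
        findings.append(f"{fqdn}: {ip} is outside the management segment {subnet}")
    ptr = reverse.get(ip)
    if ptr is None:
        findings.append(f"{fqdn}: no reverse (PTR) record for {ip}")
    elif ptr.lower().rstrip(".") != name:
        findings.append(f"{fqdn}: PTR for {ip} resolves to {ptr}, not {fqdn}")
    return findings


def check_all(fqdns, **kwargs):
    """Map each FQDN to its findings so a report can be printed or asserted on."""
    return {fqdn: check_appliance(fqdn, **kwargs) for fqdn in fqdns}


if __name__ == "__main__":
    for fqdn, findings in check_all(FORWARD_ZONE).items():
        print(f"[{'FAIL' if findings else 'OK'}] {fqdn}", *findings, sep="\n    ")
```

Running the module prints one OK/FAIL line per appliance with its findings indented underneath; in a real deployment the two zone dictionaries would be populated from the DNS servers instead of constructed inline.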

Life Cycle Management Design

Table 9. Design Decisions on Life Cycle Management of SDDC Manager

VCF-MGMT-SDDC-LCM-001
  Design Decision: Use SDDC Manager to manage its own life cycle.
  Design Justification: SDDC Manager supports management of its own life cycle.
  Design Implication: None.

Information Security and Access Control Design

Table 10. Design Decisions on Certificate Management for SDDC Manager

VCF-MGMT-SDDC-SEC-001
  Design Decision: Replace the default VMCA-signed certificate of the SDDC Manager appliance with a CA-signed certificate.
  Design Justification: Ensures that the communication to the externally facing Web user interface and API of SDDC Manager is encrypted.
  Design Implication: Replacing the default certificate with a trusted CA-signed certificate from a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered.

VCF-MGMT-SDDC-SEC-002
  Design Decision: Use a SHA-2 algorithm or stronger for signed certificates.
  Design Justification: The SHA-1 algorithm is considered less secure and has been deprecated.
  Design Implication: Not all certificate authorities support SHA-2.
