Use this design decision list for reference related to SDDC Manager in an environment with a single or multiple VMware Cloud Foundation instances.
For full design details, see SDDC Manager Design.
Deployment Specification

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-MGMT-SDDC-CFG-001 | Deploy an SDDC Manager system in the first availability zone of the management domain. | SDDC Manager is required to perform VMware Cloud Foundation capabilities, such as provisioning of VI workload domains, deployment of solutions, patching and upgrade, and others. | None. |

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-MGMT-SDDC-CFG-002 | Deploy SDDC Manager with its default configuration. | The configuration of SDDC Manager is not configurable and should not be changed from its defaults. | None. |

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-MGMT-SDDC-CFG-003 | Connect SDDC Manager to the Internet for downloading software bundles. | SDDC Manager must be able to download install and upgrade software bundles for deployment of VI workload domains and solutions, and for upgrade from a repository. | The rules of your organization might not permit direct access to the Internet. In this case, you must download software bundles for SDDC Manager manually. |
| VCF-MGMT-SDDC-CFG-004 | Configure a network proxy to connect SDDC Manager to the Internet. | To protect SDDC Manager against external attacks from the Internet. | The proxy must not use authentication because SDDC Manager does not support using a proxy with authentication. |
| VCF-MGMT-SDDC-CFG-005 | To check for and download software bundles, configure SDDC Manager with a VMware Customer Connect account with VMware Cloud Foundation entitlement. | Software bundles for VMware Cloud Foundation are stored in a repository that is secured with access controls. | Requires the use of a VMware Customer Connect user account with access to VMware Cloud Foundation licensing. |

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-MGMT-SDDC-CFG-006 | Configure SDDC Manager with an external certificate authority that is responsible for providing signed certificates. | Provides increased security by implementing signed certificate generation and replacement across the management components. | An external certificate authority, such as Microsoft CA, must be locally available. |

Network Design

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-MGMT-SDDC-NET-001 | Place the SDDC Manager appliance on the management VLAN network segment. | Reduces the number of VLANs. You allocate a single VLAN to vCenter Server, NSX-T Data Center, SDDC Manager, and other SDDC management components. | None. |

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-MGMT-SDDC-NET-002 | Allocate a statically assigned IP address and host name to the SDDC Manager appliance in the management domain. | Ensures stability across the SDDC, makes it simpler to maintain and track, and to implement a DNS configuration. | Requires precise IP address management. |

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-MGMT-SDDC-NET-003 | Configure forward and reverse DNS records for the SDDC Manager appliance, assigning the records to the child domain for the region. | SDDC Manager is accessible by using a fully qualified domain name instead of by using IP addresses only. | You must provide DNS records for the SDDC Manager appliance. |

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-MGMT-SDDC-NET-004 | Configure time synchronization by using an internal NTP time source for the SDDC Manager appliance in the management domain. | Prevents failures in the deployment of the SDDC Manager appliance. | |

Life Cycle Management Design

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-MGMT-SDDC-LCM-001 | Use SDDC Manager to manage its own life cycle. | SDDC Manager supports its own life cycle management. | None. |

Information Security and Access Control Design

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-MGMT-SDDC-SEC-001 | Replace the default VMCA-signed certificate of the SDDC Manager appliance with a CA-signed certificate. | Ensures that the communication to the externally facing Web user interface and API of SDDC Manager is encrypted. | Replacing the default certificate with a trusted CA-signed certificate from a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered. |
| VCF-MGMT-SDDC-SEC-002 | Use a SHA-2 algorithm or stronger for signed certificates. | The SHA-1 algorithm is considered less secure and has been deprecated. | Not all certificate authorities support SHA-2. |