vCenter Server Design Decisions for a Virtual Infrastructure Workload Domain

Use this design decision list for reference related to the vCenter Server configuration in an environment with a single or multiple VMware Cloud Foundation instances. The design also considers if an instance contains a single or multiple availability zones. The vCenter Server design also includes the configuration of a VI workload domain cluster.

The configuration tasks for most design decisions are automated in VMware Cloud Foundation. You must perform the configuration manually only for a limited number of decisions as noted in the design implication.

For full design details, see vCenter Server Design for a Virtual Infrastructure Workload Domain.

Deployment Specification

Table 1. Design Decisions on the Deployment Model for a VI Workload Domain vCenter Server
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-CFG-001	For each VI workload domain, deploy a dedicated vCenter Server system in the management domain.	Isolates vCenter Server failures to management or customer workloads. Isolates vCenter Server operations between management and business applications. Supports a scalable cluster design where you might reuse the management components as more customer workloads are added to the VM. Simplifies capacity planning for customer workloads because you do not consider management workloads for the VI workload domain vCenter Server. Improves the ability to upgrade the vSphere environment and related components by providing for explicit separation of maintenance windows: Management workloads remain available while you are upgrading the customer workloads Customer workloads remain available while you are upgrading the management nodes Supports clear separation of roles and responsibilities to ensure that only administrators with proper authorization can attend to the management workloads. Facilitates quicker troubleshooting and problem resolution. Simplifies disaster recovery operations by supporting a clear demarcation between recovery of the management components and customer workloads. Provides isolation of potential network issues by introducing network separation of the clusters in the SDDC.	None

Table 2. Design Decisions on Sizing a VI Workload Domain vCenter Server
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-CFG-002	Deploy a vCenter Server appliance of a medium deployment size or larger.	A vCenter Server appliance of a medium-deployment size is typically sufficient to manage customer workloads that run in a VI workload domain.	If the size of the VI workload domain grows, you might have to increase the size of the vCenter Server appliance.
VCF-WLD-VCS-CFG-003	Deploy the vCenter Server appliance with the default storage size.	The default storage capacity assigned to a medium-sized appliance is sufficient.	None.

Table 3. Design Decisions on Enhanced Linked Mode for a VI Workload Domain
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-CFG-004	Join all VI workload domains vCenter Server instances to a single vCenter Single Sign-On domain.	When all vCenter Server instances are joined to a single vCenter Single Sign-On domain, they can share authentication and license data across all components and regions.	Only one vCenter Single Sign-On domain exists. The number of linked vCenter Server instances in the same vCenter Single Sign-On domain is limited to 15. Because each VI workload domain can contain a single vCenter Server instance, one VMware Cloud Foundation instance can contain no more than 15 domains, including the management domain.
VCF-WLD-VCS-CFG-005	Create a ring topology between all the vCenter Server instances in the same VMware Cloud Foundation instance, including the management domain and all VI workload domains.	By default, one vCenter Server instance replicates only with another vCenter Server instance. This setup creates a single point of failure for replication. A ring topology ensures that each vCenter Server instance has two replication partners and removes any single point of failure.	None

Table 4. Design Decisions on High Availability of a VI Workload Domain vCenter Server
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-CFG-006	Protect the vCenter Server appliance by using vSphere HA.	Supports the availability objectives for vCenter Server appliances without requiring manual intervention if a failure occurs.	vCenter Server becomes unavailable during a vSphere HA failover.
VCF-WLD-VCS-CFG-007	In vSphere HA, set the restart priority policy for the vCenter Server appliance to high.	vCenter Server is the management and control plane for physical and virtual infrastructure. In a vSphere HA event, to ensure the rest of the SDDC management stack comes up faultlessly, VI workload domain vCenter Server must be available first, before the other management components come online.	If the restart priority for another virtual machines is set to highest, the connectivity delays for management components will be longer.

Network Design

Table 5. Design Decisions on the Network Segment for a VI Workload Domain vCenter Server
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-NET-001	Place the appliance of the VI workload domain vCenter Server on the management VLAN network segment.	Reduces the number of VLANs needed as a single VLAN can be allocated for both vCenter Server and NSX-T for Data Center management components.	None.

Table 6. Design Decisions on the IP Addressing Scheme for a VI Workload Domain vCenter Server
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-NET-002	Allocate a statically assigned IP address and host name to the appliance of the VI workload domain vCenter Server.	Ensures stability across the SDDC, makes it simpler to maintain and track, and to implement a DNS configuration.	Requires precise IP address management.

Table 7. Design Decisions on Name Resolution for a VI Workload Domain vCenter Server
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-NET-003	Configure forward and reverse DNS records for the appliance of the VI workload domain vCenter Server.	The vCenter Server appliance is accessible by using a fully qualified domain name instead of by using IP addresses only.	You must provide DNS records for the VI workload domain vCenter Server appliance in each region.

Table 8. Design Decisions on Time Synchronization for a VI Workload Domain vCenter Server
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-NET-004	Configure time synchronization using an internal NTP time for the appliance for the VI workload domain vCenter Server.	Prevents from failures in the deployment of the vCenter Server appliance on an ESXi host if the host is not using NTP. Discards the requirement to provide Internet connectivity to an external NTP server.	An operational NTP service must be available to the environment. All firewalls between the vCenter Server appliance and the NTP servers must allow NTP traffic on the required network ports.

Life Cycle Management Design

Table 9. Design Decisions on Life Cycle Management of a VI Workload Domain vCenter Server
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-LCM-001	Use SDDC Manager to perform the life cycle management of the VI workload domain vCenter Server.	Because the deployment scope of SDDC Manager covers the full SDDC stack, SDDC Manager performs patching, update, or upgrade of the VI workload domain as a single process. Performing life cycle management tasks by using vCenter Server directly might cause issues in SDDC Manager.	The operations team must understand and be aware of the impact of a patch, segmentation, or upgrade operation by using SDDC Manager.

vSphere Cluster Design

Table 10. Design Decisions on the Cluster Configuration in a VI Workload Domain with a Single Availability Zone
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-CLS-001	Create a shared edge and workload vSphere cluster in the VI workload domain.	Simplifies configuration by isolating tenant workloads from management workloads. Ensures that management workloads have no impact on tenant workloads. You can add ESXi hosts to the cluster as needed.	Management of multiple clusters and vCenter Server instances increases operational overhead.
VCF-WLD-VCS-CLS-002	If using vSAN as the principal storage, create the shared edge and workload cluster in the VI workload domain with a minimum of 4 ESXi hosts.	Allocating 4 ESXi hosts provides N+1 redundancy for the cluster to protect against host failure. Having 4 ESXi hosts also guarantees vSAN and NSX-T Data Center redundancy during availability zone outages or maintenance operations.	To support redundancy, you must allocate additional ESXi host resources.

Table 11. Design Decisions on the Cluster Configuration in a VI Workload Domain with Multiple Availability Zones
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-CLS-003	Add 4 ESXi hosts to create the second availability zone of a shared edge and workload cluster in the VI workload domain. The total number of ESXi hosts in the shared edge and workload cluster of the VI workload domain across the two availability zones is eight.	Allocating 4 ESXi hosts provides N+1 redundancy for each availability zone in the cluster to protect against host failure. Having 4 ESXi hosts in each availability zone guarantees vSAN and NSX-T Data Center redundancy during availability zone outages or maintenance operations.	To support redundancy, you must allocate additional ESXi host resources.

Table 12. Design Decisions on the Configuration for a VI Workload Domain Cluster for Multiple VMware Cloud Foundation Instances
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-CLS-004	In each additional VMware Cloud Foundation instance, create the shared edge and workload cluster in the VI workload domain with a minimum of 4 ESXi hosts, when using vSAN as the principal storage.	Allocating 4 ESXi hosts provides N+1 redundancy for the cluster. Having 4 ESXi hosts guarantees vSAN and NSX redundancy during maintenance operations.	To support redundancy, you must allocate additional ESXi host resources .

Table 13. Design Decisions on vSphere Availability for a VI Workload Domain Cluster
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-CLS-005	Use vSphere HA to protect all virtual machines against failures.	vSphere HA supports a robust level of protection for both ESXi host and virtual machine availability.	You must provide sufficient resources on the remaining hosts so that virtual machines can be migrated to those hosts in the event of a host outage.
VCF-WLD-VCS-CLS-006	Set host isolation response to `Power Off and restart VM` in vSphere HA.	vSAN requires that the host isolation response be set to Power Off and to restart virtual machines on available ESXi hosts.	If a false positive event occurs, virtual machines are powered off and an ESXi host is declared isolated incorrectly.
VCF-WLD-VCS-CLS-007	Set the advanced cluster setting `das.usedefaultisolationaddress` to false.	Ensures that vSphere HA uses the manual isolation addresses instead of the default management network gateway address.	You must configure this parameter manually.

Table 14. Design Decisions on the Admission Control Policy for a Cluster in a VI Workload Domain with a Single Availability Zone
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-CLS-008	Configure admission control for 1 ESXi host failure and percentage-based failover capacity.	Using the percentage-based reservation works well in situations where virtual machines have varying and sometimes significant CPU or memory reservations. vSphere automatically calculates the reserved percentage according to the number of ESXi host failures to tolerate and the number of ESXi hosts in the cluster.	In a cluster of 4 ESXi hosts, the resources of only 3 ESXi hosts are available for use.
VCF-WLD-VCS-CLS-009	Set the isolation address for the cluster to the gateway IP address for the vSAN network.	Allows vSphere HA to validate complete network isolation if a connection failure occurs on an ESXi host.	You must configure the isolation address manually.

Table 15. Design Decisions on the Admission Control Policy for a Cluster in a VI Workload Domain with Multiple Availability Zones
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-CLS-010	Increase admission control percentage to the half of the ESXi hosts in the cluster.	Allocating only half of a stretched cluster ensures that all VMs have enough resources if an availability zone outage occurs.	In a cluster of 8 ESXi hosts, the resources of only 4 ESXi hosts are available for use. If you add more ESXi hosts to the cluster, add them in pairs, one per availability zone.
VCF-WLD-VCS-CLS-011	Set an additional isolation address to the vSAN network gateway in the second availability zone.	Allows vSphere HA to validate complete network isolation if a connection failure occurs on an ESXi host or between availability zones.	None.

Table 16. Design Decisions on the VM and Application Monitoring Service for a VI Workload Domain
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-CLS-012	Enable VM Monitoring for each cluster.	VM Monitoring provides in-guest protection for most VM workloads. The application or service running on the virtual machine must be capable of restarting successfully after a reboot or the virtual machine restart is not sufficient.	None.
VCF-WLD-VCS-CLS-013	Set the advanced cluster setting `das.iostatsinterval` to 0 to deactivate monitoring the storage and network I/O activities of the management and workload appliances in the cluster.	The NSX Edge appliances in the cluster are restarted when an OS failure occurs and heartbeats are not received from VMware Tools instead of waiting additionally for the I/O check to complete. I/O monitoring is deactivated for the workload virtual machines too.	You must manually enable I/O monitoring by configuring the `das.iostatsinterval` advanced setting.

Table 17. Design Decisions on vSphere DRS in a VI Workload Domain with a Single Availability Zone
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-CLS-014	Enable vSphere DRS on all clusters, using the default fully automated mode with medium threshold.	Provides the best trade-off between load balancing and unnecessary migrations with vSphere vMotion.	If a vCenter Server outage occurs, the mapping from virtual machines to ESXi hosts might be difficult to determine.

Table 18. Design Decisions on vSphere DRS in a VI Workload Domain with Multiple Availability Zones
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-CLS-015	Create a host group for each availability zone and add the ESXi hosts in the zone to the respective group.	Makes it easier to manage which virtual machines run in which availability zone.	You must create and maintain VM-Host DRS group rules.
VCF-WLD-VCS-CLS-016	Create a virtual machine group for each availability zone and add the VMs in the zone to the respective group.	Ensures that virtual machines are located only in the assigned availability zone to avoid unnecessary vSphere vMotion operations.	You must add virtual machines to the allocated group manually.
VCF-WLD-VCS-CLS-017	Create a should-run VM-Host affinity rule to run each group of virtual machines on the respective group of hosts in the same availability zone.	Ensures that virtual machines are located only in the assigned availability zone to avoid unnecessary vSphere vMotion migrations.	You must manually create the rules.

Table 19. Design Decisions on Enhanced vMotion Compatibility for a VI Workload Domain
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-CLS-018	Enable Enhanced vMotion Compatibility (EVC) on all clusters in the VI workload domain.	Supports cluster upgrades without virtual machine downtime.	You can enable EVC only if the clusters contain hosts with CPUs from the same vendor.
VCF-WLD-VCS-CLS-019	Set the cluster EVC mode to the highest available baseline that is supported for the lowest CPU architecture on the hosts in the cluster.	Supports cluster upgrades without virtual machine downtime.	None.

Information Security and Access Control Design

Table 20. Design Decisions on Certificate Management for a VI Workload Domain vCenter Server
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-SEC-001	Replace the default VMCA-signed certificate of the appliance of the VI workload domain vCenter Server with a CA-signed certificate.	Ensures that the communication to the externally facing Web user interface and API to vCenter Server, and between vCenter Server and other management components is encrypted.	Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificates requests.
VCF-WLD-VCS-SEC-002	Use a SHA-2 algorithm or higher when signing certificates.	The SHA-1 algorithm is considered less secure and has been deprecated.	Not all certificate authorities support SHA-2.
VCF-WLD-VCS-SEC-003	Perform SSL certificate life cycle management for vCenter Server by using SDDC Manager.	SDDC Manager provides automated SSL certificate life cycle management rather than requiring a series of manual steps to be performed.	None.