Use this design decision list for reference related to the ESXi host configuration in an environment with a single or multiple VMware Cloud Foundation instances. The decisions determine the ESXi hardware configuration, networking, life cycle management and remote access.

For full design details, see ESXi Design for a Virtual Infrastructure Workload Domain.

Deployment Specification

Table 1. Design Decisions on ESXi Server Hardware

Decision ID: VCF-WLD-ESX-CFG-001
Design Decision: For vSAN principal storage, use vSAN ReadyNodes for each ESXi host in the cluster in the VI workload domain.
Design Justification: Your VI workload domain is fully compatible with vSAN at deployment. For information about the models of physical servers that are vSAN-ready, see vSAN Compatibility Guide for vSAN ReadyNodes.
Design Implication: Hardware choices might be limited. If you plan to use a server configuration that is not a vSAN ReadyNode, your CPU, disks, and I/O modules must be listed on the VMware Compatibility Guide under CPU Series and vSAN Compatibility List, aligned to the ESXi version specified in the VMware Cloud Foundation 4.5 Release Notes.

Decision ID: VCF-WLD-ESX-CFG-002
Design Decision: Allocate hosts with a uniform configuration across the cluster in the VI workload domain.
Design Justification: A balanced cluster has these advantages:
  • Predictable performance even during hardware failures
  • Minimal impact of resync or rebuild operations on performance
Design Implication: You must apply vendor sourcing, budgeting, and procurement considerations for uniform server nodes on a per-cluster basis.

Table 2. Design Decisions on the ESXi Memory Size

Decision ID: VCF-WLD-ESX-CFG-003
Design Decision: In a cluster in the VI workload domain, install each ESXi host with a minimum of 256 GB RAM.
Design Justification: Each of the two large-size NSX Edge appliances in this vSphere cluster of the VI workload domain requires 32 GB RAM. The remaining RAM is available for customer workloads.
Design Implication: In a four-node cluster, only 768 GB is available for use because the host redundancy in vSphere HA is configured to N+1.

Table 3. Design Decisions on the Boot Device of the ESXi Hosts

Decision ID: VCF-WLD-ESX-CFG-004
Design Decision: Install and configure all ESXi hosts in the VI workload domain cluster to boot using a 32-GB device or greater.
Design Justification: Provides hosts with large memory, that is, greater than 512 GB, with enough space for the core dump partition while using vSAN.
Design Implication: When you use SATA-DOM or SD devices, the scratch partition and ESXi logs are not retained locally. Configure the scratch partition of each ESXi host on supplemental storage.

Table 4. Design Decisions on the Virtual Machine Swap Configuration of the ESXi Hosts

Decision ID: VCF-WLD-ESX-CFG-005
Design Decision: For customer workloads running in the VI workload domain cluster, save the virtual machine swap file at the default location.
Design Justification: Simplifies the configuration process.
Design Implication: Increases the amount of on-disk storage required to host the entire virtual machine state.

Network Design

Table 5. Design Decisions on the Network Segments for the ESXi Hosts

Decision ID: VCF-WLD-ESX-NET-001
Design Decision: Place the ESXi hosts in the VI workload domain cluster on a new VLAN-backed management network segment dedicated to the VI workload domain.
Design Justification:
  • Physical VLAN security separation is achieved between the VI workload domain ESXi hosts and the other management components in the management domain.
  • Reduces the number of VLANs needed, because a single VLAN can be allocated for both the ESXi hosts and the NSX Edge nodes in the shared edge and workload cluster.
Design Implication: A new VLAN and a new subnet are required for the VI workload domain management network.

Table 6. Design Decisions on the IP Addressing Scheme for the ESXi Hosts

Decision ID: VCF-WLD-ESX-NET-002
Design Decision: Allocate statically assigned IP addresses and host names across all ESXi hosts in the VI workload domain cluster.
Design Justification: Ensures stability across the SDDC and makes the hosts simpler to maintain and easier to track.
Design Implication: Requires precise IP address management.

Table 7. Design Decisions on Name Resolution for the ESXi Hosts

Decision ID: VCF-WLD-ESX-NET-003
Design Decision: Configure forward and reverse DNS records for each ESXi host in the VI workload domain cluster.
Design Justification: All ESXi hosts are accessible by using a fully qualified domain name instead of by using IP addresses only.
Design Implication: You must provide DNS records for each ESXi host.

Table 8. Design Decisions on Time Synchronization for the ESXi Hosts

Decision ID: VCF-WLD-ESX-NET-004
Design Decision: Configure time synchronization by using an internal NTP time source across all ESXi hosts in the VI workload domain cluster.
Design Justification: Ensures consistent time across all devices in the environment, which can be critical for proper root cause analysis and auditing.
Design Implication: An operational NTP service must be available in the environment.

Decision ID: VCF-WLD-ESX-NET-005
Design Decision: Set the NTP service policy to Start and stop with host across all ESXi hosts in the VI workload domain cluster.
Design Justification: Ensures that the NTP service is available right after you restart an ESXi host.
Design Implication: None.
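The network decisions VCF-WLD-ESX-NET-002 through NET-005 are the kind of settings that drift after a host is rebuilt or re-added, so they are worth auditing mechanically. The following PowerCLI script is an added example written for this page; it is not part of the VMware design guide or of VMware Cloud Foundation. It assumes VMware PowerCLI is installed, that the vCenter Server name, cluster name and NTP host names shown are placeholders to be replaced, and that vmk0 is the management VMkernel adapter of each host (the PowerCLI default, but an assumption here). The cmdlets used (Get-VMHostNetworkAdapter, Get-VMHostNtpServer, Get-VMHostService) are standard PowerCLI; the forward and reverse DNS checks use the .NET Dns class so they run from any management workstation.

```powershell
# Added example (not from the VMware design guide): audit VCF-WLD-ESX-NET-002..005
# for every ESXi host in a VI workload domain cluster by using VMware PowerCLI.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcenter.example.com' | Out-Null     # placeholder vCenter Server name

$ClusterName = 'wld01-cluster01'                                # placeholder cluster name
$ExpectedNtp = @('ntp01.example.com', 'ntp02.example.com')      # placeholder internal NTP sources (NET-004)

function Test-EsxiHostNetworkDesign {
    param($VMHost)
    $findings = @()

    # NET-002: the management VMkernel adapter must hold a static address, not a DHCP lease.
    $vmk0 = Get-VMHostNetworkAdapter -VMHost $VMHost -VMKernel | Where-Object { $_.Name -eq 'vmk0' }
    if ($vmk0.DhcpEnabled) { $findings += 'NET-002: vmk0 obtains its address from DHCP' }

    # NET-003: the host name must be an FQDN and the forward and reverse records must agree with vmk0.
    $fqdn = $VMHost.Name
    if ($fqdn -notmatch '\.') { $findings += "NET-003: '$fqdn' is not a fully qualified domain name" }
    try {
        $forward = [System.Net.Dns]::GetHostAddresses($fqdn) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
        if ($forward.IPAddressToString -ne $vmk0.IP) {
            $findings += "NET-003: forward record '$forward' does not match vmk0 address $($vmk0.IP)"
        }
        $reverse = [System.Net.Dns]::GetHostEntry($vmk0.IP).HostName
        if ($reverse -ne $fqdn) { $findings += "NET-003: reverse record '$reverse' does not match '$fqdn'" }
    } catch { $findings += "NET-003: DNS lookup failed: $($_.Exception.Message)" }

    # NET-004: only the approved internal NTP sources may be configured on the host.
    $ntp = @(Get-VMHostNtpServer -VMHost $VMHost)
    if ($ntp.Count -eq 0) {
        $findings += 'NET-004: no NTP server is configured'
    } elseif (Compare-Object -ReferenceObject $ExpectedNtp -DifferenceObject $ntp) {
        $findings += "NET-004: NTP servers are [$($ntp -join ', ')], expected [$($ExpectedNtp -join ', ')]"
    }

    # NET-005: ntpd policy 'On' is PowerCLI's name for "Start and stop with host"; it must also be running.
    $ntpd = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'ntpd' }
    if ($ntpd.Policy -ne 'On') { $findings += "NET-005: ntpd policy is '$($ntpd.Policy)', expected 'On'" }
    if (-not $ntpd.Running) { $findings += 'NET-005: ntpd service is not running' }

    [pscustomobject]@{ Host = $fqdn; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

Get-Cluster -Name $ClusterName | Get-VMHost |
    ForEach-Object { Test-EsxiHostNetworkDesign -VMHost $_ } | Format-List
```

The script only reports; it changes nothing on the hosts, so it can be run from a read-only vCenter role as a pre-check before handing a cluster to SDDC Manager. A host with Compliant = False lists every decision it violates, which is more useful for a hand-off than a single pass/fail.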

Life Cycle Management Design

Table 9. Design Decisions on Life Cycle Management of the ESXi Hosts

Decision ID: VCF-WLD-ESX-LCM-001
Design Decision: Use SDDC Manager to perform the life cycle management of ESXi hosts in the VI workload domain cluster.
Design Justification: SDDC Manager has a greater awareness of the full SDDC solution and therefore handles the patch update or upgrade of the VI workload domain as a single process. Directly performing life cycle management tasks on an ESXi host or through vCenter Server has the potential to cause issues within SDDC Manager.
Design Implication: The operations team must understand and be aware of the impact of performing a patch or upgrade by using SDDC Manager.

Information Security and Access Control

Table 10. Design Decisions on ESXi Host Access

Decision ID: VCF-WLD-ESX-SEC-001
Design Decision: Deactivate SSH access on all ESXi hosts in a VI workload domain cluster by stopping the SSH service and using the default SSH service policy Start and stop manually.
Design Justification: Ensures compliance with the vSphere Security Configuration Guide and with security best practices. Disabling SSH access reduces the risk of security attacks on the ESXi hosts through the SSH interface.
Design Implication: You must enable SSH access manually for troubleshooting or support activities.

Decision ID: VCF-WLD-ESX-SEC-002
Design Decision: Set the advanced setting UserVars.SuppressShellWarning to 0 across all ESXi hosts in a VI workload domain cluster.
Design Justification: Ensures compliance with the vSphere Security Configuration Guide and with security best practices. A warning appears in the vSphere Client every time SSH access is enabled on an ESXi host, drawing the administrator's attention.
Design Implication: You must suppress SSH enablement warnings manually when performing troubleshooting or support activities.

Table 11. Design Decisions on Certificate Management for the ESXi Hosts

Decision ID: VCF-WLD-ESX-SEC-003
Design Decision: Regenerate the certificate of each ESXi host after assigning the host an FQDN.
Design Justification: Establishes a secure connection with SDDC Manager during the deployment of the VI workload domain and prevents man-in-the-middle (MiTM) attacks.
Design Implication: You must manually regenerate the certificates of the ESXi hosts before the deployment of the VI workload domain.
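Decisions VCF-WLD-ESX-SEC-001 through SEC-003 are all host-local settings that an administrator can undo during a support session and forget to revert. The PowerCLI script below is an added example written for this page, not code from the VMware design guide or from VMware Cloud Foundation. It audits the SSH service state and policy (SEC-001) and UserVars.SuppressShellWarning (SEC-002), optionally puts them back to the design values when run with -Remediate, and for SEC-003 reads the certificate each host presents on TCP 443 to confirm it was issued for the host's FQDN, since a certificate still carrying the pre-rename name is exactly what the regeneration step is meant to fix. The vCenter Server and cluster names are placeholders; the cmdlets (Get-VMHostService, Set-VMHostService, Stop-VMHostService, Get-AdvancedSetting, Set-AdvancedSetting) are standard PowerCLI; the service key TSM-SSH and the policy value Off (PowerCLI's name for Start and stop manually) are standard ESXi values.

```powershell
# Added example (not from the VMware design guide): audit and optionally remediate
# VCF-WLD-ESX-SEC-001 and SEC-002, and check the host certificate for SEC-003, via PowerCLI.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcenter.example.com' | Out-Null     # placeholder vCenter Server name
$ClusterName = 'wld01-cluster01'                                # placeholder cluster name

function Get-HostTlsCertificate {
    # Reads the certificate a host presents on TCP 443. The callback accepts any certificate
    # only so the handshake completes and we can inspect it; this is an audit read, not a trust decision.
    param([string]$HostName)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-EsxiHostAccessDesign {
    param($VMHost, [switch]$Remediate)
    $findings = @()

    # SEC-001: SSH (service key TSM-SSH) must be stopped with policy 'Off' (Start and stop manually).
    $ssh = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'TSM-SSH' }
    if ($ssh.Running) {
        $findings += 'SEC-001: SSH service is running'
        if ($Remediate) { Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
    }
    if ($ssh.Policy -ne 'Off') {
        $findings += "SEC-001: SSH policy is '$($ssh.Policy)', expected 'Off'"
        if ($Remediate) { Set-VMHostService -HostService $ssh -Policy Off | Out-Null }
    }

    # SEC-002: UserVars.SuppressShellWarning must be 0 so the shell-enabled warning stays visible.
    $setting = Get-AdvancedSetting -Entity $VMHost -Name 'UserVars.SuppressShellWarning'
    if ([int]$setting.Value -ne 0) {
        $findings += "SEC-002: UserVars.SuppressShellWarning is $($setting.Value), expected 0"
        if ($Remediate) { Set-AdvancedSetting -AdvancedSetting $setting -Value 0 -Confirm:$false | Out-Null }
    }

    # SEC-003: the certificate must be issued for the host FQDN; otherwise it must be regenerated
    # (the script reports this but does not regenerate certificates).
    try {
        $cert = Get-HostTlsCertificate -HostName $VMHost.Name
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($dnsName -ne $VMHost.Name) {
            $findings += "SEC-003: certificate is issued to '$dnsName', not '$($VMHost.Name)'; regenerate it"
        }
        if ($cert.NotAfter -lt (Get-Date)) { $findings += "SEC-003: certificate expired on $($cert.NotAfter)" }
    } catch { $findings += "SEC-003: could not read the host certificate: $($_.Exception.Message)" }

    [pscustomobject]@{ Host = $VMHost.Name; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Report only; add -Remediate to restore the SEC-001 and SEC-002 design values on non-compliant hosts.
Get-Cluster -Name $ClusterName | Get-VMHost |
    ForEach-Object { Test-EsxiHostAccessDesign -VMHost $_ } | Format-List
```

Findings are recorded before any remediation runs, so the output doubles as a record of what was out of compliance when the script ran. The -Remediate switch deliberately covers only the two settings the page tells you to restore after a support session; certificate regeneration is left as the manual step the design implication describes.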