For traffic segmentation in VMware Cloud Foundation, you place NSX Manager for the VI workload domain in the management domain on the management VLAN and decide on the IP addressing scheme and name resolution for optimal support for the SDDC tenant workloads.

Network Segment

For secure access to the ESXi hosts and vCenter Server, in each VMware Cloud Foundation instance, NSX Manager for the VI workload domain is connected to the management VLAN segment in the management domain.

Table 1. Design Decisions on the Network Segment for NSX Manager

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-WLD-NSX-PHY-007 | Place the appliances of the NSX Manager cluster on the management VLAN in the management domain. | Provides a direct, secure connection to the ESXi hosts and vCenter Server for edge node management and distributed network services. Reduces the number of required VLANs because a single VLAN can be allocated to both vCenter Server and NSX-T Data Center. | None. |

IP Addressing Scheme

You must assign a static IP address to the NSX Manager for the VI workload domain. Following industry best practices, VMware Cloud Foundation does not allow using DHCP to assign IP addresses to management components.

Table 2. Design Decisions on the IP Addressing Scheme for NSX Manager

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-WLD-NSX-NET-001 | Allocate a statically assigned IP address and host name to the nodes of the NSX Manager cluster. | Ensures stability across the SDDC, simplifies maintenance and tracking, and makes it simpler to implement a DNS configuration. | Requires precise IP address management. |

Name Resolution

Name resolution provides the translation between an IP address and a fully qualified domain name (FQDN), which makes it easier to remember and connect to components across the VMware Cloud Foundation instance. Each IP address must have a valid internal DNS registration that includes forward and reverse name resolution. NSX Manager must be connected to the following components:

  • VI workload domain vCenter Server

  • Each ESXi host

  • NSX Edge cluster

  • NSX Global Manager cluster if your environment is configured with NSX Federation for customer workloads

  • Internal DNS servers for name resolution of other management components

Table 3. Design Decisions on Name Resolution for NSX Manager

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-WLD-NSX-NET-002 | Configure forward and reverse DNS records for the nodes of the NSX Manager cluster for the VI workload domain. | The NSX Manager nodes and VIP address are accessible by using fully qualified domain names instead of by using IP addresses only. | You must provide DNS records for the NSX Manager nodes for the VI workload domain in each VMware Cloud Foundation instance. |
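
The requirements in VCF-WLD-NSX-NET-001 and VCF-WLD-NSX-NET-002 can be checked against an address plan before deployment. The following Python check is an added example, not part of the VMware documentation; the host names, the 192.0.2.0/24 subnet and the sample DNS data are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import socket

# Constructed sample plan: names, addresses and subnet are placeholders.
MGMT_SUBNET = "192.0.2.0/24"
PLAN = {
    "wld-nsx01.example.com": "192.0.2.70",   # cluster VIP
    "wld-nsx01a.example.com": "192.0.2.71",
    "wld-nsx01b.example.com": "192.0.2.72",
    "wld-nsx01c.example.com": "192.0.2.73",
}
# Constructed DNS data standing in for the internal DNS servers.
SAMPLE_A = dict(PLAN)
SAMPLE_PTR = {ip: name for name, ip in PLAN.items() if ip != "192.0.2.73"}  # node c has no PTR

def check_plan(plan, subnet, forward, reverse):
    """Return a list of findings; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(subnet)
    findings, owner = [], {}
    for fqdn, ip in plan.items():
        if ipaddress.ip_address(ip) not in net:
            findings.append(f"{fqdn}: {ip} is outside {net}")
        if ip in owner:
            findings.append(f"{fqdn}: {ip} is already assigned to {owner[ip]}")
        owner.setdefault(ip, fqdn)
        a_record = forward(fqdn)
        if a_record != ip:
            findings.append(f"{fqdn}: forward record is {a_record}, expected {ip}")
        ptr = reverse(ip)
        if ptr is None or ptr.rstrip(".").lower() != fqdn.lower():
            findings.append(f"{ip}: reverse record is {ptr}, expected {fqdn}")
    return findings

def live_forward(fqdn):  # system resolver; None when the name does not resolve
    try:
        return socket.gethostbyname(fqdn)
    except OSError:
        return None

def live_reverse(ip):  # system resolver; None when no PTR record exists
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

if __name__ == "__main__":
    # Pass live_forward and live_reverse instead to query the real DNS servers.
    for line in check_plan(PLAN, MGMT_SUBNET, SAMPLE_A.get, SAMPLE_PTR.get) or ["plan is consistent"]:
        print(line)
```

With the constructed data, the only finding is the missing reverse record for the third node.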

Time Synchronization

Time synchronization provided by the Network Time Protocol (NTP) is important to ensure that all components within the SDDC are synchronized to the same time source.

Table 4. Design Decisions on Time Synchronization for NSX Manager

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-WLD-NSX-NET-003 | Configure NTP on each NSX Manager appliance. | NSX Manager depends on time synchronization. | None. |