Use this design decision list for reference related to vRealize Suite Lifecycle Manager in an environment with a single or multiple VMware Cloud Foundation instances.
The deployment and configuration tasks for most design decisions are automated in VMware Cloud Foundation. You must perform the configuration manually only for a limited number of decisions as noted in the design implication.
For full design details, see vRealize Suite Lifecycle Manager Design.
Deployment Specification
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-CFG-001 |
Deploy a vRealize Suite Lifecycle Manager instance in the management domain of the first VMware Cloud Foundation instance to provide life cycle management for the following components:
|
Provides life cycle management operations for vRealize Suite applications and Workspace ONE Access. |
You must ensure that the required resources are available. |
VCF-VRS-vRSLCM-CFG-002 |
In each additional VMware Cloud Foundation instance, deploy a vRealize Suite Lifecycle Manager instance in the management domain to provide life cycle management for the following components:
|
Provides life cycle management operations in VMware Cloud Foundation mode for vRealize Suite application components that are isolated to the specific VMware Cloud Foundation instance. |
You must ensure the required resources are available. |
VCF-VRS-vRSLCM-CFG-003 |
Protect vRealize Suite Lifecycle Manager by using vSphere High Availability. |
Supports the availability objectives for vRealize Suite Lifecycle Manager without requiring manual intervention during a failure event. |
None. |
VCF-VRS-vRSLCM-CFG-004 |
Deploy vRealize Suite Lifecycle Manager by using SDDC Manager. |
|
None. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-CFG-005 |
Add the vRealize Suite Lifecycle Manager appliance to the VM group for first availability zone. |
Ensures that, by default, the vRealize Suite Lifecycle Manager appliance is powered on a host in the first availability zone. |
If vRealize Suite Lifecycle Manager is deployed after the creation of the stretched management cluster, you must add the vRealize Suite Lifecycle Manager appliance to the VM group manually. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-CFG-006 |
Increase the initial storage of the vRealize Suite Lifecycle Manager appliance with 100 GB. |
|
You must allocate sufficient storage to accommodate this increase. |
Network Design
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-NET-001 |
Place the vRealize Suite Lifecycle Manager appliance on an overlay-backed (recommended) or VLAN-backed NSX network segment. |
Provides a consistent deployment model for management applications. |
You must use an implementation in NSX-T Data Center to support this networking configuration. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-NET-002 |
Allocate a statically assigned IP address and host name to the vRealize Suite Lifecycle Manager virtual appliance. |
Using statically assigned IP addresses ensures stability across the SDDC and makes it simpler to maintain and easier to track. |
Requires precise IP address management. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-NET-003 |
Configure forward and reverse DNS records for the vRealize Suite Lifecycle Manager appliance. |
vRealize Suite Lifecycle Manager is accessible by using a fully qualified domain name instead of by using the IP address only. |
You must provide DNS records for the vRealize Suite Lifecycle Manager appliance. |
VCF-VRS-vRSLCM-NET-004 |
Configure the DNS settings for the vRealize Suite Lifecycle Manager appliance to use DNS servers from its corresponding VMware Cloud Foundation instance. |
vRealize Suite Lifecycle Manager requires DNS resolution to connect to SDDC Components. |
None. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-NET-005 |
Configure the DNS settings for the vRealize Suite Lifecycle Manager appliance to use DNS servers in each instance. |
vRealize Suite Lifecycle Manager can resolve DNS from local DNS servers during a planned migration or disaster recovery between VMware Cloud Foundation instances. |
As you scale from a deployment with a single VMware Cloud Foundation instance to one with multiple VMware Cloud Foundation instances, the DNS settings the vRealize Suite Lifecycle Manager appliance must be updated. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-NET-006 |
Configure the NTP settings for the vRealize Suite Lifecycle Manager appliance to use NTP servers in the first VMware Cloud Foundation instance. |
vRealize Suite Lifecycle Manager depends on time synchronization. |
None. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-NET-007 |
Configure the NTP settings for the vRealize Suite Lifecycle Manager appliance to use NTP servers in each VMware Cloud Foundation instance. |
vRealize Suite Lifecycle Manager can query NTP from local NTP servers to synchronize time during a planned migration or disaster recovery between the VMware Cloud Foundation instances. |
As you scale from a deployment with a single VMware Cloud Foundation instance to one with multiple VMware Cloud Foundation instances, the NTP settings on the vRealize Suite Lifecycle Manager appliance must be updated. |
Life Cycle Management Design
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-LCM-001
|
Use vRealize Suite Lifecycle Manager to manage its own life cycle. |
|
None. |
Life Cycle Operations Design
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-ENV-001 |
Obtain product binaries for install, patch, and upgrade in vRealize Suite Lifecycle Manager by using local product upload or VMware Customer Connect. |
|
You must use support packs (PSPAKS) for vRealize Suite Lifecycle Manager to enable upgrading to newer version of vRealize Suite products. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-ENV-002 |
|
You can deploy and manage the integrated vRealize Suite components across the SDDC as a group. |
None. |
VCF-VRS-vRSLCM-ENV-003 |
|
Supports deployment and management of vRealize Suite products that are instance-specific, such as vRealize Log Insight. |
You must manage a separate data center object for the products that are specific to each instance. |
VCF-VRS-vRSLCM-ENV-004 |
Create a global environment in vRealize Suite Lifecycle Manager to support the deployment of workspace ONE Access. |
A global environment is required by vRealize Suite Lifecycle Manager to deploy Workspace ONE Access. |
None. |
VCF-VRS-vRSLCM-ENV-005 |
Create a cross-instance environment in vRealize Suite Lifecycle Manager to support the deployment of:
|
|
You can manage instance-specific components, such as remote collectors, only in an environment that is cross-instance. |
VCF-VRS-vRSLCM-CFG-006 |
In vRealize Suite Lifecycle Manager, create a local-instance environment to support the deployment of:
|
Supports the deployment of an instance of vRealize Log Insight. |
None. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-ENV-007 |
Assign the management domain vCenter Server instance in the additional VMware Cloud Foundation instance to the cross-instance data center. |
Supports the deployment of vRealize Operations remote collectors in an additional VMware Cloud Foundation instance. |
None. |
VCF-VRS-vRSLCM-ENV-008 |
|
Supports the deployment and management of vRealize Suite products that are specific to VMware Cloud Foundation instance. |
You must manage a separate data center object for the products that are specific to each instance. |
VCF-VRS-vRSLCM-ENV-009 |
In each additional VMware Cloud Foundation instance, create a local-instance environment in vRealize Suite Lifecycle Manager to support the deployment of:
|
Supports the deployment of an instance of vRealize Log Insight in each additional VMware Cloud Foundation instance. |
None. |
Information Security and Access Control Design
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-SEC-001 |
Enable integration between vRealize Suite Lifecycle Manager and your corporate identity source by using the Workspace ONE Access instance. |
|
You must deploy and configure Workspace ONE Access to establish the integration between vRealize Suite Lifecycle Manager and your corporate identity sources. |
VCF-VRS-vRSLCM-SEC-002 |
Create corresponding security groups in your corporate directory services for vRealize Suite Lifecycle Manager roles:
|
Streamlines the management of vRealize Suite Lifecycle Manager roles for users. |
|
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-SEC-003 |
Define a custom vCenter Server role for vRealize Suite Lifecycle Manager that has the minimum privileges required to support the deployment and upgrade of vRealize Suite products. |
vRealize Suite Lifecycle Manager accesses vSphere with the minimum set of permissions that are required to support the deployment and upgrade of vRealize Suite products. SDDC Manager automates the creation of the custom role. |
You must maintain the permissions required by the custom role. |
VCF-VRS-vRSLCM-SEC-004 |
Create a service account in vCenter Server for application-to-application communication from vRealize Suite Lifecycle Manager to vSphere. Assign global permissions using the custom role. |
|
|
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-SEC-005 |
Rotate the root password on or before 365 days after deployment by using SDDC Manager. |
The password for the root user account expires 365 days after the initial deployment. |
You must manage the password rotation schedule for the root user account in accordance with your organization policies and regulatory standards, as applicable. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-SEC-006 |
Use SDDC Manager to replace the default VMCA-signed certificate of vRealize Suite Lifecycle Manager with a CA-signed certificate. |
Configuring a CA-signed certificate ensures that the communication to the externally facing Web UI and API for vRealize Suite Lifecycle Manager, and cross-product, is encrypted. |
Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time as certificates requests are generated and delivered. |
VCF-VRS-vRSLCM-SEC-007 |
Use a SHA-2 or higher algorithm when signing certificates. |
The SHA-1 algorithm is considered less secure and has been deprecated. |
Not all certificate authorities support SHA-2. |
Locker Design
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-SEC-008 |
Replace the default store passwords in the locker repository for use by life cycle operations. |
You can reference specific passwords for use across life cycle operations elements, such as:
|
|
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-SEC-009 |
Import Certificate Authority-signed certificates to the locker repository for product life cycle operations. |
|
When using the API you must specify the locker ID for the certificate to be used in the JSON payload. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-SEC-010 |
Import vRealize Suite product licenses to the locker repository for product life cycle operations. |
|
When using the API, you must specify the locker ID for the license to be used in the JSON payload. |