Use this design decision list for reference related to vRealize Suite Lifecycle Manager in an environment with a single or multiple VMware Cloud Foundation instances.

The deployment and configuration tasks for most design decisions are automated in VMware Cloud Foundation. You must perform the configuration manually only for a limited number of decisions as noted in the design implication.

For full design details, see vRealize Suite Lifecycle Manager Design.

Deployment Specification

Table 1. Design Decisions on the Deployment Model for vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-CFG-001
Design Decision: Deploy a vRealize Suite Lifecycle Manager instance in the management domain of the first VMware Cloud Foundation instance to provide life cycle management for the following components:
  • Workspace ONE Access
  • vRealize Operations
  • vRealize Automation
  • vRealize Log Insight
Design Justification: Provides life cycle management operations for vRealize Suite applications and Workspace ONE Access.
Design Implication: You must ensure that the required resources are available.

Decision ID: VCF-VRS-vRSLCM-CFG-002
Design Decision: In each additional VMware Cloud Foundation instance, deploy a vRealize Suite Lifecycle Manager instance in the management domain to provide life cycle management for the following components:
  • vRealize Log Insight
Design Justification: Provides life cycle management operations in VMware Cloud Foundation mode for vRealize Suite application components that are isolated to the specific VMware Cloud Foundation instance.
Design Implication: You must ensure that the required resources are available.

Decision ID: VCF-VRS-vRSLCM-CFG-003
Design Decision: Protect vRealize Suite Lifecycle Manager by using vSphere High Availability.
Design Justification: Supports the availability objectives for vRealize Suite Lifecycle Manager without requiring manual intervention during a failure event.
Design Implication: None.

Decision ID: VCF-VRS-vRSLCM-CFG-004
Design Decision: Deploy vRealize Suite Lifecycle Manager by using SDDC Manager.
Design Justification:
  • Deploys vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode, which enables the integration with the SDDC Manager inventory for product deployment and life cycle management of vRealize Suite components.
  • Automatically configures the standalone Tier-1 gateway required for load balancing the clustered Workspace ONE Access and vRealize Suite components. See Load Balancing.
Design Implication: None.

Table 2. Design Decisions on the Deployment of vRealize Suite Lifecycle Manager for Multiple Availability Zones

Decision ID: VCF-VRS-vRSLCM-CFG-005
Design Decision: Add the vRealize Suite Lifecycle Manager appliance to the VM group for the first availability zone.
Design Justification: Ensures that, by default, the vRealize Suite Lifecycle Manager appliance is powered on a host in the first availability zone.
Design Implication: If vRealize Suite Lifecycle Manager is deployed after the creation of the stretched management cluster, you must add the vRealize Suite Lifecycle Manager appliance to the VM group manually.

Table 3. Design Decisions on Sizing vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-CFG-006
Design Decision: Increase the initial storage of the vRealize Suite Lifecycle Manager appliance by 100 GB.
Design Justification:
  • Provides support for vRealize Suite product binaries (install, upgrade, and patch) and content management.
  • SDDC Manager automates the creation of storage.
Design Implication: You must allocate sufficient storage to accommodate this increase.

Network Design

Table 4. Design Decisions on the NSX Segments for vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-NET-001
Design Decision: Place the vRealize Suite Lifecycle Manager appliance on an overlay-backed (recommended) or VLAN-backed NSX network segment.
Design Justification: Provides a consistent deployment model for management applications.
Design Implication: You must use an implementation in NSX-T Data Center to support this networking configuration.

Table 5. Design Decisions on the IP Addressing Scheme for vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-NET-002
Design Decision: Allocate a statically assigned IP address and host name to the vRealize Suite Lifecycle Manager virtual appliance.
Design Justification: Using statically assigned IP addresses ensures stability across the SDDC and makes the appliance simpler to maintain and easier to track.
Design Implication: Requires precise IP address management.

Table 6. Design Decisions on Name Resolution for vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-NET-003
Design Decision: Configure forward and reverse DNS records for the vRealize Suite Lifecycle Manager appliance.
Design Justification: vRealize Suite Lifecycle Manager is accessible by using a fully qualified domain name instead of by using the IP address only.
Design Implication: You must provide DNS records for the vRealize Suite Lifecycle Manager appliance.

Decision ID: VCF-VRS-vRSLCM-NET-004
Design Decision: Configure the DNS settings for the vRealize Suite Lifecycle Manager appliance to use DNS servers from its corresponding VMware Cloud Foundation instance.
Design Justification: vRealize Suite Lifecycle Manager requires DNS resolution to connect to SDDC components.
Design Implication: None.
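One way to verify that decisions VCF-VRS-vRSLCM-NET-002 and VCF-VRS-vRSLCM-NET-003 hold for a deployed appliance, written as an added example rather than as part of this design guide or of SDDC Manager: the check resolves the FQDN forward, compares the answer with the statically assigned address, resolves that address back, and confirms the PTR names the same FQDN. The resolver functions are injected so the constructed sample zone below (example.net names, not a real deployment) runs offline.

```python
import socket
from typing import Callable, Dict, List


def _canon(name: str) -> str:
    """Normalise a DNS name for comparison: case-insensitive, no trailing dot."""
    return name.rstrip(".").lower()


def check_appliance_dns(fqdn: str, static_ip: str,
                        forward: Callable[[str], List[str]],
                        reverse: Callable[[str], List[str]]) -> List[str]:
    """Return findings for one appliance; an empty list means the records agree.

    forward(fqdn) returns the A-record addresses, reverse(ip) the PTR names;
    both raise OSError (socket.gaierror/herror) when the record is missing.
    """
    findings: List[str] = []
    try:
        addrs = forward(fqdn)
    except OSError:
        return [f"no forward (A) record for {fqdn}"]
    if len(addrs) != 1:
        findings.append(f"{fqdn} has {len(addrs)} forward records, expected 1")
    if static_ip not in addrs:
        findings.append(f"{fqdn} resolves to {addrs}, not the assigned {static_ip}")
    try:
        names = reverse(static_ip)
    except OSError:
        findings.append(f"no reverse (PTR) record for {static_ip}")
        return findings
    if _canon(fqdn) not in {_canon(n) for n in names}:
        findings.append(f"PTR for {static_ip} is {names}, does not name {fqdn}")
    return findings


# Constructed sample zone (not a real deployment): one consistent appliance
# and one with a duplicate A record and a stale PTR.
SAMPLE_A: Dict[str, List[str]] = {
    "sfo-vrslcm01.example.net": ["10.11.10.40"],
    "lax-vrslcm01.example.net": ["10.12.10.40", "10.12.10.41"],
}
SAMPLE_PTR: Dict[str, List[str]] = {
    "10.11.10.40": ["SFO-VRSLCM01.example.net."],
    "10.12.10.40": ["oldhost.example.net"],
}


def sample_forward(fqdn: str) -> List[str]:
    if fqdn not in SAMPLE_A:
        raise socket.gaierror(f"constructed NXDOMAIN for {fqdn}")
    return SAMPLE_A[fqdn]


def sample_reverse(ip: str) -> List[str]:
    if ip not in SAMPLE_PTR:
        raise socket.herror(f"constructed NXDOMAIN for {ip}")
    return SAMPLE_PTR[ip]
```

For a live check against the DNS servers of the instance, pass `lambda h: socket.gethostbyname_ex(h)[2]` as `forward` and `lambda ip: [socket.gethostbyaddr(ip)[0]] + socket.gethostbyaddr(ip)[1]` as `reverse`.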

Table 7. Design Decisions on Name Resolution for vRealize Suite Lifecycle Manager for Multiple VMware Cloud Foundation Instances

Decision ID: VCF-VRS-vRSLCM-NET-005
Design Decision: Configure the DNS settings for the vRealize Suite Lifecycle Manager appliance to use DNS servers in each instance.
Design Justification: vRealize Suite Lifecycle Manager can resolve DNS from local DNS servers during a planned migration or disaster recovery between VMware Cloud Foundation instances.
Design Implication: As you scale from a deployment with a single VMware Cloud Foundation instance to one with multiple VMware Cloud Foundation instances, the DNS settings on the vRealize Suite Lifecycle Manager appliance must be updated.

Table 8. Design Decisions on Time Synchronization for vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-NET-006
Design Decision: Configure the NTP settings for the vRealize Suite Lifecycle Manager appliance to use NTP servers in the first VMware Cloud Foundation instance.
Design Justification: vRealize Suite Lifecycle Manager depends on time synchronization.
Design Implication: None.

Table 9. Design Decisions on Time Synchronization for vRealize Suite Lifecycle Manager for Multiple VMware Cloud Foundation Instances

Decision ID: VCF-VRS-vRSLCM-NET-007
Design Decision: Configure the NTP settings for the vRealize Suite Lifecycle Manager appliance to use NTP servers in each VMware Cloud Foundation instance.
Design Justification: vRealize Suite Lifecycle Manager can query NTP from local NTP servers to synchronize time during a planned migration or disaster recovery between the VMware Cloud Foundation instances.
Design Implication: As you scale from a deployment with a single VMware Cloud Foundation instance to one with multiple VMware Cloud Foundation instances, the NTP settings on the vRealize Suite Lifecycle Manager appliance must be updated.

Life Cycle Management Design

Table 10. Design Decisions on Life Cycle Management of vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-LCM-001
Design Decision: Use vRealize Suite Lifecycle Manager to manage its own life cycle.
Design Justification:
  • You can upgrade vRealize Suite products based on their general availability and endpoint interoperability.
  • You can perform skip-level upgrades of vRealize Suite products.
Design Implication: None.

Life Cycle Operations Design

Table 11. Design Decisions on Product Support for vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-ENV-001
Design Decision: Obtain product binaries for install, patch, and upgrade in vRealize Suite Lifecycle Manager by using local product upload or VMware Customer Connect.
Design Justification:
  • You can upgrade vRealize Suite products based on their general availability and endpoint interoperability rather than only the versions listed in the VMware Cloud Foundation bill of materials (BOM).
  • You can deploy and manage binaries in an environment that does not allow access to the Internet, such as a dark site.
Design Implication: You must use product support packs (PSPAKs) for vRealize Suite Lifecycle Manager to enable upgrading to newer versions of vRealize Suite products.

Table 12. Design Decisions on Environment and Data Center Management for vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-ENV-002
Design Decision:
  • Create a data center object in vRealize Suite Lifecycle Manager for the cross-instance VMware Cloud Foundation solutions.
  • Assign the management domain vCenter Server instance to the data center.
Design Justification: You can deploy and manage the integrated vRealize Suite components across the SDDC as a group.
Design Implication: None.

Decision ID: VCF-VRS-vRSLCM-ENV-003
Design Decision:
  • In vRealize Suite Lifecycle Manager, create a data center for the local VMware Cloud Foundation instance.
  • Assign the corresponding management domain vCenter Server instance.
Design Justification: Supports deployment and management of vRealize Suite products that are instance-specific, such as vRealize Log Insight.
Design Implication: You must manage a separate data center object for the products that are specific to each instance.

Decision ID: VCF-VRS-vRSLCM-ENV-004
Design Decision: Create a global environment in vRealize Suite Lifecycle Manager to support the deployment of Workspace ONE Access.
Design Justification: A global environment is required by vRealize Suite Lifecycle Manager to deploy Workspace ONE Access.
Design Implication: None.

Decision ID: VCF-VRS-vRSLCM-ENV-005
Design Decision: Create a cross-instance environment in vRealize Suite Lifecycle Manager to support the deployment of:
  • vRealize Operations analytics nodes
  • vRealize Operations remote collectors
  • vRealize Automation cluster nodes
Design Justification:
  • Supports deployment and management of the integrated vRealize Suite products across VMware Cloud Foundation instances as a group.
  • Enables the deployment of instance-specific components, such as vRealize Operations remote collectors. In vRealize Suite Lifecycle Manager, you can deploy and manage vRealize Operations remote collector objects only in an environment that contains the associated cross-instance components.
Design Implication: You can manage instance-specific components, such as remote collectors, only in an environment that is cross-instance.

Decision ID: VCF-VRS-vRSLCM-CFG-006
Design Decision: In vRealize Suite Lifecycle Manager, create a local-instance environment to support the deployment of:
  • vRealize Log Insight
Design Justification: Supports the deployment of an instance of vRealize Log Insight.
Design Implication: None.

Table 13. Design Decisions on Environment and Data Center Management in vRealize Suite Lifecycle Manager for Multiple VMware Cloud Foundation Instances

Decision ID: VCF-VRS-vRSLCM-ENV-007
Design Decision: Assign the management domain vCenter Server instance in the additional VMware Cloud Foundation instance to the cross-instance data center.
Design Justification: Supports the deployment of vRealize Operations remote collectors in an additional VMware Cloud Foundation instance.
Design Implication: None.

Decision ID: VCF-VRS-vRSLCM-ENV-008
Design Decision:
  • In each additional VMware Cloud Foundation instance, create a data center object in vRealize Suite Lifecycle Manager for the additional instance.
  • Assign the corresponding management domain vCenter Server instance.
Design Justification: Supports the deployment and management of vRealize Suite products that are specific to a VMware Cloud Foundation instance.
Design Implication: You must manage a separate data center object for the products that are specific to each instance.

Decision ID: VCF-VRS-vRSLCM-ENV-009
Design Decision: In each additional VMware Cloud Foundation instance, create a local-instance environment in vRealize Suite Lifecycle Manager to support the deployment of:
  • vRealize Log Insight
Design Justification: Supports the deployment of an instance of vRealize Log Insight in each additional VMware Cloud Foundation instance.
Design Implication: None.

Information Security and Access Control Design

Table 14. Design Decisions on Identity Management for vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-SEC-001
Design Decision: Enable integration between vRealize Suite Lifecycle Manager and your corporate identity source by using the Workspace ONE Access instance.
Design Justification:
  • Enables authentication to vRealize Suite Lifecycle Manager by using your corporate identity source.
  • Enables authorization through the assignment of organization and cloud services roles to enterprise users and groups defined in your corporate identity source.
Design Implication: You must deploy and configure Workspace ONE Access to establish the integration between vRealize Suite Lifecycle Manager and your corporate identity sources.

Decision ID: VCF-VRS-vRSLCM-SEC-002
Design Decision: Create corresponding security groups in your corporate directory services for the vRealize Suite Lifecycle Manager roles:
  • VCF
  • Content Release Manager
  • Content Developer
Design Justification: Streamlines the management of vRealize Suite Lifecycle Manager roles for users.
Design Implication:
  • You must create the security groups outside of the SDDC stack.
  • You must set the desired directory synchronization interval in Workspace ONE Access to ensure that changes are available within a reasonable period.

Table 15. Design Decisions on Service Accounts for vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-SEC-003
Design Decision: Define a custom vCenter Server role for vRealize Suite Lifecycle Manager that has the minimum privileges required to support the deployment and upgrade of vRealize Suite products.
Design Justification:
  • vRealize Suite Lifecycle Manager accesses vSphere with the minimum set of permissions that are required to support the deployment and upgrade of vRealize Suite products.
  • SDDC Manager automates the creation of the custom role.
Design Implication: You must maintain the permissions required by the custom role.

Decision ID: VCF-VRS-vRSLCM-SEC-004
Design Decision: Create a service account in vCenter Server for application-to-application communication from vRealize Suite Lifecycle Manager to vSphere. Assign global permissions by using the custom role.
Design Justification:
  • Provides the following access control features:
    • vRealize Suite Lifecycle Manager accesses vSphere with the minimum set of required permissions.
    • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.
  • SDDC Manager automates the creation of the service account.
Design Implication: You must maintain the life cycle and availability of the service account outside of SDDC Manager password rotation.

Table 16. Design Decisions on Password Management for vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-SEC-005
Design Decision: Rotate the root password on or before 365 days after deployment by using SDDC Manager.
Design Justification: The password for the root user account expires 365 days after the initial deployment.
Design Implication: You must manage the password rotation schedule for the root user account in accordance with your organization policies and regulatory standards, as applicable.

Table 17. Design Decisions on Certificate Management for vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-SEC-006
Design Decision: Use SDDC Manager to replace the default VMCA-signed certificate of vRealize Suite Lifecycle Manager with a CA-signed certificate.
Design Justification: Configuring a CA-signed certificate ensures that the communication to the externally facing Web UI and API for vRealize Suite Lifecycle Manager, and cross-product communication, is encrypted.
Design Implication: Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered.

Decision ID: VCF-VRS-vRSLCM-SEC-007
Design Decision: Use a SHA-2 or higher algorithm when signing certificates.
Design Justification: The SHA-1 algorithm is considered less secure and has been deprecated.
Design Implication: Not all certificate authorities support SHA-2.

Locker Design

Table 18. Design Decisions on Locker Passwords in vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-SEC-008
Design Decision: Replace the default store passwords in the locker repository for use by life cycle operations.
Design Justification: You can reference specific passwords for use across life cycle operations elements, such as:
  • vCenter Server registration and updates (Management Domain vCenter Servers)
  • Environment creations
  • Product deployments and updates
  • VMware Customer Connect registration and updates
Design Implication: Password items in the locker cannot be edited or deleted from the UI; however, they can be deleted by using the API. You must register and use a new locker password when rotating a password.

Table 19. Design Decisions on Locker Certificates in vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-SEC-009
Design Decision: Import Certificate Authority-signed certificates to the locker repository for product life cycle operations.
Design Justification:
  • You can review the validity, details, and the environment and deployment usage for the certificate across the vRealize products.
  • You can reference and use Certificate Authority-signed certificates during product life cycle operations, such as deployment and certificate replacement.
Design Implication: When using the API, you must specify the locker ID for the certificate to be used in the JSON payload.

Table 20. Design Decisions on Locker Licenses in vRealize Suite Lifecycle Manager

Decision ID: VCF-VRS-vRSLCM-SEC-010
Design Decision: Import vRealize Suite product licenses to the locker repository for product life cycle operations.
Design Justification:
  • You can review the validity, details, and the environment and deployment usage for the license across the vRealize Suite products.
  • You can reference and use licenses during product life cycle operations, such as deployment and license replacement.
Design Implication: When using the API, you must specify the locker ID for the license to be used in the JSON payload.