To provide identity and access management services to supported SDDC components, such as vRealize Suite components, this design uses a Workspace ONE Access instance that is deployed on an NSX network segment.

Figure 1. Logical Design of Standard Workspace ONE Access

The Workspace ONE Access deployment consists of one primary node. It is connected to vRealize Suite Lifecycle Manager and add-on vRealize Suite components.
Table 1. Logical Components of Standard Workspace ONE Access

Single VMware Cloud Foundation Instance

  • A single-node Workspace ONE Access instance deployed on an overlay-backed (recommended) or VLAN-backed NSX segment.

  • SDDC solutions that are portable across VMware Cloud Foundation instances are integrated with this Workspace ONE Access instance.

Single VMware Cloud Foundation Instance with Multiple Availability Zones

  • A single-node Workspace ONE Access instance deployed on an overlay-backed (recommended) or VLAN-backed NSX segment.

  • SDDC solutions that are portable across VMware Cloud Foundation instances are integrated with this Workspace ONE Access instance.

  • A should-run vSphere DRS rule ensures that, under normal operating conditions, the Workspace ONE Access node runs on a management ESXi host in the first availability zone.

Multiple VMware Cloud Foundation Instances

  • In the first VMware Cloud Foundation instance, a single-node Workspace ONE Access instance deployed on an overlay-backed (recommended) or VLAN-backed NSX network segment.

  • SDDC solutions that are portable across VMware Cloud Foundation instances are integrated with this Workspace ONE Access instance.

Figure 2. Logical Design of Clustered Workspace ONE Access

The Workspace ONE Access cluster consists of one primary node and two secondary nodes, load-balanced by an NSX load balancer. It is connected to vRealize Suite Lifecycle Manager and add-on vRealize Suite components.
Table 2. Logical Components of Clustered Workspace ONE Access

Single VMware Cloud Foundation Instance

  • A three-node Workspace ONE Access cluster behind an NSX load balancer and deployed on an overlay-backed (recommended) or VLAN-backed NSX segment.

  • All Workspace ONE Access services and databases are configured for high availability using a native cluster configuration. SDDC solutions that are portable across VMware Cloud Foundation instances are integrated with this Workspace ONE Access cluster.

  • vSphere HA protects the Workspace ONE Access nodes.

  • vSphere DRS anti-affinity rules ensure that the Workspace ONE Access nodes run on different ESXi hosts.

Single VMware Cloud Foundation Instance with Multiple Availability Zones

  • A three-node Workspace ONE Access cluster behind an NSX load balancer and deployed on an overlay-backed (recommended) or VLAN-backed NSX segment.

  • All Workspace ONE Access services and databases are configured for high availability using a native cluster configuration. SDDC solutions that are portable across VMware Cloud Foundation instances are integrated with this Workspace ONE Access cluster.

  • vSphere HA protects the Workspace ONE Access nodes.

  • A vSphere DRS anti-affinity rule ensures that the Workspace ONE Access nodes run on different ESXi hosts.

  • A should-run vSphere DRS rule ensures that, under normal operating conditions, the Workspace ONE Access nodes run on management ESXi hosts in the first availability zone.

Multiple VMware Cloud Foundation Instances

  • In the first VMware Cloud Foundation instance, a three-node Workspace ONE Access cluster behind an NSX load balancer and deployed on an overlay-backed (recommended) or VLAN-backed NSX network segment.

  • All Workspace ONE Access services and databases are configured for high availability using a native cluster configuration. SDDC solutions that are portable across VMware Cloud Foundation instances are integrated with this Workspace ONE Access cluster.

  • vSphere HA protects the Workspace ONE Access cluster nodes.

  • vSphere DRS anti-affinity rules ensure that the Workspace ONE Access nodes run on different ESXi hosts.
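The DRS placement rules that the clustered design relies on (an anti-affinity rule spreading the three nodes across hosts, plus the should-run rule that keeps them in the first availability zone), as an added PowerCLI example that is not part of this design guide. The vCenter address and the cluster, host and VM names are assumed placeholders; vSphere HA is assumed to be enabled on the cluster already.

```powershell
# Added example, not from the design guide. All names below are placeholders.
$clusterName  = 'mgmt-cluster-placeholder'                     # management cluster (assumed)
$wsaVmNames   = 'wsa-node-a', 'wsa-node-b', 'wsa-node-c'       # the three cluster nodes (assumed)
$az1HostNames = 'az1-esxi-01', 'az1-esxi-02', 'az1-esxi-03'    # management hosts in the first AZ (assumed)

Connect-VIServer -Server 'vcenter.example.local'               # prompts for credentials (assumed FQDN)

$cluster  = Get-Cluster -Name $clusterName
$wsaVms   = Get-VM -Name $wsaVmNames -Location $cluster
$az1Hosts = Get-VMHost -Name $az1HostNames -Location $cluster

# 1. Anti-affinity rule: keep the three nodes on different ESXi hosts so one
#    host failure takes down at most one node. All three topologies need this.
New-DrsRule -Cluster $cluster -Name 'wsa-anti-affinity' -KeepTogether $false -VM $wsaVms -Enabled $true

# 2. Multi-AZ topology only: a "should run" VM/host rule pins the nodes to the
#    first availability zone under normal operation. Because it is should-run,
#    not must-run, vSphere HA can still restart the nodes in the second AZ.
$vmGroup   = New-DrsClusterGroup -Cluster $cluster -Name 'wsa-vm-group'   -VM $wsaVms
$hostGroup = New-DrsClusterGroup -Cluster $cluster -Name 'az1-host-group' -VMHost $az1Hosts
New-DrsVMHostRule -Cluster $cluster -Name 'wsa-should-run-az1' `
    -VMGroup $vmGroup -VMHostGroup $hostGroup -Type ShouldRunOn -Enabled $true

# 3. Verify the outcome rather than trusting the rule creation: each node on a
#    distinct host, and both rules present and enabled.
$placement = $wsaVms | Select-Object Name, @{ n = 'Host'; e = { $_.VMHost.Name } }
$placement | Format-Table -AutoSize
$distinctHosts = ($placement.Host | Sort-Object -Unique).Count
if ($distinctHosts -ne $wsaVms.Count) {
    Write-Warning "Only $distinctHosts distinct hosts for $($wsaVms.Count) nodes; DRS may not have migrated them yet."
}
Get-DrsRule       -Cluster $cluster -Name 'wsa-anti-affinity'  | Select-Object Name, Enabled, KeepTogether
Get-DrsVMHostRule -Cluster $cluster -Name 'wsa-should-run-az1' | Select-Object Name, Enabled, Type
```

In a single-AZ or multi-instance deployment, omit step 2 and keep only the anti-affinity rule.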

Supporting Infrastructure

In this design, Workspace ONE Access integrates with the following supporting infrastructure:

  • NTP for time synchronization

  • DNS for name resolution

  • Active Directory

Important:

Workspace ONE Access does not replace an organization's enterprise directory. Workspace ONE Access integrates with an enterprise directory as an identity provider for authentication to support solution authorization.