Workspace ONE Access is distributed as a virtual appliance in OVA format that you can deploy and manage from vRealize Suite Lifecycle Manager together with other vRealize Suite products. The Workspace ONE Access appliance includes identity and access management services.

Deployment Type

You consider the deployment type, standard or cluster, according to the design objectives for the availability and number of users that the system and integrated SDDC solutions must support. You deploy Workspace ONE Access on the default management vSphere cluster.

Table 1. Topology Attributes of Workspace ONE Access

| Deployment Type | Number of Nodes | Considerations |
|---|---|---|
| Standard (Recommended) | 1 | Single node without a load balancer; can be scaled out to a 3-node cluster behind an NSX load balancer |
| Cluster | 3 | Clustered deployment using internal PostgreSQL database; NSX load balancer automatically deployed |

This design uses the recommended standard topology of Workspace ONE Access.

Table 2. Design Decisions on the Deployment Model for Workspace ONE Access

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-VRS-WSA-CFG-001 | Deploy Workspace ONE Access by using vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode. | With this configuration, the Workspace ONE Access deployment can be scaled to support a higher number of consuming users for vRealize Operations and vRealize Automation. The Workspace ONE Access instance is managed by vRealize Suite Lifecycle Manager and imported into the SDDC Manager inventory. | None. |
| VCF-VRS-WSA-CFG-002 | Use the embedded PostgreSQL database with Workspace ONE Access. | Removes the need for external database services. | None. |
| VCF-VRS-WSA-CFG-003 | Protect all Workspace ONE Access nodes using vSphere High Availability (vSphere HA). | Supports high availability for Workspace ONE Access. | None for standard deployments. Clustered Workspace ONE Access deployments might require intervention if an ESXi host failure occurs. |

Deployment of Workspace ONE Access in Multiple Availability Zones

Under normal operating conditions, Workspace ONE Access runs in the first availability zone. If a failure occurs in the first availability zone, the Workspace ONE Access instance is failed over to the second availability zone.

Table 3. Design Decisions on the Deployment of Workspace ONE Access for Multiple Availability Zones

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-VRS-WSA-CFG-006 | Add the Workspace ONE Access appliances to the VM group for the first availability zone. | Ensures that, by default, the Workspace ONE Access cluster nodes are powered on a host in the first availability zone. | If the Workspace ONE Access instance is deployed after the creation of the stretched management cluster, you must add the appliances to the VM group manually. Clustered Workspace ONE Access might require manual intervention after a failure of the active availability zone occurs. |

Sizing Compute and Storage Resources

A Workspace ONE Access deployment requires certain CPU, memory, and storage resources to support the maximum users and groups that can be synced.

Table 4. CPU, Memory, and Storage Resources for Workspace ONE Access

| Appliance Size | Directory Sync of Users and Groups per Tenant | CPU per Appliance | Memory per Appliance | Disk per Appliance |
|---|---|---|---|---|
| Extra Small | Maximum: 3,000 users, 30 groups | 4 vCPU | 8 GB | 100 GB |
| Small | Maximum: 5,000 users, 50 groups | 6 vCPU | 10 GB | 100 GB |
| Medium (Minimum requirement for vRealize Automation) | Maximum: 10,000 users, 100 groups | 8 vCPU | 16 GB | 100 GB |
| Large | Maximum: 25,000 users, 250 groups | 10 vCPU | 16 GB | 100 GB |
| Extra Large | Maximum: 50,000 users, 500 groups | 12 vCPU | 32 GB | 100 GB |
| Extra Extra Large | Maximum: 100,000 users, 1,000 groups | 14 vCPU | 48 GB | 100 GB |

Table 5. Design Decisions on Sizing Workspace ONE Access

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| VCF-VRS-WSA-CFG-007 | Deploy each of the Workspace ONE Access appliances as a medium-size appliance. | Supports scalability for a vRealize Automation cluster deployment. | None. |