vRealize Suite Lifecycle Manager Design for VMware Cloud Foundation

In VMware Cloud Foundation, vRealize Suite Lifecycle Manager provides life cycle management capabilities for vRealize Suite components and Workspace ONE Access, including automated deployment, configuration, patching, and upgrade, and content management across vRealize Suite products.

You deploy vRealize Suite Lifecycle Manager by using SDDC Manager. SDDC Manager deploys vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode. In this mode, vRealize Suite Lifecycle Manager is integrated with SDDC Manager, providing the following benefits:

Integration with the SDDC Manager inventory to retrieve infrastructure details when creating environments for Workspace ONE Access and vRealize Suite components, such as NSX segments and vCenter Server details.
Automation of the load balancer configuration when deploying Workspace ONE Access, vRealize Operations, and vRealize Automation.
Deployment details for vRealize Suite Lifecycle Manager environments are populated in the SDDC Manager inventory and can be queried using the SDDC Manager API.
Day-two workflows in SDDC Manager to connect vRealize Log Insight and vRealize Operations to workload domains.
The ability to manage password life cycle for Workspace ONE Access and vRealize Suite components.

For information about deploying vRealize Suite components, see VMware Validated Solutions.

Logical Design for vRealize Suite Lifecycle Manager for VMware Cloud Foundation

You deploy vRealize Suite Lifecycle Manager to provide life cycle management capabilities for vRealize Suite components and a Workspace ONE Access cluster.

Logical Design

In a VMware Cloud Foundation environment, you use vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode. In this mode, vRealize Suite Lifecycle Manager is integrated with VMware Cloud Foundation in the following way:

SDDC Manager deploys the vRealize Suite Lifecycle Manager appliance. Then, you deploy the vRealize Suite products that are supported by VMware Cloud Foundation by using vRealize Suite Lifecycle Manager.
Supported versions are controlled by the vRealize Suite Lifecycle Manager appliance and Product Support Packs. See the VMware Interoperability Matrix.
To orchestrate the deployment, patching, and upgrade of Workspace ONE Access and the vRealize Suite products, vRealize Suite Lifecycle Manager communicates with SDDC Manager and the management domain vCenter Server in the environment.
SDDC Manager configures the load balancer for Workspace ONE Access, vRealize Operations, and vRealize Automation.

The vRealize Suite Lifecycle Manager instance in the top VMware Cloud Foundation instance is connected to Workspace ONE Access. It manages the life cycle of vRealize Suite, synchronizes with SDDC Manager and uses vCenter Server endpoints in each instance. — Figure 1. Logical Design of vRealize Suite Lifecycle Manager

According to the VMware Cloud Foundation topology deployed, vRealize Suite Lifecycle Manager is deployed in one or more locations and is responsible for the life cycle of the vRealize Suite components in one or more VMware Cloud Foundation instances.

VMware Cloud Foundation instances might be connected for the following reasons:

Disaster recovery of the vRealize Suite components.
Over-arching management of those instances from the same vRealize Suite deployments.

Table 1. vRealize Suite Lifecycle Manager Component Layout
VMware Cloud Foundation Instances with a Single Availability Zone	VMware Cloud Foundation Instances with Multiple Availability Zones	Connected VMware Cloud Foundation Instances
A single vRealize Suite Lifecycle Manager appliance deployed on the cross-instance NSX segment. vSphere HA protects the vRealize Suite Lifecycle Manager appliance. Life cycle management for: Workspace ONE Access vRealize Suite	A single vRealize Suite Lifecycle Manager appliance deployed on the cross-instance NSX segment. vSphere HA protects the vRealize Suite Lifecycle Manager appliance. A should-run vSphere DRS rule specifies that the vRealize Suite Lifecycle Manager appliance should run on an ESXi host in the first availability zone. Life cycle management for: Workspace ONE Access vRealize Suite	The vRealize Suite Lifecycle Manager instance in the first VMware Cloud Foundation instance provides life cycle management for: Workspace ONE Access vRealize Suite vRealize Suite Lifecycle Manager in each additional VMware Cloud Foundation instance provides life cycle management for: vRealize Log Insight

Network Design for vRealize Suite Lifecycle Manager

For secure access to the UI and API, you place the vRealize Suite Lifecycle Manager appliance on an overlay-backed (recommended) or VLAN-backed Application Virtual Network.

vRealize Suite Lifecycle Manager must have routed access to the management VLAN through the Tier-0 gateway in the NSX instance for the management domain.

The vRealize Suite Lifecycle Manager appliance is connected to the cross-instance NSX segment. The segment is connected to the management networks in each VMware Cloud Foundation instance through the Tier-0 and Tier-1 gateways. — Figure 2. Network Design for vRealize Suite Lifecycle Manager

Data Center and Environment Design for vRealize Suite Lifecycle Manager

To deploy vRealize Suite products by using vRealize Suite Lifecycle Manager, you configure product support, data centers, environment structures, and product specifications.

Product Support

vRealize Suite Lifecycle Manager provides several methods to obtain and store product binaries for the install, patch, and upgrade of the vRealize Suite products.

Table 2. Methods for Obtaining and Storing Product Binaries
Method	Description
Product Upload	You can upload and discover product binaries to the vRealize Suite Lifecycle Manager appliance.
VMware Customer Connect	You can integrate vvRealize Suite Lifecycle Manager with VMware Customer Connect to access and download vRealize Suite product entitlements from an online depot over the Internet. This method simplifies, automates, and organizes the repository.

Data Centers and Environments

vRealize Suite Lifecycle Manager supports the deployment and upgrade of vRealize Suite products in a logical environment grouping.

You create data centers and environments in vRealize Suite Lifecycle Manager to manage the life cycle operations on the vRealize Suite products and to support the growth of the SDDC.

Table 3. vRealize Suite Lifecycle Manager Logical Constructs
Construct	Definition
Datacenter	Represents a geographical or logical location for an organization. Management domain vCenter Server instances are added to specific data centers.
Environment	Is mapped to a data center object. Each environment can contain only one instance of a vRealize Suite product.

Table 4. Logical Datacenter to vCenter Server Mappings in vRealize Suite Lifecycle Manager
Logical Datacenter	vCenter Server Type	Description
Cross-instance	Management domain vCenter Server for the local VMware Cloud Foundation instance. Management domain vCenter Server for an additional VMware Cloud Foundation instance.	Supports the deployment of cross-instance components, such as Workspace ONE Access, vRealize Operations, and vRealize Automation, including any per-instance collector components.
Local-instance	Management domain vCenter Server for the local VMware Cloud Foundation instance.	Supports the deployment of vRealize Log Insight.

Table 5. vRealize Suite Lifecycle Manager Environment Types
Environment Type	Description
Global Environment	Contains the Workspace ONE Access instance that is required before you can deploy vRealize Automation.
VMware Cloud Foundation Mode	Infrastructure details for the deployed products, including vCenter Server, networking, DNS and NTP information are retrieved from the SDDC Manager inventory. Successful deployment details are synced back to the SDDC Manager inventory. Limited to one instance of each vRealize Suite product.
Standalone Mode	Infrastructure details for the deployed products are entered manually. Successful deployment details are not synced back to the SDDC Manager inventory. Supports deployment of more than one instance of a vRealize Suite product.

Note:

You can deploy new vRealize Suite products to the SDDC environment or import existing product deployments.

Table 6. Environment Topologies
Environment Name	VMware Cloud Foundation Mode	Logical Datacenter	Product Components
Global Environment	Enabled	Cross-instance	Workspace ONE Access
Cross-instance	Enabled	Cross-instance	vRealize Operations analytics nodes vRealize Operations remote collectors vRealize Automation cluster
Each instance	Enabled	Local-instance	vRealize Log Insight cluster nodes

Locker Design for vRealize Suite Lifecycle Manager

The vRealize Suite Lifecycle Manager Locker allows you to secure and manage passwords, certificates, and licenses for vRealize Suite product solutions and integrations.

Passwords

vRealize Suite Lifecycle Manager stores passwords in the locker repository which are referenced during life cycle operations on data centers, environments, products, and integrations.

Table 7. Life Cycle Operations Use of Locker Passwords in vRealize Suite Lifecycle Manager
Life Cycle Operations Element	Password Use
Datacenters	vCenter Server credentials for avRealize Suite Lifecycle Manager-to-vSphere integration user.
Environments	Global environment default configuration administrator,configadmin. Environment password, for example, for product default admin or root password.
Products	Product administrator password, for example, the admin password for an individual product. Product appliance password, for example, the root password for an individual product.

Certificates

vRealize Suite Lifecycle Manager stores certificates in the Locker repository which can be referenced during product life cycle operations. Externally provided certificates, such as Certificate Authority-signed certificates, can be imported or certificates can be generated by the vRealize Suite Lifecycle Manager appliance.

Licenses

vRealize Suite Lifecycle Manager stores licenses in the Locker repository which can be referenced during product life cycle operations. Licenses can be validated and added to the repository directory or imported through an integration with VMware Customer Connect.

vRealize Suite Lifecycle Manager Design Requirements and Recommendations for VMware Cloud Foundation

Consider the placement, networking, sizing and high availability requirements for using vRealize Suite Lifecycle Manager for deployment and life cycle management of vRealize Suite components in VMware Cloud Foundation. Apply similar best practices for having vRealize Suite Lifecycle Manager operate in an optimal way.

vRealize Suite Lifecycle Manager Design Requirements

You must meet the following design requirements for standard and stretched clusters in your vRealize Suite Lifecycle Manager design for VMware Cloud Foundation. For NSX Federation, additional requirements exist.

Table 8. vRealize Suite Lifecycle Manager Design Requirements for VMware Cloud Foundation
Requirement ID	Design Requirement	Justification	Implication
VCF-vRSLCM-REQD-CFG-001	Deploy a vRealize Suite Lifecycle Manager instance in the management domain of each VMware Cloud Foundation instance to provide life cycle management for vRealize Suite and Workspace ONE Access.	Provides life cycle management operations for vRealize Suite applications and Workspace ONE Access.	You must ensure that the required resources are available.
VCF-vRSLCM-REQD-CFG-002	Deploy vRealize Suite Lifecycle Manager by using SDDC Manager.	Deploys vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode, which enables the integration with the SDDC Manager inventory for product deployment and life cycle management of vRealize Suite components. Automatically configures the standalone Tier-1 gateway required for load balancing the clustered Workspace ONE Access and vRealize Suite components.	None.
VCF-vRSLCM-REQD-CFG-003	Allocate extra 100 GB of storage to the vRealize Suite Lifecycle Manager appliance for vRealize Suite product binaries.	Provides support for vRealize Suite product binaries (install, upgrade, and patch) and content management. SDDC Manager automates the creation of storage.	None.
VCF-vRSLCM-REQD-CFG-004	Place the vRealize Suite Lifecycle Manager appliance on an overlay-backed (recommended) or VLAN-backed NSX network segment.	Provides a consistent deployment model for management applications.	You must use an implementation in NSX to support this networking configuration.
VCF-vRSLCM-REQD-CFG-005	Import vRealize Suite product licenses to the Locker repository for product life cycle operations.	You can review the validity, details, and deployment usage for the license across the vRealize Suite products. You can reference and use licenses during product life cycle operations, such as deployment and license replacement.	When using the API, you must specify the Locker ID for the license to be used in the JSON payload.
VCF-vRSLCM-REQD-ENV-001	Configure datacenter objects in vRealize Suite Lifecycle Manager for local and cross-instance vRealize Suite deployments and assigns the management domain vCenter Server instance to each data center.	You can deploy and manage the integrated vRealize Suite components across the SDDC as a group.	You must manage a separate datacenter object for the products that are specific to each instance.
VCF-vRSLCM-REQD-ENV-002	If deploying vRealize Log Insight, create a local-instance environment in vRealize Suite Lifecycle Manager.	Supports the deployment of an instance of vRealize Log Insight.	None.
VCF-vRSLCM-REQD-ENV-003	If deploying vRealize Operations or vRealize Automation, create a cross-instance environment in vRealize Suite Lifecycle Manager	Supports deployment and management of the integrated vRealize Suite products across VMware Cloud Foundation instances as a group. Enables the deployment of instance-specific components, such as vRealize Operations remote collectors. In vRealize Suite Lifecycle Manager, you can deploy and manage vRealize Operations remote collector objects only in an environment that contains the associated cross-instance components.	You can manage instance-specific components, such as remote collectors, only in an environment that is cross-instance.
VCF-vRSLCM-REQD-SEC-001	Use the custom vCenter Server role for vRealize Suite Lifecycle Manager that has the minimum privileges required to support the deployment and upgrade of vRealize Suite products.	vRealize Suite Lifecycle Manager accesses vSphere with the minimum set of permissions that are required to support the deployment and upgrade of vRealize Suite products. SDDC Manager automates the creation of the custom role.	You must maintain the permissions required by the custom role.
VCF-vRSLCM-REQD-SEC-002	Use the service account in vCenter Server for application-to-application communication from vRealize Suite Lifecycle Manager to vSphere. Assign global permissions using the custom role.	Provides the following access control features: vvRealize Suite Lifecycle Manager accesses vSphere with the minimum set of required permissions. You can introduce improved accountability in tracking request-response interactions between the components of the SDDC. SDDC Manager automates the creation of the service account.	You must maintain the life cycle and availability of the service account outside of SDDC manager password rotation.

Table 9. vRealize Suite Lifecycle Manager Design Requirements for Stretched Clusters in VMware Cloud Foundation
Requirement ID	Design Requirement	Justification	Implication
VCF-vRSLCM-REQD-CFG-006	For multiple availability zones, add the vRealize Suite Lifecycle Manager appliance to the VM group for the first availability zone.	Ensures that, by default, the vRealize Suite Lifecycle Manager appliance is powered on a host in the first availability zone.	If vRealize Suite Lifecycle Manager is deployed after the creation of the stretched management cluster, you must add the vRealize Suite Lifecycle Manager appliance to the VM group manually.

Table 10. vRealize Suite Lifecycle Manager Design Requirements for NSX Federation in VMware Cloud Foundation
Requirement ID	Design Requirement	Justification	Implication
VCF-vRSLCM-REQD-CFG-007	Configure the DNS settings for the vRealize Suite Lifecycle Manager appliance to use DNS servers in each instance.	Improves resiliency in the event of an outage of external services for a VMware Cloud Foundation instance.	As you scale from a deployment with a single VMware Cloud Foundation instance to one with multiple VMware Cloud Foundation instances, the DNS settings of the vRealize Suite Lifecycle Manager appliance must be updated.
VCF-vRSLCM-REQD-CFG-008	Configure the NTP settings for the vRealize Suite Lifecycle Manager appliance to use NTP servers in each VMware Cloud Foundation instance.	Improves resiliency if an outage of external services for a VMware Cloud Foundation instance occurs.	As you scale from a deployment with a single VMware Cloud Foundation instance to one with multiple VMware Cloud Foundation instances, the NTP settings on the vRealize Suite Lifecycle Manager appliance must be updated.
VCF-vRSLCM-REQD-ENV-004	Assign the management domain vCenter Server instance in the additional VMware Cloud Foundation instance to the cross-instance data center.	Supports the deployment of vRealize Operations remote collectors in an additional VMware Cloud Foundation instance.	None.

vRealize Suite Lifecycle Manager Design Recommendations

In your vRealize Suite Lifecycle Manager design for VMware Cloud Foundation, you can apply certain best practices .

Table 11. vRealize Suite Lifecycle Manager Design Recommendations for VMware Cloud Foundation
Recommendation ID	Design Recommendation	Justification	Implication
VCF-vRSLCM-RCMD-CFG-001	Protect vRealize Suite Lifecycle Manager by using vSphere HA.	Supports the availability objectives for vRealize Suite Lifecycle Manager without requiring manual intervention during a failure event.	None.
VCF-vRSLCM-RCMD-LCM-001	Obtain product binaries for install, patch, and upgrade in vRealize Suite Lifecycle Manager from VMware Customer Connect.	You can upgrade vRealize Suite products based on their general availability and endpoint interoperability rather than being listed as part of VMware Cloud Foundation bill of materials (BOM). You can deploy and manage binaries in an environment that does not allow access to the Internet or are dark sites.	The site must have an Internet connection to use VMware Customer Connect. Sites without an Internet connection should use the local upload option instead.
VCF-vRSLCM-RCMD-LCM-002	Use support packs (PSPAKS) for vRealize Suite Lifecycle Manager to enable upgrading to later versions of vRealize Suite products.	Enables the upgrade of an existing vRealize Suite Lifecycle Manager to permit later versions of vRealize Suite products without an associated VVMware Cloud Foundation upgrade. See VMware Knowledge Base article 88829	None.
VCF-vRSLCM-RCMD-SEC-001	Enable integration between vRealize Suite Lifecycle Manager and your corporate identity source by using the Workspace ONE Access instance.	Enables authentication to vRealize Suite Lifecycle Manager by using your corporate identity source. Enables authorization through the assignment of organization and cloud services roles to enterprise users and groups defined in your corporate identity source.	You must deploy and configure Workspace ONE Access to establish the integration between vRealize Suite Lifecycle Manager and your corporate identity sources.
VCF-vRSLCM-RCMD-SEC-002	Create corresponding security groups in your corporate directory services for vRealize Suite Lifecycle Manager roles: VCF Content Release Manager Content Developer	Streamlines the management of vRealize Suite Lifecycle Manager roles for users.	You must create the security groups outside of the SDDC stack. You must set the desired directory synchronization interval in Workspace ONE Access to ensure that changes are available within a reasonable period.