In VMware Cloud Foundation, VMware Aria Suite Lifecycle provides life cycle management capabilities for VMware Aria Suite components and Workspace ONE Access, including automated deployment, configuration, patching, and upgrade, and content management across VMware Aria Suite products.

You deploy VMware Aria Suite Lifecycle by using SDDC Manager. SDDC Manager deploys VMware Aria Suite Lifecycle in VMware Cloud Foundation mode. In this mode, VMware Aria Suite Lifecycle is integrated with SDDC Manager, providing the following benefits:

  • Integration with the SDDC Manager inventory to retrieve infrastructure details when creating environments for Workspace ONE Access and VMware Aria Suite components, such as NSX segments and vCenter Server details.

  • Automation of the NSX load balancer configuration when deploying Workspace ONE Access, VMware Aria Operations, and VMware Aria Automation.

  • Deployment details for VMware Aria Suite Lifecycle environments are populated in the SDDC Manager inventory and can be queried using the SDDC Manager API.

  • Day-two workflows in SDDC Manager to connect VMware Aria Operations for Logs and VMware Aria Operations to workload domains.

  • The ability to manage password life cycle for Workspace ONE Access and VMware Aria Suite components.

For information about deploying VMware Aria Suite components, see VMware Validated Solutions.

Logical Design for VMware Aria Suite Lifecycle for VMware Cloud Foundation

You deploy VMware Aria Suite Lifecycle to provide life cycle management capabilities for VMware Aria Suite components and a Workspace ONE Access cluster.

Logical Design

In a VMware Cloud Foundation environment, you use VMware Aria Suite Lifecycle in VMware Cloud Foundation mode. In this mode, VMware Aria Suite Lifecycle is integrated with VMware Cloud Foundation in the following way:

  • SDDC Manager deploys the VMware Aria Suite Lifecycle appliance. Then, you deploy the VMware Aria Suite products that are supported by VMware Cloud Foundation by using VMware Aria Suite Lifecycle.

  • Supported versions are controlled by the VMware Aria Suite Lifecycle appliance and Product Support Packs. See the VMware Interoperability Matrix.

  • To orchestrate the deployment, patching, and upgrade of Workspace ONE Access and the VMware Aria Suite products, VMware Aria Suite Lifecycle communicates with SDDC Manager and the management domain vCenter Server in the environment.

  • SDDC Manager configures the load balancer for Workspace ONE Access, VMware Aria Operations, and VMware Aria Automation.

Figure 1. Logical Design of VMware Aria Suite Lifecycle
The VMware Aria Suite Lifecycle instance in the top VMware Cloud Foundation instance is connected to Workspace ONE Access. It manages the life cycle of VMware Aria Suite, synchronizes with SDDC Manager and uses vCenter Server endpoints in each instance.

According to the VMware Cloud Foundation topology deployed, VMware Aria Suite Lifecycle is deployed in one or more locations and is responsible for the life cycle of the VMware Aria Suite components in one or more VMware Cloud Foundation instances.

VMware Cloud Foundation instances might be connected for the following reasons:

  • Disaster recovery of the VMware Aria Suite components.

  • Over-arching management of those instances from the same VMware Aria Suite deployments.

Table 1. VMware Aria Suite Lifecycle Component Layout

VMware Cloud Foundation Instances with a Single Availability Zone

  • A single VMware Aria Suite Lifecycle appliance deployed on the cross-instance NSX segment.

  • vSphere HA protects the VMware Aria Suite Lifecycle appliance.

Life cycle management for:

  • Workspace ONE Access

  • VMware Aria Suite

VMware Cloud Foundation Instances with Multiple Availability Zones

  • A single VMware Aria Suite Lifecycle appliance deployed on the cross-instance NSX segment.

  • vSphere HA protects the VMware Aria Suite Lifecycle appliance.

  • A should-run vSphere DRS rule specifies that the VMware Aria Suite Lifecycle appliance should run on an ESXi host in the first availability zone.

Life cycle management for:

  • Workspace ONE Access

  • VMware Aria Suite

Connected VMware Cloud Foundation Instances

The VMware Aria Suite Lifecycle instance in the first VMware Cloud Foundation instance provides life cycle management for:

  • Workspace ONE Access

  • VMware Aria Suite

VMware Aria Suite Lifecycle in each additional VMware Cloud Foundation instance provides life cycle management for:

  • VMware Aria Operations for Logs

Network Design for VMware Aria Suite Lifecycle

For secure access to the UI and API, you place the VMware Aria Suite Lifecycle appliance on an overlay-backed (recommended) or VLAN-backed Application Virtual Network.

VMware Aria Suite Lifecycle must have routed access to the management VLAN through the Tier-0 gateway in the NSX instance for the management domain.

Figure 2. Network Design for VMware Aria Suite Lifecycle
The VMware Aria Suite Lifecycle appliance is connected to the cross-instance NSX segment. The segment is connected to the management networks in each VMware Cloud Foundation instance through the Tier-0 and Tier-1 gateways.

Data Center and Environment Design for VMware Aria Suite Lifecycle

To deploy VMware Aria Suite products by using VMware Aria Suite Lifecycle, you configure product support, data centers, environment structures, and product specifications.

Product Support

VMware Aria Suite Lifecycle provides several methods to obtain and store product binaries for the install, patch, and upgrade of the VMware Aria Suite products.

Table 2. Methods for Obtaining and Storing Product Binaries

Method

Description

Product Upload

  • You can upload and discover product binaries to the VMware Aria Suite Lifecycle appliance.

VMware Customer Connect

  • You can integrate VMware Aria Suite Lifecycle with VMware Customer Connect to access and download VMware Aria Suite product entitlements from an online depot over the Internet. This method simplifies, automates, and organizes the repository.

Data Centers and Environments

VMware Aria Suite Lifecycle supports the deployment and upgrade of VMware Aria Suite products in a logical environment grouping.

You create data centers and environments in VMware Aria Suite Lifecycle to manage the life cycle operations on the VMware Aria Suite products and to support the growth of the SDDC.

Table 3. VMware Aria Suite Lifecycle Logical Constructs

Construct

Definition

Datacenter

Represents a geographical or logical location for an organization. Management domain vCenter Server instances are added to specific data centers.

Environment

Is mapped to a data center object. Each environment can contain only one instance of a VMware Aria Suite product.

Table 4. Logical Datacenter to vCenter Server Mappings in VMware Aria Suite Lifecycle

Logical Datacenter

vCenter Server Type

Description

Cross-instance

  • Management domain vCenter Server for the local VMware Cloud Foundation instance.

  • Management domain vCenter Server for an additional VMware Cloud Foundation instance.

Supports the deployment of cross-instance components, such as Workspace ONE Access, VMware Aria Operations, and VMware Aria Automation, including any per-instance collector components.

Local-instance

Management domain vCenter Server for the local VMware Cloud Foundation instance.

Supports the deployment of VMware Aria Operations for Logs.

Table 5. VMware Aria Suite Lifecycle Environment Types

Environment Type

Description

Global Environment

Contains the Workspace ONE Access instance that is required before you can deploy VMware Aria Automation.

VMware Cloud Foundation Mode

  • Infrastructure details for the deployed products, including vCenter Server, networking, DNS and NTP information are retrieved from the SDDC Manager inventory.

  • Successful deployment details are synced back to the SDDC Manager inventory.

  • Limited to one instance of each VMware Aria Suite product.

Standalone Mode

  • Infrastructure details for the deployed products are entered manually.

  • Successful deployment details are not synced back to the SDDC Manager inventory.

  • Supports deployment of more than one instance of a VMware Aria Suite product.

Note:

You can deploy new VMware Aria Suite products to the SDDC environment or import existing product deployments.

Table 6. Environment Topologies

| Environment Name | VMware Cloud Foundation Mode | Logical Datacenter | Product Components |
|---|---|---|---|
| Global Environment | Enabled | Cross-instance | Workspace ONE Access |
| Cross-instance | Enabled | Cross-instance | VMware Aria Operations analytics nodes; VMware Aria Operations remote collectors; VMware Aria Automation cluster |
| Each instance | Enabled | Local-instance | VMware Aria Operations for Logs cluster nodes |

Locker Design for VMware Aria Suite Lifecycle

The VMware Aria Suite Lifecycle Locker allows you to secure and manage passwords, certificates, and licenses for VMware Aria Suite product solutions and integrations.

Passwords

VMware Aria Suite Lifecycle stores passwords in the Locker repository, where they are referenced during life cycle operations on data centers, environments, products, and integrations.

Table 7. Life Cycle Operations Use of Locker Passwords in VMware Aria Suite Lifecycle

Life Cycle Operations Element

Password Use

Datacenters

vCenter Server credentials for a VMware Aria Suite Lifecycle-to-vSphere integration user.

Environments

  • Global environment default configuration administrator, configadmin.

  • Environment password, for example, for product default admin or root password.

Products

  • Product administrator password, for example, the admin password for an individual product.

  • Product appliance password, for example, the root password for an individual product.

Certificates

VMware Aria Suite Lifecycle stores certificates in the Locker repository which can be referenced during product life cycle operations. Externally provided certificates, such as Certificate Authority-signed certificates, can be imported or certificates can be generated by the VMware Aria Suite Lifecycle appliance.

Licenses

VMware Aria Suite Lifecycle stores licenses in the Locker repository which can be referenced during product life cycle operations. Licenses can be validated and added to the repository directory or imported through an integration with VMware Customer Connect.
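
The Locker design above, together with the requirement that API payloads identify the license by its Locker ID, implies that a request should carry Locker references rather than inline secrets. The following check is an added example, not VMware code: it walks a parsed JSON payload and reports any password, license, or certificate field that is inline, points at the wrong Locker type, or names an ID missing from the Locker inventory. The reference form `locker:<type>:<id>:<alias>`, the field names, and all IDs are assumptions constructed for illustration.

```python
import re

# ASSUMPTION: a Locker reference has the form locker:<type>:<id>:<alias>;
# the page itself only says that the payload must carry a Locker ID.
LOCKER_REF = re.compile(
    r"^locker:(password|certificate|license):([0-9a-fA-F-]{36}):(.+)$")

# ASSUMPTION: hypothetical field-name hints -> Locker type the field must reference.
HINTS = {"password": "password", "license": "license", "certificate": "certificate"}


def expected_type(key):
    """Return the Locker type a field must reference, or None if not sensitive."""
    lowered = key.lower()
    for hint, locker_type in HINTS.items():
        if hint in lowered:
            return locker_type
    return None


def lint_payload(node, known_ids, path="$"):
    """Return (json_path, problem) findings; secret values are never echoed."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            want = expected_type(key)
            if want and isinstance(value, str):
                match = LOCKER_REF.match(value)
                if not match:
                    findings.append((child, "inline value, not a Locker reference"))
                elif match.group(1) != want:
                    findings.append(
                        (child, f"references a {match.group(1)}, expected {want}"))
                elif match.group(2) not in known_ids.get(want, set()):
                    findings.append(
                        (child, "Locker ID not present in the Locker inventory"))
            else:
                findings.extend(lint_payload(value, known_ids, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(lint_payload(item, known_ids, f"{path}[{index}]"))
    return findings


# Constructed Locker inventory and request payload (illustrative values only).
KNOWN_IDS = {"password": {"11111111-1111-1111-1111-111111111111"},
             "license": {"22222222-2222-2222-2222-222222222222"},
             "certificate": {"33333333-3333-3333-3333-333333333333"}}
SAMPLE = {"environmentName": "example-env", "products": [{"id": "example-product", "properties": {
    "licenseRef": "locker:license:22222222-2222-2222-2222-222222222222:example-license",
    "productPassword": "Example-Plaintext-1!",
    "certificate": "locker:password:11111111-1111-1111-1111-111111111111:example-pw",
    "adminPassword": "locker:password:44444444-4444-4444-4444-444444444444:stale"}}]}

if __name__ == "__main__":
    for json_path, problem in lint_payload(SAMPLE, KNOWN_IDS):
        print(f"{json_path}: {problem}")
```

Run against the constructed sample, the check flags the inline product password, the certificate field that points at a password entry, and the administrator password whose ID is not in the inventory; the license reference passes.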

VMware Aria Suite Lifecycle Design Requirements and Recommendations for VMware Cloud Foundation

Consider the placement, networking, sizing, and high availability requirements for using VMware Aria Suite Lifecycle for deployment and life cycle management of VMware Aria Suite components in VMware Cloud Foundation. Also apply the best practices that help VMware Aria Suite Lifecycle operate in an optimal way.

VMware Aria Suite Lifecycle Design Requirements

You must meet the following design requirements for standard and stretched clusters in your VMware Aria Suite Lifecycle design for VMware Cloud Foundation. For NSX Federation, additional requirements exist.

Table 8. VMware Aria Suite Lifecycle Design Requirements for VMware Cloud Foundation

Requirement ID

Design Requirement

Justification

Implication

VCF-VASL-REQD-CFG-001

Deploy a VMware Aria Suite Lifecycle instance in the management domain of each VMware Cloud Foundation instance to provide life cycle management for VMware Aria Suite and Workspace ONE Access.

Provides life cycle management operations for VMware Aria Suite applications and Workspace ONE Access.

You must ensure that the required resources are available.

VCF-VASL-REQD-CFG-002

Deploy VMware Aria Suite Lifecycle by using SDDC Manager.

  • Deploys VMware Aria Suite Lifecycle in VMware Cloud Foundation mode, which enables the integration with the SDDC Manager inventory for product deployment and life cycle management of VMware Aria Suite components.

  • Automatically configures the standalone Tier-1 gateway required for load balancing the clustered Workspace ONE Access and VMware Aria Suite components.

None.

VCF-VASL-REQD-CFG-003

Allocate extra 100 GB of storage to the VMware Aria Suite Lifecycle appliance for VMware Aria Suite product binaries.

  • Provides support for VMware Aria Suite product binaries (install, upgrade, and patch) and content management.

  • SDDC Manager automates the creation of storage.

None.

VCF-VASL-REQD-CFG-004

Place the VMware Aria Suite Lifecycle appliance on an overlay-backed (recommended) or VLAN-backed NSX network segment.

Provides a consistent deployment model for management applications.

You must use an implementation in NSX to support this networking configuration.

VCF-VASL-REQD-CFG-005

Import VMware Aria Suite product licenses to the Locker repository for product life cycle operations.

  • You can review the validity, details, and deployment usage for the license across the VMware Aria Suite products.

  • You can reference and use licenses during product life cycle operations, such as deployment and license replacement.

When using the API, you must specify the Locker ID for the license to be used in the JSON payload.

VCF-VASL-REQD-ENV-001

Configure datacenter objects in VMware Aria Suite Lifecycle for local and cross-instance VMware Aria Suite deployments and assign the management domain vCenter Server instance to each data center.

You can deploy and manage the integrated VMware Aria Suite components across the SDDC as a group.

You must manage a separate datacenter object for the products that are specific to each instance.

VCF-VASL-REQD-ENV-002

If deploying VMware Aria Operations for Logs, create a local-instance environment in VMware Aria Suite Lifecycle.

Supports the deployment of an instance of VMware Aria Operations for Logs.

None.

VCF-VASL-REQD-ENV-003

If deploying VMware Aria Operations or VMware Aria Automation, create a cross-instance environment in VMware Aria Suite Lifecycle.

  • Supports deployment and management of the integrated VMware Aria Suite products across VMware Cloud Foundation instances as a group.

  • Enables the deployment of instance-specific components, such as VMware Aria Operations remote collectors. In VMware Aria Suite Lifecycle, you can deploy and manage VMware Aria Operations remote collector objects only in an environment that contains the associated cross-instance components.

You can manage instance-specific components, such as remote collectors, only in an environment that is cross-instance.

VCF-VASL-REQD-SEC-001

Use the custom vCenter Server role for VMware Aria Suite Lifecycle that has the minimum privileges required to support the deployment and upgrade of VMware Aria Suite products.

VMware Aria Suite Lifecycle accesses vSphere with the minimum set of permissions that are required to support the deployment and upgrade of VMware Aria Suite products.

SDDC Manager automates the creation of the custom role.

You must maintain the permissions required by the custom role.

VCF-VASL-REQD-SEC-002

Use the service account in vCenter Server for application-to-application communication from VMware Aria Suite Lifecycle to vSphere. Assign global permissions using the custom role.

  • Provides the following access control features:

    • VMware Aria Suite Lifecycle accesses vSphere with the minimum set of required permissions.

    • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

  • SDDC Manager automates the creation of the service account.

  • You must maintain the life cycle and availability of the service account outside of SDDC Manager password rotation.

Table 9. VMware Aria Suite Lifecycle Design Requirements for Stretched Clusters in VMware Cloud Foundation

Requirement ID

Design Requirement

Justification

Implication

VCF-VASL-REQD-CFG-006

For multiple availability zones, add the VMware Aria Suite Lifecycle appliance to the VM group for the first availability zone.

Ensures that, by default, the VMware Aria Suite Lifecycle appliance is powered on a host in the first availability zone.

If VMware Aria Suite Lifecycle is deployed after the creation of the stretched management cluster, you must add the VMware Aria Suite Lifecycle appliance to the VM group manually.

Table 10. VMware Aria Suite Lifecycle Design Requirements for NSX Federation in VMware Cloud Foundation

Requirement ID

Design Requirement

Justification

Implication

VCF-VASL-REQD-CFG-007

Configure the DNS settings for the VMware Aria Suite Lifecycle appliance to use DNS servers in each instance.

Improves resiliency in the event of an outage of external services for a VMware Cloud Foundation instance.

As you scale from a deployment with a single VMware Cloud Foundation instance to one with multiple VMware Cloud Foundation instances, the DNS settings of the VMware Aria Suite Lifecycle appliance must be updated.

VCF-VASL-REQD-CFG-008

Configure the NTP settings for the VMware Aria Suite Lifecycle appliance to use NTP servers in each VMware Cloud Foundation instance.

Improves resiliency if an outage of external services for a VMware Cloud Foundation instance occurs.

As you scale from a deployment with a single VMware Cloud Foundation instance to one with multiple VMware Cloud Foundation instances, the NTP settings on the VMware Aria Suite Lifecycle appliance must be updated.

VCF-VASL-REQD-ENV-004

Assign the management domain vCenter Server instance in the additional VMware Cloud Foundation instance to the cross-instance data center.

Supports the deployment of VMware Aria Operations remote collectors in an additional VMware Cloud Foundation instance.

None.

VMware Aria Suite Lifecycle Design Recommendations

In your VMware Aria Suite Lifecycle design for VMware Cloud Foundation, you can apply certain best practices.

Table 11. VMware Aria Suite Lifecycle Design Recommendations for VMware Cloud Foundation

Recommendation ID

Design Recommendation

Justification

Implication

VCF-VASL-RCMD-CFG-001

Protect VMware Aria Suite Lifecycle by using vSphere HA.

Supports the availability objectives for VMware Aria Suite Lifecycle without requiring manual intervention during a failure event.

None.

VCF-VASL-RCMD-LCM-001

Obtain product binaries for install, patch, and upgrade in VMware Aria Suite Lifecycle from VMware Customer Connect.

  • You can upgrade VMware Aria Suite products based on their general availability and endpoint interoperability rather than on their being listed as part of the VMware Cloud Foundation bill of materials (BOM).

  • You can deploy and manage binaries in environments that do not allow access to the Internet or that are dark sites.

The site must have an Internet connection to use VMware Customer Connect.

Sites without an Internet connection should use the local upload option instead.

VCF-VASL-RCMD-LCM-002

Use support packs (PSPAKS) for VMware Aria Suite Lifecycle to enable upgrading to later versions of VMware Aria Suite products.

Enables the upgrade of an existing VMware Aria Suite Lifecycle to permit later versions of VMware Aria Suite products without an associated VMware Cloud Foundation upgrade. See VMware Knowledge Base article 88829.

None.

VCF-VASL-RCMD-SEC-001

Enable integration between VMware Aria Suite Lifecycle and your corporate identity source by using the Workspace ONE Access instance.

  • Enables authentication to VMware Aria Suite Lifecycle by using your corporate identity source.

  • Enables authorization through the assignment of organization and cloud services roles to enterprise users and groups defined in your corporate identity source.

You must deploy and configure Workspace ONE Access to establish the integration between VMware Aria Suite Lifecycle and your corporate identity sources.

VCF-VASL-RCMD-SEC-002

Create corresponding security groups in your corporate directory services for VMware Aria Suite Lifecycle roles:

  • VCF

  • Content Release Manager

  • Content Developer

Streamlines the management of VMware Aria Suite Lifecycle roles for users.

  • You must create the security groups outside of the SDDC stack.

  • You must set the desired directory synchronization interval in Workspace ONE Access to ensure that changes are available within a reasonable period.