Following the principles of this design and of each product, you size, deploy, and configure NSX Manager as part of your VMware Cloud Foundation deployment.

Sizing Considerations for NSX Manager for VMware Cloud Foundation

You select an appropriate NSX Manager appliance size that is suitable for the scale of your environment.

When you deploy NSX Manager appliances, with either a local or global scope, you select an appliance size that is suitable for the scale of your environment. The option that you select determines the number of CPUs and the amount of memory of the appliance. For detailed sizing according to the overall profile of the VMware Cloud Foundation instance you plan to deploy, see the VMware Cloud Foundation Planning and Preparation Workbook.

Table 1. Sizing Considerations for NSX Manager

| NSX Manager Appliance Size | Scale |
|---|---|
| Extra-Small | Cloud Service Manager only |
| Small | Proof of concept |
| Medium | • Default for the management domain • Up to 128 ESXi hosts |
| Large | • Default for VI workload domains • Up to 1,024 ESXi hosts |

Note: To deploy an NSX Manager appliance in the VI workload domain with a size different from the default one, you must use the API.

NSX Manager Design Requirements and Recommendations for VMware Cloud Foundation

Consider the placement requirements for using NSX Manager in VMware Cloud Foundation, and the best practices for having an NSX Manager cluster operate in an optimal way, such as the number and size of the nodes and high availability, on a standard or stretched management cluster.

NSX Manager Design Requirements for VMware Cloud Foundation

You must meet the following design requirements in your NSX Manager design for VMware Cloud Foundation.

Table 2. NSX Manager Design Requirements for VMware Cloud Foundation

| Requirement ID | Design Requirement | Justification | Implication |
|---|---|---|---|
| VCF-NSX-LM-REQD-CFG-001 | Place the appliances of the NSX Manager cluster on the VM management network in the management domain. | • Simplifies IP addressing for management VMs by using the same VLAN and subnet. • Provides simplified secure access to management VMs in the same VLAN network. | None. |
| VCF-NSX-LM-REQD-CFG-002 | Deploy three NSX Manager nodes in the default vSphere cluster in the management domain for configuring and managing the network services for the workload domain. | Supports high availability of the NSX Manager cluster. | You must have sufficient resources in the default cluster of the management domain to run three NSX Manager nodes. |

NSX Manager Design Recommendations for VMware Cloud Foundation

In your NSX Manager design for VMware Cloud Foundation, you can apply certain best practices for standard and stretched clusters.

Table 3. NSX Manager Design Recommendations for VMware Cloud Foundation

| Recommendation ID | Design Recommendation | Justification | Implication |
|---|---|---|---|
| VCF-NSX-LM-RCMD-CFG-001 | Deploy appropriately sized nodes in the NSX Manager cluster for the workload domain. | Ensures resource availability and usage efficiency per workload domain. | The default size for a management domain is Medium, and for VI workload domains is Large. |
| VCF-NSX-LM-RCMD-CFG-002 | Create a virtual IP (VIP) address for the NSX Manager cluster for the workload domain. | Provides high availability of the user interface and API of NSX Manager. | • The VIP address feature provides high availability only. It does not load-balance requests across the cluster. • When using the VIP address feature, all NSX Manager nodes must be deployed on the same Layer 2 network. |
| VCF-NSX-LM-RCMD-CFG-003 | Apply VM-VM anti-affinity rules in vSphere Distributed Resource Scheduler (vSphere DRS) to the NSX Manager appliances. | Keeps the NSX Manager appliances running on different ESXi hosts for high availability. | You must allocate at least four physical hosts so that the three NSX Manager appliances continue running if an ESXi host failure occurs. |
| VCF-NSX-LM-RCMD-CFG-004 | In vSphere HA, set the restart priority policy for each NSX Manager appliance to high. | • NSX Manager implements the control plane for virtual network segments. vSphere HA restarts the NSX Manager appliances first so that other virtual machines that are being powered on or migrated by using vSphere vMotion while the control plane is offline lose connectivity only until the control plane quorum is re-established. • Setting the restart priority to high reserves the highest priority for flexibility for adding services that must be started before NSX Manager. | If the restart priority for another management appliance is set to highest, the connectivity delay for management appliances will be longer. |

Table 4. NSX Manager Design Recommendations for Stretched Clusters in VMware Cloud Foundation

| Recommendation ID | Design Recommendation | Justification | Implication |
|---|---|---|---|
| VCF-NSX-LM-RCMD-CFG-006 | Add the NSX Manager appliances to the virtual machine group for the first availability zone. | Ensures that, by default, the NSX Manager appliances are powered on a host in the primary availability zone. | None. |

NSX Global Manager Design Requirements and Recommendations for VMware Cloud Foundation

For a deployment with multiple VMware Cloud Foundation instances, you use NSX Federation, which requires the manual deployment of NSX Global Manager nodes in the first two instances. Consider the placement requirements for using NSX Global Manager in VMware Cloud Foundation, and the best practices for having an NSX Global Manager cluster operate in an optimal way, such as the number and size of the nodes and high availability, on a standard or stretched management cluster.

NSX Global Manager Design Requirements

You must meet the following design requirements in your NSX Global Manager design for VMware Cloud Foundation.

Table 5. NSX Global Manager Design Requirements for VMware Cloud Foundation

| Requirement ID | Design Requirement | Justification | Implication |
|---|---|---|---|
| VCF-NSX-GM-REQD-CFG-001 | Place the appliances of the NSX Global Manager cluster on the Management VM network in each VMware Cloud Foundation instance. | • Simplifies IP addressing for management VMs. • Provides simplified secure access to all management VMs in the same VLAN network. | None. |

NSX Global Manager Design Recommendations

In your NSX Global Manager design for VMware Cloud Foundation, you can apply certain best practices for standard and stretched clusters.

Table 6. NSX Global Manager Design Recommendations for VMware Cloud Foundation

| Recommendation ID | Design Recommendation | Justification | Implication |
|---|---|---|---|
| VCF-NSX-GM-RCMD-CFG-001 | Deploy three NSX Global Manager nodes for the workload domain to support NSX Federation across VMware Cloud Foundation instances. | Provides high availability for the NSX Global Manager cluster. | You must have sufficient resources in the default cluster of the management domain to run three NSX Global Manager nodes. |
| VCF-NSX-GM-RCMD-CFG-002 | Deploy appropriately sized nodes in the NSX Global Manager cluster for the workload domain. | Ensures resource availability and usage efficiency per workload domain. | The recommended size for a management domain is Medium and for VI workload domains is Large. |
| VCF-NSX-GM-RCMD-CFG-003 | Create a virtual IP (VIP) address for the NSX Global Manager cluster for the workload domain. | Provides high availability of the user interface and API of NSX Global Manager. | • The VIP address feature provides high availability only. It does not load-balance requests across the cluster. • When using the VIP address feature, all NSX Global Manager nodes must be deployed on the same Layer 2 network. |
| VCF-NSX-GM-RCMD-CFG-004 | Apply VM-VM anti-affinity rules in vSphere DRS to the NSX Global Manager appliances. | Keeps the NSX Global Manager appliances running on different ESXi hosts for high availability. | You must allocate at least four physical hosts so that the three NSX Manager appliances continue running if an ESXi host failure occurs. |
| VCF-NSX-GM-RCMD-CFG-005 | In vSphere HA, set the restart priority policy for each NSX Global Manager appliance to medium. | • NSX Global Manager implements the management plane for global segments and firewalls. NSX Global Manager is not required for control plane and data plane connectivity. • Setting the restart priority to medium reserves the high priority for services that impact the NSX control or data planes. | • Management of NSX global components will be unavailable until the NSX Global Manager virtual machines restart. • The NSX Global Manager cluster is deployed in the management domain, where the total number of virtual machines is limited and where it competes with other management components for restart priority. |
| VCF-NSX-GM-RCMD-CFG-006 | Deploy an additional NSX Global Manager Cluster in the second VMware Cloud Foundation instance. | Enables recoverability of NSX Global Manager in the second VMware Cloud Foundation instance if a failure in the first VMware Cloud Foundation instance occurs. | Requires additional NSX Global Manager nodes in the second VMware Cloud Foundation instance. |
| VCF-NSX-GM-RCMD-CFG-007 | Set the NSX Global Manager cluster in the second VMware Cloud Foundation instance as standby for the workload domain. | Enables recoverability of NSX Global Manager in the second VMware Cloud Foundation instance if a failure in the first instance occurs. | Must be done manually. |
| VCF-NSX-GM-RCMD-SEC-001 | Establish an operational practice to capture and update the thumbprint of the NSX Local Manager certificate on NSX Global Manager every time the certificate is updated by using SDDC Manager. | Ensures secured connectivity between the NSX Manager instances. Each certificate has its own unique thumbprint. NSX Global Manager stores the unique thumbprint of the NSX Local Manager instances for enhanced security. If an authentication failure between NSX Global Manager and NSX Local Manager occurs, objects that are created from NSX Global Manager will not be propagated on to the SDN. | The administrator must establish and follow an operational practice by using a runbook or automated process to ensure that the thumbprint is up-to-date. |
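
One way to automate the thumbprint check that VCF-NSX-GM-RCMD-SEC-001 calls for, as an added example that is not VMware code: it recomputes each NSX Local Manager certificate thumbprint and compares it with the value registered on NSX Global Manager, so a rotated certificate is flagged before propagation fails. The SHA-256 algorithm, the names `lm-a` to `lm-c`, the sample certificates and the way both values are obtained are assumptions of this example.

```python
import base64, hashlib, hmac, re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def thumbprint(pem: str) -> str:
    """SHA-256 (assumed algorithm) over the DER bytes of the first certificate."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def normalise(value: str) -> str:
    """Accept 'AB:CD:...' or plain hex in any case; return lowercase hex."""
    cleaned = value.replace(":", "").replace(" ", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("not a SHA-256 thumbprint")
    return cleaned

def find_drift(presented: dict, registered: dict) -> dict:
    """Classify each Local Manager as 'ok', 'stale' or 'unregistered'."""
    report = {}
    for name, pem in presented.items():
        stored = registered.get(name)
        if stored is None:
            report[name] = "unregistered"
        elif hmac.compare_digest(thumbprint(pem), normalise(stored)):
            report[name] = "ok"
        else:
            report[name] = "stale"  # rotated, Global Manager not updated
    return report

def constructed_pem(payload: bytes) -> str:
    """Constructed sample: PEM armour around placeholder bytes, not real X.509."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed inventory with hypothetical names. In practice the PEM is read
# from each Local Manager and the stored value from the Global Manager.
PRESENTED = {n: constructed_pem(f"{n} current certificate".encode())
             for n in ("lm-a", "lm-b", "lm-c")}
_a = thumbprint(PRESENTED["lm-a"])
REGISTERED = {
    "lm-a": ":".join(_a[i:i + 2] for i in range(0, 64, 2)).upper(),
    "lm-b": thumbprint(constructed_pem(b"lm-b certificate before rotation")),
}

if __name__ == "__main__":
    print(find_drift(PRESENTED, REGISTERED))
```

A `stale` result is the condition the runbook has to act on: the Local Manager presents a new certificate while the Global Manager still holds the old thumbprint.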

Table 7. NSX Global Manager Design Recommendations for Stretched Clusters in VMware Cloud Foundation

| Recommendation ID | Design Recommendation | Justification | Implication |
|---|---|---|---|
| VCF-NSX-GM-RCMD-CFG-008 | Add the NSX Global Manager appliances to the virtual machine group for the first availability zone. | Ensures that, by default, the NSX Global Manager appliances are powered on a host in the primary availability zone. | Done automatically by VMware Cloud Foundation when stretching a cluster. |