Deployment Overview of VMware Cloud Foundation

The deployment of VMware Cloud Foundation is automated. You use VMware Cloud Builder to deploy the management domain, SDDC Manager to deploy VI workload domains for customer workloads, and VMware Aria Suite Lifecycle™ in VMware Cloud Foundation mode to deploy VMware Aria Suite products and Workspace ONE Access.

You deploy management components manually only in a few cases according to the instructions.

An example deployment flow can start with deploying all management components in VMware Cloud Foundation. You deploy the management domain and extend its capabilities with cloud management and cloud monitoring by using VMware Aria Suite or with other solutions. Next, you deploy VI workload domains for customer workloads and integrate each newly deployed domain with the solutions in place. Finally, you can introduce multiple availability zones for workload high-availability and mobility inside a data center, and additional VMware Cloud Foundation instances for workload mobility across physical locations.

Start with the management domain, add VMware Aria Suite in the management domain, and add a VI workload domain and connect it to vRealize Suite, all with SDDC Manager. — Figure 1. Example Deployment Flow for a Single VMware Cloud Foundation Instance

For NSX Federation, also deploy NSX Global Manager in the management domain of each VCF instance. Use SDDC Manager for vSAN stretched clusters. — Figure 2. Example Deployment Flow with NSX Federation

Deploying the Management Domain

The management domain of a VMware Cloud Foundation instance contains the components for deployment and operation of virtual infrastructure for customer workloads. Following a certain sequence of operations, you bring up VMware Cloud Foundation first. This operation deploys the management domain. Then, you can proceed with deploying VMware Aria Suite products and VI workload domains.


Steps		Description
0. Plan and prepare for the management domain deployment.		Work with the technology team of your organization on configuring the physical servers, network, and storage in the data center. Collect the environment details and write them down in the VMware Cloud Foundation Planning and Preparation Workbook in Microsoft^® Excel^® spreadsheet format (XLS).
1. Deploy the VMware Cloud Builder Appliance		Deploy the VMware Cloud Builder appliance on a laptop running VMware Workstation or VMware Fusion, or on an ESXi host.
2. Prepare the ESXi Hosts for VMware Cloud Foundation		Prepare a minimum of four ESXi hosts for the management domain by manually installing ESXi or by using the VMware Imaging Appliance.
3. Deploy the management domain by using VMware Cloud Builder.		Download the deployment parameter workbook for VMware Cloud Builder for VMware Cloud Foundation or for VMware Cloud Foundation on Dell EMC VxRail from VMware Customer Connect and fill in the details for the management domain deployment. In the workbook, select key-based licensing mode for VMware Cloud Foundation. You can use the details from the VMware Cloud Foundation Planning and Preparation Workbook. Then, upload the deployment parameter workbook to VMware Cloud Builder. After VMware Cloud Builder validates the target environment against the specification in the deployment parameter workbook, perform bring-up of the management domain. After bring-up is complete, the management domain contains vCenter Server, vSAN, and SDDC Manager.
Post-Deployment Configuration	Configure the Repository Settings for SDDC Manager	After the deployment of the management domain, configure SDDC Manager with repository credentials by using a VMware Customer Connect account. In this way, SDDC Manager can access the inventory of installation and upgrade bundles on depot.vmware.com. You can update the components of VMware Cloud Foundation as soon as an update is available.
	Configure backup of management components.	Optional. Reconfigure SFTP Backups for SDDC Manager and NSX-T Data Center By default, backups of NSX-T Data Center and SDDC Manager are stored on the SDDC Manager appliance. You should change the destination of the backups to an external SFTP server to ensure you can recover these components in the event of a failure. File-Based Backup of SDDC Manager and vCenter Server You should also configure a backup schedule for SDDC Manager and management domain vCenter Server, and export the vSphere Distributed Switch configuration.
	Configure certificate management in SDDC Manager.	Optional. If you want to use SDDC Manager to manage CA-signed certificates for management components, prepare a Microsoft certificate authority server, configure the integration with SDDC Manager, and then update the certificates for components for establishing a secure communication to the components of VMware Cloud Foundation.
	Configure password management.	To provide best security and proactively prevent any passwords from expiring, rotate passwords over a regular period according to the security policy of your organization, for example, every 90 days. You can use one of these password rotation options: Auto-rotate passwords according to a schedule in SDDC Manager. Manually rotate passwords.
	Create an automation account.	If you plan to use VMware Cloud Foundation APIs in automation scripts, create a special service account and generate tokens for protected access to the automation platform.

Deploying VMware Aria Suite Lifecycle and Workspace ONE Access

VMware Aria Suite Lifecycle is the foundation for automated deployment of VMware Aria Suite products on VMware Cloud Foundation for operations management, logging and workload provisioning. You use Workspace ONE Access that is integrated with VMware Aria Suite Lifecycle for central role-based access control in VMware Aria Suite.


Steps	Description
0. Plan and prepare for the deployment of VMware Aria Suite Lifecycle and Workspace ONE Access.	Work with the technology team of your organization on configuring the physical servers, network, and storage in the data center. Collect the environment details and write them down in the VMware Cloud Foundation Planning and Preparation Workbook in Microsoft^® Excel^® spreadsheet format (XLS).
1. Set up routing and networks in NSX.	Deploy an NSX Edge Cluster Deploy an NSX Edge cluster in the management domain and application virtual networks. SDDC Manager deploys the edge cluster and creates Tier-0 and Tier-1 gateways for north-south and east-west routing for management components in VMware Cloud Foundation. Deploy Application Virtual Networks When SDDC Manager creates the NSX segments for the application virtual networks, it connects them to the NSX gateways. See Application Virtual Network Design for VMware Cloud Foundation.
2. Deploy VMware Aria Suite Lifecycle.	You deploy VMware Aria Suite Lifecycle in the management domain. SDDC Manager provides inventory information about the management domain in VMware Aria Suite Lifecycle. SDDC Manager also configures the NSX Tier 1 gateway to support the load balancer for the cross-region solutions.
Post-Deployment Configuration of VMware Aria Suite Lifecycle	Replace the Certificate of the VMware Aria Suite Lifecycle Instance Upload a CA-signed certificate for trusted communication to VMware Aria Suite Lifecycle Configure Data Center and vCenter Server in VMware Aria Suite Lifecycle Perform configuration procedures so that you can manage the deployment and life cycle of VMware Aria Suite.
3. Deploy Workspace ONE Access.	Optional. If you want to provide centralized identity and access management to VMware Aria Suite, deploy a Workspace ONE Access instance and integrate it with Active Directory. For a clustered Workspace ONE Access instance, VMware Aria Suite Lifecycle calls SDDC Manager to configures the required NSX load balancer.
Post-Deployment Configuration for VMware Aria Suite Lifecycle and Workspace ONE Access	Add the Workspace ONE Access Passwords to VMware Aria Suite Lifecycle Optional. Create separate passwords for the administrator accounts for the VMware Aria Suite Lifecycle global environment and Workspace ONE Access. Image-Based Backup and Restore of VMware Cloud Foundation Optional. Create full virtual machine image-level backup jobs by using a backup solution that is compatible with VMware vSphere Storage APIs - Data Protection (VADP).
4. Deploy a VMware Aria Suite solution that is required by your SDDC design.	Deploy a VMware Aria Suite solution in VMware Cloud Foundation and connect it with the platform and with other VMware Aria Suite components to form a fully-integrated cloud management system. For information on deploying VMware Aria Suite components and integrating them with the VMware Cloud Foundation platform, see VMware Cloud Foundation Validated Solutions.

Deploying a Virtual Infrastructure Workload Domain

After you deploy the management domain and VMware Aria Suite solutions in VMware Cloud Foundation, following a certain sequence of operations, you create a VI workload domain to run customer workloads with specific requirements.

vCenter Server and the NSX Manager cluster for the VI workload domain are deployed on the management domain. You deploy the NSX edge cluster in the VI workload domain. See Workload Domains in VMware Cloud Foundation.


Steps	Description
0. Plan and prepare for the VI workload domain deployment.	Work with the technology team of your organization on configuring the physical servers, network, and storage in the data center. Collect the environment details and write them down in the VMware Cloud Foundation Planning and Preparation Workbook in Microsoft^® Excel^® spreadsheet format (XLS).
1. Prepare the ESXi hosts and add them to VMware Cloud Foundation.	Prepare ESXi Hosts for VMware Cloud Foundation Prepare a minimum of three ESXi hosts for the VI workload domain by manually installing ESXi. Create a Network Pool A network pool is a collection of subnets within a Layer-2 network domain. Each ESXi host is assigned IP addresses from this network pool for vSphere vMotion and storage. Commission Hosts Adding hosts to the SDDC Manager inventory is called commissioning. Add hosts individually or use a JSON template to add multiple hosts at once. SDDC Manager validates the specification of the hosts against the requirements for operating in VMware Cloud Foundation. Add License Keys Optional. Add license keys with sufficient capacity and required feature scope for vSphere, NSX, vCenter Server, and vSAN if used as principal storage. If the licenses you provided for the management domain at bring-up have enough capacity, you can use them instead.
2. Deploy a VI Workload Domain.	After the hosts are commissioned, deploy the VI workload domain by using the automated workflow in SDDC Manager.
3. Deploy an NSX Edge Cluster.	Deploy an NSX Edge cluster in a vSphere cluster in the VI workload domain to provide networking services and connectivity to the external network for your workloads.
4. Connect the VMware Aria Suite solution to the workload domains.	After you deploy the VI workload domain, use SDDC Manager to integrate it with the VMware Aria Suite components in your environment. For information on connecting VMware Aria Suite components with the VMware Cloud Foundation platform, see VMware Cloud Foundation Validated Solutions.
Post-Deployment Configuration	File-Based Backup of SDDC Manager and vCenter Server Optional. Configure a backup schedule and location for the VI workload domain vCenter Server, and export the vSphere Distributed Switch configuration. Configure certificate management in SDDC Manager Optional. If you want to manage signed certificates for management components of the VI workload domain, use the SDDC Manager UI to update them. Configure password management To provide best security and proactively prevent any passwords from expiring, rotate passwords over a regular period according to the security policy of your organization, for example, every 90 days. You can use one of these password rotation options: Auto-rotate passwords according to a schedule in SDDC Manager. Manually rotate passwords.

Deploying Additional Availability Zones and VMware Cloud Foundation Instances

After you initially deploy VMware Cloud Foundation in a single availability zone, following a certain sequence of operations, you can expand the environment to multiple availability zones by using vSAN stretched clusters or add another VMware Cloud Foundation instance connecting it to the environment by using NSX Federation.


Steps	Description
Deploy multiple availability zones in the management domain and in the VI workload domain.	Plan and prepare for configuring the vSAN stretched clusters. Work with the technology team of your organization on configuring the physical servers, network, and storage in the data centers. Collect the environment details and write them down in the VMware Cloud Foundation Planning and Preparation Workbook in Microsoft^® Excel^® spreadsheet format (XLS). Deploy the vSAN witness appliance for the management domain on a third site and configure the vSAN stretched cluster for the management domain. Deploy the vSAN witness appliance for the VI workload domain cluster on a third site and configure the vSAN stretched cluster for a vSAN cluster in the VI workload domain.
Configure NSX Federation to add moreVMware Cloud Foundation instances.	Plan and prepare for configuring NSX Federation. Work with the technology team of your organization on configuring the physical servers, network, and storage in the data centers. Collect the environment details and write them down in the VMware Cloud Foundation Planning and Preparation Workbook in Microsoft^® Excel^® spreadsheet format (XLS). In the first VMware Cloud Foundation instance, deploy an NSX Global Manager cluster for the management domain. If you plan to implement customer workload mobility across physical locations, deploy an NSX Global Manager cluster for the VI workload domain too. Activate NSX Federation by setting each NSX Global Manager in the first instance as active. Connect the NSX Global Manager to the local NSX Manager and prepare Tier-0 and Tier-1 gateways and NSX segments for stretched networking. Deploy a second VMware Cloud Foundation instance. Deploy manually one or more NSX Global Manager clusters in the second VMware Cloud Foundation instance. Set each NSX Global Manager in the second VMware Cloud Foundation instance as standby in the federation. Connect it to the local NSX Manager and complete the configuration of Tier-0 and Tier-1 gateway and NSX segments for stretched networking according to the requirements for workload mobility. Add more VMware Cloud Foundationinstances connecting their local NSX Managers to the dedicated NSX Global Manager in the first instance.