You place the Cloud Proxy and the Cloud Extensibility Proxy appliances on the management VLAN.

Network Segment

The network segment design consists of characteristics and decisions for placement of the Cloud Proxy and the Cloud Extensibility Proxy in the management domain.

This validated solution places the Cloud Proxy and the Cloud Extensibility Proxy within the management VLAN of the VMware Cloud Foundation instance. This ensures connectivity and close proximity to the vCenter Server and NSX Manager instances they communicate with.

Figure 1. Network Design for Cloud-Based Automation on Management VLAN
The Cloud Proxy appliance and the Cloud Extensibility Proxy are placed on the management network of the VMware Cloud Foundation instance together with the other components they communicate with. These components are the Workload Domain vCenter Server and Workload Domain NSX Manager instances. The Standalone Workspace ONE Access instance is connected through the overlay-backed NSX segment.
Table 1. Design Decisions on Network Segments

CBA-CDP-NET-001
  Design Decision: Place the Cloud Proxy appliance on the management VLAN.
  Design Justification:
    • Places the Cloud Proxy on the same network as the VMware Cloud Foundation components that the appliance must communicate with.
    • Provides a consistent deployment model for VMware Cloud services.
  Design Implication: None.

CBA-CEP-NET-001
  Design Decision: Place the Cloud Extensibility Proxy appliance on the management VLAN.
  Design Justification:
    • Places the Cloud Extensibility Proxy on the same network as the VMware Cloud Foundation components that the appliance must communicate with.
    • Provides a consistent deployment model for VMware Cloud services.
  Design Implication: None.

IP Addressing

Allocate statically assigned IP addresses and host names to the cloud proxies from their corresponding network.

If the Kubernetes default network ranges conflict with your environment, you can override the defaults during the deployment of the Cloud Proxy appliance.

Table 2. Design Decisions on IP Addressing

CBA-CDP-NET-002
  Design Decision: Allocate statically assigned IP addresses from the management VLAN to the Cloud Proxy appliance.
  Design Justification: Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.
  Design Implication: Requires precise IP address management.

CBA-CEP-NET-002
  Design Decision: Allocate statically assigned IP addresses from the management VLAN to the Cloud Extensibility Proxy appliance.
  Design Justification: Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.
  Design Implication: Requires precise IP address management.

Name Resolution

Name resolution provides the translation between an IP address and a fully qualified domain name (FQDN), which makes it easier to remember and connect to components across the SDDC. The IP address of each appliance must have valid internal DNS forward (A) and reverse (PTR) records that resolve to each other.

Table 3. Design Decisions on Name Resolution

CBA-CDP-NET-003
  Design Decision: Configure forward and reverse DNS records for the Cloud Proxy appliance IP address.
  Design Justification: Ensures the appliance is accessible by using a fully qualified domain name instead of using IP addresses only.
  Design Implication:
    • You must provide a DNS record for the appliance IP address.
    • Firewalls between the appliance and the DNS servers must allow DNS traffic.

CBA-CDP-NET-004
  Design Decision: Configure DNS servers on the Cloud Proxy appliance.
  Design Justification: Ensures the appliance has accurate name resolution.
  Design Implication:
    • DNS infrastructure services should be highly available in the environment.
    • Firewalls between the appliance and the DNS servers must allow DNS traffic.
    • You must provide two or more DNS servers unless DNS geographic load balancing is active.

CBA-CEP-NET-003
  Design Decision: Configure forward and reverse DNS records for the Cloud Extensibility Proxy appliance IP address.
  Design Justification: Ensures the appliance is accessible by using a fully qualified domain name instead of using IP addresses only.
  Design Implication:
    • You must provide a DNS record for the appliance IP address.
    • Firewalls between the appliance and the DNS servers must allow DNS traffic.

CBA-CEP-NET-004
  Design Decision: Configure DNS servers on the Cloud Extensibility Proxy appliance.
  Design Justification: Ensures the appliance has accurate name resolution.
  Design Implication:
    • DNS infrastructure services should be highly available in the environment.
    • Firewalls between the appliance and the DNS servers must allow DNS traffic.
    • You must provide two or more DNS servers unless DNS geographic load balancing is active.

Time Synchronization

The system time for the Cloud Proxy and Cloud Extensibility Proxy appliances, along with dependencies and integrations, must be synchronized and must use the same timezone.

Table 4. Design Decisions on Time Synchronization

CBA-CDP-NET-005
  Design Decision: Configure NTP servers for the Cloud Proxy appliance.
  Design Justification:
    • Ensures that the appliance has accurate time synchronization.
    • Assists in the prevention of time mismatch between the appliance and its dependencies.
  Design Implication:
    • NTP infrastructure services should be highly available in the environment.
    • Firewalls between the appliance and the NTP servers must allow NTP traffic.
    • You must provide two or more NTP servers unless NTP geographic load balancing is active.

CBA-CEP-NET-005
  Design Decision: Configure NTP servers for the Cloud Extensibility Proxy appliance.
  Design Justification:
    • Ensures that the appliance has accurate time synchronization.
    • Assists in the prevention of time mismatch between the appliance and its dependencies.
  Design Implication:
    • NTP infrastructure services should be highly available in the environment.
    • Firewalls between the appliance and the NTP servers must allow NTP traffic.
    • You must provide two or more NTP servers unless NTP geographic load balancing is active.
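The IP addressing, name resolution and time synchronization decisions above are all checkable before the appliances are deployed. The following Python script is an added example, not part of the validated solution or of any VMware tooling: it validates each appliance's planned settings against the decisions (static address inside the management VLAN, A and PTR records that agree, at least two DNS and two NTP servers, a common timezone, duplicate addresses across the design, and Kubernetes ranges that do not overlap the management VLAN). All host names, addresses, the subnet and the Kubernetes CIDRs are constructed assumptions, and the two dictionaries stand in for the internal DNS zones so the check runs offline; in a real pipeline they would be replaced by queries to the corporate resolvers.

```python
"""Pre-deployment validation of Cloud Proxy / Cloud Extensibility Proxy network
settings against the design decisions in this section. Added example; every
name, address, subnet and CIDR below is a constructed assumption."""
import ipaddress

MGMT_VLAN = ipaddress.ip_network("172.16.11.0/24")  # assumed management VLAN subnet

# Constructed stand-ins for the internal DNS forward and reverse zones.
FORWARD = {  # A records
    "cdp01.mgmt.example.com": "172.16.11.60",
    "cep01.mgmt.example.com": "172.16.11.61",
    "cep02.mgmt.example.com": "172.16.11.62",
}
REVERSE = {  # PTR records
    "172.16.11.60": "cdp01.mgmt.example.com",
    "172.16.11.61": "cep01-old.mgmt.example.com",  # stale PTR left from a rebuild
    # 172.16.11.62 deliberately has no PTR record
}

# Constructed appliance settings as they would be entered during OVF deployment.
# k8s_cidrs are placeholders for the Kubernetes default ranges shown by the wizard.
APPLIANCES = [
    {"fqdn": "cdp01.mgmt.example.com", "ip": "172.16.11.60",
     "dns": ["172.16.11.4", "172.16.11.5"], "ntp": ["ntp1.example.com", "ntp2.example.com"],
     "tz": "UTC", "k8s_cidrs": ["10.244.0.0/16"]},
    {"fqdn": "cep01.mgmt.example.com", "ip": "172.16.11.61",
     "dns": ["172.16.11.4"], "ntp": ["ntp1.example.com", "ntp2.example.com"],
     "tz": "UTC", "k8s_cidrs": ["10.244.0.0/16"]},
    {"fqdn": "cep02.mgmt.example.com", "ip": "172.16.11.62",
     "dns": ["172.16.11.4", "172.16.11.5"], "ntp": ["ntp1.example.com"],
     "tz": "Europe/Berlin", "k8s_cidrs": ["172.16.0.0/12"]},  # overlaps the management VLAN
]


def _norm(name):
    return name.lower().rstrip(".")


def check_appliance(app, forward=FORWARD, reverse=REVERSE, mgmt_vlan=MGMT_VLAN, expected_tz="UTC"):
    """Return a list of findings; an empty list means every decision is satisfied."""
    findings = []
    ip = ipaddress.ip_address(app["ip"])

    # NET-002: the static address must come from the management VLAN.
    if ip not in mgmt_vlan:
        findings.append(f"NET-002: {ip} is not in the management VLAN {mgmt_vlan}")

    # NET-003: A and PTR records must both exist and resolve to each other.
    a_record = forward.get(_norm(app["fqdn"]))
    if a_record is None:
        findings.append(f"NET-003: no A record for {app['fqdn']}")
    elif a_record != app["ip"]:
        findings.append(f"NET-003: A record for {app['fqdn']} is {a_record}, expected {app['ip']}")
    ptr_record = reverse.get(app["ip"])
    if ptr_record is None:
        findings.append(f"NET-003: no PTR record for {app['ip']}")
    elif _norm(ptr_record) != _norm(app["fqdn"]):
        findings.append(f"NET-003: PTR for {app['ip']} is {ptr_record}, expected {app['fqdn']}")

    # NET-004 / NET-005: two or more distinct DNS and NTP servers.
    if len(set(app["dns"])) < 2:
        findings.append("NET-004: fewer than two DNS servers configured")
    if len(set(app["ntp"])) < 2:
        findings.append("NET-005: fewer than two NTP servers configured")

    # Time synchronization: the same timezone as dependencies and integrations.
    if app["tz"] != expected_tz:
        findings.append(f"TIME: timezone {app['tz']} differs from expected {expected_tz}")

    # Kubernetes default ranges must not overlap the network the appliance is on.
    for cidr in app.get("k8s_cidrs", []):
        if ipaddress.ip_network(cidr).overlaps(mgmt_vlan):
            findings.append(f"K8S: range {cidr} overlaps {mgmt_vlan}; override it at deployment")
    return findings


def check_design(apps=APPLIANCES, **kwargs):
    """Check every appliance and flag static IPs assigned to more than one of them."""
    report = {app["fqdn"]: check_appliance(app, **kwargs) for app in apps}
    seen = {}
    for app in apps:
        if app["ip"] in seen:
            report[app["fqdn"]].append(f"NET-002: {app['ip']} is already assigned to {seen[app['ip']]}")
        seen.setdefault(app["ip"], app["fqdn"])
    return report


if __name__ == "__main__":
    for fqdn, findings in check_design().items():
        print(fqdn, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run with the constructed data, the first appliance passes cleanly, the second is flagged for its stale PTR and single DNS server, and the third for the missing PTR, single NTP server, divergent timezone and overlapping Kubernetes range. The PTR check matters beyond convenience: components that validate or log the peer by reverse lookup will see the wrong name when A and PTR disagree.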