Deployment Model for VMware Aria Operations for Logs for Intelligent Logging and Analytics for VMware Cloud Foundation

The VMware Aria Operations for Logs cluster consists of one primary node and two worker nodes behind an integrated load balancer.

Deployment Type

You enable the integrated load balancer (ILB) on the three-node cluster so that all log sources can send logs to the cluster. When using the ILB, if there is a scale-out, it is not necessary to reconfigure all log sources with a new destination address. Using the ILB also guarantees that VMware Aria Operations for Logs accepts all incoming ingestion traffic.

VMware Aria Operations for Logs users accessing the web user interface or API, and clients ingesting logs using syslog or the Ingestion API, connect to VMware Aria Operations for Logs by using the ILB address.

In this validated solution, you deploy the VMware Aria Operations for Logs nodes on the default management vSphere cluster in each VMware Cloud Foundation instance.

The SDDC can comprise multiple VMware Cloud Foundation instances and multiple availability zones.

VMware Aria Operations for Logs is distributed as a product bundle that you download to VMware Aria Suite Lifecycle in VMware Cloud Foundation mode.

To accomplish the design objective of this design, you deploy or reuse the following components to deploy this validated solution for VMware Cloud Foundation:

SDDC Manager
VMware Aria Suite Lifecycle
Supporting infrastructure services, such as Active Directory, DNS, and NTP.

Table 1. Design Decisions on Deployment of VMware Aria Operations for Logs
Decision ID	Design Decision	Design Justification	Design Implication
ILA-VAOL-CFG-001	Deploy a three node VMware Aria Operations for Logs cluster - one primary and two worker nodes with an integrated load balancer, in the default management vSphere cluster.	Provides high availability. Using the integrated load balancer prevents a single point of failure. Using the integrated load balancer simplifies the VMware Aria Operations for Logs deployment and subsequent integration.	You must deploy a minimum of three medium-size nodes. You must size all nodes identically. If the capacity of your VMware Aria Operations for Logs cluster must expand, identical capacity must be added to each node.
ILA-VAOL-CFG-002	To deploy VMware Aria Operations for Logs, use the VMware Aria Suite Lifecycle instance in the corresponding VMware Cloud Foundation instance.	VMware Aria Operations for Logs product binary is downloaded directly to VMware Aria Suite Lifecycle in VMware Cloud Foundation mode.	You must deploy VMware Aria Suite Lifecycle in each VMware Cloud Foundation instance.
ILA-VAOL-CFG-003	Protect all VMware Aria Operations for Logs cluster nodes by using vSphere High Availability.	Supports the availability objectives for VMware Aria Operations for Logs without requiring manual intervention during an ESXi host failure event.	None.
ILA-VAOL-CFG-004	Apply a vSphere Distributed Resource Scheduler (DRS) anti-affinity rule to the VMware Aria Operations for Logs cluster virtual machines.	Using vSphere DRS prevents the VMware Aria Operations for Logs cluster virtual machines from running on the same ESXi host and risking the high availability of the cluster.	You must perform additional configuration to set up an anti- affinity rule. For a default management vSphere cluster that consists of four ESXi hosts, only a single ESXi host can enter maintenance mode at the same time.
ILA-VAOL-CFG-005	Place the VMware Aria Operations for Logs cluster virtual machines in a dedicated virtual machine folder.	Provides an organization of the VMware Aria Operations for Logs nodes in the management domain inventory.	You must create the virtual machine folder.

Deployment for Multiple Availability Zones

In an environment with multiple availability zones, the VMware Aria Operations for Logs cluster runs in the first availability zone. If a failure occurs in the first availability zone, the VMware Aria Operations for Logs cluster is failed over to the second availability zone.

Table 2. Design Decision on Deployment of VMware Aria Operations for Logs for Multiple Availability Zones
Decision ID	Design Decision	Design Justification	Design Implication
ILA-VAOL-CFG-006	When using two availability zones, add the VMware Aria Operations for Logs cluster virtual machines to the first availability zone VM group.	Ensures that, by default, the VMware Aria Operations for Logs cluster virtual machines are powered on within the first availability zone hosts group.	If VMware Aria Operations for Logs is deployed after the creation of the stretched cluster for management domain availability zones, the VM group for the first availability zone virtual machines must be updated to include the VMware Aria Operations for Logs cluster nodes.

Deployment for Multiple VMware Cloud Foundation Instances

In an environment with multiple VMware Cloud Foundation instances, you deploy a VMware Aria Operations for Logs cluster in each VMware Cloud Foundation instance.

Table 3. Design Decisions on Deployment of VMware Aria Operations for Logs for Multiple VMware Cloud Foundation Instances
Decision ID	Design Decision	Design Justification	Design Implication
ILA-VAOL-CFG-007	In an environment with multiple VMware Cloud Foundation instances, deploy a three node VMware Aria Operations for Logs cluster the default management vSphere cluster in each VMware Cloud Foundation instance.	Provides a local VMware Aria Operations for Logs infrastructure to each VMware Cloud Foundation instance for both availability, scale and performance reasons.	You must deploy VMware Aria Suite Lifecycle in each VMware Cloud Foundation instance.
ILA-VAOL-CFG-008	In an environment with multiple VMware Cloud Foundation instances, place the VMware Aria Operations for Logs cluster virtual machines in each instance in a dedicated virtual machine folder.	Provides an organization of the VMware Aria Operations for Logs cluster nodes in the management domain inventory.	You must create the virtual machine folder.

Sizing Compute and Storage Resources

To provide enough resources to accommodate the logs for the management components of the SDDC, you size resources for VMware Aria Operations for Logs.

To accommodate log data from the products in the SDDC, you must correctly size the compute resources and storage for the VMware Aria Operations for Logs cluster nodes. For a detailed sizing guidance, see the Sizing Estimator for VMware Aria Operations for Logs.

By default, the VMware Aria Operations for Logs appliance uses the predefined values for medium configurations.

To collect and store log data from management components according to the objectives of this design, select the appropriate size for the VMware Aria Operations for Logs nodes.

Table 4. Compute Resources for VMware Aria Operations for Logs per VMware Cloud Foundation Instance
Attribute	Per Appliance	Per Cluster
Appliance size	Medium	Medium
CPU	8 vCPUs	24 vCPUs
Memory	16 GB	48 GB
Disk capacity	530 GB	1,590 GB
IOPS	1,000	3,000
Amount of processed log data when using log ingestion	75 GB/day	225 GB/day
Number of processed log messages	5,000 events/second	15,000 events/second
Environment	Up to 250 syslog connections	Up to 750 syslog connections

Sizing is usually based on the organization requirements. This design provides calculations that are based on an implementation in a single VMware Cloud Foundation instance. This sizing is calculated according to the following logging sources in the VMware Cloud Foundation instance:

Table 5. Logging Sources for VMware Aria Operations for Logs
Category	Logging Source
Management domain	SDDC Manager appliance
	vCenter Server appliance
	ESXi hosts
	NSX Manager instances
	NSX Edge instances
VI workload domain	vCenter Server appliance
	ESXi hosts
	NSX Manager instances
	NSX Edge instances
VMware Aria Suite life cycle and access management	VMware Aria Suite Lifecycle appliance
VMware Aria Suite life cycle and access management	Clustered Workspace ONE Access nodes
Additional Solutions (if integrated into the environment	VMware Aria Operations nodes
	VMware Aria Automation nodes
	Site Recovery Manager appliance
	vSphere Replication appliance

The expected number of logging sources across two VMware Cloud Foundation instances requires approximately 160 GB of storage per node. Based on this example, the storage space that is allocated per medium-size VMware Aria Operations for Logs appliance is sufficient to monitor a multi-instance VMware Cloud Foundation.

Table 6. Design Decision on Sizing of VMware Aria Operations for Logs
Decision ID	Design Decision	Design Justification	Design Implication
ILA-VAOL-CFG-009	Deploy each node in the VMware Aria Operations for Logs cluster as a medium-size appliance.	Accommodates the expected approximately 200 syslog and VMware Aria Operations for Logs agent connections. Using medium-size nodes ensures that the storage space for the VMware Aria Operations for Logs cluster is sufficient for seven days of data retention.	You must scale-up the appliance size of the VMware Aria Operations for Logs nodes if the number of log sources exceeds the connection threshold for a medium-sized appliance.