The design decisions determine the deployment configuration, resource sizing, and monitoring support of vRealize Operations Manager in the SDDC.
Deployment Specification
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-CFG-001 | Deploy vRealize Operations Manager as a cluster of three nodes - one primary, one primary replica, and one data node, in the default management vSphere cluster. | | You must size all nodes identically, which increases the resource requirements in the SDDC. |
| IOM-VROPS-CFG-002 | Deploy two remote collector nodes in the default management vSphere cluster. | Removes from the analytics cluster the load of collecting metrics from local-instance applications. | You must assign a collector group when configuring the monitoring of a solution. |
| IOM-VROPS-CFG-003 | To deploy vRealize Operations Manager, use the vRealize Suite Lifecycle Manager instance in the corresponding VMware Cloud Foundation instance. | | You must deploy vRealize Suite Lifecycle Manager. |
| IOM-VROPS-CFG-004 | Protect all vRealize Operations Manager nodes by using vSphere High Availability. | Supports the availability objective for vRealize Operations Manager without requiring manual intervention during a failure event. | None. |
| IOM-VROPS-CFG-005 | Apply a vSphere Distributed Resource Scheduler (DRS) anti-affinity rule to the vRealize Operations Manager analytics cluster. | Using vSphere DRS prevents the vRealize Operations Manager analytics cluster virtual machines from running on the same ESXi host and risking the high availability of the cluster. | |
| IOM-VROPS-CFG-006 | Apply a vSphere Distributed Resource Scheduler (DRS) anti-affinity rule to the vRealize Operations Manager remote collector group. | Using vSphere DRS prevents the vRealize Operations Manager remote collector virtual machines from running on the same ESXi host and risking the high availability of the cluster. | You must perform additional configuration to set up an anti-affinity rule. |
| IOM-VROPS-CFG-007 | Place the vRealize Operations Manager analytics cluster virtual machines in a dedicated virtual machine folder. | Organizes the vRealize Operations Manager analytics cluster virtual machines in the management domain inventory. | You must create the virtual machine folder during or after the deployment. |
| IOM-VROPS-CFG-008 | Place the vRealize Operations Manager remote collector virtual machines in a dedicated virtual machine folder. | Organizes the vRealize Operations Manager remote collector virtual machines in the management domain inventory. | You must create the virtual machine folder during or after the deployment. |
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-CFG-009 | When using two availability zones, add the vRealize Operations Manager virtual machines to the first availability zone VM group. | Ensures that, by default, the vRealize Operations Manager virtual machines are powered on within the first availability zone host group. | If vRealize Operations Manager is deployed after the creation of the stretched cluster for management domain availability zones, you must update the VM group for the first availability zone virtual machines to include the vRealize Operations Manager virtual machines. |
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-CFG-010 | In an environment with multiple VMware Cloud Foundation instances, deploy two remote collector nodes in the default management vSphere cluster in each VMware Cloud Foundation instance by using the same vRealize Suite Lifecycle Manager instance and environment in the first VMware Cloud Foundation instance. | Removes from the analytics cluster the load of collecting metrics from local-instance applications. | You must assign a collector group when configuring the monitoring of a solution. |
| IOM-VROPS-CFG-011 | In an environment with multiple VMware Cloud Foundation instances, place the vRealize Operations Manager remote collector virtual machines in each instance in a dedicated virtual machine folder. | Organizes the vRealize Operations Manager remote collector virtual machines in the management domain inventory. | You must create the virtual machine folder during or after the deployment. |
| IOM-VROPS-CFG-012 | In an environment with multiple VMware Cloud Foundation instances, apply a vSphere Distributed Resource Scheduler (DRS) anti-affinity rule to the vRealize Operations Manager remote collector group. | Using vSphere DRS prevents the vRealize Operations Manager remote collector virtual machines from running on the same ESXi host and risking the high availability of the cluster. | You must perform additional configuration to set up an anti-affinity rule. |
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-CFG-013 | Deploy each node in the analytics cluster as a medium-size appliance. | | |
| IOM-VROPS-CFG-014 | If the number of SDDC objects exceeds 12,500, scale up the analytics cluster node size by using vRealize Suite Lifecycle Manager. | Ensures that the analytics cluster has enough capacity to meet the SDDC object and metric growth. | |
| IOM-VROPS-CFG-015 | Increase the initial storage of each vRealize Operations Manager analytics cluster node by 1 TB. | | None. |
| IOM-VROPS-CFG-016 | Deploy each remote collector node as a standard-size appliance. | | You must provide 4 vCPUs and 8 GB of memory in the default management vSphere cluster in each VMware Cloud Foundation instance. |
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-CFG-017 | Configure vRealize Operations Manager to use an outbound SMTP mail server to route notifications for system events. | Delivers vRealize Operations Manager system event notifications to users by email, which provides an enhanced user experience. | You must maintain an SMTP server. |
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-CFG-018 | Configure the correct currency in the vRealize Operations Manager global options. | Ensures accurate costing in the correct currency. | The currency cannot be changed after the initial configuration. |
Network Design
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-NET-001 | Place the vRealize Operations Manager analytics nodes on the cross-instance NSX network segment. | Provides a consistent deployment model for management applications and the potential to extend to a second VMware Cloud Foundation instance for disaster recovery. | You must use an implementation of NSX-T Data Center to support this network configuration. |
| IOM-VROPS-NET-002 | Place the vRealize Operations Manager remote collector nodes on the local-instance NSX network segment. | Supports collection of metrics locally per VMware Cloud Foundation instance. | You must use an implementation of NSX-T Data Center to support this network configuration. |
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-NET-003 | In an environment with multiple VMware Cloud Foundation instances, place the vRealize Operations Manager remote collector nodes in each instance on the local-instance NSX segment. | Supports collection of metrics locally per VMware Cloud Foundation instance. | You must use an implementation of NSX-T Data Center to support this network configuration. |
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-NET-004 | Allocate statically assigned IP addresses and host names from the cross-instance NSX segment to the vRealize Operations Manager analytics cluster nodes and the NSX-T Data Center load balancer. | Ensures stability across the SDDC, and makes it simpler to maintain and easier to track. | Requires precise IP address management. |
| IOM-VROPS-NET-005 | Allocate statically assigned IP addresses and host names from the local-instance NSX segment to the vRealize Operations Manager remote collector nodes. | Ensures stability across the SDDC, and makes it simpler to maintain and easier to track. | Requires precise IP address management. |
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-NET-006 | In an environment with multiple VMware Cloud Foundation instances, allocate statically assigned IP addresses and host names from each local-instance NSX segment to the corresponding vRealize Operations Manager remote collector nodes in the instance. | Ensures stability across the SDDC, and makes it simpler to maintain and easier to track. | Requires precise IP address management. |
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-NET-007 | Configure forward and reverse DNS records for all vRealize Operations Manager nodes and for the NSX-T Data Center load balancer virtual IP address. | All nodes are accessible by using fully qualified domain names instead of by using IP addresses only. | You must provide DNS records for the vRealize Operations Manager nodes. |
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-NET-008 | Use the small-size load balancer that is configured by SDDC Manager on a dedicated NSX-T Data Center Tier-1 gateway in the management domain to load balance the clustered Workspace ONE Access nodes, to also load balance the connections across the vRealize Operations Manager analytics cluster members. | Required to deploy a vRealize Operations Manager analytics cluster deployment type with distributed user interface access across members. | You must use the NSX-T Data Center load balancer that is configured by SDDC Manager to support this network configuration. |
| IOM-VROPS-NET-009 | Do not use a load balancer for the vRealize Operations Manager remote collector nodes. | | None. |
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-NET-010 | Configure NTP on each vRealize Operations Manager node. | vRealize Operations Manager depends on time synchronization. | None. |
| IOM-VROPS-NET-011 | Configure the timezone of vRealize Operations Manager to use UTC. | You must use UTC to provide the integration with vRealize Automation, because vRealize Automation supports only UTC. | If you are in a timezone other than UTC, timestamps appear skewed. |
Life Cycle Management Design
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-LCM-001 | | | |
vRealize Operations Manager Design
| Design Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-CFG-019 | Configure a vCenter Server cloud account for each vCenter Server instance in the SDDC. | Provides the vRealize Operations Manager integration with and data collection from all vCenter Server instances in the SDDC. | The vCenter Server cloud account uses the administrator@vsphere.local user account for application-to-application communication from vRealize Operations Manager to vSphere. While you can update the cloud account to use a custom user, the password rotation feature in SDDC Manager for administrator@vsphere.local reverts the configuration. |
| IOM-VROPS-CFG-020 | Connect each VI workload domain to vRealize Operations Manager by using SDDC Manager. | SDDC Manager provides a workflow to add the VI workload domain vCenter Server cloud account in vRealize Operations Manager. | None. |
| IOM-VROPS-CFG-021 | Configure each vCenter Server cloud account to use the remote collector group for its VMware Cloud Foundation instance. | Local-instance components are configured to use the remote collector group. This configuration offloads data collection for local management components from the analytics cluster. | None. |
| IOM-VROPS-CFG-022 | Activate the vSAN integration in the vCenter Server cloud accounts. | Provides the vRealize Operations Manager integration with and data collection from all vSAN instances in the SDDC. | The vSAN adapter uses the administrator@vsphere.local user account for application-to-application communication from vRealize Operations Manager to vSphere. While you can update the adapter to use a custom user, the password rotation feature in SDDC Manager for administrator@vsphere.local reverts the configuration. |
| Design Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-CFG-023 | In an environment with multiple VMware Cloud Foundation instances, configure a vCenter Server cloud account for each vCenter Server instance in each VMware Cloud Foundation instance. | Provides the vRealize Operations Manager integration with and data collection from all vCenter Server instances in the SDDC. | None. |
| IOM-VROPS-CFG-024 | In an environment with multiple VMware Cloud Foundation instances, manually connect each VI workload domain in each additional VMware Cloud Foundation instance to vRealize Operations Manager. | vRealize Operations Manager is integrated with SDDC Manager only in the first VMware Cloud Foundation instance. | You must configure the cloud account manually. |
| IOM-VROPS-CFG-025 | In an environment with multiple VMware Cloud Foundation instances, configure each vCenter Server cloud account to use the remote collector group for its VMware Cloud Foundation instance. | Local-instance components are configured to use the remote collector group. This configuration offloads data collection for local management components from the analytics cluster. | None. |
| IOM-VROPS-CFG-026 | In an environment with multiple VMware Cloud Foundation instances, activate the vSAN integration in the vCenter Server cloud accounts. | Provides the vRealize Operations Manager integration with and data collection from all vSAN instances in the SDDC. | None. |
| Design Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-CFG-027 | Install the VMware Identity Manager management pack for vRealize Operations Manager. | Provides the ability of vRealize Operations Manager to communicate with Workspace ONE Access endpoints. The management pack is installed by SDDC Manager. | None. |
| IOM-VROPS-CFG-028 | Configure a VMware Identity Manager adapter instance for the clustered Workspace ONE Access instance. | Provides the vRealize Operations Manager integration with and data collection from the clustered Workspace ONE Access instance. The adapter is configured by SDDC Manager. | None. |
| IOM-VROPS-CFG-029 | Configure the clustered Workspace ONE Access adapter to use the default collector group. | Cross-instance components are configured to use the default collector group. | The load on the analytics cluster, though minimal, increases. |
| IOM-VROPS-CFG-030 | Configure an NSX-T adapter instance for each NSX Manager instance. | Provides the vRealize Operations Manager integration with and data collection from NSX-T Data Center. | In an environment with NSX-T Federation, only NSX-T Local Managers are supported at this time. |
| IOM-VROPS-CFG-031 | Configure each NSX-T adapter to use the remote collector group. | Local-instance components are configured to use the remote collector group. This offloads data collection for local management components from the analytics cluster. | None. |
| IOM-VROPS-CFG-032 | Install the SDDC Health management pack for vRealize Operations Manager. | Provides aggregated dashboards for VMware Cloud Foundation. | You must install the management pack manually. |
| IOM-VROPS-CFG-033 | Activate the native Ping management pack in vRealize Operations Manager. | Provides metrics on the availability of endpoints. | You must activate the management pack manually. |
| IOM-VROPS-CFG-034 | Add Ping adapters for the vRealize Operations Manager nodes. | Provides metrics on the availability of vRealize Operations Manager nodes. | You must add the adapter instances manually. |
| IOM-VROPS-CFG-035 | Configure each Ping adapter for the vRealize Operations Manager nodes to use the default collector group. | Cross-instance components are configured to use the default collector group. | The load on the analytics cluster, though minimal, increases. |
| IOM-VROPS-CFG-036 | Add a Ping adapter for the clustered Workspace ONE Access nodes. | Provides metrics on the availability of the clustered Workspace ONE Access nodes. | You must add the adapter instances manually. |
| IOM-VROPS-CFG-037 | Configure the Ping adapter for the clustered Workspace ONE Access nodes to use the default collector group. | Local-instance components are configured to use the remote collector group. | This configuration offloads data collection for local management components from the vRealize Operations Manager analytics cluster. |
Information Security and Access Design
| Design Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-SEC-001 | Activate vRealize Operations Manager integration with your corporate identity source by using the clustered Workspace ONE Access deployment. | Allows authentication, including multi-factor, to vRealize Operations Manager by using your corporate identity source. Allows authorization through the assignment of organization and cloud services roles to enterprise users and groups defined in your corporate identity source. | You must deploy and configure a Workspace ONE Access cluster to establish the integration between vRealize Operations Manager and your corporate identity sources. |
| IOM-VROPS-SEC-002 | Assign the default Administrator role in vRealize Operations Manager to an Active Directory security group. | Provides the following access control features: | You must maintain the life cycle and availability of the security group outside of the SDDC stack. |
| IOM-VROPS-SEC-003 | Assign the default ContentAdmin role in vRealize Operations Manager to an Active Directory security group. | Provides the following access control features: | You must maintain the life cycle and availability of the security group outside of the SDDC stack. |
| IOM-VROPS-SEC-004 | Assign the default ReadOnly role in vRealize Operations Manager to an Active Directory security group. | Provides the following access control features: | You must maintain the life cycle and availability of the security group outside of the SDDC stack. |
| Design Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-SEC-005 | Configure the endpoint of the NSX-T management pack for vRealize Operations Manager to use the NSX-T Data Center local system domain admin account. | Provides integration with and data collection from all NSX-T Data Center instances in the SDDC in vRealize Operations Manager. | You must manage the password life cycle of this endpoint. |
| IOM-VROPS-SEC-006 | Configure a Workspace ONE Access management pack adapter instance for the clustered Workspace ONE Access instance by using the local system domain admin account. | | You must manage the password life cycle of this endpoint. |
| Design Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-SEC-007 | Rotate the vRealize Operations Manager root password on a recurring or event-initiated schedule by using the SDDC Manager user interface or API. | | By using SDDC Manager, you manage the password change or automated password rotation schedule for the vRealize Operations Manager root account in accordance with your organizational policies and regulatory standards. |
| IOM-VROPS-SEC-008 | Rotate the vRealize Operations Manager admin password on a recurring or event-initiated schedule by using the SDDC Manager user interface or API. | | By using SDDC Manager, you manage the password change or automated password rotation schedule for the vRealize Operations Manager admin account in accordance with your organizational policies and regulatory standards. |
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-SEC-009 | Use a CA-signed certificate containing the analytics and remote collector nodes in the SAN attributes when deploying vRealize Operations Manager. | Configuring a CA-signed certificate ensures that the communication to the externally facing Web UI and API for vRealize Operations Manager, and cross-product communication, is encrypted. | |
| IOM-VROPS-SEC-010 | Use a SHA-2 or higher algorithm when signing certificates. | The SHA-1 algorithm is considered less secure and has been deprecated. | Not all certificate authorities support SHA-2. |
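Before importing a certificate, decisions IOM-VROPS-SEC-009 and IOM-VROPS-SEC-010 can be checked against the file itself: CA-signed, every analytics and remote collector node (plus the load balancer VIP) present as a DNS SAN entry, and a SHA-2 signature algorithm. The function below is an added example, not VMware's code; the node FQDNs are placeholders and the SAN parse assumes .NET renders entries as `DNS Name=`.

```powershell
# Added example (not VMware's code): pre-import check for IOM-VROPS-SEC-009 and SEC-010.
function Test-VropsCertificate {
    param(
        [Parameter(Mandatory)] [string]   $Path,           # PEM or DER encoded certificate file
        [Parameter(Mandatory)] [string[]] $RequiredNames   # analytics nodes, remote collectors, LB VIP
    )
    $cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $problems = [System.Collections.Generic.List[string]]::new()

    # SEC-010: accept only SHA-2 family signature algorithms, matched by OID so the check does
    # not depend on a friendly name. SHA-1 OIDs are deliberately absent from the list.
    # Note: RSASSA-PSS (1.2.840.113549.1.1.10) carries its hash in the parameters and is not matched here.
    $sha2Oids = @(
        '1.2.840.113549.1.1.11', '1.2.840.113549.1.1.12', '1.2.840.113549.1.1.13',  # sha256/384/512WithRSA
        '1.2.840.10045.4.3.2',   '1.2.840.10045.4.3.3',   '1.2.840.10045.4.3.4'     # ecdsa-with-SHA256/384/512
    )
    if ($cert.SignatureAlgorithm.Value -notin $sha2Oids) {
        $problems.Add("signature algorithm $($cert.SignatureAlgorithm.Value) is not SHA-2")
    }

    # SEC-009: a self-signed certificate is the appliance default, not a CA-signed one
    if ($cert.Subject -eq $cert.Issuer) { $problems.Add('certificate is self-signed') }

    # SEC-009: every node and the load balancer VIP must be present as a DNS SAN entry
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if (-not $san) {
        $problems.Add('no Subject Alternative Name extension')
    } else {
        $dnsNames = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
        $missing = $RequiredNames | Where-Object { $_.ToLowerInvariant() -notin @($dnsNames) }
        if ($missing) { $problems.Add("SAN is missing: $($missing -join ', ')") }
    }

    # Operational sanity check: do not import a certificate that is about to expire
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems.Add("expires $($cert.NotAfter)") }

    [pscustomobject]@{
        Subject   = $cert.Subject
        SigAlg    = $cert.SignatureAlgorithm.FriendlyName
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Placeholder FQDNs: three analytics nodes, two remote collectors and the load balancer VIP
Test-VropsCertificate -Path './vrops01.cer' -RequiredNames @(
    'vrops01.example.com',
    'vrops01a.example.com', 'vrops01b.example.com', 'vrops01c.example.com',
    'vropsrc01a.example.com', 'vropsrc01b.example.com'
)
```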
Solution Interoperability Design
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| IOM-VROPS-LOG-001 | Use the vRealize Log Insight content pack for vRealize Operations Manager. | Provides additional granular monitoring of the virtual infrastructure. The content pack for vRealize Operations Manager is installed by default in vRealize Log Insight. | None. |
| IOM-VROPS-LOG-002 | Configure the vRealize Log Insight agent for the vRealize Operations Manager nodes to forward logs to vRealize Log Insight in their corresponding VMware Cloud Foundation instance. | Simplifies configuration of log sources in the SDDC that are prepackaged with the vRealize Log Insight agent. | You must configure the vRealize Log Insight agent to forward logs to the vRealize Log Insight VIP. |
| IOM-VROPS-LOG-003 | Configure vRealize Operations Manager to send logs to the vRealize Log Insight cluster in the corresponding VMware Cloud Foundation instance. | Allows logs from vRealize Operations Manager to be forwarded to a vRealize Log Insight cluster. | None. |
| IOM-VROPS-LOG-004 | Communicate with vRealize Log Insight by using the default Ingestion API (cfapi) port. | Supports disaster recovery of vRealize Operations Manager in the SDDC. During the failover, the DNS records for vRealize Log Insight in Region A are updated to redirect to the instance in Region B to ensure the log collection remains operational. The | Transmission traffic for logs is not encrypted. |
| IOM-VROPS-LOG-005 | Configure a dedicated Photon OS agent group and assign the vRealize Operations Manager cluster and remote collector node FQDNs. | | Adds minimal load to the vRealize Log Insight cluster. |