Cloud accounts in VMware Aria Automation Assembler provide a centralized authentication mechanism to cloud resources. You configure the necessary permissions to collect data and deploy cloud templates to VMware Cloud Foundation instances.

Important:

This validated solution does not use the VMware Cloud Foundation cloud account type and the SDDC Manager integration. SDDC Manager does not manage NSX Federation and the associated NSX Global Manager instances. This solution is constructed to allow for extensibility to consume NSX Federation.

You create cloud accounts for the projects in which your organization's team members work. Resource information, such as network and security, compute, storage, and tags data, is collected from your cloud accounts.

For organizations that are distributed across multiple geographic regions, VMware Aria Automation connects to the cloud accounts directly by using HTTPS.

VMware Aria Automation connects to on-premises private cloud accounts, such as a VI workload domain that includes a vCenter Server and NSX Manager topology. You provide the details, such as the cloud account endpoint FQDN or IP address, user name, password, name, description, and capability tags.

VMware Aria Automation uses a custom vSphere role that grants a designated service account the permissions required to perform VMware Aria Automation operations on vCenter Server cloud accounts. You can use the same service account across all vCenter Server cloud accounts or a dedicated service account per workload domain. The role assigned to the service accounts for communication between VMware Aria Automation and the vCenter Server instances and NSX Manager clusters across the VMware Cloud Foundation instances grants only the least privilege and permission scope required for the private cloud integrations.

Important:

You must refine the scope of permissions for the service account used by the vCenter Server cloud account so that specific vSphere inventory objects are not visible to VMware Aria Automation, by setting the object permissions to No Access for the service account. This configuration ensures that VMware Aria Automation does not use the excluded vSphere inventory objects for workload placement or workload on-boarding. See Identity Management Design for Private Cloud Automation for VMware Cloud Foundation.

For example, set the No Access role for permissions on:

  • Virtual machine folders containing NSX Edge node virtual machines.

  • Local VMFS datastores or storage folders containing local VMFS datastores.

  • Read-only datastores or storage folders containing read-only datastores, for example, lcm-bundle-repo.
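The following PowerCLI script is an added example, not part of the VMware design guide, that audits and enforces the No Access restriction described above for the vCenter Server cloud account service account. The service account name, folder names and datastore names are hypothetical placeholders for a VI workload domain; it assumes VMware.PowerCLI is installed and a Connect-VIServer session to the workload domain vCenter Server already exists.

```powershell
# Added example: ensure the Aria Automation vSphere service account has the
# No Access role on inventory objects that must stay hidden from Aria Automation.
# Hypothetical values: service account, NSX Edge VM folder, local VMFS datastore.
$ServiceAccount     = 'rainpole\svc-vra-vsphere'                    # assumed principal
$ExcludedFolders    = @('sfo-w01-fd-edge')                          # assumed VM folder(s)
$ExcludedDatastores = @('sfo-w01-cl01-ds-local01', 'lcm-bundle-repo') # assumed datastores

# 'NoAccess' is the built-in vSphere system role shown as "No access" in the UI.
$NoAccess = Get-VIRole -Name 'NoAccess'

function Ensure-NoAccess {
    param(
        [Parameter(Mandatory)] $Entity,   # a VM folder or datastore object
        [switch] $AuditOnly               # report only, change nothing
    )
    # Keep only permissions defined directly on this object for the principal;
    # inherited permissions report the parent as their Entity.
    $existing = Get-VIPermission -Entity $Entity -Principal $ServiceAccount -ErrorAction SilentlyContinue |
        Where-Object { $_.Entity.Id -eq $Entity.Id }

    if ($existing -and $existing.Role -eq $NoAccess.Name -and $existing.Propagate) {
        Write-Host "OK       $($Entity.Name): No Access already set (propagating)"
        return
    }
    if ($AuditOnly) {
        Write-Host "MISSING  $($Entity.Name): No Access not set for $ServiceAccount"
        return
    }
    if ($existing) {
        # A different role is defined here for the principal: tighten it in place.
        Set-VIPermission -Permission $existing -Role $NoAccess -Propagate:$true | Out-Null
    } else {
        # Propagate so child objects (Edge VMs in the folder) inherit No Access.
        New-VIPermission -Entity $Entity -Principal $ServiceAccount -Role $NoAccess -Propagate:$true | Out-Null
    }
    Write-Host "FIXED    $($Entity.Name): No Access applied for $ServiceAccount"
}

foreach ($name in $ExcludedFolders) {
    Get-Folder -Type VM -Name $name | ForEach-Object { Ensure-NoAccess -Entity $_ }
}
foreach ($name in $ExcludedDatastores) {
    Get-Datastore -Name $name | ForEach-Object { Ensure-NoAccess -Entity $_ }
}
```

Run with `-AuditOnly` added to the `Ensure-NoAccess` calls to produce a report before changing any permissions.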

You can also configure VMware Aria Automation Assembler cloud accounts for public cloud services. VMware Aria Automation Assembler can collect infrastructure data from a configured public cloud, for example, VMware Cloud on AWS, Amazon Web Services, Microsoft Azure, and Google Compute Platform, and you can deploy cloud templates to one or more of the account regions in the public cloud-backed cloud account.

Table 1. Design Decisions on Cloud Accounts for VMware Aria Automation Assembler in VMware Aria Automation

Decision ID: PCA-VAA-CA-CFG-003

Design Decision: Add a cloud account for the vCenter Server instance for each VI workload domain in each VMware Cloud Foundation instance.

Design Justification: You can integrate the vCenter Server instance for each VI workload domain with VMware Aria Automation for provisioning.

Design Implication:

  • You must manage the cloud account credentials and the life cycle management of the related service accounts.

  • You must manage capability tags for the cloud account.

Decision ID: PCA-VAA-CA-CFG-004

Design Decision: Add a cloud account for the NSX Manager cluster for each VI workload domain in each VMware Cloud Foundation instance.

Note:

For an environment with NSX Federation, add a cloud account for each VI workload domain NSX Local Manager cluster.

Design Justification: You can integrate the NSX Manager cluster for one or more VI workload domains with VMware Aria Automation for provisioning.

Design Implication:

  • You must manage the cloud account credentials and the life cycle management of the related service accounts.

  • VMware Aria Automation supports adding more than one vCenter Server cloud account that shares an NSX Manager cluster. If you use an NSX Manager cluster for more than one vCenter Server cloud account, you must manage the NSX Manager-to-vCenter Server associations in the NSX Manager cloud accounts.

  • You must manage capability tags for the cloud account.

  • Each member of an NSX Manager cluster has scalability limits; the main limit is 199 concurrent API sessions. An NSX Manager cluster assigns the cluster VIP to a single NSX Manager cluster member at any given time, and all API requests from VMware Aria Automation are directed to this cluster member through the NSX cloud account. For environments that require a higher concurrent API session count, an external load balancer is required to distribute the API sessions across all NSX Manager cluster members for the workload domain.

Decision ID: PCA-VAA-CA-CFG-005

Design Decision: Use the default POLICY mode for each NSX Manager cloud account.

Design Justification:

  • Ensures that all NSX entities created by VMware Aria Automation use the Policy API instead of the legacy Manager API.

  • There is no migration path from MANAGER mode to POLICY mode.

Design Implication: None.

For information about the service accounts for the cloud accounts, see Service Accounts Design for Private Cloud Automation for VMware Cloud Foundation.