After you implement the Private Cloud Automation for VMware Cloud Foundation validated solution, configure both monitoring and alerting for the vRealize Automation components in the VMware Cloud Foundation environment.

For validated monitoring solutions, see VMware Cloud Foundation Validated Solutions.

If vRealize Operations Manager is integrated into your VMware Cloud Foundation system, you can use vRealize Operations Manager to direct workload placement and assign the pricing policies for the monetary impact of deployments and their resources. You can also use vRealize Operations Manager to display metrics, insights, optimization opportunities, and alerts in vRealize Automation.

Additionally, you can activate the native integration to vRealize Automation from vRealize Operations Manager to provide the ability to monitor the health, efficiency, and capacity risks associated with vRealize Automation. You can use the integration to:

  • View the performance and health of vRealize Automation objects in vRealize Operations Manager.

  • Troubleshoot vSphere, vSAN, and NSX-T Data Center issues associated with vRealize Automation cloud accounts.

Table 1. Design Decisions on Monitoring and Alerting for Private Cloud Automation

PCA-VRA-MON-001

  Design Decision: Configure the vRealize Automation integration in vRealize Operations Manager.

  Design Justification:

    • Provides the ability to share common constructs, such as cloud accounts, cloud zones, and projects, across vRealize Operations Manager and vRealize Automation.

    • Provides the ability to understand the deployment cost.

      • Evaluate upfront costs on vRealize Automation.

      • Monitor ongoing costs per virtual machine, deployment, or project.

  Design Implication: You must manage the password life cycle of this endpoint.

PCA-VRA-MON-002

  Design Decision: Configure the vRealize Automation integration in vRealize Operations Manager to use the default collector group.

  Design Justification: Cross-instance components are configured to use the default collector group.

  Design Implication: The load on the analytics cluster, though minimal, increases.

PCA-VRA-MON-003

  Design Decision: Add an integration in Cloud Assembly for vRealize Operations Manager deployment.

  Design Justification:

    • You can use data from vRealize Operations Manager in vRealize Automation to display live vSphere-based virtual machine metrics for CPU, memory, storage IOPS, and network MBps after placement. Metrics for the past day, week, or month are available.

    • You can use data from vRealize Operations Manager in vRealize Automation to apply and display the cost estimation at the time of deployment and over time.

  Design Implication:

    • When configuring the integration, you must use a service account that is created for application-to-application integration for vRealize Automation to vRealize Operations Manager.

    • When the service account password is updated, you must manage the service account password in the integration configuration.

    • You must configure vRealize Operations Manager with vRealize Automation to ensure that both applications are set to the same time zone. vRealize Automation uses only UTC.

    • You must configure vRealize Operations Manager with a currency setting to consume the vRealize Operations Manager cost engine for vRealize Automation cost estimation.

    • The vRealize Operations Manager integration is not used for workload placement in this design. The integration does not support resource pools in vCenter Server or vSAN datastores for workload placement.

    • Project costs include only the costs for private cloud workloads. If a project contains deployments that belong to public clouds, the costs for these deployments are not included in the project cost.

PCA-VRA-MON-004

  Design Decision: Use the ADVANCED placement policy for each vRealize Automation cloud zone that is monitored by vRealize Operations Manager.

  Design Justification: By default, the workload placement evaluation uses the vRealize Operations Manager recommendation.

  Design Implication:

    • You must integrate vRealize Automation with vRealize Operations Manager in Cloud Assembly.

    • The ADVANCED option for vRealize Operations Manager does not support workload placement when resource pools in vCenter Server for workload placement are in use. If resource pools must be activated in a workload domain, the workload placement falls back to the DEFAULT placement policy. By default, all vSphere clusters have the vSphere Distributed Resource Scheduler activated to optimize initial and ongoing workload placement within a cluster.

PCA-VRA-MON-005

  Design Decision: Add a Ping adapter for the vRealize Automation cluster nodes.

  Design Justification: Provides metrics on the availability of vRealize Automation nodes.

  Design Implication: You must add the adapter instances manually.

You configure the account associated with vRealize Automation for activating the vRealize Operations Manager direct integration with vRealize Automation.

Table 2. Design Decision on Service Accounts for Monitoring and Alerting for Private Cloud Automation

PCA-VRA-MON-006

  Design Decision: Assign the Organization Owner default role and the Cloud Assembly administrator service role to an enterprise directory service account user for the application-to-application communication from vRealize Operations to vRealize Automation.

  Design Justification: Provides the following access control features:

    • vRealize Operations accesses vRealize Automation with the minimum set of required permissions for the integration.

    • If there is a compromised account, the accessibility in the destination application remains restricted.

    • You can introduce improved accountability in tracking request-response interactions between the vRealize Operations and vRealize Automation integration.

  Design Implication: None.

PCA-VRA-MON-007

  Design Decision: Assign the ReadOnly role to an Active Directory user account as an integration account for the application-to-application communication from vRealize Automation to vRealize Operations Manager.

  Design Justification: Provides the following access control features:

    • vRealize Automation integrates vRealize Operations Manager with the minimum set of required permissions.

    • If there is a compromised account, the accessibility in the destination application remains restricted.

    • You can introduce improved accountability in tracking request-response interactions between vRealize Automation and vRealize Operations Manager.

  Design Implication:

    • You must maintain the life cycle, availability, and security controls for the account in Active Directory.

    • You must maintain the synchronization and availability of the service account in Workspace ONE Access and vRealize Operations Manager.

    • You must use the format of user@domain@source when configuring the integration to use a service account backed by Workspace ONE Access. For example, svc-vra-vrops@sfo.rainpole.io@WorkspaceONE.

Important:

This solution uses Active Directory over LDAP with SSL as the identity provider through Workspace ONE Access.

If Active Directory Federation Services (ADFS) is used as an identity provider for vRealize Operations Manager, vRealize Automation cannot authenticate to vRealize Operations Manager. API-based logins to a system that uses a third-party identity provider, for example, ADFS with Workspace ONE Access, are subject to a limitation: the user name and password cannot be sent over SAML to the identity provider for authentication.
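The implications of PCA-VRA-MON-003 and PCA-VRA-MON-007 and the ADFS limitation can be checked together before you save the integration. The following sketch is an added example, not VMware code: the IntegrationAccount record and its field names are hypothetical, and the sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class IntegrationAccount:          # hypothetical record; field names are assumptions
    login: str                     # value entered in the Cloud Assembly integration
    roles: frozenset               # roles held in vRealize Operations Manager
    identity_provider: str         # directory behind Workspace ONE Access
    vrops_timezone: str
    vrops_currency: Optional[str]

REQUIRED_ROLE = "ReadOnly"         # PCA-VRA-MON-007

def parse_login(login):
    """Split user@domain@source; exactly three non-empty parts are accepted."""
    parts = login.split("@")
    if len(parts) != 3 or not all(p.strip() for p in parts):
        raise ValueError("expected user@domain@source")
    return tuple(parts)

def audit(acct):
    """Return a list of (check, detail) findings; an empty list means compliant."""
    findings = []
    try:
        parse_login(acct.login)
    except ValueError as exc:
        findings.append(("login-format", f"{acct.login!r}: {exc}"))
    extra = sorted(set(acct.roles) - {REQUIRED_ROLE})
    if extra:  # anything beyond ReadOnly widens the impact of a compromised account
        findings.append(("excess-roles", ", ".join(extra)))
    if REQUIRED_ROLE not in acct.roles:
        findings.append(("missing-role", REQUIRED_ROLE))
    if acct.identity_provider.strip().upper() == "ADFS":
        findings.append(("identity-provider", "API logins cannot pass through SAML to ADFS"))
    if acct.vrops_timezone != "UTC":  # vRealize Automation uses only UTC
        findings.append(("timezone", f"{acct.vrops_timezone} differs from UTC"))
    if not acct.vrops_currency:
        findings.append(("currency", "no currency set for the cost engine"))
    return findings

if __name__ == "__main__":
    # Constructed sample records, not taken from a real environment.
    ok = IntegrationAccount("svc-vra-vrops@sfo.rainpole.io@WorkspaceONE",
                            frozenset({"ReadOnly"}), "AD-LDAPS", "UTC", "USD")
    bad = IntegrationAccount("svc-vra-vrops@sfo.rainpole.io",
                             frozenset({"ReadOnly", "Administrator"}), "ADFS",
                             "America/Los_Angeles", None)
    for acct in (ok, bad):
        print(acct.login, audit(acct))
```

An empty result means that the record satisfies every check. Each finding names the design implication that the record violates.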

Prerequisites

Verify that vRealize Operations Manager is deployed and operational in a logical environment in VMware Cloud Foundation mode, using the corresponding vRealize Suite Lifecycle Manager instance.