vSphere in a cloud software-defined data center like your VMware Cloud on AWS SDDC works in the same way that your on-premises vSphere does. In the SDDC, some vSphere components are owned and managed by VMware, so some on-premises administrative workflows that you're familiar with have differences or aren't needed.

What's Different in the Cloud?

For information about vSphere administration in VMware Cloud on AWS, you can refer to the vSphere Documentation, but you'll need to keep a few high-level differences in mind when reading those topics:
  • VMware Cloud on AWS users don't have physical access to ESXi host hardware and cannot log in to the ESXi host operating system. Procedures that require this kind of access are performed by VMware staff.
  • Global Permissions defined in your on-premises vCenter do not apply to objects that VMware manages for you, like SDDC hosts and datastores, so they aren't replicated from your on-premises vCenter to the vCenter in your cloud SDDC.
In addition to these high-level differences, many topics in the vSphere Documentation are written specifically for on-premises users, and don't include some of the information you need when using vSphere in the cloud SDDC. VMware Cloud on AWS also provides several ways for you to consolidate vSphere user account management so that you can view and manage users and resources from multiple vCenter instances through a single pane of glass.

Table 1. Topic Content Differences Between On-Premises and SDDC vSphere

Topic: vSphere Managed Inventory Objects
Highlights: Each VMware Cloud on AWS SDDC has a single data center named SDDC-Datacenter. The data center defines the namespace for networks and datastores. The names for these objects must be unique within a data center. You cannot have two datastores with the same name within a single data center. Virtual machines, templates, and clusters need not be unique within the data center, but must be unique within their folder.
VMware Cloud on AWS users don't have physical access to ESXi host hardware and cannot log in to the ESXi host operating system. Procedures that require this kind of access are performed by VMware staff.

Topic: Securing vCenter Server Systems
Highlights: In an on-premises SDDC, you are responsible for ensuring the security of your vCenter system. In VMware Cloud on AWS, VMware performs most of these tasks for you. You are responsible for following security best practices, especially for the VMs in your environment, and might want to be aware of some other aspects of vCenter and vCenter Single Sign-On such as password and lockout policies.

Topic: vSphere Authentication with vCenter Single Sign-On
Highlights: When you change the password for your SDDC from the vSphere Client, the new password is not synchronized with the password that is displayed on the Default vCenter Credentials page. That page shows only the default credentials. If you change the credentials, you are responsible for keeping track of the new password.

After installation, [email protected] has administrator access to both vCenter Single Sign-On and vCenter. That user can also add identity sources, set the default identity source, and set policies in the vmc.local domain. Certain management operations in the vmc.local domain are restricted to VMware Cloud on AWS operations staff.

Linking, Federation, and Federated Login

vSphere in VMware Cloud on AWS offers several ways for an administrator to simplify management of users and groups that need access to multiple vCenter instances, both on-premises and in the cloud.
  • Hybrid Linked Mode, which allows you to link your SDDC vCenter Server with an on-premises vCenter Single Sign-On domain. Hybrid Linked Mode links your on-premises SSO domain to the SSO domain in your SDDC vCenter, establishing a one-way trust relationship in which your VMware Cloud on AWS vCenter trusts your on-premises vSphere identity provider and any vCenter user who can authenticate on-premises is automatically authenticated in the SDDC.
  • Enterprise Federation with VMware Cloud Services and Federated Login for vCenter, which you can combine to consolidate SDDC vCenter account administration with VMware Cloud Services account administration and eliminate the need to manage a separate vSphere SSO domain.

A VMware Cloud on AWS organization that contains multiple SDDCs can use Hybrid Linked Mode, Enterprise Federation, and Federated Login backed by a single Active Directory domain (or other SAML 2.0-compliant IdP) in any combination. The trust chain established by Hybrid Linked Mode enables members of the CloudAdmin group in any vCenter to be treated as members of that group in any of the organization's other vCenters.
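
The following access-review sketch is an added example, not VMware code: it applies the CloudAdmin rule stated above to a constructed per-vCenter membership export and shows which principals hold CloudAdmin rights on a vCenter only through another vCenter, and where a revocation has to be made. The vCenter names, principal names, and the export format are hypothetical.

```python
"""Access-review aid for the CloudAdmin trust chain (added example)."""
from collections import defaultdict

# Constructed sample export: CloudAdmin members as defined locally in each
# SDDC vCenter of one organization. All names are hypothetical.
LOCAL_CLOUDADMIN = {
    "sddc-east-vc": {"CORP\\alice", "CORP\\vsphere-admins"},
    "sddc-west-vc": {"CORP\\alice", "CORP\\bob"},
    "sddc-eu-vc": {"CORP\\carol"},
}


def effective_cloudadmin(local_members):
    """Apply the rule from the text: a CloudAdmin member in any vCenter is
    treated as a member in every other vCenter of the organization."""
    everyone = set().union(*local_members.values())
    return {vc: set(everyone) for vc in local_members}


def inherited_only(local_members):
    """Per vCenter, map each principal that is NOT in the local CloudAdmin
    group to the vCenters whose local group grants it the role."""
    granted_by = defaultdict(set)
    for vc, members in local_members.items():
        for principal in members:
            granted_by[principal].add(vc)
    return {
        vc: {p: sorted(src) for p, src in granted_by.items() if p not in local}
        for vc, local in local_members.items()
    }


def removal_targets(local_members, principal):
    """vCenters whose local CloudAdmin group must be edited to revoke the
    principal everywhere; missing one leaves the access in place."""
    return sorted(vc for vc, m in local_members.items() if principal in m)


if __name__ == "__main__":
    for vc, extra in sorted(inherited_only(LOCAL_CLOUDADMIN).items()):
        for principal, sources in sorted(extra.items()):
            print(f"{vc}: {principal} is CloudAdmin via {', '.join(sources)}")
    print("Revoke CORP\\alice in:", removal_targets(LOCAL_CLOUDADMIN, "CORP\\alice"))
```

Reviewing only the local group of one vCenter understates who can administer it; the review has to cover the CloudAdmin group of every vCenter in the organization.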