The vCenter Server design covers every vCenter Server instance in the environment. For this design, determine the number of instances, their sizes, networking configuration, cluster layout, redundancy, and security configuration.
A vCenter Server deployment can consist of two or more vCenter Server instances according to the scale, number of VMs, and continuity requirements for your environment.
Protecting the vCenter Server system is important because it is the central point of management and monitoring. You can protect vCenter Server according to the maximum downtime tolerated. The following methods are available to protect a vCenter Server instance:
- Automated protection using vSphere HA
- Automated protection using vCenter Server HA
Attribute | Specification
---|---
Appliance Size | Small (up to 100 hosts or 1,000 VMs)
Number of vCPUs | 4
Memory | 19 GB
Disk Space | 528 GB

Attribute | Specification
---|---
Appliance Size | Large (up to 1,000 hosts or 10,000 VMs)
Number of vCPUs | 16
Memory | 37 GB
Disk Space | 1,113 GB
TLS Certificates in vCenter Server
By default, vSphere uses TLS/SSL certificates that are signed by the VMware Certificate Authority (VMCA). Because the VMCA root is not in the trust stores of end-user devices or browsers, these certificates are not trusted by them.
As a security best practice, replace at least all user-facing certificates with certificates that are signed by a third-party or enterprise Certificate Authority (CA).
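The following script is an added example and is not part of the design guide or VMware's own tooling. It audits a vCenter machine certificate that has been exported to PEM against the two points made in this section and in the recommendations below: the signature must use a SHA-2 family digest, and the certificate must not be a self-signed or default-style certificate (issuer identical to subject). It assumes the `openssl` CLI is installed; the file names, the sample subject `vcenter.example.local`, and the generated self-signed certificate are constructed here purely as test input.

```shell
#!/bin/sh
# Added example (not from the design guide): audit a vCenter machine certificate
# exported as PEM. Checks two things the design calls for:
#   1. the signature hash is SHA-2 (SHA-1 signatures are flagged for replacement),
#   2. the certificate is not self-signed (issuer differs from subject).
# Requires the openssl CLI. All file names and the sample subject are constructed.

set -eu

# Return 0 if the signature algorithm name uses a SHA-2 family digest.
sig_alg_ok() {
    case "$1" in
        *sha256*|*sha384*|*sha512*|*SHA256*|*SHA384*|*SHA512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the signature algorithm of a PEM certificate, e.g. "sha256WithRSAEncryption".
sig_alg_of() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 if issuer and subject differ, i.e. the certificate is not self-signed.
not_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    subject=$(openssl x509 -in "$1" -noout -subject)
    [ "${issuer#issuer=}" != "${subject#subject=}" ]
}

# Overall verdict: 0 = acceptable for a user-facing endpoint, 1 = needs replacement.
audit_cert() {
    alg=$(sig_alg_of "$1")
    ok=0
    if sig_alg_ok "$alg"; then
        echo "signature: $alg (SHA-2, ok)"
    else
        echo "signature: $alg (weak digest, replace)"
        ok=1
    fi
    if not_self_signed "$1"; then
        echo "issuer differs from subject (ok)"
    else
        echo "self-signed or default certificate (replace with CA-signed)"
        ok=1
    fi
    return $ok
}

# Constructed sample: a self-signed SHA-256 certificate standing in for a default
# machine certificate. It passes the digest check but fails the issuer check.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=vcenter.example.local" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Usage: pass the path of an exported certificate, or run against the sample.
cert=$(make_sample_cert)
if audit_cert "$cert"; then
    echo "verdict: keep"
else
    echo "verdict: replace"
fi
```

To audit a real instance, export the machine certificate presented on port 443 to a PEM file and call `audit_cert` on that file; a certificate that was replaced as recommended will report an issuer that differs from the subject and a SHA-2 signature.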
Design Recommendation | Design Justification | Design Implication
---|---|---
Deploy two vCenter Servers: one to support the management workloads and another to support the compute workloads. | | Requires licenses for each vCenter Server instance.
Protect all vCenter Servers by using vSphere HA. | Supports the availability objectives for the vCenter Servers without manual intervention during a failure event. | vCenter Server becomes unavailable during the vSphere HA failover.
Replace the vCenter Server machine certificate with a certificate signed by a third-party Public Key Infrastructure. | | Replacing and managing certificates is an operational overhead.
Use an SHA-2 or higher algorithm when signing certificates. | The SHA-1 algorithm is considered less secure and is deprecated. | Not all certificate authorities support SHA-2.