vCenter Server Design

The vCenter Server design includes the design for all the vCenter Server instances. For this design, determine the number of instances, their sizes, networking configuration, vSphere cluster layout, redundancy, and security configuration.

A vCenter Server deployment can consist of one or more vCenter Server instances according to the scale, number of VMs, and continuity requirements for your environment.

You can install vCenter Server as a Windows-based system or deploy the Linux-based VMware vCenter Server Appliance. The Linux-based vCenter Server Appliance is preconfigured. It enables fast deployment, and potentially results in reduced Microsoft licensing costs.

Note:

vSphere 6.7 is the last release to support the Windows-based vCenter Server.

You must protect the vCenter Server system as it is the central point of management and monitoring. You can protect vCenter Server according to the maximum downtime tolerated and whether the failover automation is required. Use the following methods to protect the vCenter Server instances on Windows and the vCenter Server Appliance:

Table 1. Methods for Protecting vCenter Server
Redundancy Method	Protects vCenter Server (Windows)	Protects vCenter Server (Virtual Appliance)
Automated protection using vSphere HA	Yes	Yes
Manual configuration and manual failover, for example, cold standby.	Yes	Yes
vCenter Server HA	Not Available	Yes

vCenter Server Sizing

You can size the resources and storage for the Management vCenter Server Appliance and the Compute vCenter Server Appliance according to the expected number of VMs in the environment.

Table 2. Recommended Sizing for Management vCenter Servers
Attribute	Specification
Physical or virtual system	Virtual (vCenter Server Appliance)
Appliance Size	Small (up to 100 hosts or 1,000 VMs)
Platform Services Controller	Embedded
Number of vCPUs	4
Memory	16 GB
Disk Space	340 GB

Table 3. Recommended Sizing for Compute vCenter Servers
Attribute	Specification
Physical or virtual system	Virtual (vCenter Server Appliance)
Appliance Size	Large (up to 1,000 hosts or 10,000 VMs)
Platform Services Controller	Embedded
Number of vCPUs	16
Memory	32 GB
Disk Space	740 GB

Note:

vSphere 6.7 is the last release to support External Platform Service Controllers.

TLS Certificates in vCenter Server

By default, vSphere uses TLS/SSL certificates that are signed by VMware Certificate Authority (VMCA). These certificates are not trusted by end-user devices or browsers.

As a security best practice, replace at least all user-facing certificates with certificates that are signed by a third-party or enterprise Certificate Authority (CA). Certificates for VM-to-VM communication can remain VMCA-signed.

Table 4. Recommended vCenter Server Design
Design Decision	Design Justification	Design Implication
Deploy two vCenter Server systems with embedded Platform Services Controllers. One vCenter Server supports the management workloads. Another vCenter Server supports the compute workloads.	Isolates the vCenter Server failures to the management or compute workloads. Isolates vCenter Server operations between the management and compute workloads. Supports a scalable vSphere cluster design where you might reuse the management components as more compute workload domains are added. Simplifies capacity planning for compute workloads because you do not consider management workloads for the Compute vCenter Server. Improves the ability to upgrade the vSphere environment and related components by the separation of maintenance windows. Supports separation of roles and responsibilities to ensure that only administrators with proper authorization can attend to the management workloads. Facilitates quicker troubleshooting and problem resolution.	Requires licenses for each vCenter Server instance.
Deploy all vCenter Server instances as Linux-based vCenter Server Appliances.	Supports fast deployment, enables scalability, and reduces Microsoft licensing costs.	Operational staff needs Linux experience to troubleshoot the Linux-based appliances.
Protect all vCenter Servers and Platform Services Controller appliances by using vSphere HA.	Supports the availability objectives for vCenter Server appliances without the required manual intervention during a failure event.	vCenter Server becomes unavailable during the vSphere HA failover.
Replace the vCenter Server machine certificate with a certificate signed by a third-party Public Key Infrastructure.	Infrastructure administrators connect to the vCenter Server instances using a Web browser to perform configuration, management, and troubleshooting. The default certificate results in certificate warning messages.	Replacing and managing certificates is an operational overhead.
Use an SHA-2 or higher algorithm when signing certificates.	The SHA-1 algorithm is considered less secure and is deprecated.	Not all certificate authorities support SHA-2.