The ESXi design includes design decisions for boot options, user access, and the virtual machine swap configuration.

ESXi Hardware Requirements

You can find the ESXi hardware requirements in Physical Design Fundamentals for Consolidated SDDC. The following sections outline the design of the ESXi configuration.

ESXi Manual Install and Boot Options

You can install or boot ESXi 6.5 from the following storage systems:

SATA disk drives

SATA disk drives connected behind supported SAS controllers or supported on-board SATA controllers.

Serial-attached SCSI (SAS) disk drives

Supported for installing ESXi.


Dedicated SAN disk on Fibre Channel or iSCSI.

USB devices

Supported for ESXi installation. 16 GB or larger SD card is recommended.


(Software Fibre Channel over Ethernet)

ESXi can boot from a disk larger than 2 TB if the system firmware and the firmware on any add-in card support it. See the vendor documentation.

ESXi Boot Disk and Scratch Configuration

For new installations of ESXi, the installer creates a 4 GB VFAT scratch partition. ESXi uses this scratch partition to store log files persistently. By default, the vm-support output, which is used by VMware to troubleshoot issues on the ESXi host, is also stored on the scratch partition.

An ESXi installation on USB media does not configure a default scratch partition. Specify a scratch partition on a shared datastore and configure remote syslog logging for the ESXi host.

Table 1. ESXi Boot Disk Design Decision

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| | Install and configure all ESXi hosts to boot using an SD device of 16 GB or greater. | SD cards are an inexpensive and easy to configure option for installing ESXi. Using SD cards allows allocation of all local HDDs to a VMware vSAN storage system. | When you use SD cards, ESXi logs are not retained locally. |
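
One way to apply the scratch and remote syslog guidance for SD-booted hosts with VMware PowerCLI, as an added example that is not part of the original design document. The vCenter name, datastore name, and syslog target are placeholders, and hosts are assumed to be registered by FQDN so that the short name is unique.

```powershell
# Added example. Assumptions: vCenter 'vcenter.example.local', shared datastore
# 'shared-ds01', and syslog collector 'udp://syslog.example.local:514'.
Connect-VIServer -Server 'vcenter.example.local' | Out-Null

$datastore  = Get-Datastore -Name 'shared-ds01'
$syslogHost = 'udp://syslog.example.local:514'

# Mount the datastore as a PowerShell drive to create per-host directories.
New-PSDrive -Name scratch -PSProvider VimDatastore -Root '\' -Location $datastore | Out-Null

foreach ($vmhost in Get-VMHost) {
    $dir = '.locker-' + $vmhost.Name.Split('.')[0]
    if (-not (Test-Path "scratch:\$dir")) {
        New-Item -Path "scratch:\$dir" -ItemType Directory | Out-Null
    }

    # Persistent scratch location; the host uses it after the next reboot.
    Get-AdvancedSetting -Entity $vmhost -Name 'ScratchConfig.ConfiguredScratchLocation' |
        Set-AdvancedSetting -Value "/vmfs/volumes/$($datastore.Name)/$dir" -Confirm:$false | Out-Null

    # Remote syslog target, outbound firewall rule, then reload the syslog daemon.
    Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost' |
        Set-AdvancedSetting -Value $syslogHost -Confirm:$false | Out-Null
    Get-VMHostFirewallException -VMHost $vmhost -Name 'syslog' |
        Set-VMHostFirewallException -Enabled:$true | Out-Null
    (Get-EsxCli -VMHost $vmhost -V2).system.syslog.reload.Invoke() | Out-Null
}

Remove-PSDrive -Name scratch

# Report configured versus active values; they differ until the host reboots.
Get-VMHost | Select-Object Name,
    @{N='ScratchConfigured'; E={ (Get-AdvancedSetting -Entity $_ -Name 'ScratchConfig.ConfiguredScratchLocation').Value }},
    @{N='ScratchActive';     E={ (Get-AdvancedSetting -Entity $_ -Name 'ScratchConfig.CurrentScratchLocation').Value }},
    @{N='SyslogHost';        E={ (Get-AdvancedSetting -Entity $_ -Name 'Syslog.global.logHost').Value }}
```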

ESXi Host Access

After installation, ESXi hosts are added to a vCenter Server system and managed through that vCenter Server system.

Direct access to the host console is still available and most commonly used for troubleshooting purposes. You can access ESXi hosts directly using one of these three methods:

Direct Console User Interface (DCUI)

Graphical interface on the console. Allows basic administrative controls and troubleshooting options.

ESXi Shell

A Linux-style bash login on the ESXi console itself.

Secure Shell (SSH) Access

Remote command-line console access.

VMware Host Client

HTML5-based client that has a similar interface to the vSphere Web Client but is only used to manage single ESXi hosts. You use the VMware Host Client to conduct emergency management when vCenter Server is temporarily unavailable.

You can enable or disable each method. By default, the ESXi Shell and SSH are disabled to secure the ESXi host. The DCUI is disabled only if Strict Lockdown Mode is enabled.

ESXi User Access

By default, root is the only user who can log in to an ESXi host directly. However, you can add ESXi hosts to an Active Directory domain. After the ESXi host has been added to an Active Directory domain, access can be granted through Active Directory groups. Auditing log-ins into the ESXi host also becomes easier.

Table 2. ESXi User Access Design Decisions

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| | Add each ESXi host to the Active Directory domain. | Using Active Directory membership allows greater flexibility in granting access to ESXi hosts. Ensuring that users log in with a unique user account allows greater visibility for auditing. | Adding ESXi hosts to the domain can add some administrative overhead. |
| | Change the default ESX Admins group to the SDDC-Admins Active Directory group. Add ESXi administrators to the SDDC-Admins group following standard access procedures. | Having an SDDC-Admins group is more secure because it removes a known administrative access point. In addition, different groups allow for the separation of management tasks. | Additional changes to the ESXi hosts advanced settings are required. |
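
The two user access decisions above, applied with VMware PowerCLI as an added example that is not part of the original design document. The domain name is a placeholder, and the advanced setting shown is the ESXi key that holds the administrators group name.

```powershell
# Added example. Assumptions: AD domain 'sddc.example.local' and an existing
# Connect-VIServer session; SDDC-Admins is the group named in the design decision.
$domain     = 'sddc.example.local'
$adminGroup = 'SDDC-Admins'
$groupKey   = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$joinCred   = Get-Credential -Message "Account allowed to join hosts to $domain"

foreach ($vmhost in Get-VMHost) {
    # Set the group first so the host looks up SDDC-Admins, not the default
    # 'ESX Admins' group, once it is a domain member.
    Get-AdvancedSetting -Entity $vmhost -Name $groupKey |
        Set-AdvancedSetting -Value $adminGroup -Confirm:$false | Out-Null

    # Join only hosts that are not already members of the target domain.
    $auth = Get-VMHostAuthentication -VMHost $vmhost
    if ($auth.Domain -ne $domain) {
        $auth | Set-VMHostAuthentication -JoinDomain -Domain $domain `
            -Credential $joinCred -Confirm:$false | Out-Null
    }
}

# Review the result: a host with no domain or a different group needs attention.
Get-VMHost | Select-Object Name,
    @{N='Domain';     E={ (Get-VMHostAuthentication -VMHost $_).Domain }},
    @{N='Membership'; E={ (Get-VMHostAuthentication -VMHost $_).DomainMembershipStatus }},
    @{N='AdminGroup'; E={ (Get-AdvancedSetting -Entity $_ -Name $groupKey).Value }}
```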

Virtual Machine Swap Configuration

When a virtual machine is powered on, the system creates a VMkernel swap file to serve as a backing store for the virtual machine's RAM contents. The default swap file is stored in the same location as the virtual machine's configuration file. This simplifies the configuration; however, it can cause excess replication traffic that is not needed.

You can reduce the amount of traffic that is replicated by changing the swap file location to a user-configured location on the ESXi host. However, it can take longer to perform VMware vSphere vMotion® operations when the swap file has to be recreated.

ESXi Design Decisions about NTP and Lockdown Mode Configuration

Table 3. Other ESXi Host Design Decisions

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| | Configure all ESXi hosts to synchronize time with the central NTP servers. | Required because the deployment of vCenter Server Appliance on an ESXi host might fail if the host is not using NTP. | All firewalls located between the ESXi host and the NTP servers have to allow NTP traffic on the required network ports. |
| | Enable Lockdown mode on all ESXi hosts. | Increases the security of ESXi hosts by requiring that administrative operations be performed only from vCenter Server. | Lockdown mode settings are not part of Host Profiles and must be manually enabled on all hosts. |
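
Because lockdown mode has to be set on every host individually, a script keeps the hosts consistent. The following VMware PowerCLI sketch is an added example, not part of the original design document; the NTP server names are placeholders, and normal (not strict) lockdown mode is an assumption because the decision does not name a level.

```powershell
# Added example. Assumptions: NTP servers 'ntp1.example.local' and
# 'ntp2.example.local', a Connect-VIServer session to vCenter (lockdown mode
# requires vCenter-managed hosts), and normal rather than strict lockdown.
$ntpServers = 'ntp1.example.local', 'ntp2.example.local'

foreach ($vmhost in Get-VMHost) {
    # NTP: add missing servers, open the firewall rule, start ntpd now and at boot.
    $current = @(Get-VMHostNtpServer -VMHost $vmhost)
    $ntpServers | Where-Object { $_ -notin $current } |
        ForEach-Object { Add-VMHostNtpServer -VMHost $vmhost -NtpServer $_ | Out-Null }
    Get-VMHostFirewallException -VMHost $vmhost -Name 'NTP Client' |
        Set-VMHostFirewallException -Enabled:$true | Out-Null
    $ntpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
    Set-VMHostService -HostService $ntpd -Policy On | Out-Null
    if (-not $ntpd.Running) { Start-VMHostService -HostService $ntpd | Out-Null }

    # Lockdown mode is not carried by Host Profiles, so set it host by host.
    $hostView = $vmhost.ExtensionData
    if ($hostView.Config.LockdownMode -eq 'lockdownDisabled') {
        $accessMgr = Get-View -Id $hostView.ConfigManager.HostAccessManager
        $accessMgr.ChangeLockdownMode('lockdownNormal')
    }
}

# Audit: list every host with its NTP, lockdown, and shell service state.
Get-VMHost | ForEach-Object {
    $services = Get-VMHostService -VMHost $_
    [pscustomobject]@{
        Host         = $_.Name
        NtpServers   = (Get-VMHostNtpServer -VMHost $_) -join ','
        NtpdRunning  = ($services | Where-Object Key -eq 'ntpd').Running
        Lockdown     = $_.ExtensionData.Config.LockdownMode
        ShellRunning = ($services | Where-Object Key -eq 'TSM').Running
        SshRunning   = ($services | Where-Object Key -eq 'TSM-SSH').Running
    }
}
```

Run the audit portion on a schedule as well: a host that reports `lockdownDisabled`, or a running `TSM` or `TSM-SSH` service outside a troubleshooting window, has drifted from this design.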