For the design of the configuration of the ESXi hosts, consider boot options, user access, and the virtual machine swap configuration.

ESXi Hardware Requirements

For the ESXi hardware requirements, see Physical Design Fundamentals in ROBO.

ESXi Manual Install and Boot Options

You can install or boot ESXi from the following storage systems:

SATA disk drives

SATA disk drives connected behind supported SAS controllers or supported on-board SATA controllers.

Serial-attached SCSI (SAS) disk drives

Supported for ESXi installation

SAN

Dedicated SAN disk on Fibre Channel or iSCSI.

USB devices

Supported for ESXi installation. Use a 16-GB SD card or larger.

FCoE

Dedicated FCoE LUN. You can use a VMware software FCoE adapter and a network adapter with FCoE capabilities. A dedicated FCoE HBA is not required.

ESXi can boot from a disk larger than 2 TB if the system firmware and the firmware on any add-in card support it. See the vendor documentation.

ESXi Boot Disk and Scratch Configuration

For new installations of ESXi, the installer creates a 4 GB VFAT scratch partition. ESXi uses this scratch partition to store log files persistently. By default, the vm-support output, which is used by VMware to troubleshoot issues on the ESXi host, is also stored on the scratch partition.

An ESXi installation on a USB media does not configure a default scratch partition. Specify a scratch partition on a shared datastore and configure remote syslog logging for the ESXi host.

Table 1. Design Decision on the ESXi Boot Disk

Decision ID

Design Decision

Design Justification

Design Implication

ROBO-VI-ESXi-001

Install and configure all ESXi hosts to boot using an SD device of 16 GB or greater.

SD cards are an inexpensive and easy to configure as an option for installing ESXi.

Using SD cards allows allocation of all local HDDs to a vSAN storage system.

When you use SD cards, ESXi logs are not retained locally.

ESXi Host Access

After installation, you add ESXi hosts to a vCenter Server system and manage them by using the vCenter Server system.

Direct access to the host console is still available and most commonly used for troubleshooting purposes. You can access ESXi hosts directly using one of these three methods:

Direct Console User Interface (DCUI)

Graphical interface on the console. Provides basic administrative controls and troubleshooting options.

ESXi Shell

A Linux-style bash login on the ESXi console itself.

Secure Shell (SSH) Access

Remote command-line console access.

VMware Host Client

HTML5-based client that has a similar interface to the vSphere Web Client but for managing individual ESXi hosts only. You use the VMware Host Client for emergency management when vCenter Server is temporarily unavailable

You can enable or disable each method. By default, the ESXi Shell and SSH are disabled to protect the ESXi host. The DCUI is disabled only if Strict Lockdown Mode is enabled.

ESXi User Access

By default, root is the only user who can log in to an ESXi host directly. However, you can add ESXi hosts to an Active Directory domain. After the ESXi host has been added to an Active Directory domain, you can grant access through Active Directory groups. Auditing logins in to the ESXi host also becomes easier.

Table 2. Design Decisions on ESXi User Access

Decision ID

Design Decision

Design Justification

Design Implication

ROBO-VI-ESXi-002

Add each ESXi host to the Active Directory domain.

Using Active Directory membership provides greater flexibility in granting access to ESXi hosts.

Ensuring that users log in with a unique user account provides greater visibility for auditing.

Adding ESXi hosts to the domain can add some administrative overhead.

ROBO-VI-ESXi-003

Change the default ESX Admins group to the SDDC-Admins Active Directory group. Add ESXi administrators to the SDDC-Admins group following standard access procedures.

Having an SDDC-Admins group is more secure because it removes a known administrative access point. In addition, you can separate management tasks using different groups.

Additional changes to the ESXi hosts advanced settings are required.

Virtual Machine Swap Configuration

When a virtual machine is powered on, the system creates a VMkernel swap file to serve as a backing store for the contents of the virtual machine's RAM. The default swap file is stored in the same location as the configuration file of the virtual machine. The colocation simplifies the configuration, however, it can cause an excess of replication traffic that is not needed.

You can reduce the amount of traffic that is replicated by changing the default swap file location to a user-configured location on the ESXi host. However, it can take longer to perform vSphere vMotion operations when the swap file must be recreated.

ESXi Design Decisions about NTP and Lockdown Mode Configuration

Table 3. Other Design Decisions on the ESXi Host Configuration

Decision ID

Design Decision

Design Justification

Design Implication

ROBO-VI-ESXi-004

Configure all ESXi hosts to synchronize time with the central NTP servers.

The deployment of vCenter Server Appliance on an ESXi host might fail if the host is not using NTP.

All firewalls located between the ESXi host and the NTP servers must allow NTP traffic on the required network ports.

ROBO-VI-ESXi-005

Enable Lockdown mode on all ESXi hosts.

You increase the security of ESXi hosts by requiring that administrative operations be performed only from vCenter Server.

Lockdown mode settings are not part of vSphere host profiles and must be manually enabled on all hosts.