Management applications, such as VMware vRealize Automation, VMware vRealize Operations Manager, or VMware vRealize Orchestrator, leverage a traditional 3-tier client-server architecture with a presentation tier (user interface), functional process logic tier, and data tier. This architecture requires a load balancer for presenting end-user facing services.

Table 1. Design Decisions on Isolating Management Applications

Decision ID: SDDC-VI-SDN-042

Design Decision: Place the following management applications on an application virtual network.
  • Update Manager Download Service
  • vRealize Suite Lifecycle Manager
  • vRealize Operations Manager
  • vRealize Operations Manager remote collectors
  • vRealize Log Insight
  • VMware Skyline Collectors
  • vRealize Automation
  • vRealize Automation Proxy Agents
  • vRealize Business for Cloud
  • vRealize Business data collectors

Design Justification: Access to the management applications is only through published access points.

Design Implications: The application virtual network is fronted by an NSX Edge device for load balancing and by the distributed firewall, which isolates the applications from each other and from external users. Direct access to application virtual networks is controlled by distributed firewall rules.

Decision ID: SDDC-VI-SDN-043

Design Decision: Create three application virtual networks.
  • Each region has a dedicated application virtual network for the management applications in that region that do not require failover.
  • One application virtual network is reserved for management application failover between regions.

Design Justification: Using only three application virtual networks simplifies the design by sharing Layer 2 networks among applications according to their needs.

Design Implications: A single /24 subnet is used for each application virtual network. IP address management becomes critical to ensure that no shortage of IP addresses occurs.

Table 2. Design Decisions on Portable Management Applications

Decision ID: SDDC-VI-SDN-044

Design Decision: The following management applications must be easily portable between regions.
  • vRealize Suite Lifecycle Manager
  • vRealize Operations Manager
  • vRealize Automation
  • vRealize Business

Design Justification: Management applications must be easily portable between regions without requiring reconfiguration.

Design Implications: Unique addressing is required for all management applications.

Having software-defined networking based on NSX in the management stack makes all NSX features available to the management applications.

This approach to network virtualization service design improves security and mobility of the management applications and reduces the integration effort with existing customer networks.
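The implications of decisions SDDC-VI-SDN-043 and SDDC-VI-SDN-044 (one /24 per application virtual network, unique addressing, portable applications kept on the failover network) are easy to violate as an address plan grows. The following added example, which is not part of this design guide or of any VMware tooling, checks a plan against those three rules; the AVN names, subnets and sample addresses are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed placeholders for the three application virtual networks of
# decision SDDC-VI-SDN-043 (names and subnets are assumptions, not the guide's).
AVNS = {
    "avn-region-a": ipaddress.ip_network("10.0.1.0/24"),
    "avn-region-b": ipaddress.ip_network("10.0.2.0/24"),
    "avn-failover": ipaddress.ip_network("10.0.3.0/24"),
}
FAILOVER_AVN = "avn-failover"
# Applications that decision SDDC-VI-SDN-044 requires to be portable between regions.
PORTABLE = {"vRealize Suite Lifecycle Manager", "vRealize Operations Manager",
            "vRealize Automation", "vRealize Business"}


def check_plan(placements, warn_at=0.8):
    """placements: list of (application, avn_name, [ip_address, ...]).
    Returns a list of findings; an empty list means the plan satisfies the
    placement, unique-addressing and capacity rules."""
    findings = []
    seen = Counter()   # how many times each address was assigned
    used = Counter()   # addresses consumed per AVN
    for app, avn, addrs in placements:
        net = AVNS[avn]
        if app in PORTABLE and avn != FAILOVER_AVN:
            findings.append(f"{app}: portable application on {avn}, expected {FAILOVER_AVN}")
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if ip not in net:
                findings.append(f"{app}: {a} is outside {avn} ({net})")
            seen[ip] += 1
            used[avn] += 1
    for ip, n in seen.items():
        if n > 1:
            findings.append(f"{ip}: assigned {n} times; unique addressing is required")
    for avn, net in AVNS.items():
        capacity = net.num_addresses - 3  # assumes network, broadcast and gateway are unusable
        if used[avn] / capacity >= warn_at:
            findings.append(f"{avn}: {used[avn]} of {capacity} usable addresses allocated")
    return findings


# Constructed sample plan containing three deliberate mistakes.
SAMPLE = [
    ("vRealize Automation", "avn-failover", ["10.0.3.10", "10.0.3.11", "10.0.3.12"]),
    ("vRealize Operations Manager", "avn-region-a", ["10.0.1.20"]),       # portable app on a regional AVN
    ("vRealize Log Insight", "avn-region-a", ["10.0.1.30", "10.0.1.31"]),
    ("vRealize Automation Proxy Agents", "avn-region-a", ["10.0.1.31"]),  # duplicate address
    ("VMware Skyline Collectors", "avn-region-b", ["10.0.1.40"]),          # address outside its AVN
]
```

Running `check_plan(SAMPLE)` reports the misplaced portable application, the duplicate address and the out-of-subnet address; the capacity warning fires only once an AVN passes the `warn_at` fraction of its usable /24 space.
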
Figure 1. Virtual Application Network Components and Design


Certain configuration choices, made during the initial deployment, can later simplify the tenant onboarding process.

  • Create the primary NSX ESG to act as the tenant PLR, and the logical switch that forms the transit network used to connect to the UDLR.
  • Connect the primary NSX ESG uplinks to the external networks.
  • Connect the primary NSX ESG internal interface to the transit network.
  • Create the NSX UDLR to provide routing for tenant internal networks, and connect the UDLR uplink to the transit network.
  • Create any tenant networks that are known up front and connect them to the UDLR.