Workspace ONE Access is distributed as a virtual appliance in OVA format. The Workspace ONE Access appliance includes identity and access management services.

Deployment Type

You select the deployment type, standard or cluster, according to the design objectives for the availability and the number of users that the system and the integrated SDDC solutions must support. Workspace ONE Access is deployed on the first cluster in the management domain.

In this design, you deploy a cluster topology of Workspace ONE Access for cross-region SDDC solutions.
Table 1. Topology Attributes of the Cross-Region Workspace ONE Deployment

| Deployment Type | Number of Nodes | Synchronized User Scale | Description |
| --- | --- | --- | --- |
| Cluster | 3 | 10,000 users | You deploy a three-node Workspace ONE Access cluster and a load balancer on the first cluster in the management domain in Region A. |

Table 2. Design Decisions on the Deployment of Cross-Region Workspace ONE Access

| Decision ID | Design Decision | Design Justification | Design Implication |
| --- | --- | --- | --- |
| SDDC-COM-SEC-IAM-001 | Deploy the Workspace ONE Access cluster on the first cluster in the management domain in Region A. | Provides identity and access management services to cross-region SDDC solutions. | None. |
| SDDC-COM-SEC-IAM-002 | Use vRealize Suite Lifecycle Manager to deploy the three-node Workspace ONE Access cluster. | Deploying the three-node cluster configuration satisfies the design objectives in scope for this design, allowing Workspace ONE Access to scale to a higher number of users authenticating to vRealize Automation and vRealize Operations. The cross-region Workspace ONE Access cluster is managed by vRealize Suite Lifecycle Manager. | None. |
| SDDC-COM-SEC-IAM-003 | Protect all Workspace ONE Access nodes by using vSphere High Availability. | Supports the availability objectives for Workspace ONE Access without requiring manual intervention during a failure event. | None. |
| SDDC-COM-SEC-IAM-004 | Apply vSphere Distributed Resource Scheduler (DRS) anti-affinity rules for the Workspace ONE Access nodes in the cluster. | Using vSphere DRS anti-affinity rules prevents Workspace ONE Access nodes from residing on the same ESXi host, which would put the high availability of the deployment at risk. | You can place only a single ESXi host at a time into maintenance mode for a management cluster of four ESXi hosts. Requires at least four physical hosts to guarantee that the three Workspace ONE Access nodes continue to run in the cluster if an ESXi host failure occurs. |
| SDDC-COM-SEC-IAM-005 | Add a VM group for the Workspace ONE Access cluster nodes and set VM rules to restart the Workspace ONE Access VM group before the vRealize Automation VM group. | You can define the startup order of virtual machines according to their service dependencies. The startup order ensures that vSphere HA powers on the virtual machines for Workspace ONE Access in the correct order. | None. |
| SDDC-COM-SEC-IAM-006 | When using two availability zones in Region A, add the Workspace ONE Access cluster nodes to the primary availability zone VM group, sfo-m01-cl01_primary-az-vmgroup. | Ensures that, by default, the Workspace ONE Access appliances are powered on within the primary availability zone host group. | If Workspace ONE Access is deployed after the creation of the stretched clusters for the management domain availability zones, the VM group for the primary availability zone virtual machines must be updated to include the Workspace ONE Access appliances. |
| SDDC-COM-SEC-IAM-007 | Place all Workspace ONE Access cluster nodes in a dedicated VM folder in Region A, xreg-m01-fd-wsa. | Provides the organization of cross-region Workspace ONE Access nodes in the management domain inventory. | You must create the VM folder. |
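As an added example that is not part of this design guide or of any VMware product, the following PowerCLI script applies decisions SDDC-COM-SEC-IAM-004 through SDDC-COM-SEC-IAM-007 to an existing management cluster. It assumes an open Connect-VIServer session; the cluster name, the node names, and the Workspace ONE Access and vRealize Automation VM group names are assumed placeholders, while the folder name and the primary availability zone VM group name are the ones given in the table above.

```powershell
# Added example, not VMware's code. Names marked "assumed" are placeholders;
# an existing Connect-VIServer session to the management vCenter is required.
$clusterName = 'sfo-m01-cl01'                                # assumed management cluster
$wsaNames    = 'xreg-wsa01a', 'xreg-wsa01b', 'xreg-wsa01c'   # assumed WSA node names
$wsaGroup    = 'xreg-m01-wsa-vmgroup'                        # assumed VM group name
$vraGroup    = 'xreg-m01-vra-vmgroup'                        # assumed; must already exist
$folderName  = 'xreg-m01-fd-wsa'                             # decision SDDC-COM-SEC-IAM-007
$primaryAz   = 'sfo-m01-cl01_primary-az-vmgroup'             # decision SDDC-COM-SEC-IAM-006

$cluster = Get-Cluster -Name $clusterName
$wsaVms  = Get-VM -Name $wsaNames

# IAM-004: anti-affinity rule so DRS never places two WSA nodes on the same ESXi host.
New-DrsRule -Cluster $cluster -Name 'anti-affinity-rule-wsa' `
    -KeepTogether $false -Enabled $true -VM $wsaVms | Out-Null

# IAM-005: VM group for the WSA nodes, then an HA restart-dependency rule that makes
# the vRealize Automation group wait for the WSA group. PowerCLI has no cmdlet for
# dependency rules, so this part goes through the vSphere API (ClusterDependencyRuleInfo).
New-DrsClusterGroup -Cluster $cluster -Name $wsaGroup -VM $wsaVms | Out-Null
$rule = New-Object VMware.Vim.ClusterDependencyRuleInfo
$rule.Name             = 'vm-rule-vra-depends-on-wsa'
$rule.Enabled          = $true
$rule.VmGroup          = $vraGroup   # this group restarts only after ...
$rule.DependsOnVmGroup = $wsaGroup   # ... the WSA group is up
$ruleSpec = New-Object VMware.Vim.ClusterRuleSpec
$ruleSpec.Operation = 'add'
$ruleSpec.Info      = $rule
$spec = New-Object VMware.Vim.ClusterConfigSpecEx
$spec.RulesSpec = @($ruleSpec)
(Get-View $cluster).ReconfigureComputeResource_Task($spec, $true) | Out-Null

# IAM-006: if the cluster is stretched, add the nodes to the primary AZ VM group so
# they power on in the primary availability zone by default.
$azGroup = Get-DrsClusterGroup -Cluster $cluster -Name $primaryAz -ErrorAction SilentlyContinue
if ($azGroup) {
    Set-DrsClusterGroup -DrsClusterGroup $azGroup -VM $wsaVms -Add | Out-Null
}

# IAM-007: dedicated VM folder for the WSA nodes; create it under the datacenter's
# root VM folder if it does not exist yet, then move the nodes into it.
$dc     = Get-Datacenter -Cluster $cluster
$folder = Get-Folder -Name $folderName -Location $dc -Type VM -ErrorAction SilentlyContinue
if (-not $folder) {
    $vmRoot = Get-Folder -Name 'vm' -Location $dc -Type VM | Select-Object -First 1
    $folder = New-Folder -Name $folderName -Location $vmRoot
}
$wsaVms | Move-VM -InventoryLocation $folder | Out-Null
```

Run it once per region after the three nodes exist; re-running it fails on the rule and group creations, which already exist, so check with Get-DrsRule and Get-DrsClusterGroup first.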

Sizing Compute and Storage Resources

A Workspace ONE Access cluster deployment requires certain CPU, memory, and storage resources to support a vRealize Automation cluster deployment.
Table 3. CPU, Memory, and Storage Resources for the Cross-Region Workspace ONE Access Cluster Deployment

| Attribute | Per Appliance | Cluster Deployment |
| --- | --- | --- |
| CPU | 8 vCPUs | 24 vCPUs |
| Memory | 16 GB | 48 GB |
| Storage | 4.8 GB (thin provisioned); 60.2 GB (thick provisioned) | 14.4 GB (thin provisioned); 180.6 GB (thick provisioned) |

Table 4. Design Decisions on Sizing of Cross-Region Workspace ONE Access

| Decision ID | Design Decision | Design Justification | Design Implication |
| --- | --- | --- | --- |
| SDDC-COM-SEC-IAM-008 | Increase the CPU to 8 vCPUs and the initial memory to 16 GB for each cross-region Workspace ONE Access cluster node. | Supports the scalability of a vRealize Automation cluster deployment. | You must manually increase the CPU and memory for each cross-region Workspace ONE Access cluster node. |