The vCloud Director Multisite feature enables a service provider or other institutional owner of multiple, geographically-distributed vCloud Director installations (server groups) to manage and monitor those installations and their organizations as single entities.
When you associate two vCloud Director sites, you enable administration of the sites as a single entity. You also enable organizations at those sites to form associations with each other. When an organization is a member of an association, organization users can use the vCloud Director Tenant Portal to access organization assets at any member site, although each member organization and its assets are local to the site it occupies. The vCloud Director Web Console cannot be used to access resources at a remote association member.
You must use the vCloud API to associate sites. After two sites have been associated, you can use the vCloud API or the vCloud Director Tenant Portal to associate organizations that occupy those sites. See the vCloud API Programming Guide for Service Providers and the vCloud Director Tenant Portal Guide.
A site or organization can form an unlimited number of associations with a peer, but each association includes exactly two members. Each site or organization must have its own private key. Association members establish a trust relationship by exchanging public keys, which are used to verify signed requests from one member to another.
Each site in an association is defined by the scope of a vCloud Director server group (a group of servers that share a vCloud Director database). Each organization in an association occupies a single site. The organization administrator controls access by organization users and groups to assets at each member site.
Site Objects and Site Associations
The installation or upgrade process creates a Site object that represents the local vCloud Director server group. A system administrator whose authority extends to more than one vCloud Director server group can configure those server groups as an association of vCloud Director sites.
Associations of Organizations
After site association is complete, organization administrators at any member site can begin associating their organizations.
User and Group Identities
Associations of sites and organizations must agree to use the same identity provider (IDP). User and group identities for all organizations in the association must be managed through this IDP.
With the exception of the System organization, which must use the vCloud Director integrated IDP, association members are free to choose the IDP that works best for them.
Site Access Control for Organization Users and Groups
Organization administrators can configure their IDP to generate user or group access tokens that are valid at all member sites, or valid at only a subset of member sites. Note that while user and group identities must be the same in all member organizations, user and group rights are constrained by the roles those users and groups are assigned in each member organization. Assignment of a role to a user or group is local to a member organization, as are any custom roles you create.
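The following Go program is an added illustration, not VMware code and not the vCloud API's or any IDP's real token format. It models what the paragraph above describes: the IDP issues a token whose audience names the member sites at which it is valid, a site rejects tokens that are not scoped to it (or have expired or been altered), and the role the same identity holds is looked up locally at each member organization. The HMAC-based token shape, the shared `idpKey`, the site names and the `orgRoles` table are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is a constructed, simplified token body: the IDP names the member
// sites (aud) at which the token is valid and when it expires. Real IDPs emit
// SAML or OAuth tokens; this shape is for illustration only.
type Claims struct {
	Subject  string   `json:"sub"`
	Audience []string `json:"aud"`
	Expires  int64    `json:"exp"` // Unix seconds
}

// idpKey is a constructed key shared between the IDP and the member sites
// (assumption: a symmetric MAC stands in for the IDP's signing key).
var idpKey = []byte("constructed-idp-signing-key")

func mac(body []byte) []byte {
	m := hmac.New(sha256.New, idpKey)
	m.Write(body)
	return m.Sum(nil)
}

// Issue produces "<base64url claims>.<base64url mac>" for the given claims.
func Issue(c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(mac(body)), nil
}

// Validate checks the MAC, the expiry, and that this site is in the audience.
func Validate(token, site string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	body, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(mac(body), sig) { // constant-time comparison
		return nil, errors.New("token signature invalid")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if now >= c.Expires {
		return nil, errors.New("token expired")
	}
	for _, a := range c.Audience {
		if a == site {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("token not valid at site %s", site)
}

// orgRoles stands in for each member organization's local role assignments
// (constructed): the same identity can hold a different role at each site.
var orgRoles = map[string]map[string]string{
	"us.vcloud.example.com": {"alice": "Organization Administrator"},
	"uk.vcloud.example.com": {"alice": "vApp User"},
}

// RoleAt returns the role the token's subject holds at the given site, after
// the token has been accepted there.
func RoleAt(token, site string, now int64) (string, error) {
	c, err := Validate(token, site, now)
	if err != nil {
		return "", err
	}
	role, ok := orgRoles[site][c.Subject]
	if !ok {
		return "", fmt.Errorf("%s has no role at %s", c.Subject, site)
	}
	return role, nil
}

func main() {
	tok, _ := Issue(Claims{Subject: "alice", Audience: []string{"us.vcloud.example.com"}, Expires: 2000})
	for _, site := range []string{"us.vcloud.example.com", "uk.vcloud.example.com"} {
		role, err := RoleAt(tok, site, 1000)
		fmt.Println(site, role, err)
	}
}
```

The audience check is what makes a token "valid at only a subset of member sites": a token scoped to the US site is rejected at the UK site even though its signature is good, and even an accepted token grants only whatever role the local organization has assigned.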
Load Balancer Requirements
Effective implementation of a Multisite deployment requires you to configure a load balancer that distributes requests arriving at an institutional endpoint such as https://vcloud.example.com to the endpoints for each member of the site association (for example, https://us.vcloud.example.com and https://uk.vcloud.example.com). Unless a site has only a single cell, that site must also have a load balancer that distributes incoming requests across all of its cells, so that a request to https://us.vcloud.example.com can be handled by https://cell1.us.vcloud.example.com, https://cell2.us.vcloud.example.com, and so on.
After you have created a site association, the system periodically retrieves the status of the remote site and updates that status in the local site's vCloud Director database. This so-called heartbeat process runs with the identity of the Multisite system user, a local vCloud Director user account created in the System organization during vCloud Director installation. Although this account is a member of the System organization, it does not have system administrator rights. It has only a single right, Multisite: System Operations, which gives it permission to make a vCloud API request that retrieves the status of the remote member of a site association.
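As an added example, not part of this documentation and not the vCloud API's implementation, the Go program below sketches the trust model this page describes: each site holds its own private key, associated sites hold each other's public keys, a remote site accepts a request only if its signature verifies under a trusted peer key, and the local Multisite system user can issue only the status operation that its single right permits. The request envelope, the operation names, the hypothetical second right used for contrast, the status value and the site IDs are constructed assumptions; the real wire format is not reproduced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Site models one vCloud Director server group: its own key pair, the public
// keys of associated peers, the rights of its local users, and the last status
// it retrieved for each remote peer.
type Site struct {
	ID           string
	Pub          ed25519.PublicKey
	priv         ed25519.PrivateKey
	peers        map[string]ed25519.PublicKey
	rights       map[string]map[string]bool
	remoteStatus map[string]string
}

// SignedRequest is a simplified envelope (assumption, not the vCloud API's
// format). The signature covers the sender, the acting user and the operation.
type SignedRequest struct {
	FromSite, User, Operation string
	Signature                 []byte
}

// requiredRight maps an operation to the right a local user needs to issue it.
// "Multisite: System Operations" is the right named in the text; the second
// entry is a hypothetical right used only for contrast.
var requiredRight = map[string]string{
	"site.status": "Multisite: System Operations",
	"org.delete":  "Hypothetical: Administrator Control",
}

func NewSite(id string) (*Site, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // each site has its own private key
	if err != nil {
		return nil, err
	}
	s := &Site{ID: id, Pub: pub, priv: priv,
		peers:        map[string]ed25519.PublicKey{},
		rights:       map[string]map[string]bool{},
		remoteStatus: map[string]string{}}
	// The Multisite system user lives in the System organization but holds one right.
	s.rights["multisite-system"] = map[string]bool{"Multisite: System Operations": true}
	return s, nil
}

// Associate exchanges public keys; private keys never leave their site.
func Associate(a, b *Site) {
	a.peers[b.ID] = b.Pub
	b.peers[a.ID] = a.Pub
}

func message(from, user, op string) []byte {
	return []byte(from + "\x00" + user + "\x00" + op)
}

// Request enforces the local user's rights before signing with the site key.
func (s *Site) Request(user, op string) (SignedRequest, error) {
	need, ok := requiredRight[op]
	if !ok {
		return SignedRequest{}, fmt.Errorf("unknown operation %q", op)
	}
	if !s.rights[user][need] {
		return SignedRequest{}, fmt.Errorf("user %q lacks right %q", user, need)
	}
	return SignedRequest{FromSite: s.ID, User: user, Operation: op,
		Signature: ed25519.Sign(s.priv, message(s.ID, user, op))}, nil
}

// Handle serves a request only if it carries a valid signature from an
// associated site; unknown senders and altered fields are rejected.
func (s *Site) Handle(r SignedRequest) (string, error) {
	pub, ok := s.peers[r.FromSite]
	if !ok {
		return "", fmt.Errorf("no association with site %q", r.FromSite)
	}
	if !ed25519.Verify(pub, message(r.FromSite, r.User, r.Operation), r.Signature) {
		return "", errors.New("signature verification failed")
	}
	if r.Operation == "site.status" {
		return "ACTIVE", nil // constructed status value
	}
	return "", fmt.Errorf("operation %q not served here", r.Operation)
}

// Heartbeat is the periodic status retrieval, run as the Multisite system
// user; the result is recorded locally for the remote peer.
func Heartbeat(local, remote *Site) (string, error) {
	req, err := local.Request("multisite-system", "site.status")
	if err != nil {
		return "", err
	}
	status, err := remote.Handle(req)
	if err != nil {
		return "", err
	}
	local.remoteStatus[remote.ID] = status
	return status, nil
}

func main() {
	us, _ := NewSite("us.vcloud.example.com")
	uk, _ := NewSite("uk.vcloud.example.com")
	Associate(us, uk)
	fmt.Println(Heartbeat(us, uk))
	_, err := us.Request("multisite-system", "org.delete")
	fmt.Println("org.delete as Multisite system user:", err)
}
```

Two properties worth noticing when reading the code: the heartbeat account cannot be turned into a general administrative channel because the rights check happens before anything is signed, and a site that was never associated (or a request whose fields were altered after signing) fails verification at the receiving site regardless of what rights the sender claims.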