Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS
Modified on 20 JAN 2020
VMware Validated Design
Applies to VMware Validated Design 5.1, VMware Validated Design 5.0, and VMware Cloud on AWS
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304, www.vmware.com
Copyright © 2019-2020 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
About Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS
1 Applying the Guidance for Extending VMware Validated Design to VMware Cloud on AWS
2 Architecture Overview
  Physical Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS
    Availability Zones and Regions
  Virtual Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS
  Operations Management Architecture for Extending the SDDC to VMware Cloud on AWS
  Cloud Management Architecture for Extending the SDDC to VMware Cloud on AWS
3 Detailed Design
  Physical Infrastructure Design for Extending the SDDC to VMware Cloud on AWS
    Physical Design Fundamentals of the SDDC Infrastructure on VMware Cloud on AWS
    Physical Networking Design of the SDDC Infrastructure on VMware Cloud on AWS
  Virtual Infrastructure Design for Extending the SDDC to VMware Cloud on AWS
    Hybrid Linked Mode Design
    Resource Reservation Design
  Operations Management Design for Extending the SDDC to VMware Cloud on AWS
    vRealize Operations Manager Design for the SDDC Infrastructure on VMware Cloud on AWS
    vRealize Log Insight and Log Intelligence Design for the SDDC Infrastructure on VMware Cloud on AWS
  Cloud Management Design for Extending the SDDC to VMware Cloud on AWS
About Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS
The Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS documentation provides a detailed design for extending your on-premises VMware Validated Design™ SDDC to a hybrid SDDC by adding and configuring an SDDC on VMware Cloud™ on AWS as a third region, Region C.
VMware Cloud on AWS is an integrated cloud offering jointly developed by Amazon Web Services and VMware delivering a highly scalable, secure, and innovative service. With VMware Cloud on AWS, organizations can seamlessly migrate and extend their on-premises VMware vSphere® environments to the AWS Cloud running on an Amazon EC2 bare metal infrastructure.
The VMware Validated Design for SDDC traditionally uses on-premises data centers to host separate regions. Having multiple regions enables features such as high availability, disaster recovery, data locality or sovereignty, and the ability to scale out the capacity of the SDDC. If your organization cannot deploy infrastructure in an additional data center, you can extend your on-premises SDDC to a hybrid SDDC by implementing one or more regions that connect your on-premises infrastructure with VMware Cloud on AWS.
Prerequisites
You must have a VMware Validated Design for Software-Defined Data Center 5.x deployed in at least a single region. See the VMware Validated Design documentation page.
Intended Audience
This design is intended for architects and administrators who want to use VMware Cloud™ on AWS for tenant workloads.
Required VMware Software
Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS is compliant and validated with certain product versions. See VMware Validated Design Release Notes for more information about supported product versions.
• Software components for VMware Validated Design™ for Software-Defined Data Center 5.x
• VMware vCenter Cloud Gateway
Update History
Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS is updated with software releases or when necessary.
Revision | Description
18 AUG 2020 | At VMware we value inclusion. To foster this principle within our customer, partner, and internal community, we are replacing some of the terminology in our content. We have updated this guide to remove instances of non-inclusive language.
20 JAN 2020 | The graphic in Virtual Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS is updated for the VMware Cloud on AWS release (SDDC version 1.9).
19 NOV 2019 | The value of the free storage capacity is updated to 12.5 TB. See Table 3-1. Resources Consumed by the Management Components on the Initial Three-Host Cluster. The SDDC network topology is updated with the components of the NSX-T Edge appliance, which includes a management gateway (MGW), a compute gateway (CGW), and a router. See Network Design Fundamentals.
03 SEP 2019 | Initial release.
1 Applying the Guidance for Extending VMware Validated Design to VMware Cloud on AWS
The content in Architecture and Design for Extending VMware Validated Design to VMware Cloud on AWS supplements Architecture and Design in VMware Validated Design for Software-Defined Data Center, also referred to as the Standard SDDC.
Before You Design the Virtual Infrastructure for Extending the SDDC to VMware Cloud on AWS
Before you follow this documentation, you must deploy the components for the Standard SDDC according to VMware Validated Design for Software-Defined Data Center. See Architecture and Design, Planning and Preparation, Deployment for Region A, and Deployment for Region B in the VMware Validated Design documentation.
• VMware ESXi™
• VMware Platform Services Controller™ pair and Management vCenter Server®
• VMware NSX® Data Center for vSphere®
• VMware vRealize® Lifecycle Manager™
• vSphere® Update Manager™
• VMware vRealize® Operations Manager™
• VMware vRealize® Log Insight™
• VMware vRealize® Automation™ with embedded vRealize® Orchestrator™
• VMware vRealize® Business™ for Cloud
Designing a Virtual Infrastructure for Extending the SDDC to VMware Cloud on AWS
Next, follow this guidance to design the virtual infrastructure for your new region on VMware Cloud™ on AWS:
2 Architecture Overview
By extending your deployed VMware Validated Design SDDC to VMware Cloud on AWS, you extend and integrate your on-premises environment with the VMware Cloud on AWS service.
This chapter includes the following topics:
• Physical Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS
• Virtual Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS
• Operations Management Architecture for Extending the SDDC to VMware Cloud on AWS
• Cloud Management Architecture for Extending the SDDC to VMware Cloud on AWS
Physical Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS
The physical infrastructure architecture includes details for the physical properties of the SDDC on VMware Cloud on AWS implementation as Region C in this design.
Each SDDC on VMware Cloud on AWS contains at least one cluster, with vSphere HA and DRS enabled, that runs all management virtual machines and customer workload virtual machines. The initial cluster contains at least three ESXi hosts. Each ESXi host provides 36 cores running at 2.3 GHz, 512 GB RAM, and 16 TB of all-flash NVMe storage to the cluster. The workload virtual machines running inside the SDDC cluster consume a dedicated cluster-wide vSAN datastore. A cluster can be expanded up to 16 hosts, all of which have identical hardware capabilities.
Each ESXi host provides 25 Gb/s of network bandwidth within the SDDC on VMware Cloud on AWS. Network I/O Control prioritizes the bandwidth between the network traffic streams if contention occurs. The SDDC cluster uses native NSX technology that integrates with the AWS networking infrastructure. The customer can create logical networks to provide VMs with connectivity to other networks and, if necessary, to the Internet. The management virtual machines, such as vCenter Server, NSX Manager, and the NSX Edge virtual machines, run inside the cluster and are grouped in a separate vSphere DRS resource pool.
Each SDDC cluster is dedicated to a single customer. Existing AWS controls ensure customer separation by using a dedicated AWS account and a dedicated Amazon Virtual Private Cloud (VPC) for each SDDC deployment on VMware Cloud on AWS. Because vSAN is built from instance-local storage and each ESXi host is dedicated to a single customer, no resources are shared across customers in the SDDC compute, network, or storage layers.
Availability Zones and Regions
In an SDDC, availability zones are collections of infrastructure components. Availability zones are isolated from each other to prevent the propagation of failure or outage across the data center. Use regions to place workloads closer to your customers, comply with data privacy laws and restrictions, and support disaster recovery solutions for the entire SDDC.
This hybrid cloud design uses an on-premises protected region (Region A) for SDDC management components with one or two availability zones, an on-premises recovery region (Region B) with a single availability zone, and a region on VMware Cloud on AWS (Region C) with a single availability zone. You can place workloads in each availability zone and region. You can expand the design to include multiple availability zones.
Figure 2-1. Availability Zones and Regions (diagram: Region A: SFO with Availability Zone 1 and Availability Zone 2; Region B: LAX with one Availability Zone and a future Availability Zone; Region C: VMC with one Availability Zone and a future Availability Zone)
Virtual Infrastructure Architecture for Extending the SDDC to VMware Cloud on AWS
The architecture of the virtual components and services that are available in the SDDC on VMware Cloud on AWS as Region C supports the integration with the on-premises SDDC. The architecture allocates all resources required for the operation of the SDDC and isolates the management components in the cloud from the tenant workloads.
An SDDC on VMware Cloud on AWS can contain up to 10 clusters. VMware manages the vSphere HA, DRS, and vSAN settings, therefore your cloud administrator has a read-only view of the cluster configuration settings. Cloud administrators can configure only per-VM DRS rules, such as VM-VM anti-affinity and VM-Host affinity rules, by using compute policies.
By default, each cluster contains two vSphere DRS resource pools:
• The resource pool named Mgmt-ResourcePool contains the management virtual machines and is configured with a CPU and memory resource reservation. Your cloud administrator has a read-only view of the virtual machine and resource pool settings of the management resource pool.
• Tenant workloads are placed in the resource pool named Compute-ResourcePool. By default, this workload resource pool is not configured with CPU and memory resource reservations. Cloud administrators have full control access rights over this resource pool.
By default, the SDDC on VMware Cloud on AWS contains a single cluster. If you create a new cluster of hosts in the SDDC on VMware Cloud on AWS, the additional cluster is created in the same AWS availability zone. Additional clusters can use R5.metal hosts instead of i3.metal hosts. R5.metal hosts use Amazon EBS storage instead of local NVMe flash drives. EBS storage can scale from 15 TB to 35 TB in 5 TB increments. R5.metal hosts can be used only for additional clusters of an existing SDDC on VMware Cloud on AWS, and cannot be the first cluster that is provisioned in the environment.
You can configure an SDDC on VMware Cloud on AWS as an extension of an existing on-premises SDDC by using Hybrid Linked Mode and VPN connections.
Figure 2-2. VMware Cloud on AWS Region-C Cluster (diagram: a VMware Cloud cluster of ESXi transport nodes managed by the VMware Cloud vCenter Server; the Virtual Infrastructure Management resource pool, Mgmt-ResourcePool, holds the vCenter Server, NSX-T Managers, and NSX-T Edges; the Workloads resource pool, Compute-ResourcePool, holds the tenant VMs; both attach to an N-VDS in an NSX-T transport zone; the external network is the AWS VPC and the internal network is the SDDC network)
VMC Console is a self-service, Web-based application that is available from the VMware Cloud services portal where you can manage and view your SDDCs on VMware Cloud on AWS. VMC Console shows each SDDC as a card, with information including name, region, status, and hardware allocation. Also, there are links for more details and operations that you can perform on the SDDC.
In addition, VMC Console shows subscriptions, activity logs, tools, and developer center to facilitate the use of the VMware Cloud on AWS service. A subscription is used to pre-pay for hardware at a reduced cost compared to using VMware Cloud on AWS in an on-demand manner. The available tools include Content Onboarding Assistant, the DCLI bundle, and the vCenter Cloud Gateway. The developer center provides code samples, an API Explorer, and other tools to help you learn the available automation and integration development options.
Linking Between the On-premises SDDC and the SDDC on VMware Cloud on AWS
You use the vCenter Cloud Gateway appliance to link your on-premises data center to your SDDC on VMware Cloud on AWS. The vCenter Cloud Gateway appliance provides the following benefits:
• Active Directory groups are mapped from your on-premises environment to the environment on VMware Cloud on AWS. You do not need to add Active Directory as an identity source in your VMware Cloud vCenter Server.
• You can restrict access to important infrastructure services, such as Active Directory, according to the security policy of your organization. Latency when performing operations on the on-premises SDDC is lower.
• Because vCenter Cloud Gateway includes the vSphere UI, you automatically get access to the latest version of the vSphere HTML5 Client on VMware Cloud on AWS that is fully interoperable with your on-premises environment.
Operations Management Architecture for Extending the SDDC to VMware Cloud on AWS
To manage and monitor your SDDC on VMware Cloud on AWS that is implemented as Region C in this design, you can configure the on-premises vRealize Operations Manager and vRealize Log Insight instances. With this configuration, you avoid using multiple tools for the different parts of your hybrid environment.
VMware Cloud on AWS Operations Management
VMware Cloud on AWS offloads the majority of operations and management tasks to VMware. A limited number of relevant events and alerts are available through the hosted VMware Cloud vCenter Server. In this design, the on-premises vRealize Operations Manager analytics cluster collects and monitors these events and alerts, in the same way that it monitors the on-premises vCenter Server instances.
VMware Cloud on AWS Logging
VMware Log Intelligence is a VMware Cloud service with which you can collect logs from the VMware Cloud on AWS service and associated VMware Cloud services. In this design, you use the on-premises vRealize Log Insight system to collect and aggregate logging data from both VMware Cloud on AWS and on-premises sources.
For forwarding log data that is collected from the SDDC on VMware Cloud on AWS to vRealize Log Insight, you deploy a VMware Cloud Proxy appliance in the on-premises environment.
Figure 2-3. VMware Cloud Proxy Docker Containers (diagram: the Cloud Proxy runs the following Docker containers)
• Cloud Assembly SDDC Agent, container cloudassembly-sddc-agent
• Cloud Assembly CMX Agent, container cloudassembly-cmx-agent
• vRealize Orchestrator Agent, container tango-vro-agent
• Code Stream Agent, container codestream-lemans-agent
• Log Intelligence Agent, container log-forwarder
• Cloud Assembly Blueprint Agent, container cloudassembly-blueprint-agent
Cloud Management Architecture for Extending the SDDC to VMware Cloud on AWS
To configure the consumption portal for your SDDC on VMware Cloud on AWS implementation as Region C in this design, you can configure the on-premises vRealize Automation system.
You can use your on-premises vRealize Automation system with your SDDC on VMware Cloud on AWS as a deployment target end point. With this configuration, you can reuse the templates and blueprints that you developed for the on-premises environment, reducing the time required to stand up an additional environment.
Note Some blueprints might require a reconfiguration.
3 Detailed Design
The detailed design for extending VMware Validated Design to VMware Cloud on AWS considers both the physical and the virtual infrastructure design for the hybrid SDDC. It includes numbered design decisions and the justification and implications of each decision.
• Physical Infrastructure Design for Extending the SDDC to VMware Cloud on AWS
The physical design includes design decision details for the physical properties of the SDDC on VMware Cloud on AWS implementation as Region C in this design.
• Virtual Infrastructure Design for Extending the SDDC to VMware Cloud on AWS
The virtual design includes design decision details for the virtual infrastructure properties of the SDDC on VMware Cloud on AWS implementation as Region C in this design.
• Operations Management Design for Extending the SDDC to VMware Cloud on AWS
You can operate a hybrid SDDC that consists of on-premises and VMware Cloud on AWS SDDC components by using the same management components as a standalone on-premises SDDC. You extend and integrate vRealize Operations Manager and vRealize Log Insight for seamless Day-2 operations of both environments.
• Cloud Management Design for Extending the SDDC to VMware Cloud on AWS
vRealize Automation is the management component in the on-premises SDDC infrastructure for deploying blueprints and applications. You can use your on-premises vRealize Automation deployment with your SDDC on VMware Cloud on AWS.
Physical Infrastructure Design for Extending the SDDC to VMware Cloud on AWS
The physical design includes design decision details for the physical properties of the SDDC on VMware Cloud on AWS implementation as Region C in this design.
Physical Design Fundamentals of the SDDC Infrastructure on VMware Cloud on AWS
When deploying an SDDC on VMware Cloud on AWS, you must select the deployment location and the number of hosts for the initial cluster for your use case.
Selecting an AWS Region and Sizing the Initial Host Configuration
When deploying the SDDC on VMware Cloud on AWS as Region C of your validated SDDC, select the AWS Region according to these criteria:
• Location latency
• Data sovereignty
• Co-location with existing services
• Cost
You can use any AWS Region in which VMware Cloud on AWS is available. This design uses US West (Oregon) as an example.
Figure 3-1. Cluster Configuration of the Hybrid SDDC (diagram: Region A and Region B each have a management cluster running the Management vCenter Server and a PSC, and a compute/edge cluster running the Compute vCenter Server, a PSC, NSX Edge load balancers, and tenant workloads; Region C is a single cluster on VMware Cloud on AWS running the VMware Cloud vCenter Server and tenant workloads)
You can initially deploy an SDDC on VMware Cloud on AWS with a minimum of three hosts and you can later expand it to 16 hosts. Each additional host adds a significant amount of resources to the cluster. The initial hosts run both the management and tenant virtual machines, similarly to VMware Validated Design for Consolidated SDDC. The SDDC on VMware Cloud on AWS must always have enough resources for the operation of the management virtual machines. For information on resource pool configuration and resource reservation in the initial cluster, see Resource Reservation Design.
Table 3-1. Resources Consumed by the Management Components on the Initial Three-Host Cluster
Resource | Used | Free
CPU | 9 GHz | 240 GHz
Memory | 212 GB | 1.3 TB
Storage | 5.5 TB | 12.5 TB
The on-premises and cloud parts of the hybrid SDDC support maintenance operations in different ways.
• VMware Validated Design for Software-Defined Data Center defines a minimum of four ESXi hosts in the on-premises management cluster. Allocating four ESXi hosts provides full redundancy in the cluster.
• During maintenance operations in VMware Cloud on AWS environments, VMware Cloud on AWS temporarily adds another host to the SDDC to provide enough capacity and redundancy for the update. VMware vSphere® vMotion™ and DRS activity occurs to facilitate the update. During this time, your workloads and other resources function as usual. Permanently adding hosts to the initial cluster for this purpose is not required.
Table 3-2. Design Decisions on the Initial Configuration of the SDDC on VMware Cloud on AWS
Decision ID: SDDC-VMC-PHY-001
Design Decision: Deploy the SDDC on VMware Cloud on AWS in an AWS Region that has the lowest latency to your on-premises infrastructure while meeting all other business requirements.
Design Justification: Having all infrastructure closely or centrally located provides an optimal user experience. However, make sure that this setup is not at the expense of legal requirements or infrastructure features.
Design Implication: While most AWS locations have the same pricing model, slight variations exist. These variations might change the overall service cost if the closest AWS Region does not meet the requirements of your organization.
Decision ID: SDDC-VMC-PHY-002
Design Decision: Deploy the SDDC on VMware Cloud on AWS with three hosts.
Design Justification: The initial minimum cluster size still provides a significant amount of resources to tenant workloads. You can easily extend clusters on demand. You can use single-host clusters for evaluation purposes, but they are not suitable for production.
Design Implication: The resources provided by three hosts might not be needed initially and therefore might be wasted. Smaller clusters are not supported for production workloads.
Scaling Out an SDDC on VMware Cloud on AWS
While you can scale out the initial cluster, you can also add clusters to the SDDC. According to the operational and business requirements of your organization, you can use these additional clusters for other categories of service or environments, such as development or staging environments.
Before adding hosts to the initial cluster, size the cluster correctly by considering the number, size, and use of the tenant workloads you plan to provision.
Physical Networking Design of the SDDC Infrastructure on VMware Cloud on AWS
To begin using VMware Cloud on AWS to run workloads as Region C in your SDDC, you must set up network connections between your on-premises data centers and the SDDC on VMware Cloud on AWS. This network can include a dedicated connection over AWS Direct Connect, an IPSec VPN, or both.
Network Design Fundamentals
VMware Cloud on AWS uses VMware NSX-T™ Data Center to create and manage internal SDDC networks and provide endpoints for VPN connections from your on-premises network infrastructure.
SDDC Network Topology
When fully configured, an SDDC on VMware Cloud on AWS includes two internal networks: a management network for hosts and management appliances, and a compute network for workload VMs. An NSX-T Edge appliance provides connectivity between your on-premises networks and the SDDC networks on VMware Cloud on AWS, and routes traffic to either the management network or the compute network as appropriate. The SDDC has two NSX-T Edge appliances that are configured in active-standby mode for high availability.
The NSX-T Edge appliance includes a management gateway (MGW), a compute gateway (CGW), and a router. The NSX-T Edge appliance also provides services such as the gateway firewall. There are two gateway firewalls, the MGW firewall and the CGW firewall, which provide north-south protection. For east-west protection, a distributed firewall runs across all hosts in the SDDC.
MGW
The MGW in the NSX-T Edge appliance downlinks to the management network and uplinks to the router in the NSX-T Edge appliance. This configuration provides north-south connectivity for vCenter Server and the other management VMs running in the SDDC on VMware Cloud on AWS.
During SDDC creation, the Internet-facing IP address (Public IP #1) is assigned automatically from the pool of AWS public IP addresses. When you create the SDDC on VMware Cloud on AWS, configure the management subnet with a range of IP addresses (CIDR block) that can support the number of ESXi hosts the SDDC will grow to, and that does not overlap any on-premises network the SDDC must reach over the VPN or Direct Connect. If you do not specify a range during SDDC creation, the system uses the default of 10.2.0.0/16. The management CIDR cannot be changed after the SDDC is created, so treat this choice as permanent.
CGW
The CGW in the NSX-T Edge appliance downlinks to the compute network and uplinks to the router in the NSX-T Edge appliance. This configuration provides north-south connectivity for the workload virtual machines running in the SDDC on VMware Cloud on AWS.
In a single-host SDDC, VMware Cloud on AWS creates a default logical network segment (CIDR block 192.168.1.0/24) to provide networking for these VMs. You can use the VMC Console to create additional logical networks.
Router
The router in the NSX-T Edge appliance provides connectivity to the external environment, so all traffic between your on-premises networks and your SDDC on VMware Cloud on AWS passes through this router. The router also connects the MGW and the CGW, so all traffic between the workload VMs and the management components in the VMware Cloud on AWS SDDC also passes through this router. Only VMware cloud administrators can view and manage the router.
The MGW and CGW firewall rules are applied on the uplink interfaces of the router.
AWS Direct Connect
The AWS Direct Connect (DX) service provides a dedicated high-speed, low latency connection between your on-premises data center and your AWS VPC. You can use DX alone or with a VPN.
DX is used over a private virtual interface (VIF) to carry workload and management traffic, including VPN and vSphere vMotion traffic, between your on-premises data center and your connected VPC. Use DX over a public VIF to connect to AWS public endpoints, such as EC2 and S3.
You can use a DX connection over a private VIF for all traffic between your on-premises data center and your SDDC on VMware Cloud on AWS. The connection terminates in your connected Amazon VPC, provides a private IP address space, and uses BGP to advertise routes in your SDDC and learn routes in your on-premises data center.
A DX connection over a public VIF is typically used only for traffic between your on-premises data center and public AWS services, which you cannot access over a private VIF. The connection terminates at the AWS Region level in the Region occupied by your connected Amazon VPC and uses BGP to advertise AWS global routes.
Direct Connect is beneficial but not required for the hybrid cloud functionality, and is therefore optional in this VMware Validated Design. Even if a Direct Connect is established, a VPN is still necessary to complete the traffic flow between the VMware Cloud on AWS and on-premises SDDC infrastructure.
VPN Design
To route management traffic between your VMware Cloud on AWS and on-premises SDDC infrastructure, you must establish a VPN connection to each on-premises region.
VMware Cloud on AWS offers two types of VPN for management traffic: route-based and policy-based.
• A route-based VPN creates an IPsec tunnel interface and routes traffic through it as dictated by the routing table on the VMware Cloud on AWS SDDC. A route-based VPN provides resilient and secure access to multiple subnets. When you use a route-based VPN, new routes are added automatically when new networks are created.
Route-based VPNs in a VMware Cloud on AWS SDDC use the IPsec protocol to secure traffic and the Border Gateway Protocol (BGP) to discover and propagate routes when networks are created. To create a route-based VPN, you configure BGP information for the VMware Cloud on AWS SDDC and on-premises endpoints, and specify tunnel security parameters for the VMware Cloud on AWS SDDC end of the tunnel.
• A policy-based VPN creates an IPsec tunnel and a policy that specifies how traffic uses it. When you use a policy-based VPN, you must update the routing tables on both ends of the network when new routes are added.
Policy-based VPNs in a VMware Cloud on AWS SDDC use the IPsec protocol to secure traffic. To create a policy-based VPN, you first configure the VMware Cloud on AWS SDDC endpoint, then you configure a matching remote on-premises endpoint. Because each policy-based VPN must create an IPsec security association for each network, a network administrator must update the routing information on-premises and in the VMware Cloud on AWS SDDC whenever a new policy-based VPN is created. A policy-based VPN can be an appropriate choice when you have only a few networks on either end of the VPN, or if your on-premises network hardware does not support BGP, which is required for route-based VPNs.
Figure 3-2. VPN Overview (diagram: Region A and Region B each have a management cluster and a shared edge and compute cluster, a Management vCenter Server, a Compute vCenter Server, and the vCenter Cloud Gateway; each region connects over an external connection to the SDDC on VMware Cloud on AWS in Region C, where the VMware Cloud vCenter Server and the ESXi hosts sit on the 10.2.0.0/16 infrastructure subnet)
In this design, a VPN is required between the management cluster in each on-premises region (Region A and Region B) and the SDDC on VMware Cloud on AWS (Region C), however the on-premises termination locations are not enforced. Use NSX ESGs as the on-premises terminating devices, because you can place them in the on-premises SDDC infrastructure. This configuration provides a simple and secure location without complicating other parts of the enterprise network.
Table 3-3. Design Decisions on VPN Configuration

SDDC-VMC-NET-001
Design Decision: Create a policy-based management VPN between the Management Gateway on the VMware Cloud on AWS SDDC and the Region A and Region B management environments.
Design Justification: BGP is not supported over NSX IPsec VPN tunnels.
Design Implication: In some environments, it might be preferable to terminate the VPNs outside the on-premises SDDC environments, where BGP is available.

SDDC-VMC-NET-002
Design Decision: If using NSX for management VPN termination, configure a highly available pair of NSX Edge service gateways (ESGs) in each of the edge clusters.
Design Justification: VPNs between the VMware Cloud on AWS and on-premises SDDC infrastructure must be able to exchange routing information.
Design Implication: Adds resource overhead.

SDDC-VMC-NET-003
Design Decision: If using NSX for management VPN termination, configure the ESG HA heartbeat timeout to 5 seconds.
Design Justification: Using a longer heartbeat timeout might result in a longer than desired outage of communication between on-premises and VMware Cloud on AWS workloads.
Design Implication: Configuring a heartbeat timeout that is too short might result in a premature failover that can increase or extend an outage.
Consider the difference in the property names in the VPN configuration of the VPN-enabled NSX ESGs and of the SDDC on VMware Cloud on AWS.
Table 3-4. Mapping VPN Parameters Between the User Interface of NSX for vSphere and VMC Console

NSX Property Name | VMC Console Property Name
Name | VPN Name
Peer ID | On-prem Gateway IP
Peer Endpoint | On-prem Gateway IP
Peer Subnets | On-prem Network
Local ID | Uplink SNAT (not a user-entered value)
Local Endpoint | Uplink IP (not a user-entered value)
Local Subnets | Local Network
Encryption Algorithm | Encryption
Perfect Forward Secrecy | Perfect Forward Secrecy
Authentication | PSK (not configurable)
Diffie Hellman Group | Diffie Hellman
Pre-Shared Key | Pre-Shared Key
Enabled | True (not configurable)
Figure 3-3. VPN Design for a Region in the On-Premises SDDC

[Figure: the on-premises region's shared edge and compute cluster connects to the Internet/enterprise network through ToR switches and ECMP ESGs on the transit network 192.168.11.0/24. Behind the Universal Distributed Logical Router sit the Mgmt-xRegion01-VXLAN network (vRealize Automation, vRealize Operations Manager, vRealize Business for Cloud, vCenter Cloud Gateway, behind an ESG load balancer) and the Mgmt-RegionA01-VXLAN network 192.168.31.0/24 (vRealize Log Insight, vRealize Suite Lifecycle Manager, vRealize Operations collector, vRealize Automation proxy, VMware Update Manager Download Service, vRealize Business collector). The management VPN terminates on a dedicated pair of MGMT VPN ESGs on the Edge-Management network; vCenter Server, Platform Services Controller and Site Recovery Manager are on the Mgmt-Management and Compute-Management networks.]
Figure 3-4. VPN Design for Both Regions in the On-Premises SDDC

[Figure: the same layout as Figure 3-3 repeated for Region A and Region B. Each region has its own ToR switches, ECMP ESGs on the transit network 192.168.11.0/24, ESG load balancer, region-specific management network (Mgmt-RegionA01-VXLAN 192.168.31.0/24 in Region A, Mgmt-RegionB01-VXLAN 192.168.32.0/24 in Region B) and its own pair of MGMT VPN ESGs. The Mgmt-xRegion01-VXLAN network with vRealize Automation, vRealize Business for Cloud, vRealize Operations Manager and the vCenter Cloud Gateway is active in Region A; Region B holds the failover components.]
For traffic to flow between the management networks of the VMware Cloud on AWS SDDC and your on-premises management networks, you must populate each management VPN connection with the infrastructure subnet of the VMware Cloud on AWS SDDC, any custom network segments on the VMware Cloud on AWS SDDC, and the on-premises management networks. You enter these networks in the configuration of each side of the VPN tunnel as either local or remote networks. Adding the vSphere vMotion networks as well allows cold migrations between the two environments.
Table 3-5. Management Network Configuration for VPN Connection

VPN Source: VMware Cloud on AWS SDDC
VPN Destination: Region A
Remote Networks: 172.16.11.0/24, 172.16.12.0/24, 172.16.31.0/24, 172.16.32.0/24, 192.168.11.0/24, 192.168.31.0/24
Local Networks: Infrastructure Subnet (10.2.0.0/16), Standalone Subnets, Routed Subnets

VPN Source: VMware Cloud on AWS SDDC
VPN Destination: Region B
Remote Networks: 172.17.11.0/24, 172.17.12.0/24, 172.17.31.0/24, 172.17.32.0/24, 192.168.11.0/24, 192.168.32.0/24
Local Networks: Infrastructure Subnet (10.2.0.0/16), Standalone Subnets, Routed Subnets

VPN Source: Region A
VPN Destination: VMware Cloud on AWS SDDC
Remote Networks: Infrastructure Subnet (10.2.0.0/16), Standalone Subnets, Routed Subnets
Local Networks: 172.16.11.0/24, 172.16.12.0/24, 172.16.31.0/24, 172.16.32.0/24, 192.168.11.0/24, 192.168.31.0/24

VPN Source: Region B
VPN Destination: VMware Cloud on AWS SDDC
Remote Networks: Infrastructure Subnet (10.2.0.0/16), Standalone Subnets, Routed Subnets
Local Networks: 172.17.11.0/24, 172.17.12.0/24, 172.17.31.0/24, 172.17.32.0/24, 192.168.11.0/24, 192.168.32.0/24
Table 3-6. Design Decisions on VPN Endpoint Configuration

SDDC-VMC-NET-004
Design Decision: Add all networks for management and vSphere vMotion in the on-premises and VMware Cloud on AWS SDDCs to each VPN endpoint configuration.
Design Justification: To have operations running in both the on-premises and the VMware Cloud on AWS SDDC infrastructure, traffic between all management subnets must be routed.
Design Implication: Having management networks routable over a VPN might raise security considerations in some organizations.
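The mirror-image requirement in Table 3-5 and SDDC-VMC-NET-004 is easy to get wrong by hand, and a policy-based tunnel punishes mistakes with silently missing traffic selectors. The following Python script is an added example, not part of the original design guide or of any VMware tool. It models both ends of the Region A management VPN, verifies that each side's local networks are exactly the other side's remote networks, flags a prefix that appears on both sides of one endpoint, reports required subnets that are missing, and counts the local/remote selector pairs the tunnel has to negotiate. It assumes the NSX ESG behaviour of one IPsec security association per local/peer subnet pair, and the two /24 prefixes standing in for the SDDC's routed and standalone segments are placeholders, because the page names those segments without giving their CIDRs.

```python
"""Consistency checks for a policy-based management VPN between an on-premises
region and the SDDC on VMware Cloud on AWS (added example, not VMware code)."""
from ipaddress import ip_network

# Region A management and vSphere vMotion subnets, as listed in Table 3-5.
REGION_A_NETS = [
    "172.16.11.0/24", "172.16.12.0/24", "172.16.31.0/24", "172.16.32.0/24",
    "192.168.11.0/24", "192.168.31.0/24",
]
# SDDC side: the infrastructure subnet is from the design; the two /24s are
# assumed placeholders for the routed and standalone segments.
SDDC_NETS = ["10.2.0.0/16", "10.3.1.0/24", "10.3.2.0/24"]


def endpoint(name, local, remote):
    """One end of a policy-based VPN with normalised, de-duplicated subnet lists."""
    return {
        "name": name,
        "local": sorted(set(ip_network(n) for n in local)),
        "remote": sorted(set(ip_network(n) for n in remote)),
    }


def mirror_errors(side_a, side_b):
    """Each side's local networks must be exactly the other side's remote networks."""
    errors = []
    if side_a["local"] != side_b["remote"]:
        errors.append(f"{side_a['name']} local != {side_b['name']} remote")
    if side_a["remote"] != side_b["local"]:
        errors.append(f"{side_a['name']} remote != {side_b['name']} local")
    return errors


def overlap_errors(side):
    """A prefix that is both local and remote makes the traffic selector ambiguous."""
    return [f"{loc} overlaps {rem}"
            for loc in side["local"] for rem in side["remote"] if loc.overlaps(rem)]


def missing_networks(side, required):
    """Required subnets (every management and vMotion network, per SDDC-VMC-NET-004)
    that the endpoint carries on neither side."""
    present = set(side["local"]) | set(side["remote"])
    return [n for n in required if ip_network(n) not in present]


def selector_pairs(side):
    """Policy-based tunnels negotiate one IPsec SA per local/remote subnet pair
    (assumed NSX ESG behaviour). Every added subnet multiplies this count, which
    is why the text reserves policy-based VPNs for a small number of networks."""
    return [(loc, rem) for loc in side["local"] for rem in side["remote"]]


def check_pair(side_a, side_b, required):
    """All findings for a VPN pair; an empty list means the two ends are consistent."""
    findings = mirror_errors(side_a, side_b)
    for side in (side_a, side_b):
        findings += overlap_errors(side)
        findings += [f"{side['name']} is missing {n}"
                     for n in missing_networks(side, required)]
    return findings


if __name__ == "__main__":
    sddc_end = endpoint("SDDC->RegionA", SDDC_NETS, REGION_A_NETS)
    onprem_end = endpoint("RegionA->SDDC", REGION_A_NETS, SDDC_NETS)
    print("findings:", check_pair(sddc_end, onprem_end, REGION_A_NETS + SDDC_NETS))
    print("selector pairs per side:", len(selector_pairs(sddc_end)))
```

Run it against the real lists before and after every subnet change on either side; the selector-pair count also makes the cost of "just one more network" on a policy-based VPN visible, which is the trade-off the text describes against route-based VPNs.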
Firewall Rules Design
The management gateway on the VMware Cloud on AWS SDDC is configured with a firewall that blocks all inbound connections to the management network on the VMware Cloud on AWS SDDC. This configuration ensures the security and integrity of the management interfaces on VMware Cloud on AWS, such as vCenter Server and ESXi. The firewall has limited configuration options for existing management interfaces, but some connections can be allowed.
When you create an SDDC on VMware Cloud on AWS, the management gateway firewall has the following rules.
Table 3-7. Default Management Gateway Firewall Rules

Rule Name | Source | Destination | Services | Action
vCenter Outbound Rule | vCenter | Any | Any | Allow
ESXi Outbound Rule | ESXi | Any | Any | Allow
Default Deny All | Any | Any | Any | Block
To allow the SDDC on VMware Cloud on AWS to connect to your on-premises management domain, you must change the default firewall policy. To simplify the firewall rule management, you can create groups of IP addresses and subnets.
Table 3-8. Design Decisions on Management Gateway Firewall Configurations

SDDC-VMC-NET-005
Design Decision: Configure the management gateway firewall to allow access from the on-premises management subnets to the vCenter Server, ESXi, and NSX Manager instances on the VMware Cloud on AWS SDDC.
Design Justification: The hybrid functionality requires changes on the firewall.
Design Implication: Opening the default firewall rules widens the set of sources from which the management components of the SDDC on VMware Cloud on AWS can be reached. Limit the allowed sources to the on-premises management subnets and the allowed services to the ones the integration needs.

SDDC-VMC-NET-006
Design Decision: Configure the local on-premises SDDC management subnets as groups.
Design Justification: Using groups simplifies the firewall rule management.
Design Implication: None.
To simplify the firewall rule management, you add the following groups.
Table 3-9. Inventory Groups

Name | Member Type | Members
SFO01Nets | IP Address | 172.16.11.0/24, 172.16.12.0/24, 172.16.31.0/24, 172.16.32.0/24, 192.168.11.0/24, 192.168.31.0/24
LAX01Nets | IP Address | 172.17.11.0/24, 172.17.12.0/24, 172.17.31.0/24, 172.17.32.0/24, 192.168.11.0/24, 192.168.32.0/24
To allow the hybrid functionality, you must add the following management gateway firewall rules to the default outbound rules that are configured when the SDDC infrastructure is created on VMware Cloud on AWS.
Table 3-10. Additional Management Gateway Firewall Rules

Name | Source | Destination | Services | Action
SFO01M01 ESXi Rule | SFO01Nets | ESXi | Provisioning & Remote Console (TCP 902), vSphere vMotion (TCP 8000), ICMP (ALL ICMP), HTTPS (TCP 443) | Allow
SFO01M01 vCenter Rule | SFO01Nets | vCenter | ICMP (ALL ICMP), SSO (TCP 7444), HTTPS (TCP 443) | Allow
SFO01 NSX Rule | SFO01Nets | NSX | HTTPS (TCP 443) | Allow
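Because the management gateway is a first-match policy that ends in Default Deny All, the practical question for every flow the hybrid setup needs is which rule it hits. The following Python evaluator is an added example, not part of the original design guide or of the VMC Console. It encodes the default rules of Table 3-7, the inventory groups of Table 3-9 and the added rules of Table 3-10 in order, and answers (rule name, action) for a given source, destination, protocol and port. The addresses of the vCenter, ESXi and NSX groups inside the 10.2.0.0/16 infrastructure subnet are assumptions; on the real SDDC these are system-defined groups maintained by the service.

```python
"""First-match evaluator for the management gateway firewall policy
(added example, not VMware code)."""
from ipaddress import ip_address, ip_network

# Inventory groups from Table 3-9.
GROUPS = {
    "SFO01Nets": ["172.16.11.0/24", "172.16.12.0/24", "172.16.31.0/24",
                  "172.16.32.0/24", "192.168.11.0/24", "192.168.31.0/24"],
    "LAX01Nets": ["172.17.11.0/24", "172.17.12.0/24", "172.17.31.0/24",
                  "172.17.32.0/24", "192.168.11.0/24", "192.168.32.0/24"],
    # vCenter, ESXi and NSX are system-defined groups on the real SDDC; these
    # addresses inside the 10.2.0.0/16 infrastructure subnet are assumed.
    "vCenter": ["10.2.192.10/32"],
    "NSX": ["10.2.192.20/32"],
    "ESXi": ["10.2.32.0/24"],
}

# Service names as they appear in Tables 3-7 and 3-10, as (protocol, port) sets.
SERVICES = {
    "Any": {("any", None)},
    "ICMP": {("icmp", None)},
    "HTTPS": {("tcp", 443)},
    "SSO": {("tcp", 7444)},
    "Provisioning & Remote Console": {("tcp", 902)},
    "vSphere vMotion": {("tcp", 8000)},
}

# Ordered policy: the two default outbound rules, the three rules added for
# Region A, and the default deny last. The first matching rule wins.
RULES = [
    ("vCenter Outbound Rule", "vCenter", "Any", ["Any"], "Allow"),
    ("ESXi Outbound Rule", "ESXi", "Any", ["Any"], "Allow"),
    ("SFO01M01 ESXi Rule", "SFO01Nets", "ESXi",
     ["Provisioning & Remote Console", "vSphere vMotion", "ICMP", "HTTPS"], "Allow"),
    ("SFO01M01 vCenter Rule", "SFO01Nets", "vCenter", ["ICMP", "SSO", "HTTPS"], "Allow"),
    ("SFO01 NSX Rule", "SFO01Nets", "NSX", ["HTTPS"], "Allow"),
    ("Default Deny All", "Any", "Any", ["Any"], "Block"),
]


def in_group(address, group):
    """True if the address belongs to the named group; 'Any' matches everything."""
    if group == "Any":
        return True
    addr = ip_address(address)
    return any(addr in ip_network(prefix) for prefix in GROUPS[group])


def service_matches(service, protocol, port):
    """True if the flow's protocol/port is covered by the named service."""
    for sproto, sport in SERVICES[service]:
        if sproto == "any" or (sproto == protocol and sport in (None, port)):
            return True
    return False


def evaluate(src, dst, protocol, port=None):
    """Return (rule name, action) for a flow; the default deny is the fallback."""
    for name, sgroup, dgroup, services, action in RULES:
        if (in_group(src, sgroup) and in_group(dst, dgroup)
                and any(service_matches(s, protocol, port) for s in services)):
            return name, action
    return "Default Deny All", "Block"


def audit(flows):
    """Evaluate (src, dst, protocol, port) flows in bulk, for regression-checking a
    rule change against the flows the hybrid integration depends on."""
    return {flow: evaluate(*flow) for flow in flows}
```

Two things the evaluator makes obvious: an on-premises host reaching ESXi on any port other than 902, 8000, 443 or ICMP still lands on Default Deny All, and a source in LAX01Nets is blocked even for HTTPS to vCenter, because Table 3-10 lists rules for SFO01Nets only; Region B needs its own equivalent rules before the management VPN from Region B is useful.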
Name Resolution Design
Specifying a DNS server allows the gateway to resolve fully-qualified domain names (FQDNs) to IP addresses on the network.
The management gateway on the VMware Cloud on AWS SDDC must be configured to resolve the on-premises FQDNs.
Table 3-11. Design Decisions on the Management Gateway DNS Configuration

SDDC-VMC-NET-007
Design Decision: Configure the management gateway DNS server IP address to forward name resolution to the on-premises DNS servers.
Design Justification: Without the on-premises DNS resolution, vCenter Cloud Gateway is unable to link the two environments. See Table 3-13. Design Decisions on the vCenter Cloud Gateway Deployment.
Design Implication: None.
The compute gateway on the VMware Cloud on AWS SDDC can be configured to resolve up to five specific domains by configuring a domain name server for each.
Network Segment Design
Network segments are logical networks for use by workload VMs in the Compute-ResourcePool of the SDDC on VMware Cloud on AWS.
VMware Cloud on AWS supports three types of logical network segments: routed, extended, and disconnected.
- A routed network segment (the default type) has connectivity to other logical networks in the SDDC on VMware Cloud on AWS, and to external networks through the SDDC firewall.
- An extended network segment extends an existing L2VPN tunnel, providing a single IP address space that spans the VMware Cloud on AWS SDDC and an on-premises network.
- A disconnected network segment has no uplink and provides an isolated network accessible only to the VMs connected to it. Disconnected segments are created when needed by HCX. You can also create disconnected network segments yourself and convert them to other segment types.
An SDDC on VMware Cloud on AWS does not contain a default network segment, so you must create at least one for your workload VMs. You can use the VMC Console to create network segments and to delete network segments that are no longer in use.
When you create a network segment, ensure that it does not overlap your management network or any of the subnets in your connected Amazon VPC.
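The overlap rule above is cheap to enforce before a segment is created. The following Python check is an added example, not part of the original design guide or of the VMC Console. It rejects a candidate prefix that overlaps the 10.2.0.0/16 management network, the connected Amazon VPC subnets, or a segment already accepted, and, going a step beyond the text, treats overlap with the on-premises networks carried over the management VPN (Table 3-5) as a conflict for routed segments, since a routed segment with the same prefix as an on-premises network would compete with the VPN route. Extended segments deliberately share a prefix with an on-premises network, so that part of the check is skipped for them. The connected VPC CIDR is an assumption; the page does not give it.

```python
"""Overlap check for a new network segment on the SDDC on VMware Cloud on AWS
(added example, not VMware code)."""
from ipaddress import ip_network

# Infrastructure subnet of the SDDC, from the design.
MANAGEMENT_NETWORK = ip_network("10.2.0.0/16")
# Assumed CIDR of the connected Amazon VPC; the page does not state it.
CONNECTED_VPC_SUBNETS = [ip_network("10.10.0.0/16")]
# On-premises networks reachable over the management VPN (Table 3-5, both regions).
ON_PREM_NETS = [ip_network(n) for n in (
    "172.16.11.0/24", "172.16.12.0/24", "172.16.31.0/24", "172.16.32.0/24",
    "172.17.11.0/24", "172.17.12.0/24", "172.17.31.0/24", "172.17.32.0/24",
    "192.168.11.0/24", "192.168.31.0/24", "192.168.32.0/24",
)]

SEGMENT_TYPES = ("routed", "extended", "disconnected")


def segment_conflicts(candidate, segment_type="routed", existing_segments=()):
    """Return (reason, prefix) pairs explaining why the segment must not be created.

    The management network and the connected VPC subnets are conflicts for every
    segment type, as the design requires. For a routed segment the check also
    rejects prefixes that collide with the on-premises networks over the VPN
    (an addition of this example). An extended segment shares its prefix with an
    on-premises network by design, so on-premises overlap is not a conflict for it;
    a disconnected segment has no uplink, so it is not checked against them either."""
    if segment_type not in SEGMENT_TYPES:
        raise ValueError(f"unknown segment type {segment_type!r}")
    cand = ip_network(candidate, strict=True)   # rejects host bits, e.g. 10.3.1.5/24
    reserved = [("management network", MANAGEMENT_NETWORK)]
    reserved += [("connected VPC subnet", s) for s in CONNECTED_VPC_SUBNETS]
    reserved += [("existing segment", ip_network(s)) for s in existing_segments]
    if segment_type == "routed":
        reserved += [("on-premises network over the VPN", n) for n in ON_PREM_NETS]
    return [(reason, str(net)) for reason, net in reserved if cand.overlaps(net)]


def plan_segments(requests, segment_type="routed"):
    """Admit segments in order; each accepted prefix joins the set that later
    requests are checked against. Returns (accepted, rejected-with-reasons)."""
    accepted, rejected = [], {}
    for prefix in requests:
        problems = segment_conflicts(prefix, segment_type, accepted)
        if problems:
            rejected[prefix] = problems
        else:
            accepted.append(prefix)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_segments(["10.3.1.0/24", "10.2.5.0/24", "10.3.1.128/25"])
    print("accepted:", ok)
    print("rejected:", bad)
```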
Virtual Infrastructure Design for Extending the SDDC to VMware Cloud on AWS
This virtual infrastructure design covers the design decisions for the SDDC on VMware Cloud on AWS that serves as Region C in this design.
- Hybrid Linked Mode Design
You configure Hybrid Linked Mode to link the vCenter Server instance on your VMware Cloud on AWS SDDC with your on-premises vCenter Single Sign-On domain.
- Resource Reservation Design
When you deploy an SDDC on VMware Cloud on AWS, the configuration of the initial cluster includes reserving resources for the management workloads so that capacity for SDDC infrastructure management is always available.
Hybrid Linked Mode Design
You configure Hybrid Linked Mode to link the vCenter Server instance on your VMware Cloud on AWS SDDC with your on-premises vCenter Single Sign-On domain.
Shared vCenter Single Sign-On Domain
When you link a vCenter Server instance on VMware Cloud on AWS to a workload domain where multiple vCenter Server instances are connected in Enhanced Linked Mode, all those instances are linked to the SDDC on VMware Cloud on AWS.
By using Hybrid Linked Mode, you can:
- View and manage the inventories of both your on-premises and VMware Cloud on AWS data centers from a single vSphere Client interface by using your on-premises credentials.
- Migrate workloads between your on-premises and VMware Cloud on AWS data centers.
- Share tags and tag categories from your on-premises vCenter Server instances to your VMware Cloud on AWS vCenter Server instance.
Figure 3-5. Design of a Shared vCenter Single Sign-On Domain

[Figure: one shared vCenter Single Sign-On domain spans three regions. Region A (SFO) and Region B (LAX) each contain a Management vCenter Server appliance and a Compute vCenter Server appliance, each backed by Platform Services Controller appliances behind an NSX Edge load balancer. Region C (VMC) contains the VMware Cloud vCenter Server, joined to the domain through the vCenter Cloud Gateway that runs in Region A (SFO).]
To enable Hybrid Linked Mode, the vCenter Server instance on VMware Cloud on AWS must be able to communicate with all the on-premises vCenter Server instances in Region A and Region B. To exchange authentication and management functions between the VMware Cloud on AWS and the on-premises vCenter Server instances, you deploy a vCenter Cloud Gateway (VCG) appliance. For seamless authentication, you join the VCG appliance to the existing on-premises vCenter Single Sign-On domain. This configuration spans the vCenter Single Sign-On domain between both on-premises and VMware Cloud on AWS vCenter Server instances.
Provide the compute and storage resources for the operation of the vCenter Cloud Gateway appliance.
Table 3-12. Minimum Hardware Requirements for the vCenter Cloud Gateway Appliance

Hardware | Minimum Required
CPUs | 8
Memory | 24 GB
Storage | 190 GB
Table 3-13. Design Decisions on the vCenter Cloud Gateway Deployment

SDDC-VMC-VI-001
Design Decision: Deploy the vCenter Cloud Gateway appliance in the management cluster in Region A.
Design Justification: Managing separate vCenter Single Sign-On domains limits the capabilities of the hybrid cloud.
Design Implication: Additional on-premises resources are required for the appliance.

SDDC-VMC-VI-002
Design Decision: Deploy the vCenter Cloud Gateway on the management VLAN.
Design Justification: The vCenter Cloud Gateway does not support VXLAN.
Design Implication: If an outage occurs, you must deploy the appliance again. You cannot fail it over to the recovery region of the on-premises SDDC.
Resource Reservation Design
When you deploy an SDDC on VMware Cloud AWS, the configuration of the initial cluster includes reserving resources for the management workloads so that capacity for SDDC infrastructure management is always available.
The initial cluster of the VMware Cloud on AWS SDDC runs both the management applications and provisioned tenant workloads.
Because the SDDC must remain operational even if a resource contention occurs, when VMware Cloud on AWS deploys the SDDC, it reserves resources in the cluster for the management components by creating resource pools. The initial cluster contains two resource pools, Mgmt-ResourcePool and Compute-ResourcePool, and the reservations are set on the management resource pool.
VMware Cloud on AWS assigns the Management Storage Policy to all management virtual machines. To guarantee that the management virtual machines always receive the storage resources they require, the object space reservation of the Management Storage Policy is set to thick provisioning.
Table 3-14. Reservations for the Management Components in the Initial Cluster

Resource | Reservation for the Management Resource Pool | Reservation for the Compute Resource Pool
CPU | 73.5 GHz (expandable) | 0 GHz
Memory | 117 GB (expandable) | 0 GB
Storage | 11.12 TB | 0 TB
Operations Management Design for Extending the SDDC to VMware Cloud on AWS
You can operate a hybrid SDDC that consists of on-premises and VMware Cloud on AWS components by using the same management components as a standalone on-premises SDDC. You extend and integrate vRealize Operations Manager and vRealize Log Insight for seamless Day-2 operations of both environments.
- vRealize Operations Manager Design for the SDDC Infrastructure on VMware Cloud on AWS
vRealize Operations Manager is the monitoring component of the on-premises SDDC infrastructure, and can also be extended across the management VPN to monitor the SDDC infrastructure on VMware Cloud on AWS. Because VMware Cloud on AWS is hosted and managed by VMware, not all metrics, events, and alerts are made available.
- vRealize Log Insight and Log Intelligence Design for the SDDC Infrastructure on VMware Cloud on AWS
vRealize Log Insight is the logging management component that exists in the on-premises SDDC infrastructure. VMware Log Intelligence™ is the service that you can use to collect selected logs from your SDDC on VMware Cloud on AWS. To enable forwarding the logs from VMware Log Intelligence to the on-premises vRealize Log Insight instances, you must deploy a Cloud Proxy in each on-premises region.
vRealize Operations Manager Design for the SDDC Infrastructure on VMware Cloud on AWS
vRealize Operations Manager is the monitoring component of the on-premises SDDC infrastructure, and can also be extended across the management VPN to monitor the SDDC infrastructure on VMware Cloud on AWS. Because VMware Cloud on AWS is hosted and managed by VMware, not all metrics, events, and alerts are made available.
To configure monitoring of your SDDC on VMware Cloud on AWS by using vRealize Operations Manager, you connect to the vCenter Server instance on the VMware Cloud on AWS SDDC by using an adapter instance. The new adapter instance uses the existing default remote collector group in vRealize Operations Manager.
Figure 3-6. Logical Design for Extending Operations Management to VMware Cloud on AWS

[Figure: the vRealize Operations Manager analytics cluster (master, replica and data nodes on shared storage) runs in Region A behind an external load balancer, with user interface and API access, metric adapters for vCenter Server, NSX, vRealize Log Insight, vRealize Automation and vRealize Business, management packs and the Suite API, and integration with vRealize Log Insight and vRealize Automation. Region A and Region B each run a remote collector group (Remote Collector 1 and 2) with metric adapters for vCenter Server, NSX and vRealize Log Insight, management packs and the Suite API; Site Recovery Manager appears as an additional solution in both regions. Region C contributes a vCenter Server integration only, and storage in each on-premises region is vSAN on local storage devices.]
Figure 3-7. Network Design for Extending Operations Management to VMware Cloud on AWS

[Figure: in Region A, the analytics cluster nodes vrops01svr01a, vrops01svr01b and vrops01svr01c sit on Mgmt-xRegion01-VXLAN behind the load balancer sfo01m01lb01 with the VIP vrops01svr01.rainpole.local; Region B holds a placeholder disaster recovery analytics cluster with the same node names behind lax01m01lb01. Region C, the SDDC on VMware Cloud on AWS with the VMware Cloud vCenter Server, its ESXi hosts and the infrastructure subnet, is reached over the external connection.]
Table 3-15. Design Decisions on Monitoring Configuration

SDDC-VMC-OPS-001
Design Decision: Add an adapter instance for the vCenter Server instance on the VMware Cloud on AWS SDDC.
Design Justification: For each monitored vCenter Server instance, you create an adapter instance for collection of analytics data.
Design Implication: None.

SDDC-VMC-OPS-002
Design Decision: Use the default remote collector group when adding the adapter instance for the vCenter Server instance on the VMware Cloud on AWS SDDC.
Design Justification: The region-specific collectors are not failed over if a disaster recovery occurs. By using the default collector group, the analytics cluster collects metrics for this adapter instance. Because the analytics cluster is failed over if a disaster recovery event occurs, the connection to the vCenter Server instance on the VMware Cloud on AWS SDDC remains open.
Design Implication: Small additional load on the analytics cluster.
vRealize Log Insight and Log Intelligence Design for the SDDC Infrastructure on VMware Cloud on AWS
vRealize Log Insight is the logging management component that exists in the on-premises SDDC infrastructure. VMware Log Intelligence™ is the service that you can use to collect selected logs from your SDDC on VMware Cloud on AWS. To enable forwarding the logs from VMware Log Intelligence to the on-premises vRealize Log Insight instances, you must deploy a Cloud Proxy in each on-premises region.
When you forward logs to another location, tag them with a site code so that the origin of each log remains traceable. The tag also lets you create forwarding filters that prevent duplicate or circular logging.
Provide the compute and storage resources for the operation of the Cloud Proxy appliance.
Table 3-16. Resource Specification of the Cloud Proxy Appliance

Attribute | Specification
Number of CPUs | 4 vCPUs
Memory | 12 GB
Disk size | 1.4 GB thin provisioned; 80 GB thick provisioned
Table 3-17. Design Decisions on Logging Configuration

SDDC-VMC-LOG-001
Design Decision: Enable the VMware Log Intelligence service for your SDDC on VMware Cloud on AWS.
Design Justification: Log collection from VMware Cloud on AWS is not possible without VMware Log Intelligence.
Design Implication: None.

SDDC-VMC-LOG-002
Design Decision: Deploy a Cloud Proxy appliance in each on-premises management cluster.
Design Justification: A Cloud Proxy is required to forward logs from Log Intelligence to the on-premises SDDC.
Design Implication: You must allocate additional resources to run the Cloud Proxy appliance.

SDDC-VMC-LOG-003
Design Decision: Tag the logs from the VMware Cloud on AWS SDDC with site=VMC.
Design Justification: Tagging logs allows for site identification and log filtering.
Design Implication: None.

SDDC-VMC-LOG-004
Design Decision: Filter the vRealize Log Insight forwarding rules to exclude site=VMC.
Design Justification: Each region must receive its own copy of the logs from the VMware Cloud on AWS SDDC by using a region-specific Cloud Proxy appliance. If a disaster occurs, logs are still forwarded to the running part of the on-premises SDDC.
Design Implication: Duplication of logs exists in each vRealize Log Insight instance.
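Why SDDC-VMC-LOG-003 and SDDC-VMC-LOG-004 belong together is easiest to see on a handful of events. The following Python simulation is an added example, not part of the original design guide or of vRealize Log Insight. Each region ingests its own events tagged with its site code and the VMware Cloud on AWS events delivered through its own Cloud Proxy tagged site=VMC; the cross-region forwarding rule between the two vRealize Log Insight instances is then applied with and without the site=VMC exclusion. The log lines are constructed for the example, and the site codes SFO and LAX for the on-premises regions are assumptions taken from the group names used elsewhere on the page.

```python
"""Site tagging and forwarding filters for cross-region log replication
(added example, not VMware code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEvent:
    text: str
    tags: tuple  # pairs such as (("site", "VMC"),)

    def tag(self, key):
        return dict(self.tags).get(key)


def ingest(region_site, local_lines, vmc_lines):
    """Events as they land in one region's vRealize Log Insight: the region's own
    sources carry its site code, the lines arriving from VMware Log Intelligence
    through that region's Cloud Proxy carry site=VMC (SDDC-VMC-LOG-003)."""
    store = [LogEvent(line, (("site", region_site),)) for line in local_lines]
    store += [LogEvent(line, (("site", "VMC"),)) for line in vmc_lines]
    return store


def forward(store, exclude):
    """Forwarding rule: ship every event except those whose tags match an
    exclusion, e.g. {"site": "VMC"} for SDDC-VMC-LOG-004."""
    return [e for e in store if not any(e.tag(k) == v for k, v in exclude.items())]


def replicate(region_a, region_b, exclude):
    """One round of cross-region forwarding in both directions."""
    return (region_a + forward(region_b, exclude),
            region_b + forward(region_a, exclude))


def count_site(store, site):
    return sum(1 for e in store if e.tag("site") == site)


# Constructed sample lines, not real product output.
VMC_LINES = ["vcenter vpxd: user logged in",
             "esx-01 hostd: VM workload01 powered on"]
SFO_LINES = ["sfo01m01esx01 vmkernel: vMotion complete"]
LAX_LINES = ["lax01m01esx01 vmkernel: vMotion complete"]


def demo(exclude=None):
    """VMC-tagged event count per region after one replication round. With the
    site=VMC exclusion each region keeps exactly the copy its own Cloud Proxy
    delivered; without it every region holds every VMC event twice."""
    if exclude is None:
        exclude = {"site": "VMC"}
    region_a = ingest("SFO", SFO_LINES, VMC_LINES)
    region_b = ingest("LAX", LAX_LINES, VMC_LINES)
    a_final, b_final = replicate(region_a, region_b, exclude)
    return {"SFO": count_site(a_final, "VMC"), "LAX": count_site(b_final, "VMC")}


if __name__ == "__main__":
    print("with site=VMC excluded:", demo())
    print("without the filter:", demo({}))
```

The filter does not reduce the duplication the implication row mentions: each region still stores its own copy of the VMC logs, which is the point of using a region-specific Cloud Proxy. It only stops the second copy that cross-region forwarding would otherwise add.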
Figure 3-8. Log Forwarding Design

[Figure: VMware Log Intelligence, running in VMware Cloud Services, collects logs from the SDDC on VMware Cloud on AWS in Region C (VMware Cloud vCenter Server, its ESXi hosts and the 10.2.0.0/16 infrastructure subnet). It forwards them over the external connection to a VMware Cloud Proxy in the management cluster of Region A and of Region B, and each Cloud Proxy forwards to the vRealize Log Insight instance in its own region.]
Cloud Management Design for Extending the SDDC to VMware Cloud on AWS
vRealize Automation is the management component in the on-premises SDDC infrastructure for deploying blueprints and applications. You can use your on-premises vRealize Automation deployment with your SDDC on VMware Cloud on AWS.
You can configure the SDDC on VMware Cloud on AWS as a deployment endpoint for vRealize Automation, so that all deployment actions take place over the management VPN. The configuration includes creating an infrastructure endpoint and a fabric group with the following details:
Table 3-18. Design Decisions on vRealize Automation Endpoints

SDDC-VMC-CMP-001
Design Decision: Create a vSphere endpoint to the SDDC on VMware Cloud on AWS.
Design Justification: vSphere endpoints and vCenter Server instances in each region have a one-to-one relationship. You use an endpoint for each region.
Design Implication: As you add more SDDCs on VMware Cloud on AWS as regions, you must add more vSphere endpoints.
Table 3-19. Configuration of the Infrastructure Endpoint for VMware Cloud on AWS

Setting | Value
vCenter Server URL | https://vcenter.sddc-xxx-xxx-xxx-xxx.vmwarevmc.com/sdk
Resource Pool | Compute-ResourcePool
Datastore | WorkloadDatastore
VM & Template Folder | Workloads
Network | Any isolated or routed network segment