What's New in VMware Validated Design for SDDC 4.0?

Ryan Johnson
September 09, 2017


This presentation provides an overview of what's new in the 4.0 release of the VMware Validated Design for Software-Defined Data Center. Recording at https://youtu.be/U01POpwnzlo


Transcript

  1. VMware Validated Design for Software-Defined Data Center: What's New in 4.0?
     GA: 02 March 2017
  2. What's New in 4.0?
     © 2017 VMware Inc. All rights reserved.
     § Bill of Materials
     § Design Updates
     § Getting Started
  3. The Bill of Materials
  4. Bill of Materials – Update Wave
     § vSphere 6.5
     § vSAN 6.5
     § NSX 6.3
     § Site Recovery Manager 6.5
     § vRealize Operations 6.4 and Management Packs
     § vRealize Log Insight 4.0 and Content Packs
     § vRealize Automation 7.2
     § vRealize Business 7.2 for Cloud
     For a complete list refer to the release notes.
  5. The Documentation
  6. Documentation
     § Now available online and in PDF: vmware.com/go/vvd-sddc
  7. The Design Updates
  8. Physical / Virtualization Layer – Nodes
     § Minimum memory per node raised to 192 GB (from 128 GB): accounts for growth of the management stack components.
     § Minimum SD card size per node raised to 16 GB (from 8 GB): accommodates the /scratch partition when ESXi is installed on the SD card. Note that when ESXi boots from an SD card its logs are not retained locally (see SDDC-VI-ESXi-001), which is why the hosts must ship logs to vRealize Log Insight.
  9. Virtualization Layer – Platform Services Controllers
     § Load-balanced Platform Services Controllers behind an NSX Edge Services Gateway.
  10. Virtualization Layer – vSphere Availability
     Simplified admission control configuration workflow (vSphere 6.5): select the number of host failures to tolerate and vSphere does the rest:
     § Based on a percentage of cluster resources
     § Automatic calculations
     § Overrides possible
     vSphere now issues a warning if performance degradation could result. Previously, vSphere HA would restart VMs but could cause a performance impact without prior warning.
     vSphere 6.5 cluster settings (Admission Control):
       Host Failures Cluster Tolerates         1
       Define Failover Capacity By             Cluster Resource Percentage
       VM Resource Reduction Event Threshold   0%
  11. Virtualization Layer – vSphere Availability
     Cluster > Configure > vSphere Availability > Edit
     § Set vSphere High Availability admission control for the management cluster to 1 host failure.
     § The reserved percentage is calculated automatically from the host failures to tolerate and the number of hosts in the cluster.
  12. Virtualization Layer – Shared Edge and Compute
     Host and Clusters > Shared Edge and Compute Cluster > SDDC-EdgeRP01
     § Resource pool memory reservation for the shared edge and compute cluster increased to 16 GB (from 15 GB).
     § CPU shares remain High; memory shares remain Normal (the 16 GB is a reservation, not a share value; see SDDC-VIVC-021).
     § Supports the NSX components: NSX Edges for north/south routing and NSX Controllers for the NSX control plane.
  13. Virtualization Layer – Compute-Only Clusters
     § Design for workload requirements.
     § Additional compute clusters may span racks (restriction removed in 4.0).
  14. Virtualization Layer – vSphere Certificates
     § Transition to SHA-2 (or higher) certificates.
     § This VMware Validated Design comes with the SSL certificate generator CertGenVVD. Use this tool to generate certificate signing requests (CSRs), OpenSSL CA-signed certificates, and Microsoft CA-signed certificates for all VMware products involved in the VMware Validated Design. Using the CertGenVVD tool saves time when creating signed certificates. See VMware Knowledge Base article 2146215 (kb.vmware.com/kb/2146215).
     § If the CertGenVVD tool is not an option for your environment, the design includes a validated procedure to create and replace your certificates.
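A check that belongs in the certificate-replacement procedure: confirm that every certificate in the chain you are about to install (and the old ones you are replacing) was signed with SHA-2 or better. The following Python is an added example and is not part of the VMware Validated Design or of the CertGenVVD tool. It reads the outer signatureAlgorithm of a DER or PEM certificate with a small ASN.1 walker, so it runs offline without third-party modules. The two test certificates it builds are constructed, unsigned stand-ins that exist only to exercise the parser; the OID table covers the RFC 3279/4055/5758 algorithms a practitioner meets in vSphere deployments.

```python
import base64
import re

# Signature-algorithm OIDs found in a certificate's outer signatureAlgorithm
# field (RFC 3279, RFC 4055, RFC 5758): name and whether it is SHA-2 or better.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", False),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", True),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", True),
    "1.2.840.10045.4.3.4":   ("ecdsa-with-SHA512", True),
}

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem_text):
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))

def signature_algorithm(der):
    """Dotted OID of the algorithm the *issuer* used to sign this certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)         # tbsCertificate: skipped
    tag, alg_id, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)

def check_sha2(der):
    """(accepted, algorithm name) for decision SDDC-VIVC-032: SHA-2 or higher.
    An OID not in the table is rejected rather than assumed safe."""
    oid = signature_algorithm(der)
    name, ok = SIG_ALG_OIDS.get(oid, (oid, False))
    return ok, name

# --- constructed test input: structurally valid, unsigned, minimal certificate ---
def _tlv(tag, value):
    assert len(value) < 128                  # short-form length is enough here
    return bytes([tag, len(value)]) + value

def make_test_cert(sig_oid_bytes):
    """Constructed minimal Certificate DER, for exercising the parser only."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                          # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, sig_oid_bytes) + _tlv(0x05, b""))  # AlgorithmIdentifier + NULL
    sig = _tlv(0x03, b"\x00" + b"\x00" * 8)                        # placeholder BIT STRING
    return _tlv(0x30, tbs + alg + sig)

SHA1_RSA_OID   = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"   # 1.2.840.113549.1.1.5
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    for label, oid in (("old", SHA1_RSA_OID), ("new", SHA256_RSA_OID)):
        print(label, check_sha2(make_test_cert(oid)))
```

Run it over the leaf, the intermediate and the root: a certificate's signatureAlgorithm describes how its issuer signed it, so a SHA-256 leaf under a SHA-1-signed intermediate still fails the decision. The script checks the algorithm identifier only; it does not verify the signature itself.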
  15. Virtualization Layer – vMotion TCP/IP Stack
     Host > Configure > Networking
     § Addition of the vMotion TCP/IP stack for vMotion traffic.
     § Uses the vMotion TCP/IP stack to isolate traffic and to assign a dedicated default gateway.
  16. Virtualization Layer – vSphere Availability
     § Enforce VM-to-VM dependency chains.
     § Great for multi-tier applications that require VMs to restart in a particular order.
     § Improved application recoverability for vRealize Automation, vRealize Operations, or the entire SDDC stack.
     § Validation checks detect circular dependency rules, both within and outside a priority group.
  17. Virtualization Layer – vSphere Availability
     (Diagram: example start-up ordering of VM1 through VM9 in dependency order.)
  18. Virtualization Layer – vSphere Availability
     § Use virtual machine groups and rules to control start-up order (new in vSphere 6.5).
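To see what the validation check on slide 16 protects against, and how the rules translate into a start-up sequence, the following Python is an added example; it is not from the VVD documentation or from vSphere itself. It takes VM groups and "start group A before group B" rules, rejects circular rules with the offending loop named, and computes the waves in which VMs may power on. The group and VM names are assumptions modelled on the distributed vRealize Automation tiers of slide 29.

```python
from collections import defaultdict

class CircularDependency(ValueError):
    """Raised when start-up rules form a loop (the case the validation check rejects)."""

def find_cycle(groups, rules):
    """Depth-first search for one cycle in the 'before -> after' rule graph.
    Returns the cycle as a list of group names (first == last) or None."""
    succ = defaultdict(list)
    for before, after in rules:
        succ[before].append(after)
    WHITE, GREY, BLACK = 0, 1, 2            # unvisited / on current path / finished
    colour = defaultdict(int)
    path = []

    def visit(g):
        colour[g] = GREY
        path.append(g)
        for h in succ[g]:
            if colour[h] == GREY:           # back edge: h is already on the path
                return path[path.index(h):] + [h]
            if colour[h] == WHITE:
                found = visit(h)
                if found:
                    return found
        path.pop()
        colour[g] = BLACK
        return None

    for g in sorted(groups):
        if colour[g] == WHITE:
            found = visit(g)
            if found:
                return found
    return None

def startup_waves(groups, rules):
    """Kahn's algorithm over VM groups. Each wave lists the VMs that may be
    powered on in parallel once every earlier wave has completed."""
    for before, after in rules:
        for g in (before, after):
            if g not in groups:
                raise KeyError(f"rule references undefined VM group {g!r}")
    cycle = find_cycle(groups, rules)
    if cycle:
        raise CircularDependency(" -> ".join(cycle))
    indeg = {g: 0 for g in groups}
    succ = defaultdict(list)
    for before, after in rules:
        succ[before].append(after)
        indeg[after] += 1
    ready = sorted(g for g in groups if indeg[g] == 0)
    waves = []
    while ready:
        waves.append(sorted(vm for g in ready for vm in groups[g]))
        next_ready = []
        for g in ready:
            for h in succ[g]:
                indeg[h] -= 1
                if indeg[h] == 0:
                    next_ready.append(h)
        ready = sorted(next_ready)
    return waves

# Constructed example: a distributed vRealize Automation deployment. The VM
# names (suffix a/b) and group names are assumptions; the tiers follow slide 29.
VRA_GROUPS = {
    "vra-appliances": ["vra01svr01a", "vra01svr01b"],
    "vra-iaas-web":   ["vra01iws01a", "vra01iws01b"],
    "vra-iaas-mgr":   ["vra01ims01a", "vra01ims01b"],
    "vra-dem":        ["vra01dem01a", "vra01dem01b"],
    "vro":            ["vra01vro01a", "vra01vro01b"],
}
VRA_RULES = [                      # (start this group first, then this one)
    ("vra-appliances", "vra-iaas-web"),
    ("vra-iaas-web", "vra-iaas-mgr"),
    ("vra-iaas-mgr", "vra-dem"),
    ("vra-appliances", "vro"),
]

if __name__ == "__main__":
    for i, wave in enumerate(startup_waves(VRA_GROUPS, VRA_RULES), 1):
        print(f"wave {i}: {', '.join(wave)}")
    try:
        startup_waves(VRA_GROUPS, VRA_RULES + [("vra-dem", "vra-appliances")])
    except CircularDependency as e:
        print("rejected:", e)
```

A rule added later that points from a late tier back to an early one (vra-dem before vra-appliances in the example) produces the rejection rather than a start-up order that can never be satisfied.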
  19. Virtualization Layer – vSphere Host Profiles
     § vSphere Host Profiles are now configured for the management clusters.
     § Use in the shared edge and compute cluster or additional compute clusters is optional.
  20. Virtualization Layer – vSphere Distributed Switch
     § The vSphere Distributed Switch Health Check is now enabled on all vSphere Distributed Switches.
       § Ensures all VLANs are trunked to all hosts attached to the vSphere Distributed Switch.
       § Ensures MTU sizes match the physical network.
     § All vSphere Distributed Switches are version 6.5.0: the management vDS, the shared edge and compute vDS, and the additional compute vDS(s).
  21. Virtualization Layer – NSX Transport Zones
     § Added a global transport zone across all compute clusters.
     SDDC-VI-SDN-012
       Design decision: For the compute stack, use a universal transport zone that encompasses all shared edge and compute, and compute clusters from all regions for workloads that require mobility between regions.
       Justification: A universal transport zone supports extending networks and security policies across regions. This allows seamless migration of applications across regions either by cross-vCenter vMotion or by failover recovery with Site Recovery Manager.
       Implication: vRealize Automation is not able to deploy on-demand network objects against a secondary NSX Manager. You must consider that you can pair up to eight NSX Manager instances. If the solution grows past eight NSX Manager instances, you must deploy a new primary manager and new transport zone.
     SDDC-VI-SDN-013
       Design decision: For the compute stack, use a global transport zone in each region that encompasses all shared edge and compute, and compute clusters for use with vRealize Automation on-demand network provisioning.
       Justification: NSX Managers with a role of Secondary cannot deploy universal objects. To allow all regions to deploy on-demand network objects, a global transport zone is required.
       Implication: Shared edge and compute, and compute pods have two transport zones.
     The addition of the global transport zone in each region for edge/compute and additional compute resolves the conflict.
  22. Virtualization Layer – NSX Distributed Logical Router
     § Added a Distributed Logical Router (DLR) for the shared edge and compute, and compute clusters.
       § Used by on-demand NSX services requested through vRealize Automation.
       § Reduces the hop count to 1 between nodes attached to it.
       § Reduces latency and improves performance.
  23. Virtualization Layer – NSX ESX Backup Routes
     § Added static routes to the ECMP edges for use in the event of a UDLR or DLR control VM failover.
       § Uses a higher admin cost than the dynamically learned routes, so the static routes only take effect when the dynamic routes disappear.
       § Keeps the subnets behind the UDLR or DLR reachable while the routing adjacency is lost during a control VM failover.
     Example: (route table figure not reproduced in the transcript)
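How the higher admin cost makes the static routes a pure backup, and why the implication about new subnets matters, as an added example in Python (not VMware's code; the administrative-distance values, prefixes and transit address are assumptions). It is a small RIB model that picks the longest prefix and then the lowest admin distance, so the static route is ignored while the dynamic route exists and takes over the instant the dynamic route is withdrawn; a subnet added behind the DLR without a matching static route is reported as unprotected.

```python
import ipaddress

# Administrative distances are assumptions for this illustration: the value for
# dynamically learned routes is lower (preferred); the static backups are
# deliberately given a higher (worse) value, as decision SDDC-VI-SDN-025 requires.
AD_DYNAMIC = 110
AD_STATIC_BACKUP = 210

class EdgeRoutingTable:
    """Minimal model of an ECMP edge's RIB: longest prefix wins, then lowest AD."""

    def __init__(self):
        self._routes = []   # (network, next_hop, admin_distance, source)

    def add(self, prefix, next_hop, admin_distance, source):
        self._routes.append((ipaddress.ip_network(prefix), next_hop, admin_distance, source))

    def withdraw(self, source):
        """Remove every route learned from `source`; this is what happens to the
        dynamic routes when the adjacency to the DLR control VM is lost."""
        self._routes = [r for r in self._routes if r[3] != source]

    def lookup(self, ip):
        """Return (next_hop, source) for the best route to ip, or None."""
        addr = ipaddress.ip_address(ip)
        matching = [r for r in self._routes if addr in r[0]]
        if not matching:
            return None
        longest = max(r[0].prefixlen for r in matching)
        best = min((r for r in matching if r[0].prefixlen == longest), key=lambda r: r[2])
        return best[1], best[3]

# Constructed scenario (prefixes and addresses are assumptions): two workload
# subnets behind a DLR, learned dynamically; only the first has a static backup.
DLR_TRANSIT_IP = "172.27.0.2"

def build_ecmp_edge():
    rib = EdgeRoutingTable()
    rib.add("10.10.0.0/24", DLR_TRANSIT_IP, AD_DYNAMIC, "dynamic")
    rib.add("10.10.1.0/24", DLR_TRANSIT_IP, AD_DYNAMIC, "dynamic")
    rib.add("10.10.0.0/24", DLR_TRANSIT_IP, AD_STATIC_BACKUP, "static")
    return rib

def missing_backups(rib):
    """Prefixes known only dynamically: these black-hole during a control VM
    failover, which is the implication of SDDC-VI-SDN-025 (update the statics
    whenever a subnet is added behind the UDLR or DLR)."""
    dynamic = {r[0] for r in rib._routes if r[3] == "dynamic"}
    static = {r[0] for r in rib._routes if r[3] == "static"}
    return sorted(str(n) for n in dynamic - static)

if __name__ == "__main__":
    rib = build_ecmp_edge()
    print("steady state  :", rib.lookup("10.10.0.5"), rib.lookup("10.10.1.5"))
    print("no backup for :", missing_backups(rib))
    rib.withdraw("dynamic")            # control VM fails over, adjacency drops
    print("after failover:", rib.lookup("10.10.0.5"), rib.lookup("10.10.1.5"))
```

The `missing_backups` check is the one to script against the real edges after every on-demand network is provisioned, since vRealize Automation adds subnets behind the DLR without touching the edges' static routes.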
  24. Virtualization Layer – NSX DFW Use in Management
     § Previously supplemental documentation in 3.0.2; now included in 4.0.
     § Increases the security level by ensuring only the network traffic required for the SDDC is allowed.
     § Define explicit rules for the distributed firewall which allow access to and between management applications.
     § Four-step process:
       1. Add the vCenter Server instances to the NSX distributed firewall exclusion list.
       2. Create NSX IP sets for all components of the management clusters.
       3. Create NSX security groups.
       4. Create NSX distributed firewall rules.
     Example NSX distributed firewall rules, created from IP sets and security groups: (rule table not reproduced in the transcript)
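An offline model of the four steps above, as an added Python example that is not part of the design or of NSX: IP sets and security groups resolve to networks, rules are evaluated first-match top to bottom, VMs on the exclusion list bypass the firewall, and a lint pass catches what a reviewer would reject before publishing the rule set: references to undefined objects, an unrestricted allow, and a missing final block rule (the DFW's own default rule allows traffic that nothing else matches). The addresses, VM names and the vRA-to-vRO flow in the sample policy are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # IP set or security group name, or "any"
    destination: str
    service: str       # e.g. "TCP/8281", or "any"
    action: str        # "allow" or "block"

class ManagementDfwPolicy:
    """Offline model of the four-step build: exclusion list, IP sets,
    security groups, rules. Evaluates first match, top to bottom."""

    def __init__(self):
        self.exclusion_list = set()     # VM names the DFW never filters
        self.ip_sets = {}               # name -> [ip_network]
        self.security_groups = {}       # name -> [IP set names]
        self.rules = []

    def exclude_vm(self, vm_name):
        self.exclusion_list.add(vm_name)

    def add_ip_set(self, name, cidrs):
        self.ip_sets[name] = [ipaddress.ip_network(c) for c in cidrs]

    def add_security_group(self, name, ip_set_names):
        self.security_groups[name] = list(ip_set_names)

    def add_rule(self, rule):
        self.rules.append(rule)

    def _networks(self, obj):
        if obj in self.ip_sets:
            return self.ip_sets[obj]
        if obj in self.security_groups:
            return [n for s in self.security_groups[obj] for n in self.ip_sets[s]]
        raise KeyError(f"undefined IP set / security group {obj!r}")

    def _matches(self, obj, addr):
        return obj == "any" or any(addr in n for n in self._networks(obj))

    def decide(self, src_vm, src_ip, dst_vm, dst_ip, service):
        # Step 1: excluded VMs (the vCenter Servers) bypass the DFW entirely, so a
        # bad rule can never lock administrators out of vCenter.
        if src_vm in self.exclusion_list or dst_vm in self.exclusion_list:
            return "excluded"
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in self.rules:
            if (self._matches(r.source, src) and self._matches(r.destination, dst)
                    and r.service in ("any", service)):
                return r.action
        return "allow"   # the built-in DFW default rule allows if nothing matched

    def lint(self):
        """Findings a reviewer would raise before publishing the rule set."""
        findings = []
        for g, members in self.security_groups.items():
            for s in members:
                if s not in self.ip_sets:
                    findings.append(f"security group {g} references undefined IP set {s}")
        for r in self.rules:
            for side in (r.source, r.destination):
                if side != "any" and side not in self.ip_sets and side not in self.security_groups:
                    findings.append(f"rule {r.name} references undefined object {side}")
            if r.action == "allow" and (r.source, r.destination, r.service) == ("any", "any", "any"):
                findings.append(f"rule {r.name} allows everything")
        last = self.rules[-1] if self.rules else None
        if not (last and last.action == "block"
                and (last.source, last.destination, last.service) == ("any", "any", "any")):
            findings.append("no final block-any rule: unmatched traffic falls through to the default allow")
        return findings

def build_example_policy(with_default_block=True):
    """Constructed example; the addresses, VM names and the vRA->vRO flow are assumptions."""
    p = ManagementDfwPolicy()
    p.exclude_vm("mgmt01vc01")                                                  # step 1
    p.add_ip_set("vra-appliances", ["192.168.11.51/32", "192.168.11.52/32"])   # step 2
    p.add_ip_set("vro-appliances", ["192.168.11.63/32", "192.168.11.64/32"])
    p.add_security_group("sg-vra", ["vra-appliances"])                          # step 3
    p.add_security_group("sg-vro", ["vro-appliances"])
    p.add_rule(Rule("vra-to-vro", "sg-vra", "sg-vro", "TCP/8281", "allow"))    # step 4
    p.add_rule(Rule("vro-to-vra", "sg-vro", "sg-vra", "TCP/443", "allow"))
    if with_default_block:
        p.add_rule(Rule("default-block", "any", "any", "any", "block"))
    return p

if __name__ == "__main__":
    p = build_example_policy()
    print(p.lint())
    print(p.decide("vra01svr01a", "192.168.11.51", "vra01vro01a", "192.168.11.63", "TCP/8281"))
    print(p.decide("vra01svr01a", "192.168.11.51", "vra01vro01a", "192.168.11.63", "TCP/22"))
    print(build_example_policy(with_default_block=False).lint())
```

The same policy without its final block rule still "works" (every flow succeeds) and passes the allowed-flow tests, which is exactly why the lint check for the trailing block-any rule is the one that matters; without it the explicit allows document intent but enforce nothing.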
  25. Virtualization Layer – Datastore Free Space
     § Ensure that at least 30% free space is always available on vSAN datastores. When vSAN reaches 80% usage, a rebalance task starts, which can be resource intensive.
     § Ensure that at least 20% free space is always available on non-vSAN datastores. If the datastore runs out of free space, services including the NSX Edge core network services fail. To prevent this, maintain adequate free space.
  26. Virtualization Layer – VM Swap as Sparse Object on vSAN
     § Configure the virtual machine swap file as a sparse object on vSAN.
     § This feature can provide a considerable saving in capacity consumed.
     Set via SSH on each host with esxcfg-advcfg, or via Host and Clusters > [Host] > Configure > Advanced Settings > Edit:

       [root@mgmt01esx01.sfo01.rainpole.local:~] esxcfg-advcfg -s 1 /VSAN/SwapThickProvisionDisabled
       Value of SwapThickProvisionDisabled is 1

     Perform or script the task across all hosts in the management cluster (optional on the shared edge and compute cluster as well as additional compute clusters).
  27. Virtualization Layer – VM Swap as Sparse Object on vSAN
     Swap space consumed on the vSAN datastore: before, 84.09 GB (4%); after, 88.00 MB (~0%).
  28. Cloud Management Layer – vRealize Automation
     § Deprecated the prescriptive configuration for vRealize Automation. Guidance is provided in the IT Automating IT use case, which provides implementation steps for a set of scenarios and procedures for commonly executed tasks.
     § Now includes chapters on:
       § Integrating vRealize Automation with Infoblox IPAM
       § Creating multi-tier application patterns
       § NSX micro-segmentation for multi-tier applications
  29. Cloud Management Layer – vRealize Automation
     (Diagram: distributed vRealize Automation components, each deployed in pairs: appliances with core services, vPostgres (active/passive) and vIDM; IaaS Web services; IaaS Manager services; Distributed Execution Managers; Orchestration services.)
  30. Cloud Management Layer – vRealize Automation
     (Diagram: user traffic and network traffic flows to the vRealize Automation components and Orchestration services.)
  31. Cloud Management Layer – vRealize Automation
     § NSX Edge load balancing algorithm changed to round-robin (previously IP hash).
     § Two application profiles:
       § Persistent (source IP, 1800-second expiration) for the vRA appliances and the vRA IaaS Web servers.
       § Non-persistent for the vRA IaaS Manager and vRO appliances.
     Load balancer pools:
       Pool ID           DNS CNAME                   VIP             Algorithm    Session persistence            Health monitor
       vra-svr-443       vra01svr01.rainpole.local   192.168.11.53   Round-robin  Source IP, 1800 s expiration   /vcac/services/api/health = 204
       vra-svr-8443      vra01svr01.rainpole.local   192.168.11.53   Round-robin  Source IP, 1800 s expiration   /vcac/services/api/health = 204
       vra-iaas-web-443  vra01iws01.rainpole.local   192.168.11.56   Round-robin  Source IP, 1800 s expiration   /wapi/api/status/web = REGISTERED
       vra-iaas-mgr-443  vra01ims01.rainpole.local   192.168.11.59   Round-robin  None                           /VMPSProvision = ProvisionService
       vra-vro-8281      vra01vro01.rainpole.local   192.168.11.65   Round-robin  None                           /wapi/api/status/web = REGISTERED
  32. Cloud Management Layer – vRealize Business
     § Increased the memory for each vRealize Business for Cloud appliance to 8 GB (from 4 GB). The default appliance size supports up to 10,000 VMs.
     § Set the memory for each vRealize Business for Cloud remote collector to 2 GB (set via resize). Remote collectors do not run the server service and can run on 2 GB of RAM.
  33. Cloud Management Layer – vRealize Orchestrator
     § Increased the memory for each vRealize Orchestrator appliance to 6 GB (from 4 GB). The vRealize Orchestrator appliances require these resources to enable connectivity to vRealize Automation via the vRealize Orchestrator plug-in.
  34. Cloud Operations Layer – vRealize Operations
     § Nodes for vRealize Operations reduced to 3 medium nodes: master, replica, and a single data node.
     § Supports up to 1000 VMs, with sizing guidance as workloads increase.
     (Diagram: vRealize Operations analytics cluster (master, replica, data) in Region A, and a remote collector cluster in each of Region A and Region B collecting from the Management vCenter Server, the Compute vCenter Server, NSX for vSphere, vSAN / storage array and vRealize Log Insight.)
  35. Cloud Operations Layer – vSphere Update Manager
     Now built into the VCSA, plus:
     § Runs on Photon OS.
     § Integrated and enabled by default.
     § Zero install; embedded database.
     § Scalable and low impact on resources.
     § Leverages the appliance backup.
     § No more Windows license.
  36. Cloud Operations Layer – vSphere Update Manager
     (Diagram: vCenter Server with vSphere Update Manager, and a vSphere Update Manager Download Service (UMDS) VM serving the repository over HTTP/S via Nginx or Apache, connected via vDS-MGMT01-Management > VXLAN > Uplink > External.)
     Connect the UMDS virtual machines to the region-specific application virtual network.
     § Provides local storage and access to vSphere Update Manager repository data.
     § Avoids cross-region bandwidth usage for repository access.
     § Provides a consistent deployment model for management applications.
  37. Cloud Operations Layer – vRealize Log Insight
     § Addition of vSphere Distributed Resource Scheduler anti-affinity rules for the vRealize Log Insight cluster.
     § Enabled Launch in Context with vRealize Operations Manager.
     § vCenter Server and PSC instances set as syslog sources for the vRealize Log Insight cluster.
     § Configure vRealize Log Insight to ingest events, tasks, and alarms from the vCenter Server instances.
     § Configure the vRealize Log Insight agents not to update automatically.
     § Configure vRealize Log Insight to forward logs between regions over SSL.
     § Configure the disk cache for event forwarding to 2,000 MB (2 GB).
  38. Cloud Operations Layer – Backup and Recovery
     § Updated the design to use any vSphere APIs for Data Protection (VADP) compatible solution.
       § Protects against data loss, hardware failure, accidental deletion, or other disaster for each region.
       § Provides consistent image-level backups for the SDDC management stack.
       § Adapt and apply the design decisions to the selected backup solution.
     § If used, retain a cross-region replicated backup for a minimum of 1 day.
       § Many VADP-based solutions have the ability to replicate backup job content.
       § Cross-region replication of backup jobs enables disaster recovery in the event of an unsuccessful cross-region failover.
  39. Cloud Operations Layer – Service Accounts
     Configure service accounts for application-to-application communication with least privilege.
     § In the event of a compromised account, the access it grants in the destination application remains restricted.
     § Accountability in tracking request-response interactions between the components of the SDDC.
  40. Planning and Preparation > External Services > Active Directory Users and Groups
  41. Get Started
     § Access the documentation: vmware.com/go/vvd-sddc
     § VMware Validated Design for SDDC 4.0 Professional Services
     § Join the community: vmware.com/go/vvd-community
  42. Additional Resources
       Product Page                     vmware.com/go/vvd
       Download                         vmware.com/go/vvd-sddc
       Poster                           vmware.com/go/vvd-sddc-poster
       Community                        vmware.com/go/vvd-community
       Videos and Demos                 vmware.com/go/vvd-videos
       Certified Partner Architectures  vmware.com/go/vvd-cpa
       Twitter                          @VMwareSDDC
  43. Questions?
  44. Thank You.
  45. Addendum: Bill of Materials and Design Decisions Reference Materials
  46. Bill of Materials
       Product Group and Edition                      Product                                    3.0.2          4.0
       VMware vSphere Enterprise Plus                 ESXi                                       6.0 Update 2   6.5.0a
                                                      vSphere Data Protection                    6.1.2          6.1.3
                                                      Update Manager                             -              6.5.0a
       VMware vCenter Server Standard                 vCenter Server                             6.0 Update 2   6.5.0a
       VMware vSAN Standard or higher                 vSAN                                       6.2            6.5
       VMware NSX Enterprise                          NSX                                        6.2.4          6.3
       VMware vRealize Operations Advanced or higher  vRealize Operations Manager                6.3            6.4
                                                      Management Pack for NSX for vSphere        3.0.2          3.5
                                                      Management Pack for vRealize Log Insight   1.0.1          1.01
                                                      Management Pack for vRealize Automation    2.1            2.1
                                                      Management Pack for Storage Devices        6.0.4          6.0.5
  47. Bill of Materials
       Product Group                                  Product                                        3.0.2   4.0
       VMware vRealize Log Insight                    vRealize Log Insight                           3.6     4.0
                                                      Content Pack for NSX                           3.5     3.5
                                                      Content Pack for vSAN                          2.0     2.0
                                                      Content Pack for vRealize Automation 7         1.0     1.0
                                                      Content Pack for vRealize Orchestrator 7.0.1+  2.0     2.0
                                                      Content Pack for Microsoft SQL Server          -       3.2
       VMware vRealize Automation Advanced or higher  vRealize Automation                            7.1     7.2
                                                      vRealize Orchestrator                          7.1     7.2
                                                      vRealize Orchestrator Plug-in for NSX          1.0.4   1.0.4
       VMware vRealize Business for Cloud Standard    vRealize Business for Cloud                    7.1     7.2
       VMware Site Recovery Manager Enterprise        Site Recovery Manager                          6.1.1   6.5
  48. Physical / Virtualization Layer – Nodes
     § Minimum memory per node raised to 192 GB (from 128 GB).
     § Minimum SD card size per node raised to 16 GB (from 8 GB).
     SDDC-PHY-010
       Design decision: Set up each ESXi host in the management pod to have a minimum of 192 GB RAM.
       Justification: The management and edge VMs in this pod require a total of 424 GB RAM.
       Implication: None.
     SDDC-VI-ESXi-001
       Design decision: Install and configure all ESXi hosts to boot using an SD device of 16 GB or greater.
       Justification: SD cards are an inexpensive and easy-to-configure option for installing ESXi. Using SD cards allows allocation of all local HDDs to a VMware vSAN storage system.
       Implication: When you use SD cards, ESXi logs are not retained locally.
  49. Virtualization Layer – Platform Services Controllers
     § An NSX Edge Services Gateway with HA as a load balancer for the Platform Services Controllers.
     SDDC-VIVC-006
       Design decision: Use an NSX Edge Services Gateway as a load balancer for the Platform Services Controllers.
       Justification: Using a load balancer increases the availability of the PSCs for all applications.
       Implication: Configuring the load balancer and repointing vCenter Server to the load balancer's virtual IP (VIP) creates administrative overhead.
  50. Virtualization Layer – vSphere Availability
     § vSphere High Availability admission control for the management cluster is set to 1 host.
     SDDC-VIVC-015
       Design decision: Configure admission control for 1 host failure and percentage-based failover capacity.
       Justification: Using the percentage-based reservation works well in situations where virtual machines have varying and sometimes significant CPU or memory reservations. vSphere 6.5 automatically calculates the reserved percentage based on host failures to tolerate and the number of hosts in the cluster.
       Implication: In a four-host management cluster only the resources of three hosts are available for use.
  51. Virtualization Layer – Shared Edge and Compute
     § Resource pool memory reservation for the shared edge and compute cluster raised to 16 GB (from 15 GB).
     SDDC-VIVC-021
       Design decision: Create a resource pool for the required SDDC NSX Controllers and edge appliances with a CPU share level of High, a memory share of Normal, and a 16 GB memory reservation.
       Justification: The NSX components control all network traffic in and out of the SDDC as well as update route information for inter-SDDC communication. In a contention situation it is imperative that these virtual machines receive all the resources required.
       Implication: During contention, SDDC NSX components receive more resources than all other workloads, so monitoring and capacity management must be a proactive activity.
  52. Virtualization Layer – vSphere Certificates
     § Transition to SHA-2 (or higher) certificates.
     § By default, vSphere 6.5 uses TLS/SSL certificates that are signed by the VMCA. These certificates are not trusted by end-user devices or browsers. It is a security best practice to replace, at minimum, user-facing certificates with certificates that are signed by a third-party or enterprise certificate authority. This is also known as hybrid mode. Certificates for machine-to-machine communication may remain VMCA-signed.
     SDDC-VIVC-032
       Design decision: Use a SHA-2 or higher algorithm when signing certificates.
       Justification: The SHA-1 algorithm is considered less secure and has been deprecated.
       Implication: Not all certificate authorities support SHA-2.
  53. Virtualization Layer – vMotion TCP/IP Stack
     § Addition of the vMotion TCP/IP stack for vMotion traffic (new in vSphere 6.5). Uses the vMotion TCP/IP stack to isolate traffic and to assign a dedicated default gateway.
     SDDC-VI-Net-018
       Design decision: Use the vMotion TCP/IP stack for vMotion traffic.
       Justification: By leveraging the vMotion TCP/IP stack, vMotion traffic can use a default gateway on its own subnet, allowing vMotion traffic to go over Layer 3 networks.
       Implication: The vMotion TCP/IP stack is not available in the vDS VMkernel creation wizard, so the VMkernel adapter must be created directly on a host.
  54. Virtualization Layer – VM Monitoring and Startup
     § Use virtual machine groups and rules to control start-up order (new in vSphere 6.5).
     SDDC-VI-VC-026
       Design decision: Enable Virtual Machine Monitoring for each cluster.
       Justification: Virtual Machine Monitoring provides adequate in-guest protection for most VM workloads.
       Implication: There is no downside to enabling Virtual Machine Monitoring.
     SDDC-VI-VC-027
       Design decision: Create virtual machine groups for use in start-up rules in the management and shared edge and compute clusters.
       Justification: By creating virtual machine groups, rules can be created to configure the start-up order of the SDDC management components.
       Implication: Creating the groups is a manual task and adds administrative overhead.
     SDDC-VI-VC-028
       Design decision: Create virtual machine rules to specify the start-up order of the SDDC management components.
       Justification: The rules enforce the start-up order of virtual machine groups to ensure the correct start-up order of the SDDC management components.
       Implication: Creating the rules is a manual task and adds administrative overhead.
  55. Virtualization Layer – vSphere Host Profiles
     § vSphere Host Profiles are now configured for the management clusters.
     § Use in the shared edge and compute cluster or additional compute clusters is optional.
     SDDC-VI-VC-016
       Design decision: Create a host profile for the management cluster.
       Justification: Utilizing host profiles simplifies configuration of hosts and ensures settings are uniform across the cluster.
       Implication: Any time an authorized change to a host is made, the host profile must be updated to reflect the change or the status will show non-compliant.
  56. Virtualization Layer – vSphere Distributed Switch
     § The vSphere Distributed Switch Health Check is now enabled on all vSphere Distributed Switches.
     § All are version 6.5.0: management, shared edge and compute, and additional compute.
     SDDC-VI-Net-001
       Design decision: Enable vSphere Distributed Switch Health Check on all virtual distributed switches.
       Justification: vSphere Distributed Switch Health Check ensures all VLANs are trunked to all hosts attached to the vSphere Distributed Switch and ensures MTU sizes match the physical network.
       Implication: You must have a minimum of two physical uplinks to use this feature.
  57. Virtualization Layer – NSX Distributed Logical Router
     § Added a Distributed Logical Router (DLR) for the shared edge and compute, and compute clusters.
     § Used by on-demand NSX services requested through vRealize Automation.
     SDDC-VI-SDN-020
       Design decision: Deploy a DLR for the shared edge and compute and compute clusters to provide east/west routing for workloads that require on-demand network objects from vRealize Automation.
       Justification: Using the DLR reduces the hop count between nodes attached to it to 1. This reduces latency and improves performance.
       Implication: DLRs are limited to 1,000 logical interfaces. When that limit is reached a new DLR must be deployed.
  58. Virtualization Layer – NSX ESX Backup Routes
     § Added static routes to the ECMP edges for use in the event of a UDLR or DLR control VM failover.
     § Keeps the subnets behind the UDLR or DLR reachable while the routing adjacency is lost during a control VM failover.
     SDDC-VI-SDN-025
       Design decision: Create one or more static routes on ECMP-enabled edges for subnets behind the UDLR and DLR with a higher admin cost than the dynamically learned routes.
       Justification: When the UDLR or DLR control VM fails over, router adjacency is lost and routes from upstream devices such as ToRs to subnets behind the UDLR are lost. This requires each ECMP edge device to be configured with static routes to the UDLR or DLR.
       Implication: If any new subnets are added behind the UDLR or DLR, the routes must be updated on the ECMP edges.
     Example: (route table figure not reproduced in the transcript)
  59. Virtualization Layer – Datastore Free Space
     § Ensure that at least 30% free space is always available on vSAN datastores.
     § Ensure that at least 20% free space is always available on non-vSAN datastores.
     SDDC-VI-Storage-002
       Design decision: In the shared edge and compute cluster, ensure that at least 20% free space is always available.
       Justification: If the datastore runs out of free space, services including the NSX Edge core network services fail. To prevent this, maintain adequate free space.
       Implication: Monitoring and capacity management are critical and must be performed proactively.
     SDDC-VI-Storage-SDS-006
       Design decision: On all vSAN datastores, ensure that at least 30% free space is always available.
       Justification: When vSAN reaches 80% usage a rebalance task is started, which can be resource intensive.
       Implication: Increases the amount of available storage needed.
  60. Virtualization Layer – VM Swap as Sparse Object on vSAN
     § Configure the virtual machine swap file as a sparse object on vSAN.
     § This feature can provide a considerable saving in capacity consumed.
     SDDC-VI-Storage-SDS-010
       Design decision: Configure the virtual machine swap file as a sparse object on vSAN.
       Justification: Enabling this setting creates virtual swap files as sparse objects on the vSAN datastore. Sparse virtual swap files only consume capacity on vSAN as they are accessed. The result can be significantly less space consumed on the vSAN datastore, provided virtual machines do not experience memory overcommitment requiring use of the virtual swap file.
       Implication: Administrative overhead to enable the advanced setting on all ESXi hosts running VMware vSAN.
  61. Cloud Management Layer – vRealize Business

    § Increased the memory for each vRealize Business for Cloud Appliance to 8 GB (from 4 GB).
    § Set the memory for each vRealize Business for Cloud Remote Collector to 2 GB (set via resize).

    Decision ID: SDDC-CMP-024
    Design Decision: Use the default vRealize Business for Cloud appliance size (8 GB). For the vRealize Business for Cloud remote collector, use a reduced memory size of 2 GB.
    Design Justification: The default vRealize Business for Cloud appliance size supports up to 10,000 VMs. Remote Collectors do not run the server service and can run on 2 GB of RAM.
    Design Implication: None.

    (Chart: memory per vRBC Appliance and per vRBC Collector)
  62. Cloud Management Layer – vRealize Orchestrator

    § Increased the memory for each vRealize Orchestrator Appliance to 6 GB (from 4 GB).

    Decision ID: SDDC-CMP-VRO-01
    Design Decision: Use external vRealize Orchestrator instances with default sizing: 2 CPUs, 6 GB memory, and 17 GB of hard disk.
    Design Justification: The vRealize Orchestrator appliance requires the appropriate resources to enable connectivity to vRealize Automation via the vRealize Orchestrator Plugin. External appliances are used to ensure isolation between vRealize portal components and customer workflows.
    Design Implication: Resources should not be reduced, as the vRealize Orchestrator Appliance requires them for scalability.

    (Chart: memory per vRO Appliance)
  63. Cloud Operations Layer – vSphere Update Manager

    Decision ID: SDDC-OPS-VUM-001
    Design Decision: Use the vSphere Update Manager service on each vCenter Server Appliance to provide a total of four vSphere Update Manager instances that you configure and use for patch management.
    Design Justification: A one-to-one mapping of vCenter Server to vSphere Update Manager is required. Each Management or Compute vCenter Server instance in each region needs its own vSphere Update Manager.
    Design Implication: All physical design decisions for vCenter Server determine the setup for vSphere Update Manager.

    Decision ID: SDDC-OPS-VUM-002
    Design Decision: Use the embedded PostgreSQL of the vCenter Server Appliance for vSphere Update Manager.
    Design Justification:
      § Reduces both overhead and licensing cost for Microsoft or Oracle.
      § Avoids problems with upgrades.
    Design Implication: The vCenter Server Appliance has limited database management tools for database administrators.

    Decision ID: SDDC-OPS-VUM-003
    Design Decision: Use the network settings of the vCenter Server Appliance for vSphere Update Manager.
    Design Justification: Simplifies network configuration because of the one-to-one mapping between vCenter Server and vSphere Update Manager. You configure the network settings once for both vCenter Server and vSphere Update Manager.
    Design Implication: None.

    Decision ID: SDDC-OPS-VUM-003
    Design Decision: Deploy and configure UMDS virtual machines for each region.
    Design Justification: Limits direct access to the Internet from multiple vSphere Update Manager vCenter Server instances, and reduces storage requirements on each instance.
    Design Implication: None.
  64. Cloud Operations Layer – vSphere Update Manager

    Decision ID: SDDC-OPS-VUM-005
    Design Decision: Connect the UMDS virtual machines to the region-specific application virtual network.
    Design Justification:
      § Provides local storage and access to vSphere Update Manager repository data.
      § Avoids cross-region bandwidth usage for repository access.
      § Provides a consistent deployment model for management applications.
    Design Implication: You must use NSX to support this network configuration.

    Decision ID: SDDC-OPS-VUM-006
    Design Decision: Use the default patch repositories by VMware.
    Design Justification: Simplifies the configuration because you do not configure additional sources.
    Design Implication: None.

    Decision ID: SDDC-OPS-VUM-007
    Design Decision: Set the VM power state to Do Not Power Off.
    Design Justification: Ensures the highest uptime of management components and compute workload virtual machines.
    Design Implication: You must manually intervene if the migration fails.

    Decision ID: SDDC-OPS-VUM-008
    Design Decision: Enable parallel remediation of hosts, assuming that enough resources are available to update multiple hosts at the same time.
    Design Justification: Provides fast remediation of host patches.
    Design Implication: More resources are unavailable at the same time during remediation.
  66. Cloud Operations Layer – vSphere Update Manager

    Decision ID: SDDC-OPS-VUM-009
    Design Decision: Enable migration of powered-off virtual machines and templates.
    Design Justification: Ensures that templates stored on all management hosts are accessible.
    Design Implication: Increases the amount of time to start remediation, because templates must be migrated.

    Decision ID: SDDC-OPS-VUM-010
    Design Decision: Use the default critical and non-critical patch baselines for the management cluster and for the shared edge and compute cluster.
    Design Justification: Simplifies the configuration because you can use the default schedule without customization.
    Design Implication: All patches are added to the baselines as soon as they are released.

    Decision ID: SDDC-OPS-VUM-011
    Design Decision: Use the default schedule of a once-per-day check and patch download.
    Design Justification: Simplifies the configuration because you can use the default schedule without customization.
    Design Implication: None.

    Decision ID: SDDC-OPS-VUM-012
    Design Decision: Remediate hosts, virtual machines, and virtual appliances once a month or per business guidelines.
    Design Justification: Aligns the remediation schedule with the business policies.
    Design Implication: None.
  67. Cloud Operations Layer – vSphere Update Manager

    Decision ID: SDDC-OPS-VUM-013
    Design Decision: Use Image Builder to add NSX for vSphere software packages to the ESXi upgrade image.
    Design Justification:
      § Ensures that the ESXi hosts are ready for software-defined networking immediately after the upgrade.
      § Allows for parallel remediation of ESXi hosts.
      § Avoids additional NSX remediation.
    Design Implication:
      § You must enable the Image Builder service.
      § NSX for vSphere updates might require new ESXi image updates.

    Decision ID: SDDC-OPS-VUM-014
    Design Decision: Configure an HTTP Web server on each UMDS service that the connected vSphere Update Manager servers must use to download the patches from.
    Design Justification: Enables the automatic download of patches on vSphere Update Manager from UMDS. The alternative is to copy media from one place to another manually.
    Design Implication: You must be familiar with a third-party Web server such as Nginx or Apache.
  68. Cloud Operations Layer – vRealize Operations

    § Nodes for vRealize Operations reduced to 3 Medium Nodes: Master, Replica, and a single Data Node.
    § Supports up to 1,000 VMs. Sizing guidance expands up to the number of management nodes minus one.

    Decision ID: SDDC-OPS-MON-004
    Design Decision: Initially deploy 3 medium-size nodes for the first 1,000 virtual machines in the compute pod.
    Design Justification: Provides enough capacity for the metrics and objects generated by 100 hosts and 1,000 virtual machines while having high availability enabled within the analytics cluster.
    Design Implication: The first 3 medium-size nodes take more resources per 1,000 virtual machines because they have to accommodate the requirements for high availability. Nodes that are deployed next can spread this load out more evenly.

    Decision ID: SDDC-OPS-MON-005
    Design Decision: Add more medium-size nodes to the analytics cluster if the SDDC expands past 1,000 virtual machines. The number of nodes should not exceed the number of ESXi hosts in the management pod minus 1. For example, if the management pod contains 6 ESXi hosts, you deploy a maximum of 5 vRealize Operations Manager nodes in the analytics cluster.
    Design Justification: Ensures that the analytics cluster has enough capacity to meet the virtual machine object and metrics growth up to 10,000 virtual machines. Ensures that the management pod always has enough physical capacity to take a host offline for maintenance or other reasons.
    Design Implication: The capacity of the physical ESXi hosts must be large enough to accommodate virtual machines that require 32 GB RAM without bridging NUMA node boundaries. The management pod must have enough ESXi hosts so that vRealize Operations Manager can run without violating vSphere DRS anti-affinity rules.
  69. Cloud Operations Layer – vSphere Update Manager

    § Addition of vSphere Distributed Resource Scheduler anti-affinity rules for the vRealize Log Insight cluster.

    Decision ID: SDDC-OPS-LOG-002
    Design Decision: Apply vSphere Distributed Resource Scheduler (DRS) anti-affinity rules to the vRealize Log Insight cluster components.
    Design Justification: Using DRS prevents vRealize Log Insight nodes from running on the same ESXi host and thereby risking the cluster's high availability capability.
    Design Implication: Additional configuration is required to set up anti-affinity rules. Only a single ESXi host in the management cluster, of the four ESXi hosts, can be put into maintenance mode at a time.

    § Enabled Launch In Context with vRealize Operations Manager.

    Decision ID: SDDC-OPS-LOG-011
    Design Decision: Allow for Launch In Context with vRealize Operations Manager.
    Design Justification: Provides the ability to access vRealize Log Insight for context-based monitoring of an object in vRealize Operations Manager.
    Design Implication: You can register only one vRealize Log Insight cluster with vRealize Operations Manager at a time.
  70. Cloud Operations Layer – vRealize Log Insight

    § vCenter Server and Platform Services Controller instances set as syslog sources for the vRealize Log Insight cluster.

    Decision ID: SDDC-OPS-LOG-019
    Design Decision: Configure vCenter Server Appliances and Platform Services Controller Appliances as syslog sources to send log data directly to vRealize Log Insight.
    Design Justification: Simplifies the design implementation for log sources that are syslog capable.
    Design Implication:
      § You must manually configure syslog sources to forward logs to the vRealize Log Insight VIP.
      § Certain dashboards within vRealize Log Insight require the use of the vRealize Log Insight Agent for proper ingestion.
      § Not all operating system-level events are forwarded to vRealize Log Insight.
  71. Cloud Operations Layer – vRealize Log Insight

    § Configure vRealize Log Insight to ingest events, tasks, and alarms from vCenter Server instances.

    Decision ID: SDDC-OPS-LOG-020
    Design Decision: Configure vRealize Log Insight to ingest events, tasks, and alarms from the Management and Compute vCenter Server instances.
    Design Justification: Ensures that all tasks, events, and alarms generated across all vCenter Server instances in a specific region of the SDDC are captured and analyzed for the administrator.
    Design Implication: You must create a service account on vCenter Server that vRealize Log Insight uses to connect and pull events, tasks, and alarms. Configuring vSphere Integration within vRealize Log Insight does not capture events that occur on the Platform Services Controller.
  72. Cloud Operations Layer – vRealize Log Insight

    § Configure the vRealize Log Insight Agents not to update automatically.

    Decision ID: SDDC-OPS-LOG-021
    Design Decision: Do not configure vRealize Log Insight to automatically update all deployed agents.
    Design Justification: Manually install updated versions of the Log Insight Agents for each of the specified components within the SDDC for precise maintenance.
    Design Implication: You must manually maintain the vRealize Log Insight agents on each of the SDDC components.
  73. Cloud Operations Layer – vRealize Log Insight

    § Configure vRealize Log Insight to forward logs between regions over SSL.
    § Provides increased security of logs transferred between regions.

    Decision ID: SDDC-OP-LOG-025
    Design Decision: Configure log forwarding to use SSL.
    Design Justification: Ensures that the log forwarding operations from one region to the other are secure.
    Design Implication:
      § Event forwarding with SSL does not work with the self-signed certificate that is installed on the destination servers by default. You must set up a custom CA-signed SSL certificate.
      § If additional vRealize Log Insight nodes are added to a region's cluster, the SSL certificate used by the other region's vRealize Log Insight cluster must be injected into that node's Java keystore before SSL can be used.
  74. Cloud Operations Layer – vRealize Log Insight

    § Configure the vRealize Log Insight disk cache to 2 GB.
    § Provides a buffer of approximately 2 hours in the event of a cross-region connectivity outage.

    Decision ID: SDDC-OP-LOG-026
    Design Decision: Configure the disk cache for event forwarding to 2,000 MB (2 GB).
    Design Justification: Ensures that log forwarding between regions has a buffer for approximately 2 hours if a cross-region connectivity outage occurs. The disk cache size is calculated at a base rate of 150 MB per day per syslog source with 105 syslog sources.
    Design Implication:
      § If the event forwarder of vRealize Log Insight is restarted during the cross-region communication outage, messages that reside in the non-persistent cache are cleared.
      § If a cross-region communication outage exceeds 2 hours, the oldest local events are dropped and not forwarded to the remote destination, even after the cross-region connection is restored.
  75. Cloud Operations Layer – Backup and Recovery

    § Updated the design to use any vSphere APIs for Data Protection (VADP) compatible solution.
    § Protects against data loss, hardware failure, accidental deletion, or other disaster for each region.
    § Provides consistent image-level backups for the SDDC Management Stack.
    § Adapt and apply the design decisions to the selected backup solution.

    Decision ID: SDDC-OPS-BKP-001
    Design Decision: Use VADP-compatible backup software, such as vSphere Data Protection, to back up all management components.
    Design Justification: vSphere Data Protection provides the functionality that is required to back up full-image VMs and applications in those VMs, for example, Microsoft SQL Server.
    Design Implication: vSphere Data Protection lacks some features that are available in other backup solutions.
  76. Cloud Operations Layer – Backup and Recovery

    § If used, retain a cross-region replicated backup for a minimum of 1 day.
    § Many VADP-based solutions have the ability to replicate backup job content.
    § Cross-region replication of backup jobs enables disaster recovery in the event of an unsuccessful cross-region failover.

    Decision ID: SDDC-OPS-BKP-009
    Design Decision: Retain backups for cross-region replicated backup jobs for at least 1 day.
    Design Justification: Keeping 1 day of a backup for replicated jobs enables administrators, in the event of a disaster recovery situation in which failover was unsuccessful, to restore their region-independent applications to a state within the last 24 hours.
    Design Implication: Data that has changed since the last backup, 24 hours ago, is lost. Retaining the replicated backup also increases the storage requirements for vSphere Data Protection in a multi-region configuration.