VMware Cloud Foundation (VCF) 5.0 have been recently announced, and some of the major feature enhancements include in-place upgrade, Isolated workload domains, upgrade prechecks, etc. For more details, please refer to the below references:
Release notes: Release notes
Product Documentation: VMware Documentation.
In this blog, I want to focus on one of the key features, the Isolated workload domain and how it can be beneficial to the VMware Cloud Director (VCD) integration.
Below are the various workload and Isolated domain options which have been introduced with VCF 5.0.
- Option 1: Single Shared SSO Domains
By design, VMware Cloud Foundation 4.x deployments have been configured using a single SSO instance which is shared between the management domain and each VI workload domain.
Each new workload domain is configured to use the management domain SSO.
A user can be configured for SDDC Manager access and is authenticated via the Platform Services Controller (PSC). All workload domain vCenter Servers are connected to each other using Enhanced Linked Mode (ELM).
Once a user is logged into SDDC Manager, ELM provides seamless access to all the products in the stack without being challenged to authenticate again.
For example, A user logged in to SDDC Manager can easily jump between workload domain vCenter Servers, NSX Managers and vRealize/Aria Suite components.
- Option 2: Separate Isolated SSO Domains:
VMware Cloud Foundation 5.0 deployments allow administrators the option to configure new workload domains using a separate SSO instance.
This scenario is useful for Managed Service Providers who can allocate workload domains to different tenants with their own SSO domains. Isolated SSO domains within VCF 5.0 are each configured with their own NSX instance. The workload domain and NSX instance have a 1:1 relationship.
Configuring workload domains as isolated workload domains also allows the option to configure a separate identity provider (for example Active Directory or LDAP).
- Option 3: All domains are isolated.
Each workload domain within a VMware Cloud Foundation 5.0 deployment can also be configured to use its own SSO instance to support a maximum of 25 domains. There can be 1 x management domain and 24 x workload domains, each having a separate SSO per VCF Instance.
This is ideal for environments where providers want to dedicate an entire workload domain for tenant resource consumption.
Deployment models for VCD on VCF
- Multi-tenant Workload (WLD) Clusters- VPC
In a standard architecture, VCD multi-tenancy can be hosted where the core components like VMware Cloud Director appliance, NFS server storage, Usage Meter and other management components reside in the management domain and tenant workloads reside in the workload domain.
Shared resource and management– Clusters will be shared among the tenants for resource sharing and the management domain will be shared among other workload domains. The same is illustrated in the diagram above.
- Multi-tenant WLD Clusters & Dedicated WLD Clusters-(VPC+PC)
In this model, the tenant workloads will reside on a workload domain and there can be few tenants who will have shared hosting with few clusters shared among them for resource consumption, performance isn’t guaranteed among the tenants due to resource sharing.
Dedicated resources and shared management– For tenants who want dedicated resources and guaranteed performance, separate (dedicated) clusters can be allocated to them within the same workload domain. Refer to the diagram above for more details.
With the introduction of isolated and single-shared SSO domains (Option:1 above for more details), now providers can also allocate an entire workload domain to a tenant and other workload domains can be shared among multiple tenants. This gives them the flexibility for both shared and dedicated hosting per workload domain.
The dedicated workload domain can have the shared management domain SSO.
VMware Cloud Foundation instances with workload domains configured to use the shared management domain SSO can scale to a maximum of 15 domains. Kindly refer to the diagram above for more details.
- Single Tenant WLDs: CPoM (Centralized Point of Management) ST-SDDC
CPoM is the ability to present a dedicated vCenter instance to an organization, or tenant, via the VMware Cloud Director user interface. Kindly refer to the VMware Documentation for more details.
With the introduction of an isolated workload domain(Option:2 or 3) with VCF 5.0, cloud providers can configure a VCF instance in standard architecture with an isolated workload domain.
Tenants requiring CPoM will have their workloads in that isolated workload domain and a separate SSO. In that way, customers won’t be able to access/view other vCenters except those dedicated to them via isolated domains.
This simplifies the design process as we had to dedicate a consolidated VCF stack entirely to the customer earlier to enable CPoM.
Scalability Options for VCD on VCF
Multi-tenant WLD Clusters
The below diagram represents the horizontal scaling options in a Multi-tenant environment.
For example, clusters are allocated to small and large tenants in a workload domain.
However, when more tenants are onboarded, there can be resource constraints and the existing resource allocation may not suffice. In that scenario, more clusters need to be added to cater to the resource requirement.
A VMware Cloud Foundation 5.0 instance can support a maximum of 25 domains by adding additional isolated workload domains.To know more about the design options of VCD on VCF, please refer to the details below:
Visit VMware Validated Solutions for the updated guides.
Stay tuned for more updates and feel free to get back to us for any queries.