
VMware Cloud Foundation on Dell VxRail Guide

VMware Cloud Foundation 5.2

You can find the most up-to-date technical documentation on the VMware by Broadcom website at:

https://docs.vmware.com/

VMware by Broadcom
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

© Copyright 2019-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc.
and/or its subsidiaries. For more information, go to https://www.broadcom.com. All trademarks, trade
names, service marks, and logos referenced herein belong to their respective companies.

VMware by Broadcom 2
Contents

1 About VMware Cloud Foundation on Dell VxRail 13

2 VMware Cloud Foundation on Dell VxRail 15

3 Prepare a VxRail Environment for Cloud Builder Appliance Deployment 16


Imaging the VxRail Management Nodes 16
VxRail First Run for the Management Cluster 16

4 Deploy VMware Cloud Builder Appliance 18

5 Deploy the Management Domain Using VMware Cloud Builder 22


About the Deployment Parameter Workbook 23
Credentials Worksheet 24
Hosts and Networks Worksheet 26
Deploy Parameters Worksheet: Existing Infrastructure Details 29
Deploy Parameters Worksheet: VxRail Manager Details 30
Deployment Parameters Worksheet: License Keys 31
Deploy Parameters Worksheet: vSphere Infrastructure 31
Deploy Parameters Worksheet: VMware NSX 33
Deploy Parameters Worksheet: SDDC Manager 34

6 Troubleshooting VMware Cloud Foundation Deployment 35


Using the SoS Utility on VMware Cloud Builder 35
VMware Cloud Builder Log Files 39

7 Getting Started with SDDC Manager 41


Log in to the SDDC Manager User Interface 41
Guided SDDC Manager Onboarding 42
Tour of the SDDC Manager User Interface 42
Log out of the SDDC Manager User Interface 44

8 Configure the Customer Experience Improvement Program Settings for VMware Cloud Foundation 46

9 Managing Certificates in VMware Cloud Foundation 48


View Certificate Information 49
Configure VMware Cloud Foundation to Use Microsoft CA-Signed Certificates 50

Prepare Your Microsoft Certificate Authority to Allow SDDC Manager to Manage Certificates 50
Install Microsoft Certificate Authority Roles 50
Configure the Microsoft Certificate Authority for Basic Authentication 51
Create and Add a Microsoft Certificate Authority Template 52
Assign Certificate Management Privileges to the SDDC Manager Service Account 53
Configure a Microsoft Certificate Authority in SDDC Manager 55
Install Microsoft CA-Signed Certificates using SDDC Manager 56
Configure VMware Cloud Foundation to Use OpenSSL CA-Signed Certificates 58
Configure OpenSSL-signed Certificates in SDDC Manager 58
Install OpenSSL-signed Certificates using SDDC Manager 60
Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate Authority Files 62
Install Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate Bundle 64
Remove Old or Unused Certificates from SDDC Manager 68

10 Managing License Keys in VMware Cloud Foundation 69


Add a Component License Key in the SDDC Manager UI 70
Edit a Component License Key Description in the SDDC Manager UI 70
Delete a Component License Key in the SDDC Manager UI 71
Update Component License Keys for Workload Domain Components 71

11 ESXi Lockdown Mode 73

12 Managing Storage in VMware Cloud Foundation 74


vSAN Storage with VMware Cloud Foundation 75
Fibre Channel Storage with VMware Cloud Foundation 77
Sharing Remote Datastores with HCI Mesh for VI Workload Domains 78

13 Managing Workload Domains in VMware Cloud Foundation 79


About VI Workload Domains 79
Prerequisites for a Workload Domain 80
Change the VxRail Manager IP Address 82
Update the VxRail Manager Certificate 83
Creating VxRail VI Workload Domains 84
Create a VxRail VI Workload Domain in the SDDC Manager UI 84
Create a VxRail VI Workload Domain Using the Workflow Optimization Script 90
Delete a VI Workload Domain 91
View Workload Domain Details 92
Expand a Workload Domain 94
Add a VxRail Cluster to a Workload Domain Using the SDDC Manager UI 94

Add VxRail Hosts to a Cluster in VMware Cloud Foundation 97


Reduce a Workload Domain 98
Remove a Host from a Cluster in a Workload Domain 98
Delete a VxRail Cluster 99
Rename a Workload Domain 100
vSphere Cluster Management 100
View vSphere Cluster Details 100
Rename a Cluster in the SDDC Manager UI 101
Tag Management 102
Tag a Workload Domain 102
Remove a Tag from your Workload Domain 103
Tag a Cluster 103
Remove a Tag from your Cluster 104
Tag a Host 104
Remove a Tag from your Host 105

14 Managing NSX Edge Clusters in VMware Cloud Foundation 106


Prerequisites for an NSX Edge Cluster 107
Deploy an NSX Edge Cluster 107
Add Edge Nodes to an NSX Edge Cluster 113
Remove Edge Nodes from an NSX Edge Cluster 118

15 Managing Avi Load Balancer in VMware Cloud Foundation 120


Deploy Avi Load Balancer for a Workload Domain 121
Remove Avi Load Balancer from a Workload Domain 124

16 Deploying Application Virtual Networks in VMware Cloud Foundation 126


Deploy Overlay-Backed NSX Segments 127
Deploy VLAN-Backed NSX Segments 129

17 VMware Cloud Foundation with VMware Tanzu 131


Enable Workload Management 131
View Workload Management Cluster Details 133
Update Workload Management License 133

18 VMware Aria Suite Lifecycle in VMware Cloud Foundation mode 135


VMware Aria Suite Lifecycle Implementation 136
Deploy VMware Aria Suite Lifecycle 137
Replace the Certificate of the VMware Aria Suite Lifecycle Instance 138
Configure Data Center and vCenter Server in VMware Aria Suite Lifecycle 139
Workspace ONE Access Implementation 140

Import the Workspace ONE Access Certificate to VMware Aria Suite Lifecycle 141
Add Workspace ONE Access Passwords to VMware Aria Suite Lifecycle 143
Deploy a Standard Workspace ONE Access Instance Using VMware Aria Suite Lifecycle 144
Deploy Clustered Workspace ONE Access Instance Using VMware Aria Suite Lifecycle 146
Configure an Anti-Affinity Rule and a Virtual Machine Group for a Clustered Workspace ONE Access Instance 148
Configure NTP on Workspace ONE Access 149
Configure the Domain and Domain Search Parameters on Workspace ONE Access 150
Configure an Identity Source for Workspace ONE Access 150
Add the Clustered Workspace ONE Access Cluster Nodes as Identity Provider Connectors 152
Assign Roles to Active Directory Groups for Workspace ONE Access 153
Assign Roles to Active Directory Groups for VMware Aria Suite Lifecycle 153

19 Working with NSX Federation in VMware Cloud Foundation 155


NSX Federation Key Concepts 155
Configuring NSX Federation in VMware Cloud Foundation 156
Create Global Manager Clusters for VMware Cloud Foundation 159
Deploy Global Manager Nodes 160
Join Global Manager Nodes to Form a Cluster 162
Create Anti-Affinity Rule for Global Manager Cluster in VMware Cloud Foundation 162
Assign a Virtual IP Address to Global Manager Cluster 163
Prepare Local Manager for NSX Federation in VMware Cloud Foundation 163
Enable NSX Federation in VMware Cloud Foundation 164
Set Active Global Manager 164
Add Location to Global Manager 165
Stretch Segments between VMware Cloud Foundation Instances 167
Create and Configure Cross-Instance Tier-1 Gateway 168
Connect Cross-Instance Segments to Cross-Instance Tier-1 Gateway 168
Delete Existing Tier-0 Gateways in Additional Instances 169
Connect Additional VMware Cloud Foundation Instances to Cross-Instance Tier-0 Gateway 169
Connect Local Tier-1 Gateway to Cross-Instance Tier-0 Gateway 171
Add Additional Instance as Locations to the Cross-Instance Tier-1 Gateway 171
Set Standby Global Manager 172
Replacing Global Manager Cluster Certificates in VMware Cloud Foundation 173
Import a CA-Signed Certificate to the Global Manager Cluster 173
Replace the Certificate for the First Global Manager Node 173
Replace Certificates and Virtual IP for the Remaining Global Manager Nodes 175
Update Local Manager Certificate Thumbprint in Global Manager Cluster 177
Password Management for NSX Global Manager Cluster in VMware Cloud Foundation 178
Backup and Restore of NSX Global Manager Cluster in VMware Cloud Foundation 178

Configure NSX Global Manager Cluster Backups 178


Restore an NSX Global Manager Cluster Backup 180

20 Stretching vSAN Clusters in VMware Cloud Foundation on Dell VxRail 182


About Availability Zones and Regions 182
Stretched Cluster Requirements 183
Deploy and Configure vSAN Witness Host 185
Deploy vSAN Witness Host 185
Configure the Management Network on the vSAN Witness Host 186
Register vSAN Witness Host 187
Configure NTP on the Witness Host 188
Configure the VMkernel Adapters on the vSAN Witness Host 188
Stretch a VxRail Cluster in VMware Cloud Foundation 189
NSX Configuration for Availability Zone 2 194
Configure IP Prefixes in the Tier-0 Gateway for Availability Zone 2 194
Configure Route Maps in the Tier-0 Gateway for Availability Zone 2 195
Configure BGP in the Tier-0 Gateway for Availability Zone 2 196
Configure Witness Traffic Separation for VMware Cloud Foundation on Dell VxRail 198
Create Distributed Port Groups for Witness Traffic 199
Delete Routes to the Witness Host 199
Add VMkernel Adapters for Witness Traffic 200
Configure the VMkernel Adapters for Witness Traffic 201
Expand a Stretched VxRail Cluster 201
Replace a Failed Host in a Stretched VxRail Cluster 203

21 Monitoring Capabilities in the VMware Cloud Foundation System 204


Viewing Tasks and Task Details 204
API Activity Logging 206

22 Updating VMware Cloud Foundation DNS and NTP Servers 208


Update DNS Server Configuration 208
Update NTP Server Configuration 209

23 Supportability and Serviceability (SoS) Utility 211


SoS Utility Options 211
Collect Logs for Your VMware Cloud Foundation System 217
Component Log Files Collected by the SoS Utility 219

24 Managing Users and Groups in VMware Cloud Foundation 222


Configuring the Identity Provider for VMware Cloud Foundation 223
Add Active Directory over LDAP or OpenLDAP as an Identity Source for VMware Cloud Foundation 223

Configure Microsoft ADFS as the Identity Provider in the SDDC Manager UI 225
Configure Identity Federation in VMware Cloud Foundation Using Okta 228
Create an OpenID Connect application for VMware Cloud Foundation in Okta 229
Configure Okta as the Identity Provider in the SDDC Manager UI 230
Update the Okta OpenID Connect application with the Redirect URI from SDDC Manager 234
Create a SCIM 2.0 Application for Using Okta with VMware Cloud Foundation 234
Assign Okta Users and Groups as Administrators in SDDC Manager, vCenter Server, and NSX Manager 236
Configure Identity Federation in VMware Cloud Foundation Using Microsoft Entra ID 241
Create an OpenID Connect application for VMware Cloud Foundation in Microsoft Entra ID 242
Configure Microsoft Entra ID as the Identity Provider in the SDDC Manager UI 244
Update the Microsoft Entra ID OpenID Connect application with the Redirect URI from SDDC Manager 247
Create a SCIM 2.0 Application for Using Microsoft Entra ID with VMware Cloud Foundation 248
Assign Microsoft Entra ID Users and Groups as Administrators in SDDC Manager, vCenter Server, and NSX Manager 252
Add a User or Group to VMware Cloud Foundation 255
Remove a User or Group 256
Create a Local Account 256
Create an Automation Account 258

25 Managing Passwords in VMware Cloud Foundation 262


Rotate Passwords 264
Manually Update Passwords 266
Remediate Passwords 268
Look Up Account Credentials 269
Updating SDDC Manager Passwords 269
Update SDDC Manager Root and Super User Passwords 270
Update SDDC Manager Local Account Password 270
Update Expired SDDC Manager Root Password 271

26 Backing Up and Restoring SDDC Manager and NSX Manager 273


Reconfigure SFTP Backups for SDDC Manager and NSX Manager 274
File-Based Backups for SDDC Manager and vCenter Server 275
Back Up SDDC Manager 276
Configure a Backup Schedule for vCenter Server 277
Manually Back Up vCenter Server 278
Export the Configuration of the vSphere Distributed Switches 279
File-Based Restore for SDDC Manager, vCenter Server, and NSX 280
Restore SDDC Manager 280

Prepare for Restoring SDDC Manager 281


Restore SDDC Manager from a File-Based Backup 282
Validate the Status of SDDC Manager 284
Restore vCenter Server 285
Prepare for Restoring vCenter Server 286
Restore a vCenter Server Instance from a File-Based Backup 289
Move the Restored vCenter Server Appliance to the Correct Folder 292
Validate the vCenter Server State 292
Validate the SDDC Manager State After a vCenter Server Restore 293
Restore the Configuration of a vSphere Distributed Switch 293
Restore an NSX Manager Cluster Node 294
Prepare for Restoring an NSX Manager Cluster Node 295
Restore the First Node of a Failed NSX Manager Cluster 297
Deactivate the NSX Manager Cluster 300
Restore an NSX Manager Node to an Existing NSX Manager Cluster 301
Update or Recreate the VM Anti-Affinity Rule for the NSX Manager Cluster Nodes 307
Validate the SDDC Manager Inventory State 307
Restoring NSX Edge Cluster Nodes 308
Prepare for Restoring NSX Edge Cluster Nodes 308
Replace the Failed NSX Edge Node with a Temporary NSX Edge Node 311
Replace the Temporary NSX Edge Node with the Redeployed NSX Edge Node 314
Image-Based Backup and Restore of VMware Cloud Foundation 319

27 Upgrading to VMware Cloud Foundation 5.2.x on Dell VxRail 320


SDDC Manager Functionality During an Upgrade to VMware Cloud Foundation 5.2.x 321
vSphere UI Client Plug-ins 324
Monitor VMware Cloud Foundation Updates 324
View VMware Cloud Foundation Update History 325
Access VMware Cloud Foundation Upgrade Log Files 325
Downloading VMware Cloud Foundation Upgrade Bundles 325
Connect SDDC Manager to a Software Depot for Downloading Bundles 326
Download Bundles Using SDDC Manager 328
Configure a Proxy Server for Downloading VMware Cloud Foundation Bundles 329
Offline Download of VMware Cloud Foundation 5.2.x Upgrade Bundles 329
Offline Download of Independent SDDC Manager Bundles 334
Offline Download of Async Patch Bundles 337
Offline Download of Flexible BOM Upgrade Bundles 340
HCL Offline Download for VMware Cloud Foundation 343
Download Bundles to an Offline Depot 346
VMware Cloud Foundation Upgrade Prerequisites 347
VMware Cloud Foundation 5.2.x Upgrade Overview 348

Upgrade the Management Domain to VMware Cloud Foundation 5.2.x 353


Perform Update Precheck - Versions Prior to SDDC Manager 5.0 354
Perform Update Precheck in SDDC Manager 357
Apply the VMware Cloud Foundation 5.2.x Upgrade Bundle 361
Apply VMware Cloud Foundation Configuration Updates 362
Upgrade VMware Aria Suite Lifecycle and VMware Aria Suite Products for VMware Cloud Foundation 367
Upgrade NSX for VMware Cloud Foundation in a Federated Environment 368
Download NSX Global Manager Upgrade Bundle 368
Upgrade the Upgrade Coordinator for NSX Federation 368
Upgrade NSX Global Managers for VMware Cloud Foundation 369
Upgrade NSX for VMware Cloud Foundation 5.2.x 369
Upgrade vCenter Server for VMware Cloud Foundation 5.2.x 372
Upgrade VxRail Manager and ESXi Hosts for VMware Cloud Foundation 375
Upgrade vSAN Witness Host for VMware Cloud Foundation 376
Upgrade vSphere Distributed Switch versions 378
Upgrade vSAN on-disk format versions 378
Update License Keys for a Workload Domain 379
Upgrade VI Workload Domains to VMware Cloud Foundation 5.2.x 380
Plan VI Workload Domain Upgrade 381
Perform Update Precheck in SDDC Manager 382
Upgrade NSX for VMware Cloud Foundation in a Federated Environment 386
Download NSX Global Manager Upgrade Bundle 386
Upgrade the Upgrade Coordinator for NSX Federation 386
Upgrade NSX Global Managers for VMware Cloud Foundation 387
Upgrade NSX for VMware Cloud Foundation 5.2.x 387
Upgrade vCenter Server for VMware Cloud Foundation 5.2.x 390
Upgrade VxRail Manager and ESXi Hosts for VMware Cloud Foundation 393
Upgrade vSAN Witness Host for VMware Cloud Foundation 394
Upgrade vSphere Distributed Switch versions 396
Upgrade vSAN on-disk format versions 396
Update License Keys for a Workload Domain 397
Independent SDDC Manager Upgrade using the SDDC Manager UI 398
Flexible BOM Upgrade in VMware Cloud Foundation 399
Patching the Management and Workload Domains 401
Troubleshooting for Upgrading VMware Cloud Foundation 402
SDDC Manager Troubleshooting 403
On-demand pre-checks for vCenter bundle might fail 403
SDDC Manager bundle pre-check failure when upgrading to VMware Cloud Foundation 5.1 403
Extra RPM packages on SDDC Manager may cause upgrade failure 404
False warning for missing compatibility data in plan upgrade wizard 404

Updating licenses for a WLD shows insufficient license error 405


vCenter Troubleshooting 405
vCenter Server Upgrade Failed Due to Reuse of Temporary IP Address 405

28 Shutdown and Startup of VMware Cloud Foundation 407


Shutting Down VMware Cloud Foundation 407
Shut Down a Virtual Infrastructure Workload Domain 408
Shut Down the NSX Edge Nodes 409
Shut Down the NSX Manager Nodes 409
Shut Down vSphere Cluster Services Virtual Machines, VxRail Manager, VMware vSAN, and ESXi Hosts 410
Shut Down vCenter Server for a Virtual Infrastructure Workload Domain 410
Shut Down a Virtual Infrastructure Workload Domain with vSphere with Tanzu 411
Find Out the Location of the vSphere with Tanzu Virtual Machines on the ESXi Hosts 412
Shut Down the vSphere Cluster Services Virtual Machines 412
Shut Down vCenter Server for a Virtual Infrastructure Workload Domain with vSphere with Tanzu 413
Shut Down the NSX Edge Nodes for vSphere with Tanzu 414
Shut Down the NSX Manager Nodes 415
Shut Down the VxRail Manager Virtual Machine in a VI Workload Domain with vSphere with Tanzu 415
Shut Down vSAN and the ESXi Hosts in a Virtual Infrastructure Workload Domain with vSphere with Tanzu 415
Shut Down the Management Domain 417
Shut Down the Clustered Workspace ONE Access Virtual Machines 418
Shut Down the VMware Aria Suite Lifecycle Virtual Machine 419
Shut Down the NSX Edge Nodes 419
Shut Down the NSX Manager Nodes 419
Shut Down the SDDC Manager Virtual Machine 420
Shut Down the VxRail Manager Virtual Machine in the Management Domain 420
Shut Down the Skyline Health Diagnostics Virtual Machine 421
Shut Down the vSphere Cluster Services Virtual Machines 421
Shut Down the vCenter Server Instance in the Management Domain 422
Shut Down vSAN and the ESXi Hosts in a Virtual Infrastructure Workload Domain with vSphere with Tanzu 423
Starting Up VMware Cloud Foundation 424
Start the Management Domain 425
Start the vSphere and vSAN Components for the Management Domain 426
Start the vCenter Server Instance in the Management Domain 428
Start the vSphere Cluster Services 429
Start the VxRail Manager Virtual Machine 429
Start the SDDC Manager Virtual Machine 430
Start the Skyline Health Diagnostics Virtual Machine 430

Start the NSX Manager Virtual Machines 430


Start the NSX Edge Nodes 431
Start the VMware Aria Suite Lifecycle Virtual Machine 431
Start the Clustered Workspace ONE Access Virtual Machines 432
Start a Virtual Infrastructure Workload Domain 433
Start the vCenter Server Instance for a VxRail Virtual Infrastructure Workload Domain 433
Start ESXi hosts, vSAN and VxRail Manager in a Virtual Infrastructure Workload Domain 434
Start the NSX Manager Virtual Machines 434
Start the NSX Edge Nodes 435
Start a Virtual Infrastructure Workload Domain with vSphere with Tanzu 435
Start the vSphere and vSAN Components for the Management Domain 436
Start vCenter Server for a Virtual Infrastructure Workload Domain 437
Start the vSphere Cluster Services 438
Start the VxRail Manager Virtual Machine 438
Start the NSX Manager Virtual Machines 439
Start the NSX Edge Nodes 439

1 About VMware Cloud Foundation on Dell VxRail

The VMware Cloud Foundation on Dell VxRail Guide provides information on managing the
integration of VMware Cloud Foundation and Dell VxRail. Because this product is an integration of
VMware Cloud Foundation and Dell VxRail, you obtain the expected results only when the
configuration is completed on both products. This guide covers all the information regarding the
VMware Cloud Foundation workflows. For the configuration that must be done on Dell VxRail, this
guide provides links to the Dell VxRail documentation.

Intended Audience
The VMware Cloud Foundation on Dell VxRail Guide is intended for the system administrators of
the VxRail environments who want to adopt VMware Cloud Foundation. The information in this
document is written for experienced data center system administrators who are familiar with:

- Concepts of virtualization, software-defined data centers, and virtual infrastructure (VI).
- VMware virtualization technologies, such as VMware ESXi™, the hypervisor
- Software-defined networking using VMware NSX®
- Software-defined storage using VMware vSAN™
- IP networks

Additionally, you should be familiar with these software products, software components, and
their features:

- Dell EMC VxRail Manager
- VMware vSphere®
- VMware vCenter Server® and VMware vCenter Server Appliance™
- VMware vRealize® Log Insight™
- VMware vSphere® with VMware Tanzu™

Related Publications
The Planning and Preparation Workbook provides detailed information about the software, tools,
and external services that are required to deploy VMware Cloud Foundation on Dell EMC VxRail.

The VMware Cloud Foundation on Dell Release Notes provide information about each release,
including:

- What's new in the release
- Software components and versions included in the Bill of Materials (BOM)
- Resolved issues
- Known issues

The VMware Cloud Foundation on Dell VxRail API Reference Guide provides information about
using the API.

2 VMware Cloud Foundation on Dell VxRail

VMware Cloud Foundation on Dell VxRail enables VMware Cloud Foundation on top of the Dell
VxRail platform.

An administrator of a VMware Cloud Foundation on Dell VxRail system performs tasks such as:

- Deploy VMware Cloud Foundation on Dell VxRail.
- Manage certificates.
- Add capacity to your system.
- Configure and provision workload domains.
- Manage provisioned workload domains.
- Monitor alerts and the health of the system.
- Troubleshoot issues and prevent problems across the physical and virtual infrastructure.
- Perform life cycle management on the software components.

3 Prepare a VxRail Environment for Cloud Builder Appliance Deployment

Before you can deploy the VMware Cloud Builder Appliance on the VxRail cluster, you must
complete the following tasks.

Procedure

1 Imaging the VxRail Management Nodes

Image the VxRail management nodes by using the Dell RASR (Rapid Appliance Self Recovery)
process. Ensure that you update the RASR image in each server node SD card before you
start the imaging process.

2 VxRail First Run for the Management Cluster

Before you can deploy the management domain using VMware Cloud Builder, you must
perform the VxRail first run.

Imaging the VxRail Management Nodes

Image the VxRail management nodes by using the Dell RASR (Rapid Appliance Self Recovery)
process. Ensure that you update the RASR image in each server node SD card before you start
the imaging process.

For detailed information about how to image the VxRail management nodes, contact Dell
Support.

VxRail First Run for the Management Cluster


Before you can deploy the management domain using VMware Cloud Builder, you must perform
the VxRail first run.

The VxRail first run for the management cluster consists of the following tasks:

- The discovery of the VxRail nodes occurs. All the nodes that were imaged are detected.
- Upload the JSON configuration file. Trigger the validation.
- All the configuration inputs are validated.

Note You specify the vSphere Lifecycle Manager method (vSphere Lifecycle Manager images or
vSphere Lifecycle Manager baselines) during the VxRail first run or in the vCenter Server VxRail
UI after the first run, but before bring-up. See the Dell VxRail documentation for details.

Note vSAN Express Storage Architecture (ESA) requires vSphere Lifecycle Manager images.

The following components are deployed and enabled:

- vCenter
- vSAN
- VxRail Manager

Click Manage VxRail to log in to the VMware vCenter server.

For information on VxRail First Run, contact Dell Support.

4 Deploy VMware Cloud Builder Appliance

VMware Cloud Builder is a virtual appliance that is used to deploy and configure the first cluster
of the management domain and transfer inventory and control to SDDC Manager. During the
deployment process, the VMware Cloud Builder appliance validates network information you
provide in the deployment parameter workbook such as DNS, network (VLANS, IPs, MTUs), and
credentials.

This procedure describes deploying the VMware Cloud Builder appliance to the cluster that was
created during the VxRail first run.

Prerequisites

Before you deploy the VMware Cloud Builder appliance, verify that your environment fulfills the
requirements for this process.

Prerequisite            Value

Environment             - Verify that your environment is configured for deployment of VMware
                          Cloud Builder and the management domain.
                        - Verify that you have available virtual infrastructure that has access
                          to the management network that will be used by the management domain.
                          You deploy VMware Cloud Builder on that virtual infrastructure.

Resource Requirements   - 4 CPUs
                        - 4 GB of Memory
                        - 279 GB of Storage
                        - 25.1 GB (thin provisioned)
                        - 253.8 GB (thick provisioned)

Installation Packages   Verify that you download the OVA file(s) for VMware Cloud Builder.

Network                 - Verify that the static IP address and FQDN for the VMware Cloud Builder
                          appliance are available.
                        - Verify that connectivity is in place between the VMware Cloud Builder
                          appliance and the management VLAN used in the deployment.

The VMware Cloud Builder appliance must be on the same management network as the hosts to
be used. It must also be able to access all required external services, such as DNS and NTP.

Procedure

1 Download the VMware Cloud Builder appliance OVA.

2 Log in to vCenter Server using the vSphere Client.

3 In the navigator, select the cluster that was created during the VxRail first run.

4 Click Actions > Deploy OVF Template.

5 Select Local file and click Upload Files.

6 Browse to the VMware Cloud Builder appliance OVA, select it, and click Open.

7 Click Next.

8 Enter a name for the virtual machine, select a target location, and click Next.

9 Select the cluster you created during the VxRail first run and click Next.

10 Review the details and click Next.

11 Accept the license agreement and click Next.

12 On the Select Storage page, select the storage for the VMware Cloud Builder appliance and
click Next.

13 On the Select networks dialog box, select the management network and click Next.

14 On the Customize template page, enter the following information for the VMware Cloud
Builder appliance and click Next:

Setting                                   Details

Admin Username                            The admin user name cannot be one of the following pre-defined user
                                          names: root, bin, daemon, messagebus, systemd-bus-proxy,
                                          systemd-journal-gateway, systemd-journal-remote,
                                          systemd-journal-upload, systemd-network, systemd-resolve,
                                          systemd-timesync, nobody, sshd, named, rpc, tftp, ntp, smmsp,
                                          cassandra.

Admin Password / Admin Password confirm   The admin password must be a minimum of 15 characters and include at
                                          least one uppercase, one lowercase, one digit, and one special
                                          character. Supported special characters: @ ! # $ % ? ^
                                          Note A password cannot be based on a dictionary word (for example,
                                          VMware1!).

Root password / Root password confirm     The root password must be a minimum of 15 characters and include at
                                          least one uppercase, one lowercase, one digit, and one special
                                          character. Supported special characters: @ ! # $ % ? ^
                                          Note A password cannot be based on a dictionary word (for example,
                                          VMware1!).

Hostname                                  Enter the hostname for the VMware Cloud Builder appliance.

Network 1 IP Address                      Enter the IP address for the VMware Cloud Builder appliance.

Network 1 Subnet Mask                     For example, 255.255.255.0.

Default Gateway                           Enter the default gateway for the VMware Cloud Builder appliance.

DNS Servers                               IP address of the primary and secondary DNS servers (comma separated).
                                          Do not specify more than two servers.

DNS Domain Name                           For example, vsphere.local.

DNS Domain Search Paths                   Comma separated. For example vsphere.local, sf.vsphere.local.

NTP Servers                               Comma separated.

15 Review the deployment details and click Finish.

Note Make sure your passwords meet the requirements specified above before clicking
Finish or your deployment will not succeed.

16 After the VMware Cloud Builder appliance is deployed, SSH in to the VM with the admin
credentials provided in step 14.

17 Ensure that you can ping the ESXi hosts.

18 Verify that the VMware Cloud Builder appliance has access to the required external services,
such as DNS and NTP, by performing forward and reverse DNS lookups for each host and for the
specified NTP servers.
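The following Python script is an added example, not part of this guide or of the VMware Cloud Builder appliance. It applies the user-name and password rules from the customization table in step 14 before you click Finish, and it performs the forward/reverse DNS round-trip check from step 18 for a list of ESXi host and NTP server names. The host names, addresses, and the small dictionary word list are constructed for the demonstration; against a real environment you would drop the constructed resolver arguments so the default resolvers in the appliance are used.

```python
"""Pre-bring-up checks for a Cloud Builder deployment (added example, not VMware code).

Covers two things a practitioner wants to verify before and right after deploying
the appliance: that the admin/root credentials satisfy the OVA customization rules,
and that every host and NTP name resolves forward and its PTR record points back
to the same name. The DNS functions accept injectable resolvers so the logic can be
exercised offline against a constructed host table.
"""
from __future__ import annotations

import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Reserved account names listed under "Admin Username" in the customization table.
RESERVED_USERNAMES = {
    "root", "bin", "daemon", "messagebus", "systemd-bus-proxy",
    "systemd-journal-gateway", "systemd-journal-remote", "systemd-journal-upload",
    "systemd-network", "systemd-resolve", "systemd-timesync", "nobody", "sshd",
    "named", "rpc", "tftp", "ntp", "smmsp", "cassandra",
}
SPECIAL_CHARS = set("@!#$%?^")      # the supported special characters from the table
MIN_PASSWORD_LENGTH = 15
# Constructed, deliberately tiny word list standing in for a real dictionary
# (a production check would consult a full word list such as cracklib's).
DICTIONARY_WORDS = {"vmware", "password", "welcome", "broadcom"}


def check_admin_username(name: str) -> List[str]:
    """Return a list of problems with the admin user name (empty when acceptable)."""
    problems: List[str] = []
    if not name:
        problems.append("username is empty")
    elif name.lower() in RESERVED_USERNAMES:
        problems.append(f"'{name}' is a reserved system account name")
    return problems


def check_password(pw: str) -> List[str]:
    """Apply the admin/root password rules; returns the list of violated rules."""
    problems: List[str] = []
    if len(pw) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARS for c in pw):
        problems.append("no supported special character (@ ! # $ % ? ^)")
    unsupported = sorted({c for c in pw if not c.isalnum() and c not in SPECIAL_CHARS})
    if unsupported:
        problems.append("unsupported special characters: " + "".join(unsupported))
    # Dictionary rule: strip digits and symbols and compare the alphabetic core,
    # so "VMware1!" style passwords are rejected as dictionary-based.
    core = re.sub(r"[^A-Za-z]", "", pw).lower()
    if core in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")
    return problems


def default_forward(name: str) -> List[str]:
    """Forward lookup through the appliance's configured resolver (all A records)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def default_reverse(ip: str) -> Optional[str]:
    """Reverse (PTR) lookup for one address; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_dns_round_trip(
    fqdns: Iterable[str],
    forward: Callable[[str], List[str]] = default_forward,
    reverse: Callable[[str], Optional[str]] = default_reverse,
) -> Dict[str, str]:
    """For each FQDN: forward lookup must succeed and every address's PTR must map
    back to the same FQDN. Returns {fqdn: "ok" or a description of the fault}."""
    results: Dict[str, str] = {}
    for fqdn in fqdns:
        ips = forward(fqdn)
        if not ips:
            results[fqdn] = "forward lookup failed"
            continue
        faults = []
        for ip in ips:
            back = reverse(ip)
            if back is None:
                faults.append(f"{ip}: no PTR record")
            elif back.lower().rstrip(".") != fqdn.lower().rstrip("."):
                faults.append(f"{ip}: PTR is {back}")
        results[fqdn] = "ok" if not faults else "; ".join(faults)
    return results


# Constructed zone data for an offline demonstration (not from the guide).
CONSTRUCTED_FORWARD = {
    "esx01.mgmt.example.com": ["172.16.11.101"],
    "esx02.mgmt.example.com": ["172.16.11.102"],
    "ntp.mgmt.example.com": ["172.16.11.253"],
}
CONSTRUCTED_REVERSE = {
    "172.16.11.101": "esx01.mgmt.example.com",
    "172.16.11.102": "esx02-old.mgmt.example.com",   # stale PTR left from a rename
}


def constructed_forward(name: str) -> List[str]:
    return CONSTRUCTED_FORWARD.get(name, [])


def constructed_reverse(ip: str) -> Optional[str]:
    return CONSTRUCTED_REVERSE.get(ip)


if __name__ == "__main__":
    print("username root:", check_admin_username("root"))
    print("password VMware1!:", check_password("VMware1!"))
    names = list(CONSTRUCTED_FORWARD) + ["missing.mgmt.example.com"]
    for host, status in check_dns_round_trip(names, constructed_forward, constructed_reverse).items():
        print(f"{host}: {status}")
```

Run it as-is to see the constructed faults (a stale PTR, a missing PTR, and a name that does not resolve); on the appliance, call check_dns_round_trip with only the list of names so the real resolver is used, and treat anything other than "ok" as a gap to fix before uploading the deployment parameter workbook.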

5 Deploy the Management Domain Using VMware Cloud Builder

The VMware Cloud Foundation deployment process is referred to as bring-up. You specify
deployment information specific to your environment such as networks, hosts, license keys, and
other information in the deployment parameter workbook and upload the file to the VMware
Cloud Builder appliance to initiate bring-up of the management domain.

During bring-up, the management domain is created on the ESXi hosts specified in the
deployment parameter workbook. The VMware Cloud Foundation software components
are automatically deployed, configured, and licensed using the information provided. The
deployment parameter workbook can be reused to deploy multiple VMware Cloud Foundation
instances of the same version.

The following procedure describes how to perform bring-up of the management domain using
the deployment parameter workbook. You can also perform bring-up using a custom JSON
specification. See the VMware Cloud Foundation API Reference Guide for more information.

Externalizing the vCenter Server that gets created during the VxRail first run is automated as part
of the bring-up process.

Procedure

1 In a web browser, log in to the VMware Cloud Builder appliance administration interface:
https://Cloud_Builder_VM_FQDN.

2 Enter the admin credentials you provided when you deployed the VMware Cloud Builder
appliance and then click Log In.

3 On the End-User License Agreement page, select the I Agree to the End User License
Agreement check box and click Next.

4 Select VMware Cloud Foundation on Dell EMC VxRail and click Next.

5 Review and acknowledge the prerequisites and click Next.

If there are any gaps, ensure they are fixed before proceeding to avoid issues during the
bring-up process. You can download or print the prerequisite list for reference.

6 Download the deployment parameter workbook from the Broadcom Support portal and fill it
in with the required information.

See About the Deployment Parameter Workbook.

7 Click Next.


8 Click Select File, browse to the completed workbook, and click Open to upload the
workbook.

9 Click Next to begin validation of the uploaded file.

To access the bring-up log file, SSH to the VMware Cloud Builder appliance as admin and
open the /opt/vmware/bringup/logs/vcf-bringup-debug.log file.

If there is an error during the validation and the Next button is grayed out, you can either
make corrections to the environment or edit the deployment parameter workbook and
upload it again. Then click Retry to perform the validation again.

If any warnings are displayed and you want to proceed, click Acknowledge and then click
Next.

10 Click Deploy SDDC.

During the bring-up process, the vCenter Server, NSX, and SDDC Manager appliances are
deployed and the management domain is created. The status of the bring-up tasks is
displayed in the UI.

After bring-up is completed, a green bar is displayed indicating that bring-up was successful.
A link to the SDDC Manager UI is also displayed. If there are errors during bring-up, see
Chapter 6 Troubleshooting VMware Cloud Foundation Deployment.

11 Click Download to download a detailed deployment report. This report includes information
on assigned IP addresses and networks that were configured in your environment.

12 After bring-up is completed, click Finish.

13 Click Launch SDDC Manager.

14 Power off the VMware Cloud Builder appliance.

About the Deployment Parameter Workbook


The deployment parameter workbook contains worksheets categorizing the information required
for deploying VMware Cloud Foundation. The information provided is used to create the
management domain using the VMware Cloud Builder appliance.

Before you begin filling in the deployment parameter workbook, download the workbook from
the Broadcom Support portal.

The fields in yellow contain sample values that you should replace with the information for your
environment. If a cell turns red, the required information is missing, or validation input has failed.

Important The deployment parameter workbook is not able to fully validate all inputs due
to formula limitations of Microsoft Excel. Some validation issues may not be reported until you
upload the deployment parameter workbook to the VMware Cloud Builder appliance.

Note Do not copy and paste content between cells in the deployment parameter workbook,
since this may cause issues.

The Introduction worksheet in the deployment parameter workbook contains an overview of
the workbook and guidance on how to complete it. For information about the prerequisites for
deploying the management domain, see the Planning and Preparation Workbook.

VxRail Prerequisites
n The VxRail first run is completed and vCenter Server and VxRail Manager VMs are deployed.

n The vCenter Server version matches the build listed in the Cloud Foundation Bill of Materials
(BOM). See the VMware Cloud Foundation Release Notes for the BOM.

Credentials Worksheet
The Credentials worksheet details the accounts and initial passwords for the VMware Cloud
Foundation components. You must provide input for each yellow box. A red cell may indicate
that validation of the password length has failed.

Input Required
Update the Default Password field for each user (including the automation user in the last row).
Passwords can be different per user or common across multiple users. The tables below provide
details on password requirements.

Table 5-1. Password Complexity

Password Requirements

VxRail Manager root account Standard

VxRail Manager service account (mystic) Standard. The service account password must be different from the VxRail Manager root account password.

ESXi Host root account This is the password that you configured on the hosts during ESXi installation.

Default Single-Sign-On domain administrator user
1 Length 8-20 characters
2 Must include:
n mix of upper-case and lower-case letters
n a number
n a special character, such as @ ! # $ % ^ or ?
3 Must not include: * { } [ ] ( ) / \ ' " ` ~ , ; : . < >

vCenter Server virtual appliance root account
1 Length 8-20 characters
2 Must include:
n mix of upper-case and lower-case letters
n a number
n a special character, such as @ ! # $ % ^ or ?
3 Must not include: * { } [ ] ( ) / \ ' " ` ~ , ; : . < >

NSX virtual appliance root account
1 Length 12-127 characters
2 Must include:
n mix of uppercase and lowercase letters
n a number
n a special character, such as @ ! # $ % ^ or ?
n at least five different characters
3 Must not include: * { } [ ] ( ) / \ ' " ` ~ , ; : . < >

NSX user interface and default CLI admin account
1 Length 12-127 characters
2 Must include:
n mix of uppercase and lowercase letters
n a number
n a special character, such as @ ! # $ % ^ or ?
n at least five different characters
3 Must not include: * { } [ ] ( ) / \ ' " ` ~ , ; : . < >

NSX audit CLI account
1 Length 12-127 characters
2 Must include:
n mix of uppercase and lowercase letters
n a number
n a special character, such as @ ! # $ % ^ or ?
n at least five different characters
3 Must not include: * { } [ ] ( ) / \ ' " ` ~ , ; : . < >

SDDC Manager appliance root account
1 Minimum length 15 characters
2 Must include:
n mix of uppercase and lowercase letters
n a number
n a special character, such as @ ! # $ % ^ or ?
3 Must not include:
n * { } [ ] ( ) / \ ' " ` ~ , ; : . < >
n a dictionary word (for example, VMware1!)

SDDC Manager super user (vcf)
1 Minimum length 15 characters
2 Must include:
n mix of uppercase and lowercase letters
n a number
n a special character, such as @ ! # $ % ^ or ?
3 Must not include:
n * { } [ ] ( ) / \ ' " ` ~ , ; : . < >
n a dictionary word (for example, VMware1!)

SDDC Manager local account (admin@local)
1 Length 12-127 characters
2 Must include:
n mix of uppercase and lowercase letters
n a number
n a special character, such as @ ! # $ % ^ or ?
3 Must not include: * { } [ ] ( ) / \ ' " ` ~ , ; : . < >
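The workbook cannot fully validate these rules (see the Important note above), and a password that fails them is only reported once the workbook is uploaded. The following added example is a pre-flight checker for the Table 5-1 rules; it is not VMware or Dell code. Two points are assumptions rather than table content: any printable, non-alphanumeric character outside the forbidden set is counted as a "special character" (the table lists examples only), and the dictionary-word list is a constructed placeholder standing in for whatever list SDDC Manager actually uses.

```python
"""Pre-flight check of workbook passwords against the Table 5-1 rules.

Added example, not VMware or Dell code. The rule set is transcribed from the
table above; the special-character set and the dictionary word list are
assumptions marked below.
"""
from __future__ import annotations

import re

# Characters the table says must NOT appear in any of the listed passwords.
FORBIDDEN = set('*{}[]()/\\\'"`~,;:.<>')

# Constructed placeholder list for the "dictionary word" rule (assumption:
# the real check in SDDC Manager uses a much larger list).
DICTIONARY_WORDS = ("vmware", "password", "welcome", "admin")

# (min_len, max_len, min_distinct_chars, dictionary_check) per account profile,
# taken from Table 5-1. max_len None: the table states no maximum for that row.
PROFILES = {
    "sso_admin":        (8, 20, 0, False),
    "vcenter_root":     (8, 20, 0, False),
    "nsx_root":         (12, 127, 5, False),
    "nsx_admin":        (12, 127, 5, False),
    "nsx_audit":        (12, 127, 5, False),
    "sddc_root":        (15, None, 0, True),
    "sddc_vcf":         (15, None, 0, True),
    "sddc_admin_local": (12, 127, 0, False),
}


def _is_special(c: str) -> bool:
    # Assumption: printable, non-alphanumeric, non-space, and not forbidden.
    return c.isprintable() and not c.isspace() and not c.isalnum() and c not in FORBIDDEN


def check_password(password: str, profile: str) -> list[str]:
    """Return the names of the Table 5-1 rules the password violates ([] if none)."""
    min_len, max_len, min_distinct, dict_check = PROFILES[profile]
    failures = []
    if len(password) < min_len or (max_len is not None and len(password) > max_len):
        failures.append("length")
    if not re.search(r"[A-Z]", password):
        failures.append("uppercase")
    if not re.search(r"[a-z]", password):
        failures.append("lowercase")
    if not re.search(r"[0-9]", password):
        failures.append("digit")
    if not any(_is_special(c) for c in password):
        failures.append("special")
    if any(c in FORBIDDEN for c in password):
        failures.append("forbidden")
    if len(set(password)) < min_distinct:
        failures.append("distinct")
    if dict_check and any(w in password.lower() for w in DICTIONARY_WORDS):
        failures.append("dictionary")
    return failures


def check_vxrail_accounts(root_password: str, mystic_password: str) -> list[str]:
    """VxRail Manager rule: the mystic service account password must differ from root."""
    return [] if root_password != mystic_password else ["mystic_equals_root"]


def check_workbook(passwords: dict[str, str]) -> dict[str, list[str]]:
    """Check a {profile: password} mapping; returns only the entries with failures."""
    return {p: f for p, pw in passwords.items() if (f := check_password(pw, p))}
```

Run `check_workbook` over the Credentials worksheet values before uploading; note that the page's own example "VMware1!" passes the SSO administrator profile but fails the NSX profiles on length and the SDDC Manager root profile on the dictionary rule, which is exactly the kind of mismatch the Excel validation can miss.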

Hosts and Networks Worksheet


The Hosts and Networks worksheet specifies the details for all networks and hosts. This
information is configured on the appropriate VMware Cloud Foundation components.

Management Domain Networks


This section covers the VLANs, gateways, MTU, and expected IP ranges and subnet mask for
each network you have configured on the Top of Rack switches in your environment.

With VMware Cloud Foundation 5.1 and later, you can create separate distributed port groups
for management VM traffic (for example, vCenter Server and NSX Manager) and for ESXi host
management traffic. You configure this during the VxRail first run.

Network Type VLAN Portgroup Name CIDR Notation Gateway MTU

The Management Network, vMotion Network, and vSAN Network rows share the following column
entries:

VLAN Enter the VLAN ID. The VLAN ID can be between 0 and 4094.
Note The VLAN ID for Uplink 1 and Uplink 2 Networks must be unique and not used by any other
network type.

Portgroup Name You cannot change the portgroup name prefix.

CIDR Notation Enter the CIDR notation for the management network only.
Note VxRail Manager configures the vMotion and vSAN networks.

Gateway Enter the gateway IP for the management network only.
Note VxRail Manager configures the vMotion and vSAN networks.

MTU Enter the MTU for the management network only. The MTU can be between 1500 and 9000.
Note VxRail Manager configures the vMotion and vSAN networks.

System vSphere Distributed Switch Used for NSX Overlay and VLAN Traffic
In VxRail Manager, you can choose to create one or two vSphere Distributed Switches (vDS)
for system traffic and to map physical NICs (pNICs) to those vSphere Distributed Switches. The
following fields are used to specify which system vDS and vmnics to use for NSX traffic (NSX
Overlay, NSX VLAN, Edge Overlay, and Uplink networks). You can also choose to create two
additional vDSes to use for NSX traffic. The Transport Zone Type indicates the type of NSX
traffic the vDS will be associated with (Overlay, VLAN, or Overlay/VLAN).

Note At least one vDS needs to be marked for Overlay.

System vSphere Distributed Switch - Name Enter the name of the vDS to use for overlay traffic.

System vSphere Distributed Switch - vmnics to be used for overlay traffic Enter the vmnics to use for overlay traffic.

System vSphere Distributed Switch - Transport Zone Type Select Overlay, VLAN, or Overlay/VLAN.

Secondary System vSphere Distributed Switch for NSX Overlay and VLAN Traffic
Choose Yes to use a secondary system vDS for overlay/VLAN traffic.

Secondary System vSphere Distributed Switch - Name Enter the name of the secondary system vSphere Distributed Switch (vDS).

Secondary System vSphere Distributed Switch - vmnics Enter the vmnics to assign to the secondary system vDS. For example: vmnic4, vmnic5

Secondary System vSphere Distributed Switch - Transport Zone Type Select Overlay, VLAN, or Overlay/VLAN.

Create Separate vSphere Distributed Switch for NSX Overlay/VLAN Traffic


If you want to use one of the system vSphere Distributed Switches that you created in VxRail
Manager for overlay traffic (Host Overlay, Edge Overlay, and Uplink networks), choose No.
Choose Yes to create a new vDS for overlay/VLAN traffic.

New vSphere Distributed Switch - Name Enter a name for the new vSphere Distributed Switch (vDS).

New vSphere Distributed Switch - vmnics Enter the vmnics to assign to the new vDS. For example: vmnic4, vmnic5

New vSphere Distributed Switch - MTU Size Enter the MTU size for the new vDS. Default value is 9000.

New vSphere Distributed Switch - Transport Zone Type Select Overlay, VLAN, or Overlay/VLAN.

Management Domain ESXi Hosts


Specify the IP addresses of the ESXi hosts for the management domain. In a standard
deployment, only four hosts are required in the management domain. VMware Cloud Foundation
can also be deployed with a consolidated architecture. In a consolidated deployment, all
workloads are deployed in the management domain instead of to separate workload domains. As
such, additional hosts may be required to provide the capacity needed. In this section, only enter
values for the number of hosts desired in the management domain.


Host Name IP Address

Enter host names for each of the four ESXi hosts. Enter IP Address for each of the four ESXi hosts.

ESXi Host Security Thumbprints


If you want bring-up to validate the SSH fingerprints of the ESXi hosts and the SSH fingerprint
and SSL thumbprint of the vCenter Server and VxRail Manager, to reduce the chance of a
man-in-the-middle (MITM) attack, select Yes in the Validate Thumbprints field.

If you set Validate Thumbprints to Yes, follow the steps below.

1 In a web browser, log in to the ESXi host using the VMware Host Client.

2 In the navigation pane, click Manage and click the Services tab.

3 Select the TSM-SSH service and click Start if not started.

4 Connect to the VMware Cloud Builder appliance using an SSH client such as PuTTY.

5 Enter the admin credentials you provided when you deployed the VMware Cloud Builder
appliance.

6 Retrieve the ESXi SSH fingerprints by entering the following command replacing hostname
with the FQDN of the first ESXi host:

ssh-keygen -lf <(ssh-keyscan hostname 2>/dev/null)

7 In the VMware Host Client, select the TSM-SSH service for the ESXi host and click Stop.

8 Repeat for the remaining ESXi hosts.

9 Retrieve the vCenter Server SSH fingerprint by entering the following command replacing
hostname with the FQDN of your vCenter Server:

ssh-keygen -lf <(ssh-keyscan hostname 2>/dev/null)

10 Retrieve the vCenter Server SSL thumbprint by entering the following command replacing
hostname with the FQDN of your vCenter Server:

openssl s_client -connect hostname:443 < /dev/null 2> /dev/null | openssl x509 -sha256 -fingerprint -noout -in /dev/stdin

11 Retrieve the VxRail Manager SSH fingerprint by entering the following command replacing
hostname with the FQDN of your VxRail Manager:

ssh-keygen -lf <(ssh-keyscan hostname 2>/dev/null)

12 Retrieve the VxRail Manager SSL thumbprint by entering the following command replacing
hostname with the FQDN of your VxRail Manager:

openssl s_client -connect hostname:443 < /dev/null 2> /dev/null | openssl x509 -sha256 -fingerprint -noout -in /dev/stdin

13 Enter the information in the deployment parameter workbook.
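The values collected in steps 6 through 12 are what bring-up compares against the live hosts, so it helps to know exactly how each is derived. The following added example (not Cloud Builder, VxRail, OpenSSH or OpenSSL code) reproduces both formats offline: `ssh-keygen -lf` on an `ssh-keyscan` line prints `SHA256:` followed by the unpadded base64 SHA-256 of the raw public-key blob, and `openssl x509 -sha256 -fingerprint` prints the colon-separated uppercase hex SHA-256 of the certificate's DER encoding. The host name, key bytes and certificate bytes below are constructed placeholders, and `normalize_thumbprint` exists so that a value pasted from either OpenSSL 1.1 (`SHA256 Fingerprint=`) or OpenSSL 3 (`sha256 Fingerprint=`) output compares equal to a freshly computed one.

```python
"""Derive the values that the thumbprint-validation steps above compare.

Added example, not Cloud Builder code. It reproduces what the two commands in
the procedure print, so a value entered in the workbook can be re-checked
against a host without re-running them. All sample inputs are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import struct


def ssh_fingerprint_from_blob(blob: bytes) -> str:
    """SHA256 fingerprint in `ssh-keygen -l` format: base64 with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan_line(line: str) -> tuple[str, str, str]:
    """Parse one `ssh-keyscan` line ('<host> <keytype> <base64 blob>').

    Returns (host, keytype, fingerprint). Comment lines ('# host SSH-2.0-...')
    are rejected, as is a blob whose embedded type does not match the text field.
    """
    if line.startswith("#"):
        raise ValueError("comment line, not a key")
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key type in blob does not match line")
    return host, keytype, ssh_fingerprint_from_blob(blob)


def build_ed25519_blob(raw_key: bytes) -> bytes:
    """Construct an ssh-ed25519 wire-format blob (used only to build sample input)."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def x509_sha256_thumbprint(der: bytes) -> str:
    """SHA-256 thumbprint in `openssl x509 -fingerprint` format: AB:CD:...:EF."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize_thumbprint(value: str) -> str:
    """Canonical form for comparing a workbook entry with a freshly computed value.

    Accepts "SHA256 Fingerprint=AB:CD:..." / "sha256 Fingerprint=..." (the full
    openssl output line), bare "AB:CD:...", or lowercase hex without separators.
    """
    value = value.strip()
    if "=" in value:
        value = value.split("=", 1)[1]
    return value.replace(":", "").upper()


def thumbprints_match(expected: str, observed: str) -> bool:
    """True when two thumbprints are equal after normalization."""
    return normalize_thumbprint(expected) == normalize_thumbprint(observed)


# Constructed sample inputs (placeholder host, key bytes and certificate bytes).
SAMPLE_KEYSCAN_LINE = "esxi-1.example.internal ssh-ed25519 " + base64.b64encode(
    build_ed25519_blob(bytes(range(32)))).decode()
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)  # not a real certificate

if __name__ == "__main__":
    print(parse_keyscan_line(SAMPLE_KEYSCAN_LINE))
    print(x509_sha256_thumbprint(SAMPLE_DER))
```

Because `ssh-keyscan` is itself an unauthenticated query, the fingerprint is only as trustworthy as the path to the host at the moment it was taken; compare it against the value shown on the host's own console (DCUI) or the VMware Host Client before entering it in the workbook.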

NSX Host Overlay Network


By default, VMware Cloud Foundation uses DHCP for the management domain Host Overlay
Network TEPs. For this option, a DHCP server must be configured on the NSX host overlay (Host
TEP) VLAN of the management domain. When NSX creates TEPs for the VI workload domain,
they are assigned IP addresses from the DHCP server.

For the management domain and VI workload domains with uniform L2 clusters, you can choose
to use static IP addresses instead. Make sure the IP range includes enough IP addresses for the
number of hosts that will use the static IP pool. The number of IP addresses required depends
on the number of pNICs on the ESXi hosts that are used for the vSphere Distributed Switch that
handles host overlay networking. For example, a host with four pNICs that uses two pNICs for
host overlay traffic requires two IP addresses in the static IP pool.

Table 5-2. DHCP Settings

Parameter Value

VLAN ID Enter a VLAN ID for the NSX host overlay network. The
VLAN ID can be between 0 and 4094.

Configure NSX Host Overlay Using a Static IP Pool Select No to use DHCP.

Table 5-3. Static IP Pool Settings

Parameter Value

VLAN ID Enter a VLAN ID for the NSX host overlay network. The
VLAN ID can be between 0 and 4094.

Configure NSX Host Overlay Using a Static IP Pool Select Yes to use a static IP pool.

Pool Description Enter a description for the static IP pool.

Pool Name Enter a name for the static IP pool.

CIDR Notation Enter CIDR notation for the NSX Host Overlay network.

Gateway Enter the gateway IP address for the NSX Host Overlay
network.

NSX Host Overlay Start IP Enter the first IP address to include in the static IP pool.

NSX Host Overlay End IP Enter the last IP address to include in the static IP pool.
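The sizing rule above (one TEP address per pNIC attached to the host-overlay vDS, per host) is easy to get wrong when a cluster grows. The following added example, not Cloud Builder code, applies that rule to the Table 5-3 values and adds checks the page implies but does not spell out: the pool must lie inside the CIDR, must not contain the gateway, and must not include the network or broadcast address. The addresses are constructed sample values.

```python
"""Sanity-check the Table 5-3 static IP pool values before uploading the workbook.

Added example, not Cloud Builder code. Applies the TEP sizing rule stated
above and checks that the pool fits inside the CIDR. Sample values are
constructed.
"""
from __future__ import annotations

import ipaddress


def pool_addresses(start_ip: str, end_ip: str) -> int:
    """Number of addresses in an inclusive start..end range."""
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip)
    if end < start:
        raise ValueError("end IP precedes start IP")
    return int(end) - int(start) + 1


def required_teps(host_count: int, overlay_pnics_per_host: int) -> int:
    """TEP addresses needed: one per pNIC used for host overlay, per host."""
    return host_count * overlay_pnics_per_host


def validate_static_pool(cidr: str, gateway: str, start_ip: str, end_ip: str,
                         host_count: int, overlay_pnics_per_host: int) -> list[str]:
    """Return a list of problems; an empty list means the pool passes."""
    problems = []
    network = ipaddress.ip_network(cidr, strict=False)
    gw = ipaddress.ip_address(gateway)
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip)
    reserved = (network.network_address, network.broadcast_address)
    if gw not in network:
        problems.append("gateway outside CIDR")
    if start not in network or end not in network:
        problems.append("pool outside CIDR")
    if start <= gw <= end:
        problems.append("gateway inside pool")
    if start in reserved or end in reserved:
        problems.append("pool includes network or broadcast address")
    try:
        available = pool_addresses(start_ip, end_ip)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    needed = required_teps(host_count, overlay_pnics_per_host)
    if available < needed:
        problems.append(f"pool has {available} addresses, {needed} needed")
    return problems


if __name__ == "__main__":
    # Constructed example: four hosts, two overlay pNICs each, /24 overlay VLAN.
    print(validate_static_pool("10.0.1.0/24", "10.0.1.1", "10.0.1.10", "10.0.1.20", 4, 2))
```

Size the pool for the hosts you expect to add later, not only the four hosts of a standard deployment; a pool that exactly fits today will block the next host-add operation.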

Deploy Parameters Worksheet: Existing Infrastructure Details


Your existing DNS infrastructure is used to provide forward and reverse name resolution for all
hosts and VMs in the VMware Cloud Foundation SDDC. External NTP sources are also utilized to
synchronize the time between the software components.


Table 5-4. Infrastructure

Parameter Value

DNS Server #1 Enter IP address of first DNS server.

DNS Server #2 Enter IP address of second DNS server.

Note If you have only one DNS server, enter n/a in this cell.

NTP Server #1 Enter IP address or FQDN of first NTP server.

NTP Server #2 Enter IP address or FQDN of second NTP server.

Note If you have only one NTP server, enter n/a in this cell.

Table 5-5. DNS Zone

Parameter Value

DNS Zone Name Enter root domain name for your SDDC management components.

Note VMware Cloud Foundation expects all components to be part of the same DNS zone.

Table 5-6. Customer Experience Improvement Program

Parameter Value

Enable Customer Experience Improvement Program (“CEIP”) Select an option to activate or deactivate CEIP across vSphere, NSX, and vSAN during bring-up.

Table 5-7. Enable FIPS Security Mode on SDDC Manager

Parameter Value

Enable FIPS Security Mode on SDDC Manager Select an option to activate or deactivate FIPS security mode during bring-up. VMware Cloud Foundation supports Federal Information Processing Standard (FIPS) 140-2. FIPS 140-2 is a U.S. and Canadian government standard that specifies security requirements for cryptographic modules. When you enable FIPS compliance, VMware Cloud Foundation enables FIPS cipher suites and components are deployed with FIPS enabled.
To learn more about support for FIPS 140-2 in VMware products, see https://www.vmware.com/security/certifications/fips.html.

Note This option is only available for new VMware Cloud Foundation installations and the
setting you apply during bring-up will be used for future upgrades. You cannot change the
FIPS security mode setting after bring-up.

Deploy Parameters Worksheet: VxRail Manager Details


The VxRail Manager Details section of the Deploy Parameters Worksheet specifies the details for
VxRail Manager.

VxRail Manager Details


Enter a host name and an IP address for VxRail Manager.


Deployment Parameters Worksheet: License Keys


Provide licensing information for VMware Cloud Foundation.

1 Select Yes or No for License Now.

2 If you select Yes, in the License Keys section, update the red fields with your license keys.
Ensure the license key matches the product listed in each row and that the license key is valid
for the version of the product listed in the VMware Cloud Foundation BOM. The license key
audit during bring-up validates both the format and validity of the key.

Note When using the per-TiB license for vSAN, be aware that VI workload domain
components like vCenter and NSX Manager will also consume the TiB capacity.

3 If you select No, the VMware Cloud Foundation components are deployed in evaluation
mode.

Important After bring-up, you must switch to licensed mode by adding component license
keys in the SDDC Manager UI or adding and assigning a solution license key in the vSphere
Client. See the VMware Cloud Foundation Administration Guide for information about adding
component license keys in the SDDC Manager UI. See Managing vSphere Licenses for more
information about adding and applying a solution license key for VMware ESXi and vCenter
Server in the vSphere Client. If you are using a solution license key, you must also add a
separate VMware vSAN license key for vSAN clusters. See Configure License Settings for a
vSAN Cluster.

Deploy Parameters Worksheet: vSphere Infrastructure


The vSphere infrastructure section of the Deploy Parameters Worksheet details how you want to
configure the vCenter Server and its related objects.

This section of the deployment parameter workbook contains sample configuration information,
but you can update them with names that meet your naming standards.

Note All host names entries within the deployment parameter workbook expect the short name.
VMware Cloud Builder takes the host name and the DNS zone provided to calculate the FQDN
value and performs validation prior to starting the deployment. The specified host names and IP
addresses must be resolvable using the DNS servers provided, both forward (hostname to IP)
and reverse (IP to hostname), otherwise the bring-up process will fail.
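Step 18 of the appliance deployment and the note above both require the same thing: every short name joined with the DNS zone must resolve forward to its workbook IP, and that IP must resolve back to the same FQDN. The following added example, not Cloud Builder code, runs that two-way check over a set of workbook rows. The resolver functions are injectable, so the check can be exercised offline with the constructed answer set at the bottom; by default it uses the system resolver through `socket`. The zone, host names and addresses are placeholders, not values from this guide.

```python
"""Forward/reverse DNS consistency check for the workbook host names.

Added example, not Cloud Builder code. Checks each short name + zone against
the workbook IP in both directions. Sample zone and records are constructed.
"""
from __future__ import annotations

import socket
from typing import Callable


def system_forward(fqdn: str) -> list[str]:
    """All IPv4 addresses for fqdn via the system resolver ([] if it does not resolve)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def system_reverse(ip: str) -> str | None:
    """PTR name for ip via the system resolver (None if there is no PTR)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_host(short_name: str, zone: str, ip: str,
               forward: Callable[[str], list[str]] = system_forward,
               reverse: Callable[[str], str | None] = system_reverse) -> list[str]:
    """Return problems for one workbook row ([] when forward and reverse agree)."""
    fqdn = f"{short_name}.{zone}".lower()
    problems = []
    addresses = forward(fqdn)
    if not addresses:
        problems.append(f"{fqdn}: no forward record")
    elif ip not in addresses:
        problems.append(f"{fqdn}: resolves to {addresses}, workbook says {ip}")
    ptr = reverse(ip)
    if ptr is None:
        problems.append(f"{ip}: no reverse record")
    elif ptr.lower().rstrip(".") != fqdn:
        problems.append(f"{ip}: reverse is {ptr}, expected {fqdn}")
    return problems


def check_workbook_hosts(zone: str, rows: dict[str, str],
                         forward=system_forward, reverse=system_reverse) -> list[str]:
    """Run check_host over {short_name: ip} rows and collect every problem."""
    problems = []
    for name, ip in rows.items():
        problems.extend(check_host(name, zone, ip, forward, reverse))
    return problems


# Constructed sample (placeholder zone and addresses): what a correctly
# populated zone would answer for three workbook rows.
SAMPLE_ZONE = "vcf.example.internal"
SAMPLE_ROWS = {"mgmt-esx01": "172.16.11.101",
               "mgmt-esx02": "172.16.11.102",
               "mgmt-vc01": "172.16.11.62"}
_FWD = {f"{n}.{SAMPLE_ZONE}": [ip] for n, ip in SAMPLE_ROWS.items()}
_REV = {ip: f"{n}.{SAMPLE_ZONE}" for n, ip in SAMPLE_ROWS.items()}


def sample_forward(fqdn: str) -> list[str]:
    return _FWD.get(fqdn, [])


def sample_reverse(ip: str) -> str | None:
    return _REV.get(ip)


if __name__ == "__main__":
    print(check_workbook_hosts(SAMPLE_ZONE, SAMPLE_ROWS, sample_forward, sample_reverse))
```

Run it from the Cloud Builder appliance itself (with the default resolvers) rather than from a workstation, since the appliance's configured DNS servers are the ones bring-up will use.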


Table 5-8. vCenter Server

Parameter Host Name IP Address

vCenter Server Enter a host name for the vCenter Server. Enter the IP address for the vCenter Server that is part of the management VLAN.

Note This is the same VLAN and IP address space where the ESXi management VMkernel adapters reside.

Table 5-9. vCenter Datacenter and Cluster

Parameter Value

Datacenter Name Enter a name for the management datacenter.

Cluster Name Enter a name for the management cluster.

Note You specify the vSphere Lifecycle Manager method (vSphere Lifecycle Manager images
or vSphere Lifecycle Manager baselines) for the vSAN cluster during the VxRail first run. vSAN
Express Storage Architecture (ESA) requires vSphere Lifecycle Manager images.

Note Enhanced vMotion Compatibility (EVC) is automatically enabled on the VxRail
management cluster.

Select the architecture model you plan to use. If you choose Consolidated, specify the names for
the vSphere resource pools. You do not need to specify resource pool names if you are using the
standard architecture model. See Introducing VMware Cloud Foundation for more information
about these architecture models.

Table 5-10. vSphere Resource Pools

Parameter Value

Resource Pool SDDC Management Specify the vSphere resource pool name for management
VMs.

Resource Pool User Edge Specify the vSphere resource pool name for user
deployed NSX VMs in a consolidated architecture.

Resource Pool User VM Specify the vSphere resource pool name for user
deployed workload VMs.

Note Resource pools are created with Normal CPU and memory shares.


Table 5-11. vSphere Datastore

Parameter Value

vSAN Datastore Name Enter vSAN datastore name for your management
components.

Note You specify the vSAN storage architecture (vSAN ESA or vSAN OSA) during the VxRail
first run. To use vSAN Express Storage Architecture (ESA) you must use vSphere Lifecycle
Manager images for managing the lifecycle of ESXi hosts in the primary cluster of management
domain.

If the VMware Cloud Builder appliance does not have direct internet access, you can configure a
proxy server to download the vSAN HCL JSON. A recent version of the HCL JSON file is required
for vSAN ESA.

Table 5-12. Proxy Server Configuration

Parameter Value

Proxy Server Configuration Select Yes to configure a proxy server.

Proxy Server Enter the proxy server FQDN or IP address.

Proxy Port Enter the proxy server port.

Proxy Username

Proxy Password

Proxy Transfer Protocol

HTTPs Proxy Certificate (PEM Encoded)

Deploy Parameters Worksheet: VMware NSX


The NSX section of the Deploy Parameters Worksheet specifies the details you want to use for
deploying VMware NSX components.

Table 5-13. NSX Management Cluster

Parameter Value

NSX Management Cluster VIP Enter the host name and IP address for the NSX Manager
VIP.
The host name can match your naming standards but
must be registered in DNS with both forward and reverse
resolution matching the specified IP.

Note This is the same VLAN and IP address space where the vCenter and ESXi management
VMkernel adapters reside.

NSX Virtual Appliance Node #1 Enter the host name and IP address for the first node in
the NSX Manager cluster.


Table 5-13. NSX Management Cluster (continued)

Parameter Value

NSX Virtual Appliance Node #2 Enter the host name and IP address for the second node
in the NSX Manager cluster.

NSX Virtual Appliance Node #3 Enter the host name and IP address for the third node in
the NSX Manager cluster.

NSX Virtual Appliance Size Select the size for the NSX Manager virtual appliances.
The default is medium.

Deploy Parameters Worksheet: SDDC Manager


The SDDC Manager section of the Deploy Parameters Worksheet specifies the details for
deploying SDDC Manager.

Table 5-14. SDDC Manager

Parameter Value

SDDC Manager Hostname Enter a host name for the SDDC Manager VM.

SDDC Manager IP Address Enter an IP address for the SDDC Manager VM.

Cloud Foundation Management Domain Name Enter a name for the management domain. This name will
appear in Inventory > Workload Domains in the SDDC
Manager UI.

6 Troubleshooting VMware Cloud Foundation Deployment
During the deployment stage of VMware Cloud Foundation you can use log files and the
Supportability and Serviceability (SoS) Tool to help with troubleshooting.

Read the following topics next:

n Using the SoS Utility on VMware Cloud Builder

n VMware Cloud Builder Log Files

Using the SoS Utility on VMware Cloud Builder


You can run the Supportability and Serviceability (SoS) Utility on the VMware Cloud Builder
appliance to generate a support bundle, which you can use to help debug a failed bring-up of
VMware Cloud Foundation.

Note After a successful bring-up, you should only run the SoS Utility on the SDDC Manager
appliance. See Supportability and Serviceability (SoS) Tool in the VMware Cloud Foundation
Administration Guide.

The SoS Utility is not a debug tool, but it does provide health check operations that can facilitate
debugging a failed deployment.

To run the SoS Utility in VMware Cloud Builder, SSH in to the VMware Cloud Builder appliance
using the admin administrative account, then enter su to switch to the root user, and navigate to
the /opt/vmware/sddc-support directory and type ./sos followed by the options required for
your desired operation.

./sos --option-1 --option-2 ... --option-n

SoS Utility Help Options


Use these options to see information about the SoS tool itself.

Option Description

--help, -h Provides a summary of the available SoS tool options.

--version, -v Provides the SoS tool's version number.

SoS Utility Generic Options


These are generic options for the SoS Utility.

Option Description

--configure-sftp Configures SFTP for logs.

--debug-mode Runs the SoS tool in debug mode.

--force Allows SoS operations from the VMware Cloud Builder appliance after bring-up.

Note In most cases, you should not use this option. Once bring-up is
complete, you can run the SoS Utility directly from the SDDC Manager
appliance.

--history Displays the last twenty SoS operations performed.

--log-dir LOGDIR Specifies the directory to store the logs.

--log-folder LOGFOLDER Specifies the name of the log directory.

--setup-json SETUP_JSON Custom setup-json file for log collection.


SoS prepares the inventory automatically based on the environment where
it is running. If you want to collect logs for a pre-defined set of components,
you can create a setup.json file and pass the file as input to SoS. A sample
JSON file is available on the VMware Cloud Builder in the /opt/vmware/
sddc-support/ directory.

--skip-known-host-check Skips the SSL thumbprint check against the known hosts list for each host.

--zip Creates a zipped tar file for the output.

SoS Utility Log File Options


Option Description

--api-logs Collects output from APIs.

--cloud-builder-logs Collects Cloud Builder logs.

--esx-logs Collects logs from the ESXi hosts only. Logs are collected from each ESXi host available in the deployment.

--no-clean-old-logs Use this option to prevent the tool from removing any output from a
previous collection run.
By default, before writing the output to the directory, the tool deletes
the prior run's output files that might be present. If you want to retain
the older output files, specify this option.

--no-health-check Skips the health check executed as part of log collection.

--nsx-logs Collects logs from the NSX Manager instances only.

--rvc-logs Collects logs from the Ruby vSphere Console (RVC) only. RVC is an
interface for ESXi and vCenter.

Note If the Bash shell is not enabled in vCenter, RVC log collection will be skipped.

Note RVC logs are not collected by default with ./sos log collection.

--sddc-manager-logs Collects logs from the SDDC Manager only.

--test Collects test logs by verifying the files.

--vc-logs Collects logs from the vCenter Server instances only. Logs are collected from each vCenter Server available in the deployment.

--vm-screenshots Collects screen shots from all VMs.

SoS Utility JSON Generator Options


The JSON generator options within the SoS Utility provide a method to execute the creation of
the JSON file from a completed deployment parameter workbook. To run the JSON generator,
you must provide, as a minimum, a path to the deployment parameter workbook and the design
type using the following syntax:

./sos --jsongenerator --jsongenerator-input JSONGENERATORINPUT --jsongenerator-design JSONGENERATORDESIGN

Option Description

--jsongenerator Invokes the JSON generator utility.

--jsongenerator-input JSONGENERATORINPUT Specify the path to the input file to be used by the JSON generator utility. For example: /tmp/vcf-ems-deployment-parameter.xlsx.

--jsongenerator-design JSONGENERATORDESIGN Use vcf-vxrail for VMware Cloud Foundation on Dell VxRail.

--jsongenerator-supress Suppress the confirmation prompt and force cleanup of the directory. (optional)

--jsongenerator-logs JSONGENERATORLOGS Set the directory to be used for logs. (optional)

SoS Utility Health Check Options


The SoS Utility can be used to perform health checks on various components or services,
including connectivity, compute, and storage.

Note The health check options are primarily designed to run on the SDDC Manager appliance.
Running them on the VMware Cloud Builder appliance requires the --force parameter, which
instructs the SoS Utility to identify the SDDC Manager appliance deployed by VMware Cloud
Builder during the bring-up process, and then execute the health check remotely. For example:

./sos --health-check --force

Option Description

--certificate-health Verifies that the component certificates are valid (within the expiry
date).

--connectivity-health Performs a connectivity health check to inspect whether the different components of the system, such as the ESXi hosts, vCenter Servers, NSX Manager VMs, and SDDC Manager VM, can be pinged.

--compute-health Performs a compute health check.

--general-health Verifies ESXi entries across all sources, checks the Postgres DB
operational status for hosts, checks ESXi for error dumps, and gets NSX
Manager and cluster status.

--get-host-ips Returns server information.

--health-check Performs all available health checks.

--ntp-health Verifies whether the time on the components is synchronized with the
NTP server in the VMware Cloud Builder appliance.

--services-health Performs a services health check to confirm whether services are running.

--run-vsan-checks Runs proactive vSAN tests to verify the ability to create VMs within the
vSAN disks.

Sample Output
The following text is a sample output from an --ntp-health operation.

root@cloud-builder [ /opt/vmware/sddc-support ]# ./sos --ntp-health --skip-known-host --force


Welcome to Supportability and Serviceability(SoS) utility!

User passed --force flag, Running SOS from Cloud Builder VM, although Bringup is completed
and SDDC Manager is available. Please expect failures with SoS operations.
Health Check : /var/log/vmware/vcf/sddc-support/healthcheck-2020-02-11-23-03-53-24681
Health Check log : /var/log/vmware/vcf/sddc-support/healthcheck-2020-02-11-23-03-53-24681/
sos.log
SDDC Manager : sddc-manager.vrack.vsphere.local
NTP : GREEN


+-----+-----------------------------------------+------------+-------+
| SL# | Area | Title | State |
+-----+-----------------------------------------+------------+-------+
| 1 | ESXi : esxi-1.vrack.vsphere.local | ESX Time | GREEN |
| 2 | ESXi : esxi-2.vrack.vsphere.local | ESX Time | GREEN |
| 3 | ESXi : esxi-3.vrack.vsphere.local | ESX Time | GREEN |
| 4 | ESXi : esxi-4.vrack.vsphere.local | ESX Time | GREEN |
| 5 | vCenter : vcenter-1.vrack.vsphere.local | NTP Status | GREEN |
+-----+-----------------------------------------+------------+-------+

Legend:

GREEN - No attention required, health status is NORMAL


YELLOW - May require attention, health status is WARNING
RED - Requires immediate attention, health status is CRITICAL

Health Check completed successfully for : [NTP-CHECK]
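
To act on the health-check result in a script rather than reading the table by eye, the following Python parser extracts the per-component rows from the bordered table format shown above and ranks anything that is not GREEN using the legend's severity order. This is an added example, not code from this guide or from the SoS utility; the sample text is constructed from the NTP-check output above, with one YELLOW and one RED row added so that the warning and critical paths are exercised, and the function names are the example's own.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample, modelled on the --ntp-health output earlier in this section.
# One YELLOW row and one RED row were added so the non-GREEN paths are exercised;
# the real run shown above reported GREEN for every component.
SAMPLE_SOS_OUTPUT = """\
SDDC Manager : sddc-manager.vrack.vsphere.local
NTP : RED

+-----+-----------------------------------------+------------+--------+
| SL# | Area                                    | Title      | State  |
+-----+-----------------------------------------+------------+--------+
| 1   | ESXi : esxi-1.vrack.vsphere.local       | ESX Time   | GREEN  |
| 2   | ESXi : esxi-2.vrack.vsphere.local       | ESX Time   | YELLOW |
| 3   | ESXi : esxi-3.vrack.vsphere.local       | ESX Time   | GREEN  |
| 4   | ESXi : esxi-4.vrack.vsphere.local       | ESX Time   | RED    |
| 5   | vCenter : vcenter-1.vrack.vsphere.local | NTP Status | GREEN  |
+-----+-----------------------------------------+------------+--------+

Legend:

GREEN - No attention required, health status is NORMAL
YELLOW - May require attention, health status is WARNING
RED - Requires immediate attention, health status is CRITICAL

Health Check completed successfully for : [NTP-CHECK]
"""

# Severity order taken from the legend SoS prints after the table.
SEVERITY = {"GREEN": 0, "YELLOW": 1, "RED": 2}


@dataclass(frozen=True)
class HealthRow:
    serial: int
    component: str  # "ESXi", "vCenter", ...
    target: str     # FQDN of the checked system
    title: str      # the individual check, e.g. "ESX Time"
    state: str      # GREEN, YELLOW or RED


def parse_health_table(text: str) -> list[HealthRow]:
    """Return one HealthRow per data row of the +---+ bordered SoS table."""
    rows: list[HealthRow] = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # borders, legend and log paths are not table rows
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "SL#":
            continue  # header row
        serial, area, title, state = cells
        if state not in SEVERITY:
            raise ValueError(f"unknown state {state!r} in row: {line}")
        component, _, target = area.partition(":")
        rows.append(HealthRow(int(serial), component.strip(), target.strip(), title, state))
    return rows


def overall_state(rows: list[HealthRow]) -> str:
    """Worst state across all rows; an empty table is treated as RED (nothing was checked)."""
    if not rows:
        return "RED"
    return max(rows, key=lambda r: SEVERITY[r.state]).state


def needs_attention(rows: list[HealthRow]) -> list[HealthRow]:
    """Non-GREEN rows, most severe first, so RED items are handled before YELLOW ones."""
    flagged = [r for r in rows if r.state != "GREEN"]
    return sorted(flagged, key=lambda r: (-SEVERITY[r.state], r.serial))


def summarize(text: str) -> dict:
    """Compact result suitable for a pre-bring-up gate or a monitoring hook."""
    rows = parse_health_table(text)
    return {
        "overall": overall_state(rows),
        "checked": len(rows),
        "attention": [
            f"{r.state}: {r.component} {r.target} ({r.title})" for r in needs_attention(rows)
        ],
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_SOS_OUTPUT)
    print(result["overall"], result["checked"])
    for item in result["attention"]:
        print(item)
```

Treating an empty table as RED is deliberate: a run that checked nothing should not pass a gate that expects every host to have been examined.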

The following text is sample output from a --vm-screenshots log collection operation.

root@cloud-builder [ /opt/vmware/sddc-support ]# ./sos --vm-screenshots --skip-known-host --force

Welcome to Supportability and Serviceability(SoS) utility!

User passed --force flag, Running SOS from Cloud Builder VM, although Bringup is completed
and SDDC Manager is available. Please expect failures with SoS operations.
Logs : /var/log/vmware/vcf/sddc-support/sos-2018-08-24-10-50-20-8013
Log file : /var/log/vmware/vcf/sddc-support/sos-2018-08-24-10-50-20-8013/sos.log
Log Collection completed successfully for : [VMS_SCREENSHOT]

VMware Cloud Builder Log Files

VMware Cloud Builder contains various log files for different components of the system.

VMware Cloud Builder has a number of components that are used during the bring-up process.
Each component generates a log file that can be used for troubleshooting. The components and
their purpose are:

n JsonGenerator: Used to convert the deployment parameter workbook into the required
configuration file (JSON) that is used by the Bringup Validation Service and Bringup Service.

n Bringup Service: Used to perform the validation of the configuration file (JSON), the ESXi
hosts and infrastructure where VMware Cloud Foundation will be deployed, and to perform
the deployment and configuration of the management domain components and the first
cluster.

n Supportability and Serviceability (SoS) Utility: A command line utility for troubleshooting
deployment issues.

The following table describes the log file locations:

Component        Log Name                 Location
JsonGenerator    jsongenerator-timestamp  /var/log/vmware/vcf/sddc-support/
Bringup Service  vcf-bringup.log          /var/log/vmware/vcf/bringup/
                 vcf-bringup-debug.log    /var/log/vmware/vcf/bringup/
                 rest-api-debug.log       /var/log/vmware/vcf/bringup/
SoS Utility      sos.log                  /var/log/vmware/vcf/sddc-support/sos-timestamp/

7 Getting Started with SDDC Manager

You use SDDC Manager to perform administration tasks on your VMware Cloud Foundation
instance. The SDDC Manager UI provides an integrated view of the physical and virtual
infrastructure and centralized access to manage the physical and logical resources.

You work with the SDDC Manager UI by loading it in a web browser. For the list of supported
browsers and versions, see the Release Notes.

Read the following topics next:

n Log in to the SDDC Manager User Interface

n Guided SDDC Manager Onboarding

n Tour of the SDDC Manager User Interface

n Log out of the SDDC Manager User Interface

Log in to the SDDC Manager User Interface

Connect to the SDDC Manager appliance by logging into the SDDC Manager UI using a
supported web browser.

Prerequisites

To log in, you need the SDDC Manager IP address or FQDN and the password for the single
sign-on user (for example, administrator@vsphere.local). You added this information to the
deployment parameter workbook before bring-up.

Procedure

1 In a web browser, type one of the following.

n https://FQDN where FQDN is the fully-qualified domain name of the SDDC Manager
appliance.

n https://IP_address where IP_address is the IP address of the SDDC Manager appliance.

2 Log in to the SDDC Manager UI with vCenter Server Single Sign-On user credentials.

Results

You are logged in to SDDC Manager UI and the Dashboard page appears in the web browser.

Guided SDDC Manager Onboarding

VMware Cloud Foundation includes an onboarding dashboard to help you with configuring a
healthy SDDC Manager environment.

This dashboard appears when you log into SDDC Manager. It provides a walk-through for initial
configuration, including the recommended order for completing each task. After completing the
walk-through, a banner at the top of the screen offers a tour of the SDDC Manager UI.

You can skip sections and exit out of the guided setup at any point. This dashboard automatically
shows unless you click "Don't show onboarding screen again" and close the page. Clicking this
option also prevents the optional guided tour from automatically displaying in the future.

Use the Help Icon in the upper-right corner of the page to later access the onboarding dashboard
and guided tour.

Tour of the SDDC Manager User Interface

The SDDC Manager UI provides a single point of control for managing and monitoring your
VMware Cloud Foundation instance and for provisioning workload domains.

You use the navigation bar to move between the main areas of the user interface.

Navigation Bar
The navigation bar is available on the left side of the interface and provides a hierarchy for
navigating to the corresponding pages.

Category              Functional Areas

Dashboard             The Dashboard provides the high-level administrative view for SDDC
                      Manager in the form of widgets. There are widgets for Solutions;
                      Workload Domains; Host Types and Usage; Ongoing and Scheduled
                      Updates; Update History; CPU, Memory, Storage Usage; and Recent
                      Tasks.
                      You can control the widgets that are displayed and how they are
                      arranged on the dashboard.
                      n To rearrange widgets, click the heading of the widget and drag it
                        to the desired position.
                      n To hide a widget, hover the mouse anywhere over the widget to
                        reveal the X in the upper-right corner, and click the X.
                      n To add a widget, click the three dots in the upper right corner
                        of the page and select Add New Widgets. This displays all hidden
                        widgets. Select a widget and click Add.

Solutions             Solutions include the following section:
                      n Kubernetes - Workload Management allows you to start a Workload
                        Management deployment and view Workload Management cluster
                        details.

Inventory             Inventory includes the following sections:
                      n Workload Domains takes you to the Workload Domains page, which
                        displays and provides access to all workload domains.
                        This page includes summary information about all workload
                        domains, including domain type, storage usage, configuration
                        status, owner, clusters, hosts and update availability. It also
                        displays CPU, memory, and storage utilization for each workload
                        domain, and collectively across all domains.
                      n Hosts takes you to the Hosts page, which displays and provides
                        access to current hosts and controls for managing hosts.
                        This page includes detailed information about all hosts, including
                        FQDN, host IP, network pool, configuration status, host state,
                        cluster, and storage type. It also displays CPU and memory
                        utilization for each host, and collectively across all hosts.

Lifecycle Management  Lifecycle Management includes the following sections:
                      n Release Versions displays the versions in your environment and
                        the associated component versions in that release.
                      n Bundle Management displays the available install, update, and
                        upgrade bundles for your environment, and your bundle download
                        history.
                        Note To access bundles, you must be logged in to your Broadcom
                        Support Portal account through the Administration > Depot
                        Settings page.

Administration        Administration includes the following sections:
                      n Network Settings allows you to update the DNS and NTP servers
                        that VMware Cloud Foundation uses.
                      n Licensing allows you to manage VMware product licenses. You can
                        also add licenses for the component products in your VMware Cloud
                        Foundation deployment.
                      n Single Sign On allows you to manage VMware Cloud Foundation users
                        and groups, including adding users and groups and assigning
                        roles. You can also configure identity providers for VMware Cloud
                        Foundation.
                      n Proxy Settings allows you to configure a proxy server to download
                        install and upgrade bundles from the VMware Depot.
                      n Depot Settings allows you to log in to your Broadcom Support
                        Portal and Dell accounts to download install and upgrade bundles.
                      n VMware Aria Suite allows you to deploy VMware Aria Suite Lifecycle
                        and configure connections between workload domains and VMware
                        Aria Suite products.
                      n Backup allows you to register an external SFTP server with SDDC
                        Manager for backing up SDDC Manager and NSX Managers. You can
                        also configure the backup schedule for SDDC Manager.
                      n VMware CEIP allows you to join or leave the VMware Customer
                        Experience Improvement Program.

Security              n Password Management allows password management actions, such as
                        rotation, updates and remediation.
                      n Certificate Authority allows you to integrate with your Microsoft
                        Certificate Authority Server.

Developer Center      The VMware Cloud Foundation Developer Center includes the following
                      sections:
                      n Overview: API reference documentation. Includes information and
                        steps for all the Public APIs supported by VMware Cloud Foundation.
                      n API Explorer: Lists the APIs and allows you to invoke them directly
                        on your VMware Cloud Foundation system.

Log out of the SDDC Manager User Interface

Log out of the SDDC Manager UI when you have completed your tasks.

Procedure

1 In the SDDC Manager UI, click the logged-in account name in the upper right corner.

2 Click Log out.

8 Configure the Customer Experience Improvement Program Settings for VMware Cloud
Foundation

VMware Cloud Foundation participates in the VMware Customer Experience Improvement
Program (CEIP). You can choose to activate or deactivate CEIP for your VMware Cloud
Foundation instance.

The Customer Experience Improvement Program provides VMware with information that allows
VMware to improve its products and services, to fix problems, and to advise you on how best to
deploy and use our products. As part of the CEIP, VMware collects technical information about
your organization’s use of the VMware products and services regularly in association with your
organization’s VMware license keys. This information does not personally identify any individual.
For additional information regarding the CEIP, refer to the Trust & Assurance Center at
http://www.vmware.com/trustvmware/ceip.html.

You can activate or deactivate CEIP across all the components deployed in VMware Cloud
Foundation by the following methods:

n When you log into SDDC Manager for the first time, a pop-up window appears. The Join the
VMware Customer Experience Program option is selected by default. Deselect this option if
you do not want to join CEIP. Click Apply.

n You can activate or deactivate CEIP from the Administration tab in the SDDC Manager UI.

Procedure

1 In the navigation pane, click Administration > VMware CEIP.


2 To activate CEIP, select the Join the VMware Customer Experience Improvement Program
option.

3 To deactivate CEIP, deselect the Join the VMware Customer Experience Improvement
Program option.

9 Managing Certificates in VMware Cloud Foundation

You can use the SDDC Manager UI to manage certificates in a VMware Cloud Foundation
instance, including integrating a certificate authority, generating and submitting certificate signing
requests (CSR) to a certificate authority, and downloading and installing certificates.

Starting with VMware Cloud Foundation 5.2.1, you can also manage certificates using the vSphere
Client.

This section provides instructions for the SDDC Manager UI to:

n Use OpenSSL as a certificate authority, which is a native option in SDDC Manager.

n Integrate with Microsoft Active Directory Certificate Services.

n Provide signed certificates from another external Certificate Authority.

You can manage the certificates for the following components.

n vCenter Server

n NSX Manager

n VMware Avi Load Balancer (formerly known as NSX Advanced Load Balancer)

n SDDC Manager

n VxRail Manager

n VMware Aria Suite Lifecycle

Note Use VMware Aria Suite Lifecycle to manage certificates for the other VMware Aria
Suite components.

You replace certificates for the following reasons:

n A certificate has expired or is nearing its expiration date.

n A certificate has been revoked by the issuing certificate authority.

n You do not want to use the default VMCA-signed certificates.

n Optionally, when you create a new workload domain.

It is recommended that you replace all certificates after completing the deployment of the
VMware Cloud Foundation management domain. After you create a new VI workload domain,
you can replace certificates for the appropriate components as needed.


Read the following topics next:

n View Certificate Information

n Configure VMware Cloud Foundation to Use Microsoft CA-Signed Certificates

n Configure VMware Cloud Foundation to Use OpenSSL CA-Signed Certificates

n Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate Authority
Files

n Install Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate
Bundle

n Remove Old or Unused Certificates from SDDC Manager

View Certificate Information

You can view details of an applied certificate for a resource directly through the SDDC Manager
UI.

The SDDC Manager UI provides a banner notification for any certificates that are expiring in the
next 30 days.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, from the table, in the domain column click the domain you
want to view.

3 On the domain summary page, click the Certificates tab.

This tab lists the certificates for each resource type associated with the workload domain. It
displays the following details:

n Resource type

n Issuer, the certificate authority name

n Resource hostname


n Valid From

n Valid Until

n Certificate status: Active, Expiring, or Expired.

n Certificate operation status

4 To view certificate details, expand the resource next to the Resource Type column.

Configure VMware Cloud Foundation to Use Microsoft CA-Signed Certificates

VMware Cloud Foundation supports the ability to manage certificates by integrating with
Microsoft Active Directory Certificate Services (Microsoft CA). Before you can perform certificate
operations using the SDDC Manager UI, you must ensure that the Microsoft Certificate Authority
is configured correctly.

Complete the following tasks to manage Microsoft CA-signed certificates using SDDC Manager.

Prepare Your Microsoft Certificate Authority to Allow SDDC Manager to Manage Certificates

To ensure secure and operational connectivity between the SDDC components, you apply signed
certificates provided by a Microsoft Certificate Authority for the SDDC components.

You use SDDC Manager to generate the certificate signing request (CSRs) and request a signed
certificate from the Microsoft Certificate Authority. SDDC Manager is then used to install the
signed certificates to SDDC components it manages. In order to achieve this the Microsoft
Certificate Authority must be configured to allow integration with SDDC Manager.

Install Microsoft Certificate Authority Roles

Install the Certificate Authority and Certificate Authority Web Enrollment roles on the Microsoft
Certificate Authority server to facilitate certificate generation from SDDC Manager.

Note When connecting SDDC Manager to Microsoft Active Directory Certificate Services, ensure
that Web Enrollment role is installed on the same machine where the Certificate Authority role
is installed. SDDC Manager can't request and sign certificates automatically if the two roles
(Certificate Authority and Web Enrollment roles) are installed on different machines.

Procedure

1 Log in to the Microsoft Certificate Authority server by using a Remote Desktop Protocol
(RDP) client.

FQDN      Active Directory Host
User      Active Directory administrator
Password  ad_admin_password

2 Add roles to Microsoft Certificate Authority server.

a Click Start > Run, enter ServerManager, and click OK.

b From the Dashboard, click Add roles and features to start the Add Roles and Features
wizard.

c On the Before you begin page, click Next.

d On the Select installation type page, click Next.

e On the Select destination server page, click Next.

f On the Select server roles page, under Active Directory Certificate Services, select
Certification Authority and Certification Authority Web Enrollment and click Next.

g On the Select features page, click Next.

h On the Confirm installation selections page, click Install.

Configure the Microsoft Certificate Authority for Basic Authentication

Configure the Microsoft Certificate Authority with basic authentication to allow SDDC Manager
to manage signed certificates.

Prerequisites

The Microsoft Certificate Authority and IIS must be installed on the same server.

Procedure

1 Log in to the Active Directory server by using a Remote Desktop Protocol (RDP) client.

FQDN      Active Directory Host
User      Active Directory administrator
Password  ad_admin_password

2 Add Basic Authentication to the Web Server (IIS).

a Click Start > Run, enter ServerManager, and click OK.

b From the Dashboard, click Add roles and features to start the Add Roles and Features
wizard.

c On the Before you begin page, click Next.

d On the Select installation type page, click Next.

e On the Select destination server page, click Next.

f On the Select server roles page, under Web Server (IIS) > Web Server > Security, select
Basic Authentication and click Next.

g On the Select features page, click Next.

h On the Confirm installation selections page, click Install.

3 Configure the certificate service template and CertSrv web site, for basic authentication.

a Click Start > Run, enter Inetmgr.exe and click OK to open the Internet Information
Services Application Server Manager.

b Navigate to your_server > Sites > Default Web Site > CertSrv.

c Under IIS, double-click Authentication.

d On the Authentication page, right-click Basic Authentication and click Enable.

e In the navigation pane, select Default Web Site.

f In the Actions pane, under Manage Website, click Restart for the changes to take effect.

Create and Add a Microsoft Certificate Authority Template

You must set up a certificate template in the Microsoft Certificate Authority. The template
contains the certificate authority attributes for signing certificates for the VMware Cloud
Foundation components. After you create the template, you add it to the certificate templates of
the Microsoft Certificate Authority.

Procedure

1 Log in to the Active Directory server by using a Remote Desktop Protocol (RDP) client.

FQDN      Active Directory Host
User      Active Directory administrator
Password  ad_admin_password

2 Click Start > Run, enter certtmpl.msc, and click OK.

3 In the Certificate Template Console window, under Template Display Name, right-click Web
Server and select Duplicate Template.

4 In the Properties of New Template dialog box, click the Compatibility tab and configure the
following values.

Setting                  Value
Certification Authority  Windows Server 2008 R2
Certificate recipient    Windows 7 / Server 2008 R2

5 In the Properties of New Template dialog box, click the General tab and enter a name for
example, VMware in the Template display name text box.

6 In the Properties of New Template dialog box, click the Extensions tab and configure the
following.

a Click Application Policies and click Edit.

b Click Server Authentication, click Remove, and click OK.

c Click Basic Constraints and click Edit.

d Click the Enable this extension check box and click OK.

e Click Key Usage and click Edit.

f Click the Signature is proof of origin (nonrepudiation) check box, leave the defaults for
all other options and click OK.

7 In the Properties of New Template dialog box, click the Subject Name tab, ensure that the
Supply in the request option is selected, and click OK to save the template.

8 Add the new template to the certificate templates of the Microsoft CA.

a Click Start > Run, enter certsrv.msc, and click OK.

b In the Certification Authority window, expand the left pane, right-click Certificate
Templates, and select New > Certificate Template to Issue.

c In the Enable Certificate Templates dialog box, select VMware, and click OK.

Assign Certificate Management Privileges to the SDDC Manager Service Account

Before you can use the Microsoft Certificate Authority and the pre-configured template, it is
recommended to configure least privilege access to the Microsoft Active Directory Certificate
Services using an Active Directory user account as a restricted service account.

Prerequisites

n Create a user account in Active Directory with Domain Users membership. For example,
svc-vcf-ca.

Procedure

1 Log in to the Microsoft Certificate Authority server by using a Remote Desktop Protocol
(RDP) client.

FQDN      Active Directory Host
User      Active Directory administrator
Password  ad_admin_password

2 Configure least privilege access for a user account on the Microsoft Certificate Authority.

a Click Start > Run, enter certsrv.msc, and click OK.

b Right-click the certificate authority server and click Properties.

c Click the Security tab, and click Add.

d Enter the name of the user account and click OK.

e In the Permissions for .... section, configure the permissions and click OK.

Setting                        Value (Allow)
Read                           Deselected
Issue and Manage Certificates  Selected
Manage CA                      Deselected
Request Certificates           Selected

3 Configure least privilege access for the user account on the Microsoft Certificate Authority
Template.

a Click Start > Run, enter certtmpl.msc, and click OK.

b Right-click the VMware template and click Properties.

c Click the Security tab, and click Add.

d Enter the svc-vcf-ca service account and click OK.

e In the Permissions for .... section, configure the permissions and click OK.

Setting       Value (Allow)
Full Control  Deselected
Read          Selected
Write         Deselected
Enroll        Selected
Autoenroll    Deselected

Configure a Microsoft Certificate Authority in SDDC Manager

You configure a connection between SDDC Manager and a Microsoft Certificate Authority by
entering your service account credentials.

Prerequisites

n Verify connectivity between SDDC Manager and the Microsoft Certificate Authority Server.
See VMware Ports and Protocols.

n Verify that the Microsoft Certificate Authority Server has the correct roles installed on the
same machine where the Certificate Authority role is installed. See Install Microsoft Certificate
Authority Roles.

n Verify the Microsoft Certificate Authority Server has been configured for basic authentication.
See Configure the Microsoft Certificate Authority for Basic Authentication.

n Verify a valid certificate template has been configured on the Microsoft Certificate Authority.
See Create and Add a Microsoft Certificate Authority Template.

n Verify least privileged user account has been configured on the Microsoft Certificate
Authority Server and Template. See Assign Certificate Management Privileges to the SDDC
Manager Service Account.

n Verify that time is synchronized between the Microsoft Certificate Authority and the SDDC
Manager appliance. Each system can be configured with a different timezone, but it is
recommended that they receive their time from the same NTP source.

Procedure

1 In the navigation pane, click Security > Certificate Authority.

2 Click Edit.

3 Configure the settings and click Save.

Setting                     Value
Certificate Authority Type  Microsoft
CA Server URL               Specify the URL for the issuing certificate authority. This
                            address must begin with https:// and end with certsrv. For
                            example, https://ca.rainpole.io/certsrv.
User Name                   Enter a least privileged service account. For example,
                            svc-vcf-ca.
Password                    Enter the password for the least privileged service account.
Template Name               Enter the issuing certificate template name. You must create
                            this template in Microsoft Certificate Authority. For example,
                            VMware.

4 In the CA Server Certificate Details dialog box, click Accept.

Install Microsoft CA-Signed Certificates using SDDC Manager

Replace the self-signed certificates with signed certificates from the Microsoft Certificate
Authority by using SDDC Manager.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, from the table, in the domain column click the workload
domain you want to view.

3 On the domain summary page, click the Certificates tab.


4 Generate CSR files for the target components.

a From the table, select the check box for the resource type for which you want to
generate a CSR.

b Click Generate CSRs.

c On the Details dialog, configure the settings and click Next.

Option               Description
Algorithm            Select the key algorithm for the certificate.
Key Size             Select the key size (2048 bit, 3072 bit, or 4096 bit) from the
                     drop-down menu.
Email                Optionally, enter a contact email address.
Organizational Unit  Use this field to differentiate between divisions within your
                     organization with which this certificate is associated.
Organization Name    Type the name under which your company is known. The listed
                     organization must be the legal registrant of the domain name in
                     the certificate request.
Locality             Type the city or locality where your company is legally registered.
State                Type the full name (do not abbreviate) of the state, province,
                     region, or territory where your company is legally registered.
Country              Type the country name where your company is legally registered.
                     This value must use the ISO 3166 country code.

d (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s)
and click Next.

e On the Summary dialog, click Generate CSRs.

5 Generate signed certificates for each component.

a From the table, select the check box for the resource type for which you want to
generate a signed certificate.

b Click Generate Signed Certificates.


c In the Generate Certificates dialog box, from the Select Certificate Authority drop-down
menu, select Microsoft.

d Click Generate Certificates.

6 Install the generated signed certificates for each component.

a From the table, select the check box for the resource type for which you want to install a
signed certificate.

b Click Install Certificates.

Configure VMware Cloud Foundation to Use OpenSSL CA-Signed Certificates

VMware Cloud Foundation supports the ability to manage certificates using OpenSSL configured
on the SDDC Manager appliance.

Complete the following tasks to be able to manage OpenSSL-signed certificates issued by SDDC
Manager.

Configure OpenSSL-signed Certificates in SDDC Manager

To generate OpenSSL-signed certificates for the VMware Cloud Foundation components you
must first configure the certificate authority details.

Procedure

1 In the navigation pane, click Security > Certificate Authority.

2 Click Edit.

3 Configure the settings and click Save.

Setting                Value
Certificate Authority  OpenSSL
Common Name            Specify the FQDN of the SDDC Manager appliance.
Organizational Unit    Use this field to differentiate between the divisions within your
                       organization with which this certificate is associated.
Organization           Specify the name under which your company is known. The listed
                       organization must be the legal registrant of the domain name in
                       the certificate request.
Locality               Specify the city or the locality where your company is legally
                       registered.
State                  Enter the full name (do not abbreviate) of the state, province,
                       region, or territory where your company is legally registered.
Country                Select the country where your company is registered. This value
                       must use the ISO 3166 country code.

Install OpenSSL-signed Certificates using SDDC Manager

Replace the self-signed certificates with OpenSSL-signed certificates generated by SDDC
Manager.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, from the table, in the domain column click the workload
domain you want to view.

3 On the domain summary page, click the Certificates tab.

4 Generate CSR files for the target components.

a From the table, select the check box for the resource type for which you want to
generate a CSR.

b Click Generate CSRs.

The Generate CSRs wizard opens.


c On the Details dialog, configure the settings and click Next.

Option               Description
Algorithm            Select the key algorithm for the certificate.
Key Size             Select the key size (2048 bit, 3072 bit, or 4096 bit) from the
                     drop-down menu.
Email                Optionally, enter a contact email address.
Organizational Unit  Use this field to differentiate between divisions within your
                     organization with which this certificate is associated.
Organization Name    Type the name under which your company is known. The listed
                     organization must be the legal registrant of the domain name in
                     the certificate request.
Locality             Type the city or locality where your company is legally registered.
State                Type the full name (do not abbreviate) of the state, province,
                     region, or territory where your company is legally registered.
Country              Type the country name where your company is legally registered.
                     This value must use the ISO 3166 country code.

d (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s)
and click Next.

You can enter multiple values separated by comma (,), semicolon (;), or space ( ). For
NSX, you can enter the subject alternative name for each node along with the Virtual IP
(primary) node.

Note Wildcard subject alternative names, such as *.example.com, are not recommended.

e On the Summary dialog, click Generate CSRs.

5 Generate signed certificates for each component.

a From the table, select the check box for the resource type for which you want to
generate a signed certificate.

b Click Generate Signed Certificates.

c In the Generate Certificates dialog box, from the Select Certificate Authority drop-down
menu, select OpenSSL.

d Click Generate Certificates.


6 Install the generated signed certificates for each component.

a From the table, select the check box for the resource type for which you want to install a
signed certificate.

b Click Install Certificates.
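
The Generate CSRs dialog used in both the Microsoft CA and OpenSSL procedures above takes the same subject fields, key size and subject alternative name list, and the note on step 4d spells out the accepted separators and the advice against wildcard names. The following Python code is an added example, not code from this guide or from SDDC Manager: it validates a SAN string the way that note describes (comma, semicolon or space separators; IP entries for the NSX virtual IP; wildcards rejected unless explicitly allowed) and renders an equivalent `openssl req` configuration so the same request can be reproduced or reviewed outside the UI. The mapping of the dialog fields to the DN attributes CN, O, OU, L, ST and C is an assumption, as are the function names and the constructed rainpole.io hostnames and address.

```python
from __future__ import annotations

import ipaddress
import re

# Key sizes offered by the Generate CSRs dialog.
ALLOWED_KEY_SIZES = {2048, 3072, 4096}
# The dialog accepts comma, semicolon or space between subject alternative names.
SAN_SEPARATORS = re.compile(r"[,;\s]+")
# One DNS label: 1-63 alphanumerics or hyphens, not starting or ending with a hyphen.
DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_san_input(raw: str, allow_wildcard: bool = False) -> list[str]:
    """Split the dialog's SAN string into OpenSSL-style entries (DNS:... / IP:...).

    Duplicates are dropped after lower-casing hostnames, and wildcard names are
    rejected by default because the guide advises against them.
    """
    entries: list[str] = []
    for token in SAN_SEPARATORS.split(raw.strip()):
        if not token:
            continue
        if token.startswith("*.") and not allow_wildcard:
            raise ValueError(f"wildcard SAN {token!r} is not recommended; list each host instead")
        try:
            ipaddress.ip_address(token)  # covers the NSX virtual IP case
            entry = f"IP:{token}"
        except ValueError:
            name = token.lower().rstrip(".")
            labels = name.split(".")
            if name.startswith("*."):
                labels = labels[1:]  # only reached when wildcards are allowed
            if len(name) > 253 or not all(DNS_LABEL.match(label) for label in labels):
                raise ValueError(f"{token!r} is neither a valid hostname nor an IP address")
            entry = f"DNS:{name}"
        if entry not in entries:
            entries.append(entry)
    return entries


def san_input_error(raw: str) -> str | None:
    """Return the validation message for a SAN string, or None when it is acceptable."""
    try:
        parse_san_input(raw)
    except ValueError as exc:
        return str(exc)
    return None


def build_req_config(common_name: str, organization: str, organizational_unit: str,
                     locality: str, state: str, country: str, sans: str,
                     key_size: int = 2048, email: str | None = None) -> str:
    """Render an `openssl req` configuration equivalent to the dialog's fields (assumed mapping)."""
    if key_size not in ALLOWED_KEY_SIZES:
        raise ValueError(f"key size must be one of {sorted(ALLOWED_KEY_SIZES)}")
    if not re.fullmatch(r"[A-Z]{2}", country):
        raise ValueError("country must be an ISO 3166 two-letter code, e.g. US")
    san_entries = parse_san_input(sans)
    # Browsers and most TLS clients ignore the CN, so the CN must also appear in the SAN list.
    cn_entry = f"DNS:{common_name.lower()}"
    if cn_entry not in san_entries:
        san_entries.insert(0, cn_entry)
    lines = [
        "[req]",
        f"default_bits = {key_size}",
        "prompt = no",
        "distinguished_name = dn",
        "req_extensions = ext",
        "",
        "[dn]",
        f"CN = {common_name}",
        f"O = {organization}",
        f"OU = {organizational_unit}",
        f"L = {locality}",
        f"ST = {state}",
        f"C = {country}",
    ]
    if email:
        lines.append(f"emailAddress = {email}")
    lines += ["", "[ext]", "subjectAltName = " + ", ".join(san_entries)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed values; rainpole.io is the example domain used elsewhere in this guide.
    print(build_req_config(
        common_name="nsx.rainpole.io", organization="Rainpole", organizational_unit="IT",
        locality="Palo Alto", state="California", country="US",
        sans="nsx-1.rainpole.io, nsx-2.rainpole.io; nsx-3.rainpole.io 10.0.0.10",
        key_size=4096,
    ))
```

Save the rendered text as, for example, nsx.cnf and run `openssl req -new -config nsx.cnf -newkey rsa:4096 -nodes -keyout nsx.key -out nsx.csr` to produce a CSR carrying the same subject and SAN contents for a third-party CA; inspect the result with `openssl req -in nsx.csr -noout -text` and confirm every node name and the virtual IP appear under X509v3 Subject Alternative Name before submitting it.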

Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate
Authority Files

VMware Cloud Foundation supports two ways to install third-party certificates. This procedure
describes the new method, which is the default method for VMware Cloud Foundation 4.5.1 and
later.

If you prefer to use the legacy method for installing third-party CA-signed certificates, see Install
Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate Bundle.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, from the table, in the domain column click the workload
domain you want to view.

3 On the domain summary page, click the Certificates tab.

4 Generate CSR files for the target components.

a From the table, select the check box for the resource type for which you want to
generate a CSR.

b Click Generate CSRs.

The Generate CSRs wizard opens.


c On the Details dialog, configure the settings and click Next.

Option Description

Algorithm Select the key algorithm for the certificate.

Key Size Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.

Email Optionally, enter a contact email address.

Organizational Unit Use this field to differentiate between divisions within your organization with which this certificate is associated.

Organization Name Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.

Locality Type the city or locality where your company is legally registered.

State Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.

Country Type the two-letter ISO 3166 country code (for example, US) for the country where your company is legally registered.

d (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s)
and click Next.

You can enter multiple values separated by a comma (,), semicolon (;), or space ( ). For
NSX, enter the FQDN of each NSX Manager node together with the cluster virtual IP (VIP)
FQDN, so that the one certificate is valid for every node and for the VIP.

Note Wildcard subject alternative names, such as *.example.com, are not recommended: a
certificate valid for *.example.com is accepted for any host in that domain, so a private key
compromised on one component can be used to impersonate all of them.

e On the Summary dialog, click Generate CSRs.

5 Download and save the CSR files by clicking Download CSR.

6 When the downloads complete, request signed certificates from your third-party Certificate
Authority for each .csr.

7 After you receive the signed certificates, open the SDDC Manager UI and click Upload and
Install.

8 In the Install Signed Certificates dialog box, select the resource for which you want to install
a signed certificate.

The drop-down menu includes all resources for which you have generated and downloaded
CSRs.


9 Select a Source and enter the required information.

Source Required Information

Paste Text Copy and paste the:
n Server Certificate
n Certificate Authority
Paste the server certificate and the certificate authority in PEM format (base64-encoded). For example:

-----BEGIN CERTIFICATE-----
<certificate content>
-----END CERTIFICATE-----

If the Certificate Authority includes intermediate certificates, list them with the intermediate that issued the server certificate first and the root certificate last:

-----BEGIN CERTIFICATE-----
<Intermediate certificate content>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Root certificate content>
-----END CERTIFICATE-----

File Upload Click Browse to upload the:
n Server Certificate
n Certificate Authority
Files with .crt, .cer, .pem, .p7b and .p7c extensions are supported.

Certificate Chain Click Browse to upload the certificate chain.
Files with .crt, .cer, .pem, .p7b and .p7c extensions are supported.

10 Click Validate.

If validation fails, resolve the issues and try again, or click Remove to skip the certificate
installation.

11 To install a signed certificate for another resource, click Add Another and repeat steps 8-10
for each resource.

12 Once all signed certificates have been validated successfully, click Install.

Install Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate Bundle
VMware Cloud Foundation supports two ways to install third-party certificates. This procedure
describes the legacy method of using a certificate bundle. To use the legacy method, you must
modify your preferences and then use this procedure to generate CSRs, sign the CSRs with a
third-party CA, and finally upload and install the certificates.


Prerequisites

VMware Cloud Foundation 4.5.1 introduces a new method for installing third-party CA-signed
certificates, and VMware Cloud Foundation uses the new method by default. See Install Third-Party
CA-Signed Certificates Using Server Certificate and Certificate Authority Files for information
about using the new method. If you prefer to use the legacy method, you must modify your
preferences.

1 In the SDDC Manager UI, click the logged in user and select Preferences.

2 Use the toggle to switch to legacy certificate management.

Uploading CA-signed certificates from a third-party Certificate Authority using the legacy method
requires that you collect the relevant certificate files in the correct format and then create a
single .tar.gz file with the contents. It's important that you create the correct directory structure
within the .tar.gz file as follows:

n The name of the top-level directory must exactly match the name of the workload domain as
it appears in the list on the Inventory > Workload Domains page. For example, sfo-m01.

n The PEM-encoded root CA certificate chain file (which must be named rootca.crt) must
reside inside this top-level directory. The rootca.crt chain file contains the root certificate
authority and can contain any number of intermediate certificates.

For example:

-----BEGIN CERTIFICATE-----
<Intermediate1 certificate content>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Intermediate2 certificate content>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Root certificate content>
-----END CERTIFICATE-----

In the above example, there are two intermediate certificates, intermediate1 and
intermediate2, and a root certificate. The chain is ordered from the server certificate's
issuer up to the root: intermediate1 must be issued (signed) by intermediate2, and
intermediate2 must be issued by the root CA.


n Every certificate in the rootca.crt chain file, the intermediate certificates and the root
certificate, must contain the Basic Constraints extension with the value CA:TRUE.

n This directory must contain one sub-directory for each component resource for which
you want to replace the certificates.

n Each sub-directory must be named exactly as the resource hostname of the corresponding
component appears in the Resource Hostname column on the Inventory > Workload
Domains > Certificates tab. For example, nsxManager.vrack.vsphere.local,
vcenter-1.vrack.vsphere.local, and so on.

n Each sub-directory must contain the corresponding .csr file, named <resource hostname>.csr,
where <resource hostname> exactly matches the Resource Hostname column on the
Inventory > Workload Domains > Certificates tab.

n Each sub-directory must contain the corresponding .crt file, named <resource hostname>.crt,
matching the same Resource Hostname value. The content of each .crt file must end with a
newline character.

For example, the nsxManager.vrack.vsphere.local sub-directory must contain the
nsxManager.vrack.vsphere.local.csr and nsxManager.vrack.vsphere.local.crt files.

n All certificates, including rootca.crt, must use UNIX line endings (LF only, not CRLF).

n Additional requirements for NSX certificates:

n The server certificate (NSX_FQDN.crt) must contain the Basic Constraints extension with
the value CA:FALSE.

n If the NSX certificate contains an HTTP- or HTTPS-based CRL Distribution Point, the CRL
URL must be reachable from the NSX Manager nodes, which check it when the certificate is
validated.

n The extended key usage (EKU) of the issued certificate must include the EKU values that
were requested in the CSR.

Note All resource and hostname values can be found in the list on the Inventory > Workload
Domains > Certificates tab.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, from the table, in the domain column click the workload
domain you want to view.

3 On the domain summary page, click the Certificates tab.


4 Generate CSR files for the target components.

a From the table, select the check box for the resource type for which you want to
generate a CSR.

b Click Generate CSRs.

The Generate CSRs wizard opens.

c On the Details dialog, configure the settings and click Next.

Option Description

Algorithm Select the key algorithm for the certificate.

Key Size Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.

Email Optionally, enter a contact email address.

Organizational Unit Use this field to differentiate between divisions within your organization with which this certificate is associated.

Organization Name Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.

Locality Type the city or locality where your company is legally registered.

State Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.

Country Type the two-letter ISO 3166 country code (for example, US) for the country where your company is legally registered.

d (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s)
and click Next.

You can enter multiple values separated by a comma (,), semicolon (;), or space ( ). For
NSX, enter the FQDN of each NSX Manager node together with the cluster virtual IP (VIP)
FQDN, so that the one certificate is valid for every node and for the VIP.

Note Wildcard subject alternative names, such as *.example.com, are not recommended: a
certificate valid for *.example.com is accepted for any host in that domain, so a private key
compromised on one component can be used to impersonate all of them.

e On the Summary dialog, click Generate CSRs.

5 Download and save the CSR files to the directory by clicking Download CSR.

6 Complete the following tasks outside of the SDDC Manager UI:

a Verify that the .csr files were generated and are placed in the required directory
structure.

b Request signed certificates from a Third-party Certificate authority for each .csr.


c Verify that the newly acquired .crt files are correctly named and placed in the required
directory structure.

d Create a new .tar.gz file of the directory structure ready for upload to SDDC Manager. For
example: <domain name>.tar.gz.

7 Click Upload and Install.

8 In the Upload and Install Certificates dialog box, click Browse to locate and select the newly
created <domain name>.tar.gz file and click Open.

9 Click Upload.

10 If the upload is successful, click Install Certificate. The Certificates tab displays a status of
Certificate Installation is in progress.
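The bundle rules above (a top-level directory named after the domain, a rootca.crt chain with the root last, a matching <hostname>.csr and <hostname>.crt in each resource sub-directory, LF line endings, a trailing newline, five-dash PEM delimiters) are easy to get wrong by hand, and SDDC Manager only reports a failure after the upload. The following Python script is an added example, not part of this guide or of SDDC Manager; it checks the layout and PEM formatting of a prepared bundle directory and then packages it as <domain>.tar.gz with the domain directory as the top-level entry. It performs structural checks only: chain order, Basic Constraints and EKU still have to be verified cryptographically, for example with openssl verify and openssl x509 -noout -text. The sample tree it builds uses placeholder base64 payloads, not real certificates, and the resource name nsxManager.vrack.vsphere.local is taken from the example above.

```python
"""Check and package a legacy VCF certificate bundle (added example, not VMware code).

Expected layout under <workdir>:
  <domain>/rootca.crt                           PEM chain: intermediates first, root last
  <domain>/<resource-fqdn>/<resource-fqdn>.csr
  <domain>/<resource-fqdn>/<resource-fqdn>.crt  PEM, LF line endings, trailing newline
Structural checks only; use openssl for chain, Basic Constraints and EKU validation.
"""
import base64
import re
import tarfile
import tempfile
from pathlib import Path

# One PEM certificate block with the exact five-dash delimiters SDDC Manager expects.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+/=\n]+?)-----END CERTIFICATE-----\n?"
)


def pem_blocks(text):
    """Return the decoded DER payload of every well-formed PEM block in text."""
    payloads = []
    for match in PEM_BLOCK.finditer(text):
        body = match.group(1).replace("\n", "")
        payloads.append(base64.b64decode(body, validate=True))  # ValueError on bad base64
    return payloads


def check_pem_file(path, min_blocks=1):
    """Return a list of problems with one PEM file; an empty list means it passed."""
    problems = []
    raw = path.read_bytes()
    if b"\r" in raw:
        problems.append(f"{path.name}: CRLF line endings found (must be UNIX/LF)")
    if not raw.endswith(b"\n"):
        problems.append(f"{path.name}: missing trailing newline")
    text = raw.decode("ascii", errors="replace")
    try:
        blocks = pem_blocks(text)
    except ValueError as exc:
        return problems + [f"{path.name}: corrupt base64 ({exc})"]
    if len(blocks) < min_blocks:
        problems.append(f"{path.name}: expected at least {min_blocks} block(s), found {len(blocks)}")
    # Anything left outside BEGIN/END markers (for example a six-dash END line) is rejected.
    leftover = PEM_BLOCK.sub("", text).strip()
    if leftover:
        problems.append(f"{path.name}: unexpected text outside PEM blocks: {leftover[:40]!r}")
    return problems


def validate_bundle_dir(workdir, domain):
    """Validate <workdir>/<domain>/... and return (ok, problems)."""
    top = Path(workdir) / domain
    if not top.is_dir():
        return False, [f"top-level directory {domain!r} not found under {workdir}"]
    problems = []
    rootca = top / "rootca.crt"
    problems += check_pem_file(rootca) if rootca.is_file() else ["rootca.crt missing"]
    resources = [p for p in top.iterdir() if p.is_dir()]
    if not resources:
        problems.append("no resource sub-directories found")
    for res in resources:
        # Sub-directory, .csr and .crt must all carry the exact resource hostname.
        csr, crt = res / f"{res.name}.csr", res / f"{res.name}.crt"
        if not csr.is_file():
            problems.append(f"{res.name}: missing {csr.name}")
        problems += check_pem_file(crt) if crt.is_file() else [f"{res.name}: missing {crt.name}"]
    return not problems, problems


def build_bundle(workdir, domain):
    """Validate, then write <workdir>/<domain>.tar.gz with <domain>/ as the top-level entry."""
    ok, problems = validate_bundle_dir(workdir, domain)
    if not ok:
        raise ValueError("bundle is not valid:\n  " + "\n  ".join(problems))
    out = Path(workdir) / f"{domain}.tar.gz"
    with tarfile.open(out, "w:gz") as tar:
        tar.add(Path(workdir) / domain, arcname=domain)  # arcname keeps <domain>/ on top
    return out


def make_sample_bundle(workdir, domain="sfo-m01", broken=False):
    """Constructed fixture with placeholder payloads, not real certificates."""
    fake = base64.b64encode(b"placeholder, not a real certificate").decode()
    block = f"-----BEGIN CERTIFICATE-----\n{fake}\n-----END CERTIFICATE-----\n"
    res = Path(workdir) / domain / "nsxManager.vrack.vsphere.local"
    res.mkdir(parents=True)
    (res.parent / "rootca.crt").write_text(block * 2)  # intermediate, then root
    (res / f"{res.name}.csr").write_text("-----BEGIN CERTIFICATE REQUEST-----\n...\n")
    leaf = block
    if broken:  # six-dash END marker and no trailing newline: two common hand-editing errors
        leaf = block.replace("-----END CERTIFICATE-----", "-----END CERTIFICATE------").rstrip("\n")
    (res / f"{res.name}.crt").write_text(leaf)
    return res.parent


if __name__ == "__main__":
    work = tempfile.mkdtemp()
    make_sample_bundle(work)
    print("valid:", validate_bundle_dir(work, "sfo-m01"))
    print("wrote:", build_bundle(work, "sfo-m01"))
    bad = tempfile.mkdtemp()
    make_sample_bundle(bad, broken=True)
    print("broken:", validate_bundle_dir(bad, "sfo-m01")[1])
```

Run it against the real bundle directory by calling build_bundle("/path/to/workdir", "<domain name>") after the signed .crt files are in place; the .tar.gz it writes is the file to select in the Upload and Install Certificates dialog.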

Remove Old or Unused Certificates from SDDC Manager


Old or unused certificates are stored in a trust store in SDDC Manager. You can delete old
certificates using the VMware Cloud Foundation API.

See Delete Trusted Certificate in the VMware Cloud Foundation API Reference Guide for more
information.

Procedure

1 Log in to the SDDC Manager UI as a user with the ADMIN role.

For more information about roles, see Chapter 24 Managing Users and Groups in VMware
Cloud Foundation.

2 In the navigation pane, click Developer Center > API Explorer.

3 Browse to and expand API Categories > Trusted Certificates.

4 Expand GET /v1/sddc-manager/trusted-certificates and click EXECUTE.

5 In the Response, click TrustedCertificate and copy the alias for the certificate you want
to remove.

6 Expand DELETE /v1/sddc-manager/trusted-certificates/{alias}, enter the alias, and


click EXECUTE.

Chapter 10 Managing License Keys in VMware Cloud Foundation
You can add component license keys in the SDDC Manager UI or add a solution license key in
vSphere Client.

Starting with VMware Cloud Foundation 5.1.1, you can license VMware Cloud Foundation
components using a solution license key or individual component license keys.

Note VMware Cloud Foundation 5.1.1 supports a combination of solution and component license
keys. For example, Workload Domain 1 can use component license keys and Workload Domain
2 can use the solution license key.

For more information about the VCF solution license key, VMware vSphere 8 Enterprise Plus for
VCF, see https://knowledge.broadcom.com/external/article?articleNumber=319282.

SDDC Manager does not manage the solution license key. If you are using a solution license
key, VMware Cloud Foundation components are deployed in evaluation mode and then you
use the vSphere Client to add and assign the solution key. See Managing vSphere Licenses for
information about using a solution license key for VMware ESXi and vCenter Server. If you are
using a solution license key, you must also add a separate VMware vSAN license key for vSAN
clusters. See Configure License Settings for a vSAN Cluster.

Note VMware vCenter Server, VMware NSX, VMware Aria Suite components, and VMware HCX
are all licensed when you assign a solution license key to a vCenter Server.

Use the SDDC Manager UI to manage component license keys. If you entered component license
keys in the deployment parameter workbook that you used to create the management domain,
those component license keys appear in the Licensing screen of the SDDC Manager UI. You can
add additional component license keys to support your requirements. You must have adequate
license units available before you create a VI workload domain, add a host to a vSphere cluster,
or add a vSphere cluster to a workload domain. Add the necessary component license keys
before you begin any of these tasks.

Read the following topics next:

n Add a Component License Key in the SDDC Manager UI

n Edit a Component License Key Description in the SDDC Manager UI

n Delete a Component License Key in the SDDC Manager UI


n Update Component License Keys for Workload Domain Components

Add a Component License Key in the SDDC Manager UI


You can use the SDDC Manager UI to add component license keys to the SDDC Manager
inventory.

SDDC Manager does not manage solution license keys. See Chapter 10 Managing License Keys in
VMware Cloud Foundation for more information about solution license keys.

Procedure

1 In the navigation pane, click Administration > Licensing.

2 Click + License Key.

3 Select a product from the drop-down menu.

4 Enter the license key.

5 Enter a description for the license.

A description can help in identifying the license.

6 Click Add.

What to do next

If you want to replace an existing license with a newly added license, you must add and assign
the new license in the management UI (for example, vSphere Client or NSX Manager) of the
component whose license you are replacing.

Edit a Component License Key Description in the SDDC Manager UI
If you have multiple component license keys for a product, the description can help in identifying
the license key. For example, you may want to use one license key for high-performance
workload domains and the other license key for regular workload domains.

Procedure

1 In the navigation pane, click Administration > Licensing.

2 Click the vertical ellipsis (three dots) next to the license key and click Edit Description.

3 On the Edit License Key Description dialog, edit the description and click Save.


Delete a Component License Key in the SDDC Manager UI


Deleting a component license key removes it from the SDDC Manager inventory. If the license
key has been applied to any workload domain, host, or vSphere cluster, it is not removed from
them, but it cannot be applied to new workload domains, hosts, or vSphere clusters.

Procedure

1 In the navigation pane, click Administration > Licensing.

2 Click the vertical ellipsis (three dots) next to the license key you want to delete and click
Remove.

3 In the Remove License key dialog, click Remove.

Results

The component license key is removed from the SDDC Manager inventory.

Update Component License Keys for Workload Domain Components
You can use the SDDC Manager UI to update the license keys for components whose license
keys have expired, are expiring, or are incompatible with upgraded components.

You can update component license keys for:

n vCenter Server

n VMware NSX

n VMware vSAN

n ESXi

Updates are specific to the selected workload domain. If you want to update component license
keys for multiple workload domains, you must update each workload domain separately.

Prerequisites

The new component license key(s) must already be added to the SDDC Manager inventory. See
Add a Component License Key in the SDDC Manager UI.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 Click a workload domain name in the Domain column.

3 Select Actions > Update Licenses.


4 Read the overview and click Next.

5 Select one or more products to update and click Next.

6 Select a component license key for each product.

For VMware vSAN and ESXi, you must select the clusters that you want to update with new
license keys.

7 Review the new component license keys and click Submit.

Chapter 11 ESXi Lockdown Mode
You can activate or deactivate normal lockdown mode in VMware Cloud Foundation to increase
the security of your ESXi hosts.

To activate or deactivate normal lockdown mode in VMware Cloud Foundation, you must
perform the operations through vCenter Server. For information on how to activate or
deactivate normal lockdown mode, see "Lockdown Mode" in vSphere Security at
https://docs.vmware.com/en/VMware-vSphere/index.html.

You can activate normal lockdown mode on a host after the host is added to a workload
domain. VMware Cloud Foundation creates service accounts that it uses to access the
hosts, and adds them to the Exception Users list during bring-up or host commissioning,
so they keep direct host access while lockdown mode is active. You can rotate the
passwords for the service accounts using the password management functionality in the
SDDC Manager UI.
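The Exception Users list is the part of this setup that drifts: every account on it keeps its full host access while lockdown mode is active, so a periodic check should confirm that lockdown is on and that only the VCF service accounts are excepted. The following Python script is an added example, not part of this guide or of any VMware tool. It assumes that SDDC Manager names the per-host service account svc-vcf-<ESXi short hostname>; confirm that against the Exception Users list on your own hosts before relying on the pattern. The audit() function is pure and runs on constructed sample records, while collect_from_vcenter() shows how to pull the same records over pyVmomi (HostAccessManager.QueryLockdownExceptions and HostConfigInfo.lockdownMode) and is not executed here.

```python
"""Audit ESXi lockdown mode and Exception Users (added example, not VMware code).

audit() is pure and runs offline on constructed records; collect_from_vcenter() needs
pyVmomi and a reachable vCenter Server and is not exercised by the demo.
"""
import re
from dataclasses import dataclass, field

# Assumption: SDDC Manager names the per-host service account svc-vcf-<ESXi short hostname>.
# Compare with what the Exception Users list on your hosts actually shows before relying on it.
VCF_SERVICE_ACCOUNT = re.compile(r"^svc-vcf-(?P<host>[a-z0-9-]+)$")


@dataclass
class HostAccess:
    fqdn: str
    lockdown_mode: str                 # lockdownDisabled | lockdownNormal | lockdownStrict
    exception_users: list = field(default_factory=list)


def audit(hosts, allowed=VCF_SERVICE_ACCOUNT):
    """Return {fqdn: [findings]}; an empty list means the host passed."""
    report = {}
    for h in hosts:
        findings = []
        short = h.fqdn.split(".")[0].lower()
        if h.lockdown_mode == "lockdownDisabled":
            findings.append("lockdown mode is disabled")
        svc_accounts = []
        for user in h.exception_users:
            m = allowed.match(user)
            if not m:
                # Any non-VCF account here keeps full host access despite lockdown.
                findings.append(f"exception user {user!r} is not a VCF service account")
            elif m.group("host") != short:
                findings.append(f"exception user {user!r} belongs to another host")
            else:
                svc_accounts.append(user)
        if h.lockdown_mode != "lockdownDisabled" and not svc_accounts:
            findings.append("no VCF service account excepted; SDDC Manager may lose direct host access")
        report[h.fqdn] = findings
    return report


def collect_from_vcenter(vcenter, user, pwd):
    """Gather HostAccess records with pyVmomi (requires network; not run in the demo)."""
    from pyVim.connect import Disconnect, SmartConnect  # pip install pyvmomi
    from pyVmomi import vim

    si = SmartConnect(host=vcenter, user=user, pwd=pwd)  # certificate verification left on
    try:
        content = si.RetrieveContent()
        view = content.viewManager.CreateContainerView(content.rootFolder, [vim.HostSystem], True)
        records = []
        for host in view.view:
            exceptions = host.configManager.hostAccessManager.QueryLockdownExceptions()
            records.append(HostAccess(host.name, str(host.config.lockdownMode), list(exceptions)))
        view.Destroy()
        return records
    finally:
        Disconnect(si)


# Constructed sample data, not from a real environment.
SAMPLE_HOSTS = [
    HostAccess("sfo01-m01-esx01.sfo.rainpole.io", "lockdownNormal", ["svc-vcf-sfo01-m01-esx01"]),
    HostAccess("sfo01-m01-esx02.sfo.rainpole.io", "lockdownDisabled", ["svc-vcf-sfo01-m01-esx02"]),
    HostAccess("sfo01-m01-esx03.sfo.rainpole.io", "lockdownNormal",
               ["svc-vcf-sfo01-m01-esx03", "backupadmin"]),
    HostAccess("sfo01-m01-esx04.sfo.rainpole.io", "lockdownNormal", ["svc-vcf-sfo01-m01-esx01"]),
]

if __name__ == "__main__":
    for fqdn, findings in audit(SAMPLE_HOSTS).items():
        print(fqdn, "OK" if not findings else "; ".join(findings))
```

In a live environment, replace SAMPLE_HOSTS with collect_from_vcenter("<vcenter fqdn>", "<user>", "<password>") and treat any finding other than the expected svc-vcf-<host> entries as something to explain or remove through vCenter Server.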

Chapter 12 Managing Storage in VMware Cloud Foundation
To create and manage a workload domain, VMware Cloud Foundation requires at least one
shared storage type for all ESXi hosts within a cluster. This initial shared storage type, known
as principal storage, is configured during VxRail first run. Additional shared storage, known as
supplemental storage, can be added using the vSphere Client after a cluster has been created.

Principal Storage
During the VxRail first run, you configure the initial shared storage type. This initial shared
storage type is known as principal storage. Once created, the principal storage type for a cluster
cannot be changed. However, a VI workload domain can include multiple clusters with unique
principal storage types.

VMware Cloud Foundation supports the following types of principal storage:

n vSAN

n vSAN Original Storage Architecture (vSAN OSA)

n vSAN Express Storage Architecture (vSAN ESA)

Note You cannot convert vSAN OSA to vSAN ESA or vice versa.

n VMFS on FC (Fibre Channel)

Supplemental Storage
Additional shared storage, known as supplemental storage, can be manually added or removed
using the vSphere Client after a cluster has been created. All supplemental storage must be listed
in the VMware Compatibility Guide. Multiple supplemental storage types can be presented to a
cluster in the management domain or any VI workload domain.

VMware Cloud Foundation supports using the vSphere Client to add the following datastore
types to a cluster:

n vSphere VMFS

Read the following topics next:

n vSAN Storage with VMware Cloud Foundation


n Fibre Channel Storage with VMware Cloud Foundation

n Sharing Remote Datastores with HCI Mesh for VI Workload Domains

vSAN Storage with VMware Cloud Foundation


vSAN is the preferred principal storage type for VMware Cloud Foundation. It is an enterprise-
class storage integrated with vSphere and managed by a single platform. vSAN is optimized for
flash storage and can non-disruptively expand capacity and performance by adding hosts to a
cluster (scale-out) or by adding disks to a host (scale-up).

Storage Type   Consolidated Workload Domain   Management Domain   VI Workload Domain
Principal      Yes                            Yes                 Yes
Supplemental   No                             No                  No

Prerequisites for vSAN Storage


To create a VI workload domain that uses vSAN as principal storage you must ensure the
following:

n A minimum of three ESXi hosts that meet the vSAN hardware, cluster, software, networking
and license requirements. For information, see the vSAN Planning and Deployment Guide.

n Perform a VxRail first run specifying the vSAN configuration settings. For information on the
VxRail first run, contact Dell Support.

n A valid vSAN license. See Chapter 10 Managing License Keys in VMware Cloud Foundation.
You cannot use vSAN ESA without a qualifying license.

In some instances SDDC Manager may be unable to automatically mark the host disks as
capacity. Follow the Mark Flash Devices as Capacity Using ESXCLI procedure in the vSAN
Planning and Deployment Guide.

Procedures for vSAN Storage


n To use vSAN as principal storage for a new VI workload domain, perform the VxRail first run
and then create the VI workload domain. See Creating VxRail VI Workload Domains.

n To use vSAN as principal storage for a new cluster, perform the VxRail first run and then add
the VxRail cluster. See Add a VxRail Cluster to a Workload Domain Using the SDDC Manager
UI.


vSAN Original Storage Architecture (OSA)


With vSAN OSA, each host that contributes storage devices to the vSAN datastore must provide
at least one device for flash cache and at least one device for capacity. The devices on the
contributing host form one or more disk groups. Each disk group contains one flash cache
device, and one or multiple capacity devices for persistent storage. Each host can be configured
to use multiple disk groups.

vSAN OSA clusters can mount a remote datastore from other vSAN OSA clusters.

vSAN Express Storage Architecture (ESA)


With vSAN ESA, all storage devices claimed by vSAN contribute to capacity and performance.
Each host's storage devices claimed by vSAN form a storage pool. The storage pool represents
the amount of caching and capacity provided by the host to the vSAN datastore.

vSAN ESA clusters can mount a remote datastore from other vSAN ESA clusters.

To use vSAN ESA, you need:

n A direct or proxy internet connection OR a downloaded copy of the vSAN HCL JSON file

Note SDDC Manager keeps the HCL file updated if it has a direct or proxy internet
connection.

n ESXi host disks to support vSAN ESA

n A vLCM image to manage clusters.

vSAN Compute Clusters


A vSAN compute cluster is a vSphere cluster with a small vSAN element that enables it to mount
a remote datastore. The hosts in a compute cluster do not have local storage. A compute cluster
can only mount a remote datastore from a cluster within the same workload domain.

A vSAN compute cluster can mount a datastore from one of the following cluster types:

n vSAN OSA

n vSAN ESA

Once you mount a remote datastore on a vSAN compute cluster, you can only mount additional
datastores of the same cluster type.

Note Datastores on clusters created outside of VMware Cloud Foundation cannot be mounted
on VCF-created clusters. Likewise, clusters created outside of VMware Cloud Foundation cannot
mount a datastore from a VCF-created cluster.


Fibre Channel Storage with VMware Cloud Foundation


Fibre Channel (FC) is a storage protocol that the SAN uses to transfer data traffic from ESXi hosts
to shared storage. The protocol packages SCSI commands into FC frames. To connect to the FC
SAN, the ESXi host uses Fibre Channel host bus adapters (HBAs).

Fibre Channel can be used as supplemental storage in the management domain and in
consolidated workload domains. It can be used as principal storage for VI workload
domains, and as principal storage in a management domain that was converted from
existing vSphere infrastructure.

Storage Type   Consolidated Workload Domain   Management Domain                                                    VI Workload Domain
Principal      No                             Only for a management domain converted from vSphere infrastructure   Yes
Supplemental   Yes                            Yes                                                                  Yes

Prerequisites for FC Storage


n A minimum of three ESXi hosts. Review the ESXi Fibre Channel SAN Requirements in the
vSphere Storage Guide.

Note If you are using VMFS on FC as principal storage, and your VI workload domain is
using vSphere Lifecycle Manager images as the update method, then only two hosts are
required. Workload Management requires a vSphere cluster with a minimum of three ESXi
hosts.

n Perform a VxRail first run specifying the VMFS on FC configuration settings. For information
on the VxRail first run, contact Dell Support.

n A pre-created VMFS datastore.

Procedures for FC Storage


n To use Fibre Channel as principal storage for a new VI workload domain, perform the VxRail
first run and then create the VI workload domain. See Creating VxRail VI Workload Domains.

n To use Fibre Channel as principal storage for a new cluster, perform the VxRail first run and
then add the VxRail cluster. See Add a VxRail Cluster to a Workload Domain Using the SDDC
Manager UI

n To use Fibre Channel as supplemental storage, see the vSphere Storage Guide.


Sharing Remote Datastores with HCI Mesh for VI Workload Domains
HCI Mesh is a software-based approach for disaggregation of compute and storage resources
in vSAN. HCI Mesh brings together multiple independent vSAN clusters by enabling cross-
cluster utilization of remote datastore capacity within vCenter Server. HCI Mesh enables
you to efficiently utilize and consume data center resources, which provides simple storage
management at scale.

VMware Cloud Foundation supports sharing remote datastores with HCI Mesh for VI workload
domains.

You can create an HCI Mesh by mounting remote vSAN datastores on vSAN clusters and enabling
data sharing from vCenter Server. It can take up to 5 minutes for the mounted remote vSAN
datastores to appear.

It is recommended that you do not mount or configure remote vSAN datastores for vSAN
clusters in the management domain.

For more information on sharing remote datastores with HCI Mesh, see Sharing Remote
Datastores with HCI Mesh.

Note You cannot mount remote vSAN datastores on stretched clusters.

Note After enabling HCI Mesh by mounting remote vSAN datastores, you can migrate VMs from
the local datastore to a remote datastore. Since each cluster has its own VxRail Manager VM, you
should not migrate VxRail Manager VMs to a remote datastore.

Chapter 13 Managing Workload Domains in VMware Cloud Foundation
Workload domains are logical units that carve up the compute, network, and storage resources
of the VMware Cloud Foundation system. The logical units are groups of ESXi hosts managed by
vCenter Server instances with specific characteristics for redundancy and VMware best practices.

Each workload domain includes these VMware capabilities by default:

n vCenter Server Appliance

n vSphere High Availability (HA)

n vSphere Distributed Resource Scheduler (DRS)

n vSphere Distributed Switch

n VMware vSAN

n NSX Manager Cluster

Read the following topics next:

n About VI Workload Domains

n Creating VxRail VI Workload Domains

n Delete a VI Workload Domain

n View Workload Domain Details

n Expand a Workload Domain

n Reduce a Workload Domain

n Rename a Workload Domain

n vSphere Cluster Management

n Tag Management

About VI Workload Domains


When deploying a workload domain, you specify the name, compute, and networking details for
the VI workload domain. You then select the hosts for the VI workload domain and start the
workflow.


When you deploy a new VI workload domain, VMware Cloud Foundation deploys a new vCenter
Server for that workload domain. The vCenter Server is associated with a vCenter Single Sign-On
Domain (SSO) to determine the local authentication space. Prior to VMware Cloud Foundation
5.0, the management vCenter Server and all VI workload domain vCenter Servers were members
of a single vSphere SSO domain, joined together with vCenter Enhanced Linked Mode. Starting
with VMware Cloud Foundation 5.0, when you deploy a new VI workload domain, you can
choose to join the management domain SSO domain, or create a new SSO domain.

The workflow automatically:

n Deploys a vCenter Server Appliance for the new VI workload domain within the management
domain. By using a separate vCenter Server instance per VI workload domain, software
updates can be applied without impacting other VI workload domains. It also allows for each
VI workload domain to have additional isolation as needed.

n Configures networking on each host.

n Configures vSAN storage on the ESXi hosts.

n For the first VI workload domain, the workflow deploys a cluster of three NSX Managers
in the management domain and configures a virtual IP (VIP) address for the NSX Manager
cluster. The workflow also configures an anti-affinity rule between the NSX Manager VMs
to prevent them from being on the same host for high availability. Subsequent VI workload
domains can share an existing NSX Manager cluster or deploy a new one. To share an
NSX Manager cluster, the VI workload domains must use the same update method. The VI
workload domains must both use vSphere Lifecycle Manager (vLCM) images, or they must
both use vLCM baselines.

n By default, VI workload domains do not include any NSX Edge clusters and are isolated.
To provide north-south routing and network services, add one or more NSX Edge clusters
to a VI workload domain. See Chapter 14 Managing NSX Edge Clusters in VMware Cloud
Foundation.

Note Starting with VMware Cloud Foundation 5.2, when you deploy a new VI workload domain,
it uses the same versions of vCenter Server and NSX Manager that the management domain
uses. For example, if you applied an async patch to the vCenter Server in the management
domain, a new VI workload domain will deploy the same patched version of vCenter Server.

Prerequisites for a Workload Domain


Review the prerequisites before you deploy a VI workload domain.

n If you plan to use DHCP for the NSX host overlay network, a DHCP server must be configured
on the NSX host overlay VLAN for the VI workload domain. When VMware NSX creates the
host tunnel endpoints (TEPs) for the VI workload domain, they are assigned IP addresses
from the DHCP server.

Note If you do not plan to use DHCP, you can use a static IP pool for the NSX host overlay
network. The static IP pool is created or selected as part of VI workload domain creation.


n Change the VxRail Manager IP Address

n Update the VxRail Manager Certificate

n A minimum of three hosts available for the VI workload domain.

Note If you are using VMFS on FC as principal storage, and the VI workload domain is using
vSphere Lifecycle Manager images as the update method, then only two hosts are required.
Workload Management requires a vSphere cluster with a minimum of three ESXi hosts.

n The install bundles for the versions of NSX Manager and vCenter Server that are running
in the management domain must be available in SDDC Manager before you can create
a VI workload domain. For example, if you have patched the versions of NSX Manager
and/or vCenter Server in the management domain to a version higher than what is
listed in the BOM, you must download the new install bundles. You can refer to https://
knowledge.broadcom.com/external/article?legacyId=88287 for information about the install
bundles required for specific async patches.

- Decide on a name for your VI workload domain. Each VI workload domain must have a
unique name. It is good practice to include the region and site information in the name
because resource object names (such as host and vCenter names) are generated based on
the VI workload domain name. The name can be three to 20 characters long and can contain
any combination of the following:

  - Lowercase alphabetic characters

  - Numbers

Note Spaces are not allowed in any of the names you specify when creating a VI workload
domain.

- Decide on the following passwords:

  - vCenter Server root password

  - NSX Manager admin password

Although the individual VMware Cloud Foundation components support different password
requirements, you must set passwords following a common set of requirements across all
components:

  - Minimum length: 12

  - Maximum length: 16

  - At least one lowercase letter, one uppercase letter, a number, and one of the following
special characters: ! @ # $ ^ *

  - Must NOT include:

    - A dictionary word

    - A palindrome


    - More than four monotonic character sequences

    - Three of the same consecutive characters
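The common password requirements above as a checker you can run before setting the vCenter Server root or NSX Manager admin password, added here as an example and not code from the guide or from any VMware tool. It assumes a small constructed word list for the dictionary check, and reads "monotonic character sequence" as a run of characters stepping by one code point (abcde, 54321), rejecting runs longer than four.

```python
"""Checker for the common VMware Cloud Foundation password requirements (added example).

Assumptions not stated in the guide:
- "monotonic character sequence" is read as consecutive characters that step by +1 or -1
  in code point (abcde, 54321); a run of more than four such characters is rejected.
- The dictionary check uses a small constructed word list; load a full list in practice.
"""
import re
from typing import List

MIN_LEN, MAX_LEN = 12, 16
SPECIAL_CHARS = set("!@#$^*")
# Constructed, deliberately small word list used only for this example.
DICTIONARY_WORDS = {"password", "welcome", "vmware", "broadcom", "vxrail", "admin"}


def _contains_dictionary_word(password: str, words=DICTIONARY_WORDS) -> bool:
    lowered = password.lower()
    return any(word in lowered for word in words)


def _is_palindrome(password: str) -> bool:
    return len(password) > 1 and password == password[::-1]


def _longest_monotonic_run(password: str) -> int:
    """Length of the longest run where each character is the previous one +1 or -1."""
    longest = 1 if password else 0
    run, direction = 1, 0
    for prev, cur in zip(password, password[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1):
            if step == direction:
                run += 1
            else:
                direction, run = step, 2
        else:
            direction, run = 0, 1
        longest = max(longest, run)
    return longest


def _has_triple_repeat(password: str) -> bool:
    # Any character appearing three times in a row, e.g. "aaa" or "111".
    return re.search(r"(.)\1\1", password) is not None


def check_password(password: str) -> List[str]:
    """Return the list of violated rules; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character from ! @ # $ ^ *")
    if _contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    if _is_palindrome(password):
        problems.append("is a palindrome")
    if _longest_monotonic_run(password) > 4:
        problems.append("contains more than four monotonic characters in sequence")
    if _has_triple_repeat(password):
        problems.append("contains three of the same consecutive characters")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; none of them is a real credential.
    for candidate in ("Tq7#Lm2$Rv9^Xy", "Password12345!A", "A1b#$xx$#b1A"):
        print(candidate, "->", check_password(candidate) or "OK")
```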

- Verify that you have the completed Planning and Preparation Workbook with the VI
workload domain deployment option included.

- The IP addresses and Fully Qualified Domain Names (FQDNs) for the vCenter Server and NSX
Manager instances must be resolvable by DNS.

- If you are using VMFS on FC storage for the VI workload domain, you must configure zoning,
mount the associated volumes, and create the datastore on the hosts.

- To use the License Now option, you must have valid license keys for the following products:

  - VMware NSX

  - vSAN (No license required for VMFS on FC)

  - vSphere

Because vSphere and vSAN licenses are per CPU, ensure that you have sufficient licenses
for the ESXi hosts to be used for the VI workload domain. See Chapter 10 Managing
License Keys in VMware Cloud Foundation.

- If you plan to deploy a VI workload domain that has its vSphere cluster at a remote location,
you must meet the following requirements:

  - Dedicated WAN connectivity is required between the central site and the remote site.

  - Primary and secondary active WAN links are recommended for connectivity from the
central site to the remote site. Without redundant WAN links, either of two failure states,
a WAN link failure or an NSX Edge node failure, can result in unrecoverable VMs and
application failure at the remote site.

  - Minimum bandwidth of 10 Mbps and latency of 100 ms is required between the central
site and the remote site. The network at the remote site must be able to reach the
management network at the central site. DNS and NTP servers must be available locally at
or reachable from the remote site.

  - See VMware Configuration Maximums for limitations related to VI workload domains at
remote locations.

  - See VMware Cloud Foundation Edge Design Considerations for more information about
design options for deploying scalable edge solutions.

Change the VxRail Manager IP Address

In order to use the Workflow Optimization script to trigger VxRail APIs from the SDDC Manager
VM, you must change the static IP address of the VxRail Manager to an IP address that is in the
management network subnet.


Prerequisites

- Ensure that a free IP address is available in the management network subnet.

- Configure forward and reverse DNS settings for VxRail Manager.

- The VxRail Manager static IP, 192.168.10.200, must be reachable and the UI available.

Procedure

1 Enter the following address in a web browser on your host:
https://192.168.10.200/rest/vxm/api-doc.html#/operations/v1_network_vxm_post.

2 Update the sample request body.

Option Description

ip Enter the new IP address for the VxRail Manager.

gateway Enter the network gateway address for VxRail Manager.

netmask Enter the subnet mask for VxRail Manager.

vlan_id Enter the management network VLAN ID

3 Click Send Request.

4 Verify that the new IP address is reachable.
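The request body from step 2 can be prepared and checked outside the browser, with the check that matters for this procedure (the new address really is in the management network subnet) done before anything is sent. This is an added example, not code from the guide or from Dell; it assumes the endpoint path /rest/vxm/v1/network/vxm (inferred from the api-doc operation id v1_network_vxm_post) and HTTP basic authentication, both to be confirmed on your VxRail Manager's api-doc page, and the sample addresses and VLAN are constructed.

```python
"""Prepare, validate and (optionally) send the VxRail Manager network change (added example).

Assumptions not stated in the guide:
- Endpoint path /rest/vxm/v1/network/vxm, inferred from the api-doc operation id
  v1_network_vxm_post; confirm it on your VxRail Manager's api-doc page.
- VxRail Manager accepts HTTP basic authentication for this call.
"""
import base64
import ipaddress
import json
import socket
import ssl
import urllib.request

VXRAIL_MANAGER_DEFAULT_IP = "192.168.10.200"   # default static IP named in the guide
NETWORK_ENDPOINT = "/rest/vxm/v1/network/vxm"  # assumption, see module docstring


def build_network_request(new_ip, gateway, netmask, vlan_id, management_cidr):
    """Return the request body (ip, gateway, netmask, vlan_id) for the network change.

    Raises ValueError unless the new address, gateway and netmask all describe the
    management network subnet, which the guide requires so that the Workflow
    Optimization script on the SDDC Manager VM can reach VxRail Manager.
    """
    mgmt = ipaddress.ip_network(management_cidr, strict=True)
    ip = ipaddress.ip_address(new_ip)
    gw = ipaddress.ip_address(gateway)
    mask = ipaddress.ip_network(f"0.0.0.0/{netmask}").netmask
    if ip not in mgmt or ip in (mgmt.network_address, mgmt.broadcast_address):
        raise ValueError(f"{ip} is not a usable host address in {mgmt}")
    if gw not in mgmt:
        raise ValueError(f"gateway {gw} is not in {mgmt}")
    if ip == gw:
        raise ValueError("new IP address must differ from the gateway")
    if mask != mgmt.netmask:
        raise ValueError(f"netmask {mask} does not match {mgmt.netmask} of {mgmt}")
    if not 1 <= int(vlan_id) <= 4094:
        raise ValueError(f"vlan_id {vlan_id} is outside 1-4094")
    return {"ip": str(ip), "gateway": str(gw), "netmask": str(mask), "vlan_id": int(vlan_id)}


def is_valid_network_request(new_ip, gateway, netmask, vlan_id, management_cidr):
    """True when build_network_request accepts the inputs, False when it rejects them."""
    try:
        build_network_request(new_ip, gateway, netmask, vlan_id, management_cidr)
        return True
    except ValueError:
        return False


def send_network_request(body, username, password, cafile=None,
                         current_ip=VXRAIL_MANAGER_DEFAULT_IP, timeout=30):
    """POST the body to VxRail Manager over TLS, verifying the server certificate against
    cafile (or the system trust store) rather than disabling verification. Needs a live
    VxRail Manager, so it is not exercised by the tests."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{current_ip}{NETWORK_ENDPOINT}",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status, resp.read().decode()


def is_reachable(ip, port=443, timeout=5):
    """Step 4 of the procedure: confirm the new address answers on the HTTPS port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed management network values; replace with your own.
    body = build_network_request("10.10.0.50", "10.10.0.1", "255.255.255.0", 1611, "10.10.0.0/24")
    print(json.dumps(body, indent=2))
```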

What to do next

Update the VxRail Manager certificate. See Update the VxRail Manager Certificate.

Update the VxRail Manager Certificate

After you change the VxRail Manager IP address to support using the Workflow Optimization
script, you must update the VxRail Manager certificate.

Prerequisites

Change the VxRail Manager IP Address

Procedure

1 Using SSH, log in to VxRail Manager VM using the management IP address, with the user
name mystic and default mystic password.

2 Type su to switch to the root account and enter the default root password.

3 Navigate to the /mystic directory.

4 Run the script:

./generate_ssl.sh VxRail-Manager-FQDN

Replace VxRail-Manager-FQDN with the VxRail Manager hostname.


Creating VxRail VI Workload Domains

You can create a VxRail VI workload domain using the SDDC Manager UI or using the Workflow
Optimization script.

When you use the product UI, you complete the steps in the SDDC Manager UI. Starting with
VMware Cloud Foundation 5.1, you can use the SDDC Manager UI to create a VI workload domain
with advanced switch configurations.

Alternatively, you can use the Workflow Optimization script to create a VI workload domain.
See Create a VxRail VI Workload Domain Using the Workflow Optimization Script. The Workflow
Optimization script supports using a JSON file for cluster configuration.

Create a VxRail VI Workload Domain in the SDDC Manager UI

Use the VxRail VI Configuration wizard to create a VI workload domain.

To create a VI workload domain that uses a static IP pool for the Host Overlay Network TEPs
for L3 aware and stretch clusters, you must use the VMware Cloud Foundation API. See Create a
Domain in the VMware Cloud Foundation on Dell VxRail API Reference Guide.

The SDDC Manager UI supports running multiple VxRail VI workload domain creation tasks in
parallel.

Procedure

1 In the SDDC Manager UI navigation pane, click Inventory > Workload Domains.

2 Click + Workload Domain and then select VI-VxRail Virtual Infrastructure Setup.

3 Make sure the prerequisites are met. See Prerequisites for a Workload Domain. To continue,
click GET STARTED.


4 Select the type of storage to use for this workload domain. Click SELECT.

Note vSAN Express Storage Architecture (ESA) requires vSphere Lifecycle Manager images.


5 Provide the following information to complete the VxRail VI Configuration.

Option Description

VxRail Manager - VxRail Manager Hostname (must be an FQDN)

CONNECT to VxRail Manager and confirm the SSL thumbprints of VxRail
Manager.
- VxRail Manager Admin Credentials
  - Admin Username
  - Admin Password
  - Confirm Admin Password
- VxRail Manager Root Credentials
  - Root Username
  - Root Password
  - Confirm Root Password

General Info Provide basic information about the workload domain, including the SSO
domain. When you create a VI workload domain, you can join it to the
management domain's vCenter Single Sign-On domain or a new vCenter
Single Sign-On domain that is not used by any other workload domain.
Joining a new vCenter Single Sign-On domain enables a VI workload domain
to be isolated from the other workload domains in your VMware Cloud
Foundation instance. The vCenter Single Sign-On domain for a VI workload
domain determines the local authentication space.
- Virtual Infrastructure Name - The name must be unique and contain
between 3 and 20 characters. The VI name can include letters, numbers,
and hyphens, but it cannot include spaces.
- Datacenter Name
- SSO domain
  - Create New SSO Domain

Note All components in the management domain must be upgraded
to VMware Cloud Foundation 5.0 before you can create a new SSO
domain.
  - Join Management SSO Domain
- Lifecycle Management - Select the Manage clusters in this workload
domain using vLCM images check box to use vSphere Lifecycle
Manager images. If you do not select the check box, the clusters in the
workload domain use vSphere Lifecycle Manager baselines.

Note
- vLCM images are managed by VxRail Manager.
- vSAN Express Storage Architecture (ESA) requires vSphere Lifecycle
Manager images.
- Two-node clusters are not supported in a VI workload domain that
uses vSphere Lifecycle Manager baselines.
If you are creating a new SSO domain, provide the following information:
- Enter the domain name, for example mydomain.local.

Note Ensure that the domain name does not contain any upper-case
letters.
- Set the password for the SSO administrator account.


This is the password for the user administrator@your_domain_name.
- Confirm the administrator password.

Host Selection Add ESXi hosts with similar or identical configurations across all cluster
members, including similar or identical storage configurations. A minimum
of 3 hosts is required.

Note The Primary node is selected by default.

a Select the ESXi hosts to add and click Provide Host Details.
b Enter the FQDNs and passwords for the hosts.
c Click Resolve Hosts IP address.
d Click Next.

Cluster Enter a name for the first cluster in the new workload domain.
The name must be unique and contain between 3 and 80 characters. The
cluster name can include letters, numbers, and hyphens, and it can include
spaces.

Compute Provide information about the vCenter configuration.
- vCenter FQDN (must be a fully qualified domain name)
- vCenter Subnet Mask
- vCenter Default Gateway
- vCenter Root Password
- Confirm vCenter Root Password


Networking Provide information about the NSX Manager cluster to use with the VI
workload domain. If you already have an NSX Manager cluster for a different
VI workload domain, you can reuse that NSX Manager cluster or create a
new one.
- Create New NSX instance

Note
- You must create an NSX Manager instance if this is the first VI
workload domain in your VMware Cloud Foundation instance.
- You must create a new NSX Manager instance if your VI workload
domain is joining a new SSO domain.

  - Provide the NSX Manager cluster details:
    - NSX Manager cluster FQDN
    - FQDNs for three NSX Manager nodes
    - Subnet mask
    - Default gateway
    - NSX Manager Admin password
- Use Existing NSX instance

Note
- You cannot share an NSX Manager instance between VI workload
domains that are in different SSO domains.
- If you are creating a new SSO domain for the VI workload domain,
the NSX Manager instance will be shared with one or more VI
workload domains in different SSO domains.
- In order to share an NSX Manager instance, the VI workload domains
must use the same update method. The VI workload domains must
both use vSphere Lifecycle Manager baselines or they must both use
vSphere Lifecycle Manager images.

  - Select the NSX Manager instance.

Note NSX Managers for workload domains that are in the process
of deploying are not able to be shared and do not appear in the list
of available NSX Managers.


Switch Configuration Provide the distributed switch configuration to be applied to the hosts in
the VxRail cluster. Select a predefined vSphere distributed switch (VDS)
configuration profile or create a custom switch configuration.
For custom switch configuration, specify:
- VDS name
- MTU
- Number of uplinks
- Uplink to vmnic mapping
Click Configure Network Traffic to configure the following networks:
- Management
- vMotion
- vSAN
- Host Discovery
- System VM
For each network, specify:
- Distributed port group name
- MTU
- Load balancing policy
- Active and standby links
For the NSX network, specify:
- Operational mode
- Transport zone type
- NSX-Overlay Transport Zone Name
- For NSX Overlay, enter a VLAN ID and select the IP assignment type for
the Host Overlay Network TEPs.

Note For DHCP, a DHCP server must be configured on the NSX host
overlay (Host TEP) VLAN. When NSX creates TEPs for the VI workload
domain, they are assigned IP addresses from the DHCP server.

For static IP Pool, you can re-use an existing IP pool or create a new one.
Make sure the IP range includes enough IP addresses for the number
of hosts that will use the static IP Pool. The number of IP addresses
required depends on the number of pNICs on the ESXi hosts that
are used for the vSphere Distributed Switch that handles host overlay
networking. For example, a host with four pNICs that uses two pNICs for
host overlay traffic requires two IP addresses in the static IP pool.
- Teaming policy uplink mapping
- NSX Uplink Profile Name
- Teaming policy
- Active and standby links

Note VDS configuration requires homogeneous host network adapters
across all hosts. Only adapters of the same enumeration across all hosts can be
used for configuring VDS.


Host Networks Configure the Host network details.
- Management Network: VLAN ID, CIDR, and Gateway
- vSAN: VLAN ID, CIDR, Gateway, and IP Range
- vMotion Network: VLAN ID, CIDR, Gateway, and IP Range
- VM Management Network: Activate Same as Host Management or enter
a VLAN ID, CIDR, and Gateway.

Licenses Select License Now or License Later.
- License Now: Select a license key for each of the components in the VI
workload domain.
- License Later: VMware Cloud Foundation components are deployed in
evaluation mode.

Important After your VI workload domain is created, you must switch
to licensed mode by:
- Adding component license keys in the SDDC Manager UI. See Add a
Component License Key in the SDDC Manager UI. Or,
- Adding a solution license key in the vSphere Client. See Managing
vSphere Licenses for information about using a solution license key
for vCenter Server. If you are using a solution license key, you
must also add a VMware vSAN license key for vSAN clusters. See
Configure License Settings for a vSAN Cluster.

Note After you assign a solution key for vCenter Server, VMware
NSX automatically uses that solution license key.

Review Review and confirm the Workload Domain settings.

Validation Validates the configuration

6 On the Validation page, wait until all of the inputs have been successfully validated and then
click Finish.

If validation is unsuccessful, you cannot proceed. Use the Back button to modify your
settings and try again.

The Create a VxRail VI Workload Domain task is triggered.

Create a VxRail VI Workload Domain Using the Workflow Optimization Script

You can create a VxRail VI workload domain using the Workflow Optimization script.

The Workflow Optimization script uses the VMware Cloud Foundation on Dell VxRail API to
perform all of the steps to create a VI workload domain in one place. See Create a Domain with
Workflow Optimization for more information about the API.

Prerequisites

Make sure that the Prerequisites for a Workload Domain are met before using the Workflow
Optimization script.


Procedure

1 Download the .zip file for the Workflow Optimization script.

See https://community.broadcom.com/vmware-code/viewdocument/vcf-on-vxrail-workflow-optimization-8.

2 Unzip the file and copy the directory (WorkflowOptimization-VCF-<version>) to the
/home/vcf directory on the SDDC Manager VM.

3 Remove the storage name/value from the JSON.

4 Using SSH, log in to the SDDC Manager VM as vcf.

5 In the /home/vcf/WorkflowOptimization-VCF-<version> directory, run python
vxrail_workflow_optimization_automator.py.

6 Follow the prompts to create a VI workload domain.

The README.md file in the WorkflowOptimization-VCF-<version> directory provides
detailed instructions on how to use the script.

Delete a VI Workload Domain

You can delete a VI workload domain from SDDC Manager UI.

Deleting a VI workload domain also removes the components associated with the VI workload
domain from the management domain. This includes the vCenter Server instance and the NSX
Manager cluster instances.

Note If the NSX Manager cluster is shared with any other VI workload domains, it will not be
deleted.

Caution Deleting a workload domain is an irreversible operation. All clusters and virtual
machines within the VI workload domain are deleted and the underlying datastores are
destroyed.

It can take up to 20 minutes for a VI workload domain to be deleted. During this process, you
cannot perform any operations on workload domains.

Prerequisites

- If remote vSAN datastores are mounted on a cluster in the VI workload domain, then the
VI workload domain cannot be deleted. To delete such VI workload domains, you must first
migrate any virtual machines from the remote datastore to the local datastore and then
unmount the remote vSAN datastores from vCenter Server.

- If you require access after deleting a VI workload domain, back up the data. The datastores
on the VI workload domain are destroyed when it is deleted.

- Migrate the virtual machines that you want to keep to another workload domain using cross
vCenter vMotion.


- Delete any workload virtual machines created outside VMware Cloud Foundation before
deleting the VI workload domain.

- Delete any NSX Edge clusters hosted on the VI workload domain. See KB 78635.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 Click the vertical ellipsis (three dots) next to the VI workload domain you want to delete and
click Delete Domain.

3 On the Delete Workload Domain dialog box, click Delete Workload Domain.

A message indicating that the VI workload domain is being deleted appears. When the
removal process is complete, the VI workload domain is removed from the domains table.

What to do next

If you delete an isolated VI workload domain that created an NSX Manager cluster that is shared
with another isolated VI workload domain, you need to register NSX Manager as a relying partner
to the remaining VI workload domain. See https://kb.vmware.com/s/article/95445.

View Workload Domain Details

The Workload Domains page displays high level information about the workload domains in a
VMware Cloud Foundation instance. CPU, memory, and storage utilized by the workload domain
is also displayed here.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

Tip

Click the show or hide columns icon to view additional information about the workload
domains, including the SSO domain.

2 In the workload domains table, click the name of the workload domain.


Tab Information Displayed

Summary Provides information about:
- Resource usage: CPU, memory, and storage resources for the workload domain.
- Network: NSX Manager IP address and DNS name.
- General information, including SSO domain.
- Certificates
- Tags

Services SDDC software stack components deployed for the workload domain's virtual environment
and their IP addresses. Click a component name to navigate to that aspect of the virtual
environment. For example, click vCenter Server to reach the vSphere Client for that workload
domain.
All the capabilities of a VMware SDDC are available to you in the VI workload domain's
environment, such as creating, provisioning, and deploying virtual machines, configuring the
software-defined networking features, and so on.

Updates Available updates for the workload domain.

Update History Updates applied to this workload domain.

Hosts Names, IP addresses, status, associated clusters, and capacity utilization of the hosts in the
workload domain and the network pool they are associated with.

Clusters Names of the clusters, number of hosts in the clusters, and their capacity utilization.

Edge Clusters Names of the NSX Edge clusters, NSX Edge nodes, and their status.

Certificates Default certificates for the VMware Cloud Foundation components. For more information, see
Chapter 9 Managing Certificates in VMware Cloud Foundation.


Expand a Workload Domain

You can expand a workload domain by adding a new VxRail cluster or adding hosts to an existing
VxRail cluster.

To add a VxRail cluster to a workload domain, you can use the SDDC Manager UI or the
Workflow Optimization script.

Method Details

SDDC Manager UI Supports most use cases, including multiple vSphere
distributed switches and advanced switch configuration.

Workflow Optimization script Supports all SDDC Manager UI functionality. In addition,
supports custom datastore names, remote vSAN
datastores, and using a JSON file for cluster configuration.
Download the script and refer to the README.md for
instructions.

Add a VxRail Cluster to a Workload Domain Using the SDDC Manager UI

You can expand an existing workload domain by adding a VxRail cluster using the SDDC
Manager UI.

Prerequisites

- Image the workload domain nodes. For information on imaging the nodes, refer to Dell EMC
VxRail documentation.

- The IP addresses and Fully Qualified Domain Names (FQDNs) for the ESXi hosts, VxRail
Manager, and NSX Manager instances must be resolvable by DNS.

- If you are using DHCP for the NSX Host Overlay Network, a DHCP server must be configured
on the NSX Host Overlay VLAN of the management domain. When VMware NSX creates
TEPs for the VI workload domain, they are assigned IP addresses from the DHCP server.

- Change the VxRail Manager IP Address

- Update the VxRail Manager Certificate

Procedure

1 In the navigation pane, click Inventory > Workload Domains. The Workload Domains page
displays information for all workload domains.

2 In the workload domains table, hover your mouse in the VxRail workload domain row.

A set of three dots appears on the left of the workload domain name.

3 Click these three dots. Click Add VxRail Cluster.

4 Make sure the prerequisites are met. To continue, click Get Started.


5 Select the type of storage to use for this workload domain. Click Select.

For vSAN storage, you can enable vSAN ESA if the workload domain is using vSphere
Lifecycle Manager images.

6 Provide the following information to Add VxRail Cluster to VI-VxRail.

Option Description

VxRail Manager - VxRail Manager Hostname (must be an FQDN)

Click Connect and confirm the SSL fingerprint of the VxRail Manager.
- VxRail Manager Admin Credentials
  - Admin Username
  - Admin Password
  - Confirm Admin Password
- VxRail Manager Root Credentials
  - Root Username
  - Root Password
  - Confirm Root Password

Host Selection Add ESXi hosts with similar or identical configurations across all cluster
members, including similar or identical storage configurations. A minimum
of 3 hosts is required.

Note The Primary node is selected by default.

a Select the ESXi hosts to add and click Provide Host Details.
b Enter the FQDNs and passwords for the hosts.
c Click Resolve Hosts IP address.
d Click Next.

Cluster Enter a name for the first cluster that will be created in this new workload
domain.
The name must be unique and contain between 3 and 80 characters. The
cluster name can include letters, numbers, and hyphens, and it can include
spaces.


Switch Configuration Provide the distributed switch configuration to be applied to the hosts in
the VxRail cluster. Select a predefined vSphere distributed switch (VDS)
configuration profile or create a custom switch configuration.
For custom switch configuration, specify:
- VDS name
- MTU
- Number of uplinks
- Uplink to vmnic mapping
Click Configure Network Traffic to configure the following networks:
- Management
- vMotion
- vSAN
- Host Discovery
- System VM
For each network, specify:
- Distributed port group name
- MTU
- Load balancing policy
- Active and standby links
For the NSX network, specify:
- Operational mode
- Transport zone type
- NSX-Overlay Transport Zone Name
- For NSX Overlay, enter a VLAN ID and select the IP assignment type for
the Host Overlay Network TEPs.

Note For DHCP, a DHCP server must be configured on the NSX host
overlay (Host TEP) VLAN. When NSX creates TEPs for the VI workload
domain, they are assigned IP addresses from the DHCP server.

For static IP Pool, you can re-use an existing IP pool or create a new one.
Make sure the IP range includes enough IP addresses for the number
of hosts that will use the static IP Pool. The number of IP addresses
required depends on the number of pNICs on the ESXi hosts that
are used for the vSphere Distributed Switch that handles host overlay
networking. For example, a host with four pNICs that uses two pNICs for
host overlay traffic requires two IP addresses in the static IP pool.
- Teaming policy uplink mapping
- NSX Uplink Profile Name
- Teaming policy
- Active and standby links

Note VDS configuration requires homogeneous host network adapters
across all hosts. Only adapters of the same enumeration across all hosts can be
used for configuring VDS.


Host Networks Configure the Host network details.
- Management Network: VLAN ID, CIDR, and Gateway
- vSAN: VLAN ID, CIDR, Gateway, and IP Range
- vMotion Network: VLAN ID, CIDR, Gateway, and IP Range
- VM Network: Select Same as Host Management to use the host
Management network information to create a new port group for VM
Management traffic or enter a VLAN ID, CIDR, and Gateway for the new
port group.

Licenses Select License Now or License Later.
- License Now: Select a license key for each of the components in the
cluster.
- License Later: VMware Cloud Foundation components are deployed in
evaluation mode.

Important After the cluster is created, you must switch to licensed
mode by:
- Adding component license keys in the SDDC Manager UI. See Add a
Component License Key in the SDDC Manager UI. Or,
- Adding a solution license key in the vSphere Client. See Managing
vSphere Licenses. If you are using a solution license key, you
must also add a VMware vSAN license key for vSAN clusters. See
Configure License Settings for a vSAN Cluster.

Review Review and confirm the Workload Domain settings.

Validation Validates the configuration

7 On the Validation page, wait until all of the inputs have been successfully validated.

If validation is unsuccessful, you cannot proceed. Use the Back button to modify your
settings and try again.

8 Click Finish.

The add VxRail cluster task is triggered.

Add VxRail Hosts to a Cluster in VMware Cloud Foundation

You can add new hosts to an existing VxRail cluster to provide more capacity.

If the vSphere cluster hosts an NSX Edge cluster, you can only add new hosts with the same
management, uplink, host TEP, and Edge TEP networks (L2 uniform) as the existing hosts.

If the cluster to which you are adding hosts uses a static IP pool for the Host Overlay Network
TEPs, that pool must include enough IP addresses for the hosts you are adding. The number of
IP addresses required depends on the number of pNICs on the ESXi hosts that are used for the
vSphere Distributed Switch that handles host overlay networking. For example, a host with four
pNICs that uses two pNICs for host overlay traffic requires two IP addresses in the static IP pool.
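The pool-sizing rule stated here, and in the static IP pool note of the Switch Configuration step, as an added example that is not part of the guide: it counts the TEP addresses a cluster needs from its hosts and overlay pNICs, measures the pool's ranges, and reports any shortfall before hosts are added. The address ranges used are constructed.

```python
"""Size a static IP pool for Host Overlay Network TEPs (added example, not from the guide).

Rule from the guide: each pNIC used on the distributed switch that carries host overlay
traffic gets its own TEP, so a host needs one pool address per overlay pNIC.
"""
import ipaddress


def tep_addresses_required(host_count, overlay_pnics_per_host):
    """Addresses the pool must hold for host_count hosts with the given overlay pNIC count."""
    if host_count < 0 or overlay_pnics_per_host < 1:
        raise ValueError("host_count must be >= 0 and overlay_pnics_per_host >= 1")
    return host_count * overlay_pnics_per_host


def pool_capacity(ranges):
    """Total addresses in a list of inclusive (start, end) ranges, rejecting reversed or
    overlapping ranges so the count cannot be inflated by a mis-typed pool definition."""
    seen = []
    total = 0
    for start, end in ranges:
        a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if b < a:
            raise ValueError(f"range {start}-{end} is reversed")
        for c, d in seen:
            if a <= d and c <= b:
                raise ValueError(f"range {start}-{end} overlaps {c}-{d}")
        seen.append((a, b))
        total += int(b) - int(a) + 1
    return total


def pool_shortfall(ranges, existing_hosts, new_hosts, overlay_pnics_per_host):
    """Addresses missing from the pool once new_hosts join existing_hosts; 0 means the pool
    is large enough. Existing hosts count because they already hold pool addresses."""
    needed = tep_addresses_required(existing_hosts + new_hosts, overlay_pnics_per_host)
    return max(0, needed - pool_capacity(ranges))


if __name__ == "__main__":
    # Constructed pool: ten addresses for a three-host cluster with two overlay pNICs per host.
    pool = [("10.30.0.10", "10.30.0.19")]
    print("adding 2 hosts, shortfall:", pool_shortfall(pool, 3, 2, 2))
    print("adding 3 hosts, shortfall:", pool_shortfall(pool, 3, 3, 2))
```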

Prerequisites

- Image the new node(s).


- Discover and add new node(s) to the cluster using the VxRail Manager plugin for vCenter
Server. See the Dell documentation.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 In the workload domains table, click the name of the workload domain that you want to
expand.

3 Click the Clusters tab.

4 Click the name of the cluster where you want to add a host.

5 Click Actions > Add VxRail Hosts.

6 Select the cluster expansion type.

This option only appears if the vSphere cluster hosts an NSX Edge cluster.

Option Description

L2 Uniform Select if all hosts you are adding to the vSphere cluster have the same
management, uplink, host TEP, and Edge TEP networks as the existing hosts
in the vSphere cluster.

L2 non-uniform and L3 You cannot proceed if any of the hosts you are adding to the vSphere
cluster have different networks than the existing hosts in the vSphere
cluster. VMware Cloud Foundation does not support adding hosts to L2
non-uniform and L3 vSphere clusters that host an NSX Edge cluster.

7 On the Discovered Hosts page, enter the SSH password for the host and click Add.

8 On the Thumbprint Verification page, click to confirm the SSH thumbprints for the ESXi
hosts.

9 On the Validation page, wait until all of the inputs have been successfully validated.

If validation is unsuccessful, you cannot proceed. Use the Back button to modify your
settings and try again.

10 Click Finish.

Reduce a Workload Domain

You can reduce a workload domain by removing a host from a cluster in the workload domain or
by deleting a cluster.

Remove a Host from a Cluster in a Workload Domain

You can remove a host from a cluster in a workload domain through the Workload Domains
page in SDDC Manager UI.


When a host is removed, the vSAN members are reduced. Ensure that you have enough hosts
remaining to facilitate the configured vSAN availability. Failure to do so might result in the
datastore being marked as read-only or in data loss.

Prerequisites

Use the vSphere Client to make sure that there are no critical alarms on the cluster from which
you want to remove the host.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 In the workload domains table, click the name of the workload domain that you want to
modify.

3 Click the Clusters tab.

4 Click the name of the cluster from which you want to remove a host.

5 Click the Hosts tab.

6 Select the host(s) to remove and click Remove Selected Hosts.

7 Click Remove to confirm the action.

The details page for the cluster appears with a message indicating that the host is being
removed. When the removal process is complete, the host is removed from the hosts table
and deleted from vCenter Server.

Delete a VxRail Cluster

You can delete a VxRail cluster from the management domain or from a VI workload domain.
Datastores on the ESXi hosts in the deleted cluster are destroyed.

You cannot delete the last cluster in a workload domain. Instead, delete the workload domain.

Prerequisites

- If vSAN remote datastores are mounted on the cluster, the cluster cannot be deleted. To
delete such clusters, you must first migrate any VMs from the remote datastore to the local
datastore and then unmount the vSAN remote datastores from vCenter Server.

- Delete any workload VMs created outside of VMware Cloud Foundation before deleting the
cluster.

- Migrate or back up the VMs and data on the datastore associated with the cluster to another
location.

- Delete the NSX Edge clusters hosted on the VxRail cluster or shrink the NSX Edge cluster
by deleting Edge nodes hosted on the VxRail cluster. You cannot delete Edge nodes if doing
so would result in an Edge cluster with fewer than two Edge nodes. For information about
deleting an NSX Edge cluster, see KB 78635.


Procedure

1 In the navigation pane, click Inventory > Workload Domains.

The Workload Domains page displays information for all workload domains.

2 Click the name of the workload domain that contains the cluster you want to delete.

3 Click the Clusters tab to view the clusters in the workload domain.

4 Hover your mouse in the cluster row you want to delete.

5 Click the three dots next to the cluster name and click Delete VxRail Cluster.

6 Click Delete Cluster to confirm that you want to delete the cluster.

The details page for the workload domain appears with a message indicating that the cluster
is being deleted. When the removal process is complete, the cluster is removed from the
clusters table.

Rename a Workload Domain


You can rename any workload domain from within the SDDC Manager UI.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 Click the vertical ellipsis (three dots) in the Domain row for the workload domain you want to
rename and click Rename Domain.

3 Enter a new name for the workload domain and click Rename.

vSphere Cluster Management


You can view vSphere cluster details from the SDDC Manager UI and rename the vSphere Cluster
using the vSphere Client if required.

View vSphere Cluster Details


The cluster summary page displays high level information about the vSphere cluster as well as
the hosts that form that cluster. CPU, memory, and storage utilization are also displayed.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 In the workload domains table, click the name of a workload domain.

3 Click the Clusters tab.

4 In the clusters table, click the name of a vSphere cluster.

The cluster detail page appears. The tabs on the page display additional information as
described in the table below.

Tab Information Displayed

Summary Displays information about resource usage, storage, and cluster tags.

Hosts Details about the ESXi hosts in the vSphere cluster. You can click a name in the FQDN column
to access the host summary page.

What to do next

You can add or remove a host, or access the vSphere Client from this page.

Rename a Cluster in the SDDC Manager UI


You can rename a cluster managed by SDDC Manager in a Management Workload Domain. The
SDDC Manager UI is updated with the new name.

Prerequisites

Ensure that you do not rename a cluster in the following conditions:

n When the cluster belongs to a workflow that is in progress.

n When the cluster belongs to a failed VI workload domain workflow, cluster workflow, or host
workflow. If you rename a cluster that belongs to a failed workflow, restarting the failed
workflow is not supported.

Procedure

1 On the SDDC Manager Dashboard, click Inventory > Workload Domains.

2 Click a workload domain.

3 Under the Clusters tab, click a cluster that you want to rename.

4 On the right side of the cluster's name, click ACTIONS > Rename Cluster.

You can also click the vertical ellipsis (three dots) in the clusters table for the cluster you want
to rename and click Rename Cluster.
The Rename Cluster window appears.

5 In the New Cluster Name textbox, enter a new name for the cluster and click RENAME.

6 Click DONE.

Results

In the Tasks panel, you can see the description and track the status of your newly renamed
cluster.

Tag Management
A tag is a label that you can apply to objects in the vSphere inventory. You can use tags to
capture a variety of metadata about your vSphere inventory and to organize and retrieve objects
quickly. You create tags and categories in the vSphere Client and then assign or remove tags for
your workload domains, clusters, and hosts in the SDDC Manager UI.

See vSphere Tags for more information about how to create and manage tags and categories.

If multiple vCenter Server instances in your VMware Cloud Foundation deployment are
configured to use Enhanced Linked Mode, tags and tag categories are replicated across all these
vCenter Server instances. This is the case for all VI workload domains that are joined to the same
SSO domain as the management domain. Isolated VI workload domains, that do not share the
management SSO domain, do not share its tags and categories.

Tag a Workload Domain


You can assign a tag to your Workload Domain from the SDDC Manager UI by performing the
following steps:

Procedure

1 On the SDDC Manager UI, click Inventory > Workload Domains > Management and click the
Workload Domain.

2 Under the Summary > Tags tile window, click ASSIGN.

3 Select tags and click ASSIGN.

Note If no tags are shown in the Assign Tag window, click OPEN VSPHERE TAG MANAGEMENT, which
redirects you to the vSphere Client, to create new tags and tag categories. See vSphere Tags for
more information on the tagging functionality.

Remove a Tag from your Workload Domain


You can remove a tag from your workload domain in the SDDC Manager UI by performing the
following steps:

Procedure

1 On the SDDC Manager UI, click Inventory > Workload Domains > Management and click the
workload domain.

2 Under the Summary > Tags tile window, you will see tags listed with a cross mark beside the
tag names.

3 Click the cross mark of a tag that you want to remove in the Tags tile window.

4 The Remove Tag window appears. Click REMOVE.

Tag a Cluster
You can assign a tag to your cluster from the SDDC Manager UI by performing the following
steps:

Procedure

1 On the SDDC Manager UI, click Inventory > Workload Domains > Management > Workload
Domain > Clusters tab and click on the cluster.

2 Under the Summary > Tags tile window, click ASSIGN.

3 Select tags and click ASSIGN.

Note If no tags are shown in the Assign Tag window, click OPEN VSPHERE TAG MANAGEMENT, which
redirects you to the vSphere Client, to create new tags and tag categories. See vSphere Tags for
more information on the tagging functionality.

Remove a Tag from your Cluster


You can remove a tag from your cluster in the SDDC Manager UI by performing the following
steps:

Procedure

1 On the SDDC Manager UI, click Inventory > Workload Domains > Management > Workload
Domain > Clusters tab and click on the cluster.

2 Under the Summary > Tags tile window, you will see tags listed with a cross mark beside the
tag names.

3 Click the cross mark of a tag that you want to remove in the Tags tile window.

4 The Remove Tag window appears. Click REMOVE.

Tag a Host
You can assign a tag to your host from the SDDC Manager UI by performing the following steps:

Procedure

1 On the SDDC Manager UI, click Inventory > Hosts tab and click on the host.

2 Under the Summary > Tags tile window, click ASSIGN.

3 Select tags and click ASSIGN.

Note If no tags are shown in the Assign Tag window, click OPEN VSPHERE TAG MANAGEMENT, which
redirects you to the vSphere Client, to create new tags and tag categories. See vSphere Tags for
more information on the tagging functionality.

Remove a Tag from your Host


You can remove a tag from your host in the SDDC Manager UI by performing the following steps:

Procedure

1 On the SDDC Manager UI, click Inventory > Hosts tab and click on the host.

2 Under the Summary > Tags tile window, you will see tags listed with a cross mark beside the
tag names.

3 Click the cross mark of a tag that you want to remove in the Tags tile window.

4 The Remove Tag window appears. Click REMOVE.

14 Managing NSX Edge Clusters in VMware Cloud Foundation

An NSX Edge cluster with 2-tier routing provides north-south routing and network services in the
management domain and VI workload domains. Add multiple NSX Edge clusters to a workload
domain for scalability and resiliency.

An NSX Edge cluster is a logical grouping of NSX Edge nodes that run on a vSphere cluster. NSX
supports a 2-tier routing model.

Component Connectivity Description

Tier-0 logical router Northbound The tier-0 logical router connects to one or more physical routers or layer 3
switches and serves as a gateway to the physical infrastructure.

Tier-0 logical router Southbound The tier-0 logical router connects to one or more tier-1 logical routers or
directly to one or more logical switches.

Tier-1 logical router Northbound The tier-1 logical router connects to a tier-0 logical router.

Tier-1 logical router Southbound The tier-1 logical router connects to one or more logical switches.

By default, workload domains do not include any NSX Edge clusters and workloads are isolated,
unless VLAN-backed networks are configured in vCenter Server. Add one or more NSX Edge
clusters to a workload domain to provide software-defined routing and network services.

Note You must create an NSX Edge cluster on the default management vSphere cluster in order
to deploy VMware Aria Suite products.

You can add multiple NSX Edge clusters to the management or the VI workload domains for
scalability and resiliency. For VMware Cloud Foundation configuration maximums refer to the
VMware Configuration Maximums website.

Note Unless explicitly stated in this matrix, VMware Cloud Foundation supports the
configuration maximums of the underlying products. Refer to the individual product configuration
maximums as appropriate.

The north-south routing and network services provided by an NSX Edge cluster created for a
workload domain are shared with all other workload domains that use the same NSX Manager
cluster.

Read the following topics next:

n Prerequisites for an NSX Edge Cluster

n Deploy an NSX Edge Cluster

n Add Edge Nodes to an NSX Edge Cluster

n Remove Edge Nodes from an NSX Edge Cluster

Prerequisites for an NSX Edge Cluster


Before you deploy an NSX Edge cluster on a workload domain, review the prerequisites.

n The workload domain must have NSX deployed.

n Verify that separate VLANs and subnets are available for the NSX host overlay VLAN and
NSX Edge overlay VLAN. You cannot use DHCP for the NSX Edge overlay VLAN.

n Verify that the NSX host overlay VLAN and NSX Edge overlay VLAN are routed to each
other.

n For dynamic routing, set up two Border Gateway Protocol (BGP) peers on Top of Rack (ToR)
switches with an interface IP, BGP autonomous system number (ASN), and BGP password.

n Reserve a BGP ASN to use for the NSX Edge cluster’s Tier-0 gateway.

n Verify that DNS entries for the NSX Edge nodes are populated in the customer-managed
DNS server.

n The vSphere cluster hosting an NSX Edge cluster must include hosts with identical
management, uplink, NSX host overlay TEP, and NSX Edge overlay TEP networks (L2
uniform).

n The management network and management network gateway for the NSX Edge nodes must
be reachable from the NSX host overlay and NSX Edge overlay VLANs.

Note VMware Cloud Foundation 4.5 and later support deploying an NSX Edge cluster on a
vSphere cluster that is stretched. Edge nodes are placed on ESXi hosts in the first availability
zone (AZ1) during NSX Edge cluster deployment.

Deploy an NSX Edge Cluster


Deploy an NSX Edge cluster to provide north-south routing and network services to a workload
domain.

SDDC Manager does not enforce rack failure resiliency for NSX Edge clusters. Make sure that the
number of NSX Edge nodes that you add to an NSX Edge cluster, and the vSphere clusters to
which you deploy the NSX Edge nodes, are sufficient to provide NSX Edge routing services in
case of rack failure.

After you create an NSX Edge cluster, you can use SDDC Manager to expand or shrink it by
adding or deleting NSX Edge nodes.

Note If you deploy the NSX Edge cluster with the incorrect settings or need to delete an NSX
Edge cluster for another reason, see KB 78635.

Prerequisites

See Prerequisites for an NSX Edge Cluster.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 In the Workload Domains page, click a domain name in the Domain column.

3 Select Actions > Add Edge Cluster.

4 Verify the prerequisites, select Select All, and click Begin.

5 Enter the configuration settings for the NSX Edge cluster and click Next.

Setting Description

Edge Cluster Name Enter a name for the NSX Edge cluster.

MTU Enter the MTU for the NSX Edge cluster. The MTU can be 1600-9000.

Tier-0 Router Name Enter a name for the tier-0 gateway.

Tier-1 Router Name Enter a name for the tier-1 gateway.

Edge Cluster Profile Type Select Default or, if your environment requires specific Bidirectional
Forwarding Detection (BFD) configuration, select Custom.

Edge Cluster Profile Name Enter an NSX Edge cluster profile name. (Custom Edge cluster profile only)

BFD Allowed Hop Enter the number of multi-hop Bidirectional Forwarding Detection (BFD)
sessions allowed for the profile. (Custom Edge cluster profile only)

BFD Declare Dead Multiple Enter the number of times a BFD packet can go unreceived before the
session is flagged as down. (Custom Edge cluster profile only)

BFD Probe Interval (milliseconds) BFD is a detection protocol used to identify forwarding path failures. Enter
a number to set the interval at which BFD probes for a forwarding path failure. (Custom Edge
cluster profile only)

Standby Relocation Threshold (minutes) Enter a standby relocation threshold in minutes. (Custom Edge cluster
profile only)

Edge Root Password Enter and confirm the password to be assigned to the root account of the
NSX Edge appliance.

Edge Admin Password Enter and confirm the password to be assigned to the admin account of the
NSX Edge appliance.

Edge Audit Password Enter and confirm the password to be assigned to the audit account of the
NSX Edge appliance.

NSX Edge cluster passwords must meet the following requirements:

n At least 12 characters

n At least one lower-case letter

n At least one upper-case letter

n At least one digit

n At least one special character (!, @, ^, =, *, +)

n At least five different characters

n No dictionary words

n No palindromes

n Monotonic character sequences of more than four characters are not allowed
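The password rules above, as an automated check that can be run on a candidate password before it is entered in the wizard. This is an added example, not code from the guide or from SDDC Manager; the short word list is a constructed stand-in for a real dictionary, and a monotonic sequence is taken to mean consecutive characters whose code points step by exactly one (abcde, 54321).

```python
# Added example: checks a candidate NSX Edge password against the rules listed
# in the guide. Assumptions (not from the guide): DICTIONARY_WORDS is a
# constructed stand-in for a real word list, and "monotonic character
# sequence" is read as consecutive characters whose code points step by +1/-1.

ALLOWED_SPECIALS = set("!@^=*+")      # the special characters the guide lists
MAX_MONOTONIC_RUN = 4                 # runs longer than this are rejected
DICTIONARY_WORDS = {"password", "vmware", "welcome", "admin", "broadcom"}


def longest_monotonic_run(pw: str) -> int:
    """Length of the longest run such as 'abcde' or '54321' (step +1 or -1)."""
    if not pw:
        return 0
    best = run = 1
    direction = 0                     # +1, -1, or 0 when no run is open
    for prev, cur in zip(pw, pw[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1) and direction in (0, step):
            run += 1                  # run starts or continues
        elif step in (1, -1):
            run = 2                   # direction flipped: new run of two
        else:
            run = 1
        direction = step if step in (1, -1) else 0
        best = max(best, run)
    return best


def contains_dictionary_word(pw: str) -> bool:
    low = pw.lower()
    return any(word in low for word in DICTIONARY_WORDS)


def check_edge_password(pw: str) -> list:
    """Return the rules the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("fewer than 12 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in ALLOWED_SPECIALS for c in pw):
        problems.append("no special character from ! @ ^ = * +")
    if len(set(pw)) < 5:
        problems.append("fewer than five different characters")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if len(pw) > 1 and pw.lower() == pw.lower()[::-1]:
        problems.append("password is a palindrome")
    if longest_monotonic_run(pw) > MAX_MONOTONIC_RUN:
        problems.append("monotonic character sequence longer than four")
    return problems


if __name__ == "__main__":
    # Constructed candidates: one that passes, one with a dictionary word,
    # one with the runs "abcde" and "12345".
    for candidate in ("Kq7!zR9p2Lm=", "Password123!", "abcde12345XY!"):
        print(candidate, "->", check_edge_password(candidate) or "OK")
```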

6 Specify the use case details and click Next.

Setting Description

Use Case n Select Kubernetes - Workload Management to create an NSX Edge cluster that complies with the
requirements for deploying vSphere IaaS Control Plane. See Chapter 17 VMware Cloud Foundation with
VMware Tanzu. If you select this option, you cannot modify the NSX Edge form factor or Tier-0
service high availability settings.
n Select Application Virtual Networks to create an NSX Edge cluster that complies with the
requirements for deploying VMware Aria Suite components. See Chapter 16 Deploying Application
Virtual Networks in VMware Cloud Foundation.

Note Management domain only.

n Select Custom if you want an NSX Edge cluster with a specific form factor or Tier-0 service high
availability setting.

Edge Form Factor n Small: 4 GB memory, 2 vCPU, 200 GB disk space. The NSX Edge Small
VM appliance size is suitable for lab and proof-of-concept deployments.
n Medium: 8 GB memory, 4 vCPU, 200 GB disk space. The NSX Edge
Medium appliance size is suitable for production environments with load
balancing.
n Large: 32 GB memory, 8 vCPU, 200 GB disk space. The NSX Edge
Large appliance size is suitable for production environments with load
balancing.
n XLarge: 64 GB memory, 16 vCPU, 200 GB disk space. The NSX Edge
Extra Large appliance size is suitable for production environments with
load balancing.

Tier-0 Service High Availability In the active-active mode, traffic is load balanced across all members. In
active-standby mode, all traffic is processed by an elected active member. If
the active member fails, another member is elected to be active.
Workload Management requires Active-Active.
Some services are only supported in Active-Standby: NAT, load balancing,
stateful firewall, and VPN. If you select Active-Standby, use exactly two NSX
Edge nodes in the NSX Edge cluster.

Tier-0 Routing Type Select Static or EBGP to determine the route distribution mechanism for
the tier-0 gateway. If you select Static, you must manually configure the
required static routes in NSX Manager. If you select EBGP, VMware Cloud
Foundation configures eBGP settings to allow dynamic route distribution.

ASN Enter an autonomous system number (ASN) for the NSX Edge cluster. (for
EBGP only)

7 Enter the configuration settings for the first NSX Edge node and click Add Edge Node.

Setting Description

Edge Node Name (FQDN) Enter the FQDN for the NSX Edge node. Each node must have a unique
FQDN.

Cluster Select a vSphere cluster to host the NSX Edge node.
You can select a standard vSphere cluster or a stretched vSphere cluster, but all the NSX Edge
nodes in an NSX Edge cluster must be hosted on vSphere clusters of the same type.

Note If the vSphere cluster you select already hosts management virtual machines that are
connected to the host Management port group, the VM Management Portgroup VLAN and VM
Management Portgroup Name settings are not available.

Cluster Type Select L2 Uniform if all hosts in the vSphere cluster have identical
management, uplink, host TEP, and Edge TEP networks.
Select L2 non-uniform and L3 if any of the hosts in the vSphere cluster have
different networks.

Important VMware Cloud Foundation does not support Edge cluster creation on L2 non-uniform and L3
vSphere clusters.

First NSX VDS Uplink Click Advanced Cluster Settings to map the first NSX Edge node uplink
network interface to a physical NIC on the host, by specifying the ESXi
uplink. The default is uplink1.
When you create an NSX Edge cluster, SDDC Manager creates two trunked
VLAN port groups. The information you enter here determines the active
uplink on the first VLAN port group. If you enter uplink3, then uplink3 is the
active uplink and the uplink you specify for the second NSX VDS uplink is
the standby uplink.
The uplink must be prepared for overlay use.

Second NSX VDS Uplink Click Advanced Cluster Settings to map the second NSX Edge node uplink
network interface to a physical NIC on the host, by specifying the ESXi
uplink. The default is uplink2.
When you create an NSX Edge cluster, SDDC Manager creates two trunked
VLAN port groups. The information you enter here determines the active
uplink on the second VLAN port group. If you enter uplink4, then uplink4
is the active uplink and the uplink you specify for the first NSX VDS uplink is
the standby uplink.
The uplink must be prepared for overlay use.

Management IP (CIDR) Enter the management IP for the NSX Edge node in CIDR format. Each node
must have a unique management IP.

Management Gateway Enter the IP address for the management network gateway.

VM Management Portgroup VLAN If the VM Management port group exists on the vSphere distributed switch
of the vSphere cluster that you selected to host the Edge node, then the VM
Management port group VLAN is displayed and cannot be edited.
If the VM Management port group does not exist on the vSphere distributed
switch of the vSphere cluster that you selected to host the Edge node, enter
a VLAN ID to create a new VM Management port group or click Use ESXi
Management VMK's VLAN to use the host Management Network VLAN to
create a new VM Management port group.

VM Management Portgroup Name If the VM Management port group exists on the vSphere distributed switch
of the vSphere cluster that you selected to host the Edge node, then the VM
Management port group name is displayed and cannot be edited.
Otherwise, type a name for the new port group.

Edge TEP 1 IP (CIDR) Enter the CIDR for the first NSX Edge TEP. Each node must have a unique
Edge TEP 1 IP.

Note You can configure Edge TEPs using an NSX IP pool instead of static addresses. IP pools can
be specified only through the VCF API, not through the UI.

Edge TEP 2 IP (CIDR) Enter the CIDR for the second NSX Edge TEP. Each node must have a
unique Edge TEP 2 IP. The Edge TEP 2 IP must be different than the Edge
TEP 1 IP.

Edge TEP Gateway Enter the IP address for the NSX Edge TEP gateway.

Edge TEP VLAN Enter the NSX Edge TEP VLAN ID.

First Tier-0 Uplink VLAN Enter the VLAN ID for the first uplink.
This is a link from the NSX Edge node to the first uplink network.

First Tier-0 Uplink Interface IP (CIDR) Enter the CIDR for the first uplink. Each node must have unique uplink
interface IPs.

Peer IP (CIDR) Enter the CIDR for the first uplink peer. (EBGP only)

Peer ASN Enter the ASN for the first uplink peer. (EBGP only)

BGP Peer Password Enter and confirm the BGP password. (EBGP only).

Second Tier-0 Uplink VLAN Enter the VLAN ID for the second uplink.
This is a link from the NSX Edge node to the second uplink network.

Second Tier-0 Uplink Interface IP (CIDR) Enter the CIDR for the second uplink. Each node must have unique
uplink interface IPs. The second uplink interface IP must be different from the first uplink
interface IP.

Peer IP (CIDR) Enter the CIDR for the second uplink peer. (EBGP only)

ASN Peer Enter the ASN for the second uplink peer. (EBGP only)

BGP Peer Password Enter and confirm the BGP password. (EBGP only).

8 Click Add More Edge Nodes to enter configuration settings for additional NSX Edge nodes.

A minimum of two NSX Edge nodes is required. NSX Edge cluster creation allows up to 8 NSX
Edge nodes if the Tier-0 Service High Availability is Active-Active and two NSX Edge nodes
per NSX Edge cluster if the Tier-0 Service High Availability is Active-Standby.

Note All Edge nodes in the NSX Edge cluster must use the same VM Management port
group VLAN and name.

9 When you are done adding NSX Edge nodes, click Next.

10 Review the summary and click Next.

SDDC Manager validates the NSX Edge node configuration details.

11 If validation fails, use the Back button to edit your settings and try again.

To edit or delete any of the NSX Edge nodes, click the three vertical dots next to an NSX
Edge node in the table and select an option from the menu.

12 If validation succeeds, click Finish to create the NSX Edge cluster.

You can monitor progress in the Tasks panel.
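Steps 5 through 8 state a number of consistency rules (MTU range, node counts per Tier-0 HA mode, unique FQDNs and IPs, one shared VM Management port group, EBGP peer details on every uplink). The following added example, which is not code from the guide or from SDDC Manager, models a cluster specification and checks those rules before the values are typed into the wizard; the field names, the sample addresses and the check that the TEP gateway lies in the TEP subnet are assumptions.

```python
# Added example: pre-flight check of an NSX Edge cluster specification against
# the rules stated in the Deploy an NSX Edge Cluster wizard. Not code from the
# guide or SDDC Manager; field names, sample values and the TEP gateway subnet
# check are constructed assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface


@dataclass
class Uplink:
    vlan: int                      # First/Second Tier-0 Uplink VLAN
    interface_cidr: str            # Tier-0 Uplink Interface IP (CIDR)
    peer_cidr: str = ""            # Peer IP (CIDR), EBGP only
    peer_asn: int = 0              # Peer ASN, EBGP only
    bgp_password: str = ""         # BGP Peer Password, EBGP only


@dataclass
class EdgeNode:
    fqdn: str                      # Edge Node Name (FQDN)
    mgmt_cidr: str                 # Management IP (CIDR)
    vm_mgmt_vlan: int              # VM Management Portgroup VLAN
    vm_mgmt_portgroup: str         # VM Management Portgroup Name
    tep1_cidr: str                 # Edge TEP 1 IP (CIDR)
    tep2_cidr: str                 # Edge TEP 2 IP (CIDR)
    tep_gateway: str               # Edge TEP Gateway
    uplinks: list = field(default_factory=list)


@dataclass
class EdgeCluster:
    name: str
    mtu: int                       # 1600-9000
    tier0_ha: str                  # "ACTIVE_ACTIVE" or "ACTIVE_STANDBY"
    routing_type: str              # "STATIC" or "EBGP"
    asn: int = 0                   # Tier-0 ASN, EBGP only
    nodes: list = field(default_factory=list)


def _duplicates(values):
    seen, dup = set(), set()
    for v in values:
        (dup if v in seen else seen).add(v)
    return sorted(dup)


def validate_edge_cluster(c: EdgeCluster) -> list:
    """Return the wizard rules the specification violates (empty list = OK)."""
    errors = []
    if not 1600 <= c.mtu <= 9000:
        errors.append(f"MTU {c.mtu} is outside 1600-9000")
    n = len(c.nodes)
    if n < 2:
        errors.append("at least two Edge nodes are required")
    if c.tier0_ha == "ACTIVE_ACTIVE" and n > 8:
        errors.append("Active-Active allows at most 8 Edge nodes")
    if c.tier0_ha == "ACTIVE_STANDBY" and n != 2:
        errors.append("Active-Standby requires exactly two Edge nodes")
    if c.routing_type == "EBGP" and not c.asn:
        errors.append("EBGP routing requires a Tier-0 ASN")
    for label, key in (("FQDN", lambda x: x.fqdn.lower()),
                       ("management IP", lambda x: x.mgmt_cidr),
                       ("Edge TEP 1 IP", lambda x: x.tep1_cidr),
                       ("Edge TEP 2 IP", lambda x: x.tep2_cidr)):
        for d in _duplicates(key(x) for x in c.nodes):
            errors.append(f"{label} {d} is used by more than one node")
    # Uplink interface IPs must be unique across nodes and within a node.
    for d in _duplicates(u.interface_cidr for x in c.nodes for u in x.uplinks):
        errors.append(f"uplink interface IP {d} is used more than once")
    if len({(x.vm_mgmt_vlan, x.vm_mgmt_portgroup) for x in c.nodes}) > 1:
        errors.append("all nodes must share one VM Management port group VLAN and name")
    for x in c.nodes:
        if x.tep1_cidr == x.tep2_cidr:
            errors.append(f"{x.fqdn}: Edge TEP 2 IP must differ from Edge TEP 1 IP")
        try:
            ip_interface(x.mgmt_cidr)
            tep_net = ip_interface(x.tep1_cidr).network
            if ip_address(x.tep_gateway) not in tep_net:   # assumed sanity check
                errors.append(f"{x.fqdn}: TEP gateway is not in the TEP subnet")
        except ValueError as exc:
            errors.append(f"{x.fqdn}: malformed address ({exc})")
        if len(x.uplinks) != 2:
            errors.append(f"{x.fqdn}: two Tier-0 uplinks are required")
        if c.routing_type == "EBGP":
            for i, u in enumerate(x.uplinks, 1):
                if not (u.peer_cidr and u.peer_asn and u.bgp_password):
                    errors.append(f"{x.fqdn}: uplink {i} needs peer IP, ASN and BGP password")
    return errors


def sample_cluster() -> EdgeCluster:
    """Constructed two-node EBGP cluster using the ASNs shown in Figure 14-1."""
    def node(i):
        return EdgeNode(
            fqdn=f"edge0{i}.vcf.example.com", mgmt_cidr=f"10.0.0.{10 + i}/24",
            vm_mgmt_vlan=100, vm_mgmt_portgroup="vm-mgmt",
            tep1_cidr=f"172.16.10.{10 + 2 * i}/24", tep2_cidr=f"172.16.10.{11 + 2 * i}/24",
            tep_gateway="172.16.10.1",
            uplinks=[Uplink(2711, f"172.27.11.{i}/24", "172.27.11.254/24", 65001, "bgp-secret"),
                     Uplink(2712, f"172.27.12.{i}/24", "172.27.12.254/24", 65001, "bgp-secret")])
    return EdgeCluster("ec01", 9000, "ACTIVE_ACTIVE", "EBGP", 65005, [node(1), node(2)])
```

Calling validate_edge_cluster(sample_cluster()) returns an empty list; altering one value, for example giving a node the same Edge TEP 2 IP as its Edge TEP 1 IP, returns the matching rule.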

Example

The following example shows a scenario with sample data. You can use the example to guide
you in creating NSX Edge clusters in your environment. Refer to the Planning and Preparation
Workbook for a complete list of sample values for creating an NSX Edge cluster.

Figure 14-1. Two-node NSX Edge cluster in a single rack

[Figure: physical layer 3 devices (ASN 65001) connected by ECMP to an NSX Edge cluster (ASN 65005)
of two Edge VMs, Edge VM 1 and Edge VM 2, hosting an Active/Active Tier-0 gateway and a Tier-1
gateway. Workload VMs are attached to Segment 1 (192.168.11.0/24) and Segment 2 (192.168.31.0/24).
Legend: VLANs, Tier-1 to Tier-0 connection, segment.]

What to do next

In NSX Manager, you can create segments connected to the NSX Edge cluster's tier-1 gateway.
You can connect workload virtual machines to these segments to provide north-south and east-
west connectivity.

Add Edge Nodes to an NSX Edge Cluster


You can add NSX Edge nodes to an NSX Edge Cluster that you created with SDDC Manager.

You might want to add NSX Edge nodes to an NSX Edge cluster for:

n Rack failure resiliency

n When the Tier-0 Service High Availability is Active-Standby and you require more than two
NSX Edge nodes for services.

Note Only two of the NSX Edge nodes can have uplink interfaces, but you can add more
nodes without uplink interfaces.

n When the Tier-0 Service High Availability is Active-Active and you require more than 8 NSX
Edge nodes for services.

n When you add Supervisor Clusters to a Workload Management workload domain and need
to support additional tier-1 gateways and services.

The available configuration settings for a new NSX Edge node vary based on:

n The Tier-0 Service High Availability setting (Active-Active or Active-Standby) of the NSX
Edge cluster.

n The Tier-0 Routing Type setting (static or EBGP) of the NSX Edge cluster.

n Whether the new NSX Edge node is going to be hosted on the same vSphere cluster as the
existing NSX Edge nodes (in-cluster) or on a different vSphere cluster (cross-cluster).

Prerequisites

n Verify that separate VLANs and subnets are available for the NSX host overlay VLAN and
NSX Edge overlay VLAN. You cannot use DHCP for the NSX Edge overlay VLAN.

n Verify that the NSX host overlay VLAN and NSX Edge overlay VLAN are routed to each
other.

n For dynamic routing, set up two Border Gateway Protocol (BGP) peers on Top of Rack (ToR)
switches with an interface IP, BGP autonomous system number (ASN), and BGP password.

n Reserve a BGP ASN to use for the NSX Edge cluster’s Tier-0 gateway.

n Verify that DNS entries for the NSX Edge nodes are populated in the customer-managed
DNS server.

n The vSphere cluster hosting the NSX Edge nodes must include hosts with identical
management, uplink, NSX host overlay TEP, and NSX Edge overlay TEP networks (L2
uniform).

n The vSphere cluster hosting the NSX Edge nodes must have the same pNIC speed for NSX-
enabled VDS uplinks chosen for Edge overlay.

n All NSX Edge nodes in an NSX Edge cluster must use the same set of NSX-enabled VDS
uplinks. These uplinks must be prepared for overlay use.

n The NSX Edge cluster must be Active.

n The NSX Edge cluster must be hosted on one or more vSphere clusters from the same
workload domain.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 In the Workload Domains page, click a domain name in the Domain column.

3 Click the Edge Clusters tab.

4 Click the vertical ellipsis menu for the Edge Cluster you want to expand and select Expand
Edge Cluster.

5 Verify the prerequisites, select Select All, and click Begin.

6 Enter and confirm the passwords for the NSX Edge cluster.

7 (Optional) Enter a name to create a new tier-1 gateway.

8 Enter the configuration settings for the new NSX Edge node and click Add Edge Node.

Setting Description

Edge Node Name (FQDN) Enter the FQDN for the NSX Edge node. Each node must have a unique
FQDN.

Cluster Select a vSphere cluster to host the NSX Edge node.
If the workload domain has multiple vSphere clusters, you can select the vSphere cluster hosting
the existing NSX Edge nodes (in-cluster expansion) or select a different vSphere cluster to host
the new NSX Edge nodes (cross-cluster expansion).

Note If the vSphere cluster you select already hosts management virtual machines that are
connected to the host Management port group, the VM Management Portgroup VLAN and VM
Management Portgroup Name settings are not available.

Cluster Type Select L2 Uniform if all hosts in the vSphere cluster have identical
management, uplink, host TEP, and Edge TEP networks.
Select L2 non-uniform and L3 if any of the hosts in the vSphere cluster have
different networks.

Important VMware Cloud Foundation does not support Edge cluster creation on L2 non-uniform and L3
vSphere clusters.

Management IP (CIDR) Enter the management IP for the NSX Edge node in CIDR format. Each node
must have a unique management IP.

Management Gateway Enter the IP address for the management network gateway.

VM Management Portgroup VLAN For in-cluster expansion, the new Edge node uses the same VM
Management port group VLAN as the other Edge nodes in the Edge cluster.
For cross-cluster expansion:
n If the VM Management port group exists on the vSphere distributed
switch of the vSphere cluster that you selected to host the Edge node,
then the VM Management port group VLAN is displayed and cannot be
edited.
n If the VM Management port group does not exist on the vSphere
distributed switch of the vSphere cluster that you selected to host the
Edge node, enter a VLAN ID to create a new VM Management port
group or click Use ESXi Management VMK's VLAN to use the host
Management Network VLAN for the VM Management port group.

VM Management Portgroup Name For in-cluster expansion, the new Edge node uses the same VM
Management port group name as the other Edge nodes in the Edge cluster.
For cross-cluster expansion:
n If the VM Management port group exists on the vSphere distributed
switch of the vSphere cluster that you selected to host the Edge node,
then the VM Management port group name is displayed and cannot be
edited.
n Otherwise, type a name for the port group.

Edge TEP 1 IP (CIDR) Enter the CIDR for the first NSX Edge TEP. Each node must have a unique
Edge TEP 1 IP.

Edge TEP 2 IP (CIDR) Enter the CIDR for the second NSX Edge TEP. Each node must have a
unique Edge TEP 2 IP. The Edge TEP 2 IP must be different than the Edge
TEP 1 IP.

Edge TEP Gateway Enter the IP address for the NSX Edge TEP gateway.

Edge TEP VLAN Enter the NSX Edge TEP VLAN ID.

First NSX VDS Uplink Specify an ESXi uplink to map the first NSX Edge node uplink network
interface to a physical NIC on the host. The default is uplink1.
The information you enter here determines the active uplink on the first
VLAN port group used by the NSX Edge node. If you enter uplink3, then
uplink3 is the active uplink and the uplink you specify for the second NSX
VDS uplink is the standby uplink.
(cross-cluster only)

Note For in-cluster NSX Edge cluster expansion, new NSX Edge nodes use
the same NSX VDS uplinks as the other Edge nodes hosted on the vSphere
cluster.

Second NSX VDS Uplink Specify an ESXi uplink to map the second NSX Edge node uplink network
interface to a physical NIC on the host. The default is uplink2.
The information you enter here determines the active uplink on the second
VLAN port group used by the NSX Edge node. If you enter uplink4, then
uplink4 is the active uplink and the uplink you specify for the first NSX VDS
uplink is the standby uplink.
(cross-cluster only)

Note For in-cluster NSX Edge cluster expansion, new NSX Edge nodes use
the same NSX VDS uplinks as the other Edge nodes hosted on the vSphere
cluster.

Add Tier-0 Uplinks Optional. Click Add Tier-0 Uplinks to add tier-0 uplinks.
(Active-Active only)

First Tier-0 Uplink VLAN Enter the VLAN ID for the first uplink.
This is a link from the NSX Edge node to the first uplink network.
(Active-Active only)

First Tier-0 Uplink Interface IP (CIDR) Enter the CIDR for the first uplink. Each node must have unique uplink
interface IPs.
(Active-Active only)

Peer IP (CIDR) Enter the CIDR for the first uplink peer.
(EBGP only)

Peer ASN Enter the ASN for the first uplink peer.
(EBGP only)

BGP Peer Password Enter and confirm the BGP password.
(EBGP only)

Second Tier-0 Uplink VLAN Enter the VLAN ID for the second uplink.
This is a link from the NSX Edge node to the second uplink network.
(Active-Active only)

Second Tier-0 Uplink Interface IP (CIDR) Enter the CIDR for the second uplink. Each node must have unique
uplink interface IPs. The second uplink interface IP must be different from the first uplink
interface IP.
(Active-Active only)

Peer IP (CIDR) Enter the CIDR for the second uplink peer.
(EBGP only)

ASN Peer Enter the ASN for the second uplink peer.
(EBGP only)

BGP Peer Password Enter and confirm the BGP password.
(EBGP only)

9 Click Add More Edge Nodes to enter configuration settings for additional NSX Edge nodes.

An NSX Edge cluster can contain a maximum of 10 NSX Edge nodes.

n For an NSX Edge cluster with a Tier-0 Service High Availability setting of Active-Active,
up to 8 of the NSX Edge nodes can have uplink interfaces.

n For an NSX Edge cluster with a Tier-0 Service High Availability setting of Active-Standby,
up to 2 of the NSX Edge nodes can have uplink interfaces.

10 When you are done adding NSX Edge nodes, click Next.

11 Review the summary and click Next.

SDDC Manager validates the NSX Edge node configuration details.

12 If validation fails, use the Back button to edit your settings and try again.

To edit or delete any of the NSX Edge nodes, click the three vertical dots next to an NSX
Edge node in the table and select an option from the menu.

13 If validation succeeds, click Finish to add the NSX Edge node(s) to the NSX Edge cluster.

You can monitor progress in the Tasks panel.

Remove Edge Nodes from an NSX Edge Cluster


You can remove NSX Edge nodes from an NSX Edge Cluster that you created with SDDC
Manager if you need to scale down to meet business needs.

For information about deleting an NSX Edge cluster, see KB 78635.

Prerequisites

n The NSX Edge cluster must be available in the SDDC Manager inventory and must be Active.

n The NSX Edge node must be available in the SDDC Manager inventory.

n The NSX Edge cluster must be hosted on one or more vSphere clusters from the same
workload domain.

n The NSX Edge cluster must contain more than two NSX Edge nodes.

n The NSX Edge cluster must not be federated or stretched.

n If the NSX Edge cluster was deployed with a Tier-0 Service High Availability of Active-Active,
the NSX Edge cluster must contain two or more NSX Edge nodes with two or more Tier-0
routers (SR component) after the NSX Edge nodes are removed.

n If selected edge cluster was deployed with a Tier-0 Service High Availability of Active-
Standby, you cannot remove NSX Edge nodes that are the active or standby node for the
Tier-0 router.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 In the Workload Domains page, click a domain name in the Domain column.

3 Click the Edge Clusters tab.

4 Click the vertical ellipsis menu for the Edge Cluster you want to shrink and select Shrink
Edge Cluster.


5 Select the Edge node(s) to remove and click Next.

6 Review the summary and click Next.

SDDC Manager validates the request.

7 If validation fails, use the Back button to edit your settings and try again.

Note You cannot remove the active and standby Edge nodes of a Tier-1 router at the same
time. You can remove one and then remove the other after the first operation is complete.

8 If validation succeeds, click Finish to remove the NSX Edge node(s) from the NSX Edge
cluster.

You can monitor progress in the Tasks panel.


15 Managing Avi Load Balancer in VMware Cloud Foundation

VMware® Avi™ Load Balancer (formerly known as NSX Advanced Load Balancer) allows you to
implement centrally-managed distributed load balancing for your application workloads within
VMware Cloud Foundation and configure enterprise grade load-balancing, global server load
balancing, application security, and container ingress services.

Starting with VMware Cloud Foundation 5.2, you can use SDDC Manager to deploy Avi Load
Balancer as a high availability cluster of three VMware® Avi™ Controller instances, each running
on a separate VM.

Note Previous versions of VMware Cloud Foundation support Avi Load Balancer, but do not
deploy or manage the Avi Controller cluster.

The Avi Controller cluster functions as the control plane and stores and manages all policies
related to services and management. All Avi Controllers are deployed in the management
domain, even when the Avi Load Balancer is deployed in a VI workload domain.

When you deploy Avi Load Balancer in a workload domain, it is associated with the workload
domain's NSX Manager.

Note VMware Cloud Foundation 5.2 does not support deploying Avi Load Balancer on a
workload domain that shares its NSX Manager with another workload domain.

VMware Cloud Foundation does not deploy or manage the Service Engine VMs (SEs) that
function as the data plane. After deploying the Avi Controller cluster, you can use the Avi Load
Balancer UI/API, VMware Aria Automation, or Avi Kubernetes Operator to deploy virtual services
for an application, which creates the required Service Engine virtual machines. Service Engines
(SEs) are deployed in the workload domain in which the Avi Load Balancer is providing load
balancing services. All SEs deployed in a VI workload domain are managed by the Avi Controller
that is part of the Avi Load Balancer deployment that is associated with the corresponding NSX
instance managing the VI workload domain.

Other important considerations:

n VMware Cloud Foundation does not manage license updates for Avi Load Balancer.

n VMware Cloud Foundation does not manage backing up the Avi Load Balancer configuration
database. See the VMware Avi Load Balancer Documentation for information about
configuring scheduled and on-demand backups.


n VMware Cloud Foundation does not manage upgrading the Avi Controller cluster. See the
VMware Avi Load Balancer Documentation for information about upgrading.

n The lifecycle of the Avi Service Engines is managed by each Avi Controller Cluster. You
perform updates and upgrades in the Avi Load Balancer web interface, which has checks in
place to ensure that you can only upgrade to supported versions.

n If you upgraded from an earlier version of VMware Cloud Foundation and had deployed Avi
Load Balancer, SDDC Manager will not be aware of or manage that Avi Load Balancer. You
can use SDDC Manager to deploy additional Avi Load Balancers in such an environment.

n In order to use Avi Load Balancer for load balancing services in a vSphere IaaS Control
Plane environment, the Avi Load Balancer must be registered with the NSX Manager. See
Registering an Avi Load Balancer cluster with an NSX Manager instance.

For more information about how to use and manage Avi Load Balancer see:

n VMware Avi Load Balancer Documentation

n The Advanced Load Balancing for VMware Cloud Foundation validated solution

Limitations of Avi Load Balancer in VMware Cloud Foundation

Avi Load Balancer is not supported with the following functionality:

n Management appliances, such as VMware Aria Suite

n Workload domains with a shared NSX Manager instance

Read the following topics next:

n Deploy Avi Load Balancer for a Workload Domain

n Remove Avi Load Balancer from a Workload Domain

Deploy Avi Load Balancer for a Workload Domain


You can deploy Avi Load Balancer for workload domains that do not share their NSX Manager
with any other workload domains.

Avi Load Balancer was formerly known as NSX Advanced Load Balancer. The SDDC Manager UI
still refers to NSX Advanced Load Balancer.

You cannot deploy Avi Load Balancer on a workload domain that shares its NSX Manager with
another workload domain.

Prerequisites

Download the install bundle for a supported version of NSX Advanced Load Balancer. See
Downloading VMware Cloud Foundation Upgrade Bundles.


Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 In the Workload Domains page, click a domain name in the Domain column.

3 Select Actions > Deploy NSX Advanced Load Balancer.

4 Select the NSX Advanced Load Balancer version and click Next.

5 Select the appliance size and click Next.

Make sure that the management domain has enough resources for the selected size.

6 Enter the settings for the NSX Advanced Load Balancer Controller cluster and click Next.

Administrator password Enter an administrator password. Although individual VMware Cloud
Foundation accounts support different password requirements, it is
recommended that you set passwords following a common set of
requirements across all accounts:
n Minimum length: 12
n Maximum length: 20
n At least one lowercase letter, one uppercase letter, a number, and one
of the following special characters: ! @ # $ ^ *
n Must NOT include:
n A dictionary word
n A palindrome
n More than four monotonic character sequences
n Three of the same consecutive characters

Node 1 IP Address Enter the IP address of the first Avi Controller.


Node 2 IP Address Enter the IP address of the second Avi Controller.

Node 3 IP Address Enter the IP address of the third Avi Controller.

Cluster VIP Enter the Avi Load Balancer Controller cluster IP address.
The Avi Load Balancer Controller cluster IP address is a single IP address
shared by the Avi Controllers within the cluster. It is the address to which
the web interface, CLI commands, and REST API calls are directed. As a
best practice, to access the Avi Controller, you must log in to the cluster IP
address instead of the IP addresses of individual Avi Controller nodes.

Cluster FQDN Enter the Avi Controller cluster FQDN.

Note When creating a service account for the NSX Advanced Load
Balancer Controller cluster, VMware Cloud Foundation 5.2 combines the Avi
Load Balancer VIP host name and the NSX Manager VIP host name to create
the account, svc-<alb hostname>-<nsx hostname>. The total characters
cannot exceed 32. VCF 5.2.1 automatically truncates the service account
name to avoid deployment failures based on account name length.

Cluster Name Enter a name for the Avi Controller cluster.

7 Click Start Deployment.

You can monitor the deployment in the Tasks panel.
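The password requirements and the 32-character service account limit from step 6 can be checked before you start the deployment. The following Python is an added example, not VMware code; its word list, its reading of "monotonic sequence" as a run of adjacent characters stepping by one code point (such as abcd or 4321), and its use of the short host name for svc-<alb hostname>-<nsx hostname> are assumptions.

```python
"""Pre-deployment checks for the Avi Controller cluster settings in step 6."""
import re

SPECIALS = "!@#$^*"           # the special characters the policy accepts
MIN_LEN, MAX_LEN = 12, 20
SVC_ACCOUNT_MAX = 32          # limit on svc-<alb hostname>-<nsx hostname> in VCF 5.2

# Constructed stand-in for a real word list; load a proper dictionary in practice.
SAMPLE_DICTIONARY = {"password", "vmware", "admin", "welcome", "summer"}


def longest_monotonic_run(s: str) -> int:
    """Longest run of adjacent characters stepping by exactly one code point
    in one direction, e.g. "abcd" or "4321" (assumed reading of the rule)."""
    best = run = 1 if s else 0
    direction = 0
    for prev, cur in zip(s, s[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1) and step == direction:
            run += 1
        elif step in (1, -1):
            direction, run = step, 2
        else:
            direction, run = 0, 1
        best = max(best, run)
    return best


def longest_repeat(s: str) -> int:
    """Longest run of one identical character."""
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def password_violations(pw: str, words=SAMPLE_DICTIONARY) -> list:
    """Return the rules the password breaks; an empty list means it complies."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append(f"no special character from {SPECIALS}")
    if any(w in pw.lower() for w in words):
        problems.append("contains a dictionary word")
    if len(pw) > 1 and pw == pw[::-1]:
        problems.append("is a palindrome")
    if longest_monotonic_run(pw) > 4:
        problems.append("monotonic sequence longer than four characters")
    if longest_repeat(pw) >= 3:
        problems.append("three identical consecutive characters")
    return problems


def service_account_name(alb_hostname: str, nsx_hostname: str) -> str:
    """Build the svc-<alb hostname>-<nsx hostname> account name and enforce the
    32-character limit. Assumes the short host name (first DNS label) is used."""
    name = f"svc-{alb_hostname.split('.')[0]}-{nsx_hostname.split('.')[0]}"
    if len(name) > SVC_ACCOUNT_MAX:
        raise ValueError(f"{name!r} is {len(name)} characters; limit is {SVC_ACCOUNT_MAX}")
    return name


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Tr0ub4dor!Kz", "Password12345!", "Ab1!xyzzyx!1bA"):
        print(candidate, password_violations(candidate) or "compliant")
    print(service_account_name("alb01.example.com", "nsx01.example.com"))
```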

What to do next

After the Avi Load Balancer Controller cluster deploys successfully, you can access the web
interface from the Services tab for the workload domain by clicking the NSX Advanced Load
Balancer link.


You can manage the Avi Load Balancer Controller cluster administrator password and certificate
using the SDDC Manager UI.

n Chapter 25 Managing Passwords in VMware Cloud Foundation

n Chapter 9 Managing Certificates in VMware Cloud Foundation

Remove Avi Load Balancer from a Workload Domain


If you deployed an Avi Load Balancer to a workload domain and you no longer need it, you can
remove it from the workload domain. If a workload domain includes an Avi Load Balancer, you
cannot delete the workload domain until you remove the Avi Load Balancer.

Prerequisites

The Avi Load Balancer must not be in use.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 In the Workload Domains page, click a domain name in the Domain column.

3 Select Actions > Remove NSX Advanced Load Balancer.


4 Click Remove to confirm.


16 Deploying Application Virtual Networks in VMware Cloud Foundation

Before you can deploy VMware Aria Suite components or implement the Identity and Access
Management for VMware Cloud Foundation validated solution, you must deploy Application
Virtual Networks in the management domain.

An Application Virtual Network (AVN) is a software-defined networking concept based on NSX
that allows the hosting of management applications on NSX segments. In NSX, segments are
virtual layer-2 domains.

You can create overlay-backed NSX segments or VLAN-backed NSX segments. Both options
create two NSX segments (Region-A and X-Region) on the NSX Edge cluster deployed in the
default management vSphere cluster. Those NSX segments are used when you deploy the
VMware Aria Suite products. Region-A segments are local instance NSX segments and X-Region
segments are cross-instance NSX segments.

Important You cannot create AVNs if the NSX for the management domain is part of an NSX
Federation.

Overlay-Backed NSX Segments


Overlay-backed segments provide flexibility for workload placement by removing the
dependence on traditional data center networks. Using overlay-backed segments improves the
security and mobility of management applications and reduces the integration effort with existing
networks. Overlay-backed segments are created in an overlay transport zone.

In an overlay-backed segment, traffic between two VMs on different hosts but attached to the
same overlay segment have their layer-2 traffic carried by a tunnel between the hosts. NSX
instantiates and maintains this IP tunnel without the need for any segment-specific configuration
in the physical infrastructure. As a result, the virtual network infrastructure is decoupled from
the physical network infrastructure. That is, you can create segments dynamically without any
configuration of the physical network infrastructure.


VLAN-Backed NSX Segments


VLAN-backed segments leverage the physical data center networks to isolate management
applications, while still taking advantage of NSX to manage these networks. VLAN-backed
network segments ensure the security of management applications without requiring support
for overlay networking. VLAN-backed segments are created in a VLAN transport zone.

A VLAN-backed segment is a layer-2 broadcast domain that is implemented as a traditional
VLAN in the physical infrastructure. This means that traffic between two VMs on two different
hosts but attached to the same VLAN-backed segment is carried over a VLAN between the two
hosts. The resulting constraint is that you must provision an appropriate VLAN in the physical
infrastructure for those two VMs to communicate at layer-2 over a VLAN-backed segment.

VMware Aria Suite Components and NSX Segments


When you deploy the VMware Aria Suite components, they use the NSX segments that you
created.

VMware Aria Suite Component NSX Segment

VMware Aria Operations for Logs Region-A

VMware Aria Operations Manager X-Region

Workspace ONE Access X-Region

VMware Aria Automation X-Region

VMware Aria Suite Lifecycle X-Region

Identity and Access Management for VMware Cloud Foundation

See Identity and Access Management for VMware Cloud Foundation for more information about
how that validated solution uses Application Virtual Networks.

Read the following topics next:

n Deploy Overlay-Backed NSX Segments

n Deploy VLAN-Backed NSX Segments

Deploy Overlay-Backed NSX Segments


Create overlay-backed NSX segments, also known as Application Virtual Networks (AVNs), for
use with VMware Aria Suite components.

This procedure describes creating overlay-backed NSX segments. If you want to create VLAN-
backed NSX segments instead, see Deploy VLAN-Backed NSX Segments.


Prerequisites

Create an NSX Edge cluster for Application Virtual Networks, using the recommended settings, in
the default management vSphere cluster. See Deploy an NSX Edge Cluster.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 Click on the management domain.

3 Select Actions > Add AVNs.

4 Select Overlay-backed network segment and click Next.

5 Select an NSX Edge cluster and a Tier-1 gateway.

6 Enter information for each of the NSX segments (Region-A and X-Region):

Option Description

Name Enter a name for the NSX segment. For example, Mgmt-RegionA01.

Subnet Enter a subnet for the NSX segment.

Subnet mask Enter a subnet mask for the NSX segment.

Gateway Enter a gateway for the NSX segment.

MTU Enter an MTU for the NSX segment.

7 Click Validate Settings and then click Next.

If validation does not succeed, verify and update the information you entered for the NSX
segments and click Validate Settings again.

8 Review the settings and click Finish.

Example

Example Network Topology for Overlay-Backed NSX Segments


Deploy VLAN-Backed NSX Segments


Create VLAN-backed NSX segments, also known as Application Virtual Networks (AVNs), for use
with VMware Aria Suite components.

This procedure describes creating VLAN-backed NSX segments. If you want to create overlay-
backed NSX segments instead, see Deploy Overlay-Backed NSX Segments.

Prerequisites

Create an NSX Edge cluster for Application Virtual Networks, using the recommended settings, in
the default management vSphere cluster. See Deploy an NSX Edge Cluster.

You must have an available VLAN ID for each NSX segment.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 Click on the management domain.

3 Select Actions > Add AVNs.

4 Select VLAN-backed network segment and click Next.

5 Select an NSX Edge cluster.


6 Enter information for each of the NSX segments (Region-A and X-Region):

Option Description

Name Enter a name for the NSX segment. For example, Mgmt-RegionA01.

Subnet Enter a subnet for the NSX segment.

Gateway Enter a gateway for the NSX segment.

MTU Enter an MTU for the NSX segment.

VLAN ID Enter the VLAN ID for the NSX segment.

7 Click Validate Settings and then click Next.

If validation does not succeed, verify and update the information you entered for the NSX
segments and click Validate Settings again.

8 Review the settings and click Finish.

Example

Example Network Topology for VLAN-Backed NSX Segments


17 VMware Cloud Foundation with VMware Tanzu

VMware Cloud Foundation™ with VMware Tanzu™ enables you to deploy and operate the
compute, networking, and storage infrastructure for vSphere IaaS Control Plane workloads.
vSphere IaaS Control Plane transforms vSphere to a platform for running Kubernetes workloads
natively on the hypervisor layer.

When enabled on a vSphere cluster, vSphere IaaS Control Plane provides the capability to run
Kubernetes workloads directly on ESXi hosts and to create upstream Kubernetes clusters within
dedicated resource pools. vSphere IaaS Control Plane can also be enabled on the management
domain default cluster.

Note Starting with vSphere 8.0 Update 3, vSphere with Tanzu was renamed to vSphere IaaS
Control Plane.

You validate the underlying infrastructure for vSphere IaaS Control Plane from the SDDC
Manager UI and then complete the deployment in the vSphere Client. The SDDC Manager UI
refers to the vSphere IaaS Control Plane functionality as Kubernetes - Workload Management.

The Developer Ready Infrastructure for VMware Cloud Foundation validated solution provides
design, implementation, and operational guidance for a workload domain that runs vSphere with
Tanzu workloads in the Software-Defined Data Center (SDDC).

For more information about vSphere IaaS Control Plane, see What Is vSphere IaaS Control Plane?.

Read the following topics next:

n Enable Workload Management

n View Workload Management Cluster Details

n Update Workload Management License

Enable Workload Management


With Workload Management, you validate the underlying infrastructure for vSphere IaaS Control
Plane. You then complete the deployment using the vSphere Client.


Prerequisites

n A VI workload domain must be deployed.

Note If you deployed VMware Cloud Foundation with a consolidated architecture, you can
enable Workload Management on the management domain.

n A Workload Management-ready NSX Edge cluster must be deployed on the workload
domain.

You must select Workload Management on the Use Case page of the Add Edge Cluster
wizard. See step 6 in Deploy an NSX Edge Cluster.

n All hosts in the vSphere cluster for which you enable Workload Management must be
licensed for vSphere IaaS Control Plane.

n Workload Management requires a vSphere cluster with a minimum of three ESXi hosts.

n The following IP address subnets must be defined:

n A non-routable subnet for pod networking, minimum of a /22 subnet.

n A non-routable subnet for Service IP addresses, minimum of a /24 subnet.

n A routable subnet for ingress, minimum of a /27 subnet.

n A routable subnet for egress, minimum of a /27 subnet.

n In order to use Avi Load Balancer for load balancing services in a vSphere IaaS Control
Plane environment, the Avi Load Balancer must be registered with the NSX Manager. See
Registering an Avi Load Balancer cluster with an NSX Manager instance.
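The four subnets listed in the prerequisites can be validated before you open the Workload Management wizard. The following Python is an added example, not VMware code; it checks the minimum prefix sizes above, that the ranges do not overlap, and (an assumption about what "non-routable" means here) that the pod and service subnets are in private address space as the ipaddress module defines it.

```python
"""Sanity check for the Workload Management subnets in the prerequisites."""
import ipaddress

# Longest permitted prefix (smallest block) for each subnet role, from the list above.
MAX_PREFIX = {"pod": 22, "service": 24, "ingress": 27, "egress": 27}
# Roles the page calls non-routable; assumed to mean private address space.
NON_ROUTABLE = {"pod", "service"}


def check_workload_subnets(subnets: dict) -> list:
    """Return a list of problems for a mapping of role -> CIDR string.

    An empty list means all four subnets are defined, large enough,
    non-overlapping, and the non-routable ones are private.
    """
    problems = []
    nets = {}
    for role, max_prefix in MAX_PREFIX.items():
        if role not in subnets:
            problems.append(f"{role}: subnet not defined")
            continue
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 10.0.0.1/24.
            net = ipaddress.ip_network(subnets[role], strict=True)
        except ValueError as exc:
            problems.append(f"{role}: {exc}")
            continue
        nets[role] = net
        if net.prefixlen > max_prefix:
            problems.append(f"{role}: {net} is smaller than the required /{max_prefix}")
        if role in NON_ROUTABLE and not net.is_private:
            problems.append(f"{role}: {net} is not in private (non-routable) address space")
    # Any overlap between the four ranges breaks routing inside the Supervisor.
    roles = list(nets)
    for i, a in enumerate(roles):
        for b in roles[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan; the ingress block is deliberately too small.
    plan = {
        "pod": "10.244.0.0/22",
        "service": "10.96.0.0/24",
        "ingress": "192.168.10.0/28",
        "egress": "192.168.10.32/27",
    }
    for problem in check_workload_subnets(plan) or ["all subnets OK"]:
        print(problem)
```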

Procedure

1 In the navigation pane, click Solutions.

2 In the Kubernetes - Workload Management section, click Deploy.


3 Review the Workload Management prerequisites, click Select All, and click Begin.

4 Select the workload domain associated with the vSphere cluster where you want to enable
Workload Management.

The Workload Domain drop-down menu displays all Workload Management ready workload
domains, including the management domain.
vSphere clusters in the selected workload domain that are compatible with Workload
Management are displayed in the Compatible section. Incompatible clusters are displayed in
the Incompatible section, along with the reason for the incompatibility. If you want to get an
incompatible cluster to a usable state, you can exit the Workload Management deployment
wizard while you resolve the issue.

5 From the list of compatible clusters on the workload domain, select the cluster where you
want to enable Workload Management and click Next.

6 On the Validation page, wait for validation to complete successfully and click Next.

The following validations are performed.

n vCenter Server validation (vCenter Server credentials, vSphere cluster object, and
version)

n Network validation (NSX Manager credentials and version)

n Compatibility validation (vSphere cluster and content library)

7 On the Review page, review your selections and click Complete in vSphere.

You are automatically redirected to the vSphere Client.

What to do next

Follow the deployment wizard within the vSphere Client to complete the Workload Management
deployment and configuration steps.

View Workload Management Cluster Details


The Workload Management page displays clusters with Workload Management. The status of
each cluster, number of hosts in the cluster, and associated workload domain is also displayed.

Procedure

1 In the navigation pane, click Solutions.

2 In the Kubernetes - Workload Management section, click View Details.

3 Click vSphere Workload Management Clusters to see cluster details in vSphere.

Update Workload Management License


Once you enable Workload Management on a cluster, you must assign a Tanzu edition license to
the cluster before the evaluation license expires.


Prerequisites

You must have added a VMware Tanzu license key to the Cloud Foundation license inventory.
See Add a Component License Key in the SDDC Manager UI.

Procedure

1 In the navigation pane, click Solutions.

2 Click the dots to the left of the cluster for which you want to update the license and click
Update Workload Management license.

3 Select the appropriate license and click Apply.

After the license update processing is completed, the Workload Management page is
displayed. The task panel displays the licensing task and its status.


18 VMware Aria Suite Lifecycle in VMware Cloud Foundation mode

When you deploy VMware Aria Suite Lifecycle from the SDDC Manager UI, VMware Cloud
Foundation mode is enabled in VMware Aria Suite Lifecycle, and the behavior of VMware Aria
Suite Lifecycle is aligned with the VMware Cloud Foundation architecture.

VMware Aria Suite Lifecycle in VMware Cloud Foundation mode introduces the following
features:

n Automatic load balancer configuration. Load balancer preparation and configuration are no
longer a prerequisite when you use VMware Aria Suite Lifecycle to deploy or perform a
cluster expansion on Workspace ONE Access, VMware Aria Operations, or VMware Aria
Automation. Load balancer preparation and configuration take place as part of the deploy or
expand operation.

n Automatic infrastructure selection in the VMware Aria Suite Lifecycle deployment wizards.
When you deploy a VMware Aria Suite product through VMware Aria Suite Lifecycle,
infrastructure objects such as clusters and networks are pre-populated. They are fixed and
cannot be changed to ensure alignment with the VMware Cloud Foundation architecture.

n Cluster deployment for a new environment. You can deploy VMware Aria Operations for
Logs, VMware Aria Operations, or VMware Aria Automation in clusters. You can deploy
Workspace ONE Access either as a cluster or a single node. If you deploy Workspace ONE
Access as a single node, you can expand it to a cluster later.

n Consistent Bill Of Materials (BOM). VMware Aria Suite Lifecycle in VMware Cloud Foundation
mode only displays product versions that are compatible with VMware Cloud Foundation to
ensure product interoperability.

n Inventory synchronization between VMware Aria Suite Lifecycle and SDDC Manager. VMware
Aria Suite Lifecycle can detect changes made to VMware Aria Suite products and update
its inventory through inventory synchronization. When VMware Cloud Foundation mode is
enabled in VMware Aria Suite Lifecycle, inventory synchronization in VMware Aria Suite
Lifecycle also updates SDDC Manager’s inventory to get in sync with the current state of
the system.

n Product versions. VMware Cloud Foundation supports flexible VMware Aria Suite upgrades.
You can upgrade VMware Aria Suite products as new versions become available in VMware
Aria Suite Lifecycle. VMware Aria Suite Lifecycle will only allow upgrades to compatible and
supported versions of VMware Aria Suite products.


n Resource pool and advanced properties. The resources in the Resource Pools under the
Infrastructure Details are blocked by the VMware Aria Suite Lifecycle UI, so that the VMware
Cloud Foundation topology does not change. Similarly, the Advanced Properties are also
blocked for all products except for Remote Collectors. VMware Aria Suite Lifecycle also
auto-populates infrastructure and network properties by calling VMware Cloud Foundation
deployment API.

n Federal Information Processing Standard (FIPS) compliance.

n Watermark.

Read the following topics next:

n VMware Aria Suite Lifecycle Implementation

n Workspace ONE Access Implementation

VMware Aria Suite Lifecycle Implementation


You deploy VMware Aria Suite Lifecycle in VMware Cloud Foundation mode by using SDDC
Manager. After that, you perform the necessary post-deployment configurations.

By default, VMware Cloud Foundation uses NSX to create NSX segments and deploys VMware
Aria Suite Lifecycle and the VMware Aria Suite products to these NSX segments. Starting with
VMware Cloud Foundation 4.3, NSX segments are no longer configured during the management
domain bring-up process, but instead are configured using the SDDC Manager UI. The new
process offers the choice of using either overlay-backed or VLAN-backed segments. See
Chapter 16 Deploying Application Virtual Networks in VMware Cloud Foundation.

Because VMware Aria Suite Lifecycle runs in VMware Cloud Foundation mode, the integration
ensures awareness between the two components. You launch the deployment of VMware Aria
Suite products from the SDDC Manager UI and are redirected to the VMware Aria Suite Lifecycle
UI where you complete the deployment process.

Prerequisites

n Download the VMware Software Install Bundle for VMware Aria Suite Lifecycle from the
VMware Depot to the local bundle repository. See Downloading VMware Cloud Foundation
Upgrade Bundles.

n Allocate an IP address for the VMware Aria Suite Lifecycle virtual appliance on the cross-
instance NSX segment and prepare both forward (A) and reverse (PTR) DNS records.

n Allocate an IP address for the NSX standalone Tier-1 Gateway on the cross-instance NSX
segment. This address is used for the service interface of the standalone NSX Tier 1 Gateway
created during the deployment. The Tier 1 Gateway is used for load-balancing of specific
VMware Aria Suite products and Workspace ONE Access.

n Ensure you have enough storage capacity:

n Required storage: 178 GB


n Virtual disk provisioning: Thin

n Verify that the management domain vCenter Server is operational.

n Verify that NSX Manager is operational.

n Verify the Prerequisite Checklist sheet in the Planning and Preparation Workbook.

Deploy VMware Aria Suite Lifecycle


You deploy the VMware Aria Suite Lifecycle in VMware Cloud Foundation mode by using the
SDDC Manager UI.

Procedure

1 In the navigation pane, click Administration > VMware Aria Suite.

2 Click Deploy.

3 Review and verify the prerequisites.

Click each prerequisite check box and then click Begin.

4 On the Network Settings page, review the settings and click Next.

5 On the Virtual Appliance Settings page, enter the settings and click Next.

Setting Description

Virtual Appliance: FQDN The FQDN for the VMware Aria Suite Lifecycle virtual
appliance.

Note The reverse (PTR) DNS record of this fully
qualified domain name is used as the IP address for the
virtual appliance.

NSX Tier 1 Gateway: IP Address A free IP Address within the cross-instance virtual
network segment.

Note Used to create a service interface on the
NSX Tier 1 Gateway, where VMware Cloud Foundation
automatically configures the load-balancer for the
VMware Aria Suite.

System Administrator Create and confirm the password for the VMware Aria
Suite Lifecycle administrator account, vcfadmin@local.
The password created is the credential that allows
SDDC Manager to connect to VMware Aria Suite
Lifecycle.

Note When VMware Aria Suite Lifecycle is deployed
by SDDC Manager it is enabled for VMware Cloud
Foundation mode. As a result, the administrator
account is vcfadmin@local instead of admin@local.

SSH Root Account Create and confirm a password for the VMware Aria
Suite Lifecycle virtual appliance root account.


6 On the Review Summary page, review the installation configuration settings and click Finish.

SDDC Manager validates the values and starts the deployment.

The VMware Aria Suite page displays the following message: Deployment in progress.

If the deployment fails, this page displays a deployment status of Deployment failed. In
this case, you can click Restart Task or Rollback.

7 (Optional) To view details about the individual deployment tasks, in the Tasks panel at the
bottom, click each task.

Replace the Certificate of the VMware Aria Suite Lifecycle Instance


To establish a trusted connection to VMware Aria Suite Lifecycle, you replace the SSL certificate
on the appliance by using the SDDC Manager UI.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domain page, from the table, in the domain column click the management
domain.

3 On the domain summary page, click the Certificates tab.

4 From the table, select the check box for the VMware Aria Suite Lifecycle resource type, and
click Generate CSRs.

5 On the Details page, enter the following settings and click Next.

Settings Description

Algorithm Select the key algorithm for the certificate.

Key Size Select the key size (2048 bit, 3072 bit, or 4096 bit)
from the drop-down menu.

Email Optionally, enter a contact email address.

Organizational Unit Use this field to differentiate between divisions
within your organization with which this certificate is
associated.

Organization Name Type the name under which your company is known.
The listed organization must be the legal registrant of
the domain name in the certificate request.

Locality Type the city or locality where your company is legally
registered.

State Type the full name (do not abbreviate) of the state,
province, region, or territory where your company is
legally registered.

Country Type the country name where your company is legally


registered. This value must use the ISO 3166 country
code.

6 On the Subject Alternative Name page, leave the default SAN and click Next.

7 On the Summary page, click Generate CSRs.

8 After the successful return of the operation, click Generate signed certificates.

9 In the Generate Certificates dialog box, from the Select Certificate Authority drop-down
menu, select Microsoft.

10 Click Generate certificates.

11 After the successful return of the operation, click Install certificates.

Wait for the successful return of the operation.

Configure Data Center and vCenter Server in VMware Aria Suite Lifecycle

Before you can create a global environment for product deployments, you must add a cross-
instance data center and the associated management domain vCenter Server to VMware Aria
Suite Lifecycle.

You add the cross-instance data center, and the associated management domain vCenter Server
for the deployment of the global components, such as the clustered Workspace ONE Access.

Procedure

1 In a web browser, log in to VMware Aria Suite Lifecycle with the vcfadmin@local user by
using the user interface (https://<vrslcm_fqdn>).

2 On the My Services page, click Lifecycle Operations.

3 In the navigation pane, click Datacenters.

4 Click Add datacenter, enter the values for the global data center, and click Save.

Datacenter name: Name for the cross-instance datacenter

Use custom location: Deactivated

Location: Location of the datacenter

5 Add the management domain vCenter Server to the global data center.

a On the Datacenters page, expand the global data center and click Add vCenter.

b Enter the management domain vCenter Server information and click Validate.

vCenter name: Enter a name for the vCenter Server.

vCenter FQDN: Enter the FQDN of the vCenter Server.

vCenter credentials: Select the <management_vcenter_name>-<uuid> credential. For example: vcenter-1-35214fac-caeb-4062-a184-350344e30c7f.

vCenter type: Management

6 After the successful vCenter Server validation, click Save.

7 In the navigation pane, click Requests and verify that the state of the vCenter data collection
request is Completed.

Workspace ONE Access Implementation


Workspace ONE Access provides identity and access management services for the VMware Aria
Suite of products. You use VMware Aria Suite Lifecycle to deploy a Workspace ONE Access
instance. You then perform the necessary post-deployment configurations and customization.
VMware Cloud Foundation supports both standard and clustered Workspace ONE Access
deployments.

Prerequisites

n Download the installation binary directly from VMware Aria Suite Lifecycle. See "Configure
Product Binaries" in the VMware Aria Suite Lifecycle Installation, Upgrade, and Management
Guide for the version of VMware Aria Suite Lifecycle listed in the VMware Cloud Foundation
BOM.

n Allocate IP addresses:

Standard Deployment: One IP address from the cross-instance NSX segment, and prepare both forward (A) and reverse (PTR) DNS records.

Clustered Deployment: Five IP addresses from the cross-instance NSX segment, and prepare both forward (A) and reverse (PTR) DNS records.
n Three IP addresses for the clustered Workspace ONE Access instance.
n One IP address for the embedded Postgres database for the Workspace ONE Access instance.
n One IP address for the NSX external load balancer virtual server for the clustered Workspace ONE Access instance.

n Ensure you have enough storage capacity:

n Required storage per node: 100 GB

n Virtual disk provisioning: Thin

n Verify that the management domain vCenter Server is operational.

n Verify that the cross-instance NSX segment is available.

n Verify that the NSX Manager is operational.

n Verify the Prerequisite Checklist sheet in the Planning and Preparation Workbook.

n Verify that the required Active Directory bind service account is created.

n Verify that the required Active Directory security groups are created.

n Download the CertGenVVS tool and generate the signed certificate for the Workspace ONE
Access instance. See KB 85527.

Import the Workspace ONE Access Certificate to VMware Aria Suite Lifecycle

To prepare VMware Aria Suite Lifecycle for deploying Workspace ONE Access, you must
generate an SSL certificate using the PowerShell module for VMware Validated Solutions and
add the certificate to the VMware Aria Suite Lifecycle locker.

This procedure uses the PowerShell Module for VMware Validated Solutions to generate the
required certificates from Microsoft Active Directory Certificate Services. The module also
supports generating certificate signing requests (CSRs) for third-party certificate authorities,
for import to the VMware Aria Suite Lifecycle locker.

Prerequisites

n Verify that a Microsoft Certificate Authority is available for the environment.

n Install the PowerShell module for VMware Validated Solutions together with the supporting
modules to request an SSL certificate from your Microsoft Certificate Authority.

n Verify that you have OpenSSL 3.0 or later installed on the system that will run the PowerShell
module. The OpenSSL Wiki has a list of third-party pre-compiled binaries for Microsoft
Windows.

Procedure

1 Generate an SSL certificate using the PowerShell module for VMware Validated Solutions.

a Start PowerShell.

b Replace the sample values in the variables below and run the commands in the
PowerShell console.

$commonName = "xint-idm01.rainpole.io"
$subjectAltNames = "xint-idm01.rainpole.io, xint-idm01a.rainpole.io, xint-idm01b.rainpole.io, xint-cidm01c.rainpole.io"
$encryptionKeySize = 2048
$certificateExpiryDays = 730
$orgName = "rainpole"
$orgUnitName = "Platform Engineering"
$orgLocalityName = "San Francisco"
$orgStateName = "California"
$orgCountryCode = "US"

$caType = "msca"
$caFqdn = "rpl-ad01.rainpole.io"
$caUsername = "Administrator"
$caPassword = "VMw@re1!"
$caTemplate = "VMware"

$outputPath = ".\certificates\"
$csrFilePath = Join-Path $outputPath "$commonName.csr"
$keyFilePath = Join-Path $outputPath "$commonName.key"
$crtFilePath = Join-Path $outputPath "$commonName.crt"
$rootCaFilePath = Join-Path $outputPath "$caFqdn-rootCa.pem"

c Generate the private key and CSR, request the signed certificate, and build the chain by running the following commands in the PowerShell console.

Invoke-GeneratePrivateKeyAndCsr -outDirPath $outputPath -commonName $commonName -subjectAlternativeNames $subjectAltNames -keySize $encryptionKeySize -expireDays $certificateExpiryDays -organization $orgName -organizationUnit $orgUnitName -locality $orgLocalityName -state $orgStateName -country $orgCountryCode

Invoke-RequestSignedCertificate -caFqdn $caFqdn -csrFilePath $csrFilePath -outDirPath $outputPath -certificateAuthority $caType -username $caUsername -password $caPassword -certificateTemplate $caTemplate -getCArootCert

Invoke-GenerateChainPem -outDirPath $outputPath -keyFilePath $keyFilePath -crtFilePath $crtFilePath -rootCaFilePath $rootCaFilePath
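Before the chain is imported into the locker, it is worth confirming that the issued certificate actually covers every Workspace ONE Access FQDN, kept the requested key size, and chains to the root CA that was exported alongside it. The following check is an added example and is not part of the guide or of the PowerShell module for VMware Validated Solutions; it assumes the variables from step 1b ($commonName, $subjectAltNames, $encryptionKeySize, $crtFilePath, $rootCaFilePath) are still set in the same PowerShell session.

```powershell
# Added example, not part of the guide or of the PowerShell module for VMware Validated
# Solutions. Assumes $commonName, $subjectAltNames, $encryptionKeySize, $crtFilePath and
# $rootCaFilePath from step 1b are still set in this PowerShell session.
using namespace System.Security.Cryptography.X509Certificates

function Test-WsaCertificate {
    param(
        [Parameter(Mandatory)] [string]   $CertificatePath,
        [Parameter(Mandatory)] [string]   $RootCaPath,
        [Parameter(Mandatory)] [string[]] $ExpectedNames,
        [int] $MinimumKeySize = 2048
    )
    $cert     = [X509Certificate2]::new((Resolve-Path $CertificatePath).Path)
    $rootCa   = [X509Certificate2]::new((Resolve-Path $RootCaPath).Path)
    $problems = [System.Collections.Generic.List[string]]::new()

    # 1. Every node FQDN and the cluster VIP FQDN must appear as a DNS SAN entry; TLS clients
    #    match on the SAN list, not on the common name.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $sanExt) {
        $problems.Add('Certificate has no Subject Alternative Name extension')
    } else {
        # Format() renders "DNS Name=host" on Windows and "DNS:host" on Linux/macOS.
        $sanNames = [regex]::Matches($sanExt.Format($true), '(?:DNS Name=|DNS:)\s*([^\s,]+)') |
                    ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
        foreach ($name in $ExpectedNames) {
            if ($sanNames -notcontains $name.ToLowerInvariant()) { $problems.Add("SAN is missing $name") }
        }
    }

    # 2. The CA template must not have issued a smaller key than the CSR requested.
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)
    if (-not $rsa) {
        $problems.Add('Certificate does not carry an RSA public key')
    } elseif ($rsa.KeySize -lt $MinimumKeySize) {
        $problems.Add("RSA key size $($rsa.KeySize) is below $MinimumKeySize")
    }

    # 3. Validity window: valid now and not about to expire.
    $now = Get-Date
    if ($cert.NotBefore -gt $now)             { $problems.Add('Certificate is not yet valid') }
    if ($cert.NotAfter  -lt $now.AddDays(30)) { $problems.Add("Certificate expires on $($cert.NotAfter)") }

    # 4. The leaf must chain to the root CA exported with -getCArootCert. The root goes into
    #    ExtraStore and AllowUnknownCertificateAuthority is set because that CA is usually not
    #    trusted by the workstation running this check, so the anchor is compared by thumbprint
    #    afterwards; revocation is skipped because the CRL may not be reachable from here.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void] $chain.ChainPolicy.ExtraStore.Add($rootCa)
    if (-not $chain.Build($cert)) {
        $problems.Add("Chain build failed: $($chain.ChainStatus.StatusInformation -join '; ')")
    } else {
        $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($anchor.Thumbprint -ne $rootCa.Thumbprint) {
            $problems.Add("Chain ends at '$($anchor.Subject)', not at the expected root CA")
        }
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        Passed   = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Expected names: the SAN list from step 1b plus the common name.
$expectedNames = @($subjectAltNames -split '\s*,\s*') + $commonName | Select-Object -Unique
$result = Test-WsaCertificate -CertificatePath $crtFilePath -RootCaPath $rootCaFilePath `
                              -ExpectedNames $expectedNames -MinimumKeySize $encryptionKeySize
$result | Format-List
if (-not $result.Passed) { throw 'Fix the problems listed above before importing the certificate into the locker.' }
```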

2 Add the generated SSL certificate to the VMware Aria Suite Lifecycle locker.

a Log in to VMware Aria Suite Lifecycle at https://<aria_suite_lifecycle_fqdn> as vcfadmin@local.

b On the My services page, click Locker.

c In the navigation pane, click Certificates.

d On the Certificates page, click Import.

e On the Import certificate page, enter a name for the Workspace ONE Access certificate
according to your VMware Cloud Foundation Planning and Preparation Workbook.

f Click Browse file, navigate to the Workspace ONE Access certificate file (.pem), and click
Open.

g On the Import certificate page, click Import.

Add Workspace ONE Access Passwords to VMware Aria Suite Lifecycle

To enable life cycle management and configuration management, you set the passwords for
the VMware Aria Suite Lifecycle cross-instance environment administrator account and for the
Workspace ONE Access administrator and configuration administrator accounts.

You add the following passwords for the corresponding local administrative accounts.

Global Environment Administrator
Password alias: global-env-admin
Password: global_env_admin_password
Confirm password: global_env_admin_password
Password description: VMware Aria Suite Lifecycle global environment default password

Local Administrator
Password alias: xint-wsa-admin
Password: xint_wsa_admin_password
Confirm password: xint_wsa_admin_password
Password description: Workspace ONE Access administrator

Local Configuration Administrator
Password alias: xint-wsa-configadmin
Password: xint_wsa_configadmin_password
Confirm password: xint_wsa_configadmin_password
Password description: Workspace ONE Access configuration administrator

Appliance Root User
Password alias: xint-wsa-root
Password: xint_wsa_root_password
Confirm password: xint_wsa_root_password
Password description: Workspace ONE Access root user. Used for the Workspace ONE Access appliance sshuser.

Note You do not need to provide a user name when adding passwords. You can leave the User
Name field blank when configuring settings.

Procedure

1 In a web browser, log in to VMware Aria Suite Lifecycle with the vcfadmin@local user by
using the user interface (https://<vrslcm_fqdn>).

2 On the My Services page, click Locker.

3 In the navigation pane, click Passwords.

4 On the Passwords page, click Add.

5 On the Add password page, configure the settings and click Add.

6 Repeat this procedure for all the remaining credentials.

Deploy a Standard Workspace ONE Access Instance Using VMware Aria Suite Lifecycle

To provide identity and access management services to the cross-instance SDDC components,
you create a global environment in VMware Aria Suite Lifecycle in which you deploy a standard
Workspace ONE Access instance.

Procedure

1 In a web browser, log in to VMware Aria Suite Lifecycle with the vcfadmin@local user by
using the user interface (https://<vrslcm_fqdn>).

2 On the My Services page, click Lifecycle Operations.

3 On the Dashboard page, click Create environment.

4 On the Create environment page, configure the settings and click Next.

Install Identity Manager: Selected

Default password: global-env-admin

Datacenter: Select the cross-instance datacenter.

JSON configuration: Deactivated

Join the VMware customer experience improvement program: Selected

5 On the Select product page, select the check box for VMware Identity Manager, configure
these values, and click Next.

Installation type: New install

Version: Select a version. VMware Aria Suite Lifecycle displays only supported versions.

Deployment type: Standard

6 On the Accept license agreements page, scroll to the bottom and accept the license
agreement, and then click Next.

7 On the Certificate page, from the Select certificate drop-down menu, select the Workspace
ONE Access certificate, and click Next.

8 On the Infrastructure page, verify and accept the default settings, and click Next.

9 On the Network page, verify and accept the default settings, and click Next.

10 On the Products page, configure the deployment properties of Workspace ONE Access and
click Next.

a In the Product properties section, configure the settings.

Certificate: Workspace ONE Access

Node size: Medium (VMware Aria Automation recommended size)

Admin password: Select xint-wsa-admin.

Default configuration admin email: Enter a default email.

Default configuration admin user name: configadmin

Default configuration admin password: Select xint-wsa-configadmin.

Sync group members: Selected

b In the Components section, configure the primary node (vidm-primary).

VM Name: Enter a VM name for vidm-primary.

FQDN: Enter the FQDN for vidm-primary.

IP address: Enter the IP address for vidm-primary.

c Click advanced configuration and click Select Root Password.

d Select xint-wsa-root and click Save.

11 On the Precheck page, click Run precheck.

12 On the Manual validations page, select the I took care of the manual steps above and am
ready to proceed check box and click Run precheck.

13 Review the validation report, remediate any errors, and click Re-run precheck.

14 Wait for all prechecks to complete with Passed messages and click Next.

15 On the Summary page, review the configuration details. To back up the deployment
configuration, click Export configuration.

16 To start the deployment, click Submit.

The Request details page displays the progress of deployment.

17 Monitor the steps of the deployment graph until all stages become Completed.

Deploy a Clustered Workspace ONE Access Instance Using VMware Aria Suite Lifecycle

To provide identity and access management services to the cross-instance SDDC components,
you create a global environment in VMware Aria Suite Lifecycle in which you deploy a 3-node
clustered Workspace ONE Access instance.

Procedure

1 In a web browser, log in to VMware Aria Suite Lifecycle with the vcfadmin@local user by
using the user interface (https://<vrslcm_fqdn>).

2 On the My Services page, click Lifecycle Operations.

3 On the Dashboard page, click Create environment.

4 On the Create environment page, configure the settings and click Next.

Install Identity Manager: Selected

Default password: global-env-admin

Datacenter: Select the cross-instance datacenter.

JSON configuration: Deactivated

Join the VMware customer experience improvement program: Selected

5 On the Select product page, select the check box for VMware Identity Manager, configure
these values, and click Next.

Installation type: New install

Version: Select a version. VMware Aria Suite Lifecycle displays only supported versions.

Deployment type: Cluster

6 On the Accept license agreements page, scroll to the bottom and accept the license
agreement, and then click Next.

7 On the Certificate page, from the Select certificate drop-down menu, select the clustered
Workspace ONE Access certificate, and click Next.

8 On the Infrastructure page, verify and accept the default settings, and click Next.

9 On the Network page, verify and accept the default settings, and click Next.

10 On the Products page, configure the deployment properties of clustered Workspace ONE
Access and click Next.

a In the Product properties section, configure the settings.

Certificate: Workspace ONE Access

Node size: Medium (VMware Aria Automation recommended size)

Admin password: Select xint-wsa-admin.

Default configuration admin email: Enter a default email.

Default configuration admin user name: configadmin

Default configuration admin password: Select xint-wsa-configadmin.

Sync group members: Selected

b In the Cluster Virtual IP section, click Add Load Balancer and configure its settings.

Controller Type: VMware Cloud Foundation managed NSX-T

Load Balancer IP: Use the IP address from your VMware Cloud Foundation Planning and Preparation Workbook.

Load Balancer FQDN: Use the FQDN from your VMware Cloud Foundation Planning and Preparation Workbook.

c In the Cluster VIP FQDN section, configure the settings.

Controller Type: Select VMware Cloud Foundation managed NSX-T from the drop-down menu.

FQDN: Select the Load Balancer FQDN from the drop-down menu.

Locker certificate: Clustered Workspace ONE Access Certificate

Database IP address: Enter the IP address for the embedded Postgres database.

Note The IP address must be a valid IP address for the cross-instance NSX segment.

d In the Components section, configure each of the three cluster nodes (vidm-primary,
vidm-secondary-1, and vidm-secondary-2).

VM Name: Enter a VM name for the node.

FQDN: Enter the FQDN for the node.

IP address: Enter the IP address for the node.

e For each node, click advanced configuration and click Select Root Password.

Select xint-wsa-root and click Save.

11 On the Precheck page, click Run precheck.

12 On the Manual validations page, select the I took care of the manual steps above and am
ready to proceed check box and click Run precheck.

13 Review the validation report, remediate any errors, and click Re-run precheck.

14 Wait for all prechecks to complete with Passed messages and click Next.

15 On the Summary page, review the configuration details. To back up the deployment
configuration, click Export configuration.

16 To start the deployment, click Submit.

The Request details page displays the progress of deployment.

17 Monitor the steps of the deployment graph until all stages become Completed.

Configure an Anti-Affinity Rule and a Virtual Machine Group for a Clustered Workspace ONE Access Instance

To protect the nodes in a clustered Workspace ONE Access instance from a host-level failure,
configure an anti-affinity rule to run the virtual machines on different hosts in the default
management vSphere cluster. You then configure a VM group to define the startup order to
ensure that vSphere High Availability powers on the clustered Workspace ONE Access nodes in
the correct order.

Procedure

1 In a web browser, log in to the management domain vCenter Server by using the vSphere
Client (https://<vcenter_server_fqdn>/ui).

2 In the Hosts and Clusters inventory, expand the management domain vCenter Server and
data center.

3 Select the cluster and click the Configure tab.

4 Create the anti-affinity rule for the clustered Workspace ONE Access virtual machines.

a Navigate to Configuration > VM/Host rules and click Add.

b Configure the settings and click OK.

Name: <management-domain-name>-anti-affinity-rule-wsa

Enable rule: Selected

Type: Separate Virtual Machines

Members: Click Add, select the clustered Workspace ONE Access nodes, and click OK.
n vidm-primary_VM
n vidm-secondary-1_VM
n vidm-secondary-2_VM

5 Create a virtual machine group for the clustered Workspace ONE Access nodes.

a Navigate to Configuration > VM/Host groups and click Add.

b Configure the settings and click OK.

Name: Clustered Workspace ONE Access Appliances

Type: VM Group

Members: Click Add, select the clustered Workspace ONE Access nodes, and click OK.
n vidm-primary_VM
n vidm-secondary-1_VM
n vidm-secondary-2_VM
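The same rule and VM group can be created with PowerCLI, which also makes it easy to verify that the three nodes really do run on three different ESXi hosts once the rule exists. This is an added example, not part of the guide; the angle-bracket placeholders are assumptions to be replaced with the names from your Planning and Preparation Workbook.

```powershell
# Added example (not from the guide): create the Separate Virtual Machines rule and the
# VM group from steps 4 and 5 with PowerCLI, then confirm actual placement.
# Assumes VMware PowerCLI is installed and that the placeholders below are replaced.
$vcenterFqdn = '<vcenter_server_fqdn>'        # management domain vCenter Server
$clusterName = '<management_cluster_name>'    # default management vSphere cluster
$ruleName    = '<management-domain-name>-anti-affinity-rule-wsa'
$groupName   = 'Clustered Workspace ONE Access Appliances'
$nodeNames   = @('vidm-primary_VM', 'vidm-secondary-1_VM', 'vidm-secondary-2_VM')

Connect-VIServer -Server $vcenterFqdn | Out-Null
$cluster = Get-Cluster -Name $clusterName
$nodes   = Get-VM -Name $nodeNames -Location $cluster
if (@($nodes).Count -ne $nodeNames.Count) {
    throw "Expected $($nodeNames.Count) Workspace ONE Access VMs in $clusterName, found $(@($nodes).Count)"
}

# Step 4: "Separate Virtual Machines" is KeepTogether:$false in PowerCLI.
if (-not (Get-DrsRule -Cluster $cluster -Name $ruleName -ErrorAction SilentlyContinue)) {
    New-DrsRule -Cluster $cluster -Name $ruleName -Enabled $true -KeepTogether $false -VM $nodes | Out-Null
}

# Step 5: the VM group the guide uses for vSphere HA startup ordering.
if (-not (Get-DrsClusterGroup -Cluster $cluster -Name $groupName -ErrorAction SilentlyContinue)) {
    New-DrsClusterGroup -Cluster $cluster -Name $groupName -VM $nodes | Out-Null
}

# Verify: DRS only separates VMs that are powered on and only when it is allowed to migrate
# them, so check where the nodes actually run rather than trusting that the rule exists.
$placement = $nodes | Select-Object Name, @{ n = 'Host'; e = { $_.VMHost.Name } }
$placement | Format-Table -AutoSize
$distinctHosts = @($placement.Host | Sort-Object -Unique).Count
if ($distinctHosts -lt @($nodes).Count) {
    Write-Warning "Only $distinctHosts distinct hosts for $(@($nodes).Count) nodes; one host failure can take down more than one Workspace ONE Access node."
}

Disconnect-VIServer -Server $vcenterFqdn -Confirm:$false
```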

Configure NTP on Workspace ONE Access


To keep time synchronized with the other SDDC components, configure NTP by using the
Workspace ONE Access appliance configuration interface.

Procedure

1 In a web browser, log in to the Workspace ONE Access instance with the admin user by
using the appliance configuration interface (https://<wsa_node_fqdn>:8443/cfg/login).

2 In the navigator pane, click Time synchronization.

3 Configure the settings and click Save.

Time sync: NTP selected

NTP Server: Enter the FQDN of the NTP server.

4 If you deployed a cluster, repeat this procedure for the remaining clustered Workspace ONE
Access nodes.

Configure the Domain and Domain Search Parameters on Workspace ONE Access

To enable name translation and resolution between the region-specific and the cross-region
environments, configure the domain name and domain search parameters on Workspace ONE
Access.

Procedure

1 Log in to the cross-region Workspace ONE Access instance by using a Secure Shell (SSH)
client.

2 Switch to the super user by running the su command.

3 Open the /etc/resolv.conf file in a text editor.

vi /etc/resolv.conf

4 Add domain and search entries to the end of the file and save the file. The resolver keywords are lowercase. For example:

domain rainpole.io
search rainpole.io sfo.rainpole.io

5 If you deployed a clustered Workspace ONE Access instance, repeat this procedure for the
remaining nodes in the cluster.

Configure an Identity Source for Workspace ONE Access


To enable identity and access management in the SDDC, you integrate your Active Directory
with Workspace ONE Access and configure attributes to synchronize users and groups.

Procedure

1 In a web browser, log in to Workspace ONE Access by using the administration interface to
the System Domain with configadmin user (https://<wsa_fqdn>/admin).

2 On the main navigation bar, click Identity and access management.

3 Click the Directories tab, and from the Add directory drop-down menu, select Add Active
Directory over LDAP/IWA.

4 On the Add directory page, configure the following settings, click Test connection and click
Save and next.

Directory name: Enter a name for the directory. For example, sfo.rainpole.io.

Active Directory over LDAP: Selected

Sync connector: Select the FQDN of vidm-primary.

Do you want this connector to also perform authentication?: Yes

Directory search attribute: SAMAccountName

This Directory requires all connections to use STARTTLS (Optional): If you want to secure communication between Workspace ONE Access and Active Directory, select this option and paste the Root CA certificate in the SSL Certificate box.

Base DN: Enter the base distinguished name from which to start user searches. For example, cn=Users,dc=sfo,dc=rainpole,dc=io.

Bind DN: Enter the DN of the user that connects to Active Directory. For example, cn=svc-wsa-ad,ou=Service Accounts,dc=sfo,dc=rainpole,dc=io.

Bind user password: Enter the password for the bind user. For example: svc-wsa-ad_password.

5 On the Select the domains page, review the domain name and click Next.

6 On the Map user attributes page, review the attribute mappings and click Next.

7 On the Select the groups (users) you want to sync page, enter the distinguished name for
the folder containing your groups (for example, OU=Security Groups,DC=sfo,DC=rainpole,DC=io)
and click Select.

8 For each group DN you want to include, select the group that Workspace ONE Access uses for
each of the following roles, click Save, and then click Next.

Workspace ONE Access: Super Admin, Directory Admin, ReadOnly Admin

VMware Aria Suite Lifecycle: VCF Role, Content Admin, Content Developers

9 On the Select the Users you would like to sync page, enter the distinguished name for the
folder containing your users (for example, OU=Users,DC=sfo,DC=rainpole,DC=io) and click Next.

10 On the Review page, click Edit, from the Sync frequency drop-down menu, select Every 15
minutes, and click Save.

11 To initialize the directory import, click Sync directory.

Add the Clustered Workspace ONE Access Cluster Nodes as Identity Provider Connectors

To provide high availability for the identity and access management services of a clustered
Workspace ONE Access instance, you add the cluster nodes as directory connectors.

This procedure is only applicable if you deployed a clustered Workspace ONE Access instance. It
does not apply to a standard Workspace ONE Access instance.

Procedure

1 In a web browser, log in to the clustered Workspace ONE Access instance by using
the administration interface to the System Domain with configadmin user (https://
<wsa_cluster_fqdn>/admin).

2 On the main navigation bar, click Identity and access management.

3 Click the Identity Providers tab.

4 Click the WorkspaceIDP__1 identity provider.

5 On the WorkspaceIDP__1 details page, under Connector(s) from the Add a connector drop-
down menu, select vidm-secondary-1_VM, configure the settings, and click Add connector.

Connector: vidm-secondary-1_VM

Bind to AD: Checked

Bind user password: svc-wsa-ad_password

6 Repeat this step for the vidm-secondary-2_VM connector.

7 In the IdP Hostname text box, enter the FQDN of the NSX load balancer virtual server for the
Workspace ONE Access cluster.

8 Click Save.

Assign Roles to Active Directory Groups for Workspace ONE Access


Workspace ONE Access uses role-based access control to manage delegation of roles. You
assign the Super Admin, Directory Admin, and ReadOnly Admin roles to Active Directory groups to
manage access to Workspace ONE Access.

You assign the following administrator roles to the corresponding user groups.

Super Admin: wsa-admins (example Active Directory group name)

Directory Admin: wsa-directory-admin (example Active Directory group name)

ReadOnly Admin: wsa-read-only (example Active Directory group name)

Procedure

1 In a web browser, log in to Workspace ONE Access by using the administration interface to
the System Domain with configadmin user (https://<wsa_fqdn>/admin).

2 On the main navigation bar, click Roles.

3 Assign Workspace ONE Access roles to Active Directory groups.

a Select the Super Admin role and click Assign.

b In the Users / User Groups search box, enter the name of the Active Directory group you
want to assign the role to, select the group, and click Save.

c Repeat this step to configure the Directory Admin and the ReadOnly Admin roles.

Assign Roles to Active Directory Groups for VMware Aria Suite Lifecycle

To enable identity and access management for VMware Aria Suite Lifecycle, you integrate the
component with the clustered Workspace ONE Access instance.

You assign the following administrative roles to corresponding Active Directory groups.

VCF Role: vrslcm-admins (example Active Directory group name)

Content Release Manager: vrslcm-release-manager (example Active Directory group name)

Content Developer: vrslcm-content-developer (example Active Directory group name)

Procedure

1 In a web browser, log in to VMware Aria Suite Lifecycle with the vcfadmin@local user by
using the user interface (https://<vrslcm_fqdn>).

2 On the My Services page, click Identity and Tenant Management.

3 In the navigation pane, click User management and click Add user / group.

4 On the Select users / groups page, in the search box, enter the name of the group you want
to assign the role to, select the Active Directory group, and click Next.

5 On the Select roles page, select the VCF Role role, and click Next.

6 On the Summary page, click Submit.

7 Repeat this procedure to assign roles to the Content Release Manager and Content
Developer user groups.

Chapter 19 Working with NSX Federation in VMware Cloud Foundation

With NSX Federation, you can federate NSX environments across VMware Cloud Foundation
(VCF) instances. You can manage federated NSX environments with a single pane of glass,
create gateways and segments that span VMware Cloud Foundation instances, and configure
and enforce firewall rules consistently across instances.

Important If you plan to deploy VMware Aria Suite components, you must deploy Application
Virtual Networks before you configure NSX Federation. See Chapter 16 Deploying Application
Virtual Networks in VMware Cloud Foundation.

NSX Federation is supported between VCF and non-VCF deployments. If you choose to federate
NSX between VCF and non-VCF deployments, you are responsible for the deployment and
lifecycle of the NSX Global Managers, as well as maintaining version interoperability between
VCF-owned NSX Local Managers, non-VCF NSX Local Managers, and the NSX Global Manager.

Read the following topics next:

n NSX Federation Key Concepts

n Configuring NSX Federation in VMware Cloud Foundation

n Replacing Global Manager Cluster Certificates in VMware Cloud Foundation

n Password Management for NSX Global Manager Cluster in VMware Cloud Foundation

n Backup and Restore of NSX Global Manager Cluster in VMware Cloud Foundation

NSX Federation Key Concepts


NSX Federation introduces some new terms and concepts in VMware Cloud Foundation (VCF).

NSX Federation Systems: Global Manager and Local Manager


An NSX Federation environment within VMware Cloud Foundation includes two types of
management systems.

Global Manager: a system similar to NSX Manager that federates multiple Local Managers.

Local Manager: an NSX Manager system in charge of network and security services for a VMware
Cloud Foundation instance.

NSX Federation Span: Local and Cross-Instance


When you create a networking object from Global Manager, it can span one or more VMware
Cloud Foundation instances.

Local: the object spans only one instance.

Cross-instance: the object spans more than one instance. You do not directly configure the span
of a segment. A segment has the same span as the gateway it is attached to.

NSX Federation Tunnel Endpoints


In an NSX Federation environment, there are two types of tunnel endpoints.

Tunnel End Point (TEP): the IP address of a transport node (Edge node or Host) used for Geneve
encapsulation within an instance.

Remote Tunnel End Points (RTEP): the IP address of a transport node (Edge node only) used for
Geneve encapsulation across instances.

NSX Federation Tier Gateways


An NSX Federation environment in VMware Cloud Foundation includes three types of tier-1
gateways.

Standalone tier-1 gateway: Configured in the Local Manager and used for services such as the Load Balancer. Managed by the Local Manager. Scope: a single VMware Cloud Foundation instance.

Local-instance tier-1 gateway: Configured in the Global Manager at a single location, this is a global tier-1 gateway used for segments that exist within a single VMware Cloud Foundation instance. Managed by the Global Manager. Scope: a single VMware Cloud Foundation instance.

Cross-instance tier-1 gateway: Configured in the Global Manager, this is a global tier-1 gateway used for segments that exist across multiple VMware Cloud Foundation instances. Managed by the Global Manager. Scope: multiple VMware Cloud Foundation instances.

Configuring NSX Federation in VMware Cloud Foundation


With NSX Federation, you can federate the management domain NSX or a VI workload domain
NSX across VMware Cloud Foundation (VCF) instances.

See VMware Configuration Maximums for your version of NSX for information about the
maximum number of supported federated NSX Managers and other NSX federation maximums.

Note VI workload domains that share an NSX Manager are considered a single location.

Some tasks described in this section are to be performed on the first NSX instance while others
need to be performed on each NSX instance that is being federated. See the table below for
more information.

First NSX instance:
1 Create Global Manager Clusters for VMware Cloud Foundation
2 Replacing Global Manager Cluster Certificates in VMware Cloud Foundation. You can skip this step if you are using self-signed certificates.
3 Prepare Local Manager for NSX Federation in VMware Cloud Foundation
4 Enable NSX Federation in VMware Cloud Foundation
5 Prepare for Stretching Segments between VMware Cloud Foundation Instances:
a Create and Configure Cross-Instance Tier-1 Gateway
b Connect Cross-Instance Segments to Cross-Instance Tier-1 Gateway

Enable high availability for the NSX Federation control plane on one additional instance:
1 Create Global Manager Clusters for VMware Cloud Foundation
2 Replacing Global Manager Cluster Certificates in VMware Cloud Foundation. You can skip this step if you are using self-signed certificates.
3 Set Standby Global Manager

Each additional instance:
1 Prepare Local Manager for NSX Federation in VMware Cloud Foundation
2 Add Location to Global Manager
3 Stretching Segments between VMware Cloud Foundation Instances:
a Delete Existing Tier-0 Gateways in Additional Instances
b Connect Additional VMware Cloud Foundation Instances to Cross-Instance Tier-0 Gateway
c Connect Local Tier-1 Gateway to Cross-Instance Tier-0 Gateway
d Add Additional Instance as Locations to the Cross-Instance Tier-1 Gateway

What to read next

Procedure

1 Create Global Manager Clusters for VMware Cloud Foundation


An NSX Federation environment contains an active and a standby Global Manager cluster
and one or more Local Manager clusters. The standby Global Manager appliance provides
high availability and disaster recovery.

2 Prepare Local Manager for NSX Federation in VMware Cloud Foundation


To prepare for NSX Federation, you create an IP pool in the Local Manager. The Global
Manager assigns IP addresses from this pool to the Edge nodes for remote tunnel end point
(RTEP) interfaces. You also set the global fabric MTU to match the end-to-end MTU between
instances.

3 Enable NSX Federation in VMware Cloud Foundation


To enable NSX Federation in VMware Cloud Foundation, set the Global Manager as active
and add the existing NSX Manager in the management domain or VI workload domain as a
location to the Global Manager.

4 Stretch Segments between VMware Cloud Foundation Instances


Each NSX Manager instance to be federated has a tier-0 gateway, tier-1 gateway, and two
segments created during NSX Edge deployment and Application Virtual Network (AVN)
creation. One of these segments is for local instance use and the other is for cross-instance
use. Both segments are initially connected to the same tier-1 gateway. When NSX Manager
instances are federated, you create an additional tier-1 gateway for cross-instance use
and migrate the cross-instance segment from the original tier-1 gateway to the new tier-1
gateway. The new tier-1 gateway has locations for both instances enabled on it. This allows
you to manage the ingress and egress routing for cross-instance segments when you
move them between VMware Cloud Foundation instances independently of local instance
segments whose ingress and egress remain unaffected.

5 Set Standby Global Manager


You provide high availability of the active Global Manager by configuring the Global Manager
in the additional instance as standby to the active cluster. In case of failure of the cluster
in first instance, you can use the cluster in additional instance to provide the networking
capabilities.

Create Global Manager Clusters for VMware Cloud Foundation


An NSX Federation environment contains an active and a standby Global Manager cluster and
one or more Local Manager clusters. The standby Global Manager appliance provides high
availability and disaster recovery.

Procedure

1 Deploy Global Manager Nodes


You deploy three Global Manager nodes in the VMware Cloud Foundation management
domain.

2 Join Global Manager Nodes to Form a Cluster


Join the three Global Manager nodes you deployed in the VMware Cloud Foundation
management domain to form a cluster.

3 Create Anti-Affinity Rule for Global Manager Cluster in VMware Cloud Foundation
Create an anti-affinity rule to ensure that the Global Manager nodes run on different ESXi
hosts. If an ESXi host is unavailable, the Global Manager nodes on the other hosts continue
to provide support for the NSX management and control planes.

4 Assign a Virtual IP Address to Global Manager Cluster


To provide fault tolerance and high availability to Global Manager nodes, assign a virtual IP
address (VIP) to the Global Manager cluster in VMware Cloud Foundation.

What to do next

n Set Active Global Manager

n Set Standby Global Manager

Deploy Global Manager Nodes


You deploy three Global Manager nodes in the VMware Cloud Foundation management domain.

Procedure

1 Download the NSX OVF file from the VMware download portal.

2 In a web browser, log in to vCenter Server at https://vcenter_server_fqdn/ui.

3 Select the default cluster in the management domain.

4 Right-click and select Deploy OVF template.

5 Select Local file, click Upload files, and navigate to the OVA file.

6 Click Next.

7 Enter a name and a location for the NSX Manager VM, and click Next.

The name you enter appears in the vSphere and vCenter Server inventory.

8 Select the compute resource on which to deploy the NSX Manager appliance and click Next.

9 Review and verify the OVF template details and click Next.

10 Accept the license agreement and click Next.

11 Specify the deployment configuration size and click Next.

The Description panel on the right side of the wizard shows the details of the selected
configuration. You can also refer to VMware Configuration Maximums to ensure that you
choose the correct size for the scale of your environment.

12 Specify storage for the configuration and disk files.

n Select the virtual disk format.

n Select the VM storage policy.

n Specify the datastore to store the NSX Manager appliance files.

n Click Next.

Note The virtual disk format is determined by the selected VM storage policy when using a
vSAN datastore.

13 Select the management network as the destination network and click Next.

The following steps are all located in the Customize Template section of the Deploy OVF
Template wizard.

14 In the Application section, enter the system root, CLI admin, and audit passwords for the NSX
Manager. The root and admin credentials are mandatory fields.

Your passwords must comply with the password strength restrictions.

n At least 12 characters

n At least one lower-case letter

n At least one upper-case letter

n At least one digit

n At least one special character

n At least five different characters

15 In the Optional parameters section, leave the password fields blank.

16 In the Network Properties section, enter the hostname of the NSX Manager.

17 For Rolename, select the NSX Global Manager role.

18 Enter the default gateway, management network IPv4, and management network netmask.

19 In the DNS section, enter the DNS Server list and Domain Search list.

20 In the Services Configuration section, enter the NTP Server list and enable SSH.

21 Verify that all your custom OVF template specification is accurate and click Finish to initiate
the deployment.

The deployment might take 7-8 minutes.

22 After the deployment is complete, power on the Global Manager node.

Right-click the Global Manager VM and, from the Actions menu, select Power > Power on.

23 In a web browser, log in to Global Manager at https://gm_node1_fqdn/.

24 Accept the end-user license agreement and click Continue.

25 Join the VMware Customer Experience Program and click Save.

26 Repeat steps 4 - 22 to deploy two additional Global Manager nodes.
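When the root, admin and audit passwords for the three nodes come from a vault or an automation pipeline rather than from someone typing into the wizard, it pays to check them against the six rules in step 14 before the OVF deployment starts, because the appliance rejects them only after the template has been uploaded. The following Python check is an added example and is not code from this guide or from NSX; the function names are this example's own, and which characters count as "special" is not spelled out in the guide, so the example treats every character that is neither a letter nor a digit as special (an assumption).

```python
from __future__ import annotations


def nsx_password_violations(password: str) -> list[str]:
    """Return the password-strength rules from the Global Manager OVF
    deployment (step 14 above) that the candidate password fails.

    An empty list means the password satisfies every rule. The guide does
    not define "special character"; this example (an assumption) treats any
    character that is not a letter or digit as special.
    """
    violations = []
    if len(password) < 12:
        violations.append("at least 12 characters")
    if not any(c.islower() for c in password):
        violations.append("at least one lower-case letter")
    if not any(c.isupper() for c in password):
        violations.append("at least one upper-case letter")
    if not any(c.isdigit() for c in password):
        violations.append("at least one digit")
    if not any(not c.isalnum() for c in password):
        violations.append("at least one special character")
    # "At least five different characters" counts distinct characters, so a
    # long password built from a short repeated pattern still fails here.
    if len(set(password)) < 5:
        violations.append("at least five different characters")
    return violations


def check_appliance_passwords(passwords: dict[str, str]) -> dict[str, list[str]]:
    """Validate the root, admin and audit passwords in one pass and return
    only the accounts that fail, with the rules each one breaks."""
    return {account: failed for account, pw in passwords.items()
            if (failed := nsx_password_violations(pw))}


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    sample = {
        "root": "Ab1!Ab1!Ab1!",        # 12 characters but only 4 distinct ones
        "admin": "GlobalMgr-2024-ok",  # satisfies every rule
        "audit": "onlylowercase123",   # no upper-case letter, no special character
    }
    for account, failed in check_appliance_passwords(sample).items():
        print(f"{account}: fails {', '.join(failed)}")
```

Run it against the values you intend to pass in the Customize Template section; an empty result means all three accounts clear the policy, and a non-empty one names the rule to fix before step 21.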

Join Global Manager Nodes to Form a Cluster


Join the three Global Manager nodes you deployed in the VMware Cloud Foundation
management domain to form a cluster.

Procedure

1 SSH into the first NSX Global Manager node using the admin user account.

2 Run the following command to retrieve the Global Manager cluster ID.

get cluster config | find Id:

3 Copy the output of the command and save it.

4 Run the following command to retrieve the thumbprint of the Global Manager API certificate.

get certificate api thumbprint

5 Copy the output of the command and save it.

6 Log in to the second Global Manager node and run the following command to join this node
to the cluster:

join first_node_IP cluster-id cluster_ID username admin password nsx_admin_password thumbprint api_thumbprint

where cluster_ID is the value from step 3 and api_thumbprint is the value from step 5.

A warning message displays: Data on this node will be lost. Are you sure? (yes/
no).

7 Enter yes to confirm.

The joining and cluster stabilizing process might take from 10 to 15 minutes.

8 Run get cluster status to view the status.

Verify that the status for every cluster service group is UP before making any other cluster
changes.

9 Repeat steps 6-8 to join the third node to the cluster.

10 Verify the cluster status on the web interface.

a Log in to the Global Manager web interface and select Configuration > Global Manager
Appliances.

b Verify that the cluster status is green and that each cluster node is Available.

Create Anti-Affinity Rule for Global Manager Cluster in VMware Cloud Foundation

Create an anti-affinity rule to ensure that the Global Manager nodes run on different ESXi hosts.
If an ESXi host is unavailable, the Global Manager nodes on the other hosts continue to provide
support for the NSX management and control planes.

Procedure

1 In a web browser, log in to the management domain or VI workload domain vCenter Server at
https://vcenter_server_fqdn/ui.

2 Select Menu > Hosts and Clusters.

3 In the inventory, expand vCenter Server > Datacenter.

4 Select the Global Manager cluster and click the Configure tab.

5 Select VM/Host rules and click Add.

6 Enter the rule details.

Option Description

Name Type a name for the rule.

Enable rule Select this option.

Type Select Separate Virtual Machines.

Members Click Add, select the three Global Manager nodes, and
click OK.

7 Click OK in the Create VM/Host rule dialog box.

Assign a Virtual IP Address to Global Manager Cluster


To provide fault tolerance and high availability to Global Manager nodes, assign a virtual IP
address (VIP) to the Global Manager cluster in VMware Cloud Foundation.

Procedure

1 In a web browser, log in to a Global Manager node at https://gm_node_1-fqdn/.

2 Click System and then select Global Manager Appliances.

3 Click Set Virtual IP and enter the VIP address for the cluster. Ensure that VIP is part of the
same subnet as the other management nodes.

4 Click Save.

5 Verify that the VIP is working correctly.

From a browser, log in to the Global Manager using the virtual IP address assigned to the
cluster at https://gm_vip_fqdn/.

Prepare Local Manager for NSX Federation in VMware Cloud Foundation

To prepare for NSX Federation, you create an IP pool in the Local Manager. The Global Manager
assigns IP addresses from this pool to the Edge nodes for remote tunnel end point (RTEP)
interfaces. You also set the global fabric MTU to match the end-to-end MTU between instances.

Procedure

1 In a web browser, log in to the Local Manager cluster for the management domain or VI workload
domain at https://lm_vip_fqdn/.

2 On the main navigation bar, click Networking.

3 Create an IP pool for RTEP in Local Manager

a In the navigation pane, select IP Address Pools and click Add IP address pool.

b Enter a name.

c Under Subnets, click Set.

d In the Set Subnets dialog box, click Add subnet > IP Ranges.

e Configure the settings and click Add.

f Click Add and then click Apply.

g Click Save.

4 Configure MTU for RTEP.

a On the main navigation bar, click System.

b Select Fabric > Settings.

c Under Global Fabric Settings, click Edit for Remote Tunnel Endpoint.

d Enter 9000 in MTU and click Save.

Enable NSX Federation in VMware Cloud Foundation


To enable NSX Federation in VMware Cloud Foundation, set the Global Manager as active and
add the existing NSX Manager in the management domain or VI workload domain as a location to
the Global Manager.

Procedure

1 Set Active Global Manager


Activate the Global Manager.

2 Add Location to Global Manager


Add the NSX Manager in the management domain or VI workload domain as a location to
the Global Manager. This NSX Manager is now referred to as the Local Manager. You then
import segments, tier-0 gateways, and tier-1 gateways from the Local Manager to the Global
Manager.

Set Active Global Manager


Activate the Global Manager.

Procedure

1 In a web browser, log in to Global Manager cluster for the management or VI workload
domain at https://gm_vip_fqdn/.

2 Click System and then select Location Manager.

3 Click Make Active and enter a name for the active Global Manager.

4 Click Save.

Add Location to Global Manager


Add the NSX Manager in the management domain or VI workload domain as a location to the
Global Manager. This NSX Manager is now referred to as the Local Manager. You then import
segments, tier-0 gateways, and tier-1 gateways from the Local Manager to the Global Manager.

Procedure

1 Obtain the certificate thumbprint of the NSX Local Manager cluster.

a Enable SSH on one of the NSX Manager VMs.

b From the vCenter UI, open the web console of one of the NSX Managers and log in as the
admin user.

c Run the command start service ssh to enable SSH on the NSX Manager.

d Use a Secure Shell (SSH) client and log in to the same NSX Manager with the Admin user.

e Run the command get certificate cluster thumbprint to retrieve the Local
Manager cluster VIP thumbprint.

sfo-m01-nsxt01c> get certificate cluster thumbprint
b88c4e052fe61309915527511e7f1b25970286a51cf1dd68ea881daba1ed0a9f

f Save the thumbprint.

g Run the stop service ssh command to deactivate SSH on the NSX Manager.

2 Add NSX Manager as a location to the Global Manager.

a Log in to Global Manager at https://active_gm_vip_fqdn/.

b Select System > Location Manager and click Add On-Prem Location.

c In the Add New Location dialog box, enter the location details.

Option Description

Location Name            Enter a name for the location.

FQDN/IP                  Enter the FQDN or IP address of the NSX Manager cluster VIP. Do not enter
                         an individual NSX Manager FQDN or IP.

Username and Password    Provide the admin user's credentials for the NSX Manager at the location.

SHA-256 Thumbprint       Add the thumbprint you retrieved in step 1.

Check Compatibility      Click Check Compatibility to ensure that the location can be added. This
                         checks that the NSX version is compatible.

d Click Save.

3 Configure networking on the Local Manager nodes.

a On the Location Manager page, in the Locations section, click Networking under the
location you are adding, and then click Configure.

b On the Configure Edge Nodes for Stretch Networking page, click Select All.

c In the Remote Tunnel Endpoint Configuration pane enter the following details.

Option Value

Host Switch nsxDefaultHostSwitch

Teaming Policy Name Select Use Default.

RTEP VLAN Enter the VLAN for the host.

IP Pool for all Nodes Select the IP pool.

d Click Save.

4 Import the Local Manager configuration to the Global Manager.

a Select the Global Manager context from the drop-down menu.

Note You may need to refresh your browser or log out and log in to the Global Manager
to see the drop-down menu.

b On the System tab, select the Location Manager pane.

c Under Locations, click Import.

This option may take 15 minutes or longer to appear.

d Verify that you have a recent backup and click Proceed to import.

e In the Preparing for import dialog box, click Next and then click Import.

Wait for a confirmation that the import is successful.

Local Manager objects imported into the Global Manager are owned by the Global Manager
and appear in the Local Manager with a GM icon. You can modify these objects only from the
Global Manager.

5 Repeat these steps for each Local Manager cluster.

Stretch Segments between VMware Cloud Foundation Instances


Each NSX Manager instance to be federated has a tier-0 gateway, tier-1 gateway, and two
segments created during NSX Edge deployment and Application Virtual Network (AVN) creation.
One of these segments is for local instance use and the other is for cross-instance use. Both
segments are initially connected to the same tier-1 gateway. When NSX Manager instances
are federated, you create an additional tier-1 gateway for cross-instance use and migrate the
cross-instance segment from the original tier-1 gateway to the new tier-1 gateway. The new tier-1
gateway has locations for both instances enabled on it. This allows you to manage the ingress
and egress routing for cross-instance segments when you move them between VMware Cloud
Foundation instances independently of local instance segments whose ingress and egress remain
unaffected.

Note Cross-instance segments cannot have overlapping IP addresses/ranges.

Procedure

1 Create and Configure Cross-Instance Tier-1 Gateway


You create a new tier-1 gateway in one of the VMware Cloud Foundation instances. You
then extend this gateway to the other federated instances.

2 Connect Cross-Instance Segments to Cross-Instance Tier-1 Gateway


You connect the cross-instance segments in the first instance to the cross-instance tier-1
gateway you created.

3 Delete Existing Tier-0 Gateways in Additional Instances


Since you will use the cross-instance tier-0 gateway for upstream connections, you delete
the local tier-0 gateway from each additional VCF instance.

4 Connect Additional VMware Cloud Foundation Instances to Cross-Instance Tier-0 Gateway


You turn the standard tier-0 gateway into a cross-instance tier-0 gateway by connecting
additional VMware Cloud Foundation instances to it. You configure uplink interfaces, BGP,
and route redistribution for the additional instances.

5 Connect Local Tier-1 Gateway to Cross-Instance Tier-0 Gateway


You connect the local tier-1 gateway at each VCF instance to the cross-instance tier-0
gateway.

6 Add Additional Instance as Locations to the Cross-Instance Tier-1 Gateway


Add each additional instance as a location on the cross-instance Tier-1 gateway to enable
cross-instance workloads.

Create and Configure Cross-Instance Tier-1 Gateway


You create a new tier-1 gateway in one of the VMware Cloud Foundation instances. You then
extend this gateway to the other federated instances.

Procedure

1 In a web browser, log in to Global Manager for the management or VI workload domain at
https://gm_vip_fqdn/.

2 On the main navigation bar, click Networking.

3 In the navigation pane, select Tier-1 gateways.

4 Specify the gateway details.

Setting Specified Value

Tier-1 Gateway Name Enter a name for the new tier-1 gateway.

Linked Tier-0 Gateway Enter the global tier-0 gateway.

Edges Pool Allocation Size Select Routing.

Enable Edge Clusters for Services or Custom span Select Enabled.

Fail Over Select Non Preemptive.

Enable Standby Relocation Select Enabled.

Edge Cluster Select the Edge cluster.

Mode Select Primary

5 Click Save.

6 Click Yes to continue the configuration of the tier-1 gateway.

7 Configure route advertisement for the tier-1 gateway.

a Expand the Route advertisement section of the tier-1 gateway.

b Enable all available sources, click Save, and click Close editing.

Connect Cross-Instance Segments to Cross-Instance Tier-1 Gateway


You connect the cross-instance segments in the first instance to the cross-instance tier-1 gateway
you created.

Procedure

1 In a web browser, log in to Global Manager cluster at https://gm_vip_fqdn/.

2 On the NSX Manager main navigation bar, click Networking.

3 In the navigation pane, select Segments.

4 On the Segments tab, click the vertical ellipsis for the cross-instance_nsx_segment and click
Edit.

5 Change the Connected Gateway from instance_tier1 to cross-instance_tier1, click Save, and
then click Close editing.

Delete Existing Tier-0 Gateways in Additional Instances


Since you will use the cross-instance tier-0 gateway for upstream connections, you delete the
local tier-0 gateway from each additional VCF instance.

Procedure

1 In a web browser, log in to Global Manager cluster at https://active_gm_vip_fqdn/.

2 On the NSX Manager main navigation bar, click Networking.

3 Disconnect the tier-1 gateway for the NSX Local Manager.

a In the navigation pane, select Tier-1 Gateways.

b On the Tier-1 Gateways tab, click the vertical ellipsis for the
additional_instance_tier1_gateway and click Edit.

c Under Linked Tier-0 gateway, click the X to disconnect the
additional_instance_tier0_gateway, click Save, and click Close editing.

Caution At this point any segments connected to additional_instance_tier1_gateway
will be unreachable until you have finished connecting the additional instance to the
cross-instance tier-0 infrastructure.

4 In the navigation pane, select Tier-0 Gateways.

5 On the Tier-0 Gateway page, click the vertical ellipsis for the
additional_instance_tier0_gateway and click Delete.

6 Click Delete.

Connect Additional VMware Cloud Foundation Instances to Cross-Instance Tier-0 Gateway

You turn the standard tier-0 gateway into a cross-instance tier-0 gateway by connecting
additional VMware Cloud Foundation instances to it. You configure uplink interfaces, BGP, and
route redistribution for the additional instances.

Procedure

1 In a web browser, log in to Global Manager cluster at https://active_gm_vip_fqdn/.

2 Add the additional instance as a location on the tier-0 gateway.

a On the NSX Manager main navigation bar, click Networking.

b In the navigation pane, select Tier-0 Gateways.

c On the Tier-0 Gateway page, click the vertical ellipsis for the cross-instance_tier0
gateway and click Edit.

d Click Add Location and enter the required information.

Setting         Value

Location        Select the location name of the instance being added.

Edge Cluster    Select the Edge cluster name of the instance being added.

e Click Save.

3 Set interfaces for the instance on the tier-0 gateway.

a Expand Interfaces and click Set.

b Click Add interface.

c Enter a name for the interface and select the instance location.

d Set the type to External and enter the IP address for the interface.

e Select the segment that the interface is connected to and the Edge node corresponding
to the instance.

f Set the MTU to 9000.

g Repeat these steps to add three additional interfaces.

4 Configure BGP neighbors.

a Expand BGP and under BGP Neighbors, click Set.

You can enable BFD if the network supports it and is configured for BFD.

b Click Add BGP neighbor.

c Enter the IP address for the neighbor and select the instance location.

d Enter the remote AS and source addresses for the neighbor.

e Click Timers & Password and set the Hold Down Time to 12 and Keep Alive Time to 4.

f Enter the BGP neighbor password, click Save, and then click Close.

g Repeat these steps to add another BGP neighbor.

5 Configure Route Re-Distribution

a Expand Route Re-Distribution and next to the location you are adding, click Set.

b In the Set Route Re-distribution dialog box, click Add Route-Redistribution.

c Enter default as name and, under Route re-distribution, click Set.

d In the Set route redistribution dialog box, select all listed sources and click Apply.

e Click Add to finish editing the default route redistribution and click Apply.

f Click Save.

6 Click Close editing.

Connect Local Tier-1 Gateway to Cross-Instance Tier-0 Gateway


You connect the local tier-1 gateway at each VCF instance to the cross-instance tier-0 gateway.

Procedure

1 In a web browser, log in to Global Manager cluster at https://active_gm_vip_fqdn/.

2 On the NSX Manager main navigation bar, click Networking.

3 In the navigation pane, select Tier-1 gateways.

4 On the Tier-1 Gateway page, click the vertical ellipsis for the
this_instance_tier1_gateway and click Edit.

5 Change the Connected Gateway to cross_instance_tier0_gateway.

6 In the Location change dialog box, click Yes.

7 Under Locations, delete all locations except the location of the instance you are working with.

8 Click Save and click Close Editing.

Add Additional Instance as Locations to the Cross-Instance Tier-1 Gateway


Add each additional instance as a location on the cross-instance Tier-1 gateway to enable cross-
instance workloads.

Procedure

1 In a web browser, log in to Global Manager cluster at https://active_gm_vip_fqdn/.

2 On the NSX Manager main navigation bar, click Networking.

3 In the navigation pane, select Tier-1 Gateways.

4 On the Tier-1 Gateway page, click the vertical ellipsis for the cross-instance_tier1 gateway
and click Edit.

5 Click Add Location and enter the following values.

Setting         Value

Location        Select the location of this instance.

Edge Cluster    Select the NSX Edge cluster of this instance.

Mode            Set to Secondary.

6 Click Save and click Close Editing.

Set Standby Global Manager


You provide high availability of the active Global Manager by configuring the Global Manager in
the additional instance as standby to the active cluster. In case of failure of the cluster in first
instance, you can use the cluster in additional instance to provide the networking capabilities.

Prerequisites

Create the standby Global Manager cluster. See Create Global Manager Clusters for VMware
Cloud Foundation.

Procedure

1 Obtain the certificate thumbprint of the Standby Global Manager cluster.

a Enable SSH on one of the NSX Manager VMs.

b From the vCenter UI, open the web console of one of the NSX Managers and log in as the
admin user.

c Run the command start service ssh to enable SSH on the NSX Manager.

d Use a Secure Shell (SSH) client and log in to the same NSX Manager with the Admin user.

e Run the command get certificate cluster thumbprint to retrieve the Global
Manager cluster thumbprint.

sfo-m01-nsxt01c> get certificate cluster thumbprint
b88c4e052fe61309915527511e7f1b25970286a51cf1dd68ea881daba1ed0a9f

f Save the thumbprint.

g Run the stop service ssh command to deactivate SSH on the NSX Manager.

2 Add additional Global Manager instance

a Log in to the Active Global Manager at https://active_gm_vip_fqdn/.

b On the main navigation bar, select System > Location Manager.

c Click Add Standby.

d Enter the location name, FQDN, username and password, and the SHA-256 thumbprint
you retrieved earlier.

e Click Check Compatibility and click Save.

Replacing Global Manager Cluster Certificates in VMware Cloud Foundation

To replace certificates for the Global Manager cluster, you import root and intermediate
CA-signed certificates as appropriate and replace the Global Manager default certificates with
the imported certificates using API calls.

Import a CA-Signed Certificate to the Global Manager Cluster


Import the root/leaf or machine certificate and intermediate certificate as appropriate to the first
Global Manager node.

Prerequisites

Generate root and intermediate CA-signed certificates.

Procedure

1 In a web browser, log in to Global Manager at https://gm_vip_fqdn/.

2 Import the root CA certificate.

a On the main navigation bar, click System > Certificates.

b Click Import > Import CA certificate.

c In the Import CA Certificate dialog box, enter a name for the root CA certificate.

d For Certificate Contents, select the root CA certificate you created in step 2c and click
Import.

3 Import certificates for the Global Manager nodes and the load balanced virtual server
address.

a Click Import > Import certificate.

b In the Name field, enter gm_vip_fqdn.

c For Certificate Contents, browse to the previously created certificate file with the
extension chain.pem and select the file.

d For Private Key, browse to the previously created private key with the extension .key,
select the file, and click Import.

Replace the Certificate for the First Global Manager Node


Replace the default certificate of the first Global Manager node to establish a trusted connection
with the management components in the SDDC. You use APIs for this procedure.

Procedure

1 In a web browser, log in to Global Manager at https://gm_vip_fqdn/.

2 Retrieve the certificate ID.

a On the main navigation bar, click System > Certificates.

b Copy the certificate ID value and save it.

3 Log in to the host that has access to your data center.

4 Replace the default certificate on the first Global Manager node with the CA-signed
certificate.

a Start the Postman application in your web browser and log in.

b On the Authorization tab, enter the following settings.

Setting Value

Type Select Basic Auth.

User name Enter admin.

Password Enter nsx_admin_password.

c Click Update request.

d On the Headers tab, add a key as follows.

Setting Value

Key Content-Type

Key Value application/xml

e In the request pane at the top, send the following HTTP request.

Setting Value

HTTP request method Select POST.

URL Enter https://gm_node1_fqdn/api/v1/node/services/http?action=apply_certificate&certificate_id=gm_vip_fqdn_certificate_ID

After the Global Manager sends a response, a 200 OK status is displayed on the Body
tab.

5 Restart the first Global Manager node.

a Log in to vCenter Server.

b In the inventory, expand vCenter Server > Datacenter > Cluster.

c Right-click the node and select Actions > Power > Restart guest OS.

Replace Certificates and Virtual IP for the Remaining Global Manager Nodes

Replace the default certificates on the remaining Global Manager nodes.

Table 19-1. URLs for Replacing the Global Manager Node Certificates

NSX Manager Node    POST URL for Certificate Replacement

gm_node2_fqdn       https://gm_node2_fqdn/api/v1/node/services/http?action=apply_certificate&certificate_id=gm_vip_fqdn_certificate_ID

gm_node3_fqdn       https://gm_node3_fqdn/api/v1/node/services/http?action=apply_certificate&certificate_id=gm_fqdn_certificate_ID

gm_vip_fqdn         https://gm_vip_fqdn/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=gm_vip_fqdn_certificate_ID

Procedure

1 In a web browser, log in to the active Global Manager at https://gm_vip_fqdn/.

2 Log in to the host that has access to your data center.

3 Replace the default certificate for the second Global Manager node with the CA-signed
certificate by using the first Global Manager node as a source.

a Start the Postman application in your web browser and log in.

b On the Authorization tab, configure the following settings.

Setting Value

Type Select Basic Auth.

User name Enter admin.

Password Enter the nsx_admin_password.

c Click Update request.

d On the Headers tab, enter the header details.

Setting Value to Select

Key Content-Type

Key Value application/xml

e In the request pane at the top, send the URL query.

Setting Value

HTTP request method Select POST.

URL Enter https://gm_node2_fqdn/api/v1/node/services/http?action=apply_certificate&certificate_id=firstinstance_gm_vip_certificate_ID

After the NSX Manager appliance responds, the Body tab displays a 200 OK status.

4 To upload the CA-signed certificate on the third Global Manager node, repeat steps 2 to 4
with the appropriate values.

5 Restart the second and third Global Manager nodes.

a Log in to vCenter Server.

b In the inventory, expand vCenter Server > Datacenter > Cluster.

c Right-click the second and third Global Manager nodes and click Actions > Power >
Restart guest OS.

6 Verify the status of each Global Manager node.

a In a web browser, log in to the first Global Manager node at https://gm_node1_fqdn/.

b For each node, navigate to System > Global Manager Appliances > View Details and
confirm that the status is REPO_SYNC = SUCCESS.


7 Assign a certificate to the Global Manager cluster.

a Start the Postman application in your web browser and log in.

b On the Authorization tab, configure the following settings.

Setting Value

Type Select Basic Auth.

User name Enter admin.

Password Enter nsx_admin_password.

c Click Update request.

d On the Headers tab, add a key as follows.

Setting Value

Key Content-Type

Key Value application/xml

e In the request pane at the top, send the URL query.

Setting Value

HTTP request method Select POST.

URL Enter https://gm_vip_fqdn/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=gm_vip_fqdn_certificate_ID

After the NSX Global Manager sends a response, a 200 OK status is displayed on the Body
tab.
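The same sequence of POST calls from Table 19-1, driven from a script instead of Postman, as an added example that is not part of this guide or of the NSX product. It builds the Basic auth and Content-Type headers the procedure specifies, applies the certificate to each remaining node in turn and stops at the first response that is not 200 OK, and only then (after the manual restart and REPO_SYNC check in steps 5 and 6) sets the cluster certificate on the virtual IP. The `post` parameter exists so the flow can be exercised offline; `ca_bundle` is an assumed path to the CA that signed the new certificates. Host names and certificate IDs are placeholders.

```python
import base64
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Query strings from Table 19-1: the per-node HTTP service certificate and
# the cluster-wide API certificate served behind the virtual IP.
NODE_ACTION = "/api/v1/node/services/http?action=apply_certificate&certificate_id="
CLUSTER_ACTION = "/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id="


def basic_auth_header(user: str, password: str) -> str:
    """Authorization header value that Postman's Basic Auth tab generates."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def request_headers(user: str, password: str) -> Dict[str, str]:
    """Headers from the procedure: Basic auth plus Content-Type application/xml."""
    return {"Authorization": basic_auth_header(user, password),
            "Content-Type": "application/xml"}


def node_certificate_url(node_fqdn: str, certificate_id: str) -> str:
    """POST URL that replaces the HTTP service certificate on one node."""
    return f"https://{node_fqdn}{NODE_ACTION}{certificate_id}"


def cluster_certificate_url(vip_fqdn: str, certificate_id: str) -> str:
    """POST URL that sets the API certificate for the cluster virtual IP."""
    return f"https://{vip_fqdn}{CLUSTER_ACTION}{certificate_id}"


def http_post(url: str, headers: Dict[str, str], ca_bundle: Optional[str] = None) -> int:
    """Send an empty-body POST and return the HTTP status code.

    TLS verification stays enabled: ca_bundle (assumed path) is the CA that
    signed the new certificates, so the call fails closed against a node
    that still presents an untrusted default certificate.
    """
    context = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=context, timeout=60) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def apply_node_certificates(node_certs: Sequence[Tuple[str, str]], user: str, password: str,
                            post: Callable[[str, Dict[str, str]], int] = http_post
                            ) -> List[Tuple[str, int]]:
    """Steps 3 and 4: apply the certificate on each remaining node in turn.

    Stops at the first response that is not 200 OK so a failed node is not
    skipped while the rest move on. Restart the nodes and confirm
    REPO_SYNC = SUCCESS (steps 5 and 6) before calling set_cluster_certificate.
    """
    headers = request_headers(user, password)
    results: List[Tuple[str, int]] = []
    for fqdn, certificate_id in node_certs:
        status = post(node_certificate_url(fqdn, certificate_id), headers)
        results.append((fqdn, status))
        if status != 200:
            break
    return results


def set_cluster_certificate(vip_fqdn: str, certificate_id: str, user: str, password: str,
                            post: Callable[[str, Dict[str, str]], int] = http_post) -> int:
    """Step 7: assign the certificate to the Global Manager cluster virtual IP."""
    return post(cluster_certificate_url(vip_fqdn, certificate_id),
                request_headers(user, password))
```

Run `apply_node_certificates([("gm_node2_fqdn", "gm_vip_fqdn_certificate_ID"), ("gm_node3_fqdn", "gm_fqdn_certificate_ID")], "admin", nsx_admin_password)` with your own values, check that every tuple reports 200, complete the restart and REPO_SYNC verification, then call `set_cluster_certificate("gm_vip_fqdn", "gm_vip_fqdn_certificate_ID", "admin", nsx_admin_password)`.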

Update Local Manager Certificate Thumbprint in Global Manager Cluster

After you rotate the Local Manager certificates using SDDC Manager, obtain the new certificate
thumbprint and update it in the Global Manager cluster.

Procedure

1 In a web browser, log in to Global Manager at https://nsx_gm_vip_fqdn/.

2 Obtain the certificate thumbprint.

a Log in to a vCenter Server by using a Secure Shell (SSH) client.

b Run the shell command to switch to the bash shell.


c Run the command to retrieve the SHA-256 thumbprint of the virtual IP for the NSX
Manager cluster certificate.

echo -n | openssl s_client -connect nsx_lm_vip_fqdn:443 2>/dev/null | openssl x509 -noout -fingerprint -sha256

d Save the thumbprint value.

3 Update the Local Manager certificate thumbprint in the Global Manager.

a On the main navigation bar, click System.

b In the navigation pane, select Location Manager.

c Under Locations, select the Local Manager instance, and click Actions.

d Click Edit Settings and update NSX Local Manager Certificate Thumbprint.

e Click Check Compatibility and click Save.

f Wait for the Sync Status to display success and verify that all Local Manager nodes
appear.

4 Under Locations, update the Local Manager certificate thumbprint for all the instances.
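An added Python example, not code from this guide or from NSX, that produces the same SHA-256 thumbprint as the openssl pipeline above and compares it with the value stored in the Global Manager, tolerating the colon and case differences that make a by-eye comparison error-prone. `fetch_server_fingerprint` reads the certificate the Local Manager VIP actually presents without validating it, exactly like `openssl s_client` in step 2, because the goal is to learn the new thumbprint after rotation; the host name is a placeholder.

```python
import hashlib
import re
import ssl


def sha256_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 over the DER certificate, formatted like openssl -fingerprint -sha256."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(value: str) -> str:
    """Canonical form: upper-case hex pairs separated by colons.

    Raises ValueError unless exactly 64 hex digits are present, so a SHA-1
    value or a truncated paste cannot be accepted as a SHA-256 thumbprint.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(hexdigits) != 64:
        raise ValueError(f"SHA-256 thumbprint needs 64 hex digits, got {len(hexdigits)}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 64, 2))


def is_valid_thumbprint(value: str) -> bool:
    try:
        normalize_thumbprint(value)
        return True
    except ValueError:
        return False


def parse_openssl_fingerprint(line: str) -> str:
    """Extract the digest from 'sha256 Fingerprint=AB:CD:...' (OpenSSL 3)
    or 'SHA256 Fingerprint=...' (OpenSSL 1.1) output."""
    match = re.search(r"sha256 fingerprint=([0-9a-f:]+)", line, re.IGNORECASE)
    if not match:
        raise ValueError("not an openssl -sha256 fingerprint line")
    return normalize_thumbprint(match.group(1))


def thumbprints_match(stored: str, observed: str) -> bool:
    """True when the Global Manager's stored thumbprint equals the live one."""
    return normalize_thumbprint(stored) == normalize_thumbprint(observed)


def fetch_server_fingerprint(host: str, port: int = 443) -> str:
    """Live equivalent of the openssl pipeline in step 2c (no validation: we
    want the thumbprint of whatever the VIP presents after rotation)."""
    pem = ssl.get_server_certificate((host, port))
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


if __name__ == "__main__":
    # nsx_lm_vip_fqdn is a placeholder; replace with the Local Manager VIP.
    live = fetch_server_fingerprint("nsx_lm_vip_fqdn")
    print("Paste this into NSX Local Manager Certificate Thumbprint:", live)
```

Before pasting the live value into Edit Settings, compare it with the thumbprint computed from the certificate file SDDC Manager installed (`sha256_fingerprint` over the DER bytes); a mismatch means the VIP is still serving the old certificate or a node has not picked up the rotation yet.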

Password Management for NSX Global Manager Cluster in VMware Cloud Foundation
You can manage NSX Global Manager user accounts using the NSX appliance's CLI. Resetting the
password for any of the local users on one node automatically resets the password for the other
NSX Managers in the cluster. The synchronization of the password can take a few minutes.

See Manage Local User’s Password or Name Using the CLI.

Backup and Restore of NSX Global Manager Cluster in VMware Cloud Foundation

Regular backups of the NSX Global Manager components ensure that you can keep your
environment operational if a data loss or failure occurs.

The Global Manager cluster stores the configured state of the segments. If the Global Manager
appliances become unavailable, the network traffic in the data plane is intact but you can make
no configuration changes.

Configure NSX Global Manager Cluster Backups


Configure an SFTP server to store backup files. After a backup file server is configured, you can
start a backup at any time, or schedule recurring backups.

Procedure

1 In a web browser, log in to Global Manager at https://gm_vip_fqdn/.


2 Select System > Backup & Restore.

3 On the Backup tab, click Edit.

4 Enter the IP address or FQDN of the backup file server.

5 Change the default port if necessary. The default port is 22.

6 The protocol text box is already filled in. SFTP is the only supported protocol.

7 In the Directory Path text box, enter the absolute directory path where the backups will be
stored.

8 Enter the user name and password required to log in to the backup file server.

The first time you configure a file server, you must provide a password. Subsequently, if you
reconfigure the file server, and the server IP or FQDN, port, and user name are the same, you
do not need to enter the password again.

9 Leave the SSH Fingerprint blank and accept the fingerprint provided by the server after you
click Save in a later step.

10 Enter a passphrase.

Note You will need this passphrase to restore a backup. If you forget the passphrase, you
cannot restore any backups.

11 Click Edit under the Schedule label.

You can schedule recurring backups or trigger backups for configuration changes.

a Click the Recurring Backup toggle.

b Click Weekly and set the days and time of the backup, or click Interval and set the interval
between backups.

c Enabling the Detect NSX configuration change option will trigger an unscheduled full
configuration backup when it detects any runtime or non-configuration related changes,
or any change in user configuration. For Global Manager, this setting triggers backup if
any changes in the database are detected, such as the addition or removal of a Local
Manager or Tier-0 gateway or DFW policy.

d You can specify a time interval for detecting database configuration changes. The valid
range is 5 minutes to 1,440 minutes (24 hours). This option can potentially generate a
large number of backups. Use it with caution.

e Click Save.

What to do next

After you configure a backup file server, you can click Backup Now to manually start a backup
at any time. Automatic backups run as scheduled. You see a progress bar of your in-progress
backup.


Restore an NSX Global Manager Cluster Backup


Restoring a backup restores the state of the network at the time of the backup. In addition, the
configurations maintained by Global Manager appliances are also restored.

Do not change the configuration of the NSX Global Manager cluster while the restore process is
in progress.

Prerequisites

n Verify that you have the login credentials for the backup file server.

n Verify that you have the SSH fingerprint of the backup file server. Only SHA256 hashed
ECDSA (256 bit) host key is accepted as a fingerprint.

n Verify that you have the passphrase of the backup file.

Procedure

1 If any nodes in the appliance cluster that you are restoring are online, power them off.

2 Install one new appliance node on which to restore the backup.

n If the backup listing for the backup you are restoring contains an IP address, you must
deploy the new Global Manager node with the same IP address. Do not configure the
node to publish its FQDN.

n If the backup listing for the backup you are restoring contains an FQDN, you must
configure the new appliance node with this FQDN and publish the FQDN. Only lowercase
FQDN is supported for backup and restore.

3 In a web browser, log in to Global Manager at https://gm_vip_fqdn/.

4 Make the Global Manager active. You can restore a backup only on an active Global Manager.

a On the main navigation bar, click System.

b In the navigation pane, select Location Manager.

c On the Location Manager page, click Make Active, enter a name for the Global Manager,
and click Save.

5 On the main navigation bar, click System > Backup & Restore and then click Edit.

6 Enter the IP address or FQDN of the backup file server.

7 Change the default port if necessary. The default port is 22.

8 To log in to the server, enter the user name and password.

9 In the Destination Directory text box, enter the absolute directory path where the backups
are stored.

10 Enter the passphrase that was used to encrypt the backup data.

11 Leave the SSH Fingerprint blank and accept the fingerprint provided by the server after you
click Save in a later step.


12 Select a backup and click Restore.

13 The restore process prompts you to take action, if necessary, as it progresses.

14 After the restored manager node is up and functional, deploy additional nodes to form an NSX
Global Manager cluster.

20 Stretching vSAN Clusters in VMware Cloud Foundation on Dell VxRail

You can stretch a vSAN cluster in a workload domain across two availability zones within a
region. Both availability zones must contain an equal number of hosts to ensure failover in case
any of the availability zones goes down.

The default management cluster must be stretched before a VI workload domain cluster can be
stretched. This ensures that the NSX control plane and management VMs (vCenter, NSX, SDDC
Manager) remain accessible if the stretched cluster in the second availability zone goes down.

Note You cannot stretch a cluster in the following conditions:

n The cluster uses vSAN ESA.

Note Starting with VMware Cloud Foundation 5.2.1.1 you can stretch a cluster that uses
vSAN ESA. Earlier versions of VMware Cloud Foundation only support stretching vSAN OSA
clusters.

n The cluster has a vSAN remote datastore mounted on it.

n The cluster shares a vSAN Storage Policy with any other clusters.

You may want to stretch a cluster for the following reasons.

n Planned maintenance

You can perform a planned maintenance on an availability zone without any downtime and
then migrate the applications after the maintenance is completed.

n Automated recovery

Stretching a cluster automatically initiates VM restart and recovery, and has a low recovery
time for the majority of unplanned failures.

n Disaster avoidance

With a stretched cluster, you can prevent service outages before an impending disaster.

This release of VMware Cloud Foundation does not support deleting or unstretching a cluster.

About Availability Zones and Regions


This section describes availability zones and regions as used for stretch clusters.


Availability Zones
An availability zone is a collection of infrastructure components. Each availability zone runs on its
own physically distinct, independent infrastructure, and is engineered to be highly reliable. Each
zone should have independent power, cooling, network, and security.

Additionally, these zones should be physically separate so that disasters affect only one zone.
The physical distance between availability zones is short enough to offer low, single-digit latency
(less than 5 ms) and large bandwidth (10 Gbps) between the zones.

Availability zones can either be two distinct data centers in a metro distance, or two safety or fire
sectors (data halls) in the same large-scale data center.

Regions
Regions are in two distinct locations - for example, region A can be in San Francisco and region
B in Los Angeles (LAX). The distance between regions can be rather large. The latency between
regions must be less than 150 ms.

Stretched Cluster Requirements


In an environment with multiple availability zones, Layer 2 networks must be stretched between
the availability zones by the physical infrastructure. You also must provide a Layer 3 gateway
that is highly available between availability zones. The method for stretching these Layer 2
networks and providing a highly available Layer 3 gateway is vendor-specific.

VLANs and Subnets for Multiple Availability Zones

This section displays a sample configuration for an environment with multiple availability zones.
The VM management, Uplink 01, Uplink 02, and Edge overlay networks in each availability zone
must be stretched to facilitate failover of the NSX Edge appliances between availability zones.
The Layer 3 gateway for the management and Edge overlay networks must be highly available
across the availability zones.

Note If VLAN is stretched between AZ1 and AZ2, the Layer 3 network must also be stretched
between the two AZs.

Table 20-1. Stretched Cluster Subnet Requirements

Function                     Availability Zone 1   Availability Zone 2   HA Layer 3 Gateway   Recommended MTU

VM Management VLAN           ✓                     ✓                     ✓                    1500

Management VLAN (AZ1)        ✓                     X                     ✓                    1500

vMotion VLAN                 ✓                     X                     ✓                    9000

vSAN VLAN (AZ1)              ✓                     X                     ✓                    9000

NSX Host Overlay VLAN        ✓                     X                     ✓                    9000

NSX Edge Uplink01 VLAN       ✓                     ✓                     X                    9000

NSX Edge Uplink02 VLAN       ✓                     ✓                     X                    9000

NSX Edge Overlay VLAN        ✓                     ✓                     ✓                    9000

Management VLAN (AZ2)        X                     ✓                     ✓                    1500

vMotion VLAN (AZ2)           X                     ✓                     ✓                    9000

vSAN VLAN (AZ2)              X                     ✓                     ✓                    9000

NSX Host Overlay VLAN (AZ2)  X                     ✓                     ✓                    9000

Networking for Multiple Availability Zones


There are specific physical data center network requirements for a topology with multiple
availability zones. For information about the vSAN witness appliance requirements, see vSAN
Witness Network Design in the VMware Cloud Foundation Design Guide.

Table 20-2. Physical Network Requirements for Multiple Availability Zone

Component                      Requirement

MTU                            VLANs that are stretched between availability zones must meet the same
                               requirements as the VLANs for intra-zone connection, including MTU. The
                               MTU value must be consistent end-to-end, including components on the
                               inter-zone networking path. Set MTU values as follows.
                               n MTU for all VLANs and Switch Virtual Interfaces (vMotion, Geneve, and
                                 Storage) to jumbo frames.
                               n Management MTU to 1500.
                               n Geneve overlay requires a minimum MTU of 1600.

Layer 3 gateway availability   For VLANs that are stretched between availability zones, configure a
                               data center provided method to fail over the Layer 3 gateway between
                               availability zones. For example, VRRP or HSRP.

DHCP availability              For VLANs that are stretched between availability zones, provide high
                               availability for the DHCP server so that a failover operation of a
                               single availability zone will not impact DHCP availability.

BGP routing                    Each availability zone data center must have its own Autonomous System
                               Number (ASN).

Ingress and egress traffic     n For VLANs that are stretched between availability zones, traffic flows
                                 in and out of a single zone. Local egress is not supported.
                               n For VLANs that are not stretched between availability zones, traffic
                                 flows in and out of the zone where the VLAN is located.
                               n For NSX virtual network segments that are stretched between regions,
                                 traffic flows in and out of a single availability zone. Local egress is
                                 not supported.

Latency                        vSphere
                               n Less than 150 ms latency RTT for vCenter Server connectivity.
                               n Less than 150 ms latency RTT for vMotion connectivity.
                               n Less than 5 ms latency RTT for vSAN host connectivity.
                               vSAN
                               n Less than 200 ms latency RTT for up to 10 hosts per site.
                               n Less than 100 ms latency RTT for 11-15 hosts per site.
                               NSX Managers
                               n Less than 10 ms latency RTT between NSX Managers.
                               n Less than 150 ms latency RTT between NSX Managers and transport nodes.
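To turn Table 20-1 and Table 20-2 into a check that runs against a planned layout before any host is added, here is an added Python example (not code from this guide or from VMware). It encodes the rule that stretched management and Edge overlay VLANs need a highly available Layer 3 gateway, the per-function MTU recommendation with the 1600-byte Geneve floor, the one-ASN-per-zone rule and the RTT limits; the function names, the ASN values and the latencies in `EXAMPLE_LAYOUT` are constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Thresholds taken from Table 20-1 and Table 20-2 above.
MANAGEMENT_MTU = 1500        # management networks stay at 1500
JUMBO_MTU = 9000             # vMotion, vSAN, overlay and edge networks
GENEVE_MIN_MTU = 1600        # hard floor for Geneve overlay traffic
MAX_VSAN_RTT_MS = 5          # between vSAN hosts of the two zones
MAX_VCENTER_RTT_MS = 150     # vCenter Server connectivity
MAX_NSX_MANAGER_RTT_MS = 10  # between NSX Manager nodes

OVERLAY_FUNCTIONS = {"host_overlay", "edge_overlay"}
# The Layer 3 gateway for management and Edge overlay networks must be highly
# available across zones; the stretched edge uplinks are the exception.
HA_GATEWAY_WHEN_STRETCHED = {"vm_management", "edge_overlay"}


@dataclass
class Vlan:
    name: str
    function: str   # vm_management, management, vmotion, vsan, host_overlay, edge_uplink, edge_overlay
    in_az1: bool
    in_az2: bool
    ha_gateway: bool
    mtu: int

    @property
    def stretched(self) -> bool:
        return self.in_az1 and self.in_az2


@dataclass
class Layout:
    vlans: List[Vlan]
    asn_az1: int
    asn_az2: int
    vsan_rtt_ms: float
    vcenter_rtt_ms: float
    nsx_manager_rtt_ms: float


def recommended_mtu(function: str) -> int:
    return MANAGEMENT_MTU if function in ("vm_management", "management") else JUMBO_MTU


def check_layout(layout: Layout) -> List[str]:
    """One finding per violated requirement; an empty list means the layout complies."""
    findings: List[str] = []
    for v in layout.vlans:
        if v.stretched and v.function in HA_GATEWAY_WHEN_STRETCHED and not v.ha_gateway:
            findings.append(f"{v.name}: stretched {v.function} VLAN needs an HA Layer 3 gateway")
        if v.function in OVERLAY_FUNCTIONS and v.mtu < GENEVE_MIN_MTU:
            findings.append(f"{v.name}: Geneve requires MTU >= {GENEVE_MIN_MTU}, got {v.mtu}")
        elif v.mtu != recommended_mtu(v.function):
            findings.append(f"{v.name}: MTU {v.mtu}, recommended {recommended_mtu(v.function)}")
    if layout.asn_az1 == layout.asn_az2:
        findings.append("BGP: each availability zone must use its own ASN")
    if layout.vsan_rtt_ms >= MAX_VSAN_RTT_MS:
        findings.append(f"vSAN RTT {layout.vsan_rtt_ms} ms is not below {MAX_VSAN_RTT_MS} ms")
    if layout.vcenter_rtt_ms >= MAX_VCENTER_RTT_MS:
        findings.append(f"vCenter RTT {layout.vcenter_rtt_ms} ms is not below {MAX_VCENTER_RTT_MS} ms")
    if layout.nsx_manager_rtt_ms >= MAX_NSX_MANAGER_RTT_MS:
        findings.append(f"NSX Manager RTT {layout.nsx_manager_rtt_ms} ms is not below "
                        f"{MAX_NSX_MANAGER_RTT_MS} ms")
    return findings


# The rows of Table 20-1; ASNs and latencies below are constructed values.
TABLE_20_1 = [
    ("VM Management VLAN", "vm_management", True, True, True, 1500),
    ("Management VLAN (AZ1)", "management", True, False, True, 1500),
    ("vMotion VLAN (AZ1)", "vmotion", True, False, True, 9000),
    ("vSAN VLAN (AZ1)", "vsan", True, False, True, 9000),
    ("NSX Host Overlay VLAN (AZ1)", "host_overlay", True, False, True, 9000),
    ("NSX Edge Uplink01 VLAN", "edge_uplink", True, True, False, 9000),
    ("NSX Edge Uplink02 VLAN", "edge_uplink", True, True, False, 9000),
    ("NSX Edge Overlay VLAN", "edge_overlay", True, True, True, 9000),
    ("Management VLAN (AZ2)", "management", False, True, True, 1500),
    ("vMotion VLAN (AZ2)", "vmotion", False, True, True, 9000),
    ("vSAN VLAN (AZ2)", "vsan", False, True, True, 9000),
    ("NSX Host Overlay VLAN (AZ2)", "host_overlay", False, True, True, 9000),
]
EXAMPLE_LAYOUT = Layout(vlans=[Vlan(*row) for row in TABLE_20_1], asn_az1=65001, asn_az2=65002,
                        vsan_rtt_ms=2.0, vcenter_rtt_ms=20.0, nsx_manager_rtt_ms=3.0)

if __name__ == "__main__":
    print(check_layout(EXAMPLE_LAYOUT) or "layout complies with Tables 20-1 and 20-2")
```

Feed it the VLAN rows from your Planning and Preparation Workbook and the RTT values measured between the zones; every finding maps to one row of the two tables, so an empty result is a quick gate before the Prerequisites of the stretch procedure.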

Deploy and Configure vSAN Witness Host


Each vSAN stretched cluster requires a witness host deployed in a vSAN witness zone, which
must be different from the location of both availability zones.

You deploy the vSAN witness host using an appliance instead of using a dedicated physical ESXi
host as a witness host. The witness host does not run virtual machines and must run the same
version of ESXi as the ESXi hosts in the stretched cluster. It must also meet latency and Round
Trip Time (RTT) requirements.

There are separate vSAN witness appliances for vSAN OSA and vSAN ESA. You must deploy the
witness appliance that matches the cluster type that you are stretching.

See the Physical Network Requirements for Multiple Availability Zone table within Stretched
Cluster Requirements.

Deploy vSAN Witness Host


You deploy the vSAN witness host for a stretched cluster at a site which is isolated from the
existing availability zones to prevent propagation of failure or outage in the data center.

For more information, see vSAN Witness Design for VMware Cloud Foundation.


Prerequisites

Download the VMware vSAN Witness Appliance .ova file from the Broadcom Support Portal.

n For stretching a vSAN OSA cluster download the appliance for vSAN OSA.

n For stretching a vSAN ESA cluster download the appliance for vSAN ESA.

Procedure

1 In a web browser, log in to vCenter Server at https://vcenter_server_fqdn/ui.

2 Select Menu > Hosts and Clusters.

3 In the inventory panel, expand vCenter Server > Datacenter.

4 Right-click the cluster and select Deploy OVF template.

5 On the Select an OVF template page, select Local file, click Upload files, browse to the
location of the vSAN witness host OVA file, and click Next.

6 On the Select a name and folder page, enter a name for the virtual machine and click Next.

7 On the Select a compute resource page, click Next.

8 On the Review details page, review the settings and click Next.

9 On the License agreements page, accept the license agreement and click Next.

10 On the Configuration page, select Medium and click Next.

11 On the Select storage page, select a datastore and click Next.

12 On the Select networks page, select a portgroup for the witness and management network,
and click Next.

13 On the Customize template page, enter the root password for the witness and click Next.

14 On the Ready to complete page, click Finish and wait for the process to complete.

15 Power on the vSAN witness host.

a In the inventory panel, navigate to vCenter Server > Datacenter > Cluster.

b Right-click the vSAN witness host and from the Actions menu, select Power > Power on.

Configure the Management Network on the vSAN Witness Host


Configure the management network for the vSAN witness host in the ESXi Direct Console User
Interface (DCUI).

Procedure

1 In the inventory panel of the vCenter Server Client, select vCenter Server > Datacenter.


2 Open the DCUI of the ESXi host.

a Right-click the vSAN witness host and click Open remote console.

b Press F2 to enter the DCUI.

c Log in with the vsan_witness_root_password.

3 Configure the network.

a Select Configure Management Network and press Enter.

b Select IPv4 Configuration and press Enter.

c Select Set static IPv4 address and network configuration and press the Space bar.

d Enter IPv4 Address, Subnet Mask and Default Gateway and press Enter.

e Select DNS Configuration and press Enter.

f Select Use the following DNS Server address and hostname and press the Space bar.

g Enter Primary DNS Server, Alternate DNS Server and Hostname and press Enter.

h Select Custom DNS Suffixes and press Enter.

i Ensure that there are no suffixes listed and press Enter.

4 Press Escape to exit and press Y to confirm the changes.

Register vSAN Witness Host


Before you can configure the vSAN Witness Host, you must register it with vCenter Server.

Procedure

1 Use the vSphere Client to log in to the vCenter Server containing the cluster that you want to
stretch.

2 In the vSphere Client, navigate to the data center.

3 Right-click the data center and select Add Host.

Important You must add the vSAN Witness Host to the datacenter. Do not add it to a folder.

4 On the Name and location page, enter the Fully Qualified Domain Name (FQDN) of the vSAN
Witness Host and click Next.

Note Do not use the IP address.

5 On the Connection settings page, enter administrator credentials and click Next.

6 On the Host summary page, review the summary of the host details and click Next.

7 On the Host lifecycle page, the check box Manage host with an image is selected by default.

n If you want to manage the host with an image, leave the check box selected and click
Next.


n If you do not want to manage the host with an image, deselect the check box and click
Next.

8 If you manage the host with an image, on the Image page, set up the desired image and click
Next.

9 On the Assign license page, assign an existing license and click Next.

Note Do not create a new license.

10 Review the summary and click Finish.

Configure NTP on the Witness Host


To prevent time synchronization issues, configure the NTP service on the vSAN witness host.

Procedure

1 In the inventory panel of the vCenter Server Client, select vCenter Server > Datacenter.

2 Select the vSAN witness host and click the Configure tab.

3 Configure the NTP client on the vSAN witness host.

a In the System section, click Time configuration and click the Edit button.

b Select Use Network Time Protocol (enable NTP client).

c Configure the following settings and click OK.

Setting Value

NTP Servers NTP server address

Start NTP Service Selected

NTP Service Startup Policy Start and stop with host

Configure the VMkernel Adapters on the vSAN Witness Host


To enable vSAN data network communication between the availability zones, configure the
witness network on the vSAN witness host.

Procedure

1 In the inventory panel of the vCenter Server Client, select vCenter Server > Datacenter.

2 Select the vSAN witness host and click the Configure tab.

3 Remove the dedicated witness traffic VMkernel adapter on the vSAN Witness host.

a In the Networking section, click VMkernel adapters.

b Select the kernel adapter vmk1 with secondaryPg as Network label and click Remove.

c On the Remove VMkernel adapter dialog box, click Remove


4 Remove the virtual machine network port group on the vSAN witness host.

a In the left pane, select Networking > Virtual switches.

b Expand the Standard switch: secondary switch section.

c Click the vertical ellipsis and from the drop-down menu, select Remove.

d On the Remove standard switch dialog box, click Yes.

e Expand the Standard switch: vSwitch0 section.

f In the VM Network pane, click the vertical ellipsis and from the drop-down menu, select
Remove.

g On the Remove port group dialog box, click Yes.

5 Enable witness traffic on the VMkernel adapter for the management network of the vSAN
witness host.

a On the VMkernel adapters page, select the vmk0 adapter and click Edit.

b In the vmk0 - edit settings dialog box, click Port properties, select the vSAN check box,
and click OK.

Stretch a VxRail Cluster in VMware Cloud Foundation


This procedure describes how to stretch a VxRail cluster across two availability zones. You can
stretch a vSAN cluster in the management domain or VI workload domain.

When you stretch a cluster, VMware Cloud Foundation modifies the site disaster tolerance
setting for storage policy associated with datastore of that cluster from None - standard cluster
to Site mirroring - stretched cluster. This affects all VMs using default datastore policy in that
cluster. If you do not want to change the site disaster tolerance setting for specific VMs, apply a
different storage policy to those VMs before stretching the cluster.

This example use case has two availability zones in two buildings in an office campus, AZ1 and
AZ2. Each availability zone has its own power supply and network. The management domain is
on AZ1 and contains the default cluster, SDDC-Cluster1. This cluster contains four ESXi hosts.

vSAN network
  VLAN ID=1623
  MTU=9000
  Network=172.16.23.0
  netmask 255.255.255.0
  gateway 172.16.23.253
  IP range=172.16.23.11 - 172.16.23.59

vMotion network
  VLAN ID=1622
  MTU=9000
  Network=172.16.22.0
  netmask 255.255.255.0
  gateway 172.16.22.253
  IP range=172.16.22.11 - 172.16.22.59

There are four ESXi hosts in AZ2 that are not in the VMware Cloud Foundation inventory yet.

We will stretch the default cluster SDDC-Cluster1 in the management domain from AZ1 to AZ2.


Figure 20-1. Stretch Cluster Example

vSAN witness appliance in offsite location:
  Management host name: sfo-m01-cl01-vsw01
  Management IP address (vmk0): 172.17.11.201/24
  Gateway: 172.17.11.253

vSAN: L3 routing between AZ1 and AZ2 hosts; L3 routing between AZ1/AZ2 hosts and the witness.
vMotion: L3 routing between AZ1 and AZ2 hosts.

Stretched networks:
  Management (VLAN 1611): 172.16.11.0/24
  Edge Uplink 1 (VLAN 2711): 172.27.11.0/24
  Edge Uplink 2 (VLAN 2712): 172.27.12.0/24
  Edge Overlay (VLAN 2713): 172.27.13.0/24

Management cluster stretched across AZ1 (Host 1 to Host 4, behind a pair of ToR switches) and
AZ2 (Host 5 to Host 8, behind a pair of ToR switches).

Site-local networks:
  AZ1: vMotion VLAN 1612, 172.16.12.0/24, GW 172.16.12.253; NSX-T Host Overlay VLAN 1614,
       172.16.14.0/24, GW 172.16.14.253; vSAN VLAN 1613, 172.16.13.0/24, GW 172.16.13.253
  AZ2: vMotion VLAN 1622, 172.16.22.0/24, GW 172.16.22.253; NSX-T Host Overlay VLAN 1624,
       172.16.24.0/24, GW 172.16.24.253; vSAN VLAN 1623, 172.16.23.0/24, GW 172.16.23.253


To stretch a cluster for VMware Cloud Foundation on Dell VxRail, perform the following steps:

Prerequisites

n Verify that vCenter Server is operational.

n Verify that you have completed the Planning and Preparation Workbook with the
management domain or VI workload domain deployment option included.

n Verify that your environment meets the requirements listed in the Prerequisite Checklist sheet
in the Planning and Preparation Workbook.

n Ensure that you have enough hosts such that there is an equal number of hosts on each
availability zone. This is to ensure that there are sufficient resources in case an availability
zone goes down completely.

n Deploy and configure a vSAN witness host. See Deploy and Configure vSAN Witness Host.

n If you are stretching a cluster in a VI workload domain, the default management vSphere
cluster must have been stretched.

n Download https://community.broadcom.com/vmware-code/viewdocument/vcf-on-vxrail-
stretch-cluster-7.

Note You cannot stretch a cluster in the following conditions:

n The cluster uses vSAN ESA.

Note Starting with VMware Cloud Foundation 5.2.1.1 you can stretch a cluster that uses
vSAN ESA. Earlier versions of VMware Cloud Foundation only support stretching vSAN OSA
clusters.

n The cluster has a vSAN remote datastore mounted on it.

n The cluster shares a vSAN Storage Policy with any other clusters.

Procedure

1 Using an SSH File Transfer tool, copy initiate_stretch_cluster_vxrail_<version>.py to the
/home/vcf/ directory on the SDDC Manager appliance.

2 Using SSH, log in to the SDDC Manager appliance with the user name vcf and the password
you specified in the deployment parameter workbook.

3 Run the script with -h option for details about the script options.

python initiate_stretch_cluster_vxrail_<version>.py -h

4 Run the following command to prepare the cluster to be stretched. The command creates
affinity rules for the VMs to run on the preferred site:

python initiate_stretch_cluster_vxrail_<version>.py --workflow prepare-stretch --sc-domain <SDDC-valid-domain-name> --sc-cluster <valid-cluster-name>

Replace <SDDC-valid-domain-name> and <valid-cluster-name> with the correct values for
your environment. For example:

python initiate_stretch_cluster_vxrail_<version>.py --workflow prepare-stretch --sc-domain wdc1-workflowspec-vxrail --sc-cluster VxRail-Virtual-SAN-Cluster-8d2c9f37-e230-4238-ab35-cafd5033a59e

Enter the SSO user name and password when prompted to do so.

Once the workflow is triggered, track the task status in the SDDC Manager UI. If the task fails,
debug and fix the issue and retry the task from the SDDC Manager UI. Do not run the script
again.

5 Use the VxRail vCenter plug-in to add the additional hosts in Availability Zone 2 to the cluster
by performing the VxRail Manager cluster expansion work flow.

6 Run the following command to stretch the cluster:

python initiate_stretch_cluster_vxrail_<version>.py --workflow stretch-vsan --sc-domain <SDDC-valid-domain-name> --sc-cluster <valid cluster name which is a part of the domain to be stretched> --sc-hosts <valid host names> --witness-host-fqdn <witness host/appliance IP or fqdn> --witness-vsan-ip <witness vsan IP address> --witness-vsan-cidr <witness-vsan-network-IP-address-with-mask>

Replace <SDDC-valid-domain-name>, <valid cluster name which is a part of the domain to
be stretched>, <valid host names>, <witness host/appliance IP or fqdn>, <witness vsan IP
address>, and <witness-vsan-network-IP-address-with-mask> with the correct values for your
environment. For example:

python initiate_stretch_cluster_vxrail_<version>.py --workflow stretch-vsan --sc-domain wdc1-workflowspec-vxrail --sc-cluster VxRail-Virtual-SAN-Cluster-8d2c9f37-e230-4238-ab35-cafd5033a59e --sc-hosts wdc3-005-proxy.vxrail.local --witness-host-fqdn 172.16.10.235 --witness-vsan-ip 172.16.20.235 --witness-vsan-cidr 172.16.20.0/24

7 When prompted, enter the following information:

n SSO user name and password

n Root user password for ESXi hosts

n vSAN gateway IP for the preferred (primary) and non-preferred (secondary) site

n vSAN CIDR for the preferred (primary) and non-preferred (secondary) site

n VLAN ID for the non-preferred site overlay VLAN

n IP address pool details (if supported and required)

n Confirm the SSH thumbprints for the hosts

Once the workflow is triggered, the task is tracked in the SDDC Manager UI. If the task fails,
debug and fix the issue and retry from SDDC Manager UI. Do not run the script again.


8 Monitor the progress of the AZ2 hosts being added to the cluster.

a In the SDDC Manager UI, click View All Tasks.

b Refresh the window to monitor the status.

9 Validate that stretched cluster operations are working correctly by logging in to the vSphere
Web Client.

a Verify vSAN Health.

1 On the home page, click Host and Clusters and then select the stretched cluster.

2 Click Monitor > vSAN > Skyline Health.

3 Click Retest.

4 Fix errors, if any.

b Verify the vSAN Storage Policy.

1 On the home page, click Policies and Profiles > VM Storage Policies > vSAN Default
Storage Policies.

2 Select the policy associated with the vCenter Server for the stretched cluster and click
Check Compliance.

3 Click VM Compliance and check the Compliance Status column for each VM.

4 Fix errors, if any.
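Because a failed stretch-vsan task has to be debugged and retried from the SDDC Manager UI rather than by re-running the script, it pays to validate the values you will type at the step 6 and step 7 prompts before triggering the workflow. The following added Python example (not part of this guide or of the initiate_stretch_cluster_vxrail script) checks host parity between the zones, that each site's vSAN gateway sits inside its vSAN subnet, that the witness vSAN IP sits inside the witness CIDR, and that the witness subnet does not overlap either site's vSAN subnet. The subnets reuse the figure and step 6 example values; the host names and the `StretchInputs` field names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class StretchInputs:
    """Values entered at the stretch-vsan prompts (field names are ours)."""
    az1_hosts: List[str]            # hosts already in the cluster (preferred site)
    az2_hosts: List[str]            # hosts added by the VxRail expansion (non-preferred site)
    preferred_vsan_cidr: str        # vSAN CIDR, preferred (primary) site
    preferred_vsan_gateway: str     # vSAN gateway IP, preferred site
    secondary_vsan_cidr: str        # vSAN CIDR, non-preferred (secondary) site
    secondary_vsan_gateway: str     # vSAN gateway IP, non-preferred site
    witness_fqdn: str               # --witness-host-fqdn
    witness_vsan_ip: str            # --witness-vsan-ip
    witness_vsan_cidr: str          # --witness-vsan-cidr


def _check_gateway(label: str, cidr: str, gateway: str, findings: List[str]):
    """Gateway must be a host address inside its own subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        findings.append(f"{label}: gateway {gateway} is outside {cidr}")
    elif gw in (net.network_address, net.broadcast_address):
        findings.append(f"{label}: gateway {gateway} is the network or broadcast address")
    return net


def precheck(inputs: StretchInputs) -> List[str]:
    """Return the problems found; an empty list means the inputs are consistent."""
    findings: List[str] = []

    # Prerequisite: an equal number of hosts in each availability zone.
    if len(inputs.az1_hosts) != len(inputs.az2_hosts):
        findings.append(f"host count differs: AZ1 has {len(inputs.az1_hosts)}, "
                        f"AZ2 has {len(inputs.az2_hosts)}")
    names = [h.lower() for h in inputs.az1_hosts + inputs.az2_hosts]
    dupes = sorted({h for h in names if names.count(h) > 1})
    if dupes:
        findings.append(f"host listed in both zones: {', '.join(dupes)}")

    # Site vSAN networks are routed between the zones, so they must not overlap.
    az1 = _check_gateway("preferred vSAN", inputs.preferred_vsan_cidr,
                         inputs.preferred_vsan_gateway, findings)
    az2 = _check_gateway("secondary vSAN", inputs.secondary_vsan_cidr,
                         inputs.secondary_vsan_gateway, findings)
    if az1.overlaps(az2):
        findings.append("preferred and secondary vSAN subnets overlap")

    # The witness lives in a third location with its own vSAN subnet.
    witness_net = ipaddress.ip_network(inputs.witness_vsan_cidr, strict=False)
    if ipaddress.ip_address(inputs.witness_vsan_ip) not in witness_net:
        findings.append(f"witness vSAN IP {inputs.witness_vsan_ip} is outside "
                        f"{inputs.witness_vsan_cidr}")
    for label, net in (("preferred", az1), ("secondary", az2)):
        if witness_net.overlaps(net):
            findings.append(f"witness vSAN subnet overlaps the {label} site vSAN subnet; "
                            "the witness must be in a separate location")
    return findings


if __name__ == "__main__":
    # Constructed host names; subnets follow Figure 20-1 and the step 6 example.
    sample = StretchInputs(
        az1_hosts=["az1-esx01", "az1-esx02", "az1-esx03", "az1-esx04"],
        az2_hosts=["az2-esx05", "az2-esx06", "az2-esx07", "az2-esx08"],
        preferred_vsan_cidr="172.16.13.0/24", preferred_vsan_gateway="172.16.13.253",
        secondary_vsan_cidr="172.16.23.0/24", secondary_vsan_gateway="172.16.23.253",
        witness_fqdn="172.16.10.235", witness_vsan_ip="172.16.20.235",
        witness_vsan_cidr="172.16.20.0/24")
    print(precheck(sample) or "inputs are consistent")
```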

NSX Configuration for Availability Zone 2


To provide the necessary networking services for fail-over of SDDC components from availability
zone 1 to availability zone 2 in the management domain, you configure NSX for availability zone 2.

Configure IP Prefixes in the Tier-0 Gateway for Availability Zone 2


You configure the default route and Any IP prefixes on the tier-0 gateway to permit route
advertisement by any network and by the 0.0.0.0/0 network. These IP prefixes are used in route
maps to prepend a path to one or more autonomous systems (AS-path prepend) for BGP neighbors
and to set the local preference on the learned default route for BGP neighbors in availability
zone 2.

Procedure

1 In a web browser, log in to NSX Manager for the management or workload domain to be
stretched at https://nsx_manager_fqdn/login.jsp?local=true.

2 On the main navigation bar, click Networking.

3 In the navigation pane, click Tier-0 gateways.

4 Select the gateway and from the ellipsis menu, click Edit.


5 Create the Any IP prefix list.

a Expand the Routing section and in the IP prefix list section, click Set.

b In the Set IP prefix list dialog box, click Add IP prefix list.

c Enter Any as the prefix name and under Prefixes, click Set.

d In the Set prefixes dialog box, click Add Prefix and configure the following settings.

Setting   Value
Network   any
Action    Permit

e Click Add and then click Apply.

6 Repeat step 5 to create the default route IP prefix set with the following configuration.

Setting   Value
Name      Default Route
Network   0.0.0.0/0
Action    Permit

7 On the Set IP prefix list dialog box, click Close.

Configure Route Maps in the Tier-0 Gateway for Availability Zone 2


To define which routes are redistributed in the domain, you configure route maps in the tier-0
gateway.

Procedure

1 On the NSX Manager main navigation bar, click Networking.

2 In the navigation pane, click Tier-0 gateways.

3 Select the gateway, and from the ellipsis menu, click Edit.

4 Create a route map for traffic incoming to availability zone 2.

a Expand the Routing section and in the Route maps section, click Set.

b In the Set route maps dialog box, click Add route map.

c Enter a name for the route map.

For example, rm-in-az2.

d In the Match criteria column, click Set.


e On the Set match criteria dialog box, click Add match criteria and configure the following
settings.

Setting            Value for Default Route   Value for Any
Type               IP Prefix                 IP Prefix
Members            Default Route             Any
Local Preference   80                        90
Action             Permit                    Permit

f Click Add and then click Apply.

g In the Set route maps dialog box, click Save.

5 Repeat step 4 to create a route map for outgoing traffic from availability zone 2 with the
following configuration.

Setting            Value
Route map name     rm-out-az2
Type               IP Prefix
Members            Any
As Path Prepend    bgp_asn
Local Preference   100
Action             Permit

6 In the Set route maps dialog box, click Close.

Configure BGP in the Tier-0 Gateway for Availability Zone 2


To enable fail-over from availability zone 1 to availability zone 2, you configure BGP neighbors on
the tier-0 gateway in the management or workload domain to be stretched. You add route filters
to configure localpref on incoming traffic and prepend of AS on outgoing traffic.

You configure two BGP neighbors with route filters for the uplink interfaces in availability zone 2.

Table 20-3. BGP Neighbors for Availability Zone 2

Setting          BGP Neighbor 1       BGP Neighbor 2
IP address       ip_bgp_neighbor1     ip_bgp_neighbor2
BFD              Deactivated          Deactivated
Remote AS        asn_bgp_neighbor1    asn_bgp_neighbor2
Hold downtime    12                   12
Keep alive time  4                    4
Password         bgp_password         bgp_password

Table 20-4. Route Filters for BGP Neighbors for Availability Zone 2

Setting            BGP Neighbor 1   BGP Neighbor 2
IP Address Family  IPV4             IPV4
Activated          Activated        Activated
Out Filter         rm-out-az2       rm-out-az2
In Filter          rm-in-az2        rm-in-az2
Maximum Routes     -                -

Procedure

1 On the NSX Manager main navigation bar, click Networking.

2 In the navigation pane, click Tier-0 gateways.

3 Select the gateway and from the ellipsis menu, click Edit.

4 Add the uplink interfaces to the NSX Edge nodes.

a Expand BGP and in the BGP neighbors section, click 2.

b In the Set BGP neighbors dialog box, click Add BGP neighbor and configure the following
settings.

Setting           Value
IP address        ip_bgp_neighbor1
BFD               Deactivated
                  Note Activate BFD only if the network supports and is configured for BFD.
Remote AS         asn_bgp_neighbor1
Source addresses  Select AZ2 interfaces
Hold downtime     12
Keep alive time   4
Password          bgp_password

c In the Route filter section, click Set.


d In the Set route filter dialog box, click Add route filter and configure the following
settings.

Setting            Value
IP Address Family  IPV4
Enabled            Activated
Out Filter         rm-out-az2
In Filter          rm-in-az2
Maximum Routes     -

e Click Add and then click Apply.

5 Repeat step 4 to configure BGP neighbor ip_bgp_neighbor2 and the corresponding route
filter.

6 On the Tier-0 gateway page, click Close editing.
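The three procedures above (prefix lists, route maps, BGP neighbors) together make the availability zone 2 uplinks the less preferred path in both directions. The following added example (not code from this guide or from NSX) models that policy in Python: it applies the Any and Default Route prefix lists and the rm-in-az2 and rm-out-az2 route maps to sample routes and then runs the BGP decision steps that matter here. The ASN 65000, the neighbor ASNs, and the assumption that routes learned in availability zone 1 keep the default local preference of 100 are constructed for the example.

```python
"""Model of the AZ2 tier-0 route policy: prefix lists, route maps, BGP best path.

Added example, not code from the guide or from NSX. Route-map entries are
evaluated in the order the procedure lists them (Default Route, then Any).
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

BGP_ASN = 65000  # constructed value standing in for the page's bgp_asn placeholder

# Prefix lists from "Configure IP Prefixes": None means "match any network".
PREFIX_LISTS = {
    "Any": None,
    "Default Route": ipaddress.ip_network("0.0.0.0/0"),
}


@dataclass
class Route:
    prefix: str
    as_path: Tuple[int, ...]   # nearest AS first
    local_pref: int = 100      # BGP default when no policy sets one
    source: str = ""           # label only: which zone announced it


@dataclass
class RouteMapEntry:
    match_prefix_list: str
    set_local_pref: Optional[int] = None
    set_as_path_prepend: Tuple[int, ...] = ()
    action: str = "Permit"


def prefix_list_matches(name: str, prefix: str) -> bool:
    target = PREFIX_LISTS[name]
    return target is None or ipaddress.ip_network(prefix) == target


def apply_route_map(entries, route: Route) -> Optional[Route]:
    """First matching entry decides; a route that matches no entry is denied."""
    for entry in entries:
        if not prefix_list_matches(entry.match_prefix_list, route.prefix):
            continue
        if entry.action != "Permit":
            return None
        new = replace(route, as_path=entry.set_as_path_prepend + route.as_path)
        if entry.set_local_pref is not None:
            new.local_pref = entry.set_local_pref
        return new
    return None


# Route maps exactly as "Configure Route Maps" sets them for availability zone 2.
RM_IN_AZ2 = [
    RouteMapEntry("Default Route", set_local_pref=80),
    RouteMapEntry("Any", set_local_pref=90),
]
RM_OUT_AZ2 = [
    RouteMapEntry("Any", set_local_pref=100, set_as_path_prepend=(BGP_ASN,)),
]


def best_path(candidates) -> Route:
    """The two BGP decision steps this design relies on: highest LOCAL_PREF
    first, then shortest AS_PATH (the full decision process has more steps)."""
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))


def inbound_choice(az1_route: Route, az2_route: Route) -> str:
    """Which zone's copy of a learned route the tier-0 installs. The AZ1 copy is
    assumed to keep the default LOCAL_PREF of 100 (not stated on this page)."""
    az2_filtered = apply_route_map(RM_IN_AZ2, az2_route)
    return best_path([az1_route, az2_filtered]).source


def upstream_choice(az1_advert: Route, az2_advert: Route) -> str:
    """Which copy an upstream router prefers for a prefix the tier-0 advertises
    out of both zones; LOCAL_PREF is not carried over eBGP, so AS_PATH decides."""
    az2_filtered = apply_route_map(RM_OUT_AZ2, az2_advert)
    upstream_view = [replace(az1_advert, local_pref=100),
                     replace(az2_filtered, local_pref=100)]
    return best_path(upstream_view).source


if __name__ == "__main__":
    default_az1 = Route("0.0.0.0/0", (65100,), source="az1")
    default_az2 = Route("0.0.0.0/0", (65200,), source="az2")
    print("default route installed via:", inbound_choice(default_az1, default_az2))
    mgmt = Route("192.168.10.0/24", (BGP_ASN,), source="az1")
    print("upstream reaches 192.168.10.0/24 via:",
          upstream_choice(mgmt, replace(mgmt, source="az2")))
```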

Configure Witness Traffic Separation for VMware Cloud Foundation on Dell VxRail

Witness traffic separation allows you to use a VMkernel adapter for vSAN witness traffic that is
different from the adapter for vSAN data traffic.

By default, when you stretch a cluster, the vSAN-tagged VMkernel adapter is used to carry traffic
destined for the vSAN witness host. With witness traffic separation, you can use a separately
tagged VMkernel adapter instead of extending the vSAN data network to the witness host. This
feature allows for a more flexible network configuration by allowing for separate networks for
node-to-node and node-to-witness communication.

Prerequisites

You must have a stretched cluster before you can configure it for witness traffic separation.

Procedure

1 Create Distributed Port Groups for Witness Traffic


Create a distributed port group for each availability zone on the vSphere Distributed Switch.

2 Delete Routes to the Witness Host


When you stretch a cluster, a route to the witness host is added to each ESXi host in the
stretched cluster. You must delete these routes to use witness traffic separation.

3 Add VMkernel Adapters for Witness Traffic


Add VMkernel adapters for witness traffic to each availability zone's distributed port group.


4 Configure the VMkernel Adapters for Witness Traffic


Enable witness traffic for the witness traffic VMkernel adapter on each ESXi host.

Create Distributed Port Groups for Witness Traffic


Create a distributed port group for each availability zone on the vSphere Distributed Switch.

Procedure

1 Log in to the vSphere Client.

2 Click Menu > Networking.

3 Right-click the vSphere distributed switch for the cluster and select Distributed Port Group >
New Distributed Port Group.

4 Enter a name for the port group for the first availability zone and click Next.

For example, AZ1_WTS_PG.

5 Change the VLAN type to VLAN and enter a VLAN ID.

6 Select Customize default policies and click Next.

7 On the Security page, click Next.

8 On the Traffic shaping page, click Next.

9 On the Teaming and failover page, modify the failover order of the uplinks to match the
existing failover order of the management traffic and click Next.

10 On the Monitoring page, click Next.

11 On the Miscellaneous page, click Next.

12 On the Ready to Complete page, review your selections and click Finish.

13 Repeat these steps for the second availability zone.

Delete Routes to the Witness Host


When you stretch a cluster, a route to the witness host is added to each ESXi host in the
stretched cluster. You must delete these routes to use witness traffic separation.

Procedure

1 In a web browser, log in to the first ESXi host in the stretched cluster using the VMware Host
Client.

2 In the navigation pane, click Manage and click the Services tab.

3 Select the TSM-SSH service and click Start if not started.

4 Open an SSH connection to the first ESXi host in the stretched cluster.

5 Log in as root.


6 Run the following command:

esxcli network ip route ipv4 list

The output returns something like:

Network      Netmask        Gateway       Interface  Source
-----------  -------------  ------------  ---------  ------
default      0.0.0.0        172.18.15.1   vmk2       MANUAL
169.254.0.0  255.255.255.0  0.0.0.0       vmk1       MANUAL
172.18.7.0   255.255.255.0  0.0.0.0       vmk3       MANUAL
172.18.13.0  255.255.255.0  0.0.0.0       vmk5       MANUAL
172.18.14.0  255.255.255.0  172.18.7.253  vmk3       MANUAL
172.18.15.0  255.255.255.0  0.0.0.0       vmk2       MANUAL
172.18.21.0  255.255.255.0  172.18.7.253  vmk3       MANUAL

7 Delete the route to the witness host. For example:

esxcfg-route -d 172.18.14.0/24 172.18.7.253

8 In the VMware Host Client, select the TSM-SSH service for the ESXi host and click Stop.

9 Repeat these steps for each ESXi host in the stretched cluster.
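As an added example (not code from this guide), the following Python parses the output of esxcli network ip route ipv4 list shown in step 6 and derives the esxcfg-route -d command of step 7 for the route into the witness network, so the entry can be checked on every host before it is deleted. The sample output and the witness network 172.18.14.0/24 are the values from this page; the second static route in the sample (172.18.21.0/24) shows that only the witness route is selected.

```python
"""Find the witness-network route in ESXi's IPv4 route table output.

Added example, not from the guide. SAMPLE_OUTPUT is the route table printed
on this page; the witness network below is the one that table points at.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

SAMPLE_OUTPUT = """\
Network      Netmask        Gateway       Interface  Source
-----------  -------------  ------------  ---------  ------
default      0.0.0.0        172.18.15.1   vmk2       MANUAL
169.254.0.0  255.255.255.0  0.0.0.0       vmk1       MANUAL
172.18.7.0   255.255.255.0  0.0.0.0       vmk3       MANUAL
172.18.13.0  255.255.255.0  0.0.0.0       vmk5       MANUAL
172.18.14.0  255.255.255.0  172.18.7.253  vmk3       MANUAL
172.18.15.0  255.255.255.0  0.0.0.0       vmk2       MANUAL
172.18.21.0  255.255.255.0  172.18.7.253  vmk3       MANUAL
"""

WITNESS_NETWORK = "172.18.14.0/24"  # value from the page's example


@dataclass(frozen=True)
class Ipv4Route:
    network: str
    netmask: str
    gateway: str
    interface: str
    source: str

    @property
    def is_default(self) -> bool:
        return self.network == "default"

    @property
    def is_static_via_gateway(self) -> bool:
        """A non-default route that points at a next hop (gateway != 0.0.0.0)."""
        return not self.is_default and self.gateway != "0.0.0.0"

    def cidr(self) -> str:
        return str(ipaddress.ip_network(f"{self.network}/{self.netmask}"))


def parse_routes(text: str) -> List[Ipv4Route]:
    """Parse the five-column esxcli table, skipping the header and rule lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Network" or fields[0].startswith("-"):
            continue
        routes.append(Ipv4Route(*fields))
    return routes


def witness_routes(routes: List[Ipv4Route], witness_network: str) -> List[Ipv4Route]:
    """Static routes whose destination lies inside the witness network."""
    target = ipaddress.ip_network(witness_network)
    return [r for r in routes
            if r.is_static_via_gateway
            and ipaddress.ip_network(r.cidr()).subnet_of(target)]


def delete_commands(routes: List[Ipv4Route], witness_network: str) -> List[str]:
    """The esxcfg-route -d command for each witness route, as in step 7."""
    return [f"esxcfg-route -d {r.cidr()} {r.gateway}"
            for r in witness_routes(routes, witness_network)]


if __name__ == "__main__":
    for cmd in delete_commands(parse_routes(SAMPLE_OUTPUT), WITNESS_NETWORK):
        print(cmd)
```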

Add VMkernel Adapters for Witness Traffic


Add VMkernel adapters for witness traffic to each availability zone's distributed port group.

Procedure

1 Log in to the vSphere Client.

2 Click Menu > Networking.

3 Right-click the witness distributed port group for the first availability zone, for example,
AZ1_WTS_PG, and select Add VMkernel Adapters.

4 Click + Attached Hosts, select the availability zone 1 hosts from the list, and click OK.

5 Click Next.

6 Accept the default VMkernel port settings and click Next.

Note Do not select any services.

7 Select Use static IPv4 settings and enter the IP addresses and the subnet mask to use for the
witness traffic separation network.

8 Click Next.

9 Review your selections and click Finish.

10 Repeat these steps for the witness distributed port group for the second availability zone.


Configure the VMkernel Adapters for Witness Traffic


Enable witness traffic for the witness traffic VMkernel adapter on each ESXi host.

Procedure

1 Log in to the vSphere Client.

2 Click Menu > Hosts and Clusters.

3 For each host in the stretched cluster, click Configure > Networking > VMkernel adapters to
determine which VMkernel adapter to use for witness traffic. For example, vmk5.

4 In a web browser, log in to the first ESXi host in the stretched cluster using the VMware Host
Client.

5 In the navigation pane, click Manage and click the Services tab.

6 Select the TSM-SSH service and click Start if not started.

7 SSH to the first ESXi host in the stretched cluster.

8 Log in as root and run the following command:

esxcli vsan network ip add -i <vmkernel_adapter> -T=witness

For example:

esxcli vsan network ip add -i vmk5 -T=witness

9 Verify that the VMkernel adapter is configured for witness traffic:

esxcli vsan network list

10 Verify that the ESXi host can access the witness host:

vmkping -I <vmkernel_adapter> <witness_host_ip_address>

Replace <vmkernel_adapter> with the VMkernel adapter configured for witness traffic, for
example vmk5. Replace <witness_host_ip_address> with the witness host IP address.

11 In the VMware Host Client, select the TSM-SSH service for the ESXi host and click Stop.

12 Repeat for each ESXi host in the stretched cluster.

Expand a Stretched VxRail Cluster


You can expand a stretched cluster by adding more VxRail nodes to the preferred and non-
preferred sites.

Prerequisites

You must have a stretched cluster.


Procedure

1 Use the VxRail vCenter plug-in to add the additional hosts in availability zone 1 or availability
zone 2 to the cluster by performing the VxRail Manager cluster expansion work flow.

Refer to the Dell VxRail documentation for more details.

2 Log in to SDDC Manager and run the script to trigger the workflow to import the newly
added hosts in the SDDC Manager inventory.

In the script, provide the root credentials for each host and specify which fault domain the
host should be added to.

3 Using SSH, log in to the SDDC Manager VM with the username vcf and the password you
specified in the deployment parameter workbook.

4 Run the following command to expand the stretched cluster:

python initiate_stretch_cluster_vxrail.py --workflow expand-stretch-cluster --sc-domain <SDDC-valid-domain-name> --sc-cluster <valid cluster name which is a part of the domain to be stretched> --sc-hosts <valid host names> --witness-host-fqdn <witness host/appliance IP or fqdn> --witness-vsan-ip <witness vsan IP address> --witness-vsan-cidr <witness-vsan-network-IP-address-with-mask>

Replace <SDDC-valid-domain-name>, <valid cluster name which is a part of the domain to be
stretched>, <valid host names>, <witness host/appliance IP or fqdn>, <witness vsan IP address>,
and <witness-vsan-network-IP-address-with-mask> with the correct values for your environment.

5 When prompted, enter the following information:

n SSO user name and password

n Root user password for ESXi hosts

n Fault domain for ESXi hosts

n vSAN gateway IP for the preferred (primary) and non-preferred (secondary) site

n vSAN CIDR for the preferred (primary) and non-preferred (secondary) site

n Confirm the SSH thumbprints for the hosts

6 Once the workflow is triggered, track the task status in the SDDC Manager UI.

If the task fails, debug and fix the issue and retry from SDDC Manager UI. Do not run the
script again.

What to do next

If you add hosts to a stretched cluster configured for witness traffic separation, perform the
following tasks for the added hosts:

n Add VMkernel Adapters for Witness Traffic

n Delete Routes to the Witness Host


n Configure the VMkernel Adapters for Witness Traffic

Replace a Failed Host in a Stretched VxRail Cluster


If a host or host component in a stretched cluster fails, it is recommended that you replace the
host with a new host.

Prerequisites

n Check the health of the cluster.

See "Check vSAN Health" in Administering VMware vSAN.

Procedure

1 Remove the failed host from the cluster.

See Remove a Host from a Cluster in a Workload Domain.

2 Expand the cluster to add the new host to the cluster.

See Expand a Stretched VxRail Cluster .

Results

vSAN automatically rebuilds the stretch cluster.



Monitoring Capabilities in the VMware Cloud Foundation System 21

The VMware Cloud Foundation system provides built-in capabilities to help you perform effective
operations monitoring, troubleshooting, performance management, infrastructure capacity
planning, and compliance monitoring and auditing.

You use the built-in monitoring capabilities for these typical scenarios.

Scenario                              Examples
Are the systems online?               A host or other component shows a failed or unhealthy status.
Why did a storage drive fail?         Hardware-centric views spanning inventory, configuration, usage, and
                                      event history to provide for diagnosis and resolution.
Is the infrastructure meeting         Analysis of system and device-level metrics to identify causes and
tenant service level agreements       resolutions.
(SLAs)?
At what future time will the          Trend analysis of detailed system and device-level metrics, with
systems get overloaded?               summarized periodic reporting.
What person performed which           History of secured user actions, with periodic reporting.
action and when?                      Workflow task history of actions performed in the system.

The monitoring capabilities involve these features:

Read the following topics next:

n Viewing Tasks and Task Details

n API Activity Logging

Viewing Tasks and Task Details


From SDDC Manager UI, you can access all tasks. By default, the Dashboard displays the Recent
Tasks widget, providing general information at a glance about the most recent tasks. A task is
a unit of work or a series of subtasks that perform an overall goal, such as creating a workload
domain.


In addition to the most recent tasks, you can view and search for all tasks by clicking View All
Tasks at the bottom of the Recent Tasks widget. This opens the Tasks panel.

Note For more information about controlling the widgets that appear on the Dashboard page of
SDDC Manager UI, see Tour of the SDDC Manager User Interface.

Viewing and Filtering Task Details


The Tasks panel provides a high-level view of all tasks, displaying the descriptive task name, task
status (for example, running, succeeded, or failed), and the timestamp for the last change in task
status. You can also filter and search the task information as follows:

n Search tasks by clicking the filter icon in the Task column header and entering a search string.

n Filter tasks by status by clicking the filter icon in Status column. Select by category All,
Failed, Successful, Running, or Pending.

Note Each category also displays the number of tasks with that status.

n Clear all filters by clicking Reset Filter at the top of the Tasks panel.

n Click Refresh to refresh the task list.

Note You can also sort the table by the contents of the Status and Last Occurrence columns.

Managing Tasks and Subtask Details


Expand a task to view details including the subtasks that comprise the task and their individual
statuses.

n If a task is in a Failed state, you can also attempt to restart it by clicking Restart Task.

Note Not all tasks are restartable.

n If a task is in a Failed state, click on the icon next to the Failed status to view a detailed report
on the cause.

n To view subtasks and their details, click View Subtasks.

Note You can filter subtasks in the same way you filter tasks.

Note You can also sort the table by the contents of the Status and Last Occurrence columns.

Resizing the Task Panel


Use the icons on the task panel to increase or decrease the panel size, or to close or reopen it.


API Activity Logging


When you invoke APIs or log in to or log out from the SDDC Manager UI, VMware Cloud
Foundation creates activity log files that track the request. Activity logs can be used to analyze
the pattern of user actions and gather metrics.

The following logs are available on the SDDC Manager appliance:

Log Name                         Location
sddc-manager-ui-activity.log     /var/log/vmware/vcf/sddc-manager-ui-app
domainmanager-activity.log       /var/log/vmware/vcf/domainmanager
operationsmanager-activity.log   /var/log/vmware/vcf/operationsmanager
lcm-activity.log                 /var/log/vmware/vcf/lcm
vcf-commonsvcs-activity.log      /var/log/vmware/vcf/commonsvcs

Activity Log Structure


All activity logs use the following JSON schema:

{
"timestamp":"", "username":"", "clientIP":"", "userAgent":"", "api":"", "httpMethod":"",
"httpStatus" :"", "operation" :"", "remoteIP" :""
}

Activity Log Example


The following example is from the domainmanager-activity.log:

{
  "username": "administrator@vsphere.local",
  "timestamp": "2022-01-19T16:59:01.9192",
  "clientIP": "10.0.0.253",
  "userAgent": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36",
  "api": "/domainmanager/v1/vra/domains",
  "httpMethod": "GET",
  "httpStatus": 200,
  "operation": "Gets VMware Aria Automation integration status for workload domains",
  "remoteIP": "127.0.0.1"
}

n username: The user account from which the API request is triggered. For example:
"administrator@vsphere.local".

n timestamp: Date and time of the operation performed in the UTC format "YYYY-MM-
DD'T'HH:MM:SS.SSSXXX". For example: "2022-01-19T16:59:01.9192".

n clientIP: The IP address of the user's system. For example: "10.0.0.253".

n userAgent: The user's system information such as the web browser name, web browser
version, operating system name, and operating system architecture type. For example:
"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/97.0.4692.71 Safari/537.36".

n api: The API invoked to perform the operation. For example: "/domainmanager/v1/vra/
domains".

n httpMethod: HTTP method of the REST API. For example: "GET".

n httpStatus: The response code received after invoking the API. For example: 200.

n operation: The operation or activity that was performed. For example: "Gets VMware Aria
Automation integration status for workload domains".

n remoteIP: The IP address of the request initiator. For example: "127.0.0.1".
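The following added example (not code from this guide) reads activity log lines in the schema above and turns them into the kind of metrics this section mentions: calls per user, state-changing requests worth reviewing, and client addresses that repeatedly receive 401 or 403 responses. Lines that are not valid JSON or lack a schema key are reported rather than dropped. The log lines in the sample are constructed; their usernames, addresses and API paths are illustrative and do not describe the VCF API.

```python
"""Metrics and simple detections over SDDC Manager activity log lines.

Added example; SAMPLE_LOG is constructed in the schema shown on this page.
"""
import json
from collections import Counter
from typing import Dict, List, Tuple

REQUIRED_KEYS = frozenset({"timestamp", "username", "clientIP", "userAgent", "api",
                           "httpMethod", "httpStatus", "operation", "remoteIP"})

# Constructed sample: one read, three failed logins from an automation host,
# one configuration change, and one line that is not JSON at all.
SAMPLE_LOG = """\
{"username":"administrator@vsphere.local","timestamp":"2022-01-19T16:59:01.9192","clientIP":"10.0.0.253","userAgent":"Mozilla/5.0","api":"/domainmanager/v1/vra/domains","httpMethod":"GET","httpStatus":200,"operation":"Gets VMware Aria Automation integration status for workload domains","remoteIP":"127.0.0.1"}
{"username":"svc-backup@vsphere.local","timestamp":"2022-01-19T17:02:10.0001","clientIP":"10.0.0.77","userAgent":"python-requests/2.27","api":"/v1/example/session","httpMethod":"POST","httpStatus":401,"operation":"Example login","remoteIP":"127.0.0.1"}
{"username":"svc-backup@vsphere.local","timestamp":"2022-01-19T17:02:11.0452","clientIP":"10.0.0.77","userAgent":"python-requests/2.27","api":"/v1/example/session","httpMethod":"POST","httpStatus":401,"operation":"Example login","remoteIP":"127.0.0.1"}
{"username":"svc-backup@vsphere.local","timestamp":"2022-01-19T17:02:12.3310","clientIP":"10.0.0.77","userAgent":"python-requests/2.27","api":"/v1/example/session","httpMethod":"POST","httpStatus":401,"operation":"Example login","remoteIP":"127.0.0.1"}
{"username":"administrator@vsphere.local","timestamp":"2022-01-19T17:10:44.1200","clientIP":"10.0.0.253","userAgent":"Mozilla/5.0","api":"/v1/example/dns-settings","httpMethod":"PUT","httpStatus":202,"operation":"Example DNS update","remoteIP":"127.0.0.1"}
this line is not JSON and must be reported, not silently skipped
"""


def parse_activity_log(text: str) -> Tuple[List[dict], List[str]]:
    """Return (records, rejected). Rejected lines are malformed JSON or miss a
    schema key; a sudden rise in them is itself worth an alert."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(line)
            continue
        if not isinstance(record, dict) or not REQUIRED_KEYS.issubset(record):
            rejected.append(line)
            continue
        records.append(record)
    return records, rejected


def calls_per_user(records: List[dict]) -> Counter:
    return Counter(r["username"] for r in records)


def write_operations(records: List[dict]) -> List[Tuple[str, str, str, str]]:
    """Non-GET requests: the state-changing actions an audit review focuses on."""
    return [(r["timestamp"], r["username"], r["httpMethod"], r["api"])
            for r in records if r["httpMethod"] != "GET"]


def auth_failure_sources(records: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Client IPs with at least `threshold` 401/403 responses: a misconfigured
    automation account or credential misuse, either way worth following up."""
    counts = Counter(r["clientIP"] for r in records if int(r["httpStatus"]) in (401, 403))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs, bad = parse_activity_log(SAMPLE_LOG)
    print("parsed:", len(recs), "rejected:", len(bad))
    print("calls per user:", dict(calls_per_user(recs)))
    print("write operations:", write_operations(recs))
    print("repeated auth failures:", auth_failure_sources(recs))
```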

Activity Logs Retention Policy


Log files are rolled over daily to a file using the following naming format:
<service-name>.<YYYY>-<MM>-<DD>.0.log.gz. For example: domainmanager.2022-01-22.0.log.gz.

The log history is stored for 30 days. The maximum file size of the log retention file is set to 100
MB.

Log Analysis
You can perform log aggregation and analysis by integrating VMware Aria Operations for Logs
with VMware Cloud Foundation. For more information, see Implementation of Intelligent Logging
and Analytics for VMware Cloud Foundation.



Updating VMware Cloud Foundation DNS and NTP Servers 22

If you need to update the DNS or NTP servers that VMware Cloud Foundation uses, you can
update the servers using the SDDC Manager UI.

When you initially deploy VMware Cloud Foundation, you complete the deployment parameter
workbook to provide the system with the information required for bring-up. This includes up to
two DNS servers and up to two NTP servers. You can reconfigure these settings at a later date,
using the SDDC Manager UI.

Read the following topics next:

n Update DNS Server Configuration

n Update NTP Server Configuration

Update DNS Server Configuration


Use this procedure to update the DNS server configuration across VMware Cloud Foundation
components.

SDDC Manager uses DNS servers to provide name resolution for the components in the system.
When you update the DNS server configuration, SDDC Manager performs DNS configuration
updates for the following components:

n SDDC Manager

n vCenter Servers

n ESXi hosts

n NSX Managers

n NSX Edge nodes

n VMware Aria Suite Lifecycle

n VMware Aria Operations for Logs

n VxRail Manager


If the update fails, SDDC Manager rolls back the DNS settings for the failed component. Fix the
underlying issue and retry the update starting with the failed component.

Note There is no rollback for VMware Aria Suite Lifecycle. Check the logs, resolve any issues,
and retry the update.

Updating the DNS server configuration can take some time to complete, depending on the size
of your environment. Schedule DNS updates at a time that minimizes the impact to the system
users.

This procedure uses the SDDC Manager UI.

Prerequisites

n Verify that both forward and reverse DNS resolution are functional for each VMware Cloud
Foundation component using the updated DNS server information.

n Verify that the new DNS server is reachable from each of the VMware Cloud Foundation
components.

n Verify all VMware Cloud Foundation components are reachable from SDDC Manager.

n Verify that all VMware Cloud Foundation components are in an Active state.

Procedure

1 In the SDDC Manager UI, click Administration > Network Settings.

2 On the Network Settings page, click the DNS Configuration tab.

3 To update the DNS servers, click Edit.

4 Update the DNS configuration.

a Expand the Overview section, and click Next.

b Expand the Prerequisites section, and click Next.

c Expand the Edit DNS configuration section, update the Primary DNS server and
Alternative DNS server, and click Save.

Note Alternative DNS server is optional.

Update NTP Server Configuration


Use this procedure to update the NTP server configuration across VMware Cloud Foundation
components.

SDDC Manager uses NTP servers to synchronize time between the components in the system.
You must have at least one NTP server. When you update the NTP server configuration, SDDC
Manager performs NTP configuration updates for the following components:

n SDDC Manager


n vCenter Servers

n ESXi hosts

n NSX Managers

n NSX Edge nodes

n VMware Aria Suite Lifecycle

n VMware Aria Operations for Logs

n VMware Aria Operations

n VMware Aria Automation

n VxRail Manager

If the update fails, SDDC Manager rolls back the NTP settings for the failed component. Fix the
underlying issue and retry the update starting with the failed component.

Note There is no rollback for the VMware Aria Suite Lifecycle. Check the logs, resolve any
issues, and retry the update.

Updating the NTP server configuration can take some time to complete, depending on the size
of your environment. Schedule NTP updates at a time that minimizes the impact to the system
users.

This procedure uses the SDDC Manager UI.

Prerequisites

n Verify the new NTP server is reachable from the VMware Cloud Foundation components.

n Verify the time skew between the new NTP servers and the VMware Cloud Foundation
components is less than 5 minutes.

n Verify all VMware Cloud Foundation components are reachable from SDDC Manager.

n Verify all VMware Cloud Foundation components are in an Active state.

Procedure

1 In the SDDC Manager UI, click Administration > Network Settings.

2 On the Network Settings page, click the NTP Configuration tab.

3 To update the NTP servers, click Edit.

4 Update the NTP configuration.

a Expand the Overview section, and click Next.

b Expand the Prerequisites section, and click Next.

c Expand the Edit NTP configuration section, update the NTP server, and click Save.
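Added example (not part of this guide): offline-testable pre-checks for two of the prerequisites listed for the DNS and NTP updates, forward and reverse DNS agreement for each component name and a time skew under 5 minutes. The DNS check takes the lookup functions as parameters so it can be pointed at a resolver library that queries the new server; the default functions use the operating system resolver and therefore validate the currently configured DNS servers, not the new one. The NTP check is a minimal SNTP exchange (RFC 4330). Host names and server addresses are placeholders.

```python
"""Pre-checks for the DNS and NTP update prerequisites.

Added example, not from the guide. forward_reverse_ok() and the NTP offset
arithmetic are pure functions so they can be tested without a network.
"""
import socket
import struct
import time
from typing import Callable, List

NTP_EPOCH_DELTA = 2208988800      # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW_SECONDS = 5 * 60         # prerequisite stated in the NTP procedure


def forward_reverse_ok(fqdn: str,
                       forward: Callable[[str], List[str]],
                       reverse: Callable[[str], List[str]]) -> bool:
    """True only if fqdn resolves to at least one address and every address
    resolves back to fqdn (trailing dots and case are ignored)."""
    wanted = fqdn.rstrip(".").lower()
    try:
        addrs = forward(fqdn)
    except OSError:
        return False
    if not addrs:
        return False
    for ip in addrs:
        try:
            names = {n.rstrip(".").lower() for n in reverse(ip)}
        except OSError:
            return False
        if wanted not in names:
            return False
    return True


def system_forward(fqdn: str) -> List[str]:
    """IPv4 forward lookup through the operating system resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)})


def system_reverse(ip: str) -> List[str]:
    """PTR lookup through the operating system resolver."""
    name, aliases, _ = socket.gethostbyaddr(ip)
    return [name, *aliases]


def ntp_offset_from_timestamps(t1: float, t2: float, t3: float, t4: float) -> float:
    """RFC 4330 clock offset: t1/t4 are local send/receive times, t2/t3 are the
    server's receive/transmit times; positive means the server is ahead."""
    return ((t2 - t1) + (t3 - t4)) / 2


def skew_within_limit(offset_seconds: float, limit: float = MAX_SKEW_SECONDS) -> bool:
    return abs(offset_seconds) <= limit


def ntp_offset(server: str, timeout: float = 3.0) -> float:
    """One SNTP client request (mode 3, version 3) on UDP/123; returns the offset."""
    request = bytearray(48)
    request[0] = 0b00011011            # LI=0, VN=3, Mode=3 (client)
    t1 = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(bytes(request), (server, 123))
        data, _ = sock.recvfrom(48)
    t4 = time.time()
    words = struct.unpack("!12I", data[:48])
    t2 = words[8] - NTP_EPOCH_DELTA + words[9] / 2 ** 32    # receive timestamp
    t3 = words[10] - NTP_EPOCH_DELTA + words[11] / 2 ** 32  # transmit timestamp
    return ntp_offset_from_timestamps(t1, t2, t3, t4)


if __name__ == "__main__":
    # Placeholders: replace with the component FQDNs and the new NTP server.
    for host in ["sddc-manager.example.com", "vcenter-mgmt.example.com"]:
        print(host, "forward/reverse ok:",
              forward_reverse_ok(host, system_forward, system_reverse))
    offset = ntp_offset("ntp.example.com")
    print("ntp offset %.3fs within limit: %s" % (offset, skew_within_limit(offset)))
```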



Supportability and Serviceability (SoS) Utility 23

The SoS utility is a command-line tool that you can use to run health checks, collect logs for
VMware Cloud Foundation components, and so on.

To run the SoS utility, SSH in to the SDDC Manager appliance using the vcf user account. For
basic operations, enter the following command:

sudo /opt/vmware/sddc-support/sos --option-1 --option-2 --option-3 ... --option-n

To list the available command options, use the --help long option or the -h short option.

sudo /opt/vmware/sddc-support/sos --help
sudo /opt/vmware/sddc-support/sos -h

Note You can specify options in the conventional GNU/POSIX syntax, using -- for the long
option and - for the short option.

For privileged operations, enter su to switch to the root user, and navigate to the /opt/vmware/
sddc-support directory and type ./sos followed by the options required for your desired
operation.

Read the following topics next:

n SoS Utility Options

n Collect Logs for Your VMware Cloud Foundation System

SoS Utility Options


This section lists the specific options you can use with the SoS utility.

For information about collecting log files using the SoS utility, see Collect Logs for Your VMware
Cloud Foundation System.

SoS Utility Help Options


Use these options to see information about the SoS utility itself. For these options, SSH in to the
SDDC Manager VM using the vcf user account and enter the following command:

sudo /opt/vmware/sddc-support/sos --option-name


Enter the vcf password when prompted.

Option          Description
--help, -h      Provides a summary of the available SoS utility options.
--version, -v   Provides the SoS utility's version number.

SoS Utility Generic Options


These are generic options for the SoS utility. For these options, SSH in to the SDDC Manager VM
using the vcf user account and enter the following command:

sudo /opt/vmware/sddc-support/sos --option-name

Enter the vcf password when prompted.

Option                        Description
--history                     Displays the last 20 SoS operations performed.
--force                       Allows SoS operations to be performed while workflows are running.
                              Note It is recommended that you do not use this option.
--configure-sftp              Configures SFTP for logs.
--setup-json SETUPJSON        Custom setup-json file for log collection. SoS prepares the inventory
                              automatically based on the environment where it is running. If you want
                              to collect logs for a pre-defined set of components, you can create a
                              setup.json file and pass the file as input to SoS. A sample JSON file is
                              available on the SDDC Manager appliance at
                              /opt/vmware/sddc-support/setup.sample.json.
--log-folder LOGFOLDER        Specifies the name of the log directory.
--log-dir LOGDIR              Specifies the directory to store the logs.
--enable-stats                Activates SoS execution stats collection.
--debug-mode                  Runs the SoS utility in debug mode.
--zip                         Creates a zipped TAR file for the output.
--short                       Displays detailed health results only for failures and warnings.
--domain-name DOMAINNAME      Specifies the name of the workload domain on which to perform the SoS
                              operation. To run the operation on all workload domains, specify
                              --domain-name ALL.
                              Note If you omit the --domain-name flag and workload domain name, the
                              SoS operation is performed only on the management domain.
                              You can combine --domain-name with --clusternames to further limit the
                              scope of an operation. This can be useful in a scaled environment with
                              a large number of ESXi hosts.
--clusternames CLUSTERNAMES   Specifies the vSphere cluster names associated with a workload domain
                              for which you want to collect ESXi and Workload Management (WCP) logs.
                              Enter a comma-separated list of vSphere clusters. For example,
                              --clusternames cluster1, cluster2.
                              Note If you specify --domain-name ALL, the --clusternames option is
                              ignored.
--skip-known-host-check       Skips the SSL thumbprint check for hosts in the known hosts list.
--include-free-hosts          Collects logs for free ESXi hosts, in addition to in-use ESXi hosts.
--include-precheck-report     Runs the LCM upgrade prechecks and includes the resulting report in the
                              SoS health check operations.

SoS Utility VMware Cloud Foundation Summary Options


These options provide summary details of the SDDC Manager instance, including components,
services, and tasks. For these options, SSH in to the SDDC Manager VM using the vcf user
account and enter the following command:

sudo /opt/vmware/sddc-support/sos --option-name

Enter the vcf password when prompted.

Option                       Description
--get-vcf-summary            Returns information about your VMware Cloud Foundation system, including
                             CEIP, workload domains, vSphere clusters, ESXi hosts, licensing, network
                             pools, SDDC Manager, and VCF services.
--get-vcf-tasks-summary      Returns information about VMware Cloud Foundation tasks, including the
                             time the task was created and the status of the task.
--get-vcf-services-summary   Returns information about SDDC Manager uptime and when VMware Cloud
                             Foundation services (for example, LCM) started and stopped.


SoS Utility Fix-It-Up Options


Use these options to manage ESXi hosts and vCenter Servers, including enabling SSH and locking
down hosts. For these options, SSH in to the SDDC Manager VM using the vcf administrative
user account, enter su to switch to the root user, navigate to the /opt/vmware/sddc-support
directory, and type the following command:

./sos --option-name

Note For Fix-It-Up options, if you do not specify a workload domain, the command affects only
the management domain.

Option Description

--enable-ssh-esxi Applies SSH on all ESXi nodes in the specified workload domains.
n To enable SSH on ESXi nodes in a specific workload domain, include the flag
--domain-name DOMAINNAME.

n To enable SSH on ESXi nodes in all workload domains, include the flag --domain-
name ALL.

--disable-ssh-esxi Deactivates SSH on all ESXi nodes in the specified workload domains.
n To deactivate SSH on ESXi nodes in a specific workload domain, include the flag
--domain-name DOMAINNAME.

n To deactivate SSH on ESXi nodes in all workload domains, include the flag --
domain-name ALL.

--enable-ssh-vc Applies SSH on vCenter Server in the specified workload domains.


n To enable SSH on vCenter in a specific workload domain, include the flag --
domain-name DOMAINNAME.

n To enable SSH on vCenter Servers in all workload domains, include the flag --
domain-name ALL.

--disable-ssh-vc Deactivates SSH on vCenter Servers in the specified workload domains.


n To deactivate SSH on vCenter Server in a specific workload domain, include the
flag --domain-name DOMAINNAME.
n To deactive SSH on vCenter Servers in all workload domains, include the flag
--domain-name ALL.

--enable-lockdown-esxi Enables normal lockdown mode on all ESXi nodes in the specified workload domains.
n To enable lockdown on ESXi nodes in a specific workload domain, include the flag
--domain-name DOMAINNAME.

n To enable lockdown on ESXi nodes in all workload domains, include the flag
--domain-name ALL.

--disable-lockdown-esxi Deactivates normal lockdown mode on ESXi nodes in the specified workload
domains.
n To deactivate lockdown on ESXi nodes in a specific workload domain, include the
flag --domain-name DOMAINNAME.
n To deactivate lockdown on ESXi nodes in all workload domains, include the flag
--domain-name ALL.


--ondemand-service ONDEMANDSERVICE Executes commands on ESXi hosts, vCenter Servers, or SDDC Manager entities
for a given workload domain. Specify the workload domain using --domain-name
DOMAINNAME.

Replace ONDEMANDSERVICE with the path to a .yml input file. (A sample file is available
at /opt/vmware/sddc-support/ondemand_command_sample.yml.)

Warning Contact Broadcom Support before using this option.

--ondemand-service JSON file path Include this flag to execute commands in the JSON format on all ESXi hosts in a
workload domain. For example, /opt/vmware/sddc-support/<JSON file name>.

--refresh-ssh-keys Refreshes the SSH keys.

SoS Utility Health Check Options


These SoS commands are used for checking the health status of various components or services,
including connectivity, compute, storage, database, workload domains, and networks. For these
options, SSH in to the SDDC Manager VM using the vcf user account and enter the following
command:

sudo /opt/vmware/sddc-support/sos --option-name

Enter the vcf password when prompted.

A green status indicates that the health is normal, yellow provides a warning that attention might
be required, and red (critical) indicates that the component needs immediate attention.

Option Description

--health-check Performs all available health checks.


Can be combined with --run-vsan-checks. For example:

sudo /opt/vmware/sddc-support/sos --health-check --run-vsan-checks

--connectivity-health Performs connectivity checks and validations for SDDC resources (NSX Managers,
ESXi hosts, vCenter Servers, and so on). This check performs a ping status check, SSH
connectivity status check, and API connectivity check for SDDC resources.

--services-health Performs a services health check to confirm whether services within the SDDC
Manager (like Lifecycle Management Server) and vCenter Server are running.

--compute-health Performs a compute health check, including ESXi host licenses, disk storage, disk
partitions, and health status.

--storage-health Performs a check on the vSAN disk health of the ESXi hosts and vSphere clusters.
Can be combined with --run-vsan-checks. For example:

sudo /opt/vmware/sddc-support/sos --storage-health --run-vsan-checks


--run-vsan-checks This option cannot be run on its own and must be combined with --health-check or
--storage-health.

Runs a VM creation test to verify the vSAN cluster health. Running the test creates a
virtual machine on each host in the vSAN cluster. The test creates a VM and deletes
it. If the VM creation and deletion tasks are successful, assume that the vSAN cluster
components are working as expected and the cluster is functional.

Note You must not conduct the proactive test in a production environment as it
creates network traffic and impacts the vSAN workload.

--ntp-health Verifies whether the time on the components is synchronized with the NTP server in
the SDDC Manager appliance. It also ensures that the hardware and software time
stamp of ESXi hosts are within 5 minutes of the SDDC Manager appliance.

--dns-health Performs a forward and reverse DNS health check.

--general-health Checks ESXi for error dumps and gets NSX Manager and cluster status.

--certificate-health Verifies that the component certificates are valid and when they are expiring.
n GREEN: Certificate expires in more than 30 days.
n YELLOW: Certificate expires in 15-30 days.
n RED: Certificate expires in less than 15 days.

--get-host-ips Returns host names and IP addresses of ESXi hosts.

--get-inventory-info Returns inventory details for the VMware Cloud Foundation components, such as
vCenter Server, NSX, SDDC Manager, and ESXi hosts. Optionally, add the flag
--domain-name ALL to return details for all workload domains.

--password-health Checks the status of passwords across VMware Cloud Foundation components. It
lists components with passwords managed by VCF, the date a password was last
changed, the password expiration date, and the number of days until expiration.
n GREEN: Password expires in more than 15 days.
n YELLOW: Password expires in 5-15 days.
n RED: Password expires in less than 5 days.

--hardware-compatibility-report Validates ESXi hosts and vSAN devices and exports the compatibility report.

--version-health This operation checks the version of BOM components (vCenter Server, NSX, ESXi,
and SDDC Manager). It compares the SDDC Manager inventory, the actual installed
BOM component version, and the BOM component versions to detect any drift.

--json-output-dir JSONDIR Outputs the results of any health check as a JSON file to the specified directory,
JSONDIR.

Example Health Check Commands:


n Check the password health on the management domain only:

./sos --password-health


n Check the connectivity health for all workload domains:

./sos --connectivity-health --domain-name ALL

n Check the DNS health for the workload domain named sfo-w01:

./sos --dns-health --domain-name sfo-w01
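The GREEN/YELLOW/RED bands that --certificate-health, --password-health and --ntp-health apply are simple enough to reuse outside the SDDC Manager shell, for example in a monitoring job that is fed from an exported component inventory. The following Python is an added example, not code from the SoS utility: the component names, expiry dates and clock offsets are constructed, and the record layout of the inventory is an assumption; the thresholds themselves (30/15 days for certificates, 15/5 days for passwords, 5 minutes of clock skew) are the ones the option descriptions above state.

```python
"""Health-band classification for SoS-style checks.

Added example, not part of the SoS utility: applies the GREEN/YELLOW/RED bands
documented for --certificate-health, --password-health and --ntp-health to a
constructed inventory so the same thresholds can drive external alerting.
"""
from datetime import datetime, timedelta, timezone

# Bands from the option descriptions (days until expiry).
CERT_GREEN_ABOVE, CERT_RED_BELOW = 30, 15          # GREEN > 30, YELLOW 15-30, RED < 15
PASSWORD_GREEN_ABOVE, PASSWORD_RED_BELOW = 15, 5   # GREEN > 15, YELLOW 5-15, RED < 5
NTP_MAX_SKEW = timedelta(minutes=5)                # component clock within 5 minutes

SEVERITY = {"GREEN": 0, "YELLOW": 1, "RED": 2}

# Constructed reference time and inventory (hypothetical components and dates).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
CONSTRUCTED_INVENTORY = [
    {"component": "sddc-manager.example.local",
     "cert_not_after": datetime(2024, 7, 15, tzinfo=timezone.utc),
     "password_expires": datetime(2024, 6, 30, tzinfo=timezone.utc),
     "clock": NOW},
    {"component": "vcenter-01.example.local",
     "cert_not_after": datetime(2024, 6, 20, tzinfo=timezone.utc),
     "password_expires": datetime(2024, 6, 11, tzinfo=timezone.utc),
     "clock": NOW + timedelta(minutes=2)},
    {"component": "esxi-01.example.local",
     "cert_not_after": datetime(2024, 6, 10, tzinfo=timezone.utc),
     "password_expires": datetime(2024, 6, 4, tzinfo=timezone.utc),
     "clock": NOW - timedelta(minutes=7)},
]


def classify_days(days_left, green_above, red_below):
    """Map days-until-expiry onto the documented three-colour band."""
    if days_left > green_above:
        return "GREEN"
    if days_left < red_below:
        return "RED"
    return "YELLOW"


def certificate_status(not_after, now=NOW):
    """Band for a certificate that expires at not_after (already-expired counts as RED)."""
    return classify_days((not_after - now).days, CERT_GREEN_ABOVE, CERT_RED_BELOW)


def password_status(expires, now=NOW):
    """Band for a VCF-managed password that expires at the given time."""
    return classify_days((expires - now).days, PASSWORD_GREEN_ABOVE, PASSWORD_RED_BELOW)


def ntp_status(component_clock, reference=NOW):
    """RED when the component clock drifts more than 5 minutes from the reference."""
    return "GREEN" if abs(component_clock - reference) <= NTP_MAX_SKEW else "RED"


def worst(*statuses):
    """Overall status is the most severe of the individual checks."""
    return max(statuses, key=SEVERITY.__getitem__)


def health_report(inventory=CONSTRUCTED_INVENTORY, now=NOW):
    """Return one row per component with per-check and overall status."""
    rows = []
    for item in inventory:
        cert = certificate_status(item["cert_not_after"], now)
        pwd = password_status(item["password_expires"], now)
        ntp = ntp_status(item["clock"], now)
        rows.append({"component": item["component"], "certificate": cert,
                     "password": pwd, "ntp": ntp, "overall": worst(cert, pwd, ntp)})
    return rows


if __name__ == "__main__":
    for row in health_report():
        print(f"{row['component']:<28} cert={row['certificate']:<6} "
              f"password={row['password']:<6} ntp={row['ntp']:<6} overall={row['overall']}")
```

Boundary values follow the wording of the tables: exactly 30 or 15 days until certificate expiry is YELLOW, exactly 15 or 5 days until password expiry is YELLOW, and anything already expired lands in RED because its day count is negative.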

Collect Logs for Your VMware Cloud Foundation System


Use the SoS utility to collect the logs for various software components in the system.

Use these options when retrieving support logs from your environment's various components.

n If you run the SoS utility from SDDC Manager without specifying any component-specific
options, the SoS tool collects SDDC Manager, API, and VMware Cloud Foundation summary
logs. To collect all logs, use the --collect-all-logs option.

Note SoS log collection may time out after 60 minutes, which could be an issue with large
workload domains. If the SoS utility does time out, collect component-specific logs or limit log
collection to specific clusters using the options described below.

n If you run the SoS utility from Cloud Builder without specifying any component-specific
options, the SoS tool collects SDDC Manager, API, and Cloud Builder logs.

n To collect logs for a specific component, run the utility with the appropriate options.

In particular, the --domain-name option matters: if it is omitted, the SoS operation is
performed only on the management domain. See SoS Utility Options.

After running the SoS utility, you can examine the resulting logs to troubleshoot issues, or
provide to VMware Technical Support if requested. VMware Technical Support might request
these logs to help resolve technical issues when you have submitted a support request. The
diagnostic information collected using the SoS utility includes logs for the various VMware
software components and software products deployed in your VMware Cloud Foundation
environment.

Table 23-1. SoS Utility Log File Options

Option Description

--esx-logs Collects logs from the ESXi hosts only.


Logs are collected from each ESXi host available in the deployment.

--vc-logs Collects logs from the vCenter Server instances only.


Logs are collected from each vCenter server available in the deployment.

--sddc-manager-logs Collects logs from the SDDC Manager only. sddc<timestamp>.tgz contains logs from the
SDDC Manager file system's etc, tmp, usr, and var partitions.

--vxrail-manager-logs Collects logs from VxRail Manager instances only.

--psc-logs Collects logs from the Platform Services Controller instances only.


--nsx-logs Collects logs from the NSX Manager and NSX Edge instances only.

--wcp-logs Collects logs from Workload Management clusters only.

--vrealize-logs Collects logs from VMware Aria Suite Lifecycle.

--no-clean-old-logs Use this option to prevent the utility from removing any output from a previous collection
run.
By default, before writing the output to the directory, the utility deletes the prior run's
output files that might be present. If you want to retain the older output files, specify this
option.

--test Collects test logs by verifying the files.

--no-health-check Skips the health check executed as part of log collection.

--api-logs Collects output from REST endpoints for SDDC Manager inventory and LCM.

--rvc-logs Collects logs from the Ruby vSphere Console (RVC) only. RVC is an interface for ESXi and
vCenter.

Note If the Bash shell is not enabled in vCenter Server, RVC log collection will be skipped.

Note RVC logs are not collected by default with ./sos log collection. You must enable RVC
to collect RVC logs.

--vm-screenshots Collects all VM screenshots.

--system-debug-logs Collects system logs to help with debugging uncommon issues.

--collect-all-logs Collects logs for all components, except Workload Management and system debug logs. By
default, logs are collected for the management domain components.
To collect logs for all workload domains, specify --domain-name ALL.
To collect logs for a specific workload domain, specify --domain-name domain_name.

--log-dir LOGDIR Specifies the directory to store the logs.

--log-folder LOGFOLDER Specifies the name of the log directory.

--domain-name DOMAINNAME Specifies the workload domain on which the SoS operation is to be performed.
To run the operation on all domains, specify --domain-name ALL.

Note If you omit the --domain-name flag and domain name, the SoS operation is
performed only on the management domain.

Procedure

1 Using SSH, log in to the SDDC Manager appliance as the vcf user.

2 To collect the logs, run the SoS utility without specifying any component-specific options.

sudo /opt/vmware/sddc-support/sos


Enter the vcf password when prompted.


To collect logs for a specific component, run the utility with the appropriate options.

sudo /opt/vmware/sddc-support/sos --option-name

Note By default, before writing the output to the directory, the utility deletes the prior run's
output files that might be present. If you want to retain the older output files, specify the
--no-clean-old-logs option.

If you do not specify the --log-dir option, the utility writes the output to the
/var/log/vmware/vcf/sddc-support directory in the SDDC Manager appliance.

Results

The utility collects the log files from the various software components in all of the racks and
writes the output to the directory named in the --log-dir option. Inside that directory, the utility
generates output in a specific directory structure.

Example

vcf@sddc-manager [ ~ ]$ sudo /opt/vmware/sddc-support/sos --domain-name MGMT --skip-known-host-check --log-dir /tmp/new
[sudo] password for vcf
Welcome to Supportability and Serviceability(SoS) utility!
Performing SoS operation for MGMT domain components
Logs : /tmp/new/sos-2019-09-03-21-04-40-11793
Log file : /tmp/new/sos-2019-09-03-21-04-40-11793/sos.log
Log Collection completed successfully for : [HEALTH-CHECK, SDDC-MANAGER, NSX_MANAGER, API-LOGS, ESX, VMS_SCREENSHOT, VCENTER-SERVER, VCF-SUMMARY]

What to do next

Change to the output directory to examine the collected log files.

Component Log Files Collected by the SoS Utility

The SoS utility writes the component log files into an output directory structure within the file
system of the SDDC Manager instance in which the command is initiated, for example:

vcf@sddc-manager [ ~ ]$ sudo /opt/vmware/sddc-support/sos


[sudo] password for vcf
Welcome to Supportability and Serviceability(SoS) utility!
Performing SoS operation for MGMT domain components
Logs : /var/log/vmware/vcf/sddc-support/sos-2019-09-03-20-55-41-10053
Log file : /var/log/vmware/vcf/sddc-support/sos-2019-09-03-20-55-41-10053/sos.log
NOTE : The Health check operation was invoked without --skip-known-host-check, and so will skip
Connectivity Health, Password Health and Certificate Health Checks because of security reasons.

Log Collection completed successfully for : [HEALTH-CHECK, SDDC-MANAGER, NSX_MANAGER, API-LOGS, ESX,
VMS_SCREENSHOT, VCENTER-SERVER, VCF-SUMMARY]


esx Directory Contents


In each rack-specific directory, the esx directory contains the following diagnostic files collected
for each ESXi host in the rack:

File Description

esx-FQDN.tgz Diagnostic information from running the vm-support command on the ESXi host.
An example file is esx-esxi-1.vrack.vsphere.local.tgz.

SmartInfo-FQDN.txt S.M.A.R.T. status of the ESXi host's hard drive (Self-Monitoring, Analysis, and Reporting Technology).
An example file is SmartInfo-esxi-1.vrack.vsphere.local.txt.

vsan-health-FQDN.txt VMware vSAN cluster health information from running the standard command
python /usr/lib/vmware/vsan/bin/vsan-health-status.pyc on the ESXi host.
An example file is vsan-health-esxi-1.vrack.vsphere.local.txt.

nsx Directory Contents


In each rack-specific directory, the nsx directory contains the diagnostic information files
collected for the NSX Managers and NSX Edge instances deployed in that rack.

The number of files in this directory depends on the number of NSX Manager and NSX Edge
instances that are deployed in the rack. In a given rack, each management domain has a cluster
of three NSX Managers. The first VI workload domain has an additional cluster of three NSX
Managers. Subsequent VI workload domains can deploy their own NSX Manager cluster, or use
the same cluster as an existing VI workload domain. NSX Edge instances are optional.

File Description

VMware-NSX-Manager-tech-support-nsxmanagerIPaddr.tar.gz Standard NSX Manager compressed support bundle, generated using the
NSX API POST https://nsxmanagerIPaddr/api/1.0/appliance-management/techsupportlogs/NSX,
where nsxmanagerIPaddr is the IP address of the NSX Manager instance.
An example is VMware-NSX-Manager-tech-support-10.0.0.8.tar.gz.

VMware-NSX-Edge-tech-support-nsxmanagerIPaddr-edgeId.tgz Standard NSX Edge support bundle, generated using the NSX API to query
the NSX Edge support logs: GET https://nsxmanagerIPaddr/api/4.0/edges/edgeId/techsupportlogs,
where nsxmanagerIPaddr is the IP address of the NSX Manager instance and edgeId identifies
the NSX Edge instance.
Note This information is only collected if NSX Edges are deployed.
An example is VMware-NSX-Edge-tech-support-10.0.0.7-edge-1.log.gz.

vc Directory Contents
In each rack-specific directory, the vc directory contains the diagnostic information files collected
for the vCenter Server instances deployed in that rack.

The number of files in this directory depends on the number of vCenter Server instances that are
deployed in the rack. In a given rack, each management domain has one vCenter Server instance,
and any VI workload domains in the rack each have one vCenter Server instance.


vc-vcsaFQDN-vm-support.tgz Standard vCenter Server support bundle downloaded from the vCenter Server Appliance
instance having a fully qualified domain name vcsaFQDN. The support bundle is obtained from
the instance using the standard vc-support.sh command.
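Because the esx and vc directory layouts above are fixed (three files per ESXi host, one support bundle per vCenter Server, each named after the FQDN), a collected bundle can be checked for completeness before it is sent to support, and a file for a host that is not in the inventory is worth noticing. The following Python is an added example, not part of the SoS utility: it assumes a rack directory containing esx/ and vc/ subdirectories as this section describes, the ESXi FQDN pattern is taken from the page, and the vCenter host names and the throwaway bundle it builds are constructed.

```python
"""Completeness audit of an SoS output directory.

Added example, not part of the SoS utility: given the ESXi hosts and vCenter
Server instances a rack should contain, it checks that the esx/ and vc/
directories hold the per-host files this section names and reports gaps,
plus any files for hosts that are not in the inventory.
"""
import os
import shutil
import tempfile

# File names this section documents, with the host FQDN substituted.
ESX_ARTIFACTS = ("esx-{fqdn}.tgz", "SmartInfo-{fqdn}.txt", "vsan-health-{fqdn}.txt")
VC_ARTIFACTS = ("vc-{fqdn}-vm-support.tgz",)


def _listing(directory):
    """Set of file names in directory, or an empty set if it does not exist."""
    return set(os.listdir(directory)) if os.path.isdir(directory) else set()


def audit_rack_bundle(rack_dir, esxi_hosts, vcenters):
    """Return (missing, unexpected).

    missing:    {fqdn: [file names absent from the bundle]}
    unexpected: sorted file names in esx/ or vc/ that match no inventory host
    """
    missing = {}
    expected = set()
    for subdir, hosts, patterns in (("esx", esxi_hosts, ESX_ARTIFACTS),
                                    ("vc", vcenters, VC_ARTIFACTS)):
        present = _listing(os.path.join(rack_dir, subdir))
        for fqdn in hosts:
            wanted = [p.format(fqdn=fqdn) for p in patterns]
            expected.update(wanted)
            gaps = [name for name in wanted if name not in present]
            if gaps:
                missing[fqdn] = gaps
    unexpected = sorted(
        name for subdir in ("esx", "vc")
        for name in _listing(os.path.join(rack_dir, subdir)) if name not in expected)
    return missing, unexpected


def build_constructed_bundle():
    """Create a throwaway rack directory that mimics SoS output (constructed data).

    esxi-2 lacks its SmartInfo file, vcenter-2 has no support bundle, and a stray
    file for a host that is not in the inventory is present.
    """
    rack_dir = tempfile.mkdtemp(prefix="sos-rack-")
    os.makedirs(os.path.join(rack_dir, "esx"))
    os.makedirs(os.path.join(rack_dir, "vc"))
    files = [
        "esx/esx-esxi-1.vrack.vsphere.local.tgz",
        "esx/SmartInfo-esxi-1.vrack.vsphere.local.txt",
        "esx/vsan-health-esxi-1.vrack.vsphere.local.txt",
        "esx/esx-esxi-2.vrack.vsphere.local.tgz",
        "esx/vsan-health-esxi-2.vrack.vsphere.local.txt",
        "esx/esx-esxi-9.vrack.vsphere.local.tgz",            # host not in inventory
        "vc/vc-vcenter-1.vrack.vsphere.local-vm-support.tgz",
    ]
    for rel in files:
        with open(os.path.join(rack_dir, rel), "wb") as fh:
            fh.write(b"constructed placeholder\n")
    return rack_dir


# Constructed inventory for the rack (hypothetical host names).
ESXI_HOSTS = ["esxi-1.vrack.vsphere.local", "esxi-2.vrack.vsphere.local"]
VCENTERS = ["vcenter-1.vrack.vsphere.local", "vcenter-2.vrack.vsphere.local"]


def run_constructed_audit():
    """Build the constructed bundle, audit it, and clean up."""
    rack_dir = build_constructed_bundle()
    try:
        return audit_rack_bundle(rack_dir, ESXI_HOSTS, VCENTERS)
    finally:
        shutil.rmtree(rack_dir, ignore_errors=True)


if __name__ == "__main__":
    missing, unexpected = run_constructed_audit()
    for fqdn, gaps in missing.items():
        print(f"MISSING    {fqdn}: {', '.join(gaps)}")
    for name in unexpected:
        print(f"UNEXPECTED {name}")
```

To audit a real collection, point audit_rack_bundle at the rack-specific directory under the --log-dir output and pass the host lists obtained from --get-host-ips and --get-inventory-info.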

24 Managing Users and Groups in VMware Cloud Foundation
You can add users and groups to VMware Cloud Foundation to provide users with access to the
SDDC Manager UI as well as the vCenter Server and NSX Manager instances that are deployed
in your VMware Cloud Foundation system. Users can log in and perform tasks based on their
assigned role.

Before you can add users and groups to VMware Cloud Foundation, you must configure an
identity provider that has access to user and group data. VMware Cloud Foundation supports the
following identity providers:

n vCenter Single Sign-On is vCenter Server's built-in identity provider. By default, it uses the
system domain (for example, vsphere.local) as its identity source. You can add Active
Directory over LDAP and OpenLDAP as identity sources for vCenter Single Sign-On.

n You can also use any of the following external identity providers instead of vCenter Single
Sign-On:

n Microsoft ADFS

n Okta

n Microsoft Entra ID (formerly known as Azure Active Directory)

Once you have configured an identity provider, you can add users and groups, and assign
roles to determine what tasks they can perform from the SDDC Manager UI and VMware Cloud
Foundation API.

Note SDDC Manager only manages users and groups for the management SSO domain. If you
created isolated VI workload domains that use different SSO domains, you must use the vSphere
Client to manage users and groups for those SSO domains. Use the vSphere Client to connect to
the VI workload domain's vCenter Server and then click Administration > Single Sign On.

In addition to user accounts, VMware Cloud Foundation includes the following accounts:

n Automation accounts for accessing VMware Cloud Foundation APIs. You can use these
accounts in automation scripts.

n Local account for accessing VMware Cloud Foundation APIs when vCenter Server is down.

n Service accounts are automatically created by VMware Cloud Foundation for inter-product
interaction. These are for system use only.


Read the following topics next:

n Configuring the Identity Provider for VMware Cloud Foundation

n Add a User or Group to VMware Cloud Foundation

n Remove a User or Group

n Create a Local Account

n Create an Automation Account

Configuring the Identity Provider for VMware Cloud Foundation
You can use vCenter Single Sign-On, Microsoft ADFS, Okta, or Microsoft Entra ID as the identity
provider for VMware Cloud Foundation.

By default, VMware Cloud Foundation uses vCenter Single Sign-On as its identity provider and
the system domain (for example, vsphere.local) as its identity source. You can add Active
Directory over LDAP and OpenLDAP as identity sources for vCenter Single Sign-On. See Add
Active Directory over LDAP or OpenLDAP as an Identity Source for VMware Cloud Foundation.

You can also configure VMware Cloud Foundation to use Microsoft ADFS, Okta, or Microsoft
Entra ID as an external identity provider, instead of using vCenter Single Sign-On:

n Configure Microsoft ADFS as the Identity Provider in the SDDC Manager UI

n Configure Okta as the Identity Provider in the SDDC Manager UI

n Configure Identity Federation in VMware Cloud Foundation Using Microsoft Entra ID

Add Active Directory over LDAP or OpenLDAP as an Identity Source for VMware Cloud Foundation
Users can log in to the SDDC Manager UI only if they are in a domain that has been added as
a vCenter Single Sign-On identity source. vCenter Single Sign-On administrator users can add
identity sources, or change the settings for identity sources that they added.

You can use identity sources to attach one or more domains to vCenter Single Sign-On. A
domain is a repository for users and groups that the vCenter Single Sign-On server can use for
user authentication with VMware Cloud Foundation. By default, vCenter Single Sign-On includes
the system domain (for example, vsphere.local) as an identity source. You can add Active
Directory over LDAP or an OpenLDAP directory service as identity sources.

Procedure

1 In the navigation pane, click Administration > Single Sign On.

2 Click Identity Provider.

3 Click Add and select AD over LDAP or OpenLDAP.


4 Click Next.

5 Enter the server settings and click Next.

Table 24-1. Active Directory over LDAP and OpenLDAP Server Settings

Option Description

Identity Source Name Name of the identity source.

Base Distinguished Name for Users Base Distinguished Name for users. Enter the DN
from which to start user searches. For example,
cn=Users,dc=myCorp,dc=com.

Base Distinguished Name for Groups The Base Distinguished Name for groups. Enter the
DN from which to start group searches. For example,
cn=Groups,dc=myCorp,dc=com.

Domain Name The FQDN of the domain.

Domain Alias For Active Directory identity sources, the domain's
NetBIOS name. Add the NetBIOS name of the Active
Directory domain as an alias of the identity source if
you are using SSPI authentications.
For OpenLDAP identity sources, the domain name in
capital letters is added if you do not specify an alias.


User Name ID of a user in the domain who has a minimum of read-only
access to Base DN for users and groups. The ID
can be in any of these formats:
n UPN (user@domain.com)
n NetBIOS (DOMAIN\user)
n DN (cn=user,cn=Users,dc=domain,dc=com)
The user name must be fully-qualified. An entry of
"user" does not work.

Password Password of the user who is specified by Username.

Primary Server URL Primary domain controller LDAP server for the domain.
You can use either the host name or the IP address.
Use the format ldap://hostname_or_IPaddress:port or
ldaps://hostname_or_IPaddress:port. The port is typically
389 for LDAP connections and 636 for LDAPS
connections. For Active Directory multi-domain
controller deployments, the port is typically 3268 for
LDAP and 3269 for LDAPS.
A certificate that establishes trust for the LDAPS
endpoint of the Active Directory server is required
when you use ldaps:// in the primary or the
secondary LDAP URL.

Secondary Server URL Address of a secondary domain controller LDAP server
that is used for failover. You can use either the host
name or the IP address.

Certificates (for LDAPS) If you want to use LDAPS with your Active Directory
LDAP Server or OpenLDAP Server identity source, click
Browse to select a certificate. To export the root CA
certificate from Active Directory, consult the Microsoft
documentation.

6 Review the information and click Submit.

What to do next

After you successfully add an identity source, you can add users and groups from the domain.
See Add a User or Group to VMware Cloud Foundation .

Configure Microsoft ADFS as the Identity Provider in the SDDC Manager UI
You can configure VMware Cloud Foundation to use Microsoft ADFS as an external identity
provider, instead of using vCenter Single Sign-On. In this configuration, the external identity
provider interacts with the identity source on behalf of vCenter Server.

You can only add one external identity provider to VMware Cloud Foundation.


Prerequisites

Microsoft Active Directory Federation Services (ADFS) requirements:

n Microsoft ADFS for Windows Server 2016 or later must already be deployed.

n Microsoft ADFS must be connected to Active Directory.

n You have created a vCenter Server administrators group in Microsoft ADFS that contains the
users you want to grant vCenter Server administrator privileges to.

For more information about configuring Microsoft ADFS, see the Microsoft documentation.

vCenter Server and other requirements:

n vSphere 7.0 or later

n vCenter Server must be able to connect to the Microsoft ADFS discovery endpoint, and
the authorization, token, logout, JWKS, and any other endpoints advertised in the discovery
endpoint metadata.

Procedure

1 Log in to the SDDC Manager UI as a user with the ADMIN role.

2 In the navigation pane, click Administration > Single Sign On.

3 Click Identity Provider.

4 Click Change Identity Provider and select Microsoft ADFS.

5 Click Next.

6 Select the checkbox to confirm the prerequisites and click Next.

7 If your Microsoft ADFS server certificate is signed by a publicly trusted Certificate Authority,
click Next. If you are using a self-signed certificate, add the Microsoft ADFS root CA
certificate to the Trusted Root Certificates Store.

a Click Browse.

b Navigate to the certificate and click Open.

c Click Next.

8 Copy the redirect URIs.

You will need them when you create the Microsoft ADFS Application Group in the next step.


9 Create an OpenID Connect configuration in Microsoft ADFS.

To establish a relying party trust between vCenter Server and an identity provider, you must
establish the identifying information and a shared secret between them. In Microsoft ADFS,
you do so by creating an OpenID Connect configuration known as an Application Group,
which consists of a Server application and a Web API. The two components specify the
information that vCenter Server uses to trust and communicate with the Microsoft ADFS
server. To enable OpenID Connect in Microsoft ADFS, see the VMware knowledge base
article at https://kb.vmware.com/s/article/78029.

Note the following when you create the Microsoft ADFS Application Group.

n You need the two Redirect URIs from the previous step.

n Copy the following information to a file or write it down for use when configuring the
identity provider in the next step.

n Client Identifier

n Shared Secret

n OpenID address of the Microsoft ADFS server

10 Enter the Application Group information and click Next.

Use the information you gathered in the previous step and enter the:

n Client Identifier

n Shared Secret

n OpenID address of the Microsoft ADFS server

11 Enter user and group information for the Active Directory over LDAP connection to search
for users and groups.

vCenter Server derives the AD domain to use for authorization and permissions from the
Base Distinguished Name for users. You can add permissions on vSphere objects only for
users and groups from this AD domain. Users or groups from AD child domains or other
domains in the AD forest are not supported by vCenter Server Identity Provider Federation.

Option Description

Base Distinguished Name for Users Base Distinguished Name for users.

Base Distinguished Name for Groups The base Distinguished Name for groups.

User Name ID of a user in the domain who has a minimum of read-only access to Base
DN for users and groups.

Password Password of the user who is specified by User Name.


Primary Server URL Primary domain controller LDAP server for the domain.
Use the format ldap://hostname:port or ldaps://hostname:port. The
port is typically 389 for LDAP connections and 636 for LDAPS connections.
For Active Directory multi-domain controller deployments, the port is
typically 3268 for LDAP and 3269 for LDAPS.
A certificate that establishes trust for the LDAPS endpoint of the Active
Directory server is required when you use ldaps:// in the primary or
secondary LDAP URL.

Secondary Server URL Address of a secondary domain controller LDAP server that is used for
failover.

Certificates (for LDAPS) If you want to use LDAPS, click Browse to select a certificate.

12 Review the information and click Submit.
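The LDAP fields in Table 24-1 and in the Microsoft ADFS procedure above carry the same rules: Base DNs must be distinguished names, the bind user must be fully qualified (UPN, NetBIOS or DN), server URLs must use ldap:// or ldaps:// with a port, and ldaps:// requires a trust certificate. The following Python is an added example, not SDDC Manager or vCenter Server code: it checks a configuration before the values are typed into the UI, using constructed field names and sample host names, and it also flags plain ldap:// because a simple bind over it sends the bind password unencrypted unless StartTLS is negotiated, which is a general LDAP property rather than something the tables state.

```python
"""Pre-flight checks for the LDAP identity-source fields in Table 24-1 and for the
equivalent Active Directory over LDAP settings in the Microsoft ADFS procedure.

Added example, not SDDC Manager or vCenter Server code. The configuration keys
(users_base_dn, primary_url, ldaps_certificate, ...) and the sample hosts and
account names are constructed for this example.
"""
import re
from urllib.parse import urlsplit

DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,=]+(,[A-Za-z][\w-]*=[^,=]+)*$")
UPN_RE = re.compile(r"^[^@\\\s]+@[^@\\\s]+\.[^@\\\s]+$")        # user@domain.com
NETBIOS_RE = re.compile(r"^[^\\\s]+\\[^\\\s]+$")                 # DOMAIN\user
TYPICAL_PORTS = {"ldap": {389, 3268}, "ldaps": {636, 3269}}     # single DC / global catalog


def username_is_qualified(name):
    """Table 24-1 accepts UPN, NetBIOS or DN; a bare 'user' does not work."""
    return bool(UPN_RE.match(name) or NETBIOS_RE.match(name) or DN_RE.match(name))


def check_server_url(label, url, errors, warnings):
    """Validate one ldap:// or ldaps:// URL; return its scheme (None on a hard error)."""
    parts = urlsplit(url)
    if parts.scheme not in TYPICAL_PORTS:
        errors.append(f"{label}: must start with ldap:// or ldaps://, got {url!r}")
        return None
    if not parts.hostname:
        errors.append(f"{label}: host name or IP address is missing in {url!r}")
        return parts.scheme
    try:
        port = parts.port
    except ValueError:
        errors.append(f"{label}: port is not numeric in {url!r}")
        return parts.scheme
    if port is None:
        warnings.append(f"{label}: no port given; the expected format is host:port")
    elif port not in TYPICAL_PORTS[parts.scheme]:
        warnings.append(f"{label}: port {port} is unusual for {parts.scheme}:// "
                        f"(typically {sorted(TYPICAL_PORTS[parts.scheme])})")
    if parts.scheme == "ldap":
        warnings.append(f"{label}: ldap:// sends the bind password in clear text unless "
                        "StartTLS is negotiated; prefer ldaps:// with a trust certificate")
    return parts.scheme


def validate_identity_source(cfg):
    """Return (errors, warnings) for a constructed identity-source dictionary."""
    errors, warnings = [], []
    for key in ("users_base_dn", "groups_base_dn"):
        if not DN_RE.match(cfg.get(key, "")):
            errors.append(f"{key}: not a distinguished name (expected e.g. cn=Users,dc=myCorp,dc=com)")
    if not username_is_qualified(cfg.get("user_name", "")):
        errors.append("user_name: must be fully qualified (UPN, DOMAIN\\user or DN)")
    if not cfg.get("password"):
        errors.append("password: required for the read-only bind user")
    schemes = {check_server_url("primary_url", cfg.get("primary_url", ""), errors, warnings)}
    if cfg.get("secondary_url"):
        schemes.add(check_server_url("secondary_url", cfg["secondary_url"], errors, warnings))
    if "ldaps" in schemes and not cfg.get("ldaps_certificate"):
        errors.append("ldaps_certificate: required when ldaps:// is used in the primary or secondary URL")
    return errors, warnings


# Constructed sample configurations (hypothetical hosts, account names and secrets).
GOOD_CONFIG = {
    "users_base_dn": "cn=Users,dc=myCorp,dc=com",
    "groups_base_dn": "cn=Groups,dc=myCorp,dc=com",
    "user_name": "svc-vcf-ldap@myCorp.com",
    "password": "placeholder-not-a-real-secret",
    "primary_url": "ldaps://dc01.myCorp.com:636",
    "secondary_url": "ldaps://dc02.myCorp.com:636",
    "ldaps_certificate": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----",
}
WEAK_CONFIG = {
    "users_base_dn": "cn=Users,dc=myCorp,dc=com",
    "groups_base_dn": "cn=Groups,dc=myCorp,dc=com",
    "user_name": "svc-vcf-ldap",                  # not fully qualified
    "password": "placeholder-not-a-real-secret",
    "primary_url": "ldap://dc01.myCorp.com:389",  # clear-text LDAP
}
UNTRUSTED_LDAPS_CONFIG = dict(GOOD_CONFIG, ldaps_certificate="", secondary_url="")


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG),
                      ("untrusted-ldaps", UNTRUSTED_LDAPS_CONFIG)):
        errors, warnings = validate_identity_source(cfg)
        print(f"{name}: errors={errors} warnings={warnings}")
```

Errors correspond to values the UI would reject or that cannot work (a bare user name, a missing certificate for ldaps://); warnings are choices the tables permit but that weaken the deployment, so a reviewer can decide whether to accept them.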

What to do next

After you successfully add Microsoft ADFS as an external identity provider, you can add
users and groups to VMware Cloud Foundation. See Add a User or Group to VMware Cloud
Foundation .

Configure Identity Federation in VMware Cloud Foundation Using Okta
Using Okta as the identity provider for the management domain vCenter Server allows for
identity federation across SDDC Manager, vCenter Server, and NSX Manager.

Configuring identity federation with Okta involves performing tasks in the Okta Admin Console
and the SDDC Manager UI. After the users and groups are synced, you can assign permissions in
SDDC Manager, vCenter Server, and NSX Manager.

1 Create an OpenID Connect application for VMware Cloud Foundation in Okta.

2 Configure Okta as the Identity Provider in the SDDC Manager UI.

3 Update the Okta OpenID Connect application with the Redirect URI from SDDC Manager.

4 Create a SCIM 2.0 Application for VMware Cloud Foundation.

5 Assign Permissions for Okta Users and Groups in SDDC Manager, vCenter Server, and NSX
Manager.

Note If you created isolated VI workload domains that use different SSO domains, you must use
the vSphere Client to configure Okta as the identity provider for those SSO domains. When you
configure Okta as the identity provider for an isolated workload domain in the vSphere Client,
NSX Manager is automatically registered as a relying party. This means that once an Okta user
with the necessary permissions has logged in to the isolated VI workload domain vCenter Server,
they can directly access the VI workload domain's NSX Manager from the SDDC Manager UI
without having to log in again.


Prerequisites

Integrate Active Directory (AD) with Okta. See Manage your Active Directory integration in the
Okta documentation for more information.

Note This is not required if you do not want to integrate with AD or have previously integrated
AD and Okta.

Create an OpenID Connect application for VMware Cloud Foundation in Okta


Before you can use Okta as the identity provider in VMware Cloud Foundation, you need to
create an OpenID Connect application in Okta and assign users and groups to the OpenID
Connect application.

Procedure

1 Log in to the Okta Admin console and follow the Okta documentation, Create OIDC app
integrations, to create an OpenID Connect application.

When creating the OpenID Connect application in the Create a new app integration wizard:

n Select OIDC - OpenID Connect as the Sign-in method.

n Select Native Application as the Application type.

n Enter an appropriate name for the OpenID Connect application, for example, Okta-VCF-
app.

n In General Settings, leave Authorization Code checked, and check Refresh Token and
Resource Owner Password.

n For now, ignore Sign-in redirect URIs and Sign-out redirect URIs. (You will enter these
values later.)

n When selecting how to control access, you can select Skip group assignment for now if
you want.

2 After the OpenID Connect application is created, generate the Client Secret.

a Select the General tab.

b In Client Credentials, click Edit and for Client Authentication check Client Secret.

c For Proof Key for Code Exchange (PKCE), uncheck Require PKCE as additional
verification.

d Click Save.

The Client Secret is generated.

e Copy both the Client ID and Client Secret and save them for use in creating the Okta
identity provider in SDDC Manager.

Note SDDC Manager uses the terms Client Identifier and Shared Secret.


3 Assign users and groups to the OpenID Connect application.

a Select the Assignments tab and select Assign to Groups from the Assign drop-down.

b Enter the group to search for in the Search field.

c Select the group and click Assign.

d Search for, select, and assign, other groups as needed.

e When done assigning groups, click Done.

To view the users that have been assigned, click People under Filters on the Assignment
page.

Okta assigns the group(s).

Configure Okta as the Identity Provider in the SDDC Manager UI


You can configure VMware Cloud Foundation to use Okta as an external identity provider,
instead of using vCenter Single Sign-On. In this configuration, the external identity provider
interacts with the identity source on behalf of vCenter Server.

You can only add one external identity provider to VMware Cloud Foundation.

This procedure configures Okta as the identity provider for the management domain vCenter
Server. The VMware Identity Services information endpoint is replicated to all other vCenter
Server nodes that are part of the management domain vCenter Server enhanced linked mode
(ELM) group. This means that when a user logs into and is authorized by the management
domain vCenter Server, the user is also authorized on any VI workload domain vCenter Server
that is part of the same ELM group. If the user logs in to a VI workload domain vCenter Server
first, the same holds true.

Note The Okta configuration information and user/group information is not replicated between
vCenter Server nodes in enhanced linked mode. Do not use the vSphere Client to configure Okta
as the identity provider for any VI workload domain vCenter Server that is part of the ELM group.

Prerequisites

Okta requirements:

- You are a customer of Okta and have a dedicated domain space. For example: https://your-company.okta.com.

- To perform OIDC logins and manage user and group permissions, you must create the following Okta applications.

  - An Okta native application with OpenID Connect as the sign-on method. The native application must include the grant types of authorization code, refresh token, and resource owner password.

  - A System for Cross-domain Identity Management (SCIM) 2.0 application with an OAuth 2.0 Bearer Token to perform user and group synchronization between the Okta server and the vCenter Server.

Okta connectivity requirements:

- vCenter Server must be able to connect to the Okta discovery endpoint, and the authorization, token, JWKS, and any other endpoints advertised in the discovery endpoint metadata.

- Okta must also be able to connect with vCenter Server to send user and group data for the SCIM provisioning.

Networking requirements:

- If your network is not publicly available, you must create a network tunnel between your vCenter Server system and your Okta server, then use the appropriate publicly accessible URL as the SCIM 2.0 Base Uri.

vSphere and NSX requirements:

- vSphere 8.0 Update 2 or later.

- NSX 4.1.2 or later.

Note If you added vCenter group memberships for any remote AD/LDAP users or groups, vCenter Server attempts to prepare these memberships so that they are compatible with the new identity provider configuration. This preparation process happens automatically at service startup, but it must complete before you can continue with the Okta configuration. Click Run Prechecks to check the status of this process before proceeding.

Procedure

1 Log in to the SDDC Manager UI as a user with the ADMIN role.

2 In the navigation pane, click Administration > Single Sign On.

3 Click Identity Provider.

4 Click Change Identity Provider and select OKTA.

5 Click Next.

6 In the Prerequisites panel, review and confirm the prerequisites.

7 Click Run Prechecks to ensure that the system is ready to change identity providers.

If the precheck finds errors, click View Details and take steps to resolve the errors as
indicated.

8 In the Directory Info panel, enter the following information.

- Directory Name: Name of the local directory to create on vCenter Server that stores the users and groups pushed from Okta. For example, vcenter-okta-directory.

- Domain Name(s): Enter the Okta domain names that contain the Okta users and groups you want to synchronize with vCenter Server.

  After you enter your Okta domain name, click the Plus icon (+) to add it. If you enter multiple domain names, specify the default domain.

9 Click Next.

10 In the OpenID Connect Configuration panel, enter the following information.

- Redirect URIs: Filled in automatically. You give the redirect URI to your Okta administrator for use in creating the OpenID Connect application.

- Identity Provider Name: Filled in automatically as Okta.

- Client Identifier: Obtained when you created the OpenID Connect application in Okta. (Okta refers to Client Identifier as the Client ID.)

- Shared Secret: Obtained when you created the OpenID Connect application in Okta. (Okta refers to Shared Secret as the Client Secret.)

- OpenID Address: Takes the form https://<Okta domain space>/oauth2/default/.well-known/openid-configuration.

  For example, if your Okta domain space is example.okta.com, then the OpenID Address is: https://example.okta.com/oauth2/default/.well-known/openid-configuration.

  See https://developer.okta.com/docs/reference/api/oidc/#well-known-openid-configuration for more information.

11 Click Next.

12 Review the information and click Finish.
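
The connectivity prerequisites require vCenter Server to reach the Okta discovery endpoint and every endpoint it advertises, and the OpenID Address follows the fixed form shown in step 10. The following added example (not part of this guide or of any VMware or Okta tool) builds that address, extracts the endpoints from a discovery document, flags any that are not HTTPS, and can probe them from the host it runs on. The sample discovery document, the domain example.okta.com and the function names are constructed for illustration.

```python
"""Added example (not from the VCF guide or any VMware tool): pre-check the Okta
OIDC endpoints that vCenter Server must reach before changing the identity provider."""
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Endpoints the guide names explicitly (authorization, token, JWKS); anything
# else advertised as "*_endpoint" in the discovery metadata is checked too.
REQUIRED_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def okta_openid_address(okta_domain: str) -> str:
    """OpenID Address in the form the guide gives for the default Okta
    authorization server, e.g. for example.okta.com."""
    return f"https://{okta_domain}/oauth2/default/.well-known/openid-configuration"


def endpoints_to_check(discovery: dict) -> dict:
    """Return {name: url} for every endpoint advertised in an OIDC discovery
    document. Raises KeyError if a required endpoint is missing, so a wrongly
    chosen authorization server is caught before the SDDC Manager precheck."""
    missing = [key for key in REQUIRED_KEYS if key not in discovery]
    if missing:
        raise KeyError(f"discovery metadata lacks required endpoint(s): {missing}")
    found = {key: discovery[key] for key in REQUIRED_KEYS}
    for key, value in discovery.items():
        if key.endswith("_endpoint") and isinstance(value, str):
            found[key] = value
    return found


def non_https(endpoints: dict) -> list:
    """Names of advertised endpoints that are not https URLs. vCenter Server
    fetches tokens and signing keys from these, so plaintext is a finding."""
    return [name for name, url in endpoints.items() if urlparse(url).scheme != "https"]


def probe(url: str, timeout: float = 5.0) -> bool:
    """Live reachability check from the host running the script (run it from
    the vCenter Server network). Any HTTP response counts as reachable; only
    DNS, TCP or TLS failures return False."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout):
            return True
    except urllib.error.HTTPError:
        return True  # the server answered, so connectivity is proven
    except (urllib.error.URLError, OSError):
        return False


def precheck(okta_domain: str, timeout: float = 5.0) -> dict:
    """Fetch the discovery document for the domain and probe every endpoint."""
    with urllib.request.urlopen(okta_openid_address(okta_domain), timeout=timeout) as resp:
        discovery = json.load(resp)
    return {name: probe(url, timeout) for name, url in endpoints_to_check(discovery).items()}


# Constructed, abbreviated discovery document; not real Okta output.
SAMPLE_DISCOVERY = {
    "issuer": "https://example.okta.com/oauth2/default",
    "authorization_endpoint": "https://example.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/default/v1/keys",
    "userinfo_endpoint": "https://example.okta.com/oauth2/default/v1/userinfo",
    "revocation_endpoint": "https://example.okta.com/oauth2/default/v1/revoke",
    "response_types_supported": ["code", "token", "id_token"],
}

if __name__ == "__main__":
    print(okta_openid_address("example.okta.com"))
    for name, url in endpoints_to_check(SAMPLE_DISCOVERY).items():
        print(f"  {name:24} {url}")
    print("non-https endpoints:", non_https(endpoints_to_check(SAMPLE_DISCOVERY)))
```

Running precheck("your-company.okta.com") from the vCenter Server network returns a dict of endpoint name to reachability, which is the same set of endpoints the SDDC Manager precheck depends on.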

Update the Okta OpenID Connect application with the Redirect URI from SDDC Manager

After you create the Okta identity provider configuration in the SDDC Manager UI, update the Okta OpenID Connect application with the Redirect URI from SDDC Manager.

Prerequisites

Copy the Redirect URI from the SDDC Manager UI.

1 Log in to the SDDC Manager UI.

2 In the navigation pane, click Administration > Single Sign On.

3 Click Identity Provider.

4 In the OpenID Connect section, copy and save the Redirect URI.

Procedure

1 Log in to the Okta Admin Console.

2 In the General Settings screen for the OpenID Connect application created, click Edit.

3 In the Sign-in redirect URIs text box, paste the copied Redirect URI from SDDC Manager.

4 Click Save.

Create a SCIM 2.0 Application for Using Okta with VMware Cloud Foundation
Creating a SCIM 2.0 application for Okta enables you to specify which Active Directory users and
groups to push to vCenter Server.

Prerequisites

Copy the Tenant URL and Secret Token from the SDDC Manager UI.

1 Log in to the SDDC Manager UI.

2 In the navigation pane, click Administration > Single Sign On.

3 Click Identity Provider.

4 In the User Provisioning section, click Generate and then copy and save the Secret Token and
Tenant URL.

You will use this information in step 4 below.

Procedure

1 Log in to the Okta Admin Console.

2 Browse the app catalog for SCIM 2.0 Test App (OAuth Bearer Token), and click Add
Integration.

Note The word "Test" is of Okta's choosing. The SCIM application you create using this
"Test" template is of production quality.

3 Use the following settings when creating the SCIM 2.0 application:

- Enter an appropriate name for the SCIM 2.0 application, such as VCF SCIM 2.0 app.

- In the General settings · Required page, leave Automatically log in when user lands on login page checked.

- In the Sign-on Options page:

  - For Sign-on methods, leave SAML 2.0 checked.

  - For Credential Details:

    - Application username format: Select AD SAM Account name.

    - Update application username on: Leave Create and update selected.

    - Password reveal: Leave Allow users to securely see their password selected.

4 Assign users and groups to the SCIM 2.0 application to push from your Active Directory to
vCenter Server:

a In the Okta SCIM 2.0 application, under Provisioning, click Configure API integration.

b Check the Enable API integration checkbox.

c Enter the SCIM 2.0 Base Url and OAuth Bearer Token.

SDDC Manager calls the SCIM 2.0 Base Url the "Tenant URL," and the OAuth Bearer
Token the "Secret Token."

Note If you have a network tunnel between the vCenter Server system and the Okta
server, then use the appropriate publicly accessible URL as the Base Url.

d Leave Import Groups selected.

e To verify the SCIM credentials, click Test API Credentials.

f Click Save.

5 Provision users.

a Click the Provisioning tab and select To App, then click Edit.

b Check Create Users, Update User Attributes, and Deactivate Users.

c Do not check Sync Password.

d Click Save.

6 Make assignments.

a Click the Assignments tab and select Assign to Groups from the Assign drop-down.

b Enter the group to search for in the Search field.

c Select the group and click Assign.

d If necessary, enter attribute information, then click Save and Go Back.

e Search for, select, and assign other groups as needed.

f When done assigning groups, click Done.

g Under Filters, select People and Groups to view the users and groups assigned.

7 Click the Push Groups tab and select an option from the Push Groups drop-down menu.

- Find groups by name: Select this option to locate groups by name.

- Find groups by rule: Select this option to create a search rule that pushes matching groups to the app.

Note Unless you uncheck the Push group memberships immediately check box, the
selected membership is pushed immediately, and the Push Status shows Active. For more
information, see Enable Group Push in the Okta documentation.

Assign Okta Users and Groups as Administrators in SDDC Manager, vCenter Server, and NSX Manager

After you have successfully configured Okta and synced its users and groups, you can add users and groups as administrators in SDDC Manager, vCenter Server, and NSX Manager. This enables admin users to sign in to one product UI (for example, SDDC Manager) and not be prompted for credentials again when signing in to another product UI (for example, NSX Manager).

Procedure

1 Add Okta users/groups as administrators in SDDC Manager.

a In the SDDC Manager UI, click Administration > Single Sign On.

b Click Users and Groups and then click + User or Group.

c Select one or more users or groups by clicking the check box next to each user or group.

You can either search for a user or group by name, or filter by user type or domain.

Note Okta users and groups appear in the domain(s) that you specified when you
configured Okta as the identity provider in the SDDC Manager UI.

d Select the ADMIN role for each user and group.

e Scroll down to the bottom of the page and click Add.

2 Add Okta users/groups as administrators in vCenter Server.

a Log in to the vSphere Client as a local administrator.

b Select Administration and click Global Permissions in the Access Control area.

c Click Add.

d From the Domain drop-down menu, select the domain for the user or group.

e Enter a name in the Search box.

The system searches user names and group names.

f Select a user or group.

g Select Administrator from the Role drop-down menu.

h Select the Propagate to children check box.

i Click OK.

3 Verify logging in to SDDC Manager with an Okta user.

a Log out of the SDDC Manager UI.

b Click Sign in with SSO.

c Enter a username and password and click Sign In.

4 Verify logging in to vCenter Server with an Okta user.

a Log out of the vSphere Client.

b Click Sign in with SSO.

5 Add Okta users/groups as administrators in NSX Manager.

a Log in to NSX Manager.

b Navigate to System > User Management.

c On the User Role Assignment tab, click Add Role for OpenID Connect User.

d Select vcenter-idp-federation from the drop-down menu and then enter text to search
for and select an Okta user or group.

e Click Set in the Roles column.

f Click Add Role.

g Select Enterprise Admin from the drop-down menu and click Add.

h Click Apply.

i Click Save.

6 Verify logging in to NSX Manager with an Okta user.

a Log out of NSX Manager.

b Click Sign in with vCenter-IDP-Federation.

Configure Identity Federation in VMware Cloud Foundation Using Microsoft Entra ID

Using Microsoft Entra ID as the identity provider for the management domain vCenter Server allows for identity federation across SDDC Manager, vCenter Server, and NSX Manager.

Configuring identity federation with Microsoft Entra ID involves performing tasks in the Microsoft
Entra Admin Console and the SDDC Manager UI. After the users and groups are synced, you can
assign permissions in SDDC Manager, vCenter Server, and NSX Manager.

1 Create an OpenID Connect application for VMware Cloud Foundation in Microsoft Entra ID.

2 Configure Microsoft Entra ID as the Identity Provider in the SDDC Manager UI.

3 Update the Microsoft Entra ID OpenID Connect application with the Redirect URI from SDDC
Manager.

4 Create a SCIM 2.0 Application for VMware Cloud Foundation.

5 Assign Permissions for Microsoft Entra ID Users and Groups in SDDC Manager, vCenter
Server, and NSX Manager.

Note If you created isolated VI workload domains that use different SSO domains, you must use the vSphere Client to configure Microsoft Entra ID as the identity provider for those SSO domains. When you configure Microsoft Entra ID as the identity provider for an isolated workload domain in the vSphere Client, NSX Manager is automatically registered as a relying party. This means that once a Microsoft Entra ID user with the necessary permissions has logged in to the isolated VI workload domain vCenter Server, they can directly access the VI workload domain's NSX Manager from the SDDC Manager UI without having to log in again.

Prerequisites

Integrate Active Directory (AD) with Microsoft Entra ID. See the Microsoft documentation for
more information.

Note This is not required if you do not want to integrate with AD or have previously integrated
AD and Microsoft Entra ID.

Create an OpenID Connect application for VMware Cloud Foundation in Microsoft Entra ID

Before you can use Microsoft Entra ID as the identity provider in VMware Cloud Foundation, you need to create an OpenID Connect application in Microsoft Entra ID and assign users and groups to the OpenID Connect application.

Procedure

1 Log in to the Microsoft Entra Admin console and follow the Microsoft documentation to create an OpenID Connect application.

When creating the OpenID Connect application in the Create a new app integration wizard:

- Select Home > Azure AD Directory > App Registration > New Registration.

- Enter an appropriate name for the OpenID Connect application, for example, EntraID-vCenter-app.

- Leave Supported account types as default or select per requirement.

- Set Redirect URI as Web. There is no need to enter a redirect URI now; you can fill it in later.

2 After the OpenID Connect application is created, generate the Client Secret.

a Click Certificates & secrets > Client secrets > New client secret.

b Enter a description for the client secret and select the validity in the Expiry drop-down menu.

c Click Add.

d Once a secret is generated, copy the content under Value and save it for use in creating
the Microsoft Entra ID identity provider in SDDC Manager.

Note SDDC Manager uses the term Shared Secret for the Client Secret.

3 Retrieve the Client ID.

a Click Overview.

b Copy the value from Application (client) ID.

Note SDDC Manager uses the term Client Identifier for the Client ID.

4 Click Overview > Endpoints and copy the value for the OpenID Connect metadata document.

5 Click Manage > Authentication, scroll to the Advanced settings section, slide the toggle to
Yes for Enable the following mobile and desktop flows and click Save.

6 Click Manage > API permissions and click Grant admin consent for
<tenant_organization_name>. For example, Grant admin consent for vcenter auth services.

What to do next

Configure Microsoft Entra ID as the identity provider in the SDDC Manager UI using the Client
Secret, Client ID, and OpenID Connect information you copied.

Configure Microsoft Entra ID as the Identity Provider in the SDDC Manager UI

You can configure VMware Cloud Foundation to use Microsoft Entra ID as an external identity
provider, instead of using vCenter Single Sign-On. In this configuration, the external identity
provider interacts with the identity source on behalf of vCenter Server.

You can only add one external identity provider to VMware Cloud Foundation.

This procedure configures Microsoft Entra ID as the identity provider for the management
domain vCenter Server. The VMware Identity Services information endpoint is replicated to all
other vCenter Server nodes that are part of the management domain vCenter Server enhanced
linked mode (ELM) group. This means that when a user logs into and is authorized by the
management domain vCenter Server, the user is also authorized on any VI workload domain
vCenter Server that is part of the same ELM group. If the user logs in to a VI workload domain
vCenter Server first, the same holds true.

Note The Microsoft Entra ID configuration information and user/group information is not
replicated between vCenter Server nodes in enhanced linked mode. Do not use the vSphere
Client to configure Microsoft Entra ID as the identity provider for any VI workload domain
vCenter Server that is part of the ELM group.

Prerequisites

Microsoft Entra ID requirements:

- You are a customer of Microsoft Entra ID and have an Azure AD account.

- To perform OIDC logins and manage user and group permissions, you must create the following Microsoft Entra ID applications.

  - A Microsoft Entra ID native application with OpenID Connect as the sign-on method. The native application must include the grant types of authorization code, refresh token, and resource owner password.

  - A System for Cross-domain Identity Management (SCIM) 2.0 application with an OAuth 2.0 Bearer Token to perform user and group synchronization between the Microsoft Entra ID server and the vCenter Server.

Networking requirements:

- If your network is not publicly available, you must create a network tunnel between your vCenter Server system and your Microsoft Entra ID server, then use the appropriate publicly accessible URL as the SCIM 2.0 Tenant URL.

vSphere and NSX requirements:

- vSphere 8.0 Update 2 or later.

- NSX 4.1.2 or later.

Note If you added vCenter group memberships for any remote AD/LDAP users or groups, vCenter Server attempts to prepare these memberships so that they are compatible with the new identity provider configuration. This preparation process happens automatically at service startup, but it must complete before you can continue with the Microsoft Entra ID configuration. Click Run Prechecks to check the status of this process before proceeding.

Procedure

1 Log in to the SDDC Manager UI as a user with the ADMIN role.

2 In the navigation pane, click Administration > Single Sign On.

3 Click Identity Provider.

4 Click Change Identity Provider and select Microsoft Entra ID.

5 Click Next.

6 In the Prerequisites panel, review and confirm the prerequisites.

7 Click Run Prechecks to ensure that the system is ready to change identity providers.

If the precheck finds errors, click View Details and take steps to resolve the errors as
indicated.

8 In the Directory Info panel, enter the following information.

- Directory Name: Name of the local directory to create on vCenter Server that stores the users and groups pushed from Microsoft Entra ID. For example, vcenter-entra-directory.

- Domain Name(s): Enter the domain names that contain the Microsoft Entra ID users and groups you want to synchronize with vCenter Server.

  After you enter a domain name, click the Plus icon (+) to add it. If you enter multiple domain names, specify the default domain.

9 Click Next.

10 In the OpenID Connect Configuration panel, enter the following information.

- Redirect URIs: Filled in automatically. You give the redirect URI to your Microsoft Entra ID administrator for use in creating the OpenID Connect application.

- Identity Provider Name: Filled in automatically as Entra.

- Client Identifier: Obtained when you created the OpenID Connect application in Microsoft Entra ID. (Microsoft Entra ID refers to Client Identifier as the Client ID.)

- Shared Secret: Obtained when you created the OpenID Connect application in Microsoft Entra ID. (Microsoft Entra ID refers to Shared Secret as the Client Secret.)

- OpenID Address: Obtained when you created the OpenID Connect application in Microsoft Entra ID. (Microsoft Entra ID refers to OpenID Address as the OpenID Connect metadata document.)

11 Click Next.

12 Review the information and click Finish.

Update the Microsoft Entra ID OpenID Connect application with the Redirect URI from SDDC Manager

After you create the Microsoft Entra ID identity provider configuration in the SDDC Manager UI, update the Microsoft Entra ID OpenID Connect application with the Redirect URI from SDDC Manager.

Prerequisites

Copy the Redirect URI from the SDDC Manager UI.

1 Log in to the SDDC Manager UI.

2 In the navigation pane, click Administration > Single Sign On.

3 Click Identity Provider.

4 In the OpenID Connect section, copy and save the Redirect URI.

Procedure

1 Log in to the Microsoft Entra Admin Console.

2 In the App Registrations screen for your OpenID Connect application, click Authentication.

3 Select Add a platform and then select Web.

4 In the Redirect URIs text box, paste the copied Redirect URI from SDDC Manager.

5 Click Configure.

Create a SCIM 2.0 Application for Using Microsoft Entra ID with VMware Cloud Foundation

Creating a SCIM 2.0 application for Microsoft Entra ID enables you to specify which Active Directory users and groups to push to vCenter Server.

If your vCenter Server accepts inbound traffic, follow the procedure below to create a SCIM 2.0
application. If your vCenter Server does not accept inbound traffic, see the Microsoft Entra ID
documentation for alternative methods:

- Microsoft Entra Connect Provisioning Agent

- Microsoft Entra Application Proxy Agent

Prerequisites

Copy the Tenant URL and Secret Token from the SDDC Manager UI.

1 Log in to the SDDC Manager UI.

2 In the navigation pane, click Administration > Single Sign On.

3 Click Identity Provider.

4 In the User Provisioning section, click Generate and then copy and save the Secret Token and
Tenant URL.

You will use this information to configure the Provisioning settings below.

Procedure

1 Log in to the Microsoft Entra Admin Console.

2 Navigate to Applications > Enterprise Applications and click New application.

3 Search for "VMware Identity Service" and select it in the search results.

4 Enter an appropriate name for the SCIM 2.0 application, for example, VCF SCIM 2.0 app.

5 Click Create.

6 After the SCIM 2.0 application is created, click Manage > Provisioning and specify the
Provisioning settings.

a Select Automatic as the Provisioning Mode.

b Enter the Tenant URL and Secret Token that you copied from the SDDC Manager UI and
click Test Connection.

Note If you have a network tunnel between the vCenter Server system and the Microsoft
Entra ID server, then use the appropriate publicly accessible URL as the Tenant URL.

c Click Save.

d Expand the Mappings section and click Provision Azure Active Directory Users.

e On the Attribute Mapping screen, click userPrincipalName.

f On the Edit Attribute screen, update the settings and then click OK.

Option         Description
Mapping type   Select Expression.
Expression     Enter the following text:
               Item(Split([userPrincipalName], "@"), 1)

g Click Add New Mapping.

h On the Edit Attribute screen, update the settings and then click OK.

Option             Description
Mapping type       Select Expression.
Expression         Enter the following text:
                   Item(Split([userPrincipalName], "@"), 2)
Target attribute   Select urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:domain.

i Click Save.

j Set the Provisioning Status to On.

7 Provision users.

a Click Manage > Users and groups.

b Click Add user/group.

c Search for users and groups and click Select.

d Click Assign.

e Click Manage > Provisioning.

f Click Start provisioning.

Assign Microsoft Entra ID Users and Groups as Administrators in SDDC Manager, vCenter Server, and NSX Manager

After you have successfully configured Microsoft Entra ID and synced its users and groups, you can add users and groups as administrators in SDDC Manager, vCenter Server, and NSX Manager. This enables admin users to sign in to one product UI (for example, SDDC Manager) and not be prompted for credentials again when signing in to another product UI (for example, NSX Manager).

Procedure

1 Add Microsoft Entra ID users/groups as administrators in SDDC Manager.

a In the SDDC Manager UI, click Administration > Single Sign On.

b Click Users and Groups and then click + User or Group.

c Select one or more users or groups by clicking the check box next to each user or group.

You can either search for a user or group by name, or filter by user type or domain.

Note Microsoft Entra ID users and groups appear in the domain(s) that you specified
when you configured Microsoft Entra ID as the identity provider in the SDDC Manager UI.

d Select the ADMIN role for each user and group.

e Scroll down to the bottom of the page and click Add.

2 Add Microsoft Entra ID users/groups as administrators in vCenter Server.

a Log in to the vSphere Client as a local administrator.

b Select Administration and click Global Permissions in the Access Control area.

c Click Add.

d From the Domain drop-down menu, select the domain for the user or group.

e Enter a name in the Search box.

The system searches user names and group names.

f Select a user or group.

g Select Administrator from the Role drop-down menu.

h Select the Propagate to children check box.

i Click OK.

3 Verify logging in to SDDC Manager with a Microsoft Entra ID user.

a Log out of the SDDC Manager UI.

b Click Sign in with SSO.

c Enter a username and password and click Sign In.

4 Verify logging in to vCenter Server with a Microsoft Entra ID user.

a Log out of the vSphere Client.

b Click Sign in with SSO.

5 Add Microsoft Entra ID users/groups as administrators in NSX Manager.

a Log in to NSX Manager.

b Navigate to System > User Management.

c On the User Role Assignment tab, click Add Role for OpenID Connect User.

d Select vcenter-idp-federation from the drop-down menu and then enter text to search
for and select a Microsoft Entra ID user or group.

e Click Set in the Roles column.

f Click Add Role.

g Select Enterprise Admin from the drop-down menu and click Add.

h Click Apply.

i Click Save.

6 Verify logging in to NSX Manager with a Microsoft Entra ID user.

a Log out of NSX Manager.

b Click Sign in with vCenter-IDP-Federation.

Add a User or Group to VMware Cloud Foundation

You can add users or groups so that they can access the SDDC Manager UI and VMware Cloud
Foundation API.

SDDC Manager UI displays user and group information based on the configured identity provider
and identity sources. See Configuring the Identity Provider for VMware Cloud Foundation.

Prerequisites

Only a user with the ADMIN role can perform this task.

Procedure

1 In the navigation pane, click Administration > Single Sign On.

2 Click Users and Groups and then click + User or Group.

3 Select one or more users or groups by clicking the check box next to each user or group.

You can either search for a user or group by name, or filter by user type or domain.

4 Select a Role for each user and group.

Role       Description
ADMIN      This role has access to all the functionality of the UI and API.
OPERATOR   This role cannot access user management, password management, or backup configuration settings.
VIEWER     This role can only view the SDDC Manager. User management and password management are hidden from this role.

5 Scroll down to the bottom of the page and click Add.

Remove a User or Group

You can remove a user or group, for example when an employee leaves the company. The
removed user or group will not be able to log in to the SDDC Manager UI.

Prerequisites

Only a user with the ADMIN role can perform this task.

Procedure

1 In the navigation pane, click Administration > Single Sign On.

2 Click the vertical ellipsis (three dots) next to a user or group name and click Remove.

3 Click Delete.

Create a Local Account

A local account is used to access VMware Cloud Foundation APIs when the management vCenter
Server is down. If you upgraded from a previous release or didn't configure the account when
deploying using the API, you can set a password using VMware Cloud Foundation APIs.

Procedure

1 Log in to the SDDC Manager UI as a user with the ADMIN role.

For more information about roles, see Chapter 24 Managing Users and Groups in VMware
Cloud Foundation.

2 In the navigation pane, click Developer Center > API Explorer.

3 To verify if the local account is configured, perform the following tasks:

a Expand APIs for managing Users.

b Expand GET /v1/users/local/admin and click EXECUTE.

c In the Response, click LocalUser (admin@local).

You can also download the response by clicking the download icon to the right of
LocalUser (admin@local).

4 If the local account is not configured, perform the following tasks to configure the local
account:

a Expand PATCH /v1/users/local/admin.

b Enter a password for the local account and click EXECUTE.

Password requirements are described below:

- Minimum length: 12

- Maximum length: 127

- At least one lowercase letter, one uppercase letter, a number, and one of the following special characters ! % @ $ ^ # ? *

- A character cannot be repeated more than three times consecutively

- Must not include three of the same consecutive characters

Note You must remember the password that you created because it cannot be
retrieved. Local account passwords are used in password rotation.
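
As an added example (not from this guide or the SDDC Manager API), the following Python function checks a candidate password against the requirements listed above before it is sent in the PATCH request, so a rejected value never reaches the API. The guide states two repetition rules; the stricter one (three identical consecutive characters already fail) is enforced here, which also satisfies the other. The sample passwords are constructed.

```python
"""Added example (not from the VCF guide): validate a local-account password
against the documented rules before calling PATCH /v1/users/local/admin."""
import re

# The exact special-character set the guide lists.
SPECIALS = "!%@$^#?*"


def password_violations(password: str) -> list:
    """Return every documented rule the password breaks (empty list = acceptable).
    Assumption: the stricter reading of the two repetition rules is enforced,
    so any run of three identical consecutive characters is rejected."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if len(password) > 127:
        problems.append("longer than 127 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(ch in SPECIALS for ch in password):
        problems.append(f"none of the special characters {SPECIALS}")
    if re.search(r"(.)\1\1", password):
        problems.append("three identical consecutive characters")
    return problems


def is_valid_local_password(password: str) -> bool:
    """True when the password satisfies every rule above."""
    return not password_violations(password)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("Vcf-Local-Admin-2024!", "Vcf-Local-Admin-2024", "VcfLocal2024!!!", "Short1A!"):
        print(f"{candidate!r}: {password_violations(candidate) or 'ok'}")
```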

Create an Automation Account

Automation accounts are used to access VMware Cloud Foundation APIs in automation scripts.

Procedure

1 Log in to the SDDC Manager UI as a user with the ADMIN role.

For more about roles, see Chapter 24 Managing Users and Groups in VMware Cloud
Foundation.

2 In the navigation pane, click Developer Center > API Explorer.

3 Get the ID for the ADMIN role.

a Expand APIs for managing Users.

b Expand GET /v1/roles and click Execute.

c In the Response, click PageOfRole and Role (ADMIN).

d Copy the ID for the ADMIN role.

4 Create a service account with the ADMIN role and get the service account's API key.

a Expand POST /v1/users and click User.

b Replace the Value with:

[
  {
    "name": "service_account",
    "type": "SERVICE",
    "role":
    {
      "id": "317cb292-802f-ca6a-e57e-3ac2b707fe34"
    }
  }
]

Paste the ADMIN role ID from step 3.

c Click Execute.

d In the Response, click PageOfUser and User (service_account).

e Copy the API key for the service account.


5 Use the service account's API key to generate an access token.

a Expand APIs for managing access and refresh tokens.

b Expand POST /v1/tokens.

c Click TokenCreationSpec.

d Replace Value with:

{
"apiKey": "qsfqnYgyxXQ892Jk90HXyuEMgE3SgfTS"
}

Paste the service account's API key from step 4.

e Click Execute.

f In the Response, click TokenPair and RefreshToken and save the access and refresh
tokens.
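The three API steps above (look up the ADMIN role, create a SERVICE user, exchange its API key for a token pair) written as a script. This is an added example, not part of the VMware guide. It assumes the response shapes from the VMware Cloud Foundation API reference (PageOfRole and PageOfUser carry an elements array, TokenPair carries accessToken and refreshToken.id) and that the caller already holds a Bearer token for a user with the ADMIN role; the fake_transport function is a constructed stand-in for SDDC Manager so that the script runs offline, and the role id inside it is the placeholder value shown in step 4 above.

```python
"""Create a SERVICE account with the ADMIN role and mint a token pair.

Added example for the 'Create an Automation Account' procedure; not part of
the VMware guide. Field names (elements, apiKey, accessToken, refreshToken.id)
are taken from the VCF API reference and are assumptions about your build.
"""
import json
import ssl
import urllib.request


def sddc_manager_transport(base_url, bearer, cafile=None):
    """Return a call(method, path, body) closure over urllib for a real instance.

    bearer is an access token for an ADMIN user; cafile is the CA that issued
    the SDDC Manager certificate (do not disable TLS verification instead).
    """
    ctx = ssl.create_default_context(cafile=cafile)

    def call(method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Accept", "application/json")
        req.add_header("Content-Type", "application/json")
        req.add_header("Authorization", "Bearer " + bearer)
        with urllib.request.urlopen(req, context=ctx) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    return call


def admin_role_id(call):
    """Step 3: GET /v1/roles and pick the id of the ADMIN role."""
    page = call("GET", "/v1/roles")
    ids = [r["id"] for r in page["elements"] if r["name"] == "ADMIN"]
    if len(ids) != 1:
        raise RuntimeError("expected exactly one ADMIN role, got %d" % len(ids))
    return ids[0]


def create_service_account(call, role_id, name="service_account"):
    """Step 4: POST /v1/users with type SERVICE; return the generated API key."""
    spec = [{"name": name, "type": "SERVICE", "role": {"id": role_id}}]
    user = call("POST", "/v1/users", spec)["elements"][0]
    if user["type"] != "SERVICE" or "apiKey" not in user:
        raise RuntimeError("unexpected user object: %r" % user)
    return user["apiKey"]


def mint_tokens(call, api_key):
    """Step 5: POST /v1/tokens with the API key; return (access, refresh)."""
    pair = call("POST", "/v1/tokens", {"apiKey": api_key})
    return pair["accessToken"], pair["refreshToken"]["id"]


def bootstrap(call, name="service_account"):
    """Run steps 3 to 5 in order and return the token pair."""
    role_id = admin_role_id(call)
    api_key = create_service_account(call, role_id, name)
    return mint_tokens(call, api_key)


# Constructed offline stand-in for SDDC Manager; it is not the real API.
ROLE_ID = "317cb292-802f-ca6a-e57e-3ac2b707fe34"  # placeholder id from the guide


def fake_transport():
    state = {"users": []}

    def call(method, path, body=None):
        if (method, path) == ("GET", "/v1/roles"):
            return {"elements": [{"id": ROLE_ID, "name": "ADMIN"},
                                 {"id": "role-operator", "name": "OPERATOR"}]}
        if (method, path) == ("POST", "/v1/users"):
            created = []
            for spec in body:
                if spec["role"]["id"] != ROLE_ID:
                    raise ValueError("unknown role id")
                user = dict(spec, id="user-%d" % len(state["users"]))
                if spec["type"] == "SERVICE":   # only SERVICE users get an API key
                    user["apiKey"] = "key-" + spec["name"]
                state["users"].append(user)
                created.append(user)
            return {"elements": created}
        if (method, path) == ("POST", "/v1/tokens"):
            if not any(u.get("apiKey") == body["apiKey"] for u in state["users"]):
                raise PermissionError("unknown API key")
            return {"accessToken": "access-for-" + body["apiKey"],
                    "refreshToken": {"id": "refresh-for-" + body["apiKey"]}}
        raise ValueError((method, path))

    return call


if __name__ == "__main__":
    # Against a real instance:
    # call = sddc_manager_transport("https://sddc-manager.example.com", bearer=admin_token)
    access, refresh = bootstrap(fake_transport())
    print("access token:", access, "refresh token:", refresh)
```

The API key never expires on its own and can mint ADMIN-level tokens at any time, so treat it like a password: keep it out of source control and out of shell history, and give the automation account the least privileged role that still covers the scripted calls rather than ADMIN where possible.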



25 Managing Passwords in VMware Cloud Foundation
For security reasons, you can change passwords for the accounts that are used by your SDDC
Manager instance. Changing these passwords periodically or when certain events occur, such as
an administrator leaving your organization, reduces the likelihood of security vulnerabilities.

You entered passwords for your VMware Cloud Foundation system as part of the bring-
up procedure. You can rotate and update some of these passwords using the password
management functionality in the SDDC Manager UI, including:

n Accounts used for service consoles, such as the ESXi root account.

n The root and mystic users of the VxRail Manager

n The single sign-on administrator account(s).

Note SDDC Manager manages passwords for all SSO administrator accounts, even if you
created isolated VI workload domains that use different SSO domains than the management
domain.

n The default administrative user account used by virtual appliances.

n Service accounts that are automatically generated during bring-up, host commissioning, and
workload creation.

Service accounts have a limited set of privileges and are created for communication between
products. Passwords for service accounts are randomly generated by SDDC Manager. You
cannot manually set a password for service accounts. To update the credentials of service
accounts, you can rotate the passwords.

To provide optimal security and proactively prevent any passwords from expiring, you must
rotate passwords every 80 days.

Note Do not change the passwords for system accounts and the
administrator@vsphere.local account outside SDDC Manager. This can break your VMware
Cloud Foundation system.

You can also use the VMware Cloud Foundation API to look up and manage credentials. In the
SDDC Manager UI, click Developer Center > API Explorer and browse to the APIs for managing
credentials.


Starting with VMware Cloud Foundation 5.2.1, you can also manage passwords using the vSphere
Client.

Password Expiration Notifications


The SDDC Manager UI provides a banner notification for any passwords managed by VMware
Cloud Foundation that are expiring within the next 14 days.

You can also click Security > Password Management in the navigation pane to view password
expiration information.

Expired passwords display a status of Disconnected.

For an expired password, you must update the password outside of VMware Cloud Foundation
and then remediate the password using the SDDC Manager UI or the VMware Cloud Foundation
API. See Remediate Passwords .

Note Password expiration information in the SDDC Manager UI is updated once a day. To get
real-time information, use the VMware Cloud Foundation API.

Read the following topics next:

n Rotate Passwords


n Manually Update Passwords

n Remediate Passwords

n Look Up Account Credentials

n Updating SDDC Manager Passwords

Rotate Passwords
As a security measure, you can rotate passwords for the components in your VMware Cloud
Foundation instance. The process of password rotation generates randomized passwords for
the selected accounts. You can rotate passwords manually or set up auto-rotation for accounts
managed by SDDC Manager.

You can rotate passwords for the following accounts.

n VxRail Manager

n ESXi

Note Auto-rotate is not supported for ESXi.

n vCenter Server

By default, the vCenter Server root password expires after 90 days.

Note Auto-rotate is automatically enabled for vCenter Server service accounts. It may take
up to 24 hours to configure the service account auto-rotate policy for a newly deployed
vCenter Server.

n vSphere Single-Sign On (PSC)

n NSX Edge nodes

n NSX Manager

n VMware Avi Load Balancer (formerly known as NSX Advanced Load Balancer)

n VMware Aria Suite Lifecycle

n VMware Aria Operations for Logs

n VMware Aria Operations

n VMware Aria Automation

n Workspace ONE Access

Note For Workspace ONE Access passwords, the password rotation method varies
depending on the user account. See the table below for details.

n SDDC Manager backup user


Table 25-1. Password Rotation Details for Workspace ONE Access User Accounts

Workspace ONE Access   VMware Aria Suite        Password Rotation Method                                Password Rotation
User Account           Lifecycle Locker Entry                                                           Scope

admin (443)            xint-wsa-admin           SDDC Manager Password Rotation                          Application

admin (8443)           xint-wsa-admin           VMware Aria Suite Lifecycle Global Environment          Per node

configadmin (443)      xint-wsa-configadmin     1 Reset the configadmin user password in Workspace      Application
                                                  ONE Access via the email reset link.
                                                2 Create a new credential object in VMware Aria Suite
                                                  Lifecycle Locker to match the new password.
                                                3 Update the credential object referenced by
                                                  globalEnvironment in VMware Aria Suite Lifecycle
                                                  Locker to the new credential object.

sshuser                global-env-admin         VMware Aria Suite Lifecycle Global Environment          Per node

root (ssh)             xint-wsa-root            SDDC Manager Password Rotation                          Per node

The default password policy for rotated passwords requires:

n 20 characters in length

n At least one uppercase letter, a number, and one of the following special characters: ! @ # $
^ *

n No more than two of the same characters consecutively

If you changed the vCenter Server password length using the vSphere Client or the ESXi
password length using the VMware Host Client, rotating the password for those components
from SDDC Manager generates a password that complies with the password length that you
specified.

To update the SDDC Manager root, super user, and API passwords, see Updating SDDC Manager
Passwords.


Prerequisites

n Verify that there are no currently failed workflows in SDDC Manager. To check for failed
workflows, click Dashboard in the navigation pane and expand the Tasks pane at the bottom
of the page.

n Verify that no active workflows are running or are scheduled to run during the brief time
period that the password rotation process is running. It is recommended that you schedule
password rotation for a time when you expect to have no running workflows.

n Only a user with the ADMIN role can perform this task.

Procedure

1 In the navigation pane, click Security > Password Management.

2 Select one or more accounts and click one of the following operations.

n Rotate Now

n Schedule Rotation

You can set the password rotation interval (30 days, 60 days, or 90 days). You can also
deactivate the schedule.

Note The Schedule Rotation option is not available for ESXi.

Note The auto-rotate schedule runs at midnight on the scheduled date. If auto-rotate
cannot start because of a technical issue, it is retried every hour until the start of the
next day. If a scheduled rotation is missed because of technical issues, the UI displays a
global notification with the failed task status. You can also check the status of the
scheduled rotation in the Tasks panel.

A message appears at the top of the page showing the progress of the operation. The Tasks
panel also shows detailed status for the password rotation operation. To view sub-tasks, click
the task name. As each of these tasks is run, the status is updated. If the task fails, you can
click Retry.

Results

Password rotation is complete when all sub-tasks are completed successfully.

Manually Update Passwords


You can manually change the password for a selected account. Unlike password rotation, which
generates a randomized password, you provide the new password.

You can update only one password at a time.


Although individual VMware Cloud Foundation accounts support different password
requirements, it is recommended that you set passwords following a common set of
requirements across all accounts:

n Minimum length: 15

n Maximum length: 20

n At least one lowercase letter, one uppercase letter, a number, and one of the following
special characters: ! @ # $ ^ *

n Must NOT include:

n A dictionary word

n A palindrome

n More than four monotonic character sequences

n Three of the same consecutive characters
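A pre-check that applies the common requirements listed above to a candidate password before you type it into the Update Password dialog. This is an added example, not part of the VMware guide and not the check that SDDC Manager itself runs. The rules are the ones listed above; two details the list leaves open are assumptions: a "monotonic character sequence" is read as a run of adjacent characters whose code points step by exactly +1 or -1 (for example abcde or 54321), and the dictionary is a constructed six-word stand-in for a real word list such as /usr/share/dict/words.

```python
"""Pre-check a candidate password against the common policy in this section.

Added example, not from the VMware guide. The 'monotonic sequence' reading and
the tiny DICTIONARY below are assumptions; swap in a real word list.
"""
import re

SPECIALS = set("!@#$^*")
# Constructed stand-in for a real word list.
DICTIONARY = {"password", "vmware", "welcome", "admin", "summer", "qwerty"}


def is_palindrome(s):
    return len(s) > 1 and s == s[::-1]


def max_repeat_run(s):
    """Longest run of one repeated character, e.g. 'aaab' -> 3."""
    best = run = 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best if s else 0


def max_monotonic_run(s):
    """Longest run whose code points step by +1 or -1, e.g. 'abcd9' -> 4."""
    best = 1 if s else 0
    run, direction = 1, 0
    for prev, cur in zip(s, s[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1) and step == direction:
            run += 1                      # continues the current sequence
        elif step in (1, -1):
            run, direction = 2, step      # starts a new sequence with prev, cur
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def contains_dictionary_word(s, words=DICTIONARY, min_len=4):
    low = s.lower()
    return any(w in low for w in words if len(w) >= min_len)


def check_password(pw):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < 15:
        problems.append("shorter than 15 characters")
    if len(pw) > 20:
        problems.append("longer than 20 characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character from ! @ # $ ^ *")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if is_palindrome(pw):
        problems.append("is a palindrome")
    if max_monotonic_run(pw) > 4:
        problems.append("contains a monotonic sequence longer than four characters")
    if max_repeat_run(pw) >= 3:
        problems.append("repeats a character three times in a row")
    return problems


if __name__ == "__main__":
    for candidate in ("VMware1!VMware1!", "Xq7#mZ2@pL9$wR4^", "Abcdefg12345!!AA"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Run the check locally on a workstation, not by pasting the candidate password into a shared shell or ticket; the function returns every violated rule at once so you can fix them in one pass rather than discovering them one rejection at a time.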

Prerequisites

n Verify that there are no currently failed workflows in your VMware Cloud Foundation system.
To check for failed workflows, click Dashboard in the navigation pane and expand the Tasks
pane at the bottom of the page.

n Verify that no active workflows are running or are scheduled to run during the manual
password update.

n Only a user with the ADMIN role can perform this task. For more information about roles, see
Chapter 24 Managing Users and Groups in VMware Cloud Foundation.

Procedure

1 From the navigation pane, select Security > Password Management.

2 Select the account whose password you want to update, click the vertical ellipsis (three dots),
and click Update Password.

3 Enter and confirm the new password.

4 Click Update.

A message appears at the top of the page showing the progress of the operation. The Tasks
panel also shows detailed status of the password update operation. To view sub-tasks, click
the task name.

Results

Password update is complete when all sub-tasks are completed successfully.


Remediate Passwords
When an error occurs, for example after a password expires, you must manually reset the
password in the component product. After you reset the password in a component, you must
remediate the password in SDDC Manager to update the password in the SDDC Manager
database and the dependent VMware Cloud Foundation workflows.

To resolve any errors that might have occurred during password rotation or update, you must
use password remediation. Password remediation syncs the password of the account stored in
the SDDC Manager with the updated password in the component.

Note You can remediate the password for only one account at a time.

Although the individual VMware Cloud Foundation components support different password
requirements, you must set passwords following a common set of requirements across all
components.

For information on updating passwords manually, see Manually Update Passwords.

Prerequisites

n Verify that your VMware Cloud Foundation system contains no failed workflows. To check for
failed workflows, click Dashboard in the navigation pane and expand the Tasks pane at the
bottom of the page.

n Verify that no workflows are running or are scheduled to run while you remediate the
password.

n Only a user with the ADMIN role can perform this task. For more information about roles, see
Chapter 24 Managing Users and Groups in VMware Cloud Foundation.

Procedure

1 From the navigation pane, select Security > Password Management.

2 Select the account whose password you want to remediate, click the vertical ellipsis (three
dots), and click Remediate Password.

The Remediate Password dialog box appears. This dialog box displays the entity name,
account type, credential type, and user name, in case you must confirm you have selected
the correct account.

3 Enter and confirm the password that was set manually on the component.

4 Click Remediate.

A message appears at the top of the page showing the progress of the operation. The Tasks
panel also shows detailed status of the password remediation operation. To view sub-tasks,
click the task name.

Results

Password remediation is complete when all sub-tasks are completed successfully.


Look Up Account Credentials


To look up the account credentials for the built-in accounts that are managed and rotated
by SDDC Manager, you can log in to the SDDC Manager appliance using any SDDC Manager
account credentials.

Prerequisites

Only a user with the ADMIN role can perform this task.

Procedure

1 SSH in to the SDDC Manager appliance using the vcf user account.

2 (Optional) Change to the /usr/bin directory.

Note Although the password management CLI commands are located in /usr/bin, you can
run them from any directory.

3 Obtain the account credentials list by typing the command:

lookup_passwords

You must enter the user name and password for a user with the ADMIN role.

Note Accounts with type USER and SYSTEM will be displayed.

4 (Optional) Save the command output to a secure location with encryption so that you can
access it later and use it to log in to the accounts as needed.

Updating SDDC Manager Passwords


The process for updating SDDC Manager passwords varies, depending on which account you are
updating.

n Update SDDC Manager Root and Super User Passwords

For security reasons, you can change passwords for the SDDC Manager root (root) and
super user (vcf) accounts. Changing these passwords periodically or when certain events
occur, such as an administrator leaving your organization, reduces the likelihood of security
vulnerabilities.

n Update SDDC Manager Local Account Password

The SDDC Manager local account is used to access VMware Cloud Foundation APIs when
the management vCenter Server is down. For security reasons, you should periodically
update the password for this account.

n Update Expired SDDC Manager Root Password

This section describes the procedure for updating an expired password for the SDDC
Manager root (root) user.


Update SDDC Manager Root and Super User Passwords


For security reasons, you can change passwords for the SDDC Manager root (root) and super
user (vcf) accounts. Changing these passwords periodically or when certain events occur, such
as an administrator leaving your organization, reduces the likelihood of security vulnerabilities.

The SDDC Manager root password expires after 90 days.

Procedure

1 SSH in to the SDDC Manager VM using the vcf user account.

2 Enter su to switch to the root user.

3 Enter one of the following commands:

Option Description

passwd vcf To change the super user password.

passwd root To change the root password.

4 Enter and retype the new password. For example:

root@sddc-manager [ /home/vcf ]# passwd vcf
New password:
Retype new password:
passwd: password updated successfully

Results

The password is updated.

Update SDDC Manager Local Account Password


The SDDC Manager local account is used to access VMware Cloud Foundation APIs when the
management vCenter Server is down. For security reasons, you should periodically update the
password for this account.

Password requirements for the SDDC Manager local account:

n At least 15 characters

n No more than 127 characters

n At least one lowercase letter

n At least one uppercase letter

n At least one digit

n At least one special character, such as @ ! # $ % ^ or ?

n A character cannot be repeated more than 3 times consecutively


Procedure

1 Log in to the SDDC Manager UI as a user with the ADMIN role.

For more information about roles, see Chapter 24 Managing Users and Groups in VMware
Cloud Foundation.

2 Click Developer Center > API Explorer.

3 Expand APIs for managing Users.

4 Expand PATCH /v1/users/local/admin.

5 In the Description/Data Type column, click LocalAccountPasswordInfo{...}.

6 In the Value box, type the new and old passwords and click Execute.

7 Click Continue to confirm.

A response of Status: 204, No Content indicates that the password was successfully
updated.

Update Expired SDDC Manager Root Password


This section describes the procedure for updating an expired password for the SDDC Manager
root (root) user.

The password must meet the following requirements:

n Minimum length 15 characters

n Must include:

n mix of uppercase and lowercase letters

n a number

n a special character, such as @ ! # $ % ^ or ?

n Must not include:

n *{}[]()/\'"`~,;:.<>

n A dictionary word (for example, VMware1!)

Procedure

1 In a web browser, log in to the management domain vCenter Server using the vSphere Client
(https://<vcenter_server_fqdn>/ui).

2 In the VMs and Templates inventory, expand the management domain vCenter Server and
the management virtual machines folder.

3 Right-click the SDDC Manager virtual machine, and select Open Remote Console.

4 Click within the console window and press Enter on the Login menu item.

5 Type root as the user name and enter the current password for the root user.


6 Type passwd root.

7 When prompted for a new password, enter a different password than the previous one and
click Enter.



26 Backing Up and Restoring SDDC Manager and NSX Manager
Regular backups of the management VMs are important to avoid downtime and data loss in case
of a system failure. If a VM does fail, you can restore it to the last backup.

You can backup and restore SDDC Manager with an image-based or a file-based solution. File-
based backup is recommended for customers who are comfortable with configuring backups
using APIs, and are not using composable servers.

For a file-based backup of SDDC Manager VM, the state of the VM is exported to a file that
is stored in a domain different than the one where the product is running. You can configure
a backup schedule for the SDDC Manager VM and enable task-based (state-change driven)
backups. When task-based backups are enabled, a backup is triggered after each SDDC Manager
task (such as workload domain and host operations or password rotation).

You can also define a backup retention policy to comply with your company's retention policy.
For more information, see the VMware Cloud Foundation on Dell VxRail API Reference Guide.

By default, NSX Manager file-based backups are taken on the SFTP server that is built into SDDC
Manager. It is recommended that you configure an external SFTP server as a backup location for
the following reasons:

n An external SFTP server is a prerequisite for restoring SDDC Manager file-based backups.

n Using an external SFTP server provides better protection against failures because it
decouples NSX backups from SDDC Manager backups.

This section of the documentation provides instructions on backing up and restoring SDDC
Manager, and on configuring the built-in automation of NSX backups. For information on backing
up and restoring a full-stack SDDC, see VMware Validated Design Backup and Restore.

Read the following topics next:

n Reconfigure SFTP Backups for SDDC Manager and NSX Manager

n File-Based Backups for SDDC Manager and vCenter Server

n File-Based Restore for SDDC Manager, vCenter Server, and NSX

n Image-Based Backup and Restore of VMware Cloud Foundation


Reconfigure SFTP Backups for SDDC Manager and NSX Manager

By default, backups of SDDC Manager and NSX Manager are stored in the SDDC Manager
appliance. Change the destination of the backups to an external SFTP server.

Prerequisites

n Only a user with the ADMIN role can perform this task. See Chapter 24 Managing Users and
Groups in VMware Cloud Foundation.

n The external SFTP server must support a 256-bit length ECDSA SSH public key.

n The external SFTP server must support a 2048-bit length RSA SSH public key.

n You will need the SHA256 fingerprint of the SFTP server's RSA host key, obtained on the
server itself or through another trusted channel, so that you can verify the fingerprint
SDDC Manager retrieves.

n Host Key algorithms: At least one of rsa-sha2-512 or rsa-sha2-256 and one of ecdsa-sha2-
nistp256, ecdsa-sha2-nistp384, or ecdsa-sha2-nistp521.

n Additional prerequisites when FIPS Security Mode is enabled on SDDC Manager:

Algorithms and Ciphers Required when FIPS Security Mode is Enabled

Kex Algorithms                                  At least one of:
                                                n diffie-hellman-group-exchange-sha256
                                                n ecdh-sha2-nistp256
                                                n ecdh-sha2-nistp384
                                                n ecdh-sha2-nistp521

Message Authentication Code (MAC) Algorithms    hmac-sha2-256

Ciphers                                         At least one of:
                                                n TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
                                                n TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
                                                n TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
                                                n TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
                                                n TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
                                                n TLS_RSA_WITH_AES_128_CBC_SHA256
                                                n TLS_RSA_WITH_AES_256_CBC_SHA256
                                                n TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
                                                n TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
                                                n TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
                                                n TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                                                n TLS_AES_128_GCM_SHA256
                                                n TLS_AES_256_GCM_SHA384

Note SHA1 algorithms are not supported.

Procedure

1 In the navigation pane, click Administration > Backup.


2 On the Backup page, click the Site Settings tab and then click Register External.

3 On the Backup page, enter the settings and click Save.

To obtain the SSH fingerprint of the target system so that you can verify it, connect to the
SDDC Manager appliance over SSH and run the following command:

ssh-keygen -lf <(ssh-keyscan -p 22 -t rsa sftp_server_fqdn 2> /dev/null) | cut -d' ' -f2

This command queries the live SFTP server, so it only proves what the appliance currently
sees on the network. Before you confirm the fingerprint, compare the output with the
fingerprint taken on the SFTP server itself (for example, ssh-keygen -lf
/etc/ssh/ssh_host_rsa_key.pub on that host). A mismatch means the appliance is not
talking to the server you expect, and you should stop and investigate rather than confirm.

Setting                  Value

Host FQDN or IP          The FQDN or IP address of the SFTP server.

Port                     22

Transfer Protocol        SFTP

Username                 A service account with privileges to the SFTP server.
                         For example: svc-vcf-bck.

Password                 The password for the username provided.

Backup Directory         The directory on the SFTP server where backups are saved.
                         For example: /backups/.

SSH Fingerprint          The SSH fingerprint is automatically retrieved from the SFTP server.
                         Verify it against the fingerprint you obtained from the server before
                         continuing.

Confirm Fingerprint      Selected

Encryption Passphrase    The encryption passphrase used to encrypt the backup data.

                         Note Store the encryption passphrase safely, for example in a
                         secrets manager, as it is required during the restore process.

4 In the Confirm your changes to backup settings dialog box, click Confirm.
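The fingerprint SDDC Manager shows in the SSH Fingerprint field is the OpenSSH SHA256 form of the server's RSA host key, the same value the ssh-keygen pipeline above prints. The following script derives that value from a host-key line you obtained out of band (a line from ssh-keyscan output, a known_hosts entry, or the contents of /etc/ssh/ssh_host_rsa_key.pub prefixed with the host name) and compares it with the fingerprint the UI auto-filled, and also reports the modulus size so you can confirm the 2048-bit requirement listed in the prerequisites. This is an added example, not code from the VMware guide; the sample key line it carries is constructed from a fixed seed and is not a real server key.

```python
"""Derive and verify the SHA256 host-key fingerprint that SDDC Manager shows.

Added example, not from the VMware guide. The sample key is constructed from a
fixed seed (random-looking modulus), not a real SFTP server's host key.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n):
    """SSH wire 'mpint': minimal big-endian bytes with a leading 0x00 if needed."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e, n):
    """Wire format of an ssh-rsa public key: string 'ssh-rsa', mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_sha256(blob):
    """OpenSSH display form: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_from_line(line):
    """Parse '<host> ssh-rsa <base64>' (ssh-keyscan output or a known_hosts line)."""
    fields = line.split()
    if len(fields) < 3 or fields[1] != "ssh-rsa":
        raise ValueError("expected '<host> ssh-rsa <base64>' (RSA host key only)")
    blob = base64.b64decode(fields[2], validate=True)
    if not blob.startswith(ssh_string(b"ssh-rsa")):
        raise ValueError("blob does not carry the ssh-rsa type string")
    return blob


def rsa_modulus_bits(blob):
    """Walk the three wire fields and return the modulus size in bits."""
    off, parts = 0, []
    for _ in range(3):
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        parts.append(blob[off:off + length])
        off += length
    return int.from_bytes(parts[2], "big").bit_length()


def fingerprint_from_keyscan_line(line):
    return fingerprint_sha256(blob_from_line(line))


def fingerprint_matches(line, expected):
    """Constant-time comparison against the value recorded out of band."""
    return hmac.compare_digest(fingerprint_from_keyscan_line(line), expected.strip())


# Constructed sample: a 2048-bit odd modulus derived from a fixed seed, not a real key.
_SAMPLE_N = int.from_bytes(hashlib.shake_256(b"sample").digest(256), "big") | (1 << 2047) | 1
SAMPLE_LINE = "sftp.example.com ssh-rsa " + base64.b64encode(
    rsa_public_blob(65537, _SAMPLE_N)).decode()

if __name__ == "__main__":
    fp = fingerprint_from_keyscan_line(SAMPLE_LINE)
    print("fingerprint:", fp)
    print("modulus bits:", rsa_modulus_bits(blob_from_line(SAMPLE_LINE)))
    print("matches UI value?", fingerprint_matches(SAMPLE_LINE, fp))
```

Feed it the key line you took from the server, not one fetched from the SDDC Manager side; the whole point of the comparison is that the two values come from independent paths.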

File-Based Backups for SDDC Manager and vCenter Server


You can use the native file-based backup capabilities of SDDC Manager, vCenter Server, and NSX
Manager. The NSX Manager backup is configured by SDDC Manager during the bring-up process.
You configure the file-based backup jobs for SDDC Manager and vCenter Server.

To ensure that all management components are backed up correctly, you must create a series
of backup jobs that capture the state of a set of related components at a common point in
time. With some components, simultaneous backups of the component nodes ensure that you
can restore the component to a state where the nodes are logically consistent with each other,
which eliminates the need for further logical integrity remediation of the component.


Table 26-1. File-Based Backup Jobs

Component                    Recommended Frequency   Recommended Retention           Notes

SDDC Manager                 Daily                   7 days                          You must configure the backup jobs for the
                                                                                     SDDC Manager instance and all vCenter Server
vCenter Server               Daily                   7 days                          instances in the vCenter Single Sign-On domain
                                                                                     to start within the same 5-minute window.

vSphere Distributed Switch   On-demand               Retain last 3 configurations.   -

NSX Manager                  Hourly                  7 days                          Configured by SDDC Manager during the bring-up
                                                                                     process.

Note
n You must monitor the space utilization on the SFTP server to ensure that you have sufficient
storage space to accommodate all backups taken within the retention period.

n Do not make any changes to the /opt/vmware/vcf directory on the SDDC Manager VM. If
this directory contains any large files, backups may fail.

Prerequisites

Verify that you have an SFTP server on the network to serve as a target of the file-based
backups.

Back Up SDDC Manager


You configure file-based daily backups of the SDDC Manager instances using the SDDC Manager
administration interface.

Only a user with the ADMIN role can perform this task.

Procedure

1 In the navigation pane, click Administration > Backup.

2 On the Backup page, click the SDDC Manager Configurations tab.

3 Under Backup Schedule, click Edit.

4 On the Backup Schedule page, enter the settings and click Save.

Setting                          Value

Automatic Backup                 Enabled

Backup Frequency                 Weekly

Days of the Week                 All selected

Schedule Time                    04:02 AM

Take Backup on State Change      Enabled

Retain Last Backups              7

Retain Hourly Backups for Days   1

Retain Daily Backups for Days    7

5 To verify the backup, click Backup Now.

Results

The status and the start time of the backup is displayed on the UI. You have set the SDDC
Manager backup schedule to run daily at 04:02 AM and after each change of state.

If the backup is unsuccessful, verify that the SFTP server is reachable and able to present its
SSH host key:

n SSH to the SDDC Manager appliance and run the following command as the root user:

sftp username@sftp_server_ip

Enter the SFTP user password when prompted. The following message indicates a successful
connection:

Connected to username@sftp_server_ip.

n To check that the SFTP server SSH fingerprint is available, run:

ssh-keygen -lf <(ssh-keyscan -t ssh-rsa -p port_number sftp_server_ip 2>/dev/null)

Configure a Backup Schedule for vCenter Server


You configure file-based daily backups of the vCenter Server instances by using the vCenter
Server Management Interface of each vCenter Server instance.

Procedure

1 In a web browser, log in to the vCenter Server Management Interface
(https://appliance-IP-address-or-FQDN:5480).

2 In the left navigation pane, click Backup.

3 In the Backup schedule pane, click Configure.


4 In the Create backup schedule dialog box, enter these values and click Create.

Setting                                                     Value

Backup location                                             Enter the backup location on the SFTP server.
                                                            For example: sftp://172.16.11.60/backups/

Backup server credentials    User name                      A service account with privileges to the SFTP server.
                                                            For example: svc-vcf-bck.

                             Password                       Enter the password for the username provided.

Schedule                                                    Daily 11:00 PM

Encrypt backup               Encryption password            encryption_password

                             Confirm password               encryption_password

Number of backups to retain                                 Retain last 7 backups

Data                         Stats, events, and tasks       Selected

                             Inventory and configuration    Selected

The backup schedule information appears in the Backup schedule pane.

5 Repeat the procedure for the other vCenter Server instances.

Results

Any complete and in-progress backup appears in the Activity pane.

Manually Back Up vCenter Server


Before you upgrade a vCenter Server instance, you should use the vCenter Server Management
Interface to manually back it up.

Prerequisites

n In the vSphere Client, for each vSphere cluster that is managed by the vCenter Server, note
the current vSphere DRS Automation Level setting and then change the setting to Manual.
After the vCenter Server upgrade is complete, you can change the vSphere DRS Automation
Level setting back to its original value. See KB 87631 for information about using VMware
PowerCLI to change the vSphere DRS Automation Level.

n Ensure that there are not any active vMotion tasks.

Procedure

1 In a web browser, log in to the vCenter Server Management Interface
(https://appliance-IP-address-or-FQDN:5480).


2 In the left navigation pane, click Backup.

3 Click Backup Now.

4 If you already have a backup schedule set up, select Use backup location and user name
from backup schedule and click Start.

5 If you do not already have a backup schedule, enter the following information and click Start.

Setting                                                     Value

Backup location                                             Enter the backup location on the SFTP server.
                                                            For example: sftp://172.16.11.60/backups/

Backup server credentials    User name                      A service account with privileges to the SFTP server.
                                                            For example: svc-vcf-bck.

                             Password                       Enter the password for the username provided.

Encrypt backup               Encryption password            encryption_password

                             Confirm password               encryption_password

Data                         Stats, events, and tasks       Selected

                             Inventory and configuration    Selected

What to do next

In order to restore vCenter Server, you will need the VMware vCenter Server Appliance ISO file
that matches the version you backed up.

n Identify the required vCenter Server version. In the vCenter Server Management Interface,
click Summary in the left navigation pane to see the vCenter Server version and build
number.

n Download the VMware vCenter Server Appliance ISO file for that version from the Broadcom
Support Portal.

Export the Configuration of the vSphere Distributed Switches


The vCenter Server backup includes the configuration of the entire vCenter Server instance. To
have a backup only of the vSphere Distributed Switch and distributed port group configurations,
you export a configuration file that includes the validated network configurations. If you want to
recover only the vSphere Distributed Switch, you can import this configuration file to the vCenter
Server instance.

You can use the exported file to create multiple copies of the vSphere Distributed Switch
configuration on an existing deployment, or overwrite the settings of existing vSphere
Distributed Switch instances and port groups.


You must back up the configuration of a vSphere Distributed Switch immediately after each
change to the configuration of that switch.

Procedure

1 In a web browser, log in to vCenter Server by using the vSphere Client.

2 Select Menu > Networking.

3 In the inventory, expand vCenter Server > Datacenter.

4 Expand the Management Networks folder, right-click the distributed switch, and select
Settings > Export configuration.

5 In the Export configuration dialog box, select Distributed switch and all port groups.

6 In the Description text box enter the date and time of export, and click OK.

7 Copy the backup zip file to a secure location from where you can retrieve the file and use it if
a failure of the appliance occurs.

8 Repeat the procedure for the other vSphere Distributed Switches.

File-Based Restore for SDDC Manager, vCenter Server, and NSX
When SDDC Manager, vCenter Server, or NSX Manager in the SDDC fails, you can restore the
component to a fully operational state by using its file-based backup. When an NSX Edge node
fails, you redeploy the node from the NSX Manager instance.

Use this guidance as appropriate based on the exact nature of the failure encountered within
your environment. Sometimes, you can recover localized logical failures by restoring individual
components. In more severe cases, such as a complete and irretrievable hardware failure,
to restore the operational status of your SDDC, you must perform a complex set of manual
deployments and restore sequences. In failure scenarios where there is a risk of data loss, there
has already been data loss or where it involves a catastrophic failure, contact Broadcom Support
to review your recovery plan before taking any steps to remediate the situation.

Restore SDDC Manager


If SDDC Manager fails, you can restore it from its file-based backup.

Prerequisites

n Power off and rename the failed SDDC Manager instance.

n Verify that you have a valid file-based backup of the failed SDDC Manager instance.

To be valid, the backup must be of the same version as the version of the SDDC Manager
appliance on which you plan to restore the instance.

n Verify that you have the SFTP server details:

n SFTP Server IP

n SFTP Server Username

n SFTP Server Password

n Encryption Password

Procedure

1 Prepare for Restoring SDDC Manager


Before restoring SDDC Manager, you must download and decrypt the encrypted backup file
from the SFTP server.

2 Restore SDDC Manager from a File-Based Backup


First, you deploy a new SDDC Manager appliance by using the OVA file that you
downloaded during the preparation for the restore. After that, you restore the file-based
backup on the newly deployed SDDC Manager appliance.

3 Validate the Status of SDDC Manager


After a successful restore of SDDC Manager, you must validate its status. You run the health
checks by using the sos tool.

What to do next

After a successful recovery, securely delete the decrypted backup files.

Prepare for Restoring SDDC Manager


Before restoring SDDC Manager, you must download and decrypt the encrypted backup file
from the SFTP server.

The backup file contains sensitive data about your VMware Cloud Foundation instance, including
passwords in plain text. As a best practice, you must control access to the decrypted files and
securely delete them after you complete the restore operation.

Prerequisites

Verify that your host machine with access to the SDDC has OpenSSL installed.

Note The procedures have been written based on the host machine being a Linux-based
operating system.

Procedure

1 Identify the backup file for the restore and download it from the SFTP server to your host
machine.

2 On your host machine, open a terminal and run the following command to decrypt and extract
the content of the backup file.

OPENSSL_FIPS=1 openssl enc -d -aes-256-cbc -md sha256 -in filename-of-restore-file | tar -xz

3 When prompted, enter the encryption_password.

4 In the extracted folder, locate and open the metadata.json file in a text editor.

5 Locate the sddc_manager_ova_location value and copy the URL.

6 In a web browser, paste the URL and download the OVA file.

7 In the extracted folder, locate and view the contents of the security_password_vault.json file.

8 Locate the entityType BACKUP value and record the backup password.

Restore SDDC Manager from a File-Based Backup


First, you deploy a new SDDC Manager appliance by using the OVA file that you downloaded
during the preparation for the restore. After that, you restore the file-based backup on the newly
deployed SDDC Manager appliance.

Procedure

1 In a web browser, log in to management domain vCenter Server by using the vSphere Client
(https://<vcenter_server_fqdn>/ui).

2 Select Menu > VMs and templates.

3 In the inventory expand vCenter Server > Datacenter.

4 Right-click the management folder and select Deploy OVF template.

5 On the Select an OVF template page, select Local file, click Upload files, browse to the
location of the SDDC Manager OVA file, click Open, and click Next.

6 On the Select a name and folder page, in the Virtual machine name text box, enter a virtual
machine name, and click Next.

7 On the Select a compute resource page, click Next.

8 On the Review details page, review the settings and click Next.

9 On the License agreements page, accept the license agreement and click Next.

10 On the Select storage page, select the vSAN datastore and click Next.

The datastore must match the vsan_datastore value in the metadata.json file that you
downloaded during the preparation for the restore.

11 On the Select networks page, from the Destination network drop-down menu, select the
management network distributed port group and click Next.

The distributed port group must match the port_group value in the metadata.json file that
you downloaded during the preparation for the restore.

12 On the Customize template page, enter the following values and click Next.

Setting                                Description

Enter root user password               You can use the original root user password or a new password.

Enter login (vcf) user password        You can use the original vcf user password or a new password.

Enter basic auth user password         You can use the original admin user password or a new password.

Enter backup (backup) user password    The backup password that you saved during the preparation for the
                                       restore. This password can be changed later if desired.

Enter Local user password              You can use the original Local user password or a new password.

Hostname                               The FQDN must match the hostname value in the metadata.json file
                                       that you downloaded during the preparation for the restore.

NTP sources                            The NTP server details for the appliance.

Enable FIPS                            Selected

Default gateway                        The default gateway for the appliance.

Domain name                            The domain name for the appliance.

Domain search path                     The domain search path(s) for the appliance.

Domain name servers                    The DNS servers for the appliance.

Network 1 IP address                   The IP address for the appliance.

Network 1 netmask                      The subnet mask for the appliance.

13 On the Ready to complete page, click Finish and wait for the process to complete.

14 When the SDDC Manager appliance deployment completes, expand the management folder.

15 Right-click the SDDC Manager appliance and select Snapshots > Take Snapshot.

16 Right-click the SDDC Manager appliance, select Power > Power On.

17 On the host machine, copy the encrypted backup file to the /tmp folder on the newly
deployed SDDC Manager appliance by running the following command. When prompted,
enter the vcf_user_password.

scp filename-of-restore-file vcf@sddc_manager_fqdn:/tmp/

18 On the host machine, obtain an authentication token from the SDDC Manager appliance, which
is required to start the restore process, by running the following command:

TOKEN=`curl https://<sddc_manager_fqdn>/v1/tokens -k -X POST -H "Content-Type: application/json" -d '{"username": "admin@local","password": "<admin@local_password>"}' | awk -F "\"" '{ print $4}'`

19 On the host machine with access to the SDDC Manager, open a terminal and run the
command to start the restore process.

curl https://<sddc_manager_fqdn>/v1/restores/tasks -k -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" \
-d '{
  "elements" : [ {
    "resourceType" : "SDDC_MANAGER"
  } ],
  "backupFile" : "<backup_file>",
  "encryption" : {
    "passphrase" : "<encryption_password>"
  }
}'

The command output contains the ID of the restore task.

20 Record the ID of the restore task.

21 Monitor the restore task by using the following command until the status becomes
Successful.

curl https://<sddc_manager_fqdn>/v1/restores/tasks/<restore_task_id> -k -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN"

What to do next

Refresh the SSH keys that are stored in the SDDC Manager inventory. See VMware Cloud
Foundation SDDC Manager Recovery Scripts (79004).

Validate the Status of SDDC Manager


After a successful restore of SDDC Manager, you must validate its status. You run the health
checks by using the sos tool.

Procedure

1 Log in to SDDC Manager by using a Secure Shell (SSH) client.

2 Run the health checks by using the SoS tool.

sudo /opt/vmware/sddc-support/sos --health-check

3 When prompted, enter the vcf_password.

All tests show green when SDDC Manager is in healthy state.

4 Manually delete the snapshot created in Restore SDDC Manager from a File-Based Backup.

What to do next

Refresh the SSH keys that are stored in the SDDC Manager inventory. See VMware Cloud
Foundation SDDC Manager Recovery Scripts (79004).

Restore vCenter Server


If a vCenter Server instance fails, you can restore it from its file-based backup.

Prerequisites

n Power off and rename the failed vCenter Server instance.

n Verify that you have a valid file-based backup of the failed vCenter Server instance.

To be valid, the backup must be of the same version as the vCenter Server Appliance on which you
plan to restore the instance.

n Verify that you have the SFTP server details:

n SFTP Server IP

n SFTP Server Username

n SFTP Server Password

n Encryption Password

Procedure

1 Prepare for Restoring vCenter Server


Before restoring a vCenter Server instance, you must retrieve the vCenter Server build
number and deployment details, as well as vCenter Server and ESXi credentials from the
SDDC Manager inventory.

2 Restore a vCenter Server Instance from a File-Based Backup


If a vCenter Server instance fails, you can restore it from its file-based backup. If the
management domain vCenter Server and the VI workload domain vCenter Server are both
in a failed state, you must restore the management domain vCenter Server before restoring
the VI workload domain vCenter Server.

3 Move the Restored vCenter Server Appliance to the Correct Folder


After deploying and restoring a vCenter Server instance, you must move the new appliance
to the correct folder.

4 Validate the vCenter Server State


After restoring a vCenter Server instance, you must validate the state of the vCenter Server
and vCenter Single Sign-On.

5 Validate the SDDC Manager State After a vCenter Server Restore


After a successful vCenter Server restore, verify that the SDDC Manager inventory is
consistent with the recovered VMs and that the vCenter Server instances are healthy. You
use the Supportability and Serviceability tool (SoS) and the SDDC Manager patch/upgrade
precheck function.

Prepare for Restoring vCenter Server


Before restoring a vCenter Server instance, you must retrieve the vCenter Server build number
and deployment details, as well as vCenter Server and ESXi credentials from the SDDC Manager
inventory.

Prerequisites

SDDC Manager must be available.

Retrieve the vCenter Server Deployment Details


Before restoring a vCenter Server instance, you must retrieve the vCenter Server build number
and deployment details from the SDDC Manager inventory. The vCenter Server instances in your
system might be running different build numbers if the backups are taken during an upgrade
process. You must restore each vCenter Server instance to its correct version.

Because the Management domain vCenter Server might be unavailable to authenticate the login,
you use the SDDC Manager API via the shell to retrieve this information.

Procedure

1 Log in to SDDC Manager by using a Secure Shell (SSH) client.

2 Run the command to get the list of vCenter Server instances.

curl http://localhost/inventory/vcenters -k | json_pp

3 For each vCenter Server instance, record the values of these settings.

Setting Value

domainType Name of the domain

vmName VM name of the vCenter Server

managementIpAddress IP address of the vCenter Server

datastoreForVmDeploymentName Datastore name

hostName FQDN of the vCenter Server

version version_number-build_number

Size Size of the deployment

4 Verify that the vCenter Server version retrieved from SDDC Manager is the same as the
version associated with the backup file that you plan to restore.

Retrieve the Credentials for Restoring vCenter Server


Before restoring a vCenter Server instance, you must retrieve the vCenter Server root and
vCenter Single Sign-On administrator credentials from the SDDC Manager inventory. Before
restoring the Management domain vCenter Server, you must also retrieve the credentials of a
healthy Management domain ESXi host.

Before you can query the SDDC Manager API, you must obtain an API access token by using the
admin@local account.

Prerequisites

Note If SDDC Manager is not operational, you can retrieve the required vCenter Server root,
vCenter Single Sign-On administrator, and ESXi root credentials from the file-based backup of
SDDC Manager. See Prepare for Restoring SDDC Manager.

Procedure

1 Log in to your host machine with access to the SDDC and open a terminal.

2 Obtain the API access token.

a Run the command to obtain an access token by using the admin@local credentials.

TOKEN=`curl https://<sddc_manager_fqdn>/v1/tokens -k -X POST -H "Content-Type: application/json" -d '{"username": "admin@local","password": "admin@local_password"}' | awk -F "\"" '{print $4}'`

The command returns an access token and a refresh token.

b Record the access token.

3 Retrieve the vCenter Server root credentials.

a Run the following command to retrieve the vCenter Server root credentials.

curl https://<sddc_manager_fqdn>/v1/credentials?resourceType=VCENTER -k -X GET -H "Accept: application/json" -H "Authorization: Bearer $TOKEN" | json_pp

The command returns the vCenter Server root credentials.

Setting Value

domainName Name of the domain

resourceName FQDN of the vCenter Server

username root

password vcenter_server_root_password

b Record the vCenter Server root credentials.

4 Retrieve the vCenter Single Sign-On administrator credentials.

a Run the following command to retrieve the vCenter Single Sign-On administrator
credentials.

curl https://<sddc_manager_fqdn>/v1/credentials?resourceType=PSC -k -X GET -H "Accept: application/json" -H "Authorization: Bearer $TOKEN" | json_pp

The command returns the administrator@vsphere.local credentials.

Setting Value

domainName Name of the domain

resourceName FQDN of the vCenter Server

username administrator@vsphere.local

password vsphere_admin_password

b Record the administrator@vsphere.local credentials.

5 If you plan to restore the management domain vCenter Server, retrieve the credentials for a
healthy management domain ESXi host.

a Run the following command to retrieve the credentials for a management domain ESXi
host.

curl https://<sddc_manager_fqdn>/v1/credentials?resourceType=ESXI -k -X GET -H "Accept: application/json" -H "Authorization: Bearer $TOKEN" | json_pp

The command returns the ESXi root credentials.

Setting Value for first ESXi host

domainName management domain name

resourceName FQDN of the first ESXi host

username root

password esxi_root_password

b Record the ESXi root credentials.
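
The SDDC Manager API calls in this section, together with the token, restore-task and polling calls in
Restore SDDC Manager from a File-Based Backup, can be driven from one small client. The following is an
added example and not code from the VMware guide. It keeps the guide's endpoints and the accessToken,
id, status and elements fields; the nested resource object in credential entries, the host names, and
every response returned by fake_transport are constructed assumptions so that the demo runs offline. Two
practitioner points are built in: the token is taken from the parsed JSON rather than by splitting the
response on quotes with awk, and the appliance certificate is verified by default instead of passing -k.
If the freshly deployed appliance only presents a self-signed certificate, point cafile at that certificate
rather than disabling verification on the channel that carries the restore passphrase.

```python
"""Client for the SDDC Manager REST calls used in the restore procedures: get a
token (/v1/tokens), start and poll a restore task (/v1/restores/tasks), and read
stored credentials (/v1/credentials?resourceType=...).

Added example, not code from the VMware guide. Paths, request bodies and the
accessToken/id/status/elements fields follow the guide's curl commands; the nested
"resource" object in credential entries and every fake_transport response are
constructed assumptions that let the demo run offline.
"""
import json
import ssl
import urllib.error
import urllib.request


class SddcManagerClient:
    def __init__(self, fqdn, transport=None, cafile=None):
        self.base = f"https://{fqdn}"
        self.transport = transport or self._urllib_transport
        # Verify the appliance certificate by default. The guide's curl -k disables
        # verification; pass the appliance certificate as cafile instead.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def _urllib_transport(self, method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    def _call(self, method, path, payload=None, token=None):
        headers = {"Content-Type": "application/json", "Accept": "application/json"}
        if token:
            headers["Authorization"] = f"Bearer {token}"
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self.transport(method, self.base + path, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path}: HTTP {status} {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    def get_token(self, username, password):
        # Parse JSON rather than awk -F '"' '{print $4}', which silently returns
        # the wrong field if the response layout changes.
        data = self._call("POST", "/v1/tokens", {"username": username, "password": password})
        return data["accessToken"]

    def start_restore(self, token, backup_file, passphrase):
        payload = {"elements": [{"resourceType": "SDDC_MANAGER"}],
                   "backupFile": backup_file,
                   "encryption": {"passphrase": passphrase}}
        return self._call("POST", "/v1/restores/tasks", payload, token)["id"]

    def restore_status(self, token, task_id):
        return self._call("GET", f"/v1/restores/tasks/{task_id}", token=token)["status"]

    def credentials(self, token, resource_type, resource_name=None):
        data = self._call("GET", f"/v1/credentials?resourceType={resource_type}", token=token)
        entries = data.get("elements", [])
        if resource_name:  # narrow to one appliance instead of reading json_pp output by eye
            entries = [e for e in entries
                       if e.get("resource", {}).get("resourceName") == resource_name]
        return entries


def fake_transport(method, url, headers, body):
    """Constructed responses standing in for an SDDC Manager appliance (offline demo)."""
    if url.endswith("/v1/tokens"):
        if json.loads(body) != {"username": "admin@local", "password": "VMw@re1!"}:
            return 401, b'{"errorCode": "UNAUTHORIZED"}'
        return 200, b'{"accessToken": "demo.access.token", "refreshToken": {"id": "r-1"}}'
    if headers.get("Authorization") != "Bearer demo.access.token":
        return 401, b'{"errorCode": "UNAUTHORIZED"}'
    if url.endswith("/v1/restores/tasks") and method == "POST":
        return 202, b'{"id": "task-42", "status": "IN_PROGRESS"}'
    if url.endswith("/v1/restores/tasks/task-42"):
        return 200, b'{"id": "task-42", "status": "Successful"}'
    if "resourceType=VCENTER" in url:
        return 200, json.dumps({"elements": [
            {"resource": {"resourceName": "vc01.rainpole.io", "domainName": "mgmt"},
             "username": "root", "password": "constructed-root-pw"},
            {"resource": {"resourceName": "vc02.rainpole.io", "domainName": "wld01"},
             "username": "root", "password": "constructed-root-pw-2"}]}).encode()
    return 404, b"{}"


def demo():
    client = SddcManagerClient("sddc-manager.rainpole.io", transport=fake_transport)
    token = client.get_token("admin@local", "VMw@re1!")
    task = client.start_restore(token, "/tmp/vcf-backup-constructed.tar.gz", "passphrase")
    status = client.restore_status(token, task)
    roots = client.credentials(token, "VCENTER", resource_name="vc01.rainpole.io")
    return token, task, status, [e["username"] for e in roots]


if __name__ == "__main__":
    # Against a real appliance, read the admin@local password with getpass.getpass()
    # rather than putting it on the command line, where it lands in shell history.
    print(demo())  # ('demo.access.token', 'task-42', 'Successful', ['root'])
```

Against a live appliance, replace fake_transport with the default transport by constructing
SddcManagerClient("<sddc_manager_fqdn>", cafile="<appliance_cert.pem>") and poll restore_status()
until it returns Successful; anything the call raises carries the HTTP status and the start of the
error body, which is what you need when the restore task is rejected.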

Restore a vCenter Server Instance from a File-Based Backup


If a vCenter Server instance fails, you can restore it from its file-based backup. If the management
domain vCenter Server and the VI workload domain vCenter Server are both in a failed state, you
must restore the management domain vCenter Server before restoring the VI workload domain
vCenter Server.

You deploy a new vCenter Server appliance and perform a file-based restore. If you are restoring
the management domain vCenter Server, you deploy the new appliance on a healthy ESXi host
in the management domain vSAN cluster. If you are restoring the VI workload domain vCenter
Server, you deploy the new appliance on the management domain vCenter Server.

Prerequisites

n Download the vCenter Server ISO file for the version of the failed instance. See Retrieve the
vCenter Server Deployment Details.

n If you are recovering the VI workload domain vCenter Server, verify that the management
vCenter Server is available.

Procedure

1 Mount the vCenter Server ISO image to your host machine with access to the SDDC and run
the UI installer for your operating system.

For example, for a Windows host machine, open the dvd-drive:\vcsa-ui-installer\win32\installer
application file.

2 Click Restore.

3 Complete the Restore - Stage 1: Deploy vCenter Server wizard.

a On the Introduction page, click Next.

b On the End user license agreement page, select the I accept the terms of the license
agreement check box and click Next.

c On the Enter backup details page, enter these values and click Next.

Setting                     Value for vCenter Server

Location or IP/hostname     sftp://sftp_server_ip/backups/vCenter/sn_vc_fqdn/backup_folder/

User name                   vSphere service account user

Password                    vsphere-service-account-password

d On the Review backup information page, review the backup details, record the vCenter
Server configuration information, and click Next.

You use the vCenter Server configuration information at a later step to determine the
deployment size for the new vCenter Server appliance.

e On the vCenter Server deployment target page, enter the values by using the
information that you retrieved during the preparation for the restore, and click Next.

Setting                            Value for Management Domain vCenter Server   Value for VI Workload Domain vCenter Server

ESXi host or vCenter Server name   FQDN of the first ESXi host                  FQDN of the management vCenter Server

HTTPS port                         443                                          443

User name                          root                                         administrator@vsphere.local

Password                           esxi_root_password                           vsphere_admin_password

f In the Certificate warning dialog box, click Yes to accept the host certificate.

g On the Set up a target vCenter Server VM page, enter the values by using the
information that you retrieved during the preparation for the restore, and click Next.

Setting Value

VM name vCenter Server VM name

Set root password vcenter_server_root_password

Confirm root password vcenter_server_root_password

h On the Select deployment size page, select the deployment size that corresponds with
the vCenter Server configuration information from Step 3.d and click Next.

Refer to the vSphere documentation to map the CPU count recorded in Step 3.d to a vCenter
Server deployment size.

i On the Select datastore page, select these values, and click Next.

Setting Value

Datastore Datastore name

Enable thin disk mode Selected

j On the Configure network settings page, enter the values by using the information that
you retrieved during the preparation for the restore, and click Next.

Setting                         Value

Network                         Name of the management network distributed port group

IP version                      IPV4

IP assignment                   static

FQDN                            FQDN of the vCenter Server

IP address                      IP address of the vCenter Server

Subnet mask or prefix length    24

Default gateway                 Default gateway IP address

DNS servers                     DNS server IP addresses, comma-separated

k On the Ready to complete stage 1 page, review the restore settings and click Finish.

l When stage 1 of the restore process completes, click Continue.

4 Complete the Restore - Stage 2: vCenter Server wizard.

a On the Introduction page, click Next.

b On the Backup details page, in the Encryption password text box, enter the encryption
password that was set for the vCenter Server file-based backup, and click Next.

c On the Single Sign-On configuration page, enter these values and click Next.

Setting Value

Single Sign-On user name administrator@vsphere.local

Single Sign-On password vsphere_admin_password

d On the Ready to complete page, review the restore details and click Finish.

e In the Warning dialog box, click OK to confirm the restore.

f When stage 2 of the restore process completes, click Close.

What to do next

Refresh the SSH keys that are stored in the SDDC Manager inventory. See VMware Cloud
Foundation SDDC Manager Recovery Scripts (79004).

Move the Restored vCenter Server Appliance to the Correct Folder


After deploying and restoring a vCenter Server instance, you must move the new appliance to
the correct folder.

Procedure

1 In a web browser, log in to the management domain vCenter Server by using the vSphere
Client (https://<vcenter_server_fqdn>/ui).

2 Select Menu > VMs and Templates.

3 In the inventory expand vCenter Server > Datacenter.

4 Right-click the appliance of the restored vCenter Server instance and select Move to folder.

5 Select the management folder and click OK.

Validate the vCenter Server State


After restoring a vCenter Server instance, you must validate the state of the vCenter Server and
vCenter Single Sign-On.

Procedure

1 In a web browser, log in to the management domain vCenter Server by using the vSphere
Client (https://<vcenter_server_fqdn>/ui).

2 In the inventory, click the management domain vCenter Server inventory, click the Summary
tab, and verify that there are no unexpected vCenter Server alerts.

3 Click the Linked vCenter Server systems tab and verify that the list contains all other vCenter
Server instances in the vCenter Single Sign-On domain.

4 Log in to the recovered vCenter Server instance by using a Secure Shell (SSH) client.

5 Run the command to navigate to the bin directory.

cd /usr/lib/vmware-vmdir/bin

6 Validate the current replication status.

a Run the command to list the current replication partners of the vCenter Server instance
with the current replication status between the nodes.

./vdcrepadmin -f showpartnerstatus -h localhost -u administrator -w vsphere_admin_password

b Verify that for each partner, the vdcrepadmin command output contains Host
available: Yes, Status available: Yes, and Partner is 0 changes behind.

c If you observe differences, wait five minutes and repeat this step, because
resynchronization between the nodes can take some time.

7 Repeat the procedure for each other vCenter Server instance.
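
Step 6 is easy to misread when a vCenter Server has several replication partners, so the following added
example (not code from the VMware guide) parses the output of vdcrepadmin -f showpartnerstatus and reports
every partner that is unreachable or still behind. SAMPLE_OUTPUT is constructed, and its line layout is an
assumption based on the three fields the guide quotes; check_live() runs the guide's command from the
/usr/lib/vmware-vmdir/bin path given in step 5 and evaluates the real output the same way.

```python
"""Evaluate `vdcrepadmin -f showpartnerstatus` output against the three conditions
the guide asks you to verify for every partner: Host available: Yes, Status
available: Yes, and Partner is 0 changes behind.

Added example, not code from the VMware guide. SAMPLE_OUTPUT is constructed and
its layout is assumed from the fields the guide quotes.
"""
import re
import subprocess

SAMPLE_OUTPUT = """\
Partner: vc02.rainpole.io
Host available:   Yes
Status available: Yes
My last change number:             4817
Partner has seen my change number: 4817
Partner is 0 changes behind.

Partner: vc03.rainpole.io
Host available:   Yes
Status available: Yes
My last change number:             4817
Partner has seen my change number: 4802
Partner is 15 changes behind.

Partner: vc04.rainpole.io
Host available:   No
Status available: No
"""

PARTNER_RE = re.compile(r"^Partner:\s+(\S+)")
BEHIND_RE = re.compile(r"^Partner is (\d+) changes? behind")


def parse_partner_status(text):
    """Return one dict per replication partner found in the command output."""
    partners = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PARTNER_RE.match(line)
        if m:
            current = {"partner": m.group(1), "host_available": False,
                       "status_available": False, "changes_behind": None}
            partners.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("Host available:"):
            current["host_available"] = line.split(":", 1)[1].strip() == "Yes"
        elif line.startswith("Status available:"):
            current["status_available"] = line.split(":", 1)[1].strip() == "Yes"
        else:
            m = BEHIND_RE.match(line)
            if m:
                current["changes_behind"] = int(m.group(1))
    return partners


def is_converged(partner):
    # An unreachable partner prints no "changes behind" line at all, so an
    # unknown lag (None) is treated as not converged rather than as zero.
    return (partner["host_available"] and partner["status_available"]
            and partner["changes_behind"] == 0)


def lagging_partners(text):
    """Names of partners that are unavailable or still replaying changes."""
    return [p["partner"] for p in parse_partner_status(text) if not is_converged(p)]


def check_live(sso_password, vmdir_bin="/usr/lib/vmware-vmdir/bin"):
    """Run the guide's command on the restored appliance and evaluate its output.
    The password is passed as an argument exactly as the guide does; call this
    from a script rather than an interactive shell so it stays out of history."""
    out = subprocess.run([f"{vmdir_bin}/vdcrepadmin", "-f", "showpartnerstatus",
                          "-h", "localhost", "-u", "administrator", "-w", sso_password],
                         capture_output=True, text=True, check=True).stdout
    return lagging_partners(out)


if __name__ == "__main__":
    print(lagging_partners(SAMPLE_OUTPUT))  # ['vc03.rainpole.io', 'vc04.rainpole.io']
```

An empty result from lagging_partners() is the "all partners converged" state the guide describes; a
non-empty result after the five-minute wait in step 6.c is the signal to stop and investigate before
moving on to the SDDC Manager validation.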

Validate the SDDC Manager State After a vCenter Server Restore


After a successful vCenter Server restore, verify that the SDDC Manager inventory is consistent
with the recovered VMs and that the vCenter Server instances are healthy. You use the
Supportability and Serviceability tool (SoS) and the SDDC Manager patch/upgrade precheck
function.

Procedure

1 Log in to SDDC Manager by using a Secure Shell (SSH) client.

2 Run the SoS health check and verify the output.

sudo /opt/vmware/sddc-support/sos --health-check

All tests show green when SDDC Manager is in a healthy state.

3 In a Web browser, log in to SDDC Manager using the user interface.

4 In the navigation pane, click Inventory > Workload Domains.

5 For each workload domain, validate the vCenter Server status.

a Click the workload domain name and click the Updates/Patches tab.

b Click Precheck.

c Click View status to review the precheck result for the vCenter Server instance and verify
that the status is Succeeded.

Restore the Configuration of a vSphere Distributed Switch


To recover the configuration of a vSphere Distributed Switch, you can restore its settings from
the configuration file that you previously exported.

This procedure restores only the vSphere Distributed Switch configuration of a vCenter Server
instance.

The restore operation changes the settings on the vSphere Distributed Switch back to the
settings saved in the configuration file. The operation overwrites the current settings of the
vSphere Distributed Switch and its port groups. The operation does not delete existing port
groups that are not a part of the configuration file.

The vSphere Distributed Switch configuration is part of the vCenter Server backup. If you want to
restore the entire vCenter Server instance, see Restore vCenter Server.

Procedure

1 In a web browser, log in to the vCenter Server by using the vSphere Client (https://
<vcenter_server_fqdn>/ui).

2 Select Menu > Networking.

3 In the inventory expand vCenter Server > Datacenter.

4 Expand the Management networks folder, right-click the distributed switch and select
Settings > Restore configuration.

5 On the Restore switch configuration page, click Browse, navigate to the location of the
configuration file for the distributed switch, and click Open.

6 Select the Restore distributed switch and all port groups radio button and click Next.

7 On the Ready to complete page, review the changes and click Finish.

8 Repeat these steps for the other vSphere Distributed Switch.

9 Review the switch configuration to verify that it is as you expect after the restore.

Restore an NSX Manager Cluster Node


If an NSX Manager instance fails, you can restore it from its file-based backup.

Prerequisites

n Verify that you have a valid file-based backup of the failed NSX Manager instance.

n Verify that you have the SFTP server details:

n SFTP Server IP

n SFTP Server Username

n SFTP Server Password

n Encryption Password

Procedure

1 Prepare for Restoring an NSX Manager Cluster Node


Before restoring an NSX Manager node, you must retrieve the NSX Manager build number
and deployment details, as well as the credentials from the SDDC Manager inventory.

2 Restore the First Node of a Failed NSX Manager Cluster


If all three NSX Manager nodes in an NSX Manager cluster are in a failed state, you begin the
restore process by restoring the first cluster node.

3 Deactivate the NSX Manager Cluster


If two of the three NSX Manager cluster nodes are in a failed state or if you restored the first
node of a failed NSX Manager cluster, you must deactivate the cluster.

4 Restore an NSX Manager Node to an Existing NSX Manager Cluster


If only one of the three NSX Manager cluster nodes is in a failed state, you restore the failed
node to the existing cluster. If two of the three NSX Manager cluster nodes are in a failed
state, you repeat this process for each of the failed nodes.

5 Update or Recreate the VM Anti-Affinity Rule for the NSX Manager Cluster Nodes

During the NSX Manager bring-up process, SDDC Manager creates a VM anti-affinity rule to
prevent the VMs of the NSX Manager cluster from running on the same ESXi host. If you
redeployed all NSX Manager cluster nodes, you must recreate this rule. If you redeployed
one or two nodes of the cluster, you must add the new VMs to the existing rule.

6 Validate the SDDC Manager Inventory State


After a successful restore of an NSX Manager cluster, you must verify that the SDDC
Manager inventory is consistent with the recovered virtual machines. You run this verification
by using the sos tool.

Prepare for Restoring an NSX Manager Cluster Node


Before restoring an NSX Manager node, you must retrieve the NSX Manager build number and
deployment details, as well as the credentials from the SDDC Manager inventory.

Procedure

1 Retrieve the NSX Manager Version from SDDC Manager


Before restoring a failed NSX Manager instance, you must retrieve its version from the SDDC
Manager inventory.

2 Retrieve the Credentials for Restoring NSX Manager from SDDC Manager

Before restoring a failed NSX Manager instance, you must retrieve the NSX Manager root
and admin credentials from the SDDC Manager inventory.

Retrieve the NSX Manager Version from SDDC Manager


Before restoring a failed NSX Manager instance, you must retrieve its version from the SDDC
Manager inventory.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 Click the domain name of the failed NSX Manager instance.

3 Click the Update/Patches tab.

4 Under Current versions, in the NSX panel, locate and record the NSX upgrade coordinator
value.

5 Verify that the NSX version retrieved from SDDC Manager is the same as the version
associated with the backup file that you plan to restore.

Retrieve the Credentials for Restoring NSX Manager from SDDC Manager

Before restoring a failed NSX Manager instance, you must retrieve the NSX Manager root and
admin credentials from the SDDC Manager inventory.

Before you can query the SDDC Manager API, you must obtain an API access token by using an
API service account or the admin@local account.

Procedure

1 Log in to your host machine with access to the SDDC and open a terminal.

2 Obtain the API access token.

a Run the command to obtain an access token. Replace service_user and
service_user_password with the credentials of the API service account (or admin@local)
that you use.

curl 'https://<sddc_manager_fqdn>/v1/tokens' -k -X POST -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{"username" : "service_user","password" : "service_user_password"}'

The command returns an access token and a refresh token.

b Record the access token.

3 Retrieve the NSX Manager root and admin credentials.

a Run the command to retrieve the NSX Manager root and admin credentials.

curl 'https://<sddc_manager_fqdn>/v1/credentials?resourceType=NSXT_MANAGER' -i -X GET -H 'Accept: application/json' -H 'Authorization: Bearer access_token'

The command returns the NSX Manager root and admin credentials.

b Record the NSX Manager root and admin credentials for the instance you are restoring.

Restore the First Node of a Failed NSX Manager Cluster


If all three NSX Manager nodes in an NSX Manager cluster are in a failed state, you begin the
restore process by restoring the first cluster node.

Important This procedure applies only when no NSX Manager cluster node is operational.
n If two of the three NSX Manager nodes in the NSX Manager cluster are in a failed state,
you begin the restore process by deactivating the cluster. See Deactivate the NSX Manager
Cluster.

n If only one of the three NSX Manager nodes in the NSX Manager cluster is in a failed state,
you directly restore the failed node to the cluster. See Restore an NSX Manager Node to an
Existing NSX Manager Cluster.

Procedure

1 Redeploy the First Node of a Failed NSX Manager Cluster


You deploy a new NSX Manager instance by using the configuration of the first NSX
Manager cluster node.

2 Restore the First Node in a Failed NSX Manager Cluster from a File-Based Backup

You restore the file-based backup of the first NSX Manager cluster node to the newly
deployed NSX Manager instance.

3 Validate the Status of the First NSX Manager Cluster Node


After you restored the first NSX Manager cluster node, you validate the services state from
the VM Web console of the restored node.

Redeploy the First Node of a Failed NSX Manager Cluster


You deploy a new NSX Manager instance by using the configuration of the first NSX Manager
cluster node.

Prerequisites

n Download the NSX Manager OVA file for the version of the failed NSX Manager cluster. See
Retrieve the NSX Manager Version from SDDC Manager.

n Verify that the backup file that you plan to restore is associated with the version of the failed
NSX Manager cluster.

Procedure

1 In a web browser, log in to the management domain vCenter Server by using the vSphere
Client (https://<vcenter_server_fqdn>/ui).

2 Select Menu > VMs and Templates.

3 In the inventory, expand vCenter Server > Datacenter.

4 Right-click the NSX folder and select Deploy OVF Template.

5 On the Select an OVF template page, select Local file, click Upload files, navigate to the
location of the NSX Manager OVA file, click Open, and click Next.

6 On the Select a name and folder page, enter the VM name and click Next.

7 On the Select a compute resource page, click Next.

8 On the Review details page, click Next.

9 On the Configuration page, select the appropriate size and click Next.

For the management domain, select Medium and for workload domains, select Large unless
you changed these defaults during deployment.

10 On the Select storage page, select the vSAN datastore, and click Next.

11 On the Select networks page, from the Destination network drop-down menu, select the
management network distributed port group, and click Next.

12 On the Customize template page, enter these values and click Next.

Setting Value for first NSX Manager cluster node

System root user password nsx_root_password

CLI admin user password nsx_admin_password

CLI audit user password nsx_audit_password

Hostname Enter hostname for the appliance using FQDN format.

Default IPv4 gateway Enter the default gateway for the appliance.

Management network IPv4 address Enter the IP Address for the appliance.

Management network netmask Enter the subnet mask for the appliance.

DNS server list Enter the DNS servers for the appliance.

NTP server list Enter the NTP server for the appliance.

Enable SSH Deselected

Allow root SSH logins Selected

13 On the Ready to complete page, review the deployment details and click Finish.

Restore the First Node in a Failed NSX Manager Cluster from a File-Based Backup
You restore the file-based backup of the first NSX Manager cluster node to the newly deployed
NSX Manager instance.


Procedure

1 In a web browser, log in to the NSX Manager node for the domain by using the user interface
(https://<nsx_manager_node_fqdn>/login.jsp?local=true)

2 On the main navigation bar, click System.

3 In the left navigation pane, under Lifecycle management, click Backup and restore.

4 In the NSX configuration pane, under SFTP server, click Edit.

5 In the Backup configuration dialog box, enter these values, and click Save.

Setting Value

FQDN or IP address IP address of SFTP server

Protocol SFTP

Port 22

Directory path /backups

Username Service account user name, for example, svc-vcf-bck@rainpole.io

Password service_account_password

SSH fingerprint SFTP_ssh_fingerprint

6 Under Backup history, select the target backup, and click Restore.

7 During the restore, when prompted, reject adding NSX Manager nodes by clicking I
understand and Resume.

Results

A progress bar displays the status of the restore operation with the current step of the process.

Validate the Status of the First NSX Manager Cluster Node


After you restored the first NSX Manager cluster node, you validate the services state from the
VM Web console of the restored node.

Procedure

1 In a web browser, log in to the management domain vCenter Server by using the vSphere
Client (https://<vcenter_server_fqdn>/ui).

2 Select Menu > VMs and Templates.

3 In the inventory expand vCenter Server > Datacenter > NSX Folder.


4 Click the VM name of the newly deployed first NSX Manager cluster node, click Launch Web
Console, and log in by using administrator credentials.

Setting Value

User name admin

Password nsx_admin_password

5 Run the command to view the cluster status.

get cluster status

The services on the single-node NSX Manager cluster appear as UP.

Deactivate the NSX Manager Cluster


If two of the three NSX Manager cluster nodes are in a failed state or if you restored the first
node of a failed NSX Manager cluster, you must deactivate the cluster.

Important This procedure is not applicable in use cases when there are two operational NSX
Manager cluster nodes.

If only one of the three NSX Manager nodes in the NSX Manager cluster is in a failed state, after
you prepared for the restore, you directly restore the failed node to the cluster. See Restore an
NSX Manager Node to an Existing NSX Manager Cluster.

Procedure

1 In a web browser, log in to the management domain vCenter Server by using the vSphere
Client (https://<vcenter_server_fqdn>/ui).

2 Select Menu > VMs and Templates.

3 In the inventory expand vCenter Server > Datacenter > NSX Folder.

4 Click the VM of the operational NSX Manager node in the cluster, click Launch Web Console,
and log in by using administrator credentials.

Setting Value

User name admin

Password nsx_admin_password

5 Run the command to deactivate the cluster

deactivate cluster


6 On the Are you sure you want to remove all other nodes from this cluster? (yes/no) prompt,
enter yes.

You deactivated the cluster.

What to do next

Power off and delete the two failed NSX Manager nodes from inventory.

Restore an NSX Manager Node to an Existing NSX Manager Cluster


If only one of the three NSX Manager cluster nodes is in a failed state, you restore the failed node
to the existing cluster. If two of the three NSX Manager cluster nodes are in a failed state, you
repeat this process for each of the failed nodes.

Procedure

1 Detach the Failed NSX Manager Node from the NSX Manager Cluster
Before you recover a failed NSX Manager node, you must detach the failed node from the
NSX Manager cluster.

2 Redeploy the Failed NSX Manager Node


You deploy a new NSX Manager instance by using the configuration of the failed node.

3 Join the New NSX Manager Node to the NSX Manager Cluster
You join the newly deployed NSX Manager node to the cluster by using the virtual machine
web console from the vSphere Client.

4 Validate the Status of the NSX Manager Cluster


After you added the new NSX Manager node to the cluster, you must validate the
operational state of the NSX Manager cluster.

5 Restore the NSX Manager SSL Certificate


After you add the new NSX Manager node to the cluster and validate the cluster status, you
must restore the SSL certificate to the new node.

6 Restart the NSX Manager Node


After assigning the certificate, you must restart the new NSX Manager node.

7 Validate the Status of the NSX Manager Cluster


After restoring an NSX Manager node, you must validate the system status of the NSX
Manager cluster.

Detach the Failed NSX Manager Node from the NSX Manager Cluster
Before you recover a failed NSX Manager node, you must detach the failed node from the NSX
Manager cluster.


Procedure

1 In a web browser, log in to the management domain vCenter Server by using the vSphere
Client (https://<vcenter_server_fqdn>/ui).

2 Select Menu > VMs and Templates.

3 In the inventory expand vCenter Server > Datacenter > NSX Folder.

4 Click the VM of an operational NSX Manager node in the cluster, click Launch Web Console,
and log in by using administrator credentials.

Setting Value

User name admin

Password nsx_admin_password

5 Retrieve the UUID of the failed NSX Manager node.

a Run the command to view the details of the cluster members.

get cluster status

The status of the failed node is Down.

b Record the UUID of the failed NSX Manager node.

6 Run the command to detach the failed node from the cluster

detach node failed_node_uuid

The detach process might take some time.

7 When the detaching process finishes, run the command to view the cluster status.

get cluster status

The status of all cluster nodes is Up.
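Steps 5 and 6 above, turned into a check that a recovery script can run before it issues `detach node`, as an added example that is not part of this guide and not NSX's own code. The console output in the block is constructed, and its layout (a `Group Type:` header followed by a member table with UUID, FQDN, IP and STATUS columns) is an assumption about nsxcli; compare it with a real `get cluster status` before relying on the parser. The check refuses to produce a detach command unless exactly one member is not UP and that member is the node you named, so a mistyped UUID, or a second failed node (the case the Deactivate the NSX Manager Cluster procedure covers), cannot detach a healthy member.

```python
import re

# Constructed sample of `get cluster status` output from an operational NSX Manager
# node (an assumption about the nsxcli layout; not captured from a real system).
# One node is DOWN in every service group, which is the single-failed-node case.
SAMPLE_CLUSTER_STATUS = """\
Cluster Id: 3f0d0f71-5a47-4c6b-9a3a-1d8b2f6c0e11
Overall Status: DEGRADED

Group Type: DATASTORE
Group Status: DEGRADED
Members:
    UUID                                   FQDN                             IP              STATUS
    8a1c7b2e-0001-4d2e-9f01-000000000001   sfo-m01-nsx01a.sfo.rainpole.io   172.16.11.81    UP
    8a1c7b2e-0002-4d2e-9f01-000000000002   sfo-m01-nsx01b.sfo.rainpole.io   172.16.11.82    DOWN
    8a1c7b2e-0003-4d2e-9f01-000000000003   sfo-m01-nsx01c.sfo.rainpole.io   172.16.11.83    UP

Group Type: MANAGER
Group Status: DEGRADED
Members:
    UUID                                   FQDN                             IP              STATUS
    8a1c7b2e-0001-4d2e-9f01-000000000001   sfo-m01-nsx01a.sfo.rainpole.io   172.16.11.81    UP
    8a1c7b2e-0002-4d2e-9f01-000000000002   sfo-m01-nsx01b.sfo.rainpole.io   172.16.11.82    DOWN
    8a1c7b2e-0003-4d2e-9f01-000000000003   sfo-m01-nsx01c.sfo.rainpole.io   172.16.11.83    UP
"""

# One member row: UUID, FQDN, IPv4 address, status word.
MEMBER_RE = re.compile(
    r"^\s*(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"\s+(?P<fqdn>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<status>[A-Z_]+)\s*$"
)


def parse_cluster_status(text):
    """Parse `get cluster status` output into the cluster id and per-node, per-group status."""
    cluster_id = None
    group = None
    members = {}
    for line in text.splitlines():
        if line.startswith("Cluster Id:"):
            cluster_id = line.split(":", 1)[1].strip()
        elif line.startswith("Group Type:"):
            group = line.split(":", 1)[1].strip()
        else:
            m = MEMBER_RE.match(line)
            if m and group:
                node = members.setdefault(
                    m["uuid"], {"fqdn": m["fqdn"], "ip": m["ip"], "status": {}})
                node["status"][group] = m["status"]
    return {"cluster_id": cluster_id, "members": members}


def failed_node_uuid(status, expected_fqdn):
    """UUID of the single member that is not UP, after confirming it is the node you meant."""
    down = {u: n for u, n in status["members"].items()
            if any(s != "UP" for s in n["status"].values())}
    if len(down) != 1:
        raise RuntimeError(f"expected exactly one failed node, found {len(down)}; "
                           "with two failed nodes deactivate the cluster instead")
    node_uuid, node = next(iter(down.items()))
    if node["fqdn"] != expected_fqdn:
        raise RuntimeError(f"failed node is {node['fqdn']}, not {expected_fqdn}; refusing")
    return node_uuid


def detach_command(status, expected_fqdn):
    """The nsxcli command to run on an operational node, built from the parsed status."""
    return f"detach node {failed_node_uuid(status, expected_fqdn)}"


if __name__ == "__main__":
    parsed = parse_cluster_status(SAMPLE_CLUSTER_STATUS)
    print(detach_command(parsed, "sfo-m01-nsx01b.sfo.rainpole.io"))
```

Paste the real console output into `SAMPLE_CLUSTER_STATUS` (or read it from a file) and pass the FQDN of the node you are recovering; the printed command is what you run on the operational node in step 6. After the detach finishes, run the parser again over a fresh `get cluster status` and expect `failed_node_uuid` to raise because no member is DOWN any more, which is the step 7 check.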

Redeploy the Failed NSX Manager Node


You deploy a new NSX Manager instance by using the configuration of the failed node.

Prerequisites

Download the NSX Manager OVA file for the version of the failed NSX Manager instance. See
Retrieve the NSX Manager Version from SDDC Manager.

Procedure

1 In a web browser, log in to the management domain vCenter Server by using the vSphere
Client (https://<vcenter_server_fqdn>/ui).

2 Select Menu > VMs and Templates.


3 In the inventory expand vCenter Server > Datacenter.

4 Right-click the NSX folder and select Deploy OVF Template.

5 On the Select an OVF template page, select Local file, click Upload files, navigate to the
location of the NSX Manager OVA file, click Open, and click Next.

6 On the Select a name and folder page, in the Virtual machine name text box, enter VM name
of the failed node, and click Next.

7 On the Select a compute resource page, click Next.

8 On the Review details page, click Next.

9 On the Configuration page, select Medium, and click Next.

10 On the Select storage page, select the vSAN datastore, and click Next.

11 On the Select networks page, from the Destination network drop-down menu, select the
management network distributed port group, and click Next.

12 On the Customize template page, enter these values and click Next.

Setting Value

System root user password nsx_root_password

CLI admin user password nsx_admin_password

CLI audit password nsx_audit_password

Hostname failed_node_FQDN

Default IPv4 gateway Enter the default gateway for the appliance.

Management network IPv4 address failed_node_IP_address

Management network netmask Enter the subnet mask for the appliance.

DNS server list Enter the DNS servers for the appliance.

NTP servers list Enter the NTP servers for the appliance.

Enable SSH Deselected

Allow root SSH logins Selected

13 On the Ready to complete page, review the deployment details and click Finish.

The NSX Manager virtual machine begins to deploy.

Join the New NSX Manager Node to the NSX Manager Cluster
You join the newly deployed NSX Manager node to the cluster by using the virtual machine web
console from the vSphere Client.


Procedure

1 In a web browser, log in to the management domain vCenter Server by using the vSphere
Client (https://<vcenter_server_fqdn>/ui).

2 Select Menu > VMs and Templates.

3 In the inventory expand vCenter Server > Datacenter > NSX Folder.

4 Click the VM of an operational NSX Manager node in the cluster, click Launch web console,
and log in by using administrator credentials.

Setting Value

User name admin

Password nsx_admin_password

5 Retrieve the ID of the NSX Manager cluster.

a Run the command to view the cluster ID.

get cluster config | find Id:

b Record the cluster ID.

6 Retrieve the API thumbprint of the NSX Manager API certificate.

a Run the command to view the certificate API thumbprint.

get certificate api thumbprint

b Record the certificate API thumbprint.

7 Exit the VM Web console.

8 In the vSphere Client, click the VM of the newly deployed NSX Manager node, click Launch
Web console, and log in by using administrator credentials.

Setting Value

User name admin

Password nsx_admin_password

9 Run the command to join the new NSX Manager node to the cluster.

join existing_node_ip cluster-id cluster_id thumbprint api_thumbprint username admin

The new NSX Manager node joins the cluster.

Validate the Status of the NSX Manager Cluster


After you added the new NSX Manager node to the cluster, you must validate the operational
state of the NSX Manager cluster.


To view the state of the NSX Manager cluster, you log in to the NSX Manager for the particular
domain.

Procedure

1 In a web browser, log in to the NSX Manager cluster for the domain by using the user
interface (https://<nsx_manager_cluster_fqdn>/login.jsp?local=true)

2 On the main navigation bar, click System.

3 In the left pane, under Configuration, click Appliances.

4 Verify that the Cluster status is green and Stable and that each cluster node is Available.

Restore the NSX Manager SSL Certificate


After you add the new NSX Manager node to the cluster and validate the cluster status, you must
restore the SSL certificate to the new node.

To view the certificate of the failed NSX Manager cluster node, you log in to the NSX Manager for
the domain.

Table 26-2. NSX Manager Clusters in the SDDC

NSX Manager Cluster NSX Manager URL

Management domain NSX Manager cluster https://<FQDN of management domain NSX Manager>/login.jsp?local=true

Workload domain NSX Manager cluster https://<FQDN of workload domain NSX Manager>/login.jsp?local=true

This procedure is an example for restoring the certificate of a management domain NSX Manager
cluster node.

Procedure

1 In a Web browser, log in to the NSX Manager cluster for the management domain.

Setting Value

URL https://<FQDN of management domain NSX Manager>/login.jsp?local=true

User name admin

Password nsx_admin_password

2 On the main navigation bar, click System.

3 In the left pane, under Settings, click Certificates.

4 Locate and copy the ID of the certificate that was issued by CA to the node that you are
restoring.


5 Run the command to install the CA-signed certificate on the new NSX Manager node.

curl -H 'Accept: application/json' -H 'Content-Type: application/json' --insecure \
-u 'admin:nsx_admin_password' -X POST \
'https://nsx_host_node/api/v1/node/services/http?action=apply_certificate&certificate_id=certificate_id'

What to do next

Important If assigning the certificate fails because the certificate revocation list (CRL) verification
fails, see https://kb.vmware.com/kb/78794. If you disable the CRL checking to assign the
certificate, after assigning the certificate, you must re-enable the CRL checking.
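Steps 4 and 5 above carried out from a script instead of a curl one-liner, as an added example that is not part of this guide and not VMware's own code. It assumes that the certificate list returned by GET /api/v1/trust-management/certificates carries id, display_name and used_by fields and that SDDC Manager names a node's certificate after the node FQDN; the sample page, the IDs and the host names are constructed. Two practitioner changes from the curl form: the admin password comes from an environment variable rather than the command line (a `-u 'admin:password'` argument is visible in shell history and in the process list of every user on the jump host), and TLS verification stays on, pinned to a CA bundle. For a freshly deployed node that still presents its self-signed certificate, that bundle can be the node's own certificate, exported after you have checked its thumbprint against `get certificate api thumbprint` on the node console, which gives the same protection as the CRL-backed check without `--insecure`.

```python
import base64
import os
import ssl
import urllib.parse
import urllib.request
import uuid

# Constructed sample of the page returned by GET /api/v1/trust-management/certificates.
# The field names (id, display_name, used_by) are an assumption about the NSX API and the
# IDs and names are made up; nothing here is captured from a real system.
SAMPLE_CERTIFICATES = {
    "results": [
        {"id": "1d0c3a6e-0001-4b7f-8e3a-000000000001",
         "display_name": "sfo-m01-nsx01a.sfo.rainpole.io",
         "used_by": [{"node_id": "8a1c7b2e-0001-4d2e-9f01-000000000001",
                      "service_types": ["API"]}]},
        {"id": "1d0c3a6e-0002-4b7f-8e3a-000000000002",
         "display_name": "sfo-m01-nsx01b.sfo.rainpole.io",
         "used_by": []},  # the redeployed node is not using its CA-signed certificate yet
        {"id": "1d0c3a6e-0003-4b7f-8e3a-000000000003",
         "display_name": "sfo-m01-nsx01.sfo.rainpole.io",
         "used_by": [{"node_id": "8a1c7b2e-0001-4d2e-9f01-000000000001",
                      "service_types": ["MGMT_CLUSTER"]}]},
    ]
}


def find_node_certificate_id(page, node_fqdn):
    """Pick the certificate whose display name is the node FQDN (assumed SDDC Manager naming)."""
    matches = [c["id"] for c in page.get("results", []) if c.get("display_name") == node_fqdn]
    if len(matches) != 1:
        raise LookupError(f"expected one certificate named {node_fqdn}, found {len(matches)}")
    return matches[0]


def build_apply_certificate_request(node_fqdn, certificate_id, admin_password):
    """Build the POST /api/v1/node/services/http?action=apply_certificate request."""
    # Only a UUID is accepted, so a pasted value cannot smuggle extra query parameters.
    certificate_id = str(uuid.UUID(certificate_id))
    query = urllib.parse.urlencode(
        {"action": "apply_certificate", "certificate_id": certificate_id})
    url = f"https://{node_fqdn}/api/v1/node/services/http?{query}"
    basic = base64.b64encode(f"admin:{admin_password}".encode()).decode()
    return urllib.request.Request(url, method="POST", headers={
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": f"Basic {basic}",
    })


def apply_certificate(node_fqdn, certificate_id, admin_password, cafile=None):
    """Send the request with TLS verification against cafile (system CAs if None)."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = build_apply_certificate_request(node_fqdn, certificate_id, admin_password)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.status


if __name__ == "__main__":
    node = "sfo-m01-nsx01b.sfo.rainpole.io"  # constructed node name
    cert_id = find_node_certificate_id(SAMPLE_CERTIFICATES, node)
    print(build_apply_certificate_request(node, cert_id, "placeholder").full_url)
    # Live call only when the operator supplies the secret out of band, never via argv.
    password = os.environ.get("NSX_ADMIN_PASSWORD")
    if password:
        print(apply_certificate(node, cert_id, password, os.environ.get("NSX_CA_BUNDLE")))
```

With a live NSX Manager, replace `SAMPLE_CERTIFICATES` with the parsed JSON from the certificates endpoint, export the password as `NSX_ADMIN_PASSWORD` and point `NSX_CA_BUNDLE` at the trusted certificate; the request URL and headers are exactly those of the curl command in step 5.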

Restart the NSX Manager Node


After assigning the certificate, you must restart the new NSX Manager node.

Procedure

1 In a web browser, log in to the management domain vCenter Server by using the vSphere
Client (https://<vcenter_server_fqdn>/ui).

2 Select Menu > VMs and Templates.

3 In the inventory expand vCenter Server > Datacenter > NSX Folder.

4 Right-click the new NSX Manager VM and select Guest OS > Restart.

Validate the Status of the NSX Manager Cluster


After restoring an NSX Manager node, you must validate the system status of the NSX Manager
cluster.

To view the system status of the NSX Manager cluster, you log in to the NSX Manager for the
particular domain.

Procedure

1 In a web browser, log in to the NSX Manager cluster for the domain by using the user
interface (https://<nsx_manager_cluster_fqdn>/login.jsp?local=true)

2 On the Home page, click Monitoring Dashboards > System.

3 Verify that all components are healthy.

4 If the host transport nodes are in a Pending state, run Configure NSX on these nodes to
refresh the UI.

What to do next

Refresh the SSH keys that are stored in the SDDC Manager inventory. See VMware Cloud
Foundation SDDC Manager Recovery Scripts (79004).


Update or Recreate the VM Anti-Affinity Rule for the NSX Manager Cluster
Nodes
During the NSX Manager bring-up process, SDDC Manager creates a VM anti-affinity rule to
prevent the VMs of the NSX Manager cluster from running on the same ESXi host. If you
redeployed all NSX Manager cluster nodes, you must recreate this rule. If you redeployed one or
two nodes of the cluster, you must add the new VMs to the existing rule.

Procedure

1 In a web browser, log in to the management domain vCenter Server by using the vSphere
Client (https://<vcenter_server_fqdn>/ui).

2 Select Menu > Hosts and Clusters.

3 In the inventory expand vCenter Server > Datacenter.

4 Click the cluster object.

5 Click the Configure tab and click VM/Host Rules.

6 Update or recreate the VM anti-affinity rule.

n If you redeployed one or two nodes of the cluster, add the new VMs to the existing rule.

a Click the VM anti-affinity rule name and click Edit.

b Click Add VM/Host rule member, select the new NSX Manager cluster nodes, and
click Add.

n If you redeployed all NSX Manager cluster nodes, click Add VM/Host rule, enter these
values to create the rule, and click OK.

Setting Value

Name Enter the name of the anti-affinity rule

Type Separate virtual machines

Members Click Add VM/Host rule member, select the NSX Manager cluster nodes, and click Add.

Validate the SDDC Manager Inventory State


After a successful restore of an NSX Manager cluster, you must verify that the SDDC Manager
inventory is consistent with the recovered virtual machines. You run this verification by using the
sos tool.

Procedure

1 Log in to SDDC Manager by using a Secure Shell (SSH).


2 Verify the SDDC Manager health.

a Run the command to view the details about the VMware Cloud Foundation system.

sudo /opt/vmware/sddc-support/sos --get-vcf-summary

b When prompted, enter the vcf_password.

All tests show green state.

3 Run the command to collect the log files from the restore of the NSX Manager cluster.

sudo /opt/vmware/sddc-support/sos --domain-name domain_name --nsx-logs

What to do next

Refresh the SSH keys that are stored in the SDDC Manager inventory. See VMware Cloud
Foundation SDDC Manager Recovery Scripts (79004).

Restoring NSX Edge Cluster Nodes


If one or both NSX Edge cluster nodes fail due to a hardware or software issue, you must
redeploy the failed NSX Edge instances. You do not restore the NSX Edge nodes from a backup.

Procedure

1 Prepare for Restoring NSX Edge Cluster Nodes


Before restoring an NSX Edge node, you must retrieve its deployment details from the
NSX Manager cluster and retrieve the credentials of the failed NSX Edge node from SDDC
Manager.

2 Replace the Failed NSX Edge Node with a Temporary NSX Edge Node
You deploy a temporary NSX Edge node in the domain, add it to the NSX Edge cluster, and
then delete the failed NSX Edge node.

3 Replace the Temporary NSX Edge Node with the Redeployed NSX Edge Node
After you replaced and deleted the failed NSX Edge node, to return the NSX Edge cluster
to its original state, you redeploy the failed node, add it to the NSX Edge cluster, and delete
the temporary NSX Edge node.

Prepare for Restoring NSX Edge Cluster Nodes


Before restoring an NSX Edge node, you must retrieve its deployment details from the NSX
Manager cluster and retrieve the credentials of the failed NSX Edge node from SDDC Manager.

Procedure

1 Retrieve the NSX Edge Node Deployment Details from NSX Manager Cluster
Before restoring a failed NSX Edge node, you must retrieve its deployment details from the
NSX Manager cluster.


2 Retrieve the NSX Edge Node Credentials from SDDC Manager


Before restoring the failed NSX Edge node that is deployed by SDDC Manager, you must
retrieve its credentials from the SDDC Manager inventory.

3 Retrieve the Workload Domain vSphere Cluster ID from SDDC Manager


If you are restoring a failed workload domain NSX Edge node, you must retrieve the ID
of the vSphere cluster for the workload domain. During the restore process, you use this
vSphere cluster ID to recreate the vSphere DRS rule name with its original name.

Retrieve the NSX Edge Node Deployment Details from NSX Manager Cluster
Before restoring a failed NSX Edge node, you must retrieve its deployment details from the NSX
Manager cluster.

Procedure

1 In a web browser, log in to the NSX Manager cluster for the domain by using the user
interface (https://<nsx_manager_cluster_fqdn>/login.jsp?local=true)

2 On the main navigation bar, click System.

3 In the left pane, under Configuration, click Fabric > Nodes.

4 Click the Edge Transport Nodes tab.

5 Select the check-box for the failed NSX Edge node.

6 Click Actions and select Change node settings.

7 Record the Host name/FQDN value and click Cancel.

8 Click Actions and select Change Edge VM Resource Reservations.

9 Record the Existing form factor value and click Cancel.

10 Click the name of the NSX Edge node that you plan to replace and record the following
values.

n Name

n Management IP

n Transport Zones

n Edge Cluster

11 Click Edit, record the following values, and click Cancel.

n Edge Switch Name

n Uplink Profile

n IP Assignment

n Teaming Policy Uplink Mapping


Retrieve the NSX Edge Node Credentials from SDDC Manager


Before restoring the failed NSX Edge node that is deployed by SDDC Manager, you must retrieve
its credentials from the SDDC Manager inventory.

Procedure

1 In the SDDC Manager user interface, from the navigation pane, click Developer center.

2 Click the API explorer tab.

3 Expand APIs for managing credentials and click GET /v1/credentials.

4 In the resourceName text box, enter the FQDN of the failed NSX Edge node, and click
Execute.

5 Under Response, click PageOfCredential and click each credential ID.

6 Record the user names and passwords for these credentials.

Credential Type Username Password

SSH root edge_root_password

API admin edge_admin_password

AUDIT audit edge_audit_password

Retrieve the Workload Domain vSphere Cluster ID from SDDC Manager


If you are restoring a failed workload domain NSX Edge node, you must retrieve the ID of the
vSphere cluster for the workload domain. During the restore process, you use this vSphere
cluster ID to recreate the vSphere DRS rule name with its original name.

You use the SDDC Manager user interface to retrieve the ID of the vSphere cluster for the
workload domain.

Procedure

1 In the SDDC Manager user interface, from the navigation pane, click Developer center.

2 Click the API explorer tab.

3 Expand APIs for managing clusters, click GET /v1/clusters, and click Execute.

4 Under Response, click PageOfClusters and click Cluster.

5 Record the ID of the workload domain cluster.
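The two SDDC Manager lookups above (GET /v1/credentials for the NSX Edge node and GET /v1/clusters for the workload domain cluster ID) done through the API rather than the API explorer, as an added example that is not part of this guide and not SDDC Manager's own code. The sample responses are constructed, and their element layout (credentialType, username, password, resource.resourceName; id and name for clusters) as well as the bearer token from POST /v1/tokens are assumptions about the SDDC Manager API. The functions refuse to continue unless all three credential types from the table above are present with the expected user names, and a redacted view is provided so the credentials can be logged during the restore without writing the passwords to disk.

```python
import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample responses; the field layout is an assumption about the SDDC Manager
# API and every value (IDs, names, passwords) is made up.
SAMPLE_CREDENTIALS_PAGE = {
    "elements": [
        {"id": "c-0001", "credentialType": "SSH", "username": "root",
         "password": "constructed-root-pw",
         "resource": {"resourceName": "sfo-w01-en01.sfo.rainpole.io", "resourceType": "NSXT_EDGE"}},
        {"id": "c-0002", "credentialType": "API", "username": "admin",
         "password": "constructed-admin-pw",
         "resource": {"resourceName": "sfo-w01-en01.sfo.rainpole.io", "resourceType": "NSXT_EDGE"}},
        {"id": "c-0003", "credentialType": "AUDIT", "username": "audit",
         "password": "constructed-audit-pw",
         "resource": {"resourceName": "sfo-w01-en01.sfo.rainpole.io", "resourceType": "NSXT_EDGE"}},
    ]
}
SAMPLE_CLUSTERS_PAGE = {
    "elements": [
        {"id": "7b2e4c1a-0001-4f3d-9c8e-000000000001", "name": "sfo-m01-cl01"},
        {"id": "7b2e4c1a-0002-4f3d-9c8e-000000000002", "name": "sfo-w01-cl01"},
    ]
}

# Credential types an SDDC Manager-deployed NSX Edge node carries, with their user names
# (from the table in the procedure above).
REQUIRED_TYPES = {"SSH": "root", "API": "admin", "AUDIT": "audit"}


def edge_credentials(page, edge_fqdn):
    """Map credential type to (username, password) for one NSX Edge node, or raise."""
    creds = {}
    for element in page.get("elements", []):
        if element.get("resource", {}).get("resourceName") != edge_fqdn:
            continue
        creds[element["credentialType"]] = (element["username"], element["password"])
    missing = [t for t in REQUIRED_TYPES if t not in creds]
    if missing:
        raise LookupError(f"{edge_fqdn}: credentials missing for {missing}")
    for cred_type, expected_user in REQUIRED_TYPES.items():
        if creds[cred_type][0] != expected_user:
            raise ValueError(f"{edge_fqdn}: {cred_type} user is {creds[cred_type][0]}, "
                             f"expected {expected_user}")
    return creds


def cluster_id_by_name(page, cluster_name):
    """ID of the vSphere cluster with the given name, used to rebuild the DRS rule name."""
    ids = [c["id"] for c in page.get("elements", []) if c.get("name") == cluster_name]
    if len(ids) != 1:
        raise LookupError(f"expected one cluster named {cluster_name}, found {len(ids)}")
    return ids[0]


def redacted(creds):
    """Copy of the credential map safe to print or log (passwords masked)."""
    return {t: (user, "********") for t, (user, _) in creds.items()}


def sddc_manager_session(fqdn, username, password, cafile=None):
    """Log in via POST /v1/tokens and return a GET function bound to the bearer token (live)."""
    ctx = ssl.create_default_context(cafile=cafile)
    body = json.dumps({"username": username, "password": password}).encode()
    login = urllib.request.Request(
        f"https://{fqdn}/v1/tokens", data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(login, context=ctx, timeout=60) as resp:
        token = json.load(resp)["accessToken"]

    def get(path, **params):
        url = f"https://{fqdn}{path}"
        if params:
            url += "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return json.load(resp)
    return get


if __name__ == "__main__":
    # Offline run on the constructed pages. Against a live SDDC Manager you would instead do:
    #   get = sddc_manager_session("sddc_manager_fqdn", "sso_user", "sso_password", "ca.pem")
    #   creds = edge_credentials(get("/v1/credentials", resourceName=edge), edge)
    #   cluster = cluster_id_by_name(get("/v1/clusters"), "sfo-w01-cl01")
    edge = "sfo-w01-en01.sfo.rainpole.io"
    print(redacted(edge_credentials(SAMPLE_CREDENTIALS_PAGE, edge)))
    print(cluster_id_by_name(SAMPLE_CLUSTERS_PAGE, "sfo-w01-cl01"))
```

Keep the returned credential map in memory for the Deploy a Temporary NSX Edge Node and Redeploy the Failed NSX Edge Node steps and log only `redacted(creds)`; the passwords are what the Credentials page of the Add edge VM wizard asks for.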


Replace the Failed NSX Edge Node with a Temporary NSX Edge Node
You deploy a temporary NSX Edge node in the domain, add it to the NSX Edge cluster, and then
delete the failed NSX Edge node.

Procedure

1 Deploy a Temporary NSX Edge Node


To avoid conflicts with the failed NSX Edge node, you deploy a temporary NSX Edge node
with a new FQDN and IP address.

2 Replace the Failed NSX Edge Node with the Temporary NSX Edge Node
You add the temporary NSX Edge node to the NSX Edge cluster by replacing the failed NSX
Edge node.

3 Delete the Failed NSX Edge Node from the NSX Manager Cluster
After replacing the failed NSX Edge node with the temporary NSX Edge node in the NSX
Edge cluster, you delete the failed node.

4 Validate the Temporary State of the NSX Edge Cluster Nodes


After replacing the failed NSX Edge node with a temporary NSX Edge node, you must verify
the state of the NSX Edge cluster nodes.

Deploy a Temporary NSX Edge Node


To avoid conflicts with the failed NSX Edge node, you deploy a temporary NSX Edge node with a
new FQDN and IP address.

Prerequisites

Allocate the FQDN and IP address for the temporary NSX Edge node for the domain of the failed
node.

Procedure

1 In a web browser, log in to the NSX Manager cluster for the domain by using the user
interface (https://<nsx_manager_cluster_fqdn>/login.jsp?local=true)

2 On the main navigation bar, click System.

3 In the left pane, under Configuration, click Fabric > Nodes.

4 Click the Edge transport nodes tab.

5 Click Add edge VM.


6 On the Name and description page, enter these values and click Next.

Setting Value

Name Enter the VM name

Host name/FQDN Enter the FQDN

Form factor Medium

7 On the Credentials page, enter these values and the passwords recorded in the earlier steps
and then click Next.

Setting Value

CLI user name admin

CLI password edge_admin_password

CLI confirm password edge_admin_password

Allow SSH login Yes

System root password edge_root_password

System root password confirm edge_root_password

Allow root SSH login No

Audit user name audit

Audit password edge_audit_password

Audit confirm password edge_audit_password

8 On the Configure deployment page, select the following and click Next.

Setting Value

Compute manager Enter the vCenter Server FQDN

Cluster Select the cluster

Datastore Select the vSAN datastore

9 On the Configure node settings page, enter these values and click Next.

Setting Value

IP Assignment Static

Management IP Enter the management IP address.

Default Gateway Enter the default gateway

Management interface Select the management network distributed port group

Search domain names Enter the search domain

DNS servers Enter the DNS servers

NTP Servers Enter the NTP servers

10 On the Configure NSX page, enter the values that you recorded earlier and click Finish.

Setting Value

Edge switch name Enter the edge switch name.

Transport zone Enter the transport zone names.

Uplink profile Enter the uplink profile name.

IP assignment Use static IP list

Static IP list Enter the static IP list.

Gateway Enter the gateway IP

Subnet mask Enter the subnet mask

Teaming policy switch mapping Enter the values for Uplink1 and Uplink2.

Replace the Failed NSX Edge Node with the Temporary NSX Edge Node
You add the temporary NSX Edge node to the NSX Edge cluster by replacing the failed NSX
Edge node.

Procedure

1 In a web browser, log in to the NSX Manager cluster for the domain by using the user
interface (https://<nsx_manager_cluster_fqdn>/login.jsp?local=true)

2 On the main navigation bar, click System.

3 In the left pane, under Configuration, click Fabric > Nodes.

4 Click the Edge clusters tab.

5 Select the check-box for the NSX Edge cluster.

6 Click Action and select Replace edge cluster member.

7 From the Replace drop-down menu, select the failed NSX Edge node, from the with drop-down
menu, select the temporary NSX Edge node, and then click Save.

Delete the Failed NSX Edge Node from the NSX Manager Cluster
After replacing the failed NSX Edge node with the temporary NSX Edge node in the NSX Edge
cluster, you delete the failed node.


Procedure

1 In a web browser, log in to the NSX Manager cluster for the domain by using the user
interface (https://<nsx_manager_cluster_fqdn>/login.jsp?local=true)

2 On the main navigation bar, click System.

3 In the left pane, under Configuration, click Fabric > Nodes.

4 Click the Edge transport nodes tab.

5 Select the check-box for the failed NSX Edge node and click Delete.

6 In the confirmation dialog box, click Delete.

Validate the Temporary State of the NSX Edge Cluster Nodes


After replacing the failed NSX Edge node with a temporary NSX Edge node, you must verify the
state of the NSX Edge cluster nodes.

You validate the state of the temporary NSX Edge node and the second NSX Edge node in the
cluster.

Procedure

1 In a web browser, log in to the NSX Manager cluster for the domain by using the user
interface (https://<nsx_manager_cluster_fqdn>/login.jsp?local=true)

2 On the main navigation bar, click System.

3 In the left pane, under Configuration, click Fabric > Nodes.

4 Click the Edge transport nodes tab.

5 Verify all edge transport nodes show these values.

Setting Value

Configuration state Success

Node status Up

Tunnels Upward arrow mark with number of tunnels

Replace the Temporary NSX Edge Node with the Redeployed NSX Edge Node
After you replaced and deleted the failed NSX Edge node, to return the NSX Edge cluster to
its original state, you redeploy the failed node, add it to the NSX Edge cluster, and delete the
temporary NSX Edge node.

Procedure

1 Redeploy the Failed NSX Edge Node


You deploy a new NSX Edge node by using the configurations of the failed NSX Edge node
that you retrieved during the preparation for the restore.


2 Replace the Temporary NSX Edge Node with the Redeployed NSX Edge Node
After deploying the new NSX Edge node with the same configuration as the failed NSX Edge
node, you replace the temporary NSX Edge node with the redeployed failed node in the
NSX Edge cluster.

3 Delete the Temporary NSX Edge Node


After replacing the temporary NSX Edge node with the new NSX Edge node in the NSX
Edge cluster, you delete the temporary node.

4 Update or Recreate the VM Anti-Affinity Rule for the NSX Edge Cluster Nodes
During the NSX Edge deployment process, SDDC Manager creates a VM anti-affinity rule
to prevent the nodes of the NSX Edge cluster from running on the same ESXi host. If you
redeployed the two NSX Edge cluster nodes, you must recreate this rule. If you redeployed
one node of the cluster, you must add the new VM to the existing rule.

5 Validate the State of the NSX Edge Cluster Nodes


After replacing the temporary NSX Edge node with the redeployed failed NSX Edge node,
you must verify the state of the NSX Edge cluster nodes.

Redeploy the Failed NSX Edge Node


You deploy a new NSX Edge node by using the configurations of the failed NSX Edge node that
you retrieved during the preparation for the restore.

To return the NSX Edge cluster to the original state, you must use the FQDN and IP address of
the failed NSX Edge node that you deleted. This procedure ensures that the inventory in SDDC
Manager is accurate.

Procedure

1 In a web browser, log in to the NSX Manager cluster for the domain by using the user
interface (https://<nsx_manager_cluster_fqdn>/login.jsp?local=true)

2 On the main navigation bar, click System.

3 In the left pane, under Configuration, click Fabric > Nodes.

4 Click the Edge transport nodes tab.

5 Click Add edge VM.

6 On the Name and description page, enter these values and click Next.

Setting Value

Name Enter the VM name

Host name/FQDN Enter the FQDN

Form factor Medium


7 On the Credentials page, enter the values that you recorded earlier and click Next.

Setting Value

CLI user name admin

CLI password edge_admin_password

CLI confirm password edge_admin_password

Allow SSH login Yes

System root password edge_root_password

System root password confirm edge_root_password

Allow root SSH login No

Audit user name audit

Audit password edge_audit_password

Audit confirm password edge_audit_password

8 On the Configure deployment page, select these values and click Next.

Setting Value

Compute manager Enter the vCenter Server FQDN

Cluster Enter the cluster name

Resource pool Enter the resource pool

Datastore Enter the datastore

9 On the Configure Node Settings page, enter these values and click Next.

Setting Value

IP assignment Static

Management IP Enter the management IP address.

Default gateway Enter the default gateway

Management interface Select the management network distributed port group

Search domain names Enter the search domain

DNS servers Enter the DNS servers

NTP servers Enter the NTP servers


10 On the Configure NSX page, enter the values that you recorded earlier and click Finish.

Setting Value

Edge switch name Enter the edge switch name.

Transport zone Enter the transport zone names.

Uplink profile Enter the uplink profile name.

IP assignment Use static IP list

Static IP list Enter the static IP list.

Gateway Enter the gateway IP

Subnet mask Enter the subnet mask

Teaming policy switch mapping Enter the values for Uplink1 and Uplink2.

Replace the Temporary NSX Edge Node with the Redeployed NSX Edge Node
After deploying the new NSX Edge node with the same configuration as the failed NSX Edge
node, you replace the temporary NSX Edge node with the redeployed failed node in the NSX
Edge cluster.

Procedure

1 In a web browser, log in to the NSX Manager cluster for the domain by using the user
interface (https://<nsx_manager_cluster_fqdn>/login.jsp?local=true)

2 On the main navigation bar, click System.

3 In the left pane, under Configuration, click Fabric > Nodes.

4 Click the Edge clusters tab.

5 Select the check-box for the NSX Edge cluster.

6 Click Action and select Replace edge cluster member.

7 From the Replace drop-down menu, select the temporary node, from the with drop-down
menu, select the new node, and then click Save.

Delete the Temporary NSX Edge Node


After replacing the temporary NSX Edge node with the new NSX Edge node in the NSX Edge
cluster, you delete the temporary node.

Procedure

1 In a web browser, log in to the NSX Manager cluster for the domain by using the user
interface (https://<nsx_manager_cluster_fqdn>/login.jsp?local=true)

2 On the main navigation bar, click System.


3 In the left pane, under Configuration, click Fabric > Nodes.

4 Click the Edge transport nodes tab.

5 Select the check-box for the temporary NSX Edge node and click Delete.

6 In the confirmation dialog box, click Delete.

Update or Recreate the VM Anti-Affinity Rule for the NSX Edge Cluster Nodes
During the NSX Edge deployment process, SDDC Manager creates a VM anti-affinity rule to
prevent the nodes of the NSX Edge cluster from running on the same ESXi host. If you
redeployed the two NSX Edge cluster nodes, you must recreate this rule. If you redeployed
one node of the cluster, you must add the new VM to the existing rule.

Procedure

1 In a web browser, log in to the domain vCenter Server by using the vSphere Client (https://
<vcenter_server_fqdn>/ui).

2 Select Menu > Hosts and Clusters.

3 In the inventory expand vCenter Server > Datacenter.

4 Click the cluster object.

5 Click the Configure tab and click VM/Host Rules.

6 Update or recreate the VM anti-affinity rule.

n If you redeployed one of the nodes in the NSX Edge cluster, add the new VM to the
existing rule.

a Click the VM anti-affinity rule name and click Edit.

b Click Add VM/Host rule member, select the new NSX Edge cluster node, and click
Add.

n If you redeployed the two nodes in the NSX Edge cluster, click Add VM/Host rule, enter
these values to create the rule, and click OK.

Setting Value

Name Enter the name of the anti-affinity rule

Type Separate virtual machines

Members Click Add VM/Host rule member, select the NSX Edge cluster nodes, and click Add.

Validate the State of the NSX Edge Cluster Nodes


After replacing the temporary NSX Edge node with the redeployed failed NSX Edge node, you
must verify the state of the NSX Edge cluster nodes.


You validate the state of the redeployed NSX Edge node and the second NSX Edge node in the
cluster.

Procedure

1 In a web browser, log in to the NSX Manager cluster for the domain by using the user
interface (https://<nsx_manager_cluster_fqdn>/login.jsp?local=true)

2 On the main navigation bar, click System.

3 In the left pane, under Configuration, click Fabric > Nodes.

4 Click the Edge transport nodes tab.

5 Verify all edge transport nodes show these values.

Setting Value

Configuration state Success

Node status Up

Tunnels Upward arrow mark with number of tunnels

Image-Based Backup and Restore of VMware Cloud Foundation
For an image-based backup of the VMware Cloud Foundation, use a solution compatible with the
VMware vSphere Storage APIs - Data Protection (formerly known as VMware vStorage APIs for
Data Protection or VADP).

vSphere Storage APIs - Data Protection compatible backup software connects to the vCenter
servers in the management domain to perform backups. In the event of failure, the backup
software connects to the vCenter servers in the management domain to restore the VMs. If the
management domain is lost, the vCenter servers are no longer available and must be restored
first. Choosing a backup software that supports Direct Restore to an ESXi host allows restoring
the vCenter Servers.

Connect your backup solution with the management domain vCenter Server and configure it. To
reduce the backup time and storage cost, use incremental backups in addition to the full ones.

Quiesced backups are enabled for VMware Aria Suite Lifecycle and Workspace ONE Access.



27 Upgrading to VMware Cloud Foundation 5.2.x on Dell VxRail
The following procedures provide information about upgrading to VMware Cloud Foundation
5.2.x on Dell VxRail.

Note Review the VMware Interoperability Matrix to verify compatibility and upgradability before
planning and starting an upgrade.

You can perform a sequential or skip-level upgrade to VMware Cloud Foundation 5.2.x on Dell
VxRail from VMware Cloud Foundation 4.5 or later. If your environment is at a version earlier than
4.5, you must upgrade the management domain and all VI workload domains to VMware Cloud
Foundation 4.5 or later and then upgrade to VMware Cloud Foundation 5.2.x.

Warning vSphere with Tanzu enabled clusters may require a specific upgrade sequence. See
KB 88962 for more information.

The first step is to download the bundles for each VMware Cloud Foundation on Dell VxRail
component that requires an upgrade. After all of the bundles are available in SDDC Manager,
upgrade the management domain and then your VI workload domains.

n Downloading VMware Cloud Foundation Upgrade Bundles

n Upgrade the Management Domain to VMware Cloud Foundation 5.2.x

n Upgrade VI Workload Domains to VMware Cloud Foundation 5.2.x

Read the following topics next:

n SDDC Manager Functionality During an Upgrade to VMware Cloud Foundation 5.2.x

n vSphere UI Client Plug-ins

n Monitor VMware Cloud Foundation Updates

n View VMware Cloud Foundation Update History

n Access VMware Cloud Foundation Upgrade Log Files

n Downloading VMware Cloud Foundation Upgrade Bundles

n VMware Cloud Foundation Upgrade Prerequisites

n VMware Cloud Foundation 5.2.x Upgrade Overview

n Upgrade the Management Domain to VMware Cloud Foundation 5.2.x


n Upgrade VI Workload Domains to VMware Cloud Foundation 5.2.x

n Independent SDDC Manager Upgrade using the SDDC Manager UI

n Flexible BOM Upgrade in VMware Cloud Foundation

n Patching the Management and Workload Domains

n Troubleshooting for Upgrading VMware Cloud Foundation

SDDC Manager Functionality During an Upgrade to VMware Cloud Foundation 5.2.x
During the upgrade to VMware Cloud Foundation 5.2.x, some SDDC Manager functionality may
be limited during each phase of the upgrade. Prior to initiating the upgrade determine if you will
need to perform any of these tasks.

Upgrade States and Terminology


n Source BOM - Prior to initiating the upgrade all components are at VMware Cloud Foundation
4.5.x, 5.0, or 5.1.

n SDDC Manager only - You have updated SDDC Manager to 5.2, but none of the other BOM
components.

n Split BOM - Management domain or VI Workload Domain is only partially updated to VMware
Cloud Foundation 5.2.

n Mixed 4.5.x/5.x BOM - Some workload domains (Management or VI) have been completely
upgraded to VMware Cloud Foundation 5.2 and at least one VI Workload Domain is at the
Source 4.5.x BOM version.

n Mixed 5.x BOM - Some workload domains (Management or VI) have been completely
upgraded to VMware Cloud Foundation 5.2 and at least one VI Workload Domain is at the
Source 5.0 or 5.1 BOM version.

n Target BOM - All components are at VMware Cloud Foundation 5.2.

When a VMware Cloud Foundation instance is in the Source BOM or Target BOM state, the features
available within SDDC Manager are as expected for that release. However, when the instance is in a
Mixed BOM state, the operations available vary per workload domain, depending on which state the
domain itself is in.

The following table indicates the functions available within SDDC Manager during an upgrade.


Table 27-1. SDDC Manager Functionality During Upgrade

Upgrade state columns: (1) SDDC Manager only, (2) Split BOM, (3) Mixed 4.5.x/5.x BOM, (4) Mixed 5.x BOM

Category                  Feature                                              (1)   (2)   (3)   (4)
Backup / Restore          Configure and perform Backup / Restore               Y     Y     Y     Y
CEIP                      Activate / Deactivate CEIP                           Y     Y     Y     Y
Certificate Management    View/Generate/Upload/Install                         Y     Y     Y     Y
NSX Edge Cluster          Expand edge cluster                                  Y     Y     Y     Y
DNS / NTP configuration   Validate / Configure DNS                             Y     Y     Y     Y
                          Validate / Configure NTP                             Y     Y     Y     Y
Licensing                 Update License Key Information                       Y     Y     Y     Y
                          Add License Key                                      Y     Y     Y     Y
                          Relicensing                                          Y     Y     Y     Y
                          License check                                        Y     Y     Y     Y
LCM                       Connect to VMware or Dell Depot / Download Bundles   Y     Y     Y     Y
                          LCM Pre checks                                       Y     Y     Y     Y
                          Schedule Bundle Download                             Y     Y     Y     Y
                          Install vCenter Patch                                Y     Y     Y     Y
                          Install ESXi Patch                                   Y     Y     Y     Y
                          Install NSX Patch                                    Y     Y     Y     Y
Password Management       Rotate/Update/Retry/Cancel                           Y     Y     Y     Y
User Operations           Add / Remove User / Group                            Y     Y     Y     Y
Workload Domain           Add/Remove ESXi Host                                 Y     Y     Y     Y
                          Add/Remove vSphere Cluster                           Y     Y     Y     Y
                          Add 4.5.x Workload Domain                            Y*    Y*    Y*    N/A
                          Add 5.x Workload Domain in ELM mode                  Y     Y     Y     Y
                          Add 5.x Isolated Workload Domain                     Y     Y     Y     Y
                          Remove 4.5.x Workload Domain                         Y     Y     Y     N/A
                          Remove 5.0 Workload Domain                           Y     Y     Y     Y
                          Stretch a vSphere Cluster                            **    **    **    Y
                          Expand a Stretched vSphere Cluster                   **    **    **    Y
                          Shrink a Stretched vSphere Cluster                   **    **    **    Y

* Only if the management domain is at 4.5.x. Note Contact Broadcom Support for a workaround if the
management domain is at 5.x.

** You cannot stretch, expand, or shrink clusters in 4.5.x workload domains, but you can do so in
5.x workload domains.


vSphere UI Client Plug-ins


Identify all vSphere UI client plug-ins prior to the upgrade.

It may be possible to upgrade some vSphere UI client plug-ins before upgrading to vSphere
8.0. Contact your third-party vendor to determine the best upgrade path.

Monitor VMware Cloud Foundation Updates


You can monitor in-progress updates for VMware Cloud Foundation components.

Procedure

1 In the In-Progress Updates section, click View Status to view the high-level update progress
and the number of components to be updated.

2 Details of the component being updated are shown below that. The image below is an example
and may not reflect the actual versions.

3 Click the arrow to see a list of tasks being performed to update the component. As the task is
completed, it shows a green check mark.

4 When all tasks to update a component have been completed, the update status for the
component is displayed as Updated.


5 If a component fails to be updated, the status is displayed as Failed. The reason for the failure
as well as remediation steps are displayed. The image below is an example and may not
reflect the actual versions in your environment.

6 After you resolve the issues, you can retry the update.

View VMware Cloud Foundation Update History


The Update History page displays all updates applied to a workload domain.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 Click the name of a workload domain and then click the Update History tab.

All updates applied to this workload domain are displayed. If an update bundle was applied
more than once, click View Past Attempts to see more information.

Access VMware Cloud Foundation Upgrade Log Files


You can check the log files for failed upgrades to help troubleshoot and resolve issues.

1 SSH in to the SDDC Manager appliance with the vcf user name and enter the password.

2 To access upgrade logs, navigate to the /var/log/vmware/vcf/lcm directory.

n lcm-debug.log contains debug-level logging information.

n lcm.log contains info-level logging information.

3 To create an sos bundle for support, see Supportability and Serviceability (SoS) Utility in the
VMware Cloud Foundation Administration Guide.

Downloading VMware Cloud Foundation Upgrade Bundles


Before you can upgrade VMware Cloud Foundation, you must download the upgrade bundles for
each VMware Cloud Foundation component that requires an upgrade.


Online and Offline Downloads


If the SDDC Manager appliance can connect to the internet (either directly or through a proxy
server), you can download upgrade bundles from the VMware Depot and the Dell Depot.

If the SDDC Manager appliance cannot connect to the internet, you can use the Bundle Transfer
Utility or connect to an offline depot.

See Public URL list for SDDC Manager for information about the URLs that must be accessible to
download bundles.

Other Bundle Types


In addition to upgrade bundles, VMware Cloud Foundation includes the following bundle types:

n Install Bundles

An install bundle includes software binaries to install VI workload domains (vCenter Server
and NSX) and VMware Aria Suite Lifecycle. You download install bundles using the same
process that you use for upgrade bundles.

n Async Patch Bundles

An async patch bundle allows you to apply critical patches to certain VMware Cloud
Foundation components (NSX Manager, and vCenter Server) when an update or upgrade
bundle is not available. If you are running VMware Cloud Foundation 5.1 or earlier, you
must use the Async Patch Tool to download an async patch bundle. See Async Patch Tool.
Starting with VMware Cloud Foundation 5.2, you can download async patches using the
SDDC Manager UI or Bundle Transfer Utility.

Connect SDDC Manager to a Software Depot for Downloading Bundles
SDDC Manager can connect to a software depot to download software bundles, compatibility
data, and more.

SDDC Manager supports two types of software depots:

n Online depot

n Offline depot

You can only connect SDDC Manager to one type of depot. If SDDC Manager is connected to an
online depot and you configure a connection to an offline depot, the online depot connection is
disabled and deleted.

Prerequisites

To connect to the online depot, SDDC Manager must be able to connect to the internet, either
directly or through a proxy server.


To connect to an offline depot, you must first configure it. See KB 312168 for information about
the requirements and process for creating an offline depot. To download bundles to an offline
depot, see "Download Bundles to an Offline Depot" in the VMware Cloud Foundation Lifecycle
Management Guide.

Procedure

1 In the navigation pane, click Administration > Depot Settings.

2 Connect SDDC Manager to an online depot or an offline depot.

Depot Type   Configuration Steps

Online       1 Click Authenticate for the VMware Depot.
             2 Type your Broadcom Support Portal user name and password.
             3 Type your Dell Depot user name and password.
             4 Click Authenticate.

Offline      1 Click Set Up for the Offline Depot.
             2 Enter the following information for the offline depot:
               n FQDN or IP address
               n Port number
               n User name
               n Password
             3 Click Set Up.


SDDC Manager attempts to connect to the depot. If the connection is successful, SDDC
Manager starts looking for available bundles. To view available bundles, click Lifecycle
Management > Bundle Management and then click the Bundles tab. It may take some time
for all available bundles to appear.

Download Bundles Using SDDC Manager


After you connect SDDC Manager to an online or offline depot, you can view and download
available upgrade bundles.

If SDDC Manager does not have direct internet access, configure a proxy server or use the
Bundle Transfer Utility for offline bundle downloads.

n Configure a Proxy Server for Downloading VMware Cloud Foundation Bundles

n Offline Download of VMware Cloud Foundation 5.2.x Upgrade Bundles

When you download bundles, SDDC Manager verifies that the file size and checksum of the
downloaded bundles match the expected values.

Prerequisites

Connect SDDC Manager to an online or offline depot. See Connect SDDC Manager to a Software
Depot for Downloading Bundles.

Procedure

1 In the navigation pane, click Lifecycle Management > Bundle Management.

2 Click the Bundles tab to view available bundles.

Note If you just connected SDDC Manager to a depot, it can take some time for bundles to
appear.

All available bundles are displayed. Install bundles display an Install Only Bundle label. If the
bundle can be applied right away, the Bundle Details column displays the workload domains
to which the bundle needs to be applied, and the Availability column says Available. If
another bundle must be applied before a particular bundle, the Availability field displays
Future.

To view more information about the bundle, click View Details. The Bundle Details section
displays the bundle version, release date, and additional details about the bundle.

3 For the bundle you want to download, do one of the following:

n Click Download Now for an immediate download.

The bundle download begins right away.

n Click Schedule Download to schedule a download.

Select the date and time for the bundle download and click Schedule.

4 Click the Download History tab to see the downloaded bundles.


Configure a Proxy Server for Downloading VMware Cloud Foundation Bundles


If SDDC Manager does not have direct internet access, you can configure a proxy server
to download bundles. VMware Cloud Foundation 5.2 and later support proxy servers with
authentication.

Procedure

1 In the navigation pane, click Administration > Proxy Settings.

2 Click Set Up Proxy.

3 Toggle the Enable Proxy setting to the on position.

4 Select HTTP or HTTPS.

5 Enter the proxy server IP address and port number.

6 If your proxy server requires authentication, toggle the Authentication setting to the on
position and enter the user name and password.

7 Click Save.

What to do next

You can now download bundles as described in Download Bundles Using SDDC Manager.

Offline Download of VMware Cloud Foundation 5.2.x Upgrade Bundles
If the SDDC Manager appliance does not have access to the VMware Depot and the Dell Depot,
you can use the Bundle Transfer Utility to download the bundles to a different computer and
then upload them to the SDDC Manager appliance.

Using the Bundle Transfer Utility to upgrade to VMware Cloud Foundation 5.2.x involves the
following steps:

n Download the latest version of the Bundle Transfer Utility.

n On a computer with access to the internet, use the Bundle Transfer Utility to download the
bundles and other required files.

n Copy the bundles and other required files to the SDDC Manager appliance.

n On the SDDC Manager appliance, use the Bundle Transfer Utility to upload the bundles and
other required files to the internal LCM repository.

If the computer with internet access can only access the internet using a proxy server, use the
following options when downloading:


Option                 Description

--proxyServer, --ps    Provide the proxy server FQDN and port. For example: --proxyServer proxy.example.com:3128.

--proxyHttps           Add this option if the proxy server uses HTTPS. To use this option, the proxy certificate must be added to the Bundle Transfer Utility JRE default trust store. For example:

                       ./btuJre/lin64/bin/keytool -importcert -file proxy.crt -keystore ./btuJre/lin64/lib/security/cacerts

--proxyUser            For a proxy server that requires authentication, enter the user name.

--proxyPasswordFile    For a proxy server that requires authentication, enter the path to a file where the password for proxy authentication is stored. The file content is used as the proxy password. For example, --proxyPasswordFile ../../password.txt.

Example that combines the options:

./lcm-bundle-transfer-util --download --manifestDownload --depotUser Username --proxyServer proxy.example.com:3128 --proxyUser vmwuser --proxyPasswordFile ../../password.txt --proxyHttps

Prerequisites

n A Windows or Linux computer with internet connectivity (either directly or through a proxy)
for downloading the bundles and other required files.

n Configure TCP keepalive in your SSH client to prevent socket connection timeouts when
using the Bundle Transfer Utility for long-running operations.

Note The Bundle Transfer Utility is the only supported method for downloading bundles. Do not
use third-party tools or other methods to download bundles.

Procedure

1 Download the most recent version of the Bundle Transfer Utility on a computer with internet
access.

a Log in to the Broadcom Support Portal and browse to My Downloads > VMware Cloud
Foundation.

b Click the version of VMware Cloud Foundation to which you are upgrading.

c Click Drivers & Tools.

d Click the download icon for the Bundle Transfer Utility.


e Extract lcm-tools-prod.tar.gz.

f Navigate to lcm-tools-prod/bin/ and confirm that you have execute permission on all
folders.

2 Download bundles and other artifacts to the computer with internet access.

a Download the manifest file.

This is a structured metadata file that contains information about the VMware product
versions included in the release Bill of Materials.

./lcm-bundle-transfer-util --download --manifestDownload --depotUser Username

For --depotUser, enter your Broadcom Support Portal user name.


Note the location to which the Bundle Transfer Utility downloads the manifest. You will
use this as the --sourceManifestDirectory when you upload the manifest. For example:

b Download the compatibility data.

./lcm-bundle-transfer-util --download --compatibilityMatrix --depotUser Username --pdu dell_depot_email

To specify a download location, use --outputDirectory followed by the path to the directory.

c Download the vSAN HCL file.

./lcm-bundle-transfer-util --vsanHclDownload


d Download the upgrade bundles.

./lcm-bundle-transfer-util --download "downloadPartnerBundle" --download "withCompatibilitySets" --outputDirectory absolute-path-output-dir --depotUser customer_connect_email --sv current-vcf-version --p target-vcf-version --pdu dell_depot_email

where

absolute-path-output-dir   Path to the directory where the bundle files should be downloaded. This directory must have 777 permissions. If you do not specify the download directory, bundles are downloaded to the default directory with 777 permissions.

depotUser                  User name for the Broadcom Support Portal. You will be prompted to enter the depot user password. If there are any special characters in the password, specify the password within single quotes.

current-vcf-version        Current version of VMware Cloud Foundation. For example, 4.5.2.0.

target-vcf-version         Target version of VMware Cloud Foundation. For example, 5.2.1.0.

dell_depot_email           Dell depot email address.

e Specify the bundles to download.

Enter one of the following options:

n all

n install

n patch

You can also enter a comma-separated list of bundle names to download specific
bundles. For example: bundle-38371, bundle-38378.
Download progress for each bundle is displayed. Wait until all bundles are downloaded
successfully.

3 Copy the following files/directories to the SDDC Manager appliance.

n Bundle Transfer Utility

n Manifest file

n Compatibility data files (VmwareCompatibilityData.json and VxrailCompatibilityData.json)

n vSAN HCL

n Entire bundle output directory


You can select any location on the SDDC Manager appliance that has enough free space
available. For example, /nfs/vmware/vcf/nfs-mount/.

Note Make sure to copy the entire output directory, including any VxRail bundles and JSON
files.

4 If you downloaded VxRail bundles:

a Copy the partner bundle to the /nfs/vmware/vcf/nfs-mount/bundle/depot/local/bundles
directory on the SDDC Manager appliance.

b Copy partnerBundleMetadata.json to the /nfs/vmware/vcf/nfs-mount/bundle/depot/local
directory on the SDDC Manager appliance.

c Copy softwareCompatibilitySets.json to the /nfs/vmware/vcf/nfs-mount/bundle/depot/local
directory on the SDDC Manager appliance.

d Run the following commands on the SDDC Manager appliance:

chown -R vcf_lcm:vcf /nfs/vmware/vcf/nfs-mount/bundle/depot/local

chmod -R 755 /nfs/vmware/vcf/nfs-mount/bundle/depot/local

5 Copy the bundle transfer utility to the SDDC Manager appliance.

a SSH in to the SDDC Manager appliance using the vcf user account.

b Enter su to switch to the root user.

c Create the lcm-tools directory.

mkdir /opt/vmware/vcf/lcm/lcm-tools

Note If the /opt/vmware/vcf/lcm/lcm-tools directory already exists with an older
version of the Bundle Transfer Utility, you need to delete the contents of the existing
directory before proceeding.

d Copy the Bundle Transfer Utility file (lcm-tools-prod.tar.gz) that you downloaded in
step 1 to the /opt/vmware/vcf/lcm/lcm-tools directory.


e Extract the contents of lcm-tools-prod.tar.gz.

tar -xvf lcm-tools-prod.tar.gz

f Set the permissions for the lcm-tools directory.

cd /opt/vmware/vcf/lcm/

chown vcf_lcm:vcf -R lcm-tools

chmod 750 -R lcm-tools

6 From the SDDC Manager appliance, use the Bundle Transfer Utility to upload the bundles and
artifacts.

a Upload the manifest file.

./lcm-bundle-transfer-util --update --sourceManifestDirectory Manifest-Directory --sddcMgrFqdn FQDN --sddcMgrUser Username

Use your vSphere SSO credentials for the --sddcMgrUser parameter.

b Upload the compatibility files.

./lcm-bundle-transfer-util --update --compatibilityMatrix --inputDirectory compatibility-file-directory --sddcMgrFqdn FQDN --sddcMgrUser Username

c Upload the HCL file.

./lcm-bundle-transfer-util --vsanHclUpload --inputDirectory hcl-file-path --sddcMgrFqdn sddc-manager-fqdn --sddcMgrUser user

d Upload the bundle directory.

./lcm-bundle-transfer-util --upload "uploadPartnerBundle" --bundleDirectory absolute-path-bundle-dir
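The download half of the offline procedure above (step 2, substeps a to d) wrapped in one script, as an added example that is not code from the VMware guide or from the Bundle Transfer Utility. It assumes lcm-bundle-transfer-util is in the current directory, as the guide's own commands do, and that BTU_DRY_RUN=1 prints each command instead of running it; the permission check on the --proxyPasswordFile file is an added precaution, because that file's content is used as the proxy password.

```shell
#!/bin/sh
# Added example (not from the VMware guide or the Bundle Transfer Utility):
# the download half of the offline procedure, steps 2a to 2d, with the
# arguments validated before anything is fetched.
# Assumptions: lcm-bundle-transfer-util sits in the current directory, as the
# guide's commands assume; setting BTU_DRY_RUN=1 prints each command instead
# of running it.
set -eu

BTU="${BTU:-./lcm-bundle-transfer-util}"
: "${BTU_DRY_RUN:=0}"

# A VCF version for --sv or --p is four dotted numeric fields, e.g. 4.5.2.0.
is_vcf_version() {
  case "$1" in
    ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
  esac
  [ $(( $(printf '%s' "$1" | tr -cd '.' | wc -c) )) -eq 3 ]
}

# The content of the --proxyPasswordFile file is the proxy password, so refuse
# a file that group or other users on the download host can read.
check_password_file() {
  [ -f "$1" ] || { echo "password file not found: $1" >&2; return 1; }
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    *00) return 0 ;;
    *) echo "password file $1 is readable by group/other (mode $mode)" >&2; return 1 ;;
  esac
}

# Proxy options from the table above: server, optional user, optional password
# file, and --proxyHttps when the fourth argument is 1. Prints nothing when no
# proxy server is given.
build_proxy_opts() {
  proxy="${1:-}" proxy_user="${2:-}" pw_file="${3:-}" https="${4:-0}"
  [ -n "$proxy" ] || return 0
  opts="--proxyServer $proxy"
  if [ -n "$proxy_user" ]; then opts="$opts --proxyUser $proxy_user"; fi
  if [ -n "$pw_file" ]; then
    check_password_file "$pw_file" || return 1
    opts="$opts --proxyPasswordFile $pw_file"
  fi
  if [ "$https" = 1 ]; then opts="$opts --proxyHttps"; fi
  printf '%s\n' "$opts"
}

# The step 2d command line. Arguments: source version, target version, depot
# user, Dell depot email, output directory, then the build_proxy_opts arguments.
build_bundle_cmd() {
  sv="$1" target="$2" depot_user="$3" dell_email="$4" out_dir="$5"
  shift 5
  is_vcf_version "$sv" || { echo "bad source version: $sv" >&2; return 1; }
  is_vcf_version "$target" || { echo "bad target version: $target" >&2; return 1; }
  [ -d "$out_dir" ] || { echo "output directory missing: $out_dir" >&2; return 1; }
  proxy_opts=$(build_proxy_opts "$@") || return 1
  cmd="$BTU --download downloadPartnerBundle --download withCompatibilitySets"
  cmd="$cmd --outputDirectory $out_dir --depotUser $depot_user --sv $sv --p $target"
  cmd="$cmd --pdu $dell_email"
  if [ -n "$proxy_opts" ]; then cmd="$cmd $proxy_opts"; fi
  printf '%s\n' "$cmd"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$BTU_DRY_RUN" = 1 ]; then printf '[dry-run] %s\n' "$*"; else "$@"; fi
}

# Steps 2a to 2d in order: manifest, compatibility data, vSAN HCL file, bundles.
# Takes the same arguments as build_bundle_cmd and stops at the first failure.
run_offline_download() {
  depot_user="$3" dell_email="$4" out_dir="$5"
  bundle_cmd=$(build_bundle_cmd "$@") || return 1
  shift 5
  proxy_opts=$(build_proxy_opts "$@") || return 1
  # $proxy_opts and $bundle_cmd are word-split on purpose: none of the
  # arguments assembled above contain spaces.
  run "$BTU" --download --manifestDownload --depotUser "$depot_user" $proxy_opts
  run "$BTU" --download --compatibilityMatrix --depotUser "$depot_user" \
    --pdu "$dell_email" --outputDirectory "$out_dir" $proxy_opts
  run "$BTU" --vsanHclDownload $proxy_opts
  run $bundle_cmd
}
```

Run it as run_offline_download 4.5.2.0 5.2.1.0 depot-user dell-depot-email /path/to/output-dir, followed by the proxy server, user, password file and 1 for HTTPS when a proxy is needed.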

Offline Download of Independent SDDC Manager Bundles


Once SDDC Manager is upgraded to 5.2 or later, new functionality is available that allows you
to get the latest SDDC Manager features and security fixes without having to upgrade the entire
VMware Cloud Foundation BOM. This procedure describes using the Bundle Transfer Utility to
download an SDDC Manager bundle released independently of the VMware Cloud Foundation
BOM when SDDC Manager is not connected to an online depot.

An independent SDDC Manager release includes a fourth digit in its version number, for example
SDDC Manager 5.2.0.1.

n On a computer with access to the internet, use the Bundle Transfer Utility to download the
independent SDDC Manager bundle and other required files.


n Copy the bundle and other required files to the SDDC Manager appliance.

n On the SDDC Manager appliance, use the Bundle Transfer Utility to upload the bundle and
other required files to the internal LCM repository.

If the computer with internet access can only access the internet using a proxy server, use the
following options when downloading:

Option                 Description

--proxyServer, --ps    Provide the proxy server FQDN and port. For example: --proxyServer proxy.example.com:3128.

--proxyHttps           Add this option if the proxy server uses HTTPS.

--proxyUser            For a proxy server that requires authentication, enter the user name.

--proxyPasswordFile    For a proxy server that requires authentication, enter the path to a file where the password for proxy authentication is stored. The file content is used as the proxy password. For example, --proxyPasswordFile ../../password.txt.

Example that combines the options:

./lcm-bundle-transfer-util --download --manifestDownload --depotUser Username --proxyServer proxy.example.com:3128 --proxyUser vmwuser --proxyPasswordFile ../../password.txt --proxyHttps

Prerequisites

n A Windows or Linux computer with internet connectivity (either directly or through a proxy)
for downloading the bundles and other required files.

n Configure TCP keepalive in your SSH client to prevent socket connection timeouts when
using the Bundle Transfer Utility for long-running operations.

n The computer with internet connectivity and the SDDC Manager appliance must have the
latest version of the Bundle Transfer Utility installed and configured. See Offline Download of
VMware Cloud Foundation 5.2.x Upgrade Bundles for more information.


Procedure

1 Download bundles and other artifacts to the computer with internet access.

a Download the manifest file.

This is a structured metadata file that contains information about the VMware product
versions included in the release Bill of Materials.

./lcm-bundle-transfer-util --download --manifestDownload --depotUser Username

For --depotUser, enter your Broadcom Support Portal user name.

b Download the compatibility data.

./lcm-bundle-transfer-util --download --compatibilityMatrix --depotUser Username --pdu dell_depot_email

To specify a download location, use --outputDirectory followed by the path to the directory.

c Download the independent SDDC Manager upgrade bundle.

./lcm-bundle-transfer-util --download --sddcMgrVersion four-digit-sddc-version --depotUser Username --outputDirectory absolute-path-output-dir

where

depotUser                  User name for the Broadcom Support Portal. You will be prompted to enter the user password. If there are any special characters in the password, specify the password within single quotes.

four-digit-sddc-version    Target version of SDDC Manager. For example, 5.2.0.1.

absolute-path-output-dir   Path to the directory where the bundle files should be downloaded. This directory must have 777 permissions. If you do not specify the download directory, bundles are downloaded to the default directory with 777 permissions.

Follow the prompts in the Bundle Transfer Utility.

2 Copy the following files/directories to the SDDC Manager appliance.

n Manifest file

n Compatibility data files (VmwareCompatibilityData.json and VxrailCompatibilityData.json)

n Entire bundle output directory


You can select any location on the SDDC Manager appliance that has enough free space
available. For example, /nfs/vmware/vcf/nfs-mount/.


3 From the SDDC Manager appliance, use the Bundle Transfer Utility to upload the bundles and
artifacts.

a Upload the manifest file.

./lcm-bundle-transfer-util --update --sourceManifestDirectory Manifest-Directory --sddcMgrFqdn FQDN --sddcMgrUser Username

Use your vSphere SSO credentials for the --sddcMgrUser parameter.

b Upload the compatibility files.

./lcm-bundle-transfer-util --update --compatibilityMatrix --inputDirectory compatibility-file-directory --sddcMgrFqdn FQDN --sddcMgrUser Username

c Upload the bundle directory.

./lcm-bundle-transfer-util --upload --bundleDirectory absolute-path-bundle-dir

What to do next

After the upload completes successfully, you can use the SDDC Manager UI to upgrade SDDC
Manager. See Independent SDDC Manager Upgrade using the SDDC Manager UI.

Offline Download of Async Patch Bundles


Once SDDC Manager is upgraded to 5.2 or later, a new option for patching VMware Cloud
Foundation components is available in the SDDC Manager UI. This procedure describes using the
Bundle Transfer Utility to download async patches when SDDC Manager is not connected to an
online depot.

Offline download of async patches involves the following steps:

- On a computer with access to the internet, use the Bundle Transfer Utility to download the
  async patch bundle and other required files.

- Copy the bundle and other required files to the SDDC Manager appliance.

- On the SDDC Manager appliance, use the Bundle Transfer Utility to upload the bundle and
  other required files to the internal LCM repository.

If the computer with internet access can only access the internet using a proxy server, use the
following options when downloading:

Option                  Description

--proxyServer, --ps     Provide the proxy server FQDN and port.
                        For example: --proxyServer proxy.example.com:3128.

--proxyHttps            Add this option if the proxy server uses HTTPS.

--proxyUser             For a proxy server that requires authentication, enter the user name.

--proxyPasswordFile     For a proxy server that requires authentication, enter the path to a file where
                        the password for proxy authentication is stored. The file content is used as the
                        proxy password. For example, --proxyPasswordFile ../../password.txt.

Example that combines the options:

./lcm-bundle-transfer-util --download --manifestDownload --depotUser Username --proxyServer proxy.example.com:3128 --proxyUser vmwuser --proxyPasswordFile ../../password.txt --proxyHttps

Prerequisites

- A Windows or Linux computer with internet connectivity (either directly or through a proxy)
  for downloading the bundles and other required files.

- Configure TCP keepalive in your SSH client to prevent socket connection timeouts when
  using the Bundle Transfer Utility for long-running operations.

- The computer with internet connectivity and the SDDC Manager appliance must have the
  latest version of the Bundle Transfer Utility installed and configured. See Offline Download of
  VMware Cloud Foundation 5.2.x Upgrade Bundles for more information.

Procedure

1 Download bundles and other artifacts to the computer with internet access.

a Download the manifest file.

This is a structured metadata file that contains information about the VMware product
versions included in the release Bill of Materials.

./lcm-bundle-transfer-util --download --manifestDownload --depotUser Username

For --depotUser, enter your Broadcom Support Portal user name.

b Download the compatibility data.

./lcm-bundle-transfer-util --download --compatibilityMatrix --depotUser Username --pdu dell_depot_email

To specify a download location, use --outputDirectory followed by the path to the directory.

c Download the product version catalog.

./lcm-bundle-transfer-util --depotUser Username --download productVersionCatalog --outputDirectory directory-path

d List the available async patches.

./lcm-bundle-transfer-util --listAsyncPatchBundles listAsyncPatchPartnerBundle --depotUser Username

e Download an async patch.

./lcm-bundle-transfer-util --download --bundle bundle-number --depotUser Username

For example:

./lcm-bundle-transfer-util --download --bundle bundle-12345 --depotUser user@example.com

2 Copy the following files/directories to the SDDC Manager appliance.

- Manifest file

- Compatibility data files (VmwareCompatibilityData.json and VxrailCompatibilityData.json)

- Entire bundle output directory

You can select any location on the SDDC Manager appliance that has enough free space
available. For example, /nfs/vmware/vcf/nfs-mount/.
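Between step 2 (copy) and step 3 (upload), in this procedure and in the upgrade-bundle procedure above, a quick check that every artifact reached the appliance intact avoids a failed or partial upload into the internal LCM repository. The shell functions below are an added example, not part of this guide or of the Bundle Transfer Utility; the single staging directory, the manifest file name passed as an argument, and the upgrade-bundles directory name are assumptions.

```shell
#!/bin/sh
# Added example; not from the VMware guide or the Bundle Transfer Utility.
# Assumed layout (constructed for this example): one staging directory on the
# SDDC Manager appliance holding the manifest file, VmwareCompatibilityData.json,
# VxrailCompatibilityData.json and the copied bundle output directory named
# upgrade-bundles. Adjust the names if your copy differs.

# Cheap structural check for a JSON document: the first byte must open an
# object or an array. It catches empty files and copies truncated at the start,
# not every possible corruption, so it complements the utility's own checks.
looks_like_json() {
  first=$(head -c 1 "$1" 2>/dev/null)
  case "$first" in
    '{'|'[') return 0 ;;
    *)       return 1 ;;
  esac
}

# verify_offline_staging STAGING_DIR MANIFEST_FILENAME
# Returns 0 when all step 2 artifacts are present and usable, 1 otherwise.
# Every problem found is reported on stderr before the function returns.
verify_offline_staging() {
  staging="$1"
  manifest="$2"
  rc=0

  if [ ! -d "$staging" ]; then
    echo "staging directory not found: $staging" >&2
    return 1
  fi

  # The manifest and both compatibility data files must exist, be non-empty
  # and look like JSON.
  for f in "$manifest" VmwareCompatibilityData.json VxrailCompatibilityData.json; do
    path="$staging/$f"
    if [ ! -s "$path" ]; then
      echo "missing or empty: $path" >&2
      rc=1
    elif ! looks_like_json "$path"; then
      echo "does not look like JSON (truncated copy?): $path" >&2
      rc=1
    fi
  done

  # The bundle output directory must exist and contain at least one file.
  bundledir="$staging/upgrade-bundles"
  if [ ! -d "$bundledir" ]; then
    echo "missing bundle directory: $bundledir" >&2
    rc=1
  elif [ -z "$(find "$bundledir" -type f | head -n 1)" ]; then
    echo "bundle directory is empty: $bundledir" >&2
    rc=1
  fi

  return $rc
}

# upload_commands STAGING_DIR SDDC_FQDN SSO_USER
# Prints the step 3 upload commands with the staging paths filled in, one per
# line, without running them. The utility is assumed to be invoked from its
# own bin directory, as in the guide.
upload_commands() {
  staging="$1"
  fqdn="$2"
  user="$3"
  printf '%s\n' \
    "./lcm-bundle-transfer-util --update --sourceManifestDirectory $staging --sddcMgrFqdn $fqdn --sddcMgrUser $user" \
    "./lcm-bundle-transfer-util --update --compatibilityMatrix --inputDirectory $staging --sddcMgrFqdn $fqdn --sddcMgrUser $user" \
    "./lcm-bundle-transfer-util --upload --bundleDirectory $staging/upgrade-bundles"
}
```

Run verify_offline_staging first and stop if it returns non-zero; upload_commands only prints the commands to review, and for an async patch you still add the --bundle bundle-number and product version catalog steps from this procedure.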

3 From the SDDC Manager appliance, use the Bundle Transfer Utility to upload the bundles and
artifacts.

a Upload the manifest file.

./lcm-bundle-transfer-util --update --sourceManifestDirectory Manifest-Directory --sddcMgrFqdn FQDN --sddcMgrUser Username

Use your vSphere SSO credentials for the --sddcMgrUser parameter.

b Upload the compatibility files.

./lcm-bundle-transfer-util --update --compatibilityMatrix --inputDirectory compatibility-file-directory --sddcMgrFqdn FQDN --sddcMgrUser Username

c Upload the product version catalog.

./lcm-bundle-transfer-util --upload productVersionCatalog --inputDirectory directory-path --sddcMgrFqdn FQDN --sddcMgrUser Username

d Upload the bundle directory.

./lcm-bundle-transfer-util --upload --bundle bundle-number --bundleDirectory absolute-path-bundle-dir

- Replace number with the bundle number you are uploading. For example: 12345 for
  bundle-12345.

- Replace absolute-path-bundle-dir with the path to the location where you copied the
  output directory. For example: /nfs/vmware/vcf/nfs-mount/upgrade-bundles.

What to do next

After the upload completes successfully, you can use the SDDC Manager UI to apply the async
patch. See Patching the Management and Workload Domains.

Offline Download of Flexible BOM Upgrade Bundles


Once SDDC Manager is upgraded to version 5.2 or later, new functionality is introduced to
the upgrade planner that allows you to select specific target versions for each VMware Cloud
Foundation component you want to upgrade. This procedure describes using the Bundle
Transfer Utility to download the bundles for a flexible BOM upgrade when SDDC Manager is
not connected to an online depot.

After you download the bundles, you can use the upgrade planner in the SDDC Manager UI to
select any supported version for each of the VMware Cloud Foundation BOM components. This
includes async patch versions as well as VCF BOM versions.

Offline download of flexible BOM upgrade bundles involves the following steps:

- On a computer with access to the internet, use the Bundle Transfer Utility to download the
  required files.

- Copy the required files to the SDDC Manager appliance.

- On the SDDC Manager appliance, use the Bundle Transfer Utility to upload the required files
  to the internal LCM repository.

- Plan the upgrade using the SDDC Manager UI.

- On the SDDC Manager appliance, use the Bundle Transfer Utility to generate the
  plannerFile.json.

- Copy plannerFile.json to the computer with internet access.

- On the computer with access to the internet, download bundles using plannerFile.json.

- Copy the bundle directory to the SDDC Manager appliance and use the Bundle Transfer
  Utility to upload the bundles to the internal LCM repository.

If the computer with internet access can only access the internet using a proxy server, use the
following options when downloading:

Option                  Description

--proxyServer, --ps     Provide the proxy server FQDN and port.
                        For example: --proxyServer proxy.example.com:3128.

--proxyHttps            Add this option if the proxy server uses HTTPS.

--proxyUser             For a proxy server that requires authentication, enter the user name.

--proxyPasswordFile     For a proxy server that requires authentication, enter the path to a file where
                        the password for proxy authentication is stored. The file content is used as the
                        proxy password. For example, --proxyPasswordFile ../../password.txt.

Example that combines the options:

./lcm-bundle-transfer-util --download --manifestDownload --depotUser Username --proxyServer proxy.example.com:3128 --proxyUser vmwuser --proxyPasswordFile ../../password.txt --proxyHttps

Prerequisites

- A Windows or Linux computer with internet connectivity (either directly or through a proxy)
  for downloading the bundles and other required files.

- A Windows or Linux computer with access to the SDDC Manager appliance for uploading the
  bundles.

- To upload the manifest file from a Windows computer, you must have OpenSSL installed and
  configured.

- Configure TCP keepalive in your SSH client to prevent socket connection timeouts when
  using the Bundle Transfer Utility for long-running operations.

- The computer with internet connectivity and the SDDC Manager appliance must all have the
  latest version of the Bundle Transfer Utility installed and configured. See Offline Download of
  VMware Cloud Foundation 5.2.x Upgrade Bundles for more information.

Procedure

1 Download the required files to the computer with internet access.

./lcm-bundle-transfer-util --download --manifestDownload --depotUser Username --outputDirectory directory-path

The manifest is a structured metadata file that contains information about the VMware
product versions included in the release Bill of Materials.

For --depotUser, enter your Broadcom Support Portal user name.

./lcm-bundle-transfer-util --download --bundleManifests --depotUser Username --bundleManifestsDir directory-path

./lcm-bundle-transfer-util --download --compatibilityMatrix --depotUser Username --pdu dell_depot_email --outputDirectory directory-path

./lcm-bundle-transfer-util --depotUser Username --download productVersionCatalog --outputDirectory directory-path

./lcm-bundle-transfer-util --depotUser Username --download partnerBundleMetadata

2 Copy the entire output directory to the SDDC Manager appliance.

You can select any location on the SDDC Manager appliance that has enough free space
available. For example, /nfs/vmware/vcf/nfs-mount/.

3 On the SDDC Manager appliance, upload/update the files.

./lcm-bundle-transfer-util --update --sourceManifestDirectory directory-path --sddcMgrFqdn FQDN --sddcMgrUser Username

Use your vSphere SSO credentials for the --sddcMgrUser parameter.

./lcm-bundle-transfer-util --upload --bundleManifests --bundleManifestsDir directory-path

./lcm-bundle-transfer-util --update --compatibilityMatrix --inputDirectory directory-path --sddcMgrFqdn FQDN --sddcMgrUser Username

./lcm-bundle-transfer-util --upload productVersionCatalog --inputDirectory directory-path --sddcMgrFqdn FQDN --sddcMgrUser Username

./lcm-bundle-transfer-util --upload partnerBundleMetadata --inputDirectory directory-path --sddcMgrFqdn FQDN --sddcMgrUser Username

4 In the SDDC Manager UI, plan the upgrade.

See Flexible BOM Upgrade in VMware Cloud Foundation.

5 On the SDDC Manager appliance, use the Bundle Transfer Utility to generate a planner file.

./lcm-bundle-transfer-util --generatePlannerFile --sddcMgrUser Username --sddcMgrFqdn FQDN --outputDirectory directory-path --domainNames domain-name -p target-vcf-version

For example:

./lcm-bundle-transfer-util --generatePlannerFile --sddcMgrUser administrator@vsphere.local --sddcMgrFqdn sddc-manager.example.com --outputDirectory /home/vcd --domainNames mgmt-domain -p 5.2.0.0

6 Copy plannerFile.json file to the computer with access to the internet.

7 On the computer with access to the internet, download the bundles using the
plannerFile.json.

./lcm-bundle-transfer-util --download downloadPartnerBundle --plannerFile directory-path --depotUser Username --partnerDepotUser dell_depot_email

8 Copy the entire output directory to the SDDC Manager appliance.

9 If you downloaded VxRail bundles:

a Copy the partner bundle to the /nfs/vmware/vcf/nfs-mount/bundle/depot/local/bundles
directory on the SDDC Manager appliance.

b Copy partnerBundleMetadata.json to the /nfs/vmware/vcf/nfs-mount/bundle/depot/local
directory on the SDDC Manager appliance.

c Copy softwareCompatibilitySets.json to the /nfs/vmware/vcf/nfs-mount/bundle/depot/local
directory on the SDDC Manager appliance.

d Run the following commands on the SDDC Manager appliance:

chown -R vcf_lcm:vcf /nfs/vmware/vcf/nfs-mount/bundle/depot/local

chmod -R 755 /nfs/vmware/vcf/nfs-mount/bundle/depot/local

10 Upload the bundle directory to the SDDC Manager appliance internal LCM repository.

./lcm-bundle-transfer-util --upload "uploadPartnerBundle" --bundleDirectory directory-path

What to do next

In the SDDC Manager UI browse to the Available Updates screen for the workload domain
you are upgrading and click Schedule Update or Update Now to update the first component.
Continue to update the VCF BOM components until they are all updated.

HCL Offline Download for VMware Cloud Foundation


If the SDDC Manager appliance does not have access to the VMware Depot, you can use the
Bundle Transfer Utility to manually download the HCL file from the depot on your local computer
and then upload it to the SDDC Manager appliance.

If the computer with internet access can only access the internet using a proxy server, use the
following options when downloading the HCL:

Option                  Description

--proxyServer, --ps     Provide the proxy server FQDN and port.
                        For example: --proxyServer proxy.example.com:3128.

--proxyHttps            Add this option if the proxy server uses HTTPS.

--proxyUser             For a proxy server that requires authentication, enter the user name.

--proxyPasswordFile     For a proxy server that requires authentication, enter the path to a file where
                        the password for proxy authentication is stored. The file content is used as the
                        proxy password. For example, --proxyPasswordFile ../../password.txt.

Example that combines the options:

./lcm-bundle-transfer-util --vsanHclDownload --outputDirectory output-directory --proxyServer proxy.example.com:3128 --proxyUser vmwuser --proxyPasswordFile ../../password.txt --proxyHttps

Prerequisites

- A Windows or Linux computer with internet connectivity (either directly or through a proxy)
  for downloading the HCL. To upload the HCL file from a Windows computer, you must have
  OpenSSL installed and configured.

- Configure TCP keepalive in your SSH client to prevent socket connection timeouts when
  using the Bundle Transfer Utility for long-running operations.

Note The Bundle Transfer Utility is the only supported method for downloading HCL. Do not use
third-party tools or other methods to download HCL.

Procedure

1 Download the most recent version of the Bundle Transfer Utility on a computer with internet
access.

a Log in to the Broadcom Support Portal and browse to My Downloads > VMware Cloud
Foundation.

b Click the version of VMware Cloud Foundation to which you are upgrading.

c Click Drivers & Tools.

d Click the download icon for the Bundle Transfer Utility.

2 Extract lcm-tools-prod.tar.gz.

3 Navigate to the lcm-tools-prod/bin/ and confirm that you have execute permission on all
folders.

4 Copy the bundle transfer utility to a computer with access to the SDDC Manager appliance
and then copy the bundle transfer utility to the SDDC Manager appliance.

a SSH in to the SDDC Manager appliance using the vcf user account.

b Enter su to switch to the root user.


c Create the lcm-tools directory.

mkdir /opt/vmware/vcf/lcm/lcm-tools

Note If the /opt/vmware/vcf/lcm/lcm-tools directory already exists with an older
version of the Bundle Transfer Utility, you need to delete the contents of the existing
directory before proceeding.

d Copy the Bundle Transfer Utility file (lcm-tools-prod.tar.gz) that you downloaded in
step 1 to the /opt/vmware/vcf/lcm/lcm-tools directory.

e Extract the contents of lcm-tools-prod.tar.gz.

tar -xvf lcm-tools-prod.tar.gz

f Set the permissions for the lcm-tools directory.

cd /opt/vmware/vcf/lcm/

chown vcf_lcm:vcf -R lcm-tools

chmod 750 -R lcm-tools

5 On the computer with internet access, download the HCL file.

./lcm-bundle-transfer-util --vsanHclDownload --outputDirectory output-directory

It can also be downloaded to the default path:

./lcm-bundle-transfer-util --vsanHclDownload

6 Copy the HCL file to the SDDC Manager appliance.

7 From the SDDC Manager appliance, use the Bundle Transfer Utility to upload the HCL file.

./lcm-bundle-transfer-util --vsanHclUpload --inputDirectory hcl-file-path --sddcMgrFqdn sddc-manager-fqdn --sddcMgrUser user

hcl-file-path         Path from which the HCL file is picked up for upload, for example
                      /root/testdownload/vsan/hcl/all.json. If not given, the default
                      (/root/PROD2/vsan/hcl/all.json) is used.

sddc-manager-fqdn     SDDC Manager FQDN. If not given, the default is used.

user                  SDDC Manager user. After this, the tool prompts for the user password.

Download Bundles to an Offline Depot


VMware Cloud Foundation 5.2 and later support an offline depot that you can connect to from
multiple instances of SDDC Manager. Use the Bundle Transfer Utility to download and transfer
bundles to the offline depot and then any SDDC Manager connected to the offline depot can
access the bundles.

You can use the Bundle Transfer Utility to download upgrade bundles and async patch bundles
to the offline depot.

Prerequisites

- Set up an offline depot.

- The offline depot must have:

  - The latest version of the Bundle Transfer Utility. You can download it from the Broadcom
    Support portal.

  - Internet connectivity (either directly or through a proxy) for downloading the bundles and
    other required files.

- Configure TCP keepalive in your SSH client to prevent socket connection timeouts when
  using the Bundle Transfer Utility for long-running operations.

- Connect SDDC Manager to the offline depot. See Connect SDDC Manager to a Software
  Depot for Downloading Bundles.

  Note You can also connect SDDC Manager to the offline depot after you download bundles
  to the offline depot.

Procedure

1 On the computer hosting offline depot, run the following command to download the bundles
required to upgrade VMware Cloud Foundation.

./lcm-bundle-transfer-util --setUpOfflineDepot downloadPartnerBundle -sv vcf-source-version --offlineDepotRootDir offline-depot-root-dir --offlineDepotUrl url:port --depotUser user-name --depotUserPasswordFile path-to-password-file --partnerDepotUser user-name --partnerDepotUserPasswordFile path-to-password-file

For example:

./lcm-bundle-transfer-util --setUpOfflineDepot downloadPartnerBundle -sv 5.0.0.0 --offlineDepotRootDir /var/www --offlineDepotUrl https://10.123.456.78:8282 --depotUser user@example.com --depotUserPasswordFile ../vmw-depot --partnerDepotUser partner@example.com --partnerDepotUserPasswordFile ../partner-depot

2 Run the following command to download async patch bundles to the offline depot:

./lcm-bundle-transfer-util --setUpOfflineDepot --asyncPatches -offlineDepotRootDir offline-depot-root-dir --offlineDepotUrl url:port --depotUser user-name --depotUserPasswordFile path-to-password-file

For example:

./lcm-bundle-transfer-util --setUpOfflineDepot --asyncPatches -offlineDepotRootDir /var/www --offlineDepotUrl https://10.123.456.78:8282 --depotUser user@example.com --depotUserPasswordFile ../vmw-depot

What to do next

After the bundles are available in the offline depot, you can use the SDDC Manager UI to apply
the bundles to workload domains. Multiple instances of SDDC Manager UI can connect to the
same offline depot.

VMware Cloud Foundation Upgrade Prerequisites


Before you upgrade VMware Cloud Foundation, make sure that the following prerequisites are
met.

Table 27-2. Upgrade Prerequisites

Prerequisite                                                 Additional Information

Allocate a temporary IP address for each vCenter Server      [Conditional] When upgrading from VMware Cloud
upgrade                                                      Foundation 4.5.x.
                                                             Required for each vCenter Server upgrade. Must be
                                                             allocated from the management subnet. The IP address
                                                             can be reused.

Obtain updated licenses                                      New licenses required for:
                                                             - vSAN 8.x
                                                             - vSphere 8.x

Verify there are no expired or expiring passwords            Review the password management dashboard in SDDC
                                                             Manager.

Verify there are no expired or expiring certificates         Review the Certificates tab in SDDC Manager for each
                                                             workload domain.

Verify ESXi host TPM module status                           [Conditional] If ESXi hosts have TPM modules in use,
                                                             verify they are running the latest 2.0 firmware. If not in
                                                             use, they must be disabled in the BIOS. See KB 312159.

Verify ESXi hardware is compatible with target version       See ESXi Requirements and VMware Compatibility Guide at
                                                             http://www.vmware.com/resources/compatibility/search.php.

Manually update the vSAN HCL database to ensure that it      See KB 2145116.
is up-to-date.

Back up SDDC Manager, all vCenter Server instances, and      Take file-based backups or image-level backups of SDDC
NSX Manager instances.                                       Manager, all vCenter Servers, and NSX Managers. Take a
                                                             cold snapshot of SDDC Manager.

Make sure that there are no failed workflows in your         Caution If any of these conditions are true, contact
system and none of the VMware Cloud Foundation               VMware Technical Support before starting the upgrade.
resources are in activating or error state.

Review the Release Notes for known issues related to
upgrades.

Deactivate all VMware Cloud Foundation 4.x async             VMware Cloud Foundation 5.0 and later no longer require
patches and run an inventory sync before upgrading.          using the Async Patch Tool to enable upgrades from an
                                                             async-patched VMware Cloud Foundation instance. See
                                                             VMware Cloud Foundation Async Patch Tool Options for
                                                             more information.

Review Operational Impacts of NSX Upgrade in NSX
Upgrade Guide to understand the impact that each
component upgrade might have on your environment.

In the vSphere Client, ensure there are no active alarms
on hosts or vSphere clusters.

Download the upgrade bundles.                                See Downloading VMware Cloud Foundation Upgrade
                                                             Bundles.

VMware Cloud Foundation 5.2.x Upgrade Overview


This section describes the tasks required to perform an upgrade to VMware Cloud Foundation
5.2.x.

VMware Cloud Foundation Upgrade Preparation


Review the VMware Cloud Foundation Upgrade Prerequisites before starting an upgrade.

Management Domain Upgrade


Table 27-3. SDDC Manager Upgrade

Task                                      Applies When                               Additional Information

- Precheck Update - Versions Prior
  to SDDC Manager 5.0
- Perform Update Precheck in
  SDDC Manager

Apply the VMware Cloud Foundation         The initial VMware Cloud Foundation        If the current version of VMware Cloud
Upgrade Bundle                            version is 4.5.x or 5.x                    Foundation is 4.5.x or 5.x, upgrade SDDC
                                                                                     Manager to 5.2.x.

Apply the VMware Cloud Foundation         Once SDDC Manager has been upgraded
Configuration Updates                     to 5.2.x, the configuration updates can
                                          be applied collectively.

Update Compatibility Data with the        [Conditional] Required when using
Bundle Transfer Utility                   offline bundle download

Table 27-4. Upgrade VMware Aria Suite

Task Additional Information

Upgrade VMware Aria Suite Lifecycle for VMware Cloud [Conditional] If VMware Aria Suite Lifecycle is present
Foundation

Upgrade VMware Aria Suite products for VMware Cloud [Conditional] If VMware Aria Suite products are present
Foundation

Table 27-5. Upgrade NSX With Federation

Task                                 Applies When                        Additional Information

Upgrade NSX Global Managers to 4.2   When NSX is deployed in the         - [Conditional] If NSX Federation is present
                                     workload domain with NSX            - Upgrade NSX Global Managers to 4.2 using
                                     Federation configured.                the Global Manager UI
                                                                         - Upgrade the standby global manager, followed
                                                                           by the active global manager
                                                                         - [Conditional] For VI Workload Domain upgrades,
                                                                           if you are upgrading by component rather than
                                                                           by workload domain, upgrade all NSX global
                                                                           managers in your estate now.

Upgrade to NSX 4.2                                                       - Upgrade NSX to 4.2 using SDDC Manager
                                                                         - [Optional] If you are upgrading by component
                                                                           rather than by workload domain, upgrade NSX
                                                                           across all VI workload domains now.
                                                                         - NSX upgrades across VI workload domains can
                                                                           be completed in sequence or up to five in
                                                                           parallel.

Table 27-6. Upgrade NSX Without Federation

Task                 Applies When                        Additional Information

Upgrade to NSX 4.2   When NSX is deployed in the         - Upgrade NSX to 4.2 using SDDC Manager.
                     workload domain and is not using    - [Conditional] For VI Workload Domain upgrades, if you
                     NSX Federation.                       are upgrading by component rather than by workload
                                                           domain, upgrade NSX across all VI workload domains
                                                           now.

Table 27-7. Upgrade vCenter Server

Task                                                   Additional Information

Upgrade vCenter Server for VMware Cloud Foundation     - [Conditional] When upgrading from VMware Cloud Foundation
                                                         4.5.x. Requires a temporary IP address in the management
                                                         subnet.
                                                       - [Conditional] When upgrading to VMware Cloud Foundation
                                                         5.2.1 using vCenter Reduced Downtime Upgrade (RDU).
                                                         Requires a temporary IP address in the management subnet.
                                                       - [Conditional] For VI Workload Domain upgrades, if you are
                                                         upgrading by component rather than by workload domain,
                                                         upgrade vCenter Servers that share an SSO domain across
                                                         all VI workload domains now, in serial order. Isolated
                                                         Workload Domains can be upgraded in parallel.

Table 27-8. Upgrade VxRail Manager and Management Domain vSphere clusters

Task                                                   Additional Information

Upgrade vSAN Witness Host for VMware Cloud Foundation  [Conditional] If the vSphere cluster is a stretched vSAN
                                                       cluster

Upgrade VxRail Manager and ESXi Hosts                  - Choose an approach based on your requirements.
                                                       - [Optional] If you are upgrading by component rather than
                                                         by workload domain, upgrade vSphere clusters across all
                                                         VI workload domains now.

Table 27-9. Post Upgrade Tasks

Task                                            Additional Information

Update Licenses for a Workload Domain           [Conditional] If upgrading from a VMware Cloud Foundation
                                                version prior to 5.0
                                                Update licenses for:
                                                - vSAN 8.x
                                                - vSphere 8.x

Apply Configuration Updates                     [Conditional] If there are configuration updates required

Upgrade vSphere Distributed Switch versions     - [Optional] The upgrade lets the distributed switch take
                                                  advantage of features that are available only in the later
                                                  versions.

Upgrade vSAN on-disk format versions            - The upgrade lets the vSAN cluster take advantage of
                                                  features that are available only in the later versions.
                                                - The upgrade may cause temporary resynchronization traffic
                                                  and use additional space by moving data or rebuilding
                                                  object components to a new data structure.
                                                - These updates can be performed at a time that is most
                                                  convenient for your organization.

VI Workload Domain Upgrade


Table 27-10. Upgrade Precheck

Task                            Additional Information

Perform an upgrade precheck

Table 27-11. Upgrade NSX Without Federation

Task                 Applies When                        Additional Information

Upgrade to NSX 4.2   When NSX is deployed in the         - Upgrade NSX to 4.2 using SDDC Manager.
                     workload domain and is not using    - [Conditional] For VI Workload Domain upgrades, if you
                     NSX Federation.                       are upgrading by component rather than by workload
                                                           domain, upgrade NSX across all VI workload domains
                                                           now.

Table 27-12. Upgrade NSX With Federation

Task                                 Applies When                        Additional Information

Upgrade NSX Global Managers to 4.2   When NSX is deployed in the         - [Conditional] If NSX Federation is present
                                     workload domain with NSX            - Upgrade NSX Global Managers to 4.2 using
                                     Federation configured.                the Global Manager UI
                                                                         - Upgrade the standby global manager, followed
                                                                           by the active global manager
                                                                         - [Conditional] For VI Workload Domain upgrades,
                                                                           if you are upgrading by component rather than
                                                                           by workload domain, upgrade all NSX global
                                                                           managers in your estate now.

Upgrade to NSX 4.2                                                       - Upgrade NSX to 4.2 using SDDC Manager
                                                                         - [Optional] If you are upgrading by component
                                                                           rather than by workload domain, upgrade NSX
                                                                           across all VI workload domains now.
                                                                         - NSX upgrades across VI workload domains can
                                                                           be completed in sequence or up to five in
                                                                           parallel.

Table 27-13. Upgrade vCenter Server

Task                                                   Additional Information

Upgrade vCenter Server for VMware Cloud Foundation     - [Conditional] When upgrading from VMware Cloud Foundation
                                                         4.5.x. Requires a temporary IP address in the management
                                                         subnet.
                                                       - [Conditional] When upgrading to VMware Cloud Foundation
                                                         5.2.1 using vCenter Reduced Downtime Upgrade (RDU).
                                                         Requires a temporary IP address in the management subnet.
                                                       - [Conditional] For VI Workload Domain upgrades, if you are
                                                         upgrading by component rather than by workload domain,
                                                         upgrade vCenter Servers that share an SSO domain across
                                                         all VI workload domains now, in serial order. Isolated
                                                         Workload Domains can be upgraded in parallel.

Table 27-14. Upgrade VxRail Manager and VI Workload Domain vSphere clusters

Task                                                   Additional Information

Upgrade vSAN Witness Host for VMware Cloud Foundation  [Conditional] If the vSphere cluster is a stretched vSAN
                                                       cluster

Upgrade VxRail Manager and ESXi Hosts                  - Choose an approach based on your requirements.
                                                       - [Optional] If you are upgrading by component rather than
                                                         by workload domain, upgrade vSphere clusters across all
                                                         VI workload domains now.

Table 27-15. Post Upgrade Tasks

Task                                            Additional Information

Update Licenses for a Workload Domain           [Conditional] If upgrading from a VMware Cloud Foundation
                                                version prior to 5.0
                                                Update licenses for:
                                                - vSAN 8.x
                                                - vSphere 8.x

Apply Configuration Updates                     [Conditional] If there are configuration updates required

Upgrade vSphere Distributed Switch versions     - [Optional] The upgrade lets the distributed switch take
                                                  advantage of features that are available only in the later
                                                  versions.

Upgrade vSAN on-disk format versions            - The upgrade lets the vSAN cluster take advantage of
                                                  features that are available only in the later versions.
                                                - The upgrade may cause temporary resynchronization traffic
                                                  and use additional space by moving data or rebuilding
                                                  object components to a new data structure.
                                                - These updates can be performed at a time that is most
                                                  convenient for your organization.

Upgrade the Management Domain to VMware Cloud Foundation 5.2.x

To upgrade to VMware Cloud Foundation 5.2.x, the management domain must be at VMware
Cloud Foundation 4.5 or higher. If your environment is at a version lower than 4.5, you must
upgrade the management domain to 4.5 or later and then upgrade to 5.2.x.

Until SDDC Manager is upgraded to version 5.2.x, you must upgrade the management domain
before you upgrade VI workload domains. Once SDDC Manager is at version 5.2 or later, you can
upgrade VI workload domains before or after upgrading the management domain, as long as all
components in the workload domain are compatible.

Upgrade the components in the management domain in the following order:

1 SDDC Manager and VMware Cloud Foundation services.

2 VMware Aria Suite Lifecycle


3 NSX Manager and NSX Global Managers (if applicable).

4 vCenter Server.

5 VxRail Manager and ESXi.

After all upgrades have completed successfully:

1 Remove the VM snapshots you took before starting the update.

2 Take a backup of the newly installed components.

Perform Update Precheck - Versions Prior to SDDC Manager 5.0


If you have not yet upgraded to SDDC Manager 5.0, these are the steps to run a Precheck.
You must perform a precheck before applying an update or upgrade bundle to ensure that your
environment is ready for the update.

If you silence a vSAN Skyline Health alert in the vSphere Client, SDDC Manager skips the related
precheck and indicates which precheck it skipped. Click Restore Precheck to include the silenced
precheck. For example:

You can also silence failed vSAN prechecks in the SDDC Manager UI by clicking Silence
Precheck. Silenced prechecks do not trigger warnings or block upgrades.

Important You should only silence alerts if you know that they are incorrect. Do not silence
alerts for real issues that require remediation.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, click the workload domain where you want to run the
precheck.

3 On the domain summary page, click the Updates/Patches tab. The image below is a sample
screenshot and may not reflect the correct product versions.

4 Click Precheck to validate that the environment is ready to be upgraded.

Once the precheck begins, a message appears indicating the time at which the precheck was
started.

5 Click View Status to see detailed tasks and their status. The image below is a sample
screenshot and may not reflect the correct versions.

6 To see details for a task, click the Expand arrow.

If a precheck task failed, fix the issue, and click Retry Precheck to run the task again. You can
also click Precheck Failed Resources to retry all failed tasks.

7 If the workload domain contains a host that includes pinned VMs, the precheck fails at the
Enter Maintenance Mode step. If the host can enter maintenance mode through vCenter
Server UI, you can suppress this check for NSX and ESXi in VMware Cloud Foundation by
following the steps below.

a Log in to SDDC Manager by using a Secure Shell (SSH) client with the user name vcf and
password you specified in the deployment parameter workbook.

b Open the /opt/vmware/vcf/lcm/lcm-app/conf/application-prod.properties file.

c Add the following lines to the end of the file:

lcm.nsxt.suppress.dry.run.emm.check=true
lcm.esx.suppress.dry.run.emm.check.failures=true

d Restart Lifecycle Management by typing the following command in the console window.

systemctl restart lcm

e After Lifecycle Management is restarted, run the precheck again.

Results

The precheck result is displayed at the top of the Upgrade Precheck Details window. If you click
Exit Details, the precheck result is displayed at the top of the Precheck section in the Updates/
Patches tab.

Ensure that the precheck results are green before proceeding. A failed precheck may cause the
update to fail.

Perform Update Precheck in SDDC Manager


You must perform a precheck in SDDC Manager before applying an update bundle to ensure that
your environment is ready for the update.

Bundle-level pre-checks for vCenter are available in VMware Cloud Foundation.

If you silence a vSAN Skyline Health alert in the vSphere Client, SDDC Manager skips the related
precheck and indicates which precheck it skipped. Click RESTORE PRECHECK to include the
silenced precheck. For example:

You can also silence failed vSAN prechecks in the SDDC Manager UI by clicking Silence
Precheck. Silenced prechecks do not trigger warnings or block upgrades.

Important Only silence alerts if you know that they are incorrect. Do not silence alerts for real
issues that require remediation.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, click the workload domain where you want to run the
precheck.

3 On the domain summary page, click the Updates tab.

(The following image is a sample screenshot and may not reflect current product versions.)

Note It is recommended that you Precheck your workload domain prior to performing an
upgrade.

4 Click RUN PRECHECK to select the components in the workload domain you want to
precheck.

a You can select to run a Precheck only on vCenter or the vSphere cluster. All components
in the workload domain are selected by default. To perform a precheck on certain
components, choose Custom selection.

Note For VMware Cloud Foundation on Dell EMC VxRail, you can run prechecks on
VxRail Manager.

b If there are pending upgrade bundles available, then the "Target Version" dropdown
contains "General Upgrade Readiness" and the available VMware Cloud Foundation
versions to upgrade to. If there is an available VMware Cloud Foundation upgrade
version, there will be extra checks - bundle-level prechecks for hosts, vCenter Server, and
so forth. The version specific prechecks will only run prechecks on components that have
available upgrade bundles downloaded.

5 When the precheck begins, a progress message appears indicating the precheck progress
and the time when the precheck began.

Note Parallel precheck workflows are supported. If you want to precheck multiple domains,
you can repeat steps 1-5 for each of them without waiting for step 5 to finish.

6 Once the Precheck is complete, the report appears. Click through ALL, ERRORS,
WARNINGS, and SILENCED to filter and browse through the results.

7 To see details for a task, click the expander arrow.

If a precheck task failed, fix the issue, and click Retry Precheck to run the task again. You can
also click RETRY ALL FAILED RESOURCES to retry all failed tasks.

8 If the workload domain contains a host that includes pinned VMs, the precheck fails at the
Enter Maintenance Mode step. If the host can enter maintenance mode through vCenter
Server UI, you can suppress this check for NSX and ESXi in VMware Cloud Foundation by
following the steps below.

a Log in to SDDC Manager by using a Secure Shell (SSH) client with the user name vcf and
password.

b Open the /opt/vmware/vcf/lcm/lcm-app/conf/application-prod.properties file.

c Add the following lines to the end of the file:

lcm.nsxt.suppress.dry.run.emm.check=true
lcm.esx.suppress.dry.run.emm.check.failures=true

d Restart Lifecycle Management by typing the following command in the console window.

systemctl restart lcm

e After Lifecycle Management is restarted, run the precheck again.
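Steps c and d above (and step 7 of the pre-5.0 procedure) edit application-prod.properties by hand; the following added shell example, which is not from this guide, performs the same edit idempotently with a backup and adds an off mode that removes the two keys again after the precheck, so the maintenance-mode check is enforced for the real upgrade. The function names, the .bak suffix and the LCM_PROPS override are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the VCF guide: manage the two LCM properties that
# suppress the Enter Maintenance Mode dry-run check for NSX and ESXi. The keys
# and the file path are the ones the guide names; the function names, the .bak
# suffix and the LCM_PROPS override are this example's own choices.

LCM_PROPS="${LCM_PROPS:-/opt/vmware/vcf/lcm/lcm-app/conf/application-prod.properties}"
EMM_KEYS="lcm.nsxt.suppress.dry.run.emm.check lcm.esx.suppress.dry.run.emm.check.failures"

# Escape '.' so a property key can be used literally in a sed/grep pattern.
re_key() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Set key=value in a properties file: rewrite an existing (possibly commented
# out) line for the key, or append one when the key is absent. Idempotent.
set_prop() {
    key="$1"; value="$2"; file="$3"; esc=$(re_key "$key")
    if grep -q "^[#[:space:]]*${esc}[[:space:]]*=" "$file"; then
        sed -i "s|^[#[:space:]]*${esc}[[:space:]]*=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Delete every active line for the key (commented-out lines are left alone).
del_prop() {
    sed -i "/^$(re_key "$1")[[:space:]]*=/d" "$2"
}

# Print the effective value of a key, or nothing when it is unset.
get_prop() {
    grep "^$(re_key "$1")[[:space:]]*=" "$2" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# on  -> suppress the check (step c of the guide, without the restart)
# off -> remove the suppression again once the precheck has been rerun, so
#        the maintenance-mode check applies to the actual upgrade
emm_suppression() {
    mode="$1"; file="${2:-$LCM_PROPS}"
    case "$mode" in
        on|off) ;;
        *) echo "usage: emm_suppression on|off [file]" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "missing properties file: $file" >&2; return 1; }
    # keep a one-off copy of the untouched file for diffing or rollback
    [ -f "$file.bak" ] || cp "$file" "$file.bak"
    for key in $EMM_KEYS; do
        if [ "$mode" = on ]; then
            set_prop "$key" true "$file"
        else
            del_prop "$key" "$file"
        fi
    done
}

# Step d of the guide: restart Lifecycle Management so it reads the file.
restart_lcm() { systemctl restart lcm; }

# Typical sequence on the SDDC Manager appliance (as root):
#   emm_suppression on && restart_lcm    # then rerun the precheck in the UI
#   emm_suppression off && restart_lcm   # after the precheck has passed
```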

Results

The precheck result is displayed at the top of the Upgrade Precheck Details window. If you click
Exit Details, the precheck result is displayed at the top of the Precheck section in the Updates
tab.

Ensure that the precheck results are green before proceeding. Although a failed precheck will
not prevent the upgrade from proceeding, it may cause the update to fail.

Apply the VMware Cloud Foundation 5.2.x Upgrade Bundle


The VMware Cloud Foundation Upgrade bundle upgrades the SDDC Manager appliance and
VMware Cloud Foundation services.

After SDDC Manager is upgraded to 5.2 or later, new functionality is introduced that allows
you to upgrade SDDC Manager without having to upgrade the entire VMware Cloud Foundation
BOM. See Independent SDDC Manager Upgrade using the SDDC Manager UI.

Prerequisites

n Download the VMware Cloud Foundation update bundle for your target release. See
Downloading VMware Cloud Foundation Upgrade Bundles.

n Ensure you have a recent successful backup of SDDC Manager using an external SFTP server.

n Ensure you have taken a snapshot of the SDDC Manager appliance.

n Ensure you have recent successful backups of the components managed by SDDC Manager.

n Perform Update Precheck in SDDC Manager and resolve any issues.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, click the management domain and then click the Updates
tab.

3 In the Available Updates section, select the target VMware Cloud Foundation release or click
Plan Upgrade.

The available options depend on the source version of VMware Cloud Foundation.

n For VMware Cloud Foundation 4.5.x, select the target version.

n For VMware Cloud Foundation 5.x, click Plan Upgrade, select a target version, and click
Confirm.

4 Click Update Now or Schedule Update next to the VMware Cloud Foundation Upgrade
bundle.

5 If you selected Schedule Update, select the date and time for the bundle to be applied and
click Schedule.

If you clicked Update Now, the VMware Cloud Foundation Update Status window displays
the components that will be upgraded and the upgrade status. Click View Update Activity
to view the detailed tasks. After the upgrade is completed, a green bar with a check mark is
displayed.

6 Click Finish.

When the update completes successfully, you are logged out of the SDDC Manager UI and
must log in again.

Apply VMware Cloud Foundation Configuration Updates


VMware Cloud Foundation Configuration Updates identifies and resolves any discrepancies
between the intended/prescribed configuration and the actual configuration, ensuring that the
deployment aligns with the recommended configuration. This process includes reconciling the
configuration for 2nd party software components listed in the VMware Cloud Foundation Bill of
Materials (BOM).

Configuration updates may be required after you apply software updates. Once a configuration
update becomes available, you can apply it immediately or wait until after you have applied all
software updates. Configuration Updates must be performed during a maintenance window.

Configuration Updates can be applied to multiple domains in parallel. However, if a Configuration
Update is in progress, another configuration update on the same domain should not be
attempted.

Note Configuration Updates in VCF detect and reconcile to the prescribed configuration for
the release. Once reconciled, they do not identify subsequent non-compliance arising from
out-of-band changes.

The following configuration updates may become available, depending on your source version of
VMware Cloud Foundation:

Configuration Update: ConfigureVsanHaIsolationAddressesConfigDrift
Description: Configures the vSAN HA network isolation address to use the vSAN vmkernel interface gateway, in conformance with VCF best practices.
Introduced in VCF Version: 4.3.0.0
Resource Type: CLUSTER
Update Type: FIX
Required Minimum Component Versions: vCenter 7.0.3

Configuration Update: ToggleVSanRecommendationConfigDrift
Description: Disables vSAN baseline recommendations for vSAN enabled clusters.
Introduced in VCF Version: 4.4.1.0
Resource Type: CLUSTER
Update Type: FIX
Required Minimum Component Versions: vCenter 7.0.0

Configuration Update: RemoveNfsDatastoreConfigDrift
Description: Removes NFS datastore on hosts.
Introduced in VCF Version: 5.0.0.0
Resource Type: CLUSTER
Update Type: FIX
Required Minimum Component Versions: NA

Configuration Update: CloudAdminRoleConfigDrift
Description: Creates Cloud Admin role in vCenter Server for the management domain.
Introduced in VCF Version: 5.0.0.0
Resource Type: DOMAIN
Update Type: FEATURE
Required Minimum Component Versions: vCenter 7.0.3

Configuration Update: AllowBrokerConfigurationConfigDrift
Description: Adds the config.SDDC.Deployed.AllowBrokerConfiguration advanced property in vCenter Server. This property restricts the user from configuring an external IDP from the vCenter UI in the ELM ring (workload domain vCenters). Configuration is only possible from the management domain vCenter UI and isolated workload domain vCenter UI.
Introduced in VCF Version: 5.1.0.0
Resource Type: DOMAIN
Update Type: FEATURE
Required Minimum Component Versions: vCenter 8.0.2

Configuration Update: ClusterHaSettingsConfigDrift
Description: Removes the das.includeFTcomplianceChecks option from the HA configuration of all clusters in the management domain.
Introduced in VCF Version: 5.1.0.0
Resource Type: DOMAIN
Update Type: FEATURE
Required Minimum Component Versions: vCenter 8.0.1

Configuration Update: ComputeManagerSettingsDrift
Description: Creates an internal NSX service account to enable NSX to vSphere Lifecycle Manager communication.
Introduced in VCF Version: 5.1.0.0
Resource Type: DOMAIN
Update Type: FEATURE
Required Minimum Component Versions: vCenter 7.0.2.00400, NSX 3.1.3.0.0

Configuration Update: DvpgConfigurationDrift
Description: Creates a new distributed virtual port group named VM_MANAGEMENT in the target domain, and migrates all VMs connected to the management port group to this new port group. The purpose of this feature is to allow separation of traffic coming from management VMs and ESXi hosts. VMs migrated: VCSA, SDDC Manager, NSX Manager and Edge VMs.
Introduced in VCF Version: 5.1.0.0
Resource Type: CLUSTER
Update Type: FEATURE
Required Minimum Component Versions: NA

Configuration Update: EsxAdvancedOptionsConfigDrift
Description: Configures the UserVars.SuppressShellWarning property on every ESXi host to false, to enable warnings for ESXi Shell and SSH services.
Introduced in VCF Version: 5.1.0.0
Resource Type: DOMAIN
Update Type: FEATURE
Required Minimum Component Versions: NA

Configuration Update: WorkspaceOneBrokerConfigDrift
Description: Configures BOM components as OIDC relying parties of Workspace ONE Broker in vCenter.
Introduced in VCF Version: 5.1.0.0
Resource Type: DOMAIN
Update Type: FEATURE
Required Minimum Component Versions: vCenter 8.0.2, NSX 4.1.2

Configuration Update: RegisterSDDCmanagerAsVCExtensionConfigDrift
Description: Registers SDDC Manager as an extension in a workload domain vCenter.
Introduced in VCF Version: 5.2.0.0
Resource Type: DOMAIN
Update Type: FEATURE
Required Minimum Component Versions: vCenter 7.0.0

Configuration Update: SddcMgrVxRailServiceAccountConfigDrift
Description: Creates a service account for SDDC Manager to VxRail Manager communication.
Introduced in VCF Version: 5.2.0.0
Resource Type: CLUSTER
Update Type: FEATURE
Required Minimum Component Versions: vCenter 7.0.400

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, click the workload domain name and then click the Updates
tab.

3 Click Run Precheck to run the upgrade precheck.

Resolve any issues before proceeding with the upgrade.

4 Expand Available Configuration Updates, click Apply All.

n FEATURE: Configuration change required for a new feature.

n FIX: Configuration change associated with a fix for a defect.

5 Check the progress of a configuration update by clicking the task in the Tasks panel.

6 After the configuration updates are successfully applied, they will no longer appear in the
table.

Pending Configuration Updates do not block future BOM upgrades.

Upgrade VMware Aria Suite Lifecycle and VMware Aria Suite Products for VMware Cloud Foundation
VMware Cloud Foundation does not manage upgrades for VMware Aria Suite Lifecycle and the
VMware Aria Suite products. Use VMware Aria Suite Lifecycle to upgrade VMware Aria Suite
products.

If you had VMware Aria Suite Lifecycle, VMware Aria Operations for Logs, VMware Aria
Automation, VMware Aria Operations, or Workspace ONE Access in your pre-upgrade
environment, you must upgrade them from VMware Aria Suite Lifecycle.

Use VMware Aria Suite Lifecycle to:

n Download upgrade binaries

n Create snapshots of the virtual appliances

n Run pre-upgrade checks

n Upgrade VMware Aria Suite products

You can upgrade VMware Aria Suite products as new versions become available in VMware
Aria Suite Lifecycle. VMware Aria Suite Lifecycle will only allow upgrades to compatible and
supported versions of VMware Aria Suite products.

Note See the VMware Interoperability Matrix for information about which versions are
supported with your version of VMware Cloud Foundation and KB 88829 for more information
about supported upgrade paths using VMware Aria Suite Lifecycle.

Important The VMware Cloud Foundation 5.2 BOM requires VMware Aria Suite Lifecycle 8.18 or
higher.

Note The VMware Aria Suite of products were formerly known as the vRealize Suite of
products.

Procedure

1 Log in to VMware Aria Suite Lifecycle at https://<aria_suite_lifecycle_manager_fqdn> as the
administrator.

2 Upgrade VMware Aria Suite products.

Upgrade VMware Aria Suite Lifecycle first and then upgrade VMware Aria Suite products.

See “Upgrading VMware Aria Suite Lifecycle and VMware Aria Suite Products” in the VMware
Aria Suite Lifecycle Installation, Upgrade, and Management Guide for your current version of
VMware Aria Suite Lifecycle.

Upgrade NSX for VMware Cloud Foundation in a Federated Environment
If NSX Federation is configured between two VMware Cloud Foundation instances, SDDC
Manager does not manage the lifecycle of the NSX Global Managers. You must manually upgrade
the NSX Global Managers for each instance.

Download NSX Global Manager Upgrade Bundle


SDDC Manager does not manage the lifecycle of the NSX Global Managers. You must download
the NSX upgrade bundle manually to upgrade the NSX Global Managers.

Procedure

1 Log in to the Broadcom Support Portal and browse to My Downloads > VMware NSX.

2 Click the version of NSX to which you are upgrading.

3 Locate the NSX version Upgrade Bundle and verify that the upgrade bundle filename
extension ends with .mub.

The upgrade bundle filename has the following format:
VMware-NSX-upgrade-bundle-versionnumber.buildnumber.mub

4 Click the download icon to download the upgrade bundle to the system where you access
the NSX Global Manager UI.

Upgrade the Upgrade Coordinator for NSX Federation


The upgrade coordinator runs in the NSX Manager. It is a self-contained web application that
orchestrates the upgrade process of hosts, NSX Edge cluster, NSX Controller cluster, and the
management plane.

The upgrade coordinator guides you through the upgrade sequence. You can track the upgrade
process and, if necessary, you can pause and resume the upgrade process from the UI.

Procedure

1 In a web browser, log in to Global Manager for the domain at https://nsx_gm_vip_fqdn/.

2 Select System > Upgrade from the navigation panel.

3 Click Proceed to Upgrade.

4 Navigate to the upgrade bundle .mub file you downloaded or paste the download URL link.

n Click Browse to navigate to the location you downloaded the upgrade bundle file.

n Paste the VMware download portal URL where the upgrade bundle .mub file is located.

5 Click Upload.

When the file is uploaded, the Begin Upgrade button appears.

6 Click Begin Upgrade to upgrade the upgrade coordinator.

Note Upgrade one upgrade coordinator at a time.

7 Read and accept the EULA terms and accept the notification to upgrade the upgrade
coordinator.

8 Click Run Pre-Checks to verify that all NSX components are ready for upgrade.

The pre-check checks for component connectivity, version compatibility, and component
status.

9 Resolve any warning notifications to avoid problems during the upgrade.

Upgrade NSX Global Managers for VMware Cloud Foundation


Manually upgrade the NSX Global Managers when NSX Federation is configured between two
VMware Cloud Foundation instances.

Prerequisites

Before you can upgrade NSX Global Managers, you must upgrade all VMware Cloud Foundation
instances in the NSX Federation, including NSX Local Managers, using SDDC Manager.

Procedure

1 In a web browser, log in to Global Manager for the domain at https://nsx_gm_vip_fqdn/.

2 Select System > Upgrade from the navigation panel.

3 Click Start to upgrade the management plane and then click Accept.

4 On the Select Upgrade Plan page, select Plan Your Upgrade and click Next.

The NSX Manager UI, API, and CLI are not accessible until the upgrade finishes and the
management plane is restarted.

Upgrade NSX for VMware Cloud Foundation 5.2.x


Upgrade NSX in the management domain and VI workload domains. VMware Cloud Foundation
5.2.1 supports in-place host upgrades for clusters that use vSphere Lifecycle Manager baselines.

Until SDDC Manager is upgraded to version 5.2, you must upgrade NSX in the management
domain before you upgrade NSX in a VI workload domain. Once SDDC Manager is at version
5.2 or later, you can upgrade NSX in VI workload domains before or after upgrading NSX in the
management domain.

Upgrading NSX involves the following components:

n Upgrade Coordinator

n NSX Edges/Clusters (if deployed)

n Host clusters

n NSX Manager cluster

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, click the domain you are upgrading and then click the
Updates/Patches tab.

When you upgrade NSX components for a selected VI workload domain, those components
are upgraded for all VI workload domains that share the NSX Manager cluster.

3 Click Precheck to run the upgrade precheck.

Resolve any issues before proceeding with the upgrade.

Note The NSX precheck runs on all VI workload domains in your environment that share the
NSX Manager cluster.

4 For VMware Cloud Foundation 5.2:

a In the Available Updates section, click Update Now or Schedule Update next to the
VMware Software Update for NSX.

b On the NSX Edge Clusters page, select the NSX Edge clusters you want to upgrade and
click Next.

By default, all NSX Edge clusters are upgraded. To select specific NSX Edge clusters,
select the Upgrade only NSX Edge clusters check box and select the Enable edge
selection option. Then select the NSX Edges you want to upgrade.

c On the Host Cluster page, select the host cluster you want to upgrade and click Next.

By default, all host clusters across all workload domains are upgraded. If you want
to select specific host clusters to upgrade, select Custom Selection. Host clusters are
upgraded after all Edge clusters have been upgraded.

Note The NSX Manager cluster is upgraded only if you select all host clusters. If you
have multiple host clusters and choose to upgrade only some of them, you must go
through the NSX upgrade wizard again until all host clusters have been upgraded.

d On the Upgrade Options dialog box, select the upgrade optimizations and click Next.

By default, Edge clusters and host clusters are upgraded in parallel. You can enable
sequential upgrade by selecting the relevant check box.

e If you selected the Schedule Upgrade option, specify the date and time for the NSX
bundle to be applied and click Next.

f On the Review page, review your settings and click Finish.

If you selected Upgrade Now, the NSX upgrade begins and the upgrade components
are displayed. The upgrade view displayed here pertains to the workload domain where
you applied the bundle. Click the link to the associated workload domains to see the
components pertaining to those workload domains. If you selected Schedule Upgrade,
the upgrade begins at the time and date you specified.

5 For VMware Cloud Foundation 5.2.1:

a In the Available Updates section, click the Configure Update button.

b On the NSX Edge Clusters page, select the NSX Edge clusters you want to upgrade and
click Next.

By default, all NSX Edge clusters are upgraded. To select specific NSX Edge clusters,
select the Upgrade only NSX Edge clusters check box and select the Enable edge
selection option. Then select the NSX Edges you want to upgrade.

c On the Host Cluster page, select the host cluster you want to upgrade and click Next.

By default, all host clusters across all workload domains are upgraded. If you want
to select specific host clusters to upgrade, select Custom Selection. Host clusters are
upgraded after all Edge clusters have been upgraded.

Note The NSX Manager cluster is upgraded only if you select all host clusters. If you
have multiple host clusters and choose to upgrade only some of them, you must go
through the NSX upgrade wizard again until all host clusters have been upgraded.

d On the Upgrade Options dialog box, select the upgrade optimizations and click Next.

By default ESXi hosts are placed into maintenance mode during an upgrade. Starting with
VMware Cloud Foundation 5.2.1, in-place upgrades are available for workload domains in
which all the clusters use vSphere Lifecycle Manager baselines. If NSX Manager is shared
between workload domains, in-place upgrade is only available if all the clusters in all
the workload domains that share the NSX Manager use vLCM baselines. If the option is
available, you can select In-place as the upgrade mode to avoid powering off and placing
hosts into maintenance mode before the upgrade.

Note To perform an in-place upgrade, the target NSX version must be the VMware
Cloud Foundation 5.2.1 BOM version or later.

By default, Edge clusters and host clusters are upgraded in parallel. You can enable
sequential upgrade by selecting the relevant check box.

e On the Review page, review your settings and click Run Precheck.

The precheck begins. Resolve any issues until the precheck succeeds.

f After the precheck succeeds, click Schedule Update and select an option.

6 Monitor the upgrade progress. See Monitor VMware Cloud Foundation Updates.

If a component upgrade fails, the failure is displayed across all associated workload domains.
Resolve the issue and retry the failed task.

Results

When all NSX workload components are upgraded successfully, a message with a green
background and check mark is displayed.

Upgrade vCenter Server for VMware Cloud Foundation 5.2.x


The upgrade bundle for VMware vCenter Server is used to upgrade the vCenter Server instances
managed by SDDC Manager. Upgrade vCenter Server in the management domain before
upgrading vCenter Server in VI workload domains.

Prerequisites

n Download the VMware vCenter Server upgrade bundle. See Downloading VMware Cloud
Foundation Upgrade Bundles.

n Take a file-based backup of the vCenter Server appliance before starting the upgrade. See
Manually Back Up vCenter Server.

Note After taking a backup, do not make any changes to the vCenter Server inventory or
settings until the upgrade completes successfully.

n If your workload domain contains Workload Management (vSphere with Tanzu) enabled
clusters, the supported target release depends on the version of Kubernetes (K8s) currently
running in the cluster. Older versions of K8s might require a specific upgrade sequence. See
KB 92227 for more information.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, click the domain you are upgrading and then click the
Updates tab.

3 Click Precheck to run the upgrade precheck.

Resolve any issues before proceeding with the upgrade.

4 Upgrading to VMware Cloud Foundation 5.2:

a In the Available Updates section, click Update Now or Schedule Update next to the
VMware Software Update for vCenter Server.

b Click Confirm to confirm that you have taken a file-based backup of the vCenter Server
appliance before starting the upgrade.

c If you selected Schedule Update, click the date and time for the bundle to be applied and
click Schedule.

d If you are upgrading from VMware Cloud Foundation 4.5.x, enter the details for the
temporary network to be used only during the upgrade. The IP address must be in the
management subnet.

e Review the upgrade settings and click Finish.

5 Upgrading to VMware Cloud Foundation 5.2.1 from VMware Cloud Foundation 5.x:

a In the Available Updates section, click Configure Update.

b Select the upgrade mechanism and click Next.

Option: vCenter Reduced Downtime Upgrade
Description: The reduced downtime upgrade process uses a migration-based approach. In this
approach, a new vCenter Server Appliance is deployed and the current vCenter data and
configuration is copied to it. During the preparation phase of a reduced downtime upgrade, the
source vCenter Server Appliance and all resources remain online. The only downtime occurs when
the source vCenter Server Appliance is stopped, the configuration is switched over to the target
vCenter, and the services are started. The downtime is expected to take approximately 5 minutes
under ideal network, CPU, memory, and storage provisioning.

Note To perform a vCenter Reduced Downtime Upgrade, the target vCenter version must be the
VMware Cloud Foundation 5.2.1 BOM version or later.

Option: vCenter Regular Upgrade
Description: During a regular upgrade, the vCenter Server Appliance is offline for the duration
of the upgrade.

c Select a backup option and click Next.

d For an RDU update, provide a temporary network to be used only during the upgrade
and click Next.

Option: Automatic
Description: Automatically assign network information.

Option: Static
Description: Enter an IP address, subnet mask, and gateway. The IP address must be in the
management subnet.

e Schedule the update and click Next.

Option: For vCenter Reduced Downtime Upgrade
Description: Select scheduling options for the preparation and switchover phases of the upgrade.

Note If you are scheduling the switchover phase, you must allow a minimum of 4 hours between
the start of preparation and the start of switchover.

Option: For vCenter Regular Upgrade
Description: Select Upgrade Now or Schedule Update.

f Review the upgrade settings and click Finish.

6 Upgrading to VMware Cloud Foundation 5.2.1 from VMware Cloud Foundation 4.5.x:

a In the Available Updates section, click Configure Update.

b Enter the details for the temporary network to be used only during the upgrade. The IP
address must be in the management subnet.

c Select a backup option and click Next.

d Schedule the update and click Next.

e Review the upgrade settings and click Finish.

7 Monitor the upgrade progress. See Monitor VMware Cloud Foundation Updates.

8 After the upgrade is complete, remove the old vCenter Server appliance (if applicable).

Note Removing the old vCenter is only required for major upgrades. If you performed a
vCenter RDU patch upgrade, the old vCenter is automatically removed after a successful
upgrade.

If the upgrade fails, resolve the issue and retry the failed task. If you cannot resolve the issue,
restore vCenter Server using the file-based backup. See Restore vCenter Server. vCenter
RDU upgrades perform automatic rollback if the upgrade fails.

What to do next

Once the upgrade successfully completes, use the vSphere Client to change the vSphere DRS
Automation Level setting back to the original value (before you took a file-based backup) for
each vSphere cluster that is managed by the vCenter Server. See KB 87631 for information about
using VMware PowerCLI to change the vSphere DRS Automation Level.

Upgrade VxRail Manager and ESXi Hosts for VMware Cloud Foundation
Use the VxRail upgrade bundle to upgrade VxRail Manager and the ESXi hosts in the workload
domain. Upgrade the management domain first and then VI workload domains.

By default, the upgrade process upgrades the ESXi hosts in all clusters in a workload domain in
parallel. If you have multiple clusters in the management domain or in a VI workload domain, you
can select the clusters to upgrade. You can also choose to upgrade the clusters in parallel or
sequentially.

If you are using external (non-vSAN) storage, the following procedure updates the ESXi hosts
attached to the external storage. However, updating and patching the storage software and
drivers is a manual task and falls outside of SDDC Manager lifecycle management. To ensure
supportability after an ESXi upgrade, consult the vSphere HCL and your storage vendor.

Prerequisites

n Validate that the ESXi passwords are valid.

n Download the VxRail upgrade bundle. See Downloading VMware Cloud Foundation Upgrade
Bundles.

n Ensure that the domain for which you want to perform cluster-level upgrade does not have
any hosts or clusters in an error state. Resolve the error state or remove the hosts and
clusters with errors before proceeding.

Procedure

1 Navigate to the Updates/Patches tab of the workload domain.

2 Click Precheck to run the upgrade precheck.

Resolve any issues before proceeding with the upgrade.

3 In the Available Updates section, select the target release.

4 Click Upgrade Now or Schedule Update.

If you selected Schedule Update, specify the date and time for the bundle to be applied.

5 Select the clusters to upgrade and click Next.

The default setting is to upgrade all clusters. To upgrade specific clusters, click Enable
cluster-level selection and select the clusters to upgrade.

6 Click Next.

7 Select the upgrade options and click Finish.

By default, the selected clusters are upgraded in parallel. If you selected more than five
clusters to be upgraded, the first five are upgraded in parallel and the remaining clusters are
upgraded sequentially. To upgrade all selected clusters sequentially, select Enable sequential
cluster upgrade.

Click Enable Quick Boot if desired. Quick Boot for ESXi hosts is an option that lets vSphere
Lifecycle Manager reduce the upgrade time by skipping the physical reboot of the host.

8 Monitor the upgrade progress. See Monitor VMware Cloud Foundation Updates.

What to do next

Upgrade the vSAN Disk Format for vSAN clusters. The disk format upgrade is optional. Your
vSAN cluster continues to run smoothly if you use a previous disk format version. For best
results, upgrade the objects to use the latest on-disk format. The latest on-disk format provides
the complete feature set of vSAN. See Upgrade vSAN on-disk format versions.

Upgrade vSAN Witness Host for VMware Cloud Foundation


If your VMware Cloud Foundation environment contains stretched clusters, update and
remediate the vSAN witness host.


Prerequisites

Download the ESXi ISO that matches the version listed in the Bill of Materials (BOM) section
of the VMware Cloud Foundation Release Notes.

Procedure

1 In a web browser, log in to vCenter Server at https://vcenter_server_fqdn/ui.

2 Upload the ESXi ISO image file to vSphere Lifecycle Manager.

a Click Menu > Lifecycle Manager.

b Click the Imported ISOs tab.

c Click Import ISO and then click Browse.

d Navigate to the ESXi ISO file you downloaded and click Open.

e After the file is imported, click Close.

3 Create a baseline for the ESXi image.

a On the Imported ISOs tab, select the ISO file that you imported, and click New baseline.

b Enter a name for the baseline and specify the Content Type as Upgrade.

c Click Next.

d Select the ISO file you had imported and click Next.

e Review the details and click Finish.

4 Attach the baseline to the vSAN witness host.

a Click Menu > Hosts and Clusters.

b In the Inventory panel, click vCenter > Datacenter.

c Select the vSAN witness host and click the Updates tab.

d Under Attached Baselines, click Attach > Attach Baseline or Baseline Group.

e Select the baseline that you had created in step 3 and click Attach.

f Click Check Compliance.

After the compliance check is completed, the Status column for the baseline is displayed
as Non-Compliant.

5 Remediate the vSAN witness host.

a Right-click the vSAN witness and click Maintenance Mode > Enter Maintenance Mode.

b Click OK.

c Click the Updates tab.

d Select the baseline that you had created in step 3 and click Remediate.

e In the End user license agreement dialog box, select the check box and click OK.


f In the Remediate dialog box, select the vSAN witness host, and click Remediate.

The remediation process might take several minutes. After the remediation is completed,
the Status column for the baseline is displayed as Compliant.

g Right-click the vSAN witness host and click Maintenance Mode > Exit Maintenance Mode.

h Click OK.

Upgrade vSphere Distributed Switch versions


[Optional] Upgrade the distributed switch to take advantage of features that are available only in
the later versions.

Prerequisites

ESXi and vCenter Upgrades are completed.

Procedure

1 On the vSphere Client Home page, click Networking and navigate to the distributed switch.

2 Right-click the distributed switch and select Upgrade > Upgrade Distributed Switch

3 Select the vSphere Distributed Switch version that you want to upgrade the switch to and
click Next

Results

The vSphere Distributed Switch is successfully upgraded.

Upgrade vSAN on-disk format versions


[Optional] Upgrade the vSAN on-disk format version to take advantage of features that are
available only in the later versions.

n The upgrade may cause temporary resynchronization traffic and use additional space by
moving data or rebuilding object components to a new data structure.

Prerequisites

n ESXi and vCenter Upgrades are completed

n Verify that the disks are in a healthy state. Navigate to the Disk Management page to verify
the object status.

n Verify that your hosts are not in maintenance mode. When upgrading the disk format, do not
place the hosts in maintenance mode.

n Verify that there are no component rebuilding tasks currently in progress in the vSAN cluster.
For information about vSAN resynchronization, see vSphere Monitoring and Performance

Procedure

1 Navigate to the vSAN cluster.


2 Click the Configure tab.

3 Under vSAN, select Disk Management.

4 Click Pre-check Upgrade. The upgrade pre-check analyzes the cluster to uncover any issues
that might prevent a successful upgrade. Some of the items checked are host status, disk
status, network status, and object status. Upgrade issues are displayed in the Disk pre-check
status text box.

5 Click Upgrade.

6 Click Yes on the Upgrade dialog box to perform the upgrade of the on-disk format.

Results

vSAN successfully upgrades the on-disk format. The On-disk Format Version column displays the
disk format version of storage devices in the cluster

Update License Keys for a Workload Domain


If upgrading from a VMware Cloud Foundation version prior to 5.0, you need to update your
license keys to support vSAN 8.x and vSphere 8.x.

You first add the new component license key to SDDC Manager. This must be done once per
license instance. You then apply the license key to the component on a per workload domain
basis.

Prerequisites

You need a new license key for vSAN 8.x and vSphere 8.x. Prior to VMware Cloud Foundation
5.1.1, you must add and update the component license key for each upgraded component in the
SDDC Manager UI as described below.

With VMware Cloud Foundation 5.1.1 and later, you can add a component license key as
described below, or add a solution license key in the vSphere Client. See Managing vSphere
Licenses for information about using a solution license key for VMware ESXi and vCenter Server.
If you are using a solution license key, you must also add a VMware vSAN license key for vSAN
clusters. See Configure License Settings for a vSAN Cluster.

Procedure

1 Add a new component license key to the SDDC Manager inventory.

a In the navigation pane, click Administration > Licensing.

b On the Licensing page, click + License Key.

c Select a product from the drop-down menu.

d Enter the license key.

e Enter a description for the license key.


f Click Add.

g Repeat for each license key to be added.

2 Update a license key for a workload domain component.

a In the navigation pane, click Inventory > Workload Domains.

b On the Workload Domains page, click the domain you are upgrading.

c On the Summary tab, expand the red error banner, and click Update Licenses.

d On the Update Licenses page, click Next.

e Select the products to update and click Next.

f For each product, select a new license key from the list, select the entity to which the
license key should be applied, and click Next.

g On the Review pane, review each license key and click Submit.

The new license keys will be applied to the workload domain. Monitor the task in the
Tasks pane in SDDC Manager.

Upgrade VI Workload Domains to VMware Cloud Foundation 5.2.x

The management domain in your environment must be upgraded before you upgrade VI
workload domains. To upgrade to VMware Cloud Foundation 5.2.x, all VI workload domains in
your environment must be at VMware Cloud Foundation 4.5 or higher. If your environment is at
a version lower than 4.5, you must upgrade the workload domains to 4.5 and then upgrade to
5.2.x.

Within a VI workload domain, components must be upgraded in the following order.

1 NSX.

2 vCenter Server.

3 ESXi.

4 Workload Management on clusters that have vSphere with Tanzu. Workload Management
can be upgraded through vCenter Server. See Updating the vSphere with Tanzu
Environment.

5 If you suppressed the Enter Maintenance Mode prechecks for ESXi or NSX,
delete the following lines from the /opt/vmware/vcf/lcm/lcm-app/conf/application-
prod.properties file and restart the LCM service:

lcm.nsxt.suppress.dry.run.emm.check=true

lcm.esx.suppress.dry.run.emm.check.failures=true

6 If you have stretched clusters in your environment, upgrade the vSAN witness host. See
Upgrade vSAN Witness Host for VMware Cloud Foundation.


After all upgrades have completed successfully:

1 Remove the VM snapshots you took before starting the update.

2 Take a backup of the newly installed components.

Plan VI Workload Domain Upgrade


Before proceeding with a VI workload domain upgrade you must first plan the upgrade to your
target version.

Prerequisites

Upgrade the Management Domain to VMware Cloud Foundation 5.2.x.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, click the workload domain you want to upgrade and click
the Updates tab.

3 Under Available Updates, click PLAN UPGRADE.

4 On the Plan Upgrade for VMware Cloud Foundation screen, select the target version from
the drop-down, and click CONFIRM.

Caution You must upgrade all VI workload domains to VMware Cloud Foundation 5.x.
Upgrading to a higher 4.x release once the management domain has been upgraded to 5.x is
unsupported.

Note If the target version of VMware Cloud Foundation supports multiple versions of VxRail
Manager, the drop-down menu includes separate entries for each combination.

Results

Bundles applicable to the chosen release will be made available to the VI workload domain.


Perform Update Precheck in SDDC Manager


You must perform a precheck in SDDC Manager before applying an update bundle to ensure that
your environment is ready for the update.

Bundle-level pre-checks for vCenter are available in VMware Cloud Foundation.

If you silence a vSAN Skyline Health alert in the vSphere Client, SDDC Manager skips the related
precheck and indicates which precheck it skipped. Click RESTORE PRECHECK to include the
silenced precheck again.

You can also silence failed vSAN prechecks in the SDDC Manager UI by clicking Silence
Precheck. Silenced prechecks do not trigger warnings or block upgrades.

Important Only silence alerts if you know that they are incorrect. Do not silence alerts for real
issues that require remediation.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, click the workload domain where you want to run the
precheck.

3 On the domain summary page, click the Updates tab.


Note It is recommended that you Precheck your workload domain prior to performing an
upgrade.


4 Click RUN PRECHECK to select the components in the workload domain you want to
precheck.

a All components in the workload domain are selected by default. To run the precheck only
on certain components, such as vCenter Server or a vSphere cluster, choose Custom
selection.

Note For VMware Cloud Foundation on Dell EMC VxRail, you can run prechecks on
VxRail Manager.

b If upgrade bundles are available, the Target Version drop-down contains General Upgrade
Readiness and the VMware Cloud Foundation versions you can upgrade to. Selecting a
VMware Cloud Foundation version adds bundle-level prechecks for hosts, vCenter Server,
and so forth. These version-specific prechecks run only on components for which an
upgrade bundle has been downloaded.


5 When the precheck begins, a progress message appears indicating the precheck progress
and the time when the precheck began.

Note Parallel precheck workflows are supported. If you want to precheck multiple domains,
you can repeat steps 1-5 for each of them without waiting for step 5 to finish.

6 Once the Precheck is complete, the report appears. Click through ALL, ERRORS,
WARNINGS, and SILENCED to filter and browse through the results.

7 To see details for a task, click the expander arrow.

If a precheck task failed, fix the issue, and click Retry Precheck to run the task again. You can
also click RETRY ALL FAILED RESOURCES to retry all failed tasks.

8 If the workload domain contains a host that includes pinned VMs, the precheck fails at the
Enter Maintenance Mode step. If the host can enter maintenance mode through vCenter
Server UI, you can suppress this check for NSX and ESXi in VMware Cloud Foundation by
following the steps below.

a Log in to SDDC Manager by using a Secure Shell (SSH) client with the vcf user name and
password.

b Open the /opt/vmware/vcf/lcm/lcm-app/conf/application-prod.properties file.

c Add the following lines to the end of the file:

lcm.nsxt.suppress.dry.run.emm.check=true

lcm.esx.suppress.dry.run.emm.check.failures=true


d Restart Lifecycle Management by typing the following command in the console window.

systemctl restart lcm

e After Lifecycle Management is restarted, run the precheck again.
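The property edit in step 8 and its reversal after the upgrade (the cleanup step in Upgrade VI
Workload Domains to VMware Cloud Foundation 5.2.x, which deletes the same two lines and
restarts LCM) are both hand edits to a configuration file that SDDC Manager trusts, so it pays to
make them idempotent and auditable. The following shell functions are an added example, not
part of this guide or of SDDC Manager: they report whether the suppression is in effect, add the
two keys exactly once after taking a backup, and remove them again. They assume the vcf user
can sudo to write the file and restart the service, and that LCM_PROPS (a variable assumed here
only so the functions can be exercised against a scratch file) is unset on a real appliance.
Security note: while the keys are set, the precheck no longer verifies that hosts can actually enter
maintenance mode, so confirm that in vCenter Server first and remove the keys as soon as the
upgrade completes.

```shell
#!/bin/sh
# Added example (not part of VMware Cloud Foundation or this guide): manage the
# two LCM properties that suppress the Enter Maintenance Mode dry-run prechecks.
# Assumptions: runs on the SDDC Manager appliance as the vcf user, the file path
# is the one named in the procedure, and "sudo systemctl restart lcm" is allowed.
# LCM_PROPS is an assumed override so the functions can be tested on a copy.

PROPS="${LCM_PROPS:-/opt/vmware/vcf/lcm/lcm-app/conf/application-prod.properties}"
NSX_KEY="lcm.nsxt.suppress.dry.run.emm.check"
ESX_KEY="lcm.esx.suppress.dry.run.emm.check.failures"

# emm_status FILE: prints "suppressed" when both keys are set to true,
# otherwise "enforced" (the default, safe state).
emm_status() {
  f="$1"; n=0
  for k in "$NSX_KEY" "$ESX_KEY"; do
    if grep -q "^${k}=true[[:space:]]*$" "$f"; then n=$((n + 1)); fi
  done
  if [ "$n" -eq 2 ]; then echo suppressed; else echo enforced; fi
}

# emm_suppress FILE: append the two keys once (idempotent) after taking a
# timestamped backup so the change can be diffed or rolled back.
emm_suppress() {
  f="$1"
  cp -p "$f" "$f.$(date +%Y%m%d%H%M%S).bak"
  # make sure the last existing line is newline-terminated before appending
  if [ -n "$(tail -c 1 "$f")" ]; then echo >> "$f"; fi
  for k in "$NSX_KEY" "$ESX_KEY"; do
    if ! grep -q "^${k}=" "$f"; then printf '%s=true\n' "$k" >> "$f"; fi
  done
}

# emm_restore FILE: remove both keys so the precheck is enforced again.
# Writing through cat keeps the file's owner and mode intact.
emm_restore() {
  f="$1"
  tmp="$(mktemp)"
  grep -v -e "^${NSX_KEY}=" -e "^${ESX_KEY}=" "$f" > "$tmp" || :
  cat "$tmp" > "$f"
  rm -f "$tmp"
}

restart_lcm() { sudo systemctl restart lcm; }

case "${1:-}" in
  status)   emm_status "$PROPS" ;;
  suppress) emm_suppress "$PROPS" && restart_lcm ;;
  restore)  emm_restore "$PROPS" && restart_lcm ;;
  *)        : ;;   # no argument: only define the functions
esac
```

Run `sh emm-check.sh status` before each upgrade cycle to confirm the checks are enforced.
`suppress` and `restore` both restart the LCM service, so run them only when no upgrade task
is in progress.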

Results

The precheck result is displayed at the top of the Upgrade Precheck Details window. If you click
Exit Details, the precheck result is displayed at the top of the Precheck section in the Updates
tab.

Ensure that the precheck results are green before proceeding. Although a failed precheck will
not prevent the upgrade from proceeding, it may cause the update to fail.

Upgrade NSX for VMware Cloud Foundation in a Federated Environment

If NSX Federation is configured between two VMware Cloud Foundation instances, SDDC
Manager does not manage the lifecycle of the NSX Global Managers. You must manually upgrade
the NSX Global Managers for each instance.

Download NSX Global Manager Upgrade Bundle


SDDC Manager does not manage the lifecycle of the NSX Global Managers. You must download
the NSX upgrade bundle manually to upgrade the NSX Global Managers.

Procedure

1 Log in to the Broadcom Support Portal and browse to My Downloads > VMware NSX.

2 Click the version of NSX to which you are upgrading.

3 Locate the NSX version Upgrade Bundle and verify that the upgrade bundle filename
extension ends with .mub.

The upgrade bundle filename has the following format:
VMware-NSX-upgrade-bundle-versionnumber.buildnumber.mub.

4 Click the download icon to download the upgrade bundle to the system where you access
the NSX Global Manager UI.
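Because the Global Manager bundle is fetched by hand and then uploaded through the UI, nothing
in SDDC Manager validates it for you. The following shell check is an added example, not from
this guide or from NSX: it confirms that the file name matches the pattern above and that the
file's SHA-256 digest equals the value you copied from the download page. It assumes the
Broadcom Support Portal publishes a SHA-256 digest for the bundle (copy it alongside the file)
and that sha256sum or shasum is available on the workstation. The sample file name in the usage
line is constructed, not a real release.

```shell
#!/bin/sh
# Added example (not from the guide or from NSX): sanity-check a downloaded
# NSX upgrade bundle before uploading it to the Global Manager.
# Assumption: the expected digest is the SHA-256 shown beside the download on
# the support portal, copied by the operator.

# nsx_bundle_name_ok FILE: 0 if the basename looks like
# VMware-NSX-upgrade-bundle-<version>.<build>.mub
nsx_bundle_name_ok() {
  case "$(basename -- "$1")" in
    VMware-NSX-upgrade-bundle-[0-9]*.[0-9]*.mub) return 0 ;;
    *) return 1 ;;
  esac
}

# sha256_of FILE: hex digest, using whichever tool the workstation has
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum -- "$1"
  else
    shasum -a 256 -- "$1"
  fi | cut -d ' ' -f 1
}

# nsx_bundle_digest_ok FILE EXPECTED: 0 if the digest matches (hex case ignored)
nsx_bundle_digest_ok() {
  actual="$(sha256_of "$1")"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [ "$actual" = "$expected" ]
}

# nsx_bundle_check FILE EXPECTED: prints a verdict; returns 0 only when both
# the name and the digest check out, so a wrong or tampered file is refused.
nsx_bundle_check() {
  if ! nsx_bundle_name_ok "$1"; then
    echo "reject: unexpected filename $(basename -- "$1")"; return 1
  fi
  if ! nsx_bundle_digest_ok "$1" "$2"; then
    echo "reject: SHA-256 mismatch for $(basename -- "$1")"; return 1
  fi
  echo "ok: $(basename -- "$1")"
}

# usage: sh nsx-bundle-check.sh VMware-NSX-upgrade-bundle-<version>.<build>.mub <digest>
if [ $# -eq 2 ]; then nsx_bundle_check "$1" "$2"; fi
```

A non-zero exit means the file should not be uploaded; re-download it and compare the digest
again before continuing with the upgrade coordinator.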

Upgrade the Upgrade Coordinator for NSX Federation


The upgrade coordinator runs in the NSX Manager. It is a self-contained web application that
orchestrates the upgrade process of hosts, NSX Edge cluster, NSX Controller cluster, and the
management plane.

The upgrade coordinator guides you through the upgrade sequence. You can track the upgrade
process and, if necessary, you can pause and resume the upgrade process from the UI.

Procedure

1 In a web browser, log in to Global Manager for the domain at https://nsx_gm_vip_fqdn/.


2 Select System > Upgrade from the navigation panel.

3 Click Proceed to Upgrade.

4 Navigate to the upgrade bundle .mub file you downloaded or paste the download URL link.

n Click Browse to navigate to the location you downloaded the upgrade bundle file.

n Paste the VMware download portal URL where the upgrade bundle .mub file is located.

5 Click Upload.

When the file is uploaded, the Begin Upgrade button appears.

6 Click Begin Upgrade to upgrade the upgrade coordinator.

Note Upgrade one upgrade coordinator at a time.

7 Read and accept the EULA terms and accept the notification to upgrade the upgrade
coordinator.

8 Click Run Pre-Checks to verify that all NSX components are ready for upgrade.

The pre-check checks for component connectivity, version compatibility, and component
status.

9 Resolve any warning notifications to avoid problems during the upgrade.

Upgrade NSX Global Managers for VMware Cloud Foundation


Manually upgrade the NSX Global Managers when NSX Federation is configured between two
VMware Cloud Foundation instances.

Prerequisites

Before you can upgrade NSX Global Managers, you must upgrade all VMware Cloud Foundation
instances in the NSX Federation, including NSX Local Managers, using SDDC Manager.

Procedure

1 In a web browser, log in to Global Manager for the domain at https://nsx_gm_vip_fqdn/.

2 Select System > Upgrade from the navigation panel.

3 Click Start to upgrade the management plane and then click Accept.

4 On the Select Upgrade Plan page, select Plan Your Upgrade and click Next.

The NSX Manager UI, API, and CLI are not accessible until the upgrade finishes and the
management plane is restarted.

Upgrade NSX for VMware Cloud Foundation 5.2.x


Upgrade NSX in the management domain and VI workload domains. VMware Cloud Foundation
5.2.1 supports in-place host upgrades for clusters that use vSphere Lifecycle Manager baselines.


Until SDDC Manager is upgraded to version 5.2, you must upgrade NSX in the management
domain before you upgrade NSX in a VI workload domain. Once SDDC Manager is at version
5.2 or later, you can upgrade NSX in VI workload domains before or after upgrading NSX in the
management domain.

Upgrading NSX involves the following components:

n Upgrade Coordinator

n NSX Edges/Clusters (if deployed)

n Host clusters

n NSX Manager cluster

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, click the domain you are upgrading and then click the
Updates/Patches tab.

When you upgrade NSX components for a selected VI workload domain, those components
are upgraded for all VI workload domains that share the NSX Manager cluster.

3 Click Precheck to run the upgrade precheck.

Resolve any issues before proceeding with the upgrade.

Note The NSX precheck runs on all VI workload domains in your environment that share the
NSX Manager cluster.

4 For VMware Cloud Foundation 5.2:

a In the Available Updates section, click Update Now or Schedule Update next to the
VMware Software Update for NSX.

b On the NSX Edge Clusters page, select the NSX Edge clusters you want to upgrade and
click Next.

By default, all NSX Edge clusters are upgraded. To select specific NSX Edge clusters,
select the Upgrade only NSX Edge clusters check box and select the Enable edge
selection option. Then select the NSX Edges you want to upgrade.


c On the Host Cluster page, select the host clusters you want to upgrade and click Next.

By default, all host clusters across all workload domains are upgraded. If you want
to select specific host clusters to upgrade, select Custom Selection. Host clusters are
upgraded after all Edge clusters have been upgraded.

Note The NSX Manager cluster is upgraded only if you select all host clusters. If you
have multiple host clusters and choose to upgrade only some of them, you must go
through the NSX upgrade wizard again until all host clusters have been upgraded.

d On the Upgrade Options dialog box, select the upgrade optimizations and click Next.

By default, Edge clusters and host clusters are upgraded in parallel. You can enable
sequential upgrade by selecting the relevant check box.

e If you selected the Schedule Upgrade option, specify the date and time for the NSX
bundle to be applied and click Next.

f On the Review page, review your settings and click Finish.

If you selected Upgrade Now, the NSX upgrade begins and the upgrade components
are displayed. The upgrade view displayed here pertains to the workload domain where
you applied the bundle. Click the link to the associated workload domains to see the
components pertaining to those workload domains. If you selected Schedule Upgrade,
the upgrade begins at the time and date you specified.

5 For VMware Cloud Foundation 5.2.1:

a In the Available Updates section, click the Configure Update button.

b On the NSX Edge Clusters page, select the NSX Edge clusters you want to upgrade and
click Next.

By default, all NSX Edge clusters are upgraded. To select specific NSX Edge clusters,
select the Upgrade only NSX Edge clusters check box and select the Enable edge
selection option. Then select the NSX Edges you want to upgrade.

c On the Host Cluster page, select the host clusters you want to upgrade and click Next.

By default, all host clusters across all workload domains are upgraded. If you want
to select specific host clusters to upgrade, select Custom Selection. Host clusters are
upgraded after all Edge clusters have been upgraded.

Note The NSX Manager cluster is upgraded only if you select all host clusters. If you
have multiple host clusters and choose to upgrade only some of them, you must go
through the NSX upgrade wizard again until all host clusters have been upgraded.


d On the Upgrade Options dialog box, select the upgrade optimizations and click Next.

By default ESXi hosts are placed into maintenance mode during an upgrade. Starting with
VMware Cloud Foundation 5.2.1, in-place upgrades are available for workload domains in
which all the clusters use vSphere Lifecycle Manager baselines. If NSX Manager is shared
between workload domains, in-place upgrade is only available if all the clusters in all
the workload domains that share the NSX Manager use vLCM baselines. If the option is
available, you can select In-place as the upgrade mode to avoid powering off and placing
hosts into maintenance mode before the upgrade.

Note To perform an in-place upgrade, the target NSX version must be the VMware
Cloud Foundation 5.2.1 BOM version or later.

By default, Edge clusters and host clusters are upgraded in parallel. You can enable
sequential upgrade by selecting the relevant check box.

e On the Review page, review your settings and click Run Precheck.

The precheck begins. Resolve any issues until the precheck succeeds.

f After the precheck succeeds, click Schedule Update and select an option.

6 Monitor the upgrade progress. See Monitor VMware Cloud Foundation Updates.

If a component upgrade fails, the failure is displayed across all associated workload domains.
Resolve the issue and retry the failed task.

Results

When all NSX workload components are upgraded successfully, a message with a green
background and check mark is displayed.

Upgrade vCenter Server for VMware Cloud Foundation 5.2.x


The upgrade bundle for VMware vCenter Server is used to upgrade the vCenter Server instances
managed by SDDC Manager. Upgrade vCenter Server in the management domain before
upgrading vCenter Server in VI workload domains.

Prerequisites

n Download the VMware vCenter Server upgrade bundle. See Downloading VMware Cloud
Foundation Upgrade Bundles.

n Take a file-based backup of the vCenter Server appliance before starting the upgrade. See
Manually Back Up vCenter Server.

Note After taking a backup, do not make any changes to the vCenter Server inventory or
settings until the upgrade completes successfully.


n If your workload domain contains Workload Management (vSphere with Tanzu) enabled
clusters, the supported target release depends on the version of Kubernetes (K8s) currently
running in the cluster. Older versions of K8s might require a specific upgrade sequence. See
KB 92227 for more information.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, click the domain you are upgrading and then click the
Updates tab.

3 Click Precheck to run the upgrade precheck.

Resolve any issues before proceeding with the upgrade.

4 Upgrading to VMware Cloud Foundation 5.2:

a In the Available Updates section, click Update Now or Schedule Update next to the
VMware Software Update for vCenter Server.

b Click Confirm to confirm that you have taken a file-based backup of the vCenter Server
appliance before starting the upgrade.

c If you selected Schedule Update, click the date and time for the bundle to be applied and
click Schedule.

d If you are upgrading from VMware Cloud Foundation 4.5.x, enter the details for the
temporary network to be used only during the upgrade. The IP address must be in the
management subnet.

e Review the upgrade settings and click Finish.


5 Upgrading to VMware Cloud Foundation 5.2.1 from VMware Cloud Foundation 5.x:

a In the Available Updates section, click Configure Update.

b Select the upgrade mechanism and click Next.

vCenter Reduced Downtime Upgrade
   The reduced downtime upgrade process uses a migration-based approach: a new
   vCenter Server Appliance is deployed and the current vCenter data and
   configuration are copied to it. During the preparation phase, the source
   vCenter Server Appliance and all resources remain online. The only downtime
   occurs when the source vCenter Server Appliance is stopped, the configuration
   is switched over to the target vCenter, and the services are started. The
   downtime is expected to take approximately 5 minutes under ideal network,
   CPU, memory, and storage provisioning.

   Note To perform a vCenter Reduced Downtime Upgrade, the target vCenter
   version must be the VMware Cloud Foundation 5.2.1 BOM version or later.

vCenter Regular Upgrade
   During a regular upgrade, the vCenter Server Appliance is offline for the
   duration of the upgrade.

c Select a backup option and click Next.

d For an RDU update, provide a temporary network to be used only during the upgrade
and click Next.

Automatic
   Automatically assign network information.

Static
   Enter an IP address, subnet mask, and gateway. The IP address must be in
   the management subnet.

e Schedule the update and click Next.

For vCenter Reduced Downtime Upgrade
   Select scheduling options for the preparation and switchover phases of the
   upgrade.

   Note If you are scheduling the switchover phase, you must allow a minimum
   of 4 hours between the start of preparation and the start of switchover.

For vCenter Regular Upgrade
   Select Upgrade Now or Schedule Update.

f Review the upgrade settings and click Finish.


6 Upgrading to VMware Cloud Foundation 5.2.1 from VMware Cloud Foundation 4.5.x:

a In the Available Updates section, click Configure Update.

b Enter the details for the temporary network to be used only during the upgrade. The IP
address must be in the management subnet.

c Select a backup option and click Next.

d Schedule the update and click Next.

e Review the upgrade settings and click Finish.

7 Monitor the upgrade progress. See Monitor VMware Cloud Foundation Updates.

8 After the upgrade is complete, remove the old vCenter Server appliance (if applicable).

Note Removing the old vCenter is only required for major upgrades. If you performed a
vCenter RDU patch upgrade, the old vCenter is automatically removed after a successful
upgrade.

If the upgrade fails, resolve the issue and retry the failed task. If you cannot resolve the issue,
restore vCenter Server using the file-based backup. See Restore vCenter Server. vCenter
RDU upgrades perform automatic rollback if the upgrade fails.

What to do next

Once the upgrade successfully completes, use the vSphere Client to change the vSphere DRS
Automation Level setting back to the original value (before you took a file-based backup) for
each vSphere cluster that is managed by the vCenter Server. See KB 87631 for information about
using VMware PowerCLI to change the vSphere DRS Automation Level.

Upgrade VxRail Manager and ESXi Hosts for VMware Cloud Foundation

Use the VxRail upgrade bundle to upgrade VxRail Manager and the ESXi hosts in the workload
domain. Upgrade the management domain first and then VI workload domains.

By default, the upgrade process upgrades the ESXi hosts in all clusters in a workload domain in
parallel. If you have multiple clusters in the management domain or in a VI workload domain, you
can select the clusters to upgrade. You can also choose to upgrade the clusters in parallel or
sequentially.

If you are using external (non-vSAN) storage, the following procedure updates the ESXi hosts
attached to the external storage. However, updating and patching the storage software and
drivers is a manual task and falls outside of SDDC Manager lifecycle management. To ensure
supportability after an ESXi upgrade, consult the vSphere HCL and your storage vendor.

Prerequisites

n Validate that the ESXi passwords are valid.


n Download the VxRail upgrade bundle. See Downloading VMware Cloud Foundation Upgrade
Bundles.

n Ensure that the domain for which you want to perform cluster-level upgrade does not have
any hosts or clusters in an error state. Resolve the error state or remove the hosts and
clusters with errors before proceeding.

Procedure

1 Navigate to the Updates/Patches tab of the workload domain.

2 Click Precheck to run the upgrade precheck.

Resolve any issues before proceeding with the upgrade.

3 In the Available Updates section, select the target release.

4 Click Upgrade Now or Schedule Update.

If you selected Schedule Update, specify the date and time for the bundle to be applied.

5 Select the clusters to upgrade and click Next.

The default setting is to upgrade all clusters. To upgrade specific clusters, click Enable
cluster-level selection and select the clusters to upgrade.

6 Click Next.

7 Select the upgrade options and click Finish.

By default, the selected clusters are upgraded in parallel. If you selected more than five
clusters to be upgraded, the first five are upgraded in parallel and the remaining clusters are
upgraded sequentially. To upgrade all selected clusters sequentially, select Enable sequential
cluster upgrade.

Click Enable Quick Boot if desired. Quick Boot for ESXi hosts is an option that lets vSphere
Lifecycle Manager reduce the upgrade time by skipping the physical reboot of the host.

8 Monitor the upgrade progress. See Monitor VMware Cloud Foundation Updates.

What to do next

Upgrade the vSAN Disk Format for vSAN clusters. The disk format upgrade is optional. Your
vSAN cluster continues to run smoothly if you use a previous disk format version. For best
results, upgrade the objects to use the latest on-disk format. The latest on-disk format provides
the complete feature set of vSAN. See Upgrade vSAN on-disk format versions.

Upgrade vSAN Witness Host for VMware Cloud Foundation


If your VMware Cloud Foundation environment contains stretched clusters, update and
remediate the vSAN witness host.


Prerequisites

Download the ESXi ISO that matches the version listed in the Bill of Materials (BOM) section
of the VMware Cloud Foundation Release Notes.

Procedure

1 In a web browser, log in to vCenter Server at https://vcenter_server_fqdn/ui.

2 Upload the ESXi ISO image file to vSphere Lifecycle Manager.

a Click Menu > Lifecycle Manager.

b Click the Imported ISOs tab.

c Click Import ISO and then click Browse.

d Navigate to the ESXi ISO file you downloaded and click Open.

e After the file is imported, click Close.

3 Create a baseline for the ESXi image.

a On the Imported ISOs tab, select the ISO file that you imported, and click New baseline.

b Enter a name for the baseline and specify the Content Type as Upgrade.

c Click Next.

d Select the ISO file you had imported and click Next.

e Review the details and click Finish.

4 Attach the baseline to the vSAN witness host.

a Click Menu > Hosts and Clusters.

b In the Inventory panel, click vCenter > Datacenter.

c Select the vSAN witness host and click the Updates tab.

d Under Attached Baselines, click Attach > Attach Baseline or Baseline Group.

e Select the baseline that you had created in step 3 and click Attach.

f Click Check Compliance.

After the compliance check is completed, the Status column for the baseline is displayed
as Non-Compliant.

5 Remediate the vSAN witness host and update the ESXi hosts that it contains.

a Right-click the vSAN witness and click Maintenance Mode > Enter Maintenance Mode.

b Click OK.

c Click the Updates tab.

d Select the baseline that you had created in step 3 and click Remediate.

e In the End user license agreement dialog box, select the check box and click OK.

f In the Remediate dialog box, select the vSAN witness host, and click Remediate.

The remediation process might take several minutes. After the remediation is completed,
the Status column for the baseline is displayed as Compliant.

g Right-click the vSAN witness host and click Maintenance Mode > Exit Maintenance Mode.

h Click OK.

Upgrade vSphere Distributed Switch versions


[Optional] Upgrade the distributed switch to take advantage of features that are available only in
the later versions.

Prerequisites

ESXi and vCenter Upgrades are completed.

Procedure

1 On the vSphere Client Home page, click Networking and navigate to the distributed switch.

2 Right-click the distributed switch and select Upgrade > Upgrade Distributed Switch.

3 Select the vSphere Distributed Switch version that you want to upgrade the switch to and
click Next.

Results

The vSphere Distributed Switch is successfully upgraded.

Upgrade vSAN on-disk format versions


[Optional] Upgrade the vSAN on-disk format version to take advantage of features that are
available only in the later versions.

n The upgrade may cause temporary resynchronization traffic and use additional space by
moving data or rebuilding object components to a new data structure.

Prerequisites

n ESXi and vCenter upgrades are completed.

n Verify that the disks are in a healthy state. Navigate to the Disk Management page to verify
the object status.

n Verify that your hosts are not in maintenance mode. When upgrading the disk format, do not
place the hosts in maintenance mode.

n Verify that there are no component rebuilding tasks currently in progress in the vSAN cluster.
For information about vSAN resynchronization, see vSphere Monitoring and Performance.

Procedure

1 Navigate to the vSAN cluster.

2 Click the Configure tab.

3 Under vSAN, select Disk Management.

4 Click Pre-check Upgrade. The upgrade pre-check analyzes the cluster to uncover any issues
that might prevent a successful upgrade. Some of the items checked are host status, disk
status, network status, and object status. Upgrade issues are displayed in the Disk pre-check
status text box.

5 Click Upgrade.

6 Click Yes on the Upgrade dialog box to perform the upgrade of the on-disk format.

Results

vSAN successfully upgrades the on-disk format. The On-disk Format Version column displays the
disk format version of the storage devices in the cluster.

Update License Keys for a Workload Domain


If upgrading from a VMware Cloud Foundation version prior to 5.0, you need to update your
license keys to support vSAN 8.x and vSphere 8.x.

You first add the new component license key to SDDC Manager. This must be done once per
license instance. You then apply the license key to the component on a per workload domain
basis.

Prerequisites

You need a new license key for vSAN 8.x and vSphere 8.x. Prior to VMware Cloud Foundation
5.1.1, you must add and update the component license key for each upgraded component in the
SDDC Manager UI as described below.

With VMware Cloud Foundation 5.1.1 and later, you can add a component license key as
described below, or add a solution license key in the vSphere Client. See Managing vSphere
Licenses for information about using a solution license key for VMware ESXi and vCenter Server.
If you are using a solution license key, you must also add a VMware vSAN license key for vSAN
clusters. See Configure License Settings for a vSAN Cluster.

Procedure

1 Add a new component license key to the SDDC Manager inventory.

a In the navigation pane, click Administration > Licensing.

b On the Licensing page, click + License Key.

c Select a product from the drop-down menu.

d Enter the license key.

e Enter a description for the license key.

f Click Add.

g Repeat for each license key to be added.

2 Update a license key for a workload domain component.

a In the navigation pane, click Inventory > Workload Domains.

b On the Workload Domains page, click the domain you are upgrading.

c On the Summary tab, expand the red error banner, and click Update Licenses.

d On the Update Licenses page, click Next.

e Select the products to update and click Next.

f For each product, select a new license key from the list, select the entity to which the
license key should be applied, and click Next.

g On the Review pane, review each license key and click Submit.

The new license keys will be applied to the workload domain. Monitor the task in the
Tasks pane in SDDC Manager.

Independent SDDC Manager Upgrade using the SDDC Manager UI

Once SDDC Manager is upgraded to 5.2 or later, new functionality is introduced that allows you
to get the latest SDDC Manager features and security fixes without having to upgrade the entire
VMware Cloud Foundation BOM. An independent SDDC Manager release includes a fourth digit
in its version number, for example SDDC Manager 5.2.0.1.

You can upgrade SDDC Manager without upgrading the full VCF BOM when:

n The target version of SDDC Manager is compatible with all the BOM product versions running
in your current environment (management and workload domains).

n There is a supported upgrade path from your current SDDC Manager version to the target
SDDC Manager version.

Note You can use the SDDC Manager upgrade functionality to upgrade SDDC Manager even
when the target version of SDDC Manager is part of a full VCF BOM release, as long as it is
compatible.

Updating SDDC Manager without upgrading the full VCF BOM does not change the version of
the management domain.

Prerequisites

n Download the SDDC Manager bundle. See Downloading VMware Cloud Foundation Upgrade
Bundles.

n SDDC Manager must be version 5.2 or later.

Procedure

1 In the navigation pane, browse to Lifecycle Management > SDDC Manager.

The UI displays available SDDC Manager updates that are either SDDC Manager only updates
or SDDC Manager updates that are part of a full VCF BOM update.

2 Review and address any compatibility warnings.

3 Click Run Precheck.

Resolve any precheck issues before proceeding.

4 Schedule the update to run now or at a specific time and click Start Update.

When the update completes successfully, you are logged out of the SDDC Manager UI and
must log in again.

Flexible BOM Upgrade in VMware Cloud Foundation


Once SDDC Manager is upgraded to version 5.2 or later, new functionality is introduced to
the upgrade planner that allows you to select specific target versions for each VMware Cloud
Foundation component you want to upgrade.

You can use the upgrade planner to select any supported version for each of the VMware Cloud
Foundation BOM components. This includes async patch versions as well as VCF BOM versions.

To plan an upgrade when SDDC Manager does not have internet access, see Offline Download of
Flexible BOM Upgrade Bundles.

Prerequisites

n Download the bundles for the target versions of each VCF component. See Downloading
VMware Cloud Foundation Upgrade Bundles.

n SDDC Manager must be version 5.2 or later.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, click the domain you are upgrading and then click the
Updates tab.

3 Click Precheck to run the upgrade precheck.

Resolve any issues before proceeding with an upgrade.

4 In the Available Updates section, click Plan Upgrade to create a new upgrade plan, or select
Edit Upgrade Plan from the Actions menu to modify an existing upgrade plan.

5 Select the target version of VMware Cloud Foundation and VxRail Manager from the drop-
down menu and click Next.

6 Click Customize Upgrade to select specific target versions for each VCF BOM component.

7 Use the drop-down menus in the Target Version column to select a target version for each
component and then click Validate Selection.

8 After validation succeeds, click Confirm.

9 Review the update sequence based on your target version selections and click Done.

10 In the Available Updates screen, click Schedule Update or Update Now to update the first
component.

Continue to update the VCF BOM components until they are all updated.

Note If SDDC Manager does not have internet access, you need to perform additional steps
before you can start updating. See Offline Download of Flexible BOM Upgrade Bundles.

Patching the Management and Workload Domains


Once SDDC Manager is upgraded to 5.2 or later, a new option for patching VMware Cloud
Foundation components is available in the SDDC Manager UI.

The patch planner provides the ability to apply async patches to workload domain components.
If you are connected to the online depot, async patches are available in the patch planner. If
you do not have access to the online depot, use the Bundle Transfer Utility to download async
patches and add them to an offline depot or upload them directly to SDDC Manager.

Prerequisites

n Download the async patch bundles. See Downloading VMware Cloud Foundation Upgrade
Bundles.

n SDDC Manager must be version 5.2 or later. See Apply the VMware Cloud Foundation 5.2.x
Upgrade Bundle.

Procedure

1 In the navigation pane, click Inventory > Workload Domains.

2 On the Workload Domains page, click the domain you are patching and then click the
Updates tab.

3 Click Precheck to run the upgrade precheck.

Resolve any issues before proceeding with an upgrade.

4 In the Available Updates section, click Plan Patching to create a new patching plan, or select
Edit Patching Plan from the Actions menu to modify an existing patching plan.

Note You cannot plan patching if you have an existing upgrade plan. Cancel the upgrade
plan to create a patching plan.

5 Select the components to patch and the target versions and then click Validate Selection.

Note When you select a target vCenter version, the UI indicates which versions support
vCenter Reduced Downtime Upgrade (RDU).

6 After validation succeeds, click Confirm.

7 Review the update sequence based on your target version selections and click Done.

8 In the Available Updates screen, click Schedule Update or Update Now to update the first
component.

Continue to update the VCF BOM components until they are all updated.

Troubleshooting for Upgrading VMware Cloud Foundation


A library of troubleshooting processes that may be referenced during the VMware Cloud
Foundation upgrade as appropriate.

SDDC Manager Troubleshooting


A library of SDDC Manager troubleshooting processes that may be referenced during upgrade as
appropriate.

On-demand pre-checks for vCenter bundle might fail


The bundle pre-check fails in one specific scenario: SDDC Manager has been upgraded from
VMware Cloud Foundation 4.5.x to 5.0.0.x, the BOM components have not yet been upgraded to
VMware Cloud Foundation 5.0.0.x, and the customer downloads the bundles for VMware Cloud
Foundation 5.1.0.0 and runs the pre-check with 5.1.0.0 selected as the target version.

The format of the vCenter Server bundle is modified starting from VMware Cloud Foundation 5.1.
The new bundle is a unified bundle that bundles both the .iso and .zip files for the Target vCenter
Server build. This unified bundle can be used for both major and minor vCenter Server upgrades.
The SDDC Manager needs to be at least at the 5.1 version to understand the new format and run
the prechecks. As VMware Cloud Foundation 5.0.0.0 does not understand the format, the bundle
pre-check will fail.

Error Message: Upgrade Bundle Validation

Procedure

u Upgrade the SDDC Manager to VMware Cloud Foundation 5.1.0.0 and run the on-demand
prechecks for vCenter Server in VMware Cloud Foundation 5.1.0.0.

Results

https://kb.vmware.com/s/article/94862

SDDC Manager bundle pre-check failure when upgrading to VMware Cloud Foundation 5.1

SDDC Manager Pre-check fails

Problem

SDDC Manager Pre-check "Upgrade Bundle Download Status" fails with an error

n "Could not find bundle for SDDC_MANAGER upgrade to version 5.1.0.0-<build_number>".

Cause

From VMware Cloud Foundation 5.1 onwards, we are deprecating the Config Drift bundle.
However, the previously released VCF versions expect that a config drift bundle will be applied
as part of a target release and hence indicate this as a pre-check failure.

Solution

This pre-check failure can be ignored for VCF 5.1+, and it is safe to proceed with the upgrade
despite this bundle pre-check failure.

Example

https://kb.vmware.com/s/article/94271

Extra RPM packages on SDDC Manager may cause upgrade failure


SDDC Manager upgrade may fail if some RPMs on the current SDDC Manager are incompatible
with those on the upgraded SDDC Manager. In /var/log/vmware/capengine/cap-update/install-*,

This is unlikely for customers who have started in a greenfield environment in VMware Cloud
Foundation 4.x and have not performed any modifications to the SDDC Manager. This has
only been seen so far on environments in which the customer has started on VMware Cloud
Foundation 3.x.

Problem

You may see a message like:

n package systemd-udev-247.13-4.ph4.x86_64 requires libsystemd-shared-247.so()(64bit), but none of the providers can be installed.

n package systemd-247.13-4.ph4.x86_64 requires libcrypto.so.3()(64bit), but none of the providers can be installed.

n package rpm-4.16.1.3-17.ph4.x86_64 requires libcrypto.so.3()(64bit), but none of the providers can be installed.

Cause

RPMs may have been left behind by previous upgrades or greenfield deployments, or a user has
implicitly or explicitly installed RPMs that prevent the upgrade.

Procedure

The workaround is to uninstall RPMs that are causing this upgrade conflict manually.

Example

https://kb.vmware.com/s/article/95047

False warning for missing compatibility data in plan upgrade wizard


When no compatibility data is missing, an incorrect warning message is displayed.

Problem

A warning message with an empty product list appears in the plan upgrade wizard:

n "Unable to verify the compatibility for the following product versions. Please check the
product documentation before proceeding to upgrade:"

Solution

Users can ignore the warning; it does not block the upgrade.

Example

https://kb.vmware.com/s/article/95409

Updating licenses for a WLD shows insufficient license error


When the 'Update Licenses' operation is performed for a workload domain, in certain cases an
incorrect quantity of licenses is shown in the 'Available quantity' field.

Problem

This is due to a miscalculation of the number of available licenses. Along with the incorrect
quantity, an error alert might also be displayed:

n 'License key has insufficient license.'

Cause

A miscalculation in the code for the number of available licenses is causing the error alert to
appear.

Solution

The users can simply choose to ignore the incorrect license count in the 'Available quantity' field
when assigning the license. Also, the error alert should be ignored as it does not prohibit the user
from moving forward. Users can proceed with the addition of a license even with the error alert.
If there are sufficient licenses available, the operation will succeed.

Example

https://kb.vmware.com/s/article/95128

vCenter Troubleshooting

A library of vCenter troubleshooting processes that may be referenced during upgrade as
appropriate.

vCenter Server Upgrade Failed Due to Reuse of Temporary IP Address


The vCenter Server upgrade fails due to reuse of a temporary IP address, with the error "Cannot run the
revert networking command. revert_networking.py doesn't exist on target VC" or "VC upgrade is
failing during Install-"target vc upgrade precheck stage failing".

Reuse of a temporary IP address causes an ARP cache issue. Reset the ARP cache on the
management domain vCenter Server.

Customers who have fewer temporary IP addresses than vCenter Servers undergoing a parallel
upgrade have the highest likelihood of impact.

Procedure

1 SSH to the management domain vCenter Server as root.

2 Run the following command to flush the ARP (neighbor) cache:

ip -s -s neigh flush all

28 Shutdown and Startup of VMware Cloud Foundation

Shutting down VMware Cloud Foundation, for example, during hardware or power maintenance,
and then starting it up must be done in a way that prevents data loss or appliance malfunction,
and supports collection of troubleshooting data.

You follow a strict order and steps for shutdown and startup of the VMware Cloud Foundation
management components.

Read the following topics next:

n Shutting Down VMware Cloud Foundation

n Starting Up VMware Cloud Foundation

Shutting Down VMware Cloud Foundation


To avoid data loss and keep the SDDC components operational, you follow a specific order
when shutting down the management virtual machines in VMware Cloud Foundation.

You shut down the customer workloads and the management components for the VI workload
domains before you shut down the components for the management domain.
If the VMware NSX® Manager™ cluster and VMware NSX® Edge™ cluster are shared with other
VI workload domains, shut down the NSX Manager and NSX Edge clusters as part of the
shutdown of the first VI workload domain.

Prerequisites

n Verify that you have complete backups of all management components.

n Verify that the management virtual machines are not running on snapshots.

n If a vSphere Storage APIs for Data Protection (VADP) based backup solution is running on
the management clusters, verify that the solution is properly shut down by following the
vendor guidance.

n To reduce the startup time before you shut down the management virtual machines, migrate
the VMware vCenter Server® instance for the management domain to the first VMware
ESXi™ host in the default management cluster in the management domain.

n Shut Down a Virtual Infrastructure Workload Domain
You shut down the components of a VI workload domain that runs virtualized workloads
in VMware Cloud Foundation in a specific order to keep components operational by
maintaining the necessary infrastructure, networking, and management services as long as
possible before shutdown.

n Shut Down a Virtual Infrastructure Workload Domain with vSphere with Tanzu
You shut down the components of a VI workload domain that runs containerized workloads
in VMware Cloud Foundation in a specific order to keep components operational by
maintaining the necessary infrastructure, networking, and management services as long as
possible before shutdown.

n Shut Down the Management Domain
You shut down the components of the management domain in VMware Cloud Foundation
in a specific order to keep components operational by maintaining the necessary
infrastructure, networking, and management services as long as possible before shutdown.

Shut Down a Virtual Infrastructure Workload Domain


You shut down the components of a VI workload domain that runs virtualized workloads in
VMware Cloud Foundation in a specific order to keep components operational by maintaining
the necessary infrastructure, networking, and management services as long as possible before
shutdown.

You shut down the management components for the VI workload domains before you shut down
the components for the management domain.

If the NSX Manager cluster and NSX Edge cluster are shared with other VI workload domains,
follow this general order:

1 Shut down the customer workloads in all VI workload domains that share the VMware
NSX® instance. Otherwise, all NSX networking services in the customer workloads will be
interrupted when you shut down NSX.

2 Shut down the VI workload domain that runs the shared NSX Edge nodes.

3 Shut down the other VI workload domains.

Shutdown Order for a VI Workload Domain


Table 28-1. Shutdown Order for a VI Workload Domain

Shutdown Order SDDC Component

1 Virtualized customer workloads

2 Site Recovery Manager for the VI workload domain

3 vSphere Replication for the VI workload domain

4 NSX Edge nodes for the VI workload domain *

5 NSX Manager nodes for the VI workload domain *

6 vSphere Cluster Services virtual machines, VxRail Manager, VMware vSAN™, and ESXi hosts in the VI
workload domain *

7 vCenter Server for the VI workload domain *

* For information on the shutdown steps, see below.

Shut Down the NSX Edge Nodes


You begin shutting down the NSX infrastructure in the management domain or in a VI workload
domain in VMware Cloud Foundation by shutting down the NSX Edge nodes that provide north-
south traffic connectivity between the physical data center networks and the NSX SDN networks.

Procedure

1 Log in to vCenter Server for the management or VI workload domain at
https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the tree of the workload domain vCenter Server and
expand the data center for the workload domain.

3 Right-click an NSX Edge virtual machine for the management domain or VI workload domain
and select Power > Shut down Guest OS.

4 In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

5 Repeat the steps for the remaining NSX Edge nodes for the domain.

Shut Down the NSX Manager Nodes


You continue shutting down the NSX infrastructure for the management domain or for a VI
workload domain by shutting down the three-node NSX Manager cluster by using the vSphere
Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui
as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Right-click the primary NSX Manager virtual machine and select Power > Shut down Guest
OS.

4 In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

5 Repeat the steps for the remaining NSX Manager virtual machines.

Shut Down vSphere Cluster Services Virtual Machines, VxRail Manager, VMware vSAN, and ESXi Hosts

To shut down the vSphere Cluster Services (vCLS) virtual machines, VxRail Manager, VMware
vSAN, and ESXi hosts in a workload domain cluster, you use the VxRail plugin in the vSphere
Client.

Procedure

1 Log in to vCenter Server for the management or VI workload domain at
https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the Hosts and Clusters inventory, expand the tree of the workload domain vCenter Server
and expand the data center for the workload domain.

3 Right-click a cluster, select VxRail-Shutdown, and follow the prompts to shut down the
cluster.

4 Repeat these steps for all clusters in the workload domain.

5 Verify that all ESXi hosts are shut down.

Shut Down vCenter Server for a Virtual Infrastructure Workload Domain


To shut down the vCenter Server instance for a VI workload domain in VMware Cloud
Foundation, you use the vSphere Client.

Prerequisites

Verify that all ESXi hosts in all clusters are stopped and are disconnected.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui
as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Shut down vCenter Server.

a Locate the vCenter Server virtual machine for the VI workload domain.

b Right-click the virtual machine and select Power > Shut down Guest OS.

c In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

Shut Down a Virtual Infrastructure Workload Domain with vSphere with Tanzu

You shut down the components of a VI workload domain that runs containerized workloads in
VMware Cloud Foundation in a specific order to keep components operational by maintaining
the necessary infrastructure, networking, and management services as long as possible before
shutdown.

You shut down the management components for the VI workload domains that run vSphere with
Tanzu and containers or that run virtualized workloads before you shut down the components for
the management domain.

If the NSX Manager cluster and NSX Edge cluster are shared with other VI workload domains,
follow this general order:

1 Shut down the customer workloads in all VI workload domains that share the NSX instance.
Otherwise, all NSX networking services in the customer workloads will be interrupted when
you shut down NSX.

2 Shut down the VI workload domain that runs the shared NSX Edge nodes.

3 Shut down the other VI workload domains.

Shutdown Order for a VI Workload Domain with vSphere with Tanzu


Table 28-2. Shutdown Order for a VI Workload Domain with vSphere with Tanzu

Shutdown Order SDDC Component

1 Containerized customer workloads

2 Find out the location of the vSphere with Tanzu virtual machines *

3 vSphere Cluster Services virtual machines in the VI workload domain *

4 vCenter Server for the VI workload domain *

5 Supervisor Cluster Control Plane virtual machines

6 Tanzu Kubernetes cluster control plane virtual machines

7 Tanzu Kubernetes cluster worker virtual machines

8 Harbor virtual machines

9 NSX Edge nodes in the VI workload domain *

10 NSX Manager nodes for the VI workload domain *

11 VxRail Manager *

12 vSAN and ESXi hosts in the VI workload domain *

* For information on the shutdown steps, see below.

Find Out the Location of the vSphere with Tanzu Virtual Machines on the ESXi Hosts

Before you begin shutting down a VI workload domain with vSphere with Tanzu, you get a
mapping between virtual machines in the workload domain and the ESXi hosts on which they
are deployed. You later use this mapping to log in to specific ESXi hosts and shut down specific
management virtual machines.

Procedure

1 Start PowerShell.

2 Connect to the VI workload domain vCenter Server by running the command.

Connect-VIServer -Server <workload_domain_vCenter_server_fqdn> -User administrator@vsphere.local -Password vsphere_admin_password

3 Generate the virtual machine to host mapping in a C:\VMToHostMapping.csv file on the
Windows machine by running the command.

Get-VM | Select Name,VMHost | Export-Csv -Path C:\VMToHostMapping.csv -NoTypeInformation

Shut Down the vSphere Cluster Services Virtual Machines


To shut down the vSphere Cluster Services (vCLS) virtual machines in a cluster in a VI workload
domain in VMware Cloud Foundation, you put the cluster in retreat mode. The retreat mode
triggers clean-up of the vCLS virtual machines.

Procedure

1 Log in to the VI workload domain vCenter Server at https://<vcenter_server_fqdn>/ui
as administrator@vsphere.local.

2 In the Hosts and clusters inventory, expand the tree of the VI workload domain vCenter
Server and expand the data center for the VI workload domain.

3 Select the cluster on which vCLS must be shut down.

4 Copy the cluster domain ID domain-c(cluster_domain_id) from the URL of the browser.

When you navigate to a cluster in the vSphere client, the URL is similar to this one:

https://<fqdn-of-vCenter-server>/ui/app/cluster;nav=h/
urn:vmomi:ClusterComputeResource:domain-c8:eef257af-fa50-455a-af7a-6899324fabe6/summary

You copy only domain-c8.

5 In the Host and Clusters inventory, select the vCenter Server instance and click the Configure
tab.

6 Under Advanced Settings, click the Edit Settings button.

7 Locate the config.vcls.clusters.domain-c(number).enabled property for the cluster domain
ID from Step 4 and set it to false.

If the property is not present, add it. Once added, the entry for the cluster cannot be deleted
from the vSphere Client, but keeping it causes no issues.

8 Click Save.

Results

The vCLS monitoring service initiates the clean-up of vCLS VMs. If vSphere DRS is activated for
the cluster, it stops working and you see an additional warning in the cluster summary. vSphere
DRS remains deactivated until vCLS is re-activated on this cluster.
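The same retreat-mode change can be made from PowerCLI instead of the vSphere Client. The script below is an added example and is not part of the VMware guide or VMware's own tooling. It reads the cluster's domain-cN ID from the inventory API instead of the browser URL (avoiding a copy error in step 4), creates the config.vcls.clusters.domain-cN.enabled property when it is absent as step 7 requires, and then waits for the vCLS virtual machines to be cleaned up before returning, so that the next shutdown step does not race the clean-up. The VMware.PowerCLI module is assumed; the vCenter FQDN, cluster name and timeout are placeholders.

```powershell
# Added example, not from the VMware guide. Requires the VMware.PowerCLI module
# and a user allowed to edit vCenter Server advanced settings.
# Placeholders: the vCenter FQDN, the cluster name and the timeout value.

function Set-VclsRetreatMode {
    param(
        [Parameter(Mandatory)][string]$ClusterName,
        [int]$TimeoutSeconds = 300
    )

    $cluster = Get-Cluster -Name $ClusterName -ErrorAction Stop

    # The managed object reference value is the "domain-cN" ID that the guide has
    # you copy from the browser URL; reading it from the API avoids a typo.
    $domainId    = $cluster.ExtensionData.MoRef.Value        # e.g. domain-c8
    $settingName = "config.vcls.clusters.$domainId.enabled"

    # vCenter Server advanced settings are stored on the connected server object.
    $vc       = $global:DefaultVIServer
    $existing = Get-AdvancedSetting -Entity $vc -Name $settingName -ErrorAction SilentlyContinue

    if ($null -eq $existing) {
        # Step 7 of the guide: the property does not exist until first use, so add it.
        $null = New-AdvancedSetting -Entity $vc -Name $settingName -Value 'false' -Confirm:$false
        Write-Host "Created $settingName = false"
    }
    elseif ("$($existing.Value)" -ine 'false') {
        $null = Set-AdvancedSetting -AdvancedSetting $existing -Value 'false' -Confirm:$false
        Write-Host "Set $settingName = false"
    }
    else {
        Write-Host "$settingName is already false; nothing to change"
    }

    # Retreat mode makes the vCLS monitoring service delete the vCLS VMs.
    # Poll until none remain in the cluster, or give up after the timeout.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $vcls = @(Get-VM -Location $cluster | Where-Object { $_.Name -like 'vCLS*' })
        if ($vcls.Count -eq 0) {
            Write-Host "All vCLS VMs removed from cluster $ClusterName ($domainId)"
            return $true
        }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)

    Write-Warning ("vCLS VMs still present after {0}s: {1}" -f $TimeoutSeconds, ($vcls.Name -join ', '))
    return $false
}

# Usage (placeholder values):
# Connect-VIServer -Server 'wld01-vc.example.com' -Credential (Get-Credential)
# Set-VclsRetreatMode -ClusterName 'wld01-cluster01'
```

The function returns $true only once no vCLS virtual machine is left in the cluster, so a wrapper script can stop at this point rather than continue to the vCenter Server shutdown with vCLS VMs still running. The same warning about vSphere DRS applies: it stays deactivated on the cluster until the property is set back to true.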

Shut Down vCenter Server for a Virtual Infrastructure Workload Domain with vSphere with Tanzu

To shut down the vCenter Server instance for a VI workload domain with vSphere with Tanzu in
VMware Cloud Foundation, you use the vSphere Client. You stop the Kubernetes services and
check the vSAN health status.

Procedure

1 Shut down the Kubernetes services on the workload domain vCenter Server.

a Log in to vCenter Server as root by using a Secure Shell (SSH) client.

b To switch to the Bash shell, run the shell command.

c Stop the Kubernetes services by running the command.

vmon-cli -k wcp

d Verify the Kubernetes services status by running the command.

vmon-cli -s wcp

The output must contain RunState: STOPPED.

2 Log in to the VI workload domain vCenter Server at https://<vcenter_server_fqdn>/ui
as administrator@vsphere.local.

3 Verify the vSAN health and resynchronization status.

a Select the vSAN cluster and click the Monitor tab.

b In the left pane, navigate to vSAN > Skyline health, and verify the status of each vSAN
health check category under Health findings and that the cluster health score is 100%.

c In the left pane, under vSAN > Resyncing objects, verify that all synchronization tasks are
complete.

4 If a vSAN cluster in the workload domain has vSphere HA turned on, stop vSphere HA to
avoid vSphere HA initiated migrations of virtual machines after vSAN is partitioned during the
shutdown process.

a Select the vSAN cluster and click the Configure tab.

b In the left pane, select Services > vSphere Availability and click the Edit button.

c In the Edit Cluster Settings dialog box, turn off vSphere HA and click OK.

This operation takes several minutes to complete.

5 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

6 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

7 Shut down vCenter Server.

a Locate the vCenter Server virtual machine for the VI workload domain.

b Right-click the virtual machine and select Power > Shut down Guest OS.

c In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

Shut Down the NSX Edge Nodes for vSphere with Tanzu
You begin shutting down the NSX infrastructure in a VI workload domain with vSphere with
Tanzu by shutting down the NSX Edge nodes that provide north-south traffic connectivity
between the physical data center networks and the NSX SDN networks.

Because the vCenter Server instance for the domain is already down, you shut down the NSX
Edge nodes from the ESXi hosts where they are running.

Procedure

1 Log in to the ESXi host that runs the first NSX Edge node as root by using the VMware Host
Client.

2 In the navigation pane, click Virtual machines.

3 Right-click an NSX Edge virtual machine and select Guest OS > Shut down.

4 In the confirmation dialog box, click Yes.

5 Repeat these steps to shut down the remaining NSX Edge nodes for the VI workload domain
with vSphere with Tanzu.

Shut Down the NSX Manager Nodes


You continue shutting down the NSX infrastructure for the management domain or for a VI
workload domain by shutting down the three-node NSX Manager cluster by using the vSphere
Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Right-click the primary NSX manager virtual machine and select Power > Shut down Guest
OS.

4 In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

5 Repeat the steps for the remaining NSX Manager virtual machines.

Shut Down the VxRail Manager Virtual Machine in a VI Workload Domain with
vSphere with Tanzu
Because the vCenter Server instance for the VI workload domain is already down, you shut down
the VxRail Manager virtual machine from the ESXi host on which it is running.

Procedure

1 Using the VMware Host Client, log in as root to the ESXi host that runs the VxRail Manager
virtual machine.

2 In the navigation pane, click Virtual machines.

3 Right-click the VxRail Manager virtual machine and select Guest OS > Shut down.

4 In the confirmation dialog box, click Yes.

Shut Down vSAN and the ESXi Hosts in a Virtual Infrastructure Workload
Domain with vSphere with Tanzu
You shut down vSAN and the ESXi hosts in a VI workload domain with vSphere with Tanzu
by preparing the vSAN cluster for shutdown, placing each ESXi host in maintenance mode to
prevent any virtual machines being deployed to or starting up on the host, and shutting down the
host.

In a VI workload domain with vSphere with Tanzu, the vCenter Server instance for the domain
is already down. Hence, you perform the shutdown operation on the ESXi hosts by using the
VMware Host Client.

Procedure

1 Turn on SSH on the ESXi hosts in the workload domain by using the SoS utility of the SDDC
Manager appliance.

a Log in to the SDDC Manager appliance by using a Secure Shell (SSH) client as vcf.

b Switch to the root user by running the su command and entering the root password.

c Run this command.

/opt/vmware/sddc-support/sos --enable-ssh-esxi --domain domain-name

2 Log in to the first ESXi host in the workload domain cluster by using a Secure Shell (SSH)
client as root.

3 For a vSAN cluster, deactivate vSAN cluster member updates by running the command.

esxcfg-advcfg -s 1 /VSAN/IgnoreClusterMemberListUpdates

The command returns Value of IgnoreClusterMemberListUpdates is 1

4 Repeat Step 2 and Step 3 on the remaining hosts in the cluster.

5 On the first ESXi host per vSAN cluster, prepare the vSAN cluster for shutdown by running
the command.

python /usr/lib/vmware/vsan/bin/reboot_helper.py prepare

The command returns Cluster preparation is done!

6 Place the ESXi host in maintenance mode by running the command.

esxcli system maintenanceMode set -e true -m noAction

Ensure the prompt comes back after the command is complete.

7 Verify that the host is in maintenance mode.

esxcli system maintenanceMode get

8 Repeat Step 6 and Step 7 on the remaining hosts in the workload domain cluster.

9 Shut down the ESXi hosts in the workload domain cluster.

a Log in to the first ESXi host for the cluster at https://<esxi_host_fqdn>/ui as root.

b In the navigation pane, right-click Host and, from the drop-down menu, select Shut down.

c In the confirmation dialog box, click Shut down.

d Repeat the steps for the remaining hosts in the cluster.

Shut Down the Management Domain


You shut down the components of the management domain in VMware Cloud Foundation in
a specific order to keep components operational by maintaining the necessary infrastructure,
networking, and management services as long as possible before shutdown.

After you shut down the components in all VI workload domains, you begin shutting down the
management domain.

Shutdown Order for the Management Domain

Note If your VMware Cloud Foundation instance is deployed with the consolidated architecture,
shut down any customer workloads or additional virtual machines in the management domain
before you proceed with the shutdown order of the management components.

You shut down Site Recovery Manager and vSphere Replication after you shut down the
management components that can be failed over between the VMware Cloud Foundation
instances. You also shut Site Recovery Manager and vSphere Replication down as late as
possible to have the management virtual machines protected as long as possible if a disaster
event occurs. The virtual machines in the paired VMware Cloud Foundation instance become
unprotected after you shut down Site Recovery Manager and vSphere Replication in the current
VMware Cloud Foundation instance.

You shut down VMware Aria Operations for Logs as late as possible to collect as much log data as possible for potential troubleshooting. You shut down the Workspace ONE Access™ instances after the management components to which they provide identity and access management services.

Table 28-3. Shutdown Order for the Management Domain

Shutdown Order SDDC Component

1 VMware Aria Automation cluster

2 VMware Aria Operations cluster and remote collectors

3 Clustered Workspace ONE Access *

4 VMware Aria Suite Lifecycle™*

5 Site Recovery Manager for the management domain

6 vSphere Replication for the management domain

7 VMware Aria Operations for Logs cluster

8 NSX Edge nodes for the management domain *

9 NSX Manager nodes for the management domain *

Table 28-3. Shutdown Order for the Management Domain (continued)

Shutdown Order SDDC Component

10 SDDC Manager *

11 VxRail Manager *

12 vSphere Cluster Services virtual machines in the management domain *

13 vCenter Server for the management domain *

14 Management ESXi hosts and vSAN *

15 n External services, such as DNS, NTP and DHCP servers, that are hosted on an external location
n Physical infrastructure, such as network switches.

* For information on the shutdown steps, see below.

Save the Credentials for the ESXi Hosts and vCenter Server for the Management
Domain
Before you shut down the management domain, get the credentials for the management domain
hosts and vCenter Server from SDDC Manager and save them. You need these credentials to
shut down the ESXi hosts and then to start them and vCenter Server back up. Because SDDC
Manager is down during each of these operations, you must save the credentials in advance.

To get the credentials, log in to the SDDC Manager appliance by using a Secure Shell (SSH) client
as vcf and run the lookup_passwords command.

Shutting Down a Management Domain with Infrastructure Services VMs


If the management domain contains virtual machines that are running infrastructure services like
Active Directory, NTP, DNS and DHCP servers, follow the shutdown order for VMware Cloud
Foundation 4.4.

Shut Down the Clustered Workspace ONE Access Virtual Machines


Use the VMware Aria Suite Lifecycle user interface to shut down the Workspace ONE Access three-node cluster that provides identity and access management services to management components that are available across VMware Cloud Foundation instances.

Procedure

1 Log in to VMware Aria Suite Lifecycle at https://<aria_suite_lifecycle_fqdn> as vcfadmin@local.

2 On the My services page, click Lifecycle operations.

3 In the navigation pane, click Environments.

4 On the Environments page, on the globalenvironment card, click View details.

5 In the VMware Identity Manager section, click the horizontal ellipsis icon and select Power
off.

6 In the Power off VMware Identity Manager dialog box, click Submit.

7 On the Requests page, ensure that the request completes successfully.

Shut Down the VMware Aria Suite Lifecycle Virtual Machine


Shut down the VMware Aria Suite Lifecycle virtual machine in the management domain of
VMware Cloud Foundation from the vSphere Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Right-click the VMware Aria Suite Lifecycle virtual machine and select Power > Shut down
Guest OS.

4 In the confirmation dialog box, click Yes.

Shut Down the NSX Edge Nodes


You begin shutting down the NSX infrastructure in the management domain or in a VI workload domain in VMware Cloud Foundation by shutting down the NSX Edge nodes that provide north-south traffic connectivity between the physical data center networks and the NSX SDN networks.

Procedure

1 Log in to vCenter Server for the management or VI workload domain at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the workload domain vCenter Server tree and expand the data center for the workload domain.

3 Right-click an NSX Edge virtual machine for the management domain or VI workload domain
and select Power > Shut down Guest OS.

4 In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

5 Repeat the steps for the remaining NSX Edge nodes for the domain.

Shut Down the NSX Manager Nodes


You continue shutting down the NSX infrastructure for the management domain or for a VI
workload domain by shutting down the three-node NSX Manager cluster by using the vSphere
Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Right-click the primary NSX manager virtual machine and select Power > Shut down Guest
OS.

4 In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

5 Repeat the steps for the remaining NSX Manager virtual machines.

Shut Down the SDDC Manager Virtual Machine


Shut down the SDDC Manager virtual machine in the management domain by using the vSphere
Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Expand the Management VMs folder.

4 Right-click the SDDC Manager virtual machine and click Power > Shut down Guest OS.

5 In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

Shut Down the VxRail Manager Virtual Machine in the Management Domain
Shut down the VxRail Manager virtual machine in the management domain by using the vSphere
Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Expand the Management VMs folder.

4 Right-click the VxRail Manager virtual machine and click Power > Shut down Guest OS.

5 In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

Shut Down the Skyline Health Diagnostics Virtual Machine


Shut down the Skyline Health Diagnostics virtual machine in the management domain of VMware
Cloud Foundation from the vSphere Client.

Procedure

1 Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Right-click the Skyline Health Diagnostics virtual machine and select Power > Shut down Guest OS.

4 In the confirmation dialog box, click Yes.

Shut Down the vSphere Cluster Services Virtual Machines


To shut down the vSphere Cluster Services (vCLS) virtual machines in a cluster in a VI workload
domain in VMware Cloud Foundation, you put the cluster in retreat mode. The retreat mode
triggers clean-up of the vCLS virtual machines.

Procedure

1 Log in to the VI workload domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the Hosts and clusters inventory, expand the tree of the VI workload domain vCenter
Server and expand the data center for the VI workload domain.

3 Select the cluster on which vCLS must be shut down.

4 Copy the cluster domain ID domain-c(cluster_domain_id) from the URL of the browser.

When you navigate to a cluster in the vSphere Client, the URL is similar to this one:

https://<fqdn-of-vCenter-server>/ui/app/cluster;nav=h/urn:vmomi:ClusterComputeResource:domain-c8:eef257af-fa50-455a-af7a-6899324fabe6/summary

You copy only domain-c8.

5 In the Host and Clusters inventory, select the vCenter Server instance and click the Configure
tab.

6 Under Advanced Settings, click the Edit Settings button.

7 Locate the config.vcls.clusters.domain-c(number).enabled property for the domain cluster ID from Step 4 and set it to false.

If the property is not present, add it. Once added, the entry for the cluster cannot be deleted from the vSphere Client, but leaving it in place is not an issue.

8 Click Save.

Results

The vCLS monitoring service initiates the clean-up of vCLS VMs. If vSphere DRS is activated for
the cluster, it stops working and you see an additional warning in the cluster summary. vSphere
DRS remains deactivated until vCLS is re-activated on this cluster.

Shut Down the vCenter Server Instance in the Management Domain


You check the vSAN cluster health and shut down the vCenter Server virtual machine from the
first management ESXi host by using the VMware Host Client.

To shut down the management domain vCenter Server, it must be running on the first
management ESXi host in the default management cluster.

Caution Before you shut down vCenter Server, migrate any virtual machines that are running
infrastructure services like Active Directory, NTP, DNS and DHCP servers in the management
domain to the first management host by using the vSphere Client. You can shut them down from
the first ESXi host after you shut down vCenter Server.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the Hosts and clusters inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Set the vSphere DRS automation level of the management cluster to manual to prevent
vSphere HA migrating the vCenter Server appliance.

a Select the default management cluster and click the Configure tab.

b In the left pane, select Services > vSphere DRS and click Edit.

c In the Edit cluster settings dialog box, click the Automation tab, and, from the drop-down menu in the Automation level section, select Manual.

d Click OK.

4 If the management domain vCenter Server is not running on the first ESXi host in the default
management cluster, migrate it there.

5 Verify the vSAN health and resynchronization status.

a Select the default management cluster and click the Monitor tab.

b In the left pane, under vSAN > Resyncing objects, verify that all synchronization tasks are
complete.

6 Stop vSphere HA to avoid vSphere HA initiated migrations of virtual machines after vSAN is
partitioned during the shutdown process.

a Select the management cluster and click the Configure tab.

b In the left pane, select Services > vSphere Availability and click the Edit button.

c In the Edit Cluster Settings dialog box, deactivate vSphere HA and click OK.

This operation takes several minutes to complete.

7 Log in to the first management ESXi host at https://<first_esxi_host_fqdn>/ui as root by using the VMware Host Client.

8 In the navigation pane, click Virtual machines.

9 Right-click the management domain vCenter Server and select Guest OS > Shut down.

10 In the confirmation dialog box, click Yes.

Shut Down vSAN and the ESXi Hosts in a Virtual Infrastructure Workload
Domain with vSphere with Tanzu
You shut down vSAN and the ESXi hosts in a VI workload domain with vSphere with Tanzu
by preparing the vSAN cluster for shutdown, placing each ESXi host in maintenance mode to
prevent any virtual machines being deployed to or starting up on the host, and shutting down the
host.

In a VI workload domain with vSphere with Tanzu, the vCenter Server instance for the domain
is already down. Hence, you perform the shutdown operation on the ESXi hosts by using the
VMware Host Client.

Procedure

1 Turn on SSH on the ESXi hosts in the workload domain by using the SoS utility of the SDDC
Manager appliance.

a Log in to the SDDC Manager appliance by using a Secure Shell (SSH) client as vcf.

b Switch to the root user by running the su command and entering the root password.

c Run this command.

/opt/vmware/sddc-support/sos --enable-ssh-esxi --domain domain-name

2 Log in to the first ESXi host in the workload domain cluster by using a Secure Shell (SSH)
client as root.

3 For a vSAN cluster, deactivate vSAN cluster member updates by running the command.

esxcfg-advcfg -s 1 /VSAN/IgnoreClusterMemberListUpdates

The command returns Value of IgnoreClusterMemberListUpdates is 1

4 Repeat Step 2 and Step 3 on the remaining hosts in the cluster.

5 On the first ESXi host per vSAN cluster, prepare the vSAN cluster for shutdown by running
the command.

python /usr/lib/vmware/vsan/bin/reboot_helper.py prepare

The command returns Cluster preparation is done!

6 Place the ESXi host in maintenance mode by running the command.

esxcli system maintenanceMode set -e true -m noAction

Ensure the prompt comes back after the command is complete.

7 Verify that the host is in maintenance mode.

esxcli system maintenanceMode get

8 Repeat Step 6 and Step 7 on the remaining hosts in the workload domain cluster.

9 Shut down the ESXi hosts in the workload domain cluster.

a Log in to the first ESXi host for the cluster at https://<esxi_host_fqdn>/ui as root.

b In the navigation pane, right-click Host and, from the drop-down menu, select Shut down.

c In the confirmation dialog box, click Shut down.

d Repeat the steps for the remaining hosts in the cluster.
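Steps 3 to 9 of this procedure are run host by host and each step prints a value you must check before moving on. The following shell script, an added example that is not part of this guide, of VMware Cloud Foundation or of VxRail, drives that host-side sequence from an administration workstation for both copies of this topic (the VI workload domain with vSphere with Tanzu above and this one). It assumes SSH was enabled on the hosts with the SoS utility in Step 1 and that root can log in over SSH with a key or cached password. The ESX_RUN variable is a hypothetical hook, not an ESXi or VCF setting: when it names a shell function, commands go through that function instead of ssh, which is how the script can be exercised without a lab. The final power-off uses esxcli in place of the Host Client click in Step 9.

```sh
#!/bin/sh
# Added example (not VMware or Dell code): drive Steps 3 to 9 of the vSAN and
# ESXi host shutdown, checking the output the guide expects after each command
# so the sequence stops at the first host that did not comply.
# Assumes SSH is enabled on the hosts (Step 1) and root can log in over SSH.
# ESX_RUN is a hypothetical test hook: a function name that replaces ssh.

# remote HOST CMD... : run CMD on HOST as root, through $ESX_RUN when it is set
remote() {
    _host=$1; shift
    if [ -n "${ESX_RUN:-}" ]; then
        "$ESX_RUN" "$_host" "$@"
    else
        ssh -o BatchMode=yes "root@$_host" "$@"
    fi
}

# run_expect HOST PATTERN CMD... : run CMD on HOST, require PATTERN in its output
run_expect() {
    _h=$1; _pat=$2; shift 2
    _out=$(remote "$_h" "$@") || { echo "$_h: command failed: $*" >&2; return 1; }
    case "$_out" in
        *"$_pat"*) return 0 ;;
        *) echo "$_h: expected '$_pat', got: $_out" >&2; return 1 ;;
    esac
}

# Step 3: stop the host from acting on membership changes while its peers go down
ignore_member_updates() {
    run_expect "$1" "Value of IgnoreClusterMemberListUpdates is 1" \
        esxcfg-advcfg -s 1 /VSAN/IgnoreClusterMemberListUpdates
}

# Step 5: run the vSAN reboot helper once, on the first host of the cluster
prepare_vsan_cluster() {
    run_expect "$1" "Cluster preparation is done!" \
        python /usr/lib/vmware/vsan/bin/reboot_helper.py prepare
}

# Steps 6 and 7: enter maintenance mode without evacuation, then verify it
enter_maintenance_mode() {
    remote "$1" esxcli system maintenanceMode set -e true -m noAction || return 1
    run_expect "$1" "Enabled" esxcli system maintenanceMode get
}

# Step 9, CLI form: the guide clicks Shut down in the Host Client; esxcli does
# the same and refuses unless the host is already in maintenance mode.
power_off_host() {
    remote "$1" esxcli system shutdown poweroff -r VCF-planned-shutdown
}

# shutdown_vsan_hosts FIRST_HOST [HOST...]: the whole sequence in the guide's order
shutdown_vsan_hosts() {
    [ $# -gt 0 ] || { echo "usage: shutdown_vsan_hosts host..." >&2; return 1; }
    for _h in "$@"; do ignore_member_updates "$_h" || return 1; done
    prepare_vsan_cluster "$1" || return 1
    for _h in "$@"; do enter_maintenance_mode "$_h" || return 1; done
    for _h in "$@"; do power_off_host "$_h" || return 1; done
    echo "all hosts prepared and powered off"
}

# Run only when hosts are given on the command line, so the file can be sourced.
if [ $# -gt 0 ]; then
    shutdown_vsan_hosts "$@"
fi
```

Invoke it as `sh vsan_host_shutdown.sh esx01.example.com esx02.example.com esx03.example.com`, listing the first host of the cluster first, because the reboot helper in Step 5 runs only on that host. A host that returns anything other than the value the guide documents stops the run before any host is placed in maintenance mode, which is the order of checks the procedure implies.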

Starting Up VMware Cloud Foundation


To maintain the integration between the components and avoid operational faults, you follow a specified order to start up the management virtual machines in VMware Cloud Foundation.

You start the management components for the management domain first. Then, you start the
management components for the VI workload domains and the customer workloads.

If the NSX Manager cluster and NSX Edge cluster are shared with other VI workload domains,
start the other VI workload domains first. Start up NSX Manager and NSX Edge nodes as part of
the startup of the last workload domain.

Prerequisites

n Verify that external services such as Active Directory, DNS, NTP, SMTP, and FTP or SFTP are
available.

n If a vSphere Storage APIs for Data Protection (VADP) based backup solution is deployed on
the default management cluster, verify that the solution is properly started and operational
according to the vendor guidance.

n Start the Management Domain


You start the management components for the management domain in a specific order
to provide the necessary infrastructure, networking, and management services before
powering on the components for cloud management.

n Start a Virtual Infrastructure Workload Domain


You start the management components for a VI workload domain in a specific order
to provide the necessary infrastructure, networking, and management services to the
components you start next.

n Start a Virtual Infrastructure Workload Domain with vSphere with Tanzu


You start the management components for a VI workload domain with vSphere with Tanzu
in a specific order to provide the necessary infrastructure, networking, and management
services before powering on the components for containerized workload management.

Start the Management Domain


You start the management components for the management domain in a specific order to
provide the necessary infrastructure, networking, and management services before powering
on the components for cloud management.

You start the management components for the management domain first. Then, you start the
management components for the VI workload domains and the customer workloads.

Startup Order for the Management Domain


You start the virtual infrastructure of the management domain first. Then, you start the
components providing identity and access management and life cycle management to the
relevant cloud management components.

You start VMware Aria Operations for Logs as early as possible to collect log data that helps
troubleshooting potential issues. You also start Site Recovery Manager and vSphere Replication
as early as possible to protect the management virtual machines if a disaster event occurs.

Table 28-4. Startup Order for the Management Domain

Startup Order SDDC Component

1 Management ESXi hosts and vSAN *

2 vCenter Server for the management domain *

3 vSphere Cluster Services (vCLS) virtual machines *

4 VxRail Manager *

5 SDDC Manager *

Table 28-4. Startup Order for the Management Domain (continued)

Startup Order SDDC Component

6 NSX Manager nodes for the management domain *

7 NSX Edge nodes for the management domain *

8 VMware Aria Operations for Logs cluster

9 vSphere Replication for the management domain

10 Site Recovery Manager for the management domain

11 VMware Aria Suite Lifecycle *

12 Clustered Workspace ONE Access *

13 VMware Aria Operations cluster and remote collectors

14 VMware Aria Automation cluster

* For information on the startup steps, see below.

Verify the Operational State of the Management Domain


After you start up the management domain, verify that the main functionality of the management
components is working according to the requirements. See the following documentation:

n Identity and Access Management for VMware Cloud Foundation

n Intelligent Logging and Analytics for VMware Cloud Foundation

n Intelligent Operations Management for VMware Cloud Foundation

n Private Cloud Automation for VMware Cloud Foundation

n Site Protection and Disaster Recovery for VMware Cloud Foundation

Starting a Management Domain with Infrastructure Service VMs


If the management domain contains virtual machines that are running infrastructure services
like Active Directory, NTP, DNS and DHCP servers, follow the startup order for VMware Cloud
Foundation 4.4.

Start the vSphere and vSAN Components for the Management Domain
You start the management ESXi hosts by using an out-of-band management interface, such as iLO or iDRAC, to connect to the hosts and power them on. Then, restarting the vSAN cluster automatically starts vSphere Cluster Services, vCenter Server, and vSAN.

Procedure

1 Power on the first ESXi host in the management domain.

a Log in to the first ESXi host in the management domain by using the out-of-band
management interface.

b Power on the ESXi host according to the hardware vendor guide.

2 Repeat the previous step to start all the remaining ESXi hosts in the management domain.

This operation takes several minutes to complete.

vCenter Server is started automatically. Wait until vCenter Server is running and the vSphere
Client is available again.

3 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

4 Restart the vSAN cluster.

a Right-click the vSAN cluster and select vSAN > Restart cluster.

b In the Restart dialog box, click Restart.

The vSAN Services page on the Configure tab changes to display information about the
restart process.

5 After the cluster has restarted, check the vSAN health service and resynchronization status,
and resolve any outstanding issues.

a Select the cluster and click the Monitor tab.

b In the left pane, under vSAN > Resyncing objects, verify that all synchronization tasks are
complete.

c In the left pane, navigate to vSAN > Skyline health and verify that the cluster health score
is 100%.

6 If you have added the root user of the ESXi hosts to the Exception Users list for lockdown
mode during shutdown, remove the user from the list on each host.

a Select the host in the inventory and click the Configure tab.

b In the left pane, select System > Security Profile.

c In the Lockdown Mode pane, click the Edit button.

d On the Exception Users page, from the vertical ellipsis menu in front of the root user,
select Remove User and click OK.

Start the vCenter Server Instance in the Management Domain


The management domain vCenter Server resides on the first ESXi host in the first management
cluster. You log in to this ESXi host by using the VMware Host Client and start the vCenter Server
virtual machine.

Note Start any virtual machines that are running infrastructure services like Active Directory,
NTP, DNS and DHCP servers in the management domain before you start vCenter Server.

Procedure

1 Log in to the first management ESXi host at https://<esxi_host_fqdn_for_management_domain> as root.

When you shut down the management domain vCenter Server, you migrate its appliance to the first management ESXi host. See Shut Down the vCenter Server Instance in the Management Domain.

2 In the navigation pane, click Virtual machines.

3 Right-click the management domain vCenter Server, and, from the drop-down menu, select
Power > Power on.

The startup of the virtual machine and the vSphere services takes some time to complete.

4 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

5 In the Hosts and clusters inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

6 Verify the vSAN health and resynchronization status.

a Select the management cluster and click the Monitor tab.

b In the left pane, navigate to vSAN > Skyline health and verify the status of each vSAN
health check category.

c In the left pane, navigate to vSAN > Resyncing objects and verify that all synchronization
tasks are complete.

7 Start vSphere HA on the management cluster.

a Select the vSAN cluster under the management domain data center and click the
Configure tab.

b In the left pane, select Services > vSphere Availability and click the Edit button.

c In the Edit Cluster Settings dialog box, enable vSphere HA and click OK.

8 Set the vSphere DRS automation level of the management cluster to automatic.

a Select the default management cluster and click the Configure tab.

b In the left pane, select Services > vSphere DRS and click Edit.

c In the Edit cluster settings dialog box, click the Automation tab, and, from the drop-down
menu, in the Automation level section, select Fully automated.

d Click OK.

Start the vSphere Cluster Services


You start the vSphere Cluster Services (vCLS) virtual machines in a VI workload domain by
deactivating the retreat mode on the target cluster. Starting the vCLS virtual machines makes
vSphere DRS and vSphere HA available to the workloads running on the clusters in the workload
domain again.

Procedure

1 Log in to the VI workload domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the Hosts and clusters inventory, expand the tree of the VI workload domain vCenter
Server and expand the data center for the VI workload domain.

3 Select the cluster on which vCLS must be started.

4 Copy the cluster domain ID domain-c(cluster_domain_id) from the URL of the browser.

When you navigate to a cluster in the vSphere Client, the URL is similar to this one:

https://<fqdn-of-vCenter-server>/ui/app/cluster;nav=h/urn:vmomi:ClusterComputeResource:domain-c8:eef257af-fa50-455a-af7a-6899324fabe6/summary

You copy only domain-c8.

5 In the Host and Clusters inventory, select the vCenter Server instance for the VI workload
domain and click the Configure tab.

6 Under Advanced Settings, click the Edit Settings button.

7 Locate the config.vcls.clusters.domain-c(number).enabled property for the domain cluster ID from Step 4 and set it to true.

8 Click Save.

9 Repeat the procedure on all clusters in the other workload domains.
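Step 4 of this procedure, and Step 4 of Shut Down the vSphere Cluster Services Virtual Machines, both hinge on copying only the domain-c ID out of the vSphere Client URL, because the advanced setting key is built from that ID alone. The shell script below, an added example that is not part of this guide or of vCenter Server, accepts the full URL, the domain-c8:<uuid> fragment or the bare ID, and prints the key and the value to enter under Advanced Settings for retreat mode (shutdown) or for re-enabling vCLS (startup). The function names are the example's own.

```sh
#!/bin/sh
# Added example (not VMware or Dell code): derive the vCenter Server advanced
# setting that controls vCLS for one cluster from what Step 4 has you copy out
# of the vSphere Client URL, and reject input that carries no cluster ID.

# vcls_cluster_id TEXT: print the cluster domain ID (for example domain-c8) found
# in TEXT, which may be the full URL, "domain-c8:<uuid>" or just "domain-c8".
vcls_cluster_id() {
    _id=$(printf '%s\n' "$1" | sed -n 's/.*\(domain-c[0-9][0-9]*\).*/\1/p')
    [ -n "$_id" ] || { echo "no domain-c ID found in: $1" >&2; return 1; }
    printf '%s\n' "$_id"
}

# vcls_setting_key TEXT: the config.vcls.clusters.<id>.enabled key for that cluster
vcls_setting_key() {
    _id=$(vcls_cluster_id "$1") || return 1
    printf 'config.vcls.clusters.%s.enabled\n' "$_id"
}

# vcls_setting_value MODE: retreat (vCLS VMs are cleaned up) -> false, enable -> true
vcls_setting_value() {
    case "$1" in
        retreat) echo false ;;
        enable)  echo true ;;
        *) echo "mode must be retreat or enable, not: $1" >&2; return 1 ;;
    esac
}

# vcls_setting TEXT MODE: print "<key> <value>" ready to enter under Advanced Settings
vcls_setting() {
    _k=$(vcls_setting_key "$1") || return 1
    _v=$(vcls_setting_value "$2") || return 1
    printf '%s %s\n' "$_k" "$_v"
}

# Usage: sh vcls_setting.sh '<url or fragment copied from the browser>' retreat|enable
if [ $# -eq 2 ]; then
    vcls_setting "$1" "$2"
fi
```

Quote the URL when you pass it on the command line, because it contains a semicolon. The script only prepares the key and value; setting them is still done in the vSphere Client as in Steps 5 to 8.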

Start the VxRail Manager Virtual Machine


Start the VxRail Manager virtual machine by using the vSphere Client.

Procedure

1 Log in to the workload domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the workload domain vCenter Server tree and
expand the workload domain data center.

3 Locate the VxRail Manager virtual machine, right-click it, and select Power > Power on.

This operation takes several minutes to complete.

Start the SDDC Manager Virtual Machine


Start the SDDC Manager virtual machine by using the vSphere Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Expand the Management VMs folder.

4 Right-click the SDDC Manager virtual machine and click Power > Power on.

This operation takes several minutes to complete.

Start the Skyline Health Diagnostics Virtual Machine


To start the Skyline Health Diagnostics virtual machine in the management domain, use the
vSphere Client.

Procedure

1 Log in to the management domain vCenter Server at
https://<management_vcenter_server_fqdn>/ui by using an account with Administrator
privileges.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Right-click the Skyline Health Diagnostics virtual machine and select Power > Power on.

4 After the Skyline Health Diagnostics virtual machine is powered on, verify its operational
state.

5 In the Skyline Health Diagnostics user interface, reactivate the Scheduler.

Start the NSX Manager Virtual Machines


You begin powering on the NSX infrastructure in the management domain or in a VI workload
domain by starting the three-node NSX Manager cluster by using the vSphere Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as
administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.


3 Power on the NSX Manager nodes for the management domain or the VI workload domain.

a Right-click the primary NSX Manager node and select Power > Power on.

b Repeat the steps to power on the remaining NSX Manager nodes.

This operation takes several minutes to complete. Wait until the NSX Manager cluster becomes
fully operational again and its user interface is accessible.

4 Log in to NSX Manager for the management domain or VI workload domain at https://
<nsxt_manager_cluster_fqdn> as admin.

5 Verify the system status of NSX Manager cluster.

a On the main navigation bar, click System.

b In the left pane, navigate to Configuration > Appliances.

c On the Appliances page, verify that the NSX Manager cluster has a Stable status and all
NSX Manager nodes are available.

Start the NSX Edge Nodes


You continue powering on the NSX infrastructure in the management domain or in a VI workload
domain by starting the NSX Edge nodes by using the vSphere Client.

Procedure

1 Log in to vCenter Server for the management or VI workload domain at
https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the tree of workload domain vCenter Server and
expand data center for the workload domain.

3 Right-click an NSX Edge virtual machine from the edge cluster and select Power > Power on.

This operation takes several minutes to complete.

4 Repeat these steps to power on the remaining NSX Edge nodes.

Start the VMware Aria Suite Lifecycle Virtual Machine


Start the VMware Aria Suite Lifecycle virtual machine in the management domain by using the
vSphere Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as
administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Right-click the VMware Aria Suite Lifecycle virtual machine and select Power > Power on.


Start the Clustered Workspace ONE Access Virtual Machines


You start the three-node Workspace ONE Access cluster by using the VMware Aria Suite
Lifecycle user interface.

Procedure

1 Log in to VMware Aria Suite Lifecycle at https://<aria_suite_lifecycle_fqdn> as
vcfadmin@local.

2 Power on the Workspace ONE Access cluster and verify its status.

a On the My services page, click Lifecycle operations.

b In the navigation pane, click Environments.

c On the Environments page, in the globalenvironment card, click View details.

d In the VMware Identity Manager section, click the horizontal ellipsis icon and select
Power on.

e In the Power on VMware Identity Manager dialog box, click Submit.

f On the Requests page, ensure that the request completes successfully.

3 Configure the domain and domain search parameters on the Workspace ONE Access
appliances.

a Log in to the first appliance of the Workspace ONE Access cluster by using a Secure
Shell (SSH) client as sshuser.

b Switch to the super user by running the su command.

c Open the /etc/resolv.conf file for editing.

vi /etc/resolv.conf

d Add the following entries to the end of the file and save the changes.

domain <domain_name>
search <space_separated_list_of_domains_to_search>

e Repeat this step to configure the domain and domain search parameters on the remaining
Workspace ONE Access appliances.

4 In the VMware Aria Suite Lifecycle user interface, check the health of the Workspace ONE
Access cluster.

a In the navigation pane, click Environments.

b On the Environments page, in the globalenvironment card, click View details.

c In the VMware Identity Manager section, click the horizontal ellipsis icon and select
Trigger cluster health.


d In the Trigger health collection dialog box, click Submit.

e On the Requests page, ensure that the request completes successfully.

Start a Virtual Infrastructure Workload Domain


You start the management components for a VI workload domain in a specific order to provide
the necessary infrastructure, networking, and management services to the components you start
next.

You start the management components for the management domain first. Then, you start the
management components for the VI workload domains and the customer workloads.

If the NSX Manager cluster and NSX Edge cluster are shared with other VI workload domains,
follow this general order:

1 Start the other VI workload domains.

2 Start the VI workload domain that runs the shared NSX Edge nodes.

3 Start the customer workloads that rely on NSX services.

Startup Order for a VI Workload Domain


Table 28-5. Startup Order for a VI Workload Domain

Startup Order   SDDC Component
1               vCenter Server for the VI workload domain *
2               ESXi hosts, VxRail Manager, and vSAN for the VI workload domain *
4               NSX Manager nodes for the VI workload domain *
5               NSX Edge nodes for the VI workload domain *
6               vSphere Replication for the VI workload domain
                Site Recovery Manager for the VI workload domain
8               Virtualized customer workloads

* For information on the startup steps, see below.

Start the vCenter Server Instance for a VxRail Virtual Infrastructure Workload
Domain
Use the vSphere Client to power on the vCenter Server appliance for the VxRail VI workload
domain.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as
administrator@vsphere.local.


2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Locate the VxRail VI workload domain vCenter Server virtual machine.

4 Right-click the virtual machine of the VxRail VI workload domain vCenter Server and select
Power > Power on.

The startup of the virtual machine and the vSphere services takes some time to complete.

What to do next

Log in to the VxRail VI domain vCenter Server at https://<vcenter_server_fqdn>/ui as
administrator@vsphere.local to verify that the vCenter Server is started.

Start ESXi hosts, vSAN and VxRail Manager in a Virtual Infrastructure Workload
Domain
You start the ESXi hosts by connecting to them through an out-of-band management interface,
such as iLO or iDRAC, and powering them on. Powering on the ESXi hosts starts VxRail Manager,
which starts vSAN and the vSphere Cluster Services (vCLS) virtual machines.

Procedure

1 Power on the first ESXi host in the VI workload domain.

a Log in to the first ESXi host in the VI workload domain by using the out-of-band
management interface.

b Power on the ESXi host according to the hardware vendor guide.

2 Repeat the previous step to start all the remaining ESXi hosts in the VI workload domain.

This operation takes several minutes to complete.

3 Log in to the VI workload domain vCenter Server and wait until the VxRail Manager startup
for the cluster is finished.

Use the Recent Tasks pane in the cluster to monitor startup progress.

Once startup is complete, the VxRail Manager and vSphere Cluster Services (vCLS) virtual
machines in the cluster should be running.

Start the NSX Manager Virtual Machines


You begin powering on the NSX infrastructure in the management domain or in a VI workload
domain by starting the three-node NSX Manager cluster by using the vSphere Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as
administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.


3 Power on the NSX Manager nodes for the management domain or the VI workload domain.

a Right-click the primary NSX Manager node and select Power > Power on.

b Repeat the steps to power on the remaining NSX Manager nodes.

This operation takes several minutes to complete. Wait until the NSX Manager cluster becomes
fully operational again and its user interface is accessible.

4 Log in to NSX Manager for the management domain or VI workload domain at https://
<nsxt_manager_cluster_fqdn> as admin.

5 Verify the system status of NSX Manager cluster.

a On the main navigation bar, click System.

b In the left pane, navigate to Configuration > Appliances.

c On the Appliances page, verify that the NSX Manager cluster has a Stable status and all
NSX Manager nodes are available.

Start the NSX Edge Nodes


You continue powering on the NSX infrastructure in the management domain or in a VI workload
domain by starting the NSX Edge nodes by using the vSphere Client.

Procedure

1 Log in to vCenter Server for the management or VI workload domain at
https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the tree of workload domain vCenter Server and
expand data center for the workload domain.

3 Right-click an NSX Edge virtual machine from the edge cluster and select Power > Power on.

This operation takes several minutes to complete.

4 Repeat these steps to power on the remaining NSX Edge nodes.

Start a Virtual Infrastructure Workload Domain with vSphere with Tanzu

You start the management components for a VI workload domain with vSphere with Tanzu in
a specific order to provide the necessary infrastructure, networking, and management services
before powering on the components for containerized workload management.

You start the management components for the management domain first. Then, you start the
management components for the VI workload domains and the customer workloads.

If the NSX Manager cluster and NSX Edge cluster are shared with other VI workload domains,
follow this general order:

1 Start the other VI workload domains.


2 Start the VI workload domain that runs the shared NSX Edge nodes.

3 Start the customer workloads that rely on NSX services.

Startup Order for a VI Workload Domain with vSphere with Tanzu


Table 28-6. Startup Order for a VI Workload Domain with vSphere with Tanzu

Startup Order   SDDC Component
1               ESXi hosts and vSAN for the VI workload domain
2               vCenter Server for the VI workload domain
3               vCLS virtual machines
4               VxRail Manager virtual machine
5               NSX Manager nodes for the VI workload domain
6               NSX Edge nodes for the VI workload domain
7               Started automatically after you start vCenter Server, vCLS, and NSX for the
                VI workload domain:
                - Supervisor Control Plane virtual machines
                - Tanzu Kubernetes Cluster control plane virtual machines
                - Tanzu Kubernetes Cluster worker virtual machines
                - Harbor registry virtual machines
8               Containerized customer workloads

For information on the startup steps, see below.

Start the vSphere and vSAN Components for the Management Domain
You start the management ESXi hosts by connecting to them through an out-of-band management
interface, such as iLO or iDRAC, and powering them on. Restarting the vSAN cluster then
automatically starts vSphere Cluster Services, vCenter Server, and vSAN.

Procedure

1 Power on the first ESXi host in the management domain.

a Log in to the first ESXi host in the management domain by using the out-of-band
management interface.

b Power on the ESXi host according to the hardware vendor guide.

2 Repeat the previous step to start all the remaining ESXi hosts in the management domain.

This operation takes several minutes to complete.

vCenter Server is started automatically. Wait until vCenter Server is running and the vSphere
Client is available again.


3 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as
administrator@vsphere.local.

4 Restart the vSAN cluster.

a Right-click the vSAN cluster and select vSAN > Restart cluster.

b In the Restart dialog box, click Restart.

The vSAN Services page on the Configure tab changes to display information about the
restart process.

5 After the cluster has restarted, check the vSAN health service and resynchronization status,
and resolve any outstanding issues.

a Select the cluster and click the Monitor tab.

b In the left pane, under vSAN > Resyncing objects, verify that all synchronization tasks are
complete.

c In the left pane, navigate to vSAN > Skyline health and verify that the cluster health score
is 100%.

6 If you have added the root user of the ESXi hosts to the Exception Users list for lockdown
mode during shutdown, remove the user from the list on each host.

a Select the host in the inventory and click the Configure tab.

b In the left pane, select System > Security Profile.

c In the Lockdown Mode pane, click the Edit button.

d On the Exception Users page, from the vertical ellipsis menu in front of the root user,
select Remove User and click OK.
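The checks in steps 5 and 6 can be scripted with PowerCLI so that they are applied consistently to every host in the cluster. The following block is an added example and is not part of the VMware guide; it assumes the VMware.PowerCLI module (including VMware.VimAutomation.Storage) is installed, and the vCenter Server FQDN and cluster name it uses are placeholders to replace with your own values. The vSAN health result property names follow the VMware.VimAutomation.Storage documentation and should be confirmed on your PowerCLI version.

```powershell
# Added example (not from the VMware guide): PowerCLI equivalent of steps 5 and 6 of
# "Start the vSphere and vSAN Components for the Management Domain".
Import-Module VMware.PowerCLI

$VcFqdn      = 'mgmt-vcenter.example.com'   # placeholder: management domain vCenter Server
$ClusterName = 'mgmt-cluster'               # placeholder: management vSAN cluster name

$vc      = Connect-VIServer -Server $VcFqdn -Credential (Get-Credential -Message "administrator@vsphere.local")
$cluster = Get-Cluster -Name $ClusterName -Server $vc

# Step 5b: wait until no vSAN components are still resynchronizing (with a deadline
# so a stuck resync is reported instead of waited on forever).
$deadline = (Get-Date).AddMinutes(60)
do {
    $resync = @(Get-VsanResyncingComponent -Cluster $cluster)
    if ($resync.Count -eq 0) { break }
    Write-Host "$($resync.Count) vSAN components still resyncing, waiting..."
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)
if ($resync.Count -gt 0) { throw "vSAN resynchronization did not finish before the deadline" }

# Step 5c: run the vSAN health tests and stop if the overall status is not green.
# OverallHealthStatus is assumed to be the property name on this object; verify locally.
$health = Test-VsanClusterHealth -Cluster $cluster
Write-Host "vSAN overall health: $($health.OverallHealthStatus)"
if ("$($health.OverallHealthStatus)" -ne 'Green') {
    throw "vSAN health is $($health.OverallHealthStatus); resolve the reported issues before continuing"
}

# Step 6: remove root from the lockdown mode Exception Users list on every host in the
# cluster. HostAccessManager is the vSphere API object behind the Security Profile page.
foreach ($vmhost in Get-VMHost -Location $cluster) {
    $hostView   = Get-View -Id $vmhost.Id -Property ConfigManager
    $accessMgr  = Get-View -Id $hostView.ConfigManager.HostAccessManager
    $exceptions = @($accessMgr.QueryLockdownExceptions())

    if ($exceptions -contains 'root') {
        # Keep every other exception user; only root was added during shutdown.
        $remaining = @($exceptions | Where-Object { $_ -ne 'root' })
        $accessMgr.UpdateLockdownExceptions($remaining)
        Write-Host "$($vmhost.Name): removed root from lockdown exception users"
    } else {
        Write-Host "$($vmhost.Name): root is not an exception user, nothing to do"
    }
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

Leaving root in the exception list after the restart would let that account bypass lockdown mode permanently, so the script removes it only where it is present and leaves any other exception users untouched.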

Start vCenter Server for a Virtual Infrastructure Workload Domain


Use the vSphere Client to power on the vCenter Server appliance in the management domain.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as
administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Start vCenter Server.

a Locate the vCenter Server virtual machine for the VI workload domain.

b Right-click the virtual machine and select Power > Power on.

The startup of the virtual machine and the vSphere services takes some time to complete.


Start the vSphere Cluster Services


You start the vSphere Cluster Services (vCLS) virtual machines in a VI workload domain by
deactivating the retreat mode on the target cluster. Starting the vCLS virtual machines makes
vSphere DRS and vSphere HA available to the workloads running on the clusters in the workload
domain again.

Procedure

1 Log in to the VI workload domain vCenter Server at https://<vcenter_server_fqdn>/ui as
administrator@vsphere.local.

2 In the Hosts and clusters inventory, expand the tree of the VI workload domain vCenter
Server and expand the data center for the VI workload domain.

3 Select the cluster on which vCLS must be started.

4 Copy the cluster domain ID domain-c(cluster_domain_id) from the URL of the browser.

When you navigate to a cluster in the vSphere Client, the URL is similar to this one:

https://<fqdn-of-vCenter-server>/ui/app/cluster;nav=h/
urn:vmomi:ClusterComputeResource:domain-c8:eef257af-fa50-455a-af7a-6899324fabe6/summary

You copy only domain-c8.

5 In the Host and Clusters inventory, select the vCenter Server instance for the VI workload
domain and click the Configure tab.

6 Under Advanced Settings, click the Edit Settings button.

7 Locate the config.vcls.clusters.domain-c(number).enabled property for the domain
cluster ID from Step 4 and set it to true.

8 Click Save.

9 Repeat the procedure on all clusters in the other workload domains.
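Steps 4 through 9 of this procedure (both occurrences of "Start the vSphere Cluster Services" in this chapter) can be done for every cluster of a vCenter Server in one pass with PowerCLI, which also avoids copying the domain-c ID from the browser URL by hand. The following block is an added example and is not code from the VMware guide; it assumes the VMware.PowerCLI module is installed, and the vCenter Server FQDN it uses is a placeholder.

```powershell
# Added example (not from the VMware guide): PowerCLI equivalent of steps 4-9 of
# "Start the vSphere Cluster Services" for every cluster in one vCenter Server.
Import-Module VMware.PowerCLI

$VcFqdn = 'wld-vcenter.example.com'   # placeholder: VI workload domain vCenter Server
$vc = Connect-VIServer -Server $VcFqdn -Credential (Get-Credential -Message "administrator@vsphere.local for $VcFqdn")

# Step 4: derive the "domain-cNN" ID from each cluster's managed object ID instead of
# the browser URL. A cluster Id looks like "ClusterComputeResource-domain-c8".
$clusters = Get-Cluster -Server $vc | ForEach-Object {
    [pscustomobject]@{
        Name     = $_.Name
        DomainId = $_.Id -replace '^ClusterComputeResource-', ''
    }
}

foreach ($c in $clusters) {
    # Step 7: the vCenter Server advanced setting that controls retreat mode for this cluster.
    $settingName = "config.vcls.clusters.$($c.DomainId).enabled"
    $setting = Get-AdvancedSetting -Entity $vc -Name $settingName -ErrorAction SilentlyContinue

    if ($null -eq $setting) {
        # Absent setting means retreat mode was never configured: vCLS already runs here.
        Write-Host "$($c.Name) ($($c.DomainId)): no retreat-mode setting present, vCLS enabled"
        continue
    }
    if ("$($setting.Value)" -ieq 'true') {
        Write-Host "$($c.Name) ($($c.DomainId)): already enabled"
        continue
    }

    # Step 8: set the property to true so vCenter Server redeploys and starts the vCLS VMs.
    Set-AdvancedSetting -AdvancedSetting $setting -Value 'true' -Confirm:$false | Out-Null
    Write-Host "$($c.Name) ($($c.DomainId)): retreat mode deactivated"
}

# Verification: after a few minutes each cluster should show powered-on vCLS VMs again,
# which is the point at which DRS and HA are available to its workloads.
Get-VM -Name 'vCLS*' -Server $vc -ErrorAction SilentlyContinue |
    Select-Object Name, PowerState, @{ N = 'Cluster'; E = { (Get-Cluster -VM $_).Name } } |
    Format-Table -AutoSize

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run the block once per VI workload domain vCenter Server; the loop covers step 9 for all clusters managed by that instance.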

Start the VxRail Manager Virtual Machine


Start the VxRail Manager virtual machine by using the vSphere Client.

Procedure

1 Log in to the workload domain vCenter Server at https://<vcenter_server_fqdn>/ui as
administrator@vsphere.local.

2 In the VMs and templates inventory, expand the workload domain vCenter Server tree and
expand the workload domain data center.

3 Locate the VxRail Manager virtual machine, right-click it, and select Power > Power on.

This operation takes several minutes to complete.


Start the NSX Manager Virtual Machines


You begin powering on the NSX infrastructure in the management domain or in a VI workload
domain by starting the three-node NSX Manager cluster by using the vSphere Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as
administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Power on the NSX Manager nodes for the management domain or the VI workload domain.

a Right-click the primary NSX Manager node and select Power > Power on.

b Repeat the steps to power on the remaining NSX Manager nodes.

This operation takes several minutes to complete. Wait until the NSX Manager cluster becomes
fully operational again and its user interface is accessible.

4 Log in to NSX Manager for the management domain or VI workload domain at https://
<nsxt_manager_cluster_fqdn> as admin.

5 Verify the system status of NSX Manager cluster.

a On the main navigation bar, click System.

b In the left pane, navigate to Configuration > Appliances.

c On the Appliances page, verify that the NSX Manager cluster has a Stable status and all
NSX Manager nodes are available.
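Steps 3 through 5 of "Start the NSX Manager Virtual Machines" (the procedure appears three times in this chapter, once per startup context) can be scripted so that the nodes are started in order and the cluster state is confirmed against the NSX API rather than by eye. The following block is an added example and is not code from the VMware guide; it assumes the VMware.PowerCLI module and PowerShell 7 or later, and the vCenter Server FQDN, NSX Manager virtual machine names and NSX Manager cluster FQDN it uses are placeholders. GET /api/v1/cluster/status is the documented NSX cluster status endpoint.

```powershell
# Added example (not from the VMware guide): power on the NSX Manager nodes in order
# with PowerCLI, then poll the NSX cluster status API until the cluster is STABLE.
Import-Module VMware.PowerCLI

$VcFqdn     = 'mgmt-vcenter.example.com'                       # placeholder: management domain vCenter Server
$NsxVipFqdn = 'nsx-mgmt.example.com'                           # placeholder: NSX Manager cluster FQDN
$NsxNodeVms = @('nsx-mgmt-01', 'nsx-mgmt-02', 'nsx-mgmt-03')   # placeholders: primary node first

$vc = Connect-VIServer -Server $VcFqdn -Credential (Get-Credential -Message "administrator@vsphere.local")

# Step 3: power on each node and wait for VMware Tools before starting the next one,
# so the primary node is up before the other two try to rejoin the cluster.
foreach ($name in $NsxNodeVms) {
    $vm = Get-VM -Name $name -Server $vc
    if ($vm.PowerState -ne 'PoweredOn') {
        Start-VM -VM $vm -Confirm:$false | Out-Null
    }
    Wait-Tools -VM $vm -TimeoutSeconds 600 | Out-Null
    Write-Host "$name is powered on"
}

# Steps 4 and 5: query the cluster status as admin until the management cluster is STABLE.
# -SkipCertificateCheck is only for a self-signed VIP certificate; drop it once the
# NSX Manager certificate is issued by a CA your workstation trusts.
$nsxCred  = Get-Credential -Message "NSX admin for $NsxVipFqdn"
$deadline = (Get-Date).AddMinutes(30)
$mgmt     = $null
do {
    try {
        $status = Invoke-RestMethod -Uri "https://$NsxVipFqdn/api/v1/cluster/status" `
            -Method Get -Credential $nsxCred -Authentication Basic -SkipCertificateCheck
        $mgmt   = $status.mgmt_cluster_status.status
        $online = @($status.mgmt_cluster_status.online_nodes).Count
        Write-Host "Management cluster: $mgmt ($online of $($NsxNodeVms.Count) nodes online)"
        if ($mgmt -eq 'STABLE' -and $online -eq $NsxNodeVms.Count) { break }
    } catch {
        # The API is unavailable until the node services finish starting.
        Write-Host "NSX API not reachable yet: $($_.Exception.Message)"
    }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

if ($mgmt -ne 'STABLE') {
    throw "NSX Manager cluster did not report STABLE within the timeout; check the Appliances page"
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

The loop exits only when the status is STABLE and all expected nodes are listed as online, which is the same condition the Appliances page check in step 5c asks you to confirm manually.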

Start the NSX Edge Nodes


You continue powering on the NSX infrastructure in the management domain or in a VI workload
domain by starting the NSX Edge nodes by using the vSphere Client.

Procedure

1 Log in to vCenter Server for the management or VI workload domain at
https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the tree of workload domain vCenter Server and
expand data center for the workload domain.

3 Right-click an NSX Edge virtual machine from the edge cluster and select Power > Power on.

This operation takes several minutes to complete.

4 Repeat these steps to power on the remaining NSX Edge nodes.
