ESXi Design Decisions for a Virtual Infrastructure Workload Domain
Use this design decision list for reference related to the ESXi host configuration in an environment with a single or multiple VMware Cloud Foundation instances. The decisions determine the ESXi hardware configuration, networking, life cycle management and remote access.
For full design details, see ESXi Design for a Virtual Infrastructure Workload Domain.
Deployment Specification
Decision ID | Design Decision | Design Justification | Design Implication |
---|---|---|---|
VCF-WLD-ESX-CFG-001 | For vSAN principal storage, use vSAN ReadyNodes for each ESXi host in the cluster in the VI workload domain. | Your VI workload domain is fully compatible with vSAN at deployment. For information about the models of physical servers that are vSAN-ready, see the vSAN Compatibility Guide for vSAN ReadyNode. | Hardware choices might be limited. If you plan to use a server configuration that is not a vSAN ReadyNode, your CPU, disks and I/O modules must be listed on the VMware Compatibility Guide under CPU Series and vSAN Compatibility List aligned to the ESXi version specified in the VMware Cloud Foundation 4.5 Release Notes. |
VCF-WLD-ESX-CFG-002 | Allocate hosts with uniform configuration across the cluster in the VI workload domain. | A balanced cluster has these advantages: | You must apply vendor sourcing, budgeting, and procurement considerations for uniform server nodes, on a per cluster basis. |
VCF-WLD-ESX-CFG-003 | In a cluster in the VI workload domain, install each ESXi host with a minimum of 256 GB RAM. | Each of the two large-size NSX Edge appliances in this vSphere cluster of the VI workload domain requires 32 GB RAM. The remaining RAM is available for customer workloads. | In a four-node cluster, only 768 GB is available for use because the host redundancy in vSphere HA is configured to N+1. |
VCF-WLD-ESX-CFG-004 | Install and configure all ESXi hosts in the VI workload domain cluster to boot using a 32-GB device or greater. | Provides hosts with large memory, that is, greater than 512 GB, with enough space for the core dump partition while using vSAN. | When you use SATA-DOM or SD devices, the scratch partition and ESXi logs are not retained locally. Configure the scratch partition of each ESXi host on supplemental storage. |
VCF-WLD-ESX-CFG-005 | For customer workloads running in the VI workload domain cluster, save the virtual machine swap file at the default location. | Simplifies the configuration process. | Increases the amount of on-disk storage required to host the entire virtual machine state. |
Network Design
Decision ID | Design Decision | Design Justification | Design Implication |
---|---|---|---|
VCF-WLD-ESX-NET-001 | Place the ESXi hosts in the VI workload domain cluster on a new VLAN-backed management network segment dedicated to the VI workload domain. | | A new VLAN and a new subnet are required for the VI workload domain management network. |
VCF-WLD-ESX-NET-002 | Allocate statically assigned IP addresses and host names across all ESXi hosts in the VI workload domain cluster. | Ensures stability across the SDDC and makes the hosts simpler to maintain and easier to track. | Requires precise IP address management. |
VCF-WLD-ESX-NET-003 | Configure forward and reverse DNS records for each ESXi host in the VI workload domain cluster. | All ESXi hosts are accessible by using a fully qualified domain name instead of by using IP addresses only. | You must provide DNS records for each ESXi host. |
VCF-WLD-ESX-NET-004 | Configure time synchronization by using an internal NTP time source across all ESXi hosts in the VI workload domain cluster. | Ensures consistent time across all devices in the environment, which can be critical for proper root cause analysis and auditing. | An operational NTP service must be available in the environment. |
VCF-WLD-ESX-NET-005 | Set the NTP service policy to Start and stop with host across all ESXi hosts in the VI workload domain cluster. | Ensures that the NTP service is available right after you restart an ESXi host. | None. |
Life Cycle Management Design
Decision ID | Design Decision | Design Justification | Design Implication |
---|---|---|---|
VCF-WLD-ESX-LCM-001 | Use SDDC Manager to perform the life cycle management of ESXi hosts in the VI workload domain cluster. | SDDC Manager has a greater awareness of the full SDDC solution and therefore handles the patch update or upgrade of the VI workload domain as a single process. Directly performing life cycle management tasks on an ESXi host or through vCenter Server has the potential to cause issues within SDDC Manager. | The operations team must understand and be aware of the impact of performing a patch or upgrade by using SDDC Manager. |
Information Security and Access Control
Decision ID | Design Decision | Design Justification | Design Implication |
---|---|---|---|
VCF-WLD-ESX-SEC-001 | Deactivate SSH access on all ESXi hosts in a VI workload domain cluster by having the SSH service stopped and using the default SSH service policy Start and stop manually. | Ensures compliance with the vSphere Security Configuration Guide and with security best practices. Disabling SSH access reduces the risk of security attacks on the ESXi hosts through the SSH interface. | You must enable SSH access manually for troubleshooting or support activities. |
VCF-WLD-ESX-SEC-002 | Set the advanced setting UserVars.SuppressShellWarning to 0 across all ESXi hosts in a VI workload domain cluster. | Ensures compliance with the vSphere Security Configuration Guide and with security best practices. A warning appears in the vSphere Client every time SSH access is enabled on an ESXi host, drawing the administrator's attention. | You must suppress SSH enablement warnings manually when performing troubleshooting or support activities. |
VCF-WLD-ESX-SEC-003 | Regenerate the certificate of each ESXi host after assigning the host an FQDN. | Establishes a secure connection with SDDC Manager during the deployment of the VI workload domain and prevents man-in-the-middle (MiTM) attacks. | You must manually regenerate the certificates of the ESXi hosts before the deployment of the VI workload domain. |
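The following PowerCLI script is an added example, not part of the VMware design guide, that audits a VI workload domain cluster against decisions VCF-WLD-ESX-NET-004, NET-005, SEC-001 and SEC-002 and optionally remediates SEC-001. It assumes the VMware.PowerCLI module is installed, a session already exists through Connect-VIServer, and the cluster name and NTP server values are placeholders you replace with your own.

```powershell
# Added example (not from the design guide). Assumes VMware.PowerCLI is installed and
# Connect-VIServer has already been run against the workload domain vCenter Server.
$ClusterName = "wld01-cluster01"        # placeholder cluster name
$ExpectedNtp = @("ntp.corp.example")    # placeholder internal NTP source (NET-004)
$Remediate   = $false                   # set to $true to enforce SEC-001 on failing hosts

$report = foreach ($esx in Get-Cluster -Name $ClusterName | Get-VMHost) {
    $svc  = Get-VMHostService -VMHost $esx
    $ssh  = $svc | Where-Object { $_.Key -eq 'TSM-SSH' }
    $ntpd = $svc | Where-Object { $_.Key -eq 'ntpd' }
    $warn = Get-AdvancedSetting -Entity $esx -Name 'UserVars.SuppressShellWarning'
    $ntpServers = @(Get-VMHostNtpServer -VMHost $esx)

    [pscustomobject]@{
        Host          = $esx.Name
        # SEC-001: SSH stopped and policy "Start and stop manually" (PowerCLI policy value "off")
        SEC001_SshOk  = (-not $ssh.Running) -and ($ssh.Policy -eq 'off')
        # SEC-002: value 0 keeps the vSphere Client warning visible when SSH is enabled
        SEC002_WarnOk = ($warn.Value -eq 0)
        # NET-004: only the expected internal NTP source is configured
        NET004_NtpOk  = ($ntpServers.Count -gt 0) -and
                        (@(Compare-Object $ntpServers $ExpectedNtp).Count -eq 0)
        # NET-005: ntpd policy "Start and stop with host" (PowerCLI policy value "on") and running
        NET005_NtpdOk = ($ntpd.Policy -eq 'on') -and $ntpd.Running
    }
}

$report | Format-Table -AutoSize

# Hosts that fail any of the four checks, for follow-up
$failing = $report | Where-Object {
    -not ($_.SEC001_SshOk -and $_.SEC002_WarnOk -and $_.NET004_NtpOk -and $_.NET005_NtpdOk)
}
$failing | Select-Object Host

# Optional SEC-001 remediation: stop SSH and restore the "Start and stop manually" policy
if ($Remediate) {
    foreach ($row in $report | Where-Object { -not $_.SEC001_SshOk }) {
        $ssh = Get-VMHostService -VMHost (Get-VMHost -Name $row.Host) |
               Where-Object { $_.Key -eq 'TSM-SSH' }
        Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null
        Set-VMHostService -HostService $ssh -Policy Off | Out-Null
    }
}
```

Run the audit after host commissioning and again after any support session in which SSH was enabled, so that a host left in the non-default state is caught before it drifts out of compliance unnoticed.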