The document presents architectural considerations for deploying VMware vSphere 6.0, including compatibility, deployment models, and features such as the Platform Services Controller and VMware Certificate Authority. It outlines various architectural decisions and deployment strategies based on business needs, emphasizing the importance of choosing the right platform and configuration. The content further discusses additional technologies like Virtual SAN and Fault Tolerance, providing recommendations on their usage and management in diverse environments.

1. Just Because You COULD, Doesn't Mean You SHOULD -
vSphere 6.0 Architecture Considerations
from Real World Experiences
Jonathan McDonald, VMware, Inc
INF4712
#INF4712

2. • This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these
features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or
sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not
been determined.
Disclaimer
CONFIDENTIAL 2

3. My Team and I…
• Jonathan McDonald
– Technical Solutions Architect
– Professional Services Engineering
Global Technology & Professional Services
• What does Professional Services Engineering do?
– Develop, build and validate architecture designs with
VMware Products for Professional Services
– Training VMware and partner field resources
– Assistance with customer designs
CONFIDENTIAL 3

4. Agenda
4
1 Compatibility and Maximums
2 vCenter Server for Windows vs. vCenter Server Appliance
3 Platform Services Controller
4 Enhanced Linked Mode
5 VMware Certificate Authority
6 Standard vs. Distributed Virtual Switches
7 Virtual SAN
8 Fault Tolerance SMP
9 Content Library
CONFIDENTIAL

5. Just Because You COULD
Doesn’t Mean You SHOULD

6. Compatibility and Maximums
6CONFIDENTIAL

7. vCenter 6 Platform Choice
7
Metric / Feature vSphere 5.5
Operating System Windows Appliance
Hosts Per vCenter Server 1,000 100 or 1,000
Powered-ON VMs 10,000 10,000
Hosts per Cluster 32 32
Linked Mode Yes No
• Replication Technology
Microsoft AD
LDS / ADAM
-
Mixed Platforms No No
vSphere 6.0
Windows Appliance
1,000 1,000
10,000 10,000
64 64
Yes Yes
In-House
(from PSC)
In-House
(from PSC)
Yes Yes
CONFIDENTIAL

8. vCenter 6 Platform Choice (Continued)
• The question becomes which platform should you use?
– More Importantly does it really matter?
• Remember the two platforms are functionally identical
• Make the decision based on your business needs
– Will there be multiple sites being configured?
– Is there prior experience with vCenter?
– Is there Linux experience?
– Is there Oracle or Postgres experience?
– Are licensing costs a concern?
8CONFIDENTIAL

9. vCenter – New Deployment Architecture
• The Platform Services Controller includes:
– vCenter Single Sign-On™
– License service
– Lookup service
– Directory services (vmdir)
– VMware Certificate Authority
• The vCenter installation includes:
– vCenter Server
– vSphere Web Client
– Inventory Service
– vSphere Auto Deploy™
– vSphere ESXi Dump Collector
– vSphere Syslog Collector (Windows) or
vSphere Syslog Service (Appliance)
9
The services are split between the Platform Services Controller and vCenter Server
PSC Server Host OS
Platform Services
Controller
vCenter Server Host OS
vCenter Server
CONFIDENTIAL

10. vCenter – New Deployment Architecture (Continued)
• #1 Architectural Decision which needs to be made prior to deploying vSphere 6.0
• Greatly simplified since vSphere 5.x, with only two deployment types:
• Single or multiple node systems can be used
• Depending on size, the environment can become complex
10
PSC Server Host OS
External PSC
vCenter Server Host OS
vCenter ServervCenter Server Host OS
vCenter Server
Embedded PSC
CONFIDENTIAL

11. Enhanced Linked Mode
• Allows for a single pane of glass view of all vCenter Servers connected to a
Single Sign On Domain
11CONFIDENTIAL

12. Enhanced Linked Mode (Continued)
• Platform Services Controllers replicate configuration information between nodes
– Microsoft AD LDS / ADAM used previously
• Dramatically simplifies management of the environment
12
vSphere 5.5 vSphere 6.0
vCenter Server for Windows Yes Yes
vCenter Server Appliance No Yes
Single Inventory View Yes Yes
Single Inventory Search Yes Yes
Replication Technology Microsoft AD LDS / ADAM In-House (from PSC)
Roles and Permissions Yes Yes
Licenses Yes Yes
Policies No Yes
Tags No Yes
CONFIDENTIAL

13. Platform Services
Controller Architecture –
What Should I Do?
It depends of course!
(Did you expect me to say anything else?)

14. Architecture #1 – Embedded Deployment Model
• Sufficient for environments with:
– Only a single site
– No expansion past a single vCenter required
• Easiest to deploy and maintain
• Multiple standalone instances supported
• Replication between embedded instances not recommended.
14
vCenter Server Host OS
vCenter Server
Embedded PSC
CONFIDENTIAL

15. Architecture #2 – External Deployment Model
• Sufficient for environments with:
– Only a single site
– Up to 4 vCenter Servers
• Multiple Platform Service Controller nodes locally
• vCenter interacts with the Platform Service
Controller through a compatible load balancer
• Platform Service Controllers replicate state
information between them and provide a single
pane of glass view of the environment
• (Optional) vCenter instances can be clustered with
Windows Server Failover Clusters (WSFC)
15
PSC Server Host OS
External PSC
PSC Server Host OS
External PSC
Load Balancer
vCenter Server Host OS
vCenter Server
vCenter Server Host OS
vCenter Server
Replication
CONFIDENTIAL

16. Architecture #3 – External Deployment Model Multiple Sites
16
PSC Server Host OS
External PSC
PSC Server Host OS
External PSC
vCenter Server Host OS
vCenter Server
vCenter Server Host OS
vCenter Server
PSC Server Host OS
External PSC
vCenter Server Host OS
vCenter Server
Provides Enhanced Linked Mode
• Facilitated via Platform Services Controller
• Maintains single pane of glass management
• Replicates Licenses, permissions,
tags and roles
By Default
• Each site is independent
• PSC replication automated
• Site awareness
• No HA Shown
Site #1:
New York
Common SSOM Domain and Replication
Site #2:
San Francisco
Site #3:
Toronto
CONFIDENTIAL

17. Architecture #4: Platform Services Controller – Max Size
• Implementing the maximum supported size configuration is...complex.
17
Common SSO DomainCommon SSO DomainCommon SSO Domain
PSC Server Host OS
External PSC
PSC Server Host OS
External PSC
Load Balancer
vCenter Server Host OS
vCenter Server
vCenter Server Host OS
vCenter Server
vCenter Server Host OS
vCenter Server
vCenter Server Host OS
vCenter Server
PSC Server Host OS
External PSC
PSC Server Host OS
External PSC
Load Balancer
vCenter Server Host OS
vCenter Server
vCenter Server Host OS
vCenter Server
vCenter Server Host OS
vCenter Server
vCenter Server Host OS
vCenter Server
PSC Server Host OS
External PSC
PSC Server Host OS
External PSC
Load Balancer
vCenter Server Host OS
vCenter Server
vCenter Server Host OS
vCenter Server
CONFIDENTIAL

18. What Should You Use?
• Build based on business requirements, thinking of the future
• If there is only a single small site or if there is no desire for Enhanced Linked Mode:
– Use embedded nodes
– Allows for simplicity in the environment
– Reduces the administrative overhead of configuring the environment.
– High Availability (HA) is provided by VMware HA.
• If there are multiple sites and/or vCenter and Enhanced Linked Mode will be used:
– Use an external Platform Service Controller configuration
– The number of controllers and Load Balancers depends on the size of the environment:
– HA is provided by having multiple PSC, and load balancers as well as VMware HA
18
VMware Solutions
Without HA With HA
# PSC # PSC # Load Balancers
2 – 4 1 2 1
5 – 8 2 4 2
9 – 10 3 6 3
CONFIDENTIAL

19. Is There Anything to Be Aware Of?
• Once a deployment mode is chosen it cannot be changed without a full reinstallation (currently)
• It is not recommended to use embedded Platform Services Controllers if planning to use
enhanced linked mode
– It can however be configured in the installer
• If upgrading from vSphere 5.1 or 5.5 to vSphere 6.0 GA:
– Ensure that the 5.x installation is configured as you want the end outcome after upgrade
– Cannot change deployment mode during upgrade (embedded to external)
19CONFIDENTIAL

20. VMware Certificate Authority
• My FAVOURITE feature of this release!
• Secure communication is a top priority in the industry
• VMware uses SSL Certificates to secure communication between components
• With vSphere, there are many components that require a certificate
– Increased complexity to secure
– There is more than 20 different services in vCenter 6!
• VMware Certificate Authority aims to remove much of this complexity
– Fully functional Certificate Authority for VMware Components
• vCenter Server Components
• ESXi Hosts
– Not a General Purpose CA for the environment
– Can be root CA which manages its own certs or it can manage certs from external CA.
20CONFIDENTIAL

21. Single-Sign
On
Inventory
vCenter
vRealize
Orch.
Web
Client
Update
Manager
Log
Browser
5
1
2
6
7
3
15
18 17
9
13
12
4
8
11
10
14
16
Prior to VMware Certificate Authority (vSphere 5.1- 5.5)
n
n
Update Trust (may require
SSO Master password)
Replace SSL certificate
Trust Relationship
Old Certificate
New Certificate
CONFIDENTIAL 21

22. VMware Certificate Authority (vSphere 6.0)
22
• vCenter architecture has changed substantially between 5.x and 6.0
– Consolidation of Solution Users has occurred
– Fewer solution users and therefore fewer certificates
– No Longer not use self-signed certificates
– No longer need to replace certificates to be signed and secure
• Manage certificates in a wallet
– Uses VMware Endpoint Certificate Store (VECS) to store certs
– Certificates are no longer be stored on disk in various locations
– Are centrally managed in VECS
CONFIDENTIAL

23. VMware Certificate Authority (vSphere 6.0)
• Built into the Platform Services Controller
– Issues CA signed Certificates to all solutions
and ESXi hosts
• Operates in one of three modes:
– VMware Certificate Authority Self-Signed
Root Certificate (Default)
– VMware Certificate Authority Enterprise
Certificate
– Custom
• Can be updated from the GUI for ESXi
hosts, or command line
23CONFIDENTIAL

24. VMware Certificate Authority – Should I use it?
• Yes.
• Recommended configuration varies
• For most environments using default configuration recommended
– All that is required is to download and install the VMware Certificate Authority Root Certificate to clients
• For environments that secure or have compliance requirements use the enterprise CA mode
– More difficult
– Subordinate CA certificate required
– Replacement of all other certificates then must be performed (Root Certificate, Solution User, ESXi host)
– Requires restarts of services or servers
• There are very few scenarios where manual configuration is recommended
• See KB:
Replacing default certificates with CA signed SSL certificates in vSphere 6.0 (2111219)
24CONFIDENTIAL

25. Standard vs. Distributed Switches
• One of the biggest questions in most design sessions
• My recommendation?
– Always use Distributed Virtual Switches if the licensing is available
• Included with Virtual SAN!
– Gives features such as Network I/O Control (NIOC) & both ingress and egress bandwidth control
• Allows for greater control of network traffic
• Many old arguments against using it now illogical
– Recovery capability built into the GUI
– Backup and Restore of switch configurations available
– NIOC in vSphere 6 allows for per VM bandwidth reservations
• Look into using VMware NSX for even more control
– Micro-segmentation of traffic
25CONFIDENTIAL

26. Virtual SAN and Virtual Volumes
26
VMware Software-Defined Storage
vSphere
Storage Policy-Based Mgmt
vSphere vSphere
Virtual SAN
CONFIDENTIAL
Storage Policy-Based Mgmt
VVOL-enabled arrays
VMware Software-Defined Storage
vSphere Virtual Volumes

27. Storage Policy-Based Mgmt.
Control Plane
Data Plane
Storage Policy Based Mgmt.
Virtual Volumes
VVOL-enabled SAN / NAS
APIs
Control Plane
Data Plane
Virtual SAN and Virtual Volumes
27
……
Virtual SAN 6.0
 All-Flash architecture
 2x greater scalability
 4x greater with All-Flash;
2x performance with
Hybrid
 Virtual SAN Snapshots
and Clones
Radically Simple
Hypervisor-Converged Storage
for VMs
NEW
vSphere Virtual Volumes
 Virtualizes SAN/NAS
devices
 Uses native array
capabilities
 VM-level operations
 Included with vSphere
Management & Integration
Framework for External Storage
NEW
HDDSSD HDDSSD HDDSSD
Virtual SAN
Hypervisor-converged
SDS Stack
External Storage
App-Centric Automation
CONFIDENTIAL

28. Virtual SAN 6.0
• So should you or should you not Virtual SAN / Virtual Volumes 6.0?
• It depends. (Am I starting to sound like a broken record? Do records even still exist?) 
• There are benefits:
– High Performance can be achieved with proper hardware
– Radically simple to administer
– No external storage is required for VSAN
– New Health reporting plug-in provides detail for the environment
– On demand policy and policy changes for performance and high availability of virtual machine disks
– Business critical applications now supported in Virtual SAN 6.0
• There are drawbacks:
– Not all vSphere supported hardware, supported with Virtual SAN
– Additional hardware required beyond simple servers (HDD/SSD/10 Gb Networking/HBA’s)
– Learning curve for operational procedures and recovery
• Many designs include it as a part of Greenfield deployments
28CONFIDENTIAL

29. Virtual Volumes
• So should you or should you not Virtual Volumes?
• If you have an array that supports it.
• There are benefits:
– Software-Defined constructs change the way that storage is administered
– On demand policy and policy changes revolutionize management of storage
• There are drawbacks:
– Very limited hardware support for Virtual Volumes currently.
– Storage Array required that supports Virtual Volumes
– Learning curve for operational procedures and recovery
29CONFIDENTIAL

30. SMP Fault Tolerance
• Long awaited, Fault Tolerance now supports up to 4 vCPUs in vSphere 6.0
• Completely rewritten architecture in vSphere 6.0
– Works similar to how VMware vMotion works…it just doesn’t stop until there is a failure
30CONFIDENTIAL

31. SMP Fault Tolerance (Continued)
• Should you use it?
• If you have a need for continuous availability and instantaneous failover use it
– An easy solution to Business Continuity without need for development!
• A significant hardware investment may be required
– 10 Gb Networking a requirement
– If there is significant load in the VM performance can be degraded
– By default, the maximum number of FT VMs per host is 4 and the maximum number of vCPUs is 8
including secondary VMs
• Depending on the number of FT vCPUs desired, upgraded licenses may be required
31CONFIDENTIAL

32. Content Library
• New to vSphere 6!
• Little known new feature
• Allows for storage and sharing of:
– Templates
– Appliances
– ISOs
– Scripts
– etc.
• Allows for a subscription and download
repository between nodes for these items
32CONFIDENTIAL

33. Content Library (Continued)
• Should you use it?
• Definitely!
• It is not until I bring it up that in many cases this is even thought of
– Simplifies the management of media/templates/etc. in everything from small to large environments
• Where the library is stored is the only thing you have to plan!
– Recommend putting it local to the sites on reliable storage
33CONFIDENTIAL

34. Questions?
34

37. Just Because You COULD, Doesn't Mean You SHOULD -
vSphere 6.0 Architecture Considerations
from Real World Experiences
Jonathan McDonald, VMware, Inc
INF4712
#INF4712