In VMware Cloud Foundation (VCF), the Standard Architecture provides a flexible and scalable design for deploying cloud infrastructure in an enterprise environment. When using dedicated NSX domains for each Workload Domain (WLD), the architecture is optimized for scenarios where you need isolated, independent network and security configurations for each workload domain, enhancing security, performance, and scalability.

In this model, each WLD gets its own dedicated NSX domain rather than sharing a single NSX domain across multiple WLDs. This setup ensures that each WLD has full control over its networking and security configuration, making it ideal for environments where workloads have different network and security requirements, such as multi-tenancy or strict segmentation between applications.

Single Site Dedicated NSX

Key Characteristics:

  1. Network Isolation and Flexibility:

    • Each VI WLD has its own NSX Manager and NSX domain, meaning that networking configurations, such as logical switches, routers, firewalls, and VPNs, are completely isolated between domains.
    • This provides strong isolation and flexibility, ensuring that any changes or updates to networking or security policies in one WLD do not affect other WLDs.
    • This isolation is particularly useful in multi-tenant environments where different business units, applications, or customer workloads need to operate independently but within the same physical data center.
  2. Independent NSX-T Management:

    • Each NSX Manager (installed within the dedicated NSX domain) provides full networking and security management for the associated WLD.
    • While NSX Manager in the Management Domain handles the initial configuration, each WLD's NSX Manager manages its distributed switches, routers, firewalls, and load balancers independently.
    • This ensures that each WLD has complete control over its networking resources and policies.
  3. Independent Security Policies:

    • The use of dedicated NSX domains enables segmentation of network security policies across WLDs. For instance, you can apply specific micro-segmentation policies, firewall rules, and security group configurations unique to each workload domain.
    • Security configurations are applied per domain, which can prevent unauthorized communication between workloads in different WLDs while allowing secure communication within a specific WLD.
  4. Scalable and Highly Available Architecture:

    • This architecture supports scalable deployments, where each NSX domain can independently scale according to the needs of the corresponding WLD.
    • Each WLD is configured with its own vSphere cluster, and as workloads grow, additional ESXi hosts can be added to the WLD without affecting the configuration of other WLDs.
    • Each NSX Manager is deployed in a highly available setup (typically a 3-node cluster) to ensure the redundancy and availability of networking and security services for the WLD.
  5. Workload Domain Independence:

    • Each WLD has its own vSphere cluster and vSAN storage, but also has a dedicated NSX-T domain to manage networking.
    • This allows administrators to deploy workloads in each WLD independently, with each WLD having separate network overlays, IP address ranges, and other configurations tailored to the specific needs of that domain.
  6. Centralized Management with Flexibility:

    • While each NSX domain operates independently, VCF’s SDDC Manager provides centralized management across all the Workload Domains and their respective NSX domains.
    • Administrators can manage each NSX domain individually while maintaining an overarching view of the entire VCF environment through the SDDC Manager.
  7. Cross-WLD Connectivity (Optional):

    • While each WLD is isolated in terms of networking, you can configure inter-WLD connectivity using NSX-T features such as VPNs or Layer 3 routing.
    • This enables workloads in different WLDs to communicate securely when required, without compromising on the network isolation and security policies within each WLD.
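
The characteristics above can be checked against a design inventory before deployment. The following is an added example, not VMware tooling or code from the original page: the inventory format, the WLD and manager names, the IP ranges, and the 3-node threshold are all constructed assumptions. It flags an NSX Manager shared between WLDs, a manager cluster below three nodes, and overlapping IP ranges on an approved cross-WLD link.

```python
"""Audit a constructed VCF design inventory against the dedicated-NSX model."""
from ipaddress import ip_network

# Constructed sample inventory (hypothetical names and ranges, not a real deployment).
INVENTORY = {
    "wld-01": {"nsx_manager": "nsx-wld01", "nsx_nodes": 3, "ranges": ["10.10.0.0/16"]},
    "wld-02": {"nsx_manager": "nsx-wld02", "nsx_nodes": 3, "ranges": ["10.20.0.0/16"]},
    "wld-03": {"nsx_manager": "nsx-wld02", "nsx_nodes": 1, "ranges": ["10.10.128.0/17"]},
}
# Cross-WLD links that were deliberately approved (VPN or Layer 3 routing).
APPROVED_LINKS = [("wld-01", "wld-03")]


def audit(inventory, approved_links, min_nodes=3):
    """Return a list of (finding, subject, detail) tuples; empty means clean."""
    findings = []

    # 1. Dedicated model: one NSX Manager must not serve more than one WLD.
    owners = {}
    for wld, cfg in sorted(inventory.items()):
        owners.setdefault(cfg["nsx_manager"], []).append(wld)
    for mgr, wlds in sorted(owners.items()):
        if len(wlds) > 1:
            findings.append(("shared-nsx-manager", mgr, tuple(wlds)))

    # 2. Availability: the page describes a typical 3-node manager cluster
    #    (min_nodes=3 is the assumed threshold here).
    for wld, cfg in sorted(inventory.items()):
        if cfg["nsx_nodes"] < min_nodes:
            findings.append(("nsx-not-ha", wld, cfg["nsx_nodes"]))

    # 3. Isolated domains can reuse address space, but once two WLDs are
    #    connected their ranges must not overlap.
    for a, b in approved_links:
        for ra in inventory[a]["ranges"]:
            for rb in inventory[b]["ranges"]:
                if ip_network(ra).overlaps(ip_network(rb)):
                    findings.append(("overlap-on-link", (a, b), (ra, rb)))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, APPROVED_LINKS):
        print(finding)
```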
