One of the new components introduced in VMware vSphere Foundation (VVF) and VMware Cloud Foundation (VCF) 9.1 is the VCF Management Services (VCFMS), which provides a centralized system for unifying both existing and new capabilities for VCF Fleet management and operations.
When deploying a brand new VCF Fleet using the VCF Installer, the required input for the IP address allocation uses an IP range format (minimum of 12 consecutive addresses and up to 30 for additional component deployment and scale out).
When upgrading from an existing environment using the SDDC Manager, the required input for the IP address allocation uses an network CIDR format.
While the minimum IP allocation is the same for both a new installation or an upgrade, the actual IPs required will differ due to different input formats
For example, to meet the minimum 12 IP address range, I could use 172.30.0.145 to 172.30.0.157 for my IP range input. However, with a CIDR format, we are not able to express the exact minimum and smallest CIDR block would be /28 giving us 14 usable IP addresses, which is two more than the minimum (e.g. 172.30.0.144/28). For users that have sufficient IP capacity within the selected network, this is not a huge issue but for existing environments, you may or may not have a contiguous block of IP addresses that are available, which can make VCFMS deployment tricky.
With that said, the underlying VCF Installer and SDDC Manager API actually has support for additional IP allocations options that are more flexible to address network constrained environments.
The following are supported:
- IP Range
- CIDR
- Specific IP Addresses
VCF Installer
The VCFMS JSON configuration is defined by vspClusterSpec that includes the ipv4Pool network definition. The easiest way to modify the VVF/VCF deployment JSON is to go through the wizard and then export the file for modification and then re-import the modified file back into the VCF Installer UI to use the more flexible network deployment option.
Here is an example of what a default vspClusteSpec using IP Range from VCF Installer UI would look like:
"vspClusterSpec": {
"ipv4Pool": {
"ipRange": {
"startIpAddress": "172.30.0.113",
"endIpAddress": "172.30.0.125"
}
},
"platformFqdn": "vcf-msr02.vcf.lab",
"instanceFqdn": "vcf-int02.vcf.lab",
"fleetFqdn": "vcf-flt02.vcf.lab",
"size": "small",
"name": "vc01-vmsp-01",
"internalClusterCidrIpv4": "198.18.0.0/15"
}
We can modify IP allocation format to use any of the examples below:
VCFMS using IP Range
"vspClusterSpec": {
"ipv4Pool": {
"ipRange": {
"startIpAddress": "172.30.0.145",
"endIpAddress": "172.30.0.158"
"excludedAddresses": ["172.30.0.144", "172.30.0.145"]
}
}
}
VCFMS using CIDR
"vspClusterSpec": {
"ipv4Pool": {
"cidr": "http://172.30.0.144/28",
"excludedAddresses": ["172.30.0.157", "172.30.0.158"]
}
}
VCFMS using specific IP Addresses
"vspClusterSpec": {
"ipv4Pool": {
"addresses": [
"172.30.0.144",
"172.30.0.146",
"172.30.0.148",
"172.30.0.150",
"172.30.0.152",
"172.30.0.154",
"172.30.0.156",
"172.30.0.158",
"172.30.0.160",
"172.30.0.162",
"172.30.0.163",
"172.30.0.164"
]
}
}
You might have also noticed for the CIDR and IP Range input, we have one additional capability which is to exclude specific IP addresses from the block of available addresses, which can help for scenarios where you have non-contiguous IP addresses.
SDDC Manager
To use a different IP allocation for VCFMS deployment as part of VCF upgrade workflow, you will need to use the SDDC Manager API (POST to /vcf-management-components).
For those interested in a working API example, you can refer to this blog post for a working Powershell script that will allow users to select specific IP Addresses to use for the VCFMS services runtime network requirements.
This is an excellent addition with utmost importance for production deployments - that continue to expand - unlike initial proof of concept setups.
It’s easier to miss the scale with large number of IP addresses required to run modern workloads in connected environments and multiple application components. If not planned correctly or unable to expand it later can have a huge impact down the line.
With IP capacity management at the core infrastructure and containerized layers being critical, having such features for flexibility in these layers is a welcome addition.
What if the VCF 9.0 Management Network is already full and don't have enough spare IPs left for the minimum 12 required by the VCFMS 9.1 ? Is it possible to host VCFMS on a new subnet ?
We made it work at one of my customers site (greenfield vcf 9.0). They had vm-mgmt on vlan, and vcf ops+auto on NSX. We configured a second vlan for vcf-mgmt. To make this work, we had to use API. And the magic sauce is to use "xRegionNetwork" part to get the second network):
...
"vcfManagementComponentsInfrastructureSpec": {
"xRegionNetwork": {
"networkName": "v1022-vcf-mgmt-svc",
"gateway": "10.10.22.1",
"subnetMask": "255.255.255.224"
}
},
...
vIDB was also installed on NSX segment, so that was reinstalled on the vcf-mgmt vlan network, and later in the upgrade process upgraded fine to 9.1.
NB! If you have vcf ops for network installed, and the certificate does not include IPs in the SAN section, recreate the cert, preferable before you start deploying VCFMS. If not, you might hit thumbprint mismatch problem during VCFMS deployment at about 50%-mark of the task. See KB440459 (https://knowledge.broadcom.com/external/article/440459/upgrading-vcf-90-environment-to-91-fai.html)
I forgot to add that this second VLAN aligns with the VCF 9.1 design "VCF Management Dedicated VLAN and NSX Overlay Segment Network Model" documented here: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-1/design/design-library/fleet-level-components-networking-detailed-design/logical-application-virtual-network-design-for-vmware-cloud-foundation.html