VMware Cloud Community
DanPaLewis
Contributor

Firewall Port Question: Relocating one VCSA to another VMWare Environment

Hello all,

Please bear with me as I have had to re-write this several times. To illustrate the issue:

VCSA

  • Site 1
    • ESXI1
    • ESXI2
  • Site 2
    • ESXI1
    • ESXI2
  • Site 3
    • ESXI1
      • Current location of VCSA server
    • ESXI2

As you can see, Site 3 is where the current VCSA server is located; however, this site is relocating to another area / facility. The ESXi hosts will go away, and after previous discussion here we decided to simply migrate the VCSA server to the other vSphere environment we manage, which is separate from this existing layout. The goal here is to maintain usage of the VCSA server to continue managing this environment while it is moved to the other. None of the sites communicate with each other except for the current Site 3. They don't move guests between sites or anything like that.

That being said, one of the things I'm attempting to figure out is what kind of firewall changes I am going to have to make in order to make this work. Each of the site-specific firewalls is going to have to be modified to point to the new location for things, but that's what I'm trying to determine: what needs to talk.

Obviously the sites will need to communicate with the VCSA server. Is there any reason I would have to open up the firewall to the new setup's ESXi hosts? Or do they ONLY need to talk to the VCSA server that they were previously speaking with?

7 Replies
pragg12
Hot Shot

Hi

Welcome to VMTN.

Since no specific details regarding the VMware infrastructure are mentioned, I will assume that when you migrate the VCSA from site 3 to site 2, you will be required to re-configure the VCSA as per site 2's network settings and open ports from all other sites' ESXi hosts to the VCSA. Once the new site is configured, open ports between the VCSA and the ESXi hosts. You have the option to either re-migrate with the same steps or leave it as it is.

I am listing some common source and destination pairs that, in my view, you need to open ports between.

1. ESXi, vCenter

2. vCenter, AD (DNS, NTP, SMTP, SNMP, LDAP, etc)

3. vCenter, Syslog server

4. Client, vCenter

5. vCenter and other 3rd party software like backup, vRealize etc.

You can refer to the VMware KB below for port details. Refer to the PDF attachment in the KB.

Network port diagram for vSphere 6.x (2131180)

Note: Make sure that once this activity is finished, you clean up by removing the unused firewall rules.

Consider marking this response as "Correct" or "Helpful" if you think my response helped you in any way.
DanPaLewis
Contributor

Thanks Pragg!

Hopefully this response isn't confusing; I know this has been tricky for me to write with enough detail on the layout. So you're correct. We are performing the following:

VCSA 1 - Controls vSphere 1

VCSA 2 - Controls vSphere 2

VCSA 2 is going to be migrated onto VCSA 1 / vSphere 1's equipment. VCSA 2 will still only manage vSphere 2, VCSA 1 will only treat it as another virtual machine, and the two will not necessarily co-exist with each other. I know that I am going to have to update the firewalls at all of the sites under vSphere 2 so that their ESXi hosts can communicate with the new IP address of VCSA 2, which you have confirmed in your thoughtful reply.

I guess what I am attempting to figure out: For any reason, do the ESXi hosts in vSphere 2 need to communicate with the ESXi hosts in vSphere 1, since that is where VCSA 2 is going to reside? Or do hosts in vSphere 2 not need to directly communicate for any reason within vSphere 1 other than the VCSA server that controls them?

In addition to that question, here are some thoughts on your reply below:

1. ESXi, vCenter

This I figured would be required, so the ESXi hosts under vSphere 2 will now have a new opening to the new IP address for VCSA 2 once it is migrated.

2. vCenter, AD (DNS, NTP, SMTP, SNMP, LDAP, etc)

As VCSA 2 will be behind the same firewall as two of the domain controllers for the domain, this is already in place and won't be an issue.

3. vCenter, Syslog server

Hmm, this is something that we need to double check. Is there a way to find out what syslog server your VCSA server is pointing to now?

4. Client, vCenter

For this you're referring to the guests, right? OK, that makes sense. Any new guest that I create at a remote site needs to communicate with the VCSA. This would already be in place once the changes are made for #1; however, it also means that going forward, if I create any additional guests, additional firewall openings are going to have to be made. Understood!

5. vCenter and other 3rd party software like backup, vRealize etc.

The only thing that we have going on right now is CommVault; however, that may change with the implementation of Veeam (MAYBE). I've already reached out to our corporate representative for CommVault for information.

Thanks again!

pragg12
Hot Shot

I guess what I am attempting to figure out: For any reason, do the ESXi hosts in vSphere 2 need to communicate with the ESXi hosts in vSphere 1, since that is where VCSA 2 is going to reside? Or do hosts in vSphere 2 not need to directly communicate for any reason within vSphere 1 other than the VCSA server that controls them?

If I have understood your queries correctly, then: No and Yes.

Basically, hosts under VCSA 2 do not need to communicate with hosts under VCSA 1, and vice versa. The VCSA as a VM can be managed by another VCSA with no issues.

Hmm, this is something that we need to double check. Is there a way to find out what syslog server your VCSA server is pointing to now?

Refer to Forward vCenter Server Appliance Log Files to Remote Syslog Server

Consider marking this response as "Correct" or "Helpful" if you think my response helped you in any way.
DanPaLewis
Contributor

Thanks for the reply again Pragg.

So basically, while I'm looking at it, we aren't doing anything with remote copying of logs to a different server, so that's a plus. So all I need to do is, on the remote site firewalls, allow bidirectional communication back and forth between their two ESXi hosts and the new IP address of the VCSA server?

If that's right, then this is easy peasy. Then I plan on vMotioning the VCSA to the new environment, and as long as I don't have to update anything other than DNS, we should be rocking and rolling. Does this all sound good to you?

pragg12
Hot Shot

So basically, while I'm looking at it, we aren't doing anything with remote copying of logs to a different server, so that's a plus. So all I need to do is, on the remote site firewalls, allow bidirectional communication back and forth between their two ESXi hosts and the new IP address of the VCSA server?

Yes, correct. Refer to the network port diagram which I shared earlier and make sure the required ports are opened wherever required. If you face any issue, check the ports. Let us know in case of any issue.

Good Luck. 🙂

Consider marking this response as "Correct" or "Helpful" if you think my response helped you in any way.
DanPaLewis
Contributor

Pragg,

There is one thing that is confusing me, and I am hoping that you can answer this pretty easily. I took a look at the diagram but will have to study it further. When I am dealing with the firewall rules, do I only need to open up communication between the global ESXi servers and the VCSA server? Or do I have to worry about having entries for every single VM guest IP address to ensure it can talk to the VCSA server as well? That second part doesn't make sense to me, as you can create a server and operate on it before it even has an IP address.

If the former is true, and we just need to make sure the hosts can talk to the VCSA, then that makes my life a lot easier, and I don't have to worry about as many IP addresses being added and tracked.

Thanks!

pragg12
Hot Shot

When I am dealing with the firewall rules, do I only need to open up communication between the global ESXi servers and the VCSA server?

Yes, if there are no other services connected with the VMware environment, like Syslog, which you have already confirmed in your previous response.

Or do I have to worry about having entries for every single VM guest IP address to ensure it can talk to the VCSA server as well?

This is not required. You need to ensure vCenter talks with the ESXi hosts, and that will be enough to manage the VMs on those ESXi hosts.

Consider marking this response as "Correct" or "Helpful" if you think my response helped you in any way.
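The check the thread converges on (each remote site's ESXi hosts only need a path to the relocated VCSA, plus DNS pointing at its new address), as an added example that is not part of the original thread and not VMware tooling. It is a small pre-cutover probe to run from a machine on a remote site's ESXi management network after the firewall rules are changed. The host name and address are constructed placeholders; the port numbers are the well-known vSphere defaults assumed here for illustration and should be confirmed against the network port diagram (KB 2131180) for your version. It only exercises TCP in the site-to-VCSA direction; the vCenter-to-host direction and UDP 902 are outside what a bare TCP connect can verify.

```python
"""Pre-cutover reachability check for a relocated VCSA.

Added example; not code from the original thread or from VMware. Run it from a
machine on each remote site's ESXi management network, pointing it at the
VCSA's new address. Port numbers below are assumed vSphere defaults.
"""
import socket
from typing import Dict, List, Tuple

# Assumed defaults (TCP only): 443 = HTTPS management traffic between vCenter
# and ESXi, 902 = NFC, VM console and host heartbeat. The heartbeat also uses
# UDP 902, which a bare TCP connect cannot verify, so UDP is out of scope.
DEFAULT_TCP_PORTS: Dict[int, str] = {
    443: "HTTPS (management)",
    902: "NFC / console / heartbeat",
}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout`.

    False means either a firewall drop/reject on the path or nothing listening
    on that port; either way vCenter <-> ESXi traffic on that port will fail."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolves_to(name: str, expected_ip: str) -> bool:
    """True if `name` resolves (DNS or hosts file) to `expected_ip`.

    After the move every site must resolve the VCSA FQDN to its new address;
    a stale record sends hosts to the old site even with correct firewall rules."""
    try:
        addrs = {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return False
    return expected_ip in addrs


def check_vcsa_paths(
    vcsa: str,
    ports: Dict[int, str] = DEFAULT_TCP_PORTS,
    timeout: float = 2.0,
) -> List[Tuple[int, str, bool]]:
    """Probe each TCP port on the VCSA; returns (port, purpose, reachable)."""
    return [(p, purpose, tcp_reachable(vcsa, p, timeout)) for p, purpose in ports.items()]


def blocked_ports(results: List[Tuple[int, str, bool]]) -> List[int]:
    """Ports from check_vcsa_paths() that still need a firewall rule."""
    return [port for port, _, ok in results if not ok]


def local_selfcheck() -> Tuple[bool, bool]:
    """Exercise the probe against a local listener, then the same port closed.

    Returns (open_port_reachable, closed_port_reachable); expect (True, False)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        open_ok = tcp_reachable("127.0.0.1", port, timeout=1.0)
    finally:
        listener.close()
    # Nothing listens on the port any more, so the probe must now fail.
    closed_ok = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return open_ok, closed_ok


if __name__ == "__main__":
    # Constructed placeholders: substitute the VCSA's new FQDN and address.
    VCSA_FQDN = "vcsa2.example.internal"
    VCSA_NEW_IP = "192.0.2.10"

    print("DNS points at new address:", resolves_to(VCSA_FQDN, VCSA_NEW_IP))
    results = check_vcsa_paths(VCSA_NEW_IP)
    for port, purpose, ok in results:
        print(f"tcp/{port:<4} {purpose:<28} {'open' if ok else 'BLOCKED'}")
    if blocked_ports(results):
        print("Firewall rules still needed for TCP ports:", blocked_ports(results))
```

Run it once per remote site before moving the VCSA (expect everything BLOCKED until the new rules are in), and again after the rule change; a port that stays BLOCKED while DNS already points at the new address is the firewall, not the appliance. The same probe pointed at each ESXi host from the VCSA's new network covers the other direction.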