It's looking like I need to break up our centralised, multi-tenant vCenter model into individual vCenters per tenant, pretty much because of the limitations of NSX - i.e. not being able to scope access for distributed firewall admins to 'per tenant' ESX hosts (I want to prevent a tenant from pushing firewall rules to other tenants' ESXi nodes).
Splitting up the vCenters I'm fine with - in many ways it'd make my life simpler. But I'm getting pressure internally to consider deploying all of them into a single SSO domain - and given my recent (bad) vCenter upgrade experiences, and the rollback / DR prep you need to do in order to recover from a failed upgrade when using linked mode, it fills me with dread.
I guess you're all aware - the only supported rollback method (outside of recovering from file-based VCSA backups) is to:
- Power down ALL vCenters in the SSO domain (or at least stop services on all)
- Snap, power back up.
This makes sense, because it allows for a clean recovery point across the domain, avoiding the obvious issues you'll run into re: PSC replication. But it's pretty inconvenient. If you have a failed upgrade on one vCenter, be prepared to roll them all back.
The potential scenario I'm looking at is a 9 x VCSA, single SSO deployment (3 x tenants, 3 datacenters). To me, this spells bad news. Yes, I want centralised auth, I want global object searching... but I don't think I have enough confidence in VMware's directory service, nor do I think there's enough expertise out there to support this appropriately.
Interested to know if anyone here has a large linked mode environment and how this impacts routine patching and upgrades? It's crazy, right? Someone convince me otherwise!
First of all, if these tenants are completely unknown to each other and you are thinking about billing each of them and isolating them completely, I would recommend that you go with different vCenters per tenant, even if they share the same authentication method.
I do not know what a "Tenant" is for you from a business perspective, but think about future expansion, different scopes, evolution, licensing, growth, etc. Having all the vCenters connected to the same SSO domain makes all of them dependent on each other from a certain point of view. In extreme cases where the SSO fails, it can impact the other vCenter Servers, which will be a huge issue for the tenants that should not be impacted.
Think about every time you need to plan a maintenance window or do an upgrade: these tasks are always quite time-consuming, and you are adding the complexity x9, and in some scenarios the businesses even have different times or methods for doing different tasks.