When we talk about access control, or more precisely admission control, we usually have the HA policy in mind, although HA is not the only feature that uses it. DRS, Storage DRS, and ESXi hosts each have their own admission control mechanism. Let's take a detailed look at what the admission control mechanism is and what part it plays in running a virtual machine. What is the main function of admission control? I like to call this feature a team of virtual balancers. Admission control is designed to ensure that a virtual machine is provided with the amount of resources it is configured with. That last part is the essence of admission control.
When a VM is powered on or moved, admission control checks that a sufficient amount of unreserved resources is available to that VM. If the virtual machine is configured with a reservation for CPU, memory, or both, admission control must ensure that the datastore cluster, the compute cluster, the resource pool, and the host itself can provide the required resources. Only if each of these components can guarantee the allocation is the VM admitted; this is the purpose admission control was designed for. Since the different components of vSphere can be configured differently, each feature uses its own admission control mechanism, because relying on a mutual dependency in such an important component is very dangerous. Below is a diagram of admission control and the control points.
HA admission control: when a VM is powered on, this function checks whether the operation can be carried out properly and makes sure that resources stay reserved for a failure event. Once HA has had its turn, control passes to Storage DRS admission control, which verifies the placement of the VM in the datastore cluster. SDRS checks the hosts' connectivity to the datastores and selects the host with the most connections to ensure the mobility of the VM. If there are multiple such hosts, it selects the least loaded one. Next, DRS checks the state of the cluster. DRS ensures that the cluster has a sufficient amount of unreserved resources available for the power-on. If the VM is located in a resource pool, DRS checks whether the pool has enough resources.
Depending on the "expandable reservation" setting, the resource pool checks its own resources and, if necessary, requests additional resources from the parent pool. If the cluster uses EVC, EVC admission control checks that the VM does not violate the EVC profile used in the cluster. Next, DRS selects a host in line with the VM-VM and VM-Host rules. Finally, there is host admission control. In the end, it is the host that must give the VM the resources it needs to run. The cluster may have sufficient resources overall, but they may be fragmented, and the host will not be able to provide the resources for the VM's reservation. To solve this problem, DRS is invoked: it balances the load in the cluster and frees up the necessary resources on the desired host. If DRS is turned off, the host refuses to run the VM due to lack of resources.
Host admission control also checks that the VM's settings are compatible with the settings of the selected host: access to networks and datastores. Another check is performed if the VM is listed in a VM-Host rule of the "must" type: admission control checks whether the VM is in the list and compatible with the host. The final test verifies access to the datastore selected for the VM's swap file.
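
The resource pool and host checks described above can be followed in a small model. This is an added example, not VMware code: it tracks memory reservations in MB only, the names (`Pool`, `plan`, `admit`, the sample pools and hosts) are hypothetical, the tie-break between hosts is an assumption, and the HA, Storage DRS, EVC and rule checks are left out.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pool:
    name: str
    reservation: int                  # MB guaranteed to this pool
    expandable: bool = True           # the "expandable reservation" option
    parent: Optional["Pool"] = None
    used: int = 0                     # MB already reserved by VMs and child pools

    def unreserved(self) -> int:
        return self.reservation - self.used

def plan(pool, need):
    """Return [(pool, MB)] charges that satisfy `need`, or None if the pool chain cannot."""
    local = min(need, pool.unreserved())
    shortfall = need - local
    if shortfall == 0:
        return [(pool, local)]
    if not pool.expandable or pool.parent is None:
        return None                   # fixed reservation: no borrowing from the parent
    upstream = plan(pool.parent, shortfall)
    return None if upstream is None else [(pool, local)] + upstream

def admit(pool, hosts, need, drs_enabled=True):
    """hosts maps host name -> unreserved MB. Nothing is committed unless the VM is admitted."""
    charges = plan(pool, need)
    if charges is None:
        return "refused: resource pool"
    fits = [h for h, free in hosts.items() if free >= need]
    if not fits:                      # no single host can back the reservation
        if drs_enabled and sum(hosts.values()) >= need:
            return "fragmented: DRS must rebalance first"
        return "refused: host"
    for p, mb in charges:
        p.used += mb
    host = max(fits, key=hosts.get)   # assumption: prefer the host with most unreserved MB
    hosts[host] -= need
    return "admitted: " + host

def demo():
    # Constructed sample: 8 GB root pool with two child pools carved out of it
    root = Pool("root", 8192, expandable=False, used=2048 + 1024)
    prod = Pool("prod", 2048, expandable=True, parent=root)
    test = Pool("test", 1024, expandable=False, parent=root)
    hosts = {"esx01": 3000, "esx02": 3000}
    return [admit(prod, hosts, 2500),            # borrows 452 MB from root
            admit(test, hosts, 1500),            # cannot expand
            admit(prod, hosts, 3200),            # pool ok, hosts fragmented
            admit(prod, hosts, 3200, drs_enabled=False)]
```

Calling `demo()` returns one verdict per power-on request, in the order the requests are made.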