IBM Cloud Docs
System context

System context

End of Marketing: As of 17 July 2025, new deployments of VMware Regulated Workloads instances are no longer available for new customers. If you are an existing customer, you can still add or delete clusters, add or delete VMware ESXi™ servers or NFS storage, and add or remove services for your existing Regulated Workloads instances. As an existing customer, you can also view or delete your Regulated Workloads instances.

Although IBM Cloud® for VMware® Regulated Workloads is a self-contained design, some external dependencies exist. IBM Cloud for Regulated Workloads is designed without the use of IBM Cloud shared offerings such as VSIs and shared storage offerings.

Regulated Workloads context
Regulated Workloads context

Connections between the on-premises environment, CSP (Cloud Service Provider), CHP (Cloud Hosting Provider), and IBM Cloud traverse the internet and are required to use IBM Cloud Direct Link, IPsec, or other secure protocol.

  • IBM Cloud Account administrator - manages the SaaS provider's IBM Cloud account through the IBM Cloud portal. The IBM Cloud administrator is the only administrator who can add or remove hosts or services from the cloud account.
  • Regulated Workloads administrator - manages the virtualized environment for the Regulated Workloads instances. The Regulated Workloads administrator manages all compute, storage, and network resources that are used by the client applications. For simplicity, the administrator who is illustrated is a collection of multiple administration roles. Separation of duties might require dedicated virtualization, network, and security administrator roles.
  • User (SaaS consumer) - uses the resources available in the Regulated Workloads instances to run their applications. The SaaS consumer has no access to the management plane.
  • IBM Cloud data centers - supply the needed racks, cooling, and power to support the vSphere hosts used to build out the regions of the Regulated Workloads.
  • IBM Cloud network services - enable the connection of the Regulated Workloads to the internet (disabled by default). The connection is done through the frontside network and through private connection to the SaaS provider and SaaS consumer over the backside network through IBM Cloud network offerings such as Direct Link.
  • Gateway cluster - provides compute, storage, and network services to support the gateway appliance. The gateway cluster is only present when a virtual appliance is deployed as the perimeter gateway.
  • Edge gateway appliance - a physical or virtual device that protects the management plane and supports secure network communication between the IBM Cloud for VMware Regulated Workloads Management region and the SaaS provider and SaaS consumer.
  • Management cluster - provides compute, storage, and network services to support management functions.
  • Management services - enable administrators to monitor, operate, and maintain the infrastructure to ensure it is compliant, secure, and available to support hosted applications.
  • Workload clusters - provides compute, storage, and network services to support hosted applications and operations.
  • Applications - applications are VMs that deliver services to the SaaS consumer that support business operations.
  • On-premises facilities - the existing facilities of the SaaS provider, SaaS consumer, or both.
  • CSP (Cloud Service Provider) - deliver ancillary services. Examples might include credit card transaction processing or ACH services.
  • CHP (Cloud Hosting Provider) - can provide hosting services to support disaster recovery or specialized application hosting.