Secure operation of VMware Cloud Director requires a secure network environment. Configure and test this network environment before you begin installing VMware Cloud Director.
Connect all VMware Cloud Director servers to a network that is secured and monitored.
For information on the network ports and protocols used by VMware Cloud Director, see VMware Ports and Protocols.
VMware Cloud Director network connections have several additional requirements:
- Do not connect VMware Cloud Director directly to the public Internet. Always protect VMware Cloud Director network connections with a firewall. Port 443 (HTTPS) is the only port that must be open to incoming connections. Ports 22 (SSH) and 80 (HTTP) can also be opened for incoming connections if needed. In addition, the cell-management-tool requires access to the cell's loopback address. All other incoming traffic from a public network, including requests to JMX (port 8999), must be rejected by the firewall.
For information on the ports that must allow incoming packets from VMware Cloud Director hosts, see VMware Ports and Protocols.
- Do not connect the ports used for outgoing connections to the public network.
For information on the ports that must allow outgoing packets from VMware Cloud Director hosts, see VMware Ports and Protocols.
- Starting with version 10.1, service providers and tenants can use the VMware Cloud Director API to test connections to remote servers, and to verify server identity as part of an SSL handshake. To protect VMware Cloud Director network connections, configure a denylist of internal hosts that are unreachable to tenants who are using the VMware Cloud Director API for connection testing. Configure the denylist after VMware Cloud Director installation or upgrade and before granting tenants access to VMware Cloud Director. See Configure a Test Connection Deny List in the VMware Cloud Director Service Provider Admin Guide.
- Route traffic between VMware Cloud Director servers and the following servers over a dedicated private network.
  - VMware Cloud Director database server
  - RabbitMQ
  - Cassandra
- If possible, route traffic between VMware Cloud Director servers, vSphere, and NSX over a dedicated private network.
- Virtual switches and distributed virtual switches that support provider networks must be isolated from each other. They cannot share the same layer 2 physical network segment.
- Use NFSv4 for transfer service storage. The most common NFS version, NFSv3, does not offer in-transit encryption, which in some configurations creates a risk of in-flight sniffing of, or tampering with, the data being transferred. Threats inherent in NFSv3 are described in the SANS white paper NFS Security in Both Trusted and Untrusted Environments. Additional information about configuring and securing the VMware Cloud Director transfer service is available in VMware Knowledge Base article 2086127.
- To avoid host header injection vulnerabilities, activate host header verification.
  - Log in directly or by using an SSH client to the VMware Cloud Director console as root.
  - Activate host header verification using the cell management tool:
    /opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n vcloud.http.enableHostHeaderCheck -v true
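A post-install check for the inbound firewall posture described above, as an added example that is not VMware's own code or tooling: it parses `ss -tln` output from a cell and compares the listening sockets with the ports the perimeter firewall allows in from the public network. The sample `ss` output, the firewall allow-list and the internal port 9000 are constructed for the example.

```python
"""Audit a VMware Cloud Director cell's listeners against the inbound-port policy:
only 443 required, 22/80 optional, JMX 8999 and everything else rejected by the firewall."""

REQUIRED_PUBLIC = {443}          # HTTPS must be reachable from outside
OPTIONAL_PUBLIC = {22, 80}       # SSH and HTTP may be opened if needed
JMX_PORT = 8999                  # cell-management-tool needs it on loopback only
LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")

# Constructed `ss -tln` output for the example (port 9000 is a made-up internal service).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       4096         127.0.0.1:8999        0.0.0.0:*
LISTEN  0       4096                 *:443               *:*
LISTEN  0       4096              [::]:80             [::]:*
LISTEN  0       4096           0.0.0.0:9000        0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return (address, port) pairs for the LISTEN rows of `ss -tln` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                        # header or non-listening row
        addr, _, port = fields[3].rpartition(":")   # handles "*:443" and "[::]:80"
        listeners.append((addr, int(port)))
    return listeners


def audit_cell_exposure(ss_output, firewall_inbound_ports):
    """Compare the cell's externally bound listeners with the firewall's inbound allow-list.
    Returns findings grouped as 'error' (policy violated), 'warning' and 'ok'."""
    findings = {"error": [], "warning": [], "ok": []}
    external = {p for a, p in parse_listeners(ss_output)
                if not a.startswith(LOOPBACK_PREFIXES)}
    allowed = set(firewall_inbound_ports)
    for port in REQUIRED_PUBLIC:
        if port not in external:
            findings["error"].append(f"port {port} is not listening on an external address")
        elif port not in allowed:
            findings["error"].append(f"firewall does not allow required port {port}")
    for port in sorted(allowed - REQUIRED_PUBLIC - OPTIONAL_PUBLIC):
        findings["error"].append(f"firewall allows inbound port {port}; only 443 (optionally 22/80) may be open")
    if JMX_PORT in external:
        findings["warning"].append(f"JMX port {JMX_PORT} is bound on a non-loopback address; the firewall must reject it")
    for port in sorted(external - allowed):
        findings["ok"].append(f"port {port} listens externally but is blocked by the firewall")
    return findings
```

Run it against real `ss -tln` output from each cell and the allow-list exported from the perimeter firewall; a clean result has an empty `error` list.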