Each component of VMware Cloud Foundation publishes security and configuration guidelines. Some tested configurations are not compatible with VMware Cloud Foundation and must be avoided. Do not implement the following configurations, because they can break your VMware Cloud Foundation environment.

| Product | Configuration | Guideline IDs | Description |
|---|---|---|---|
| vCenter Server | Enforce multiple vCenter Server password complexity rules. | VI-VC-CFG-00410, VI-VC-CFG-00408, VI-VC-CFG-00413, VI-VC-CFG-00432, VI-VC-CFG-00433 | When rotating passwords, SDDC Manager does not take into account password complexity configured on the target vCenter Server. This can result in a new password that does not meet those requirements. |
| vCenter Server | Isolate all IP-based storage traffic on distributed switches from other traffic types. | VI-VC-CFG-01225 | As deployed by VMware Cloud Foundation, the management domain components (vCenter Server, NSX-T Data Center, SDDC Manager) are on a shared network with the ESXi hosts. This architecture cannot be changed after deployment. |
| vCenter Server | Isolate all management traffic on the vSphere Distributed Switch from other traffic types. | VI-VC-CFG-01223 | As deployed by VMware Cloud Foundation, the management domain components (vCenter Server, NSX-T Data Center, SDDC Manager) are on a shared network with the ESXi hosts. This architecture cannot be changed after deployment. |
| vCenter Server | vCenter Server must be isolated from the public Internet but must still allow for patch notifications and delivery. | VI-VC-CFG-01231 | Never apply patches to vCenter Server manually or by using vSphere Update Manager or VMware vCenter Lifecycle Manager in a VMware Cloud Foundation environment unless directed to do so by support. Patching the environment without using SDDC Manager can not only lead to a less secure environment, but can also cause problems with automated upgrades or actions in the future. |
| ESXi | Do not permit root logins for the SSH daemon on the ESXi hosts. | VI-ESXi-CFG-00005 | Root login is required to rotate and update the password for the root user. |
| ESXi | Enforce password complexity for the ESXi hosts. | VI-ESXi-CFG-00022 | When rotating passwords, SDDC Manager does not take into account password complexity configured on the target ESXi host. This can result in a new password that does not meet those requirements. |
| ESXi | Disable non-essential capabilities by disabling SSH on the ESXi host. | VI-ESXi-CFG-00111 | SDDC Manager requires SSH for bringup and lifecycle operations. |
| ESXi | Terminate shell services on the ESXi host. | VI-ESXi-CFG-00039 | SDDC Manager requires SSH for bringup and lifecycle operations. |
| NSX-T Data Center | Multiple configurations for the NSX-T Data Center distributed firewall. | VI-NET-CFG-01409, VI-NET-CFG-01424, VI-NET-CFG-01425, VI-NET-CFG-01452, VI-NET-CFG-01453, VI-NET-CFG-01489 | VMware Cloud Foundation does not support deploying a distributed firewall in the management domain. |
| NSX-T Data Center | Deny network communications traffic by default and allow network communications traffic by exception on the distributed firewall. | VI-NET-CFG-01412 | Do not set the Default Layer3 Rule to Reject or Drop in the management domain, to avoid the management domain inadvertently dropping or blocking required packets. |
| NSX-T Data Center | Enforce a minimum of 15 characters for password length for NSX-T Manager nodes. | VI-NET-CFG-01421 | Do not configure manually. SDDC Manager handles password complexity rules. |
| NSX-T Data Center | Multiple configurations for the NSX-T Data Center gateway firewall. | VI-NET-CFG-01427, VI-NET-CFG-01428, VI-NET-CFG-01429, VI-NET-CFG-01431, VI-NET-CFG-01432, VI-NET-CFG-01456, VI-NET-CFG-01464 | VMware Cloud Foundation does not support deploying a gateway firewall in the management domain. |