Typical configuration guidelines apply to standalone implementations of VMware products. When these products are part of VMware Cloud Foundation, some configurations might not be applicable or might not be compatible with VMware Cloud Foundation. Do not implement these configurations. You can find mitigation steps for the configurations in the VMware Cloud Foundation 4.2 Audit Guide Appendix.

| Product | Configuration | Context for Excluding Configuration |
|---|---|---|
| vCenter Server | Enforce multiple vCenter Server password complexity rules (VI-VC-CFG-00410). | When rotating passwords, SDDC Manager does not take into account the password complexity configured on the target vCenter Server. This might result in a new password that does not meet SDDC Manager password requirements, and workflows might fail. |
| vCenter Server | Isolate all management traffic on the vSphere Distributed Switch from other traffic types (VI-VC-CFG-01223). | VMware Cloud Foundation deploys vCenter Server, NSX-T Data Center, and SDDC Manager on a shared network across ESXi hosts. This architecture cannot be changed after deployment. |
| vCenter Server | vCenter Server must be isolated from the public Internet but must still allow for patch notifications and delivery (VI-VC-CFG-01231). | Never apply patches to vCenter Server manually, with VMware vSphere Update Manager, or with VMware vCenter Lifecycle Manager in a VMware Cloud Foundation environment, unless directed to do so by support. Patching the environment without using SDDC Manager might cause problems with automated upgrades or other actions in the future. |
| ESXi | Enforce password complexity for the ESXi hosts (VI-ESXi-CFG-00022). | When generating passwords, SDDC Manager does not take into account the password complexity that is configured on the target ESXi host. SDDC Manager enforces a minimum password length of 15 and a maximum password length of 20 by default. If the ESXi host password length exceeds 20 or is less than 15, the rotate host password workflow fails. |
| ESXi | Disable non-essential capabilities by disabling SSH on the ESXi host (VI-ESXi-CFG-00111). | SDDC Manager requires SSH for bring-up and lifecycle operations. Disabling SSH prevents SDDC Manager workflows from accessing the requisite hosts. |
| ESXi | Terminate shell services on the ESXi host (VI-ESXi-CFG-00039). | SDDC Manager requires SSH for bring-up and lifecycle operations. Disabling SSH prevents SDDC Manager workflows from accessing the requisite hosts. |
| NSX-T Data Center | Enable logging for distributed firewall rules (VI-NET-CFG-01409). | Users can only enable logging for the default rules available in NSX-T Data Center. VMware Cloud Foundation does not support configuring additional distributed firewall rules in the management domain because most of the management appliances are deployed on Distributed Virtual Portgroups. |
| NSX-T Data Center | Multiple configurations for the NSX-T Data Center distributed firewall (VI-NET-CFG-01424, VI-NET-CFG-01425, VI-NET-CFG-01452, VI-NET-CFG-01489). | VMware Cloud Foundation does not support configuring additional distributed firewall rules in the management domain because most of the management appliances are deployed on Distributed Virtual Portgroups. Impact: Management domain functionality may not work properly. Mitigating Control: Evaluate the network diagram and identify the controls used to protect network activity. |
| NSX-T Data Center | Deny network communications traffic by default and allow network communications traffic by exception on the distributed firewall (VI-NET-CFG-01412). | There is no guidance on allowing or denying traffic in the NSX-T Manager used in the management domain, so this configuration is not recommended. Do not set the Default Layer3 Rule to Reject: doing so could drop traffic not captured by defined rules and block packets required to support management domain functionality. |
| NSX-T Data Center | Enforce a minimum character password length for NSX-T Manager nodes (VI-NET-CFG-01421). | SDDC Manager handles password complexity rules for NSX-T Manager, and users must not enforce this on the NSX-T Manager nodes. Doing so could result in a new password that does not meet SDDC Manager password requirements and might cause workflows to fail. |
| NSX-T Data Center | Enforce password complexity rules on NSX-T Edge nodes (VI-NET-CFG-1450). | SDDC Manager enforces password complexity rules on the credentials. Enforcing additional rules on the Edge nodes could result in a new password that does not meet SDDC Manager password requirements and might cause workflows to fail. |
| NSX-T Data Center | Restrict access to NSX Manager (VI-NET-CFG-01491). | VMware Cloud Foundation deploys NSX-T Manager nodes on the same management network as vCenter Server. This architecture cannot be changed after deployment. |
| NSX-T Data Center | Harden your VMware vSphere environment (VI-NET-CFG-01446). | Security for NSX-T Data Center requires a hardened vSphere environment. Because of specifics in the design of VMware Cloud Foundation, you must only use the guidance for hardening vSphere described in this guide. Configurations from other vSphere hardening guides might break VMware Cloud Foundation. |