For flawless and non-disruptive operations, such as password management, backup and restore, certificate management, and license management, and for optimal performance of your VMware Cloud Foundation environment, you can follow certain best practices based on industry expertise and previous successful experiences.
Applying Security Policies
As part of your VMware Cloud Foundation environment deployment and operation, you include security considerations according to risk assessment, legal requirements, industry best practices, and the objectives of your organization.
Area |
More Information |
|
---|---|---|
Telemetry |
Join the Customer Experience Improvement Program ("CEIP") to share technical information with VMware about the use of VMware products by your organization. See Configure CEIP in the VMware Cloud Foundation Administration Guide. |
|
Passwords |
|
See Password Policy Configuration for VMware Cloud Foundation . |
Users and roles |
|
See Managing Users and Groups in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide. |
Certificates |
|
See Managing Certificates in VMware Cloud Foundation in VMware Cloud Foundation Administration Guide. |
Backups |
|
See Backup and Restore of VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide. |
Monitoring and Alerting
Monitoring the underlying physical infrastructure, and the management and customer workloads in VMware Cloud Foundation in real time helps you prevent outages and plan future hardware needs.
Choose one or more monitoring solutions according to the setup of your environment.
Solution | Description |
---|---|
Intelligent Operations Management for VMware Cloud Foundation | Use VMware Aria Operations for proactive management of system failures by reviewing and acting on events and alerts. Information is collected in the form of structured data (metrics). |
PowerShell Module for VMware Cloud Foundation Reporting | Use the cmdlets in the VMware.CloudFoundation.Reporting PowerShell module to generate insights to the operational state of VMware Cloud Foundation. You can access quickly information from the PowerShell console and generate several types of reports in HTML format. |
Health Reporting and Monitoring for VMware Cloud Foundation | Generate reports in HTML format, and use custom dashboards, alerts, and notifications in VMware Aria Operations to monitor the health of your environment. |
Intelligent Network Visibility for VMware Cloud Foundation | Use VMware Aria Operations for Networks for network visibility and analytics to improve micro-segmentation security, minimize risk during application migration, optimize network performance and manage and scale NSX and Kubernetes deployments. |
Password Operations
Certain measures enhance the security setup of your VMware Cloud Foundation environment.
- Monitoring passwords ensures compliance, access control, and risk mitigation in your VMware Cloud Foundation environment.
- Password policies, including complexity, expiration, and account lockout, enforce secure practices.
- Password complexity requirements enhance password strength, expiration prompts regular updates, and account lockout prevents unauthorized access attempts.
Operation |
When or How Often |
Description |
---|---|---|
Set or update password policies. |
|
Configure password policies of the management components of VMware Cloud Foundation manually for each component or in an automated way by using the VMware.CloudFoundation.PasswordManagement PowerShell module. See Password Policy Configuration for VMware Cloud Foundation. For password policy configuration of products that are not part of the VMware Cloud Foundation automation, follow their product documentation. |
Monitor account password expiration. |
Once a week or according to the policy of your organization. |
The SDDC Manager UI shows a notification for account passwords managed by SDDC Manager that are expiring in the next 14 days. |
To monitor the account passwords managed by SDDC Manager by using custom dashboards, alerts, and notifications in VMware Aria Operations, use the open-source Python module for VMware Cloud Foundation health monitoring. See the Health Reporting and Monitoring for VMware Cloud Foundation validated solution. |
||
To generate a point-in-time health report for your VMware Cloud Foundation environment, use the open-source PowerShell module for VMware Cloud Foundation health reporting. See Generating a Health Report in the documentation of the module. |
||
Enable account password auto-rotation (schedule rotation). |
|
To enable password auto-rotation for an account in a management component, use the SDDC Manager UI. See Rotate Passwords in theVMware Cloud Foundation Administration Guide. |
To automate enabling auto-rotation for an account, use the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation. |
||
You can integrate a third-party or custom utility that uses the VMware Cloud Foundation API for password rotation. See Credentials in the VMware Cloud Foundation API reference documentation. |
||
Rotate or update an account password. |
|
The following options for password rotation exist:
|
To automate the rotation of account passwords, use the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation. |
||
To automate the rotation of account passwords by using PowerShell, use the |
||
Remediate an account password. |
If a password has expired. |
To remediate a password, use the SDDC Manager UI. See Remediate Passwords in the VMware Cloud Foundation Administration Guide.
Caution:
If you try to rotate an expired password, the task might fail. You must cancel or resolve and retry the failed password management tasks in the SDDC Manager UI. |
You can automate password remediation by using the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation. |
||
To automate password remediation by using PowerShell, use the |
||
Look up account credentials. |
If you must log in using an account managed by SDDC Manager. |
To look up account credentials manually, use the |
You can automate password retrieval, by using the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation. |
||
To automate credential retrieval by using PowerShell, use the |
||
Reset a password. |
If a lost account password cannot be retrieved from SDDC Manager or other secure storage. |
See the following documentation: If the account password is managed by SDDC Manager, after the reset operation is complete, follow the guidelines for remediating passwords in this table.
Important:
You cannot reset a lost ESXi root password. You must remove the ESXi host from the SDDC Manager inventory and reinstall ESXi. |
License Operations
When deploying management components, VMware Cloud Foundation requires access to valid license keys. You add license keys to the SDDC Manager inventory so that they can be consumed at deployment time, but they are not synchronized between SDDC Manager and the underlying components.
Operation |
When or How Often |
Description |
---|---|---|
Add licenses. |
Insufficient license capacity for expanding an environment. |
To add license keys manually, use the SDDC Manager UI. See Managing License Keys in the VMware Cloud Foundation Administration Guide. |
You can automate adding license keys by using the VMware Cloud Foundation API. See License Keys in the VMware Cloud Foundation API reference documentation. |
||
To automate adding license keys by using PowerShell, use the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation `. |
||
Replace expired licenses. |
А licenses has expired or is expiring. |
You must update or delete the license key. You have the same management options as when adding licenses. |
Replace existing licenses. |
You upgrade product licenses to a higher edition. |
You must update the license keys. You have the same management options as when adding licenses. |
Monitor licenses. |
Once a week |
The SDDC Manager UI shows an alert if a license is expiring in the next 30 days. SDDC Manager pulls license information from managed products to determine if they are using a license that is in the SDDC Manager inventory. SDDC Manager UI shows license usage on the page. |
Certificate Operations
By actively managing certificates in VMware Cloud Foundation, organizations can maintain secure communication, establish trust, protect sensitive data, meet compliance requirements, and respond effectively to certificate-related incidents or vulnerabilities.
Operation |
When or How Often |
Description |
---|---|---|
Replace self-signed certificates. |
|
You can upload custom certificates to ESXi hosts manually on each host or in an automated way by using the VMware.CloudFoundation.CertificateManagement PowerShell module. See ESXi Certificate Management for VMware Cloud Foundation.
Note:
|
Replace signed certificates from a trusted certificate authority. |
|
Follow the same guidelines as when replacing self-signed certificates. |
Identify expiring certificates. |
At least once a month. |
The SDDC Manager UI shows an alert if a certificate is expiring. |
To monitor the expiring certificates managed by SDDC Manager by using custom dashboards, alerts, and notifications in VMware Aria Operations, use the open-source Python module for VMware Cloud Foundation health monitoring. See the Health Reporting and Monitoring for VMware Cloud Foundation validated solution. |
||
To generate a point-in-time health report for your VMware Cloud Foundation environment, use the open-source PowerShell module for VMware Cloud Foundation health reporting. See Generating a Health Report in the documentation of the module. |
||
Replace expired certificates. | The certificate of a management component that is managed by SDDC Manager has expired. | For step-by-step information about replacing expired certificates managed by SDDC Manager, see below. For information about replacing expired certificates of management components not included in the SDDC Manager automation, see the relevant product documentation. |
Order of Replacing Expired Certificates for a Workload Domain
If the certificates of multiple management components have expired, replace them in a certain order.
- Replace the certificates of the NSX Manager cluster and nodes.
Skip installing CA-signed certificates for NSX Manager by using SDDC Manager.
- Replace the vCenter Server certificate with a VMCA-signed one.
Skip installing a CA-signed certificate for vCenter Server by using SDDC Manager.
- If you are replacing expired certificates in the management domain, replace the SDDC Manager certificate.
- After you have all temporary certificates ready to be replaced with CA-signed ones, use SDDC Manager UI to replace the certificates for NSX Manager and vCenter Server with CA-signed ones.
Replace Expired NSX Manager Certificates
In VMware Cloud Foundation, you temporarily replace an expired SSL certificate of the NSX Manager cluster or an individual NSX Manager node for a workload domain with a self-signed certificate generated by NSX Manager. Then, you add the self-signed certificate to the SDDC Manager trust store.
- Log in to NSX Manager cluster at https://<nsx_manager_fqdn>/login.jsp?local=true as admin.
Add a certificate exception to your Web browser if the certificate of the NSX Manager cluster FQDN has expired.
- Identify the expired certificates.
- In the navigation bar, click System.
- In the left pane, under Settings, click Certificates.
- On the Certificates tab, check the Validity column.
- Generate self-signed certificates for the NSX Manager entities with expired certificates.
- On the Certificates tab, select .
- Enter the CSR information and click Save.
Option Description Common Name Enter the fully qualified domain name (FQDN) of the node.
For example, nsx-wld-01.vrack.vsphere.local.
Name Assign a name for the certificate. For example, nsx-wld-01.vrack.vsphere.local.
Organization Unit Enter the department in your organization that is handling this certificate.
For example, VMware Engineering.
Organization Name Enter your organization name with applicable suffixes.
For example, VMware.
Locality Add the city in which your organization is located.
For example, Palo Alto.
State Add the state in which your organization is located.
For example, California.
Country/Region Add your organization location.
For example, United States (US).
Algorithm Set the encryption algorithm for your certificate.
For example, RSA.Key Size Set the key bits size of the encryption algorithm.
For example, 2048.Service Certificate To use the certificate with an NSX Manager appliance, toggle to No. Number of days Enter the validity of the certificate starting from today. Description Enter specific details to help you identify this certificate at a later date. - Click Save.
- Repeat the steps for all remaining NSX Manager entities whose certificates have expired.
- Аpply the self-signed certificates to the NSX Manager entities.
- On the Certificates tab, locate and copy the ID of the certificate for the NSX Manager entity.
- From a system that supports the curl command and has access to the NSX Manager nodes, such as the vCenter Server or SDDC Manager appliance, run the following command to install the self-signed certificate on the NSX Manager cluster or an NSX Manager node.
You run the command on the cluster or on the individual node.
Use the certificate ID you copied from the NSX Manager UI.
NSX Manager Entity with Expired Certificate Certificate Replacement Command NSX Manager cluster curl -H 'Accept: application/json' -H 'Content-Type: application/json' --insecure -u 'admin:<nsx_admin_password>' -X POST 'https://<nsx_manager_cluster_fqdn>/api/v1/trust-management/certificates/<certificate-id>?action=apply_certificate&service_type=MGMT_CLUSTER'
NSX Manager node curl -H 'Accept: application/json' -H 'Content-Type: application/json' --insecure -u 'admin:<nsx_admin_password>' -X POST 'https://<nsx_manager_node_fqdn>/api/v1/node/services/http?action=apply_certificate&certificate_id=<certificate_id>'
- Repeat the steps for all remaining NSX Manager nodes with expired certificate.
- Add the self-signed NSX Manager certificates to the trust store of SDDC Manager.
- Log in to SDDC Manager at https://<sddc_manager_fqdn> as [email protected].
- In the navigation pane, click .
- On the Workload Domains page, click the workload domain the NSX Manager cluster or nodes are part of.
- On the workload domain summary page, click the Certificates tab.
You see a status message that the certificates of the NSX Manager nodes and cluster are not trusted.
- For a self-signed certificate, click review in the status message, review the certificate details and verify that the thumbprint matches the thumbprint of the self-signed certificate for the node.
- After reviewing a self-signed certificate, click Trust Certificate.
- Review and mark as trusted the remaining self-signed NSX Manager certificates.
- After all certificates for NSX Manager become active, install CA-signed certificates for all FQDNs related to NSX Manager.
See Managing Certificates in the VMware Cloud Foundation Administration Guide
. - (Optional) Remove the self-signed certificates from the trust store of SDDC Manager after you replace them with а CA-signed one.
See Remove Old or Unused Certificates from SDDC Manager in the VMware Cloud Foundation Administration Guide.
- Remove the expired and self-signed certificates from NSX Manager after you applied CA-signed ones.
Replace an Expired vCenter Server Certificate
In VMware Cloud Foundation, you temporarily replace an expired certificate of a workload domain vCenter Server with a VMCA-signed one by using the vSphere Certificate Manager utility.
- Log in to vCenter Server as root by using a Secure Shell (SSH) client.
- To switch to the Bash shell, run the shell command.
- Start the vSphere Certificate Manager by running the following command.
/usr/lib/vmware-vmca/bin/certificate-manager
- Select option 3, Replace Machine SSL certificate with VMCA Certificate.
- Enter the [email protected] credentials.
- If you are replacing the vCenter Server certificate with a new VMCA-signed certificate for the first time, enter the properties of the VMCA-signed certificate and confirm continuing the operation.
- Two-letter country code
- Company name
- Organization name
- Organization unit
- State
- Locality
- IP address (optional)
- Email address
- Host name, that is, the fully qualified domain name of the vCenter Server machine on which you want to replace the certificate. If the host name does not match the FQDN, certificate replacement does not complete correctly and your workload domain might end up in an unstable state.
- VMCA name, that is, the fully qualified domain name of the vCenter Server machine on which the certificate configuration is running.
The VMCA-signed certificate properties are stored in the /usr/lib/vmware-vmca/share/config/certool.cfg file.
Wait until the operation is complete.
- If you have previously generated a VMCA-signed certificate on this workload domain vCenter Server and a certool.cfg file is available, do not reconfigure the certool.cfg file and confirm continuing the operation.
Wait until the operation is complete.
- Verify the status of the vCenter Server instance in SDDC Manager.
- Log in to SDDC Manager at https://<sddc_manager_fqdn> with a user assigned the Admin role.
- In the navigation pane, click .
- On the Workload Domains page, click the workload domain that the vCenter Server instance is part of.
- On the workload domain summary page, click the Certificates tab.
- Verify that the status of the vCenter Server certificate is active.
- Install a CA-signed for the vCenter Server instance in SDDC Manager. See Managing Certificates in the VMware Cloud Foundation Administration Guide.
Replace an Expired SDDC Manager Certificate
You replace an expired SDDC Manager certificate by using SDDC Manager.
- Log in to SDDC Manager at https://<sddc_manager_fqdn> with a user assigned the Admin role.
Add a certificate exception to your Web browser because the certificate of the SDDC Manager has expired.
- In the navigation pane, click .
- On the Workload Domains page, click the management domain.
- On the workload domain summary page, click the Certificates tab.
- Replace the SDDC Manager certificate. See Managing Certificates in the VMware Cloud Foundation Administration Guide.
Backup Operations
Managing backups of the management components of VMware Cloud Foundation regularly provides data protection, facilitates disaster recovery, enhances security and compliance, and supports system updates.
Operation |
When or How Often |
Description |
---|---|---|
Configure a location and a schedule of an external backup. |
|
See the following information in the VMware Cloud Foundation Administration Guide:
For NSX Manager backups, see NSX Manager Backup Configuration. |
You can automate the backup configuration of the SDDC Manager and NSX Local Manager by using the VMware Cloud Foundation API. See Backup and Restore in the VMware Cloud Foundation API reference documentation. | ||
To automate configuring the backup location and schedule of SDDC Manager and NSX Local Manager by using PowerShell, use the |
||
Configure NSX Manager backup retention. |
|
NSX does not support a native option to configure a backup retention policy. To manage retention of the backups with a script, see Remove Old Backups in the NSX Administration Guide. The retention of the backups is for the backup location configured in SDDC Manager. You configure the script only once per VMware Cloud Foundation environment. It is then applied to all NSX Manager backups. |
Run an on-demand backup. |
|
|
You can automate an on-demand backup of SDDC Manager by using the VMware Cloud Foundation API. See Backup and Restore in the VMware Cloud Foundation API reference documentation. |
||
To automate an on-demand backup of SDDC Manager by using PowerShell, use the cmdlet in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation `. |
||
Verify backups. |
At least once a week. |
Manual workflows:
|
To generate a point-in-time health report for your VMware Cloud Foundation environment, use the open-source PowerShell module for VMware Cloud Foundation health reporting. See Generating a Health Report in the documentation of the module. You can also use the following cmdlets:
|
NSX Manager Backup Configuration
Follow additional guidelines when managing NSX Manager backups in VMware Cloud Foundation.
-
NSX does not offer an option to configure a backup retention policy. To manage retention of the backups with a script, see Remove Old Backups in the NSX Administration Guide.
-
NSX Global Managers are not managed by SDDC Manager. You must configure the backup for the NSX Global Manager manually. See to Configure Backups in theNSX Administration Guide.
To reuse the same backup retention policy, configure the backups to use the same SFTP destination as in SDDC Manager .
-
When the backup settings are configured in SDDC Manager, all NSX Local Managers are configured to back up in a common location.
-
When the backup settings are configured in SDDC Manager, the NSX Local Managers that might be deployed when a workload domain is created are configured to back up data in the location and with the schedule defined in SDDC Manager.
-
In the NSX Manager UI, you see backups from different NSX Manager nodes in the
Backup History
. This is expected. -
By default, SDDC Manager configures the NSX Local Managers to back up once every hour. If you want to change the backup schedule or enable automatic backups when the configuration changes, perform these steps:
-
Log in to the NSX Local Manager cluster at https://<nsx_manager_cluster_fqdn> with a user assigned the Enterprise Administrator role.
-
On the System tab, click Backup & Restore and click Edit in Schedule section.
Note:If an active backup task is in progress, this option is grayed-out.
-
Modify the Frequency setting to match your backup schedule.
-
Optional. Turn on Detect NSX configuration change and set the Update Interval to to check for configuration changes every hour.
-
Click Save.
-
Running On-Demand Backups
Management Component | |
---|---|
SDDC Manager |
|
vCenter Server |
|
NSX Manager |
|
ESXi Installation Operations
You install the required version of ESXi, that is compatible with the target VMware Cloud Foundation version, and perform basic configuration tasks right after the installation is complete.
Operation | When or How Often | Description |
---|---|---|
Install ESXi |
|
By default, you install ESXi interactively by using an ISO file you download from the Broadcom Support Portal. You can also create a custom ISO file, for example, to accommodate vendor-specific components. See Prepare ESXi Hosts for VMware Cloud Foundation. |
To automate ESXi installation and post-installation configuration for VMware Cloud Foundation, you can use a Python script for ESXi imaging that creates an ESXi ISO image with an installation script, that is, a kickstart file, from the base ISO image. See the open-source project of the Python script for ESXi imaging. |
Life Cycle Operations
By updating to a later VMware Cloud Foundation version or applying a patch release, you have fixes of important security issues or new features in your environment. Efficient bundle management also reduces the time and number of errors during the upgrade process.
Operation |
When or How Often |
Description |
---|---|---|
Upgrade or update |
|
As a best practice, you run the latest software version to get latest bug fixes and security patches or more features. Before upgrading, check if all third-party integrations are compatible with the Bill of Materials (BoM) of the target version. For more information about upgrading VMware Cloud Foundation, see VMware Cloud Foundation Lifecycle Management . You can use the following options for managing upgrade bundles:
|
Apply patches |
|
|