To keep operations such as password management, backup and restore, certificate management, and license management non-disruptive, and to keep your VMware Cloud Foundation environment performing well, follow the best practices below. They are based on industry expertise and previous successful deployments.

Applying Security Policies

As part of your VMware Cloud Foundation environment deployment and operation, you include security considerations according to risk assessment, legal requirements, industry best practices, and the objectives of your organization.

Table 1. Example Security Considerations When Operating VMware Cloud Foundation

Area

More Information

Telemetry

Join the Customer Experience Improvement Program ("CEIP") to share technical information with VMware about the use of VMware products by your organization. See Configure CEIP in the VMware Cloud Foundation Administration Guide.

Passwords
  • Password complexity

  • Password expiration

  • Account lockout

See Password Policy Configuration for VMware Cloud Foundation.

Users and roles

  • Implement role-based access control.

  • Limit the use of local accounts for interactive access, API access, and solution integration.

  • Limit the scope and privileges of the accounts used for interactive access, API access, and solution integration.

  • Assign Active Directory security groups to default or custom roles, as applicable, for interactive or API access to solution components based on your organization's business and security requirements.

See Managing Users and Groups in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.

Certificates
  • Certificate authority

  • Custom certificates

See Managing Certificates in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.

Backups

  • Backup configuration

  • Backup schedules

  • Backup retention intervals

See Backup and Restore of VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.

Monitoring and Alerting

Monitoring the underlying physical infrastructure, and the management and customer workloads in VMware Cloud Foundation in real time helps you prevent outages and plan future hardware needs.

Choose one or more monitoring solutions according to the setup of your environment.

Solution: Intelligent Operations Management for VMware Cloud Foundation
Description: Use VMware Aria Operations for proactive management of system failures by reviewing and acting on events and alerts. Information is collected in the form of structured data (metrics).

Solution: PowerShell Module for VMware Cloud Foundation Reporting
Description: Use the cmdlets in the VMware.CloudFoundation.Reporting PowerShell module to generate insights into the operational state of VMware Cloud Foundation. You can quickly access information from the PowerShell console and generate several types of reports in HTML format.

Solution: Health Reporting and Monitoring for VMware Cloud Foundation
Description: Generate reports in HTML format, and use custom dashboards, alerts, and notifications in VMware Aria Operations to monitor the health of your environment.

Solution: Intelligent Network Visibility for VMware Cloud Foundation
Description: Use VMware Aria Operations for Networks for network visibility and analytics to improve micro-segmentation security, minimize risk during application migration, optimize network performance, and manage and scale NSX and Kubernetes deployments.

Password Operations

The following measures strengthen the security posture of your VMware Cloud Foundation environment.

  • Monitoring passwords supports compliance, access control, and risk mitigation in your VMware Cloud Foundation environment.
  • Password policies, including complexity, expiration, and account lockout, enforce secure practices.
  • Complexity requirements strengthen passwords, expiration forces regular changes, and account lockout limits repeated unauthorized login attempts such as brute-force guessing.
Table 2. Best Practices for Password Operations in VMware Cloud Foundation

Operation

When or How Often

Description

Set or update password policies.

  • After management domain deployment.

  • After VI workload domain deployment.

  • After adding a vSphere cluster.

  • After expanding a vSphere cluster.

  • If the password policies of your organization are updated.

Configure password policies of the management components of VMware Cloud Foundation manually for each component or in an automated way by using the VMware.CloudFoundation.PasswordManagement PowerShell module. See Password Policy Configuration for VMware Cloud Foundation.

For password policy configuration of products that are not part of the VMware Cloud Foundation automation, follow their product documentation.

Monitor account password expiration.

Once a week or according to the policy of your organization.

The SDDC Manager UI shows a notification for account passwords managed by SDDC Manager that are expiring in the next 14 days.

To monitor the account passwords managed by SDDC Manager by using custom dashboards, alerts, and notifications in VMware Aria Operations, use the open-source Python module for VMware Cloud Foundation health monitoring. See the Health Reporting and Monitoring for VMware Cloud Foundation validated solution.

To generate a point-in-time health report for your VMware Cloud Foundation environment, use the open-source PowerShell module for VMware Cloud Foundation health reporting. See Generating a Health Report in the documentation of the module.

Enable account password auto-rotation (schedule rotation).

  • After management domain deployment.

  • After VI workload domain deployment.

To enable password auto-rotation for an account in a management component, use the SDDC Manager UI. See Rotate Passwords in the VMware Cloud Foundation Administration Guide.

To automate enabling auto-rotation for an account, use the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation.

You can integrate a third-party or custom utility that uses the VMware Cloud Foundation API for password rotation. See Credentials in the VMware Cloud Foundation API reference documentation.

Rotate or update an account password.

  • Before the account password expires.

  • Over a regular interval.

  • Upon an event.

    • When the policies of your organization are changed.

    • When a privileged user is leaving the organization.

The following options for password rotation exist:

  • Rotate passwords for accounts in the components managed by SDDC Manager.

    SDDC Manager sets a randomly generated password according to the password complexity it supports.

    See Rotate Passwords in the VMware Cloud Foundation Administration Guide.

  • Update the passwords of accounts in the SDDC Manager appliance and local account (API) passwords. See Updating SDDC Manager Passwords in the VMware Cloud Foundation Administration Guide.

To automate the rotation of account passwords, use the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation.

To automate the rotation of account passwords by using PowerShell, use the Get-VCFCredential and Set-VCFCredential cmdlets in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation.

Remediate an account password.

If a password has expired.

To remediate a password, use the SDDC Manager UI. See Remediate Passwords in the VMware Cloud Foundation Administration Guide.

Caution:

If you try to rotate an expired password, the task might fail. You must cancel or resolve and retry the failed password management tasks in the SDDC Manager UI.

You can automate password remediation by using the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation.

To automate password remediation by using PowerShell, use the Get-VCFCredential and Set-VCFCredential cmdlets in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation.

Look up account credentials.

If you must log in using an account managed by SDDC Manager.

To look up account credentials manually, use the lookup_passwords command in the SDDC Manager appliance. See Look Up Account Credentials in the VMware Cloud Foundation Administration Guide.

You can automate password retrieval, by using the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation.

To automate credential retrieval by using PowerShell, use the Get-VCFCredential cmdlet in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation.

Reset a password.

If a lost account password cannot be retrieved from SDDC Manager or other secure storage.

See the following documentation:

If the account password is managed by SDDC Manager, after the reset operation is complete, follow the guidelines for remediating passwords in this table.

Important:

You cannot reset a lost ESXi root password. You must remove the ESXi host from the SDDC Manager inventory and reinstall ESXi.

Caution: If a password management operation in SDDC Manager fails, you see a message on the Security > Password Management page. Such a failed operation might have a lock that impacts other operations in SDDC Manager. To release the lock, click Cancel in the message dialog box, or resolve the issue and click Retry.
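As an added example (not VMware code and not part of this guide), the following Python script shows how the operations in Table 2 can be planned from a credential listing rather than by hand: it measures each SDDC Manager-managed password against the maximum age in your password policy, chooses REMEDIATE instead of ROTATE for a password that has already expired (the Caution above), flags accounts that have no auto-rotation policy, and builds the PATCH /v1/credentials request body. The credential records are constructed, and the field names of the listing and of the request body are assumptions to verify against the Credentials section of the VMware Cloud Foundation API reference for your version.

```python
"""Plan SDDC Manager credential operations from a credential listing.

Added example, not VMware code. Assumed: the shape of GET /v1/credentials
items (resourceName, resourceType, username, credentialType,
modificationTimestamp, autoRotatePolicy) and of the PATCH /v1/credentials
body. Check both against the VCF API reference for your version."""
from datetime import datetime, timezone

# Constructed sample resembling GET /v1/credentials items (not real data).
SAMPLE_CREDENTIALS = [
    {"resourceName": "vcenter-wld-01.vrack.vsphere.local", "resourceType": "VCENTER",
     "username": "root", "credentialType": "SSH",
     "modificationTimestamp": "2023-12-20T08:00:00.000Z", "autoRotatePolicy": None},
    {"resourceName": "vcenter-wld-01.vrack.vsphere.local", "resourceType": "VCENTER",
     "username": "administrator@vsphere.local", "credentialType": "SSO",
     "modificationTimestamp": "2024-01-10T08:00:00.000Z", "autoRotatePolicy": None},
    {"resourceName": "nsx-wld-01.vrack.vsphere.local", "resourceType": "NSXT_MANAGER",
     "username": "admin", "credentialType": "API",
     "modificationTimestamp": "2024-03-20T08:00:00.000Z",
     "autoRotatePolicy": {"frequencyInDays": 30}},
    {"resourceName": "esxi-1.vrack.vsphere.local", "resourceType": "ESXI",
     "username": "root", "credentialType": "SSH",
     "modificationTimestamp": "2024-03-28T08:00:00.000Z", "autoRotatePolicy": None},
]
NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)  # fixed so the output is reproducible


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def password_state(cred, now=NOW, max_age_days=90, warn_days=14):
    """'EXPIRED', 'EXPIRING' (inside the warning window, 14 days like the
    SDDC Manager notification) or 'OK'. The listing carries no expiry date,
    so age is measured against the maximum password age of your policy."""
    age_days = (now - _parse_ts(cred["modificationTimestamp"])).days
    if age_days >= max_age_days:
        return "EXPIRED"
    if age_days >= max_age_days - warn_days:
        return "EXPIRING"
    return "OK"


def plan_operations(creds, now=NOW, max_age_days=90, warn_days=14):
    """Map (resourceName, username) to the action it needs. An expired
    password is remediated, not rotated: a rotate task on an expired
    password might fail and leave a lock behind (Caution in Table 2)."""
    plan = {}
    for cred in creds:
        key = (cred["resourceName"], cred["username"])
        state = password_state(cred, now, max_age_days, warn_days)
        if state == "EXPIRED":
            plan[key] = "REMEDIATE"
        elif state == "EXPIRING":
            plan[key] = "ROTATE"
        elif not cred.get("autoRotatePolicy"):
            plan[key] = "ENABLE_AUTO_ROTATE"  # planning label, not an API operationType
        else:
            plan[key] = "NONE"
    return plan


def build_credentials_patch(operation, creds, new_passwords=None):
    """Body for PATCH /v1/credentials (assumed schema). ROTATE lets SDDC
    Manager generate the password; UPDATE and REMEDIATE need the new one,
    keyed by (resourceName, username), and refuse to proceed without it."""
    if operation not in ("ROTATE", "UPDATE", "REMEDIATE"):
        raise ValueError(f"unsupported operationType {operation!r}")
    new_passwords = new_passwords or {}
    elements = []
    for cred in creds:
        entry = {"credentialType": cred["credentialType"], "username": cred["username"]}
        if operation != "ROTATE":
            key = (cred["resourceName"], cred["username"])
            if key not in new_passwords:
                raise ValueError(f"{operation} requires a new password for {key}")
            entry["password"] = new_passwords[key]
        elements.append({"resourceName": cred["resourceName"],
                         "resourceType": cred["resourceType"],
                         "credentials": [entry]})
    return {"operationType": operation, "elements": elements}


def redacted(cred):
    """Copy of a credential record that is safe to log: the lookup APIs and
    Get-VCFCredential return the password in clear text, so never write
    the raw record to a log or a ticket."""
    return {k: ("***" if k == "password" else v) for k, v in cred.items()}


if __name__ == "__main__":
    for key, action in sorted(plan_operations(SAMPLE_CREDENTIALS).items()):
        print(f"{key[0]:40} {key[1]:30} {action}")
```

Feed the script the output of GET /v1/credentials in place of SAMPLE_CREDENTIALS and treat that output as a secret, which is why redacted() exists. The password age threshold must match the policy you configured with the VMware.CloudFoundation.PasswordManagement module; the 90-day value here is only an assumption.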

License Operations

When deploying management components, VMware Cloud Foundation requires access to valid license keys. You add license keys to the SDDC Manager inventory so that they can be consumed at deployment time, but they are not synchronized between SDDC Manager and the underlying components.

Table 3. Best Practices for License Operations in VMware Cloud Foundation

Operation

When or How Often

Description

Add licenses.

Insufficient license capacity for expanding an environment.

To add license keys manually, use the SDDC Manager UI. See Managing License Keys in the VMware Cloud Foundation Administration Guide.

You can automate adding license keys by using the VMware Cloud Foundation API. See License Keys in the VMware Cloud Foundation API reference documentation.

To automate adding license keys by using PowerShell, use the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation.

Replace expired licenses.

A license has expired or is expiring.

You must update or delete the license key. You have the same management options as when adding licenses.

Replace existing licenses.

You upgrade product licenses to a higher edition.

You must update the license keys. You have the same management options as when adding licenses.

Monitor licenses.

Once a week.

The SDDC Manager UI shows an alert if a license is expiring in the next 30 days.

SDDC Manager pulls license information from managed products to determine if they are using a license that is in the SDDC Manager inventory. SDDC Manager UI shows license usage on the Administration > Licensing page.

Certificate Operations

By actively managing certificates in VMware Cloud Foundation, organizations can maintain secure communication, establish trust, protect sensitive data, meet compliance requirements, and respond effectively to certificate-related incidents or vulnerabilities.

Table 4. Best Practices for Certificate Operations in VMware Cloud Foundation

Operation

When or How Often

Description

Replace self-signed certificates.

  • After management domain deployment.

  • After VI workload domain deployment by using SDDC Manager.

  • To manage custom certificates for most management components, use the SDDC Manager UI. See Managing Certificates in the VMware Cloud Foundation Administration Guide.
  • You can automate certificate management by using the VMware Cloud Foundation API. See Certificates in the VMware Cloud Foundation API reference documentation.
  • To automate certificate management by using PowerShell, use the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation.

You can upload custom certificates to ESXi hosts manually on each host or in an automated way by using the VMware.CloudFoundation.CertificateManagement PowerShell module. See ESXi Certificate Management for VMware Cloud Foundation.

Note:
  • If you have deployed the management domain on ESXi hosts with external certificates, use ESXi hosts with custom certificates for the whole environment.
  • If you have switched to using ESXi hosts with external certificates in the management domain, all ESXi hosts in new workload domains must use external certificates.

  • If you replaced the certificate for a VMware Cloud Foundation component outside of SDDC Manager, add the certificate to the SDDC Manager trust store. See Managing Certificates in the VMware Cloud Foundation Administration Guide.

Replace signed certificates from a trusted certificate authority.

  • After management domain deployment.

  • After VI workload domain deployment.

  • The key length must be modified.

  • A certificate has expired or its expiration date is close.

  • The certificate authority or the private key has been compromised.

  • A certificate has been revoked by the issuing certificate authority.

Follow the same guidelines as when replacing self-signed certificates.

Identify expiring certificates.

At least once a month.

The SDDC Manager UI shows an alert if a certificate is expiring.

To monitor the expiring certificates managed by SDDC Manager by using custom dashboards, alerts, and notifications in VMware Aria Operations, use the open-source Python module for VMware Cloud Foundation health monitoring. See the Health Reporting and Monitoring for VMware Cloud Foundation validated solution.

To generate a point-in-time health report for your VMware Cloud Foundation environment, use the open-source PowerShell module for VMware Cloud Foundation health reporting. See Generating a Health Report in the documentation of the module.

Replace expired certificates.

The certificate of a management component that is managed by SDDC Manager has expired.

For step-by-step information about replacing expired certificates managed by SDDC Manager, see below.

For information about replacing expired certificates of management components not included in the SDDC Manager automation, see the relevant product documentation.

Order of Replacing Expired Certificates for a Workload Domain

If the certificates of multiple management components have expired, replace them in the following order. The first three steps install temporary certificates only; the CA-signed certificates are installed in the last step.

  1. Replace the certificates of the NSX Manager cluster and nodes with self-signed certificates generated by NSX Manager.

    Do not install CA-signed certificates for NSX Manager by using SDDC Manager yet.

  2. Replace the vCenter Server certificate with a VMCA-signed one.

    Do not install a CA-signed certificate for vCenter Server by using SDDC Manager yet.

  3. If you are replacing expired certificates in the management domain, replace the SDDC Manager certificate.
  4. After all temporary certificates are in place, use the SDDC Manager UI to replace the certificates for NSX Manager and vCenter Server with CA-signed ones.
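As an added example (not VMware code and not part of this guide), the following Python script turns the certificate guidance in Table 4 and the replacement order above into a check you can run against a certificate listing: it classifies each certificate as active, expiring, or expired, flags RSA keys shorter than your policy minimum, sorts the expired ones into the order in which they must be replaced (NSX Manager, then vCenter Server, then SDDC Manager), and compares a thumbprint shown by SDDC Manager with one obtained out of band before you click Trust Certificate. The records are constructed; the field names (issuedTo, notAfter, keySize, publicKeyAlgorithm, thumbprint) are assumptions to verify against the Certificates section of the VMware Cloud Foundation API reference, and the resourceType tag is added here to tie each certificate to its component.

```python
"""Triage certificate expiry for components managed by SDDC Manager.

Added example, not VMware code. Assumed: the field names of
GET /v1/domains/{id}/certificates items and the resourceType tag used
below; check the Certificates section of the VCF API reference."""
from datetime import datetime, timezone

NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)  # fixed so the output is reproducible

# Constructed sample for one VI workload domain plus the management domain.
SAMPLE_CERTIFICATES = [
    {"issuedTo": "nsx-wld-01.vrack.vsphere.local", "resourceType": "NSXT_MANAGER",
     "domain": "wld-01", "notAfter": "2024-03-15T00:00:00.000Z",
     "publicKeyAlgorithm": "RSA", "keySize": 2048, "thumbprint": "SHA256:0A:1B:2C:3D"},
    {"issuedTo": "vcenter-wld-01.vrack.vsphere.local", "resourceType": "VCENTER",
     "domain": "wld-01", "notAfter": "2024-03-20T00:00:00.000Z",
     "publicKeyAlgorithm": "RSA", "keySize": 2048, "thumbprint": "SHA256:4E:5F:60:71"},
    {"issuedTo": "sddc-manager.vrack.vsphere.local", "resourceType": "SDDC_MANAGER",
     "domain": "mgmt-01", "notAfter": "2024-04-20T00:00:00.000Z",
     "publicKeyAlgorithm": "RSA", "keySize": 2048, "thumbprint": "SHA256:82:93:A4:B5"},
    {"issuedTo": "esxi-1.vrack.vsphere.local", "resourceType": "ESXI",
     "domain": "wld-01", "notAfter": "2025-04-01T00:00:00.000Z",
     "publicKeyAlgorithm": "RSA", "keySize": 1024, "thumbprint": "SHA256:C6:D7:E8:F9"},
]

# Replacement order for expired certificates, from the section above:
# NSX Manager first, then vCenter Server, then SDDC Manager (management
# domain only). Anything else sorts last.
REPLACEMENT_ORDER = {"NSXT_MANAGER": 0, "VCENTER": 1, "SDDC_MANAGER": 2}


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def expiry_state(cert, now=NOW, warn_days=30):
    """'EXPIRED', 'EXPIRING' (within warn_days of notAfter) or 'ACTIVE'."""
    days_left = (_parse_ts(cert["notAfter"]) - now).days
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "EXPIRING"
    return "ACTIVE"


def replacement_reasons(cert, now=NOW, warn_days=30, min_rsa_bits=2048):
    """Every reason this certificate should be replaced: past or near its
    notAfter date, or an RSA key shorter than the policy minimum (the
    'key length must be modified' trigger in Table 4)."""
    reasons = []
    state = expiry_state(cert, now, warn_days)
    if state != "ACTIVE":
        reasons.append(state)
    if cert.get("publicKeyAlgorithm") == "RSA" and cert.get("keySize", 0) < min_rsa_bits:
        reasons.append("WEAK_KEY")
    return reasons


def expired_replacement_plan(certs, now=NOW):
    """Expired certificates in the order in which they must be replaced."""
    expired = [c for c in certs if expiry_state(c, now) == "EXPIRED"]
    expired.sort(key=lambda c: (REPLACEMENT_ORDER.get(c["resourceType"], 99), c["issuedTo"]))
    return [c["issuedTo"] for c in expired]


def _norm_thumbprint(value):
    value = value.strip()
    for prefix in ("SHA256:", "SHA1:"):
        if value.upper().startswith(prefix):
            value = value[len(prefix):]
    return value.replace(":", "").replace(" ", "").lower()


def thumbprint_matches(cert, observed):
    """Compare the thumbprint SDDC Manager shows with one you obtained out
    of band (for example from the NSX Manager UI) before trusting it;
    tolerates case, colon and space differences between tools."""
    return _norm_thumbprint(cert["thumbprint"]) == _norm_thumbprint(observed)


if __name__ == "__main__":
    for cert in SAMPLE_CERTIFICATES:
        print(f"{cert['issuedTo']:40} {replacement_reasons(cert)}")
    print("replace in this order:", expired_replacement_plan(SAMPLE_CERTIFICATES))
```

Run it monthly, as Table 4 recommends, with the certificate listing of each workload domain; the 30-day warning window matches the kind of alert SDDC Manager raises, and the 2048-bit minimum is an assumption you should align with your own certificate policy.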

Replace Expired NSX Manager Certificates

In VMware Cloud Foundation, you temporarily replace an expired SSL certificate of the NSX Manager cluster or an individual NSX Manager node for a workload domain with a self-signed certificate generated by NSX Manager. Then, you add the self-signed certificate to the SDDC Manager trust store.

  1. Log in to NSX Manager cluster at https://<nsx_manager_fqdn>/login.jsp?local=true as admin.

    Add a certificate exception to your Web browser if the certificate of the NSX Manager cluster FQDN has expired.

  2. Identify the expired certificates.
    1. In the navigation bar, click System.
    2. In the left pane, under Settings, click Certificates.
    3. On the Certificates tab, check the Validity column.
  3. Generate self-signed certificates for the NSX Manager entities with expired certificates.
    1. On the Certificates tab, select Generate > Self Signed Certificate.
    2. Enter the CSR information and click Save.
      Option: Common Name
      Enter the fully qualified domain name (FQDN) of the node. For example, nsx-wld-01.vrack.vsphere.local.

      Option: Name
      Assign a name for the certificate. For example, nsx-wld-01.vrack.vsphere.local.

      Option: Organization Unit
      Enter the department in your organization that is handling this certificate. For example, VMware Engineering.

      Option: Organization Name
      Enter your organization name with applicable suffixes. For example, VMware.

      Option: Locality
      Add the city in which your organization is located. For example, Palo Alto.

      Option: State
      Add the state in which your organization is located. For example, California.

      Option: Country/Region
      Add the country in which your organization is located. For example, United States (US).

      Option: Algorithm
      Set the key algorithm for the certificate. For example, RSA.

      Option: Key Size
      Set the key size in bits. For example, 2048.

      Option: Service Certificate
      To use the certificate with an NSX Manager appliance, toggle to No.

      Option: Number of days
      Enter the validity of the certificate in days, starting from today. Keep it short: this certificate is only a stopgap until the CA-signed one is installed.

      Option: Description
      Enter specific details to help you identify this certificate at a later date.
    3. Click Save.
    4. Repeat the steps for all remaining NSX Manager entities whose certificates have expired.
  4. Apply the self-signed certificates to the NSX Manager entities.
    1. On the Certificates tab, locate and copy the ID of the certificate for the NSX Manager entity.
    2. From a system that supports the curl command and has access to the NSX Manager nodes, such as the vCenter Server or SDDC Manager appliance, run the following command to install the self-signed certificate on the NSX Manager cluster or on an individual NSX Manager node.

      You run the command against the cluster FQDN or against the individual node FQDN, using the certificate ID you copied from the NSX Manager UI.

      Two cautions apply. The --insecure flag is needed only because the certificate that NSX Manager currently presents has expired; it also disables all server verification, so confirm out of band (for example, by comparing the thumbprint shown in the browser) that you are connected to the intended node before sending the admin password. Passing the password inline with -u 'admin:<nsx_admin_password>' records it in the shell history of the appliance; pass -u 'admin' instead and let curl prompt for the password, or clear the shell history afterwards.

      NSX Manager cluster:
      curl -H 'Accept: application/json' -H 'Content-Type: application/json' --insecure -u 'admin:<nsx_admin_password>' -X POST 'https://<nsx_manager_cluster_fqdn>/api/v1/trust-management/certificates/<certificate-id>?action=apply_certificate&service_type=MGMT_CLUSTER'

      NSX Manager node:
      curl -H 'Accept: application/json' -H 'Content-Type: application/json' --insecure -u 'admin:<nsx_admin_password>' -X POST 'https://<nsx_manager_node_fqdn>/api/v1/node/services/http?action=apply_certificate&certificate_id=<certificate_id>'

      The curl command completes without an output message.
    3. Repeat the steps for all remaining NSX Manager nodes with expired certificate.
  5. Add the self-signed NSX Manager certificates to the trust store of SDDC Manager.
    1. Log in to SDDC Manager at https://<sddc_manager_fqdn> as administrator@vsphere.local.
    2. In the navigation pane, click Inventory > Workload Domains.
    3. On the Workload Domains page, click the workload domain the NSX Manager cluster or nodes are part of.
    4. On the workload domain summary page, click the Certificates tab.

      You see a status message that the certificates of the NSX Manager nodes and cluster are not trusted.

    5. For a self-signed certificate, click review in the status message, review the certificate details and verify that the thumbprint matches the thumbprint of the self-signed certificate for the node.
    6. After reviewing a self-signed certificate, click Trust Certificate.
    7. Review and mark as trusted the remaining self-signed NSX Manager certificates.
  6. After all certificates for NSX Manager become active, install CA-signed certificates for all FQDNs related to NSX Manager. See Managing Certificates in the VMware Cloud Foundation Administration Guide.
  7. (Optional) Remove the self-signed certificates from the trust store of SDDC Manager after you replace them with CA-signed ones. See Remove Old or Unused Certificates from SDDC Manager in the VMware Cloud Foundation Administration Guide.
  8. Remove the expired and self-signed certificates from NSX Manager after you have applied CA-signed ones.

Replace an Expired vCenter Server Certificate

In VMware Cloud Foundation, you temporarily replace an expired certificate of a workload domain vCenter Server with a VMCA-signed one by using the vSphere Certificate Manager utility.

  1. Log in to vCenter Server as root by using a Secure Shell (SSH) client.
  2. To switch to the Bash shell, run the shell command.
  3. Start the vSphere Certificate Manager by running the following command.
    /usr/lib/vmware-vmca/bin/certificate-manager
    
  4. Select option 3, Replace Machine SSL certificate with VMCA Certificate.
  5. Enter the administrator@vsphere.local credentials.
  6. If you are replacing the vCenter Server certificate with a new VMCA-signed certificate for the first time, enter the properties of the VMCA-signed certificate and confirm continuing the operation.
    • Two-letter country code
    • Company name
    • Organization name
    • Organization unit
    • State
    • Locality
    • IP address (optional)
    • Email address
    • Host name, that is, the fully qualified domain name of the vCenter Server machine on which you want to replace the certificate. If the host name does not match the FQDN, certificate replacement does not complete correctly and your workload domain might end up in an unstable state.
    • VMCA name, that is, the fully qualified domain name of the vCenter Server machine on which the certificate configuration is running.

    The VMCA-signed certificate properties are stored in the /usr/lib/vmware-vmca/share/config/certool.cfg file.

    Wait until the operation is complete.

  7. If you have previously generated a VMCA-signed certificate on this workload domain vCenter Server and a certool.cfg file is available, do not reconfigure the certool.cfg file and confirm continuing the operation.

    Wait until the operation is complete.

  8. Verify the status of the vCenter Server instance in SDDC Manager.
    1. Log in to SDDC Manager at https://<sddc_manager_fqdn> with a user assigned the Admin role.
    2. In the navigation pane, click Inventory > Workload Domains.
    3. On the Workload Domains page, click the workload domain that the vCenter Server instance is part of.
    4. On the workload domain summary page, click the Certificates tab.
    5. Verify that the status of the vCenter Server certificate is active.
  9. Install a CA-signed certificate for the vCenter Server instance by using SDDC Manager. See Managing Certificates in the VMware Cloud Foundation Administration Guide.

Replace an Expired SDDC Manager Certificate

You replace an expired SDDC Manager certificate by using SDDC Manager.

  1. Log in to SDDC Manager at https://<sddc_manager_fqdn> with a user assigned the Admin role.

    Add a certificate exception to your Web browser because the certificate of the SDDC Manager has expired.

  2. In the navigation pane, click Inventory > Workload Domains.
  3. On the Workload Domains page, click the management domain.
  4. On the workload domain summary page, click the Certificates tab.
  5. Replace the SDDC Manager certificate. See Managing Certificates in the VMware Cloud Foundation Administration Guide.

Backup Operations

Managing backups of the management components of VMware Cloud Foundation regularly provides data protection, facilitates disaster recovery, enhances security and compliance, and supports system updates.

Table 5. Best Practices for Backup Operations in VMware Cloud Foundation

Operation

When or How Often

Description

Configure a location and a schedule of an external backup.

  • After management domain deployment.
  • After VI workload domain deployment.

See the following information in the VMware Cloud Foundation Administration Guide:

For NSX Manager backups, see NSX Manager Backup Configuration.

You can automate the backup configuration of the SDDC Manager and NSX Local Manager by using the VMware Cloud Foundation API. See Backup and Restore in the VMware Cloud Foundation API reference documentation.

To automate configuring the backup location and schedule of SDDC Manager and NSX Local Manager by using PowerShell, use the Get-VCFBackupConfiguration and Set-VCFBackupConfiguration cmdlets in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation.

Configure NSX Manager backup retention.

  • After management domain deployment.
  • If the backup retention policy of your organization has changed.
NSX does not support a native option to configure a backup retention policy. To manage retention of the backups with a script, see Remove Old Backups in the NSX Administration Guide.

The retention of the backups is for the backup location configured in SDDC Manager. You configure the script only once per VMware Cloud Foundation environment. It is then applied to all NSX Manager backups.

Run an on-demand backup.

  • After a successful recovery operation.

  • After resolving asynchronously reported errors in SDDC components.

  • After resolving an incomplete workflow in SDDC Manager.

  • After noting the failure of a scheduled backup of an SDDC component.

  • Before performing a system upgrade.

See Running On-Demand Backups.

You can automate an on-demand backup of SDDC Manager by using the VMware Cloud Foundation API. See Backup and Restore in the VMware Cloud Foundation API reference documentation.

To automate an on-demand backup of SDDC Manager by using PowerShell, use the Start-VCFBackup cmdlet in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation.

Verify backups.

At least once a week.

Manual workflows:

  • On the Administration > Backup page in the SDDC Manager UI, check Last Backup Status.

  • In the vCenter Server Management Interface at https://<vcenter-fqdn>:5480/, go to Backup and check Activity for the date of the last successful backup.

  • In the NSX Manager UI, on the System tab, go to Backup & Restore and check Last Backup Status and Backup History.

To generate a point-in-time health report for your VMware Cloud Foundation environment, use the open-source PowerShell module for VMware Cloud Foundation health reporting. See Generating a Health Report in the documentation of the module.

You can also use the following cmdlets:

  • Request-SddcManagerBackupStatus

  • Request-VcenterBackupStatus

  • Request-NsxtManagerBackupStatus
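As an added example (not VMware code and not part of this guide), the following Python script covers two rows of Table 5: the weekly backup verification, as a check of the last backup of each component against the cadence you expect (hourly for NSX Local Managers, the SDDC Manager default; daily for SDDC Manager and vCenter Server, assumed here), and the backup configuration and on-demand backup requests, with the SFTP host key fingerprint and the encryption passphrase made mandatory. The backup records are constructed to look like what you read from the SDDC Manager Backup page, the vCenter Server Management Interface, and the NSX Backup History; the request body shapes for PATCH /v1/system/backup-configuration and POST /v1/backups/tasks are assumptions to verify against the Backup and Restore section of the VMware Cloud Foundation API reference.

```python
"""Verify last backups and build backup requests for VCF components.

Added example, not VMware code. The records are constructed; the request
body shapes are assumed and must be checked against the VCF API reference."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 4, 1, 9, 0, tzinfo=timezone.utc)  # fixed for reproducibility

# Constructed sample: last known backup per component.
SAMPLE_BACKUPS = [
    {"component": "SDDC_MANAGER", "resource": "sddc-manager.vrack.vsphere.local",
     "status": "Successful", "timestamp": "2024-03-31T20:00:00Z"},
    {"component": "VCENTER", "resource": "vcenter-mgmt.vrack.vsphere.local",
     "status": "Failed", "timestamp": "2024-03-31T20:05:00Z"},
    {"component": "NSXT_MANAGER", "resource": "nsx-mgmt.vrack.vsphere.local",
     "status": "Successful", "timestamp": "2024-04-01T08:10:00Z"},
    {"component": "NSXT_MANAGER", "resource": "nsx-wld-01.vrack.vsphere.local",
     "status": "Successful", "timestamp": "2024-03-31T14:00:00Z"},
]

# Expected cadence plus some slack. Daily schedules for SDDC Manager and
# vCenter Server are assumptions; hourly NSX backups are the SDDC Manager default.
MAX_AGE = {
    "SDDC_MANAGER": timedelta(hours=26),
    "VCENTER": timedelta(hours=26),
    "NSXT_MANAGER": timedelta(hours=2),
}


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def backup_findings(records, now=NOW, max_age=MAX_AGE):
    """(resource, reason) for every backup that failed, is older than its
    cadence allows, or belongs to a component with no cadence defined."""
    findings = []
    for rec in records:
        if rec["status"].lower() != "successful":
            findings.append((rec["resource"], "LAST_BACKUP_FAILED"))
            continue
        limit = max_age.get(rec["component"])
        if limit is None:
            findings.append((rec["resource"], "NO_CADENCE_DEFINED"))
        elif now - _parse_ts(rec["timestamp"]) > limit:
            findings.append((rec["resource"], "STALE"))
    return findings


def backup_configuration_body(server, username, password, directory_path,
                              ssh_fingerprint, passphrase, port=22):
    """Body for PATCH /v1/system/backup-configuration (assumed schema) with an
    SFTP target. The SSH host key fingerprint pins the target so backups
    cannot be redirected to an impostor host, and the passphrase encrypts
    the backup files; neither may be empty."""
    if not ssh_fingerprint or not passphrase:
        raise ValueError("sshFingerprint and encryption passphrase are required")
    return {
        "backupLocations": [{"server": server, "port": port, "protocol": "SFTP",
                             "username": username, "password": password,
                             "directoryPath": directory_path,
                             "sshFingerprint": ssh_fingerprint}],
        "encryption": {"passphrase": passphrase},
    }


def on_demand_backup_body(resource_types=("SDDC_MANAGER",)):
    """Body for POST /v1/backups/tasks (assumed schema), for example to take
    a backup before an upgrade or after a recovery."""
    return {"elements": [{"resourceType": t} for t in resource_types]}


if __name__ == "__main__":
    for resource, reason in backup_findings(SAMPLE_BACKUPS):
        print(f"{resource:40} {reason}")
```

A finding of LAST_BACKUP_FAILED or STALE is the trigger for the on-demand backup row of Table 5; treat the configuration body as a secret, since it carries the SFTP password and the passphrase.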

NSX Manager Backup Configuration

Follow additional guidelines when managing NSX Manager backups in VMware Cloud Foundation.

  • NSX does not offer an option to configure a backup retention policy. To manage retention of the backups with a script, see Remove Old Backups in the NSX Administration Guide.

  • NSX Global Managers are not managed by SDDC Manager. You must configure the backup for the NSX Global Manager manually. See Configure Backups in the NSX Administration Guide.

    To reuse the same backup retention policy, configure the backups to use the same SFTP destination as in SDDC Manager.

  • When the backup settings are configured in SDDC Manager, all NSX Local Managers are configured to back up in a common location.

  • When the backup settings are configured in SDDC Manager, the NSX Local Managers that might be deployed when a workload domain is created are configured to back up data in the location and with the schedule defined in SDDC Manager.

  • In the NSX Manager UI, you see backups from different NSX Manager nodes in the Backup History. This is expected.

  • By default, SDDC Manager configures the NSX Local Managers to back up once every hour. If you want to change the backup schedule or enable automatic backups when the configuration changes, perform these steps:

    1. Log in to the NSX Local Manager cluster at https://<nsx_manager_cluster_fqdn> with a user assigned the Enterprise Administrator role.

    2. On the System tab, click Backup & Restore and click Edit in Schedule section.

      Note:

      If an active backup task is in progress, this option is grayed-out.

    3. Modify the Frequency setting to match your backup schedule.

    4. Optional. Turn on Detect NSX configuration change and set the Update Interval, for example to check for configuration changes every hour.

    5. Click Save.
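Because NSX has no retention setting of its own, old backups accumulate on the SFTP target until something removes them. As an added example (not VMware code and not the script that the NSX Administration Guide provides under Remove Old Backups), the following Python function prunes backup directories by age while always keeping a minimum number of the newest ones, and defaults to a dry run so you can review the list before anything is deleted. The sample tree it builds is constructed with one directory per backup and an mtime equal to the backup time; the real NSX backup directory layout is not reproduced here.

```python
"""Age-based pruning of backup directories on a backup target.

Added example, not VMware code. The directory layout is illustrative."""
import os
import shutil
import tempfile
import time
from pathlib import Path


def prune_backup_dirs(root, keep_days, keep_min=3, now=None, dry_run=True):
    """Return the names of backup directories under root older than keep_days,
    never touching the newest keep_min backups regardless of age, so a long
    outage of the backup job cannot leave you with nothing to restore.
    Deletes only when dry_run is False."""
    now = time.time() if now is None else now
    cutoff = now - keep_days * 86400
    newest_first = sorted((p for p in Path(root).iterdir() if p.is_dir()),
                          key=lambda p: p.stat().st_mtime, reverse=True)
    expendable = [p for p in newest_first[keep_min:] if p.stat().st_mtime < cutoff]
    if not dry_run:
        for path in expendable:
            shutil.rmtree(path)
    return [p.name for p in expendable]


def make_sample_tree():
    """Constructed sample target: one directory per backup with its mtime set
    to the backup time. Returns the root and the reference time used."""
    root = Path(tempfile.mkdtemp(prefix="nsx-backups-"))
    now = time.time()
    for age_days in (0, 1, 2, 5, 10, 40, 90):
        backup = root / f"backup-{age_days:03d}d-old"
        backup.mkdir()
        (backup / "data.bin").write_bytes(b"\x00" * 16)
        stamp = now - age_days * 86400
        os.utime(backup, (stamp, stamp))  # set after writing, so the mtime sticks
    return root, now


def remove_sample_tree(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    root, now = make_sample_tree()
    print("would remove:", prune_backup_dirs(root, keep_days=30, now=now))
    print("removed:", prune_backup_dirs(root, keep_days=30, now=now, dry_run=False))
    remove_sample_tree(root)
```

Run it from a host that mounts or has SSH access to the SFTP backup location, with keep_days set to your retention policy, and keep the dry run in place until the list matches what you expect.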

Running On-Demand Backups

Management Component: SDDC Manager
  1. Log in to SDDC Manager at https://<sddc_manager_fqdn> as administrator@vsphere.local.
  2. In the navigation pane, click Administration > Backup and click Backup Now.

    Wait until the task is complete.

Management Component: vCenter Server
  • For a full vCenter Server backup, see Manually Back Up vCenter Server in the VMware Cloud Foundation Administration Guide.

  • A vCenter Server backup includes the configuration of the entire vCenter Server instance. To back up only the configuration of a vSphere Distributed Switch and its distributed port groups, you export a configuration file that includes the validated network configurations. If you want to recover only the vSphere Distributed Switch, you can import this configuration file into the vCenter Server instance. See Export the Configuration of the vSphere Distributed Switches in the VMware Cloud Foundation Administration Guide.

Management Component: NSX Manager
  1. Log in to the NSX Local Manager cluster at https://<nsx_manager_cluster_fqdn> with a user assigned the Enterprise Administrator role.

  2. On the System tab, click Backup & Restore and click Start Backup.

    Wait until the task is complete.

ESXi Installation Operations

You install the version of ESXi that is compatible with the target VMware Cloud Foundation version, and perform basic configuration tasks right after the installation is complete.

Table 6. Best Practices for ESXi Installation in VMware Cloud Foundation

Operation

When or How Often

Description

Install ESXi.

  • Before management domain deployment.
  • Before VI workload domain deployment.

By default, you install ESXi interactively by using an ISO file you download from the Broadcom Support Portal. You can also create a custom ISO file, for example, to accommodate vendor-specific components. See Prepare ESXi Hosts for VMware Cloud Foundation.

To automate ESXi installation and post-installation configuration for VMware Cloud Foundation, you can use a Python script for ESXi imaging that creates an ESXi ISO image with an installation script, that is, a kickstart file, from the base ISO image. See the open-source project of the Python script for ESXi imaging.

Life Cycle Operations

By updating to a later VMware Cloud Foundation version or applying a patch release, you get fixes for important security issues and new features in your environment. Efficient bundle management also reduces the time and the number of errors during the upgrade process.

Table 7. Best Practices for Life Cycle Operations in VMware Cloud Foundation

Operation

When or How Often

Description

Upgrade or update
  • The later version contains important issue fixes.
  • The later version introduces a new feature that you want to explore.
  • The version that you are running will be out of support soon.

As a best practice, you run the latest software version to get latest bug fixes and security patches or more features.

Before upgrading, check if all third-party integrations are compatible with the Bill of Materials (BoM) of the target version. For more information about upgrading VMware Cloud Foundation, see VMware Cloud Foundation Lifecycle Management.

You can use the following options for managing upgrade bundles:

  • To manage upgrade bundles for VMware Cloud Foundation step-by-step, use the SDDC Manager UI. See Managing Installation and Upgrade Bundles in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.
  • You can automate upgrade bundle management by using the VMware Cloud Foundation API. See Bundles in the VMware Cloud Foundation API reference documentation.
  • To automate bundle management by using a PowerShell-based script, see VMware knowledge base article 94760.
  • To delete bundles that are obsolete or that you do not need anymore, use the Bundle Cleanup Utility. See VMware knowledge base article 75050.
Apply patches
  • A VMware Security Advisory on a security vulnerability in the VMware Cloud Foundation version that you are using is published.
  • An issue that has been reported to VMware Support is fixed and distributed as a patch release.
  • To apply critical patches to specific products, such as NSX Manager, vCenter Server, or ESXi, independently of VMware Cloud Foundation releases, use the Async Patch Tool. See the Async Patch Tool documentation.
  • VMware Security Advisories (VMSA) document the remediation for security vulnerabilities that are reported in VMware products. Sign up for VMSA updates and review new or changed advisories for issues that could affect your environment.