The appendix aggregates all design decisions that determine the deployment configuration to support the Cloud-Based Intelligent Operations for VMware Cloud Foundation validated solution. You can use this design decision list for reference related to the end state of the environment and potentially to track your level of adherence to the design and any justification for deviations.

Deployment Specification

Table 1. Design Decisions on the Deployment of the VMware Cloud Proxy Appliances

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-CFG-001

Deploy two VMware Cloud Proxy appliances per region.

Provides resilient data collector functionality for VMware Aria Operations.

None.

CBO-CDP-CFG-002

Deploy the VMware Cloud Proxy appliances in the default management vSphere cluster.

Required to establish secure communication between the VMware Cloud Foundation instance and VMware Aria Operations.

The VMware Cloud Proxy appliances must be able to connect to VMware Aria Operations through a firewall.

CBO-CDP-CFG-003

Protect the VMware Cloud Proxy appliances by using vSphere High Availability.

Supports the availability objective without requiring manual intervention during an ESXi host failure.

None.

CBO-CDP-CFG-004

Deploy the VMware Cloud Proxy appliances with the Standard size.

Provides support for the required number of monitored objects.

None.

CBO-CDP-CFG-005

Place the VMware Cloud Proxy appliances in a designated virtual machine folder.

Provides organization of the appliances in the management domain vSphere inventory.

You must create the virtual machine folder before deployment.

CBO-CDP-CFG-006

Enable data persistence on all VMware Cloud Proxy appliances.

Provides the ability to store data in case of connectivity issues.

Storage availability on each VMware Cloud Proxy appliance must be monitored.

CBO-CDP-CFG-007

Create a collector group for each region and assign respective VMware Cloud Proxy appliances per region.

Collector groups pool the Cloud Proxies of a region into a single group that you assign to each cloud account, so that the appropriate Cloud Proxies collect data for that account.

None.

CBO-CDP-CFG-008

Configure each cloud account to use the appropriate collector group per region.

Ensures that region-specific collector groups are used.

None.

CBO-CDP-CFG-009

Apply a vSphere Distributed Resource Scheduler (DRS) anti-affinity rule to the VMware Cloud Proxy appliances.

A vSphere DRS anti-affinity rule prevents the VMware Cloud Proxy appliances from running on the same ESXi host, which would put the high availability of the collector group at risk.

You must perform additional configuration to set up an anti-affinity rule.

Table 2. Design Decisions on the Deployment of the VMware Cloud Proxy Appliances in Multiple Availability Zones

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-CFG-010

When using two availability zones, add the VMware Cloud Proxy appliances to the VM group of the first availability zone.

Ensures that the VMware Cloud Proxy appliances run in the primary availability zone hosts group.

After the implementation of the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the VMware Cloud Proxy appliance.
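The following VMware PowerCLI script is an added example, not part of the validated solution documentation, showing how decisions CBO-CDP-CFG-009 (anti-affinity rule) and CBO-CDP-CFG-010 (AZ1 VM group membership) can be applied idempotently and then verified. The vCenter Server FQDN, cluster, VM, rule and group names are placeholders; a DRS VM group only exists once the second availability zone has been implemented, so the script skips that step when the group is absent.

```powershell
# Added example (not from the VMware design guide): enforce CBO-CDP-CFG-009 and CBO-CDP-CFG-010.
# All names below are placeholders for this example.
$vcenter      = 'mgmt-vc01.example.local'       # assumed management domain vCenter Server
$clusterName  = 'mgmt-cl01'                     # assumed default management vSphere cluster
$proxyVMs     = @('cp01', 'cp02')               # assumed VMware Cloud Proxy VM names
$ruleName     = 'anti-affinity-rule-cloudproxy' # assumed DRS rule name
$az1GroupName = 'mgmt-vmgroup-az1'              # assumed DRS VM group for availability zone 1

Connect-VIServer -Server $vcenter | Out-Null

$cluster = Get-Cluster -Name $clusterName
$vms     = @(Get-VM -Name $proxyVMs -Location $cluster)
if ($vms.Count -ne $proxyVMs.Count) { throw "Not all Cloud Proxy VMs were found in cluster $clusterName" }

# CBO-CDP-CFG-009: a single anti-affinity rule (KeepTogether = $false) keeps the proxies on separate hosts.
$rule = Get-DrsRule -Cluster $cluster -Name $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $rule = New-DrsRule -Cluster $cluster -Name $ruleName -KeepTogether $false -VM $vms -Enabled $true
} elseif (-not $rule.Enabled) {
    # A disabled rule silently defeats the design; re-enable rather than create a duplicate.
    $rule = Set-DrsRule -Rule $rule -Enabled $true
}

# CBO-CDP-CFG-010: in a two-AZ management domain, make sure both proxies are members of the AZ1 VM group.
$az1Group = Get-DrsClusterGroup -Cluster $cluster -Name $az1GroupName -Type VMGroup -ErrorAction SilentlyContinue
if ($az1Group) {
    $missing = @($vms | Where-Object { $az1Group.Member.Name -notcontains $_.Name })
    if ($missing.Count -gt 0) { Set-DrsClusterGroup -DrsClusterGroup $az1Group -VM $missing -Add | Out-Null }
} else {
    Write-Verbose "VM group $az1GroupName not found; assuming a single availability zone."
}

# Verification: a compliant deployment shows the proxies on as many distinct hosts as there are proxies.
$hosts = @($vms | ForEach-Object { $_.VMHost.Name } | Sort-Object -Unique)
[pscustomobject]@{
    Rule          = $rule.Name
    RuleEnabled   = $rule.Enabled
    ProxyVMs      = ($vms.Name -join ', ')
    DistinctHosts = $hosts.Count
    SeparateHosts = ($hosts.Count -eq $vms.Count)
}

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

Run the script from a management workstation with PowerCLI installed and an account that holds the DRS rule and cluster group privileges on the management cluster. `SeparateHosts` being false immediately after the rule is created is expected until DRS performs its next placement pass or you trigger one manually.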

Network Design

Table 3. Design Decisions on Network Segments for the VMware Cloud Proxy Appliances

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-NET-001

Place the VMware Cloud Proxy appliances on the management VLAN.

  • Places the VMware Cloud Proxy appliances on the same network as the VMware Cloud Foundation management components.

  • Cross-region failover is not a requirement for the VMware Cloud Proxy appliances.

Ensures connectivity between the VMware Cloud Proxy appliances and the management domain components in the event of a routing issue.

Table 4. Design Decisions on IP Addressing for the VMware Cloud Proxy Appliances

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-NET-002

Allocate statically assigned IP addresses from the management VLAN to the VMware Cloud Proxy appliances.

Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.

Requires precise IP address management.

Table 5. Design Decisions on Name Resolution for the VMware Cloud Proxy Appliances

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-NET-003

Configure forward and reverse DNS records for the VMware Cloud Proxy appliances IP addresses.

Ensures that the appliances are accessible by using easy-to-remember fully qualified domain names (FQDNs) rather than IP addresses.

  • You must create A and PTR records in DNS for the virtual appliances.

CBO-CDP-NET-004

Configure DNS servers on the VMware Cloud Proxy appliances.

Ensures that the virtual appliances have accurate name resolution.

  • DNS infrastructure services should be highly available in the environment.

  • Firewalls between the appliance and the DNS servers must allow DNS traffic.

  • You must provide two or more DNS servers unless DNS geographic load balancing is active.
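As an added pre-deployment check for CBO-CDP-NET-003, not part of the original design guide, the PowerShell script below confirms that each planned Cloud Proxy FQDN resolves to exactly its allocated static address and that the reverse lookup returns the same name. The FQDN-to-IP map is constructed for the example; it uses only the cross-platform .NET resolver, so it runs from any workstation that uses the same DNS servers the appliances will.

```powershell
# Added example (not from the design guide): validate forward (A) and reverse (PTR) records
# for the Cloud Proxy appliances before deployment. The map below is constructed for this example.
$expected = @{
    'cp01.mgmt.example.local' = '192.0.2.21'   # placeholder FQDN and static IP
    'cp02.mgmt.example.local' = '192.0.2.22'   # placeholder FQDN and static IP
}

function Test-ProxyDnsRecord {
    param([string]$Fqdn, [string]$ExpectedIp)
    $result = [ordered]@{ Fqdn = $Fqdn; ExpectedIp = $ExpectedIp; ForwardOk = $false; ReverseOk = $false; Detail = '' }
    try {
        # Forward lookup: the FQDN must resolve to the single allocated IPv4 address and nothing else.
        $addresses = @([System.Net.Dns]::GetHostAddresses($Fqdn) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString })
        $result.ForwardOk = (($addresses -contains $ExpectedIp) -and ($addresses.Count -eq 1))
        if (-not $result.ForwardOk) { $result.Detail += "A record resolves to [$($addresses -join ',')]. " }

        # Reverse lookup: the address must map back to the same FQDN (DNS names compare case-insensitively).
        $ptr = [System.Net.Dns]::GetHostEntry([System.Net.IPAddress]::Parse($ExpectedIp)).HostName
        $result.ReverseOk = ($ptr.TrimEnd('.') -ieq $Fqdn)
        if (-not $result.ReverseOk) { $result.Detail += "PTR record points to '$ptr'." }
    } catch {
        # NXDOMAIN, unreachable DNS servers or a blocked firewall path all surface here.
        $result.Detail += $_.Exception.Message
    }
    [pscustomobject]$result
}

$report = foreach ($entry in $expected.GetEnumerator()) {
    Test-ProxyDnsRecord -Fqdn $entry.Key -ExpectedIp $entry.Value
}
$report | Format-Table -AutoSize

if ($report | Where-Object { -not ($_.ForwardOk -and $_.ReverseOk) }) {
    Write-Error 'One or more Cloud Proxy DNS records are missing or inconsistent; correct them before deployment.'
}
```

A mismatch between the A and PTR records is worth catching here: certificate validation and log correlation later in the solution both rely on the appliance being known by one consistent name.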

Table 6. Design Decisions on Time Synchronization for the VMware Cloud Proxy Appliances

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-NET-005

Configure NTP servers for the VMware Cloud Proxy appliances.

  • Ensures that the virtual appliances have accurate time synchronization.

  • Assists in the prevention of time mismatch between the appliance and its dependencies.

  • NTP infrastructure services should be highly available in the environment.

  • Firewalls between the appliance and the NTP servers must allow NTP traffic.

  • You must provide two or more NTP servers unless NTP geographic load balancing is active.

Life Cycle Management Design

Table 7. Design Decisions on Life Cycle Management for the VMware Cloud Proxy Appliances

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-LCM-001

Allow automatic life cycle management of the VMware Cloud Proxy appliances by VMware Aria Operations.

Automated upgrades minimize the management burden on administrators.

You should be familiar with the manual upgrade process in case the automated upgrade fails.

VMware Aria Operations Design

Table 8. Design Decisions on Integrations for Cloud-Based Intelligent Operations

Decision ID

Design Decision

Design Justification

Design Implication

CBO-OPS-CFG-001

Configure the VMware Cloud Foundation integration for each VMware Cloud Foundation instance to enable monitoring in VMware Aria Operations.

By configuring the integration for each VMware Cloud Foundation instance, you can configure cloud accounts and adapter instances for vCenter Server, vSAN, and NSX Local Manager.

  • Dedicated credentials for cloud account connectivity must be manually created before configuring the integration.

  • You must activate the integration manually.

CBO-OPS-CFG-002

Activate the VMware Infrastructure Health integration in VMware Aria Operations.

  • Provides a unified operations view of each VMware Cloud Foundation instance including the associated management and workload domains.

  • Provides information on the health of associated management components.

  • You must configure a VMware Cloud Foundation cloud account before activating the integration.

  • You must activate the integration manually.

CBO-OPS-CFG-003

Activate the Ping integration in VMware Aria Operations.

Provides metrics on the availability of endpoints.

You must activate the integration manually.

Table 9. Design Decisions on Cloud Accounts for Cloud-Based Intelligent Operations

Decision ID

Design Decision

Design Justification

Design Implication

CBO-OPS-CFG-004

Configure a VMware Cloud Foundation cloud account for each VMware Cloud Foundation instance with a service account using least-privilege access.

Provides the required access when enabling the VMware Cloud Foundation integration in VMware Aria Operations to collect SDDC Manager metric data.

You must maintain the life cycle, availability, and security controls for the account in Active Directory.

CBO-OPS-CFG-005

Configure a vCenter Server cloud account for each workload domain vCenter Server instance using a dedicated service account with least-privilege access.

Provides the required access when enabling the VMware Cloud Foundation integration in VMware Aria Operations to collect vCenter Server metric data.

You must maintain the life cycle, availability, and security controls for the service account in Active Directory.

CBO-OPS-CFG-006

Enable the vSAN cloud account for each workload domain in the VMware Cloud Foundation instance.

Provides VMware Aria Operations with integration and data collection from all vSAN enabled clusters in the VMware Cloud Foundation instance.

Service account usage across vCenter Server instances expands the risk of losing connectivity from VMware Aria Operations in the event of an account issue.

CBO-OPS-CFG-007

Configure an NSX-T cloud account for each workload domain NSX Local Manager instance using client certificate credentials with least-privilege access, and assign it to the collector group.

  • Provides the required access when enabling the VMware Cloud Foundation integration in VMware Aria Operations to collect NSX Manager metric data.

  • Client certificate credentials remove the need to protect and maintain either a local or Active Directory domain account and password.

You must manage the credentials and the life cycle of certificates and their corresponding private keys.

CBO-OPS-CFG-008

Configure a Ping cloud account for the VMware Cloud Proxy appliances and assign it to the collector group.

Provides metrics on the availability of the VMware Cloud Proxy appliances.

None.

Table 10. Design Decisions on Cloud Accounts in VMware Aria Operations for Multiple VMware Cloud Foundation Instances

Decision ID

Design Decision

Design Justification

Design Implication

CBO-OPS-CFG-009

In an environment with multiple VMware Cloud Foundation instances, configure an SDDC Manager cloud account for each VMware Cloud Foundation instance using a dedicated service account with least-privilege access, and assign it to a VMware Cloud Proxy collector group.

Provides VMware Aria Operations with integration and data collection from all SDDC Manager instances.

None.

Table 11. Design Decisions on VMware Aria Operations Alerts for Cloud-Based Intelligent Operations

Decision ID

Design Decision

Design Justification

Design Implication

CBO-OPS-CFG-010

Define and configure application, virtual machine, and container related alerts.

Alerts can be used to detect and notify administrators about conditions that endanger the operation of individual or groups of workloads running in your environment.

Individual alerts may need to be manually created and maintained.

CBO-OPS-CFG-011

Define and configure virtual infrastructure and ESXi host related alerts.

Alerts can be used to detect and notify administrators about conditions that endanger the operation of your virtual infrastructure as a whole or down to its discrete components.

Individual alerts may need to be manually created and maintained.

CBO-OPS-CFG-012

Define and configure software-defined networking related alerts.

Alerts can be used to detect and notify administrators about conditions that endanger the operation of NSX software-defined networking components.

Individual alerts may need to be manually created and maintained.

CBO-OPS-CFG-013

Define and configure storage related alerts.

Alerts can be used to detect and notify administrators about conditions that endanger the operation of vSAN or disk/file-based storage or individual storage layer components.

Individual alerts may need to be manually created and maintained.

Information Security and Access Control Design

Table 12. Design Decisions on Identity Management for Cloud-Based Intelligent Operations

Decision ID

Design Decision

Design Justification

Design Implication

CBO-IAM-SEC-001

Limit the use of local accounts for interactive or API access and solution integration.

Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity.

You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.

CBO-IAM-SEC-002

Limit the scope and privileges for accounts used for interactive or API access and solution integration.

The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.

You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.

CBO-IAM-SEC-003

Assign VMware Aria Operations service roles to designated users.

To provide access to the VMware Aria Operations service, you assign users to service roles.

You must maintain the service roles required for users of your organization.

Table 13. Design Decisions on Service Accounts for Cloud-Based Intelligent Operations

Decision ID

Design Decision

Design Justification

Design Implication

CBO-OPS-SEC-001

Create and assign least privilege access to an Active Directory user account as a service account in each SDDC Manager instance for application-to-application communication between VMware Aria Operations and SDDC Manager.

Provides integration and data collection of objects managed by SDDC Manager for a VMware Cloud Foundation instance.

You must maintain the life cycle, availability, and security controls for the account in Active Directory.

CBO-OPS-SEC-002

Define a custom vCenter Server role for VMware Aria Operations that has minimum privileges required to support a vCenter Server cloud account.

VMware Aria Operations integrates with each workload domain vCenter Server instance using the minimum set of privileges required to support the cloud account.

  • You must maintain the privileges required by the custom vSphere role.

  • If additional workload domain vCenter Server instances are not in the same vCenter Single Sign-On domain, the custom role must be applied to each vCenter Single Sign-On domain.

CBO-OPS-SEC-003

Create and assign the Enterprise Admin role using an NSX client certificate credential for each workload domain NSX Local Manager instance for application-to-application communication between VMware Aria Operations and NSX Manager.

  • Provides integration and data collection of objects managed by NSX Manager for a given workload domain.

  • Client certificate credentials remove the need to protect and maintain either a local or Active Directory domain account and password.

You must manage the credential and the life cycle of certificates and their corresponding private keys.

CBO-OPS-SEC-004

Create and assign the custom vCenter Server role to an Active Directory user account as a service account for each workload domain vCenter Server instance for application-to-application communication between VMware Aria Operations and vCenter Server.

  • Provides integration and data collection of objects managed by the vCenter Server for a given workload domain.

  • Limiting the use of a service account reduces the risk in the case of either a security or a password-related event.

  • Using a named Active Directory account provides for auditability unlike generic administrative accounts.

You must maintain the life cycle, availability, and security controls for the account in Active Directory.

CBO-OPS-SEC-005

Use the vCenter Server service account for data collection on vSAN cloud accounts.

As a service managed by vCenter Server, vSAN does not require separate credentials for the integration to function.

None.
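The PowerCLI script below is an added example, not the role definition from the validated solution, illustrating how CBO-OPS-SEC-002 and CBO-OPS-SEC-004 can be implemented and audited in one pass: a custom role is created or reconciled against an approved privilege list, then assigned to a named Active Directory service account at the inventory root with propagation. The vCenter Server FQDN, role name, account name and the privilege list are placeholders; the three privileges shown are the read-only baseline, and the actual minimum set must come from the cloud account requirements for your VMware Aria Operations version.

```powershell
# Added example (not from the design guide): custom least-privilege vCenter Server role for the
# VMware Aria Operations cloud account. Names and the privilege list below are placeholders.
$vcenter        = 'wld01-vc01.example.local'   # assumed workload domain vCenter Server FQDN
$roleName       = 'Aria Operations Collector'  # assumed custom role name
$serviceAccount = 'EXAMPLE\svc-aria-vcenter'   # assumed Active Directory service account
$privilegeIds   = @('System.Anonymous', 'System.Read', 'System.View')  # placeholder: read-only baseline only

Connect-VIServer -Server $vcenter | Out-Null

# Resolve privilege IDs to objects up front; a typo in the approved list fails here instead of
# silently producing a role with fewer privileges than reviewed.
$privileges = foreach ($id in $privilegeIds) { Get-VIPrivilege -Id $id -ErrorAction Stop }

$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privileges
} else {
    # Reconcile drift: remove privileges that are no longer approved, then add any that are missing.
    $current = @($role.PrivilegeList)
    $extra   = @($current | Where-Object { $privilegeIds -notcontains $_ })
    $missing = @($privilegeIds | Where-Object { $current -notcontains $_ })
    if ($extra.Count -gt 0)   { $role = Set-VIRole -Role $role -RemovePrivilege (Get-VIPrivilege -Id $extra) }
    if ($missing.Count -gt 0) { $role = Set-VIRole -Role $role -AddPrivilege (Get-VIPrivilege -Id $missing) }
}

# Assign the role to the named service account at the inventory root with propagation, so the
# collector can see every object in the workload domain without holding any administrative role.
$root = Get-Folder -NoRecursion
$perm = Get-VIPermission -Entity $root -Principal $serviceAccount -ErrorAction SilentlyContinue
if (-not $perm) {
    New-VIPermission -Entity $root -Principal $serviceAccount -Role $role -Propagate $true | Out-Null
} elseif ($perm.Role -ne $role.Name -or -not $perm.Propagate) {
    Set-VIPermission -Permission $perm -Role $role -Propagate $true | Out-Null
}

# Audit view: compare this output with the approved minimum privilege list during access reviews.
Get-VIPermission -Entity $root -Principal $serviceAccount |
    Select-Object Principal, Role, Propagate,
        @{ n = 'Privileges'; e = { (Get-VIRole -Name $_.Role).PrivilegeList -join ', ' } }

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

Because roles are defined per vCenter Single Sign-On domain, run the script once against a vCenter Server in each Single Sign-On domain that hosts workload domains, which is the implication recorded for CBO-OPS-SEC-002.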

Table 14. Design Decisions on Password Policies for Cloud-Based Intelligent Operations

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-SEC-001

Configure the local user password expiration policy for each VMware Cloud Proxy instance.

  • You configure the local user password expiration policy for each VMware Cloud Proxy instance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The local user password expiration policy is applicable to the root account for the VMware Cloud Proxy appliance.

You must manage the local user password expiration settings on each VMware Cloud Proxy instance by using the appliance console.

CBO-CDP-SEC-002

Configure the local user password complexity policy for each VMware Cloud Proxy instance.

  • You configure the local user password complexity policy for each VMware Cloud Proxy instance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The local user password complexity policy is applicable only to the local VMware Cloud Proxy appliance users.

You must manage the local user password complexity settings on each VMware Cloud Proxy instance by using the appliance console.

CBO-CDP-SEC-003

Configure the local user account lockout policy for each VMware Cloud Proxy instance.

  • You configure the local user account lockout policy for each VMware Cloud Proxy instance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The local user account lockout policy is applicable only to the local VMware Cloud Proxy appliance users.

You must manage the local user account lockout settings on each VMware Cloud Proxy instance by using the appliance console.

Table 15. Design Decisions on Password Management for Cloud-Based Intelligent Operations

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-SEC-004

Change the root password for each VMware Cloud Proxy appliance on a recurring or event-initiated schedule.

By default, the password for the VMware Cloud Proxy appliance root account expires every 90 days.

You must manage the local user password expiration settings on each VMware Cloud Proxy appliance using the virtual appliance console.

CBO-OPS-SEC-006

For each vCenter Server cloud account, change the service account password on a recurring or event-initiated schedule.

To maintain a secure platform, rotate service account passwords on a regular basis.

Performing password rotation for a service account is a manual process. Update the associated credentials in the VMware Aria Operations service.

CBO-OPS-SEC-007

For each SDDC Manager cloud account, change the service account password on a recurring or event-initiated schedule.

To maintain a secure platform, rotate service account passwords on a regular basis.

Performing password rotation for a service account is a manual process. Update the associated credentials in the VMware Aria Operations service.
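As an added example that is not part of the design guide, the PowerCLI script below audits CBO-CDP-SEC-001 and CBO-CDP-SEC-004 across the Cloud Proxy appliances without logging in to each console: it runs the read-only `chage -l root` through VMware Tools, parses the password ageing fields, and reports whether the configured maximum age meets the organization's limit and how many days remain before the root password expires. It assumes VMware Tools is running in the appliances, that the operator holds the appliance root credential, and that the output is in the English locale; the vCenter Server and VM names are placeholders.

```powershell
# Added example (not from the design guide): audit root password ageing on the Cloud Proxy appliances.
# Assumes VMware Tools is running in each appliance; names below are placeholders.
$vcenter  = 'mgmt-vc01.example.local'   # assumed management domain vCenter Server
$proxyVMs = @('cp01', 'cp02')           # assumed Cloud Proxy VM names
$maxDays  = 90                          # organization's maximum password age (appliance default is 90 days)
$warnDays = 14                          # flag appliances whose root password expires within this window

Connect-VIServer -Server $vcenter | Out-Null
$rootCred = Get-Credential -UserName 'root' -Message 'Cloud Proxy appliance root password'

function Get-RootPasswordStatus {
    param([string]$VmName, [pscredential]$Credential, [int]$MaxDays, [int]$WarnDays)
    $vm = Get-VM -Name $VmName
    # 'chage -l' only reads the shadow ageing fields, so this is safe to run on a recurring schedule.
    $out = Invoke-VMScript -VM $vm -GuestCredential $Credential -ScriptType Bash -ScriptText 'chage -l root'

    # Each output line has the form "<field name> : <value>"; collect them into a lookup table.
    $fields = @{}
    foreach ($line in ($out.ScriptOutput -split "`n")) {
        if ($line -match '^\s*(.+?)\s*:\s*(.+?)\s*$') { $fields[$matches[1]] = $matches[2] }
    }

    $configuredMax = [int]$fields['Maximum number of days between password change']
    $expires       = $fields['Password expires']
    $daysLeft      = if ($expires -eq 'never') { $null } else { ([datetime]::Parse($expires) - (Get-Date)).Days }

    [pscustomobject]@{
        Appliance       = $VmName
        LastChanged     = $fields['Last password change']
        MaxDaysSet      = $configuredMax
        # A value of 0 or an unreasonably large value means expiration is effectively disabled.
        PolicyCompliant = ($configuredMax -gt 0 -and $configuredMax -le $MaxDays)
        DaysUntilExpiry = $daysLeft
        RotateSoon      = ($null -ne $daysLeft -and $daysLeft -le $WarnDays)
    }
}

$proxyVMs |
    ForEach-Object { Get-RootPasswordStatus -VmName $_ -Credential $rootCred -MaxDays $maxDays -WarnDays $warnDays } |
    Format-Table -AutoSize

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

Scheduling this report ahead of the 90-day expiry gives the event-initiated trigger that CBO-CDP-SEC-004 calls for, so the root password is rotated before an expired account interrupts access to the appliance console.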