This appendix aggregates all design decisions that determine the deployment configuration supporting the Cloud-Based Intelligent Operations for VMware Cloud Foundation validated solution. You can use this design decision list as a reference for the end state of the environment and to track your level of adherence to the design, together with the justification for any deviations.
Deployment Specification
| Decision ID | Design Decision | Design Justification | Design Implication |
| --- | --- | --- | --- |
| CBO-CDP-CFG-001 | Deploy two VMware Cloud Proxy appliances per region. | Provides resilient data collector functionality for VMware Aria Operations. | None. |
| CBO-CDP-CFG-002 | Deploy the VMware Cloud Proxy appliances in the default management vSphere cluster. | Required to establish secure communication between the VMware Cloud Foundation instance and VMware Aria Operations. | The VMware Cloud Proxy appliances must be able to connect to VMware Aria Operations through a firewall. |
| CBO-CDP-CFG-003 | Protect the VMware Cloud Proxy appliances by using vSphere High Availability. | Supports the availability objective without requiring manual intervention during an ESXi host failure. | None. |
| CBO-CDP-CFG-004 | Deploy the VMware Cloud Proxy appliances with the Standard size. | Provides support for the required number of monitored objects. | None. |
| CBO-CDP-CFG-005 | Place the VMware Cloud Proxy appliances in a designated virtual machine folder. | Organizes the appliances in the management domain vSphere inventory. | You must create the virtual machine folder before deployment. |
| CBO-CDP-CFG-006 | Enable data persistence on all VMware Cloud Proxy appliances. | Allows collected data to be stored locally in case of connectivity issues. | Storage availability on each VMware Cloud Proxy appliance must be monitored. |
| CBO-CDP-CFG-007 | Create a collector group for each region and assign the respective VMware Cloud Proxy appliances of that region to it. | Collector groups pool Cloud Proxies into a single group, which can then be used to define which Cloud Proxies each cloud account uses. | None. |
| CBO-CDP-CFG-008 | Configure each cloud account to use the appropriate collector group for its region. | Ensures that region-specific collector groups are used. | None. |
| CBO-CDP-CFG-009 | Apply a vSphere Distributed Resource Scheduler (DRS) anti-affinity rule to the VMware Cloud Proxy appliances. | The vSphere DRS rule prevents the VMware Cloud Proxy appliances from running on the same ESXi host, which would risk the high availability of the collector group. | You must perform additional configuration to set up the anti-affinity rule. |
| CBO-CDP-CFG-010 | When using two availability zones, add the VMware Cloud Proxy appliances to the VM group of the first availability zone. | Ensures that the VMware Cloud Proxy appliances run on the host group of the primary availability zone. | After implementing the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the VMware Cloud Proxy appliances. |
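The following PowerCLI script is an added example for tracking adherence to CBO-CDP-CFG-001, -003, -009 and -010; it is not part of the validated solution's own documentation. The vCenter Server, cluster, appliance, rule and VM group names are assumed placeholders, and the `-Remediate` switch is an assumed option that creates the missing DRS rule or group membership instead of only reporting.

```powershell
# Added example (not the validated solution's own code): reports, and optionally remediates,
# the DRS placement decisions for the VMware Cloud Proxy appliances using VMware PowerCLI.
param(
    [string]$VIServer     = 'sfo-m01-vc01.example.local',   # management vCenter Server (assumed)
    [string]$ClusterName  = 'sfo-m01-cl01',                 # default management cluster (assumed)
    [string[]]$ProxyNames = @('sfo-cp01', 'sfo-cp02'),      # the two Cloud Proxy appliances (assumed)
    [string]$RuleName     = 'anti-affinity-rule-cloudproxy', # DRS rule name (assumed)
    [string]$Az1VmGroup   = 'sfo-m01-az1-vm-group',         # primary availability zone VM group (assumed)
    [switch]$Remediate                                      # create or update instead of only reporting
)

Connect-VIServer -Server $VIServer | Out-Null
$cluster = Get-Cluster -Name $ClusterName
$proxies = Get-VM -Name $ProxyNames -Location $cluster

# CBO-CDP-CFG-001: both appliances must exist in the management cluster.
if ($proxies.Count -ne $ProxyNames.Count) {
    throw "Expected $($ProxyNames.Count) Cloud Proxy appliances in $ClusterName, found $($proxies.Count)."
}

# CBO-CDP-CFG-003: vSphere HA must be enabled on the cluster that hosts the appliances.
Write-Host ("HA enabled on {0}: {1}" -f $ClusterName, $cluster.HAEnabled)

# CBO-CDP-CFG-009: an enabled "separate virtual machines" rule (KeepTogether = $false) must cover both VMs.
$rule   = Get-DrsRule -Cluster $cluster -Name $RuleName -ErrorAction SilentlyContinue
$ruleOk = $rule -and $rule.Enabled -and -not $rule.KeepTogether -and
          -not (Compare-Object $rule.VMIds ($proxies | ForEach-Object Id))
if (-not $ruleOk -and $Remediate) {
    if ($rule) { Remove-DrsRule -Rule $rule -Confirm:$false }
    $rule   = New-DrsRule -Cluster $cluster -Name $RuleName -KeepTogether $false -VM $proxies -Enabled $true
    $ruleOk = $true
}
Write-Host ("Anti-affinity rule '{0}' compliant: {1}" -f $RuleName, [bool]$ruleOk)

# CBO-CDP-CFG-010: when a second availability zone exists, both appliances belong to the primary AZ VM group.
$group = Get-DrsClusterGroup -Cluster $cluster -Name $Az1VmGroup -Type VMGroup -ErrorAction SilentlyContinue
if ($group) {
    $missing = $proxies | Where-Object { $group.Member.Id -notcontains $_.Id }
    if ($missing -and $Remediate) {
        Set-DrsClusterGroup -DrsClusterGroup $group -VM $missing -Add | Out-Null
        $missing = @()
    }
    Write-Host ("VM group '{0}' contains both appliances: {1}" -f $Az1VmGroup, (-not $missing))
} else {
    Write-Host "VM group '$Az1VmGroup' not found; skipping CBO-CDP-CFG-010 (single availability zone)."
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```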
Network Design
| Decision ID | Design Decision | Design Justification | Design Implication |
| --- | --- | --- | --- |
| CBO-CDP-NET-001 | Place the VMware Cloud Proxy appliances on the management VLAN. | | Ensures connectivity between the VMware Cloud Proxy appliances and the management domain components in the event of a routing issue. |
| CBO-CDP-NET-002 | Allocate statically assigned IP addresses from the management VLAN to the VMware Cloud Proxy appliances. | Using statically assigned IP addresses ensures the stability of the deployment and simplifies maintenance and tracking. | Requires precise IP address management. |
| CBO-CDP-NET-003 | Configure forward and reverse DNS records for the IP addresses of the VMware Cloud Proxy appliances. | Ensures that the appliances are accessible by using easy-to-remember fully qualified domain names (FQDNs) rather than IP addresses. | |
| CBO-CDP-NET-004 | Configure DNS servers on the VMware Cloud Proxy appliances. | Ensures that the virtual appliances have accurate name resolution. | |
| CBO-CDP-NET-005 | Configure NTP servers for the VMware Cloud Proxy appliances. | | |
Life Cycle Management Design
| Decision ID | Design Decision | Design Justification | Design Implication |
| --- | --- | --- | --- |
| CBO-CDP-LCM-001 | Allow automatic life cycle management of the VMware Cloud Proxy appliances by VMware Aria Operations. | Automated upgrades minimize the management burden on administrators. | You should be familiar with the manual upgrade process in case the automated upgrade fails. |
VMware Aria Operations Design
| Decision ID | Design Decision | Design Justification | Design Implication |
| --- | --- | --- | --- |
| CBO-OPS-CFG-001 | Configure the VMware Cloud Foundation integration for each VMware Cloud Foundation instance to enable monitoring in VMware Aria Operations. | By configuring the integration for each VMware Cloud Foundation instance, you can configure cloud accounts and adapter instances for vCenter Server, vSAN, and NSX Local Manager. | |
| CBO-OPS-CFG-002 | Activate the VMware Infrastructure Health integration in VMware Aria Operations. | | |
| CBO-OPS-CFG-003 | Activate the Ping integration in VMware Aria Operations. | Provides metrics on the availability of endpoints. | You must activate the integration manually. |
| CBO-OPS-CFG-004 | Configure a VMware Cloud Foundation cloud account for each VMware Cloud Foundation instance with a service account using least-privilege access. | Provides the required access when enabling the VMware Cloud Foundation integration in VMware Aria Operations to collect SDDC Manager metric data. | You must maintain the life cycle, availability, and security controls for the account in Active Directory. |
| CBO-OPS-CFG-005 | Configure a vCenter Server cloud account for each workload domain vCenter Server instance using a dedicated service account with least-privilege access. | Provides the required access when enabling the VMware Cloud Foundation integration in VMware Aria Operations to collect vCenter Server metric data. | You must maintain the life cycle, availability, and security controls for the service account in Active Directory. |
| CBO-OPS-CFG-006 | Enable the vSAN cloud account for each workload domain in the VMware Cloud Foundation instance. | Provides VMware Aria Operations with integration and data collection from all vSAN-enabled clusters in the VMware Cloud Foundation instance. | Using one service account across vCenter Server instances increases the risk that a single account issue causes VMware Aria Operations to lose connectivity. |
| CBO-OPS-CFG-007 | Configure an NSX-T cloud account for each workload domain NSX Local Manager instance using client certificate credentials with least-privilege access, and assign it to the collector group. | | You must manage the credentials and the life cycle of the certificates and their corresponding private keys. |
| CBO-OPS-CFG-008 | Configure a Ping cloud account for the VMware Cloud Proxy appliances and assign it to the collector group. | Provides metrics on the availability of the VMware Cloud Proxy appliances. | None. |
| CBO-OPS-CFG-009 | In an environment with multiple VMware Cloud Foundation instances, configure an SDDC Manager cloud account for each VMware Cloud Foundation instance using a dedicated service account with least-privilege access, and assign it to a VMware Cloud Proxy collector group. | Provides VMware Aria Operations with integration and data collection from all SDDC Manager instances. | None. |
| CBO-OPS-CFG-010 | Define and configure application, virtual machine, and container related alerts. | Alerts can be used to detect and notify administrators about conditions that endanger the operation of individual workloads or groups of workloads running in your environment. | Individual alerts may need to be manually created and maintained. |
| CBO-OPS-CFG-011 | Define and configure virtual infrastructure and ESXi host related alerts. | Alerts can be used to detect and notify administrators about conditions that endanger the operation of your virtual infrastructure, as a whole or down to its discrete components. | Individual alerts may need to be manually created and maintained. |
| CBO-OPS-CFG-012 | Define and configure software-defined networking related alerts. | Alerts can be used to detect and notify administrators about conditions that endanger the operation of NSX software-defined networking components. | Individual alerts may need to be manually created and maintained. |
| CBO-OPS-CFG-013 | Define and configure storage related alerts. | Alerts can be used to detect and notify administrators about conditions that endanger the operation of vSAN, disk- or file-based storage, or individual storage layer components. | Individual alerts may need to be manually created and maintained. |
Information Security and Access Control Design
| Decision ID | Design Decision | Design Justification | Design Implication |
| --- | --- | --- | --- |
| CBO-IAM-SEC-001 | Limit the use of local accounts for interactive or API access and solution integration. | Local accounts are not specific to a user identity and do not offer complete auditing from an endpoint back to the user identity. | You must define and manage service accounts, security groups, group membership, and security controls in Active Directory. |
| CBO-IAM-SEC-002 | Limit the scope and privileges of accounts used for interactive or API access and solution integration. | The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy. | You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration. |
| CBO-IAM-SEC-003 | Assign VMware Aria Operations service roles to designated users. | To provide access to the VMware Aria Operations service, you assign users to service roles. | You must maintain the service roles required for the users of your organization. |
| CBO-OPS-SEC-001 | Create an Active Directory user account as a service account with least-privilege access in each SDDC Manager instance for application-to-application communication between VMware Aria Operations and SDDC Manager. | Provides integration and data collection of objects managed by SDDC Manager for a VMware Cloud Foundation instance. | You must maintain the life cycle, availability, and security controls for the account in Active Directory. |
| CBO-OPS-SEC-002 | Define a custom vCenter Server role for VMware Aria Operations that has the minimum privileges required to support a vCenter Server cloud account. | VMware Aria Operations integrates with each workload domain vCenter Server instance using the minimum set of privileges required to support the cloud account. | |
| CBO-OPS-SEC-003 | Create and assign the Enterprise Admin role using an NSX client certificate credential for each workload domain NSX Local Manager instance for application-to-application communication between VMware Aria Operations and NSX Manager. | | You must manage the credential and the life cycle of the certificates and their corresponding private keys. |
| CBO-OPS-SEC-004 | Assign the custom vCenter Server role to an Active Directory user account used as a service account for each workload domain vCenter Server instance for application-to-application communication between VMware Aria Operations and vCenter Server. | | You must maintain the life cycle, availability, and security controls for the account in Active Directory. |
| CBO-OPS-SEC-005 | Use the vCenter Server service account for data collection on vSAN cloud accounts. | As a service managed by vCenter Server, vSAN does not require separate credentials for the integration to function. | None. |
| CBO-CDP-SEC-001 | Configure the local user password expiration policy for each VMware Cloud Proxy instance. | | You must manage the local user password expiration settings on each VMware Cloud Proxy instance by using the appliance console. |
| CBO-CDP-SEC-002 | Configure the local user password complexity policy for each VMware Cloud Proxy instance. | | You must manage the local user password complexity settings on each VMware Cloud Proxy instance by using the appliance console. |
| CBO-CDP-SEC-003 | Configure the local user account lockout policy for each VMware Cloud Proxy instance. | | You must manage the local user account lockout settings on each VMware Cloud Proxy instance by using the appliance console. |
| CBO-CDP-SEC-004 | Change the root password for each VMware Cloud Proxy appliance on a recurring or event-initiated schedule. | By default, the password for the VMware Cloud Proxy appliance root account expires every 90 days. | You must manage the local user password expiration settings on each VMware Cloud Proxy appliance by using the virtual appliance console. |
| CBO-OPS-SEC-006 | For each vCenter Server cloud account, change the service account password on a recurring or event-initiated schedule. | To maintain a secure platform, service account passwords should be rotated on a regular basis. | Password rotation for a service account is a manual process. After rotating the password, update the associated credentials in the VMware Aria Operations service. |
| CBO-OPS-SEC-007 | For each SDDC Manager cloud account, change the service account password on a recurring or event-initiated schedule. | To maintain a secure platform, service account passwords should be rotated on a regular basis. | Password rotation for a service account is a manual process. After rotating the password, update the associated credentials in the VMware Aria Operations service. |