The appendix aggregates all design decisions that determine the deployment configuration to support the Cloud-Based Intelligent Operations for VMware Cloud Foundation validated solution. You can use this design decision list for reference related to the end state of the environment and potentially to track your level of adherence to the design and any justification for deviations.

Deployment Specification

Table 1. Design Decisions on the Deployment of the Cloud Proxy Appliances

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-CFG-001

Deploy two Cloud Proxy appliances per region.

Provides collector functionality for vRealize Operations Cloud, with a second appliance in each region so that collection continues if one appliance is unavailable.

None.

CBO-CDP-CFG-002

Deploy the Cloud Proxy appliances in the default management vSphere cluster.

Required to establish secure communication between the VMware Cloud Foundation instance and vRealize Operations Cloud.

The Cloud Proxy appliances must be able to connect to vRealize Operations Cloud through a firewall.

CBO-CDP-CFG-003

Protect the Cloud Proxy appliances by using vSphere High Availability.

Supports the availability objective without requiring manual intervention during an ESXi host failure.

None.

CBO-CDP-CFG-004

Deploy the Cloud Proxy appliances with the Standard size.

Provides support for the required number of monitored objects.

None.

CBO-CDP-CFG-005

Place the Cloud Proxy appliances in a designated virtual machine folder.

Provides organization of the appliances in the management domain vSphere inventory.

You must create the virtual machine folder before deployment.

CBO-CDP-CFG-006

Enable data persistence on all Cloud Proxy appliances.

Allows each appliance to buffer collected data locally and forward it later if connectivity to vRealize Operations Cloud is interrupted.

Storage availability on each Cloud Proxy appliance must be monitored.

CBO-CDP-CFG-007

Create a collector group for each region and assign respective Cloud Proxy appliances per region.

Collector groups pool the Cloud Proxies of a region so that each cloud account can be assigned to the proxies that should collect from it.

None.

CBO-CDP-CFG-008

Configure each cloud account to use the appropriate collector group per region.

Ensures that each cloud account is collected by the Cloud Proxies of its own region.

None.

CBO-CDP-CFG-009

Apply a vSphere Distributed Resource Scheduler (DRS) anti-affinity rule to the Cloud Proxy appliances.

The vSphere DRS anti-affinity rule prevents the Cloud Proxy appliances from running on the same ESXi host, so a single host failure cannot take down the whole collector group.

You must perform additional configuration to set up the anti-affinity rule.

Table 2. Design Decisions on the Deployment of the Cloud Proxy Appliances in Multiple Availability Zones

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-CFG-010

When using two availability zones, add the Cloud Proxy appliances to the VM group of the first availability zone.

Ensures that the Cloud Proxy appliances run on the host group of the primary availability zone.

After the implementation of the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the Cloud Proxy appliances.
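As an added example that is not part of the VMware validated solution, the following Python script checks the Cloud Proxy placement of one region against decisions CBO-CDP-CFG-001, CBO-CDP-CFG-005, CBO-CDP-CFG-009 and CBO-CDP-CFG-010. It works on a plain inventory export (VM name, ESXi host, folder, DRS rules and VM groups) that you would populate from vCenter Server, for example with pyVmomi or a PowerCLI JSON export; every VM, host, folder and group name in the sample inventory is an assumption.

```python
"""Check Cloud Proxy placement against the design decisions (added example).

The inventory is passed in as plain dictionaries so the check runs offline;
in practice you populate them from vCenter Server (pyVmomi or a PowerCLI
JSON export). All names in the sample data below are assumptions.
"""

from typing import Dict, List


def check_cloud_proxy_placement(
    proxies: Dict[str, Dict[str, str]],   # VM name -> {"host": ..., "folder": ...}
    drs_rules: List[Dict],                # [{"name", "type", "enabled", "vms"}, ...]
    vm_groups: Dict[str, List[str]],      # VM group name -> member VM names
    primary_az_group: str,
    expected_folder: str,
    expected_count: int = 2,
) -> List[str]:
    """Return a list of findings; an empty list means the placement is compliant."""
    findings: List[str] = []

    # CBO-CDP-CFG-001: the region must have the expected number of appliances.
    if len(proxies) != expected_count:
        findings.append(f"expected {expected_count} Cloud Proxy appliances, found {len(proxies)}")

    # CBO-CDP-CFG-005: every appliance lives in the designated VM folder.
    for name, vm in proxies.items():
        if vm["folder"] != expected_folder:
            findings.append(f"{name} is in folder {vm['folder']!r}, expected {expected_folder!r}")

    # CBO-CDP-CFG-009: an enabled anti-affinity rule must list every appliance.
    covering = [
        rule for rule in drs_rules
        if rule["type"] == "anti-affinity" and rule["enabled"] and set(proxies) <= set(rule["vms"])
    ]
    if not covering:
        findings.append("no enabled DRS anti-affinity rule covers all Cloud Proxy appliances")

    # The rule only helps if the appliances are in fact on different ESXi hosts.
    hosts = [vm["host"] for vm in proxies.values()]
    if len(set(hosts)) != len(hosts):
        findings.append(f"Cloud Proxy appliances share an ESXi host: {sorted(hosts)}")

    # CBO-CDP-CFG-010: with two availability zones, every appliance must be a
    # member of the VM group of the first (primary) availability zone.
    members = set(vm_groups.get(primary_az_group, []))
    for name in proxies:
        if name not in members:
            findings.append(f"{name} is not a member of VM group {primary_az_group!r}")

    return findings


# Constructed sample inventory; names and hosts are assumptions, not from the solution.
SAMPLE_PROXIES = {
    "sfo-m01-cp01": {"host": "esx01.mgmt.example.com", "folder": "sfo-m01-fd-cloudproxy"},
    "sfo-m01-cp02": {"host": "esx02.mgmt.example.com", "folder": "sfo-m01-fd-cloudproxy"},
}
SAMPLE_RULES = [
    {"name": "anti-affinity-rule-cloudproxy", "type": "anti-affinity", "enabled": True,
     "vms": ["sfo-m01-cp01", "sfo-m01-cp02"]},
]
SAMPLE_GROUPS = {"sfo-m01-vmgroup-primary-az": ["sfo-m01-cp01", "sfo-m01-cp02"]}


if __name__ == "__main__":
    problems = check_cloud_proxy_placement(
        SAMPLE_PROXIES, SAMPLE_RULES, SAMPLE_GROUPS,
        primary_az_group="sfo-m01-vmgroup-primary-az", expected_folder="sfo-m01-fd-cloudproxy",
    )
    print("compliant" if not problems else "\n".join(problems))
```

Run it against an export of the management domain after each change to the cluster; an anti-affinity rule that exists but is disabled, or two appliances that DRS has not yet separated, are reported as separate findings so you can see which decision is out of compliance.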

Network Design

Table 3. Design Decisions on Network Segments for the Cloud Proxy Appliances

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-NET-001

Place the Cloud Proxy appliances on the management VLAN.

  • Places the Cloud Proxy appliances on the same network as the VMware Cloud Foundation management components.

  • Cross-region failover is not a requirement for the Cloud Proxy appliances.

Ensures connectivity between the Cloud Proxy appliances and the management domain components in the event of a routing issue.

Table 4. Design Decisions on IP Addressing for the Cloud Proxy Appliances

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-NET-002

Allocate statically assigned IP addresses from the management VLAN to the Cloud Proxy appliances.

Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.

Requires precise IP address management.

Table 5. Design Decisions on Name Resolution for the Cloud Proxy Appliances

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-NET-003

Configure forward and reverse DNS records for the Cloud Proxy appliances IP addresses.

Ensures that the appliances are reachable by fully qualified domain names (FQDNs) rather than IP addresses, and that reverse lookups of their addresses return the same names.

You must create A and PTR records in DNS for the virtual appliances.

CBO-CDP-NET-004

Configure DNS servers on the Cloud Proxy appliances.

Ensures that the virtual appliances have accurate name resolution.

  • DNS infrastructure services should be highly available in the environment.

  • Firewalls between the appliance and the DNS servers must allow DNS traffic.

  • You must provide two or more DNS servers unless DNS geographic load balancing is in use.

Table 6. Design Decisions on Time Synchronization for the Cloud Proxy Appliances

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-NET-005

Configure NTP servers for the Cloud Proxy appliances.

  • Ensures that the virtual appliances have accurate time synchronization.

  • Assists in the prevention of time mismatch between the appliance and its dependencies.

  • NTP infrastructure services should be highly available in the environment.

  • Firewalls between the appliance and the NTP servers must allow NTP traffic.

  • You must provide two or more NTP servers unless NTP geographic load balancing is in use.
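The following Python check, added here and not part of the VMware validated solution, validates decisions CBO-CDP-NET-003 through CBO-CDP-NET-005 for a list of Cloud Proxy appliances: each FQDN must resolve to its static IP address, the PTR record for that address must point back to the same FQDN, and at least two distinct DNS and NTP servers must be configured unless geographic load balancing is in use. The resolver is injected so the logic can run offline against the constructed zone data below; the host names, addresses and server lists are assumptions.

```python
"""Validate name resolution and time sources for Cloud Proxy appliances (added example).

`resolve(query, rtype)` returns the records for a name (rtype "A") or an
address (rtype "PTR"); the default uses the system resolver, and the
constructed zone below lets the checks run offline. Names, addresses and
server lists are assumptions, not values from the solution.
"""

import ipaddress
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str, str], List[str]]


def system_resolver(query: str, rtype: str) -> List[str]:
    """Resolve through the operating system resolver (standard library only)."""
    try:
        if rtype == "A":
            return sorted({info[4][0] for info in socket.getaddrinfo(query, None, socket.AF_INET)})
        if rtype == "PTR":
            return [socket.gethostbyaddr(query)[0]]
    except (socket.gaierror, socket.herror):
        return []
    raise ValueError(f"unsupported record type {rtype!r}")


def check_name_resolution(expected: Dict[str, str], resolve: Resolver = system_resolver) -> List[str]:
    """CBO-CDP-NET-003: each FQDN resolves to its static IP and the IP resolves back to the FQDN."""
    findings: List[str] = []
    for fqdn, ip in expected.items():
        ipaddress.ip_address(ip)  # raise early on a typo in the expected address
        forward = resolve(fqdn, "A")
        if forward != [ip]:
            findings.append(f"A record for {fqdn}: got {forward or 'nothing'}, expected [{ip!r}]")
        # PTR answers are fully qualified (trailing dot) and case-insensitive.
        reverse = [name.rstrip(".").lower() for name in resolve(ip, "PTR")]
        if fqdn.lower() not in reverse:
            findings.append(f"PTR record for {ip}: got {reverse or 'nothing'}, expected {fqdn}")
    return findings


def check_redundancy(dns_servers: List[str], ntp_servers: List[str],
                     dns_geo_lb: bool = False, ntp_geo_lb: bool = False) -> List[str]:
    """CBO-CDP-NET-004/005: two or more distinct servers unless geographic load balancing is active."""
    findings: List[str] = []
    for kind, servers, geo_lb in (("DNS", dns_servers, dns_geo_lb), ("NTP", ntp_servers, ntp_geo_lb)):
        distinct = set(servers)
        if len(distinct) < 2 and not geo_lb:
            findings.append(f"only {len(distinct)} distinct {kind} server(s) configured; two or more are required")
    return findings


# Constructed sample data: two Cloud Proxy appliances on the management VLAN (assumed values).
SAMPLE_EXPECTED = {
    "sfo-m01-cp01.mgmt.example.com": "172.16.11.81",
    "sfo-m01-cp02.mgmt.example.com": "172.16.11.82",
}
SAMPLE_ZONE = {
    ("sfo-m01-cp01.mgmt.example.com", "A"): ["172.16.11.81"],
    ("sfo-m01-cp02.mgmt.example.com", "A"): ["172.16.11.82"],
    ("172.16.11.81", "PTR"): ["sfo-m01-cp01.mgmt.example.com."],
    ("172.16.11.82", "PTR"): ["SFO-M01-CP02.mgmt.example.com."],
}


def fake_resolver(query: str, rtype: str) -> List[str]:
    """Answer from the constructed zone so the checks run without network access."""
    return SAMPLE_ZONE.get((query, rtype), [])


if __name__ == "__main__":
    problems = check_name_resolution(SAMPLE_EXPECTED, fake_resolver)
    problems += check_redundancy(["172.16.11.4", "172.16.11.5"], ["172.16.11.4", "172.16.11.5"])
    print("compliant" if not problems else "\n".join(problems))
```

With the default `system_resolver` the check uses whatever DNS servers the machine you run it on is configured with; to verify each DNS server listed for the appliances individually, replace the resolver with one that queries a specific server (for example with dnspython), which is the same callable shape.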

Life Cycle Management Design

Table 7. Design Decisions on Life Cycle Management for the Cloud Proxy Appliances

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-LCM-001

Allow automatic life cycle management of the Cloud Proxy appliances by vRealize Operations Cloud.

Automated upgrades minimize the management burden on administrators.

You should be familiar with the manual upgrade process in case the automated upgrade fails.

vRealize Operations Cloud Design

Table 8. Design Decisions on Integrations for Cloud-Based Intelligent Operations

Decision ID

Design Decision

Design Justification

Design Implication

CBO-OPS-CFG-001

Configure the VMware Cloud Foundation integration for each VMware Cloud Foundation instance to enable monitoring in vRealize Operations Cloud.

By configuring the integration for each VMware Cloud Foundation instance, you can configure cloud accounts and adapter instances for vCenter Server, vSAN, and NSX Local Manager.

Dedicated credentials for cloud account connectivity must be created manually before you configure the integration.

CBO-OPS-CFG-002

Activate the Ping integration in vRealize Operations Cloud.

Provides metrics on the availability of endpoints.

You must activate the integration manually.

Table 9. Design Decisions on Cloud Accounts for Cloud-Based Intelligent Operations

Decision ID

Design Decision

Design Justification

Design Implication

CBO-OPS-CFG-003

Configure a VMware Cloud Foundation cloud account for each VMware Cloud Foundation instance with a service account using least-privilege access.

Provides the required access when enabling the VMware Cloud Foundation integration in vRealize Operations Cloud to collect SDDC Manager metric data.

You must maintain the life cycle, availability, and security controls for the account in Active Directory.

CBO-OPS-CFG-004

Configure a vCenter Server cloud account for each workload domain vCenter Server instance using a dedicated service account with least-privilege access.

Provides the required access when enabling the VMware Cloud Foundation integration in vRealize Operations Cloud to collect vCenter Server metric data.

You must maintain the life cycle, availability, and security controls for the service account in Active Directory.

CBO-OPS-CFG-005

Enable the vSAN cloud account for each workload domain in the VMware Cloud Foundation instance.

Provides vRealize Operations Cloud with integration and data collection from all vSAN enabled clusters in the VMware Cloud Foundation instance.

Because the vSAN adapter reuses the vCenter Server service account, an issue with that account (for example, a lockout or an expired password) interrupts both vCenter Server and vSAN data collection from vRealize Operations Cloud.

CBO-OPS-CFG-006

Configure an NSX-T cloud account for each workload domain NSX Local Manager instance using client certificate credentials with least-privilege access, and assign it to the collector group of its region.

  • Provides the required access when enabling the VMware Cloud Foundation integration in vRealize Operations Cloud to collect NSX Manager metric data.

  • Client certificate credentials remove the need to protect and maintain either a local or Active Directory domain account and password.

You must manage the credentials and the life cycle of certificates and their corresponding private keys.

CBO-OPS-CFG-007

Configure a Ping cloud account for the Cloud Proxy appliances and assign it to the collector group.

Provides metrics on the availability of the Cloud Proxy appliances.

None.

Table 10. Design Decisions on Cloud Accounts in vRealize Operations Cloud for Multiple VMware Cloud Foundation Instances

Decision ID

Design Decision

Design Justification

Design Implication

CBO-OPS-CFG-008

In an environment with multiple VMware Cloud Foundation instances, configure an SDDC Manager cloud account for each VMware Cloud Foundation instance using a dedicated service account with least-privilege access, and assign it to the Cloud Proxy collector group of the corresponding region.

Provides vRealize Operations Cloud with integration and data collection from all SDDC Manager instances.

None.

Table 11. Design Decisions on vRealize Operations Cloud Alerts for Cloud-Based Intelligent Operations

Decision ID

Design Decision

Design Justification

Design Implication

CBO-OPS-CFG-009

Define and configure application, virtual machine, and container related alerts.

Alerts can be used to detect and notify administrators about conditions that endanger the operation of individual or groups of workloads running in your environment.

Individual alerts may need to be manually created and maintained.

CBO-OPS-CFG-010

Define and configure virtual infrastructure and ESXi host related alerts.

Alerts can be used to detect and notify administrators about conditions that endanger the operation of your virtual infrastructure as a whole or down to its discrete components.

Individual alerts may need to be manually created and maintained.

CBO-OPS-CFG-011

Define and configure software-defined networking related alerts.

Alerts can be used to detect and notify administrators about conditions that endanger the operation of NSX software-defined networking components.

Individual alerts may need to be manually created and maintained.

CBO-OPS-CFG-012

Define and configure storage related alerts.

Alerts can be used to detect and notify administrators about conditions that endanger the operation of vSAN or disk/file-based storage or individual storage layer components.

Individual alerts may need to be manually created and maintained.

Information Security and Access Control Design

Table 12. Design Decisions on Identity Management for Cloud-Based Intelligent Operations

Decision ID

Design Decision

Design Justification

Design Implication

CBO-IAM-SEC-001

Limit the use of local accounts for interactive or API access and solution integration.

Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity.

You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.

CBO-IAM-SEC-002

Limit the scope and privileges for accounts used for interactive or API access and solution integration.

The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.

You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.

CBO-IAM-SEC-003

Assign vRealize Operations Cloud service roles to designated users.

To provide access to vRealize Operations Cloud service, you assign users to service roles.

You must maintain the service roles required for users of your organization.

Table 13. Design Decisions on Service Accounts for Cloud-Based Intelligent Operations

Decision ID

Design Decision

Design Justification

Design Implication

CBO-OPS-SEC-001

Create and assign least privilege access to an Active Directory user account as a service account in each SDDC Manager instance for application-to-application communication between vRealize Operations Cloud and SDDC Manager.

Provides integration and data collection of objects managed by SDDC Manager for a VMware Cloud Foundation instance.

You must maintain the life cycle, availability, and security controls for the account in Active Directory.

CBO-OPS-SEC-002

Define a custom vCenter Server role for vRealize Operations Cloud that has minimum privileges required to support a vCenter Server cloud account.

vRealize Operations Cloud integrates with each workload domain vCenter Server instance using the minimum set of privileges required to support the cloud account.

  • You must maintain the privileges required by the custom vSphere role.

  • If additional workload domain vCenter Server instances are not in the same vCenter Single Sign-On domain, the custom role must be applied to each vCenter Single Sign-On domain.

CBO-OPS-SEC-003

Create an NSX-T client certificate credential for each workload domain NSX Local Manager instance, assign it the Enterprise Admin role, and use it for application-to-application communication between vRealize Operations Cloud and NSX Manager.

  • Provides integration and data collection of objects managed by NSX Manager for a given workload domain.

  • Client certificate credentials remove the need to protect and maintain either a local or Active Directory domain account and password.

You must manage the credential and the life cycle of the certificates and their corresponding private keys. Because the Enterprise Admin role grants full administrative rights in NSX Manager, protect the private key as you would an administrator password.

CBO-OPS-SEC-004

Create and assign the custom vCenter Server role to an Active Directory user account as a service account for each workload domain vCenter Server instance for application-to-application communication between vRealize Operations Cloud and vCenter Server.

  • Provides integration and data collection of objects managed by the vCenter Server for a given workload domain.

  • Limiting the use of the service account to this integration reduces the impact of a security or password-related event.

  • Using a dedicated, named Active Directory account provides auditability that generic administrative accounts do not.

You must maintain the life cycle, availability, and security controls for the account in Active Directory.

CBO-OPS-SEC-005

Use the vCenter Server service account for data collection on vSAN cloud accounts.

As a service managed by vCenter Server, vSAN does not require separate credentials for the integration to function.

None.

Table 14. Design Decisions on Password Policies for Cloud-Based Intelligent Operations

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-SEC-001

Configure the local user password expiration policy for each Cloud Proxy instance.

  • You configure the local user password expiration policy for each Cloud Proxy instance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The local user password expiration policy is applicable to the root account for the Cloud Proxy appliance.

You must manage the local user password expiration settings on each Cloud Proxy instance by using the appliance console.

CBO-CDP-SEC-002

Configure the local user password complexity policy for each Cloud Proxy instance.

  • You configure the local user password complexity policy for each Cloud Proxy instance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The local user password complexity policy is applicable only to the local Cloud Proxy appliance users.

You must manage the local user password complexity settings on each Cloud Proxy instance by using the appliance console.

CBO-CDP-SEC-003

Configure the local user account lockout policy for each Cloud Proxy instance.

  • You configure the local user account lockout policy for each Cloud Proxy instance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The local user account lockout policy is applicable only to the local Cloud Proxy appliance users.

You must manage the local user account lockout settings on each Cloud Proxy instance by using the appliance console.

Table 15. Design Decisions on Password Management for Cloud-Based Intelligent Operations

Decision ID

Design Decision

Design Justification

Design Implication

CBO-CDP-SEC-004

Change the root password for each Cloud Proxy appliance on a recurring or event-initiated schedule.

By default, the password for the Cloud Proxy appliance root account expires every 90 days.

You must track the expiration date and change the root password on each Cloud Proxy appliance by using the virtual appliance console before it expires.

CBO-OPS-SEC-006

For each vCenter Server cloud account, change the service account password on a recurring or event-initiated schedule.

To maintain a secure platform, rotate service account passwords on a regular basis.

Password rotation for a service account is a manual process: after you change the password in Active Directory, you must update the associated credential in the vRealize Operations Cloud service, otherwise data collection for that cloud account fails.

CBO-OPS-SEC-007

For each SDDC Manager cloud account, change the service account password on a recurring or event-initiated schedule.

To maintain a secure platform, rotate service account passwords on a regular basis.

Password rotation for a service account is a manual process: after you change the password in Active Directory, you must update the associated credential in the vRealize Operations Cloud service, otherwise data collection for that cloud account fails.
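Decisions CBO-CDP-SEC-001 and CBO-CDP-SEC-004 leave you to track root password ageing on every Cloud Proxy appliance yourself. The following Python script, added here and not part of the VMware validated solution, evaluates the root entry of /etc/shadow (the same ageing data that `chage -l root` shows on the appliance console) against a 90-day maximum and reports the expiry date, the days remaining and any deviation from the policy. The sample record is constructed with a redacted hash, and the dates in it are assumptions.

```python
"""Report root password ageing on a Cloud Proxy appliance from its shadow entry (added example).

Collect the line with `grep '^root:' /etc/shadow` on the appliance console
or over SSH and pass it to password_status(). The sample record below is
constructed: the hash is redacted and the dates are assumptions.
"""

from datetime import date, timedelta
from typing import List, Optional, Union

EPOCH = date(1970, 1, 1)  # shadow(5) stores dates as days since this date


def parse_shadow_line(line: str) -> dict:
    """Split one shadow(5) record into its ageing fields; empty fields become None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("not a shadow(5) record")

    def num(value: str) -> Optional[int]:
        return int(value) if value else None

    return {
        "user": fields[0],
        "last_change": num(fields[2]),   # day of last password change
        "max_days": num(fields[4]),      # maximum password age
        "warn_days": num(fields[5]),     # warning period before expiry
    }


def password_status(line: str, today: Union[date, str], policy_max_days: int = 90) -> dict:
    """Evaluate one root shadow entry against the expiration policy.

    Returns the expiry date, the days left and a list of findings; an empty
    findings list means the entry satisfies CBO-CDP-SEC-001 and CBO-CDP-SEC-004.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rec = parse_shadow_line(line)
    result = {"user": rec["user"], "expires_on": None, "days_left": None, "findings": []}
    findings: List[str] = result["findings"]

    if rec["last_change"] is None:
        findings.append("password ageing is disabled (empty last-change field)")
        return result
    # An empty or 99999 max-days field means the password never expires.
    if rec["max_days"] is None or rec["max_days"] >= 99999:
        findings.append("password never expires; CBO-CDP-SEC-001 requires an expiration policy")
        return result
    if rec["max_days"] > policy_max_days:
        findings.append(f"maximum age {rec['max_days']} days exceeds the {policy_max_days}-day policy")
    if rec["last_change"] == 0:
        findings.append("a password change is forced at next login")
        return result

    expires = EPOCH + timedelta(days=rec["last_change"] + rec["max_days"])
    days_left = (expires - today).days
    result["expires_on"] = expires.isoformat()
    result["days_left"] = days_left
    warn = rec["warn_days"] if rec["warn_days"] is not None else 7
    if days_left < 0:
        findings.append(f"password expired on {expires.isoformat()}")
    elif days_left <= warn:
        findings.append(f"password expires in {days_left} day(s); rotate it now (CBO-CDP-SEC-004)")
    return result


# Constructed sample record: hash redacted, last change on day 19500 (2023-05-23), 90-day maximum.
SAMPLE_ROOT_LINE = "root:$6$REDACTED$REDACTED:19500:0:90:7:::"


if __name__ == "__main__":
    status = password_status(SAMPLE_ROOT_LINE, date.today())
    print(f"{status['user']}: expires {status['expires_on']} ({status['days_left']} days left)")
    for finding in status["findings"]:
        print("  -", finding)
```

Run the check from a management host for every Cloud Proxy appliance and alert on the findings list; that replaces relying on the console warning, which you only see when someone logs in.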