The design decisions determine the deployment configuration to support the Cloud-Based Network Visibility for VMware Cloud Foundation validated solution.

Deployment Specification

Table 1. Design Decisions for Deployment of the VMware Aria Operations for Networks Data Collector Appliance

Decision ID: CBN-CDP-CFG-001
Design Decision: Deploy the VMware Aria Operations for Networks Data Collector appliance in the default management vSphere cluster.
Design Justification: Required to establish secure communication between the VMware Cloud Foundation instance and VMware Aria Operations for Networks.
Design Implication: The VMware Aria Operations for Networks Data Collector must be able to connect to the internet through a firewall.

Decision ID: CBN-CDP-CFG-002
Design Decision: Protect the VMware Aria Operations for Networks Data Collector appliance by using vSphere High Availability.
Design Justification: Supports the availability objective without requiring manual intervention during an ESXi host failure.
Design Implication: None.

Decision ID: CBN-CDP-CFG-003
Design Decision: Place the VMware Aria Operations for Networks Data Collector appliance in a designated virtual machine folder.
Design Justification: Provides organization of the appliances in the management domain vSphere inventory.
Design Implication: You must create the virtual machine folder during deployment.

Table 2. Design Decisions for Deployment of the VMware Aria Operations for Networks Data Collector Appliance in Multiple Availability Zones

Decision ID: CBN-CDP-CFG-004
Design Decision: When using two availability zones, add the VMware Aria Operations for Networks Data Collector appliance to the VM group of the first availability zone.
Design Justification: Ensures that the VMware Aria Operations for Networks Data Collector appliance runs in the primary availability zone hosts group.
Design Implication: After the implementation of the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the VMware Aria Operations for Networks Data Collector appliance.

Network Design

Table 3. Design Decisions on Network Segments for the VMware Aria Operations for Networks Data Collector Appliance

Decision ID: CBN-CDP-NET-001
Design Decision: Place the VMware Aria Operations for Networks Data Collector appliance on the management VLAN.
Design Justification:
  • Places the VMware Aria Operations for Networks Data Collector on the same network as the VMware Cloud Foundation components that the appliance must communicate with.
  • Provides a consistent deployment model for VMware Cloud services.
Design Implication: None.

Table 4. Design Decisions on IP Addresses for the VMware Aria Operations for Networks Data Collector Appliance

Decision ID: CBN-CDP-NET-002
Design Decision: Allocate statically assigned IP addresses from the management VLAN to the VMware Aria Operations for Networks Data Collector appliance.
Design Justification: Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.
Design Implication: Requires precise IP address management.

Table 5. Design Decisions on Name Resolution for the VMware Aria Operations for Networks Data Collector Appliance

Decision ID: CBN-CDP-NET-003
Design Decision: Configure forward and reverse DNS records for the VMware Aria Operations for Networks Data Collector appliance IP address.
Design Justification: Ensures the appliance is accessible by using a fully qualified domain name instead of using IP addresses only.
Design Implication:
  • You must provide a DNS record for the appliance IP address.
  • Firewalls between the appliance and the DNS servers must allow DNS traffic.

Decision ID: CBN-CDP-NET-004
Design Decision: Configure DNS servers on the VMware Aria Operations for Networks Data Collector appliance.
Design Justification: Ensures the appliance has accurate name resolution.
Design Implication:
  • DNS infrastructure services should be highly available in the environment.
  • Firewalls between the appliance and the DNS servers must allow DNS traffic.
  • You must provide two or more DNS servers unless DNS geographic load balancing is active.

Table 6. Design Decisions on Time Synchronization for the VMware Aria Operations for Networks Data Collector Appliance

Decision ID: CBN-CDP-NET-005
Design Decision: Configure NTP servers for the VMware Aria Operations for Networks Data Collector appliance.
Design Justification:
  • Ensures that the appliance has accurate time synchronization.
  • Assists in the prevention of time mismatch between the appliance and its dependencies.
Design Implication:
  • NTP infrastructure services should be highly available in the environment.
  • Firewalls between the appliance and the NTP servers must allow NTP traffic.
  • You must provide two or more NTP servers unless NTP geographic load balancing is active.
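A pre-deployment check for the network decisions CBN-CDP-NET-002 through CBN-CDP-NET-005 (static address inside the management VLAN, matching forward and reverse DNS records, two or more DNS and NTP servers unless geographic load balancing is active). This is an added example, not VMware's code; the zone data, addresses and appliance records are constructed stand-ins so it runs offline.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed forward/reverse zone data standing in for a live resolver
# (RFC 5737 documentation addresses, not real infrastructure).
FORWARD_ZONE = {"collector01.example.com": "192.0.2.30"}
REVERSE_ZONE = {"192.0.2.30": "collector01.example.com"}

@dataclass
class CollectorConfig:
    fqdn: str
    ip: str
    management_vlan: str        # management VLAN subnet in CIDR notation
    dhcp: bool                  # True if the address is leased rather than static
    dns_servers: list = field(default_factory=list)
    ntp_servers: list = field(default_factory=list)
    geo_dns: bool = False       # DNS geographic load balancing active
    geo_ntp: bool = False       # NTP geographic load balancing active

def check_collector(cfg, forward=FORWARD_ZONE, reverse=REVERSE_ZONE):
    """Return (decision_id, finding) tuples; an empty list means every check passed."""
    findings = []
    # NET-002: a statically assigned address taken from the management VLAN.
    if cfg.dhcp:
        findings.append(("CBN-CDP-NET-002", "address is DHCP-leased, not static"))
    if ipaddress.ip_address(cfg.ip) not in ipaddress.ip_network(cfg.management_vlan):
        findings.append(("CBN-CDP-NET-002", f"{cfg.ip} is outside {cfg.management_vlan}"))
    # NET-003: forward and reverse records must both exist and agree with each other.
    if forward.get(cfg.fqdn) != cfg.ip:
        findings.append(("CBN-CDP-NET-003", f"forward record for {cfg.fqdn} missing or wrong"))
    if reverse.get(cfg.ip) != cfg.fqdn:
        findings.append(("CBN-CDP-NET-003", f"reverse record for {cfg.ip} missing or wrong"))
    # NET-004 / NET-005: two or more servers unless geographic load balancing is active.
    if len(set(cfg.dns_servers)) < 2 and not cfg.geo_dns:
        findings.append(("CBN-CDP-NET-004", "fewer than two DNS servers configured"))
    if len(set(cfg.ntp_servers)) < 2 and not cfg.geo_ntp:
        findings.append(("CBN-CDP-NET-005", "fewer than two NTP servers configured"))
    return findings

# Constructed records: one compliant appliance and one that violates every decision.
GOOD = CollectorConfig("collector01.example.com", "192.0.2.30", "192.0.2.0/24", False,
                       ["192.0.2.2", "192.0.2.3"], ["192.0.2.4", "192.0.2.5"])
BAD = CollectorConfig("collector01.example.com", "198.51.100.30", "192.0.2.0/24", True,
                      ["192.0.2.2"], ["192.0.2.4"])

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, check_collector(cfg) or "all checks pass")
```

Replacing the two zone dictionaries with real forward and PTR lookups turns this into a live check of the same four decisions.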

Life Cycle Management

Table 7. Design Decisions on Life Cycle Management for the VMware Aria Operations for Networks Data Collector Appliance

Decision ID: CBN-CDP-LCM-001
Design Decision: Use the VMware Cloud Services Console to perform the upgrades to the VMware Aria Operations for Networks Data Collector appliance.
Design Justification: You perform manual life cycle management of the VMware Aria Operations for Networks Data Collector appliance by using the VMware Cloud Services Console.
Design Implication: You must configure email notifications for newly available updates. VMware Aria Operations for Networks does not provide automatic upgrades or UI reminders.

VMware Aria Operations for Networks Design

Table 8. Design Decisions on Data Sources for VMware Aria Operations for Networks

Decision ID: CBN-NVA-CFG-001
Design Decision: Configure a vCenter Server data source in VMware Aria Operations for Networks for each management domain and VI workload domain vCenter Server.
Design Justification: Provides network visibility to the VMware Cloud Foundation instance for vSphere networking.
Design Implication: You must configure a data source for the management domain and each VI workload domain vCenter Server in each region.

Decision ID: CBN-NVA-CFG-002
Design Decision: For each vCenter Server data source, enable NetFlow on each vSphere Distributed Switch within the domain.
Design Justification: Provides the collection of network flows via the IPFIX protocol.
Design Implication: For the management domain and VI workload domains in each region, VMware Aria Operations for Networks will automatically update the NetFlow settings for each cluster's vSphere Distributed Switch.

Decision ID: CBN-NVA-CFG-003
Design Decision: Configure an NSX Management cluster data source in VMware Aria Operations for Networks for each management domain and VI workload domain NSX Management cluster.
Design Justification: Provides network visibility to the VMware Cloud Foundation instance for NSX networking.
Design Implication: You must configure an NSX data source for the management domain and VI workload domains in each region.

Decision ID: CBN-NVA-CFG-004
Design Decision: For each NSX data source, enable IPFIX for the distributed firewall.
Design Justification: Provides the collection of network flows via the IPFIX protocol.
Design Implication:
  • The distributed firewall service must be enabled on the NSX Management cluster for the VI workload domain.
  • The service account used to integrate VMware Aria Operations for Networks with NSX requires the Enterprise Admin role to be assigned in NSX Manager for the management domain and each VI workload domain.

Decision ID: CBN-NVA-CFG-005
Design Decision: For each NSX data source, enable latency metric collection.
Design Justification: Provides the collection of latency metrics from NSX Transport Nodes.
Design Implication: Any firewall rule sets from all ESXi hosts to the VMware Aria Operations for Networks Data Collector must allow traffic on TCP 1991.

Decision ID: CBN-NVA-CFG-006
Design Decision: For environments using NSX Federation, use the Local Manager as the data source.
Design Justification: Global Managers cannot be added as a data source in VMware Aria Operations for Networks. All NSX-T Federation related data is fetched from the Local Managers.
Design Implication: You must configure the Local Manager as the NSX data source if you are using NSX-T Federation.

Table 9. Design Decisions on Data Retention for VMware Aria Operations for Networks

Decision ID: CBN-NVA-CFG-007
Design Decision: Use the retention period that aligns with your organization's policy requirements. 1 month is the default.
Design Justification: VMware Aria Operations for Networks SaaS allows the flexibility to choose anywhere between the default value of one month and the maximum of 13 months.
Design Implication: You must manage this value in the VMware Aria Operations for Networks Data Management interface to align with your organization's policy requirements.

Table 10. Design Decisions on Notifications and Alerts for VMware Aria Operations for Networks

Decision ID: CBN-NVA-CFG-008
Design Decision: Configure VMware Aria Operations for Networks to send notifications and alerts for relevant system events via push or email.
Design Justification: Enables relevant system events to be sent to operational teams so remediation actions can be taken.
Design Implication: You must select the system alerts and notifications for the system events that are relevant to the information you want to see.

Information Security and Access Control Design

Table 11. Design Decisions on Identity Management for Cloud-Based Network Visibility

Decision ID: CBN-IAM-SEC-001
Design Decision: Limit the use of local accounts for interactive or API access and solution integration.
Design Justification: Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity.
Design Implication: You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.

Decision ID: CBN-IAM-SEC-002
Design Decision: Limit the scope and privileges for accounts used for interactive or API access and solution integration.
Design Justification: The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.
Design Implication: You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.

Decision ID: CBN-IAM-SEC-003
Design Decision: Assign VMware Aria Operations for Networks service roles to designated users.
Design Justification: By assigning Active Directory users with specific VMware Aria Operations for Networks service roles, you introduce improved accountability and facilitate access tracking.
Design Implication: You must maintain the service roles required for users of your organization.

Table 12. Design Decisions on Service Accounts for Cloud-Based Network Visibility

Decision ID: CBN-NVA-SEC-001
Design Decision: Define a custom vCenter Server role for VMware Aria Operations for Networks that has the minimum privileges required to support a vCenter Server integration.
Design Justification: Connects VMware Aria Operations for Networks and each VI workload domain vCenter Server instance using a minimum set of privileges.
Design Implication: You must maintain the privileges required by the custom vSphere role.

Decision ID: CBN-NVA-SEC-002
Design Decision: Create and assign the custom vCenter Server role to an Active Directory user account as a service account for each VI workload domain vCenter Server instance for application-to-application communication between VMware Aria Operations for Networks and vCenter Server.
Design Justification: Provides the following access control features:
  • VMware Aria Operations for Networks accesses each VI workload domain vCenter Server instance with a minimum set of permissions.
  • If there is a compromised account, the accessibility to the destination instance remains restricted.
  • You can introduce improved accountability in tracking request-response interactions between VMware Aria Operations for Networks and the vCenter Server endpoint.
Design Implication: You must maintain the life cycle, availability, and security controls for the account in Active Directory.

Decision ID: CBN-NVA-SEC-003
Design Decision: Create and assign the Enterprise Admin role to a local NSX guestuser account for each VI workload domain NSX Manager instance for application-to-application communication between VMware Aria Operations for Networks and NSX Manager.
Design Justification: Provides integration and data collection of network objects managed by NSX Manager for a given workload domain.
Design Implication: You must manage the local user activation and password expiration settings on each NSX Manager.

Table 13. Design Decisions on Password Policies for Cloud-Based Network Visibility

Decision ID: CBN-CDP-SEC-001
Design Decision: Configure the local user password expiration policy for each VMware Aria Operations for Networks Data Collector instance.
Design Justification:
  • You configure the local user password expiration policy for each VMware Aria Operations for Networks Data Collector instance to align with the requirements of your organization, which might be based on industry compliance standards.
  • The local user password expiration policy is applicable to the support and consoleuser accounts for the VMware Aria Operations for Networks Data Collector appliance.
Design Implication: You must manage the local user password expiration settings on each VMware Aria Operations for Networks Data Collector instance by using the appliance console.

Decision ID: CBN-CDP-SEC-002
Design Decision: Configure the local user password complexity policy for each VMware Aria Operations for Networks Data Collector instance.
Design Justification:
  • You configure the local user password complexity policy for each VMware Aria Operations for Networks Data Collector instance to align with the requirements of your organization, which might be based on industry compliance standards.
  • The local user password complexity policy is applicable only to the local VMware Aria Operations for Networks Data Collector appliance users.
Design Implication: You must manage the local user password complexity settings on each VMware Aria Operations for Networks Data Collector instance by using the appliance console.

Decision ID: CBN-CDP-SEC-003
Design Decision: Configure the local user account lockout policy for each VMware Aria Operations for Networks Data Collector instance.
Design Justification:
  • You configure the local user account lockout policy for each VMware Aria Operations for Networks Data Collector instance to align with the requirements of your organization, which might be based on industry compliance standards.
  • The local user account lockout policy is applicable only to the local VMware Aria Operations for Networks Data Collector appliance users.
Design Implication: You must manage the local user account lockout settings on each VMware Aria Operations for Networks Data Collector instance by using the appliance console.

Table 14. Design Decisions on Password Management for Cloud-Based Network Visibility

Decision ID: CBN-CDP-SEC-004
Design Decision: Change the VMware Aria Operations for Networks Data Collector support and consoleuser passwords on a recurring or event-initiated schedule.
Design Justification: The passwords for the VMware Aria Operations for Networks Data Collector appliance support and consoleuser accounts expire based on the default password expiration policy.
Design Implication:
  • You must manage the password change for the support and consoleuser accounts.
  • You must manage the password change on each VMware Aria Operations for Networks Data Collector appliance by using the virtual appliance console.
  • You must monitor the password expiration of the accounts' passwords.

Decision ID: CBN-CDP-SEC-005
Design Decision: Change the VMware Aria Operations for Networks guestuser2 password on a recurring or event-initiated schedule.
Design Justification: The password for the Guest Account that is used to integrate NSX and VMware Aria Operations for Networks expires based on the default password expiration policy.
Design Implication: You must manage the password change for the Guest Account. You must monitor the password expiration of the Guest Account password.