Appendix: Design Decisions for Cloud-Based Ransomware Recovery for VMware Cloud Foundation

The appendix aggregates design decisions that determine the deployment configuration to support Cloud-Based Ransomware Recovery for VMware Cloud Foundation validated solution. You can use this design decisions list for reference related to the end state of the environment and potentially to track your level of adherence to the design and any justification for deviations

Deployment Specification

Table 1. Design Decisions on the Deployment of the VMware Live Cyber Recovery Connector Appliances
Decision ID	Design Decision	Design Justification	Design Implication
CBR-CDP-CFG-001	Deploy two VMware Live Cyber Recovery Connector appliances in the default management vSphere cluster.	Required to establish secure communication between the VMware Cloud Foundation instance and VMware Live Cyber Recovery.	The VMware Live Cyber Recovery Connector appliances must be able to connect to the internet through a firewall.
CBR-CDP-CFG-002	Protect the VMware Live Cyber Recovery Connector appliances by using vSphere High Availability.	Supports the availability objective without requiring manual intervention during an ESXi host failure.	None.
CBR-CDP-CFG-003	Place the VMware Live Cyber Recovery Connector appliances in a designated virtual machine folder.	Provides organization of the appliances in the management domain vSphere inventory.	You must create the virtual machine folder during deployment.
CBR-CDP-CFG-004	Apply vSphere Distributed Resource Scheduler anti-affinity rules to the VMware Live Cyber Recovery Connector appliances.	vSphere Distributed Resource Scheduler prevents the VMware Live Cyber Recovery Connector appliances from residing on the same ESXi host and impacting the performance of replications.	You must perform an additional configuration to set up an anti-affinity rule. For a default management vSphere cluster that consists of four ESXi hosts, you can put in maintenance mode only a single ESXi host at a time.

Table 2. Design Decisions on the Deployment of the VMware Live Cyber Recovery Connector Appliances in Multiple Availability Zones
Decision ID	Design Decision	Design Justification	Design Implication
CBR-CDP-CFG-005	When using two availability zones, add the VMware Live Cyber Recovery Connector appliances to the VM group of the first availability zone.	Ensures that the VMware Live Cyber Recovery Connector appliances run in the primary availability zone hosts group.	After the implementation of the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the VMware Live Cyber Recovery Connector appliances.

Network Design

Table 3. Design Decisions on the Network Segments for Cloud-Based Ransomware Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-CDP-NET-001	Place the VMware Live Cyber Recovery Connector appliances on the management VLAN.	Places the VMware Live Cyber Recovery Connector appliances on the same network as the VMware Cloud Foundation components that the appliances must communicate with. Provides a consistent deployment model for VMware Cloud services.	None.

Table 4. Design Decisions on the IP Addressing for Cloud-Based Ransomware Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-CDP-NET-002	Allocate statically assigned IP addresses from the management VLAN to the VMware Live Cyber Recovery Connector appliances.	Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.	Requires precise IP address management.

Table 5. Design Decisions on Name Resolution for Cloud-Based Ransomware Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-CDP-NET-003	Configure forward and reverse DNS records for the VMware Live Cyber Recovery Connector appliance IP addresses.	Ensures the appliances are accessible by using a fully qualified domain name instead of using IP addresses only.	You must provide a DNS record for the appliance IP address. Firewalls between the appliance and the DNS servers must allow DNS traffic.
CBR-CDP-NET-004	Configure DNS servers on the VMware Live Cyber Recovery Connector appliances.	Ensures the appliance has accurate name resolution.	Firewalls between the appliance and the DNS servers must allow DNS traffic. You must provide two or more DNS servers unless a DNS geographic load balancing is active.

Table 6. Design Decisions on Time Synchronization for Cloud-Based Ransomware Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-CDP-NET-005	Use VMware Tools™ to synchronize time from ESXi hosts for the VMware Live Cyber Recovery Connector appliances.	Prevents time mismatches between the the VMware Live Cyber Recovery Connector appliance and its dependencies.	Ensures that ESXi hosts are configured for NTP. NTP infrastructure services must be highly-available in the environment. Firewalls between ESXi hosts and the NTP servers must allow NTP traffic. You must provide two or more NTP servers unless an NTP geographic load balancing is active. NTP must already be set up on ESXi hosts before implementing the solution.

VMware Cloud on AWS Design

Table 7. Design Decisions on VMware Cloud on AWS for VMware Live Cyber Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-AWS-CFG-001	Deploy a pilot light VMware Cloud on AWS recovery SDDC.	Provides the lowest recovery time objective (RTO) due to the recovery SDDC being available instantly. Provides a platform to perform networking configurations required at recovery time.	A minimal footprint VMware Cloud on AWS SDDC is always online.
CBR-AWS-CFG-002	Deploy a VMware Cloud on AWS recovery SDDC with a minimum of two nodes.	Ensures that the pre-provisioned recovery SDDC remains available. A single node expires after 60 days.	A pre-provisioned recovery SDDC consumes infrastrucutre that incurs a regular charge.
CBR-AWS-CFG-003	Configure the management gateway to allow access to VMware Cloud on AWS recovery SDDC vCenter Server over the internet.	Ensures that users can access the vCenter Server UI of the recovery SDDC over the internet.	You must manually manage access to the vCenter Server by using an NSX group.

VMware Live Cyber Recovery Design

Table 8. Design Decisions on Cloud File System for VMware Live Cyber Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-VLCR-CFG-001	Deploy a cloud file system in the same availability zone inside one AWS region as the recovery SDDC.	Cloud file systems and recovery SDDCs must be in the same availability zone inside one AWS region.	None.

Table 9. Design Decisions on Protected Site for VMware Live Cyber Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-VLCR-CFG-002	Create a protected site for your VMware Cloud Foundation instance using a public internet connection.	Defines the VMware Cloud Foundation instance where business workloads will be protected.	None.
CBR-VLCR-CFG-003	Associate the VMware Live Cyber Recovery Connector appliances with the protected site.	Provides secure communication over the internet between the on-premises vCenter Server and the VMware Live Cyber Recovery service.	Deploy the VMware Live Cyber Recovery Connector appliances manually into your VMware Cloud Foundation management domain vCenter Server.
CBR-VLCR-CFG-004	Register the VI workload domain vCenter Server with the protected site in the VMware Live Cyber Recovery service.	Connects the on-premises vCenter Server of the VI workload domain with the VMware Live Cyber Recovery service to enable protection of business workloads.	Requires at least one VMware Live Cyber Recovery Connector appliance deployed within the on-premises vCenter Server.

Table 10. Design Decisions on Recovery SDDC for VMware Live Cyber Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-VLCR-CFG-005	Attach the pilot light VMware Cloud on AWS recovery SDDC to the VMware Live Cyber Recovery service.	Provides a target SDDC for virtual machine recovery.	None.

Table 11. Design Decisions on Email Alerts for VMware Live Cyber Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-VLCR-CFG-006	Configure the VMware Live Cyber Recovery service to send SLA status alerts.	Ensures that if any SLA status alerts are triggered, they are communicated to support representatives.	VMware Live Cyber Recovery uses the AWS mail service. Recipients must respond to the AWS email address verification request before receiving an email from VMware Live Cyber Recovery.

Life Cycle Management Design

Table 12. Design Decisions on Life Cycle Management of Cloud-Based Ransomware Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-CDP-LCM-001	Use the VMware Cloud Services automatic over-the-air service to perform the upgrades to the VMware Live Cyber Recovery Connector appliances.	The VMware Live Cyber Recovery service pushes upgrades automatically.	None.

Information Security and Access Control Design

Table 13. Design Decisions on Identity Management for Cloud-Based Ransomware Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-IAM-SEC-001	Limit the use of local accounts for interactive or API access and solution integration.	Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity.	You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.
CBR-IAM-SEC-002	Limit the scope and privileges for accounts used for interactive or API access, and for solution integration.	The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.	You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.
CBR-IAM-SEC-003	Assign VMware Live Cyber Recovery service roles to designated users.	To provide access to VMware Live Cyber Recovery service, you assign users to service roles.	You must maintain the service roles required for users of your organization.
CBR-IAM-SEC-004	Assign VMware Cloud on AWS service roles to designated users.	To provide access to VMware Cloud on AWS service, you assign users to service roles.	You must maintain the service roles required for users of your organization.
CBR-IAM-SEC-005	Assign VMware Carbon Black Cloud service roles to designated users.	To provide access to VMware Carbon Black Cloud service, you assign users to service roles.	You must maintain the service roles required for users of your organization.

Table 14. Design Decisions on Service Accounts for Cloud-Based Ransomware Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-IAM-SEC-006	Define a custom vCenter Server role for VMware Live Cyber Recovery with minimum privileges required to support the registration of a vCenter Server.	VMware Live Cyber Recovery integrates with each workload domain vCenter Server instance using a minimum set of privileges required to support registration.	You must maintain the privileges required by the custom vSphere role. If additional workload domain vCenter Server instances are not in the same vCenter Single Sign-On domain, you must apply the custom role to each vCenter Single Sign-On domain.
CBR-IAM-SEC-007	Assign the custom vCenter Server role to a user from the vsphere.local domain as a service account for each VI workload domain vCenter Server instance for application-to-application communication between VMware Live Cyber Recovery and vCenter Server.	Provides integration and data collection of objects managed by the vCenter Server for a given VI workload domain. Limiting the use of a service account reduces the risk in the case of either a security or a password-related event. Using a named vsphere.local account provides for auditability unlike generic administrative accounts.	You must maintain the life cycle, availability, and security controls for the account in the vsphere.local domain.

Table 15. Design Decisions on Password Management for Cloud-Based Ransomware Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-IAM-SEC-008	For each vCenter Server, change the VMware Live Cyber Recovery service account password on a recurring or event-initiated schedule.	To maintain a secure platform, you should rotate the VMware Live Cyber Recovery service account passwords on a regular basis.	Performing password rotation for a service account is a manual process. You update the associated credentials in the VMware Live Cyber Recovery service.

Solution Interoperability

Table 16. Design Decisions on Monitoring and Alerting Using Intelligent Operations Management for VMware Cloud Foundation
Decision ID	Design Decision	Design Justification	Design Implication
CBR-MON-IOM-001	Add a Ping adapter for the VMware Live Cyber Recovery Connector appliances.	Provides metrics on the availability of the VMware Live Cyber Recovery Connector appliances.	You must add the adapter instances manually.
CBR-MON-IOM-002	Configure the Ping adapter for the VMware Live Cyber Recovery Connector appliances to use the remote collector group.	Offloads data collection for local management components from the analytics cluster.	None.