Network Design for Cloud-Based Ransomware Recovery for VMware Cloud Foundation

The network design details the design decisions for the network segment placement, IP addressing, name resolution, and time synchronization for the VMware Live Cyber Recovery Connector appliances.

Network Segments

The network segment design consists of characteristics and decisions for placement of the VMware Live Cyber Recovery Connector appliances in the management domain.

This validated solution places the VMware Live Cyber Recovery Connector appliances within the management VLAN of the VMware Cloud Foundation instance. This ensures connectivity and close proximity to vCenter Server.

The VMware VMware Live Cyber Recovery Connectors are placed on the management network of the VMware Cloud Foundation instance together with the other components they communicate with. These components are the Workload Domain vCenter Server and Workload Domain NSX Manager instances. — Figure 1. Network Design for Cloud-Based Ransomware Recovery for VMware Cloud Foundation

Table 1. Design Decisions on the Network Segments for Cloud-Based Ransomware Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-CDP-NET-001	Place the VMware Live Cyber Recovery Connector appliances on the management VLAN.	Places the VMware Live Cyber Recovery Connector appliances on the same network as the VMware Cloud Foundation components that the appliances must communicate with. Provides a consistent deployment model for VMware Cloud services.	None.

IP Addressing

Allocate statically assigned IP addresses and host names to the VMware Live Cyber Recovery Connector appliances from their corresponding network.

Table 2. Design Decisions on the IP Addressing for Cloud-Based Ransomware Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-CDP-NET-002	Allocate statically assigned IP addresses from the management VLAN to the VMware Live Cyber Recovery Connector appliances.	Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.	Requires precise IP address management.

Name Resolution

Name resolution provides the translation between an IP address and a fully qualified domain name (FQDN), which makes it easier to remember and connect to components across the SDDC. The IP address of each VMware Live Cyber Recovery Connector appliance must have a valid internal DNS forward (A) and reverse (PTR) records.

Table 3. Design Decisions on Name Resolution for Cloud-Based Ransomware Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-CDP-NET-003	Configure forward and reverse DNS records for the VMware Live Cyber Recovery Connector appliance IP addresses.	Ensures the appliances are accessible by using a fully qualified domain name instead of using IP addresses only.	You must provide a DNS record for the appliance IP address. Firewalls between the appliance and the DNS servers must allow DNS traffic.
CBR-CDP-NET-004	Configure DNS servers on the VMware Live Cyber Recovery Connector appliances.	Ensures the appliance has accurate name resolution.	Firewalls between the appliance and the DNS servers must allow DNS traffic. You must provide two or more DNS servers unless a DNS geographic load balancing is active.

Time Synchronization

Time synchronization provided by the Network Time Protocol (NTP) ensures that all components within the SDDC are synchronized to the same time source. This section of the design consists of characteristics and decisions that support the time configuration for the VMware Live Cyber Recovery Connector appliances.

Table 4. Design Decisions on Time Synchronization for Cloud-Based Ransomware Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBR-CDP-NET-005	Use VMware Tools™ to synchronize time from ESXi hosts for the VMware Live Cyber Recovery Connector appliances.	Prevents time mismatches between the the VMware Live Cyber Recovery Connector appliance and its dependencies.	Ensures that ESXi hosts are configured for NTP. NTP infrastructure services must be highly-available in the environment. Firewalls between ESXi hosts and the NTP servers must allow NTP traffic. You must provide two or more NTP servers unless an NTP geographic load balancing is active. NTP must already be set up on ESXi hosts before implementing the solution.