Begin the implementation of the Cloud-Based Workload Protection for VMware Cloud Foundation validated solution by preparing your VMware Cloud Foundation instance for connecting to the VMware Live Cyber Recovery service.

Define a Custom Role in vSphere for Cloud-Based Workload Protection for VMware Cloud Foundation

To limit the privileges and scope for VMware HCX integration with vSphere, you create a custom role in vSphere with the required privileges.

UI Procedure

  1. Log in to the VI workload domain vCenter Server at https://<vi_workload_domain_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. From the vSphere Client Menu, select Administration.
  3. In the left pane, select Access Control > Roles.

  4. From the Roles provider drop-down menu, select vsphere.local.

  5. Create a role for VMware HCX.

    1. Select the Administrator role and click Clone.

    2. In the Clone role dialog box, enter VMware HCX to vSphere Integration, and click OK.

  6. Repeat the procedure for any isolated VI workload domain in your VMware Cloud Foundation instance.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-w01"
    
    $hcxRole = "VMware HCX to vSphere Integration"

  3. Create a role for VMware HCX.

    1. Perform the configuration by running the command in the PowerShell console.

      Copy-vSphereRole -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $sddcDomainName -sourceRoleName "Admin" -targetRoleName $hcxRole

  4. Repeat the procedure for any isolated VI workload domain in your VMware Cloud Foundation instance.

Configure Service Account Permissions for vSphere Integration for Cloud-Based Workload Protection for VMware Cloud Foundation

To provide the necessary privileges to the service accounts for the VMware HCX service to vSphere integration, you assign the custom role to the integration service accounts in vCenter Server. To perform all HCX configurations and operations, the service account must also be a member of the Administrators group in vCenter Server.

UI Procedure

  1. Log in to the VI workload domain vCenter Server at https://<vi_workload_domain_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. From the vSphere Client Menu, select Administration.
  3. In the left pane, select Access control > Global permissions, and click Add.

  4. In the Add permissions dialog box, configure the values for the VMware HCX service account from your VMware Cloud Foundation Planning and Preparation Workbook, select the Propagate to children check box, and click OK.

  5. In the left pane, select Single Sign on > Users and Groups, and click the Groups tab.

  6. Select the Administrators group and click Edit.

  7. In the Edit Group dialog box, in the Add a member section, select a domain and user account according to your VMware Cloud Foundation Planning and Preparation Workbook, and click Save.

  8. Repeat the procedure for any isolated VI workload domain in the VMware Cloud Foundation instance.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-w01"
    
    $domainFqdn = "sfo.rainpole.io"
    $domainBindUser = "svc-vsphere-ad"
    $domainBindPass = "VMw@re1!"
    
    $hcxServiceAccount = "svc-hcx-vsphere"
    $hcxRole = "VMware HCX to vSphere Integration"

  3. Perform the configuration by running the commands in the PowerShell console.

    Add-vCenterGlobalPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $sddcDomainName -domain $domainFqdn -domainBindUser $domainBindUser -domainBindPass $domainBindPass -principal $hcxServiceAccount -role $hcxRole -propagate true -type user
    
    Add-SsoPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $sddcDomainName -domain $domainFqdn -domainBindUser $domainBindUser -domainBindPass $domainBindPass -principal $hcxServiceAccount -ssoGroup "Administrators" -type user -source external

  4. Repeat the procedure for any isolated VI workload domains in the VMware Cloud Foundation instance.

Create Virtual Machine and Template Folder for the Connector Appliances for Cloud-Based Workload Protection for VMware Cloud Foundation

Create a folder in the management domain to group objects of the same type for easier management. You create a virtual machine folder on the management domain vCenter Server to manage the VMware Live Cyber Recovery and HCX Connector appliances.

UI Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server tree.

  3. In the VMs and templates inventory, navigate to the default management data center, right-click the data center, and select New folder > New VM and template folder.

  4. In the New folder dialog box, enter the folder name according to your VMware Cloud Foundation Planning and Preparation Workbook, and click OK.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-m01"
    
    $cbwFolder = "sfo-m01-fd-cbw"

  3. Perform the configuration by running the command in the PowerShell console.

    Add-VMFolder -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -folderName $cbwFolder

Create a Virtual Machine and Template Folder and a Resource Pool for the HCX Appliances for Cloud-Based Workload Protection for VMware Cloud Foundation

To group the automatically deployed VMware HCX appliances for the Service Mesh, you create a virtual machine folder and a resource pool on the VI workload domain vCenter Server.

UI Procedure

  1. Log in to the VI workload domain vCenter Server at https://<vi_workload_domain_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. Create a folder for the VMware HCX appliances.

    1. In the VMs and templates inventory, expand the VI workload domain vCenter Server tree.

    2. Right-click the VI workload domain data center and select New folder > New VM and template folder.

    3. In the New folder dialog box, enter the folder name according to your VMware Cloud Foundation Planning and Preparation Workbook, and click OK.

  3. Create a resource pool for the VMware HCX appliances.

    1. In the Hosts and clusters inventory, expand the VI workload domain vCenter Server and the data center tree.

    2. Right-click the default cluster for the VI workload domain and select New resource pool.

    3. In the New resource pool dialog box, enter a resource pool name according to your VMware Cloud Foundation Planning and Preparation Workbook, and click OK.

  4. Repeat the procedure for each VI workload domain in the VMware Cloud Foundation instance.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-w01"
    
    $vmFolder = "sfo-w01-fd-hcx"
    $resourcePoolName = "sfo-w01-cl01-rp-hcx"

  3. Perform the configuration by running the commands in the PowerShell console.

    Add-VMFolder -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -folderName $vmFolder
    
    Add-ResourcePool -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -resourcePoolName $resourcePoolName

  4. Repeat the procedure for each VI workload domain in the VMware Cloud Foundation instance.
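
A post-configuration check for the custom role, folder, and resource pool created in the procedures above. This is an added example, not part of the original procedure: it assumes VMware PowerCLI is installed, the vCenter Server FQDN is a placeholder you replace, and the password is prompted for rather than stored in the script.

```powershell
# Added verification example (not from the original procedure). Requires VMware PowerCLI.
$vcenterFqdn      = "<vi_workload_domain_vcenter_server_fqdn>"  # placeholder, replace with your value
$hcxRole          = "VMware HCX to vSphere Integration"
$vmFolder         = "sfo-w01-fd-hcx"
$resourcePoolName = "sfo-w01-cl01-rp-hcx"

# Prompt for credentials so no password lands in the script or console history.
$cred = Get-Credential -Message "vCenter Server account with Administrator privileges"
$vi   = Connect-VIServer -Server $vcenterFqdn -Credential $cred -ErrorAction Stop

try {
    # The custom role was cloned from the built-in Administrator role ("Admin").
    $admin = Get-VIRole -Server $vi -Name "Admin" -ErrorAction Stop
    $role  = Get-VIRole -Server $vi -Name $hcxRole -ErrorAction SilentlyContinue

    # Privileges present in one role but not the other. An empty result means the
    # HCX role still carries the full Administrator privilege set.
    $delta = @()
    if ($role) {
        $delta = @(Compare-Object -ReferenceObject $admin.PrivilegeList `
                                  -DifferenceObject $role.PrivilegeList)
    }

    $folder = Get-Folder -Server $vi -Name $vmFolder -Type VM -ErrorAction SilentlyContinue
    $pool   = Get-ResourcePool -Server $vi -Name $resourcePoolName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RoleExists            = [bool]$role
        RolePrivilegeCount    = if ($role) { $role.PrivilegeList.Count } else { 0 }
        AdminPrivilegeCount   = $admin.PrivilegeList.Count
        PrivilegesDifferFromAdmin = $delta.Count
        FolderExists          = [bool]$folder
        ResourcePoolExists    = [bool]$pool
    } | Format-List

    if ($role -and $delta.Count -eq 0) {
        Write-Warning "'$hcxRole' is privilege-identical to Administrator; treat the HCX service account as a full vCenter administrator when monitoring and rotating its credentials."
    }
}
finally {
    Disconnect-VIServer -Server $vi -Confirm:$false
}
```

Run the check once per VI workload domain vCenter Server, changing the folder and resource pool names to match each domain.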

Configure Service Account Permissions for NSX Integration for Cloud-Based Workload Protection for VMware Cloud Foundation

To provide the necessary privileges to the service account for the VMware HCX to NSX Integration, you assign the Enterprise admin role to the integration service account in NSX Manager.

UI Procedure

  1. Log in to the NSX Manager cluster for the VI workload domain at https://<vi_workload_nsx_manager_fqdn>/login.jsp?local=true as admin.
  2. On the main navigation bar, click System.

  3. In the left pane, select Settings > User management.

  4. On the User role assignment tab, from the Add role for providers drop-down menu, select LDAP.

  5. In the Search Domain text box, enter the domain according to your VMware Cloud Foundation Planning and Preparation Workbook.

  6. In the Search user/user group text box, enter the service account for the VMware HCX to NSX Integration according to your VMware Cloud Foundation Planning and Preparation Workbook.

  7. Click Set in the Roles field.

    1. In the Set Roles/Scope dialog box, click Add role, select Enterprise admin from the Roles drop-down menu, click Add, and click Apply.

    2. Click Save.

  8. Repeat the procedure for each VI workload domain in the VMware Cloud Foundation instance.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-w01"
    
    $nsxServiceAccount = "[email protected]"

  3. Perform the configuration by running the command in the PowerShell console.

    Add-NsxtLdapRole -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -type user -principal $nsxServiceAccount -role enterprise_admin

  4. Repeat the procedure for each VI workload domain in the VMware Cloud Foundation instance.
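
An audit of which principals hold the Enterprise Admin role in NSX Manager after the assignment above, so the HCX service account can be confirmed and unexpected holders spotted. This is an added example, not part of the original procedure: it assumes the NSX Manager REST endpoint `/api/v1/aaa/role-bindings`, a trusted NSX Manager certificate, and placeholder values for the FQDN and service account.

```powershell
# Added audit example (not from the original procedure).
$nsxManagerFqdn    = "<vi_workload_nsx_manager_fqdn>"       # placeholder, replace with your value
$nsxServiceAccount = "<hcx_to_nsx_service_account>"         # placeholder: the principal given to Add-NsxtLdapRole

# Prompt for credentials; build a Basic auth header that works in Windows PowerShell and PowerShell 7.
$cred    = Get-Credential -Message "NSX Manager account allowed to read role bindings"
$pair    = "{0}:{1}" -f $cred.UserName, $cred.GetNetworkCredential().Password
$headers = @{
    Authorization = "Basic " + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
}

# Certificate validation is left enabled on purpose.
# Note: large deployments may return results in pages; this reads the first page only.
$uri      = "https://$nsxManagerFqdn/api/v1/aaa/role-bindings"
$bindings = (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).results

# Assumption about the response shape: roles are listed under 'roles' and,
# on newer releases, also under 'roles_for_paths'. Both are collected.
$report = foreach ($b in $bindings) {
    $roles = @($b.roles.role) + @($b.roles_for_paths.roles.role) |
             Where-Object { $_ } | Sort-Object -Unique
    [pscustomobject]@{
        Name  = $b.name
        Type  = $b.type      # for example remote_user, remote_group, local_user
        Roles = $roles -join ","
        IsEnterpriseAdmin = ($roles -contains "enterprise_admin")
    }
}

$admins = @($report | Where-Object IsEnterpriseAdmin)
$admins | Format-Table Name, Type, Roles -AutoSize

if ($admins.Name -notcontains $nsxServiceAccount) {
    Write-Warning "No enterprise_admin binding found for '$nsxServiceAccount'."
}
```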