The network design details the design decisions for the network segment placement, IP addressing, name resolution, and time synchronization for the VMware Live Cyber Recovery and HCX Connector appliances.

Network Segments

The network segment design consists of characteristics and decisions for placement of the VMware Live Cyber Recovery and HCX Connector appliances in the management domain.

This validated solution places the VMware Live Cyber Recovery and HCX Connector appliances within the management VLAN of the VMware Cloud Foundation instance. This ensures connectivity and close proximity to vCenter Server.

Figure 1. Network Design for Cloud-Based Workload Protection for VMware Cloud Foundation

The VMware Live Cyber Recovery and HCX Connectors are placed on the management network of the VMware Cloud Foundation instance together with the other components they communicate with. These components are the Workload Domain vCenter Server and Workload Domain NSX Manager instances.

Table 1. Design Decisions on the Network Segments for Cloud-Based Workload Protection

Decision ID: CBW-CDP-NET-001
Design Decision: Place the VMware Live Cyber Recovery Connector appliances on the management VLAN.
Design Justification:
  • Places the VMware Live Cyber Recovery Connector appliances on the same network as the VMware Cloud Foundation components that the appliances must communicate with.
  • Provides a consistent deployment model for VMware Cloud services.
Design Implication: None.

Decision ID: CBW-CDP-NET-002
Design Decision: Place the HCX Connector appliance on the management VLAN.
Design Justification:
  • Places the HCX Connector on the same network as the VMware Cloud Foundation components that the appliance must communicate with.
  • Provides a consistent deployment model for VMware Cloud services.
Design Implication: None.

IP Addressing

Allocate statically assigned IP addresses and host names to the VMware Live Cyber Recovery and HCX Connector appliances from their corresponding network.

Table 2. Design Decisions on the IP Addressing for Cloud-Based Workload Protection

Decision ID: CBW-CDP-NET-003
Design Decision: Allocate statically assigned IP addresses from the management VLAN to the VMware Live Cyber Recovery Connector appliances.
Design Justification: Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.
Design Implication: Requires precise IP address management.

Decision ID: CBW-CDP-NET-004
Design Decision: Allocate statically assigned IP addresses from the management VLAN to the HCX Connector appliance.
Design Justification: Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.
Design Implication: Requires precise IP address management.

Name Resolution

Name resolution provides the translation between an IP address and a fully qualified domain name (FQDN), which makes it easier to remember and connect to components across the SDDC. The IP address of each VMware Live Cyber Recovery and HCX Connector appliance must have valid internal DNS forward (A) and reverse (PTR) records.

Table 3. Design Decisions on Name Resolution for Cloud-Based Workload Protection

Decision ID: CBW-CDP-NET-005
Design Decision: Configure forward and reverse DNS records for the VMware Live Cyber Recovery Connector appliance IP addresses.
Design Justification: Ensures the appliances are accessible by using a fully qualified domain name instead of using IP addresses only.
Design Implication:
  • You must provide a DNS record for the appliance IP address.
  • Firewalls between the appliance and the DNS servers must allow DNS traffic.

Decision ID: CBW-CDP-NET-006
Design Decision: Configure DNS servers on the VMware Live Cyber Recovery Connector appliances.
Design Justification: Ensures the appliance has accurate name resolution.
Design Implication:
  • Firewalls between the appliance and the DNS servers must allow DNS traffic.
  • You must provide two or more DNS servers unless DNS geographic load balancing is active.

Decision ID: CBW-CDP-NET-007
Design Decision: Configure forward and reverse DNS records for the HCX Connector appliance IP address.
Design Justification: Ensures the appliance is accessible by using a fully qualified domain name instead of using IP addresses only.
Design Implication:
  • You must provide a DNS record for the appliance IP address.
  • Firewalls between the appliance and the DNS servers must allow DNS traffic.

Decision ID: CBW-CDP-NET-008
Design Decision: Configure DNS servers on the HCX Connector appliance.
Design Justification: Ensures the appliance has accurate name resolution.
Design Implication:
  • DNS infrastructure services must be highly available in the environment.
  • Firewalls between the appliance and the DNS servers must allow DNS traffic.
  • You must provide two or more DNS servers unless DNS geographic load balancing is active.
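
A pre-deployment check for the addressing and name resolution decisions above, as an added example that is not part of the original design document: it verifies that each connector's static IP is in the management subnet, that its A and PTR records agree, and that at least two DNS servers are configured. The host names, addresses, subnet and function names are constructed assumptions, and the resolver reads inline sample records rather than querying live DNS.

```python
import ipaddress

def static_resolver(a_records, ptr_records):
    """Lookups over constructed zone data; swap in real DNS queries for live use."""
    return (lambda name: a_records.get(name.lower(), []),
            lambda ip: ptr_records.get(ip))

def check_appliance(fqdn, ip, mgmt_cidr, dns_servers, resolver, geo_lb=False):
    """Return findings for one appliance; an empty list means it passes."""
    forward, reverse = resolver
    findings = []
    # Placement: the static IP must come from the management VLAN subnet.
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(mgmt_cidr):
        findings.append(f"{fqdn}: {ip} is outside management network {mgmt_cidr}")
    # Forward (A) record must resolve to exactly the allocated static IP.
    addrs = forward(fqdn)
    if not addrs:
        findings.append(f"{fqdn}: no forward (A) record")
    elif addrs != [ip]:
        findings.append(f"{fqdn}: A record {addrs} does not match static IP {ip}")
    # Reverse (PTR) record must point back to the same FQDN.
    ptr = reverse(ip)
    if ptr is None:
        findings.append(f"{fqdn}: no reverse (PTR) record for {ip}")
    elif ptr.rstrip(".").lower() != fqdn.lower():
        findings.append(f"{fqdn}: PTR for {ip} points to {ptr}")
    # Two or more DNS servers unless DNS geographic load balancing is active.
    if not geo_lb and len(set(dns_servers)) < 2:
        findings.append(f"{fqdn}: fewer than two DNS servers configured")
    return findings

# Constructed sample data (hypothetical names and addresses).
MGMT_CIDR = "10.11.10.0/24"
A_RECORDS = {"lcr-conn01.corp.example": ["10.11.10.71"],
             "hcx-conn01.corp.example": ["10.11.10.81"]}
PTR_RECORDS = {"10.11.10.71": "lcr-conn01.corp.example.",
               "10.11.10.81": "hcx-old.corp.example."}  # stale PTR
APPLIANCES = [
    ("lcr-conn01.corp.example", "10.11.10.71", ["10.11.10.4", "10.11.10.5"]),
    ("hcx-conn01.corp.example", "10.11.10.81", ["10.11.10.4"]),  # one DNS server
]

def run_checks():
    resolver = static_resolver(A_RECORDS, PTR_RECORDS)
    return [f for fqdn, ip, dns in APPLIANCES
            for f in check_appliance(fqdn, ip, MGMT_CIDR, dns, resolver)]

if __name__ == "__main__":
    print("\n".join(run_checks()) or "all checks passed")
```

A stale PTR record like the one in the sample is worth catching before deployment, because components that validate peers by reverse lookup will see a different host name than the one the appliance was registered with.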

Time Synchronization

Time synchronization provided by the Network Time Protocol (NTP) ensures that all components within the SDDC are synchronized to the same time source. This section of the design consists of characteristics and decisions that support the time configuration for the VMware Live Cyber Recovery and HCX Connector appliances.

Table 4. Design Decisions on Time Synchronization for Cloud-Based Workload Protection

Decision ID: CBW-CDP-NET-009
Design Decision: Use VMware Tools™ to synchronize time from ESXi hosts for the VMware Live Cyber Recovery Connector appliances.
Design Justification: Prevents time mismatches between the VMware Live Cyber Recovery Connector appliance and its dependencies.
Design Implication:
  • Ensures that ESXi hosts are configured for NTP.
  • NTP infrastructure services must be highly available in the environment.
  • Firewalls between ESXi hosts and the NTP servers must allow NTP traffic.
  • You must provide two or more NTP servers unless NTP geographic load balancing is active.
  • NTP must already be set up on ESXi hosts before implementing the solution.

Decision ID: CBW-CDP-NET-010
Design Decision: Configure NTP servers for the HCX Connector appliance.
Design Justification:
  • Ensures that the appliance has accurate time synchronization.
  • Assists in the prevention of time mismatch between the appliance and dependencies.
Design Implication:
  • NTP infrastructure services must be highly available in the environment.
  • Firewalls between the appliance and the NTP servers must allow NTP traffic.
  • You must provide two or more NTP servers unless NTP geographic load balancing is active.