Appendix: Design Decisions for Cloud-Based Workload Protection for VMware Cloud Foundation

The appendix aggregates design decisions that determine the deployment configuration to support Cloud-Based Workload Protection for VMware Cloud Foundation validated solution. You can use this design decisions list for reference related to the end state of the environment and potentially to track your level of adherence to the design and any justification for deviations.

Deployment Specification

Table 1. Design Decisions on the Deployment of a DRaaS Connector
Decision ID	Design Decision	Design Justification	Design Implication
CBW-CDP-CFG-001	Deploy two DRaaS Connector appliances in the default management vSphere cluster.	Required to establish secure communication between the VMware Cloud Foundation instance and VMware Cloud Disaster Recovery.	The DRaaS Connector appliances must be able to connect to the internet through a firewall.
CBW-CDP-CFG-002	Protect the DRaaS Connector appliances by using vSphere High Availability.	Supports the availability objective without requiring manual intervention during an ESXi host failure.	None.
CBW-CDP-CFG-003	Place the DRaaS Connector appliances in a designated virtual machine folder.	Provides organization of the appliances in the management domain vSphere inventory.	You must create the virtual machine folder during deployment.
CBW-CDP-CFG-004	Apply vSphere Distributed Resource Scheduler anti-affinity rules to the DRaaS Connector appliances.	vSphere Distributed Resource Scheduler prevents the DRaaS Connector appliances from residing on the same ESXi host and impacting the performance of replications.	You must perform an additional configuration to set up an anti-affinity rule. For a default management vSphere cluster that consists of four ESXi hosts, you can put in maintenance mode only a single ESXi host at a time.

Table 2. Design Decisions on the Deployment of a DRaaS Connector in Multiple Availability Zones
Decision ID	Design Decision	Design Justification	Design Implication
CBW-CDP-CFG-005	When using two availability zones, add the DRaaS Connector appliances to the VM group of the first availability zone.	Ensures that the DRaaS Connector appliances runs in the primary availability zone hosts group.	After the implementation of the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the DRaaS Connector appliances.

Table 3. Design Decisions on the Deployment of an HCX Connector
Decision ID	Design Decision	Design Justification	Design Implication
CBW-CDP-CFG-006	Deploy the HCX Connector appliance in the default management vSphere cluster.	Required to establish secure communication between the VMware Cloud Foundation instance and VMware HCX.	The HCX Connector must be able to connect to the internet through a firewall.
CBW-CDP-CFG-007	Protect the HCX Connector appliance by using vSphere High Availability.	Supports the availability objective without requiring manual intervention during an ESXi host failure.	None.
CBW-CDP-CFG-008	Place the HCX Connector appliance in a designated virtual machine folder.	Provides organization of the appliances in the management domain vSphere inventory.	You must create the virtual machine folder during deployment.

Table 4. Design Decisions on the Deployment of a HCX Connector in Multiple Availability Zones
Decision ID	Design Decision	Design Justification	Design Implication
CBW-CDP-CFG-009	When using two availability zones, add the HCX Connector appliance to the VM group of the first availability zone.	Ensures that the HCX Connector appliance runs in the primary availability zone hosts group.	After the implementation of the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the HCX Connector appliance.

Network Design

Table 5. Design Decisions on the Network Segments for Cloud-Based Workload Protection
Decision ID	Design Decision	Design Justification	Design Implication
CBW-CDP-NET-001	Place the DRaaS Connector appliances on the management VLAN.	Places the DRaaS Connector appliances on the same network as the VMware Cloud Foundation components that the appliances must communicate with. Provides a consistent deployment model for VMware Cloud services.	None.
CBW-CDP-NET-002	Place the HCX Connector appliance on the management VLAN.	Places the HCX Connector on the same network as the VMware Cloud Foundation components that the appliance must communicate with. Provides a consistent deployment model for VMware Cloud services.	None.

Table 6. Design Decisions on the IP Addressing for Cloud-Based Workload Protection
Decision ID	Design Decision	Design Justification	Design Implication
CBW-CDP-NET-003	Allocate statically assigned IP addresses from the management VLAN to the DRaaS Connector appliances.	Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.	Requires precise IP address management.
CBW-CDP-NET-004	Allocate statically assigned IP addresses from the management VLAN to the HCX Connector appliance.	Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.	Requires precise IP address management.

Table 7. Design Decisions on Name Resolution for Cloud-Based Workload Protection
Decision ID	Design Decision	Design Justification	Design Implication
CBW-CDP-NET-005	Configure forward and reverse DNS records for the DRaaS Connector appliance IP addresses.	Ensures the appliances are accessible by using a fully qualified domain name instead of using IP addresses only.	You must provide a DNS record for the appliance IP address. Firewalls between the appliance and the DNS servers must allow DNS traffic.
CBW-CDP-NET-006	Configure DNS servers on the DRaaS Connector appliances.	Ensures the appliance has accurate name resolution.	Firewalls between the appliance and the DNS servers must allow DNS traffic. You must provide two or more DNS servers unless a DNS geographic load balancing is active.
CBW-CDP-NET-007	Configure forward and reverse DNS records for the HCX Connector appliance IP address.	Ensures the appliance is accessible by using a fully qualified domain name instead of using IP addresses only.	You must provide a DNS record for the appliance IP address. Firewalls between the appliance and the DNS servers must allow DNS traffic.
CBW-CDP-NET-008	Configure DNS servers on the HCX Connector appliance.	Ensures the appliance has accurate name resolution.	DNS infrastructure services should be highly-available in the environment. Firewalls between the appliance and the DNS servers must allow DNS traffic. You must provide two or more DNS servers unless a DNS geographic load balancing is active.

Table 8. Design Decisions on Time Synchronization for Cloud-Based Workload Protection
Decision ID	Design Decision	Design Justification	Design Implication
CBW-CDP-NET-009	Configure NTP servers for the DRaaS Connector appliances.	Ensures that the appliances have accurate time synchronization. Assists in the prevention of time mismatch between the appliance and dependencies.	NTP infrastructure services should be highly-available in the environment. Firewalls between the appliance and the NTP servers must allow NTP traffic. You must provide two or more NTP servers unless an NTP geographic load balancing is active.
CBW-CDP-NET-010	Configure NTP servers for the DRaaS Connector appliance.	Ensures that the appliance has accurate time synchronization. Assists in the prevention of time mismatch between the appliance and dependencies.	NTP infrastructure services should be highly-available in the environment. Firewalls between the appliance and the NTP servers must allow NTP traffic. You must provide two or more NTP servers unless an NTP geographic load balancing is active.

VMware Cloud on AWS Design

Table 9. Design Decisions on VMware Cloud on AWS for VMware Cloud Disaster Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBW-AWS-CFG-001	Deploy a pilot light VMware Cloud on AWS recovery SDDC.	Provides the lowest recovery time objective (RTO) due to the recovery SDDC being available instantly. Provides a platform to perform networking configurations required at recovery time.	A minimal footprint VMware Cloud on AWS SDDC is always online.
CBW-AWS-CFG-002	Deploy a VMware Cloud on AWS recovery SDDC with a minimum of two nodes.	Ensures that the pre-provisioned recovery SDDC remains available. A single node expires after 60 days.	A pre-provisioned recovery SDDC consumes infrastrucutre that incurs a regular charge.
CBW-AWS-CFG-003	Configure the management gateway to allow access to VMware Cloud on AWS recovery SDDC vCenter Server over the internet.	Enables users to access the vCenter Server UI of the recovery SDDC over the internet.	You must manually manage access to the vCenter Server by using an NSX group.

VMware HCX Design

Table 10. Design Decisions on HCX Integration
Decision ID	Design Decision	Design Justification	Design Implication
CBW-HCX-CFG-001	Register the HCX Connector with the VI workload domain vCenter Server.	Registering the HCX Connector with vCenter Server installs the plug-ins to integrate HCX with vCenter Server.	None.
CBW-HCX-CFG-002	Register the HCX Connector with the VI workload domain NSX Manager.	Registering the HCX Connector with NSX Manager is required to activate the networking configuration.	None.
CBW-HCX-CFG-003	Register the HCX Connecter with the Single Sign-On Domain of the VI workload domain vCenter Server.	By registering the HCX Connector with Single Sign-On, you can create dedicated VMware HCX roles within vCenter Server.	None.

Table 11. Design Decisions on Site Paring for VMware HCX
Decision ID	Design Decision	Design Justification	Design Implication
CBW-HCX-CFG-004	Pair the HCX Connector with the HCX Cloud service.	Required to establish unidirectional communication between the VMware Cloud Foundation instance and the HCX Cloud service to create a service mesh.	The HCX Connector must be able to connect to the internet through a firewall.

Table 12. Design Decisions on Service Mesh for VMware HCX
Decision ID	Design Decision	Design Justification	Design Implication
CBW-HCX-CFG-005	Create a management network profile using the management network distributed switch portgroup and assign Management and HCX Uplink traffic types.	Provides management network configuration details used when deploying VMware HCX service appliances.	None.
CBW-HCX-CFG-006	Assign the management network profile a pool of 5 IP addresses from the VI workload domain management VLAN.	Provides a pool of IP addresses that can dynamically be assigned to the VMware HCX service appliances.	You must allocate a static pool of IP addresses from the VI workload domain management VLAN.
CBW-HCX-CFG-007	Create a vMotion network profile using the vMotion network distributed switch portgroup and assign vMotion traffic type.	Provides vMotion network configuration details used when deploying VMware HCX service appliances.	None.
CBW-HCX-CFG-008	Assign the vMotion network profile a pool of 5 IP addresses from the VI workload domain vMotion VLAN.	Provides a pool of IP addresses that can dynamically be assigned to the VMware HCX service appliances.	You must allocate of a static pool of IP addresses from the VI workload domain vMotion VLAN.
CBW-HCX-CFG-009	Create a compute profile and activate all available VMware HCX services.	Provides the compute, storage, and network settings that VMware HCX uses for deploying the interconnect-dedicated appliances when a Service Mesh is added.	Services that can be activated are dependent on the VMware HCX license applied during the activation of the HCX Connector.
CBW-HCX-CFG-010	Assign the VI workload domain cluster as a resource to the compute profile.	Provides compute capacity for the interconnect-dedicated appliances when a Service Mesh is added.	None.
CBW-HCX-CFG-011	Assign a vSphere resource pool as a container to the compute profile.	Provides a container to group the interconnect-dedicated appliances and the ability to configure resource priorities.	You must manually create a resource pool prior to configuring the compute profile.
CBW-HCX-CFG-012	Assign a virtual machine folder as a container to the compute profile.	Provides organization of the appliances in the management domain vSphere inventory.	You must manually create a virtual machine folder prior to configuring the compute profile.
CBW-HCX-CFG-013	Assign the management and vMotion network profiles to the compute profile.	Provides network settings for the interconnect-dedicated appliances when a Service Mesh is added.	None.
CBW-HCX-CFG-014	Create a Service Mesh between the VMware Cloud Foundation instance and VMware Cloud on AWS recovery SDDC.	Provides an interconnect between the on-premises and the VMware Cloud on AWS environments to enable extending VMware Cloud Foundation networks to faciliate disaster recovery without the need to re-IP application virtual machines.	None.

VMware Cloud Disaster Recovery Design

Table 13. Design Decisions on Cloud File System for VMware Cloud Disaster Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBW-VCDR-CFG-001	Deploy a cloud file system in the same availability zone inside one AWS region as the recovery SDDC.	Cloud file systems and recovery SDDCs must be the same availability zone inside one AWS region.	None.

Table 14. Design Decisions on Protected Site for VMware Cloud Disaster Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBW-VCDR-CFG-002	Create a protected site for your VMware Cloud Foundation instance using a public internet connection.	Defines the VMware Cloud Foundation instance where business workloads will be protected.	None.
CBW-VCDR-CFG-003	Associate the DRaaS Connector appliances with the protected site.	Provides secure communication over the internet between the on-premises vCenter Server and the VMware Cloud Disaster Recovery service.	Deploy the DRaaS Connector appliances manually into your VMware Cloud Foundation management domain vCenter Server.
CBW-VCDR-CFG-004	Register the VI workload domain vCenter Server with the protected site in the VMware Cloud Disaster Recovery service.	Connects the on-premises vCenter Server of the VI workload domain with the VMware Cloud Disaster Recovery service to enable protection of business workloads.	Requires at least one DRaaS Connector appliance deployed within the on-premises vCenter Server.

Table 15. Design Decisions on Recovery SDDC for VMware Cloud Disaster Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBW-VCDR-CFG-005	Attach the pilot light VMware Cloud on AWS recovery SDDC to the VMware Cloud Disaster Recovery service.	Provides a target SDDC for virtual machine recovery.	None.

Table 16. Design Decisions on Email Alerts for VMware Cloud Disaster Recovery
Decision ID	Design Decision	Design Justification	Design Implication
CBW-VCDR-CFG-006	Configure the VMware Cloud Disaster Recovery service to send SLA status alerts.	Ensures that if any SLA status alerts are triggered, they are communicated to support representatives.	VMware Cloud Disaster Recovery uses the AWS mail service. Recipients must respond to the AWS email address verification request before receiving an email from VMware Cloud Disaster Recovery.

Life Cycle Management Design

Table 17. Design Decisions on Life Cycle Management of the Connector Appliances
Decision ID	Design Decision	Design Justification	Design Implication
CBW-CDP-LCM-001	Use the VMware Cloud Services automatic over-the-air service to perform the upgrades to the DRaaS Connector appliances.	The VMware Cloud Disaster Recovery service pushes upgrades automatically.	None.
CBW-CDP-LCM-002	Manually upgrade the HCX Connector appliance using the built in tools.	An upgrade package has to be downloaded and applied to the HCX appliance in order to perform an upgrade.	None.

Table 18. Design Decisions on Life Cycle Management of the HCX Connector appliance
Decision ID	Design Decision	Design Justification	Design Implication
CBW-CDP-LCM-002	Use the VMware Cloud Services automatic over-the-air service to perform the upgrades to the HCX Connector appliance.	The VMware HCX service pushes upgrades automatically.	None.

Information Security and Access Control Design

Table 19. Design Decisions on Identity Management for Cloud-Based Workload Protection
Decision ID	Design Decision	Design Justification	Design Implication
CBW-IAM-SEC-001	Limit the use of local accounts for interactive or API access and solution integration.	Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity.	You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.
CBW-IAM-SEC-002	Limit the scope and privileges for accounts used for interactive or API access and solution integration.	The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.	You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.
CBW-IAM-SEC-003	Assign VMware Cloud Disaster Recovery service roles to designated users.	To provide access to VMware Cloud Disaster Recovery service, you assign users to service roles.	You must maintain the service roles required for users of your organization.
CBW-IAM-SEC-004	Assign VMware Cloud on AWS service roles to designated users.	To provide access to VMware Cloud on AWS service, you assign users to service roles.	You must maintain the service roles required for users of your organization.
CBW-IAM-SEC-005	Assign VMware HCX service roles to designated users.	To provide access to VMware HCX service, you assign users to service roles.	You must maintain the service roles required for users of your organization.

Table 20. Design Decisions on Service Accounts for Cloud-Based Workload Protection
Decision ID	Design Decision	Design Justification	Design Implication
CBW-IAM-SEC-006	Define a custom vCenter Server role for VMware Cloud Disaster Recovery with minimum privileges required to support the registration of a vCenter Server.	VMware Cloud Disaster Recovery integrates with each workload domain vCenter Server instance using a minimum set of privileges required to support registration.	You must maintain the privileges required by the custom vSphere role. If additional workload domain vCenter Server instances are not in the same vCenter Single Sign-On domain, you must apply the custom role to each vCenter Single Sign-On domain.
CBW-IAM-SEC-007	Assign the custom vCenter Server role to an Active Directory user account as a service account for each VI workload domain vCenter Server instance for application-to-application communication between VMware Cloud Disaster Recovery and vCenter Server.	Provides integration and data collection of objects managed by the vCenter Server for a given VI workload domain. Limiting the use of a service account reduces the risk in the case of either a security or a password-related event. Using a named Active Directory account provides for auditability unlike generic administrative accounts.	You must maintain the life cycle, availability, and security controls for the account in Active Directory.
CBW-IAM-SEC-008	Define a custom vCenter Server role for VMware HCX with minimum privileges required to support the registration of a vCenter Server.	VMware HCX integrates with each VI workload domain vCenter Server instance using a minimum set of privileges required to support registration and management.	You must maintain the privileges required by the custom vSphere role. If additional VI workload domain vCenter Server instances are not in the same vCenter Single Sign-On domain, you must apply the custom role to each vCenter Single Sign-On domain.
CBW-IAM-SEC-009	Assign the custom vCenter Server role to an Active Directory user account as a service account for each VI workload domain vCenter Server instance for application-to-application communication between VMware HCX and vCenter Server.	Provides integration and data collection of objects managed by the vCenter Server for a given VI workload domain. Limiting the use of a service account reduces the risk in the case of either a security or a password-related event. Using a named Active Directory account provides for auditability unlike generic administrative accounts.	You must maintain the life cycle, availability, and security controls for the account in Active Directory.
CBW-IAM-SEC-010	Assign the default Enterprise Admin role in NSX Manager to a service account for each VI workload domain NSX Manager instance for application-to-application communication between VMware HCX and NSX.	VMware HCX integrates with each VI workload domain NSX Manager instance using a minimum set of privileges required to support registration and management.	None.

Table 21. Design Decisions on Password Policies for Cloud-Based Workload Protection
Decision ID	Design Decision	Design Justification	Design Implication
CBW-IAM-SEC-011	Configure the local user password expiration policy for each HCX Connector appliance.	You configure the local user password expiration policy for each HCX Connector appliance to align with the requirements of your organization which might be based on industry compliance standards. The local user password expiration policy is applicable to the root and the admin accounts for the HCX Connector appliance.	You must manage the local user password expiration settings on each HCX Connector appliance by using the appliance console.
CBW-IAM-SEC-012	Configure the local user password complexity policy for each HCX Connector appliance.	You configure the local user password complexity policy for each HCX Connector appliance to align with the requirements of your organization which might be based on industry compliance standards. The local user password complexity policy is applicable only to the local HCX Connector appliance users.	You must manage the local user password complexity settings on each HCX Connector appliance by using the appliance console.
CBW-IAM-SEC-013	Configure the local user account lockout policy for each HCX Connector appliance.	You configure the local user account lockout policy for each HCX Connector appliance to align with the requirements of your organization which might be based on industry compliance standards. The local user account lockout policy is applicable only to the local HCX Connector appliance users.	You must manage the local user account lockout settings on each HCX Connector appliance by using the appliance console.

Table 22. Design Decisions on Password Management for Cloud-Based Workload Protection
Decision ID	Design Decision	Design Justification	Design Implication
CBW-IAM-SEC-014	For each vCenter Server, change the VMware Cloud Disaster Recovery service account password on a recurring or event-initiated schedule.	To maintain a secure platform, you should rotate the VMware Cloud Disaster Recovery service account passwords on a regular basis.	Performing password rotation for a service account is a manual process. You update the associated credentials in the VMware Cloud Disaster Recovery service.
CBW-IAM-SEC-015	For each vCenter Server, change the VMware HCX service account password on a recurring or event-initiated schedule.	To maintain a secure platform, you should rotate the VMware HCX service account passwords on a regular basis.	Performing password rotation for a service account is a manual process. You update the associated credentials in the HCX Connector appliance.
CBW-IAM-SEC-016	For each NSX Manager, change the VMware HCX service account password on a recurring or event-initiated schedule.	To maintain a secure platform, you should rotate the VMware HCX service account passwords on a regular basis.	Performing password rotation for a service account is a manual process. You update the associated credentials in the HCX Connector appliance.
CBW-IAM-SEC-017	Change the HCX Connector appliance root and admin passwords on a recurring or event-initiated schedule.	The password for the HCX Connector appliance root and admin accounts never expires based on the default password expiration policy.	You must manage the password change for the root and the admin accounts. You must manage the password change on each HCX Connector appliance by using the virtual appliance console.

Table 23. Design Decisions on Certificate Management for Cloud-Based Workload Protection
Decision ID	Design Decision	Design Justification	Design Implication
CBW-IAM-SEC-018	Replace the default self-signed certificate with a CA-signed certificate during the deployment of the HCX Connector appliance.	Ensures that all communication to the user interface of the HCX Connector appliance is encrypted.	Replacing the default certificates with a trusted CA-signed certificates increases the deployment preparation time as certificates requests are generated and delivered. You must manage the life cycle of the certificate replacement. The SSL certificate key size must be 2048 or 4096 bits.
CBW-IAM-SEC-019	Use a SHA-2 or higher algorithm when signing certificates.	The SHA-1 algorithm is considered less secure and is deprecated.	Not all certificate authorities support SHA-2.
CBW-IAM-SEC-020	Rotate the CA-signed certificate of the HCX Connector appliance on a recurring or event-initiated schedule.	Ensures that all communication to the user interface of the HCX Connector appliance and between the components continues to be encrypted with a non-expired or non-compromised certificate.	Replacing the default certificates with a trusted CA-signed certificates may require preparation time as certificates requests are generated and delivered. You must continue to manage the life cycle of the certificate replacement. The SSL certificate key size must be 2048 or 4096 bits.

Solution Interoperability

Table 24. Design Decisions on Monitoring and Alerting Using Intelligent Operations Management for VMware Cloud Foundation
Decision ID	Design Decision	Design Justification	Design Implication
CBW-MON-IOM-001	Add a Ping adapter for the DRaaS and HCX Connector appliances.	Provides metrics on the availability of the DRaaS and HCX Connector appliances.	You must add the adapter instances manually.
CBW-MON-IOM-002	Configure the Ping adapter for the DRaaS and HCX Connector appliances to use the remote collector group.	Offloads data collection for local management components from the analytics cluster.	None.

Table 25. Design Decisions on Monitoring and Alerting Using Cloud-Based Intelligent Operations for VMware Cloud Foundation
Decision ID	Design Decision	Design Justification	Design Implication
CBW-MON-CBO-001	Add a Ping adapter for the DRaaS and HCX Connector appliances.	Provides metrics on the availability of the DRaaS and HCX Connector appliances.	You must add the adapter instances manually.
CBW-MON-CBO-002	Configure the Ping adapter for the DRaaS and HCX Connector appliances to use the remote collector group.	Offloads data collection for local management components from the analytics cluster.	None.

Table 26. Design Decisions on Logging Using Cloud-Based Intelligent Logging for VMware Cloud Foundation
Decision ID	Design Decision	Design Justification	Design Implication
CBW-LOG-CBL-001	Activate event forwarding to VMware Aria Operations for Logs.	Ensures the transmission of logs from VMware Cloud Disaster Recovery to VMware Aria Operations for Logs using the Ingestion API.	You must manually enable the integration.

Table 27. Design Decisions on Data Protection for VMware HCX
Decision ID	Design Decision	Design Justification	Design Implication
CBW-BCK-HCX-001	Configure an FTP server using the SFTP protocol as a target for the HCX Connector.	Provides an external target for storing backup sets.	An external FTP server supporting SFTP must be available in the environemnt.
CBW-BCK-HCX-002	Configure a backup schedule for the HCX Connector.	Ensures regular backups, which facilitate recovery, are performed.	None.