The appendix aggregates design decisions that determine the deployment configuration to support Cloud-Based Workload Protection for VMware Cloud Foundation validated solution. You can use this design decisions list for reference related to the end state of the environment and potentially to track your level of adherence to the design and any justification for deviations.

Deployment Specification

Table 1. Design Decisions on the Deployment of a DRaaS Connector

Decision ID

Design Decision

Design Justification

Design Implication

CBW-CDP-CFG-001

Deploy two DRaaS Connector appliances in the default management vSphere cluster.

Required to establish secure communication between the VMware Cloud Foundation instance and VMware Live Cyber Recovery.

The DRaaS Connector appliances must be able to connect to the internet through a firewall.

CBW-CDP-CFG-002

Protect the DRaaS Connector appliances by using vSphere High Availability.

Supports the availability objective without requiring manual intervention during an ESXi host failure.

None.

CBW-CDP-CFG-003

Place the DRaaS Connector appliances in a designated virtual machine folder.

Provides organization of the appliances in the management domain vSphere inventory.

You must create the virtual machine folder during deployment.

CBW-CDP-CFG-004

Apply vSphere Distributed Resource Scheduler anti-affinity rules to the DRaaS Connector appliances.

vSphere Distributed Resource Scheduler prevents the DRaaS Connector appliances from residing on the same ESXi host and impacting the performance of replications.

  • You must perform an additional configuration to set up an anti-affinity rule.

  • For a default management vSphere cluster that consists of four ESXi hosts, you can put in maintenance mode only a single ESXi host at a time.

Table 2. Design Decisions on the Deployment of a DRaaS Connector in Multiple Availability Zones

Decision ID

Design Decision

Design Justification

Design Implication

CBW-CDP-CFG-005

When using two availability zones, add the DRaaS Connector appliances to the VM group of the first availability zone.

Ensures that the DRaaS Connector appliances runs in the primary availability zone hosts group.

After the implementation of the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the DRaaS Connector appliances.

Table 3. Design Decisions on the Deployment of an HCX Connector

Decision ID

Design Decision

Design Justification

Design Implication

CBW-CDP-CFG-006

Deploy the HCX Connector appliance in the default management vSphere cluster.

Required to establish secure communication between the VMware Cloud Foundation instance and VMware HCX.

The HCX Connector must be able to connect to the internet through a firewall.

CBW-CDP-CFG-007

Protect the HCX Connector appliance by using vSphere High Availability.

Supports the availability objective without requiring manual intervention during an ESXi host failure.

None.

CBW-CDP-CFG-008

Place the HCX Connector appliance in a designated virtual machine folder.

Provides organization of the appliances in the management domain vSphere inventory.

You must create the virtual machine folder during deployment.

Table 4. Design Decisions on the Deployment of an HCX Connector in Multiple Availability Zones

Decision ID

Design Decision

Design Justification

Design Implication

CBW-CDP-CFG-009

When using two availability zones, add the HCX Connector appliance to the VM group of the first availability zone.

Ensures that the HCX Connector appliance runs in the primary availability zone hosts group.

After the implementation of the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the HCX Connector appliance.

Network Design

Table 5. Design Decisions on the Network Segments for Cloud-Based Workload Protection

Decision ID

Design Decision

Design Justification

Design Implication

CBW-CDP-NET-001

Place the DRaaS Connector appliances on the management VLAN.

  • Places the DRaaS Connector appliances on the same network as the VMware Cloud Foundation components that the appliances must communicate with.

  • Provides a consistent deployment model for VMware Cloud services.

None.

CBW-CDP-NET-002

Place the HCX Connector appliance on the management VLAN.

  • Places the HCX Connector on the same network as the VMware Cloud Foundation components that the appliance must communicate with.

  • Provides a consistent deployment model for VMware Cloud services.

None.

Table 6. Design Decisions on the IP Addressing for Cloud-Based Workload Protection

Decision ID

Design Decision

Design Justification

Design Implication

CBW-CDP-NET-003

Allocate statically assigned IP addresses from the management VLAN to the DRaaS Connector appliances.

Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.

Requires precise IP address management.

CBW-CDP-NET-004

Allocate statically assigned IP addresses from the management VLAN to the HCX Connector appliance.

Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.

Requires precise IP address management.

Table 7. Design Decisions on Name Resolution for Cloud-Based Workload Protection

Decision ID

Design Decision

Design Justification

Design Implication

CBW-CDP-NET-005

Configure forward and reverse DNS records for the DRaaS Connector appliance IP addresses.

Ensures the appliances are accessible by using a fully qualified domain name instead of using IP addresses only.

  • You must provide a DNS record for the appliance IP address.

  • Firewalls between the appliance and the DNS servers must allow DNS traffic.

CBW-CDP-NET-006

Configure DNS servers on the DRaaS Connector appliances.

Ensures the appliance has accurate name resolution.

  • Firewalls between the appliance and the DNS servers must allow DNS traffic.

  • You must provide two or more DNS servers unless a DNS geographic load balancing is active.

CBW-CDP-NET-007

Configure forward and reverse DNS records for the HCX Connector appliance IP address.

Ensures the appliance is accessible by using a fully qualified domain name instead of using IP addresses only.

  • You must provide a DNS record for the appliance IP address.

  • Firewalls between the appliance and the DNS servers must allow DNS traffic.

CBW-CDP-NET-008

Configure DNS servers on the HCX Connector appliance.

Ensures the appliance has accurate name resolution.

  • DNS infrastructure services must be highly-available in the environment.

  • Firewalls between the appliance and the DNS servers must allow DNS traffic.

  • You must provide two or more DNS servers unless a DNS geographic load balancing is active.

Table 8. Design Decisions on Time Synchronization for Cloud-Based Workload Protection

Decision ID

Design Decision

Design Justification

Design Implication

CBW-CDP-NET-009

Use VMware Tools™ to synchronize time from ESXi hosts for the DRaaS Connector appliances.

Prevents time mismatches between the the DRaaS Connector appliance and its dependencies.

  • Ensures that ESXi hosts are configured for NTP.

  • NTP infrastructure services must be highly-available in the environment.

  • Firewalls between ESXi hosts and the NTP servers must allow NTP traffic.

  • You must provide two or more NTP servers unless an NTP geographic load balancing is active.

  • NTP must already be set up on ESXi hosts before implementing the solution.

CBW-CDP-NET-010

Configure NTP servers for the HCX Connector appliance.

  • Ensures that the appliance has accurate time synchronization.

  • Assists in the prevention of time mismatch between the appliance and dependencies.

  • NTP infrastructure services must be highly-available in the environment.

  • Firewalls between the appliance and the NTP servers must allow NTP traffic.

  • You must provide two or more NTP servers unless an NTP geographic load balancing is active.

VMware Cloud on AWS Design

Table 9. Design Decisions on VMware Cloud on AWS for VMware Live Cyber Recovery

Decision ID

Design Decision

Design Justification

Design Implication

CBW-AWS-CFG-001

Deploy a pilot light VMware Cloud on AWS recovery SDDC.

  • Provides the lowest recovery time objective (RTO) due to the recovery SDDC being available instantly.

  • Provides a platform to perform networking configurations required at recovery time.

A minimal footprint VMware Cloud on AWS SDDC is always online.

CBW-AWS-CFG-002

Deploy a VMware Cloud on AWS recovery SDDC with a minimum of two nodes.

Ensures that the pre-provisioned recovery SDDC remains available. A single node expires after 60 days.

A pre-provisioned recovery SDDC consumes infrastructure that incurs a regular charge.

CBW-AWS-CFG-003

Configure the management gateway to allow access to VMware Cloud on AWS recovery SDDC vCenter Server over the internet.

Ensures users can access the vCenter Server UI of the recovery SDDC over the internet.

You must manually manage access to the vCenter Server by using an NSX group.

VMware HCX Design

Table 10. Design Decisions on HCX Integration

Decision ID

Design Decision

Design Justification

Design Implication

CBW-HCX-CFG-001

Register the HCX Connector with the VI workload domain vCenter Server.

Registering the HCX Connector with vCenter Server installs the plug-ins to integrate HCX with vCenter Server.

None.

CBW-HCX-CFG-002

Register the HCX Connector with the VI workload domain NSX Manager.

Registering the HCX Connector with NSX Manager is required to activate the networking configuration.

None.

CBW-HCX-CFG-003

Register the HCX Connector with the Single Sign-On Domain of the VI workload domain vCenter Server.

By registering the HCX Connector with Single Sign-On, you can create dedicated VMware HCX roles within vCenter Server.

None.

Table 11. Design Decisions on Site Paring for VMware HCX

Decision ID

Design Decision

Design Justification

Design Implication

CBW-HCX-CFG-004

Pair the HCX Connector with the HCX Cloud service.

Required to establish unidirectional communication between the VMware Cloud Foundation instance and the HCX Cloud service to create a Service Mesh.

The HCX Connector must be able to connect to the internet through a firewall.

Table 12. Design Decisions on Service Mesh for VMware HCX

Decision ID

Design Decision

Design Justification

Design Implication

CBW-HCX-CFG-005

Create a management network profile using the management network distributed switch port group and assign Management and HCX Uplink traffic types.

Provides management network configuration details used when deploying VMware HCX service appliances.

None.

CBW-HCX-CFG-006

Assign the management network profile a pool of 5 IP addresses from the VI workload domain management VLAN.

Provides a pool of IP addresses that can dynamically be assigned to the VMware HCX service appliances.

You must allocate a static pool of IP addresses from the VI workload domain management VLAN.

CBW-HCX-CFG-007

Create a vMotion network profile using the vMotion network distributed switch port group and assign vMotion traffic type.

Provides vMotion network configuration details used when deploying VMware HCX service appliances.

None.

CBW-HCX-CFG-008

Assign the vMotion network profile a pool of 5 IP addresses from the VI workload domain vMotion VLAN.

Provides a pool of IP addresses that can dynamically be assigned to the VMware HCX service appliances.

You must allocate of a static pool of IP addresses from the VI workload domain vMotion VLAN.

CBW-HCX-CFG-009

Create a compute profile and activate all available VMware HCX services.

Provides the compute, storage, and network settings that VMware HCX uses for deploying the interconnect-dedicated appliances when a Service Mesh is added.

Services that can be activated are dependent on the VMware HCX license applied during the activation of the HCX Connector.

CBW-HCX-CFG-010

Assign the VI workload domain cluster as a resource to the compute profile.

Provides compute capacity for the interconnect-dedicated appliances when a Service Mesh is added.

None.

CBW-HCX-CFG-011

Assign a vSphere resource pool as a container to the compute profile.

Provides a container to group the interconnect-dedicated appliances and the ability to configure resource priorities.

You must manually create a resource pool before configuring the compute profile.

CBW-HCX-CFG-012

Assign a virtual machine folder as a container to the compute profile.

Provides organization of the appliances in the management domain vSphere inventory.

You must manually create a virtual machine folder before configuring the compute profile.

CBW-HCX-CFG-013

Assign the management and vMotion network profiles to the compute profile.

Provides network settings for the interconnect-dedicated appliances when a Service Mesh is added.

None.

CBW-HCX-CFG-014

Create a Service Mesh between the VMware Cloud Foundation instance and VMware Cloud on AWS recovery SDDC.

Provides an interconnect between the on-premises and the VMware Cloud on AWS environments to enable extending VMware Cloud Foundation networks to facilitate disaster recovery without the need to re-IP application virtual machines.

None.

VMware Live Cyber Recovery Design

Table 13. Design Decisions on Cloud File System for VMware Live Cyber Recovery

Decision ID

Design Decision

Design Justification

Design Implication

CBW-VCDR-CFG-001

Deploy a cloud file system in the same availability zone inside one AWS region as the recovery SDDC.

Cloud file systems and recovery SDDCs must be the same availability zone inside one AWS region.

None.

Table 14. Design Decisions on Protected Site for VMware Live Cyber Recovery

Decision ID

Design Decision

Design Justification

Design Implication

CBW-VCDR-CFG-002

Create a protected site for your VMware Cloud Foundation instance using a public internet connection.

Defines the VMware Cloud Foundation instance where business workloads will be protected.

None.

CBW-VCDR-CFG-003

Associate the DRaaS Connector appliances with the protected site.

Provides secure communication over the internet between the on-premises vCenter Server and the VMware Live Cyber Recovery service.

Deploy the DRaaS Connector appliances manually into your VMware Cloud Foundation management domain vCenter Server.

CBW-VCDR-CFG-004

Register the VI workload domain vCenter Server with the protected site in the VMware Live Cyber Recovery service.

Connects the on-premises vCenter Server of the VI workload domain with the VMware Live Cyber Recovery service to enable protection of business workloads.

Requires at least one DRaaS Connector appliance deployed within the on-premises vCenter Server.

Table 15. Design Decisions on Recovery SDDC for VMware Live Cyber Recovery

Decision ID

Design Decision

Design Justification

Design Implication

CBW-VCDR-CFG-005

Attach the pilot light VMware Cloud on AWS recovery SDDC to the VMware Live Cyber Recovery service.

Provides a target SDDC for virtual machine recovery.

None.

Table 16. Design Decisions on Email Alerts for VMware Live Cyber Recovery

Decision ID

Design Decision

Design Justification

Design Implication

CBW-VCDR-CFG-006

Configure the VMware Live Cyber Recovery service to send SLA status alerts.

Ensures that if any SLA status alerts are triggered, they are communicated to support representatives.

VMware Live Cyber Recovery uses the AWS mail service. Recipients must respond to the AWS email address verification request before receiving an email from VMware Live Cyber Recovery.

Life Cycle Management Design

Table 17. Design Decisions on Life Cycle Management of the Connector Appliances

Decision ID

Design Decision

Design Justification

Design Implication

CBW-CDP-LCM-001

Use the VMware Cloud Services automatic over-the-air service to perform the upgrades to the DRaaS Connector appliances.

The VMware Live Cyber Recovery service pushes upgrades automatically.

None.

CBW-CDP-LCM-002

Manually upgrade the HCX Connector appliance using the built-in tools.

An upgrade package must be downloaded and applied to the HCX appliance to perform an upgrade.

None.

Information Security and Access Control Design

Table 18. Design Decisions on Identity Management for Cloud-Based Workload Protection

Decision ID

Design Decision

Design Justification

Design Implication

CBW-IAM-SEC-001

Limit the use of local accounts for interactive or API access, and solution integration.

Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity.

You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.

CBW-IAM-SEC-002

Limit the scope and privileges for accounts used for interactive or API access and solution integration.

The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.

You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.

CBW-IAM-SEC-003

Assign VMware Live Cyber Recovery service roles to designated users.

To provide access to the VMware Live Cyber Recovery service, you assign users to service roles.

You must maintain the service roles required for users of your organization.

CBW-IAM-SEC-004

Assign VMware Cloud on AWS service roles to designated users.

To provide access to the VMware Cloud on AWS service, you assign users to service roles.

You must maintain the service roles required for users of your organization.

CBW-IAM-SEC-005

Assign VMware HCX service roles to designated users.

To provide access to the VMware HCX service, you assign users to service roles.

You must maintain the service roles required for users of your organization.

Table 19. Design Decisions on Service Accounts for Cloud-Based Workload Protection

Decision ID

Design Decision

Design Justification

Design Implication

CBW-IAM-SEC-006

Define a custom vCenter Server role for VMware Live Cyber Recovery with minimum privileges required to support the registration of a vCenter Server.

VMware Live Cyber Recovery integrates with each workload domain vCenter Server instance using a minimum set of privileges required to support registration.

  • You must maintain the privileges required by the custom vSphere role.

  • If additional workload domain vCenter Server instances are not in the same vCenter Single Sign-On domain, you must apply the custom role to each vCenter Single Sign-On domain.

CBW-IAM-SEC-007

Assign the custom vCenter Server role to a user from the vsphere.local domain as a service account for each VI workload domain vCenter Server instance for application-to-application communication between VMware Live Cyber Recovery and vCenter Server.

  • Provides integration and data collection of objects managed by the vCenter Server for a given VI workload domain.

  • Limiting the use of a service account reduces the risk in the case of either a security or a password-related event.

  • Using a named vsphere.local account provides for auditability unlike generic administrative accounts.

You must maintain the life cycle, availability, and security controls for the account in the vsphere.local domain.

CBW-IAM-SEC-008

Define a custom vCenter Server role for VMware HCX with minimum privileges required to support the registration of a vCenter Server.

VMware HCX integrates with each VI workload domain vCenter Server instance using a minimum set of privileges required to support registration and management.

  • You must maintain the privileges required by the custom vSphere role.

  • If additional VI workload domain vCenter Server instances are not in the same vCenter Single Sign-On domain, you must apply the custom role to each vCenter Single Sign-On domain.

CBW-IAM-SEC-009

Assign the custom vCenter Server role to an Active Directory user account as a service account for each VI workload domain vCenter Server instance for application-to-application communication between VMware HCX and vCenter Server.

  • Provides integration and data collection of objects managed by the vCenter Server for a given VI workload domain.

  • Limiting the use of a service account reduces the risk in the case of either a security or a password-related event.

  • Using a named Active Directory account provides for auditability unlike generic administrative accounts.

You must maintain the life cycle, availability, and security controls for the account in Active Directory.

CBW-IAM-SEC-010

Assign the default Enterprise Admin role in NSX Manager to a service account for each VI workload domain NSX Manager instance for application-to-application communication between VMware HCX and NSX.

VMware HCX integrates with each VI workload domain NSX Manager instance using a minimum set of privileges required to support registration and management.

None.

Table 20. Design Decisions on Password Policies for Cloud-Based Workload Protection

Decision ID

Design Decision

Design Justification

Design Implication

CBW-IAM-SEC-011

Configure the local user password expiration policy for each HCX Connector appliance.

  • You configure the local user password expiration policy for each HCX Connector appliance to align with the requirements of your organization which might be based on industry compliance standards.

  • The local user password expiration policy is applicable to the root and the admin accounts for the HCX Connector appliance.

You must manage the local user password expiration settings on each HCX Connector appliance by using the appliance console.

CBW-IAM-SEC-012

Configure the local user password complexity policy for each HCX Connector appliance.

  • You configure the local user password complexity policy for each HCX Connector appliance to align with the requirements of your organization which might be based on industry compliance standards.

  • The local user password complexity policy is applicable only to the local HCX Connector appliance users.

You must manage the local user password complexity settings on each HCX Connector appliance by using the appliance console.

CBW-IAM-SEC-013

Configure the local user account lockout policy for each HCX Connector appliance.

  • You configure the local user account lockout policy for each HCX Connector appliance to align with the requirements of your organization which might be based on industry compliance standards.

  • The local user account lockout policy is applicable only to the local HCX Connector appliance users.

You must manage the local user account lockout settings on each HCX Connector appliance by using the appliance console.

Table 21. Design Decisions on Password Management for Cloud-Based Workload Protection

Decision ID

Design Decision

Design Justification

Design Implication

CBW-IAM-SEC-014

For each vCenter Server, change the VMware Live Cyber Recovery service account password on a recurring or event-initiated schedule.

To maintain a secure platform, you must rotate the VMware Live Cyber Recovery service account passwords on a regular basis.

Performing password rotation for a service account is a manual process. You update the associated credentials in the VMware Live Cyber Recovery service.

CBW-IAM-SEC-015

For each vCenter Server, change the VMware HCX service account password on a recurring or event-initiated schedule.

To maintain a secure platform, you must rotate the VMware HCX service account passwords on a regular basis.

Performing password rotation for a service account is a manual process. You update the associated credentials in the HCX Connector appliance.

CBW-IAM-SEC-016

For each NSX Manager, change the VMware HCX service account password on a recurring or event-initiated schedule.

To maintain a secure platform, you must rotate the VMware HCX service account passwords on a regular basis.

Performing password rotation for a service account is a manual process. You update the associated credentials in the HCX Connector appliance.

CBW-IAM-SEC-017

Change the HCX Connector appliance root and admin passwords on a recurring or event-initiated schedule.

The password for the HCX Connector appliance root and admin accounts never expires based on the default password expiration policy.

  • You must manage the password change for the root and the admin accounts.

  • You must manage the password change on each HCX Connector appliance by using the virtual appliance console.

Table 22. Design Decisions on Certificate Management for Cloud-Based Workload Protection

Decision ID

Design Decision

Design Justification

Design Implication

CBW-IAM-SEC-018

Replace the default self-signed certificate with a CA-signed certificate during the deployment of the HCX Connector appliance.

Ensures that all communication to the user interface of the HCX Connector appliance is encrypted.

  • Replacing the default certificates with a trusted CA-signed certificate increases the deployment preparation time as certificates requests are generated and delivered.

  • You must manage the life cycle of the certificate replacement.

  • The SSL certificate key size must be 2048 or 4096 bits.

CBW-IAM-SEC-019

Use an SHA-2 or higher algorithm when signing certificates.

The SHA-1 algorithm is considered less secure and is deprecated.

Not all certificate authorities support SHA-2.

CBW-IAM-SEC-020

Rotate the CA-signed certificate of the HCX Connector appliance on a recurring or event-initiated schedule.

Ensures that all communication to the user interface of the HCX Connector appliance and between the components continues to be encrypted with a non-expired or non-compromised certificate.

  • Replacing the default certificates with a trusted CA-signed certificate might require preparation time as certificates requests are generated and delivered.

  • You must continue to manage the life cycle of the certificate replacement.

  • The SSL certificate key size must be 2048 or 4096 bits.

Solution Interoperability

Table 23. Design Decisions on Monitoring and Alerting Using Intelligent Operations Management for VMware Cloud Foundation

Decision ID

Design Decision

Design Justification

Design Implication

CBW-MON-IOM-001

Add a Ping adapter for the DRaaS and HCX Connector appliances.

Provides metrics on the availability of the DRaaS and HCX Connector appliances.

You must add the adapter instances manually.

CBW-MON-IOM-002

Configure the Ping adapter for the DRaaS and HCX Connector appliances to use the local-instance collector group.

Offloads data collection for local management components from the analytics cluster.

None.

Table 24. Design Decisions on Data Protection for VMware HCX

Decision ID

Design Decision

Design Justification

Design Implication

CBW-BCK-HCX-001

Configure an FTP server using the SFTP protocol as a target for the HCX Connector.

Provides an external target for storing backup sets.

An external FTP server supporting SFTP must be available in the environment.

CBW-BCK-HCX-002

Configure a backup schedule for the HCX Connector.

Ensures that regular backups, which facilitate recovery, are performed.

None.