The design decisions determine the deployment configuration to support the Health Reporting and Monitoring for VMware Cloud Foundation validated solution.

Deployment Specification

Table 1. Design Decisions for Deployment of a Host Virtual Machine

HRM-VM-CFG-001
  Design Decision: Deploy the host virtual machine using a supported guest operating system (VMware Photon OS or Microsoft Windows Server).
  Design Justification: A dedicated host virtual machine is deployed to ensure isolation of the PowerShell and Python modules from other production components.
  Design Implication: The host virtual machine must be deployed, configured, and maintained outside of VMware Cloud Foundation automated workflows.

HRM-VM-CFG-002
  Design Decision: Deploy the host virtual machine in the default management vSphere cluster.
  Design Justification: Required to communicate with SDDC Manager and VMware Aria Operations.
  Design Implication: The host virtual machine must be able to connect to SDDC Manager and VMware Aria Operations.

HRM-VM-CFG-003
  Design Decision: Protect the host virtual machine by using vSphere High Availability.
  Design Justification: Supports the availability objective without requiring manual intervention during an ESXi host failure.
  Design Implication: None.

HRM-VM-CFG-004
  Design Decision: Place the host virtual machine in a designated virtual machine folder.
  Design Justification: Provides organization of the appliances in the management domain vSphere inventory.
  Design Implication: You must create the virtual machine folder during deployment.

Table 2. Design Decisions for Deployment of the Host Virtual Machine in Multiple Availability Zones

HRM-VM-CFG-005
  Design Decision: When using two availability zones, add the host virtual machine to the VM group of the first availability zone.
  Design Justification: Ensures that the host virtual machine runs in the primary availability zone hosts group.
  Design Implication: After the implementation of the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the host virtual machine.

Table 3. Design Decisions for Deployment of the Host Virtual Machine for Multiple VMware Cloud Foundation Instances

HRM-VM-CFG-006
  Design Decision: In an environment with multiple VMware Cloud Foundation instances, deploy the host virtual machine in the management vSphere cluster in the first VMware Cloud Foundation instance.
  Design Justification: Required to communicate with SDDC Manager in each VMware Cloud Foundation instance and VMware Aria Operations.
  Design Implication: The host virtual machine must be able to connect to SDDC Manager in each VMware Cloud Foundation instance and VMware Aria Operations.

PowerShell Module for VMware Cloud Foundation Reporting Design

Table 4. Design Decisions for the PowerShell Module for VMware Cloud Foundation Reporting

HRM-PWSH-CFG-001
  Design Decision: Use or install a supported edition and version of PowerShell on the host virtual machine guest operating system.
  Design Justification: The PowerShell module cmdlets may fail when run on an edition and version of PowerShell that is not supported by the PowerShell module and its dependencies.
  Design Implication: None.

HRM-PWSH-CFG-002
  Design Decision: Install the PowerShell Module for VMware Cloud Foundation Reporting and its dependencies on the host virtual machine.
  Design Justification: The PowerShell Module for VMware Cloud Foundation Reporting is required to generate HTML reports.
  Design Implication: None.

Python Module for VMware Cloud Foundation Health Monitoring in VMware Aria Operations

Table 5. Design Decisions for the Python Module for VMware Cloud Foundation Health Monitoring in VMware Aria Operations

HRM-PY-CFG-001
  Design Decision: Install Python 3.x on the host virtual machine.
  Design Justification: Python 3 is required to run the Python script that pulls data from SDDC Manager and pushes it to VMware Aria Operations.
  Design Implication: In an environment with multiple VMware Cloud Foundation instances, multiple copies of the Python module are installed, each corresponding to a VMware Cloud Foundation instance.

HRM-PY-CFG-002
  Design Decision: Install the Nagini client, a Python binding package for VMware Aria Operations, on the host virtual machine.
  Design Justification: The Nagini client enables the Python module to send data to VMware Aria Operations.
  Design Implication: Manual installation and setup depends on the host virtual machine's operating system.

HRM-PY-CFG-003
  Design Decision: On the host virtual machine, schedule daily runs of the Python module to collect health data from SDDC Manager and send it to VMware Aria Operations.
  Design Justification: Automates gathering health data.
  Design Implication: Manual installation and setup depends on the host virtual machine's operating system.

HRM-PY-CFG-004
  Design Decision: Configure the default retention for logs generated by the Python module to 30 days.
  Design Justification: Automatic cleanup of the logs generated by the send-data-to-vrops.py script saves capacity on the host virtual machine's local disk and ensures old data is removed.
  Design Implication: You must manually set the log retention period by configuring the log_retention_in_days setting in the env.json file.
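As an added illustration of the retention behavior described for HRM-PY-CFG-004 (this is example code, not the solution's own send-data-to-vrops.py), the following reads log_retention_in_days from env.json, falls back to the 30-day default when the setting is missing or invalid, and removes log files older than the window. The env.json layout beyond that one key, the log directory, and the file names are assumptions.

```python
# Added example, not part of the validated solution's own code.
# Assumes env.json has a top-level "log_retention_in_days" key (named on this
# page); the log directory path and *.log file names are hypothetical.
import json
import os
import tempfile
import time
from pathlib import Path

DEFAULT_RETENTION_DAYS = 30  # the page's default when the setting is absent or invalid

def read_retention_days(env_path):
    """Return log_retention_in_days from env.json, falling back to 30 days when
    the file is missing, malformed, or the value is not a positive integer."""
    try:
        with open(env_path, encoding="utf-8") as fh:
            days = int(json.load(fh).get("log_retention_in_days", DEFAULT_RETENTION_DAYS))
    except (OSError, ValueError, TypeError):
        return DEFAULT_RETENTION_DAYS
    return days if days > 0 else DEFAULT_RETENTION_DAYS

def prune_logs(log_dir, retention_days, now=None):
    """Delete *.log files last modified before the retention window.
    Returns the sorted names of the deleted files."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    deleted = []
    for path in Path(log_dir).glob("*.log"):
        if path.is_file() and path.stat().st_mtime < cutoff:
            path.unlink()
            deleted.append(path.name)
    return sorted(deleted)

def demo():
    """Constructed scenario in a temporary directory: env.json with a 30-day
    retention and three log files aged 45, 31 and 10 days; returns the pruned names."""
    root = Path(tempfile.mkdtemp())
    env_path = root / "env.json"
    env_path.write_text(json.dumps({"log_retention_in_days": 30}), encoding="utf-8")
    log_dir = root / "logs"
    log_dir.mkdir()
    now = time.time()
    for name, age_days in (("old.log", 45), ("stale.log", 31), ("recent.log", 10)):
        log_file = log_dir / name
        log_file.write_text("constructed log line\n", encoding="utf-8")
        log_file_mtime = now - age_days * 86400
        os.utime(log_file, (log_file_mtime, log_file_mtime))
    return prune_logs(log_dir, read_retention_days(env_path), now=now)  # ['old.log', 'stale.log']
```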

Network Design

Table 6. Design Decisions on Network Segments for the Host Virtual Machine

HRM-VM-NET-001
  Design Decision: Place the host virtual machine on the management VLAN of the management domain.
  Design Justification: Place the host virtual machine on the same network as SDDC Manager for direct communication.
  Design Implication: None.

Table 7. Design Decisions on IP Addresses for the Host Virtual Machine

HRM-VM-NET-002
  Design Decision: Allocate a statically assigned IP address from the management VLAN to the host virtual machine.
  Design Justification: Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.
  Design Implication: Requires precise IP address management.

Table 8. Design Decisions on Name Resolution for the Host Virtual Machine

HRM-VM-NET-003
  Design Decision: Configure forward and reverse DNS records for the host virtual machine IP address.
  Design Justification: Ensures the host virtual machine is accessible by using a fully qualified domain name instead of only its IP address.
  Design Implication:
    • You must provide a DNS record for the host virtual machine IP address.
    • Firewalls between the host virtual machine and the DNS servers must allow DNS traffic.

HRM-VM-NET-004
  Design Decision: Configure DNS servers on the host virtual machine.
  Design Justification: Ensures the host virtual machine has accurate name resolution.
  Design Implication:
    • DNS infrastructure services should be highly available in the environment.
    • Firewalls between the appliance and the DNS servers must allow DNS traffic.
    • You must provide two or more DNS servers unless DNS geographic load balancing is active.

Table 9. Design Decisions on Time Synchronization for the Host Virtual Machine

HRM-VM-NET-005
  Design Decision: Configure NTP servers for the host virtual machine.
  Design Justification:
    • Ensures that the host virtual machine has accurate time synchronization.
    • Assists in the prevention of time mismatch between the host virtual machine and any dependencies.
  Design Implication:
    • NTP infrastructure services should be highly available in the environment.
    • Firewalls between the host virtual machine and the NTP servers must allow NTP traffic.
    • You must provide two or more NTP servers unless NTP geographic load balancing is active.

Life Cycle Management

Table 10. Design Decisions on Life Cycle Management

HRM-VM-LCM-001
  Design Decision: Manage the updates for the host virtual machine's guest operating system using your organization's tools and processes.
  Design Justification: Update the host virtual machine in accordance with your organization's processes and policies to ensure security and critical fixes are applied in a timely manner.
  Design Implication: The host virtual machine is not managed by SDDC Manager.

HRM-LCM-001
  Design Decision: Manually update the PowerShell Module for VMware Cloud Foundation Reporting when new versions are available.
  Design Justification: Updating the PowerShell Module for VMware Cloud Foundation Reporting when new versions are released ensures the latest features and bug fixes are applied.
  Design Implication: None.

HRM-LCM-002
  Design Decision: Manually update the Python Module for VMware Cloud Foundation Health Monitoring in VMware Aria Operations. See the README.md in the GitHub repository.
  Design Justification: Updating the Python Module for VMware Cloud Foundation Health Monitoring in VMware Aria Operations when new versions are released ensures the latest features and bug fixes are applied.
  Design Implication: None.

Information Security and Access Control Design

Table 11. Design Decisions on Identity Management for Health Reporting and Monitoring for VMware Cloud Foundation

HRM-SEC-001
  Design Decision: Limit the use of local accounts for interactive or API access and solution integration.
  Design Justification: Local accounts are not specific to a user identity and do not offer complete auditing from an endpoint back to the user identity.
  Design Implication: You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.

HRM-SEC-002
  Design Decision: Limit the scope and privileges for accounts used for interactive or API access and solution integration.
  Design Justification: The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.
  Design Implication: You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.

HRM-SEC-003
  Design Decision: Assign an SDDC Manager role to a designated service account.
  Design Justification: To provide least privilege access to SDDC Manager, you assign the service account to a role.
  Design Implication: None.

HRM-SEC-004
  Design Decision: Assign a custom VMware Aria Operations role to a designated service account.
  Design Justification: To provide least privilege access to VMware Aria Operations, you assign the service account to a custom role.
  Design Implication: You must maintain the custom role required for the service account of your organization.

Table 12. Design Decisions on Service Accounts for Health Reporting and Monitoring for VMware Cloud Foundation

HRM-PWSH-SEC-001
  Design Decision: Assign the ADMIN role to an Active Directory user account in each SDDC Manager instance for application-to-application communication between the PowerShell Module for VMware Cloud Foundation Reporting and SDDC Manager.
  Design Justification: To generate reports by using the PowerShell Module for VMware Cloud Foundation Reporting, the service account requires the ADMIN role for least privilege access.
  Design Implication: You must maintain the life cycle and availability of the service account outside of the SDDC stack.

HRM-PY-SEC-001
  Design Decision: Create a custom role in VMware Aria Operations and assign it to an Active Directory user account for application-to-application communication between the Python Module for VMware Cloud Foundation Health Monitoring in VMware Aria Operations and VMware Aria Operations.
  Design Justification: A custom role with least privileges is required to provide access to the REST API to push custom metrics to VMware Aria Operations.
  Design Implication:
    • You must maintain the life cycle and availability of the service account outside of the SDDC stack.
    • You must maintain the synchronization and availability of the service account in Workspace ONE Access.

HRM-PY-SEC-002
  Design Decision: Import the service account to the Everyone user group in VMware Aria Operations.
  Design Justification: The Everyone user group has no roles and scopes. You need to assign the scope and custom role to the service account.
  Design Implication: The Everyone user group applies no restrictions that limit access in VMware Aria Operations.

HRM-PY-SEC-003
  Design Decision: Assign the scope of permissions to the custom role in VMware Aria Operations.
  Design Justification: Provides limited permissions to only the required adapter instances.
  Design Implication:
    • Limits access to objects to a custom role in VMware Aria Operations.
    • Narrows the service account's access to only the NSX, vCenter, VMware Cloud Foundation, and vSAN adapter instance objects.

Table 13. Design Decisions on Password Policies for Health Reporting and Monitoring for VMware Cloud Foundation

HRM-VM-SEC-001
  Design Decision: Configure the local user password expiration policy for the host virtual machine.
  Design Justification: You configure the local user password expiration policy for the host virtual machine to align with the requirements of your organization.
  Design Implication: You must manage the local user password expiration settings on the host virtual machine.

HRM-VM-SEC-002
  Design Decision: Configure the local user password complexity policy for the host virtual machine.
  Design Justification: You configure the local user password complexity policy for the host virtual machine to align with the requirements of your organization.
  Design Implication: You must manage the local user password complexity settings on the host virtual machine.

HRM-VM-SEC-003
  Design Decision: Configure the local user account lockout policy for the host virtual machine.
  Design Justification: You configure the local user account lockout policy for the host virtual machine to align with the requirements of your organization.
  Design Implication: You must manage the local user account lockout settings on the host virtual machine.

Table 14. Design Decisions on Password Management for Health Reporting and Monitoring for VMware Cloud Foundation

HRM-SEC-005
  Design Decision: If the SDDC Manager service account is changed, update the user credentials in the sddc_manager section of the env.json file.
  Design Justification: You must manually re-establish authentication to SDDC Manager after the service account is changed (including a password change) to ensure that the Python Module for VMware Cloud Foundation Health Monitoring has the correct credentials and access.
  Design Implication: You must update the user credentials manually.

HRM-SEC-006
  Design Decision: If the VMware Aria Operations service account is changed, update the user credentials in the vrops section of the env.json file.
  Design Justification: You must manually re-establish authentication to VMware Aria Operations after the service account is changed (including a password change) to ensure that the Python Module for VMware Cloud Foundation Health Monitoring has the correct credentials and access.
  Design Implication: You must update the user credentials manually.

HRM-SEC-007
  Design Decision: Encrypt the passwords for the SDDC Manager and VMware Aria Operations service accounts by running the encrypt-passwords.py Python script.
  Design Justification: Password encryption enhances the security of the communication between the applications.
  Design Implication: You must manually run the Python script to encrypt the passwords.