The design decisions determine the deployment configuration to support the Intelligent Network Visibility for VMware Cloud Foundation validated solution.
Deployment Specification

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| INV-VAON-CFG-001 | Deploy VMware Aria Operations for Networks as a non-clustered, single platform node in the default management vSphere cluster. | | A 100% reservation for CPU and RAM for the deployed VMware Aria Operations for Networks platform node will be applied. |
| INV-VAON-CFG-002 | Deploy a single VMware Aria Operations for Networks collector node in the default management vSphere cluster. | A minimum of one VMware Aria Operations for Networks collector node is required to provide the VMware Aria Operations for Networks platform node with network monitoring data. | A 100% reservation for CPU and RAM for the deployed VMware Aria Operations for Networks collector node will be applied. |
| INV-VAON-CFG-003 | To deploy VMware Aria Operations for Networks, use the VMware Aria Suite Lifecycle instance in the corresponding VMware Cloud Foundation instance. | | You must deploy VMware Aria Suite Lifecycle by using SDDC Manager. |
| INV-VAON-CFG-004 | Protect all VMware Aria Operations for Networks nodes by using vSphere High Availability. | Supports the availability objective for VMware Aria Operations for Networks without requiring manual intervention during an ESXi host failure event. | You must ensure sufficient spare capacity for vSphere High Availability failover operations. |
| INV-VAON-CFG-005 | Place the VMware Aria Operations for Networks platform node(s) in a dedicated virtual machine folder. | Provides an organization of the VMware Aria Operations for Networks platform node(s) in the management domain inventory. | You must create the virtual machine folder in vCenter Server. |
| INV-VAON-CFG-006 | Place the VMware Aria Operations for Networks collector node(s) in a dedicated virtual machine folder. | Provides an organization of the VMware Aria Operations for Networks collector node(s) in the management domain inventory. | You must create the virtual machine folder in vCenter Server. |
| INV-VAON-CFG-007 | When using two availability zones, add the VMware Aria Operations for Networks virtual machines to the first availability zone VM group. | Ensures that, by default, the VMware Aria Operations for Networks virtual machines are powered on within the first availability zone hosts group. | After the implementation of the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the VMware Aria Operations for Networks virtual machines. |
| INV-VAON-CFG-008 | In an environment with multiple VMware Cloud Foundation instances, deploy the VMware Aria Operations for Networks collector node(s) in the default management vSphere cluster in each VMware Cloud Foundation instance by using the same VMware Aria Suite Lifecycle instance and environment in the first VMware Cloud Foundation instance. | | Each VMware Aria Operations for Networks collector node must be registered with a VMware Aria Operations for Networks platform node. |
| INV-VAON-CFG-009 | In an environment with multiple VMware Cloud Foundation instances, place the VMware Aria Operations for Networks collector node(s) for each instance in a dedicated virtual machine folder. | Provides an organization of VMware Aria Operations for Networks collector nodes in the management domain inventory. | You must create the virtual machine folder in vCenter Server. |
| INV-VAON-CFG-010 | Deploy a VMware Aria Operations for Networks platform node with an Extra Large brick size. | | You must consider the additional resources required by VMware Aria Operations for Networks platform nodes when sizing the management vSphere cluster. |
| INV-VAON-CFG-011 | If the number of virtual machines exceeds 10,000 or if any other object scale limitations are reached, scale out to a platform cluster deployment by adding additional VMware Aria Operations for Networks platform nodes using VMware Aria Suite Lifecycle. | Ensures that the VMware Aria Operations for Networks platform cluster has enough capacity to meet the SDDC object growth. | You must consider the additional resources required by VMware Aria Operations for Networks platform nodes in the management vSphere cluster when scaling out to a platform cluster. |
| INV-VAON-CFG-012 | Deploy a VMware Aria Operations for Networks collector node as a large size appliance. | | You must provide 8-10 vCPUs (depending on the CPU speed; see the official VMware Aria Operations for Networks documentation) and 16 GB of memory in the default management vSphere cluster in each VMware Cloud Foundation instance for each VMware Aria Operations for Networks collector node. |
Network Design

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| INV-VAON-NET-001 | Place the VMware Aria Operations for Networks platform nodes on the cross-instance NSX network segment. | Provides a consistent deployment model for management applications and a potential to extend to a second VMware Cloud Foundation instance for disaster recovery. | You must use an implementation of NSX to support this network configuration. |
| INV-VAON-NET-002 | Place the VMware Aria Operations for Networks collector nodes on the local-instance NSX network segment. | Supports collection of metrics and flows locally per VMware Cloud Foundation instance. | You must use an implementation of NSX to support this networking configuration. |
| INV-VAON-NET-003 | In an environment with multiple VMware Cloud Foundation instances, place at least one VMware Aria Operations for Networks collector node in each instance on the local-instance NSX segment. | Supports collection of metrics and flows locally per VMware Cloud Foundation instance. | You must use an implementation of NSX to support this networking configuration. |
| INV-VAON-NET-004 | Allocate and assign static IP addresses from the cross-instance NSX segment for each VMware Aria Operations for Networks platform node. | Static IP addresses provide network reliability, simplify maintenance, and aid in conflict avoidance, while necessitating robust security due to their predictability. | Requires precise IP address management. |
| INV-VAON-NET-005 | Allocate and assign static IP addresses from the cross-instance NSX segment for each VMware Aria Operations for Networks collector node. | Static IP addresses provide network reliability, simplify maintenance, and aid in conflict avoidance, while necessitating robust security due to their predictability. | Requires precise IP address management. |
| INV-VAON-NET-006 | In an environment with multiple VMware Cloud Foundation instances, allocate and assign static IP addresses from each local-instance NSX segment to the corresponding VMware Aria Operations for Networks collector nodes in the instance. | Static IP addresses provide network reliability, simplify maintenance, and aid in conflict avoidance, while necessitating robust security due to their predictability. | Requires precise IP address management. |
| INV-VAON-NET-007 | Configure forward and reverse DNS records for each VMware Aria Operations for Networks platform and collector node. | Each VMware Aria Operations for Networks platform and collector node is accessible by using a unique fully qualified domain name. | You must provide the DNS records for the VMware Aria Operations for Networks nodes. |
| INV-VAON-NET-008 | Configure the NTP servers on each VMware Aria Operations for Networks platform and collector node. | | |
Life Cycle Management

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| INV-VAON-LCM-001 | Use VMware Aria Suite Lifecycle to perform the life cycle management of VMware Aria Operations for Networks. | VMware Aria Suite Lifecycle manages the product binaries and upgrades of VMware Aria Operations for Networks. | |
VMware Aria Operations for Networks Design

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| INV-VAON-CFG-013 | Configure a vCenter Server data source in VMware Aria Operations for Networks for each management domain and VI workload domain vCenter Server. | Provides network visibility to the VMware Cloud Foundation instance for vSphere networking. | You must configure a data source for the management domain and each VI workload domain vCenter Server instance in each region. |
| INV-VAON-CFG-014 | For each vCenter Server data source, enable NetFlow on each vSphere Distributed Switch within the domain. | Provides the collection of network flows via the IPFIX protocol. | For the management domain and VI workload domains in each region, VMware Aria Operations for Networks will automatically update the NetFlow settings for each cluster's vSphere Distributed Switch. |
| INV-VAON-CFG-015 | Configure an NSX Manager data source in VMware Aria Operations for Networks for each management domain and VI workload domain NSX Local Manager cluster. | Provides network visibility to the VMware Cloud Foundation instance for NSX networking. | You must configure an NSX Manager data source for the management domain and VI workload domains in each region. |
| INV-VAON-CFG-016 | For each NSX data source, enable IPFIX for the distributed firewall. | Provides the collection of network flows via the IPFIX protocol. | The distributed firewall service must be enabled on the NSX Local Manager for the management domain and VI workload domain. The service account used to integrate VMware Aria Operations for Networks with NSX requires the Enterprise Admin role to be assigned in NSX Local Manager for the management domain and each VI workload domain. |
| INV-VAON-CFG-017 | For each NSX Manager data source, enable latency metric collection. | Provides the collection of latency metrics from NSX Transport Nodes. | Any firewall rule sets from all ESXi hosts to the VMware Aria Operations for Networks collector must allow traffic on TCP 1991. |
| INV-VAON-CFG-018 | For environments using NSX Federation, use the NSX Local Manager as the data source. | NSX Global Managers cannot be added as a data source in VMware Aria Operations for Networks. NSX Federation data is fetched from the NSX Local Managers. | You must configure the NSX Local Manager as the NSX Manager data source if you are using NSX Federation. |
Data Retention

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| INV-VAON-CFG-019 | Use the default retention period of one month for the VMware Aria Operations for Networks platform node. | Keeping the default value for retention minimizes the required storage resources and administrative effort. | None. |
Alert Notifications

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| INV-VAON-CFG-020 | Configure VMware Aria Operations for Networks to use an outbound SMTP mail server to route notifications for system events. | Activates alerts from VMware Aria Operations for Networks to be sent to administrators and operators. | |
Information Security and Access Control Design

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| INV-VAON-SEC-001 | Limit the use of local accounts for interactive or API access and solution integration. | Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity. | You must define and manage service accounts, security groups, group membership, and security controls in Active Directory. |
| INV-VAON-SEC-002 | Limit the scope and privileges for accounts used for interactive or API access and solution integration. | The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy. | You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration. |
| INV-VAON-SEC-003 | Assign VMware Aria Operations for Networks service roles to designated groups. | By assigning Active Directory users with specific VMware Aria Operations for Networks service roles, you introduce improved accountability and facilitate access tracking. | You must maintain the service roles required for users of your organization. |
| INV-VAON-SEC-004 | Define a custom vCenter Server role for VMware Aria Operations for Networks that has the minimum privileges required to support a vCenter Server integration. | Connects VMware Aria Operations for Networks to the management domain and each VI workload domain vCenter Server instance using a minimum set of privileges. | You must maintain the privileges required by the custom vSphere role. |
| INV-VAON-SEC-005 | Create and assign the custom vCenter Server role to an Active Directory user account as a service account for the management domain and each VI workload domain vCenter Server instance for application-to-application communication between VMware Aria Operations for Networks and vCenter Server. | Provides the following access control features: | You must maintain the life cycle, availability, and security controls for the account in Active Directory. |
| INV-VAON-SEC-006 | Create and assign the Enterprise Admin role using an NSX client certificate credential for the management domain and each VI workload domain NSX Local Manager instance for application-to-application communication between VMware Aria Operations for Networks and NSX Manager. | | You must manage the credential and the life cycle of certificates and their corresponding private keys. |
| INV-VAON-SEC-007 | Configure the local user password expiration policy for each VMware Aria Operations for Networks platform and collector node. | | You must manage the local user password expiration settings on each VMware Aria Operations for Networks platform and collector node by using the appliance console. |
| INV-VAON-SEC-008 | Configure the local user password complexity policy for each VMware Aria Operations for Networks platform and collector node. | | You must manage the local user password complexity settings on each VMware Aria Operations for Networks platform and collector node by using the appliance console. |
| INV-VAON-SEC-009 | Configure the local user account lockout policy for each VMware Aria Operations for Networks platform and collector node. | | You must manage the local user account lockout settings on each VMware Aria Operations for Networks node by using the appliance console. |
| INV-VAON-SEC-010 | Change the VMware Aria Operations for Networks support and consoleuser passwords on each VMware Aria Operations for Networks platform and collector node on a recurring or event-initiated schedule. | The password for the VMware Aria Operations for Networks support and consoleuser accounts expires based on the default password expiration policy. | |
| INV-VAON-SEC-011 | Use a CA-signed certificate containing the fully qualified domain names (FQDNs) of each VMware Aria Operations for Networks platform and collector node in the SAN attributes when deploying VMware Aria Operations for Networks. | Configuring a CA-signed certificate ensures that the communication to the externally facing Web UI and API for VMware Aria Operations for Networks is encrypted. | |
| INV-VAON-SEC-012 | Use a SHA-2 or higher algorithm when signing certificates. | The SHA-1 algorithm is considered less secure and has been deprecated. | Not all certificate authorities support SHA-2. |
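The following script is an added example, not part of the validated solution or of VMware's tooling: it checks a node certificate against INV-VAON-SEC-011 and INV-VAON-SEC-012, that is, every platform and collector node FQDN must appear as a DNS name in the SAN extension and the signature hash must belong to the SHA-2 family. The node FQDNs and the self-signed sample certificate are constructed for illustration; the script uses the third-party `cryptography` package.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Hypothetical platform and collector node FQDNs, constructed for this example.
NODE_FQDNS = ["vaon-platform-01.example.com",
              "vaon-collector-01.example.com",
              "vaon-collector-02.example.com"]

# Signature hashes accepted under INV-VAON-SEC-012 (the SHA-2 family).
SHA2_HASHES = ("sha224", "sha256", "sha384", "sha512")

def check_node_certificate(pem_data, required_fqdns):
    """Return (ok, problems): every required FQDN must be a DNSName in the SAN
    extension (INV-VAON-SEC-011) and the signature hash must be SHA-2 (SEC-012)."""
    cert = x509.load_pem_x509_certificate(pem_data)
    problems = []
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        dns_names = {n.lower() for n in san.value.get_values_for_type(x509.DNSName)}
    except x509.ExtensionNotFound:
        dns_names = set()
        problems.append("certificate has no subjectAltName extension")
    for fqdn in required_fqdns:
        if fqdn.lower() not in dns_names:
            problems.append(f"FQDN not covered by SAN: {fqdn}")
    hash_alg = cert.signature_hash_algorithm
    if hash_alg is None or hash_alg.name not in SHA2_HASHES:
        problems.append(f"signature hash is not SHA-2: {getattr(hash_alg, 'name', None)}")
    return (not problems, problems)

def make_sample_certificate(san_fqdns, hash_algorithm=hashes.SHA256()):
    """Build a constructed, self-signed certificate used only as sample input;
    a real deployment would use a CA-signed certificate with the same SAN list."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, san_fqdns[0])])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=365))
               .add_extension(x509.SubjectAlternativeName(
                   [x509.DNSName(f) for f in san_fqdns]), critical=False))
    cert = builder.sign(key, hash_algorithm)
    return cert.public_bytes(serialization.Encoding.PEM)

if __name__ == "__main__":
    ok, problems = check_node_certificate(make_sample_certificate(NODE_FQDNS), NODE_FQDNS)
    print("compliant" if ok else "; ".join(problems))
```

To check a certificate issued by your CA, read its PEM file as bytes and pass it to `check_node_certificate` together with the real node FQDNs.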
Solution Interoperability

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| INV-MON-IOM-001 | Add a Ping adapter for each VMware Aria Operations for Networks platform and collector node. | Provides metrics on the availability of each VMware Aria Operations for Networks platform and collector node. | You must add the adapter instances manually. |
| INV-MON-IOM-002 | Configure the Ping adapter for the VMware Aria Operations for Networks platform node to use the default collector group. | Provides metrics on the availability of the platform nodes. | None. |
| INV-MON-IOM-003 | Configure the Ping adapter for the VMware Aria Operations for Networks collector node to use the local-instance collector group. | Offloads data collection for local management components from the VMware Aria Operations for Networks analytics cluster. | None. |
| INV-MON-IOM-004 | Configure the VMware Aria Operations for Logs integration in VMware Aria Operations. | | You can register only one VMware Aria Operations for Networks cluster with VMware Aria Operations at a time. You must manage the password life cycle of this endpoint. |
| INV-LOG-ILA-001 | Configure VMware Aria Operations for Networks to send logs to the VMware Aria Operations for Networks cluster in the corresponding VMware Cloud Foundation instance. | Allows logs from VMware Aria Operations for Networks to be forwarded to a VMware Aria Operations for Networks cluster. | None. |