The design decisions determine the deployment configuration to support the Intelligent Network Visibility for VMware Cloud Foundation validated solution.

Deployment Specification

Table 1. Design Decisions on Deployment of VMware Aria Operations for Networks

INV-VAON-CFG-001
  Design Decision: Deploy VMware Aria Operations for Networks as a non-clustered, single platform node in the default management vSphere cluster.
  Design Justification:
  • Provides capacity for monitoring of up to 10,000 virtual machines or objects.
  • Supports scale-out with additional VMware Aria Operations for Networks platform nodes to a platform cluster.
  Design Implication: A 100% reservation for CPU and RAM will be applied to the deployed VMware Aria Operations for Networks platform node.

INV-VAON-CFG-002
  Design Decision: Deploy a single VMware Aria Operations for Networks collector node in the default management vSphere cluster.
  Design Justification: A minimum of one VMware Aria Operations for Networks collector node is required to provide the VMware Aria Operations for Networks platform node with network monitoring data.
  Design Implication: A 100% reservation for CPU and RAM will be applied to the deployed VMware Aria Operations for Networks collector node.

INV-VAON-CFG-003
  Design Decision: To deploy VMware Aria Operations for Networks, use the VMware Aria Suite Lifecycle instance in the corresponding VMware Cloud Foundation instance.
  Design Justification:
  • VMware Aria Suite Lifecycle manages the VMware Aria Operations for Networks product binaries. The version of VMware Aria Operations for Networks is determined by the interoperability matrix and SDDC Manager.
  • VMware Aria Suite Lifecycle automates the deployment of VMware Aria Operations for Networks.
  Design Implication: You must deploy VMware Aria Suite Lifecycle by using SDDC Manager.

INV-VAON-CFG-004
  Design Decision: Protect all VMware Aria Operations for Networks nodes by using vSphere High Availability.
  Design Justification: Supports the availability objective for VMware Aria Operations for Networks without requiring manual intervention during an ESXi host failure event.
  Design Implication: You must ensure sufficient spare capacity for vSphere High Availability failover operations.

INV-VAON-CFG-005
  Design Decision: Place the VMware Aria Operations for Networks platform node(s) in a dedicated virtual machine folder.
  Design Justification: Provides an organization of the VMware Aria Operations for Networks platform node(s) in the management domain inventory.
  Design Implication: You must create the virtual machine folder in vCenter Server.

INV-VAON-CFG-006
  Design Decision: Place the VMware Aria Operations for Networks collector node(s) in a dedicated virtual machine folder.
  Design Justification: Provides an organization of the VMware Aria Operations for Networks collector node(s) in the management domain inventory.
  Design Implication: You must create the virtual machine folder in vCenter Server.

Table 2. Design Decisions on Deployment of VMware Aria Operations for Networks in Multiple Availability Zones

INV-VAON-CFG-007
  Design Decision: When using two availability zones, add the VMware Aria Operations for Networks virtual machines to the first availability zone VM group.
  Design Justification: Ensures that, by default, the VMware Aria Operations for Networks virtual machines are powered on within the first availability zone hosts group.
  Design Implication: After the implementation of the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the VMware Aria Operations for Networks virtual machines.

Table 3. Design Decisions on Deployment of VMware Aria Operations for Networks for Multiple VMware Cloud Foundation Instances

INV-VAON-CFG-008
  Design Decision: In an environment with multiple VMware Cloud Foundation instances, deploy the VMware Aria Operations for Networks collector node(s) in the default management vSphere cluster in each VMware Cloud Foundation instance by using the same VMware Aria Suite Lifecycle instance and environment in the first VMware Cloud Foundation instance.
  Design Justification:
  • Ensures a consistent deployment of network data collection in each VMware Cloud Foundation instance.
  • It is assumed that each VMware Cloud Foundation instance introduces a sufficiently high number of virtual machines, so that the deployment of dedicated VMware Aria Operations for Networks collector nodes is justified.
  Design Implication: Each VMware Aria Operations for Networks collector node must be registered with a VMware Aria Operations for Networks platform node.

INV-VAON-CFG-009
  Design Decision: In an environment with multiple VMware Cloud Foundation instances, place the VMware Aria Operations for Networks collector node(s) for each instance in a dedicated virtual machine folder.
  Design Justification: Provides an organization of VMware Aria Operations for Networks collector nodes in the management domain inventory.
  Design Implication: You must create the virtual machine folder in vCenter Server.

Table 4. Design Decisions on Sizing of VMware Aria Operations for Networks

INV-VAON-CFG-010
  Design Decision: Deploy a VMware Aria Operations for Networks platform node with an Extra Large brick size.
  Design Justification:
  • Provides enough capacity for the metrics and objects generated by up to 10,000 virtual machines and 8 million flows.
  • The features "Network Verification and Assurance" and "Flow based Application Discovery" are only available with brick size "Extra Large".
  Design Implication: You must consider the additional resources required by VMware Aria Operations for Networks platform nodes when sizing the management vSphere cluster.

INV-VAON-CFG-011
  Design Decision: If the number of virtual machines exceeds 10,000 or if any other object scale limitations are reached, scale out to a platform cluster deployment by adding additional VMware Aria Operations for Networks platform nodes using VMware Aria Suite Lifecycle.
  Design Justification: Ensures that the VMware Aria Operations for Networks platform cluster has enough capacity to meet the SDDC object growth.
  Design Implication: You must consider the additional resources required by VMware Aria Operations for Networks platform nodes in the management vSphere cluster when scaling out to a platform cluster.

INV-VAON-CFG-012
  Design Decision: Deploy a VMware Aria Operations for Networks collector node as a large size appliance.
  Design Justification:
  • One VMware Aria Operations for Networks collector node provides sufficient capacity for collecting flows from the supported number of VMs as stated in the design objectives.
  • If the scale capacity exceeds the number of VMs as stated in the design objectives, additional VMware Aria Operations for Networks collector nodes can be deployed.
  Design Implication: You must provide 8-10 vCPUs (depending on the CPU speed; see the official VMware Aria Operations for Networks documentation) and 16 GB of memory in the default management vSphere cluster in each VMware Cloud Foundation instance for each VMware Aria Operations for Networks collector node.

Network Design

Table 5. Design Decisions on Network Segments for VMware Aria Operations for Networks

INV-VAON-NET-001
  Design Decision: Place the VMware Aria Operations for Networks platform nodes on the cross-instance NSX network segment.
  Design Justification: Provides a consistent deployment model for management applications and a potential to extend to a second VMware Cloud Foundation instance for disaster recovery.
  Design Implication: You must use an implementation of NSX to support this network configuration.

INV-VAON-NET-002
  Design Decision: Place the VMware Aria Operations for Networks collector nodes on the local-instance NSX network segment.
  Design Justification: Supports collection of metrics and flows locally per VMware Cloud Foundation instance.
  Design Implication: You must use an implementation in NSX to support this networking configuration.

Table 6. Design Decisions on the Network Segments for VMware Aria Operations for Networks for Multiple VMware Cloud Foundation Instances

INV-VAON-NET-003
  Design Decision: In an environment with multiple VMware Cloud Foundation instances, place at least one VMware Aria Operations for Networks collector node in each instance on the local-instance NSX segment.
  Design Justification: Supports collection of metrics and flows locally per VMware Cloud Foundation instance.
  Design Implication: You must use an implementation in NSX to support this networking configuration.

Table 7. Design Decisions on IP Addresses for the VMware Aria Operations for Networks

INV-VAON-NET-004
  Design Decision: Allocate and assign static IP addresses from the cross-instance NSX segment for each VMware Aria Operations for Networks platform node.
  Design Justification: Static IP addresses provide network reliability, simplify maintenance, and aid in conflict avoidance, while necessitating robust security due to their predictability.
  Design Implication: Requires precise IP address management.

INV-VAON-NET-005
  Design Decision: Allocate and assign static IP addresses from the cross-instance NSX segment for each VMware Aria Operations for Networks collector node.
  Design Justification: Static IP addresses provide network reliability, simplify maintenance, and aid in conflict avoidance, while necessitating robust security due to their predictability.
  Design Implication: Requires precise IP address management.

Table 8. Design Decisions on IP Addresses for the VMware Aria Operations for Networks for Multiple VMware Cloud Foundation Instances

INV-VAON-NET-006
  Design Decision: In an environment with multiple VMware Cloud Foundation instances, allocate and assign static IP addresses from each local-instance NSX segment to the corresponding VMware Aria Operations for Networks collector nodes in the instance.
  Design Justification: Static IP addresses provide network reliability, simplify maintenance, and aid in conflict avoidance, while necessitating robust security due to their predictability.
  Design Implication: Requires precise IP address management.

Table 9. Design Decisions on Name Resolution for the VMware Aria Operations for Networks

INV-VAON-NET-007
  Design Decision: Configure forward and reverse DNS records for each VMware Aria Operations for Networks platform and collector node.
  Design Justification: Each VMware Aria Operations for Networks platform and collector node is accessible by using a unique fully qualified domain name.
  Design Implication: You must provide the DNS records for the VMware Aria Operations for Networks nodes.
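The static IP and name resolution decisions above (INV-VAON-NET-004 through INV-VAON-NET-007) are easy to get wrong during a scale-out or a second-instance rollout. The following pre-deployment check is an added example, not code from the validated solution or from VMware: it takes a node inventory together with exported forward (A) and reverse (PTR) records and reports every node whose static address is outside its designated NSX segment, collides with another node, or does not round-trip through DNS. All segment names, CIDRs and FQDNs are constructed placeholders.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

Node = Tuple[str, str, str, str]  # (role, fqdn, static_ip, designated_segment)

# Constructed sample data: segment names, CIDRs and FQDNs are placeholders, not values from the design.
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "xregion-seg": ipaddress.ip_network("192.0.2.0/24"),      # hypothetical cross-instance NSX segment
    "region-a-seg": ipaddress.ip_network("198.51.100.0/24"),  # hypothetical local-instance NSX segment
}

NODES: List[Node] = [
    ("platform", "inv-platform-01.example.com", "192.0.2.10", "xregion-seg"),
    ("collector", "inv-collector-01.example.com", "198.51.100.20", "region-a-seg"),
    ("collector", "inv-collector-02.example.com", "192.0.2.21", "region-a-seg"),    # wrong segment
    ("collector", "inv-collector-03.example.com", "198.51.100.20", "region-a-seg"), # duplicate address
]

# Constructed forward (A) and reverse (PTR) records, as an operator would export them from DNS.
FORWARD: Dict[str, str] = {
    "inv-platform-01.example.com": "192.0.2.10",
    "inv-collector-01.example.com": "198.51.100.20",
    "inv-collector-02.example.com": "192.0.2.21",
    # inv-collector-03 has no A record at all
}
REVERSE: Dict[str, str] = {
    "192.0.2.10": "inv-platform-01.example.com",
    "198.51.100.20": "inv-collector-01.example.com",
    "192.0.2.21": "old-host.example.com",  # stale PTR left over from a previous tenant of the address
}


def check_inventory(nodes: List[Node], segments: Dict[str, ipaddress.IPv4Network],
                    forward: Dict[str, str], reverse: Dict[str, str]) -> List[str]:
    """Return one finding per violated decision; an empty list means the inventory is consistent."""
    findings: List[str] = []
    owners: Dict[str, List[str]] = defaultdict(list)
    for role, fqdn, ip_str, seg in nodes:
        ip = ipaddress.ip_address(ip_str)
        owners[ip_str].append(fqdn)
        # NET-004/005/006: the static address must be drawn from the node's designated segment.
        if seg not in segments or ip not in segments[seg]:
            findings.append(f"{role} {fqdn}: {ip_str} is not in segment {seg}")
        # NET-007 (forward): an A record must exist and must point at the static address.
        a_record = forward.get(fqdn)
        if a_record is None:
            findings.append(f"{role} {fqdn}: missing A record")
        elif a_record != ip_str:
            findings.append(f"{role} {fqdn}: A record {a_record} does not match static IP {ip_str}")
        # NET-007 (reverse): the PTR must round-trip to the same unique FQDN.
        ptr = reverse.get(ip_str)
        if ptr is None:
            findings.append(f"{role} {fqdn}: missing PTR record for {ip_str}")
        elif ptr.lower() != fqdn.lower():
            findings.append(f"{role} {fqdn}: PTR for {ip_str} resolves to {ptr}")
    # Two nodes sharing one static address defeats the conflict avoidance the decision relies on.
    for ip_str, fqdns in owners.items():
        if len(fqdns) > 1:
            findings.append(f"{ip_str}: assigned to {', '.join(sorted(fqdns))}")
    return findings


if __name__ == "__main__":
    for finding in check_inventory(NODES, SEGMENTS, FORWARD, REVERSE):
        print(finding)
```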

Table 10. Design Decisions on Time Synchronization for the VMware Aria Operations for Networks

INV-VAON-NET-008
  Design Decision: Configure the NTP servers on each VMware Aria Operations for Networks platform and collector node.
  Design Justification:
  • Ensures accurate time synchronization.
  • VMware Aria Operations for Networks depends on time synchronization.
  Design Implication:
  • NTP infrastructure services should be highly available in the environment.
  • Firewalls between the nodes and the NTP servers must allow NTP traffic.
  • You must provide two or more NTP servers unless NTP geographic load balancing is active.

Life Cycle Management

Table 11. Design Decisions on Life Cycle Management for VMware Aria Operations for Networks

INV-VAON-LCM-001
  Design Decision: Use VMware Aria Suite Lifecycle to perform the life cycle management of VMware Aria Operations for Networks.
  Design Justification: VMware Aria Suite Lifecycle manages the product binaries and upgrades of VMware Aria Operations for Networks.
  Design Implication:
  • You must deploy VMware Aria Suite Lifecycle by using SDDC Manager.
  • VMware Aria Suite Lifecycle manages patches, updates, and hot fixes for VMware Aria Operations for Networks.

VMware Aria Operations for Networks Design

Table 12. Design Decisions on Data Sources for VMware Aria Operations for Networks

INV-VAON-CFG-013
  Design Decision: Configure a vCenter Server data source in VMware Aria Operations for Networks for each management domain and VI workload domain vCenter Server.
  Design Justification: Provides network visibility to the VMware Cloud Foundation instance for vSphere networking.
  Design Implication: You must configure a data source for the management domain and each VI workload domain vCenter Server instance in each region.

INV-VAON-CFG-014
  Design Decision: For each vCenter Server data source, enable NetFlow on each vSphere Distributed Switch within the domain.
  Design Justification: Provides the collection of network flows via the IPFIX protocol.
  Design Implication: For the management domain and VI workload domains in each region, VMware Aria Operations for Networks will automatically update the NetFlow settings for each cluster's vSphere Distributed Switch.

INV-VAON-CFG-015
  Design Decision: Configure an NSX Manager data source in VMware Aria Operations for Networks for each management domain and VI workload domain NSX Local Manager cluster.
  Design Justification: Provides network visibility to the VMware Cloud Foundation instance for NSX networking.
  Design Implication: You must configure an NSX Manager data source for the management domain and VI workload domains in each region.

INV-VAON-CFG-016
  Design Decision: For each NSX data source, enable IPFIX for the distributed firewall.
  Design Justification: Provides the collection of network flows via the IPFIX protocol.
  Design Implication:
  • The distributed firewall service must be enabled on the NSX Local Manager for the management domain and VI workload domain.
  • The service account used to integrate VMware Aria Operations for Networks with NSX requires the Enterprise Admin role to be assigned in NSX Local Manager for the management domain and each VI workload domain.

INV-VAON-CFG-017
  Design Decision: For each NSX Manager data source, enable latency metric collection.
  Design Justification: Provides the collection of latency metrics from NSX Transport Nodes.
  Design Implication: Any firewall rule sets from all ESXi hosts to the VMware Aria Operations for Networks collector must allow traffic on TCP 1991.

INV-VAON-CFG-018
  Design Decision: For environments using NSX Federation, use the NSX Local Manager as the data source.
  Design Justification: NSX Global Managers cannot be added as a data source in VMware Aria Operations for Networks. NSX Federation data is fetched from the NSX Local Managers.
  Design Implication: You must configure the NSX Local Manager as the NSX Manager data source if you are using NSX Federation.

Data Retention

Table 13. Design Decision on Data Retention for VMware Aria Operations for Networks

INV-VAON-CFG-019
  Design Decision: Use the default retention period of one month for the VMware Aria Operations for Networks platform node.
  Design Justification: Keeping the default value for retention minimizes the required storage resources and administrative effort.
  Design Implication: None.

Alert Notifications

Table 14. Design Decision on Alert Notifications for VMware Aria Operations for Networks

INV-VAON-CFG-020
  Design Decision: Configure VMware Aria Operations for Networks to use an outbound SMTP mail server to route notifications for system events.
  Design Justification: Activates alerts from VMware Aria Operations for Networks to be sent to administrators and operators.
  Design Implication:
  • If using email for notifications, you must configure the SMTP server settings in VMware Aria Operations for Networks.
  • You must select the system alerts and notifications for the system events that are relevant to the information you want to receive.

Information Security and Access Control Design

Table 15. Design Decisions on Identity Management for Intelligent Network Visibility

INV-VAON-SEC-001
  Design Decision: Limit the use of local accounts for interactive or API access and solution integration.
  Design Justification: Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity.
  Design Implication: You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.

INV-VAON-SEC-002
  Design Decision: Limit the scope and privileges for accounts used for interactive or API access and solution integration.
  Design Justification: The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.
  Design Implication: You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.

INV-VAON-SEC-003
  Design Decision: Assign VMware Aria Operations for Networks service roles to designated groups.
  Design Justification: By assigning Active Directory users with specific VMware Aria Operations for Networks service roles, you introduce improved accountability and facilitate access tracking.
  Design Implication: You must maintain the service roles required for users of your organization.

Table 16. Design Decisions on Service Accounts for Intelligent Network Visibility

INV-VAON-SEC-004
  Design Decision: Define a custom vCenter Server role for VMware Aria Operations for Networks that has the minimum privileges required to support a vCenter Server integration.
  Design Justification: Connects VMware Aria Operations for Networks to the management domain and each VI workload domain vCenter Server instance using a minimum set of privileges.
  Design Implication: You must maintain the privileges required by the custom vSphere role.

INV-VAON-SEC-005
  Design Decision: Create and assign the custom vCenter Server role to an Active Directory user account as a service account for the management domain and each VI workload domain vCenter Server instance for application-to-application communication between VMware Aria Operations for Networks and vCenter Server.
  Design Justification: Provides the following access control features:
  • VMware Aria Operations for Networks accesses each VI workload domain vCenter Server instance with a minimum set of permissions.
  • If there is a compromised account, the accessibility to the destination instance remains restricted.
  • You can introduce an improved accountability in tracking request-response interactions between VMware Aria Operations for Networks and the vCenter Server endpoint.
  Design Implication: You must maintain the life cycle, availability, and security controls for the account in Active Directory.

INV-VAON-SEC-006
  Design Decision: Create and assign the Enterprise Admin role using an NSX client certificate credential for the management domain and each VI workload domain NSX Local Manager instance for application-to-application communication between VMware Aria Operations for Networks and NSX Manager.
  Design Justification:
  • Provides integration and data collection of objects managed by NSX Manager for a given workload domain.
  • Client certificate credentials remove the need to protect and maintain either a local or Active Directory domain account and password.
  Design Implication: You must manage the credential and the life cycle of certificates and their corresponding private keys.

Table 17. Design Decisions on Password Policies for Intelligent Network Visibility

INV-VAON-SEC-007
  Design Decision: Configure the local user password expiration policy for each VMware Aria Operations for Networks platform and collector node.
  Design Justification:
  • You configure the local user password expiration policy for each VMware Aria Operations for Networks node to align with the requirements of your organization, which might be based on industry compliance standards.
  • The local user password expiration policy is applicable to the support and consoleuser accounts for VMware Aria Operations for Networks.
  Design Implication: You must manage the local user password expiration settings on each VMware Aria Operations for Networks platform and collector node by using the appliance console.

INV-VAON-SEC-008
  Design Decision: Configure the local user password complexity policy for each VMware Aria Operations for Networks platform and collector node.
  Design Justification:
  • You configure the local user password complexity policy for each VMware Aria Operations for Networks node to align with the requirements of your organization, which might be based on industry compliance standards.
  • The local user password complexity policy is applicable only to local VMware Aria Operations for Networks users.
  Design Implication: You must manage the local user password complexity settings on each VMware Aria Operations for Networks platform and collector node by using the appliance console.

INV-VAON-SEC-009
  Design Decision: Configure the local user account lockout policy for each VMware Aria Operations for Networks platform and collector node.
  Design Justification:
  • You configure the local user account lockout policy for each VMware Aria Operations for Networks node to align with the requirements of your organization, which might be based on industry compliance standards.
  • The local user account lockout policy is applicable only to local VMware Aria Operations for Networks users.
  Design Implication: You must manage the local user account lockout settings on each VMware Aria Operations for Networks node by using the appliance console.

Table 18. Design Decisions on Password Management for Intelligent Network Visibility

INV-VAON-SEC-010
  Design Decision: Change the VMware Aria Operations for Networks support and consoleuser passwords on each VMware Aria Operations for Networks platform and collector node on a recurring or event-initiated schedule.
  Design Justification: The password for the VMware Aria Operations for Networks support and consoleuser accounts expires based on the default password expiration policy.
  Design Implication:
  • You must manage the password change for the support and consoleuser accounts.
  • You must manage the password change on each VMware Aria Operations for Networks node by using VMware Aria Suite Lifecycle.
  • You must monitor the password expiration for each account.

Table 19. Design Decisions on Certificate Management for Intelligent Network Visibility

INV-VAON-SEC-011
  Design Decision: Use a CA-signed certificate containing the fully qualified domain names (FQDNs) of each VMware Aria Operations for Networks platform and collector node in the SAN attributes when deploying VMware Aria Operations for Networks.
  Design Justification: Configuring a CA-signed certificate ensures that the communication to the externally facing Web UI and API for VMware Aria Operations for Networks is encrypted.
  Design Implication:
  • Using CA-signed certificates from a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered.
  • Each time a node is added, the certificate must be replaced to include the fully qualified domain name of the additional node.

INV-VAON-SEC-012
  Design Decision: Use a SHA-2 or higher algorithm when signing certificates.
  Design Justification: The SHA-1 algorithm is considered less secure and has been deprecated.
  Design Implication: Not all certificate authorities support SHA-2.
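Both certificate decisions above (INV-VAON-SEC-011 and INV-VAON-SEC-012) can be verified from the text form of the issued certificate before it is uploaded. The following check is an added example, not code from the validated solution or from VMware: it parses a constructed excerpt of `openssl x509 -noout -text` output, confirms that every platform and collector FQDN appears as a DNS entry in the Subject Alternative Name, and rejects a signature algorithm based on SHA-1 or MD5. The FQDNs and the certificate text are constructed placeholders.

```python
import re
from typing import Dict, List, Set

# Constructed excerpt of `openssl x509 -noout -text` output; issuer, subject and FQDNs are placeholders.
OPENSSL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Issuing CA
        Subject: CN = inv-platform-01.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:inv-platform-01.example.com, DNS:inv-collector-01.example.com
    Signature Algorithm: sha256WithRSAEncryption
"""

# Platform and collector FQDNs the certificate must cover (constructed inventory).
NODE_FQDNS = ["inv-platform-01.example.com", "inv-collector-01.example.com"]


def parse_cert_text(text: str) -> Dict[str, object]:
    """Extract the signature algorithm and the set of SAN DNS names from openssl text output."""
    sig = re.search(r"^\s*Signature Algorithm:\s*(\S+)", text, re.MULTILINE)
    san = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    dns_names: Set[str] = set()
    if san:
        for entry in san.group(1).split(","):
            entry = entry.strip()
            if entry.lower().startswith("dns:"):
                dns_names.add(entry[4:].strip().lower())
    return {"sig_alg": sig.group(1) if sig else "", "san": dns_names}


def hash_is_sha2_or_stronger(sig_alg: str) -> bool:
    """True for SHA-2/SHA-3 family (and EdDSA) signature names; False for SHA-1, MD5 or unknown."""
    alg = sig_alg.lower()
    if any(weak in alg for weak in ("md2", "md5", "sha1")):
        return False
    return any(ok in alg for ok in ("sha224", "sha256", "sha384", "sha512", "sha3", "ed25519", "ed448"))


def check_certificate(text: str, node_fqdns: List[str]) -> List[str]:
    """Return one finding per violated decision; an empty list means the certificate is acceptable."""
    cert = parse_cert_text(text)
    findings: List[str] = []
    # SEC-011: every platform and collector node must be named in the SAN, so a node added
    # after issuance is the usual way this check starts failing.
    for fqdn in node_fqdns:
        if fqdn.lower() not in cert["san"]:
            findings.append(f"SAN missing {fqdn}; replace the certificate before adding the node")
    # SEC-012: the signing hash must be SHA-2 or stronger.
    if not hash_is_sha2_or_stronger(cert["sig_alg"]):
        findings.append(f"signature algorithm {cert['sig_alg'] or 'unknown'} is not SHA-2 or stronger")
    return findings


if __name__ == "__main__":
    for finding in check_certificate(OPENSSL_TEXT, NODE_FQDNS + ["inv-collector-02.example.com"]):
        print(finding)
```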

Solution Interoperability

Table 20. Design Decisions on Monitoring and Alerting Using Intelligent Operations Management for VMware Cloud Foundation

INV-MON-IOM-001
  Design Decision: Add a Ping adapter for each VMware Aria Operations for Networks platform and collector node.
  Design Justification: Provides metrics on the availability of each VMware Aria Operations for Networks platform and collector node.
  Design Implication: You must add the adapter instances manually.

INV-MON-IOM-002
  Design Decision: Configure the Ping adapter for the VMware Aria Operations for Networks platform node to use the default collector group.
  Design Justification: Provides metrics on the availability of the platform nodes.
  Design Implication: None.

INV-MON-IOM-003
  Design Decision: Configure the Ping adapter for the VMware Aria Operations for Networks collector node to use the local-instance collector group.
  Design Justification: Offloads data collection for local management components from the VMware Aria Operations for Networks analytics cluster.
  Design Implication: None.

INV-MON-IOM-004
  Design Decision: Configure the VMware Aria Operations for Logs integration in VMware Aria Operations.
  Design Justification:
  • Activates the VMware Aria Operations for Networks dashboard in VMware Aria Operations.
  • Activates VMware Aria Operations for Logs launch in context from VMware Aria Operations.
  Design Implication:
  • You can register only one VMware Aria Operations for Networks cluster with VMware Aria Operations at a time.
  • You must manage the password life cycle of this endpoint.

Table 21. Design Decisions on Logging Using Intelligent Logging and Analytics for VMware Cloud Foundation

INV-LOG-ILA-001
  Design Decision: Configure VMware Aria Operations for Networks to send logs to the VMware Aria Operations for Networks cluster in the corresponding VMware Cloud Foundation instance.
  Design Justification: Allows logs from VMware Aria Operations for Networks to be forwarded to a VMware Aria Operations for Networks cluster.
  Design Implication: None.