The design decisions determine the deployment configuration, resource sizing, and monitoring support of VMware Aria Operations in the SDDC.

Deployment Specification

Table 1. Design Decisions on Deployment of VMware Aria Operations

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-CFG-001

Deploy VMware Aria Operations as a cluster of three nodes: one primary, one primary replica, and one data node, in the default management vSphere cluster.

  • Provides the scale capacity required for monitoring up to 12,000 virtual machines or objects.

  • Supports scale-out with additional data nodes.

You must size all nodes identically, which increases the resource requirements in the SDDC.

IOM-VAOPS-CFG-002

Deploy two VMware Cloud Proxy appliances in the default management vSphere cluster.

Removes from the analytics cluster the load of collecting metrics from local-instance applications.

You must assign a collector group when configuring the monitoring of a solution.

IOM-VAOPS-CFG-003

To deploy VMware Aria Operations, use the VMware Aria Suite Lifecycle instance in the corresponding VMware Cloud Foundation instance.

  • VMware Aria Suite Lifecycle manages the VMware Aria Operations product binaries. The version of VMware Aria Operations is determined by the VMware interoperability matrix and SDDC Manager.

  • When VMware Aria Suite Lifecycle is in VMware Cloud Foundation mode, during the deployment, SDDC Manager configures the load balancer for the analytics cluster.

You must deploy VMware Aria Suite Lifecycle by using SDDC Manager.

IOM-VAOPS-CFG-004

Protect all VMware Aria Operations nodes by using vSphere High Availability.

Supports the availability objective for VMware Aria Operations without requiring manual intervention during an ESXi host failure event.

None.

IOM-VAOPS-CFG-005

Apply a vSphere Distributed Resource Scheduler (DRS) anti-affinity rule to the VMware Aria Operations analytics cluster.

Using vSphere DRS prevents the VMware Aria Operations analytics cluster virtual machines from running on the same ESXi host and risking the high availability of the cluster.

  • You must perform additional configuration to set up an anti-affinity rule.

  • If additional data nodes are added, you must update the anti-affinity rule.

  • For a default management vSphere cluster that consists of four ESXi hosts, you can put in maintenance mode only a single ESXi host at a time.

IOM-VAOPS-CFG-006

Apply a vSphere Distributed Resource Scheduler (DRS) anti-affinity rule to the VMware Cloud Proxy for VMware Aria Operations appliances.

Using vSphere DRS prevents the VMware Cloud Proxy for VMware Aria Operations appliances from running on the same ESXi host and risking the high availability of the cluster.

You must perform additional configuration to set up an anti-affinity rule.

IOM-VAOPS-CFG-007

Place the VMware Aria Operations analytics cluster virtual machines in a dedicated virtual machine folder.

Provides an organization of the VMware Aria Operations analytics cluster virtual machines in the management domain inventory.

You must create the virtual machine folder during or after the deployment.

IOM-VAOPS-CFG-008

Place the VMware Cloud Proxy for VMware Aria Operations appliances in a dedicated virtual machine folder.

Provides an organization of the VMware Cloud Proxy for VMware Aria Operations appliances in the management domain inventory.

You must create the virtual machine folder during or after the deployment.

IOM-VAOPS-CFG-009

Enable data persistence on all VMware Aria Operations Cloud Proxy appliances.

Provides the ability to store collected data locally during connectivity issues.

Storage availability on each VMware Cloud Proxy appliance must be monitored.

Table 2. Design Decisions on Deployment of VMware Aria Operations in Multiple Availability Zones

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-CFG-010

When using two availability zones, add the VMware Aria Operations virtual machines to the first availability zone VM group.

Ensures that, by default, the VMware Aria Operations virtual machines are powered on within the first availability zone hosts group.

If VMware Aria Operations is deployed after the creation of the stretched cluster for management domain availability zones, you must update the VM group for the first availability zone virtual machines to include the VMware Aria Operations virtual machines.

Table 3. Design Decisions on Deployment of VMware Aria Operations for Multiple VMware Cloud Foundation Instances

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-CFG-011

In an environment with multiple VMware Cloud Foundation instances, deploy two VMware Cloud Proxy appliances in the default management vSphere cluster in each VMware Cloud Foundation instance by using the same VMware Aria Suite Lifecycle instance and environment in the first VMware Cloud Foundation instance.

Removes from the analytics cluster the load of collecting metrics from local-instance applications.

You must assign a collector group when configuring the monitoring of a solution.

IOM-VAOPS-CFG-012

In an environment with multiple VMware Cloud Foundation instances, place the VMware Cloud Proxy for VMware Aria Operations appliances in each instance, in a dedicated virtual machine folder.

Provides an organization of the VMware Cloud Proxy for VMware Aria Operations appliances in the management domain inventory.

You must create the virtual machine folder during or after the deployment.

IOM-VAOPS-CFG-013

In an environment with multiple VMware Cloud Foundation instances, apply a vSphere Distributed Resource Scheduler (DRS) anti-affinity rule to the VMware Cloud Proxy for VMware Aria Operations appliances.

Using vSphere DRS prevents the VMware Cloud Proxy for VMware Aria Operations appliances from running on the same ESXi host and risking the high availability of the cluster.

You must perform additional configuration to set up an anti-affinity rule.

Table 4. Design Decisions on Sizing of VMware Aria Operations

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-CFG-014

Deploy each node in the analytics cluster as a medium-size appliance.

  • Provides enough capacity for the metrics and objects generated by up to 12,000 objects while having high availability in the analytics cluster activated. Metrics are collected from the following components:

    • vCenter Server instances

    • ESXi hosts

    • NSX components

    • VMware Aria Automation

    • VMware Aria Operations for Logs

  • If you use fewer large-size VMware Aria Operations analytics cluster nodes, you must increase the minimum host memory size to handle the performance impact that results from spanning NUMA node boundaries.

  • The ESXi hosts in the default management vSphere cluster must have physical CPUs with a minimum of 8 cores per socket. In total, the VMware Aria Operations analytics cluster uses 24 vCPUs and 96 GB of memory in the default management vSphere cluster.

  • When you exceed 12,000 objects, you must scale up the analytics cluster nodes size by using VMware Aria Suite Lifecycle.

IOM-VAOPS-CFG-015

If the number of SDDC objects exceeds 12,000, scale out the analytics cluster by using VMware Aria Suite Lifecycle.

Ensures that the analytics cluster has enough capacity to meet the SDDC object and metric growth.

  • The capacity of the physical ESXi hosts must be enough to accommodate virtual machines that require 32 GB RAM without bridging NUMA node boundaries.

  • The default management vSphere cluster must have enough ESXi hosts so that VMware Aria Operations can run according to the vSphere DRS anti-affinity rule.

  • The number of analytics cluster nodes must not exceed the number of ESXi hosts in the default management vSphere cluster minus one. For example, if the default management vSphere cluster contains six ESXi hosts, you can deploy up to five VMware Aria Operations nodes in the analytics cluster.

IOM-VAOPS-CFG-016

Increase the initial storage of each VMware Aria Operations analytics cluster node by 700 GB.

  • Supports the storage requirements for monitoring up to 12,000 objects.

  • Supports projected growth of 20%.

  • Supports data retention of six months.

None.

IOM-VAOPS-CFG-017

Deploy each VMware Cloud Proxy appliance as a small-size appliance.

  • Provides metric collection for a maximum of 8,000 objects per VMware Cloud Proxy appliance in the SDDC when at full capacity.

  • VMware Cloud Proxy appliances do not perform analytics operations or store data on disk, therefore no additional storage is required.

You must provide 2 vCPUs and 8 GB of memory in the default management vSphere cluster in each VMware Cloud Foundation instance for each VMware Cloud Proxy appliance.
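The placement and sizing limits in Table 1 and Table 4 (three-node minimum, one node per ESXi host under the anti-affinity rule with one host spare, 12,000 objects for the medium three-node cluster, two Cloud Proxy appliances at 8,000 objects each) can be checked mechanically before deployment. The following Python script is an added example and is not code from the VMware Validated Solutions guide; it encodes only the limits stated in those tables, and generalizes the four-host maintenance-mode caveat of IOM-VAOPS-CFG-005 to any cluster where the host count exceeds the node count by exactly one. The sample plan at the bottom is constructed.

```python
"""Design-constraint check for a planned VMware Aria Operations deployment.

Added worked example; this is not code from the VMware Validated Solutions
guide. It encodes the limits stated in the design decisions so that a proposed
design can be checked before anything is deployed.
"""
from dataclasses import dataclass, field
from math import ceil
from typing import List

# Limits taken from the design decisions on this page.
MEDIUM_CLUSTER_OBJECT_LIMIT = 12_000  # three medium nodes with HA (IOM-VAOPS-CFG-014)
PROXY_OBJECT_LIMIT = 8_000            # per small Cloud Proxy appliance (IOM-VAOPS-CFG-017)
MIN_PROXIES = 2                       # two proxies per instance (IOM-VAOPS-CFG-002)
MIN_ANALYTICS_NODES = 3               # primary, primary replica, data node (IOM-VAOPS-CFG-001)


@dataclass
class DesignPlan:
    mgmt_hosts: int         # ESXi hosts in the default management vSphere cluster
    analytics_nodes: int    # members of the analytics cluster
    cloud_proxies: int      # Cloud Proxy appliances in this VCF instance
    monitored_objects: int  # objects VMware Aria Operations will monitor


@dataclass
class Findings:
    errors: List[str] = field(default_factory=list)    # the design must change
    warnings: List[str] = field(default_factory=list)  # operational caveats

    @property
    def ok(self) -> bool:
        return not self.errors


def validate_plan(plan: DesignPlan) -> Findings:
    """Check a plan against the sizing and placement rules of the design."""
    f = Findings()

    # IOM-VAOPS-CFG-001: the analytics cluster starts at three nodes.
    if plan.analytics_nodes < MIN_ANALYTICS_NODES:
        f.errors.append(
            f"analytics cluster has {plan.analytics_nodes} nodes; minimum is {MIN_ANALYTICS_NODES}")

    # IOM-VAOPS-CFG-005 / CFG-015: the anti-affinity rule needs one host per
    # node, and the node count must not exceed the host count minus one.
    max_nodes = plan.mgmt_hosts - 1
    if plan.analytics_nodes > max_nodes:
        f.errors.append(
            f"{plan.analytics_nodes} analytics nodes exceed the limit of {max_nodes} "
            f"for a {plan.mgmt_hosts}-host management cluster")
    elif plan.mgmt_hosts - plan.analytics_nodes == 1:
        # IOM-VAOPS-CFG-005: with exactly one spare host, only one ESXi host
        # can enter maintenance mode at a time without violating the rule.
        f.warnings.append("only one ESXi host can be placed in maintenance mode at a time")

    # IOM-VAOPS-CFG-014 / CFG-015: beyond 12,000 objects the three-node medium
    # cluster must be scaled out (or its nodes scaled up).
    if (plan.monitored_objects > MEDIUM_CLUSTER_OBJECT_LIMIT
            and plan.analytics_nodes == MIN_ANALYTICS_NODES):
        f.errors.append(
            f"{plan.monitored_objects} objects exceed {MEDIUM_CLUSTER_OBJECT_LIMIT}; "
            "scale out the analytics cluster with VMware Aria Suite Lifecycle")

    # IOM-VAOPS-CFG-002 / CFG-017: at least two proxies, and enough proxy
    # capacity for the object count.
    needed = max(MIN_PROXIES, ceil(plan.monitored_objects / PROXY_OBJECT_LIMIT))
    if plan.cloud_proxies < needed:
        f.errors.append(
            f"{plan.cloud_proxies} Cloud Proxy appliances; {needed} needed for "
            f"{plan.monitored_objects} objects at {PROXY_OBJECT_LIMIT} each")
    return f


if __name__ == "__main__":
    # Constructed sample plan: a four-host default management cluster with the
    # baseline three-node analytics cluster and two Cloud Proxy appliances.
    result = validate_plan(DesignPlan(4, 3, 2, 10_000))
    for line in result.errors:
        print("error:", line)
    for line in result.warnings:
        print("warning:", line)
```

Run it against each VMware Cloud Foundation instance's planned numbers; an error means the design violates one of the decisions above, while a warning records the maintenance-mode constraint that operations staff need to know about.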

Table 5. Design Decisions on Notifications for VMware Aria Operations

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-CFG-018

Configure VMware Aria Operations to use an outbound SMTP mail server to route notifications for system events.

Delivers VMware Aria Operations system event notifications to users by email, providing an enhanced user experience.

You must maintain an SMTP server.

Table 6. Design Decisions on Costing for VMware Aria Operations

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-CFG-019

Configure the currency in the VMware Aria Operations global options based on your organization requirements.

Ensures accurate currency in the costing.

The currency cannot be changed after the initial configuration.

Network Design

Table 7. Design Decisions on the Network Segments for VMware Aria Operations

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-NET-001

Place the VMware Aria Operations analytics nodes on the cross-instance NSX network segment.

Provides a consistent deployment model for management applications and a potential to extend to a second VMware Cloud Foundation instance for disaster recovery.

You must use an implementation of NSX to support this network configuration.

IOM-VAOPS-NET-002

Place the VMware Cloud Proxy for VMware Aria Operations appliances on the local-instance NSX network segment.

Supports collection of metrics locally per VMware Cloud Foundation instance.

You must use an implementation of NSX to support this network configuration.

Table 8. Design Decisions on the Network Segments for VMware Aria Operations for Multiple VMware Cloud Foundation Instances

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-NET-003

In an environment with multiple VMware Cloud Foundation instances, place the VMware Cloud Proxy for VMware Aria Operations appliances in each instance on the local-instance NSX segment.

Supports collection of metrics locally per VMware Cloud Foundation instance.

You must use an implementation of NSX to support this network configuration.

Table 9. Design Decisions on the IP Addressing for VMware Aria Operations

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-NET-004

Allocate statically assigned IP addresses and host names from the cross-instance NSX segment to the VMware Aria Operations analytics cluster nodes and the NSX load balancer.

Ensures stability across the SDDC, and makes it simpler to maintain and easier to track.

Requires precise IP address management.

IOM-VAOPS-NET-005

Allocate statically assigned IP addresses and host names from the local-instance NSX segment to the VMware Cloud Proxy for VMware Aria Operations appliances.

Ensures stability across the SDDC, and makes it simpler to maintain and easier to track.

Requires precise IP address management.

Table 10. Design Decisions on the IP Addressing for VMware Aria Operations for Multiple VMware Cloud Foundation Instances

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-NET-006

In an environment with multiple VMware Cloud Foundation instances, allocate statically assigned IP addresses and host names from each local-instance NSX segment to the corresponding VMware Cloud Proxy for VMware Aria Operations appliances in the instance.

Ensures stability across the SDDC, and makes it simpler to maintain and easier to track.

Requires precise IP address management.

Table 11. Design Decisions on Name Resolution for VMware Aria Operations

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-NET-007

Configure forward and reverse DNS records for all VMware Aria Operations nodes and for the NSX load balancer virtual IP address.

All nodes are accessible by fully qualified domain name rather than by IP address only.

You must provide DNS records for the VMware Aria Operations nodes.
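A practical way to verify IOM-VAOPS-NET-004 and IOM-VAOPS-NET-007 together is to check that every planned name resolves to its planned address and that the address resolves back to the same name. The Python script below is an added example, not code from the guide. The host names and the RFC 5737 addresses are constructed placeholders, and the two static tables stand in for DNS so the check runs offline; against a real environment, pass `system_forward` and `system_reverse` (which use the local resolver through the standard `socket` module) instead.

```python
"""Forward and reverse DNS consistency check for VMware Aria Operations names.

Added worked example; not code from the VMware Validated Solutions guide. Every
analytics node and the load balancer virtual IP should have an A record and a
PTR record that agree with the planned allocation. The check takes resolver
callables so it can run offline against constructed records.
"""
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed planned allocation: placeholder host names and RFC 5737
# documentation addresses, not values from the guide.
PLANNED_RECORDS: Dict[str, str] = {
    "vaops-vip.example.com": "192.0.2.10",     # NSX load balancer virtual IP
    "vaops-node-a.example.com": "192.0.2.11",  # primary node
    "vaops-node-b.example.com": "192.0.2.12",  # primary replica node
    "vaops-node-c.example.com": "192.0.2.13",  # data node
}

# Constructed zone contents standing in for DNS during an offline run:
# node-b has no PTR record and node-c's A record points at the wrong address.
SAMPLE_A_RECORDS: Dict[str, str] = {
    "vaops-vip.example.com": "192.0.2.10",
    "vaops-node-a.example.com": "192.0.2.11",
    "vaops-node-b.example.com": "192.0.2.12",
    "vaops-node-c.example.com": "192.0.2.23",
}
SAMPLE_PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "vaops-vip.example.com",
    "192.0.2.11": "vaops-node-a.example.com",
    "192.0.2.13": "vaops-node-c.example.com",
}


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Resolver backed by a static table, used for the offline sample."""
    return table.get


def system_forward(fqdn: str) -> Optional[str]:
    """A-record lookup through the local resolver; None if the name is absent."""
    try:
        return socket.gethostbyname(fqdn)
    except OSError:
        return None


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the local resolver; None if no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def check_records(planned: Dict[str, str], forward: Resolver, reverse: Resolver) -> List[str]:
    """Return one line per forward or reverse record that is missing or wrong."""
    problems: List[str] = []
    for fqdn, ip in planned.items():
        got_ip = forward(fqdn)
        if got_ip is None:
            problems.append(f"{fqdn}: no A record")
        elif got_ip != ip:
            problems.append(f"{fqdn}: A record is {got_ip}, planned {ip}")
        got_name = reverse(ip)
        if got_name is None:
            problems.append(f"{ip}: no PTR record")
        elif got_name.rstrip(".").lower() != fqdn.lower():
            problems.append(f"{ip}: PTR record is {got_name}, planned {fqdn}")
    return problems


if __name__ == "__main__":
    # Offline run over the constructed zone data; swap in system_forward and
    # system_reverse to check a live environment.
    for problem in check_records(PLANNED_RECORDS,
                                 table_resolver(SAMPLE_A_RECORDS),
                                 table_resolver(SAMPLE_PTR_RECORDS)):
        print(problem)
```

An empty result means both directions match the plan for every node and the virtual IP; run it again after each scale-out, since a new data node needs its own pair of records.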

Table 12. Design Decisions on Load Balancing for VMware Aria Operations

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-NET-008

Use the small-size load balancer that SDDC Manager configures on a dedicated NSX Tier-1 gateway in the management domain for the clustered Workspace ONE Access nodes to also load balance the connections across the VMware Aria Operations analytics cluster members.

Required for an analytics cluster deployment type that distributes user interface access across the cluster members.

You must use the NSX load balancer that is configured by SDDC Manager to support this network configuration.

IOM-VAOPS-NET-009

Do not use a load balancer for the VMware Cloud Proxy for VMware Aria Operations appliances.

  • VMware Cloud Proxy for VMware Aria Operations appliances must directly access the systems that they are monitoring.

  • VMware Cloud Proxy for VMware Aria Operations appliances do not require access to and from the public network.

None.

Table 13. Design Decisions on Time Synchronization for VMware Aria Operations

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-NET-010

Configure NTP on each VMware Aria Operations node.

VMware Aria Operations depends on time synchronization.

None.

IOM-VAOPS-NET-011

Configure the timezone of VMware Aria Operations to use UTC.

You must use UTC to provide the integration with VMware Aria Automation, because VMware Aria Automation supports only UTC.

If you are in a timezone other than UTC, timestamps appear skewed.

Life Cycle Management Design

Table 14. Design Decisions on Life Cycle Management of VMware Aria Operations

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-LCM-001

Use VMware Aria Suite Lifecycle to perform the life cycle management of VMware Aria Operations.

VMware Aria Suite Lifecycle manages the product binaries and VMware Aria Operations upgrades.

  • You must deploy VMware Aria Suite Lifecycle by using SDDC Manager.

  • VMware Aria Suite Lifecycle manages patches, updates, and hot fixes for VMware Aria Operations.

VMware Aria Operations Design

Table 15. Design Decisions on Integrations for Intelligent Operations Management

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-CFG-020

Activate the VMware Cloud Foundation integration in VMware Aria Operations.

Provides the ability to configure VMware Cloud Foundation instance specific cloud accounts to gather metrics for SDDC Manager, vCenter Server, vSAN, and NSX Local Manager.

You must activate the integration manually.

IOM-VAOPS-CFG-021

Activate the VMware Identity Manager integration for VMware Aria Operations.

Provides the ability for VMware Aria Operations to communicate with Workspace ONE Access endpoints.

The integration is installed and activated by SDDC Manager.

IOM-VAOPS-CFG-022

Activate the VMware Infrastructure Health integration in VMware Aria Operations.

  • Provides a unified operations view of each VMware Cloud Foundation instance including the associated management and workload domains.

  • Provides information on the health of associated management components.

  • You must configure a VMware Cloud Foundation cloud account before activating the integration.

  • You must activate the integration manually.

IOM-VAOPS-CFG-023

Activate the Ping integration in VMware Aria Operations.

Provides metrics on the availability of endpoints.

You must activate the integration manually.

Table 16. Design Decision on Cloud Accounts for Intelligent Operations Management

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-CFG-024

Remove the existing vCenter Server cloud account created by SDDC Manager.

The existing cloud account is not used when utilizing the VMware Cloud Foundation integration.

You must manually remove the existing cloud account.

IOM-VAOPS-CFG-025

Remove the existing Principal Credential for the vCenter Server created by SDDC Manager.

The existing Principal Credential is not used when utilizing the VMware Cloud Foundation integration.

You must manually remove the existing credential.

IOM-VAOPS-CFG-026

Configure a credential for each VMware Cloud Foundation instance with a service account using least privilege access.

Provides the required access when enabling the VMware Cloud Foundation integration in VMware Aria Operations to collect SDDC Manager domain and metric data.

You must maintain the life cycle, availability, and security controls for the account in Active Directory.

IOM-VAOPS-CFG-027

Configure a VMware Cloud Foundation cloud account for each VMware Cloud Foundation instance using a credential and assign to the local-instance collector group.

Provides metric collection of SDDC Manager and workload domains.

You must manually create the cloud account.

IOM-VAOPS-CFG-028

Configure a Principal Credential for each workload domain vCenter Server for each VMware Cloud Foundation instance with a service account using least privilege access.

Provides the required access when enabling the VMware Cloud Foundation integration in VMware Aria Operations to collect vCenter Server metric data.

You must maintain the life cycle, availability, and security controls for the service account in Active Directory.

IOM-VAOPS-CFG-029

Configure a vCenter Server cloud account for each workload domain vCenter Server instance using a Principal Credential and assign to the local-instance collector group.

Provides metric collection of vCenter Server.

You must manually create the cloud account.

IOM-VAOPS-CFG-030

Enable the vSAN cloud account for each workload domain in the VMware Cloud Foundation instance.

Provides metric collection from all vSAN enabled clusters in a workload domain.

Using the same service account across vCenter Server instances increases the risk that an account issue causes VMware Aria Operations to lose connectivity to those instances.

IOM-VAOPS-CFG-031

Configure an NSX-T Client Certificate Credential for each NSX Manager instance with least privilege access.

Provides the required access when enabling the VMware Cloud Foundation integration in VMware Aria Operations to collect NSX Manager metric data.

You must manage the credentials and the life cycle of certificates and their corresponding private keys.

IOM-VAOPS-CFG-032

Configure an NSX cloud account for each workload domain NSX Manager instance in each VMware Cloud Foundation instance using an NSX Client Certificate credential and assign it to the local-instance collector group.

Provides metric collection for an NSX Manager.

You must manually add the credentials for the cloud account.

IOM-VAOPS-CFG-033

Configure a VMware Identity Manager cloud account for the clustered Workspace ONE Access instance and assign to the default collector group.

Provides metric collection from the clustered Workspace ONE Access instance.

  • The cloud account is configured by SDDC Manager.

  • The load on the analytics cluster, though minimal, increases.

IOM-VAOPS-CFG-034

Configure a Ping cloud account for the VMware Aria Operations analytics cluster nodes and assign to the default collector group.

Provides metrics on the availability of VMware Aria Operations analytic nodes.

You must add the cloud account instance manually.

IOM-VAOPS-CFG-035

Configure a Ping cloud account for the VMware Cloud Proxy for VMware Aria Operations appliances and assign to the local-instance collector group.

Provides metrics on the availability of VMware Cloud Proxy for VMware Aria Operations appliances.

You must add the cloud account instance manually.

IOM-VAOPS-CFG-036

Configure a Ping adapter for the clustered Workspace ONE Access nodes and assign to the default collector group.

Provides metrics on the availability of the clustered Workspace ONE Access nodes.

You must add the cloud account instance manually.

Table 17. Design Decisions on Alerts for Intelligent Operations Management

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-CFG-037

Define and configure application, virtual machine, and container related alerts.

Alerts can be used to detect and notify administrators about conditions that endanger the operation of individual workloads or groups of workloads running in your environment.

Individual alerts may need to be manually created and maintained.

IOM-VAOPS-CFG-038

Define and configure virtual infrastructure and ESXi host related alerts.

Alerts can be used to detect and notify administrators about conditions that endanger the operation of your virtual infrastructure as a whole or down to its discrete components.

Individual alerts may need to be manually created and maintained.

IOM-VAOPS-CFG-039

Define and configure software-defined networking related alerts.

Alerts can be used to detect and notify administrators about conditions that endanger the operation of NSX software-defined networking components.

Individual alerts may need to be manually created and maintained.

IOM-VAOPS-CFG-040

Define and configure storage related alerts.

Alerts can be used to detect and notify administrators about conditions that endanger the operation of vSAN or disk/file-based storage or individual storage layer components.

Individual alerts may need to be manually created and maintained.

Information Security and Access Design

Table 18. Design Decision on Identity Management for VMware Aria Operations

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-SEC-001

Activate VMware Aria Operations integration with your corporate identity source by using the clustered Workspace ONE Access deployment.

Allows authentication, including multi-factor, to VMware Aria Operations by using your corporate identity source.

Allows authorization through the assignment of organization and cloud services roles to enterprise users and groups defined in your corporate identity source.

You must deploy and configure a Workspace ONE Access cluster to establish the integration between VMware Aria Operations and your corporate identity sources.

IOM-VAOPS-SEC-002

Assign the default Administrator role in VMware Aria Operations to an Active Directory security group.

Provides the following access control features:

  • Access to VMware Aria Operations administration is granted to a managed set of individuals that are members of the security group.

  • You can introduce improved accountability and tracking of organization owner access to VMware Aria Operations.

You must maintain the life cycle and availability of the security group outside of the SDDC stack.

IOM-VAOPS-SEC-003

Assign the default ContentAdmin role in VMware Aria Operations to an Active Directory security group.

Provides the following access control features:

  • Access to the VMware Aria Operations user interface is granted to a managed set of individuals that are members of the security group.

  • You can introduce improved accountability and tracking of organization owner access to VMware Aria Operations.

You must maintain the life cycle and availability of the security group outside of the SDDC stack.

IOM-VAOPS-SEC-004

Assign the default ReadOnly role in VMware Aria Operations to an Active Directory security group.

Provides the following access control features:

  • Access to the VMware Aria Operations user interface is granted to a managed set of individuals that are members of the security group.

  • You can introduce improved accountability and tracking of organization owner access to VMware Aria Operations.

You must maintain the life cycle and availability of the security group outside of the SDDC stack.

Table 19. Design Decisions on Service Accounts for Intelligent Operations Management

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-SEC-005

Create and assign least privilege access to an Active Directory user account as a service account in each SDDC Manager instance for application-to-application communication between VMware Aria Operations and SDDC Manager.

Provides integration and data collection of objects managed by SDDC Manager for a VMware Cloud Foundation instance.

You must maintain the life cycle, availability, and security controls for the account in Active Directory.

IOM-VAOPS-SEC-006

Define a custom vCenter Server role for VMware Aria Operations that has the minimum privileges required to support a vCenter Server cloud account.

VMware Aria Operations integrates with each workload domain vCenter Server instance using the minimum set of privileges required to support the cloud account.

  • You must maintain the privileges required by the custom vSphere role.

  • If additional workload domain vCenter Server instances are not in the same vCenter Single Sign-On domain, the custom role must be applied to each vCenter Single Sign-On domain.

IOM-VAOPS-SEC-007

Create and assign the custom vCenter Server role to an Active Directory user account as a service account for each workload domain vCenter Server instance for application-to-application communication between VMware Aria Operations and vCenter Server.

  • Provides integration and data collection of objects managed by the vCenter Server for a given workload domain.

  • Limiting the use of a service account reduces the risk in the case of either a security or a password-related event.

  • Using a named Active Directory account provides for auditability unlike generic administrative accounts.

You must maintain the life cycle, availability, and security controls for the account in Active Directory.

IOM-VAOPS-SEC-008

Use the vCenter Server service account for data collection on vSAN cloud accounts.

As a service managed by vCenter Server, vSAN does not require separate credentials for the integration to function.

None.

IOM-VAOPS-SEC-009

Create and assign the Enterprise Admin role using an NSX Principal Identity for each workload domain NSX Local Manager instance for application-to-application communication between VMware Aria Operations and NSX Manager.

  • Provides integration and data collection of objects managed by NSX Manager for a given workload domain.

  • Limiting its use reduces the risk in the case of either a security or a password-related event.

  • Principal Identity accounts remove the need to protect and maintain either a local or Active Directory Domain account and password.

You must manage the credential and the life cycle of the certificates and their corresponding private keys.

Table 20. Design Decisions on Password Policies for VMware Aria Operations

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-SEC-010

Configure the password expiration policy for the VMware Aria Operations appliance and VMware Cloud Proxy appliance.

  • You configure the password expiration policy for the VMware Aria Operations appliance and VMware Cloud Proxy appliances to align with the requirements of your organization, which might be based on industry compliance standards.

  • The policy is applicable only to the local VMware Aria Operations users.

You can manage the password expiration policy on the VMware Aria Operations appliance and VMware Cloud Proxy appliance by using the virtual appliance console or a Secure Shell (SSH) client.

IOM-VAOPS-SEC-011

Configure the password complexity policy for the VMware Aria Operations appliance and VMware Cloud Proxy appliance.

  • You configure the password complexity policy for VMware Aria Operations and VMware Cloud Proxy appliances to align with the requirements of your organization which might be based on industry compliance standards.

  • The policy is applicable only to the local VMware Aria Operations users.

You can manage the password complexity policy on the VMware Aria Operations appliance and VMware Cloud Proxy appliance by using the virtual appliance console or a Secure Shell (SSH) client.

IOM-VAOPS-SEC-012

Configure the account lockout policy for the VMware Aria Operations appliance and VMware Cloud Proxy appliance.

  • You configure the account lockout policy for VMware Aria Operations and VMware Cloud Proxy appliances to align with the requirements of your organization which might be based on industry compliance standards.

  • The policy is applicable only to the local VMware Aria Operations users.

You can manage the account lockout policy on the VMware Aria Operations appliance and VMware Cloud Proxy appliance by using the virtual appliance console or a Secure Shell (SSH) client.
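Because IOM-VAOPS-SEC-010 through SEC-012 are set on each appliance over the console or SSH rather than through VMware Aria Suite Lifecycle, drift from the organizational policy is easy to miss. The Python script below is an added example and is not code from the guide. It assumes the appliances run Photon OS with password aging in `/etc/login.defs`, complexity on the `pam_pwquality.so` (or older `pam_cracklib.so`) line of `/etc/pam.d/system-password`, and lockout on the `pam_faillock.so` (or older `pam_tally2.so`) lines of `/etc/pam.d/system-auth`; those locations and module names are assumptions to confirm on your appliance version. The file contents and the target values are constructed for the offline run.

```python
"""Audit of local account policies on VMware Aria Operations and Cloud Proxy appliances.

Added worked example; not code from the VMware Validated Solutions guide. The
parsing runs on file contents passed in as strings, so it can be exercised on
the constructed samples below and then pointed at the real files collected over
SSH. File paths and PAM module names are assumptions about the Photon OS
appliance layout.
"""
import re
from typing import Dict, List, Optional, Sequence

# Constructed sample file contents, not captured from an appliance.
SAMPLE_LOGIN_DEFS = """\
# Password aging controls (assumed: /etc/login.defs)
PASS_MAX_DAYS   365
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""
SAMPLE_SYSTEM_PASSWORD = """\
# assumed: /etc/pam.d/system-password
password requisite pam_pwquality.so retry=3 minlen=8 difok=4 enforce_for_root
password required  pam_unix.so sha512 shadow use_authtok
"""
SAMPLE_SYSTEM_AUTH = """\
# assumed: /etc/pam.d/system-auth
auth required      pam_faillock.so preauth silent deny=3 unlock_time=900
auth required      pam_unix.so
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900
"""

# Illustrative organizational targets (assumed values, not VMware recommendations).
TARGET_POLICY = {"max_days": 90, "min_length": 14, "lockout_deny": 5, "unlock_time": 900}


def parse_login_defs(text: str) -> Dict[str, str]:
    """Return KEY -> value for the uncommented entries of a login.defs file."""
    return dict(re.findall(r"^\s*([A-Z_]+)\s+(\S+)", text, re.MULTILINE))


def pam_module_options(text: str, modules: Sequence[str]) -> Optional[Dict[str, str]]:
    """Merge key=value options from every PAM line that loads one of the modules.

    Returns None when no line loads any of the modules, so a missing control
    is distinguishable from a control with default options.
    """
    found: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()  # drop comments
        idx = next((i for i, t in enumerate(tokens) if t in modules), None)
        if idx is None:
            continue
        found = {} if found is None else found
        for tok in tokens[idx + 1:]:  # only options after the module name
            if "=" in tok:
                key, value = tok.split("=", 1)
                found[key] = value
    return found


def audit_policy(login_defs: str, system_password: str, system_auth: str,
                 target: Dict[str, int]) -> List[str]:
    """Compare the three local policies with the target; one finding per gap."""
    findings: List[str] = []

    # IOM-VAOPS-SEC-010: password expiration
    max_days = parse_login_defs(login_defs).get("PASS_MAX_DAYS")
    if max_days is None or int(max_days) > target["max_days"]:
        findings.append(f"expiration: PASS_MAX_DAYS is {max_days}, target <= {target['max_days']}")

    # IOM-VAOPS-SEC-011: password complexity
    pw = pam_module_options(system_password, ("pam_pwquality.so", "pam_cracklib.so"))
    minlen = int(pw.get("minlen", 0)) if pw else 0  # absent module treated as no minimum
    if minlen < target["min_length"]:
        findings.append(f"complexity: minlen is {minlen}, target >= {target['min_length']}")

    # IOM-VAOPS-SEC-012: account lockout
    lock = pam_module_options(system_auth, ("pam_faillock.so", "pam_tally2.so"))
    if lock is None:
        findings.append("lockout: no lockout module configured")
    else:
        deny = int(lock.get("deny", 0))
        unlock = int(lock.get("unlock_time", 0))
        if deny == 0 or deny > target["lockout_deny"]:
            findings.append(f"lockout: deny is {deny}, target 1..{target['lockout_deny']}")
        if unlock < target["unlock_time"]:
            findings.append(f"lockout: unlock_time is {unlock}, target >= {target['unlock_time']}")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_LOGIN_DEFS, SAMPLE_SYSTEM_PASSWORD,
                                SAMPLE_SYSTEM_AUTH, TARGET_POLICY):
        print(finding)
```

On the constructed sample the expiration and complexity settings miss the target while the lockout settings pass, which is the kind of partial drift the per-appliance management described above tends to produce; collecting the three files from every analytics node and Cloud Proxy appliance and running the audit keeps the local-user policies aligned across the fleet.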

Table 21. Design Decision on Password Management for VMware Aria Operations

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-SEC-013

Change the VMware Aria Operations and VMware Cloud Proxy appliance root password on a recurring or event-initiated schedule by using the SDDC Manager user interface or API.

  • By default, the password for the VMware Aria Operations and VMware Cloud Proxy appliance root account expires every 365 days.

  • When VMware Aria Operations is deployed into a VMware Cloud Foundation environment in VMware Aria Suite Lifecycle, the root password is managed from the SDDC Manager user interface or API, not VMware Aria Suite Lifecycle.

By using SDDC Manager, you manage the password change or automated password rotation schedule for the VMware Aria Operations and VMware Cloud Proxy root account in accordance with your organizational policies and regulatory standards.

IOM-VAOPS-SEC-014

Change the VMware Aria Operations admin account password on a recurring or event-initiated schedule by using the SDDC Manager UI or API.

When VMware Aria Operations is deployed into a VMware Cloud Foundation environment in VMware Aria Suite Lifecycle, the admin password is managed from the SDDC Manager user interface or API, not VMware Aria Suite Lifecycle.

You must routinely perform the password change for the admin account by using the SDDC Manager UI or API.

Table 22. Design Decisions on Certificates for VMware Aria Operations

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-SEC-015

Use a CA-signed certificate that includes the analytics cluster nodes and the VMware Cloud Proxy appliances in the Subject Alternative Name (SAN) attributes when deploying VMware Aria Operations.

Configuring a CA-signed certificate ensures that the communication to the externally facing Web UI and API for VMware Aria Operations, and cross-product, is encrypted.

  • Using CA-signed certificates from a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered.

  • Each time a node is added, the certificate must be replaced to include the new node.

IOM-VAOPS-SEC-016

Use a SHA-2 or higher algorithm when signing certificates.

The SHA-1 algorithm is considered less secure and has been deprecated.

Not all certificate authorities support SHA-2.

Solution Interoperability Design

Table 23. Design Decision on Logging for Intelligent Operations Management

Decision ID

Design Decision

Design Justification

Design Implication

IOM-VAOPS-LOG-001

Use the VMware Aria Operations for Logs content pack for VMware Aria Operations.

Provides additional granular monitoring on the virtual infrastructure.

The content pack for VMware Aria Operations is installed by default in VMware Aria Operations for Logs.

None.

IOM-VAOPS-LOG-002

Configure the VMware Aria Operations for Logs agent for the VMware Aria Operations nodes to forward logs to VMware Aria Operations for Logs in their corresponding VMware Cloud Foundation instance.

Simplifies configuration of log sources in the SDDC that are prepackaged with the VMware Aria Operations for Logs agent.

You must configure the VMware Aria Operations for Logs agent to forward logs to the VMware Aria Operations for Logs VIP.

IOM-VAOPS-LOG-003

Configure VMware Aria Operations to send logs to the VMware Aria Operations for Logs cluster in the corresponding VMware Cloud Foundation instance.

Allows logs from VMware Aria Operations to be forwarded to a VMware Aria Operations for Logs cluster.

None.

IOM-VAOPS-LOG-004

Communicate with VMware Aria Operations for Logs using the default Ingestion API (cfapi) port 9000 and ssl=no.

Supports disaster recovery of VMware Aria Operations in the SDDC. During the failover, the DNS records for VMware Aria Operations for Logs in Region A are updated to redirect to the instance in Region B to ensure that log collection remains operational. The ssl=no setting must be used when there is a certificate mismatch after the failover.

Transmission traffic for logs is not encrypted.

IOM-VAOPS-LOG-005

Configure a dedicated Photon OS agent group and assign to it the FQDNs of the VMware Aria Operations cluster nodes and VMware Cloud Proxy appliances.

  • Provides a standardized configuration to all VMware Aria Operations for Logs agents in each of the groups.

  • Defines the VMware Aria Operations for Logs agent configuration for log collection and parsing in the context of the SDDC components, such as specific log directories, files, and formats.

Adds minimal load to the VMware Aria Operations for Logs cluster.