A deployed Private Cloud will have a number of appliances that manage different aspects of the infrastructure.
These appliances are managed by Google as part of the Shared Responsibility Model and include vCenter Server, NSX Manager, and NSX Edge appliances by default; if enabled, there may also be an HCX Manager. All appliances are joined to the Private Cloud's Single Sign-On (SSO) domain, gve.local. This SSO domain is local to the deployed SDDC. Customers are provided a cloudowner account that has restricted management permissions as part of the Shared Responsibility Model and is allowed to perform operations in support of workloads. Full administrative control of the SDDC is reserved for Google itself.
The initial credentials for the cloudowner account are displayed in the Google Cloud VMware Engine Console, and the password for this account can also be changed through the Console. vCenter Server allows the integration of an LDAP-based identity source, which lets customers use their existing directories and authentication sources.
Ideas to consider:
Use private DNS resolution for vCenter and HCX Manager so that these appliances are accessed from the on-premises network. SRM, vSphere Replication and NSX Manager only support private DNS and private IP connectivity.
Add individual user accounts to the Administrators group rather than importing an Active Directory group; this helps separate authorization from authentication, reducing the attack vectors available if Active Directory is compromised.
Use tiered access models where everyday tasks can be handled by regular accounts/group access, but any privileged access should use a separate account, individually added to the vCenter group.
Rotate the password for the cloudowner according to your password policy.
Access to management components should not depend solely on IP address restrictions, as the compromise of an administrator desktop often also includes the compromise of the administrator's credentials. A bastion host or "jump box" solution may be implemented with multi-factor authentication.
Appropriate hardening and monitoring should be applied to bastion hosts, including considerations for the compromise of an organization's central Active Directory or authentication source. Use of separate administrator accounts is also recommended as a way to help identify the presence of attackers: the compromise of an administrator's regular desktop account would not automatically lead to the compromise of infrastructure, and may force the attacker to generate login failures, which can be monitored.
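The two monitoring ideas above (privileged accounts that are separate from everyday accounts, and privileged access that is expected to arrive only via a bastion host) can be turned into a simple detection rule. The following is an added example and not part of the Google Cloud VMware Engine guidance; it assumes a naming convention for privileged accounts (an "adm-" prefix, plus cloudowner, in the gve.local SSO domain), a constructed bastion address, and a constructed syslog-style login event format. Adapt the regex to the exact vCenter SSO event format your SIEM receives.

```python
"""Flag privileged vCenter SSO logins that bypass the bastion or fail repeatedly.

Added example, not part of the Google Cloud VMware Engine guidance. Assumptions:
  * privileged accounts are named with an 'adm-' prefix or are 'cloudowner',
    in the gve.local SSO domain (naming convention is an assumption),
  * privileged access is expected only from the bastion host(s) listed in
    BASTION_HOSTS (constructed address),
  * login events are constructed syslog-style lines; adapt EVENT_RE to the
    real event format you forward to your SIEM.
"""
import re
from collections import Counter

SSO_DOMAIN = "gve.local"
PRIVILEGED_PREFIX = "adm-"
BASTION_HOSTS = {"10.10.0.5"}   # constructed bastion / jump box address
FAILURE_THRESHOLD = 3           # alert on the Nth consecutive failure per (user, src)

# Constructed sample events (not real vCenter output).
SAMPLE_EVENTS = """\
2024-01-01T08:00:01Z vcenter sso: user=jdoe@gve.local src=10.20.1.17 result=success
2024-01-01T08:05:10Z vcenter sso: user=adm-jdoe@gve.local src=10.10.0.5 result=success
2024-01-01T09:12:44Z vcenter sso: user=adm-jdoe@gve.local src=10.20.1.17 result=failure
2024-01-01T09:12:49Z vcenter sso: user=adm-jdoe@gve.local src=10.20.1.17 result=failure
2024-01-01T09:12:55Z vcenter sso: user=adm-jdoe@gve.local src=10.20.1.17 result=failure
2024-01-01T09:13:02Z vcenter sso: user=cloudowner@gve.local src=10.20.1.17 result=success
"""

EVENT_RE = re.compile(
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>success|failure)"
)


def is_privileged(user):
    """True for cloudowner or any 'adm-' account in the gve.local SSO domain."""
    name, _, domain = user.rpartition("@")
    name = name.lower()
    return domain.lower() == SSO_DOMAIN and (
        name == "cloudowner" or name.startswith(PRIVILEGED_PREFIX)
    )


def parse_events(text):
    """Extract (user, src, result) dicts from the constructed log lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_alerts(text):
    """Return a list of (kind, user, src) tuples for suspicious privileged activity."""
    alerts = []
    failures = Counter()
    for ev in parse_events(text):
        if not is_privileged(ev["user"]):
            continue                      # everyday accounts are out of scope here
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:
                alerts.append(("repeated_failure",) + key)
        elif ev["src"] not in BASTION_HOSTS:
            # A successful privileged login that did not come via the bastion.
            alerts.append(("non_bastion_privileged_login",) + key)
    return alerts


if __name__ == "__main__":
    for kind, user, src in find_alerts(SAMPLE_EVENTS):
        print(f"{kind}: {user} from {src}")
```

On the sample data the rule raises two alerts: three consecutive failures for the separate admin account from a non-bastion workstation, and a successful cloudowner login from that same workstation. Both are exactly the signals the guidance says separate accounts and a bastion make visible.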
Limit connectivity from the Private Cloud's ESXi hosts to only the destinations that the required services need:
vMotion can be proxied through HCX for a controlled, secure channel.
IPFix data will originate from the SDDC ESXi hosts, and traffic should be restricted through the on-premises firewall to only the IPFix collectors.
Port Mirroring traffic also originates from the Private Cloud ESXi hosts in a GRE tunnel, and traffic should be restricted through the on-premises firewall to only the necessary ERSPAN destinations.
vSphere Replication traffic will originate from the SDDC ESXi hosts, and it should be restricted through the on-premises (or destination SDDC management gateway) firewall to only the vSphere Replication appliances where VMs are being protected.
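The three egress flows above (IPFix export, GRE-encapsulated port mirroring to ERSPAN destinations, and vSphere Replication) each have a small, known set of legitimate destinations, so they can be audited from firewall flow records. The following is an added example and not part of the Google Cloud VMware Engine guidance: it assumes a constructed ESXi subnet and constructed collector, ERSPAN and replication appliance addresses, and it uses the standard ports for these services (IPFIX on UDP/4739, ERSPAN inside GRE, IP protocol 47, and vSphere Replication on TCP/31031 and TCP/44046) which you should verify against your own deployment. The constructed flow lines stand in for your firewall's export format; vMotion proxied through HCX is outside this check.

```python
"""Audit flows sourced from Private Cloud ESXi hosts against a per-service allow-list.

Added example, not part of the Google Cloud VMware Engine guidance. Assumptions:
  * ESXi hosts live in ESXI_SUBNET (constructed),
  * service ports: IPFIX UDP/4739, ERSPAN carried in GRE (no port),
    vSphere Replication TCP/31031 and TCP/44046 (verify for your deployment),
  * flow records are constructed key=value lines; adapt parse_flow() to your
    firewall's flow export format.
"""
import ipaddress

ESXI_SUBNET = ipaddress.ip_network("10.100.0.0/24")   # constructed

# Allowed destinations per service (constructed addresses). GRE has no port.
ALLOWED = {
    "ipfix":       {"proto": "udp", "ports": {4739},         "dsts": {"10.50.0.10"}},
    "erspan":      {"proto": "gre", "ports": set(),          "dsts": {"10.50.0.20"}},
    "replication": {"proto": "tcp", "ports": {31031, 44046}, "dsts": {"10.60.0.30", "10.60.0.31"}},
}

# Constructed sample flow records (not real firewall output).
SAMPLE_FLOWS = """\
src=10.100.0.11 dst=10.50.0.10 proto=udp dport=4739
src=10.100.0.11 dst=10.50.0.99 proto=udp dport=4739
src=10.100.0.12 dst=10.50.0.20 proto=gre dport=-
src=10.100.0.12 dst=192.0.2.7 proto=gre dport=-
src=10.100.0.13 dst=10.60.0.30 proto=tcp dport=31031
src=10.100.0.13 dst=10.60.0.30 proto=tcp dport=22
src=10.20.1.17 dst=10.60.0.30 proto=tcp dport=31031
"""


def parse_flow(line):
    """Turn one 'key=value ...' record into a dict with typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "src": ipaddress.ip_address(fields["src"]),
        "dst": fields["dst"],
        "proto": fields["proto"].lower(),
        "dport": None if fields["dport"] == "-" else int(fields["dport"]),
    }


def classify(flow):
    """Return (service, verdict); verdict is 'allowed', 'wrong_destination'
    or 'unexpected_service'."""
    for name, rule in ALLOWED.items():
        if flow["proto"] != rule["proto"]:
            continue
        if rule["ports"] and flow["dport"] not in rule["ports"]:
            continue
        # Protocol/port match a known service: now check the destination.
        if flow["dst"] in rule["dsts"]:
            return name, "allowed"
        return name, "wrong_destination"
    return None, "unexpected_service"


def audit(text):
    """Return (src, dst, service, verdict) for every ESXi-sourced flow that is not allowed."""
    findings = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow["src"] not in ESXI_SUBNET:
            continue   # only flows originating from ESXi hosts are in scope
        service, verdict = classify(flow)
        if verdict != "allowed":
            findings.append((str(flow["src"]), flow["dst"], service, verdict))
    return findings


if __name__ == "__main__":
    for src, dst, service, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict}: {src} -> {dst} ({service or 'unknown'})")
```

Running it on the sample data reports an IPFix export to an unlisted collector, a GRE tunnel to an unlisted ERSPAN destination, and an SSH-port flow that matches no expected service at all; the replication flow from a non-ESXi source is ignored because the check scopes itself to ESXi-originated traffic, as the guidance does.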