Managing the day-to-day operations of the VMware Cloud on AWS SDDC should be relatively easy, especially if you’re already familiar with how permissions work in vCenter Server. However, there are a number of different types of credentials and consoles used in conjunction with VMware Cloud on AWS that you should familiarize yourself with.

Amazon Web Services

One of the credentials you’ll need for operating VMware Cloud on AWS is an AWS account. You will use this account to create a VPC in the region in which you wish to deploy your SDDC, followed by subnets within the Availability Zones (AZ). This also lets you integrate paid AWS services such as Amazon S3, Amazon EC2, etc. Within the SDDC Deployment wizard, you will link this account to your VMware Cloud on AWS service. While Amazon hosts this account, you own and manage this account through the AWS Services Console.

VMware Cloud Services

Secondly, you’ll need a VMware Cloud Services account. This account allows you to access the VMware Cloud on AWS SDDC console, as well as other VMware Cloud services such as VMware Network Insight, VMware Log Intelligence, and VMware HCX, to name a few. The VMware Cloud Services Console is how you will manage the organization, billing, identity, and access to VMware Cloud on AWS. VMware hosts this account, and you own and manage it through the Cloud Services Console.

Within VMware Cloud Services there are two types of roles – Organization Roles and Service Roles. Organization Roles give users access to the Cloud Services Console, while Service Roles provide different levels of access to various components within the Cloud Services you’re subscribed to.

VMware Cloud on AWS

VMware Cloud on AWS accounts are based on an Organization Name and ID; the very first user will need a valid MyVMware account. This account is used to create an Organization (Name and ID), and the initial user account used is set up as the Organization Owner. Within the organization, there are two types of Organization Roles – Organization Owner and Organization Member. An Organization Owner can add, remove, and modify users as well as access VMware Cloud Services. There can be multiple owners. Organization Members can access Cloud Services, but cannot add, remove, or modify users.

Within the Cloud Services Console, you can assign specific service roles to organization members. For example, the VMware Cloud on AWS service allows you to assign roles such as Administrator, Administrator (Delete Restricted), NSX Cloud Auditor, and NSX Cloud Admin roles.

Just as it is a best practice to limit access to the vSphere Client, it is also a best practice to limit access to the Cloud Services and SDDC console. Users requiring access to the vSphere Client do not necessarily require access to the Cloud Services and SDDC console. Only users who are responsible for the entire SDDC or NSX components (VPN, Firewall, etc.) should have access.

It is best practice to configure Hybrid Linked Mode and grant access through security groups and vCenter roles.

vCenter Roles

From an administration perspective, your on-premises vCenter environment likely has Active Directory security groups assigned to the vCenter Administrator role, and administrators have access to administrator@vsphere.local. This is not the case within VMware Cloud on AWS – there will be no access to the default Administrator role or administrator@vsphere.local.

There are two new admin roles:

  • CloudAdmin Role: The CloudAdmin role has the necessary privileges for you to create and modify vCenter objects in your SDDC (virtual machines, resource pools, datastores, and networks) as well as delegate access to others in the organization to be cloud administrators. However, you cannot access or configure certain management components that are supported and managed by VMware, such as hosts, clusters, and management virtual machines.
  • CloudGlobalAdmin Role: The CloudGlobalAdmin role is associated with global privileges and allows you to create and manage Content Library objects, Tagging, Storage Profiles, etc.

Flexible Permissions Model for Role-Based Access

Users assigned the CloudAdmin role have the ability to create custom roles to provide more granular, or restricted, role-based access to vCenter objects in your SDDC. This feature allows you to apply these permissions at any level of the inventory tree, while still protecting the management objects. For example, a user with the CloudAdmin role could create a new role providing certain users with read-only access to a folder of VMs rather than having the ability to modify or delete those VMs.
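The read-only-folder scenario above, as an added PowerCLI example that is not part of this VMware documentation page: a user holding the CloudAdmin role builds a custom role from only the three vSphere system privileges (the same set the built-in Read-only role carries), grants it to one directory group on one VM folder, and then lists the folder's permissions to confirm nothing broader was granted. The vCenter FQDN, the folder name, and the group name are placeholders you replace with your own values, and the cmdlets are assumed to come from an installed VMware.PowerCLI module.

```powershell
# Added example, not VMware's own code: least-privilege read-only access to one VM folder.
# Run as a user who holds the CloudAdmin role in the SDDC vCenter.
Import-Module VMware.PowerCLI

$vcenter   = 'vcenter.sddc-PLACEHOLDER.example'   # placeholder: your SDDC vCenter FQDN
$folder    = 'Finance-VMs'                        # placeholder: the VM folder to expose read-only
$principal = 'corp.example.com\VM-Viewers'        # placeholder: a group from your LDAP/AD identity source
$roleName  = 'VMFolder-ReadOnly'

# Prompt for CloudAdmin credentials rather than embedding them in the script
Connect-VIServer -Server $vcenter -Credential (Get-Credential) | Out-Null

# Create the role only if it does not already exist, so the script is safe to re-run
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    # System.Anonymous, System.View and System.Read allow browsing and reading inventory
    # objects but grant no power on, edit, delete or migrate rights
    $readOnly = Get-VIPrivilege -Id 'System.Anonymous', 'System.View', 'System.Read'
    $role = New-VIRole -Name $roleName -Privilege $readOnly
}

# Scope the grant to the folder (and, with Propagate, the VMs inside it) instead of the root
$target = Get-Folder -Name $folder -Type VM
New-VIPermission -Entity $target -Principal $principal -Role $role -Propagate $true | Out-Null

# Verify: every principal, role and propagation flag now effective on this folder
Get-VIPermission -Entity $target | Select-Object Principal, Role, Propagate

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

Granting at the folder rather than at the datacenter or root keeps the VMware-managed management objects out of reach, which is the point of the flexible permissions model; the final `Get-VIPermission` listing is the check worth keeping in a change record.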

Identity Sources

VMware Cloud on AWS supports OpenLDAP and Microsoft Active Directory over LDAP as identity sources. Multiple identity sources are supported. Ensure DNS is configured for your management gateway so that it can resolve the FQDN of the identity source. For more information on configuring DNS, see Set a Compute Gateway DNS.

Audit Quality Logging

VMware is the internal operator with the administrator ownership and is responsible for audit, compliance, and troubleshooting the infrastructure. The customer cloud administrator is responsible for virtual machine troubleshooting and the auditing of operations they perform on the Cloud SDDC.
