This post pulls together the notes I made while planning a VMware Cloud (VMC) on AWS (Amazon Web Services) deployment and the migration of virtual machines from traditional on-premise vSphere infrastructure. It is intended as a list of considerations and not a comprehensive guide.
Capacity Planning
At the time of writing up to 10 SDDCs can be deployed per organisation, each SDDC supporting up to 10 vSphere clusters and each cluster up to 16 physical nodes.
The standard I3 bare metal instance currently offers 2 sockets, 36 cores, 512 GiB RAM, and 10.7 TB vSAN storage. A 16-node cluster therefore provides 32 sockets, 576 cores, 8192 GiB RAM, and 171.2 TB of storage.
New R5 metal instances are deployed with 2.5 GHz Intel Platinum 8000 series (Skylake-SP) processors; 2 sockets, 48 cores, 768 GiB RAM and AWS Elastic Block Storage (EBS) backed capacity scaling up to 105 TB for 3-node resources and 560 TB for 16-node resources.
When deciding on the number of hosts to deploy in the SDDC, consider the pay-as-you-go pricing model and the ability to scale out later on demand, either manually or using Elastic DRS, which can be optimised for performance or cost.
The What-If analysis in both vRealize Business and vRealize Operations can help with capacity planning and cost comparisons for migrations to VMware Cloud on AWS. Use Network Insight to understand network egress costs and application topology in your current environment. If you are not licensed for these products download the free trial from VMware.
Migration Planning
If possible your migration team should be made up of the following: Infrastructure administrators for compute, storage, network, and data protection. Networking and Security teams for security and compliance. Application owners for applications, development, and lifecycle management. Support and Operations for automation, lifecycle, and change management.
Group services together based on downtime tolerance, as this could determine how the workload is moved: prolonged downtime, minimal downtime, and zero downtime.
Virtual machines can follow a 'lift and shift' model from traditional vSphere by enabling vMotion between the on-premise vCenter Server and VMC. HCX can stretch L2 subnets into VMC for seamless migration of workloads.
There are additional requirements for hybrid linked mode if you are looking to vMotion machines into VMC, see here for full details.
Consider migration paths for any physical workloads, whether that be P2V, AWS Bare Metal instances, or co-locating equipment.
Consider any load balancing and edge security requirements. The AWS Elastic Load Balancer (ELB) can be used or alternative third party options can be deployed through virtual appliances. NSX load balancing as a service in VMC is planned for future releases.
You will likely still need Active Directory, DNS, DHCP, and time synchronisation, so use native cloud services where possible, or migrate these services as VMs to VMC on AWS.
Remember Disaster Recovery (DR) still needs to be factored in. DR as a Service (DRaaS) is offered through Site Recovery Manager (SRM) between regions in the cloud or on-premise.
Make sure any existing monitoring tools are compatible with the new environment and think about integrating cloud monitoring and management with new or existing external tools.
Move backup tooling to the cloud and perform full backups initially to create a new baseline. Consider native cloud backup products that will back up straight to S3, or traditional backup methods that connect into vCenter. The reference architecture below has been updated to include Elastic Block Storage (EBS) backed Elastic Compute Cloud (EC2) instances running Veeam, which will back up virtual machines from the VMC vCenter into Simple Storage Service (S3) and Glacier.
Question 1
Lockdown Mode has been enabled on an ESXi 6.x host and users are restricted from logging into the Direct Console User Interface (DCUI).
Which two statements are true given this configuration? (Choose two.)
A: A user granted administrative privileges in the Exception User list can login.
B: A user defined in the DCUI.Access without administrative privileges can login.
C: A user defined in the ESXi Admins domain group can login.
D: A user set to the vCenter Administrator role can login.
Correct Answer: AB
In normal lockdown mode the DCUI service is not stopped. If the connection to the vCenter Server is lost and access through the vSphere Web Client is no longer available, privileged accounts can log in to the ESXi host's Direct Console Interface and exit lockdown mode. Only these accounts can access the Direct Console User Interface:
Accounts in the Exception User list for lockdown mode who have administrative privileges on the host. The Exception Users list is meant for service accounts that perform very specific tasks. Adding ESXi administrators to this list defeats the purpose of lockdown mode.
Users defined in the DCUI.Access advanced option for the host. This option is for emergency access to the Direct Console Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.
Question 2
Strict Lockdown Mode has been enabled on an ESXi host.
Which action should an administrator perform to allow ESXi Shell or SSH access for users with administrator privileges?
A: Grant the users the administrator role and enable the service.
B: Add the users to Exception Users and enable the service.
C: No action can be taken, Strict Lockdown Mode prevents direct access.
D: Add the users to vsphere.local and enable the service.
Correct Answer: B
Strict Lockdown mode:
In strict lockdown mode the DCUI service is stopped. If the connection to vCenter Server is lost and the vSphere Web Client is no longer available, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users are defined. If you cannot restore the connection to the vCenter Server system, you have to reinstall the host.
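The access rules from Questions 1 and 2 can be turned into a pre-change check that flags hosts which would have no way back in if vCenter Server is lost. This is an added example, not VMware code: the `Host` record, its field names, the account names and the approved service-account list are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Host:  # constructed inventory record; field names are hypothetical
    name: str
    mode: str                                            # "normal" or "strict"
    exception_users: dict = field(default_factory=dict)  # user -> has admin privileges
    dcui_access: set = field(default_factory=set)        # DCUI.Access advanced option
    shell_or_ssh: bool = False                           # ESXi Shell or SSH enabled

def recovery_accounts(host):
    """(channel, user) pairs that still work when vCenter Server is unreachable."""
    admins = {u for u, is_admin in host.exception_users.items() if is_admin}
    if host.mode == "strict":
        # DCUI is stopped: only Exception Users over an enabled Shell/SSH service
        # (assumed here to need admin privileges, as in Question 2).
        return {("shell/ssh", u) for u in admins} if host.shell_or_ssh else set()
    # Normal mode: DCUI stays up; DCUI.Access users need no admin privileges.
    return {("dcui", u) for u in admins | host.dcui_access}

def audit(host, service_accounts):
    """Return findings for one host; service_accounts is the approved list."""
    findings = []
    if not recovery_accounts(host):
        findings.append("no recovery path if vCenter is lost")
    # Exception Users are meant for service accounts, not ESXi administrators.
    for user in sorted(set(host.exception_users) - set(service_accounts)):
        findings.append(f"exception user '{user}' is not an approved service account")
    return findings

# Constructed sample hosts.
HOSTS = [
    Host("esx01", "normal", {"svc-backup": True}, {"breakglass"}),
    Host("esx02", "strict", {"svc-backup": True, "alice": True}, shell_or_ssh=True),
    Host("esx03", "strict", {"svc-backup": True}, {"breakglass"}),
]

if __name__ == "__main__":
    for h in HOSTS:
        print(h.name, sorted(recovery_accounts(h)), audit(h, {"svc-backup"}))
```

On the sample data, esx03 is the host that would need a reinstall: strict mode stops the DCUI, so its DCUI.Access entry no longer helps, and neither ESXi Shell nor SSH is enabled.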
Question 3
A common root user account has been configured for a group of ESXi 6.x hosts.
Which two steps should be taken to mitigate security risks associated with this configuration? (Choose two.)
A: Remove the root user account from the ESXi host.
B: Set a complex password for the root account and limit its use.
C: Use ESXi Active Directory capabilities to assign users the administrator role.
D: Use Lockdown mode to restrict root account access.
Correct Answer: BC
root User Privileges
By default each ESXi host has a single root user account with the Administrator role. That root user account can be used for local administration and to connect the host to vCenter Server.
This common root account can make it easier to break into an ESXi host and make it harder to match actions to a specific administrator.
Set a highly complex password for the root account and limit the use of the root account, for example, for use when adding a host to vCenter Server. Do not remove the root account. In vSphere 5.1 and later, only the root user and no other named user with the Administrator role is permitted to add a host to vCenter Server.
Best practice is to ensure that any account with the Administrator role on an ESXi host is assigned to a specific user with a named account. Use ESXi Active Directory capabilities, which allow you to manage Active Directory credentials if possible.
Question 4
An administrator wants to configure an ESXi 6.x host to use Active Directory (AD) to manage users and groups. The AD domain group ESX Admins is planned for administrative access to the host.
Which two conditions should be considered when planning this configuration? (Choose two.)
A: If administrative access for ESX Admins is not required, this setting can be altered.
B: The users in ESX Admins are not restricted by Lockdown Mode.
C: An ESXi host provisioned with Auto Deploy cannot store AD credentials.
D: The users in ESX Admins are granted administrative privileges in vCenter Server.
Correct Answer: AC
Configure a Host to Use Active Directory
You can configure a host to use a directory service such as Active Directory to manage users and groups.
When you add an ESXi host to Active Directory the DOMAIN group ESX Admins is assigned full administrative access to the host if it exists. If you do not want to make full administrative access available, see VMware Knowledge Base article 1025569 for a workaround.
If a host is provisioned with Auto Deploy, Active Directory credentials cannot be stored on the hosts. You can use the vSphere Authentication Proxy to join the host to an Active Directory domain. Because a trust chain exists between the vSphere Authentication Proxy and the host, the Authentication Proxy can join the host to the Active Directory domain. See Using vSphere Authentication Proxy.
Question 5
Which two advanced features should be disabled for virtual machines that are only hosted on a vSphere system? (Choose two.)
Disable Unexposed Features
VMware virtual machines are designed to work on both vSphere systems and hosted virtualization platforms such as Workstation and Fusion. Certain VMX parameters do not need to be enabled when you run a virtual machine on a vSphere system. Disable these parameters to reduce the potential for vulnerabilities.
Prerequisites
Turn off the virtual machine.
Procedure
Question 6
To reduce the attack vectors for a virtual machine, which two settings should an administrator set to false? (Choose two.)
Removing Unnecessary Hardware Devices
Any enabled or connected device represents a potential attack channel. Users and processes without privileges on a virtual machine can connect or disconnect hardware devices, such as network adapters and CD-ROM drives. Attackers can use this capability to breach virtual machine security. Removing unnecessary hardware devices can help prevent attacks.
Question 7
Which two groups of settings should be reviewed when attempting to increase the security of virtual machines (VMs)? (Choose two.)
A: Disable hardware devices
B: Disable unexposed features
C: Disable VMtools devices
D: Disable VM Template features
Correct Answer: AB
Securing Virtual Machines
The guest operating system that runs in the virtual machine is subject to the same security risks as a physical system. Secure virtual machines as you would secure physical machines.
Subtopics
General Virtual Machine Protection
Configuring Logging Levels for the Guest Operating System
Limiting Exposure of Sensitive Data Copied to the Clipboard
Disable Unexposed Features
Limiting Guest Operating System Writes to Host Memory
Removing Unnecessary Hardware Devices
Prevent a Virtual Machine User or Process from Disconnecting Devices
Prevent a Virtual Machine User or Process from Disconnecting Devices in the vSphere Web Client
Question 8
Which password meets ESXi 6.x host password requirements?
A: 8kMVnn2x!
B: zNgtnJBA2
C: Nvgt34kn44
D: !b74wr
Correct Answer: A
ESXi Passwords
By default, ESXi enforces requirements for user passwords.
Your user password must meet the following length requirements.
Passwords containing characters from one or two character classes must be at least eight characters long.
Passwords containing characters from three character classes must be at least seven characters long.
Passwords containing characters from all four character classes must be at least six characters long.
When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as an underscore or dash.
The password cannot contain the words root, admin, or administrator in any form.
Question 9
An administrator would like to use a passphrase for their ESXi 6.x hosts which has these characteristics:
Minimum of 21 characters
Minimum of 2 words
Which advanced options must be set to allow this passphrase configuration to be used?
B-) ESXi Passwords and Account Lockout
For ESXi hosts, you have to use a password with predefined requirements. You can change the required length and character class requirement or allow passphrases using the Security.PasswordQualityControl advanced option. ESXi uses the Linux PAM module pam_passwdqc for password management and control. See the manpages for pam_passwdqc for detailed information.
ESXi Passwords: ESXi enforces password requirements for direct access from the Direct Console User Interface, the ESXi Shell, SSH, or the vSphere Client. When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore or dash.
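To show how a Security.PasswordQualityControl value is read, the following added example (not VMware or pam_passwdqc code) parses the `min=` and `passphrase=` options and classifies candidates. The policy string and sample passwords are constructed, and the model is simplified: it follows the pam_passwdqc man page for length, character classes and word count only, and omits the dictionary, similarity and distinct-character checks.

```python
import re
import string

# Constructed value for illustration (not taken from the page): a passphrase of
# at least 21 characters and 2 words, or a 7+ character password with 3-4 classes.
POLICY = "retry=3 min=disabled,disabled,21,7,7 passphrase=2"

def parse_policy(option):
    """Parse a pam_passwdqc option string such as Security.PasswordQualityControl."""
    policy = {"min": None, "passphrase": 3}  # passphrase=3 is the pam_passwdqc default
    for token in option.split():
        key, _, value = token.partition("=")
        if key == "min":
            # Order is N0,N1,N2,N3,N4: 1 class, 2 classes, passphrase, 3 classes, 4 classes.
            policy["min"] = [None if v == "disabled" else int(v) for v in value.split(",")]
        elif key == "passphrase":
            policy["passphrase"] = int(value)
    if policy["min"] is None or len(policy["min"]) != 5:
        raise ValueError("min= must list five values: N0,N1,N2,N3,N4")
    return policy

def char_classes(pw):
    """Count classes; a leading uppercase letter and a trailing digit do not count."""
    sets = [string.digits, string.ascii_lowercase, string.ascii_uppercase]
    counts = [sum(c in s for c in pw) for s in sets]
    counts.append(len(pw) - sum(counts))          # everything else is "other"
    if pw and pw[0] in string.ascii_uppercase:
        counts[2] -= 1
    if pw and pw[-1] in string.digits:
        counts[0] -= 1
    return max(1, sum(n > 0 for n in counts))

def accepted_as(pw, option=POLICY):
    """Return 'passphrase', 'password' or None for a candidate under the policy."""
    policy = parse_policy(option)
    n0, n1, n2, n3, n4 = policy["min"]
    words = len(re.findall(r"[A-Za-z]+", pw))     # a word is a run of letters
    if n2 is not None and policy["passphrase"] and words >= policy["passphrase"] \
            and len(pw) >= n2:
        return "passphrase"
    need = {1: n0, 2: n1, 3: n3, 4: n4}[char_classes(pw)]
    if need is not None and len(pw) >= need:
        return "password"
    return None
```

A candidate such as `Summer2024` is rejected under this policy even though it looks like three classes, because the leading capital and the trailing digit are not counted.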
Question 10
Which Advanced Setting should be created for the vCenter Server to change the expiration policy of the vpxuser password?