Security Configurations Not Applicable or Not Compatible with VMware Cloud Foundation
Typical configuration guidelines apply to standalone implementations of VMware products. When these products are part of VMware Cloud Foundation, some configurations might not be applicable or might not be compatible with VMware Cloud Foundation. Do not implement these configurations. You can find mitigation steps for the configurations in the VMware Cloud Foundation Audit Guide Appendix.

Product | Configuration | Context for Excluding Configuration |
---|---|---|
vCenter Server | vCenter Server must be isolated from the public Internet but must still allow for patch notifications and delivery. VMW-VC-01231 | Never apply patches to vCenter Server manually, through VMware vSphere Update Manager, or through VMware vCenter Lifecycle Manager in a VMware Cloud Foundation environment unless directed to do so by support. Patching the environment without using SDDC Manager might cause problems with automated upgrades or actions in the future. |
ESXi | ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory. VMW-ESXI-00115 | VMware Cloud Foundation does not use host profiles to join ESXi hosts to Active Directory. |