Best Practices for Operating VMware Cloud Foundation

For flawless and non-disruptive operations, such as password management, backup and restore, certificate management, and license management, and for optimal performance of your VMware Cloud Foundation environment, you can follow certain best practices based on industry expertise and previous successful experiences.

Applying Security Policies

As part of your VMware Cloud Foundation environment deployment and operation, you include security considerations according to risk assessment, legal requirements, industry best practices, and the objectives of your organization.

Example Security Considerations When Operating VMware Cloud Foundation

Area: Telemetry
More Information: Join the Customer Experience Improvement Program ("CEIP") to share technical information with VMware about the use of VMware products by your organization. See Configure the Customer Experience Improvement Program Settings for VMware Cloud Foundation.

Area: Passwords
More Information:
  • Password complexity
  • Password expiration
  • Account lockout

Area: Users and roles
More Information:
  • Implement role-based access control.
  • Limit the use of local accounts, whether for interactive access, API access, or solution integration.
  • Limit the scope and privileges of accounts used for interactive access, API access, or solution integration.
  • Assign Active Directory security groups to default or custom roles, as applicable, for interactive or API access to solution components based on your organization's business and security requirements.
See Managing Users and Groups in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.

Area: Certificates
More Information:
  • Certificate authority
  • Custom certificates
See Managing Certificates in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.

Area: Backups
More Information:
  • Backup configuration
  • Backup schedules
  • Backup retention intervals
See Backup and Restore of VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.

Password Operations

Certain measures enhance the security setup of your VMware Cloud Foundation environment.
  • Monitoring passwords ensures compliance, access control, and risk mitigation in your VMware Cloud Foundation environment.
  • Password policies, including complexity, expiration, and account lockout, enforce secure practices.
  • Password complexity requirements enhance password strength, expiration prompts regular updates, and account lockout prevents unauthorized access attempts.

Best Practices for Password Operations in VMware Cloud Foundation

Operation: Set or update password policies.
When or How Often:
  • After management domain deployment.
  • After VI workload domain deployment.
  • After adding a vSphere cluster.
  • After expanding a vSphere cluster.
  • If the password policies of your organization are updated.
Description: Configure password policies of the management components of VMware Cloud Foundation manually for each component or in an automated way by using the VMware.CloudFoundation.PasswordManagement PowerShell module. See Password Policy Configuration for VMware Cloud Foundation.
For password policy configuration of products that are not part of the VMware Cloud Foundation automation, follow their product documentation.

Operation: Monitor account password expiration.
When or How Often: Once a week or according to the policy of your organization.
Description: The SDDC Manager UI shows a notification for account passwords managed by SDDC Manager that are expiring in the next 14 days.
To create and run health checks for your VMware Cloud Foundation environment, use VMware Skyline Health Diagnostics. See Proactive Diagnostics of VMware Cloud Foundation with Skyline Health Diagnostics.
To monitor the account passwords managed by SDDC Manager by using custom dashboards, alerts, and notifications in vRealize Operations, use the open-source Python module for VMware Cloud Foundation health monitoring. See the Health Monitoring for VMware Cloud Foundation validated solution.
To generate a point-in-time health report for your VMware Cloud Foundation environment, use the open-source PowerShell module for VMware Cloud Foundation health reporting. See Generating a Health Report in the documentation of the module.

Operation: Enable account password auto-rotation (schedule rotation).
When or How Often:
  • After management domain deployment.
  • After VI workload domain deployment.
Description: To enable password auto-rotation for an account in a management component, use the SDDC Manager UI. See Managing Passwords in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.
To automate enabling auto-rotation for an account, use the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation.
You can integrate a third-party or custom utility that uses the VMware Cloud Foundation API for password rotation. See Credentials in the VMware Cloud Foundation API reference documentation.

Operation: Rotate or update an account password.
When or How Often:
  • Before the account password expires.
  • Over a regular interval.
  • Upon an event:
    • When the policies of your organization are changed.
    • When a privileged user is leaving the organization.
Description: The following options for password rotation exist:
  • Rotate passwords for accounts in the components managed by SDDC Manager. SDDC Manager sets a randomly generated password according to the password complexity it supports. See Managing Passwords in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.
  • Update the passwords of accounts in the SDDC Manager appliance and local account (API) passwords. See Updating SDDC Manager Passwords in the VMware Cloud Foundation Administration Guide.
To automate the rotation of account passwords, use the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation.
To automate the rotation of account passwords by using PowerShell, use the Get-VCFCredential and Set-VCFCredential cmdlets in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Documentation.

Operation: Remediate an account password.
When or How Often: If a password has expired.
Description: To remediate a password, use the SDDC Manager UI. See Remediate Passwords in the VMware Cloud Foundation Administration Guide.
If you try to rotate an expired password, the task might fail. You must cancel, or resolve and retry, the failed password management tasks in the SDDC Manager UI.
You can automate password remediation by using the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation.
To automate password remediation by using PowerShell, use the Get-VCFCredential and Set-VCFCredential cmdlets in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Documentation.

Operation: Look up account credentials.
When or How Often: If you must log in using an account managed by SDDC Manager.
Description: To look up account credentials manually, use the lookup_passwords command in the SDDC Manager appliance. See Look Up Account Credentials in the VMware Cloud Foundation Administration Guide.
You can automate password retrieval by using the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation.
To automate credential retrieval by using PowerShell, use the Get-VCFCredential cmdlet in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Documentation.

Operation: Reset a password.
When or How Often: If a lost account password cannot be retrieved from SDDC Manager or other secure storage.
Description: See the following documentation:
If the account password is managed by SDDC Manager, after the reset operation is complete, follow the guidelines for remediating passwords in this table.
You cannot reset a lost ESXi root password. You must remove the ESXi host from the SDDC Manager inventory and reinstall ESXi.

If a password management operation in SDDC Manager fails, you see a message on the Security > Password Management page. Such a failed operation might hold a lock that blocks other operations in SDDC Manager. To release the lock, click Cancel in the message dialog box, or resolve the issue and click Retry.
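The expiration check and the rotate-versus-remediate decision from the table above, as an added Python example that is not VMware's code and not part of the PowerShell module. It assumes the credential listing has the shape of a GET /v1/credentials response (the field names resource.resourceName, resource.resourceType, credentialType, username and expiry.expiryDate are assumptions) and that PATCH /v1/credentials accepts an operationType of ROTATE; the sample listing, host names and the reference date are constructed. The block only builds the request body; sending it needs an SDDC Manager API token and is left out.

```python
"""Find SDDC Manager-managed credentials that expire within a window and
build the rotation request for the ones that have not yet expired.
Added example, not VMware code; API field names are assumptions."""
from datetime import datetime, timedelta, timezone

REFERENCE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)   # constructed 'today'

# Constructed sample shaped like a GET /v1/credentials listing (assumed shape).
SAMPLE_CREDENTIALS = {
    "elements": [
        {"credentialType": "SSH", "username": "root",
         "resource": {"resourceName": "esxi-01.example.local", "resourceType": "ESXI"},
         "expiry": {"expiryDate": "2025-03-10T00:00:00.000Z"}},
        {"credentialType": "SSH", "username": "root",
         "resource": {"resourceName": "esxi-02.example.local", "resourceType": "ESXI"},
         "expiry": {"expiryDate": "2025-02-20T00:00:00.000Z"}},   # already expired
        {"credentialType": "API", "username": "admin",
         "resource": {"resourceName": "nsx-mgmt.example.local", "resourceType": "NSXT_MANAGER"},
         "expiry": {"expiryDate": "2025-06-30T00:00:00.000Z"}},
        {"credentialType": "SSO", "username": "administrator@vsphere.local",
         "resource": {"resourceName": "vc-mgmt.example.local", "resourceType": "VCENTER"},
         "expiry": {}},   # no expiry reported, e.g. connectivity check not yet run
    ]
}


def parse_iso8601(value):
    """Parse the API's UTC timestamps, which end in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expiring_credentials(listing, now, within_days=14):
    """Return (resourceName, username, days_left) for every credential whose
    expiry falls on or before now + within_days; already-expired entries have
    a negative days_left. Entries without an expiry date are skipped here; a
    real monitor should report them as 'unknown' rather than silently pass."""
    horizon = now + timedelta(days=within_days)
    hits = []
    for cred in listing.get("elements", []):
        expiry = cred.get("expiry", {}).get("expiryDate")
        if not expiry:
            continue
        when = parse_iso8601(expiry)
        if when <= horizon:
            hits.append((cred["resource"]["resourceName"],
                         cred["username"], (when - now).days))
    return sorted(hits, key=lambda hit: hit[2])


def split_by_state(hits):
    """Expired passwords go through remediation, not rotation: a rotate task
    on an expired password is likely to fail. Return (to_remediate, to_rotate)."""
    to_remediate = [hit for hit in hits if hit[2] < 0]
    to_rotate = [hit for hit in hits if hit[2] >= 0]
    return to_remediate, to_rotate


def build_rotate_request(listing, to_rotate):
    """Build the PATCH /v1/credentials body (assumed shape) that asks SDDC
    Manager to rotate the given accounts. SDDC Manager generates the new
    passwords itself, so no secret appears in the request."""
    by_key = {(c["resource"]["resourceName"], c["username"]): c
              for c in listing.get("elements", [])}
    elements = []
    for resource_name, username, _ in to_rotate:
        cred = by_key[(resource_name, username)]
        elements.append({
            "resourceName": resource_name,
            "resourceType": cred["resource"]["resourceType"],
            "credentials": [{"credentialType": cred["credentialType"],
                             "username": username}],
        })
    return {"operationType": "ROTATE", "elements": elements}


def run_check(listing=SAMPLE_CREDENTIALS, now=REFERENCE_NOW):
    """Return (to_remediate, to_rotate, rotate_request) for the listing."""
    remediate, rotate = split_by_state(expiring_credentials(listing, now))
    return remediate, rotate, build_rotate_request(listing, rotate)


if __name__ == "__main__":
    remediate, rotate, request = run_check()
    for name, user, days in remediate:
        print(f"REMEDIATE {name} {user}: expired {-days} day(s) ago")
    for name, user, days in rotate:
        print(f"ROTATE    {name} {user}: {days} day(s) left")
    print(request)
```

The 14-day window matches the SDDC Manager UI notification; the split keeps expired accounts out of the rotate request because, as the table notes, rotating an expired password may fail and then leaves a task to cancel or retry.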

License Operations

When deploying management components, VMware Cloud Foundation requires access to valid license keys. You add license keys to the SDDC Manager inventory so that they can be consumed at deployment time, but they are not synchronized between SDDC Manager and the underlying components.

Best Practices for License Operations in VMware Cloud Foundation

Operation: Add licenses.
Licensing Model: Key-based
When or How Often: Insufficient license capacity for expanding an environment.
Description: To add license keys manually, use the SDDC Manager UI. See Managing License Keys in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.
You can automate adding license keys by using the VMware Cloud Foundation API. See License Keys in the VMware Cloud Foundation API reference documentation.
To automate adding license keys by using PowerShell, use the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Documentation.

Operation: Replace expired licenses.
Licensing Model: Key-based
When or How Often: A license has expired or is expiring.
Description: You must update or delete the license key. You have the same management options as when adding licenses.

Operation: Replace existing licenses.
Licensing Model: Key-based
When or How Often: You upgrade product licenses to a higher edition.
Description: You must update the license keys. You have the same management options as when adding licenses.

Operation: Monitor licenses.
Licensing Model: Key-based
When or How Often: Once a week.
Description: The SDDC Manager UI shows an alert if a license is expiring in the next 30 days.
SDDC Manager pulls license information from managed products to determine whether they are using a license that is in the SDDC Manager inventory. The SDDC Manager UI shows license usage on the Administration > Licensing page.

Operation: Update to subscription-based licensing.
Licensing Model: Keyless
When or How Often: Licenses are transitioned from key-based mode for perpetual and term licenses to a keyless mode for cloud-connected subscription to VMware Cloud Foundation+.
Description: You can update from key-based to keyless licensing.
To transition back to key-based licensing mode, you must re-deploy your VMware Cloud Foundation environment.

Certificate Operations

By actively managing certificates in VMware Cloud Foundation, organizations can maintain secure communication, establish trust, protect sensitive data, meet compliance requirements, and respond effectively to certificate-related incidents or vulnerabilities.

Best Practices for Certificate Operations in VMware Cloud Foundation

Operation: Replace self-signed certificates.
When or How Often:
  • After management domain deployment.
  • After VI workload domain deployment by using SDDC Manager.
Description: You can upload custom certificates to ESXi hosts manually on each host or in an automated way by using the VMware.CloudFoundation.CertificateManagement PowerShell module. See ESXi Certificate Management for VMware Cloud Foundation.
  • If you have deployed the management domain on ESXi hosts with external certificates, use ESXi hosts with custom certificates for the whole environment.
  • If you have switched to using ESXi hosts with external certificates in the management domain, all ESXi hosts in new workload domains must use external certificates.
  • If you replaced the certificate for a VMware Cloud Foundation component outside of SDDC Manager, add the certificate to the SDDC Manager trust store. See Managing Certificates in VMware Cloud Foundation.

Operation: Replace signed certificates from a trusted certificate authority.
When or How Often:
  • After management domain deployment.
  • After VI workload domain deployment.
  • The key length must be modified.
  • A certificate has expired or its expiration date is close.
  • The certificate authority or the private key has been compromised.
  • A certificate has been revoked by the issuing certificate authority.
Description: Follow the same guidelines as when replacing self-signed certificates.

Operation: Identify expiring certificates.
When or How Often: At least once a month.
Description: The SDDC Manager UI shows an alert if a certificate is expiring.
To create and run health checks for your VMware Cloud Foundation environment, use VMware Skyline Health Diagnostics.
To monitor the expiring certificates managed by SDDC Manager by using custom dashboards, alerts, and notifications in vRealize Operations, use the open-source Python module for VMware Cloud Foundation health monitoring. See the Health Monitoring and Reporting for VMware Cloud Foundation validated solution.
To generate a point-in-time health report for your VMware Cloud Foundation environment, use the open-source PowerShell module for VMware Cloud Foundation health reporting. See Generating a Health Report in the documentation of the module.

Operation: Replace expired certificates.
When or How Often: The certificate of a management component that is managed by SDDC Manager has expired.
Description: For step-by-step information about replacing expired certificates managed by SDDC Manager, see below.
For information about replacing expired certificates of management components not included in the SDDC Manager automation, see the relevant product documentation.
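The "Identify expiring certificates" check from the table above, as an added Python example that is not VMware's code and not the open-source health-monitoring module. It works on certificates in the dict form that ssl.SSLSocket.getpeercert() returns, classifies each as ok, expiring or expired against an assumed 30-day threshold, and records a failed TLS handshake (which is what an expired or untrusted certificate produces when verification stays on) as a finding. The host names, dates and threshold are constructed; the live fetch path is real stdlib code but the offline run uses the constructed certificates.

```python
"""Classify management component TLS certificates by days to expiry.
Added example, not VMware code. Certificates use the dict form that
ssl.SSLSocket.getpeercert() returns; FQDNs, dates and the threshold are
constructed placeholders."""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30                                                       # assumed alert threshold
REFERENCE_NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)     # constructed 'today'

# Constructed certificates; a real getpeercert() dict also carries subject,
# issuer, serialNumber and subjectAltName, which this check does not need.
SAMPLE_CERTS = {
    "sddc-manager.example.local": {"notAfter": "Jun 30 12:00:00 2025 GMT"},
    "vc-mgmt.example.local":      {"notAfter": "Mar 20 12:00:00 2025 GMT"},
    "nsx-mgmt.example.local":     {"notAfter": "Feb  1 12:00:00 2025 GMT"},
}


def days_until_expiry(cert, now):
    """'notAfter' uses the 'Mon DD HH:MM:SS YYYY GMT' form that
    ssl.cert_time_to_seconds() parses; a negative result means expired."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    not_after = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return (not_after - now).days


def classify(cert, now, warn_days=WARN_DAYS):
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "expiring"
    return "ok"


def fetch_peer_cert(fqdn, port=443, timeout=5.0):
    """Fetch the live certificate with verification left on. An expired or
    untrusted certificate fails the handshake, which the audit records as a
    finding instead of turning verification off just to read the dates."""
    context = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()


def audit_endpoints(fqdns, now, fetch=fetch_peer_cert):
    """Return {fqdn: (state, days_left)}. `fetch` is injectable so the audit
    can run offline against the constructed certificates above."""
    results = {}
    for fqdn in fqdns:
        try:
            cert = fetch(fqdn)
        except OSError:            # ssl.SSLError and socket errors are OSError subclasses
            results[fqdn] = ("handshake_failed", None)
            continue
        results[fqdn] = (classify(cert, now), days_until_expiry(cert, now))
    return results


def offline_fetch(fqdn):
    """Stand-in for fetch_peer_cert that serves the constructed certificates
    and simulates an unreachable host for unknown names."""
    if fqdn not in SAMPLE_CERTS:
        raise OSError(f"no route to host {fqdn}")
    return SAMPLE_CERTS[fqdn]


def run_offline_audit(now=REFERENCE_NOW):
    targets = list(SAMPLE_CERTS) + ["missing.example.local"]
    return audit_endpoints(targets, now, fetch=offline_fetch)


if __name__ == "__main__":
    for fqdn, (state, days) in run_offline_audit().items():
        print(f"{fqdn:30} {state:17} {days}")
```

A handshake_failed result for a host that was fine last week is itself the signal to follow the expired-certificate procedures in this section; the audit deliberately does not disable verification, so it never reports an expired certificate as merely "expiring".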

Order of Replacing Expired Certificates for a Workload Domain

If the certificates of multiple management components have expired, replace them in the following order.
  1. Replace the certificates of the NSX Manager cluster and nodes.
    Skip installing CA-signed certificates for NSX Manager by using SDDC Manager.
  2. Replace the vCenter Server certificate with a VMCA-signed one.
    Skip installing a CA-signed certificate for vCenter Server by using SDDC Manager.
  3. If you are replacing expired certificates in the management domain, replace the SDDC Manager certificate.
  4. After you have all temporary certificates ready to be replaced with CA-signed ones, use SDDC Manager UI to replace the certificates for NSX Manager and vCenter Server with CA-signed ones.

Replace Expired NSX Manager Certificates

In VMware Cloud Foundation, you temporarily replace an expired SSL certificate of the NSX Manager cluster or an individual NSX Manager node for a workload domain with a self-signed certificate generated by NSX Manager. Then, you add the self-signed certificate to the SDDC Manager trust store.
  1. Log in to the NSX Manager cluster at https://<nsx_manager_fqdn>/login.jsp?local=true as admin.
     Add a certificate exception to your Web browser if the certificate of the NSX Manager cluster FQDN has expired.
  2. Identify the expired certificates.
    1. In the navigation bar, click System.
    2. In the left pane, under Settings, click Certificates.
    3. On the Certificates tab, check the Validity column.
  3. Generate self-signed certificates for the NSX Manager entities with expired certificates.
    1. On the Certificates tab, select Generate > Self Signed Certificate.
    2. Enter the CSR information and click Save.
       Common Name: Enter the fully qualified domain name (FQDN) of the node. For example, nsx-wld-01.vrack.vsphere.local.
       Name: Assign a name for the certificate. For example, nsx-wld-01.vrack.vsphere.local.
       Organization Unit: Enter the department in your organization that is handling this certificate. For example, VMware Engineering.
       Organization Name: Enter your organization name with applicable suffixes. For example, VMware.
       Locality: Add the city in which your organization is located. For example, Palo Alto.
       State: Add the state in which your organization is located. For example, California.
       Country/Region: Add your organization location. For example, United States (US).
       Algorithm: Set the encryption algorithm for your certificate. For example, RSA.
       Key Size: Set the key size in bits for the encryption algorithm. For example, 2048.
       Service Certificate: To use the certificate with an NSX Manager appliance, toggle to No.
       Number of days: Enter the validity of the certificate starting from today.
       Description: Enter specific details to help you identify this certificate at a later date.
    3. Click Save.
    4. Repeat the steps for all remaining NSX Manager entities whose certificates have expired.
  4. Apply the self-signed certificates to the NSX Manager entities.
    1. On the Certificates tab, locate and copy the ID of the certificate for the NSX Manager entity.
    2. From a system that supports the curl command and has access to the NSX Manager nodes, such as the vCenter Server or SDDC Manager appliance, run the following command to install the self-signed certificate on the NSX Manager cluster or an NSX Manager node. You run the command on the cluster or on the individual node. Use the certificate ID you copied from the NSX Manager UI.
       NSX Manager cluster:
       curl -H 'Accept: application/json' -H 'Content-Type: application/json' --insecure -u 'admin:<nsx_admin_password>' -X POST 'https://<nsx_manager_cluster_fqdn>/api/v1/trust-management/certificates/<certificate-id>?action=apply_certificate&service_type=MGMT_CLUSTER'
       NSX Manager node:
       curl -H 'Accept: application/json' -H 'Content-Type: application/json' --insecure -u 'admin:<nsx_admin_password>' -X POST 'https://<nsx_manager_node_fqdn>/api/v1/node/services/http?action=apply_certificate&certificate_id=<certificate_id>'
       The curl command completes without an output message.
    3. Repeat the steps for all remaining NSX Manager nodes with expired certificates.
  5. Add the self-signed NSX Manager certificates to the trust store of SDDC Manager.
    1. Log in to SDDC Manager at https://<sddc_manager_fqdn> as administrator@vsphere.local.
    2. In the navigation pane, click Inventory > Workload Domains.
    3. On the Workload Domains page, click the workload domain the NSX Manager cluster or nodes are part of.
    4. On the workload domain summary page, click the Certificates tab.
       You see a status message that the certificates of the NSX Manager nodes and cluster are not trusted.
    5. For a self-signed certificate, click review in the status message, review the certificate details, and verify that the thumbprint matches the thumbprint of the self-signed certificate for the node.
    6. After reviewing a self-signed certificate, click Trust Certificate.
    7. Review and mark as trusted the remaining self-signed NSX Manager certificates.
  6. After all certificates for NSX Manager become active, install CA-signed certificates for all FQDNs related to NSX Manager.
     See Managing Certificates in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.
  7. Remove the self-signed certificates from the trust store of SDDC Manager after you replace them with CA-signed ones.
     See Remove Old or Unused Certificates from SDDC Manager in the VMware Cloud Foundation Administration Guide.
  8. Remove the expired and self-signed certificates from NSX Manager after you have applied CA-signed ones.

Replace an Expired vCenter Server Certificate

In VMware Cloud Foundation, you temporarily replace an expired certificate of a workload domain vCenter Server with a VMCA-signed one by using the vSphere Certificate Manager utility.
  1. Log in to vCenter Server as root by using a Secure Shell (SSH) client.
  2. To switch to the Bash shell, run the shell command.
  3. Start the vSphere Certificate Manager by running the following command.
     /usr/lib/vmware-vmca/bin/certificate-manager
  4. Select option 3, Replace Machine SSL certificate with VMCA Certificate.
  5. Enter the administrator@vsphere.local credentials.
  6. If you are replacing the vCenter Server certificate with a new VMCA-signed certificate for the first time, enter the properties of the VMCA-signed certificate and confirm continuing the operation.
    • Two-letter country code
    • Company name
    • Organization name
    • Organization unit
    • State
    • Locality
    • IP address (optional)
    • Email address
    • Host name, that is, the fully qualified domain name of the vCenter Server machine on which you want to replace the certificate. If the host name does not match the FQDN, certificate replacement does not complete correctly and your workload domain might end up in an unstable state.
    • VMCA name, that is, the fully qualified domain name of the vCenter Server machine on which the certificate configuration is running.
     The VMCA-signed certificate properties are stored in the /usr/lib/vmware-vmca/share/config/certool.cfg file.
     Wait until the operation is complete.
  7. If you have previously generated a VMCA-signed certificate on this workload domain vCenter Server and a certool.cfg file is available, do not reconfigure the certool.cfg file and confirm continuing the operation.
     Wait until the operation is complete.
  8. Verify the status of the vCenter Server instance in SDDC Manager.
    1. Log in to SDDC Manager at https://<sddc_manager_fqdn> with a user assigned the Admin role.
    2. In the navigation pane, click Inventory > Workload Domains.
    3. On the Workload Domains page, click the workload domain that the vCenter Server instance is part of.
    4. On the workload domain summary page, click the Certificates tab.
    5. Verify that the status of the vCenter Server certificate is active.
  9. Install a CA-signed certificate for the vCenter Server instance in SDDC Manager.
     See Managing Certificates in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.

Replace an Expired SDDC Manager Certificate

You replace an expired SDDC Manager certificate by using SDDC Manager.
  1. Log in to SDDC Manager at https://<sddc_manager_fqdn> with a user assigned the Admin role.
     Add a certificate exception to your Web browser because the certificate of the SDDC Manager has expired.
  2. In the navigation pane, click Inventory > Workload Domains.
  3. On the Workload Domains page, click the management domain.
  4. On the workload domain summary page, click the Certificates tab.
  5. Replace the SDDC Manager certificate.
     See Managing Certificates in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.

Backup Operations

Managing backups of the management components of VMware Cloud Foundation regularly provides data protection, facilitates disaster recovery, enhances security and compliance, and supports system updates.

Best Practices for Backup Operations in VMware Cloud Foundation

Operation: Configure a location and a schedule of an external backup.
When or How Often:
  • After management domain deployment.
  • After VI workload domain deployment.
Description: See the following information in the VMware Cloud Foundation Administration Guide:
For NSX Manager backups, see NSX Manager Backup Configuration.
You can automate the backup configuration of the SDDC Manager and NSX Local Manager by using the VMware Cloud Foundation API. See Backup and Restore in the VMware Cloud Foundation API reference documentation.
To automate configuring the backup location and schedule of SDDC Manager and NSX Local Manager by using PowerShell, use the Get-VCFBackupConfiguration and Set-VCFBackupConfiguration cmdlets in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Documentation.

Operation: Configure NSX Manager backup retention.
When or How Often:
  • After management domain deployment.
  • If the backup retention policy of your organization has changed.
Description: NSX does not support a native option to configure a backup retention policy. To manage retention of the backups with a script, see Remove Old Backups in the NSX Administration Guide.
The retention of the backups is for the backup location configured in SDDC Manager. You configure the script only once per VMware Cloud Foundation environment. It is then applied to all NSX Manager backups.

Operation: Run an on-demand backup.
When or How Often:
  • After a successful recovery operation.
  • After resolving asynchronously reported errors in SDDC components.
  • After resolving an incomplete workflow in SDDC Manager.
  • After noting the failure of a scheduled backup of an SDDC component.
  • Before performing a system upgrade.
Description: You can automate an on-demand backup of SDDC Manager by using the VMware Cloud Foundation API. See Backup and Restore in the VMware Cloud Foundation API reference documentation.
To automate an on-demand backup of SDDC Manager by using PowerShell, use the Start-VCFBackup cmdlet in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Documentation.

Operation: Verify backups.
When or How Often: At least once a week.
Description: Manual workflows:
  • On the Administration > Backup page in the SDDC Manager UI, check Last Backup Status.
  • In the vCenter Server Management Interface at https://<vcenter-fqdn>:5480/, go to Backup and check Activity for the date of the last successful backup.
  • In the NSX Manager UI, on the System tab, go to Backup & Restore and check Last Backup Status and Backup History.
To generate a point-in-time health report for your VMware Cloud Foundation environment, use the open-source PowerShell module for VMware Cloud Foundation health reporting. See Generating a Health Report in the documentation of the module.
You can also use the following cmdlets:
  • Request-SddcManagerBackupStatus
  • Request-VcenterBackupStatus
  • Request-NsxtManagerBackupStatus

NSX Manager Backup Configuration

Follow additional guidelines when managing NSX Manager backups in VMware Cloud Foundation.
  • NSX does not offer an option to configure a backup retention policy. To manage retention of the backups with a script, see Remove Old Backups in the NSX Administration Guide.
  • NSX Global Managers are not managed by SDDC Manager. You must configure the backup for the NSX Global Manager manually. See Configure Backups in the NSX Administration Guide.
    To reuse the same backup retention policy, configure the backups to use the same SFTP destination as in SDDC Manager.
  • When the backup settings are configured in SDDC Manager, all NSX Local Managers are configured to back up in a common location.
  • When the backup settings are configured in SDDC Manager, the NSX Local Managers that might be deployed when a workload domain is created are configured to back up data in the location and with the schedule defined in SDDC Manager.
  • In the NSX Manager UI, you see backups from different NSX Manager nodes in the Backup History. This is expected.
  • By default, SDDC Manager configures the NSX Local Managers to back up once every hour. If you want to change the backup schedule or enable automatic backups when the configuration changes, perform these steps:
    1. Log in to the NSX Local Manager cluster at https://<nsx_manager_cluster_fqdn> with a user assigned the Enterprise Administrator role.
    2. On the System tab, click Backup & Restore and click Edit in the Schedule section.
       If an active backup task is in progress, this option is grayed out.
    3. Modify the Frequency setting to match your backup schedule.
    4. Optional. Turn on Detect NSX configuration change and set the Update Interval to check for configuration changes every hour.
    5. Click Save.
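The retention gap described in the backup table and in the first bullet above (NSX has no native retention setting, so old backups on the shared SFTP destination must be pruned by a script), as an added Python example. It is not the NSX Administration Guide's "Remove Old Backups" script and not VMware code. It assumes the destination is laid out as <root>/<manager-id>/<category>/<one directory per backup> with the directory mtime as the backup time, prunes by age while always keeping a minimum number of the newest backups per category, and is a dry run unless told otherwise. The fixture it builds in a temporary directory is constructed.

```python
"""Prune NSX Manager backups on the shared SFTP destination by age, keeping
a minimum number regardless of age. Added example, not the NSX 'Remove Old
Backups' script. Assumed layout: <root>/<manager-id>/<category>/<backup dir>,
where each backup directory's mtime is the backup time."""
import os
import shutil
import tempfile
import time
from pathlib import Path

DAY = 86400


def prune_backups(root, keep_days, keep_min, now=None, dry_run=True):
    """For each <manager-id>/<category> directory under root, select backup
    directories older than keep_days, but never touch the newest keep_min in
    that category even when they are older than the cut-off. Returns the
    selected paths; they are deleted only when dry_run is False."""
    now = time.time() if now is None else now
    cutoff = now - keep_days * DAY
    selected = []
    for category in sorted(p for p in Path(root).glob("*/*") if p.is_dir()):
        backups = sorted((b for b in category.iterdir() if b.is_dir()),
                         key=lambda b: b.stat().st_mtime, reverse=True)
        for backup in backups[keep_min:]:          # newest keep_min are exempt
            if backup.stat().st_mtime < cutoff:
                selected.append(backup)
                if not dry_run:
                    shutil.rmtree(backup)
    return selected


def make_sample_tree(base, now):
    """Constructed fixture: one manager, one category, backups aged 1, 5, 12
    and 40 days. Returns the category directory."""
    category = Path(base) / "mgr-0001" / "cluster-node-backups"
    for name, age in {"backup-d01": 1, "backup-d05": 5,
                      "backup-d12": 12, "backup-d40": 40}.items():
        backup = category / name
        backup.mkdir(parents=True)
        (backup / "data.bin").write_bytes(b"constructed")
        stamp = now - age * DAY                    # set mtime after writing the file
        os.utime(backup, (stamp, stamp))
    return category


def run_demo(keep_days=7, keep_min=2, dry_run=True):
    """Build the fixture in a temporary directory, prune it, and return
    (names selected for removal, names still present afterwards)."""
    now = time.time()
    with tempfile.TemporaryDirectory() as base:
        category = make_sample_tree(base, now)
        selected = prune_backups(base, keep_days, keep_min, now=now, dry_run=dry_run)
        remaining = sorted(p.name for p in category.iterdir())
    return [p.name for p in selected], remaining


if __name__ == "__main__":
    selected, remaining = run_demo()
    print("dry run would remove:", selected)
    print("still present:", remaining)
```

The keep_min floor is the check that matters operationally: an age-only rule silently empties the destination for a manager whose scheduled backups have been failing, which is exactly when you most need the last good copy. Run it once per environment against the SFTP destination configured in SDDC Manager, as the table describes, and review the dry-run output before switching dry_run off.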

Running On-Demand Backups

Management Component: SDDC Manager
  1. Log in to SDDC Manager at https://<sddc_manager_fqdn> as administrator@vsphere.local.
  2. In the navigation pane, click Administration > Backup and click Backup Now.
     Wait until the task is complete.

Management Component: vCenter Server
  • For a full vCenter Server backup, see Manually Back Up vCenter Server in the VMware Cloud Foundation Administration Guide.
  • A vCenter Server backup includes the configuration of the entire vCenter Server instance. To back up only the configuration of a vSphere Distributed Switch and its distributed port groups, you export a configuration file that includes the validated network configurations. If you want to recover only the vSphere Distributed Switch, you can import this configuration file into the vCenter Server instance. See Export the Configuration of the vSphere Distributed Switches in the VMware Cloud Foundation Administration Guide.

Management Component: NSX Manager
  1. Log in to the NSX Local Manager cluster at https://<nsx_manager_cluster_fqdn> with a user assigned the Enterprise Administrator role.
  2. On the System tab, click Backup & Restore and click Start Backup.
     Wait until the task is complete.

ESXi Installation Operations

You install the required version of ESXi that is compatible with the target VMware Cloud Foundation version, and perform basic configuration tasks right after the installation is complete.

Best Practices for ESXi Installation in VMware Cloud Foundation

Operation: Install ESXi
When or How Often:
  • Before management domain deployment
  • Before VI workload domain deployment
Description: By default, you install ESXi interactively by using an ISO file you download from the Broadcom Support Portal. You can also create a custom ISO file, for example, to accommodate vendor-specific components. See Prepare ESXi Hosts for VMware Cloud Foundation.
To automate ESXi installation and post-installation configuration for VMware Cloud Foundation, you can use a Python script for ESXi imaging that creates an ESXi ISO image with an installation script, that is, a kickstart file, from the base ISO image. See the open-source project of the Python script for ESXi imaging.

Life Cycle Operations

By updating to a later VMware Cloud Foundation version or applying a patch release, you get fixes for important security issues or new features in your environment. Efficient bundle management also reduces the time and number of errors during the upgrade process.

Best Practices for Life Cycle Operations in VMware Cloud Foundation

Operation: Upgrade or update
When or How Often:
  • The later version contains important issue fixes.
  • The later version introduces a new feature that you want to explore.
  • The version that you are running will be out of support soon.
Description: As a best practice, you run the latest software version to get the latest bug fixes and security patches or more features.
Before upgrading, check whether all third-party integrations are compatible with the Bill of Materials (BoM) of the target version. For more information about upgrading VMware Cloud Foundation, see the Lifecycle Management Guide.
You can use the following options for managing upgrade bundles:
  • To manage upgrade bundles for VMware Cloud Foundation step-by-step, use the SDDC Manager UI. See Managing Installation and Upgrade Bundles in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.
  • You can automate upgrade bundle management by using the VMware Cloud Foundation API. See Bundles.
  • To automate bundle management by using a PowerShell-based script, see VMware knowledge base article 94760.
  • To delete bundles that are obsolete or that you do not need anymore, use the Bundle Cleanup Utility. See VMware knowledge base article 75050.

Operation: Apply patches
When or How Often:
  • A VMware Security Advisory on a security vulnerability in the VMware Cloud Foundation version that you are using is published.
  • An issue that has been reported to VMware Support is fixed and distributed as a patch release.
Description:
  • To apply critical patches to specific products, such as NSX Manager, vCenter Server, or ESXi, independently of VMware Cloud Foundation releases, use the Async Patch Tool. See the Async Patch Tool documentation.
  • The VMware Security Advisories (VMSA) document contains remediation for security vulnerabilities that are reported in VMware products. Sign up for updates from VMSA and review new or changed advisories for issues that could affect your environment.