IBM Cloud Docs
Post-deployment considerations for your VMware instance

IBM Cloud® for VMware Solutions offerings are not managed services. You are responsible for the configuration, security, management, and monitoring of all software components. With complete administrative access to the solution, you have great power and flexibility that requires significant technical, administrative, and operational expertise across various domains. Managing a VMware® instance in the IBM Cloud requires the same planning and expertise as planning for an on-premises instance. Software-defined technologies such as VMware NSX® and VMware vSAN™ greatly simplify some aspects of instance management, but might require new skills and tools to be properly managed and operated. Combining the power, speed, and reliability of IBM Cloud automated VMware deployment with the appropriate operational planning and testing ensures quick and successful navigation to hybrid cloud.

Review the following considerations to understand your responsibilities for managing and operating the instance before and after it is deployed.

IBM Cloud account access

Manage access to your IBM Cloud account so that other members of your team can access your instance in the IBM Cloud for VMware Solutions console. For more information, see Inviting users to access services and resources.

Limitations

Familiarize yourself with the following limitations for your instance:

Network design and connectivity

Complete the following steps to manage access to your IBM Cloud network and to your VMware management components, and to plan your IBM Cloud network topology.

  • Access instance management endpoints by using the IBM Cloud VPN or your IBM Cloud Direct Link.
  • Devise a strategy for public network connectivity from within your instance. Your options include the sample customer VMware NSX Edge™ Services Gateway (ESG), gateway appliances such as Vyatta and FortiGate, and proxy servers deployed in the IBM Cloud network or on your own network accessed through Direct Link.
  • Plan whether to deploy your workload on IBM Cloud VLANs with IBM Cloud portable IP addresses or on NSX-T logical switches with your own IP addresses. NSX software-defined networking (SDN) gives you the greatest flexibility to manage and secure your workload network in the IBM Cloud.
  • Use NSX ESGs, IBM Cloud Vyatta, and Direct Link peering to plan for connectivity to workloads (Network Address Translation, Virtual Private Network, routing).
  • If you implement Cross-vCenter NSX, ensure that your local segment ID ranges are not overlapping before you deploy any local workloads.

Security planning and hardening

You are responsible for securing, encrypting, and monitoring your VMware instance and workloads to meet your corporate, industry, and regulatory standards. Complete the following steps to ensure proper security.

  • Change all passwords displayed in the IBM Cloud for VMware Solutions console and use your own password management system. IBM retains distinct user IDs needed for ongoing automation and support.
  • Review password policies, such as complexity and expiration period, across all components.
  • Review encryption settings across all components.
  • Plan and implement appropriate physical or virtual firewall solutions, such as NSX Distributed Firewall (DFW), NSX ESGs, FortiGate Virtual Appliance, and IBM Cloud Vyatta.
  • Plan and implement appropriate application load balancing and security solutions, such as F5 BIG-IP.
  • Plan and implement appropriate security information and event management (SIEM) solutions, such as IBM Security QRadar SIEM.
  • Plan and implement appropriate vulnerability scanning.
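One way to turn the password-policy and hardening review into a repeatable check, as an added PowerCLI example that is not IBM Cloud or VMware code: it reads a handful of ESXi advanced settings (password quality, account lockout, shell timeouts, Managed Object Browser) on every host and reports drift from a baseline. The vCenter name is a placeholder, and the baseline values are an assumption for the example; set them from your own corporate standard.

```powershell
# Added example (not IBM Cloud or VMware code): report ESXi password-policy and
# lockout settings against a baseline you choose. Assumes VMware.PowerCLI is
# installed; the vCenter FQDN below is a placeholder for your instance's vCenter.
Import-Module VMware.PowerCLI

$vcenter = 'vcenter.example.invalid'      # placeholder: your instance's vCenter
$cred    = Get-Credential                  # your own account, not the console default
Connect-VIServer -Server $vcenter -Credential $cred | Out-Null

# Baseline values are an assumption for this example; replace them with the
# values your corporate standard requires.
$baseline = @{
    'Security.PasswordQualityControl'          = 'similar=deny retry=3 min=disabled,disabled,disabled,disabled,15'
    'Security.AccountLockFailures'             = 5
    'Security.AccountUnlockTime'               = 900
    'UserVars.ESXiShellTimeOut'                = 900
    'UserVars.ESXiShellInteractiveTimeOut'     = 900
    'Config.HostAgent.plugins.solo.enableMob'  = $false
}

# One row per host and setting, comparing the live value with the baseline.
$report = foreach ($vmhost in Get-VMHost) {
    foreach ($name in $baseline.Keys) {
        $setting = Get-AdvancedSetting -Entity $vmhost -Name $name
        [pscustomobject]@{
            Host      = $vmhost.Name
            Setting   = $name
            Current   = $setting.Value
            Expected  = $baseline[$name]
            Compliant = ("$($setting.Value)" -eq "$($baseline[$name])")
        }
    }
}

# Show only the hosts and settings that drifted from the baseline.
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# After reviewing the drift, uncomment to remediate in place:
# $report | Where-Object { -not $_.Compliant } | ForEach-Object {
#     Get-AdvancedSetting -Entity (Get-VMHost -Name $_.Host) -Name $_.Setting |
#         Set-AdvancedSetting -Value $_.Expected -Confirm:$false
# }

Disconnect-VIServer -Server $vcenter -Confirm:$false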

Customization

Complete the following steps to customize the base VMware instance installation to fit your requirements.

  • Use your own certificate authority (CA) to generate certificates for components such as vCenter (with embedded PSC) and NSX Manager.
  • Configure deployed services. For example,
    • For Zerto, plan for IP addressing and routing of Zerto Virtual Replication Appliance (VRA) communications, because network address translation (NAT) traversal is not supported. Consider either tunneling or redeployment of your VRAs for appropriate addressing and routing.
    • For backup services such as Veeam® and IBM Spectrum® Protect Plus, configure your backup job, optionally configure additional storage, and configure monitoring alerts.
    • For networking and security services such as F5® BIG-IP and FortiGate Virtual Appliance, configure network interfaces, certificates, high availability (HA) configuration, and rules according to your network topology and other requirements.

Active Directory

Complete the following steps to ensure proper single sign-on (SSO) configuration and management.

  • Configure the Active Directory® (AD) server update and restart schedule.
  • If you choose the option to deploy AD servers into the VMware vSphere® cluster, provide Microsoft® Windows® licensing and activation for the servers to ensure compliance and availability.
  • Establish mutual trust between the instance and your on-premises AD server.
  • Integrate NSX VPN, if applicable, with AD SSO.
  • Integrate VMware ESXi® hosts with AD SSO.

Maintenance planning

Complete the following steps to ensure proper planning for software maintenance.

  • Set up VMware Update Manager (VUM) through a proxy to obtain VMware updates.
  • If applicable, set up vSAN through a proxy to maintain the vSAN Hardware Compatibility List (HCL) database.
  • Plan regular maintenance for VMware components that are not supported by VUM, for example, VMware vCenter, PSC, and NSX.
  • Review vSphere Enhanced vMotion Compatibility (EVC) configuration. Your cluster might not be configured with EVC enabled if the current version of vSphere does not support EVC for your hardware level.
  • Plan regular maintenance for add-on services such as Veeam, Zerto, and F5 BIG-IP.

Monitoring

Plan for and implement the following solutions for monitoring your instance and instance components.

  • A logging server that includes log forwarding or collection for all instance components and adequate log retention. The VMware Aria Operations and VMware Aria Operations for Logs offering can help you with log management and visibility.
  • An alert infrastructure, including configuration of the SMTP server and short message service (SMS) gateway, as needed.
  • Proactive monitoring of hosts, drives, management software, and network, including vSAN monitoring if applicable. The VMware Aria Operations on IBM Cloud offering can help you operate and monitor the performance, health, and capacity of your VMware environment.
  • Capacity monitoring and planning. You can add clusters, remove clusters, add hosts, and remove hosts for your instance from the IBM Cloud for VMware Solutions console.
  • Monitoring your backup infrastructure and backup jobs.
  • vSphere Distributed Switch Health Check is enabled by default and can generate a significant number of MAC addresses for testing teaming policy, MTU size, and VLAN configuration, which results in extra network traffic. Disable this health check and re-enable it only as needed for network troubleshooting. For more information, see vSphere Distributed Switch Health Check.
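The health check recommendation above, as an added PowerCLI example that is not IBM Cloud or VMware code: it disables both checks (VLAN/MTU and teaming) on every distributed switch through the vSphere API, reports the resulting state, and shows how to re-enable one switch for a troubleshooting window. It assumes an active Connect-VIServer session to your instance's vCenter; the switch name in the commented lines is a placeholder.

```powershell
# Added example (not IBM Cloud or VMware code): manage vSphere Distributed Switch
# health checks. Assumes an active Connect-VIServer session to your vCenter.
Import-Module VMware.PowerCLI

function Set-VDSHealthCheck {
    param(
        [Parameter(Mandatory)] [string] $SwitchName,
        [Parameter(Mandatory)] [bool]   $Enabled,
        [int] $IntervalMinutes = 1
    )
    $vds = Get-VDSwitch -Name $SwitchName
    # Both health checks are configured with the same state.
    $vlanMtu = New-Object VMware.Vim.VMwareDVSVlanMtuHealthCheckConfig
    $vlanMtu.Enable   = $Enabled
    $vlanMtu.Interval = $IntervalMinutes
    $teaming = New-Object VMware.Vim.VMwareDVSTeamingHealthCheckConfig
    $teaming.Enable   = $Enabled
    $teaming.Interval = $IntervalMinutes
    # ExtensionData exposes the vSphere API object behind the PowerCLI switch object.
    $vds.ExtensionData.UpdateDVSHealthCheckConfig(@($vlanMtu, $teaming))
}

function Get-VDSHealthCheckStatus {
    # One row per switch and check type, read back from the switch configuration.
    foreach ($vds in Get-VDSwitch) {
        foreach ($hc in $vds.ExtensionData.Config.HealthCheckConfig) {
            [pscustomobject]@{
                Switch   = $vds.Name
                Check    = $hc.GetType().Name -replace 'VMwareDVS|HealthCheckConfig', ''
                Enabled  = $hc.Enable
                Interval = $hc.Interval
            }
        }
    }
}

# Disable the checks on every distributed switch in the instance, then verify.
Get-VDSwitch | ForEach-Object { Set-VDSHealthCheck -SwitchName $_.Name -Enabled $false }
Get-VDSHealthCheckStatus | Format-Table -AutoSize

# For a troubleshooting window, re-enable on one switch (name is a placeholder),
# inspect the results under the switch's Monitor > Health view, then disable again:
# Set-VDSHealthCheck -SwitchName 'YourDSwitch' -Enabled $true
# Set-VDSHealthCheck -SwitchName 'YourDSwitch' -Enabled $false
```

Running the status function before and after the change gives you a record you can attach to your change ticket, and the same output is a cheap periodic drift check for switches that were re-enabled and forgotten.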

Business continuity and availability

Your VMware instance is running on IBM Cloud bare metal servers.

Complete the following steps to ensure that you make adequate plans for high availability and business continuity.

  • Review vSphere HA and vSphere Distributed Resource Scheduler (DRS) configuration against your requirements.
  • Review network and storage I/O control configuration against your requirements.
  • Configure the virtual machine startup order against your requirements.
  • Configure resource pools, as needed, for management and workload.
  • Plan, implement, and monitor a backup solution for both instance management components and workload.
  • Plan for high availability of instance management, including the possibility of multiple instances, multiple clusters, vCenter HA, and PSC HA.
  • Use solutions such as Zerto Disaster Recovery or Veeam Backup and Replication to plan for business continuity for your workloads.

Storage planning

In addition to capacity planning, complete the following steps to ensure that your storage configuration meets your performance and availability requirements.

  • Storage performance depends on various factors, including RAID configuration and disk striping, network configuration, block size, configured IOPS (input/output operations per second) for network-attached storage, VM hardware configuration and method of storage attachment, clustering and replication methods, and use of storage policies such as encryption, deduplication, and compression. Plan time to test and tune your configuration to meet your storage performance needs.
  • Review your vSAN storage policy:
    • RAID 1 provides better performance and smaller windows of susceptibility to sequential failure, such as shorter rebuild time, than RAID 5. However, RAID 5 has less storage overhead.
    • RAID 6 provides protection against dual failures, but requires a minimum of six hosts compared to four hosts for RAID 5.
  • To add more storage to your vSAN cluster, you must add new hosts to the cluster or add IBM Cloud Endurance NFS storage instead. Adding disks to the existing hosts is not currently supported.
  • If you mount additional IBM Cloud Endurance NFS storage to your cluster, ensure that you follow the architecture guidance and configure host routes to the storage that use the cluster's NFS port group addresses as the source. You must authorize these addresses, rather than the hosts themselves, to the storage. For more information, see Attached storage infrastructure management.
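The host-route step above, as an added PowerCLI example that is not IBM Cloud or VMware code: for every host in a cluster it finds the vmkernel adapter on the NFS port group, installs a static route to the storage subnet through that adapter's gateway, verifies the route, and collects the per-host source addresses that you then authorize on the storage. The cluster name, port group name, storage subnet and gateway are placeholders; take the real values from your instance's architecture guidance.

```powershell
# Added example (not IBM Cloud or VMware code): add host routes for Endurance NFS
# and list the NFS port group addresses to authorize on the storage.
# Assumes an active Connect-VIServer session; all names and addresses below are
# placeholders.
Import-Module VMware.PowerCLI

$clusterName  = 'YourCluster'           # placeholder
$nfsPortGroup = 'YourNFSPortGroup'      # placeholder: the cluster's NFS port group
$nfsSubnet    = '192.0.2.0/24'          # placeholder (TEST-NET-2): storage target subnet
$nfsGateway   = '198.51.100.1'          # placeholder: gateway of the NFS port group subnet

$authorize = foreach ($vmhost in Get-Cluster -Name $clusterName | Get-VMHost) {
    # The route must leave through the vmkernel adapter on the NFS port group,
    # because that adapter's address is what the storage sees and authorizes.
    $vmk = Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel |
           Where-Object { $_.PortGroupName -eq $nfsPortGroup }
    if (-not $vmk) {
        Write-Warning "$($vmhost.Name): no vmkernel adapter on $nfsPortGroup, skipping"
        continue
    }

    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    try {
        # Equivalent of: esxcli network ip route ipv4 add -n <subnet> -g <gateway>
        $esxcli.network.ip.route.ipv4.add.Invoke(@{ network = $nfsSubnet; gateway = $nfsGateway }) | Out-Null
    } catch {
        Write-Warning "$($vmhost.Name): route add failed or already present: $($_.Exception.Message)"
    }

    # Read the route back and confirm it uses the NFS vmkernel adapter.
    $route = $esxcli.network.ip.route.ipv4.list.Invoke() |
             Where-Object { $_.Gateway -eq $nfsGateway }
    [pscustomobject]@{
        Host          = $vmhost.Name
        SourceAddress = $vmk.IP            # authorize this address, not the host itself
        RouteVia      = $route.Interface
        ViaNfsVmk     = ($route.Interface -eq $vmk.Name)
        Installed     = [bool]$route
    }
}

# The SourceAddress column is the list to grant access to on the storage.
$authorize | Format-Table -AutoSize
```

A row with Installed true but ViaNfsVmk false means the gateway you supplied is reachable through another vmkernel adapter (usually management); fix the gateway or port group before authorizing anything, because the storage would otherwise see the wrong source address.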