The core components of a landing zone – Cloud Security Fundamentals

The primary goal of a landing zone is to ensure consistent deployment and governance across various environments, such as production (Prod), quality assurance (QA), user acceptance testing (UAT), and development (Dev). Let us understand the core concepts associated with landing zones:

  • Network segmentation: Network segmentation divides the cloud environment into distinct network segments so that environments and workloads are isolated from one another. Each environment (Prod, QA, UAT, and Dev) gets a dedicated network segment, and the segments are logically separated so that nothing in one environment can reach another without an explicit, reviewed path. This keeps activity in one environment from affecting the others and protects sensitive data.
  • Isolation of environments: The network segments for each environment are isolated from each other to minimize the risk of data breaches or unauthorized access. This is achieved with constructs such as Virtual Private Clouds (VPCs) in AWS, Virtual Networks (VNets) in Azure, or VPCs in GCP, and is usually strengthened by placing each environment in its own account, subscription, or project, which is a harder boundary than a network construct alone.
  • Connectivity between environments: While isolation is crucial, there are specific scenarios where controlled connectivity is required between environments, such as data migration or application integration. Such connectivity should be explicitly approved, narrowly scoped (specific routes, ports, and sources rather than whole-segment peering), logged, and monitored, so that a compromise in a lower environment cannot be used as a stepping stone into production.
  • Identity and access management (IAM): IAM policies and roles are implemented to regulate access to cloud resources within each environment. This ensures that only authorized users have access to specific resources based on their roles and responsibilities.
  • Security measures: Each landing zone environment should have security measures, including firewall rules, security groups, network access control lists (NACLs), and other security-related settings. This helps safeguard resources and data from potential threats.
  • Centralized governance: A landing zone architecture also implements centralized governance and monitoring to maintain consistency, compliance, and visibility across all environments. This involves using a central management account or a shared services account for common services.
  • Resource isolation: Within each environment, further resource isolation can be achieved by using resource groups (Azure), projects (GCP), or separate accounts grouped into organizational units (AWS) to logically group resources and manage access control more effectively.
  • Monitoring and auditing: To maintain the health and security of the landing zone, comprehensive monitoring and auditing practices should be implemented. This includes monitoring for suspicious activities, resource utilization, and compliance adherence.

Overall, a landing zone architecture provides a solid foundation for an organization’s cloud deployment by enforcing security, governance, and network segmentation across different environments. This architecture is cloud provider-agnostic and can be adapted to various cloud platforms such as Azure, AWS, and GCP while following their respective best practices and services. To read more about it, you can search for Cloud Adoption Framework, followed by the cloud provider’s name, via your favorite search engine – you will get plenty of resources.
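The isolation and controlled-connectivity rules above are exactly what a posture check should verify continuously, because a single hand-made peering between Prod and Dev silently defeats the segmentation. The following is an added example, not code from the book or any cloud provider: it audits a constructed inventory of VPCs (each tagged with its environment) and peering connections against a hypothetical allowlist in which every environment may reach shared services and nothing else may cross environments. All IDs and tags are made up.

```python
"""Environment-isolation audit for a landing zone's connectivity inventory.

Added example, not code from the book: each VPC carries an environment tag and
the only connectivity permitted between environments is what governance has
explicitly allowlisted. Here every environment may reach shared services, but
nothing else may be peered across environments. All IDs and tags are made up.
"""
from dataclasses import dataclass
from typing import Optional

ENVIRONMENTS = {"prod", "qa", "uat", "dev", "shared-services"}

# Hypothetical connectivity allowlist: unordered pairs of environments that may be peered.
ALLOWED_PAIRS = {frozenset({env, "shared-services"}) for env in ("prod", "qa", "uat", "dev")}


@dataclass(frozen=True)
class Vpc:
    vpc_id: str
    environment: Optional[str]  # value of the Environment tag, None if the tag is missing


@dataclass(frozen=True)
class Peering:
    peering_id: str
    requester_vpc: str
    accepter_vpc: str


def find_isolation_violations(vpcs, peerings, allowed_pairs=ALLOWED_PAIRS):
    """Return (peering_id, env_a, env_b, reason) tuples for peerings that break isolation.

    A peering is a violation when either side is untagged or tagged with an
    unknown environment, or when it joins two different environments that are
    not on the allowlist. Intra-environment peerings are the segment's own business.
    """
    env_by_vpc = {v.vpc_id: v.environment for v in vpcs}
    violations = []
    for p in peerings:
        env_a = env_by_vpc.get(p.requester_vpc)
        env_b = env_by_vpc.get(p.accepter_vpc)
        if env_a not in ENVIRONMENTS or env_b not in ENVIRONMENTS:
            violations.append((p.peering_id, env_a, env_b, "untagged or unknown environment"))
        elif env_a != env_b and frozenset({env_a, env_b}) not in allowed_pairs:
            violations.append((p.peering_id, env_a, env_b, "cross-environment peering not allowlisted"))
    return violations


# Constructed sample inventory, the kind of data a CSPM collector pulls from the provider API.
SAMPLE_VPCS = [
    Vpc("vpc-prod-1", "prod"),
    Vpc("vpc-qa-1", "qa"),
    Vpc("vpc-dev-1", "dev"),
    Vpc("vpc-dev-2", "dev"),
    Vpc("vpc-shared-1", "shared-services"),
    Vpc("vpc-mystery", None),  # created by hand and never tagged
]
SAMPLE_PEERINGS = [
    Peering("pcx-001", "vpc-prod-1", "vpc-shared-1"),  # allowed: prod <-> shared services
    Peering("pcx-002", "vpc-dev-1", "vpc-shared-1"),   # allowed: dev <-> shared services
    Peering("pcx-003", "vpc-dev-1", "vpc-dev-2"),      # intra-environment, not our concern
    Peering("pcx-004", "vpc-prod-1", "vpc-dev-1"),     # prod <-> dev: violation
    Peering("pcx-005", "vpc-qa-1", "vpc-mystery"),     # peer has no environment tag: violation
]


def audit_sample():
    """Run the audit over the constructed inventory."""
    return find_isolation_violations(SAMPLE_VPCS, SAMPLE_PEERINGS)


if __name__ == "__main__":
    for pcx, env_a, env_b, reason in audit_sample():
        print(f"{pcx}: {env_a} <-> {env_b}: {reason}")
```

Treating an untagged VPC as a violation rather than skipping it matters: tags are the only thing tying a network to its environment, so a missing tag is itself a governance failure and a common way for shadow resources to escape every other check.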

Summary

Cloud security is an interesting topic and fun to learn. I hope you enjoyed it as much as I enjoyed writing some of these fundamental concepts. In this chapter, we introduced you to some important security and compliance concepts. This included shared responsibility in cloud security, encryption and its relevance in a cloud environment, compliance concepts, the Zero Trust model and its foundational pillars, and some of the most important topics related to cryptography. Finally, you were introduced to CAF and landing zones. All the terms and concepts discussed in this chapter will be referred to throughout this book. I encourage you to deep dive into these topics as much as you can.

In the next chapter, we will learn about cloud security posture management (CSPM) and the important concepts around it. Happy learning!

Further reading

To learn more about the topics that were covered in this chapter, look at the following resources:

Compliance concepts – Cloud Security Fundamentals

We are in the age of data analytics and data science, where data has become more precious than ever. Organizations, institutions, and businesses now rely on data to function day to day, and moving that data to the cloud makes careful handling even more important. To protect personally identifiable information (PII), health-related data, and financial data, government agencies, regulatory authorities, and industry groups have issued regulations that govern how such data may be used and protected.

Security and compliance are not the same concept, even though they are closely interconnected and the line between them is often blurred. Security refers to the set of policies, processes, and controls that a company implements to protect its assets, while compliance refers to meeting the requirements that a regulatory body or third party has set as a legal obligation or a recognized best practice. A system can be compliant yet still insecure, and secure yet non-compliant, which is why both need to be managed.

Some of the compliance concepts in cybersecurity include the following:

  • Regulatory compliance: This refers to adherence to legal requirements, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Regulatory compliance involves implementing security measures and protocols to protect sensitive data and ensure that organizations are following established legal requirements.
  • Industry-specific compliance: This refers to adherence to specific security requirements established by particular industries, such as the Payment Card Industry Data Security Standard (PCI DSS) for organizations that handle credit card information. Industry-specific compliance involves implementing security measures and protocols that are specific to the requirements of a particular industry. Another significant example would be the Health Insurance Portability and Accountability Act (HIPAA) as it ensures the protection and confidentiality of individuals’ sensitive health information, providing them with greater control over their medical data and promoting trust in the healthcare system. Its regulations establish standards for securely handling the protected health information of healthcare providers, insurers, and other entities in the United States.
  • Standards compliance: This refers to adherence to established security standards, such as ISO/IEC 27001 for information security management systems and the National Institute of Standards and Technology (NIST) publications, such as the Cybersecurity Framework and the SP 800-53 control catalog. Standards compliance involves implementing security measures and protocols that meet or exceed established industry standards.
  • Best practices compliance: This refers to adherence to established best practices for cybersecurity, such as the Center for Internet Security (CIS) Benchmarks. Best practices compliance involves implementing security measures and protocols that are widely accepted as effective in the cybersecurity community. You can find the latest CIS benchmarks for cloud providers such as Alibaba, AWS, and Azure, as well as various other technologies, at https://www.cisecurity.org/cis-benchmarks.

Here are some important topics associated with data compliance:

  • Data residency: This refers to the physical or geographical location where data is stored. It is straightforward to establish on-premises but harder to guarantee in the cloud, where a service may replicate or back up data across regions unless it is configured not to. Some countries require that certain data be stored on servers physically located within the country.
  • Data sovereignty: This refers to the laws and governance structures that data is subject to because of the geographical location in which it is stored or processed.
  • Data privacy: This refers to providing notice and being transparent about collecting, using, and sharing personal data. These are fundamental principles of privacy laws and regulations.

Compliance in cybersecurity is important because it helps organizations establish a baseline of security measures and protocols that can protect sensitive data and ensure the security of computer systems and networks. Compliance can also be used to demonstrate to stakeholders that an organization is taking the necessary steps to protect data and mitigate cybersecurity risks.

Now, let’s understand another interesting and important topic: cryptography.

The Cloud Adoption Framework – Cloud Security Fundamentals

CAF is a collection of guidelines, best practices, tools, and templates that each major public cloud provider publishes to accelerate an organization’s cloud adoption journey. Every organization has a different set of on-premises resources, critical data to deal with, and regulatory requirements to adhere to, so no single cloud adoption formula fits all. It is extremely important to have a strategy to adopt the cloud, and CAF helps business leaders and technology managers define that path. All leading public cloud service providers have developed a version of CAF to make the journey smoother for customers moving into the cloud. It is a useful place to start: it helps you understand your needs and do the initial assessment, that is, the maturity assessment, which covers your existing infrastructure, processes, and readiness to adopt the cloud. It also helps the customer choose the right service model among IaaS, PaaS, and SaaS offerings.

Microsoft’s CAF involves the following steps. You should also refer to the other cloud frameworks from AWS and GCP:

  1. Strategy: This phase involves establishing the business case for cloud adoption and defining the organization’s cloud strategy. It includes defining the organization’s goals, identifying potential benefits and risks, and selecting the appropriate cloud service provider.
  2. Plan: In this phase, the organization develops a detailed plan for migrating to the cloud. This includes identifying the workloads to be migrated, assessing their suitability for cloud deployment, and determining the appropriate migration strategy.
  3. Ready: This phase involves preparing the organization’s environment for cloud adoption. This includes establishing the necessary infrastructure, networking, and security requirements to ensure a smooth transition to the cloud. This also includes setting up the landing zone for the cloud infrastructure and defining the best practices to expand as the need arises.
  4. Adopt: In this phase, the organization deploys its workloads to the cloud environment. This includes configuring and evaluating the cloud infrastructure and applications to ensure they are functioning as expected.
  5. Govern: In this phase, the organization establishes governance policies and processes to manage its cloud-based solutions. This includes monitoring and managing cloud resources, ensuring compliance with regulatory requirements, and establishing security controls to protect against cyber threats.
  6. Manage: This final phase involves ongoing management and optimization of the cloud environment. This includes monitoring performance, managing costs, and continually improving cloud-based solutions to meet the organization’s evolving needs.

Overall, CAF provides organizations with a structured approach to adopting cloud computing technologies. By following the framework, organizations can better plan, implement, and manage their cloud-based solutions, enabling them to realize the full benefits of cloud computing while minimizing risks and costs. Now that you understand CAF, let us understand the last but very important topic of this chapter: landing zones.

The three pillars of cybersecurity – people, process, and technology – Cloud Security Fundamentals

People, process, and technology are the three most important pillars of cybersecurity and are essential for creating a comprehensive and effective cybersecurity strategy. If any of the three pillars is missing or inadequate, the organization’s overall security posture is significantly weakened and its exposure to cyber threats increases. The strategy becomes as effective as a two-legged stool, unable to bear the full weight of an organization’s security requirements. The following figure explains why each pillar is crucial for cybersecurity and what impact its absence has:

Figure 1.7 – Three pillars of cybersecurity

Let us look at these areas in detail:

  • People: The people pillar refers to the human element of cybersecurity, including employees, contractors, and other stakeholders. People are an important part of any cybersecurity strategy because they can be both the weakest link and the strongest asset. Properly trained and aware employees can help prevent security breaches and quickly respond to incidents, while employees who lack awareness and training can inadvertently create security risks. To ensure the people pillar is strong, organizations should provide cybersecurity training to all employees, implement policies and procedures for cybersecurity best practices, and establish a culture of security awareness.

If the people pillar is missing or inadequate, it can lead to security risks such as human error, insider threats, and social engineering attacks. Employees who lack cybersecurity awareness and training may inadvertently click on phishing emails or download malware, putting sensitive data at risk. Insider threats, where employees intentionally steal or leak data, can also be a significant risk if proper access controls and monitoring are not in place.

  • Process: The process pillar refers to the policies, procedures, and standards that govern an organization’s cybersecurity strategy. Effective processes are important for ensuring that security controls are consistently applied, security incidents are identified and responded to promptly, and risks are managed effectively. To ensure the process pillar is strong, organizations should adopt a cybersecurity framework such as the NIST Cybersecurity Framework or ISO/IEC 27001, conduct regular risk assessments, establish incident response plans, and regularly review and update policies and procedures.

If the process pillar is missing or inadequate, it can lead to inconsistent or ineffective security controls and responses to incidents. Without established policies and procedures, organizations may not know how to respond to security incidents, which could result in delays and increased damage. Risk assessments, vulnerability management, and incident response plans are all essential components of a strong process pillar.

  • Technology: The technology pillar refers to the hardware, software, and other technological solutions that are used to protect an organization’s systems and data. Technology is an important part of any cybersecurity strategy because it can help automate security controls and provide real-time threat intelligence. However, technology alone is not enough to ensure security. To ensure the technology pillar is strong, organizations should implement a layered defense-in-depth (DiD) approach, including firewalls, intrusion detection and prevention systems, endpoint protection, encryption, and other security controls.

If the technology pillar is missing or inadequate, it can leave systems and data vulnerable to a wide range of cyber threats. Without proper security controls, such as firewalls, intrusion detection systems, and encryption, cybercriminals may be able to breach systems and steal or damage sensitive data. Additionally, outdated software and systems can leave vulnerabilities open for exploitation.

Overall, by focusing on the three pillars of cybersecurity – people, process, and technology – organizations can create a comprehensive and effective cybersecurity strategy that is designed to protect against a wide range of cyber threats. Weakness in any of these pillars can have significant implications for an organization’s cybersecurity. However, it is easier said than done when it comes to building a well-balanced program between these three pillars. Too often, organizations lack a solid foundation in all three pillars, which makes them vulnerable. In many cases, organizations look for managed service providers (MSPs) to get a more stable cybersecurity platform to protect their critical assets.

Now that you understand the three important pillars of cybersecurity, let us understand another important concept called the Zero Trust model.

Security products and strategies at different layers – Cloud Security Fundamentals

Let us take a closer look at what security products and strategies are appropriate and applied at different layers:

  • Physical security: Physical security controls are an important part of DiD as they help protect an organization’s physical assets, such as its buildings, servers, and other infrastructure. Here are some examples of physical security controls:
    • Perimeter security: Perimeter security controls are used to control access to the organization’s property. Examples include fences, walls, gates, and barriers.
    • Access control: Access control measures are used to control who has access to the organization’s physical assets. Examples include ID badges, security guards, and biometric authentication systems.
    • Surveillance: Surveillance measures are used to monitor the organization’s physical assets for potential security threats. Examples include CCTV cameras, motion detectors, and security patrols.
    • Environmental controls: Environmental controls are used to protect the organization’s physical assets from damage caused by environmental factors such as fire, water, and temperature. Examples include fire suppression systems, water leak detection systems, and temperature control systems.
    • Redundancy: Redundancy measures are used to ensure that the organization’s physical assets remain operational even in the event of failure. Examples include backup generators, redundant HVAC systems, and redundant network connections.
  • Identity and access: This layer implements controls such as MFA, conditional access, attribute-based access control (ABAC), and role-based access control (RBAC) to protect infrastructure and change control.
  • Perimeter: Protection mechanisms at the edge of your corporate network, such as DDoS protection and edge filtering, absorb or filter large-scale attacks so that resources are not exhausted and service is not denied.
  • Network: Security techniques such as network segmentation and network access control group related resources and limit communication between them, so that an attacker who lands on one host cannot move laterally.
  • Compute: This involves restricting management access to VMs to allowlisted IP ranges only, closing all ports except the ones the workload requires, and keeping the operating system patched.
  • Applications: Four primary techniques can be used to secure applications, each with its strengths and weaknesses. Let us take a look:
    • Runtime Application Self-Protection (RASP): RASP is an application security technology that is designed to detect and prevent attacks at runtime. RASP integrates with the application runtime environment and monitors the behavior of the application to identify potential threats. RASP can detect attacks such as SQL injection, cross-site scripting (XSS), and buffer overflow attacks, and can take action to block the attack or alert security personnel.
    • Interactive Application Security Testing (IAST): IAST is an application security testing technique that combines aspects of both SAST and DAST (described next). IAST instruments the running application during functional testing and reports vulnerabilities such as SQL injection and XSS as the test traffic exercises the vulnerable code paths.
    • Static Application Security Testing (SAST): SAST is an application security testing technique that analyzes the application’s source code (or bytecode) for security vulnerabilities without running it. SAST can identify vulnerabilities such as buffer overflows, SQL injection, and XSS. SAST is typically run during development and in CI so that developers can identify and fix vulnerabilities before the application is deployed.
    • Dynamic Application Security Testing (DAST): DAST is an application security testing technique that probes the application while it is running, without access to its source code. DAST can identify vulnerabilities such as SQL injection, XSS, and broken authentication and session management. DAST is typically run against a deployed test or staging instance to catch vulnerabilities that were missed during development.

Overall, these techniques can be used in combination to provide a comprehensive approach to securing applications. Each technique has its strengths and weaknesses, and the choice of which technique to use depends on the specific needs of the organization and the application being secured.

  • Data: RBAC and ABAC are both access control models that are used to enforce data security:
    • In an RBAC model, access to resources is granted based on the user’s role or job function within an organization. This means that users are assigned specific roles, and those roles are granted permission to access specific resources. For example, an administrator role might be granted full access to a system, while a regular user role might only be granted access to certain parts of the system.
    • In an ABAC model, access to resources is granted based on a combination of attributes, such as the user’s job function, location, and time of day. This means that access control policies can be more flexible and granular than in an RBAC model. For example, a policy might be created to grant access to a resource only if the user is accessing it from a specific location and during specific hours.

Both RBAC and ABAC can be used to enforce data security by ensuring that only authorized users are granted access to sensitive data. Which model to use depends on the specific needs of the organization and the level of granularity and flexibility required for access control policies.
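The difference between the two models is easiest to see when the same request is decided under both. The following is an added example, not code from the book: a small RBAC table and a set of ABAC rules are applied to constructed requests against a hypothetical payroll resource. The roles, attributes (location, local time, MFA state) and rules are invented for illustration; the point is that RBAC answers only "does this role carry this permission?", while ABAC evaluates subject, resource and environment attributes together and denies by default when no rule matches.

```python
"""The same access request decided under RBAC and under ABAC.

Added example, not code from the book. Roles, attributes, the payroll resource
and the policy rules are invented to show how the two models differ.
"""
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Request:
    user: str
    action: str                                      # "read" or "write"
    resource: str                                    # e.g. "payroll"
    attributes: dict = field(default_factory=dict)   # role, location, local_time, mfa


# ---- RBAC: a static role -> permission table; request context is never consulted ----
ROLE_PERMISSIONS = {
    "admin": {("payroll", "read"), ("payroll", "write")},
    "hr-analyst": {("payroll", "read")},
    "employee": set(),
}


def rbac_decide(req):
    role = req.attributes.get("role")
    return (req.resource, req.action) in ROLE_PERMISSIONS.get(role, set())


# ---- ABAC: rules are predicates over attributes; any matching allow rule grants ----
def _business_hours(t):
    return time(8, 0) <= t <= time(18, 0)


def hr_read_from_office_in_hours(req):
    """HR analysts may read payroll, but only from the corporate office during business hours."""
    a = req.attributes
    return (req.resource == "payroll" and req.action == "read"
            and a.get("role") == "hr-analyst"
            and a.get("location") == "corp-office"
            and _business_hours(a.get("local_time", time(0, 0))))


def admin_with_mfa(req):
    """Admins may read or write payroll, but only in an MFA-verified session."""
    a = req.attributes
    return req.resource == "payroll" and a.get("role") == "admin" and a.get("mfa") is True


ABAC_POLICIES = [hr_read_from_office_in_hours, admin_with_mfa]


def abac_decide(req, policies=ABAC_POLICIES):
    # Allow-only rules with an implicit default deny: no match means no access.
    return any(rule(req) for rule in policies)


def decide_both(req):
    """Decide one request under both models so the difference is visible side by side."""
    return {"rbac": rbac_decide(req), "abac": abac_decide(req)}


# Constructed requests chosen to show where the models diverge.
ANALYST_AT_HOME_AT_NIGHT = Request(
    "alice", "read", "payroll",
    {"role": "hr-analyst", "location": "home", "local_time": time(2, 30)},
)
ANALYST_AT_OFFICE = Request(
    "alice", "read", "payroll",
    {"role": "hr-analyst", "location": "corp-office", "local_time": time(10, 0)},
)
ADMIN_WITHOUT_MFA = Request("bob", "write", "payroll", {"role": "admin", "mfa": False})
EMPLOYEE_READ = Request("carol", "read", "payroll", {"role": "employee"})

if __name__ == "__main__":
    for label, req in [("analyst at home, 02:30", ANALYST_AT_HOME_AT_NIGHT),
                       ("analyst at office, 10:00", ANALYST_AT_OFFICE),
                       ("admin without MFA", ADMIN_WITHOUT_MFA),
                       ("employee", EMPLOYEE_READ)]:
        print(f"{label}: {decide_both(req)}")
```

RBAC grants the analyst's 02:30 read from home and the admin's write without MFA because the role carries the permission; ABAC denies both because the context attributes fail the rule. The price of that flexibility is that ABAC rules must be reviewed as carefully as code, since a rule with a missing attribute check is an allow.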

At this point, you should have a clear and baseline understanding of DiD. Now, let’s try understanding a benchmark model in information security famously known as the confidentiality, integrity, availability (CIA) triad.

Division of responsibility – Cloud Security Fundamentals

Let us understand how the division of responsibilities varies from one service model to another:

  • On-premises data centers: In an on-premises infrastructure (hardware and software), the customer is responsible for everything, from the physical security of data centers to the encryption of sensitive data.
  • IaaS: Virtual machines offered as a service by cloud providers, such as Azure VMs, AWS EC2, and Google Compute Engine, are examples of IaaS. If a customer decides to use VMs in the cloud, the cloud provider is responsible for the security of the physical data center, physical network, and physical host where the VM runs. As per Figure 1.4, securing the operating system (vulnerabilities and patches), network controls, applications hosted in the VM, identity and directory infrastructure, the devices from which VMs are accessed, and the information and data in the VM are all the customer’s responsibility.
  • PaaS: A wide range of services is offered by cloud providers under the PaaS category. Azure Web App, Logic Apps, Azure Functions, Azure SQL, Azure Service Bus, AWS Lambda, AWS Elastic Beanstalk, and Google App Engine are a few services under the PaaS category. As the service name suggests, PaaS provides an environment for building, testing, and deploying software applications. The most useful benefit of PaaS for its customer is that it helps create an application quickly without the need to manage the underlying infrastructure, such as hardware and operating systems. This becomes easy for customers as they are only responsible for securing the application and data.
  • SaaS: SaaS is a readymade, subscription-based application made available by cloud providers for its customers. Microsoft 365, Skype, Google Workspace, ERP, Amazon Chime, Amazon WorkDocs, and Dynamics CRM are some common examples of SaaS offerings. Out of all the service offerings, SaaS requires the least security responsibility from customers. The cloud provider is responsible for everything except data, identity access, accounts, and devices.

Important note

No matter which service is availed by the customer, the responsibility to protect accounts and identity, devices (mobile and PCs), and data is always retained by the customer.

The shared responsibility model is one of the most important topics to understand in the cloud security domain. Now that you understand it, let us understand another important topic – defense in depth.

Defense in depth

Defense in depth (DiD) is a cybersecurity strategy that uses a layered security approach to protect organizations’ critical assets from cyber criminals by utilizing a series of security measures to slow the advance of an attack. This was originally inspired by the military strategy, where each layer provides protection so that if one layer is breached, a subsequent layer will prevent an attacker from getting unauthorized access to data.

Cloud computing service model – Cloud Security Fundamentals

Cloud service models are different types of cloud computing services that are provided by CSPs to customers or users. There are three main types of cloud service models:

  • Infrastructure-as-a-Service (IaaS): In this service model, the CSP provides the infrastructure or computing resources such as servers, storage, and networking, which can be used by customers to build and manage their applications or services. The customer has control over the operating system, applications, and security, while the CSP is responsible for the underlying infrastructure.
  • Platform-as-a-Service (PaaS): In this service model, the CSP provides a platform for customers to develop, run, and manage their applications without the need to manage the underlying infrastructure. The customer can focus on building and deploying their applications while the CSP takes care of the infrastructure, operating system, and middleware.
  • Software-as-a-Service (SaaS): In this service model, the CSP provides a complete software application or service that can be accessed and used by customers over the internet. The customer does not need to install or manage the software as it is provided by the CSP as a service. Examples of SaaS include email, online storage, and customer relationship management (CRM) software.

In simple terms, cloud service models are different types of cloud computing services that are provided by CSPs to customers. These services can range from providing infrastructure resources to complete software applications, with varying degrees of control and management by the customer.

Next, let us talk about cloud security.

What is cloud security?

Cloud security refers to the set of practices, technologies, policies, and measures designed to safeguard data, applications, and infrastructure in cloud environments. It is crucial because it addresses the security challenges and risks specific to cloud computing, across IaaS, PaaS, and SaaS.

Important note

Gartner reports (https://www.gartner.com/en/newsroom/press-releases/2021-11-10-gartner-says-cloud-will-be-the-centerpiece-of-new-digital-experiences) that 99% of cloud breaches are traced back to preventable misconfigurations or mistakes by cloud customers.

It is evident that cloud computing services bring their own concerns, and most of them can be prevented if services are configured correctly. Typical examples are network and system misconfigurations, IAM misconfigurations (over-permissive policies, unused credentials), and accidental exposure of resources such as publicly readable storage. We will read more about major configuration risks in Chapter 11, but some of them are explained in the following subsection.
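IAM misconfigurations are among the cheapest to catch before they reach production, because a policy document is just JSON that can be inspected when it is proposed. The following is an added example, not code from the book or any cloud vendor's tooling: it audits two constructed policy documents written in the AWS IAM policy grammar (Statement, Effect, Action, Resource, Principal, Condition) for the wildcard patterns that turn a narrow grant into full administrative or public access. The account ID, bucket name and VPC endpoint ID in the samples are placeholders.

```python
"""Flag IAM misconfigurations in a policy document before it is attached.

Added example, not code from the book. The policy JSON below is constructed; it
follows the AWS IAM policy grammar, but the audit logic is generic, runs
offline, and calls no cloud API.
"""
import json


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, which means anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_policy(policy):
    """Return (sid, finding) pairs for Allow statements that grant far more than intended."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))

        if "*" in actions and "*" in resources:
            findings.append((sid, "Action * on Resource *: full administrative access"))
        elif any(a.endswith(":*") for a in actions) and "*" in resources:
            findings.append((sid, "service-wide wildcard action on every resource"))

        if "NotAction" in stmt and "*" in resources:
            findings.append((sid, "NotAction with Resource *: allows everything except the listed actions"))

        if _is_public_principal(stmt.get("Principal")) and not conditioned:
            findings.append((sid, "public principal without a Condition: resource is world-accessible"))
    return findings


# Constructed samples: an identity policy with a "temporary" admin wildcard, and a
# bucket policy in which one statement exposes the bucket to the whole internet.
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOwnLogs", "Effect": "Allow",
     "Action": ["logs:GetLogEvents", "logs:DescribeLogStreams"],
     "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/app/*"},
    {"Sid": "QuickFix", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AllOfS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}
""")

BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}
""")


def audit_samples():
    """Audit both constructed documents."""
    return {"identity": audit_policy(IDENTITY_POLICY), "bucket": audit_policy(BUCKET_POLICY)}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        for sid, finding in findings:
            print(f"{name}/{sid}: {finding}")
```

The VpcOnly statement is deliberately left alone: a "*" principal constrained by a Condition on the source VPC endpoint is a common and legitimate pattern, so a check that flagged every "*" principal would drown the real finding (PublicRead) in noise. Real policy linters also resolve NotAction/NotResource and service-specific wildcards more precisely than this sketch.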

The CIA triad – Cloud Security Fundamentals

Not to be confused with the Central Intelligence Agency, which shares the acronym, CIA here stands for confidentiality, integrity, and availability. It is a widely used information security model that helps an organization protect its sensitive, critical information and assets from unauthorized access:

Figure 1.6 – The CIA triad (https://devopedia.org/images/article/178/8179.1558871715.png)

The preceding diagram depicts the CIA triad. Let’s understand its attributes in detail.

Confidentiality

Confidentiality ensures that sensitive information is kept private and accessible only to authorized individuals or entities. It aims to prevent unauthorized disclosure of information, protecting it from being accessed or viewed by unauthorized users. Consider the payroll system of an organization: the confidentiality aspect ensures that employee salary information, tax details, and other sensitive financial data are kept private and accessible only to authorized personnel. Unauthorized access to such information can lead to privacy breaches, identity theft, or financial fraud.

Integrity

Integrity maintains the accuracy and trustworthiness of data by preventing unauthorized modifications, deletions, or tampering, so that information remains correct and unaltered throughout its life cycle. Returning to the payroll example, the integrity aspect ensures that payroll data stays accurate and unchanged unless it is altered through an authorized process. Any unauthorized modification to payroll data could lead to incorrect salary payments, tax discrepancies, or compliance issues.
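Detecting an unauthorized change to a payroll record is a concrete integrity control, and the choice of mechanism matters. The following is an added example, not code from the book: it stores an unkeyed SHA-256 checksum and an HMAC-SHA256 tag beside a constructed payroll record, then lets an insider with database write access change the salary. The record fields are invented, and the HMAC key is assumed to be held by the payroll service only (in practice in a KMS or HSM), never by the database administrator.

```python
"""Tamper detection for payroll records: an unkeyed checksum versus an HMAC.

Added example, not code from the book. The record fields and key are invented.
It shows why a plain hash stored next to the data does not protect integrity
against anyone who can write the data: they simply recompute it. An HMAC under a
key the payroll service holds (and the database administrator does not) cannot
be recomputed by the party doing the tampering.
"""
import hashlib
import hmac
import json
import secrets


def canonical(record):
    """Serialise deterministically so the same record always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


# --- Weak: an unkeyed digest. Anyone who can change the row can also "fix" this. ---
def checksum(record):
    return hashlib.sha256(canonical(record)).hexdigest()


def checksum_ok(record, stored):
    return hmac.compare_digest(checksum(record), stored)


# --- Stronger: HMAC-SHA256 under a key only the payroll service knows. ---
def hmac_tag(record, key):
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def hmac_ok(record, tag, key):
    # compare_digest avoids leaking the tag byte by byte through timing differences
    return hmac.compare_digest(hmac_tag(record, key), tag)


def demo():
    """Return which verifications pass after an insider edits a salary and recomputes the checksum."""
    service_key = secrets.token_bytes(32)  # assumption: held by the payroll service only
    record = {"employee_id": "E1042", "salary": 72000, "tax_code": "1257L"}  # constructed
    stored_checksum = checksum(record)
    stored_tag = hmac_tag(record, service_key)

    # Insider with write access to the database edits the row and recomputes the unkeyed checksum.
    tampered = dict(record, salary=172000)
    forged_checksum = checksum(tampered)

    return {
        "original_checksum_ok": checksum_ok(record, stored_checksum),
        "original_hmac_ok": hmac_ok(record, stored_tag, service_key),
        "tampered_checksum_ok": checksum_ok(tampered, forged_checksum),  # True: the forgery succeeds
        "tampered_hmac_ok": hmac_ok(tampered, stored_tag, service_key),   # False: no key, no valid tag
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

An HMAC on its own does not stop an attacker who can also delete a record or replay an older, validly tagged version of it; covering those cases needs a sequence number or timestamp inside the tagged data and a separate record of what the latest version should be.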

Availability

Availability ensures that information and services are accessible and operational when needed. It focuses on preventing disruptions or denial of service, so that authorized users can reach the information and services they require without interruption. For the payroll system, availability means the system is accessible and functional when payroll has to run. Payroll processing is critical for employee satisfaction and business operations, and any disruption could result in delayed payments or other financial issues.

Overall, the CIA triad provides a framework for organizations to develop effective cybersecurity strategies. By focusing on confidentiality, integrity, and availability, organizations can ensure that their systems and data are protected from a wide range of threats, including cyberattacks, data breaches, and other security incidents.

SDDC deployment – Appendix: Preflight before Onboarding

When preparing for the deployment of your first SDDC, you need to collect the configuration data in advance. The settings ideally should be captured at the design stage, as discussed in the previous chapter.

The following table depicts the configuration items you need to provide to successfully deploy your first SDDC:

Configuration section | Configuration item | Description
SDDC (see Figure 12.3 for details) | Name | Free text field. You can change the name after the deployment as well. It is recommended to use the company naming convention.
SDDC | AWS Region | AWS Region where your SDDC resides. The Region should fit your subscription, AWS VPC configuration, and AWS DX configuration (if in use).
SDDC | Deployment | Single host – for POC only, for 60 days only. Multi-host – production deployment. Stretched cluster – a deployment across two AWS AZs.
SDDC | Host type | Select one of the available host types. The host type should fit your subscription, design, and workload requirements. You have a choice between i3.metal, i3en.metal, and i4i.metal. See Figure 12.4 for the deployment wizard where the host type is specified. VMware constantly adds new instances; check the VMware documentation for the available instances.
SDDC | Number of hosts | Count of ESXi hosts in your first cluster. If your design requires a multi-cluster setup, you will add additional clusters after the SDDC is provisioned with the first cluster.
AWS Connection (see Figure 12.2 for details) | AWS account | This is an AWS account you own. Choose the account according to the design and security requirements.
AWS Connection | Choose a VPC | Select an AWS VPC (the VPC should be precreated) in your AWS account. This VPC will become a connected VPC after the deployment.
AWS Connection | Choose subnet(s) | Select a subnet in your VPC (the subnet must be precreated). The subnet must have enough free IPs for the SDDC deployment (to accommodate the ESXi hosts’ ENI interfaces). The subnet also defines the destination AZ. You cannot change the subnet after the deployment. If you deploy a stretched cluster SDDC, you must select two subnets in two different AZs.
SDDC networking | Provide the management subnet CIDR | You should provide a private network subnet with enough IP addresses for the SDDC management (vCenter, ESXi hosts, vSAN network, etc.). It is recommended to use a /23 subnet if you plan to deploy more than 10 hosts. You cannot change the subnet after the deployment. Make sure the subnet does not overlap with the on-premises or other connected networks (including AWS).

Table 12.1 – SDDC Configuration Details
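Because the management CIDR and the VPC subnet cannot be changed after deployment, it pays to validate them before clicking through the wizard. The following preflight script is an added example, not part of the book or VMware tooling; the connected-network CIDRs, AZ names, and the one-IP-per-host lower bound are constructed assumptions.

```python
import ipaddress

# Constructed sample values (hypothetical, not taken from any real design).
CONNECTED_NETWORKS = ["10.0.0.0/16", "172.16.0.0/12", "192.168.100.0/24"]


def check_management_cidr(cidr, host_count, connected_networks):
    """Findings for a proposed SDDC management subnet (empty list = OK)."""
    findings = []
    net = ipaddress.ip_network(cidr, strict=False)
    if not net.is_private:
        findings.append(f"{cidr} is not a private (RFC 1918) range")
    # Table 12.1 recommends at least a /23 when more than 10 hosts are planned.
    if host_count > 10 and net.prefixlen > 23:
        findings.append(f"{cidr} is smaller than /23 but {host_count} hosts are planned")
    # The management CIDR cannot be changed later, so overlap must be caught now.
    for other in connected_networks:
        if net.overlaps(ipaddress.ip_network(other, strict=False)):
            findings.append(f"{cidr} overlaps connected network {other}")
    return findings


def check_vpc_subnets(deployment, subnets, host_count, min_ips_per_host=1):
    """subnets: list of (cidr, availability_zone, free_ip_count) tuples.

    min_ips_per_host=1 is only an assumed lower bound; the real number of ENI
    addresses each ESXi host consumes must be taken from the VMware documentation.
    """
    findings = []
    azs = {az for _, az, _ in subnets}
    if deployment == "stretched":
        if len(subnets) != 2 or len(azs) != 2:
            findings.append("a stretched cluster needs two subnets in two different AZs")
    elif len(subnets) != 1:
        findings.append("a single-AZ deployment needs exactly one subnet")
    # Conservative: assumes every host could be placed in this subnet.
    for cidr, az, free_ips in subnets:
        if free_ips < host_count * min_ips_per_host:
            findings.append(f"{cidr} ({az}) has only {free_ips} free IPs for {host_count} hosts")
    return findings


def preflight(design):
    """Run both checks over a design dict and return all findings."""
    return (check_management_cidr(design["mgmt_cidr"], design["hosts"], design["connected"])
            + check_vpc_subnets(design["deployment"], design["subnets"], design["hosts"]))


if __name__ == "__main__":
    design = {"deployment": "multi-host", "hosts": 12, "mgmt_cidr": "10.2.0.0/23",
              "connected": CONNECTED_NETWORKS,
              "subnets": [("10.0.1.0/24", "us-east-1a", 200)]}
    print(preflight(design) or "preflight OK")
```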

You can review the deployment wizard in Figure 12.3:

Figure 12.3 – SDDC deployment wizard SDDC Properties

You can review the VPC and subnet details of the SDDC wizard in Figure 12.4:

Figure 12.4 – SDDC deployment wizard. AWS VPC and subnet

After you have provisioned the SDDC, you must configure access to the vSphere Web Client to manage your SDDC through VMware vCenter Server. You will use the NSX manager UI to create a Management Gateway Firewall Rule. By default, access to vCenter is not allowed. You will specify an IP or a subnet and entitle it to access vCenter. An “allow all” rule is not possible.
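To make the “no allow-all” constraint concrete, here is an added example (not the book’s or VMware’s code) that builds a candidate Management Gateway rule for vCenter access from a list of requested source IPs or subnets and rejects anything equivalent to allow-all. The group name “vCenter”, the HTTPS service, and the /16 breadth threshold are assumptions representing a local policy, not VMware identifiers.

```python
import ipaddress

# Hypothetical local policy values; not VMware object names.
WIDEST_ALLOWED_PREFIX = 16      # flag any source broader than a /16 as too permissive
VCENTER_DESTINATION = "vCenter"  # placeholder for the predefined vCenter system group


def build_vcenter_rule(name, requested_sources, destination=VCENTER_DESTINATION):
    """Return (rule, findings); rule is None whenever a finding blocks it."""
    findings, sources = [], []
    if destination != VCENTER_DESTINATION:
        findings.append(f"destination {destination!r} is not the vCenter group")
    if not requested_sources:
        findings.append("no source given; an empty source list would mean allow-all")
    for src in requested_sources:
        if str(src).strip().lower() == "any":
            findings.append("'any' source is an allow-all rule, which the MGW does not permit")
            continue
        try:
            net = ipaddress.ip_network(src, strict=False)  # a single IP becomes a /32
        except ValueError:
            findings.append(f"{src!r} is not a valid IP address or CIDR")
            continue
        if net.prefixlen == 0:
            findings.append(f"{src} is allow-all, which the MGW does not permit")
        elif net.prefixlen < WIDEST_ALLOWED_PREFIX:
            findings.append(f"{src} is broader than /{WIDEST_ALLOWED_PREFIX}; narrow the source")
        else:
            sources.append(str(net))
    if findings:
        return None, findings
    return {"name": name, "sources": sources, "destination": destination,
            "service": "HTTPS", "action": "allow"}, []


if __name__ == "__main__":
    # Constructed sample input: one admin jump host and one admin subnet.
    print(build_vcenter_rule("admins-to-vcenter", ["203.0.113.10", "198.51.100.0/24"]))
    print(build_vcenter_rule("bad-rule", ["0.0.0.0/0"]))
```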

Accessing and configuring the VMware Cloud Console – Appendix: Preflight before Onboarding

There are a couple of steps required before you can start consuming VMware Cloud on AWS. You use the VMware Cloud Console to provision a VMware Cloud on AWS SDDC. If you are already using any of the VMware Cloud services, you can just log in to the VMware Cloud Console and look for VMware Cloud on AWS in the Services inventory:

Figure 12.1 – VMware Cloud Console Services inventory

However, if it’s the first time you’re using VMware Cloud services, you should get access to the VMware Cloud Console.

The following steps outline the procedure to get started with the VMware Cloud Console:

  1. Receive a welcome email: Upon processing your purchase, VMware will send an email with an activation link. Use this link to log in to the VMware Cloud Console.
    NOTE
    VMware will use the email address designated as the “Fund owner” to send the activation link.
  2. Set up an Organization: An Organization provides authentication boundaries for your VMware Cloud services. Each Organization can be entitled to different services. A user can access multiple Organizations and switch between them in the VMware Cloud Console.
  3. Set up VMware Cloud service accounts: After gaining initial access to the VMware Cloud Console and creating an Organization, you can entitle user accounts to access VMware Cloud on AWS. You can use manual assignment, or you can federate the VMware Cloud Console with your identity provider. If your design includes federation for the VMware Cloud Console, it’s important to configure the federation feature before you deploy the VMware Cloud on AWS SDDC.
  4. Create a term subscription: If you purchased a term subscription, it’s important to create a subscription object in the VMware Cloud Console before you deploy an SDDC. Creating a subscription matching your purchase is the organization’s responsibility – VMware does not pre-create a subscription in your VMware Cloud Organization. Make sure you have all the details of your purchase contract before creating a subscription, including the following:
    • AWS Region
    • Host count and host type
    • Subscription type – flexible or standard
    • Subscription duration – 1 year or 3 years

Figure 12.2 – Creating a subscription for VMware Cloud on AWS
NOTE
You can deploy a VMware Cloud on AWS SDDC without creating a subscription. In this case, VMware will use on-demand prices for billing. If you purchased a subscription but did not create a subscription object in the VMware Cloud Console, on-demand prices will be applied. If you deploy your SDDC using a different AWS Region or host type, or use more hosts, on-demand prices will be applied as well.