Cloud Discover Assessment
Security and Permissions
Overview
This page details the security and permissions we request in the Cloud Discover online tool and how you can revoke these permissions at any time.
Permissions We Request
To use our “Cloud Discover” tool you need administrator-level permissions in your VMware vCenter and on your firewalls. We’ll request some permissions from you; this section describes the permissions we request and why.
Within the Cloud Discover framework we use multiple tools to retrieve your VMware configuration, performance and network utilization data. These tools require “Read Only” access to your vCenter API.
Once you sign in to vCenter, create a new user and grant the required permissions as listed below:
- To add a new user, go to Users and Groups:
vCenter Menu -> Administration -> Single Sign On -> Users and Groups
Then add a new user with a name of your choice for this exercise.
- Create a new role with the Global “Settings” permission:
vCenter Menu -> Administration -> Access Control -> Roles, then add a role with the ‘Global – Settings’ permission.
- Assign this role to the user you just created:
vCenter Menu -> Administration -> Access Control -> Global Permissions -> ‘+’, and tick the box ‘Propagate to Children’. Note: log in to the vSphere Web GUI with this account and confirm it can access and read the configuration before configuring Cloud Discover.
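The verification step in the note above (log in as the new account and confirm it can read the configuration) can be scripted so it is repeatable before every onboarding. The following is an added example, not code from this page or from Macquarie or VMware. It assumes the vSphere Automation REST API endpoints shipped with vCenter 6.5 and later (`/rest/com/vmware/cis/session` for login, `/rest/vcenter/vm` for an inventory read); the vCenter host name and the account name are placeholders.

```python
"""Pre-flight check that the Cloud Discover service account can read vCenter.

Added example, not part of the Macquarie page and not Macquarie's or
VMware's code. It uses the vSphere Automation REST API (vCenter 6.5+):
  POST /rest/com/vmware/cis/session   HTTP Basic auth -> session id
  GET  /rest/vcenter/vm               inventory read, needs read access
The host name, user name and password used below are placeholders.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request

SESSION_PATH = "/rest/com/vmware/cis/session"
VM_LIST_PATH = "/rest/vcenter/vm"


def https_send(url, method, headers, cafile=None):
    """Send one HTTPS request and return (status, parsed JSON body).

    TLS verification stays on; point `cafile` at the vCenter CA bundle
    instead of disabling certificate checks.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def check_service_account(vcenter, user, password, send=https_send):
    """Return a dict saying whether `user` can log in and read the VM list.

    `send` is injectable so the logic can be unit-tested without a vCenter.
    """
    base = f"https://{vcenter}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    status, body = send(base + SESSION_PATH, "POST",
                        {"Authorization": f"Basic {token}"})
    if status != 200 or "value" not in body:
        return {"login": False, "read": False, "vm_count": 0,
                "detail": f"session request returned HTTP {status}"}
    session_id = body["value"]
    status, body = send(base + VM_LIST_PATH, "GET",
                        {"vmware-api-session-id": session_id})
    vms = body.get("value", []) if status == 200 else []
    # Close the session again; the result of the logout is not important here.
    send(base + SESSION_PATH, "DELETE", {"vmware-api-session-id": session_id})
    return {"login": True, "read": status == 200, "vm_count": len(vms),
            "detail": "ok" if status == 200 else f"VM list returned HTTP {status}"}


if __name__ == "__main__":
    import getpass
    result = check_service_account(
        "vcenter.example.internal",          # placeholder: your vCenter FQDN
        "svc-clouddiscover@vsphere.local",   # placeholder: the account you created
        getpass.getpass("service account password: "))
    print(result)
```

A `login: True, read: True` result with a non-zero `vm_count` confirms the account, the role and the propagated global permission line up; `login: True, read: False` usually means the role was created but never assigned, or was assigned without ‘Propagate to Children’.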
The next step is to ensure the “Cloud Discover” resources within your VMware platform can communicate with the application edges hosted by Macquarie and VMware.
The diagram below shows how these services communicate.
Please ensure the network destinations below have been allowed through your firewall. As with vCenter access, you must have administrator rights on your firewall to configure these settings.
Cloudhealth:
Destination | Port | Protocol | Service Description | Purpose |
api.cloudhealthtech.com | 443 | TCP | Primary communication channel with Platform by API. SSL channel encrypted. | Inbound communication port for Cloudhealth API |
On-prem vCenter Server | 443 | TCP | Communication with other data sources within the datacentre | Network Communication |
DNS server | 53 | UDP | Communication for internal and Internet services configured | Network Communication |
vRealize Network Insight:
Destination | Port | Protocol | Service Description | Purpose |
On-prem vCenter Server | 443 | TCP | Communication with other data sources within the datacentre | Network Communication |
reg.ni.vmware.com | 443 | TCP | Services that require Internet access | Registration Service |
support2.ni.vmware.com | 443 | TCP | Services that require Internet access | Support Tunnel Service |
svc.ni.vmware.com | 443 | TCP | Services that require Internet access | Upgrade Service/Metric Service |
Vrni.macquariecloudservices.com | 443 | TCP | Primary communication channel with Platform. SSL channel encrypted with 2048b RSA key based SHA2 cert (or User configured custom cert). Collector to Platform messages on this channel also encrypted further with HMAC. | Inbound communication port for vRealize Network Insight Platform |
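The two tables above are exactly the kind of allow-list that is easy to get subtly wrong (one destination missed, UDP 53 forgotten, a rule applied to the wrong segment). The script below is an added example, not part of this page or of Macquarie's or VMware's tooling: it encodes the rows from both tables and probes each one from the host it runs on, completing a TCP handshake for the 443/TCP rows and sending a hand-built UDP A-record query for the 53/UDP row. `VCENTER_HOST` and `DNS_HOST` are placeholders for your own vCenter and resolver; run it from the network segment where the collector VMs will live.

```python
"""Egress pre-flight check for the Cloud Discover firewall allow-list.

Added example; not part of the Macquarie page and not Macquarie's or
VMware's tooling. The rows below are the destinations from the page's two
tables. 'On-prem vCenter Server' and 'DNS server' are site-specific, so
they are taken from the placeholders VCENTER_HOST and DNS_HOST.
"""
import socket

VCENTER_HOST = "vcenter.example.internal"   # placeholder: your vCenter FQDN
DNS_HOST = "10.0.0.53"                      # placeholder: your internal resolver

# (component, destination, port, protocol), copied from the page's tables
ALLOW_LIST = [
    ("CloudHealth", "api.cloudhealthtech.com", 443, "TCP"),
    ("CloudHealth", VCENTER_HOST, 443, "TCP"),
    ("CloudHealth", DNS_HOST, 53, "UDP"),
    ("vRNI", VCENTER_HOST, 443, "TCP"),
    ("vRNI", "reg.ni.vmware.com", 443, "TCP"),
    ("vRNI", "support2.ni.vmware.com", 443, "TCP"),
    ("vRNI", "svc.ni.vmware.com", 443, "TCP"),
    ("vRNI", "Vrni.macquariecloudservices.com", 443, "TCP"),
]


def tcp_reachable(host, port, timeout=5.0):
    """True if a TCP handshake to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def dns_answers(server, port, name="api.cloudhealthtech.com", timeout=5.0):
    """True if `server` answers a UDP A-record query for `name`.

    The query is built by hand so only the standard library is needed:
    12-byte header (id 0x1234, RD set, one question), then the QNAME
    labels, then QTYPE=A and QCLASS=IN.
    """
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    query = header + qname + b"\x00\x01\x00\x01"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            data, _ = sock.recvfrom(512)
        except OSError:
            return False
    # A reply must echo our transaction id and have the QR (response) bit set.
    return len(data) >= 12 and data[:2] == b"\x12\x34" and (data[2] & 0x80) != 0


def run_checks(allow_list=ALLOW_LIST, tcp=tcp_reachable, dns=dns_answers):
    """Probe every row; return (component, destination, port, protocol, ok) tuples.

    `tcp` and `dns` are injectable so the bookkeeping can be tested offline.
    """
    results = []
    for component, dest, port, proto in allow_list:
        if proto == "TCP":
            ok = tcp(dest, port)
        elif proto == "UDP" and port == 53:
            ok = dns(dest, port)
        else:
            ok = False  # no probe implemented for this protocol/port pair
        results.append((component, dest, port, proto, ok))
    return results


def blocked(results):
    """Rows that failed, i.e. the firewall rules that are still missing."""
    return [r for r in results if not r[4]]


if __name__ == "__main__":
    for component, dest, port, proto, ok in run_checks():
        print(f"{'OK     ' if ok else 'BLOCKED'} {component:<11} {dest}:{port}/{proto}")
```

A clean run shows `OK` on every row; anything reported `BLOCKED` is either a missing firewall rule or a DNS problem, and the list printed by `blocked()` is what to hand to the firewall administrator.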
You are all done. Please share the previously created account details with your Macquarie representative and wait for further instruction to configure the local Cloud Discover resources in your environment. Don’t worry, this is as simple as configuring the permissions above.
Revoking Access
Like granting access, revoking access to our application is relatively straightforward.
By following these steps, you’ll clean up all permissions Macquarie Cloud Services has configured for your vCenter server appliance.
Removing Service Account User
For a service account user created in vsphere.local:
Go to ‘vCenter Menu -> Administration -> Single Sign On -> Users and Groups’
Select the user and click ‘DELETE’.
For a service account user created under an AD domain:
Log in to the domain controller
Go to ‘Windows Server Manager -> Tools -> Active Directory Users and Computers’
Search for and delete the user.
Removing the Role
Go to ‘vCenter Menu -> Administration -> Access Control -> Roles’
Select and delete the role created for Cloud Discover usage.
Removing the Collector VMs
In the vCenter client GUI, search for or browse to the collector VMs
Power off the collector VMs
Right click the VMs and select ‘Delete from Disk’
Appendix
Cloud Discover System requirements
- On-prem vCenter is running v6.5 or above.
- The CloudHealth Aggregator deploys as a single VM on-premises for each vSphere environment.
- The Cloud Discover aggregator requires a VM of 2 vCPUs, 2 GB memory and 10 GB of disk storage.
- vRNI Collector (Proxy) VM size: 5 vCores, 12 GB RAM and 200 GB disk.
- A vCenter service account with the ‘Read-Only’ role and the ‘Global – Settings’ permission.
- The network access requirements listed above.