Cloud Discover Assessment

Security and Permissions

Overview

This page details the security and permissions we request in the Cloud Discover online tool and how you can revoke these permissions at any time.

Permissions We Request

To use our “Cloud Discover” tool you need administrator-level permissions in your VMware vCenter and your firewalls. We will request some permissions from you; this section describes the permissions we request and why.

Within the Cloud Discover framework we use multiple tools to retrieve your VMware configuration, performance and network utilisation data. These tools require “Read Only” access to your vCenter API.

Once you sign in to vCenter, create a new user and grant the required permissions as listed below:

  • To add a new user, go to ‘vCenter Menu -> Administration -> Single Sign On -> Users and Groups’ and add a new user with a name of your choice for this exercise.


  • Also create a new role with the Global “Settings” permission: go to ‘vCenter Menu -> Administration -> Access Control -> Roles’ and add a role with the ‘Global – Settings’ permission.
  • Assign this role to the user account you just created: go to ‘vCenter Menu -> Administration -> Access Control -> Global permissions -> ‘+’’ and tick the ‘Propagate to Children’ box. Note: log in to the vSphere Web GUI with this account and confirm that it can access and read the configuration before configuring Cloud Discover.

The next step is to ensure the “Cloud Discover” resources within your VMware platform can communicate with the application edges hosted by Macquarie and VMware.

The diagram below shows how these services communicate.

[Diagram: Cloud Discover - Security and Permissions]

Please ensure the network destinations below are allowed through your firewall. As with vCenter access, you must have administrator rights on your firewall to configure these settings.

Cloudhealth:

Destination | Port | Protocol | Service Description | Purpose
api.cloudhealthtech.com | 443 | TCP | Primary communication channel with Platform by API. SSL channel encrypted. | Inbound communication port for Cloudhealth API
On-prem vCenter Server | 443 | TCP | Communication with other data sources within the datacentre | Network Communication
DNS server | 53 | UDP | Communication for internal and Internet services configured | Network Communication

vRealize Network Insight:

Destination | Port | Protocol | Service Description | Purpose
On-prem vCenter Server | 443 | TCP | Communication with other data sources within the datacentre | Network Communication
reg.ni.vmware.com | 443 | TCP | Services that require Internet access | Registration Service
support2.ni.vmware.com | 443 | TCP | Services that require Internet access | Support Tunnel Service
svc.ni.vmware.com | 443 | TCP | Services that require Internet access | Upgrade Service/Metric Service
Vrni.macquariecloudservices.com | 443 | TCP | Primary communication channel with Platform. SSL channel encrypted with 2048b RSA key based SHA2 cert (or User configured custom cert). Collector to Platform messages on this channel also encrypted further with HMAC. | Inbound communication port for vRealize Network Insight Platform

That is all for this part. Please share the account details you created with your Macquarie representative and wait for further instructions on configuring the local Cloud Discover resources in your environment. Don’t worry, that step is as simple as configuring the permissions above.

Revoking Access

Like granting access, revoking access to our application is relatively straightforward.

By following these steps you will clean up any permissions Macquarie Cloud Services has configured for your vCenter server appliance.

Removing Service Account User

For a service account user created in vsphere.local:
Go to ‘vCenter Menu -> Administration -> Single Sign On -> Users and Groups’.
Select the user and click ‘DELETE’.

For a service account user created under an AD domain:
Log in to the domain controller.
Go to ‘Windows Server Manager -> Tools -> Active Directory Users and Computers’.
Search for and delete the user.

Removing the Role

Go to ‘vCenter Menu -> Administration -> Access Control -> Roles’.
Select and delete the role created for Cloud Discover usage.

Removing the Collector VMs

In the vCenter client GUI, search for or locate the collector VMs.
Power off the collector VMs.
Right-click the VMs and select ‘Delete from Disk’.

Appendix

Cloud Discover System requirements

  • On-prem vCenter is running on v6.5 or above.
  • The CloudHealth Aggregator deploys as a single VM on-premise for each vSphere environment.
  • The Cloud Discover aggregator requires a VM size of 2 vCPUs, 2 GB memory and 10 GB of disk storage.
  • vRNI Collector (Proxy) VM size: 5 vCores, 12 GB RAM and 200 GB disk.
  • A vCenter service account; it requires the ‘Read-Only’ role with the ‘Global – Settings’ permission.
  • The network access requirements listed above.