Security considerations

Review the following best practices to ensure that the VX cluster deployment environment is secured and that any potential security exposures are avoided.

Network best practices

  • The VX Deployer appliance is a virtual machine that is preloaded on VX Appliance systems. When cabling the systems, you should create a dedicated management network fabric which will be used by the VX Deployer to access the xClarity Controller (XCC) modules on the systems. In addition, the ESXi management fabric should be isolated into its own VLAN, and only authorized management applications should have access to this VLAN.

  • Preferably, the ThinkAgile VX systems being deployed should also be isolated into their own network switches, separate from any other systems on the network. This will help isolate any security incidents to only the VX systems in the network.

For more information about networking, see the following topic:

Cabling the network

VX Deployer best practices

The VX Deployer appliance is preloaded on the ThinkAgile VX systems. When configuring the appliance for network access, only configure the two network interfaces that are required for the operation:
  • External network - this interface is used to access ESXi, vCenter, and the xClarity Integrator appliance (which are deployed on the VX cluster during the installation). If these management appliances do not need to be accessible from the campus (data center) network, do not configure the campus network VLAN tag on the portgroup on your vSwitch that connects the VX Deployer. This way, the VX Deployer cannot send any traffic over into the campus (data center) network. Correspondingly, users will not be able to access the VX Deployer from the campus network. Only local administrators having access to the isolated management VLAN will be able to access the appliance.

  • XCC network - this is the network that connects the VX Deployer to the XCC modules on the hosts. This network is also used by the xClarity Integrator appliance for its operations, including systems monitoring, lifecycle management, and vSAN topology view. You should also isolate this traffic into its own VLAN, protected from other access points on the network.

Credentials

Any passwords configured during the deployment, such as vCenter accounts, ESXi accounts, and XCC credentials, will be removed from the VX Deployer database upon successful deployment of the cluster. However, if a deployment fails, there is a possibility some of these artifacts are still stored in the VX Deployer database. Although there is no direct threat of any information exposure, you should shutdown the VX Deployer appliance when you are not actively deploying a cluster. No services running in the VX Deployer are required to be running continuously for any cluster operations. Therefore, it is not necessary to keep the appliance running all the time.

Note: In case a cluster deployment failed and you need to contact Lenovo support for assistance, they might require additional ports to be permitted temporarily. Follow all instructions from the support engineer at that point.