| Component | Recommended Action Item |
|---|---|
| Compute | Configure firewall rules and ports according to best practices. |
| Compute | Configure VMware vSphere ESXi Shell and SSH access per the customer's security and manageability requirements. |
| Datacenter | Use vCenter Server roles, groups, and permissions to provide appropriate access and authorization to the VMware virtual infrastructure. Avoid using Windows built-in groups (Administrators). |
| Datacenter | Set a Tasks and Events retention policy in the environment. |
| Datacenter | Size the cluster with HA host-failure considerations in mind. |
| Datacenter | Set up redundancy for the management port (either using a separate vmnic or a separate uplink) and an alternate isolation response gateway address (if appropriate) for more reliable HA isolation detection. |
| Datacenter | Maintain compatible and homogeneous (CPU and memory) hosts within a cluster to support the required functionality for vMotion, vSphere DRS, VMware vSphere Distributed Power Management (DPM), VMware vSphere HA, and vSphere FT. |
| Network | Verify that there is redundancy in networking paths and components to avoid single points of failure. For example, provide at least two paths to each network. |
| Network | Configure networking consistently across all hosts in a cluster. |
| Network | If jumbo frames are enabled, verify that jumbo frame support is enabled on all intermediate devices and that there is no MTU mismatch. |
| Network | Minimize differences in the number of active NICs across hosts within a cluster. |
| Network | Configure networks so that traffic is separated (physically, or logically using VLANs). |
| Network | Use DV Port Groups to apply policies to traffic flow types and to provide Rx bandwidth controls through the use of Traffic Shaping. |
| Network | Use Load-Based Teaming (LBT) to balance virtual machine network traffic across multiple uplinks. |
| Network | Use Network I/O Control (NetIOC) to prioritize traffic on 10GbE network uplinks. |
| Network | Adjust load balancing settings from the default (virtual port ID) only if necessary. |
| Storage | Minimize differences in the datastores visible across hosts within the same cluster or vMotion scope. |
| Storage | Separate NFS and iSCSI storage traffic physically (for performance) and logically (for security). |
| Virtual Machines | Limit the use of snapshots, and when using snapshots, limit them to short-term use. |
| Virtual Machines | Verify that VMware Tools is installed, running, and up to date on running virtual machines. |
| Virtual Machines | Verify that virtual machines meet the requirements for vSphere vMotion. |
| Compute | Avoid unnecessary changes to advanced parameter settings. |
| Datacenter | Enable bidirectional CHAP authentication for iSCSI traffic, using a unique CHAP secret for each direction. |
| Datacenter | Disconnect vSphere Clients from the vCenter Server when they are no longer needed. |
| Datacenter | Maintain compatible virtual hardware versions for virtual machines to support vMotion. |
| Licensing | Verify that adequate licenses are available for vCenter Server instances. |
| Licensing | Verify that adequate CPU licenses are available for ESXi hosts. |
| Network | Distribute the vmnics for a port group across different PCI buses for greater redundancy. |
| Network | Change the port group security settings for Forged Transmits, Promiscuous Mode, and MAC Address Changes from their defaults to Reject unless the application requires the defaults. |
| Storage | Use shared storage for virtual machines instead of local storage. |
| Storage | Size datastores appropriately. |
| Storage | Allocate space on shared datastores for templates and media/ISOs separately from the datastores used for virtual machines. |
| Storage | Use Storage I/O Control (SIOC) to prioritize the traffic of high-importance virtual machines. |
| Virtual Machines | As a security hardening measure, disable certain unexposed features. |
| Virtual Machines | Limit the sharing of console connections if there are security concerns. |
| Virtual Machines | Allocate only as much virtual hardware as each virtual machine requires. Disable any unused, unnecessary, or unauthorized virtual hardware devices. |
| Virtual Machines | Consider using the latest virtual hardware version to take advantage of additional capabilities. |
| Virtual Machines | Use the latest version of VMXNET that is supported by the guest operating system. |
| Virtual Machines | Use reservations and limits selectively, only on virtual machines that need them. Don't set reservations too high or limits too low. |
| Virtual Machines | Select the correct guest operating system type in the virtual machine configuration to match the installed guest operating system. |
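The port group security item above (Forged Transmits, Promiscuous Mode, and MAC Address Changes set to Reject) is one of the few rows that can be verified mechanically. The following PowerCLI script is an added example, not part of the original checklist or VMware's own tooling; it assumes VMware PowerCLI's `Get-VirtualPortGroup`, `Get-SecurityPolicy` and `Set-SecurityPolicy` cmdlets, a placeholder vCenter name, and that the `$Exempt` list holds the port groups whose application genuinely requires Accept.

```powershell
# Added example: audit standard vSwitch port groups for the three security-policy
# settings the checklist wants set to Reject, and optionally remediate them.
# Assumes VMware PowerCLI is installed; the vCenter name below is a placeholder.
param(
    [string]$Server = 'vcenter.example.invalid',   # placeholder vCenter address
    [string]$Cluster = '*',                         # narrow the audit to one cluster if wanted
    [string[]]$Exempt = @(),                        # port groups whose app really needs Accept
    [switch]$Remediate                              # default is report-only
)

Connect-VIServer -Server $Server | Out-Null

$findings = foreach ($pg in Get-Cluster -Name $Cluster | Get-VMHost | Get-VirtualPortGroup -Standard) {
    if ($Exempt -contains $pg.Name) { continue }
    $policy = $pg | Get-SecurityPolicy
    # PowerCLI exposes each setting as a boolean: $true means Accept, $false means Reject.
    $accepting = @()
    if ($policy.AllowPromiscuous) { $accepting += 'PromiscuousMode' }
    if ($policy.ForgedTransmits)  { $accepting += 'ForgedTransmits' }
    if ($policy.MacChanges)       { $accepting += 'MacAddressChanges' }
    if ($accepting.Count -eq 0) { continue }

    [pscustomobject]@{
        Host      = $pg.VirtualSwitch.VMHost.Name
        Switch    = $pg.VirtualSwitchName
        PortGroup = $pg.Name
        Accepting = $accepting -join ','
    }
    if ($Remediate) {
        # Set all three to Reject on the offending port group only.
        $policy | Set-SecurityPolicy -AllowPromiscuous $false `
                                     -ForgedTransmits $false `
                                     -MacChanges $false | Out-Null
    }
}

# One row per port group that still accepts at least one of the three settings.
$findings | Sort-Object Host, PortGroup | Format-Table -AutoSize
Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it without `-Remediate` first and review the report; port groups that legitimately need Accept (some load-balancer or nested-virtualization setups) belong in `-Exempt` before a remediation pass.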