This document describes a typical Google Cloud VMware Engine architecture. It also lists the security best practices that apply to VMware Engine workloads and describes when you would use specific Google Cloud services.
Architecture
The following diagram shows the Google Cloud services in a typical VMware Engine architecture.
This diagram includes the following:
- Backup and DR Service is a managed service that provides backup and recovery of workloads running in VMware Engine.
- BigQuery provides data warehousing and analytic capabilities for data that's generated by the applications and databases that run on VMware Engine VMs.
- Cloud Audit Logs tracks the actions that your users take in your environment, which enhances your troubleshooting, auditing, and incident response capabilities.
- Cloud Billing dashboards and alerts let you review usage and billing of VMware Engine workloads.
- Cloud Identity provides unified identity, access, and application management for Google Cloud.
- Cloud Load Balancing can be used with hybrid network endpoint groups (NEGs) to distribute traffic to applications that run on VMware Engine VMs.
- Cloud Storage stores data, including backup data, for VMware Engine VMs and workloads.
- Compute Engine can run applications that VMware Engine workloads interact with.
- Cloud DNS registers, manages, and serves your domain.
- Google Cloud Armor provides DDoS protection and WAF capabilities for web applications hosted in VMware Engine and applications that are exposed using Cloud Load Balancing.
- Google Kubernetes Engine lets you run Kubernetes clusters on your VMware infrastructure within VMware Engine.
- Identity and Access Management (IAM) controls who can perform specific actions on VMware Engine resources, such as creating, editing, or deleting them.
- Organization Policy Service centrally manages and enforces policies across your Google Cloud environment. Organization Policy helps to ensure consistent configuration and security compliance across the projects and resources within your organization.
- Resource Manager helps you group and manage logical components of your VMware Engine workloads.
- Secret Manager helps you protect the sensitive data and credentials that are used in VMware Engine projects.
- Security Command Center helps you protect your cloud organization, your VMware workloads, and the data that you store on Google Cloud. Security Command Center provides the following:
  - Centralized security management
  - Threat detection and incident response
  - Automated security assessments
  - Compliance and regulatory reporting
  - Security recommendations and best practices
- Virtual Private Cloud (VPC) isolates your resources from the internet in a secure environment. This network configuration helps protect sensitive data and workloads from unauthorized access and potential cyberattacks.
- Cloud VPN or Cloud Interconnect lets you establish a secure network connection between your on-premises infrastructure and your VMware Engine environment. Cloud VPN or Cloud Interconnect helps enable seamless data transfer and communication between your private network and Google Cloud resources.
Best practices for VMware Engine workloads
This section provides links to the best practices for workloads that use VMware Engine.
- Recommended user groups and IAM roles
Secure enterprise foundation best practices
Authentication and authorization best practices
- Disable automatic IAM grants for default service accounts
- Block the creation of external service account keys
- Block service account key uploads
- Configure separation of duties for organization policy administrators
- Enable two-step verification for super admin accounts
- Enforce two-step verification on the super admin organization unit
- Create an exclusive email address for the primary super admin
- Create redundant administrator accounts
- Implement tags to efficiently assign IAM policies and organization policies
- Audit high-risk changes to IAM
- Block access to Cloud Shell for Cloud Identity managed user accounts
- Configure Context-Aware Access for Google consoles
- Block account self-recovery for super admin accounts
- Turn off unused Google services
- Use Privileged Access Manager
Organization best practices
Networking best practices
Logging, monitoring, and alerting best practices
Key and secret management best practices
- Encrypt data at rest in Google Cloud
- Use NIST-approved algorithms for encryption and decryption
- Set the purpose for Cloud Key Management Service keys
- Ensure that CMEK settings are appropriate for secure BigQuery data warehouses
- Rotate encryption keys every 90 days
- Set up automatic secret rotation
- Restrict customer-managed encryption keys location
- Use CMEK for Google Cloud services
- Replicate secrets automatically
Security posture and analytics best practices
Infrastructure best practices
Compute best practices
- Define VM instances that can enable IP forwarding
- Disable VM-nested virtualization
- Restrict external IP addresses on VMs
- Define permitted external IP addresses for VM instances
- Require VPC connector for Cloud Run functions
- Turn off external IP addresses for Dataflow jobs
- Use network tags for firewall rules
VMware Engine best practices
- Limit Admin role assignments for VMware Engine
- Use the VMware Engine Service Viewer role for least privilege
- Use RBAC and least privilege for vCenter Server Appliance roles
- Use identity federation for VMware users
- Grant roles to groups instead of individuals for vCenter Server Appliance
- Don't assign the Cloud-Owner-Role to user groups in vSphere
- Avoid using default vCenter and NSX-T service accounts
- Rotate passwords for default vCenter and NSX-T service accounts every 90 days
- Use the NSX Gateway Firewall to segment north-south traffic
- Use the NSX Distributed Firewall to segment east-west traffic
- Create separate subnets for workloads with different security requirements
- Create a log sink to store VMware Engine audit logs
- Collect VMware-level platform logs
- Monitor applications using Logging and Monitoring
- Create private clouds in regions that match your data-residency requirements
- Implement a backup and disaster recovery strategy
- Implement application-level encryption for VMware workloads
- Enable data-in-transit encryption on VMware vSAN clusters
- Configure vSAN data-at-rest encryption to use CMEK
- Rotate the keys used for vSAN data-at-rest encryption
Data management best practices
Storage best practices
- Block public access to Cloud Storage buckets
- Use uniform bucket-level access
- Protect HMAC keys for service accounts
- Detect enumeration of Cloud Storage buckets by service accounts
- Ensure Cloud Storage bucket retention policy uses Bucket Lock
- Set lifecycle rules for the SetStorageClass action
- Set permitted regions for storage classes
- Enable lifecycle management for Cloud Storage buckets
- Enable lifecycle management rules for Cloud Storage buckets
- Review and evaluate temporary holds on active objects
- Enforce retention policies on Cloud Storage buckets
- Enforce classification tags for Cloud Storage buckets
- Enforce log buckets for Cloud Storage buckets
- Configure deletion rules for Cloud Storage buckets
- Ensure isLive condition is False for deletion rules
- Enforce versioning for Cloud Storage buckets
- Enforce owners for Cloud Storage buckets
- Enable logging of key Cloud Storage activities