VMware Cloud Well-Architected Framework for Azure VMware Solution: Shared Responsibility Model

VMware Cloud Shared Responsibility

A shared responsibility model is common among the different VMware Cloud Infrastructure Service providers, which defines distinct roles and responsibilities between the VMware Cloud Infrastructure Services provider and an organization consuming the service.

Disclaimer: The intent of this document is to provide guidance and best practices for VMware Cloud Infrastructure Service providers regarding the shared responsibilities of the service.

Azure VMware Solution

Azure VMware Solution implements a shared responsibility model that defines distinct roles and responsibilities of the two parties involved in the offering: Customer and Microsoft.

Graphical user interface</p>
<p>Description automatically generated



Azure VMware Solution is a first party Azure service, customers should work directly with Microsoft support. This solution is fully supported and verified by VMware.

Customer Responsibility: Security in the Cloud

Customers are responsible for the deployment and ongoing configuration of their SDDC, virtual machines, and data that reside therein. In addition to determining the network firewall, ExpressRoute and VPN configuration, customers are responsible for managing virtual machines (including in guest security and encryption) and using Azure role-based access control (or Azure Active Directory) along with vCenter Roles and Permissions to apply the appropriate controls for users.

Microsoft Responsibility: Azure VMware Solution Security of the Cloud

Microsoft is responsible for protecting the software and systems that make up the Azure VMware Solution service. This software infrastructure is composed of the compute, storage, and networking software comprising the SDDC, along with the service consoles used to provision Azure VMware Solution.

Microsoft Responsibility: Azure Infrastructure Security of the Infrastructure

Microsoft is responsible for the physical facilities, physical security, infrastructure, and hardware underlying the entire service. Details on the shared responsibility model employed by Azure VMware Solution can be found in the table below. You can see that a great deal of low-level operational work is handled by the Microsoft leaving the customer to focus on managing their workloads.

Shared Responsibility Matrix

The following is not an exhausted list of responsibilities but encompass the most frequent tasks and definitions. For further questions, please contact Microsoft.





  • Deploying Software Defined Data Centers (SDDCs)
  • Host Count
  • Management Network Range
  • HCX Network Range
  • Configuring SDDC Network & Security (NSX)
  • Tier-1 Routers
  • Firewall
  • IPsec VPN
  • NAT
  • Public IP Addresses
  • Network Segments
  • Distributed Firewall
  • Network extension (via HCX or NSX)
  • Configuring SDDC Network & Security (VSAN)
  • Define and maintain VSAN VM Policies
  • Add hosts to maintain adequate “slack space”
  • Deploying Virtual Machines
  • Installing Operating Systems
  • Patching Operating Systems
  • Installing Antivirus Software
  • Installing Backup Software
  • Installing Configuration Management Software
  • Migrating Virtual Machines
  • HCX Configuration
  • HCX Updates
  • Live vMotion
  • Cold Migration
  • Content Library Sync
  • Managing Virtual Machines
  • Installing software
  • Implementing backup solution
  • Implementing Antivirus solution

Microsoft – Azure VMware Solution

  • SDDC Lifecyle
  • ESXi patch and upgrade
  • vCenter Server patch and upgrade
  • NSX patch and upgrade
  • vSAN patch and upgrade
  • SDDC Networking (NSX)
  • Tier-0 Router
  • Connectivity from Tier-0 to Azure Network
  • SDDC Backup/Restore
  • Backup and Restore vCenter Server
  • Backup and Restore NSX Manager
  • SDDC Health
  • Replace failed hosts

Microsoft – Azure Infrastructure

  • Physical Infrastructure
  • Azure Regions
  • Azure Availability Zones
  • Compute / Network / Storage
  • Rack and Power Bare Metal Hosts
  • Rack and Power Network Equipment



Azure VMware Solution private cloud updates and upgrades


In the next section, learn about the different considerations for managing infrastructure and application services.


Associated Content

From the action bar MORE button.

Filter Tags

General Azure Services Azure VMware Solution Document Design