VMware Cloud Well-Architected Framework for Azure VMware Solution: Shared Responsibility Model

VMware Cloud Shared Responsibility

A shared responsibility model is common among the different VMware Cloud Infrastructure Service providers, which defines distinct roles and responsibilities between the VMware Cloud Infrastructure Services provider and an organization consuming the service.

Disclaimer: The intent of this document is to provide guidance and best practices for VMware Cloud Infrastructure Service providers regarding the shared responsibilities of the service.

Azure VMware Solution

Azure VMware Solution implements a shared responsibility model that defines distinct roles and responsibilities for VMware, Microsoft, 3rd party vendors, customers, and tenants.

Azure VMware Solution Shared Responsibility Matrix Table



Azure VMware Solution is a first party Azure service, customers should work directly with Microsoft support. This solution is fully supported and verified by VMware.

Customer Responsibility: Security in the Cloud

Customers are responsible for the deployment and ongoing configuration of their SDDC, virtual machines, and data that reside therein. In addition to determining the network firewall, ExpressRoute and VPN configuration, customers are responsible for managing virtual machines (including in guest security and encryption) and using Azure role-based access control (or Azure Active Directory) along with vCenter Roles and Permissions to apply the appropriate controls for users.

Microsoft Responsibility: Azure VMware Solution Security of the Cloud

Microsoft is responsible for the physical facilities, physical security, infrastructure, and hardware underlying the entire service. Details on the shared responsibility model employed by Azure VMware Solution can be found in the table below. You can see that a great deal of low-level operational work is handled by the Microsoft leaving the customer to focus on managing their workloads.

Microsoft is responsible for protecting the software and systems that make up the Azure VMware Solution service. This software infrastructure is composed of the compute, storage, and networking software comprising the SDDC, along with the service consoles used to provision Azure VMware Solution.

Shared Responsibility Matrix

The following is not an exhausted list of responsibilities but encompass the most frequent tasks and definitions. For further questions, please contact Microsoft.




  • Deploying Software Defined Data Centers (SDDCs)
  • Host quota
  • Host count
  • Management Network Range
  • HCX Network Range
  • Configuring SDDC Network & Security (NSX-T)
  • Additional Tier-1 Routers
  • Firewall
  • VMware NSX-T Data Center LB
  • IPsec VPN
  • NAT
  • Public IP addresses
  • Network Segments
  • Distributed firewall, gateway firewall
  • Network extension (via HCX or NSX)
  • AD/LDAP configuration for RBAC
  • Configuring SDDC – VMware vCenter Server
  • AD/LDAP configuration for RBAC
  • Configuring SDDC Network & Security (vSAN)
  • Define and maintain VSAN VM Policies
  •  Add hosts to maintain adequate “slack space”
  • Deploying Virtual Machines
  • Installing Operating Systems
  • Patching Operating Systems
  • Installing Antivirus Software
  • Installing Backup Software
  • Installing Configuration Management Software
  • Migrating Virtual Machines
  • HCX Configuration
  • HCX Updates
  • Live vMotion
  • Cold Migration
  • Content Library Sync
  • Managing Virtual Machines
  • Installing software
  • Implementing backup solution
  • Implementing Antivirus solution
  • Configure VMware HCX
  • Download and deploy HCA connector OVA on-premises
  • Pairing on-premises HCX connector
  • Configure the network profile, compute profile, and service mesh
  • Configure HCX network extension/MON
  • Updates and upgrades
  • Network configuration to connect to on-premises, VNet, or internet
  • Add or delete hosts requests to cluster from the Azure portal
  • Deploy/lifecycle management of partner (3rd party) solutions


  • Physical Infrastructure
  • Azure Regions
  • Azure Availability Zones
  • Express Route/Global reach
  • Compute / Network / Storage
  • Rack and Power Bare Metal Hosts
  • Rack and Power Network Equipment
  • SDDC Lifecyle
  • ESXi deploy, patch, and upgrade
  • vCenter Server deploy, patch, and upgrade
  • NSX-T deploy, patch, and upgrade
  • vSAN deploy, patch, and upgrade
  • SDDC Networking (NSX)
  • Microsoft Edge node/cluster, VMware NSX-T host preparation
  • Provide Tier-0 and Tenant Tier-1 Gateway
  • Connectivity from Tier-0 (using BGP) to Azure Network via Express Route
  • SDDC Compute – VMware vCenter Server provider configuration
  • Create default cluster
  • Configure virtual networking for vMotion, Management, vSAN, and others.
  • SDDC Backup/Restore
  • Backup and Restore VMware vCenter Server
  • Backup and Restore NSX-T Manager
  • SDDC Health
  • Monitoring and corrective actions
  • Replace failed hosts
  • HCX deployment with fully configured compute profile on cloud side as add-on (optional)
  • SRM deployment, upgrade, scale up/down (optional)
  • Support SDDC platforms and VMware HCX

Partner ecosystem

Partners provide support for their own products and solutions.

  • BCDR - SRM, JetStream Zerto, and others
  • Backup - Veeam, Commvault, Rubrik, and others
  • VDI - Horizon/Citrix
  • Security Solutions - BitDefender, TrendMicro, Checkpoint
  • Other VMware products - Aria (formerly vRealize), AVI


Azure VMware Solution private cloud updates and upgrades

In the next section, learn about the different considerations for managing infrastructure and application services.


The following updates were made to this guide:


Description of Changes


  • Updated graphic and table.


  • Guide was published.


Filter Tags

Operations and Management Cloud Well-Architected Framework Azure Services Azure VMware Solution Document Design