VMware Cloud Well-Architected Framework for Google Cloud VMware Engine: Shared Responsibility Model

VMware Cloud Shared Responsibility

A shared responsibility model is common among the different VMware Cloud Infrastructure Service providers, which defines distinct roles and responsibilities between the VMware Cloud Infrastructure Services provider and an organization consuming the service.

Disclaimer: The intent of this document is to provide guidance and best practices for VMware Cloud Infrastructure Service providers regarding the shared responsibilities of the service.

Google Cloud VMware Engine

Google Cloud VMware Engine implements a shared responsibility model that defines distinct roles and responsibilities of the parties involved in the offering: the Customer and Google.


Graphical user interface</p>
<p>Description automatically generated



Customer Responsibility: Security in the Cloud

Customers are responsible for the deployment and ongoing configuration of their SDDC, virtual machines, and data that reside therein. In addition to determining the network, firewall, and VPN configuration, customers are responsible for managing virtual machines (including guest security and encryption) and using Google Cloud Platform IAM Roles and Permissions along with vCenter Roles and Permissions to apply the appropriate controls for users.

Google is responsible for securing the software that makes up the Google Cloud VMware Engine service. This software infrastructure is composed of the compute, storage, and networking software comprising the private cloud, and the software that interfaces with these infrastructure services. Google is also responsible for the physical facilities, physical security, infrastructure, and underlying hardware for the entire service.

Details on the shared responsibility model employed by Google Cloud VMware Engine can be found in the table below. This table does not represent an exhaustive list of all responsibilities, but it covers common tasks. A great deal of low-level operational work is handled by the Google Cloud VMware Engine team, allowing the customer to focus on managing their workloads instead of physical infrastructure. Contact Google Cloud support if any further clarification is needed on which party is responsible for a particular task or component.

Shared Responsibility Matrix

The following is not an exhausted list of responsibilities but encompass the most frequent tasks and definitions. For further information, please contact Google.





  • Deploying the Google Cloud VMware Engine private cloud
  • Host Count (3 minimum)
  • Connected GCP Project
  • Network range for management appliances/resources
  • Configuring private cloud networking and security
  • Configuring Google Cloud VMware Engine Firewall, Regional settings, Client VPN, and Public IP address allocations
  • Configuring NSX-T based Firewalls, VPN, and NAT settings
  • Provisioning NSX-T segments
  • Deploying and Managing Virtual Machines
  • Installing Operating Systems
  • Patching Operating Systems
  • Installing and Managing Antivirus Software
  • Installing and Managing Backup Software
  • Installing and Managing any Configuration Management/Infrastructure as Code solutions
  • Migrating Virtual Machines
  • Using HCX for Cold, Bulk, vMotion, or RAV-based migrations
  • Content Library Sync
  • Operating System and Application-level monitoring

Google – Google Cloud VMware Engine

  • SDDC Lifecycle
  • ESXi patch and upgrade
  • vCenter Server patch and upgrade
  • NSX patch and upgrade
  • vSAN patch and upgrade
  • SDDC Backup/Restore
  • Backup and Restore vCenter Server
  • Backup and Restore NSX Manager
  • SDDC Health
  • Replace failed hosts
  • Add hosts and maintain adequate capacity
  • SDDC Provisioning
  • Operate VMware Engine console
  • Manage integration between VMware Engine and the wider Google Cloud
  • Physical Infrastructure
  • GCP Regions and Availability Zones
  • Compute / Network / Storage
  • Rack and Power Bare Metal Hosts
  • Rack and Power Network Equipment

Google – Google Cloud VMware Engine Infrastructure

  • Physical Infrastructure
  • GCP Regions
  • GCP Zones
  • Compute / Network / Storage
  • Rack and Power Bare Metal Hosts
  • Rack and Power Network Equipment



In the next section, learn about the different considerations for managing infrastructure and application services.




Filter Tags

General Google Services Google Cloud VMware Engine Document Design