Cloud CloudOps Data Center Virtualization & Cloud Infrastructure Hybrid Cloud Organizational Change

Operationalizing VMware Cloud on AWS PACSI Matrix

Kevin Lees, Chief Technologist, IT Operations Transformation

Andrea Siviero, Principal Architect


VMware Cloud on AWS provides a unified infrastructure framework that enables businesses to integrate their on-premise, VMware SDDC platform with AWS. It does so while providing a common operating environment in which existing tools and skillsets based on familiar VMware software can be leveraged. This is extremely powerful but comforting at the same time.


That said, there is still some angst expressed at the operational level based on the questions customers are asking me when we’re discussing how to operationalize VMware Cloud. Questions primarily center around the operational differences between managing an on-premise, VMware SDDC platform and VMware Cloud.


There are some differences. In order to help address the differences and their impact on operational roles and responsibilities at the activity level, we’ve gone through a discovery process and developed a VMware Cloud PACSI matrix. In this blog I’ll explore at a high level some of the biggest differences. A link to the full PACSI matrix can be found at the end of the blog.


But first, what is PACSI and why did we use it instead of the more commonly used RACI approach? PACSI is defined as:

Perform: The person/function carrying out the activity

Accountable:  The person/function ultimately answerable for the correct and thorough completion of the deliverable or task, and often the one who delegates the work to the  performer

Control:  The person/function reviewing the result of the activity (other than accountable.) He or she has a right of veto; his or her advice is binding

Suggest:  The person/function consulted to give advice based upon recognized expertise.  The advice is non-binding

Informed:  The person/function who must be informed of the result of the activity

We decided to use PACSI as it provides a slightly more granular set of responsibilities that better fit the allocation of responsibilities in a managed service such as VMware Cloud.

Organizational Users and Roles

VMware Cloud on AWS accounts are based on an Organization, which corresponds to a group or line of business subscribed to VMware Cloud on AWS services. Your MyVMware account is used to create the Organization and will make you an Organization Owner, allowing you to invite new users. New users can be assigned the Organization Owner role or the Organization Member role. Both types of users can manage the SDDC cloud, but only Organization Owners can invite more users.

Both users will have access to all the resources and services of the Organization and can create, manage, and access SDDCs belonging to the Organization. The major tasks performed by organization users include, but are not limited to:

  • Adding and removing hosts to the SDDC
  • Configuring the management network for vCenter access/administration: VPN, DNS, Firewall rules
  • Configuring and maintaining the compute network for workloads: logical networks, firewall rules, NAT, VPN, DNS, Public IPs

vCenter Users, Roles and Administration
In the cloud SDDC, VMware performs numerous administration tasks for you. This includes, but is not limited to, managing the lifecycle of the cloud SDDC software stack (deployment, configuration, patching, etc.), configuring the AWS infrastructure, and adding/removing hosts and networks during failure scenarios or cluster-scaling operations. Because the service is doing all of this for you, a Cloud Administrator in the SDDC requires fewer privileges than an Administrator on an on-premises data center.

To better maintain the separation between the service and the customer, VMware Cloud on AWS introduced two new roles to the traditional vCenter user model: CloudAdmin and CloudGlobalAdmin. These new roles and associated privileges ensure that the Cloud SDDC infrastructure is configured in a prescriptive deployment architecture and the customer cloud administrators cannot adversely reconfigure the management component or appliances. With this model, the customer cloud administrator has full control over their workloads while having a read-only view of management workloads and infrastructure.

  • CloudAdmin Role:The CloudAdmin role has the necessary privileges for you to create and manage workloads on your SDDC. However, you cannot access or configure certain management components that are supported and managed by VMware, such as hosts, clusters, and management virtual machines.
  • CloudGlobalAdmin Role: The CloudGlobalAdmin role is associated with global privileges and allows you to perform only certain global tasks like create and manage Content Library objects.
    A new vCenter user group called CloudAdminGroup will also be created and given the privileges associated with both roles.

Shared Responsibility

VMware Cloud Services uses a shared responsibility model for security. Trusted security in the cloud is achieved through the partnership of shared responsibilities among customers, VMware, and Amazon Web Services. This matrix of responsibility ensures a higher security model and eliminates single points of failure. For more details please read the VMware Cloud Services on Amazon Web Services Security Overview whitepaper.

Areas of Biggest Impact

Aside from the obvious differences in physical datacenter management, the main operational differences lie in what you can and can’t do in vCenter when managing the SDDC environments you deploy in VMware Cloud. Administrators are used to being able to both see and modify pretty much every aspect of the on-premise SDDC environment. In VMware Cloud, the Cloud Administrator role can still see essentially all of the same SDDC environment settings but is restricted in what they can modify. There are also some operational process responsibility differences. We address these in the PACSI matrix for the following categories: SDDC management, compute management, storage management, network management, and security management.

SDDC Management

SDDC Management refers to the SDDC software components themselves. The primary differences in this category relates to some the overarching operational processes such as disaster recovery, backup and restore, patching, and updating, as well as change, incident, and problem management.

Compute Management

In Compute Management, the main differences in VMware Cloud are that the Cloud Administrator cannot change physical host settings, such as host name or hyperthreading, nor can they change cluster settings.

Storage Management

For Storage Management, in VMware Cloud the Cloud Administrator can only add vSAN datastores by requesting additional hosts. While they can create, edit, and select default storage policies, they cannot turn off deduplication, compression, or data at rest encryption.

Network Management

For Network Management in VMware Cloud, while the Cloud Administrator can create, edit, and remove logical networks, they cannot create, edit, or remove either distributed virtual switches or distributed virtual port groups.

Security Management

For Security Management in VMware Cloud, you as the customer have a lot of the same capabilities as on-premise for key aspects of workload security like NSX firewall rules.

In Closing

The PASCI matrix addresses role responsibilities for activities in other areas like Organization Management, Workload Management, On-premise to VMware Cloud on AWS Connectivity Management, and VMware Cloud on AWS to AWS Access Management, but the areas addressed above are where the primary differences with on-premise operational activities exist. While differences with on-premise operational activities do exist, the consensus among those who are managing SDDC environments on VMware Cloud is that the biggest challenge is making the mindset shift to work within the constraints that exist when managing with vCenter. Once that mindset shift if accomplished, they find managing SDDC environments on VMware Cloud and working with the VMware team managing the underlying environment easy and seamless. Once they do, IT can fully leverage capabilities provided by their on-premise VMware SDDC to VMware Cloud integrated hybrid cloud and realize the benefits of having a common operating environment.

For all of the activity and associated responsibility details, please download the full VMC on AWS PACSI Matrix .

Kevin Lees is the field Chief Technologist for IT Operations Transformation at VMware. His focus is on how customers optimize the way they operate VMware-supported environments and solutions. Kevin serves as an advisor to global customer senior executives for their IT operations transformation initiatives. He also leads the IT Transformation activities in VMware’s Global Field Office of the CTO. He is the author of the book Operationalizing VMware NSX which provides knowledge and guidance for achieving operating model optimization for operating a NSX-based network and security infrastructure. The book not only addresses tactical optimizations such as monitoring and troubleshooting but through a more strategic nature, such as team structure and culture, roles, responsibilities, and skillsets, as well as supporting ITSM process considerations. It can be downloaded from here.

Andrea Siviero, Principal Architect on the Professional Services Engineering and Remote Delivery (PS ERD) team, is a 12+ year veteran of VMware. He is responsible for driving the roadmap and execution of professional services for Hybrid Cloud solutions, as well as transforming the way VMware defines, creates and offers professional services. He also recently joined the Office of the CTO to drive activities related to Artificial Intelligence and Machine Learning.


5 comments have been added so far

Leave a Reply

Your email address will not be published. Required fields are marked *