Shared Responsibility Model - vSphere+ and vSAN+


VMware vSphere+ is a multi-cloud workload platform that bring benefits of the cloud to on-premises by deploying high-value cloud services to easily build, run, manage, and secure traditional and next-gen applications. VMware vSphere+ combines industry-leading virtualization technology, an enterprise-ready Kubernetes environment, and high-value cloud services to transform your existing on-premises deployments into a SaaS-enabled infrastructure.

A picture containing text, software, computer icon, number

Description automatically generated

VMware vSAN+ is VMware’s premier hyperconverged infrastructure (HCI) offering which extends VMware vSAN’s capabilities to now deliver cloud-connected services, which help IT administrators to centralize management and enhance efficiency of their VMware vSAN environment. VMware vSAN+ builds on the benefits customers receive from VMware vSphere+.

Shared Responsibility Model

VMware vSphere+ and VMware vSAN+ implement a shared responsibility model that defines distinct roles and responsibilities of the three parties involved in the offering: Customer, VMware, and AWS.

A diagram of a software security system

Description automatically generated


Customer responsibility, “Security of the Infrastructure and applications”

The customer is responsible for compliance for the customer’s on-premises infrastructure, virtual machines (VMs), networks, and applications that they manage. Customer workloads run in the customer’s own on-premises environment.

VMware responsibility, “Security of the Management Software”

VMware is responsible for Subscription/License management, configuration management, and assisted vCenter lifecycle, Gateway.

AWS responsibility, “Security of the infrastructure”

AWS is responsible for the physical facilities, physical security, infrastructure, and hardware underlying cloud services offered by AWS.

VMware vSphere+ and VMware vSAN+ Responsibilities

VMware vSphere+™, incorporating VMware vSAN+™, includes Cloud Services and a Cloud Gateway operated by VMware along with inventory that is operated by the customer.  The diagram below color codes the VMware vSphere+ high-level architecture to help clarify the shared responsibility model, with customer responsibilities represented in green and VMware responsibilities represented in dark blue.

A diagram of a cloud server

Description automatically generated with low confidence

Shared Responsibility Matrix




  • Infrastructure Setup
    • Install/deploy/patch/upgrade VMware ESXi hosts.
    • Deploy VMware vCenter Server.
    • Configure/setup the authentication system.
    • Configure the storage and networking stacks, including enabling and configuring vSAN storage services (optional)
    • Create the management cluster.
    • Configure/setup firewall rules.
  • Deploy/Manage Virtual Machines
    • Install/patch operating systems.
    • Install antivirus software.
    • Install backup software.
    • Install configuration management software.
  • Migrate Virtual Machines
    • Live vMotion, cold migration, Content Library sync.
  • Gateway Management
    • Install the VMware vCenter Cloud Gateway.
    • Configure the settings on the VMware vCenter Cloud Gateway.


  • VMware vSphere+/VMware vSAN+ Services
    • Assisted vCenter Lifecyle.
      • Facilitate vCenter updates.
    • VMware vCenter Server Configuration Management
      • Manage vCenter Server configurations to reserve the resources for performing vCenter Server Upgrades, Authorization configurations to ensure VMware Site Reliability Engineering staff have access to manage & monitor vCenter Server.
    • Subscription/License Management
      • Collect usage data on a continuous basis.
  • VMware Cloud on AWS
    • Manages the underlying infrastructure to host & run the cloud services.
    • Provides a common set of services for operations such as persisting data, sending messages, and executing long running operations.
    • Provides the service starter to help with creating new vSphere+ services that take care of patching the base images and third-party libraries.

Shared Customer and VMware

  • Customers have complete root access and VMware has shell/SSH access to the VMware vCenter Cloud Gateway. Both share the efforts for its proper operation:
    • The customer is responsible for the installation of the VMware vCenter Cloud Gateway.
    • The customer is responsible for the registration of the VMware vCenter Cloud Gateway to the VMware Cloud account for registration of the respective VMware vCenter Servers.
    • Customer can disable SSH access from Appliance Management UI from the VMware vCenter Cloud Gateway.
    • VMware is responsible for patching & updating the VMware vCenter Cloud Gateway.
    • VMware is responsible for monitoring the service health and for remediation in case of issues with cloud services.
    • VMware and the customer are responsible for monitoring the health and activities on the VMware vCenter Cloud Gateway.

Amazon Web Services

  • Infrastructure-as-a-Service (IaaS) Services, Platform-as-a-Service (PaaS) Services
    • Physical Infrastructure
      • AWS Regions: US-West-2 only
      • AWS Availability Zones
      • Physical security of AWS facilities.



For a detailed information on VMware vSphere+ service description, please refer to documentation available at:

VMware vSphere+ ™ Getting Started:

VMware vSphere+™ Security Overview:

VMware Cloud Services Guide:


Filter Tags

vSAN+ vSphere+ Document