The logical design phase defines the solution's requirements and policies, addressing the "what" rather than the "how." The requirement to comply with security standards translates into specific logical design decisions that enforce security policies.

Specifying the use of a strong cryptographic algorithm like SHA-2 or higher for certificates (D) is a fundamental security policy decision. It ensures data integrity and aligns with modern security standards that deprecate older, weaker algorithms.

Establishing an operational practice for managing the certificate trust between NSX Global and Local Managers (E) is a critical logical decision for maintaining the security of a federated management plane. This ensures that communication between management components remains secure and authenticated throughout the certificate lifecycle.

A. Use large-size NSX Edge virtual appliances to account for the additional firewall rules.

This is a physical design decision. Sizing of components is based on performance and capacity requirements, which are determined after the logical design is complete.

B. Enable VM Monitoring for each workload within the cluster.

This is a vSphere High Availability (HA) feature primarily focused on availability and resiliency, not a core security standard compliance measure like cryptography or access control.

C. Enable Inter-SR iBGP routing.

This is a specific, low-level network configuration choice for implementing routing in an NSX Tier-0 gateway. It is a physical design detail, not a logical security policy.

1. VMware Cloud Foundation Design Guide (v4.3

p. 18): This guide distinguishes between logical and physical design. The logical design phase includes making decisions about security principles. It states

"The logical design phase of a solution design is where the requirements of the solution are translated into a high-level design that can be used to make the physical design decisions." Certificate management is a key security principle covered.

2. VMware NSX-T Data Center Administration Guide (v3.2

p. 113): In the "Certificates" section

the documentation details the requirements for certificates

including the need for strong signature algorithms. It states

"The signature algorithm must be SHA256withRSA or stronger." This supports decision (D) as a documented security requirement.

3. VMware NSX-T Data Center Federation Guide (v3.2

p. 21): The guide describes the process of adding an NSX Local Manager to an NSX Global Manager. It details the security mechanism: "To add a location

you must provide the FQDN or IP address of the NSX Manager cluster and the thumbprint of the cluster's certificate." This highlights the importance of the thumbprint verification process (E) for establishing a secure

trusted connection.