Nutanix storage container configuration guidance specifies that “Advertised Capacity” is the setting used to define a maximum limit for the container. This value enforces a hard cap on space usage. Reserved Capacity, in contrast, defines a minimum guarantee of space for the container and does not limit growth.

Prism Element is the correct interface for creating storage containers with specific data reduction settings such as compression and deduplication, as the container-level storage policies are applied directly at the cluster’s storage layer.

The documentation further clarifies that RF1, inline compression, and deduplication settings are configured within Prism Element under container creation. Therefore, to enforce the 100 GiB limit, the administrator must create the container in Prism Element and set the Advertised Capacity to 100 GiB.

Understanding the Exhibit & the Alert

The alert states:

" The cluster is using password-based SSH access for the CVM. "

" Password-based remote login is enabled on the cluster. "

" It is recommended to use key-based SSH access instead of password-based SSH access for better security. "

This means that the nutanix user can log in to Controller VMs (CVMs) using a password, which is a security risk.

Corrective Action: Enabling Cluster Lockdown

✅(C) Enable Cluster Lockdown. (Correct Answer)

Cluster Lockdown Mode restricts password-based SSH access and forces key-based authentication.

This prevents users from logging into CVMs using passwords, enhancing cluster security.

To enable Cluster Lockdown:

Go to Prism Central or Prism Element.

Navigate to Settings → Security → Cluster Lockdown.

Enable Cluster Lockdown Mode.

Evaluating the Other Answer Choices

❌(A) Rename the nutanix user. (Incorrect)

The nutanix user is a built-in system account required for cluster operations.

Renaming the user will not prevent SSH access via password.

❌(B) Block port 22 on the CVM firewall. (Incorrect)

Blocking port 22 (SSH) will completely disable SSH access, including key-based authentication.

This may break cluster management and troubleshooting operations.

❌(D) Delete the nutanix user. (Incorrect)

The nutanix user is a critical system account required for cluster functionality.

Deleting the account will cause serious issues with cluster management.

Multicloud Infrastructure References & Best Practices

Nutanix Security Best Practices:

Always use key-based SSH authentication instead of password-based logins.

Enable Cluster Lockdown Mode to enforce security policies.

Regularly audit user access to ensure security compliance.

Cluster Lockdown Benefits:

Prevents unauthorized SSH access via passwords.

Enforces public key authentication, reducing brute-force attack risks.

Strengthens CVM security against potential exploits.

For workloads requiring new IP addresses and DNS server settings during DR recovery, using custom scripting within the Recovery Plan is the recommended and supported method.

From theNutanix Enterprise Cloud Administration (ECA)course materials:

“Recovery Plans support scripting within the Recovery Sequence to enable administrators to perform post-recovery customization tasks, such as updating IP addresses, configuring DNS, or applying application-specific settings.”

“This scripting capability provides a flexible, automated approach to ensure that VMs are correctly reconfigured to operate within the DR environment’s network and DNS settings.”

This avoids the need for manual reconfiguration post-recovery or adjusting settings in production prior to failover.

Nutanix describes a special process for updating golden images or templates without modifying the original source object directly. The documentation states:

“Complete Guest OS Update creates a temporary, cloned instance of the template, boots it, and allows administrators to patch or update the operating system. Once updates are applied, the system recomposes the template with the modifications.”

This process ensures that templates remain clean and version-controlled while still allowing regular OS patching operations. Other options such as Create VM from Template merely instantiate running VMs and do not update the template source. Update Guest OS and Update Configuration refer to VM-level settings but do not create a temporary working copy for template lifecycle management.

Thus, Complete Guest OS Update is the correct feature.

Nutanix storage architecture uses distributed data paths, where each vDisk represents a distributed logical object. The performance best practices for databases state:

“Multiple vDisks provide parallelism across the Nutanix storage stack, increasing I/O queue depth and distributing operations across multiple CVMs.”

Also, the guidance for Linux-based database workloads specifies:

“Using LVM striping across multiple vDisks increases throughput by merging multiple I/O channels and enhancing parallel read/write operations.”

Thin vs thick provisioning is irrelevant for performance in a Nutanix environment, as both types deliver identical I/O performance due to the metadata-driven storage engine.

Thus, database performance benefits from additional vDisks and striping across them.

Metro Availability requires that VMs always read data from their primary site to maintain optimal performance and prevent remote data access latency.

Option C (Migrate the VM to its primary site and set appropriate rules) is correct:

If a VMfails over to the secondary sitebut is still running in the primary site, it will read data remotely, causinghigh latency and performance issues.

The solution is tomigrate the VM back to the primary siteand configureDRS rulesorhost affinity settingsto prevent unwanted movement.

Option A is incorrect:

The command listsactive Metro Availability protection domainsbut doesnot resolvethe issue.

Option B is incorrect:

Must-affinity rules can help, but they should be configuredafter migrating the VM back to the primary site.

Option D is incorrect:

RunningNCC health checkswill onlydiagnose the issue, not resolve it.

Nutanix Protection Policies replicate VM data between clusters using Nutanix’s built-in data protection engine. For inter-site or cloud-based replication, Nutanix documentation specifies that replication traffic can be encrypted using the Data-in-Transit Encryption feature. The internal description states:

“Data-in-Transit Encryption secures replication traffic moving between clusters by encrypting data packets before transmission across external or untrusted networks.”

This is distinct from Data-at-Rest Encryption, which protects stored data on disks but does not secure network traffic. Self-encrypting drives and secure boot only protect the VM locally, not the replication path. Because replication to NC2 travels over the Internet, encryption of the transport channel is mandatory to meet security compliance.

Therefore, the required capability is Data-in-Transit Encryption.

In Nutanix Prism Central,categoriesallow administrators togroup and organize entitiesfor management, automation, and policy enforcement.

Alerts (Option B) can be categorizedto group similar system events and create filtering rules.

Virtual Machines (Option C) can be categorizedto apply security policies, automation tasks, and resource allocation rules.

Option A (Storage Containers) cannot be categorizedin Prism Central. Storage policies apply at the container level but are not managed via categories.

Option D (ISO Images) cannot be categorizedbecause ISOs arestatic objects, not active entities.