First:
ALL end-user communication goes to the vCloud Cells.
You should check the "vCloud Director Security" whitepaper, Chapter 5. The latest document I could find was for 9.5, but most of this also applies to 9.7 / 10.
https://docs.vmware.com/en/vCloud-Director/9.5/vcd_sec.pdf
Things to check:
- If you have multiple Cells, use a LoadBalancer
- Open only port 443 to the internet (if you have ConsoleProxy on the same IP, also the IP of ConsoleProxy (e.g. 8443)) and use a firewall (see: Blocking Malicious Traffic)
- Always use valid certificates
- Enforce strong passwords on all users
- If possible use a WAF and prevent access to administrative URLs (Admin Portal, Admin API Endpoints)
- If required enable MFA