Solved

Best way to provide iSCSI storage to Hyper-V guests

Posted on 2011-09-09
Last Modified: 2013-11-14
I'm helping a company host application services for its clients. Each client will have access to a set of Hyper-V guest servers in their own VLAN. Also, each client environment will need to access their own SQL databases and general file data, which could range from hundreds of gigs to several terabytes in size.

For this SQL and file storage we have a Supermicro white box server with about 20TB of storage. The plan we're considering is to install Server 2008R2 with MS iSCSI target software 3.3 and create a virtual disk for each client to use as storage.

My questions are:

- Should the iSCSI targets be mounted in the Hyper-V host, and passed through to the guest VM, or is it better to run the iSCSI initiator from within the guest?

- Is it OK to have VHDs up to several terabytes in size?

- Given that each client will have its own VLAN and IP subnet, would we need a separate physical NIC for each VLAN on the storage server?

Security will be a primary concern - clients should have no ability to see each other's networks, hosts or data.

This is pretty new territory for me so if I'm completely off base, or if there's a better way of doing things, by all means please let me know!

Thanks in advance
Question by:smocohiba

Assisted Solution

by:gtworek
gtworek earned 200 total points
- should the iscsi targets be mounted in the hyper-v host, and passed through to the guest vm, or is it better to run iscsi initiator from within the guest?

Giving client initiator access (maybe with dedicated adapter) gives you more flexibility. I.e. you can create VM Clusters (FCS) or easily migrate your storage from one server to another one.

- is it ok to have vhd's up to several terabytes in size?

Remember that dynamic and differential VHD are limited to 2TB.

- given that each client will have its own vlan and IP subnet, would we need a separate physical nic for each vlan on the storage server?

It actually depends on your hardware and drivers. If it works on one adapter it is ok.

Security will be a primary concern - clients should have no ability to see each other's networks, hosts or data

If it is your main concern you should remember that iSCSI itself is transmitted totally unencrypted and easy to intercept. You should encapsulate it into IPsec and/or encrypt your client disks with BitLocker - it also makes your transmission encrypted at the higher level.

Accepted Solution

by:
kevinhsieh earned 300 total points
I would store VMs/VHDs less than 2 TB in size on a CSV per customer.  That at least logically separates customer data on a volume level. A customer also wouldn't be able to access data on another VHD unless you accidentally mapped the wrong VHD to a VM, which should be a little bit harder when you are reaching across CSV volumes.

If a VM needed more than the 2 TB that you can put on a VHD, I would look at passthrough disks. You can also use iSCSI from inside the VM, but you will then need to route the iSCSI traffic through a firewall/router that allows VM to SAN traffic but prevents VM to VM traffic, and you will need very strong access controls on the volumes such as IP address, CHAP, and initiator name to prevent a guest from being able to mount a volume that it shouldn't have access to.

You will need to compare that against the risk of accidentally assigning the wrong passthrough disk to a VM.

How to use passthrough disks on highly available VMs
http://social.technet.microsoft.com/wiki/contents/articles/440.aspx
0
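The access controls named in the accepted answer (IP address, CHAP, initiator name), as an added example that is not part of the original thread: a small audit that checks a target-to-initiator inventory for cross-tenant exposure. The inventory layout, tenant names, IQNs and subnets are constructed for illustration and are not exported by any particular iSCSI target product.

```python
import ipaddress

# Constructed sample data: one storage subnet per client (hypothetical values).
TENANT_SUBNETS = {
    "clientA": ipaddress.ip_network("10.10.1.0/24"),
    "clientB": ipaddress.ip_network("10.10.2.0/24"),
}
# Constructed inventory: each target lists its allowed (initiator IQN, IP) pairs.
TARGETS = [
    {"name": "clientA-sql", "tenant": "clientA", "chap": True,
     "initiators": [("iqn.1991-05.com.microsoft:a-sql01", "10.10.1.21")]},
    {"name": "clientB-files", "tenant": "clientB", "chap": False,
     "initiators": [("iqn.1991-05.com.microsoft:b-fs01", "10.10.2.30"),
                    ("iqn.1991-05.com.microsoft:a-sql01", "10.10.1.21")]},
    {"name": "clientB-sql", "tenant": "clientB", "chap": True,
     "initiators": [("*", "10.10.2.31")]},
]


def audit(targets, subnets):
    """Return sorted (target, finding) tuples for weak or cross-tenant mappings."""
    findings = []
    iqn_owner = {}  # first tenant each initiator name was seen under
    for t in targets:
        net = subnets[t["tenant"]]
        if not t["chap"]:
            findings.append((t["name"], "CHAP disabled"))
        for iqn, ip in t["initiators"]:
            # A wildcard or non-IQN entry does not restrict by initiator name.
            if "*" in iqn or not iqn.startswith("iqn."):
                findings.append((t["name"], f"unrestricted initiator name {iqn!r}"))
            # The allowed address must sit inside the owning tenant's subnet.
            if ipaddress.ip_address(ip) not in net:
                findings.append((t["name"], f"initiator {ip} outside {net}"))
            # The same initiator must never be mapped to two tenants' targets.
            owner = iqn_owner.setdefault(iqn, t["tenant"])
            if owner != t["tenant"]:
                findings.append((t["name"], f"{iqn} also belongs to {owner}"))
    return sorted(findings)


if __name__ == "__main__":
    for target, finding in audit(TARGETS, TENANT_SUBNETS):
        print(f"{target}: {finding}")
```
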
 

Author Comment

by:smocohiba
Thanks for the replies so far - great info! For iSCSI I think we're starting to lean towards going with Starwind's free product rather than MS iSCSI target software - it seems to offer more robust features out of the box. Is there anything I should be wary of with Starwind?

@kevinhsieh - I'm looking into setting up CSV from this page http://blogs.msdn.com/b/clustering/archive/2009/02/19/9433146.aspx. Step 3 describes creating CSV disks by adding available storage to the CSVs. What constitutes the available storage - physical partitions on the local disk? Also, is it possible to map more than one CSV (containing a VHD) to a VM, effectively creating additional drives?


Expert Comment

by:kevinhsieh
Available storage is the iSCSI volume(s) that you have attached to each host through the iSCSI control panel. I usually attach a new volume to a single host, initialize it and put a single partition on it, and then format it (usually 64K if it is storing VHDs). I then attach the other cluster nodes to it. It should then appear as available storage in the cluster manager.

While you can assign VHDs from different CSV to a single VM, you have to think about why you would do that instead of assigning multiple VHDs on the SAME CSV. There are reasons to do so, but that adds a layer of complexity that might not be required.

When working with VMs, there is basically no good reason for partitioning a VHD. If you need additional volumes in the VM, use more VHDs instead. The reasons for partitioning a physical disk don't exist for virtual disks, and you end up down the road wanting to expand a partition that is being blocked by another partition on the same VHD, and then there are all sorts of gyrations you need to go through to make it work. If you have just a single partition on a VHD, expanding it is straightforward.

Author Comment

by:smocohiba
Sorry for the late response! Thanks for the clarification kevinhsieh - I think I'm starting to wrap my mind around the concept. I'm going to try this out in a test environment this week, but I'm optimistic this will work well for our needs!