• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1163

Is it safe to virtualize my DMZ network on an ESXi 5.0 host, with internal networks also virtualized on the host?

Currently I have 3 ESXi hosts:
2 have management IPs that are in my internal network
1 has management IPs that are in my DMZ network

Currently the 2 ESXi hosts on the internal network only host VMs that have internal network IPs, and the 1 ESXi host that is in my DMZ network only hosts VMs that lie in the DMZ.

I want to enable HA or FT on the servers, so I need to put all 3 servers in the same cluster,
and I would like to manage the 3 ESXi hosts with internal IPs.

In the event that I need to fail a VM over, the DMZ guest machines might need to run on a host that has internal network VMs running on it.
Would this be OK from a security standpoint, if I have guest VMs running on both my DMZ and my internal network?
0
Asked by: jsctechy
2 Solutions
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Yes, we do and our clients do; the virtual switches are not connected.
0
 
Joseph Daly commented:
Yes, this can be done. You would need to configure a separate network in VMware on all three of your hosts. This way you can specify which network each of your hosts will run on, either internal or DMZ.

I would suggest removing the management IP from the DMZ and only have the management go through internal.

As long as all three of your hosts can access both the internal and DMZ LAN you should be able to run HA failover without issue. The maps feature will help you determine if you have connections to these networks.
0
 
Joseph Daly commented:
The first sentence should read:

"Yes, this can be done. You would need to configure a separate network in VMware on all three of your hosts. This way you can specify which network each of your VIRTUAL MACHINES will run on, either internal or DMZ."
0
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Perfectly safe, there is no communication between virtual switches.
0
 
jsctechy (Author) commented:
What if we only had 2 NICs per ESXi host?
All the servers are part of an HP c-Class blade chassis, and the chassis has 2 switches in it, which is the equivalent of 2 physical NICs when presented to the blade servers.
Would VLANs create the same security when dealing with the 10 Gb uplinks?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Use VLANs and trunk the network to the host server.
0
 
jsctechy (Author) commented:
Would VLANs provide the same security as the vSwitches?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Yes, only VMs connected in the port group will be able to communicate with the DMZ. This is what we do here, and on client sites, to reduce physical networking.
0
 
vmwarun - Arun commented:
As long as the hosts see the same IP subnets, internal or DMZ would be easy to host. Make sure that you consider case sensitivity for port groups if you are going for Standard vSwitches.
0
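The answers above amount to four checks a defender would want to run across the cluster before turning on HA: DMZ and internal port groups must not share a VLAN ID on the same trunked vSwitch, the management vmkernel port must not sit in a DMZ port group, no VM should be dual-homed across the two zones (a VM with vNICs in both becomes a bridge the vSwitch isolation cannot prevent), and port group names must be spelled identically, case included, on every host or HA will not be able to connect a failed-over VM's vNIC. The following is an added example, not code from the thread or from VMware; it audits a constructed three-host inventory (hypothetical host, VM and port group names, shaped like what PowerCLI's Get-VirtualPortGroup, Get-VMHostNetworkAdapter and Get-NetworkAdapter would return), with deliberate mistakes on esx02 and esx03 so every check fires at least once.

```python
"""Audit an ESXi cluster's virtual networking for DMZ/internal separation.

Added example, not the thread's or VMware's code. The inventory below is
constructed by hand; host, VM and port group names are hypothetical.
"""
from collections import defaultdict

# Which port groups belong to which security zone (assumed naming).
DMZ_PORTGROUPS = {"DMZ"}
INTERNAL_PORTGROUPS = {"Internal", "Management Network"}
CANONICAL = DMZ_PORTGROUPS | INTERNAL_PORTGROUPS

# Constructed three-host inventory. esx01 is correct; esx02 and esx03 are not.
INVENTORY = {
    "esx01": {
        "portgroups": {
            "Management Network": {"vswitch": "vSwitch0", "vlan": 10},
            "Internal": {"vswitch": "vSwitch0", "vlan": 10},
            "DMZ": {"vswitch": "vSwitch0", "vlan": 20},
        },
        "vmkernel": {"vmk0": "Management Network"},
        "vms": {"web01": ["DMZ"], "app01": ["Internal"]},
    },
    "esx02": {  # port group spelled "dmz": HA cannot place a "DMZ" VM here
        "portgroups": {
            "Management Network": {"vswitch": "vSwitch0", "vlan": 10},
            "Internal": {"vswitch": "vSwitch0", "vlan": 10},
            "dmz": {"vswitch": "vSwitch0", "vlan": 20},
        },
        "vmkernel": {"vmk0": "Management Network"},
        "vms": {"app02": ["Internal"]},
    },
    "esx03": {  # DMZ on the internal VLAN, management in DMZ, dual-homed VM
        "portgroups": {
            "Management Network": {"vswitch": "vSwitch0", "vlan": 10},
            "Internal": {"vswitch": "vSwitch0", "vlan": 10},
            "DMZ": {"vswitch": "vSwitch0", "vlan": 10},
        },
        "vmkernel": {"vmk0": "DMZ"},
        "vms": {"web03": ["DMZ"], "proxy01": ["DMZ", "Internal"]},
    },
}


def zone_of(portgroup):
    """Map an exact (case-sensitive) port group name to its zone, or None."""
    if portgroup in DMZ_PORTGROUPS:
        return "dmz"
    if portgroup in INTERNAL_PORTGROUPS:
        return "internal"
    return None


def audit(inventory):
    """Return a sorted list of (host, check, detail) findings."""
    findings = []
    canon_by_lower = {name.lower(): name for name in CANONICAL}
    for host_name, host in inventory.items():
        names = set(host["portgroups"])
        # 1. Port group names must match exactly on every host (case matters).
        for name in names:
            expected = canon_by_lower.get(name.lower())
            if expected and name != expected:
                findings.append((host_name, "portgroup-case-mismatch", f"{name} != {expected}"))
        for missing in CANONICAL - names:
            findings.append((host_name, "portgroup-missing", missing))
        # 2. DMZ and internal port groups must not share a VLAN on one vSwitch;
        #    with a shared VLAN the trunk carries both zones as one broadcast domain.
        zones_by_vlan = defaultdict(set)
        for name, pg in host["portgroups"].items():
            zone = zone_of(name)
            if zone:
                zones_by_vlan[(pg["vswitch"], pg["vlan"])].add(zone)
        for (vswitch, vlan), zones in zones_by_vlan.items():
            if len(zones) > 1:
                findings.append((host_name, "vlan-shared-across-zones", f"{vswitch} VLAN {vlan}"))
        # 3. The management vmkernel port must stay on the internal side.
        for vmk, pg in host["vmkernel"].items():
            if zone_of(pg) == "dmz":
                findings.append((host_name, "management-in-dmz", vmk))
        # 4. A VM with vNICs in both zones bridges them regardless of vSwitch isolation.
        for vm, pgs in host["vms"].items():
            zones = {zone_of(pg) for pg in pgs} - {None}
            if len(zones) > 1:
                findings.append((host_name, "vm-bridges-zones", vm))
    return sorted(findings)


if __name__ == "__main__":
    for host, check, detail in audit(INVENTORY):
        print(f"{host}: {check}: {detail}")
```

Run against the sample, esx01 produces no findings, esx02 is flagged for the misspelled port group (and therefore for the missing "DMZ" one), and esx03 is flagged three times. To run it against a real cluster, replace INVENTORY with data exported by PowerCLI; the checks themselves do not change.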
