Placing Web & App servers (VM) in the same or different VLANs

I have 16 IIS Web servers (on VMs running Win 2008 R2 Std) &
8 App (Appfabric, MS HL7) servers (on VMs running Win 2008 R2 Std).

I'm deciding whether to place them on same VLAN/subnet   Or
Web servers on one VLAN/subnet (ie DMZ zone) & the App on
another (ie App zone).

Q1:
Is MS HL7/Appfabric considered app servers or people generally
treat it as web?

Q2:
There's quite a number of communications (persistent & non-
persistent) between the Web & the HL7/Appfabric (& several
other inhouse developed HL7 and .Net apps) & I'm thinking
if I could justify to place all of them into one single DMZ zone.
Is this a good idea?

Q3:
By placing them in different zones/VLANs, anyone foresee any
issue in the VMware/ESXi setup/configuration?  All the 16+8
VMs are running on 5 ESXi hosts.  Guess, I'll need to permit
both DMZ & App zones on the trunked ports of the switches
that the ESXi hosts are connected to.  Anything else?
sunhuxAsked:
Who is Participating?
 
Andrew Hancock (VMware vExpert / EE MVE^2)Connect With a Mentor VMware and Virtualization ConsultantCommented:
Q1. Applicartion Servers

Q2. DMZ

Q3. No issues with VMware ESXi, using VLANs or Trunked Ports
0
 
sunhuxAuthor Commented:
So inter-VLAN routing is handled by the layer 3 switch
or usually there's a firewall between the DMZ & App
zones/VLANs as well?
0
 
sunhuxAuthor Commented:
One more question:

if the web & app servers are only meant for internal users' access
(ie not for public internet), is it still really crucial to segregate web
from app servers & create a DMZ zone?
0
NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

 
Andrew Hancock (VMware vExpert / EE MVE^2)Connect With a Mentor VMware and Virtualization ConsultantCommented:
Yes, inter-vlan routing is usually enabled by your physical switches.

But when we work with clients, we put firewalls between DMZ and Production Networks, and we also tie the ports down or IP Addresses, so different servers in the DMZ cannot commiunicate with other servers in the DMZ.

So everything is isolated, and we have firewalls between the DMZ and Internet.

e.g.

Internet ---> Firewall ---> DMZ ---> Firewall ---> Production Networks (e.g. AD, DHCP, email, file servers etc)
0
 
sunhuxAuthor Commented:
if the web & app servers are only meant for internal users' access
(ie not for public internet), is it still really crucial to segregate web
from app servers & create a DMZ zone?
0
 
sunhuxAuthor Commented:
http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf
Just read the above: hmm, we never commit to the customer that we'll build
a virtualized DMZ for them in the design specs which the customer has just
signed off.

Without a virtualized DMZ, I really can't see any benefit in placing the
Web VMs & App VMs in separate VLANs, or is there still a security benefit?

Concerned that I may end up raising a lot of firewall rules later & if there's
inter-VLAN routing issues, going to have a lot to troubleshoot
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)Connect With a Mentor VMware and Virtualization ConsultantCommented:
if you only need to serve internal users, no need for DMZ.
0
 
sunhuxAuthor Commented:
Bear with me:  for internal users, is it still essential to put web &
app VMs in separate VLANs ?  I think if the inter-VLAN routing has a
Cisco ACL (access control lists) filtering, it may introduce a bit of delay:

http://social.msdn.microsoft.com/Forums/en/architecturegeneral/thread/f7262f04-4f8d-483e-863e-8a17171776d3
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)Connect With a Mentor VMware and Virtualization ConsultantCommented:
I would not use different VLANs.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.