Solved

Placing Web & App servers (VM) in the same or different VLANs

Posted on 2013-01-14
9
483 Views
Last Modified: 2013-01-16
I have 16 IIS Web servers (on VMs running Win 2008 R2 Std) &
8 App (Appfabric, MS HL7) servers (on VMs running Win 2008 R2 Std).

I'm deciding whether to place them on same VLAN/subnet   Or
Web servers on one VLAN/subnet (ie DMZ zone) & the App on
another (ie App zone).

Q1:
Is MS HL7/Appfabric considered app servers or people generally
treat it as web?

Q2:
There's quite a number of communications (persistent & non-
persistent) between the Web & the HL7/Appfabric (& several
other inhouse developed HL7 and .Net apps) & I'm thinking
if I could justify to place all of them into one single DMZ zone.
Is this a good idea?

Q3:
By placing them in different zones/VLANs, anyone foresee any
issue in the VMware/ESXi setup/configuration?  All the 16+8
VMs are running on 5 ESXi hosts.  Guess, I'll need to permit
both DMZ & App zones on the trunked ports of the switches
that the ESXi hosts are connected to.  Anything else?
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 120

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 480 total points
ID: 38777189
Q1. Applicartion Servers

Q2. DMZ

Q3. No issues with VMware ESXi, using VLANs or Trunked Ports
0
 

Author Comment

by:sunhux
ID: 38777928
So inter-VLAN routing is handled by the layer 3 switch
or usually there's a firewall between the DMZ & App
zones/VLANs as well?
0
 

Author Comment

by:sunhux
ID: 38777943
One more question:

if the web & app servers are only meant for internal users' access
(ie not for public internet), is it still really crucial to segregate web
from app servers & create a DMZ zone?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 120

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 480 total points
ID: 38777949
Yes, inter-vlan routing is usually enabled by your physical switches.

But when we work with clients, we put firewalls between DMZ and Production Networks, and we also tie the ports down or IP Addresses, so different servers in the DMZ cannot commiunicate with other servers in the DMZ.

So everything is isolated, and we have firewalls between the DMZ and Internet.

e.g.

Internet ---> Firewall ---> DMZ ---> Firewall ---> Production Networks (e.g. AD, DHCP, email, file servers etc)
0
 

Author Comment

by:sunhux
ID: 38778034
if the web & app servers are only meant for internal users' access
(ie not for public internet), is it still really crucial to segregate web
from app servers & create a DMZ zone?
0
 

Author Comment

by:sunhux
ID: 38778090
http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf
Just read the above: hmm, we never commit to the customer that we'll build
a virtualized DMZ for them in the design specs which the customer has just
signed off.

Without a virtualized DMZ, I really can't see any benefit in placing the
Web VMs & App VMs in separate VLANs, or is there still a security benefit?

Concerned that I may end up raising a lot of firewall rules later & if there's
inter-VLAN routing issues, going to have a lot to troubleshoot
0
 
LVL 120

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 480 total points
ID: 38778095
if you only need to serve internal users, no need for DMZ.
0
 

Author Comment

by:sunhux
ID: 38778264
Bear with me:  for internal users, is it still essential to put web &
app VMs in separate VLANs ?  I think if the inter-VLAN routing has a
Cisco ACL (access control lists) filtering, it may introduce a bit of delay:

http://social.msdn.microsoft.com/Forums/en/architecturegeneral/thread/f7262f04-4f8d-483e-863e-8a17171776d3
0
 
LVL 120

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 480 total points
ID: 38778676
I would not use different VLANs.
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Vyos VLANs 14 61
Drobo B1200i and vmware ESX 5.5 with two servers 14 58
Certain exe files will not run in Vista 26 53
ESXi vmnic Stand By Status 3 60
When rebooting a vCenters 6.0 and try to connect using vSphere Client we get this issue "Invalid URL: The hostname could not parsed." When we get this error we need to do some changes in the vCenter advanced settings to fix the issue.
This article outlines why you need to choose a backup solution that protects your entire environment – including your VMware ESXi and Microsoft Hyper-V virtualization hosts – not just your virtual machines.
Teach the user how to join ESXi hosts to Active Directory domains Open vSphere Client: Join ESXi host to AD domain: Verify ESXi computer account in AD: Configure permissions for domain user in ESXi: Test domain user login to ESXi host:
This Micro Tutorial steps you through the configuration steps to configure your ESXi host Management Network settings and test the management network, ensure the host is recognized by the DNS Server, configure a new password, and the troubleshooting…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question