Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Placing Web & App servers (VM) in the same or different VLANs

Posted on 2013-01-14
9
Medium Priority
?
487 Views
Last Modified: 2013-01-16
I have 16 IIS Web servers (on VMs running Win 2008 R2 Std) &
8 App (Appfabric, MS HL7) servers (on VMs running Win 2008 R2 Std).

I'm deciding whether to place them on same VLAN/subnet   Or
Web servers on one VLAN/subnet (ie DMZ zone) & the App on
another (ie App zone).

Q1:
Is MS HL7/Appfabric considered app servers or people generally
treat it as web?

Q2:
There's quite a number of communications (persistent & non-
persistent) between the Web & the HL7/Appfabric (& several
other inhouse developed HL7 and .Net apps) & I'm thinking
if I could justify to place all of them into one single DMZ zone.
Is this a good idea?

Q3:
By placing them in different zones/VLANs, anyone foresee any
issue in the VMware/ESXi setup/configuration?  All the 16+8
VMs are running on 5 ESXi hosts.  Guess, I'll need to permit
both DMZ & App zones on the trunked ports of the switches
that the ESXi hosts are connected to.  Anything else?
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 124

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 1920 total points
ID: 38777189
Q1. Applicartion Servers

Q2. DMZ

Q3. No issues with VMware ESXi, using VLANs or Trunked Ports
0
 

Author Comment

by:sunhux
ID: 38777928
So inter-VLAN routing is handled by the layer 3 switch
or usually there's a firewall between the DMZ & App
zones/VLANs as well?
0
 

Author Comment

by:sunhux
ID: 38777943
One more question:

if the web & app servers are only meant for internal users' access
(ie not for public internet), is it still really crucial to segregate web
from app servers & create a DMZ zone?
0
Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

 
LVL 124

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 1920 total points
ID: 38777949
Yes, inter-vlan routing is usually enabled by your physical switches.

But when we work with clients, we put firewalls between DMZ and Production Networks, and we also tie the ports down or IP Addresses, so different servers in the DMZ cannot commiunicate with other servers in the DMZ.

So everything is isolated, and we have firewalls between the DMZ and Internet.

e.g.

Internet ---> Firewall ---> DMZ ---> Firewall ---> Production Networks (e.g. AD, DHCP, email, file servers etc)
0
 

Author Comment

by:sunhux
ID: 38778034
if the web & app servers are only meant for internal users' access
(ie not for public internet), is it still really crucial to segregate web
from app servers & create a DMZ zone?
0
 

Author Comment

by:sunhux
ID: 38778090
http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf
Just read the above: hmm, we never commit to the customer that we'll build
a virtualized DMZ for them in the design specs which the customer has just
signed off.

Without a virtualized DMZ, I really can't see any benefit in placing the
Web VMs & App VMs in separate VLANs, or is there still a security benefit?

Concerned that I may end up raising a lot of firewall rules later & if there's
inter-VLAN routing issues, going to have a lot to troubleshoot
0
 
LVL 124

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 1920 total points
ID: 38778095
if you only need to serve internal users, no need for DMZ.
0
 

Author Comment

by:sunhux
ID: 38778264
Bear with me:  for internal users, is it still essential to put web &
app VMs in separate VLANs ?  I think if the inter-VLAN routing has a
Cisco ACL (access control lists) filtering, it may introduce a bit of delay:

http://social.msdn.microsoft.com/Forums/en/architecturegeneral/thread/f7262f04-4f8d-483e-863e-8a17171776d3
0
 
LVL 124

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 1920 total points
ID: 38778676
I would not use different VLANs.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Teach the user how to use create log bundles for vCenter Server or ESXi hosts Open vSphere Web Client: Generate vCenter Server and ESXi host log bundle:  Open vCenter Server Appliance Web Management interface and generate log bundle: Open vCenter Se…
This Micro Tutorial steps you through the configuration steps to configure your ESXi host Management Network settings and test the management network, ensure the host is recognized by the DNS Server, configure a new password, and the troubleshooting…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question