sunhux
asked on
Placing Web & App servers (VM) in the same or different VLANs
I have 16 IIS Web servers (on VMs running Win 2008 R2 Std) &
8 App (Appfabric, MS HL7) servers (on VMs running Win 2008 R2 Std).
I'm deciding whether to place them on same VLAN/subnet Or
Web servers on one VLAN/subnet (ie DMZ zone) & the App on
another (ie App zone).
Q1:
Is MS HL7/Appfabric considered app servers or people generally
treat it as web?
Q2:
There's quite a number of communications (persistent & non-
persistent) between the Web & the HL7/Appfabric (& several
other inhouse developed HL7 and .Net apps) & I'm thinking
if I could justify to place all of them into one single DMZ zone.
Is this a good idea?
Q3:
By placing them in different zones/VLANs, anyone foresee any
issue in the VMware/ESXi setup/configuration? All the 16+8
VMs are running on 5 ESXi hosts. Guess, I'll need to permit
both DMZ & App zones on the trunked ports of the switches
that the ESXi hosts are connected to. Anything else?
8 App (Appfabric, MS HL7) servers (on VMs running Win 2008 R2 Std).
I'm deciding whether to place them on same VLAN/subnet Or
Web servers on one VLAN/subnet (ie DMZ zone) & the App on
another (ie App zone).
Q1:
Is MS HL7/Appfabric considered app servers or people generally
treat it as web?
Q2:
There's quite a number of communications (persistent & non-
persistent) between the Web & the HL7/Appfabric (& several
other inhouse developed HL7 and .Net apps) & I'm thinking
if I could justify to place all of them into one single DMZ zone.
Is this a good idea?
Q3:
By placing them in different zones/VLANs, anyone foresee any
issue in the VMware/ESXi setup/configuration? All the 16+8
VMs are running on 5 ESXi hosts. Guess, I'll need to permit
both DMZ & App zones on the trunked ports of the switches
that the ESXi hosts are connected to. Anything else?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
One more question:
if the web & app servers are only meant for internal users' access
(ie not for public internet), is it still really crucial to segregate web
from app servers & create a DMZ zone?
if the web & app servers are only meant for internal users' access
(ie not for public internet), is it still really crucial to segregate web
from app servers & create a DMZ zone?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
if the web & app servers are only meant for internal users' access
(ie not for public internet), is it still really crucial to segregate web
from app servers & create a DMZ zone?
(ie not for public internet), is it still really crucial to segregate web
from app servers & create a DMZ zone?
ASKER
http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf
Just read the above: hmm, we never commit to the customer that we'll build
a virtualized DMZ for them in the design specs which the customer has just
signed off.
Without a virtualized DMZ, I really can't see any benefit in placing the
Web VMs & App VMs in separate VLANs, or is there still a security benefit?
Concerned that I may end up raising a lot of firewall rules later & if there's
inter-VLAN routing issues, going to have a lot to troubleshoot
Just read the above: hmm, we never commit to the customer that we'll build
a virtualized DMZ for them in the design specs which the customer has just
signed off.
Without a virtualized DMZ, I really can't see any benefit in placing the
Web VMs & App VMs in separate VLANs, or is there still a security benefit?
Concerned that I may end up raising a lot of firewall rules later & if there's
inter-VLAN routing issues, going to have a lot to troubleshoot
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Bear with me: for internal users, is it still essential to put web &
app VMs in separate VLANs ? I think if the inter-VLAN routing has a
Cisco ACL (access control lists) filtering, it may introduce a bit of delay:
http://social.msdn.microsoft.com/Forums/en/architecturegeneral/thread/f7262f04-4f8d-483e-863e-8a17171776d3
app VMs in separate VLANs ? I think if the inter-VLAN routing has a
Cisco ACL (access control lists) filtering, it may introduce a bit of delay:
http://social.msdn.microsoft.com/Forums/en/architecturegeneral/thread/f7262f04-4f8d-483e-863e-8a17171776d3
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
or usually there's a firewall between the DMZ & App
zones/VLANs as well?