Solved

Placing Web & App servers (VM) in the same or different VLANs

Posted on 2013-01-14
9
484 Views
Last Modified: 2013-01-16
I have 16 IIS Web servers (on VMs running Win 2008 R2 Std) &
8 App (Appfabric, MS HL7) servers (on VMs running Win 2008 R2 Std).

I'm deciding whether to place them on same VLAN/subnet   Or
Web servers on one VLAN/subnet (ie DMZ zone) & the App on
another (ie App zone).

Q1:
Is MS HL7/Appfabric considered app servers or people generally
treat it as web?

Q2:
There's quite a number of communications (persistent & non-
persistent) between the Web & the HL7/Appfabric (& several
other inhouse developed HL7 and .Net apps) & I'm thinking
if I could justify to place all of them into one single DMZ zone.
Is this a good idea?

Q3:
By placing them in different zones/VLANs, anyone foresee any
issue in the VMware/ESXi setup/configuration?  All the 16+8
VMs are running on 5 ESXi hosts.  Guess, I'll need to permit
both DMZ & App zones on the trunked ports of the switches
that the ESXi hosts are connected to.  Anything else?
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 121

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 480 total points
ID: 38777189
Q1. Applicartion Servers

Q2. DMZ

Q3. No issues with VMware ESXi, using VLANs or Trunked Ports
0
 

Author Comment

by:sunhux
ID: 38777928
So inter-VLAN routing is handled by the layer 3 switch
or usually there's a firewall between the DMZ & App
zones/VLANs as well?
0
 

Author Comment

by:sunhux
ID: 38777943
One more question:

if the web & app servers are only meant for internal users' access
(ie not for public internet), is it still really crucial to segregate web
from app servers & create a DMZ zone?
0
Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

 
LVL 121

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 480 total points
ID: 38777949
Yes, inter-vlan routing is usually enabled by your physical switches.

But when we work with clients, we put firewalls between DMZ and Production Networks, and we also tie the ports down or IP Addresses, so different servers in the DMZ cannot commiunicate with other servers in the DMZ.

So everything is isolated, and we have firewalls between the DMZ and Internet.

e.g.

Internet ---> Firewall ---> DMZ ---> Firewall ---> Production Networks (e.g. AD, DHCP, email, file servers etc)
0
 

Author Comment

by:sunhux
ID: 38778034
if the web & app servers are only meant for internal users' access
(ie not for public internet), is it still really crucial to segregate web
from app servers & create a DMZ zone?
0
 

Author Comment

by:sunhux
ID: 38778090
http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf
Just read the above: hmm, we never commit to the customer that we'll build
a virtualized DMZ for them in the design specs which the customer has just
signed off.

Without a virtualized DMZ, I really can't see any benefit in placing the
Web VMs & App VMs in separate VLANs, or is there still a security benefit?

Concerned that I may end up raising a lot of firewall rules later & if there's
inter-VLAN routing issues, going to have a lot to troubleshoot
0
 
LVL 121

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 480 total points
ID: 38778095
if you only need to serve internal users, no need for DMZ.
0
 

Author Comment

by:sunhux
ID: 38778264
Bear with me:  for internal users, is it still essential to put web &
app VMs in separate VLANs ?  I think if the inter-VLAN routing has a
Cisco ACL (access control lists) filtering, it may introduce a bit of delay:

http://social.msdn.microsoft.com/Forums/en/architecturegeneral/thread/f7262f04-4f8d-483e-863e-8a17171776d3
0
 
LVL 121

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 480 total points
ID: 38778676
I would not use different VLANs.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I will show you HOW TO: Install VMware Tools for Windows on a VMware Windows virtual machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, using the VMware Host Client. The virtual machine has Windows Server 2016 instal…
In this article, I show you step by step with screenshots to assist you - HOW TO: Deploy and Install the VMware vCenter Server Appliance 6.5 (VCSA 6.5), with some helpful tips along the way.
Teach the user how to use create log bundles for vCenter Server or ESXi hosts Open vSphere Web Client: Generate vCenter Server and ESXi host log bundle:  Open vCenter Server Appliance Web Management interface and generate log bundle: Open vCenter Se…
Teach the user how to join ESXi hosts to Active Directory domains Open vSphere Client: Join ESXi host to AD domain: Verify ESXi computer account in AD: Configure permissions for domain user in ESXi: Test domain user login to ESXi host:

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question