Garry Shape (United States of America) asked:
vSphere 5.5 - prevent VM from communicating with another VM? networking or settings?

We have VMs on the same host, but I was wondering how we could set it up with the vSphere settings (whether with VM settings or virtual networking settings, or perhaps within Windows) to prevent a Windows VM from communicating with other specific VMs?
Right now that stuff is managed physically via a firewall (I think to prevent SQL Server from communicating with another SQL Server), so it's kind of like a test environment that's on the same AD domain, but that's because the hosts are physically separated.
Now the host is going away and the VMs are being moved to the other host.
ASKER CERTIFIED SOLUTION
Andrew Hancock (VMware vExpert PRO / EE Fellow / British Beekeeper), United Kingdom of Great Britain and Northern Ireland
ASKER (Garry Shape)
I'm considering Windows Firewall, but we use Symantec, which disables that. Maybe in Symantec I'll see.
I think if we use the same VLAN then the server can still talk to servers on another VLAN naturally if they are on the same host.
SOLUTION
It turns it off by default, I believe.

In terms of VLANs, so if I have two port groups with the same physical uplink, the VMs on one port group will still go through the physical firewall to get to the other VMs on the other port group?
SOLUTION
Yes, that is correct (or at least will be the scenario soon).
And does this isolated VM need to connect to any other services?

The easiest and quickest method would be to use the Windows/Symantec firewall on either VM, to block send or block receive.

So if you have VM1 and VM2, and VM2 must not receive anything from VM1, set up firewall rules on VM2 to deny all traffic from VM1.

And for good measure you could set up rules on VM1 to stop it sending any traffic to VM2.
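What the rule set in the reply above looks like when written out with the built-in Windows Firewall, as an added example that is not from the original thread. It assumes two hypothetical addresses (VM1 = 10.0.10.11, VM2 = 10.0.10.12), the NetSecurity PowerShell module (Windows Server 2012 / Windows 8 or later; `Test-NetConnection` needs 2012 R2 / 8.1 or later) and an elevated session. It also checks first that the firewall is actually on, since a third-party product such as Symantec may have disabled it, in which case a block rule is silently ineffective.

```powershell
# Added example, not from the original thread. Host-based isolation between two
# Windows VMs using Windows Firewall with Advanced Security.
# Hypothetical addresses: VM1 = 10.0.10.11, VM2 = 10.0.10.12.
# Requires the NetSecurity module and an elevated PowerShell session.

$Vm1 = '10.0.10.11'
$Vm2 = '10.0.10.12'

function Test-FirewallActive {
    # Endpoint products can take over and switch off the built-in firewall;
    # a block rule does nothing if the service is stopped or the profile is off.
    $svc = Get-Service -Name MpsSvc -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        throw 'Windows Firewall service (MpsSvc) is not running'
    }
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    if ($off) {
        throw ('Windows Firewall disabled on profile(s): ' + ($off.Name -join ', '))
    }
    return $true
}

function Add-PeerBlockRules {
    param(
        [Parameter(Mandatory)][string]$PeerAddress,  # the VM this host must not talk to
        [Parameter(Mandatory)][string]$PeerName      # label used in the rule names
    )
    # Inbound: drop everything that arrives from the peer (all protocols, all profiles).
    New-NetFirewallRule -DisplayName "Block inbound from $PeerName" `
        -Direction Inbound -Action Block -RemoteAddress $PeerAddress `
        -Profile Any -Enabled True | Out-Null
    # Outbound: also drop anything this host tries to send to the peer.
    # Block rules take precedence over allow rules, so an existing allow rule
    # for the same traffic does not reopen the path.
    New-NetFirewallRule -DisplayName "Block outbound to $PeerName" `
        -Direction Outbound -Action Block -RemoteAddress $PeerAddress `
        -Profile Any -Enabled True | Out-Null
}

function Get-PeerBlockRules {
    param([Parameter(Mandatory)][string]$PeerName)
    # List the rules together with the address filter each one is bound to.
    Get-NetFirewallRule -DisplayName "Block * $PeerName" | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Direction = $_.Direction
            Action    = $_.Action
            Enabled   = $_.Enabled
            Remote    = $addr.RemoteAddress
        }
    }
}

# Run on VM2 (the server that must not receive anything from VM1):
Test-FirewallActive
Add-PeerBlockRules -PeerAddress $Vm1 -PeerName 'VM1'
Get-PeerBlockRules -PeerName 'VM1' | Format-Table -AutoSize

# Verify from VM2: a probe to the SQL Server port on VM1 should now fail
# (TcpTestSucceeded = False); hosts not covered by the rule are unaffected.
Test-NetConnection -ComputerName $Vm1 -Port 1433 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# On VM1, run the same with the roles swapped:
#   Add-PeerBlockRules -PeerAddress $Vm2 -PeerName 'VM2'
```

Putting rules on both VMs matters for more than tidiness: each side's rule holds on its own, so an administrator of one VM cannot reopen the path just by removing the rule on the box they control. The rules key on IP address only, so if either VM is ever re-addressed (or gets a second NIC) the rules have to be updated; pin the address with a DHCP reservation or static assignment.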
Yeah, the VM would be good communicating with the vast majority of the rest of the network (AD, DNS, internal computers, etc.), just not this one particular VM. Why? Probably because the server owner is irresponsible.
SOLUTION
Ok, thanks. That led me to take a look at this article, which I think I will use:

How to create an IPSec Security Policy specifying to block access to a specific IP address
http://www.serverintellect.com/support/windowsserversecurity/ipsec-blockip/
In VM functions, it makes it a lot easier; otherwise you've got to get into a complicated network redesign for a single workstation.