Setting up Colo - help on design

Hi, I'm building out a colocation rack to host data for some clients.

I am wondering what software platform you used (like VMware), and how you separated each client's network? Also, curious about backups as well!
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Check out LXD. I host 1000s of sites... 100s of clients... many machines... using LXD...

If I had to do this any other way, I'd have to hire staff... shudder...

Also, with LXD all sites run at bare metal (machine) speed, rather than VM (super slow) speed, so you can host more clients/machine or provide high performance hosting.

LXD is your friend.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Tip: If you check Co-Lo prices + OVH prices, you may find OVH will suffice.
Cobra25 (Author) commented:
I am not interested in Linux. I am hosting Windows VMs. Can someone else with experience on this matter respond?
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
This article explains how we isolate tenants from the cluster and from our day-to-day business networks. It's absolutely critical to get the setup right. We've seen cloud hosting companies get hit by encryption events that take everything out, including the tenants, because things were not segmented correctly.

Make sure the Co-Lo is Tier III or better certified. A proper A/B or A/B/C power setup is critical as this is one area where the lower end data centre setups cheap out. Then, when something goes BOOM the entire DC goes offline. BTDT many times.

HEPA filtration and a sales staff that knows what PUE is and can explain how their setup fits in is important. If they don't know their PUE then walk away.

Physical security. SWITCH in Las Vegas has one of the best security setups I've seen. Physical access is ownership. Make sure the DC chosen has proper access solutions in place.

For backups we use Veeam. To off-site those backups an option is CloudConnect to a third party or set up StarWind's Virtual Tape Library and hook that in to BackBlaze for an inexpensive off-site solution.

We run with a pair of SonicWALL NSA series with failover and High Availability with 10GbE SFP connections.

Our tenant clusters are built on Storage Spaces and Hyper-V and now Storage Spaces Direct. We're an all Microsoft house.
Cobra25 (Author) commented:
Philip, how much is Veeam offsite? How do you back up locally, do you have a NAS or something?

Do you use an L3 switch to create vlans for each customer?
Benjamin Van Ditmars (Sr Network Engineer) commented:
In the infrastructure part, run VRFs to separate client traffic, and run firewalls that can run in a multi-tenant config, like Cisco contexts. Then you're sure all traffic is separated. Don't use SonicWALL; they can't do this and it will be a shared firewall.

On the server layer, you can do VMware, Hyper-V, or any other virtualization platform. But keep in mind how to make backups and be able to make promises on data recovery.

We run more than 750 customers with 19200 virtual servers without any problem. If you need help with the design of the network, send me a private message and I will make a design that will fit.
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Veeam has a partner site to check, then reach out to the various vendors listed there.

Managed switches with VLANs set up for each tenant and DENY rules on the SonicWALL between the VLANs.
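As an added illustration of the "VLAN per tenant plus DENY rules between them" approach (example code written for this page, not from the thread or any vendor), here is a small policy checker that evaluates zone rules first-match and reports any path that lets one tenant zone reach another. The zone names, rule order and the permissive DNS rule are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed zone table: each tenant is its own VLAN/zone; MGMT holds shared
# services such as DNS, WAN is the internet edge. Names are assumptions.
ZONES = {"WAN": None, "MGMT": 10, "TENANT_A": 101, "TENANT_B": 102, "TENANT_C": 103}
TENANTS = [z for z in ZONES if z.startswith("TENANT_")]

@dataclass
class Rule:
    src: str              # zone name or "ANY"
    dst: str              # zone name or "ANY"
    action: str           # "ALLOW" or "DENY"
    service: str = "ANY"  # e.g. "UDP/53"; "ANY" matches every service

def matches(rule, src, dst, service):
    """A zone pattern of ANY matches every zone; ANY service matches every service."""
    return (rule.src in ("ANY", src) and rule.dst in ("ANY", dst)
            and rule.service in ("ANY", service))

def decide(rules, src, dst, service):
    """First-match evaluation with an implicit final DENY; returns (action, rule index)."""
    for i, r in enumerate(rules):
        if matches(r, src, dst, service):
            return r.action, i
    return "DENY", None

def tenant_leaks(rules, probes=("ANY", "TCP/445", "UDP/53")):
    """Every tenant-to-tenant path some rule lets through, with the rule that opened it."""
    leaks = []
    for a in TENANTS:
        for b in TENANTS:
            if a == b:
                continue
            for svc in probes:
                action, idx = decide(rules, a, b, svc)
                if action == "ALLOW":
                    leaks.append((a, b, svc, idx))
    return leaks

# Weak policy: a convenience "everyone may reach DNS" rule sits above the tenant
# rules and, because it is ANY -> ANY, also lets tenants reach each other on UDP/53.
WEAK = [Rule("ANY", "ANY", "ALLOW", "UDP/53"),
        Rule("TENANT_A", "WAN", "ALLOW"), Rule("TENANT_B", "WAN", "ALLOW"),
        Rule("TENANT_C", "WAN", "ALLOW"), Rule("MGMT", "ANY", "ALLOW")]

# Corrected policy: explicit tenant-to-tenant DENY rules first, then an allow
# that names the shared DNS zone as destination instead of ANY.
FIXED = ([Rule(a, b, "DENY") for a in TENANTS for b in TENANTS if a != b]
         + [Rule("ANY", "MGMT", "ALLOW", "UDP/53")] + WEAK[1:])

if __name__ == "__main__":
    print("weak policy leaks:", tenant_leaks(WEAK))    # six UDP/53 paths via rule 0
    print("fixed policy leaks:", tenant_leaks(FIXED))  # []
```

Running it against an exported rule table is a quick way to catch the classic mistake of an ANY-to-ANY service allow placed above the inter-tenant denies.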
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
How you host Windows VMs depends on your budget + technical expertise.

If your budget is high then license VMware or some other VM system.

If you prefer a free solution to optimize your profits + have good expertise available to you, run LXD + VirtualBox + your Windows installs.

With LXD all networking is pretty much set up once you init LXD the first time.

Usually takes 15-20 minutes to install a bare metal machine + have VirtualBox containers ready for Windows installs.
Cobra25 (Author) commented:
Benjamin Van Ditmars - I sent you a message.
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
@Benjamin "SonicWALL can't segment network traffic based on VLAN setups"? They are called "Zones" and configured as such. I suggest digging in a bit deeper before making such pronouncements since this one is outright wrong.

We have plenty of hosting setups running with NSA series SonicWALL edges with nary a packet crossed between tenants.

Please point out a single hosting provider that has multiple physical firewall/edge devices for each tenant. That's an untenable proposition.
Benjamin Van Ditmars (Sr Network Engineer) commented:
Philip, I have been working with SonicWALL for about 15 years, and I love using them. But in a shared customer environment we stopped using them, to give every customer their own context. This is based on dynamic routing: every customer gets their own SSL VPN with their own certificate, and also access to "their" firewall.

It's too bad that SonicWALL is behind on this part.

"Please point out a single hosting provider that has multiple physical firewall/edge devices for each tenant. That's an untenable proposition."

I don't see where Benjamin suggested this in his comment. Multi-context is making efficient use of ASA hardware for multiple tenants.

In addition to Benjamin's suggestions, I would venture into even more virtualization, such as ASAv, CSR1000v, Nexus 1000v, and vSRX. This will allow you to assign virtual network devices per customer, all contained within your VM chassis/hosts.
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Okay, then I missed the point. My apologies.

SSL VPN should be able to be set up for zones though?

We use Application Request Routing in IIS to route all inbound HTTPS to tenant's RD Gateway, Exchange, SharePoint, or custom services.

All connections are HTTPS with some having 2 Factor Authentication set up to protect those resources as well.

It's a very flexible system and as secure as the humans using it. :)
SSL VPN should be able to be set up for zones though?

I don't know what you are referring to here. If it is Benjamin's mention of SSL VPN, my understanding from his statement is that it just shows how segmented ASA contexts are. They virtually provide each tenant a separate firewall, to the point of even having a separate SSL VPN.

I also think ARR and SSL VPN are kind of an apples and oranges comparison. Different purposes IMO.
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
@Soulja We don't work with Cisco ASA. I'm thinking that Zones on the SonicWALL are the same as the segmentation in the ASA.

ARR/RD Gateway is an SSL secured access point to the tenant system. The difference being the tenant authenticates to their own AD/DC instead of the ASA/SonicWALL for access to their resources. That eliminates a step (connecting SSL VPN first).
Ah ok. Yeah, seems like just two different ways to skin the cat honestly. I mean you could have your SSL VPN authenticate to each customer's AD/DC also.

In regards to context vs zone, yes, that's probably the mix-up here. Contexts aren't security zones, but actual virtual firewalls within an ASA chassis. Security zones in my experience are just that, zones for traffic flow that can house one or more firewall interfaces.

Anyway, nice chatting with you.