Bill H
Setting up Colo - help on design

Hi, I'm building out a colocation rack to host data for some clients.

I am wondering what software platform you used (like VMware), and how you separated each client's network? Also, curious on backups as well!
David Favor

Check out LXD. I host 1000s of sites... 100s of clients... many machines... using LXD...

If I had to do this any other way, I'd have to hire staff... shudder...

Also, with LXD all sites run at bare metal (machine) speed, rather than VM (super slow) speed, so you can host more clients/machine or provide high performance hosting.

LXD is your friend.
Tip: If you check Co-Lo prices + OVH prices, you may find OVH will suffice.
Bill H

ASKER

I am not interested in Linux. I am hosting Windows VMs. Can someone else with experience on this matter respond?
This article explains how we isolate tenants from the cluster and from our day-to-day business networks. It's absolutely critical to get the setup right. We've seen cloud hosting companies get hit by encryption events that take everything out, including the tenants, because things were not segmented correctly.

Make sure the Co-Lo is Tier III or better certified. A proper A/B or A/B/C power setup is critical as this is one area where the lower end data centre setups cheap out. Then, when something goes BOOM the entire DC goes offline. BTDT many times.

HEPA filtration and a sales staff that knows what PUE is and can explain how their setup fits in is important. If they don't know their PUE then walk away.

Physical security. SWITCH in Las Vegas has one of the best security setups I've seen. Physical access is ownership. Make sure the DC chosen has proper access solutions in place.

For backups we use Veeam. To off-site those backups an option is CloudConnect to a third party or set up StarWind's Virtual Tape Library and hook that in to BackBlaze for an inexpensive off-site solution.

We run with a pair of SonicWALL NSA series with failover and High Availability with 10GbE SFP connections.

Our tenant clusters are built on Storage Spaces and Hyper-V and now Storage Spaces Direct. We're an all Microsoft house.
Bill H

ASKER

Philip, how much is Veeam offsite? How do you back up locally, do you have a NAS or something?

Do you use an L3 switch to create VLANs for each customer?
In the infrastructure part, run VRFs to separate client traffic, and run firewalls that can run in a multi-tenant config, like Cisco contexts.
Then you're sure all traffic is separated. Don't use SonicWALL; they can't do this and it will be a shared firewall.

On the server layer, you can do VMware or Hyper-V, or any other virtualization platform, but keep in mind how to make backups and be able to make promises on data recovery.

We run more than 750 customers with 19200 virtual servers without any problem. If you need help with the design of the network, send me a private message and I will make a design that will fit.
Veeam has a partner site to check; then reach out to the various vendors listed there.

Managed switches with VLANs set up for each tenant and DENY rules on the SonicWALL between the VLANs.
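As an added illustration of the per-tenant VLAN plus inter-VLAN DENY approach described above (this is not code from the thread or from any vendor), a small first-match policy checker that verifies every ordered pair of tenant zones is explicitly denied. The rule model, zone names and sample policies are hypothetical and do not mirror any firewall's configuration syntax.

```python
"""Verify that a zone-based firewall policy keeps tenant VLANs isolated.

Hypothetical rule model (not any vendor's syntax): rules are evaluated
top-down, first match wins, and anything unmatched falls to a default.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone name or "any"
    dst_zone: str   # zone name or "any"
    action: str     # "allow" or "deny"


def evaluate(rules, src, dst, default="allow"):
    """Return the action of the first rule matching src -> dst, else default."""
    for r in rules:
        if r.src_zone in (src, "any") and r.dst_zone in (dst, "any"):
            return r.action
    return default


def find_tenant_leaks(rules, tenant_zones, default="allow"):
    """Return every ordered tenant pair whose traffic is NOT denied."""
    return [(s, d) for s, d in permutations(tenant_zones, 2)
            if evaluate(rules, s, d, default) != "deny"]


# Constructed sample: three tenant VLAN zones and a WAN zone.
TENANTS = ["VLAN_TenantA", "VLAN_TenantB", "VLAN_TenantC"]

# Weak policy: only A<->B was denied; the operator forgot tenant C.
WEAK_POLICY = [
    Rule("VLAN_TenantA", "VLAN_TenantB", "deny"),
    Rule("VLAN_TenantB", "VLAN_TenantA", "deny"),
    Rule("any", "WAN", "allow"),
]

# Hardened policy: permit tenant -> WAN, then deny everything else.
# Order matters: a trailing catch-all deny covers any tenant added later.
HARDENED_POLICY = [
    Rule("any", "WAN", "allow"),
    Rule("any", "any", "deny"),
]

if __name__ == "__main__":
    print("weak leaks:", find_tenant_leaks(WEAK_POLICY, TENANTS))
    print("hardened leaks:", find_tenant_leaks(HARDENED_POLICY, TENANTS))
```

Running the checker whenever a tenant VLAN is added catches the common failure where pairwise denies are written by hand and one new zone is missed.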
How you host Windows VMs depends on your budget + technical expertise.

If your budget is high then license VMWare or some other VM system.

If you prefer a free solution to optimize your profits + have good expertise available to you, run LXD + VirtualBox + your Windows installs.

With LXD all networking is pretty much setup once you init LXD the first time.

Usually takes 15-20 minutes to install a bare metal machine + have VirtualBox containers ready for Windows installs.
Bill H

ASKER

Benjamin Van Ditmars - i sent you a message.
@Benjamin "SonicWALL can't segment network traffic based on VLAN setups"? They are called "Zones" and configured as such. I suggest digging in a bit deeper before making such pronouncements since this one is outright wrong.

We have plenty of hosting setups running with NSA series SonicWALL edges with nary a packet crossed between tenants.

Please point out a single hosting provider that has multiple physical firewall/edge devices for each tenant. That's an untenable proposition.
Philip, I have been working with SonicWALL for about 15 years, and I love using them. But in a shared customer environment we stopped using them
to give every customer their own context. This is based on dynamic routing: every customer gets their own SSL VPN with their own certificate,
and also access to "their" firewall.

It's too bad that SonicWALL is behind on this part.

Benjamin
@Philip
"Please point out a single hosting provider that has multiple physical firewall/edge devices for each tenant. That's an untenable proposition."

I don't see where Benjamin suggested this in his comment. Multi-context is making efficient use of ASA hardware for multiple tenants.

@author

In addition to Benjamin's suggestions, I would venture to even more virtualization, such as ASAv, CSR1000v, Nexus 1000v, and vSRX. This will allow you to assign virtual network devices per customer and have all of them contained within your VM chassis/hosts.
Okay, then I missed the point. My apologies.

SSL VPN should be able to be set up for zones though?

We use Application Request Routing in IIS to route all inbound HTTPS to tenant's RD Gateway, Exchange, SharePoint, or custom services.

All connections are HTTPS with some having 2 Factor Authentication set up to protect those resources as well.

It's a very flexible system and as secure as the humans using it. :)
@Philip
SSL VPN should be able to be set up for zones though?

I don't know what you are referring to here. If it is Benjamin's mention of SSL VPN, my understanding from his statement is that it just shows how segmented ASA contexts are. They virtually provide each tenant a separate firewall, to the point of even having a separate SSL VPN.

I also think ARR and SSL VPN are kind of an apples and oranges comparison. Different purposes IMO.
@Soulja We don't work with Cisco ASA. I'm thinking that Zones on the SonicWALL is the same as the segmentation in the ASA.

ARR/RD Gateway is an SSL secured access point to the tenant system. The difference being the tenant authenticates to their own AD/DC instead of the ASA/SonicWALL for access to their resources. That eliminates a step (connecting SSL VPN first).
@Philip
Ah ok. Yeah, seems like just two different ways to skin the cat honestly. I mean you could have your SSL VPN authenticate to each customer's AD/DC also.

In regards to the context vs zone, yes, that's probably the mix-up here. Yeah, contexts aren't security zones, but actual virtual firewalls within an ASA chassis. Security zones in my experience are just that, zones for traffic flow that can house one or more firewall interfaces.

Anyway, nice chatting with you.