donohoe1
Best way to manage DMZ ESXi host?
We have a lone ESXi 6.7 host in our DMZ which is the dedicated host for our DMZ VMs. It is directly connected to the DMZ port on our ASA. We're trying to figure out the safest way to manage it. As it stands right now, our two options are:
1. Connect the management interface directly to our management network. I don't particularly like this because that host is directly connecting our DMZ to our management network, and we're relying on VMs not being able to attack their host to keep our management network secure.
2. Connect the management interface to an empty port on our ASA, set that port to a higher security level than our DMZ network but lower security level than our internal production network, then manage it directly through our production network. I don't particularly like this since the management interface will be directly exposed to our production network, though it would be on a different network.
Any thoughts, comments, insults, rants?
ASKER
That's what I mean. The DMZ port on our ASA is connected to the NIC attached to the port group providing VM access.
We're trying to figure out how to handle the management interface of the host. Having the host connected to the DMZ and the management network just seems...wrong.
If you have an ESXi host in a completely dark site (in your case the DMZ), then at least port 443 needs to be open to manage it first.
Ensure you are accessing it from another machine which is in the DMZ, to ensure that it is a secure method, and limit its access to a specific set of people.
It's standalone, so the only way is via connecting to the management UI.
Thanks,
MS
>>That's what I mean. The DMZ port on our ASA is connected to the NIC attached to the port group providing VM access.
So connect ANOTHER NIC on the ESX host to the prod network on a separate vSwitch; these are separate networks?
The DMZ prevents exit out of the host to the LAN/management network.
Your inter-LAN rules should allow a system from a management IP, or other, access to the ESXi host.
As Pete commented, the ESXi host has multiple interfaces; you can either set a trunk in the host into a virtual switch where each VM is tagged to a specific LAN,
or have the X management port explicitly set and connected to the management side, with the remaining virtual switch configuration ...
Since each segment has its own IP block, and presumably you set static IPs in the VMs, even if you err and "connect" a VM to the wrong "port" on the virtual switch it will not have a path out.
VCSA is how you should manage your ESXi host.
That is what I said: you have to manage the connections.
Just create a port group in the ESX server and connect that to the DMZ?
>>Connect the management interface directly to our management network. I don't particularly like this
>>because that host is directly connecting our DMZ to our management network, and we're relying on
>>VMs not being able to attack their host to keep our management network secure.
No it isn't, if your VMs are in a different port group than the management port group, or even on different vSwitches.
>>Connect the management interface to an empty port on our ASA, set that port to a higher security level
>>than our DMZ network but lower security level than our internal production network, then manage it directly
>>through our production network. I don't particularly like this since the management interface will be directly
>>exposed to our production network, though it would be on a different network.
It's the management interface (or what we used to call the service console); it should be in your production/management network, that's its job. Connecting different PHYSICAL vmnics to different PHYSICAL switches (or even VLANs) is accepted practice.
Regards,
Pete
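As an added example (not code from this thread or from VMware), the separation Pete and the earlier poster describe can be verified on the host itself: the script below parses the text output of `esxcli network vswitch standard list` and reports a management vSwitch that also carries VM port groups or shares a physical vmnic with another vSwitch. The port group name `Management Network` is the ESXi default (adjust if renamed), and the embedded sample output is constructed.

```python
import re
MGMT_PORTGROUP = "Management Network"  # ESXi default name; adjust if renamed

# Constructed sample of `esxcli network vswitch standard list` output (fields the
# check ignores are omitted); vSwitch0 is laid out the way the question worries about.
SAMPLE = """\
vSwitch0
   Name: vSwitch0
   Uplinks: vmnic0
   Portgroups: Management Network, VM Network

vSwitch1
   Name: vSwitch1
   Uplinks: vmnic0, vmnic1
   Portgroups: DMZ
"""

def parse_vswitches(text):
    """Return {name: {"uplinks": set, "portgroups": set}} from esxcli output."""
    switches, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+(Name|Uplinks|Portgroups):\s*(.*)$", line)
        if not m:
            continue
        key = m.group(1)
        values = [v.strip() for v in m.group(2).split(",") if v.strip()]
        if key == "Name":
            current = switches.setdefault(values[0], {"uplinks": set(), "portgroups": set()})
        elif current is not None:
            current[key.lower()].update(values)
    return switches

def audit(switches, mgmt_pg=MGMT_PORTGROUP):
    """Return findings as strings; an empty list means the management vSwitch is isolated."""
    mgmt = [n for n, s in switches.items() if mgmt_pg in s["portgroups"]]
    if len(mgmt) != 1:
        return [f"management port group '{mgmt_pg}' found on {len(mgmt)} vSwitches"]
    name, sw = mgmt[0], switches[mgmt[0]]
    # 1. other port groups on the same vSwitch as the management vmkernel port
    findings = [f"{name}: VM port group '{pg}' shares the management vSwitch"
                for pg in sorted(sw["portgroups"] - {mgmt_pg})]
    # 2. physical uplinks shared with any other vSwitch (no PHYSICAL separation)
    for other, osw in switches.items():
        shared = sw["uplinks"] & osw["uplinks"]
        if other != name and shared:
            findings.append(f"{name} and {other} share uplink(s) {sorted(shared)}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_vswitches(SAMPLE)):
        print("FINDING:", finding)
```

Any port group other than the management one is flagged, so a host that also keeps vMotion or storage vmkernel ports on that vSwitch will show findings to review rather than a clean result.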