VMware Cloud Community
compwizpro
Enthusiast
Enthusiast
Jump to solution

way to restrict which which networks are connected to a VM at the same time

Hello,

We are trying to consolidate two different vsphere clusters into one in order to get better utilization of our compute resources.  Each cluster has its own set of networks within.  In order to consolidate the two clusters, we would need to present both set of networks to the same cluster.  Cluster A has a single network and Cluster B has 4 networks that are behind a firewall for non-production use.

Our network security team has a concern of someone creating a VM with two vNICs on it, one vNIC connecting to the network originally in Cluster A and another vNIC connecting to a network in Cluster B that's behind the firewall creating a bridge between the two networks that could bypass the firewall.

Is there a way to deny the ability to have network from Cluster A and network from cluster B be on the same VM?  Almost like an affinity rule where you don't allow the two different networks on the same VM?  I couldn't find anything on this and not sure if it's even a supported feature but I figured I would see if anyone else knew.

We are currently running vSphere 5.0 U3 and are looking to move to vSphere 6 shortly.  We are also using Cisco Nexus 1000v switch for both clusters.

Thanks in advance!

-Michael

Tags (2)
Reply
0 Kudos
1 Solution

Accepted Solutions
weinstein5
Immortal
Immortal
Jump to solution

Welcome to the Community -  If I understand your question you want to move all hosts to single cluster - if this the case than the answer is no - if someone has the ability to create VM in that cluster they will be able to connect it to any network in that cluster - if you maintain two separate cluster you would be able to assign  permissions to each cluster allowing only those users the ability to build VMs only within their cluster -

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

View solution in original post

Reply
0 Kudos
2 Replies
weinstein5
Immortal
Immortal
Jump to solution

Welcome to the Community -  If I understand your question you want to move all hosts to single cluster - if this the case than the answer is no - if someone has the ability to create VM in that cluster they will be able to connect it to any network in that cluster - if you maintain two separate cluster you would be able to assign  permissions to each cluster allowing only those users the ability to build VMs only within their cluster -

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
Reply
0 Kudos
compwizpro
Enthusiast
Enthusiast
Jump to solution

Thank you!  I figured that would be the case but just wanted to be sure. 

Thank you for the response!

Reply
0 Kudos