VMware Cloud Community
stephentzsamal
Contributor
Contributor
‎04-05-2017 12:20 PM

Limit the port groups a VM can connect to

Hi

I've been researching and surprisingly found nothing so far which is odd, I would think other enterprises would have faced similar challenge.

What we have is a cluster with access to a preprod and prod.

2 connection to preprod,vlans 10, 20,30

2 connections to prod, vlans 100, 200, 300

-------------------

vSwitch1 with 3 Pg's

PG_v10_pp

PG_v20_pp

PG_v30_pp

vSwitch2 with 3 Pg's

PG_v100_pd

PG_v200_pd

PG_v300_pd

VMs on VLAN10 and VLAN100 have the same Name and IP

SERVER001 | 10.222.10.33 | connected to PG_v10_pp

SERVER001 | 10.222.10.33 | connected to PG_v100_pd

Same for V20, 200 and 30,  300.

What we  want to avoid is someone on purpose or by accident to take the VM and change its port group from PG_v10_pp to PG_v100_pd, for example.

Any elegant way of doing this within vSphere products? Is another product or add-on needed to achieve this?

The only thing I can think of is giving the user that has access to the Prod vLAN, giving that user NoAccess to PreProd vLANs and vice versa. But eventually there would  have to  be a super admin that needs access to see both?

Also if a VM is connected to PROD and a user with access to preprod VMs only logs in and edits the Prod machines settings, they should be able to see all  the preprod portgroups and then re-assing that VM to a preprod vlan, effectively nullifying the entire delegation policy we are trying to achieve, unless the users with access to preprod network are also restricted to see preprod VMs as well and vice versa.

I digress, is there  a simply way of saying VM001 cannot connect to PG1, PG2, and PG3?

Thanks

0 Kudos
1 Reply
Eric_Allione
Enthusiast
Enthusiast
‎04-05-2017 04:10 PM

There may not be a feature for "port-group" affinity like there is for host affinity etc, but  you can create roles that only allow DVPortgroup.Modify for those on your team who know better. If this is the only privilege which you wanted to restrict, then in global configuration you could start with the Administrator templates giving you King Kong rights, and then remove the role for DVPortgroup.Modify.

The list of roles can be found at vSphere API/SDK Documentation > vSphere Management SDK > vSphere Web Services SDK Documentation > vSphere Web Services SDK Programming Guide > Privileges Reference.

0 Kudos