Scenario:
We have a single vCenter with 8 hosts, but our requirement is to isolate 2 hosts dedicated for DMZ out of 6 hosts in a single vCenter.
How to isolate a DMZ host in a single vCenter? Is it possible to isolate it so that it does not communicate with the normal-operations VMs running on the same vCenter?
Environment:
8 hosts total
6 for normal operations
2 for DMZ isolation
vSphere 6.5
HP Blade servers Gen9
Suggestions and replies are appreciated.
The VMCI (Virtual Machine Communication Interface, a high-speed interface that virtual machines (VMs) on the same host could use to communicate with each other and with host kernel modules) was deprecated in version 5.0 and removed from version 5.1 onward, so it no longer exists in version 6.5.
This means, from your perspective, that all traffic between VMs will need to flow through provisioned vSwitches, where you can then isolate and route traffic based on port group, vSwitch, etc., as you require.
https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-65-networking-guide.pdf
The above document provides a complete overview of vSphere networking, and how it can be configured to achieve exactly what you require.
If you wanted to go further and place physical rather than logical controls for your DMZ servers, you could create a new DMZ cluster within vCenter from the two nodes you have identified. When doing this, consider your capacity, HA and affinity requirements. For example, if you are load balancing to multiple VMs, you might consider creating anti-affinity rules to run those VMs on separate hosts. With HA you need to consider what happens in the event of a host failure: is there enough capacity in your two-node cluster to run all VMs?
With both solutions you keep one vCenter as a single administration point.
Hope this helps.
Simon
Yes, you can. For this you have to create a different cluster for DMZ and then put the ESXi hosts into it. Moreover, DMZ means you will be in a different subnet/network than you are in currently; this all needs new VLANs and port groups and different firewall policies. The major work here needs to be done from the networking end.
And after all the setup you need to migrate the VMs to the DMZ cluster, proceeding with downtime because the IP will change. Make sure to check the required application or OS ports so that the servers will be accessible from the DMZ environment as well, because in DMZ environments there are strict firewall policies.
Good Luck.
conyards, thank you, will check.
Thank you. The VMs are not yet created, so it is a new setup.
But all the host management networks are the same, so each host will communicate with the other hosts if they are in the same vCenter. Please correct me if I am wrong.
Hosts can remain on the same network, yes.
However, the vSwitches that host the VMs located in the DMZ will be different and logically isolated from your non-DMZ networks.
Thanks
Simon
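As an added example (not part of this thread, and not something the posters ran), here is a PowerCLI sketch of the approach described in the replies: a separate DMZ cluster for the two hosts, a vSwitch on each that owns only the DMZ uplinks with a VLAN-tagged port group, and a check that the DMZ port group and uplinks are not shared with non-DMZ hosts or vSwitches. The names used (DC1, esx07/esx08, vmnic4/vmnic5, VLAN 200, vcenter.example.local) are assumptions.

```powershell
# Added example (not from the thread). Assumed names: datacenter "DC1", hosts esx07/esx08,
# uplinks vmnic4/vmnic5 cabled only to DMZ switch ports, VLAN 200 for the DMZ port group.
Connect-VIServer -Server vcenter.example.local

$dc         = Get-Datacenter -Name 'DC1'
$dmzHosts   = Get-VMHost -Name 'esx07.example.local','esx08.example.local'
$dmzVlan    = 200
$dmzUplinks = 'vmnic4','vmnic5'

# 1. Dedicated cluster. With only two nodes, HA admission control must reserve room for one host failure.
$dmzCluster = New-Cluster -Name 'DMZ-Cluster' -Location $dc -HAEnabled -HAAdmissionControlEnabled `
              -HAFailoverLevel 1 -DrsEnabled -DrsAutomationLevel FullyAutomated
$dmzHosts | Move-VMHost -Destination $dmzCluster -Confirm:$false

# 2. On each DMZ host: a standard vSwitch that owns only the DMZ uplinks, plus a VLAN-tagged port group.
foreach ($h in $dmzHosts) {
    $nics = Get-VMHostNetworkAdapter -VMHost $h -Physical | Where-Object { $dmzUplinks -contains $_.Name }
    $vs   = New-VirtualSwitch -VMHost $h -Name 'vSwitch-DMZ' -Nic $nics
    New-VirtualPortGroup -VirtualSwitch $vs -Name 'PG-DMZ' -VLanId $dmzVlan | Out-Null
}

# 3. Verification: the DMZ port group must not exist on any host outside the DMZ cluster ...
$leaks = Get-VMHost | Where-Object { $_.Parent.Name -ne 'DMZ-Cluster' } |
         Get-VirtualPortGroup -Name 'PG-DMZ' -ErrorAction SilentlyContinue
if ($leaks) {
    Write-Warning "PG-DMZ found outside the DMZ cluster on: $($leaks.VMHost.Name -join ', ')"
}

# ... and on each DMZ host the DMZ vSwitch must not share a physical uplink with any other vSwitch,
# otherwise the "logical isolation" collapses onto the same wire.
foreach ($h in $dmzHosts) {
    $dmzNics   = (Get-VirtualSwitch -VMHost $h -Name 'vSwitch-DMZ').Nic
    $otherNics = Get-VirtualSwitch -VMHost $h | Where-Object { $_.Name -ne 'vSwitch-DMZ' } |
                 ForEach-Object { $_.Nic }
    $shared = $dmzNics | Where-Object { $otherNics -contains $_ }
    if ($shared) {
        Write-Warning "$($h.Name): uplink(s) $($shared -join ', ') shared between DMZ and non-DMZ vSwitches"
    }
}
```

Step 3 is the part worth re-running after any networking change, since a port group or uplink added later is what quietly undoes the isolation.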