Hello All,
I really need a solution to my queries, as I'm new to NSX and network security. Please help me.
We have been using Cisco 1000v/VSG to secure the backup VLAN which is used dedicated for taking backups of VM and Physical Servers.
After VMWare announced discontinuing the third party switches; We have got recommendation from VMware to use NSX to replace VSG and VDS to replace the Cisco 1000v.
My question is, do I really need to spend lot of money just to protect one VLAN which is used for taking backups of VM's?
the best practice to backup VM/Physical servers is using a dedicated network. But, Is this is correct which we have been following?
Can't we have a protected Backup VLAN using just VDS and without NSX?
Why should I secure a backup network VLAN using a software firewall (Cisco VSG or VMWare NSX)? Can't we secure the Backup VLAN at Physical Switch Level?
We are taking snapshot backups and that too encrypted; What issues I may face if I don't have a layer of Security using software (NSX)?
Thanks again for your valuable time.
Regards
Ravi
What do you want me to answer? I don't know if you want to spend the money on it. NSX has even more advantages.
But if it is only about the backup, I would like to ask the following question:
Why do you need a dedicated VLAN for backups and thus connect all VMs to each other? In this case you don't need firewalls or further VLANs because it's a security nightmare...
Possible solution: Private VLANs. But the physical switches must support it.
Or, another solution could be: Using a backup solution that works at VM level, for example: Veeam. These backup solutions work with the vCenter and connect to the ESXi hosts and datastores directly and do not necessarily require a network connection to the VM (apart from Application Aware backups).
Thank You For your time and reply.
Why do you need a dedicated VLAN for backups and thus connect all VMs to each other? In this case you don't need firewalls or further VLANs because it's a security nightmare...
Possible solution: Private VLANs. But the physical switches must support it.
Dedicated VLAN/Physical Network for VM backups and Physical Server backups helps to run backups smoothly and run production with out any bandwidth issues.
Firewall required for security purpose. To make sure no one else trying to login VM Guests using that extra NIC/IP.
Can you give me details about Private VLAN's?
Or, another solution could be: Using a backup solution that works at VM level, for example: Veeam. These backup solutions work with the vCenter and connect to the ESXi hosts and datastores directly and do not necessarily require a network connection to the VM (apart from Application Aware backups).
We are taking snapshot backups using Commvault, But that requires an agent which takes backups on network. Commvault do have other SAN level backup options, but that has some challenges with data store design.
Thanks & Regards
Ravi
Firewall required for security purpose. To make sure no one else trying to login VM Guests using that extra NIC/IP.
And what happens if VM A is compromised and the attacker accesses VM B via the backup VLAN? Since it is the same L2 connection, the traffic does not necessarily pass through the firewall.
Can you give me details about Private VLAN's?
Understanding Private VLANs - TechLibrary - Juniper Networks
We are taking snapshot backups using Commvault, But that requires an agent which takes backups on network. Commvault do have other SAN level backup options, but that has some challenges with data store design.
There are backup solutions that work at the ESXi and vCenter levels and do not require an agent in the VM or a network connection to the VM.