I have read a few threads on this, but here goes:
I have a standalone ESXi 4 host in a DMZ network. I have a vCenter server and ESXi 4 hosts in a LAN network. There is a Cisco firewall separating the two.
The reason for the ESXi in the DMZ was to host a few production VMs that are accessed externally. This host has a management network also in the DMZ. So all access via vSphere client is via its DMZ IP address.
I want to add this host into our existing vCenter structure ... for logging of performance data, ease of manageability and to allow our LAN-hosted VMware Data Recovery VM to take backups of the DMZ VMs.
I thought about opening ports, etc ... but that seems a pain. What I would rather do is:
- create a new vSwitch with a VMkernel port/Management network directly connected to the LAN (there is a spare network interface for this) and give it a LAN IP address.
- delete the existing VMkernel and management ports from the DMZ-facing vSwitch, but retain the existing VM Network, to allow DMZ VMs to not lose access to the DMZ network. These are production systems.
I need to do this without any downtime for the DMZ VMs... is this scenario viable?
In the end, I would have:
vSwitch0 (in the DMZ), with its VM Network port group.
vSwitch1 (in the LAN), with a VMkernel Port and Management Network.
vCenter, vDR would access this host with its LAN IP address via vSwitch1, hence no issues should arise with adding the host, managing it, migrating VMs, backing up VMs with vDR (as that is all done via the management network, right??)
Also, I have a LAN datacenter defined in vCenter. Wondering if I should add the new host to it or create a separate DMZ one. Would that impact VM Template deployment (from LAN host to DMZ host), backups, etc.
There is no dedicated network security team here, so I need to use my own judgement, but I do want to have a structure that is easy to setup and maintain (and add on to).
Thanks.
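A PowerCLI version of the cutover described in the post, as an added example that is neither the poster's nor VMware's code: it builds vSwitch1 with a LAN-addressed, management-enabled VMkernel port first, checks that the LAN address answers, and only then removes the DMZ-facing management port, leaving the VM Network port group on vSwitch0 untouched. The vCenter name, host name, uplink, addresses and port-group names are assumed placeholders, and it assumes PowerCLI 4.1 or later run from a session opened through vCenter on the LAN rather than through the host's DMZ address.

```powershell
# Added example: move ESXi management from the DMZ vSwitch to a LAN vSwitch
# without touching the VM Network port group. All names and addresses are placeholders.
Connect-VIServer -Server "vcenter.lan.example"      # assumed vCenter name (LAN side)

$vmhost  = Get-VMHost -Name "esx-dmz01.example"     # assumed name of the DMZ host
$lanNic  = "vmnic1"                                 # assumed spare uplink cabled to the LAN
$lanIp   = "10.10.20.50"                            # assumed LAN management address
$lanMask = "255.255.255.0"
$lanPg   = "Management Network LAN"                 # new port group on vSwitch1
$dmzPg   = "Management Network"                     # existing DMZ management port group

# 1. New vSwitch on the spare NIC with a management-enabled VMkernel port on the LAN.
#    The port group is created by the cmdlet when it does not yet exist.
$vsw1 = New-VirtualSwitch -VMHost $vmhost -Name "vSwitch1" -Nic $lanNic
New-VMHostNetworkAdapter -VMHost $vmhost -VirtualSwitch $vsw1 -PortGroup $lanPg `
    -IP $lanIp -SubnetMask $lanMask -ManagementTrafficEnabled $true | Out-Null

# 2. Prove the LAN address answers before removing anything. Dropping the DMZ vmk while
#    the LAN one is unreachable leaves the host manageable only from its console.
if (-not (Test-Connection -ComputerName $lanIp -Count 3 -Quiet)) {
    throw "LAN management address $lanIp not reachable; DMZ management left in place."
}

# 3. Remove only the management VMkernel port and its port group from vSwitch0.
#    The VM Network port group is never referenced, so running VMs keep DMZ connectivity.
$dmzVmk = Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel |
          Where-Object { $_.PortGroupName -eq $dmzPg }
if ($dmzVmk) { Remove-VMHostNetworkAdapter -Nic $dmzVmk -Confirm:$false }
Get-VirtualPortGroup -VMHost $vmhost -Name $dmzPg | Remove-VirtualPortGroup -Confirm:$false

# 4. Show the result: vSwitch0 should now carry only the VM Network port group.
Get-VirtualPortGroup -VMHost $vmhost | Select-Object VirtualSwitchName, Name
```

ESXi 4 keeps a single VMkernel default gateway, so after the cutover confirm with Get-VMHostNetwork that the VMKernelGateway points at the LAN router (Set-VMHostNetwork -VMKernelGateway changes it). Once this is in place the host itself spans both zones, which is the trade-off the post is weighing against opening firewall ports.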