VMware Cloud Community
lwb250
Contributor

ESXi v5.1 / vSphere Security Best Practices

We have an existing VMware environment with a cluster that is running virtual machines for our DMZ only.  The DMZ VMs are all connected with a single virtual switch in this cluster and have dedicated physical NICs for their trunk ports.  We have a significant amount of capacity for expansion in this cluster.  Here's the question:

We are absorbing some formerly remote departments that will be migrating to our production environment in the near future.  Is there any reason why we could not run their VMs on a separate virtual switch within this cluster, even though these VMs will not be in the DMZ?

In other words, we would have different totally separate groups on their own virtual switches connected to physical NICs for those groups only.

This may seem painfully obvious, but former employees were adamant that there could be no commingling of VM groups between production and DMZ on the same cluster.  In other words, there had to be a separate cluster for production and a separate cluster for the DMZ.

From what I can see in the ESXi hardening guides this appears to be acceptable.

Thanks in advance!

1 Reply
weinstein5
Immortal

Welcome to the Community - You are correct - as long as you configure your vSwitches so that the traffic is separate, there should be no issue.

If you find this or any other answer useful, please consider awarding points by marking the answer correct or helpful.
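The reply's condition ("as long as the traffic is separate") is something you can check mechanically rather than trust. The script below is an added example, not code from the thread or from VMware: it audits a cluster inventory for the three ways zone separation on a shared cluster silently breaks when DMZ and production vSwitches coexist on the same hosts. The inventory is a constructed stand-in for what a PowerCLI or esxcli dump would give you (host names, vSwitch names, vmnic numbers, port group and VM names are all invented); the zone-per-vSwitch mapping in `ZONES` is likewise an assumption you would replace with your own design.

```python
"""Audit zone separation on a shared ESXi cluster (added example, not from the thread).

The inventory is a constructed stand-in for what a PowerCLI or esxcli dump
would give you: per host, each standard vSwitch with its physical uplinks
(vmnicN) and port groups; per VM, the port groups its vNICs attach to.
Zone membership is declared per vSwitch name.
"""
from collections import defaultdict

# Constructed sample inventory with three deliberate mistakes (see comments).
INVENTORY = {
    "hosts": {
        "esx01": {"vswitches": {
            "vSwitch0":     {"uplinks": ["vmnic0", "vmnic1"], "portgroups": ["Management Network", "vMotion"]},
            "vSwitch-DMZ":  {"uplinks": ["vmnic2", "vmnic3"], "portgroups": ["DMZ-Web", "DMZ-Mail"]},
            "vSwitch-Prod": {"uplinks": ["vmnic4", "vmnic5"], "portgroups": ["Prod-Finance", "Prod-HR"]},
        }},
        "esx02": {"vswitches": {
            "vSwitch0":     {"uplinks": ["vmnic0", "vmnic1"], "portgroups": ["Management Network", "vMotion"]},
            "vSwitch-DMZ":  {"uplinks": ["vmnic2"],           "portgroups": ["DMZ-Web"]},
            # Mistake 1: vmnic3 is a DMZ uplink on esx01 but a production uplink here.
            # Mistake 2: the DMZ-Mail port group was recreated on the production switch.
            "vSwitch-Prod": {"uplinks": ["vmnic3", "vmnic4"], "portgroups": ["Prod-Finance", "Prod-HR", "DMZ-Mail"]},
        }},
    },
    "vms": {
        "web01":  ["DMZ-Web"],
        "fin01":  ["Prod-Finance"],
        # Mistake 3: a VM with vNICs in both zones bridges them regardless of the vSwitch design.
        "jump01": ["DMZ-Mail", "Prod-HR"],
    },
}

# Which security zone each vSwitch name belongs to (constructed assumption).
ZONES = {"vSwitch0": "management", "vSwitch-DMZ": "dmz", "vSwitch-Prod": "production"}


def audit(inventory, zones):
    """Return a list of (check, subject, detail) findings; an empty list means clean."""
    findings = []
    nic_zones = defaultdict(set)   # vmnicN -> zones it uplinks, across all hosts
    pg_zones = defaultdict(set)    # port group name -> zones it appears in
    nic_hosts = defaultdict(dict)  # vmnicN -> {host: vswitch}

    for host, hdata in inventory["hosts"].items():
        for vsw, sdata in hdata["vswitches"].items():
            zone = zones.get(vsw)
            if zone is None:
                findings.append(("vswitch-unzoned", f"{host}/{vsw}", "vSwitch has no zone assigned"))
                continue
            for nic in sdata["uplinks"]:
                nic_zones[nic].add(zone)
                nic_hosts[nic][host] = vsw
            for pg in sdata["portgroups"]:
                pg_zones[pg].add(zone)

    # A physical NIC name should carry the same zone on every host; otherwise one
    # host is cabled or configured differently from its peers.
    for nic, zs in sorted(nic_zones.items()):
        if len(zs) > 1:
            findings.append(("uplink-zone-conflict", nic, f"used by {nic_hosts[nic]}"))

    # A port group name must resolve to one zone cluster-wide: vMotion places a VM
    # by port group name, so a duplicate name on the wrong switch lands the VM on
    # the wrong physical network after a migration.
    for pg, zs in sorted(pg_zones.items()):
        if len(zs) > 1:
            findings.append(("portgroup-zone-conflict", pg, f"found in zones {sorted(zs)}"))

    # A VM whose vNICs touch two zones is a bridge between them.
    for vm, pgs in sorted(inventory["vms"].items()):
        zs = set()
        for pg in pgs:
            zs |= pg_zones.get(pg, {"unknown"})
        if len(zs) > 1:
            findings.append(("vm-spans-zones", vm, f"attached to zones {sorted(zs)}"))
    return findings


def finding_keys(findings):
    """(check, subject) pairs, handy for comparing a run against an expected baseline."""
    return {(check, subject) for check, subject, _ in findings}


if __name__ == "__main__":
    for check, subject, detail in audit(INVENTORY, ZONES):
        print(f"{check:24} {subject:12} {detail}")
```

Run against the constructed inventory it reports exactly the three planted problems: vmnic3 mapped to different zones on the two hosts, DMZ-Mail present on both a DMZ and a production switch, and jump01 attached to both zones. The per-vSwitch zone map is the only policy input; everything else is inventory, so the same check works whether the separation is by dedicated vSwitch and pNIC pair (the design in the question) or by any other naming scheme you declare in `ZONES`.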