ctcbod
Enthusiast

Running web services within ESXi estate

I currently have an internally accessible vSphere estate (3x ESXi 5.0 hosts) and now want to install a web server on this and allow access from the internet to certain web services. I need to completely isolate these web servers and associated traffic from my other VM servers, so am really looking for some best practices if possible.

What's the best way to isolate these web servers from my other internal VMs?

Initially I plan to get a new NIC for each host, will configure a dedicated vSwitch for the web servers and will configure them on a VLAN. These new NICs will interface directly with some DMZ ports on a switch that allows external access. I've seen some documentation on creating a separate DMZ on each host (3 vSwitches, 2 firewall VMs and the web server in between) but am unsure if this is totally necessary.

Any advice appreciated.

3 Replies
DavoudTeimouri
Virtuoso

I think you are doing that with a good solution. Using a dedicated NIC, vSwitch and VLAN is a very good solution.

You can also use vShield to have more security; of course the VM's firewall can help you in this regard.

-------------------------------------------------------------------------------------
Davoud Teimouri - https://www.teimouri.net - Twitter: @davoud_teimouri Facebook: https://www.facebook.com/teimouri.net/
DanielOprea
Hot Shot

Hello,

To create all this infrastructure, at a minimum you must separate the internal networks from the public one (DMZ). The documentation that you should look at is as follows:

http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-securit...

http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf

And the vSphere security guide for the infrastructure:

VMware Security Hardening Guides | VMware España

And if you are using vShield, look at this document:

http://www.vmware.com/files/pdf/techpaper/vmware-secure-segmentation-tier-1-apps-in-DMZ-vshield-app....

PLEASE CONSIDER AWARDING any HELPFUL or CORRECT answer. Thanks!! Please CONSIDER AWARDING any HELPFUL or CORRECT answer. Thank you very much!! Blogs: http://danieloprea.blogspot.com.es/ https://communities.vmware.com/blogs/doprea
ctcbod
Enthusiast

Thanks for this Davoud.

Daniel, I have access to those documents, but I was just looking for a basic outline of how best to securely isolate the private and the public networks. Once I have the fundamental hardware requirements in place, i.e. dedicated NICs on each host interfacing with my organisation's DMZ, I can then look at the VMware documentation on hardening vSphere. I don't use vShield so this is not an option.

Thanks.

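The layout the original question describes (a dedicated physical NIC per host, its own standard vSwitch, and a VLAN-tagged port group for the web servers) and the "basic outline" asked for in the last post can both be expressed as a PowerCLI script. The following is an added example, not code from the thread or from VMware: it builds that layout on each host and then audits the properties that actually give the isolation. The vCenter and host names, the spare NIC `vmnic4`, the vSwitch name `vSwitch-DMZ`, the port group `DMZ-Web` and VLAN 200 are all constructed for the example.

```powershell
# Added example (not from the thread): one DMZ vSwitch per host with a dedicated uplink,
# a VLAN-tagged VM port group, and an isolation audit. Names/IDs below are assumptions.
$Hosts     = @('esxi01.example.local', 'esxi02.example.local', 'esxi03.example.local')
$DmzNic    = 'vmnic4'       # the new physical NIC, patched only to the switch's DMZ ports
$DmzSwitch = 'vSwitch-DMZ'
$DmzPG     = 'DMZ-Web'
$DmzVlan   = 200

Connect-VIServer -Server 'vcenter.example.local' | Out-Null

foreach ($h in $Hosts) {
    $vmhost = Get-VMHost -Name $h

    # A standard vSwitch whose ONLY uplink is the DMZ NIC. Internal vSwitches keep
    # their own uplinks, so DMZ frames never share a physical link with internal ones.
    $vsw = Get-VirtualSwitch -VMHost $vmhost -Standard -Name $DmzSwitch -ErrorAction SilentlyContinue
    if (-not $vsw) {
        $vsw = New-VirtualSwitch -VMHost $vmhost -Name $DmzSwitch -Nic $DmzNic
    }

    # VM port group tagged with the DMZ VLAN (virtual switch tagging). The physical
    # DMZ switch ports should carry this VLAN and no internal VLANs.
    if (-not (Get-VirtualPortGroup -VirtualSwitch $vsw -Name $DmzPG -ErrorAction SilentlyContinue)) {
        New-VirtualPortGroup -VirtualSwitch $vsw -Name $DmzPG -VLanId $DmzVlan | Out-Null
    }
}

# Returns a list of isolation problems for one host; an empty list means the
# DMZ vSwitch is isolated in the sense the thread is asking about.
function Test-DmzIsolation {
    param([string]$HostName)
    $vmhost   = Get-VMHost -Name $HostName
    $problems = @()
    $dmzSw    = Get-VirtualSwitch -VMHost $vmhost -Standard -Name $DmzSwitch

    # 1. The DMZ vSwitch must have exactly the dedicated uplink, nothing more, nothing less.
    if (Compare-Object @($dmzSw.Nic) @($DmzNic)) {
        $problems += "$DmzSwitch uplinks are [$($dmzSw.Nic -join ',')], expected [$DmzNic]"
    }

    # 2. No other vSwitch on the host may also use that physical NIC.
    foreach ($sw in Get-VirtualSwitch -VMHost $vmhost -Standard | Where-Object { $_.Name -ne $DmzSwitch }) {
        if ($sw.Nic -contains $DmzNic) { $problems += "$($sw.Name) also uses $DmzNic" }
    }

    # 3. No VMkernel port (management, vMotion, storage) may live on the DMZ vSwitch;
    #    otherwise the host itself is reachable from the DMZ segment.
    $dmzPgNames = @((Get-VirtualPortGroup -VirtualSwitch $dmzSw).Name)
    foreach ($vmk in Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel) {
        if ($dmzPgNames -contains $vmk.PortGroupName) {
            $problems += "VMkernel $($vmk.Name) is attached to $DmzSwitch"
        }
    }

    # 4. A VM on the DMZ port group must not also have a vNIC on any other port group:
    #    a dual-homed guest would bridge the DMZ straight into the internal network.
    foreach ($vm in Get-VM -Location $vmhost) {
        $nets = @((Get-NetworkAdapter -VM $vm).NetworkName)
        if (($nets -contains $DmzPG) -and ($nets | Where-Object { $_ -ne $DmzPG })) {
            $problems += "VM $($vm.Name) is dual-homed: $($nets -join ', ')"
        }
    }
    return $problems
}

foreach ($h in $Hosts) {
    $issues = @(Test-DmzIsolation -HostName $h)
    if ($issues.Count -eq 0) { "$h : DMZ isolation OK" }
    else { "$h :"; $issues | ForEach-Object { "  - $_" } }
}
```

The audit is the part worth keeping around: the build step only has to run once, but checks 2 to 4 catch the changes that quietly undo the design later (someone adds the spare NIC to vSwitch0 for redundancy, puts a vMotion VMkernel port on the DMZ switch, or gives a web VM a second vNIC on the internal port group). Running it from a scheduled task or before each change window is a cheap way to keep the dedicated-NIC design honest without needing vShield.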