I currently have an internally accessible vSphere estate (3x ESXi 5.0 hosts) and now want to install a web server on this and allow access from the internet to certain web services. I need to completely isolate these web servers and associated traffic from my other VM servers, so am really looking for some best practices if possible.
What’s the best way to isolate these web servers from my other internal VMs?
Initially I plan to get a new NIC for each host, will configure a dedicated vSwitch for the web servers and will configure them on a VLAN. These new NICs will interface directly with some DMZ ports on a switch that allows external access. I've seen some documentation on creating a separate DMZ on each host (3 vSwitches, 2 firewall VMs and the web server in between) but am unsure if this is totally necessary.
Any advice appreciated.
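The plan in the question (one new NIC per host, a dedicated vSwitch whose only uplink is that NIC, and a VLAN-tagged port group for the web servers) can be built and then audited with PowerCLI. The script below is an added example, not something posted in this thread or shipped by VMware; the host names (esx01-03), the uplink name (vmnic3), the vCenter name, the VLAN ID (100) and the switch/port group names are placeholders to adjust. The second half is an audit that looks for the ways this isolation usually gets undone: a shared uplink, a VMkernel port landing on the DMZ vSwitch, an untagged port group, or a VM with one vNIC in the DMZ and another on an internal network.

```powershell
# Added example (not from the thread). Assumes PowerCLI; on PowerCLI 5.x use
# Add-PSSnapin VMware.VimAutomation.Core instead of Import-Module.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcenter.example.internal'   # placeholder vCenter name

$hostNames    = 'esx01','esx02','esx03'   # placeholder host names
$dmzUplink    = 'vmnic3'                  # the new NIC cabled to the switch's DMZ ports (assumption)
$dmzSwitch    = 'vSwitch-DMZ'
$dmzPortGroup = 'DMZ-Web'
$dmzVlan      = 100                       # placeholder DMZ VLAN ID

foreach ($h in Get-VMHost -Name $hostNames) {
    # 1. A standard vSwitch whose only uplink is the dedicated DMZ NIC.
    $vs = Get-VirtualSwitch -VMHost $h -Name $dmzSwitch -ErrorAction SilentlyContinue
    if (-not $vs) {
        $vs = New-VirtualSwitch -VMHost $h -Name $dmzSwitch -Nic $dmzUplink
    }

    # 2. A VLAN-tagged port group for the web servers.
    if (-not (Get-VirtualPortGroup -VirtualSwitch $vs -Name $dmzPortGroup -ErrorAction SilentlyContinue)) {
        New-VirtualPortGroup -VirtualSwitch $vs -Name $dmzPortGroup -VLanId $dmzVlan | Out-Null
    }

    # 3. Reject promiscuous mode, forged transmits and MAC changes on the DMZ vSwitch,
    #    so a compromised web VM cannot sniff or spoof other guests on the segment.
    Get-SecurityPolicy -VirtualSwitch $vs |
        Set-SecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false | Out-Null
}

function Test-DmzIsolation {
    # Returns a list of findings; an empty list means every check passed.
    param([string[]]$HostNames, [string]$SwitchName, [string]$PortGroupName)
    $findings = @()

    foreach ($h in Get-VMHost -Name $HostNames) {
        $vs = Get-VirtualSwitch -VMHost $h -Name $SwitchName

        # Exactly one uplink: a vmnic belongs to at most one vSwitch, so a single
        # uplink here means nothing is shared with the management/internal vSwitch.
        if (@($vs.Nic).Count -ne 1) {
            $findings += "$($h.Name): $SwitchName has uplinks [$($vs.Nic -join ',')], expected one"
        }

        # No VMkernel port (management, vMotion, storage) may sit on the DMZ vSwitch.
        $vmk = Get-VMHostNetworkAdapter -VMHost $h -VirtualSwitch $vs -VMKernel
        if ($vmk) {
            $findings += "$($h.Name): VMkernel port(s) on ${SwitchName}: $($vmk.Name -join ',')"
        }

        # Every port group on the DMZ vSwitch must carry a VLAN tag (0 = untagged).
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vs) {
            if ($pg.VLanId -eq 0) { $findings += "$($h.Name): port group $($pg.Name) is untagged" }
        }
    }

    # A VM with a vNIC in the DMZ and another vNIC anywhere else bridges the two networks.
    foreach ($vm in Get-VM) {
        $nets = @($vm | Get-NetworkAdapter | Select-Object -ExpandProperty NetworkName)
        $other = @($nets | Where-Object { $_ -ne $PortGroupName })
        if (($nets -contains $PortGroupName) -and ($other.Count -gt 0)) {
            $findings += "$($vm.Name): dual-homed across [$($nets -join ',')]"
        }
    }
    return $findings
}

# Run the audit; review any findings before exposing the DMZ ports to the internet.
Test-DmzIsolation -HostNames $hostNames -SwitchName $dmzSwitch -PortGroupName $dmzPortGroup
```

The build half is idempotent, so it can be re-run after adding a host. The audit half is the part worth scheduling: the dual-homed check in particular catches the common case where someone later adds an internal vNIC to a web VM "just for backups" and silently removes the isolation the dedicated NIC was bought for.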
I think you are doing that with a good solution. Using a dedicated NIC, vSwitch and VLAN is a very good solution.
You can also use vShield to have more security; of course the VM's firewall can help you in this regard.
To create all this mini infrastructure you must separate the internal networks (DMZ) from the public one. The documentation that you should look at is as follows:
And the vSphere security guide for infrastructure:
And if you are using vShield, look at this document:
Thanks for this Davoud.
Daniel, I have access to those documents, but I was just looking for a basic outline of how best to securely isolate the private and the public networks. Once I have the fundamental hardware requirements in place, i.e. dedicated NICs on each host interfacing with my organisation's DMZ, I can then look at the VMware documentation on hardening vSphere. I don't use vShield so this is not an option.