Just wanted to get some opinions around vCenter.
We currently have 3 hosts connected to a vCenter server; these all have shared storage, and we are familiar with HA and DRS along with migrations and have used it quite successfully.
We also have a number of standalone hosts in our DMZ which run client-facing apps. I wondered what the opinions were around adding these hosts over the management port to our vCenter server for management, more specifically for performance monitoring, as without vCenter or a 3rd-party app you can only see current resource activity on the host. With vCenter you can see historical data. We have about 4 or 5 of these standalone hosts which we would like to integrate.
None of these hosts share storage (that may change one day); they are quite small hosts running individual apps. We have no need to migrate VMs between them or use HA, so they remain standalone. We have a DR site which these are replicated to using Veeam for failover.
I plan to create a management port (or use an existing one) and put it on an individual physical network/VLAN (the same as our internal production vCenter and hosts) which will carry all the management traffic so it's isolated (for security and throughput).
Just wondered if anyone else had added hosts which didn't share storage to the vCenter and if there are any implications.
All our hosts back up with Veeam; not sure if that makes a difference or not.
Our vCenter is at v5.1; however, some of the standalone hosts run 5.5 or 6. Not sure if that would have an impact or if the vCenter would need to be upgraded first to the latest to support them.
Thanks to those for reading/responding.
I think it is fine to add the DMZ hosts to vCenter management, but remember to ask the security team first; if they approve it, you can use the existing management VMkernel and open only the specific ports between the vCenter IP address and the vSphere ESXi management IPs.
The problem I can see is that you will need to upgrade your vCenter first, since you cannot manage vSphere ESXi hosts newer than the vCenter Server version.
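As an added illustration of the two points above (not code from anyone in this thread), this PowerCLI snippet checks each standalone host's ESXi version against the vCenter version before attempting to add it, and adds supported hosts under a datacenter rather than into the cluster, since they have no shared storage. The vCenter name, host names, datacenter name and credentials are placeholders; the firewall rules between vCenter and the management IPs are still a separate network change.

```powershell
# Added example, not from the thread. Assumes VMware PowerCLI is installed.
# All names below are placeholders for your own environment.
$vcenterName    = 'vcenter.example.internal'
$datacenterName = 'DMZ-Standalone'          # standalone hosts go here, not in the HA/DRS cluster
$dmzHosts       = @('dmz-esx01.example.internal', 'dmz-esx02.example.internal')

$vc        = Connect-VIServer -Server $vcenterName
$vcVersion = [version]$vc.Version            # e.g. 5.1.0 in the poster's case
$hostCred  = Get-Credential -Message 'ESXi root credentials for the DMZ hosts'

foreach ($h in $dmzHosts) {
    # Connect straight to the standalone host to read its ESXi version
    $direct     = Connect-VIServer -Server $h -Credential $hostCred
    $esxVersion = [version](Get-VMHost -Server $direct).Version
    Disconnect-VIServer -Server $direct -Confirm:$false

    # A host newer than vCenter cannot be managed by it: skip and report
    if ($esxVersion -gt $vcVersion) {
        Write-Warning "$h runs ESXi $esxVersion, newer than vCenter $vcVersion; upgrade vCenter first."
        continue
    }

    # Supported version: add as a standalone host under the datacenter object
    $dc = Get-Datacenter -Name $datacenterName -Server $vc
    Add-VMHost -Name $h -Location $dc -Credential $hostCred -Force
    Write-Host "$h (ESXi $esxVersion) added to $datacenterName"
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run it from a management workstation that can reach both vCenter and the hosts' management IPs; the version comparison is the same rule Richardson describes, applied before the add so nothing is half-joined.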
In addition to what Richardson said, you can add these standalone hosts to the vCenter only after upgrading your vCenter. The fact that they only have local storage will prevent you from using HA and DRS for the VMs residing on that storage.
Another scenario could be to investigate with the network/security team whether the current DMZ hosts could be added to the SAN infrastructure via iSCSI/FCoE after moving them to the management network.
That way, you can have these current standalone hosts with a dual storage architecture (local/SAN). You can imagine running lab VMs on local storage and prod VMs on the shared storage. With the help of Veeam, you can easily copy VMs from local storage to shared and vice versa.
In addition, if the hosts are equipped with the same CPU architecture, you can expand your current cluster resources.
My personal feeling about your network/security design is the following:
You should never isolate ESXi hosts themselves, meaning putting them in a DMZ. You need to take advantage of the security features VMware put in place to harden security at the host level by implementing VLANs and security policies at the vSwitch level.
By doing this you avoid headaches in terms of management. In my view, in the virtualization world, it's your applications that you need to isolate in terms of security, not the hosts where they're running.
I hope this helps,