VMware Cloud Community
edutz1014
Enthusiast

vSphere Clusters and DMZ networks


I am having some internal debates about adding DMZ virtual servers to our internal VMware clusters. My thought is to segregate these virtual servers to a separate VMware host/cluster in the DMZ instead of extending the DMZ network to our internal VMware cluster.

Any thoughts on this? Am I being over cautious about extending our DMZ to our internal VMware cluster?

Ed

8 Replies
tomtom901
Commander

A separate cluster might require extra capacity to provide HA (N+1 or even more) if necessary. It would also mean extra hosts that need vSphere licenses and have to be monitored, patched and managed. So, it could be a valid route or option if you factor in the requirements and consequences stated above.

From a security perspective, there is something to be said about using the same physical NICs for both trusted (normal production / internal) and untrusted (DMZ / Internet) traffic even if both are logically separated by a VLAN. From the same perspective, a security officer might opt to put the DMZ virtual machines on a different set of hosts, but in doing so, he has the consequences stated above. However, you mitigate the risk that a VM could easily be placed into the DMZ by switching its network adapter to the DMZ VM network.

I don't know what the background is, and if you have stuff like compliance in place. That might be a big influencer on the vSphere design for the DMZ.

BenLiebowitz
Expert

We mix the internal and DMZ VMs on the same hosts, but use different NICs/port groups.

When the host's management network is in the DMZ, it sometimes makes it tough to migrate/P2V.

Ben Liebowitz, VCP, vExpert 2015, 2016 & 2017
King_Robert
Hot Shot

If you want a separate cluster for the servers in your DMZ network and do not want to mix the DMZ network with the internal network, then you need extra hosts and ESX licenses.

All of this will need extra budget to buy new hardware and licenses.

tomtom901
Commander

But it might be justified when the organisation has to comply with security audits, for example. So it depends on the company that is going to implement this.

kiraa
Enthusiast

Personally I would not do this unless it was a high-risk environment and you were willing to pay the consequences in extra management / overhead.

Previously, when I have added DMZ VMs to a cluster, I have had a setup like the following:

All of these are for DMZ use only:

- Physical switch
- At least one physical NIC in each host for DMZ use only
- Dedicated DMZ vSwitch / VM port group on each host
- Configure a static access port for your DMZ VLAN on the physical switch port

[Screenshot: DMZ.PNG]

Here's a screenshot of how it was setup. Isolation is key in my opinion.

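An added PowerCLI check, not from this thread or from VMware, for the isolation property kiraa describes and tomtom901 warns about: it walks every host in a cluster and flags any standard vSwitch whose uplink NICs carry both DMZ and non-DMZ port groups (including the vmkernel Management Network), plus a DMZ vSwitch with no dedicated physical uplink. It assumes an existing Connect-VIServer session, standard (not distributed) vSwitches, and that DMZ port groups are identified by a name pattern; the cluster name and pattern are placeholders.

```powershell
# Added audit example, not from the thread. Assumes an existing Connect-VIServer
# session and standard vSwitches; the DMZ name pattern is an assumption.
function Test-DmzIsolation {
    param(
        [string]$ClusterName,          # cluster to audit (placeholder passed below)
        [string]$DmzPattern = '^DMZ'   # assumption: DMZ port groups are named "DMZ*"
    )
    $findings = @()
    foreach ($vmhost in Get-Cluster -Name $ClusterName | Get-VMHost) {
        foreach ($vs in Get-VirtualSwitch -VMHost $vmhost -Standard) {
            $pgs   = @(Get-VirtualPortGroup -VirtualSwitch $vs)
            $dmz   = @($pgs | Where-Object { $_.Name -match $DmzPattern })
            $other = @($pgs | Where-Object { $_.Name -notmatch $DmzPattern })
            if ($dmz.Count -eq 0) { continue }   # this vSwitch carries no DMZ traffic

            # Trusted and untrusted port groups on one vSwitch share its uplink NICs:
            # only a VLAN tag separates them, which is the setup the thread warns about.
            if ($other.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Host   = $vmhost.Name
                    Switch = $vs.Name
                    Nics   = ($vs.Nic -join ',')
                    Issue  = "DMZ [$($dmz.Name -join ',')] shares uplinks with [$($other.Name -join ',')]"
                }
            }
            # A dedicated DMZ vSwitch still needs its own physical NIC to the DMZ switch.
            if (-not $vs.Nic) {
                $findings += [pscustomobject]@{
                    Host   = $vmhost.Name
                    Switch = $vs.Name
                    Nics   = ''
                    Issue  = 'DMZ vSwitch has no physical uplink'
                }
            }
        }
    }
    return $findings
}

# Placeholder cluster name; replace with your own.
$result = Test-DmzIsolation -ClusterName 'CLUSTER-NAME-PLACEHOLDER'
if ($result) { $result | Format-Table -AutoSize } else { 'No shared-uplink findings.' }
```

Whether the DMZ uplinks actually land on a physically separate switch and a static access port, as in kiraa's list, has to be confirmed on the physical switch side; the script can only see the host's view.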
kashifkarar01
Enthusiast

Hi,

I was going through a few network isolation/security choices for vSphere 5 and found this article very helpful.

http://bradhedlund.com/2010/02/10/vswitch-illusion-dmz-virtualization/

kiraa
Enthusiast

Interesting read kashifkarar01, thanks for the link!

tomtom901
Commander

Very good read! However, it summarises what I've already said. A VLAN is a logical separation of traffic, whereas a different set of hosts (with all the overhead) is a physical separation.