We are looking at replacing our servers with the Cisco UCS blades. Currently we have our internal VMs running on a group of hosts where the VNX5300 is zoned so that only certain LUNs are available to the internal hosts. We also have our DMZ VMs running on a separate group of hosts where the VNX5300 is zoned so that only certain LUNs are available to the DMZ hosts.
We are looking at setting up the UCS so that our internal VMs and our DMZ VMs are running on the same UCS blade (using VLANs to separate the traffic). My issue is how to achieve the storage isolation that we have now. I don't think I can do it the same way that we currently do it because the vHBAs are defined at the host level. I've been told that since the VMs are just files on a LUN there is no need to segregate the SAN so that the LUNs are isolated. Our DMZ VMs don't have any raw LUNs so I'm thinking that we can just present both internal host LUNs and DMZ host LUNs and not worry that we would have a security issue.
I'm curious what other people are doing. Is this a valid configuration?
Realistically the attack vector at the storage layer is really restricted to people with admin access to the storage array. You could create two storage groups and that would isolate the VMs into storage silos on the array - if using block storage.
If using file storage and NFS I think you can assign NFS exports to a Data Mover - so have two NFS exports on two physical Data Movers and then the data flow is isolated as well.
We're using block storage. Not sure what you mean by creating two storage groups to isolate the VMs. You're saying create duplicate storage groups (one for the internal LUNs and one with the DMZ LUNs)? If the VMs are running on the same ESXi host I'm not sure how that isolates the VMs.
In a storage group I can create multiple LUNs and take advantage of options such as FAST VP. A storage group is effectively a logical separation of the underlying storage. So two storage groups will provide two logical storage entities on the array. Put the DMZ VMs in one storage group and the internal VMs in the other storage group.
On the hosts you can configure multiple vSwitches - one for internal and the other for DMZ, or a single vSwitch and use port groups - your physical network design will influence this decision.
If you want to be really secure you could have a separate cluster for DMZ VMs.
It really depends on what you are trying to achieve from a security perspective.
Looking at Unisphere I can see where I can add hosts to storage groups but not VMs individually so I'm still not sure I can segregate the storage via storage groups on the VNX. I am planning on using vSwitches to segregate the network traffic on the host itself.
As far as the cluster idea that sounds like a good deal too. However, looking at the Infrastructure Client it looks like all of the clusters we created have the hosts as part of the cluster. In my new scenario my DMZ VMs will be on the same host as my internal VMs.
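The point debated above (storage groups isolate LUNs per host, while the VMs that share a host inherit everything that host can see) can be checked mechanically. The following is an added example, not code from the thread or from EMC or Cisco tooling: it models a VNX-style storage group as a set of hosts plus a set of LUNs, tags each LUN and VM with a security zone, and audits a constructed inventory. All host, LUN, storage group and VM names are assumptions made up for the example. It flags VM files placed on a LUN of the wrong zone, VMs whose host cannot reach their LUN, and hosts that see LUNs from more than one zone, which is exactly what happens when the same ESXi hosts are members of both storage groups. A second constructed layout with dedicated DMZ hosts (the "separate cluster" suggestion) is included for comparison.

```python
"""Audit a VNX-style storage group layout for a mixed DMZ/internal ESXi estate.

Added example for the discussion above; not from the thread. Storage groups,
hosts, LUNs and VMs are constructed sample data with assumed names.
"""
from typing import Dict, List, Set

# Model: a storage group is a set of hosts plus a set of LUNs. A host can see
# a LUN only if both sit in a common storage group (host-level, not VM-level).
SHARED_GROUPS: Dict[str, Dict[str, Set[str]]] = {
    # Constructed layout from the question: every host in both groups.
    "SG_internal": {"hosts": {"esx01", "esx02"}, "luns": {"LUN10", "LUN11"}},
    "SG_dmz":      {"hosts": {"esx01", "esx02"}, "luns": {"LUN20"}},
}

SPLIT_GROUPS: Dict[str, Dict[str, Set[str]]] = {
    # Constructed alternative: a dedicated DMZ host, as in the "separate
    # cluster" suggestion.
    "SG_internal": {"hosts": {"esx01", "esx02"}, "luns": {"LUN10", "LUN11"}},
    "SG_dmz":      {"hosts": {"esx03"}, "luns": {"LUN20"}},
}

# Security zone each LUN is meant to hold (assumed tagging).
LUN_ZONE: Dict[str, str] = {"LUN10": "internal", "LUN11": "internal", "LUN20": "dmz"}

# VM inventory: zone the VM belongs to, host it runs on, LUN backing its datastore.
VMS: Dict[str, Dict[str, str]] = {
    "web-dmz-01": {"zone": "dmz",      "host": "esx01", "lun": "LUN20"},
    "app-int-01": {"zone": "internal", "host": "esx01", "lun": "LUN10"},
    "db-int-01":  {"zone": "internal", "host": "esx02", "lun": "LUN11"},
    # Constructed mistake: DMZ VM whose files were placed on an internal LUN.
    "web-dmz-02": {"zone": "dmz",      "host": "esx02", "lun": "LUN11"},
}


def luns_visible_to_host(host: str, groups: Dict[str, Dict[str, Set[str]]] = SHARED_GROUPS) -> Set[str]:
    """Union of the LUNs in every storage group the host is a member of."""
    visible: Set[str] = set()
    for sg in groups.values():
        if host in sg["hosts"]:
            visible |= sg["luns"]
    return visible


def zones_visible_to_host(host: str,
                          groups: Dict[str, Dict[str, Set[str]]] = SHARED_GROUPS,
                          lun_zone: Dict[str, str] = LUN_ZONE) -> Set[str]:
    """Security zones whose LUNs the host can reach through its storage groups."""
    return {lun_zone.get(lun, "unzoned") for lun in luns_visible_to_host(host, groups)}


def audit(vms: Dict[str, Dict[str, str]] = VMS,
          groups: Dict[str, Dict[str, Set[str]]] = SHARED_GROUPS,
          lun_zone: Dict[str, str] = LUN_ZONE) -> List[str]:
    """Return human-readable findings; an empty list means the layout is clean."""
    findings: List[str] = []
    for name, vm in sorted(vms.items()):
        lun = vm["lun"]
        # 1. VM files must live on a LUN tagged for the VM's own zone.
        if lun_zone.get(lun) != vm["zone"]:
            findings.append(f"{name}: {vm['zone']} VM stored on {lun} "
                            f"({lun_zone.get(lun, 'unzoned')} LUN)")
        # 2. The host the VM runs on must actually be able to see that LUN.
        if lun not in luns_visible_to_host(vm["host"], groups):
            findings.append(f"{name}: host {vm['host']} cannot see {lun}; "
                            f"VM cannot run there")
    # 3. A host that is a member of both storage groups sees both zones'
    #    LUNs, so the array gives no per-VM isolation on that host.
    all_hosts = set().union(*(sg["hosts"] for sg in groups.values()))
    for host in sorted(all_hosts):
        zones = zones_visible_to_host(host, groups, lun_zone)
        if len(zones) > 1:
            findings.append(f"{host}: sees LUNs from zones {sorted(zones)}; "
                            f"array-level isolation is per host, not per VM")
    return findings


if __name__ == "__main__":
    for line in audit():
        print(line)
```

Run against the shared layout it reports the misplaced DMZ VM and notes that both hosts see both zones; with `SPLIT_GROUPS` the DMZ host `esx03` sees only DMZ LUNs, which is the property the separate-cluster design buys. The zone tagging is the part a real deployment has to maintain by hand (datastore naming convention, or a custom attribute on the LUN), since the array itself only knows hosts and LUNs.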