VMware Cloud Community
beckhamk
Enthusiast

Good virtual firewall to use with vmotion

We would like comments on good and easy-to-use firewalls that are either virtual appliances or can be installed as a VM on VMware. We are trying to find something that can work with vMotion, if there is anything at all?

Anyone else out there have virtual firewalls in place for your VMs, and how are you handling vMotion with them?

Accepted Solutions
Rumple
Virtuoso

You need to have this configuration set up on EACH ESX host:

EXTERNAL_vSwitch - FIREWALL_VM -- INTERNAL_vSwitch

PROTECTED_VM - INTERNAL_vswitch

In this configuration all protected VMs will have their default gateway set to the internal IP of that firewall VM.

When a VM on the same host as the FIREWALL_VM wants to get onto the Internet, all network routing stays within the vSwitch on that host.

When a VM on a DIFFERENT host needs to get to the Internet/EXTERNAL, it will go out the physical NIC attached to the INTERNAL_vSwitch on Host 1, travel into the physical NIC attached to the INTERNAL_vSwitch on Host 2, and then hit the internal IP of the firewall VM.

As long as your INTERNAL_vSwitches are connected to an isolated physical switch, a crossover cable, or are appropriately VLAN'd, then they are only accessible externally through the firewall.
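The per-host layout described above, modelled as a small graph so the two properties it relies on can be checked (an added example, not code from the thread): a protected VM still reaches its firewall gateway after a vMotion to another host, and it cannot reach EXTERNAL without passing through a firewall VM. `PHY_INTERNAL`, `WIN_VM` and the host names are constructed placeholders; the `internal_isolated=False` case models the INTERNAL side not being isolated, which the answer warns against.

```python
from collections import deque

def build_lab(hosts, internal_isolated=True):
    """Per-host topology from the answer: EXTERNAL_vSwitch - FIREWALL_VM - INTERNAL_vSwitch,
    all INTERNAL_vSwitches on one physical switch (PHY_INTERNAL, a hypothetical name).
    internal_isolated=False models that switch also reaching EXTERNAL (the misconfiguration)."""
    g = {}
    def link(a, b):
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    for h in hosts:
        link(f"{h}:EXTERNAL_vSwitch", "EXTERNAL")
        link(f"{h}:EXTERNAL_vSwitch", f"{h}:FIREWALL_VM")
        link(f"{h}:FIREWALL_VM", f"{h}:INTERNAL_vSwitch")
        link(f"{h}:INTERNAL_vSwitch", "PHY_INTERNAL")
    if not internal_isolated:
        link("PHY_INTERNAL", "EXTERNAL")
    return g

def place_vm(g, vm, host):
    """Attach a protected VM to a host's INTERNAL_vSwitch. Calling it again with another
    host is the vMotion: the VM's NIC moves, its default gateway does not."""
    for nbrs in g.values():
        nbrs.discard(vm)
    g[vm] = {f"{host}:INTERNAL_vSwitch"}
    g[f"{host}:INTERNAL_vSwitch"].add(vm)

def has_path(g, src, dst, avoid=lambda n: False):
    """BFS from src to dst that refuses to transit nodes where avoid(n) is true."""
    seen, queue = {src}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            return True
        for m in g.get(n, ()):
            if m not in seen and (m == dst or not avoid(m)):
                seen.add(m)
                queue.append(m)
    return False

def audit(g, vm, gateway_host):
    """Two checks the answer depends on: the VM reaches its gateway (the firewall VM on
    gateway_host) via the internal side, and cannot reach EXTERNAL bypassing every firewall VM."""
    is_firewall = lambda n: n.endswith(":FIREWALL_VM")
    return {
        "gateway_reachable": has_path(g, vm, f"{gateway_host}:FIREWALL_VM", is_firewall),
        "firewall_bypass": has_path(g, vm, "EXTERNAL", is_firewall),
    }
```

Running `audit` before and after `place_vm(g, "WIN_VM", "host2")` shows the gateway staying reachable across the vMotion, while the non-isolated variant reports `firewall_bypass` as True.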

5 Replies
Rumple
Virtuoso

When you say "virtual firewalls in place", what do you mean by how are you handling vMotion?

Firewall appliances work identically to regular VMs. The VMs themselves don't actually know that they have been moved from system to system. The external switch is what you need to ensure will support the vMotion of the VM. I've used ISA with vMotion with no problems at all, as long as I had the same external vSwitch configured and a link to the same Internet connection.

Lightbulb
Virtuoso

I use Vyatta (http://www.vyatta.com/index.php), a mature open-source routing/firewall solution that is pretty easy to get up and running even for a network novice. They have a downloadable virtual appliance, or an ISO if you want to roll your own.

As Rumple said, there is nothing about vMotion that would be any different than for another VM.

DanielHDT
Contributor

A good introduction to how ISA or TMG can be implemented in a virtual environment can be found here:

http://edge.technet.com/Media/Virtualize-your-ISA-or-Forefront-TMG-servers/

beckhamk
Enthusiast

Thanks for the info, guys! Let me explain what I meant by the vMotion. I am not talking about vMotioning the firewall VM. I mean, if we have a setup with a Windows VM that has a NIC that connects to a virtual switch that connects to the firewall VM, how do we handle the firewall if the Windows VM is vMotioned?

As a note, right now we already have a HW firewall in place for the WAN before it hits any ESX host; this firewall scenario is for internal use. Would we have to create a firewall VM to run on each ESX host?

Thanks,
