VMware Cloud Community
vadm168
Enthusiast
Enthusiast
‎07-25-2018 03:43 PM
Jump to solution

Best practice for adding DMZ ESXi to internal vCenter

VCSA 6.5 on internal network

ESXi 6.5 in DMZ

Hi,

I am building an ESXi 6.5 in DMZ. I am thinking about connecting the ESXi's management interface (physical port #1/vSwitch #1) to internal network while VM guests are connected to DMZ network via ESXi's physical port #2/vSwitch #2. With this arrangement, is it possible for users in VM guests obtain access the internal network?

Also, if I mount an ISO datastore on the internal network's NFS share, can I provision VMs in DMZ by mounting the ISO on the internal datastore?

Thank you.

Reply
0 Kudos
1 Solution

Accepted Solutions
diegodco31
Leadership
Leadership
‎07-26-2018 12:22 PM
Jump to solution

Did you mean it's possible for a user within a VM to access internal network which is I don't want? To reiterate my setup:

Can a user within a VM gain access to the internal network via the hypervisor somehow?

No, If the user of the internal network has in vlan different it will be necessary a layer 3 equipment to make the communication.

Diego Oliveira
LinkedIn: http://www.linkedin.com/in/dcodiego

View solution in original post

Reply
0 Kudos
3 Replies
diegodco31
Leadership
Leadership
‎07-25-2018 04:28 PM
Jump to solution

Yes, it is possible.

The management network for the DMZ hosts doesn't need to be in a "dmz" network.  You could have it on the same management network as your current hosts or a new seperate internal network that's still routable to your current vCenter server.  Then have your VM dmz networks hanging off those hosts and handle all of your firewall config at that level for those networks.

Please consider marking this answer "correct" or "helpful" if you think your question have been answered correctly.

Diego Oliveira
LinkedIn: http://www.linkedin.com/in/dcodiego
Reply
vadm168
Enthusiast
Enthusiast
‎07-26-2018 11:58 AM
Jump to solution

Hi Diego,

Thanks for the reply but

>>Yes, it is possible.

Did you mean it's possible for a user within a VM to access internal network which is I don't want? To reiterate my setup:

vSwitch #1: connected to internal network as the ESXi management interface

vSwitch #2: connected to DMZ for VM guests' network

Can a user within a VM gain access to the internal network via the hypervisor somehow?

Is this the best practice setup for connecting a DMZ ESXi host to an internal vCenter, e.g. as opposed to having the ESXi's management interface in the DMZ (which I think is less secure for potential hacking since it's also in the DMZ?

Thanks,

Reply
0 Kudos
diegodco31
Leadership
Leadership
‎07-26-2018 12:22 PM
Jump to solution

Did you mean it's possible for a user within a VM to access internal network which is I don't want? To reiterate my setup:

Can a user within a VM gain access to the internal network via the hypervisor somehow?

No, If the user of the internal network has in vlan different it will be necessary a layer 3 equipment to make the communication.

Diego Oliveira
LinkedIn: http://www.linkedin.com/in/dcodiego
Reply
0 Kudos