VMware Cloud Community
suhag79
Hot Shot

vSAN infra behind the firewall

Hi all,

Has anyone come across the situation of putting all the vSAN stack behind the firewall? What could be the impact on daily operation? Are there any best practices for this scenario?

Regards,

TheBobkin
Champion

Hello suhag79

Sure, I have seen a lot of vSAN environments implementing firewalls; provided these are configured properly, they should have no negative impact on the performance/operation of the cluster.

The main points are to ensure any firewalls implemented do not block necessary traffic:

Ensure the relevant necessary ESXi host ports are open:

https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-171B99EA-15B3-4CC...

And the ports between ESXi and vCenter:

https://kb.vmware.com/s/article/1005189

Provided the relevant ports that vSAN uses are open, vSAN clustering will function normally:

https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.virtualsan.doc/GUID-D52F00FF-CA2C-4...

https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.virtualsan.doc/GUID-D52F00FF-CA2C-4...

(Note: those listed are the default ports, so if using non-default ports, e.g. for 'vSAN Clustering Service', then obviously open the ones used.)

List of ports for other VMware products and features that may or may not be used in the environment:

https://kb.vmware.com/s/article/1012382

Hope this helps.

Bob
