VMware Cloud Community
Fvistr01
Contributor

Building isolated Dev and PROD environment

Hello Guys,

I am building / migrating a dev environment from physically separate hardware into a virtually separate environment.

Currently, I have Dev VMs on a separate c7000 chassis which I will be migrating to the PROD environment, but those will be isolated through VLANs.

I would really appreciate it if anyone can share with me their Dev - Prod design layout.

Requirements are:

Dev will be clone copy of Prod,

There will be no connectivity between Dev and Prod

Will be assigning Resource pool for Dev environment

Separate network for Dev

End user will only have access to prod, what are the options for users to connect to DEV environment from their desk without vCenter server?

Thanks

4 Replies
mprazeres183
Enthusiast

Hi Fvistr01,

Thanks for this very interesting question.

So this is a Design question, therefore I can't tell you what the best solution will be for your customer as I don't know each of the points regardless of security, needs and so on.

However I can tell you a best practice and how I would solve it, then it's up to you and the customer also regarding costs (Licences) and I will give you 2 solutions.

1. The slightly more expensive solution:

Install a vCenter if not already installed. (As I can read from your question this should already be there.)

Install 2 Separate Clusters.

1 Cluster being the PROD_COMPANY_Cluster1

1 Cluster being the DEV_COMPANY_Cluster1

Create 2 vDS Switches and define the vLANs for the 2 Clusters with 2x Server Network (a vLAN for the vGuests). For the ESXi Hosts, 1 or 2 vLANs for ESXi Management, 1 or 2 vLANs for vMotion (if wanted and needed (DRS)).

Make sure that the 2 vLANs for the vGuests are blocked, like this: example: vLAN100 is the vLAN with IP Segment 10.160.130.xxx/24 for PROD, and vLAN110 is the vLAN with IP Segment 10.160.140.xxx/24 for DEV. Make sure that on firewall rules the DEV -> PROD is blocked and vice-versa if you wish both ways to be disabled.

I would not do a clone of your DEV to PROD, but instead just use the DEV and name it PROD and create a new DEV.

In this scenario you would not need to have a Resource Pool for DEV. (By the way, Resource Pools are only good in the case that there is an issue with your hardware, so that you can define which Group will get priority to the resources in the same cluster. But as you would create 2 Clusters, you will not need to segregate the environment.)

Now, you are saying that END users need to access DEV, so if you want them to connect through the PROD servers to DEV, I would suggest that you create a JUMPHOST, and you allow this IP from 1 or 2 Jumphosts to access the DEV environment by opening this direction on the Firewall management, otherwise you can just allow the connection from PROD to DEV but close the other direction from DEV to PROD. This is up to you.

With a Jumphost, you would need to install a TS Server and maybe work with a DNS Round Robin for a Loadbalancing purpose.

2. The cheaper solution: (But works too)

If you don't want to create another Cluster, you can just have all the ESXi Hosts on 1 Cluster and segregate them with the Resource Pools as you explained.

I wouldn't do it this way, as it's a little bit more complicated regarding the Management of the Environment, you will understand why in just a second:

- Install a Cluster for DRS purposes.

- Create 2 Resource Pools, make sure that the Resource Pools are correctly used! This is very critical when using Resource Pools and this is why:

Example 1: You have a Total Share of CPU = 12000 and a Total Share of Memory = 40000, now you create a Resource Pool for PROD with High Shares, it will give you 8'000 on CPU and 26400 on Memory and you create a DEV with Normal Shares, which will give you 4'000 on CPU and 13600 on Memory. If you now put 40 vGuests into the PROD Resource Pool and 10 into the DEV pool, your vGuests will use only 200 Shares of CPU and 660 Memory. In the case of DEV, they will use 400 Shares of CPU and 1360 Shares of Memory. As you see this makes no sense. And this is why I don't suggest the use of Resource Pools. But if you keep an eye on it and you don't overcommit you could use it.

- I would suggest you use just Folders instead of Resource Pools (if you just need to separate them in the point of viewing them on the vCenter).

- We do it this way: We name all vGuests that are Prod like this vmwhatever1001 (Prod) vmwhatever6001 (Dev) meaning, all vGuests with a Name from 100x to 500x are PROD vGuests, and all starting with 600x to 900x are DEV/INT/TEST vGuests. This way you know which vGuest is what.

- Create a vSwitch (not a vDS) so it's cheaper.

1st for PROD use the same as on the Chapter 1 I gave you to create 2 separate vGuest Networks with the different vLANs

2nd for DEV use the same as on the Chapter 1 I gave you to create 2 separate vGuest Networks with the different vLANs

Connect the PROD vGuests to the vSwitch 1

Connect the DEV vGuests to the vSwitch 2

With this solution you will not need the expensive Licensing model from VMware and still have a good infrastructure.

However I would not recommend the use of Resource Pools, and if you do keep in mind, that the management overhead is higher than not to use them!

Best regards,

Marco

Check my blog, and if my answer resolved the issue, please provide feedback. Marco Frias - VMware is my World www.vmtn.blog
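
An added example, not part of the reply above: a small audit that applies the naming convention (100x-500x PROD, 600x-900x DEV) and the example segments (vLAN100 with 10.160.130.xxx/24, vLAN110 with 10.160.140.xxx/24) to a VM inventory and reports any NIC that crosses the PROD/DEV split. The inventory format and the sample entries are assumptions constructed for illustration, not a vCenter export format.

```python
import ipaddress
import re

# Values from the example in the thread: vLAN100 = PROD, vLAN110 = DEV.
SEGMENTS = {
    "PROD": {"vlan": 100, "net": ipaddress.ip_network("10.160.130.0/24")},
    "DEV": {"vlan": 110, "net": ipaddress.ip_network("10.160.140.0/24")},
}

def env_from_name(name):
    """Thread's convention: trailing 100x-500x is PROD, 600x-900x is DEV/INT/TEST."""
    m = re.search(r"(?<!\d)(\d)\d{3}$", name)
    if not m:
        return None
    digit = int(m.group(1))
    if 1 <= digit <= 5:
        return "PROD"
    if 6 <= digit <= 9:
        return "DEV"
    return None

def audit(inventory):
    """Return (vm, problem) findings for NICs that break the PROD/DEV split."""
    findings = []
    for vm in inventory:
        expected = env_from_name(vm["name"])
        if expected is None:
            findings.append((vm["name"], "name does not follow the convention"))
            continue
        seg = SEGMENTS[expected]
        for nic in vm["nics"]:
            if nic["vlan"] != seg["vlan"]:
                findings.append((vm["name"], f"NIC on vLAN {nic['vlan']}, expected {seg['vlan']}"))
            if ipaddress.ip_address(nic["ip"]) not in seg["net"]:
                findings.append((vm["name"], f"IP {nic['ip']} outside {seg['net']}"))
    return findings

# Constructed sample inventory (hypothetical format).
SAMPLE = [
    {"name": "vmwhatever1001", "nics": [{"vlan": 100, "ip": "10.160.130.11"}]},
    {"name": "vmwhatever6001", "nics": [{"vlan": 110, "ip": "10.160.140.21"}]},
    # Dual-homed DEV guest: the second NIC sits on the PROD vLAN.
    {"name": "vmwhatever6002", "nics": [{"vlan": 110, "ip": "10.160.140.22"},
                                        {"vlan": 100, "ip": "10.160.130.99"}]},
    {"name": "testbox", "nics": [{"vlan": 110, "ip": "10.160.140.30"}]},
]

if __name__ == "__main__":
    for vm, problem in audit(SAMPLE):
        print(f"{vm}: {problem}")
```

A dual-homed guest is worth flagging because it connects the two guest networks without passing through the firewall rules between vLAN100 and vLAN110.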
AmmaraVistro
Contributor

Thank you Marco,

I like both those solutions :) but I will go for the 1st option.

You are right, I am already using vCenter server and currently using vDS with VLANs for data, management, vMotion and storage in PROD environment. My goal is to add an isolated DEV environment within current PROD environment.

I am currently using vDS with vLANs for vGuest data, Storage, Management and vMotion for PROD, I guess I have to create another vDS for DEV and assign a Storage vLAN plus create new vLANs for Data, Management and vMotion for Dev?

Thanks

Farah

mprazeres183
Enthusiast

Hi AmmaraVistro,

"You are right, I am already using vCenter server and currently using vDS with VLANs for data, management, vMotion and storage in PROD environment.

My goal is to add an isolated DEV environment within current PROD environment."

- In that case I would suggest using a naming convention to segregate the vGuests from each other or the Folder structure, also you can use the Resource Pools but with caution.

"I am currently using vDS with vLANs for vGuest data, Storage, Management and vMotion for PROD, I guess I have to create another vDS for DEV and assign a Storage vLAN plus create new vLANs for Data, Management and vMotion for Dev?"

- You can actually do the following:

- You can create a vDS and call it vCenter-Host-Management and use on this vDS - Management, vMotion and Storage on the same vLAN.

- You then create a vDS and name it Prod-DEV and use it only for the vGuest data.

- You then create within the vDS Prod-DEV two different Distributed Port Groups (1 Prod and 1 Dev)

With this configuration, you could use the same IP Segment and vLAN for managing the ESXi Hosts, vMotion and Storage.

At the same time, the only thing you then have on the vDSs PROD-DEV is the Traffic of the vGuests. That you can then select either for DEV or PROD vGuests.

As you want to share the same resources (Hosts) for the DEV and PROD, this would be my consideration.

Best regards,
Marco

Check my blog, and if my answer resolved the issue, please provide feedback. Marco Frias - VMware is my World www.vmtn.blog
Fvistr01
Contributor

Thanks mprazeres183
