VMware Cloud Community
ctcbod
Enthusiast

Securely hosting web services

Hi community,

It’s been a while since I’ve looked at this scenario but I’m about to P2V some web services and host them on the same vSphere infrastructure as my internal production VMs.  

I have a physical NIC put aside for these VMs on each host and will create a new standard vswitch and VLAN for web traffic and keep promiscuous mode rejected to segregate traffic.  

I’d like to have separate storage and a separate physical switch, but that’s not an option just yet. Is there anything obvious that I’m missing to segregate web traffic from internal production and tighten security?

Thanks in advance.

3 Replies
sk84
Expert

Apart from load balancing, I see no advantage in using a separate NIC and vSwitch for web traffic. A separate VLAN and its own port group should be sufficient. You can also set promiscuous mode to reject at the port group level.

Otherwise I would use a web application firewall for the web traffic and in such cases NSX is always a good option (keyword: microsegmentation). But NSX is not available for free and requires some modifications (a distributed switch for example).

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
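The setup discussed in the question and in this reply (a port group on its own VLAN with promiscuous mode rejected at the port group level), as an added PowerCLI example that is not from the thread or from VMware; vCenter name, host names, NIC name, VLAN ID, vSwitch and port group names are all assumed placeholders.

```powershell
# Added example, not from the thread. Assumed values: vCenter 'vcenter.example.local',
# hosts 'esx01'/'esx02', dedicated NIC 'vmnic4', VLAN 110, vSwitch 'vSwitch-Web',
# port group 'Web-DMZ'. Requires the VMware.PowerCLI module.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.local'

$hostNames    = @('esx01.example.local', 'esx02.example.local')  # assumed
$dedicatedNic = 'vmnic4'   # physical NIC set aside for web VMs (assumed)
$webVlan      = 110        # VLAN ID for web traffic (assumed)
$vsName       = 'vSwitch-Web'
$pgName       = 'Web-DMZ'

foreach ($hostName in $hostNames) {
    $vmhost = Get-VMHost -Name $hostName

    # Standard vSwitch bound only to the dedicated uplink; create it if absent.
    $vs = Get-VirtualSwitch -VMHost $vmhost -Name $vsName -ErrorAction SilentlyContinue
    if (-not $vs) {
        $vs = New-VirtualSwitch -VMHost $vmhost -Name $vsName -Nic $dedicatedNic
    }

    # Reject promiscuous mode, MAC address changes and forged transmits on the
    # vSwitch itself so every port group inherits a restrictive default.
    Get-SecurityPolicy -VirtualSwitch $vs |
        Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false |
        Out-Null

    # Port group tagged with the web VLAN. Setting the policy here as well
    # overrides inheritance, so a later change on the vSwitch cannot loosen it.
    $pg = Get-VirtualPortGroup -VirtualSwitch $vs -Name $pgName -ErrorAction SilentlyContinue
    if (-not $pg) {
        $pg = New-VirtualPortGroup -VirtualSwitch $vs -Name $pgName -VLanId $webVlan
    }
    Get-SecurityPolicy -VirtualPortGroup $pg |
        Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false |
        Out-Null
}

# Audit: report every standard port group on any host that still accepts
# promiscuous mode, MAC changes or forged transmits (the settings that undo segregation).
Get-VMHost | Get-VirtualSwitch -Standard | Get-VirtualPortGroup |
    Get-SecurityPolicy |
    Where-Object { $_.AllowPromiscuous -or $_.MacChanges -or $_.ForgedTransmits } |
    Select-Object VirtualPortGroup, AllowPromiscuous, MacChanges, ForgedTransmits
```

Run the audit section on its own to check the existing production vSwitches, which is the concern raised in the thread about promiscuous mode being left enabled.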
kenbshinn
Enthusiast

Are you planning on using dedicated NICs for performance purposes or just to segregate the traffic? Couldn't you just use VLANs to do the same thing on your current production vSwitch?

Unless you are doing it for performance (like you are setting up VM passthrough), your production network is already saturated, or you are concerned that your production vSwitches have promiscuous mode turned on.

If none of the above, I would just add the VLAN, maybe add the extra NIC to my NIC team, and be done with it.

It just seems like a waste to do it that way, unless there is a business requirement to use a separate NIC.

ctcbod
Enthusiast

Thanks both.

Putting them on dedicated NICs was purely from an old mindset going back to v3.5 of keeping the web traffic separated. So no load balancing required and no performance gain needed – just that I have the free NICs on the hosts, so I thought I could have another layer of separation via physical NICs.