I have been tasked with redesigning my company's virtual infrastructure (vSphere 5.5 Ent Plus). This redesign will involve the consolidation of two physically air-gapped Dev and Production environments into one IT Service with logically separated environments.
I have been looking at design guides utilising VMware vShield Edge product to simplify the segmentation via PGI (port group isolation). However, from what I understand, the PGI capability has been removed post v4.1 and is no longer available in vShield 5. The design I was looking to emulate was:
A few questions I have for anyone with experience in this field:
- Why was PGI functionality removed? It looks to be a great method for segmenting environments.
- Does VXLAN supersede PGI, or are there other functionalities vShield can provide to give the same functionality?
- How do you segment your vEnvironment? My company is ultimately looking to migrate to a converged CIAB solution with DEV, Test, Prod and DMZ all located within the same physical infrastructure, yet securely separated logically.
As of vSphere 6 there is no more vCNS available to buy. So unless you already have Cloud Suite you will need to consider something like NSX or a third party.
I use Edge firewall devices between my portgroups to ensure isolation. If those portgroups are on different VLANs then port group isolation still works. However, you then need to bridge the gap.... an edge style firewall does this for you. There are several virtual versions of these firewalls.
pSwitch <-> Cable <-> pNIC <-> vSwitch <-> portgroup <-> EDGE FW <-> portgroup <-> vSwitch <-> workloads trust zone 1
EDGE FW <-> portgroup <-> vSwitch <-> workloads trust zone 2
The above works just fine for me. And if you want to ensure no traffic goes between the portgroups, put each trust zone in its own VLAN, but that does mean the EDGE FW needs to bridge between VLANs. You can also do something similar with microsegmentation of workloads tagged as trust zone 1 and trust zone 2, depending on how you want to split things. Microsegmentation works within each trust zone either to act as a secondary defense (i.e. VMs in trust zone 1 cannot talk to trust zone 2) or to say XYZ VMs in trust zone 1 cannot talk to ABC VMs in trust zone 1.
Lots of uses there. Any virtualized EDGE FW can work here, btw; it does not need to be vCNS (if you do not already own it).
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009-2015
Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast
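As an added illustration of the design rules in the reply above (each trust zone in its own VLAN, and the edge firewall as the only thing that bridges zones), here is a small Python check that could be run over a VM/port-group inventory export before a change window. It is not part of this thread or of any VMware product; the inventory data, the field names and the "role" tag are constructed assumptions, and a real export (e.g. from PowerCLI) would need to be mapped onto them.

```python
"""Design-rule checks for VLAN-backed trust zones separated by an edge firewall.

Added example, not from the forum thread or from VMware. The inventory below is
constructed sample data; the field names ("vlan", "zone", "nics", "role") are
assumptions about how an inventory export would be represented.
"""
from collections import defaultdict

# Constructed sample inventory: port groups with their VLAN ID and trust zone.
PORT_GROUPS = {
    "pg-uplink":   {"vlan": 10,  "zone": "external"},
    "pg-dev":      {"vlan": 200, "zone": "dev"},
    "pg-test":     {"vlan": 210, "zone": "test"},
    "pg-prod-web": {"vlan": 300, "zone": "prod"},
    "pg-prod-db":  {"vlan": 301, "zone": "prod"},
}

# Constructed sample VMs: the port group each vNIC attaches to, plus a role tag.
# "jump-01" is deliberately dual-homed across dev and prod to show the finding.
VMS = {
    "edge-fw-01":  {"nics": ["pg-uplink", "pg-dev", "pg-test",
                             "pg-prod-web", "pg-prod-db"], "role": "edge"},
    "dev-app-01":  {"nics": ["pg-dev"], "role": "workload"},
    "test-app-01": {"nics": ["pg-test"], "role": "workload"},
    "prod-web-01": {"nics": ["pg-prod-web"], "role": "workload"},
    "prod-db-01":  {"nics": ["pg-prod-db"], "role": "workload"},
    "jump-01":     {"nics": ["pg-dev", "pg-prod-web"], "role": "workload"},
}


def check_zone_vlans(port_groups):
    """Rule 1: a VLAN must carry port groups of one trust zone only.

    Returns the VLAN IDs shared by more than one zone (no L2 separation there).
    """
    zones_by_vlan = defaultdict(set)
    for pg in port_groups.values():
        zones_by_vlan[pg["vlan"]].add(pg["zone"])
    return sorted(vlan for vlan, zones in zones_by_vlan.items() if len(zones) > 1)


def check_dual_homed(port_groups, vms):
    """Rule 2: only the edge firewall may attach to more than one trust zone.

    Any other VM with vNICs in two zones is a path around the edge FW.
    Returns (vm_name, zones) tuples for offending VMs.
    """
    findings = []
    for name, vm in vms.items():
        zones = {port_groups[pg]["zone"] for pg in vm["nics"]}
        if len(zones) > 1 and vm["role"] != "edge":
            findings.append((name, tuple(sorted(zones))))
    return findings


def check_edge_reachability(port_groups, vms):
    """Rule 3: every trust zone needs at least one port group behind an edge FW.

    A zone none of whose port groups is attached to an edge VM has no gateway,
    so the edge cannot bridge it to the other VLANs. Returns the isolated zones.
    """
    edge_pgs = set()
    for vm in vms.values():
        if vm["role"] == "edge":
            edge_pgs.update(vm["nics"])
    pgs_by_zone = defaultdict(set)
    for name, pg in port_groups.items():
        pgs_by_zone[pg["zone"]].add(name)
    return sorted(zone for zone, pgs in pgs_by_zone.items() if not pgs & edge_pgs)


def run_checks(port_groups, vms):
    """Run all three rules and return their findings keyed by rule name."""
    return {
        "shared_vlans": check_zone_vlans(port_groups),
        "dual_homed_vms": check_dual_homed(port_groups, vms),
        "zones_without_edge": check_edge_reachability(port_groups, vms),
    }


if __name__ == "__main__":
    for rule, findings in run_checks(PORT_GROUPS, VMS).items():
        print(f"{rule}: {findings or 'OK'}")
```

On the sample data the only finding is the dual-homed jump host; the same three functions can be pointed at a real export once its columns are mapped onto the assumed fields.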
Hey Edward, many thanks for the reply. Couple of questions just to clear things up in my own head:
- You say that as of vSphere 6, vCNS is unavailable to buy. My deployment will be based on vSphere 6; does this rule out using vShield Edge? Is vShield Edge only available as part of the vCNS package?
- If I can indeed use vShield Edge, I will most likely use the VLAN-backed method of deployment. Can one instance of vShield Edge span multiple port groups/VLANs, or must an appliance be deployed and configured for each individual port group? My Test and Dev environments consist of only one single VLAN and subsequent port group; however, my production environment consists of many different port groups/VLANs but does not require a perimeter around them individually. Instead I want to create a "Production perimeter".
I hope the above makes sense. Again, thanks for the initial reply.