VMware Cloud Community
omegahost
Enthusiast

vShield Design

Hi friends,

I'm looking into the vShield suite's capabilities and features. I have some questions about its design, scalability and reliability.

1- As I know, vShield App is a vSphere kernel module, so why do we need a separate VM for vShield App that vShield Manager communicates with? Why doesn't vShield Manager talk directly to vSphere?

2- Do vShield suite components sit directly in the path of traffic flowing to VMs?

3- What is the effect of vShield components going down on VMs?

4- Do we have scalability concerns in implementing the vShield suite for our environment?

5- What are the best practices for high availability of the vShield suite?

Regards

1 Reply
Sreec
VMware Employee

Hi,

Please find the answers.

1- As I know, vShield App is a vSphere kernel module, so why do we need a separate VM for vShield App that vShield Manager communicates with? Why doesn't vShield Manager talk directly to vSphere?


vShield App is a hypervisor-based firewall; however, we need a per-hypervisor service machine, which is an App appliance that is by default excluded from any protection, and BY DEFAULT we cannot migrate it to another host.

Since this is vNIC-level protection, it will send the traffic to the vShield appliance over the management PG (that is the reason the appliance should be reachable from vShield, VC and the host). Even if your vShield is down, all existing rules will continue to work (remember vShield App is just one feature of vCNS); however, no changes can be made until vShield Manager is up and running.


In NSX, the distributed kernel module talks directly with NSX Manager (no per-host FW appliance).

2- Do vShield suite components sit directly in the path of traffic flowing to VMs?

I'm sorry, this question is not precise. However, a lot depends on what feature we are using in this set-up.


3- What is the effect of vShield components going down on VMs?

It totally depends upon what feature we were using, e.g. Edges (what specific feature within the Edge), vShield App, Endpoint, Data Security, VXLAN, etc.

For example: if an Edge is down (let's say no HA is configured for the Edges, and the Edge is used for NAT functionality to reach the public network), certainly VM outbound/inbound access will be impacted in that case.


4- Do we have scalability concerns in implementing the vShield suite for our environment?

Feature-specific scalability limits are certainly there. Maybe you should try reading the design guide and KB:

http://www.vmware.com/files/pdf/techpaper/vShield-design-guide.pdf

VMware KB: vCloud Networking and Security 5.1 and 5.5 Edge configuration limits and throughput


5- What are the best practices for high availability of the vShield suite?


vShield Manager can certainly be protected by using the vSphere HA feature; however, no FT is possible. The mapping is always a 1:1 relation between vCNS and VC.

We can enable HA for Edges; for the same reason, two instances of the Edge will be running on separate hosts in an active/standby mode, and in addition we can leverage vSphere HA functionality for the same instance.


Cheers,
Sree | VCIX-5X | VCAP-5X | vExpert 7x | Cisco Certified Specialist
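The HA guidance in the reply above (Edge HA with the two appliances on separate hosts, vShield Manager in a vSphere HA cluster, and exactly one manager per vCenter) can be turned into a design check. The script below is an added example, not code from the thread or from VMware: the XML it parses is a constructed stand-in for an Edge inventory export, and its element names (`edge`, `highAvailability`, `appliances/appliance`, `hostId`) are assumptions rather than the documented vCNS API schema, as is the manager inventory list.

```python
"""Design check for vShield/vCNS Edge and Manager HA over a constructed inventory.

Added example; not from the forum thread or VMware. The XML schema and the
manager inventory below are ASSUMED shapes, not the vCNS REST API format.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one correctly deployed Edge, one whose active/standby
# pair shares a host, and one with HA disabled and a single appliance.
SAMPLE_EDGES_XML = """<edges>
  <edge id="edge-1" name="nat-edge-prod">
    <highAvailability enabled="true"/>
    <appliances>
      <appliance index="0" hostId="host-10" vmName="nat-edge-prod-0"/>
      <appliance index="1" hostId="host-11" vmName="nat-edge-prod-1"/>
    </appliances>
  </edge>
  <edge id="edge-2" name="nat-edge-dev">
    <highAvailability enabled="true"/>
    <appliances>
      <appliance index="0" hostId="host-10" vmName="nat-edge-dev-0"/>
      <appliance index="1" hostId="host-10" vmName="nat-edge-dev-1"/>
    </appliances>
  </edge>
  <edge id="edge-3" name="lb-edge">
    <highAvailability enabled="false"/>
    <appliances>
      <appliance index="0" hostId="host-12" vmName="lb-edge-0"/>
    </appliances>
  </edge>
</edges>"""

# Constructed sample of vShield Manager VMs: name, the vCenter each is
# registered to, and whether the VM sits in a vSphere HA-enabled cluster.
SAMPLE_MANAGERS = [
    {"name": "vsm-prod", "vcenter": "vc-prod", "cluster_ha": True},
    {"name": "vsm-dev", "vcenter": "vc-dev", "cluster_ha": False},
    {"name": "vsm-dev-2", "vcenter": "vc-dev", "cluster_ha": True},
]


def parse_edges(xml_text):
    """Parse the (assumed) Edge inventory XML into plain dicts."""
    root = ET.fromstring(xml_text)
    edges = []
    for e in root.findall("edge"):
        ha = e.find("highAvailability")
        edges.append({
            "id": e.get("id"),
            "name": e.get("name"),
            "ha_enabled": ha is not None and ha.get("enabled") == "true",
            "hosts": [a.get("hostId") for a in e.findall("appliances/appliance")],
        })
    return edges


def check_edge_ha(edge):
    """Findings for one Edge; an empty list means it matches the thread's
    advice: HA enabled, two appliances, running on different hosts."""
    findings = []
    if not edge["ha_enabled"]:
        findings.append("HA disabled: an appliance failure takes the Edge's services (e.g. NAT) down")
    if len(edge["hosts"]) < 2:
        findings.append("only one appliance deployed: no active/standby pair")
    elif len(set(edge["hosts"])) < len(edge["hosts"]):
        findings.append("active and standby appliances share a host: one host failure removes both")
    return findings


def check_managers(managers):
    """Findings per vShield Manager: must be vSphere HA protected, and each
    vCenter must map to exactly one manager (1:1 relation)."""
    by_vc = {}
    for m in managers:
        by_vc.setdefault(m["vcenter"], []).append(m["name"])
    findings = {}
    for m in managers:
        f = []
        if not m["cluster_ha"]:
            f.append("not protected by vSphere HA: manager outage blocks all rule changes")
        if len(by_vc[m["vcenter"]]) > 1:
            f.append("vCenter %s has %d managers registered; vCNS to VC mapping must be 1:1"
                     % (m["vcenter"], len(by_vc[m["vcenter"]])))
        findings[m["name"]] = f
    return findings


def report(xml_text, managers):
    """Map every Edge id and manager name to its list of findings."""
    out = {e["id"]: check_edge_ha(e) for e in parse_edges(xml_text)}
    out.update(check_managers(managers))
    return out


if __name__ == "__main__":
    for name, findings in report(SAMPLE_EDGES_XML, SAMPLE_MANAGERS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run against a real environment, `parse_edges` would be fed the Edge list pulled from vShield Manager and the manager list built from vCenter inventory; the checks themselves do not change. The same-host test is the one worth automating, because DRS can silently move the standby appliance onto the active one's host unless an anti-affinity rule pins them apart.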