VMware Cloud Community
Trustee82

ESXi environment isolated, but VMs have no administration communication with ESXi

We have a production network and we want to work in an ESXi lab environment isolated from the production network so that the VMs do not interfere with production services (for example DHCP)

We have managed to isolate the VMs from the ESXi host: we can manage it from the production network and the VMs have no communication with the production network. We have achieved this by enabling 2 switches, one switch for the machines and another for administration (VMkernel and physical NIC).

But this way, the VMs don't have access to the ESXi, there's no communication, and on one VM we have Veeam Backup and we'd like to be able to communicate for backup jobs.

Is this possible? At first we tried to define a second VMkernel and link it to the VM switch, but this did not work.

LucianoPatrão

When you state "do not interfere with production services" do you mean just isolating the network, or do you mean performance vs bandwidth sharing the network with the production services?

If it is just isolation, you can do this by using VLANs. If it is performance, then you need extra vmnics for that(if you want the VMs to communicate outside).

Second, I don't know why you are referring to the vmkernel. The vmkernel is not for VM networking.

Creating a vSS or vDS without any vmnics is ok and works. As long as the VM doesn't need to communicate outside, all the traffic will stay inside the ESXi environment, which will work.

For the Veeam backup, I never tested a Virtual Switch without vmnics, but the only thing I see here that could cause the backup to fail is if you are using application awareness (that needs to connect directly to the VM).

Luciano Patrão

VCP-DCV, VCAP-DCV Design 2023, VCP-Cloud 2023
vExpert vSAN, NSX, Cloud Provider, Veeam Vanguard
Solutions Architect - Tech Lead for VMware / Virtual Backups

________________________________
If helpful Please award points
Thank You
Blog: https://www.provirtualzone.com | Twitter: @Luciano_PT
Trustee82

Hi,

Thank you for the fast response.

I am referring to isolating the network completely.

The vSS without any vmnics is OK and works, but the VMs have no communication with the ESXi host and I cannot run the Veeam backup.
From any VM I cannot ping the ESXi host, but I do have communication between the machines on that network (see attachment).


Thank you for everything.

LucianoPatrão (accepted solution)

Hi,

But how can you ping a physical environment if you don't have any physical network connection? Of course, that will never work. The connections between VMs are made virtually by the Virtual Switch. That is it, nothing else.

And why do you need to ping the ESXi hosts anyway?

Luciano Patrão
Trustee82

Ok, I was thinking that the machines could connect to the ESXi internally using the vmkernel with the admin service.

I need it because one of the machines is the backup server, and if it does not have a connection to the ESXi host, backups cannot be made. Veeam allows it to be deployed in a virtual machine and to back up the environment and even itself.

All of this is derived from using the same physical wired production network. I would not have these problems if I isolated my ESXi environment on another network, but it is not possible.

LucianoPatrão

Give me a couple of days, I will test this and update it here.

I will also try with the Veeam backup.

Luciano Patrão
Trustee82

Thank you very much for your trouble and effort.

LucianoPatrão

Hi again,

So I tried two ways: creating a vDS and a Standard Switch with no vmnics on them.

I could ping both VMs, and of course, pinging the ESXi host is impossible since there is no physical connection.

Using Veeam, I was also able to back up using a normal backup and also using application-aware processing.

vDS with no vmnics and VMs assigned to it.

JailBreak_0-1683834197837.png

JailBreak_1-1683834225876.png

Backing up the VMs even though they have no connection to ESXi.

JailBreak_2-1683834253078.png


Enabling application-aware processing and backing up again.

JailBreak_3-1683834315787.png

Successful backup.

JailBreak_4-1683834345148.png

As you can see, it is possible to back up those VMs.

Hope this can help.

Luciano Patrão
Trustee82

Thank you very much for your effort.

Where is Veeam installed, on which machine?

From the screenshots it appears that Veeam does not reside on any of the machines in the test DSwitch.

Kinnison (accepted solution)

Hi,

Maybe I'm making things too simple, but assuming you want to keep the "test" virtual machines fully isolated from the production environment, the virtual machine you use to perform backups with the VEEAM product could be placed in its own "portgroup" related to the same vSwitch on which the "portgroup" for management lands.

Regards,
Ferdinando
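The two accepted answers describe one layout: a standard switch with no vmnics for the lab VMs (what Luciano tested) and a separate port group for the Veeam VM on the management vSwitch (Ferdinando's suggestion). The PowerCLI script below is an added example, not code from this thread, from VMware or from Veeam. The host name, the switch and port-group names and the VM name are assumed placeholders. It builds that layout and then audits it for the two things that silently undo the isolation: a VM homed on both the isolated port group and an uplinked switch (a potential bridge into production), and a physical uplink later added to the lab switch.

```powershell
# Added example (not from the thread). Requires VMware PowerCLI and a session
# to vCenter or directly to the host. All names below are assumed placeholders.
Connect-VIServer -Server 'esxi-lab.example.internal'

$vmHost = Get-VMHost -Name 'esxi-lab.example.internal'

# 1. Isolated switch for the lab VMs. New-VirtualSwitch is called without -Nic,
#    so the switch has no physical uplink: frames stay inside the host and a
#    lab DHCP server can never answer clients on the production wire.
$labSwitch = Get-VirtualSwitch -VMHost $vmHost -Name 'vSwitch-Lab' -ErrorAction SilentlyContinue
if (-not $labSwitch) {
    $labSwitch = New-VirtualSwitch -VMHost $vmHost -Name 'vSwitch-Lab'
}
$labPg = Get-VirtualPortGroup -VirtualSwitch $labSwitch -Name 'Lab-Isolated' -ErrorAction SilentlyContinue
if (-not $labPg) {
    $labPg = New-VirtualPortGroup -VirtualSwitch $labSwitch -Name 'Lab-Isolated'
}

# 2. Backup port group on the management switch (vSwitch0 carries the VMkernel
#    port and the physical NIC). The Veeam VM lives here, so it reaches the
#    ESXi management interface like any other management client. As noted in
#    the thread, this VM therefore does have a path to the production network.
$mgmtSwitch = Get-VirtualSwitch -VMHost $vmHost -Name 'vSwitch0'
$backupPg = Get-VirtualPortGroup -VirtualSwitch $mgmtSwitch -Name 'Backup-Mgmt' -ErrorAction SilentlyContinue
if (-not $backupPg) {
    $backupPg = New-VirtualPortGroup -VirtualSwitch $mgmtSwitch -Name 'Backup-Mgmt'
}

$veeam = Get-VM -Name 'veeam-backup'   # assumed VM name
Get-NetworkAdapter -VM $veeam | Set-NetworkAdapter -Portgroup $backupPg -Confirm:$false

# 3. Audit. Any VM with an adapter on the isolated port group AND on a port
#    group of an uplinked switch could bridge lab traffic into production.
$uplinkedSwitches = Get-VirtualSwitch -VMHost $vmHost | Where-Object { @($_.Nic).Count -gt 0 }
$uplinkedPgNames  = @($uplinkedSwitches | Get-VirtualPortGroup | Select-Object -ExpandProperty Name)

foreach ($vm in Get-VM -Location $vmHost) {
    $names = @(Get-NetworkAdapter -VM $vm | Select-Object -ExpandProperty NetworkName)
    $onLab  = $names -contains $labPg.Name
    $onProd = @($names | Where-Object { $uplinkedPgNames -contains $_ }).Count -gt 0
    if ($onLab -and $onProd) {
        Write-Warning "$($vm.Name) is dual-homed (lab + uplinked): $($names -join ', ')"
    }
}

# Confirm nobody has since attached a vmnic to the lab switch.
$labSwitchNow = Get-VirtualSwitch -VMHost $vmHost -Name 'vSwitch-Lab'
if (@($labSwitchNow.Nic).Count -ne 0) {
    Write-Warning "vSwitch-Lab has uplinks ($($labSwitchNow.Nic -join ', ')); lab traffic is no longer isolated."
} else {
    Write-Host 'vSwitch-Lab has no uplinks: lab VMs remain isolated from the physical network.'
}
```

Run the audit section on a schedule rather than once: the isolation in this design rests entirely on the lab switch having no vmnics and on no VM straddling both port groups, and either condition can be changed by a single click in the host client.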

Trustee82

Hi,

This solution is perfect. The only objection is that the Veeam VM has communication with the production environment, but in this case that is not a problem.

Thank you very much for everything and for your dedication.
