VMware Cloud Community
ndmuser
Enthusiast

internal only portGroup on vDS

Hello, is it possible to create on vDS (vSphere 5.0, Enterprise Plus)  PortGroup for internal VMs only. We need to setup two VMs: APPS and DB. APPS VM should have access to DMZ, internal campus network and DB server. DB VM should have access to APPS VM only (no Internet, no internal campus network). Would it be better to use standard vSwitch for this purpose? Will we be able to use vMotion between hosts?

Thank you for all advice and recommendations.

6 Replies
sajal1
VMware Employee

Hi ndmuser,

You can solve this by many approaches.

1. The first approach is to use two separate VLANs for this. Say the internal campus network port group is VLAN 20 and the external (DMZ) VLAN is 30.

     So the DB VM would have a single NIC connected to the port group with VLAN 20, and the APP VM has two NICs, one connected to the Internal Campus Network and another to the DMZ VLAN.

     This is the easiest way.

2. The second way is to use the internal PVLAN feature of vDS. For details check the link below

     http://pubs.vmware.com/vsphere-55/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-55-network...

     Page 54

That said, there is no limitation on doing vMotion between the hosts. You need to have the underlying physical NICs of the host server on a TRUNK port so that all the VLAN data flows through the NIC, and you implement VLAN tagging at the vDS/vSS level.

Please let me know if you need more information or clarification

ndmuser
Enthusiast

Sajal, the DB VM should not be connected to the internal campus network or public network at all. It needs to be connected to the APP server via a crossover cable or their own switch, if we were talking about the physical world. Thank you for your advice!

sajal1
VMware Employee (accepted solution)

Hello ndmuser,

Yes, I forgot that part. If you want your DB VM to be connected to the APP VM only, then a simple solution does exist :). Create two separate vSwitches or vDSs. Do not attach any physical NIC to the first switch (no uplinks). Create a port group on this vSwitch (say by the name "secured"). Attach physical NICs (uplinks) to the second vSwitch and create one or more port groups (say "Internal"). Now your DB VM should have only one NIC, connected to the port group "secured". In your APP VM create two vNICs and attach them to "secured" and "Internal". That way the vSwitch which does not have any uplinks will not be connected to any internal or external network.

In fact you need to place the DB and APP VMs on the same host, and then the traffic between DB and APP never goes out of the host, whereas traffic from the APP VM goes out to the appropriate location.

But one shortcoming of this approach is that you need to vMotion both VMs together, and they always need to be on the same host (well, you can create a VM-VM affinity rule for that :)).

ndmuser
Enthusiast

Thank you! I followed your recommendations: created vSwitches without uplinks on all ESXi hosts, created an affinity rule for both VMs, turned off the internal vSwitch restriction on vMotion events, and so far everything works as expected. :)

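The uplink-less "secured" switch pattern from sajal1's accepted answer, together with the three steps ndmuser reports (switch on every host, VM-VM affinity rule, lifting the vMotion restriction), as a PowerCLI script. This is an added example, not code from the thread or from VMware; the cluster, switch, port group and VM names are assumptions, and it expects an existing Connect-VIServer session. The vCenter advanced setting used in step 5 is the one that disables the "VM on virtual intranet" vMotion compatibility test; check its name against the documentation for your vCenter version before relying on it.

```powershell
# Added example (not from the thread): builds sajal1's isolated "secured"
# segment with PowerCLI. Names below are assumptions; adjust to your inventory.
# Requires the VMware.PowerCLI module and a prior Connect-VIServer.
param(
    [string]$ClusterName   = 'Prod-Cluster',    # assumed cluster name
    [string]$SecuredSwitch = 'vSwitch-Secured', # standard vSwitch with no uplinks
    [string]$SecuredPG     = 'secured',
    [string]$DbVm          = 'DB',
    [string]$AppVm         = 'APPS'
)

$cluster = Get-Cluster -Name $ClusterName

# 1. On every host in the cluster, create the vSwitch WITHOUT uplinks
#    (no -Nic argument means no physical NIC is bound) plus one port group.
foreach ($vmhost in Get-VMHost -Location $cluster) {
    $vss = Get-VirtualSwitch -VMHost $vmhost -Name $SecuredSwitch -ErrorAction SilentlyContinue
    if (-not $vss) {
        $vss = New-VirtualSwitch -VMHost $vmhost -Name $SecuredSwitch
    }
    if (-not (Get-VirtualPortGroup -VirtualSwitch $vss -Name $SecuredPG -ErrorAction SilentlyContinue)) {
        New-VirtualPortGroup -VirtualSwitch $vss -Name $SecuredPG | Out-Null
    }
}

# 2. DB VM: exactly one vNIC, and it lives on the secured port group only.
$db     = Get-VM -Name $DbVm
$dbNics = @(Get-NetworkAdapter -VM $db)
if ($dbNics.Count -ne 1) {
    throw "DB VM '$DbVm' must have exactly one vNIC, found $($dbNics.Count)"
}
Set-NetworkAdapter -NetworkAdapter $dbNics[0] -NetworkName $SecuredPG -Confirm:$false | Out-Null

# 3. APP VM: keep its existing uplinked vNIC(s), add a second vNIC on "secured".
$app = Get-VM -Name $AppVm
if (-not (Get-NetworkAdapter -VM $app | Where-Object { $_.NetworkName -eq $SecuredPG })) {
    New-NetworkAdapter -VM $app -NetworkName $SecuredPG -Type Vmxnet3 -StartConnected -Confirm:$false | Out-Null
}

# 4. VM-VM affinity: both VMs stay on one host, so DB<->APP traffic never
#    crosses a physical NIC (there is none on this switch to cross).
if (-not (Get-DrsRule -Cluster $cluster -Name 'APP-DB-KeepTogether' -ErrorAction SilentlyContinue)) {
    New-DrsRule -Cluster $cluster -Name 'APP-DB-KeepTogether' -KeepTogether $true -VM $app, $db | Out-Null
}

# 5. vMotion refuses a VM attached to a vSwitch with no uplinks unless this
#    vCenter compatibility test is switched off (assumed to be the setting
#    ndmuser refers to; verify against your vCenter version's docs).
$settingName = 'config.migrate.test.CompatibleNetworks.VMOnVirtualIntranet'
$vc      = $global:DefaultVIServer
$setting = Get-AdvancedSetting -Entity $vc -Name $settingName -ErrorAction SilentlyContinue
if ($setting) {
    Set-AdvancedSetting -AdvancedSetting $setting -Value 'false' -Confirm:$false | Out-Null
} else {
    New-AdvancedSetting -Entity $vc -Name $settingName -Value 'false' -Confirm:$false | Out-Null
}
```

Two design points worth keeping in mind: with this layout the APP VM is the only path into the secured segment, so its guest firewall and patch level carry the whole boundary; and disabling the vMotion compatibility test is a vCenter-wide setting, so every VM on an uplink-less switch becomes migratable, which is fine only while the affinity rule keeps each such pair together.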
rzilli_eng
Contributor

Hello sajal1,

I only have the Enterprise (not Plus) edition, so I cannot do it with a vDS. I've tried to do it with a standard switch but with no success. The two VMs in a vSwitch/port group with no uplink don't see each other. Is there a way to work around this?

bayupw
Leadership

Hi Rodrigo, in that case you create a new VLAN for that isolated segment and create the port group for that isolated VLAN.

Do not create a gateway/interface VLAN/SVI on the physical switch/router.

If you need multiple isolated VLANs and they need to be able to reach each other, then you can either use VRF (Virtual Routing and Forwarding) or use Private VLAN (PVLAN).

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
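The VLAN-based variant, which covers both sajal1's first approach and bayupw's advice for hosts without a vDS: a tagged port group on the existing uplinked standard vSwitch, no SVI on the physical side, plus an audit that lists every VM touching the isolated port group and flags any that also have a vNIC on another network. This is an added example, not code from the thread or from VMware; the VLAN ID, names and cluster are assumptions, and it expects an existing Connect-VIServer session.

```powershell
# Added example (not from the thread): VLAN isolation on a standard vSwitch
# for hosts without vDS, plus an audit of who sits on the isolated segment.
# All names and the VLAN ID are assumptions.
param(
    [string]$ClusterName        = 'Prod-Cluster',
    [string]$UplinkSwitch       = 'vSwitch0',      # existing vSS that has physical uplinks
    [string]$IsolatedPG         = 'DB-Isolated',
    [int]$IsolatedVlan          = 999,             # trunked to the hosts, NO SVI/gateway on the router
    [string[]]$AllowedDualHomed = @('APPS')        # VMs that are expected to bridge into the segment
)

$cluster = Get-Cluster -Name $ClusterName

# Create the tagged port group on each host. Tagging happens at the vSS
# (VST), so the physical switch port must carry this VLAN as a trunk.
foreach ($vmhost in Get-VMHost -Location $cluster) {
    $vss = Get-VirtualSwitch -VMHost $vmhost -Name $UplinkSwitch
    $pg  = Get-VirtualPortGroup -VirtualSwitch $vss -Name $IsolatedPG -ErrorAction SilentlyContinue
    if (-not $pg) {
        New-VirtualPortGroup -VirtualSwitch $vss -Name $IsolatedPG -VLanId $IsolatedVlan | Out-Null
    } elseif ($pg.VLanId -ne $IsolatedVlan) {
        # A same-named port group with a different tag on one host would
        # silently put the DB VM on another network after a vMotion.
        Write-Warning "$($vmhost.Name): '$IsolatedPG' has VLAN $($pg.VLanId), expected $IsolatedVlan"
    }
}

# Audit: every VM with a vNIC on the isolated port group, and whether it is
# also attached to any other network. A dual-homed VM that is not on the
# allow list is an unplanned bridge out of the segment.
function Get-IsolatedSegmentReport {
    param([string]$PortGroupName, [string[]]$Allowed)
    foreach ($vm in Get-VM -Location $cluster) {
        $nics       = @(Get-NetworkAdapter -VM $vm)
        $onIsolated = $nics | Where-Object { $_.NetworkName -eq $PortGroupName }
        if (-not $onIsolated) { continue }
        $other = @($nics | Where-Object { $_.NetworkName -ne $PortGroupName } |
                  ForEach-Object { $_.NetworkName })
        if ($other.Count -eq 0)            { $status = 'isolated' }
        elseif ($Allowed -contains $vm.Name) { $status = 'expected-bridge' }
        else                               { $status = 'UNEXPECTED-BRIDGE' }
        [pscustomobject]@{
            VM            = $vm.Name
            Host          = $vm.VMHost.Name
            OtherNetworks = ($other -join ',')
            Status        = $status
        }
    }
}

Get-IsolatedSegmentReport -PortGroupName $IsolatedPG -Allowed $AllowedDualHomed | Format-Table -AutoSize
```

Unlike the uplink-less switch, this design sends DB traffic onto the physical trunk, so the isolation now rests on the physical switch carrying the VLAN nowhere except the ESXi trunk ports and on no router interface ever being created for it; the audit function is the check to run after any change, since a VM accidentally given a second vNIC is the most common way such a segment gets bridged.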