csph (Contributor)

isolate 1 server

We have 3 hosts running vSphere 4. The VMs are all using the default vSwitch network. This works fine, but we wanted to have a more secure environment in one (more later) situation. As an example we have 2 Linux servers.

Server1 (web server)

Server2 (DB server)

Obviously Server1 needs to talk to the outside world. However I’ve heard a bit about isolating VMs so that Server2 would be only accessible by going through Server1 and that the outside world had no visibility to Server2.

I know I could probably do something with IPtables, etc. But it would be nicer and much easier to manage doing this at the virtual switch layer.

Any help would be greatly appreciated!

virtualportal (Enthusiast)

Hi,

You can use Private VLANs (PVLANs) to achieve this. This is supported in vSphere and allows you to sit Server 1 in the primary PVLAN and then all other VMs in secondary PVLANs. There are a few different configuration options, including promiscuous, community and isolated PVLANs.

Eric Sloof has a great video on PVLANs over at this link.

Also Page 6 of this VMware Whitepaper has a great diagram.

This setup is usually quite nice if you use a virtual router or Firewall that you would like all of your traffic to pass through before it reaches the outside world.

I hope this helps you solve your issue.

----
Steven Bryen | Blog: www.virtual-portal.com | Twitter: @virtualportal | VCP3, VCP4

csph (Contributor)

Thanks so much, I'll check out those links.

vmroyale (Immortal)

Hello and welcome to the forums.

You could also create a vSwitch with no physical NICs assigned to it. Then you could give Server 1 and Server 2 each a new NIC and connect them via this switch. The catch is that they would need to stay on the same host for this to work.

Good Luck!

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com
csph (Contributor)

Steve,

I haven't watched the video yet, but it looks like you have to do this on a distributed virtual switch, is this correct?

We only have the advanced license so I can't create those.

If this is the case would I have to do this like vmroyale suggested?

virtualportal (Enthusiast)

Sorry, I forgot to mention: yes, this is pretty cool stuff, but it does require the Distributed Virtual Switch.

What vmroyale mentioned would work. However, if you have enough physical NICs on your ESX hosts, then you could create a second vSwitch on all ESX hosts with another physical uplink (all plugged into the same switch or VLAN). This creates a segregated network for the isolated VMs and also allows you to still use features such as vMotion, HA and DRS.

You just need to ensure that all Portgroup names are identical across hosts.

----
Steven Bryen | Blog: www.virtual-portal.com | Twitter: @virtualportal | VCP3, VCP4

csph (Contributor)

Thanks for the info.

Would you happen to know of any tutorial/walk through on how to do this?

Sorry, I'm kinda new to this.

csph (Contributor)

What am I missing? I am trying to accomplish what vmroyale posted.

I created a new vSwitch (with no network adapter). I added a network card to Server1 (connected to the new switch), so now it has one adapter on the default network and one on the new switch. For Server2 I changed the switch that the default network adapter was connected to, to the new switch.

My thinking was that it shouldn't be connected to the default network (so it is inaccessible to the outside world), but only to the new "private/internal switch".

Now Server1 cannot see Server2.

How can I get these two to talk?

vmroyale (Immortal)

How did you address them? Just assign a private IP address, or something not used in your environment, to each NIC on the isolated network and they should talk to each other fine. Remember, each of these VMs will need to be on the same host.

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com
csph (Contributor)

Thank you so much vmroyale. I think I got it. Server1 has 2 NICs. The first is configured on the VM Network (our corporate LAN); the second is connected to the new virtual network I created (not connected to a physical NIC). I gave it an IP of 192.xxx.x.50, subnet 255.255.255.0 and no default gateway.

Server2 has only 1 NIC, connected to the new virtual network I created (not connected to a physical NIC). I gave it an IP of 192.xxx.x.51, subnet 255.255.255.0 and no default gateway.

I cannot see Server2 from the LAN, but can ping it from Server1. I just got my web app up and running on the 2 servers!!

I do realize that these need to be on the same host and am ok with that for now.

Does it appear that I set this up correctly? Is there anything I should have done differently? Are there any other issues I need to be aware of with a setup like this?

Again I really appreciate everyone's help here.

vmroyale (Immortal)

> Does it appear that I set this up correctly?

Yes, that is exactly right.

> Is there anything I should have done differently? Are there any other issues I need to be aware of with a setup like this?

From a security perspective, you could look at a few other things - this depends on the requirement, need or paranoia involved. Server 2 is now not directly accessible on the network, but it is still accessible from Server 1. There is still plenty that could be done to protect Server 2 from Server 1. From an availability perspective, if you have DRS running, you might want to consider creating a rule to keep these virtual machines together.

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com
csph (Contributor)
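The setup the thread converges on (an internal vSwitch with no physical uplink, a second adapter on Server1, Server2 moved off the LAN port group, and the DRS keep-together rule suggested in the last reply) can be scripted with PowerCLI so it is repeatable and checkable. This is an added example and is not code from any poster; the vCenter name, host name, cluster name, switch and port group names are placeholders, and the `New-VirtualSwitch`, `New-VirtualPortGroup`, `New-NetworkAdapter`, `Set-NetworkAdapter` and `New-DrsRule` cmdlets are standard PowerCLI.

```powershell
# Added example (PowerCLI), not from the thread. Placeholder names: vCenter
# "vcenter.example.com", host "esx01.example.com", cluster "Cluster1",
# VMs "Server1" (web) and "Server2" (DB).
Connect-VIServer -Server vcenter.example.com

$vmhost = Get-VMHost -Name esx01.example.com
$web    = Get-VM -Name Server1
$db     = Get-VM -Name Server2

# 1. Internal vSwitch: omitting -Nic attaches no physical adapter, so frames on
#    this switch never leave the host. A port group is what the VMs connect to.
$vs = New-VirtualSwitch -VMHost $vmhost -Name "vSwitch_Internal"
$pg = New-VirtualPortGroup -VirtualSwitch $vs -Name "Internal"

# 2. Server1 keeps its "VM Network" adapter and gains a second adapter on the
#    internal port group (the guest still needs its own IP on that adapter).
New-NetworkAdapter -VM $web -NetworkName $pg.Name -Type Vmxnet3 -StartConnected -Confirm:$false

# 3. Server2's single adapter is re-pointed from "VM Network" to the internal
#    port group, so it has no path to the LAN at all.
Get-NetworkAdapter -VM $db | Set-NetworkAdapter -NetworkName $pg.Name -Confirm:$false

# 4. Sanity checks a reviewer would want: no uplinks on the internal switch,
#    and both VMs on the same host (an uplink-less switch is host-local).
$uplinks = (Get-VirtualSwitch -VMHost $vmhost -Name "vSwitch_Internal").Nic
if ($uplinks.Count -gt 0) { throw "vSwitch_Internal has uplinks: $($uplinks -join ',')" }
if ($web.VMHost.Name -ne $db.VMHost.Name) { throw "Server1 and Server2 are on different hosts" }

# 5. DRS keep-together rule so DRS never separates the pair (vmroyale's
#    availability point). A VM that gets vMotioned alone would lose the link.
$cluster = Get-Cluster -Name "Cluster1"
New-DrsRule -Cluster $cluster -Name "Keep-Server1-Server2-Together" -KeepTogether $true -VM $web,$db
```

The guest-side addressing (the 192.x.x.50/.51 pair with a /24 mask and no default gateway) is still done inside each OS, as csph did; the script only builds the virtual network and the placement rule. Re-running step 4 after any migration is a quick way to confirm the isolation assumption still holds.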

Thanks for your help. I will do some testing of this environment and possibly have more questions later.
