VMware Cloud Community
jj_QST
Contributor

vSphere client isolation

Using vSphere 6.5, we have a setup where VMs need to simulate client production configurations where sometimes there are 3 VMs, sometimes 1, sometimes 4, etc.  Each 'installation' needs to be able to talk to "its" machines, but not the others.  We have 5 teams using this setup, and each team might have dozens of 'installations'.  Machines will have the same names (not within installations, but from one installation to the next).  We manage this by having two NICs on each VM.  One to get internet, which is connected to a network with internet (the "internet" network), and one connected to the "local" network.  The "local" network is a virtual distributed switch with multiple port groups (one for each team) and then we use subnetting and different IP ranges to keep each installation separate.

The "local" network is working fine.  The problem is that the VMs can still see each other on the "internet" network.  I'd like them to be isolated, so that they can get internet, but can't talk to each other.  I can't put each one in its own port group because there are potentially hundreds of machines that get cloned and later deleted, so trying to manage those port groups is impractical.

How can I configure the "internet" network so that the clients can't see each other, but can still hit the gateway/DHCP server?

2 Replies
PierluigiCastel
Contributor

You can use a firewall like pfSense with 2 network adapters: one to your internet and one to a trunk port group on the vDS. Then associate a single VLAN to each port group of your "local" network.

Example

vSwitch0 (my internet connection) --- pfsense interface for wan

VDS-LOCAL
-> PG-TEAMS-TRUNK (VLAN trunking 0-4094): pfSense interface for VLAN trunking
-> PG-TEAM-MASTER-VLAN1 (vlan 1)
-> PG-TEAM10-VLAN10 (vlan 10)
-> PG-TEAM11-VLAN11 (vlan 11)
-> and so on....

Next, configure one VM to control the firewall from one port group, for example PG-TEAM-MASTER-VLAN1, so you can create a rule that only this port group can access the firewall GUI interface.

Next, set a single VLAN for each team that you want to connect, enable DHCP, and set rules that give access to the internet but block any interaction with other VLANs.
The next move is to disconnect every VM (and remove the unnecessary network adapter) from the "internet" network.
The VMs end up with only one connection: the relevant port group with internet access managed by the firewall and separated by VLAN (so they cannot interact with each other).

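The port-group layout from the reply above, as an added PowerCLI example (not code from the original thread or from pfSense). It assumes PowerCLI is installed, that the vDS "VDS-LOCAL" already exists, and that the vCenter address and the team-to-VLAN mapping are placeholders you replace with your own; the pfSense firewall rules (allow each VLAN to the internet, block VLAN-to-VLAN, restrict the GUI to the master port group) are still configured in pfSense itself and are not part of this script.

```powershell
# Added example: build the trunk + per-team VLAN port groups described in the
# reply on an existing vDS, then list them so you can check the VLAN mapping.
# Assumptions: PowerCLI installed; vDS "VDS-LOCAL" exists; server name,
# port-group names and team/VLAN numbers below are placeholders.

param(
    [string]$VIServer = "vcenter.example.internal",   # assumption: your vCenter
    [string]$VDSName  = "VDS-LOCAL",
    [string]$TrunkPG  = "PG-TEAMS-TRUNK",
    [string]$MasterPG = "PG-TEAM-MASTER-VLAN1"
)

# Constructed sample mapping of team -> VLAN (the reply uses VLAN 10, 11, ...).
$teamVlans = [ordered]@{
    "TEAM10" = 10
    "TEAM11" = 11
    "TEAM12" = 12
}

Connect-VIServer -Server $VIServer | Out-Null
$vds = Get-VDSwitch -Name $VDSName -ErrorAction Stop

# Create an access port group on a single VLAN, unless it already exists.
function New-IsolatedPortGroup {
    param([string]$Name, [int]$VlanId)
    $pg = Get-VDPortgroup -VDSwitch $vds -Name $Name -ErrorAction SilentlyContinue
    if (-not $pg) {
        $pg = New-VDPortgroup -VDSwitch $vds -Name $Name -VlanId $VlanId
    }
    return $pg
}

# 1. Trunk port group carrying every VLAN to the pfSense "local" vNIC.
#    pfSense then terminates each VLAN on its own sub-interface.
if (-not (Get-VDPortgroup -VDSwitch $vds -Name $TrunkPG -ErrorAction SilentlyContinue)) {
    New-VDPortgroup -VDSwitch $vds -Name $TrunkPG -VlanTrunkRange "0-4094" | Out-Null
}

# 2. Management port group (VLAN 1) for the one VM allowed to reach the GUI.
New-IsolatedPortGroup -Name $MasterPG -VlanId 1 | Out-Null

# 3. One access port group per team, each on its own VLAN. Cloned VMs are
#    simply attached to their team's port group; no per-VM port groups needed.
foreach ($team in $teamVlans.Keys) {
    $vlan = $teamVlans[$team]
    New-IsolatedPortGroup -Name "PG-$team-VLAN$vlan" -VlanId $vlan | Out-Null
}

# 4. Check: list the port groups with their VLAN configuration and confirm that
#    no two team port groups share a VLAN (the isolation depends on it).
Get-VDPortgroup -VDSwitch $vds |
    Where-Object { $_.Name -like "PG-*" } |
    Select-Object Name, @{ N = "VLAN"; E = { $_.VlanConfiguration } } |
    Format-Table -AutoSize

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

The separation here is only as strong as the VLAN boundary plus the firewall rules on the pfSense VLAN interfaces: if a team port group is left without a VLAN ID, or two teams are given the same VLAN, the VMs are back on one broadcast domain, which is what the final listing is meant to catch.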
PierluigiCastel
Contributor

Note: pfSense release 2.5.2 (FreeBSD 12) has a few problems with the vmxnet3 driver; use E1000E instead.
