1 Reply Latest reply on Apr 5, 2017 4:10 PM by Eric_Allione

    Limit the port groups a VM can connect to

    stephentzsamal Lurker

      Hi

      I've been researching and surprisingly found nothing so far, which is odd; I would think other enterprises would have faced a similar challenge.

      What we have is a cluster with access to a preprod and prod.

      2 connections to preprod, VLANs 10, 20, 30

      2 connections to prod, VLANs 100, 200, 300

      -------------------

      vSwitch1 with 3 PGs

      PG_v10_pp

      PG_v20_pp

      PG_v30_pp

      vSwitch2 with 3 PGs

      PG_v100_pd

      PG_v200_pd

      PG_v300_pd

      VMs on VLAN10 and VLAN100 have the same name and IP:

      SERVER001 | 10.222.10.33 | connected to PG_v10_pp

      SERVER001 | 10.222.10.33 | connected to PG_v100_pd

      Same for VLANs 20, 200 and 30, 300.

      What we want to avoid is someone, on purpose or by accident, taking the VM and changing its port group from PG_v10_pp to PG_v100_pd, for example.


      Any elegant way of doing this within vSphere products? Is another product or add-on needed to achieve this?

      The only thing I can think of is giving the user that has access to the prod VLAN NoAccess to the preprod VLANs, and vice versa. But eventually there would have to be a super admin that needs access to see both?

      Also, if a VM is connected to prod and a user with access to preprod VMs only logs in and edits the prod machine's settings, they should be able to see all the preprod port groups and then re-assign that VM to a preprod VLAN, effectively nullifying the entire delegation policy we are trying to achieve, unless the users with access to the preprod network are also restricted to seeing preprod VMs as well, and vice versa.

      I digress; is there a simple way of saying VM001 cannot connect to PG1, PG2, and PG3?


      Thanks

        • 1. Re: Limit the port groups a VM can connect to
          Eric_Allione Enthusiast
          vExpert

          There may not be a feature for "port-group" affinity like there is for host affinity etc., but you can create roles that only allow DVPortgroup.Modify for those on your team who know better. If this is the only privilege which you wanted to restrict, then in global configuration you could start with the Administrator templates giving you King Kong rights, and then remove the role for DVPortgroup.Modify.

          The list of roles can be found at vSphere API/SDK Documentation > vSphere Management SDK > vSphere Web Services SDK Documentation > vSphere Web Services SDK Programming Guide > Privileges Reference.
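As an added example, not part of this thread or of any VMware tool, here is a Python audit that flags VMs whose adapters sit on port groups outside the VM's own environment, i.e. the PG_v10_pp to PG_v100_pd change the question wants to prevent and which a role restriction alone will not catch once someone holding the privilege makes it. It assumes the PG_v<vlan>_pp/_pd naming from the post, a constructed inventory in place of a PowerCLI or pyVmomi export, and that each VM's environment label comes from a vSphere tag or folder.

```python
"""Audit VM network adapters against the preprod/prod split described in the post.
Constructed example: INVENTORY stands in for what Get-VM | Get-NetworkAdapter (PowerCLI)
or pyVmomi would return; each VM's "env" label is assumed to come from a tag or folder.
"""
import re

# Port group naming convention from the post: PG_v<vlan>_pp (preprod), PG_v<vlan>_pd (prod).
PG_PATTERN = re.compile(r"^PG_v(?P<vlan>\d+)_(?P<env>pp|pd)$")
ENV_NAMES = {"pp": "preprod", "pd": "prod"}

def portgroup_env(name):
    """Return 'preprod', 'prod', or 'unknown' for a port group name."""
    m = PG_PATTERN.match(name)
    return ENV_NAMES[m.group("env")] if m else "unknown"

def audit(inventory):
    """Return (vm, adapter, reason) tuples for every adapter that breaks the policy."""
    findings = []
    for vm in inventory:
        envs_seen = set()
        for nic in vm["adapters"]:
            env = portgroup_env(nic["portgroup"])
            envs_seen.add(env)
            if env == "unknown":
                findings.append((vm["name"], nic["label"], f"{nic['portgroup']} is outside the naming convention"))
            elif env != vm["env"]:
                findings.append((vm["name"], nic["label"], f"{vm['env']} VM attached to {env} port group {nic['portgroup']}"))
        if len(envs_seen - {"unknown"}) > 1:  # one VM with a foot in both environments
            findings.append((vm["name"], "*", "VM bridges preprod and prod"))
    return findings

# Constructed inventory: the two SERVER001 VMs from the post plus one mis-connected VM.
INVENTORY = [
    {"name": "SERVER001", "env": "preprod",
     "adapters": [{"label": "Network adapter 1", "portgroup": "PG_v10_pp"}]},
    {"name": "SERVER001", "env": "prod",
     "adapters": [{"label": "Network adapter 1", "portgroup": "PG_v100_pd"}]},
    {"name": "SERVER002", "env": "preprod",
     "adapters": [{"label": "Network adapter 1", "portgroup": "PG_v20_pp"},
                  {"label": "Network adapter 2", "portgroup": "PG_v200_pd"}]},
    {"name": "SERVER003", "env": "prod",
     "adapters": [{"label": "Network adapter 1", "portgroup": "VM Network"}]},
]

if __name__ == "__main__":
    for vm, nic, reason in audit(INVENTORY):
        print(f"{vm} / {nic}: {reason}")
```

Run it on a scheduled export and alert on any non-empty result; the bridging check also catches a VM that was given a second adapter on the other environment rather than having its existing one moved.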