Hello, we are building out a new DMZ VMWare cluster. Question: Is it a security best practice to have a dedicated vCenter on the DMZ for DMZ ESXi hosts, or is it acceptable to have the DMZ ESXi hosts communicate with a vCenter on the internal network? The internal vCenter would be located on a dedicated management network that is secured.
It all depends on your requirements and desired security posture.
What users will be used to log onto that DMZ? Do you want to add it to your internal domain as well? Will you be using SSO users and log on to vCenter that way?
If you're building out separate hosts in the DMZ, I'm going to assume that your DMZ has its own management network. It might be better to place a new vCenter in there as well, if your requirements tell you to. You could also add the hosts into your regular vCenter; if there is a firewall between vCenter and those hosts, you could allow only the bare minimum between them.
Thanks for the response.
Yes, if a vCenter was built on the DMZ it would be added to the internal domain and Active Directory user accounts would be used for administration of the DMZ hosts, vCenter features, etc.
DMZ hosts will have a dedicated management network separate from the internal management network.
Sounds like you are suggesting that, if there is a dedicated management network in the DMZ, there should be a separate vCenter in the DMZ as well.
The other option is to lock down communication between an internal vCenter and the DMZ hosts.
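Both replies above come down to the same control for the "internal vCenter" option: a firewall between the internal management network and the DMZ management network that allows only the flows vCenter and a managed ESXi host actually need. The script below is an added example, not code from this thread or from VMware. It encodes the basic vCenter-to-ESXi management flows from VMware's published port list (TCP 443 and TCP 902 from vCenter to the host, UDP 902 host heartbeat back to vCenter) and audits a rule set for two things: required flows that are missing, and allow rules touching the DMZ that are broader than that list. The network ranges, the `Rule` shape and both sample rule sets are constructed for the example; features such as HA, vSAN or vMotion add their own ports, so treat the required set as the starting point for a basic-management-only design, and check it against the port list for your vCenter version.

```python
"""Audit firewall rules between an internal vCenter and DMZ ESXi hosts.

Added example for this thread (not VMware code). Networks and rules are
constructed. REQUIRED holds the basic management flows from VMware's
published port list; other vSphere features need additional ports, so
verify the list against the documentation for your version.
"""
from dataclasses import dataclass

VCENTER_NET = "10.0.10.0/24"   # constructed: internal management network
DMZ_MGMT_NET = "192.0.2.0/24"  # constructed: DMZ ESXi management network
ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR or "any"
    dst: str      # destination CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port as a string, or "any"
    action: str   # "allow" or "deny"


# Minimum flows for vCenter to manage an ESXi host (basic management only).
REQUIRED = {
    Rule(VCENTER_NET, DMZ_MGMT_NET, "tcp", "443", "allow"),  # vSphere API / host agent
    Rule(VCENTER_NET, DMZ_MGMT_NET, "tcp", "902", "allow"),  # host management, NFC
    Rule(DMZ_MGMT_NET, VCENTER_NET, "udp", "902", "allow"),  # host heartbeat to vCenter
}


def touches_dmz(rule: Rule) -> bool:
    """True if a rule can carry traffic to or from the DMZ management network."""
    return DMZ_MGMT_NET in (rule.src, rule.dst) or ANY in (rule.src, rule.dst)


def audit(rules):
    """Return (missing, excess).

    missing: REQUIRED flows with no matching allow rule.
    excess:  allow rules involving the DMZ that are not exactly a REQUIRED
             flow (wildcard ports/protocols, extra services, reversed direction).
    """
    allows = {r for r in rules if r.action == "allow"}
    missing = sorted(REQUIRED - allows, key=str)
    excess = sorted((r for r in allows if r not in REQUIRED and touches_dmz(r)), key=str)
    return missing, excess


def weak_ruleset():
    """Constructed 'before' set: one blanket allow from vCenter to the DMZ."""
    return [
        Rule(VCENTER_NET, DMZ_MGMT_NET, ANY, ANY, "allow"),
        Rule(ANY, ANY, ANY, ANY, "deny"),
    ]


def hardened_ruleset():
    """Constructed 'after' set: exactly the required flows, then deny all."""
    return sorted(REQUIRED, key=str) + [Rule(ANY, ANY, ANY, ANY, "deny")]


def report(name, rules):
    missing, excess = audit(rules)
    print(f"{name}: {len(missing)} required flow(s) missing, {len(excess)} over-broad allow(s)")
    for r in missing:
        print(f"  MISSING  {r.src} -> {r.dst} {r.proto}/{r.port}")
    for r in excess:
        print(f"  EXCESS   {r.src} -> {r.dst} {r.proto}/{r.port}")


if __name__ == "__main__":
    report("weak", weak_ruleset())
    report("hardened", hardened_ruleset())
```

Run it as-is to see the blanket `any/any` rule reported as both over-broad and as not satisfying any of the three required flows, while the hardened set audits clean. To use it against a real rule base, replace the two sample functions with a loader for your firewall's export format and keep `REQUIRED` as the allow-list the DMZ hosts are permitted.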