VMware Cloud Community
benjaminsohn
Contributor

vCenter / DMZ Best Practices

Hello, we are building out a new DMZ VMware cluster. Question: Is it a security best practice to have a dedicated vCenter on the DMZ for DMZ ESXi hosts, or is it acceptable to have the DMZ ESXi hosts communicate with a vCenter on the internal network? The internal vCenter would be located on a dedicated management network that is secured.


Accepted Solutions
Brisk
Enthusiast

It all depends on your requirements and desired security posture.

What users will be used to log onto that DMZ? Do you want to add it to your internal domain as well? Will you be using SSO users and log on to vCenter that way?

If you're building out separate hosts in the DMZ, I'm going to assume that your DMZ has its own management network. It might be better if you place a new vCenter in there as well, if your requirements tell you to. You could also add the hosts into your regular vCenter; if there is a firewall between vCenter and those hosts, you could allow only the bare minimum between them.

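As an added example (not part of the original thread and not VMware's code) of what "only allow the bare minimum" between an internal vCenter and DMZ ESXi hosts looks like in practice, the script below defines that allowlist once, renders it as nftables rules, and audits a management-network flow log against it so you can check the firewall is actually enforcing it. The addresses, the flow-log format and the nftables table/chain names are assumptions; the ports are the vCenter-to-ESXi management ports (TCP 443, TCP/UDP 902) and the ESXi-to-vCenter heartbeat (UDP 902) from VMware's vSphere port documentation. Anything else across the boundary (SSH, syslog, NTP, vMotion, CIM) is deliberately left out and needs its own explicit decision.

```python
"""Model the minimum firewall policy between a vCenter on the internal
management network and ESXi hosts on a DMZ management network, render it
as nftables rules, and audit a flow log against it.

Added example for this thread, not VMware code. Addresses, log format and
nftables table/chain names are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed topology (hypothetical addresses).
VCENTER = ipaddress.ip_network("10.10.0.10/32")       # vCenter, internal mgmt net
INTERNAL_MGMT = ipaddress.ip_network("10.10.0.0/24")  # internal management network
DMZ_MGMT = ipaddress.ip_network("192.168.50.0/24")    # DMZ ESXi management network


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int
    note: str


# The "bare minimum": vCenter<->ESXi management ports per VMware's vSphere
# port documentation. Everything else across the boundary (SSH, syslog, NTP,
# vMotion, CIM) is deliberately absent and needs its own explicit decision.
RULES = (
    Rule(VCENTER, DMZ_MGMT, "tcp", 443, "vCenter -> ESXi: vSphere API / host management"),
    Rule(VCENTER, DMZ_MGMT, "tcp", 902, "vCenter -> ESXi: vCenter agent, console/datastore"),
    Rule(VCENTER, DMZ_MGMT, "udp", 902, "vCenter -> ESXi: vCenter agent"),
    Rule(DMZ_MGMT, VCENTER, "udp", 902, "ESXi -> vCenter: host heartbeat"),
)


def crosses_boundary(src, dst):
    """True when a flow goes between the internal and DMZ management networks."""
    return (src in INTERNAL_MGMT and dst in DMZ_MGMT) or (src in DMZ_MGMT and dst in INTERNAL_MGMT)


def is_allowed(src, dst, proto, dport):
    """Default-deny: a cross-boundary flow is allowed only if a rule matches exactly."""
    src, dst = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    return any(src in r.src and dst in r.dst and proto == r.proto and dport == r.dport
               for r in RULES)


def nft_rules(table="inet fw", chain="forward"):
    """Render the policy as nftables commands: explicit accepts, then drop both directions."""
    cmds = [f'nft add rule {table} {chain} ip saddr {r.src} ip daddr {r.dst} '
            f'{r.proto} dport {r.dport} ct state new accept comment "{r.note}"'
            for r in RULES]
    cmds.append(f"nft add rule {table} {chain} ip saddr {INTERNAL_MGMT} ip daddr {DMZ_MGMT} drop")
    cmds.append(f"nft add rule {table} {chain} ip saddr {DMZ_MGMT} ip daddr {INTERNAL_MGMT} drop")
    return cmds


def parse_flow(line):
    """Parse one constructed log line: '<ts> src=A dst=B proto=P dport=N'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return (ipaddress.ip_address(fields["src"]), ipaddress.ip_address(fields["dst"]),
            fields["proto"].lower(), int(fields["dport"]))


def audit(log_lines):
    """Return the log lines whose cross-boundary flow is not on the allowlist.
    Flows that stay inside one zone (e.g. DMZ host-to-host vMotion) are out of scope."""
    violations = []
    for line in log_lines:
        if not line.strip():
            continue
        src, dst, proto, dport = parse_flow(line)
        if crosses_boundary(src, dst) and not is_allowed(src, dst, proto, dport):
            violations.append(line)
    return violations


# Constructed flow log for illustration (hypothetical addresses).
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 src=10.10.0.10 dst=192.168.50.11 proto=tcp dport=443
2024-05-01T10:00:02 src=10.10.0.10 dst=192.168.50.11 proto=tcp dport=902
2024-05-01T10:00:03 src=192.168.50.11 dst=10.10.0.10 proto=udp dport=902
2024-05-01T10:00:04 src=192.168.50.11 dst=10.10.0.10 proto=tcp dport=443
2024-05-01T10:00:05 src=192.168.50.12 dst=10.10.0.25 proto=tcp dport=22
2024-05-01T10:00:06 src=10.10.0.40 dst=192.168.50.11 proto=tcp dport=22
2024-05-01T10:00:07 src=192.168.50.11 dst=192.168.50.12 proto=tcp dport=8000
"""

if __name__ == "__main__":
    for cmd in nft_rules():
        print(cmd)
    for bad in audit(SAMPLE_FLOWS.splitlines()):
        print("VIOLATION:", bad)
```

In the constructed log, the first three flows are the expected vCenter/ESXi traffic and pass; the DMZ host opening TCP 443 back to vCenter, the DMZ host reaching an internal box on SSH, and an internal host reaching the DMZ host's management interface on SSH are all flagged, because the policy is default-deny and the allowlist is the only source of truth. The last line is DMZ-internal vMotion and is ignored because it never crosses the boundary. Keeping the rule set and the audit driven by the same `RULES` tuple is the point: if someone adds a port to the firewall without adding it here, the audit shows it.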
2 Replies
benjaminsohn
Contributor

Thanks for the response.

Yes, if a vCenter was built on the DMZ, it would be added to the internal domain and Active Directory user accounts would be used for administration of the DMZ hosts, vCenter features, etc.

DMZ hosts will have a dedicated management network separate from the internal management network.

Sounds like you are suggesting that if there is a dedicated management network on the DMZ, there should be a separate vCenter on the DMZ as well.

The other option is to lock down communication between an internal vCenter and the DMZ hosts.
