ESXi network setup for isolated internal virtual machines

security tcpip vmware-esxi vmware-vsphere virtual-machines

Using ESXi v5.1 and vSphere, my networking is setup like so:

  • One standard Switch: vSwitch0
  • vSwitch0 has one uplink physical adapter (Internet connected)
  • vSwitch0 VM Network has 3 virtual machines (Web Accessible)

I'd like to add several "internal" VMs that are accessible only to the 3 Public facing VMs that are currently on vSwitch0. How should I do this? I know I could add a another "internal" vSwitch that is not bound to a physical uplink, then employ a "gateway" VM that is dual-homed, but it seems there should be an easier way. Can I accomplish this strictly with a networking setup? If so, how?

(Please feel free to use whatever IP scheme you need to illustrate your answer)

Thanks much!


Solution 1:

  1. ESXi 5.1 and vSphere are synonomous. They are the same thing. I prefer to call it vSphere since that's what VMware calls it.

  2. Create a new vSwitch for the internal VM's. Do not bind this vSwitch to a physical NIC.

  3. Connect the internal VM's to this internal vSwitch.

  4. Add a new vNIC to each external VM and connect it to the "internal" vSwitch.

  5. Configure the internal vNIC appropriately on each VM so that they're all on the same internal subnet (whatever RFC1918 address range you choose to use).

Now each external VM is multihomed and will have a connection to both the external and the internal network and should be able to communicate on the internet as well as to the internal VM's.

Of course, this is just one of the possible ways to do this.

Solution 2:

Associating a port-group to a vSwitch does not necessarily give it upstream network access. The upstream device has to have a corresponding interface with a like configure IP/subnet for those devices to talk to.

Create an "internal only" port group. Give each virtual machine needing access to the uplink network and the internal network a second NIC that faces internal.

How it would look:

Router: 192.168.0.1/24

ESXi Host: 192.168.0.2/24

Public Server 1:

NIC1: Assign to existing "VM Network" port group. IP 192.168.0.11/24, Default Gateway 192.168.0.1

NIC2: Assign to "Internal Only" port group 172.16.0.11/24, No Default Gateway

Public Server 2:

NIC1: Assign to existing "VM Network" port group. IP 192.168.0.12/24, Default Gateway 192.168.0.1

NIC2: Assign to "Internal Only" port group 172.16.0.12/24, No Default Gateway

Public Server 3:

NIC1: Assign to existing "VM Network" port group. IP 192.168.0.13/24, Default Gateway 192.168.0.1

NIC2: Assign to "Internal Only" port group 172.16.0.13/24, No Default Gateway

Internal Only Server 1:

NIC1: Assign to "Internal Only" port group 172.16.0.21/24, No Default Gateway

Internal Only Server 2:

NIC1: Assign to "Internal Only" port group 172.16.0.22/24, No Default Gateway

Internal Only Server 3:

NIC1: Assign to "Internal Only" port group 172.16.0.23/24, No Default Gateway

Related

How many iptables block rules is too many
Couldn't execute 'show events' on mysqldump
kinit & pam_sss: Cannot find KDC for requested realm while getting initial credentials
Limit ssh to local network, except for the git user
How to remove all messages from exim mail queue from a certain user/email
Serial Over LAN on FreeBSD 10.0 with SuperMicro X9-SCM-F
Windows Server - "Not enough storage available error"
Can not truncate / clear error.log on apache, but can do it manually with nano
Where does a firewall application fit into the software stack?
tail all log files in a directory | exclude zipped files
How can I suppress Postfix anvil statistics from system logs?
What SSL Certificate works WITHOUT an intermediate certificate?