Hardware requirements for 100 virtualized high performance Windows 7 desktops?
We are debating whether to add Client Hyper-V or VMware Player Pro to new Windows 10 desktops later this year and have our developers run their developer tools in a Windows 7 VM on their local desktop. For security reasons, they will not have admin rights on their local workstation, which will only be used to host their VM(s) and for office work not requiring admin rights (such as email, web, Microsoft Office etc.).
The developers would have admin rights on the VMs instead. The VMs would be on an isolated network VLAN and AD domain with no Internet access and no direct file transfer or network access between the VM and host. The users will do all their development and testing inside the VMs.
I have not been able to find a true virtual machine "player" that only allows using existing VMs and not creating new ones when installed on a workstation.
Client Hyper-V does not work at all unless the users have either local admin rights on the host machine or are members of the Hyper-V Administrators group, which allows them unlimited configuring of VM settings, which will make it pretty simple for them to get around restrictions even without admin rights on the host. VMware Player is not just a player. It also allows creating new VMs even without admin rights.
Is there any alternative VM software that allows use of existing VMs on their local workstation, but not adding or reconfiguring VM hardware?
If that cannot be done, how can we build a highly available virtual server in Hyper-V that would have the performance needed for heavy software development, long queries and builds and debugging etc.? Many of the developers work with 10 or more applications running at the same time and have 16GB RAM on their current systems.
So, I would guess we would need 2 very powerful servers with a huge amount of RAM to run 100 high memory VMs simultaneously and some kind of virtual SAN. It will also need the disk space and I/O to handle 100 busy workstation VMs.
If there were 100 VMs, we could run 50 on each in a 2 member failover cluster. If one goes down, the other would need to be able to handle the load of all 100 without a problem. We could also do planned live migrations to do maintenance such as Windows Update reboots on the hosts. We would then need SCVMM to manage them and assign private cloud access to the users so they can access the VMs and also create/revert checkpoints on their software testing VMs.
Since we have limited money, what would be a cost effective hardware design that could make this work (server specs etc.) and what ballpark price range would we expect to pay using hardware from a manufacturer like Dell or HP etc.?
If the costs are astronomical, we would then go back to the plan of adding VMs locally on workstations and try to find ways to restrict the users from creating unauthorized VMs.
How about turning this around:
The workstations are in a secured LAN, Internet access is restricted with a proxy to a number of white-listed sites that developers need - like StackExchange :). Developers have admin rights on the workstations.
For all other needs, they can connect to a VM and have (external) e-mail and possibly full Internet access, but no access to the work related data.
This way, the needed performance of VMs is significantly lower. Perhaps also the number of them is lower. Perhaps you can assign VMs dynamically as they are needed.
Hardware requirements depend heavily on needed performance, but I'd personally go with around 10 cheap nodes with an 8-core CPU, 32 GiB RAM and a very fast SSD RAID each - and fairly automated maintenance. This is for the case where the VM is not the main workstation but the auxiliary machine.
IIUC, your concern here is the security and safety of the code and documentation and you would like to have a system where you don't have to trust developers (too much).
I have a very similar task for a client of mine, just it's CAD instead of software development. For a big part, this is a social problem that we're trying to solve with technical means.
How can developers efficiently work without constant and convenient access to programming related sites and the StackExchange family? :)