Hi, I have a requirement to set up a virtualised inner and outer DMZ. Two vSphere 5.1 servers will be used, one for each DMZ. The vSphere servers have 6 physical NICs each.
The outer DMZ ESXi server will host web servers for internet users, and the inner DMZ ESXi server will host application servers (accessed via the web server).
The planned configuration is:
Internet ---> External Firewall --> ESXi server with web server VMs --> Internal Firewall --> ESXi server with application VMs --> Internal corporate network
This is the first time I've set up a DMZ, and I'm unsure about the set-up. I'd like to ascertain the design for physical NICs, vSwitches, portgroups, and vNICs for VMs. Can you comment on the following proposed design and questions?
(1) External ESXi server
- 3 pnics for vswitch0; for vmware management portgroup (PG). These nics are connected to the internal physical switch & firewall
- 3 pnics for vswitch1; for Outer DMZ portgroup. These nics are connected to the external physical switch & firewall
(2) External web server VM
- 1 vnic connected to the Outer DMZ portgroup
- How does this VM route traffic to the internal DMZ application servers? Does it require an additional vnic with a gateway configured, if so on what PG?
(3) External ESXi server
- 3 pnics for vswitch0; for vmware management portgroup (PG). These nics are connected to the internal physical switch
- 3 pnics for vswitch1; for Inner DMZ portgroup. These nics are connected to the internal physical switch & firewall
(4) Internal application VMs
- 1 vnic connected to the Inner DMZ portgroup
- How does the application communicate with the webserver VM on the external DMZ? Does it require an additional vnic with a gateway configured, if so on what PG?
(5) Separate VLANs as detailed below:
- External ESXi
  - VLAN for vmware management
  - VLAN for Outer DMZ
  - VLAN for vmware management
- Internal ESXi
  - VLAN for vmware management
  - VLAN for Outer DMZ
  - VLAN for vmware management
(6) Possible requirement - both the web server and application servers to be accessible from the corporate network - how best to achieve this?
Thanks
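To make the layout proposed in items (1), (3) and (5) concrete, here is an added PowerCLI example; it is not code from the original post or from VMware. It tags the default management port group on vSwitch0, builds vSwitch1 on three dedicated uplinks with a VLAN-tagged DMZ port group, and sets the vSwitch security policy to reject promiscuous mode, MAC changes and forged transmits so that one compromised DMZ guest cannot sniff or spoof its neighbours. The host name, vmnic numbers, port-group names and VLAN IDs are assumed placeholders; the same script with the Inner DMZ values applies to the second host.

```powershell
# Added example (not from the original post): PowerCLI sketch of the
# two-vSwitch layout in items (1), (3) and (5). Host name, vmnic numbers,
# port-group names and VLAN IDs are assumptions/placeholders.
param(
    [string]$EsxHost   = "esxi-outer.example.local",   # placeholder host name
    [string]$DmzPgName = "Outer DMZ",                   # use "Inner DMZ" on the second host
    [int]$MgmtVlan     = 10,                            # assumed VLAN IDs
    [int]$DmzVlan      = 20
)

Connect-VIServer -Server $EsxHost | Out-Null
$vmhost = Get-VMHost -Name $EsxHost

# vSwitch0 already exists with the "Management Network" port group; tag it so
# management traffic never shares a broadcast domain with the DMZ.
$vs0 = Get-VirtualSwitch -VMHost $vmhost -Name "vSwitch0"
Get-VirtualPortGroup -VirtualSwitch $vs0 -Name "Management Network" |
    Set-VirtualPortGroup -VLanId $MgmtVlan | Out-Null

# vSwitch1 gets its own three uplinks (no NIC shared with vSwitch0), so the DMZ
# segment is separated from management at the cable level, not only by VLAN tag.
$vs1   = New-VirtualSwitch -VMHost $vmhost -Name "vSwitch1" -Nic vmnic3,vmnic4,vmnic5
$dmzPg = New-VirtualPortGroup -VirtualSwitch $vs1 -Name $DmzPgName -VLanId $DmzVlan

# Harden the DMZ switch: a guest on this switch cannot see other VMs' frames
# or transmit with a MAC address other than the one vSphere assigned it.
Get-SecurityPolicy -VirtualSwitch $vs1 |
    Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null

# Quick check: each vmnic should belong to exactly one vSwitch, and
# vSwitch0/vSwitch1 should never share an uplink.
foreach ($vs in Get-VirtualSwitch -VMHost $vmhost) {
    "{0}: uplinks {1}" -f $vs.Name, ($vs.Nic -join ",")
}

Disconnect-VIServer -Server $EsxHost -Confirm:$false
```

Run it once per ESXi host, passing `-DmzPgName "Inner DMZ"` and the inner VLAN ID for the second host; the printed uplink list is the place to confirm that the management and DMZ switches really do end up on disjoint physical NICs.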