I need to restrict a couple of virtual machines from LAN access in my vCenter, so they can't access any other LAN resources except for a few locations. The only thing that comes to mind at the moment is to create a separate vSwitch and assign these VMs to it, even with a dedicated physical port.

Are there any other options I can use?

  • I'm confused about the "except for a few locations". Does this mean that your VMs need to reach some computers on your network, but not others? Commented Jun 16, 2017 at 23:00

3 Answers

The equivalent to VLANs in physical switches are port groups in vSphere. Create a new port group without physical NICs for your isolated VMs and they can only communicate with each other.

If you want the port group to communicate with the real world, add a physical NIC and the appropriate VLAN tagging, enabling the port group to talk to this exact VLAN.

You can also use a VM to route/filter traffic for your purely virtual port group by connecting one NIC to the internal port group and another to a port group with VLAN connectivity. Obviously, that VM needs to run some kind of routing/firewall or proxy software.
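The port-group approach from this answer, as an added PowerCLI example (not the answerer's own code); the host name, VM names, switch and port group names and VLAN ID are assumed values:

```powershell
# Added example (PowerCLI). Assumed names: host "esx01.example.local",
# VMs "app-iso-01"/"app-iso-02", switch "vSwitch-Isolated", VLAN 250.
Connect-VIServer -Server "vcenter.example.local"

$esxHost = Get-VMHost -Name "esx01.example.local"
$vmNames = @("app-iso-01", "app-iso-02")

# 1. Standard vSwitch with no physical uplinks: frames cannot leave the host.
$vSwitch = New-VirtualSwitch -VMHost $esxHost -Name "vSwitch-Isolated"

# 2. Port group on that switch. The VLAN ID has no effect while there is no
#    uplink; it is set now so the tag is already correct if an uplink is
#    added later to grant access to one specific VLAN.
$pg = New-VirtualPortGroup -VirtualSwitch $vSwitch -Name "PG-Isolated" -VLanId 250

# 3. Move every network adapter of the listed VMs onto the isolated port group.
foreach ($name in $vmNames) {
    Get-VM -Name $name | Get-NetworkAdapter |
        Set-NetworkAdapter -NetworkName $pg.Name -Confirm:$false
}

# 4. Verify: the switch must report no uplink NICs, and every adapter of the
#    isolated VMs must sit on PG-Isolated and nowhere else.
$uplinks = (Get-VirtualSwitch -VMHost $esxHost -Name "vSwitch-Isolated").Nic
if ($uplinks) {
    throw "vSwitch-Isolated has uplinks: $($uplinks -join ', ')"
}

foreach ($name in $vmNames) {
    $stray = Get-VM -Name $name | Get-NetworkAdapter |
        Where-Object { $_.NetworkName -ne "PG-Isolated" }
    if ($stray) {
        throw "$name still has adapters on: $($stray.NetworkName -join ', ')"
    }
}
Write-Host "Isolation verified on $($esxHost.Name)"
```

The verification step is the part worth keeping in a scheduled check, since a later edit that adds an uplink or moves a vNIC silently undoes the isolation.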


I'm not sure what you're trying to do. I understand it like this: You have a VM A in VLAN X and a VM B in VLAN X and you want to restrict network access between them, correct? Well, if they are in the same VLAN there's nothing ESXi itself can do to stop communication. Different virtual switches won't help: VM A -> vSwitch A -> physical network -> vSwitch B -> VM B. Basically, that's what being in the same VLAN means: Machines can access each other directly.

The best way to do it in the hypervisor is probably NSX, but that's a costly option. As an alternative you could put the VMs in different VLANs and put a firewall between them. Or you can use Private VLANs and ACLs on your physical switches to restrict network traffic.

  • In VMware speak (in vSphere) you want a new vSwitch to be sure your VLANs are truly separate. Commented Jun 16, 2017 at 20:56
  • @quadruplebucky There's no separation with different virtual switches; if it's the same VLAN it's the same VLAN: VMs will be able to communicate across virtual switches if they are in the same network. If you connect two physical servers to two different physical switches they can talk to each other if they're in the same VLAN, so why should it be different with VMs? Commented Jun 16, 2017 at 21:23

If you have to isolate those VMs from LAN access, what you've described is one way to do it: the VMs can't be attached to any vSwitch that's attached to any physical port that's attached to the LAN.

I don't know what your requirements are but I've seen deployments where a limited staging or dev environment was set up behind a dedicated firewall VM, so that management didn't have to get too nervous about whatever they were nervous about, but there are other ways of isolating VMs yet still permitting them some network access.
