Virtual Machine isolation in vCloud director
jibbajabba
Member Posts: 4,317 ■■■■■■■■□□
I am just wondering, does anyone know of any other (firewall) products which work on the virtual switch level apart from the Nexus and vShield Edge?
While the Nexus seems to do the job, it isn't quite suitable in our environment (can't really go that deep into details here as it would be just too long / complicated to explain).
Today I looked into vShield Edge ... while it seems to do what it says on the tin, the problem is when you have customers (we are a service provider) with just a single VM.
When using the isolation mode it means each customer (even with single VMs) will have to get a private IP range obviously, which I guess isn't the biggest issue (although it will be overkill); each customer will also need at least 2 public IPs if 1-to-1 NAT is required.
On top of the 2 public IPs, you have the memory overhead and license costs. As a service provider using VSPP3, you basically pay for the RAM allocation of the vShield Edge appliance (at least 256MB) plus the license implications ... adding "Edge" for example adds x amount of points to the per-GB-of-RAM pricing.
I just don't want to imagine 1000 customers with a single VM and 1000 vShield Edge appliances (eeek).
Are there any other solutions which don't cost an arm and a leg? I have seen that the Checkpoint appliances for example (don't know pricing yet) work on port groups, so you get one incoming and one outgoing port group --- that port group could easily be used as a direct connection to the External Network, but it probably isn't quite affordable ...
Plus we need to be able to gain access to SOME SORT of API in order to create / change firewall rules through a web interface ...
Oh man, I hope my jibbajabba makes sense and people actually understand what I am talking about.
My own knowledge base made public: http://open902.com
Comments
dave330i
Member Posts: 2,091 ■■■■■■■■■■
Have you looked into PVLAN to isolate VMs from each other vs. using a firewall/VM?
2018 Certification Goals: Maybe VMware Sales Cert
"Simplify, then add lightness" -Colin Chapman
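To make the PVLAN suggestion concrete, here is an added example (not code from the thread or from VMware) that models the three private-VLAN port types, promiscuous, isolated and community, and checks whether a given layout lets any two tenants reach each other at layer 2. The scenario it exercises is the one the original poster describes: many single-VM customers sharing one isolated secondary VLAN behind a single provider gateway on the promiscuous port, instead of one vShield Edge per customer. All VM names, tenant names and VLAN ids are constructed; the model only encodes the standard PVLAN reachability rules and does not talk to vSphere.

```python
"""Reachability model for private-VLAN (PVLAN) port types.

Added example, not part of the original thread. Encodes the standard PVLAN
rules: a promiscuous port talks to every port in the primary VLAN, an
isolated port talks only to promiscuous ports, and a community port talks
to promiscuous ports plus other ports in the same community (secondary)
VLAN. All names and VLAN ids are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


class PortType(Enum):
    PROMISCUOUS = "promiscuous"   # shared gateway / firewall / provider services
    ISOLATED = "isolated"         # single-VM tenant: must see only the gateway
    COMMUNITY = "community"       # multi-VM tenant: may see its own community


@dataclass(frozen=True)
class Port:
    name: str
    tenant: str
    ptype: PortType
    secondary_vlan: int
    primary_vlan: int = 100       # constructed primary VLAN id


def can_reach(src: Port, dst: Port) -> bool:
    """True if layer-2 traffic from src can reach dst under PVLAN rules."""
    if src.primary_vlan != dst.primary_vlan:
        return False                      # different primary VLAN: no path at all
    if PortType.PROMISCUOUS in (src.ptype, dst.ptype):
        return True                       # promiscuous ports see everyone
    if PortType.ISOLATED in (src.ptype, dst.ptype):
        return False                      # isolated ports see only promiscuous ports
    return src.secondary_vlan == dst.secondary_vlan   # community: same secondary VLAN


def cross_tenant_leaks(ports):
    """Return (a, b) name pairs where two different tenants can reach each other.

    Reachability via the provider's promiscuous port is expected and not
    counted; that port is where per-tenant firewalling still has to happen.
    """
    leaks = []
    for a, b in combinations(ports, 2):
        if a.tenant == b.tenant:
            continue
        if PortType.PROMISCUOUS in (a.ptype, b.ptype):
            continue
        if can_reach(a, b):
            leaks.append((a.name, b.name))
    return leaks


# Constructed provider gateway: promiscuous, secondary id equals the primary id.
GATEWAY = Port("provider-gw", "provider", PortType.PROMISCUOUS, secondary_vlan=100)


def single_vm_tenants(count, isolated_vlan=200):
    """One isolated port per single-VM customer, all on one secondary VLAN."""
    return [Port(f"vm-{i}", f"tenant-{i}", PortType.ISOLATED, isolated_vlan)
            for i in range(count)]


if __name__ == "__main__":
    layout = [GATEWAY] + single_vm_tenants(1000)
    print("gateway reaches vm-0:", can_reach(GATEWAY, layout[1]))
    print("vm-0 reaches vm-1:  ", can_reach(layout[1], layout[2]))
    print("cross-tenant leaks: ", cross_tenant_leaks(layout))
    # Misconfiguration: two tenants placed in the same community VLAN.
    shared = [Port("c-web", "tenant-c", PortType.COMMUNITY, 300),
              Port("c-db", "tenant-c", PortType.COMMUNITY, 300),
              Port("d-web", "tenant-d", PortType.COMMUNITY, 300)]
    print("leaks in shared community:", cross_tenant_leaks(shared))
```

The model shows what the PVLAN answer buys and what it does not: the 1000 single-VM customers on one isolated secondary VLAN cannot reach each other at layer 2 without any per-customer appliance, but every one of them can reach whatever sits on the promiscuous port, so the shared gateway there becomes the single enforcement point for the per-customer rules the poster wants to manage through an API. The second layout demonstrates the common mistake of reusing a community VLAN across tenants, which the check flags.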