VMware Solutions Discussions

NFS Security and Separation with VMWare


In designing a new infrastructure for VMWare (see my earlier post).

Two advantages of NFS that particularly appealed to me (above not having to manage LUNs):

  • Being able to share filesystems between VMs (we already do a similar thing with Solaris Zones where areas such as /usr are mounted read-only from a master copy).

  • Being able to manage all the files of different VMs under one tree as an admin, rather than having them hidden inside VMDKs.

How practical is this with VMWare + NetApp? I am concerned that ESXi and the individual VMs would both be accessing the same Filer? Is it enough to separate them using vLANs?




I'm afraid it doesn't quite work as you described. Even with NFS the individual VMs are still contained within VMDK files. Their files are not directly visible on the NFS file system. What NFS does bring you though is;

-Automated Thin provisioning. That is, a VM will only consume the amount of space it actually requires. With FC or ISCSI the VMDK files are usually pre provisioned so the VM will consume it's maximum disk space right from the start.

-Visible deduplication savings, with NFS you can see, from Virtual Center, the space you have regained from NetApps deduplication. This means you can immediately use that space and deploy additional VMs

-Snapshots, with NFS you can restore individual VMs from snaps shots without copying the VM, just using the metadata of the file

For their disk files the VMs access the NetApp using the VMware layer only. If however you wanted some shared space, say a NFS volume for your Linux VMs or a CIFS share for your Windows VMs then yes you certainly could set up a separate VLAN if you wanted to separate the VM traffic from the VMware traffic.



I understand that the VM itself has to come from a VMDK, but I don't understand why I can't just mount parts of the filesystem at boot over NFS. For example, /usr or /home as we would do on a non-virtualizard server. Am I missing something?

I have read about thin provisioning, though it does seem a shame that thin provisioning isn't maintained when cloning through VMWare.



You can certainly do that. The VM would boot off of the NFS datastore mounted to the VMware hosts then the VM could connect to a shared NFS folder for user data. The user data would be a different NFS volume and would likely be on a separate VLAN. Very standard setup and easy to do with a NetApp. Dedupe is going to help you on both volumes as user data will likely have a high amount of redundancy as well.



I've thought of a follow up question. Is it possible to implement security using ONTAP with NFS on a per-network-port basis?

e.g. could we say that connections on network port 1 can only see volume a, b and c and connections on network port 2 can only see volumes d, e and f? If the answer is yes, how robust is this security?

All the connections I'm referring to would be NFS.


Hey Will,

Networking is not my strong area so hopefully some one else will pitch in. This certainly can be done and in fact done is a couple of different ways. You can restrict a NFS share by subnet and even down to per host access. You also can leverage a capability of the NetApp device called Multistore. With Multistore, imagine VMware was running on the storage device and on ESX you had VMs. Each VM was a NetApp device. Now it isn't of course VMware but the concept is the same. You can create virtual NetApp controllers, assign them storage and network ports and manage them as completely different storage arrays. Handy for what you are asking or if you wanted the NetApp device to belong to multiple Windows Domains.

As for how secure is it? I am not sure how to answer that technically but we have customers in all levels of government using this technology. Again hopefully someone network security savy will step in.

You can get more info in TR-3462 in the NetApp library.



Hi Will,

Depends on exactly what you're trying to achived but there are two options that come to mind with regards to NFS security isolation.

The 1st, is leveraging the IP-based security inherent with NFS. For example:

netapp1> exportfs
/vol/datastore1 -sec=sys,rw=,root=
/vol/datastore2 -sec=sys,rw=,root=

The 2nd, is leveraing the "MultiStore" capabilities, which create completely separate virtual NetApp controllers within a single physical controller (like VMs within a physical server). The security with "MultiStore" is extremely high, and is used, for example, by our large service provider customers to create storage as a service for completely different/separate customers.

Here's a link to more information on "MultiStore" - http://www.netapp.com/us/products/platform-os/multistore.html

Here's a link to third-party security audit of the "MultiStore" - http://media.netapp.com/documents/wp-multistore-analysis.pdf

Hope that helps,



Great. Thanks for your advice.

Oddly I don't seem to be able to say this question is answered or award points for it.

NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.