VMware Solutions Discussions

Segmentation for VMware workloads

sonyf
4,129 Views

Hi there, we have been using our NetApp Filer FAS for a couple of years, and I'm looking for design ideas on how we can include this new use case.  We have a customer coming in that will want 4 different environments with similar applications in each environment.  We are going to use portgroups/VLANs on that segment to have them access their volumes on NetApp.  I think we will have both NFS mounts for Oracle filesystems, and they will also have some CIFS shares.  I believe that the current NFS is v3.  So I'm trying to come up with an architecture where each environment can access file mounts on the NetApp.  I thought about using SVMs, but I'm wondering if that is overkill for what I'm trying to protect against.  We will still end up managing these NetApp volumes, so they will not have separate admins on each volume.

I know that I could do it with firewall rules so that all traffic leaving the segment in vSphere can only talk to a particular LIF on the NetApp.  Then we could use export policies for the NFS workload, and for CIFS, there would have to be access based on which environment the request is coming from.  I believe they will have an AD per environment, so that will make it easy.

When I talk about protecting against... my concerns are that VMs in one environment cannot mount shares/volumes on the wrong NetApp mount point.  I don't want development VMs writing to production data on NetApp.  I want to keep the policies pretty generic so that I don't have to do much on the VMs (if possible).  I would like to hear what some of the better ways are to control access into a NetApp from a multi-tenant VMware environment.

I've tried to provide a rough picture of how it would look.

Thanks.

Sony,

1 ACCEPTED SOLUTION

asulliva
4,122 Views

If each "environment" has a different AD domain, then you will need multiple SVMs.  Beyond that, assuming each environment is using a different subnet, configure the export rules to only allow connections from the appropriate subnet.

Andrew

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
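The subnet-scoped export rules from the answer above, as an added Python model (not code from this thread or from NetApp): it evaluates rules the way ONTAP does, lowest ruleindex first, first matching clientmatch wins, and no match means the mount is denied, then audits which environments end up with write access to which volumes. The subnets, volume names and policy names are constructed; the field names mirror the ONTAP parameters clientmatch, rorule and rwrule, and volume names are assumed to start with the environment that owns them.

```python
# Added example (not from the thread): model ONTAP-style NFS export policies
# and audit which environment subnets can write to which volumes.
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    index: int          # ONTAP -ruleindex; rules are evaluated lowest index first
    clientmatch: str    # ONTAP -clientmatch, here a CIDR subnet
    rorule: str         # "sys" or "never"
    rwrule: str         # "sys" or "never"

# Constructed environment subnets for the four tenants (assumed values).
ENVS = {"prod": "10.10.1.0/24", "dev": "10.10.2.0/24",
        "test": "10.10.3.0/24", "uat": "10.10.4.0/24"}

# Constructed policies. "prod_open" is the weak form: any client gets rw.
# "prod_scoped" is the corrected form from the answer: only the prod subnet
# matches a rule; every other client falls through and is denied.
POLICIES = {
    "prod_open":   [Rule(1, "0.0.0.0/0", "sys", "sys")],
    "prod_scoped": [Rule(1, "10.10.1.0/24", "sys", "sys")],
    "dev_scoped":  [Rule(1, "10.10.2.0/24", "sys", "sys")],
}
VOLUMES = {"prod_oracle": "prod_scoped", "dev_oracle": "dev_scoped",
           "prod_legacy": "prod_open"}   # assumed volume -> policy mapping

def access(policy, client_ip):
    """Return 'rw', 'ro' or 'none' for client_ip: first matching rule wins."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(policy, key=lambda r: r.index):
        if ip in ipaddress.ip_network(rule.clientmatch, strict=False):
            if rule.rwrule == "sys":
                return "rw"
            return "ro" if rule.rorule == "sys" else "none"
    return "none"   # no rule matched: the export denies the client

def audit(volumes=VOLUMES, policies=POLICIES, envs=ENVS):
    """List (volume, env) pairs where a foreign environment gets write access."""
    findings = []
    for vol, pol in volumes.items():
        owner = vol.split("_")[0]   # assumed naming: <env>_<purpose>
        for env, subnet in envs.items():
            probe = str(ipaddress.ip_network(subnet)[1])  # first host in subnet
            if env != owner and access(policies[pol], probe) == "rw":
                findings.append((vol, env))
    return findings
```

Running audit() on the constructed data flags only prod_legacy, the volume still on the open policy, for each of the three non-production subnets.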

2 REPLIES

sonyf
4,072 Views

Andrew,

Thanks for the response.  So if we have different ADs for each env, then we should segment by SVM.  Otherwise, if we are just talking about NFS mounts and a single AD environment, then we could get away with a single SVM.

Sony,