Author | Topic
dcslick
Here To Stay
USA
279 Posts
Status: offline
Posted - 01/20/2012 : 1:16:32 PM
Hello,
We recently purchased a new Hyper-V server. One of the reasons for this purchase was to build a new Magento shopping cart and replace our existing one on the web side of our network. The other reason was to be able to add additional production servers on the new Hyper-V server. So for now we only have one guest, which is the Magento server on the new Hyper-V box. I was under the impression that we were only hosting the Magento server on the Hyper-V environment for testing and would then replace our existing web side, which is all physical servers, with the Magento solution. I have now been told that is not the plan. We have multiple VLANs set up on our network, including for the web side and production side of the network. As of now the Hyper-V server is on our production VLAN. I was told today that I need to make the Magento server hosted on the new Hyper-V server face outside the network. So here are my issues. I want to keep the production side and web side on separate VLANs. Since the boss is insistent on being able to have the Magento server and other production servers hosted on the Hyper-V, I am concerned about security. First of all, is it even smart to host servers from our production side and web side on the same Hyper-V server? And if so, do I need to purchase a new NIC to add to the Hyper-V box so it can connect to the other VLAN? I hope this makes sense, since I am a little confused myself. Any thoughts or opinions would be much appreciated.
Thanks ~DC
~DC
Isaac
Here To Stay
USA
208 Posts
Status: offline
Posted - 01/20/2012 : 2:13:14 PM
It does make sense. It's not the best from a security standpoint, but it's widely acceptable to run production and semi-dev environments (VMs) on the same host. You must use separate NIC cards for each network (production, dev/private, management). It is highly desirable to have at least 4 NIC ports on a host server. We just placed an order for a server with a total of 10 NIC ports. In short, ensure that you do NOT select "Allow management operating system to share this network adapter" while setting up the new virtual switch on the physical NIC card connected to your production/external physical switch (VLAN).
See if this helps you: http://blogs.technet.com/b/mrsnrub/archive/2009/12/06/hyper-v-virtual-networks.aspx Also, I would highly recommend heading over to Aidan's blog (http://www.aidanfinn.com/) and reading all the stuff related to Hyper-V.
Edited by - Isaac on 01/20/2012 2:17:45 PM
Playwell
Honorable But Hopeless Addict
Netherlands
4822 Posts
Status: offline
Posted - 01/20/2012 : 2:29:51 PM
If you can switch to VLAN tagging, it makes the environment so much more flexible than separate NICs.
'People who think they know everything are a great annoyance to those of us who do.' Quote by Isaac Asimov
dcslick
Here To Stay
USA
279 Posts
Status: offline
Posted - 01/20/2012 : 5:52:42 PM
Thank you very much for the replies Isaac and Playwell. I really appreciate it. I will research the options including VLAN tagging.
Thanks again, DC
~DC
joe_elway
Honorable But Hopeless Addict
Ireland
7397 Posts
Status: offline
Posted - 01/21/2012 : 07:57:10 AM
Some of the best guidance on this from MSFT is (implied) in the virtualisation recommendation for Forefront TMG. You absolutely can use a combination of VLAN ID (tag) and firewall rules to run many different firewalled VMs on a single host and even on a single NIC. Should you?
The Hyper-V virtual network is secure. You cannot hop VLANs on it. However, if you introduce NIC teaming from a 3rd party then the guidance can change. You MUST read the NIC teaming documentation that is relevant to the version of NIC teaming that you install. BTW, always install the latest one you can find when deploying the host, and then test the crap out of it. I'm looking forward to Win 8 native NIC teaming.
Here's my recommendation for host NICs:
1 NIC: parent
1 (or more) NIC: internal VMs
1 (or more) NIC: external VMs
Physical isolation of external-facing networks protects internal-facing ones from external influences, e.g. DDoS. DDoS happens more often than you would think, and it happens to SMEs too because they are less capable of defending themselves from blackmail attacks. Being in some hosting data center is no protection either ... they usually charge a fortune for "protection" against DDoS cos the devices are expensive.
In an ideal world you'll have separate hosts in the DMZ, but not everyone has the scale to justify that.
Aidan Finn MCSE, MVP (Virtual Machine)
IT Blog: http://www.aidanfinn.com My Photography: http://www.aidanfinnphoto.com/ Books: WS2012 Hyper-V Installation & Config Guide, MSFT Private Cloud Computing Twitter: http://twitter.com/joe_elway
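Putting Isaac's "do not share the adapter with the management OS" advice and joe_elway's parent / internal / external NIC layout (with Playwell's VLAN tagging) into a script, as an added example that is not from any poster in this thread. It assumes the Hyper-V PowerShell module (Windows Server 2012 or later); the NIC names, VM names and VLAN IDs are placeholders.

```powershell
# Added example, not from the thread. Placeholder NIC names: the management
# NIC "NIC-Mgmt" stays unbound (the parent partition uses it directly, so no
# VM traffic can ever share it); "NIC-Internal" and "NIC-External" each get
# their own virtual switch.

# Switch for internal (production) VMs. -AllowManagementOS $false keeps the
# host off this switch, the checkbox Isaac says to leave unticked.
New-VMSwitch -Name "vSwitch-Internal" -NetAdapterName "NIC-Internal" -AllowManagementOS $false

# Switch for external (web/DMZ-facing) VMs on its own physical NIC, so a flood
# against the web side cannot saturate the production or management paths.
New-VMSwitch -Name "vSwitch-External" -NetAdapterName "NIC-External" -AllowManagementOS $false

# Web-facing VM: external switch, access-mode tag for the web VLAN.
# VLAN IDs 10 (web) and 20 (production) are placeholders for the site's own.
Connect-VMNetworkAdapter -VMName "Magento" -SwitchName "vSwitch-External"
Set-VMNetworkAdapterVlan -VMName "Magento" -Access -VlanId 10

# Production VM: internal switch, tagged for the production VLAN.
Connect-VMNetworkAdapter -VMName "ProdApp01" -SwitchName "vSwitch-Internal"
Set-VMNetworkAdapterVlan -VMName "ProdApp01" -Access -VlanId 20

# Checks a practitioner would run afterwards:
# 1. neither switch exposes the management OS (AllowManagementOS = False)
Get-VMSwitch | Select-Object Name, SwitchType, AllowManagementOS
# 2. the host has no virtual NIC on either switch (expect no output here)
Get-VMNetworkAdapter -ManagementOS
# 3. each VM carries the VLAN tag it was given
Get-VMNetworkAdapterVlan -VMName "Magento", "ProdApp01"
```

The physical switch ports behind NIC-Internal and NIC-External still have to be configured as trunks carrying only the VLANs each side is allowed to see; the host-side tag does not enforce that on its own.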