04-13-2016 09:21 PM
Hey folks,
Can someone point me to a "best practice" design guide or white paper for making the physical connections to a vSphere cluster that will run a VM-200 virtual appliance? I'm only seeing configuration guides on deploying and setting up the VM on a vSphere host but nothing on how best to make the physical connections to the hosts, especially a VM farm cluster. We have a 50Mb Internet connection at a remote location where we are replacing a low-end SOHO type firewall with a VM-200. We are setting it up in a 2 node vSphere cluster that will only house externally facing VMs (VMs also are available for internal users so). So one vmnic will connect to the ISP's connection, another will be the DMZ and the third will be the LAN side. The question is how best to physically connect everything so that in the event one of the ESXi hosts goes down, vSphere HA can power the VM-200 up on the other host and all the connections will be there.
My initial "design" is to use three physical switches: bring the ISP's connection to a switch and make two vSphere vmnic connections to that switch, with security on the ports so that only those ports can communicate with each other. Then make a second vmnic connection from both hosts to a DMZ switch which will have DMZ VMs on it (web servers and so on), and then finally a third switch which will be on the LAN side. Is this a good way to do it? Overkill?
Or I suppose by using VLANs and port ACLs, I could use a single switch but is that a "best practice"?
IIUC, traffic inbound would then flow from ISP >> WAN switch >> host1 or host2 >> PA-200 >> DMZ switch >> DMZ target and then for internal access to DMZ resources it will flow from LAN >> host1 or host2 >> PA-200 >> DMZ switch >> DMZ target. In all cases, traffic does not get to DMZ without going through the PA-200 and traffic leaving the DMZ returning to WAN or LAN also goes through the PA-200.
PA-200 will have the following vNICs:
- vNIC1 = WAN
- vNIC2 = DMZ
- vNIC3 = LAN
- vNIC4 = Management
Each vSphere host will have the following physical NICs:
- vmnic0 = Host management network
- vmnic1 = WAN
- vmnic2 = DMZ
- vmnic3 = Internal LAN
Each vSphere host will have the following vSwitches:
- vSwitch0 = Management
- vSwitch1 = WAN
- vSwitch2 = DMZ
- vSwitch3 = LAN
I'm new to Palo Alto and may not be understanding a lot, so any pointers to documentation or diagrams on connectivity as described above would be helpful. I also realize that this is heavy on the vSphere side, but I'd hate to make a bone-headed mistake and expose our network to risk by not asking the question. I also hope I have complicated a simple deal!
Thanks in advance!
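The two properties the question hinges on are that every host in the cluster offers the same port groups (so vSphere HA can restart the firewall VM with all four vNICs connected) and that the WAN, DMZ and LAN segments never share a broadcast domain on a host (so nothing reaches the DMZ except through the firewall). The following script is an added example, not code from the post or from Palo Alto Networks or VMware: it encodes those rules as a checker over a per-host inventory. The inventories are constructed to mirror the three-switch layout above and the single-switch VLAN variant; in practice the same structure would be filled from PowerCLI or pyVmomi output. The host names, vSwitch layouts and VLAN IDs are assumptions.

```python
"""Design-consistency check for a two-node vSphere cluster that hosts a PA-200
VM firewall with WAN, DMZ, LAN and Management segments.

Added example; the inventories below are constructed samples and the rule set
is this example's own, not a Palo Alto or VMware tool.
"""
from typing import Dict, List, Tuple

# vSwitch name -> {"uplinks": [vmnic, ...], "portgroups": {port group name: VLAN ID}}
HostInventory = Dict[str, Dict[str, object]]

# The four port groups the firewall's vNICs attach to. Every host must offer
# all of them under the same name, or an HA restart leaves a vNIC disconnected.
FIREWALL_PORTGROUPS = ("WAN", "DMZ", "LAN", "Management")


def three_switch_host() -> HostInventory:
    """One host in the three-physical-switch design: a dedicated vSwitch and
    vmnic per segment, untagged (VLAN 0) port groups. Constructed sample."""
    return {
        "vSwitch0": {"uplinks": ["vmnic0"], "portgroups": {"Management": 0}},
        "vSwitch1": {"uplinks": ["vmnic1"], "portgroups": {"WAN": 0}},
        "vSwitch2": {"uplinks": ["vmnic2"], "portgroups": {"DMZ": 0}},
        "vSwitch3": {"uplinks": ["vmnic3"], "portgroups": {"LAN": 0}},
    }


def single_switch_host() -> HostInventory:
    """The single-physical-switch variant: WAN, DMZ and LAN ride one trunked
    vmnic and are separated by 802.1Q tags (VLAN IDs are constructed)."""
    return {
        "vSwitch0": {"uplinks": ["vmnic0"], "portgroups": {"Management": 0}},
        "vSwitch1": {"uplinks": ["vmnic1"],
                     "portgroups": {"WAN": 10, "DMZ": 20, "LAN": 30}},
    }


def broken_host() -> HostInventory:
    """A mis-cabled second host (constructed): DMZ landed untagged on the WAN
    vSwitch and the LAN port group was never created."""
    return {
        "vSwitch0": {"uplinks": ["vmnic0"], "portgroups": {"Management": 0}},
        "vSwitch1": {"uplinks": ["vmnic1"], "portgroups": {"WAN": 0, "DMZ": 0}},
        "vSwitch3": {"uplinks": ["vmnic3"], "portgroups": {}},
    }


def _index_host(host: str, switches: HostInventory,
                findings: List[str]) -> Dict[str, Tuple[str, int]]:
    """Map port group -> (vSwitch, VLAN) for one host and flag uplink problems."""
    location: Dict[str, Tuple[str, int]] = {}
    uplink_owner: Dict[str, str] = {}
    for vs, cfg in switches.items():
        if not cfg["uplinks"]:
            findings.append(f"{host}: {vs} has no vmnic uplink; its VMs have no path off the host")
        for nic in cfg["uplinks"]:
            if nic in uplink_owner:
                findings.append(f"{host}: {nic} is claimed by both {uplink_owner[nic]} and {vs}")
            uplink_owner[nic] = vs
        for pg, vlan in cfg["portgroups"].items():
            location[pg] = (vs, vlan)
    return location


def check_cluster(cluster: Dict[str, HostInventory]) -> List[str]:
    """Return a list of findings; an empty list means the design is consistent."""
    findings: List[str] = []
    per_host: Dict[str, Dict[str, Tuple[str, int]]] = {}
    for host, switches in cluster.items():
        loc = _index_host(host, switches, findings)
        per_host[host] = loc
        for pg in FIREWALL_PORTGROUPS:
            if pg not in loc:
                findings.append(f"{host}: missing port group {pg}; an HA restart here leaves that firewall vNIC disconnected")
        # Two segments on the same vSwitch with the same VLAN ID (including both
        # untagged) are one broadcast domain, so traffic could bypass the firewall.
        present = [pg for pg in FIREWALL_PORTGROUPS if pg in loc]
        for i, a in enumerate(present):
            for b in present[i + 1:]:
                (vs_a, vlan_a), (vs_b, vlan_b) = loc[a], loc[b]
                if vs_a == vs_b and vlan_a == vlan_b:
                    findings.append(f"{host}: {a} and {b} share {vs_a} without distinct VLAN tags")
    # Across hosts the same port group name must map to the same VLAN, or the
    # firewall lands on a different segment after failover.
    hosts = list(cluster)
    for host in hosts[1:]:
        for pg in FIREWALL_PORTGROUPS:
            if pg in per_host[hosts[0]] and pg in per_host[host]:
                ref_vlan, vlan = per_host[hosts[0]][pg][1], per_host[host][pg][1]
                if ref_vlan != vlan:
                    findings.append(f"{host}: {pg} is VLAN {vlan} but VLAN {ref_vlan} on {hosts[0]}")
    return findings


if __name__ == "__main__":
    for name, second in (("three-switch", three_switch_host()),
                         ("single-switch", single_switch_host()),
                         ("mis-cabled", broken_host())):
        first = single_switch_host() if name == "single-switch" else three_switch_host()
        print(name, check_cluster({"esxi-01": first, "esxi-02": second}) or ["OK"])
```

The checker treats both layouts from the question as valid: three separate vSwitches with one vmnic each, or one trunked vSwitch with distinct VLAN IDs per segment. What it rejects is what HA cannot paper over: a port group present on only one host, or two segments landing in the same broadcast domain on a host.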