VMware Cloud Community
burdweiser
Enthusiast

Getting HA to work on DMZ cluster

I need a little direction on getting HA to work in a DMZ cluster. Here is my setup and what I've done so far:

- vCenter is on the production network (10.3.0.x). A NAT in the DMZ has been set up for vCenter (10.2.0.15). In vCenter under Runtime Settings, I have configured a "managed IP address" of 10.2.0.15.

- The hosts are ESXi 4. I have configured the hosts file with the NAT IP for the vCenter server (10.2.0.15). I have also configured the "preserveServerIp" option in the hosts' vpxa.cfg file.

- The management ports are on the DMZ network (10.2.0.x). vMotion ports are isolated (the hosts only talk to each other; vMotion is not on a routable network).

- In the advanced settings of the cluster for HA, I have configured das.allowvMotionNetworks = false to keep HA off the vMotion ports.

I can manage the host servers in vCenter, but I cannot get HA working. I know HA relies heavily on DNS, but I have configured everything in the hosts file on both host servers. I always get the error "cmd addnode failed for secondary node: Internal AAM error - agent could not start: Unknown HA error".

Am I just going to have to stick the management ports on a routable management network to get HA working?

I have been fighting with the network / security team to have my management ports on a routable network. This is what is in the DMZ best practice guide.

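Because the HA agent in this setup depends on every host resolving every other cluster member (and the vCenter NAT address) consistently from the hosts file, the following script is an added example of the sanity check a practitioner would run on each host before troubleshooting the AAM error further. It is not code from the original post or from VMware: the host names, the 10.2.0.x addresses and the deliberately broken second sample are all constructed for illustration. The check treats the first name on an /etc/hosts line as the canonical name, which is what a libc reverse lookup against /etc/hosts returns, so a short name listed before the FQDN, or a stale duplicate entry for a host, is reported as a failure.

```shell
#!/bin/sh
# Added example: verify the /etc/hosts entries HA relies on are consistent.
# Host names and addresses below are assumptions, not from the original thread.

# check_hosts FILE NAME [NAME...]
# For every NAME: exactly one address must map to it in FILE, and the first
# name on that address's line must be NAME (reverse lookup returns the FQDN).
# Returns 0 when every name passes, 1 otherwise.
check_hosts() {
    file=$1; shift
    rc=0
    for name in "$@"; do
        # Forward lookup: all addresses whose line lists NAME (comments stripped).
        ips=$(awk -v n="$name" '{ sub(/#.*/, ""); if (NF < 2) next;
                                   for (i = 2; i <= NF; i++) if ($i == n) print $1 }' "$file" | sort -u)
        count=$(printf '%s\n' "$ips" | awk 'NF { c++ } END { print c + 0 }')
        if [ "$count" -ne 1 ]; then
            echo "FAIL $name: $count address(es) found, expected exactly 1" >&2
            rc=1; continue
        fi
        # Reverse lookup: canonical name is the first name on that address's line.
        canon=$(awk -v ip="$ips" '{ sub(/#.*/, ""); if ($1 == ip) { print $2; exit } }' "$file")
        if [ "$canon" != "$name" ]; then
            echo "FAIL $name -> $ips -> $canon (reverse lookup does not return $name)" >&2
            rc=1; continue
        fi
        echo "ok   $name -> $ips -> $canon"
    done
    return $rc
}

# Constructed sample modelled on the setup in the question: management on
# 10.2.0.x, vCenter reachable through the 10.2.0.15 NAT. Names are assumed.
write_good_sample() {
    printf '%s\n' \
        '127.0.0.1   localhost' \
        '10.2.0.15   vcenter.dmz.example.com vcenter' \
        '10.2.0.21   esx01.dmz.example.com esx01' \
        '10.2.0.22   esx02.dmz.example.com esx02' > "$1"
}

# Constructed broken sample: short name listed first for vCenter (reverse
# lookup returns "vcenter"), and a stale second address left for esx02.
write_bad_sample() {
    printf '%s\n' \
        '127.0.0.1   localhost' \
        '10.2.0.15   vcenter vcenter.dmz.example.com   # short name first' \
        '10.2.0.21   esx01.dmz.example.com esx01' \
        '10.2.0.22   esx02.dmz.example.com esx02' \
        '10.2.0.23   esx02.dmz.example.com             # stale entry' > "$1"
}

# Stand-alone demonstration: the good file passes, the broken file is rejected.
good=$(mktemp); bad=$(mktemp)
write_good_sample "$good"; write_bad_sample "$bad"
members="vcenter.dmz.example.com esx01.dmz.example.com esx02.dmz.example.com"
echo "== good sample =="
check_hosts "$good" $members
echo "== broken sample =="
check_hosts "$bad" $members || echo "broken sample rejected as expected"
rm -f "$good" "$bad"
```

On a real host, run `check_hosts /etc/hosts` with the FQDNs of every cluster member plus the vCenter name used in vpxa.cfg; every host in the cluster must produce identical results, since HA's node list is built from those names.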
2 Replies
burdweiser
Enthusiast

bump

Texiwill
Leadership

Hello,

Moved to Security forum.

Let us instead break this down by networks. You have 3, maybe 4, major networks:

- Management
- Storage
- VMotion
- VM

Management, Storage and VMotion are NOT, and NEVER should be, within any part of the DMZ, not even a NAT in the DMZ. They should be connected to different physical switches unrelated to the DMZ.

The VM Network for DMZ should be within the DMZ, it should be the only thing within the DMZ.

"I have been fighting with the network / security team to have my management ports on a routable network. This is what is in the DMZ best practice guide."

What is their concern? That is where we should start this discussion, because your management and VMkernel ports should be on the proper network, else not much really works. As for DNS, local hosts files actually cover that quite well.

It sounds like your security team is still of the mindset that it's a box with multiple pNICs, hence it is one security zone, instead of treating each ESX host as its own datacenter.

They may need to read more materials to get a better feel for Virtualization Security.

Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMware ESX Server in the Enterprise'
SearchVMware Pro | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast (http://www.astroarch.com/wiki/index.php/Blog_Roll)

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill