5.8

Resource reservations and limits protect virtual machines from performance degradation that would result
if another virtual machine consumed excessive shared hardware resources. For example, if one of the virtual
machines on a host is incapacitated by a denial-of-service (DoS) attack, a resource limit on that machine
prevents the attack from taking up so much of the hardware resources that the other virtual machines are
also affected. Similarly, a resource reservation on each of the virtual machines ensures that, in the event of
high resource demands by the virtual machine targeted by the DoS attack, all the other virtual machines still
have enough resources to operate.
By default, ESXi imposes a form of resource reservation by applying a distribution algorithm that divides
the available host resources equally among the virtual machines while keeping a certain percentage of
resources for use by other system components. This default behavior provides a degree of natural protection
from DoS and distributed denial-of-service (DDoS) attacks. Specific resource reservations and limits are set
on an individual basis to customize the default behavior so that the distribution is not equal across the
virtual machine configuration.
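As an added illustration (not part of the VMware document), a simplified Python model of the behaviour described above: reservations act as floors, limits as ceilings, a percentage of the host is held back for system components, and whatever remains is divided equally. The 10% system reserve, the VM names and the MHz figures are constructed values, and the water-filling rule is an assumption for demonstration, not the ESXi scheduler.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed fraction held back for host system components (constructed value).
SYSTEM_RESERVE_PCT = 0.10

@dataclass
class VM:
    name: str
    demand: int                   # MHz the VM is trying to consume right now
    reservation: int = 0          # guaranteed floor in MHz
    limit: Optional[int] = None   # hard ceiling in MHz; None means unlimited

    def cap(self) -> int:
        """Most the VM can be given: its demand, clipped by its limit."""
        return self.demand if self.limit is None else min(self.demand, self.limit)

def allocate(host_mhz: int, vms: list) -> dict:
    """Equal-share water-filling: reservations are floors, limits are ceilings."""
    usable = int(host_mhz * (1 - SYSTEM_RESERVE_PCT))
    if sum(vm.reservation for vm in vms) > usable:
        raise ValueError("reservations exceed usable host capacity")
    # Step 1: every VM first receives its reservation (or less if it wants less).
    alloc = {vm.name: min(vm.reservation, vm.cap()) for vm in vms}
    remaining = usable - sum(alloc.values())
    active = [vm for vm in vms if alloc[vm.name] < vm.cap()]
    # Step 2: split the rest equally among VMs that still want more, repeating
    # so that capacity a limited VM cannot use flows to the other VMs.
    while remaining > 0 and active:
        share = remaining // len(active)
        if share == 0:
            break
        for vm in active:
            grant = min(share, vm.cap() - alloc[vm.name])
            alloc[vm.name] += grant
            remaining -= grant
        active = [vm for vm in active if alloc[vm.name] < vm.cap()]
    return alloc

def dos_scenario(limit_on_target: Optional[int]) -> dict:
    """Constructed scenario: 'target' is under DoS and demands the whole host."""
    vms = [
        VM("target", demand=9000, reservation=1000, limit=limit_on_target),
        VM("web", demand=4000, reservation=1000),
        VM("db", demand=4000, reservation=1000),
    ]
    return allocate(10000, vms)

if __name__ == "__main__":
    print(dos_scenario(None), dos_scenario(2500))
```

With no limit the equal-share default already holds the attacked VM to 3000 MHz; a 2500 MHz limit caps it further and the unused 500 MHz flows to the other two VMs.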
Security and Virtual Networks
If an ESXi host is accessed through vCenter Server, it is typical to protect vCenter Server using a firewall.
This firewall provides basic protection for the network.
A firewall might lie between the clients and vCenter Server. Alternatively, vCenter Server and the clients
can be behind the firewall, depending on deployment. The main point is to provide a firewall at what is
considered to be an entry point for the system.
Networks configured with vCenter Server can receive communications through the vSphere Client or
third-party network management clients that use the SDK to interface with the host. During normal operation,
vCenter Server listens for data from its managed hosts and clients on designated ports. vCenter Server also
assumes that its managed hosts listen for data from vCenter Server on designated ports. If a firewall is
present between any of these elements, it needs to be confirmed that the firewall has open ports to support
data transfer.
Firewalls might also be included at a variety of other access points in the network, depending on how the
network is planned to be used and the level of security various devices require. Select the locations for
firewalls based on the security risks that have been identified for network configuration. The following is a
list of firewall locations common to ESXi implementations.
Securing Virtual Machines with VLANs
The network can be one of the most vulnerable parts of any system. The virtual machine network requires
as much protection as its physical counterpart. Virtual machine network security can be enhanced in several
ways, including through the use of virtual local area networks (VLANs).
If the virtual machine network is connected to a physical network, it can be subject to breaches to the same
degree that a network made up of physical machines is. Even if the virtual machine network is isolated from
any physical network, virtual machines in the network can be subject to attacks from other virtual machines
in the network. The requirements for securing virtual machines are often the same as those for physical
machines.
Virtual machines are isolated from each other. One virtual machine cannot read or write another virtual
machine's memory, access its data, use its applications, and so forth. However, within the network, any
virtual machine or group of virtual machines can still be the target of unauthorized access from other virtual
machines and might require further protection by external means.
- Adding firewall protection to the virtual network by installing and configuring host-based firewalls on
  some or all of its virtual machines.
vCloud Suite Architecture Overview and Use Cases
34 VMware, Inc.