7.1.3 DMZ/Isolated Clusters
vSAN storage is an effective security boundary for a DMZ or isolated cluster configuration. By using only the local storage presented by vSAN, the environment can be completely segregated into its own security zone. In this configuration, workloads in the DMZ do not share underlying storage with workloads outside it, and security and storage policies are applied based on the workloads. These critical systems also remain highly available and perform well in the environment.
Employing vSAN in DMZ, isolated, or perimeter network clusters can help VMware Cloud Providers for the following reasons:
- Service providers today typically run fully isolated clusters, except for shared storage.
- Buying a separate array just for the DMZ is prohibitively expensive.
- Smaller arrays often do not offer the same performance or features.
- This is a very common use case for vSAN, because it offers full isolation.
When implementing a vSAN design for DMZ/isolated cluster configurations, the following design considerations must be taken into account:
- Typically, DMZ/isolated cluster workloads are a balanced workload type, where the recommended designs balance the need for performance against the need for capacity. Policy recommendations must take this into account so that a single policy is not used for all workloads, which would negate the benefit of software-defined storage.
- Migrations to and from these hosts must be considered. If there are no other underlying storage connections, which is the recommendation for DMZ hosts, it might take a significant amount of time to migrate to and from the vSAN volume.