Saturday, June 14, 2008

Setting up a DMZ in ESX 3.5

One of the strongest selling points for using ESX as a lab environment is the ability to quickly create and modify network configurations to replicate practically any network layout you wish. What would take a few hours in a lab running network cable and configuring switches and routers can be done inside ESX with a few clicks of the mouse. For today's post, I will walk you through the basic steps of creating a DMZ inside your ESX server. Since this is a lab environment only, our focus will be on creating a functioning DMZ rather than worrying about security.

The first step, as in any network setup, is planning. I know I generally like to dive right into any new project and start creating, but this is one instance where a few minutes of planning will save you hours of headaches later down the line. I use the same spreadsheet to track IP address assignments in my lab environment that I use in my production environment. Write down each IP address range you plan on using, its specific use, and its method of assignment (static or DHCP). I generally allocate the first 10 IP addresses to routers, switches, and other networking devices. I reserve addresses 10-30 for statically assigned servers. I usually create a DHCP zone that assigns the 100-200 address range. Lastly, I reserve 90-99 for any special devices that are statically assigned via DHCP lease reservations. The result should look something like this:


On a separate sheet, record any statically assigned IP addresses, the host they belong to, and any notes that might be helpful. This makes it easy to tell at a glance which static IP addresses are free when you start adding servers. Make sure you and anyone else making changes to your lab environment keep the worksheet updated. All this planning may seem like overkill at first, but your test lab can quickly become too complicated to keep everything in your head.
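The two worksheets above can be kept honest with a small script. The following is an added example, not the author's spreadsheet: it encodes the allocation scheme from the text for one /24 (network devices first, .10-.30 static servers, .90-.99 DHCP reservations, .100-.200 DHCP pool), refuses a plan in which two roles overlap, lists the free static server addresses, and flags any entry on the static sheet that was parked inside the DHCP pool, where it will eventually collide with a lease. The subnet, host names and the reading of "the first 10 addresses" as .1-.9 are assumptions made for the example.

```python
"""Address-plan helper for the lab worksheets described above.

Added example, not the author's spreadsheet. PLAN encodes the scheme in
the text for one IPv4 /24. Assumption: "the first 10 addresses" is taken
as .1-.9 here so that it does not collide with the .10-.30 server range;
adjust PLAN if your worksheet differs.
"""
import ipaddress

# role -> (first host octet, last host octet), both inclusive
PLAN = {
    "network devices (static)": (1, 9),
    "servers (static)": (10, 30),
    "reserved devices (DHCP reservation)": (90, 99),
    "clients (DHCP pool)": (100, 200),
}


def build_plan(subnet, plan=PLAN):
    """Expand the plan for one /24 into {role: [IPv4Address, ...]}.

    Raises ValueError if two roles claim the same address, which is the
    mistake the worksheet exists to prevent.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("the scheme above is written for an IPv4 /24")
    owner = {}
    expanded = {}
    for role, (lo, hi) in plan.items():
        addrs = [net.network_address + i for i in range(lo, hi + 1)]
        for addr in addrs:
            if addr in owner:
                raise ValueError(f"{addr} is in both {owner[addr]!r} and {role!r}")
            owner[addr] = role
        expanded[role] = addrs
    return expanded


def role_of(subnet, address, plan=PLAN):
    """Return the role an address falls in, or None if it is unallocated."""
    addr = ipaddress.ip_address(address)
    for role, addrs in build_plan(subnet, plan).items():
        if addr in addrs:
            return role
    return None


def free_static(subnet, sheet, plan=PLAN):
    """Static server addresses not yet listed on the assignment sheet."""
    taken = {ipaddress.ip_address(a) for a in sheet}
    pool = build_plan(subnet, plan)["servers (static)"]
    return [str(a) for a in pool if a not in taken]


def misplaced(subnet, sheet, plan=PLAN):
    """Sheet entries outside the static roles, e.g. a host parked in the DHCP pool."""
    bad = []
    for address in sheet:
        role = role_of(subnet, address, plan)
        if role is None or "static" not in role:
            bad.append((address, role))
    return bad


# Constructed sample of the second worksheet for a DMZ subnet; the subnet
# and host names are made up for this example.
DMZ_SUBNET = "192.168.20.0/24"
DMZ_SHEET = {
    "192.168.20.1": "asg-router, DMZ interface",
    "192.168.20.10": "web01, public web server",
    "192.168.20.11": "mail01, SMTP relay",
    "192.168.20.120": "ftp01, added by hand without checking the plan",
}

if __name__ == "__main__":
    for role, addrs in build_plan(DMZ_SUBNET).items():
        print(f"{role:38} {addrs[0]} - {addrs[-1]}")
    print("next free static server address:", free_static(DMZ_SUBNET, DMZ_SHEET)[0])
    for address, role in misplaced(DMZ_SUBNET, DMZ_SHEET):
        print(f"WARNING: {address} ({DMZ_SHEET[address]}) sits in role {role!r}")
```

Run it once per subnet you add to the lab; a warning from `misplaced` means the static sheet and the DHCP scope disagree, which is exactly the situation the text's planning step is meant to avoid.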



Now that we have a blueprint for our DMZ, we're ready to decide what devices we need. A physical DMZ requires at least some network cables, a router, a switch, and a server to access. Our virtual DMZ will have the same components. ESX will provide our virtual switch as well as handling any cabling that needs to be done. You have a couple of choices when it comes to the router you wish to use. A Windows Server 2003 virtual machine set up with the routing and remote access service will suffice for the most basic routing needs. My personal preference is the Astaro Security Gateway appliance available from Astaro. They offer a free personal use license that supports up to ten clients. The ease of use and the list of features is pretty astounding for a free product. The specifics of installing the Astaro virtual appliance are beyond the scope of this article, but the download includes detailed instructions for installing the virtual appliance on ESX.

Now that we have a plan laid out for our virtual network and we have the router selected, it's time to start creating the switches and network connections inside ESX that will form our DMZ. Start up the VMware Infrastructure Client and log into your ESX machine. Highlight your ESX server on the left side of the screen and select the "Configuration" tab. You should be presented with your current ESX network layout that looks roughly like this:

If you're new to virtualization, the network configuration can be a little confusing at first. ESX displays your virtual network setup so you can think of it just like a physical network. The left-hand side shows all the virtual machines connected to your virtual network. The vertical grey bar represents the virtual network switch connecting all those virtual machines together. The right-hand side shows any physical adapters that allow your virtual network to connect to outside networks. As you can see in our current configuration, I have a virtual network called LAN with a half dozen virtual machines connected. The LAN network has a single physical network card attached to allow those virtual machines access to the outside world. For our purposes, we will assume that your initial network looks similar to mine and that the virtual machines in your existing virtual network can access the internet.

Now we're going to create the virtual network for our DMZ. Click on the "Add Networking" link. The next dialogue box asks what type of network connection you wish to add. We want a new virtual switch to attach our virtual machines to, so select "Virtual Machine" and click "Next". The next dialogue box asks whether you want to create a new virtual switch or connect to one of your current virtual switches. Leave the default "Create a virtual switch" option selected. ESX automatically adds any unassigned physical network adapters to your new switch. Make sure you clear all of those check boxes, since our DMZ should reach the outside network only through our router. Take a look at the preview to be sure your new virtual network is set up the way you wish.


In the next dialogue box, give your new virtual network a name. We'll call ours DMZ. Leave the VLAN option blank and click "Next". We're now back at the configuration tab. Once ESX finishes creating our new virtual network, we should have something like this:

Our old LAN network is displayed on top with the newly created DMZ network just below it. We're almost finished. We've created the DMZ virtual network, but we still have to add our router and some virtual machines. The specific steps for installing your router depend on which type you selected. Regardless of what you chose as your router, make sure the router virtual machine has at least two virtual network cards: it needs at least one adapter in the DMZ network and one adapter on a network with internet access to function properly. Once you finish installing your router, you can start adding virtual machines to your DMZ network. After you add a virtual machine or two, go back to the configuration tab for your ESX server. If everything went to plan, you should see your router and the virtual machines you added under the DMZ virtual network.
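The finished layout depends on three things being true: the DMZ switch has no physical uplink, the router has an adapter on both sides, and no other virtual machine is plugged into both LAN and DMZ (a dual-homed guest gives traffic a path around the router). The following added example, which is not VMware code, models the vSwitches, port groups, uplinks and VM adapters as plain dicts (a constructed inventory mirroring the layout built above, with made-up VM names) and checks those three rules. On a real ESX 3.5 host the same information is what the Configuration tab shows, or what `esxcfg-vswitch -l` lists in the service console; feeding that into the dicts is left to the reader.

```python
"""Topology check for the virtual DMZ built in the steps above.

Added example, not VMware code. The inventory below is constructed to
match the finished layout in the text: LAN on vSwitch0 with a physical
uplink, DMZ on vSwitch1 with none, a two-NIC router between them.
"""

# Constructed inventory: vSwitch name -> its port groups and physical uplinks.
SWITCHES = {
    "vSwitch0": {"portgroups": ["LAN"], "uplinks": ["vmnic0"]},
    "vSwitch1": {"portgroups": ["DMZ"], "uplinks": []},
}

# Constructed VM list: VM name -> port groups its virtual NICs attach to.
VMS = {
    "asg-router": ["LAN", "DMZ"],
    "dc01": ["LAN"],
    "file01": ["LAN"],
    "web01": ["DMZ"],
}


def switch_of(portgroup, switches):
    """Name of the vSwitch carrying a port group."""
    for name, sw in switches.items():
        if portgroup in sw["portgroups"]:
            return name
    raise KeyError(f"port group {portgroup!r} is on no vSwitch")


def has_uplink(portgroup, switches):
    """True if the port group's vSwitch has at least one physical NIC."""
    return bool(switches[switch_of(portgroup, switches)]["uplinks"])


def check_dmz(switches, vms, router, dmz="DMZ"):
    """Return a list of findings; an empty list means the layout matches the text."""
    findings = []
    # Rule 1: the DMZ reaches the outside only through the router.
    if has_uplink(dmz, switches):
        findings.append(f"{dmz} vSwitch has physical uplinks; it should reach outside only via {router}")
    # Rule 2: the router sits on both sides.
    nics = vms.get(router, [])
    if dmz not in nics:
        findings.append(f"router {router} has no adapter in {dmz}")
    if not any(pg != dmz and has_uplink(pg, switches) for pg in nics):
        findings.append(f"router {router} has no adapter on a network with an uplink")
    # Rule 3: nothing else bridges the DMZ to another network.
    for vm, pgs in vms.items():
        if vm == router:
            continue
        others = [pg for pg in pgs if pg != dmz]
        if dmz in pgs and others:
            findings.append(f"{vm} is in {dmz} and {', '.join(others)}: it bypasses the router")
    return findings


if __name__ == "__main__":
    problems = check_dmz(SWITCHES, VMS, "asg-router")
    print("layout OK" if not problems else "\n".join(problems))
```

Re-run the check after every change to the lab; the third rule is the one that gets broken by accident, usually by a guest that was cloned from a LAN template and then had a DMZ adapter added.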

One final note. We created this virtual DMZ with functionality instead of security in mind. The purpose of a true DMZ is to allow some of your servers greater access to the internet while keeping the rest of the network secure. This separation limits the damage in the event someone is able to breach one of the servers in your DMZ. In our virtual environment, our DMZ servers run on the same ESX hardware as the rest of our virtual servers, so they do not get the same degree of isolation. This virtual DMZ is perfect for a lab environment, but further attention to security should be paid before using your virtual DMZ in any kind of production environment.

1 comment:

dhiraj said...

http://wlancontroller.com can be used for scanner and access point