Have you ever wondered how far virtualization goes? How much flexibility can you implement in your environment and what is the minimum amount of hardware you still require?
These questions will hopefully be answered if you read on.
Once upon a time, there was server virtualization, desktop virtualization, storage virtualization and cloud computing. The Software-Defined Data Center was born! Even networking could be virtualized, giving you unimaginable flexibility in your infrastructure.
This article covers the networking part, and specifically the edge of your infrastructure: the public internet uplink and the DMZs. My homelab is the subject, but the architecture showcased here can be implemented in production as well.
In a nutshell, my homelab is configured like the diagram below.
A little explanation could be handy. The Internet gives me everything I need to share my articles with you over a 180 Mbit/s down and 18 Mbit/s up link. The Internet Modem is connected at 1 Gigabit to a self-built hardware appliance running Sophos UTM, which has two physical interfaces. It does, however, have multiple virtual interfaces to connect the different logical networks to each other. The red lines indicate unfiltered, "dirty" internet traffic, while the blue lines indicate filtered, safe traffic. The appliance is connected to a Gigabit switch, which connects all my home devices together, like my NAS and BA-ESX (my Bad-Ass ESXi host).
The hardware I used to build my UTM appliance:
- Asus AT4NM10T-I motherboard with onboard Intel Atom CPU
- Antec ISK 300-150 case
- Kingston KVR800D3S8S6 2GB RAM
- Patriot Torqx 2 PT232GS25SSDR 32GB SSD
- Intel Gigabit CT Desktop Adapter NIC
So, how far does virtualization go? As I am already using techniques like virtual interfaces, VLANs, and server and desktop virtualization, what remains? Well, you will always need some sort of physical connection to the outside world, or at least a network connection. Where you plug it in can be almost anything: directly into a physical server, a firewall, a router or a switch. The minimum amount of hardware required depends on your environment of course, but a traditional setup needs the following:
- Physical up-link to a network (could be internet)
- A security device that manages your internal and external networks
- Physical switch for connecting your servers
- Physical servers for implementing a hypervisor
My goal here is to create more flexibility and push virtualization to the MAX. As you can see in the list above, the only item that does not contain the word physical is the security device. I decided to replace my physical security device with a virtual, highly available security device and see how this performs.
What is Sophos UTM?
Before I get to the details, I would like to share some information about the security solution I am using (and have been using for the past 6 years in both home and business environments): Sophos UTM (previously Astaro UTM). This piece of software is really the Swiss Army knife among networking services. Whether you need a DHCP server, an NTP server, or a way for your users and engineers to work remotely, Sophos UTM is the way!
A summary of what I consider the product's major features:
- Easy to use web-based management interface
- User Portal for accessing applications remotely through a browser
- Integration with directory services like Active Directory, RADIUS and LDAP
- Network Services
- Network Protection
  - Load Balancing
  - Intrusion Prevention
- Wireless Protection (Wireless LAN Controller)
- Web Protection (Proxy)
- Endpoint Protection (Antivirus for clients and servers)
- E-mail Protection
  - SMTP Gateway (including support for multiple profiles in case you have multiple domains and multiple e-mail servers)
  - Anti-Spam (including Quarantine Manager)
- Web Server Protection (Reverse Proxy)
Sophos delivers hardware appliances, but it is also possible to purchase a software license, which lets you install the software in a virtual machine or on custom-built hardware.
To give you an idea of the user-friendly and intuitive interface, see the screenshots below.
To the MAX!
Now enough talking! Let’s see how the network diagram looks after removing the physical security device and moving network security to the virtualization layer.
Erhm, ok... So where did security go? My dirty traffic is now flowing directly into my switch!
Well, let’s zoom in a bit:
I have created a separate VLAN on my switch, dedicated to the internet uplink. The Internet Modem is plugged into an access port on the switch that sits in this internet VLAN. Only devices connected to this VLAN can see the dirty traffic, so there is my segmentation. The trunk that I was already using to give my Bad-Ass ESXi host access to all VLANs on my switch stays as it is; the vSphere Distributed Switch behind it simply got an extra port group tagged with the internet VLAN. Note that the segmentation is now only as strong as that VLAN configuration: the internet VLAN must stay tagged on the trunk (so it must not be the trunk's native VLAN), and no port group other than the dedicated one may carry its tag.
The only two virtual machines connected to this internet VLAN are my two UTM appliances. Security is back!
Besides removing the need for a physical security device, I moved network security to the virtualization layer, giving me more flexibility and a lower chance that physical failures impact availability (that is, if I had more than one ESXi host, but you get my point). The reason for deploying two UTM appliances is that they can be put into an active-standby or active-active cluster. I applied the active-standby configuration by adding an extra virtual NIC to each appliance and connecting those NICs to a dedicated heartbeat VLAN.
This setup would never be possible with my physical box, as it only has two physical interfaces: I need one for the internet uplink, one for the internal virtual interfaces, and a third, dedicated interface for the cluster configuration.
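The whole design rests on a handful of invariants: the dirty VLAN enters the switch on exactly one access port, it is always tagged on the trunk, exactly one port group on the distributed switch carries its tag, and only the two UTM VMs (which also share the heartbeat port group) are attached to it. The script below is an added example, not code from the original post, that checks those invariants against an inventory. The inventory is constructed to mirror the setup described above; the VLAN IDs, port names, port group names and VM names are assumptions, and Cisco-style access/trunk port semantics are assumed for the switch. In a real environment you would populate the same structures from the switch's running configuration and from PowerCLI output (`Get-VDPortgroup`, `Get-NetworkAdapter`).

```python
"""Check the segmentation invariants of a 'dirty VLAN on the vDS' design.

Added example; the inventory below is constructed to mirror the article's
homelab and every ID, port name, port group name and VM name is an assumption.
"""
import copy
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class SwitchPort:
    """A physical switch port with Cisco-style access/trunk semantics (assumed)."""
    name: str
    mode: str                                  # "access" or "trunk"
    vlan: Optional[int] = None                 # access VLAN (access ports only)
    allowed: Set[int] = field(default_factory=set)  # tagged VLANs (trunks only)
    native: Optional[int] = None               # untagged native VLAN (trunks only)


@dataclass
class PortGroup:
    """A distributed port group on the vSphere Distributed Switch."""
    name: str
    vlan: int                                  # VLAN tag the port group applies


@dataclass
class VirtualMachine:
    name: str
    portgroups: List[str]                      # port groups its vNICs connect to


def check_segmentation(ports, portgroups, vms, internet_vlan, heartbeat_vlan, utm_vms):
    """Return a list of findings; an empty list means every invariant holds."""
    findings = []

    # (1) The dirty VLAN enters the switch on exactly one access port: the modem.
    dirty_access = [p.name for p in ports if p.mode == "access" and p.vlan == internet_vlan]
    if len(dirty_access) != 1:
        findings.append(f"internet VLAN {internet_vlan} is on {len(dirty_access)} "
                        f"access ports, expected exactly 1: {dirty_access}")

    # (2) On every trunk the dirty VLAN must stay tagged, so it can never be native.
    for p in ports:
        if p.mode == "trunk" and p.native == internet_vlan:
            findings.append(f"trunk {p.name}: internet VLAN {internet_vlan} is the native (untagged) VLAN")

    # (3) Exactly one port group carries each of the two sensitive VLAN tags.
    for label, vlan in (("internet", internet_vlan), ("heartbeat", heartbeat_vlan)):
        names = [pg.name for pg in portgroups if pg.vlan == vlan]
        if len(names) != 1:
            findings.append(f"{label} VLAN {vlan} is tagged on {len(names)} port groups: {names}")

    # (4) Only the UTM VMs may touch those port groups, and every UTM must be on both.
    sensitive = {pg.name for pg in portgroups if pg.vlan in (internet_vlan, heartbeat_vlan)}
    for vm in vms:
        attached = sensitive & set(vm.portgroups)
        if vm.name in utm_vms:
            missing = sensitive - attached
            if missing:
                findings.append(f"UTM {vm.name} is missing port group(s) {sorted(missing)}")
        elif attached:
            findings.append(f"non-UTM VM {vm.name} is attached to {sorted(attached)}")
    return findings


# Constructed inventory mirroring the article's homelab (all IDs and names assumed).
INTERNET_VLAN, HEARTBEAT_VLAN, INTERNAL_VLAN = 100, 200, 10
UTM_VMS = {"utm-01", "utm-02"}
SWITCH_PORTS = [
    SwitchPort("Gi0/1", "access", vlan=INTERNET_VLAN),                 # Internet Modem
    SwitchPort("Gi0/2", "access", vlan=INTERNAL_VLAN),                 # NAS
    SwitchPort("Gi0/24", "trunk", native=999,                          # BA-ESX uplink
               allowed={INTERNAL_VLAN, INTERNET_VLAN, HEARTBEAT_VLAN}),
]
PORTGROUPS = [
    PortGroup("dvpg-internal", INTERNAL_VLAN),
    PortGroup("dvpg-internet", INTERNET_VLAN),
    PortGroup("dvpg-ha-heartbeat", HEARTBEAT_VLAN),
]
VMS = [
    VirtualMachine("utm-01", ["dvpg-internet", "dvpg-internal", "dvpg-ha-heartbeat"]),
    VirtualMachine("utm-02", ["dvpg-internet", "dvpg-internal", "dvpg-ha-heartbeat"]),
    VirtualMachine("nas-backup", ["dvpg-internal"]),
]


def audit_homelab():
    """Findings for the inventory as designed; expected to be empty."""
    return check_segmentation(SWITCH_PORTS, PORTGROUPS, VMS, INTERNET_VLAN, HEARTBEAT_VLAN, UTM_VMS)


def audit_misconfigured():
    """Same inventory with two plausible mistakes: the internet VLAN made native on
    the ESXi trunk, and a web server VM attached to the dirty port group."""
    ports = copy.deepcopy(SWITCH_PORTS)
    ports[2].native = INTERNET_VLAN
    vms = VMS + [VirtualMachine("web-01", ["dvpg-internet", "dvpg-internal"])]
    return check_segmentation(ports, PORTGROUPS, vms, INTERNET_VLAN, HEARTBEAT_VLAN, UTM_VMS)


if __name__ == "__main__":
    for title, findings in (("as designed", audit_homelab()), ("misconfigured", audit_misconfigured())):
        print(f"{title}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it after every change to the switch or the distributed switch: the "as designed" audit must stay empty, and the misconfigured variant shows the two classes of mistake that silently dissolve the segmentation, the dirty VLAN becoming the trunk's untagged VLAN and a non-UTM VM landing on the dirty port group.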
Now, how does this perform? Really, really well, I must say! It even works better than I predicted.
When one of the two UTMs fails, the other UTM takes over within seconds. Now, one of the challenges was the internet uplink. Would the Internet Modem assign the WAN IP address to the newly active UTM? Well yes, but only after disabling HA link monitoring on the WAN and internal interfaces inside the UTM. Only the heartbeat NIC should have HA link monitoring enabled. Without this adjustment, I was getting unexpected results. Now, when one UTM fails, internet access is back online in about 5 seconds.
The way I configured this from the VMware point of view is shown in the screenshots below.
And the bandwidth throughput? Awesome!
The solution described in this article can be used with many different products. Think of VMware vCloud Networking & Security, NSX, or even Microsoft Hyper-V with third-party virtual firewall appliances.
Hopefully this helps you think of different networking and virtualization strategies to provide the best possible solution for your customer (or homelab! ;-)).