VMware vShield App best practices list

Posted by on May 17, 2012 in VMware, vShield | 0 comments

After a couple of recent projects that implemented vShield app in various ways I thought it would be good to start building a list of best practices. These are some of the suggestions that I have collected in working with different customers and VMware people. I will continue to update as new things come to light.

Consider reading my list of vCloud best practices when you are done with this list, since they are used together often.

vShield Manager

  • Do not deploy vShield manager appliance to a cluster that it will be protecting, can cause connection to itself and vCenter to be lost. (With vShield 5.0.1 you can exclude the appliance from protection, but I would still avoid)
  • Access to default services like DNS, syslog, NTP and other similar services that all your VMs need access to should be created as Layer 3 low precedence rules at the datacenter level.
  • To provide additional resiliency beyond HS considering using Fault Tolerance (FT) for protecting vShield Manager

 

vShield App instances (Appliances)

  •  When deploying use local datastore on host if available to prevent accidental vMotion
  • Consider setting DRS host affinity to make sure the vShield app appliance does not get vMotioned off of host, DRS is disabled by default for the appliance VM.
  • Follow vSphere hardening recommendations for virtual switches
  • Use Security Groups to group together server of same functions (Domain controllers, Web server, DB server etc.)
  • Ensure that the HA restart priority for the vShield App appliance is set to high to ensure it is the first to restart, making sure that its running before the VMs its protecting are started.

 

 

 

 

About Brian Suhr

Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group. Specializing in VDI and Cloud project designs. Awarded VMware vExpert status 6 years for 2016 - 2011. VCP3, VCP5, VCP5-Iaas, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design

Leave a Reply

%d bloggers like this: