How DMZ design improves VM security in the cloud

With VM hosting in the cloud, your main concern is VM security. But with a solid DMZ design, you can keep VMs properly isolated.

You’re probably aware of P2V conversion and V2V conversion, but moving VMs to the cloud is a whole new ballgame -- especially around security. With a segregated DMZ design, you can safely host VMs in the cloud.

Virtual-to-cloud (V2C) conversion converts virtual machines (VMs) into a form that can be operated inside a cloud. If you host VMs in an isolated demilitarized zone (DMZ) design, you can greatly improve cloud security. But before I explain how your DMZ setup affects VM hosting, let’s discuss DMZ’s virtualization roots.

DMZ design and V2C: Creating boundaries

DMZs sit outside the internal LAN, and separating their exposed resources from everything inside the LAN shields your data from the Internet's nastier traffic. That separation also makes it harder to move data into and out of a DMZ, especially when you have to create and secure the connections back to internal resources.

At the same time, DMZ isolation provides an easy-to-define boundary for VMs in the cloud, greatly improving VM security. A segregated DMZ acts as a protective bubble around those VMs.

Improving VM security with DMZ design

With an isolated DMZ design, VM hosting in the cloud is just as secure as running VMs in a traditional virtual infrastructure. Even after a VM conversion to the cloud, VMs in a DMZ require the same level of network access that they did previously. Web-facing VMs in the cloud still need HTTP and HTTPS connectivity, but those protocols are just as easy to protect at a cloud provider as they are at home.

To ensure VM security, some offsite VM hosting requires additional networking configurations. Those configurations connect VMs with resources inside the LAN, such as databases or application servers.

Some cloud providers offer hardware-based or software-based firewalls that strictly control traffic between cloud-based VMs and the IP endpoint at your perimeter. You can further protect that incoming traffic with LAN-based firewalls or reverse proxy solutions. For even better VM security, firewall software built into your VM's operating system adds yet another layer of protection that lies outside the scope of your cloud provider or virtualization platform.

If performance requirements permit, you can retain data inside your LAN while hosting the VMs that process that data in the cloud. With this VM security configuration, an attacker would gain little from hacking your Web servers and would need further effort to reach internal data.
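The layered setup described above (provider firewall, LAN firewall or reverse proxy, host firewall on the VM, and data kept inside the LAN) comes down to one explicit allowlist between three zones: the Internet, the cloud-hosted DMZ, and the internal LAN. The script below is an added example, not code from the original article: it encodes such a zone policy, checks that the policy itself never lets the Internet reach the LAN directly, and then audits a handful of constructed flow records against it. The address ranges, the PostgreSQL port and the log format are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan for this example; substitute your own ranges.
ZONES = {
    "dmz": [ip_network("10.10.0.0/24")],   # cloud-hosted web VMs in the DMZ
    "lan": [ip_network("10.0.0.0/16")],    # internal LAN: databases, app servers
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Explicit allowlist between zones. Anything not listed is denied, which is
# what makes the DMZ a boundary rather than just another subnet.
POLICY = [
    Rule("internet", "dmz", "tcp", 80),
    Rule("internet", "dmz", "tcp", 443),
    Rule("dmz", "lan", "tcp", 5432),   # web tier -> database only (hypothetical port)
    Rule("lan", "dmz", "tcp", 22),     # administration from inside the LAN
]


def zone_of(ip: str) -> str:
    """Map an address to a zone; anything outside the defined ranges is untrusted."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow' only when an allowlist rule matches the zone pair and service."""
    flow = (zone_of(src), zone_of(dst), proto, dport)
    for r in POLICY:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == flow:
            return "allow"
    return "deny"


def policy_invariants() -> list:
    """Properties the allowlist itself must satisfy, regardless of traffic seen."""
    problems = []
    for r in POLICY:
        if r.src_zone == "internet" and r.dst_zone == "lan":
            problems.append(f"Internet reaches LAN directly: {r}")
        if r.src_zone == "dmz" and r.dst_zone == "lan" and r.dport in (22, 445, 3389):
            problems.append(f"DMZ has admin or file-sharing access into LAN: {r}")
    return problems


# Constructed flow records in "src dst proto dport" form, as a connection log
# export might provide them.
SAMPLE_FLOWS = """\
203.0.113.7 10.10.0.5 tcp 443
203.0.113.7 10.0.3.20 tcp 5432
10.10.0.5 10.0.3.20 tcp 5432
10.10.0.5 10.0.3.20 tcp 22
10.0.9.1 10.10.0.5 tcp 22
198.51.100.9 10.10.0.5 tcp 8080
"""


def audit(log_text: str) -> list:
    """Evaluate each flow record and return (record, verdict) pairs."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        results.append((line, decide(src, dst, proto, int(dport))))
    return results


if __name__ == "__main__":
    for problem in policy_invariants():
        print("POLICY PROBLEM:", problem)
    for record, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:5}  {record}")
```

Run against a real connection log, the `deny` lines are the flows your provider, perimeter and host firewalls should each be dropping; a flow that is marked `deny` here but shows up as established in the log points at a gap in one of those layers. The second rule flagged by `policy_invariants` (no SSH, SMB or RDP from the DMZ into the LAN) is the concrete form of the article's point that a compromised Web server should gain an attacker little.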

VM hosting in the cloud is a decision driven by its business benefits as much as its technology. You’ve heard all the benefits before: Burstability when resources run low, quick and sometimes fully automated scaling of servers and services, commodity pricing atop infrastructures with massive economies of scale. Placing VMs in a segregated and Internet-accessible DMZ design is a low-risk first step toward realizing the benefits of VM hosting, while also boosting VM security in the cloud.

This was first published in July 2011
