Virtual-to-cloud (V2C) conversion moves virtual machines (VMs) into a form that can be operated inside a cloud. Hosting those VMs in an isolated demilitarized zone (DMZ) design greatly improves cloud security. But before I explain how your DMZ setup affects VM hosting, let’s discuss the DMZ’s virtualization roots.
DMZ design and V2C: Creating boundaries
DMZs sit outside the internal LAN, and separating their exposed resources from the systems inside the LAN shields your data from the Internet’s nastier traffic. That separation makes it harder to move data into and out of a DMZ, especially when creating and securing the connections to internal resources.
At the same time, DMZ isolation provides an easy-to-define boundary for VMs in the cloud, greatly improving VM security. A segregated DMZ acts as a protective bubble around those VMs.
Improving VM security with DMZ design
With an isolated DMZ design, hosting VMs in the cloud is just as secure as running them in a traditional virtual infrastructure. Even after conversion to the cloud, VMs in a DMZ require the same level of network access they had before. Cloud-hosted VMs still need HTTP and HTTPS connectivity, but those connections are just as easy to protect in the cloud as they are at home.
To ensure VM security, some offsite VM hosting requires additional networking configurations. Those configurations connect VMs with resources inside the LAN, such as databases or application servers.
Some cloud providers offer hardware- or software-based firewalls that strictly control traffic between cloud-based VMs and the IP endpoint at your perimeter. You can further protect that incoming traffic with LAN-based firewalls or reverse proxies. For even better VM security, the firewall built into your VM’s operating system adds yet another layer of protection that is independent of your cloud provider or virtualization platform.
If performance requirements permit, you can keep the data inside your LAN while hosting the VMs that process it in the cloud. With this configuration, an attacker gains little from compromising your Web servers and must do further work to reach internal data.
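As an added example that is not part of the original article, here is a host-based firewall ruleset (iptables-restore format) for a cloud-hosted DMZ web VM that implements the layering described above: only HTTP and HTTPS are exposed to the Internet, administration is limited to an internal management subnet, and the single permitted path back into the LAN is the database that stays on premises. The addresses, subnet and database port are assumed placeholder values, not figures from the article.

```shell
#!/bin/sh
# Host firewall for a DMZ web VM whose data stays inside the LAN.
# All addresses below are constructed placeholders (assumptions).
INTERNAL_DB="10.0.20.5"     # assumed database host kept inside the LAN
DB_PORT="5432"              # assumed PostgreSQL port
MGMT_NET="10.0.10.0/24"     # assumed management subnet allowed to SSH in

# Emit the ruleset. Default policy is DROP in every direction, so anything
# not listed here (including other LAN hosts) is unreachable from this VM.
dmz_web_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and replies to connections already accepted or started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the only services exposed to the Internet: HTTP and HTTPS
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# administrative access only from the internal management subnet
-A INPUT -p tcp -s ${MGMT_NET} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "dmz-web-drop-in: " --log-level 4
# outbound: replies, DNS, and exactly one path back into the LAN (the DB)
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d ${INTERNAL_DB} --dport ${DB_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -j LOG --log-prefix "dmz-web-drop-out: " --log-level 4
COMMIT
EOF
}

# Load the ruleset atomically when run as root on a host with iptables-restore;
# otherwise print it so it can be reviewed before deployment.
apply_dmz_web_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        dmz_web_rules | iptables-restore
    else
        dmz_web_rules
    fi
}
```

Dropped packets are logged with a distinguishing prefix in both directions, which gives the VM's own logs a record of any attempt to reach LAN hosts other than the database.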
VM hosting in the cloud is a decision driven as much by business benefits as by technology. You’ve heard the benefits before: burstability when resources run low, quick and sometimes fully automated scaling of servers and services, and commodity pricing atop infrastructures with massive economies of scale. Placing VMs in a segregated, Internet-accessible DMZ design is a low-risk first step toward realizing the benefits of VM hosting while also boosting VM security in the cloud.
This was first published in July 2011