How DMZ design improves VM security in the cloud

You’re probably aware of P2V conversion and V2V conversion, but moving VMs to the cloud is a whole new ballgame -- especially around security. With a segregated DMZ design, you can safely host VMs in the cloud.

Virtual-to-cloud (V2C) conversion converts virtual machines (VMs) into a form that can be operated inside a cloud. If you host VMs in an isolated demilitarized zone (DMZ) design, you can greatly improve cloud security. But before I explain how your DMZ setup affects VM hosting, let’s discuss DMZ’s virtualization roots.

DMZ design and V2C: Creating boundaries

DMZs exist outside the internal LAN, and separating their exposed resources from everything else inside the LAN protects your data from the Internet’s nastier bits. That separation makes it difficult to get data into and out of a DMZ, especially when creating and securing the connections to internal resources.

At the same time, DMZ isolation provides an easy-to-define boundary for VMs in the cloud, greatly improving VM security. A segregated DMZ acts as a protective bubble around those VMs.

Improving VM security with DMZ design

With an isolated DMZ design, VM hosting in the cloud is just as secure as running VMs in a traditional virtual infrastructure. Even after a VM conversion to the cloud, VMs in a DMZ require the same level of network access that they did previously. Cloud-hosted VMs also require HTTP and HTTPS connectivity, but those protocols are just as easy to protect offsite as they are at home.

To ensure VM security, some offsite VM hosting requires additional networking configurations. Those configurations connect VMs with resources inside the LAN, such as databases or application servers.

Some cloud providers offer hardware-based or software-based firewalls that strictly control traffic between cloud-based VMs and the IP endpoint at your perimeter. One can further protect that incoming traffic with LAN-based firewalls or reverse proxy solutions. For even better VM security, firewall software built into your VM’s operating system adds yet another layer of protection outside the scope of your cloud provider or virtualization platform.

If performance requirements permit, you can retain data inside your LAN while hosting the VMs that process that data. With this VM security configuration, an attacker would gain little from hacking your Web servers, requiring further effort to access internal data. 
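The two preceding paragraphs describe the layered model in practice: the cloud provider's firewall and your LAN firewall or reverse proxy sit on the path, and the VM's own operating-system firewall adds the last layer, permitting only HTTP and HTTPS inbound and only the specific internal resources (the database, a resolver) outbound. The following is an added example written for this article, not code from the author or any vendor; it models that host-level policy as a default-deny allow list, checks sample flows against it, lists what the VM could still reach inside the LAN if it were compromised, and renders the policy as an nftables ruleset. All addresses and ports (DMZ VM 10.10.0.5, LAN 192.168.0.0/16, database 192.168.10.5, resolver 192.168.0.53) are constructed for illustration.

```python
"""Host-based firewall policy for a DMZ-hosted web VM (added example).

Illustrative code written for this article, not a tool from the article's
author or any vendor. Addresses and ports are constructed: the DMZ VM is
10.10.0.5, the internal LAN is 192.168.0.0/16, the database server is
192.168.10.5 and an internal DNS resolver is 192.168.0.53. The policy is
default-deny in both directions: inbound only HTTP/HTTPS, outbound only to
the internal resources the VM actually uses.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

INTERNAL_LAN = ip_network("192.168.0.0/16")   # constructed internal LAN
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    direction: str       # "in": traffic to the VM; "out": traffic from the VM
    proto: str           # "tcp" or "udp"
    dport: int           # destination port
    peer: IPv4Network    # remote side: source for "in", destination for "out"


@dataclass(frozen=True)
class Flow:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


# Explicit allow list; everything not listed is dropped.
DMZ_WEB_POLICY = [
    Rule("in", "tcp", 80, ANY),                               # HTTP from the perimeter
    Rule("in", "tcp", 443, ANY),                              # HTTPS from the perimeter
    Rule("out", "tcp", 5432, ip_network("192.168.10.5/32")),  # the application's database only
    Rule("out", "udp", 53, ip_network("192.168.0.53/32")),    # internal resolver only
]


def evaluate(policy, flow):
    """Return 'accept' if some rule matches the flow, otherwise 'drop'."""
    peer = ip_address(flow.src if flow.direction == "in" else flow.dst)
    for rule in policy:
        if (rule.direction, rule.proto, rule.dport) == (flow.direction, flow.proto, flow.dport) \
                and peer in rule.peer:
            return "accept"
    return "drop"


def lateral_reach(policy, internal_net=INTERNAL_LAN):
    """List outbound rules that let this VM initiate connections into the LAN.

    This is what a compromised web server could still reach from the DMZ;
    review it and keep it as short as the application allows.
    """
    return [f"{r.proto}/{r.dport} -> {r.peer}"
            for r in policy
            if r.direction == "out" and r.peer.subnet_of(internal_net)]


def render_nftables(policy):
    """Render the policy as an nftables ruleset for the VM's own OS firewall."""
    def clause(rule):
        addr = "" if rule.peer == ANY else (
            f"ip saddr {rule.peer} " if rule.direction == "in" else f"ip daddr {rule.peer} ")
        return f"    {addr}{rule.proto} dport {rule.dport} accept"

    lines = ["table inet dmz_vm {",
             "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    iif lo accept",
             "    ct state established,related accept"]
    lines += [clause(r) for r in policy if r.direction == "in"]
    lines += ["  }",
              "  chain output {",
              "    type filter hook output priority 0; policy drop;",
              "    oif lo accept",
              "    ct state established,related accept"]
    lines += [clause(r) for r in policy if r.direction == "out"]
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables(DMZ_WEB_POLICY))
    print("lateral reach:", lateral_reach(DMZ_WEB_POLICY))
```

The output chain is the part that enforces the article's "retain data inside your LAN" point: with a default-drop output policy, the web VM can open connections only to the database and the resolver, so a foothold on the web server does not by itself become a path to file servers or management interfaces. The rendered ruleset can be syntax-checked with `nft -c -f` before it is loaded; the provider and LAN firewalls described above should carry the same allow list so that no single layer is the only thing enforcing it.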

VM hosting in the cloud is a decision driven by its business benefits as much as its technology. You’ve heard all the benefits before: Burstability when resources run low, quick and sometimes fully automated scaling of servers and services, commodity pricing atop infrastructures with massive economies of scale. Placing VMs in a segregated and Internet-accessible DMZ design is a low-risk first step toward realizing the benefits of VM hosting, while also boosting VM security in the cloud.

This was first published in July 2011
