
Is Hybrid DMZ Reference Designs for vCloud Air what it claims to be?

VMware's reference architecture, Hybrid DMZ Reference Designs, brings network connectivity to vCloud Air data centers. But is it really based on the DMZ, as its name implies?

I find the name for VMware's series of architectures based on the concept of the demilitarized zone a bit peculiar. The sales pitch for Hybrid DMZ Reference Designs for vCloud Air suggests they consolidate security, core services and network connections while extending on-premises security and governance to this cloud demilitarized zone.

The problem is, when I reviewed the documentation, I found nothing specific to a demilitarized zone in the reference design. Instead, this design appears to describe a vCloud Air data center with greater network connectivity than existing vCloud Air data centers. While this networking is valuable, the overall product doesn't seem to do what its name would suggest.

Bear in mind that these are reference designs -- essentially, a template from which you can design a solution to your business's problems. These designs provide guidance for ways to use vCloud Air.

It's interesting to note that the documentation for the Hybrid DMZ Reference Designs shows it as a new vCloud Air data center rather than an expansion of the existing data center. This new data center sits on dedicated physical hardware, which provides tenants with greater flexibility to configure the network. It does look like the designs could be added onto an existing dedicated vCloud Air data center, but that's not indicated in the documentation I've seen.


This new Hybrid DMZ data center provides a single point of connectivity between your on-premises network and your vCloud Air data centers. It is less clear whether the Hybrid DMZ is also the point of internet connectivity. I associate a DMZ with a security boundary, usually between the corporate network and the internet; applications are published to the internet via the DMZ and access to internet sites is controlled through the DMZ. I didn't see any indication that the Hybrid DMZ provides this service to on-premises or vCloud Air-based applications. For this reason, I don't see a demilitarized zone in the Hybrid DMZ designs.

The definition of a data center is difficult in the cloud. On premises, we know that a data center is a large room full of computers. For a cloud provider, a data center is one or more very large rooms full of computers. But for a tenant of an infrastructure as a service cloud, the data center boundary isn't as well-defined. A tenant data center is a logical grouping of resources rather than a physical location. A single tenant may have multiple data centers that are all housed inside the provider's massive data center. The Hybrid DMZ allows a tenant with multiple data centers in vCloud Air to link them together. Shared services can be placed in a new, Hybrid DMZ data center. Having these shared services is more efficient than providing the same services inside multiple vCloud Air data centers.

It seems that VMware expects Hybrid DMZ to appeal to customers with multiple vCloud Air data centers. They may have separate data centers for business units or testing and development versus production. They may also have separate vCloud Air data centers for disaster recovery to the cloud. VMware's documentation for the Hybrid DMZ implies there is no other way for a customer to route between their vCloud Air data centers, at least, not without network traffic leaving vCloud Air.

I would be very surprised if a new Hybrid DMZ data center is the only way to join vCloud Air data centers together, although it is certainly one option.

Now for the security and DMZ aspect: It's always been possible to house a DMZ inside vCloud Air, just as you would with on-premises vSphere. But how does VMware propose to extend your on-premises security and governance to vCloud Air Hybrid DMZs? The first way is to run VMs in this new Hybrid DMZ. Those VMs can run the same security tools that you run in VMs on premises. This is a core value proposition for vCloud Air; it uses the same hypervisor as you use on premises. There is nothing new in being able to run your software firewall and intrusion detection software on vCloud Air.

The second method is to run VMs with vCloud Air Advanced Networking Services. This is essentially NSX for vCloud Air, and is extremely cool. There are great features for network microsegmentation, dynamic routing, WAN acceleration and VPNs. These Advanced Networking Services are available to every vCloud Air data center, not just Hybrid DMZs.

I can see some customers getting value from a vCloud Air Hybrid DMZ, particularly customers who are serious about using vCloud Air and who have multiple vCloud Air data centers. I suspect that these customers are in the process of migrating much of their on-premises estate onto vCloud Air. It was a bit of a struggle to get information about these reference designs. Some of the links on the main website were broken. I wonder whether the reference designs are usually delivered by VMware's Professional Services Organization; maybe they aren't really meant to be used by customers.
