
Mitigating Hypervisor Management Network Risks

By CIOReview | Wednesday, August 9, 2017

When implementing new hypervisor configurations in an IT infrastructure, organizations often overlook setting up the management network. The key to a proper setup is the number of network adapters the enterprise has. An extensive list of best practices applies to configuring the management network, irrespective of the hypervisor environment the organization currently uses, be it VMware, Hyper-V, or any other virtual environment.

The final configuration of any management network ultimately depends on the number of network adapters installed in the organization’s host servers and on how those adapters are used.

Virtual environments like VMware ESXi and Hyper-V have low requirements and can function on a server with a single network adapter installed. Even so, it is highly recommended to provision hypervisor servers with as many physical network adapters as the servers can hold. Apart from the number of adapters, the performance of the virtual environment also depends heavily on how the adapters are used.

It is highly recommended to use at least three network adapters in a Hyper-V environment, and to increase the number whenever possible. The first network adapter should support the organization’s management network, primarily for enterprise management and monitoring tasks.

Because physical servers hold a limited number of network adapters, some businesses share one network segment between the cluster network and the management network. Before adopting this approach, organizations must configure their cluster network carefully to get the expected results.

In the Cluster Network Properties dialog box for a network segment, radio buttons allow or disallow cluster communications on the selected network. The biggest concern at this step is checking and managing user traffic within the organization. If cluster network communications are allowed on a selected network, client connectivity is also allowed by default. Client connectivity can then be disallowed by deselecting the "Allow Clients to Connect through This Network" checkbox.
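The same dialog settings can be read and changed from PowerShell. The following is an added example, not part of the original article: it assumes the FailoverClusters module is installed and uses 'Management' as a placeholder name for the shared management/cluster network. The dialog's options correspond to the cluster network `Role` values 0, 1 and 3.

```powershell
# Added example. Requires the FailoverClusters module
# (installed with the Failover Clustering feature or its RSAT tools).
Import-Module FailoverClusters

# Cluster network Role values and the dialog setting each one represents.
$RoleMeaning = @{
    0 = 'Cluster communication not allowed'
    1 = 'Cluster communication allowed, clients not allowed'
    3 = 'Cluster communication allowed, clients allowed (default)'
}

function Get-ClusterNetworkRoleReport {
    # List every cluster network with its role spelled out in dialog terms.
    Get-ClusterNetwork | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            Subnet  = "$($_.Address)/$($_.AddressMask)"
            Role    = [int]$_.Role
            Meaning = $RoleMeaning[[int]$_.Role]
        }
    }
}

function Set-ManagementNetworkClusterOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: the name your cluster gives the shared management network.
        [Parameter(Mandatory)][string]$NetworkName
    )
    $net = Get-ClusterNetwork -Name $NetworkName -ErrorAction Stop
    if ([int]$net.Role -eq 3) {
        # Equivalent to clearing "Allow Clients to Connect through This Network".
        if ($PSCmdlet.ShouldProcess($NetworkName, 'Set Role to 1 (cluster only, no clients)')) {
            $net.Role = 1
        }
    } else {
        Write-Verbose "$NetworkName has Role $([int]$net.Role); no change made."
    }
}

# Review the current state, then preview the change before applying it.
Get-ClusterNetworkRoleReport | Format-Table -AutoSize
Set-ManagementNetworkClusterOnly -NetworkName 'Management' -WhatIf
```

Remove `-WhatIf` to apply the change after confirming that no clients depend on reaching clustered roles through that network.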

If an organization decides to use a dedicated network for cluster communications, the best option is a dedicated backbone segment for the cluster configuration. However, when one segment carries both cluster and management traffic, the organization cannot use an isolated backbone segment unless a dedicated management station is connected to that segment.

The second and third network adapters should be used for user traffic and storage traffic respectively. This arrangement does not fit every case, for example a server using Fibre Channel storage or direct-attached storage. Even with such limitations, the three-network-adapter rule is a good guideline for most scenarios.

Where a Hyper-V server has more than three physical network adapters, it is recommended to build NIC teams from the remaining NICs, enabling a collection of physical NICs to function as one. Windows Server 2012 and 2012 R2 (code-named Windows Server 8) allow NIC teams to be defined at the software level without any specialized hardware.

The hypervisor management network should be logically isolated within the organization, so that it carries only management, monitoring, and clustering traffic. This traffic isolation can be ensured by not installing applications directly on the host servers and by configuring firewall rules to block any traffic that is not specifically required.