Loading Posts...

VMware Virtualized DMZ Security Architectures

To mitigate the risk in your VMware environment you need to have a properly configured Security Zones in your Network. Your end users should not have access to the Management interfaces and it should be separately operated and managed. Keep Virtual Machine workloads in the properly configured security zones can mitigate the security threats in your network. That’s where DMZ (Demilitarized Zone) configuration comes in to play. Let’s briefly discuss what are the features of DMZ architectures in VMware.

There are three main DMZ Architectures: 

  • Partially collapsed DMZ with separate physical trust zones
  • Partially collapsed DMZ with separate virtual trust zones
  • Fully collapsed

Let’s discuss what are the features of these Architectures

Partially collapsed with separate physical zones


  • Simpler, less complex configuration
  • Less changes to the physical environment
  • Less change to separation of duties, less change in staff knowledge requirements
  • Less chance of misconfiguration due to the less complexity


  • More Physical resources required (ESXi hosts/Clusters) for each and every zone – Less consolidation
  • Higher costs for physical resources
  • Complete physical separation of different application types and risks
  • This method is not an optimal solution, there are separately allocated physical hosts and not shared or consolidated VMs – incomplete usage of the Virtualization concepts

Partially collapsed with separate virtual zones


  • Different Zones in a single ESXi host – fully utilization of resources
  • Full utilization of the advantages of Virtualization
  • Lower costs
  • Firewall Separation done only in the Network layer


  • Greater chance of misconfiguration
  • More Physical NIC cards will be required to connect to the each and every security zone
  • This is a better use of Virtualization concepts when comparing to the Partially collapsed with separate physical zones
  • This method is more complex and error prone configuration
  • If there is any accidental connectivity to a different zone put your environment in a danger situation
  • Regular audits might be required

Fully collapsed


  • Lower Cost Option
  • There are no physical firewall in between the security zones, only a virtual firewall appliance is configured – full utilization of resources
  • Virtual firewall handles the network segregation
  • Management of entire DMZ and network from a single management workstation


  • Greatest Complexity
  • Requirement of explicit configuration of separation of duties to help mitigate risk of misconfiguration (Regular audits required)
  • Proper configuration required otherwise loss of functionality of the system

In these three methods Virtual Machine network traffic is separated from the Management traffic. Also there should be a proper Change Management and Security Auditing methods for any sort of changes in these environments.

Click to rate this post!
[Total: 2 Average: 5]

Aruna Lakmal

Associate Technical Specialist at Pearson, Sri Lanka. Technology junky, enthusiast, a VMware vExpert and a blogger with more than 7 years of Experience in Information Technology more focusing on VMware Virtualization, Microsoft and Datacenter Technologies.

Get Updates Directly To Your Inbox!


Leave a Reply

Loading Posts...