Deep Security and ESXi Net.DVFilterBindIpAddress, Design considerations on DSVA Appliance

Deep Security was one of the first products to use vShield Endpoint integration, thus offloading the AV scans to the hypervisor. In this blog I am going to give a short overview of how some of the components fit together and how the communication works.

Deep Security Configuration

Let's start off on the Deep Security side. When you add a vCenter to Deep Security it will ask for the vCenter and vShield details. Once these have been entered you can look at the properties of the configuration for the vCenter. On this page you will see that there is an additional tab named Network Configuration. See below:

[Screenshot DS02: vCenter properties in DSM, Network Configuration tab]

As you can see there is a VM Kernel IP and an Appliance IP. Change these ONLY if the default will clash with an IP range in your network. As you can see the default is 169.254.1.1/24. If you want to change it you need to do so before you prep the ESXi hosts. Take this as a design consideration.

VM Kernel IP

Each ESXi host will be assigned the same IP: 169.254.1.1. This IP is configured automatically in the ESXi advanced setting Net.DVFilterBindIpAddress. (Don't go and play with this!!) See below:

[Screenshot DS01: ESXi advanced setting Net.DVFilterBindIpAddress]

Appliance IP

Next is the Appliance IP. Each host will also have a Deep Security Appliance deployed. This internal IP (it also has an external IP that is used for management via DSM and is configured at deployment via the UI) will be the IP shown above: 169.254.1.39. The IP will be the same for each Appliance that is deployed. By default vMotion is disabled for this appliance, so the Appliance is "pinned" to a host.

Design considerations on the Appliance:

  • If you have internal disks on the host, you could consider deploying the appliance to those disks. Make sure they are at least mirrored.
  • The Appliance does have reserved memory. From an HA perspective, take into account that you will have less memory available for VMs. Do the maths!
  • Set HA VM monitoring on this appliance (see the points below on what happens when this Appliance is off).
  • You can also create an alarm with an action to power on this VM if it is powered off (see the points below on what happens when this Appliance is off).

Communication Channel

Now that this internal network has been set up between the ESXi host and the Appliance, the data that needs to be scanned is passed over this internal network to the Appliance for scanning.

So what will happen if the appliance is powered off?

  • A vSphere alarm will be raised that the VM is off
  • The VMs will still work but there will be no protection for them (only those on the host where the Appliance is off)
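The three operational checks this post implies (every host carries the same Net.DVFilterBindIpAddress, every host has its appliance powered on, and the appliance reservation is subtracted before sizing HA) can be scripted. The following is an added example written for this post, not code from Trend Micro or VMware. The audit logic runs offline against a constructed inventory; the `collect_from_vcenter` helper uses pyVmomi to build the same records from a live vCenter and is the only part that needs a connection. The appliance name prefix and the 4096 MB reservation in the sample are assumptions; the HA figure is a simplified estimate that only accounts for the appliance reservations, not other VM reservations or admission-control policy.

```python
"""Audit DSVA wiring per ESXi host and estimate what the appliance
reservations remove from HA capacity (added example, not vendor code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default VM Kernel IP from the DSM "Network Configuration" tab (see post).
EXPECTED_BIND_IP = "169.254.1.1"
# Assumption: how the deployed appliances are named in vCenter.
DSVA_NAME_PREFIX = "Trend Micro Deep Security Appliance"


@dataclass
class HostRecord:
    name: str
    bind_ip: Optional[str]              # value of Net.DVFilterBindIpAddress
    total_mem_mb: int
    dsvas: List[Tuple[str, str, int]]   # (vm name, power state, reserved MB)


def audit_hosts(hosts: List[HostRecord], expected_ip: str = EXPECTED_BIND_IP):
    """Return (host, issue) findings; an empty list means every host is wired."""
    findings = []
    for h in hosts:
        if h.bind_ip != expected_ip:
            findings.append((h.name, f"Net.DVFilterBindIpAddress is {h.bind_ip!r}, "
                                     f"expected {expected_ip}"))
        if not h.dsvas:
            findings.append((h.name, "no Deep Security appliance on this host"))
        for vm, state, _ in h.dsvas:
            if state != "poweredOn":
                # Appliance off means the VMs on this host run unprotected.
                findings.append((h.name, f"appliance {vm} is {state}"))
    return findings


def reserved_by_dsva_mb(hosts: List[HostRecord]) -> int:
    """Memory pinned by appliance reservations across the cluster."""
    return sum(r for h in hosts for _, _, r in h.dsvas)


def ha_usable_memory_mb(hosts: List[HostRecord], host_failures_to_tolerate: int = 1) -> int:
    """Memory left for workload VMs after DSVA reservations and after losing
    the N largest hosts (worst case). Simplified: ignores other reservations."""
    per_host = sorted(h.total_mem_mb - sum(r for _, _, r in h.dsvas) for h in hosts)
    keep = len(per_host) - host_failures_to_tolerate
    return sum(per_host[:keep]) if keep > 0 else 0


def collect_from_vcenter(server: str, user: str, password: str, insecure: bool = False):
    """Build HostRecord objects from a live vCenter with pyVmomi (not run offline)."""
    import ssl
    from pyVim.connect import SmartConnect, Disconnect
    from pyVmomi import vim

    ctx = ssl._create_unverified_context() if insecure else None
    si = SmartConnect(host=server, user=user, pwd=password, sslContext=ctx)
    try:
        content = si.RetrieveContent()
        view = content.viewManager.CreateContainerView(
            content.rootFolder, [vim.HostSystem], True)
        records = []
        for esx in view.view:
            opts = esx.configManager.advancedOption.QueryOptions("Net.DVFilterBindIpAddress")
            bind_ip = opts[0].value if opts else None
            dsvas = [(vm.name, str(vm.runtime.powerState),
                      vm.config.memoryAllocation.reservation or 0)
                     for vm in esx.vm if vm.name.startswith(DSVA_NAME_PREFIX)]
            records.append(HostRecord(esx.name, bind_ip,
                                      esx.hardware.memorySize // (1024 * 1024), dsvas))
        view.Destroy()
        return records
    finally:
        Disconnect(si)


# Constructed sample inventory: three 128 GB hosts, one with a mismatched
# bind IP and one whose appliance is powered off.
SAMPLE_HOSTS = [
    HostRecord("esx01", "169.254.1.1", 131072,
               [(DSVA_NAME_PREFIX + "-esx01", "poweredOn", 4096)]),
    HostRecord("esx02", "169.254.1.2", 131072,
               [(DSVA_NAME_PREFIX + "-esx02", "poweredOn", 4096)]),
    HostRecord("esx03", "169.254.1.1", 131072,
               [(DSVA_NAME_PREFIX + "-esx03", "poweredOff", 4096)]),
]

if __name__ == "__main__":
    for host, issue in audit_hosts(SAMPLE_HOSTS):
        print(f"{host}: {issue}")
    print("reserved by DSVA (MB):", reserved_by_dsva_mb(SAMPLE_HOSTS))
    print("usable for VMs with 1 host failure (MB):", ha_usable_memory_mb(SAMPLE_HOSTS))
```

Run `audit_hosts(collect_from_vcenter(...))` on a schedule and alert on any non-empty result; this complements the vSphere alarm the post recommends, since it also catches a host whose bind IP drifted from what DSM expects.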
