Wednesday, March 13, 2019

Virtual Firewall as the Edge (x-post from /r/Sysadmin)

Hey all,

I posted this in /r/sysadmin as well and would love your input.

I'm curious if anyone is using a virtual firewall/router as their edge gateway for an on-premises datacenter.

I've been looking at new firewalls and have been chewing on the thought of virtualized firewalls as the edge, handling both internal (east-west) traffic and external internet (north-south) traffic.

It seems risky, but at the same time, it seems like there could be advantages:

Failover - architected the right way, the firewall VM would fail over to a different host if the main host craps out, and you might get a hiccup. Additionally, it seems like most VMs will also run in an active-passive pair, so even if the VM itself fails you can have the passive take over.

Cost - It's more OpEx than CapEx. For example, at CDW I see a Palo Alto VM-100 license with all the addons (ThreatPrev, URL Filtering) is ~$3500 for the first year, and each subsequent year is only renewal for the security services. The VM-100 is capable of 2Gbps throughput. A comparable hardware model, the PA-850, is running you ~$12k without any of the addon services.

Flexibility - If we end up needing more than 2Gbps throughput, I don't need to buy new hardware. I just buy a license for the upgraded VM and I don't even have to go into my datacenter to perform the upgrade (provided I have a proper HA pair).

I think the major concern would be security and putting one of our critical services (internet connectivity) on shared infrastructure with everything else. Now a failed cluster doesn't just mean internal services are down; so is our access to SaaS and cloud workloads.
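The failover advantage above only holds if the active and passive firewall VMs do not share a failure domain, and the shared-infrastructure concern is really the same question asked of the whole cluster. The following is an added example, not part of the original post, of the placement check a practitioner would run before trusting a virtual HA pair at the edge: it takes a constructed inventory (hypothetical VM, host and datastore names) and reports pairs whose members sit on the same host or datastore, then simulates host loss to find any single host whose failure takes an entire pair down.

```python
"""Placement check for virtual firewall HA pairs.

Added example for this post (not from the original). The inventory is
constructed and every VM/host/datastore name is hypothetical; in practice
you would pull this from the hypervisor API (e.g. a vSphere or Proxmox
inventory) and enforce the result with an anti-affinity rule.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class VM:
    name: str
    host: str        # hypervisor the VM currently runs on
    datastore: str   # where its virtual disks live


@dataclass(frozen=True)
class HAPair:
    name: str
    active: str
    passive: str


# Constructed sample inventory (hypothetical names).
INVENTORY: Dict[str, VM] = {
    # Edge pair: both members landed on the same host and datastore,
    # which is exactly the "failover that doesn't fail over" case.
    "fw-edge-a": VM("fw-edge-a", "esx01", "ds-ssd-1"),
    "fw-edge-b": VM("fw-edge-b", "esx01", "ds-ssd-1"),
    # Core pair: spread across hosts and datastores.
    "fw-core-a": VM("fw-core-a", "esx02", "ds-ssd-1"),
    "fw-core-b": VM("fw-core-b", "esx03", "ds-ssd-2"),
    "app01":     VM("app01", "esx02", "ds-ssd-2"),
}

HOSTS: Set[str] = {"esx01", "esx02", "esx03"}

PAIRS: List[HAPair] = [
    HAPair("edge", "fw-edge-a", "fw-edge-b"),
    HAPair("core", "fw-core-a", "fw-core-b"),
]


def placement_problems(pair: HAPair, inventory: Dict[str, VM]) -> List[str]:
    """Findings for one pair; an empty list means the members are spread."""
    a, b = inventory[pair.active], inventory[pair.passive]
    problems = []
    if a.host == b.host:
        problems.append(f"{pair.name}: both members on host {a.host}; "
                        "one host failure takes the whole pair")
    if a.datastore == b.datastore:
        problems.append(f"{pair.name}: both members on datastore {a.datastore}; "
                        "one storage failure takes the whole pair")
    return problems


def survives_host_loss(pair: HAPair, inventory: Dict[str, VM],
                       lost_hosts: Set[str]) -> bool:
    """True if at least one member of the pair is still on a surviving host."""
    return any(inventory[m].host not in lost_hosts
               for m in (pair.active, pair.passive))


def single_points_of_failure(pair: HAPair, inventory: Dict[str, VM],
                             hosts: Iterable[str]) -> List[str]:
    """Hosts whose individual failure leaves no member of the pair running."""
    return sorted(h for h in hosts if not survives_host_loss(pair, inventory, {h}))


def report(pairs: List[HAPair], inventory: Dict[str, VM],
           hosts: Set[str]) -> Dict[str, List[str]]:
    """Per-pair list of findings (placement problems plus host SPOFs)."""
    out: Dict[str, List[str]] = {}
    for p in pairs:
        findings = placement_problems(p, inventory)
        for h in single_points_of_failure(p, inventory, hosts):
            findings.append(f"{p.name}: loss of {h} alone takes the pair offline")
        out[p.name] = findings
    return out


if __name__ == "__main__":
    for name, findings in report(PAIRS, INVENTORY, HOSTS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against the constructed inventory, the edge pair is flagged on host, datastore and single-host loss, while the core pair is clean; the same check extended to every critical pair in the cluster is how you answer the "what if the cluster fails" question with specifics rather than a gut feeling.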

Seems like one of those things where you won't be a hero if it all goes well, but you will 100% get fired if it goes south.

Curious what everyone else is thinking about this.

