While the cloud is revolutionary for enterprises, security issues are stalling migration. In our previous blog, we highlighted how vCloud Air Hybrid DMZ resolves those barriers.

Essentially, the DMZ is a single connection point and security layer that extends security concepts from on-premises to the cloud. It also brings management consolidation, performance improvements, and cost reductions. We’ve already covered those details. Now, we’ll turn our attention to how Hybrid DMZ works, referencing example designs as well.

To start off, Hybrid DMZ’s architecture can either extend or replace data centers. The key technology is the DMZ layer, a component that enables the best practices for on-premises security through to the cloud. It does this by first aggregating network connectivity — whether MPLS or IPsec — into a single point of contact. This consolidates all the network connections to individual vCloud Air virtual data centers. From here, the DMZ then segments network traffic and separates management servers from compute servers. With Advanced Networking Services, the DMZ layer basically becomes a router for downstream connected services.

With this set-up, IT admins gain a few functions at their fingertips. Separation of duties, for example, can be easily enabled. Regardless of the project variety across different virtual data centers, the Hybrid DMZ enables resource isolation and role-based access control. Shared services can also be managed. Given the greater consolidation; monitoring, logging, and orchestration are all easy to direct. And licensing requirements can also be controlled. Separation of app and OS licensing occurs physically, including for products such as Oracle or Windows datacenter.

Beyond the basics, Hybrid DMZ can be customized. It acts as an umbrella even when customers have multiple vCloud Air services. This applies for a mix of services, multiple instances of one service, or any combination. Architecture is sized based on customer needs. Additionally, optional features such as Direct Connect and Hybrid Cloud Manager can further customize designs.

Now that you’ve had a technical run-through, let’s look at a few design possibilities. Take the instance of multiple clouds with Direct Connect. Instead of individuals tapping into each specific one — all with their own DNS, directories, and IPs/IDs — using Hybrid DMZ’s singular Direct Connect moves those separate processes to one Dedicated Cloud. This DMZ layer then routes users to where VMs actually are, whether that’s a Dedicated Cloud, disaster recovery, or Virtual Private Cloud. Such resource reduction brings fantastic cost savings as well.

In another scenario, the issue might be high availability. Let’s say there are two Direct Connect circuits from separate vendors. With this situation, and only one Dedicated Cloud endpoint, Hybrid DMZ can use Advanced Networking Services to configure an active/standby setup. This simultaneously boosts performance and security.

Some admins favor intense micro-segmentation. The good news is that Hybrid DMZ can host security software in shared environments while implementing both North/South and East/West isolation. By having Hybrid DMZ as the contact-point, any mix of clouds can exist in the back. The endpoint is always secure since traffic goes through the DMZ. You can also use BGP and dynamic routing for defining priority paths, and mix and match internet connectivity across multiple circuits.


Do you have a use-case with different needs? We’re excited to hear them. At the end of the day, vCloud Air Hybrid DMZ secures organizations so they can leap forward into the cloud. With the right security concepts in place, you won’t have to hesitate about digital transformation.

To learn more about how Hybrid DMZ, check out Building Secure Data Centers in VMware vCloud Air with Hybrid DMZ.