Facing the developers: modernizing the private cloud

Is it hard to create a virtual machine (VM) in the cloud? No harder than making tea. But in a large corporation, even such a simple action can become painfully long. It is not enough to create the virtual machine; you also have to obtain the access needed for work, in compliance with all regulations. A familiar pain for every developer? At one large bank, this procedure took from several hours to several days. And since there were hundreds of similar operations per month, it is easy to imagine how much staff time this scheme consumed. To put an end to this, we modernized the bank's private cloud and automated not only the process of creating VMs, but also the related operations.

Task No. 1. A cloud with an Internet connection

The bank built the private cloud with its own internal IT team, for a single network segment. Over time, management came to value its benefits and decided to extend the private cloud concept to other environments and segments of the bank. This required more specialists and strong expertise in private clouds. So our team was entrusted with modernizing the cloud.

The main stream of this project was creating virtual machines in an additional information security segment: the demilitarized zone (DMZ). This is where the bank's services are integrated with external systems that sit outside the bank's infrastructure.

But this medal also had a flip side. Services in the DMZ were reachable "from outside", and that brought with it a whole set of information security risks. First of all, there is the threat of systems being compromised, followed by the expansion of the attack surface inside the DMZ, and then penetration into the bank's infrastructure. To reduce some of these risks, we proposed an additional security measure: a micro-segmentation solution.

Micro-segmentation protection

Classic segmentation builds protected boundaries at the network perimeter using a firewall. With micro-segmentation, each individual VM can be placed in its own personal, isolated segment.

This increases the security of the whole system. Even if attackers compromise one DMZ server, it will be very hard for them to spread the attack across the network: they will have to break through many "locked doors" inside it. The personal firewall of each VM holds its own rules for that VM, which determine what may come in and go out. We provided micro-segmentation using the VMware NSX-T Distributed Firewall. This product creates firewall rules for VMs centrally and distributes them across the whole virtualization infrastructure. It does not matter which guest OS is used; the rule is applied at the level where the virtual machine connects to the network.

Problem No. 2. In search of speed and convenience

Deploy a virtual machine? Easy! A couple of clicks and you are done. But then many questions come up: how do you get access from this VM to another VM or system? Or from another system back to the VM?

At the bank, for example, after ordering a VM on the cloud portal, you had to open the technical support portal and submit a request for the required access. A mistake in the request led to phone calls and correspondence to sort things out. At the same time, a VM may have 10-15-20 accesses, and processing each one took time. A devilish process.

In addition, "cleaning up" the traces left by deleted virtual machines needed special care. After the machines were removed, thousands of access rules remained on the firewall, loading the equipment. That is both extra load and a set of security holes.

You cannot treat rules in a cloud this way. It is inconvenient and unsafe.

To reduce the time it takes to provide access to VMs and to make that access easier to manage, we developed a network access management service for VMs.

At the level of the virtual machine, the user picks the item for creating an access rule from the context menu, and then fills in the parameters in the form that opens: from where, to where, protocol types, port numbers. Once the form is filled in and submitted, the necessary tickets are created automatically in the user technical support system, which is based on HP Service Manager. The tickets go to those responsible for approving this or that access and, if the access is approved, to the specialists who carry out the operations that are not yet automated.

After the stage of the business process that involves specialists has finished, the part of the service that automatically creates the rules on the firewalls starts.

As the final chord, the user sees a successfully completed request on the portal. This means the rule has been created and can be worked with: viewed, changed, deleted.

Final tally of benefits

In essence, we modernized small aspects of the private cloud, but the bank got a noticeable effect. Users now obtain network access only through the portal, without dealing directly with the Service Desk. Mandatory form fields, validation of the entered data, pre-configured lists, additional data: all of this helps to produce an accurate access request, which with a high degree of probability will be reviewed and not rejected by information security staff because of input errors. Virtual machines are no longer black boxes: you can keep working with them by making changes on the portal.

As a result, the bank's IT specialists now have a more convenient tool for obtaining access, and the only people involved in the process are those it definitely cannot do without. In total, in terms of labor costs, this frees at least 1 person from a full daily workload, and saves users many hours. Automating rule creation made it possible to implement a micro-segmentation solution that places no burden on the bank's employees.

And finally, the "access rule" became an accounting unit of the cloud. That is, the cloud now stores information about the rules of every VM and cleans them up when virtual machines are deleted.
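The rule lifecycle described above (a validated request form, rules tracked per VM, cleanup when a VM is deleted) can be modelled as follows. This is an added example, not code from the article or from the bank's service; it does not call NSX-T or HP Service Manager, and `RuleRegistry`, `AccessRule` and the allowed-protocol list are hypothetical names and assumptions.

```python
import ipaddress
from dataclasses import dataclass

ALLOWED_PROTOCOLS = {"tcp", "udp"}  # assumed pre-configured list offered by the form

@dataclass(frozen=True)
class AccessRule:
    source: str       # cloud VM name or external IP/CIDR
    destination: str
    protocol: str
    port: int

class RuleRegistry:
    """Hypothetical per-VM rule inventory; models the cloud's bookkeeping only."""

    def __init__(self, vms):
        self.vms, self.rules = set(vms), set()

    def _is_endpoint(self, value):
        if value in self.vms:
            return True
        try:
            ipaddress.ip_network(value, strict=False)
            return True
        except ValueError:
            return False

    def validate(self, source, destination, protocol, port):
        """Return a list of form errors; an empty list means the request is well formed."""
        errors = [f"unknown endpoint: {e}" for e in (source, destination)
                  if not self._is_endpoint(e)]
        if source not in self.vms and destination not in self.vms:
            errors.append("rule must involve at least one cloud VM")
        if protocol.lower() not in ALLOWED_PROTOCOLS:
            errors.append(f"protocol not allowed: {protocol}")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            errors.append(f"port out of range: {port}")
        return errors

    def request(self, source, destination, protocol, port):
        errors = self.validate(source, destination, protocol, port)
        if errors:
            raise ValueError("; ".join(errors))
        rule = AccessRule(source, destination, protocol.lower(), port)
        self.rules.add(rule)
        return rule

    def delete_vm(self, vm):
        """Remove the VM and every rule that references it, so nothing is left orphaned."""
        orphaned = {r for r in self.rules if vm in (r.source, r.destination)}
        self.rules -= orphaned
        self.vms.discard(vm)
        return orphaned
```

Because `delete_vm` returns the set of rules it removed, the same call can feed whatever step actually withdraws them from the firewall.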

Soon the benefits of the modernization will spread to the bank's entire cloud. Automation of the VM creation process and micro-segmentation have moved beyond the DMZ and taken in other segments. And this increases the security of the cloud as a whole.

The implemented solution is also interesting because it lets the bank speed up its development processes, bringing it closer to the model of IT companies in this respect. After all, when it comes to mobile applications, portals and customer services, any large company today strives to become a "factory" for producing digital products. In this sense, banks play on a par with the strongest IT companies, keeping pace in creating new applications. And it is good when the capabilities of an IT infrastructure built on the private cloud model let you allocate the resources needed for this in a few minutes and as securely as possible.

Authors:
Vyacheslav Medvedev, Head of the Cloud Computing Department, Jet Infosystems
Ilya Kuikin, lead engineer of the cloud computing department, Jet Infosystems

Source: www.habr.com
