Hi Fvistr01,
Thanks for this very interesting question.
So this is a design question, therefore I can't tell you what the best solution will be for your customer, as I don't know each of the points regarding security, needs and so on.
However, I can tell you a best practice and how I would solve it; then it's up to you and the customer, also regarding costs (licences), and I will give you 2 solutions.
1. The slightly more expensive solution:
Install a vCenter if not already installed. (As I can read from your question, this should already be there.)
Install 2 Separate Clusters.
1 Cluster being the PROD_COMPANY_Cluster1
1 Cluster being the DEV_COMPANY_Cluster1
Create 2 vDS switches and define the vLANs for the 2 clusters: 2x Server Network (a vLAN for the vGuests), and for the ESXi hosts 1 or 2 vLANs for ESXi Management and 1 or 2 vLANs for vMotion (if wanted and needed (DRS)).
Make sure that the 2 vLANs for the vGuests are blocked, like this: example: vLAN100 is the vLAN with IP segment 10.160.130.xxx/24 for PROD, and vLAN110 is the vLAN with IP segment 10.160.140.xxx/24 for DEV. Make sure that in the firewall rules DEV -> PROD is blocked, and vice versa if you wish both directions to be disabled.
I would not do a clone of your DEV to PROD, but instead just use the DEV and name it PROD and create a new DEV.
In this scenario you would not need to have a Resource Pool for DEV. (By the way, Resource Pools are only good in case there is an issue with your hardware, so that you can define which group will get priority to the resources in the same cluster. But as you would create 2 clusters, you will not need to segregate the environment.)
Now, you are saying that END users need to access DEV, so if you want them to connect through the PROD servers to DEV, I would suggest that you create a JUMPHOST and allow the IP from 1 or 2 jumphosts to access the DEV environment by opening this direction in the firewall management; otherwise you can just allow the connection from PROD to DEV but close the other direction from DEV to PROD. This is up to you.
With a jumphost, you would need to install a TS server and maybe work with DNS Round Robin for load-balancing purposes.
2. The cheaper solution (but works too):
If you don't want to create another cluster, you can just have all the ESXi hosts in 1 cluster and segregate them with the Resource Pools as you explained.
I wouldn't do it this way, as it's a little bit more complicated regarding the management of the environment; you will understand why in just a second:
- Install a Cluster for DRS purposes.
- Create 2 Resource Pools, make sure that the Resource Pools are correctly used! This is very critical when using Resource Pools and this is why:
Example 1: You have a total share of CPU = 12000 and a total share of Memory = 40000. Now you create a Resource Pool for PROD with High shares, which will give you 8000 on CPU and 26400 on Memory, and you create a DEV pool with Normal shares, which will give you 4000 on CPU and 13600 on Memory. If you now put 40 vGuests into the PROD Resource Pool and 10 into the DEV pool, your PROD vGuests will use only 200 shares of CPU and 660 of Memory. In the case of DEV, they will use 400 shares of CPU and 1360 shares of Memory. As you see, this makes no sense. And this is why I don't suggest the use of Resource Pools. But if you keep an eye on it and you don't overcommit, you could use it.
- I would suggest that you use Folders instead of Resource Pools (if you just need to separate them from the point of view of viewing them in vCenter).
- We do it this way: we name all vGuests that are Prod like this: vmwhatever1001 (Prod), vmwhatever6001 (Dev), meaning all vGuests with a name from 100x to 500x are PROD vGuests, and all starting with 600x to 900x are DEV/INT/TEST vGuests. This way you know which vGuest is what.
- Create a vSwitch (not a vDS), so it's cheaper.
1st, for PROD use the same as in Chapter 1 I gave you to create 2 separate vGuest Networks with the different vLANs.
2nd, for DEV use the same as in Chapter 1 I gave you to create 2 separate vGuest Networks with the different vLANs.
Connect the PROD vGuests to the vSwitch 1
Connect the DEV vGuests to the vSwitch 2
With this solution you will not need the expensive licensing model from VMware and still have a good infrastructure.
However, I would not recommend the use of Resource Pools, and if you do, keep in mind that the management overhead is higher than not using them!
Best regards,
Marco
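The share-dilution effect from Example 1 above, worked through as an added example (my own code, not from Marco's post or from VMware): it takes the post's pool share values and VM counts, flags where a single DEV VM would outrank a single PROD VM under contention, and goes one step further by computing the Custom share value the PROD pool would need to restore parity. It assumes every VM in a pool has the same share setting and all VMs are active, so a pool's shares are split evenly among them.

```python
import math
from dataclasses import dataclass


@dataclass
class Pool:
    """A vSphere resource pool with its share values and the number of VMs it holds."""
    name: str
    cpu_shares: int
    mem_shares: int
    vm_count: int


def per_vm_share(pool: Pool) -> tuple[float, float]:
    """Shares each VM effectively gets under contention.

    Assumption: all VMs in the pool use equal share settings and are all active,
    so the pool's shares are divided evenly among them (the situation in Example 1).
    """
    if pool.vm_count == 0:
        return (float(pool.cpu_shares), float(pool.mem_shares))
    return (pool.cpu_shares / pool.vm_count, pool.mem_shares / pool.vm_count)


def check_priority_inversion(prod: Pool, dev: Pool) -> list[str]:
    """Warn where one DEV VM would get more shares than one PROD VM under contention."""
    prod_cpu, prod_mem = per_vm_share(prod)
    dev_cpu, dev_mem = per_vm_share(dev)
    warnings = []
    if dev_cpu > prod_cpu:
        warnings.append(f"CPU: {dev.name} VM gets {dev_cpu:.0f} shares, {prod.name} VM only {prod_cpu:.0f}")
    if dev_mem > prod_mem:
        warnings.append(f"Memory: {dev.name} VM gets {dev_mem:.0f} shares, {prod.name} VM only {prod_mem:.0f}")
    return warnings


def required_prod_shares(prod: Pool, dev: Pool) -> tuple[int, int]:
    """Custom (cpu, mem) share values the PROD pool needs so each PROD VM at least
    matches a DEV VM. Shares are relative, so a value above the built-in High
    setting is fine when the pool's shares are set to Custom."""
    dev_cpu, dev_mem = per_vm_share(dev)
    return (math.ceil(dev_cpu * prod.vm_count), math.ceil(dev_mem * prod.vm_count))


if __name__ == "__main__":
    # Constructed input: the numbers from Example 1 in the post.
    prod = Pool("PROD", cpu_shares=8000, mem_shares=26400, vm_count=40)
    dev = Pool("DEV", cpu_shares=4000, mem_shares=13600, vm_count=10)
    for warning in check_priority_inversion(prod, dev):
        print("WARNING:", warning)
    print("PROD needs Custom shares (cpu, mem):", required_prod_shares(prod, dev))
```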