Thinking of switching from ESXi to Hyper-V, need some input.

KuJoe

I currently have an R610 hosted in one of my cabinets in a local data center that I use for personal use and have been running the free version of ESXi on it for a while (started with 5.0 and now it's running 5.5). I've been using ESXi because that's what I use at work and I'm comfortable with the GUI and PowerCLI along with all of the features (both free and paid), but one thing I've been wanting to do for a while is encrypt the data on the servers for better security since I may be shipping the server out to another data center in a different state where I won't have the benefit of a locking cabinet or physical access. The server hosts some sensitive data about myself and my company so I don't want somebody to just be able to grab a drive or two and ruin what I've built. Anyways, after further investigating, somebody on a blog somewhere suggested switching to Hyper-V because it supports BitLocker out of the box and my R610 has a TPM module. I have some Hyper-V experience but overall I prefer managing ESXi over Hyper-V, but in reality I rarely need to log into vSphere so I'd be willing to put up with Hyper-V the few times I needed to manage my VMs. Another reason I am looking at switching is the limits for the free ESXi license: I can only assign a max of 8 vCPUs to my VMs and I would love to bump up one of my VMs to at least 10 or 12 vCPUs to reduce the times some of my scripts run.

I've scoured the Google looking for comparisons and so far I cannot find a definitive reason for or against switching to Hyper-V (I already have Datacenter licenses for Server 2008 and Server 2012 so cost isn't a factor). Hopefully somebody who is familiar with both can shed some light on the subject with their experiences and opinions. Thanks!

EDIT: After I posted this and did a bit more searching I saw a lot of people recommending KVM as an alternative. I have been hosting KVM nodes for the past 5+ years and almost finished writing my custom control panel for KVM so it might be worth exploring as an option also since it supports FDE if I use CentOS. Dang, there are a lot of options now.

Edited by KuJoe
Adding KVM into the ring.

-KuJoe


As for the ESXi free limitations have you looked into VMUG EVALAdvantage? Gets you rather high end licensing for very low cost.

I've used Server 2012 R2 Hyper-V which is fairly good, no big complaints but the usage was rather easy as it was just a couple of small schools so hosted file servers, print servers etc. Server 2016 I would be perfectly happy to switch to from ESXi, been tossing that around for ages but I'm just so ingrained in the VMware world it's a bloody hard decision.


I got ESXi 6.5 installed but unfortunately I can confirm I need to purchase a vCenter license in order to utilize the encryption option. I'll also need to set up a 3rd-party KMS server. Looks like I'll be looking into Hyper-V more now.

-KuJoe


2 hours ago, leadeater said:

> As for the ESXi free limitations have you looked into VMUG EVALAdvantage? Gets you rather high end licensing for very low cost.
>
> I've used Server 2012 R2 Hyper-V which is fairly good, no big complaints but the usage was rather easy as it was just a couple of small schools so hosted file servers, print servers etc. Server 2016 I would be perfectly happy to switch to from ESXi, been tossing that around for ages but I'm just so ingrained in the VMware world it's a bloody hard decision.

Not sure how I missed the first line. The pricing for the VMUG Advantage is not bad, only $200. I might consider this but there's still a lot of work required to use the built-in encryption where Hyper-V makes it effortless. Thanks for that though, I still might subscribe even if I switch to Hyper-V. :D

-KuJoe


13 minutes ago, KuJoe said:

> Not sure how I missed the first line. The pricing for the VMUG Advantage is not bad, only $200. I might consider this but there's still a lot of work required to use the built-in encryption where Hyper-V makes it effortless. Thanks for that though, I still might subscribe even if I switch to Hyper-V. :D

Yea I love having the licenses and software it gives. If I switch to Hyper-V I'll more than likely have a virtual ESXi host in it to do all my lab stuff I want to try.


While the operating system (ESXi) and its configuration may not be encrypted, could you not just use the guest's operating system to encrypt the data? Assuming you're on a Windows network for the guests, would it not be viable to use BitLocker for certain folders? Not much of a need for AES-NI if you're not encrypting data constantly as you would be with VPN tunnels etc.


3 hours ago, Mikensan said:

> While the operating system (ESXi) and its configuration may not be encrypted, could you not just use the guest's operating system to encrypt the data? Assuming you're on a Windows network for the guests, would it not be viable to use BitLocker for certain folders? Not much of a need for AES-NI if you're not encrypting data constantly as you would be with VPN tunnels etc.

I considered this but I really like the idea of hardware-based encryption (i.e. TPM) so I can have my backups encrypted also. I also don't like the idea of having to enter a password if a Linux VM reboots and I'm not near a PC to console into the VM.

-KuJoe


2 minutes ago, KuJoe said:

> I considered this but I really like the idea of hardware-based encryption (i.e. TPM) so I can have my backups encrypted also. I also don't like the idea of having to enter a password if a Linux VM reboots and I'm not near a PC to console into the VM.

Hmmm, no way within Linux to do folder-based encryption and auto-magic decryption based off of user (with a certificate) credentials?

TPM is nice, but you can still fortify encryption in a similar manner with certificates on a USB drive.

Just options anywho, something to consider if you can't do what you want in the end.

I'm personally considering pretty heavily the VMUG deal. Curious if the 365 day license is absolute or if you just stop receiving the latest versions.


Just now, Mikensan said:

> Hmmm, no way within Linux to do folder-based encryption and auto-magic decryption based off of user (with a certificate) credentials?
>
> TPM is nice, but you can still fortify encryption in a similar manner with certificates on a USB drive.
>
> Just options anywho, something to consider if you can't do what you want in the end.
>
> I'm personally considering pretty heavily the VMUG deal. Curious if the 365 day license is absolute or if you just stop receiving the latest versions.

I really want to have the whole VM encrypted and I completely forgot about the security issues with handling encryption on the guest. The USB drive would be a great idea but I always worry about having anything sticking out of my servers in a data center, especially if it's not in a locked cabinet where somebody can just walk away with it.

I'm going to build a Hyper-V server and give it a try to compare it with ESXi. I guess that's the only way I'll know if it's worth it or not. :)

-KuJoe
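
The setup discussed up to this point (TPM-backed BitLocker on the Hyper-V host, with no password prompt after a reboot) can be scripted as below. This is an added example, not code from any poster in the thread; it assumes the OS is on C: and the VM files (VHDX, configuration, checkpoints) live on D:, and both drive letters are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed layout (not from the thread): C: = OS, D: = VM storage.
$os = 'C:'; $data = 'D:'

# BitLocker is an optional feature on Windows Server and needs a reboot after install.
if (-not (Get-WindowsFeature -Name BitLocker).Installed) {
    Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools
    Write-Warning 'BitLocker installed. Reboot and run the script again.'
    return
}

# The TPM has to be present and provisioned before it can seal the OS volume key.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready. Enable and initialize it in firmware setup.'
}

# Stage 1: OS volume. A TPM protector lets the host boot unattended; the
# recovery password is the fallback if firmware or boot measurements change.
$osVol = Get-BitLockerVolume -MountPoint $os
if ($osVol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $os -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest
    Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector
}
$osVol = Get-BitLockerVolume -MountPoint $os
if ($osVol.VolumeStatus -ne 'FullyEncrypted') {
    Write-Warning "OS volume at $($osVol.EncryptionPercentage)%. Re-run when it reaches 100%."
    return
}

# Stage 2: VM storage volume. Auto-unlock keeps its key on the (now encrypted)
# OS volume, so D: mounts after a reboot without anyone typing a password.
$dataVol = Get-BitLockerVolume -MountPoint $data
if ($dataVol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $data -EncryptionMethod Aes256 -RecoveryPasswordProtector
    Enable-BitLockerAutoUnlock -MountPoint $data
}

# Report state. Copy the recovery passwords to storage that is not on this server.
Get-BitLockerVolume -MountPoint $os, $data |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, AutoUnlockEnabled,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```

TPM-only unlock covers the pulled-drive case raised in the thread; a host that is removed whole will still boot and unlock its volumes, so guest logins and network access controls remain the barrier there.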


Did you take a look at the Hyper-V Server (no GUI no Price :D )? It does everything a S16 Datacenter would do and you have stuff like live migrations, vSANs, HA-Clustering (requires AD connection to set up, not run) for 0$


2 hours ago, Mikensan said:

> Hmmm, no way within Linux to do folder-based encryption and auto-magic decryption based off of user (with a certificate) credentials?
>
> TPM is nice, but you can still fortify encryption in a similar manner with certificates on a USB drive.
>
> Just options anywho, something to consider if you can't do what you want in the end.
>
> I'm personally considering pretty heavily the VMUG deal. Curious if the 365 day license is absolute or if you just stop receiving the latest versions.

After 365 days the licenses stop functioning and your ESXi hosts will fall back to unlicensed feature support, basically shit breaks, don't let it expire. If you want to stop then manually clean up and apply free licenses before expiration.


3 hours ago, harry4742 said:

> Did you take a look at the Hyper-V Server (no GUI no Price :D )? It does everything a S16 Datacenter would do and you have stuff like live migrations, vSANs, HA-Clustering (requires AD connection to set up, not run) for 0$

I have plenty of licenses so Hyper-V and the guests will be free for me but thanks for the info. :)

-KuJoe


Finally got my new server online but the Spyder KVM over IP is a PITA. I got the data center to install an evaluation copy of Server 2012 R2 Datacenter and so far I'm rather liking Hyper-V, I don't know why my current experience is different than my prior experience with it but the Hyper-V Manager feels a lot different than the 2008 R2 hosts I'm used to fighting with. This is definitely an interesting turn of events. I think Microsoft may have stolen me from VMware. :D

-KuJoe


1 hour ago, KuJoe said:

> I think Microsoft may have stolen me from VMware

Whoa there, settle down :P.

Joking aside I think you're going to be far more impressed with Server 2016. It has PCIe pass-through support, software defined networking at its core if you want it (VXLANs etc), ReFS is hugely better so creating/removing snaps is near instant and same when cloning, Storage Spaces is better (combined effort with ReFS), Gen 2 SCSI boot VHDX. Likely missed some more nice things but yea Server 2016 is much better from a technical standpoint, whether you need or will use any of them is another matter.

SCVMM still isn't as nice as vCenter though.


On 21.12.2016 at 1:17 PM, leadeater said:

> SCVMM still isn't as nice as vCenter though.

But with 2016 it adds stuff like memory/nic hotadd


1 hour ago, harry4742 said:

> But with 2016 it adds stuff like memory/nic hotadd

I was meaning usability more than feature set for SCVMM vs vCenter, but that complaint is common for people used to vCenter who try SCVMM. Things you know are easier.


On 28.12.2016 at 7:09 PM, leadeater said:

> I was meaning usability more than feature set for SCVMM vs vCenter, but that complaint is common for people used to vCenter who try SCVMM. Things you know are easier.

That is always the case :D

I think the major difference is that the VMM is only part of the System Center which also has the capability of Change/Incident Management, Client Management, ....
