So… I got bitten by not reading the manual, or in this case – the admin guide for vShield.
See, enabling vShield makes all VMs communicate via the internalised network – vShield will actually inform you of an error during a migration. The error states that the VM is attached to a virtual intranet.
This intranet is the network that the virtual machine connects to through the vSwitch on the protected side of the vShield, and which has no physical NIC attached. In this case, the vShield is bridging traffic to the unprotected network that is connected to a physical NIC.
Disable the virtual intranet check by editing the vpxd.cfg file on the vCenter Server:
- Locate and edit the vpxd.cfg file on the vCenter Server. This file is typically installed at C:\Documents and Settings\All Users\Application Data\VMware\VMware vCenter by default. Add the following lines as a sub-level to the config section, and at the same level as the vpxd section:

    <migrate>
      <test>
        <CompatibleNetworks>
          <VMOnVirtualIntranet>false</VMOnVirtualIntranet>
        </CompatibleNetworks>
      </test>
    </migrate>

- Save the vpxd.cfg file.
- Restart the VMware vCenter Server service. You can access the service menu by going to Control Panel > Administrative Tools > Services.
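The three steps above can be scripted so the edit is backed up, idempotent and leaves vpxd.cfg well-formed. This is an added example, not taken from the vShield admin guide; it assumes the default file location quoted above, that the file is named vpxd.cfg inside that folder, and that the vCenter Server Windows service is named `vpxd`.

```powershell
# Added example. $Path and $ServiceName are assumptions; adjust to your install.
param(
    [string]$Path = 'C:\Documents and Settings\All Users\Application Data\VMware\VMware vCenter\vpxd.cfg',
    [string]$ServiceName = 'vpxd'
)

$ErrorActionPreference = 'Stop'

# Parse the file as XML instead of pasting text, so the result stays well-formed.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($Path)

$config = $xml.SelectSingleNode('/config')
if (-not $config) { throw "No <config> root element found in $Path" }

# Walk config/migrate/test/CompatibleNetworks/VMOnVirtualIntranet,
# creating only the elements that are missing.
$node = $config
foreach ($name in 'migrate', 'test', 'CompatibleNetworks', 'VMOnVirtualIntranet') {
    $child = $node.SelectSingleNode($name)
    if (-not $child) {
        $child = $node.AppendChild($xml.CreateElement($name))
    }
    $node = $child
}

# Nothing to change: skip the write and the service restart.
if ($node.InnerText.Trim() -eq 'false') {
    Write-Output 'VMOnVirtualIntranet is already false; vpxd.cfg left untouched.'
    return
}

# Keep a timestamped copy of the original so the check can be restored later.
$backup = '{0}.bak-{1}' -f $Path, (Get-Date -Format 'yyyyMMddHHmmss')
Copy-Item -Path $Path -Destination $backup

$node.InnerText = 'false'
$xml.Save($Path)
Write-Output "Updated $Path (backup: $backup)"

# -Force also restarts services that depend on vCenter Server.
Restart-Service -Name $ServiceName -Force
Write-Output "Restarted service '$ServiceName'."
```

Run it from an elevated PowerShell prompt on the vCenter Server; restoring the backup file and restarting the service re-enables the check.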
Then, you’ll need to exclude the vShield VMs from being migrated via DRS and make sure to leave the HA settings for them as:
- VM Restart Priority: Disabled
- Host Isolation Response: Leave VM powered on
Cheers,
Leo

