KVM Virtual Machine Network - Guest-guest/VM-VM only network (no host/hypervisor access, no outbound connectivity)

Laine Stump laine at redhat.com
Mon Jun 14 15:51:26 UTC 2021



On 6/11/21 7:22 PM, Eduardo Lúcio Amorim Costa wrote:
> I know that with the *virsh* command I can create several types of 
> networks (a "NAT network", for example) as we can see in these URLs...
> 
> KVM network management <https://programmersought.com/article/52213715009/>
> KVM default NAT-based networking 
> <https://www.ibm.com/downloads/cas/ZVJGQX8E> (page 33)
> 
> *QUESTION:* How can I create a network (*lan_n*) where only guests/VMs 
> have connectivity, with no outbound connectivity and no host/hypervisor 
> connectivity?

(Just to be sure I'm understanding correctly - you want the guests on 
this network to have connectivity to each other, but not guest<->host, 
and nothing beyond the host, correct?)

Normally the guests would get their DHCP-assigned IP address from the 
host, and use the host for DNS, but since you want to forbid 
guest<->host communication, that implies that either one of the guests 
on the network will act as DHCP/DNS server, or that the guests will have 
statically configured IP addresses.

That being the case, all you really need is to define a libvirt virtual 
network that has no IP address on the host, e.g.:

    <network>
      <name>super-isolated</name>
    </network>

(It *might* be necessary to add "ipv6='yes'" immediately after "network" 
in order for IPv6 connectivity to work, but I'm not sure and don't have 
a setup to try it right now).

> 
> *NOTE:* The connectivity to other resources will be provided by a 
> *pfSense* firewall server that will have access to another network 
> (*wan_n*) with outbound connectivity and other resources.

Yes, this is a common config - have a "super-isolated" network for all 
the guests + the firewall VM, and then the firewall VM has a 2nd 
interface that connects everyone to the outside.

> 
> |Network layout... [N]wan_n ↕ [I]wan_n [V]pfsense_vm [I]lan_n ↕ [N]lan_n 
> ↕ ............................. ↕ ↕ ↕ [V]some_vm_0 [V]some_vm_1 
> [V]some_vm_4 [V]some_vm_2 [V]some_vm_5 [V]some_vm_3 _ [N] - Network; _ 
> [I] - Network Interface; _ [V] - Virtual Machine. |

Sigh. Stupid email client formatting - your original ASCII diagram 
looked nice, but just look at what Thunderbird did to it when I hit 
reply :-/ (fortunately I didn't need to refer to it)
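As an added example (not part of the thread or of libvirt itself): a small Python check that builds the no-IP network definition from the reply above, with the optional ipv6='yes' attribute, and flags anything in a libvirt network definition that would give guests a path to the host or beyond. The NAT sample XML is constructed to match the shape of libvirt's stock "default" network; the check inspects the XML only, not the live bridge on the host.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of libvirt's stock "default" NAT network.
NAT_NETWORK_XML = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.122.2' end='192.168.122.254'/></dhcp>
  </ip>
</network>"""


def super_isolated_xml(name, ipv6=False):
    """Network XML with no <forward> and no <ip>: guests talk only to each other.

    ipv6=True adds the ipv6='yes' attribute mentioned in the reply, which is
    only needed if the guests must use IPv6 among themselves.
    """
    attr = " ipv6='yes'" if ipv6 else ""
    return f"<network{attr}>\n  <name>{name}</name>\n</network>"


def isolation_findings(xml_text):
    """Return the reasons a network definition is NOT guest-only.

    An empty list means: no host-side address, no DHCP/DNS from the host,
    and no forwarding off the host. This checks the definition only; it
    says nothing about what the kernel does with the bridge once it is up.
    """
    root = ET.fromstring(xml_text)
    findings = []
    fwd = root.find("forward")
    if fwd is not None:
        # A <forward> element with no mode defaults to NAT in libvirt.
        mode = fwd.get("mode", "nat")
        findings.append(f"forward mode='{mode}': traffic can leave the host")
    for ip in root.findall("ip"):
        findings.append(f"host address {ip.get('address')}: guests can reach the host")
        if ip.find("dhcp") is not None:
            findings.append("dhcp: host-side dnsmasq serves the guests")
    return findings
```

Feed `virsh net-dumpxml <name>` output to `isolation_findings` to audit an existing network.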
