Comment on Many Network Interfaces per VM/CT - Good Practice?
testfactor@lemmy.world 6 months ago
I wouldn’t let every VM have an interface into your management network, regardless of how you implement this. Your management network should be segregated with the ability to route to all the other VLANs with an appropriate firewall setup that only allows “related/established” connections back into it.
As for your services, having them on separate VLANs is fine, but it seems like you would benefit from having a reverse proxy to forward things to the appropriate VLAN, to reduce your management overhead.
But in general, having multiple interfaces per VM is fine. There shouldn’t be any performance hit or anything. But remember that if you have a compromised VM, it’ll be on any networks you give it an interface in, so minimizing that is key for security purposes. Ideally it would live in a VLAN that only has Internet access and/or direct access to your reverse proxy.
Im_old@lemmy.world 6 months ago
Having multiple interfaces in each vm can lead to issues with routing if you screw something up.
Like you said, I’d expose the services via reverse proxy in the public VLAN, and enable SSH access on the firewall only from a jumpbox or the IP of your PC (or maybe the VLAN you are in).
testfactor@lemmy.world 6 months ago
Yeah, it can for sure. Definitely worth mentioning. Gotta watch what interface is set as the default router, or you’re bound to have a bad time. That said, the same is true with his originally proposed solution of pushing a trunk port to the VM, so it’s not any worse in that regard.
But yeah, full agreement on the correct solution. Keep it simple.
pyrosis@lemmy.world 6 months ago
I agree with this. The only vm I have that has multiple interfaces is an opnsense router vm heavily optimized for kvm to reach 10gb speeds.
One of the interfaces beyond wan and lan is an interface that links to a proxmox services bridge. It’s a proxbridge I gave to a container and is just a gateway in opnsense. It points traffic destined for services directly at the container ip. It keeps the service traffic on the bridge instead of having to hit the physical network.
realbadat@programming.dev 6 months ago
Agreed, I prefer trunk with native to the vlan for services, each container that the reverse proxy will hit in its own vlan (or multiples for differing sets of services, but I can be excessive).
I’d block any traffic initiated from that vlan to all others, and I’d also only allow the specific ports needed for the services. Then fully open initiated from the general internal vlan.
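The segmentation described above (management may initiate into every VLAN but only "related/established" comes back; the services VLAN reaches only the Internet and the specific ports the reverse proxy needs; SSH to the firewall only from a jumpbox) written out as an added nftables ruleset. This is example code, not from any poster, and it assumes a Linux router VM with hypothetical sub-interfaces eth0.10 (management), eth0.20 (public VLAN with the reverse proxy), eth0.21 (services), eth0.30 (internal) and WAN on eth1, with made-up addresses and ports.

```nft
#!/usr/sbin/nft -f
# Assumed layout (hypothetical):
#   eth0.10 = management VLAN   10.0.10.0/24 (jumpbox 10.0.10.5)
#   eth0.20 = public VLAN       10.0.20.0/24 (reverse proxy)
#   eth0.21 = services VLAN     10.0.21.0/24 (service VMs/CTs)
#   eth0.30 = internal VLAN     10.0.30.0/24 (workstations)
#   eth1    = WAN
flush ruleset

table inet fw {
    # Backend ports the reverse proxy is allowed to reach (example values)
    set svc_ports { type inet_service; elements = { 443, 8096 } }

    chain input {
        type filter hook input priority filter; policy drop
        ct state established,related accept
        iif lo accept
        icmp type echo-request accept
        # SSH to the firewall itself only from the management jumpbox
        iifname "eth0.10" ip saddr 10.0.10.5 tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop
        # Replies flow back toward whoever initiated; nothing new is
        # initiated into management because no rule below allows it.
        ct state established,related accept
        ct state invalid drop

        # Management may open connections to every VLAN and the Internet
        iifname "eth0.10" accept

        # Internal users: fully open toward services and the Internet
        iifname "eth0.30" oifname { "eth0.21", "eth1" } accept

        # Internet reaches only the reverse proxy on its published ports
        iifname "eth1" oifname "eth0.20" tcp dport { 80, 443 } accept

        # Reverse proxy reaches backends only on the listed service ports
        iifname "eth0.20" oifname "eth0.21" tcp dport @svc_ports accept

        # Proxy and services may reach the Internet (updates), nothing else
        iifname { "eth0.20", "eth0.21" } oifname "eth1" accept

        # Everything else (e.g. services -> management) is logged and dropped
        log prefix "fw-forward-drop: " drop
    }
}
```

Load it with `nft -f` and check the log prefix on the router to see which flows a compromised service VM tries to open; those are exactly the cross-VLAN paths the thread recommends not giving it.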