KVM & Networking
-
I am new to KVM, however I have a basic kvm installation working. The default setup is nat, and works well. However, I am curious at to what is recommended when you need a VM or 2 to be accessed from the internet. With respect to networking, bridge or routed or keep the nat and apply all those 'rich' rules firewalld needs.
-
NAT is used when making an isolated lab network that you want off of your normal network. Bridging is what is used for "normal" networking where the VMs on KVM (or any hypervisor) are a normal part of the network.
-
I would almost never NAT, KVM is not a firewall and it would be extremely rare for you to want a platform level firewall in that manner.
-
We have a thread with some examples. I think it is the colo thread that @EddieJennings made.
-
If you think of it in physical terms, when would you want (if it were free) to put a router in the middle of your network and add firewall ACLs? There are times, certainly, but then when would you want that firewall to be associated with a physical platform rather than associated with specific workloads? And then, when would you want said firewall to use NAT and bring in all of that complication in the "middle" of your network?
There is a reason that the NAT option is there, and for things like labs, you can see where it might be useful for a totally isolated network workload. But almost never will you see it in production.
-
I don't NAT unless it's on a workstation and I'm using something like Vagrant for testing. For ease of use I use macvtap interfaces. Just select the interface you want the VM to use and macvtap.
If I need host to VM networking for some reason, I'll set up a private network (not NAT) that the host and VMs share, but I normally don't need that.
-
Even better is to set up an ovs bridge. That way you can leverage VXLAN for separate networks between hosts.
-
This is the aforementioned thread:
https://mangolassi.it/topic/16744/networking-and-1u-colocation/ -
thanks for your replies, What i understand is, that don't want to run anything on the host, and bridge the host to another VM which you would use as firewall, router etc. So if you had 2 Vm's to run ( 1 as an web server and a 2nd as a mail server), you would still need NAT, given that you have only 1 static/routable ip address.
-
@pattonb said in KVM & Networking:
So if you had 2 Vm's to run ( 1 as an web server and a 2nd as a mail server), you would still need NAT, given that you have only 1 static/routable ip address.
Why do you have only one static IP?
-
because they aren't free, (possibly only 1 static IP is available, although I think that would be rare) I was just putting out that scenario, to ensure I understand a prudent network layout for virtualization, when you want to have some VM's available to the 'outside'. If the VM's were not 'big' production type servers (where the volume/traffic is low),Using 1 static makes more sense (of course I think, I understand the arguments that could be made against such a notion). In the case I mentioned, or constraints you have to work with, would that be a sensical way of doing it ? I can see that if the VM's are only to be accessed from within a local LAN, you could have a number of setups. However, is it still a good idea to not run anything on the host, that is not necessary, much like the advice given for using XS.
-
@pattonb said in KVM & Networking:
because they aren't free, (possibly only 1 static IP is available, although I think that would be rare)
Oh, you are talking about your WAN link, not the IPs on your LAN.
-
correct.
-
In that case, typically, you'd have the NAT on your firewall, not on your KVM host. So you'd be back to bridging on the KVM host.
-
I have currently maybe 65 VMs on my KVM host, they each have their own IPs and are bridged. But there is a firewall and NAT sitting in front of all of it.
-
@scottalanmiller said in KVM & Networking:
I have currently maybe 65 VMs on my KVM host, they each have their own IPs and are bridged. But there is a firewall and NAT sitting in front of all of it.
This is really how it is most cases regardless of hypervisor.
The only exception is in non-production when dealing with KVM + Wireless NIC... I haven't had time to see if I could get it to bridge somehow, so I'm stuck with NAT on my laptop. But, this is not an issue with servers, as they don't use wireless and this seems to be specific to wireless.
