Virtualization Netowrking Questions

Posted on 2008-11-06
Last Modified: 2012-05-05
I am running some virtual machines (VM) on hosts with two network cards.  I wish to have some of my VM's be accessible from the internet like one of my VM's manages a bunch of websites that are public facing.

While I wish for my VM to be public facing I do not want the host to be accessible via the publc internet.  Right now my host are address via the public internet because on physical host NIC 1 I have a public IP and on physical NIC two I have a internal IP.  The VM has two virtual NICs on pointing to each physical NIC.  What is the best way to make my VM public facing without makine the host accessible?  VLAN?, Another configuration?

I am using Windows Virtualization (Hyper-V), but I tihnk the question is pretty generic
Note: I am a bit of a VLAN rookie
Question by:eferron
    LVL 13

    Accepted Solution

    Hmmm... if each of your VM's have their own IP address, it's a lot like using separate physical servers - the only difference is that your Hyper-V host will be acting as a "switch" to pass through to get to the VM's from your internal network or public Internet.

    You'll just need to configure a static IP on the outside of your network (given to you from your ISP) and set up your Router/NAT device to do port forwarding to your internal VM IP's...  There's not really any more risk that the standard "allowing Internet traffic into your Internal network" security risk.  If one of your VM's gets compromised, they'll have access to your whole internal network infrastructure.

    VLAN's could help, but will require some additional configuration and an addtional subnet running in your network.

    Author Comment

    Maybe I should take the approach of having external VM host that only host outbound facing guest and internal facing host that manage all internal facing guest machines.  I was really hoping there was a better way of exposing a guest machine to the outside network without making the host NIC visible to the internet.
    Maybe for now the best way is to just publish the web sites using reverse proxy, like the web publishing feature in ISA Server.
    Any other thoughts or validations anyone?

    Author Closing Comment

    Doesn't sound like anybody else is weighing so I guess you win.  Thanks,


    Featured Post

    Do You Know the 4 Main Threat Actor Types?

    Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

    Join & Write a Comment

    Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
    Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
    This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
    This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now