Computer networks
Godless, 2016-09-27 14:58:45

How to properly separate traffic for virtual machines and a KVM host?

In principle, everything is simple - there is a KVM host, it has 2-3 services + several virtual machines.
There is only one NIC on the host. The IP is grey (private), behind NAT, nominally x.x.x.1/24. Several ports have been forwarded from the internet to this address, incl. 80 and 443.
Virtual machines have y.y.y.0/24 addresses inside the host and, accordingly, go out to the network through NAT.
What is needed: to separate the traffic of the virtual machines and the host, so that the virtual machines do not see each other and do not see the host.
The situation is complicated by nginx, which routes all web traffic to the virtual machines (and the host! The host also has web resources). There are many sites, all HTTPS, one IP, so you need SNI, i.e. a single nginx is needed.
Question: how to do it correctly?
I am intentionally not writing my own thoughts; I have a couple of solutions in my head, but none of them is quite right...


1 answer(s)
Armenian Radio, 2016-09-27
@Godless

VLAN, bridges, NGINX in a separate virtual machine.
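
One way to lay out the approach from the answer above on the KVM host, as an added example that is not part of the original thread: an nftables ruleset with default-drop input and forward chains. It assumes one bridge per guest with static addressing, and every interface name, address and port below is a constructed placeholder.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed layout (not from the thread):
#   eth0      uplink, the NATed x.x.x.1/24 side
#   br-proxy  bridge holding only the nginx VM (10.0.100.2)
#   br-vm1/2  one bridge per guest, so guests never share an L2 segment
flush ruleset

define WAN      = "eth0"
define PROXY_IF = "br-proxy"
define PROXY_IP = 10.0.100.2
define VM_IFS   = { "br-vm1", "br-vm2" }
define GUEST_IFS = { "br-proxy", "br-vm1", "br-vm2" }

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Management access to the host from the uplink (assumed: SSH).
        iifname $WAN tcp dport 22 accept
        # Only the nginx VM may reach the host's own web backend (assumed port 8080).
        iifname $PROXY_IF ip saddr $PROXY_IP tcp dport 8080 accept
        # Everything else from guest bridges hits the drop policy: guests do not see the host.
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Forwarded 80/443 from the uplink goes to the nginx VM only.
        iifname $WAN oifname $PROXY_IF ip daddr $PROXY_IP tcp dport { 80, 443 } accept
        # The nginx VM may open web connections to the backend guests.
        iifname $PROXY_IF oifname $VM_IFS ip saddr $PROXY_IP tcp dport { 80, 443 } accept
        # Guests keep outbound access through NAT.
        iifname $GUEST_IFS oifname $WAN accept
        # No guest-to-guest rule exists, so br-vm1 <-> br-vm2 is dropped.
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        iifname $WAN tcp dport { 80, 443 } dnat to $PROXY_IP
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname $WAN masquerade
    }
}
```

If guests get their addresses or DNS from a dnsmasq instance on the host, the input chain needs matching accept rules for those services on each guest bridge.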
