Channel: Ubuntu Forums - Virtualisation

Xen: Pros and cons in my experiment network setup

Hi everyone!

I have started experimenting with various virtualisation solutions for Ubuntu server 16.04 lately. Have tried VMware, KVM and Xen. I find Xen most interesting, and have got it up and running, and everything is fine.

But I'm experimenting with a solution with Xen where I got only one physical Linux-box loaded with Ubuntu 16.04 and Xen. This machine got 2 NICs.

Today this server is running with no virtual guests, and my plan is to separate the webserver, the mailserver, fileserver and so on to virtual installations. This is practical for security when upgrading so I don't crash the whole server, you all know what I mean...

What I'm curious about is pros and cons of a network setup like the one described below, and please feel free to give me some alternative solutions:

Old Physical network connections:
--------------------------------------
NIC1 (gives external IP) <- Fibre-modem in bridged mode
NIC2 <- Connected to Gigabit Cisco-switch and acts as router, DHCP-server and so on

Now my wish is to keep most in virtual machines, that includes the firewall/router. Have read a few documents about different solutions regarding this, and I think it has to be something like this in my setup:

NIC1 connected to fibre modem which gives external IP:
---------------------------------------------------------------
xenbridge0 -> eth0 in Guest1 Firewall/router and DHCP-server 192.168.0.10

NIC2 connected to fibre modem which gives external IP:
---------------------------------------------------------------
xenbridge1 -> eth0 in Guest2 Webserver 192.168.0.11
xenbridge1 -> eth0 in Guest3 Fileserver 192.168.0.12


I'm thinking about routing the needed ports back to the other virtual machines from the firewall/router-guest, for example port 80 to 192.168.0.11

Of course I could keep this simple and configure dom0 as the router/firewall, but I don't want that. I want dom0 to be kept as clean as possible, and simple to install if a move to a new physical server is needed. Of course, I need to be able to reach dom0 via SSH or something, but I guess that would be possible one way or another. But I think it's best to not expose it directly to the internet.

I hope you understand what I'm trying to do here, it's not that easy to explain...

Would it be a clear advantage to give each virtual machine its own physical NIC instead of this?
