Hypervisors are tools used to create virtual machines (VMs) for hosting services, testing, and software development in a secure environment. Unfortunately, this level of security is only possible by completely sandboxing the virtual machine from the physical world, which is a problem if the project needs any networking.

For this reason, hypervisors offer various networking modes to provide networking capabilities to a VM while maintaining some level of security. These networking modes include NAT, bridged, and host-only networks.

So, what exactly are NAT, bridged, and host-only networking modes? How do they work, and which should you use?

What Is NAT?

Network Address Translation (NAT) is a networking mode where the host translates the VM's IP address for the router so that the VM can connect to the internet.

Basically, when connecting to the internet, the VM's IP address gets masked by the host's IP address. This mode does not allow the interconnection between VMs, nor does it allow a VM to communicate with other physical machines except the host.

Network Address Translation Illustration

The VM is given an IP address through a virtual DHCP server linked to the physical host's network modem, not the DHCP server from the physical router. A virtual DHCP server is automatically created whenever a virtual machine is made. This means that the IP address of a VM using a NAT adapter can have the same IP address as another VM without causing any problems. However, this also means that each VM hosted by the physical host machine cannot interact with each other because they share the same IP.

In instances where VMs require working NAT and a network connection with each other, some hypervisors, such as VirtualBox, provide a "NAT network" mode.

What Is a Host-only Network?

A host-only network provides the highest level of network security in exchange for very limited networking capabilities. For example, a host-only network allows all VMs and the host machine to network with each other while being cut off from the physical network. And since the host machine doesn't translate the address for the VMs, the router cannot provide them with any internet access.

Host-Only Network Illustration

A host-only network uses a virtual DHCP server from the host machine to give a unique IP address to each VM. MAC addresses are automatically set, but you can change the MAC address and IP address if you want to.

What Is a Bridged Network?

A bridged network is the most permissive of all network connection types.

It allows a VM to network with other VMs and all physical machines on the physical network. Although a bridged network provides VMs with all the networking functionalities, it also significantly decreases their security, as the VMs are susceptible to the same networking vulnerabilities as machines on an open physical network.

Bridged Network Illustration

A bridge adapter provides each VM with a unique IP address within the physical network subnet. VMs get their IP address not from a virtual DHCP server but from the physical router in your network. To use a bridged network, a user must manually select the bridged adapter mode on the hypervisor and assign a unique MAC address to each VM.

Comparing NAT, Bridged, and Host-only Networks

NAT, bridged, and host-only networks are three of the most common networking modes virtual machines use for connectivity. Depending on the connection mode, your virtual machine will have varying degrees of networking capabilities. Although having an IP open to all connections may seem convenient and useful, the risk a fully open connection creates is not worth the convenience. Besides, setting the correct network mode is easy and can be done in a few seconds.

The important thing is that you need to understand which network mode better fits your needs. To make it simpler for you to understand, here is a table on what each specific network mode provides access to:

| Network Mode | Access to other VMs | Access to Host | Access to Physical Machines | Internet Access |
|---|---|---|---|---|
| NAT | No | Yes (One way) | No | Yes |
| Bridged | Yes | Yes | Yes | Yes |
| Host-Only | Yes | Yes | No | No |

NAT vs. Bridged Mode vs. Host-Only: Which Network Mode To Use?

There are many practical applications for using a virtual machine. Many of these applications are usually in the form of testing, education, development, and hosting services.

Based on the table, NAT is restricted from connecting to other VMs and the machines on the physical network. VMs configured to use NAT are invisible to physical machines and other VMs hosted by the host machine. And since a VM in a NAT configuration cannot be seen by other machines, the risk of possible port scanning attacks is eliminated.

This makes NAT a suitable network connection for testing projects where the VM needs to be isolated but also needs internet access. Furthermore, NAT can also be used by establishments using VMs as clients for browsing the internet and doing various company tasks.

On the other hand, a bridge network configuration allows connection to similarly set VMs, the host machine, physical machines on the server, and the internet. This mode grants full network connectivity at the expense of having the least amount of security. For example, a bridged network is necessary if a virtual machine hosts a web server, file server, or mail server.

In contrast with the bridged network, a host-only network grants the best network security at the expense of low connectivity. A host-only network only allows connection to the host and other VMs. Although very isolated, a host-only connection is best used when setting up a private virtual network for testing and learning about cybersecurity.

You Can Mix and Match Different Virtual Machine Networking Modes

Testing, development, and hosting services are pretty broad areas of VM usage. However, for more specialized tasks, you may encounter situations where the NAT, bridged, or host-only network modes don't fit the type of connection you need.

To tailor your network mode, you can mix and match connection modes. This is possible because hypervisors often give VMs four to eight network adapters, so you can use multiple network modes when necessary. For example, suppose you need a network that has internet and VM-to-VM connectivity while being invisible to the physical network. You would combine NAT and host-only network modes to create such a connection.
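The mix-and-match case above, checked against the comparison table, as an added example that is not part of the original article: it parses output in the style of VirtualBox's `VBoxManage showvminfo --machinereadable` (the sample text is constructed here) and reports what a VM's combined adapters can reach. The function names and the union-of-adapters model are assumptions of this example.

```python
import re

# Reachability per mode, copied from the article's table ("Yes (One way)" treated as True).
ACCESS = {
    "nat":      {"vms": False, "host": True, "physical": False, "internet": True},
    "bridged":  {"vms": True,  "host": True, "physical": True,  "internet": True},
    "hostonly": {"vms": True,  "host": True, "physical": False, "internet": False},
}

# Constructed samples in the style of `VBoxManage showvminfo <vm> --machinereadable`.
SAMPLE_LAB_VM = '''name="lab-vm"
nic1="nat"
nic2="hostonly"
hostonlyadapter2="vboxnet0"
'''
SAMPLE_WEB_VM = '''name="web-vm"
nic1="bridged"
nic2="none"
'''

NIC_LINE = re.compile(r'^nic(\d+)="([^"]*)"$')

def parse_nics(vminfo):
    """Return {adapter_number: mode} for every enabled adapter."""
    nics = {}
    for line in vminfo.splitlines():
        m = NIC_LINE.match(line.strip())
        if m and m.group(2) != "none":
            nics[int(m.group(1))] = m.group(2)
    return nics

def effective_access(nics):
    """Union of what each adapter reaches; modes outside the table are returned separately."""
    reach = dict.fromkeys(("vms", "host", "physical", "internet"), False)
    unknown = [(n, m) for n, m in sorted(nics.items()) if m not in ACCESS]
    for mode in nics.values():
        for target, allowed in ACCESS.get(mode, {}).items():
            reach[target] = reach[target] or allowed
    return reach, unknown

def audit(vminfo, allow_physical=False):
    """Flag a VM whose adapters expose it to the physical network unexpectedly."""
    reach, unknown = effective_access(parse_nics(vminfo))
    findings = [f"adapter {n}: mode {m!r} not in table, review manually" for n, m in unknown]
    if reach["physical"] and not allow_physical:
        findings.append("reachable from physical network (bridged adapter present)")
    return reach, findings
```

Pass `allow_physical=True` for VMs that are meant to host services on the physical network, so that only unintended bridged adapters are reported.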

And that's basically all you need to know about VM networking modes. Hopefully, you can now use and customize your VM networks.