I am currently installing a server that consists of a virtualization host (KVM on Ubuntu) and 7 VMs, some running MySQL and LDAP, others running different webservers and web applications. The VMs running the databases would only be queried by the other VMs on the same physical server. The webserver VMs will run something like 10-20 websites and webapps. The server will be placed in a datacenter, directly connected to the internet.
My idea was to use NAT networking between host and VMs (forming a LAN internally) and to assign the public IP address to the host OS. The host OS will run the firewall (with iptables) and distribute the network traffic to the VMs. VMs would initially be shielded off completely from the outside, so there would be no need in this scheme to have a full-featured firewall on any of the VMs. Also, I would just need 1 public IP address. I have to pay extra for additional IP addresses and I can't have more than 5.
I figured I could use a reverse proxy on the HostOS to distribute traffic among the VMs based on the requested hostnames.
My question is twofold:
- Is this a sound way to set up the host OS and the VMs? Or will a reverse proxy slow down the server too much? Should I instead just use bridge networking (recommended by most sources), accept that all my VMs are directly exposed to the outside and take measures on them accordingly?
- What would be a good reverse proxy to run on the host OS? I hear good stories about HAProxy. I've set up mod_proxy before (in a completely different scenario though), but I hear most people prefer HAProxy. Or do I need some ultra-lightweight reverse proxy with the smallest footprint, so as not to slow down the host OS too much?
I'm using exactly this kind of architecture with Proxmox. Bridge networking wasn't an option, since I don't have a sufficient number of public IPs for the virtual machines. I'm using nginx in a proxy virtual machine; you can configure it directly on the host, but using a virtual machine isn't a bad idea either (try to keep the host configuration as simple as possible).
The only way for you to use bridge networking is to have an IP for every VM that should be connected to the internet. Since this means that you have to secure every VM on its own, it might be less work to use just one firewall on your host system. There are also good tutorials for that, if you use libvirt (https://jamielinux.com/docs/libvirt-networking-handbook/nat-based-network.html). In my experience (with nginx) there was no noticeable slowdown with this solution. I assume HAProxy could be even faster.
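As an added illustration of the hostname-based routing the question asks about, here is an nginx configuration for the NAT host (not taken from either poster). It assumes libvirt's default NAT range 192.168.122.0/24, invented VM addresses and hostnames, and the file path in the comment; the database VMs deliberately have no server block, so nothing from the outside can reach them through the proxy.

```nginx
# /etc/nginx/conf.d/vm-proxy.conf (assumed path) on the KVM host.
# Only the host owns the public IP; the VMs sit on the internal NAT
# network 192.168.122.0/24 (libvirt default, addresses below are assumed).

upstream web_vm1 { server 192.168.122.11:80; }   # websites VM
upstream web_vm2 { server 192.168.122.12:80; }   # webapps VM
# No upstream for the MySQL/LDAP VMs: they are reachable only from
# the other VMs on the internal bridge, never through this proxy.

# Catch-all first: a request whose Host header matches no site is
# closed without a response (444) instead of landing on some VM.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name www.example.com example.com;   # assumed hostnames

    location / {
        proxy_pass http://web_vm1;
        # Pass the original Host and client address on to the VM so
        # its own virtual hosts and logs keep working behind NAT.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name app.example.com;   # assumed hostname

    location / {
        proxy_pass http://web_vm2;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this layout the host firewall only needs to allow TCP 80 (and 443 if TLS is terminated here) inbound; the VMs see traffic solely from the proxy's internal address, and `nginx -t` checks the file before a reload.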