VM Networking & Storage
Bridges, VLAN tags, local vs SAN/NFS.
Learning objectives
- Design virtual networks with bridges, VLANs, and firewall rules
- Choose storage types: local, NFS, Ceph, and ZFS for Proxmox
- Connect Workshop Co. VMs securely — web, database, and storage tiers
Virtual networking basics
Each VM gets one or more virtual NICs connected to a bridge on the hypervisor. The bridge behaves like a physical switch: frames from VM 110 (web) and VM 120 (database) can reach each other only if the two VMs share a bridge and VLAN.
Workshop Co.'s Proxmox host has one physical NIC plugged into their Edmonton office router. Marcus creates:
| Bridge | VLAN tag | Connected VMs |
|---|---|---|
| vmbr0 | untagged (LAN) | web 110, staging 111, nextcloud 130 |
| vmbr1 | VLAN 20 (internal) | web 110, db 120 (database not on public LAN) |
Put the database on an internal-only network. The web VM has two NICs: one on vmbr0 for public HTTP, one on vmbr1 for PostgreSQL on port 5432. The firewall on the db VM allows inbound 5432 only from the web VM's vmbr1 address.
Worked example — Proxmox bridge snippet
```
# /etc/network/interfaces excerpt on pve-workshop-01
auto vmbr0
iface vmbr0 inet static
    address 192.168.10.2/24
    gateway 192.168.10.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
```
VM 120 (database) attaches only to vmbr1 with static IP 10.20.0.5/24. VM 110 reaches it at that address; the office LAN cannot.
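To check the isolation claims of this two-bridge design before touching the host, here is an added Python model (not part of the course material or Proxmox itself) of bridges, VM NICs and default-deny VM firewalls. The host names, addresses and rules are constructed to match the lesson; the second database definition shows the failure mode where the db VM is also attached to vmbr0 with an "allow from any" rule.

```python
from dataclasses import dataclass, field

@dataclass
class Nic:
    bridge: str   # Proxmox bridge the virtual NIC is attached to
    ip: str       # address the VM has on that bridge

@dataclass
class Host:
    name: str
    nics: list
    # inbound allow rules on the VM firewall as (source_ip or "any", dport or None);
    # anything not matched is dropped (default-deny inbound)
    allow: list = field(default_factory=list)

def can_reach(src: Host, dst: Host, port: int) -> bool:
    """True if some NIC of src shares a bridge with a NIC of dst (L2 adjacency)
    and dst's firewall allows that source address on the port."""
    for s in src.nics:
        for d in dst.nics:
            if s.bridge != d.bridge:
                continue          # no shared bridge: no path, whatever the rules say
            for rule_src, rule_port in dst.allow:
                if rule_src in ("any", s.ip) and rule_port in (None, port):
                    return True
    return False

# Constructed hosts matching the lesson's layout (addresses are illustrative).
LAN_CLIENT = Host("office-laptop", [Nic("vmbr0", "192.168.10.50")])
WEB = Host("web-110", [Nic("vmbr0", "192.168.10.110"), Nic("vmbr1", "10.20.0.10")],
           allow=[("any", 443)])
DB = Host("db-120", [Nic("vmbr1", "10.20.0.5")], allow=[("10.20.0.10", 5432)])
# Failure mode: db also attached to vmbr0 and its 5432 rule opened to "any".
DB_ON_LAN = Host("db-120-bad", [Nic("vmbr0", "192.168.10.120"), Nic("vmbr1", "10.20.0.5")],
                 allow=[("any", 5432)])

def audit(db: Host) -> dict:
    """Evaluate the design's reachability claims for a given database VM definition."""
    return {
        "lan->web:443": can_reach(LAN_CLIENT, WEB, 443),
        "web->db:5432": can_reach(WEB, db, 5432),
        "lan->db:5432": can_reach(LAN_CLIENT, db, 5432),
        "web->db:22": can_reach(WEB, db, 22),
    }

if __name__ == "__main__":
    for label, db in (("as designed", DB), ("db on LAN bridge", DB_ON_LAN)):
        print(label, audit(db))
```

The as-designed audit should report only lan->web:443 and web->db:5432 as reachable; the misconfigured variant additionally exposes 5432 to every LAN client.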
Storage options
| Storage type | Proxmox | ESXi | Workshop Co. use |
|---|---|---|---|
| Local LVM/ZFS | local-lvm, ZFS pool | Local VMFS datastore | VM disks on NVMe |
| NFS | Add NFS storage | NFS datastore | Shared ISO library |
| Ceph / vSAN | Proxmox Ceph | VMware vSAN | Future cluster — not day one |
| Backup target | PBS, NFS, S3 | Vendor backup appliance | Nightly to Swift Host off-site |
Marcus puts fast VM disks on ZFS with compression enabled. Nextcloud's 500 GB volume lives on a separate HDD mirror — sequential file access does not need NVMe.
Disk formats and performance
- Raw / thick — pre-allocated, best performance on local ZFS
- QCOW2 — thin provisioning, snapshots; fine for labs
- VirtIO SCSI — preferred disk bus for Linux guests on Proxmox
- VMware Paravirtual SCSI — ESXi equivalent with tools installed
Try it yourself
Draw a network diagram for Workshop Co.:
- Internet → office router → Proxmox host
- Web VM (public), staging VM (public but IP-restricted), db VM (private), Nextcloud (public HTTPS)
Label which VMs share bridges and where firewall rules apply.
Sample diagram notes
- Router port-forwards 443 → web VM only
- Staging: same forward on non-standard port or Cloudflare Access
- Db VM: no router forward; only web VM on internal bridge
- Nextcloud: 443 forward or reverse proxy on web VM
Check your understanding
- Why should the PostgreSQL VM avoid sitting on the same bridge as untrusted LAN clients?
- When would Workshop Co. add NFS storage to Proxmox?
Answers
- Reduces attack surface — LAN devices and compromised guests cannot reach db port directly.
- Shared ISO/template library, backup target, or second node in a cluster needing shared disk for live migration.