There are many options for connecting your virtual machines to a network. This article covers many of the default configurations for popular hypervisors.
NAT is useful when you want to run applications that are not native to the host on a guest machine, as if they were running on the host.
NAT works by rewriting the addresses in packets travelling between a guest machine and the external network.
For outbound packets, it replaces the source IP with that of the host machine.
For reciprocal inbound packets, the host machine translates the destination IP address back to the guest machine's.
In NAT mode, each guest has its own NAT instance.
Because all traffic arriving at the host carries the same destination IP address, the host cannot know how to translate an incoming packet unless the guest initiated the connection. As such, NAT acts as a basic firewall, blocking incoming connections unless port forwarding is configured.
Because all guests using NAT communicate from the same IP address, the host and guest machines are isolated from one another and cannot communicate without additional configuration.
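The translation rule described above, written out as a small stateful NAT simulation. This is an added example, not from the original article; the packet dictionaries and the addresses (203.0.113.10 for the host, 10.0.2.15 for the guest, 198.51.100.x for external hosts) are constructed, and the optional port-forward map is an assumption to show how an inbound connection can be admitted deliberately.

```python
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]  # (ip, port)


class NatGateway:
    """Rewrites guest addresses to the host's address and keeps a flow table
    so that only replies to guest-initiated flows are translated back."""

    def __init__(self, host_ip: str, port_forwards: Optional[Dict[int, Addr]] = None):
        self.host_ip = host_ip
        self.port_forwards = port_forwards or {}  # host port -> guest (ip, port)
        self._next_port = 40000
        self._flows: Dict[Tuple[Addr, Addr], int] = {}   # (guest, remote) -> host port
        self._table: Dict[Tuple[int, Addr], Addr] = {}   # (host port, remote) -> guest

    def outbound(self, pkt: dict) -> dict:
        """Guest -> external: replace the source with the host's IP and a host port."""
        guest: Addr = (pkt["src"], pkt["sport"])
        remote: Addr = (pkt["dst"], pkt["dport"])
        host_port = self._flows.get((guest, remote))
        if host_port is None:  # first packet of this flow: allocate a mapping
            host_port = self._next_port
            self._next_port += 1
            self._flows[(guest, remote)] = host_port
            self._table[(host_port, remote)] = guest
        return {**pkt, "src": self.host_ip, "sport": host_port}

    def inbound(self, pkt: dict) -> Optional[dict]:
        """External -> host: translate back only for a known flow or a configured
        port forward. Anything else is unsolicited and dropped (the firewall effect)."""
        remote: Addr = (pkt["src"], pkt["sport"])
        guest = self._table.get((pkt["dport"], remote)) or self.port_forwards.get(pkt["dport"])
        if guest is None:
            return None
        return {**pkt, "dst": guest[0], "dport": guest[1]}


def demo():
    """Constructed traffic: one guest-initiated flow, one unsolicited probe,
    one connection admitted through a port forward (2222 -> guest SSH)."""
    nat = NatGateway("203.0.113.10", port_forwards={2222: ("10.0.2.15", 22)})
    out = nat.outbound({"src": "10.0.2.15", "sport": 51000, "dst": "198.51.100.5", "dport": 443})
    reply = nat.inbound({"src": "198.51.100.5", "sport": 443, "dst": "203.0.113.10", "dport": out["sport"]})
    probe = nat.inbound({"src": "198.51.100.9", "sport": 12345, "dst": "203.0.113.10", "dport": 8080})
    fwd = nat.inbound({"src": "198.51.100.9", "sport": 12345, "dst": "203.0.113.10", "dport": 2222})
    return out, reply, probe, fwd
```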
Host-only networks are beneficial when connecting host and guest machines without permitting guests to access the external network.
In a host-only network, each guest machine is connected separately to the host on a private internal network.
The host PC uses a virtual switch to facilitate guest-to-guest and host-to-guest connections on the private network. Because there is no connection between the host's virtual adapter and physical NIC, guest machines can't access the external network.
NAT Network is similar to NAT, but like a host-only network it also allows direct communication between hosts and guests.
In a NAT network, the host and guest computers are all on the same private network, and can communicate with each other without address translation via a virtual switch. The host has a separate private IP address for communication on the private network.
When a guest wants to communicate with a device outside of the network, the packets are sent and received via a shared NAT gateway, which is the private IP address of the host on the NAT network. The NAT gateway translates IP addresses to that of the host (public IP address on the external network) or guest appropriately.
Like NAT, NAT Network acts as a firewall for the guests, blocking the initiation of inbound connections.
A bridged network is useful when guests need to directly access the external network in the same manner as a host.
On a bridged network, virtualization software creates a virtual network adapter for each guest. These connect to a virtual switch that facilitates the flow of data between the guests, and acts as a bridge between the guests and host.
When the guest sends data, the bridge passes the data (containing the guest machine's IP and MAC address) to the physical NIC on the host, allowing direct access to the network.
When data is received, the bridge recognizes the MAC address of the virtual network adapter, and forwards it to the guest machine via the virtual network adapter.
Because there is nothing between the guest and the external network, other devices will perceive it as a physical host. Exposure to incoming traffic from these devices could present security issues.
If multiple guests are running on the host, they can communicate with each other, since each acts as a physical host on the external network.
On a bridged network, the guest cannot "listen" to data intended for other devices even if the adapter is in promiscuous mode, since the data is filtered to the virtual adapter only when it has the guest's MAC address.
Unlike the other methods, passthrough can provide a guest with direct access to a physical Network Interface Card.
As an alternative to virtual network interfaces, USB and PCI NICs can act like they are plugged directly into the guest machine.
Because the devices are controlled entirely by the guest, it is impossible for the host (or other guests) to utilise the passed-through NIC directly.
Combined with one of the other network modes, the guest can still communicate with other guests and the host machine. Furthermore, configuring the guest that owns the NIC as a NAT gateway would enable those other devices to access the external network.
Unlike a bridged network, no software layer operates between the NIC and the guest. As a result, the guest is able to "listen" to data intended for other devices if the adapter is in promiscuous mode.