Incus Container hosting - network isolation

I’ve searched for the subject topic and found several. This link seems close:

We are in early stages of hosting containers for external client ERP environments.

Ultimately each container will need WAN gateway access and nothing else. No visibility to other client containers.

However administration of these containers will need access to all the containers.

Is anyone doing a similar arrangement?

Interested in feedback,

Regards,
Bret Stern

Even on a simple bridged network, there’s support for this kind of isolation.

You’ll likely want the full complement of nic device options:

  • security.ipv4_filtering=true (prevents IPv4 spoofing)
  • security.ipv6_filtering=true (prevents IPv6 spoofing)
  • security.mac_filtering=true (prevents MAC spoofing)
  • security.port_isolation=true (prevents container to container traffic)

If you need a more complex setup where each customer has multiple containers that need to interact with each other, then you may want to opt for OVN networking which then allows for an unlimited number of virtual networks with ACL/firewalling support to allow exactly the traffic you want.
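As an added example, not part of either post above and not Incus project code, here is a small bash script that applies the four nic security options from the reply as one profile per client on a plain bridge, and also shows the alternative per-client OVN network the reply mentions. The bridge name `incusbr0`, the OVN uplink name `UPLINK`, the `client-<name>` profile naming, the `images:debian/12` image and the helper function names are all assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: one locked-down profile per client on a shared bridge,
# plus an optional per-client OVN network. Not from the original thread.
# Assumed names: bridge "incusbr0", OVN uplink "UPLINK", profile "client-<name>".
set -eu

# Set INCUS="echo incus" to print the commands instead of running them.
INCUS="${INCUS:-incus}"
BRIDGE="${BRIDGE:-incusbr0}"

# Profile name derived from the client name (assumed convention).
client_profile_name() { printf 'client-%s\n' "$1"; }

# The four nic security options recommended in the reply above.
nic_security_options() {
  printf '%s\n' \
    security.ipv4_filtering=true \
    security.ipv6_filtering=true \
    security.mac_filtering=true \
    security.port_isolation=true
}

# Create a profile whose eth0 sits on the shared bridge but cannot spoof
# MAC/IP addresses and cannot reach any other port on that bridge, so the
# only thing it can talk to is the bridge's gateway (WAN access).
create_client_profile() {
  local client="$1" profile
  profile="$(client_profile_name "$client")"
  $INCUS profile create "$profile"
  # shellcheck disable=SC2046  # options are single words, safe to split
  $INCUS profile device add "$profile" eth0 nic \
    network="$BRIDGE" name=eth0 \
    $(nic_security_options)
}

# Launch an instance with the default profile plus the client profile;
# the client profile's eth0 replaces the default profile's eth0 device.
launch_client_instance() {
  local client="$1" name="$2"
  $INCUS launch images:debian/12 "$name" \
    --profile default --profile "$(client_profile_name "$client")"
}

# Alternative for clients whose containers must talk to each other: give
# each client its own OVN network on a shared uplink. Instances on one
# client's OVN network cannot see another client's network, and
# "incus network acl" rules can then restrict traffic further.
create_client_ovn_network() {
  local client="$1" uplink="${2:-UPLINK}"
  $INCUS network create "ovn-$client" --type=ovn network="$uplink"
}

# Usage: ./client-profiles.sh <client> <instance-name>
if [ "$#" -ge 2 ]; then
  create_client_profile "$1"
  launch_client_instance "$1" "$2"
fi
```

Note that port isolation only governs traffic on the bridge itself; host-side administration through `incus exec`, `incus file` or `incus console` does not go over the container's NIC, so the admin side of the question is unaffected by these options. Run the script with `INCUS="echo incus"` first to review the exact commands it would issue.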