Is it more secure to have containers on their own bridged network rather than on the same bridge?


I have some LXD containers using a bridged network (each gets a 10.X.X.X address that can only be accessed from the LXD host). Every container gets its own bridged network (I create a network with the same name as the container that will be using it), and I configured UFW correctly so that some containers can access a port on another container (while they are on different networks/subnets). UFW runs on all containers too, to allow communication to select ports.

Would it be less secure if I put them all in one network (e.g. br0 instead of containernet1, containernet2, etc.)? E.g., if malicious software gets root access in a container (they are all unprivileged), could it mess with/communicate with other containers?

Thanks for any input or information.

If using the same bridge, you’d want to enable the security features on the LXD nic entry (mac_filtering, ipv4_filtering, ipv6_filtering) to prevent the container from performing any MAC/IP spoofing.
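An added example, not part of the thread above: the three "security features" in the answer are the LXD nic device keys `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. The script below does two things a practitioner would want when moving containers onto one shared bridge: it prints the `lxc config device set` commands that enable all three on a container's nic, and it audits the YAML that `lxc config device show <container>` prints for bridged nics that are still missing any of them. The container names (c1, c2), the device name eth0 and the two YAML samples are constructed for the example; nothing here talks to a real LXD daemon, so it runs offline. Caveat: the IPv4/IPv6 filters only work when LXD knows the container's addresses (a managed network, or `ipv4.address`/`ipv6.address` set on the device).

```shell
#!/usr/bin/env bash
# Added example (not from the original thread). Container/device names and the
# sample YAML are constructed; the security.* keys are the real LXD nic keys.

# Emit the commands that enable MAC/IPv4/IPv6 anti-spoofing on one bridged nic.
# Printed rather than executed so the script can be reviewed or piped to sh.
harden_nic_cmds() {
  local container="$1" device="${2:-eth0}"
  printf 'lxc config device set %s %s security.mac_filtering=true\n'  "$container" "$device"
  printf 'lxc config device set %s %s security.ipv4_filtering=true\n' "$container" "$device"
  printf 'lxc config device set %s %s security.ipv6_filtering=true\n' "$container" "$device"
}

# Read `lxc config device show <container>` YAML on stdin; for every nic that is
# bridged (nictype: bridged, or attached to a managed network via network:) print
# "<device>: <missing keys>". Exit status 1 if any bridged nic is unfiltered.
audit_nic_filtering() {
  awk '
    function flush(   i, k, v, missing, want) {
      if (dev == "" || type != "nic") return
      if (nictype != "bridged" && network == "") return
      split("security.mac_filtering security.ipv4_filtering security.ipv6_filtering", want, " ")
      missing = ""
      for (i = 1; i <= 3; i++) {
        k = want[i]
        if (!(k in keys) || keys[k] != "true") missing = missing " " k
      }
      if (missing != "") { print dev ":" missing; bad = 1 }
    }
    BEGIN { bad = 0 }
    /^[^ ]/ {                       # top-level key: a new device block starts
      flush()
      dev = $1; sub(/:$/, "", dev)
      type = ""; nictype = ""; network = ""
      for (k in keys) delete keys[k]
    }
    /^  type:/    { type = $2 }
    /^  nictype:/ { nictype = $2 }
    /^  network:/ { network = $2 }
    /^  security\.(mac|ipv4|ipv6)_filtering:/ {
      k = $1; sub(/:$/, "", k)
      v = $2; gsub(/"/, "", v)      # LXD prints string values quoted: "true"
      keys[k] = v
    }
    END { flush(); exit bad }
  '
}

# Constructed sample: c1 on the shared managed bridge br0, no filtering set.
SAMPLE_UNFILTERED='eth0:
  name: eth0
  network: br0
  type: nic
root:
  path: /
  pool: default
  type: disk'

# Constructed sample: c2 after the three keys have been enabled.
SAMPLE_FILTERED='eth0:
  name: eth0
  network: br0
  security.ipv4_filtering: "true"
  security.ipv6_filtering: "true"
  security.mac_filtering: "true"
  type: nic'

# Stand-alone demo: audit both samples and print the fix for the bad one.
echo "== c1 =="
if ! printf '%s\n' "$SAMPLE_UNFILTERED" | audit_nic_filtering; then
  echo "remediate with:"
  harden_nic_cmds c1 eth0
fi
echo "== c2 =="
printf '%s\n' "$SAMPLE_FILTERED" | audit_nic_filtering && echo "c2 ok"
```

On a real host the audit loop is `for c in $(lxc list -c n --format csv); do lxc config device show "$c" | audit_nic_filtering; done`; the same keys can be set once in a profile instead of per container.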