I’m a relatively recent user of LXD, and am still exploring. I’m liking its power and flexibility so far, so thanks to the developers!
I’ve been looking at using LXD to create isolated containers (a DMZ of sorts) for services that I need to give external network access. I’d like to stress-test whether my approach makes sense.
On my router I have various VLANs. My main internal network is VLAN 10, IPv4 subnet 10.10.10.0/24. I have also created a VLAN 66, IPv4 subnet 172.16.66.0/24, for the proposed isolated containers.
On the router, I have set up strict firewall rules (essentially “guest” network rules) so that any host on VLAN 66 cannot reach any other host in the network, except for limited exceptions (eg DHCP, DNS, ICMPv6, and certain established/related connections). However, hosts on VLAN 10 can reach VLAN 66.
My LXD host (Ubuntu 18.04.3) is on subnet 10.10.10.0/24. Its NIC has both VLAN 10 (native) and VLAN 66 (tagged) switched to it.
The result is that the container gets IPv4 and IPv6 addresses in VLAN 66 (only), and is accessible from other hosts in my network (including the LXD host) in accordance with my router’s firewall rules. (I also mounted a storage directory on my RAID6 array into the container using the LXD device option.)
This seems to achieve what I wanted - I have a container that has addresses in VLAN 66 (only) and is isolated by my router from other hosts in the network. I can forward ports on my router directly to the container.
I wanted to check though that I wasn’t deceiving myself, in particular whether LXD’s networking in some way opens up the rest of the network to the container in a way that I thought I had shut off through the router’s firewall rules.
Any insights appreciated!