Off/on internet access per host or network?

Very new to LXD so I hope I can describe this properly.

I’ve created bridged networks with profiles, and added storage and network devices, then created my instances so I now have endpoints that can communicate across my routed networks.

Problem is, I need to install packages with apt on the containerized instances. I’d like a simple way to add connectivity, then turn it off so that the traffic doesn’t actually get routed onto my physical host’s LAN after installing packages.

Should I do this from within the instances or is there a way to give internet access to the network (which seems better so that I don’t have to configure each and every instance)?

Any help with how to do this, thanks.

You can likely use LXD network ACLs for this.
With a bridge network, your only option is to apply ACLs to the network itself, but that should work just fine in this case.

Thanks for the reply. Am I missing anything on how to work ACLs? I’ve created this ACL, then assigned it to my network, but I still can’t ping or get apt installs working. I’ve also logged out and back in, but not sure if that’s needed.

$ lxc network acl show internet
name: internet
description: ""
egress:
- action: allow
  destination: 8.8.8.8,8.8.4.4
  protocol: icmp4
  description: ICMP
  state: enabled
- action: allow
  protocol: tcp
  destination_port: "80"
  description: HTTP
  state: enabled
ingress: []
config: {}
used_by:
- /1.0/networks/mylan
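As an added illustration (not from any poster in this thread), here is a small Python check that replays candidate flows against the egress rules of the ACL shown above, so you can see which flows the ACL actually matches before looking elsewhere for the block. It assumes LXD's rule semantics of first enabled match wins, with an empty destination or port field matching anything, and it reports flows matched by no rule as `None` (the assumption being that such traffic is not let through once an ACL is attached).

```python
import ipaddress

# Egress rules transcribed from the `lxc network acl show internet` output above
# (constructed test data for this example; keys follow the LXD ACL rule format).
INTERNET_ACL_EGRESS = [
    {"action": "allow", "destination": "8.8.8.8,8.8.4.4", "protocol": "icmp4",
     "description": "ICMP", "state": "enabled"},
    {"action": "allow", "protocol": "tcp", "destination_port": "80",
     "description": "HTTP", "state": "enabled"},
]


def _in_destination(dest_field, ip):
    """Empty destination matches anything; otherwise a comma-separated list of IPs/CIDRs."""
    if not dest_field:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(item.strip(), strict=False)
               for item in dest_field.split(","))


def _in_port(port_field, port):
    """Empty port field matches any port; otherwise comma-separated ports or lo-hi ranges."""
    if not port_field:
        return True
    for item in port_field.split(","):
        lo, _, hi = item.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def match_egress(rules, protocol, dst_ip, dst_port=None):
    """Return (action, description) of the first enabled rule matching the flow, or None.

    None means no rule covers this flow; assumed here to mean the ACL does not
    allow it (the flow is worth checking before suspecting the host firewall).
    """
    for rule in rules:
        if rule.get("state", "enabled") != "enabled":
            continue
        if rule.get("protocol") and rule["protocol"] != protocol:
            continue
        if not _in_destination(rule.get("destination"), dst_ip):
            continue
        if rule.get("destination_port"):
            if dst_port is None or not _in_port(rule["destination_port"], dst_port):
                continue
        return rule["action"], rule.get("description", "")
    return None
```

Replaying the flows apt actually needs (DNS on port 53 alongside HTTP on 80, and HTTPS on 443 for mirrors that use it) shows at a glance which ones the ACL covers.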

So just to clarify, did you have connectivity working prior to adding the ACL?

By default LXD doesn’t block anything, so if things were getting blocked before, it’s most likely something else messing with your firewall. A common source of issues is having Docker installed on the host system, as it has the annoying habit of altering global firewall rules.

I do have connectivity working between instances now where each instance can ping the other within a network.

I’ve not installed Docker or any other packages to these instances after they’ve been created because, well, I can’t get internet access to them yet. Though, I do want to install Docker when I can access the internet. Docker currently is installed on the host machine.

I disabled the host firewall and tried to ping to 8.8.8.8, but same results.

Right, Docker on the host system is the issue.

https://linuxcontainers.org/lxd/docs/latest/howto/network_bridge_firewalld/#prevent-issues-with-lxd-and-docker