When you create a virtual machine (VM), you have many networking options. You can set up your VM to act as just another computer on your network, secure it behind an internal router and firewall, or even simulate a fully customized real-time network.
This guide specifically covers the networking options available in VirtualBox, but the same concepts apply to other virtualization programs.
Network Address Translation (NAT)
This type of network is the default for new VirtualBox instances and is fairly easy to understand. It lets the guest's operating system access the Internet in the same way that your computer accesses it from behind your home router.
For example, your computer may have the IP address 192.168.1.5 in your home network, while your router has an IP address assigned by your ISP, e.g. 220.127.116.11. When you connect to an external service, your router translates your internal IP address into the public IP address that you use to communicate with the outside world. (Technically, it uses an extension of NAT called port address translation, but the concept is the same.)
In a way, this is exactly like putting your VMs behind an additional router. Packets sent from the VMs go through two translations: first the VM's private IP address is translated to the host's private IP address, and then the host's private address is translated to your gateway's public address. Ultimately, this gives the virtual machine an Internet connection. As far as the VM is aware, it is just another machine in a home network.
NAT mode does not give the host (or any other local machine) access to services running on a VM, much like a service running on your local network is not publicly reachable from the open Internet. If you want an application to be reachable, you must forward the ports it runs on and bind them to ports on the host. This is both good and bad: on the one hand it is much more secure, because even local machines cannot reach the VM's services, but manually opening every port you want can be tedious. If that is a problem, Bridged mode is a potential solution. You can also expose guest services to the open Internet by configuring your router to forward a port to the host machine, which in turn forwards the connection to the guest.
NAT mode does not provide host-to-guest access (other than through port forwarding), although all other communication directions are possible.
You should select NAT if you need basic Internet access, but still want to keep the VM separate from other machines in your network.
In NAT mode, a separate internal router is configured for each virtual machine, so a VM cannot access services running on another virtual machine. In fact, each machine can have the exact same private IP address, because everything is translated in the end.
NAT Network
NAT Network mode follows the same principle as NAT, but instead of logically separating each VM into its own network, it uses one network for all VMs configured on the same NAT network (nothing prevents you from having several separate NAT networks).
This enables guest-to-guest access via a virtual switch, much like how a computer plugged into your router's first Ethernet port can reach a machine plugged into the second port. Otherwise, this mode works exactly like NAT: host-to-guest access can only be achieved via port forwarding (but this time you have to choose which VM to forward to).
The one big difference is that, since several VMs share a network, each VM must have a different address. This requires the host to run a DHCP server (again, just like the one in your home router), which dynamically assigns an internal IP address to each VM on the network. DHCP can be disabled and the addresses configured manually if you wish.
You should choose NAT network over basic NAT if you need guest-to-guest access.
Bridged
Bridged mode is unique among the network modes, as it is the only mode that does not isolate the virtual machines in any way. In bridged mode, your VM communicates directly with external services using the host's network interface.
This means that VMs appear to your router as completely separate IP addresses, even though they are routed to the same physical machine. This lets you host services on the VMs and reach them on your local network by address and port number, which makes bridged networking very flexible.
This network mode is used by many VPS providers, such as AWS, as it allows them to divide one large, powerful server into several smaller servers that can be sold to customers. Each machine has its own unique IP address on the network. For services like AWS, however, a great deal of extra protection and tooling is added to prevent you from reaching other customers' virtual machines, and the result is orders of magnitude more complicated than this.
While the host is used to route packets to and from the VM, it does not interfere with them in any way, so the guest's OS appears as just another computer on your network. Because the VM is not isolated from the external network, there is no built-in firewall or protection in place other than your gateway's firewall and whatever firewall you manually configure on the guest OS.
Most servers come with several Ethernet ports, i.e. multiple physical interfaces. Because bridged mode simply bridges one of these physical interfaces, it can be used to run virtual machines on completely separate networks, depending on your actual cabling.
You should choose a bridged network if you want full, unobstructed access. It is also useful if you just want to run multiple "virtual" servers on the same hardware, much like a VPS provider would.
Host-Only
In Host-Only mode, the virtual machines have no way to access the Internet. However, host-to-guest and guest-to-host communication are still possible and are the main reason for using this mode.
In this mode, a DHCP server is usually run to hand out IP addresses to the guests, and guest-to-guest communication is also easy over the host-only network.
You should select Host-Only if you need a lot of bidirectional communication between host and guest but do not want Internet access on the guest. If you need bidirectional communication and also need external access, you can achieve the same effect with Bridged mode, which provides full access.
Internal (simulated) network
An Internal network is used to model real networks. Out of the box, it is completely separate from the outside world: multiple guests placed on the same internal network can reach each other, but not the host or the Internet, and vice versa. This is useful in itself for simulating networks that are completely disconnected from the world, but an Internal network can also be configured to provide Internet access to the private machines.
By creating a new virtual machine and configuring it as a router (e.g. with iptables), you can tell all other machines in the virtual network to use the new router VM as their default gateway. To reach external networks, you must add a separate network interface to the router in an Internet-connected mode (NAT, Bridged, etc.). Technically, the internal network itself is not what provides Internet access; VM1 and VM2 in this example have no network interfaces that enable direct Internet access.
In a way, this setup is not much different from NAT Network mode, but everything is handled manually.
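The router VM described above, as an added example that is not part of the original article: a small iptables script for the router. It assumes (constructed for this example) that the router's internal-network adapter is eth1 on 10.10.0.0/24 and its Internet-facing adapter (NAT or Bridged) is eth0. The rule set is printed first so it can be reviewed; the final FORWARD rule drops anything not explicitly allowed, so the internal VMs get outbound access without the outside being able to open new connections to them, which mirrors what NAT Network mode gives you automatically.

```shell
#!/bin/sh
# Added example (not from the original article): turn the "router" VM from the
# internal-network setup into a NAT gateway with iptables.
# Assumed layout (constructed values): eth1 = internal network 10.10.0.0/24,
# eth0 = Internet-facing adapter (VirtualBox NAT or Bridged).
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.10.0.0/24}"

# Print the rule set instead of applying it, so it can be reviewed (or diffed
# against the running firewall) before it changes anything.
router_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# Apply the printed rules on the router VM itself (needs root).
apply_router_rules() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "apply_router_rules: must run as root on the router VM" >&2
    return 1
  fi
  router_rules | sh -e
}

# Count rules that mention a keyword; handy for a quick sanity check.
count_rules() {
  router_rules | grep -c -- "$1"
}

# Show the rule set; run apply_router_rules on the router VM to install it.
router_rules
```

The internal VMs (VM1 and VM2 in the article's example) then need 10.10.0.1, or whatever address the router's eth1 carries, as their default gateway; how that is set depends on their guest OS.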
You should choose Internal Network if you want to simulate or model a virtual network, or if you just need the flexibility to set everything up yourself. Internal networking is very useful for educational purposes, as it lets anyone configure their own network without going down to RadioShack to buy the hardware.
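To tie the five modes together, here is an added example (not from the original article or the VirtualBox documentation) that configures each mode from the command line with VBoxManage. The names are assumptions: VMs "vm1" and "vm2", physical host adapter "eth0", host-only adapter "vboxnet0", NAT network "natnet1" and internal network "lab"; the guest address 10.0.2.4 in the NAT Network forwarding rule is a constructed value. When VBoxManage is not installed, or DRY_RUN=1 is set, the commands are echoed instead of executed so the script can be reviewed on any machine. Note that both port-forwarding rules bind to 127.0.0.1, so the forwarded guest service is reachable only from the host itself, not from other machines on your LAN.

```shell
#!/bin/sh
# Added example: one VBoxManage configuration per VirtualBox network mode.
# Assumed names (not from the article): vm1/vm2, eth0, vboxnet0, natnet1, lab.

# Echo instead of execute when VBoxManage is missing or DRY_RUN=1.
vbox() {
  if [ "${DRY_RUN:-0}" = 1 ] || ! command -v VBoxManage >/dev/null 2>&1; then
    echo "VBoxManage $*"
  else
    VBoxManage "$@"
  fi
}

# NAT: isolated per VM. Only guest port 22 is exposed, on host port 2222,
# and only on the host's loopback address (rule: name,proto,hostip,hostport,guestip,guestport).
mode_nat() {
  vbox modifyvm "$1" --nic1 nat
  vbox modifyvm "$1" --natpf1 "ssh,tcp,127.0.0.1,2222,,22"
}

# NAT Network: all listed VMs share one virtual switch with a VirtualBox DHCP
# server; forwarding must now name the guest address (10.0.2.4 is constructed).
mode_natnetwork() {
  vbox natnetwork add --netname natnet1 --network "10.0.2.0/24" --enable --dhcp on
  vbox natnetwork modify --netname natnet1 --port-forward-4 "ssh:tcp:[127.0.0.1]:2222:[10.0.2.4]:22"
  for vm in "$@"; do
    vbox modifyvm "$vm" --nic1 natnetwork --nat-network1 natnet1
  done
}

# Bridged: the VM gets its own address from the physical LAN. Nothing on the
# host filters its traffic, so the guest OS needs its own firewall.
mode_bridged() {
  vbox modifyvm "$1" --nic1 bridged --bridgeadapter1 eth0
}

# Host-Only: reachable from the host and other host-only guests, never from
# the Internet. The host-only adapter gets its own DHCP range.
mode_hostonly() {
  vbox hostonlyif create
  vbox dhcpserver add --ifname vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0 \
    --lowerip 192.168.56.100 --upperip 192.168.56.200 --enable
  vbox modifyvm "$1" --nic1 hostonly --hostonlyadapter1 vboxnet0
}

# Internal: guests on "lab" see only each other; there is no DHCP and no
# gateway unless you run a router VM yourself.
mode_internal() {
  vbox modifyvm "$1" --nic1 intnet --intnet1 lab
}

usage() {
  echo "usage: $0 nat|natnetwork|bridged|hostonly|internal VM..." >&2
}

mode="${1:-}"
[ $# -gt 0 ] && shift
case "$mode" in
  nat)        for vm in "$@"; do mode_nat "$vm"; done ;;
  natnetwork) mode_natnetwork "$@" ;;
  bridged)    for vm in "$@"; do mode_bridged "$vm"; done ;;
  hostonly)   for vm in "$@"; do mode_hostonly "$vm"; done ;;
  internal)   for vm in "$@"; do mode_internal "$vm"; done ;;
  *)          usage ;;
esac
```

For example, `DRY_RUN=1 sh vbox-net.sh natnetwork vm1 vm2` prints the commands that put both VMs on natnet1 without touching your VirtualBox configuration; drop DRY_RUN to apply them. The VMs must be powered off for modifyvm to take effect.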