Storage Access Between Networks - Best Practices

First post here so be gentle…

I am looking for Best Practices when you have a Server (VM) that is going to access your Shared Storage between networks / VLANs.

I have a Plex server that is currently sitting in my main / private network but want to isolate it from the main network / put it in its own VLAN, which I can handle.

My question is more specific to accessing the shared Storage from Plex and the best security practices. Currently Plex has access to my Synology NAS via a dedicated read-only user. Once I move the Server to its own VLAN what would be the best way to get access to the Storage?

Should I do it through Firewall Rules or just give it a direct network connection through another Network Adapter in the VM?

I’m wondering how this is normally dealt with in corporate environments with Web Servers and Shared Storage.

I would recommend passing the traffic through a firewall, but the caveat is if this would be the storage for the OS of the VM. This matters due to latency. If your use case is rather a file server (like SMB or NFS), then my responses below would be appropriate.

“Once I move the Server to its own VLAN what would be the best way to get access to the Storage?” - I would create a rule that allows the VM access to Synology on the required port(s). This would go on the interface that the VM is using as its default gateway.

“Should I do it through Firewall Rules or just give it a direct network connection through another Network Adapter in the VM?” - Again, use firewall rules. The reason you don’t want to put an adapter on the same network is because now they have access to each other’s 65535 ports. If either system gets compromised, they would have complete access to the other system’s ports and this makes hacking it much easier.

“I’m wondering how this is normally dealt with in corporate environments with Web Servers and Shared Storage.” - 99 times out of 100 you would have separation between systems through a firewall.

2 Likes
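
The firewall-rule approach recommended in the reply above, written as an nftables ruleset. This is an added example, not part of the original posts; it assumes a Linux router doing the inter-VLAN routing, and the interface names, IP addresses and the use of SMB on TCP 445 are assumptions chosen for illustration.

```nftables
# Added example. Assumed layout (none of these values come from the thread):
#   vlan30 = Plex VLAN,    Plex VM at 10.0.30.10
#   vlan10 = main network, Synology NAS at 10.0.10.20
# Only the rules for this VLAN pair are shown; rules for internet egress
# and for other VLANs would be added to the same chain.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that a rule below already allowed.
        ct state established,related accept
        ct state invalid drop

        # The one permitted flow: Plex VM to the NAS, SMB only.
        # For NFSv4 instead of SMB, the port would be TCP 2049.
        iifname "vlan30" oifname "vlan10" ip saddr 10.0.30.10 ip daddr 10.0.10.20 tcp dport 445 ct state new accept

        # Anything else from the Plex VLAN toward the main network is
        # counted and logged, then dropped by the chain policy.
        iifname "vlan30" oifname "vlan10" counter log prefix "plex-vlan-denied: "

        # No rule allows new connections from vlan10/NAS into vlan30, so the
        # NAS cannot initiate traffic to the Plex VM.
    }
}
```

With a second adapter on the storage network there is no forward chain between the two hosts at all, so none of these restrictions or log entries would apply to their traffic.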