I have a “server network” VLAN for VMs running whatever services e.g. Immich, Jellyfin.
I have a “management network” VLAN that basically only has my UniFi networking gear (router, switches, APs) and some other related networking gear.
Should XCP-ng be considered part of the “management network”, or grouped in with the other servers, as it actually is a server itself? I have it in “server network” at the moment.
Ya, I think I’ll put it into management VLAN like you say.
How do you segment/secure access to your hypervisors / management VLAN? I have a “main/trusted” VLAN that only my PCs and laptops are on, and that whole VLAN has full access to the management VLAN.
Do you make exceptions per device connecting, or per service being connected to, or both?
For me, if a device is on the main/trusted VLAN then it would be given the access individually anyway, so easier to allow the entire VLAN. The other devices (other family laptops, phones, etc.) are on different VLANs depending on purpose.
Also, I guess you have Xen Orchestra on the management network too?
I have the xcp console per SSH on my management network, and the VMs running on top can be on any given VLAN on my network, including the VM running Xen Orchestra, which is also located in the management VLAN.
On segregation: you can use your firewall router to enforce the rules for intra-VLAN traffic. For the management network you would only allow jump machines in selected other VLANs to connect to an admin VM on the management VLAN. From there you can access all the machines on the management VLAN. This allows you to authenticate accesses to the jump machines and keep anything else out of your management network. The access can be built with some tools; things I am using are Kasm Workspaces, Teleport and SSH.
I like the idea about having an admin VM in the management network, but having a dedicated jump box in select VLANs would be a bit overkill for me. I think rather than granting full management VLAN access to my entire main/trusted VLAN that I’d just grant access to the Admin VM in the management VLAN from the main/trusted VLAN instead. The Admin VLAN would be a nice central way of managing it all too, I might lock it down to just SSH too.
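The two posts above describe one policy: the router drops everything from the trusted VLAN into the management VLAN except SSH to a single admin VM, and the admin VM then reaches the XCP-ng host, Xen Orchestra and the rest of the management VLAN on its own segment. The ruleset below is an added example of that policy written for a Linux router running nftables; it is not from this thread and not a UniFi configuration (UniFi gear expresses the same allow/deny rules in its own UI). The VLAN interface names, subnets and the admin VM address are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): inter-VLAN policy for the
# "trusted -> admin VM -> management VLAN" design discussed above.
#
# Assumed (constructed) addressing:
#   trusted VLAN     vlan10  10.10.10.0/24   (your own PCs and laptops)
#   server VLAN      vlan20  10.10.20.0/24   (Immich, Jellyfin, ...)
#   management VLAN  vlan99  10.10.99.0/24   (UniFi gear, XCP-ng host, XO)
#   admin VM         10.10.99.10             (lives in the management VLAN)
#   WAN uplink       wan0

flush ruleset

table inet vlan_policy {
    # The only host in the management VLAN that may be reached from outside it.
    set admin_vm {
        type ipv4_addr
        elements = { 10.10.99.10 }
    }

    chain forward {
        # Default deny: any inter-VLAN flow not listed here is dropped.
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections that were already allowed.
        ct state established,related accept
        ct state invalid drop

        # Trusted VLAN -> admin VM: SSH only. Nothing else in the
        # management VLAN is reachable from the trusted VLAN.
        iifname "vlan10" oifname "vlan99" ip daddr @admin_vm tcp dport 22 accept

        # Everything else aimed at the management VLAN is logged, then dropped,
        # so stray attempts from trusted or server VLANs show up in the router log.
        oifname "vlan99" log prefix "mgmt-denied: " drop

        # Trusted VLAN may use the services on the server VLAN.
        iifname "vlan10" oifname "vlan20" accept

        # All VLANs may reach the internet.
        oifname "wan0" accept
    }
}
```

Traffic from the admin VM to the XCP-ng host or Xen Orchestra never appears in this chain: both ends sit in the management VLAN, so it is switched within that segment and only the admin VM's own access controls (SSH keys, Teleport or Kasm in front of it) apply. The default-deny policy also stops the management VLAN from opening connections back into the trusted VLAN, which keeps a compromised management host from pivoting outward. If XCP-ng is moved into the management VLAN as the thread concludes, its VMs stay on whichever VLAN their virtual interfaces are tagged with, so the server VLAN entries above are unaffected.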