I have used virt-install to create two CentOS 7 virtual machine guests on a CentOS 7 host computer. One virtual machine is called webvm, and hosts web sites on a private network. The other virtual machine is called datavm and has the sole purpose of being the virtual database server for the web apps hosted on webvm. How can I set up networking so that datavm ONLY allows data connections from webvm, and so that those data connections happen WITHIN the physical server box? I want to make sure that the database transactions between webvm and datavm do not travel across the local network.
The network IP of webvm is 10.0.0.6 and the network IP of datavm is 10.0.0.5. The connection string from a typical web app hosted on webvm is:
jdbc:mysql://localhost:3306/somedb?autoReconnect=true
You can see that localhost refers to webvm. How do I change the connection string to refer to datavm? I hesitate to use jdbc:mysql://10.0.0.5:3306/somedb?autoReconnect=true because I do not want data transactions traveling across the network.
Also note that bridge networking already links the host OS to each of the guest OSes. So I don't want to do anything to mess up the host/guest bridge. The code that was used on the HOST to set up bridge networking with the guests is:
//Before creating vms
# nmcli con show (shows network connections before)
# nmcli con add type bridge ifname br0 (adds bridge networking)
# nmcli con show (shows network connections after)
//after creating vms
# nmcli connection modify bridge-br0 ipv4.method manual ipv4.addresses host.ip.addr/24 ipv4.gateway router.ip.addr
# nmcli con down bridge-br0; nmcli con up bridge-br0
# nmcli con up bridge-slave-eno1
# ip link (on host, will show vm connections as vnetX)
# brctl addif br0 vnet3 (this adds the vm to the network so you can ping it from elsewhere on the network. the vnet3 is a result from ip link that is a vm)
Now switch to another computer, open a terminal, and ssh [email protected] to connect to the virtual machine via ssh.
Whatever new bridge networking code we add must not conflict with the above bridge networking code that was already used.
So how do I set up a one-to-one, exclusive data connection between datavm and webvm?
MY BEST GUESS:
I read the Red Hat nmcli documentation at this link. And I also read this other link about bridged networking and virtual machines. My best guess is that I should go INSIDE datavm and set up a bridge connection in addition to a slave interface connection in webvm. Thus, datavm and webvm would each have two network connections, with one of the connections to the local network, and the other connection to the bridge network that they share. (I would later disable datavm's connection to the local network so that it can only talk to webvm.) I have no idea what the code in datavm would look like, but a random guess might be that it would look something like:
# nmcli con add type bridge ifname br1 ipv4.method manual ipv4.addresses newdatavm.ip.addr/24 ipv4.gateway newwebvm.ip.addr
# nmcli con up bridge-br1
# nmcli con up bridge-slave-eno1
# ip link (on host, will show vm connections as vnetX)
# brctl addif br1 vnet3 (where vnet3 is vnetX from preceding ip link)
But how do we give new IP addresses to datavm and webvm for this new bridge network without eliminating their ability to use their pre-existing IP addresses to connect to the local network? And how do we set it up so that the bridge just includes these two virtual machines? I imagine that firewalld is also involved.
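A worked version of the setup asked about, added here as an example and not part of the question or of any answer: an isolated (no-forward) libvirt network on the host that carries only the database traffic, a second NIC in each guest on that network, and a firewalld rich rule on datavm that admits 3306/tcp from webvm alone. The network name dbnet, the subnet 192.168.100.0/24 (webvm .6, datavm .5) and the guest NIC name eth1 are assumptions, not values from the question.

```shell
# Added example (not the question's code): move webvm<->datavm MySQL traffic onto a
# second, isolated libvirt network and let datavm accept 3306/tcp only from webvm.
# Assumed: network name "dbnet", constructed subnet 192.168.100.0/24 (webvm .6,
# datavm .5), and the new NIC appearing as eth1 inside each guest.
set -eu
WEBVM_DB_IP=192.168.100.6
DATAVM_DB_IP=192.168.100.5

# A libvirt network with no <forward> element is host-only: frames stay on a
# bridge inside the physical box and have no path to eno1/br0 or the LAN.
dbnet_xml() {
  cat <<'EOF'
<network>
  <name>dbnet</name>
  <bridge name="virbrdb" stp="on" delay="0"/>
</network>
EOF
}
# Connection string for a web app on webvm, replacing the localhost form.
jdbc_url() {
  printf 'jdbc:mysql://%s:3306/%s?autoReconnect=true' "$DATAVM_DB_IP" "$1"
}
# firewalld rich rule for datavm: 3306/tcp from webvm's dbnet address only.
mysql_rich_rule() {
  printf 'rule family="ipv4" source address="%s/32" port port="3306" protocol="tcp" accept' "$WEBVM_DB_IP"
}

# HOST, as root: define the isolated network and hot-plug a second NIC into each
# running guest. bridge-br0 and the guests' existing LAN NICs are not touched.
apply_on_host() {
  dbnet_xml > /tmp/dbnet.xml
  virsh net-define /tmp/dbnet.xml && virsh net-autostart dbnet && virsh net-start dbnet
  for vm in webvm datavm; do
    virsh attach-interface "$vm" network dbnet --model virtio --config --live
  done
}

# Inside each GUEST, as root: address eth1 with no gateway, so nothing routes out of it.
guest_addr() {   # $1 = this guest's dbnet address
  nmcli con add type ethernet ifname eth1 con-name dbnet ipv4.method manual ipv4.addresses "$1/24"
  nmcli con up dbnet
}

# Inside DATAVM, as root, after guest_addr "$DATAVM_DB_IP": admit only webvm. Also set
# bind-address=$DATAVM_DB_IP in the MySQL/MariaDB config so it stops listening on the LAN.
datavm_firewall() {
  firewall-cmd --permanent --remove-service=mysql || true
  firewall-cmd --permanent --add-rich-rule="$(mysql_rich_rule)"
  firewall-cmd --reload
}
```

Run apply_on_host on the CentOS 7 host, guest_addr inside each guest with that guest's address, and datavm_firewall inside datavm; the web app then uses the URL that jdbc_url prints instead of the localhost one.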