I have a requirement for almost 100 virtual PCs for 100 different clients. For security reasons I have to use a basic firewall for all devices, and I have a Palo Alto firewall. Also, to maintain privacy and security, the virtual PCs can’t communicate with each other, as the users of the PCs are different. Therefore, I can’t create the same network pool for all 100 machines, and it is also not feasible to create 100 separate networks for those machines.

So how can I create a network for the 100 virtual PCs so that I can implement firewall policy on them and the PCs can’t communicate with each other as well?


If the users do not have admin access, use the same LAN, put them all on DHCP in a single subnet (/25 or lower, as that would be the first to give >=126 usable hosts), and create a firewall rule to deny access to the DHCP subnet.

They would still be able to communicate to the DHCP server outside that subnet and any shared resources so long as they too were outside that subnet.

I have admin access to all switches and the firewall.
But my main concern is: when all the hosts are in the same subnet, doesn’t that allow the hosts to communicate with each other at L2, so the traffic would not hit the gateway (which will be the firewall in my case)?

Welcome to the community!

Which hypervisor?

If these were physical devices, you could put them all on physical switches and use a private VLAN, which prevents devices on the same VLAN from communicating with each other. But to put them all on the same VLAN in a virtual environment, your virtual switch would need a similar capability.

Otherwise, I would say 1 VLAN per VM. That’s easy to build out on any physical switch that has a CLI, and that can also be done via CLI on your Palo Alto firewall. Virtual port groups with VLAN assignments can be done via CLI on an ESXi host, and for Hyper-V you just need to assign the correct VLAN ID to the VM.
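As an added example (not code from the thread or from either poster), here is how both options look on a Hyper-V host in PowerShell. It assumes the VMs are named VPC-001 through VPC-100, each has a single network adapter on an external vSwitch whose uplink is trunked to the physical switch, and the VLAN numbers are placeholders; the isolated private VLAN variant also illustrates the private VLAN suggestion made later in the thread.

```powershell
# Added example, not from the thread. Assumptions: VMs named VPC-001..VPC-100,
# one NIC each, on an external vSwitch trunked to the physical switch.
# VLAN numbers are placeholders; pick the ones your switch and firewall use.

$vms = Get-VM -Name 'VPC-*' | Sort-Object Name

# Option A: one access VLAN per VM (VPC-001 -> 1001, VPC-002 -> 1002, ...).
# Each VLAN gets its own L3 subinterface and subnet on the Palo Alto, so the
# only path between two virtual PCs is through the firewall.
function Set-PerVmAccessVlan {
    param([Parameter(Mandatory)] $Vms, [int] $BaseVlan = 1000)
    $i = 0
    foreach ($vm in $Vms) {
        $i++
        $vm | Get-VMNetworkAdapter | Set-VMNetworkAdapterVlan -Access -VlanId ($BaseVlan + $i)
    }
}

# Option B: one subnet for all VMs, but each adapter is an isolated private
# VLAN port. Primary VLAN 100 is where the gateway sits (the firewall's switch
# port must be the promiscuous member of the 100/200 pair); secondary VLAN 200
# is the isolated VLAN, so isolated ports reach the gateway but never each
# other at layer 2.
function Set-IsolatedPvlan {
    param([Parameter(Mandatory)] $Vms, [int] $PrimaryVlan = 100, [int] $SecondaryVlan = 200)
    foreach ($vm in $Vms) {
        $vm | Get-VMNetworkAdapter |
            Set-VMNetworkAdapterVlan -Isolated -PrimaryVlanId $PrimaryVlan -SecondaryVlanId $SecondaryVlan
    }
}

# Use one or the other, not both.
Set-PerVmAccessVlan -Vms $vms
# Set-IsolatedPvlan -Vms $vms

# Verify what each adapter ended up with.
$vms | Get-VMNetworkAdapterVlan
```

With option A the Palo Alto needs a layer 3 subinterface per VLAN (100 of them), which is tedious but scriptable. With option B it needs only one interface, but every physical switch between the host and the firewall must carry the private VLAN pair (primary 100, isolated 200) and the firewall's switch port must be the promiscuous port; otherwise the isolation stops at the host. In both cases the point is the same: a VM can only reach another VM by crossing the firewall, which is what a plain shared VLAN never forces.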

Only if you mask them to that subnet; you can create a firewall rule for a subnet that does not use the same mask.

So for instance subnet 10.1.0.0/23

Gives you 10.1.0.0-10.1.1.255

Creating a firewall rule for 10.1.1.0/24 will block anything in 10.1.1.1-255 from seeing one another, but NOT from seeing 10.1.0.0-255, so if your DHCP hands out 10.1.1.1-254 with a /23 subnet that’s perfectly fine; the firewall blocking 10.1.1.0/24 will not care.

So if you, for instance, gave all IP addresses the subnet mask 255.255.254.0, they would have inherent access to them from a routing standpoint, but the firewall would block any IP in the 10.1.1.0/24 subnet. The subnet is not actually applied in the firewall other than as shorthand for defining ranges; the firewall blocks on IP.

I do it on my labs all the time.

And correct, it does not prevent L2, but what is the concern there?

Depending on how it is configured you can potentially get traffic to escape outside the VLAN as well; the question is, can you do anything threatening with it under normal conditions? Are these random strangers from the internet?

@genemoody2, where are you applying these firewall rules?

In my labs at the machine level; in this case it would be Windows Firewall outbound and inbound rules.

You could create one for a subset of the main LAN such as 10.1.1.0/24, where the actual LAN is 10.1.0.0/23.

You could simply do it by range as well. Nothing in 10.1.1.0/24 would be able to hit anything else in there, but could freely access anything in 10.1.0.0/24.

IF the system users do not have admin access and cannot modify rules, they would be locked in and the others locked out of all IP addresses in that range, which would be every other computer in that range.
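As an added example (not from the thread or from genemoody2), here are the Windows Defender Firewall rules that implement this scheme on each virtual PC with PowerShell. It assumes the LAN is 10.1.0.0/23 as in the posts above, the virtual PCs get 10.1.1.1-10.1.1.254 from DHCP with mask 255.255.254.0, and the gateway and shared servers live in 10.1.0.0/24; the rule names are placeholders.

```powershell
# Added example, not from the thread. Assumes LAN 10.1.0.0/23, virtual PCs in
# 10.1.1.0/24 and the gateway/shared servers in 10.1.0.0/24. Run elevated on
# each virtual PC (e.g. from a GPO startup script or baked into the image).

$peerRange = '10.1.1.0/24'   # where every other virtual PC lives

# Block both directions to the peer range. In Windows Defender Firewall a
# Block rule takes precedence over any Allow rule, so a later permissive rule
# (file sharing, remote assistance, ...) cannot reopen the path.
New-NetFirewallRule -DisplayName 'VPC-Isolation-Out' -Direction Outbound `
    -Action Block -RemoteAddress $peerRange -Profile Any -Enabled True
New-NetFirewallRule -DisplayName 'VPC-Isolation-In' -Direction Inbound `
    -Action Block -RemoteAddress $peerRange -Profile Any -Enabled True

# 10.1.0.0/24 is outside the blocked range, so the gateway, DHCP relay and any
# shared servers there stay reachable under the existing rules.

# Show the rules together with the address ranges they actually match.
Get-NetFirewallRule -DisplayName 'VPC-Isolation-*' | Get-NetFirewallAddressFilter
```

The host firewall only filters IP traffic, so ARP and other layer 2 traffic still flow, and the isolation holds only as long as the user cannot edit the rules, as the post says. Every virtual PC is itself inside 10.1.1.0/24, so the same two rules go on all of them; a PC without them is reachable by the others even though it cannot reach them back.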

This is the classic example of micro-segmentation / workload segmentation.
If you don’t want to build this then I recommend cloud; this is quite easy to achieve with security groups/VNets (obviously script all config).
For on-prem: if using VMware I would use NSX. If not, then you either choose network segmentation, which basically is a VLAN per host, or an SDN platform (e.g. Cisco ACI), or agent-based solutions (the most basic of which would be a host-based firewall).

An alternative method would be private VLANs. If all VDIs were on one VLAN/subnet and a private VLAN was then used for each VDI, they would not be able to communicate with each other, only with the gateway. The firewall could then control access.