Network setup for VPS providers

Much has been said about how businesses offering colocation or dedicated servers to customers should put each server into its own VLAN for various reasons (security, management, monitoring, maybe others). How about those who offer VPS?

Should each VPS get its own VLAN and subnet? This would be a no-brainer in that it mirrors what is done for colocated and dedicated servers. But if a VPS needs to be transparently migrated from one VPS host to another, there will probably be complications in network reconfiguration, MAC address locking, etc. It also 'wastes' a couple of IPs for each VPS, and requires IP assignment in blocks of 2^n.

At the other end of the scale, the VPS could just be assigned IPs from a common subnet used by the VPS host, and the VPS 'bridged' onto the VPS host's network. How secure is Linux bridging vs. the various layer 2 attacks? If not sufficient, I suppose ebtables could be used for layer 2 security, at the cost of complexity. This saves IP addresses, but could be more complex to configure, and still requires reconfiguration if the VPS needs to be migrated.

How about having all VPS hosts share a common subnet, and assigning VPS IPs from the common subnet? That might make it easier to migrate VPSs...

So what's ideal? Is there another way? Are there any gotchas? What needs to be done to secure layer 2 for VPS that connect to the network using bridging or proxy ARP?
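
As an added example (not part of the original post), here is one way to express the ebtables layer 2 filtering the question raises for a bridged VPS: a shell function that prints rules pinning one VPS's bridge port to its assigned MAC and IPv4 address. The function names, the interface `vnet3`, and the MAC and IP values are constructed for illustration.

```shell
#!/bin/sh
# Added example: emit ebtables anti-spoofing rules for one bridged VPS port.
# Constructed sample values: vnet3, 52:54:00:12:34:56, 192.0.2.10.
# Rules are printed, not applied, so they can be reviewed first.

valid_if() {    # Linux interface names: 1-15 chars from a conservative set
    case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

valid_mac() {   # six colon-separated hex octets
    case $1 in *[!0-9A-Fa-f:]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {  # dotted quad, every octet <= 255
    case $1 in *[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# vps_l2_rules IFACE MAC IPV4
# Drops frames arriving from the VPS port whose Ethernet source, IPv4 source,
# or ARP sender fields do not match what was assigned to that VPS.
vps_l2_rules() {
    iface=$1 mac=$2 ip=$3
    valid_if "$iface" && valid_mac "$mac" && valid_ipv4 "$ip" || {
        echo "vps_l2_rules: invalid interface, MAC or IPv4" >&2; return 1; }
    # FORWARD sees frames bridged to other ports; INPUT sees frames
    # addressed to the VPS host itself, so both chains get the rules.
    for chain in FORWARD INPUT; do
        echo "ebtables -A $chain -i $iface -s ! $mac -j DROP"
        echo "ebtables -A $chain -i $iface -p IPv4 --ip-src ! $ip -j DROP"
        echo "ebtables -A $chain -i $iface -p ARP --arp-mac-src ! $mac -j DROP"
        echo "ebtables -A $chain -i $iface -p ARP --arp-ip-src ! $ip -j DROP"
    done
    # Not covered here: IPv6 and other ethertypes pass these rules unchanged.
}

vps_l2_rules vnet3 52:54:00:12:34:56 192.0.2.10
```

Because the rules are keyed only on the VPS's interface, MAC and IP, the same call on the destination host recreates them after a migration.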
