Understanding Single-Host Virtual Network Models: NAT, Routing, Bridge, and Isolation
This article explains how Linux hosts use TAP/TUN to simulate virtual switches and layer‑3 devices, detailing four common single‑host virtual network models—NAT, routing, bridge, and isolation—and how they enable communication between virtual machines and external networks.
Whether on the Internet or in IoT deployments, the network model is visible to the operator, but virtualization and cloud computing introduce far more complex network models in which some devices are invisible, which makes them harder to operate. Studying Xen and KVM virtualization gives a basic understanding of single‑host virtual network models.
NAT Model
The NAT model uses TAP/TUN in a Linux host to simulate two virtual switches and a virtual layer‑3 NAT device. The DomU’s second virtual NIC connects to one switch, while the other switch links the Dom0 NIC and the physical NIC, allowing Dom0 to communicate externally. The virtual NAT device connects both switches and, using iptables SNAT/DNAT, enables communication between DomU and external hosts.
Routing Model
The routing model also relies on TAP/TUN to simulate virtual switches and a virtual router. The DomU’s second virtual NIC connects to one virtual switch, while the other switch connects Dom0 and the physical NIC, allowing Dom0 direct external communication. For DomU to reach external hosts, the virtual router must have appropriate routes, and external hosts need routes back to DomU.
Bridge Model
The bridge model creates a single virtual switch via TAP on the Linux host. The DomU’s second virtual NIC connects to this switch, which also connects Dom0 and the physical NIC, placing DomU and Dom0 on the same LAN. No additional policies are needed for communication within the LAN.
Isolation Model
The isolation model uses TAP to simulate two independent virtual switches: one connects only to the DomU’s second virtual NIC, the other connects Dom0 and the physical NIC. The switches are not linked, so DomU instances can communicate with each other but cannot reach Dom0 or external hosts, and vice versa.
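The four models above, wired up with iproute2 and iptables as an added shell example (not code from the original article). The names eth0 (physical NIC), tap0 (the TAP the DomU NIC attaches to), virbr0 (guest-only switch), br0 (switch shared with the physical NIC), the guest subnet 10.0.0.0/24 and the host address 10.0.0.1/24 are assumptions. The real commands need root on a host with TUN/TAP support, so DRY_RUN=1 prints each command instead of executing it.

```shell
#!/bin/sh
# Added example, not from the original article. Builds each single-host model
# with iproute2 and iptables. Assumed names: eth0 (physical NIC), tap0 (TAP the
# DomU NIC attaches to), virbr0 (guest-only switch), br0 (switch shared with
# the physical NIC), guest subnet 10.0.0.0/24, host address 10.0.0.1/24.
# Real runs need root and a TUN/TAP-capable kernel; DRY_RUN=1 prints instead.

PHYS=${PHYS:-eth0}
TAP=${TAP:-tap0}
GUEST_NET=${GUEST_NET:-10.0.0.0/24}
HOST_ADDR=${HOST_ADDR:-10.0.0.1/24}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Guest-side virtual switch: a bridge holding only TAP devices.
guest_switch() {
    run ip link add virbr0 type bridge
    run ip tuntap add dev "$TAP" mode tap
    run ip link set "$TAP" master virbr0
    run ip link set "$TAP" up
    run ip link set virbr0 up
}

# Isolation model: the guest switch exists but is never joined to the host
# side, so guests talk only to each other.
model_isolation() {
    guest_switch
}

# Bridge model: one switch holds the guest TAPs and the physical NIC, putting
# DomU and Dom0 on the same LAN (moving the host's own IP address from the
# physical NIC onto br0 is left to the operator).
model_bridge() {
    run ip link add br0 type bridge
    run ip tuntap add dev "$TAP" mode tap
    run ip link set "$TAP" master br0
    run ip link set "$PHYS" master br0
    run ip link set "$TAP" up
    run ip link set br0 up
}

# Shared part of the routing and NAT models: the host addresses the guest
# switch and acts as the virtual layer-3 device.
router_base() {
    guest_switch
    run ip addr add "$HOST_ADDR" dev virbr0
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i virbr0 -o "$PHYS" -s "$GUEST_NET" -j ACCEPT
}

# Routing model: packets are forwarded unchanged in both directions; the
# upstream router must also carry a route for GUEST_NET via this host.
model_routing() {
    router_base
    run iptables -A FORWARD -i "$PHYS" -o virbr0 -d "$GUEST_NET" -j ACCEPT
}

# NAT model: outbound traffic is SNATed (MASQUERADE) to the host's address;
# inbound is limited to replies unless a DNAT rule is added.
model_nat() {
    router_base
    run iptables -A FORWARD -i "$PHYS" -o virbr0 -d "$GUEST_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$GUEST_NET" -o "$PHYS" -j MASQUERADE
}

# DNAT: publish one guest port on the host, e.g. expose_guest_port 10.0.0.10 22 2222
expose_guest_port() {
    run iptables -t nat -A PREROUTING -i "$PHYS" -p tcp --dport "$3" \
        -j DNAT --to-destination "$1:$2"
    run iptables -A FORWARD -i "$PHYS" -o virbr0 -p tcp -d "$1" --dport "$2" \
        -m conntrack --ctstate NEW -j ACCEPT
}

case "${1:-}" in
    nat|routing|bridge|isolation) "model_$1" ;;
esac
```

Run as `DRY_RUN=1 sh models.sh nat` to see the rule set a model produces before applying it. The NAT model deliberately admits only ESTABLISHED,RELATED traffic from the physical side, so a guest is unreachable from outside until an explicit expose_guest_port call publishes one port; the routing model has no such asymmetry, which is exactly why it needs return routes on the external side.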
These are the common single‑host virtual network models; feedback is welcomed for further improvement.
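A defender's check for the same four models, added here and not part of the original article: given the host state reported by `ip -o link show`, `sysctl net.ipv4.ip_forward` and `iptables -t nat -S`, it infers which model a guest TAP is wired into and lists the guest ports that DNAT rules publish. The sample outputs are constructed, the interface names eth0/tap0/br0/virbr0 are assumptions, and the isolation-versus-routing split is a heuristic that looks only at ip_forward.

```shell
#!/bin/sh
# Added example, not from the original article: classify the model a guest TAP
# is wired into from three host observations. The sample outputs below are
# constructed; on a live host collect them with
#   ip -o link show ; sysctl net.ipv4.ip_forward ; iptables -t nat -S
# Interface names eth0/tap0/br0/virbr0 are assumptions.

# master_of LINKS IFACE: print the bridge IFACE is enslaved to (empty if none).
master_of() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        BEGIN { want = ifc ":" }
        $2 == want { for (i = 1; i <= NF; i++) if ($i == "master") print $(i + 1) }'
}

# classify_model LINKS FORWARD NATRULES PHYS TAP
# Decision order: same bridge as PHYS -> bridge; no forwarding -> isolation;
# SNAT/MASQUERADE out of PHYS -> nat; otherwise routing. The isolation/routing
# split is a heuristic: it only looks at ip_forward.
classify_model() {
    tap_br=$(master_of "$1" "$5")
    phys_br=$(master_of "$1" "$4")
    fwd=$(printf '%s\n' "$2" | sed -n 's/^net\.ipv4\.ip_forward *= *//p')
    if [ -z "$tap_br" ]; then
        echo unattached
    elif [ "$tap_br" = "$phys_br" ]; then
        echo bridge
    elif [ "$fwd" != 1 ]; then
        echo isolation
    elif printf '%s\n' "$3" | grep -Eq -e "-A POSTROUTING .*-o $4 .*-j (MASQUERADE|SNAT)"; then
        echo nat
    else
        echo routing
    fi
}

# exposed_guests NATRULES: list "hostport -> guest:port" for every DNAT rule.
exposed_guests() {
    printf '%s\n' "$1" | sed -n \
        's/.*--dport \([0-9]*\) -j DNAT --to-destination \([0-9.]*:[0-9]*\).*/\1 -> \2/p'
}

# Constructed sample state: guest-only switch layout (tap0 on virbr0, eth0 free),
# which is what the NAT, routing and isolation models all look like at layer 2.
LINKS_GUEST_SWITCH='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff
4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr0 state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether fe:54:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff'

# Constructed sample state: bridge layout (tap0 and eth0 both on br0).
LINKS_BRIDGE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether fe:54:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff'

# Constructed sysctl and iptables -t nat -S outputs.
FWD_ON='net.ipv4.ip_forward = 1'
FWD_OFF='net.ipv4.ip_forward = 0'
NAT_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.0.0.10:22
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE'
NO_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT'

# Walk the constructed samples.
printf 'nat host:       %s\n' "$(classify_model "$LINKS_GUEST_SWITCH" "$FWD_ON" "$NAT_RULES" eth0 tap0)"
printf 'routing host:   %s\n' "$(classify_model "$LINKS_GUEST_SWITCH" "$FWD_ON" "$NO_NAT" eth0 tap0)"
printf 'bridge host:    %s\n' "$(classify_model "$LINKS_BRIDGE" "$FWD_OFF" "$NO_NAT" eth0 tap0)"
printf 'isolated host:  %s\n' "$(classify_model "$LINKS_GUEST_SWITCH" "$FWD_OFF" "$NO_NAT" eth0 tap0)"
printf 'published:      %s\n' "$(exposed_guests "$NAT_RULES")"
```

The useful property for an operator is that the three "guest-only switch" models are indistinguishable at layer 2; what separates isolation from routing from NAT lives entirely in ip_forward and the nat table, so an audit that only looks at bridge membership will misreport a guest that has quietly gained an outbound path.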
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
MaGe Linux Operations