Bridge or NAT? The best KVM network configuration
2025.04.29
In KVM virtualization, network settings are crucial to the connection speed and performance of virtual machines. The libvirt tool simplifies network management by providing two main types of networks: bridged networks and NAT networks. These two methods suit different scenarios: bridged networks are better suited to production environments, while NAT networks are better suited to development or testing environments.
NAT Network
After installing KVM, a default NAT network is set up automatically, and your virtual machines can access the Internet through it. This NAT network is actually a virtual switch plus some network rules. That may sound a bit complicated, but a picture makes it clearer.
In KVM's NAT network, the virtual machine is connected to the host machine through a virtual switch. An iptables SNAT rule rewrites the virtual machine's IP address to the host machine's IP address, so the virtual machine reaches the external network through the host's physical network card. Because only SNAT is configured and no DNAT, the virtual machine can reach the external network, but the external network cannot reach the virtual machine directly. If you want the external network to reach services on the virtual machine, you must configure DNAT manually. "External network" here means the local area network (such as the office network), not the Internet.
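The DNAT step mentioned above, as an added example that is not part of the original post: a libvirt qemu hook (installed as /etc/libvirt/hooks/qemu) that inserts the port-forwarding rules when the guest starts and removes them when it stops, so the guest is exposed for exactly as long as it runs. virbr0, enp6s18 and the guest name ubuntu-cloud come from the post; the guest address 192.168.122.10 (libvirt's default NAT subnet is 192.168.122.0/24), the guest port 80 and the host port 8080 are constructed sample values. The rules are produced as text by `dnat_rules`, so you can review them before the hook pipes them to sh.

```shell
#!/bin/sh
# Added example, not the post's own code: libvirt qemu hook that exposes one
# TCP service of a NAT-attached guest while the guest is running.
# virbr0 / enp6s18 / ubuntu-cloud are from the post; the guest IP and both
# ports are constructed sample values.

NAT_BRIDGE="${NAT_BRIDGE:-virbr0}"      # libvirt's default NAT bridge
PHYS_IF="${PHYS_IF:-enp6s18}"           # host physical NIC facing the LAN
GUEST_NAME="${GUEST_NAME:-ubuntu-cloud}"
GUEST_IP="${GUEST_IP:-192.168.122.10}"  # constructed; give the guest a DHCP reservation
GUEST_PORT="${GUEST_PORT:-80}"          # service port inside the guest
HOST_PORT="${HOST_PORT:-8080}"          # port the LAN connects to on the host

# dnat_rules <insert|delete> <guest_ip> <guest_port> <host_port>
# Prints the two iptables commands for one exposed service. -I (insert at the
# top) is needed because libvirt's own FORWARD rules reject unrelated traffic
# into virbr0; -D removes exactly the same rule again.
dnat_rules() {
    act="$1"; gip="$2"; gport="$3"; hport="$4"
    case "$act" in
        insert) flag="-I" ;;
        delete) flag="-D" ;;
        *) echo "dnat_rules: unknown action '$act'" >&2; return 2 ;;
    esac
    # Match only on the physical NIC: the host's own connections to HOST_PORT
    # are not redirected, and the guest is reachable only from the interface
    # you meant to expose it on.
    printf 'iptables -t nat %s PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$flag" "$PHYS_IF" "$hport" "$gip" "$gport"
    # Accept only new connections to that one guest port; return traffic is
    # covered by libvirt's existing ESTABLISHED,RELATED rule.
    printf 'iptables %s FORWARD -i %s -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$flag" "$PHYS_IF" "$NAT_BRIDGE" "$gip" "$gport"
}

# hook_main <guest> <operation> ...: the arguments libvirt passes to the hook.
# "reconnect" (libvirtd restarted under a running guest) re-applies the rules.
hook_main() {
    [ "$1" = "$GUEST_NAME" ] || return 0
    case "$2" in
        stopped|reconnect) dnat_rules delete "$GUEST_IP" "$GUEST_PORT" "$HOST_PORT" | sh ;;
    esac
    case "$2" in
        start|reconnect)   dnat_rules insert "$GUEST_IP" "$GUEST_PORT" "$HOST_PORT" | sh ;;
    esac
}

# Act as a hook only when installed under libvirt's hook directory; when the
# file is sourced for review the functions are merely defined.
case "$0" in
    */hooks/qemu) hook_main "$@" ;;
esac
```

Give the guest a fixed address (a DHCP host reservation in the default network, edited with `virsh net-edit default`) so the rule keeps pointing at the right machine, and keep the match bound to the physical interface: a DNAT rule without `-i` also captures the host's own connections to that port. Running `dnat_rules insert 192.168.122.10 80 8080` on its own prints the two rules for inspection without applying anything.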
enp6s18 is the host's real network card, and virbr0 is the virtual switch that KVM configured as the default NAT network. With the default NAT, virtual machines connect to virbr0. Since no virtual machine is running yet, you will not see any change to the network interfaces. When you start a virtual machine (such as ubuntu-cloud), KVM creates a new virtual network card for it. Next, we start this virtual machine to see what happens.
After you start the ubuntu-cloud virtual machine and run the ip a command again, you will find one more network interface than before. This change is shown in the figure below:
When you start the ubuntu-cloud virtual machine, you will find an additional network card named vnet0. Its function is to connect the ubuntu-cloud virtual machine to the virbr0 switch. You can think of it as a network cable: one end is connected to the ubuntu-cloud virtual machine (through its internal virtual network card) and the other end to the virbr0 switch (through vnet0). In short, vnet0 is a virtual network card created specifically so that ubuntu-cloud can communicate with virbr0. Running the brctl show command shows the relationship between virbr0 and vnet0 more clearly.
Now there is a virtual switch called virbr0 with two interfaces, virbr0-nic and vnet0. The virbr0-nic interface connects to the physical network card (the host's eth interface), and the vnet0 interface connects to the virtual network card (the guest's eth interface) inside the ubuntu-cloud virtual machine. Now you can picture how they are connected, right?
With the above knowledge, we can refine the model diagram of the NAT network as follows:
Bridged Network
In our production environment we chose the bridged network model, which puts virtual machines and the host machine at the same level on the network. For example, our company's servers are in the 192.168.99.0/24 network segment, and server A has the IP address 192.168.99.66. On this server we used KVM to create two virtual machines, A1 and A2, and through the bridged network configuration assigned them the IP addresses 192.168.99.67 and 192.168.99.68 respectively.
From the perspective of the physical switch, host A and virtual machines A1 and A2 are independent devices connected directly to the switch; at the network level the three are independent entities. Other computers in the company can therefore access services on A1 or A2 directly by IP address, just like any other network node. This configuration simplifies network management and improves resource utilization and service accessibility.
Set up a bridge network
Before creating the bridge network, it is recommended to check the current network information.
Remove the enp6s18 network interface from the virbr0 bridge device:
Configure the bridge to point to br0:
Configure br0:
Add a network interface to the bridge device:
After the configuration succeeds, use the following command to view the result:
The bridge br0 we created here is now ready to use. A virtual machine can use either of these two bridges: br0 for bridge mode and virbr0 for NAT mode.
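The bridge setup steps above, worked through as an added example (the post's own commands are not reproduced on the page, so these are iproute2 and virsh equivalents written for this page, not the author's): detach enp6s18 from any bridge it sits on, create br0, move the host's address onto br0, make enp6s18 a port of br0, and register br0 with libvirt as a bridge-mode network that guests can attach to. enp6s18, br0 and 192.168.99.66/24 come from the post; the gateway 192.168.99.1 and the libvirt network name br0 are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own commands: build br0 from the host's
# physical NIC and register it with libvirt as a bridge-mode network.
# enp6s18, br0 and 192.168.99.66/24 are from the post; the gateway and the
# libvirt network name are assumptions.

PHYS_IF="${PHYS_IF:-enp6s18}"
BRIDGE="${BRIDGE:-br0}"
HOST_CIDR="${HOST_CIDR:-192.168.99.66/24}"   # the host keeps its address, now on br0
GATEWAY="${GATEWAY:-192.168.99.1}"           # assumed LAN gateway

# valid_cidr: syntax check before touching the link; a typo here leaves a
# remote host unreachable.
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# bridge_batch: the post's steps in ip(8) batch syntax, in order. Running them
# through one "ip -batch" invocation moves the address from the NIC to the
# bridge with no shell round-trip in between, so an SSH session that arrived
# over enp6s18 survives the switch.
bridge_batch() {
    valid_cidr "$HOST_CIDR" || { echo "bridge_batch: bad CIDR '$HOST_CIDR'" >&2; return 1; }
    cat <<EOF
link set dev $PHYS_IF nomaster
link add name $BRIDGE type bridge
link set dev $BRIDGE up
addr flush dev $PHYS_IF
link set dev $PHYS_IF master $BRIDGE
addr add $HOST_CIDR dev $BRIDGE
route replace default via $GATEWAY dev $BRIDGE
EOF
}

# libvirt_net_xml: the network a guest attaches to with
# <interface type="network"><source network="br0"/></interface>.
libvirt_net_xml() {
    cat <<EOF
<network>
  <name>$BRIDGE</name>
  <forward mode="bridge"/>
  <bridge name="$BRIDGE"/>
</network>
EOF
}

# apply: run the batch, then define and autostart the libvirt network.
# Runtime ip(8) changes are lost on reboot; once they work, persist them in
# the distribution's network configuration (netplan, NetworkManager, ifupdown).
apply() {
    bridge_batch | ip -batch -
    tmp=$(mktemp) && libvirt_net_xml > "$tmp" && virsh net-define "$tmp" && rm -f "$tmp"
    virsh net-start "$BRIDGE" && virsh net-autostart "$BRIDGE"
    bridge link show   # modern equivalent of brctl show: lists enp6s18 as a port of br0
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run it as root with the argument `apply` (saved as, say, bridge.sh: `sh bridge.sh apply`), preferably from a console or out-of-band session; without the argument it only defines the functions, and `bridge_batch` alone prints the planned commands for review. Once a guest interface references `<source network="br0"/>`, that guest is a first-class node on the 192.168.99.0/24 LAN and the host's iptables no longer sits between it and the office network, which is the flip side of the accessibility described above; filter inside the guest or with libvirt's nwfilter (the stock `clean-traffic` filter also stops a guest from using another node's IP or MAC address).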