Full VM isolation between two (d)vSwitches – is it doable?



I’ve been searching all over and cannot find an answer to this… Is it possible to restrict a VM to a certain vSwitch or group of vSwitches on the same hypervisor?

I have two NICs on my hypervisor. Each NIC is connected to a completely different network; the two networks cannot talk to each other no matter what, and each physical NIC is mapped to its own vSwitch at the hypervisor level.


Now I want a way to say: if VM A is in vSwitch 1, it may absolutely not have a vNIC on a network that lives in vSwitch 2.


What I’m trying to avoid is an intentional or accidental ‘bridge’ across two completely isolated networks, to satisfy the requirements of my corporate security people, while still being able to use a single hypervisor to host VMs on unrelated networks in a shared compute environment instead of buying dedicated compute for each separate network…


Would appreciate if anyone has any insights on this…

  1. The problem that you will run into with security is that if these two networks are supposed to be air-gapped, then having them both on the same physical server may violate the design.

  2. Any change to a VM that causes a switch change would show up in the logs. Your logging solution could alert if anyone moved a VM from the Coke switch to the Pepsi switch.

    Also, use RBAC to limit the ability to perform the move to a small number of people.
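The logging-and-RBAC approach in the reply above can be backed by an explicit check: a VM must never hold vNICs on more than one vSwitch, and no vNIC may sit on a port group outside the VM's home switch. The following is an added example written for this thread, not code from the original post or any vendor tool. It assumes constructed port group and VM names and a made-up event-line format; in a real deployment the port-group-to-vSwitch map would be pulled from the host's network configuration and the events from the hypervisor's reconfigure-event stream (for vSphere, VmReconfiguredEvent records). The same logic applies to a distributed vSwitch, since the port group is still what ties a vNIC to a switch.

```python
import re
from dataclasses import dataclass

# Constructed inventory for this example: which vSwitch each port group
# belongs to. A vNIC only reaches a vSwitch through a port group, so this
# map is the whole policy surface.
PORTGROUP_TO_SWITCH = {
    "coke-prod": "vSwitch1",
    "coke-backup": "vSwitch1",
    "pepsi-prod": "vSwitch2",
}

# Constructed policy: the single vSwitch each VM is allowed to touch.
VM_HOME_SWITCH = {
    "vm-a": "vSwitch1",
    "vm-b": "vSwitch2",
    "vm-c": "vSwitch1",
}


@dataclass(frozen=True)
class Vnic:
    vm: str
    label: str
    portgroup: str


def switch_of(portgroup):
    """vSwitch backing a port group, or None if the port group is unknown."""
    return PORTGROUP_TO_SWITCH.get(portgroup)


def find_bridging_vms(vnics):
    """{vm: sorted vSwitch list} for every VM whose vNICs span more than one
    vSwitch. This is the 'accidental bridge' check and needs no policy table:
    two switches on one VM is always wrong in this design."""
    switches = {}
    for nic in vnics:
        switches.setdefault(nic.vm, set()).add(switch_of(nic.portgroup) or "<unknown>")
    return {vm: sorted(s) for vm, s in switches.items() if len(s) > 1}


def find_policy_violations(vnics):
    """(vm, label, portgroup, reason) for every vNIC not on its VM's home
    vSwitch. Unknown VMs and unknown port groups are reported as well, so the
    check fails closed instead of silently passing."""
    out = []
    for nic in vnics:
        home = VM_HOME_SWITCH.get(nic.vm)
        actual = switch_of(nic.portgroup)
        if home is None:
            out.append((nic.vm, nic.label, nic.portgroup, "vm not in policy"))
        elif actual is None:
            out.append((nic.vm, nic.label, nic.portgroup, "unknown port group"))
        elif actual != home:
            out.append((nic.vm, nic.label, nic.portgroup, f"on {actual}, home is {home}"))
    return out


# Constructed event-line format (not a real vCenter format):
#   <timestamp> user=<who> vm=<name> nic="<label>" portgroup=<new port group>
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) vm=(?P<vm>\S+) '
    r'nic="(?P<nic>[^"]+)" portgroup=(?P<pg>\S+)$'
)


def alerts_from_events(lines):
    """Run the policy check over a stream of reconfigure events, so a move
    onto the other switch is caught when it happens, not at the next audit."""
    alerts = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a vNIC change; ignore
        for _, label, pg, reason in find_policy_violations([Vnic(m["vm"], m["nic"], m["pg"])]):
            alerts.append(f"{m['ts']} {m['user']} moved {m['vm']}/{label} to {pg}: {reason}")
    return alerts


# Constructed sample data.
SAMPLE_INVENTORY = [
    Vnic("vm-a", "Network adapter 1", "coke-prod"),
    Vnic("vm-b", "Network adapter 1", "pepsi-prod"),
    Vnic("vm-c", "Network adapter 1", "coke-prod"),
    Vnic("vm-c", "Network adapter 2", "pepsi-prod"),  # the bridge
]

SAMPLE_EVENTS = [
    '2024-05-01T10:00:00Z user=alice vm=vm-a nic="Network adapter 1" portgroup=coke-backup',
    '2024-05-01T10:05:00Z user=bob vm=vm-a nic="Network adapter 2" portgroup=pepsi-prod',
    '2024-05-01T10:06:00Z user=bob vm=vm-b nic="Network adapter 1" portgroup=dmz',
    '2024-05-01T10:07:00Z host=esx01 power on vm=vm-a',
]

if __name__ == "__main__":
    print("bridging VMs:", find_bridging_vms(SAMPLE_INVENTORY))
    for v in find_policy_violations(SAMPLE_INVENTORY):
        print("VIOLATION", v)
    for a in alerts_from_events(SAMPLE_EVENTS):
        print("ALERT", a)
```

Run the inventory check on a schedule against a fresh export of the host's vNIC list, and the event check against the audit feed; the first catches anything that slipped past RBAC or was created outside the usual change path, the second gives the "who moved what, when" record the security team will ask for.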

