A systems administrator is building a sandbox on a workstation-class hypervisor. The virtual machines must be able to communicate with each other and with the host PC, and they need outbound Internet access for downloading updates. At the same time, the VMs must not be directly reachable from any other device on the physical LAN unless the administrator manually configures port forwarding. Which virtual network mode should the administrator select for the VMs?
Network Address Translation (NAT). NAT places the VMs behind an internal, software-based router that shares the host's IP address. The guests can initiate outbound traffic to the Internet and exchange traffic with the host (and, if desired, with one another), but inbound sessions from the physical LAN are blocked unless specific port-forwarding rules are created. Bridged or direct-access networking gives each VM its own address on the LAN, so any workstation on that segment could reach the VM, violating the isolation requirement. Host-only networking provides isolation but offers no path to the public Internet unless an additional NAT device is introduced. SR-IOV (or other passthrough methods) exposes the VM directly to the physical NIC, again placing it on the production LAN and eliminating the desired barrier. Therefore, NAT best satisfies all stated constraints.