I'm managing a remote dedicated server on which I've installed Proxmox as the hypervisor. I'm looking for the security best practices to secure the hypervisor (Proxmox) while giving public access to some individual VMs. I'm using pfSense as the internal firewall/router. The Proxmox web interface has 2FA enabled. I'm considering various options:
1) No network access for the hypervisor. Pass through the single networking card and public IP to the pfSense VM. If pfSense became unreachable, this would require KVM access (which is possible, but has to be manually requested, so not ideal). Example config: https://github.com/pekare/hetzner-proxmox-pfsense
2) Hypervisor has a public IP and can only be reached by SSH. Using port forwarding I can access the Proxmox web interface. Hypervisor would use the built-in Proxmox firewall and use fail2ban. Setup somewhat similar to: https://dominicpratt.de/hetzner-and-proxmox-pfsense-as-gateway/
3) Other options I'm missing?
Thanks for your answers!