There's a lot of ports running on proxmox, by default
- The cman
- gluster (in my case, and that cannot be protected easily)
- the proxy on port 8006
I mean... there is a handful for any hacker to play with.
On my current installation, I keep the cluster nodes on a private network behind a firewall. However, that is not optimal for customers that need to login in a VPN before being allowed access.
Also, all VM and CT are on their own private network. They're behind a firewall too, but as you guess this model is quickly getting expensive and difficult to manage.
I would like to secure the proxmox node properly on a public network and perhaps run the cluster on a dedicated vlan on private addresses.
Then I'd keep the VM and CT with public addresses directly connected to the internet.
What I'm looking for in reality seems to be a separation between the nodes and their management and the CT/VM network (like openstack and similar projects).
Is this possible ?