How-to: VirtualBox Internal Network Mode (2021)

Continuing our VirtualBox series, here's how-to: VirtualBox Internal Network Mode updated for 2021. This is taken from The VirtualBox Networking Primer in paperback and Kindle Ebook formats on Amazon as well as ebooks on Kobo and Apple Books.

Let's look at the Internal Network mode in VirtualBox.

Internal Network

If you want several guest machines to communicate with each other on one host, but with nothing else, then use the Internal Network mode.

Although you can use Bridged Networking for this purpose, Internal Network is more secure.

Internal network takes place inside the virtual network of the Guest machines, without any access for the Host, or any access for the virtual machines to the outside world. Internal Network is effectively an isolated private LAN for your virtual machines. VirtualBox ensures that all traffic on that network stays within the Host and is only visible to virtual machines on that virtual network. None of it goes through the Host's physical network interface – it is entirely virtual, with VirtualBox acting as a network switch. Only those Guests connected to the same internal network will be able to communicate with each other.

The Host is explicitly not a member of the internal network. This mode is entirely contained within VirtualBox and allows virtual machines to function even when the Host is not itself connected to any network, so that you can test clients and servers within their own little universe; sometimes that is all you need.

Possible uses might be running a top-secret development server and clients, conducting penetration testing or otherwise creating a secure Intranet for a team or organisation. It's an ideal way to lock down an environment against unauthorised software installs, downloads, uploads and Facebook-ing during office hours.

Internal Network (extended)

Figure 22: Internal Network (extended)

Internal Network is deliberately limited to a self-contained universe, which is fine if every resource you need exists there, or can be created inside. That would be the case for virtual machines VM1, VM2 and VM3 shown on an Internal Network. If they need access to external resources, or if we want to model physical networks, we have to extend the schema by adding another network mode to talk to the outside world, as illustrated. The NAT adapter added to VM1 turns it into a gateway to the VirtualBox network and Internet.

Practice: Internal Network with Extension

This is where Internal Networking becomes more useful in modelling real networks; you can create virtual infrastructure.

Extending the Internal Network by adding an adapter to one machine in a different mode (say, NAT or Bridged) provides a gateway to the outside world.

This is the more useful schema illustrated above. In this example, three virtual machines initially each have virtual network Adapter 1 connected to the Internal Network. The IP addresses of these network adapters are assigned from the subnet used for the VirtualBox Internal Network. That subnet has to be defined manually. In this set up, they can talk to each other but not to the Host or the outside world.

By adding Adapter 2 configured to operate in NAT mode to virtual machine VM1, it becomes a virtual-router. Install a Linux operating system and configure IPTABLES as the default firewall, this VM1 becomes the access point to the Host and the wider networked world beyond.

If the IP address of the internal network adapter of Virtual-Router is set as a gateway in the network settings of VM2 and VM3, they can have access to external networks.

The network configuration used in this example becomes:

VM1 Virtual-Router. IP addresses:

  • – internal network
  • – NAT mode
  • – gateway, the IP address of the built-in VirtualBox NAT device

VM2 client. IP addresses:

  • – internal network
  • – gateway

Client-2. IP addresses:

  • – internal network
  • – gateway

VirtualBox internal network subnet:

As a side note, veteran network administrators would likely prefer to use Bridged mode for the second virtual network adapter of the Virtual-Router machine so that it has a fixed IP address when connecting to/from external networks.

Second side note: VirtualBox provides no utility services such as DHCP under Internal Network, so your virtual machines must be statically addressed or one of them needs to provide a DHCP/Name service to the internal network.