All physical servers in the Oracle VM environment are connected to the management network. Oracle VM Manager and the Oracle VM Servers communicate over the management network through the Oracle VM Agent, which runs on each server.
Strictly speaking, none of the physical servers need to be reachable externally, so it is recommended that the management network uses a private subnet. This private subnet may be reachable from within your corporate network or a portion of it. If the management network is not a private subnet, or if further security hardening is required, you can restrict access to the IP addresses of the Oracle VM Servers only. The goal is to protect the management network so that it is not exposed to users and machines that do not need to access the physical Oracle VM environment.
In addition to firewall configurations in your corporate network, the use of a VLAN may further shield the management network from unauthorized access. If management network access from outside the corporate network is required, consider enabling it through a VPN tunnel.
For all firewall configurations in your corporate network
you must reckon with the same port requirements as described
above for iptables on the Oracle VM
management server.
Depending on your server hardware and network resources you may want to further segregate network traffic by network role (management, storage, migration, virtual machines, heartbeat). The network model and its security implications are described in detail in Section 3.1, “Oracle VM Network Model”.