Security is the first thing that comes to mind. Compartmentalization prevents or at least makes it considerably harder for compromised services to screw up all the others.
Another thing would be that it might be easier to manage backups and snapshots.
Am I doing something wrong? All my services are grouped in docker compose files. Containers that have to communicate internally - a server and it’s db for example - are on their own private docker network. A reverse proxy has its ports 80 and 443 open and it is on an external docker network. Services that I need to access from the outside are on this network and they do not have any ports open. Except for the torrent client, which has a UDP port open.
It’s strong, but splitting services into separate VMs is stronger than just using separate docker containers. This is especially true for the torrent client.
I’m not a netsec professional, this is just my understanding of best practices.
Why do you use two separate Debian VMs plus a truenas VM running nextcloud?
Security is the first thing that comes to mind. Compartmentalization prevents or at least makes it considerably harder for compromised services to screw up all the others.
Another thing would be that it might be easier to manage backups and snapshots.
From my understanding, it’s helpful that each VM will have its own IP so ports can be opened only on specific VMs, increasing overall security.
Am I doing something wrong? All my services are grouped in docker compose files. Containers that have to communicate internally - a server and it’s db for example - are on their own private docker network. A reverse proxy has its ports 80 and 443 open and it is on an external docker network. Services that I need to access from the outside are on this network and they do not have any ports open. Except for the torrent client, which has a UDP port open.
It’s strong, but splitting services into separate VMs is stronger than just using separate docker containers. This is especially true for the torrent client.
I’m not a netsec professional, this is just my understanding of best practices.
I am also just a hobbyist, so that was a genuine question. Thanks for the answer.
Same here! Good luck with your setup!!