firecracker-vm-network-config
This document explains how to set up host-side networking for a Firecracker microVM. The goal is to give the microVM basic networking and internet access using a TAP device and NAT.
This setup is meant to be simple, reusable, and easy to understand.
What This Setup Does
On the host machine, we:
- Create a TAP device
- Assign an IP address to the TAP device
- Enable IPv4 forwarding
- Add NAT rules for internet access
NOTE: Run the host setup script (host-network-config.sh, below) before starting Firecracker.
Basic Terminology
TAP Device
A TAP device is a kernel-created virtual network interface operating at Layer 2 (Data Link Layer). It behaves like a virtual Ethernet card whose packets can be handled by a userspace program (Firecracker here).
NAT (Network Address Translation)
NAT rewrites IP addresses so multiple devices can share one public IP. This allows the microVM to use the host's internet access.
Host Network Setup Script
File: host-network-config.sh
#!/bin/bash
# ============================================
# Firecracker Networking Setup (HOST SIDE)
# ============================================
# This script:
# 1. Creates TAP device
# 2. Assigns IP to TAP
# 3. Enables IP forwarding
# 4. Adds NAT rules for internet access
#
# Run this ON THE HOST before starting Firecracker
# ============================================
set -e
# Configuration (TAP device name and IP can be changed as needed)
TAP_DEV="tap0"
HOST_TAP_IP="172.16.0.1/24"
VM_SUBNET="172.16.0.0/24"
# Detect default internet interface automatically (first default route only)
WAN_IFACE=$(ip route show default | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i + 1); exit}}')
if [ -z "$WAN_IFACE" ]; then
    echo "[!] No default route found; cannot detect WAN interface" >&2
    exit 1
fi
echo "[+] Using WAN interface: $WAN_IFACE"
# 1. Create TAP device (|| true ignores "already exists" on re-runs)
echo "[+] Creating TAP device: $TAP_DEV"
sudo ip tuntap add "$TAP_DEV" mode tap || true
# 2. Assign IP to TAP and bring the interface up
sudo ip addr add "$HOST_TAP_IP" dev "$TAP_DEV" || true
sudo ip link set "$TAP_DEV" up
# 3. Enable IP forwarding (host-wide; not persistent across reboots)
echo "[+] Enabling IPv4 forwarding"
sudo sysctl -w net.ipv4.ip_forward=1
# 4. NAT rules (iptables); -A appends, so every re-run adds another copy of each rule
echo "[+] Adding NAT rules"
sudo iptables -t nat -A POSTROUTING -s "$VM_SUBNET" -o "$WAN_IFACE" -j MASQUERADE
sudo iptables -A FORWARD -i "$WAN_IFACE" -o "$TAP_DEV" -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i "$TAP_DEV" -o "$WAN_IFACE" -j ACCEPT
echo "[✓] Network setup complete"
echo "[✓] Now we are ready to start Firecracker"
Result
- The host has a TAP interface
- IP forwarding is enabled
- VM traffic is NATed through the host
- Firecracker microVMs can access the internet
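The host script appends its three iptables rules with -A, so each re-run adds another copy and nothing removes them once the microVM is gone. The following is an added example, not part of the original scripts: it applies the same three rules only when missing and deletes every copy on teardown. The `IPT` variable, the `fc_*` function names and the file name `fc-nat-rules.sh` are assumptions introduced here; the TAP device and the `ip_forward` sysctl are not touched.

```shell
#!/bin/bash
# Added example, not part of the original scripts.
# IPT is an assumed override hook: the command used to invoke iptables.
IPT=${IPT:-"sudo iptables"}

# The three rules from host-network-config.sh, one per line,
# as "<table> <chain> <rule-spec>". Args: TAP_DEV WAN_IFACE VM_SUBNET
fc_rules() {
    echo "nat POSTROUTING -s $3 -o $2 -j MASQUERADE"
    echo "filter FORWARD -i $2 -o $1 -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "filter FORWARD -i $1 -o $2 -j ACCEPT"
}

# Append a rule only when `iptables -C` reports it is missing.
fc_apply() {
    while read -r _t _c _s <&3; do
        # $_s is left unquoted on purpose so it splits into arguments
        $IPT -t "$_t" -C "$_c" $_s 2>/dev/null || $IPT -t "$_t" -A "$_c" $_s || return 1
    done 3<<EOF
$(fc_rules "$@")
EOF
}

# Delete every copy of each rule, including duplicates left by repeated -A runs.
fc_teardown() {
    while read -r _t _c _s <&3; do
        while $IPT -t "$_t" -C "$_c" $_s 2>/dev/null; do
            $IPT -t "$_t" -D "$_c" $_s || return 1   # avoid looping if -D fails
        done
    done 3<<EOF
$(fc_rules "$@")
EOF
}

# Usage (hypothetical file name): ./fc-nat-rules.sh apply|teardown TAP_DEV WAN_IFACE VM_SUBNET
case "${1:-}" in
    apply)    shift; fc_apply "$@" ;;
    teardown) shift; fc_teardown "$@" ;;
esac
```

Run `teardown` with the same three values the setup used, since `iptables -D` only matches a rule whose specification is identical.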
VM Network Setup
File: vm-net-config.sh
#!/bin/bash
# ============================================
# Firecracker VM Network Setup (VM SIDE)
# ============================================
set -e
# Configuration values (must match the host-side subnet; GATEWAY is the host's TAP IP)
VM_IP="172.16.0.2/24"
GATEWAY="172.16.0.1"
IFACE="eth0"
ip addr add "$VM_IP" dev "$IFACE" || true
ip link set "$IFACE" up
ip route add default via "$GATEWAY" || true
# DNS (overwrites any existing /etc/resolv.conf)
echo "nameserver 8.8.8.8" > /etc/resolv.conf
echo "[✓] VM network configured"