This chapter covers virtual machine networking modes, a key topic in the CompTIA A+ 220-1101 exam under Objective 4.1 (Virtualization Cloud). Understanding the differences between bridged, NAT, and host-only networking is critical because exam questions often test your ability to select the correct mode based on a given scenario. Approximately 5–10% of the virtualization questions on the exam relate to networking modes, and you must know the default behavior, IP addressing implications, and use cases for each mode.
Imagine a house (the host machine) with several rooms (VMs). Each room has a window (virtual NIC).
In bridged mode, each room has its own door directly to the outside street (physical network). The house number is the same, but each room has a unique apartment number (IP address on the same subnet). From outside, you can knock on any room's door directly.
In NAT mode, the house has one front door (the host's IP) and a concierge (NAT engine). When a room wants to go outside, the concierge opens the door, records the room's identity and destination, and lets them out. When someone outside replies, the concierge checks their log and delivers the message to the correct room. No one outside knows the rooms exist—they only see the house's front door.
In host-only mode, the house is in a gated community with no exit to the outside. Rooms can talk to each other and the concierge, but not to the street. Internal bridges (virtual switches) connect rooms within the house.
The concierge in NAT mode also runs a DHCP service, assigning internal addresses (like room numbers) automatically. Bridged mode requires the physical network to have enough IP addresses, like a street with enough house numbers for every room. NAT mode conserves IPs but requires the concierge to remember every conversation. Host-only mode is for private meetings—rooms can share files but never go outside.
What Are Virtual Machine Networking Modes?
Virtual machine networking modes define how a virtual machine (VM) communicates with the host machine, other VMs on the same host, and external networks (including the internet). In virtualization platforms like VMware Workstation, Oracle VirtualBox, and Microsoft Hyper-V, the hypervisor provides virtual network adapters (vNICs) that connect to virtual switches (vSwitches). These vSwitches can operate in different modes, each offering a distinct level of isolation and connectivity.
Why Networking Modes Exist
Networking modes exist to address different requirements:
Isolation: Some VMs must be completely isolated from the external network for security testing or malware analysis.
Resource sharing: VMs may need to share the host's internet connection without requiring separate IP addresses on the physical network.
Direct accessibility: Some VMs, like web servers, must be directly reachable from the external network.
The three primary modes are bridged, NAT (Network Address Translation), and host-only. Each mode maps to a specific virtual switch configuration in the hypervisor.
How Bridged Mode Works
In bridged mode, the VM's vNIC connects to a virtual bridge that is directly attached to the host's physical network adapter. The VM appears as a separate device on the same physical network segment as the host.
Mechanism:
The hypervisor creates a virtual bridge (e.g., vmnet0 in VMware) that binds to the host's physical NIC.
The VM's vNIC is connected to this bridge.
The bridge forwards Ethernet frames between the VM and the physical network without modification.
The VM obtains an IP address from the same DHCP server that serves the physical network, or it can use a static IP in the same subnet as the host.
From the perspective of other devices on the physical network, the VM has its own MAC address and IP address. Traffic to and from the VM is treated like any other endpoint.
Key characteristics:
The VM can communicate with the host, other VMs (if they are also in bridged mode on the same bridge), and any device on the physical network.
The VM can access the internet if the physical network provides internet access.
The physical network must have available IP addresses for each bridged VM.
The VM's IP address is typically on the same subnet as the host.
How NAT Mode Works
NAT mode uses network address translation to allow VMs to share the host's IP address for outbound traffic. The hypervisor runs a NAT engine and a DHCP server for the virtual network.
Mechanism:
The hypervisor creates a private virtual network (e.g., vmnet8 in VMware) with a distinct subnet (commonly 192.168.x.0/24).
A virtual DHCP server assigns IP addresses to VMs on this private subnet.
The NAT engine resides on the host and translates the private IP addresses of VMs to the host's IP address when traffic goes to the external network.
The NAT engine maintains a translation table that maps each VM's private IP:port to the host's IP:port.
Return traffic is translated back using the table entries.
Key characteristics:
VMs can initiate outbound connections to the internet and other external networks.
External devices cannot initiate connections to VMs unless port forwarding is configured.
The host can communicate with VMs using the private IP addresses.
VMs can communicate with each other on the same private network.
The host acts as a gateway for the VMs.
Default values:
VMware NAT network: 192.168.124.0/24 (varies by version)
VirtualBox NAT network: 10.0.2.0/24
DHCP server typically assigns addresses for a lease time of 30 minutes to 24 hours.
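The translation-table behaviour described above, as an added example (not code from any hypervisor): a simplified Python model of a NAT engine showing an outbound flow, its reply, an unsolicited inbound packet being dropped, and the same packet passing once a port forward exists. The class, the host address 203.0.113.10 and the remote addresses are constructed for illustration; matching replies on the exact remote endpoint is a modelling assumption.

```python
from dataclasses import dataclass, field

HOST_IP = "203.0.113.10"  # constructed: the host's address on the physical network


@dataclass
class NatEngine:
    """Simplified model: one table for flows started by VMs, one for static forwards."""
    host_ip: str = HOST_IP
    next_port: int = 40000                        # next free host-side port
    out_map: dict = field(default_factory=dict)   # (vm_ip, vm_port, dst_ip, dst_port) -> host_port
    in_map: dict = field(default_factory=dict)    # (host_port, remote_ip, remote_port) -> (vm_ip, vm_port)
    forwards: dict = field(default_factory=dict)  # host_port -> (vm_ip, vm_port)

    def outbound(self, vm_ip, vm_port, dst_ip, dst_port):
        """A VM opens a connection: the source is rewritten to host_ip:host_port."""
        key = (vm_ip, vm_port, dst_ip, dst_port)
        if key not in self.out_map:
            host_port = self.next_port
            self.next_port += 1
            self.out_map[key] = host_port
            self.in_map[(host_port, dst_ip, dst_port)] = (vm_ip, vm_port)
        return (self.host_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, host_port):
        """A packet reaches host_ip:host_port: return the VM endpoint, or None if dropped."""
        hit = self.in_map.get((host_port, src_ip, src_port))
        if hit is not None:                    # reply to a flow a VM started
            return hit
        return self.forwards.get(host_port)    # static port forward, otherwise None

    def add_port_forward(self, host_port, vm_ip, vm_port):
        """Static rule: anything arriving on host_port goes to vm_ip:vm_port."""
        self.forwards[host_port] = (vm_ip, vm_port)


def demo():
    nat = NatEngine()
    vm = "10.0.2.15"                                         # VirtualBox NAT range from this page
    sent = nat.outbound(vm, 51000, "198.51.100.7", 443)      # VM browses out
    reply = nat.inbound("198.51.100.7", 443, sent[1])        # server answers
    unsolicited = nat.inbound("198.51.100.99", 55555, 3389)  # outsider tries RDP
    nat.add_port_forward(3389, vm, 3389)                     # admin adds a forward
    forwarded = nat.inbound("198.51.100.99", 55555, 3389)    # same packet now passes
    return sent, reply, unsolicited, forwarded


if __name__ == "__main__":
    labels = ("outbound", "reply", "unsolicited", "after forward")
    for label, value in zip(labels, demo()):
        print(f"{label:14} {value}")
```

Each port forward is a deliberate hole in the one-way behaviour, so forwards are worth listing when reviewing what a NAT-mode VM exposes.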
How Host-Only Mode Works
Host-only mode creates a private network that is completely isolated from the physical network. VMs can communicate with the host and with each other, but not with external networks.
Mechanism:
The hypervisor creates a virtual switch (e.g., vmnet1 in VMware) that is not connected to any physical NIC.
A virtual DHCP server assigns IP addresses to VMs on a private subnet.
The host has a virtual adapter on the same subnet, allowing host-VM communication.
No NAT or bridging occurs—the virtual switch is isolated.
Key characteristics:
VMs cannot access the internet or any external network.
External devices cannot access the VMs.
The host can communicate with VMs using the private IP addresses.
VMs can communicate with each other on the same virtual switch.
Ideal for isolated testing environments.
Configuration and Verification
VMware Workstation:
Bridged: Virtual Network Editor -> vmnet0 (default bridged)
NAT: vmnet8 (default NAT)
Host-only: vmnet1 (default host-only)
VirtualBox:
Bridged: Settings -> Network -> Attached to: Bridged Adapter
NAT: Attached to: NAT
Host-only: Attached to: Host-only Adapter (requires a host-only network created in File -> Host Network Manager)
Verification commands (inside VM):
Check IP address: ipconfig (Windows) or ip addr (Linux)
Check connectivity: ping to host IP, another VM IP, or an external IP
Check default gateway: ip route (Linux) or route print (Windows)
Interaction with Related Technologies
DHCP: Both NAT and host-only modes typically include a DHCP server. Bridged mode relies on the physical network's DHCP.
DNS: VMs in NAT mode usually use the host's DNS settings or a DNS proxy provided by the hypervisor.
Port Forwarding: In NAT mode, you can configure port forwarding to allow external access to specific VM services (e.g., RDP on port 3389).
VLANs: Some hypervisors support VLAN tagging on virtual switches, which can be used with bridged mode to segregate traffic.
Exam-Relevant Details
Default gateway: In NAT mode, the default gateway for VMs is typically the host's IP address on the virtual NAT network (e.g., 192.168.124.1 in VMware).
IP address ranges: VirtualBox NAT uses 10.0.2.0/24; VMware NAT uses 192.168.x.0/24.
Bridged mode requirement: The host's physical NIC must be active and connected to a network; otherwise, the bridge has no connectivity.
Host-only mode without DHCP: Some hypervisors allow disabling DHCP in host-only mode, requiring static IPs.
Common Misconfigurations
Using bridged mode on a network with limited IP addresses: If the DHCP pool is exhausted, VMs may receive APIPA addresses (169.254.x.x).
Forgetting to enable IP forwarding on the host for host-only mode: Without it, VMs cannot communicate with each other across different virtual switches.
Misunderstanding NAT's one-way initiation: Candidates often think NAT allows inbound connections without port forwarding.
Select the Virtualization Platform
Begin by choosing your hypervisor: VMware Workstation, Oracle VirtualBox, or Microsoft Hyper-V. Each has its own virtual network editor and default settings. For VMware, open the Virtual Network Editor from the Edit menu. For VirtualBox, go to File > Host Network Manager to create or modify host-only networks. Understanding the platform-specific terminology is crucial because the CompTIA A+ exam may reference generic concepts but you must be able to apply them across platforms. For example, VMware uses vmnet0, vmnet1, and vmnet8; VirtualBox uses names like 'NAT' and 'Host-only Adapter'.
Choose the Networking Mode
Based on the scenario, select bridged, NAT, or host-only. For a VM that needs to be directly accessible from the physical network (like a web server), choose bridged. For a VM that only needs outbound internet access (like a client for updates), choose NAT. For an isolated lab (like malware analysis), choose host-only. The exam often presents a scenario and asks which mode to use. Remember: bridged = same subnet as host, NAT = private subnet with NAT, host-only = private subnet without external access.
Configure the Virtual Network Adapter
In the VM settings, assign the vNIC to the appropriate virtual switch. For bridged mode, select the physical NIC to bridge (often 'Automatic' or a specific adapter). For NAT, select the NAT network (e.g., vmnet8). For host-only, select the host-only network (e.g., vmnet1). You can also add multiple vNICs to a VM, each on a different network. This is common for VMs that need both a management network (host-only) and an external network (NAT).
Power On the VM and Obtain an IP Address
Start the VM. Most guest OSes are configured to use DHCP. In bridged mode, the VM will request an IP from the physical network's DHCP server. In NAT and host-only modes, the hypervisor's built-in DHCP server assigns an IP. Verify with `ipconfig` (Windows) or `ip addr` (Linux). If no IP is obtained, check that the DHCP server is enabled in the virtual network settings. In VMware, you can check the Virtual Network Editor to ensure DHCP is running. In VirtualBox, verify the host-only network has DHCP enabled.
Test Connectivity and Verify Mode Behavior
Perform connectivity tests. Ping the host (e.g., 192.168.124.1 for VMware NAT), ping another VM on the same virtual network, and ping an external IP like 8.8.8.8. In bridged mode, you should be able to ping devices on the physical network. In NAT mode, outbound pings should succeed but inbound pings to the VM will fail unless port forwarding is configured. In host-only mode, only the host and other VMs on the same host-only network are reachable. Use `tracert` (Windows) or `traceroute` (Linux) to see the path: in NAT mode, the first hop is the host's NAT IP; in bridged mode, the first hop is the physical network gateway.
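One way to turn the checks in these steps into a repeatable test, as an added example that is not from the original page: a Python function that compares what the guest reports (its IP address and whether an external address answered) with what the chosen mode should produce. The function name, the host LAN 192.168.1.0/24 and the guest addresses are constructed; the virtual subnets are the defaults quoted on this page.

```python
import ipaddress

APIPA = ipaddress.ip_network("169.254.0.0/16")  # self-assigned when no DHCP lease arrives
MODES = ("bridged", "nat", "host-only")


def check_guest(mode, guest_ip, host_lan, virtual_net, external_reachable):
    """Return a list of findings; an empty list means the guest behaves as the mode predicts."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    ip = ipaddress.ip_address(guest_ip)
    lan = ipaddress.ip_network(host_lan)

    if ip in APIPA:
        source = "physical network's" if mode == "bridged" else "hypervisor's"
        return [f"APIPA address {ip}: no lease from the {source} DHCP server"]

    findings = []
    if mode == "bridged":
        if ip not in lan:
            findings.append(f"{ip} is not on the host's subnet {lan}")
    elif ip in lan:
        findings.append(f"{ip} is a physical-network address; the adapter is probably bridged")
    elif virtual_net and ip not in ipaddress.ip_network(virtual_net):
        findings.append(f"{ip} is outside the virtual subnet {virtual_net}")

    if mode == "host-only" and external_reachable:
        findings.append("external address reachable from a host-only guest: isolation is broken")
    if mode != "host-only" and not external_reachable:
        findings.append("no external reachability: check the host's uplink and the guest's gateway")
    return findings


def demo():
    lan = "192.168.1.0/24"  # constructed host LAN
    return {
        "nat, healthy": check_guest("nat", "10.0.2.15", lan, "10.0.2.0/24", True),
        "host-only, DHCP off": check_guest("host-only", "169.254.12.7", lan, "192.168.56.0/24", False),
        "host-only, leaking": check_guest("host-only", "192.168.56.101", lan, "192.168.56.0/24", True),
        "bridged, wrong subnet": check_guest("bridged", "10.0.2.15", lan, None, True),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "as expected")
```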
Scenario 1: Development and Testing Environment
A software development team needs to test a web application across multiple OSes without affecting the production network. They use a single host running VMware Workstation with multiple VMs: a Windows Server VM for the database, a Linux VM for the web server, and a Windows 10 VM for client testing. They configure the VMs in host-only mode (vmnet1) to keep traffic isolated. The host also has a NAT network (vmnet8) for one VM to download updates. The host-only network uses the subnet 192.168.100.0/24 with DHCP enabled. Developers can RDP into VMs from the host using the private IPs. Performance is excellent because no external network latency is involved. A common misconfiguration is forgetting to enable the DHCP server on the host-only network, causing VMs to get APIPA addresses. The fix is to check the Virtual Network Editor and ensure DHCP is enabled.
Scenario 2: Home Lab with Internet Access
A student runs VirtualBox on a laptop to study for the CompTIA A+ exam. They have a VM for practicing Windows Server administration. The laptop is connected to a home router via Wi-Fi. The student sets the VM to NAT mode so it can access the internet for updates and downloads. The VM gets an IP in the 10.0.2.0/24 range. The student can also SSH into the VM from the host using the host-only adapter (added as a second vNIC) for management. Performance is adequate for learning. A problem arises when the student tries to host a web server on the VM and access it from another device on the home network—it fails because NAT blocks inbound connections. The solution is to either switch to bridged mode or configure port forwarding in VirtualBox's NAT settings. The exam may test this scenario: 'A user wants to access a VM's web server from another computer on the same physical network. Which mode should be used?' Answer: bridged.
Scenario 3: Malware Analysis Sandbox
A security analyst uses a host-only network to isolate a VM running malware. The host has no physical network connectivity for safety. The VM is configured in host-only mode with no DHCP (static IP). The analyst uses the host to monitor the VM's behavior. The host-only network uses a private subnet like 192.168.56.0/24. The analyst must ensure that no other network interfaces are bridged or shared. A common mistake is leaving a NIC in bridged mode, which could allow malware to escape to the physical network. The exam might ask: 'Which mode provides the highest level of isolation from the physical network?' Answer: host-only.
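A pre-flight check for the sandbox described above, as an added example that is not from the original page: a Python audit that lists every adapter of a VM that is not host-only before the sample is detonated. The input is assumed to follow the key="value" layout of `VBoxManage showvminfo <vm> --machinereadable`; the VM name, adapter names and the sample text are constructed.

```python
import re

# Constructed sample in the assumed machine-readable layout (not real output).
SAMPLE = '''\
name="malware-sandbox"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
cableconnected1="on"
nic2="bridged"
bridgeadapter2="eth0"
cableconnected2="on"
nic3="nat"
cableconnected3="off"
nic4="none"
'''

# key<slot>="value", e.g. nic2="bridged" -> ("nic", 2, "bridged")
LINE = re.compile(r'^(\w+?)(\d+)="(.*)"$')
ALLOWED = {"hostonly", "none"}  # the only attachments the sandbox should have


def parse_nics(text):
    """Group per-adapter settings by slot number, keeping only slots that define a NIC."""
    slots = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            slots.setdefault(int(m.group(2)), {})[m.group(1)] = m.group(3)
    return {slot: f for slot, f in slots.items() if "nic" in f}


def audit(text):
    """Return (slot, attachment, cable state, bridged host adapter) for each risky NIC."""
    findings = []
    for slot, f in sorted(parse_nics(text).items()):
        if f["nic"] in ALLOWED:
            continue
        # A disconnected cable is still a finding: it can be reconnected while the VM runs.
        state = "connected" if f.get("cableconnected") == "on" else "cable off"
        findings.append((slot, f["nic"], state, f.get("bridgeadapter", "")))
    return findings


if __name__ == "__main__":
    problems = audit(SAMPLE)
    for slot, mode, state, target in problems:
        print(f"adapter {slot}: {mode} ({state}) {target}".rstrip())
    print("isolated" if not problems else "NOT isolated: fix before running the sample")
```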
What the 220-1101 Exam Tests
Objective 4.1 (Virtualization Cloud) includes: 'Compare and contrast cloud computing concepts' and 'Given a scenario, set up and configure client-side virtualization.' Networking modes are a subset of client-side virtualization. The exam expects you to:
Identify the correct networking mode for a given scenario.
Understand the default IP addressing behavior for each mode.
Know that NAT allows outbound-only initiated connections.
Recognize that bridged mode requires the VM to be on the same subnet as the host.
Understand that host-only mode provides no external network access.
Common Wrong Answers and Why
Choosing NAT when the scenario requires inbound access: Many candidates think NAT allows inbound connections because it provides internet access. However, NAT is one-way; inbound connections require port forwarding or bridged mode.
Confusing host-only with NAT: Both use private IPs, but host-only has no NAT and no external access. Candidates often pick host-only when internet access is needed.
Thinking bridged mode uses a different subnet: Some believe bridged mode creates a separate subnet. In reality, the VM gets an IP from the same subnet as the host.
Assuming all modes provide DHCP by default: While NAT and host-only typically have DHCP, it can be disabled. Bridged mode depends on the physical network's DHCP.
Specific Numbers and Terms
VMware NAT default subnet: 192.168.124.0/24 (or 192.168.x.0/24)
VirtualBox NAT default: 10.0.2.0/24
VMware host-only default: 192.168.100.0/24
VirtualBox host-only default: 192.168.56.0/24 (after creating a host-only network)
The term 'vmnet' appears in VMware questions.
Edge Cases
Multiple NICs: A VM can have multiple vNICs on different networks. The exam may ask which mode allows a VM to be on both a private and public network simultaneously.
Bridged mode without a physical network: If the host has no network cable plugged in, bridged mode will not work (no connectivity).
NAT port forwarding: The exam may mention 'port forwarding' as a way to allow inbound connections in NAT mode.
Eliminating Wrong Answers
If the scenario says 'must be accessible from other computers on the same network,' eliminate NAT and host-only; choose bridged.
If the scenario says 'must be isolated from the network,' eliminate bridged and NAT; choose host-only.
If the scenario says 'needs internet access but should not be directly accessible,' choose NAT.
Bridged mode places the VM on the same subnet as the host, requiring an IP from the physical network.
NAT mode uses a private subnet (e.g., 10.0.2.0/24 in VirtualBox) and allows outbound-only connections.
Host-only mode creates an isolated private network with no external access.
VMware Workstation uses vmnet0 (bridged), vmnet1 (host-only), and vmnet8 (NAT) by default.
VirtualBox NAT default subnet is 10.0.2.0/24; host-only default is 192.168.56.0/24.
In NAT mode, inbound connections require port forwarding configuration.
Host-only mode is ideal for malware analysis or testing without network exposure.
Bridged mode fails if the host's physical NIC is disconnected or the DHCP pool is exhausted.
These come up on the exam all the time. Here's how to tell them apart.
Bridged Mode
VM appears as a separate device on the physical network.
VM obtains IP from the physical network's DHCP.
External devices can initiate connections to the VM.
Requires an available IP address on the physical network.
Best for servers that need direct network access.
NAT Mode
VM is on a private network behind the host.
VM obtains IP from the hypervisor's DHCP (private subnet).
External devices cannot initiate connections unless port forwarding is configured.
Does not consume physical network IP addresses.
Best for client VMs that only need outbound internet access.
NAT Mode
Provides outbound internet access to VMs.
Uses NAT to translate private IPs to host's IP.
VMs can communicate with the host and each other.
Default gateway is the host's NAT IP.
Port forwarding can allow inbound access.
Host-Only Mode
No internet access for VMs.
No NAT; VMs use private IPs only.
VMs can communicate with the host and each other.
No default gateway (or host's host-only IP).
No inbound access from outside; fully isolated.
Mistake
NAT mode assigns the same IP address as the host.
Correct
NAT mode assigns a private IP address from a different subnet (e.g., 10.0.2.x or 192.168.x.x), not the host's IP. The host's IP is used only for translation.
Mistake
Bridged mode requires the VM to use a static IP.
Correct
Bridged mode can use DHCP from the physical network, just like any physical device. Static IP is optional.
Mistake
Host-only mode provides internet access through the host.
Correct
Host-only mode has no NAT or bridging, so there is no internet access. VMs can only communicate with the host and other VMs on the same virtual switch.
Mistake
All three modes allow VMs to communicate with each other on the same host.
Correct
VMs can communicate with each other only if they are on the same virtual network. In NAT and host-only modes, they share the same virtual switch. In bridged mode, they must be on the same bridge (default).
Mistake
NAT mode is more secure than bridged mode because it hides the VM.
Correct
NAT does provide some security by not exposing the VM's IP directly, but it is not a security feature. Both modes can be secured with firewalls. Host-only is the most isolated.
NAT mode places the VM on a private network behind the host, using the host's IP for outbound traffic. The VM gets an IP from a private subnet (e.g., 10.0.2.x) and cannot be directly accessed from the external network. Bridged mode makes the VM appear as a separate device on the same physical network as the host, with its own IP from the physical DHCP. External devices can directly communicate with the VM. For the exam, remember: bridged = same subnet as host, NAT = private subnet with translation.
By default, no. NAT mode only allows outbound connections initiated by the VM. Inbound connections are blocked unless you configure port forwarding in the hypervisor's NAT settings. For example, in VirtualBox, you can forward host port 3389 to the VM's port 3389 for RDP. The exam may test this: 'Which mode allows inbound connections without additional configuration?' Answer: bridged.
Host-only mode creates a private network that is completely isolated from the physical network. It is used for scenarios where VMs need to communicate with the host and each other but not with the outside world, such as malware analysis, testing network services in a sandbox, or lab environments. The exam may ask: 'Which mode provides the most isolation from the physical network?' Answer: host-only.
In VMware Workstation, select the VM, go to VM > Settings, choose the network adapter, and set the network connection to Bridged, NAT, or Host-only. You can also use the Virtual Network Editor to modify the default networks. The exam expects you to know the default vmnet mappings: vmnet0 (bridged), vmnet1 (host-only), vmnet8 (NAT).
In VMware NAT mode, the VM typically gets an IP in the 192.168.x.0/24 range (e.g., 192.168.124.x). In VirtualBox NAT mode, it gets an IP in the 10.0.2.0/24 range (e.g., 10.0.2.15). The default gateway is the host's IP on that virtual network (e.g., 192.168.124.1 in VMware, 10.0.2.1 in VirtualBox). The exam may test these default subnets.
Yes, a VM can have multiple virtual network adapters, each connected to a different mode. For example, you could have one adapter in NAT mode for internet access and another in host-only mode for isolated management. This is common in lab setups. The exam may present a scenario where a VM needs both external and private network access.
If DHCP is disabled, VMs will not automatically receive an IP address. They may get an APIPA address (169.254.x.x) if configured for DHCP, or you must assign static IPs manually. In VMware, you can disable DHCP in the Virtual Network Editor. The exam may ask: 'A VM in host-only mode cannot obtain an IP address. What is the most likely cause?' Answer: The DHCP server is disabled.