if I want to prevent all VMs from being able to route between different virtual networks, it is sufficient to not allow creation of what is explicitly called “Virtual Router”, or do I have to restrict users to a single virtual network? That is, is routing possible inside a virtual machine though it is not defined as a virtual router?
Hello, yes of course, routing is possible in any VM - it is just as any other linux/windows server, which have capabilities to route. Good practise is enable IP and MAC spoofing and also set bandwidth limits to networks, so user can change IP/MAC address and cant consume whole for ex. 1Gbps network.
I don’t see any problem with user can route between netowrks. Why you want restrict it?
I want to restrict it because I want to define VLAN virtual networks that already exist as real networks for real machines and routing inside a VM would bypass access control lists on our real routers.
so you can attach only one network to VMs which are not under your control