Clarification requested: Network namespaces in production? #5169

Unanswered
Seikilos asked this question in Q&A

I tried to find out what the "best practice" according to the docs (especially https://github.com/firecracker-microvm/firecracker/blob/main/docs/prod-host-setup.md) for guest isolation would be.

I understand the steps in the prod-host-setup but I also assume that network namespaces are actually crucial for production use.
The documentation seems to be a bit unspecific here.

So to clarify (and maybe to update the production docs?):

When I run multiple microVMs which need access to e.g. the internet, is it absolutely required to run them in individual network namespaces for full network isolation?

For me, it is tricky with nftables to actually fully isolate VMs from each other to prevent attacks from other VMs if one is compromised. I managed "isolation lite" by only allowing tap0 to talk to eth1, but not to tap1, tap2, etc. But is this already good enough?
(The production docs talk about mitigating Spectre, Rowhammer, etc., but if one VM can reach another VM via SSH or any other open port, I don't need those fancy exploits inside a VM to disrupt operations.)

On the other hand, if network namespaces are not required to reach good network isolation, I would love to avoid the complexity of managing many namespaces, veth links and bridges just to run 10 or 20 isolated VMs.

Clarification or hints are very welcome :)

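The "isolation lite" ruleset the question describes (each tap may forward only to the uplink, never to another tap) can be written down concretely. The script below is an added example, not the poster's configuration and not code from the Firecracker project. It assumes a hypothetical host layout: IPv4 only, every tapN is a routed point-to-point link on the host (no Linux bridge) with the guest at a known address, and eth1 is the uplink. It generates an nftables ruleset from a list of `tap=guest_ip` pairs and includes a small lint that checks no accept rule ever pairs two taps.

```shell
#!/bin/sh
# Added example (not from the Firecracker project or the original post).
# Generates an nftables ruleset in which every microVM tap can forward only
# to/from the uplink. Hypothetical layout assumed here: each tap is a routed
# point-to-point link on the host (no bridge), e.g. tap0 172.16.0.1/30 with
# the guest at 172.16.0.2; the uplink is eth1 (override with UPLINK=...).
# Usage:  sh isolate.sh tap0=172.16.0.2 tap1=172.16.1.2 | nft -f -
# Host also needs net.ipv4.ip_forward=1 for any forwarding at all.

UPLINK="${UPLINK:-eth1}"

gen_ruleset() {
    # Arguments: tap=guest_ip pairs, one per microVM (IPv4 table, so the
    # anti-spoofing 'ip saddr' match applies to every forwarded packet).
    printf 'table ip fc_guest_isolation {\n'
    printf '  chain forward {\n'
    # The default-drop policy is what blocks tap-to-tap traffic: no rule
    # below ever names two taps as iifname/oifname, so such packets fall
    # through to the policy and are never accepted (and never confirmed
    # in conntrack, so no "established" tap-to-tap flow can exist).
    printf '    type filter hook forward priority filter; policy drop;\n'
    printf '    ct state invalid drop\n'
    for spec in "$@"; do
        tap="${spec%%=*}"
        guest="${spec#*=}"
        # Anti-spoofing: a compromised guest may not source traffic as
        # another guest's (or the host's) address.
        printf '    iifname "%s" ip saddr != %s drop\n' "$tap" "$guest"
        # Guest -> uplink: new connections are only allowed towards eth1.
        printf '    iifname "%s" oifname "%s" ct state new accept\n' "$tap" "$UPLINK"
        # Replies in both directions for flows the guest opened.
        printf '    iifname "%s" oifname "%s" ct state established,related accept\n' "$UPLINK" "$tap"
        printf '    iifname "%s" oifname "%s" ct state established,related accept\n' "$tap" "$UPLINK"
    done
    printf '  }\n'
    printf '}\n'
}

# Lint for a generated (or live, via `nft list ruleset`) ruleset on stdin:
# prints the number of accept rules that forward between two tap devices.
# Anything other than 0 means guests can reach each other.
tap_to_tap_accepts() {
    awk '/accept/ && /iifname "tap[0-9]+"/ && /oifname "tap[0-9]+"/ { n++ } END { print n+0 }'
}

if [ $# -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Two caveats a practitioner would check before relying on this. First, the forward hook only sees inter-tap packets because the taps are routed; if the taps hang off one Linux bridge, tap-to-tap frames are switched at layer 2 below this hook, and you would need either per-port isolation (`bridge link set dev tap0 isolated on` for every guest port) or a `bridge`-family nftables table instead. Second, network namespaces do not replace these rules but add a boundary of a different kind: each guest's tap, routing table and sockets live in a separate namespace, so a typo in one rule or a forgotten interface cannot expose a neighbouring VM in the way a shared forward chain can.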

Replies: 0 comments

Category: Q&A. Labels: none yet. 1 participant: @Seikilos
