Tuesday, December 1, 2020

DMZ isolated via VLAN in virtualized environment (DMZ VMs and production VMs on same host)

Hi all, first time posting here.

I am working on reorganizing the network of the small company where I work (we are moving to a new location) and was thinking of separating the DMZ servers from the production network servers by using VLANs on the hypervisor. In the testing scenario, there are 2 virtual machines on the same hypervisor: one in the DMZ and the other in the production network.

The whole idea is implemented as follows:

- Firewall: defined 3 separate networks, where one is for management (10.0.1.0/24 - VLAN id 100), one for internal servers (10.0.2.0/24 - VLAN id 200), and one for the DMZ (10.0.3.0/24 - VLAN id 300). There are explicit firewall rules blocking any traffic from the DMZ network (10.0.3.0/24) to all other internal networks and vice-versa. Also, firewall rules block traffic between the management and production networks in both directions. Finally, NAT 1:1 from a public IP to the DMZ VM, with rules allowing inbound traffic to ports 80 and 443 only.

- Switch: configured as L2, plugged into the firewall. The port where the hypervisor server is plugged in allows VLANs 100, 200, 300. No native VLAN defined (only tagged traffic allowed).

- Hypervisor server: only one NIC being used. On top of the physical interface, one virtual interface on VLAN 100 (IP 10.0.1.10) and 2 bridges (one with a virtual interface on VLAN 200, the other with a virtual interface on VLAN 300 - both interfaces without IPs). The production VM is connected to the bridge on VLAN 200 (IP 10.0.2.10) and the DMZ VM is plugged into the bridge on VLAN 300 (IP 10.0.3.10). The gateway for both VMs and the hypervisor is the firewall (10.0.1.1, 10.0.2.1, and 10.0.3.1).

Based on the tests I made, all communication between both internal VMs or from the hypervisor to the VMs always passes through the firewall (which is good and expected). With the rules in place, both VMs cannot reach the hypervisor management interface and the hypervisor cannot reach the VMs.
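As an added illustration (not part of the original post), the following Python model encodes the three-VLAN layout and the firewall policy described above, plus the NAT 1:1 mapping, and evaluates a flow the way the firewall would: same-VLAN traffic is switched inside the bridge and never reaches the firewall, while every inter-VLAN flow is routed through it and filtered. The zone names, the hypervisor interface names (`eth0.100`, `br200`, `br300`), the public IP `203.0.113.10` and the default-deny action are assumptions; the post states none of them.

```python
"""Model of the VLAN/firewall layout from the post: three VLANs on one hypervisor
NIC, inter-VLAN traffic forced through the firewall, NAT 1:1 to the DMZ VM.
Zone names, interface names, the public IP and the default action are assumed."""
import ipaddress

# Networks and VLAN ids are from the post; hypervisor-side interface names are assumed
ZONES = {
    "management": {"net": ipaddress.ip_network("10.0.1.0/24"), "vlan": 100, "iface": "eth0.100"},
    "internal":   {"net": ipaddress.ip_network("10.0.2.0/24"), "vlan": 200, "iface": "br200"},
    "dmz":        {"net": ipaddress.ip_network("10.0.3.0/24"), "vlan": 300, "iface": "br300"},
}
INTERNET = "internet"

# Constructed placeholder for the public address NATed 1:1 to the DMZ VM
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")
DMZ_VM = ipaddress.ip_address("10.0.3.10")

# Ordered policy, first match wins: (src_zone, dst_zone, allowed_ports, action)
RULES = [
    (INTERNET, "dmz", {80, 443}, "allow"),      # inbound via NAT 1:1, ports 80/443 only
    ("dmz", "internal", None, "deny"),          # DMZ <-> other internal networks blocked
    ("dmz", "management", None, "deny"),
    ("internal", "dmz", None, "deny"),
    ("management", "dmz", None, "deny"),
    ("management", "internal", None, "deny"),   # management <-> production blocked
    ("internal", "management", None, "deny"),
]
DEFAULT_ACTION = "deny"   # assumption: the post does not state the firewall's default


def zone_of(ip):
    """Map an address to its zone by prefix; anything outside the three VLANs is internet."""
    ip = ipaddress.ip_address(ip)
    for name, zone in ZONES.items():
        if ip in zone["net"]:
            return name
    return INTERNET


def evaluate(src, dst, dport):
    """Return (verdict, path) for a flow src -> dst:dport.

    Same-VLAN flows are switched inside the bridge and are never inspected by the
    firewall; every inter-VLAN flow is routed via the firewall and matched against RULES.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip == PUBLIC_IP:            # destination NAT happens before the policy lookup
        dst_ip = DMZ_VM
    s, d = zone_of(src_ip), zone_of(dst_ip)
    if s == d and s != INTERNET:
        return "same-vlan", [ZONES[s]["iface"]]
    path = [ZONES[s]["iface"] if s != INTERNET else "wan",
            "firewall",
            ZONES[d]["iface"] if d != INTERNET else "wan"]
    for rule_src, rule_dst, ports, action in RULES:
        if rule_src == s and rule_dst == d and (ports is None or dport in ports):
            return action, path
    return DEFAULT_ACTION, path


if __name__ == "__main__":
    # Constructed sample flows mirroring the tests described in the post
    flows = [
        ("10.0.3.10", "10.0.2.10", 22),          # DMZ VM -> production VM
        ("10.0.2.10", "10.0.1.10", 22),          # production VM -> hypervisor management
        ("10.0.1.10", "10.0.2.10", 22),          # hypervisor -> production VM
        ("198.51.100.7", str(PUBLIC_IP), 443),   # internet -> public IP, HTTPS
        ("198.51.100.7", str(PUBLIC_IP), 22),    # internet -> public IP, SSH
        ("10.0.2.10", "10.0.2.20", 445),         # two VMs on the same bridge
    ]
    for src, dst, port in flows:
        verdict, path = evaluate(src, dst, port)
        print(f"{src:>14} -> {dst:>14}:{port:<4} {verdict:10} via {' -> '.join(path)}")
```

The last sample flow is the caveat worth keeping in mind with this design: two VMs attached to the same bridge talk to each other at layer 2 and the firewall never sees that traffic, so any filtering needed inside a single VLAN has to come from a host firewall on the VMs or from splitting the VLAN further.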

I know this approach relies solely on the software stack (hypervisor) and that physical separation for the DMZ is always better when possible; however, the approach above would be cheaper for us, since we would not need to buy more hardware.

Do you guys see big problems with this approach?

Thank you in advance for any opinion or thoughts.
