VM PXE / Public segmentation


I have two networks
a network for MaaS and PXE
a network for Public internet

When I create a VM, the VM is created sees the pxe network, boot, and installs.
Once the VM is active, I do not want the VM to be able to see the pxe MaaS network and the public network for segmenting purpose. If the host is compromised, it could be used to pivot to the MaaS PXE network.

What is the proper way to handle this?