4

This question is derived from my previous question on Isolating Web application where two approaches were recommended.

  1. Apache Chroot Jail
  2. Isolation through Virtualization

My question is: if one of the VMs on which the application is hosted is compromised, will the virtualization layer be enough to contain the vulnerable web application? Are there any other security measures that need to be taken to protect the other VMs?

Ali Ahmad

1 Answer

6

See this question for a sense of how secure VMs really are: "How secure are virtual machines really? False sense of security?"

A good general rule is to not allow the VMs to communicate with each other through networking. This means proper measures to segregate network access should be enforced.

If you notice a compromise on any of the VMs, immediately nuke the VM and set it up again from a known safe point. This should be relatively easy to do with virtualization compared to an actual server.

Besides that, make sure that your hypervisor is kept up-to-date to prevent any known exploits against the hypervisor from allowing a compromise to break out of the VM and affect the host or other VMs.
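
One way to audit the network-segregation rule from the answer above, as an added example that is not part of the original answer: it lists which guests are attached to the same virtual network or bridge, so each shared segment can be reviewed. It assumes a libvirt/KVM host (the page names no hypervisor); the VM and network names are constructed, and on a real host the XML would come from `virsh dumpxml <domain>`.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed libvirt domain definitions (hypothetical VM and network names).
DOMAINS = [
    """<domain type='kvm'><name>web-a</name><devices>
         <interface type='network'><source network='tenant-a'/></interface>
       </devices></domain>""",
    """<domain type='kvm'><name>web-b</name><devices>
         <interface type='network'><source network='shared'/></interface>
       </devices></domain>""",
    """<domain type='kvm'><name>db-b</name><devices>
         <interface type='bridge'><source bridge='br0'/></interface>
         <interface type='network'><source network='shared'/></interface>
       </devices></domain>""",
]

def segments(domain_xml):
    """Return (vm_name, set of segments the VM's interfaces attach to)."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name")
    segs = set()
    for iface in root.iterfind("./devices/interface"):
        src = iface.find("source")
        kind = iface.get("type")
        # Only 'network' and 'bridge' interfaces name a segment other VMs can join.
        if src is not None and kind in ("network", "bridge") and src.get(kind):
            segs.add(f"{kind}:{src.get(kind)}")
    return name, segs

def shared_segments(domain_xmls):
    """Map every segment with more than one VM attached to the sorted VM names."""
    members = defaultdict(set)
    for xml in domain_xmls:
        name, segs = segments(xml)
        for seg in segs:
            members[seg].add(name)
    return {seg: sorted(vms) for seg, vms in members.items() if len(vms) > 1}

if __name__ == "__main__":
    for seg, vms in sorted(shared_segments(DOMAINS).items()):
        print(f"{seg}: shared by {', '.join(vms)}; review whether this is intended")
```

A shared segment is a candidate for review rather than proof of reachability, since filtering on the host may still block traffic between the guests.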