Does my current setup prevent a container or VM from changing its VLAN or subnet?

I want to understand/make sure that a container that is using an OVN network can't just change its VLAN or subnet.

I already tried changing the VLAN and subnet of an existing container and wasn't able to reach anything, but I'm not sure if that's just by chance or by design? :wink:

My host has 2 NICs bonded together, with 3 VLANs and one bridge for each VLAN.

I created a network GUESTS that uses br-guests as its bridge.
I created a project core with features.networks=true and features.networks.zones=true. Inside the project I created a network core --type ovn.

I launch the instances with e.g. lxc launch ubuntu:22.04 t1 --network core --project core

network GUESTS

config:
  bgp.peers.r01.address: 172.18.40.1
  bgp.peers.r01.asn: "4200000001"
  dns.nameservers: 8.8.8.8
  ipv4.gateway: 172.18.40.1/22
  ipv4.ovn.ranges: 172.18.41.10-172.18.41.200
  ipv4.routes: 10.128.0.0/9
  volatile.last_state.created: "false"
description: ""
name: GUESTS
type: physical
used_by:
- /1.0/networks/core?project=core
managed: true
status: Created
locations:
- f01
- n13
- n16

network core

config:
  bridge.mtu: "1442"
  ipv4.address: 10.128.0.1/24
  ipv4.nat: "false"
  ipv6.address: fd42:550b:f0b8:b240::1/64
  ipv6.nat: "true"
  network: GUESTS
  volatile.network.ipv4.address: 172.18.41.10
description: ""
name: core
type: ovn
used_by: []
managed: true
status: Created
locations:
- f01
- n13
- n16

project core

config:
  features.images: "true"
  features.networks: "true"
  features.networks.zones: "true"
  features.profiles: "true"
  features.storage.buckets: "true"
  features.storage.volumes: "true"
description: ""
name: core
used_by:
- /1.0/profiles/default?project=core
- /1.0/networks/core?project=core

netplan

network:
  ethernets:

    eth0:
      match:
        macaddress: XXXXXXX
      dhcp4: no
      dhcp6: no
      set-name: eth0
      mtu: 9000

    eth1:
      match:
        macaddress: XXXXXXX
      dhcp4: no
      dhcp6: no
      set-name: eth1
      mtu: 9000


  bonds:
    bond-sw01:
      interfaces:
        - eth0
        - eth1
      link-local: []
      accept-ra: false
      dhcp4: false
      dhcp6: false
      mtu: 1500
      parameters:
        mode: 802.3ad
        lacp-rate: fast
        mii-monitor-interval: 100
        transmit-hash-policy: layer3+4


  vlans:
     bond-sw01.hosts:
       link: bond-sw01
       id: 1005
       link-local: []
       accept-ra: false
       dhcp4: false
       dhcp6: false
       mtu: 1500

     bond-sw01.guests:
       link: bond-sw01
       id: 2005
       link-local: []
       accept-ra: false
       dhcp4: false
       dhcp6: false
       mtu: 1500

     # to ISP, currently to pfsense
     bond-sw01.uplink:
       link: bond-sw01
       id: 3003
       link-local: []
       accept-ra: false
       dhcp4: false
       dhcp6: false
       mtu: 1500


  bridges:
    br-hosts:
      interfaces:
        - bond-sw01.hosts
      accept-ra: true
      dhcp4: false
      dhcp6: false
      mtu: 1500
      addresses:
        - 172.18.38.1/22
      routes:
        - to: default
          via: 172.18.36.1
          on-link: true
      nameservers:
        addresses:
          - 8.8.8.8

    br-guests:
      interfaces:
        - bond-sw01.guests
      link-local: []
      accept-ra: false
      dhcp4: false
      dhcp6: false
      mtu: 1500

    br-uplink:
      interfaces:
        - bond-sw01.uplink
      link-local: []
      accept-ra: false
      dhcp4: false
      dhcp6: false
      mtu: 1500

LXD OVN networks are made up of a virtual OVN logical router and a virtual OVN logical switch.
The instances you connect to the OVN network are connected to the logical switch, and these then use the virtual router for traffic to/from the uplink network.

So, to answer your question directly: no, the instances connected to the OVN network cannot join a VLAN on the uplink, because they are not connected to the uplink at layer 2; there is a virtual router between them.