Why don't you just use a virtual firewall (e.g. pfSense) with appropriate interfaces and port forwarding configured?
With this you could have the Internet servers on an internal-only vSwitch and only the pfSense's WAN port connected to the Internet. This certainly requires reconfiguring the networking on the currently directly connected VMs.
André