How to connect VMs on hosts behind a gateway to public IPs?

I have a Linux gateway with two NICs and several VM hosts (also running Linux, with two NICs each) behind it.

The gateway is connected directly to WAN on one of it's NICs and receives several public IPs. I would like to assign the public IPs on the WAN to individual VMs so that they can be accessed from the outside network. In addition I would like to establish a private local network to be used for managing the VM hosts from the gateway that would have one of the public IPs assigned to it, this private network would be behind a firewall and a NAT.

I would like to set up something like this network architecture but I don't know what the best approach would be. The challenge is that a VM could be migrated between the hosts, so the IP assignment infrastructure can't be tied to a VM host.

Could I use VLANs mapped to MAC-addresses of the VMs virtual interface? Is there a better approach?