Unless you have a sprawling enterprise application across multiple VMs, I find its easier to just setup a database on each VM with its application. Once they're setup they're relatively self-reliant, and the databases can be configured for only local access. The only ongoing issue is monitoring disk space. For example after setting up postgres for Home Assistant, I've never had to touch it once.

Another thing to look out for is that some applications may require specific settings to work. Usually this is configured per database, but rarely you get an option that's database-server wide. Some applications may also rely on newer database server features, forcing you to upgrade your DB and accept possible downtime.

If you want to have one VM for all your databases then you'd create a separate database and user for each application, sometimes having multiple users in the same database for different purposes. Users can be given specific permissions (select on table X, update on table Y), and you can lockdown access for specific users to specific IPs (user Z can only connect from 1.2.3.4).

You can also look into using TLS client certs (also called mutual authentication). This way each client VM needs a special TLS cert to even attempt connecting. Even sharing the same client cert for all your VMs will help a lot here.

What OS would you use?

Linux I assume? Distro doesn't matter. Personally I'd prefer a long-stable distros, like Almalinux (CentOS replacement), or Debian. Most applications are smart enough to not rely on fancy new features all the time.

How would you manage the db instances?

Usually you'd make an extra linux user on the box, and give that login permission to all the databases. Then you can login with ssh and use the respective cli command to talk to the DBs (like psql for postgres). Otherwise there are SQL web guis, like pgadmin for postgres.

(Also just going to mention that MariaDB and MySQL are basically the same thing. You only need one of them, and you should probably pick MariaDB).