Hyper-V V2: Guest Only External Networks + Add Roles Wizard Changes

The Hyper-V best practice in traditional production environments is that any physical network interface used by guest virtual machines is dedicated and isolated to guest-only traffic and is not shared with the management operating system (host). This recommendation is made for several reasons. Security is the primary one: virtual machines are considered less trusted than the management partition, so isolating the network traffic reduces the risk that a malicious guest could take advantage of a remote security exploit against the management partition to take over the physical machine. Following this practice also reduces the risk of a guest virtual machine saturating the network and preventing the server administrator from logging onto the physical machine to take appropriate action.

In Server 2008 (Hyper-V V1) you accomplished this by unbinding TCP/IP (as well as any other network protocol) from the virtual adapter that Hyper-V exposes to the management partition, leaving the physical adapter with only the Microsoft Virtual Network Switch Protocol bound. In Server 2008 R2 (Hyper-V V2) we have added a new option that, by default, does not create the virtual adapter in the management partition at all (of course there is still an option to have it the old way). In addition, this functionality was pushed into the Add Roles Wizard for the case where you create your first virtual network during role installation. Here are some screen captures to illustrate.

Server 2008 (V1)

  • Add Roles Wizard – Virtual Network page (screenshot): Allows the creation of a new virtual network at install time even if the server has only one network interface.
  • Hyper-V Virtual Network Manager post role install (screenshot): Post install the virtual network is created and bound to the physical interface.
  • Network Connections on the host (screenshot): Both the physical and virtual adapters are present. The physical interface has only the Microsoft Virtual Network Switch Protocol bound to it; the virtual interface has TCP/IP and the other network services bound, so the management operating system shares the network with the guests.

Server 2008 R2 (V2), one physical interface

  • Add Roles Wizard – Virtual Network page (screenshot): When there is only one physical interface the ability to create a new virtual network at install time is disabled; you can create a network post install.
  • Hyper-V Virtual Network Manager post role install (screenshot): No virtual network is created. You can now create one yourself; with a single physical interface it is one you can (and, to keep the host reachable, should) share with the management partition/operating system.
  • Network Connections on the host (screenshot): Since no virtual network was created by default there are no virtual interfaces exposed, and the physical interface is not bound to the Microsoft Virtual Network Switch Protocol.
  • Hyper-V Virtual Network Manager, creating a new shared virtual network (screenshot): When creating a new virtual network, checking the “Allow management operating system to share this network adapter” checkbox creates a new virtual interface in the management partition/operating system.
  • Network Connections on the host, after creating the shared network (screenshot): A new virtual interface is created. The physical interface has only the Microsoft Virtual Network Switch Protocol bound to it; the virtual interface has TCP/IP and the other network services bound.

Server 2008 R2 (V2), two physical interfaces

  • Add Roles Wizard – Virtual Network page (screenshot): When there are two or more interfaces you can select the interface(s) for which you want virtual networks created; you must leave at least one interface unchecked so the management operating system keeps a dedicated adapter.
  • Hyper-V Virtual Network Manager post role install (screenshot): Post install a new virtual network is created and bound to the selected physical interface, but no virtual interface is exposed to the management partition/operating system.
  • Network Connections on the host (screenshot): There are still just two interfaces in the management partition/operating system and both are physical (one shows as disconnected because it really is disconnected on my server).
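The binding states described above (physical adapter with only the switch protocol, host virtual adapter present or absent, TCP/IP bound or not) can be audited from the management partition without clicking through Network Connections. The script below is an added example, not from the original post or from the Hyper-V team. It targets the Hyper-V V1 WMI namespace root\virtualization used by Server 2008 and 2008 R2 (Server 2012 moved to root\virtualization\v2 and ships Get-VMSwitch, so it is for the older hosts discussed here) and assumes that the Msvm_ExternalEthernetPort and Msvm_InternalEthernetPort instances expose the adapter MAC in their inherited PermanentAddress property, which is how it matches them against Win32_NetworkAdapterConfiguration. It needs an elevated PowerShell 2.0 session on the host.

```powershell
# Added example (not from the original post): audit external virtual networks on a
# Server 2008 / 2008 R2 Hyper-V host for management-OS sharing.
# Assumption: PermanentAddress on the Msvm_*EthernetPort classes carries the adapter MAC.

function Normalize-Mac($mac) {
    # Msvm_* classes report "00155D010203", Win32_* classes report "00:15:5D:01:02:03"
    if ($mac) { ($mac -replace '[:-]', '').ToUpper() } else { '' }
}

# Physical NICs bound to a virtual switch (the Microsoft Virtual Network Switch Protocol binding)
$externalPorts = Get-WmiObject -Namespace root\virtualization -Class Msvm_ExternalEthernetPort |
    Where-Object { $_.IsBound }

# Host-side virtual adapters; these exist only when "Allow management operating system
# to share this network adapter" was checked (or a V1-style network was created)
$internalPorts = Get-WmiObject -Namespace root\virtualization -Class Msvm_InternalEthernetPort

# TCP/IP state of every adapter in the management OS, keyed by normalized MAC
$ipConfig = @{}
Get-WmiObject Win32_NetworkAdapterConfiguration | ForEach-Object {
    $ipConfig[(Normalize-Mac $_.MACAddress)] = $_
}

Write-Host "Physical adapters bound to a Hyper-V virtual switch:"
if ($externalPorts) {
    foreach ($p in $externalPorts) {
        $cfg = $ipConfig[(Normalize-Mac $p.PermanentAddress)]
        # A bound physical NIC should carry nothing but the switch protocol
        $state = if ($cfg -and $cfg.IPEnabled) { 'TCP/IP still bound (unexpected)' }
                 else { 'switch protocol only (expected)' }
        Write-Host ("  {0}  [{1}]" -f $p.Name, $state)
    }
} else {
    Write-Host "  none - no external virtual network exists"
}

Write-Host "Management-OS virtual adapters (present only on shared networks):"
if ($internalPorts) {
    foreach ($v in $internalPorts) {
        $cfg = $ipConfig[(Normalize-Mac $v.PermanentAddress)]
        # TCP/IP bound here means the host shares the network with guests;
        # unbound means the V1-style isolation was applied by hand
        $state = if ($cfg -and $cfg.IPEnabled) { 'TCP/IP bound: management OS shares this network' }
                 else { 'TCP/IP unbound (V1-style isolation)' }
        Write-Host ("  {0}  [{1}]" -f $v.Name, $state)
    }
} else {
    Write-Host "  none - every external network is guest-only"
}
```

On a 2008 R2 host configured by the Add Roles Wizard with two NICs, the expected output is one bound physical adapter reporting "switch protocol only" and no management-OS virtual adapters; on a single-NIC host you should see exactly one virtual adapter with TCP/IP bound, since that is what keeps the management partition reachable. Anything else (a bound physical NIC with TCP/IP, or several host virtual adapters) is worth explaining before the host goes into production.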

Taylor Brown
Hyper-V Integration Test Lead
https://blogs.msdn.com/taylorb

Comments

  • Anonymous
    January 15, 2009
    Our challenge so far with Server 2008 is not being able to provide NIC resiliency through teaming. In R2, since virtual and management server can share both physical NICs, is this getting us one step closer?  Do both physical NICs require unique IPs?
    =========================================================
    NIC teaming is still an issue - these changes don't impact (positively or negatively) NIC teaming...  I can say that while not supported by Microsoft, I know of a number of users (internally and externally) that use NIC teaming in production.  I will also say we are aware of the need and are looking at options to improve the experience.  -Taylor

  • Anonymous
    February 09, 2009
    It seems to me that in the Server 2008 R2 (V2) One Physical Interface scenario, the "Allow management operating system to share this network adapter" checkbox should be checked and grayed out (non-changeable). If you clear this checkbox you would lose network connectivity, since the single physical NIC is converted to a virtual switch but the host cannot use it.