Posey's Tips & Tricks

Taking a Better Look at Hyper-V Private Networks

Private virtual networks are the most secure virtual network because they never communicate with the Hyper-V host or with the physical network. But what exactly happens when you create one?

Microsoft Hyper-V supports three different types of virtual networks: external, internal and private. External virtual networks are the most commonly used because they allow a virtual machine (VM) to access the outside world. Internal virtual networks are isolated segments accessible by VMs and by the Hyper-V host, while private virtual networks are only accessible to VMs.

Private virtual networks are obviously the most secure virtual network type because they never communicate with the Hyper-V host or with the physical network.

But what happens when you create a private network? Let's take a look.

Before I jump right into a discussion of private networks, I want to take just a moment and talk about what happens when you create a normal, external network. From within the Hyper-V Manager, you can create an external network by clicking on the Virtual Switch Manager, and then clicking on the New Virtual Switch option. Doing so gives you a choice between creating an external, internal or private virtual switch. You can see what this looks like in Figure 1.

Figure 1: You can create an external, internal or private virtual switch.

When you create an external virtual switch, Hyper-V creates a virtual Ethernet adapter on the Hyper-V host. This virtual Ethernet adapter provides connectivity to the virtual switch, which is in turn connected to a physical Ethernet adapter. Because Hyper-V hosts can communicate across the external virtual network, the host's network stack is disconnected from the physical network adapter, and connected to the virtual network adapter instead. This allows the host to communicate with both the VMs and the physical network.

So with that said, let's take a look at what happens when you create a private network. To create a private network, open the Virtual Switch Manager from within the Hyper-V Manager, click on New Virtual Switch and then choose the Private option. This causes a private virtual switch to be created. As you can see in Figure 2, you have the ability to rename this virtual switch and to enter any applicable notes.

Figure 2: I have created a private virtual switch.

Because private virtual networks are unable to communicate with Hyper-V hosts or with the physical network, no virtual network adapter is created at the host level. If you look at Figure 3, you can see the network adapters residing on my Hyper-V host. In this case, things are a bit more complicated than the discussion has so far alluded to, but not by much. Instead of having one physical network adapter, I have three (Ethernet, Ethernet 2 and Ethernet 3). These three Ethernet adapters have been bound together in a NIC team (MyTeam). The NIC team acts as the physical adapter for this server. The virtual adapter -- vEthernet (My Virtual Switch) -- is the virtual network adapter that lets the host talk to the virtual network. As you can see, there are no network adapters associated with the private network.
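The same steps from the Hyper-V PowerShell module, as an added example that is not part of the original article: it creates a private switch, then checks from both the Hyper-V side and the networking side that no host-level vEthernet adapter was created for it, and finally attaches a VM to the switch. It assumes the Hyper-V module is installed and the session is elevated; the switch and VM names are placeholders.

```powershell
# Added example (not from the article): create a private virtual switch and
# confirm that, unlike an external switch, it creates no vEthernet adapter in
# the management OS. Requires the Hyper-V PowerShell module and admin rights.
# Switch and VM names are placeholders.

$PrivateSwitch = 'My Private Switch'   # placeholder name
$VMName        = 'TestVM'              # placeholder VM name

# Equivalent of Virtual Switch Manager -> New Virtual Switch -> Private.
if (-not (Get-VMSwitch -Name $PrivateSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $PrivateSwitch -SwitchType Private -Notes 'Isolated VM-to-VM segment' | Out-Null
}

# How each switch is wired. A private switch has no NetAdapterInterfaceDescription
# (no physical NIC behind it) and AllowManagementOS is False, since the host has no path to it.
Get-VMSwitch |
    Select-Object Name, SwitchType, AllowManagementOS, NetAdapterInterfaceDescription |
    Format-Table -AutoSize

# The management OS only receives vEthernet adapters for external and internal switches.
# For the private switch this query returns nothing.
$hostAdapters = Get-VMNetworkAdapter -ManagementOS | Where-Object SwitchName -eq $PrivateSwitch
if ($hostAdapters) {
    Write-Warning "Unexpected: the host has an adapter on '$PrivateSwitch'"
} else {
    Write-Host "No host-level adapter exists for '$PrivateSwitch' (expected for a private switch)."
}

# Cross-check from the networking side: the only vEthernet NICs belong to other switch types.
Get-NetAdapter | Where-Object Name -like 'vEthernet*' | Select-Object Name, InterfaceDescription, Status

# Attach a VM to the private switch. Only VMs on this host that are connected to
# the same switch can reach each other; the host and the physical network cannot.
Connect-VMNetworkAdapter -VMName $VMName -SwitchName $PrivateSwitch
Get-VMNetworkAdapter -VMName $VMName | Select-Object VMName, SwitchName, MacAddress, IPAddresses
```

The `Get-VMNetworkAdapter -ManagementOS` check is the scriptable version of looking at the host's adapter list in Figure 3: an external switch shows up there as a vEthernet adapter, the private switch never does.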

Figure 3: No host-level adapter is created for the private network.

So how does IP addressing work on a private network segment? To show you how this works, I created a VM running Windows 10 and connected it to the private virtual switch that I had previously created. As you can see in Figure 4, the guest operating system doesn't know or care that a private network is in use. The network adapter is shown to be a Hyper-V Network Adapter on an unidentified network, but Windows 10 treats this adapter the same way it would treat any other adapter.

Figure 4: This is how a guest OS sees a private network adapter.

So what happens if you try to live migrate a VM that uses a private network adapter? You will get an error message like the one shown in Figure 5, telling you that the virtual switch does not exist on the destination computer.

Figure 5: The live migration triggered an error.

You can get around this problem by creating a private virtual switch with the same name on the destination host. Just remember that the private network will not span hosts, because there is no connectivity to the external network: the VMs on each host's private switch form a separate, isolated segment.
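A pre-migration check that automates the workaround above, added here as an example and not taken from the article: it lists every virtual switch the VM is connected to, compares the names against the destination host, creates any missing private switches there (same name, same type), and refuses to migrate while a non-private switch is still missing. It assumes PowerShell remoting to the destination host and Hyper-V administrator rights on both hosts; the host and VM names are placeholders.

```powershell
# Added example (not from the article): verify that every virtual switch a VM
# uses exists under the same name on the destination host before live migration.
# Host and VM names are placeholders. Assumes PowerShell remoting is enabled.

$VMName          = 'TestVM'        # placeholder
$DestinationHost = 'HV-HOST-02'    # placeholder

# Switches the VM depends on, with their type on the source host.
$needed = Get-VMNetworkAdapter -VMName $VMName |
    Where-Object SwitchName |
    ForEach-Object { Get-VMSwitch -Name $_.SwitchName } |
    Select-Object Name, SwitchType -Unique

# Switches that already exist on the destination host.
$remote = Invoke-Command -ComputerName $DestinationHost -ScriptBlock {
    Get-VMSwitch | Select-Object Name, SwitchType
}

$blocked = $false
foreach ($sw in $needed) {
    if ($remote.Name -contains $sw.Name) {
        Write-Host "OK: '$($sw.Name)' exists on $DestinationHost"
        continue
    }
    if ($sw.SwitchType -eq 'Private') {
        # Same name and type satisfies the migration check. The private segment on
        # the destination is a separate, isolated network: VMs left on the source
        # host will not be reachable from the migrated VM.
        Invoke-Command -ComputerName $DestinationHost -ScriptBlock {
            param($Name)
            New-VMSwitch -Name $Name -SwitchType Private | Out-Null
        } -ArgumentList $sw.Name
        Write-Host "Created private switch '$($sw.Name)' on $DestinationHost"
    } else {
        # External and internal switches bind to a physical NIC or a host adapter,
        # so they are not created blindly here.
        Write-Warning "'$($sw.Name)' ($($sw.SwitchType)) is missing on $DestinationHost; create it manually."
        $blocked = $true
    }
}

# Only migrate once every required switch is present on the destination.
if (-not $blocked) {
    Move-VM -Name $VMName -DestinationHost $DestinationHost
}
```

Creating the missing private switch by script removes the Figure 5 error, but the comment in the loop is the part worth remembering: the migrated VM lands on a different isolated segment, so anything it was talking to over the private network on the source host has to move with it.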

As you can imagine, private networks have very limited use cases, as do internal networks. Even so, they do have their place. Private networks are, for example, sometimes used for backbone traffic across VMs.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.
