Isolating VM's from Host Machine

  • Question

  • I am attempting to spin up two VM's in Hyper-V.  One will be a DC running on Server 08R2 and the other will just be Server08R2.  I would like to isolate these VM's from the host machine as the host machine will be connected to the corporate network.  I will be doing some testing later on with this virtual DC.

    In essence, I want to completely isolate these VM's from the host machine, but allow them to access the internet if that is possible.  Would that be done by using an external virtual switch?

    What is the best way to accomplish this?



    Thursday, January 1, 2015 8:26 PM

All replies

  • With 2 NICs on the 2012 R2 Hyper-V host:

    • Create External vSwitch, call it "Corp" for example, attach it to the NIC that's wired to the corp network/subnet/vlan, give the host/management OS a vNIC on the Corp vSwitch by checking the "allow management OS to share this network adapter" checkbox in the Virtual Switch Properties screen.
    • Create another External vSwitch "Test", attach it to NIC#2 which is wired to the Internet, do NOT give the host/management OS a vNIC in the Test vSwitch, attach the VM vNICs to the Test vSwitch.

    Sam Boutros, Senior Consultant, Software Logic, KOP, PA http://superwidgets.wordpress.com

    Friday, January 2, 2015 12:48 AM
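
The two-switch layout from the reply above, scripted with the Hyper-V PowerShell module and followed by an audit that the host has no vNIC or protocol binding on the Test side. This is an added example, not part of the original thread; the adapter names and VM names are assumed placeholders.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

# Assumed values: adjust to the host. Adapter and VM names are hypothetical.
$CorpNic = 'Ethernet'       # physical NIC wired to the corporate network
$TestNic = 'Ethernet 2'     # physical NIC wired to the Internet-only link
$TestVMs = 'LAB-DC01', 'LAB-SRV01'

# Create an external vSwitch only if one with that name does not already exist.
function New-ExternalSwitch([string]$Name, [string]$Nic, [bool]$ShareWithHost) {
    if (-not (Get-VMSwitch -Name $Name -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $Name -NetAdapterName $Nic -AllowManagementOS $ShareWithHost |
            Out-Null
    }
}
New-ExternalSwitch -Name 'Corp' -Nic $CorpNic -ShareWithHost $true    # host keeps a vNIC here
New-ExternalSwitch -Name 'Test' -Nic $TestNic -ShareWithHost $false   # no host vNIC on Test

# Move every vNIC of the test VMs onto the Test switch.
Get-VMNetworkAdapter -VMName $TestVMs | Connect-VMNetworkAdapter -SwitchName 'Test'

# --- Audit: collect anything that would connect the host or Corp to the test VMs ---
$findings = @()

if ((Get-VMSwitch -Name 'Test').AllowManagementOS) {
    $findings += "Switch 'Test' is shared with the management OS"
}
Get-VMNetworkAdapter -ManagementOS -SwitchName 'Test' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Host vNIC '$($_.Name)' is attached to 'Test'" }

# The physical NIC behind Test should carry only the vSwitch protocol (vms_pp);
# any other enabled binding, such as ms_tcpip, puts the host itself on that wire.
Get-NetAdapterBinding -Name $TestNic |
    Where-Object { $_.Enabled -and $_.ComponentID -ne 'vms_pp' } |
    ForEach-Object { $findings += "Binding '$($_.ComponentID)' enabled on '$TestNic'" }

# A test VM with an extra vNIC on another switch would defeat the separation.
Get-VMNetworkAdapter -VMName $TestVMs |
    Where-Object SwitchName -ne 'Test' |
    ForEach-Object { $findings += "VM '$($_.VMName)' has a vNIC on '$($_.SwitchName)'" }

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Test VMs sit only on Test; the host has no vNIC or binding on that NIC.'
```

The audit half can be re-run on its own after any later change to the switches or VM adapters.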
  • You'll need more config than just an external virtual switch.  That just allows VM access to the external LAN.  If your host is on that same LAN, they're all connected.

    There are 3 options here:

    1. Physical solution: you need to configure your network where you're plugging the NIC that connects to the VMs directly to the internet, with no connections to your host's LAN.

    2. VLAN/subnet: create a separate subnet for your VMs so they cannot see the network. This may be hard since you need to still access the same gateway.

    3. Create a 3rd VM and install RRAS.  This will isolate your VMs and virtual network but still allow them access to the Internet.  This technically will allow access to the host, but since RRAS is NAT it will prevent your VMs from sending/receiving DHCP/DNS to your host network.

    I've used this method to set up test AD domains in a virtual network while not affecting the host's network and AD. 

    For future reference, the Hyper-V forum is located here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverhyperv

    This forum is for the older product Virtual Server 2005 which is not related to Hyper-V.  You'll find a lot more Hyper-V expertise on the Hyper-V forum.

    Friday, January 2, 2015 7:19 PM