17 June 2008

Hyper-V: What are the uses for different types of virtual networks?

If you followed yesterday's post explaining the basics of networking in Hyper-V, you may be wondering what the different types of virtual networks are, when you should use them, and how they look in terms of traffic flow.

When you open Virtual Network Manager from Hyper-V Manager, there are three types of virtual network which can be created: External, Internal and Private. There is also a fourth type which can only be created through WMI and doesn’t have an official name, but I’ll call it a “Dedicated” virtual network (thanks Jake who came up with the suggestion!). Let’s look at each type, and when it is appropriate to use them.

External

External virtual networks are used where you want to allow communications between:

  • Virtual machine to virtual machine on the same physical server
  • Virtual machine to parent partition (and vice versa)
  • Virtual machine to externally located servers (and vice versa)
  • (Optional) Parent partition to externally located servers (and vice versa)

[Block diagram: external virtual network]

Internal

Internal virtual networks are used where you want to allow communications between:

  • Virtual machine to virtual machine on the same physical server
  • Virtual machine to parent partition (and vice versa)

In a block diagram, an internal network is an external network without the binding to a physical NIC. An internal network would commonly be used to build a test environment where you need network connectivity into the virtual machines from the parent partition itself.

[Block diagram: internal virtual network]

Private

Private virtual networks are used where you want to allow communications between:

  • Virtual machine to virtual machine on the same physical server

In a block diagram, a private network is an internal network without a virtual NIC in the parent partition. A private network would commonly be used where you need complete isolation of virtual machines from external and parent partition traffic. DMZ workloads running on a leg of a tri-homed firewall, or an isolated test domain are examples where this type of network may be useful.

[Block diagram: private virtual network]

Dedicated

Dedicated networks are in some ways one of the most useful types of virtual network: you dedicate a physical NIC for use just by virtual machines. They allow communication between:

  • Virtual machine to virtual machine on the same physical server
  • Virtual machine to externally located servers (and vice versa)

Note that the parent partition is unable to use a dedicated virtual network for its own communication. You would normally have a second physical NIC for use by the parent partition, as was discussed yesterday. In a block diagram, a dedicated network is an external network without a virtual NIC in the parent partition.

 

[Block diagram: dedicated virtual network]

Note that you can achieve something functionally identical to a dedicated network by creating an external virtual network, and unbinding the protocols from the newly created virtual NIC in the parent partition. However, I would personally recommend you deploy a dedicated virtual network “correctly” to avoid accidental changing of bindings on the virtual NIC, or to avoid confusion as to what is present in the network adapters control panel applet. (And before you ask, I don’t have a sample script to create a dedicated virtual network yet. A post for another day).

Cheers,
John.
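
The traffic-flow rules for the four types, and the point that an external network with every protocol unbound from the parent's virtual NIC behaves like a dedicated one, can be checked with a small reachability model. This is an added example, not code from the post or from Hyper-V; the two-switch host, the firewall VM `fw`, the node names and the `parent_bound` flag are constructed for illustration.

```python
from collections import deque

# What each switch type attaches, per the four descriptions in the post
# ("parent" = virtual NIC in the parent partition, "physical" = physical NIC).
SWITCH_TYPES = {
    "external":  {"parent": True,  "physical": True},
    "internal":  {"parent": True,  "physical": False},
    "private":   {"parent": False, "physical": False},
    "dedicated": {"parent": False, "physical": True},
}

def build_graph(switches):
    """Return an adjacency map linking each switch to the endpoints plugged into it."""
    graph = {}
    for name, sw in switches.items():
        kind = SWITCH_TYPES[sw["type"]]
        members = list(sw["vms"])
        # A parent vNIC with every protocol unbound exists but carries no traffic.
        if kind["parent"] and sw.get("parent_bound", True):
            members.append("parent")
        if kind["physical"]:
            members.append(sw["uplink"])  # name of the network on the wire
        for member in members:
            graph.setdefault("sw:" + name, set()).add(member)
            graph.setdefault(member, set()).add("sw:" + name)
    return graph

def reachable(switches, src, dst, forwarders=()):
    """True if src can reach dst; only switches and listed forwarding VMs relay frames."""
    graph = build_graph(switches)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        if node != src and not node.startswith("sw:") and node not in forwarders:
            continue  # ordinary endpoint: receives traffic but does not pass it on
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def sample_host(wan_type, parent_bound=True):
    """Constructed host: firewall VM 'fw' between an Internet-facing switch and a LAN."""
    return {
        "wan": {"type": wan_type, "vms": ["fw"], "uplink": "internet",
                "parent_bound": parent_bound},
        "lan": {"type": "internal", "vms": ["fw", "sql"]},
    }
```

With `wan` as a plain external network the parent partition reaches `internet` directly; as a dedicated network, or as an external one with `parent_bound=False`, its only path runs through `fw`.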


Comments

# Syl said:

When will the Hyper-V final release come?

19 June 08 at 5:32 AM
# jhoward said:

Syl - within 180 days of the RTM of Windows Server 2008.

Cheers,

John.

19 June 08 at 9:15 AM
# Lior Arviv's Blog said:

Getting Started with Microsoft Hyper-V Understanding Hyper-V partitions and device drivers Migrating

20 June 08 at 2:05 PM
# Virtualization said:

I have had quite a lot of obligations lately, so I did not manage to refresh the blog with news; therefore a report follows

23 June 08 at 4:38 PM
# Ewdev said:

Fantastic article John, came at just the right moment for me.  I am trying to create something like a dedicated network but was a little confused with the sentence "unbinding the Microsoft Virtual Network Switch Protocol from the virtual NIC in the parent partition".  It seems that it is the physical NIC that has the Virtual Network Switch Protocol.  Would you not simply delete the virtual NIC from the parent partition, if you can?

I shall be trying this out today as I am trying to see if I can set up a Virtual ISA2006 server.  I will report back my findings.

25 June 08 at 3:52 AM
# Ask the Core Team said:

With the RTM release of Hyper-V just around the corner, I thought it would be a good idea to re-visit

25 June 08 at 7:43 AM
# jhoward said:

Ewdev - good catch, thank you. My bad - I meant unbind the protocols (which are all except the virtual network switch protocol) from the virtual NIC in the parent partition. I'll correct the text. You won't be able to delete the virtual NIC itself (you shouldn't anyway).

Thanks,

John.

25 June 08 at 10:07 AM
# Ewdev said:

Well it is all up and working now, a little painful perhaps but I now have a DC/DNS/DHCP/WINS on the host VM plus three Windows Server 2008 x64 child VMs for SQL Server 2005, IIS7 and Exchange 2007. All of these are attached to an External virtual network and protected by a fourth child VM running Windows Server 2003 + SP2 x86 with ISA2006 and two virtual NICs, one on the External virtual network and the other on a Dedicated virtual network as discussed above. Just to re-iterate, the dedicated network was simulated by unbinding ALL protocols off the dedicated virtual NIC from the host VM so as to eliminate the problem of the host bypassing the ISA firewall. The only cable coming out of my box at present is one attached to the Dedicated NIC which goes straight to the Internet, although there is an external physical port for additional physical machines on the internal network if wished (This is the port for the "External" virtual network where the word "External" simply means external to the physical machine). The ISA2006 edge firewall setup works a treat and this seems such an obvious setup that I wonder if the concept of the Dedicated virtual network should perhaps be in the final build for Hyper-V?

02 July 08 at 7:21 PM
# jhoward said:

Ewdev - yes, this is something we're looking at for a future version. Glad you got it working.

Cheers,

John.

03 July 08 at 1:10 PM
# Scott Klassen said:

So how about that script for making a dedicated type?  Failing that, could anyone here point me to step-by-step manual instructions to "deploy a dedicated virtual network “correctly”"?

Thanks.

19 July 08 at 10:21 AM
# jhoward said:

Scott - I apologise, I haven't had a chance to get round to putting it together. Published in the last few days though are some sample scripts for the WMI APIs for Hyper-V, although it will require a bit of piecing together. Specifically, you need the Msvm_VirtualSwitchManagementService class, the sample code for the methods being http://msdn.microsoft.com/en-us/library/cc723875(VS.85).aspx.

Alternately, as I mentioned in the main body of the text, you can functionally create something identical to a dedicated network by creating an external virtual network switch in the user interface. Once created, on the new virtual NIC which is created in the parent partition, remove all bindings: Start/ncpa.cpl. Select the appropriate NIC and choose properties. De-select all bindings. The only difference between this approach and using WMI is that you have a virtual NIC instance in the parent partition. However, with no bindings applied to it, it can't be used for anything.

I will get round to the script. Just need to find some time. Sorry!

Cheers,

John.

19 July 08 at 12:43 PM
# Martin Herbener said:

John,

If I want something like a dedicated virtual network, is there any reason not to DISABLE the virtual NIC in the host as opposed to unbinding?

thanks

Martin

08 August 08 at 10:27 AM
# jhoward said:

Hi Martin - yes, this will be equivalent from a functionality perspective. Personally, I prefer the unbinding to disabling as it's harder to accidentally re-bind than it is to accidentally re-enable the NIC.

Cheers,

John.

08 August 08 at 1:28 PM
