Hyper-V V2: Guest Only External Networks + Add Roles Wizard Changes

The Hyper-V best practice in traditional production environments is that any physical network interface used by guest virtual machines is dedicated and isolated to guest-only traffic and not shared with the management operating system (host). This recommendation was made for several reasons – security is the primary one: since virtual machines are considered less trusted than the management partition, isolating the network traffic reduces the risk that a malicious guest could take advantage of a remote security exploit to take over the physical machine. Following this practice also reduces the risk of a guest virtual machine saturating the network and preventing the server administrator from logging onto the physical machine to take appropriate action. In Server 2008 (Hyper-V V1) you accomplished this by unbinding TCP (as well as any other network protocol) on the virtual adapter exposed by Hyper-V – in Server 2008 R2 we have added a new feature which by default does not create the virtual adapter on the management partition (of course there’s an option to have it the old way). In addition this functionality was pushed into the Add Roles Wizard when you create your first virtual network. Here are some screen captures to illustrate.

Server 2008 (V1)

Add Role Wizard – Virtual Network Page (screenshot): Allows the creation of a new virtual network at install time even if the server has only one network interface.

Hyper-V Virtual Network Manager, post role install (screenshot): Post install the virtual network is created and bound to the physical interface.

Network Connections on the host (screenshot): You can see both the physical and virtual adapters are available – the physical interface will only have the Microsoft Virtual Network Switch Protocol bound to it and the virtual interface will have TCP and other network services bound.

Server 2008 R2 (V2), one physical interface

Add Role Wizard – Virtual Network Page (screenshot): When there is only one physical interface the ability to create a new virtual network at install time is disabled – you can create a new network post install.

Hyper-V Virtual Network Manager, post role install (screenshot): No virtual network is created – however you can now create an interface which can/should be shared with the management partition/operating system.

Network Connections on the host (screenshot): Since there are no virtual networks created by default you don’t have any virtual interfaces exposed and the physical interface is not bound to the Microsoft Virtual Network Switch Protocol.

Hyper-V Virtual Network Manager, creating a new shared virtual network (screenshot): When creating a new virtual network, checking the “Allow management operating system to share this network adapter” checkbox will create a new virtual interface on the management partition/operating system.

Network Connections on the host (screenshot): A new virtual interface is created – the physical interface will only have the Microsoft Virtual Network Switch Protocol bound to it and the virtual interface will have TCP and other network services bound.

Server 2008 R2 (V2), two physical interfaces

Add Role Wizard – Virtual Network Page (screenshot): When there are two or more interfaces you can select the interface(s) for which you want virtual networks created – you must leave at least one interface unchecked.

Hyper-V Virtual Network Manager, post role install (screenshot): Post install a new virtual network is created and bound to the physical interface but no virtual interface is exposed to the management partition/operating system.

Network Connections on the host (screenshot): There are still just two interfaces on the management partition/operating system; both are physical (the fact that one is disconnected is because it really is disconnected on my server).
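As an added example (not from the original post), here is the same guest-only external network created from the command line, plus a check that no management-partition adapter shares it and that TCP/IP is unbound from the physical interface. It uses the Hyper-V PowerShell module that ships with Windows Server 2012 and later (Server 2008 R2 has no such module, so there the Virtual Network Manager checkbox shown above is the way to do this); the adapter name "Guest NIC" and switch name "Guest External" are assumptions.

```powershell
# Added example, not code from the original post. Requires the Hyper-V PowerShell
# module (Windows Server 2012 or later). Assumed names: physical adapter "Guest NIC",
# virtual switch "Guest External".

# Create an external virtual switch that does NOT expose a virtual adapter to the
# management operating system: the equivalent of leaving the
# "Allow management operating system to share this network adapter" box unchecked.
New-VMSwitch -Name "Guest External" -NetAdapterName "Guest NIC" -AllowManagementOS $false

# Audit every external switch and report whether the management OS shares it.
# A switch on a guest-only NIC that shows SharedWithHost = True is the condition
# the post recommends avoiding in production.
Get-VMSwitch -SwitchType External | ForEach-Object {
    $hostAdapter = Get-VMNetworkAdapter -ManagementOS -SwitchName $_.Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Switch          = $_.Name
        PhysicalAdapter = $_.NetAdapterInterfaceDescription
        AllowMgmtOS     = $_.AllowManagementOS
        SharedWithHost  = [bool]$hostAdapter
    }
} | Format-Table -AutoSize

# Confirm the physical interface no longer has TCP/IP bound (ms_tcpip is the IPv4
# binding component). On a dedicated guest NIC this should report Enabled = False,
# matching the "only the Virtual Network Switch Protocol bound" state described above.
Get-NetAdapterBinding -Name "Guest NIC" -ComponentID ms_tcpip |
    Select-Object Name, DisplayName, Enabled
```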

Taylor Brown
Hyper-V Integration Test Lead
https://blogs.msdn.com/taylorb
