The Hyper-V Virtual Switch: An Overview

In this post I will give you an introduction to Hyper-V virtual switch, including the basics behind it, the three types of virtual switch, System Center Virtual Machine Manager (SCVMM) logical switch. I’ll also discuss what role Hyper-V virtual switches play in networking your virtual machines.

Hyper-V Virtual Switch Basics

Consider how you network a physical server:

  • The server has one (or more) NIC.
  • That NIC is connected to a switch port.
  • The switch port is an attribute of a physical switch.
  • That access switch is connected to the rest of the physical network.

A Hyper-V virtual switch is not that different to an access switch:

  • A virtual machine has one (or more) virtual NIC.
  • That virtual NIC is connected to a virtual switch port.
  • The virtual switch port is (and here is where it is different) an attribute of the virtual NIC (more on this later).
  • The virtual switch is connected to a physical NIC or NIC team in the host.
  • The host’s NIC or NIC team is connected to the rest of the physical network.

Hyper-V Virtual Switch: NIC Team

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

The virtual switch connects virtual machines to the rest of the physical network.

Let’s get back to the switch port being an attribute of the virtual NIC. When we do network configurations on a physical switch, such VLAN tagging, we implement those configurations on a switch port. The same happens (under the covers) with a Hyper-V switch port. A physical server rarely moves, but when it does, we have to reconfigure the new switch port. A virtual machine can move very frequently. By making the switch port an attribute of the virtual NIC, any assigned network policy moves with the virtual machine, so there is no need to re-implement network policy for the VM.

The Hyper-V virtual switch implements functionality such as QoS, VLAN tagging, bandwidth limits, and so on, even though those settings are revealed by the virtual NIC. The virtual switch also implements other advanced features such as Port ACLs.

3 Types of Virtual Switch

There are three types of virtual switch that you can create in Hyper-V.

  • External: This is the most common kind of virtual switch. VMs connected to this switch can communicate with other VMs on the physical network, the host, and other networked physical entities.
  • Internal: VMs on an internal network can talk to other VMs on that same internal network that are running on that host, and the host. Rarely do you see internal virtual switches used outside of a lab.
  • Private: When connected to a private virtual switch, VMs are limited to communications with VMs on the same private network that are running on that host. This approach is sometimes used for network isolation but communications are constrained within a host. In production, you are better off deploying a firewall protected VLAN or using Hyper-V Network Virtualization (Software-Defined Networking).

Note that any communications to and from a VM are subject to security rules that are applied, such as physical firewall (gateway) rules, Port ACLs, and so on.

System Center Virtual Machine Manager (SCVMM) Logical Switch

If you plan on using SCVMM to deploy hosts, network, or to use Hyper-V Network Virtualization then you should use SCVMM to deploy a logical switch. This is not a cross-host shared virtual switch, but it is a logical switch in terms of unified configuration and management from the VMM console. SCVMM cannot import preexisting virtual switches; you must deploy the logical switch from SCVMM in order to take advantage of the advanced concepts that System Center can offer.


Since WS2012, the Hyper-V virtual switch has been able to add on (not replace, as with other virtualization platforms) layers of third-party functionality. There are three kinds of extension that can work with packets as they flow to/from virtual NICs through the virtual switch stack:

  • Capture: These are tools that can observe packets. An example is the network monitoring product by InMon.
  • Filtering: This type of extension can intercept packets. An example is the security solution by 5nine.
  • Forwarding: You can have a single forwarding extension in a virtual switch. This adds functionality for third-party switch management, such as the Cisco Nexus 1000V.

Note that you can add multiple extensions to a single virtual switch. Only the forwarding type has a limitation (one per switch).

Hyper-V extensible Virtual Switch

The Hyper-V extensible virtual switch.

Microsoft’s software-defined networking solution, Hyper-V Network Virtualization (HNV), was added in WS2012. However, HNV was incompatible with virtual switch extensions in that version. This is no longer the case since WS2012 R2; an extension can work with VM network packets as they pass through the layers of the virtual switch.

Related Topics:

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.
Don't leave your business open to attack! Come learn how to protect your AD in this FREE masterclass!REGISTER NOW - Thursday, December 2, 2021 @ 1 pm ET

Active Directory (AD) is leveraged by over 90% of enterprises worldwide as the authentication and authorization hub of their IT infrastructure—but its inherent complexity leaves it prone to misconfigurations that can allow attackers to slip into your network and wreak havoc. 

Join this session with Microsoft MVP and MCT Sander Berkouwer, who will explore:

  • Whether you should upgrade your domain controllers to Windows Server
    2019 and beyond
  • Achieving mission impossible: updating DCs within 48 hours
  • How to disable legacy protocols and outdated compatibility options in
    Active Directory

Sponsored by: