Using a NAT Virtual Switch with Hyper-V

In this post, I will show how you can create a Windows 10 or Windows Server 2016 (WS2016) Hyper-V virtual switch that uses network address translation (NAT), enabling virtual machines to be isolated behind a single shared IP address on the host.



Sponsored Content

Maximize Value from Microsoft Defender

In this ebook, you’ll learn why Red Canary’s platform and expertise bring you the highest possible value from your Microsoft Defender for Endpoint investment, deployment, or migration.

Scaling and Isolation

What is NAT? NAT is a system that is used in just about every Internet-connected home and business, which we non-network types rarely think about. The system allows a private network to connect to a larger network using a single IP address; this means that we can have many machines in the private network, consuming just a single address on the larger network and this increases the scalability of the larger network.

An added benefit of scaling out the possible number of machines on the network is that NAT effectively isolates the machines in the smaller private network. We can only access machines in the NAT’d network by creating NAT rules, translating an external TCP or UDP port on the external interface into a private TCP or UDP port listening on a NIC or IP address of a machine on the private network.

It is these two features that make NAT interesting in WS2016 Hyper-V networking. We can create a NAT virtual switch and use it in a few interesting scenarios, including:

  • Deploying Windows Server or Hyper-V containers on a virtual switch with a private address range, enabling many containers to be hosted on a single IP address that is assigned to the host.
  • Creating a classroom full Windows 10 PCs, running Client Hyper-V, with identical virtual machines running on each PC.

I recently had a need to deploy that second example at work when we built a new training room for teaching Microsoft server and cloud solutions. I needed to provide each attendee with a set of machines, including domain controllers, file servers, SQL Server instances, and so on. Instead of creating a unique domain for each host, with each machine having a unique LAN address, I created 1 set of machines, copied them to each host, and imported them into Hyper-V. Networking is provided by a NAT-enabled virtual switch, meaning that the virtual machines can connect to the LAN and Internet via the host’s LAN IP address, but the machines on one PC cannot connect to or interfere with those on another PC.

Deploying a NAT Virtual Switch

You only need three lines of PowerShell to deploy an NAT-enabled virtual switch on a Windows 10 or WS2016 Hyper-V machine.

The first step is to create an Internal virtual switch; this is a switch that is not connected to a physical NIC on the host; instead, the host management OS has a virtual NIC that is connected to the virtual switch; the end result is that (to begin with) that virtual machines on the internal virtual switch can talk to the host, but they cannot talk to the network that the host is connected to.

New-VMSwitch -SwitchName “NATSwitch” -SwitchType Internal

The next step updates the virtual NIC that connects the host management OS to the internal virtual switch. The following command will assign an IP address to this virtual NIC, and this IPv4 address will be the default gateway for the network on NAT network that we are creating.
New-NetIPAddress -IPAddress -PrefixLength 24 -InterfaceAlias “vEthernet (NATSwitch)”

The final step in the process will configure the network address of the NAT network that will run on the virtual switch; this is the private range of addresses that the virtual machines will use in the abstracted virtual switch; note that the IPv4 address in the previous step must be in this range.
New-NetNAT -Name “NATNetwork” -InternalIPInterfaceAddressPrefix

The resulting deployment is depicted in the following illustration.

A NAT switch on Windows 10 or Windows Server 2016 Hyper-V [Image Credit: Aidan Finn]
A NAT switch on Windows 10 or Windows Server 2016 Hyper-V [Image Credit: Aidan Finn]
Any virtual machine that runs on the virtual switch will use an IPv4 address in the address range. The machines will route to the LAN via the management OS NIC and NAT, the same way that your laptop or tablet accesses the Internet via the router in your home. As far as the LAN is concerned, these machines are accessing the LAN from the single LAN IP address of the host.

By default, there is no way to remotely access the machines from the LAN, but you can create NAT rules to enable access via port translation (forward TCP 50002 from the host IP address to TCP 3389 on

There is no DHCP functionality in the virtual switch. If you want DHCP, then you must build one or more DHCP servers as machines on the switch. Otherwise, you can assign static IP addresses to the machines.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (4)

4 responses to “Using a NAT Virtual Switch with Hyper-V”

  1. <p>I am tryich to get this in a script and use Read-Host and that will not work.</p><p><br></p><p>$SName&nbsp;= Read-Host "Create an Internal virtual switchname for example NATSwitch"</p><p>$SIP&nbsp; &nbsp;= Read-Host "Virtual NIC that connects the host management OS to the internal virtual switch."</p><p>$IAlias = Read-Host "Write interfacealias for example. vEthernet (NATSwitch)"</p><p>$NNat&nbsp;&nbsp; = Read-Host "The name of your NATprefix for example. NATNetwork"</p><p>$NatIP&nbsp; = Read-Host "Configure the network address of the NAT network for example"</p><p><br></p><p>New-VMSwitch -SwitchName $SName -SwitchType Internal</p><p>New-NetIPAddress -IPAddress $SIP -PrefixLength 24 -InterfaceAlias $IAlias</p><p>New-NetNAT -Name -InternalIPInterfaceAddressPrefix $NatIP</p><p><br></p><p>Everything is created but the in the vm environment it will not give me access to internet.</p><p>If I instead do it manualy as above in the article there are no problem at all.</p><p><br></p><p>I answer the questions as follows.</p><p>NATSwitch</p><p></p><p>vETHERNET (NATSwitch)</p><p>NATNetwork</p><p></p><p><br></p><p>What can be wrong?</p>

  2. <p>This is a great article. I can't understand how people in their guides assume that a switch (Layer 2 networking device) is doing …NAT (which involves routing). Many thanks for putting all the necessary configuration steps quite thoroughly and in a simple manner.I only wished those were also a part of the GUI and not a 'PowerShell exclusive'.</p>

  3. <p>An excellent post. It was exactly what I was looking for. But it doesn't describe the association between the management OS NIC and the physical NIC. I'm assuming that this would come from a -ExternalIPInterfaceAddressPrefix parameter on the New-NetNat cmdlet, but that would seem to direct traffic to any NIC on the specified subnet rather than allowing you to select which NIC(s) should be used by the NAT (assuming you have multiple NICs on the same subnet and would like to use one for host traffic and the rest for VM traffic).</p>

  4. <p>Great article. But I would like to know: What Gateway and DNS should I use for the virtual machines? Assume the Hyper-V NIC is and the physical NIC is</p>

Leave a Reply

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.
External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by: