Using a NAT Virtual Switch with Hyper-V
In this post, I will show how you can create a Windows 10 or Windows Server 2016 (WS2016) Hyper-V virtual switch that uses network address translation (NAT), enabling virtual machines to be isolated behind a single shared IP address on the host.
Scaling and Isolation
What is NAT? NAT is a system that is used in just about every Internet-connected home and business, which we non-network types rarely think about. The system allows a private network to connect to a larger network using a single IP address; this means that we can have many machines in the private network, consuming just a single address on the larger network and this increases the scalability of the larger network.
An added benefit of scaling out the possible number of machines on the network is that NAT effectively isolates the machines in the smaller private network. We can only access machines in the NAT’d network by creating NAT rules, translating an external TCP or UDP port on the external interface into a private TCP or UDP port listening on a NIC or IP address of a machine on the private network.
It is these two features that make NAT interesting in WS2016 Hyper-V networking. We can create a NAT virtual switch and use it in a few interesting scenarios, including:
- Deploying Windows Server or Hyper-V containers on a virtual switch with a private address range, enabling many containers to be hosted on a single IP address that is assigned to the host.
- Creating a classroom full Windows 10 PCs, running Client Hyper-V, with identical virtual machines running on each PC.
I recently had a need to deploy that second example at work when we built a new training room for teaching Microsoft server and cloud solutions. I needed to provide each attendee with a set of machines, including domain controllers, file servers, SQL Server instances, and so on. Instead of creating a unique domain for each host, with each machine having a unique LAN address, I created 1 set of machines, copied them to each host, and imported them into Hyper-V. Networking is provided by a NAT-enabled virtual switch, meaning that the virtual machines can connect to the LAN and Internet via the host’s LAN IP address, but the machines on one PC cannot connect to or interfere with those on another PC.
Deploying a NAT Virtual Switch
You only need three lines of PowerShell to deploy an NAT-enabled virtual switch on a Windows 10 or WS2016 Hyper-V machine.
The first step is to create an Internal virtual switch; this is a switch that is not connected to a physical NIC on the host; instead, the host management OS has a virtual NIC that is connected to the virtual switch; the end result is that (to begin with) that virtual machines on the internal virtual switch can talk to the host, but they cannot talk to the network that the host is connected to.
New-VMSwitch -SwitchName “NATSwitch” -SwitchType Internal
The next step updates the virtual NIC that connects the host management OS to the internal virtual switch. The following command will assign an IP address to this virtual NIC, and this IPv4 address will be the default gateway for the network on NAT network that we are creating.
New-NetIPAddress -IPAddress 192.168.0.1 -PrefixLength 24 -InterfaceAlias “vEthernet (NATSwitch)”
The final step in the process will configure the network address of the NAT network that will run on the virtual switch; this is the private range of addresses that the virtual machines will use in the abstracted virtual switch; note that the IPv4 address in the previous step must be in this range.
New-NetNAT -Name “NATNetwork” -InternalIPInterfaceAddressPrefix 192.168.0.0/24
The resulting deployment is depicted in the following illustration.
Any virtual machine that runs on the virtual switch will use an IPv4 address in the 192.168.0.0 address range. The machines will route to the LAN via the management OS NIC and NAT, the same way that your laptop or tablet accesses the Internet via the router in your home. As far as the LAN is concerned, these machines are accessing the LAN from the single LAN IP address of the host.
By default, there is no way to remotely access the machines from the LAN, but you can create NAT rules to enable access via port translation (forward TCP 50002 from the host IP address to TCP 3389 on 192.168.0.2).
There is no DHCP functionality in the virtual switch. If you want DHCP, then you must build one or more DHCP servers as machines on the switch. Otherwise, you can assign static IP addresses to the machines.