Azure nested Hyper-V server with 2 NICs

Joe H 96 Reputation points
2022-08-17T19:06:46.19+00:00

I have a Hyper-V server running nested in an Azure VM. There are two Azure subnets, 192.168.169.0/28 and 192.168.169.16/28. The first NIC, used for only host traffic is connected as 192.168.169.4. The second NIC, called External, is used only for traffic from the VMs on the host and has an IP address of 192.168.169.20.

I've set up a Virtual Switch in Hyper-V connect to "Internal". I created a NAT assigned to that switch with a subnet of 172.16.1.0/24. The VMs on the Hyper-V server will be on that subnet. How do I configure routing on the host so that all traffic from the 172.16.1.0/24 subnet will go through the External NIC (192.168.169.20 on the 192.168.169.16/28 subnet)? This is for a malware test box, so I want the traffic from the malware VM to only go to the 192.168.169.16/28 subnet.

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,133 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Tristan McCosker 1 Reputation point
    2022-08-18T02:50:45.74+00:00

    Hi Joe,

    The best way to do this would be to create a Hyper-V switch with type 'External' and set the attached NIC to your External one.

    This will mean your VMs can connect to other devices in Azure and the internet without connecting to the host or VMs on another switch. You should not need to use Hyper-V NAT in this scenario and will not be able to segregate the traffic properly in Azure as all traffic will be coming from the host IP address:
    https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/connect-to-network
    "Network Address Translation (NAT) gives a virtual machine access to your computer's network by combining the host computer's IP address with a port through an internal Hyper-V Virtual Switch."

    In your situation I would recommend:

    1. Create External Hyper-V switch, link it to our external NIC and attach it to your VMs. Do not allow the management operating system to share the network adapter.
    2. Create a Network Security group and attach it to the External NIC in Azure
    3. Configure rules on the NSG so that it can only talk to the required networks, Subnets within a VNet can always communicate by default in Azure

    This should mean your VMs can communicate to 192.168.169.16/28 without having any connection to the host or other subnets in your VNet.

    If you have any follow up questions please let me know and I can try to help.

    Kind regards,
    Tristan