Virtual machines (VMs) working in isolation can be useful for some purposes, but modern applications and operating systems often rely on network connectivity to accomplish their tasks. The challenge is in finding the right balance between ease of communications and security. In this article, I'll cover the virtual networking options in Microsoft Virtual Server 2005. With this information, you can ensure that no VM is an island (unless, of course, you want it to be).
Virtual Server's networking architecture
Let's start by taking a look at how Virtual Server handles network access. Figure 1 provides a high-level view.
Starting from the bottom, you have your physical network -- the actual cables, switches, routers and other devices to which the host computer is connected. Above that is the host's physical network interface card (NIC) and its associated driver. That's the standard stuff. Virtual Server adds a layer called the Virtual Machine Network Services Driver. This layer allows virtual NICs (which are configured within the VM) to access the physical network.
In the simplest configuration, you'll likely have a single physical NIC and a single virtual NIC. But Virtual Server supports as many host NICs as you can install on the host OS and up to four virtual NICs within each VM.
Understanding virtual networks
Virtual networks simplify the administration of networking options. One option is not to attach the VM's NIC to any virtual network (or not to use a virtual NIC at all). In that case, the VM will not be able to communicate with other physical or virtual machines. If you do want to enable communications, you have two main virtual network options: a guest-only network, or a network that is bound to one of the host's physical network adapters.
A good way to minimize network security risks is to create a virtual network that restricts virtual machines to talking only to each other. Figure 2 shows an example. You can create many different guest-only networks simply by choosing not to bind them to any of the host's physical network adapters.
When you connect a host network adapter to a virtual network, all VMs that are connected to that network will act as if they were physically connected to the host's LAN (see Figure 3). In fact, other computers on the same network will have a hard time telling that these machines are VMs.
Although this offers the best connectivity, it can be risky for security (you must ensure that your VMs are properly patched and secured) and manageability (VMs must use compatible network addresses).
Creating virtual networks
The good news is that, once you understand Virtual Server's networking architecture, creating and managing virtual networks is pretty simple. Let's look at how you can place limits on which physical network connections can be used.
Enabling host network adapters
Server-side computers can have multiple physical network adapters. This is often done to segment traffic (for example, in the case of a public Web server) or to improve performance (for example, creating a separate network connection for performing backups).
In these cases, you may want to tell Virtual Server that one or more network interfaces are off limits for VMs. You can do this by editing the properties of the appropriate network connection and unbinding the Virtual Machine Network Services item (see Figure 4). The rules are simple: If the box is checked, then virtual networks will be able to use the physical adapter. If not, the network connection will not be available.
Managing virtual networks
Now that we have the prerequisites out of the way, it's time to fire up the Virtual Server Administration Web site. By clicking on the items in the Virtual Networks section, you can create and configure virtual networks.
Figure 5 shows the screen you'll see when creating a new virtual network. The name of the virtual network can be anything descriptive. You can choose whether you want to bind the network to one of the host's physical network adapters or if you want to create a guest-only network. Finally, this page will automatically list all virtual network adapters that are not currently connected to a virtual network; the page will allow you to connect them directly. Click OK, and your virtual network should be ready for use.
Configuring VM network adapters
You can connect virtual network adapters to virtual networks by editing the configuration of an existing VM. Figure 6 shows the configuration of a VM that has multiple virtual NICs. Note that you can specify a static MAC address or you can have Virtual Server automatically create one that will avoid conflicts.
The best news is that you can connect and disconnect virtual network attachments even while the VM is running (just be sure that your OS and applications are OK with this).
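The following added example (not from the original article or from Microsoft) audits an inventory of virtual networks and VM adapters against the isolation model described above. It labels each VM as isolated, guest-only or on the host LAN, and flags guest-only networks that share a multi-NIC VM with a host-bound network, since such a VM can relay traffic if its OS routes or proxies. The inventory format, network names and labels are constructed for illustration; Virtual Server does not export this format itself.

```python
MAX_NICS_PER_VM = 4  # per-VM virtual NIC limit stated in the article

# Constructed inventory. Network -> bound host adapter (None = guest-only).
NETWORKS = {"External": "Host NIC 1", "LabOnly": None, "Quarantine": None}
# VM -> virtual network of each virtual NIC (None = NIC not connected).
VMS = {
    "web01": ["External"],
    "db01": ["LabOnly"],
    "gateway": ["External", "LabOnly"],  # dual-homed
    "sample01": ["Quarantine"],
    "spare": [None],
}

def exposed_networks(networks, vms):
    """Networks with a possible path to the host LAN, directly or via multi-homed VMs."""
    exposed = {name for name, adapter in networks.items() if adapter}
    changed = True
    while changed:
        changed = False
        for nics in vms.values():
            attached = {n for n in nics if n}
            if attached & exposed and not attached <= exposed:
                exposed |= attached
                changed = True
    return exposed

def classify(networks, vms):
    """Label each VM by its exposure to the host's physical LAN."""
    host_bound = {name for name, adapter in networks.items() if adapter}
    reachable = exposed_networks(networks, vms)
    report = {}
    for vm, nics in vms.items():
        attached = {n for n in nics if n}
        if len(nics) > MAX_NICS_PER_VM or attached - set(networks):
            raise ValueError(f"{vm}: too many NICs or unknown virtual network")
        if not attached:
            report[vm] = "isolated"
        elif attached & host_bound and attached - host_bound:
            report[vm] = "dual-homed"
        elif attached & host_bound:
            report[vm] = "host-lan"
        elif attached & reachable:
            report[vm] = "guest-only-exposed"
        else:
            report[vm] = "guest-only"
    return report

if __name__ == "__main__":
    for vm, label in classify(NETWORKS, VMS).items():
        print(f"{vm:10} {label}")
```

A "guest-only-exposed" result means the VM's network is only as isolated as the dual-homed VM attached to it, so that VM deserves the same patching and firewall attention as one placed directly on the host LAN.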
More Virtual Server networking features
In this article, I covered the basics of getting up and running with Virtual Server's networking options. But wait, there's more!
Virtual Server includes a built-in DHCP server that can be used for each of your virtual networks. As with physical network environments, this can simplify the management of network addresses (especially if you often copy or move VMs). Of course, if your VMs are participating on the host network, you can use DHCP and other network services that might already be available.
Both Windows XP SP2 and the Windows Server 2003 platform offer built-in firewall functionality and an Internet Connection Sharing (ICS) feature. Both of these are available for you to use with your VMs through an interesting application of the Microsoft Loopback Adapter (see Virtual Server Books Online for more details).
Overall, Virtual Server's networking architecture is flexible and easy to manage once you know how it all works. Keep this information in mind when you're trying to determine the best balance between communications and security for your VMs.
About the author: Anil Desai is the author of numerous technical books focusing on the Windows Server Platform, Virtualization, Active Directory, SQL Server, and IT management. Most recently, he has written The Rational Guide to Managing Microsoft Virtual Server and The Rational Guide to Scripting Microsoft Virtual Server. He has made dozens of conference presentations at national events and is also a contributor to technical magazines.