Sifting through Hyper-V's VM isolation choices

Whatever the reason, you may want to control which virtual machines can communicate with one another. Hyper-V offers numerous VM isolation options to choose from.

There are several reasons why you may want to isolate a group of computers from others. One is the need to separate communication between business units within an organization. For example, you would never want HR computers to communicate with finance computers and vice versa. In a physical IT data center, a general approach for separating communication between different business units is to define separate VLANs.

As IT trends toward virtualizing the physical environment, including networking, several virtualization vendors, including Microsoft with Hyper-V, offer different isolation options. Once you virtualize your physical infrastructure, you expect the virtualization software to provide options that help you map your physical environment to a logical one and configure isolation for different business units. VM isolation is necessary because a host can contain VMs belonging to different business groups. Both IT organizations and cloud hosting providers benefit from the isolation options that Microsoft Hyper-V provides.

Hyper-V Virtual Switches

There are three types of virtual switches provided by Hyper-V: external, internal and private. These virtual switches help isolate traffic between VMs. VMs connected to an internal virtual switch can talk to each other and to the Hyper-V parent partition. A private virtual switch allows communication only between the VMs that are connected to it. If you have a group of computers that need to communicate with each other, you can create a private virtual switch and then connect those VMs to that switch. An external virtual switch allows VMs to talk to the local area network (LAN). In most cases, virtualization administrators configure VMs on an external virtual switch so VM traffic can be seen by VMs running on a remote Hyper-V server and physical computers running on a LAN. If you need to configure isolation for VMs connected to a Hyper-V virtual switch, you can always use the second isolation option, which is to configure VLAN domains for each group of VMs.


VLANs allow you to isolate VM traffic. You can configure the VLAN ID on both the Hyper-V virtual switch and the VM. However, a virtual switch can be configured with only one VLAN ID. An example of providing isolation for two business units (e.g. HR and finance) is to configure all HR VMs to use VLAN ID 2 and finance VMs to use VLAN ID 3. By default, Hyper-V virtual switches allow VLAN traffic. In other words, a Hyper-V virtual switch is configured in trunk mode to allow all VLAN traffic. It is always recommended to configure VLANs rather than creating a separate Hyper-V virtual switch to achieve the isolation. Hyper-V supports configuring a maximum of 4095 VLANs. Because VLANs suffer from scalability issues, other isolation options are available, such as PVLAN and Hyper-V Network Virtualization.
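The HR/finance VLAN assignment above can be checked for drift with the Hyper-V PowerShell module. This is an added example, not code from the original article; the `HR-` and `FIN-` VM name prefixes are assumptions, while VLAN IDs 2 and 3 come from the article's example.

```powershell
# Added example, not from the article. Assumed: the 'HR-'/'FIN-' VM name
# prefixes. VLAN IDs 2 and 3 are the article's HR/finance example.
#Requires -Modules Hyper-V

$ExpectedVlan = @{ 'HR-' = 2; 'FIN-' = 3 }   # name prefix -> access VLAN ID

function Test-VMVlanIsolation {
    param(
        [hashtable]$Policy = $ExpectedVlan,
        [switch]$Remediate   # without this switch the function only reports
    )
    foreach ($vm in Get-VM) {
        $prefix = $Policy.Keys |
            Where-Object { $vm.Name.StartsWith($_) } |
            Select-Object -First 1
        if (-not $prefix) { continue }        # VM is outside the policy
        $want = $Policy[$prefix]

        foreach ($nic in Get-VMNetworkAdapter -VM $vm) {
            $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
            # An untagged or trunk-mode adapter, or one in the wrong access
            # VLAN, breaks the intended separation between business units.
            $ok = ($vlan.OperationMode -eq 'Access') -and
                  ($vlan.AccessVlanId -eq $want)
            if (-not $ok -and $Remediate) {
                Set-VMNetworkAdapterVlan -VMNetworkAdapter $nic -Access -VlanId $want
            }
            # Mode and AccessVlan show the state found before any remediation.
            [pscustomobject]@{
                VM         = $vm.Name
                Switch     = $nic.SwitchName
                Mode       = $vlan.OperationMode
                AccessVlan = $vlan.AccessVlanId
                Expected   = $want
                Compliant  = $ok
            }
        }
    }
}

# Report only the adapters that violate the policy.
Test-VMVlanIsolation | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```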


Private virtual LAN (PVLAN) is another form of isolation for VMs running on Windows Server 2012 and 2012 R2 Hyper-V hosts. Although small organizations can use VLANs to achieve isolation for VMs, VLANs are not a viable option for a multitenant data center. VLANs suffer from scalability issues and the configuration is complex. Microsoft designed the PVLAN feature to overcome the VLAN limitation. PVLANs are often used by cloud service providers, allowing VLANs to be divided into a number of isolated virtual networks for different customer VMs. Although the scalability issues seen in VLANs can also be solved by configuring each tenant in Hyper-V Network Virtualization, a simple solution would be to use PVLAN if there is only one VM running per tenant.

VSID (Hyper-V Network Virtualization)

VSID, sometimes referred to as virtual subnet ID, is a component of Hyper-V Network Virtualization that also helps in configuring isolation for VMs. You can use either the VLAN isolation method or the Hyper-V Network Virtualization isolation method, but not both. Hyper-V Network Virtualization can support more than 16 million virtual networks, as opposed to the 4095 virtual networks that VLAN IDs support. If you are planning to use VSID for VM isolation, make sure you have configured the other required components of Hyper-V Network Virtualization, including provider addresses, Routing Domain ID, VM networks and more. It is imperative to understand that if a tenant has multiple virtual networks to be hosted on a shared IaaS cloud, the best isolation option would be to use Hyper-V Network Virtualization rather than VLAN or PVLAN. If you still need to block network traffic for a group of VMs, you can always configure port access control lists (port ACLs).

Port ACLs

Although the port ACL feature was actually designed to allow or block incoming and outgoing network traffic to VMs from remote computers, it can also be used as an isolation option. Port ACLs can be used in conjunction with VLANs. For example, you may want to block communication traffic between VMs within a VLAN. In this case, you could configure a port ACL rule to block communication between VM1 and VM2. Port ACLs can only be used on Windows Server 2012 and later Hyper-V hosts.
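The VM1/VM2 rule described above, applied in both directions with the Hyper-V PowerShell module. This is an added example, not code from the original article; the `Block-VMPair` helper is hypothetical, and it assumes the guests report their IP addresses to the host through integration services.

```powershell
# Added example, not from the article. VM1/VM2 are the article's names;
# guest IP discovery assumes integration services report addresses.
#Requires -Modules Hyper-V

function Block-VMPair {
    param(
        [Parameter(Mandatory)][string]$VMNameA,
        [Parameter(Mandatory)][string]$VMNameB
    )
    # Apply the rule on both VMs so neither side depends on the other's ACL.
    foreach ($pair in @(@($VMNameA, $VMNameB), @($VMNameB, $VMNameA))) {
        $target, $peer = $pair

        # Addresses the peer's adapters currently report to the host.
        $peerIps = (Get-VMNetworkAdapter -VMName $peer).IPAddresses
        if (-not $peerIps) {
            # Fail closed: a silent skip would leave the pair able to talk.
            throw "No IP addresses reported for $peer; no rule applied on $target."
        }

        foreach ($ip in $peerIps) {
            # Deny traffic to and from the peer at the virtual switch port,
            # below the guest OS, so the guest cannot disable the rule.
            Add-VMNetworkAdapterAcl -VMName $target `
                -RemoteIPAddress $ip -Direction Both -Action Deny
        }
    }

    # Show the resulting rule set on each VM for review.
    Get-VMNetworkAdapterAcl -VMName $VMNameA
    Get-VMNetworkAdapterAcl -VMName $VMNameB
}

Block-VMPair -VMNameA 'VM1' -VMNameB 'VM2'
```

Because the rules match on the addresses known at the time they are created, rerun the function after a guest changes its IP address.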

Windows Firewall

You can also configure Windows Firewall to block or allow incoming traffic for a group of VMs, but only at the operating system (OS) level. Since Windows Firewall works at the VM OS level, a Hyper-V host does not have control over the incoming or outgoing network traffic. However, IT organizations are still using the Windows Firewall isolation method to block unwanted traffic from remote computers.
