One of the greatest benefits of server virtualization is the way it's reduced hardware costs. Rather than dedicating...
a physical server to each individual workload, a physical server's hardware resources are shared among multiple virtualized workloads. This sharing of resources works great, as long as those resources are consumed equitably. However, disproportionate resource consumption has the potential to negatively impact multiple workloads. With a new Windows Server 2016 Hyper-V feature, this will no longer be an issue.
In theory, an individual VM should never consume excessive hardware resources to the point that the VM's resource consumption becomes disruptive to other VMs running on the host. After all, there are numerous hypervisor features that exist solely to prevent runaway resource consumption. For example, the Storage QoS feature can be used to cap storage I/O use. Similarly, dynamic memory use can be capped so that a VM never consumes more than a predetermined amount of memory.
Although hypervisor-level resource controls should prevent VMs from consuming too many resources, there are a number of real-world situations in which a VM can consume hardware resources to the point of impacting other VMs. For example, an administrator might have forgotten to enable some of the available controls.
Similarly, a VM-level misconfiguration could result in an unhealthy level of resource contention. Imagine, for example, that an administrator wants to set a VM's upper memory limit to 4000 MB, and accidentally types an extra zero, thereby allowing the VM to consume nearly 40 GB of RAM.
Of course, neglecting or accidentally misconfiguring a VM-level resource setting doesn't necessarily mean that the VM will become disruptive. Imagine what might happen, however, if such a machine was running a badly behaving application that fully consumed all of the VM's available resources. Worse yet, consider how such a VM could be leveraged in a denial of service attack.
Host Resource Protection
At some point during the development of Windows Server 2016 Hyper-V, Microsoft began to realize that excessive resource consumption could be a threat to neighboring VMs, and that better protections needed to be put into place in order to prevent such a VM from becoming disruptive. Such controls are essential in public clouds, such as Azure, and in private or hybrid clouds where the cloud provider has no control over what's running inside of a VM.
Microsoft's answer to this problem is a new feature called Host Resource Protection. The Host Resource Protection feature has been designed to prevent a VM from degrading neighboring VM's performance.
For right now, the Host Resource Protection feature is centered on virtual CPU (vCPU). If the hypervisor detects that a particular VM is generating excessive CPU activity, then it will allocate fewer CPU resources to the VM, thereby ensuring that other VMs running on the host continue to receive sufficient CPU resources.
Although Host Resource Protection is a CPU-centric feature, it seems likely -- given Microsoft's history of adding features to Hyper-V -- that the feature will eventually be extended to protect other types of hardware resources.
The Host Resource Protection feature is disabled by default, but can be enabled through Windows PowerShell by using the Set-VMProcessor cmdlet. The full command is:
Set-VMProcessor -EnableHostResourceProtection $True
If Host Resource Protection needs to be disabled, it can be turned off by using this command:
Set-VMProcessor -EnableHostResourceProtection $False
If the Set-VMProcessor cmdlet seems familiar, it's probably because this cmdlet existed in previous versions of Hyper-V. Although support for Host Resource Protection is new to Windows Server 2016 Hyper-V, the Set-VMProcessor cmdlet has long supported the throttling of CPU resources for individual VMs. The cmdlet can be used to allocate a specific number of virtual processors to a VM, and can also set a maximum CPU usage cap, a CPU reserve value and a relative weight.
Suppose, for instance, that an administrator wanted to allocate two vCPUs to a VM named DemoVM. Just to make things interesting, let's also assume that the administrator wanted to cap usage at 50% with a 10% reserve and set a relative weight of 100. The command for doing so would be as follows:
Set-VMProcessor DemoVM -Count 2 -Reserve 10 -Maximum 50 -RelativeWeight 100
Incidentally, these values can also be applied through the Hyper-V Manager.
The key difference between this technique and enabling the Windows Server 2016 Hyper-V Host Resource Protection feature is that Host Resource Protection is applied to the host, not to the VM, and doesn't require a granular CPU configuration.
Learn about other new Hyper-V features
Navigate the Discrete Device Assignment feature
Protect Hyper-V VMs with Host Guardian