We do a lot of testing using Hyper-V VMs, for example setting up our own AD and SCCM labs. Most of the time I have seen people creating 2 virtual NICs for each VM: one Private (internal/domain) and one External (internet). While this 2-NIC setup works well for some cases, it doesn’t give you the desired environment for testing scenarios like Intune Autopilot – Hybrid AD join, which requires internet as well as intranet connectivity. In this blog I will explain how we can use a NAT switch in Hyper-V to give the VMs both intranet and internet access with just 1 virtual NIC.
Note: You cannot create a NAT switch directly from Hyper-V Manager – Virtual Switch Manager. To do this you need to use PowerShell commands. Requirements: PowerShell 5.1 or later.
On the Hyper-V host machine:
1. To create a new switch, type the below command in PowerShell:
New-VMSwitch -SwitchName NAT -SwitchType Internal
2. Check the adapter configuration using the below command to find out the Interface Index of the new switch's virtual NIC and make a note of it:
Get-NetAdapter
In this example let's assume our Interface Index is 15. In your case it could be any number, so use it accordingly.
3. The next step is to configure the switch IP (gateway):
New-NetIPAddress -IPAddress 192.168.0.1 -PrefixLength 24 -InterfaceIndex 15
This will assign an IP address to this virtual NIC, and this IPv4 address will be the default gateway for the NAT network.
4. Now that we have the gateway in place, we will configure the network address of the NAT network that will run on the virtual switch; this is the private range of addresses that the virtual machines will use behind the virtual switch. Note that the IPv4 address in the previous step falls in this range.
New-NetNat -Name InternalNAT -InternalIPInterfaceAddressPrefix 192.168.0.0/24
The resulting network diagram is shown below.
Any virtual machine that runs on the virtual switch will now use an IPv4 address in the 192.168.0.0/24 range. There is no DHCP functionality in the virtual switch. If you want DHCP, you can create a DHCP scope with an address range such as 192.168.0.2 – 192.168.0.100 on your DHCP server and add the physical host NIC IP as the DNS server in the scope.
Next, we allow access from the NAT network to the host by adding a firewall rule:
New-NetFirewallRule -RemoteAddress 192.168.0.0/24 -DisplayName "Allow192network" -Profile Any -Action Allow
Now you should be able to ping from the host to the virtual NAT network and vice versa. Your NAT network serves as a corporate network which has both intranet and internet connectivity.
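The four steps and the firewall rule above, as one re-runnable script that is not part of the original post: it looks up the Interface Index from the "vEthernet (NAT)" adapter name instead of assuming 15, skips anything that already exists, and prints what was built. The variable names and the narrower-rule comment are my additions; the switch, NAT, address and rule names are the ones used in the post.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell 5.1+
# session on the Hyper-V host. Variable values are taken from the steps above.
#Requires -RunAsAdministrator
$SwitchName = 'NAT'
$NatName    = 'InternalNAT'
$GatewayIp  = '192.168.0.1'
$Prefix     = '192.168.0.0/24'
$PrefixLen  = 24

# 1. Internal switch (create only if missing).
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -SwitchName $SwitchName -SwitchType Internal | Out-Null
}

# 2. Hyper-V names the host-side adapter "vEthernet (<switch name>)"; resolve its
#    InterfaceIndex by name rather than hardcoding the number seen in Get-NetAdapter.
$adapter = Get-NetAdapter -Name "vEthernet ($SwitchName)" -ErrorAction Stop
$ifIndex = $adapter.ifIndex

# 3. Gateway address on the host-side adapter.
$existing = Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -eq $GatewayIp }
if (-not $existing) {
    New-NetIPAddress -IPAddress $GatewayIp -PrefixLength $PrefixLen -InterfaceIndex $ifIndex | Out-Null
}

# 4. NAT object for the private range.
if (-not (Get-NetNat -Name $NatName -ErrorAction SilentlyContinue)) {
    New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $Prefix | Out-Null
}

# 5. Host firewall rule from the post. As written it admits every inbound protocol
#    and port from the NAT range; add -Protocol/-LocalPort to narrow it if the VMs
#    only need, for example, ICMP and DNS from the host.
if (-not (Get-NetFirewallRule -DisplayName 'Allow192network' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Allow192network' -Direction Inbound `
        -RemoteAddress $Prefix -Profile Any -Action Allow | Out-Null
}

# Verification: the NAT range and the gateway address now on the switch adapter.
Get-NetNat -Name $NatName | Select-Object Name, InternalIPInterfaceAddressPrefix
Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 | Select-Object IPAddress, PrefixLength
```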
Hello Mohammed, I have created two AD sites - primary and DR - on a Hyper-V host. I am also using a domain joined Remote Access Server (router) for linking the two sites having different subnets. My requirement:
1) Monitor the router traffic between the sites and impose necessary port restrictions.
2) Allow both the sites internet access (via the host machine) and keep their internal network secure at the same time.
Network configuration:
1) On the router server - three virtual NICs: two private, one for each site, and 1 internal for internet access via the host.
2) On both the DCs, in the primary and DR site, two NICs: one private for that specific site and one internal, the same as used on the router.