This article was first published on SearchServerVirtualization.TechTarget.com.
While virtual machines working in isolation can be useful for some purposes, modern-day applications and operating systems often rely on network connectivity to accomplish their tasks. The challenge is in finding the right balance between ease of communications and security. In this article, I’ll cover details about virtual networking options in Microsoft Virtual Server 2005. Read on, so you’ll be able to ensure that no VM is an island (unless, of course, you want it to be).
Virtual Server’s Networking Architecture
Let’s start by taking a look at the architecture of how Virtual Server handles network access. Figure 1 provides a high-level view. Starting from the bottom, you have your physical network – the actual cables, switches, routers, and other devices to which the host computer is connected. Above that is the host’s physical network interface card (NIC) and its associated driver. That’s the standard stuff. Virtual Server adds a layer called the “Virtual Machine Network Services Driver”. This layer is responsible for giving virtual NICs (which are configured within the VM) access to the physical network.
Figure 1: An overview of Virtual Server’s network architecture
In the simplest configuration, you’ll likely have only a single physical NIC and a single virtual NIC. However, Virtual Server supports as many host NICs as you can install on the host OS, and up to four virtual NICs within each VM.
Understanding Virtual Networks
Virtual Networks are created within Virtual Server to simplify the administration of networking options. One option is not to attach the VM’s NIC to any virtual network (or to not use a virtual NIC at all). In that case, the VM will not be able to communicate with other physical or virtual machines. If you do want to enable communications, there are two main types of virtual network options.
Guest-Only Networks
A good way to minimize network security risks is to create a virtual network that restricts virtual machines to talking only to each other. Figure 2 shows an example. You can create many different Guest-Only networks, simply by choosing not to bind them to any of the host’s physical network adapters.
Figure 2: A logical overview of Guest-Only virtual networks.
External Networks
When you choose to connect a host network adapter to a virtual network, all VMs that are connected to that network will act as if they were physically connected to the host’s LAN (see Figure 3). In fact, other computers on the same network will have a hard time telling that these machines are VMs. While this offers the best connectivity, it comes at a cost to security (you must ensure that your VMs are properly patched and secured) and manageability (VMs must use compatible network addresses).
Figure 3: A logical overview of External virtual networks.
Creating Virtual Networks
The good news is that, once you understand Virtual Server’s networking architecture, creating and managing virtual networks is pretty simple. First, let’s look at how you can place limits on which physical network connections can be used.
Enabling Host Network Adapters
It’s not uncommon for server-side computers to have multiple physical network adapters. This is often done to segment traffic (for example, in the case of a public web server), or for performance (for example, creating a separate network connection for performing backups). In these cases, it’s likely that you’ll want to tell Virtual Server that one or more network interfaces are “off limits” for VMs. You can do this by editing the properties of the appropriate network connection and unbinding the Virtual Machine Network Services item (see Figure 4). The rules are simple: If the box is checked, then virtual networks will be able to use the physical adapter. If not, the network connection will not be available to them.
Figure 4: Configuring the Virtual Machine Network Services item in the properties of a host network adapter.
Managing Virtual Networks
OK, now that we have all the prerequisites out of the way, it’s time to fire up the Virtual Server Administration Web Site. By clicking on the items in the “Virtual Networks” section, you can create and configure virtual networks. Figure 5 shows the screen you’ll see when creating a new virtual network. The name of the virtual network can be anything descriptive. Next, you can choose whether you want to bind the network to one of the host’s physical network adapters, or if you want to create a guest-only network. Finally, this page will automatically list all virtual network adapters that are not currently connected to a virtual network and will allow you to connect them directly. Click OK, and your virtual network should be ready for use.
Figure 5: Create a new virtual network.
Configuring VM Network Adapters
You can connect virtual network adapters to virtual networks by editing the configuration of an existing VM. Figure 6 shows the configuration of a VM that has multiple virtual NICs. Note that you can specify a static MAC address, or you can have Virtual Server automatically create one that will avoid conflicts. The best news is that you can connect and disconnect virtual network attachments even while the VM is running (just be sure that your OS and applications are OK with this).
Figure 6: Modifying virtual network adapter properties for a VM
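The distinctions covered so far (guest-only versus external networks, the limit of four virtual NICs per VM, and static MAC addresses) can be checked across an inventory of VMs. The Python below is an added example, not part of the original article or of Virtual Server; the inventory format, network names, VM names and MAC values are all constructed for illustration.

```python
from collections import defaultdict

MAX_VNICS = 4  # per-VM virtual NIC limit stated in the article

# Constructed inventory (hypothetical names): virtual network -> bound host adapter.
# None means the network is guest-only (not bound to any physical NIC).
NETWORKS = {"lab-internal": None, "dmz-external": "Host NIC 2", "corp-lan": "Host NIC 1"}

# Constructed attachments: (vm, virtual network or None, static MAC or None for dynamic).
NICS = [
    ("web01", "dmz-external", "00-03-FF-00-00-01"),
    ("web01", "lab-internal", None),
    ("db01", "lab-internal", "00-03-FF-00-00-02"),
    ("test01", None, None),                      # NIC present but not attached
    ("app01", "corp-lan", "00-03-FF-00-00-01"),  # same static MAC as web01
]

def audit(networks, nics):
    """Return (exposure per VM, findings) for an inventory in the format above."""
    attached = defaultdict(set)   # vm -> virtual networks it is attached to
    macs = defaultdict(list)      # static MAC -> VMs configured with it
    count = defaultdict(int)      # vm -> number of virtual NICs
    findings = []
    for vm, net, mac in nics:
        count[vm] += 1
        if mac:
            macs[mac.upper()].append(vm)
        if net is None:
            continue
        if net in networks:
            attached[vm].add(net)
        else:
            findings.append(f"{vm}: attached to unknown network {net!r}")
    exposure = {}
    for vm, n in count.items():
        external = {x for x in attached[vm] if networks[x] is not None}
        internal = attached[vm] - external
        # A VM on both kinds of network is a path between the isolated segment and the LAN.
        exposure[vm] = ("bridging" if external and internal else "external" if external
                        else "guest-only" if internal else "isolated")
        if exposure[vm] == "bridging":
            findings.append(f"{vm}: dual-homed between guest-only {sorted(internal)} "
                            f"and external {sorted(external)}")
        if n > MAX_VNICS:
            findings.append(f"{vm}: {n} virtual NICs exceeds limit of {MAX_VNICS}")
    for mac, vms in macs.items():
        if len(vms) > 1:
            findings.append(f"static MAC {mac} reused by {sorted(vms)}")
    return exposure, findings
```

Calling `audit(NETWORKS, NICS)` on the constructed inventory classifies each VM and reports the dual-homed VM and the reused static MAC.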
More Virtual Server Networking Features
In this article, I covered the basics of getting up and running with Virtual Server’s networking options. But wait, there’s more! Virtual Server includes a built-in DHCP server that can be used for each of your virtual networks. As with physical network environments, this can help to greatly simplify the management of network addresses (especially if you often copy or move VMs). Of course, if your VMs are participating on the host network, you can use DHCP and other network services that might already be available.
Both Windows XP SP2 and the Windows Server 2003 platform offer built-in firewall functionality, and an Internet Connection Sharing (ICS) feature. Both of these are available for you to use with your VMs through an interesting application of the Microsoft Loopback Adapter (see Virtual Server Books Online for more details).
Overall, Virtual Server’s networking architecture is flexible and easy-to-manage, once you know how it all works. Keep this information in mind when you’re trying to determine the best balance between communications and security for your VMs.
#1 by Ashokan on May 11, 2008 - 12:07 am
I am just building my first Virtual and trying to use the two node cluster – example from Microsoft.
Host, guest Windows 2003 Ent svr. Host has DNS, DHCP from router is used. Virtual Network Service is running, NIC is , Intel
I have created a private Virtual Network and public. The guest is added to the Public. The issue is I am not getting internet connection on Guest. Re-installed .. no success.
Any help ?
Ashokan
#2 by Anil Desai on May 11, 2008 - 7:50 am
Ashokan,
I’m not sure I understand your configuration. If you’re talking about guest OS’s being added to a virtual NIC that is connected to a physical server adapter, you should be able to obtain a DHCP-based IP address. The assumption is that the host itself has a valid IP address on the network. You should also verify that the DNS server settings for the guest VM are properly configured (if not, DNS name resolution will fail, and it will appear that you “can’t connect to the Internet”). Those are some general troubleshooting steps to attempt for both physical and virtual machines.
I hope this is somewhat helpful. Good luck!
– Anil
#3 by Tibor Szabo on July 27, 2008 - 8:05 am
Hi,
I have connected the virtual network adapter to the physical network adapter of the server (w2003). I have static IP on the physical adapter, the server is hosted by hosting service provider. I would like to reach the VM through the internet, but I have only one IP address, that is assigned both to virtual adapter and the physical one…then after a while of using it, there comes the IP address conflict and the VM gets unreachable. How to solve? Thx
#4 by Anil Desai on July 27, 2008 - 4:11 pm
Tibor:
If I understand your configuration correctly, there are two issues here. The first is that your single externally-accessible IP address changes periodically (probably when the DHCP lease from your ISP expires). You can get around this by using a service such as DynDNS.org or by leasing a static IP address from your ISP.
Regarding the server configuration: You didn’t mention how you’d like to connect to the VM. If you’re planning to use the Remote Desktop Protocol (RDP), you can change the default port RDP is using and set up port-forwarding on your firewall.
I hope this is helpful. If it doesn’t address the question, feel free to follow up.
– Anil
#5 by Tibor Szabo on July 30, 2008 - 4:14 pm
Hi,
Yes, I want to use the RDP and the IP is static. There is no firewall. I’ve set up the same IP address (given by ISP) for both the physical network adapter and the Virtual network adapter in VM. The VM is reachable by RDP, but after a while I get the IP address conflict. To what IP should I configure the physical and the virtual adapters?
Thx
#6 by Anil Desai on July 30, 2008 - 5:36 pm
Tibor:
I think I understand what you’re trying to do. As you’ve discovered, you cannot hard-code both the physical and virtual NIC to the same IP address as the systems are on the same network and will conflict. You have two options: Get a second IP address (on the same network segment) and assign that to the VM. Or, and this is significantly more complicated, you can consider creating a Terminal Services Gateway using Windows Server 2008 Terminal Services. Basically, you have to have some way to use a routing device that can re-route RDP traffic. Again, the easiest option would be to get a second IP address from your ISP.
I hope this is helpful. If not, I recommend posting your issue at the Microsoft Technical Communities web site (http://www.microsoft.com/communities/Default.mspx). Perhaps someone else will have some other suggestions. Good luck!
– Anil
#7 by Kirk Hayes on August 1, 2008 - 7:17 am
I have configured a Server 2003 host with a Guest OS of Windows Server 2003. When I setup the network adapter of the guest with a static IP I cannot connect to internet or other Servers by IP or name. I have tried using both my physical NICs and one NIC was setup statically and the other DHCP. With the one setup DHCP I could access the internet but I could not ping the VM by IP or name. Also when I set it up my host server becomes disconnected to everyone connected to the network.
#8 by Anil Desai on August 1, 2008 - 8:53 am
Kirk:
It sounds like the issue is most likely a configuration one. When you use a static IP within the guest, you need to make sure that you have the proper default gateway and DNS server addresses defined. If you’re running a “flat” (non-routed) network, then those settings should be the same as those for the host machine. In this configuration, the VM should behave just like any other node on the network and should be able to send data to/from other servers on the LAN. Keep in mind that the Windows Firewall rules will still apply.
Alternatively, the host machine can serve as a Network Address Translator (NAT) to allow guest VMs to route traffic from the guest NICs through the physical NICs on the host. This configuration is commonly-used when you want to quickly enable Internet access for VMs or when another DHCP server is not available on the network.
I hope this is helpful.
– Anil
#9 by ReVeLaTeD on November 7, 2008 - 12:30 am
I’m new to the virtual world. I want to set up a virtual server environment on my laptop. Within this environment I will be able to test server-based software (Sharepoint, most notably). However, I have a challenge.
I will obviously need the virtual environment to have access to all internet resources, but I do NOT want it visible to LAN. Our IT group gets really antsy seeing any sort of server OS showing up on the LAN, so I don’t want that.
Is there any way to accomplish these two objectives (give it internet accessibility without making it visible to the local infrastructure)?
#10 by Anil Desai on November 7, 2008 - 7:21 am
Revelated:
That’s a tough combination of requirements to achieve. Because the VM will be sending and receiving packets on the LAN, it will be discoverable by network scanning tools. You can use the host computer as a Network Address Translator (NAT) by using Internet Connection Sharing for MSVS. Depending on the depth of monitoring, it might be obvious that there’s a new machine on the network. Other computers, however, would not be able to directly connect to the VM.
I highly recommend you coordinate with your network people to set up an isolated test network. By creating VLANs or custom routing rules, they can allow your VMs to access the Internet without having access to other servers on the production LAN. That helps security and makes your job simpler. Less “antsiness” is always a good thing. 🙂 Good luck!
– Anil
#11 by ReVeLaTeD on November 8, 2008 - 3:57 pm
Thanks, I’ll talk to them.
In the meantime how about this alternative:
Could I configure the VM to only be visible to my laptop? Basically, remove any and all connection configuration (Ethernet, wireless, etc) mapping from it so it’s not connected to anything but my laptop, and then just copy files to it as needed? Would that achieve at least one objective?
#12 by Peter Cox on June 21, 2009 - 6:41 pm
I’m obviously doing something stupid and maybe you can tell me what it is.
Have a physical Dell server setup with 3 nics and was running 2 virtual servers in a dmz outside the firewall with the host adapter connected to the inside network. I lost the OS hard drive, a long sad story and have recreated on a new pair of mirrored drives. Restored the virtual server setups from tape and restored the virtual server setup but could not get anything to come up so thought I would just recreate the servers. Now find that I can create hard disks but cannot select them in the virtual machine creation – select use an existing virtual hard disk, the drop down shows them all but no matter what I select it still shows none, Can create a virtual network but can’t connect it to a physical adapter – see the adapter names in the drop down but even if I select a real adapter it still shows None (Guests Only).
It’s as if I don’t have the rights to select anything But I have no idea what the issue is.
Any hints you can give me?
Thanks Peter
#13 by Anil Desai on June 23, 2009 - 10:13 am
Peter,
It does sound like you have reconfigured the server properly, and my best guess is that this is a permissions issue. By default, the Virtual Server service runs under an account with limited access to the system. While it might be able to enumerate paths and configuration settings, it might not have access to change them in either the VMC file or in the file system. Try changing the service account for the Virtual Server service and then restart the server. Hopefully, you’ll then be able to attach the VHDs/network adapters.
If that doesn’t work, consider recreating the virtual machine configurations from scratch. Just take note of the settings from the information details page in the MSVS admin, remove those VMs, and then recreate a new VM and attach the VHD(s) to the new VM.
On a side note: This might be a good opportunity to migrate to Hyper-V. You can transition the existing VMs to Windows Server 2008, as long as your hardware and licenses support it.
I hope this is helpful!
– Anil
#14 by Thomas Heimann on August 8, 2009 - 12:34 pm
Anil,
I hope you can help me. I just installed Virtual Server 2005 R2 Enterprise on a 2003 x64 R2 Enterprise Server.
When I go to the create virtual machine page from the admin website, I can open up all of the drop down menus but I cannot make any selections (IDE vs SCSI, or selecting network adapters, etc.).
I read one of your prior posts in re permission and I changed the account under which the Virtual Server service runs to the Administrator account, restarted the service, etc. and still no change. I am at a total loss 🙁
If you can help that would be so phenomenal. Thanks in advance!
Thomas Heimann
#15 by Anil Desai on August 9, 2009 - 6:02 pm
Thomas: It seems like you’ve addressed the most common cause of this type of problem (permissions). I actually haven’t run into this problem before, so I’m not sure about its cause. Assuming the problem occurs only on a single machine, I would still suspect security settings. Generally, using a local Admin account should work. You might want to try uninstalling and reinstalling MSVS. That should reset permissions on Registry keys and in the file system. If that doesn’t work, I’m at a loss. This might be good justification to move from MSVS to Hyper-V.
#16 by Mark on August 10, 2009 - 8:19 am
Is that the IE 8 “compatibility” problem?