This article was first published on SearchServerVirtualization.TechTarget.com.

While virtual machines working in isolation can be useful for some purposes, modern-day applications and operating systems often rely on network connectivity to accomplish their tasks. The challenge is in finding the right balance between ease of communication and security. In this article, I’ll cover details about virtual networking options in Microsoft Virtual Server 2005. Read on, so you’ll be able to ensure that no VM is an island (unless, of course, you want it to be).

Virtual Server’s Networking Architecture

Let’s start by taking a look at the architecture of how Virtual Server handles network access. Figure 1 provides a high-level view. Starting from the bottom, you have your physical network – the actual cables, switches, routers, and other devices to which the host computer is connected. Above that is the host’s physical network interface card (NIC) and its associated driver. That’s the standard stuff. Virtual Server adds a layer called the “Virtual Machine Network Services Driver”. This layer is responsible for giving virtual NICs (which are configured within the VM) access to the physical network.

Figure 1: An overview of Virtual Server’s network architecture

In the simplest configuration, you’ll likely have only a single physical NIC and a single virtual NIC. However, Virtual Server supports as many host NICs as you can install on the host OS, and up to four virtual NICs within each VM.

Understanding Virtual Networks

Virtual Networks are created within Virtual Server to simplify the administration of networking options. One option is not to attach the VM’s NIC to any virtual network (or not to use a virtual NIC at all). In that case, the VM will not be able to communicate with other physical or virtual machines. If you do want to enable communications, there are two main types of virtual networks.

Guest-Only Networks

A good way to minimize network security risks is to create a virtual network that restricts virtual machines to talking only to each other. Figure 2 shows an example. You can create many different Guest-Only networks, simply by choosing not to bind them to any of the host’s physical network adapters.

Figure 2: A logical overview of Guest-Only virtual networks.

External Networks

When you choose to connect a host network adapter to a virtual network, all VMs that are connected to that network will act as if they were physically connected to the host’s LAN (see Figure 3). In fact, other computers on the same network will have a hard time telling that these machines are VMs. While this offers the best connectivity, it comes at a cost in security (you must ensure that your VMs are properly patched and secured) and manageability (VMs must use compatible network addresses).

Figure 3: A logical overview of External virtual networks.

Creating Virtual Networks

The good news is that, once you understand Virtual Server’s networking architecture, creating and managing virtual networks is pretty simple. First, let’s look at how you can place limits on which physical network connections can be used.

Enabling Host Network Adapters

It’s not uncommon for server-side computers to have multiple physical network adapters. This is often done to segment traffic (for example, in the case of a public web server), or for performance (for example, creating a separate network connection for performing backups). In these cases, it’s likely that you’ll want to tell Virtual Server that one or more network interfaces are “off limits” for VMs. You can do this by editing the properties of the appropriate network connection and unbinding the Virtual Machine Network Services item (see Figure 4). The rules are simple: If the box is checked, then virtual networks will be able to use the physical adapter. If not, the network connection will not be available to virtual networks.

Figure 4: Configuring the Virtual Machine Network Services item in the properties of a host network adapter.

Managing Virtual Networks

OK, now that we have all the prerequisites out of the way, it’s time to fire up the Virtual Server Administration Web Site. By clicking on the items in the “Virtual Networks” section, you can create and configure virtual networks. Figure 5 shows the screen you’ll see when creating a new virtual network. The name of the virtual network can be anything descriptive. Next, you can choose whether you want to bind the network to one of the host’s physical network adapters, or if you want to create a guest-only network. Finally, this page will automatically list all virtual network adapters that are not currently connected to a virtual network and will allow you to connect them directly. Click OK, and your virtual network should be ready for use.

Figure 5: Create a new virtual network.

Configuring VM Network Adapters

You can connect virtual network adapters to virtual networks by editing the configuration of an existing VM. Figure 6 shows the configuration of a VM that has multiple virtual NICs. Note that you can specify a static MAC address, or you can have Virtual Server automatically create one that will avoid conflicts. The best news is that you can connect and disconnect virtual network attachments even while the VM is running (just be sure that your OS and applications are OK with this).

Figure 6: Modifying virtual network adapter properties for a VM
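
The following Python audit is an added example, not part of the original article and not Virtual Server's own API or configuration format. It runs over a constructed inventory and flags VMs attached to both an External and a Guest-Only network (which gives the host LAN a path toward the isolated segment through that VM), plus duplicate static MAC addresses on one virtual network; all network names, VM names and MAC values are made up.

```python
from collections import defaultdict

MAX_VNICS = 4  # per-VM virtual NIC limit stated in the article

# Constructed inventory: virtual network -> bound host adapter (None = Guest-Only).
NETWORKS = {"External-LAN": "Host NIC 1", "DB-Backend": None, "Lab-Isolated": None}
# Constructed inventory: VM -> [(virtual network or None, static MAC or None)].
VMS = {
    "web01": [("External-LAN", None), ("DB-Backend", None)],
    "db01": [("DB-Backend", "00-03-FF-00-00-10")],
    "db02": [("DB-Backend", "00-03-ff-00-00-10")],
    "lab01": [("Lab-Isolated", None), (None, None)],
}

def audit(networks, vms):
    """Report bridging VMs, the Guest-Only networks they expose, and MAC clashes."""
    over_limit = sorted(vm for vm, nics in vms.items() if len(nics) > MAX_VNICS)
    members = defaultdict(set)  # network -> attached VMs
    static = defaultdict(set)   # (network, MAC) -> VMs using that static MAC
    for vm, nics in vms.items():
        for net, mac in nics:
            if net is None:     # unattached NIC: no communication possible
                continue
            members[net].add(vm)
            if mac:
                static[(net, mac.upper())].add(vm)
    external = {n for n, host_nic in networks.items() if host_nic is not None}
    bridges = {}
    for vm, nics in vms.items():
        nets = {n for n, _ in nics if n is not None}
        guest_only = sorted(nets - external)
        if nets & external and guest_only:
            bridges[vm] = guest_only  # dual-homed across the isolation boundary
    exposed = sorted({n for nets in bridges.values() for n in nets})
    behind = sorted({vm for n in exposed for vm in members[n]} - set(bridges))
    clashes = {key: sorted(v) for key, v in static.items() if len(v) > 1}
    return {"over_limit": over_limit, "bridges": bridges,
            "exposed_networks": exposed, "vms_behind_bridge": behind,
            "mac_clashes": clashes}

if __name__ == "__main__":
    for check, result in audit(NETWORKS, VMS).items():
        print(f"{check}: {result}")
```

A VM reported under `bridges` is where hardening and patching matter most, because it is the only path between the LAN and the Guest-Only machines listed under `vms_behind_bridge`.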

More Virtual Server Networking Features

In this article, I covered the basics of getting up and running with Virtual Server’s networking options. But wait, there’s more! Virtual Server includes a built-in DHCP server that can be used for each of your virtual networks. As with physical network environments, this can help to greatly simplify the management of network addresses (especially if you often copy or move VMs). Of course, if your VMs are participating on the host network, you can use DHCP and other network services that might already be available.

Both Windows XP SP2 and the Windows Server 2003 platform offer built-in firewall functionality, and an Internet Connection Sharing (ICS) feature. Both of these are available for you to use with your VMs through an interesting application of the Microsoft Loopback Adapter (see Virtual Server Books Online for more details).

Overall, Virtual Server’s networking architecture is flexible and easy to manage, once you know how it all works. Keep this information in mind when you’re trying to determine the best balance between communications and security for your VMs.