Customize a Hyper-V network adapter for security, performance

Look beyond basic network adapter settings in Hyper-V to enable features like IPsec task offloading, DHCP guard, protected networks, port mirroring and NIC teaming, among others.

The basic Microsoft Hyper-V network adapter settings are often sufficient, but Hyper-V provides other options that administrators can use to improve security and performance. In many cases though, these optional features require hardware or guest OS-level support.

When you create a VM using Hyper-V Manager, the New Virtual Machine Wizard asks you to which virtual switch the VM should be connected. The setup wizard, which you can see in figure A below, creates a Hyper-V network adapter that is bound to your switch of choice.

Unless you need virtual LAN (VLAN) connectivity, you probably won't have to touch the virtual network interface card (vNIC) again. Even so, there are a surprising number of settings available to customize the vNIC's behavior.

Choose a virtual switch for the VM.
Figure A. This is the only network-related question Hyper-V Manager asks during the VM creation process.

VNIC-related settings

To access additional vNIC-related settings, right-click on the VM and choose the Settings command from the shortcut menu. Upon doing so, you'll be taken to the VM's settings.

As you can see in figure B below, the settings related to the vNIC are really straightforward. You can choose to which virtual switch you want to attach the vNIC, and you can specify any VLAN that you want to use. This screen also helps you to enable bandwidth management for the vNIC, and you can specify the maximum and minimum acceptable bandwidth levels.
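The same three settings (virtual switch, VLAN and bandwidth limits) can be applied from the Hyper-V PowerShell module, which is handy when the change has to be repeated across many VMs or audited later. The following is an added example, not code from the original article; it assumes a placeholder VM named `WebVM` and a placeholder virtual switch named `ExternalSwitch` that was created with `-MinimumBandwidthMode Absolute`, since a minimum-bandwidth reservation is only honored on a switch in that mode.

```powershell
# Added example (not from the original article): configure the vNIC settings from
# figure B with the Hyper-V PowerShell module instead of the GUI.
# Assumptions: placeholder VM 'WebVM', placeholder switch 'ExternalSwitch' created with
# -MinimumBandwidthMode Absolute, placeholder VLAN 100.
$vmName     = 'WebVM'
$switchName = 'ExternalSwitch'
$vlanId     = 100

# Bind the vNIC to the chosen switch (the virtual switch drop-down in the GUI).
Connect-VMNetworkAdapter -VMName $vmName -SwitchName $switchName

# Access-mode VLAN tagging (the 'Enable virtual LAN identification' checkbox).
# To undo it later: Set-VMNetworkAdapterVlan -VMName $vmName -Untagged
Set-VMNetworkAdapterVlan -VMName $vmName -Access -VlanId $vlanId

# Bandwidth management. Both values are in bits per second, so do not use the
# PowerShell MB/GB suffixes (those are bytes): 100 Mb/s floor, 1 Gb/s ceiling.
Set-VMNetworkAdapter -VMName $vmName `
    -MinimumBandwidthAbsolute 100000000 `
    -MaximumBandwidth        1000000000

# Read the settings back so the change can be verified or recorded.
$nic = Get-VMNetworkAdapter -VMName $vmName
$nic | Select-Object VMName, SwitchName, MacAddress
Get-VMNetworkAdapterVlan -VMName $vmName | Select-Object VMName, OperationMode, AccessVlanId
$nic.BandwidthSetting | Select-Object MinimumBandwidthAbsolute, MaximumBandwidth
```

Note that `Set-VMNetworkAdapter -VMName` applies to every adapter on that VM; when a VM has more than one vNIC, select the right one with `Get-VMNetworkAdapter -VMName $vmName -Name <adapter name>` and pipe it in instead.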

The settings above enable you to configure the vNIC's basic behavior. If you want more fine-grained control over the vNIC, then there are some extra settings available. Click on the plus icon to the left of the Hyper-V network adapter -- see figure B -- to expand the Network Adapter container to reveal additional options.

Additional settings

The additional settings are divided between two containers, the first of which is the Hardware Acceleration container -- see figure C.

Hardware offloading settings
Figure C. The Hardware Acceleration container offers settings related to hardware offloading.

The first of these settings allows you to enable the use of virtual machine queue (VMQ), a networking technology designed to enable the efficient transfer of network packets to and from a virtualization host.

VMQ has the ability to use direct memory access to transfer packets directly into a VM's shared memory. It also boosts performance by distributing packet processing across multiple CPUs. VMQ can significantly improve performance for network I/O-heavy VMs, but to use it, the host's physical network adapter must support VMQ at the hardware level.

The other feature that's available in the Hardware Acceleration tab is IPsec task offloading. Windows has long supported the IPsec protocol as a means to encrypt network traffic streams so that the contents of the packets in those streams are not exposed on the wire.

The disadvantage to using IPsec, however, is that, like other encryption protocols, it adds a significant amount of overhead for the encryption and decryption process. Hyper-V can mitigate the effects of this overhead by offloading IPsec-related tasks to the physical network adapter, so long as that adapter supports IPsec offloading. All you have to do is select the Enable IPsec task offloading checkbox and specify the maximum number of offloaded security associations.
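Because both VMQ and IPsec task offloading depend on the host's physical adapter, it is worth checking the host side before turning the VM-side options on; otherwise the checkbox is silently ignored. The following added example (not from the original article) does that with the NetAdapter and Hyper-V PowerShell modules. It assumes a placeholder VM named `DbVM` and a placeholder host NIC named `Ethernet 2`; the security-association limit of 512 is an illustrative value.

```powershell
# Added example (not from the original article): check host NIC support for VMQ and
# IPsec task offload, then enable both on the VM's vNIC only where the host supports them.
# Assumptions: placeholder VM 'DbVM', placeholder host adapter 'Ethernet 2'.
$vmName  = 'DbVM'
$hostNic = 'Ethernet 2'

# Host-side capability check (NetAdapter module). An adapter without the feature
# returns nothing here, so treat $null as "unsupported".
$vmq   = Get-NetAdapterVmq          -Name $hostNic -ErrorAction SilentlyContinue
$ipsec = Get-NetAdapterIPsecOffload -Name $hostNic -ErrorAction SilentlyContinue

if ($vmq) {
    $vmq | Select-Object Name, Enabled, NumberOfReceiveQueues
    # Supported but switched off on the host: enable it before touching the VM.
    if (-not $vmq.Enabled) { Enable-NetAdapterVmq -Name $hostNic }
    # VmqWeight 0 disables VMQ for the vNIC; 1-100 sets its relative priority.
    # The GUI checkbox corresponds to a weight of 100.
    Set-VMNetworkAdapter -VMName $vmName -VmqWeight 100
} else {
    Write-Warning "$hostNic does not expose VMQ; leaving VMQ off for $vmName."
}

if ($ipsec) {
    $ipsec | Select-Object Name, Enabled
    if (-not $ipsec.Enabled) { Enable-NetAdapterIPsecOffload -Name $hostNic }
    # Maximum number of security associations the vNIC may offload; 0 disables offload.
    Set-VMNetworkAdapter -VMName $vmName -IPsecOffloadMaximumSecurityAssociation 512
} else {
    Write-Warning "$hostNic does not expose IPsec offload; leaving it off for $vmName."
}

# Verify. VmqUsage and IPsecOffloadSAUsage show what is actually in use at runtime,
# not just what was requested, so a 0 here after traffic has flowed means the
# offload never took effect.
Get-VMNetworkAdapter -VMName $vmName |
    Select-Object VMName, VmqWeight, VmqUsage, IPsecOffloadMaxSA, IPsecOffloadSAUsage
```

The usage counters are the practical check: a VM can have `VmqWeight` set to 100 and still show `VmqUsage` of 0 if the host NIC ran out of queues or VMQ was disabled at the driver level.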

Advanced features

The other container that's available for your use is the Advanced Features container -- see figure D. The primary feature found in this container is the ability to specify a static media access control (MAC) address -- as opposed to allowing Hyper-V to assign a MAC address to the vNIC -- and the ability to enable MAC spoofing.

Advanced features
Figure D. These are some of the features that are available in the Advanced Features tab.

The Advanced Features tab also contains a series of checkboxes you can use to enable or disable various networking features. The Dynamic Host Configuration Protocol (DHCP) guard option, for example, blocks DHCP communications from unauthorized VMs pretending to be DHCP servers. Similarly, the router guard feature can shield the VM from unauthorized VMs pretending to be routers.

Another option available within Advanced Features is the protected network feature. This simple checkbox enables the VM to automatically migrate to a different cluster node -- assuming that the VM is highly available -- in the event of a network disconnection.

Another useful feature found in the Advanced Features section is the port mirroring setting. Port mirroring enables the mirroring of the VM's traffic to another VM for the purpose of monitoring the traffic stream.

The Advanced Features container also includes a NIC teaming checkbox. You can use this option to build a guest-level NIC team, although the guest OS will need to support NIC teaming.

Finally, a device naming option enables you to propagate the name of the Hyper-V network into the guest OS. In most cases, you probably won't need to enable this setting, but it's useful for identification purposes when guests have multiple NICs.
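Most of the Advanced Features checkboxes are security controls, and the two questions an administrator usually has are "what is my baseline?" and "which VMs drift from it?" The following added example (not from the original article) answers both from the Hyper-V PowerShell module: one function applies a conservative baseline (MAC spoofing off, DHCP guard and router guard on, no port mirroring, guest teaming off, device naming on, protected network on), one sets up a port-mirroring pair for a monitoring VM, and one audits every VM on the host and lists the adapters that deviate. It assumes placeholder VM names `AppVM` and `MonitorVM`; the static MAC address is a constructed value in Hyper-V's default `00-15-5D` range and must be replaced with one that is unique on your network. The "protected network" checkbox maps to the `-NotMonitoredInCluster` parameter, which is the inverse of the checkbox.

```powershell
# Added example (not from the original article): apply and audit the Advanced Features
# settings with the Hyper-V PowerShell module.
# Assumptions: placeholder VMs 'AppVM' and 'MonitorVM'; constructed static MAC '00155D0A0B0C'.

function Set-VNicSecurityBaseline {
    param(
        [Parameter(Mandatory)] [string]$VMName,
        [string]$StaticMacAddress      # optional: omit to keep Hyper-V's dynamic MAC
    )
    $settings = @{
        VMName                = $VMName
        MacAddressSpoofing    = 'Off'   # guest cannot send frames with a different source MAC
        DhcpGuard             = 'On'    # DHCP server messages from this VM are dropped
        RouterGuard           = 'On'    # router advertisement/redirect messages are dropped
        PortMirroring         = 'None'  # traffic is neither copied out nor received as a copy
        AllowTeaming          = 'Off'   # guest-level NIC teaming only where it is designed in
        DeviceNaming          = 'On'    # adapter name is visible inside the guest
        NotMonitoredInCluster = $false  # 'Protected network': fail over on disconnect
    }
    if ($StaticMacAddress) { $settings.StaticMacAddress = $StaticMacAddress }
    Set-VMNetworkAdapter @settings
}

function Enable-VNicPortMirror {
    # Copies SourceVM's traffic to MonitorVM. Both vNICs must be on the same virtual
    # switch; the monitoring VM sees everything the source sends and receives, so it
    # should itself be covered by the baseline and its access tightly controlled.
    param(
        [Parameter(Mandatory)] [string]$SourceVM,
        [Parameter(Mandatory)] [string]$MonitorVM
    )
    Set-VMNetworkAdapter -VMName $SourceVM  -PortMirroring Source
    Set-VMNetworkAdapter -VMName $MonitorVM -PortMirroring Destination
}

function Get-VNicSecurityFindings {
    # Reports every adapter that deviates from the baseline. Legitimate exceptions
    # (a DHCP server VM, a router VM, a mirror destination, a guest with a NIC team)
    # are expected to show up here; the point is that each one is known and deliberate.
    param([string[]]$VMName = (Get-VM).Name)
    foreach ($nic in Get-VMNetworkAdapter -VMName $VMName) {
        $issues = @()
        if ($nic.MacAddressSpoofing -eq 'On')   { $issues += 'MAC spoofing enabled' }
        if ($nic.DhcpGuard          -ne 'On')   { $issues += 'DHCP guard off' }
        if ($nic.RouterGuard        -ne 'On')   { $issues += 'router guard off' }
        if ($nic.PortMirroringMode  -ne 'None') { $issues += "port mirroring: $($nic.PortMirroringMode)" }
        if ($nic.AllowTeaming       -eq 'On')   { $issues += 'guest NIC teaming allowed' }
        if ($nic.DynamicMacAddressEnabled)      { $issues += 'dynamic MAC (not pinned)' }
        if (-not $nic.ClusterMonitored)         { $issues += 'protected network off' }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                VMName  = $nic.VMName
                Adapter = $nic.Name
                Issues  = ($issues -join '; ')
            }
        }
    }
}

# Usage (placeholder names):
Set-VNicSecurityBaseline -VMName 'AppVM' -StaticMacAddress '00155D0A0B0C'
Enable-VNicPortMirror -SourceVM 'AppVM' -MonitorVM 'MonitorVM'
Get-VNicSecurityFindings | Format-Table -AutoSize
```

After the usage lines above, the audit will list `AppVM` (port mirroring: Source) and `MonitorVM` (port mirroring: Destination, plus whatever else its baseline lacks), which is the intended behavior: the report is an allow-list to review rather than a list of things to fix blindly. On a VM that is a legitimate DHCP server or router, leave the corresponding guard off and record the exception, since the guard would otherwise drop that VM's own service traffic.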
