Virtual Machines need to be connected to your network
Every Virtual Machine needs basic Internet access to apply maintenance, add optional features, and install programs and libraries. Hyper-V creates virtual network adapters on its VMs. Most modern operating systems are ready to run in a Hyper-V VM and are distributed with device support for Hyper-V network adapters in the same way that they support Intel and Realtek hardware network adapters. The administrator has to configure each VM network adapter to a logical network connected to other VMs, the host Windows system, or the real network. Hyper-V presents this configuration through the metaphor of a “virtual network switch”. The user can then imagine connecting VMs to virtual switches in the same way that physical computers are connected to physical switches with an Ethernet cable. However, Hyper-V does not even try to duplicate the exact behavior of a real Ethernet switch, and the panels that Hyper-V provides to configure networking can be confusing. This paper will instead describe how Hyper-V virtual networking really operates.
The first step is to quickly describe the way that all operating systems expose the Internet to programs and process requests from the application to the network adapter. Then we can describe the way that this is modified for virtual machines, how Hyper-V in particular implements networking, and what options are available for configuration.
The Internet Stack
Sockets are the programming interface originally invented by Berkeley Unix, the first operating system to put Internet support into its Kernel. The application program calls a service to look up a computer name in DNS and return an IP address corresponding to that name. Different services have well known “port” numbers. For example, “https://” requests to the Web use port number 443. A client then connects to the service using the combination of IP address and port number, and its operating system provides a random large port number and inserts its own IP address when creating the connection. To the program, a socket accepts and returns a stream of bytes. The program could send and receive one byte at a time, but that would be inefficient. It is up to the program to decide how many bytes to send in one operation, and when it reads data the system returns however many bytes have been received up to this point.
TCP is one of the basic internet protocols and is built into every operating system Kernel. TCP provides reliable (error corrected) streams of bytes between the client and server programs. It also views the data as a stream of bytes, but TCP has to break that stream up into packets of data that can be efficiently sent through the network. To allow error correction TCP retains a certain number of bytes (the “window”) of data until it receives an acknowledgement message from the other computer that all those bytes were received correctly. If data is lost or corrupted by the network, it can be retransmitted. Packets can arrive in a different order than they were sent, so TCP is responsible for rearranging the data as it is received.
TCP inserts control information into the packet that contains the port number of the sending and receiving programs and the logical starting byte number of this data in the overall stream.
IP generates packets that are small enough to be sent through the network. Since the packets will pass through the Internet individually, each packet must contain the IP address of the destination and sending computer. The destination can be any computer anywhere in the world.
Ethernet is a protocol to send data between a small number of computers over short distances. Ethernet moves data between two devices inside your home, or inside an office or other building. Each network adapter on each computer or device has a unique 6-byte Ethernet ID. Ethernet packets by default are limited to around 1500 bytes and contain the Ethernet ID of the destination and sender. Ethernet can be wired or wireless, and Ethernet protocols are extended over long distance on fiber optics and Cable TV although this use is no longer “local area”.
An operating system creates an Ethernet packet the same way no matter what type of network or adapter will be used to transmit it. However, the next step down is where the packet is given to an actual piece of hardware for transmission, and the alternatives available are enormous. The physical network hardware can be built into the motherboard, a plug-in adapter card, an external USB device, or on a Thunderbolt dock. It can use copper wires, fiber optics, cable TV, WiFi, Bluetooth, 5G cellphone, or Starlink satellites. It can be limited to one room, or span thousands of miles.
So, Hyper-V makes the rational strategic decision to locate all its virtual networking logic below the universal Ethernet packet support in the Kernel but above the physical hardware support for any specific hardware adapter.
Hyper-V virtual networking is based on two components:
A simulated adapter is installed in each Virtual Machine and in the Host Windows system. This component receives packets built by the Ethernet layer of the Windows or Linux Kernel and behaves as if it were just another hardware adapter, except there is no hardware here. It will move the packet around in memory, and eventually deliver it to another component of the Windows 11 host Kernel or to one of the operating systems in one of the VMs. It also simulates “receiving data from the network” when a packet generated somewhere else is addressed to this system.
A Hyper-V generic network adapter manager that sits in the Windows 11 host operating system kernel and can be assigned to control any network adapter hardware driver that plugs into Windows through the standard interface that all network drivers present to Windows. In this case, the adapter is detached from direct access by Windows applications and only talks to Hyper-V.
Hyper-V talks to the simulated adapters in the VMs and on the host computer, and to the generic network adapter manager on any adapters that have been assigned to Hyper-V management. It moves Ethernet packets between them. Sometimes the packet just moves between VMs in memory, and sometimes the packets go through hardware adapters to a real network.
This is configured through the metaphor of a virtual switch, but there is an important difference between the behavior of this virtual switch and a real network switch. A real switch knows nothing about the device connected to one of its ports until the device sends a packet and the switch can see the 6-byte Ethernet ID in the packet. When the switch gets a packet with a destination 6-byte Ethernet ID it has never seen, it has to “broadcast” the packet by sending a copy of it out every port to every device. Hyper-V, however, creates and configures the VMs and is part of the Windows 11 host kernel. It knows the configuration of all these systems before they send any data. So, Hyper-V can “cheat” and use the information it already has where a real switch would have to explore and discover its devices.
However, Hyper-V does not know what is out on any real network connected to a hardware network adapter that has been assigned to it. When it gets a packet with a 6-byte Ethernet ID destination that is not associated with any VM or the Windows host, and a hardware network adapter has been assigned to this “virtual switch”, then the destination must be a device out on the real network and the packet is sent to the physical network.
What Hyper-V Doesn’t Do
In datacenters with specialized server hardware, there may be expensive network adapters on the VM host clusters that can present a direct hardware interface to many virtual machines. The server then creates a direct connection between a VM and the physical adapter. This means that the VM has to have specific hardware support for that adapter device.
Hyper-V on a Windows 11 PC supports only the standard inexpensive adapters available on all computers. It does not have the ability to pass through the hardware behavior of a physical network adapter to a VM.
It is possible to dedicate one network adapter to one VM so that even the host operating system doesn’t see it, but you still have to create a generic Hyper-V virtual adapter on the VM. You then connect that adapter to a Hyper-V virtual switch that has no other VMs and is not shared with the host operating system, but which is connected to the one physical network adapter. This adapter only communicates with that one VM, but the VM doesn’t see the real hardware type of the adapter, and any hardware configuration of adapter options needs to be done using the Device Manager of the host Windows 11 operating system instead of the VM system.
Virtual Network without Configuration
When Hyper-V is installed, it creates a virtual switch called “Default”. It needs no configuration and you cannot change it.
When you create a new VM, it usually gets a virtual network adapter connected to “Default”.
The “Default” switch provides the same services to VMs that the router/gateway provides to devices on your home network or the company provides to computers connected to its network. There is a configuration service called “DHCP” that automatically configures the addresses and network parameters on each device.
In the case of the Default Hyper-V virtual switch, each VM that uses it is assigned internal addresses and networking parameters that allow them to communicate to the host Windows 11 system. On the host system, Hyper-V provides a Gateway function (like the Gateway device that connects your home to your Internet Service Provider). The Gateway allows VMs to talk to the internet using whatever networks the host computer uses for its own applications. The Gateway resolves DNS queries from the VMs using whatever DNS servers the host Windows system is currently using. The Gateway rewrites packets from the VMs so they appear to have come from its own applications, and routes the packets using the network connections and configuration that it uses for its own applications.
For example, if the host computer is currently using WiFi for its own network access, then traffic from the VMs automatically goes over WiFi. If you disconnect from WiFi and switch to wired Ethernet on the host, then the traffic from the VMs automatically switches at the same time. The VMs do not have to be configured, but at the same time they have no control over what is really going on. If the host is a laptop and you carry it to a library or coffee shop, then the VMs start to use whatever you connect to. Turn on a VPN and the VMs use it.
The Default network allows VMs to access the Internet to download and install new software and apply patches. It hides the VMs from other computers. The VMs can use shared files and services on the host, but the Default networking does not make it easy for applications on the host to find services provided by the VMs.
Configured Hyper-V Virtual Switches
Default cannot be controlled. If you need the ability to assign addresses and configure networking on VMs, then you create your own named Hyper-V Virtual Switch. Remember, the “switch” here is just a name for a configuration that:
Defines a set of virtual network adapters on VMs that are connected to each other and can exchange data.
Optionally creates a simulated network adapter on the host Windows 11 system that can communicate to this specific set of VM virtual adapters.
Optionally attaches one real physical network adapter on the host computer that has been assigned to Hyper-V control and is not directly available for use by host applications.
Hyper-V does not provide any DNS or network address assignment service to the virtual network you create when you define your own named Switch. If you need DNS or DHCP, then you have to create a VM to provide it. Normally you will provide a static configuration on each VM and then you don’t need an automatic service.
There are restrictions on the way you use Hyper-V virtual switches:
You cannot change the Default switch. It is what it is, and you leave it alone.
A virtual network adapter on a VM is either unconnected or is connected to one Hyper-V virtual switch. At any time, you can use the Hyper-V Manager or PowerShell to disconnect the virtual adapter from one virtual switch and reconnect it to another named virtual switch. The VM sees the same behavior as a real computer would see if a real adapter were unplugged from one network, then plugged into another network.
A Hyper-V virtual switch can be associated with at most one real physical network adapter on the host computer. At any time, you can use Hyper-V Manager or PowerShell to change the physical network adapter connected to the switch to a different physical network adapter.
The host operating system can have at most one simulated network adapter connected to a Hyper-V virtual switch.
A physical network adapter associated with a Hyper-V virtual switch cannot be used directly by applications on the host operating system. It can be administered, and you can make hardware configuration changes, but if an application needs to use the device then you must create a simulated host network adapter connected to that switch, and then the host applications can share the physical adapter with VMs also connected to the same switch.
Hyper-V has a built-in Default network that provides VMs with general network access without any configuration because it runs through a gateway in your native Windows 11 system and piggybacks on the networking you already have.
In technical terms, Default provides each VM with network addresses and parameters through DHCP, resolves network names on your host, provides a NAT gateway on the host, and uses the host routing tables to select the best choice from your wired, wireless, or VPN connections. There is no better solution for basic client access from any VM.
Note: Normally connect the first network adapter on a generic VM to the Default network and let it dynamically configure itself. If you need custom networking, add a second virtual network adapter to the VM.
With a connection to Default, a client program on the VM can access anything on the host computer, the local network (home or Yale), any VPN your computer is connected to, and the general Internet. Default allows client programs on the host computer to dynamically find and connect to VMs by hostname (using “hostname.local” dynamic name resolution).
You need a custom network to give a VM a static IP address, to expose services running on a VM to clients on another computer, or to make a VM look like a normal computer on your local network.
Hyper-V is not “Bare Metal” Virtualization
In large datacenters virtual machines are created by specialized hardware. These systems can have special network adapters that allow virtual machines to communicate directly at the hardware level.
Hyper-V can work on any computer that supports Windows, and it can run on any network adapter that runs with Windows, including adapters connected through USB or on a docking station. It emphasizes generality over optimization, so it cannot connect any hardware device directly to a VM. It is, however, built into the Windows Kernel rather than running as an application program.
The network adapters are installed into Windows, have Windows drivers, and appear in the Windows Device Manager. They may have hardware optimizations that can be turned on or configured on the host system. Most users will ignore these options, but anything configured in the native Windows system will also apply to all VMs.
Generic Virtual Network Adapters
The interface between an operating system and a network device driver is fairly simple, and many different types of software will generate what appears to be a network adapter but is really some type of software service. VPN software creates a simulated direct network connection to the campus, but actually sends the data on an encrypted session over the public internet. Simulated network adapters are part of WSL, Docker containers, and other software.
Hyper-V, like most virtual machine supervisors, has created its own virtual network device drivers that will be installed automatically when a Windows or Linux system discovers that it is running in a Hyper-V VM. Instead of simulating a hardware device, network communication is handled by translating software calls from the operating system in the VM to software calls from the VM to Hyper-V itself.
A Linux application does a system call to the Linux kernel, which then calls the Linux Hyper-V network device driver, which then calls out from the VM to Hyper-V running in the real computer. Hyper-V then processes the request by moving the data to another VM or to the host Windows system, where it will either be fed up through another Hyper-V device driver or passed to the Windows device driver of a real physical network adapter card.
The Virtual Switch Meme
Hyper-V networking has the same services and configuration options as competing options like VMware Workstation or Oracle VirtualBox. Other systems may create a named “virtual network” and then connect virtual adapters on each VM to that network by its name. Hyper-V does the same thing, but Microsoft has decided to call it a “virtual network switch” instead of a “virtual network”.
The only advantage of this meme is that a switch is a physical device in the real world, and when you are drawing diagrams in a tool like Visio, you can find a standard picture for a switch and add it to your diagram along with pictures of real or virtual computers connected to the switch.
Using the Hyper-V Manager or PowerShell scripts, an administrator connects a virtual network adapter configured on a VM to the Switch. The host Windows system can also get a virtual network adapter connected to the Switch, and optionally one physical network adapter on the host system can also be connected to the switch. Loosely speaking, Hyper-V examines every Ethernet packet transmitted by a virtual adapter connected to the Switch, and every packet the physical network adapter receives from the external network, and uses the 6-byte Ethernet ID in the packet’s destination field to transfer it to the virtual network adapter configured with that ID.
Physical Network Adapter Bridge
Through Hyper-V, the host Windows system can assign one physical network adapter to a Hyper-V Virtual Switch. VMs attached to the Switch appear to the external Ethernet network as individual real computers. They can be assigned IP addresses statically or dynamically (from the external DHCP server). The VMs can expose database services or Web applications to the external real computers.
Remember that through the Default network any client on a VM can access any external service that the host computer can access. The only reason to assign a physical adapter to Hyper-V is so that external clients can connect to servers on the VMs.
If you have an unused network adapter available, you can choose to dedicate it to a Hyper-V Switch. Then only the VMs will use it, and the host will continue to use other adapters.
However, you may have only one network adapter, and you may already be using it for all your internet access. You can only afford to share it with the VMs. It is already configured with your personal communication preferences (IP address, name servers, etc.) and you don’t want to have to redo all that.
Hyper-V has to operate inside the Windows Kernel using the existing rules for device drivers and network stacks. One device cannot be directly connected to two different networks. Hyper-V is already set up to create a virtual network adapter if the host operating system wants to talk to VMs through a custom Hyper-V switch.
The last piece of the puzzle is that Windows has always had a relatively obscure option to connect two physical network adapters together so the Windows machine can be used as a bridge between two physical networks. This may go back 30 years to a time when network equipment was more expensive, but it hasn’t been removed even though it is almost never used.
At a high level, the way this works is:
Hyper-V creates a virtual network adapter in the Windows operating system and connects it to the Switch.
All the Ethernet and Internet communications configuration on the physical network adapter is moved from the physical adapter to the new virtual adapter. Any networking tables in Windows associated with the IP address or Ethernet ID or active sessions are changed to point to the new virtual adapter.
The physical adapter, no longer connected to anything, is set up to act as a bridge between the external network (whatever is on the other end of the RJ45 cable plugged into the adapter) and the Hyper-V “Virtual Switch” component (which itself is a kind of bridge between the host and VM adapters).
Windows does this reconfiguration as quickly as possible, but there is a warning that there may be a very short interruption of communication. When it is done, all the connections between host applications and external network services are still live.
If you look in Device Manager and Network Connections, you will now see the old physical network adapter and the new Hyper-V Virtual Network adapter. You may note that the physical network adapter no longer seems to have Internet access. This is because it is now only operating at the Ethernet packet level, moving data between the external network and Hyper-V. Internet access now appears to be provided through the Virtual Network Adapter that connects you to the Virtual Switch and VMs. Once the physical adapter is owned by Hyper-V, the Virtual Switch is the way that the host Windows system accesses the external network.
Layers (abbreviated)
At this point anyone writing about networking is obligated to mention the 7 Layers of the OSI Networking Model. Now that I mentioned it, we can ignore the textbook stuff and just talk about how network stuff is done in the Windows Kernel.
An application calls some library of services to send a stream of bytes over a connection to some remote network endpoint known by its IP address or hostname and a port number.
Inside the Kernel, part of the Windows networking code wraps the stream of data into a TCP “packet” addressed to a destination port number. The TCP packet is then broken into one or more IP packets with the IP address of the destination. The IP packet is then broken into one or more 1500-byte Ethernet packets with a 6-byte Ethernet destination address of another device on the local network, which may be the final destination or else will be a gateway device that forwards the data to bigger networks and eventually the whole Internet.
The processing up to this point is universal. It doesn’t matter what you are doing (browsing the Web or backing up your disk files) and it doesn’t matter how the network connection is made (wired, Wi-Fi, or Bluetooth through an Intel, Realtek, or Broadcom chip that is on the motherboard, an adapter card, a USB port, or a Thunderbolt hub). The next step is a mess of possibilities. So, Hyper-V does not take the next step.
In every VM and on the host system, as soon as the data has been reduced to a set of Ethernet packets, the Hyper-V virtual network adapter simply turns these packets over to the Hyper-V system controlling the computer. Hyper-V can look at the 6-byte Ethernet ID destination in each packet. It knows the 6-byte Ethernet ID of every virtual adapter it created, and if it finds a match it can move the packet to the destination adapter in any VM or in the Windows host. If the destination is not known, but the Switch is associated with a physical network adapter, then it can send the packets out on the external Ethernet network to be delivered.
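To make the forwarding rule concrete (both here and in the earlier “virtual switch” discussion), here is a small PowerShell model of the decision just described. It is an added example, not code from this article and not Hyper-V’s own logic; the frames, Ethernet IDs and adapter owners are constructed for illustration. The point it shows is that a Hyper-V switch never has to learn addresses the way a real switch does, and that a frame for an unknown destination leaves through the physical adapter only when the switch actually has one.

```powershell
# Added example: toy model of Hyper-V's per-frame forwarding decision.
# All MAC addresses, owners and payloads below are constructed, not captured.

# A "frame" is just its 6-byte destination and source Ethernet IDs plus a payload label.
function New-Frame {
    param([string]$Destination, [string]$Source, [string]$Payload)
    [pscustomobject]@{
        Destination = $Destination.ToUpperInvariant()
        Source      = $Source.ToUpperInvariant()
        Payload     = $Payload
    }
}

# Decide where one frame goes. $VirtualAdapters maps the Ethernet ID of every
# virtual adapter Hyper-V created on this switch to its owner (a VM or the host).
# Hyper-V knows this table up front, so there is no learning phase.
function Get-ForwardingDecision {
    param(
        [pscustomobject]$Frame,
        [hashtable]$VirtualAdapters,
        [switch]$HasPhysicalAdapter
    )
    if ($Frame.Destination -eq 'FF-FF-FF-FF-FF-FF') {
        # Broadcast: every virtual adapter except the sender, plus the wire if there is one.
        $targets = @($VirtualAdapters.Keys |
                     Where-Object { $_ -ne $Frame.Source } |
                     ForEach-Object { $VirtualAdapters[$_] })
        if ($HasPhysicalAdapter) { $targets += 'External' }
        return 'broadcast -> ' + ($targets -join ', ')
    }
    if ($VirtualAdapters.ContainsKey($Frame.Destination)) {
        # Known virtual adapter: move the packet in memory to that VM or the host.
        return 'deliver -> ' + $VirtualAdapters[$Frame.Destination]
    }
    if ($HasPhysicalAdapter) {
        # Unknown destination must be out on the real network.
        return 'send -> External (physical adapter)'
    }
    # Private/Internal switch: nothing outside exists, so the frame goes nowhere.
    return 'drop (unknown destination, no physical adapter on this switch)'
}

# Constructed switch membership: one host vEthernet adapter and two VMs.
$adapters = @{
    '00-15-5D-02-A0-04' = 'Host (vEthernet)'
    '00-15-5D-02-A0-10' = 'VM:Web'
    '00-15-5D-02-A0-11' = 'VM:Db'
}

# Constructed frames: VM-to-VM, VM-to-unknown, and a host broadcast.
$frames = @(
    (New-Frame -Destination '00-15-5d-02-a0-11' -Source '00-15-5D-02-A0-10' -Payload 'db query')
    (New-Frame -Destination 'AA-BB-CC-DD-EE-FF' -Source '00-15-5D-02-A0-10' -Payload 'to a printer')
    (New-Frame -Destination 'FF-FF-FF-FF-FF-FF' -Source '00-15-5D-02-A0-04' -Payload 'ARP who-has')
)

'--- External switch (physical adapter attached) ---'
foreach ($f in $frames) {
    '{0} -> {1}: {2}' -f $f.Source, $f.Destination,
        (Get-ForwardingDecision -Frame $f -VirtualAdapters $adapters -HasPhysicalAdapter)
}

'--- Same frames on a Private switch (no physical adapter) ---'
foreach ($f in $frames) {
    '{0} -> {1}: {2}' -f $f.Source, $f.Destination,
        (Get-ForwardingDecision -Frame $f -VirtualAdapters $adapters)
}
```

The hashtable lookup is case-insensitive, which is why the lower-case destination in the first frame still matches; real Hyper-V compares the raw 6 bytes, so the normalization in New-Frame only stands in for that.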
Configuring Hyper-V Virtual Switches
Every time your computer boots up, Hyper-V recreates and configures the Default Network/Switch. It has no configuration because it uses all the network configuration of the Windows host system to resolve names and route traffic through the fastest available network path. If you try to mess with it or delete it, it will be recreated fresh when you restart the system.
Other Virtual Switches can be configured using the graphic tool named Hyper-V Manager or by typing PowerShell commands into a Run as Administrator PowerShell session.
PowerShell is probably not the option you will choose, but it breaks the process down to a step by step procedure that explains the possibilities more clearly than using the GUI configuration panel.
Create
To create a naked Switch with nothing attached to it, you provide a Name. This simplest option is not the default for the command, so you add the “-SwitchType Private” option or the command will complain that you have forgotten other parameters.

```powershell
PS C:\Windows\System32> New-VMSwitch -Name Example -SwitchType Private
```
A naked switch can then be connected to virtual network adapters on VMs. Once connected, the VMs can talk to each other, but not to the host or the Internet through this Switch.
Add the Host
Hyper-V provides communication from the host Windows system to the Switch, and therefore to the VMs connected to the switch, by creating a Hyper-V Virtual Network Adapter device in the host Windows 11 operating system.
If there were a command to create the host virtual network adapter, then you could execute it twice and get two of them. Hyper-V doesn’t want you to have two, so the adapter is created when you change the SwitchType from “Private” to “Internal” and is deleted if you then turn the SwitchType back from “Internal” to “Private”. You see the new virtual adapter in the list returned from “Get-NetAdapter”.

```powershell
PS C:\Windows\System32> Set-VMSwitch -Name Example -SwitchType Internal
PS C:\Windows\System32> Get-NetAdapter

Name                 InterfaceDescription                     ifIndex Status       MacAddress        LinkSpeed
Ethernet             Intel(R) Ethernet Connection (18) I219…       23 Disconnected C4-C6-E6-30-3F-37     0 bps
vEthernet (Example)  Hyper-V Virtual Ethernet Adapter #4           66 Up           00-15-5D-02-A0-04    10 Gbps
...
```
Note that there is an unused Intel physical adapter named “Ethernet” that will be used in the next example.
Problem Adding a Physical Adapter to an existing Hyper-V Switch Network
Once you create a Private or Internal switch you can then connect it to VMs and configure them with network addresses so they can talk to each other. Suppose you assign them to the 192.168.10.* subnet.
A physical adapter is connected to external devices that are part of some physical network. Frequently addresses are assigned to a physical network by a DHCP server on a gateway router supplied by your ISP. For the example, assume the physical Ethernet uses the 192.168.3.* subnet.
Adding the physical adapter to the internal Hyper-V network would “bridge” two different networks with two different subnets. This would work, but nothing could talk to a device on the other subnet.
Note: If you have an existing Internal Switch and absolutely want to add a physical network adapter to it knowing the consequences, first change it to SwitchType Private to get rid of the existing host virtual network adapter connected to the Switch. Then use Set-VMSwitch to add both the physical network adapter and a newly generated host virtual network adapter to the Switch (implicitly changing it to SwitchType External) so Hyper-V will get the bridging set up correctly between the physical device and the new virtual device in the Windows Kernel.
Create a Switch with a Physical Network Adapter
The only operation with a sensible result is to attach the physical network adapter to a new Switch you create as part of a single operation.
```powershell
PS C:\Windows\System32> New-VMSwitch -Name HomeNet -NetAdapterName Ethernet -AllowManagementOS $true

Name    SwitchType NetAdapterInterfaceDescription
HomeNet External   Intel(R) Ethernet Connection (18) I219-LM

PS C:\Windows\System32> get-netadapter

Name                 InterfaceDescription                     ifIndex Status       MacAddress        LinkSpeed
Ethernet             Intel(R) Ethernet Connection (18) I219…       23 Disconnected C4-C6-E6-30-3F-37     0 bps
vEthernet (HomeNet)  Hyper-V Virtual Ethernet Adapter #4           32 Disconnected C4-C6-E6-30-3F-37     0 bps
```
If you have an existing Internal or Private network connected to VM adapters, you can either reconnect the VM adapters to the new Switch or create new virtual adapters on some of the VMs and connect them to the new Switch while also leaving the VM connected to the old network with the old subnet.
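The three steps above (Private switch, promotion to Internal, and a separate External switch bound to the physical adapter) put together as one script, with the checks a careful administrator adds before each step. This is an added example, not a script from this article; it assumes the names used in the text (switch “Example”, physical adapter “Ethernet”, a second switch “HomeNet”), a host address of 192.168.10.1 on the 192.168.10.* subnet chosen earlier, and Hyper-V’s “vEthernet (<switch name>)” naming for the host adapter shown in the Get-NetAdapter output.

```powershell
#Requires -RunAsAdministrator
# Added example: create the switch types described in the text, with guard checks.
# Names, subnet and adapter are assumptions; change them to match your host.
$ErrorActionPreference = 'Stop'

$switchName = 'Example'        # custom switch with no physical adapter
$hostIp     = '192.168.10.1'   # static host address; no DHCP exists on a custom switch
$physName   = 'Ethernet'       # physical adapter to hand to Hyper-V
$extName    = 'HomeNet'        # external switch built around that adapter

# 1. Private switch: VMs connected to it can talk only to each other.
if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switchName -SwitchType Private | Out-Null
}

# 2. Promote to Internal. Hyper-V creates exactly one host adapter,
#    named "vEthernet ($switchName)"; there is no separate "create adapter" command.
Set-VMSwitch -Name $switchName -SwitchType Internal
$hostNic = Get-NetAdapter -Name "vEthernet ($switchName)"

# Give the host side a static address so it can reach VMs that you configure
# statically in the same subnet. Skip if it is already there (re-runnable).
$existing = Get-NetIPAddress -InterfaceIndex $hostNic.ifIndex -AddressFamily IPv4 `
                -ErrorAction SilentlyContinue | Where-Object IPAddress -eq $hostIp
if (-not $existing) {
    New-NetIPAddress -InterfaceIndex $hostNic.ifIndex -IPAddress $hostIp -PrefixLength 24 | Out-Null
}

# 3. External switch. A physical adapter can belong to at most one switch, and the
#    GUI list does not hide adapters already in use, so check before creating.
$physDesc = (Get-NetAdapter -Name $physName).InterfaceDescription
$owner = Get-VMSwitch | Where-Object {
    $_.SwitchType -eq 'External' -and $_.NetAdapterInterfaceDescription -eq $physDesc
}
if ($owner) {
    throw "Adapter '$physName' is already bound to switch '$($owner.Name)'"
}
if (-not (Get-VMSwitch -Name $extName -ErrorAction SilentlyContinue)) {
    # -AllowManagementOS $true is the "share it with the host" case from the text:
    # the host's IP configuration moves to vEthernet ($extName) and the physical
    # adapter becomes a pure Ethernet bridge.
    New-VMSwitch -Name $extName -NetAdapterName $physName -AllowManagementOS $true | Out-Null
}

# Verify the result: switch types, and that the host now has two vEthernet adapters.
Get-VMSwitch | Format-Table Name, SwitchType, NetAdapterInterfaceDescription
Get-NetAdapter | Sort-Object ifIndex |
    Format-Table Name, InterfaceDescription, Status, MacAddress, LinkSpeed
```

Expect a brief loss of connectivity on the host at step 3, as the text warns, because Windows moves the live IP configuration from the physical adapter to the new virtual one.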
Hyper-V Manager Switch Configuration
In the Actions menu, click on Virtual Switch Manager …
In this panel there is an entirely useless option list asking what type of Switch you want to create.
It is useless because all it does is set the default choice among three radio buttons on the next form, but you can always change that selection before you click the create button.
Using Hyper-V Manager you don’t have to remember PowerShell commands or the names of options, and you get a nice pulldown list of physical Ethernet adapters on the host system.
Note: this list includes adapters that are already bound to other switches. Those cannot be selected; if you pick one you get an error message instead of a new switch.
Virtual Network Adapters in each VM
Each Hyper-V VM has a configuration including virtual disks and virtual network adapters. Each virtual disk is associated with a *.vhdx or *.iso file somewhere on the host disk, and each network adapter is either unconnected or connected to a named Virtual Switch.
Here there are two network adapters. The first adapter is connected to the Hyper-V Default switch/network. The second is connected to a Switch named “Bridge”. At any time you can disconnect a Virtual network adapter or connect it to another Switch. This simulates unplugging the Ethernet cable from a real computer and plugging in a cable connected to something else.
At any time you can add a new Network Adapter.
Adding an adapter to a running VM will work if the operating system reacts to the kind of hardware changes that happen when you plug a physical adapter into a USB port.
Once the adapter is defined, at any time you can connect or disconnect or change the virtual switch to which the adapter is attached. This is equivalent to plugging or unplugging an Ethernet cable to a physical adapter.
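The same adapter operations from PowerShell (list, add, disconnect, reconnect), as an added example that is not part of the original article. It assumes a VM named “LabVM”, a custom switch named “Bridge” as in the screenshot description, and uses “Default Switch”, which is the name Hyper-V gives the built-in switch the article calls “Default”.

```powershell
#Requires -RunAsAdministrator
# Added example: manage one VM's virtual network adapters.
# VM name, adapter name and switch names are assumptions for this illustration.
$ErrorActionPreference = 'Stop'

$vm      = 'LabVM'
$nicName = 'Lab'             # name for the second adapter we add
$custom  = 'Bridge'          # custom switch from the text
$default = 'Default Switch'  # Hyper-V's built-in, non-configurable switch

# What the VM has now: each adapter, the switch it is plugged into, its
# Ethernet ID, and the IP addresses the guest reports back through integration services.
Get-VMNetworkAdapter -VMName $vm |
    Format-Table Name, SwitchName, MacAddress, Status, IPAddresses

# Add a second adapter on the custom switch. On a running VM this works only if
# the guest OS handles hot-plug, as the text notes; otherwise do it while stopped.
if (-not (Get-VMNetworkAdapter -VMName $vm -Name $nicName -ErrorAction SilentlyContinue)) {
    Add-VMNetworkAdapter -VMName $vm -Name $nicName -SwitchName $custom
}

# "Unplug the cable": the adapter stays defined in the VM but is attached to nothing.
Disconnect-VMNetworkAdapter -VMName $vm -Name $nicName

# "Plug it into another network": same adapter, different switch.
Connect-VMNetworkAdapter -VMName $vm -Name $nicName -SwitchName $default

# Confirm the move. An unconnected adapter shows an empty SwitchName.
Get-VMNetworkAdapter -VMName $vm | Format-Table Name, SwitchName, MacAddress
```

Because the adapter keeps its MAC address across disconnect and reconnect, the guest sees the same device come back with link, exactly like re-plugging a cable; any static IP configured inside the guest stays with the adapter, so it must match the subnet of the switch you move it to.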
VLANs
If you don’t know about VLANs or do not use them, ignore this.