One of the new features introduced into Windows in build 10586 and above was the new NAT Virtual Switch. This feature was primarily introduced to ease the introduction of the Windows Containers in the upcoming release of Windows Server 2016.
In more recent builds of Windows (build 14295 and above) the NAT Virtual Switch has been removed in favor of a new Virtual NAT Device that exists separate from the Hyper-V Virtual Switch.
This new Virtual NAT Device is more inline with Microsoft’s Software Defined Networking approach. It also allows us to create multiple Hyper-V Lab environments where each Lab is completely isolated from any others but still be connected to the Internet by way of the Virtual NAT Device.
Previously, to give all the machines in a Lab internet access we would have had to use:
- An External Switch – Connect all machines to an External Virtual Switch that was connected to the internet via one of the Hyper-V Host’s network adapters.
- A Guest NAT – Install a NAT onto one of the Guest Virtual Machines in the Lab. For example, install Windows Server 2012 R2 with the Remote Access role and configure a NAT. This would still require at least this node in the Lab to be connected to the internet via an External Virtual Switch.
Each of these approaches had some drawbacks:
- Each Lab was not completely isolated from the other labs.
- An entire guest might need to be provisioned to provide internet access to the other machines in the Lab.
But using the Virtual NAT device allows us to configure Labs with complete network isolation but still being connected to the internet without the use of a guest NAT.
So, to configure a pair of Labs like in the diagram above all we need is to execute a few PowerShell Cmdlets.
Note: Make sure your Hyper-V host is at least build 14295 (Windows 10 build 14295 or Windows Server 2016 TP5). Otherwise these cmdlets will fail.
If you want some more detail on setting up a Virtual NAT, see Set up a NAT Network.
Configure Hyper-V Lab with NAT
To configure a Hyper-V Lab with NAT, perform the following steps, executing any PowerShell cmdlets in an Administrator PowerShell console.
- Create a Hyper-V Internal Virtual Switch on your Host:
New-VMSwitch -Name Lab1 -SwitchType Internal
This will also create a Virtual Network Adapter connected to the host.
- Assign the gateway IP address of the NAT to the Virtual Network Adapter:
# Get the MAC Address of the VM Adapter bound to the virtual switch $MacAddress = (Get-VMNetworkAdapter -ManagementOS -SwitchName Lab1).MacAddress # Use the MAC Address of the Virtual Adapter to look up the Adapter in the Net Adapter list $Adapter = Get-NetAdapter | Where-Object { (($_.MacAddress -replace '-','') -eq $MacAddress) } New-NetIPAddress –IPAddress 192.168.140.1 -PrefixLength 24 -InterfaceIndex $Adapter.ifIndex - Create the Virtual NAT device:
New-NetNat –Name Lab1NAT –InternalIPInterfaceAddressPrefix 192.168.140.0/24
- Configure the network settings on each guest virtual network adapter assigned to the virtual switch in the 192.168.140.0/24 subnet and configure the default gateway to be 192.168.140.1.
That’s it – all machines in the Lab should have access to the internet and be completely isolated as well. Naturally I have updated the LabBuilder system to support this new functionality as well.
I hope this was useful and happy NATing.
PowerShell, Programming and DevOps 
very helpful diagrams!
LikeLiked by 1 person
Thank you pickle!
LikeLike
Error detected in published code…
The string #4: Please remove the second closing parenthesis.
{ ($_.MacAddress -replace ‘-‘,”) -eq $MacAddress) }
^
LikeLiked by 1 person
It does seem to be correct, but it looks wrong – the ” is actually two sets of single quotes.- which does look like a double quote. So the single quote isn’t missing, just looks like it at first glance. It is always better to use single quotes around string literals in PowerShell if the string literal doesn’t contain variables – because it’s faster 🙂
LikeLike
Hi Alexey- I re-read your message and took a look at the code, and you are quire correct – the second parenthesis is missing. I misread your message and was careless. Sorry about that.
LikeLike
Daniel, do You know how to setup and use port mapping with the Virtual NAT ?
LikeLike
Good question – I haven’t looked too far into that side of things. I know it is possible because Docker uses port mapping and NAT switches were created primarily for Docker. But my money is on something like this:
Add-NetNatStaticMapping -NatName MyNat -ExternalIPAddress “10.0.0.25/24” -ExternalPort 80 -InternalIPAddress “192.168.140.5” -InternalPort 8080
https://technet.microsoft.com/en-us/library/dn283360%28v=wps.630%29.aspx
The External IP Address would be the IP that is assigned to the NIC attached to the NAT Switch I think.
LikeLike
Thanks , I’ve just been looking for information about this subject for a long time and yours is the best I have came upon till now. However, what about the bottom line? Are you positive concerning the source?
LikeLike
Thank you, I appreciate that. I’m not sure I understand what you mean about the “bottom line”. I did notice a bug in the source code in step 2 that someone did actually point out but I misunderstood what they meant. My bad. I’ve corrected the source in step 2. Is that what you were referring to?
LikeLike
How do I connect 2 labs to the switch independent of each other?
LikeLike
Hmm. That is a good question. Theoretically Virtual Switches are completely isolated from each other. It isn’t easy (or even possible) to combine them as far as I know. You could in theory though, create a VM that was connected to both VSwitches and install it as a router (using Windows Server Routing and Remote Access). But this isn’t a short or easy task I’m sorry 😦
LikeLike