MrVault

asked on

Hyper-V remote desktop development environment

There are a lot of blogs and posts out there and I was having trouble sifting through them and I'm in a time crunch.

I've been tasked with building a Hyper-V development environment. The main goals are:

A) Allow copy/paste of files between office workstations and Hyper-V host and guest VMs in both directions.

B) Allow RDP in both directions (workstation to guest VM, guest VM to workstation).

C) Keep broadcast traffic to a minimum so that the guests are not hammering the regular network with their ARPs and other network traffic. The nature of the applications that will run on the guests is such that there may be lots of ARP traffic.

D) Eventually there will be other hosts with guest VMs that need to be able to communicate with the guests on the other hosts.

E) For many reasons I was hoping to keep the guest VMs on their own subnet so we're not eating into our main one.

F) I can't see any reason to make the guest VMs part of our domain, so we're thinking of leaving them in a workgroup. Is it important that they be in a workgroup with the same name as our domain?

G) We also need to be able to RDP to the machines once we're VPN-ed in from the outside network.

H) The guest VMs need internet access.

We have 4 NICs on the host machine; initially we only have 1 free port on the switch. A new switch will be ordered next quarter due to budget.

Thanks a ton. Earn some points!
Svet Paperov

Here is an example:

1. Place the Hyper-V server into the domain for easy management
2. Use a Private network on the Hyper-V host: covers C and E
3. Create a VM with Vyatta router (it’s a free software router – very easy to configure and perfect for such an environment) – one interface on the Private network and another on the production network – covers H
4. On your default gateway (router) create a route to the Private subnet – covers A, B, and D.
5. I think Vyatta router can provide DHCP for your guest VMs but maybe static IP addresses are better
6. You could put the VMs into the domain – much less headache with matching the domain accounts with the workstation accounts. If you would like complete isolation you could create a separate forest/domain for your dev. env. and create a trust between the production and dev. domain – covers F
7. How to do RDP to the VMs from the Internet depends on the VPN you are using, but the setup shouldn’t be difficult – covers G

I hope you got the idea. The virtual environment is perfect for such a scenario.

PS. It’s not about points, it’s about helping others…
MrVault

ASKER

Thanks. A few follow-up questions.

1. Isn't there any way to do all this without using third-party router software? Isn't that the point of the Hyper-V networks tool?

2. How do I make sure additional hosts created later can be on the same network as others?

3. I'm going to use static IPs. These shouldn't be changing.

4. Don't have additional hardware or VM resources for creating a new child domain. I guess I'll have to make them part of the main domain. Even though they're on separate networks, that should be OK, right?

5. Totally agree about helping others. This is time critical so I was hoping to entice fast responses :)

Q1:
Hyper-V has 3 different types of virtual switches, allowing you to create different kinds of network segments:
1. External: connect the VMs to the rest of the network
2. Internal: connect the VMs to the host only
3. Private: fully isolated subnet

Because you want your VMs to be isolated (keeping the broadcast off the primary network), you can do that with a private network by creating a separate IP subnet. And, in order to connect the VMs to the Internet and the primary network you need a router. You can also use a spare router, if you have one: in that case you will need to use one of the existing network cards of the host and create an external network segment instead of private. I find using a Vyatta router in a VM much easier; it needs only 256MB of RAM.

Q2:
It depends on how you are going to connect the VMs to the rest of the network.

Q3:
Yes, static IP addresses are OK.

Q4:
WS2008 as AD DS needs only 768MB of RAM and 1 virtual processor to run; but yes, you can make the VMs part of the domain, even on a different subnet. There are, however, some configurations that should be done on AD Sites and Services about the correct subnets associated with the site.
MrVault

ASKER

Sorry, was out on vacation.

We have extra ports on our firewall, so we plan on connecting a switch to one of those ports, and letting the firewall be the router for the time being. There will be minimal traffic so we're not concerned about overloading the firewall for now.

Given this, do I still create a private network and then set up a routing rule in the firewall?

No, you don’t need a private network in that case. However, you need to create an external virtual network instead from a dedicated network adapter – not the same one that you will be using for the management of the Hyper-V host.

So, you connect NIC 1 to your primary network so that you can access your server but you do not create any virtual adapter from it – that will be your management connection. Then you connect NIC 2 to the spare port of the router and create a virtual network adapter from it. This virtual adapter will be the virtual switch for your virtual machines. Obviously, they will be on a different IP segment and you will have to configure routing rules on the firewall. When you create the virtual adapter from NIC 2 you need to uncheck “Allow management operating system…” – that way NIC 2 will be dedicated to VM network traffic only.

This is the cleanest setup that you could have without using third-party software for routing functions.
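
The dedicated-NIC setup described above, together with the three switch types from the Q1 answer, as an added PowerShell example that is not part of the original posts. It assumes Windows Server 2012 or later with the Hyper-V PowerShell module; the adapter name `NIC2` and switch name `DevVMs` are hypothetical placeholders.

```powershell
#Requires -Modules Hyper-V
# Assumed names (not from the thread): physical adapter 'NIC2', virtual switch 'DevVMs'.
$vmNic      = 'NIC2'
$switchName = 'DevVMs'

# Create the external switch on the dedicated adapter only if it does not exist yet.
# -AllowManagementOS $false is the scripted form of unchecking
# "Allow management operating system to share this network adapter".
if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switchName -NetAdapterName $vmNic -AllowManagementOS $false | Out-Null
}

# Audit every virtual switch on the host: its type, the physical adapter behind it,
# and whether the host OS also has a presence on the guest network.
$report = foreach ($sw in Get-VMSwitch) {
    $finding = if ($sw.SwitchType -eq 'External' -and $sw.AllowManagementOS) {
        'Host OS shares the VM-facing adapter'
    } else {
        'OK'
    }
    [pscustomobject]@{
        Switch      = $sw.Name
        Type        = $sw.SwitchType          # External, Internal or Private
        PhysicalNic = $sw.NetAdapterInterfaceDescription
        HostShares  = $sw.AllowManagementOS
        Finding     = $finding
    }
}
$report | Format-Table -AutoSize

# Cross-check: the host should have no virtual adapter attached to the VM switch,
# so management traffic stays on NIC 1 and guest traffic stays on NIC 2.
$hostVnics = Get-VMNetworkAdapter -ManagementOS |
    Where-Object { $_.SwitchName -eq $switchName }
if ($hostVnics) {
    Write-Warning "Host has $(@($hostVnics).Count) virtual adapter(s) on '$switchName'."
} else {
    Write-Output "No host virtual adapter on '$switchName'; the adapter carries VM traffic only."
}
```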
MrVault

ASKER

Hi Spaperov, why the need to create a separate NIC connection? Why can't I just manage it over the same network as the VMs and just let the firewall route my request down to the host?
ASKER CERTIFIED SOLUTION
Svet Paperov

This solution is only available to members.
MrVault

ASKER

Thanks for explaining the options. I have a feeling they're going to want to implement a physical router solution instead of software and to still yet use physical NICs. Thanks!