Is it possible to isolate client Hyper-V without requiring multiple NICs on the host?

We are considering deploying Windows 8.1 (or Windows 10) client Hyper-V to about 50 users and managing them via Hyper-V Manager from a 2012 R2 server or an IT workstation running Windows 10 with Hyper-V Manager from the RSAT tools.

The plan is for the users to have a semi-locked-down physical workstation they will use for Office, Internet access, email, IM and other apps that work fine with a limited user account.

The users that are developers will have a Hyper-V VM running a Windows client that they will have full admin access to, to run developer and debugging tools, take snapshots, etc. It will need to have access to a development network and restricted access only to a whitelist of IP ranges and domains, so that Internet restrictions cannot be bypassed by using VPNs or proxies.

Is it possible for the Hyper-V client machine to have network access to a separate and isolated network without the host having to have two NICs connected to two different wall ports?

We need to keep the VM isolated on its own network and away from the regular office and production network. If the VM became infected with malware, we don't want it to be physically possible for malware to spread between the host and the VM or between the host network and the VM's network.

If there are two NICs, it would be pretty easy for the user to bypass security by simply swapping the cables.

  • Edited by MyGposts Saturday, July 11, 2015 4:46 AM
July 11th, 2015 4:43am

XenClient is a solution built to do exactly what you are trying to do.

Since your end user must be a Hyper-V Administrator in order to interact with the VM, they can shoot themselves in the foot any number of ways. That aside.

VLANs have been mentioned, which would be the simplest (in-the-box) way.

You could put a router VM on the device, and the router VM handles the isolation rules between the two VMs on the shared virtual switch. One entry IP, two subnets. This could be Linux (pfSense) or even Windows with RRAS.

July 13th, 2015 1:54pm

I don't fully understand how the VLAN separation works when both the host and the guest are using the same NIC connected to a single physical port at their desk.

We would need to have it set up in a way so that the end user cannot get around the network separation by tampering with settings in Hyper-V Manager.

July 13th, 2015 2:40pm

The Hyper-V Virtual Switch is like any layer 2/3 switch.

The rules are applied at the virtual port level (what we interact with as a virtual NIC).

So any networking rules are applied before the network traffic enters the switch itself.

Your far bigger hitch is locking down the management OS. That is by far your biggest challenge. Network isolation is small in comparison.

July 13th, 2015 2:46pm
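The two replies above describe the same design in words: a single external virtual switch on the one NIC, the host's management vNIC and the developer VM on different VLANs, and rules applied at the VM's virtual port before traffic enters the switch. The following PowerShell is an added example written for this page, not code posted by anyone in the thread. The NIC name "Ethernet", switch name "DevSwitch", VM name "DevVM", VLAN IDs 100 and 200, and the whitelisted ranges are all assumed values. It also assumes the physical switch port at the desk is configured as a trunk that carries only those two VLANs; that upstream configuration, not the host, is what a user who is a Hyper-V Administrator cannot undo from Hyper-V Manager.

```powershell
# Added example (not from the thread): one NIC, host traffic on VLAN 100,
# developer VM on VLAN 200, outbound whitelist enforced at the VM's virtual port.
# Assumptions (not from the original posts): adapter "Ethernet", switch "DevSwitch",
# VM "DevVM", VLAN IDs 100/200 and the constructed whitelist below.
# Run from an elevated PowerShell on the Windows 8.1/10 Hyper-V host.

$PhysicalNic = 'Ethernet'
$SwitchName  = 'DevSwitch'
$VMName      = 'DevVM'
$HostVlan    = 100   # VLAN the host's own (office) traffic uses on the trunk port
$DevVlan     = 200   # isolated development VLAN, tagged on the same trunk port
$AllowedNets = @('10.50.0.0/16', '192.0.2.10/32')   # constructed whitelist (IP ranges only)

# 1. One external switch bound to the single NIC. AllowManagementOS keeps a
#    management vNIC for the host on the same switch, so no second NIC is needed.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -NetAdapterName $PhysicalNic -AllowManagementOS $true | Out-Null
}

# 2. Put the management OS vNIC and the VM's vNIC in different VLANs.
#    The management vNIC is named after the switch by default.
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $SwitchName -Access -VlanId $HostVlan
Set-VMNetworkAdapterVlan -VMName $VMName -Access -VlanId $DevVlan

# 3. Harden the VM's virtual port: no MAC spoofing, no rogue DHCP or router
#    advertisements from the guest into the development VLAN.
Set-VMNetworkAdapter -VMName $VMName -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

# 4. Extended port ACLs (2012 R2 / 8.1 and later). Higher weight wins, so the
#    whitelist entries outrank the catch-all denies. Stateful allows let replies back in.
#    '0.0.0.0/0' as the "any" prefix is an assumption about the accepted syntax.
Get-VMNetworkAdapterExtendedAcl -VMName $VMName | Remove-VMNetworkAdapterExtendedAcl
$weight = 10
foreach ($net in $AllowedNets) {
    Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Allow -Direction Outbound `
        -RemoteIPAddress $net -Weight $weight -Stateful $true
    $weight++
}
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Deny -Direction Outbound `
    -RemoteIPAddress '0.0.0.0/0' -Weight 1
Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Action Deny -Direction Inbound `
    -RemoteIPAddress '0.0.0.0/0' -Weight 1

# 5. Verify what the switch will actually apply.
Get-VMNetworkAdapterVlan -ManagementOS
Get-VMNetworkAdapterVlan -VMName $VMName
Get-VMNetworkAdapterExtendedAcl -VMName $VMName |
    Format-Table Direction, Action, RemoteIPAddress, Weight -AutoSize
```

Two caveats a practitioner should keep in mind. Port ACLs work on IP prefixes, so the "whitelist of domains" part of the question still needs the router or proxy VM the second reply suggests. And, as that reply also notes, anything set on the host can be reverted by a member of Hyper-V Administrators; the VLAN pruning on the physical switch port is the control that holds even if the user changes the VLAN ID in Hyper-V Manager.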
