How to Configure Windows Server 2019 VXLAN
Virtual Extensible LAN (VXLAN) is a network virtualization technology that encapsulates Layer 2 Ethernet frames within UDP packets, allowing virtual networks to span across Layer 3 boundaries. VXLAN is a key component of Microsoft’s Software Defined Networking (SDN) stack in Windows Server 2019, enabling massive scalability beyond the 4,094 VLAN limit by supporting up to 16 million virtual network segments. This guide explains how to configure VXLAN in a Windows Server 2019 environment using the SDN stack and PowerShell.
VXLAN Architecture in Windows Server 2019
In Windows Server 2019, VXLAN encapsulation is handled by the Hyper-V Virtual Switch through the Host Networking Service (HNS) and the Network Controller. Each virtual network is identified by a VXLAN Network Identifier (VNI), a 24-bit value. VTEP (VXLAN Tunnel Endpoint) functionality is built into the Hyper-V Virtual Switch. The Network Controller maintains the mapping between VM MAC addresses, their hosting Hyper-V servers, and the corresponding VNIs.
Prerequisites
To configure VXLAN on Windows Server 2019, you need the following components in place: the Hyper-V role installed on all compute hosts, Network Controller deployed (part of the SDN stack), Software Load Balancer MUX VMs if load balancing is needed, and the Hyper-V hosts joined to a management fabric. Install the Hyper-V role on each host:
Install-WindowsFeature Hyper-V -IncludeManagementTools -Restart
Install the Network Controller role on a dedicated server or VM:
Install-WindowsFeature NetworkController -IncludeManagementTools
Creating a Virtual Network with VXLAN via Network Controller
The primary method for configuring VXLAN in Windows Server 2019 SDN is through the Network Controller REST API or the NetworkController PowerShell module. First, connect to the Network Controller:
$ncUri = "https://nc.contoso.com"
$cred = Get-Credential
Define and create a logical network that will back the virtual network (this represents the physical provider network):
$logicalNet = New-Object Microsoft.Windows.NetworkController.LogicalNetwork
$logicalNet.ResourceId = "VXLANProviderNetwork"
$logicalNet.Properties = New-Object Microsoft.Windows.NetworkController.LogicalNetworkProperties
$logicalNet.Properties.NetworkVirtualizationEnabled = $true
New-NetworkControllerLogicalNetwork `
    -ConnectionUri $ncUri `
    -ResourceId $logicalNet.ResourceId `
    -Properties $logicalNet.Properties `
    -Credential $cred
Creating a Virtual Network Subnet with VNI
Create a virtual network that uses VXLAN encapsulation by specifying a VNI (VXLAN Network Identifier). In the Windows SDN stack, this is referred to as the virtual subnet’s VSIDRouteDistinguisher:
$vnet = New-Object Microsoft.Windows.NetworkController.VirtualNetwork
$vnet.ResourceId = "Contoso_VNet_001"
$vnet.Properties = New-Object Microsoft.Windows.NetworkController.VirtualNetworkProperties
$vnet.Properties.AddressSpace = New-Object Microsoft.Windows.NetworkController.AddressSpace
$vnet.Properties.AddressSpace.AddressPrefixes = @("192.168.100.0/24")
$subnet = New-Object Microsoft.Windows.NetworkController.VirtualSubnet
$subnet.ResourceId = "Contoso_Subnet_001"
$subnet.Properties = New-Object Microsoft.Windows.NetworkController.VirtualSubnetProperties
$subnet.Properties.AddressPrefix = "192.168.100.0/24"
$subnet.Properties.VirtualSubnetId = 6001
$vnet.Properties.Subnets = @($subnet)
New-NetworkControllerVirtualNetwork `
    -ConnectionUri $ncUri `
    -ResourceId $vnet.ResourceId `
    -Properties $vnet.Properties `
    -Credential $cred
Configuring VXLAN Using Host Networking Service (HNS)
On standalone Hyper-V hosts without a full SDN Network Controller, you can configure VXLAN networks using the Host Networking Service (HNS) PowerShell module. Install the required module:
Install-Module -Name HNS -Force
Create a new VXLAN overlay network using HNS:
$networkConfig = @{
    "Name" = "VXLANOverlay"
    "Type" = "Overlay"
    "Subnets" = @(
        @{
            "AddressPrefix" = "192.168.200.0/24"
            "GatewayAddress" = "192.168.200.1"
            "VSID" = 4096
        }
    )
}
New-HnsNetwork -JsonString ($networkConfig | ConvertTo-Json -Depth 5)
Verify the VXLAN network was created and the VSID was applied:
Get-HnsNetwork | Where-Object {$_.Type -eq "Overlay"} | Select Name, Type, Id
Attaching VM NICs to VXLAN Networks
In the SDN environment, VM NICs are connected to virtual network subnets through the Network Controller. Connect a VM’s network adapter to the VXLAN subnet:
$vmNic = New-Object Microsoft.Windows.NetworkController.NetworkInterface
$vmNic.ResourceId = "VM01_NIC01"
$vmNic.Properties = New-Object Microsoft.Windows.NetworkController.NetworkInterfaceProperties
$vmNic.Properties.IsPrimary = $true
$ipConfig = New-Object Microsoft.Windows.NetworkController.NetworkInterfaceIpConfiguration
$ipConfig.ResourceId = "VM01_IPConfig01"
$ipConfig.Properties = New-Object Microsoft.Windows.NetworkController.NetworkInterfaceIpConfigurationProperties
$ipConfig.Properties.PrivateIPAddress = "192.168.100.10"
$ipConfig.Properties.PrivateIPAllocationMethod = "Static"
$ipConfig.Properties.Subnet = New-Object Microsoft.Windows.NetworkController.ResourceReference
$ipConfig.Properties.Subnet.ResourceRef = "/virtualNetworks/Contoso_VNet_001/subnets/Contoso_Subnet_001"
$vmNic.Properties.IpConfigurations = @($ipConfig)
New-NetworkControllerNetworkInterface `
    -ConnectionUri $ncUri `
    -ResourceId $vmNic.ResourceId `
    -Properties $vmNic.Properties `
    -Credential $cred
Verifying VXLAN Encapsulation
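Verify that the VXLAN tunnel endpoints (VTEPs) are correctly programmed on the host. Check the VFP (Virtual Filtering Platform) policies applied by the Hyper-V switch: list the switch ports first, then list the rules for one port, replacing <PortName> with a port name from the output of the first command:
vfpctrl.exe /list-vmswitch-port
vfpctrl.exe /port <PortName> /list-rule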
Use Network Monitor or Wireshark on the physical NIC to capture and confirm that traffic between VMs on different hosts is encapsulated in UDP port 4789 (standard VXLAN UDP port):
netsh trace start capture=yes tracefile=C:\vxlan_capture.etl
# Wait for test traffic, then stop:
netsh trace stop
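Once a capture shows UDP 4789 traffic, the next check is that the frames carry the VNI you configured. The following is an added example, not part of the original guide: it decodes the 8-byte VXLAN header defined in RFC 7348 from a UDP payload and compares the VNI. The function names and the sample bytes are constructed for illustration, and it assumes the subnet's VirtualSubnetId of 6001 appears on the wire as the VNI.

```powershell
# Added example: decode the VXLAN header (RFC 7348) at the start of a
# UDP/4789 payload and check the VNI against the expected segment.
function Get-VxlanHeader {
    param([Parameter(Mandatory)] [byte[]] $UdpPayload)

    # 8-byte VXLAN header plus 14-byte inner Ethernet header
    if ($UdpPayload.Length -lt 22) {
        throw "Payload is $($UdpPayload.Length) bytes; need at least 22."
    }
    # Byte 0 holds the flags; the I bit (0x08) marks the VNI field as valid.
    $vniValid = ($UdpPayload[0] -band 0x08) -ne 0
    # Bytes 4-6 are the 24-bit VNI in network byte order; byte 7 is reserved.
    $vni = ([int]$UdpPayload[4] -shl 16) -bor ([int]$UdpPayload[5] -shl 8) -bor [int]$UdpPayload[6]

    [pscustomobject]@{
        VniValid       = $vniValid
        Vni            = $vni
        InnerDstMac    = [System.BitConverter]::ToString($UdpPayload, 8, 6)
        InnerSrcMac    = [System.BitConverter]::ToString($UdpPayload, 14, 6)
        InnerEtherType = '0x{0:X4}' -f (([int]$UdpPayload[20] -shl 8) -bor [int]$UdpPayload[21])
    }
}

function Test-VxlanVni {
    param(
        [Parameter(Mandatory)] [byte[]] $UdpPayload,
        [Parameter(Mandatory)] [ValidateRange(0, 16777215)] [int] $ExpectedVni
    )
    $h = Get-VxlanHeader -UdpPayload $UdpPayload
    # A frame only counts when the I flag is set and the VNI matches exactly.
    return ($h.VniValid -and $h.Vni -eq $ExpectedVni)
}

# Constructed sample payload: flags 0x08, VNI 6001 (0x001771), then an inner
# Ethernet header with made-up MAC addresses and EtherType 0x0800 (IPv4).
$sample = [byte[]]@(
    0x08, 0x00, 0x00, 0x00, 0x00, 0x17, 0x71, 0x00,
    0x00, 0x15, 0x5D, 0x00, 0x0A, 0x02,
    0x00, 0x15, 0x5D, 0x00, 0x0A, 0x01,
    0x08, 0x00
)

Get-VxlanHeader -UdpPayload $sample | Format-List
Test-VxlanVni -UdpPayload $sample -ExpectedVni 6001   # subnet ID used in this guide
Test-VxlanVni -UdpPayload $sample -ExpectedVni 4096   # a different segment
```

A frame between two VMs on the same virtual subnet that decodes to a different VNI, or has the I flag clear, points to a mis-programmed VTEP mapping rather than a connectivity problem.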
Firewall Rules for VXLAN Traffic
Ensure that UDP port 4789 is open on all Hyper-V hosts that participate in the VXLAN fabric. Create the required firewall rule:
New-NetFirewallRule `
    -DisplayName "Allow VXLAN UDP 4789 Inbound" `
    -Direction Inbound `
    -Protocol UDP `
    -LocalPort 4789 `
    -Action Allow
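# Outbound VXLAN packets are sent to UDP 4789 on the remote host, so this rule matches the remote port
New-NetFirewallRule `
    -DisplayName "Allow VXLAN UDP 4789 Outbound" `
    -Direction Outbound `
    -Protocol UDP `
    -RemotePort 4789 `
    -Action Allow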
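VXLAN as specified in RFC 7348 has no authentication or encryption of its own, so a rule that accepts UDP 4789 from any address lets any reachable sender deliver encapsulated frames to the host. The following added example, which is not part of the original guide, lists existing allow rules on UDP 4789 that have no remote-address scope and defines a scoped rule pair. The function names and the provider prefix 10.10.56.0/24 are constructed placeholders.

```powershell
# Added example, not from the original guide. $ProviderPrefix is a constructed
# placeholder; replace it with the underlay subnet that carries VTEP traffic.
$ProviderPrefix = '10.10.56.0/24'

function Get-UnscopedVxlanRule {
    # Enabled Allow rules that name UDP 4789 and accept any remote address.
    # Rules that cover 4789 through a port range or "Any" are not listed here.
    foreach ($pf in Get-NetFirewallPortFilter -Protocol UDP) {
        if ($pf.LocalPort -notcontains '4789' -and $pf.RemotePort -notcontains '4789') { continue }
        $rule = Get-NetFirewallRule -AssociatedNetFirewallPortFilter $pf
        $addr = Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule
        if ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Allow' -and
            $addr.RemoteAddress -contains 'Any') {
            [pscustomobject]@{
                DisplayName   = $rule.DisplayName
                Direction     = $rule.Direction
                RemoteAddress = $addr.RemoteAddress -join ','
            }
        }
    }
}

function New-ScopedVxlanRule {
    param([Parameter(Mandatory)] [string[]] $RemoteAddress)
    # Inbound: encapsulated frames arrive on local UDP 4789, from fabric peers only.
    New-NetFirewallRule -DisplayName 'VXLAN UDP 4789 Inbound (fabric peers)' `
        -Direction Inbound -Protocol UDP -LocalPort 4789 `
        -RemoteAddress $RemoteAddress -Action Allow
    # Outbound: frames leave toward UDP 4789 on fabric peers only.
    New-NetFirewallRule -DisplayName 'VXLAN UDP 4789 Outbound (fabric peers)' `
        -Direction Outbound -Protocol UDP -RemotePort 4789 `
        -RemoteAddress $RemoteAddress -Action Allow
}

# Review what is already open before adding the scoped pair.
Get-UnscopedVxlanRule | Format-Table -AutoSize
# New-ScopedVxlanRule -RemoteAddress $ProviderPrefix   # run once the list is reviewed
```

Any rule the audit lists should be removed or rescoped after the scoped pair is in place, since an allow rule with a remote address of Any makes the scoped rules ineffective.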
VXLAN in Windows Server 2019 is a powerful network virtualization technology that provides tenant isolation, scalability beyond traditional VLAN limits, and seamless VM mobility across physical hosts. When deployed as part of the full SDN stack with Network Controller, it enables automated, policy-driven network provisioning that scales to thousands of tenants in a single physical fabric.