How to Set Up Windows Server 2019 NVGRE
Network Virtualization using Generic Routing Encapsulation (NVGRE) is Microsoft’s network virtualization technology that encapsulates Layer 2 Ethernet frames within GRE packets to create isolated virtual networks across a shared physical infrastructure. NVGRE is part of Windows Server 2019’s Hyper-V Network Virtualization (HNV) stack and is the predecessor to VXLAN support. It allows multiple tenants to use overlapping IP address spaces while maintaining complete network isolation. This guide covers NVGRE configuration in Windows Server 2019.
NVGRE vs VXLAN in Windows Server 2019
Both NVGRE and VXLAN are supported in Windows Server 2019’s SDN stack. NVGRE uses GRE encapsulation with a Tenant Network Identifier (TNI) in the GRE key field, while VXLAN uses UDP port 4789. NVGRE is encapsulated directly in IP (protocol 47), which can cause issues with ECMP (Equal-Cost Multi-Path) load balancing on physical switches that cannot inspect GRE headers. VXLAN over UDP is generally preferred in newer deployments because it allows better traffic distribution across physical links. However, NVGRE remains supported for backward compatibility and integration with existing deployments.
Prerequisites
NVGRE requires the following components: Hyper-V installed on all compute hosts, Network Controller deployed and configured, and physical network hardware that can forward GRE-encapsulated traffic. Install the Hyper-V role:
Install-WindowsFeature Hyper-V -IncludeManagementTools -Restart
Install the Network Controller role for centralized management:
Install-WindowsFeature NetworkController -IncludeManagementTools -Restart
Enabling Hyper-V Network Virtualization
Hyper-V Network Virtualization must be enabled on each Hyper-V host and its virtual switch. First, identify the virtual switch that connects to the provider network:
Get-VMSwitch | Select Name, SwitchType, NetAdapterInterfaceDescription
Enable network virtualization on the virtual switch. Specify NVGRE as the encapsulation type:
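# Sets the *EncapsulatedPacketTaskOffload advanced property to 1 (enabled) on each vEthernet adapter
Get-NetAdapter | Where-Object {$_.Name -like "vEthernet*"} | ForEach-Object {
    Set-NetAdapterAdvancedProperty `
        -Name $_.Name `
        -RegistryKeyword "*EncapsulatedPacketTaskOffload" `
        -RegistryValue 1
}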
Configure the VFP extension on the virtual switch to handle NVGRE:
Get-VMSwitchExtension -VMSwitchName "SDNSwitch" | Where-Object {$_.Name -like "*VFP*"} | Enable-VMSwitchExtension
Configuring NVGRE via Network Controller
In the full SDN stack, NVGRE encapsulation is configured through the Network Controller. The encapsulation type is set per virtual network. Create a virtual network using NVGRE encapsulation:
$ncUri = "https://nc.contoso.com"
$cred = Get-Credential
$vnet = New-Object Microsoft.Windows.NetworkController.VirtualNetwork
$vnet.ResourceId = "TenantB_NVGRE_VNet"
$vnet.Properties = New-Object Microsoft.Windows.NetworkController.VirtualNetworkProperties
$vnet.Properties.EncryptionCredential = $null
$subnet = New-Object Microsoft.Windows.NetworkController.VirtualSubnet
$subnet.ResourceId = "TenantB_Subnet01"
$subnet.Properties = New-Object Microsoft.Windows.NetworkController.VirtualSubnetProperties
$subnet.Properties.AddressPrefix = "10.10.10.0/24"
$subnet.Properties.VirtualSubnetId = 5001
$vnet.Properties.Subnets = @($subnet)
$vnet.Properties.AddressSpace = New-Object Microsoft.Windows.NetworkController.AddressSpace
$vnet.Properties.AddressSpace.AddressPrefixes = @("10.10.10.0/24")
New-NetworkControllerVirtualNetwork `
    -ConnectionUri $ncUri `
    -ResourceId $vnet.ResourceId `
    -Properties $vnet.Properties `
    -Credential $cred
Configuring PA (Provider Address) and CA (Customer Address) Mappings
NVGRE uses a two-layer addressing model. Customer Addresses (CA) are the IP addresses visible inside the virtual network. Provider Addresses (PA) are the physical host IP addresses used for encapsulation. The Network Controller manages these mappings automatically. To view the current PA to CA mapping on a host:
Get-NetVirtualizationLookupRecord | Select CustomerAddress, ProviderAddress, VirtualSubnetId, MACAddress
View the virtual subnet configuration:
Get-NetVirtualizationCustomerRoute | Select DestinationPrefix, NextHop, Metric
View provider network routes:
Get-NetVirtualizationProviderRoute | Select InterfaceIndex, DestinationPrefix, NextHop
Manual NVGRE Configuration Without Network Controller
In environments without a full Network Controller deployment, you can manually configure NVGRE using the NetVirtualization cmdlets. Add the virtual subnet and associated routes:
Add-NetVirtualizationCustomerRoute `
    -RoutingDomainID "{11111111-1111-1111-1111-111111111111}" `
    -VirtualSubnetID 5001 `
    -DestinationPrefix "10.10.10.0/24" `
    -NextHop "0.0.0.0" `
    -Metric 255
Add a lookup record mapping a customer VM address to a provider host address for cross-host communication:
Add-NetVirtualizationLookupRecord `
    -CustomerAddress "10.10.10.10" `
    -ProviderAddress "192.168.1.101" `
    -VirtualSubnetID 5001 `
    -MACAddress "00-15-5D-AA-BB-01" `
    -Rule TranslationMethodEncap
Add the provider route to reach the remote host:
Add-NetVirtualizationProviderRoute `
    -InterfaceIndex (Get-NetAdapter -Name "pNIC").InterfaceIndex `
    -DestinationPrefix "192.168.1.0/24" `
    -NextHop "192.168.1.1" `
    -Metric 1
Verifying NVGRE Operation
Verify the NVGRE lookup table on the host to confirm CA to PA mappings are populated correctly:
Get-NetVirtualizationLookupRecord | Format-Table CustomerAddress, ProviderAddress, VirtualSubnetId, MACAddress
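Tenant isolation depends on this table being correct, so it is worth auditing rather than only reading. The following is an added example, not part of the original guide: it flags lookup records whose provider address lies outside the expected PA subnet and customer addresses that map to more than one provider address within a virtual subnet. The function names, the 192.168.1.0/24 provider prefix (taken from the manual configuration section) and the sample records are assumptions; IPv4 only.

```powershell
# Added example. Sample records are constructed; on a host, pass
# (Get-NetVirtualizationLookupRecord) as -Records instead.
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InPrefix ([string]$Ip, [string]$Prefix) {
    $net, $len = $Prefix -split '/'
    $shift = 32 - [int]$len
    ([long](ConvertTo-UInt32 $Ip) -shr $shift) -eq ([long](ConvertTo-UInt32 $net) -shr $shift)
}

function Get-LookupRecordFinding {
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [Parameter(Mandatory)] [string]$ProviderPrefix   # assumed PA subnet
    )
    # Check 1: encapsulated traffic would be sent to a host outside the provider fabric
    foreach ($r in $Records) {
        if (-not (Test-InPrefix $r.ProviderAddress $ProviderPrefix)) {
            [pscustomobject]@{ Finding = 'PA outside provider prefix'
                VirtualSubnetId = $r.VirtualSubnetId
                CustomerAddress = $r.CustomerAddress
                Detail = $r.ProviderAddress }
        }
    }
    # Check 2: one CA in one virtual subnet resolving to several hosts
    $Records | Group-Object VirtualSubnetId, CustomerAddress | ForEach-Object {
        $pas = @($_.Group.ProviderAddress | Sort-Object -Unique)
        if ($pas.Count -gt 1) {
            [pscustomobject]@{ Finding = 'CA maps to multiple PAs'
                VirtualSubnetId = $_.Group[0].VirtualSubnetId
                CustomerAddress = $_.Group[0].CustomerAddress
                Detail = $pas -join ', ' }
        }
    }
}

# Constructed sample: the third record conflicts with the first and leaves the PA subnet
$sample = @(
    [pscustomobject]@{ CustomerAddress='10.10.10.10'; ProviderAddress='192.168.1.101'; VirtualSubnetId=5001 }
    [pscustomobject]@{ CustomerAddress='10.10.10.11'; ProviderAddress='192.168.1.102'; VirtualSubnetId=5001 }
    [pscustomobject]@{ CustomerAddress='10.10.10.10'; ProviderAddress='203.0.113.7';   VirtualSubnetId=5001 }
)
Get-LookupRecordFinding -Records $sample -ProviderPrefix '192.168.1.0/24' | Format-Table -AutoSize
```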
Use netsh to view NVGRE statistics on the virtual switch:
netsh interface hypervvirtualnetwork show provider
Check the VFP port rules to confirm NVGRE encapsulation policies are applied:
vfpctrl.exe /list-vmswitch-port
vfpctrl.exe /port /list-rule
Firewall and Physical Network Considerations
NVGRE uses IP protocol 47 (GRE). Ensure all physical network devices and firewalls between Hyper-V hosts allow GRE traffic:
New-NetFirewallRule `
    -DisplayName "Allow NVGRE GRE Protocol 47 Inbound" `
    -Direction Inbound `
    -Protocol 47 `
    -Action Allow
New-NetFirewallRule `
    -DisplayName "Allow NVGRE GRE Protocol 47 Outbound" `
    -Direction Outbound `
    -Protocol 47 `
    -Action Allow
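The rules above allow protocol 47 to and from any address, and GRE itself carries no authentication, so the host firewall is the place to limit which peers may send encapsulated tenant traffic. The following is an added example, not part of the original guide, that scopes the same rules to the provider subnet and then lists every matching rule with its remote scope. It assumes 192.168.1.0/24 is the PA subnet, as in the manual configuration section; the "(PA subnet only)" display names are illustrative.

```powershell
# Added example. Assumption: 192.168.1.0/24 is the provider (PA) subnet.
$providerSubnet = '192.168.1.0/24'

foreach ($direction in 'Inbound', 'Outbound') {
    New-NetFirewallRule `
        -DisplayName "Allow NVGRE GRE Protocol 47 $direction (PA subnet only)" `
        -Direction $direction `
        -Protocol 47 `
        -RemoteAddress $providerSubnet `
        -Action Allow
}

# Review all NVGRE allow rules and flag any that are still open to every address.
Get-NetFirewallRule -DisplayName 'Allow NVGRE GRE Protocol 47*' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        DisplayName   = $_.DisplayName
        Direction     = $_.Direction
        RemoteAddress = $addr.RemoteAddress -join ', '
        Unscoped      = ($addr.RemoteAddress -contains 'Any')
    }
} | Format-Table -AutoSize
```

An unscoped allow rule still matches traffic from any address, so the scoped rules only take effect once rules reported with Unscoped set to True are removed or disabled.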
NVGRE on Windows Server 2019 provides solid network virtualization capabilities for multi-tenant environments. While VXLAN has largely replaced NVGRE in newer SDN deployments due to better load-balancing support, NVGRE remains a valid option, particularly in environments with existing Windows Server 2012 R2 / 2016 deployments that need backward compatibility or in scenarios where UDP-based encapsulation is not desired.