How to Configure Windows Server 2016 Hyper-V Network Virtualisation
Hyper-V Network Virtualisation (HNV) is a core technology in the Windows Server 2016 SDN stack that enables multiple tenant virtual networks to coexist on a shared physical network fabric without interference. HNV decouples virtual machine network addresses from the underlying physical network topology, allowing tenants to use overlapping IP address ranges without conflict and permitting the physical network to evolve independently of the virtual network configuration.
This tutorial covers how to configure Hyper-V Network Virtualisation on Windows Server 2016, including enabling the HNV provider logical network, deploying virtual networks for tenants, and verifying traffic isolation between them.
HNV Architecture Overview
HNV works by encapsulating tenant VM network packets in an outer header before forwarding them across the physical network. Windows Server 2016 supports two encapsulation protocols: NVGRE (Network Virtualisation using Generic Routing Encapsulation) and VXLAN (Virtual Extensible LAN). The inner packet contains the tenant’s customer address (CA) space IP addresses, while the outer packet uses provider address (PA) space addresses that are routable on the physical fabric. The mapping between CA and PA addresses is maintained by the SDN Network Controller and distributed to the HNV Virtual Switch extensions on each Hyper-V host.
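The CA-to-PA lookup and VXLAN framing described above, as an added PowerShell sketch that is not part of the original tutorial: it models the policy table keyed by tenant identifier plus CA and builds the 8-byte VXLAN header defined in RFC 7348. The VNIs (5001, 6001), the second host's PA and the function names are assumptions made for illustration; the real lookup happens inside the Hyper-V virtual switch.

```powershell
# Simplified model of HNV encapsulation; all VNIs and addresses are constructed.
# Policy table as a host would hold it, keyed by "VNI|CA" -> PA of the hosting server.
$policy = @{
    '5001|192.168.1.10' = '10.10.56.1'   # Tenant1 VM on Host1
    '5001|192.168.1.20' = '10.10.56.2'   # Tenant1 VM on Host2
    '6001|192.168.1.10' = '10.10.56.2'   # Tenant2 VM reusing Tenant1's CA
}

function New-VxlanHeader([int]$Vni) {
    # RFC 7348: flags 0x08 (VNI present), 3 reserved bytes, 24-bit VNI, 1 reserved byte
    if ($Vni -lt 0 -or $Vni -gt 0xFFFFFF) { throw "VNI $Vni does not fit in 24 bits" }
    $bytes = [byte[]](0x08, 0, 0, 0, (($Vni -shr 16) -band 0xFF), (($Vni -shr 8) -band 0xFF), ($Vni -band 0xFF), 0)
    , $bytes   # comma keeps the array from being unrolled on output
}

function Get-VxlanVni([byte[]]$Header) {
    if ($Header.Length -lt 8 -or -not ($Header[0] -band 0x08)) { throw 'Not a VXLAN header with a valid VNI' }
    ([int]$Header[4] -shl 16) -bor ([int]$Header[5] -shl 8) -bor [int]$Header[6]
}

function Send-TenantPacket([int]$Vni, [string]$DestCa) {
    # Sender side: the lookup needs the tenant's VNI as well as the CA.
    $pa = $policy["$Vni|$DestCa"]
    if (-not $pa) { return $null }   # no policy for this tenant and CA, nothing is sent
    [pscustomobject]@{ OuterDstPa = $pa; Vxlan = (New-VxlanHeader $Vni); InnerDstCa = $DestCa }
}

function Receive-TenantPacket($Packet, [string]$LocalPa) {
    # Receiver side: the VNI from the outer header selects the tenant before the CA is considered.
    $vni = Get-VxlanVni $Packet.Vxlan
    if ($policy["$vni|$($Packet.InnerDstCa)"] -eq $LocalPa) {
        "deliver to $($Packet.InnerDstCa) in VNI $vni"
    } else {
        "drop: $($Packet.InnerDstCa) in VNI $vni is not hosted on $LocalPa"
    }
}

# The same CA resolves to different PAs depending on the tenant's VNI.
$t1 = Send-TenantPacket 5001 '192.168.1.10'
$t2 = Send-TenantPacket 6001 '192.168.1.10'
"Tenant1 -> PA $($t1.OuterDstPa), Tenant2 -> PA $($t2.OuterDstPa)"
Receive-TenantPacket $t1 '10.10.56.1'
Receive-TenantPacket $t1 '10.10.56.2'   # this host holds the same CA, but under VNI 6001
```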
Prerequisites
You need Windows Server 2016 Datacenter edition on all Hyper-V hosts, a deployed Network Controller, and at least one Hyper-V virtual switch with the HNV extension enabled. The management OS on each host needs network connectivity to the Network Controller REST endpoint.
Install required features:
Install-WindowsFeature Hyper-V, NetworkController -IncludeManagementTools
Step 1 — Create an HNV Provider Logical Network
The HNV Provider logical network defines the physical address space used for encapsulation. Create it via the Network Controller REST API:
$uri = "https://nc.contoso.com"
$headers = @{ "Content-Type" = "application/json" }
$hnvBody = @{
    properties = @{
        networkVirtualizationEnabled = $true
        subnets = @(@{
            properties = @{
                addressPrefix = "10.10.56.0/23"
                vlanID = 11
            }
        })
    }
} | ConvertTo-Json -Depth 6
Invoke-RestMethod `
    -Uri "$uri/networking/v1/logicalNetworks/HNVProvider" `
    -Method Put `
    -Body $hnvBody `
    -Headers $headers `
    -UseDefaultCredentials
Step 2 — Assign PA Addresses to Hyper-V Hosts
Each Hyper-V host participating in the HNV fabric needs a Provider Address (PA) assigned within the HNV Provider logical network’s address space. Register each host’s network adapter in the Network Controller:
$serverBody = @{
    properties = @{
        connections = @(@{
            managementAddress = "10.10.55.11"
            credential = @{ resourceRef = "/credentials/HostAdminCred" }
            credentialType = "UsernamePassword"
        })
        networkInterfaces = @(@{
            resourceId = "HNV-PA-Adapter-Host1"
            properties = @{
                ipConfigurations = @(@{
                    properties = @{
                        privateIPAddress = "10.10.56.1"
                        privateIPAllocationMethod = "Static"
                        subnet = @{ resourceRef = "/logicalNetworks/HNVProvider/subnets/0" }
                    }
                })
            }
        })
    }
} | ConvertTo-Json -Depth 8
Invoke-RestMethod `
    -Uri "$uri/networking/v1/servers/Host1" `
    -Method Put `
    -Body $serverBody `
    -Headers $headers `
    -UseDefaultCredentials
Step 3 — Create Tenant Virtual Networks
Define a virtual network for a tenant in the customer address (CA) space. Multiple tenants can use the same address ranges because HNV provides complete isolation:
$vnetBody = @{
    properties = @{
        addressSpace = @{ addressPrefixes = @("192.168.1.0/24") }
        encapType = "VXLAN"
        logicalNetwork = @{ resourceRef = "/logicalNetworks/HNVProvider" }
        subnets = @(@{
            resourceId = "Tenant1-Subnet1"
            properties = @{
                addressPrefix = "192.168.1.0/24"
            }
        })
    }
} | ConvertTo-Json -Depth 6
Invoke-RestMethod `
    -Uri "$uri/networking/v1/virtualNetworks/Tenant1VNet" `
    -Method Put `
    -Body $vnetBody `
    -Headers $headers `
    -UseDefaultCredentials
Step 4 — Attach Virtual Machines to the Virtual Network
Create a network interface for a VM and attach it to the tenant virtual network subnet:
$nicBody = @{
    properties = @{
        ipConfigurations = @(@{
            properties = @{
                privateIPAddress = "192.168.1.10"
                privateIPAllocationMethod = "Static"
                subnet = @{ resourceRef = "/virtualNetworks/Tenant1VNet/subnets/Tenant1-Subnet1" }
            }
        })
        macAddress = "00-11-22-33-44-55"
    }
} | ConvertTo-Json -Depth 6
Invoke-RestMethod `
    -Uri "$uri/networking/v1/networkInterfaces/Tenant1VM1NIC" `
    -Method Put `
    -Body $nicBody `
    -Headers $headers `
    -UseDefaultCredentials
Step 5 — Verify HNV Policy Distribution
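Once VMs are attached, verify that the Network Controller has pushed the CA-to-PA mapping policies to the Hyper-V hosts. On a Hyper-V host, list the virtual switch ports, then list the VFP (Virtual Filtering Platform) rules on the port that belongs to the VM, replacing <PortName> with the port name reported by the first command:
vfpctrl /list-vmswitch-port
vfpctrl /port <PortName> /list-rule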
Step 6 — Test Isolation Between Tenants
Deploy two VMs from different tenants using the same IP address (for example, both using 192.168.1.10) and verify that they cannot communicate with each other, confirming HNV isolation is functioning correctly. Use Test-NetConnection from within each VM:
Test-NetConnection -ComputerName 192.168.1.10 -Port 80
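Traffic between tenants should fail while traffic within the same tenant virtual network succeeds. Note that a VM connecting to its own address is answered locally, so a meaningful result needs a source VM whose address differs from the target's.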
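With overlapping CA ranges an IP address no longer identifies a tenant; the subnet resourceRef on each network interface does. The following added PowerShell audit (not part of the original tutorial) checks constructed records shaped after the Step 3 and Step 4 bodies for a NIC bound to another tenant's virtual network, a CA outside its subnet, and a duplicate CA inside one virtual network. The Tenant2 resources, the Tenant owner field and the function names are assumptions.

```powershell
# Constructed inventory; Tenant2 names, the Tenant field and all values are assumptions.
$t1 = '/virtualNetworks/Tenant1VNet/subnets/Tenant1-Subnet1'
$t2 = '/virtualNetworks/Tenant2VNet/subnets/Tenant2-Subnet1'
$subnets    = @{ $t1 = '192.168.1.0/24'; $t2 = '192.168.1.0/24' }   # overlapping CA ranges are allowed
$tenantVnet = @{ Tenant1 = 'Tenant1VNet'; Tenant2 = 'Tenant2VNet' } # which vnet each owner may use
$nics = @(
    @{ Id = 'Tenant1VM1NIC'; Tenant = 'Tenant1'; Ip = '192.168.1.10'; Subnet = $t1 }
    @{ Id = 'Tenant2VM1NIC'; Tenant = 'Tenant2'; Ip = '192.168.1.10'; Subnet = $t2 }   # same CA, other vnet: fine
    @{ Id = 'Tenant2VM2NIC'; Tenant = 'Tenant2'; Ip = '192.168.1.11'; Subnet = $t1 }   # bound to Tenant1's subnet
    @{ Id = 'Tenant1VM2NIC'; Tenant = 'Tenant1'; Ip = '192.168.2.10'; Subnet = $t1 }   # CA outside the subnet
    @{ Id = 'Tenant1VM3NIC'; Tenant = 'Tenant1'; Ip = '192.168.1.10'; Subnet = $t1 }   # duplicate CA in one vnet
)

function ConvertTo-IPv4Number([string]$Address) {
    $n = [long]0
    foreach ($b in ([ipaddress]$Address).GetAddressBytes()) { $n = $n * 256 + $b }
    $n
}

function Test-InPrefix([string]$Ip, [string]$Prefix) {
    $net, $len = $Prefix -split '/'
    $size = [long][math]::Pow(2, 32 - [int]$len)   # number of addresses in the prefix
    # Two addresses share a prefix when they fall into the same block of that size.
    [math]::Floor((ConvertTo-IPv4Number $Ip) / $size) -eq [math]::Floor((ConvertTo-IPv4Number $net) / $size)
}

function Test-HnvNicBinding($Nics, $Subnets, $TenantVnet) {
    $seen = @{}   # "vnet|CA" -> first NIC that claimed it
    foreach ($nic in $Nics) {
        $problems = @()
        $prefix = $Subnets[$nic.Subnet]
        $vnet = ($nic.Subnet -split '/')[2]   # /virtualNetworks/<vnet>/subnets/<subnet>
        if (-not $prefix) {
            $problems += 'unknown subnet'
        } elseif (-not (Test-InPrefix $nic.Ip $prefix)) {
            $problems += "CA outside $prefix"
        }
        if ($vnet -ne $TenantVnet[$nic.Tenant]) {
            $problems += "attached to $vnet, owner expects $($TenantVnet[$nic.Tenant])"
        }
        $key = "$vnet|$($nic.Ip)"
        if ($seen.ContainsKey($key)) { $problems += "duplicate CA, also on $($seen[$key])" }
        else { $seen[$key] = $nic.Id }
        [pscustomobject]@{ Nic = $nic.Id; Ok = ($problems.Count -eq 0); Problems = $problems -join '; ' }
    }
}

Test-HnvNicBinding $nics $subnets $tenantVnet | Format-Table -AutoSize
```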
Conclusion
Hyper-V Network Virtualisation in Windows Server 2016 provides the network isolation foundation for multi-tenant SDN environments. By separating customer address spaces from provider address spaces and using VXLAN or NVGRE encapsulation, HNV enables flexible, scalable virtual networking that is completely decoupled from the underlying physical network. The Network Controller automates the distribution of HNV policies across all Hyper-V hosts, making large-scale deployments manageable and consistent.