Virtual network security

Virtual networks can be configured to be completely isolated from all other virtual and physical networks. Alternatively, if necessary, they can be configured with limited isolation, in which case they remain isolated only up to the point where they connect to the physical network.

Network isolation

For a virtual machine to have complete network isolation, it must be assigned to only one internal virtual network, and that virtual network must be configured so that it does not use a physical network adapter. For more information about how to configure a virtual network, see Create a virtual network.

Once a virtual network is attached to a physical network adapter, it is exposed to the same security risks as that physical network adapter.

Network packet isolation

Virtual machines cannot intercept network packets from the host operating system. Similarly, the host operating system cannot intercept network packets from a virtual machine. This isolation is enforced by the virtual machine network services driver, which determines whether a network packet is routed to the host operating system or to a virtual machine. For more information, see Virtual network architecture.

Important

Firewall software running on the host operating system will not protect guest operating systems. To obtain this protection, you must install firewall software directly on the guest operating systems. For more information, see Securing Virtual Server.
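The isolation rule under "Network isolation" and the firewall note above can be checked mechanically against an inventory of virtual machines and virtual networks. The following is an added example, not code from the product or its documentation; the inventory layout, field names and machine names are constructed for illustration and do not correspond to any Virtual Server export format.

```python
# Constructed inventory (assumption): all names and fields are hypothetical.
# physical_adapter is None for an internal virtual network.
NETWORKS = {
    "Internal-Lab": {"physical_adapter": None},
    "External-LAN": {"physical_adapter": "Host NIC 1"},
}
VMS = {
    "build-01": {"networks": ["Internal-Lab"], "guest_firewall": False},
    "web-01": {"networks": ["External-LAN"], "guest_firewall": False},
    "db-01": {"networks": ["External-LAN"], "guest_firewall": True},
    "gw-01": {"networks": ["Internal-Lab", "External-LAN"], "guest_firewall": True},
    "orphan-01": {"networks": ["Missing-Net"], "guest_firewall": True},
}


def audit_vm(vm, networks):
    """Return a list of findings for one virtual machine."""
    findings = []
    attached = vm["networks"]
    unknown = [n for n in attached if n not in networks]
    if unknown:
        findings.append(f"unknown network(s): {', '.join(unknown)}")
    exposed = [n for n in attached
               if n in networks and networks[n]["physical_adapter"]]
    if len(attached) > 1:
        findings.append("attached to more than one virtual network")
    if exposed:
        findings.append(f"reaches physical network via: {', '.join(exposed)}")
        if not vm["guest_firewall"]:
            findings.append("no guest firewall; host firewall does not protect it")
    return findings


def audit(vms, networks):
    """Map each VM name to (is_completely_isolated, findings)."""
    report = {}
    for name, vm in sorted(vms.items()):
        findings = audit_vm(vm, networks)
        # Complete isolation: exactly one network, and nothing flagged on it.
        isolated = not findings and len(vm["networks"]) == 1
        report[name] = (isolated, findings)
    return report


if __name__ == "__main__":
    for name, (isolated, findings) in audit(VMS, NETWORKS).items():
        print(f"{name}: {'isolated' if isolated else 'NOT isolated'}")
        for finding in findings:
            print(f"  - {finding}")
```

The missing guest firewall is reported only for machines that reach a physical network; that scoping is a choice made in this example, not a statement from the page.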