July 23, 2018
Hyper-V Nested Virtualization Explained
Windows Server 2016 is the newest addition to the popular Windows Server family of operating systems. The 2016 version introduces several useful new features, including features specifically designed for the Hyper-V virtualization platform, and these improvements broaden the range of scenarios in which the latest version of Hyper-V can be used. Nested virtualization is a new feature that is included in Hyper-V 2016, which was released with Windows Server 2016 and Windows 10; it is therefore available on workstations as well as servers. This blog post explains what nested virtualization is, as well as the use cases, requirements, and limitations of this new feature.
What Is Nested Virtualization?
Nested virtualization is a feature that allows the creation of Hyper-V virtual machines within another Hyper-V virtual machine (VM) running on a Hyper-V host. The VMs that are running inside VMs are called nested VMs.
The following are some of the use cases for nested virtualization:
Isolated environments. You can create nested virtual machines that are connected with each other via an isolated virtual network. Thus, you can create a fully isolated environment without any impact on your regular virtual machines and network.
Training/testing/development. Training is useful to familiarize new users or administrators with software (or to familiarize existing users or administrators with new software). However, training in production environments can cause instability or even failure. With nested virtualization, you can simulate the production environment on nested virtual machines without any impact on the real production environment. Besides training for administrators, QA specialists and developers may need this type of environment for testing or development purposes, respectively. The benefit is that you can use nested virtual machines in existing virtual environments for these purposes without needing to buy additional dedicated hardware.
Building a private cloud. Deploying a real private cloud with a self-service portal for users can be expensive and labor-intensive. With nested virtualization, you can deploy a pseudo–private cloud with identical functionality. For example, you could create a VM with Hyper-V Server installed and provision 256 GB of RAM. Users can create and configure nested VMs inside the VM with Hyper-V according to their needs, but they cannot exceed the memory limit and consume more than 256 GB of RAM. You can add memory and virtual network adapters to VMs on which Hyper-V is installed with the hot-add feature. There is no downtime in this case.
Requirements and Limitations
The following requirements must be met to implement nested virtualization in Hyper-V:
- The host operating system must be Windows Server 2016 or Windows 10 (Anniversary update or later). Older Windows versions don’t support nested virtualization.
- The Hyper-V VM must be of version 8 or higher.
- The physical server must have a compatible CPU that supports the appropriate virtualization features. Only Intel processors with VT-x and EPT technology support nested virtualization. AMD processors do not currently support nested virtualization.
- There must be enough physical memory to run the VMs.
- The VM cannot use Dynamic Memory.
While not required, SSD disks are recommended because lack of disk speed significantly reduces VM performance.
There are some limitations for the VMs that host nested VMs (nested VMs can be referred to as “innermost guests”):
- Checkpoints cannot be applied to a running VM.
- Live migration fails for the VM.
- Runtime memory resize does not function.
Note that the features associated with the three limitations listed above can be used for the innermost guests.
How to Enable Hyper-V Nested Virtualization and Create a Nested VM
Configuring a Hyper-V Host
First, you need to configure a Hyper-V host. Prepare a physical server that has a compatible CPU, enough memory, and appropriate storage capacity. Check to ensure that CPU virtualization features such as Intel VT-x are enabled in BIOS. Install Hyper-V Server 2016, Windows Server 2016, or the Windows 10 operating system. Add the Hyper-V server role if you are using a full-featured Windows operating system (there is a walkthrough for adding the Hyper-V role with PowerShell in an earlier blog post). You can also use the GUI via Server Manager.
Deploying a Guest VM
Create a guest VM. The creation of a guest VM is quite straightforward and is explained here. Install an operating system that supports nested virtualization for Hyper-V on the guest VM (Windows 10 Anniversary Update or later, Windows Server 2016, or Hyper-V Server 2016). Windows Server 2016 is used for the purposes of this walkthrough.
Configuring a Guest VM
By default, support of hardware virtualization is disabled for a guest VM. The operating system displays an error if you try to add a Hyper-V role.
You can enable hardware virtualization for a guest hypervisor only by using PowerShell. The guest VM must be powered off in order to apply the following commands.
The first command allows you to check whether hardware virtualization is enabled for the guest VM. Execute the following command on the host OS (which is installed on a physical machine).
Get-VMProcessor -VMName vm_name | fl *
Where vm_name appears, substitute the name of your VM. The name of the VM is Server2016 in this example. WIN2018 is the computer name; it represents a physical machine on which Windows is installed along with the Hyper-V role.
The second command enables hardware virtualization inside a guest VM. Stop the VM before applying the following command:
Set-VMProcessor -VMName vm_name -ExposeVirtualizationExtensions $true
There is no message displayed after entering the command if everything is okay. If the VM is running, the following error message is displayed:
VM network connection
You now need to configure the network settings for your VM. There are two ways of connecting nested VMs to the network: MAC spoofing and NAT. If you configure a network for nested VMs by giving them access to a real Local Area Network (LAN), then one network adapter on the host machine would carry multiple MAC addresses – which could potentially cause network issues. That’s why the MAC address spoofing option must be activated (this option is disabled by default). However, MAC address spoofing cannot be used for VM networking in cases where a private pseudo-cloud is deployed. You should configure NAT in these situations.
Configuring MAC address spoofing
MAC address spoofing must be enabled on the network adapter of the virtual Hyper-V host.
On the physical machine with Hyper-V Server, enter the following command in order to enable MAC address spoofing:
Get-VMNetworkAdapter -VMname vm_name | Set-VMNetworkAdapter -MacAddressSpoofing On
Where vm_name appears, substitute your VM name (in our case, Server2016, as mentioned above).
If you prefer a GUI, go to VM Settings > Network adapter > Advanced features and tick the Enable MAC address spoofing checkbox, then click OK (see the screenshot below).
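As an added example that is not part of the original post, the following PowerShell script performs the host-side steps above in one pass: it checks the requirements from the Requirements section (host build, CPU vendor, VM configuration version, Dynamic Memory), exposes the virtualization extensions, and enables MAC address spoofing for the bridged-LAN case. It assumes the VM is named Server2016 as in the walkthrough and runs in an elevated session on the physical host; build 14393 is the Windows Server 2016 / Windows 10 Anniversary Update build.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# session on the physical Hyper-V host. $VMName is the post's example VM name.
$VMName = 'Server2016'
$vm = Get-VM -Name $VMName -ErrorAction Stop

# Host OS: Windows Server 2016 / Windows 10 Anniversary Update (build 14393) or later.
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
if ($build -lt 14393) { throw "Host build $build does not support nested virtualization." }

# CPU: the post states only Intel CPUs with VT-x and EPT are supported.
$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
if ($cpu.Manufacturer -ne 'GenuineIntel') {
    Write-Warning "CPU vendor is $($cpu.Manufacturer); nested virtualization may be unsupported."
}

# VM configuration version must be 8.0 or higher (the post's second requirement).
if ([version]$vm.Version -lt [version]'8.0') {
    throw "VM is configuration version $($vm.Version); upgrade it with Update-VMVersion first."
}

# Processor settings can only be changed while the VM is off.
if ($vm.State -ne 'Off') {
    Write-Host "Shutting down $VMName (graceful shutdown via integration services)..."
    Stop-VM -Name $VMName
}

# Dynamic Memory is not supported for a VM that hosts nested VMs: switch to static memory.
if ($vm.DynamicMemoryEnabled) {
    Write-Host "Disabling Dynamic Memory on $VMName"
    Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false
}

# Expose the virtualization extensions so a hypervisor can run inside the guest.
Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true

# Needed only when nested VMs are bridged onto the real LAN through the guest's
# adapter (the NAT approach does not need it). It is off by default because it lets
# the VM send frames with MAC addresses other than its own, so enable it per VM.
Get-VMNetworkAdapter -VMName $VMName | Set-VMNetworkAdapter -MacAddressSpoofing On

# Read the settings back so the change is verified before the VM is started.
[pscustomobject]@{
    VM                             = $VMName
    ExposeVirtualizationExtensions = (Get-VMProcessor -VMName $VMName).ExposeVirtualizationExtensions
    DynamicMemoryEnabled           = (Get-VMMemory -VMName $VMName).DynamicMemoryEnabled
    MacAddressSpoofing             = ((Get-VMNetworkAdapter -VMName $VMName).MacAddressSpoofing -join ',')
}
```

If you are going to use NAT instead of bridging, drop the Set-VMNetworkAdapter line; the remaining steps are the same for both network options.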
NAT can be enabled only by using PowerShell. If you want to use NAT for VM network connection, follow the instructions below.
First, create a new virtual switch.
Note: While the previous commands were executed on the host OS, the following commands must be executed on the guest OS.
New-VMSwitch -Name "SwitchName" -SwitchType Internal
Where SwitchName appears, substitute your own switch name. For the purposes of this walkthrough, NAT-Switch is used.
Define the subnet behind NAT and enable NAT. The network address must not coincide with IP addresses in your existing network. In this example the network name is NAT-net and the network address is 192.168.2.0/24.
New-NetNat -Name "network_name" -InternalIPInterfaceAddressPrefix 'ip-address/netmask'
After that, you should assign the IP address for the interface on which NAT is enabled.
Generate a list of the available adapters to check their names with the following command:
Get-NetAdapter | ft -Autosize
In this example, the name of the virtual network adapter that is connected to the virtual switch created earlier is vEthernet (NAT-Switch).
You should now define the IP address for this virtual network adapter, which must belong to the subnet you defined for NAT. Nested VMs will use the IP address of this network interface as their default gateway. In our example, this IP address is 192.168.2.1. It belongs to the network 192.168.2.0/24.
Get-NetAdapter "adapter_name" | New-NetIPAddress -IPAddress ip_address -AddressFamily IPv4 -PrefixLength mask_number
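As an added example that is not part of the original post, the following PowerShell script carries out the three NAT steps above inside the guest Hyper-V host in a re-runnable way, using the walkthrough's values (NAT-Switch, NAT-net, 192.168.2.0/24, gateway 192.168.2.1), and first checks the caveat that the NAT subnet must not coincide with a network the guest is already on. The ConvertTo-UInt32 helper is defined here for that check and is not a Windows cmdlet.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# session inside the guest VM that hosts the nested VMs (Hyper-V role installed).
$SwitchName = 'NAT-Switch'      # internal switch the nested VMs attach to
$NatName    = 'NAT-net'         # name of the NAT object
$Subnet     = '192.168.2.0/24'  # private subnet behind NAT
$GatewayIP  = '192.168.2.1'     # default gateway address for the nested VMs
$netAddr, $prefixLen = $Subnet -split '/'
$prefixLen = [int]$prefixLen

# Dotted-quad to UInt32, so the overlap test below can mask addresses.
function ConvertTo-UInt32 ([string]$ip) {
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($b)
    [BitConverter]::ToUInt32($b, 0)
}
$mask   = [uint32]((([uint64]0xFFFFFFFF) -shl (32 - $prefixLen)) -band 0xFFFFFFFF)
$netNum = ConvertTo-UInt32 $netAddr

# The NAT subnet must not coincide with a network the guest already sits on; the
# guest's own vEthernet adapter is excluded so the script can be re-run safely.
$clash = Get-NetIPAddress -AddressFamily IPv4 | Where-Object {
    $_.InterfaceAlias -ne "vEthernet ($SwitchName)" -and
    ((ConvertTo-UInt32 $_.IPAddress) -band $mask) -eq $netNum }
if ($clash) { throw "Subnet $Subnet overlaps existing address(es): $($clash.IPAddress -join ', ')" }

# 1. Internal switch; Hyper-V also creates a 'vEthernet (<switch>)' adapter on the guest.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}
$adapter = $null
for ($i = 0; -not $adapter -and $i -lt 15; $i++) {   # the adapter can take a moment to appear
    $adapter = Get-NetAdapter -Name "vEthernet ($SwitchName)" -ErrorAction SilentlyContinue
    if (-not $adapter) { Start-Sleep -Seconds 1 }
}
if (-not $adapter) { throw "Adapter 'vEthernet ($SwitchName)' did not appear." }

# 2. Gateway address on that adapter (skipped if already present).
$have = Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object IPAddress -eq $GatewayIP
if (-not $have) {
    New-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $GatewayIP `
                     -PrefixLength $prefixLen -AddressFamily IPv4 | Out-Null
}

# 3. NAT object: traffic from $Subnet leaves through the guest's outer address.
if (-not (Get-NetNat -Name $NatName -ErrorAction SilentlyContinue)) {
    New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $Subnet | Out-Null
}
Get-NetNat -Name $NatName | Select-Object Name, InternalIPInterfaceAddressPrefix
```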
Configuring a Nested VM
You can now create and configure a nested VM (a VM that runs inside a VM). In this walkthrough, a VM with Windows Server 2016 is used as the nested VM.
Select the virtual switch (which you have recently created) in the network settings of the VM in Hyper-V Manager.
Configure the TCP/IP settings in the Network Adapter Properties of the nested VM. If there are no DHCP servers in the virtual network, assign the IP address, subnet mask, default gateway and DNS server manually.
Note: Check your firewall settings, because firewalls can block network connections.
Your nested VM now has a configured network and is ready to run.
Protection of VMs with NAKIVO Backup & Replication
In order to ensure maximal reliability of your Hyper-V virtual environment, your VMs must be backed up. NAKIVO Backup & Replication is a fast, reliable, and affordable all-in-one backup solution that can protect your virtual machines in the best possible way. NAKIVO Backup & Replication makes backup processes easier while providing fast recovery with a long list of options. The product is closely integrated with Hyper-V, even giving you the ability to create Hyper-V VM-replicas and use them for Automated Failover with Network Mapping and Re-IP within the framework of a disaster recovery process. NAKIVO Backup & Replication provides a set of features that save disk space and time, including the following:
Incremental Backup allows you to copy only the VM data that has changed since the last full or incremental backup. You can save disk space because you do not need to perform a full backup every time. Incremental backup is also time-saving because copying less data takes less time.
Instant object recovery allows you to recover MS SQL objects (such as databases or tables), MS Exchange objects (such as emails), and MS Active Directory objects or containers (such as users, groups, computers, etc.). You can also restore particular files or folders. Object and file recovery are performed directly from compressed and deduplicated backups without requiring you to first recover the entire VM. This saves you significant amounts of time in cases where you only need a lost object or a corrupted file.
Application-aware backup mode keeps the data of backed-up VMs that run applications such as Microsoft Exchange, Active Directory, SQL, or SharePoint consistent. Memory and input/output operations are flushed when a backup is performed. Without this functionality, the effect would be similar to the server powering off unexpectedly due to power loss. NAKIVO Backup & Replication uses the Microsoft Volume Shadow Copy service (VSS) to freeze the VMs and create application-consistent backups of your Windows-based VMs.
MS Exchange and MS SQL log truncation helps you save disk space. Microsoft Exchange and SQL servers record each change made to their databases in transaction logs. This approach is used primarily for data protection purposes. By replaying the logs, data that has been erroneously changed or removed from the database can be recovered. The files to which logs are recorded grow over time and can eventually fill up the disk, causing a server crash. NAKIVO Backup & Replication truncates (removes) MS Exchange and MS SQL log files after creating a successful backup of the VM.
Active Directory Integration provides centralized management with the ability to authenticate and authorize users or computers in client-server Windows networks (Domain type networks). NAKIVO Backup & Replication can be integrated with Active Directory. Domain users can log in to NAKIVO Backup & Replication with their domain credentials.
Nested virtualization is a useful new Hyper-V feature that allows you to deploy virtual machines within virtual machines. As a result, you can build labs containing virtualized infrastructures within a single computer. Nested virtualization can be used for training, testing, and development. The feature is also useful in cases where using the regular virtual machines on physical servers is not an option – usually for security or financial reasons.
Whether you choose to use nested virtualization or not, you need to make sure your Hyper-V environment is protected. NAKIVO Backup & Replication can provide fast and reliable Hyper-V backup for infrastructures of any size.