Nested Hyper-V VMs in Azure have been available for a while now. They are great for a lot of different scenarios, from unsupported operating systems that run legacy applications to sandbox environments.
After creating these VMs in a nested Hyper-V Virtual Machine (VM), you will possibly want to connect them to other VMs in Azure. With the current restrictions on the Azure backend network, it is not possible to create an external switch and give the Hyper-V VMs direct access to the Hyper-V host's physical network.
Despite this restriction, there is a solution!
The solution is to configure NAT so that VMs can access the internet from the Hyper-V host's public IP address, and to configure additional routing to enable connectivity to other VMs in Azure and vice versa, so other VMs in Azure can access the Hyper-V VMs.
There are various blog posts out there that cover the initial setup, so I will only quickly show how to create a base setup. The purpose of this blog post is to document how you can “Connect to nested Hyper-V VMs in Azure from another Virtual Network using VPN Gateway”.
Recommended blog post to assist you with configuring the initial setup:-
Azure Hyper-V host and Virtual network setup
Virtual Network:-
Virtual Network Name:- tamops-hyperv-vnet
Address Space:- 10.2.0.0/16
Subnet1:- NAT – 10.2.0.0/24
Subnet2:- LAN – 10.2.1.0/24
Subnet3:- GatewaySubnet – 10.2.4.0/24
Hyper-V Host:-
Virtual Machine Name:- tamops-hypervvm
Virtual Machine Size:- D2s_v3 (Dv3 & Ev3 are supported for nested virtualisation)
Nic1:- Subnet NAT – 10.2.0.4
Nic2:- Subnet LAN – 10.2.1.4 – IP forwarding enabled
Azure VPN Gateway also deployed in GatewaySubnet
Azure VM in different Virtual network setup
Virtual Network:-
Virtual Network Name:- tamops-production
Address Space:- 192.168.0.0/16
Subnet1:- vmtest – 192.168.0.0/24
Subnet2:- GatewaySubnet – 192.168.1.0/24
Virtual Machine Name:- tamops-vm1
Virtual Machine Size:- DS1_v2
Nic1:- Subnet vmtest – 192.168.0.4
Azure VPN Gateway also deployed in GatewaySubnet
Azure Hyper-V host setup
Server Roles that will be installed on the host:-
- Hyper-V
- Routing/RRAS
- DHCP
DHCP will be used to automatically assign IP addresses to the Hyper-V VMs, with RRAS used to route the traffic correctly.
PowerShell to install services:-
Install-WindowsFeature -Name Hyper-V,Routing,DHCP -IncludeManagementTools -Restart
Virtual Switch Setup
Create a virtual switch that will be used by Hyper-V VMs as a bridge for both NAT and routing
New-VMSwitch -Name "tamopsSwitch" -SwitchType Internal
New-NetIPAddress -IPAddress 10.2.2.1 -PrefixLength 24 -InterfaceAlias "vEthernet (tamopsSwitch)"
DHCP Setup
Create a DHCP scope that will be used to assign IP addresses to the Hyper-V VMs. Use a valid public DNS server; for this I have used Google’s.
Add-DhcpServerV4Scope -Name "tamopsSwitch" -StartRange 10.2.2.2 -EndRange 10.2.2.254 -SubnetMask 255.255.255.0
Set-DhcpServerV4OptionValue -DnsServer 8.8.8.8 -Router 10.2.2.1
RRAS and Routing Setup
Open Routing and Remote Access
Right click on your VM name and select Configure and Enable Routing and Remote Access

Select Custom Configuration

Select NAT & LAN Routing

Click finish & Start service

Create NAT for internet access on Hyper-V VMs
Select IPv4 -> NAT -> Right click and new interface
Ethernet will be your interface you want to NAT
Ethernet2 is the “lan” subnet

Select as below

Static Routes Setup
Now to create 2 static Routes for the NICs
- One for primary interface to avoid asymmetric routing
- One to allow Azure VMs to communicate with Hyper-V VMs
On Static Routes -> right click and New Static Route, create these two as below

The deployment so far
The Hyper-V host is now set up, and the Hyper-V VMs will now be able to communicate with the internet and also with other Azure VMs.
At the start of this blog, I mentioned that I was going to show how Hyper-V VMs can communicate to another Azure VM in a different subnet with Azure Gateway VPNs in place.
Azure route tables need to be configured, along with an additional static route on the Azure Hyper-V host.
Additional Routing Setup
Add additional static route as below

Create two Azure Route tables
Routetable Name:- Routetable1
Virtual network gateway route propagation enabled
Route:- RouteName: hyper-vvm AddressPrefix: 10.2.2.0/24 NextHop: Virtual appliance with IP: 10.2.1.4

Assign to both LAN & GatewaySubnets of Virtual Network tamops-hyperv-vnet

Routetable Name:- Routetable2
Virtual network gateway route propagation enabled
Route:- RouteName: hyper-vvm AddressPrefix: 10.2.2.0/24 NextHop: Virtual network gateway

Assign to vmtest subnet of Virtual Network tamops-production
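The two route tables above can also be created and assigned with the Az PowerShell module. This is an added example, not part of the original post; the resource group names, region and NIC name are placeholders that are not given on this page.

```powershell
# Added example: values in <...> are placeholders (assumptions), not from the post.
$rgHyperV = '<resource-group-of-tamops-hyperv-vnet>'
$rgProd   = '<resource-group-of-tamops-production>'
$location = '<azure-region>'
$nested   = '10.2.2.0/24'   # nested VM range handed out by DHCP on tamopsSwitch

# Routetable1: inside tamops-hyperv-vnet, nested-VM traffic goes to the host's LAN NIC.
$r1  = New-AzRouteConfig -Name 'hyper-vvm' -AddressPrefix $nested `
           -NextHopType VirtualAppliance -NextHopIpAddress '10.2.1.4'
$rt1 = New-AzRouteTable -Name 'Routetable1' -ResourceGroupName $rgHyperV `
           -Location $location -Route $r1

# Routetable2: inside tamops-production, nested-VM traffic goes to the VPN gateway.
$r2  = New-AzRouteConfig -Name 'hyper-vvm' -AddressPrefix $nested `
           -NextHopType VirtualNetworkGateway
$rt2 = New-AzRouteTable -Name 'Routetable2' -ResourceGroupName $rgProd `
           -Location $location -Route $r2
# Gateway route propagation stays enabled because -DisableBgpRoutePropagation is not passed.

function Set-SubnetRouteTable {
    param([string]$VNetName, [string]$ResourceGroup,
          [string[]]$SubnetNames, $RouteTable)
    $vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
    foreach ($name in $SubnetNames) {
        $subnet = $vnet.Subnets | Where-Object Name -eq $name
        if (-not $subnet) { throw "Subnet '$name' not found in $VNetName" }
        # Set only the route table so an existing NSG or other subnet settings are kept.
        $subnet.RouteTable = $RouteTable
    }
    $vnet | Set-AzVirtualNetwork | Out-Null
}

Set-SubnetRouteTable -VNetName 'tamops-hyperv-vnet' -ResourceGroup $rgHyperV `
    -SubnetNames 'LAN', 'GatewaySubnet' -RouteTable $rt1
Set-SubnetRouteTable -VNetName 'tamops-production' -ResourceGroup $rgProd `
    -SubnetNames 'vmtest' -RouteTable $rt2

# Check: the effective routes on tamops-vm1's NIC should list 10.2.2.0/24
# with the virtual network gateway as next hop.
Get-AzEffectiveRouteTable -NetworkInterfaceName '<nic-of-tamops-vm1>' `
        -ResourceGroupName $rgProd |
    Where-Object { $_.AddressPrefix -contains $nested } |
    Select-Object Source, State, NextHopType, NextHopIpAddress
```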

Ready to test
For this test setup, I have configured an open Network security group (*) and also disabled Windows Firewall
Test ping from a Hyper-V VM to tamops-vm1 (Hyper-V VM has been assigned tamopsSwitch that was created earlier in blog post)

Test ping from tamops-vm1 to a Hyper-V VM

Awesome, the setup is now complete, with the ability to communicate between an Azure VM in a different Virtual Network and your nested Azure Hyper-V VM!
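The test above ran with an open Network security group and Windows Firewall disabled. The added example below (not part of the original post) shows a narrower rule set for the same two ping tests, limited to ICMP between the nested range and the vmtest subnet; the NSG names, resource groups and priorities are placeholders, and the guest rules assume Windows guests.

```powershell
# Added example: values in <...> and the priorities are assumptions, not from the post.
$nestedRange = '10.2.2.0/24'      # nested Hyper-V VMs behind tamopsSwitch
$vmtestRange = '192.168.0.0/24'   # vmtest subnet in tamops-production

# --- Run from an admin workstation with the Az module ---
function Add-IcmpAllowRule {
    param([string]$NsgName, [string]$ResourceGroup, [string]$RuleName,
          [string]$Source, [string]$Destination, [int]$Priority)
    Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup |
        Add-AzNetworkSecurityRuleConfig -Name $RuleName -Access Allow `
            -Protocol Icmp -Direction Inbound -Priority $Priority `
            -SourceAddressPrefix $Source -SourcePortRange '*' `
            -DestinationAddressPrefix $Destination -DestinationPortRange '*' |
        Set-AzNetworkSecurityGroup | Out-Null
}

# NSG in front of tamops-vm1: ICMP from the nested VMs only.
Add-IcmpAllowRule -NsgName '<nsg-for-vmtest>' `
    -ResourceGroup '<resource-group-of-tamops-production>' `
    -RuleName 'Allow-ICMP-from-nested-vms' `
    -Source $nestedRange -Destination $vmtestRange -Priority 200

# NSG in front of the Hyper-V host's LAN NIC: ICMP from vmtest to the nested VMs only.
Add-IcmpAllowRule -NsgName '<nsg-for-lan-subnet>' `
    -ResourceGroup '<resource-group-of-tamops-hyperv-vnet>' `
    -RuleName 'Allow-ICMP-from-vmtest' `
    -Source $vmtestRange -Destination $nestedRange -Priority 200

# --- Run inside tamops-vm1 (elevated PowerShell) ---
# Keep the firewall on and accept echo requests only from the nested range.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
New-NetFirewallRule -DisplayName 'ICMPv4 echo from nested Hyper-V VMs' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress '10.2.2.0/24' -Action Allow

# --- Run inside each Windows nested VM (elevated PowerShell) ---
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
New-NetFirewallRule -DisplayName 'ICMPv4 echo from vmtest subnet' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress '192.168.0.0/24' -Action Allow
```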
Thank you for the quick guide. Is it possible to also get direct connectivity between the Hyper-V VMs (the nested VMs) and the branch/remote office VMs connected via Azure VPN gateway without having to create NATing on the Azure VM/Hyper-V host? Or is this only possible from Azure VNets?
Hi Marco, for access from on-prem to Azure Hyper-V VMs, it’s the route table you pay attention to and the routing section of this blog.
I used NAT for outbound Internet access.