Hyper-V provides three primary types of virtual networks: external, internal, and private. Private virtual networks (not to be confused with virtual private networks) are often overlooked, but they offer a great deal of flexibility when designing the security boundaries of your network.
A private virtual network is not bound to a physical network adapter, and traffic from the VMs attached to it is completely isolated from the management operating system and from any external network. Unlike an internal virtual network, it does not even give the management operating system a connection. The result is that a private virtual network only allows communication between virtual machines on the same Hyper-V host.
There are many scenarios where this is useful. For instance, if an externally accessible web server talks to a database server, the web server can be given one network adapter on an external network and a second adapter on a private network, with the database server placed only on the private network. The database then has no path to the outside world except through the web server, which becomes the one machine you must harden as a pivot point. In another scenario, a file/print server that is only accessed by users of a terminal server can likewise be placed on a private network, with the terminal server straddling both. The goal in both cases is to limit the attack surface of the servers placed on the private network. Keep in mind that such a server also loses its direct path to patching, backup and monitoring systems, so those have to reach it through the bridging VM or through another isolated route you plan for up front.
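As an added example that is not part of the original post, here is the web/database layout described above built with the Hyper-V PowerShell module (Windows Server 2012 or later, where the module calls these objects virtual switches rather than virtual networks). The switch names, the VM names WEB01 and DB01, and the physical adapter name "Ethernet" are assumptions for illustration. The function at the end is the check a practitioner would want: it lists every adapter on the VMs that are supposed to be isolated and flags any that sits on a switch which is not of type Private, which catches the common mistake of "fixing" a connectivity problem by attaching the backend VM to the external switch.

```powershell
#Requires -Modules Hyper-V
# Added example: build the web/database layout from the text with the Hyper-V
# PowerShell module. Switch names, VM names and "Ethernet" are assumptions.

# External switch bound to the physical NIC. The management OS gets no adapter
# on it, so host traffic and DMZ traffic stay separate.
New-VMSwitch -Name 'External-DMZ' -NetAdapterName 'Ethernet' -AllowManagementOS $false

# Private switch: no physical binding and no management-OS adapter. Only VMs on
# this host that are attached to it can talk to each other.
New-VMSwitch -Name 'Private-Backend' -SwitchType Private

# Web server (assumed VM name WEB01): its existing adapter goes to the external
# switch and a second adapter is added on the private switch. It is the only
# bridge between the two networks, so it is the machine to harden.
Connect-VMNetworkAdapter -VMName 'WEB01' -SwitchName 'External-DMZ'
Add-VMNetworkAdapter     -VMName 'WEB01' -Name 'Backend' -SwitchName 'Private-Backend'

# Database server (assumed VM name DB01): its only adapter goes to the private switch.
Connect-VMNetworkAdapter -VMName 'DB01' -SwitchName 'Private-Backend'

# Audit check: for each VM that is supposed to be isolated, report every adapter
# and whether it is connected only to a Private switch. A disconnected adapter
# leaks nothing and is reported as isolated.
function Test-VMPrivateOnly {
    param([Parameter(Mandatory)][string[]]$VMName)

    $privateSwitches = @(Get-VMSwitch |
        Where-Object { $_.SwitchType -eq 'Private' } |
        Select-Object -ExpandProperty Name)

    foreach ($vm in $VMName) {
        foreach ($nic in Get-VMNetworkAdapter -VMName $vm) {
            $isolated = [string]::IsNullOrEmpty($nic.SwitchName) -or
                        ($privateSwitches -contains $nic.SwitchName)
            [pscustomobject]@{
                VM       = $vm
                Adapter  = $nic.Name
                Switch   = $nic.SwitchName
                Isolated = $isolated
            }
        }
    }
}

# Fail loudly if a backend VM has an adapter on anything other than a private switch.
$report = Test-VMPrivateOnly -VMName 'DB01'
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Isolated }) {
    throw 'Isolation violation: a backend VM has an adapter on a non-private switch.'
}
```

The audit is cheap enough to run from a scheduled task on the host; the throw turns a quiet misconfiguration into a visible failure. Note that it checks switch type only, not what the bridging web server forwards, so the web server still needs its own host firewall rules to keep the private side reachable only on the ports the application needs.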
A private virtual network isn't the right fit for every workload, but in many deployments it adds real security benefits. When planning your next Hyper-V deployment, make sure you don't count it out.