Hello All,
So I have a question that I cannot find the answer to directly but a lot of indirect opposite answers. So let me start it up by running the below config:
Server A has 4 network ports. Port 1 is statically set for the HOST only. Port 2-3 are set as a Team for all normal VM traffic. Port 4 is the one in question.
What I want to do with Port 4 is totally isolate it from all other traffic, Host and other VM. I am going to assign it one of our Public Static IPs but I want to make sure that all traffic on Port 4 can only talk with the 1 particular VM assigned to Port 4. The way I plan on doing it is to take Port 4 and turn it into a Virtual Switch and uncheck "Allow management operating system to share this network adapter" and assign it only to VM4. I'm assuming this is the right method but I would love to be 100% sure that no other traffic can get to the Host, as the Host is on our internal network behind our business firewall whereas Port 4 will be a direct line to the public internet. I guess I'm hoping someone can give me a warm fuzzy and state some MS doc that says all traffic can only get to the VM assigned to that port.
The other obvious option is to have a dedicated DMZ server to host this VM I suppose. VM 4 will be an FTP server for what it is worth.
Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
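
One way to build and then audit the configuration described in the post above, as an added example that is not part of the original post. The adapter name `Port 4`, switch name `DMZ-External` and VM name `VM4` are assumed placeholders, and the script must run elevated on the Hyper-V host.

```powershell
#Requires -Modules Hyper-V
# Assumed placeholder names; substitute the real adapter, switch and VM names.
$NicName    = 'Port 4'
$SwitchName = 'DMZ-External'
$VmName     = 'VM4'

# Create the external switch without a host (management OS) virtual adapter.
# This is the PowerShell form of unchecking "Allow management operating
# system to share this network adapter".
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -NetAdapterName $NicName -AllowManagementOS $false | Out-Null
}

$findings = @()

# 1. The switch itself must not be shared with the host.
$sw = Get-VMSwitch -Name $SwitchName
if ($sw.AllowManagementOS) {
    $findings += "Switch '$SwitchName' is shared with the management OS."
}

# 2. No host vNIC and no VM other than $VmName may be connected to the switch.
$attached = Get-VMNetworkAdapter -All | Where-Object { $_.SwitchName -eq $SwitchName }
foreach ($a in $attached) {
    if ($a.IsManagementOs) {
        $findings += "Host vNIC '$($a.Name)' is connected to the switch."
    } elseif ($a.VMName -ne $VmName) {
        $findings += "Unexpected VM '$($a.VMName)' is connected to the switch."
    }
}
if (-not ($attached | Where-Object { $_.VMName -eq $VmName })) {
    $findings += "VM '$VmName' is not connected to the switch."
}

# 3. On the physical NIC, the Hyper-V switch protocol (vms_pp) is the only
#    binding expected to be enabled; any other enabled binding (for example
#    ms_tcpip) means the host still has a protocol bound to that port.
$extra = Get-NetAdapterBinding -Name $NicName |
    Where-Object { $_.Enabled -and $_.ComponentID -ne 'vms_pp' }
foreach ($b in $extra) {
    $findings += "Host binding '$($b.ComponentID)' is enabled on '$NicName'."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { "No host or other-VM attachment found on '$SwitchName'." }
```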