Question

Hyper-V - Network Segmentation

  • December 15, 2025
  • 1 comment
  • 19 views

Stabz

Hi folks,
We are increasingly deploying Hyper-V environments following recent changes in VMware’s pricing model. In my designs, I typically separate production and backup infrastructures into dedicated VLANs.

However, when using an on-host configuration, applying this architecture means that traffic will inevitably pass through the firewall, which could lead to excessive load and negatively impact backup performance.

The most straightforward approach today is to implement both Veeam and Hyper-V components within the same subnet to avoid any routing.

How are you currently handling this in your environment?

1 comment

lukas.k
  • Influencer
  • December 15, 2025

Hi @Stabz,

Pretty easy from a security pov: You need to have proper segmentation in place.


I always recommend that customers have proper segmentation in place, dedicated to the DR environment (which Veeam should be declared as part of). You could have those VLANs:

  • Data VLAN: for communication between VBR, repo, proxy, etc.
  • MGMT VLAN (dedicated for DR!): for OOBM of tape libraries and physical components
  • Immutable VLAN: for OOBM of immutable storages

With that, you shouldn’t use a single VLAN for both Veeam and Hyper-V. Yes, it might be the easiest one to handle (you don’t have to worry about policies), but at the end of the day, in case your prod gets attacked / infiltrated, attackers could easily and without a firewall get access to your Veeam / DR systems without having too much trouble. This is to be avoided.

My recommendation: When planning such an environment you should use a physical firewall with the proper sizing that can handle that kind of workload. You also have to make sure that you have all required fw rules in place (refer to the Veeam KBs to make sure to cover the policies properly).

Yes, that might be additional workload for the fw, but it is necessary for ensuring security measures.

Most state-of-the-art firewalls already have a throughput of at least 10 Gbit. Some customers even use dedicated firewalls only for that scenario.


Tip 1: Make sure to disable IPS and IDS for that kind of traffic since it would add a massive workload to the fw.

Tip 2: In case you have dedicated storage, make sure to consider using an Off-Host Proxy to retrieve data directly from the storage, to avoid having the Hyper-V servers handle that traffic (On-Host Proxy).

Hope that gives a good first impression.


Best

Lukas
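As an added example (not part of Lukas's reply or any Veeam documentation), the host-side half of the VLAN layout he describes: a Hyper-V Switch Embedded Teaming switch with one tagged management-OS vNIC per DR role (Data, MGMT, Immutable), production VMs tagged into their own VLAN, and a check that no VM ends up sharing a VLAN with a DR vNIC. The switch name, NIC names and VLAN IDs are placeholders. The inter-VLAN firewall rules still have to be built separately from the Veeam KBs, as the reply says; this script only makes sure the host actually separates the traffic so the firewall sees it.

```powershell
# Added example, not from the original thread. Placeholders below are
# assumptions: replace switch name, NIC names and VLAN IDs with your own.
$SwitchName = 'SET-Core'                 # assumed switch name
$TeamNics   = 'NIC1', 'NIC2'             # assumed physical adapters in the team

# Role -> VLAN ID mapping (IDs are illustrative, not from the thread)
$Vlans = @{
    'Prod'      = 10   # production VM traffic
    'DR-Data'   = 20   # VBR, repository, proxy communication
    'DR-Mgmt'   = 30   # OOBM of tape libraries / physical components
    'Immutable' = 40   # OOBM of immutable storage
}
$DrRoles = 'DR-Data', 'DR-Mgmt', 'Immutable'

# 1. Create the SET switch with no untagged management OS adapter, so the
#    host never lands in whatever VLAN the uplink treats as native.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -NetAdapterName $TeamNics `
        -EnableEmbeddedTeaming $true -AllowManagementOS $false | Out-Null
}

# 2. One access-mode (tagged) management OS vNIC per DR role.
foreach ($role in $DrRoles) {
    if (-not (Get-VMNetworkAdapter -ManagementOS -Name $role -ErrorAction SilentlyContinue)) {
        Add-VMNetworkAdapter -ManagementOS -Name $role -SwitchName $SwitchName
    }
    Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $role `
        -Access -VlanId $Vlans[$role]
}

# 3. Every production VM adapter on this switch is tagged into the Prod VLAN.
Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.SwitchName -eq $SwitchName } |
    Set-VMNetworkAdapterVlan -Access -VlanId $Vlans['Prod']

# 4. Verification: report any DR vNIC that is not in access mode (untagged or
#    trunk would silently collapse the segmentation) and any VM that sits in a
#    DR VLAN. Returns a list of findings; empty means the layout holds.
function Test-DrSegmentation {
    $drIds = $DrRoles | ForEach-Object { $Vlans[$_] }
    $problems = @()
    foreach ($v in Get-VMNetworkAdapterVlan -ManagementOS) {
        if ($v.OperationMode -ne 'Access') {
            $problems += "Management vNIC '$($v.ParentAdapter.Name)' is in mode '$($v.OperationMode)', expected Access"
        }
    }
    foreach ($v in (Get-VM | Get-VMNetworkAdapterVlan)) {
        if ($v.OperationMode -eq 'Access' -and $drIds -contains $v.AccessVlanId) {
            $problems += "VM '$($v.ParentAdapter.VMName)' is in DR VLAN $($v.AccessVlanId)"
        }
    }
    return $problems
}

$issues = Test-DrSegmentation
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { 'Segmentation check passed: no VM shares a VLAN with a DR vNIC' }
```

Run it elevated on each Hyper-V host after the physical switch ports facing the team have been configured as trunks carrying the four VLANs; the check in step 4 is worth keeping as a scheduled job, since a single untagged vNIC added later by hand is enough to put the host back into the production broadcast domain.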