Part 3: Isolation Networks, Firewalls, and 40TB NAS Integration

Enterprise Hyper-V Containerization with Docker, Isolation Networks, and High-Performance NAS

Part 3: Isolation Networks, Firewalls, and 40TB NAS Integration

Author: Virtology – https://virtology.blogspot.com/
Series Overview:
Parts 1 and 2 established a secure, hardened Hyper-V foundation and enterprise Docker environment using Hyper-V isolation and TLS-based security.
In this final installment, we’ll design an isolation network architecture, configure secure firewalls, and attach an ultra-fast 40TB all-flash NAS array using modern SMB and RDMA technologies to achieve maximum throughput and minimal latency.

1. Designing the Network Architecture

Objective: Build a segmented network architecture that separates management, container, and storage traffic for predictable performance and enhanced security.

Recommended VLAN Design:

Network ZoneVLANPurposeExample Subnet
Management10Host administration10.10.10.0/24
Container20Container traffic10.10.20.0/24
Storage30NAS/iSCSI/SMB traffic10.10.30.0/24
External40Internet or DMZ access10.10.40.0/24

Best Practice:
Use VLAN tagging and dedicated NICs or vNICs for each zone. This prevents cross-traffic contamination and isolates attack surfaces between workloads.

Hyper-V Switch Configuration Example:

# Create isolated switches
New-VMSwitch -Name "vSwitch-Management" -NetAdapterName "NIC1" -AllowManagementOS $True
New-VMSwitch -Name "vSwitch-Container" -NetAdapterName "NIC2" -AllowManagementOS $False
New-VMSwitch -Name "vSwitch-Storage" -NetAdapterName "NIC3" -AllowManagementOS $False

# Assign VLAN IDs
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "vSwitch-Management" -Access -VlanId 10
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "vSwitch-Container" -Access -VlanId 20
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "vSwitch-Storage" -Access -VlanId 30

Verification:

Get-VMNetworkAdapterVlan

Microsoft Reference:
https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/virtual-switch

2. Implementing Windows Firewall and Network Security Zones

Once VLANs are established, enforce zone-based firewalls using Windows Defender Firewall with Advanced Security.

Firewall Profiles:

  • Domain Profile: For management and AD-integrated services

  • Private Profile: For container communication within trusted networks

  • Public Profile: For external or untrusted traffic

Example Rules:

# Allow management tools (RDP, WAC)
New-NetFirewallRule -DisplayName "Allow RDP Management" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow
New-NetFirewallRule -DisplayName "Allow Windows Admin Center" -Direction Inbound -Protocol TCP -LocalPort 6516 -Action Allow

# Allow Docker TLS traffic
New-NetFirewallRule -DisplayName "Allow Docker TLS" -Direction Inbound -Protocol TCP -LocalPort 2376 -Action Allow

# Restrict inter-VLAN communication
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Allow

Best Practice:

  • Use group policy-based firewall deployment for consistency.

  • Implement IPsec policies between management and storage zones.

  • Regularly export and version-control firewall configurations:

    netsh advfirewall export "C:\firewall-config.wfw"

Microsoft Reference:
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security

3. Connecting and Configuring the NAS Storage Array

For high-performance storage, use a dedicated NAS array built on all-flash NVMe or M.2 drives.
Vendors: Dell PowerVault ME5 Series or HPE Alletra 6000 series both deliver exceptional IOPS with NVMe and 25/40GbE uplinks.

Configuration Goals:

  • 40TB usable all-flash capacity

  • SMB 3.1.1 over RDMA (SMB Direct)

  • AES-256 encryption in-transit and at-rest

  • Multipath I/O for fault tolerance

Example Storage Network Setup:

New-NetIPAddress -InterfaceAlias "NIC3" -IPAddress 10.10.30.10 -PrefixLength 24
New-SmbMultichannelConstraint -InterfaceAlias "NIC3"

SMB 3.1.1 Encryption and RDMA:

Set-SmbServerConfiguration -EncryptData $True -EnableSMBDirect $True
Get-SmbServerConfiguration | Select EncryptData, EnableSMBDirect

Best Practice:

  • Use RDMA-capable NICs (RoCEv2 or iWARP) for the storage network.

  • Configure Jumbo Frames (MTU 9014) to minimize CPU load and improve throughput.

  • Avoid using the same network for container traffic and storage access.

Microsoft Reference:
https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-direct

4. Integrating NAS Storage into Hyper-V and Docker

Mounting NAS as SMB Share

New-PSDrive -Name "S" -PSProvider FileSystem -Root "\\NAS01\DockerData" -Persist

Moving Docker Storage to NAS

Update Docker’s daemon.json file:

{
  "data-root": "S:\\DockerData",
  "exec-opts": ["isolation=hyperv"]
}

Restart Docker:

Restart-Service docker

Why:
Hosting container data and volumes on NAS improves resiliency and performance while offloading I/O from the Hyper-V host. NAS-based volumes can be snapshotted and replicated independently.

5. Implementing Storage Encryption and Access Control

Enable at-rest encryption on NAS volumes:

  • Dell PowerVault: Use Self-Encrypting Drives (SEDs) with Secure Enterprise Key Manager (SEKM).

  • HPE Alletra: Enable encryption via Aruba Key Management Server (AKMS) integration.

SMB Encryption on Windows Server:

Set-SmbServerConfiguration -EncryptData $True

Access Control:

icacls "S:\DockerData" /inheritance:r
icacls "S:\DockerData" /grant "svc_docker:(OI)(CI)M"

Best Practice:
Use least-privilege permissions for Docker service accounts. Never mount NAS shares with administrative credentials. Regularly rotate service account passwords and audit SMB connections.

6. Performance Testing and Optimization

Measuring IOPS and Latency

DiskSpd Example:

diskspd.exe -d60 -r -w50 -b8K -t8 -o32 -Sh S:\DockerData\testfile.dat

Optimizations:

  • Enable Windows Storage QoS to prevent noisy-neighbor issues:

    Set-VMHardDiskDrive -VMName "ContainerHost01" -ControllerType SCSI -QoSPolicyID (New-StorageQosPolicy -Name "ContainerQoS" -MaximumIops 50000).PolicyId

  • Enable SMB Multichannel for parallel throughput:

    Get-SmbMultichannelConnection

Benchmark Target:

  • 1M+ read IOPS

  • Sub-millisecond latency for 4K random reads

  • Sustained throughput > 20 GB/s on 40GbE with NVMe backend

Microsoft Reference:
https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-performance

7. Backup, Replication, and Disaster Recovery

Backup Strategy:

  • Use Windows Server Backup or Veeam with Hyper-V integration.

  • Snapshot NAS volumes before patching or container updates.

Replication:

  • Use Storage Replica between NAS devices for synchronous data protection.

  • Configure:

    New-SRPartnership -SourceComputerName "NAS01" -SourceRGName "RG01" -SourceVolumeName "S:" -DestinationComputerName "NAS02" -DestinationRGName "RG02" -DestinationVolumeName "S:"

Best Practice:
Maintain at least one off-site replica. Use immutable backups to protect against ransomware.

8. Validation and Monitoring

  • Validate network isolation using Test-NetConnection and VLAN inspection.

  • Monitor Hyper-V, Docker, and SMB performance via Performance Monitor and Windows Admin Center.

  • Forward critical logs (event ID 1006, 5120, 3008) to a centralized SIEM such as Graylog.

9. Summary

Your Hyper-V and Docker containerization environment now features:

  • Segmented isolation networks with VLAN and firewall enforcement

  • Hardened, TLS-secured Docker infrastructure

  • 40TB NAS integration with RDMA, SMB 3.1.1, and all-flash storage performance

  • Enterprise-grade encryption, replication, and monitoring

  • Consistent, secure, and high-performance compute for containerized workloads

This architecture balances speed, scalability, and security — ready for production deployment in demanding enterprise environments.

References and Further Reading

Published by Virtology
Exploring virtualization, performance tuning, and secure enterprise design.
Visit: https://virtology.blogspot.com/

Location: Orangeburg, SC 29115, USA

Comments

Post a Comment

Got something to say? Drop a comment below — let’s chat!

Popular posts from this blog

Proxmox VE + full Kubernetes (kubeadm) step-by-step

  Production-ready guide: Proxmox VE + full Kubernetes (kubeadm) step-by-step A practical, end-to-end walkthrough to deploy a hardened Proxmox VE environment and run a production-grade Kubernetes control plane and worker nodes (kubeadm). Includes HA control-plane, etcd considerations, load-balancing, networking (Calico), storage (Longhorn + option for Ceph), security hardening, backups, and monitoring. This blog assumes you have basic Linux + virtualization familiarity and a small cluster of physical servers for Proxmox (3+ nodes recommended for HA). Where choices exist I explain trade-offs and give concrete commands and config snippets you can copy. Outline Goals & prerequisites Logical architecture (ASCII diagram) Prepare Proxmox VE hosts (install & base hardening) Proxmox networking and storage planning Create cloud-init VM template for Kubernetes nodes Deploy VMs for Kubernetes control plane and workers Provision HA load balancer for kube-api (H...
Read more

Monitoring Virtualized Environments with Graylog: A Complete Guide

  Monitoring Virtualized Environments with Graylog: A Complete Guide Virtualization has become the backbone of modern datacenters, but as environments grow, so does the challenge of monitoring them effectively. Whether you’re running VMware vSphere, Hyper-V, Proxmox, KVM, Xen, or Nutanix , log visibility is essential for performance, capacity planning, and security. Graylog , with its flexible pipelines, dashboards, and alerting capabilities, provides a powerful centralized logging solution for virtualized infrastructures of all sizes. This guide walks through everything you need to know to monitor your virtual environment using Graylog—from collecting hypervisor logs to building dashboards and alerts that actually matter. Why Graylog for Virtualization Monitoring? Virtualization platforms all generate significant amounts of structured and unstructured log data: Host health VM lifecycle changes Storage access Virtual network changes Failovers and migrations ...
Read more

Building a Secure Virtual OPNsense 26.1 Firewall with VLANs, DMZ, and CARP High Availability

  Building a Secure Virtual OPNsense 26.1 Firewall with VLANs, DMZ, and CARP High Availability In this guide, we’ll walk through setting up OPNsense 26.1 as a primary gateway in a virtualized environment using Hyper-V , with VLAN segmentation, a DMZ, staged VPN, and optional CARP failover for high availability. This architecture ensures strong isolation, centralized traffic control, and enterprise-grade security — all without joining the firewall or hypervisor to Active Directory , reducing the attack surface. 1️⃣ Architecture Overview Logical Design Internet │ [External vSwitch] │ WAN (OPNsense) ┌──────────────────┐ │ OPNsense │ │ VLAN Gateways + HA│ └──────────────────┘ │ [Internal vSwitch - Trunk] │ ┌───────────────┬──────...
Read more