Introduction
Running nested Hyper-V inside an Azure VM is a common solution for migrating legacy workloads that are not immediately cloud-native.
But there is a catch.
When nested virtual machines use NAT, Azure networking behaves very differently from on-premises environments. Without understanding these differences, inbound and outbound connectivity can fail in ways that are hard to troubleshoot.
This guide explains how to forward private Azure traffic through Azure Firewall (or another NVA) to nested Hyper-V VMs, keeping the path fully private and supported.
Architecture Overview
IP Addressing
| Component | IP Address |
|---|---|
| Hyper-V Host (Azure VM) | 10.0.0.4 |
| Nested VM 1 | 192.168.1.2 |
| Nested VM 2 | 192.168.1.3 |
| NAT Subnet | 192.168.1.0/24 |
Traffic Flow
Source (e.g., Azure VM, S2S/P2S) → Azure Firewall → Hyper-V Host → Windows NAT → Nested VM
Step 1 – Create NAT Network on Hyper-V Host
```powershell
# Internal switch: the host gets a "vEthernet (NATSwitch)" adapter that acts as the NAT gateway
New-VMSwitch -Name "NATSwitch" -SwitchType Internal
# Gateway address for the nested VMs
New-NetIPAddress -InterfaceAlias "vEthernet (NATSwitch)" -IPAddress 192.168.1.1 -PrefixLength 24
# NAT for the whole nested subnet
New-NetNat -Name "NATNetwork" -InternalIPInterfaceAddressPrefix "192.168.1.0/24"
```
Step 2 – Enable Routing on Hyper-V Host
```powershell
# Enable IP forwarding on the host so traffic arriving on the Azure vNIC is routed into the NAT subnet
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name IPEnableRouter -Value 1
```
Reboot the host after this step.
Step 3 – Configure Nested VMs
- IP: 192.168.1.x
- Gateway: 192.168.1.1
- DNS: Private DNS Resolver or DNS server
Step 4 – Configure NAT Port Forwarding
```powershell
# -ExternalIPAddress is a required parameter; 0.0.0.0 means "any address on the host" (here the Azure vNIC 10.0.0.4)
Add-NetNatStaticMapping -NatName "NATNetwork" -Protocol TCP -ExternalIPAddress "0.0.0.0" -ExternalPort 33892 -InternalIPAddress 192.168.1.2 -InternalPort 3389
Add-NetNatStaticMapping -NatName "NATNetwork" -Protocol TCP -ExternalIPAddress "0.0.0.0" -ExternalPort 33893 -InternalIPAddress 192.168.1.3 -InternalPort 3389
```
Step 5 – Azure Firewall Rules
To allow connectivity to the nested virtual machines, configure an Azure Firewall network rule that permits inbound TCP traffic to the Hyper-V host on the forwarded ports only.
Firewall rule configuration
- Source: Allowed source IP address(es) or IP Group
- Destination: Hyper-V server (Azure VM) 10.0.0.4
- Destination ports: 33892, 33893
- Protocol: TCP
This rule ensures that RDP traffic is correctly forwarded to the nested VMs via the Hyper-V NAT configuration.
Step 6 – Test Connectivity
```powershell
# tnc is the alias of Test-NetConnection; run from an allowed source behind the firewall
tnc 10.0.0.4 -Port 33892
tnc 10.0.0.4 -Port 33893
```
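Before handing the port list to the Azure Firewall rule, it is worth checking that the host forwards exactly the mappings the guide intends and nothing more. The following script is an added example, not part of the original guide; it assumes the names and addresses used above (NATSwitch, NATNetwork, 192.168.1.1/24 and the two RDP mappings) and runs in an elevated PowerShell session on the Hyper-V host.

```powershell
# Added verification script (not part of the original guide). Run on the Hyper-V host as Administrator.
# Assumes the guide's names/addresses: NAT "NATNetwork", switch "NATSwitch", gateway 192.168.1.1/24,
# and the two RDP mappings 33892 -> 192.168.1.2:3389 and 33893 -> 192.168.1.3:3389.
$NatName    = 'NATNetwork'
$SwitchName = 'NATSwitch'
$Expected   = @(
    @{ ExternalPort = 33892; InternalIPAddress = '192.168.1.2'; InternalPort = 3389 },
    @{ ExternalPort = 33893; InternalIPAddress = '192.168.1.3'; InternalPort = 3389 }
)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. IP forwarding must be on, otherwise the host will not route between the Azure vNIC and the NAT subnet.
$router = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').IPEnableRouter
if ($router -ne 1) { $findings.Add("IPEnableRouter is '$router', expected 1 (reboot required after setting it)") }

# 2. Internal switch and the gateway address the nested VMs point at.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) { $findings.Add("VM switch '$SwitchName' is missing") }
$gwIps = @(Get-NetIPAddress -InterfaceAlias "vEthernet ($SwitchName)" -AddressFamily IPv4 -ErrorAction SilentlyContinue |
          Where-Object PrefixLength -eq 24 | ForEach-Object IPAddress)
if ($gwIps -notcontains '192.168.1.1') { $findings.Add("vEthernet ($SwitchName) does not carry 192.168.1.1/24") }

# 3. The NAT object and its internal prefix.
$nat = Get-NetNat -Name $NatName -ErrorAction SilentlyContinue
if (-not $nat) { $findings.Add("NAT '$NatName' is missing") }
elseif ($nat.InternalIPInterfaceAddressPrefix -ne '192.168.1.0/24') {
    $findings.Add("NAT prefix is $($nat.InternalIPInterfaceAddressPrefix), expected 192.168.1.0/24")
}

# 4. Static mappings: every expected mapping must exist, and nothing else may be forwarded.
$actual = @(Get-NetNatStaticMapping -NatName $NatName -ErrorAction SilentlyContinue)
foreach ($e in $Expected) {
    $hit = $actual | Where-Object { $_.Protocol -eq 'TCP' -and $_.ExternalPort -eq $e.ExternalPort -and
                                    $_.InternalIPAddress -eq $e.InternalIPAddress -and $_.InternalPort -eq $e.InternalPort }
    if (-not $hit) { $findings.Add("Missing mapping TCP $($e.ExternalPort) -> $($e.InternalIPAddress):$($e.InternalPort)") }
}
foreach ($m in $actual) {
    $known = $Expected | Where-Object { $_.ExternalPort -eq $m.ExternalPort -and $_.InternalIPAddress -eq $m.InternalIPAddress }
    if (-not $known) { $findings.Add("Unexpected mapping $($m.Protocol) $($m.ExternalPort) -> $($m.InternalIPAddress):$($m.InternalPort); remove it or add it to the firewall rule deliberately") }
}

# 5. Emit the port list for the Azure Firewall rule so it matches exactly what the host forwards.
$ports = ($actual | Sort-Object ExternalPort | ForEach-Object { $_.ExternalPort }) -join ','
Write-Output "Azure Firewall destination ports for 10.0.0.4: $ports"
if ($findings.Count -eq 0) { Write-Output 'NAT configuration matches the guide.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Re-run the script after any change to the mappings; a port that appears in the output but not in the firewall rule is simply unreachable, while a firewall port with no mapping behind it is an allow rule that should be removed.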
Conclusion
Azure Firewall forwards traffic to the Hyper-V host, which performs NAT to nested VMs. This pattern is private, secure, auditable, and supported in Azure.