From a security point of view, a secure option that is being used for example by VPS hosting providers that we work with, is to DMZ the VMs, not the hyper-v host.
By DMZ-ing the VMs instead of the host, you can access and backup the host as usual and have only the VMs exposed to the outside. Attackers cannot easily access the host from the VM. Only the Hyper-V integration services would potentially and theoretically permit some malicious software perhaps to talk to the host; however, Microsoft has safeguarded this quite well so far.
All strategies including the above have their own pros and cons:
- Adding a new backup NAS in the internal LAN and open the port between DMZ Hyper-V Server for backups
In that case the attacker takes over the host and can do whatever he wants, including damaging the backup device. By the way, ransomware does this, too. It can find network access shares and damage all files there as well.
- Adding a new NAS in the DMZ. Pro: no need change anything in the firewall
In that case the downside is the attacker could gain full access to the host, all VMs on it, and all backups of it, leaving you potentially with nothing to restore from in case of an attack.
If you DMZ all VMs using static IP addresses, the risk is limited to the internals of each VM. The downside is you need to DMZ all VMs separately, but the host would remain on the internal network and protected as-is, including backups etc.
Another security ‘trick’ is to setup an isolated virtual switch and attach a separate NIC for those DMZ VMs so the VMs have no way of talking to the internal network, including the host. That would give you another layer of security in case someone hacks into the VM.
Welcome to BackupChain, the Hyper-V Server Backup Software for IT Professionals!
Download BackupChain now, our Server 2016 backup software that is specifically made for IT pros. Cloud backup, Hyper-V virtual machine backup, VMware server backup, Exchange server backup, and complete file server backup, all in one package. Beyond server backup, BackupChain also includes a DIY cloud server that works on all versions of Windows from XP to Windows 10, and from Windows Server 2003 to Windows Server 2016.