We are running a Hyper-V server on our Windows Server 2008 R2. I have ordered a subnet because we would like to provide each of our VMs with a public IP address.
My data center provider (Hetzner AG from Germany) writes the following about it:
Problems with virtualization
With this type of IP/subnet allocation, it is not possible to use a "bridged" setup, as with such a setup several MAC addresses appear. VPS (Linux virtual servers, Xen, VMware, etc) must use a so-called "Routed" setup (VMware: "host-only networking"). With an additional subnet the host system or dom0 must be configured with an IP address from the subnet which is then used as a gateway for the VPS. The (additional) address of the host system must therefore be configured in the VPS in each case as a gateway. An exception to this rule is "openvz", which does not require a gateway. On the host system or dom0 "ip_forward" must be activated for each virtualization:
Well, what does this mean for me now? How do I have to configure Hyper-V?
Thanks for your help!
What they're saying is that if you have multiple different clients each with their own VM in your setup, using a subnet in bridged mode allows me to "see" other clients' MACs on my virtual NIC. This is a bit of a security thing, in that ideally, you'll want to isolate each client completely so that there's no risk of one client causing "harm" to another of your clients, which you'd likely wind up being responsible for.
The person at your hosting facility is simply reminding you that if you do what you want to do, you may be at risk of getting yourself into trouble.
I'm not sure it's possible to do host-only networking with public IPs on Hyper-V (or VMware for that matter). What I believe you should be doing instead is assigning all these IPs to the host, and then creating appropriate rules for NAT etc. for each IP to point to the private network of each client's VM(s).
Now, if this is a server for one organization we're talking about, and you don't have a need, security-wise, to isolate each service, then you may not care about this. Personally, I'd still isolate them, so that if one gets compromised, an attacker can't discover new machines just by looking at ARP.
It's saying that you'll need a router between your new subnet and their network to address their requirement of having 1 MAC address:1 Switchport. I'm not sure that Hyper-V provides an option for this natively, but you could set up RRAS on the host or buy a hardware router to put in between the host and the network.
In this context, this explanation of how to set it up in Windows Server 2012 might help: http://www.wiki.hetzner.de/index.php/Windows_Server_2012_Subnet/en (provided by the same provider mentioned in the initial question)
I don't know if this works for Win Server 2008, but I couldn't see a reason why it shouldn't.
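
The "routed" setup from the provider's note, sketched for a Windows host with `netsh` as an added example (it is not code from any poster or from the provider). It assumes an Internal virtual network already exists in Hyper-V Manager with the VMs attached to it; the interface names are placeholders and 203.0.113.0/29 is a documentation range standing in for the ordered subnet.

```powershell
# Added example. Constructed values: replace the interface names and the
# 203.0.113.0/29 documentation range with your own NIC names and subnet.
$External  = 'Local Area Connection'     # physical NIC holding the host's main IP
$Internal  = 'Local Area Connection 2'   # host-side vNIC of the Internal virtual network
$GatewayIp = '203.0.113.1'               # host address taken from the additional subnet
$Mask      = '255.255.255.248'           # /29

function Invoke-Netsh {
    # Run netsh and stop at the first failure instead of leaving a half-configured host.
    & netsh $args
    if ($LASTEXITCODE -ne 0) { throw "netsh $args failed with exit code $LASTEXITCODE" }
}

# 1. Put one address from the subnet on the host's internal vNIC.
#    Every VM uses this address as its default gateway.
Invoke-Netsh interface ipv4 add address $Internal $GatewayIp $Mask

# 2. Enable IPv4 forwarding on both interfaces so the host routes between the
#    provider's network and the VMs (the Windows counterpart of "ip_forward").
foreach ($nic in $External, $Internal) {
    Invoke-Netsh interface ipv4 set interface $nic forwarding=enabled
}

# 3. Confirm the setting took effect on both interfaces.
foreach ($nic in $External, $Internal) {
    & netsh interface ipv4 show interface $nic | Select-String 'Forwarding'
}

# Inside each VM (attached only to the Internal virtual network):
#   IP address       203.0.113.2 ... 203.0.113.6
#   Subnet mask      255.255.255.248
#   Default gateway  203.0.113.1   (the host address set in step 1)
```

Because the VMs sit behind the host's routed interface and are not bridged to the physical NIC, only the host's MAC address appears on the provider's switch port.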