Today we have a treat for you! Richard Hicks, a Microsoft MVP in TMG firewalls and now a DirectAccess expert, shares some very interesting and useful information with you on some new features and capabilities in System Center Virtual Machine Manager and Hyper-V. In this article Richard covers an interesting aspect of private cloud, which is network virtualization.
As we’ve talked about many times in this blog, one of the key characteristics of any cloud infrastructure is the decoupling of the infrastructure from the services running on it – the services should be completely abstracted from the hardware that supports the services. This is what network virtualization can do for you. Richard tells you how it does this. Enjoy! –Tom.
Great strides have been made over the last few years in the areas of compute and storage virtualization. New features in Windows Server 2012 Hyper-V allow systems engineers to virtualize nearly any workload without issue. Until recently, network virtualization has lagged behind. Virtual workloads were still bound by the constraints of the physical network. This limits our flexibility to move workloads within the datacenter and is a serious cause for concern. If a virtual machine is migrated (or fails over) to a host that resides on a different subnet, the virtual machine will have to be assigned a new IP address to communicate on the network.
While assigning an IP address is trivial and in fact can be automated, it introduces many challenges. Often network policy is enforced based on source and/or destination IP address. Assigning a new IP address will result in significant work updating existing firewall policies to reflect this change. In addition, IP address changes can be problematic for tiered applications that require communication with networked resources based on IP address. Changing the IP address of a virtual machine may, in some instances, require changes to the application itself.
With System Center 2012 Virtual Machine Manager (SCVMM) SP1, Microsoft introduces the concept of virtual networking, which is more broadly referred to as Software Defined Networking (SDN). Virtual networking is made possible by the Hyper-V Extensible Switch, with networking configuration and policies managed and distributed via SCVMM. Virtual networking addresses the essential need for abstraction of the physical network for virtualized workloads, freeing them from the limitations imposed by the physical network.
Once configured and enabled, Hyper-V network virtualization provides support for some important private cloud deployment scenarios, such as:
- Multi-tenant Isolation – Just as the hypervisor abstracts the physical server’s resources and provides what the guest operating system believes to be its own server, Hyper-V network virtualization does the same for network resources. Each virtual network appears to its assigned guest VMs as a separate physical network. In reality, this virtual network runs on top of the existing physical network. Multiple virtual networks can coexist on a single physical network in complete isolation. This is ideal for hosting providers selling Infrastructure as a Service (IaaS) offerings, as it allows them to onboard new customers without requiring them to change their IP addressing scheme. It is equally important for enterprise private cloud deployments where physical network segmentation would normally be employed, such as test and development environments or the implementation of security zones for sensitive workloads.
Historically this has been accomplished on the physical network using VLANs. However, VLANs suffer from a number of shortcomings in a virtual environment. In terms of scalability, VLANs are limited in number to just around 4000. This is a serious restriction for hosting providers looking to onboard thousands, tens of thousands, or even hundreds of thousands of customers. By contrast, Hyper-V network virtualization uses Network Virtualization using Generic Routing Encapsulation (NVGRE), which provides more than 16 million discrete networks. In addition, the configuration of VLANs is difficult to automate and, when performed manually, is error-prone. Manual VLAN configuration in a dynamic, multi-tenant environment is inefficient and not at all scalable.
- Workload Flexibility – Hyper-V network virtualization allows datacenter administrators the freedom to place new workloads or move existing workloads anywhere in their environment without having to reconfigure the physical network. As workloads move from one host to another, network configuration policy is updated automatically to accommodate these changes. If a virtual machine is live migrated or fails over to a Hyper-V host that resides on a different subnet, perhaps even to a datacenter in a different geographical location, Virtual Machine Manager automatically and transparently reconfigures the virtual network to ensure that the VM can communicate without issue using its existing network configuration.
The good news is that Hyper-V network virtualization is compatible with existing networking equipment. There is no need to purchase new, specialized equipment to take advantage of these capabilities. The only drawback to Hyper-V network virtualization out of the box is that hosts located on virtual networks can only communicate with hosts located within their virtual network (which may include multiple virtual subnets). By default, they are unable to communicate with any resources located on the physical network, such as on-premises resources like Active Directory, DNS, file or database servers, etc. This is because network traffic on a virtual subnet is encapsulated by the Hyper-V Extensible Switch with NVGRE.
On-premises non-virtual hosts, and even virtual hosts that are not using the Hyper-V Extensible Switch (perhaps connected directly to a physical network interface on the host), don’t participate in this communication. To address this challenge, an NVGRE gateway is required to translate network communication between the Hyper-V virtualized network and the on-premises physical network. Once installed, hosts located on any virtual subnets can communicate with resources located on the physical network.
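To make the three points above concrete (tenant isolation with overlapping addresses, live migration without an IP change, and why traffic leaving the virtual network needs a gateway), here is an added illustration that is not part of the original article or any Microsoft or Iron Networks code. It models the NVGRE header (GRE with the Key bit set, protocol type 0x6558, 24-bit Virtual Subnet ID in the key) and a simplified lookup policy of the kind SCVMM distributes to hosts; the class and function names, VSIDs, customer addresses (CA) and provider addresses (PA) are all constructed for the example.

```python
from __future__ import annotations
import struct

GRE_PROTO_TEB = 0x6558    # Transparent Ethernet Bridging: payload is a full Ethernet frame
GRE_KEY_PRESENT = 0x2000  # GRE K bit; NVGRE carries the Virtual Subnet ID in the Key field
MAX_VSID = (1 << 24) - 1  # 24-bit VSID: the "more than 16 million" networks in the article

def nvgre_header(vsid: int, flow_id: int = 0) -> bytes:
    """8-byte GRE header as NVGRE uses it: K bit set, protocol 0x6558, key = VSID<<8 | FlowID."""
    if not 0 <= vsid <= MAX_VSID:
        raise ValueError("VSID must fit in 24 bits")
    return struct.pack("!HHI", GRE_KEY_PRESENT, GRE_PROTO_TEB, (vsid << 8) | (flow_id & 0xFF))

def parse_nvgre(packet: bytes) -> tuple[int, int, bytes]:
    """Receiving side: return (vsid, flow_id, inner_frame), rejecting anything that is not NVGRE."""
    flags, proto, key = struct.unpack("!HHI", packet[:8])
    if not (flags & GRE_KEY_PRESENT) or proto != GRE_PROTO_TEB:
        raise ValueError("not an NVGRE packet")
    return key >> 8, key & 0xFF, packet[8:]

class LookupPolicy:
    """Simplified (hypothetical) model of the policy SCVMM pushes to every host:
    (VSID, customer address of a VM) -> provider address of the host running it."""
    def __init__(self) -> None:
        self._table: dict[tuple[int, str], str] = {}
    def place_vm(self, vsid: int, ca: str, pa: str) -> None:
        self._table[(vsid, ca)] = pa
    def migrate_vm(self, vsid: int, ca: str, new_pa: str) -> None:
        """Live migration or failover: only the provider address changes; the VM keeps its CA."""
        if (vsid, ca) not in self._table:
            raise KeyError(f"no VM with CA {ca} in VSID {vsid}")
        self._table[(vsid, ca)] = new_pa
    def encapsulate(self, vsid: int, src_ca: str, dst_ca: str, frame: bytes) -> tuple[str, str, bytes]:
        """Egress on the Hyper-V Extensible Switch: wrap the tenant frame in NVGRE and address the
        outer packet to the PA of the host that owns dst_ca in the same VSID. A destination with
        no mapping is outside the virtual network and is reachable only through an NVGRE gateway."""
        src_pa = self._table[(vsid, src_ca)]
        dst_pa = self._table.get((vsid, dst_ca))
        if dst_pa is None:
            raise LookupError(f"{dst_ca} is not in VSID {vsid}; reachable only via an NVGRE gateway")
        return src_pa, dst_pa, nvgre_header(vsid) + frame

def sample_policy() -> LookupPolicy:
    """Constructed sample: two tenants both use 10.0.0.0/24; VSIDs and PAs are made up."""
    policy = LookupPolicy()
    policy.place_vm(5001, "10.0.0.5", "192.168.1.10")  # tenant A, VM1 on host 192.168.1.10
    policy.place_vm(5001, "10.0.0.6", "192.168.1.11")  # tenant A, VM2
    policy.place_vm(5002, "10.0.0.5", "192.168.1.10")  # tenant B, same CA, same host as A's VM1
    policy.place_vm(5002, "10.0.0.6", "192.168.2.20")  # tenant B, VM2 on a host in another subnet
    return policy
```

The VSID in the GRE key is what keeps tenant A's 10.0.0.5 and tenant B's 10.0.0.5 apart on the same host, and migrating a VM only rewrites its PA in the table, so the outer header changes while the VM's own address does not.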
Iron Networks has worked closely with Microsoft to develop a turn-key, ready-to-deploy NVGRE gateway built on Windows Server 2012. It provides scalable, multi-tenant gateway services for Hyper-V virtual networks, allowing systems engineers to fully realize the potential of their private cloud investment. In addition, the Iron Networks NVGRE gateway includes site-to-site VPN services, which can be leveraged to connect to cloud-based services like Windows Azure to enable a true hybrid-cloud solution.
For more information about the Iron Networks NVGRE gateway, visit http://www.ironnetworks.com/mnv.
Richard Hicks (MCP, MCSE, MCTS, and MCITP Enterprise Administrator) is the Director of Sales Engineering for Iron Networks, a Microsoft OEM partner developing secure remote access, network virtualization, and converged cloud infrastructure solutions. Richard is a four-time Microsoft MVP and has nearly 20 years of experience working in large scale corporate computing environments. Follow Richard on Twitter @richardhicks.