Updated guide for deploying Network Controller using Microsoft VMM 2016 Technical Preview 4

UPDATE: For the latest information on deploying Network Controller using VMM 2016, please see Deploy a Software Defined Network infrastructure using VMM in TechNet.

=====

Introduction

This article helps you evaluate the Software Defined Networking (SDN) features in Windows Server 2016 Technical Preview 4. In particular, it focuses on using System Center Virtual Machine Manager (VMM) 2016 Technical Preview 4 for deploying Network Controller, a new feature in Windows Server 2016. Network Controller is a scalable and highly available server role that enables you to automate the configuration of network infrastructure instead of performing manual configuration of network devices.

Prerequisites

Before proceeding to deploy Network Controller, make sure that you have performed the following steps:

1. Create an Active Directory security group for Network Controller management

You need to create an Active Directory security group for Network Controller management. The group should be a Domain Local group. Members of this group will be able to create, delete, and update the deployed Network Controller configuration. You need to create at least one user account that is a member of this group and have access to its credentials.

2. Create an Active Directory security group for Network Controller clients

You need to create an Active Directory security group for Network Controller clients. The group should be a Domain Local group. Once the Network Controller is deployed, any members of this group will have permissions to communicate with the controller via REST interface. You need to create at least one user account that is a member of this group. After the Network Controller is deployed, VMM can be configured to use this user account’s credentials to establish communication with the Network Controller.

3. Prepare an SSL Certificate

You need an SSL certificate that will be used to establish secure communication (https) between VMM and Network Controller. There are two methods you can use to generate an SSL certificate: generate a self-signed certificate or use a Certificate Authority (CA).

To use a self-signed certificate

The following example creates a new self-signed certificate, and can be run from a PowerShell command window on any computer running Windows Server 2016 Technical Preview. Make note of the names you use to create the certificate and use the same names when you deploy the Network Controller.

New-SelfSignedCertificate -KeyUsageProperty All -Provider "Microsoft Strong Cryptographic Provider" -FriendlyName "<YourNCComputerName>" -DnsName @("<YourNCFQDN>")

You can use the Certificates snap-in to manage your certificate. Click Start, type manage computer certificates and press Enter. A Certificates – Local Computer console starts, where you can find your Network Controller certificate under Personal, Certificates.

To use a Certificate Authority

For a Windows-based enterprise CA, follow the steps available here to request a CA-signed certificate. The certificate must include the serverAuth EKU, specified by the OID 1.3.6.1.5.5.7.3.1. In addition, the certificate Subject Name must match the DNS name of the Network Controller.

After requesting the certificate, use the Certificates snap-in to export it and its private key into a .pfx file. When exporting, choose Personal Information Exchange – PKCS #12 (.PFX) and accept the default to Include all certificates in the certification path if possible. The export wizard requires that you protect the private key with either a security group or user, or a password. Be sure to assign a password, as you will need it later during Network Controller deployment.

NOTE This .pfx certificate should be placed directly in the ServerCertificate.cr folder for use in deployment. Details of ServerCertificate.cr are included in the following sections of this guide.
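The following PowerShell, added here as an example and not part of the original guide, automates the certificate preparation described above: it creates the self-signed certificate, checks it against the requirements stated for CA-issued certificates (serverAuth EKU 1.3.6.1.5.5.7.3.1, Subject matching the NC DNS name, private key present, validity period) and exports it to a password-protected .pfx. The computer name, FQDN and output path are placeholders you must replace; Test-NcCertificate can also be run against a CA-issued certificate object.

```powershell
# Added example (not from the original guide): create, check and export the
# Network Controller SSL certificate. Placeholder values below are assumptions.
$NcComputerName = 'NC01'                                 # placeholder: your NC computer name
$NcFqdn         = 'NC01.contoso.com'                     # placeholder: your NC FQDN
$PfxPath        = 'C:\ServerCertificate.cr\NC01.pfx'     # placeholder: inside your ServerCertificate.cr copy
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'                    # serverAuth EKU required by Network Controller

# Create the certificate in the local machine Personal store. -TextExtension limits the
# EKU to serverAuth; the Subject becomes CN=<first DnsName>, which satisfies the
# "Subject Name must match the DNS name of the Network Controller" requirement.
$cert = New-SelfSignedCertificate -KeyUsageProperty All `
    -Provider 'Microsoft Strong Cryptographic Provider' `
    -FriendlyName $NcComputerName `
    -DnsName @($NcFqdn) `
    -TextExtension @("2.5.29.37={text}$ServerAuthOid") `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Check the properties the guide says the certificate must have. Works for a
# self-signed certificate or for one issued by an enterprise CA.
function Test-NcCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedFqdn
    )
    $problems = @()

    # serverAuth EKU (OID 1.3.6.1.5.5.7.3.1) must be present
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $ServerAuthOid) { $problems += "Missing serverAuth EKU ($ServerAuthOid)" }

    # Subject CN must match the Network Controller DNS name
    $cn = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedFqdn) { $problems += "Subject CN '$cn' does not match '$ExpectedFqdn'" }

    # A private key is needed for the .pfx export and for the NC to terminate HTTPS
    if (-not $Certificate.HasPrivateKey) { $problems += 'No private key attached' }

    # Flag a certificate that is expired or not yet valid
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += "Not valid at $now (valid $($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }
    return $problems   # an empty array means every check passed
}

$issues = Test-NcCertificate -Certificate $cert -ExpectedFqdn $NcFqdn
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'Certificate does not meet the Network Controller requirements; not exporting.'
}

# Export certificate and private key as PKCS #12. The same password goes into the
# ServerCertificatePassword setting when you configure the service deployment.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
Write-Host "Exported $($cert.Thumbprint) to $PfxPath"
```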

4. Prepare a file share for keeping diagnostic logs (optional)

This share will be accessed by the Network Controller to store diagnostics information throughout its lifetime. Create a file share that can be accessed by the Network Controller. You may also optionally assign access permissions for the share to a specific domain user account. Store the username and password for this account; they will be used later during Network Controller deployment.

Setup

This section covers the setup required for deploying the Network Controller.

Topology

The following test topology is designed to allow you to evaluate the SDN features on a small hardware footprint without requiring a large test bed. You can deploy this topology if you want but it’s not required. It is just a guide to help you understand the pieces that are required to deploy an SDN fabric and how they fit together. We assume that you already have VMM 2016 Technical Preview 4 installed with a few hosts under management.

Important As you plan to deploy an SDN fabric to an existing environment that may also have hosts that do not use the Network Controller, you need to do the following:

  1. Create a separate Host Group for hosts that will be managed by the Network Controller. The Network Controller supports Windows Server 2016 Technical Preview hosts only.
  2. Ensure that you have a dedicated subnet for Logical Networks that will be managed by the Network Controller. You cannot share a subnet or Logical Network that is managed by the Network Controller with non-managed hosts running Windows Server 2016 Technical Preview or with hosts running previous versions of the operating system.


The topology to deploy Network Controller consists of three physical hosts, one virtual machine for Network Controller, and two tenant virtual machines that will be used for Network Controller deployment validation.

Hosts

Host                         Hardware Requirements              Software Requirements
Host 1: Infrastructure Host  2 x 1Gb physical network adapter   Windows Server 2016 Tech Preview
Host 2: VM Host              2 x 1Gb physical network adapter   Windows Server 2016 Tech Preview
Host 3: VM Host              2 x 1Gb physical network adapter   Windows Server 2016 Tech Preview

Virtual Machines

Virtual Machine                     Software Requirements
Network Controller Virtual Machine  Windows Server 2016 Technical Preview 4 (VHD)
Tenant VM 1                         Windows Server 2016 Technical Preview 4 (VHD)
Tenant VM 2                         Windows Server 2016 Technical Preview 4 (VHD)

The physical network must be configured so that the following networks are available. Subnets and VLAN IDs are examples and can be customized for your environment:

Network Name                                                                                      Subnet        Mask  VLAN ID on trunk  Gateway
Management: the subnet that connects VMM with the NC host and the VM hosts                        10.60.34.0    24    NA                10.60.34.1
Backend: subnet for the Provider Addresses; needed to validate the Network Controller deployment  10.60.33.128  25    11                10.60.33.129

Active Directory and DNS must be reachable from these subnets.

Management Logical Network

The Management logical network models the Management network connectivity for the VMM host, NC host, and VM hosts. To create the Management logical network:

  1. Open the Fabric workspace in the VMM Console, expand Networking and select the Logical Networks node.
  2. Right-click the Logical Network node and select Create Logical Network.
  3. Specify a Name and optional Description for this network. For example, you can call it MGMT. Click Next.
  4. On the Settings page, be sure to select One Connected Network, since all Management networks need to have routing and connectivity between all hosts in that network. Check the Create a VM Network with the same name… to automatically create a VM Network for your Management network. Click Next.
  5. In the Network Site panel, click Add to add a new network site. Select the host group for the hosts that will be managed by the Network Controller. Insert your management network IP subnet information. This network should already exist and be configured in your physical switch. Click Next when you’re ready to proceed.


  6. Review the Summary information and click Finish to complete.

Management Logical Switch

The Management logical switch needs to be deployed on the NC host and provides the Management network connectivity to the NC VM. To create Management logical switch:

  1. Click Create Logical Switch on the ribbon in the VMM Console.
  2. Review the Getting Started information and click Next.
  3. Provide a Name and optional Description. For the Uplink mode, be sure to select No Uplink Team. Click Next to proceed.
  4. For Minimum Bandwidth mode, choose Absolute. Click Next.
  5. Accept the default switch extension and click Next to proceed.
  6. You can add a Virtual Port Profile and choose a Port Classification for Host Management on this page if you want but it is not required. Click Next when you’re finished.
  7. Create a new Uplink Port Profile directly from the Logical Switch wizard. Click Add and select New Uplink Port Profile from the drop down menu.
  8. Provide a name and optional description for your uplink port profile.

a. Use the defaults for Load Balancing algorithm and Teaming Mode.
b. Be sure to select all the network sites that are part of the Management logical network you created.
c. Select the Uplink Port Profile you created and click New virtual network adapter. This adds a host virtual network adapter (vNIC) to your logical switch and uplink port profile, so when you add the logical switch to your hosts, the vNICs get added automatically.
d. Provide a name for the vNIC. Verify that the management VM network is listed under the Connectivity section.
e. Check the Inherit connection settings from the host adapter box. This allows you to take the vNIC adapter settings from the adapter that already exists on the host.
f. If you created a port classification and virtual port profile earlier, you can select it now.


g. Click Next.
h. Review the Summary information and click Finish to complete the wizard.

To deploy the Management logical switch on the NC host, follow the steps available at this page.

Deployment

Prepare VHD for the Network Controller virtual machine

The service template requires one virtual hard disk that must be prepared prior to importing the service template. This virtual disk must contain an operating system running Windows Server 2016 Technical Preview and should be in VHD format. Download and use the Windows Server 2016 Technical Preview 4 ISO image from here. Please note that with TP4, the VMM service template for Network Controller only supports single-node deployment on a generation 1 virtual machine.

NOTE You cannot use a VHDX, as VMM doesn't support deploying the Network Controller service template on a Generation 2 virtual machine.

Import the service template

This section tells you how to import the Network Controller service template into your VMM library. Before proceeding to import the Network Controller service template, download the template to your machine from our download center here.

To import the service template into the VMM library
  1. In VMM, navigate to Library.
  2. In the top of the left pane, in the Templates section, select Service Templates.
  3. In the ribbon at the top, click Import Template.
  4. Browse to your service template folder, select the Network Controller Standalone.xml file and follow the prompts to import it.

The service template uses the following virtual machine configuration parameters. Update the parameters to reflect the configuration for your environment as you import the service template.

Resource Type      Resource Name              Description
Library Resources  WinServer.vhd              Windows Server virtual hard disk; the format must be VHD. Select the base VHD image that you prepared earlier and imported into your VMM library.
                   NCSetup.cr                 A library resource containing the scripts used to set up the Network Controller. Map it to the NCSetup.cr library resource in your VMM library.
                   ServerCertificate.cr       A library resource containing the SSL certificate in .PFX format. Select the ServerCertificate.cr library resource that you prepared earlier and imported into your VMM library, and place the .pfx SSL certificate you prepared above inside this folder.
                   TrustedRootCertificate.cr  A library resource containing a certificate public key (.CER) to be imported as a trusted root certificate used to validate the SSL certificate. The trusted root certificate is optional; if it is not needed, this resource must still be mapped to a CR folder, but the folder should be left empty. Map it to TrustedRootCertificate.cr in your VMM library.

Configure and deploy the service

Use the following process to deploy a network controller service instance.

  1. Select the Network Controller service template and click Configure Deployment to begin. You will have to select a name and destination for the service instance. The destination must map to a Host Group that contains the hosts configured in an earlier step in this topic.
  2. In the Network Settings section, you must map to the management VM network that you set up previously.
  3. Once you are done with mapping the destination and network settings, the Deploy Service dialog will appear. It is normal for the virtual machine instances to be initially red. Click Refresh Preview to have the deployment service automatically find suitable hosts (from the destination you mapped earlier) for the virtual machines to be created. This can also be done manually if needed.
  4. In the map diagram, click the virtual machine element and change the VM name and computer name to match the computer name you used when you created the computer certificates.
  5. On the left side of the configure deployment window there are a number of settings that you must configure. The table below summarizes each field’s values.
  Setting                     Requirement  Description
  ClientSecurityGroup         Required     Name of the security group containing Network Controller client accounts. This is the group you created previously. Example: contoso\Network Controller Clients
  DiagnosticLogShare          Optional     File share location where the diagnostic logs will be periodically uploaded. If this is not provided, the logs are stored locally on each node. Example: \\fileserver.contoso.com\nc_logs\
  DiagnosticLogShareUsername  Optional     Full username (including domain name) for an account that has access permissions to the diagnostic log share. Must be in the form [domain]\[username]. Example: contoso\Username
  DiagnosticLogSharePassword  Optional     The password for the account specified in the DiagnosticLogShareUsername parameter.
  EnableApplicationLogging    Required     Indicates whether to enable Network Controller application logging. These logs are intended for debugging issues; leaving this option set to True will consume disk space. Options are "False" and "True". Recommended: "False".
  LocalAdmin                  Required     Select a Run As account in your environment that will be used as the local Administrator on the NC virtual machines. The user name should be .\Administrator
  MgmtDomainAccount           Required     Select a Run As account in your environment that will be used to prepare the Network Controller. This user must be a member of the management security group (MgmtSecurityGroup, below), which has privileges to manage the Network Controller.
  MgmtDomainAccountName       Required     The full username (including domain name) of the Run As account mapped to MgmtDomainAccount. Example: contoso\Username. Note: the domain username will be added to the Administrators group during deployment.
  MgmtDomainAccountPassword   Required     Password for the management Run As account mapped to MgmtDomainAccount.
  MgmtDomainFQDN              Required     Fully qualified domain name of the Active Directory domain that the Network Controller virtual machines will join. Example: Contoso.com
  MgmtSecurityGroup           Required     Name of the security group containing Network Controller management accounts. This is the group you created previously. Example: contoso\Network Controller Management
  ServerCertificatePassword   Required     Password needed to import the SSL certificate into the machine store.

  6. After you configure these settings, click Deploy Service to begin the service deployment job. Deployment times will vary depending on your hardware but are typically between 30 and 60 minutes.

Add and configure Network Controller service to VMM

After the network controller service is successfully deployed, the next step is to add it to VMM as a network service. This works just like adding other network services in VMM; you begin this process with the Add Network Service wizard.

To run the Add Network Service wizard
  1. Navigate to the Fabric node in the VMM console.
  2. Right-click the Network Service icon under Networking and click Add Network Service.
  3. The Add Network Service Wizard starts. Click Next.
  4. Provide a name for your Network Controller Network Service and an optional description. Click Next.
  5. Select Microsoft for the manufacturer and for model select Microsoft Network Controller. Click Next.


6. On the Credentials tab, provide the RunAs account you want to use to configure the Network Service. This should be the same account that you included in the Network Controller Clients group. Click Next.

7. For the Connection String, use the FQDN you registered in DNS for the network service you deployed previously. Your connection string should look similar to this:

serverurl=https://<NCName.DomainName>/;SouthBoundIPAddress=<IP address>

NOTE One way to verify the IP address of the network controller is to ping the network controller computer name.


9. On the Review Certificates page, a connection is made to the network controller virtual machine to retrieve the certificate. Verify that the certificate shown is the one you expect. Ensure you select the "These certificates have been reviewed and can be imported to the trusted certificate store" check box. Click Next.

10. On the next screen, click Scan Provider to connect to your service and list the properties and their status. This is also a good test of whether or not the service was created correctly, and that you're using the right connection string to connect to it. Examine the results, and when it completes successfully, click Next.

NOTE The Name and Manufacturer fields will be empty. This is to be expected.

11. Configure the Host Group in VMM that your Network Controller will manage. If all your hosts in your VMM deployment will be managed by the Network Controller (for example, if you’re using the minimum deployment topology), then you can choose All Hosts. Otherwise, you will want to choose only the Host Group with Windows Server 2016 Technical Preview hosts that are part of your SDN fabric. Click the appropriate check box and then click Next.

12. Click Finish to complete the Add Network Service wizard. When the service has been added to VMM, you should see it appear in the Network Services list in the VMM Console, and it should look similar to the following:


13. You can right-click the Network Controller object and select Properties to view the properties of your newly created Network Controller.

14. Click OK to finish.
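As an added example (not part of the original guide), the PowerShell below pre-checks the values you enter in the Add Network Service wizard: it parses the connection string shown in step 7, confirms the FQDN resolves and the HTTPS endpoint listens, and compares the certificate the Network Controller presents with the .pfx you deployed, so that the certificate shown in step 9 can be matched to a known thumbprint. The connection string and .pfx path are placeholders you must replace.

```powershell
# Added example (not from the original guide): verify the Network Controller REST
# endpoint and its certificate before running the Add Network Service wizard.
$ConnectionString = 'serverurl=https://NC01.contoso.com/;SouthBoundIPAddress=10.60.34.10'  # placeholder
$PfxPath          = 'C:\ServerCertificate.cr\NC01.pfx'                                       # placeholder

function ConvertFrom-NcConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString)
    # Split "key=value;key=value" into a hashtable (PowerShell hashtable keys are case-insensitive)
    $parts = @{}
    foreach ($pair in $ConnectionString.Split(';', [StringSplitOptions]::RemoveEmptyEntries)) {
        $kv = $pair.Split('=', 2)
        if ($kv.Count -eq 2) { $parts[$kv[0].Trim()] = $kv[1].Trim() }
    }
    if (-not $parts['serverurl']) { throw 'Connection string has no serverurl= part' }
    $uri = [Uri]$parts['serverurl']
    if ($uri.Scheme -ne 'https') { throw "serverurl must use https, got $($uri.Scheme)" }
    return [pscustomobject]@{
        Fqdn              = $uri.Host
        Port              = $uri.Port            # 443 when the URL carries no explicit port
        SouthBoundAddress = $parts['SouthBoundIPAddress']
    }
}

function Get-RemoteTlsCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    # Perform a TLS handshake and capture the leaf certificate the server presents.
    # Chain validation is skipped on purpose so a self-signed certificate can be
    # retrieved; the caller then compares it with the deployed .pfx by thumbprint.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

$nc = ConvertFrom-NcConnectionString -ConnectionString $ConnectionString

# 1. Does the FQDN from the connection string resolve in DNS?
$resolved = Resolve-DnsName -Name $nc.Fqdn -Type A -ErrorAction Stop | Select-Object -ExpandProperty IPAddress
Write-Host "$($nc.Fqdn) resolves to: $($resolved -join ', ')"

# 2. Is the REST endpoint listening on the port implied by serverurl?
if (-not (Test-NetConnection -ComputerName $nc.Fqdn -Port $nc.Port -InformationLevel Quiet)) {
    throw "Nothing listening on $($nc.Fqdn):$($nc.Port)"
}

# 3. Does the presented certificate match the one deployed via ServerCertificate.cr?
$remote      = Get-RemoteTlsCertificate -HostName $nc.Fqdn -Port $nc.Port
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$deployed    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPassword)

if ($remote.Thumbprint -ne $deployed.Thumbprint) {
    throw "Presented certificate $($remote.Thumbprint) does not match deployed certificate $($deployed.Thumbprint)"
}

# 4. The certificate Subject should carry the same DNS name the wizard will connect to
$cn = $remote.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $nc.Fqdn) { Write-Warning "Certificate CN '$cn' differs from connection-string FQDN '$($nc.Fqdn)'" }

Write-Host "OK: $($nc.Fqdn):$($nc.Port) presents $($remote.Thumbprint) ($cn); SouthBoundIPAddress=$($nc.SouthBoundAddress)"
```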

Validation

This section, although not required for Network Controller deployment itself, is intended to allow users to validate successful deployment of the Network Controller. We will create an NC-managed "Back End" network and configure a tenant VM network on top of it. We will also test connectivity between two tenant VMs deployed across different hosts to ensure NC is deployed correctly.

Create Back End network for tenant VM connectivity

The network controller is connected to the Management network, which is the network that is used to deploy and manage the network controller through VMM. Next, you need to create a "Back End" network that will be managed by the network controller in your SDN fabric. This network will be used to validate that the Network Controller has been deployed successfully and that tenant virtual machines within the same Virtual Network are able to ping each other.

To create the Back End (HNV PA) network

1. Start the Create Logical Network Wizard.

2. Type a name and optional description for this network. The example shown here is Back End Network. Click Next.


3. On the Settings page, be sure to select One Connected Network since all HNV PA networks need to have routing and connectivity between all hosts in that network. Ensure you check Allow new VM networks created on this logical network to use network virtualization. You will also see a new setting: Managed by the Network Controller. Ensure you check this box and then click Next.


4. On the Network Site panel, add the network site information for your HNV PA network. This should include the Host Group, Subnet and VLAN information for your Back End Network. Remember, this network should already exist in your physical network devices (switch) and all your SDN fabric hosts should have physical connectivity to it.

5. Review the Summary information and complete the wizard.

Create IP address pools that will be managed by the network controller

The Back End Network is the HNV Provider Address (PA) network, so it must have a static IP address pool managed by VMM for address assignment, even if DHCP is available on this network. Thus, you need to create a static IP address pool that is associated with this logical network.

To create an IP address pool for the Back End Network

1. Right-click the Back End logical network in VMM and select Create IP Pool from the drop down menu.

2. Provide a name and optional description for the IP Pool and ensure that the back end network is selected for the logical network. Click Next.

3. On the Network Site panel, you need to select the subnet that this IP address pool will service. If you have more than one subnet as part of your HNV PA network, you need to create a static IP address pool for each subnet. If you have only one site (for example, like the sample topology) then you can just click Next.

4. On the IP Address range panel, specify the starting and ending IP address. It is recommended that you start with the second address in your IP address range so that the network controller does not assign the default gateway address for the subnet. Click Next.


5. Now configure the default gateway address. Click Insert next to the Default gateways box, type the address and use the default metric. Click Next.

6. Optionally you can configure DNS information but this is generally not required.

7. Optionally you can also configure WINS server information but this is generally not required. Click Next.

8. Review the summary information and click Finish to complete the wizard.

Configure Back End network

  1. In Network Service, right-click the network controller object and select Properties.
  2. Click on the Logical Network Affinity tab in the left menu.
  3. Select the Back End (HNV PA) network that you created earlier to be your Back-End network.
  4. Click OK.

Create an SDN logical switch and deploy to hosts

Now that you have created the logical networks, VM networks, and IP pools for your SDN fabric, you need to create a logical switch that you can deploy to your Windows Server 2016 Technical Preview hosts. This will make the networks that you created available to your hosts via VMM and will enable the Virtual Filtering Platform (VFP) switch extension, which makes your hosts available to the network controller. This is also referred to as an SDN switch, as it enables creation and configuration of network objects via the network controller.

To create the SDN logical switch

1. Click Create Logical Switch from the ribbon, or right-click the Logical Switches node in the left hand tree navigation in the VMM console.

2. Review the Getting Started information and click Next.

3. Provide a name (SDN Switch or whatever you want) and optional description. For the uplink mode, ensure you select No Uplink Team.

Important Switch Embedded Teaming (SET) together with network virtualization is NOT supported in TP4, so be sure that you do not select an Uplink Team for your SDN switch. SET is supported with VLANs in TP4, so if you are testing converged networking with dedicated infrastructure adapters (that will not use network virtualization) then you may team one or more adapters in this configuration.

4. Click the Managed by Microsoft Network Controller check box and you will notice that the Extensions page disappears. This happens because the network controller requires the VFP extension, so it is selected by default. If your network adapters support SR-IOV and you want to use it, you can enable it here as well. Then click Next to proceed.

5. You can optionally select one or more Virtual Port Profiles if you want. This functionality is the same as it was in Windows Server 2012 R2. When you’re ready to proceed, click Next.

6. Add a new Uplink Port Profile directly from the wizard. Click Add and select New Uplink Port Profile from the drop down menu.

7. Provide a name (SDN port profile or whatever you want) and optional description for your Uplink Port Profile.

It is recommended that you use the defaults for Load Balancing algorithm and Teaming Mode.

Ensure you select all the Network Sites you created for your SDN fabric that are managed by the Network Controller as you want to be sure that they are included in this switch.

You do not need to check the Enable Hyper-V Network Virtualization box as you cannot have hosts that do not support this as part of an SDN fabric by definition. The SDN switch is supported on Windows Server 2016 Technical Preview hosts only.

Click Next to proceed.

8. Review the Summary information and click Finish.

To deploy the logical switch to hosts

You can now deploy the SDN logical switch to the hosts that will be used to provision tenant virtual machines.

1. Navigate to the Host Group that contains the Windows Server 2016 Technical Preview hosts that are part of your SDN fabric. Right-click a host and select Properties from the drop-down menu.

2. Select Virtual Switches from the left menu.

3. Click New Virtual Switch and select New Logical Switch from the menu. The SDN logical switch that you created previously should appear selected in the logical switch combo box. If it isn’t, select it now.

4. Ensure you bind the SDN Logical Switch to the correct physical adapter on the host. It should be a different adapter from the one that the Management logical switch is connected to.


5. Click OK on the Host Properties dialog to complete the operation.

6. Repeat this for each host in your SDN fabric. The Infrastructure host does not need this logical switch.

Create tenant VM networks and IP pools

Next, you will create a VM network and IP pool for a tenant in your SDN infrastructure.

To configure a VM network

Follow the steps mentioned here to create a VM network and here to create an IP address pool.

Tip While creating IP address pools for NC-managed networks, you MUST use a value for Starting IP Address that is at least 4 IP addresses into the address range for the IP subnet. The Network Controller uses the first three IP addresses of the network range. For example, if your IP subnet is 192.168.0.0/24, you should use 192.168.0.4 as your starting IP address.

Click Next.

Create tenant virtual machines

Now you can create tenant virtual machines connected to the tenant virtual network.

To create a virtual machine from an existing virtual hard disk

Follow these steps to create a VM from an existing virtual hard disk.

Note During VM creation, on the Configure Hardware page, connect Network Adapter 1 of the VM to the tenant VM network that you created earlier in this document.

Tip To prevent placement from choosing a different value for these settings, click the pin icon next to the setting. Note that self-service users do not see this option.

Once you have deployed at least two virtual machines in your VM Network, you can ping one tenant virtual machine from the other to validate that the Network Controller has been deployed successfully and that it can manage the Back End network, allowing tenant virtual machines to ping each other.

Manish Jha, Program Manager
Microsoft