Updated guide for deploying Software Load Balancer using Microsoft VMM 2016 Tech Preview 4

NOTE This guide is an updated version of the guide previously published here.

=====

Introduction

This article helps you evaluate the Software Defined Networking (SDN) features in Windows Server 2016 Technical Preview and Virtual Machine Manager 2016 Technology Preview 4. In particular, this topic is focused on scenarios that incorporate Microsoft Software Load Balancer (SLB) with System Center Virtual Machine Manager (VMM).

Once you deploy Software Load Balancer along with Network Controller in your VMM 2016 Technical Preview setup, you can also use its multiplexing and NAT capabilities in your datacenter.

Prerequisites

Before we get into details of Software Load Balancer deployment, make sure you have performed the following steps:

1. Deploy Network Controller

This document assumes that you already have Network Controller onboarded into VMM management. If Network Controller is deployed in your setup, you will have the basic compute and network infrastructure in place to proceed with SLB deployment.

For more details on the requirements for hosts, virtual machines, logical networks, subnets, IP pools, and switches, please refer to the Network Controller deployment guide here.

If you haven’t deployed Network Controller yet, please refer to the Network Controller guide above and come back to this section after deploying Network Controller.

2. Prepare an SSL Certificate

The SLB service template requires that an SSL certificate be prepared before importing the service template. You should already have this certificate ready from the Network Controller deployment. To revisit the steps for preparing SSL certificates, click here. Right-click the SSL certificate that was created earlier during Network Controller deployment and export it without a password in .CER format. This certificate will later be placed inside the NCCertificate.CR folder, as described in the later sections.

3. An available Windows Server host

In addition to the hosts that you already have in your Network Controller setup, you will need one additional host (also referred to as the ‘Edge host’) to deploy Software Load Balancer, as shown in the topology diagram below. Optionally, you can use one of the existing hosts in your setup to deploy SLB.

Set up

This section covers the setup required for deploying the Software Load Balancer and optionally the BGP router.

Topology overview

[Topology diagram]

The topology consists of four physical hosts, one Network Controller virtual machine, two tenant virtual machines, one Software Load Balancer MUX virtual machine, and optionally one Router – BGP Peer virtual machine. Most of these hosts and virtual machines will already be configured as part of the Network Controller deployment.

You will need to deploy one additional host (the ‘Edge Host’) and two additional virtual machines for Software Load Balancer deployment. All of the virtual machines require an operating system VHD and you can download the Windows Server 2016 Technical Preview 4 ISO image here.

Logical Networks

In addition to the Management and the Backend logical networks that you already have configured during Network Controller deployment, you will need the following networks to deploy SLB.

Network Name | Subnet | Mask | VLAN ID on trunk | Gateway
Front End (or Transit): Used as the SLB Front End network. | 10.60.35.0 | 24 | 10 | 10.60.35.1
Public IP Network: Used to assign IP addresses for SLBM. | 10.128.134.116 | 27 | NA | 10.128.134.117

NOTE Active Directory and DNS must be available and reachable from these subnets. You must have Domain Admin credentials and the ability to create DNS entries in the domain if you choose to use an existing Active Directory domain.

Create the Front End logical network

The Front End network is used for northbound connections in SLB MUX virtual machines and BGP peer virtual machine. To create the Front End logical network, complete the following:

  1. Start the Create Logical Network Wizard.
  2. Type a name and optional description for this network, then click Next.
  3. On the Settings page, ensure you select One Connected Network. You can also check the Create a VM network with the same name box to allow virtual machines to access this logical network directly, and the Managed by the Network Controller box. Click Next.
  4. On the Network Site panel, add the network site information for your VIP subnet. This should include the Host Group and subnet information for your VIP network.
  5. Review the Summary information and complete the Logical Network wizard.

Create the Public IP logical network

You need an IP address pool for public IPs, both to assign an IP address to SLBM and for tenant services that need an internet-reachable public IP address. We will create a Public logical network in order to specify the IP address pool for the public network. To create the Public logical network, complete the following:

  1. Start the Create Logical Network Wizard.
  2. Type a name and optional description for this network. Click Next.
  3. On the Settings page, ensure you select One Connected Network. You can also check the Create a VM network with the same name box to allow virtual machines to access this logical network directly, and the Managed by the Network Controller box. Click Next.
  4. On the Network Site panel, add the network site information for your Public Network. This should include the Host Group and Subnet information.
  5. Review the Summary information and complete the wizard.

Create IP address pools required for SLB deployment

Create an IP pool for Front End addresses

TIP While creating IP address pools for NC managed networks, you MUST use a value for Starting IP Address that is at least 4 IP addresses into the Address range for the IP Subnet. The Network Controller uses the first three IP addresses of the network range. For example, if your IP subnet is 192.168.0.0/24, you should use 192.168.0.4 as your starting IP address.

This is the IP pool from which DIPs will be assigned to the SLB MUX virtual machines and the BGP Peer virtual machine.

Create the IP pool for the Front End network following the same procedure and steps mentioned in the Network Controller guide. Be sure to use the IP address range that corresponds to your Front End network IP address space.

NOTE After you have created all the required logical networks and IP pools, make sure you associate the newly created Front End logical network with the SDN uplink port profile you created during Network Controller deployment.

Deploy the Management and SDN logical switch to the Edge host

You should already have an SDN logical switch and a management logical switch available in your setup as part of Network Controller deployment.

If the SDN Switch with Front end and Back end port profiles is not deployed already to the edge host where SLB MUX VMs are going to be deployed, deploy the SDN switch to the host now. Similarly, if the Management logical switch is not deployed on the Edge Host yet, deploy the Management logical switch on the host.

Please refer to Network Controller deployment guide here to learn about deploying SDN and Management logical switches to a host.

Deployment

Now you can deploy the Software Load Balancer MUX into your SDN infrastructure.

Download the service template to a local computer

First you need to download the SLB MUX service template from here and save it to a folder on your VMM server or a file share that your VMM server has access to.

Add template resources to the VMM Library

Before you import the SLB MUX service template you need to do the following in order to add the custom resources to the VMM library:

  1. Copy the .CER certificate that you previously created for the Network Controller to the NCCertificate.CR folder.
  2. Add the custom NCCertificate.CR and EdgeDeployment.CR custom resources to the VMM library:

a. In VMM, navigate to Library.
b. In the top of the left pane, in the Templates section, select Service Templates.
c. In the ribbon at the top, click Import Physical Resource.
d. Click Add Custom Resource and navigate to the folder where you copied the Gateway Service Template files. Select the EdgeDeployment.cr and NCCertificate.cr folders and click OK.
e. Under Select Library server and destination for imported resources, navigate to your VMM library server and click OK.
f. Click Import to import the custom resources.

Import the service template

Now you can import the SLB MUX service template to the VMM library. To import the service template into the VMM library, complete the following:

  1. In VMM, navigate to Library.
  2. In the top of the left pane, in the Templates section, select Service Templates.
  3. In the ribbon at the top, click Import Template.
  4. Browse to your service template directory, then select the SLBMuxServiceTemplate.2.0.xml file that you downloaded and follow the prompts to import it.
  5. The service template uses the following virtual machine configuration parameters, so update the parameters to reflect the configuration of your environment as you import the service template.

Configuration parameters (Resource Type: Library Resources):

Resource name: WinServer.vhd
Description: Windows Server virtual hard disk. The format should be VHD. Select the base VHD image that you prepared earlier and imported into your VMM library.

Resource name: NCCertificate.cr
Description: A custom library resource that contains the trusted root certificate (.CER) for the Network Controller. This will be used for secure communications between the Network Controller and the SLB MUX instances. Map to the NCCertificate.cr library resource in your VMM library.

Resource name: EdgeDeployment.cr
Description: A custom library resource that contains an SSL certificate in .PFX format. Select the EdgeDeployment.cr library resource that you prepared earlier and imported into your VMM library.

Configuring the deployment

Follow these steps to deploy an SLB MUX service instance.

Configure the deployment

  1. Select the SlbMuxServiceTemplate service template and click Configure Deployment to begin. Type a name and optionally a destination for the service instance. The destination must map to a Host Group that contains the hosts configured previously.
  2. In the Network Settings section, you must map the networks as follows:

Network setting | Value
DatacenterNetwork | Map this to your Front End or transit VM network.
ManagementNetwork | Map this to your Management VM network.

After you have mapped the destination and network settings, the Deploy Service dialog appears. It is normal for the virtual machine instances to be initially red. Click Refresh Preview to automatically find suitable hosts (from the destination you mapped earlier) for the virtual machine. This can also be done manually if needed.

3. On the left side of the Configure Deployment window there are a number of settings that you must configure. The table below summarizes each field:

Setting | Requirement | Description
Datacenter Network | Required | Your External or transit VM network.
Management Network | Required | Choose the Management VM Network that you created for host management.
LocalAdmin | Required | Select a Run As account in your environment that will be used as the local Administrator on the virtual machines. The user name should be .\Administrator.
SelfSignedConfiguration | Required | If you are using a self-signed certificate you created yourself, set this value to TRUE. If you are using a certificate that has been issued by an Enterprise CA or external Root CA, set this value to FALSE.
MgmtDomainAccount | Required | Select a Run As account in your environment which will be used to prepare the Network Controller. This user must be a member of the management security group, specified below, which has privileges to manage the Network Controller.
MgmtDomainAccountName | Required | This must be the full user name (including domain name) of the Run As account mapped to MgmtDomainAccount. Example: contoso\username. NOTE: The domain user name will be added to the Administrators group during deployment.
MgmtDomainAccountPassword | Required | Password for the management Run As account mapped to MgmtDomainAccount.
MgmtDomainFQDN | Required | Fully qualified domain name for the Active Directory domain that the Network Controller virtual machines will join. Example: Contoso.com

Deploy the SLB MUX service

After you configure these settings, you can click Deploy Service to begin the service deployment job. Deployment times will vary depending on your hardware but are typically between 30 and 60 minutes.

When the service deployment job has completed, verify that your service appears in the VMM console:

  1. Open the VMs and Services workspace.
  2. Click Services in the ribbon.
  3. Verify that your SLB MUX service instance appears in the VM Network Information for Services window.
  4. Right-click the SLB MUX service and select Properties from the menu. Verify that the state is Deployed.

Configure the SLB role and SLB MUX Instance Properties

Now that the service is deployed you can configure its properties. This involves associating the VM instance that we deployed using the SLB MUX service template, and then configuring BGP peering between the SLB MUX instance and a router.

Associate the SLB Service Role with the SLB MUX Instance

  1. Open the Fabric workspace.
  2. Click Network Service to display the list of network services installed.
  3. Right-click the FabricNetworkManagerNetworkController service and select Properties.
  4. In the wizard, click Load Balancer Role and enter the last IP address from the Public VIP pool as the Management IP address. Although you will create the Public IP address pool in a later section, you should already have a fair idea of the IP address range you plan to reserve through that pool. Click OK.

[screenshot]

5. Find the Associated Service field under Service information and click Browse.

6. Select the SLB MUX service instance you created earlier and click OK.

[screenshot]

The Service instances that you deployed are now associated with the Load Balancer role, and you should see the SLB MUX virtual machine instance listed under the Load Balancer role.

Create an IP pool for Public IP addresses

This step needs to be performed at this stage, once Software Load Balancer is onboarded into VMM. This makes sure that the created VIP pool is advertised using the SLB Manager VIP (the management IP address shown above).

TIP While creating IP address pools for NC managed networks, you MUST use a value for Starting IP Address that is at least 4 IP addresses into the Address range for the IP Subnet. The Network Controller uses the first three IP addresses of the network range. For example, if your IP subnet is 192.168.0.0/24, you should use 192.168.0.4 as your starting IP address.

1. Right-click the Public logical network in VMM and select Create IP Pool from the drop down menu.

2. Provide a name and optional description for the IP Pool and ensure that the Public Logical network is selected for the logical network. Click Next.

3. Accept the default network site as shown in below screen shot and click Next.

[screenshot]

4. Choose a starting and ending IP address for your range that contains the entire address range of your Public VIP subnet.

5. In the IP addresses reserved for load balancer VIPs box, type the entire IP addresses range in the subnet. This should match the range you used for starting and ending IP addresses. You do not need to provide gateway, DNS or WINS information as this pool is used to allocate IP addresses for VIPs only via the Network Controller, so skip these screens by clicking Next.

6. Review the summary information and complete the wizard.
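The TIP above (and the same TIP in the Front End pool section) states the one rule that is easy to get wrong in the Create IP Pool wizard: the Network Controller takes the first three addresses of every managed subnet, so a pool must start at least four addresses into the range. The following script is an added example, not part of the original guide, that checks a proposed pool range against that rule before you type it into the wizard. The subnet and prefix length come from the logical network table in this guide; the pool start and end values are constructed for illustration.

```powershell
# Added example (not from the original guide): check a proposed VMM IP pool range against the
# Network Controller reservation rule: the first three addresses of the subnet are used by the
# Network Controller, so the pool must start at least four addresses into the subnet.

function ConvertTo-AddressNumber([string]$Address) {
    # Dotted-quad IPv4 address -> 64-bit integer, so range comparisons are plain arithmetic.
    $value = [long]0
    foreach ($octet in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $value = $value * 256 + $octet
    }
    return $value
}

function ConvertFrom-AddressNumber([long]$Value) {
    # 64-bit integer -> dotted-quad string.
    $octets = @()
    for ($i = 3; $i -ge 0; $i--) {
        $octets += [int]([math]::Floor($Value / [math]::Pow(256, $i)) % 256)
    }
    return ($octets -join '.')
}

function Test-NcIPPoolRange {
    param(
        [Parameter(Mandatory=$true)][string]$Subnet,       # subnet address, e.g. 10.60.35.0
        [Parameter(Mandatory=$true)][int]$PrefixLength,    # mask length, e.g. 24
        [Parameter(Mandatory=$true)][string]$StartIP,      # proposed Starting IP Address
        [Parameter(Mandatory=$true)][string]$EndIP         # proposed Ending IP Address
    )
    $size      = [long][math]::Pow(2, 32 - $PrefixLength)
    $network   = [long]([math]::Floor((ConvertTo-AddressNumber $Subnet) / $size)) * $size
    $broadcast = $network + $size - 1
    $minStart  = $network + 4          # NC reserves network+1 .. network+3
    $start     = ConvertTo-AddressNumber $StartIP
    $end       = ConvertTo-AddressNumber $EndIP

    $problems = @()
    if ($start -lt $minStart) {
        $problems += "Starting IP must be at least $(ConvertFrom-AddressNumber $minStart) (Network Controller uses the first three addresses)"
    }
    if ($end -ge $broadcast) {
        $problems += "Ending IP must be below the broadcast address $(ConvertFrom-AddressNumber $broadcast)"
    }
    if ($start -gt $end) {
        $problems += 'Starting IP is greater than ending IP'
    }

    [pscustomobject]@{
        Subnet         = "$(ConvertFrom-AddressNumber $network)/$PrefixLength"
        MinimumStartIP = ConvertFrom-AddressNumber $minStart
        IsValid        = ($problems.Count -eq 0)
        Problems       = $problems
    }
}

# Front End network from the table in this guide (10.60.35.0/24).
# The first range starts too low and is reported as invalid; the second is accepted.
Test-NcIPPoolRange -Subnet '10.60.35.0' -PrefixLength 24 -StartIP '10.60.35.2' -EndIP '10.60.35.50'
Test-NcIPPoolRange -Subnet '10.60.35.0' -PrefixLength 24 -StartIP '10.60.35.4' -EndIP '10.60.35.50'
```

The function normalizes whatever address you pass as Subnet to its network address for the given prefix length, so the result also tells you which subnet VMM will treat the range as belonging to. Run it against both the Front End pool and the Public VIP pool before completing the wizard; for the Public pool the same start and end values should then be entered in the IP addresses reserved for load balancer VIPs box, as step 5 above requires.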

Validation

Once you have deployed SLB MUX in your setup, you can validate the deployment by configuring peering of the SLB MUX instance and a BGP router (or RRAS VM), assigning a public IP to a tenant VM or Service, and accessing the tenant VM\service from outside the network.

Configure BGP Peering between the SLB MUX instance and a router

In order to publish the VIP network and addresses to networks outside of your private cloud, you will need to configure Border Gateway Protocol (BGP) peering between the SLB MUX and your external router.

1. First you will need to obtain the IP address and the Autonomous System Number (ASN) of the router that you want to peer with, so start by opening the Fabric workspace.

2. Right-click the FabricNetworkManagerNetworkController service and select Properties.

3. Click the Services tab and select the Load Balancer Role in the list of services.

4. Click the SLB MUX virtual machine instance to display the MUX instance BGP settings. For the BGP port, type the value 8560, and for Local ASN, type the ASN you want to use for BGP peering for the MUX. VMM will accept any value you pick here, but if you are peering with a router in your infrastructure it should match the numbering scheme in your lab or datacenter. In the example below we used a value of 2 for the ASN.

[screenshot]

5. To configure the information for the BGP router you want to peer with, click Add and then enter the name, IP address and ASN number of the router you want to peer with. In the screen shot above, you can see that we have peered with the ADVWRKS-ROUTER router using an IP address of 172.27.0.1 and an ASN of 1.

Click OK to complete the SLB MUX service instance configuration.

6. Check the Jobs window to verify that the Update Fabric Role with required configuration and Associate service instance with fabric role jobs have completed successfully.

7. In order to complete the BGP peering operation, you will need to configure BGP on the router to peer with your SLB MUX instance. If you are using a hardware router device, consult your vendor’s documentation on how to set up BGP peering for that device. You will also need to know the IP address of the SLB MUX instance that you deployed earlier. To obtain it, either log on to the SLB MUX VM instance and run IPCONFIG /ALL from a Command Prompt, or read it from the VMM console.
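Step 7 leaves the router side of the peering to the router vendor. When the router is a Windows Server RRAS VM (the "RRAS VM" option mentioned in the Validation section), the router side can be configured with the RemoteAccess BGP cmdlets. The script below is an added example, not part of the original guide or the service template. The router address (172.27.0.1) and ASN (1) and the MUX ASN (2) are the values used in this guide; the MUX Front End address is a placeholder to be replaced with the address obtained from IPCONFIG /ALL on the MUX, and the peer name is assumed.

```powershell
# Added example (not from the original guide): configure a Windows Server RRAS VM as the
# BGP router that peers with the SLB MUX. Run this on the RRAS VM with the RemoteAccess
# role installed. Values marked "from the guide" match the screenshots in this guide;
# the MUX address below is a placeholder you must replace.
param(
    [string]$RouterIPAddress = '172.27.0.1',            # router's Front End address (from the guide)
    [int]$RouterASN          = 1,                       # router ASN (from the guide)
    [string]$MuxIPAddress    = '<SLB-MUX-FRONTEND-IP>', # placeholder: MUX Front End address
    [int]$MuxASN             = 2,                       # Local ASN entered for the MUX in VMM (from the guide)
    [string]$PeerName        = 'SLBMUX01'               # assumed peer name; any unique string works
)

Import-Module RemoteAccess

# Create the local BGP router once; a second run of the script reuses the existing one.
if (-not (Get-BgpRouter -ErrorAction SilentlyContinue)) {
    Add-BgpRouter -BgpIdentifier $RouterIPAddress -LocalASN $RouterASN
}

# Define the MUX as a peer. The ASN here must equal the Local ASN you typed into the MUX
# instance settings in VMM, and the router's own ASN must equal the ASN you entered for the
# router under "Add" in step 5, otherwise the session never reaches the Established state.
if (-not (Get-BgpPeer -Name $PeerName -ErrorAction SilentlyContinue)) {
    Add-BgpPeer -Name $PeerName -LocalIPAddress $RouterIPAddress `
        -PeerIPAddress $MuxIPAddress -PeerASN $MuxASN -PeeringMode Automatic
}

# Check the session. ConnectivityStatus moves to Connected once the MUX and router agree on
# addresses and ASNs; until then the VIP network is not advertised outside the cloud.
Get-BgpPeer -Name $PeerName
```

Once the peer shows as connected, the MUX advertises the SLB Manager management IP and every assigned VIP as host routes to the router; `Get-BgpRouteInformation` on the RRAS VM lists them, which is a quicker check than tracing traffic end to end.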

Provisioning VIPs for tenant virtual machines

You can provision VIPs for tenant virtual machines either individually for each virtual machine or via service templates. Provisioning a VIP for a single virtual machine is not a typical scenario, but for Tech Preview 4 it may be the easiest way to evaluate this functionality. Provisioning a VIP for a single virtual machine must be done via PowerShell.

Provision VIPs for an individual virtual machine

To provision a VIP for an individual VM or set of VMs that were deployed using a VM template, you will need to deploy the VM instances using a VM template, create a VIP template in the VMM console, then create a VIP and assign it to the VMs using PowerShell.

Create a VIP Template

The process for creating a VIP template is as follows:

  1. Navigate to the Fabric Workspace in the VMM console.
  2. Right-click on the VIP Templates node and select Create VIP Template. Alternately, you can click on the Create VIP Template in the Ribbon toolbar.
  3. Provide a name in the Template Name field and an optional description in the Description field.
  4. In the Virtual IP Port field, provide a value for the port you wish to test. For our example we used port 5001, but you can choose another port you want to test with if desired.
  5. For the Backend Port, provide a value for the port from which you wish to map traffic on the back end. In our example we simply used the same port as the front end virtual IP port: 5001. Once you have provided the port, click the Next button.
  6. On the Specify a Template Type screen, click the Specific radio button and select Microsoft for the Manufacturer, then for the Model, select Microsoft Network Controller. Click Next.
  7. On the Specify Protocol Options screen, select the protocol you wish to create a VIP mapping for. The HTTP and HTTPS options are commonly used, but for our simple example we selected the Custom option and chose TCP in the Protocol Name field. If TCP does not appear as an option in the drop-down menu you can type it in manually. This is a known issue in TP4. Click Next.
  8. You can optionally select enable persistence if you wish to have the load balancer make the connection from the client “sticky”. Click Next.
  9. For the Load Balancing method, select Round Robin from the drop down list. Click Next.
  10. Health Monitors are not implemented in TP4 so click Next to move past this screen.
  11. Confirm your settings and then click Finish when you are ready to create the VIP Template.

Create the VIP using PowerShell

Windows PowerShell for creating a VIP for an individual VM

The following is a sample Windows PowerShell script that will create a VIP for an individual VM. In the script parameters section, be sure to substitute the actual values that match your test environment for the samples that are used in this script. The script should be run on the VMM server, or on a machine with the VMM Admin Console.

=====

param(
    [Parameter(Mandatory=$false)]
    # Name of the Network Controller Network Service.
    # This value should be the name you gave the Network Controller service when you on-boarded
    # the Network Controller to VMM.
    $LBServiceName = "NC",

    [Parameter(Mandatory=$false)]
    # Name(s) of the VM instance(s) to which you want to assign the VIP.
    $VipMemberVMNames = @("WGB-001"),

    [Parameter(Mandatory=$false)]
    # VIP address you want to assign from the VIP pool.
    # Pick any VIP that falls within your VIP IP Pool range.
    $VipAddress = "172.27.1.5",

    [Parameter(Mandatory=$false)]
    # Name of the VIP VM Network.
    $VipNetworkName = "vip",

    [Parameter(Mandatory=$false)]
    # The name of the VIP template you created via the VMM Console.
    $VipTemplateName = "ADVWRKS-VIP",

    [Parameter(Mandatory=$false)]
    # Arbitrary, but good to match the VIP you're using.
    $VipName = "scvmm_172_27_1_5_5001"
)

Import-Module virtualmachinemanager

# The load balancer object that belongs to the Network Controller network service.
$lb = Get-SCLoadBalancer | Where-Object { $_.Service.Name -like $LBServiceName };

$vipNetwork = Get-SCVMNetwork -Name $VipNetworkName;

# Collect the first network adapter of each member VM; these become the VIP's back-end members.
$vipMemberNics = @();
foreach ($vmName in $VipMemberVMNames)
{
    $vm = Get-SCVirtualMachine -Name $vmName;
#    if ($vm.VirtualNetworkAdapters[0].VMNetwork.ID -ne $vipNetwork.ID)
#    {
#        $vm.VirtualNetworkAdapters[0] | Set-SCVirtualNetworkAdapter -VMNetwork $vipNetwork;
#    }
    $vipMemberNics += $vm.VirtualNetworkAdapters[0];
}

# Remove a VIP with the same name if one already exists, so the script can be re-run safely.
$existingVip = Get-SCLoadBalancerVIP -Name $VipName;
if ($existingVip -ne $null)
{
#    foreach ($mem in $existingVip.VipMembers)
#    {
#        $mem | Remove-SCLoadBalancerVIPMember;
#    }
    $existingVip | Remove-SCLoadBalancerVIP;
}

$vipt = Get-SCLoadBalancerVIPTemplate -Name $VipTemplateName;

# Create the VIP and attach the member adapters in one call.
$vip = New-SCLoadBalancerVIP -Name $VipName -LoadBalancer $lb -IPAddress $VipAddress `
    -LoadBalancerVIPTemplate $vipt -FrontEndVMNetwork $vipNetwork `
    -BackEndVirtualNetworkAdapters $vipMemberNics;

Write-Output "Created VIP " $vip;

#foreach ($memberNic in $vipMemberNics)
#{
#    $address = $memberNic.IPv4Addresses[0];
#    Write-Output "Creating vip member with address " $address;
#    New-SCLoadBalancerVIPMember -LoadBalancerVIP $vip -IPAddress $address -Port 82 -VirtualNetworkAdapter $memberNic;
#}

$vip = Get-SCLoadBalancerVIP -Name $VipName;

Write-Output "VIP with members " $vip;

=====

After running the script, you should see output with details for the VIP you have just created. Once the script is executed successfully and the VIP is assigned to the tenant VM, you should be able to access the tenant VM from outside your datacenter network.
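The paragraph above says what a successful run should look like but not how to confirm it. The following script is an added example, not part of the original guide, that checks the three things that must all be true for the VIP to work: the VIP exists in VMM with at least one back-end member, the router has learned the VIP's /32 route from the MUX over BGP, and the VIP answers on the template's port. The VIP name, address and port are the sample values used in this guide; the router name is a placeholder, and the route check assumes the router is a Windows RRAS VM reachable over PowerShell remoting.

```powershell
# Added example (not from the original guide): verify a VIP created by the script above.
# Run on the VMM server or a machine with the VMM console. The VIP values are this guide's
# samples; the router name is a placeholder and the route check assumes an RRAS router
# reachable via Invoke-Command.
param(
    [string]$VipName    = 'scvmm_172_27_1_5_5001',  # from the guide's sample script
    [string]$VipAddress = '172.27.1.5',             # from the guide's sample script
    [int]$VipPort       = 5001,                     # Virtual IP Port of the sample VIP template
    [string]$RouterName = '<RRAS-ROUTER-VM>'        # placeholder: RRAS VM name
)

Import-Module virtualmachinemanager

function Test-SlbVip {
    param([string]$Name, [string]$Address, [int]$Port, [string]$Router)

    $vip = Get-SCLoadBalancerVIP -Name $Name
    if ($null -eq $vip) { throw "VIP '$Name' not found in VMM" }

    # Each VipMember is a back-end DIP the MUX may forward to; no members means no traffic path.
    $members = @($vip.VipMembers)

    # The MUX advertises each active VIP as a /32 host route to its BGP peer. Ask the router
    # whether that route is present (assumed RRAS router; DestinationNetwork is the
    # BgpRouteInfo field that carries the prefix).
    $route = Invoke-Command -ComputerName $Router -ArgumentList "$Address/32" -ScriptBlock {
        param($net)
        Get-BgpRouteInformation | Where-Object { $_.DestinationNetwork -eq $net }
    }

    # A TCP connect to the VIP port from this machine. Run this from outside the tenant VM
    # network, so the connection actually traverses the MUX rather than reaching the DIP directly.
    $reachable = Test-NetConnection -ComputerName $Address -Port $Port -InformationLevel Quiet

    [pscustomobject]@{
        VipName       = $vip.Name
        IPAddress     = $vip.IPAddress
        MemberCount   = $members.Count
        Members       = (($members | ForEach-Object { $_.IPAddress }) -join ', ')
        RouteOnRouter = [bool]$route
        TcpReachable  = $reachable
    }
}

Test-SlbVip -Name $VipName -Address $VipAddress -Port $VipPort -Router $RouterName
```

If MemberCount is zero, revisit the member VM names and adapters passed to the creation script; if RouteOnRouter is false while the member count is fine, the BGP session from the previous section is the place to look; if only TcpReachable is false, check that the tenant VM is actually listening on the back-end port configured in the VIP template.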

Manish Jha, Program Manager
Microsoft