Understanding Hyper-V Network VirtualizationCDP-B324Arnaud Lheureux, Stanislas QuastanaTechnical Evangelists, CISSPMicrosoft

Session Objectives And TakeawaysSession Objectives: Understand what is Hyper-V Network Virtualization and how it worksDeploy network virtualization with System Center 2012 R2Understand how to link real world and virtualized networks

Hyper-V Network Virtualization = System Center 2012 R2 Virtual Machine Manager+ Windows Server 2012 R2 Hyper-V+ HNV Gateway

What is Network Virtualization?

Network Virtualization decouples IP virtual networks and addresses from physical network infrastructure, providing isolation and concurrency between multiple virtual IP networks on the same physical network infrastructure

ObjectivesRun multiple virtual IP networks on a physical network Each virtual network has illusion it is running as a physical network

Network Virtualization?

Network Virtualization?

For companies/private cloudPrivate Cloud with network isolation between internal customers/business unitsExtend Corporate Datacenters to external resources Hybrid CloudFlexible VM placement without reconfiguration Easier Integration of acquired company network infrastructure

For hostersMulti-tenancyCustomers can bring their own IP and IP network topologyFlexible VM placement in datacenter networks without reconfiguration

Network virtualization benefits

How Hyper-V Network Virtualization works?

PA: Provider Address IP Address owned and managed by infrastructure/cloud provider/hosterIP Address assigned to provider’s hypervisor

CA: Customer Address IP Address owned and managed by Cloud/Hoster’s customerIP Address assigned to a customer’s virtual machine

2 types of IP addresses

Customer VM Network Network isolation boundaryComprised of one or more Virtual SubnetsRouting between VM subnets is explicit

Virtual Subnet (VSID)Broadcast boundary

Customer VM Network & Virtual Subnet

Red Corp

Blue Subnet1

Blue Subnet3Blue Subnet2

Blue Subnet5

Blue Subnet4

Red Subnet2

Red Subnet1

Blue Sales Net Red HR Net

Multitenant Datacenter eg: Hoster Datacenter/Private Cloud

CustomerVM Network

VirtualSubnet

Blue CorpBlue R&D Net

Hyper-V Network Virtualization is transparent for virtual machines that know only Customers IP Addresses

Only VM Network traffic is virtualizedHyper-V administration network traffic is not virtualized

Hyper-V Network Virtualization - Principles

Different subnets

NVGRE – How it works

10.0.0.5 10.0.0.5 10.0.0.7 10.0.0.7

192.168.2.22 192.168.5.55

192.168.2.22192.168.5.55

10.0.0.5 10.0.0.7

GRE Key Blue Subnet

MAC

10.0.0.5 10.0.0.7

GRE Key Red Subnet

MAC192.168.2.22

192.168.5.55

10.0.0.510.0.0.7

10.0.0.510.0.0.7

10.0.0.5 10.0.0.7

10.0.0.510.0.0.7

Provider Address (PA)

Customer Address (CA)

Configuration propagation

Blue• VM1: MAC1, CA1, PA1

• VM2: MAC2, CA2, PA3

• VM3: MAC3, CA3, PA5

• … Red• VM1: MACX, CA1, PA2

• VM2: MACY, CA2, PA4

• VM3: MACZ, CA3, PA6

• …

System Center 2012 R2

Virtual Machine Manager

Hyper-V n°1with VMM

agent@IP : PA1

Hyper-V n°2with VMM

agent@IP : PA3

Hyper-V n°3with VMM

agent@IP : PA3

VM Networks configuration

network virtualizationConfiguration

Networking in SC VMM at first look

Hyper-V Network virtualization configuration step by step with System Center VMM

Configuration step by step1. Create a “Logical Network”2. Create an ”IP Pool” (Provider Addresses)3. Create a ”Logical Switch” 4. Assign a Logical Switch to an Hyper-V host5. Create a “VM Network”6. Create an “IP Pool” for “VM Network”

(Customer Addresses)7. Assign a “VM Network” to a virtual machine

Pro

vid

er

Cu

sto

mer

Configuration step by step1. Create a “Logical Network”2. Create an ”IP Pool” (Provider Addresses)3. Create a ”Logical Switch” 4. Assign a Logical Switch to an Hyper-V host5. Create a “VM Network”6. Create an “IP Pool” for “VM Network”

(Customer Addresses)7. Assign a “VM Network” to a virtual machine

Pro

vid

er

Cu

sto

mer

Create “Logical Network”

IP range for hypervisors in Paris Datacenter 172.16.0.0/16

IP range for hypervisors in Seattle Datacenter 172.17.0.0/16

1 Logical Network to define those networks : InfraNetworkCloudProvider

Configuration step by step1. Create a “Logical Network”2. Create an ”IP Pool” (Provider Addresses)3. Create a ”Logical Switch” 4. Assign a Logical Switch to an Hyper-V host5. Create a “VM Network”6. Create an “IP Pool” for “VM Network”

(Customer Addresses)7. Assign a “VM Network” to a virtual machine

Pro

vid

er

Cu

sto

mer

Create “IP Pool” (PA)

Configuration step by step1. Create a “Logical Network”2. Create an ”IP Pool” (Provider Addresses)3. Create a ”Logical Switch” 4. Assign a Logical Switch to an Hyper-V host5. Create a “VM Network”6. Create an “IP Pool” for “VM Network”

(Customer Addresses)7. Assign a “VM Network” to a virtual machine

Pro

vid

er

Cu

sto

mer

Create “Logical Switch”

Logical switch prerequisite 1: Native/Uplink Port Profile

Logical Switch Prerequisite 2: Virtual network adapter port profiles

VMQSR-IOVIPsec task OffloadingDHCP Guard…

Logical switch prerequisite 3:Port Classifications

Configuration step by step1. Create a “Logical Network”2. Create an ”IP Pool” (Provider Addresses)3. Create a ”Logical Switch” 4. Assign a Logical Switch to an Hyper-V host5. Create a “VM Network”6. Create an “IP Pool” for “VM Network”

(Customer Addresses)7. Assign a “VM Network” to a virtual machine

Pro

vid

er

Cu

sto

mer

Assign logical switch to Hyper-V hosts

Configuration step by step1. Create a “Logical Network”2. Create an ”IP Pool” (Provider Addresses)3. Create a ”Logical Switch” 4. Assign a Logical Switch to an Hyper-V host5. Create a “VM Network”6. Create an “IP Pool” for “VM Network”

(Customer Addresses)7. Assign a “VM Network” to a virtual machine

Pro

vid

er

Cu

sto

mer

Create “VM Network”

Configuration step by step1. Create a “Logical Network”2. Create an ”IP Pool” (Provider Addresses)3. Create a ”Logical Switch” 4. Assign a Logical Switch to an Hyper-V host5. Create a “VM Network”6. Create an “IP Pool” for “VM Network”

(Customer Addresses)7. Assign a “VM Network” to a virtual machine

Pro

vid

er

Cu

sto

mer

Create “IP Pool” for “VM Network” (CA)

Configuration step by step1. Create a “Logical Network”2. Create an ”IP Pool” (Provider Addresses)3. Create a ”Logical Switch” 4. Assign a Logical Switch to an Hyper-V host5. Create a “VM Network”6. Create an “IP Pool” for “VM Network”

(Customer Addresses)7. Assign a “VM Network” to a virtual machine

Pro

vid

er

Cu

sto

mer

Assign “VM Network” to virtual machine

Some useful commands

Cmdlet Hyper-VGet-NetVirtualizationProviderAddressGet-NetVirtualizationLookupRecordGet-NetVirtualizationCustomerRoute

Cmdlet SCVMM 2012 R2Get-SCIPAddressRevoke-SCIPAddressGet-SCStaticIPAddressPool

Commands you need to know

“Follow the packets”

Packet Flow:VM are in different Virtual SubnetVM running on different hyper-V hostsVSID 5001, 5222 in the same routing

domain

Packet Flow: Blue1 send to Blue2

PA : 192.168.4.11

NIC NIC

PA : 192.168.4.22

CA : 10.0.0.5 CA : 10.0.1.7

Blue1 Blue2Virtual Subnet ID :

5001Virtual Subnet ID :

5222

Packet Flow: Blue1 Blue2where is default gateway ?

ARP for 10.0.0.1 (default gateway)

Hyper-V Switch broadcasts ARP to:1. All local VMs on VSID 50012. Network Virtualization filter

OOB: VSID:5001

Network Virtualization filter responds to ARP with MACDGW

ARP for 10.0.0.1

ARP is NOT broadcast to the network

192.168.4.11NIC

Hyper-V Switch

VSID ACL Enforcement

Blue1 Red1

Network Virtualization

10.0.0.510.0.0.5

MACPA1

VSID5001

VSID6001

IP VirtualizationPolicy Enforcement

RoutingMACDGW

Different VSID :: Different Hosts

192.168.4.22NICMACPA2

Blue2 Red2

10.0.0.710.0.1.7

VSID5222

VSID6001

Hyper-V Switch

VSID ACL Enforcement

Network Virtualization

IP VirtualizationPolicy Enforcement

Routing

Packet Flow: Blue1 Blue2

MACPA1

OOB: VSID:5001

Use MACDGW for 10.0.0.1

Default Gateway at MACDGW

Blue1 learns MAC of Default Gateway

MACDGW

Different VSID :: Different Hosts

192.168.4.11NIC

Hyper-V Switch

VSID ACL Enforcement

Blue1 Red1

Network Virtualization

10.0.0.510.0.0.5

MACPA1

VSID5001

VSID6001

IP VirtualizationPolicy Enforcement

RoutingMACDGW

192.168.4.22NICMACPA2

Blue2 Red2

10.0.0.710.0.1.7

VSID5222

VSID6001

Hyper-V Switch

VSID ACL Enforcement

Network Virtualization

IP VirtualizationPolicy Enforcement

Routing

Packet Flow: Blue1 Blue2sent from Blue1

MACB1MACDGW 10.0.0.5 10.0.1.7

OOB: VSID:5001

in Hyper-V switch

MACB1MACDGW 10.0.0.5 10.0.1.7

in Network Virtualization filterOOB: VSID:5001

MACB1MACDGW 10.0.0.5 10.0.1.7

NVGRE on the wireMACPA1 MACPA2 192.168.4.11 192.168.4.22 5222 MACB1MACB2 10.0.0.5 10.0.1.7

MACDGW

5222

Different VSID :: Different Hosts

192.168.4.11NIC

Hyper-V Switch

VSID ACL Enforcement

Blue1 Red1

Network Virtualization

10.0.0.510.0.0.5

MACPA1

VSID5001

VSID6001

IP VirtualizationPolicy Enforcement

RoutingMACDGW

192.168.4.22NICMACPA2

Blue2 Red2

10.0.0.710.0.1.7

VSID5222

VSID6001

Hyper-V Switch

VSID ACL Enforcement

Network Virtualization

IP VirtualizationPolicy Enforcement

Routing

Packet Flow: Blue1 Blue2received by Blue2

MACB1MACB2 10.0.0.5 10.0.1.7

OOB: VSID:5222

in Hyper-V switch

MACB1MACB2 10.0.0.5 10.0.1.7

NVGRE on the wire

in Network Virtualization filterOOB: VSID:5222

MACB1MACB2 10.0.0.5 10.0.1.7

MACPA1 MACPA2 192.168.4.11 192.168.4.22 5222 MACB1MACB2 10.0.0.5 10.0.1.7

MACDGW

Different VSID :: Different Hosts

192.168.4.11NIC

Hyper-V Switch

VSID ACL Enforcement

Blue1 Red1

Network Virtualization

10.0.0.510.0.0.5

MACPA1

VSID5001

VSID6001

IP VirtualizationPolicy Enforcement

RoutingMACDGW

192.168.4.22NICMACPA2

Blue2 Red2

10.0.0.710.0.1.7

VSID5222

VSID6001

Hyper-V Switch

VSID ACL Enforcement

Network Virtualization

IP VirtualizationPolicy Enforcement

Routing

Network Trace Analysis

How to connect Hyper-V Virtualized Networks to other networks ?

Hyper-V Network Virtualization Gateway bridges network virtualized environment with non-network virtualized environment

The HNV Gateway adds or removes NVGRE encapsulation and routes to physical network or encapsulates it in a VPN packet to send to a remote location

HNV Gateway

Hyper-V Network Virtualization & real datacenter networks

Hyper-V Network

Virtualization

Gateway

DC SQL DNS

subnet 10.2x.x/16

subnet 10.3.x.x/16

subnet 10.4.x.x/16

R1 R2B1 B2 B3 R3 R4Y1 Y2

172.16.x.x/16 Provider Addresses

Consolidated Datacenter Hyper-V Network Virtualization (“NVGRE world”)

Host1 Host2 Host3

Customer Addresses

CorpNet10.1.x.x/16

Hyper-V Network Virtualization & Hybrid Cloud

Hyper-V Network

Virtualization

Gateway

DC SQLDNS

subnet 10.2x.x/16

subnet 10.3.x.x/16

subnet 10.4.x.x/16

R1 R2B1 B2 B3 R3 R4Y1 Y2

172.16.x.x/16 Provider Addresses

Consolidated Datacenter Hyper-V Network Virtualization (“NVGRE world”)

Host1 Host2 Host3

Customer Addresses

S2S VPN

Internet

S2S VPNCorpNet10.1.x.x/16

HNV Gateway configuration & Deployment

WSG = Hypervisor + VM with RRAS services

Configuration done by SC VMM

Typically uses 3 network interfaces

N° 1 frontal, datacenter networkN° 2 backend, NVGRE networkN° 3 management network

/!\ Hypervisor hosting WSG cannot host VM using HNV

Windows Server Gateway topology

Hyper-V n°4With VMM agent

NIC 1 : PA/LogicalSwitchNIC 2 : Datacenter

NIC 3 : Management

VM : WSG1vNIC 1 : PA/LogicalSwitch

vNIC 2 : DatacentervNIC 3 : Management

1. Setup Windows Server Gateway Host and VM

2. Add the Gateway to VMM Network Fabric

3. Configure VM Networks to use Windows Server Gateway

3 steps to deploy Windows Server Gateway

Pro

vid

er

Cu

sto

mer

Configuring HNV Gateway on VM Networks

WhitepaperWindows Server Gateway Hardware and Configuration Requirements http://technet.microsoft.com/library/dn423897.aspx

VMM Configuration template

VMM Service model for 2 or 3 NICs configuration

http://technet.microsoft.com/en-us/library/dn249417.aspx

Building a highly available WSG

1. Install NVGRE Gateway provider in VMM

2. Add a new Gateway to VMM Network Fabric

3. Configure VM Networks to use NVGRE Gateway

3 steps to deploy 3rd party NVGRE Gateway

Pro

vid

er

Cu

sto

mer

IPAM Windows Server 2012 R2

Key takeaways

Hyper-V Network Virtualization provide a virtual IP network abstraction overlaid on a physical network

Hyper-V Network Virtualization = Windows Server 2012/2012 R2 Hyper-V + System Center 2012 SP1/2012 R2 Virtual Machine Manager + NVGRE Gateway (Windows Server 2012 R2, F5 Networks…) [+ IPAM Windows Server 2012 R2]

Key Takeaways

http://aka.ms/ArnaudTwitter : @arnaudlheureux

Stanislas Quastana

http://aka.ms/StanislasTwitter : @squastana

Arnaud Lheureux

Thank you for your attention!

Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

Developer Network

http://developer.microsoft.com

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd

Come visit us in the Microsoft Solutions Experience (MSE)!Look for the Cloud and Datacenter Platform area TechExpo Hall 7

For more informationWindows Server Technical Previewhttp://technet.microsoft.com/library/dn765472.aspx

Windows Server

Microsoft Azure

Microsoft Azurehttp://azure.microsoft.com/en-us/

System Center

System Center Technical Previewhttp://technet.microsoft.com/en-us/library/hh546785.aspx

Azure Pack Azure Packhttp://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack

Azure

Implementing Microsoft Azure Infrastructure Solutions

Classroomtraining

Exams

+

(Coming soon)Microsoft Azure Fundamentals

Developing Microsoft Azure Solutions

MOC

10979

Implementing Microsoft Azure Infrastructure Solutions

Onlinetraining

(Coming soon)Architecting Microsoft Azure Solutions

(Coming soon)Architecting Microsoft Azure Solutions

Developing Microsoft Azure Solutions

(Coming soon)Microsoft Azure Fundamentals

http://bit.ly/Azure-Cert

http://bit.ly/Azure-MVA

http://bit.ly/Azure-Train

Get certified for 1/2 the price at TechEd Europe 2014!http://bit.ly/TechEd-CertDeal

2 5 5MOC

20532

MOC

20533

EXAM

532EXAM

533EXAM

534

MVA MVA

TechEd Mobile app for session evaluations is currently offline

SUBMIT YOUR TECHED EVALUATIONSFill out an evaluation via

CommNet Station/PC: Schedule Builder

LogIn: europe.msteched.com/catalog

We value your feedback!

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.