Windows Server 2016: Introduction to Network Controller

In Windows Server 2016 There are many new features in networking that allow us to achieve a functional infrastructure, named Software-Defined Networking (SDN), underlying the Software Defined Datacenter (SDDC).

The main features of Software Architecture Defined Networking (SDN) are adaptability, the dynamism and ease of management. All these aspects can be covered better by introducing in Windows Server 2016 of the features that we're going to deepen in this article.

Network Controller

This is a new role that is introduced in Windows Server 2016 that can be easily installed by using Server Manager or Using PowerShell and that helps you manage, Configure and monitor virtual and physical network infrastructure of your datacenter. Thanks to the Network Controller you can also automate the configuration of their network infrastructure instead of having to manually configure device and services. This role can also be installed on virtual machines, plan to be put in high availability and can scale easily. Deploy your Network Controller can either be done in domain environment, in this case, user authentication and network device is using Kerberos, that in a non-domain environment requiring certificate authentication.

Communication between the Network Controller and the network components is done using the Southbound API, figura 1, where is made the discovery of network equipment and detected configuring services. Also through the same interface the required network information is collected and transmitted to the changes made.

Northbound interface API you can communicate with your Network Controller to consult network information and use them to make monitoring and troubleshooting. The same API is used to make changes to the network configuration and to deploy new devices.

2015_ 12_27_WS16NC_01
Figure 1 – Communication Scheme

Manage and monitor your network through Network Controller, figura 2, can be performed directly using PowerShell (Network Controller Cmdlets) or by using management applications such as System Center Virtual Machine Manager (SCVMM) and System Center Operations Manager (SCOM).

2015_ 12_27_WS16NC_02

Figure 2 – Management Network Controller

Via the Network Controller you can manage the following physical and virtual network infrastructure components:

  • Hyper-V VMs and virtual switches
  • Switch
  • Router
  • Software firewall
  • Vpn Gateway (including Multitenant RRAS Gateway)
  • Load Balancer

Virtualized Network Functions

The spread of virtualization has also involved the field network and there is more and more interest in virtual appliances and cloud services that provide network services with an emerging market growing fast. We see more and more frequently in software defined datacenter using virtual appliances to deliver networking features that typically were paid solely by physical devices (such as load balancers, Firewall, router, switch, etc.).

In Windows Server 2016 Technical Preview includes the following virtual appliance:

Software Load Balancer

This is a load balancer software layer-4, similar to the load balancer already widely used on the Azure platform. For more information about Microsoft Azure Load Balancing Services, I invite you to consult Microsoft Azure Load Balancing Services.

Multi-tenant Firewall

Datacenter Firewall, figura 3, is a new service introduced in Windows Server 2016. This firewall can protect the network layer virtual network and is thought to be multitenant. When implemented can be offered as a service by the service provider and the tenant administrator can install and configure the firewall policy to secure their virtual networks from potential attacks that originate from the internet or from Interne.

2015_ 12_27_WS16NC_03

Figure 3 – Firewall Policy

Managing the Datacentre Firewall can be made using the network controller. Datacenter Firewall provides the following benefits for cloud service providers:

  • A scalable and maintainable software firewall service that can be offered as a service to its tenants
  • Provides protection for tenants, regardless of the operating system running on the virtual machine
  • Freedom to move virtual machines hosted tenants of different fabrics without breaking the firewall functionality provided in that:
  • Agent firewall is deployed as a vSwitch;
  • The virtual machines of the tenant shall take the policy assigned to their vSwitch;
  • Firewall rules are configured in each port of the vSwitch, regardless of the physical host that holds the virtual machine

As regards tenants instead the Datacenter Firewall provides the following benefits:

  • Ability to define rules on the firewall to help protect workloads in virtual network to the Internet
  • Ability to create rules on the firewall for protection between virtual machines on the same subnet layer 2 or on different subnet L2
  • Ability to define firewall rules to help protect and isolate network traffic between the on-premise and virtual network tenants present at the service provider

RAS Gateway

RAS Gateway is used to route network traffic between the virtual and physical networks networks. There are many areas of use:

Site-to-Site Gateway

Multi-tenant gateway solution, figura 4, that allows tenants to access their resources and manage them using a site-to-site VPN connection. Thanks to this gateway you can connect virtual resources in the cloud with the physical network of the tenant.

2015_ 12_27_WS16NC_04

Figure 4 – S2S Gateway

Forwarding Gateway

Used to route network traffic between virtual networks and the physical network hosting provider (in the same geographical location) – Figure 5.

2015_ 12_27_WS16NC_05

Figure 5 – Forwarding Gateway

GRE Tunnel Gateway

Gateways are able to create tunnels based on the GRE protocol that provide connectivity between virtual network of tenants and external networks. The GRE protocol is supported on many network devices, Therefore it is an ideal choice when not prompted to channel encryption. For more information on the GRE tunnel I invite you to consult GRE Tunneling on Windows Server Technical Preview.

Hyper-V Network Virtualization

The Network Virtualization with Hyper-V (HNV) is a key component of Software Defined Networking solution (SDN) by Microsoft and as such there are many new features in Windows Server 2016 to make it more functional and integrated stack SDN.

An important aspect to consider when it comes to SDN is that stack itself is consistent with Microsoft Azure and would therefore bring the same potentials used in public cloud Azure at its reality.

Programmable Hyper-V Switch

With the Network Controller you can make policy push HNV, figura 6, towards the agent running on each host that uses the Open vSwitch Database Management Protocol (OVSDB – RFC 7047). The Host Agent stores these policies using a schema customization VTEP and is able to program complex rules within the powerful engine of Hyper-V virtual switch.

2015_ 12_27_WS16NC_06

Figure 6 – Push Policies

VXLAN Encapsulation support

EXtensible Protocol Virtual Local Area Network (VXLAN – RFC 7348) has been widely adopted in the market with the support of leading vendors like Cisco, Brocade, Dell, HP and others. The HNV now supports this encapsulation scheme, using Microsoft MAC distribution mode through the Network Controller, which allows you to program the association between the IP addresses of the tenant (Customer Address – CA) physical network IPS and (Provider Address – PA). Generic Routing Encapsulation the encapsulation protocol Network Virtualization (NVGRE) continues to be supported on Windows Server 2016.

Interoperability with Software Load Balancer (SLB)

The software load balancer (SLB) presented above is fully supported in the virtual networks. The SLB is done through the virtual switch engine performance and controlled by network controller regarding the mapping Virtual IP (VIP) – Dynamic IP (DIP).

IEEE Compliant

To ensure full interoperability with physical and virtual network equipment we guarantee that all packets transmitted when using HNV is in all its fields compliant with standards dictated by the IEEE. This aspect has been heavily edited and improved in Windows Server 2016.

New Elements Introduced (Cloud Stairs Fundamentals)

In Windows Server 2016 the following features have been introduced to allow you to configure your environment more effectively, making the best use of available hardware resources:

Converged Network Interface Card (NIC): This feature allows you to use a single network adapter to handle different types of traffic: the management, storage access (RDMA) and the traffic of the tenant. In this way it is possible to decrease the number of network adapters are required for each physical host.

Switch Embedded Teaming (SET): Set is a new integrated Virtual Switch NIC Teaming solution for Hyper-V. SET allows you to have up to eight compounds teaming physical network adapters in a single SET team. This teaming mode, being integrated into virtual switch, can only be used on physical hosts and not inside the virtual machines, where you can still configure teaming in the traditional way (NIC Teaming Virtual Machines). This teaming mode does not expose team interfaces, but the configurations are made through Virtual Switch port.

2015_ 12_27_WS16NC_07

Packet Direct: Packet Direct allows to achieve a high throughput and low latency for network traffic.

Enhancements to existing services

The Network Access Protection feature (NAP) is already in the State "deprecated" in Windows Server 2012 R2. In Windows Server 2016 the DHCP Server role will no longer support NAP DHCP scopes and functionality will no longer be NAP-enabled.

DNS Server
Now let's dig into those that are on Windows Servers 2016 the various innovations introduced on DNS servers to improve the efficacy and safety:

DNS Policy: You can configure DNS policy to define how the DNS server answers queries DNS. DNS responses can be based on many parameters, such as the client's IP address (location) or the time of day. DNS policies open their doors to different scenarios like location-aware DNS configuration, traffic management, load balancing and DNS split-brain.

Response Rate Limiting (RRL): You can configure the DNS server limits on response rate. This configuration allows us to avoid the use of DNS by malicious systems to perform DOS attacks (denial of service).

DNS-based Authentication of Named Entities (DANE): You can use the TLSA records (Transport Layer Security Authentication) to provide information to the Client regarding DNS which CA is waiting for a specific domain name. This mechanism is useful to prevent attacks man-in-the-middle type you.

Support for Unknown Records: This feature allows you to add records that are not explicitly supported by Windows DNS servers.

IPv6 root hints: You can use the IPV6 root servers for Internet name resolution.

Windows PowerShell Support: introducing new PowerShell cmdlets support is improved for the DNS Server.

DNS and IPAM: better integration between DNS and IPAM.

I invite you to study and evaluate the field the new features introduced in the field of networking downloading Windows Server 2016.

Please follow and like us: