Windows Server 2016 enables building a Software-Defined Data Center (SDDC) with new layers of security and an Azure-derived approach to hosting business applications and infrastructure. The new Software-Defined Network (SDN) stack provides dynamic security and hybrid flexibility by enforcing network policy in the Hyper-V Virtual Switch using the Azure Virtual Filtering Platform (VFP) switch extension. Instead of programming network configuration into a physical switch, the new Microsoft Network Controller delivers the network policy to the Hyper-V hosts over the OVSDB protocol; a Host Agent on each host programs that policy into the VFP extension of the vSwitch, which enforces it.
Hyper-V Network Virtualization (HNV)
The network virtualization solution in Windows Server 2012 and 2012 R2 – Hyper-V Network Virtualization (HNV) – used an encapsulation format known as NVGRE to create overlay networks based on network policy that is managed through SCVMM and programmed through WMI / PowerShell (an interface that remains available in Windows Server 2016). Another popular industry protocol for encapsulation is VXLAN.
Windows Server 2016 supports both NVGRE and VXLAN encapsulation protocols, with the default being VXLAN. The Microsoft Network Controller is built as a programmable surface to create and manage virtual networks and apply precise policies for security, load balancing, and Quality of Service. A specific management plane (PowerShell scripts, System Center Virtual Machine Manager (SCVMM), or the Microsoft Azure Stack (MAS) components) programs network policy through the RESTful API exposed by the Microsoft Network Controller, which then distributes this policy to each of the Hyper-V hosts using the OVSDB Protocol and a set of schemas to represent virtual networks, ACLs, user-defined routing, and other policy.
Like VLANs, both NVGRE and VXLAN provide isolation by carrying an identifier in the encapsulation header (e.g. the VXLAN Network Identifier, VNI) that marks the logical network segment (virtual subnet) a packet belongs to.
In WS2016, multiple VNIs (virtual subnets) can be grouped into a Routing Domain. Isolation is maintained between tenant virtual networks (routing domains), so different tenants can use overlapping IP address spaces.
Unlike physical networks with VLANs, where policy is closely tied to location and to the physical port to which a server (hosting a VM) is attached, a network endpoint (VM) is free to move across the datacenter, with all of its policy moving along with it.
Microsoft chose to distribute the VM MAC-to-VTEP IP mapping information from a central authority, which avoids unnecessary broadcast/multicast traffic on the physical network. The Microsoft Network Controller (OVSDB client) communicates with the Hyper-V hosts (VTEPs) using the OVSDB protocol, with policy represented in schemas and persisted to each Host Agent’s database (OVSDB server).
A local ARP responder on the host can then intercept and answer all ARP requests from the VMs, supplying the destination MAC address of the remote VM. The Host Agent database also contains the VTEP IP address of every host attached to the virtual subnet. The Host Agent programs mapping rules into the VFP extension of the Hyper-V Virtual Switch so that VM packets are correctly encapsulated and sent based on the destination VM.
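The following is an added example, not code from the original article or from Microsoft: a small Python model of the data path just described. A constructed NetworkController pushes VM-to-VTEP lookup records to every host's agent database (the central-authority distribution), the host-side ARP responder answers from that table, and a VXLAN header (RFC 7348 layout, UDP port 4789) is built around the inner frame. Records are keyed on routing domain and VNI, which is what lets two tenants use the same 10.0.0.0/24 addresses without colliding. All class names, tenant names, addresses and MACs are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

VXLAN_UDP_PORT = 4789          # IANA-assigned UDP port for VXLAN
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" flag: VNI field is valid
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class VmRecord:
    """One lookup record: a customer address and the host (VTEP) that owns it."""
    routing_domain: str   # tenant virtual network; scopes overlapping IP space
    vni: int              # virtual subnet id carried in the VXLAN header
    customer_ip: str      # VM address inside the tenant network
    mac: bytes            # VM MAC address (6 bytes)
    provider_ip: str      # VTEP / host address on the physical network


class HostAgentDb:
    """Constructed stand-in for a host agent's lookup table (the OVSDB server side)."""

    def __init__(self) -> None:
        self._by_ip: Dict[Tuple[str, int, str], VmRecord] = {}

    def install(self, rec: VmRecord) -> None:
        self._by_ip[(rec.routing_domain, rec.vni, rec.customer_ip)] = rec

    def lookup(self, routing_domain: str, vni: int, ip: str) -> Optional[VmRecord]:
        # Keyed on routing domain + VNI, so tenant A's 10.0.0.5 never resolves to tenant B's.
        return self._by_ip.get((routing_domain, vni, ip))


class NetworkController:
    """Central authority: pushes the full mapping table to every host instead of
    letting hosts learn it from broadcast/multicast traffic."""

    def __init__(self, hosts: Dict[str, HostAgentDb]) -> None:
        self.hosts = hosts

    def publish(self, rec: VmRecord) -> None:
        for db in self.hosts.values():
            db.install(rec)


def vxlan_header(vni: int) -> bytes:
    # RFC 7348 layout: flags(8) | reserved(24) | VNI(24) | reserved(8)
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8)


def parse_vxlan_header(hdr: bytes) -> int:
    """Return the VNI from an 8-byte VXLAN header; reject headers without the I flag."""
    first, second = struct.unpack("!II", hdr[:8])
    if (first >> 24) & VXLAN_FLAG_VNI_VALID == 0:
        raise ValueError("VNI-valid flag not set")
    return second >> 8


def arp_respond(db: HostAgentDb, src: VmRecord, target_ip: str) -> Optional[bytes]:
    """Local ARP responder: answer from the host table instead of flooding the request."""
    rec = db.lookup(src.routing_domain, src.vni, target_ip)
    return rec.mac if rec else None


def encapsulate(db: HostAgentDb, src: VmRecord, dst_ip: str, payload: bytes) -> Optional[dict]:
    """Build the outer addressing and the VXLAN-wrapped inner Ethernet frame for one VM packet."""
    dst = db.lookup(src.routing_domain, src.vni, dst_ip)
    if dst is None:
        return None  # no policy for that destination: drop rather than flood
    inner = dst.mac + src.mac + struct.pack("!H", ETHERTYPE_IPV4) + payload
    return {
        "outer_src": src.provider_ip,
        "outer_dst": dst.provider_ip,
        "udp_dst_port": VXLAN_UDP_PORT,
        "packet": vxlan_header(src.vni) + inner,
    }
```

Running the functions against two tenants that both use 10.0.0.5 shows the isolation property directly: an ARP for 10.0.0.5 from tenant A's VM returns tenant A's MAC, the same query scoped to tenant B returns tenant B's record, and a destination with no published record yields no encapsulation at all.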
This is the review of an article.