Networking Blog

A New Dawn of Software Defined Networking (SDN) in Windows Server 2025

AnirbanPaul
Nov 04, 2024

Today is an exciting day as we unveil extensive new features and improvements for Software Defined Networking (SDN) in Windows Server 2025. We deeply appreciate your fantastic feedback and requests which have driven our team forward.

We hope you are as thrilled as we are, and we can't wait to hear how you leverage these new features. We've categorized our updates into three major areas: Manageability, Security, and Scalability.

Manageability

“Native” SDN Infrastructure: The long-awaited feature is finally here! Traditionally, the Network Controller, a crucial part of SDN infrastructure, has been hosted in virtual machines (VMs), requiring multiple VMs for high availability. This setup consumes computing resources that could otherwise be used for applications, posing a significant issue for small-scale and single-node Failover Clusters. With Windows Server 2025, we have transitioned the Network Controller from VMs to being hosted directly as Failover Cluster services on Windows Server 2025 hosts. This change not only conserves resources but also simplifies deployment and management, eliminating the need to deploy, manage, and update VMs. Yes, no more patching or installing agents from various teams on these VMs. You can use PowerShell cmdlets or Windows Admin Center to deploy and manage the “native” SDN infrastructure. Native SDN empowers you to have advanced VM network security features in less than ten minutes.

Figure: Differences between Network Controller in VMs and “native” Network Controller

Simplified SDN Load Balancers (Coming Soon): Previously, setting up the SDN load balancer service involved configuring Border Gateway Protocol (BGP) peering between the load balancer virtual machines and the top-of-rack network switches to achieve external network connectivity. This process was cumbersome and incurred additional operational costs, consuming both resources and energy. The upcoming updates will make BGP optional, streamlining both the deployment and management process. This is particularly valuable for small and medium-sized businesses (SMBs) and smaller edge deployments, where advanced networking knowledge and know-how may be limited.

Security

Network security is a paramount concern for organizations today, given the rise in breaches, threats, and cybersecurity risks. SDN Network Security Groups (NSGs) offer Azure-consistent network security for Windows Server customers, protecting against both external and lateral threats. With Windows Server 2025, we are introducing new NSG capabilities to further enhance the security of your workloads.

Tag-based Segmentation: Instead of depending on cumbersome and unreliable methods for specifying IP ranges for NSG control, administrators can now use custom service tags to associate NSGs and VMs for access control. No more remembering and retyping IP ranges for your production and management machines; you can now use simple, self-explanatory labels. This allows you to tag your workload VMs with labels of your choice and apply security policies based on these tags. You can use PowerShell cmdlets or Windows Admin Center to deploy and manage network security tags. You can read more about tag-based segmentation here.

Figure: Network Security tags in Windows Admin Center

Default Network Policies: We are bringing Azure parity to our existing Network Security Groups (NSGs) on Windows Server 2025. Default Network Policies now enable you to reduce lateral attacks for workloads deployed through Windows Admin Center, offering options such as “Open some ports,” “Use existing NSG,” or “No protection.”

  • No protection: All ports on your VM are exposed to networks, posing a security risk.
  • Open some ports: The default policy denies all inbound access, allowing you to selectively open well-known inbound ports while permitting full outbound access from the VM.
  • Use existing NSG: Utilize an NSG you have already created.

With these options, you can ensure that your newly created VMs and applications are always protected with NSGs. You can read more about Default Network Policies here.
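The “Open some ports” option above is, underneath, an ordinary SDN access control list with a deny-all inbound rule at the lowest priority, a few higher-priority allow rules for the ports you choose, and an allow-all outbound rule. The following is an added example, not code from the original post or from the Windows Server product team, that builds such an ACL by hand with the NetworkController PowerShell module and attaches it to a VM's network interface. The REST endpoint, the `OpenSomePorts` and `WebVM_Nic1` resource ids, the helper function `New-SdnAclRule`, the priority numbers and the chosen ports (443 and 3389) are all assumptions for illustration.

```powershell
# Added example (not from the original post): express the "Open some ports"
# default policy as an SDN Network Controller access control list (ACL).
# Endpoint, resource ids, ports and priorities below are placeholders/assumptions.
$uri = "https://<NC-REST-FQDN>"   # placeholder: your Network Controller REST endpoint

function New-SdnAclRule {
    # Hypothetical helper for this example: wraps the AclRule object construction.
    param(
        [string]$ResourceId,
        [ValidateSet("Inbound", "Outbound")][string]$Type,
        [ValidateSet("Allow", "Deny")][string]$Action,
        [string]$Protocol,          # "TCP", "UDP" or "All"
        [string]$DestinationPorts,  # e.g. "443" or "0-65535"
        [int]$Priority              # lower number is evaluated first
    )
    $props = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $props.Type = $Type
    $props.Action = $Action
    $props.Protocol = $Protocol
    $props.SourceAddressPrefix = "*"
    $props.DestinationAddressPrefix = "*"
    $props.SourcePortRange = "0-65535"
    $props.DestinationPortRange = $DestinationPorts
    $props.Priority = "$Priority"
    $props.Logging = "Enabled"      # log matches so blocked lateral traffic is visible
    $rule = New-Object Microsoft.Windows.NetworkController.AclRule
    $rule.ResourceId = $ResourceId
    $rule.Properties = $props
    return $rule
}

# Selectively opened inbound ports (assumed for this example): HTTPS and RDP.
$rules = @(
    (New-SdnAclRule -ResourceId "Allow_HTTPS_In" -Type Inbound  -Action Allow -Protocol TCP -DestinationPorts "443"     -Priority 200),
    (New-SdnAclRule -ResourceId "Allow_RDP_In"   -Type Inbound  -Action Allow -Protocol TCP -DestinationPorts "3389"    -Priority 210),
    # Catch-all inbound deny with the weakest priority: anything not opened above is dropped.
    (New-SdnAclRule -ResourceId "Deny_All_In"    -Type Inbound  -Action Deny  -Protocol All -DestinationPorts "0-65535" -Priority 60000),
    # Full outbound access from the VM, as the "Open some ports" option describes.
    (New-SdnAclRule -ResourceId "Allow_All_Out"  -Type Outbound -Action Allow -Protocol All -DestinationPorts "0-65535" -Priority 60000)
)

$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
$acl = New-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "OpenSomePorts" -Properties $aclProps

# Attach the ACL to the workload VM's network interface (resource id assumed).
$nic = Get-NetworkControllerNetworkInterface -ConnectionUri $uri -ResourceId "WebVM_Nic1"
$nic.Properties.IpConfigurations[0].Properties.AccessControlList = $acl
New-NetworkControllerNetworkInterface -ConnectionUri $uri -ResourceId $nic.ResourceId -Properties $nic.Properties
```

After the two `New-NetworkController*` calls return, `Get-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "OpenSomePorts"` shows the provisioned rule set; the important check is that the `Deny_All_In` rule carries the numerically highest priority value, so every inbound flow that is not explicitly opened falls through to it. Keeping `Logging` enabled on the deny rule is what makes unexpected east-west connection attempts show up rather than silently disappear.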

Figures: Default network policies in Windows Admin Center during VM creation

Scalability

SDN Multisite: Many of you deploy applications across multiple locations and need the flexibility to move parts of these applications freely without reconfiguring the application or networks. Traditionally, Windows Server only partially supported this scenario and required additional components for deployment and management. SDN Multisite addresses this by providing native Layer 2 and Layer 3 connectivity between applications across two locations without any extra components. It also offers unified network policy management for workloads, eliminating the need to update policies when a workload VM moves from one location to another. You can use PowerShell cmdlets or Windows Admin Center to deploy and manage SDN Multisite. You can read more about SDN Multisite here.

Figure: Native connectivity for workload VMs across California and Norway WS 2025 clusters with SDN multisite

High Performance SDN Gateways: SDN Layer 3 gateways are essential for SDN infrastructure, providing connectivity between workloads on SDN networks and external networks by acting as routers. Many of you have requested performance improvements for these gateways. With Windows Server 2025, we have significantly enhanced the performance of SDN Layer 3 gateways, achieving higher throughput (~15-30% improvement) and reduced CPU cycles (~25-40% improvement). These improvements are enabled by default, so you will automatically experience better performance when you configure an SDN gateway Layer 3 connection through PowerShell cmdlets or Windows Admin Center.

Learning

Exciting news! We've just rolled out fresh learning content tailored to empower our customers and support engineers with in-depth knowledge and practice on SDN. Each self-guided module consists of a lecture and a hands-on lab aimed at providing actionable knowledge that drives success for our customers. You can access the learning content here: Technical reference for Software Defined Networking (SDN) | Microsoft Learn.

We are excited to share all these innovations with you. Upgrade to Windows Server 2025 to try out these features; we look forward to your feedback. For any suggestions, opinions, or issues, please reach out to us at sdn_feedback@microsoft.com.

Updated Nov 04, 2024
Version 2.0