A warm 2023 “Hello” to our Customers and Partners!
Today is an exciting day as we share with each of you the extensive new features and improvements for SDN in Windows Admin Center 2211 (WAC)! We cannot thank you enough for the fantastic feedback and requests to help us as a team drive forward. In case you missed it, Windows Admin Center (WAC) 2211 officially announced General Availability in December. You can download it here today!
We hope you all are as excited as us, and we cannot wait to hear how you leverage the new features!
Default Network Policies - This long-requested feature is finally available! We are bringing Azure parity to our existing NSG (network security groups) on Azure Stack HCI! Default Network Policies are automatically enabled as an available feature once your environment is upgraded to 22H2! Default Network Policies grant you the ability to reduce lateral attacks providing a few options such as “Open some ports,” “Use existing NSG,” or “No protection.” For “Open some ports,” default policy denies all inbound access optionally allowing you to select a list of well-known inbound ports and allows full outbound access from the VM. The next option is “Use existing NSG” that you may have already created, and the last option of “No protection”, all ports on your VM are exposed to networks posing a security risk. Now you can empower your newly created VMs (virtual machines) and applications to never be without NSG (Network Security Groups) protection again. We will write another blog post with all the details you want to know, so stay tuned!
Tag based Micro segmentation - Instead of relying on clunky, fragile methods of specifying IP ranges for NSG control, admins are now able to use custom service tags to associate NSGs and VMs for access control. Gone are the days of remembering and retyping the IP ranges for your production machines and management machines; simple, self-explanatory labels can be used instead. For more information on the feature and its use cases, check out Anirban's post from earlier this month
Improved SDN management for externally created VMs - In addition to continually working on improving the VM tools in WAC (Windows Admin Center), we have improved the way that WAC detects SDN integration with VMs created outside of WAC. Now, VMs using SDN that were created outside of WAC have improved capabilities to connect the VM itself to the SDN resources it uses to improve your management experience.
Kerberos support through WAC - WAC support for managing Kerberos-enabled clusters is finally here! Keep your clusters more protected through WAC by allowing for a higher-level security when accessing and updating your SDN resources. Simply deploy whatever network controllers, software load balancers, and gateways you need, and then enable Kerberos on your network controller to enjoy a more secure version of the SDN features you already use. All management, including VM SDN features, can be done through WAC just like before. We have enabled more security measures in this newest version, so be sure to visit the SDN Infrastructure extension to revalidate your SDN setup and reenable your networking extensions.
Deployment Improvements – Get ready for a more seamless deployment workflow! With additional validation and interface improvements, customers can see clearer error messages and more descriptive input labels with larger input text boxes. Behind the scenes, this deployment workflow will cache Network Controller node names, so users will no longer have to input this information for additional instances of WAC. Now, WAC also supports supplying VHD (virtual hard disk) files for VM creation in deployment.
NSG Audit Logs – NSG audit logging is now available with location setting and options for Azure blob uploading. Admins can select where NSG audit logs are stored locally, and we would especially like to highlight the Azure blob upload feature. This functionality allows admins to upload these flow logs to an Azure subscription blob to meet regulatory requirements for logging.
Gateways – Updates to the gateway extension allow users to view their virtual gateway connections and make edits to them through WAC. The creation of gateway connections has also been improved with corrected IP range validation and the ability to add more than one route metric at a time.
Phew... that's a list! Please grant us the gift of feedback by reaching out to sdn_feedback@microsoft.com.
Lastly, if you’d like to learn more about Windows Admin Center's SDN capabilities, here are some resources to check out:
Software Defined Networking is Azure-inspired Networking in your datacenter and at the edge, learn more below:
Plan for and deploy SDN infrastructure on Azure Stack HCI - Learn | Microsoft Docs
Implement Datacenter Firewall and Software Load Balancer on Azure Stack HCI - Learn | Microsoft Docs
Manage Azure Stack HCI tenant networks - Learn | Microsoft Docs
The Official Blog Site of the Windows Core Networking Team at Microsoft