First published on TECHNET on Feb 29, 2016
1. Create an Active Directory security group for Network Controller management
2. Create an Active Directory security group for Network Controller clients
3. Prepare an SSL Certificate
To use a self-signed certificate
To use a Certificate Authority
4. Prepare a file share for keeping diagnostic logs (optional)
Topology
Hosts
Virtual Machines
Management Logical Network
Management Logical Switch
Prepare VHD for the Network Controller virtual machine
Import the service template
To import the service template into the VMM library
Configure and deploy the service
Add and configure Network Controller service to VMM
To run the Add Network Service wizard
Create Back End network for tenant VM connectivity
To create the Back End (HNV PA) network
Create IP address pools that will be managed by the network controller
To create an IP address pool for the Back End Network
Configure Back End network
Create an SDN logical switch and deploy to hosts
To create the SDN logical switch
To deploy the logical switch to hosts
Create tenant VM networks and IP pools
To configure a VM network
Create tenant virtual machines
To create a virtual machine from an existing virtual hard disk
Manish Jha, Program Manager
Microsoft
UPDATE: For the latest information on deploying Network Controller using VMM 2016, please see Deploy a Software Defined Network infrastructure using VMM in TechNet.
=====
Introduction
This article helps you evaluate the Software Defined Networking (SDN) features in Windows Server 2016 Technical Preview 4. In particular, it focuses on using System Center Virtual Machine Manager (VMM) 2016 Technical Preview 4 for deploying Network Controller , a new feature in Windows Server 2016. Network Controller is a scalable and highly available server role that enables you to automate the configuration of network infrastructure instead of performing manual configuration of network devices.
Prerequisites
Before proceeding to deploy Network Controller, make sure that you have performed the following steps:
1. Create an Active Directory security group for Network Controller management
You need to create an Active Directory security group for Network Controller management. The group should be a Domain Local group. Members of this group will be able to create, delete, and update the deployed Network Controller configuration. You need to create at least one user account that is a member of this group and have access to its credentials.
2. Create an Active Directory security group for Network Controller clients
You need to create an Active Directory security group for Network Controller clients. The group should be a Domain Local group. Once the Network Controller is deployed, any members of this group will have permissions to communicate with the controller via REST interface. You need to create at least one user account that is a member of this group. After the Network Controller is deployed, VMM can be configured to use this user account’s credentials to establish communication with the Network Controller.
3. Prepare an SSL Certificate
You need an SSL certificate that will be used to establish secure communication (https) between VMM and Network Controller. There are two methods you can use to generate an SSL certificate: generate a self-signed certificate or use a Certificate Authority (CA).
To use a self-signed certificate
The following example creates a new self-signed certificate, and can be run from a PowerShell command window on any computer running Windows Server 2016 Technical Preview. Make note of the names you use to create the certificate and use the same names when you deploy the Network Controller.
New-SelfSignedCertificate -KeyUsageProperty All -Provider "Microsoft Strong Cryptographic Provider" -FriendlyName "<YourNCComputerName>" -DnsName @("<YourNCFQDN>")
You can use the Certificates snap-in to manage your certificate. Click Start , type manage computer certificates and press Enter. A Certificates - Local Computer console starts, where you can find your Network Controller certificate under Personal , Certificates .
To use a Certificate Authority
For Windows-based enterprise CA, follow the steps available here to request a CA-signed certificate. The certificate must include the serverAuth EKU, specified by the OID 1.3.6.1.5.5.7.3.1. In addition, the certificate Subject Name must match the DNS name of the Network Controller.
After requesting the certificate, use the Certificates snap-in to export it and its private key into a .pfx file. When exporting, choose Personal Information Exchange - PKCS #12 (.PFX) and accept the default to Include all certificates in the certification path if possible . The export wizard requires that you protect the private key by either a security or a password. Be sure to assign a password, as you will need it later during Network Controller deployment.
4. Prepare a file share for keeping diagnostic logs (optional)
This share will be accessed by the Network Controller to store diagnostics information throughout its lifetime. Create a file share that can be accessed by the Network Controller. You may also optionally assign access permissions for the share to a specific domain user account. Store the username and password for this account which will be used later during Network Controller deployment.
Setup
This section covers the setup require for deploying the Network Controller.
Topology
The following test topology is designed to allow you to evaluate the SDN features on a small hardware footprint without requiring a large test bed. You can deploy this topology if you want but it’s not required. It is just a guide to help you understand the pieces that are required to deploy an SDN fabric and how they fit together. We assume that you already have VMM 2016 Technical Preview 4 installed with a few hosts under management.
- Create a separate Host Group for hosts that will be managed by the Network Controller. The Network Controller supports Windows Server 2016 Technical Preview hosts only.
- Ensure that you have a dedicated subnet for Logical Networks that will be managed by the Network Controller. You cannot share a subnet or Logical Network that is managed by the Network Controller with non-managed hosts running Windows Server 2016 Technical Preview or with hosts running previous versions of operating system.
The topology to deploy Network Controller consists of three physical hosts, one virtual machine for Network Controller, and two tenant virtual machines that will be used for Network Controller deployment validation.
Hosts
Host | Hardware Requirements | Software Requirements |
Host 1 : Infrastructure Host | 2 x 1Gb physical network adapter | Windows Server 2016 Tech Preview |
Host 2 : VM Host | 2 x 1Gb physical network adapter | Windows Server 2016 Tech Preview |
Host 3 : VM Host | 2 x 1Gb physical network adapter | Windows Server 2016 Tech Preview |
Virtual Machines
Virtual Machine | Software Requirements |
Network Controller Virtual Machine | Windows Server 2016 Technical Preview 4 (VHD) |
Tenant VM 1 | Windows Server 2016 Technical Preview 4 (VHD) |
Tenant VM2 | Windows Server 2016 Technical Preview 4 (VHD) |
The physical network must be configured so that the following networks are available. Subnets and VLAN IDs are examples and can be customized for your environment:
Network Name | Subnet | Mask | VLAN ID on trunk | Gateway |
Management : The subnet that connects VMM with NC Host and VM Hosts. | 10.60.34.0 | 24 | NA | 10.60.34.1 |
Backend : Subnet for the Provider Addresses. Needed to validate the Network Controller deployment. | 10.60.33.128 | 25 | 11 | 10.60.33.129 |
Active Directory and DNS must be reachable from these subnets.
Management Logical Network
The Management logical network models the Management network connectivity for the VMM host, NC host, and VM hosts. To create the Management logical network:
- Open the Fabric workspace in the VMM Console, expand Networking and select the Logical Networks node.
- Right-click the Logical Network node and select Create Logical Network .
- Specify a Name and optional Description for this network. For example, you can call it MGMT. Click Next .
- On the Settings page, be sure to select One Connected Network , since all Management networks need to have routing and connectivity between all hosts in that network. Check the Create a VM Network with the same name… to automatically create a VM Network for your Management network. Click Next .
- In the Network Site panel, click Add to add a new network site. Select the host group for the hosts that will be managed by the Network Controller. Insert your management network IP subnet information. This network should already exist and be configured in your physical switch. Click Next when you’re ready to proceed.
6. Review the Summary information and click Finish to complete.
Management Logical Switch
The Management logical switch needs to be deployed on the NC host and provides the Management network connectivity to the NC VM. To create Management logical switch:
- Click Create Logical Switch on the ribbon in the VMM Console.
- Review the Getting Started information and click Next .
- Provide a Name and optional Description. For the Uplink mode, be sure to select No Uplink Team . Click Next to proceed.
- For Minimum Bandwidth mode, choose Absolute . Click Next .
- Accept the default switch extension and click Next to proceed.
- You can add a Virtual Port Profile and choose a Port Classification for Host Management on this page if you want but it is not required. Click Next when you’re finished.
- Create a new Uplink Port Profile directly from the Logical Switch wizard. Click Add and select New Uplink Port Profile from the drop down menu.
- Provide a name and optional description for your uplink port profile.
a. Use the defaults for Load Balancing algorithm and Teaming Mode.
b. Be sure to select all the network sites that are part of the Management logical network you created.
c. Select the Uplink Port Profile you created and click New virtual network adapter. This adds a host virtual network adapter (vNIC) to your logical switch and uplink port profile, so when you add the logical switch to your hosts, the vNICs get added automatically.
d. Provide a name for the vNIC. Verify that the management VM network is listed under the Connectivity section.
e. Check the Inherit connection settings from the host adapter box. This allows you to take the vNIC adapter settings from the adapter that already exists on the host.
f. If you created a port classification and virtual port profile earlier, you can select it now.
g. Click Next.
h. Review the Summary information and click Finish to complete the wizard.
To deploy the Management logical switch on the NC host, follow the steps available at this page.
Deployment
Prepare VHD for the Network Controller virtual machine
The service template requires one virtual hard disk that must be prepared prior to importing the service template. This virtual disk must contain an operating system running Windows Server 2016 Technical Preview and should be in VHD format. Download and use Windows Server 2016 Technical Preview 4 ISO image from here . Please note that with TP4, VMM service template for Network Controller only supports single node deployment on a generation 1 virtual machine.
Import the service template
This section tells you how to import Network Controller service template into your VMM library. Before proceeding to import Network Controller Service template, download the template to your machine from our download center here .
To import the service template into the VMM library
- In VMM, navigate to Library .
- In the top of the left pane, in the Templates section, select Service Templates .
- In the ribbon at the top, click Import Template .
- Browse to your service template folder, select the Network Controller Standalone.xml file and follow the prompts to import it.
The service template uses the following virtual machine configuration parameters. Update the parameters to reflect the configuration for your environment as you import the service template.
Resource Type | Resource Name and Description |
Library Resources |
Resource Name
: WinServer.vhd
Description : Windows Server Virtual Hard Disk. Format should be VHD.Select the base VHD image that you prepared earlier and imported into your VMM library. |
NCSetup.cr | A library resource that contains scripts to be utilized to setup the Network Controller. Map to the NCSetup.cr library resource in your VMM library. |
ServerCertificate.cr | A library resource that contains an SSL certificate in .PFX format. Select the ServerCertificate.cr library resource that you prepared earlier and imported into you VMM library. Also put the .pfx SSL certificate you prepared above inside this folder. |
TrustedRootCertificate.cr | A library resource that contains a certificate public key (.CER) to be imported as a trusted root certificate to validate the SSL Certificate. The trusted root certificate is optional. If a trusted root certificate is not needed, this resource will still need to be mapped to a CR folder, however the folder should be left empty. Map to the TrustedRootCertificate.cr in your VMM library. |
Configure and deploy the service
Use the following process to deploy a network controller service instance.
- Select the Network Controller service template and click Configure Deployment to begin. You will have to select a name and destination for the service instance. The destination must map to a Host Group that contains the hosts configured in an earlier step in this topic.
- In the Network Settings section, you must map to the management VM network that you set up previously.
- Once you are done with mapping the destination and network settings, the Deploy Service dialog will appear. It is normal for the virtual machine instances to be initially red. Click Refresh Preview to have the deployment service automatically find suitable hosts (from the destination you mapped earlier) for the virtual machines to be created. This can be can be done manually if needed.
- In the map diagram, click the virtual machine element and change the VM name and computer name to match the computer name you used when you created the computer certificates.
- On the left side of the configure deployment window there are a number of settings that you must configure. The table below summarizes each field's values.
6. After you configure these settings, click Deploy Service to begin the service deployment job. Deployment times will vary depending on your hardware but are typically between 30 and 60 minutes.
Add and configure Network Controller service to VMM
After the network controller service is successfully deployed, the next step is to add it to VMM as a network service. This works just like adding other network services in VMM; you begin this process with the Add Network Service wizard.
To run the Add Network Service wizard
- Navigate to the Fabric node in the VMM console.
- Right-click the Network Service icon under Networking and click Add Network Service .
- The Add Network Service Wizard starts. Click Next .
- Provide a name for your Network Controller Network Service and an optional description. Click Next .
- Select Microsoft for the manufacturer and for model select Microsoft Network Controller . Click Next .
6. On the Credentials tab, provide the RunAs account you want to use to configure the Network Service. This should be the same account that you included in the Network Controller Clients group. Click Next .
7. For the Connection String , use the FQDN you registered in DNS for the network service you deployed previously. Your connection string should look similar to this:
serverurl=https://<NCName.DomainName>/;SouthBoundIPAddress=<IP address>
9. On the Review Certificates page, a connection is made to the network controller virtual machine to retrieve the certificate. Verify that the certificate shown is the one you expect. Ensure you select the These certificates have been reviewed and can be imported to the trusted certificate store check box. Click Next .
10. On the next screen, click Scan Provider to connect to your service and list the properties and their status. This is also a good test of whether or not the service was created correctly, and that you’re using the right connect string to connect to it. Examine the results, and when it completes successfully, click Next .
11. Configure the Host Group in VMM that your Network Controller will manage. If all your hosts in your VMM deployment will be managed by the Network Controller (for example, if you’re using the minimum deployment topology), then you can choose All Hosts. Otherwise, you will want to choose only the Host Group with Windows Server 2016 Technical Preview hosts that are part of your SDN fabric. Click the appropriate check box and then click Next .
12. Click Finish to complete the Add Network Service wizard. When the service has been added to VMM, you should see it appear in the Network Services list in the VMM Console, and it should look similar to the following:
13. You can right-click the Network Controller object and select Properties to view the properties of your newly created Network Controller.
14. Click OK to finish.
Validation
This section, although not required for Network Controller deployment itself, is intended to allow users to validate successful deployment for Network Controller. We will create a NC managed ‘Back End’ network and configure tenant VM network on top of that. We will also test connectivity between two tenant VMs deployed across different hosts to ensure NC is deployed correctly.
Create Back End network for tenant VM connectivity
The network controller is connected to the Management network, which is the network that is used to deploy and manage the network controller through VMM. Next, you need to create "Back End" network that will be managed by the network controller in your SDN fabric. This network will be used to validate that the Network Controller has been deployed successfully and that tenant virtual machines within same Virtual Network are able to ping each other.
To create the Back End (HNV PA) network
1. Start the Create Logical Network Wizard.
2. Type a name and optional description for this network. The example shown here is Back End Network. Click Next .
3. On the Settings page, be sure to select One Connected Network since all HNV PA networks need to have routing and connectivity between all hosts in that network. Ensure you check Allow new VM networks created on this logical network to use network virtualization . You will also see a new setting: Managed by the Network Controller . Ensure you check this box and then click Next .
4. On the Network Site panel, add the network site information for your HNV PA network. This should include the Host Group, Subnet and VLAN information for your Back End Network. Remember, this network should already exist in your physical network devices (switch) and all your SDN fabric hosts should have physical connectivity to it.
5. Review the Summary information and complete the wizard.
Create IP address pools that will be managed by the network controller
The Back End Network is the HNV Provider Address (PA) network, so it must have a static IP address pool managed by VMM for address assignment, even if DHCP is available on this network. Thus, you need to create a static IP address pool that is associated with this logical network.
To create an IP address pool for the Back End Network
1. Right-click the back end network logical network in VMM and select Create IP Pool from the drop down menu.
2. Provide a name and optional description for the IP Pool and ensure that the back end network is selected for the logical network. Click Next .
3. On the Network Site panel, you need to select the subnet that this IP address pool will service. If you have more than one subnet as part of your HNV PA network, you need to create a static IP address pool for each subnet. If you have only one site (for example, like the sample topology) then you can just click Next .
4. On the IP Address range panel, specify the starting and ending IP address. It is recommended that you start with the second address in your IP address range so that the network controller does not assign the default gateway address for the subnet. Click Next .
5. Now configure the default gateway address. Click Insert next to the Default gateways box, type the address and use the default metric. Click Next .
6. Optionally you can configure DNS information but this is generally not required.
7. Optionally you can also configure WINS server information but this is generally not required. Click Next .
8. Review the summary information and click Finish to complete the wizard.
Configure Back End network
- In Network Service , right-click the network controller object and select Properties .
- Click on the Logical Network Affinity tab in the left menu.
- Select the Back End (HNV PA) network that you created earlier to be your Back-End network.
- Click OK .
Create an SDN logical switch and deploy to hosts
Now that you have create the logical networks, VM networks, and IP pools for your SDN fabric, you need to create a logical switch that you can deploy to your Windows Server 2016 Technical Preview hosts. This will make the networks that you created available to your hosts via VMM and will enable the Virtual Filtering Platform (VFP) switch extension which will make your hosts available to the network controller. This is also referred to as an SDN switch as it will enable creation and configuration of network objects via the network controller.
To create the SDN logical switch
1. Click Create Logical Switch from the ribbon, or right-click the Logical Switches node in the left hand tree navigation in the VMM console.
2. Review the Getting Started information and click Next .
3. Provide a name ( SDN Switch or whatever you want) and optional description. For the uplink mode, ensure you select No Uplink Team .
4. Click the Managed by Microsoft Network Controller check box and you will notice that the Extensions page disappears. This happens because the network controller requires the VFP extension and thus is selected by default. If your network adapters support SR-IOV and you want to use it, you can enable it here as well and then click Next to proceed.
5. You can optionally select one or more Virtual Port Profiles if you want. This functionality is the same as it was in Windows Server 2012 R2. When you’re ready to proceed, click Next .
6. Add a new Uplink Port Profile directly from the wizard. Click Add and select New Uplink Port Profile from the drop down menu.
7. Provide a name ( SDN port profile or whatever you want) and optional description for your Uplink Port Profile.
It is recommended that you use the defaults for Load Balancing algorithm and Teaming Mode .
Ensure you select all the Network Sites you created for your SDN fabric that are managed by the Network Controller as you want to be sure that they are included in this switch.
You do not need to check the Enable Hyper-V Network Virtualization box as you cannot have hosts that do not support this as part of an SDN fabric by definition. The SDN switch is supported on Windows Server 2016 Technical Preview hosts only.
Click Next to proceed.
8. Review the Summary information and click Finish .
To deploy the logical switch to hosts
You can now deploy the SDN logical switch to hosts that will be used to provision tenant virtual machines
1. Navigate to the Host Group that contains your Windows Server 2016 Technical Preview hosts that are be part of your SDN fabric. Right-click a host and select Properties from the drop-down menu.
2. Select Virtual Switches from the left menu.
3. Click New Virtual Switch and select New Logical Switch from the menu. The SDN logical switch that you created previously should appear selected in the logical switch combo box. If it isn't, select it now.
4. Ensure you bind the SDN Logical Switch to the correct physical adapter on the host. It should be a different adapter from the one that the Management logical switch is connected to.
5. Click OK on the Host Properties dialog to complete the operation.
6. Repeat this for each host in your SDN fabric. The Infrastructure host does not need this logical switch.
Create tenant VM networks and IP pools
Next, you will create a VM network and IP pool for a tenant in your SDN infrastructure.
To configure a VM network
Follow steps mentioned here to create VM network and here to create IP address pool.
Click Next .
Create tenant virtual machines
Now you can create tenant virtual machines connected to the tenant virtual network.
To create a virtual machine from an existing virtual hard disk
Follow these steps to create a VM from an existing virtual hard disk.
Once you have deployed at least two virtual machines in your VM Network, you can ping one tenant virtual machine from the other tenant virtual machine to validate that the Network Controller has been deployed successfully and that it can manage Back End network allowing tenant virtual machines to ping each other.
Manish Jha, Program Manager
Microsoft
Updated Mar 11, 2019
Version 4.0System-Center-Team
Microsoft
Joined February 15, 2019
System Center Blog
Follow this blog board to get notified when there's new activity