In the last post, I talked about some of the important networking customer use cases for applications on smaller Azure Stack HCI clusters and how we can satisfy those requirements. In this part, I will dive into the design, deployment and management for some of these network services.
If you are deploying NC for apps on traditional VLAN networks, refer to this sample config file: link
If you are deploying NC for apps on virtualized networks, refer to this sample config file: link
NOTE: Today, the deployment UI and scripts do not configure the NC VM as a highly available VM. We will fix this soon. You can do this manually by following the steps below:
Ensure that you provide a clustered storage location for the NC VM. This ensures that the VM configuration files and the VHDs are stored on cluster storage. For example: C:\ClusterStorage\Volume1\NetworkController. NOTE: Do not provide a UNC path for Cluster Storage.
Change the VM to a clustered VM by running the command:
Add-ClusterVirtualMachineRole "<NC VM name>" -Cluster "<HCI Cluster Name>"
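The two steps above can be combined into a short script that first verifies every path the NC VM depends on is on a CSV (local C:\ClusterStorage path, not a UNC path) and only then registers the VM as a clustered role. This is an added example, not part of the original post or the deployment scripts; the VM name "NC-VM" and the cluster name "HCI-Cluster" are placeholders.

```powershell
# Added example: make the Network Controller VM a highly available clustered VM.
# "NC-VM" and "HCI-Cluster" are placeholder names; replace them with your own.
$NcVmName    = "NC-VM"
$ClusterName = "HCI-Cluster"

$vm = Get-VM -Name $NcVmName

# Every location the VM relies on must be on cluster storage: configuration,
# checkpoints, smart paging file and each attached VHD/VHDX.
$paths = @($vm.ConfigurationLocation, $vm.SnapshotFileLocation, $vm.SmartPagingFilePath) +
         @(Get-VMHardDiskDrive -VM $vm | ForEach-Object { $_.Path })

foreach ($p in $paths) {
    if ($p -like '\\*') {
        # UNC paths are explicitly unsupported for the NC VM location.
        throw "Path '$p' is a UNC path; use a local C:\ClusterStorage\... path instead."
    }
    if ($p -notlike 'C:\ClusterStorage\*') {
        throw "Path '$p' is not on a Cluster Shared Volume; move the VM storage first (Move-VMStorage)."
    }
}

# Register the VM as a clustered role only if no role for it exists yet
# (the cluster group for a VM role is normally named after the VM).
$existing = Get-ClusterGroup -Cluster $ClusterName -Name $NcVmName -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-ClusterVirtualMachineRole -VirtualMachine $NcVmName -Cluster $ClusterName
}

# Show the resulting clustered role and its current owner node.
Get-ClusterGroup -Cluster $ClusterName -Name $NcVmName | Select-Object Name, State, OwnerNode
```

Run this from a cluster node (or a management host with the Hyper-V and FailoverClusters modules) after the NC VM has been deployed; the path checks fail fast so you do not end up with a clustered role whose disks live on non-clustered storage.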
Once the infrastructure is deployed, you can configure policies for the relevant use cases.
Network Security from external and lateral attacks
As a customer, your Security team has asked you, the HCI administrator, to protect all East-West traffic and external traffic for an Edge deployment. Further, you have SCADA/regulatory requirements that must be enforced as business practice.
With network security policies, you can protect every traffic flow in your HCI cluster, allowing only the flows required for your applications to function.
The first step is to create a logical network for your workloads hosted on VLAN networks. This is documented here.
Next, you need to create the security ACL rules that you want to apply to your workloads. This is documented here.
Once the ACL rules have been created, you can apply them to the network or a network interface.
For applying ACLs to a traditional VLAN network, see instructions here.
For applying ACLs to a virtual network, see instructions here.
For applying ACLs to a network interface, see instructions here.
After the ACL rules have been applied to the network, all virtual machines in that network will get the policies and will have restricted access based on the rules. If the ACL rule has been applied to a network interface, the network interface will get the policies and will have restricted access based on the rules.
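To make the rule-creation and rule-application steps concrete, here is an added example (not from the original post or the linked docs) that builds an allow-list ACL for a database tier through the Network Controller PowerShell module and attaches it to one VM's network interface. The NC endpoint https://nc.contoso.local, the address prefixes, and the resource IDs DbTier-Acl and DbVm01_Nic1 are placeholders you would replace with your own values.

```powershell
# Added example: allow-list ACL for a database tier, applied to a network interface.
# All names, prefixes and the NC URI below are placeholders.
$uri = "https://nc.contoso.local"

# Helper that builds one AclRule object; it exists only in this example.
function New-DbTierAclRule {
    param([string]$Id, [string]$Priority, [string]$Type, [string]$Action, [string]$Protocol,
          [string]$SrcPrefix, [string]$DstPrefix, [string]$SrcPort, [string]$DstPort)
    $rule = New-Object Microsoft.Windows.NetworkController.AclRule
    $rule.ResourceId = $Id
    $rule.Properties = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $rule.Properties.Priority                 = $Priority   # lower number wins
    $rule.Properties.Type                     = $Type       # Inbound or Outbound
    $rule.Properties.Action                   = $Action     # Allow or Deny
    $rule.Properties.Protocol                 = $Protocol   # TCP, UDP or All
    $rule.Properties.SourceAddressPrefix      = $SrcPrefix
    $rule.Properties.DestinationAddressPrefix = $DstPrefix
    $rule.Properties.SourcePortRange          = $SrcPort
    $rule.Properties.DestinationPortRange     = $DstPort
    $rule.Properties.Logging                  = "Enabled"   # log hits so denied flows are visible
    return $rule
}

# Only the app subnet may reach SQL, only the management subnet may RDP in,
# everything else inbound is dropped; outbound stays open for the DB VMs.
$rules = @(
    (New-DbTierAclRule -Id "AllowSqlFromApp"  -Priority "200"   -Type Inbound  -Action Allow -Protocol TCP `
        -SrcPrefix "10.10.20.0/24" -DstPrefix "*" -SrcPort "*" -DstPort "1433"),
    (New-DbTierAclRule -Id "AllowRdpFromMgmt" -Priority "210"   -Type Inbound  -Action Allow -Protocol TCP `
        -SrcPrefix "10.10.1.0/24"  -DstPrefix "*" -SrcPort "*" -DstPort "3389"),
    (New-DbTierAclRule -Id "DenyAllInbound"   -Priority "65000" -Type Inbound  -Action Deny  -Protocol All `
        -SrcPrefix "*" -DstPrefix "*" -SrcPort "*" -DstPort "*"),
    (New-DbTierAclRule -Id "AllowAllOutbound" -Priority "65000" -Type Outbound -Action Allow -Protocol All `
        -SrcPrefix "*" -DstPrefix "*" -SrcPort "*" -DstPort "*")
)

$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
New-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "DbTier-Acl" -Properties $aclProps -Force

# Attach the ACL to the first IP configuration of the database VM's NIC.
$acl = Get-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "DbTier-Acl"
$nic = Get-NetworkControllerNetworkInterface  -ConnectionUri $uri -ResourceId "DbVm01_Nic1"
$nic.Properties.IpConfigurations[0].Properties.AccessControlList = $acl
New-NetworkControllerNetworkInterface -ConnectionUri $uri -ResourceId $nic.ResourceId -Properties $nic.Properties -Force

# Confirm the reference took: the ACL resource ref should now appear on the NIC.
(Get-NetworkControllerNetworkInterface -ConnectionUri $uri -ResourceId "DbVm01_Nic1").Properties.IpConfigurations[0].Properties.AccessControlList.ResourceRef
```

The explicit DenyAllInbound rule at the lowest priority is what turns the list into an allow-list; without it, traffic that matches no rule is not blocked by this ACL. Applying the same ACL resource to a logical network subnet instead of a NIC gives every VM on that subnet the same policy, as described above.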
Fair network allocation for workload VMs
As a customer, your Database team is concerned that they may not get a fair share of bandwidth for their workloads. On the other side, the developer team is concerned that they will be competing with database VMs residing in the same cluster.
With Quality-of-Service policies, you can prevent network-intensive applications from hogging the entire bandwidth of your HCI cluster hosts. You can configure this through PowerShell today; support through Windows Admin Center is coming soon.
Step 1: Configure global QoS settings.
You can perform the steps below on a Network Controller machine or on a management client of Network Controller. This enables the global setting that allows QoS policies to be configured through Network Controller.
All the above scenarios are very relevant for smaller clusters but are applicable for larger clusters as well. Please try these out and give us feedback at firstname.lastname@example.org. Don't hesitate to reach out for any questions as well.