Top 10 Networking Features in Windows Server 2019: #4 Security with SDN

Published Feb 14 2019 10:06 AM 7,241 Views
First published on TECHNET on Aug 29, 2018
Share On: Twitter Share on: LinkedIn

This blog is part of a series for the Top 10 Networking Features in Windows Server 2019!
-- Click HERE to see the other blogs in this series.

Look for the Try it out sections then give us some feedback in the comments!
Don't forget to tune in next week for the next feature in our Top 10 list!
In this modern era of cloud computing, more and more customers are looking to move their workloads to public, private or hybrid clouds. Security is one of their main inhibitors in moving to cloud. How secure are their workloads in the cloud? Is their data safe from theft and tampering? Will it all work with IPv6?

Windows Server 2019 SDN delivers many features to increase customer confidence in running workloads either on-premises or as a service provider in the cloud. These security enhancements are integrated into the comprehensive SDN platform that our customers have already been using since Windows Server 2016.

For more information on general platform and management features, refer to SDN management blog ( link ) and the hybrid SDN gateway performance blog ( link ).

Encrypted Subnets

How many of the legacy applications on your network are using encryption?  How many of them are using an encryption method that is still considered secure?  Chances are you have some apps that are vulnerable to data theft and tampering.

You could find every app, analyze the encryption and update it, or you could encrypt at the network level with SDN.  With SDN network subnet encryption in Windows Server 2019, any packet that leaves a VM is automatically encrypted as it passes to other destinations on the same back-end network.  If a vulnerability is found, then the fabric can be updated quickly and all applications automatically gain the necessary level of security.

This is enabled on any of the subnets in a virtual network by specifying an encryption certificate to use and setting "Encryption" to true.

" As organizations look to enable protection through software defined controls and eliminate complexities, configurations leveraging virtual network encryption greatly enhance security in a simplified manner "

- Rand Morimoto, President, Convergent Computing

Ready to give it a shot!?   Download the latest Insider build and Try it out!

Firewall Logging

The ability to microsegment allows you to create isolation boundaries, but how do you know they're working? How can you tell if you're under attack? If a breach has occurred, how can you perform the post-mortem analysis to determine how far it went?

Firewall logging is critical for the ability to do all of the above.

In Windows Server 2019, SDN enables the Hyper-V host to generate Firewall logs that are consistent in format with Azure Network Watcher.  This enables the ecosystem of tools that has sprung up around Network Watcher to be easily adapted to work with the Windows Server SDN implementation.

After applying a one-time configuration to the network controller, you simply enable logging on individual Access Control List rules and network flows that match that rule are automatically logged.

"Windows Server 2019's SDN settings have an extremely helpful firewall-auditing component that can be enabled to log all network communications between SDN connections"

- Rand Morimoto, President, Convergent Computing

Ready to give it a shot!?   Download the latest Insider build and Try it out!

Fabric ACLs

Windows Server 2016 provides the ability to lock down the security of your virtual networks by automatically applying ACLs to VMs connected to virtual subnets.  Windows Server 2019 expands this capability to the fabric as well, allowing you to restrict access to your infrastructure machines in a way that is more easily managed and automatic, by adding ACLs to the logical subnets.  This means that any SDN managed VM connected to a VLAN based network will automatically get the necessary ACLs applied.

Ready to give it a shot!?   Download the latest Insider build and Try it out!

Virtual Network Peering

The primary security boundary for SDN is the isolation that's provided by the virtual network itself, but sometimes it becomes necessary to breach this boundary so that two virtual networks are able to communicate with each other.  This may be the case if you've deployed a Database in one virtual network, but want it to be accessed by other applications that have been deployed in their own separate virtual networks.  Virtual Network peering enables just that.  It combines the virtual routers in associated virtual network so they can communicate with each other, without having to traverse through a gateway. This enables high throughput, low latency communication between the virtual networks.

" This is really about making the scenario simpler to deploy / manage and removing the perf overhead.  As it happens we have a bunch of scenario’s where this feature will be useful, even in its current form.  As you know we run our two primary DC’s as active / active deployments and one of our big bug-ears has been providing this type of scenario, while still facilitating multiple entry points.  I can see multiple current workloads scenario’s where this will improve performance, rather than using our current approach of L3 GW’s over the MPLS inter-link "

- Philip Moss, Chief Product Officer, Acuutech

Ready to give it a shot!?   Download the latest Insider build and Try it out!

IPv6 support

While you may not want to use IPv6, at some point you may have to and because of that we've added support for IPv6 to SDN.  While not a security feature per-se, with Windows Server 2019, SDN includes the ability to use IPv6 for virtual network address spaces, virtual IPs and for logical networks.  All of the security features of SDN now work with IPv6 addresses and subnets, including Access Control Lists and User Defined Routing.

To use this feature, download the latest Insider build and use IPv6 subnets on your virtual subnets in the same way that you would use IPv4, and assign IPv6 addresses to your virtual machines.


As you can see, we have made a ton of investments in SDN to safeguard the security of your workloads with Windows Server 2019.

  1. You can encrypt data in transit with virtual network encryption to prevent data theft and tampering

  2. You can log traffic on the hosts for troubleshooting, auditing or simply post mortem analysis

  3. You can now apply security ACLs for your physical fabric networks

  4. You can enable secure, high performant communication between virtual networks

  5. You can use IPv6 addressing for your virtual networks

All these enhancements will bolster customer confidence when they run their workloads in the hybrid cloud. They can rest assured that their workloads are safe and secure with Windows Server 2019.

Thanks for reading,

Greg Cusanza and Anirban Paul
Version history
Last update:
‎Feb 14 2019 10:06 AM
Updated by: