Deploying Windows Server 2025 Clusters with Edge Networking Solutions Part 4: Securing Workloads with Network Security Groups, Tag-Based Segmentation, and Default Network Policies
Welcome to part four of our Networking Deployment Series for Windows Server 2025! In this series, we’ve been following Contoso Medical Center’s journey to deploy Windows Server 2025 Software Defined Datacenter (SDDC) for a modern, secure, and automated environment.
Thus far, Contoso has accomplished the following:
- Part 1: Laid the foundation with consistent, automated host networking using Network ATC
- Part 2: Introduced proactive diagnostics and monitoring with Network HUD
- Part 3: Deployed Network Controller on Failover Cluster for a resilient SDN control plane
With the SDN “brains” now in place, Contoso is ready for the next step: securing every workload from day one with microsegmentation, automated security policies, and a Zero Trust approach.
From Reactive to Proactive: Securing Every VM by Default
As Contoso rapidly expands and adopts cutting-edge technologies to enhance patient care and operational efficiency, securing virtual workloads has become their top priority. Historically, they relied on manual firewall rules and static ACLs to protect virtual workloads. This reactive approach left gaps: new VMs could be deployed without the proper security policies, and enforcement often varied from host to host, increasing the risk of human error.
With Windows Server 2025, Contoso can shift from reactive security to proactive, automated protection. SDN enables Contoso to secure every VM with microsegmentation, enforcing granular, VM-level network policies so that workloads only communicate when necessary. This approach is central to Zero Trust principles, treating every access request as potentially risky and requiring verification before granting permission. SDN microsegmentation leverages several key technologies:
- Network Security Groups (NSGs): distributed firewall policies enforced in the virtual switch on every host, filtering both north-south and east-west traffic for the VMs or subnets they are attached to.
- Tag-Based Segmentation: security policies reference workload identity tags rather than static IP addresses, so rules follow VMs as they move or scale.
- Default Network Policies: every new VM receives a baseline NSG at creation, before the operating system is deployed, so no workload is ever left exposed.
For a healthcare provider like Contoso where patient data and critical applications must be protected at all times, these SDN security capabilities in Windows Server 2025 deliver the automation, consistency, and compliance needed to confidently support rapid growth, safeguard patient data, and protect critical applications from day one.
What Are NSGs, Tag-Based Segmentation, and DNP?
Network Security Groups (NSGs)
An NSG is a stateful 5-tuple firewall (source IP, destination IP, source port, destination port, protocol) that protects both north-south and east-west flows. NSGs can be applied to individual VMs (via their network interfaces) or to subnets, and because they are enforced in the Hyper-V virtual switch on each host rather than at a central appliance, enforcement capacity grows with the number of hosts instead of bottlenecking on one device.
Key Advantages:
- Granular control: block lateral traffic between workloads in the same VLAN or subnet
- Multitenancy: policies can be unique per VM even if IP addresses overlap
- Visibility: audit logging of flows that match rules with logging enabled, giving compliance evidence of what was allowed and what was denied
Tag-Based Segmentation
Instead of managing policies based on network segments and IP ranges, tags let you label workloads with descriptive identifiers like “App = MedicalRecords” or “Env = Prod”. NSG rules can then reference these tags, allowing policy to follow the workload wherever it runs.
Key Advantages:
- Simplifies policy creation — no more chasing IP changes!
- Enables reusable security templates
- Supports dynamic, intent-based enforcement
Default Network Policies (DNP)
DNPs ensure no VM is ever left without protection. When a VM is created (or even after it’s running), a default NSG is automatically applied based on your chosen security level:
- No protection – no restrictions (not recommended)
- Open some ports – block all inbound traffic except specified management ports, and allow all outbound traffic
- Use existing NSG – apply a custom policy you’ve already created
Key Advantages:
- Security starts before OS deployment
- Prevents accidental exposure of new workloads
- Works on both VLAN (logical) and SDN virtual networks
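To make the NSG description above and the "Open some ports" DNP level concrete, here is an added example, written for this post rather than taken from the original article or from Microsoft's own deployment scripts, that builds the equivalent policy with the NetworkController PowerShell module and attaches it to one VM's network interface. The Network Controller REST endpoint, the management subnet, and the ACL and NIC resource IDs are assumed placeholders; substitute your own. It only sets the per-rule Logging flag; collecting the resulting audit log on the hosts is configured separately on the Network Controller.

```powershell
# Added example (not from the original post): build a "management ports only"
# NSG as a Network Controller access control list and attach it to one VM NIC.
# Assumed placeholders: the NC REST endpoint, management subnet, ACL and NIC IDs.
$ConnectionUri = "https://nc.contoso.local"   # assumed Network Controller REST FQDN
$MgmtPrefix    = "10.10.0.0/24"               # assumed jump-host/management subnet
$AclId         = "Contoso-MgmtOnly-Inbound"   # assumed ACL resource ID
$NicId         = "MedRecords01_Ethernet1"     # assumed VM NIC resource ID

# One 5-tuple rule (source/destination prefix, source/destination port, protocol)
# plus direction, action, priority and the per-rule audit logging flag.
# Lower Priority values are evaluated first.
function New-AclRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet("Inbound","Outbound")][string]$Type,
        [Parameter(Mandatory)][ValidateSet("Allow","Deny")][string]$Action,
        [Parameter(Mandatory)][int]$Priority,
        [ValidateSet("All","Tcp","Udp")][string]$Protocol = "All",
        [string]$SourcePrefix      = "*",
        [string]$DestinationPrefix = "*",
        [string]$SourcePort        = "0-65535",
        [string]$DestinationPort   = "0-65535",
        [switch]$Log
    )
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Type                     = $Type
    $p.Action                   = $Action
    $p.Priority                 = "$Priority"
    $p.Protocol                 = $Protocol
    $p.SourceAddressPrefix      = $SourcePrefix
    $p.DestinationAddressPrefix = $DestinationPrefix
    $p.SourcePortRange          = $SourcePort
    $p.DestinationPortRange     = $DestinationPort
    $p.Logging                  = if ($Log) { "Enabled" } else { "Disabled" }

    $r = New-Object Microsoft.Windows.NetworkController.AclRule
    $r.ResourceId = $Name
    $r.Properties = $p
    return $r
}

# Rule set mirroring the "Open some ports" DNP level: only RDP and WinRM from the
# management subnet get in, everything else inbound is denied (and logged), and
# all outbound is allowed. The explicit deny-all means the policy does not rely
# on whatever the platform's implicit default is.
$rules = @(
    (New-AclRule -Name "Allow-RDP-From-Mgmt"   -Type Inbound  -Action Allow -Priority 200 `
                 -Protocol Tcp -SourcePrefix $MgmtPrefix -DestinationPort "3389")
    (New-AclRule -Name "Allow-WinRM-From-Mgmt" -Type Inbound  -Action Allow -Priority 210 `
                 -Protocol Tcp -SourcePrefix $MgmtPrefix -DestinationPort "5985-5986")
    (New-AclRule -Name "Deny-All-Inbound"      -Type Inbound  -Action Deny  -Priority 64000 -Log)
    (New-AclRule -Name "Allow-All-Outbound"    -Type Outbound -Action Allow -Priority 64100)
)

$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
New-NetworkControllerAccessControlList -ConnectionUri $ConnectionUri -ResourceId $AclId `
    -Properties $aclProps -Force | Out-Null

# Attach the ACL to the VM's first IP configuration. Network Controller resources
# are replaced whole, so re-PUT the NIC with its modified properties.
$acl = Get-NetworkControllerAccessControlList -ConnectionUri $ConnectionUri -ResourceId $AclId
$nic = Get-NetworkControllerNetworkInterface  -ConnectionUri $ConnectionUri -ResourceId $NicId
$nic.Properties.IpConfigurations[0].Properties.AccessControlList = $acl
New-NetworkControllerNetworkInterface -ConnectionUri $ConnectionUri -ResourceId $nic.ResourceId `
    -Properties $nic.Properties -Force | Out-Null

# Verify: the NIC now references the ACL, and the rules read back in evaluation order.
$check = Get-NetworkControllerNetworkInterface -ConnectionUri $ConnectionUri -ResourceId $NicId
"NIC {0} -> ACL {1}" -f $check.ResourceId,
    $check.Properties.IpConfigurations[0].Properties.AccessControlList.ResourceRef
(Get-NetworkControllerAccessControlList -ConnectionUri $ConnectionUri -ResourceId $AclId).Properties.AclRules |
    Sort-Object { [int]$_.Properties.Priority } |
    Format-Table ResourceId,
        @{ n = "Type";     e = { $_.Properties.Type } },
        @{ n = "Action";   e = { $_.Properties.Action } },
        @{ n = "Priority"; e = { $_.Properties.Priority } },
        @{ n = "Logging";  e = { $_.Properties.Logging } } -AutoSize
```

Two things to check after running it: first, that east-west traffic really is blocked, because with this profile a VM in the same subnet can no longer reach this VM's application ports until you add explicit allow rules for them, which is the intended starting point for microsegmentation; second, that the deny rule's Logging flag is actually producing entries on the hosts, since a silent deny gives you protection but not the compliance evidence the page describes. The same ACL object can be attached to a subnet's properties instead of a NIC's when you want a subnet-wide baseline.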
How Contoso Implemented These Capabilities
Using the Native SDN experience in Windows Admin Center, Contoso’s IT team:
- Defined baseline DNP rules for all new VMs.
- Created workload-specific NSGs for their medical and IoT apps.
- Assigned security tags (e.g. App = Web, App = IoT) to VMs.
- Linked NSG rules to tags to block cross-app communication where not required.
- Monitored enforcement through Network HUD and audit logs for compliance evidence.
As a result, Contoso achieves immediate, consistent protection for all virtual workloads!
Why This Matters for You
With NSGs, tag-based segmentation, and DNP in Windows Server 2025 SDN, you can:
- Apply Zero Trust inside your datacenter
- Protect both new and existing workloads automatically
- Simplify policy management for hybrid and dynamic environments
- Meet compliance needs with built-in logging and monitoring
For Contoso, this means patient data, imaging workloads, and administrative systems are all protected from the moment they are provisioned, without relying on manual firewall rules or additional third-party tools.
Compatibility & Tooling
These capabilities are supported in:
- Windows Server 2025 (Datacenter)
- Windows Admin Center (latest version)
- SDNExpress v2
Check out our video walkthrough to see SDN security in action on Windows Server!
What’s Next?
With robust workload protection now in place, Contoso is preparing to move forward with the next steps of their networking journey:
- Enhancing mission-critical VM performance with Accelerated Networking to deliver high-throughput, low-latency connectivity and optimized network efficiency (coming in Part 5)
- Ensuring seamless connectivity and resilience across multiple clusters with SDN Multisite, supporting disaster recovery and regional failover (coming in Part 6)
Stay tuned for our next post, where we explore Accelerated Networking and how it can boost performance for your most important workloads.
Try It Today!
Interested in trying out these capabilities on Windows Server 2025? Get started by exploring our step-by-step guide on creating and configuring Network Security Groups, Tag-Based Segmentation, and Default Network Policies.
Have feedback? Email us at edgenetfeedback@microsoft.com.