Part 7 of a 9-part series . Today’s post is the first of two sections; to read the second half, click here .
One of the foundational requirements we called out in the 2012 R2 vision document was our promise to help you transform the datacenter. A core part of delivering on that promise is enabling Hybrid IT.
By focusing on Hybrid IT we were specifically calling out the fact that almost every customer we interacted with during our planning process believed that in the future they would be using capacity from multiple clouds. That may take the form of multiple private clouds an organization had stood up, or utilizing cloud capacity from a service provider or a public cloud like Azure, or using SaaS solutions running from the public cloud.
We assumed Hybrid IT would really be the norm going forward, so we challenged ourselves to really understand and simplify the challenges associated with configuring and operating in a multi-cloud environment. Certainly one of the biggest challenges associated with operating in a hybrid cloud environment is associated with the network – everything from setting up the secure connection between clouds, to ensuring you could use your IP addresses (BYOIP) in the hosted and public clouds you chose to use.
The setup, configuration and operation of a hybrid IT environment is, by its very nature incredibly complex – and we have poured hundreds of thousands of hours into the development of R2 to solve this industry-wide problem.
With the R2 wave of products – specifically Windows Server 2012 R2 and System Center 2012 R2 – enterprises can now benefit from the highly-available and secure connection that enables the friction-free movement of VMs across those clouds. If you want or need to move a VM or application between clouds, the transition is seamless and the data is secure while it moves.
The functionality and scalability of our support for hybrid IT deployments has not been easy to build, and each feature has been methodically tested and refined in our own datacenters. For example, consider that within Azure there are over 50,000 network changes every day, and every single one of them is fully automated. If even 1/10 of 1% of those changes had to be done manually, it would require a small army of people working constantly to implement and then troubleshoot the human errors. With R2, the success of processes like these, and our learnings from Azure, come in the box.
Whether you’re a service provider or working in the IT department of an enterprise (which, in a sense, is like being a service provider to your company’s workforce), these hybrid networking features are going to remove a wide range of manual tasks, and allow you to focus on scaling, expanding and improving your infrastructure.
In this post, Vijay Tewari (Principle Program Manager for Windows Server & System Center) and Bala Rajagopalan (Principle Program Manager for Windows Server & System Center), provide a detailed overview of 2012 R2’s hybrid networking features, as well as solutions for common scenarios like enabling customers to create extended networks spanning clouds, and enabling access to virtualized networks.
Don’t forget to take a look at the “ Next Steps ” section at the bottom of this post, and check back tomorrow for the second half of this week’s hybrid IT content which will examine the topic of Disaster Recovery.
* * *
Hybrid networking refers to capabilities that seamlessly extend an enterprise’s on-premises network to the service provider’s (hosted or Azure) cloud, and many teams across Microsoft have come together to deliver these end-to-end experiences and scenarios for our customers.
Hybrid networking enables enterprises to easily move their VMs (and virtualized workloads) across clouds while maintaining IP addresses and other networking policies. With hybrid networking, an enterprise administrator can treat a composite network spanning on-premises cloud boundaries as a single extended network .
As enterprises continue to utilize more and more capacity from the cloud, service providers face a pressing issue: How does one simplify the to-the-cloud migration of an increasing number of tenants while minimizing their capital and operational expenses?
Hybrid networking impacts both the ease of workload migration as well as the cost to the service provider. To maximize this benefit, Windows Server 2012 R2 and Systems Center 2012 R2 have been built to deliver cloud-optimized server and management capabilities that enable service providers to deliver efficient hybrid networks that easily onboard tenants.
These capabilities broadly fall under three specific areas we’ll examine today:
This post will also cover 3 key scenarios that have been designed into the 2012 R2 wave of products.
Windows Server 2012 included the cross-premises gateway feature, which allowed enterprise sites to be connected to each other or to the cloud using standard VPN protocols. In Windows Server 2012 R2, this feature is extended into a full-fledged site-to-site (S2S) VPN gateway to support cloud service provider and enterprise customer requirements (see Figure 1 below).
These customer requirements include:
With the 2012 R2 release, we have further refined the Hyper-V Extensible Switch and Hyper-V Network Virtualization which were both introduced in Windows Server 2012.
The Hyper-V Extensible Switch now allows third party extensions to act on packets before and after HNV encapsulation for a richer set of policy and filtering implementations. Additionally, support for hybrid forwarding is available – this allows different forwarding agents to handle packets based on type, e.g. HNV or non-HNV encapsulated.
The impact of this is big: Multiple network virtualization solutions (one provided by HNV, and another from the forwarding switch extension) can co-exist on the same Hyper-V host. Regardless of which agent performs the forwarding computation, the forwarding extension can apply additional policies to the packet. More details on the 2012 R2 Hyper-V Extensible Switch features can be found here .
HNV also now supports dynamic IP address learning, an in-box S2S gateway (covered in this article), integration with NIC teaming for load balancing, high availability, and NVGRE task offload support from NIC vendors. More info on these elements can be found in this blog article .
In addition to the features noted above, Virtual Receive-Side Scaling (vRSS) in the R2 release enables traffic-intensive workloads to scale up to optimally utilize high speed NICs (10G) even from a VM. In addition to this, in an effort to improve diagnostics and thereby drive down opex, we have enabled remote packet captures and ETW traces in near real-time, without a need to log on to the destination machine.
We have also enabled basic management of physical switches (with standards-based schemas) using PowerShell and VMM, thereby making it possible to automate certain diagnostics across the hosts and into the physical network. Finally, deployment and management are now entirely automated via VMM, with tenant self service via the Windows Azure Pack (as shown in Figure 1).
For a deeper dive on the network virtualization enhancements in R2, check out
this recent post
on the
Networking Blog
.
Windows Server 2012 IP Address Management (IPAM) solution supported core IP address, DHCP and DNS management functions. With the R2 release, IPAM has implemented several major enhancement, such as:
There are also enhancements to the addressing and naming services themselves, including per-zone query metrics support in DNS, and FQDN-based DHCP policies. The use of IPAM in a hoster datacenter is depicted in Figure 1.
Our recent TechNet article on IPAM in Windows Server 2012 R2 describes these enhancements in more detail.
Now, to illustrate how these technologies have been built and bundled together to serve as solutions for common scenarios encountered by IT pros and service providers, the following three scenarios show how hybrid networking can make an infrastructure environment more powerful, scalable, resilient, and manageable.
We described the integrated approach we have taken in enabling our customers to deploy an IaaS solution in an earlier post in this R2 series , and as service providers and enterprises deploy IaaS, their customers in turn deploy their VM’s onto this capacity.
Traditionally these VM’s were provided IP addresses from a service provider network address space thereby forcing customers to renumber their VMs and rethink their network environments. With the availability of network virtualization, customers can create their own virtualized network on top of the service provider network infrastructure, utilize their own private IP numbering plan within the virtualized network, and connect it to their on-premises network to create an extended network that spans the on-prem infrastructure and the service provider cloud.
This approach dramatically simplifies the migration of workloads to the cloud and back.
This scenario is enabled by a combination of two key aspects: First, network virtualization, which enables the service provider to run multiple tenant networks with overlapping IP addresses on the same physical infrastructure. Second, the capability to connect the customer’s virtualized network in the service provider cloud back to the customer’s on-premises network to form one extended network.
To enable this deployment, the service provider provisions the network infrastructure and a set of S2S VPN gateways to support the creation of customer (virtualized) networks and S2S connections. Next, the customer self-provisions his virtualized network and S2S connections using the Windows Azure pack portal.
Now, let’s look at each step of this scenario in detail:
The Windows Azure Portal screenshot snippets below illustrate these steps.
First, the customer specifies the subnet in his private address space where the S2S gateway should be located, and (optionally) enables BGP. The customer also specifies the address of the designated DNS server to be used by applications running in his virtualized network. This could be a server located in the customer’s virtualized network or in the on-premises network, or it could be a server made available by the service provider.
He next specifies the IP address space to be used for the virtualized network. This is typically from the customer’s private IP address space.
The customer then specifies the BGP parameters, which include the Autonomous System Number (ASN) of the virtualized network, the peer BGP IP address, and the ASN of the on-premises network.
This results in BGP configuration via VMM being triggered on the service provider side (see screenshot above). BGP may also be configured by the admin using a script as described here , which allows more detailed configuration.
Finally, the customer specifies a name for the on-premises site, the public IP address of the on-premises S2S gateway, and the IP addresses that are reachable on the on-premises site over the S2S connection. The last two parameters are required to set up S2S connection on-demand from the service provider side, and to determine which destinations in the extended network are in the on-premises side (if BGP is not enabled).
After completing these tasks, the customer deploys a S2S gateway at the on-premises site that connects to the service provider cloud. This could be an existing 3rd party edge device, or a Windows Server 2012 R2 S2S gateway.
In the former case, the customer uses vendor-specific commands to set up the S2S connection. In the latter case, customers can use the following script template to automate the configuration of the gateway:
############### Macros for RRAS Config on Ent GW ############################## $S2SDestination = "100.0.0.6" $IPv4Subnet = "172.23.90.4/32:100" $BGPPeerAddress = "172.23.90.10" $BGPAddress = "172.23.90.4" $BGP_PeerASN = 64522 $BGP_LocalASN = 64512 ################### Install S2S VPN on Ent GW ############################## New-VM -Name GW -MemoryStartupBytes 2.5GB -SwitchName Internet -VHDPath "E:GW-VMsGW.vhd" -Path "E:VM" Add-WindowsFeature -Name Remoteaccess -IncludeAllSubFeature -IncludeManagementTools ipmo remoteaccess Install-RemoteAccess -VpnType VpnS2S ############## Configure S2S VPN on Ent GW ############################## Add-VpnS2SInterface -Name "-Tunnel" -Protocol IKEv2 -Destination $S2SDestination -AuthenticationMethod PSKOnly -SharedSecret 111_aaa -Persistent -IPv4Subnet "172.23.90.10/32:100" -NumberOfTries 0 ############### Configure BGP on Ent GW ############################## #### Add BGP Router #### Add-BgpRouter -BgpIdentifier $BGPAddress -LocalASN $BGP_LocalASN #### Add BGP Peers #### Add-BgpPeer -Name "ServiceProviderSite1" -LocalIPAddress $BGPAddress -PeerIPAddress $BGPPeerAddress -PeerASN $BGP_PeerASN #### Add custom networks for advertisements to peers #### Add-BgpCustomRoute -Interface "Intranet" ## End Config Ent GW - ## |
In the former case, the internal router learns external routes (10.2.1.0/24) from the edge device, and it must distribute these routes to other on-premises routers using an IGP. In the latter case, the edge device itself must distribute the external routes to other on-premises routers using the IGP it runs.
A variation of this topology where Windows Server 2012 R2 gateway is deployed in the customer site is shown in Figure 3 (see below).
In this configuration, S2S VPN and BGP are terminated on Windows Server 2012 R2 S2S gateway deployed behind an edge firewall. In this case, since the gateway does not support distribution of routes between BGP and any IGP, only option 1 (noted above) is available for the S2S gateway to learn internal routes and distribute external routes.
Applications or services running in the customer’s virtualized network may access resources located on the Internet such as public DNS servers, web services, etc. This is a common requirement in many deployments. There are two options to enable this scenario:
The R2 release supports both options.
The Service provider can configure the NAT function in the S2S VPN gateway to enable direct Internet access from the customer’s virtualized network. The NAT function in the Windows Server 2012 R2 gateway is tenant-aware and allows VMs in multiple customer networks with overlapping IP addresses to access the same Internet IP address.
Customers can activate NAT for their virtualized networks using the Windows Azure Pack-based self-service portal. If S2S VPN and NAT are enabled for a virtual network, BGP enables learning of customer routes on the gateway so that only Internet traffic is NAT’ed.
There are often instances where resources available on a customer’s virtualized network need to be made accessible to users who are outside the customer’s premises.
Examples of this include disaster recovery, whereby the backup or recovery VM run in the cloud and need to be made accessible to users after a disaster situation. More routinely, a service running in the cloud may need to be made available to users who are working off-premises, including from public hotspots. Similarly, an administrator might want to login to a VM deployed in the cloud from anywhere.
To support this scenario, the service provider can enable access to VMs or services in a customer’s virtualized network from different devices over the Internet using the remote access VPN feature built into the Windows Server 2012 R2 S2S VPN gateway.
Users belonging to the customer’s organization can connect to their VMs or services in the cloud via the multitenant S2S gateway using industry standard IPsec/IKEv2 VPN connections from various devices like laptops, tablets and smartphones. If the devices are behind a firewall or router that does not allow IPsec traffic, SSTP (SSL) VPN can be used to connect to the gateway. SSTP VPN uses https (port 443) to connect to the gateway and can traverse firewalls that block any traffic that is not http/https.
The service provider can also enable remote access VPN for multiple customers on the same gateway with a single public IP address with all connections using port 443. Multiple customers can use overlapping IP addresses for VPN clients and the R2 multi-tenancy feature enables traffic isolation. All the VPN client connections are authenticated by the gateway directly or by using a RADIUS server in the service provider network.
After a user connects over VPN, he can access VMs in the appropriate virtualized network in the cloud as well as networks on-premises sites over S2S VPN (if provisioned). The service provider can easily enable multitenant VPN access in the S2S VPN gateway using a PowerShell script as described here . VMM support for this is not available in the R2 release.
The following figure shows the cmdlets used to enable VPN for customers Contoso and Fabrikam:
PS C:> Enable-RemoteAccessRoutingDomain -Name “Contoso” -Type Vpn PS C:> Enable-RemoteAccessRoutingDomain -Name “Fabrikam” -Type Vpn PS C:> Set-RemoteAccessRoutingDomain –Name “Fabrikam” –IPAddressRange 11.11.11.1, 11.11.11.200 –TenantName “Fabrikam” PS C:> Set-RemoteAccessRoutingDomain –Name “Contoso” –IPAddressRange 11.11.11.1, 11.11.11.200 –TenantName “Contoso” |
* * *
Windows Server 2012 R2 and System Center 2012 R2 provide a set of advanced capabilities for service providers to implement hybrid networking cost-effectively, reliably, and at scale. This includes multitenant S2S connectivity, NAT, and remote access VPN. In conjunction with the Windows Azure Pack, VMM, and PowerShell scripting – service providers can easily automate the on-boarding of customers, as well as set up and manage all hybrid networking functions.
Tomorrow we’ll cover another key part of a hybrid IT environment: Protecting your data with an enterprise-grade disaster recovery solution. It’s an under-served part of the industry, and I believe we have addressed it proactively with some very impressive features.
- Brad
To get even deeper on the topics covered in this post, check out the engineering posts and TechEd sessions included below.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.