First published on TECHNET on Feb 29, 2016
NOTE: This information is no longer current. For the latest information on this topic, see "Deploy and manage a Software Defined Network (SDN) infrastructure in the VMM fabric".
=====
Introduction
This article helps you evaluate the Software Defined Networking (SDN) features in Windows Server 2016 Technical Preview and Virtual Machine Manager 2016 Technology Preview 4. In particular, this topic focuses on scenarios that incorporate Gateway with VMM Technical Preview 4.
Gateway is a data-path element in SDN that enables GRE-based site-to-site (S2S) connectivity between two autonomous systems. For the scenario here specifically, Gateway provides site-to-site VPN connectivity between remote tenant networks and your datacenter using Generic Routing Encapsulation (GRE).
In combination with Software Load Balancing (SLB), Gateway can also be used for point-to-site VPN connectivity, so that your tenants' administrators can access their resources in your datacenter from anywhere.
Prerequisites
Make sure you have performed the following steps before deploying Gateway.
Deploy Network Controller
This document assumes that you already have Network Controller onboarded into VMM management. If Network Controller is deployed in your setup, you already have the basic compute and network infrastructure in place to proceed with Gateway deployment.
For more details on the requirements for the different hosts, virtual machines, logical networks, subnets, IP pools and switches, please refer to the Network Controller deployment guide here.
If you haven't deployed Network Controller yet, please refer to the Network Controller guide above and come back to this section after deploying Network Controller.
Deploy Software Load Balancer
Although it is not required that you deploy Software Load Balancer before deploying Gateway, for the purpose of simplicity and preview validation we recommend that you deploy and onboard SLB before proceeding further in this document. Having SLB deployed along with Gateway will enable you to validate the IPsec connection types.
For more details on the requirements for the different hosts, virtual machines, logical networks, subnets, IP pools and switches, please refer to the SLB deployment guide here.
If you haven't deployed Software Load Balancer yet, please refer to the SLB deployment guide above and come back to this section after deploying Software Load Balancer.
Prepare an SSL Certificate
The Gateway service template requires that an SSL certificate is prepared prior to import. You should already have this certificate ready as part of Network Controller deployment. To revisit the steps on how to prepare SSL certificates, click here. Right-click the SSL certificate created earlier during Network Controller deployment and export it without a password in .CER format. This certificate will later be placed inside the NCCertificate.CR folder, as described in the later sections.
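The export step above, as an added example (not code from the original post): it takes the Network Controller certificate from the local machine store, writes it as a password-less .CER (public certificate only) into the NCCertificate.CR folder, and then checks that the file carries no private key and matches the certificate by thumbprint. The certificate subject and the folder path are assumptions for this environment.

```powershell
# Added example (not from the original post): export the Network Controller SSL
# certificate as a .CER file and stage it in the NCCertificate.CR folder.
# The subject and the folder path below are assumptions for this environment.
$subject        = "CN=NetworkController.contoso.com"   # assumed subject of the NC certificate
$resourceFolder = "C:\SDN\NCCertificate.CR"            # assumed folder extracted from the service template

# Pick the newest certificate with that subject from the local machine store
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "Certificate with subject '$subject' not found in Cert:\LocalMachine\My" }

if (-not (Test-Path $resourceFolder)) { New-Item -ItemType Directory -Path $resourceFolder | Out-Null }
$cerPath = Join-Path $resourceFolder "NetworkController.cer"

# -Type CERT writes a DER-encoded public certificate; no password is involved because
# the private key is never part of a .CER export
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT -Force | Out-Null

# Verify what was written: the file must not carry a private key, and its thumbprint
# must match the certificate that the Gateway VMs are expected to trust
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($check.HasPrivateKey) { throw "Unexpected private key in $cerPath" }
if ($check.Thumbprint -ne $cert.Thumbprint) { throw "Thumbprint mismatch for $cerPath" }

"Exported $($check.Subject) ($($check.Thumbprint)) to $cerPath"
```

Run this on the machine that holds the certificate (the VMM server or the host where it was created); the resulting folder is what gets added to the VMM library as the NCCertificate.CR custom resource.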
Setting it up
This section covers the setup required for deploying the Gateway virtual machine.
Topology overview
The topology consists of four physical hosts, one Network Controller virtual machine, two tenant virtual machines, one Gateway virtual machine, one SLB MUX virtual machine and optionally one Router (BGP peer) virtual machine. Most of these hosts and virtual machines will already be configured as part of Network Controller deployment.
You will need to deploy one additional VM for Gateway.
All the virtual machines require an operating system VHD. You can download the Windows Server 2016 Technical Preview ISO image from here.
Logical Networks
In addition to the Management, Back End, Front End and Public IP network that you already have configured, you will need the following network to deploy Gateway:
Network Name | Subnet | Mask | VLAN ID on trunk | Gateway | Reservations (examples)
VIP: Subnet for GRE VIPs. | 10.127.134.128 | 27 | NA | 10.127.134.129 | 10.127.134.158
Active Directory and DNS must also be available and reachable from this subnet.
Creating the GRE VIP logical network required for Gateway Deployment
You need an IP address pool for private VIPs in order to assign virtual IP addresses to GRE endpoints. We will create a GRE VIP logical network in order to specify the IP address pool for GRE endpoints.
Create a GRE VIP Logical network
The GRE VIP network is a subnet that exists solely for defining VIPs that will be assigned to Gateway virtual machines running on your SDN fabric. This network does not need to be preconfigured in your physical switches or router and need not have a VLAN assigned.
- Start the Create Logical Network Wizard.
- Type a name and optional description for this network and click Next.
- On the Settings page, ensure you select One Connected Network. Optionally, you can also check the Create a VM network with the same name box to allow virtual machines to access this logical network directly, and the Managed by the Network Controller box; then click Next.
- On the Network Site panel, add the network site information for your VIP subnet. This should include the Host Group and subnet information for your VIP network.
- Review the Summary information and complete the Logical Network wizard.
Create an IP pool for GRE VIP addresses
TIP: While creating IP address pools for NC-managed networks, you MUST use a value for Starting IP Address that is at least 4 IP addresses into the address range for the IP subnet. The Network Controller uses the first three IP addresses of the network range. For example, if your IP subnet is 192.168.0.0/24, you should use 192.168.0.4 as your starting IP address.
- Right-click the GRE VIP logical network in VMM and select Create IP Pool from the drop-down menu.
- Provide a name and optional description for the IP pool and ensure that the VIP network is selected for the logical network. Click Next.
- Accept the default network site and click Next.
- Choose a starting and ending IP address for your range that contains the entire address range of your GRE VIP subnet.
- In the IP addresses reserved for load balancer VIPs box, type the entire IP address range in the subnet. This should match the range you used for starting and ending IP addresses.
- You do not need to provide gateway, DNS or WINS information, as this pool is used only to allocate IP addresses for VIPs via the Network Controller, so skip these screens by clicking Next.
- Review the summary information and complete the wizard.
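The logical network and IP pool procedure above, as an added example (not code from the original post) using the VMM PowerShell cmdlets instead of the wizards. It applies the TIP's rule generally: for an NC-managed subnet of any prefix length, the pool starts four addresses past the network address (the first three are used by the Network Controller) and ends one before the broadcast address, and the same range is reserved for VIPs. The logical network, host group and pool names are assumptions; -ManagedByNetworkController is assumed to be the VMM 2016 cmdlet equivalent of the "Managed by the Network Controller" checkbox.

```powershell
# Added example (not from the original post): create the GRE VIP logical network,
# its network site and the VIP IP pool with VMM cmdlets.
# Names of the logical network, host group and pool are assumptions.
Import-Module virtualmachinemanager

$subnetCidr    = "10.127.134.128/27"   # VIP subnet from the logical networks table above
$hostGroupName = "SDN Hosts"           # assumed host group that contains the Gateway hosts

function ConvertTo-AddressInt64([string] $Address) {
    # IPv4 dotted quad -> integer (big-endian byte order)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function ConvertFrom-AddressInt64([int64] $Value) {
    return '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255),
                                 (($Value -shr 8) -band 255), ($Value -band 255)
}

function Get-NCManagedPoolRange {
    # Usable pool for an NC-managed subnet: start = network address + 4 (the Network
    # Controller uses the first three addresses), end = broadcast address - 1.
    param([Parameter(Mandatory)][string] $Cidr)
    $address, $prefix = $Cidr.Split('/')
    $size    = [int64][math]::Pow(2, 32 - [int]$prefix)
    if ($size -lt 8) { throw "Subnet $Cidr is too small for an NC-managed pool" }
    $network = ConvertTo-AddressInt64 $address
    $network = $network - ($network % $size)            # align to the subnet boundary
    return [pscustomobject]@{
        Subnet = "$(ConvertFrom-AddressInt64 $network)/$prefix"
        Start  = ConvertFrom-AddressInt64 ($network + 4)
        End    = ConvertFrom-AddressInt64 ($network + $size - 2)
    }
}

# For 10.127.134.128/27 this yields 10.127.134.132 - 10.127.134.158
$range = Get-NCManagedPoolRange -Cidr $subnetCidr

$hostGroup = Get-SCVMHostGroup -Name $hostGroupName

# "One Connected Network": no isolation, no network virtualization, managed by NC
$logicalNetwork = New-SCLogicalNetwork -Name "GRE VIP" -Description "Subnet for GRE VIPs" `
    -LogicalNetworkDefinitionIsolation $false -EnableNetworkVirtualization $false `
    -IsPVLAN $false -ManagedByNetworkController $true

# Network site for the VIP subnet; VLAN 0 because this subnet is never configured on the
# physical switches or router
$subnetVlan = New-SCSubnetVLan -Subnet $range.Subnet -VLanID 0
$site = New-SCLogicalNetworkDefinition -Name "GRE VIP_0" -LogicalNetwork $logicalNetwork `
    -VMHostGroup $hostGroup -SubnetVLan $subnetVlan

# IP pool: the usable range, with the same range reserved for VIPs (the "IP addresses
# reserved for load balancer VIPs" box). No gateway, DNS or WINS settings are given.
New-SCStaticIPAddressPool -Name "GRE VIP Pool" -LogicalNetworkDefinition $site `
    -Subnet $range.Subnet -IPAddressRangeStart $range.Start -IPAddressRangeEnd $range.End `
    -VIPAddressSet "$($range.Start)-$($range.End)" | Out-Null

"Created GRE VIP pool $($range.Start) - $($range.End) in $($range.Subnet)"
```

Get-NCManagedPoolRange can be run on its own, without VMM, to sanity-check a planned subnet before touching the fabric; the VMM cmdlets need the virtualmachinemanager module on a machine with the VMM console installed.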
To deploy the logical switch to Edge host
You will already have an SDN logical switch available in your set up as part of Network Controller and SLB deployment.
Deployment
Now you can proceed to deploy Gateway using VMM Service Template.
Download the service template
First, you need to download the Gateway service template from here and extract the contents to a folder on a local computer. Then copy the contents to a folder on your VMM server or to a file share that your VMM server has access to.
Add template resources to the VMM library
Before you import the Gateway service template you need to do the following:
NOTE: You can skip these steps if you have already configured Software Load Balancer and have EdgeDeployment.CR and NCCertificate.CR imported in the library.
- Copy the .CER certificate that you previously created for the Network Controller to the NCCertificate.CR folder.
- Add the NCCertificate.CR and EdgeDeployment.CR custom resources to the VMM library.
Import the service template
1. In VMM, navigate to Library.
2. At the top of the left pane, in the Templates section, select Service Templates.
3. In the ribbon at the top, click Import Template.
4. Browse to your service template directory, select the EdgeServiceTemplate.1.0.xml file and click Next.
5. This service template uses the following virtual machine configuration parameters. Update the parameters to reflect the configuration of your environment.
Configuration parameters:
Resource type | Resource name and description
Library Resources | win_server.vhd: Windows Server virtual hard disk. The format can only be VHD. Prepare a VHD image from the previously downloaded ISO image. You can use the same VHD that you prepared for the Network Controller virtual machine.
Library Resources | NCCertificate.cr: A custom library resource that contains the trusted root certificate (.CER) for the Network Controller. This is used for secure communications between the Network Controller and the Gateway instances. Map it to the NCCertificate.cr library resource in your VMM library.
Library Resources | EdgeDeployment.cr: A custom library resource that contains an SSL certificate in .PFX format and the scripts required to install and configure RRAS. Select the EdgeDeployment.cr library resource that you prepared earlier and imported into your VMM library.
6. Click Next.
7. On the Summary page, click Import.
Configure the deployment
To configure the deployment, complete the following:
1. Select the EdgeServiceTemplate service template and click Configure Deployment to begin. Type a name and choose a destination for the service instance. The destination must map to a Host Group that contains the hosts configured previously for Gateway deployment.
2. In the Network Settings section, you must map the networks as follows:
Network Setting | Value
Management Network | Map this to your Management VM network
3. Click OK.
4. After you are done mapping the destination and network settings, click OK.
5. The Deploy Service dialog appears. It is normal for the virtual machine instances to initially be red. Click Refresh Preview to automatically find suitable hosts (from the destination you mapped earlier) for the virtual machine. This can also be done manually if needed.
6. On the left side of the Configure Deployment window, there are a number of settings that you must configure. The table below summarizes each field:
Setting | Requirement | Description
AdminAccount | Required | Select a Run As account in your environment which will be used as the local Administrator on the Gateway virtual machines. The user name should be .\Administrator.
Management Network | Required | Choose the Management VM network that you created for host management.
SelfSignedConfiguration | Required | If you are using a self-signed certificate you created yourself, set this value to True. If you are using a certificate that has been issued by an Enterprise CA or an external Root CA, set this value to False.
MgmtDomainAccount | Required | Select a Run As account in your environment that will be used to prepare the Network Controller. This user must be a member of the management security group, specified below, which has privileges to manage the Network Controller.
MgmtDomainAccountName | Required | This must be the full username (including domain name) of the Run As account mapped to MgmtDomainAccount. Example: contoso\Username. NOTE: The domain username will be added to the Administrators group during deployment.
MgmtDomainAccountPassword | Required | Password for the management Run As account mapped to MgmtDomainAccount.
MgmtDomainFQDN | Required | Fully qualified domain name of the Active Directory domain that the Network Controller virtual machines will join. Example: contoso.com
Deploy the Gateway service
After you configure these settings, you can click
Deploy Service
to begin the service deployment job. Deployment times will vary depending on your hardware but are typically between 30 and 60 minutes. When the service deployment job has completed, verify that your service appears in the VMM console by completing the following:
- Open the VMs and Services workspace.
- Click Services in the ribbon.
- Verify that your Gateway service instance appears in the VM Network Information for Services window.
- Right-click the Gateway service and select Properties from the menu.
- Verify that the state is Deployed.
Configure the Gateway Manager Role
Now that the service is deployed, you can configure its properties.
- Open the Fabric workspace.
- Click Network Service to display the list of network services installed.
- Right-click your Network Controller service and select Properties.
- Click the Services tab and select the Gateway Manager role in the services panel.
- Find the Associated Service field under Service information and click Browse.
- Select the Gateway service instance you created earlier and click OK.
- Select the Run As account that will be used by Network Controller to access the Gateway VMs.
- In IPv4 frontend subnet, select the front end subnet that you have created (this is the Transit subnet).
- In GRE VIP subnet, select the VIP subnet that you created above.
- In Public IPv4 pool, select the Public IP pool.
- For Public IPv4 address, provide an IP address from the above pool.
- Configure the Gateway capacity in the Gateway Capacity field.
- Configure the number of reserved nodes for backup in the Nodes reserved for failures field.
- Click OK.
You should see that the associated jobs have completed successfully in VMM's Jobs workspace.
The service instance that you deployed is now associated with the Gateway Manager role, and you should see the Gateway virtual machine instance listed under the Gateway Manager role.
Configure and validate Gateway connection types
Once you have deployed Gateway using the Virtual Machine Manager template, you can configure a GRE tunnel and validate Gateway deployment with this tunnel.
To validate the GRE connection tunnel:
- Choose one of the tenant virtual machines that has GRE tunneling enabled.
- Ensure that this virtual machine can ping the edge router IP with the CA IP address.
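The ping check above, as an added example (not code from the original post) to run inside the tenant virtual machine. It binds the ping source to the VM's CA (customer address) with ping.exe -S, so replies must come back through the GRE tunnel rather than any other interface, and it returns a result object rather than relying on a visual read of the output. The two addresses are assumptions, and the output parsing expects the English "Received = N" line of ping.exe.

```powershell
# Added example (not from the original post): confirm that the tenant VM can reach
# the edge router through the GRE tunnel, sourcing from its CA address.
function Test-GreTunnel {
    param(
        [Parameter(Mandatory)][string] $TenantCAAddress,   # CA IP of this tenant VM (ping source)
        [Parameter(Mandatory)][string] $EdgeRouterAddress, # edge router IP across the GRE tunnel
        [int] $Count = 4
    )
    # -S binds the source address; -n sets the number of echo requests
    $output = & ping.exe -n $Count -S $TenantCAAddress $EdgeRouterAddress
    $received = 0
    if (($output -join "`n") -match 'Received = (\d+)') { $received = [int]$Matches[1] }
    return [pscustomobject]@{
        Source   = $TenantCAAddress
        Target   = $EdgeRouterAddress
        Sent     = $Count
        Received = $received
        Ok       = ($received -eq $Count)   # any loss on an idle tunnel is worth investigating
    }
}

# Assumed addresses for this environment
$result = Test-GreTunnel -TenantCAAddress "10.0.1.10" -EdgeRouterAddress "10.0.254.1"
$result
if (-not $result.Ok) { Write-Warning "GRE tunnel check failed: $($result.Received)/$($result.Sent) replies" }
```

If the check fails, confirm in the Gateway Manager role properties that the GRE VIP subnet and the frontend (Transit) subnet are the ones created above before looking at the tenant VM itself.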
Manish Jha, Program Manager
Microsoft