Hybrid Networking: SDN features in Windows 2016 & Azure Networking

Hybrid Networking: SDN features in Windows 2016 & Azure Networking
Microsoft Ignite 2016 9/12/2018 8:32 PM Hybrid Networking: SDN features in Windows & Azure Networking INF325 Bala Natarajan, Senior Program Manager Balaji Navaneethan, Senior PFE © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda SDN Intro Azure Networking Server 2016 SDN
Microsoft Ignite 2016 9/12/2018 8:32 PM Agenda SDN Intro Hyper scale Networking Azure Networking Server 2016 SDN Server 2016 SDN features How the SDN features come together Demo Hybrid Networking © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Azure Networking Hybrid Hyper-scale Enterprise Grade

Azure Networking Hyperscale
Inside the Azure Region Connecting Azure Regions Geographic Reach and Internet Ecosystem Security Performance Load Balancing Virtual Networks Cross-premises connectivity Software Defined WAN Optical Networks National Clouds CDN Backbone in 100+ iXP 3500+ peerings with ISPs ExpressRoute in 35 locations Private cloud connectivity Servers Advanced MPLS Services Long-Haul Optical Network Internet Exchange Provider

Software Defined Networking (SDN)
Building the right abstractions to enable Scale and Agility Abstract Management, Control, and Data planes Tenant Compose compute & storage roles and networks Tell & Program Instead of Discover and react Azure FrontEnd Management Plane Application Plane Proprietary Hardware Appliance Controller Control Plane Commodity Hardware Physical Transport Plane Control Plane Example: ACLs Management Create a tenant Control Plumb tenant ACLs to switches Data Apply ACLs to these flows Switch

The Big (Network) Picture
Microsoft Ignite 2016 The Big (Network) Picture 9/12/2018 8:32 PM Virtual Network “Bring Your Own Network” Bring your own DNS or use Azure-provided DNS Segment with subnets and security groups Control traffic flow with User Defined Routes Backend 10.3/16 Mid-tier 10.2/16 Frontend 10.1/16 VPN/ER GW Internet √ AD / DNS Users Internet Front-End Access Dynamic/Reserved Public IP addresses Direct VM access, ACLs for security Load balancing DNS services: hosting, traffic management DDoS protection Backend Connectivity Point-to-site for dev / test VPN Gateways for secure site-to-site connectivity ExpressRoute for private enterprise grade connectivity Backend Connectivity ExpressRoute / S2S VPN © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Azure Networking Microsoft Ignite 2016 9/12/2018 8:32 PM
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Azure Network building blocks
Microsoft Ignite 2016 9/12/2018 8:32 PM Azure Network building blocks Network & Address Management Access controls for workload Traffic Inspection High performance / Low latency Hybrid Connectivity © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Birth of the Virtual Data Center
9/12/2018 8:32 PM VNet Peering is the key that unlocks the Virtual Data Center © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

VNet-to-Vnet Connection
Microsoft Ignite 2016 9/12/2018 8:32 PM VNet-to-Vnet Connection VNet Peering Azure Region /16 Private connectivity between different VNets Connection through the gateways connects VNets in same region through the Azure backbone No gateways required Latency and throughput at par as single VNet! PEER IPSec VPN Tunnel /16 © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

VNet Peering Hub and spoke
Microsoft Ignite 2016 9/12/2018 8:32 PM VNet Peering Hub and spoke Hub and Spoke configuration Consolidate shared services High bandwidth Low latency Cross subscription Supports NVA and Gateway Transit (ARM-to-ARM only) © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Network Security Groups
Microsoft Ignite 2016 9/12/2018 8:32 PM Network Security Groups Internet NSGs control inbound/outbound network access Segment network to meet security needs 5 tuple ACLs on both directions Can protect Internet and internal traffic Enables DMZ subnets Associated to subnets/VMs and now NICs √ √ √ VPN GW Backend 10.3/16 Mid-tier 10.2/16 Frontend 10.1/16 © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Securing Internet-Bound Traffic
Microsoft Ignite 2016 9/12/2018 8:32 PM Securing Internet-Bound Traffic Internet Force Internet- bound traffic to an on-premises site Auditing and inspecting Internet traffic On Premises √ S2S/ ExpressRoute √ √ VPN GW Backend 10.3/16 Mid-tier 10.2/16 Frontend 10.1/16 © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

User Defined Routes (UDR)
Microsoft Ignite 2016 9/12/2018 8:32 PM User Defined Routes (UDR) Internet System routes facilitates traffic automatically for some scenarios But you can also control traffic flow in Azure with custom User Defined Routes Route packets via virtual appliance, on-premises (F/W, NAT device..etc.,) VM/Appliance System Route VPN GW System Route UDR Backend 10.3/16 Frontend 10.1/16 VM/Appliance © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Application Gateway: Layer 7 ADC Features
fabrikam.com contoso.com/video/* Videos Images contoso.com/images/* Application Gateway contoso.com Security SSL termination Allow/block SSL protocol versions Session & site management Cookie based session affinity Multi-site hosting Content management URL based routing Backend management Access and Performance logs Custom health probes

Web Application Firewall (WAF) - Preview
Security Protect applications from web based intrusions Preconfigured OWASP core rule set Detection and Prevention modes Real time Monitoring WAF logs integrated with Azure Insights XSS attack × Site 1 Application Gateway WAF Valid request Valid request Site 2 SQL Injection × Valid request L7 LB Alerts WAF logs Azure Security Center Azure Insights

Accelerated Networking Internals- Preview
Microsoft Ignite 2016 9/12/2018 8:32 PM Accelerated Networking Internals- Preview Networking policy applied in software in the host Hardware accelerators used to apply all policies © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Accelerated Networking
Microsoft Ignite 2016 9/12/2018 8:32 PM Accelerated Networking VM-to-VM latency & bandwidth Latency intra VNET is ~30 microseconds RTT 25Gbps with the improved DS15v2 VMs Azure SQL Database Service 1.5x throughput improvements in SQL writes (1KB commits) Portal Enabling is just a click of a button © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Customer’s connection
Microsoft Ignite 2016 9/12/2018 8:32 PM ExpressRoute Unified connectivity to Microsoft Cloud Services Predictable performance Enterprise-grade resiliency and with 99.95% availability SLA Large and growing partner ecosystem Customer’s network Customer’s connection Traffic to public Azure services (typically PaaS) Traffic to Virtual Networks (typically IaaS) Traffic to Office 365 and CRM Online (SaaS) Microsoft Edge Partner Edge © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9/12/2018 8:32 PM Secure VPN BGP for redundant paths and dynamic routing Automatic shortest path selection and failover Transit over Microsoft global network Secure connectivity using Internet only for “last mile” VNet 3 Central US ASN 65030 Full mesh Redundant paths BGP BGP On-Premises Site 4 ASN 65040 On-Premises Site 5 ASN 65050 VNet 2 West US VNet 1 East US BGP BGP BGP S2S VPN S2S VPN ASN 65020 ASN 65010 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Virtual Data Center Emerges
9/12/2018 8:32 PM RBAC allows segregation of duties between centralized and specialized teams Common components are minimized (reduced cost and complexity) Centralized IT is enabled at the Security and Infrastructure components © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Azure N/W Features Summary
Microsoft Ignite 2016 9/12/2018 8:32 PM Azure N/W Features Summary Best performance – 25 Gbps Accelerated Networking VNet Peering UltraPerformance Gateway Highest connectivity SLA 99.95% for VPN and ExpressRoute Higher Availability Active-Active VPN Multi-path and transit routing Improved Security Web Application Firewall More Capabilities DNS Service Native IPv6 for Azure VMs Multiple VIPs per load balancer NIC enhancements MAC persistence Enhanced Monitoring and Diagnostics © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Server 2016 SDN Microsoft Ignite 2016 9/12/2018 8:32 PM

Datacenter Network Datacenter Microsoft Ignite 2015 9/12/2018 8:32 PM
Spine Switches/Routers Microsoft Ignite 2015 9/12/2018 8:32 PM Datacenter Network Fixed-Function Physical Appliances Edge Routers Compute/Storage & TOR Switches Datacenter © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Challenges customers face
Agility “I need to onboard workloads with complex policies across my own datacenter and/or the public cloud in days – not weeks – to remain competitive.” Security “I must stop a compromised node from attacking other nodes on my network” Costs “I need to reduce the number of operator interventions and efficiently meet network growth demands. Current practices just won’t scale.”

Microsoft Build 2016 9/12/2018 8:32 PM “ The ability to spin up a software-defined network in about eight minutes while eliminating a $20,000 cost is a huge benefit. “ Chris Amaris Chief Technology Officer Convergent Computing © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Azure-inspired SDN Datacenter Microsoft Ignite 2015 9/12/2018 8:32 PM
Physical Infrastructure Azure inspired SDN Datacenter © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

How do we get agility? Microsoft Ignite 2016 9/12/2018 8:32 PM

SDN: Building the right abstractions for Scale
Abstract by separating management, control, and data planes Azure Resource Manager, SCVMM, or Powershell Example: ACLs Management plane Create a tenant ACL Control plane Plumb these tenant ACLs to these switches Data plane Apply these ACLs to these flows Management Plane Controller Data plane needs to apply per-flow policy to millions of VMs How do we apply billions of flow policy actions to packets? Control Plane Switch (Host)

Virtual Filtering Platform (VFP)
Microsoft Ignite 2016 9/12/2018 8:32 PM Virtual Filtering Platform (VFP) Acts as a virtual switch inside Hyper-V VMSwitch Provides core SDN functionality for Azure networking services, including: Address Virtualization for VNET VIP -> DIP Translation for SLB ACLs, Metering, QoS, Security Guards Uses programmable rule/flow tables to perform per-packet actions Supports all Azure data plane policy at 40GbE+ with offloads Coming for all clouds in Windows Server 2016 VM VM NIC vNIC vNIC VM Switch VFP ACLs, Metering, Security VNET SLB (NAT) © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Flow Tables: the Right Abstraction for the Host
VMSwitch exposes a typed Match-Action-Table API to the controller Controllers define policy One table per policy Key insight: Let controller tell switch exactly what to do with which packets VNet Description Workload Description Controller VNet Routing Policy NAT Endpoints ACLs Host: VFP Flow Action TO: 10.2/16 Encap to GW TO: Encap to TO: !10/8 NAT out of VNET Flow Action Flow Action TO: DNAT to TO: !10/8 SNAT to Flow Action Flow Action Flow Action TO: /24 Allow 10.4/16 Block TO: !10/8 NIC Blue VM1 VNET LB NAT ACLS

Table Typing/Flow Caching are Critical to Performance
Microsoft Ignite 2016 9/12/2018 8:32 PM Table Typing/Flow Caching are Critical to Performance COGS in the cloud is driven by VM density: 40GbE is here First-packet actions can be complex Established-flow matches must be typed, predictable, and simple hash lookups Host First Packet Flow Action Flow Action TO: 10.2/16 Encap to GW TO: Encap to TO: !10/8 NAT out of VNET Flow Action Flow Action TO: DNAT to TO: !10/8 SNAT to Flow Action Flow Action TO: /24 Allow 10.4/16 Block TO: !10/8 NIC Blue VM1 VNET LB NAT ACLS Connection Action , ,80,9876 DNAT + Encap to GW , ,80,9876 Encap to , ,6754,80 SNAT to VFP Subsequent Packets © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Virtualize entire network for agility
Switching and routing Load balancers Firewalls Edge gateways Other physical appliances Azure Internet Direct Internet Connectivity VPN and ExpressRoute Backend 10.3/16 Mid-tier 10.2/16 Frontend 10.1/16 VPN GW with predictable performance! AD/DNS Virtual Network

Physical Top of Rack Switch
Network Controller for a Scale out, Control Plane of your Virtualized Network Internet Datacenter Management tool (SCVMM, PS, Azure Stack) Hyper-V Host Hyper-V vSwitch VM Network controller Physical Top of Rack Switch

Virtual Networks for Flexible Workload Deployment
L2 switching and Distributed Routing [New!] VXLAN encapsulation [New!] OVSDB for provisioning policy [New!] REST API for SDN applications Blue Sales Red Blue Finance Shared DC Fabric  VNI 6001 MAC    VNI 5001 MAC VXLAN Tunnel    

Hybrid SDN Gateways for a cloud on your terms – your workloads, anywhere
Public Cloud Woodgrove HQ MPLS WAN MPLS MPLS Router Exchange VLAN 30 GRE Tunnel VLAN 40 Public internet Contoso HQ BGP Gateway VM Pool NEW for 2016! M+N Resiliency Multi-tenant Forwarding Dynamic/Transit Routing REST API BGP Gateway (Internet edge) SQL Farm Contoso VNet Woodgrove VNet

[New!] A cloud-optimized Load Balancer for cloud infrastructure and tenants
Client Scales up. Bypass MUX for outgoing traffic with Direct Server Return (DSR) Load balances the load balancers! Multi-tenanted. Only one VM for load balancing policies across 100s of tenants and VIPs Stateless. NAT and Probes on the DIP REST API for SDN applications VIP VIP Edge Routers VIP Tenant Definition: VIPs, # DIPs LB MUX LB MUX NAT/ Probe NAT/ Probe Direct Return: VIP Stateless Tunnel Controller Mappings Azure VMSwitch Azure VMSwitch NAT DIP DIP VM DIP VM DIP VM DIP VM DIP

[New!] Internal Load Balancing with 0% CPU utilization!
Client Edge Routers Majority traffic in a datacenter is East-West. Unique Azure design that bypasses the MUX entirely for such traffic. Significant Perf Gains! Throughput gain: ~25% Latency drop: ~35% MUX CPU utilization: 0%! Tenant Definition: VIPs, # DIPs LB MUX LB MUX Controller Mappings ICMP Redirect ICMP Redirect VIP Direct Return: VIP 1st Request DB Tier (DIP) Web Tier (Client) Azure VMSwitch DB Tier (DIP) VM DIP Azure VMSwitch NAT NAT NAT Additional requests Bypass MUX DIP

Security Microsoft Ignite 2016 9/12/2018 8:32 PM

Layered Security, Protection, and Isolation
Microsoft Build 2016 9/12/2018 8:32 PM Layered Security, Protection, and Isolation SDN Virtual Network Isolation DFW & NSG Appliances DDoS Protection Firewall ACLs Physical Network VM Cloud Services & “Infrastructure” VM Guest Threat © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

[New!] Micro-Segmentation to segment your network based on app and security needs
Dynamically segment network to meet evolving security needs. 5 tuple stateful, distributed firewall in both directions. Associated to subnets or NICs Update ACLs independent of VMs For VMs and Containers On-premises 10.0/16 Internet ExpressRoute and VPNs VPN GW Backend 10.3/16 Mid-tier 10.2/16 Frontend 10.1/16 Virtual Network

[New!] User Defined Routes to route tenant traffic to Virtual Appliances
On-premises 10.0/16 Internet Tenant defined routing tables for virtual networks Enables routing traffic to a virtual appliance Virtual appliance need have no awareness of SDN ExpressRoute and VPNs VPN GW Backend 10.3/16 Mid-tier 10.2/16 Frontend 10.1/16 Virtual Network

[New!] Port Mirroring to mirror tenant traffic
Mirror inbound and outbound packets on a port to a virtual appliance Many ports to one appliance – a single appliance can serve multiple ports. 5-tuple rules to enable a subset of traffic Appliance not in data path of VM-to- VM communication. Packets not modified in any way On-premises 10.0/16 Internet ExpressRoute and VPNs VPN GW Backend 10.3/16 Mid-tier 10.2/16 Frontend 10.1/16 Virtual Network

Application at risk! Phishing for secrets
/24 Subnet3 Tier 3 Virtual Network – “MyNetwork” Microsoft Ignite 2016 9/12/2018 8:32 PM Application at risk! Phishing for secrets /24 Subnet2 Tier 2 Active Directory VM Internal VIP /24 Subnet1 Tier 1 File Server 1 VM File Server 2 VM Public VIP  Web Server 1 VM Web Server 2 VM Outbound NAT  © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Application at risk! The attack
/24 Subnet3 Tier 3 Virtual Network – “MyNetwork” Microsoft Ignite 2016 9/12/2018 8:32 PM Application at risk! The attack /24 Subnet2 Tier 2 Active Directory VM Private VIP  /24 Subnet1 Tier 1 File Server 1 VM N File Server 2 VM Public VIP  Web Server 1 VM N N Web Server 2 VM N Outbound NAT  N © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Dynamic Security Micro-segmentation
/24 Subnet3 Tier 3 Virtual Network – “MyNetwork” Microsoft Ignite 2016 9/12/2018 8:32 PM Dynamic Security Micro-segmentation /24 Subnet2 Tier 2 Active Directory VM Internal VIP /24 Subnet1 Tier 1 File Server 1 VM File Server 2 VM Public VIP  Web Server 1 VM Web Server 2 VM Outbound NAT  © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Dynamic Security Using the distributed firewall
Active Directory NSG /24 Subnet3 Tier 3 Virtual Network – “MyNetwork” Microsoft Ignite 2016 9/12/2018 8:32 PM Back End NSG Dynamic Security Using the distributed firewall /24 Subnet2 Tier 2 Active Directory VM Front End NSG Internal VIP /24 Subnet1 Tier 1 File Server 1 VM File Server 2 VM Public VIP  Web Server 1 VM Web Server 2 VM Outbound NAT  © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Dynamic Security Virtual Appliances
Active Directory NSG /24 Subnet3 Tier 3 Virtual Network – “MyNetwork” Microsoft Ignite 2016 9/12/2018 8:32 PM Back End NSG Dynamic Security Virtual Appliances /24 Subnet2 Tier 2 Active Directory VM NSG Virtual Appliance VM Internal VIP /24 Subnet1 Tier 1 File Server 1 VM File Server 2 VM Public VIP  Web Server 1 VM Web Server 2 VM Outbound NAT  © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Cost Optimized Performance

[New!] VMMQ for 40G Ethernet Performance
VMMQ is the fourth generation performance enhancement RSS was in WS2008 VMQ arrived in WS2008 R2 vRSS (VMQ with RSS in the VM) came in WS2012 R2 VMMQ (hardware offload of vRSS) is in WS2016

[New!] Converged NIC for cost optimized Storage and Networking
9/12/2018 [New!] Converged NIC for cost optimized Storage and Networking Windows Server 2016 © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

NIC Applies Bandwidth Reservations per TC
[New!] QoS for predictable storage and networking perf on a Converged NIC QoS per VM in Hyper-V switch Carve out traffic classes for storage and networking Apply QoS limits to limit maximum bandwidth for a VM Use QoS reservations to guarantee minimum bandwidth for a VM RDMA Traffic TCP/IP Traffic TC=X TC=0 NIC Applies Bandwidth Reservations per TC

Customer Challenges Solved
Agility With the Cloud Optimized SDN Infrastructure in Windows Server 2016, customers can deploy complex workloads rapidly across any cloud. Security With Windows Server 2016, customers can dynamically segment their network to precisely model security needs, while being able to react quickly to breaches. Costs It’s all built in – the network controller, load balancer, firewall, controller, gateways,– everything is included as part of Windows Server 2016 and System Center 2016

SDN Feature Summary for WS 2016
Network controller [NEW!] Central control plane Fault tolerant Control with System Center VMM, PowerShell, or RESTful API Virtual networking BYO address space Distributed routing VXLAN [NEW!] and NVGRE Network security [NEW!] Micro-Segmentation - Distributed firewall & Network Security Group BYO virtual appliances via user- defined routing or mirroring Robust gateways M:N availability model [NEW!] Multi-tenancy for all modes of operation BGP Transit Routing [NEW!] Software load balancing [NEW!] L3/L4 load balancing (N-S and E- W) with DSR NAT For tenants and cloud infra Performance [NEW!] Converged NIC for both RDMA and Ethernet traffic VMMQ for 40G Ethernet perf QoS for predictable Perf Consistency with Azure in UI, API, and Services

Hybrid connectivity Demo
Microsoft Ignite 2016 9/12/2018 8:32 PM Hybrid connectivity Demo © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Demo Setup - http://104.42.197.112/ Microsoft Ignite 2016
/16 /16 /24 © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Next steps Learn more: www.microsoft.com/WindowsServer2016
Microsoft Ignite 2016 9/12/2018 8:32 PM Next steps Learn more: Windows Server Blog: © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

How the SDN features come together
Microsoft Ignite 2016 9/12/2018 8:32 PM How the SDN features come together © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

HNV Provider Logical Network
HNV ( /25, VLAN 11) Management ( /25, VLAN 7) Microsoft Ignite 2016 9/12/2018 8:32 PM Web Subnet ( /24) Logical Network Diagram Tenant VMs Web Subnet ( /24) Transit ( /26, VLAN 10) DB Subnet ( /24 MUX1 GW 1 2 3 MUX2 MUX3 Infrastructure VMs NC1 NC2 NC3 Public VIP ( /29) Compute Cluster Private VIP ( /29) © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Managed Logical Networks
Mgmt Microsoft Ignite 2016 9/12/2018 8:32 PM Network Controller Managed Logical Networks NIC1 NIC2 vSwitch Mgmt NIC1 NIC2 VFP vSwitch Mgmt NIC1 NIC2 VFP vSwitch Mgmt NIC1 NIC2 VFP NC2 Mgmt vSwitch NC Host Agent Mgmt VFP NC3 Mgmt NC Host Agent SCOM SQL NC Host Agent NC Host Agent Let’s use the Microsoft Network Controller to create some Tenant Virtual Networks!! © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Microsoft Ignite 2016 HNV 9/12/2018 8:32 PM Network Controller Managed Logical Networks Mgmt NIC1 NIC2 vSwitch Mgmt VFP vSwitch NC2 Mgmt Mgmt VFP vSwitch NC3 Mgmt Mgmt VFP NC Host Agent vSwitch Mgmt NC Host Agent VFP SCOM SQL NC Host Agent NC Host Agent Start by creating an HNV Provider Logical Network and IP Pool for carrying encapsulated tenant traffic © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Logical Network Diagram
Management ( /25, VLAN 7) Management Microsoft Ignite 2016 9/12/2018 8:32 PM Logical Network Diagram Infrastructure VMs NC1 NC2 NC3 HNV ( /25, VLAN 11) Compute Cluster © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

HNV PA Host vNICs used for constructing the encapsulated packet header
Microsoft Ignite 2016 HNV 9/12/2018 8:32 PM Network Controller Managed Logical Networks Mgmt NIC1 NIC2 vSwitch Mgmt Red Tenant VM Network HNV PA VFP HNV PA vSwitch Green Tenant VM Network Virtual Networks Mgmt VFP HNV PA HNV PA vSwitch Mgmt VFP HNV PA HNV PA HNV vSwitch Red Tenant VM Network Green Tenant VM Network Mgmt VFP SCOM SQL HNV PA Host vNICs used for constructing the encapsulated packet header Create Tenant VM Networks on top of HNV Provider Network © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Deploy VMs onto Hyper-V Hosts
Red Tenant VM Network Green Tenant VM Network Microsoft Ignite 2016 HNV 9/12/2018 8:32 PM HNV Provider Network Controller Managed Logical Networks Mgmt Network Controller Managed Virtual Networks Green Tenant VM Network Red Tenant VM Network vSwitch HNV PA HNV PA VFP vSwitch HNV PA HNV PA VFP vSwitch HNV PA HNV PA VFP vSwitch VFP Deploy VMs onto Hyper-V Hosts © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

HNV ( /25, VLAN 11) Management ( /25, VLAN 7) Management Logical Network Diagram Tenant VMs HNV Provider Logical Network Web Subnet ( /24) DB Subnet ( /24 Infrastructure VMs NC1 NC2 NC3 Compute Cluster

1. Create Multiple Tenant VNets 2. Create ACLs 3. Create VMs
Red Tenant VM Network Transit Green Tenant VM Network Network Controller Managed Virtual Networks Access Control Lists LB 1 LB 2 LB 3 LB 4 Load Balancers Virtual Machines Tenant VM Network 5 Web Tier ACL Public VIPs Tenant VM Tenant VM Network 1 Private VIPs DB Tier ACL Tenant VM Network 2 Tenant VM Network 2 Allow All ACL Tenant VM Network 3 Tenant VM Network 1 Green Tenant VM Network Tenant VM Network 4 VM NIC ACL Tenant VM Network 4 Tenant VM Network 5 Tenant VM Network 3 Red Tenant VM Network vSwitch VFP vSwitch VFP vSwitch VFP vSwitch 1. Create Multiple Tenant VNets VFP 2. Create ACLs 3. Create VMs 4. Create Load Balancers

Download the Gateways Service Template from GitHub Network Controller Managed Logical Networks Mgmt HNV Transit Private VIP NIC1 NIC2 Public VIP vSwitch VFP MUX1 Transit HNV Mgmt Mgmt vSwitch VFP MUX2 Transit HNV Mgmt Mgmt vSwitch VFP NC Host Agent MUX3 Transit HNV Mgmt Mgmt SLB Host Agent vSwitch VFP NC Host Agent Mgmt SLB Host Agent SCOM NC Host Agent SQL SLB Host Agent NC Host Agent SLB Host Agent

Network Controller Managed Logical Networks Mgmt HNV Transit Private VIP NIC1 NIC2 Public VIP vSwitch VFP MUX1 Transit HNV Mgmt Mgmt vSwitch VFP MUX2 Transit HNV Mgmt Mgmt vSwitch VFP NC Host Agent MUX3 Transit HNV Mgmt Mgmt Import the Gateway Service Template to VMM SLB Host Agent vSwitch VFP NC Host Agent Mgmt SLB Host Agent SCOM NC Host Agent SQL SLB Host Agent NC Host Agent SLB Host Agent

Network Controller Managed Logical Networks Mgmt HNV Transit Private VIP NIC1 NIC2 Public VIP GRE VIP vSwitch MUX1 Transit HNV Mgmt Mgmt VFP vSwitch MUX2 Transit HNV Mgmt Mgmt VFP vSwitch NC Host Agent MUX3 Transit HNV Mgmt Mgmt VFP SLB Host Agent vSwitch NC Host Agent Mgmt VFP SLB Host Agent SCOM NC Host Agent SQL SLB Host Agent NC Host Agent SLB Host Agent Create GRE VIP Logical Network for S2S GRE Tunnel Endpoints

Network Controller Managed Logical Networks Mgmt HNV Transit Private VIP NIC1 NIC2 Public VIP GRE VIP vSwitch VFP MUX1 Transit HNV Mgmt Mgmt vSwitch VFP Mgmt MUX2 Transit HNV Mgmt vSwitch VFP NC Host Agent MUX3 Transit HNV Mgmt Mgmt SLB Host Agent vSwitch VFP NC Host Agent Mgmt SLB Host Agent SCOM NC Host Agent SQL SLB Host Agent NC Host Agent SLB Host Agent Gateway Edge (Production) Service Template creates 3 Gateway VMs

Network Controller Managed Logical Networks Mgmt HNV Transit Private VIP NIC1 NIC2 Public VIP GRE VIP vSwitch VFP Mgmt RDMA2 vSwitch VFP Mgmt RDMA2 vSwitch VFP NC Host Agent Mgmt SLB Host Agent vSwitch VFP NC Host Agent Mgmt SLB Host Agent SCOM NC Host Agent SQL SLB Host Agent NC Host Agent SLB Host Agent Ideally, each GW VM should run on separate Hyper-V Hosts

Advertise Route to S2S VPN Endpoints / Virtual Gateways through SLB Mux Network Controller Managed Logical Networks Mgmt HNV Transit Private VIP NIC1 NIC2 Public VIP BGP Peering (Transit) GRE VIP vSwitch VFP BGP Peering (Transit) Mgmt BGP Peering (Transit) vSwitch VFP Mgmt vSwitch VFP NC Host Agent Mgmt SLB Host Agent vSwitch VFP NC Host Agent Mgmt SLB Host Agent SCOM Exchange Dynamic Routes for Remote Sites using BGP NC Host Agent SQL SLB Host Agent NC Host Agent SLB Host Agent During the GWs onboarding to NC we will need to specify: 1. ASN Number for ToR and GWs 2. ToR IP Address on the Transit Subnet for BGP Peering

HNV ( /25, VLAN 11) Management ( /25, VLAN 7) Web Subnet ( /24) Logical Network Diagram Tenant VMs Web Subnet ( /24) Transit ( /26, VLAN 10) DB Subnet ( /24 MUX1 GW 1 2 3 MUX2 MUX3 Infrastructure VMs NC1 NC2 NC3 Public VIP ( /29) Compute Cluster Private VIP ( /29)

Network Controller Managed Logical Networks Mgmt HNV Transit Private VIP Mgmt NIC1 NIC2 BGP Peering (Transit) vSwitch VFP SQL SCOM Public VIP GRE VIP

Remote Enterprise Site or Azure
Green Tenant S2S IKEv2 Tunnel Network Controller Managed Logical Networks Mgmt HNV Transit Private VIP Public VIP Remote Enterprise Site or Azure Internet GRE VIP BGP Customer Address Space Routes vSwitch VFP Public VIP Mgmt BGP S2S VPN Endpoint vSwitch VFP Mgmt vSwitch VFP Mgmt vSwitch VFP Mgmt

Remote Enterprise Site or Azure
Green Tenant S2S IKEv2 Tunnel Network Controller Managed Logical Networks Mgmt HNV Transit Private VIP Public VIP Remote Enterprise Site or Azure Internet Red Tenant S2S IKEv2 Tunnel BGP Customer Address Space Routes GRE VIP BGP Customer Address Space Routes vSwitch VFP Public VIP Mgmt BGP S2S VPN Endpoint vSwitch VFP Mgmt vSwitch VFP BGP S2S VPN Endpoint Mgmt vSwitch VFP Mgmt

Continue your Ignite learning path
9/12/2018 8:32 PM Continue your Ignite learning path Visit Channel 9 to access a wide range of Microsoft training and event recordings Head to the TechNet Eval Centre to download trials of the latest Microsoft products Visit Microsoft Virtual Academy for free online training visit © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Win a Spark After Dark drone pilot pass by completing your session evaluation ASAP #MSAUIGNITE

Thank you Chat with us in the Speaker Lounge
9/12/2018 8:32 PM Thank you Chat with us in the Speaker Lounge © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Hybrid Networking: SDN features in Windows 2016 & Azure Networking

Similar presentations

Presentation on theme: "Hybrid Networking: SDN features in Windows 2016 & Azure Networking"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Hybrid Networking: SDN features in Windows 2016 & Azure Networking

Similar presentations

Presentation on theme: "Hybrid Networking: SDN features in Windows 2016 & Azure Networking"— Presentation transcript:

Similar presentations

About project

Feedback