Network Controller: software-defined networks in Windows Server 2016. Part 1: features and services
Last year, we talked about Storage Spaces Direct - software-defined storage in Windows Server 2016. Today, let's talk about another new product from Microsoft, this time from the field of software-defined networks (SDN). Network Controller is a network management service in Windows Server 2016.
Content
VLAN. The first virtual networks appeared in 1998. These were local VLANs working using the IEEE 802.1Q protocol. The technology allows to divide one L2 network into many logical L2 networks. But VLAN has a limitation that turned out to be significant with the growing number of networks: the maximum number of connections on one L2 network is 4096. To overcome it, manufacturers began to develop new protocols with greater scalability, for example: IEEE 802.1ad and IEEE 802.1ah. We will not dwell on them in detail and move on.
VXLAN, STT and NVGRE. In 2011, VMware, Arista and Cisco are launching the VXLAN protocol, which allows you to create up to 16 million logical L2 segments on the same network. In parallel with them, Microsoft is creating the NVGRE protocol of a similar specification, which is beginning to evolve in Windows Server 2012. Nicira offers the STT protocol. The issue with limited scalability is resolved, you can create as many networks as you like. With the growth of networks, the infrastructure becomes difficult to manage, and there is a need for a centralized console to configure virtual and physical equipment. This is how the concept of software-defined networks (SDN) with centralized management of network infrastructure arises.
')
SDN. An approach to network management using unified software. One of their first SDN technology was introduced by Nicira. After purchasing Nicira, VMware creates a VMware NSX product using the VXLAN protocol.
In 2013, Microsoft offers its version of the software-defined network in the edition of Windows Server 2012R2 based on the NVGRE protocol. The NVGRE protocol had several drawbacks:
In the edition of Windows Server 2016, Microsoft introduced a new implementation of software-defined networks already based on the VXLAN protocol - Network Controller (NC). This service is available only in Windows Server 2016 Datacenter edition. Let's look at the features of a network controller.
Network Controller - a single point of management and monitoring for all physical and virtual domain networks. It configures IP subnets, VLANs, routers, and firewalls. NC stores network topology information, balances traffic, and sets NAT rules.
In general, the principle of the Network Controller architecture is as follows: the controller nodes are located on separate VMs, and the routing, traffic balancing and firewall services are located on virtualization servers.
Network Controller Architecture.
Network Controller is based on the Open vSwitch software switch. This switch is also used in software-defined VMWare NSX and OpenStack Neutron networks. It supports the control protocol OVSDB (Open vSwitch Database), which is responsible for the exchange of information between network equipment.
Let's look at how Network Controller works. Servers, virtual machines, hypervisor virtual switches are registered in NC. After registration and configuration, the servers establish a connection with the Network Controller and receive from it all the necessary information about the virtual machine networks, balancing rules and VPN tunnels.
The virtual networks on the hosts are connected to the Hyper-V virtual switch with the Azure VFP Switch Extension. Through it, the virtual ports to which the VMs are connected are managed:
Let us examine in detail what services are included in the Network Controller and what they control.
Virtual Network Management. This is a virtual network creation and management service. It manages Hyper-V virtual switches and virtual network adapters in virtual machines. Virtual Network Management contains virtual network settings that are used by other Network Controller services.
Firewall Management. This service simplifies the organization of firewalls: no need to manually configure firewalls on each VM and remember configurations. Network Controller stores all Access Control Lists (ACL) settings for virtual machines and networks. Distributed Firewall on hosts requests information from it and applies the rules to the necessary networks and virtual machines. Configuration on the virtual machine side is not required.
Below is a diagram of the principle of operation of the firewall in the Network Controller. Northbound is the interface through which the Network Controller is managed using the REST API. Southbound is used to communicate with network devices, SLB-multiplexers, gateways and servers, for network discovery and other services. Gateways determine which virtual network tunnels are required to build. Then they forward the incoming packets through the tunnel to the servers with virtual machines connected to the desired virtual network.
This is how the firewall service in the Network Controller is arranged.
Software Load Balancer Management. The service operates at the level of virtualized networks and balances traffic at the L4 level. Traffic balancing is performed using SLB Multiplexer (MUX) service virtual machines and BGP routers. On one NC, you can make 8 MUX. From the Network Controller MUX receive the routing rules. Multiplexers announce routes / 32 for each VIP via BGP routers.
Example
Balancing traffic in Network Controller.
In Windows Server 2016, NAT rules are now also set via Software Load Balancer Management. The Network Controller knows which network NAT is organized for. MUX contains information about hosts and virtual machines connected to the network for which NAT is organized.
NAT in Network Controller is implemented by balancing traffic for a group from one host. Currently only TCP and UDP traffic balancing is supported.
RAS Gateway Manager. This service creates VPN tunnels to connect the cloud infrastructure with the physical one. In Network Controller, you can build a VPN in any convenient way:
The endpoint of the tunnel is the Gateway virtual gateway. It organizes a tunnel, encapsulates traffic into VXLAN packets, and forwards it to its hosts.
Service creation VPN-tunnels RAG Gateway Management.
iDNS: Internal DNS. The service allows you to create virtual DNS servers. Currently it exists as an implementation of the concept and supports working with only one DNS zone, which is inconvenient for clients. Multi-tenant mode will be added in the next edition of Windows Server 2016.
Consider how the iDNS service works. A DNS zone is organized in which client zones will be created. Network Controller is configured: specifies the serviced DNS zone and upstream DNS servers that will process requests coming from clients.
After setting up iDNS Network Controller distributes information to the host. The iDNS proxy service on hosts handles DNS requests from clients. It works like this:
The principle of operation of the iDNS service in Network Controller.
Example
All that we described in detail above is Network Controller services, which are included in the official release of Windows Server 2016. We also managed to test the services included in the Technical Preview, but removed from the release. One such service is Canary Network Diagnostics for monitoring network performance, collecting statistics on the operation of physical and virtual network equipment, and error detection. Add-ons should be included in the release of Windows Server 2016R2, and we'll talk about them in the future.
In the next part, we will describe how to deploy Network Controller and about some interesting "pitfalls" that we discovered during testing.
Write questions in the comments.
Author: Sergey Gruzdov
Content
Where did the virtual networks come from?
Windows Server 2016: Network Controller
Network Controller Services
Where did the virtual networks come from?
VLAN. The first virtual networks appeared in 1998. These were local VLANs working using the IEEE 802.1Q protocol. The technology allows to divide one L2 network into many logical L2 networks. But VLAN has a limitation that turned out to be significant with the growing number of networks: the maximum number of connections on one L2 network is 4096. To overcome it, manufacturers began to develop new protocols with greater scalability, for example: IEEE 802.1ad and IEEE 802.1ah. We will not dwell on them in detail and move on.
VXLAN, STT and NVGRE. In 2011, VMware, Arista and Cisco are launching the VXLAN protocol, which allows you to create up to 16 million logical L2 segments on the same network. In parallel with them, Microsoft is creating the NVGRE protocol of a similar specification, which is beginning to evolve in Windows Server 2012. Nicira offers the STT protocol. The issue with limited scalability is resolved, you can create as many networks as you like. With the growth of networks, the infrastructure becomes difficult to manage, and there is a need for a centralized console to configure virtual and physical equipment. This is how the concept of software-defined networks (SDN) with centralized management of network infrastructure arises.
')
SDN. An approach to network management using unified software. One of their first SDN technology was introduced by Nicira. After purchasing Nicira, VMware creates a VMware NSX product using the VXLAN protocol.
In 2013, Microsoft offers its version of the software-defined network in the edition of Windows Server 2012R2 based on the NVGRE protocol. The NVGRE protocol had several drawbacks:
- management of virtual networks in Windows Server 2012R2 was carried out only through the Virtual Machine Manager (VMM). It was the storage point for all virtual infrastructure configurations and a single point of failure.
- hardware manufacturers have used VXLAN as the main protocol, and few have implemented NVGRE support.
In the edition of Windows Server 2016, Microsoft introduced a new implementation of software-defined networks already based on the VXLAN protocol - Network Controller (NC). This service is available only in Windows Server 2016 Datacenter edition. Let's look at the features of a network controller.
Windows Server 2016: Network Controller
Network Controller - a single point of management and monitoring for all physical and virtual domain networks. It configures IP subnets, VLANs, routers, and firewalls. NC stores network topology information, balances traffic, and sets NAT rules.
Glossary
Services:
- Virtual Network Management is a virtualized network management service.
- Software Load Balancer Management is a service for balancing traffic and NAT rules.
- Firewall Management is a service for configuring firewalls and VM access control lists.
- RAS Gateway Management is a VPN tunnel management service.
- iDNS is a virtual DNS server creation service.
Networks:
- Backend Network (provider addresses, PA) - a network with provider addresses. Virtual tunnels are created here and traffic passes.
- Management Network - a management network, through which traffic flows between the components of the SDN.
- VM network (customer addresses, CA) is a virtualized network to which virtual machines are connected.
- Transit Network - a transit network. It exchanges traffic between BGP and SLB Multiplexer / Gateway. Transit networks publish routes to BGP.
Hosting services:
- Azure VFP Switch Extension - Hyper-V Switch Extension. Adds the functionality of an L3 switch to a virtual switch. Includes distributed load balancer (DLB) and Distributed firewall (DFW).
- Distributed load balancer - traffic balancer.
- Distributed firewall - firewall, responsible for executing VM access rules.
- Distributed router (vSwitch) - virtual router.
- NC Host Agent — Receives information about virtual networks and firewall rules from NC.
- SLB Host Agent - receives balancing rules from NC.
Office VMs:
- SLB multiplexer (MUX) - Windows Server virtual machines with the role of Software Load Balancing. They contain information about traffic balancing rules. MUXs publish routes on BGP and process incoming packets.
- Gateway is a virtual gateway.
In general, the principle of the Network Controller architecture is as follows: the controller nodes are located on separate VMs, and the routing, traffic balancing and firewall services are located on virtualization servers.
Network Controller Architecture.Network Controller is based on the Open vSwitch software switch. This switch is also used in software-defined VMWare NSX and OpenStack Neutron networks. It supports the control protocol OVSDB (Open vSwitch Database), which is responsible for the exchange of information between network equipment.
Let's look at how Network Controller works. Servers, virtual machines, hypervisor virtual switches are registered in NC. After registration and configuration, the servers establish a connection with the Network Controller and receive from it all the necessary information about the virtual machine networks, balancing rules and VPN tunnels.
The virtual networks on the hosts are connected to the Hyper-V virtual switch with the Azure VFP Switch Extension. Through it, the virtual ports to which the VMs are connected are managed:
- enable and disable ports;
- management of bandwidth in both directions;
- prioritization of packages by classes (COS);
- purpose purposes: statistics and ACL management on the ports of the virtual switch.
Network Controller Services
Let us examine in detail what services are included in the Network Controller and what they control.
Virtual Network Management. This is a virtual network creation and management service. It manages Hyper-V virtual switches and virtual network adapters in virtual machines. Virtual Network Management contains virtual network settings that are used by other Network Controller services.
Firewall Management. This service simplifies the organization of firewalls: no need to manually configure firewalls on each VM and remember configurations. Network Controller stores all Access Control Lists (ACL) settings for virtual machines and networks. Distributed Firewall on hosts requests information from it and applies the rules to the necessary networks and virtual machines. Configuration on the virtual machine side is not required.
Below is a diagram of the principle of operation of the firewall in the Network Controller. Northbound is the interface through which the Network Controller is managed using the REST API. Southbound is used to communicate with network devices, SLB-multiplexers, gateways and servers, for network discovery and other services. Gateways determine which virtual network tunnels are required to build. Then they forward the incoming packets through the tunnel to the servers with virtual machines connected to the desired virtual network.
This is how the firewall service in the Network Controller is arranged.
Software Load Balancer Management. The service operates at the level of virtualized networks and balances traffic at the L4 level. Traffic balancing is performed using SLB Multiplexer (MUX) service virtual machines and BGP routers. On one NC, you can make 8 MUX. From the Network Controller MUX receive the routing rules. Multiplexers announce routes / 32 for each VIP via BGP routers.
Example
- A packet for a specific virtual IP address comes to the BGP router.
- The BGP router checks the next node for the packet. In this case, it is MUX.
- According to the balancing rule tables received from the Network Controller, the MUX determines the purpose of the packet: the virtualized network, the host, and the virtual machine.
- Next, MUX generates a VXLAN packet and sends it to the host on the Backend network.
- The host receives the packet and sends it to the virtual switch (vSwitch), which determines the virtual machine to receive the packet.
- The packet is decapsulated, analyzed and sent to the virtual machine.
- The virtual machine processes the packet. The sender's address does not change after passing the packet through the MUX. Therefore, the virtual machine does not see behind it the MUX balancer and reads that the packet came directly from the Internet. Such balancing is called transparent load balancing.
- VM sends the answer.
- The virtual switch on the host determines that this is a response to the packet that came from the balancer and sends it back to the Internet. And not on the same chain, but rewrites the sender's address to the balancer IP and sends it immediately to the Internet. This approach is called Direct Server Return (DSR). This greatly speeds up the packet processing.
Balancing traffic in Network Controller.
In Windows Server 2016, NAT rules are now also set via Software Load Balancer Management. The Network Controller knows which network NAT is organized for. MUX contains information about hosts and virtual machines connected to the network for which NAT is organized.
NAT in Network Controller is implemented by balancing traffic for a group from one host. Currently only TCP and UDP traffic balancing is supported.
RAS Gateway Manager. This service creates VPN tunnels to connect the cloud infrastructure with the physical one. In Network Controller, you can build a VPN in any convenient way:
- via IPsec, which now works with both IKEv1 and IKEv2;
- create SSTP tunnels;
- create GRE tunnels.
The endpoint of the tunnel is the Gateway virtual gateway. It organizes a tunnel, encapsulates traffic into VXLAN packets, and forwards it to its hosts.
Service creation VPN-tunnels RAG Gateway Management.
iDNS: Internal DNS. The service allows you to create virtual DNS servers. Currently it exists as an implementation of the concept and supports working with only one DNS zone, which is inconvenient for clients. Multi-tenant mode will be added in the next edition of Windows Server 2016.
Consider how the iDNS service works. A DNS zone is organized in which client zones will be created. Network Controller is configured: specifies the serviced DNS zone and upstream DNS servers that will process requests coming from clients.
After setting up iDNS Network Controller distributes information to the host. The iDNS proxy service on hosts handles DNS requests from clients. It works like this:
- The client sends a name resolution request.
- iDNS-proxy looks to see whether it serves requests originating from this virtual network. This is determined by the primary DNS suffix of the network adapter. It must match the zone served by iDNS. If iDNS-proxy serves requests from this network, then sends the request to the upstream DNS server.
- The DNS server checks if the query is related to internal zones. If the client tries to resolve the internal name, the DNS server processes it. If not, send the request further.
The principle of operation of the iDNS service in Network Controller.
Example
There is a virtual network for which the iDNS service is available. When virtual machines are connected to this network, a zone with the same name as the virtual network ID will be created in the root DNS zone specified during configuration. A-records for virtual machines will be created in this zone.
A-records of virtual machines in the iDNS service.
All that we described in detail above is Network Controller services, which are included in the official release of Windows Server 2016. We also managed to test the services included in the Technical Preview, but removed from the release. One such service is Canary Network Diagnostics for monitoring network performance, collecting statistics on the operation of physical and virtual network equipment, and error detection. Add-ons should be included in the release of Windows Server 2016R2, and we'll talk about them in the future.
In the next part, we will describe how to deploy Network Controller and about some interesting "pitfalls" that we discovered during testing.
Write questions in the comments.
Author: Sergey Gruzdov
Source: https://habr.com/ru/post/321088/
All Articles