Virtual networks with Hyper-V in Windows Server 2016
Network in a Box
Microsoft expands Hyper-V's functionality in Windows Server 2016. One interesting new feature is Hyper-V containers, included as of Technical Preview 4 (TP4), which let you virtualize Docker containers in Hyper-V.
In Windows Server 2016, you can add and remove network adapters on the fly (Figure 1). You do not need to shut down a VM to remove one of its adapters. This feature is particularly useful if you work with different VLANs or network segments and need a way to connect VMs to networks quickly and easily. However, this feature only works with generation 2 VMs. You need to decide when you create a virtual server whether you want to use these options, because the generation cannot be changed retroactively.
Embedded (nested) virtualization is possible in Windows Server 2016, as of TP4, and in Windows 10 from build 10565. You can thus install Hyper-V on a virtual server that you virtualized with Windows 10 or Windows Server 2016, and create virtual switches inside it. You can virtualize virtual switches again, which is useful not only for test environments but also for the new Windows Server or Hyper-V containers: you can run virtual server containers on a virtual container host, which in turn is a virtual machine on a physical Hyper-V host. These functions make Hyper-V considerably more flexible. The Host Guardian Service is integrated as a new server role in Server Manager. The main purpose of the host guardian is hardening the host against individual VMs, or isolating VMs. You manage the new service with System Center Virtual Machine Manager 2016; you will need at least Technical Preview 3. See the TechNet description for additional information [1].
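The two procedures above, hot-adding an adapter to a generation 2 VM and preparing a VM for nested Hyper-V, as an added PowerShell example that is not part of the original article. It assumes the Hyper-V PowerShell module on the host; the VM and switch names are placeholders.

```powershell
# Added example (not from the article). VM and switch names are placeholders.
# Requires the Hyper-V module on a Windows Server 2016 / Windows 10 Hyper-V host.

function Add-HotNetworkAdapter {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$SwitchName,
        [string]$AdapterName = 'Hot-Added NIC'
    )
    $vm = Get-VM -Name $VMName
    # Hot add/remove only works for generation 2 VMs, and the generation
    # cannot be changed after the VM has been created.
    if ($vm.Generation -ne 2) {
        throw "VM '$VMName' is generation $($vm.Generation); hot-add requires generation 2."
    }
    # Works while the VM is running; no shutdown required.
    Add-VMNetworkAdapter -VMName $VMName -SwitchName $SwitchName -Name $AdapterName
    Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName
}

function Remove-HotNetworkAdapter {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$AdapterName
    )
    # Removal also works on a running generation 2 VM.
    Remove-VMNetworkAdapter -VMName $VMName -Name $AdapterName
}

function Enable-NestedHyperV {
    param([Parameter(Mandatory)][string]$VMName)
    $vm = Get-VM -Name $VMName
    # The virtualization extensions can only be exposed while the VM is off.
    if ($vm.State -ne 'Off') {
        throw "Shut down '$VMName' before enabling nested virtualization."
    }
    Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true
    # VMs running inside the nested host send frames with their own MAC
    # addresses through the outer VM's adapter; without MAC address spoofing
    # the outer virtual switch drops those frames.
    Get-VMNetworkAdapter -VMName $VMName | Set-VMNetworkAdapter -MacAddressSpoofing On
    # Dynamic memory is not supported for a VM that itself runs Hyper-V.
    Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false
}

# Usage (placeholder names):
# Add-HotNetworkAdapter -VMName 'SRV-APP01' -SwitchName 'VLAN20-Switch'
# Remove-HotNetworkAdapter -VMName 'SRV-APP01' -AdapterName 'Hot-Added NIC'
# Enable-NestedHyperV -VMName 'NESTED-HV01'
```

MAC address spoofing is the one setting that is easy to forget: the nested host boots and its virtual switches look fine, but the VMs inside it get no traffic until the outer adapter is allowed to forward frames with foreign source MACs.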
Centralized Network Management
In the field of network security, the network controller plays an important role. The server service supports central control and monitoring of physical network devices, as well as virtual switches and virtual network cards based on Hyper-V. Network Controller extends the software-defined networking features in Windows Server to include central control and monitoring. You can thus centrally manage your virtual switches. Once the service is installed and set up, you can manage your networks with System Center Virtual Machine Manager 2012 R2 or 2016, as well as System Center Operations Manager 2012 R2/2016. The background to this technology is that management programs no longer individually access all the components of the network but open a connection to the network controller. The network components are connected to the controller, which supports centralized control as a kind of management gateway. The service works with the Host Guardian Service and can be managed in SCVMM 2016.
Understanding Virtual Network Cards
In the current preview, virtual switches are already available and configurable. All the virtual machines you create on a Hyper-V server use the virtual switches for network communication. Nothing about this basic Hyper-V structure changes in Windows Server 2016. Simply put, virtual switches connect the virtual machine with the host's physical network cards and allow VMs to communicate with the rest of the network, with each other, or with the host itself. Windows Server 2012 R2 and Windows Server 2016 do not differ substantially here. In addition to the simple connection of the virtual NICs on the VMs with the virtual switches on the Hyper-V hosts, you can configure advanced settings to connect virtual servers to the network in a better way. Windows Server 2016 essentially supports the functionality of Windows Server 2012 R2.
For better network performance, virtual servers in Windows Server 2016 can access even more hardware functions of the network cards, which greatly improves throughput. Windows Server 2012 R2 introduced the ability to limit the bandwidth usage of virtual servers via the virtual network adapter settings. To limit bandwidth, you need to configure the Enable bandwidth management function and enter the values you want the virtual network card to use as a minimum and maximum bandwidth.
The Advanced Features field in the virtual network card settings lets you block unwanted DHCP or router packets from VMs. This feature prevents virtual servers from acting as rogue DHCP servers or routers and affecting the network by sending routing or DHCP packets.
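The bandwidth limits and the DHCP/router protection described above can also be audited and set from PowerShell. The following is an added example, not code from the article; it assumes the Hyper-V module on the host and uses the DhcpGuard, RouterGuard and bandwidth parameters of Set-VMNetworkAdapter.

```powershell
# Added example (not from the article). Audits and hardens VM network adapters
# on the local Hyper-V host; VM names passed in are placeholders.

function Get-UnguardedAdapters {
    # List every VM adapter on this host where DHCP guard or router guard is
    # still off, i.e. where the VM could act as a rogue DHCP server or router.
    Get-VM | Get-VMNetworkAdapter | Where-Object {
        $_.DhcpGuard -eq 'Off' -or $_.RouterGuard -eq 'Off'
    } | Select-Object VMName, Name, SwitchName, DhcpGuard, RouterGuard
}

function Protect-VMAdapter {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [long]$MaxBandwidthBps = 0,   # 0 = no cap (bits per second)
        [long]$MinBandwidthBps = 0    # 0 = no reservation (bits per second)
    )
    $adapters = Get-VMNetworkAdapter -VMName $VMName
    # Drop DHCP server replies and router advertisements that originate
    # inside the VM; client DHCP requests from the VM are still allowed.
    $adapters | Set-VMNetworkAdapter -DhcpGuard On -RouterGuard On
    if ($MaxBandwidthBps -gt 0) {
        $adapters | Set-VMNetworkAdapter -MaximumBandwidth $MaxBandwidthBps
    }
    if ($MinBandwidthBps -gt 0) {
        # An absolute minimum only takes effect on a switch created with
        # -MinimumBandwidthMode Absolute; otherwise use -MinimumBandwidthWeight.
        $adapters | Set-VMNetworkAdapter -MinimumBandwidthAbsolute $MinBandwidthBps
    }
    # Return the effective settings so the change can be verified
    Get-VMNetworkAdapter -VMName $VMName |
        Select-Object VMName, Name, DhcpGuard, RouterGuard,
            @{ n = 'MaxBps'; e = { $_.BandwidthSetting.MaximumBandwidth } },
            @{ n = 'MinBps'; e = { $_.BandwidthSetting.MinimumBandwidthAbsolute } }
}

# Usage (placeholder name, 100 Mbit/s cap, 10 Mbit/s reservation):
# Get-UnguardedAdapters
# Protect-VMAdapter -VMName 'SRV-APP01' -MaxBandwidthBps 100000000 -MinBandwidthBps 10000000
```

Running Get-UnguardedAdapters periodically from a scheduled task is a cheap way to catch adapters that were created through the GUI with the guards left at their default of Off.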
Separate from the Physical Network
With Hyper-V network virtualization, you can separate virtual networks from the physical network (Figure 2). The virtual servers can communicate with each other without compromising other servers. The exchange of data between the networks can occur using Hyper-V Network Virtualization (HNV) gateways (Figure 3), which let virtual servers on the same network communicate without compromising physical networks. With HNV technology, you can use virtual networks in parallel to each other on the same physical network. The virtual networks can use the same or a different IP address space.
Hyper-V network virtualization supports dynamic IP addresses. Dynamic addressing is useful in data centers, to configure an IP address failover configuration. If you work with HNV, two IP addresses are assigned to each virtual network adapter on the network: the customer address (CA) and the provider address (PA). The CA allows virtual servers on the network to exchange data. The PA supports data exchange between the VM and the Hyper-V host, as well as the physical network. Third-party products can access the CA and communicate over the PA.
Virtual switches and Network Virtualization Generic Routing Encapsulation (NVGRE) work together. Third-party products have the option of accessing the virtualized network through integration with the virtual switch and of communicating with both virtual servers and the physical network. All traffic in the virtual switches on Windows Server 2016 runs over the virtualized network and the optional integrated third-party products. Network card teams also cooperate with the virtualized network.
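The customer address/provider address split and NVGRE encapsulation described above, as an added example that is not part of the original article. It assumes the HNV policy is set directly on a host with the NetWNV cmdlets (the Windows Server 2012 R2 style of managing HNV, which still works without a network controller); all addresses, MAC addresses, subnet IDs, GUIDs and names are constructed placeholders.

```powershell
# Added example (not from the article). Two tenants reuse the same customer
# address (CA) space 10.0.0.0/24 on one physical network; they are kept apart
# by their virtual subnet ID (VSID), and their traffic is carried between hosts
# as NVGRE packets addressed to the hosts' provider addresses (PAs).
# Every value below is a constructed placeholder.

$uplink = Get-NetAdapter -Name 'Ethernet'   # placeholder: the host's physical uplink

# The PA this host presents on the physical network
New-NetVirtualizationProviderAddress -ProviderAddress '192.168.100.11' `
    -InterfaceIndex $uplink.ifIndex -PrefixLength 24

# Lookup records: which CA + MAC of which tenant lives behind which PA.
# Both tenants use CA 10.0.0.10; the VSID and customer ID keep them separate.
$records = @(
    @{ CA = '10.0.0.10'; MAC = '00155D000101'; PA = '192.168.100.11'; VSID = 5001
       Tenant = '{11111111-0000-0000-0000-000000000001}'; VM = 'RED-WEB01' },
    @{ CA = '10.0.0.10'; MAC = '00155D000201'; PA = '192.168.100.12'; VSID = 6001
       Tenant = '{22222222-0000-0000-0000-000000000002}'; VM = 'BLUE-WEB01' }
)
foreach ($r in $records) {
    New-NetVirtualizationLookupRecord -CustomerAddress $r.CA -MACAddress $r.MAC `
        -ProviderAddress $r.PA -VirtualSubnetID $r.VSID -CustomerID $r.Tenant `
        -VMName $r.VM -Rule TranslationMethodEncap   # NVGRE encapsulation
}

# Customer route for the red tenant's virtual subnet (on-link, no next hop)
New-NetVirtualizationCustomerRoute -RoutingDomainID '{11111111-0000-0000-0000-000000000001}' `
    -VirtualSubnetID 5001 -DestinationPrefix '10.0.0.0/24' -NextHop '0.0.0.0' -Metric 255

# Attach the local red VM's adapter to its virtual subnet
Set-VMNetworkAdapter -VMName 'RED-WEB01' -VirtualSubnetId 5001

# Verify: the policy on this host, grouped by tenant
Get-NetVirtualizationLookupRecord | Select-Object CustomerID, VirtualSubnetID, CustomerAddress, ProviderAddress
```

The same lookup records have to exist on every host that carries a tenant's VMs, which is exactly the distribution job the network controller (or SCVMM) takes over in a real deployment; doing it by hand on one host is enough to see how a CA is resolved to a PA.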
In this context, large enterprises and cloud providers can access the Access Control Lists (ACLs) of virtual switches and centrally manage firewall settings, permissions, and network protection for the data center. Windows Server 2016 also makes it easy to include ports in these firewall rules. HNV is manageable through the network controller service in Windows Server 2016. Additionally, Windows Server 2016 supports Virtual eXtensible Local Area Network (VXLAN). VXLAN allows for a large number of VLANs, which is very interesting for service providers. VXLAN encapsulates MAC-based Layer 2 frames in Layer 4 UDP packets. You could theoretically establish up to 16,777,215 (24-bit) Layer 2 infrastructures that contain 4,096 VLANs each. Also, HNV is now fully operational in load-balancing environments.
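Port-level ACLs on a virtual switch port, as an added example that is not from the article. It assumes the extended ACL cmdlets of the Hyper-V module (Add-VMNetworkAdapterExtendedAcl and friends); the VM name and the management subnet are placeholders.

```powershell
# Added example (not from the article). Applies a default-deny inbound policy
# to a web server VM and opens only HTTPS, plus RDP from a management subnet.
# VM name and subnet are placeholders. Higher -Weight wins when rules overlap.

function Set-WebServerPortAcl {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$ManagementSubnet = '10.99.0.0/24'   # placeholder
    )
    # Catch-all inbound deny at the lowest weight
    Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Direction Inbound -Action Deny -Weight 1
    # HTTPS from anywhere; stateful so the VM's replies are allowed back out
    Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 443 -Weight 100 -Stateful $true
    # RDP only from the management subnet
    Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 -RemoteIPAddress $ManagementSubnet -Weight 110 -Stateful $true
    # Return the resulting rule set for review
    Get-VMNetworkAdapterExtendedAcl -VMName $VMName |
        Select-Object Direction, Action, Protocol, LocalPort, RemoteIPAddress, Weight, Stateful
}

function Clear-PortAcl {
    param([Parameter(Mandatory)][string]$VMName)
    # Remove every extended ACL entry on the VM's adapters
    Get-VMNetworkAdapterExtendedAcl -VMName $VMName | Remove-VMNetworkAdapterExtendedAcl
}

# Usage (placeholder name):
# Set-WebServerPortAcl -VMName 'RED-WEB01'
# Clear-PortAcl -VMName 'RED-WEB01'
```

Because the rules live on the switch port rather than inside the guest, a compromised or misconfigured guest firewall does not remove them, and the same script can be applied to every host that may run the VM.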
Another setting is Enable single-root I/O virtualization (SR-IOV). This setting also relates to the physical features of network cards that work with Hyper-V. Network adapters that support this feature provide dedicated I/O channels for virtualized environments, so that the network card presents itself as multiple network adapters to the virtual servers. SR-IOV is especially interesting for I/O-intensive applications.
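Enabling SR-IOV for a VM's adapters and checking whether a virtual function was actually assigned, as an added example that is not from the article. It assumes the Hyper-V and NetAdapter modules on the host; the VM name is a placeholder.

```powershell
# Added example (not from the article). SR-IOV has to be enabled when the
# virtual switch is created (New-VMSwitch ... -EnableIov $true); it cannot be
# switched on afterwards. VM name is a placeholder.

function Get-HostSriovStatus {
    # Physical adapters on this host and whether SR-IOV is enabled on them
    Get-NetAdapterSriov | Select-Object Name, Enabled, NumVFs
}

function Enable-VMSriov {
    param([Parameter(Mandatory)][string]$VMName)
    foreach ($nic in Get-VMNetworkAdapter -VMName $VMName) {
        $switch = Get-VMSwitch -Name $nic.SwitchName
        if (-not $switch.IovEnabled) {
            Write-Warning "Switch '$($switch.Name)' was not created with -EnableIov; '$($nic.Name)' stays on the software path."
            continue
        }
        # Weight > 0 requests a virtual function; one queue pair is enough for most workloads
        Set-VMNetworkAdapter -VMNetworkAdapter $nic -IovWeight 100 -IovQueuePairsRequested 1
    }
    # IovQueuePairsAssigned stays 0 when Hyper-V could not hand out a VF
    # (no free VFs, or a port feature that needs the switch data path is set)
    Get-VMNetworkAdapter -VMName $VMName |
        Select-Object Name, SwitchName, IovWeight, IovQueuePairsRequested, IovQueuePairsAssigned
}

# Usage (placeholder name):
# Get-HostSriovStatus
# Enable-VMSriov -VMName 'SRV-DB01'
```

Traffic on an assigned virtual function bypasses the virtual switch, so always check IovQueuePairsAssigned after applying any port-level policy: if the VM has fallen back to the synthetic path, you get the policy but not the SR-IOV performance, and if the VF is in use, switch-based features are not in that traffic's path.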