TechEd 2013: How To Design & Configure Networking In VMM (Part 2)

Speaker: Greg Cusanza, Senior PM, MSFT (VMM) and Charlie Wen, PM (Windows).

This is a follow up to part 1.

Objective of this session: bring WS2012 R2, System Center 2012 R2 and Windows Azure together using hybrid networking.

Hybrid Network

Tenant thinks they have their own network, but it’s an abstracted network on hosting environment.  Can link to Internet and extend clients’ on-premise network into hosting network.  There is routing between the client network and the tenant network.


Can route between client site A, through client site B, to tenant network if Site A to tenant network link is down.

There is in-box capability for the gateway in WS2012 R2.

Hybrid Networking in WS2012 and SysCtr 2012 SP1

  • WS 2012 R2 adds HNV, RRAS, and IPAM
  • SC2012 SP1 – VM networks with single VPN.
  • 3rd party gateways: F5 (software solution out now), Huawei, IronNetworks
  • Introduced Windows Azure Services for Windows Server (Katal, vNext to be Windows Azure Pack).  Not a hybrid solution.

F5 solution is Windows Server based at the moment.  They are working on a hardware solution.

Benefits of Hybrid Networking

  • For hoster, internal IT, or enterprise customer. 
  • Must be cost effective
  • Capex cost per tenant must be low.  Multi-tenancy.
  • Gateways must be highly available – using clustering in WS2012 R2 gateway
  • Must support self-service
  • Enterprises: must be able to extend on-premise network.  Establish contract for average throughput for each connection.  Easily provision and configure site-site connection on the hoster side


Network Fabrication Configuration

  • Enabling network virtualization: WS2012 R2 no longer requires NV filter enablement
  • Configuring provider address space: must have static IP pool.  Must enable network virtualisation on logical network for provider addresses.
  • If mixing 2012 and 2012 R2 hosts, must have KB2779768 on 2012 hosts


Checked the Allow New VM Networks Created On This Logical …. in the settings of the tenant Logical Network – different tenant network than before – no VLAN stuff.

Enabling Hybrid Connectivity

  • you need a gateway
  • 3rd party gateways do exist
  • WS2012 R2 gateway will do for many customers.  3rd party solutions will probably offer extra features.

Charlie Wen (Mr. QoS in WS2012) comes on stage to talk about the WS gateway.

WS2012 Hybrid Connectivity


  • 1 VM per tenant
  • Static routing required on each tenant site
  • Manual provisioning
  • Internet connectivity back to remote site – no NAT for direct connectivity to VM networks.


WS2012 R2

  • Multi-tenant solution that requires far fewer VMs as gateways
  • Clustering for HA – this is an SLA business
  • BGP routing for dyanmic routing
  • Multitenant NAT for direct Internet connectivity



Shows NAT in action on the gateway.  Client connects to VM in VM network using IE and public IP address.  Does it twice and does 2 downloads (long and still running).  Uses Get-NetCompartment to view tenant networks.  Moves the gateway role from one WS2012 r2 cluster member to another and it’s done in the blink of an eye.  The downloads do not get interrupted because the proactive failover of the gateway resource happens so quickly.  Good for maintenance.

Private Cloud with WS2012 R2

  • You could use HNV for lab, test networks, dev networks
  • Most services still on the physical network, e.g. AD, DNS, etc. 
  • That means the labs are isolated.  You can give connectivity with a forwarding gateway.
  • You can extend into a 3rd party site by connecting the forwarding gateway to the edge router.

Multi-tenant networking stack


Multi-tenant Site-to-Site

On boarding: create new tenant with a compartment in the gateway  Incoming packets go into a default compartment.  Packet is inspected, and sent to the correct tenant compartment, and onwards to the VM network.

Outbound packet, from the VM network, to the tenant compartment.  There is a routing table there and then it goes out to the right client on-premise site over the VPN.

Multi-tenant NAT

Each tenant compartment needs a unique IP.

Outbound packet into tenant compartment from VM network, then NATed before going out to the net.

For inbound packet, it comes into the gateway.  A NAT mapping sends it to the correct client compartment, and onwards to the VM network.

BGP Dynamic Route learning and Best Path Selection

BGP will select the best route.  Say the Site 1 – hoster link goes down.  BGP will auto re-route to hoster via site 2.


Guest Clustering for HA

  • A 1:1 redundant (active/passive) cluster is created from the VMM service template when deploying the WS2012 R2 gateway
  • Failure is detected immediately
  • Site-site tunnels are reconnected on the new active node
  • So quick that end-end TCP connections do not time out

Back to Greg and SCVMM …

Provisioning from VMM

  1. Build a host/cluster – this host/cluster is dedicated for the gateway VMs.  DEDICATED.  They are edge network, “untrusted” hosts.  VMM agent uses certificates.
  2. Deploy gateway VMs from the service template
  3. Add gateway to VMM
  4. Finalize the gateway configuration

Post-preview functionality configured from SCVMM, ie not in the preview and will be in RTM:

  • HA
  • Forwarding gateway for private cloud


Has the service template and deploys it to the untrusted host.


Has one already baked, and shows the service in his cloud view.  The host was marked as a HNV host: get-scvmmhost <hostname> … IsDedicatedToWnvGateway is set to true.  Set-SCVMMHost –IsDedicatedToWnvGateway $true <hostname>.

Adds a Network Service in Fabric-Networking.  Selects RunAs account.  Sets a network service connection string.  Reviews the certificates.  Tests the provider before existing the wizard.  And then selects a host group – e.g. dedicate the gateway to a rack of servers.  Configures the front end and back end NICs: selects NICs and network sites for each of the two.  Done.  The g/w is added … but it takes a minute or so to set up the compartments …. watch out for that!

Goes into VM Newtorks.  Creates a new VM Network in the tenant logical network.  Enables HNV.  Sets the VM subnet.  Connects the VPN tunnel, with BGP.  Enables NAT.  Selects an IP Pool for the NAT connection.  Can add inbound access rules for specific ports, e.g. send inbound TCP 80 to port 80.  That configures the compartment in the g/w.  Adds an IP pool to the HNV gateway. 

Done!  Now you can add VMs to the VM Network and they can talk through the gateway, e.g. talk to an external network.

No configuration done in the gateway VMs or on the HNV hosts.

Enabling Tenant Self-Service

Using Windows Azure Services for Windows Server:

  • Tenants creat their own networks
  • Consistent experience with Windows Azure
  • Configuration of topology and BGP
  • Reporting and chargeback

SPF provides REST API to enable hosters and private cloud providers to build their own portal if they want.

The client configures a VM network and VPN tunnel on the hoster portal.  That configures VMM and the gateway for the tenant.  The tenant must then configure their own VPN endpoint to complete the tunnel.

Demo of tenant self-service

Logs into the portal as a tenant.  Creates a new virtual network.  Selects IPv4.  Specifies DNS, and chooses to enable NAT and VPN.  Enter his tenant VPN endpoint info and enables BGP.  Adds an address space for the VM network.  Names the site-site VPN, enters the pre-shared key, and the address space for BGP to do initial routing for dynamic discovery.

Note: it is IBGP.  Add the BGP peers and ASN info.  Check the wizard and done.

Outbound NAT is enabled.  Inbound requires configuration.  Hosters can supply VPN configuration scripts that the tenant can download from the portal. 

Creates a new NAT rule for a web server.  Nice bit: can choose an already selected VM rather than entering an IP address.

And that’s that!

One thought on “TechEd 2013: How To Design & Configure Networking In VMM (Part 2)”

  1. If a tenant VM Network can be NATed to a single External IP, how the tenant would publish their services from within their VM Networks? OK, I understand I can create a simple NAT rule for a single web server but what if I need multiple External/Public IPs to publish out services? I do not see any decent out of the box way to provide a tenant with multiple IPs for their resource publishing. One way would be to create multiple VM Networks per tenant and make them routable betwean each other but that does not sound good.
    So the question here is – do I need t o use 3rd party NV Gateways for such scenarious or I am simply lost in the design?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.