Hyper-V network policy in Software Defined Environment

Source: Internet
Author: User

For IT professionals, software-defined networking is likely to become one of the most important technologies of the next five years, so now is the time to gain a basic understanding of it, and in particular of how it relates to Hyper-V networking.

A software-defined network is designed to address two important challenges facing network administrators. The first is multi-tenancy. Service providers obviously run multi-tenant networks, but enterprise networks have begun moving to a multi-tenant model as well, because more and more organizations are adopting a private cloud model to host virtual machines (VMs). Administrators must prevent tenants from reaching other tenants' networks, and must keep tenants away from the core network infrastructure.

The second challenge is that, in many organizations, the data center is no longer confined to four walls. Traditional networks are giving way to hybrid clouds, or geographically separated failover data centers are linked to one another.

Software-defined networking addresses both challenges by layering a set of logical networks on top of the physical network. In one sense this is nothing new: Virtual Private Networks (VPNs) have existed for more than a decade and use similar techniques to tunnel traffic across the Internet so that it travels securely.

In its basic operation a software-defined network works much like a VPN. Both use packet encapsulation to carry traffic across the physical network, and that encapsulation lets many virtual networks coexist on the same physical infrastructure while each remains private. For a software-defined network this means that every customer's address space stays independent and private (essential for multi-tenancy) and that a logical subnet can span multiple physical networks.

This separation of address spaces is what makes the whole architecture possible. At the host layer, each Hyper-V host is assigned a provider address (PA): an IP address on the physical (provider) network that belongs to the host itself, not to any tenant's virtual machine. Each tenant's virtual machines instead use customer addresses (CAs), which are defined at the software layer, so it is perfectly acceptable for several tenants to use the same customer address. Tenants can even use overlapping MAC addresses, because the virtual networks are completely isolated from one another.

Of course, creating a fully isolated virtual network is one thing, but in a real environment systems inside the virtual network usually need to reach the outside world, and external clients need to reach services hosted in the virtual network. Microsoft's answer is the Network Virtualization using Generic Routing Encapsulation (NVGRE) gateway, which performs several important functions.

First, the gateway provides routing. A gateway is required for communication between the physical network and a virtual network. Note that a single tenant may have virtual machines on several Hyper-V hosts; VM-to-VM communication across those hosts does not go through the NVGRE gateway, which is only involved when traffic crosses between the virtual network and the physical network.

This raises a question: with a software-defined network in place, how do virtual machines on different Hyper-V hosts find each other? When a VM sends a packet to a VM on another host, Hyper-V must know which host to deliver the encapsulated packet to. The answer is to manage all of the Hyper-V hosts with System Center Virtual Machine Manager, which creates and maintains a lookup table recording which virtual machine (identified by its customer address and virtual subnet) resides on which host. Because every host is managed by the same Virtual Machine Manager server, every host can locate any virtual machine.
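The three mechanisms described above (packet encapsulation, provider versus customer addresses, and the lookup table that maps a virtual machine to its host) fit together as in the following Python model. It is an added example, not code from the original article or from Microsoft's implementation. It builds and parses NVGRE packets in the layout of RFC 7637 and keys the lookup table on (virtual subnet ID, customer address); the host names hyperv-a and hyperv-b, the provider addresses 192.168.1.10 and 192.168.1.11, the tenants Contoso and Fabrikam, the VSIDs 5001 and 6001 and the overlapping 10.0.0.0/24 customer subnets are all constructed for illustration. On a real host the equivalent table is the NetVirtualizationLookupRecord policy that Virtual Machine Manager pushes to each host (the NetWNV PowerShell module exposes the same records).

```python
"""Toy model of Hyper-V Network Virtualization (HNV) traffic between two hosts.

Added example, not code from the original article or from Microsoft. Layout
follows RFC 7637 (NVGRE): outer IPv4 between provider addresses, a GRE header
with the Key bit set and protocol type 0x6558 (Transparent Ethernet Bridging),
the 24-bit Virtual Subnet ID (VSID) plus an 8-bit FlowID in the Key field,
then the customer's Ethernet frame. All names and addresses are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass

IPPROTO_GRE = 47
GRE_FLAG_KEY = 0x2000   # GRE 'K' bit: a 4-byte Key field follows the header
GRE_PROTO_TEB = 0x6558  # Transparent Ethernet Bridging: payload is an Ethernet frame


@dataclass(frozen=True)
class LookupRecord:
    """One row of HNV policy. Real records also carry the VM's MAC address and
    the tenant's routing domain; both are omitted here."""
    vsid: int              # 24-bit Virtual Subnet ID of the tenant subnet
    customer_address: str  # CA: the IP the virtual machine itself is configured with
    provider_address: str  # PA: physical-network IP of the Hyper-V host running the VM
    host: str              # constructed host name, for readability only


class HnvPolicy:
    """Lookup table keyed by (VSID, CA). Keying on the VSID lets two tenants use
    the same CA, and it is why a lookup never returns another tenant's VM: a
    VM's traffic is always resolved under its own VSID."""

    def __init__(self):
        self._records = {}

    def add(self, rec):
        if not 0 < rec.vsid < (1 << 24):
            raise ValueError("VSID must fit in 24 bits")
        key = (rec.vsid, rec.customer_address)
        if key in self._records:
            raise ValueError(f"duplicate CA {rec.customer_address} in VSID {rec.vsid}")
        self._records[key] = rec

    def resolve(self, vsid, customer_address):
        return self._records.get((vsid, customer_address))


def _ipv4_checksum(header):
    """One's-complement sum over the IPv4 header; a valid header checksums to 0."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src, dst, payload_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, IPPROTO_GRE, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]


def encapsulate(policy, vsid, src_ca, dst_ca, inner_frame, flow_id=0):
    """Build the NVGRE packet the sending host puts on the provider network for
    an Ethernet frame from src_ca to dst_ca inside virtual subnet vsid."""
    src, dst = policy.resolve(vsid, src_ca), policy.resolve(vsid, dst_ca)
    if src is None or dst is None:
        # No record under this tenant's VSID: drop rather than guess a host.
        missing = src_ca if src is None else dst_ca
        raise LookupError(f"no HNV lookup record for {missing} in VSID {vsid}")
    gre = struct.pack("!HHI", GRE_FLAG_KEY, GRE_PROTO_TEB, (vsid << 8) | (flow_id & 0xFF))
    payload = gre + inner_frame
    return _ipv4_header(src.provider_address, dst.provider_address, len(payload)) + payload


def decapsulate(packet):
    """Receiving-host side: returns (src PA, dst PA, VSID, FlowID, customer frame)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE or _ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid GRE-over-IPv4 packet")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    flags, proto, key = struct.unpack("!HHI", packet[ihl:ihl + 8])
    if not flags & GRE_FLAG_KEY or proto != GRE_PROTO_TEB:
        raise ValueError("not an NVGRE packet")
    return src, dst, key >> 8, key & 0xFF, packet[ihl + 8:]


def build_demo_policy():
    """Two tenants that both use 10.0.0.0/24 as their customer subnet (constructed data)."""
    policy = HnvPolicy()
    for vsid, ca, pa, host in [
        (5001, "10.0.0.5", "192.168.1.10", "hyperv-a"),  # tenant Contoso
        (5001, "10.0.0.6", "192.168.1.11", "hyperv-b"),
        (6001, "10.0.0.5", "192.168.1.11", "hyperv-b"),  # tenant Fabrikam, same CAs
        (6001, "10.0.0.6", "192.168.1.10", "hyperv-a"),
        (6001, "10.0.0.7", "192.168.1.11", "hyperv-b"),
    ]:
        policy.add(LookupRecord(vsid, ca, pa, host))
    return policy
```

Two things stand out when you exercise it: the same customer pair 10.0.0.5 to 10.0.0.6 produces an outer packet between different provider addresses depending on the VSID, and a destination that exists only in another tenant's virtual subnet raises a LookupError instead of being sent anywhere, which is the isolation property the article describes.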

The NVGRE gateway can also act as a network address translation (NAT) component that publishes application servers to the Internet, even though those servers actually run as virtual machines inside the software-defined network. This lets VMs in the software-defined network act as public web servers or provide other Internet-facing services.

As you can see, software-defined networking is a very important concept, especially as existing networks migrate to private or hybrid clouds. Remember that although Microsoft has its own software-defined Hyper-V networking mechanism, neither the concept of software-defined networking nor NVGRE is proprietary to Microsoft; NVGRE is an industry specification, published by the IETF as RFC 7637.
