Network Virtualization and other changes boost flexibility and manageability
Windows Server 2012 and Hyper-V are fundamental building blocks of Microsoft's private cloud strategy. The most recent Microsoft server OS comes with Microsoft Hyper-V 3.0 hypervisor, which features many changes. Hyper-V 3.0 might become the first Microsoft virtualization platform to truly challenge VMware vSphere.
Among the Hyper-V changes are several new security features. Network Virtualization is Microsoft's first step in the Software-Defined Networking (SDN) space. In SDN, the control of network traffic is managed by software that runs outside the physical network hardware, allowing more flexible network management and configuration. From a security point of view, SDN and Network Virtualization enable organizations and cloud providers to better isolate virtual machines (VMs) on the network level.
There are also many smaller—though no less important—security-related changes in Hyper-V 3.0. Good examples are the new extensible virtual network switch, the new Hyper-V Administrators group, and enhanced Windows BitLocker Drive Encryption support.
Defining Network Virtualization
With Network Virtualization, Microsoft extends its VM isolation capabilities from the host to the network layer. Isolation is crucial in multi-tenant cloud solutions, in which the applications and services of different organizations or organizational departments are hosted on the same physical server and network infrastructure. For example, a cloud provider that hosts services for both Apple and Samsung certainly wouldn't want Apple to sneak into Samsung's VMs or network, or vice versa.
Similar to the way that server virtualization allows you to set up multiple isolated VMs on a single host, Hyper-V 3.0 Network Virtualization allows you to run multiple isolated virtual networks on the same physical network. Network Virtualization leverages a software-based abstraction layer that sits on top of the physical network and is based on the concept of virtual subnets. A virtual subnet represents a broadcast boundary that ensures that only VMs on the same virtual subnet can communicate with one another. As such, virtual subnets allow administrators to set up different isolated broadcast domains between VMs.
Although Hyper-V has supported the use of virtual LANs (VLANs) for the creation of isolated virtual networks since Windows Server 2008, VLANs have limited scalability and flexibility. VLANs can support only a limited number of isolated tenant networks. This limit exists primarily because switches typically don't support more than 1,000 VLAN IDs out of the theoretical limit of 4,096. According to Microsoft, Network Virtualization can support more than 16 million virtual networks.
Furthermore, VLANs lack flexibility. They are poorly suited for dynamic cloud environments, in which tenant VMs regularly join and leave the data center and migrate across physical servers for load-balancing or capacity-management purposes. VLAN management is complex and requires reconfigurations on the switch level when a VM is moved to another host. Server 2012 also adds support for private VLANs (PVLANs), through an extension on the level of the Hyper-V virtual switch. Although PVLANs can increase the level of isolation between VMs, they don't counter the problem of complex VLAN management across virtual and physical networking devices. This problem can be addressed only through the use of Network Virtualization.
Under the Network Virtualization Hood
With Network Virtualization, each VM is assigned two IP addresses. One IP address is visible to the VM and is relevant only in the context of a given tenant virtual or software-defined network. This address is called the Customer Address (CA). The second IP address is relevant only in the context of the physical network. This address is called the Provider Address (PA). The decoupling of CA and PA brings several benefits.
First, customers easily move VMs between data centers. Thanks to the new abstraction layer, you can move a VM to the data center of another cloud service provider, without reconfiguring the VM's IP and network configuration and without changing all the IP address–based policies in the organization. You also don't need to worry anymore about the IP configuration of other tenants' VMs that are hosted in the same data center. When Network Virtualization is enabled, VMs with identical IP addresses can coexist on the same Hyper-V host and even on the same network, without IP address conflicts.
Network Virtualization also allows the live migration of VMs between physical servers on different subnets, without service interruption. If a VM has two IP addresses, then the PA can be changed without affecting the CA. A user or application that talks to the VM by using the CA will not experience interruptions and will be unaware that the VM has physically moved to a different subnet.
Besides CAs and PAs, Network Virtualization uses a third important component: the Virtual Subnet ID (VSID). Each Network Virtualization virtual subnet is uniquely identified using a VSID. VSIDs allow Hyper-V hosts to tag traffic from different virtual subnets and to differentiate the traffic of VMs that have the same CA. The Network Virtualization software logic encapsulates the VSID, CA, and PA into each network packet.