Introduction
This article helps you evaluate the Software Defined Networking (SDN) features in Windows Server 2016 Technical Preview and Virtual Machine Manager 2016 Technology Preview 4. In particular, this topic is focused on scenarios that incorporate Microsoft Software Load Balancer (SLB) with System Center Virtual Machine Manager (VMM).
Once you deploy Software Load Balancer along with Network Controller in your VMM setup, you can also leverage multiplexing and NAT capabilities in your datacenter.
Prerequisites
Before we get into details of Software Load Balancer deployment, make sure you have performed the following steps:
1. Deploy Network Controller
This document assumes that you already have Network Controller onboarded into VMM management. If you have Network Controller deployed in your setup, you will have the basic compute and network infrastructure in place to proceed with SLB deployment.
For more details on the requirements related to the different hosts, virtual machines, Logical Networks, Subnets, IP Pools, and switches, please refer to the Network Controller deployment guide here.
If you haven’t deployed Network Controller yet, please refer to the Network Controller guide above and come back to this section after deploying Network Controller.
2. Prepare an SSL Certificate
The SLB service template requires that an SSL certificate be prepared prior to importing the service template. You should already have these certificates ready as part of Network Controller deployment. To revisit steps on how to prepare SSL certificates click here.
3. An available Windows Server host
In addition to the hosts that you already have in your Network Controller setup, you will require one additional host (also referred to as the ‘Edge host’) to deploy Software Load Balancer, as shown in the topology diagram. Optionally, you can choose one of the existing hosts in your setup to deploy SLB.
Set up
This section covers the setup required for deploying the Software Load Balancer and optionally the BGP router.
Topology overview
The topology consists of four physical hosts, one Network Controller virtual machine, two tenant virtual machines, one Software Load Balancer MUX virtual machine, and optionally one Router – BGP Peer virtual machine. Most of these hosts and virtual machines will already be configured as part of the Network Controller deployment.
You will need to deploy one additional host (the ‘Edge Host’) and two additional virtual machines for Software Load Balancer deployment. All of the virtual machines require an operating system VHD and you can download the Windows Server 2016 Technical Preview 4 ISO image here.
Logical Networks
In addition to the Management and the Backend logical networks that you already have configured during Network Controller deployment, you will need the following networks to deploy SLB.
| Network Name | Subnet | Mask | VLAN ID on trunk | Gateway |
|---|---|---|---|---|
| Front End (or Transit): used as the SLB front end network | 10.60.35.0 | 24 | 10 | 10.60.35.1 |
| Public IP Network: used to assign an IP address to SLBM | 10.128.134.116 | 27 | NA | 10.128.134.117 |
Create the Front End logical network
The Front End network is used for northbound connections in SLB MUX virtual machines and BGP peer virtual machine. To create the Front End logical network, complete the following:
1. Start the Create Logical Network Wizard.
2. Type a name and optional description for this network, then click Next.
3. On the Settings page, ensure you select One Connected Network. You can also check Create a VM network with the same name box to allow virtual machines to access this logical network directly and the Managed by the Network Controller box, then click Next.
4. On the Network Site panel, add the network site information for your VIP subnet. This should include the Host Group and subnet information for your VIP network.
5. Review the Summary information and complete the Logical Network wizard.
Create the Public IP logical network
You need an IP address pool for public IPs and to assign an IP address to SLBM. Public IPs are also used for tenant services that need an internet identifiable public IP address. We will create a Public Logical network in order to specify IP address pool for Public network. To create the Public Logical network, complete the following:
1. Start the Create Logical Network Wizard.
2. Type a name and optional description for this network. Click Next.
3. On the Settings page, be sure to select One Connected Network. You will also see a new setting: Managed by the Network Controller. Ensure that you check this box as well as the Public IP address network box, and then click Next.
4. On the Network Site panel, add the network site information for your Public Network. This should include the Host Group and Subnet information.
5. Review the Summary information and complete the wizard.
Create IP address pools required for SLB deployment
Create an IP pool for Front End addresses
This is an IP pool from where DIPs will be assigned to the SLB MUX virtual machines and BGP Peer virtual machine.
Create the IP pool for the Front End network by following the same procedure and steps as the back end network. Be sure to use the IP address range that corresponds to your Front End network IP address space. To create the IP pool for Public IP addresses, complete the following:
1. Right-click the Public logical network in VMM and select Create IP Pool from the drop down menu.
2. Provide a name and optional description for the IP Pool and ensure that the Public Logical network is selected for the logical network. Click Next.
3. Accept the default network site as shown in the screenshot below and click Next.
4. Choose a starting and ending IP address for your range that contains the entire address range of your Public VIP subnet.
5. In the IP addresses reserved for load balancer VIPs box, type the entire IP address range in the subnet. This should match the range you used for starting and ending IP addresses.
You do not need to provide gateway, DNS or WINS information as this pool is used to allocate IP addresses for VIPs only via the Network Controller, so skip these screens by clicking Next.
6. Review the summary information and complete the wizard.
After you have created all the required logical networks and IP pools, make sure you associate the newly created Front End logical network with the SDN uplink port profile you created during Network Controller deployment.
Deploy the Management and SDN logical switch to the Edge host
You should already have an SDN logical switch and a management logical switch available in your setup as part of Network Controller deployment.
If the SDN Switch with Front end and Back end port profiles is not deployed already to the edge host where SLB MUX VMs are going to be deployed, deploy the SDN switch to the host now. Similarly, if the Management logical switch is not deployed on the Edge Host yet, deploy the Management logical switch on the host.
Please refer to Network Controller deployment guide here to learn about deploying SDN and Management logical switches to a host.
Deployment
Now you can deploy the Software Load Balancer MUX into your SDN infrastructure.
Download the service template to a local computer
First, you need to download the SLB MUX service template from here and save it to a folder on your VMM server or a file share that your VMM server has access to.
Add template resources to the VMM Library
Before you import the SLB MUX service template you need to do the following:
Add the custom resources to the VMM library
Copy the .CER certificate that you previously created for the Network Controller to the NCCertificate.CR folder. This is the same .CER certificate you added to the TrustedRootCertificate.CR folder for the Network Controller Service Template.
Add the NCCertificate.CR and EdgeDeployment.CR custom resources to the VMM library.
Import the service template
Now you can import the SLB MUX service template to the VMM library. To import the service template into the VMM library, complete the following:
1. In VMM, navigate to Library.
2. In the top of the left pane, in the Templates section, select Service Templates.
3. In the ribbon at the top, click Import Template.
4. Browse to your service template directory, then select the SLBMuxServiceTemplate.2.0.xml file that you downloaded and follow the prompts to import it.
5. The service template uses the following virtual machine configuration parameters, so update the parameters to reflect the configuration of your environment as you import the service template.
Configuration parameters:
| Resource type | Resource name | Description |
|---|---|---|
| Library Resources | WinServer.vhd | Windows Server Virtual Hard Disk. Format should be VHD. Select the base VHD image that you prepared earlier and imported into your VMM library. |
| Library Resources | NCCertificate.cr | A custom library resource that contains the trusted root certificate (.CER) for the Network Controller. This will be used for secure communications between the Network Controller and the SLB MUX instances. Map to the NCCertificate.cr library resource in your VMM library. |
| Library Resources | EdgeDeployment.cr | A custom library resource that contains an SSL Certificate in .PFX format. Select the EdgeDeployment.cr library resource that you prepared earlier and imported into your VMM library. |
Configure the deployment
Follow these steps to deploy an SLB MUX service instance.
To configure the deployment
1. Select the SlbMuxServiceTemplate service template and click Configure Deployment to begin. Type a name and optionally a destination for the service instance. The destination must map to a Host Group that contains the hosts configured previously.
2. In the Network Settings section, you must map the networks as follows:
| Network setting | Value |
|---|---|
| DatacenterNetwork | Map this to your Front End or transit VM network. |
| ManagementNetwork | Map this to your Management VM network. |
After you are done mapping the destination and network settings, the Deploy Service dialog appears. It is normal for the virtual machine instances to be initially red. Click Refresh Preview to automatically find suitable hosts (from the destination you mapped earlier) for the virtual machine. This can be done manually if needed.
3. On the left side of the Configure Deployment window there are a number of settings that you must configure. The table below summarizes each field:
| Setting | Requirement | Description |
|---|---|---|
| Datacenter Network | Required | Your External or transit VM network. |
| Management Network | Required | Choose the Management VM Network that you created for host management. |
| LocalAdmin | Required | Select a Run As account in your environment which will be used as the local Administrator on the virtual machines. The user name should be .\Administrator. |
| SelfSignedConfiguration | Required | If you are using a self-signed certificate you created yourself, set this value to True. If you are using a certificate that has been issued by an Enterprise CA or an external Root CA, set this value to False. |
Deploy the SLB MUX service
After you configure these settings, you can click Deploy Service to begin the service deployment job. Deployment times will vary depending on your hardware but are typically between 30 and 60 minutes.
When the service deployment job has completed, verify that your service appears in the VMM console:
1. Open the VMs and Services workspace.
2. Click Services in the ribbon.
3. Verify that your SLB MUX service instance appears in the VM Network Information for Services window.
4. Right-click the SLB MUX service and select Properties from the menu.
5. Verify that the state is Deployed.
Configure the SLB role and SLB MUX Instance Properties
Now that the service is deployed you can configure its properties. This involves associating the VM instance that we deployed using the SLB MUX service template, and then configuring BGP peering between the SLB MUX instance and a router.
Associate the SLB Service Role with the SLB MUX Instance
1. Open the Fabric workspace.
2. Click Network Service to display the list of network services installed.
3. Right-click the FabricNetworkManagerNetworkController service and select Properties.
4. Find the Associated Service field under Service information and click Browse. Select the SLB MUX service instance you created earlier and click OK.
The Service instances that you deployed are now associated with the Load Balancer role, and you should see the SLB MUX virtual machine instance listed under the Load Balancer role.
Validation
Once you have deployed SLB MUX in your setup, you can validate the deployment by configuring peering between the SLB MUX instance and a BGP router (or RRAS VM), assigning a public IP to a tenant VM or service, and accessing the tenant VM or service from outside the network.
Configure BGP Peering between the SLB MUX instance and a router
In order to publish the VIP network and addresses to networks outside of your private cloud, you will need to configure Border Gateway Protocol (BGP) peering between the SLB MUX and your external router.
1. First you will need to obtain the IP address and the Autonomous System Number (ASN) of the router that you want to peer with, so start by opening the Fabric workspace.
2. Right-click the FabricNetworkManagerNetworkController service and select Properties.
3. Click the Services tab and select the Load Balancer Role in the list of services.
4. Click the SLB MUX virtual machine instance and you will see the MUX instance BGP settings. For the BGP port, type the value 8560 and for Local ASN, type the ASN number you want to use for BGP peering for the MUX. VMM will accept any value you pick here but if you are peering it with a router in your infrastructure it should match the numbering scheme in your lab or datacenter. In the example below we used a value of 2 for the ASN.
5. To configure the information for the BGP router you want to peer with, click Add and then enter the name, IP address and ASN of the router. In the screenshot above, you can see that we have peered with the ADVWRKS-ROUTER router using an IP address of 172.27.0.1 and an ASN of 1.
Click OK to complete the SLB MUX service instance configuration.
6. Check the Jobs window to verify that the Update Fabric Role with required configuration and Associate service instance with fabric role jobs have completed successfully.
7. In order to complete the BGP peering operation, you will need to configure BGP on the router to peer with your SLB MUX instance. If you are using a hardware router device, consult your vendor’s documentation on how to set up BGP peering for that device. You will also need to know the IP address of the SLB MUX instance that you deployed earlier. You can obtain it either by logging on to the SLB MUX VM instance and running IPCONFIG /ALL from a Command Prompt, or from the VMM console.
Provisioning VIPs for tenant virtual machines
You can provision VIPs for tenant virtual machines either individually for each virtual machine or via service templates. Provisioning a VIP for a single virtual machine is not a typical scenario, but for Tech Preview 4 it may be the easiest way to evaluate this functionality. Provisioning a VIP for a single virtual machine must be done via PowerShell.
Provision VIPs for an individual virtual machine
To provision a VIP for an individual VM or set of VMs that were deployed using a VM template, you will need to deploy the VM instances using a VM template, create a VIP template in the VMM console, then create a VIP and assign it to the VMs using PowerShell.
Create a VIP Template
The process for creating a VIP template is as follows:
1. Navigate to the Fabric Workspace in the VMM console.
2. Right-click on the VIP Templates node and select Create VIP Template. Alternately, you can click on the Create VIP Template in the Ribbon toolbar.
3. Provide a name in the Template Name field and an optional description in the Description field.
4. In the Virtual IP Port field, provide a value for the port you wish to test. For our example we used port 5001, but you can choose another port you want to test with if desired.
5. For the Backend Port, provide a value for the port from which you wish to map traffic on the back end. In our example we simply used the same port as the front end virtual IP port: 5001. Once you have provided the port, click the Next button.
6. On the Specify a Template Type screen, click the Specific radio button and select Microsoft for the Manufacturer, then for the Model, select Microsoft Network Controller. Click Next.
7. On the Specify Protocol Options screen, select the protocol you wish to create a VIP mapping for. The HTTP and HTTPS options are commonly used, but for our simple example we selected the Custom option and chose TCP in the Protocol Name field. If TCP does not appear as an option in the drop-down menu you can type it in manually. This is a known issue in TP4. Click Next.
8. You can optionally select Enable persistence if you wish to have the load balancer make the connection from the client “sticky”. Click Next.
9. For the Load Balancing method, select Round Robin from the drop down list. Click Next.
10. Health Monitors are not implemented in TP4 so click Next to move past this screen.
11. Confirm your settings and then click Finish when you are ready to create the VIP Template.
Create the VIP using PowerShell
The following is a sample Windows PowerShell script that will create a VIP for an individual VM. In the script parameters section, be sure to substitute the actual values that match your test environment for the samples that are used in this script. The script should be run on the VMM server, or on a machine with the VMM Admin Console.

```powershell
param(
    [Parameter(Mandatory=$false)]
    # Name of the Network Controller Network Service
    # This value should be the name you gave the Network Controller service when you on-boarded the Network Controller to VMM
    $LBServiceName = "NC",

    [Parameter(Mandatory=$false)]
    # Name of the VM instance to which you want to assign the VIP
    $VipMemberVMNames = @("WGB-001"),

    [Parameter(Mandatory=$false)]
    # VIP address you want to assign from the VIP pool.
    # Pick any VIP that falls within your VIP IP Pool range.
    $VipAddress = "172.27.1.5",

    [Parameter(Mandatory=$false)]
    # Name of the VIP VM Network
    $VipNetworkName = "vip",

    [Parameter(Mandatory=$false)]
    # The name of the VIP template you created via the VMM Console.
    $VipTemplateName = "ADVWRKS-VIP",

    [Parameter(Mandatory=$false)]
    # Arbitrary but good to match the VIP you're using.
    $VipName = "scvmm_172_27_1_5_5001"
)

Import-Module virtualmachinemanager

# Locate the load balancer object that belongs to the Network Controller service
$lb = Get-SCLoadBalancer | where { $_.Service.Name -like $LBServiceName };
$vipNetwork = Get-SCVMNetwork -Name $VipNetworkName;

# Collect the first network adapter of each member VM as a back-end NIC
$vipMemberNics = @();
foreach ($vmName in $VipMemberVMNames)
{
    $vm = Get-SCVirtualMachine -Name $vmName;
    # if ($vm.VirtualNetworkAdapters[0].VMNetwork.ID -ne $vipNetwork.ID)
    # {
    #     $vm.VirtualNetworkAdapters[0] | Set-SCVirtualNetworkAdapter -VMNetwork $vipNetwork;
    # }
    $vipMemberNics += $vm.VirtualNetworkAdapters[0];
}

# Remove a VIP of the same name if one already exists, so the script can be re-run
$existingVip = Get-SCLoadBalancerVIP -Name $VipName
if ($existingVip -ne $null)
{
    # foreach ($mem in $existingVip.VipMembers)
    # {
    #     $mem | Remove-SCLoadBalancerVIPMember;
    # }
    $existingVip | Remove-SCLoadBalancerVIP;
}

$vipt = Get-SCLoadBalancerVIPTemplate -Name $VipTemplateName;

# Create the VIP: front end on the VIP VM network, back end on the member NICs
$vip = New-SCLoadBalancerVIP -Name $VipName -LoadBalancer $lb -IPAddress $VipAddress -LoadBalancerVIPTemplate $vipt -FrontEndVMNetwork $vipNetwork -BackEndVirtualNetworkAdapters $vipMemberNics;
Write-Output "Created VIP " $vip;

#foreach ($memberNic in $vipMemberNics)
#{
#    $address = $memberNic.IPv4Addresses[0];
#    Write-Output "Creating vip member with address " $address;
#    New-SCLoadBalancerVIPMember -LoadBalancerVIP $vip -IPAddress $address -Port 82 -VirtualNetworkAdapter $memberNic;
#}

$vip = Get-SCLoadBalancerVIP -Name $VipName;
Write-Output "VIP with members " $vip;
```
After running the script, you should see output with details for the VIP you have just created. Once the script is executed successfully and the VIP is assigned to the tenant VM, you should be able to access the tenant VM from outside your datacenter network.
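The following post-deployment check is an added example script and is not part of the original post or of VMM itself. It assumes the SLB MUX service instance was named SLBMUX at Configure Deployment and that the VIP script above ran with its sample values; the ComputerTiers, VMs and DeploymentState properties it reads are assumptions about the VMM object model, so adjust them if your build differs.

```powershell
# Added verification script (not from the original post). Run on the VMM server
# or a machine with the VMM Admin Console. Names below are lab assumptions.
param(
    [string]$MuxServiceName = "SLBMUX",                 # assumed: name typed at Configure Deployment
    [string]$VipName        = "scvmm_172_27_1_5_5001",  # same sample value as the VIP script
    [string]$VipAddress     = "172.27.1.5",
    [int]$VipPort           = 5001                      # Virtual IP port chosen in the VIP template
)
Import-Module virtualmachinemanager

$problems = @()

# 1. The SLB MUX service instance should report the Deployed state.
$svc = Get-SCService -Name $MuxServiceName
if ($svc -eq $null) {
    $problems += "Service '$MuxServiceName' not found in VMM"
} else {
    # DeploymentState is assumed to be the property shown as "State" in the console
    Write-Output ("MUX service '{0}' state: {1}" -f $svc.Name, $svc.DeploymentState)
    if ("$($svc.DeploymentState)" -ne "Deployed") { $problems += "MUX service is not Deployed" }

    # 2. Print each MUX VM's adapters and IPv4 addresses. The address on the
    #    Front End (DatacenterNetwork) adapter is the neighbour address the
    #    router's BGP configuration needs; this replaces running IPCONFIG /ALL.
    #    ComputerTiers / VMs are assumed property names on the service object.
    foreach ($tier in $svc.ComputerTiers) {
        foreach ($vm in $tier.VMs) {
            foreach ($nic in $vm.VirtualNetworkAdapters) {
                Write-Output ("  {0}: {1} -> {2}" -f $vm.Name, $nic.VMNetwork.Name, ($nic.IPv4Addresses -join ", "))
            }
        }
    }
}

# 3. The VIP must exist and carry at least one back-end member NIC.
$vip = Get-SCLoadBalancerVIP -Name $VipName
if ($vip -eq $null) {
    $problems += "VIP '$VipName' not found"
} elseif (@($vip.VipMembers).Count -eq 0) {
    $problems += "VIP '$VipName' has no members"
} else {
    Write-Output ("VIP '{0}' has {1} member(s)" -f $vip.Name, @($vip.VipMembers).Count)
}

# 4. End-to-end check: a TCP connect to the VIP on the template port. Run this
#    part from a machine outside the datacenter network so the traffic follows
#    the BGP-advertised route through the MUX; a success from inside only proves
#    the VMM objects exist.
$tnc = Test-NetConnection -ComputerName $VipAddress -Port $VipPort -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    $problems += ("TCP {0}:{1} not reachable; check router BGP peering and that the tenant VM listens on port {1}" -f $VipAddress, $VipPort)
}

if ($problems.Count -eq 0) {
    Write-Output "SLB validation passed"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```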
Manish Jha| Program Manager II | Microsoft