Windows Server Gateway
Published: June 26, 2013
Updated: March 12, 2014
Applies To: Windows Server 2012 R2
This topic, which is intended for Information Technology (IT) professionals, provides overview information about Windows Server Gateway, including Windows Server Gateway capabilities and features.
In addition to this topic, the following Windows Server Gateway documentation is available.
Who will be interested in Windows Server Gateway?
If you are a system administrator, network architect, or other IT professional, Windows Server Gateway might interest you under one or more of the following circumstances:
You are using or plan on using System Center 2012 R2, which is required when you deploy Windows Server Gateway.
You design or support IT infrastructure for an organization that is using or planning to use Hyper-V to deploy virtual machines (VMs) on virtual networks.
You design or support IT infrastructure for an organization that has deployed or is planning to deploy cloud technologies.
You want to provide full network connectivity between physical networks and virtual networks.
You want to provide your organization’s customers with access to their virtual networks over the Internet.
This topic includes the following sections.
Router Versions in Windows Server 2012 R2
What is Windows Server Gateway?
Windows Server Gateway integration with Hyper-V Network Virtualization
Clustering Windows Server Gateway for high availability
Windows Server Gateway as a forwarding gateway for private cloud environments
Windows Server Gateway as a site-to-site VPN gateway for hybrid cloud environments
Multitenant Network Address Translation (NAT) for VM Internet access
Multitenant remote access VPN connections
Two different versions of the gateway router are available in Windows Server 2012 R2 – the RRAS Multitenant Gateway and Windows Server Gateway. Although the routers have the same functionality and capabilities, you can use different methods to manage each router, depending on whether or not you are using System Center 2012 R2.
RRAS Multitenant Gateway. The RRAS Multitenant Gateway router can be used for multitenant or non-multitenant deployments, and is a full featured BGP router. To deploy an RRAS Multitenant Gateway router, you must use Windows PowerShell commands. For more information, see Remote Access Cmdlets in Windows PowerShell and Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide.
Windows Server Gateway. To deploy Windows Server Gateway, you must use System Center 2012 R2 and Virtual Machine Manager (VMM). The Windows Server Gateway router is designed for use with multitenant deployments. With the System Center 2012 R2 VMM Windows Server Gateway router, only a very limited set of Border Gateway Protocol (BGP) configuration options are available in the VMM software interface, including Local BGP IP Address and Autonomous System Numbers (ASN), List of BGP Peer IP Addresses, and ASN, values. You can, however, use Remote Access Windows PowerShell BGP commands to configure all other features of Windows Server Gateway. For more information, see Windows Server Gateway and Virtual Machine Manager.
Windows Server Gateway (Windows Server Gateway) is a virtual machine (VM)-based software router and gateway that allows Cloud Service Providers (CSPs) and Enterprises to enable datacenter and cloud network traffic routing between virtual and physical networks, including the Internet.
|Windows Server Gateway supports IPv4 and IPv6, including IPv4 and IPv6 forwarding. When you configure Windows Server Gateway with Network Address Translation (NAT), only NAT44 is supported.|
Virtual networks are created by using Hyper-V Network Virtualization, which is a technology that was introduced in Windows Server® 2012.
Hyper-V Network Virtualization provides the concept of a virtual machine (VM) network that is independent of the underlying physical network. With this concept of VM networks, which are composed of one or more virtual subnets, the exact physical location of an IP subnet is decoupled from the virtual network topology. As a result, organizations can easily move their subnets to the cloud while preserving their existing IP addresses and topology in the cloud. This ability to preserve infrastructure allows existing services to continue to work, unaware of the physical location of the subnets. That is, Hyper-V Network Virtualization enables a seamless hybrid cloud.
In both private and hybrid cloud environments using Windows Server 2012, however, it was difficult to provide connectivity between VMs on the virtual network and resources on physical networks at local and remote sites, creating a circumstance where virtual subnets were islands separated from the rest of the network.
In Windows Server 2012 R2, Windows Server Gateway routes network traffic between the physical network and VM network resources, regardless of where the resources are located. You can use Windows Server Gateway to route network traffic between physical and virtual networks at the same physical location or at many different physical locations. For example, if you have both a physical network and a virtual network at the same physical location, you can deploy a computer running Hyper-V that is configured with a Windows Server Gateway VM to act as a forwarding gateway and route traffic between the virtual and physical networks. In another example, if your virtual networks exist in the cloud, your CSP can deploy a Windows Server Gateway so that you can create a virtual private network (VPN) site-to-site connection between your VPN server and the CSP’s Windows Server Gateway; when this link is established you can connect to your virtual resources in the cloud over the VPN connection.
Windows Server Gateway is integrated with Hyper-V Network Virtualization, and is able to route network traffic effectively in circumstances where there are many different customers – or tenants – who have isolated virtual networks in the same datacenter.
Multi-tenancy is the ability of a cloud infrastructure to support the virtual machine workloads of multiple tenants, but isolate them from each other, while all of the workloads run on the same infrastructure. The multiple workloads of an individual tenant can interconnect and be managed remotely, but these systems do not interconnect with the workloads of other tenants, nor can other tenants remotely manage them.
For example, an Enterprise might have many different virtual subnets, each of which is dedicated to servicing a specific department, such as Research and Development or Accounting. In another example, a CSP has many tenants with isolated virtual subnets existing in the same physical datacenter. In both cases, Windows Server Gateway can route traffic to and from each tenant while maintaining the designed isolation of each tenant. This capability makes the Windows Server Gateway multitenant-aware.
Hyper-V Network Virtualization is a network overlay technology using Network Virtualization Generic Routing Encapsulation (NVGRE), which allows tenants to bring their own address space and allows CSPs better scalability than is possible by using VLANs for isolation.
Windows Server Gateway is deployed on a dedicated computer that is running Hyper-V and that is configured with one VM. The VM is then configured as a Windows Server Gateway.
For high availability of network resources, you can deploy Windows Server Gateway with failover by using two physical host servers running Hyper-V that are each also running a virtual machine (VM) that is configured as a gateway. The gateway VMs are then configured as a cluster to provide failover protection against network outages and hardware failure.
When you deploy Windows Server Gateway, the host servers running Hyper-V and the VMs that you configure as gateways must be running Windows Server 2012 R2.
Unless otherwise noted in the illustrations that are provided in the sections below, the following icon represents two Hyper-V hosts, each of which is running a VM configured as a Windows Server Gateway. In addition, both the servers running Hyper-V and the VMs on each server are running Windows Server 2012 R2, and the gateway VMs are clustered.
Private cloud is a computing model that uses infrastructure dedicated to your organization. A private cloud shares many of the characteristics of public cloud computing including resource pooling, self-service, elasticity, and metered services delivered in a standardized manner with the additional control and customization available from dedicated resources.
The only fundamental difference between a private cloud and a public cloud is that a public cloud provides cloud resources to multiple organizations, while the private cloud hosts resources for a single organization. However, a single organization may have multiple business units and divisions which can lend itself to being multi-tenant in nature. In these circumstances, private cloud shares many of the security and isolation requirements of public cloud.
For Enterprises that deploy an on-premises private cloud, Windows Server Gateway can act as a forwarding gateway and route traffic between virtual networks and the physical network. For example, if you have created virtual networks for one or more of your departments, such as Research and Development or Accounting, but many of your key resources (such as Active Directory Domain Services, SharePoint, or DNS) are on your physical network, Windows Server Gateway can route traffic between the virtual network and the physical network to provide employees working on the virtual network with all of the services that they need.
In the illustration below, the physical and virtual networks are at the same physical location. Windows Server Gateway is used to route traffic between the physical network and virtual networks.
For CSPs that host many tenants in their datacenter, Windows Server Gateway provides a multitenant gateway solution that allows your tenants to access and manage their resources over site-to-site VPN connections from remote sites, and that allows network traffic flow between virtual resources in your datacenter and their physical network.
In the illustration below, a CSP provides datacenter network access to multiple tenants, some of whom have multiple sites across the Internet. In this example, tenants use third party VPN servers at their corporate sites, while the CSP uses Windows Server Gateway for the site-to-site VPN connections.
In the illustration below, a home user running a Web browser on their computer makes a purchase on the Internet from a Contoso Web server that is a VM on the Contoso Virtual Network. During the purchasing process, the Web app verifies the credit card information provided by the home user by connecting to a Financial Services company on the Internet. This ability to connect from the virtual network to Internet resources is provided when NAT is enabled on the CSP Windows Server Gateway.
In the illustration below, Administrators use VPN dial-in connections to administer VMs on their corporate virtual networks. The Administrator from Contoso initiates the VPN connection from an Internet-enabled branch office, and connects through the CSP Windows Server Gateway to the Contoso Virtual Network.
Similarly, the Northwind Traders Administrator establishes a VPN connection from a residence office to manage VMs on the Northwind Traders Virtual Network.