Network Controller

Updated: March 3, 2016

Applies To: Windows Server Technical Preview

New in Windows Server® 2016 Technical Preview, Network Controller provides a centralized, programmable point of automation to manage, configure, monitor, and troubleshoot virtual and physical network infrastructure in your datacenter. Using Network Controller, you can automate the configuration of network infrastructure instead of performing manual configuration of network devices and services.

This topic contains the following sections.

• Network Controller Overview

• Network Controller Features

Network Controller Overview

Network Controller is a highly available and scalable server role, and provides one application programming interface (API) that allows Network Controller to communicate with the network, and a second API that allows you to communicate with Network Controller.

You can deploy Network Controller in both domain and non-domain environments. In domain environments, Network Controller authenticates users and network devices by using Kerberos; in non-domain environments, you must deploy certificates for authentication.

Network Controller communicates with network devices, services, and components by using the Southbound API. With the Southbound API, Network Controller can discover network devices, detect service configurations, and gather all of the information you need about the network. In addition, the Southbound API gives Network Controller a pathway to send information to the network infrastructure, such as configuration changes that you have made.

The Network Controller Northbound API provides you with the ability to gather network information from Network Controller and use it to monitor and configure the network.

The Network Controller Northbound API allows you to configure, monitor, troubleshoot, and deploy new devices on the network by using Windows PowerShell, the Representational State Transfer (REST) API, or a management application with a graphical user interface, such as System Center Virtual Machine Manager.

You can manage your datacenter network with Network Controller by using management applications, such as System Center Virtual Machine Manager (SCVMM), and System Center Operations Manager (SCOM), because Network Controller allows you to configure, monitor, program, and troubleshoot the network infrastructure under its control.

Using Windows PowerShell, the REST API, or a management application, you can use Network Controller to manage the following physical and virtual network infrastructure:

• Hyper-V VMs and virtual switches

• Physical network switches

• Physical network routers

• Firewall software

• VPN Gateways, including Routing and Remote Access Service (RRAS) Multitenant Gateways

• Load Balancers

In the following illustration, an Administrator uses a Management Tool that interacts directly with Network Controller. Network Controller provides information about the network infrastructure, including both virtual and physical infrastructure, to the Management Tool, and makes configuration changes according to the Administrator’s actions when using the tool.

If you are deploying Network Controller in a test lab environment, you can run the Network Controller server role on a single physical server (without using Hyper-V) or on a Hyper-V virtual machine (VM) that is installed on a Hyper-V host.

For high availability in larger datacenters, you can deploy a cluster by using either three physical servers (without Hyper-V) or by using three VMs that are installed on three Hyper-V hosts.

Network Controller Features

The following Network Controller features allow you to configure and manage virtual and physical network devices and services.

• Fabric Network Management

• Firewall Management

• Network Monitoring

• Network Topology and Discovery Management

• Software Load Balancer Management

• Virtual Network Management

• RAS Gateway Management

Fabric Network Management

This Network Controller feature allows you to easily manage the fabric, or physical network, for your datacenter stamp or cluster. Using this feature, you can configure IP subnets, virtual Local Area Networks (VLANs), Layer 2 and Layer 3 switches, and network adapters installed in host computers.

Fabric network management includes planning, designing, implementation, and auditing of the fabric network resources and network infrastructure services.

Firewall Management

This Network Controller feature allows you to configure and manage allow/deny firewall Access Control rules for your workload VMs for both East/West and North/South network traffic in your datacenter. The firewall rules are plumbed in the vSwitch port of workload VMs, and so they are distributed across your workload in the datacenter. Using the Northbound API, you can define the firewall rules for both incoming and outgoing traffic from the workload VM. You can also configure each firewall rule to log the traffic that was allowed or denied by the rule.

For more information, see Datacenter Firewall Overview.

Network Monitoring

This Network Controller feature allows you to monitor the physical and virtual network in your datacenter stamp or cluster. The Network Monitoring service uses the network object model, provided by the topology service, to determine the network devices and links to be monitored. Physical network monitoring is performed using both active network and element data.

Active network data, such as network loss and latency, is detected by sending network traffic and measuring round-trip time. The Network Monitoring service automatically determines the network points between which traffic must be sent, the quantum of traffic to be sent in order to cover all network paths, and also the loss/latency baseline and deviations over a period of time. A key aspect of this solution is fault localization. The Network Monitoring service attempts to localize devices that are causing network loss and latency. The solution leverages advanced algorithms to identify both network paths and devices in the paths that are causing performance degradation.

Element data is collected using Simple Network Management Protocol (SNMP) polling and traps. The monitoring service collects a limited set of critical data available through public management information bases (MIBs). For example, the service monitors link state, system restarts, and Border Gateway Protocol (BGP) peer status.

The monitoring system reports health of both devices and device groups. Health is reported based on both active and element data. Devices are, for example, physical switches and routers. Device groups are a combination of physical devices which has some relevance within the datacenter. For instance, device groups can be racks or subnets or simply host groups. In addition to providing health information, the monitoring service also reports vital statistics such as network loss, latency, device CPU/memory usages, link utilization, and packet drops.

The Network Monitoring service also performs impact analysis. Impact analysis is the process of identifying overlay networks affected by the underlying faulty physical networks. The service uses topology information to determine virtual network footprint and to report the health of impacted virtual networks. For example, if a host loses network connectivity, the system marks all virtual networks on this host and that are connected to the faulty network as impacted. Similarly, if a rack loses uplink connectivity to the core network, the system determines the logical network affected and marks all virtual networks in this rack and connected to the affected logical network as impacted.

Finally, the system integrates with the SCOM server to report both health and statistics data. Health is reported in an aggregated manner making it easy to traverse and understand key issues.

For more information, see Network Monitoring.

Network Topology and Discovery Management

This Network Controller feature allows you to automatically discover network elements in the cloud datacenter network. Network Topology and Discovery also determines how network devices are interconnected to build a topology and dependency map.

For more information, see Network Discovery and Topology.

Software Load Balancer Management

This Network Controller feature allows you to enable multiple servers to host the same workload, providing high availability and scalability.

For more information, see Software Load Balancing (SLB) for SDN.

Virtual Network Management

This Network Controller feature allows you to deploy and configure Hyper-V Network Virtualization, including the Hyper-V Virtual Switch and virtual network adapters on individual VMs, and to store and distribute virtual network policies.

Network Controller supports both Network Virtualization Generic Routing Encapsulation (NVGRE) and Virtual Extensible Local Area Network (VXLAN).

RAS Gateway Management

This Network Controller feature allows you to deploy, configure, and manage Hyper-V hosts and virtual machines (VMs) that are members of a RAS Gateway cluster, providing gateway services to your tenants. Network Controller allows you to automatically deploy VMs running RAS Gateway with the following gateway features:

• Add and remove gateway VMs from the cluster and specify the level of backup required.

• Site-to-site virtual private network (VPN) gateway connectivity between remote tenant networks and your datacenter using IPsec.

• Site-to-site VPN gateway connectivity between remote tenant networks and your datacenter using Generic Routing Encapsulation (GRE).

• Point-to-site VPN gateway connectivity so that your tenants’ administrators can access their resources on your datacenter from anywhere.

• Layer 3 forwarding capability.

• Border Gateway Protocol (BGP) routing, which allows you to manage the routing of network traffic between your tenants’ VM networks and their remote sites.

Network Controller is capable of dual-tunnel configuration of site-to-site VPN gateways and the automatic placement of tunnel end-points on separate gateways. In addition, Network Controller can load balance site-to-site and point-to-site VPN connections between gateway VMs, as well as logging configuration and state changes by using logging services.

For more information on BGP, see Border Gateway Protocol (BGP).

For more information on the RAS Gateway, see RAS Gateway Multitenant BGP Router.