Configuring VM Networks and Gateways in VMM
Applies To: System Center 2012 SP1 - Virtual Machine Manager, System Center 2012 R2 Virtual Machine Manager
Networking in Virtual Machine Manager (VMM) in System Center 2012 Service Pack 1 (SP1) and System Center 2012 R2 includes a number of enhancements that provide administrators with greater flexibility in configuring networks in a virtualized environment. This overview describes two of the enhancements, virtual machine networks (VM networks) and gateways.
The following list describes VM networks and gateways:
VM networks: VM networks enable you to use network virtualization, which extends the concept of server virtualization to make it possible to deploy multiple virtual networks (VM networks) on the same physical network. However, VM networks can be configured in multiple ways:
Network virtualization (Hyper-V network virtualization): If you want to support multiple tenants (also called clients or customers) with their own networks, isolated from the networks of others, use network virtualization. To use network virtualization, create a logical network, and on top of that logical network, create multiple VM networks, each of which uses the network virtualization option:
In System Center 2012 SP1: Isolate using Hyper-V network virtualization
In System Center 2012 R2: One connected network and Allow new VM networks created on this logical network to use network virtualization
With this isolation, your tenants can use any IP addresses that they want for their virtual machines, regardless of the IP addresses that are used on other VM networks. Also, you can enable your tenants to configure some aspects of their own networks, based on limits that you specify.
Network virtualization is supported only on hosts that are running Windows Server 2012 or Windows Server 2012 R2. Hosts that are running Windows Server 2008 R2 do not support network virtualization.
VLAN-based configuration: If you are working with networks that use familiar virtual local area network (VLAN) technology for network isolation, you can manage those networks as they are, and use VMM to simplify the management process.
The scenario that is described here is for VLANs that were set up for a specific purpose such as isolation, not for VLANs that were set up only for broadcast boundaries.
For a VLAN-based configuration, take the following steps:
Obtain information about the numbering of the isolated VLANs that have already been created in the physical network.
In VMM, create a logical network and select the appropriate option:
In System Center 2012 SP1: Network sites within this logical network are not connected. (Do not select the option for private VLANs unless you are using private VLAN technology.)
In System Center 2012 R2: In most cases, select VLAN-based independent networks. However, if you are using private VLAN technology, select Private VLAN (PVLAN) networks.
Within the logical network, configure a separate network site for each existing VLAN. Give each network site a name that is meaningful to you in your environment.
Create an association between those network sites and the host physical network adapter. You can do this on an individual host in VMM by modifying the properties sheet for the host (in Hardware under Network adapters). Alternatively, you can collect the information about your network sites into an uplink port profile (also called a port profile for uplinks) and a logical switch, and then apply the uplink port profile and the logical switch to host network adapters, as needed. For more information about uplink port profiles, see How to Create a Port Profile for Uplinks in VMM.
Create one VM network for each network site (and VLAN) in your configuration.
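The VLAN-based steps above can also be scripted from the VMM command shell. The following is an added example, not part of the original topic: it targets System Center 2012 R2 (the "VLAN-based independent networks" option), and the host group name, network names, VLAN IDs and subnets are constructed placeholders. Associating the network sites with host physical network adapters is left to the host properties or an uplink port profile, as described above.

```powershell
# Added example; all names, VLAN IDs and subnets are constructed placeholders.
Import-Module virtualmachinemanager

# Existing isolated VLANs in the physical network (constructed sample values).
$vlans = @(
    @{ Name = 'Tenant-A'; VlanId = 110; Subnet = '10.110.0.0/24' },
    @{ Name = 'Tenant-B'; VlanId = 120; Subnet = '10.120.0.0/24' }
)

# Fail early on duplicate VLAN IDs: two network sites that share a VLAN
# would not be isolated from each other.
$dupes = $vlans | Group-Object { $_.VlanId } | Where-Object Count -gt 1
if ($dupes) { throw "Duplicate VLAN ID(s): $($dupes.Name -join ', ')" }

# Host group that will see the network sites (assumed name).
$hostGroup = Get-SCVMHostGroup -Name 'All Hosts'

# Logical network with independent network sites, no network virtualization
# and no private VLANs.
$ln = New-SCLogicalNetwork -Name 'Isolated-VLANs' `
    -LogicalNetworkDefinitionIsolation $true `
    -EnableNetworkVirtualization $false -UseGRE $false -IsPVLAN $false

$created = foreach ($v in $vlans) {
    # One network site per existing VLAN.
    $sv   = New-SCSubnetVLan -Subnet $v.Subnet -VLanID $v.VlanId
    $site = New-SCLogicalNetworkDefinition -Name "$($v.Name)-Site" `
        -LogicalNetwork $ln -VMHostGroup $hostGroup -SubnetVLan $sv

    # One VM network, with its VM subnet, per network site and VLAN.
    $vmNet = New-SCVMNetwork -Name "$($v.Name)-VMNet" -LogicalNetwork $ln `
        -IsolationType 'VLANNetwork'
    New-SCVMSubnet -Name "$($v.Name)-VMSubnet" -VMNetwork $vmNet `
        -LogicalNetworkDefinition $site -SubnetVLan $sv | Out-Null

    $vmNet
}

# Review what was created: each VM network should report VLAN isolation.
$created | Select-Object Name, IsolationType
```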
One VM network that gives direct access to the logical network ("no isolation"): This is the simplest configuration, where the VM network is the same as the logical network on which it is configured. This configuration is appropriate for a network through which you will manage a host. The VM network provides only the functionality of the logical network, which was introduced in System Center 2012. For this configuration, create a logical network, and then create a VM network that specifies that logical network with an appropriate setting:
In System Center 2012 SP1: If this logical network will support network virtualization (in addition to having a VM network that gives direct access to the logical network), select the check box to allow network virtualization. If this logical network will not use network virtualization at all, leave all check boxes cleared.
With System Center 2012 R2: For the logical network, select One connected network and then select Create a VM network with the same name to allow virtual machines to access this logical network directly. (If you select One connected network but do not select the second option, you will still be able to create the VM network later.) If this logical network will also support network virtualization, select the check box to allow network virtualization.
The VM network will function as a logical network with no isolated networks within it. On each logical network, you can have only one VM network that is configured with No isolation. However, on a logical network that allows network virtualization, you can have one VM network with no isolation and other VM networks with isolation (that is, with network virtualization).
Using external networks that are implemented through a network manager: With this configuration option, you can use a network manager (for example, a vendor network-management console) that allows you to configure settings on your forwarding extension, for example, settings for logical networks, network sites, and VM networks. You can configure VMM to import those settings from the vendor network-management database into VMM, which makes it easier to work with those settings in the context of your other network configuration settings. For detailed descriptions of this option, see the following topics:
Gateways: To connect a VM network to other networks, you can configure the VM network with a gateway. (This configuration requires that, in the logical network that the VM network uses for a foundation, the network virtualization option is selected.) The steps for configuring a VM network with a gateway depend on whether you have System Center 2012 SP1 or System Center 2012 R2:
In VMM in System Center 2012 SP1: To configure a VM network to connect to another network in your environment, for the gateway setting of the VM network, select Local networks. Alternatively, if you are a hosting provider and you want to enable your tenants, customers, or clients to connect their virtual machines (in the hosted environment that you provide) to systems on their own premises, you can configure their VM networks with gateways. To configure a VM network this way, for the gateway setting of the VM network, select Remote networks. The result is a connection through a virtual private network (VPN) tunnel.
In VMM in System Center 2012 R2: To configure a VM network to connect to another network in your environment, on the Connectivity page or tab for the VM network, choose the setting for connecting directly to an additional logical network, and specify whether that connection is to use network address translation (NAT). Alternatively, if you are a hosting provider and you want to enable your tenants, customers, or clients to connect their virtual machines (in the hosted environment that you provide) to systems on their own premises, you can configure their VM networks with connectivity through VPN. To configure a VM network this way, on the Connectivity page or tab for the VM network, choose the setting for a connection through a virtual private network (VPN) tunnel, with or without Border Gateway Protocol (BGP).
Before you configure a gateway, see Prerequisites for gateways in this topic.
VM networks in VMM are configured by bringing other networking elements together. Before you create a VM network, create the elements (such as a logical network) on which you will build the VM network. These elements include the following:
Logical networks (the foundation for VM networks).
(Optional) Load-balancing configuration settings.
(Optional) Port settings and logical switches. You can use several VMM configuration elements together to consistently apply settings to multiple network adapters across multiple hosts. These configuration elements include:
Native port profiles for uplinks
Native port profiles for virtual network adapters
To learn about these networking elements, see the following topics:
If you want to add a gateway to your configuration in VMM, you must have provider software for the gateway. If the gateway is a non-Microsoft gateway, you must obtain the provider software from the manufacturer of the gateway device, install the provider on the VMM management server, and then restart the System Center Virtual Machine Manager service. Then you can add the gateway to the list of resources in VMM. For more information about setting up a specific non-Microsoft gateway device, refer to the manufacturer’s documentation.
In VMM in System Center 2012 R2, adding a gateway is called adding a "network service," and the gateway requires additional configuration steps, as described in How to Add a Non-Windows Gateway in VMM in System Center 2012 R2 or How to Add a Windows Server Gateway in VMM in System Center 2012 R2.
After you add a gateway to VMM, to use the gateway to connect a VM network through a VPN tunnel to another site, you must select an appropriate setting for the VM network. In System Center 2012 SP1, the setting is the Gateway setting called Remote networks, and in System Center 2012 R2, it is the Connectivity setting called Connect to another network through a VPN tunnel. Before you configure this setting for a VM network, gather the necessary information from your tenant, customer, or client. The following list provides more details:
Obtain the IP address of the remote VPN server (on the premises of the tenant, customer, or client).
If you are running VMM in System Center 2012 R2, also obtain information about the subnets on the premises of the tenant, customer, or client. These are the subnets that are used by the tenant’s virtual machines or other virtual or physical resources. In addition, if the tenant, customer, or client uses Border Gateway Protocol (BGP), obtain the relevant BGP peer IP addresses and Autonomous System Numbers (ASNs).
Identify the authentication method to use with the remote VPN server. If the remote VPN server is configured to use a pre-shared key, you can authenticate by using a Run As account in which you specify the pre-shared key as the password. Alternatively, you can authenticate with a certificate. The certificate can be either a certificate that the remote VPN server selects automatically or a certificate that you have obtained and placed on your network.
Determine whether to use the default VPN connection settings or to specify these settings. You can specify settings for the encryption, integrity checks, cipher transforms, authentication transforms, Perfect Forward Secrecy (PFS) group, Diffie-Hellman group, and VPN protocol.
The information that you gather helps you complete the gateway configuration for the VM network.
To use VMM to configure VM networks and gateways in System Center 2012 SP1 or System Center 2012 R2, complete the procedures in the following table.
Describes how to configure default VMM settings for automatic logical network and virtual network creation.
Describes how to add a gateway that can connect your virtualized networks to other networks. If you want to add a non-Microsoft gateway, you must first obtain provider software from the manufacturer of the gateway device, install the provider on the VMM management server, and restart the System Center Virtual Machine Manager service.
Describes how to create a VM network, with information about deploying multiple VM networks that use network virtualization (network isolation), deploying a single VM network with "no isolation," and using the other options for VM networks that are listed earlier in this topic.
Describes how to create static IP address pools for VM networks. These IP address pools are made available to virtual machines and services that use the VM networks.
Describes how to return inactive addresses to an IP address pool to make them available for reassignment.
Describes how to view diagrams that show the relationships among networking objects, such as logical networks and VM networks, in your VMM configuration.
For information about the next steps to take after you configure networking, see the topics in the following table.
Configure additional fabric resources, such as storage and library resources.
Add and configure hosts.
Deploy virtual machines individually or as part of a service.