Set up an SDN network controller in the VMM fabric

This article describes how to set up a Software Defined Networking (SDN) network controller in the System Center Virtual Machine Manager (VMM) fabric.

The SDN network controller is a scalable and highly available server role that enables you to automate network infrastructure configuration instead of performing manual network device configuration. Learn more.

For a great introduction, watch a video (~ five minutes) that provides an overview of network controller deployment.

• Plan for a Software Defined Network (SDN). Learn more.

• Plan for an SDN Network Controller Installation and deployment. Learn more.

To set up SDN in the VMM fabric, you need the following:

• A service template: VMM uses a service template to automate network controller deployment. Service templates for the network controller support multi-node deployment on Generation 1 and Generation 2 VMs.
• A virtual hard disk: The service template needs a prepared virtual hard disk that's imported into the VMM library. This virtual hard disk is used for network controller VMs.
  • The virtual hard disk must be running the applicable Windows Server version with the latest patches installed.
  • It can be in VHD or VHDX format.
• A management logical network: That models your physical management network’s connectivity for the VMM hosts, network controller hosts, and tenant VM hosts.
• A logical switch: To provide the management logical network with connectivity to the network controller VMs.
• An SSL certificate: To authenticate communications between the VMM server and the network controller.
• An HNV provider logical network and tenant VM networks: To validate the network controller deployment.
• Other prerequisites: Verify other requirements.

Here's what you need to do to set up an SDN network controller:

1. Configure hosts and physical network infrastructure: You need access to your physical network devices to configure VLANs, routing, and others. You also need Hyper-V hosts to host the SDN infrastructure and tenant VMs. Learn more.

2. Prepare a virtual hard disk: You can prepare a virtual hard disk for the network controller service template in VHD or VHDX format, as appropriate, for the service template generation you choose.

3. Download the service templates: Download the network controller service templates and import them to the VMM library.

4. Set up Active Directory security groups: You'll need an Active Directory security group for network controller management, and another security group for network controller clients. Each group will need at least one user account in it.

5. Set up a VMM library share. You can have an optional library file share for keeping diagnostic logs. This library share will be accessed by the network controller to store diagnostics information throughout its lifetime.

6. Set up a VMM host group: Set up a dedicated host group for all the SDN Hyper-V hosts.

   Note

   Hosts must be running applicable Windows Server with latest patches installed and have the Hyper-V role enabled.

7. Create the management logical network: Create a logical network to mirror management network connectivity for the VMM host, network controller hosts, and tenant VM hosts. If you want to allocate static IP addresses from a pool, create a pool on this logical network.

8. Create and deploy a management logical switch: You create the logical switch and deploy it on network controller hosts to provide connectivity to the management network for network controller VMs.

9. Set up a certificate: You need an SSL certificate for secure/HTTPS communication with the network controller.

10. Import the template: Import and customize the network controller service template.

11. Deploy the service: Deploy the network controller service using the service template. Then add it as a VMM service.

1. Prepare the VHD or VHDX based on the type of template you would like to use.
2. After you prepare the hard disk, install the latest applicable Windows Server updates, and any language packs you need if you've a non-English environment.
3. Import the VHD/VHDX files to the VMM library. Learn more.

1. Download the SDN folder from the Microsoft SDN GitHub repository and copy the templates from VMM >Templates > NC to a local path on the VMM server.

2. Extract the contents to a folder on a local computer.

3. Refresh the library, you'll import the service templates, later.

   Note

   The custom resource files are used when setting up the network controller and other SDN components (software load balancer, RAS gateway).

   The NC folder contains four service templates and five custom resource folders. These are summarized in the following table:

Create security groups for network controller management and clients.

1. In Active Directory Users and Computers, create a security group for network controller management.

   • In the group, add all the users who have permissions to configure the network controller. For example, create a group named Network Controller Admins.
   • All the users that you add to this group must also be members of the Domain Users group in Active Directory.
   • The group for network controller management must be a domain local group. Members of this group will be able to create, delete, and update the deployed network controller configuration.
   • Create at least one user account that is a member of this group and have access to its credentials. After the network controller is deployed, VMM can be configured to use the user account credentials to establish communication with the network controller.

2. Create another security group for network controller clients.

   • Add users with permissions to configure and manage networks using network controller. For example, create a group named Network Controller Users.
   • All the users that you add to the new group must also be members of the Domain Users group in Active Directory.
   • All Network Controller configuration and management is performed using Representational State Transfer (DNS).
   • The group must be a Domain Local group. After the network controller is deployed, any members of this group will have permissions to communicate with the network controller via the REST-based interface.
   • Create at least one user account that is a member of this group. After the network controller is deployed, VMM can be configured to use the user account credentials to establish communication with the network controller.

1. Optionally create a file share in the VMM library to keep diagnostic logs.
2. Ensure that the share can be accessed by the network controller. The network controller accesses the share to store diagnostic information. Note the credentials for the account that will have write access to the share.

1. Create a dedicated host group for Hyper-V hosts that will be managed by SDN.
2. Ensure that Hyper-V hosts are running Windows Server 2016 with the latest patches installed.

You can create a management logical network in VMM to mirror your physical management network.

• The logical network provides network connectivity settings for the VMM host, network controller hosts, and tenant VM hosts.
• We recommend that you create this logical network specifically to provide connectivity for infrastructure VMs that are managed by the network controller.
• If you already have a VMM logical network that's configured with Create a VM Network with the same name to allow virtual machines to access this logical network directly, then you can reuse this logical network to provide management connectivity to network controller.

Use the following procedure to create management logical network:

1. Select Fabric > Networking. Right-click Logical Networks > Create Logical Network.
2. Specify a Name and optional Description.

4. Select Network Site > Add. Select the host group for the hosts that will be managed by the network controller. Insert your management network IP subnet details. This network must already exist and be configured in your physical switch.
5. Review the Summary information and select Finish to complete.

If you want to allocate static IP addresses to network controller VMs, create an IP address pool in the management logical network. If you're using DHCP, you can skip this step.

1. In the VMM console, right-click the management logical network and select Create IP Pool.

2. Provide a Name and optional description for the pool, and ensure that the management network is selected for the logical network.

3. In Network Site panel, select the subnet that this IP address pool will service.

4. In IP Address range panel, enter the starting and ending IP addresses.

5. To use an IP as REST IP, enter one of the IP addresses from the specified range in the IP addresses to be reserved for other uses box. In case you want to use the REST End Point, skip this step.

   • Don't use the first three IP addresses of your available subnet. For example, if your available subnet is from .1 to .254, start your range at .4 or greater.
   • If the nodes are in the same subnet, you must provide REST IP address. If the nodes are in different subnets, you must provide a REST DNS name.

6. Specify the default gateway address and optionally configure DNS and WINS settings.

7. In the Summary page, review the settings and select Finish to complete the wizard.

You need to deploy a logical switch on the management logical network. The switch provides connectivity between the management logical network and the network controller VMs.

1. In the VMM console, select Fabric > Networking > Create Logical Switch. Review the Getting Started information and select Next.

2. Provide a Name and optional description. Select No Uplink Team. If you need teaming, select Embedded Team.

   Note

   Don't use Team.

3. For minimum bandwidth mode, choose the Weight option.

4. In Extensions, clear all the switch extensions. This is important. If you select any of the switch extensions at this stage, it could block the network controller onboarding later.

5. You can optionally add a virtual port profile and choose a port classification for host management.

6. Select an existing uplink port profile, or select Add > New Uplink Port Profile. Provide a Name and optional description. Use the defaults for load balancing algorithm and teaming mode. Select all the network sites in the management logical network.

7. Select New Network Adapter. This adds a host virtual network adapter (vNIC) to your logical switch and uplink port profile, so that when you add the logical switch to your hosts, the vNICs get added automatically.

8. Provide a Name for the vNIC. Verify that the management VM network is listed in Connectivity.

9. Select This network adapter will be used for host management > Inherit connection settings from the host adapter. This allows you to take the vNIC adapter settings from the adapter that already exists on the host. If you created a port classification and virtual port profile earlier, you can select it now.

10. In Summary, review the information and select Finish to complete the wizard.

You must deploy the management logical switch on all the hosts where you intend to deploy the NC. These hosts must be a part of VMM host group that you created earlier. Learn more.

You need an SSL certificate that will be used for secure/HTTPS communication with the network controller. You can use the following methods:

• Self-signed certificate: You can generate a self-signed certificate, and export it with the private key protected with a password.
• Certificate Authority (CA) certificate: You can use a certificate signed by a CA.

The following example creates a new self-signed certificate and must be run on the VMM server.

Export the certificate and its private key in .pfx format.

1. Open the Certificates snap-in (certlm.msc) and locate the certificate in Personal/Certificates.

2. Select the certificate > All Tasks > Export.

3. Select Yes, export the private key option, and select Next.

4. Choose Personal Information Exchange - PKCS #12 (.PFX) and accept the default to Include all certificates in the certification path if possible.

5. Assign the Users/Groups and a password for the certificate you're exporting; select Next.

6. On the File to export page, browse the location where you want to place the exported file, and give it a name.

7. Similarly, export the certificate in .CER format

   Note

   To export to .CER format, uncheck the Yes, export the private key option.

8. Copy the .PFX to the ServerCertificate.cr folder.

9. Copy the .CER file to the NCCertificate.cr folder.

When you're done, refresh these folders, and ensure that you've these certificates copied.

1. Request a CA-signed certificate. For a Windows-based enterprise CA, request certificates using the certificate request Wizard.

2. Ensure that the certificate includes the serverAuth EKU, specified by the OID 1.3.6.1.5.5.7.3.1. In addition, the certificate subject name must match the DNS name of the network controller.

3. Copy the .PFX to the ServerCertificate.cr folder.

4. Copy the .CER file to the NCCertificate.cr folder.

5. Copy the public key of the CA in .CER format to TrustedRootCertificate.cr.

   Note

   Ensure that the enterprise CA is configured for certificate auto enrollment.

1. If the Personal (My – cert:\localmachine\my) certificate store on the Hyper-V host has more than one X.509 certificate with Subject Name (CN) as the host Fully Qualified Domain Name (FQDN), ensure that the certificate that is used by SDN has an additional custom Enhanced Key Usage property with the OID 1.3.6.1.4.1.311.95.1.1.1. Otherwise, the communication between Network Controller and the host might not work.

2. Ensure that certificate issued by CA for south bound communication has an additional custom Enhanced Key Usage property with the OID 1.3.6.1.4.1.311.95.1.1.1.

Import the template and update the parameters for your environment.

Import the service template into the VMM library. For this example, we'll import the Generation 2 template.

1. Select Library > Import Template.

2. Browse to your service template folder, select the Network Controller Production Generation 2 VM.xml file.

3. Update the parameters for your environment as you import the service template. Review the details and then select Import.

   • WinServer.vhdx Select the base virtual hard drive image that you prepared earlier.
   • NCSetup.cr: Map to the NCSetup.cr library resource in the VMM library.
   • ServerCertificate.cr: Map to the ServerCertificate.cr resource in the VMM library. In addition, put the .pfx SSL certificate that you prepared earlier inside this folder. Ensure that you only have one certificate in the ServerCertificate.cr folder.
   • TrustedRootCertificate.cr: Map to the TrustedRootCertificate.cr folder in your VMM library. If you don't need a trusted root certificate, this resource still needs to be mapped to a CR folder. However, the folder must be left empty.

4. Once done, ensure that the Job is complete.

You can customize the service template to meet any specific requirements related to your organization, such as product key, IP assignment, DHCP, MAC Spoofing, and High availability. You can also customize properties for objects such as host groups, host clusters, and service instances.

As an example, here are the steps to enter the product key, enable DHCP and high availability:

1. In the VMM library, select the service template, and open it in designer mode.

2. Double-click the computer tier to open the Windows Server Network Controller Properties page.

3. To specify a product key, select OS Configuration > Product Key, and specify the key shared by CCEP.

4. To enable high availability, select Hardware configuration > Availability, select the Make the Virtual machine highly available checkbox.

5. To enable dynamic IP configuration and use DHCP for network controller management, select network adapter on the designer, and change the IPV4 address type to Dynamic.

   Note

   • If you customize the template for high availability, ensure that you deploy this on clustered nodes.
   • While configuring your Network Controller and specifying FQDN as the REST name, don’t pre-create Host A record for your primary NC node in your DNS. This may impact Network Controller connectivity once primary NC node changes. This is applicable even if you're deploying the NC by using the SDN Express or VMM Express script.

1. Select the network controller service template > Configure Deployment. Enter a service name, and select a destination for the service instance. The destination must map to the dedicated host group containing hosts that will be managed by the network controller.

2. Configure the deployment settings as described in the table below.

3. It's normal for the virtual machine instances to be initially red. Select Refresh Preview to have the deployment service automatically find suitable hosts for the virtual machines to be created.

4. After you configure these settings, select Deploy Service to begin the service deployment job.

   Note

   Deployment times will vary depending on your hardware but are typically between 30 and 60 minutes. If you're not using a volume licensed VHD\VHDX, or if the VHD\VHDX doesn't supply the product key using an answer file, then the deployment stops at the Product Key page during network controller VM provisioning. You need to manually access the VM desktop and either skip or enter the product key.

5. If the network controller deployment fails, delete the failed service instance before you retry the network controller deployment. Select VMs and Services > All Hosts > Services, and delete the instance.

After the network controller service is successfully deployed, the next step is to add it to VMM as a network service.

1. In Fabric, right-click Networking > Network Service, and select Add Network Service.

2. The Add Network Service Wizard starts. Specify a name and optional description.

3. Select Microsoft for the manufacturer and for model select Microsoft network controller.

4. In Credentials, provide the Run As account you want to use to configure the network service. This must be the same account that you included in the network controller clients group.

5. For the Connection String:

   • In multi-node deployment, ServerURL must use the REST endpoint, and servicename must be the name of the network controller instance.
   • In single node deployment, ServerURL must be the network controller FQDN and, servicename must be the network controller service instance name. Example: serverurl=https://NCCluster.contoso.com;servicename=NC_VMM_RTM

6. In Review Certificates, a connection is made to the network controller virtual machine to retrieve the certificate. Verify that the certificate shown is the one you expect. Ensure that you select These certificates have been reviewed and can be imported to the trusted certificate store box.

7. On the next screen, select Scan Provider to connect to your service and list the properties and their status. This is also a good test of whether the service was created correctly, and that you’re using the right connect string to connect to it. Examine the results, and check that isNetworkController = true. When it completes successfully, select Next.

8. Configure the host group that your network controller will manage.

9. Select Finish to complete the wizard. When the service has been added to VMM, it will appear in the Network Services list in the VMM console. If the network service isn't added, check Jobs in the VMM console to troubleshoot.

You can optionally validate the network controller deployment. To do this:

1. Create HNV provider network (the backend network), managed by the network controller for tenant VM connectivity. This network is used to validate that the network controller has been deployed successfully and that tenant VMs within the same virtual network can ping each other. This network must exist in your physical network infrastructure, and all SDN fabric hosts must have physical connectivity to it.
2. After creating the HNV provide network, you configure two tenant VM networks on top of it. Create VM networks and IP address pools, and then deploy the tenant VMs. You can also test connectivity between two tenant VMs deployed on different hosts to ensure the network controller is deployed correctly.

1. Start the Create Logical Network Wizard. Enter a name and optional description for this network.

3. In Network Site, add the network site information for your HNV provider network. This must include the host group, subnet, and VLAN information for the network.
4. Review the Summary information and complete the wizard.

The configure HNV logical network needs an IP address pool, even if DHCP is available on this network. If you've more than one subnet on the configure HNV network, create a pool for each subnet.

1. Right-click the configure HNV logical network > Create IP Pool.
2. Provide a name and optional description, and ensure that the HNV Provider logical network is selected for the logical network.

4. In IP Address range, configure the starting and ending IP address. Don't use the first IP address of your available subnet. For example, if your available subnet is from .1 to .254, start your range at .2 or greater.

5. Next, configure the default gateway address. Select Insert next to the Default gateways box, enter the address, and use the default metric. Optionally configure DNS and WINS.

6. Review the summary information and select Finish to complete the wizard.

7. As part of network controller onboarding, the switch that you deployed on the hosts for the Management logical network connectivity was converted to an SDN switch. This switch can now be used to deploy a network controller managed network, including the HNV provider logical network. Ensure that you select the network site corresponding to the HNV provider logical network in the uplink port profile settings for the Management logical switch.

   

The HNV provider logical network is now accessible to all the hosts in the network controller managed host group.

Now, create two VM networks and IP pools for two tenants in your SDN infrastructure to test connectivity.

1. Create a VM network for each tenant.

2. Create an IP address pool for each VM network.

Now, you can create tenant virtual machines connected to the tenant virtual network.

1. If you want to create a VM from an existing hard disk, follow these instructions.
2. After you deploy at least two VMs connected to the network, you can ping one tenant virtual machine from the other tenant virtual machine to validate that the network controller has been deployed as a network service successfully, and that it can manage the HNV Provider network so that tenant virtual machines can ping each other.

Create a software load balancer