Network Function Virtualization Overview

Published: December 2014

Updated: February 2015

Applies To: Windows Server Technical Preview

In today’s software defined datacenters, network functions that are being performed by hardware appliances (such as load balancers, firewalls, routers, switches, and so on) are increasingly being virtualized as virtual appliances. This “network function virtualization” is a natural progression of server virtualization and network virtualization. Virtual appliances are quickly emerging and creating a brand new market. They continue to generate interest and gain momentum in both virtualization platforms and cloud services.

Microsoft included a standalone gateway as a virtual appliance starting with Windows Server 2012 R2. For more information, see Windows Server Gateway. Now, with Windows Server Technical Preview, Microsoft continues to expand and invest in the network function virtualization market.

A virtual appliance is dynamic and easy to change because it is a pre-built, customized virtual machine. It can be one or more virtual machines packaged, updated, and maintained as a unit. Together with software defined networking (SDN), you get the agility and flexibility needed in today’s cloud-based infrastructure. For example:

  • SDN presents the network as a pooled and dynamic resource.

  • SDN facilitates tenant isolation.

  • SDN maximizes scale and performance.

  • Virtual appliances enable seamless capacity expansion and workload mobility.

  • Virtual appliances minimize operational complexity.

  • Virtual appliances let customers easily acquire, deploy, and manage pre-integrated solutions.

    • Customers can easily move the virtual appliance anywhere in the cloud.

    • Customers can scale virtual appliances up or down dynamically based on demand.

For more information about Microsoft SDN see Software Defined Networking.

The marketplace for virtualized network functions is growing quickly. The following network functions are being virtualized:

  • Security

    • Firewall

    • Antivirus

    • DDoS (Distributed Denial of Service)

    • IPS/IDS (Intrusion Prevention System/Intrusion Detection System)

  • Application/WAN optimizers

  • Edge

    • Site-to-site gateway

    • L2/L3 gateways

    • Routers

    • Switches

    • NAT

    • Load balancers (not necessarily at the edge)

    • HTTP proxy

Microsoft Network Function Virtualization

The Microsoft platform has been engineered to be a great platform to build and deploy virtual appliances. Here’s why:

  • Microsoft provides key virtualized network functions with Windows Server Technical Preview.

  • You can deploy a virtual appliance from the vendor of your choice.

  • You can deploy, configure, and manage your virtual appliances with the Microsoft Network Controller which comes with Windows Server Technical Preview. For more information about the Network Controller, see Network Controller.

  • Hyper-V can host the top guest operating systems that you need.

The following virtual appliances are provided with Windows Server Technical Preview:

  • Software load balancer

    A layer-4 load balancer operating at datacenter scale. It is a version of the load balancer that Azure runs at scale in the Azure environment. For more information about the Microsoft Software Load Balancer, see Software Load Balancer Overview (coming soon). For more information about Microsoft Azure Load Balancing Services, see Microsoft Azure Load Balancing Services.

  • Site-to-Site gateway

    Provides a multitenant gateway solution that allows tenants to access and manage their resources over site-to-site VPN connections from remote sites, and that allows network traffic to flow between virtual resources in the cloud and tenant physical networks. For more information about the Windows Server Gateway, see Windows Server Gateway.

  • Forwarding gateway

    Routes traffic between virtual networks and the hosting provider's physical network. For example, if tenants create one or more virtual networks and need access to shared resources on the physical network at the hosting provider, the forwarding gateway can route traffic between the virtual network and the physical network to provide users working on the virtual network with the services that they need. For more information about the Windows Server Gateway, see Windows Server Gateway.

  • GRE tunnel gateways

    GRE-based tunnels enable connectivity between tenant virtual networks and external networks. Because the GRE protocol is lightweight and supported on most network devices, it is an ideal choice for tunneling where data encryption is not required. GRE support in Site-to-Site (S2S) tunnels solves the problem of forwarding between tenant virtual networks and tenant external networks through a multi-tenant gateway. For more information about GRE tunnels, see GRE Tunneling in Windows Server Technical Preview.
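As an added illustration of what "lightweight and not encrypted" means on the wire (example code written for this page, not part of the original page and not Microsoft's gateway implementation): a Python model of GRE encapsulation and decapsulation following the RFC 2784/2890 header layout, plus a small receive-side demultiplexer. The use of the GRE key to select the tenant virtual network, and the decision to drop frames with a missing or unknown key, are assumptions made here for the model.

```python
import struct
from typing import Dict, Optional

# GRE header flag bits in the first 16-bit word (RFC 2784 / RFC 2890).
GRE_FLAG_CHECKSUM = 0x8000   # C bit: 16-bit checksum + 16-bit reserved word follow
GRE_FLAG_KEY      = 0x2000   # K bit: 32-bit key follows
GRE_FLAG_SEQ      = 0x1000   # S bit: 32-bit sequence number follows
GRE_VERSION_MASK  = 0x0007   # version 0 is plain GRE
ETHERTYPE_IPV4    = 0x0800   # inner payload is an IPv4 packet (L3 tunnel)
ETHERTYPE_TEB     = 0x6558   # Transparent Ethernet Bridging: inner payload is an Ethernet frame (L2 tunnel)


def gre_encapsulate(payload: bytes, proto: int = ETHERTYPE_IPV4,
                    key: Optional[int] = None, seq: Optional[int] = None) -> bytes:
    """Prepend a GRE header to payload. The payload is carried as-is: there is no
    confidentiality or integrity protection, which is why GRE suits cases where
    encryption is not required."""
    flags = 0
    if key is not None:
        flags |= GRE_FLAG_KEY
    if seq is not None:
        flags |= GRE_FLAG_SEQ
    header = struct.pack("!HH", flags, proto)
    if key is not None:
        header += struct.pack("!I", key & 0xFFFFFFFF)
    if seq is not None:
        header += struct.pack("!I", seq & 0xFFFFFFFF)
    return header + payload


def _read_u32(frame: bytes, offset: int) -> int:
    if len(frame) < offset + 4:
        raise ValueError("truncated GRE optional field")
    return struct.unpack("!I", frame[offset:offset + 4])[0]


def gre_decapsulate(frame: bytes) -> Dict[str, object]:
    """Parse the GRE header and return protocol, optional key/sequence, and inner payload."""
    if len(frame) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", frame[:4])
    if flags & GRE_VERSION_MASK != 0:
        raise ValueError("unsupported GRE version %d" % (flags & GRE_VERSION_MASK))
    offset = 4
    key = seq = None
    if flags & GRE_FLAG_CHECKSUM:
        offset += 4           # checksum + reserved1; not validated in this model
    if flags & GRE_FLAG_KEY:
        key = _read_u32(frame, offset)
        offset += 4
    if flags & GRE_FLAG_SEQ:
        seq = _read_u32(frame, offset)
        offset += 4
    if len(frame) < offset:
        raise ValueError("truncated GRE header")
    return {"proto": proto, "key": key, "seq": seq, "payload": frame[offset:]}


def gateway_deliver(frame: bytes, key_to_tenant: Dict[int, str]) -> Dict[str, object]:
    """Receive side of a multi-tenant gateway (model assumption): the GRE key selects
    the tenant virtual network the inner packet belongs to. Frames carrying no key, or a
    key that maps to no tenant, are dropped rather than forwarded into any network."""
    inner = gre_decapsulate(frame)
    key = inner["key"]
    if key is None or key not in key_to_tenant:
        return {"action": "drop", "reason": "unknown-or-missing-key", "key": key}
    return {"action": "forward", "tenant": key_to_tenant[key], "payload": inner["payload"]}


if __name__ == "__main__":
    # Constructed sample: tenant keys 4001 and 4002, an inner payload standing in for an IPv4 packet.
    tenants = {4001: "contoso-vnet", 4002: "fabrikam-vnet"}
    frame = gre_encapsulate(b"inner-ipv4-packet", key=4001)
    print(frame.hex())                      # the payload is visible in the clear after the 8-byte header
    print(gateway_deliver(frame, tenants))  # forwarded to contoso-vnet
    print(gateway_deliver(gre_encapsulate(b"x", key=9999), tenants))  # dropped
```

The hex dump makes the page's caveat concrete: anyone on the path between the two gateways can read the inner packet, so GRE is for connectivity, not confidentiality; where the tenant needs encryption, the site-to-site VPN gateway is the right choice.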

  • Routing control plane (BGP)

    Hyper-V Network Virtualization (HNV) Routing Control is the logical, centralized entity in the control plane. It carries all the Customer Address space routes, learns them dynamically, and then updates the distributed routers in the virtual network. For more information about the BGP router, see BGP Router (coming soon).

  • Distributed multi-tenant firewall

    The firewall protects the network layer of virtual networks. The policies are enforced at the SDN vSwitch port of each tenant VM, so they cover all traffic flows, both east-west and north-south. Policies are pushed through the tenant portal, and the Network Controller distributes them to all applicable hosts. For more information about the distributed multi-tenant firewall, see Datacenter Firewall Overview.
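As an added worked example (written for this page; not part of the original page and not the Datacenter Firewall's own policy engine), the following Python model shows what "enforced at the vSwitch port of each tenant VM" implies for a flow decision: an east-west flow is checked by the source VM's outbound policy and by the destination VM's inbound policy, while a north-south flow is checked only at the tenant VM's port. The rule fields, priority ordering, first-match semantics and the deny-when-nothing-matches default are assumptions of the model; the two-tier tenant and its rules are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Rule:
    priority: int                    # lower number is evaluated first
    direction: str                   # "inbound" or "outbound", relative to the VM's vSwitch port
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # source prefix
    dst: str = "0.0.0.0/0"           # destination prefix
    protocol: str = "*"              # "tcp", "udp" or "*" for any
    dst_port: Optional[int] = None   # None means any port


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (ip_address(flow.src_ip) in ip_network(rule.src)
            and ip_address(flow.dst_ip) in ip_network(rule.dst)
            and rule.protocol in ("*", flow.protocol)
            and rule.dst_port in (None, flow.dst_port))


def evaluate_port(rules: List[Rule], direction: str, flow: Flow) -> str:
    """First matching rule in priority order wins; no match means deny (model assumption)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction == direction and rule_matches(rule, flow):
            return rule.action
    return "deny"


class DistributedFirewall:
    """Policy store keyed by tenant VM address, standing in for the vSwitch port the VM is attached to."""

    def __init__(self) -> None:
        self.port_rules: Dict[str, List[Rule]] = {}

    def attach(self, vm_ip: str, rules: List[Rule]) -> None:
        self.port_rules[vm_ip] = list(rules)

    def decide(self, flow: Flow) -> str:
        """Allowed only if every enforcement point the flow crosses allows it: the source
        VM's outbound policy (if the source is a tenant VM) and the destination VM's inbound
        policy (if the destination is a tenant VM)."""
        verdicts = []
        if flow.src_ip in self.port_rules:
            verdicts.append(evaluate_port(self.port_rules[flow.src_ip], "outbound", flow))
        if flow.dst_ip in self.port_rules:
            verdicts.append(evaluate_port(self.port_rules[flow.dst_ip], "inbound", flow))
        if not verdicts:
            return "deny"   # neither endpoint is a VM this firewall enforces for
        return "allow" if all(v == "allow" for v in verdicts) else "deny"


# Constructed tenant: a web-tier VM and a database VM on two subnets of one virtual network.
WEB_VM, DB_VM = "10.0.1.4", "10.0.2.4"


def build_sample_firewall() -> DistributedFirewall:
    fw = DistributedFirewall()
    fw.attach(WEB_VM, [
        Rule(100, "inbound", "allow", protocol="tcp", dst_port=443),                        # public HTTPS
        Rule(200, "inbound", "deny"),
        Rule(100, "outbound", "allow", dst="10.0.2.0/24", protocol="tcp", dst_port=1433),  # only SQL to the DB subnet
        Rule(200, "outbound", "deny"),
    ])
    fw.attach(DB_VM, [
        Rule(100, "inbound", "allow", src="10.0.1.0/24", protocol="tcp", dst_port=1433),   # only SQL from the web subnet
        Rule(200, "inbound", "deny"),
        Rule(100, "outbound", "deny"),                                                     # the database initiates nothing
    ])
    return fw


def sample_decisions() -> Dict[str, str]:
    fw = build_sample_firewall()
    return {
        "north-south internet->web:443": fw.decide(Flow("203.0.113.10", WEB_VM, "tcp", 443)),
        "north-south internet->db:1433": fw.decide(Flow("203.0.113.10", DB_VM, "tcp", 1433)),
        "east-west web->db:1433": fw.decide(Flow(WEB_VM, DB_VM, "tcp", 1433)),
        "east-west web->db:22": fw.decide(Flow(WEB_VM, DB_VM, "tcp", 22)),
        "east-west db->web:443": fw.decide(Flow(DB_VM, WEB_VM, "tcp", 443)),
    }


if __name__ == "__main__":
    for name, verdict in sample_decisions().items():
        print(f"{name:32} {verdict}")
```

The last case is the one worth noticing: the web VM accepts port 443 from anywhere, yet a connection from the database VM is still denied, because the database VM's own outbound policy is evaluated at its port before the traffic ever reaches the web VM. Per-port enforcement on both ends is what limits lateral movement inside the virtual network, independent of any perimeter device.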

Service chaining allows the tenant administrator to specify multiple virtual appliances in a chain, grouped together so that the selected network traffic passes through each appliance in the order specified. You can load balance the chain and build redundancy into it to handle failure and excessive load in the service chain.

The Microsoft Network Controller interacts with the service chain to accomplish the following:

  • Detect the virtual network topology, including where tenant virtual machines and virtual appliances are hosted.

  • Know about all the virtual appliances and their deployment requirements.

  • Connect service chaining policies in response to management configuration or to runtime events from the switching/routing endpoints. For example:

    • New tenant virtual machines that require services from virtual appliances are added, or existing ones are removed.

    • Tenant virtual machines are live-migrated.

    • Services are added, updated, or removed.

  • Monitor the health of virtual appliances and react to failures:

    • Spin up a new instance of the virtual appliance.

    • Redirect traffic to a standby virtual appliance.

    • Block traffic in the data path until service is restored.

  • Meter network usage of each virtual appliance.
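As an added example of the controller behaviour listed above (written for this page; it is not part of the original page and not the Microsoft Network Controller's code or API), the following Python model resolves a service chain into an ordered path, redirects a hop to its standby instance when the active one is unhealthy, holds traffic (fails closed) when a hop has no healthy instance at all, and meters bytes per appliance. The appliance names, the chain and the health events are constructed sample data; the specific failover and metering rules are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


class ChainBlocked(Exception):
    """A hop has no healthy instance; traffic is held rather than bypassing that hop."""


@dataclass
class Appliance:
    name: str
    kind: str                       # e.g. "firewall", "ids", "lb"
    healthy: bool = True
    standby: Optional[str] = None   # name of a standby instance of the same kind
    bytes_seen: int = 0             # metering counter


@dataclass
class ServiceChain:
    name: str
    hops: List[str]                 # ordered appliance names the traffic must traverse


class ServiceChainController:
    def __init__(self) -> None:
        self.appliances: Dict[str, Appliance] = {}
        self.chains: Dict[str, ServiceChain] = {}
        self.events: List[str] = []          # audit trail of health changes and redirects

    def register(self, app: Appliance) -> None:
        self.appliances[app.name] = app

    def define_chain(self, name: str, hops: List[str]) -> None:
        missing = [h for h in hops if h not in self.appliances]
        if missing:
            raise KeyError(f"unknown appliances in chain {name}: {missing}")
        self.chains[name] = ServiceChain(name, list(hops))

    def report_health(self, name: str, healthy: bool) -> None:
        self.appliances[name].healthy = healthy
        self.events.append(f"health {name}={'up' if healthy else 'down'}")

    def resolve_path(self, chain_name: str) -> List[str]:
        """Map each hop to a healthy instance, in chain order. An unhealthy hop is replaced
        by its standby if that standby is healthy and of the same kind; otherwise the chain
        is blocked, because skipping an inspection hop would silently remove a control."""
        path: List[str] = []
        for hop in self.chains[chain_name].hops:
            app = self.appliances[hop]
            if app.healthy:
                path.append(hop)
                continue
            standby = self.appliances.get(app.standby) if app.standby else None
            if standby is not None and standby.healthy and standby.kind == app.kind:
                self.events.append(f"redirect {hop}->{standby.name}")
                path.append(standby.name)
                continue
            self.events.append(f"block {chain_name}: no healthy instance for {hop}")
            raise ChainBlocked(hop)
        return path

    def dispatch(self, chain_name: str, nbytes: int) -> List[str]:
        """Send nbytes of traffic through the chain; meter every appliance on the resolved path."""
        path = self.resolve_path(chain_name)
        for name in path:
            self.appliances[name].bytes_seen += nbytes
        return path

    def usage(self) -> Dict[str, int]:
        return {n: a.bytes_seen for n, a in self.appliances.items()}


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: firewall (with standby), IDS and load balancer in one chain."""
    ctl = ServiceChainController()
    for app in (Appliance("fw-1", "firewall", standby="fw-2"),
                Appliance("fw-2", "firewall"),
                Appliance("ids-1", "ids"),
                Appliance("lb-1", "lb")):
        ctl.register(app)
    ctl.define_chain("web-ingress", ["fw-1", "ids-1", "lb-1"])
    results: Dict[str, object] = {}
    results["normal"] = ctl.dispatch("web-ingress", 1000)
    ctl.report_health("fw-1", False)              # active firewall fails: redirect to standby
    results["fw_failover"] = ctl.dispatch("web-ingress", 1000)
    ctl.report_health("ids-1", False)             # IDS fails with no standby: hold traffic
    try:
        ctl.dispatch("web-ingress", 1000)
        results["ids_down"] = "forwarded"
    except ChainBlocked as exc:
        results["ids_down"] = f"blocked at {exc}"
    ctl.report_health("ids-1", True)              # service restored: traffic flows again
    results["ids_restored"] = ctl.dispatch("web-ingress", 1000)
    results["usage"] = ctl.usage()
    results["events"] = list(ctl.events)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design choice to highlight is the fail-closed step: when the IDS hop has no healthy instance, the controller blocks the chain instead of forwarding around it, matching the "block traffic in the data path until service is restored" behaviour above. The metering counters also show that a standby instance accrues usage only while it is actually carrying traffic.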

Northbound APIs are available for first- and third-party management applications to interact with the controller and manage the service chaining policies. Standard southbound APIs are available to orchestrate and deploy virtual appliances as well as the service chaining policies.

No changes are needed to deploy third-party virtual appliances on the Windows platform, and no extra information needs to be passed to the virtual appliance. There is also no need for Microsoft to have a formal partnership with the virtual appliance creator.

The tenant administrator can monitor the appliance network connections and will be alerted if a link is down.

Virtual appliances running on the Windows platform perform competitively with other platforms. Bulk throughput as measured by iperf on a 10 Gbps interface (virtual machine to virtual machine) is around 9 Gbps. Forwarding throughput with a Linux virtual machine acting as a gateway (on 10 Gbps interfaces) is around 7 Gbps.