Post on 14-May-2015
Microsoft Virtual Academy
M3: Security, Multi-tenancy & Flexibility
Symon Perriman, Technical Evangelist; Matt McSpirit, Technical Product Manager
Introduction to Hyper-V Jump Start
Part 1 | Windows Server 2012 Hyper-V & VMware vSphere 5.1
  (01) Introduction & Scalability
  (02) Storage & Resource Management
  (03) Security, Multi-tenancy & Flexibility
  (04) High-Availability & Resiliency
Part 2 | System Center 2012 SP1 & VMware’s Private Cloud
  (05) Introduction & Overview of System Center 2012
  (06) Application Management
  (07) Cross-Platform Management
  (08) Foundation, Hybrid Clouds & Costs
Module Agenda
Multitenancy and Security: Hyper-V Extensible Switch, Networking Performance, Security
Flexible Infrastructure: Virtual Machine Mobility, Network Virtualization
Multi-Tenancy & Security
Hyper-V Extensible Switch: Isolation and Multitenancy
New feature: handles network traffic among virtual machines, the external network, and the host operating system.
Benefits:
• Layer 2 virtual interface
• Managed programmatically
• Extensible by partners or customers
[Diagram: three virtual machines, each running a network application behind a virtual network adapter, connect to the Hyper-V Extensible Switch on the Hyper-V host; the switch connects through the physical network adapter to the physical switch.]
Hyper-V Extensible Switch
The Hyper-V Extensible Switch allows a deeper integration with customers’ existing network infrastructure, monitoring and security tools.
• PVLANs
• ARP/ND Poisoning Protection
• DHCP Guard Protection
• Virtual Port ACLs
• Trunk Mode to Virtual Machines
• Monitoring & Port Mirroring
• Windows PowerShell & WMI Management
Hyper-V Extensible Switch: Multiple Partner Extensions
The Hyper-V Extensible Switch is an open platform that lets multiple vendors provide extensions that are written to standard Windows API frameworks.
Partner extensions: Cisco Nexus 1000V, Cisco UCS VM-FEX, 5nine Security Manager, NEC OpenFlow, InMon sFlow
Extension types: Packet Inspection, Packet Filtering, Network Forwarding, Intrusion Detection
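The switch features listed on the two slides above (DHCP Guard, router/ARP protection, port ACLs, PVLANs, trunk mode, port mirroring, partner extensions) are all exposed through the Windows Server 2012 Hyper-V PowerShell module. The following is an added example, not code from the deck or from Microsoft, that applies them to one tenant VM; the VM name Blue1, the switch TenantSwitch, the monitoring VM NetMon, the virtual router EdgeRouter, the VLAN IDs and the tenant subnet 10.0.0.0/24 are placeholders.

```powershell
# Added example (not from the MVA deck): hardening a tenant VM's vNIC on the Hyper-V
# Extensible Switch. All names, VLAN IDs and subnets below are placeholders.
$VM     = 'Blue1'
$Switch = 'TenantSwitch'

# DHCP Guard drops DHCP server messages sent by the guest (no rogue DHCP from a tenant).
# Router Guard drops router advertisements/redirects sent by the guest.
# MAC spoofing Off pins outbound frames to the vNIC's assigned MAC address.
Set-VMNetworkAdapter -VMName $VM -DhcpGuard On -RouterGuard On -MacAddressSpoofing Off

# Virtual Port ACLs: a default deny for any remote address plus an allow for the tenant's
# own subnet. The more specific prefix takes precedence, so ANY acts as the default.
Add-VMNetworkAdapterAcl -VMName $VM -RemoteIPAddress ANY         -Direction Both -Action Deny
Add-VMNetworkAdapterAcl -VMName $VM -RemoteIPAddress 10.0.0.0/24 -Direction Both -Action Allow

# PVLAN isolated port: the VM reaches the promiscuous port(s) of primary VLAN 100 but not
# other isolated ports in secondary VLAN 200 (placeholder VLAN IDs).
Set-VMNetworkAdapterVlan -VMName $VM -Isolated -PrimaryVlanId 100 -SecondaryVlanId 200

# Trunk mode is for a VM that must see several VLANs itself, e.g. a virtual router.
Set-VMNetworkAdapterVlan -VMName 'EdgeRouter' -Trunk -AllowedVlanIdList '100-110' -NativeVlanId 100

# Port mirroring: copy this VM's traffic to the monitoring VM's adapter on the same switch.
Set-VMNetworkAdapter -VMName $VM       -PortMirroring Source
Set-VMNetworkAdapter -VMName 'NetMon'  -PortMirroring Destination

# Verify the resulting port configuration and which switch extensions are loaded/enabled.
Get-VMNetworkAdapter -VMName $VM |
    Select-Object VMName, DhcpGuard, RouterGuard, MacAddressSpoofing, PortMirroring
Get-VMNetworkAdapterAcl  -VMName $VM
Get-VMNetworkAdapterVlan -VMName $VM
Get-VMSwitchExtension -VMSwitchName $Switch |
    Select-Object Name, Vendor, ExtensionType, Enabled, Running
```

The mirroring destination and source must sit on the same virtual switch, and a port can be either isolated (PVLAN) or trunked, not both; that is why the trunk example targets a different VM.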
VMware Comparison
The Hyper-V Extensible Switch is open and extensible, unlike VMware’s vSwitch, which is closed and replaceable.

Capability                       Hyper-V (2012)   vSphere Hypervisor   vSphere 5.1 Enterprise Plus
Extensible vSwitch               Yes              No                   Replaceable [1]
Confirmed Partner Extensions     5                No                   2
Private Virtual LAN (PVLAN)      Yes              No                   Yes [1]
ARP Spoofing Protection          Yes              No                   vCNS/Partner [2]
DHCP Snooping Protection         Yes              No                   vCNS/Partner [2]
Virtual Port ACLs                Yes              No                   vCNS/Partner [2]
Trunk Mode to Virtual Machines   Yes              No                   Yes [3]
Port Monitoring                  Yes              Per Port Group       Yes [3]
Port Mirroring                   Yes              Per Port Group       Yes [3]

[1] The vSphere Distributed Switch (required for PVLAN capability) is available only in the Enterprise Plus edition of vSphere 5.1 and is replaceable (by partners such as Cisco/IBM) rather than extensible.
[2] ARP Spoofing, DHCP Snooping Protection & Virtual Port ACLs require the App component of the VMware vCloud Network & Security (vCNS) product or a partner solution, all of which are additional purchases.
[3] Trunking VLANs to individual vNICs, and Port Monitoring and Mirroring at a granular level, require the vSphere Distributed Switch, which is available in the Enterprise Plus edition of vSphere 5.1.
vSphere Hypervisor / vSphere 5.x Ent+ information: http://www.vmware.com/products/cisco-nexus-1000V/overview.html, http://www-03.ibm.com/systems/networking/switches/virtual/dvs5000v/, http://www.vmware.com/technical-resources/virtualization-topics/virtual-networking/distributed-virtual-switches.html, http://www.vmware.com/files/pdf/techpaper/Whats-New-VMware-vSphere-51-Network-Technical-Whitepaper.pdf, http://www.vmware.com/products/vshield-app/features.html and http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/data_sheet_c78-492971.html
Networking Performance
The Hyper-V Extensible Switch takes advantage of hardware innovation to drive the highest levels of networking performance within virtual machines.
• Dynamic VMq: dynamically span multiple CPUs when processing virtual machine network traffic
• IPsec Task Offload: offload IPsec processing from within the virtual machine to the physical network adaptor, enhancing performance
• SR-IOV Support: map a virtual function of an SR-IOV capable physical network adaptor directly to a virtual machine
Single-Root I/O Virtualization (SR-IOV)
• Reduces latency of network path
• Reduces CPU utilization for processing network traffic
• Increases throughput
• Direct device assignment to virtual machines without compromising flexibility
• Supports Live Migration
[Diagram: network I/O path without SR-IOV: the virtual machine network stack sends through its virtual NIC and VMBus to the root partition, where the Hyper-V Switch performs routing, VLAN filtering and a data copy before the physical NIC. Network I/O path with SR-IOV: the virtual machine network stack is mapped directly to a Virtual Function of the SR-IOV physical NIC, bypassing the root partition.]
SR-IOV Enabling & Live Migration
Enable IOV (a VM NIC property): turn on IOV, a Virtual Function is “Assigned” to the VM, a team of the software NIC and the Virtual Function is automatically created, and traffic flows through the VF; the software path is not used.
Live Migration: break the team, remove the VF from the VM, and migrate as normal.
Post Migration: reassign a Virtual Function, assuming resources are available. The VM has connectivity even if:
• the switch is not in IOV mode
• an IOV physical NIC is not present
• the NIC vendor is different
• the NIC firmware is different
[Diagram: inside the VM a “TEAM” pairs a software NIC, attached to the software switch in IOV mode, with a Virtual Function of the SR-IOV physical NIC; while the VF is assigned the software path is not used, and the software NIC half of the team keeps the VM connected when no VF is available.]
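The enable/migrate/reassign sequence above needs no special handling from the administrator, but it is worth being able to see which path a VM is on. The following is an added example, not from the deck, using the Windows Server 2012 Hyper-V cmdlets; the NIC name NIC1, switch IovSwitch, VM Blue1 and target host HV02 are placeholders, and the helper Get-VfState is defined here for the example.

```powershell
# Added example (not from the MVA deck): enabling SR-IOV for a VM and checking whether the
# Virtual Function (VF) data path is active before and after a live migration.
# Placeholders: NIC "NIC1" on both hosts, switch "IovSwitch", VM "Blue1", target host "HV02".

# 1. IOV on the external switch can only be chosen when the switch is created.
New-VMSwitch -Name 'IovSwitch' -NetAdapterName 'NIC1' -EnableIov $true

# IovSupportReasons explains what is missing (BIOS, chipset, NIC driver) if IovSupport is $false.
Get-VMSwitch -Name 'IovSwitch' | Select-Object Name, IovEnabled, IovSupport, IovSupportReasons

# 2. Enable IOV on the VM NIC property: a non-zero IovWeight asks Hyper-V for a VF. Hyper-V
# then teams the software NIC with the VF and moves traffic onto the VF automatically.
Connect-VMNetworkAdapter -VMName 'Blue1' -SwitchName 'IovSwitch'
Set-VMNetworkAdapter     -VMName 'Blue1' -IovWeight 100

function Get-VfState {
    # Helper defined for this example. VFDataPathActive is $true while traffic uses the VF
    # and $false while the software (VMBus) path is in use, e.g. during a migration or on
    # a host whose switch is not in IOV mode.
    param([string]$VMName, [string]$ComputerName = 'localhost')
    Get-VMNetworkAdapter -VMName $VMName -ComputerName $ComputerName |
        Select-Object VMName, SwitchName, IovWeight, VFDataPathActive, Status
}

Get-VfState -VMName 'Blue1'

# 3. Live migration: Hyper-V breaks the team, removes the VF, migrates over the software
# path, then reassigns a VF on the target if resources are available. Nothing extra to do.
Move-VM -Name 'Blue1' -DestinationHost 'HV02'

# 4. Post migration: $true means Blue1 got a VF on HV02; $false means it is connected but
# running on the software path (no IOV switch, no IOV NIC, or VFs exhausted there).
Get-VfState -VMName 'Blue1' -ComputerName 'HV02'
```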
Physical Security
BitLocker ensures your data stays secure, even when your Hyper-V hosts, clusters, and storage reside in less-physically-secure locations.
BitLocker protects: Local Disk, Traditional Cluster Disk, CSV 2.0
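Of the three targets above, the Cluster Shared Volume is the one with a twist: every node must be able to unlock it on failover, which is done with an Active Directory account protector for the cluster name object. The following is an added example, not from the deck, using the Windows Server 2012 BitLocker and FailoverClusters cmdlets; the resource name, mount point and cluster account are placeholders.

```powershell
# Added example (not from the MVA deck): BitLocker on a Cluster Shared Volume holding VM files.
# Placeholders: cluster disk resource "Cluster Disk 1" mounted at C:\ClusterStorage\Volume1,
# and the cluster name object CONTOSO\HVCLUSTER$.
$Resource   = 'Cluster Disk 1'
$MountPoint = 'C:\ClusterStorage\Volume1'
$ClusterCNO = 'CONTOSO\HVCLUSTER$'

# The CSV must be in maintenance mode while protectors are added, so move or drain the VMs
# that live on it first.
Suspend-ClusterResource -Name $Resource -VolumeName $MountPoint

# Turn on BitLocker with a recovery password (escrow it, e.g. in AD DS), then add an
# AD account/group protector for the cluster name object so any node can unlock the volume.
Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector
Add-BitLockerKeyProtector -MountPoint $MountPoint -AdAccountOrGroupProtector -AdAccountOrGroup $ClusterCNO

Resume-ClusterResource -Name $Resource -VolumeName $MountPoint

# Verify: ProtectionStatus should be On, and the key protectors should list both the
# RecoveryPassword and the AdAccountOrGroup entry for the cluster.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```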
VMware Comparison
Unlike VMware, Hyper-V’s SR-IOV support ensures the highest performance without sacrificing key features such as Live Migration.

Capability                      Hyper-V (2012)   vSphere Hypervisor   vSphere 5.1 Enterprise Plus
Dynamic Virtual Machine Queue   Yes              NetQueue [1]         NetQueue [1]
IPsec Task Offload              Yes              No                   No
SR-IOV with Live Migration      Yes              No [2]               No [2]
Storage Encryption              Yes              No                   No

[1] VMware vSphere and the vSphere Hypervisor support VMq only (NetQueue).
[2] VMware’s SR-IOV implementation does not support vMotion, HA or Fault Tolerance. DirectPath I/O, whilst not identical to SR-IOV, aims to provide virtual machines with more direct access to hardware devices, with network cards being a good example. Whilst on the surface this will boost VM networking performance and reduce the burden on host CPU cycles, in reality there are a number of caveats in using DirectPath I/O:
• Very small Hardware Compatibility List
• No Memory Overcommit
• No vMotion (unless running certain configurations of Cisco UCS)
• No Fault Tolerance
• No Network I/O Control
• No VM Snapshots (unless running certain configurations of Cisco UCS)
• No Suspend/Resume (unless running certain configurations of Cisco UCS)
• No VMsafe/Endpoint Security support
SR-IOV also requires the vSphere Distributed Switch, meaning customers have to upgrade to the highest vSphere edition to take advantage of this capability. No such restrictions are imposed when using SR-IOV in Hyper-V, ensuring customers can combine the highest levels of performance with the flexibility they need for an agile infrastructure.
vSphere Hypervisor / vSphere 5.x Ent+ information: http://www.vmware.com/pdf/Perf_Best_Practices_vSphere5.1.pdf
Flexible Infrastructure
Virtual Machine Mobility
Live Migration: faster, unrestricted, simultaneous VM live migrations between cluster nodes with no downtime.
Migrate virtual machines without downtime.
Improvements:
• Faster and simultaneous migration
• Live migration outside a clustered environment
• Store virtual machines on a File Share
[Diagram: live migration based on a server message block (SMB) share. Live migration setup: the VM’s configuration data is sent over an IP connection to the target host. Memory pages are transferred, then modified memory pages are transferred, and finally the storage handle to the VM on the SMB network storage is moved to the target host.]
Live Storage Migration: move the virtual hard disks of running virtual machines to a different storage location with no downtime.
Move virtual machine storage without downtime.
Benefits:
• Manage storage in a cloud environment with greater flexibility and control
• Move storage with no downtime
• Update physical storage available to a virtual machine (such as SMB-based storage)
• Windows PowerShell cmdlets
[Diagram: live migration of storage, moving the virtual hard disks attached to a running virtual machine from a source device to a target device on a computer running Hyper-V. 1. Reads and writes go to the source VHD. 2. Disk contents are copied to the new destination VHD. 3. Disk writes are mirrored; outstanding changes are replicated. 4. Reads and writes go to the new destination VHD.]
Shared-Nothing Live Migration: move virtual machines between Hyper-V hosts with nothing but a network cable.
Migrate virtual machines without downtime.
Benefits:
• Increase flexibility of virtual machine placement
• Increase administrator efficiency
• Reduce downtime for migrations across cluster boundaries
[Diagram: shared-nothing live migration from a source Hyper-V host to a destination Hyper-V host over an IP connection, carrying configuration data, memory content and modified memory pages. Live migration begins: reads and writes go to the source VHD. Live migration continues: disk contents are copied to the new destination VHD, then disk writes are mirrored and outstanding changes are replicated while memory is transferred. Live migration completes.]
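The three mobility scenarios above (live migration with VM files on an SMB share, live storage migration, and shared-nothing live migration) map onto two cmdlets once the hosts are configured. The following is an added example, not from the deck, for Windows Server 2012; hosts HV01/HV02, VM Blue1, the migration network 10.10.50.0/24, the share \\FS01\VMs and the path D:\VMs are placeholders, and Test-MigrationReadiness is a helper defined here.

```powershell
# Added example (not from the MVA deck): host configuration and the three migration moves.
# Placeholders: hosts HV01 (source) and HV02 (target), VM "Blue1", migration network
# 10.10.50.0/24, SMB share \\FS01\VMs, local path D:\VMs on HV02.

# --- One-time host configuration (run on every host) ---
Enable-VMMigration
Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos `
           -MaximumVirtualMachineMigrations 4 `
           -MaximumStorageMigrations 2 `
           -UseAnyNetworkForMigration $false
# Memory pages cross the wire during a migration, so pin that traffic to a dedicated network.
Add-VMMigrationNetwork 10.10.50.0/24

function Test-MigrationReadiness {
    # Helper defined for this example: show the settings that must match on both hosts.
    param([string]$ComputerName = 'localhost')
    Get-VMHost -ComputerName $ComputerName |
        Select-Object Name, VirtualMachineMigrationEnabled, VirtualMachineMigrationAuthenticationType,
                      MaximumVirtualMachineMigrations, MaximumStorageMigrations, UseAnyNetworkForMigration
}
Test-MigrationReadiness -ComputerName 'HV01'
Test-MigrationReadiness -ComputerName 'HV02'

# --- Scenario 1: live migration with the VM files on an SMB share (no cluster needed) ---
# Only configuration, memory pages and the storage handle move; the VHDs stay on \\FS01\VMs.
Move-VM -Name 'Blue1' -DestinationHost 'HV02'

# --- Scenario 2: live storage migration while the VM keeps running ---
# Reads/writes stay on the source VHD while it is copied, writes are mirrored, then the
# VM switches to the destination VHD.
Move-VMStorage -VMName 'Blue1' -DestinationStoragePath '\\FS01\VMs\Blue1'

# --- Scenario 3: shared-nothing live migration (VM state and storage over the network) ---
Move-VM -Name 'Blue1' -DestinationHost 'HV02' -IncludeStorage -DestinationStoragePath 'D:\VMs\Blue1'

# Confirm where the VM now runs and where its disks live.
Get-VM -Name 'Blue1' -ComputerName 'HV02' | Select-Object Name, State, ComputerName, Path
Get-VMHardDiskDrive -VMName 'Blue1' -ComputerName 'HV02' | Select-Object VMName, Path
```

Kerberos authentication avoids sending host credentials with CredSSP, but when Move-VM is run from a third machine rather than on the source host it requires constrained delegation for the CIFS and Microsoft Virtual System Migration Service on the host computer accounts.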
Network Virtualization
• Secure Isolation: isolate network traffic from different business units or customers on a shared infrastructure without VLANs
• Flexible Migrations: move VMs as needed within your virtual infrastructure while preserving their virtual network assignments
• Seamless Integration: transparently integrate these private networks into a preexisting infrastructure on another site
Dynamic VLAN Reconfiguration is Cumbersome
[Diagram: VMs carrying VLAN tags connect through top-of-rack (ToR) switches to the aggregation switches.]
Topology limits VM placement and requires reconfiguration of production switches.
Hyper-V Network Virtualization
Server virtualization: run multiple virtual servers on a physical server; each VM has the illusion it is running as a physical server.
Hyper-V Network Virtualization: run multiple virtual networks on a physical network; each virtual network has the illusion it is running as a physical network.
[Diagram: a Blue VM and a Red VM share a physical server; a Blue Network and a Red Network share a physical network. The virtualization policy is held in System Center.]
Virtualize Customer Addresses
Customer Address Space (CA): BlueCorp has Blue1 (10.0.0.5) and Blue2 (10.0.0.7); RedCorp has Red1 (10.0.0.5) and Red2 (10.0.0.7). Both tenants use the same IP addresses.
Provider Address Space (PA): on the datacenter network Host 1 is 192.168.4.11 and Host 2 is 192.168.4.22. Blue1 and Red1 run on Host 1; Blue2 and Red2 run on Host 2.
Virtualization policy (CA → PA):
Blue: 10.0.0.5 → 192.168.4.11, 10.0.0.7 → 192.168.4.22
Red:  10.0.0.5 → 192.168.4.11, 10.0.0.7 → 192.168.4.22
Hyper-V NV Concepts
Customer Network: one or more virtual subnets forming an isolation boundary. A customer may have multiple Customer Networks, e.g. Blue R&D and Blue Sales.
Virtual Subnet: broadcast boundary.
[Diagram: in the hoster datacenter, Blue Corp has a Blue R&D Net and a Blue Sales Net made up of Blue Subnet1 to Blue Subnet5; Red Corp has a Red HR Net made up of Red Subnet1 and Red Subnet2. Each customer network contains different subnets.]
Standards-Based Encapsulation: NVGRE
• Better network scalability by sharing a PA among VMs
• Explicit Virtual Subnet ID for better multi-tenancy support
[Diagram: a Blue packet 10.0.0.5 → 10.0.0.7 and a Red packet 10.0.0.5 → 10.0.0.7 leave the host with PA 192.168.2.22 for the host with PA 192.168.5.55. On the wire each is an NVGRE packet: outer MAC, outer IP 192.168.2.22 → 192.168.5.55, GRE Key 5001 (Blue) or GRE Key 6001 (Red), inner MAC, inner IP 10.0.0.5 → 10.0.0.7.]
Hyper-V NV Architecture
• Network Virtualization is transparent to VMs
• Management OS traffic is NOT virtualized; only VM traffic
• Hyper-V Switch and Extensions operate in CA space
[Diagram: Host 1 runs VM1 (CA1, PA1) and VMX (CAX, PAX); Host 2 runs VM2 (CA2, PA2) and VMY (CAY, PAY). System Center holds the data center policy: Blue: VM1 = MAC1, CA1, PA1; VM2 = MAC2, CA2, PA3; VM3 = MAC3, CA3, PA5; … Red: VM1 = MACX, CA1, PA2; VM2 = MACY, CA2, PA4; VM3 = MACZ, CA3, PA6; … On each Windows Server 2012 host the System Center host agent delivers the policy to the Network Virtualization filter (IP virtualization, policy enforcement, routing) in the host network stack, which sits between the Hyper-V Switch (VSID ACL isolation, switch extensions) and the NIC. Separate NICs carry management, cluster, storage and live migration traffic.]
Packet Flow: Blue1 Sending to Blue2
[Diagram setup: Host 1 (PA 192.168.4.11, MACPA1) runs Blue1 (10.0.0.5, VSID 5001) and Red1 (10.0.0.5, VSID 6001); Host 2 (PA 192.168.4.22, MACPA2) runs Blue2 (10.0.0.7, VSID 5001) and Red2 (10.0.0.7, VSID 6001). On each host the Hyper-V Switch performs VSID ACL enforcement and the Network Virtualization filter performs IP virtualization, policy enforcement and routing.]
1. Blue1 asks “where is 10.0.0.7?” and sends an ARP for 10.0.0.7. The Hyper-V Switch broadcasts the ARP (OOB: VSID 5001) to all local VMs on VSID 5001 and to the Network Virtualization filter. The ARP is NOT broadcast to the network.
2. The Network Virtualization filter responds to the ARP for IP 10.0.0.7 on VSID 5001 with Blue2’s MAC: “Use MACB2 for 10.0.0.7”. Blue1 learns the MAC of Blue2. Again, the ARP is NOT broadcast to the network.
3. Blue1 sends the packet MACB1 → MACB2, 10.0.0.5 → 10.0.0.7. In the Hyper-V Switch and in the Network Virtualization filter it carries OOB: VSID 5001. NVGRE on the wire: MACPA1 → MACPA2, 192.168.4.11 → 192.168.4.22, GRE key 5001, MACB1 → MACB2, 10.0.0.5 → 10.0.0.7.
Packet Flow: Blue2 Receiving from Blue1
4. The NVGRE packet (MACPA1 → MACPA2, 192.168.4.11 → 192.168.4.22, 5001, MACB1 → MACB2, 10.0.0.5 → 10.0.0.7) arrives at Host 2. In the Network Virtualization filter it becomes MACB1 → MACB2, 10.0.0.5 → 10.0.0.7 with OOB: VSID 5001, the Hyper-V Switch carries it with OOB: VSID 5001, and Blue2 receives MACB1 → MACB2, 10.0.0.5 → 10.0.0.7.
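The packet flow above works because every host holds the same policy table: for each VSID, the customer address, the provider address of the host that currently runs it, and the VM’s MAC. That table is also what lets the Network Virtualization filter answer Blue1’s ARP locally. The following is an added example, not from the deck or from System Center, that builds the Blue/Red policy of the slides with the Windows Server 2012 NetWNV cmdlets; the NIC name Ethernet with interface index 12, the VM MAC addresses and the two routing-domain GUIDs are constructed for this example.

```powershell
# Added example (not from the MVA deck): Windows Server 2012 Network Virtualization policy
# for Blue1/Blue2 (VSID 5001) and Red1/Red2 (VSID 6001) on Host 1 (PA 192.168.4.11) and
# Host 2 (PA 192.168.4.22). NIC name/index, MACs and routing-domain GUIDs are constructed.

# 1. Bind the Network Virtualization filter (ms_netwnv) to the datacenter-facing NIC.
Enable-NetAdapterBinding -Name 'Ethernet' -ComponentID ms_netwnv

# 2. This host's provider address (use 192.168.4.11 on Host 1, 192.168.4.22 on Host 2).
New-NetVirtualizationProviderAddress -InterfaceIndex 12 -ProviderAddress 192.168.4.11 -PrefixLength 24

# 3. Lookup records: CA -> PA plus the VM MAC, keyed by Virtual Subnet ID. The same CA
# 10.0.0.5 appears twice; the VSID (the GRE key on the wire) keeps Blue and Red apart.
# Identical on every host, which is why the filter can answer ARP for 10.0.0.7 locally.
$BlueID = '{11111111-2222-3333-4444-000000005001}'   # constructed routing domain for BlueCorp
$RedID  = '{11111111-2222-3333-4444-000000006001}'   # constructed routing domain for RedCorp
$Policy = @(
    @{ VM='Blue1'; CA='10.0.0.5'; PA='192.168.4.11'; VSID=5001; MAC='00155D0B0001'; Cust=$BlueID },
    @{ VM='Blue2'; CA='10.0.0.7'; PA='192.168.4.22'; VSID=5001; MAC='00155D0B0002'; Cust=$BlueID },
    @{ VM='Red1';  CA='10.0.0.5'; PA='192.168.4.11'; VSID=6001; MAC='00155D0D0001'; Cust=$RedID  },
    @{ VM='Red2';  CA='10.0.0.7'; PA='192.168.4.22'; VSID=6001; MAC='00155D0D0002'; Cust=$RedID  }
)
foreach ($r in $Policy) {
    New-NetVirtualizationLookupRecord -CustomerAddress $r.CA -ProviderAddress $r.PA `
        -VirtualSubnetID $r.VSID -MACAddress $r.MAC -CustomerID $r.Cust -Rule TranslationMethodEncap
}

# 4. Customer routes: one per (routing domain, virtual subnet). Both tenants use 10.0.0.0/24,
# but each route lives in its own routing domain.
New-NetVirtualizationCustomerRoute -RoutingDomainID $BlueID -VirtualSubnetID 5001 -DestinationPrefix 10.0.0.0/24 -NextHop 0.0.0.0 -Metric 255
New-NetVirtualizationCustomerRoute -RoutingDomainID $RedID  -VirtualSubnetID 6001 -DestinationPrefix 10.0.0.0/24 -NextHop 0.0.0.0 -Metric 255

# 5. Host-specific: give each local VM the MAC its lookup record names and tag its vNIC
# with the VSID. The switch's VSID ACL then keeps Blue1 and Red1 apart on the same host
# even though both are 10.0.0.5. (On Host 2 do the same for Blue2 and Red2.)
Set-VMNetworkAdapter -VMName 'Blue1' -StaticMacAddress '00155D0B0001' -VirtualSubnetId 5001
Set-VMNetworkAdapter -VMName 'Red1'  -StaticMacAddress '00155D0D0001' -VirtualSubnetId 6001

# Verify: the policy table every host must agree on.
Get-NetVirtualizationLookupRecord |
    Sort-Object VirtualSubnetID, CustomerAddress |
    Format-Table VirtualSubnetID, CustomerAddress, ProviderAddress, MACAddress, Rule -AutoSize
```

Steps 3 and 4 are identical on all hosts (in production System Center distributes them); steps 2 and 5 differ per host. When a VM live-migrates, only its lookup record’s ProviderAddress changes, which is what keeps the CA and virtual network assignment stable across the move.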
VMware Comparison
Only Hyper-V provides key VM migration features in the box, with no additional licensing costs.

Capability                           Hyper-V (2012)   vSphere Hypervisor   vSphere 5.1 Enterprise Plus
VM Live Migration                    Yes              No [1]               Yes [2]
1GB Simultaneous Live Migrations     Unlimited [3]    N/A                  4
10GB Simultaneous Live Migrations    Unlimited [3]    N/A                  8
Live Storage Migration               Yes              No [4]               Yes [5]
Shared Nothing Live Migration        Yes              No                   Yes [5]
Network Virtualization               Yes              No                   VXLAN [6]

[1] Live Migration (vMotion) is unavailable in the vSphere Hypervisor; vSphere 5.1 is required.
[2] Live Migration (vMotion) and Shared Nothing Live Migration (Enhanced vMotion) are available in Essentials Plus & higher editions of vSphere 5.1.
[3] Within the technical capabilities of the networking hardware.
[4] Live Storage Migration (Storage vMotion) is unavailable in the vSphere Hypervisor.
[5] Live Storage Migration (Storage vMotion) is available in Standard, Enterprise & Enterprise Plus editions of vSphere 5.1.
[6] VXLAN is a feature of the vCloud Networking & Security product, which is available at additional cost to vSphere 5.1. In addition, it requires the vSphere Distributed Switch, only available in vSphere 5.1 Enterprise Plus.
vSphere Hypervisor / vSphere 5.x Ent+ information: http://www.vmware.com/products/vsphere/buy/editions_comparison.html, http://www.vmware.com/files/pdf/products/vcns/vCloud-Networking-and-Security-Overview-Whitepaper.pdf, http://www.vmware.com/products/datacenter-virtualization/vcloud-network-security/features.html#vxlan
©2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.