Azure Site Recovery for VMware VMs

Azure Site Recovery orchestrates and manages disaster recovery for Azure VMs in Azure Cloud, and on-premises VMs in VMware, System Center VMM and physical servers.

Prerequisites:

• VMware Virtual Server
• Azure Subscription
• Azure Virtual Network
• ExpressRoute between On-premises to Azure Network
• Permit communication between Azure VMs to Azure Site Recovery Virtual Network
• Appropriate Azure Storage Network
• Administrative Credentials in Azure Cloud
• Administrative Credentials in On-premises Network inclusive VMware Virtual Infrastructure
• The Mobility service must be installed on each VM you want to replicate. Site Recovery installs this service automatically when you enable replication for the VM
• Set up an isolated virtual network for the test failover

Supported VMware Environment:

Component	Requirement
vCenter server	Version 5.5 or later
vSphere host	Version 5.5 or later

Supported VMs

VM Requirement	Details
OS disk size	Up to 2TB
OS disk count	1
Data disk count	64 or less
Data disk VHD size	Up to 4TB
Network adapters	Multiple adapters are supported
Shared VHD	Not supported
FC disk	Not supported
Hard disk format	VHD or VHDX. Azure Site Recovery automatically converts VHDX to VHD when you fail over to Azure. When you fail back to on-premises VMs continue to use the VHDX format.
Bit-locker	Not supported. Disable before you enable replication for a VM.
VM name	Between 1 and 63 characters. Restricted to letters, numbers, and hyphens. The VM name must start and end with a letter or number.
VM type	Generation 1 – Linux or Windows Generation 2 – Windows only

Site Recovery Scenario:

1. Fail over from the on-premises site to Azure Site
2. Reprotect the Azure VMs, so that they start replicating back to the on-premises VMware VMs.
3. Fail back from Azure Site to On-prem Site.
4. After data has failed back, re-protect the on-premises VMs that you failed back to, so that they start replicating back to Azure site.

Configuring Azure Site Recovery for the On-prem VMware Vcenter

Step1: Storage Account in Azure

1. Sign into the Azure portal using Global Admin, Click Menu, click New>Storage>Storage account>Add to create a new Storage Account.
2. Enter a name for your storage account. For these tutorials, I am going to use the name OnPremtoAzureSA01
3. Select the below properties

• Deployment model: Resource Manager
• Account Kind: General Purpose
• Performance: Standard
• Replication: RA-GRS

4. For replication, you have four options to choose from Locally redundant storage (LRS), Zone-redundant storage (ZRS), Geo-redundant storage (GRS), Read-access geo-redundant storage (RA-GRS)
5. Select the subscription in which you want to create the new storage account. For example, your EA or PAYG Account
6. Specify a new resource group. An Azure resource group is a logical container into which Azure resources are deployed and managed. For example: CorpRG
7. Select the geographic location for your storage account. The storage account must be in the same region as the Recovery Services vault. For these tutorials we use the location Australia East.
8. Click Create

Step2: Create a vault.

1. In the Azure portal menu, click New > Monitoring & Management > Backup and Site Recovery.
2. In Name, specify a friendly name to identify the vault. For example CorpVault.
3. Select the existing resource group named CorpRG.
4. Specify the Azure region Australia East.
5. Click Create

Step3: Create an On-premises Service Account for VMware Environment

1. In the Active Directory Users and Computers, Create a Service Account Named , SVC-AzureSR
2. Assign permission in the vCenter to the Data Center level and propagate to all
3. Windows Local Admin Permissions: Make the service account SVC-AzureSR a Member Off Domain Admins or Local Admin Security Group on the VMs where Azure Mobility Services Software will be installed.
4. Linux Admin Permission: Prepare a root account on the source Linux server which will be used to install Azure Mobility Services Software
5. VMware vCenter Permissions are:

Object	Permission
Data Center object	Propagate to Child Object
Datastore	Allocate space, browse datastore, low-level file operations, remove file, update virtual machine files
Network	Network assign
Resource	Assign VM to resource pool, migrate powered off VM, migrate powered on VM
Tasks	Create task, update task
Virtual machine	Configuration, answer question, device connection, configure CD media, configure floppy media, power off, power on, VMware tools install Create, register, unregister Allow virtual machine download, allow virtual machine files upload Remove snapshots

Step4: Configure Windows Firewall and IP Based Firewall

1. Create a Group Policy or amend an existing Group Policy to allow RDP for all profiles i.e. Domain, Private and Public
2. Allow Windows Firewall>Allowed apps and features for Domain and Private
3. Be sure to allow IP address ranges for the Azure region of your subscription. Any IP address-based firewall rules should allow communication between On-prem infrastructure to Azure Datacenter IP Ranges, and ports 443 (HTTPS) and 9443 (data replication). You have to allow these IP ranges in your on-prem firewall for example Cisco ASA and Cloud Firewall such as Azure NSG.

Step5: Setup SAN Policy in Diskpart MS KB

1. Log on to the VM which will be protected by Azure Site Recovery, Open Command Prompt as an Admin

• Type DiskPart then type SAN
• It will show SAN Policy : Online All

·         If not then type SAN POLICY=ONLINEALL

2.  On the on-premises machine before failover, check that the Secure Shell service is set to start automatically on system boot. Check that firewall rules allow an SSH connection3.       On the Azure VM after failover, check Boot diagnostics to view a screenshot of the VM if you can’t connect.

Step6: Setup Azure Site Recovery Component in an On-premises Server

1. Create a Windows Server 2012 R2 VM in VMware vCenter comprised of 8 vCPU, 12GB vRAM, 1 OS Disk, 1 600GB Cache Data Disk, 1 600GB retention disk and 1 VMXNET3 NIC with Static IP
2. Allow port 443, 9443 for this VMs if you maintain internal firewall and Azure virtual network NSG. This VM must Access *.Windows.Net, *. windowsazure.com, time.nist.gov , time.windows.com
3. Make this VM has access to internet and browse Azure Cloud storage account.
4. Assign a static IP address
5. Join the Computer to the domain

Step7: Download the Site Recovery Unified Setup

1. Open the Azure portal and click on All resources.
2. Click on the Recovery Service vault named ContosoVMVault.
3. Click Site Recovery > Prepare Infrastructure > Protection goal.
4. Select On-premises for where your machines are located, To Azure for where you want to replicate your machines, and Yes, with VMware vSphere Hypervisor. Then, click OK.
5. In the Prepare source pane, click +Configuration server.
6. In Add Server, check that Configuration Server appears in Server type.
7. Download the Site Recovery Unified Setup installation file.

8. Download the vault registration key. You need this when you run Unified Setup. The key is valid for five days after you generate it.

Step8: Run and Configure Site Recovery Unified

1. Run the Unified Setup installation file.

2. In Before You Begin, select Install the configuration server and process server then click Next.
3. In Third Party Software License, click I Accept to download and install MySQL, then click Next.
4. In Registration, select the registration key you downloaded from the vault.
5. In Internet Settings, specify how the Provider running on the configuration server connects to Azure Site Recovery over the Internet. If you have an internet proxy server, provide the proxy details here.
6. In Prerequisites Check, Setup runs a check to make sure that installation can run. If a warning appears about the Global time sync check, verify that the time on the system clock (Date and Time settings) is the same as the time zone.
7. In MySQL Configuration, create credentials for logging on to the MySQL server instance that is installed.
8. In Environment Details, select Yes to protect VMware VMs. Setup checks that PowerCLI 6.0 is installed.
9. In Install Location, select where you want to install the binaries and store the cache. The drive you select must have at least 5 GB of disk space available, but we recommend a cache drive with at least 600 GB of free space.
10. In Network Selection, specify the listener (network adapter and SSL port) on which the configuration server sends and receives replication data. Port 9443 is the default port used for sending and receiving replication traffic, but you can modify this port number to suit your environment’s requirements. We also open port 443, which is used to orchestrate replication operations. Do not use port 443 for sending or receiving replication traffic.
11. In Summary, review the information and click Install. Setup installs the configuration server and registers with it the Azure Site Recovery service.
12. When installation finishes, a passphrase is generated. You will need this when you enable replication, so copy it and keep it in a secure location. The server is displayed on the Settings > Servers pane in the vault.
13. On your configuration server, launch exe. It is available as a shortcut on the desktop and located in the install location\home\svsystems\bin folder.
14. Click Manage Accounts > Add Account.
15. In Account Details, add the account that will be used for automatic discovery.

Step9: Add vCenter Server to Azure Site Recovery Vault

1. Open the Azure portal and click on All resources.
2. Click on the Recovery Service vault named ContosoVMVault.
3. Click Site Recovery > Prepare Infrastructure > Source
4. Select +vCenter to connect to a vCenter server or vSphere ESXi host.
5. In Add vCenter, specify a friendly name for the server. Then, specify the IP address or FQDN.
6. Leave the port set to 443, unless your VMware servers listen for requests on a different port.
7. Select the account SVC-AzureSR to use for connecting to the server. Click OK.
8. Seat back and relax for Azure Site Recovery to discover VMs.

Step10: Select and verify target resources.

1. Click Prepare infrastructure > Target, and select the Azure subscription you want to use.
2. Specify whether your target deployment model is Resource Manager-based, or classic.
3. Site Recovery checks that you have one or more compatible Azure storage accounts and networks.

Step11: Create a replication policy

1. Open the Azure portal and click on All resources.
2. Click on the Recovery Service vault named CorpVault.
3. To create a replication policy, click Site Recovery infrastructure > Replication Policies > +Replication Policy.
4. In Create replication policy, specify a policy name VMwareRepPolicy.
5. In RPO threshold, use the default of 60 minutes. This value defines how often recovery points are created. An alert is generated if continuous replication exceeds this limit.
6. In Recovery point retention, use the default of 24 hours for how long the retention window is for each recovery point. For this tutorial we select 72 hours. Replicated VMs can be recovered to any point in a window.

7. In App-consistent snapshot frequency, use the default of 60 minutes for the frequency that application-consistent snapshots are created. Click OK to create the policy.
8. The policy is automatically associated with the configuration server. By default, a matching policy is automatically created for failback.

Step12: Enable replication as follows:

1. Click Replicate application > Source.
2. In Source, select the configuration server.
3. In Machine type, select Virtual Machines.
4. In vCenter/vSphere Hypervisor, select the vCenter server that manages the vSphere host, or select the host.
5. Select the process server (configuration server). Then click OK.
6. In Target, select the subscription and the resource group in which you want to create the failed over VMs. Choose the deployment model that you want to use in Azure (classic or resource management), for the failed over VMs.
7. Select the Azure storage account you want to use for replicating data.
8. Select the Azure network and subnet to which Azure VMs will connect, when they’re created after failover.
9. Select Configure now for selected machines, to apply the network setting to all machines you select for protection. Select Configure later to select the Azure network per machine.
10. In Virtual Machines > Select virtual machines, click and select each machine you want to replicate. You can only select machines for which replication can be enabled. Then click OK.
11. In Properties > Configure properties, select the account that will be used by the process server to automatically install the Mobility service on the machine.
12. In Replication settings > Configure replication settings, verify that the correct replication policy is selected.
13. Click Enable Replication. You can track progress of the Enable Protection job in Settings > Jobs > Site Recovery Jobs.

Step13: Verify VM Properties

1. In Protected Items, click Replicated Items > VM.
2. In the Replicated item pane, there’s a summary of VM information, health status, and the latest available recovery points. Click Properties to view more details.
3. In Compute and Network, you can modify the Azure name, resource group, target size, availability set, and managed disk settings
4. You can view and modify network settings, including the network/subnet in which the Azure VM will be located after failover, and the IP address that will be assigned to it.
5. In Disks, you can see information about the operating system and data disks on the VM.

Step14: Disaster Recovery Drill or Testing a DR

1. In Settings > Replicated Items, click the VM > +Test Failover.
2. Select a recovery point to use for the failover:

• Latest processed : Fails the VM over to the latest recovery point that was processed by Site Recovery. The time stamp is shown. With this option, no time is spent processing data, so it provides a low RTO (recovery time objective).
• Latest app-consistent: This option fails over all VMs to the latest app-consistent recovery point. The time stamp is shown.
• Custom: Select any recovery point.

3. In Test Failover, select the target Azure network to which Azure VMs will be connected after failover occurs.
4. Click OK to begin the failover. You can track progress by clicking on the VM to open its properties. Or you can click the Test Failover job in vault name > Settings > Jobs > Site Recovery jobs.
5. After the failover finishes, the replica Azure VM appears in the Azure portal > Virtual Machines. Check that the VM is the appropriate size, that it’s connected to the right network, and that it’s running.
6. You should now be able to connect to the replicated VM in Azure.
7. To delete Azure VMs created during the test failover, click Cleanup test failover on the recovery plan.

Step15: Understanding and Preparing for failover and failback

Objective 1: Run a failover to Azure

1. In Settings > Replicated items click the VM > Failover.
2. In Failover select a Recovery Point to fail over to. You can use one of the following options:

1. • Latest (default): This option first processes all the data sent to Site Recovery. It provides the lowest RPO (Recovery Point Objective) because the Azure VM created after failover has all the data that was replicated to Site Recovery when the failover was triggered.
   • Latest processed: This option fails over the VM to the latest recovery point processed by Site Recovery. This option provides a low RTO (Recovery Time Objective), because no time is spent processing unprocessed data.
   • Latest app-consistent: This option fails over the VM to the latest app-consistent recovery point processed by Site Recovery.
   • Custom: Specify a recovery point.

3. Select Shut down machine before beginning failover to attempt to do a shutdown of source virtual machines before triggering the failover. Failover continues even if shutdown fails. You can follow the failover progress on the Jobs
4. If you prepared to connect to the Azure VM, connect to validate it after the failover.
5. After you verify, Commit the failover. This deletes all the available recovery points.
6. Don’t Cancel the Task. Seat back, relax, take a coffee break. If you cancel a failover in progress, failover stops, but the VM won’t replicate again.

Objective2: Re-protect Azure VMs

Note: This procedure presumes that the on-premises VM isn’t available and you’re re-protecting to an alternate location.

1. In Settings > Replicated items, right-click the VM that was failed over and Re-Protect.
2. In Re-protect, verify that Azure to On-premises, is selected.

3. Specify the on-premises master target server, and the process server.
4. In Datastore, select the master target datastore to which you want to recover the disks on-premises. Use this option when the on-premises VM has been deleted, and you need to create new disks. This settings is ignored if the disks already exist, but you do need to specify a value.

1. Select the master target retention drive. The failback policy is automatically selected.
2. Click OK to begin re-protection. A job begins to replicate the virtual machine from Azure to the on-premises site. You can track the progress on the Jobs tab.

Objective3: Run a failover from Azure to on-premises

Note: To replicate back to on-premises, a failback policy is used. This policy is automatically created when you created a replication policy for replication to Azure:

1. On the Replicated Items page, right-click the machine > Unplanned Failover.

2. In Confirm Failover, verify that the failover direction is from Azure.
3. Select the recovery point that you want to use for the failover. An app-consistent recovery point occurs before the most recent point in time, and it will cause some data loss. When failover runs, Site Recovery shuts down the Azure VMs, and boots up the on-premises VM. There will be some downtime, so choose an appropriate time.

1. Right-click the machine, and click Commit. This triggers a job that removes the Azure VMs.
2. Verify that Azure VMs have been shut down as expected.

Objective4: Re-protect on-premises machines to Azure

Note: Data should now be back on your on-premise site, but it isn’t replicating to Azure. You can start replicating to Azure again as follows:

1. In the vault > Settings >Replicated Items, select the failed back VMs that have failed back, and click Re-Protect.
2. Select the process server that is used to send the replicated data to Azure, and click OK.

 

Understanding Software Defined Networking (SDN) and Network Virtualization

The evolution of virtualization lead to an evolution of wide range of virtualized technology including the key building block of a data center which is Network. A traditional network used be wired connection of physical switches and devices. A network administrator has nightmare making some configuration changes and possibility of breaking another configuration while doing same changes. Putting together a massive data center would have been expensive venture and lengthy project. Since the virtualization and cloud services on the horizon, anything can be offered as a service and almost anything can virtualised and software defined.

Since development of Microsoft SCVMM and VMware NSX, network function virtualization (NFV), network virtualization (NV) and software defined network (SDN) are making bold statement on-premises based customer and cloud based service provider. Out of all great benefits having a software defined network, two key benefits standout among all which are easy provisioning a network and easy change control of that network. You don’t have to fiddle around physical layer of network and you certainly don’t have to modify virtual host to provision a complete network with few mouse click. How does it work?

Software Defined Networking- Software defined networking (SDN) is a dynamic, manageable, cost-effective, and adaptable, high-bandwidth, agile open architecture. SDN architectures decouple network control and forwarding functions, enabling network control to become directly programmable and the underlying infrastructure to be abstracted from applications and network services. Examples of Cisco software defined networking is here.

The fundamental building block of SDN is:

• Programmable: Network control is directly programmable because it is decoupled from forwarding functions.
• Agile: Abstracting control from forwarding lets administrators dynamically adjust network-wide traffic flow to meet changing needs.
• Centrally managed: Network intelligence is (logically) centralized in software-based SDN controllers that maintain a global view of the network, which appears to applications and policy engines as a single, logical switch.
• Programmatically configured: SDN lets network managers configure, manage, secure, and optimize network resources very quickly via dynamic, automated SDN programs, which they can write themselves because the programs do not depend on proprietary software.
• Open standards-based and vendor-neutral: When implemented through open standards, SDN simplifies network design and operation because instructions are provided by SDN controllers instead of multiple, vendor-specific devices and protocols.

Cisco SDN Capable Switches

Modular Switches

Cisco Nexus 9516
Cisco Nexus 9508
Cisco Nexus 9504

Fixed Switches

Cisco Nexus 9396PX
Cisco Nexus 9396TX
Cisco Nexus 93128TX
Cisco Nexus 9372PX
Cisco Nexus 9372TX
Cisco Nexus 9336PQ ACI Spine Switch
Cisco Nexus 9332PQ

Network Virtualization- A virtualized network is simply partitioning existing physical network and creating multiple logical network. Network virtualization literally tries to create logical segments in an existing network by dividing the network logically at the flow level. End goal is to allow multiple virtual machine in same logical segment or a private portion of network allocated by business. In a physical networking you cannot have same IP address range within same network and manage traffic for two different kind of services and application. But in a virtual world you can have same IP range segregated in logical network. Let’s say two different business/tenant have 10.124.3.x/24 IP address scheme in their internal network. But both business/tenant decided to migrate to Microsoft Azure platform and bring their own IP address scheme (10.124.3.x/24) with them. It is absolutely possible for them to retain their own IP address and migrate to Microsoft Azure. You will not see changes within Azure portal. You even don’t know that another organisation have same internal IP address scheme and possibly hosted in same Hyper-v host. It is programmatically and logically managed by Azure Stack and SCVMM network virtualization technology.

Network Functions Virtualization- Network function virtualization is virtualising layer 4 to layer 7 of OSI model in a software defined network. NFV runs on high-performance x86 platforms, and it enables users to turn up functions on selected tunnels in the network. The end goal is to allow administrator to create a service profile for a VM then create logical workflow within the network (the tunnel) and then build virtual services on that specific logical environment. NFV saves a lot of time on provisioning and managing application level of network. Functions like IDS, firewall and load balancer can be virtualised in Microsoft SCVMM and VMware NSX.

Here are some Cisco NFV products.

IOS-XRv Virtual Router: Scale your network when and where you need with this carrier-class router.

• Cloud ASAv Firewall: Get consistent carrier-class firewall security for private, public, and hybrid clouds.
• Cloud Services Router 1000V: Let business customers extend their WAN services to your cloud.
• Identity Services Engine: Support comprehensive, highly secure access across all access methods.
• Cisco Nexus 1000V Virtual Switch: Build an extensible virtualized infrastructure and prepare for your future needs.
• Cisco Virtualized Evolved Packet Core: Scale mobile capacity and add services much faster at less cost.
• Cisco Self-Organizing Networks: Automate the Radio Access Network (RAN) to boost performance.
• Cisco Services Platform: Accelerate the deployment of new mobile Internet services and tap into network intelligence.

Network Service Virtualization- Network Service Virtualization (NSV) virtualizes a network service, for example, a firewall module or IPS software instance, by dividing the software image so that it may be accessed independently among different applications all from a common hardware base. NSV eliminates cost of acquiring a separate hardware for single purpose instead it uses same hardware to service different purpose every time a network is accessed or service is requested. It also open the door for service provider offer security as a service to various customer.

Network security appliances are now bundled as a set of security functions within one appliance. For example, firewalls were offered on special purpose hardware as were IPS (Intrusion Protection System), Web Filter, Content Filter, VPN (Virtual Private Network), NBAD (Network-Based Anomaly Detection) and other security products. This integration allows for greater software collaboration between security elements, lowers cost of acquisition and streamlines operations.

Cisco virtualized network services available on the Cisco Catalyst 6500 series platform.

Network security virtualization

• Virtual firewall contexts also called security contexts
• Up to 250 mixed-mode multiple virtual firewalls
• Routed firewalls (Layer 3)
• Transparent firewalls (Layer 2, or stealth)
• Mixed-mode firewalls combination of both Layer 2 and Layer 3 firewalls coexisting on the same physical firewall. 

Virtual Route Forwarding (VRF) network services

• NetFlow on VRF interfaces
• VRF-aware syslog
• VRF-aware TACACS
• VRF-aware Telnet
• Virtualized address management policies using VRF-aware DHCP
• VRF-aware TACACS
• Optimized traffic redirection using PBR-set VRF

Finally you can have all these in one basket without incurring cost for each component once you have System Center Virtual Machine Manager or Microsoft Azure Stack implemented in on-premises infrastructure or you choose to migrate to Microsoft Azure platform.

Relevant Articles

Comparing VMware vSwitch with SCVMM Network Virtualization

Understanding Network Virtualization in SCVMM 2012 R2

Cisco Nexus 1000V Switch for Microsoft Hyper-V

How to implement hardware load balancer in SCVMM

Understanding VLAN, Trunk, NIC Teaming, Virtual Switch Configuration in Hyper-v Server 2012 R2

Comparing VMware vSwitch with SCVMM Network Virtualization

Feature	VMware vSphere		System Center VMM 2012 R2
	Standard vSwitch	DV Switch
Switch Features	Yes	Yes	Yes
Layer 2 Forwarding	Yes	Yes	Yes
IEEE 802.1Q VLAN Tagging	Yes	Yes	Yes
Multicast Support	Yes	Yes	Yes
Network Policy	–	Yes	Yes
Network Migration	–	Yes	Yes
NVGRE/ VXLAN	–	Procure NSX or Cisco Appliance	Yes
L3 Network Support	–	Procure NSX or Cisco Appliance	Yes
Network Virtualization	–	Procure NSX or Cisco Appliance	Yes
NIC Teaming	Yes	Yes	Yes
Network Load Balancing	–	Procure NSX or Cisco Appliance	Yes
Virtual Switch Extension	–	Yes	Yes
Physical Switch Connectivity
EtherChannel	Yes	Yes	Yes
Load Balancing Algorithms
Port Monitoring	Yes	Yes	Yes
Third party Hardware load balancing	–	Yes	Yes
Traffic Management Features
Bandwidth Limiting	–	Yes	Yes
Traffic Monitoring	–	Yes	Yes
Security Features
Port Security	Yes	Yes	Yes
Private VLANs	–	Yes	Yes
Management Features
Manageability	Yes	Yes	Yes
Third Party APIs	–	Yes	Yes
Port Policy	Yes	Yes	Yes
Netflow	Yes*	Yes*	Yes
Syslog	Yes**	Yes**	Yes
SNMP	Yes	Yes	Yes

* Experimental Support

** Virtual switch network syslog information is exported and included with VMware ESX events.

References:

VMware Distributed Switch

VMware NSX

Microsoft System Center Features 

Related Articles:

Understanding Network Virtualization in SCVMM 2012 R2

Cisco Nexus 1000V Switch for Microsoft Hyper-V

How to implement hardware load balancer in SCVMM

Understanding VLAN, Trunk, NIC Teaming, Virtual Switch Configuration in Hyper-v Server 2012 R2

Understanding Network Virtualization in SCVMM 2012 R2

Networking in SCVMM is a communication mechanism to and from SCVMM Server, Hyper-v Hosts, Hyper-v Cluster, virtual machines, application, services, physical switches, load balancer and third party hypervisor. Functionality includes:

Logical Networking of almost “Anything” hosted in SCVMM- Logical network is a concept of complete identification, transportation and forwarding of Ethernet traffic in virtualized environment.

• Provision and manage logical networks resources of private and public cloud
• Management of Logical networks, subnets, VLAN, Trunk or Uplinks, PVLAN, Mac address pool, Templates, profiles, static IP address pool, DHCP address pool, IP Address Management (IPAM)
• Integrate and manage third party hardware load balancer and Cisco virtual switch 1000v
• Provide functionality of Virtual IP Addresses (VIPs), quality of service (QoS), monitor network traffic and virtual switch extensions
• Creation of virtual switches and virtual network gateways

Network Virtualization – Network virtualization is a parallel concept to a server virtualization, where it allows you to abstract and run multiple virtual networks on a single physical network

• Connects virtual machines to other virtual machines, hosts, or applications running on the same logical network.
• Provides an independent migration of virtual machine which means when a VM moved to a different host from original host, SCVMM will automatically migrate that virtual network with the VM so that it remains connected to the rest of the infrastructure.
• Allows multiple tenants to have their own isolated networks for security and privacy reason.
• Allows unique IP address ranges for a tenant for management flexibility.
• Communicate using a gateway of a site or a different site if permitted by firewall
• Connect a VM running on a virtual network to any physical network in the same site or a different location.
• Connect cross-network using an inbox NVGRE gateway that can be deployed as a VM to provide this cross-network interoperability.

Network Virtualization is defined in Fabric>Networking Tab of SCVMM 2012 R2 management console. Virtual Machine networking is defined in VMs and Services>VM Networks Tab of SCVMM 2012 R2 management console.

Network virtualization terminology in SCVMM 2012 R2:

Logical networks: A logical network in VMM which contains the information of VLAN, PVLAN and subnets of a site in a Hyper-v host or a Hyper-v clusters. An IP address pool and a VM network can be associated with a logical network. A logical network can connect to another network or many network or vice-versa. Cloud function of each logical network is:

Logical network	Purpose	Tenant Cloud
External	·Site-to-site endpoint IP addresses ·Load balancer virtual IP addresses (VIPs) ·Network address translation (NAT) IP addresses for virtual networks ·Tenant VMs that need direct connectivity to the external network with full inbound access	Yes
Infrastructure	Used for service provider infrastructure, including host management, live migration, failover clustering, and remote storage. It cannot be accessed directly by tenants.	No
Load Balancer	·Uses static IP addresses ·Has outbound access to the external network via the load balancer ·Has inbound access that is restricted to only the ports that are exposed through the VIPs on the load balancer	Yes
Network Virtualization	· This network is automatically used for allocating provider addresses when a VM that is connected to a virtual network is placed onto a host. ·Only the gateway VMs connect to this directly. · Tenant VMs connect to their own VM network. Each tenant’s VM network is connected to the Network Virtualization logical network. ·A tenant VM will never connect to this directly. ·Static IP addresses are automatically assigned.	Yes
Gateway	Associated with forwarding gateways, which require one logical network per gateway. For each forwarding gateway, a logical network is associated with its respective scale unit and forwarding gateway.	No
Services	· The Services network is used for connectivity between services in the stamp by public-facing Windows Azure Pack features, and for SQL Server and MySQL Database DBaaS deployments. ·All deployments on the Services network are behind the load balancer and accessed through a virtual IP (VIP) on the load balancer. ·This logical network is also designed to provide support for any service provider-owned service and is likely to be used by high-density web servers initially, but potentially many other services over time.	No

IP Address Pool: An IP address pool is a range of IP addresses assigned to a logical network in a site which provides IP address, subnets, gateway, DNS, WINS related information to virtual machines and applications.

Mac Address Pool: Mac Address Pool contains default mac address ranges of virtual network adapter of virtual machine. You can also create customised mac address pool and assign that pool to virtual machines.

Pool Name	Vendor	Mac Address
Default MAC address pool	Hyper-V and Citrix XenServer	00:1D:D8:B7:1C:00 – 00:1D:D8:F4:1F:FF
Default VMware MAC address pool	VMware ESX	00:50:56:00:00:00 – 00:50:56:3F:FF:FF

Hardware Load Balancer: Hardware load balancer is a functionality within SCVMM networking to provide third party loading balancing of application and services. A virtual IP or IP address Pool can be associated with hardware load balancer.

VIP Templates: VIP templates is a standard template used to define virtual addresses associated with hardware load balancer. VIP is allocated to application, services and virtual machines hosted in SCVMM 2012 R2. A template that specifies the load-balancing behaviour for HTTPS traffic on a specific load balancer by manufacturer and model.

Logical Switch: logical switches act as containers for the properties or capabilities that you want network adapters to have. Instead of configuring individual properties or capabilities for each network adapter, you can specify the capabilities in port profiles and logical switches, which you can then apply to the appropriate adapters. Logical switches act as an extension of physical switch with a major difference that you don’t have to drive to data center, take a patch lead and connect to computer, then configure switch ports and assign VLAN tag to that port.  Logical switch where you define uplinks or physical adapter of Hyper-v hosts, associate uplinks with logical networks and sites.

Port Profiles: Port profiles act as containers for the security and privacy that you want network adapters to have. Instead of configuring individual properties or capabilities for each network adapter, you can specify these capabilities in port profiles, which you can then apply to the appropriate adapters. Port profiles are associated with an uplinks in logical switch.

Port Classification: Port classifications provide global names for identifying different types of virtual network adapter port profiles. A port classification can be used across multiple logical switches while the settings for the port classification remain specific to each logical switch. For example, you might create one port classification named FAST to identify ports that are configured to have more bandwidth, and another port classification named SLOW to identify ports that are configured to have less bandwidth.

Network Service: Network service is container whether you can add Windows and non-Windows network gateway and IP address management and monitoring information. An IP Address Management (IPAM) server that runs on Windows Server 2012 R2 to provide resources in VMM. You can use the IPAM server in network resource tab of SCVMM to configure and monitor logical networks and their associated network sites and IP address pools. You can also use the IPAM server to monitor the usage of VM networks that you have configured or changed in VMM.

Virtual switch extension: A virtual switch extension manager in a SCVMM allows you to use a software based vendor network-management console and the VMM management server together. For example you can install Cisco 1000v extension software in a VMM server and add the functionality of Cisco switches into the VMM console.

VM Network: A VM network in a logical network is the endpoint of network virtualization which directly connect a virtual machine to allow public or private communication among VMs or other network and services. A VM network is associated with a logical network for direct access to other VMs.

Related Articles:

Cisco Nexus 1000V Switch for Microsoft Hyper-V

How to implement hardware load balancer in SCVMM

Understanding VLAN, Trunk, NIC Teaming, Virtual Switch Configuration in Hyper-v Server 2012 R2

How to implement hardware load balancer in SCVMM

The following procedure describe Network Load Balancing functionality in Microsoft SCVMM. Microsoft native NLB is automatically included into SCVMM when you install SCVMM. This procedure describe how to install and configure third party load balancer in SCVMM.

Prerequisites:

• Microsoft System Center Virtual Machine Manager. 
• Load balancer provider from either Citrix Citrix NetScaler or Brocade ServerIron ADX or F5.
• Logical network is already configured.
• IP Address Pool is already configured. 

Note: Load balancer provider is a third party product must be obtained from third party website using third party credentials.

Step1: Download and install load balancer provider then restart SCVMM services in Windows services. For Citrix Netscaler VPX follow the procedure. 

1. Log on to Netscaler using nsroot account or LDAP account. 
2. Click on Dashboard>Click downloads on right hand side corner
3. Click on NetScaler LB Provider for Microsoft System Center Virtual Machine Manager 2012 to download load balancer provider. 
4. Copy the load balancer provider and install in SCVMM server.
5. Restart SCVMM Windows Services. 

Step2: Create a Run As Account for Load Balancer

1. Open the Settings workspace.
2. On the Home tab, in the Create group, click Create Run As Account.
3. The Create Run As Account dialog box opens.
4. Enter a name and optional description to identify the credentials in VMM.
5. Enter credentials for the Run As account in the User name and Password text boxes. This is the username and password of virtual load balancer you have download from third party website and deployed in Hyper-v.
6. Unselect Validate domain credentials.
7. Click OK to create the Run As account.

Step3: Add Hardware Load balancer. Follow the below procedure to add load balancer

1. Open the Fabric workspace.
2. In the Fabric pane, expand Networking>Load Balancer>Right click  then click Load Balancers.
3. On the Credentials page, next to the Run As account box, click Browse, and then click a Run As account you created in step 3, click OK, and then click Next.
4. On the Host Group page, select the check box next to each host group where the load balancer will be available. By default, any child host groups are also selected.
5. On the Manufacturer and Model page, specify the load balancer manufacturer and model, and then click Next.
6. On the Address page, Provide TCP/IP or FQDN and port number of Load Balancer>click Next
7. On the Logical Network Affinity page, specify the load balancer affinity to logical networks, and then click Next.
8. On the provide page select provider>Click Test>click next
9. On the Summary page, confirm the settings, and then click Finish.

Step4: Creating a VIP Template for third party hardware load balancer

You can create two types of load balancer 1. Generic 2. Vendor Specific. 

For vendor specific load balancer do the following.

1. In Virtual Machine Manager (VMM), open the Fabric workspace.
2. In the Fabric pane, expand Networking, and then click VIP Templates.
3. On the Home tab, in the Show group, click Fabric Resources.
4. On the Home tab, in the Create group, click Create VIP Template.
5. On the Name page, type name, description and port: 443 of the template>click Next
6. On the Type Page>Select Specific>Select third party Vendor & NLB type> Click Next
7. On the protocol page> Select either TCP or UDP or both based on your requirement>Click next>Click Next>Click Finish.

For a Generic Load Balancer provider change the step 6 and select Generic then follow the step.

1. In Virtual Machine Manager (VMM), open the Fabric workspace.
2. In the Fabric pane, expand Networking, and then click VIP Templates.
3. On the Home tab, in the Show group, click Fabric Resources.
4. On the Home tab, in the Create group, click Create VIP Template.
5. On the Name page, type name, description and port: 443 of the template>click Next
6. On the Type Page>Select Generic> Click Next
7. On the protocol page> Select either TCP or UDP or both based on your requirement>Click next>Click Next>Click Finish.

• HTTPS pass-through- Traffic directly terminate at virtual machine and is not decrypted at load balancer.
• HTTPS terminate – traffic decrypted at load balancer and re-encrypted to virtual machine. This option is best for Exchange OWA and other application. You must log on to load balancer portal then import SSL certificate of OWA and also select re-encrypt option in VIP Template.
• There are two other option in this page HTTP and custom as well.

8. On the Persistence page> Select either persistence or non-persistent (custom) traffic. A Persistent traffic allow an OWA session directed to specific Exchange CAS server.
9. On the load balancing page>Select Round-Robin>Click Next
10. On the health monitor page>Click Insert> do the following>Click Next

• Protocol: https
• Request: Get/
• Response: 200
• Interval: 120
• Timed-out: 60
• Retry: 3

Note: The time-out value should be less than the interval value. The interval and time-out values are in seconds.

11. On the Load Balancing page>Select load balancing method>Click Next
12. On the Summary page, review the settings, and then click Finish.

Next step to create load balanced web services template and connect to load balancer. On the port profile of service template of the VM you have to select network load balanced then deploy the template into production.