Virtualization can bring many benefits for businesses, including increased agility, greater flexibility, and improved cost efficiency. Combining virtualization with the infrastructure and tools needed to provision cloud applications and services brings even greater benefits for organizations that need to adapt and scale their infrastructure to meet the changing demands of today’s business environment. With its numerous improvements, Hyper-V in Windows Server 2012 provides the foundation for building private clouds that can use the benefits of cloud computing across the business units and geographical locations that typically make up today’s enterprises. By using Windows Server 2012, you can begin transitioning your organization’s datacenter environment toward an infrastructure as a service (IaaS) private cloud that can provide your business units with the “server instances on demand” capability that they need to be able to grow and respond to changing market conditions.
Hosting providers also can use Windows Server 2012 to build multi-tenant cloud infrastructures (both public and shared private clouds) that they can use to deliver cloud-based applications and services to customers. Features and tools included in Windows Server 2012 enable hosting providers to fully isolate customer networks from one another, deliver support for service level agreements (SLAs), and enable chargebacks for implementing usage-based customer billing.
Let’s dig into these features and capabilities in more detail. We’ll also get some insider perspective from experts working at Microsoft who have developed, tested, deployed, and supported Windows Server 2012 during the early stages of the product release cycle.
Scenario-focused design in Windows Server 2012
One of the best things about Windows Server 2012 is that it was designed from the ground up, with a great focus on actual customer scenarios.
Windows Server is the result of a large engineering effort, and in past releases, each organization delivered its own technology innovations and roadmap in its respectively relevant area. The networking team would build great networking features; the storage team would innovate on file and storage systems; the manageability team would introduce Windows PowerShell to enable a standard way to manage servers, and so on.
Windows Server 2012 is different. Instead of having vertical technology-focused roadmaps and designs, it was built around specific customer scenarios for the server. I was the scenario leader for the “hosted cloud” scenario, which was all about building the most cloud-optimized operating system ever built and aligning multiple feature crews on enabling enterprises and hosting providers to build clouds that are better than ever.
Scenario-focused design starts by understanding the business need and the real customer pain points and requirements. During the planning phase, we talked to a very long list of customers and did not limit ourselves to any specific technology. Instead, we framed the discussion around the need to build and run clouds and discovered pain points, such as the need to offer secure multi-tenancy and isolation to your cloud tenants, so that hosting providers can be more efficient in utilizing their infrastructure and lowering their cost. There’s also a need to be able to automate manual processes end to end because manual processes just don’t cut it anymore, and the need to lower the cost of storage because customers were clearly overpaying for very expensive storage even when they don’t really need it. We then translated that understanding into investments that cross technology boundaries that will solve those business problems and satisfy the customer requirements.
For example, to enable multi-tenancy, we didn’t just add some access control lists (ACLs) on the Hyper-V switch. Instead, we’ve built a much better Hyper-V switch with isolation policy support and added Network Virtualization to decouple the physical cloud infrastructure from the VM networks. Then we added quality of service (QoS) policies to help hosting providers ensure proper SLAs for different tenants and resource meters to enable them to measure and charge for activities, and we also ensured that everything will be fully automatable (via Windows PowerShell, of course), in a consistent way.
Here’s another example: we didn’t just add support for a new network interface card (NIC) technology called Remote Direct Memory Access (RDMA). Instead, we’ve designed it to work well with file servers and provide SMB Direct support to enable the use of file servers in a cloud infrastructure over standard Ethernet fabric, and used storage spaces for low-cost disks. This way, competitive performance compared to SANs is made available at a fraction of the cost.
Finally, scenario-focused design doesn’t actually end at the design phase. It’s a way of thinking that starts at planning but continues all the way through execution, internal validation, external validation with our TAP program, partner relations, documentation, blogging, and, of course, bringing the product to market. Basically, at every stage of the Windows Server 2012 execution cycle, the focus was on making the scenario work, rather than on making specific features work.
This kind of scenario-focused design requires an amazingly huge collaborative effort across technology teams. This is exactly where Windows Server 2012 shines and is the reason you’re seeing all of these great innovations coming together in one massive release that will change the way clouds are built.
Hyper-V extensible switch
The new Hyper-V extensible switch in Windows Server 2012 is key to enabling the creation of secure cloud environments that support the isolation of multiple tenants. The Hyper-V extensible switch in Windows Server 2012 introduces a number of new and enhanced capabilities for tenant isolation, traffic shaping, protection against malicious virtual machines, and hassle-free troubleshooting. The extensible switch allows third parties to develop plug-in extensions to emulate the full capabilities of hardware-based switches and support more complex virtual environments and solutions.
Previous versions of Hyper-V allowed you to implement complex virtual network environments by creating virtual network switches that worked like physical layer-2 Ethernet switches. You could create external virtual networks to provide VMs with connectivity with externally located servers and clients, internal networks to allow VMs on the same host to communicate with each other as well as the host, or private virtual networks (PVLANs) that you can use to completely isolate all VMs on the same host from each other and allow them to communicate only via external networks.
The Hyper-V extensible switch facilitates the creation of virtual networks that can be implemented in various ways to provide great flexibility in how you can design your virtualized infrastructure. For example, you can configure a guest operating system within a VM to have a single virtual network adapter associated with a specific extensible switch or multiple virtual network adapters (each associated with a different switch), but you can’t connect the same switch to multiple network adapters.
What’s new however is that the Hyper-V virtual switch is now extensible in a couple of different ways. First, you can now install custom Network Driver Interface Specification (NDIS) filter drivers (called extensions) into the driver stack of the virtual switch. For example, you could create an extension that captures, filters, or forwards packets to extensible switch ports. Specifically, the extensible switch allows for using the following kinds of extensions:
■ Capturing extensions, which can capture packets to monitor network traffic but cannot
modify or drop packets
■ Filtering extensions, which are like capturing extensions but also can inspect and drop packets
■ Forwarding extensions, which allow you to modify packet routing and enable integration with your physical network infrastructure
Second, you can use the capabilities of the Windows Filtering Platform (WFP) by using the built-in Wfplwfs.sys filtering extension to intercept packets as they travel along the data path of the extensible switch. You might use this approach, for example, to perform packet inspection within your virtualized environment.
These different extensibility capabilities of the Hyper-V extensible switch are intended primarily for Microsoft partners and independent software vendors (ISVs) so they can update their existing network monitoring, management, and security software products so they can work not just with physical hosts, but also with VMs deployed within any kind of virtual networking environment that you might possibly create using Hyper-V in Windows Server 2012. In addition, being able to extend the functionality of Hyper-V networking by adding extensions makes it easier to add new networking functionality to Hyper-V without needing to replace or upgrade the switch. You’ll also be able to use the same tools for managing these extensions that you use for managing other aspects of Hyper-V networking, namely the Hyper-V Manager console, Windows PowerShell, and Windows Management Instrumentation (WMI). And because these extensions integrate into the existing framework of Hyper-V networking, they automatically work with other capabilities, like Live Migration.
Table 2-1 summarizes some of the benefits of the Hyper-V extensible switch from both the IT professional and ISV perspective.
Configuring virtual switches
Figure 2-1 shows the Windows Filtering Platform (WFP) extension selected in the Virtual Switch Manager of the Hyper-V Console in Windows Server 2012. Note that once extensions are installed on the host, they can be enabled or disabled and also have their order rearranged by moving them up or down in the list of switch extensions.
FIGURE 2-1 Virtual switch extensions for the Hyper-V extensible switch.
You can also use Windows PowerShell to create, delete, and configure extensible switches on Hyper-V hosts. For example, Figure 2-2 shows how to use the Get-VMSwitchExtension cmdlet to display details concerning the extensions installed on a specific switch.
FIGURE 2-2 Displaying all extensions installed on the virtual switch named CONTOSO.
You also can display the full list of Windows PowerShell cmdlets for managing the extensible switch, as Figure 2-3 illustrates.
FIGURE 2-3 Displaying all Windows PowerShell cmdlets for managing virtual switches.
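The following PowerShell session is an added example, not code from the book, that does from the command line what the extension kinds above describe and what Figures 2-2 and 2-3 show: it lists the switch cmdlets, inventories the extensions on a switch, makes sure the built-in WFP filtering extension is active, and turns off any forwarding extension that is not on an administrator-maintained allow list. The switch name CONTOSO is taken from Figure 2-2; the extension display name "Microsoft Windows Filtering Platform" and the empty allow list are assumptions for the example.

```powershell
# Added example (not from the book): inventory and control extensions on the
# extensible switch named CONTOSO (the switch name comes from Figure 2-2).
# Requires the Hyper-V PowerShell module on a Windows Server 2012 host.
Import-Module Hyper-V

$switchName = 'CONTOSO'   # assumption: a switch with this name already exists

# 1. Show every cmdlet that manages virtual switches and their extensions
#    (the same list that Figure 2-3 displays).
Get-Command -Module Hyper-V -Noun 'VMSwitch*' | Select-Object Name

# 2. List the extensions installed on the switch, their type (Capture, Filter,
#    Forwarding), and whether each is currently enabled and running.
Get-VMSwitchExtension -VMSwitchName $switchName |
    Select-Object Name, ExtensionType, Vendor, Enabled, Running |
    Format-Table -AutoSize

# 3. Make sure the built-in Windows Filtering Platform extension is enabled so that
#    WFP-based inspection sees packets on the switch data path. The display name is
#    the one the host shows for the built-in extension (assumed here).
$wfp = Get-VMSwitchExtension -VMSwitchName $switchName -Name 'Microsoft Windows Filtering Platform'
if (-not $wfp.Enabled) {
    Enable-VMSwitchExtension -VMSwitchName $switchName -Name $wfp.Name
}

# 4. A forwarding extension can change where packets go, so only vetted ones should
#    be active. Disable any enabled forwarding extension that is not on the allow list
#    (constructed placeholder: fill in the names your change process has approved).
$approvedForwarding = @()
Get-VMSwitchExtension -VMSwitchName $switchName |
    Where-Object { $_.ExtensionType -eq 'Forwarding' -and $_.Enabled -and ($_.Name -notin $approvedForwarding) } |
    ForEach-Object {
        Write-Warning "Disabling unapproved forwarding extension '$($_.Name)' on switch $switchName"
        Disable-VMSwitchExtension -VMSwitchName $switchName -Name $_.Name
    }
```

Step 4 is the useful check for a shared host: the Virtual Switch Manager page in Figure 2-1 shows the same list, but a scheduled run of this script records and reverts an extension that was enabled outside your change process.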
Troubleshooting virtual switches
Microsoft also has extended Unified Tracing through the Hyper-V extensible switch, which makes it easier for you to diagnose problems that may occur. For example, if you are experiencing issues that you think might be connected with the extensible switch, you could attempt to troubleshoot the problem by turning on tracing using the Netsh command like this:
netsh trace start provider=Microsoft-Windows-Hyper-V-VmSwitch capture=yes capturetype=vmswitch
Then you would try and reproduce the issue while tracing is turned on. Once a repro has occurred, you could disable tracing with netsh trace stop and then review the generated Event Trace Log (ETL) file using Event Viewer or Network Monitor. You also could review the System event log for any relevant events.
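Here is the whole start, reproduce, stop, and review cycle as one elevated PowerShell session on the host. This is an added example, not the book's, and it assumes a trace destination of C:\Traces\vmswitch.etl chosen by the administrator; the provider name and netsh syntax are the ones given above, and the text conversion and System log query are additions for hosts without Network Monitor installed.

```powershell
# Added example (not from the book): capture, stop, and review a Unified Tracing
# session for the Hyper-V extensible switch, following the netsh steps described above.
# Run in an elevated PowerShell session on the Hyper-V host.
$traceFile = 'C:\Traces\vmswitch.etl'   # assumption: destination path chosen by the admin
New-Item -ItemType Directory -Path (Split-Path $traceFile) -Force | Out-Null

# 1. Confirm the ETW provider used by the switch is registered on this host.
Get-WinEvent -ListProvider 'Microsoft-Windows-Hyper-V-VmSwitch' | Select-Object Name, Id

# 2. Start tracing with packet capture at the vmswitch layer (the same command as
#    above, with an explicit output file so the ETL lands in a known place).
netsh trace start provider=Microsoft-Windows-Hyper-V-VmSwitch capture=yes capturetype=vmswitch "tracefile=$traceFile"

# 3. Reproduce the problem while the trace runs; here the script simply waits for you.
Read-Host -Prompt 'Reproduce the issue now, then press Enter to stop tracing'

# 4. Stop tracing. netsh flushes the ETL and writes a companion .cab with system information.
netsh trace stop

# 5. Convert the ETL to text for a quick look when Network Monitor is not installed.
#    (Open the .etl itself in Event Viewer or Network Monitor for the full detail.)
$txtFile = [IO.Path]::ChangeExtension($traceFile, '.txt')
netsh trace convert "input=$traceFile" "output=$txtFile"

# 6. Pull the switch's own events out of the ETL (-Oldest is required for .etl input)
#    and list recent System log errors and warnings so the two can be lined up by time.
Get-WinEvent -Path $traceFile -Oldest |
    Where-Object { $_.ProviderName -like 'Microsoft-Windows-Hyper-V-VmSwitch*' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message -First 20

Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2, 3; StartTime = (Get-Date).AddHours(-1) } |
    Select-Object TimeCreated, ProviderName, Id, Message
```

Keep the capture window short: with capture=yes the ETL grows with every packet crossing the switch, which is the same caution the performance monitoring sidebar below gives about ETL tracing in general.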
Performance monitoring improvements
Windows Server 2012 exposes more Event Tracing for Windows (ETW) data providers and performance items than Windows Server 2008 R2. With this exposure comes the vital need for the IT professional to know which datasets are relevant to their specific monitoring situation. It’s neither feasible nor appropriate to just gather everything, for system monitoring has in it a touch of physics: a modified Heisenberg uncertainty principle is afoot, and one cannot monitor a system without impacting it to some degree. To what degree is the question. Finely tuned data collector sets from Performance Analysis of Logs (PAL; see http://pal.codeplex.com) can be used by the IT professional to ensure they are only gathering the data necessary to their problem set, so as to not negatively impact system performance too heavily while monitoring or baselining systems.
One advantage to using ETW data providers rather than performance counter object items is that ETW providers come from the kernel itself typically, rather than coming from user mode measurements. What this means is that the data from ETW data providers is more accurate and more reliable and also puts a lower load on the system. ETW logging is unlikely to suffer from missing data sets due to high system load as well. Look for guidance on which items to collect though before diving in; ETL tracing can grow log files quickly.
A number of other advanced capabilities also have been integrated by Microsoft into the Hyper-V extensible switch to help enhance security, monitoring, and troubleshooting functionality. These additional capabilities include the following:
■ DHCP guard Helps safeguard against Dynamic Host Configuration Protocol (DHCP) man-in-the-middle attacks by dropping DHCP server messages from unauthorized VMs pretending to be DHCP servers
■ MAC address spoofing Helps safeguard against attempts to use ARP spoofing to steal IP addresses from VMs by controlling whether VMs can change the source MAC address in outgoing packets to an address that is not assigned to them
■ Router guard Helps safeguard against unauthorized routers by dropping router advertisement and redirection messages from unauthorized VMs pretending to be routers
■ Port mirroring Enables monitoring of a VM’s network traffic by forwarding copies of destination or source packets to another VM being used for monitoring purposes
■ Port ACLs Helps enforce virtual network isolation by allowing traffic filtering based on media access control (MAC) or IP address ranges
■ Isolated VLANs Allows segregation of traffic on multiple VLANs to facilitate isolation of tenant networks through the creation of private VLANs (PVLANs)
■ Trunk mode Allows directing traffic from a group of VLANs to a specific VM
■ Bandwidth management Allows guaranteeing a minimum amount of bandwidth and/or enforcing a maximum amount of bandwidth for each VM
■ Enhanced diagnostics Allows packet monitoring and event tracing through the extensible switch using ETL and Unified Tracing
Most of these additional capabilities can be configured from the graphical user interface (GUI) by opening the VM’s settings. For example, by selecting the network adapter under Hardware, you can specify bandwidth management settings for the VM. Figure 2-4 shows these settings configured in such a way that the VM always has at least 50 MBps of network bandwidth available, but never more than 100 MBps. If your hosts reside in a shared cloud being used to provision applications and services to business units or customers, these new bandwidth management capabilities can provide the benefit of helping you meet your SLAs with these business units or customers.
FIGURE 2-4 Minimum and maximum bandwidth settings have been configured for this VM.
Clicking the plus sign (+) beside Network Adapter in these settings exposes two new pages of network settings: Hardware Acceleration and Advanced Features. We’ll examine the Hardware Acceleration settings later in this chapter, but for now, here are the Advanced Features settings, which let you configure MAC address spoofing, DHCP guard, router guard, port mirroring, and NIC teaming for the selected network adapter of the VM, as shown in Figure 2-5.
As the sidebar demonstrates, you also can use Windows PowerShell to configure and manage the various advanced capabilities of the Hyper-V extensible switch.
FIGURE 2-5 Configuring advanced features for network adapter settings for a VM.
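The script below is an added example, not code from the book, that applies the capabilities listed above (DHCP guard, router guard, MAC address spoofing, port mirroring, port ACLs, isolated PVLANs, and the bandwidth limits of Figure 2-4) to one tenant VM with the Hyper-V module cmdlets and then reads the result back for audit. Everything it names is an assumption for the example: VM Tenant1-Web on switch CONTOSO, a monitoring VM SecMon, a constructed tenant subnet 10.10.1.0/24, and PVLAN IDs 100/200.

```powershell
# Added example (not from the book): apply the extensible switch's protective and
# metering features to one tenant VM and read them back for audit. All names and
# addresses are assumptions: VM 'Tenant1-Web' on switch 'CONTOSO', monitoring VM
# 'SecMon', tenant subnet 10.10.1.0/24, PVLAN IDs 100/200. Run elevated on the host.
Import-Module Hyper-V

$vmName     = 'Tenant1-Web'
$monitorVm  = 'SecMon'
$switchName = 'CONTOSO'
$tenantNet  = '10.10.1.0/24'

# An absolute minimum-bandwidth guarantee is only honoured on a switch created with
# -MinimumBandwidthMode Absolute, so check the switch's mode before setting one.
$switch = Get-VMSwitch -Name $switchName
if ($switch.BandwidthReservationMode -ne 'Absolute') {
    Write-Warning "Switch $switchName is in '$($switch.BandwidthReservationMode)' reservation mode; MinimumBandwidthAbsolute will not apply."
}

# The Advanced Features page settings plus bandwidth management, in one call.
# The cmdlet takes bandwidth in bits per second; 50 and 100 are the values in Figure 2-4.
$adapterSettings = @{
    VMName                   = $vmName
    DhcpGuard                = 'On'        # drop DHCP server messages this VM emits
    RouterGuard              = 'On'        # drop router advertisements and redirects from this VM
    MacAddressSpoofing       = 'Off'       # outgoing frames must carry the MAC assigned to the VM
    AllowTeaming             = 'Off'       # guest-side NIC teaming stays off unless required
    MinimumBandwidthAbsolute = 50000000    # 50 Mbps guaranteed
    MaximumBandwidth         = 100000000   # 100 Mbps cap
}
Set-VMNetworkAdapter @adapterSettings

# Port mirroring: copy this VM's traffic to the monitoring VM's adapter.
Set-VMNetworkAdapter -VMName $vmName    -PortMirroring Source
Set-VMNetworkAdapter -VMName $monitorVm -PortMirroring Destination

# Port ACLs: deny everything (IPv4 and IPv6), then allow the tenant's own subnet.
# The switch applies the most specific matching entry, so the /24 allow wins over the
# catch-all denies.
Add-VMNetworkAdapterAcl -VMName $vmName -RemoteIPAddress '0.0.0.0/0' -Direction Both -Action Deny
Add-VMNetworkAdapterAcl -VMName $vmName -RemoteIPAddress '::/0'      -Direction Both -Action Deny
Add-VMNetworkAdapterAcl -VMName $vmName -RemoteIPAddress $tenantNet  -Direction Both -Action Allow

# Isolated PVLAN: the VM can reach the primary (promiscuous) port only, never other
# isolated ports on the same PVLAN, even when they share this host. Trunk mode is the
# alternative for a VM that must see several VLANs:
#   Set-VMNetworkAdapterVlan -VMName $vmName -Trunk -AllowedVlanIdList '10-20' -NativeVlanId 10
# An adapter is in one VLAN mode at a time, so pick one.
Set-VMNetworkAdapterVlan -VMName $vmName -Isolated -PrimaryVlanId 100 -SecondaryVlanId 200

# Read everything back so the result can be compared against a hardening baseline.
$nic = Get-VMNetworkAdapter -VMName $vmName
$nic | Select-Object Name, DhcpGuard, RouterGuard, MacAddressSpoofing, AllowTeaming, PortMirroringMode
$nic.BandwidthSetting | Select-Object MinimumBandwidthAbsolute, MaximumBandwidth
Get-VMNetworkAdapterAcl  -VMName $vmName
Get-VMNetworkAdapterVlan -VMName $vmName
```

Two points worth noting when adapting this: -VMName applies each setting to every adapter of the VM, so use -VMNetworkAdapterName as well when a VM has a management and a tenant adapter with different policies; and the read-back at the end is what makes the configuration checkable, since the GUI pages in Figures 2-4 and 2-5 show one VM at a time while the cmdlets can be run across a whole host.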