Windows Server 2019 embraces SDN

When Windows Server 2019 is released this fall, the updates will include features that enterprises can use to leverage software-defined networking (SDN).

SDN for Windows Server 2019 has a number of components that have attracted the attention of early adopters including security and compliance, disaster recovery and cusiness continuity, and multi-cloud and hybrid-cloud.

Virtual-network peering

The new virtual networking peering functionality in Windows Server 2019 allows enterprises to peer their own virtual networks in the same cloud region through the backbone network. This provides the ability for virtual networks to appear as a single network. 

Fundamental stretched networks have been around for years and have provided organizations the ability to put server, application and database nodes in different sites. However, the challenge has always been the IP addressing of the nodes in opposing sites. When there are only two static sites in a traditional wide area network, the IP scheme was relatively static. You knew the subnet and addressing of Site A and Site B.

However, in the public cloud and multi-cloud world – where your target devices may actually shift between racks, cages, datacenters, regions or even hosting providers – having addresses that may change based on failover, maintenance, elasticity changes, or network changes creates a problem. Network administrators have already  spent and will drastically increase the amount of time they spend addressing, readdressing, updating device tables, etc to keep up with the dynamic movement of systems.

With Vnet Peering, while the external location and fabric that the host and applications systems are running in may drastically change, the virtual network remains consistent.  No need to change source and target addresses within the application, no need for Web and Database pairs to change settings.

Virtual-network encryption

Another significant improvement in Windows Server 2019 is the ability for virtual-network traffic to be encrypted between virtual machines. Traffic encryption is not new to the industry, however having the encryption built in to the operating system as the basis of hypervisor communications, server communications and application communications provides both flexibility and that in the past was frequently done at the application layer.

Now with Vnet encryption, entire subnet communications between host servers can be protected, and all network traffic within that network is automatically encrypted. For organizations looking to ensure communications between a Web server and a database server is encrypted, Vnet encryption in Windows Server 2019 can be enabled. Since the communications is at the network/subnet level, if additional Web frontends and backend databases needed to be added, all those servers join the same encrypted communication stream, offloading the secured communications away from the application itself, improving performance and efficiency.

Some of this protection can be accomplished by isolating servers and systems on the same VLAN, but organizations can more simply and quickly encrypt the communications between systems as a method of secured communications and data protection. As organizations look to enable protection through software defined controls and eliminate complexities, configurations leveraging virtual network encryption greatly enhance security in a simplified manner.

Other SDN improvements in Windows Server 2019

A number of additional SDN features added and enhanced in Windows Server 2019 include:

• Auditing enhancements: Windows Server 2019’s SDN settings have an extremely helpful firewall-auditing component that can be enabled to log all network communications between SDN connections. The data available provides source and destination traffic information, and allows for ACLs on traffic to provide control, management and logging.
• Support for IPv6 in SDN configurations: Windows Server 2019 SDN provides IPv6 address configuration for virtual machines in the virtualized network environment. For organizations leveraging IPv6, or simply supporting IPv6 in system-to-system communications, the ability to enable, configure, track and manage IPv6 addresses is now built in to SDN.
• IPv6 load balancing, gateways, and firewall rules: With IPv6 support in SDN configurations in Windows Server 2019, organizations can create IPv6-supported load-balancing, gateways and firewall rules. This provides SDN controls beyond just routing IPv6 traffic, but also provides core SDN functionality supporting IPv6.
• Performance Improvements: As with most updates, there are always improvement in simplifying tasks and improving performance, and in the case of the SDN in Windows Server 2019, there are improvements in overall ease of configuration and performance. One significant area to note from early implementations is a 2x to 3x performance improvement in the SDN Gateway, particularly in IPsec VPN tunnel communications. These also decrease CPU utilization and thus will allow SDN to scale more significantly for large scale environments.

Windows Server 2019 resources:

• Windows Server 2019 Preview bits
• Step-by-step guidance on configuration encryption for a virtual subnet
• To configure Access Control Lists (ACLs) to manage datacenter network traffic flow
• Microsoft’s documentation on Software Defined Networking