What’s New in Windows Server “8” Beta for Hyper-V (Part 2)
Damir Bersinic, Senior Platform Advisor, Microsoft Canada
[email protected] | Twitter: @DamirB | http://blogs.technet.com/b/canitpro
Session Objectives and Takeaways
• Why Windows Server "8" Hyper-V for Private Cloud
• What did we learn from you and our Partners?
• Networking
• Hyper-V VM Mobility
• Critical Cloud Security
• Hyper-V Replica
The Definitive Platform for Cloud:
Windows Server “8”.
Windows Server "8" Networking
Network Considerations
Customers ask:
• How do I ensure network multi-tenancy?
• IP Address Management is a pain.
• What if VMs are competing for bandwidth?
• Fully leverage the network fabric
• How do I integrate with existing fabric?
• Network metering?
• Can I dedicate a NIC to a workload?
Hybrid Clouds
Windows Server "8" is optimized for Hybrid Clouds to host multi-tenant workloads.
(Diagram: a data center hosting Tenant 1 and Tenant 2, each with multiple VM workloads.)
Security
In a multi-tenant environment … customers want security and isolation.
(Diagram: Tenant 1 and Tenant 2 VM workloads sharing one data center.)
Multi-Tenant Network Requirements
• Tenant wants to easily move VMs to/from the cloud
• Hoster wants to place VMs anywhere in the data center
• Both want: easy onboarding, flexibility & isolation
(Diagram: a cloud data center hosting Woodgrove Bank (Blue, 10.1.0.0/16) and Contoso Bank (Red, 10.1.0.0/16), two tenants that bring the same IP address space.)
One Solution: PVLAN
• Isolation Scenario
  • Hoster wants to isolate all VMs from each other and allow internet connectivity
  • #1 customer ask from hosters
• Community Scenario
  • Hoster wants tenant VMs to interact with each other but not with other tenant VMs
  • Requires a VLAN ID for each “community” (limited scalability, only 4095 VLAN IDs)
(Diagram: a Windows "8" host whose Hyper-V Switch connects VMs Blue 10.1.1.21, Red1 10.1.1.11, Red2 10.1.1.12 and Green 10.1.1.31 to the Internet via 10.1.1.1. Blue and Green are isolated ports (primary VLAN 4, secondary VLAN 7); Red1 and Red2 form a community (primary VLAN 4, secondary VLAN 9).)
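The PVLAN layout on the diagram expressed as Hyper-V PowerShell, added here as an example; it is not from the deck and not a Microsoft sample. It uses the cmdlet and parameter names of the Hyper-V module as released in Windows Server 2012 (the Beta's names may differ) and assumes VMs named after the diagram (Blue, Red1, Red2, Green) already attached to a switch whose upstream physical port is PVLAN-aware.

```powershell
# Added example, not from the deck. Assumes the Windows Server 2012 Hyper-V module and
# VMs named Blue, Red1, Red2 and Green (the diagram's names) already attached to a switch.
# VLAN IDs are the slide's: primary 4, isolated secondary 7, community secondary 9.

$isolatedVMs  = @('Blue', 'Green')   # one VM per tenant: may reach the gateway, never each other
$communityVMs = @('Red1', 'Red2')    # two VMs of one tenant: may reach each other and the gateway

foreach ($vm in $isolatedVMs) {
    # Isolated port: frames are forwarded only to promiscuous ports (the 10.1.1.1 gateway side).
    Set-VMNetworkAdapterVlan -VMName $vm -Isolated -PrimaryVlanId 4 -SecondaryVlanId 7
}

foreach ($vm in $communityVMs) {
    # Community port: frames reach the other members of secondary VLAN 9 and the promiscuous ports.
    Set-VMNetworkAdapterVlan -VMName $vm -Community -PrimaryVlanId 4 -SecondaryVlanId 9
}

# If a VM (rather than the upstream physical router) acted as the shared gateway or firewall it would
# need a promiscuous port that sees both secondary VLANs. Hypothetical VM name 'Gateway':
# Set-VMNetworkAdapterVlan -VMName 'Gateway' -Promiscuous -PrimaryVlanId 4 -SecondaryVlanIdList '7,9'
# With the gateway upstream, as on the slide, the physical switch port is the promiscuous side instead.

# Verify: each adapter should show PrivateVlanMode Isolated or Community with the expected pair.
# A VM left in Untagged mode bypasses the isolation entirely, so the report should list every VM.
function Get-PvlanReport {
    Get-VMNetworkAdapterVlan -VMName ($isolatedVMs + $communityVMs) |
        Select-Object @{ n = 'VM'; e = { $_.ParentAdapter.VMName } },
                      OperationMode, PrivateVlanMode, PrimaryVlanId, SecondaryVlanId
}
Get-PvlanReport | Format-Table -AutoSize
```

The verification step is the part worth keeping in a hoster's runbook: PVLAN isolation is only as good as the last port that was configured, and a port reporting `Untagged` is a tenant that can reach everyone.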
Introducing Hyper-V Network Virtualization
(Diagram: a Woodgrove VM and a Contoso VM on one physical server, each attached to its own virtual network (Woodgrove network, Contoso network) running over one physical network.)
Hyper-V Machine Virtualization
• Run multiple virtual servers on a physical server
• Each VM has the illusion it is running as a physical server
Hyper-V Network Virtualization
• Run multiple virtual networks on a physical network
• Each virtual network has the illusion it is running as a physical fabric
Reliability
Even when hardware fails … customers want continuous availability.
(Diagram: Tenant 1 and Tenant 2 VM workloads in a data center, with NIC teaming.)
Predictability
Even when multiple VMs are competing for bandwidth … customers want predictability.
(Diagram: Tenant 1 and Tenant 2 VM workloads in a data center, paying different prices for different bandwidth shares.)
Scalability
Cloud admins want scalability … and customers want performance.
(Diagram: Tenant 1 and Tenant 2 VM workloads in a data center.)
Extensibility
Customers want specialized functionality with lots of choice … for firewalls, monitoring and physical fabric integration.
(Diagram: Tenant 1 and Tenant 2 VM workloads in a data center.)
Hyper-V Extensible Switch
(Diagram: in the root partition the Extensible Switch sits between the physical NIC and the host NIC and the VM NICs of VM1 and VM2. The extension stack runs from the Extension Protocol through Capture, WFP, Filtering and Forwarding extensions to the Extension Miniport; WFP extensions call out to the Filtering Engine and the BFE service firewall.)
• Capture extensions can inspect traffic and generate new traffic for reporting purposes
  • Capture extensions do not modify existing Extensible Switch traffic
  • Example: sFlow by InMon
• Windows Filtering Platform (WFP) extensions can inspect, drop, modify, and insert packets using WFP APIs
  • Windows antivirus and firewall software uses WFP for traffic filtering
  • Example: Virtual Firewall by 5NINE Software
• Filtering extensions can also be implemented using NDIS filtering APIs
  • Example: VM DoS Prevention by Broadcom
• Forwarding extensions direct traffic, defining the destination(s) of each packet
  • Forwarding extensions can capture and filter traffic
  • Examples: Cisco Nexus 1000V and UCS; NEC ProgrammableFlow's vPFS (OpenFlow)
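An added example of inventorying and controlling the extension stack described above from PowerShell; it is not from the deck. It uses the Windows Server 2012 Hyper-V module (Beta names may differ); the switch name is an assumption, and the in-box WFP extension's display name is the one the released module shows.

```powershell
# Added example, not from the deck. Windows Server 2012 Hyper-V cmdlet names; switch name assumed.
$switchName = 'TenantSwitch'

# Every extension bound to the switch, its type (Capture, Filter or Forwarding), and whether it is
# both enabled and actually running. "Enabled but not Running" is the state to look for after a
# driver update or a failed load: the policy exists but nothing is enforcing it.
function Get-SwitchExtensionReport([string]$Switch) {
    Get-VMSwitchExtension -VMSwitchName $Switch |
        Select-Object Name, Vendor, Version, ExtensionType, Enabled, Running
}
Get-SwitchExtensionReport $switchName | Format-Table -AutoSize

# The in-box WFP extension is the path virtual-port ACLs use; it is enabled by default on a new
# switch, so re-enable it explicitly if an audit shows it off.
Enable-VMSwitchExtension -VMSwitchName $switchName -Name 'Microsoft Windows Filtering Platform'

# Only one forwarding extension can be active per switch, because exactly one component may decide
# each packet's destination. Flag a switch where more than one is enabled.
function Test-SingleForwardingExtension([string]$Switch) {
    $forwarding = @(Get-VMSwitchExtension -VMSwitchName $Switch |
        Where-Object { $_.ExtensionType -eq 'Forwarding' -and $_.Enabled })
    return $forwarding.Count -le 1
}
if (-not (Test-SingleForwardingExtension $switchName)) {
    Write-Warning "$switchName has more than one forwarding extension enabled"
}
```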
Feature Rich Networking in the Box
• Open, Extensible Virtual Switch
  • Nexus 1000 support
  • OpenFlow support
  • Network introspection
  • Much more…
• Advanced Networking
  • ACLs
  • PVLAN
  • …much more…
• Windows NIC Teaming
• SR-IOV Network Support
  • Reduce latency & CPU utilization
  • Supports Live Migration
• Network QoS
  • Per-vNIC bandwidth reservation & limits
• Network Metering
Single-Root I/O Virtualization (SR-IOV)
• Reduces latency of the network path
• Reduces CPU utilization for processing network traffic
• Increases throughput
• Direct device assignment to virtual machines without compromising flexibility
• Supports Live Migration
(Diagram: network I/O path without SR-IOV: Physical NIC → Hyper-V Switch in the root partition (routing, VLAN filtering, data copy) → VMBus → virtual NIC in the virtual machine. With SR-IOV: a Virtual Function of the SR-IOV physical NIC is mapped directly into the virtual machine's network stack; the software NIC remains, but the software path is not used.)
SR-IOV Enabling & Live Migration
Turn on IOV:
1. Enable IOV (VM NIC property)
2. Virtual Function is “assigned”
3. A “team” of the software NIC and the Virtual Function is automatically created inside the VM
4. Traffic flows through the VF
Live Migration:
1. Break the team
2. Remove the VF from the VM
3. Migrate as normal
Post migration:
1. Reassign a Virtual Function, assuming resources are available
The VM has connectivity even if:
• the destination switch is not in IOV mode
• no IOV physical NIC is present
• the NIC vendor is different
• the NIC firmware is different
(Diagram: source and destination hosts, each with a Software Switch (IOV mode) on an SR-IOV physical NIC; the VM's “team” of software NIC and Virtual Function moves between them.)
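The enabling and migration sequence above as an added PowerShell example (not from the deck, not a Microsoft sample). It uses Windows Server 2012 cmdlet names, which may differ from the Beta; the physical NIC, switch, VM and destination host names are assumptions, and migration is assumed to be enabled on both hosts with the VM's storage reachable from the destination.

```powershell
# Added example, not from the deck. Windows Server 2012 cmdlet names; NIC, switch, VM and host
# names are assumptions.
$nic = 'NIC-SRIOV'; $switch = 'IovSwitch'; $vm = 'Red1'; $dest = 'HV-HOST02'

# 1. The adapter (and the host firmware/IOMMU) must support SR-IOV; enable it on the adapter.
Get-NetAdapterSriov -Name $nic | Select-Object Name, SriovSupport, NumVFs
Enable-NetAdapterSriov -Name $nic

# 2. IOV mode is chosen when the switch is created and cannot be switched on later. An SR-IOV
#    switch cannot be built on a host NIC team; for redundancy, team two VFs inside the guest instead.
New-VMSwitch -Name $switch -NetAdapterName $nic -EnableIov $true -AllowManagementOS $false
$sw = Get-VMSwitch -Name $switch
if ($sw.IovSupport -ne $true) { throw "SR-IOV not usable on ${switch}: $($sw.IovSupportReasons)" }

# 3. Enable IOV on the VM NIC (the slide's "VM NIC property" step). A non-zero IovWeight requests a
#    VF; the software NIC stays attached, so the VM keeps connectivity whenever no VF is available.
Connect-VMNetworkAdapter -VMName $vm -SwitchName $switch
Set-VMNetworkAdapter -VMName $vm -IovWeight 100 -IovQueuePairsRequested 1 -AllowTeaming On

function Get-VfStatus([string]$VMName, [string]$ComputerName = $env:COMPUTERNAME) {
    # IovUsage is 1 while a Virtual Function is assigned, 0 while traffic takes the software path.
    Get-VMNetworkAdapter -VMName $VMName -ComputerName $ComputerName |
        Select-Object VMName, SwitchName, IovWeight, IovUsage, Status
}
Get-VfStatus $vm

# 4. Live Migration: Hyper-V breaks the guest team, removes the VF, migrates, then reassigns a VF on
#    the destination if one is free. If the destination switch is not in IOV mode (or has a different
#    NIC), IovUsage simply stays 0 and the VM runs on the software path, still connected.
Move-VM -Name $vm -DestinationHost $dest
Get-VfStatus $vm $dest
```

The check on `IovSupportReasons` is the one most often skipped: a switch can be created with `-EnableIov $true` on hardware where IOV is not actually usable, and the VM then silently runs on the software path while the admin believes it is offloaded.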
Cloud Admins Want Scale, Customers Want Perf
DVMQ, IPsec Task Offload, SR-IOV
IPsec Task Offload: Microsoft expects deployment of Internet Protocol security (IPsec) to increase significantly in the coming years. The large demands placed on the CPU by the IPsec integrity and encryption algorithms can reduce the performance of your network connections. IPsec Task Offload is a technology built into the Windows operating system that moves this workload from the main computer's CPU to a dedicated processor on the network adapter.
SR-IOV is a specification that allows a PCIe device to appear to be multiple separate physical PCIe devices. The SR-IOV specification was created and is maintained by the PCI SIG, with the idea that a standard specification will help promote interoperability. SR-IOV works by introducing the idea of physical functions (PFs) and virtual functions (VFs). Physical functions (PFs) are full-featured PCIe functions; virtual functions (VFs) are “lightweight” functions that lack configuration resources.
Dynamic Virtual Machine Queue (VMQ) is a feature available to computers running Windows Server 2008 R2 with the Hyper-V server role installed, that have VMQ-capable network hardware. VMQ uses hardware packet filtering to deliver packet data from an external virtual machine network directly to virtual machines, which reduces the overhead of routing packets and copying them from the management operating system to the virtual machine.
Advanced Network Security
DHCP Guard, Router Guard, Monitor Port
• DHCP Guard is a security feature that drops DHCP server messages from unauthorized virtual machines pretending to be DHCP servers.
• Router Guard is a security feature that drops Router Advertisement and Redirection messages from unauthorized virtual machines pretending to be routers.
• Monitor Mode duplicates all egress and ingress traffic to/from one or more switch ports (being monitored) to another switch port (performing monitoring).
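The three features above, together with the MAC spoofing protection and virtual port ACLs listed elsewhere in the deck, applied to a set of tenant ports. This is an added example, not from the deck; it uses Windows Server 2012 cmdlet names (the Beta's may differ), and the VM names, the tenant subnet and the sensor VM are assumptions.

```powershell
# Added example, not from the deck. Windows Server 2012 Hyper-V cmdlets; VM names, the tenant
# subnet and the sensor VM are assumptions.
$tenantVMs = @('Red1', 'Red2', 'Blue', 'Green')   # hypothetical tenant VMs
$sensorVM  = 'NetSensor'                          # hypothetical VM running the monitoring tool
$tenantNet = '10.1.1.0/24'                        # hypothetical tenant subnet

# Per-port hardening: the tenant VM cannot impersonate the DHCP server or the router, cannot forge
# source MACs, and a copy of its traffic goes to the monitoring port (the slide's Monitor Mode).
$hardening = @{
    DhcpGuard          = 'On'      # drop DHCP server messages (OFFER/ACK) originating from this VM
    RouterGuard        = 'On'      # drop Router Advertisements and ICMP Redirects from this VM
    MacAddressSpoofing = 'Off'     # only the adapter's assigned MAC may appear as a source address
    PortMirroring      = 'Source'  # mirror this port's ingress and egress
}
foreach ($vm in $tenantVMs) { Set-VMNetworkAdapter -VMName $vm @hardening }

# The sensor VM receives the mirrored copies; it must be on the same virtual switch.
Set-VMNetworkAdapter -VMName $sensorVM -PortMirroring Destination

# Virtual port ACLs (the "ACLs" item of the Advanced Networking slide). The most specific prefix wins,
# so a /0 deny plus a narrower allow yields "inbound from the tenant subnet only".
foreach ($vm in $tenantVMs) {
    Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 0.0.0.0/0 -Direction Inbound -Action Deny
    Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress $tenantNet -Direction Inbound -Action Allow
}

# Audit: list tenant ports where a guard is off or spoofing is still allowed (empty output = compliant).
function Get-PortHardeningGaps([string[]]$VMNames) {
    Get-VMNetworkAdapter -VMName $VMNames |
        Where-Object { $_.DhcpGuard -ne 'On' -or $_.RouterGuard -ne 'On' -or $_.MacAddressSpoofing -ne 'Off' } |
        Select-Object VMName, DhcpGuard, RouterGuard, MacAddressSpoofing, PortMirroringMode
}
Get-PortHardeningGaps $tenantVMs | Format-Table -AutoSize
Get-VMNetworkAdapterAcl -VMName $tenantVMs | Format-Table -AutoSize
```

The audit function is the reusable piece: run it against every VM on a host after provisioning, since a VM imported or created by another tool arrives with the guards off.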
Manage to a Service Level Agreement
Network Bandwidth & QoS
• Bandwidth Management allows you to easily reserve minimums or set maximums, providing QoS controls to manage to a service level agreement.
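An added example (not from the deck) that builds the pieces the Reliability and QoS slides describe: an in-box NIC team, a switch in absolute bandwidth mode, per-vNIC minimum reservations and maximum caps, and network metering. It uses Windows Server 2012 cmdlet names, which may differ from the Beta; the adapter, team, switch and VM names, the tier values and the 10 Gbit/s link speed are assumptions.

```powershell
# Added example, not from the deck. Windows Server 2012 cmdlets; names, tiers and link speed assumed.
$mbps = 1000000   # the bandwidth parameters are in bits per second

# Windows NIC Teaming in the box: two physical NICs, switch-independent, Hyper-V port hashing,
# so a single NIC failure does not take the tenant switch down.
New-NetLbfoTeam -Name 'NIC-Team' -TeamMembers 'NIC1', 'NIC2' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort -Confirm:$false

# The bandwidth mode (Absolute or Weight) is fixed when the switch is created.
New-VMSwitch -Name 'TenantSwitch' -NetAdapterName 'NIC-Team' `
    -MinimumBandwidthMode Absolute -AllowManagementOS $false

# SLA tiers: a guaranteed minimum so a tenant is never starved, and a cap so one tenant cannot
# monopolise the link.
$tiers = @{
    'Red1'  = @{ Min = 200 * $mbps; Max = 2000 * $mbps }
    'Red2'  = @{ Min = 200 * $mbps; Max = 2000 * $mbps }
    'Blue'  = @{ Min = 100 * $mbps; Max = 1000 * $mbps }
    'Green' = @{ Min = 100 * $mbps; Max = 1000 * $mbps }
}

# Reservations only mean something if their sum fits the physical link; check before applying.
function Test-ReservationBudget([hashtable]$Tiers, [long]$LinkBps) {
    $total = 0
    foreach ($t in $Tiers.Values) { $total += $t.Min }
    return $total -le $LinkBps
}
if (-not (Test-ReservationBudget $tiers (10000 * $mbps))) {
    throw 'Minimum reservations exceed link capacity'
}

foreach ($vm in $tiers.Keys) {
    Set-VMNetworkAdapter -VMName $vm -MinimumBandwidthAbsolute $tiers[$vm].Min `
                         -MaximumBandwidth $tiers[$vm].Max
}

# Network metering: count tenant-local and everything-else bytes separately per VM (Meter ACLs),
# then read the counters back for chargeback.
foreach ($vm in $tiers.Keys) {
    Enable-VMResourceMetering -VMName $vm
    Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 10.1.0.0/16 -Direction Both -Action Meter
    Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 0.0.0.0/0  -Direction Both -Action Meter
}
Measure-VM -VMName ([string[]]$tiers.Keys) |
    Select-Object VMName, NetworkMeteredTrafficReport | Format-List
```

Absolute mode is easier to map onto a written SLA; weight mode is the better fit when the physical link speed may change under the switch, since the shares then rescale automatically.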
Windows 8 Networking: It’s All There
Feature rich, extensible, in the box, no compromises

Feature | Windows Server 2008 | Windows Server 2008 R2 | Windows Server "8" Beta
NIC Teaming | Yes, via partners | Yes, via partners | Windows NIC Teaming in box
VLAN Tagging | Yes | Yes | Yes
MAC Spoofing Protection | No | Yes, with R2 SP1 | Yes
ARP Spoofing Protection | No | Yes, with R2 SP1 | Yes
SR-IOV Networking | No | No | Yes
Network QoS | No | No | Yes
Network Metering | No | No | Yes
Network Monitor Modes | No | No | Yes
IPsec Task Offload | No | No | Yes
VM Trunk Mode | No | No | Yes
VMware Comparison

Capability | Windows Server “8” Beta Hyper-V | VMware ESXi 5.0 | VMware vSphere 5.0 Enterprise Plus
Extensible Switch | Yes | No | Yes (1)
Confirmed Partner Extensions | 4 | No | 2
Private Virtual LAN (PVLAN) | Yes | No | Yes (1)
ARP Spoofing Protection | Yes | No | vShield App/Partner (2)
DHCP Snooping Protection | Yes | No | vShield App/Partner (2)
Virtual Port ACLs | Yes | No | vShield App/Partner (2)
Trunk Mode to Virtual Machines | Yes | No | No
Port Monitoring | Yes | Per Port Group | Yes (3)
Port Mirroring | Yes | Per Port Group | Yes (3)

1. vSphere Distributed Switch (required for extensibility & PVLAN capability) is available only in the Enterprise Plus edition of vSphere 5.0.
2. ARP Spoofing, DHCP Snooping Protection & Virtual Port ACLs require either vShield App or a Partner solution, all of which are additional purchases on top of vSphere 5.0 Enterprise Plus.
3. Port Monitoring and Mirroring at a granular level requires vSphere Distributed Switch, which is available in the Enterprise Plus edition of vSphere 5.0.
VMware Comparison

Capability | Windows Server “8” Beta Hyper-V | VMware ESXi 5.0 | VMware vSphere 5.0 Enterprise Plus
Dynamic Virtual Machine Queue | Yes | Yes | Yes
IPsec Task Offload | Yes | No | No
SR-IOV | Yes | DirectPath I/O (1) | DirectPath I/O (1)
Storage Encryption | Yes | No | No

1. DirectPath I/O, whilst not identical to SR-IOV, aims to provide virtual machines with more direct access to hardware devices, with network cards being a good example. Whilst on the surface this will boost VM networking performance and reduce the burden on host CPU cycles, in reality there are a number of caveats in using DirectPath I/O:
• Very small Hardware Compatibility List
• No Memory Overcommit
• No vMotion (unless running certain configurations of Cisco UCS)
• No Fault Tolerance
• No Network I/O Control
• No VM Snapshots (unless running certain configurations of Cisco UCS)
• No Suspend/Resume (unless running certain configurations of Cisco UCS)
• No VMsafe/Endpoint Security support
No such restrictions are imposed when using SR-IOV, ensuring customers can combine the highest levels of performance with the flexibility they need for an agile infrastructure.
Windows Server “8” Hyper-V: VM Mobility
Customers Discuss VM Mobility
• Don’t provide new features that preclude Live Migration.
• I want to be able to securely move any part of a VM anywhere at any time. No limits.
• No downtime servicing (SAN upgrades/migrations)
• When VMs migrate, move the historical data with the VM
• Fully leverage hardware to speed migrations
Virtual Machine Mobility
• Live Migration with High Availability
• SMB Live Migration
• Live Storage Migration
Live Storage Migration
• Enables storage load balancing
• No downtime servicing
• Leverages Hyper-V Offloaded Data Transfer (ODX)
(Diagram: the Hyper-V VHD stack of a running virtual machine moving its VHD from a source device to a destination device in five numbered steps.)
Wouldn’t it be great if you could Live Migrate a VM with nothing but an Ethernet cable? We think so too…
Introducing: Share Nothing Live Migration
VM Mobility
Complete mobility. Simply the best.
• Live Migration with High Availability: Live Migrate among servers in a failover cluster
• SMB Live Migration: Live Migrate VMs among servers with SMB storage
• Live Storage Migration: Live Migrate VM storage from one volume to another without downtime
• Share Nothing (SNO) Live Migration: Live Migrate VMs among servers with nothing but an Ethernet connection
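A Share Nothing Live Migration followed by a Live Storage Migration, as an added PowerShell example (not from the deck, not a Microsoft sample). Cmdlet names are those of Windows Server 2012 and may differ from the Beta; the host names, VM name, paths and the migration subnet are assumptions, and the host-side settings are meant to be applied on both hosts.

```powershell
# Added example, not from the deck. Windows Server 2012 cmdlets; host names, VM name, paths and
# the migration subnet are assumptions.
$vm = 'Red1'; $destHost = 'HV-HOST02'; $migrationNet = '10.200.0.0/24'

# Host side (run on each host): allow incoming migrations, but only over a dedicated network that
# tenants cannot reach, because the migration stream carries guest memory pages.
Enable-VMMigration
Set-VMHost -UseAnyNetworkForMigration $false `
           -VirtualMachineMigrationAuthenticationType Kerberos `
           -MaximumVirtualMachineMigrations 2 -MaximumStorageMigrations 2
Add-VMMigrationNetwork -Subnet $migrationNet
# Kerberos lets the move be started from a management workstation, but needs constrained delegation
# (Microsoft Virtual System Migration Service and cifs) on each host's computer object. CredSSP
# avoids the delegation setup but requires running the command while logged on to the source host.

# Share Nothing Live Migration: configuration, memory and every VHD move over the network to a host
# that shares neither storage nor a cluster with the source.
Move-VM -Name $vm -DestinationHost $destHost -IncludeStorage -DestinationStoragePath "D:\VMs\$vm"

# Live Storage Migration: relocate the running VM's files between volumes on one host (for example
# before retiring a LUN) with no downtime.
Move-VMStorage -VMName $vm -ComputerName $destHost -DestinationStoragePath "E:\VMs\$vm"

# Post-move check: the VM is running on the destination and its files live under the expected path.
function Test-VmMoved([string]$Name, [string]$HostName, [string]$ExpectedPath) {
    $moved = Get-VM -ComputerName $HostName -Name $Name
    return ($moved.State -eq 'Running' -and $moved.Path -like "$ExpectedPath*")
}
Test-VmMoved $vm $destHost "E:\VMs\$vm"
```

Restricting migration to a dedicated subnet is the setting that matters most from a security standpoint: with `-UseAnyNetworkForMigration $true` a host will accept the guest-memory stream on whichever interface happens to route, including a tenant-facing one.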
VMware Comparison

Capability | Windows Server “8” Beta Hyper-V | VMware ESXi 5.0 | VMware vSphere 5.0 Enterprise Plus
VM Live Migration | Yes | No (1) | Yes (2)
1GB Simultaneous Live Migrations | Unlimited (3) | N/A | 4
10GB Simultaneous Live Migrations | Unlimited (3) | N/A | 8
Live Storage Migration | Yes | No (4) | Yes (5)
Shared Nothing Live Migration | Yes | No | No
Network Virtualization | Yes | No | No

1. Live Migration (vMotion) is unavailable in ESXi 5.0; vSphere 5.0 is required.
2. Live Migration (vMotion) is available in Essentials Plus & higher editions of vSphere 5.0.
3. Within the technical capabilities of the networking hardware.
4. Live Storage Migration (Storage vMotion) is unavailable in ESXi 5.0.
5. Live Storage Migration (Storage vMotion) is available in Enterprise & Enterprise Plus editions of vSphere 5.0.
Disaster Recovery
Disaster Recovery Challenges
• Cost
• Complexity
• Inflexibility
• Initial Replication
• Distance Requirements
Hyper-V Replica
Unlimited Replication
• Disaster Recovery Scenarios:
  • Planned, Unplanned and Test Failover
  • Pre-configuration of IP settings for primary/remote location
• Key Features:
  • RPO/RTO in minutes
  • Seamless integration with Hyper-V and Clustering
  • Automatically handles all VM mobility scenarios (e.g. Live Migration)
  • Supports heterogeneous storage between primary and recovery
  • Integrates with Volume Shadow Copy Service (VSS)
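The Replica scenarios above (setup on both sides, failover IP pre-configuration, initial replication, test failover) as an added PowerShell example; it is not from the deck and not a Microsoft sample. It uses Windows Server 2012 cmdlet names, which may differ from the Beta; the host names, VM name, storage paths, trust group and failover IP settings are assumptions.

```powershell
# Added example, not from the deck. Windows Server 2012 cmdlet names; hosts, VM, paths and
# failover IP settings are assumptions.
$vm = 'Red1'; $primary = 'hv-primary01.contoso.local'; $replica = 'hv-replica01.contoso.local'

# --- On the Replica server (recovery site) ---
# Accept replication only from explicitly authorised primaries. Kerberos (HTTP/80) is fine inside one
# forest; across domains or an untrusted link use Certificate authentication (HTTPS/443), which also
# encrypts the replication stream.
Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Kerberos `
    -ReplicationAllowedFromAnyServer $false -KerberosAuthenticationPort 80
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer $primary `
    -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'TenantRed'
# Trust groups matter on a multi-tenant replica host: a VM may only move between primaries that
# share the same group.

# --- On the primary server ---
# RecoveryHistory keeps additional recovery points; VSSSnapshotFrequency (hours) adds
# application-consistent points via the guest's VSS writers on top of the 5-minute crash-consistent ones.
Enable-VMReplication -VMName $vm -ReplicaServerName $replica -ReplicaServerPort 80 `
    -AuthenticationType Kerberos -RecoveryHistory 4 -VSSSnapshotFrequency 4 -CompressionEnabled $true

# Pre-configure the IP settings the VM should come up with at the recovery site (the slide's
# "pre-configuration of IP settings"); values are hypothetical.
Set-VMNetworkAdapterFailoverConfiguration -VMName $vm -IPv4Address 10.2.1.11 `
    -IPv4SubnetMask 255.255.255.0 -IPv4DefaultGateway 10.2.1.1
Start-VMInitialReplication -VMName $vm

function Get-ReplicationHealth([string]$VMName) {
    Get-VMReplication -VMName $VMName |
        Select-Object VMName, State, Health, ReplicaServer, LastReplicationTime
}
Get-ReplicationHealth $vm

# --- Test failover, on the Replica server ---
# Creates an isolated copy named "<VM> - Test" so DR can be rehearsed without touching the real
# replica or the primary; Stop-VMFailover removes the test copy afterwards.
Start-VMFailover -VMName $vm -AsTest -Confirm:$false
Start-VM -Name "$vm - Test"
Stop-VMFailover -VMName $vm
```

Leave the test VM disconnected from production networks (or attach it to a dedicated test switch) before starting it; it carries the production VM's identity and addresses.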
Hyper-V Replica
Complements Array Based Replication

Replication Provider | Cost | Management | Performance
Hyper-V Replica (Microsoft) | Flexible storage options available; unlimited VM replication included | VM granularity; open APIs provide extensibility, interoperability and prevent vendor lock-in | 5 minute RPOs; application level consistency; file level consistency
Storage Based Replication (NetApp, HP, Fujitsu, IBM, Hitachi, FalconStor, 3Par, EMC, LSI, Compellent, EqualLogic and more…) | High end replicating storage; additional replication software | LUN-VM layout; coordination with storage team | Synchronous replication; high data volumes
VMware Comparison

Capability | Windows Server “8” Beta Hyper-V | VMware ESXi 5.0 | VMware vSphere 5.0 Enterprise Plus
Incremental Backups | Yes | No | Yes (1)
VM Replication | Yes | No | vCenter SRM (2)
NIC Teaming | Yes | Yes | Yes
Integrated High Availability | Yes | No (3) | Yes (4)
Guest OS Application Monitoring | Yes | N/A | No (5)
Failover Prioritization | Yes | N/A | Yes (6)
Affinity & Anti-Affinity Rules | Yes | N/A | Yes (6)
Cluster-Aware Updating | Yes | N/A | Yes (6)

1. VMware Data Recovery is available in Essentials Plus and higher vSphere 5.0 editions.
2. vSphere Replication is a feature of VMware vCenter Site Recovery Manager (SRM), which is available in 2 editions and is a chargeable addition to vSphere 5.0.
3. ESXi 5.0 has no high availability features built in; vSphere 5.0 is required.
4. VMware HA is built in to Essentials Plus and higher vSphere 5.0 editions.
5. VMware have made APIs publicly available, but actual application monitoring is not included.
6. Features available in all editions that have High Availability enabled.
VMware Comparison

Capability | Windows Server “8” Beta Hyper-V | VMware ESXi 5.0 | VMware vSphere 5.0 Enterprise Plus
Nodes per Cluster | 64 | N/A (1) | 32
VMs per Cluster | 4,000 | N/A (1) | 3000
Max Size Guest Cluster (iSCSI) | 64 Nodes | 0 (2) | 0 (2)
Max Size Guest Cluster (Fiber) | 64 Nodes | 2 | 2
Max Size Guest Cluster (File Based) | 64 Nodes | 0 (3) | 0 (3)
Guest Clustering with Live Migration Support | Yes | N/A (1) | No (4)
Guest Clustering with Dynamic Memory Support | Yes | No (5) | No (5)

1. High Availability/vMotion/Clustering is unavailable in the standalone ESXi 5.0.
2. VMware does not support VM Guest Clustering using iSCSI storage.
3. VMware does not support VM Guest Clustering using File Based Storage, i.e. NFS.
4. VMware does not support the vMotion of a VM that is part of a Guest Cluster.
5. VMware does not support the use of Memory Overcommit with a VM that is part of a Guest Cluster.
Why Windows Server "8" Hyper-V for Private Cloud?
Windows Server "8" for Cloud• Most Manageable & Extensible• Hyper-V Extensible Switch• New Minimal Server Install (MinShell)• PowerShell Flexibility• HTTP• WSMan• DCOM
• Persistent Metrics• Maintenance Mode in the Box
Windows Server "8" for Cloud• Most Scalable• Largest Virtual Disks• Native 4K disk support• Most NICs per Team• Most Virtual Disks per VM• Most Nodes per cluster• Most VMs per cluster
Windows Server "8" for Cloud• Most Secure• BitLocker integration with Failover Cluster• Secure Guest Fiber Channel• DHCP Guard, Router Guard• IPSec Task Offload• Secure Boot, Attestation, Measured Boot• Simple Authentication
Windows Server "8" for Cloud• Complete VM Mobility & In the Box• Share Nothing Live Migration• SMB Live Migration• Live Migration with High Availability• Live Storage Migration• Concurrent Live Migration• Concurrent Live Storage Migration
Windows Server "8" for Cloud• Most Feature Rich,
All Server Editions include:1. Hyper-V Extensible Virtual
Switch2. Hyper-V Replica3. Live Storage Migration4. Network I/O Control5. Storage I/O Control6. SR-IOV
• More…7. Hyper-V Resource
Pools8. Hyper-V Offloaded
Data Transfer9. GPU Accelerated VM
Video10.….And…
Hyper-V Network Virtualization
We Didn’t Even Get To…
• New CPU Instruction Support
• Dynamic Memory 2.0
• Network Resource Pools
• Storage Resource Pools
• Persistent Metrics
• Secure Boot, Measured Boot, Attestation
• Simple Authorization
• In Box Maintenance Mode
• Configurable Saved States
• VDI
• RemoteFX 2.0
• Just scratching the surface…
In Review: Session Objectives and Takeaways
• Windows Server "8": The Definitive Cloud OS• Designed for Mission Critical, Scale Up• New Rich Industry Leading Networking• Hyper-V Extensible Switch• Hyper-V Network Virtualization
• Unparalleled VM Mobility• Share Nothing Live Migration
• Unlimited VM Replication with Hyper-V Replica
Next Steps in Your Journey
Download Windows Server “8” Beta
• http://technet.microsoft.com/en-us/evalcenter/hh670538
Microsoft Virtual Academy
• http://www.microsoftvirtualacademy.com
Download System Center 2012 RC Eval
http://technet.microsoft.com/en-ca/evalcenter/hh505660.aspx
Microsoft Virtualization Certifications
Exam Number and Title | Core Exam for the Following Track
70-659, TS: Windows Server 2008 R2, Server Virtualization | Microsoft Certified Technology Specialist (MCTS)
70-669, TS: Windows Server 2008 R2, Desktop Virtualization | Microsoft Certified Technology Specialist (MCTS)
70-693, PRO: Virtualization Administrator 2008 R2 | Microsoft Certified IT Professional (MCITP)
http://www.microsoft.com/learning/
Q & A
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.