Introduction to Software-Defined Networking on Windows Server 2019

Software-Defined Networking (SDN) in Windows Server 2019 provides a programmable network infrastructure that decouples network configuration from the underlying hardware. Windows Server 2019 SDN, part of the Microsoft SDN stack, includes Network Controller (NC), Software Load Balancer (SLB), Windows Server Gateway (WSG), and Hyper-V Network Virtualisation (HNV). Together these components allow administrators to automate network provisioning, centralise policy management, and build multi-tenant virtualised networks.

SDN is typically deployed in large organisations, cloud providers, or organisations building hybrid cloud infrastructure. The Network Controller is the management plane that provides a centralised API (via RESTful interfaces) for creating and managing virtual networks, load balancers, gateways, and access control lists. This guide covers the foundational setup of the SDN infrastructure on Windows Server 2019.

SDN Infrastructure Prerequisites

SDN on Windows Server 2019 requires Hyper-V hosts running Windows Server 2019 Datacenter, Active Directory, DNS, a management IP network, and a dedicated VLAN for the SDN management plane. The minimum deployment requires three Network Controller nodes for high availability, two SLB MUX nodes, and two gateway nodes, in addition to your compute Hyper-V hosts.

All Hyper-V hosts need the following features installed:

Install-WindowsFeature -Name Hyper-V, Failover-Clustering, Data-Center-Bridging, RSAT-Clustering-PowerShell, Hyper-V-PowerShell, WindowsServerBackup -IncludeManagementTools -Restart

Create a Switch Embedded Teaming (SET) virtual switch on each host over the RDMA-capable NICs that carry storage and SDN traffic, keeping the management OS off it:

New-VMSwitch -Name "SDNSwitch" -NetAdapterName "RDMA NIC 1","RDMA NIC 2" -EnableEmbeddedTeaming $true -AllowManagementOS $false
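As an added example (not part of the original guide), the following function audits a host against the prerequisites just listed before it is handed to Network Controller. The feature list mirrors the Install-WindowsFeature call above; the switch name "SDNSwitch" and the expectation of two RDMA team members are assumptions taken from this page.

```powershell
# Added example: audit a Hyper-V host against the SDN prerequisites described above.
# Assumes the feature names from the Install-WindowsFeature call and a SET switch named "SDNSwitch".
function Test-SdnHostPrerequisites {
    param(
        [string[]]$RequiredFeatures = @("Hyper-V","Failover-Clustering","Data-Center-Bridging",
                                        "RSAT-Clustering-PowerShell","Hyper-V-PowerShell"),
        [string]$SwitchName = "SDNSwitch",
        [int]$MinimumTeamMembers = 2
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Every required role/feature is installed
    foreach ($name in $RequiredFeatures) {
        $feature = Get-WindowsFeature -Name $name -ErrorAction SilentlyContinue
        if (-not $feature -or -not $feature.Installed) { $problems.Add("Feature not installed: $name") }
    }

    # 2. The SDN switch exists, is a SET switch, and the management OS is not attached to it
    $switch = Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue
    if (-not $switch) {
        $problems.Add("Virtual switch '$SwitchName' not found")
    } else {
        if (-not $switch.EmbeddedTeamingEnabled) {
            $problems.Add("'$SwitchName' is not a Switch Embedded Teaming (SET) switch")
        }
        $mgmtAdapters = @(Get-VMNetworkAdapter -ManagementOS -ErrorAction SilentlyContinue |
                          Where-Object SwitchName -eq $SwitchName)
        if ($mgmtAdapters.Count -gt 0) {
            $problems.Add("Management OS adapters attached to '$SwitchName': $($mgmtAdapters.Name -join ', ')")
        }

        # 3. Team membership and RDMA state of each physical NIC backing the switch
        $team    = Get-VMSwitchTeam -Name $SwitchName -ErrorAction SilentlyContinue
        $members = @($team.NetAdapterInterfaceDescription)
        if ($members.Count -lt $MinimumTeamMembers) {
            $problems.Add("'$SwitchName' has $($members.Count) member NIC(s); expected at least $MinimumTeamMembers")
        }
        foreach ($desc in $members) {
            $rdma = Get-NetAdapterRdma -InterfaceDescription $desc -ErrorAction SilentlyContinue
            if (-not $rdma -or -not $rdma.Enabled) { $problems.Add("RDMA not enabled on team member '$desc'") }
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Ready        = ($problems.Count -eq 0)
        Problems     = $problems.ToArray()
    }
}

# Usage: run on each candidate host (locally or via Invoke-Command) and hold back any host
# whose Ready property is $false until the listed problems are fixed.
Test-SdnHostPrerequisites | Format-List
```

The management-OS check matters because the page deliberately creates the switch with -AllowManagementOS $false: a host vNIC on the tenant data-plane switch would put the management plane inside the same broadcast domain that tenant workloads reach.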

Installing and Configuring Network Controller

Install the Network Controller feature on the three NC VMs (Windows Server 2019 Datacenter):

Install-WindowsFeature -Name NetworkController -IncludeManagementTools -Restart

Configure the Network Controller cluster. First, create the NC node objects on the first NC node:

$NodeFQDN = @("NC01.contoso.com","NC02.contoso.com","NC03.contoso.com")

$nodes = @()
foreach ($fqdn in $NodeFQDN) {
    $NodeObject = New-NetworkControllerNodeObject -Name ($fqdn.split(".")[0]) -Server $fqdn -FaultDomain "fd:/rack1" -RestInterface "Ethernet"
    $nodes += $NodeObject
}

# THUMBPRINT is the thumbprint of the certificate NC uses to encrypt stored credentials
Install-NetworkControllerCluster -Node $nodes -ClusterAuthentication Kerberos -ManagementSecurityGroup "CONTOSO\NC Managers" -CredentialEncryptionCertificate (Get-Item Cert:\LocalMachine\My\THUMBPRINT)

Install the Network Controller application on the cluster:

Install-NetworkController -Node $nodes -ClientAuthentication Kerberos -ClientSecurityGroup "CONTOSO\NC Admins" -RestIpAddress "192.168.1.90/24" -PassThru

Verify the Network Controller is responding:

Get-NetworkController
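Get-NetworkController on its own only shows the application settings. As an added example (not part of the original guide), the function below runs on one NC node and combines the cluster state, node health, the authentication settings chosen above, and a read-only probe of the REST endpoint into a single report. The REST name "nc01.contoso.com" and the expectation of three nodes come from this page; the /networking/v1/servers path is the standard NC REST server collection.

```powershell
# Added example: one-shot health and configuration check for the Network Controller cluster.
# Run on an NC node as a member of the management security group.
function Test-NetworkControllerHealth {
    param(
        [string]$RestName = "nc01.contoso.com",   # assumed from this page
        [int]$ExpectedNodes = 3                   # the page's minimum for high availability
    )
    $report = [ordered]@{}

    # Cluster layer: membership and the authentication used between nodes
    $cluster = Get-NetworkControllerCluster
    $report.ClusterAuthentication   = $cluster.ClusterAuthentication
    $report.ManagementSecurityGroup = $cluster.ManagementSecurityGroup

    $nodes = @(Get-NetworkControllerNode)
    $report.NodesTotal = $nodes.Count
    $report.NodesUp    = @($nodes | Where-Object Status -eq "Up").Count
    $report.NodesDown  = @($nodes | Where-Object Status -ne "Up" | ForEach-Object Name)

    # Application layer: who may call the REST API and how callers authenticate
    $nc = Get-NetworkController
    $report.ClientAuthentication = $nc.ClientAuthentication
    $report.ClientSecurityGroup  = $nc.ClientSecurityGroup
    $report.RestIPAddress        = $nc.RestIPAddress

    # REST probe with the caller's Kerberos identity; no credentials are embedded in the script
    try {
        $resp = Invoke-RestMethod -Uri "https://$RestName/networking/v1/servers" -Method Get -UseDefaultCredentials
        $report.RestReachable     = $true
        $report.RegisteredServers = @($resp.value).Count
    } catch {
        $report.RestReachable = $false
        $report.RestError     = $_.Exception.Message
    }

    # Healthy only if every node is up, the quorum size is met, Kerberos is enforced on both
    # layers, and the REST endpoint answered
    $report.Healthy = ($report.NodesUp -eq $report.NodesTotal) -and
                      ($report.NodesTotal -ge $ExpectedNodes) -and
                      ($report.ClusterAuthentication -eq "Kerberos") -and
                      ($report.ClientAuthentication -eq "Kerberos") -and
                      $report.RestReachable
    [pscustomobject]$report
}

Test-NetworkControllerHealth | Format-List
```

A failed TLS handshake on the probe usually means the REST certificate does not match the name in -Uri; the report surfaces that in RestError rather than silently treating the endpoint as down.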

Configuring the SDN Physical Network Fabric

Register Hyper-V hosts with the Network Controller so NC can manage their virtual switches and policies. On each Hyper-V host, configure the NC connection:

$uri = "https://nc01.contoso.com"
$credential = Get-Credential

# Allow WinRM on this host to trust the NC node it will be managed from
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "NC01.contoso.com" -Force

# Point the NC Host Agent at the Network Controller
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NcHostAgent\Parameters" -Name "Connections" -Value $uri -PropertyType MultiString -Force

Register the physical host with Network Controller via REST:

$serverProperties = New-Object Microsoft.Windows.NetworkController.ServerProperties
$serverProperties.Connections = @()

$conn = New-Object Microsoft.Windows.NetworkController.Connection
$conn.ManagementAddresses = @("192.168.1.51")
# Reference a credential resource that must already exist in Network Controller
$conn.Credential = New-Object Microsoft.Windows.NetworkController.Credential
$conn.Credential.ResourceRef = "/credentials/hostagent-credential"
$conn.CredentialType = "UsernamePassword"
$serverProperties.Connections += $conn

New-NetworkControllerServer -ConnectionUri $uri -ResourceId "HyperVHost01" -Properties $serverProperties -Credential $credential
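The registration above references "/credentials/hostagent-credential" but the guide never creates it, and New-NetworkControllerServer returns before the host agent has actually been configured. As an added example (not part of the original guide), the two functions below create that credential resource and then poll the server's ConfigurationState until NC reports success or a failure with its detail messages. The service account name, the 300-second timeout and the resource IDs are assumptions.

```powershell
# Added example: create the host-agent credential referenced by the registration above and
# wait for Network Controller to report the host as configured. Values marked "assumed" are
# illustrative and not from the original guide.

function New-SdnHostAgentCredential {
    param(
        [Parameter(Mandatory)][string]$ConnectionUri,
        [string]$ResourceId = "hostagent-credential",              # matches the ResourceRef used above
        [Parameter(Mandatory)][pscredential]$HostAgentAccount,     # assumed: e.g. CONTOSO\svc-nchostagent
        [pscredential]$NcCredential                                # identity used to call NC
    )
    $common = @{ ConnectionUri = $ConnectionUri }
    if ($NcCredential) { $common.Credential = $NcCredential }

    $props = New-Object Microsoft.Windows.NetworkController.CredentialProperties
    $props.Type     = "UsernamePassword"
    $props.UserName = $HostAgentAccount.UserName
    # NC stores this value encrypted with the CredentialEncryptionCertificate chosen at cluster install
    $props.Value    = $HostAgentAccount.GetNetworkCredential().Password
    New-NetworkControllerCredential @common -ResourceId $ResourceId -Properties $props -Force
}

function Wait-SdnServerConfigured {
    param(
        [Parameter(Mandatory)][string]$ConnectionUri,
        [Parameter(Mandatory)][string]$ResourceId,
        [pscredential]$NcCredential,
        [int]$TimeoutSeconds = 300                                 # assumed
    )
    $common = @{ ConnectionUri = $ConnectionUri }
    if ($NcCredential) { $common.Credential = $NcCredential }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)

    do {
        $server = Get-NetworkControllerServer @common -ResourceId $ResourceId
        $prov   = $server.Properties.ProvisioningState
        $cfg    = $server.Properties.ConfigurationState

        if ($prov -eq "Succeeded" -and $cfg.Status -eq "Success") {
            return [pscustomobject]@{ ResourceId = $ResourceId; Configured = $true; Status = $cfg.Status }
        }
        if ($cfg.Status -eq "Failure") {
            # DetailedInfo carries per-check messages (host agent unreachable, certificate problems, ...)
            $detail = ($cfg.DetailedInfo | ForEach-Object { $_.Message }) -join "; "
            return [pscustomobject]@{ ResourceId = $ResourceId; Configured = $false; Status = $cfg.Status; Detail = $detail }
        }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)

    [pscustomobject]@{ ResourceId = $ResourceId; Configured = $false; Status = "Timeout" }
}

# Usage (assumed values): create the credential once, then check each registered host
# New-SdnHostAgentCredential -ConnectionUri $uri -HostAgentAccount (Get-Credential "CONTOSO\svc-nchostagent") -NcCredential $credential
# Wait-SdnServerConfigured -ConnectionUri $uri -ResourceId "HyperVHost01" -NcCredential $credential
```

Treat a host that stays in Failure or Timeout as unmanaged: NC has not pushed policy to it, so any tenant VM placed there is not covered by the HNV or ACL configuration described in the following sections.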

Creating Virtual Networks with HNV

Hyper-V Network Virtualisation allows creating isolated virtual networks for tenants. Create a logical network for the SDN provider address space:

# Create the HNV provider (PA) logical network; network virtualisation must be enabled on it
# (the PA subnet and IP pool are added to this logical network separately)
$logNetProperties = New-Object Microsoft.Windows.NetworkController.LogicalNetworkProperties
$logNetProperties.NetworkVirtualizationEnabled = $true

$logicalNetwork = New-NetworkControllerLogicalNetwork -ConnectionUri $uri -ResourceId "ProviderNetwork" -Properties $logNetProperties

# Create a Virtual Network for a tenant on top of that provider network
$vnetProperties = New-Object Microsoft.Windows.NetworkController.VirtualNetworkProperties
$vnetProperties.AddressSpace = New-Object Microsoft.Windows.NetworkController.AddressSpace
$vnetProperties.AddressSpace.AddressPrefixes = @("192.168.100.0/24")
# A virtual network must reference the logical network that provides its underlay
$vnetProperties.LogicalNetwork = $logicalNetwork

New-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId "Tenant1-VNet" -Properties $vnetProperties
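A virtual network carries no workloads until it has a subnet and a network interface resource for each VM. As an added example (not part of the original guide), the function below creates a subnet inside "Tenant1-VNet" and a statically addressed NIC in it. The subnet name, prefix, NIC resource ID, MAC and IP are constructed for illustration.

```powershell
# Added example: carve a subnet out of the tenant virtual network created above and register
# a VM network interface in it. All resource IDs and addresses are constructed for illustration.
function New-SdnTenantSubnetAndNic {
    param(
        [Parameter(Mandatory)][string]$ConnectionUri,
        [string]$VirtualNetworkId = "Tenant1-VNet",     # from this page
        [string]$SubnetId         = "Tenant1-Web",      # constructed
        [string]$SubnetPrefix     = "192.168.100.0/25", # constructed, inside 192.168.100.0/24
        [string]$NicId            = "Tenant1-Web01-Nic",# constructed
        [string]$PrivateIp        = "192.168.100.10",   # constructed
        [string]$PrivateMac       = "001DD8B71C01"      # constructed; NC expects no separators
    )

    # 1. Subnet: a VirtualSubnet resource under the virtual network
    $subnetProps = New-Object Microsoft.Windows.NetworkController.VirtualSubnetProperties
    $subnetProps.AddressPrefix = $SubnetPrefix
    $subnet = New-NetworkControllerVirtualSubnet -ConnectionUri $ConnectionUri -VirtualNetworkId $VirtualNetworkId `
                  -ResourceId $SubnetId -Properties $subnetProps -Force

    # 2. IP configuration bound to that subnet with a fixed address
    $ipProps = New-Object Microsoft.Windows.NetworkController.NetworkInterfaceIpConfigurationProperties
    $ipProps.PrivateIPAddress          = $PrivateIp
    $ipProps.PrivateIPAllocationMethod = "Static"
    $ipProps.Subnet                    = New-Object Microsoft.Windows.NetworkController.Subnet
    $ipProps.Subnet.ResourceRef        = $subnet.ResourceRef

    $ipConfig = New-Object Microsoft.Windows.NetworkController.NetworkInterfaceIpConfiguration
    $ipConfig.ResourceId = "$NicId-ip1"
    $ipConfig.Properties = $ipProps

    # 3. NIC resource: NC programs the host with exactly this MAC/IP pair for the VM port
    $nicProps = New-Object Microsoft.Windows.NetworkController.NetworkInterfaceProperties
    $nicProps.PrivateMacAddress          = $PrivateMac
    $nicProps.PrivateMacAllocationMethod = "Static"
    $nicProps.IsPrimary                  = $true
    $nicProps.IpConfigurations           = @($ipConfig)

    $nic = New-NetworkControllerNetworkInterface -ConnectionUri $ConnectionUri -ResourceId $NicId -Properties $nicProps -Force

    [pscustomobject]@{
        SubnetRef     = $subnet.ResourceRef
        NicRef        = $nic.ResourceRef
        NicInstanceId = $nic.InstanceId   # needed later to tie the Hyper-V VM adapter to this resource
    }
}

# Usage: $uri is the NC endpoint defined earlier on this page
New-SdnTenantSubnetAndNic -ConnectionUri $uri
```

The returned NicInstanceId is the value the Hyper-V VM's adapter port profile must carry so the host agent applies this resource's policy to that port; until that binding is made, the VM is not on the virtual network at all, which is the safe failure mode.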

Configuring Access Control Lists via NC

SDN ACLs are configured through Network Controller and applied to virtual machine network interfaces. Create a simple ACL that allows web traffic:

$aclRules = @()

# Rule settings live on an AclRuleProperties object; the AclRule itself carries only a
# ResourceId and the Properties reference. Every prefix and port range must be set.
$ruleProps = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleProps.Protocol = "TCP"
$ruleProps.SourceAddressPrefix = "*"
$ruleProps.DestinationAddressPrefix = "*"
$ruleProps.SourcePortRange = "*"
$ruleProps.DestinationPortRange = "80"
$ruleProps.Action = "Allow"
$ruleProps.Priority = "100"
$ruleProps.Type = "Inbound"

$ruleInbound = New-Object Microsoft.Windows.NetworkController.AclRule
$ruleInbound.ResourceId = "AllowWebInbound"
$ruleInbound.Properties = $ruleProps
$aclRules += $ruleInbound

$aclProperties = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProperties.AclRules = $aclRules

New-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "WebServerACL" -Properties $aclProperties
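The ACL above allows port 80 from any source and says nothing about other traffic. As an added example (not part of the original guide), the block below builds a micro-segmentation ACL the way a defender would: narrow allow rules followed by an explicit catch-all deny in each direction, an audit that catches missing or shadowed deny rules before anything is applied, and attachment to a tenant subnet. The rule IDs, prefixes (load balancer range, DNS server, application tier), priorities and the subnet "Tenant1-Web" are constructed for illustration; the Logging property is taken from the NC REST schema and can be dropped if a build rejects it.

```powershell
# Added example: default-deny ACL for a web tier, audited before it is applied to a subnet.
# All prefixes, ports, IDs and priorities are constructed for illustration.

function New-SdnAclRule {
    param(
        [Parameter(Mandatory)][string]$Id,
        [Parameter(Mandatory)][int]$Priority,
        [Parameter(Mandatory)][ValidateSet("Inbound","Outbound")][string]$Type,
        [Parameter(Mandatory)][ValidateSet("Allow","Deny")][string]$Action,
        [string]$Protocol = "All",
        [string]$SourcePrefix = "*", [string]$DestinationPrefix = "*",
        [string]$SourcePort   = "*", [string]$DestinationPort   = "*"
    )
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Protocol                 = $Protocol
    $p.SourceAddressPrefix      = $SourcePrefix
    $p.DestinationAddressPrefix = $DestinationPrefix
    $p.SourcePortRange          = $SourcePort
    $p.DestinationPortRange     = $DestinationPort
    $p.Action                   = $Action
    $p.Priority                 = "$Priority"   # lower number is evaluated first
    $p.Type                     = $Type
    $p.Logging                  = "Enabled"     # keep deny hits visible to the SOC
    $r = New-Object Microsoft.Windows.NetworkController.AclRule
    $r.ResourceId = $Id
    $r.Properties = $p
    $r
}

# Only what the tier needs, then deny everything else in both directions
$rules = @(
    (New-SdnAclRule -Id "In-Https-From-Slb" -Priority 100  -Type Inbound  -Action Allow -Protocol TCP -SourcePrefix "10.0.10.0/24" -DestinationPort "443"),
    (New-SdnAclRule -Id "In-Deny-All"       -Priority 4000 -Type Inbound  -Action Deny),
    (New-SdnAclRule -Id "Out-Dns"           -Priority 100  -Type Outbound -Action Allow -Protocol UDP -DestinationPrefix "192.168.100.4/32" -DestinationPort "53"),
    (New-SdnAclRule -Id "Out-App-Tier"      -Priority 110  -Type Outbound -Action Allow -Protocol TCP -DestinationPrefix "192.168.100.128/25" -DestinationPort "8443"),
    (New-SdnAclRule -Id "Out-Deny-All"      -Priority 4000 -Type Outbound -Action Deny)
)

# Audit: each direction needs a catch-all deny, no allow may sit behind it, and no allow
# may be wide open on source, destination and port at once
function Test-SdnAclPolicy {
    param([Parameter(Mandatory)]$Rules)
    $findings = @()
    foreach ($dir in "Inbound","Outbound") {
        $dirRules = @($Rules | Where-Object { $_.Properties.Type -eq $dir })
        $allows   = @($dirRules | Where-Object { $_.Properties.Action -eq "Allow" })
        $denyAll  = @($dirRules | Where-Object {
            $_.Properties.Action -eq "Deny" -and $_.Properties.Protocol -eq "All" -and
            $_.Properties.SourceAddressPrefix -eq "*" -and $_.Properties.DestinationAddressPrefix -eq "*" })
        if ($denyAll.Count -eq 0) { $findings += "$dir has no catch-all deny rule"; continue }
        $firstDeny = ($denyAll | ForEach-Object { [int]$_.Properties.Priority } | Measure-Object -Minimum).Minimum
        foreach ($a in $allows) {
            $p = $a.Properties
            if ([int]$p.Priority -ge $firstDeny) { $findings += "$dir rule $($a.ResourceId) is shadowed by the catch-all deny" }
            if ($p.SourceAddressPrefix -eq "*" -and $p.DestinationAddressPrefix -eq "*" -and $p.DestinationPortRange -eq "*") {
                $findings += "$dir rule $($a.ResourceId) allows any source, destination and port"
            }
        }
        $dupes = $dirRules | Group-Object { $_.Properties.Priority } | Where-Object Count -gt 1
        foreach ($d in $dupes) { $findings += "$dir has $($d.Count) rules with priority $($d.Name)" }
    }
    [pscustomobject]@{ Pass = ($findings.Count -eq 0); Findings = $findings }
}

$audit = Test-SdnAclPolicy -Rules $rules
if (-not $audit.Pass) {
    $audit.Findings | ForEach-Object { Write-Warning $_ }
} else {
    $aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
    $aclProps.AclRules = $rules
    $acl = New-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "WebTierACL" -Properties $aclProps -Force

    # Attach to the subnet. The NC New-* cmdlets are PUTs, so re-sending the subnet with the
    # ACL reference updates it in place.
    $subnet = Get-NetworkControllerVirtualSubnet -ConnectionUri $uri -VirtualNetworkId "Tenant1-VNet" -ResourceId "Tenant1-Web"
    $subnet.Properties.AccessControlList = $acl
    New-NetworkControllerVirtualSubnet -ConnectionUri $uri -VirtualNetworkId "Tenant1-VNet" -ResourceId "Tenant1-Web" -Properties $subnet.Properties -Force
}
```

Running the audit on the page's original WebServerACL would report that both directions lack a catch-all deny, which is exactly the gap an attacker on an adjacent tenant subnet benefits from; the audit is cheap enough to run in a pipeline before every New-NetworkControllerAccessControlList call.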

Windows Server 2019 SDN brings enterprise cloud networking capabilities to on-premises datacenters, enabling network virtualisation, micro-segmentation, and software-defined load balancing that rivals commercial cloud platforms.