How to Configure Windows Server Software-Defined Networking (SDN) on Windows Server 2016

Software-Defined Networking (SDN) in Windows Server 2016 decouples the network control plane from the data plane, allowing administrators to programmatically configure and manage network infrastructure through a centralized controller. The Windows Server 2016 SDN stack is built on Hyper-V Network Virtualization and includes the Network Controller, Software Load Balancer (SLB), RAS Gateway, and Datacenter Firewall. This enables multi-tenant network virtualization, micro-segmentation, and dynamic network policy enforcement in private cloud and Hyper-V environments.

SDN on Windows Server 2016 is primarily designed for use with System Center Virtual Machine Manager (SCVMM) or Windows Admin Center in large deployments, but the PowerShell API layer allows direct configuration. The core components are: Network Controller (the centralized management plane), Hyper-V hosts running virtual switches with VXLAN/NVGRE encapsulation, and optional gateway VMs for connecting virtual networks to physical networks or other sites.

Prerequisites and Architecture Overview

SDN requires at least three Hyper-V hosts (or a cluster) for production, though a minimal lab can run on two. All Hyper-V hosts must run Windows Server 2016 Datacenter edition. The Network Controller itself runs as a highly available set of VMs. Each Hyper-V host needs a physical network capable of supporting VXLAN or NVGRE encapsulation, which requires jumbo frames (MTU 1600 or higher) on the physical network to accommodate the encapsulation overhead. RDMA/RoCE or iWARP is recommended for high-performance deployments but not required.

Ensure Hyper-V is installed on all hosts:

Install-WindowsFeature Hyper-V -IncludeManagementTools -Restart

Install the Network Controller feature on the designated Network Controller VMs:

Install-WindowsFeature NetworkController -IncludeManagementTools -Restart

Configuring the Network Controller Cluster

Create the Network Controller node objects. Each node object names the node, gives the FQDN of the server it runs on, its fault domain, and the interface on which the REST service listens:

$Node1 = New-NetworkControllerNodeObject -Name "NC1" -Server "NC1.corp.local" -FaultDomain "fd:/dc1/rack1/NC1" -RestInterface "Ethernet"

Install the Network Controller cluster using the node objects:

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=NC1.corp.local" }   # Network Controller certificate from the local machine store; adjust the subject to your issued cert
Install-NetworkControllerCluster -Node $Node1 -ClusterAuthentication Kerberos -ManagementSecurityGroup "corp\NC-Admins" -CredentialEncryptionCertificate $cert

Install the Network Controller application on the cluster, specifying the REST endpoint:

Install-NetworkController -Node $Node1 -ClientAuthentication Kerberos -ClientSecurityGroup "corp\NC-Clients" -RestIpAddress "192.168.100.10/24" -ServerCertificate $cert

Verify the Network Controller is operational:

Get-NetworkController

Configuring Hyper-V Hosts for SDN

On each Hyper-V host, create an external virtual switch bound to the physical uplinks. SDN requires the switch to use Switch Embedded Teaming (SET); the VXLAN encapsulation itself is programmed onto this switch by the Network Controller host agent after the host is registered, not by the switch creation command:

New-VMSwitch -Name "SDNSwitch" -NetAdapterName "Ethernet","Ethernet 2" -EnableEmbeddedTeaming $true -AllowManagementOS $true

Configure the host virtual NIC for SDN overlay traffic with the Provider Address (PA):

New-NetIPAddress -InterfaceAlias "vEthernet (SDNSwitch)" -IPAddress 10.10.56.21 -PrefixLength 24 -DefaultGateway 10.10.56.1

Creating Virtual Networks

SDN virtual networks are defined through the Network Controller REST API. Use the NetworkController PowerShell module to create logical networks and virtual networks. First set the REST URI for your Network Controller:

$NCUri = "https://NC1.corp.local"

Create a logical network resource representing your physical provider network:

$logicalNetwork = New-Object Microsoft.Windows.NetworkController.LogicalNetwork
$logicalNetwork.ResourceId = "HNVPA"
$logicalNetwork.Properties = New-Object Microsoft.Windows.NetworkController.LogicalNetworkProperties
$logicalNetwork.Properties.NetworkVirtualizationEnabled = $true   # marks this as the HNV Provider (PA) network
New-NetworkControllerLogicalNetwork -ConnectionUri $NCUri -ResourceId $logicalNetwork.ResourceId -Properties $logicalNetwork.Properties

Define a virtual network subnet for tenant isolation. A VirtualSubnet is not submitted on its own; it is carried inside a VirtualNetwork resource:

$vNetSubnet = New-Object Microsoft.Windows.NetworkController.VirtualSubnet
$vNetSubnet.ResourceId = "Tenant1-Subnet1"
$vNetSubnet.Properties = New-Object Microsoft.Windows.NetworkController.VirtualSubnetProperties
$vNetSubnet.Properties.AddressPrefix = "192.168.1.0/24"     # tenant (Customer Address) space, independent of the PA network
$vNetSubnet.Properties.DefaultGateways = "192.168.1.1"      # first usable address; the distributed router answers on it
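The two resources above are only complete once the HNVPA logical network carries a subnet with an IP pool and the tenant subnet is submitted inside a virtual network. The following is an added example, not code from the original article; it assumes $NCUri from the article, and the pool range, VLAN id and resource names are constructed for illustration.

```powershell
# Added example, not code from the original article. Assumes $NCUri from the article;
# the pool range, VLAN and resource names below are constructed for illustration.

# 1. Give the HNVPA logical network a subnet with an IP pool. Network Controller allocates
#    the hosts' Provider Addresses for overlay traffic from this pool.
$paPool = New-Object Microsoft.Windows.NetworkController.IpPool
$paPool.ResourceId = "HNVPA-Pool1"
$paPool.Properties = New-Object Microsoft.Windows.NetworkController.IpPoolProperties
$paPool.Properties.StartIpAddress = "10.10.56.100"
$paPool.Properties.EndIpAddress   = "10.10.56.199"

$paSubnet = New-Object Microsoft.Windows.NetworkController.LogicalSubnet
$paSubnet.ResourceId = "HNVPA-Subnet1"
$paSubnet.Properties = New-Object Microsoft.Windows.NetworkController.LogicalSubnetProperties
$paSubnet.Properties.AddressPrefix   = "10.10.56.0/24"
$paSubnet.Properties.VlanID          = 0                 # 0 = untagged; use the PA VLAN id if tagged
$paSubnet.Properties.DefaultGateways = @("10.10.56.1")
$paSubnet.Properties.IpPools         = @($paPool)

$lnProps = New-Object Microsoft.Windows.NetworkController.LogicalNetworkProperties
$lnProps.NetworkVirtualizationEnabled = $true
$lnProps.Subnets = @($paSubnet)
New-NetworkControllerLogicalNetwork -ConnectionUri $NCUri -ResourceId "HNVPA" -Properties $lnProps -Force

# 2. Wrap the article's tenant subnet in a virtual network bound to HNVPA and submit it;
#    a VirtualSubnet only exists as part of a VirtualNetwork resource.
$vNetSubnet = New-Object Microsoft.Windows.NetworkController.VirtualSubnet
$vNetSubnet.ResourceId = "Tenant1-Subnet1"
$vNetSubnet.Properties = New-Object Microsoft.Windows.NetworkController.VirtualSubnetProperties
$vNetSubnet.Properties.AddressPrefix   = "192.168.1.0/24"
$vNetSubnet.Properties.DefaultGateways = @("192.168.1.1")

$vNetProps = New-Object Microsoft.Windows.NetworkController.VirtualNetworkProperties
$vNetProps.AddressSpace = New-Object Microsoft.Windows.NetworkController.AddressSpace
$vNetProps.AddressSpace.AddressPrefixes = @("192.168.1.0/24")   # must contain every subnet prefix
$vNetProps.LogicalNetwork = Get-NetworkControllerLogicalNetwork -ConnectionUri $NCUri -ResourceId "HNVPA"
$vNetProps.Subnets = @($vNetSubnet)
New-NetworkControllerVirtualNetwork -ConnectionUri $NCUri -ResourceId "Tenant1-VNet" -Properties $vNetProps -Force

# 3. Confirm Network Controller actually realised the resource instead of assuming success.
$vnet = Get-NetworkControllerVirtualNetwork -ConnectionUri $NCUri -ResourceId "Tenant1-VNet"
if ($vnet.Properties.ProvisioningState -ne "Succeeded") {
    Write-Warning "Tenant1-VNet provisioning state: $($vnet.Properties.ProvisioningState)"
}
```

A ProvisioningState other than Succeeded means the controller rejected or has not yet applied the resource; check the Network Controller event logs on the NC nodes rather than proceeding to attach VMs.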

Datacenter Firewall Policies

SDN Datacenter Firewall provides distributed, stateful firewall enforcement at the VM vNIC level. The policy for a web workload is an allow rule for HTTP, an allow rule for HTTPS and a final deny rule for everything else, combined into one access control list. Start with the rule that allows inbound HTTP; the other rules are built the same way:

$aclRule1 = New-Object Microsoft.Windows.NetworkController.AclRule
$aclRule1.ResourceId = "Allow-HTTP-In"                        # every rule needs a ResourceId to be accepted
$aclRule1.Properties = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
$aclRule1.Properties.Protocol = "TCP"
$aclRule1.Properties.SourceAddressPrefix = "*"                # any source
$aclRule1.Properties.SourcePortRange = "0-65535"
$aclRule1.Properties.DestinationAddressPrefix = "*"
$aclRule1.Properties.DestinationPortRange = "80"
$aclRule1.Properties.Action = "Allow"
$aclRule1.Properties.Priority = 100                           # lower value is evaluated first
$aclRule1.Properties.Type = "Inbound"                         # AclRuleProperties uses Type, not Direction
$aclRule1.Properties.Logging = "Enabled"
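The complete policy described above, as an added example that is not code from the original article: the HTTP and HTTPS allow rules plus the deny-all rule are combined into one access control list, submitted to the controller, and attached to a tenant VM's network interface. It assumes $NCUri from the article and a network interface resource named "Tenant1-VM1-NIC" that already exists in Network Controller (a hypothetical name).

```powershell
# Added example, not code from the original article. Assumes $NCUri from the article and an
# existing NIC resource "Tenant1-VM1-NIC" (hypothetical name) registered with Network Controller.
function New-SdnAclRule {
    param([string]$Id, [string]$Protocol, [string]$DstPort, [string]$Action, [int]$Priority)
    $rule = New-Object Microsoft.Windows.NetworkController.AclRule
    $rule.ResourceId = $Id
    $rule.Properties = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $rule.Properties.Protocol = $Protocol
    $rule.Properties.SourceAddressPrefix = "*"
    $rule.Properties.SourcePortRange = "0-65535"
    $rule.Properties.DestinationAddressPrefix = "*"
    $rule.Properties.DestinationPortRange = $DstPort
    $rule.Properties.Action = $Action
    $rule.Properties.Priority = $Priority      # lower value is evaluated first
    $rule.Properties.Type = "Inbound"
    $rule.Properties.Logging = "Enabled"       # log hits so denied traffic shows up in the host agent logs
    return $rule
}

# Allow rules first, then a catch-all deny at the lowest priority this ACL uses.
$rules = @(
    (New-SdnAclRule -Id "Allow-HTTP-In"  -Protocol "TCP" -DstPort "80"      -Action "Allow" -Priority 100),
    (New-SdnAclRule -Id "Allow-HTTPS-In" -Protocol "TCP" -DstPort "443"     -Action "Allow" -Priority 110),
    (New-SdnAclRule -Id "Deny-All-In"    -Protocol "All" -DstPort "0-65535" -Action "Deny"  -Priority 65000)
)

$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
New-NetworkControllerAccessControlList -ConnectionUri $NCUri -ResourceId "Web-Inbound-Only" -Properties $aclProps -Force
$acl = Get-NetworkControllerAccessControlList -ConnectionUri $NCUri -ResourceId "Web-Inbound-Only"

# Attach the ACL to the VM's vNIC: read the existing NetworkInterface resource, set the ACL
# reference on its IP configuration, and PUT the resource back so the host agent programs it.
$nic = Get-NetworkControllerNetworkInterface -ConnectionUri $NCUri -ResourceId "Tenant1-VM1-NIC"
$nic.Properties.IpConfigurations[0].Properties.AccessControlList = $acl
New-NetworkControllerNetworkInterface -ConnectionUri $NCUri -ResourceId $nic.ResourceId -Properties $nic.Properties -Force

# Verify the controller accepted the policy; an ACL that never reaches Succeeded is not enforced.
$state = (Get-NetworkControllerAccessControlList -ConnectionUri $NCUri -ResourceId "Web-Inbound-Only").Properties.ProvisioningState
if ($state -ne "Succeeded") { Write-Warning "ACL Web-Inbound-Only provisioning state: $state" }
```

Because the deny rule carries the lowest precedence, any later allow rule inserted with a priority between 110 and 65000 still takes effect without editing the deny rule; keep the deny in place on every ACL so an empty or partially applied list does not fall back to permit-all.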

Windows Server 2016 SDN represents a significant investment in infrastructure automation. For smaller environments, consider using Windows Admin Center’s SDN management features which wrap these PowerShell operations in a GUI. Always validate Network Controller certificate trust on all hosts before attempting to register them, as certificate issues are the most common cause of host registration failures in SDN deployments.