How to Configure Windows Server 2016 Container Networking SDN
Windows Server 2016 introduced native Windows container support, and with it, integration with Software Defined Networking (SDN) to provide scalable, flexible, and policy-driven networking for containerized workloads. Container Networking with SDN in Windows Server 2016 enables containers to be placed on tenant virtual networks managed by Network Controller, giving them the same rich network isolation, access control, and routing policies available to virtual machines.
Windows containers can be connected to SDN-managed networks through the Container Network Interface (CNI), allowing Docker-based and Kubernetes-based workloads to participate in the SDN fabric. This is particularly important for enterprise deployments where containers need to communicate with VMs, other containers, and external services while maintaining traffic isolation and security.
Prerequisites
Before configuring container networking with SDN, ensure the following are available: Windows Server 2016 with Hyper-V and Containers features installed, Docker Enterprise Edition for Windows installed, Network Controller and Software Load Balancer deployed and configured, a configured SDN virtual network and subnets, and the Host Networking Service (HNS) available on the container host. PowerShell remoting and Docker CLI access are required for configuration.
Step 1: Install Container and Hyper-V Features
Install the Containers and Hyper-V roles on the host that will run containers:
Install-WindowsFeature Containers, Hyper-V, RSAT-Hyper-V-Tools -IncludeManagementTools -Restart
After restart, install Docker:
Install-PackageProvider -Name NuGet -Force
Install-Module -Name DockerMsftProvider -Force
Install-Package -Name Docker -ProviderName DockerMsftProvider -Force
Restart-Computer
Step 2: Configure the Host for SDN Container Networking
The container host must be added to the SDN fabric managed by Network Controller. The host needs provider addresses registered with Network Controller and a Hyper-V virtual switch connected to the SDN underlay network:
New-VMSwitch -Name "SDNSwitch" -NetAdapterName "Ethernet" -AllowManagementOS $true -EnableEmbeddedTeaming $true
Register the host with Network Controller using the SDN deployment scripts or the NetworkController PowerShell module.
Step 3: Create an SDN-backed Docker Network
Windows Server 2016 SDN integration with Docker is achieved through the l2bridge or transparent network driver, or through the SDN-specific overlay driver. Create a Docker network using the transparent driver connected to the SDN virtual switch:
docker network create -d transparent --subnet=192.168.100.0/24 --gateway=192.168.100.1 -o com.docker.network.windowsshim.vlanid=0 SDNNetwork
Alternatively, use the l2bridge driver for direct Layer 2 connectivity to the host’s SDN-connected switch:
docker network create -d l2bridge --subnet 192.168.200.0/24 --gateway 192.168.200.1 -o com.docker.network.windowsshim.networkname=SDNSwitch TenantNetwork
Step 4: Start a Container on the SDN Network
Run a container and attach it to the SDN-managed network:
docker run -it --network SDNNetwork --ip 192.168.100.10 mcr.microsoft.com/windows/servercore:ltsc2016 cmd
From within the container, verify the IP address and network connectivity:
ipconfig /all
Step 5: Configure SDN Access Control Lists for Containers
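One of the key benefits of SDN container networking is the ability to apply Network Controller ACLs to container traffic. Define an ACL policy using the Network Controller REST API or PowerShell. The following example describes a rule set that allows inbound HTTP and HTTPS traffic and blocks all other inbound traffic to a container endpoint. The objects below only hold the rule definitions locally; the policy takes effect once it is created in Network Controller and applied to the endpoint: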
$aclRules = @()
$aclRules += New-Object PSObject -Property @{Priority=100;Protocol="TCP";SourceAddressPrefix="*";SourcePortRange="*";DestinationAddressPrefix="*";DestinationPortRange="80";Action="Allow";Direction="Inbound"}
$aclRules += New-Object PSObject -Property @{Priority=110;Protocol="TCP";SourceAddressPrefix="*";SourcePortRange="*";DestinationAddressPrefix="*";DestinationPortRange="443";Action="Allow";Direction="Inbound"}
$aclRules += New-Object PSObject -Property @{Priority=65000;Protocol="*";SourceAddressPrefix="*";SourcePortRange="*";DestinationAddressPrefix="*";DestinationPortRange="*";Action="Deny";Direction="Inbound"}
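Before the rule set is pushed, it can be dry-run offline to confirm which flows it admits. The block below is an added example, not part of the original article or of any Microsoft module: the helper names (Test-Port, Test-Prefix, Get-AclVerdict) and the sample flows are constructed, and it assumes rules are evaluated in ascending Priority order with the first match deciding.

```powershell
# Added example: offline dry run of the Step 5 rules; nothing here contacts Network Controller.
$aclRules = @(   # same rules as Step 5
    [pscustomobject]@{Priority=100;Protocol="TCP";SourceAddressPrefix="*";SourcePortRange="*";DestinationAddressPrefix="*";DestinationPortRange="80";Action="Allow";Direction="Inbound"}
    [pscustomobject]@{Priority=110;Protocol="TCP";SourceAddressPrefix="*";SourcePortRange="*";DestinationAddressPrefix="*";DestinationPortRange="443";Action="Allow";Direction="Inbound"}
    [pscustomobject]@{Priority=65000;Protocol="*";SourceAddressPrefix="*";SourcePortRange="*";DestinationAddressPrefix="*";DestinationPortRange="*";Action="Deny";Direction="Inbound"}
)
function Test-Port([string]$Range, [int]$Port) {          # "*", "80" or "8000-8080"
    if ($Range -eq '*') { return $true }
    $lo, $hi = $Range -split '-', 2
    if (-not $hi) { $hi = $lo }
    return (($Port -ge [int]$lo) -and ($Port -le [int]$hi))
}
function Test-Prefix([string]$Prefix, [string]$Address) { # "*", single IPv4 address or IPv4 CIDR
    if ($Prefix -eq '*') { return $true }
    $net, $len = $Prefix -split '/', 2
    if (-not $len) { $len = 32 }
    $toNum = { param($ip) $b = ([ipaddress]$ip).GetAddressBytes()
               [double]$b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3] }
    $block = [math]::Pow(2, 32 - [int]$len)               # size of the prefix in addresses
    return ([math]::Floor((& $toNum $Address) / $block) -eq [math]::Floor((& $toNum $net) / $block))
}
function Get-AclVerdict {
    param($Rules, [string]$Protocol, [string]$SrcIp, [int]$SrcPort, [string]$DstIp, [int]$DstPort, [string]$Direction = 'Inbound')
    foreach ($r in ($Rules | Sort-Object Priority)) {     # lowest number is evaluated first
        if ($r.Direction -ne $Direction) { continue }
        if ($r.Protocol -ne '*' -and $r.Protocol -ne $Protocol) { continue }
        if (-not (Test-Prefix $r.SourceAddressPrefix $SrcIp)) { continue }
        if (-not (Test-Port $r.SourcePortRange $SrcPort)) { continue }
        if (-not (Test-Prefix $r.DestinationAddressPrefix $DstIp)) { continue }
        if (-not (Test-Port $r.DestinationPortRange $DstPort)) { continue }
        return [pscustomobject]@{ Action = $r.Action; Priority = $r.Priority }
    }
    return [pscustomobject]@{ Action = 'NoMatch'; Priority = $null }
}
# Sanity checks on the rule list itself
$dupes = $aclRules | Group-Object Priority | Where-Object Count -gt 1
if ($dupes) { Write-Warning "Duplicate priorities: $($dupes.Name -join ', ')" }
$last = $aclRules | Sort-Object Priority | Select-Object -Last 1
if ($last.Action -ne 'Deny' -or $last.Protocol -ne '*' -or $last.DestinationPortRange -ne '*') { Write-Warning 'Rule list does not end in a catch-all deny' }
# Constructed sample flows toward the Step 4 container address
$flows = @(
    @{ Protocol='TCP'; SrcIp='10.0.0.5'; SrcPort=50000; DstIp='192.168.100.10'; DstPort=80 }
    @{ Protocol='TCP'; SrcIp='10.0.0.5'; SrcPort=50001; DstIp='192.168.100.10'; DstPort=443 }
    @{ Protocol='TCP'; SrcIp='10.0.0.5'; SrcPort=50002; DstIp='192.168.100.10'; DstPort=3389 }
    @{ Protocol='UDP'; SrcIp='10.0.0.5'; SrcPort=50003; DstIp='192.168.100.10'; DstPort=53 }
)
foreach ($f in $flows) {
    $v = Get-AclVerdict -Rules $aclRules @f
    '{0} {1}:{2} -> {3}:{4}  {5} (priority {6})' -f $f.Protocol, $f.SrcIp, $f.SrcPort, $f.DstIp, $f.DstPort, $v.Action, $v.Priority
}
```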
Step 6: Verify Container Network Policies
Use the Host Networking Service (HNS) PowerShell module to inspect network endpoints created by Docker for containers:
Import-Module .\HNS.psm1
Get-HnsNetwork
Get-HnsEndpoint
These commands show all HNS networks and the endpoints (container network interfaces) created for each running container. The endpoint details include the container IP, MAC address, and VSID used for SDN encapsulation.
Step 7: Configure Load Balancing for Container Services
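The SDN Software Load Balancer can distribute traffic to container-hosted services. Create a load balancer VIP that distributes TCP traffic to multiple container endpoints. The docker service command below requires the Docker engine on the host to be running in swarm mode: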
docker service create --name webservice --publish published=8080,target=80 --replicas 3 --network SDNNetwork mcr.microsoft.com/windows/servercore:ltsc2016
The SDN SLB will handle distributing incoming requests to the container replicas across the available hosts.
Troubleshooting
If containers cannot reach the network, check the HNS event log, verify the Docker network configuration, and confirm Network Controller policies are correctly distributed to the host. Restart the HNS service if networks are in an inconsistent state:
Stop-Service hns
Start-Service hns
Container networking with SDN in Windows Server 2016 bridges the gap between containerized microservices and enterprise-grade network policy management, enabling consistent security and routing policies across VMs and containers alike.