Cloud architectures demand security baked into the network. One node of 1,000 must not attack the other 999 nodes on the network, and the IT team must be able to mitigate an attack quickly and efficiently, without a lot of fuss.
Software-defined networks offer an approach to network security, management and configuration that lets the network, firewalls and policies change over time or in response to a specific demand or threat. Windows Server 2016 users on the Datacenter edition can virtualize the entire customer networking stack. Microsoft software-defined networking (SDN) benefits extend from basic configuration to more complex, sophisticated operations such as virtual firewalls, load balancers and other security appliances inserted into the network data flow.
SDN on Windows Server 2016
The story of Microsoft software-defined networking technology starts with the network controller, a central point of automation. Within Windows Server, the user defines network configuration policies and the attendant security policies for those networks in a management plane. That information is relayed to a control plane, which distributes the policies to the endpoints. The data plane -- the OS that runs on the endpoints -- receives, implements and enforces the policies on the individual endpoints. The network controller is the brain that pushes the desired state down into the network for enforcement. Because the network controller does not reside in the data path, VMs communicate with each other directly and policies are enforced on the nodes themselves; the controller never becomes a bottleneck.
Other features of Microsoft SDN on Windows Server 2016 include virtual network isolation, network security groups and user-defined VM routing.
SDN introduces additional layers of defense that can thwart attacks. The first layer is virtual network isolation -- this allows an administrator to mark certain networks for production use, which results in isolated sandboxes for endpoints. If an attacker breaks into the network and attempts to connect new machines, or to alter other machines that are not part of the virtual network, Windows Server 2016's SDN technology simply discards the traffic. These virtual networks can even be part of an n-tier network strategy, with the front-end tier serving web traffic over one virtual network, the middle tier handling application requests on another virtual network and the back end doing its work on a separate virtual network.
Windows Server 2016 administrators can create a network security group associated with a group of VMs. If a new VM is created in this group, it will automatically inherit the group settings. For example, a group can have just port 443 open and only the internet can talk to this group -- but the internet can't talk to any other group. Network security groups let IT dynamically segment the network as security needs evolve.
Microsoft Windows Server 2016 SDN vs. VMware NSX
In my opinion, the routing and isolation technologies, built upon the millions of virtual machines and switches Microsoft runs in its cloud data centers, are technically more sound and integrated much better with the core virtualization technology than VMware's competing offering, NSX.
Microsoft software-defined networking technology is included with a Windows Server 2016 Datacenter license; it is not considered an add-on and no additional packages are required. You need to purchase VMware NSX to really dig into this kind of technology on the VMware platform.
That is not to say it is worth switching hypervisor platforms from vSphere to Hyper-V, but I think Microsoft has a leg up on SDN.
These network security group policies can be associated with container endpoints, not just virtual machines. It is the same technology used in the Microsoft Azure portal to create network security groups to open up ports and allow communication between guests on the tenant.
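The "only port 443 from the internet" group described above, and its attachment to a tenant subnet so new VMs inherit it, as an added example using the NetworkController PowerShell module (this is not code from the article; the controller URI, resource IDs and priority values are placeholders and should be checked against the module's documentation):

```powershell
# Added example: an ACL for a web tier that admits only TCP 443 inbound and drops
# every other inbound flow. Assumes the NetworkController module is installed and
# $ncUri points at your network controller's REST endpoint (placeholder value).
$ncUri = "https://nc.contoso.example"   # placeholder, replace with your controller FQDN

function New-AclRule {
    param($Id, $Action, $Protocol, $DstPorts, $Priority, $Type)
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Protocol                 = $Protocol
    $p.SourceAddressPrefix      = "*"          # any source, i.e. "the internet"
    $p.SourcePortRange          = "0-65535"
    $p.DestinationAddressPrefix = "*"
    $p.DestinationPortRange     = $DstPorts
    $p.Action                   = $Action
    $p.Priority                 = $Priority
    $p.Type                     = $Type
    $p.Logging                  = "Enabled"    # log matches so blocked probes show up in the firewall log
    $r = New-Object Microsoft.Windows.NetworkController.AclRule
    $r.ResourceId = $Id
    $r.Properties = $p
    return $r
}

# Lower priority number is evaluated first: 443 is admitted, then the catch-all
# at priority 65000 denies everything else inbound, so a VM dropped into this
# group is closed by default rather than open by default.
$allowHttps = New-AclRule -Id "Allow-HTTPS-In" -Action "Allow" -Protocol "TCP" -DstPorts "443"     -Priority "200"   -Type "Inbound"
$denyAllIn  = New-AclRule -Id "Deny-All-In"    -Action "Deny"  -Protocol "All" -DstPorts "0-65535" -Priority "65000" -Type "Inbound"

$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = @($allowHttps, $denyAllIn)
New-NetworkControllerAccessControlList -ConnectionUri $ncUri -ResourceId "Web-Tier-ACL" -Properties $aclProps

# Bind the ACL to the web tier's virtual subnet so every NIC created there inherits it.
# "Tenant-VNet" and the subnet index are placeholders for your own virtual network.
$acl  = Get-NetworkControllerAccessControlList -ConnectionUri $ncUri -ResourceId "Web-Tier-ACL"
$vnet = Get-NetworkControllerVirtualNetwork    -ConnectionUri $ncUri -ResourceId "Tenant-VNet"
$vnet.Properties.Subnets[0].Properties.AccessControlList = $acl
New-NetworkControllerVirtualNetwork -ConnectionUri $ncUri -ResourceId $vnet.ResourceId -Properties $vnet.Properties
```

Because the ACL is bound at the subnet, a second group (for example the middle tier) gets its own ACL with no rule admitting "*" as a source, which is what keeps the internet from talking to anything but the web tier.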
User-defined routing for virtual machines hosted on Hyper-V allows the administrator to define routes to direct tenant traffic to virtual appliances based on certain criteria.
For security-minded organizations, user-defined routing lets the admin inject a virtual appliance into traffic flow and create a route to send all traffic through it. For example, a state-of-the-art virtual firewall appliance can go into the path between the machines and tiers, so that all traffic gets routed through the appliance. All appliances that work in Azure will work in Windows Server 2016 without any modification.
Organizations can also turn on port mirroring to mirror inbound and outbound packets on a port to a virtual appliance. In this way, a single appliance can serve multiple ports on the network.