Pauze (Break). Virtualization, Storage, Networking, Identity and Access


Upload: lester-waters

Posted on 23-Dec-2015


TRANSCRIPT

  • Slide 1
  • Pauze (Break)
  • Slide 2
  • Virtualization, Storage, Networking, Identity and Access
  • Slide 3
  • Slide 4
  • Enables software to dynamically manage the network by:
    - Enabling integrated policies that span physical and virtual networks
    - Abstracting workloads from the physical network
    - Controlling datacenter traffic flow
  • Slide 5
  • Hyper-V Network Virtualization: how IP address rewrite works
    - Maps each Customer Address (CA) to a unique Provider Address (PA)
    - Sends information in regular TCP/IP packets on the wire
    - Benefits: requires no upgrade of network adapters, switches, or network appliances; can be deployed today without sacrificing performance
    - Policy settings (figure): both tenants use the same customer address space (10.1.1.1, 10.1.1.2); the datacenter network only ever carries the provider addresses 192.168.1.10 to 192.168.1.13

      Tenant       Customer Address   Provider Address
      Blue Corp    10.1.1.1           192.168.1.10
      Blue Corp    10.1.1.2           192.168.1.12
      Yellow Corp  10.1.1.1           192.168.1.11
      Yellow Corp  10.1.1.2           192.168.1.13
  • Slide 6
  • Hyper-V Network Virtualization
    - Tenants with overlapping IP address ranges share the same physical network
    - Policies enforced at host level using PowerShell or System Center Virtual Machine Manager
    - DHCP servers can be part of the virtualized network to enable locally assigned IP addresses
    - Supports guest clustering
    - (Figure) Orange sees its SQL Server and Web VMs at 10.1.1.1 and 10.1.1.2; Blue sees its own SQL Server and Web VMs at the same customer addresses. What's really happening: in the provider address space (192.168.n.n) one tenant's 10.1.1.1 travels as 192.168.1.10 and its 10.1.1.2 as 192.168.2.12
  • Slide 7
  • Network virtualization packet flow: Blue 1 sending to Blue 2
    - Blue 1 resolves Blue 2 from its ARP table: 10.10.10.11 is at 34:29:af:c7:d9:12
    - On the sending host the frame passes through the network virtualization stages: IP virtualization policy enforcement, routing, the Hyper-V switch, and VSID ACL enforcement
  • Slide 8
  • Network virtualization packet flow: Blue 1 sending to Blue 2 (encapsulation)
    - Frame as sent by the VM: MAC B1 -> MAC B2, 10.10.10.10 -> 10.10.10.11
    - After policy enforcement the host tags the frame with the tenant's VSID (5001) and encapsulates it: outer header MAC P1 -> MAC P2, 192.168.2.10 -> 192.168.5.12, VSID 5001, inner frame unchanged (MAC B1 -> MAC B2, 10.10.10.10 -> 10.10.10.11)
    - The same stages (VSID ACL enforcement, Hyper-V switch, routing, IP virtualization policy) run on the receiving host, which removes the outer header before delivering the original frame to Blue 2
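The policy that drives slides 5 through 8 is a set of lookup records (CA, PA, VSID, MAC) plus customer routes, pushed to every host that carries a tenant's VMs. The following is an added example, not code from the deck, that builds that policy for the two-tenant case on a single Windows Server 2012 R2 Hyper-V host with the NetWNV cmdlets. The provider interface index (12), VM names, MAC addresses, routing-domain GUIDs, the VSIDs 5001 and 6001 and the PA gateway are assumed values.

```powershell
# Added example: Hyper-V Network Virtualization policy for Blue Corp and Yellow Corp.
# Assumed: PA NIC has ifIndex 12, PA gateway 192.168.1.1, VM names/MACs as below.

# Each tenant is a separate routing domain (GUID) and gets its own VSID. The VSID
# travels on the wire as the NVGRE key and is what keeps the two 10.1.1.0/24 apart.
$BlueRD   = "{11111111-2222-3333-4444-000000005001}"
$YellowRD = "{11111111-2222-3333-4444-000000006001}"

# Provider address this host owns on the datacenter fabric, and its default route.
New-NetVirtualizationProviderAddress -ProviderAddress 192.168.1.10 -InterfaceIndex 12 -PrefixLength 24
New-NetVirtualizationProviderRoute   -InterfaceIndex 12 -DestinationPrefix "0.0.0.0/0" -NextHop 192.168.1.1

# Lookup records: CA -> PA, scoped by VSID (the table on slide 5).
# TranslationMethodEncap = NVGRE; the deck's "IP address rewrite" is TranslationMethodNat.
$records = @(
  @{ VM="Blue1";   CA="10.1.1.1"; PA="192.168.1.10"; VSID=5001; MAC="00155D005001"; RD=$BlueRD   },
  @{ VM="Blue2";   CA="10.1.1.2"; PA="192.168.1.12"; VSID=5001; MAC="00155D005002"; RD=$BlueRD   },
  @{ VM="Yellow1"; CA="10.1.1.1"; PA="192.168.1.11"; VSID=6001; MAC="00155D006001"; RD=$YellowRD },
  @{ VM="Yellow2"; CA="10.1.1.2"; PA="192.168.1.13"; VSID=6001; MAC="00155D006002"; RD=$YellowRD }
)
foreach ($r in $records) {
  New-NetVirtualizationLookupRecord -CustomerAddress $r.CA -ProviderAddress $r.PA `
      -VirtualSubnetID $r.VSID -MACAddress $r.MAC -CustomerID $r.RD -VMName $r.VM `
      -Rule TranslationMethodEncap
}

# Customer routes per routing domain; NextHop 0.0.0.0 means on-link.
New-NetVirtualizationCustomerRoute -RoutingDomainID $BlueRD   -VirtualSubnetID 5001 `
    -DestinationPrefix "10.1.1.0/24" -NextHop "0.0.0.0" -Metric 255
New-NetVirtualizationCustomerRoute -RoutingDomainID $YellowRD -VirtualSubnetID 6001 `
    -DestinationPrefix "10.1.1.0/24" -NextHop "0.0.0.0" -Metric 255

# Bind the VMs that run on this host to their VSID. A VM with no VSID is not part
# of any virtualized network and its traffic is not isolated by this policy.
Set-VMNetworkAdapter -VMName Blue1   -VirtualSubnetId 5001
Set-VMNetworkAdapter -VMName Yellow1 -VirtualSubnetId 6001

# Verify: the same customer address must resolve to different PAs per VSID.
Get-NetVirtualizationLookupRecord -CustomerAddress 10.1.1.1 |
    Format-Table VMName, VirtualSubnetID, CustomerAddress, ProviderAddress
```

The check at the end is the one worth keeping in a runbook: if 10.1.1.1 resolves to one PA only, or a record exists without a VSID, a tenant's frames can reach the wrong PA. In production the records are not hand-typed per host; System Center Virtual Machine Manager (slide 6) distributes them, but the objects it creates are the same ones shown here.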
  • Slide 9
  • Multi-tenant VPN gateway
    - Challenges: a hoster wants to provide isolated networks for tenant VMs with integral site-to-site (S2S) VPN and NAT; enterprises have virtualized networks split across different datacenters, or virtualized networks (NVGRE aware) communicating with physical networks (NVGRE unaware)
    - Solution: multi-tenant VPN gateway in Windows Server 2012 R2 Preview: an integral multitenant edge gateway for seamless connectivity, guest clustering for high availability, BGP for dynamic route updates, NVGRE encapsulation and decapsulation, and multitenant-aware NAT for Internet access
    - (Figure) Hosts in the network virtualization fabric for Fabrikam and Contoso reach the Internet through the multi-tenant VPN gateway, which bridges between VM networks and physical networks
  • Slide 10
  • NIC Teaming (figure: virtual adapters on top of a team network adapter)
    - Provides network fault tolerance and continuous availability when network adapters fail, by teaming multiple network interfaces
    - Supports all vendors in-box
    - Facilitates local or remote management through Windows PowerShell or UI
    - Enables teams of up to 32 network adapters
    - Aggregates bandwidth from multiple network adapters
    - Includes multiple modes: switch dependent and switch independent
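Creating and verifying a team is a short PowerShell job; the part worth showing is how to tell whether a member is actually carrying traffic. This is an added example, not code from the deck; the adapter names NIC1 and NIC2, the team name and the VLAN ID are assumed.

```powershell
# Added example: in-box LBFO team on a Windows Server 2012 R2 host.
# Assumed: physical adapters are named NIC1 and NIC2; VLAN 100 is the management VLAN.
$members = "NIC1", "NIC2"

# SwitchIndependent needs no configuration on the physical switch (Static and LACP do).
# Dynamic load balancing, new in 2012 R2, spreads flows over all active members.
$team = New-NetLbfoTeam -Name "Fabric-Team" -TeamMembers $members `
            -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# One team interface per VLAN keeps management traffic on its own tagged interface
# instead of sharing the default (untagged) team NIC with tenant traffic.
Add-NetLbfoTeamNic -Team $team.Name -VlanID 100 -Name "Fabric-Team-Mgmt"

# A member in Standby is a hot spare; "Active" members carry traffic. Anything with a
# FailureReason set is a cabling or driver problem, not a teaming one.
Set-NetLbfoTeamMember -Name "NIC2" -AdministrativeMode Standby
Get-NetLbfoTeamMember -Team $team.Name |
    Format-Table Name, AdministrativeMode, OperationalStatus, FailureReason

# Team status should be Up with both members listed.
Get-NetLbfoTeam -Name $team.Name | Format-List Name, Status, TeamingMode, LoadBalancingAlgorithm, Members
```

Standby is optional; the slide's "fault tolerance" holds with all members active too, since a failed member simply drops out of the distribution. The standby form is what to use when the bandwidth of the spare must not be counted on.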
  • Slide 11
  • SMB Multichannel (figure: file copy between SMB client and SMB server over several NICs)
    - Automatic detection and use of multiple network connections between SMB client and server
    - Helps server applications be resilient to network failure
    - Transparent failover with recovery from network failure if another connection is available
    - Improved throughput: bandwidth aggregation through NIC Teaming; multiple NICs/CPUs for network processing with RSS-capable network adapters
    - Automatic configuration with very little administrative overhead
  • Slide 12
  • SMB Direct (figure: file client and file server data paths with and without RDMA; without RDMA the data passes through application, SMB, OS, driver and adapter buffers on each side; with RDMA the rNIC moves data between the SMB buffers directly, over iWARP or InfiniBand)
    - Higher performance through offloading of network I/O processing onto the network adapter
    - Higher throughput with low latency, and the ability to take advantage of high-speed networks (such as InfiniBand and iWARP)
    - Remote storage at the speed of direct storage
    - Transfer rate of around 50 Gbps on a single NIC port
    - Compatible with SMB Multichannel for load balancing and failover
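Both features are automatic, so the useful thing to know is how to confirm they are engaged and what the RDMA path does to SMB's own protections. This is an added example, not code from the deck; the server name FS01, the share Data and the file path used to generate traffic are assumed.

```powershell
# Added example: verify SMB Multichannel and SMB Direct between this client and FS01.
# Assumed: \\FS01\Data exists and C:\Temp\bigfile.bin is a file large enough to open
# several channels.

# Client view of its own interfaces: SMB only uses those it lists here, and only
# RSS-capable or RDMA-capable ones get more than one channel.
Get-SmbClientNetworkInterface |
    Format-Table InterfaceIndex, RSSCapable, RDMACapable, Speed, IpAddresses

# Same view from the server side, plus the global switch for multichannel.
Get-SmbServerNetworkInterface -CimSession FS01 |
    Format-Table InterfaceIndex, RSSCapable, RDMACapable, Speed, IpAddresses
Get-SmbServerConfiguration -CimSession FS01 | Select-Object EnableMultiChannel

# Push some traffic, then read the live connection table. One row per
# (client NIC, server NIC) pair; several rows, or CurrentChannels > 1 on an
# RSS NIC, means multichannel is doing work. RdmaCapable on both ends means
# SMB Direct is in use for that pair.
Copy-Item -Path C:\Temp\bigfile.bin -Destination \\FS01\Data\ -ErrorAction Stop
Get-SmbMultichannelConnection |
    Format-Table ServerName, ClientInterfaceIndex, ServerInterfaceIndex,
                 ClientRdmaCapable, ServerRdmaCapable, CurrentChannels, Failed

# RDMA must be enabled on the adapter itself; a capable NIC with Enabled=False
# silently falls back to TCP.
Get-NetAdapterRdma | Format-Table Name, Enabled
```

One caveat the slide does not state: on 2012 R2 SMB Direct does not carry signed or encrypted SMB sessions. Turning on `-EncryptData $true` for the share (or requiring signing) makes the session fall back to TCP, so the 50 Gbps figure and the confidentiality of the data path are a trade-off, not a combination.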
  • Slide 13
  • Increased efficiency of network processing on Hyper-V hosts (figure: Hyper-V host)
    - Without VMQ: the Hyper-V virtual switch is responsible for routing and sorting packets for VMs; this leads to increased CPU processing, all focused on CPU0
    - With VMQ: the physical NIC creates virtual network queues for each VM to reduce host CPU
    - With Dynamic VMQ: processor cores are dynamically allocated for a better spread of network traffic processing
  • Slide 14
  • SR-IOV (figure: in the host, the VM's network stack has a synthetic NIC on the Hyper-V extensible switch and a Virtual Function (VF) on the SR-IOV NIC)
    - VM traffic bypasses the virtual switch and performs I/O directly to the NIC
    - Ideal for high-I/O workloads that do not require port policies, QoS, or network virtualization enforced at the end-host virtual switch
    - Most 10 Gbps and in-box NICs are SR-IOV capable
    - Benefits: maximizes use of host system processors and memory; reduces host CPU overhead for processing network traffic (by up to 50%); reduces network latency (by up to 50%); provides higher network throughput (by up to 30%); full support for Live Migration
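VMQ and SR-IOV are both configured per adapter and per VM, and the SR-IOV bypass described above is exactly what removes a VM from switch-level policy. This added example (not code from the deck) shows the checks and settings for both on a 2012 R2 host; the adapter name NIC1, the switch name and the VM names are assumed.

```powershell
# Added example: VMQ and SR-IOV configuration and verification.
# Assumed: physical adapter NIC1; VM "Storage01" is the high-I/O workload that may use SR-IOV.

# --- VMQ ---
# Confirm the NIC supports VMQ and see where its queues are being serviced.
Get-NetAdapterVmq -Name NIC1 |
    Format-Table Name, Enabled, BaseVmqProcessor, MaxProcessors, NumberOfReceiveQueues

# Move queue processing off CPU0 (the slide's "all focused on CPU0" case) and
# bound the number of cores it may spread over. Values depend on the host's core count.
Set-NetAdapterVmq -Name NIC1 -BaseProcessorNumber 2 -MaxProcessors 6

# Which VM adapters actually hold a queue right now (VmqUsage > 0).
Get-VMNetworkAdapter -All | Where-Object VmqUsage |
    Format-Table VMName, VmqUsage, VmqWeight

# --- SR-IOV ---
# The adapter must report SriovSupport=Supported, and IOV can only be enabled when
# the switch is created; it cannot be switched on for an existing switch.
Get-NetAdapterSriov -Name NIC1 | Format-Table Name, SriovSupport, Enabled, NumVFs
New-VMSwitch -Name "Tenant-vSwitch" -NetAdapterName NIC1 -EnableIov $true -AllowManagementOS $false

# IovWeight > 0 asks for a Virtual Function. Frames from a VM on a VF do not pass
# through the extensible switch, so port ACLs, switch extensions and HNV policy do
# not see them. Leave IovWeight at 0 for any VM whose traffic must be policed there.
Set-VMNetworkAdapter -VMName "Storage01" -IovWeight 100
Get-VMNetworkAdapter -VMName "Storage01" |
    Format-List IovWeight, IovQueuePairsRequested, IovQueuePairsAssigned, Status

# Audit: every VM with a VF assigned, to compare against the list of VMs that are
# supposed to be exempt from switch-level policy.
Get-VMNetworkAdapter -All | Where-Object IovQueuePairsAssigned -gt 0 |
    Format-Table VMName, IovWeight, IovQueuePairsAssigned
```

The last query is the one to keep: since the slide's Live Migration support means a VM can land on a host where a VF is available even if it had none before, the set of VMs bypassing the switch can change without any configuration change.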
  • Slide 15
  • DHCP failover
    - Automatic DHCP failover based on the DHCP failover IETF spec
    - Provides multi-site IP address continuity to clients by helping eliminate single points of failure
    - Provides in-box support for failover, without the need for clustering
    - Uses a failover setup consisting of two servers located across different geographic locations
    - Includes active/active or active/passive behavior
    - Simple provisioning and configuration of the DHCP server using PowerShell
    - (Figure) Hot-standby DHCP failover in a hub-and-spoke deployment; load-sharing DHCP failover in a single site with a single subnet
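The two deployment shapes in the figure map to the two modes of one cmdlet. This is an added example, not code from the deck; server names, scope IDs and timers are assumed, and the shared secret is read at run time rather than kept in the script because it is what authenticates the partners' failover messages to each other.

```powershell
# Added example: hot-standby and load-balance DHCP failover on Windows Server 2012 R2.
# Assumed: DHCP01 is the branch server, DHCP02 the hub server, DHCP03 a second HQ server.

# The shared secret enables message authentication between partners; prompt for it.
$secure = Read-Host -Prompt "DHCP failover shared secret" -AsSecureString
$secret = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# Hub-and-spoke, hot standby: the branch server is Active; the hub server keeps
# ReservePercent of the pool for leases it may have to issue while the branch is
# down, and takes over fully after MaxClientLeadTime + StateSwitchInterval.
Add-DhcpServerv4Failover -ComputerName DHCP01 -Name "Branch-HotStandby" -PartnerServer DHCP02 `
    -ScopeId 10.20.0.0 -ServerRole Active -ReservePercent 5 `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) -StateSwitchInterval (New-TimeSpan -Minutes 10) `
    -SharedSecret $secret -AutoStateTransition $true

# Single site, single subnet, load balance: both servers answer; the client-ID hash
# decides which one, 50/50 here.
Add-DhcpServerv4Failover -ComputerName DHCP01 -Name "HQ-LoadBalance" -PartnerServer DHCP03 `
    -ScopeId 10.10.0.0 -LoadBalancePercent 50 -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -SharedSecret $secret -AutoStateTransition $true

# Verify from both sides. State should be Normal; CommunicationInterrupted or
# PartnerDown means leases are being issued without partner acknowledgement.
foreach ($srv in "DHCP01", "DHCP02", "DHCP03") {
    Get-DhcpServerv4Failover -ComputerName $srv |
        Format-Table @{n="Server";e={$srv}}, Name, PartnerServer, Mode, State, ScopeId
}
```

Leave `-AutoStateTransition` off only if an operator is expected to confirm a partner is really down before the survivor takes over the whole range; with it on, a long WAN outage in the hub-and-spoke case ends with both servers believing they own the scope until communication resumes and the lease databases reconcile.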
  • Slide 16
  • IP Address Management (IPAM)
    - Manages virtual address space in addition to physical address space
    - Imports and exports network configurations automatically through a plug-in for System Center Virtual Machine Manager
    - Enables synchronization of Active Directory Sites and subnets information with IPAM
    - Supports large-scale enterprise deployments
    - Uses SQL Server to store IP address information
    - Lets admins define user roles, access scope and access policy through role-based access control
    - (Figure) Security groups are mapped to IPAM roles such as Network Administrator, Fabric Administrator, System Administrator and Forensics Investigator; data collection tasks run on the IPAM server
  • Slide 17
  • Virtualization, Storage, Networking, Identity and Access
  • Slide 18
  • IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity. IT can provide seamless corporate access with DirectAccess and automatic VPN connections. Users can work from anywhere on their device with access to their corporate resources. Users can register devices for single sign-on and access to corporate data with Workplace Join. Users can enroll devices for access to the Company Portal for easy access to corporate applications. IT can publish Desktop Virtualization (VDI) for access to centralized resources.
  • Slide 19
  • VPN versus DirectAccess (figure: client behind a firewall reaching the intranet)
    - VPN: connection is user-initiated; IT cannot originate an admin connection to the client from the intranet
    - DirectAccess: connection to the intranet is always active; IT can originate an admin connection to the client from the intranet
    - With DirectAccess, a user's PC is automatically connected whenever an Internet connection is present. Traditional VPNs are user-initiated and provide on-demand connectivity to corporate resources. An automatic VPN connection provides automated starting of the VPN when a user launches an application that requires access to corporate resources.
  • Slide 20
  • Slide 21
  • Slide 22
  • Slide 23
  • Slide 24
  • Slide 25
  • Device trust levels: user-provided devices are unknown and IT has no control; partial access may be provided to corporate information. Registered devices are known, and device authentication allows IT to provide conditional access to corporate information. Domain-joined computers are under the full control of IT and can be provided with complete access to corporate information. Sign-on experience by tier: browser session single sign-on; seamless two-factor authentication for web apps; enterprise apps single sign-on; desktop single sign-on.
  • Slide 26
  • IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication. Users can register BYO devices for single sign-on and access to corporate data with Workplace Join; as part of this, a certificate is installed on the device. Users can enroll devices, which configures the device for management with Windows Intune; the user can then use the Company Portal for easy access to corporate applications. As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device. Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and the cloud.
  • Slide 27
  • Users can access corporate applications and data wherever they are. IT can use the Web Application Proxy to authenticate users and devices with multi-factor authentication, and use conditional access for granular control over how and where the application can be accessed. Active Directory provides the central repository of user identity as well as the device registration information. (Figure: devices, apps and data, published applications, AD integrated.)
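Slides 25 through 27 describe one chain: Workplace Join registers the device in AD, AD FS sees that registration as claims, and Web Application Proxy pre-authenticates against AD FS before forwarding to the app. The following is an added example, not code from the deck or from Microsoft's documentation, wiring those pieces together on 2012 R2: the device registration claim and the insidecorporatenetwork claim are the real AD FS claim types; the relying party name "Expense", the service account, host names and the certificate thumbprint are assumed.

```powershell
# Added example: publish an internal app through Web Application Proxy, allow only
# Workplace Joined devices, and require MFA when the request comes from outside.
# Assumed: AD FS farm sts.contoso.com, relying party "Expense", gMSA CONTOSO\svc-adfs$.

# --- on the AD FS server ---
# Device Registration Service: once per forest, then enable on this farm. Clients
# find it via the enterpriseregistration.<upn-suffix> CNAME pointing at the farm.
Initialize-ADDeviceRegistration -ServiceAccountName "CONTOSO\svc-adfs$"
Enable-AdfsDeviceRegistration

# Issuance authorization for the app: a token is issued only if the device presented
# a registration certificate (the one Workplace Join installs, slide 26).
$onlyRegistered = @'
@RuleName = "Require Workplace Joined device"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName "Expense" -IssuanceAuthorizationRules $onlyRegistered

# Requests that arrive through Web Application Proxy carry insidecorporatenetwork=false.
# This farm-wide rule demands a second factor for exactly those.
$mfaOutside = @'
@RuleName = "MFA from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaOutside

# --- on the Web Application Proxy server ---
# ADFS pre-authentication: the proxy never forwards an unauthenticated request to the
# backend. PassThrough would forward everything and leave authentication to the app.
Add-WebApplicationProxyApplication -Name "Expense" -ExternalPreauthentication ADFS `
    -ExternalUrl "https://expense.contoso.com/" `
    -BackendServerUrl "https://expense.corp.contoso.com/" `
    -ADFSRelyingPartyName "Expense" `
    -ExternalCertificateThumbprint "0123456789ABCDEF0123456789ABCDEF01234567"

Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl
```

Two things to check after this: that the relying party's issuance authorization rules contain nothing broader than the device rule (a leftover "permit all" rule wins), and that the MFA provider referenced by multipleauthn is actually registered on the farm, since the slide's Azure Active Authentication adapter is a separate install.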
  • Slide 28
  • Work Folders: users can sync their work data to their devices, and can register their devices to be able to sync data when IT enforces conditional access. IT can publish access directly through a reverse proxy, or conditional access can be enforced via device registration through the Web Application Proxy. IT can configure a file server to provide Work Folder sync shares for each user to store data that syncs to their devices, including integration with Rights Management. IT can selectively wipe the corporate data from Windows 8.1 clients. Active Directory discoverability provides users with their Work Folders location. (Figure: devices, apps and data.)
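The sync share is where the device-side requirements the slide alludes to (encrypted data, locked device) are actually set. This is an added example, not code from the deck; the feature name is the real one, while the share path, the security group and the AD FS URL are assumed.

```powershell
# Added example: Work Folders sync share on a 2012 R2 file server.
# Assumed: D:\SyncShares\Sales exists on NTFS; CONTOSO\Sales-Users is the entitled group.
Install-WindowsFeature FS-SyncShareService

# RequireEncryption: client data is encrypted with a per-user key tied to the corporate
# identity, which is what makes the selective wipe on slide 28 possible.
# RequirePasswordAutoLock: device must have a lock screen password and auto-lock.
# InheritParentFolderPermission $false: each user folder gets an ACL with only that
# user (and the server) instead of inheriting whatever is on the parent path.
New-SyncShare -Name "Sales-WorkFolders" -Path "D:\SyncShares\Sales" -User "CONTOSO\Sales-Users" `
    -RequireEncryption $true -RequirePasswordAutoLock $true -InheritParentFolderPermission $false

Get-SyncShare -Name "Sales-WorkFolders" |
    Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock

# Conditional access through Web Application Proxy means the sync server must accept
# AD FS tokens instead of Windows authentication (assumed farm URL).
Set-SyncServerSetting -ADFSUrl "https://sts.contoso.com"
```

Users are located through the Work Folders URL published in AD (the "discoverability" on the slide), so the external name of that URL is what Web Application Proxy has to publish.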
  • Slide 29
  • Download Windows Server 2012 R2. Learn and expand. Act.
  • Slide 30
  • Slide 31
  • Dynamic Access Control: centrally manage access control and audit policies from Windows Server Active Directory. Automatically identify and classify data based on content; classification applies as files are created or modified. Integration with Active Directory Rights Management Services provides automated encryption of documents. Central access and audit policies can be applied across multiple file servers, with near-real-time classification and processing of new and modified documents. File classification, access policies and automated Rights Management also work against client-distributed data through Work Folders.
  • Slide 32
  • Slide 33
  • Slide 34
  • Slide 35
  • Slide 36
  • Access control decision (figure): the file or folder security descriptor holds the NTFS permissions and a reference to a Central Access Policy; the policy definition and its Central Access Rules come from Active Directory and are cached in the local registry. The share has its own security descriptor with share permissions. The access check then runs:
    1) Access check against share permissions, if applicable
    2) Access check against file permissions
    3) Access check against every matching Central Access Rule in the Central Access Policy
    All three must grant the requested access; effective access is the intersection.
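Slides 31 and 36 describe the objects that feed step 3 of that decision. This added example (not code from the deck) creates them: a user claim sourced from an AD attribute, the built-in Department resource property the classifier stamps on files, one Central Access Rule with a conditional ACE, and the policy that file servers cache. The rule and policy names and the Finance/HR values are assumed; the claim ID is set explicitly to "ad://ext/Department" so the SDDL expression can name it, and the exact form of that expression is an assumption to verify in the Active Directory Administrative Center after creation.

```powershell
# Added example: Dynamic Access Control objects in AD (run on a 2012 R2 DC or with RSAT).
# Assumed: claim ID ad://ext/Department; values Finance and HR; names below.

# 1. User claim type taken from the 'department' attribute at logon (Kerberos armoring
#    and the "KDC support for claims" policy must be on for clients to carry it).
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" -ID "ad://ext/Department" `
    -SuggestedValues @(
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Finance", "Finance", "")
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("HR", "HR", "")
    )

# 2. Resource property that file classification (slide 31) writes onto files.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Department_MS"

# 3. Central Access Rule. ResourceCondition selects which files the rule applies to;
#    CurrentAcl is the permission set in SDDL. The XA entry is a conditional ACE:
#    Authenticated Users (AU) get FILE_GENERIC_READ (0x1200a9) only when the user's
#    Department claim equals Finance. Condition syntax is the assumption noted above.
$acl = 'O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)' +
       '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == "Finance"))'
New-ADCentralAccessRule -Name "Finance documents" -ProtectedFromAccidentalDeletion $true `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' -CurrentAcl $acl

# 4. Central Access Policy groups rules. It reaches file servers through Group Policy
#    (Computer Configuration > Policies > Windows Settings > Security Settings >
#    File System > Central Access Policy), which is the "cached" copy on slide 36.
New-ADCentralAccessPolicy -Name "Finance CAP"
Add-ADCentralAccessPolicyMember -Identity "Finance CAP" -Members "Finance documents"

# 5. Review what will be distributed. A rule with an empty or overly broad
#    ResourceCondition applies to every file under the policy.
Get-ADCentralAccessPolicy -Filter * | Format-Table Name, Members
Get-ADCentralAccessRule  -Filter * | Format-List Name, ResourceCondition, CurrentAcl
```

On the file server the policy is still only a candidate until it is applied to a folder (Security tab, Central Policy), and step 3 of the decision above only ever removes access: a user denied by NTFS in step 2 is not rescued by a matching claim.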
  • Slide 37
  • MCSA: Windows Server 2012 (find a learning partner): Installing and Configuring Windows Server 2012 + Administering Windows Server 2012 + Configuring Advanced Windows Server 2012 Services = MCSA: Windows Server 2012
  • Slide 38
  • MCSE: Server Infrastructure (find a learning partner): MCSA: Windows Server 2012 + Designing and Implementing a Server Infrastructure + Implementing an Advanced Server Infrastructure = MCSE: Server Infrastructure (* requires recertification)
  • Slide 39
  • MCSE: Desktop Infrastructure (find a learning partner): MCSA: Windows Server 2012 + Implementing a Desktop Infrastructure + Implementing Desktop Application Environments = MCSE: Desktop Infrastructure (* requires recertification)
  • Slide 40
  • Upgrade paths: Upgrading Your Skills to MCSA Windows Server 2012. Any of the following certifications qualify: MCSA: Windows Server 2008*, MCITP: Virtualization Administrator, MCITP: Enterprise Messaging Administrator, MCITP: Lync Server Administrator, MCITP: SharePoint Administrator, MCITP: Enterprise Desktop Administrator. From MCSA: Windows Server 2012, either or both of Server Infrastructure (Designing and Implementing a Server Infrastructure; Implementing an Advanced Server Infrastructure) and Desktop Infrastructure (Implementing a Desktop Infrastructure; Implementing Desktop Application Environments)