mountainss Cloud and Datacenter Management Blog

Microsoft SystemCenter blogsite about virtualization on-premises and Cloud

Microsoft Hybrid #Cloud Multi-Tenant Networking Solution #SCVMM #Hyperv #WAP #Winserv


This guide describes a hybrid cloud solution where a hosting provider can connect multiple tenant networks to their network and offer secure network isolation to each tenant in a way that is simple to set up and efficient to operate. A self-service portal makes it easy for tenants to provision their private network and virtual machines without the need for the hosting provider to intervene if a change is required.

The following diagram illustrates the problem and scenario that this solution guide addresses.

Hybrid Cloud Multi-Tenant Networking

Example scenario

The example organization described in this guide is a medium-sized hosting provider that offers managed services, including infrastructure as a service (IaaS). This organization is seeing a lot of interest from their enterprise customers to move some of their enterprise workloads to the cloud, while maintaining connectivity back to their on-premises network.

This organization provides a hybrid cloud service that makes it possible for a customer to create a virtual network that spans their cloud infrastructure and the customer’s on-premises network, using the customer’s existing private IP address space.

Their marketing has been so successful that the demand for their service is increasing rapidly. This rapid rise in demand has made it imperative for the organization to lower their operating expenses to make it a profitable service, given the inefficiencies in their current implementation.

Problem statement

The organization has found that their current hybrid cloud solution does not scale well, and is inefficient and expensive to operate. For example, in their experience:

  • Their current solution requires two virtual machine network virtualization gateways for every tenant (for redundancy), and each pair of gateways requires a public IP address. As the number of tenants increases, the number of virtual machine gateways required increases linearly, and they can become very difficult to administer. The costs associated with all these network virtualization gateways can add up rather quickly, which makes the current solution not cost-effective.
  • Connecting multiple sites per tenant requires a virtual machine gateway for each tenant site.
  • Without an industry standard routing protocol, the administrator must manually administer network routes. This is inefficient and subject to configuration errors.
  • Using VLANs for network isolation limits the number of networks that can be supported.

The organization is looking for a simpler, cost-effective way for a hosting provider to connect tenant networks in a hybrid cloud offering. They want to deploy virtual machine gateways that can connect multiple tenant networks and multiple sites per tenant simultaneously. Also, they want virtual machine gateways to be clustered to offer redundancy and connection preservation in case of failure, and multiple virtual machine gateways to be deployed to address throughput requirements. In addition, they want to use an industry standard routing protocol, and enable a scalable virtual network isolation protocol that is not limited by current VLAN technologies.

Also, this organization needs to use an easy-to-use management interface, which includes IP address space management, together with an easy-to-use self-service tenant portal provided to make a hybrid cloud simple and efficient to deploy.

Organization goals

To summarize, the example organization for this guide has the following goals for a hybrid cloud solution:

  • I can use a single gateway to connect multiple tenant sites in a hybrid cloud offering, which means that I do not need multiple gateways using multiple public IP addresses for each of my tenants. This solution scales well, which allows me to connect more tenants with fewer resources.
  • I can isolate my tenant networks using network virtualization, which scales better than VLANs. VLANs are typically implemented with a limit of about 1000 different identifiers, which limits the number of tenant networks I can support. Network virtualization can support thousands of tenants, without any of the constraints imposed by VLANs, switches, and physical network locations.
  • I can manage my hybrid cloud offering using an easy-to-use management interface that allows me to manage my virtual networks, IP address spaces, and gateways all in one location. This makes it easier and more efficient to manage many tenants at a time.
  • I can offer my tenants a common self-service portal, which allows them to efficiently place their computing resources where it best meets their business needs. I can offer tenants a customizable portal compatible with Windows Azure, utilizing the same Service Management API based on REST (Representational State Transfer).
  • I can offer my tenant customers easy-to-follow guidance to connect their on-premises network to my hosting provider network through a secure site-to-site VPN (virtual private network). Router configuration guidance includes required protocols, settings, and end-point addresses.

To address the problem and scenario described in the previous section, Microsoft integrates various products and technologies. Windows Server 2012 R2 Preview together with System Center 2012 R2 Virtual Machine Manager give hosting providers a multi-tenant gateway solution that supports multiple host-to-host VPN tenant connections. Hyper-V Network Virtualization provides tenant virtual network isolation with Network Virtualization using Generic Routing Encapsulation (NVGRE), which allows tenants to bring their own address space and allows hosting providers better scalability than is possible using VLANs for isolation.

Virtual Machine Manager offers a simple user interface to manage the gateways, virtual networks, virtual machines and other fabric items. When integrated with Windows Server IP Address Management (IPAM), you can manage the IP address space for the tenant and fabric networks.

Windows Azure Pack creates a self-service portal for tenants to manage their own virtual networks. With Windows Azure Pack, you can deploy a common self-service experience, a common set of management APIs, and an identical website and virtual machine hosting experience. Tenants can take advantage of the common interfaces, which frees them to move their workloads where it makes the most sense for their business or for their changing requirements.

The following diagram illustrates the Microsoft Hybrid Cloud Multi-Tenant Networking solution, which connects each tenant’s network to the hosting service provider network using a site-to-site VPN tunnel and Border Gateway Protocol (BGP) for automatic routing table synchronization. Each tenant must configure their own gateway to connect to the hosting provider gateway. The gateway then isolates each tenant’s network data using the NVGRE protocol for network virtualization.
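The isolation property that the two paragraphs above attribute to NVGRE (tenants keep their own, possibly overlapping, address space and the gateway keeps them apart by virtual subnet ID) can be seen directly in the encapsulation header. The following is an added example, not code from the original post or from Microsoft: it builds two constructed NVGRE frames with the same customer addresses but different VSIDs, parses the GRE key to recover the VSID, and resolves each frame against a constructed policy table that maps (VSID, customer address) to tenant and provider address, dropping frames whose VSID is not in the policy.

```python
import struct

# Constructed sample policy table (not from the original page): the hosting
# provider's network virtualization policy maps a virtual subnet ID (VSID) plus a
# customer address (CA) to the tenant and the provider address (PA) of the host.
POLICY = {
    (5001, "10.0.0.5"): ("TenantA", "192.168.1.11"),
    (5001, "10.0.0.6"): ("TenantA", "192.168.1.12"),
    (5002, "10.0.0.5"): ("TenantB", "192.168.1.11"),  # same CA, different tenant
    (5002, "10.0.0.6"): ("TenantB", "192.168.1.13"),
}
GRE_FLAG_KEY = 0x2000    # NVGRE sets only the K (key present) bit in the GRE flags
GRE_PROTO_TEB = 0x6558   # GRE protocol type: Transparent Ethernet Bridging
VSID_MAX = (1 << 24) - 1 # 24-bit VSID, versus the 12-bit VLAN ID space

def build_nvgre(vsid, flow_id, src_ca, dst_ca):
    """Build a GRE header plus inner Ethernet/IPv4 headers (no L4 payload)."""
    key = (vsid << 8) | flow_id                        # 24-bit VSID, 8-bit FlowID
    gre = struct.pack("!HHI", GRE_FLAG_KEY, GRE_PROTO_TEB, key)
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)     # dst/src MAC, IPv4 ethertype
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ca.split(".")),
                     bytes(int(o) for o in dst_ca.split(".")))
    return gre + eth + ip

def parse_nvgre(pkt):
    """Return (vsid, flow_id, src_ca, dst_ca); raise ValueError on a non-NVGRE header."""
    flags, proto, key = struct.unpack("!HHI", pkt[:8])
    if flags != GRE_FLAG_KEY or proto != GRE_PROTO_TEB:
        raise ValueError("not an NVGRE frame")
    vsid, flow_id = key >> 8, key & 0xFF
    ip = pkt[8 + 14:]                                  # skip GRE and inner Ethernet
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return vsid, flow_id, src, dst

def route(pkt):
    """Resolve the destination tenant and PA; an unknown (VSID, CA) pair is dropped."""
    vsid, _, _, dst_ca = parse_nvgre(pkt)
    return POLICY.get((vsid, dst_ca))                  # None means the frame is dropped
```

Because the lookup key includes the VSID, two tenants can both use 10.0.0.0/24 without their frames ever being delivered to each other's hosts.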

Hybrid Cloud Multi-Tenant Networking Solution Architecture

Multi-Tenant Networking solution

When planning this solution, you need to consider the following:

  • High availability design for the gateway
  • Tenant virtual machine Internet access requirements
  • Infrastructure physical hardware capacity and throughput
  • Site-to-site connection throughput
  • Network isolation technologies
  • Authentication mechanisms
  • IP addressing

  1. Plan and design for hybrid cloud multi-tenant networking.

    Use the Hybrid Cloud Multi-Tenant Networking Planning and Design Guide to plan and design your solution.

    After you complete this step, verify that you have a completed worksheet showing your selected solution design options.

  2. Deploy Virtual Machine Manager.

    Use the Virtual Machine Manager Deployment Guide to install and configure Virtual Machine Manager. Virtual Machine Manager is used to deploy and manage your gateway and other network components for this solution.

    After this step is complete, verify you have the features configured.

  3. Deploy Windows Server IPAM.

    Use the IPAM Deployment Guide to install and configure IPAM. Windows Server IPAM is integrated with Virtual Machine Manager to deploy and manage the IP address space for your customer and fabric infrastructure.

    After this step is complete, verify you have the features configured.

  4. Deploy the Windows Server 2012 R2 Preview Gateway.

    Use the Windows Server 2012 R2 Gateway Deployment Guide to install and configure the gateway. The gateway is deployed using Virtual Machine Manager and provides a connection point for multiple tenant site-to-site VPN connections.

    After this step is complete, verify you have the features configured.

  5. Deploy the Windows Azure Pack.

    Use the Windows Azure Pack Deployment Guide to install and configure the Windows Azure Pack. The Windows Azure Pack integrates with Virtual Machine Manager and allows your tenants to create and manage their own private networks and compute resources.

    After this step is complete, verify you have the features configured.

  6. Connect a test tenant gateway to the hosting provider Windows Server 2012 R2 Preview gateway.

    Use the Tenant Gateway Configuration Guide to connect a test tenant gateway to the hosting provider Windows Server 2012 R2 Preview gateway. This is the documentation that you will provide to your tenant customers so that they can connect their network to your hosting service. By testing these steps, you will verify that your customers will be successful if they follow your instructions.

    After this step is complete, verify you have the features configured.

  7. Verify the solution.

Related resources:

What’s New in Windows Server 2012 R2

Technical Scenarios for Windows Server 2012

IPAM Planning and Design Guide

Networking Overview

Configuring Networking in VMM Overview

Windows Azure Pack for Windows Server

What’s New in 2012 R2: Enabling Modern Apps with the Windows Azure Pack



Author: James van den Berg

I'm a Microsoft Architect and ICT Specialist and a Microsoft MVP for System Center Cloud and Datacenter Management
