Setting up an Environment for Self-Service Users of Networked Virtual Machines

This scenario helps you use Virtual Machine Manager (VMM) in System Center 2012 Service Pack 1 (SP1) to set up an environment where self-service users—your clients or customers—can create their own virtual machines and configure networks for those virtual machines. You can use VMM together with two other System Center components, Operations Manager and App Controller, to help support your self-service users.


This solution is intended to serve as a high-level example, not as comprehensive or detailed guidance. You can use the example solution as a guide to posting descriptions of your own solutions that are particular to your business or organization. Then, other members of the community can follow your descriptions to get ideas for how to combine System Center components to meet their business requirements. You can view an example template on the TechNet Wiki at Cross Component Scenario template.

Scenario description

Different organizations, organizational departments, administrators, and users (including users of cloud-based services) have different levels of expertise and different degrees to which they want to be involved with managing physical and virtual computer resources. In this scenario, each organization, department, or group wants to focus on their own area of expertise and not have to work with details that are related to other areas of expertise. The following list describes the scenario:

  • Providers of physical resources: Some organizations, departments, and IT administrators have deep expertise and capacity for managing physical resources such as servers, storage, and network hardware such as network adapters and switches. They might want to make computing capacity and connectivity available to others, but don’t want to reconfigure hardware each time a new user comes along, or each time someone wants different resources. They also might want to delegate some of the routine aspects of network configuration to other IT administrators.

Administrators at this level are called fabric administrators.

  • Providers of configuration and support for networks: Some organizations, departments, and IT administrators are familiar with basic networking concepts and processes, such as IP addressing, gateways, and network monitoring. They might want to define sets of networking resources and make them available to others, but don’t necessarily want to work at a detailed level with network hardware.

Administrators at this level are called tenant administrators.

  • Users of virtual machines and related resources: Some organizations, departments, IT administrators, and users don’t want to work with physical resources or all the complexities of networking, but want to easily add or remove virtual machines and connect them together in networks as needed.

People at this level are called application administrators or self-service users.

Solution description

By using VMM in System Center 2012 SP1, the fabric administrator can create a private cloud, which is an aggregate set of hosted storage, networking, and other resources, and work with a tenant administrator to make those resources available to self-service users. Specifically, among the networking resources in the private cloud, the fabric administrator configures logical networks that support network virtualization. The tenant administrator then uses those logical networks as a foundation and creates virtual machine networks (VM networks) that use network virtualization. Then the self-service users can create virtual machines and connect them to the VM networks, without requiring knowledge of the underlying physical resources. The tenant administrator controls resource usage through user role quotas. Self-service users can assign and reassign VM networks without having to ask administrators for assistance, other than requesting changes in capacity and quotas when their requirements change.

This solution focuses on the networking aspect of the configuration, although it also includes other aspects. Through networking options that are available in VMM in System Center 2012 SP1, administrators can configure not only logical networks, which provide a foundation on which to build, but also VM networks, which are the networks that your self-service users can assign to virtual machines that they create. The methods of configuration in VMM allow for collaboration among administrators at different levels of expertise—highly knowledgeable networking administrators (fabric administrators) and basic networking administrators (tenant administrators).

You can create a private cloud from either of the following sources:

  • Host groups that contain resources from Hyper-V hosts, VMware ESX hosts, and Citrix XenServer hosts
  • A VMware resource pool

System Center 2012 components and other products, features, and roles

  • System Center 2012 SP1 - Virtual Machine Manager
  • System Center 2012 SP1 - Operations Manager
  • System Center 2012 SP1 - App Controller

How does this solution fit into your IT strategy?

The Microsoft cloud strategy is hosted on the Private Cloud Solution Hub where architectural guidance is located. The strategy describes how a private cloud enables organizations to deliver information technology as services. The private cloud provides a pool of computing resources that are delivered as a standard set of capabilities that are specified, architected, and managed based on requirements defined by a private organization.

How do you prepare System Center for this solution?

If you are not already familiar with the system requirements, review them in the following topics before you begin to deploy software:

Next, deploy the software. For more information about deployment, see the following topics:

You’ll also need to connect VMM with the other components. For more information about connecting VMM, see the following topics:

Before you begin to configure networking in VMM, you will need to create host groups (as containers to which you’ll later add hosts):

It is also a good idea to configure storage, add a VMM library server or VMM library share, and add hosts before you begin to configure networking in VMM. You can delay these steps, although you have to complete them before you apply a logical switch to host network adapters (as described in the following procedures) and before you create a private cloud. For more information, see the following topics:

How to accomplish this solution

The steps for accomplishing this solution are divided into three stages:

  1. Configuration steps for the fabric administrator
  2. Configuration steps for the tenant administrator
  3. Configuration steps for a self-service user (or tenant administrator testing the configuration)

Before you start, you might want to familiarize yourself with some of the networking options in VMM by reviewing the diagrams in Networking in VMM Illustrated Overview. If you want to see screenshots before you start to create your own configuration, the blog post at http://blogs.technet.com/b/scvmm/archive/2013/01/08/virtual-networking-in-vmm-2012-sp1.aspx walks through networking in VMM and includes screenshots.

Configuration steps for the fabric administrator

By taking the following steps, a fabric administrator can make computing capacity and connectivity available to others, in a way that does not require reconfiguration each time a new user comes along, or each time someone wants different resources.

1.     Optionally, configure global network settings in VMM in System Center 2012 SP1

By default, when you add a Hyper-V host to VMM management, if a physical network adapter on the host does not have an associated logical network, VMM automatically creates and associates a logical network that matches the first DNS suffix label of the connection-specific DNS suffix. On the logical network, VMM also creates a VM network that is configured with “no isolation.” No network sites are created automatically.

Both of these defaults, the logical network naming rule and the automatic VM network creation, are customizable.

How to Configure Global Network Settings in VMM

2.     Create logical networks, one of which has network virtualization enabled

You’ll need logical networks for basic functions, such as host management, plus a logical network with network virtualization enabled (to support virtual machines that self-service users will create). The logical network, and the network sites that you create inside the logical network, help you organize your network configuration. For example, you might base the name of a logical network Contoso1 on the name of your hosting company, Contoso Hosters. Inside that logical network, you can have a network site that is named Contoso1_Building1 and another network site that is named Contoso1_Building2. The logical network and the network sites will provide a foundation on which you build additional network infrastructure.

By creating the logical network with network virtualization enabled, you can later create multiple virtual machine networks (VM networks) on top of that logical network, with each VM network serving the needs of a particular group of self-service users. The users can assign VM networks as part of virtual machine and service creation without having to understand the network details.

How to Create a Logical Network in VMM

3.     Create an IP address pool for your logical network

Because you will be using network virtualization, you will need an IP address pool for your logical network.

How to Create IP Address Pools for Logical Networks in VMM
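Steps 2 and 3 as they look in the VMM command shell, as an added example that is not part of the original page. It creates the logical network with network virtualization enabled, one network site scoped to a host group, and the provider-address pool that network virtualization requires. The names Contoso1 and Contoso1_Building1 are taken from the text; the host group name, the 10.10.1.0/24 addressing and the DNS server are constructed for illustration.

```powershell
# Added example (not from the original page): fabric-administrator steps 2 and 3.
# Host group name, 10.10.1.0/24 addressing and DNS server are constructed.

# Step 2: a logical network that carries tenant VM networks. Network
# virtualization is switched on here; NVGRE is the SP1 encapsulation.
$ln = New-SCLogicalNetwork -Name "Contoso1" `
        -Description "Hoster network that carries tenant VM networks" `
        -EnableNetworkVirtualization $true -UseGRE $true `
        -LogicalNetworkDefinitionIsolation $false -IsPVLAN $false

# A network site (logical network definition) limited to one host group.
$hostGroup  = Get-SCVMHostGroup -Name "All Hosts"
$siteSubnet = New-SCSubnetVLan -Subnet "10.10.1.0/24" -VLanID 0
$site = New-SCLogicalNetworkDefinition -Name "Contoso1_Building1" `
          -LogicalNetwork $ln -VMHostGroup $hostGroup -SubnetVLan $siteSubnet

# Step 3: the provider-address (PA) pool. With network virtualization, VMM
# assigns each host a PA from this pool for the tenants' encapsulated traffic.
$gateway = New-SCDefaultGateway -IPAddress "10.10.1.1" -Automatic
$paPool  = New-SCStaticIPAddressPool -Name "Contoso1_Building1_PA" `
             -LogicalNetworkDefinition $site -Subnet "10.10.1.0/24" `
             -IPAddressRangeStart "10.10.1.20" -IPAddressRangeEnd "10.10.1.250" `
             -DefaultGateway $gateway -DNSServer @("10.10.1.2")

# Read the result back: the network and its pool should both be present.
Get-SCLogicalNetwork -Name "Contoso1" | Format-List Name, Description
Get-SCStaticIPAddressPool -Name "Contoso1_Building1_PA" |
    Format-List Name, Subnet, IPAddressRangeStart, IPAddressRangeEnd
```

Keep the PA range out of the customer-address ranges that tenants will later use; the PA pool is host-side plumbing and should never be handed to a VM network.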

4.     Decide on the properties and capabilities that you want for the network adapters in your VMM configuration

As your network configurations grow, you will want to simplify the process of configuring the network adapters on your host systems. You can do this with native port profiles and logical switches, which act as containers for the properties or capabilities that you want your network adapters to have. By applying a logical switch and port profiles to a network adapter, you can apply the required properties with a minimum of steps.

Before you begin to configure port profiles and logical switches, you might want to review the “Settings” and “Prerequisites” sections in the following overview.

Configuring Ports and Switches for VM Networks in VMM

You can begin to familiarize yourself with native port profiles and logical switches in VMM by reviewing the diagrams for logical switches in Networking in VMM Illustrated Overview.

5.     Create a native port profile for uplinks

A native port profile for uplinks acts as a container for the network sites that you want a network adapter to connect to. It also specifies how teaming is configured for a network adapter, if you specify in your logical switch (a few steps later in this list) that you want to use teaming with any network adapters that are on the same host and have the same logical switch and port profiles applied to them.

How to Create a Port Profile for Uplinks in VMM

6.     Choose or create a native port profile for virtual network adapters

A native port profile for virtual network adapters specifies capabilities for those adapters, and makes it possible for you to control how bandwidth is used on the adapters. The capabilities include offload settings and security settings. You can choose from the native port profiles that are already included in VMM, or create your own. For example, you might use the native port profile named “High Bandwidth Adapter” to configure high-bandwidth virtual network adapters.

How to Create a Port Profile for Virtual Network Adapters in VMM

7.     Choose or create a port classification

Port classifications provide global names for identifying different types of virtual network adapter port profiles. A port classification can be used across multiple logical switches while the settings for the port classification remain specific to each logical switch. You can choose from the port classifications that are already included in VMM, or create your own. For example, you might use the port classification that is named “High bandwidth” to identify ports that are configured with high bandwidth.

How to Create a Port Classification in VMM

Note   This document does not describe virtual switch extensions or virtual switch extension managers. However, it’s a straightforward process to add these to your configuration after you finish this guide. If you want to learn how virtual switch extensions or virtual switch extension managers can help you with your configuration, see Configuring Ports and Switches for VM Networks in VMM on TechNet. Go to the “Settings” section, and review the “Logical switch” and “Virtual switch extension manager” rows of the table.

8.     Create a logical switch

A logical switch brings your port profiles and port classifications together so that you can apply them to multiple network adapters.

Note that when you add an uplink port profile to a logical switch, the uplink port profile appears in a list of profiles that are available through that logical switch. When you apply the logical switch to a network adapter in a host, the uplink port profile is available in the list of profiles, but it is not applied to that network adapter until you select it from the list. This helps you to create consistency in the configurations of network adapters across multiple hosts, but it also makes it possible for you to configure each network adapter according to your specific requirements.

How to Create a Logical Switch in VMM

9.     Configure network settings on a host by applying your logical switch

To bring together the network settings that you configured in port profiles and logical switches, apply them to network adapters on a host. The network adapters can be physical network adapters or virtual network adapters on the host.

As described in the previous step, after you select the logical switch that you want to apply to a network adapter on a host, you see a list of the uplink port profiles that are available in that switch. You must select the one that you want for that specific adapter.

How to Configure Network Settings on a Host by Applying a Logical Switch in VMM

10.   Optionally, add a gateway

If you already have the provider software that supports your tenant administrator’s gateway server, this is a good time to add the gateway server to your configuration. The gateway allows the virtual machines that you will be hosting to connect to another network. Typically, this gateway will be a “VPN gateway,” also called a “remote gateway,” which means that it connects VM networks on your site through a VPN tunnel to a network on the premises of the tenant administrator. There are various prerequisites for configuring a VPN gateway, but the first one is to obtain the provider software that comes from the manufacturer of the gateway device, install the provider on the VMM management server, and then restart the System Center Virtual Machine Manager service.

Later, if you are creating a connection to a VPN gateway, you will configure the appropriate VM network to make the connection. If you want to review the full list of prerequisites for that process, see the “Prerequisites for gateways” section in the following overview topic:

Configuring VM Networks and Gateways in VMM

For the steps for adding a gateway to VMM, see the following procedure:

How to Add a Gateway in VMM in System Center 2012 SP1

11.   Review your configuration in preparation for creating a private cloud

A private cloud is an aggregate set of storage, networking, and other resources that you can make available to self-service users. During private cloud creation, you select the underlying fabric resources that will be available, configure library paths for private cloud users, and set the capacity for the private cloud. Therefore, before you create a private cloud, you might want to review your configuration. For more information, see the following sections:

Preparing the Fabric in VMM on TechNet (for links to other topics)

Configuring Storage in VMM Overview

How to Add a VMM Library Server or VMM Library Share

Creating Host Groups in VMM Overview

12.   Create a private cloud

One way to create a private cloud is to use host groups that contain resources from Hyper-V hosts, VMware ESX hosts, Citrix XenServer hosts, or a combination of these hosts. The other way is to use a VMware resource pool. The wizard for creating a private cloud has a page where you can select the logical network that supports network virtualization, and also has a page where you can select the port classification that you created. Use one of the following procedures to create a cloud:

How to Create a Private Cloud from Host Groups

How to Create a Private Cloud from a VMware Resource Pool

13.   Optionally, view a diagram of your network configuration

It can be useful to see a diagram of your network configuration. At this point, the type of diagram that shows the parts of the network that you have already configured is the Host Networks diagram. For information about how to view this and other diagrams, see the following procedure:

How to View VMM Network Configuration Diagrams in VMM

14.   Optionally, review the kinds of information that you can gather with Operations Manager

It can be useful to review the kinds of VMM configuration information that are available through Operations Manager:

Using Reporting in VMM

15.   Create and configure the Tenant Administrator user role in VMM

The actions that members of the Tenant Administrator user role in VMM can take are controlled by the fabric administrator who creates the Tenant Administrator user role. Typically, tenant administrators can take the following actions:

  • Manage self-service users and VM networks.
  • Create, deploy, and manage their own virtual machines and services.
  • Specify which tasks the self-service users can perform on their virtual machines and services.
  • Place quotas on computing resources and virtual machines.

When you create the Tenant Administrator user role and select the Actions that are allowed, be sure to include Author VMNetwork.

How to Create a Tenant Administrator User Role in VMM

Configuration steps for the tenant administrator

16.   Optionally, create a user role in App Controller

You might want self-service users to use App Controller as a portal for deploying virtual machines. If so, perform this step to specify the access that users should have.

How to Create a User Role in App Controller

If instead you want self-service users to use the VMM console, you don’t have to create a user role in App Controller.

17.   Create a VM network to which a self-service user can connect a virtual machine

By using network virtualization for your virtual machine networks (VM networks), you can create multiple VM networks on each logical network and configure IP subnets for those VM networks as needed. You do not have to be concerned about whether the IP addresses overlap from one VM network to the next. However, when a VM network connects through a gateway to another network, you do need to pay attention to overlap with the IP addresses in that network.

In the following topic, use the first procedure, which is the one for network virtualization:

How to Create a VM Network in VMM in System Center 2012 SP1

You can begin to familiarize yourself with VM networks and how they relate to logical networks by reviewing the diagrams in Networking in VMM Illustrated Overview.

18.   Create an IP address pool for the VM network

You must create a static IP address pool for a VM network so that VMM can assign static IP addresses to Windows-based virtual machines (running on any supported hypervisor platform) that use the VM network.

How to Create IP Address Pools for VM networks in VMM
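Steps 17 and 18 in the VMM command shell, as an added example that is not part of the original page. It creates a VM network that uses Windows Network Virtualization on the Contoso1 logical network, a VM subnet, and the static customer-address pool, and then adds a small overlap check for the caveat in step 17: overlapping customer addresses are harmless between isolated VM networks but not once a VM network is connected through a gateway to the tenant's own network. The tenant name, the 192.168.10.0/24 subnet, the pool range and the on-premises prefixes are constructed; Test-SubnetOverlap is plain PowerShell written for this example, not a VMM cmdlet.

```powershell
# Added example (not from the original page): tenant-administrator steps 17 and 18.
# TenantA names, 192.168.10.0/24 and the on-premises prefixes are constructed.
$ln = Get-SCLogicalNetwork -Name "Contoso1"

# Step 17: a VM network isolated by Windows Network Virtualization. Customer
# addresses (CA) are what the tenant's VMs see; provider addresses (PA) come
# from the logical network's pool, so CA ranges may repeat across VM networks.
$vmNet = New-SCVMNetwork -Name "TenantA_Net" -LogicalNetwork $ln `
           -IsolationType "WindowsNetworkVirtualization" `
           -CAIPAddressPoolType "IPV4" -PAIPAddressPoolType "IPV4"
$caSubnet = New-SCSubnetVLan -Subnet "192.168.10.0/24"
$vmSubnet = New-SCVMSubnet -Name "TenantA_Subnet1" -VMNetwork $vmNet -SubnetVLan $caSubnet

# Step 18: the static CA pool from which VMM assigns addresses to Windows VMs
# on this VM network. A default gateway is only needed once the VM network is
# routed through a gateway (step 10).
$caPool = New-SCStaticIPAddressPool -Name "TenantA_Subnet1_Pool" -VMSubnet $vmSubnet `
            -Subnet "192.168.10.0/24" `
            -IPAddressRangeStart "192.168.10.10" -IPAddressRangeEnd "192.168.10.200"

# Helper for the gateway caveat: do two IPv4 prefixes overlap?
function Test-SubnetOverlap {
    param([string]$CidrA, [string]$CidrB)
    $parse = {
        param([string]$cidr)
        $ip, $len = $cidr.Split('/')
        $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($bytes)                                   # host byte order
        $addr = [BitConverter]::ToUInt32($bytes, 0)
        $mask = [uint32]([Math]::Pow(2, 32) - [Math]::Pow(2, 32 - [int]$len))
        @{ Net = $addr -band $mask; Mask = $mask }
    }
    $a = & $parse $CidrA
    $b = & $parse $CidrB
    $m = [uint32][Math]::Min($a.Mask, $b.Mask)                     # compare on the shorter prefix
    return (($a.Net -band $m) -eq ($b.Net -band $m))
}

# Constructed on-premises prefixes for TenantA. Run this before connecting the
# VM network to a VPN gateway; the first prefix collides, the second does not.
$onPremPrefixes = @("192.168.10.0/24", "10.50.0.0/16")
foreach ($p in $onPremPrefixes) {
    if (Test-SubnetOverlap "192.168.10.0/24" $p) { "CA subnet 192.168.10.0/24 overlaps on-premises prefix $p" }
}
```

If the overlap check reports a collision, pick a different CA subnet for the VM network before deploying virtual machines; renumbering after a gateway connection is in place is far more disruptive.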

19.   Create and configure an “Application Administrator (Self-Service User)” role

In VMM, self-service users can use the VMM console or the VMM command shell to create and manage their own virtual machines and services. Tenant administrators can specify which tasks the self-service users can perform on their virtual machines and services. Tenant administrators can also place quotas on computing resources and virtual machines.

How to Create a Self-Service User Role in VMM

How to Enable Self-Service Users to Share Resources in VMM

How to Configure the Library to Support Self-Service Users
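Steps 15 and 19 together in the VMM command shell, as an added example that is not part of the original page: the fabric administrator creates the Tenant Administrator role with Author VMNetwork (AuthorVMNetwork in the command shell), and the tenant administrator then creates a self-service user role underneath it with a narrower action set, Share and Receive, and quotas. The cloud name, the domain accounts and the quota values are constructed; the exact permission names accepted by the -Permission parameter, and the -ParentUserRole parameter, are assumptions to confirm with Get-Help on your build.

```powershell
# Added example (not from the original page): step 15 (Tenant Administrator role)
# and step 19 (self-service user role). Cloud name, accounts and quota values are
# constructed; permission names and -ParentUserRole are assumed, verify with
# Get-Help New-SCUserRole / Set-SCUserRole -Parameter Permission.
$cloud = Get-SCCloud -Name "ContosoHosting"

# Step 15: the tenant role needs AuthorVMNetwork so it can create VM networks
# in step 17. Scope it to the private cloud, not to host groups or hosts.
$tenantRole = New-SCUserRole -Name "TenantA Administrators" -UserRoleProfile "TenantAdmin"
Set-SCUserRole -UserRole $tenantRole -AddMember @("CONTOSO\tenantA-admin") -AddScope $cloud `
    -Permission @("Author", "AuthorVMNetwork", "Create", "Deploy", "Start", "Stop", "Shutdown", "Remove", "RemoteConnect")

# Step 19: a self-service role parented to the tenant role, so its members can
# reach only what the tenant role holds. No AuthorVMNetwork here: self-service
# users assign VM networks to their VMs, they do not define them.
$ssRole = New-SCUserRole -Name "TenantA Self-Service Users" -UserRoleProfile "SelfServiceUser" `
            -ParentUserRole $tenantRole
Set-SCUserRole -UserRole $ssRole -AddMember @("CONTOSO\tenantA-users") -AddScope $cloud `
    -Permission @("Create", "Deploy", "Start", "Stop", "Shutdown", "Remove", "RemoteConnect", "Share", "Receive")

# Quotas: a role-wide cap for this cloud plus a smaller per-member cap, so a
# single user cannot consume the tenant's whole allocation.
$roleQuota = Get-SCUserRoleQuota -UserRole $ssRole -Cloud $cloud
Set-SCUserRoleQuota -Quota $roleQuota -VMCount 10 -CPUCount 20 -MemoryMB 40960 -StorageGB 500
$memberQuota = Get-SCUserRoleQuota -UserRole $ssRole -Cloud $cloud -QuotaPerUser
Set-SCUserRoleQuota -Quota $memberQuota -VMCount 2 -CPUCount 4 -MemoryMB 8192 -StorageGB 100
```

Adding domain groups rather than individual accounts as role members keeps membership changes in Active Directory, where they are audited, instead of in VMM.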

Configuration steps for a self-service user (or tenant administrator testing the configuration)

20.   Log on as a self-service user (or if you are an administrator, test your configuration by logging on as a self-service user)

You can log on as a self-service user by using either App Controller as a portal, or by using the VMM console. When you open a connection through the VMM console, you can specify the user role through which you want to log on.

21.   Review the permissions and resources available to self-service users

After logging on as a self-service user, you can try a few actions to confirm that the self-service user role under which you logged on provides the appropriate resources and permissions.

If you are an administrator but you’re logged on as a self-service user, it’s also a good idea to confirm that all expected resources are visible. Also, if you want a self-service user to be able to share resources (for example, a new service template) with other self-service users, confirm that the Share and Receive permissions are assigned to the intended self-service users.

Configuring the Library to Support Self-Service Users (background information)

How to Configure the Library to Support Self-Service Users (procedures)

How to Enable Self-Service Users to Share Resources in VMM

To confirm that you can share a resource while you are logged on as a self-service user, see How to Share Resources as a Self-Service User in VMM.
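A scripted version of the step 21 check, as an added example that is not part of the original page: connect to the VMM management server under the self-service role and compare what that role can see with what the tenant administrator intended it to see. The server name, role name and expected resource names are constructed; Test-ExpectedVisible is a helper written for this example.

```powershell
# Added example (not from the original page): step 21, run from the VMM command
# shell while connected under the self-service role so that the scope and
# library filtering apply. Server, role and resource names are constructed.
$vmm = Get-SCVMMServer -ComputerName "vmm01.contoso.com" `
         -UserRoleName "TenantA Self-Service Users"

function Test-ExpectedVisible {
    # Emits one line per expected resource that the connected role cannot see;
    # no output means scope, VM network assignment and library are as intended.
    param([string[]]$ExpectedClouds, [string[]]$ExpectedVMNetworks, [string[]]$ExpectedTemplates)
    $seen = @{
        Cloud     = (Get-SCCloud      -VMMServer $vmm).Name
        VMNetwork = (Get-SCVMNetwork  -VMMServer $vmm).Name
        Template  = (Get-SCVMTemplate -VMMServer $vmm).Name
    }
    foreach ($c in $ExpectedClouds)     { if ($seen.Cloud     -notcontains $c) { "Cloud not visible: $c" } }
    foreach ($n in $ExpectedVMNetworks) { if ($seen.VMNetwork -notcontains $n) { "VM network not visible: $n" } }
    foreach ($t in $ExpectedTemplates)  { if ($seen.Template  -notcontains $t) { "Template not visible: $t" } }
}

Test-ExpectedVisible -ExpectedClouds "ContosoHosting" `
                     -ExpectedVMNetworks "TenantA_Net" `
                     -ExpectedTemplates "TenantA Base Server"

# Show the role as this connection sees it; the permitted actions (Share and
# Receive among them) are part of the role object's properties.
Get-SCUserRole -Name "TenantA Self-Service Users" -VMMServer $vmm | Format-List Name, UserRoleProfile, *
```

Run the same check again after any change to the role's scope or to library share permissions; a resource that silently stops being visible is usually a scope or share-path change rather than a VMM fault.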

How can you maintain, update, or extend this solution?

  • Make load balancing available to your tenant administrators and self-service users. (This option is not supported through App Controller.) To do this, for the load balancer, you will also need a separate logical network and, on top of that network, a VM network that is configured with “no isolation.” For more information, see Configuring Load Balancing in VMM Overview.
  • Integrate with the Windows Server 2012 role called IP Address Management (IPAM). For a script to assist with this, on the VMM product media, open the Scripts folder and copy the IpamIntegration.ps1 script to the VMM management server. In the VMM console, in any workspace, on the Home tab, find the Window group, and click PowerShell. At the prompt, type the full path and file name (IPAMIntegration.ps1) of the script. The syntax for a cmdlet, Invoke-IPAMIntegration, is displayed. By running Invoke-IPAMIntegration, you can configure the VMM management server to export IP address information to the IPAM server. If you run the cmdlet without parameters, it prompts you for information and asks you to confirm your choices before it runs. There are two ways to configure IPAM integration: as a one-time action or a regularly scheduled task. To run it as a regularly scheduled task, see the cmdlet syntax that includes the -Periodic parameter and related parameters such as -Interval. For information about the IPAM server role in Windows Server 2012, see IP Address Management (IPAM) Overview.

Link to TechNet Library topics, Tech Center pages, blogs, forums, etc.