This scenario helps you use Virtual Machine Manager (VMM) in System Center 2012 Service Pack 1 (SP1) to set up an environment where self-service users—your clients or customers—can create their own
virtual machines and configure networks for those virtual machines. You can use VMM together with two other System Center components, Operations Manager and App Controller, to help support your self-service users.
This solution is intended to serve as a high-level example, not as comprehensive or detailed guidance. You can use the example solution
as a guide to posting descriptions of your own solutions that are particular to your business or organization. Then, other members of the community can follow your descriptions to get ideas for how to combine System Center components to meet their business
requirements. You can view an example template on the TechNet Wiki at Cross Component Scenario template.
Different organizations, organizational departments, administrators, and users (including users of cloud-based services) have different levels of expertise and want different degrees of involvement in managing physical and virtual computer resources. In this scenario, each organization, department, or group wants to focus on its own area of expertise and not have to work with details that are related to other areas of expertise. The following list describes the scenario:
Administrators at this level are called
Administrators at this level are called
People at this level are called application administrators or self-service users.
By using VMM in System Center 2012 SP1, the fabric administrator can create a private cloud, which is an aggregate set of hosted storage, networking, and other resources,
and work with a tenant administrator to make those resources available to self-service users. Specifically, among the networking resources in the private cloud, the fabric administrator configures logical networks that support network virtualization. The tenant
administrator then uses those logical networks as a foundation and creates virtual machine networks (VM networks) that use network virtualization. Then the self-service users can create virtual machines and connect them to the VM networks, without requiring
knowledge of the underlying physical resources. The tenant administrator controls resource usage through user role quotas. Self-service users can assign and reassign VM networks without having to ask administrators for assistance, other than requesting changes
in capacity and quotas when their requirements change.
This solution focuses on the networking aspect of the configuration, although it also includes other aspects. Through networking options that are available in VMM in
System Center 2012 SP1, administrators can configure not only logical networks, which provide a foundation on which to build, but also VM networks, which are the networks that your self-service users can assign to virtual machines that they create. The methods
of configuration in VMM allow for collaboration among administrators at different levels of expertise—highly knowledgeable networking administrators (fabric administrators) and basic networking administrators (tenant administrators).
You can create a private cloud from either of the following sources:
The Microsoft cloud strategy is hosted on the Private Cloud Solution Hub where architectural guidance is located. The strategy describes how a
private cloud enables organizations to deliver information technology as services. The private cloud provides a pool of computing resources that are delivered as a standard set of capabilities that are specified, architected, and managed based on requirements
defined by a private organization.
If you are not already familiar with the system requirements, review them in the following topics before you begin to deploy software:
Next, deploy the software. For more information about deployment, see the following topics:
You’ll also need to connect VMM with the other components. For more information about connecting VMM, see the following topics:
Before you begin to configure networking in VMM, you will need to create host groups (as containers to which you’ll later add hosts):
It is also a good idea to configure storage, add a VMM library server or VMM library share, and add hosts before you begin to configure networking in VMM. You can delay
these steps, although you have to complete them before you apply a logical switch to host network adapters (as described in the following procedures) and before you create a private cloud. For more information, see the following topics:
The steps for accomplishing this solution are divided into three stages:
Before you start, you might want to familiarize yourself with some of the networking options in VMM by reviewing the diagrams in Networking in VMM Illustrated Overview.
If you want to see screenshots before you start to create your own configuration, the blog post at
walks through networking in VMM and includes screenshots.
By taking the following steps, a fabric administrator can make computing capacity and connectivity available to others, in a way that does not require reconfiguration
each time a new user comes along, or each time someone wants different resources.
Optionally, configure global network settings in VMM in System Center 2012 SP1
By default, when you add a Hyper-V host to VMM management, if a physical network adapter on the host does not have an associated logical network, VMM automatically
creates and associates a logical network that matches the first DNS suffix label of the connection-specific DNS suffix. On the logical network, VMM also creates a VM network that is configured with “no isolation.” No network sites are created automatically.
These default logical network name creation and virtual network creation settings are customizable.
How to Configure Global Network Settings in VMM
Create logical networks, one of which has network virtualization enabled
You’ll need logical networks for basic functions, such as host management, plus a logical network with network virtualization enabled (to support virtual machines
that self-service users will create). The logical network, and the network sites that you create inside the logical network, help you organize your network configuration. For example, you might base the name of a logical network Contoso1 on the name of your hosting company, Contoso Hosters. Inside that logical network, you can have a network site that is named Contoso1_Building1 and another network site that is named Contoso1_Building2. The logical network and the network sites will provide a foundation on which you build additional network infrastructure.
By creating the logical network with network virtualization enabled, you can later create multiple virtual machine networks (VM networks) on top of that logical
network, with each VM network serving the needs of a particular group of self-service users. The users can assign VM networks as part of virtual machine and service creation without having to understand the network details.
How to Create a Logical Network in VMM
Create an IP address pool for your logical network
Because you will be using network virtualization, you will need an IP address pool for your logical network.
How to Create IP Address Pools for Logical Networks in VMM
Decide on the properties and capabilities that you want for the network adapters in your VMM configuration
As your network configurations grow, you will want to simplify the process of configuring the network adapters on your host systems. You can do this with native
port profiles and logical switches, which act as containers for the properties or capabilities that you want your network adapters to have. By applying a logical switch and port profiles to a network adapter, you can apply the required properties with a minimum
Before you begin to configure port profiles and logical switches, you might want to review the “Settings” and “Prerequisites” sections in the following overview.
Configuring Ports and Switches for VM Networks in VMM
You can begin to familiarize yourself with native port profiles and logical switches in VMM by reviewing the diagrams for logical switches in Networking in VMM Illustrated Overview.
Create a native port profile for uplinks
A native port profile for uplinks acts as a container for the network sites that you want to connect a network to. It also provides details about how to configure teaming for a network adapter, if you specify in your logical switch (a few steps later in this list) that you want to use teaming with any network adapters that are on the same host and have the same logical switch and port profiles applied to them.
How to Create a Port Profile for Uplinks in VMM
Choose or create a native port profile for virtual network adapters
A native port profile for virtual network adapters specifies capabilities for those adapters, and makes it possible for you to control how bandwidth is used on
the adapters. The capabilities include offload settings and security settings. You can choose from the native port profiles that are already included in VMM, or create your own. For example, you might use the native port profile named “High Bandwidth Adapter”
to configure high-bandwidth virtual network adapters.
How to Create a Port Profile for Virtual Network Adapters
Choose or create a port classification
Port classifications provide global names for identifying different types of virtual network adapter port profiles. A port classification can be used across multiple
logical switches while the settings for the port classification remain specific to each logical switch. You can choose from the port classifications that are already included in VMM, or create your own. For example, you might use the port classification that
is named “High bandwidth” to identify ports that are configured with high bandwidth.
How to Create a Port Classification in VMM
Note: This document does not describe virtual switch extensions or virtual switch extension managers. However, it’s a straightforward process to add these to your configuration after you finish this guide. If you want to learn how virtual switch extensions or virtual switch extension managers can help you with your configuration, see Configuring Ports and Switches for VM Networks in VMM on TechNet. Go to the “Settings” section, and review the “Logical switch” and “Virtual switch extension manager” rows of the table.
Create a logical switch
A logical switch brings your port profiles and port classifications together so that you can apply them to multiple network adapters.
Note that when you add an uplink port profile to a logical switch, the uplink port profile appears in a list of profiles that are available through that logical
switch. When you apply the logical switch to a network adapter in a host, the uplink port profile is available in the list of profiles, but it is not applied to that network adapter until you select it from the list. This helps you to create consistency in
the configurations of network adapters across multiple hosts, but it also makes it possible for you to configure each network adapter according to your specific requirements.
How to Create a Logical Switch in VMM
Configure network settings on a host by applying your logical switch
To bring together the network settings that you configured in port profiles and logical switches, apply them to network adapters on a host. The network adapters
can be physical network adapters or virtual network adapters on the host.
As described in the previous step, after you select the logical switch that you want to apply to a network adapter on a host, you see a list of the uplink port
profiles that are available in that switch. You must select the one that you want for that specific adapter.
How to Configure Network Settings on a Host by Applying a Logical Switch in VMM
Optionally, add a gateway
If you already have the provider software that supports your tenant administrator’s gateway server, this is a good time to add the gateway server to your configuration.
The gateway allows the virtual machines that you will be hosting to connect to another network. Typically, this gateway will be a “VPN gateway,” also called a “remote gateway,” which means that it connects VM networks on your site through a VPN tunnel to a
network on the premises of the tenant administrator. There are various prerequisites for configuring a VPN gateway, but the first one is to obtain the provider software that comes from the manufacturer of the gateway device, install the provider on the VMM
management server, and then restart the System Center Virtual Machine Manager service.
Later, if you are creating a connection to a VPN gateway, you will configure the appropriate VM network to make the connection. If you want to review the full
list of prerequisites for that process, see the “Prerequisites for gateways” section in the following overview topic:
Configuring VM Networks and Gateways in VMM
For the steps for adding a gateway to VMM, see the following procedure:
How to Add a Gateway in VMM in System Center 2012 SP1
Review your configuration in preparation for creating a private cloud
A private cloud is an aggregate set of storage, networking, and other resources that you can make available to self-service users. During private cloud creation,
you select the underlying fabric resources that will be available, configure library paths for private cloud users, and set the capacity for the private cloud. Therefore, before you create a private cloud, you might want to review your configuration. For more
information, see the following sections:
Preparing the Fabric in VMM on TechNet (for links to other topics)
Configuring Storage in VMM Overview
How to Add a VMM Library Server or VMM Library Share
Creating Host Groups in VMM Overview
Create a private cloud
One way to create a private cloud is to use host groups that contain resources from Hyper-V hosts, VMware ESX hosts, Citrix XenServer hosts, or a combination
of these hosts. The other way is to use a VMware resource pool. The wizard for creating a private cloud has a page where you can select the logical network that supports network virtualization, and also has a page where you can select the port classification
that you created. Use one of the following procedures to create a cloud:
How to Create a Private Cloud from Host Groups
How to Create a Private Cloud from a VMware Resource Pool
Optionally, view a diagram of your network configuration
It can be useful to see a diagram of your network configuration. At this point, the type of diagram that shows the parts of the network that you have already
configured is the Host Networks diagram. For information about how to view this and other diagrams, see the following procedure:
How to View VMM Network Configuration Diagrams in VMM
Optionally, review the kinds of information that you can gather with Operations Manager
It can be useful to review the kinds of VMM configuration information that are available through Operations Manager:
Using Reporting in VMM
Create and configure the Tenant Administrator user role in VMM
The actions that members of the Tenant Administrator user role in VMM can take are controlled by the fabric administrator who creates the Tenant Administrator
user role. Typically, tenant administrators can take the following actions. They can manage self-service users and VM networks. They can create, deploy, and manage their own virtual machines and services. They can also specify which tasks the self-service
users can perform on their virtual machines and services. Also, tenant administrators can place quotas on computing resources and virtual machines.
When you create the Tenant Administrator user role and select the Actions that are allowed, be sure to include Author VMNetwork.
How to Create a Tenant Administrator User Role in VMM
Optionally, create a user role in App Controller
You might want self-service users to use App Controller as a portal for deploying virtual machines. If so, perform this step to specify the access that users
How to Create a User Role in App Controller
If instead you want self-service users to use the VMM console, you don’t have to create a user role in App Controller.
Create a VM network to which a self-service user can connect a virtual machine
By using network virtualization for your virtual machine networks (VM networks), you can create multiple VM networks on each logical network and configure IP
subnets for those VM networks as needed. You do not have to be concerned about whether the IP addresses overlap from one VM network to the next. However, when a VM network connects through a gateway to another network, you do need to pay attention to overlap
with the IP addresses in that network.
In the following topic, use the first procedure, which is the one for network virtualization:
How to Create a VM Network in VMM in System Center 2012 SP1
You can begin to familiarize yourself with VM networks and how they relate to logical networks by reviewing the diagrams in Networking in VMM Illustrated Overview.
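The gateway caveat in this step (overlap between a VM network's subnets and the network on the other side of the gateway) can be checked before the connection is made. The following is an added example, not part of the original guide or of VMM; the function names and sample subnets are hypothetical, and the subnet lists are assumed to be entered by hand rather than read from VMM.

```powershell
# Added example. Function names and subnets are hypothetical/constructed.
function ConvertTo-Ipv4Range {
    param([Parameter(Mandatory)][string]$Cidr)
    $parts = $Cidr -split '/'
    if ($parts.Count -ne 2) { throw "Expected address/prefix, got '$Cidr'" }
    $ip = [System.Net.IPAddress]::Parse($parts[0])
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 subnets are handled here: '$Cidr'"
    }
    $prefix = [int]$parts[1]
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Invalid prefix length in '$Cidr'" }

    # Build the address as an unsigned integer, most significant octet first.
    [uint64]$value = 0
    foreach ($octet in $ip.GetAddressBytes()) { $value = ($value * 256) + $octet }

    # Block size for the prefix; align the address down to the network boundary.
    [uint64]$size  = [math]::Pow(2, 32 - $prefix)
    [uint64]$first = $value - ($value % $size)
    [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = [uint64]($first + $size - 1) }
}

function Find-SubnetOverlap {
    param(
        [Parameter(Mandatory)][string[]]$VMNetworkSubnet,
        [Parameter(Mandatory)][string[]]$GatewayPeerSubnet
    )
    foreach ($vm in $VMNetworkSubnet) {
        $a = ConvertTo-Ipv4Range -Cidr $vm
        foreach ($peer in $GatewayPeerSubnet) {
            $b = ConvertTo-Ipv4Range -Cidr $peer
            # Two ranges intersect when each one starts before the other ends.
            if ($a.First -le $b.Last -and $b.First -le $a.Last) {
                [pscustomobject]@{ VMNetworkSubnet = $vm; GatewayPeerSubnet = $peer }
            }
        }
    }
}

# Constructed sample data: subnets planned for a tenant's VM network, and the
# subnets in use on the tenant's premises behind the VPN gateway.
$vmSubnets   = '10.0.1.0/24', '192.168.50.0/24'
$peerSubnets = '10.0.0.0/16', '172.16.0.0/12'

$conflicts = @(Find-SubnetOverlap -VMNetworkSubnet $vmSubnets -GatewayPeerSubnet $peerSubnets)
if ($conflicts.Count -gt 0) {
    $conflicts | Format-Table -AutoSize
    Write-Warning 'Resolve the overlaps before connecting the VM network to the gateway.'
} else {
    Write-Output 'No overlap between the VM network and the network behind the gateway.'
}
```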
Create an IP address pool for the VM network
You must create a static IP address pool for a VM network so that VMM can assign static IP addresses to Windows-based virtual machines (running on any supported
hypervisor platform) that use the VM network.
How to Create IP Address Pools for VM networks in VMM
Create and configure an “Application Administrator (Self-Service User)” role
In VMM, self-service users can use the VMM console or the VMM command shell to create and manage their own virtual machines and services. Tenant administrators
can specify which tasks the self-service users can perform on their virtual machines and services. Tenant administrators can also place quotas on computing resources and virtual machines.
How to Create a Self-Service User Role in VMM
How to Enable Self-Service Users to Share Resources in VMM
How to Configure the Library to Support Self-Service Users
Log on as a self-service user (or if you are an administrator, test your configuration by logging on as a self-service
You can log on as a self-service user either by using App Controller as a portal or by using the VMM console. When you open a connection through the VMM console, you can specify the user role through which you want to log on.
Review the permissions and resources available to self-service users
After logging on as a self-service user, you can try a few actions to confirm that the self-service user role under which you logged on provides the appropriate
resources and permissions.
If you are an administrator but you’re logged on as a self-service user, it’s also a good idea to confirm that all expected resources are visible. Also, if you
want a self-service user to be able to share resources (for example, a new service template) with other self-service users, confirm that the Share and Receive permissions are assigned to the intended self-service users.
Configuring the Library to Support Self-Service Users
How to Configure the Library to Support Self-Service Users
To confirm that you can share a resource while you are logged on as a self-service user, see How to Share Resources as a Self-Service User in VMM.