security beyond the standard isolation of VLANs and perimeter firewalls. In today’s
world of “assume breach,” it’s desirable to have as many layers of protection as
possible in order to help prevent lateral movement of an attacker after a network is
penetrated.
Another benefit to network virtualization is that the networking visible to the virtual
machines, which is now provided using software, can be managed by the virtualization
administrators and even the virtualization tenants instead of having to involve the
networking team, who can focus on the physical network infrastructure.
This virtual network capability is enabled through the use of two IP addresses for each
virtual machine and a virtual subnet identifier that indicates the virtual network to
which a particular virtual machine belongs. First, the customer address (CA) is the
standard IP address configured within the virtual machine. Second, the provider
address (PA) is the IP address used by the virtual machine to communicate over the
physical network. The PA is invisible to the virtual machine; the Hyper-V host owns
the PA.
This is best explained with an example. Say you have a single physical fabric, and running
on that fabric are two separate organizations: the red and blue organizations. Each
organization has its own IP scheme, those schemes can overlap with each other, and each
virtual network can span multiple physical locations. This is shown in Figure 3.30. Each virtual machine
that is part of the virtual red or blue network has its own customer address. A separate
provider address is used to send the IP traffic over the physical fabric. The important
part is that, as in other aspects of virtualization, the virtual machines have no
knowledge that the network is virtualized. The virtual machines in a virtual network
believe that they are operating on a physical network available only to them.
Figure 3.30 High-level overview of network virtualization
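The red/blue scenario above can be modelled in a few lines. The following is an added example, not code from the book or from Microsoft: it is a toy lookup table keyed by (virtual subnet ID, customer address), which is the property that lets two tenants reuse the same IP scheme on one fabric. All addresses, VSIDs, host names and VM names are constructed for illustration, and the `encapsulate` method only mimics the shape of the host's send path (inner CA-to-CA packet wrapped in an outer PA-to-PA header); it is not the real encapsulation format.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

RED_VSID = 5001   # constructed: virtual subnet ID for the "red" tenant
BLUE_VSID = 5002  # constructed: virtual subnet ID for the "blue" tenant


@dataclass(frozen=True)
class LookupRecord:
    """One policy entry: the host (PA) that currently holds a VM (CA) in a virtual subnet."""
    vsid: int                      # virtual subnet identifier: which virtual network the VM is in
    customer_address: IPv4Address  # CA: the address configured inside the VM
    provider_address: IPv4Address  # PA: the Hyper-V host's address on the physical fabric
    vm_name: str


class HnvPolicy:
    """Toy lookup table keyed by (VSID, CA), which is how overlapping tenant IP schemes stay apart."""

    def __init__(self) -> None:
        self._table: Dict[Tuple[int, IPv4Address], LookupRecord] = {}

    def add(self, rec: LookupRecord) -> None:
        key = (rec.vsid, rec.customer_address)
        if key in self._table:
            # The same CA may repeat across tenants, but never within one virtual subnet.
            raise ValueError(f"duplicate CA {rec.customer_address} in VSID {rec.vsid}")
        self._table[key] = rec

    def resolve(self, vsid: int, ca: str) -> Optional[LookupRecord]:
        """Look up a destination CA, but only within the sender's own virtual subnet."""
        return self._table.get((vsid, IPv4Address(ca)))

    def encapsulate(self, vsid: int, src_ca: str, dst_ca: str) -> Optional[dict]:
        """Model the host's send path: wrap the VM's CA-to-CA packet in a PA-to-PA outer header.

        Returns None when policy has no entry; that is where the host drops the packet.
        A VM cannot name another tenant's VSID, so a CA in another virtual network is
        simply unreachable from it, whatever address the VM tries.
        """
        src = self.resolve(vsid, src_ca)
        dst = self.resolve(vsid, dst_ca)
        if src is None or dst is None:
            return None
        return {
            "outer_src": str(src.provider_address),  # PA: visible only to hosts and the fabric
            "outer_dst": str(dst.provider_address),
            "vsid": vsid,                             # carried with the encapsulated packet
            "inner_src": src_ca,                      # CA: all the VM ever sees
            "inner_dst": dst_ca,
        }

    def tenant_view(self, vsid: int) -> List[str]:
        """The only addresses a tenant's VMs can ever reach: their own virtual subnet's CAs."""
        return sorted(str(ca) for (v, ca) in self._table if v == vsid)


def build_sample_policy() -> HnvPolicy:
    """Constructed sample: red and blue both use 10.0.0.0/24 and both span two sites."""
    policy = HnvPolicy()
    # Host PAs (constructed): 192.168.1.x is site A, 192.168.2.x is site B.
    for vsid, ca, pa, name in [
        (RED_VSID,  "10.0.0.5", "192.168.1.10", "RedWeb"),
        (RED_VSID,  "10.0.0.6", "192.168.2.20", "RedDb"),    # red spans to site B
        (BLUE_VSID, "10.0.0.5", "192.168.1.11", "BlueWeb"),  # same CA as RedWeb
        (BLUE_VSID, "10.0.0.6", "192.168.1.10", "BlueDb"),   # same host as RedWeb
    ]:
        policy.add(LookupRecord(vsid, IPv4Address(ca), IPv4Address(pa), name))
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    print(p.encapsulate(RED_VSID, "10.0.0.5", "10.0.0.6"))   # red: outer_dst 192.168.2.20
    print(p.encapsulate(BLUE_VSID, "10.0.0.5", "10.0.0.6"))  # blue: outer_dst 192.168.1.10
    print(p.encapsulate(RED_VSID, "10.0.0.5", "10.0.0.7"))   # None: no such CA in red
```

Two things are worth noticing in the output. Both tenants send to "10.0.0.6", yet the red packet leaves for the site B host and the blue packet for a site A host, because the lookup is keyed by VSID as well as CA. And RedWeb and BlueDb sit on the same host, sharing a PA, but a red VM still has no way to reach BlueDb: it has no VSID of its own to put in the packet, so the host's policy, not the guest's configuration, decides what is reachable. That is the layer of isolation the chapter describes as sitting beyond VLANs and perimeter firewalls.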
Windows Server 2012 and 2012 R2 exclusively used Network Virtualization Generic