multitenant gateway solution; the gateway VMs can run on the same hosts as VMs in
a virtual network.
BGP and BGP transit routing are also supported. This solves a problem traditionally
associated with adding new subnets to a virtual network: other networks would not
know how to reach the new subnet unless a route to it was manually configured on each
of them. With BGP, as new subnets are added, the BGP instance (the gateway) advertises
the new subnet, and the route to reach it, to all of its BGP peers. BGP transit
routing extends this: a BGP instance advertises not only routes to its own subnets
but also routes to other networks that it can reach. This means that if another part
of the network loses its direct connection to one of those networks, it can still reach
the target by using the BGP instance as an extra hop.
BGP ROUTE REFLECTOR
Ordinarily, all the BGP instances form a full mesh, with every instance peering with
every other so that routing information is fully synchronized. To avoid the need for
this full-mesh connectivity and the considerable peering traffic it generates, you can
use a BGP route reflector, which is included as part of SDNv2. With a BGP route
reflector, all BGP instances peer only with the route reflector, which learns all
routes, calculates the best routes, and then distributes those routes to all BGP
instances. The first gateway deployed for each tenant becomes the BGP route reflector.
When using BGP, you can work with several useful PowerShell cmdlets. You can
use Get-BgpRouter to view the particular BGP router being used and its
configuration, Get-BgpPeer to see any BGP peers, and Get-BgpRouteInformation
to see known routes.
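The following script is an added example, not code from the book, showing how those cmdlets can be combined into a read-only health check on a gateway VM: it reports whether the BGP router is acting as route reflector and whether transit routing is enabled, flags any peer whose session is not established, and compares the number of learned routes against the per-gateway limit. The routing domain name, the peer and route property names used in the output formatting, and the 80 percent warning threshold are assumptions made for the example; the cmdlet names are the RemoteAccess module cmdlets named above.

```powershell
# Added example: BGP health check on an SDNv2 gateway VM (not from the book).
# Assumes the RemoteAccess module is present and a tenant routing domain named
# 'Tenant1' exists; both are placeholders to adjust for your deployment.
param(
    [string]$RoutingDomain = 'Tenant1',   # assumed tenant routing-domain name
    [int]$RouteLimit = 15000              # routes-learned-via-BGP capacity quoted in this chapter
)

Import-Module RemoteAccess

# Router configuration: identifier, ASN, and the two roles discussed above.
$router = Get-BgpRouter -RoutingDomain $RoutingDomain
"Router {0}: local ASN {1}, route reflector: {2}, transit routing: {3}" -f `
    $router.BgpIdentifier, $router.LocalASN, $router.RouteReflector, $router.TransitRouting

# Peers: a peer that is not 'Connected' is a BGP session problem to chase
# before assuming a subnet is missing from the virtual network.
$peers = @(Get-BgpPeer -RoutingDomain $RoutingDomain)
foreach ($p in $peers) {
    $flag = if ($p.ConnectivityStatus -eq 'Connected') { 'OK  ' } else { 'WARN' }
    "[{0}] peer {1}: {2} -> {3} (ASN {4}) status {5}" -f `
        $flag, $p.PeerName, $p.LocalIPAddress, $p.PeerIPAddress, $p.PeerASN, $p.ConnectivityStatus
}

# Routes: summarize by the peer each route was learned from, then check the
# total against the gateway's stated capacity (warn at 80 percent, an assumed threshold).
$routes = @(Get-BgpRouteInformation -RoutingDomain $RoutingDomain)
$routes | Group-Object -Property LearnedFromPeer | ForEach-Object {
    "{0,6} routes learned from {1}" -f $_.Count, $_.Name
}
if ($routes.Count -gt [int]($RouteLimit * 0.8)) {
    Write-Warning ("{0} BGP routes present; gateway capacity is {1}" -f $routes.Count, $RouteLimit)
}
```

Run it as a user with administrative rights on the gateway VM; because it only calls Get-* cmdlets it makes no configuration change, so it is safe to schedule as a periodic check.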
A single gateway instance has the following capacity:
100 tenants
200 site-to-site VPN tunnels
15,000 routes learned via BGP
8 Gbps L3 forwarding throughput
2.5 Gbps GRE gateway throughput
300 Mbps (one core) per IPsec tunnel (site-to-site VPN)
Datacenter Firewall
Traditional network security focuses primarily on the network’s perimeter. Firewall
devices on the edge of the network allow certain types of traffic into a set of specific
hosts in a perimeter network (the DMZ), which has another set of firewalls allowing