Q. How do I create an NVGRE Gateway?
A. Virtual networks offer complete isolation and abstraction from the physical network fabric. However, if you want to connect a virtual network to another network, such as a corporate network or the Internet, you need a gateway device, which may need to perform NAT if the IP scheme used in the virtual network is not compatible with the physical network fabric. Windows Server 2012 R2 and SCVMM 2012 R2 introduce a built-in NVGRE gateway. The requirements are as follows:
- A Hyper-V host that does not host VMs that are part of virtual networks. Other VMs can run on the host in addition to the NVGRE gateway VMs but they cannot use network virtualization. This host is configured in SCVMM as dedicated to NVGRE gateway usage via the Host Access tab of the host properties, where the checkbox to use the host as a dedicated gateway is selected. This stops VMs that use network virtualization from being placed on the host
- A Windows Server 2012 R2 VM that will act as the gateway. The VM name and the OS name inside the VM should be the same. The VM must be deployed on the Hyper-V host that will be used to host gateways and must have at minimum two vmNICs. One is attached to the physical network that the gateway will be providing connectivity to; the other will be used to communicate with the virtual networks
The following actions must be taken inside the Windows 2012 R2 VM:
- Within the virtual machine you created, make sure the firewall is disabled for all profiles. This can be done through the Windows Firewall with Advanced Security application or with the command
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
- The Routing and DirectAccess and VPN (RAS) role services of Remote Access must be installed in the VM along with the Remote Access module for Windows PowerShell feature. This can be done using Server Manager or using the PowerShell command
Install-WindowsFeature RSAT-RemoteAccess-PowerShell, DirectAccess-VPN, Routing
- Stop the VM
- Once the virtual machine is deployed, open the properties of the virtual machine, open Hardware Configuration and navigate to the second network adapter that was not connected. Select the “Connected to a VM network” option, click Browse… and in the Select a VM Network window click the Clear selection button, then click OK. This allows a standard network to be selected, which should be the virtual switch; the key detail is that the adapter is not connected to a specific VM network. Click OK. Once the change has taken effect, start the virtual machine
The VM is now ready to be used as an NVGRE gateway.
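A read-only pre-flight check for the in-VM requirements listed above, as an added example that is not part of the original article. The function name Test-GatewayVmPrereq and its -ExpectedVmName parameter are made up for illustration, and HNV-GW-1 is the sample gateway VM name this article uses in its connection string.

```powershell
# Added example: read-only checks, run inside the gateway VM.
# Test-GatewayVmPrereq and -ExpectedVmName are hypothetical names for this sketch.
function Test-GatewayVmPrereq {
    param([Parameter(Mandatory)] [string] $ExpectedVmName)

    # The OS name inside the VM should be the same as the VM name.
    $osName = [System.Net.Dns]::GetHostName()
    [pscustomobject]@{
        Check  = 'OS name matches VM name'
        Passed = ($osName -ieq $ExpectedVmName)
        Detail = $osName
    }

    # The firewall must be disabled for all three profiles.
    $stillOn = @(Get-NetFirewallProfile -Profile Domain,Public,Private |
        Where-Object { $_.Enabled -ne 'False' })
    [pscustomobject]@{
        Check  = 'Firewall disabled for all profiles'
        Passed = ($stillOn.Count -eq 0)
        Detail = ($stillOn.Name -join ', ')   # profiles still enabled, if any
    }

    # Role services and PowerShell module from the Install-WindowsFeature step.
    $needed  = 'RSAT-RemoteAccess-PowerShell', 'DirectAccess-VPN', 'Routing'
    $missing = @(Get-WindowsFeature -Name $needed | Where-Object { -not $_.Installed })
    [pscustomobject]@{
        Check  = 'Remote Access features installed'
        Passed = ($missing.Count -eq 0)
        Detail = ($missing.Name -join ', ')   # features not yet installed, if any
    }

    # At minimum two vmNICs: one front end, one back end.
    $nics = @(Get-NetAdapter)
    [pscustomobject]@{
        Check  = 'At least two network adapters'
        Passed = ($nics.Count -ge 2)
        Detail = (($nics | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', ')
    }
}

# HNV-GW-1 is the sample gateway VM name from this article.
Test-GatewayVmPrereq -ExpectedVmName 'HNV-GW-1' | Format-Table -AutoSize
```

The adapter names and states in the last row are also useful later, when SCVMM asks which adapter is the back end and which is the front end connection.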
- Open the Fabric workspace in SCVMM and expand Networking - Network Service. Right click on Network Service and select the Add Network Service action.
- The Add Network Service Wizard will launch and will ask for a Name and Description of the new service. I typically use the name of the gateway VM as the name for the service. Click Next
- For the Manufacturer and Model select the Manufacturer as Microsoft and set the Model to Microsoft Windows Server Gateway. Click Next
- Select a Run As account that has local administrator privileges on the virtual machine then click Next
- The connection string for the gateway needs to be configured. It consists of the Hyper-V host hosting the virtual machine and the virtual machine's name, e.g. VMHost=savdalhv24.savilltech.net;GatewayVM=HNV-GW-1. Click Next
- A certificates screen is displayed which is not used for this configuration so just click Next
- The connection to the virtual machine can be tested using the Test button. It’s important that the Test open connection, Test capability discovery and Test system info tests all show Passed. Click Next
- Next specify the host group where the HNV gateway can be used. Click Next
- Click Finish to go ahead and configure the gateway for virtualization
- Once configuration is complete right click the new network service and select Properties and select the Connectivity tab
- You need to tell SCVMM which of the adapters in the VM is the back end connection, i.e. the one that connects to the network virtualization side and is the adapter we directly connected to the switch, and which is the front end connection, i.e. the one that connects to the target external network such as the Internet or the corporate network. It’s very important you get this right. Then click OK. Changes will now be made to the gateway virtual machine and this may take a few minutes. Monitor the Jobs workspace to confirm when the gateway configuration has completed
The gateway is now ready to be used. I walk through this process in video https://youtu.be/Ujo8cVsz2Os.