My customer is looking at deploying Azure Stack HCI. The network infrastructure I am responsible for designing will be based around Aruba CX10000 switches, which have an embedded Pensando module that will allow stateful firewall services. In order to use this feature for microsegmentation policy enforcement, we would need to make sure VM-to-VM traffic within the hypervisor gets sent north towards the switch. The "standard" way of doing this is by deploying a Private Isolated VLAN (PVLAN) and relying on the switch to use proxy ARP to inform a VM it needs to send even local VLAN traffic northbound to the switch. I have seen that PVLAN support was added in Hyper-V 2016. Does anyone know whether Azure Stack HCI allows you to create vSwitches that support PVLAN in this way? (I'm sure people will say why aren't you using Datacenter Firewall for this, which is a fair point, but because the environment will be a mixture of other hosted workloads, it might be good to have a consistent approach to make use of the Aruba-hosted firewall and hence a single point of policy management.)
Design options only at this stage