COS303
Connecting Cloud and On-Premises Applications Using Windows Azure Virtual Network
Jason Chen, Senior Program Manager, Microsoft
What is Windows Azure Virtual Network?
• New pillar of the Windows Azure platform
• Suite of network services that expand the range of application scenarios that can be delivered on the platform
• Windows Azure Connect
  • First Virtual Network offering
  • Enables cross-premises connectivity
• Other services
  • Global traffic management
  • Datacenter network virtualization (coming in future)
Overview & Objectives
• Windows Azure Connect enables new types of “hybrid” cloud computing scenarios to be delivered on the Windows Azure platform
  • Provides a network-level bridge between cloud and on-premises environments
  • Facilitates cloud migration and adoption
• Session objectives:
  • Understand the key capabilities and features of Windows Azure Connect
  • Be able to plan and perform a deployment of Windows Azure Connect
  • Evaluate scenarios where Windows Azure Connect can be utilized
Introducing Windows Azure Connect
• Secure network connectivity between on-premises and cloud
  • Supports standard IP protocols
• Customer benefits and motivation:
  • Leverage current IT investments
  • Cloud app integration with existing apps / data sources
  • Compliance / security drivers
• Simple setup and management
  • No VPN device or network configuration required
• Available as CTP today
Diagram: an Azure environment and an Enterprise environment, connected.
Windows Azure Connect in Context
Layers bridging CLOUD and ENTERPRISE:
• Data Synchronization: SQL Azure Data Sync
• Application-layer Connectivity & Messaging: Service Bus
• Security: Federated Identity and Access Control
• Secure Network Connectivity: Windows Azure Connect
Windows Azure Connect – Closer Look
• Enable WA Roles for external connectivity via service model
• Enable external computers for connectivity by installing the Connect agent
  • Win Server 2008, 2008 R2, Vista, and Win7 supported platforms
• Network policy managed through WA portal
  • Granular control over connectivity
• Automatic setup of virtual IPv6 network between connected role instances and external computers
  • Tunnels firewalls/NATs through hosted SSL-based relay service
  • Secured via end-to-end IPsec
  • DNS name resolution
Diagram: Windows Azure (Role A, Role B, Role C with multiple VMs) connected via the Relay to the Enterprise (dev machines, databases).
Windows Azure Service Deployment
• To use Connect with a WA service, enable one or more of its Roles
  • For Web & Worker Roles, include the Connect plug-in as part of the Service Model (.csdef file)
  • For a VM role, install the Connect agent in the VHD image using the Connect VM install package
• Connect agent will automatically be deployed for each new role instance that starts up
• Connect agent configuration managed through the ServiceConfiguration (.cscfg) file
  • One required setting - “ActivationToken”
  • Unique per-subscription token, accessed from Admin UI
On-Premises Deployment
• Local computers are enabled for connectivity by installing & activating the Connect agent
  • Web-based installation link
    • Retrieved from admin UI
    • Contains per-subscription activation token embedded in URL
  • Standalone install package
    • Reads activation token from registry key
    • Enables installation using existing S/W distribution tools
• Connect agent tray icon & client UI
  • View activation state & connectivity status
  • Refresh network policy
• Connect agent automatically manages network connectivity
  • Sets up virtual network adapter
  • “Auto-connects” to Connect relay service as needed
  • Configures IPsec policy based on network policy
  • Enables DNS name resolution
  • Automatically syncs latest network policies
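Both deployment slides rest on one secret, the per-subscription activation token: cloud roles receive it through the .cscfg, local computers through the install URL or a registry key. As an added example (not from the session and not Microsoft tooling), the Python below checks a ServiceConfiguration file before deployment: every Connect-enabled role carries a non-empty ActivationToken, all roles use the same token (the slide says it is per-subscription, so two different values mean one was copied from elsewhere), and a domain-join password stored in the file is called out so the file gets handled as a secret. The full setting name Microsoft.WindowsAzure.Plugins.Connect.ActivationToken is how the Windows Azure SDK's Connect plug-in exposed the ActivationToken named on the slide; the DomainPassword setting name is assumed from the plug-in's domain-join options, and the .cscfg text is constructed for the example.

```python
"""Pre-deployment checks on a ServiceConfiguration (.cscfg) for Connect-enabled roles.

Added example, not Microsoft tooling. The .cscfg text is constructed; the
DomainPassword setting name is assumed from the Connect plug-in's domain-join options.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"sc": "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"}
PLUGIN_PREFIX = "Microsoft.WindowsAzure.Plugins.Connect."
TOKEN_SETTING = PLUGIN_PREFIX + "ActivationToken"      # the one required setting (slide)
PASSWORD_SETTING = PLUGIN_PREFIX + "DomainPassword"    # assumed domain-join setting name

# Constructed sample: WebRole is fine apart from a clear-text domain-join password,
# WorkerRole has an empty activation token.
SAMPLE_CSCFG = """\
<ServiceConfiguration serviceName="CustomerSearch"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole">
    <Instances count="2" />
    <ConfigurationSettings>
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.ActivationToken"
               value="11111111-2222-3333-4444-555555555555" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainPassword"
               value="example-only-password" />
    </ConfigurationSettings>
  </Role>
  <Role name="WorkerRole">
    <Instances count="1" />
    <ConfigurationSettings>
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.ActivationToken" value="" />
    </ConfigurationSettings>
  </Role>
</ServiceConfiguration>
"""


def connect_settings(cscfg_xml: str) -> Dict[str, Dict[str, str]]:
    """Map each role name to its Connect plug-in settings (name -> value)."""
    root = ET.fromstring(cscfg_xml)
    per_role: Dict[str, Dict[str, str]] = {}
    for role in root.findall("sc:Role", NS):
        settings: Dict[str, str] = {}
        for setting in role.findall("sc:ConfigurationSettings/sc:Setting", NS):
            name = setting.get("name", "")
            if name.startswith(PLUGIN_PREFIX):
                settings[name] = setting.get("value", "")
        per_role[role.get("name", "?")] = settings
    return per_role


def check_cscfg(cscfg_xml: str) -> List[str]:
    """Return findings as strings; an empty list means nothing to fix."""
    findings: List[str] = []
    tokens: Dict[str, str] = {}
    for role, settings in connect_settings(cscfg_xml).items():
        if not settings:
            continue  # role does not use Connect; nothing to check
        token = settings.get(TOKEN_SETTING, "").strip()
        if token:
            tokens[role] = token
        else:
            findings.append(f"{role}: {TOKEN_SETTING} is missing or empty; the agent cannot activate")
        if settings.get(PASSWORD_SETTING, "").strip():
            findings.append(f"{role}: domain-join password is stored in clear text in the .cscfg; "
                            "handle the file as a secret and restrict who can read it")
    # The token is per-subscription, so every Connect-enabled role should carry the same value.
    if len(set(tokens.values())) > 1:
        findings.append("roles carry different activation tokens; the token is per-subscription, "
                        "so one value was probably copied from another subscription")
    return findings


if __name__ == "__main__":
    for finding in check_cscfg(SAMPLE_CSCFG) or ["no findings"]:
        print(finding)
```

Run against the constructed sample it reports the empty WorkerRole token and the clear-text password in WebRole; the same checks apply to the registry-key value used by the standalone installer, which is the other place the token lands.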
Management of Network Policy
• Connect network policy managed through Windows Azure admin portal
  • Managed on a per-subscription basis
• Local computers are organized into Groups
  • E.g. “SQL Servers”, “My Laptops”, “Project Foo”
  • A computer can only belong to a single group at a time
  • Newly activated computers are ‘unassigned’ by default
• WA Roles can be connected to Groups
  • Enables network connectivity between all Role instances (VMs) and local computers in the Group
  • WA Connect does not control connectivity between Roles or Role instances (done through existing mechanisms)
• Groups can be connected to other Groups
  • Enables network connectivity between computers in each group
  • In addition, a Group can be ‘interconnected’ - enables connectivity within a group
  • Useful for ad-hoc & roaming scenarios
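The group model above is the entire access-control surface of Connect, so a reviewer wants to answer “who can reach what” mechanically before a policy goes live. The Python evaluator below is an added example, not part of the session or of the Connect service. It encodes the rules stated on the slide (one group per computer, unassigned by default, role-to-group and group-to-group links, the interconnected flag, and role-to-role traffic being outside Connect's scope) and builds a constructed policy from the machine and group names on the example slide that follows; the links between them are my assumption, since the slide does not state them.

```python
"""Evaluate a Windows Azure Connect network policy as the slide describes it.

Added example, not Microsoft code. Machine, role and group names below are
taken from the deck's example slide; the links between them are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ConnectPolicy:
    """Per-subscription network policy following the rules on the slide."""
    roles: Set[str] = field(default_factory=set)                   # WA role names
    computers: Set[str] = field(default_factory=set)               # activated local computers
    groups: Dict[str, Set[str]] = field(default_factory=dict)      # group -> member computers
    role_links: Dict[str, Set[str]] = field(default_factory=dict)  # role -> groups it connects to
    group_links: Set[frozenset] = field(default_factory=set)       # {frozenset({group_a, group_b})}
    interconnected: Set[str] = field(default_factory=set)          # groups whose members reach each other

    def activate_computer(self, name: str) -> None:
        """A newly activated computer is 'unassigned' until placed in a group."""
        self.computers.add(name)

    def assign_to_group(self, computer: str, group: str) -> None:
        """Place a computer in exactly one group, moving it out of any previous group."""
        self.computers.add(computer)
        for members in self.groups.values():
            members.discard(computer)
        self.groups.setdefault(group, set()).add(computer)

    def group_of(self, computer: str) -> Optional[str]:
        for group, members in self.groups.items():
            if computer in members:
                return group
        return None  # unassigned

    def connect_role(self, role: str, group: str) -> None:
        self.roles.add(role)
        self.groups.setdefault(group, set())
        self.role_links.setdefault(role, set()).add(group)

    def connect_groups(self, a: str, b: str) -> None:
        self.groups.setdefault(a, set())
        self.groups.setdefault(b, set())
        self.group_links.add(frozenset((a, b)))

    def can_reach(self, a: str, b: str) -> Optional[bool]:
        """True/False for pairs Connect governs; None for role-to-role traffic,
        which the slide says Connect does not control."""
        a_is_role, b_is_role = a in self.roles, b in self.roles
        if a_is_role and b_is_role:
            return None
        if a_is_role or b_is_role:
            role, computer = (a, b) if a_is_role else (b, a)
            group = self.group_of(computer)
            return group is not None and group in self.role_links.get(role, set())
        group_a, group_b = self.group_of(a), self.group_of(b)
        if group_a is None or group_b is None:
            return False  # unassigned computers reach nothing
        if group_a == group_b:
            return a != b and group_a in self.interconnected
        return frozenset((group_a, group_b)) in self.group_links

    def reachable_from(self, endpoint: str) -> List[str]:
        """Computers the endpoint can reach: the view to review for least privilege."""
        return sorted(c for c in self.computers if self.can_reach(endpoint, c))


def build_example_policy() -> ConnectPolicy:
    """Constructed policy using the names from the example slide; the links are assumed."""
    policy = ConnectPolicy()
    for server in ("SERVER1", "SERVER2", "SERVER3"):
        policy.assign_to_group(server, "My Servers")
    for laptop in ("DEV_LAPTOP1", "DEV_LAPTOP2"):
        policy.assign_to_group(laptop, "My Laptops")
    policy.activate_computer("NEW_PC")                  # activated, still unassigned
    policy.connect_role("Role A", "My Servers")         # Role A instances reach the servers
    policy.connect_role("Role B", "My Laptops")         # Role B instances reach the laptops
    policy.connect_groups("My Laptops", "My Servers")   # developers reach the servers
    policy.interconnected.add("My Laptops")             # roaming laptops see each other
    return policy


if __name__ == "__main__":
    p = build_example_policy()
    for endpoint in ("Role A", "Role B", "DEV_LAPTOP1", "SERVER1", "NEW_PC"):
        print(f"{endpoint:12} -> {p.reachable_from(endpoint)}")
```

Note that `reachable_from` for a laptop lists every server because of the group-to-group link, while the servers cannot see each other because “My Servers” is not interconnected; that asymmetry is exactly what a policy review should surface before a group is widened.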
Connect Network Policy - Example
Diagram: Windows Azure Role A and Role B (each with Instance, Instance2, Instance3) alongside two groups, “My Servers” (SERVER1, SERVER2, SERVER3) and “My Laptops” (DEV_LAPTOP1, DEV_LAPTOP2).
Connect Network Model
• Connected resources (WA Role instances and external machines) have secure IP-level network connectivity
  • Regardless of physical network topology (firewalls / NATs), so long as outbound HTTPS access to the Connect service is available
• Each connected machine has a routable IPv6 address
  • Connect agent sets up virtual network adapter
  • No changes to existing networks (additive model)
• Communication between resources is secured via end-to-end certificate-based IPsec
  • Scoped to Connect virtual network
  • Automated management of IPsec certificates
• DNS name resolution for connected resources based on machine names
  • Windows Azure instance to local computer
  • Local computer to Windows Azure instance
Connect and Domain-Join
• Connect plug-in supports domain-join of WA Roles to on-premises Active Directory
• Process to enable:
  • Install Connect agent on DC / DNS server(s)
    • For a multiple-DC environment, creating a dedicated Site is recommended
  • Configure Connect plug-in to automatically join WA role instances to AD
    • Specify credentials used for the domain-join operation
    • Specify target OU for WA role instances
    • Specify list of domain users / groups to add to local Administrators group
  • Configure network policy to enable connectivity between WA roles and DC / DNS servers
  • New WA role instances will automatically be domain-joined
• Be aware: domain-joined WA Role instance != on-premises computer
  • Role instance not guaranteed to persist local state; role instance identities may change over time
  • General guidance – Role instances use AD identities vs. actively managed as a domain-joined computer
Windows Azure Connect - Scenarios
• WA Role accessing on-premises SQL Server
  • Or file server, line-of-business app, etc.
• Domain-join scenarios
  • Control access to WA Role instances using domain accounts
  • Web role using IIS Windows Integrated Auth
  • Run role under domain account to access on-premises resources (e.g. SQL Server secured with Windows Integrated Auth)
• Remote PowerShell to WA Role instances
  • Or remotely access a file share, event log, etc.
• “VPN as a Service”
  • Ad-hoc connectivity between resources distributed across the internet
  • Enable remote management & access
Demo Overview
• Requirements for Customer Search
  • Frontend servers hosted in Windows Azure
  • On-premises SQL Server allows Windows Integrated Authentication only
  • IIS / ASP.NET connect to the on-premises SQL Server using Windows Integrated Authentication
  • Domain-join Windows Azure machines to a specific OU
  • Use AD accounts to lock down who can access the Windows Azure machines
  • Remotely administer Windows Azure machines using Remote PowerShell
  • Windows Azure machines can access file shares on an on-premises machine
Diagram: Remote Admin into Windows Azure, where IIS Servers (Web Role) serve http://customersearch.mycontoso.com; the Web Role connects to the on-premises MyContoso.com domain (DC, SQL Server, File Server).
Considerations for using Connect
• Appropriate for scenario?
  • Connect or Service Bus or ..?
  • Network-level “machine” connectivity vs. application-level “service” federation
  • No code vs. code changes
• Platform requirements
  • Windows Azure Connect currently supports Windows resources (Vista/Win7 and Win Server 2008 / 2008 R2)
• Deployment topology
  • Requires installation of Connect agent software on the local computer
  • Does not support connectivity to virtual IP addresses (e.g. F5 device, cluster)
• Performance
  • Impact of distributing app communication over the internet
  • Latency is a function of internet connectivity to / from the Relay – Connect adds minimal overhead
  • Throughput impacted by “distance” to Relay service
  • May require app changes to mitigate (e.g. caching)
Windows Azure Connect – Roadmap
• CTP Refresh released on 3/8 and 5/5
  • Multi-admin support
  • Improved client UI and diagnostics; support for non-English OS
  • New relays in Europe and Asia
  • Certificate-based Connect agent activation
• Production release
  • Geo-distributed Relays (co-located with all WA datacenters)
  • Client updates distributed through Microsoft Update
• Planned future enhancements:
  • Connect management functionality exposed via REST API
  • UDP-based relays for higher throughput
Futures: Windows Azure Connect Gateway
• Customer assigns IPv4 address ranges / subnets in which their Windows Azure services & roles reside
  • Tenants are fully isolated & can have overlapping address ranges
• Customer connects their existing VPN edge appliance with the cloud-hosted VPN gateway
  • Supports standard IKE IPsec VPNs
• Customer uses WA role-to-subnet mapping to manage on-premises network policies (routing rules, ACLs) for cloud resources
Diagram: Windows Azure roles (Role A, Role B, Role C) placed in Subnet 1 and Subnet 2, connected to Corpnet.
In Closing
• Hopefully this session has provided you with a useful overview of Windows Azure Connect:
  • Key capabilities and features
  • How to deploy and manage
  • Scenarios and considerations
• Resources:
  • http://microsoft.com/windowsazure to learn more & sign up
    • Request access to the CTP through the Windows Azure Portal
  • Team blog - http://blogs.msdn.com/b/windows_azure_connect_team_blog/
  • Questions, issues - http://social.msdn.microsoft.com/Forums/en/windowsazureconnectivity
Track Resources
• Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
• You can also find the latest information about our products at the following links:
  • Cloud Power - http://www.microsoft.com/cloud/
  • Private Cloud - http://www.microsoft.com/privatecloud/
  • Windows Server - http://www.microsoft.com/windowsserver/
  • Windows Azure - http://www.microsoft.com/windowsazure/
  • Microsoft System Center - http://www.microsoft.com/systemcenter/
  • Microsoft Forefront - http://www.microsoft.com/forefront/
Resources
• Connect. Share. Discuss. http://northamerica.msteched.com
• Learning
  • Sessions On-Demand & Community - www.microsoft.com/teched
  • Microsoft Certification & Training Resources - www.microsoft.com/learning
• Resources for IT Professionals - http://microsoft.com/technet
• Resources for Developers - http://microsoft.com/msdn
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.