Securing, Connecting, and Scaling in Windows Azure
Transcript of Securing, Connecting, and Scaling in Windows Azure
Page 1: Securing, Connecting, and Scaling in Windows Azure
Name, Title
Microsoft Corporation
Page 2: Agenda
- Securing
- Connecting
- Scaling
Page 3: Assumptions
You know the basics:
- Web/Worker Roles
- SQL Azure
- Windows Azure Storage
- Asynchronous Programming
- Windows Azure diagnostics
Page 4: Securing
Page 5: (image only)

Page 6: Access Control Service
- Makes it easy to authenticate and authorize users
- Integrates Single Sign On and centralized authorization into your web applications
- Standards-based identity providers
  - Enterprise directories (e.g. Active Directory Federation Server v2.0)
  - Web identities (e.g. Windows Live ID, Google, Yahoo!, and Facebook)
Page 7: ASP.NET & ACS (demo)
Page 8: Access Control Service sign-in flow (diagram; actors labelled IdP, Access Control, and the Relying Party)
1. Request Resource
2. Redirect to ACS
3. Auth/N
4. Home-realm Discovery
5. Redirect to IdP
6. Login
7. Authenticate & Issue Token
8. Redirect to AC service
9. Send Token to ACS
10. Validate Token, Run Rules Engine, Issue Token
11. Redirect to RP with ACS Token
12. Validate Token
13. Send ACS Token to Relying Party
14. Return resource representation
Page 9: Access Control Features
- Integrates with Windows Identity Foundation and tooling
- Claims-based access control
- Support for OAuth WRAP, WS-Trust, and WS-Federation protocols

Page 10: Access Control Features
- Support for the SAML 1.1, SAML 2.0, and Simple Web Token token formats
- Integrated and customizable Home Realm Discovery
- OData-based Management Service for ACS configuration
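The "Validate Token" step of the flow on page 8, applied to the Simple Web Token format listed above, as an added Python example (not code from the deck or from the ACS SDK): the relying party verifies the HMAC-SHA256 signature over the form-encoded token before it trusts any field, then checks Issuer, Audience and ExpiresOn. The key, issuer, audience and claim values are constructed for the demo, and issue_swt exists only to produce test input.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed demo values. In ACS the key is the relying party's symmetric
# token-signing key; issuer and audience are the ACS namespace and the RP realm.
ACS_KEY_B64 = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
ISSUER = "https://contoso-demo.accesscontrol.example/"
AUDIENCE = "http://localhost/relyingparty"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"


def _hmac_b64(unsigned: str, key_b64: str) -> str:
    # SWT signs the UTF-8 bytes of the form-encoded token, minus the HMACSHA256 field.
    mac = hmac.new(base64.b64decode(key_b64), unsigned.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def issue_swt(claims, key_b64, issuer, audience, lifetime_s=600, now=None):
    """Stand-in for step 10 (ACS issues a token); used here only to build test input."""
    now = int(time.time()) if now is None else now
    fields = list(claims.items()) + [("Issuer", issuer), ("Audience", audience),
                                     ("ExpiresOn", str(now + lifetime_s))]
    unsigned = urlencode(fields)
    return unsigned + "&HMACSHA256=" + quote(_hmac_b64(unsigned, key_b64), safe="")


def validate_swt(token, key_b64, issuer, audience, now=None):
    """Step 12 on the relying party: signature first, then issuer, audience, expiry.
    Returns the application claims; raises ValueError on the first failed check."""
    now = int(time.time()) if now is None else now
    marker = "&HMACSHA256="
    idx = token.rfind(marker)
    if idx < 0:
        raise ValueError("missing signature")
    unsigned, sig = token[:idx], unquote(token[idx + len(marker):])
    if not hmac.compare_digest(sig, _hmac_b64(unsigned, key_b64)):
        raise ValueError("bad signature")
    fields = dict(parse_qsl(unsigned, keep_blank_values=True))
    if fields.get("Issuer") != issuer:
        raise ValueError("wrong issuer")
    if fields.get("Audience") != audience:
        raise ValueError("wrong audience")
    if int(fields.get("ExpiresOn", "0")) <= now:
        raise ValueError("expired")
    return {k: v for k, v in fields.items() if k not in ("Issuer", "Audience", "ExpiresOn")}


def rejection_reason(token, key_b64, issuer, audience, now=None):
    """None when the token is accepted, otherwise the reason it was rejected."""
    try:
        validate_swt(token, key_b64, issuer, audience, now)
        return None
    except ValueError as exc:
        return str(exc)
```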
Page 11: Connecting
Page 12: Connecting
- Service Bus
- Windows Azure Connect
Page 13: Service Bus
- Provides secure messaging and connectivity
- Enables various communication protocols and patterns for developers to engage in reliable messaging
- Exchange messages between loosely coupled applications
- Network send/receive from any internet connected device
Two areas: Connectivity, Messaging
Page 14: Service Bus Connectivity
- Provides secure messaging and connectivity across different network topologies
- Traverse NAT/Firewall
- Facilitate direct peer-to-peer connection
Page 15: Service Bus Connectivity
Connectivity Options:
- Outbound TCP (Ports 9350-9353)
  - 9350 Unsecured TCP One-way (client)
  - 9351 Secured TCP One-way (all listeners, secured clients)
  - 9352 Secured TCP Rendezvous (all listeners except one-way)
  - 9353 Direct Connect Probing Protocol (TCP listeners with direct connect)
- Outbound HTTP (Port 80, Listeners)
  - TCP equivalent tunnel with overlaid TLS/SSL formed over a pair of HTTP requests
  - Alternate connectivity path if outbound TCP is blocked
- Outbound HTTPS (Port 443, Senders)
Key Capabilities:
- Relayed One-Way Unicast and Multicast
- Relayed WCF NET.TCP with Direct Connect Option
- Relayed WCF HTTP with support for REST and SOAP 1.1/1.2
- Endpoint protection with Access Control
Page 16: Relay Programming Model
- Full WCF Programming Model
- Bindings functionally symmetric with WCF
  - WebHttpRelayBinding (HTTP/REST)
  - BasicHttpRelayBinding (SOAP 1.1)
  - WS2007HttpRelayBinding (SOAP 1.2)
  - NetTcpRelayBinding (Binary transport)
- Special Service Bus Bindings
  - NetOnewayRelayBinding (Multicast one-way)
  - NetEventRelayBinding (Multicast one-way)
- Transport binding elements for custom binding stacks
- WebHttpRelayBinding provides full interoperability with any HTTP/REST client, BasicHttpRelayBinding with any SOAP client
Page 17: Service Bus relay architecture (diagram). Labels: Frontend Nodes behind NLB (TCP/SSL, HTTP(S)); Backend Naming/Routing Fabric (Route, Subscribe); solution endpoints a and b; outbound connect one-way net.tcp; outbound connect bidirectional socket; Msg; NAT/Firewall; Dynamic IP.
Page 18: Service Bus Messaging
- Reliable, decoupled, transaction aware message queues
- Addressable over HTTP REST
Page 19: Queues (diagram label: Queue)
- Load Leveling: Receiver receives and processes at its own pace. Can never be overloaded. Can add receivers as queue length grows, reduce receivers if queue length is low or zero. Gracefully handles traffic spikes by never stressing out the backend.
- Offline/Batch: Allows taking the receiver offline for servicing or other reasons. Requests are buffered up until the receiver is available again.
Page 20: Queues (diagram label: Queue)
- Load Balancing: Multiple receivers compete for messages on the same queue (or subscription). Provides automatic load balancing of work to receivers volunteering for jobs. Observing the queue length allows you to determine whether more receivers are required.
Page 21: Topics (diagram labels: Topic, Sub, Sub, Sub)
- Message Distribution: Each receiver gets its own copy of each message. Subscriptions are independent. Allows for many independent 'taps' into a message stream. Subscriber can filter down by interest.
- Constrained Message Distribution (Partitioning): Receivers get mutually exclusive slices of the message stream by creating appropriate filter expressions.
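The two topic patterns above, as an added Python model (not the Service Bus API or any code from the deck): subscriptions hold a filter predicate standing in for a subscription rule, publish fans each message out to every matching subscription, and partition_report checks the partitioning contract that every message lands in exactly one subscription, reporting messages that leak (match nothing) or are duplicated (match more than one). Message properties and filters are constructed for the demo.

```python
import itertools
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Subscription:
    """Constructed stand-in for a topic subscription with a filter rule."""
    name: str
    # Predicate over message properties; default accepts everything (a plain 'tap').
    rule: Callable[[Dict[str, str]], bool] = lambda props: True
    received: List[dict] = field(default_factory=list)


def publish(subscriptions, message):
    """Message Distribution: every subscription whose rule matches gets its own copy."""
    for sub in subscriptions:
        if sub.rule(message["props"]):
            sub.received.append(dict(message))


def partition_report(subscriptions, messages):
    """Constrained distribution check: each message must match exactly one subscription.
    Returns (leaked_ids, duplicated_ids); both empty means the slices partition the stream."""
    leaked, duplicated = [], []
    for m in messages:
        hits = [s.name for s in subscriptions if s.rule(m["props"])]
        if not hits:
            leaked.append(m["id"])
        elif len(hits) > 1:
            duplicated.append(m["id"])
    return leaked, duplicated


def run(subscriptions, messages):
    """Publish a batch and return how many copies each subscription received."""
    for m in messages:
        publish(subscriptions, m)
    return {s.name: len(s.received) for s in subscriptions}


# Constructed sample stream: one message per (Region, Priority) combination.
SAMPLE = [{"id": i, "props": {"Region": r, "Priority": p}}
          for i, (r, p) in enumerate(itertools.product(["West", "East", "Central"],
                                                       ["high", "low"]))]

# Mutually exclusive and exhaustive slices, like 'Region = ''West''' style rules.
GOOD = [Subscription("west", lambda p: p["Region"] == "West"),
        Subscription("east", lambda p: p["Region"] == "East"),
        Subscription("rest", lambda p: p["Region"] not in ("West", "East"))]

# Overlapping and incomplete: West/high is delivered twice, East/low and Central/low never.
BAD = [Subscription("west", lambda p: p["Region"] == "West"),
       Subscription("high", lambda p: p["Priority"] == "high")]
```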
Page 22: Runtime API Choices
- HTTP REST
- SOAP WS-* (Relay Clients)
Page 23: Connecting
- Service Bus
- Windows Azure Connect
Page 24: Windows Azure Connect (diagram label: Enterprise)
- Secure network connectivity between applications in Windows Azure and on-premises resources
- Supports standard IP protocols
- Example use cases:
  - Enterprise app migrated to Windows Azure that requires access to on-premises SQL Server
  - Windows Azure app domain-joined to corporate Active Directory
  - Remote administration and troubleshooting of Windows Azure Roles
- Simple setup and management
Page 25: Windows Azure Connect Details (diagram labels: Enterprise, Dev machines, Databases)
- Enable Windows Azure (WA) Roles for external connectivity via service model
- Enable local computers for connectivity by installing WA Connect agent
- Network policy managed through WA portal
  - Granular control over connectivity
- Automatic setup of secure IP-level network between connected role instances and local computers
  - Tunnel firewalls/NATs through hosted relay service
  - Secured via end-to-end IPSec
  - DNS name resolution
Page 26: Windows Azure Deployment
- To use Connect with a WA service, enable one or more of its Roles
  - For Web & Worker Role, include the Connect plug-in as part of Service Model (.csdef file)
  - For VM role, install the Connect agent in VHD image using the Connect VM install package
- Connect agent will automatically be deployed for each new role instance that starts up
Page 27: Windows Azure Deployment
- Connect agent configuration managed through the ServiceConfiguration (.cscfg) file
- One required setting: "ActivationToken"
  - Unique per-subscription token, accessed from Admin UI
Page 28: On-Premises Deployment
- Local computers are enabled for connectivity by installing & activating the Connect agent
- Connect agent tray icon & client UI
  - View activation state & connectivity status
  - Refresh network policy
Page 29: On-Premises Deployment
- Connect agent automatically manages network connectivity
  - Sets up virtual network adapter
  - "Auto-connects" to Connect relay service as needed
  - Configures IPSec policy based on network policy
  - Enables DNS name resolution
  - Automatically syncs latest network policies
Page 30: Scaling
Page 31: Scaling
- Caching
- CDN
- Traffic Manager
Page 32: Caching
- ASP.NET providers for session state and page output caching
- Cache any managed object
- No object size limits
- No serialization costs for local caching
- Easily integrates into existing applications
Page 33: Caching
- Consistent development model across both Windows Azure Cache and Windows Server Cache
- Secured by Access Control
Page 34: Caching
- Expiration default is 48 hrs; can be set explicitly with Add/Put operations
- Cache sizes of 128MB, 256MB, 512MB, 1GB, 2GB, 4GB
Page 35: Latency Pyramid
- Windows Azure Caching (local cache): lowest latency
- Windows Azure Caching (distributed cache): lower latency
- Storage: highest latency
Page 36: Caching Service in Action (demo)
Page 37: Caching Features
- ASP.NET providers for session state and page output caching
- Extremely low latencies with the local cache
- Cache any managed object
- No object size limits
- No serialization costs for local caching
- Easily integrates into existing applications
- Secured by the Access Control service
Page 38: Scaling
- Caching
- CDN
- Traffic Manager
Page 39: Content Delivery Network (CDN)
- High-bandwidth global blob content delivery
- 24 locations globally (US, Europe, Asia, Australia and South America), and growing
- Same experience for users no matter how far they are from the geo-location where the storage account is hosted
- Blob service URL vs CDN URL:
  - Windows Azure Blob URL: http://images.blob.core.windows.net/
  - Windows Azure CDN URL: http://<id>.vo.msecnd.net/
  - Custom Domain Name for CDN: http://cdn.contoso.com/
Page 40: Windows Azure CDN (diagram)
To Enable CDN:
- Register for CDN via Dev Portal
- Set container images to public
Diagram labels: Windows Azure Blob Service at http://sally.blob.core.windows.net/ holding images/pic1.jpg; Content Delivery Network at http://guid01.vo.msecnd.net/ with three Edge Locations; client request GET http://guid01.vo.msecnd.net/images/pic1.jpg; edge fetch of http://sally.blob.core.windows.net/images/pic1.jpg; 404; TTL.
Page 41: Scaling
- Caching
- CDN
- Traffic Manager
Pages 42-46: Why Performance Matters (charts). Labels: 50ms, 100ms, 200ms; Throughput vs. RTT; Throughput vs. Loss Rate.
Page 47: Why Performance Matters
- More responsive applications
- Faster page load times: 8 seconds vs. 3 seconds?
- Higher interactivity: new type of applications
- Better user experience: more $$$
Pages 48-49: Traffic Manager (image slides)
Page 50: Traffic Manager: What is it?
- Business continuity (Failover)
- Decrease network latency (Performance)
- Scale applications (Performance)
- Cloak DNS (Disable policy)
- Perform Maintenance (Transfer live traffic)
Page 51: Traffic Manager (demo)
Page 52: Traffic Manager Features
- Live ID Account
- Windows Azure Portal (no API, no SDK)
- Sends traffic to Windows Azure Hosted Services
- Load Balancing Methods (not nested)
  - Performance
  - Round Robin
  - Failover
Page 53: Traffic Manager Features
- TTL configuration (>30 seconds)
- HTTP and HTTPS monitoring on any port, with probe file config (HTTP GET)
- Create/Read/Update/Delete policies
- Enable and Disable traffic to policies and endpoints
Page 54: What We Covered
- Securing: Access Control Service
- Connecting: Service Bus, Windows Azure Connect
- Scaling: Caching, CDN, Traffic Manager
Page 55: Thank You
Page 56: © 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.