Windows Azure Connect

Сергей БайдачныйSergiy.Baydachnyy@microsoft.comСпециалист по разработке программного обеспеченияМайкрософт Украина

Тема 6

Introducing Windows Azure Connect

• Secure network connectivity between on-premises and cloud• Supports standard IP

protocols• Example use cases:

• Enterprise app migrated to Windows Azure that requires access to on-premise SQL Server

• Windows Azure app domain-joined to corporate Active Directory

• Remote administration and trouble-shooting of Windows Azure Roles

• Simple setup and management

Windows Azure

Enterprise

Windows Azure Connect – Closer Look

• Enable Windows Azure (WA) Roles for external connectivity via service model

• Enable local computers for connectivity by installing WA Connect agent

• Network policy managed through WA portal• Granular control over

connectivity• Automatic setup of secure IP-

level network between connected role instances and local computers• Tunnel firewalls/NAT’s through

hosted relay service• Secured via end-to-end IPSec• DNS name resolution

Role A

Role B

Role C(multiple

VM’s)

Windows Azure

Enterprise

Dev machines

Databases

Relay

Windows Azure Service Deployment

• To use Connect with a WA service, enable one or more of its Roles• For Web & Worker Role, include the Connect plug-in as part of

Service Model (.csdef file)• For VM role, install the Connect agent in VHD image using the

Connect VM install package• Connect agent will automatically be deployed for each new

role instance that starts up

• Connect agent configuration managed through the ServiceConfiguration (.cscfg) file• One required setting - “ActivationToken”

o Unique per-subscription token, accessed from Admin UI• Optional settings for managing AD domain-join and service

availability

On-Premises Deployment

• Local computers are enabled for connectivity by installing & activating the Connect agent• Web-based installation link

o Retrieved from admin UIo Contains per-subscription activation token embedded in URL

• Standalone install packageo Reads activation token from registry keyo Enables installation using existing S/W distribution tools

• Connect agent tray icon & client UI• View activation state & connectivity status • Refresh network policy

• Connect agent automatically manages network connectivity • Sets up virtual network adapter• “Auto-connects” to Connect relay service as needed• Configures IPSec policy based on network policy • Enables DNS name resolution • Automatically syncs latest network policies

Management of Network Policy

• Connect network policy managed through Windows Azure admin portal• Managed on a per-subscription basis

• Local computers are organized into Groups• E.g. “SQL Servers”, “My Laptops”, “Project Foo”• A computer can only belong to a single group at a time• Newly activated computers are ‘unassigned’ by default

• WA Roles can be connected to Groups• Enables network connectivity between all Role instances (VM’s) and

local computers in the Group• WA Connect does not control connectivity between Roles or Role

instances (done through existing mechanisms)• Groups can be connected to other Groups

• Enables network connectivity between computers in each group• In addition, a Group can be ‘interconnected’ - enables connectivity

within a group• Useful for ad-hoc & roaming scenarios

Network Policy - Example

SERVER1

SERVER2

Windows Azure

SERVER3DEV_LAPTOP1

Role A

Instance3Instance2Instance

Role B

Instance3Instance2Instance

DEV_LAPTOP2

My Servers My Laptops

Active Directory Domain Join

• Connect plug-in supports domain-join of WA Roles to on-premises Active Directory

• Scenarios enabled:• Log into WA role instances using domain accounts• Connect to on-premise SQL server using Windows Integrated Auth• Migrate LOB apps to cloud that assume domain-joined environment

• Process to enable:• Install Connect agent on DC / DNS server(s)

o For multiple DC environment, recommend creating dedicated Site• Configure Connect plug-in to automatically join WA role instances to

ADo Specify credentials used for domain-join operationo Specify target OU for WA role instanceso Specify list of domain users / groups to add to local Administrators group

• Configure network policy to enable connectivity between WA roles and DC / DNS servers

• New WA role instances will automatically be domain-joined

Вопросы?

Virtual Machine Role

Сергей БайдачныйSergiy.Baydachnyy@microsoft.comСпециалист по разработке программного обеспеченияМайкрософт Украина

Тема 7

VM Role – Overview

Developers have full control over the OS image

Ability to upload your own customized WS08R2 Enterprise images

Operators can reboot, re-image and Remote Desktop

Continue to benefit from automated service management, including service model enhancements described on subsequent slides

VM Role Lifecycle• Convert product DVD to a VHD, or use existing VHD• Prepare the VHDBuild VM Image

• Create a service model with the above image.Create Service

• Store in Windows Azure blob storageUpload VM

Image• Include in service model. Specify instance count.• Package as cspkg.• Upload cskpg.

Deploy Service

• Remote Desktop• Reboot• Reimage

Maintain Service

• Repeat above steps, with a new OS image.Upgrade Service

VM Role Lifecycle

CloudOn-Premises

Blob Storag

eBoot VHD

Customize VHD

Save Diff.VHD

Base.VHD

Identical/similar deployment instances using common uploaded OS image (base.VHD + diff.VHD)

& Additional Software& Windows Azure Integration Components - Agent - Runtime Interface (topo, config, shutdown notification, …) - Remote Desktop configurator - Diagnostics - Windows Azure Drives driver& Generalize (Recommended)

Creating a Service – Service Definition

<ServiceDefinition name="MyVMRoleService" xmlns="…"> <VirtualMachineRole name="MachineRole" vmsize="Medium"> <Imports> <Import moduleName="RemoteAccess" /> <Import moduleName="RemoteForwarder" /> <Import moduleName="Diagnostics" /> </Imports> </VirtualMachineRole></ServiceDefinition>

Creating a Service – Service Configuration

<ServiceConfiguration serviceName="MyVMRoleService" xmlns="…"> <Role name="MachineRole"> <OsImage href="20101020BaseVM.vhd" /> <Instances count="2" /> <ConfigurationSettings> <Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" value="DefaultEndpointsProtocol=http;AccountName=mohittest;AccountKey=JEBzeqFeP176KkIeXoHxvs8pzs1SrdCTwQfrc2nk+mml7+tKc3k5TWMciGPmHgd1G2IOsT5FyJvv3dvaAqioRg==" /> <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.Enabled" value="true" /> <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountUsername" value="" /> <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword" value="" /> <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountExpiration" value="2012-07-23T23:59:59.0000000-07:00" /> <Setting name="Microsoft.WindowsAzure.Plugins.RemoteForwarder.Enabled" value="true" /> </ConfigurationSettings> <Certificates> <Certificate name="Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption" thumbprint="195FD938F86D8785FF53C660BCBD283819E0271A" thumbprintAlgorithm="sha1" /> </Certificates> </Role></ServiceConfiguration>

Как получить доступ к облаку

Azure.comДоступ возможен через MSDNДоступ на 24 часа через http://dev-club.in.uaДоступ на 30 дней – письмо мне

Ресурсы

Windows Azure Platform Training Kit (http://msdn.microsoft.com/en-us/wazplatformtrainingcourse.aspx)

Вопросы?