Connecting Cloud and On-Premises Applications Using Windows Azure Virtual Network
Microsoft Corporation
Agenda
Understand the key capabilities and features of Windows Azure Connect
Be able to plan and perform a deployment of Windows Azure Connect
Evaluate scenarios where Windows Azure Connect can be utilized
What is Windows Azure Virtual Network?
New pillar of Windows Azure
Suite of network services that expand the range of application scenarios that can be delivered on the platform
Windows Azure Connect
First Virtual Network offering
Enables cross-premises connectivity
Other services
Global traffic management
Datacenter network virtualization (coming in future)
Overview & Objectives
Windows Azure Connect enables new types of “hybrid” cloud computing scenarios to be delivered on Windows Azure
Provides network-level bridge between cloud and on-premises environments
Facilitates cloud migration and adoption
Session objectives:
Understand the key capabilities and features of Windows Azure Connect
Be able to plan and perform a deployment of Windows Azure Connect
Evaluate scenarios where Windows Azure Connect can be utilized
Introducing Windows Azure Connect
Secure network connectivity between on-premises and cloud
Supports standard IP protocols
Customer benefits and motivation:
Leverage current IT investments
Cloud app integration with existing apps / data sources
Compliance / security drivers
Simple setup and managementNo VPN device or network configuration required
Available as CTP today
Windows Azure Connect in Context
(diagram labels: Enterprise, Cloud)
Windows Azure Connect – Closer Look
Enable WA Roles for external connectivity via service model
Enable external computers for connectivity by installing Connect agent
Win Server 2008, 2008 R2, Vista, and Win7 supported platforms
(diagram labels: Enterprise, Dev machines, Databases)
Windows Azure Connect – Closer Look
Network policy managed through WA portal
Granular control over connectivity
Automatic setup of virtual IPv6 network between connected role instances and external computers
Tunnel firewalls/NAT’s through hosted SSL-based relay service
Secured via end-to-end IPSec
DNS name resolution
(diagram labels: Enterprise, Dev machines, Databases)
Windows Azure Deployment
To use Connect with a WA service, enable one or more of its Roles
For Web & Worker Role, include the Connect plug-in as part of Service Model (.csdef file)
For VM role, install the Connect agent in VHD image using the Connect VM install package
Connect agent will automatically be deployed for each new role instance that starts up
Windows Azure Deployment
Connect agent configuration managed through the ServiceConfiguration (.cscfg) file
One required setting – “ActivationToken”
Unique per-subscription token, accessed from Admin UI
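The two deployment steps above (import the Connect plug-in in the .csdef, set the ActivationToken in the .cscfg) as an added PowerShell example; this is not code from the deck or from the Windows Azure SDK. It assumes the plug-in is imported as moduleName="Connect", that the full setting name is Microsoft.WindowsAzure.Plugins.Connect.ActivationToken, and that the token is a GUID; all three should be checked against the Connect plug-in files in your SDK. The token is read from an environment variable because it is a per-subscription secret that should not be committed with the project.

```powershell
# Added example, not code from the deck or the Windows Azure SDK: enable the
# Connect plug-in for every Web/Worker role in a service package and put the
# per-subscription activation token into the service configuration.
# Assumptions to verify against your SDK's Connect plug-in files:
#   - the plug-in is imported as moduleName="Connect"
#   - the full setting name is Microsoft.WindowsAzure.Plugins.Connect.ActivationToken
#   - the token is a GUID (the form the CTP admin UI shows)
param(
    [Parameter(Mandatory = $true)] [string] $ServiceDefinitionPath,    # ServiceDefinition.csdef
    [Parameter(Mandatory = $true)] [string] $ServiceConfigurationPath  # ServiceConfiguration.cscfg
)

$SdNs         = 'http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition'
$ScNs         = 'http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration'
$TokenSetting = 'Microsoft.WindowsAzure.Plugins.Connect.ActivationToken'

# The activation token is a per-subscription secret: anyone holding it can
# activate a machine into your Connect network. Take it from the build
# environment rather than committing it to source control with the project.
$token = $env:WA_CONNECT_ACTIVATION_TOKEN
if (-not $token) { throw 'Set WA_CONNECT_ACTIVATION_TOKEN (copy the token from the Connect admin UI).' }
if ($token -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
    throw 'Activation token does not look like a GUID; check the value you copied.'
}

# ---- ServiceDefinition.csdef: add <Import moduleName="Connect" /> to each Web/Worker role ----
[xml]$csdef = Get-Content -Path $ServiceDefinitionPath
$nsd = New-Object System.Xml.XmlNamespaceManager($csdef.NameTable)
$nsd.AddNamespace('sd', $SdNs)
$enabledRoles = @()
foreach ($role in $csdef.SelectNodes('/sd:ServiceDefinition/sd:WebRole | /sd:ServiceDefinition/sd:WorkerRole', $nsd)) {
    $imports = $role.SelectSingleNode('sd:Imports', $nsd)
    if ($imports -eq $null) {
        # SDK templates normally carry an <Imports> element already; the schema
        # is ordered, so if cspack rejects the placement, move the element by hand.
        $imports = $csdef.CreateElement('Imports', $SdNs)
        [void]$role.AppendChild($imports)
    }
    if ($imports.SelectSingleNode("sd:Import[@moduleName='Connect']", $nsd) -eq $null) {
        $import = $csdef.CreateElement('Import', $SdNs)
        $import.SetAttribute('moduleName', 'Connect')
        [void]$imports.AppendChild($import)
    }
    $enabledRoles += $role.GetAttribute('name')
}
$csdef.Save((Resolve-Path $ServiceDefinitionPath).Path)

# ---- ServiceConfiguration.cscfg: set the token only for roles that import the plug-in ----
# (a Setting on a role whose definition does not declare it fails validation at packaging time)
[xml]$cscfg = Get-Content -Path $ServiceConfigurationPath
$nsc = New-Object System.Xml.XmlNamespaceManager($cscfg.NameTable)
$nsc.AddNamespace('sc', $ScNs)
foreach ($role in $cscfg.SelectNodes('/sc:ServiceConfiguration/sc:Role', $nsc)) {
    if ($enabledRoles -notcontains $role.GetAttribute('name')) { continue }
    $settings = $role.SelectSingleNode('sc:ConfigurationSettings', $nsc)
    if ($settings -eq $null) {
        $settings = $cscfg.CreateElement('ConfigurationSettings', $ScNs)
        [void]$role.AppendChild($settings)
    }
    $setting = $settings.SelectSingleNode("sc:Setting[@name='$TokenSetting']", $nsc)
    if ($setting -eq $null) {
        $setting = $cscfg.CreateElement('Setting', $ScNs)
        $setting.SetAttribute('name', $TokenSetting)
        [void]$settings.AppendChild($setting)
    }
    $setting.SetAttribute('value', $token)
    Write-Host "Connect enabled for role $($role.GetAttribute('name'))"
}
$cscfg.Save((Resolve-Path $ServiceConfigurationPath).Path)
```

Run it from the project directory as a pre-packaging step, e.g. `.\Enable-Connect.ps1 -ServiceDefinitionPath .\ServiceDefinition.csdef -ServiceConfigurationPath .\ServiceConfiguration.cscfg`, after setting WA_CONNECT_ACTIVATION_TOKEN in the build environment. VM roles are deliberately left alone: per the slide, they get the agent through the VHD install package rather than the plug-in import.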
On-Premises Deployment
Local computers are enabled for connectivity by installing & activating the Connect agent
Web-based installation link
Retrieved from admin UI
Contains per-subscription activation token embedded in URL
Standalone install package
Reads activation token from registry key
Enables installation using existing S/W distribution tools
Connect agent tray icon & client UI
View activation state & connectivity status
Refresh network policy
On-Premises Deployment
Connect agent automatically manages network connectivity
Sets up virtual network adapter
“Auto-connects” to Connect relay service as needed
Configures IPSec policy based on network policy
Enables DNS name resolution
Automatically syncs latest network policies
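A pre-flight check for a local computer that is being enabled with the agent, as an added PowerShell example that is not part of the deck. It follows the requirements the slides state (only outbound HTTPS to the relay is needed, the agent builds a virtual IPv6 network, connected peers resolve by machine name) and turns each into a check that can run before and after activation. The relay host name is a placeholder because the deck does not name it; $PeerName is any role instance or computer that should be in a connected group.

```powershell
# Added example, not from the deck: pre-flight checks on a local computer that
# is being enabled with the Connect agent. Each check maps to a requirement in
# the slides: outbound HTTPS to the relay, an IPv6-capable host, and
# machine-name resolution of connected peers to virtual IPv6 addresses.
# Assumptions: the relay host name is a placeholder (the deck does not name
# it); $PeerName is any role instance or computer in a connected group.
param(
    [string] $RelayHost = 'CONNECT-RELAY-HOST-PLACEHOLDER',
    [string] $PeerName  = 'PEER-MACHINE-NAME'
)

function Test-OutboundHttps([string] $HostName, [int] $TimeoutMs = 5000) {
    # Connect only needs an outbound HTTPS connection to the relay, so this is
    # the single firewall/NAT requirement to prove. WebRequest honours the
    # system proxy, which a raw TCP connect to port 443 would bypass.
    $req = [System.Net.WebRequest]::Create("https://$HostName/")
    $req.Method  = 'HEAD'
    $req.Timeout = $TimeoutMs
    try {
        $resp = $req.GetResponse(); $resp.Close(); return $true
    } catch [System.Net.WebException] {
        # An HTTP error reply (403, 404 ...) still proves the path is open;
        # only a transport failure (DNS, connect, proxy denial) means blocked.
        return ($_.Exception.Response -ne $null)
    }
}

function Test-IPv6Host {
    # The agent builds a virtual IPv6 network; a host with IPv6 disabled on
    # its adapters cannot take part even if the agent installs cleanly.
    $addrs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
             ForEach-Object { $_.IPAddress } | Where-Object { $_ -match ':' }
    return (@($addrs).Count -gt 0)
}

function Resolve-ConnectPeer([string] $Name) {
    # Connect resolves connected machines by machine name to their virtual
    # IPv6 address. An IPv4-only answer means ordinary DNS answered, not Connect.
    try { $addrs = [System.Net.Dns]::GetHostAddresses($Name) } catch { return $null }
    foreach ($a in $addrs) {
        if ($a.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) { return $a.IPAddressToString }
    }
    return $null
}

$report = @{
    OutboundHttps = Test-OutboundHttps $RelayHost
    IPv6Host      = Test-IPv6Host
    PeerIPv6      = Resolve-ConnectPeer $PeerName
}
$report.GetEnumerator() | Sort-Object Key | ForEach-Object { '{0,-14} {1}' -f $_.Key, $_.Value }
if ($report.PeerIPv6) {
    # ICMPv6 must be allowed by the peer's host firewall for this to succeed; a
    # failed ping with a resolved address usually points at policy, not transport.
    $up = Test-Connection -ComputerName $report.PeerIPv6 -Count 2 -Quiet
    "Peer reachable over Connect: $up"
}
```

Before activation only the first two checks are meaningful; after activation and a policy refresh, PeerIPv6 should show an address for any machine in a group the local computer is connected to, and a missing address is the quickest sign that the computer is still ‘unassigned’ or that the group is not connected to the peer's role or group.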
Management of Network Policy
Managed on a per-subscription basis
Local computers are organized into Groups
E.g. “SQL Servers”, “My Laptops”, “Project Foo”
A computer can only belong to a single group at a time
Newly activated computers are ‘unassigned’ by default
Enables network connectivity between all Role instances (VM’s) and local computers in the Group
WA Connect does not control connectivity between Roles or Role instances (done through existing mechanisms)
Enables network connectivity between computers in each group
In addition, a Group can be ‘interconnected’ – enables connectivity within a group
Useful for ad-hoc & roaming scenarios
Connect network policy managed through Windows Azure admin portal
WA Roles can be connected to Groups
Groups can be connected to other Groups
Connect Network Policy – Example
Connect Network Model
Connected resources (WA Role instances and external machines) have secure IP-level network connectivity
Regardless of physical network topology (Firewalls / NAT’s) so long as outbound HTTPS access to Connect service
Each connected machine has a routable IPv6 address
Connect agent sets up virtual network adapter
No changes to existing networks (additive model)
Connect Network Model
Communication between resources is secured via end-to-end certificate-based IPSec
Scoped to Connect virtual network
Automated management of IPSec certificates
DNS name resolution for connected resources based on machine names
Windows Azure instance → local computer
Local computer → Windows Azure instance
Connect and Domain – Join
Connect plug-in supports domain-join of WA Roles to on-premises Active Directory
Process to enable:
Install Connect agent on DC / DNS server(s)
For multiple DC environment, recommend creating dedicated Site
Configure Connect plug-in to automatically join WA role instances to AD
Specify credentials used for domain-join operation
Specify target OU for WA role instances
Specify list of domain users / groups to add to local Administrators group
Configure network policy to enable connectivity between WA roles and DC / DNS servers
New WA role instances will automatically be domain-joined
Connect and Domain – Join
Be aware: domain-joined WA Role instance != On-premises computer
Role instance not guaranteed to persist local state; role instance identities may change over time
General guidance – Role instances use AD identities vs. actively managed as a domain-joined computer
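A post-start verification for the domain-join procedure above, as an added PowerShell example that is not from the deck. It runs on a role instance (locally or through remote PowerShell) and confirms the three things the plug-in was configured to do: join the expected domain, place the computer object in the target OU, and add only the intended domain users/groups to the local Administrators group. The domain, OU and administrator list are placeholders to fill from your own settings; the script uses only WMI and ADSI, which the supported OS versions ship with, and should run under a domain account so the directory search can authenticate to the DC over Connect.

```powershell
# Added example, not from the deck: run on a Connect-enabled role instance after
# start-up to confirm the domain join produced exactly what the service
# configuration asked for: the right domain, a computer object in the target
# OU, and no unexpected members in the local Administrators group.
# Assumptions: the three parameters are placeholders for your own domain-join
# settings; run under a domain account so the directory search can bind to
# the DC over Connect.
param(
    [string]   $ExpectedDomain = 'corp.example.invalid',
    [string]   $ExpectedOU     = 'OU=AzureRoles,DC=corp,DC=example,DC=invalid',
    # Domain join itself adds Domain Admins; keep it here only if that is intended.
    [string[]] $ExpectedAdmins = @('CORP\Domain Admins', 'CORP\AzureRoleAdmins')
)

function Get-DomainJoinState {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    New-Object PSObject -Property @{ Name = $cs.Name; Joined = [bool]$cs.PartOfDomain; Domain = $cs.Domain }
}

function Get-ComputerDistinguishedName([string] $ComputerName) {
    # Ask the directory (DC reached over Connect) where the computer object was created.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return $null }
    return [string]$hit.Properties['distinguishedname'][0]
}

function Get-LocalAdministrators {
    # Enumerate the local Administrators group through the ADSI WinNT provider;
    # each member's ADsPath is WinNT://DOMAIN-or-MACHINE/name, returned as DOMAIN\name.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$problems = @()
$state = Get-DomainJoinState
if (-not $state.Joined -or $state.Domain -ne $ExpectedDomain) {
    $problems += "Not joined to $ExpectedDomain (PartOfDomain=$($state.Joined), Domain=$($state.Domain))"
} else {
    $dn = Get-ComputerDistinguishedName $state.Name
    if ($dn -eq $null) {
        $problems += 'Computer object not found in the directory'
    } elseif (-not $dn.EndsWith(",$ExpectedOU", [StringComparison]::OrdinalIgnoreCase)) {
        $problems += "Computer object is outside the target OU: $dn"
    }
}

# Remote PowerShell and RDP access to the instance follow local Administrators
# membership, so anything not on the allow-list widens who can manage the role.
$builtinAdmin = "$env:COMPUTERNAME\Administrator"
foreach ($member in Get-LocalAdministrators) {
    if ($member -eq $builtinAdmin) { continue }
    if ($ExpectedAdmins -notcontains $member) { $problems += "Unexpected local administrator: $member" }
}

if ($problems.Count -eq 0) {
    "OK: $($state.Name) is joined to $($state.Domain) in $ExpectedOU with the expected administrators"
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Because role instances do not persist local state and their identities can change, this is worth running on every fresh instance rather than once per deployment; a non-zero exit from a startup task or a remote run is an easy signal to feed into monitoring. Stale computer objects left behind by recycled instances accumulate in the target OU, which is one more reason to keep that OU dedicated to role instances.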
Windows Azure Connect – Scenarios
WA Role accessing on-premise SQL server
Or file server, line-of-business app, etc.
Domain-join scenarios
Control access to WA Role instances using domain accounts
Web role using IIS Windows Integrated Auth
Run role under domain account to access on-premises resources (e.g. SQL server secured with Windows Integrated Auth)
Windows Azure Connect – Scenarios
Remote Powershell to WA Role instances
Or remotely access a file share, event log, etc.
“VPN as a Service”
Ad-hoc connectivity between resources distributed across the internet
Enable remote management & access
Windows Azure Connect Scenario Demo
Demo Overview
Requirements for Customer Search
Frontend servers hosted in Windows Azure
SQL server on-premise allows Windows Integrated Authentication only
IIS / ASP.net connect to SQL server on-premise using Windows Integrated Authentication
Domain join Windows Azure machines to a specific OU
Use AD accounts to lock down who can access the Windows Azure machines
Remote Admin Windows Azure machines using Remote Powershell
Windows Azure machine can access file shares on on-premise machine
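The remote-administration and integrated-authentication requirements of the demo, as an added PowerShell example; this is not the demo's own code. From the RemoteAdmin machine it reaches a web role instance by machine name over remote PowerShell (the name resolves to the instance's Connect IPv6 address), runs the Customer Search application pool as a domain service account so that SQL Server sees a domain identity and the web.config connection string carries no password, and then checks the site end to end. Instance and pool names are placeholders; it assumes PowerShell remoting is enabled on the role, the admin account is in the instance's local Administrators group, and the IIS 7.x WebAdministration module is present there.

```powershell
# Added example, not the demo's own code: administer a Connect-enabled web role
# instance from the RemoteAdmin machine over remote PowerShell, run its IIS
# application pool as a domain service account, and verify the site end to end.
# The web.config connection string then looks like
#   Data Source=SQLSERVER-ONPREM;Initial Catalog=CustomerSearch;Integrated Security=SSPI
# with no credential in it; the pool identity is what SQL Server authenticates.
# Assumptions: placeholder names; remoting enabled on the role; the admin
# account is in the instance's local Administrators group; WebAdministration
# module (IIS 7.x) present on the instance.
param(
    [string] $RoleInstance = 'ROLE-INSTANCE-NAME',   # resolved to its IPv6 address by Connect DNS
    [string] $AppPool      = 'CustomerSearch',
    [string] $SiteUrl      = 'http://customersearch.mycontoso.com'
)

Write-Host 'Domain account permitted to administer the role instance:'
$adminCred = Get-Credential
Write-Host 'Domain service account the application pool should run as:'
$appPoolCred = Get-Credential   # travels to the remote side as a PSCredential, never as plain text

Invoke-Command -ComputerName $RoleInstance -Credential $adminCred -ArgumentList $AppPool, $appPoolCred -ScriptBlock {
    param([string] $AppPool, [Management.Automation.PSCredential] $Cred)
    Import-Module WebAdministration
    $pool = "IIS:\AppPools\$AppPool"
    if (-not (Test-Path $pool)) { throw "Application pool '$AppPool' not found on $env:COMPUTERNAME" }
    # identityType 3 = SpecificUser. IIS keeps the password encrypted in
    # applicationHost.config; the application's web.config holds no credential.
    Set-ItemProperty $pool -Name processModel -Value @{
        identityType = 3
        userName     = $Cred.UserName
        password     = $Cred.GetNetworkCredential().Password
    }
    Restart-WebAppPool -Name $AppPool
    "Pool '$AppPool' on $env:COMPUTERNAME now runs as $($Cred.UserName)"
}

# End-to-end check from the admin machine. The site uses Windows Integrated
# Authentication, so the current domain logon is presented. A rendered page
# proves IIS reached SQL Server as the pool identity. Testing SQL from inside
# the remote session above would prove nothing: by default a remoting logon
# cannot forward its credentials to a third server (the second hop), so that
# attempt fails with an anonymous logon even when the site itself works.
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
try {
    $body = $wc.DownloadString($SiteUrl)
    "Site check OK: $SiteUrl returned $($body.Length) characters"
} catch [System.Net.WebException] {
    Write-Warning "Site check failed: $($_.Exception.Message)"
}
```

The same Invoke-Command pattern covers the other remote-management items on the slides (reading an event log, inspecting a file share) once the admin account is among the domain groups the plug-in added to the instance's local Administrators group; that membership, not the Connect network policy, is what decides who may open the session.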
(demo topology diagram labels: http://customersearch.mycontoso.com, MyContoso.com, IIS Servers, SQL Server, DC, File Server, RemoteAdmin, Web Role)
Considerations For Using Connect
Appropriate for scenario?
Connect or Service Bus or ..?
Network-level “machine” connectivity vs. application-level “service” federation
No code vs. code changes
Platform requirements
Windows Azure Connect currently supports Windows resources (Vista/Win7 and Win Server 2008 / 2008 R2)
Considerations For Using Connect
Deployment topology
Requires installation of Connect agent software on local computer
Does not support connectivity to virtual IP addresses (e.g. F5 device, cluster)
Performance
Impact of distributing app communication over the internet
Latency is function of internet connectivity to / from Relay – Connect adds minimal overhead
Throughput impacted by “distance” to Relay service
May require app changes to mitigate (e.g. caching)
Futures: Windows Azure Connect Gateway
Customer assigns IPv4 address ranges / subnets in which their Windows Azure services & roles reside
Tenants are fully isolated & can have overlapping address ranges
Customer connects their existing VPN edge appliance with cloud-hosted VPN gateway
Support standard IKE IPSec VPN’s
Customer uses WA role-to-subnet mapping to manage on-premises network policies (routing rules, ACLs) for cloud resources
(diagram labels: Corpnet, Subnet 1, Subnet 2)
In Closing
Hopefully this session has provided you with a useful overview of Windows Azure Connect:
Key capabilities and features
How to deploy and manage
Scenarios and considerations
Resources:
http://microsoft.com/windowsazure to learn more & sign-up
Request access to the CTP through the Windows Azure Portal
Team blog - http://blogs.msdn.com/b/windows_azure_connect_team_blog/
Questions, issues - http://social.msdn.microsoft.com/Forums/en/windowsazureconnectivity
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.