Connecting Cloud and On-Premises Applications Using Windows Azure Virtual Network. Jason Chen, Senior Program Manager, Microsoft. Session COS303.


Page 1: COS303. Azure Enterprise CLOUDENTERPRISE Data Synchronization SQL Azure Data Sync Application-layer Connectivity & Messaging Service Bus Security

Connecting Cloud and On-Premises Applications Using Windows Azure Virtual Network

Jason Chen, Senior Program Manager, Microsoft

COS303

Page 2:

What is Windows Azure Virtual Network?

New pillar of the Windows Azure platform
Suite of network services that expand the range of application scenarios that can be delivered on the platform

Windows Azure Connect
• First Virtual Network offering
• Enables cross-premises connectivity

Other services
• Global traffic management
• Datacenter network virtualization (coming in future)

Page 3:

Overview & Objectives

Windows Azure Connect enables new types of “hybrid” cloud computing scenarios to be delivered on the Windows Azure platform

Provides a network-level bridge between cloud and on-premises environments
Facilitates cloud migration and adoption

Session objectives:
• Understand the key capabilities and features of Windows Azure Connect
• Be able to plan and perform a deployment of Windows Azure Connect
• Evaluate scenarios where Windows Azure Connect can be utilized

Page 4:

Introducing Windows Azure Connect

Secure network connectivity between on-premises and cloud

Supports standard IP protocols

Customer benefits and motivation:
• Leverage current IT investments
• Cloud app integration with existing apps / data sources
• Compliance / security drivers

Simple setup and management
• No VPN device or network configuration required

Available as CTP today

(Diagram: Azure connected to Enterprise)

Page 5:

Windows Azure Connect in Context

(Diagram: CLOUD and ENTERPRISE, bridged by the four services below)

Data Synchronization: SQL Azure Data Sync

Application-layer Connectivity & Messaging: Service Bus

Security: Federated Identity and Access Control

Secure Network Connectivity: Windows Azure Connect

Page 6:

Windows Azure Connect – Closer Look

Enable WA Roles for external connectivity via service model
Enable external computers for connectivity by installing the Connect agent
• Win Server 2008, 2008 R2, Vista, and Win7 supported platforms

Network policy managed through WA portal
• Granular control over connectivity

Automatic setup of virtual IPv6 network between connected role instances and external computers

Tunnel firewalls/NATs through hosted SSL-based relay service
• Secured via end-to-end IPsec
• DNS name resolution

(Diagram: Role A, Role B and Role C (multiple VMs) in Windows Azure, connected through the Relay to dev machines and databases in the Enterprise)

Page 7:

Windows Azure Service Deployment

To use Connect with a WA service, enable one or more of its Roles
• For Web & Worker Role, include the Connect plug-in as part of the Service Model (.csdef file)
• For VM role, install the Connect agent in the VHD image using the Connect VM install package
• Connect agent will automatically be deployed for each new role instance that starts up

Connect agent configuration managed through the ServiceConfiguration (.cscfg) file

One required setting: “ActivationToken”, a unique per-subscription token accessed from the Admin UI

Page 8:

On-Premises Deployment

Local computers are enabled for connectivity by installing & activating the Connect agent

Web-based installation link
• Retrieved from admin UI
• Contains per-subscription activation token embedded in URL

Standalone install package
• Reads activation token from registry key
• Enables installation using existing S/W distribution tools

Connect agent tray icon & client UI
• View activation state & connectivity status
• Refresh network policy

Connect agent automatically manages network connectivity
• Sets up virtual network adapter
• “Auto-connects” to Connect relay service as needed
• Configures IPsec policy based on network policy
• Enables DNS name resolution
• Automatically syncs latest network policies

Page 9:

Management of Network Policy

Connect network policy managed through Windows Azure admin portal
• Managed on a per-subscription basis

Local computers are organized into Groups
• E.g. “SQL Servers”, “My Laptops”, “Project Foo”
• A computer can only belong to a single group at a time
• Newly activated computers are ‘unassigned’ by default

WA Roles can be connected to Groups
• Enables network connectivity between all Role instances (VMs) and local computers in the Group
• WA Connect does not control connectivity between Roles or Role instances (done through existing mechanisms)

Groups can be connected to other Groups
• Enables network connectivity between computers in each group
• In addition, a Group can be ‘interconnected’, which enables connectivity within a group
• Useful for ad-hoc & roaming scenarios

Page 10:

Connect Network Policy - Example

(Diagram: group “My Servers” contains SERVER1, SERVER2 and SERVER3; group “My Laptops” contains DEV_LAPTOP1 and DEV_LAPTOP2; Windows Azure hosts Role A and Role B with three instances each)
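Worked example, added here and not part of the deck: a small Python model of the policy rules from the previous slide (a computer belongs to one Group at a time, Role-to-Group and Group-to-Group links, ‘interconnected’ Groups, unassigned computers reach nothing, Role-to-Role traffic is outside Connect's control), populated with the names on this slide. The class and its methods are illustrative assumptions, not a Connect API, and which Role connects to which Group is a constructed choice because the slide does not state it. Running it answers the question a reviewer asks of any policy before deployment: who can reach what.

```python
# Constructed model of the Connect network-policy rules described in the deck;
# the class and method names are illustrative assumptions, not a Connect API.
from dataclasses import dataclass, field

NOT_GOVERNED = "not governed by Connect (Role-to-Role traffic uses existing mechanisms)"


@dataclass
class ConnectPolicy:
    groups: dict = field(default_factory=dict)        # group -> set of local computers
    unassigned: set = field(default_factory=set)      # activated but not yet in a group
    roles: dict = field(default_factory=dict)         # WA role -> set of instance names
    role_links: set = field(default_factory=set)      # (role, group) pairs
    group_links: set = field(default_factory=set)     # frozenset({group1, group2})
    interconnected: set = field(default_factory=set)  # groups allowing intra-group traffic

    def activate_computer(self, computer):
        """Newly activated computers are 'unassigned' by default."""
        if self.group_of(computer) is None:
            self.unassigned.add(computer)

    def assign(self, computer, group):
        """A computer belongs to one group at a time: assigning moves it."""
        current = self.group_of(computer)
        if current is not None:
            self.groups[current].discard(computer)
        self.unassigned.discard(computer)
        self.groups.setdefault(group, set()).add(computer)

    def add_role(self, role, instances):
        self.roles[role] = set(instances)

    def connect_role_to_group(self, role, group):
        self.role_links.add((role, group))

    def connect_groups(self, group1, group2):
        self.group_links.add(frozenset((group1, group2)))

    def interconnect(self, group):
        self.interconnected.add(group)

    def group_of(self, computer):
        return next((g for g, m in self.groups.items() if computer in m), None)

    def role_of(self, instance):
        return next((r for r, m in self.roles.items() if instance in m), None)

    def can_talk(self, a, b):
        """Return 'allowed', 'denied' or NOT_GOVERNED for traffic between a and b."""
        role_a, role_b = self.role_of(a), self.role_of(b)
        if role_a and role_b:
            return NOT_GOVERNED                  # Connect does not control Role-to-Role
        if role_a or role_b:                     # Role instance <-> local computer
            role, computer = (role_a, b) if role_a else (role_b, a)
            group = self.group_of(computer)
            return "allowed" if group and (role, group) in self.role_links else "denied"
        group_a, group_b = self.group_of(a), self.group_of(b)
        if group_a is None or group_b is None:
            return "denied"                      # unassigned computers reach nothing
        if group_a == group_b:                   # same group: only if 'interconnected'
            return "allowed" if group_a in self.interconnected else "denied"
        return "allowed" if frozenset((group_a, group_b)) in self.group_links else "denied"

    def reachable_from(self, name):
        """Sorted list of every resource that `name` may talk to under the policy."""
        everything = set(self.unassigned)
        for members in list(self.groups.values()) + list(self.roles.values()):
            everything |= members
        return sorted(x for x in everything if x != name and self.can_talk(name, x) == "allowed")


def example_policy():
    """Policy modelled on the 'Connect Network Policy - Example' slide.

    Which Role connects to which Group is a constructed assumption; the slide
    only shows the groups, computers and roles."""
    p = ConnectPolicy()
    for c in ("SERVER1", "SERVER2", "SERVER3", "DEV_LAPTOP1", "DEV_LAPTOP2", "NEW_PC"):
        p.activate_computer(c)
    for c in ("SERVER1", "SERVER2", "SERVER3"):
        p.assign(c, "My Servers")
    for c in ("DEV_LAPTOP1", "DEV_LAPTOP2"):
        p.assign(c, "My Laptops")        # NEW_PC stays unassigned
    p.add_role("Role A", ["A-Instance1", "A-Instance2", "A-Instance3"])
    p.add_role("Role B", ["B-Instance1", "B-Instance2", "B-Instance3"])
    p.connect_role_to_group("Role A", "My Servers")
    p.connect_role_to_group("Role B", "My Servers")
    p.connect_role_to_group("Role B", "My Laptops")
    p.connect_groups("My Laptops", "My Servers")
    p.interconnect("My Servers")     # servers may talk to each other; laptops may not
    return p


if __name__ == "__main__":
    policy = example_policy()
    for name in ("A-Instance1", "DEV_LAPTOP1", "NEW_PC"):
        print(f"{name:12} -> {policy.reachable_from(name)}")
```

The `reachable_from` listing is the useful output: it makes visible that a laptop linked to “My Servers” also reaches every instance of a Role linked to “My Laptops”, while a freshly activated, unassigned computer reaches nothing until an administrator places it in a Group.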

Page 11:

Connect Network Model

Connected resources (WA Role instances and external machines) have secure IP-level network connectivity
• Regardless of physical network topology (firewalls / NATs) so long as there is outbound HTTPS access to the Connect service

Each connected machine has a routable IPv6 address
• Connect agent sets up virtual network adapter
• No changes to existing networks (additive model)

Communication between resources is secured via end-to-end certificate-based IPsec
• Scoped to Connect virtual network
• Automated management of IPsec certificates

DNS name resolution for connected resources based on machine names
• Windows Azure instance → local computer
• Local computer → Windows Azure instance

Page 12:

Connect and Domain-Join

Connect plug-in supports domain-join of WA Roles to on-premises Active Directory
Process to enable:
• Install Connect agent on DC / DNS server(s); for a multiple-DC environment, recommend creating a dedicated Site
• Configure Connect plug-in to automatically join WA role instances to AD: specify credentials used for the domain-join operation, specify target OU for WA role instances, specify list of domain users / groups to add to the local Administrators group
• Configure network policy to enable connectivity between WA roles and DC / DNS servers
• New WA role instances will automatically be domain-joined

Be aware: domain-joined WA Role instance != on-premises computer
• Role instance not guaranteed to persist local state; role instance identities may change over time
• General guidance: Role instances use AD identities rather than being actively managed as domain-joined computers
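Worked example, added here and not from Microsoft or the deck: a lint pass over a constructed .cscfg for the deck's CustomerSearch demo, checking the Connect settings from the deployment slide (the required ActivationToken) and from this slide (domain-join credentials, domain controller, target OU, local Administrators list). The fully qualified setting names are the ones I recall from the Connect plug-in's generated template and are an assumption to verify against the template your SDK emits; every value in the sample is a placeholder, and the rules are mine, not a documented check.

```python
# Constructed example: a lint pass over the Connect plug-in settings in a
# ServiceConfiguration (.cscfg). The setting names are the ones I recall from the
# Connect plug-in's generated template (assumption: verify against the template
# your SDK emits); the sample file and the rules are my own, not Microsoft's.
import xml.etree.ElementTree as ET

PREFIX = "Microsoft.WindowsAzure.Plugins.Connect."
# Settings the deck says a domain-join needs: credentials plus the domain and DC to reach.
DOMAIN_JOIN_REQUIRED = ("DomainFQDN", "DomainControllerFQDN",
                        "DomainAccountName", "DomainPassword")

# Constructed sample .cscfg for the deck's CustomerSearch demo; all values are placeholders.
SAMPLE_CSCFG = """<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="CustomerSearch"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole1">
    <Instances count="2" />
    <ConfigurationSettings>
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.ActivationToken" value="" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.EnableDomainJoin" value="true" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainFQDN" value="mycontoso.com" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainControllerFQDN" value="dc1.mycontoso.com" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainAccountName" value="MYCONTOSO\\svc-domainjoin" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainPassword" value="" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainOU" value="OU=AzureRoles,DC=mycontoso,DC=com" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.Administrators" value="MYCONTOSO\\Domain Admins" />
    </ConfigurationSettings>
  </Role>
  <Role name="WorkerRole1">
    <Instances count="1" />
    <ConfigurationSettings />
  </Role>
</ServiceConfiguration>
"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def connect_settings_by_role(xml_text):
    """Return {role_name: {short_setting_name: value}} holding only Connect settings."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    result = {}
    for role in root.iter():
        if _local(role.tag) != "Role":
            continue
        settings = {}
        for s in role.iter():
            name = s.get("name", "")
            if _local(s.tag) == "Setting" and name.startswith(PREFIX):
                settings[name[len(PREFIX):]] = s.get("value", "")
        result[role.get("name")] = settings
    return result


def lint_connect_settings(xml_text):
    """Return (role, code, message) findings; roles without Connect settings are skipped."""
    findings = []
    for role, s in connect_settings_by_role(xml_text).items():
        if not s:
            continue                                 # role not enabled for Connect
        if not s.get("ActivationToken", "").strip():
            findings.append((role, "ACTIVATION_TOKEN_EMPTY",
                             "ActivationToken is required; copy the per-subscription token from the admin UI"))
        if s.get("EnableDomainJoin", "false").strip().lower() == "true":
            for name in DOMAIN_JOIN_REQUIRED:
                if not s.get(name, "").strip():
                    findings.append((role, f"DOMAIN_JOIN_SETTING_EMPTY:{name}",
                                     f"{name} must be set when EnableDomainJoin is true"))
            if not s.get("DomainOU", "").strip():
                findings.append((role, "DOMAIN_OU_MISSING",
                                 "no target OU: instances will not land in a dedicated OU"))
            if "domain admins" in s.get("Administrators", "").lower():
                findings.append((role, "ADMINISTRATORS_TOO_BROAD",
                                 "grant local admin on role instances to a dedicated group, not Domain Admins"))
            if s.get("DomainPassword", "").strip():
                findings.append((role, "CLEARTEXT_CREDENTIAL",
                                 "DomainPassword is stored in clear text: protect the .cscfg and use a least-privilege join account"))
    return findings


if __name__ == "__main__":
    for role, code, message in lint_connect_settings(SAMPLE_CSCFG):
        print(f"{role}: {code}: {message}")
```

On the sample the pass reports the empty ActivationToken, the empty DomainPassword and the over-broad Administrators list; once those are filled in, the one remaining finding is a reminder rather than a defect: the .cscfg then carries both the per-subscription activation token and a domain password in clear text, so it belongs in the same protection class as any other credential store, and the join account should be limited to creating computer objects in the target OU.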

Page 13:

Windows Azure Connect - Scenarios

WA Role accessing on-premise SQL server
• Or file server, line-of-business app, etc.

Domain-join scenarios
• Control access to WA Role instances using domain accounts
• Web role using IIS Windows Integrated Auth
• Run role under domain account to access on-premises resources (e.g. SQL server secured with Windows Integrated Auth)

Remote PowerShell to WA Role instances
• Or remotely access a file share, event log, etc.

“VPN as a Service”
• Ad-hoc connectivity between resources distributed across the internet
• Enable remote management & access

Page 14:

Demo

Windows Azure Connect Scenario Demo

Page 15:

Demo Overview

(Diagram: MyContoso.com on-premises, with DC, SQL Server, IIS Servers, File Server and Remote Admin; Windows Azure, with a Web Role; http://customersearch.mycontoso.com is shown next to both the IIS Servers and the Web Role)

Requirements for Customer Search
• Frontend servers hosted in Windows Azure
• SQL server on-premise allows Windows Integrated Authentication only
• IIS / ASP.net connect to SQL server on-premise using Windows Integrated Authentication
• Domain join Windows Azure machines to a specific OU
• Use AD accounts to lock down who can access the Windows Azure machines
• Remote Admin Windows Azure machines using Remote PowerShell
• Windows Azure machine can access file shares on on-premise machine

Page 16:

Considerations for using Connect

Appropriate for scenario?
• Connect or Service Bus or ..?
• Network-level “machine” connectivity vs. application-level “service” federation
• No code vs. code changes

Platform requirements
• Windows Azure Connect currently supports Windows resources (Vista/Win7 and Win Server 2008 / 2008 R2)

Deployment topology
• Requires installation of Connect agent software on local computer
• Does not support connectivity to virtual IP addresses (e.g. F5 device, cluster)

Performance
• Impact of distributing app communication over the internet
• Latency is a function of internet connectivity to / from the Relay; Connect adds minimal overhead
• Throughput impacted by “distance” to Relay service
• May require app changes to mitigate (e.g. caching)

Page 17:

Windows Azure Connect – Roadmap

CTP Refresh released on 3/8 and 5/5
• Multi-admin support
• Improved client UI and diagnostics; support for non-English OS
• New relays in Europe and Asia
• Certificate-based Connect agent activation

Production release
• Geo-distributed Relays (co-located with all WA datacenters)
• Client updates distributed through Microsoft Update

Planned future enhancements:
• Connect management functionality exposed via REST API
• UDP-based relays for higher throughput

Page 18:

Futures: Windows Azure Connect Gateway

Customer assigns IPv4 address ranges / subnets in which their Windows Azure services & roles reside

Tenants are fully isolated & can have overlapping address ranges

Customer connects their existing VPN edge appliance with cloud-hosted VPN gateway

Supports standard IKE IPsec VPNs

Customer uses WA role-to-subnet mapping to manage on-premises network policies (routing rules, ACLs) for cloud resources

(Diagram: Role A, Role B and Role C in Windows Azure, mapped to Subnet 1 and Subnet 2 and connected to the Corpnet)

Page 19:

In Closing

Hopefully this session has provided you with a useful overview of Windows Azure Connect:

• Key capabilities and features
• How to deploy and manage
• Scenarios and considerations

Resources:
• http://microsoft.com/windowsazure to learn more & sign up
• Request access to the CTP through the Windows Azure Portal
• Team blog: http://blogs.msdn.com/b/windows_azure_connect_team_blog/
• Questions, issues: http://social.msdn.microsoft.com/Forums/en/windowsazureconnectivity


Page 21:

Track Resources

Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.

You can also find the latest information about our products at the following links:

Windows Azure - http://www.microsoft.com/windowsazure/

Microsoft System Center - http://www.microsoft.com/systemcenter/

Microsoft Forefront - http://www.microsoft.com/forefront/

Windows Server - http://www.microsoft.com/windowsserver/

Cloud Power - http://www.microsoft.com/cloud/

Private Cloud - http://www.microsoft.com/privatecloud/

Page 22:

Resources

www.microsoft.com/teched: Sessions On-Demand & Community

www.microsoft.com/learning: Microsoft Certification & Training Resources

http://microsoft.com/technet: Resources for IT Professionals

http://microsoft.com/msdn: Resources for Developers

http://northamerica.msteched.com: Connect. Share. Discuss.

Page 23:

Complete an evaluation on CommNet and enter to win!

Page 24:

Scan the Tag to evaluate this session now on myTech•Ed Mobile

Page 25:

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
