Windows Azure Connect Name Title Microsoft Corporation

Upload: william-turner

Post on 12-Jan-2016


Page 1: Windows Azure Connect

Name
Title
Microsoft Corporation

Page 2: Introducing Windows Azure Connect

- Secure network connectivity between on-premises and cloud
  - Supports standard IP protocols
- Example use cases:
  - Enterprise app migrated to Windows Azure that requires access to on-premise SQL Server
  - Windows Azure app domain-joined to corporate Active Directory
  - Remote administration and trouble-shooting of Windows Azure Roles
- Simple setup and management

[Diagram label: Enterprise]

Page 3: Windows Azure Connect – Closer Look

- Enable Windows Azure (WA) Roles for external connectivity via service model
- Enable local computers for connectivity by installing WA Connect agent
- Network policy managed through WA portal
  - Granular control over connectivity
- Automatic setup of secure IP-level network between connected role instances and local computers
  - Tunnel firewalls/NAT’s through hosted relay service
  - Secured via end-to-end IPSec
  - DNS name resolution

[Diagram labels: Enterprise; Role A; Role B; Role C (Multiple VM’s); Relay; Dev Machines; Databases]

Page 4: Windows Azure Connect

Demo

Page 5: Windows Azure Service Deployment

- To use Connect with a WA service, enable one or more of its Roles
  - For Web & Worker Role, include the Connect plug-in as part of Service Model (.csdef file)
  - For VM role, install the Connect agent in VHD image using the Connect VM install package
- Connect agent will automatically be deployed for each new role instance that starts up
- Connect agent configuration managed through the Service Configuration (.cscfg) file
  - One required setting - “ActivationToken”
    - Unique per-subscription token, accessed from Admin UI
  - Optional settings for managing AD domain-join and service availability

Page 6: On-Premises Deployment

- Local computers are enabled for connectivity by installing & activating the Connect agent
  - Web-based installation link
    - Retrieved from admin UI
    - Contains per-subscription activation token embedded in URL
  - Standalone install package
    - Reads activation token from registry key
    - Enables installation using existing S/W distribution tools
- Connect agent tray icon & client UI
  - View activation state & connectivity status
  - Refresh network policy
- Connect agent automatically manages network connectivity
  - Sets up virtual network adapter
  - “Auto-connects” to Connect relay service as needed
  - Configures IPSec policy based on network policy
  - Enables DNS name resolution
  - Automatically syncs latest network policies

Page 7: Management of Network Policy

- Connect network policy managed through Windows Azure admin portal
  - Managed on a per-subscription basis
- Local computers are organized into Groups
  - E.g. “SQL Servers”, “My Laptops”, “Project Foo”
  - A computer can only belong to a single group at a time
  - Newly activated computers are ‘unassigned’ by default
- WA Roles can be connected to Groups
  - Enables network connectivity between all Role instances (VM’s) and local computers in the Group
  - WA Connect does not control connectivity between Roles or Role instances (done through existing mechanisms)
- Groups can be connected to other Groups
  - Enables network connectivity between computers in each group
  - In addition, a Group can be ‘interconnected’ - enables connectivity within a group
  - Useful for ad-hoc & roaming scenarios

Page 8: Network Policy - Example

[Diagram: group “My Laptops” (DEV_LAPTOP1, DEV_LAPTOP2); group “My Servers” (SERVER1, SERVER2, SERVER3)]
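The policy rules and example groups above, as an added sketch (not Microsoft's code and not part of the original deck): a toy Python model that answers whether Connect policy grants connectivity between two endpoints. Only the group and machine names come from the slide; the role instance names, the NEW_PC machine and every link between roles and groups are assumptions.

```python
# Added example: toy model of the Connect network policy rules on the slides.
from dataclasses import dataclass, field

@dataclass
class ConnectPolicy:
    machine_group: dict = field(default_factory=dict)  # computer -> its single group (None = unassigned)
    instance_role: dict = field(default_factory=dict)  # role instance -> WA Role
    role_links: set = field(default_factory=set)       # {(role, group)}
    group_links: set = field(default_factory=set)      # {frozenset({group_a, group_b})}
    interconnected: set = field(default_factory=set)   # groups with intra-group connectivity

    def activate(self, computer):
        self.machine_group.setdefault(computer, None)  # newly activated = unassigned

    def assign(self, computer, group):
        self.machine_group[computer] = group           # overwrites: one group at a time

    def verdict(self, a, b):
        ra, rb = self.instance_role.get(a), self.instance_role.get(b)
        if ra and rb:
            return "not-governed"                      # role-to-role is outside Connect
        if ra or rb:
            role, computer = (ra, b) if ra else (rb, a)
            group = self.machine_group.get(computer)
            return "allow" if group and (role, group) in self.role_links else "deny"
        ga, gb = self.machine_group.get(a), self.machine_group.get(b)
        if not ga or not gb:
            return "deny"                              # unassigned or unknown computer
        if ga == gb:
            return "allow" if ga in self.interconnected else "deny"
        return "allow" if frozenset((ga, gb)) in self.group_links else "deny"

def sample_policy():
    """Constructed policy; machine names from the slide, links are assumptions."""
    p = ConnectPolicy()
    for name in ("DEV_LAPTOP1", "DEV_LAPTOP2"):
        p.assign(name, "My Laptops")
    for name in ("SERVER1", "SERVER2", "SERVER3"):
        p.assign(name, "My Servers")
    p.activate("NEW_PC")                               # hypothetical, never assigned
    p.instance_role.update({"RoleA_IN_0": "Role A", "RoleB_IN_0": "Role B"})
    p.role_links.add(("Role A", "My Servers"))
    p.group_links.add(frozenset(("My Laptops", "My Servers")))
    return p

if __name__ == "__main__":
    p = sample_policy()
    for pair in [("RoleA_IN_0", "SERVER1"), ("RoleA_IN_0", "DEV_LAPTOP1"),
                 ("DEV_LAPTOP1", "DEV_LAPTOP2"), ("NEW_PC", "SERVER1")]:
        print(pair, p.verdict(*pair))
```

A model like this is useful for reviewing a policy before applying it: an unassigned computer or a group that is not interconnected yields "deny", which matches the least-privilege default the slides describe.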

Page 9: Networking Behavior

- Connected resources (WA Role instances and external machines) have secure IP-level network connectivity
  - Regardless of physical network topology (Firewalls / NAT’s) so long as there is outbound HTTPS access to the Connect Relay service
- Each connected machine has a routable IPv6 address
  - Connect agent sets up virtual network adapter
  - No changes to existing networks (additive model)
- Communication between resources is secured via end-to-end certificate-based IPSec
  - Scoped to Connect virtual network
  - Automated management of IPSec certificates
- DNS name resolution for connected resources based on machine names
  - Windows Azure instance → local computer
  - Local computer → Windows Azure instance

Page 10: Active Directory Domain Join

- Connect plug-in supports domain-join of WA Roles to on-premises Active Directory
- Scenarios enabled:
  - Log into WA role instances using domain accounts
  - Connect to on-premise SQL server using Windows Integrated Auth
  - Migrate LOB apps to cloud that assume domain-joined environment
- Process to enable:
  - Install Connect agent on DC / DNS server(s)
    - For multiple DC environment, recommend creating dedicated Site
  - Configure Connect plug-in to automatically join WA role instances to AD
    - Specify credentials used for domain-join operation
    - Specify target OU for WA role instances
    - Specify list of domain users / groups to add to local Administrators group
  - Configure network policy to enable connectivity between WA roles and DC / DNS servers
  - New WA role instances will automatically be domain-joined

Page 11: Windows Azure Connect - Roadmap

CTP Available Now

- On-premises agent for non-Windows Azure resources
  - Supports Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista SP1, and up
- Sign up on Windows Azure Portal under ‘Beta’ programs

Future release

- Enable connectivity using existing on-premises VPN devices

Page 12: Summary

- Windows Azure Connect enables secure network connectivity between Windows Azure services and on-premises resources
- Simple to set up & manage
  - Enable WA Roles using Connect plug-in
  - Install Connect agent on local computers
  - Configure network policy
- Useful scenarios:
  - Remote administration & troubleshooting
  - Windows Azure app access to on-premises servers
  - Domain-join Windows Azure roles

Page 13

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.