Connecting Cloud and On-Premises Applications Using Windows Azure Virtual Network
Jason Chen, Senior Program Manager, Microsoft
COS303
What is Windows Azure Virtual Network?
New pillar of the Windows Azure platform
  Suite of network services that expand the range of application scenarios that can be delivered on the platform
Windows Azure Connect
  First Virtual Network offering
  Enables cross-premises connectivity
Other services
  Global traffic management
  Datacenter network virtualization (coming in future)
Overview & Objectives
Windows Azure Connect enables new types of “hybrid” cloud computing scenarios to be delivered on the Windows Azure platform
Provides a network-level bridge between cloud and on-premises environments
  Facilitates cloud migration and adoption
Session objectives:
  Understand the key capabilities and features of Windows Azure Connect
  Be able to plan and perform a deployment of Windows Azure Connect
  Evaluate scenarios where Windows Azure Connect can be utilized
Introducing Windows Azure Connect
Secure network connectivity between on-premises and cloud
Supports standard IP protocols
Customer benefits and motivation:
  Leverage current IT investments
  Cloud app integration with existing apps / data sources
  Compliance / security drivers
Simple setup and management
  No VPN device or network configuration required
Available as CTP today
[Diagram: Azure and Enterprise environments connected by Windows Azure Connect]
Windows Azure Connect in Context
[Diagram: cloud on one side, enterprise on the other, with four integration layers between them]
  Data Synchronization: SQL Azure Data Sync
  Application-layer Connectivity & Messaging: Service Bus
  Security: Federated Identity and Access Control
  Secure Network Connectivity: Windows Azure Connect
Windows Azure Connect – Closer Look
Enable WA Roles for external connectivity via the service model
Enable external computers for connectivity by installing the Connect agent
  Win Server 2008, 2008 R2, Vista, and Win7 are the supported platforms
Network policy managed through the WA portal
  Granular control over connectivity
Automatic setup of a virtual IPv6 network between connected role instances and external computers
  Tunnels firewalls / NATs through a hosted SSL-based relay service
  Secured via end-to-end IPsec
  DNS name resolution
[Diagram: Role A, Role B and Role C (multiple VMs) in Windows Azure; dev machines and databases in the Enterprise; all connected through the Relay]
Windows Azure Service Deployment
To use Connect with a WA service, enable one or more of its Roles
  For Web & Worker Roles, include the Connect plug-in as part of the Service Model (.csdef file)
  For a VM role, install the Connect agent in the VHD image using the Connect VM install package
  The Connect agent will automatically be deployed for each new role instance that starts up
Connect agent configuration is managed through the ServiceConfiguration (.cscfg) file
  One required setting: "ActivationToken", a unique per-subscription token, accessed from the Admin UI
On-Premises Deployment
Local computers are enabled for connectivity by installing & activating the Connect agent
  Web-based installation link
    Retrieved from the admin UI
    Contains the per-subscription activation token embedded in the URL
    Treat the link as a credential: whoever has it can activate computers into your subscription's Connect network
  Standalone install package
    Reads the activation token from a registry key
    Enables installation using existing software distribution tools
Connect agent tray icon & client UI
  View activation state & connectivity status
  Refresh network policy
The Connect agent automatically manages network connectivity
  Sets up the virtual network adapter
  "Auto-connects" to the Connect relay service as needed
  Configures IPsec policy based on network policy
  Enables DNS name resolution
  Automatically syncs the latest network policies
Management of Network Policy
Connect network policy is managed through the Windows Azure admin portal
  Managed on a per-subscription basis
Local computers are organized into Groups
  E.g. "SQL Servers", "My Laptops", "Project Foo"
  A computer can only belong to a single group at a time
  Newly activated computers are 'unassigned' by default
WA Roles can be connected to Groups
  Enables network connectivity between all Role instances (VMs) and local computers in the Group
  WA Connect does not control connectivity between Roles or Role instances (done through existing mechanisms)
Groups can be connected to other Groups
  Enables network connectivity between computers in each group
  In addition, a Group can be 'interconnected', which enables connectivity within the group
  Useful for ad-hoc & roaming scenarios
Connect Network Policy - Example
[Diagram: group "My Servers" (SERVER1, SERVER2, SERVER3) and group "My Laptops" (DEV_LAPTOP1, DEV_LAPTOP2) on-premises; Role A and Role B, each with instances Instance1 to Instance3, in Windows Azure; lines show which Roles and Groups are connected]
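The rules on the previous slide decide, for any two endpoints, whether Connect will set up an IPsec path between them. The following PowerShell is an added example by the editor, not code from the session or from the Connect product: it models those rules and evaluates them against the policy drawn above. The group, computer and role names are the slide's; which connection lines the drawing contained cannot be recovered from the text, so the connections in $Policy are an assumption.

```powershell
# Added example (editor's, not from the session): model of Connect network policy.
# Group, computer and role names come from the slide; the connections are assumed.
$Policy = @{
    Groups = @{
        'My Servers' = @{ Members = @('SERVER1', 'SERVER2', 'SERVER3')
                          Interconnected = $true;  ConnectedGroups = @() }
        'My Laptops' = @{ Members = @('DEV_LAPTOP1', 'DEV_LAPTOP2')
                          Interconnected = $false; ConnectedGroups = @('My Servers') }
    }
    Roles = @{
        'Role A' = @{ ConnectedGroups = @('My Servers') }
        'Role B' = @{ ConnectedGroups = @('My Servers', 'My Laptops') }
    }
}

function Test-PolicyWellFormed {
    # A computer can belong to only one group at a time; reject a policy that breaks this.
    $seen = @{}
    foreach ($g in $Policy.Groups.GetEnumerator()) {
        foreach ($m in $g.Value.Members) {
            if ($seen.ContainsKey($m)) { throw "'$m' is in both '$($seen[$m])' and '$($g.Key)'" }
            $seen[$m] = $g.Key
        }
    }
    return $true
}

function Resolve-Endpoint([string]$Name) {
    # Role instances are written 'Role A/Instance2'; anything else is a local computer.
    if ($Name -match '^(?<role>[^/]+)/(?<inst>.+)$') {
        if (-not $Policy.Roles.ContainsKey($Matches.role)) { throw "Unknown role '$($Matches.role)'" }
        return New-Object psobject -Property @{ Kind = 'Role'; Id = $Matches.role; Group = $null }
    }
    $group = $null
    foreach ($g in $Policy.Groups.GetEnumerator()) {
        if ($g.Value.Members -contains $Name) { $group = $g.Key }
    }
    # A computer that is in no group is 'unassigned' and can reach nothing.
    return New-Object psobject -Property @{ Kind = 'Computer'; Id = $Name; Group = $group }
}

function Test-ConnectPolicy([string]$From, [string]$To) {
    $a = Resolve-Endpoint $From
    $b = Resolve-Endpoint $To
    if ($a.Kind -eq 'Role' -and $b.Kind -eq 'Role') {
        # Role-to-role traffic is outside Connect's policy; the service model governs it.
        return 'not governed by Connect'
    }
    if ($a.Kind -eq 'Computer' -and $b.Kind -eq 'Computer') {
        if (-not $a.Group -or -not $b.Group) { return 'blocked (unassigned computer)' }
        if ($a.Group -eq $b.Group) {
            if ($Policy.Groups[$a.Group].Interconnected) { return 'allowed (interconnected group)' }
            return 'blocked (group not interconnected)'
        }
        # A group-to-group connection is symmetric, whichever side it was drawn from.
        $linked = ($Policy.Groups[$a.Group].ConnectedGroups -contains $b.Group) -or
                  ($Policy.Groups[$b.Group].ConnectedGroups -contains $a.Group)
        if ($linked) { return 'allowed (group-to-group)' }
        return 'blocked'
    }
    # Exactly one side is a role: the role must be connected to the computer's group.
    $role = if ($a.Kind -eq 'Role') { $a } else { $b }
    $pc   = if ($a.Kind -eq 'Role') { $b } else { $a }
    if (-not $pc.Group) { return 'blocked (unassigned computer)' }
    if ($Policy.Roles[$role.Id].ConnectedGroups -contains $pc.Group) { return 'allowed (role-to-group)' }
    return 'blocked'
}

Test-PolicyWellFormed | Out-Null
'SERVER1 -> Role A/Instance2',
'DEV_LAPTOP1 -> Role A/Instance1',
'DEV_LAPTOP1 -> SERVER2',
'SERVER1 -> SERVER3',
'DEV_LAPTOP1 -> DEV_LAPTOP2',
'NEW_PC -> SERVER1',
'Role A/Instance1 -> Role B/Instance1' | ForEach-Object {
    $pair = $_ -split ' -> '
    '{0,-38} {1}' -f $_, (Test-ConnectPolicy $pair[0] $pair[1])
}
```

Under the assumed policy the laptops reach the servers but not each other, the servers reach each other because "My Servers" is interconnected, Role A reaches only the servers, and a newly activated (unassigned) computer reaches nothing until an administrator places it in a group. That last case is the one to remember when an agent shows "activated" but nothing connects.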
Connect Network Model
Connected resources (WA Role instances and external machines) have secure IP-level network connectivity
  Regardless of physical network topology (firewalls / NATs), so long as there is outbound HTTPS access to the Connect service
Each connected machine has a routable IPv6 address
  The Connect agent sets up a virtual network adapter
  No changes to existing networks (additive model)
Communication between resources is secured via end-to-end certificate-based IPsec
  Scoped to the Connect virtual network
  Automated management of IPsec certificates
DNS name resolution for connected resources is based on machine names
  Windows Azure instance -> local computer
  Local computer -> Windows Azure instance
Connect and Domain-Join
The Connect plug-in supports domain-join of WA Roles to on-premises Active Directory
Process to enable:
  Install the Connect agent on the DC / DNS server(s)
    For a multiple-DC environment, creating a dedicated Site is recommended
  Configure the Connect plug-in to automatically join WA role instances to AD
    Specify the credentials used for the domain-join operation
    Specify the target OU for WA role instances
    Specify the list of domain users / groups to add to the local Administrators group
  Configure network policy to enable connectivity between WA roles and the DC / DNS servers
  New WA role instances will automatically be domain-joined
Be aware: a domain-joined WA Role instance != an on-premises computer
  A role instance is not guaranteed to persist local state; role instance identities may change over time
  General guidance: have Role instances use AD identities rather than actively managing them as domain-joined computers
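Both the service deployment slide (enable the Connect plug-in in the .csdef, supply the ActivationToken in the .cscfg) and the domain-join steps above come down to a handful of settings in the service model. The script below is an added example by the editor, not code from the session or from the Connect SDK: it checks a .csdef/.cscfg pair for those settings before the package is uploaded. The .csdef and .cscfg content is constructed for the example, the token, domain, account, OU and group values are placeholders, and the setting names are the ones the Connect plug-in read from the .cscfg in the SDK of that era (prefix Microsoft.WindowsAzure.Plugins.Connect.); verify them against the plug-in shipped with your SDK. One caveat the slides do not spell out: the join account's password is an ordinary .cscfg setting, so give that account nothing beyond the right to create computer objects in the target OU, and keep the .cscfg out of source control.

```powershell
# Added example (editor's, not from the session): sanity-check the Connect settings
# in a service model. XML below is constructed; values are placeholders.
[xml]$csdef = @'
<ServiceDefinition name="CustomerSearch" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole1">
    <Imports><Import moduleName="Connect" /></Imports>
  </WebRole>
</ServiceDefinition>
'@

[xml]$cscfg = @'
<ServiceConfiguration serviceName="CustomerSearch" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole1">
    <Instances count="2" />
    <ConfigurationSettings>
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.ActivationToken" value="11111111-2222-3333-4444-555555555555" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.EnableDomainJoin" value="true" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainFQDN" value="mycontoso.com" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainControllerFQDN" value="dc1.mycontoso.com" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainAccountName" value="MYCONTOSO\svc-azurejoin" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainPassword" value="placeholder-only" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainOU" value="OU=AzureRoles,DC=mycontoso,DC=com" />
    </ConfigurationSettings>
  </Role>
</ServiceConfiguration>
'@

function Test-ConnectServiceModel([xml]$Definition, [xml]$Configuration) {
    $p = 'Microsoft.WindowsAzure.Plugins.Connect.'
    $guid = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'   # assumption: token is GUID-shaped
    $findings = @()
    $roles = $Definition.DocumentElement.ChildNodes | Where-Object { 'WebRole', 'WorkerRole' -contains $_.LocalName }
    foreach ($role in $roles) {
        $name = $role.GetAttribute('name')
        $imports = @($role.GetElementsByTagName('Import') | ForEach-Object { $_.GetAttribute('moduleName') })
        if ($imports -notcontains 'Connect') {
            $findings += "$name : Connect plug-in not imported in .csdef; role will not join the Connect network"
            continue
        }
        # Collect this role's settings from the .cscfg into a name -> value table.
        $cfg = $Configuration.DocumentElement.ChildNodes |
               Where-Object { $_.LocalName -eq 'Role' -and $_.GetAttribute('name') -eq $name } |
               Select-Object -First 1
        $s = @{}
        if ($cfg) { foreach ($e in $cfg.GetElementsByTagName('Setting')) { $s[$e.GetAttribute('name')] = $e.GetAttribute('value') } }
        if ($s["${p}ActivationToken"] -notmatch $guid) {
            $findings += "$name : ${p}ActivationToken missing or not a token from the portal"
        }
        if ($s["${p}EnableDomainJoin"] -eq 'true') {
            foreach ($req in 'DomainFQDN', 'DomainControllerFQDN', 'DomainAccountName', 'DomainPassword', 'DomainOU') {
                if (-not $s["$p$req"]) { $findings += "$name : domain join enabled but ${p}${req} is empty" }
            }
            if ($s["${p}DomainOU"] -and $s["${p}DomainOU"] -notmatch '^OU=') {
                $findings += "$name : DomainOU should be the distinguished name of the target OU"
            }
            if (-not $s["${p}Administrators"]) {
                $findings += "$name : no Administrators setting; no domain users or groups will be added to the local Administrators group"
            }
        }
    }
    return $findings
}

$findings = Test-ConnectServiceModel $csdef $cscfg
if ($findings) { $findings } else { 'Connect configuration looks complete' }
```

With the constructed configuration the script reports one finding, the missing Administrators setting, which is exactly the step on the slide that decides who can log on to the instances with a domain account.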
Windows Azure Connect - Scenarios
WA Role accessing an on-premises SQL server
  Or file server, line-of-business app, etc.
Domain-join scenarios
  Control access to WA Role instances using domain accounts
  Web role using IIS Windows Integrated Auth
  Run the role under a domain account to access on-premises resources (e.g. SQL server secured with Windows Integrated Auth)
Remote PowerShell to WA Role instances
  Or remotely access a file share, event log, etc.
"VPN as a Service"
  Ad-hoc connectivity between resources distributed across the internet
  Enable remote management & access
Demo: Windows Azure Connect Scenario
Demo Overview
[Diagram: the MyContoso.com domain on-premises with a DC, SQL Server, IIS servers, a file server and a remote admin workstation; a Web Role in Windows Azure; both the IIS servers and the Web Role serve http://customersearch.mycontoso.com]
Requirements for Customer Search:
  Frontend servers hosted in Windows Azure
  SQL server on-premises allows Windows Integrated Authentication only
  IIS / ASP.NET connect to the SQL server on-premises using Windows Integrated Authentication
  Domain-join Windows Azure machines to a specific OU
  Use AD accounts to lock down who can access the Windows Azure machines
  Remote admin of Windows Azure machines using Remote PowerShell
  Windows Azure machines can access file shares on on-premises machines
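The demo's remote-admin requirement depends on three things the slides establish separately: Connect DNS resolution returning the instance's IPv6 address, network policy connecting the admin machine to the role, and the instance having joined the domain so a domain account can authenticate. The script below is an added example by the editor, not code from the session: run from an on-premises admin machine that is itself on the Connect network, it checks those three things in order and then inspects the instance over Remote PowerShell. The instance name, domain and account are placeholders, and WinRM must already be enabled on the role instance; Connect does not do that for you.

```powershell
# Added example (editor's, not from the session): verify the Connect path to a
# role instance, then inspect its domain state over Remote PowerShell.
function Test-ConnectPeer {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    $r = New-Object psobject -Property @{ Computer = $ComputerName; Address = $null; Icmp = $false; WinRM = $false; Note = '' }
    # Connect name resolution must return the peer's virtual-network IPv6 address;
    # an IPv4-only answer means traffic would not go over Connect at all.
    try { $addrs = [System.Net.Dns]::GetHostAddresses($ComputerName) }
    catch { $r.Note = "name resolution failed: $($_.Exception.Message)"; return $r }
    $v6 = @($addrs | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' -and -not $_.IsIPv6LinkLocal })
    if ($v6.Count -eq 0) { $r.Note = 'no routable IPv6 address: Connect DNS resolution is not working for this peer'; return $r }
    $r.Address = $v6[0].ToString()
    # ICMPv6 echo over the Connect adapter; failure usually means the two endpoints
    # are not connected in network policy, so no IPsec SA is ever negotiated.
    $r.Icmp = [bool](Test-Connection -ComputerName $r.Address -Count 2 -Quiet -ErrorAction SilentlyContinue)
    if (-not $r.Icmp) { $r.Note = 'no ICMP reply: check that the two endpoints are connected in network policy'; return $r }
    $r.WinRM = [bool](Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    if (-not $r.WinRM) { $r.Note = 'WinRM is not listening on the role instance' }
    return $r
}

function Get-RoleInstanceDomainState {
    param([string]$ComputerName, [System.Management.Automation.PSCredential]$Credential)
    # Runs on the instance and reports what the demo cares about: domain membership
    # and which accounts ended up in the local Administrators group.
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        $cs = Get-WmiObject Win32_ComputerSystem
        $admins = ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') |
                  ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
        New-Object psobject -Property @{
            Name = $cs.Name; Domain = $cs.Domain; PartOfDomain = $cs.PartOfDomain
            LocalAdmins = ($admins -join ', ')
        }
    }
}

$instance = 'ROLEINSTANCE01'        # placeholder: the role instance's machine name
$state = Test-ConnectPeer -ComputerName $instance
$state | Format-List Computer, Address, Icmp, WinRM, Note
if ($state.WinRM) {
    $cred = Get-Credential 'MYCONTOSO\azureadmin'   # placeholder: an account from the Administrators setting
    $info = Get-RoleInstanceDomainState -ComputerName $instance -Credential $cred
    if (-not $info.PartOfDomain -or $info.Domain -ne 'mycontoso.com') {
        Write-Warning "$instance is not joined to mycontoso.com; domain accounts will not authenticate to it"
    }
    $info | Format-List Name, Domain, PartOfDomain, LocalAdmins
}
```

The order matters when troubleshooting: a resolution failure points at the Connect agent on the admin machine, an ICMP failure at network policy, a WinRM failure at the instance's own configuration, and a domain mismatch at the plug-in's domain-join settings.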
Considerations for using Connect
Appropriate for the scenario? Connect, or Service Bus, or ...?
  Network-level "machine" connectivity vs. application-level "service" federation
  No code changes vs. code changes
Platform requirements
  Windows Azure Connect currently supports Windows resources (Vista / Win7 and Win Server 2008 / 2008 R2)
Deployment topology
  Requires installation of the Connect agent software on the local computer
  Does not support connectivity to virtual IP addresses (e.g. an F5 device or a cluster)
Performance
  Impact of distributing app communication over the internet
  Latency is a function of internet connectivity to / from the Relay; Connect itself adds minimal overhead
  Throughput is impacted by "distance" to the Relay service
  May require app changes to mitigate (e.g. caching)
Windows Azure Connect – Roadmap
CTP refreshes released on 3/8 and 5/5
  Multi-admin support
  Improved client UI and diagnostics; support for non-English OS
  New relays in Europe and Asia
  Certificate-based Connect agent activation
Production release
  Geo-distributed Relays (co-located with all WA datacenters)
  Client updates distributed through Microsoft Update
Planned future enhancements:
  Connect management functionality exposed via REST API
  UDP-based relays for higher throughput
Futures: Windows Azure Connect Gateway
The customer assigns IPv4 address ranges / subnets in which their Windows Azure services & roles reside
Tenants are fully isolated & can have overlapping address ranges
The customer connects their existing VPN edge appliance to a cloud-hosted VPN gateway
  Supports standard IKE IPsec VPNs
The customer uses the WA role-to-subnet mapping to manage on-premises network policies (routing rules, ACLs) for cloud resources
[Diagram: Role A, Role B and Role C in Windows Azure placed in Subnet 1 and Subnet 2, connected to Corpnet through the gateway]
In Closing
Hopefully this session has provided you with a useful overview of Windows Azure Connect:
  Key capabilities and features
  How to deploy and manage
  Scenarios and considerations
Resources:
  http://microsoft.com/windowsazure to learn more & sign up
  Request access to the CTP through the Windows Azure Portal
  Team blog: http://blogs.msdn.com/b/windows_azure_connect_team_blog/
  Questions, issues: http://social.msdn.microsoft.com/Forums/en/windowsazureconnectivity
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.