Connecting Windows Azure to Your Enterprise Network & Applications


What is connectivity, and why is it required in the current environment? Building applications for the cloud and hosting them there is one of the great things to have happened in recent times. However, you may have a number of existing applications that you wish to migrate to the cloud without moving your database server to the cloud. Or you may want to create a new application and host it in the cloud, but the new application needs to communicate with existing on-premises applications hosted in your enterprise's network. Another case is a new cloud-hosted application that relies on your enterprise's Active Directory for authentication. What options do you have? You could rewrite your on-premises applications for Azure and host them there, or, in the case of database servers, move them to SQL Azure in the cloud. But there is an easier option too.

Takeaways from this Session

Between CLOUD and ENTERPRISE:
• Secure Network Connectivity: Windows Azure Connect
• Application-layer Connectivity & Messaging: Service Bus
• Data Synchronization: SQL Azure Data Sync

Windows Azure Connect provides secure network connectivity between your on-premises environments and Windows Azure through standard IP protocols such as TCP and UDP. Connect provides IP-level connectivity between a Windows Azure application and machines running outside the Microsoft cloud.

The Service Bus provides secure messaging and connectivity capabilities that enable building distributed and disconnected applications in the cloud, as well as hybrid applications across both on-premises and the cloud. It supports various communication and messaging protocols and patterns, and saves the developer from having to worry about delivery assurance, reliable messaging and scale.

How many people here are familiar with Azure Connect or Service Bus? How many people here have actually used Azure Connect or Service Bus in one of their projects or engagements?

Windows Azure Connect

Introducing Windows Azure Connect

• Secure network connectivity between on-premises and cloud
  • Supports standard IP protocols
• Customer benefits and motivation
  • Leverage current IT investments
  • Cloud app integration with existing apps / data sources
  • Compliance / security drivers
• Simple setup and management

Focus more on application development rather than on network connectivity: Azure Connect takes care of network connectivity and secure communication.

Windows Azure Connect – Closer Look

• Enable WA Roles for external connectivity via service model
  • Identify which roles require connectivity using Connect.
  • Identify which external resources need to be connected with Azure roles.
• Enable external computers for connectivity by installing Connect agent
  • Supported platforms: Win Server 2008, 2008 R2, Vista, and Win7
• Network policy managed through WA portal
  • Granular control over connectivity
• Automatic setup of secure IPv6 network between connected role instances and external computers
  • Tunnel firewalls/NATs through hosted SSL-based relay service
  • Secured via end-to-end IPSec
  • DNS name resolution

Diagram: Windows Azure (Role A, Role B, Role C with multiple VMs) connected through the Relay to the Enterprise (dev machines, databases).

Windows Azure Service Deployment

• To use Connect with a WA service, enable one or more of its Roles
  • For Web & Worker Role, include the Connect plug-in as part of Service Model (.csdef file)
  • For VM role, install the Connect agent in VHD image using the Connect VM install package
• Connect agent will automatically be deployed for each new role instance that starts up
• Connect agent configuration managed through the ServiceConfiguration (.cscfg) file
  • “ActivationToken”: unique per-subscription token, accessed from Admin UI

On-Premise Deployment

• Local computers are enabled for connectivity by installing & activating the Connect agent
  • Web-based installation link
  • Standalone install package
• Connect agent tray icon & client UI
  • View activation state & connectivity status
  • Refresh network policy
• Connect agent automatically manages network connectivity
  • Sets up virtual network adapter
  • “Auto-connects” to Connect relay service as needed
  • Configures IPSec policy based on network policy
  • Enables DNS name resolution
  • Automatically syncs latest network policies

Management of Network Policy

• Connect network policy managed through Windows Azure admin portal
  • Managed on a per-subscription basis
• Local computers are organized into Groups
  • A computer can only belong to a single group at a time
  • Newly activated computers are ‘unassigned’ by default
• WA Roles can be connected to Groups
  • Enables network connectivity between all Role instances (VMs) and local computers in the Group
• Groups can be connected to other Groups
  • Enables network connectivity between computers in each group
  • In addition, a Group can be ‘interconnected’, which enables connectivity within a group
  • Useful for ad-hoc & roaming scenarios
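The grouping rules above decide which on-premises machines a role instance can reach, so they are worth modelling when a policy is reviewed. The following is an added example, not code from the presentation or from Windows Azure Connect: the `ConnectPolicy` class and every group, role and computer name are hypothetical, and it assumes connectivity is direct only, not transitive across linked groups.

```python
# Added example: a model of the Connect network policy rules on the slide
# above. Group, role and computer names are constructed; connectivity is
# assumed to be direct only (not transitive across linked groups).
from dataclasses import dataclass, field


@dataclass
class ConnectPolicy:
    groups: dict = field(default_factory=dict)          # group -> local computers
    interconnected: set = field(default_factory=set)    # groups with intra-group links
    role_links: set = field(default_factory=set)        # (role, group)
    group_links: set = field(default_factory=set)       # frozenset({group, group})
    role_instances: dict = field(default_factory=dict)  # role -> instance names

    def assign(self, computer, group):
        """A computer belongs to one group at a time, so assigning moves it."""
        for members in self.groups.values():
            members.discard(computer)
        self.groups.setdefault(group, set()).add(computer)

    def group_of(self, computer):
        return next((g for g, m in self.groups.items() if computer in m), None)

    def role_of(self, endpoint):
        return next((r for r, i in self.role_instances.items() if endpoint in i), None)

    def allowed(self, a, b):
        """True if the policy grants connectivity between endpoints a and b."""
        ra, rb = self.role_of(a), self.role_of(b)
        ga, gb = self.group_of(a), self.group_of(b)
        if ra and gb:
            return (ra, gb) in self.role_links
        if rb and ga:
            return (rb, ga) in self.role_links
        if ga and gb:
            if ga == gb:
                return ga in self.interconnected
            return frozenset((ga, gb)) in self.group_links
        return False  # 'unassigned' computer, or role-to-role (not modelled)

    def exposure(self, role):
        """Audit view: local computers that instances of `role` can reach."""
        return sorted(c for g, m in self.groups.items()
                      if (role, g) in self.role_links for c in m)


def sample_policy():
    p = ConnectPolicy(role_instances={"WebRole": {"WebRole_IN_0", "WebRole_IN_1"}})
    p.assign("sql01", "db-servers")
    p.assign("sql02", "db-servers")
    p.assign("dev-a", "dev-laptops")
    p.assign("dev-b", "dev-laptops")
    p.interconnected.add("dev-laptops")
    p.role_links.add(("WebRole", "db-servers"))
    p.group_links.add(frozenset(("dev-laptops", "db-servers")))
    return p  # "newbox" is activated but never assigned to a group


if __name__ == "__main__":
    p = sample_policy()
    print(p.exposure("WebRole"))          # before the move
    p.assign("dev-b", "db-servers")       # regrouping changes what the role reaches
    print(p.exposure("WebRole"))
```

Because a role link applies to every computer in the group, moving a machine into a linked group is the change to watch for in a policy review.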

Windows Azure Connect Scenarios

• WA Role accessing on-premise SQL server
  • Or file server, line-of-business app, etc.
• Domain-join scenarios
  • Control access to WA Role instances using domain accounts
  • Web role using IIS Windows Integrated Auth
  • Run role under domain account to access on-premises resources (e.g. SQL server secured with Windows Integrated Auth)
• Remote PowerShell to WA Role instances
  • Or remotely access a file share, event log, etc.

DEMO Connecting App running on Azure with on-premise database server

Windows Azure AppFabric Service Bus

The Service Bus provides secure messaging and connectivity capabilities that enable building distributed and disconnected applications in the cloud, as well as hybrid applications across both on-premises and the cloud. It supports various communication and messaging protocols and patterns, and saves the developer from having to worry about delivery assurance, reliable messaging and scale.

Connectivity Challenges

Diagram: a Client and a Service separated by FIREWALL and NAT boundaries (Client ? Service); each side opens an outbound, bi-directional TCP socket connection to the Service Bus.

Use Service Bus to:
• Connect Windows Azure Platform applications with existing applications and databases
• Bridge on- and off-premises applications
• Create composite applications

AppFabric Service Bus

• Provides secure messaging and connectivity across different network topologies
• Enables hybrid applications that span on-premises and the cloud
• Enables various communication protocols and patterns for developers to engage in reliable messaging

Service Bus Benefits
• Expose apps and services through firewalls, NAT gateways, and other problematic network boundaries
• Lower barriers to building composite applications by exposing endpoints easily, supporting multiple connection options and publish and subscribe for multicasting
• Lightweight, developer-friendly programming model that supports standard protocols and extends similar standard bindings for Windows® Communication Foundation programmers
• Helps block malicious traffic and shields your services from intrusions and denial-of-service attacks

Service Bus Features
• Services discovered through a stable, internet-accessible URL, irrespective of location
• One-way messaging between sender and listener supports unicast and multicast datagram distribution
• Full-duplex connection-oriented sessions between sender and listener support bi-directional communication
• Full-duplex, connection-oriented peer-to-peer sessions with network-boundary traversal create direct end-to-end connectivity through NAT
• Multiple publishers and multiple subscribers can simultaneously use the service’s topic management and event distribution system
• Support of REST and HTTP access from non-.NET platforms
• Global hierarchical namespaces that are DNS- and transport-independent
• Anonymous access to services is supported only if you permit it

Service Bus – Usage Patterns

• Connectivity: patterns for integrating apps
  • Service Remoting: extend services to the cloud
  • Cloud Eventing: distribute event notifications to remote listeners via the cloud
• Messaging: patterns for building scalable apps
  • Loosely Connected Clients: buffer messages for asynchronous retrieval by remote clients, using AppFabric Queue

Service Bus – New Features

• Load Balancing
• Management Services
• Durable Message Buffer

Load Balancing

• Explicit “Connection Points”
• Multiple listeners can share the same connection point
  • Load balancing
  • Sticky sessions
• Multiplexed traffic options for connection latency reduction

Diagram: Senders reach the Service Bus <ConnectionPoint> … </ConnectionPoint>, to which several Listeners subscribe.

The Anycast feature enables service providers to expose many service listeners on a single Windows Azure AppFabric Service Bus address and distribute incoming client connections and messages among the listening services. The load balancing feature allows multiple listeners on the same connection point, which provides for load balancing solutions with no single point of failure. It is implemented as load balancing with sticky sessions, that is, on a per-session (or per-client) basis rather than a per-call basis.

Namespace and Management

Management Surface Today
• Implicit for connectivity
  • Connection points created on-the-fly
• Explicit for message buffer
• Runtime artifacts (listeners, message buffers) share address space with management

The Windows Azure AppFabric Management Service is a Web service API that provides programmatic access to manage AppFabric Service Bus resources in the Windows Azure AppFabric CTP October Release. Using the Management Service API you can manage connection points and message buffers. The Management Service API is an AtomPub feed that supports creation, deletion and listing of connection points and message buffers. All the API operations are performed over SSL and are authenticated using a Simple Web Token from the AppFabric Access Control service. The Management Service API can be accessed from within a service running in Windows Azure, or directly over the Internet from any application that can send an HTTPS request and receive an HTTPS response. The SDK includes sample code for management operations via the Management Service.

Management Services

• Management consistently explicit
• Atom Pub protocol for management
• Split management and runtime surface
  • Two different views
  • Runtime URI: http://Namespace.servicebus.appfabriclabs.com
  • Management URI: https://Namespace-mgmt.servicebus.appfabriclabs.com
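The Management Service notes above say that every operation is authenticated with a Simple Web Token (SWT) from the Access Control service. The following added example, which is not code from the presentation or the SDK, shows what a relying service checks on such a token: the trailing HMACSHA256 pair, the expiry, and the issuer and audience. The key, issuer and audience values are constructed, and the helper names `sign_swt` and `verify_swt` are hypothetical.

```python
# Added example: verifying a Simple Web Token (SWT). Key, issuer, audience
# and claims are constructed sample values, not taken from the presentation.
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

SIG = "&HMACSHA256="
KEY = bytes(range(32))                                   # constructed signing key
ISSUER = "https://issuer.example/"                       # constructed
AUDIENCE = "https://example-mgmt.servicebus.example/"    # constructed


def sign_swt(claims, key):
    """Issuer side: form-encoded pairs with HMACSHA256 as the last pair."""
    body = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in claims)
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + SIG + quote(base64.b64encode(mac).decode(), safe="")


def verify_swt(token, key, audience, issuer, now=None):
    """Return the claims if the token is authentic, unexpired and addressed
    to this service; raise ValueError otherwise."""
    body, sep, sig = token.rpartition(SIG)
    if not sep or "&" in sig:
        raise ValueError("HMACSHA256 must be the final pair")
    try:
        presented = base64.b64decode(unquote(sig), validate=True)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    except ValueError:
        raise ValueError("malformed token") from None
    # The MAC covers the bytes exactly as received; compare in constant time.
    if not hmac.compare_digest(expected, presented):
        raise ValueError("bad signature")
    claims = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        if unquote(name) in claims:
            raise ValueError("duplicate claim name")
        claims[unquote(name)] = unquote(value)
    try:
        expires = int(claims["ExpiresOn"])               # seconds since the epoch
    except (KeyError, ValueError):
        raise ValueError("missing or invalid ExpiresOn") from None
    if expires <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if claims.get("Issuer") != issuer or claims.get("Audience") != audience:
        raise ValueError("unexpected issuer or audience")
    return claims


if __name__ == "__main__":
    token = sign_swt([("net.windows.servicebus.action", "Manage"),
                      ("Issuer", ISSUER), ("Audience", AUDIENCE),
                      ("ExpiresOn", str(int(time.time()) + 600))], KEY)
    print(verify_swt(token, KEY, AUDIENCE, ISSUER))
```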

DEMO AppFabric Service Bus – Load Balancing

This example runs against the CTP (AppFabric Labs), so you can expect some exceptions.

Feature Comparison

| Category | Connect | AppFabric |
|---|---|---|
| Purpose | An IPSec connection between the local machines and Azure roles. | An application service running on the cloud. |
| Connectivity | IPSec, domain join | NetTcp, Http, Https |
| Components | Windows Azure Connect Driver | Service Bus, Access Control, Caching |
| Usage | • Azure roles connect to local database server. • Azure roles use local shared files, folders and printers, etc. • Azure roles join the local AD. | • Expose the local service to Internet. • Move the authorization process to the cloud. • Integrate with existing identities such as Live ID, Google ID, etc. with existing local services. • Utilize the distributed cache. |

Which one to choose?

| Scenario | Connect | AppFabric |
|---|---|---|
| I have a service deployed in the Intranet and I want people to be able to use it from the Internet. | | ✓ |
| I have a website deployed on Azure that needs to use a database deployed inside the company, and I don’t want to expose the database to the Internet. | ✓ | |
| I have a service deployed in the Intranet that uses AD authorization. I have a website deployed on Azure which needs to use this service. | ✓ | |
| I have a service deployed in the Intranet and some people on the Internet can use it but need to be authorized and authenticated. | | ✓ |
| I have a service in the Intranet and a website deployed on Azure. The service can be used from the Internet, and the website should be able to use it as well, with AD authorization for more functionality. | ✓ | ✓ |

SQL Azure Data Sync

Introduction to SQL Azure Data Sync

Diagram: SQL Azure Data Sync synchronizes SQL Azure Databases with each other and with On-Premises (Headquarters), Remote Offices and Retail Stores.

SQL Azure Data Sync – Key Features

• Elastic Scale: service scales as resource requirements grow
• No-Code Sync Configuration: easily define data to be synchronized
• Schedule Sync: choose how often data is synchronized
• Conflict Handling: handle issues where the same data is changed in multiple locations
• Logging and Monitoring: administration capabilities for tracking data and monitoring potential issues

On-Premise to Cloud Sync Benefits

• Makes the cloud an extension rather than a replacement
• Enables moving workloads to the cloud in stages, preserving investment in existing infrastructure
• New scenarios spanning enterprise and cloud

Sync End to End Scenarios

Diagram: SQL Azure Data Sync links SQL Azure Database with Offline Applications, On-Premises Applications, and Retail & Remote Offices.

Microsoft Sync Framework 4.0 CTP available now!

DEMO SQL Azure Data Sync

Questions

Resources

• Software Application Developers: http://msdn.microsoft.com/ (msdnindia, @msdnindia)
• Infrastructure Professionals: http://technet.microsoft.com/ (technetindia, @technetindia)

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.