Connecting Cloud and On-Premises Applications Yousef A. Khalidi Distinguished Engineer Microsoft Corporation.


Why Embrace the Cloud?
Greater agility
Reduced cost
Enable new scenarios
  – Cloud as communication hub
  – Data sharing across devices
High-scale sharing is key
  – Economies of scale
  – Elasticity
  – Increased utilization

Cloud Spectrum
Windows Server: On Premises; Full system control
Windows Azure Appliance: On or Off Premises; Turnkey cloud platform appliance
Windows Azure: Off Premises; Global datacenters and CDN; Consumption or subscription pricing options
Diagram labels: Applications, Value Added Services, Storage Hardware, Network Hardware, Server Hardware

Evolving into Hybrid Clouds
Public Cloud
Private Cloud
Hosted Private Cloud
Secure Cloud Federation

Targeting Apps to Cloud
Some Easy Cases
  – e.g., web site sharing public data
Often, Forklift Approach Will Not Work
  – Careful decomposition needed
Questions To Consider
  – Application State
  – Data Sensitivity
  – Connectivity Needs
  – Application Portability
  – Latency Between Components
  – Regulation and Compliance
  – Application Scale

Targeting Apps to the Cloud
Application Data: State must be replicated, by app directly or in a replicated store
Application Configuration & Installation: Configuration state only a cache; no lengthy install step
Application Scale: App must scale horizontally (scale-out) not vertically (scale-up)
Application Dependencies: App must be able to run on cloud platform with no special hardware needs
Latency Needs: Shared cloud systems may not guarantee uniform/low latency among app components
Connectivity Needs: Intra- and inter-app connectivity needs must be clear
Data Sensitivity: Public clouds may not be able to host all sensitive data; encryption may be needed
Regulation & Compliance: Location and type of cloud matters

Secure Cloud Federation (Cloud / On-premises)
Data Synchronization: SQL Azure Data Sync
Application-layer Connectivity & Messaging: Windows Azure AppFabric Service Bus
Security: Federated Identity and Access Control
Secure Network Connectivity: Windows Azure Connect

Secure network connectivity between on-premises and cloud
  – Supports standard IP protocols
Enables hybrid apps access to on-premises servers
Allows remote administration of Windows Azure apps
Simple setup and management
  – Integrated with WA Service Model
  – Web, Worker and VM Roles supported
Diagram labels: Enterprise, Windows Azure

Windows Azure Connect Example Use Cases
Windows Azure enterprise apps that require connectivity to on-premises SQL Server
  – Migrate apps without requiring changes or relocating on-premises resources to be internet accessible
Windows Azure app domain-joined to on-premises AD
  – Control access to WA apps based on existing AD accounts and groups
Remote administration and trouble-shooting of WA apps
  – Remote PowerShell to access WA role instances

Windows Azure Connect Closer Look
Network policy managed through Windows Azure portal
  – Granular control of connectivity between WA roles and external machines
Automatic setup of IPsec
  – Tunnel firewalls/NATs through hosted SSL-based relay
  – Network policies enforced & traffic secured via end-to-end certificate-based IPsec
  – DNS name resolution based on endpoint machine names
Diagram labels: Enterprise, Windows Azure, Databases, Dev machines, Relay, Role A, Role B, Role C (multiple VMs)
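
The role-to-machine connectivity policy described on this slide, sketched as a default-deny check. This is an added example, not Microsoft's code or the Windows Azure Connect API; the ConnectPolicy class, its group and link structure, and the machine and group names are assumptions made for illustration.

```python
# Added illustration: hypothetical model of a role-to-machine connectivity policy.
from dataclasses import dataclass, field


@dataclass
class ConnectPolicy:
    # group name -> on-premises machine names (constructed sample names)
    groups: dict = field(default_factory=dict)
    # role name -> names of the groups that role may reach
    role_links: dict = field(default_factory=dict)

    def reachable(self, role):
        """Machines a role may reach; unknown roles or groups yield nothing (default deny)."""
        machines = set()
        for group in self.role_links.get(role, ()):
            machines |= set(self.groups.get(group, ()))
        return machines

    def allowed(self, role, machine):
        """True only when an explicit link puts the machine within the role's reach."""
        return machine in self.reachable(role)

    def exposure(self, machine):
        """Roles that can reach a machine, for reviewing who touches a sensitive server."""
        return sorted(r for r in self.role_links if self.allowed(r, machine))

    def dangling_links(self):
        """Links naming a group that is not defined: stale policy worth cleaning up."""
        return sorted((r, g) for r, gs in self.role_links.items()
                      for g in gs if g not in self.groups)


def sample_policy():
    # Constructed sample mirroring the slide: roles A to C, databases and dev machines.
    return ConnectPolicy(
        groups={"databases": ["sql01", "sql02"], "dev-machines": ["dev-pc-7"]},
        role_links={"RoleA": ["databases"],
                    "RoleB": ["dev-machines"],
                    "RoleC": ["databases", "retired-group"]},
    )


if __name__ == "__main__":
    p = sample_policy()
    print("RoleA -> sql01:", p.allowed("RoleA", "sql01"))
    print("RoleB -> sql01:", p.allowed("RoleB", "sql01"))
    print("roles reaching sql01:", p.exposure("sql01"))
    print("dangling links:", p.dangling_links())
```

The exposure and dangling_links checks are the review questions for such a policy: which roles can reach a sensitive server, and which links refer to groups that no longer exist.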

Windows Azure Connect Roadmap
CTP release in November 2010
  – On-premises agent for non-Windows Azure apps
      Supports Windows Server 2008, Windows 7, Windows Vista SP1, and up
Future release
  – Enable connectivity using existing on-premises VPN devices


Cloud Security Considerations
Identity and Access Management
  – Federate from on-premises to the cloud
  – Federate across organization and country borders
Application operational processes
  – Should be integrated into the organization’s security management
Communication and endpoint integrity
  – Applications and clients are no longer behind firewall
Compliance and Risk Management
  – Cloud customers still responsible for compliance and risk management

Regulations and National Boundaries
Do you know where your data resides?
Hybrid clouds can span national boundaries
Many governments regulate where data can live
  – And where it cannot
Policy controls are needed for data and applications
  – Driven by regulations and business needs

Federated Identity and Access Control
.NET Windows Identity Foundation
  – WS-Federation, WS-Security, WS-Trust protocols
ADFS2
  – On-premises server
Access Control
  – Identity federation service
Security: Federated Identity and Access Control


Service Bus
Extends reach of applications securely through the cloud
Enables multi-tenant apps to integrate with tenants’ on-premises services
Securely integrates partners outside of org boundaries
Extends reach of on-premises web services layer
Enables leveraging cloud quickly without having to rewrite apps
Diagram labels: App 1, App 2, Send, Receive, Service Bus

Service Bus – Usage Patterns
Connectivity – patterns for integrating apps
  – Service Remoting – Extend services to the cloud
  – Cloud Eventing – Distribute event notifications to remote listeners via the cloud
  – Protocol Tunneling – Interconnect distributed applications that are not web services
Messaging – patterns for building scalable apps
  – Load Leveling – Mediate message flows between components with different send/receive rates
  – Loosely Connected Clients – Buffer messages for asynchronous retrieval by remote clients

Service Bus – Core Capabilities
Service location and discovery
  – Simple registry, endpoint naming and discovery
  – Access via lightweight ATOM protocols from any platform
Cloud-based communications relay
  – Allows bridging across NATs and Firewalls
  – Claims-based access control with identity federation and rules
  – Standards based HTTP or High Performance TCP
Cloud-based messaging service
  – Message buffers accessible via a simple REST API
BizTalk Server 2010 (AppFabric Connect)
  – Service Bus plus BizTalk 2010 to connect to on-premises legacy systems

Service Bus – Roadmap
CTP release in October 2010
  – Durable Message Buffers
  – Listener Load Balancing
New features coming in CY2011
  – Message Buffer Enhancements (Grouping, Batching, etc.)
  – Topics (Publish/Subscribe)
  – Router (Push Messaging)
AppFabric Connect ships with BizTalk Server 2010


SQL Azure Data Sync
Powers movement of data
  – Cloud  cloud
  – On-premises  cloud
Getting data where you need it
  – Sync SQL Azure instances
  – Sync SQL Server to SQL Azure
  – Sync offline apps to SQL Azure
  – Enable geo-replication of data
Diagram labels: Sync, SQL Azure

SQL Azure Data Sync Example Use Cases
Move workloads in stages preserving existing infrastructure
  – Move part of the application and sync its data
Meet compliance and regulations
  – Control data synchronized off-premises
Enable scale-out read or read/write
  – Multiple synchronized databases for scalability
Preserve data – geo replication of data
Enable new scenarios
  – Spanning enterprise, cloud and remote offices/retail stores

SQL Azure Data Sync Closer Look
Diagram labels: Data Sync Service, SQL Azure, TDS, SQL Server, Local Agent, SQL Server Sync Provider, SQL Server Proxy Provider, Sync Orchestrator, SQL Server Provider, HTTPS, On Premises, Windows Azure

SQL Azure Data Sync – Roadmap
Diagram labels: On-Premises (Headquarters), Remote Offices, Retail Stores, Data Sync Service For SQL Azure, SQL Azure Database, Sync
Now
CTP2 – Coming Soon

Getting Connected: Where to Start
You can use all services together as they play different roles
You can mix and match
If you are optimizing SQL data access: Look at SQL Data Sync
If you are composing application services: Look at Service Bus and Access Control
If you are bridging systems: Look at Windows Azure Connect
Or use them All!

Summary
SQL Azure Data Sync
  – Synchronize SQL Azure instances
  – SQL Server to SQL Azure Sync
  – Move Data Closer to Apps
AppFabric Service Bus
  – Application-layer connectivity & messaging
  – Secure WCF service-remoting, eventing & protocol tunneling
Windows Azure Connect
  – Secure network connectivity between on-premises and cloud
  – IP-level connectivity, IPsec based
  – Extend Active Directory to cloud
Security
  – Windows Identity Foundation
  – WS-Federation, WS-Security, WS-Trust
  – ADFS2, Access Control

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.