windows azure connect
DESCRIPTION
Тема 6. Windows Azure Connect. Сергей Байдачный [email protected] Специалист по разработке программного обеспечения Майкрософт Украина. Introducing Windows Azure Connect. Windows Azure. Secure network connectivity between on-premises and cloud - PowerPoint PPT PresentationTRANSCRIPT
Windows Azure Connect
Сергей Байдачный[email protected]Специалист по разработке программного обеспеченияМайкрософт Украина
Тема 6
Introducing Windows Azure Connect
• Secure network connectivity between on-premises and cloud• Supports standard IP
protocols• Example use cases:
• Enterprise app migrated to Windows Azure that requires access to on-premise SQL Server
• Windows Azure app domain-joined to corporate Active Directory
• Remote administration and trouble-shooting of Windows Azure Roles
• Simple setup and management
Windows Azure
Enterprise
Windows Azure Connect – Closer Look• Enable Windows Azure (WA)
Roles for external connectivity via service model
• Enable local computers for connectivity by installing WA Connect agent
• Network policy managed through WA portal• Granular control over
connectivity• Automatic setup of secure IP-
level network between connected role instances and local computers• Tunnel firewalls/NAT’s through
hosted relay service• Secured via end-to-end IPSec• DNS name resolution
Role A
Role B
Role C(multiple
VM’s)
Windows Azure
Enterprise
Dev machines
Databases
Relay
Windows Azure Service Deployment
• To use Connect with a WA service, enable one or more of its Roles• For Web & Worker Role, include the Connect plug-in as part of
Service Model (.csdef file)• For VM role, install the Connect agent in VHD image using the
Connect VM install package• Connect agent will automatically be deployed for each new
role instance that starts up
• Connect agent configuration managed through the ServiceConfiguration (.cscfg) file• One required setting - “ActivationToken”
o Unique per-subscription token, accessed from Admin UI• Optional settings for managing AD domain-join and service
availability
On-Premises Deployment
• Local computers are enabled for connectivity by installing & activating the Connect agent• Web-based installation link
o Retrieved from admin UIo Contains per-subscription activation token embedded in URL
• Standalone install packageo Reads activation token from registry keyo Enables installation using existing S/W distribution tools
• Connect agent tray icon & client UI• View activation state & connectivity status • Refresh network policy
• Connect agent automatically manages network connectivity • Sets up virtual network adapter• “Auto-connects” to Connect relay service as needed• Configures IPSec policy based on network policy • Enables DNS name resolution • Automatically syncs latest network policies
Management of Network Policy
• Connect network policy managed through Windows Azure admin portal• Managed on a per-subscription basis
• Local computers are organized into Groups• E.g. “SQL Servers”, “My Laptops”, “Project Foo”• A computer can only belong to a single group at a time• Newly activated computers are ‘unassigned’ by default
• WA Roles can be connected to Groups• Enables network connectivity between all Role instances (VM’s) and
local computers in the Group• WA Connect does not control connectivity between Roles or Role
instances (done through existing mechanisms)• Groups can be connected to other Groups
• Enables network connectivity between computers in each group• In addition, a Group can be ‘interconnected’ - enables connectivity
within a group• Useful for ad-hoc & roaming scenarios
Network Policy - Example
SERVER1
SERVER2
Windows Azure
SERVER3 DEV_LAPTOP1
Role A
Instance3Instance2Instance
Role B
Instance3Instance2Instance
DEV_LAPTOP2
My Servers My Laptops
Active Directory Domain Join
• Connect plug-in supports domain-join of WA Roles to on-premises Active Directory
• Scenarios enabled:• Log into WA role instances using domain accounts• Connect to on-premise SQL server using Windows Integrated Auth• Migrate LOB apps to cloud that assume domain-joined environment
• Process to enable:• Install Connect agent on DC / DNS server(s)
o For multiple DC environment, recommend creating dedicated Site• Configure Connect plug-in to automatically join WA role instances to
ADo Specify credentials used for domain-join operationo Specify target OU for WA role instanceso Specify list of domain users / groups to add to local Administrators group
• Configure network policy to enable connectivity between WA roles and DC / DNS servers
• New WA role instances will automatically be domain-joined
Вопросы?
Virtual Machine Role
Сергей Байдачный[email protected]Специалист по разработке программного обеспеченияМайкрософт Украина
Тема 7
VM Role – Overview
Developers have full control over the OS image
Ability to upload your own customized WS08R2 Enterprise images
Operators can reboot, re-image and Remote Desktop
Continue to benefit from automated service management, including service model enhancements described on subsequent slides
VM Role Lifecycle• Convert product DVD to a VHD, or use existing VHD• Prepare the VHDBuild VM Image
• Create a service model with the above image.Create Service
• Store in Windows Azure blob storageUpload VM Image
• Include in service model. Specify instance count.• Package as cspkg.• Upload cskpg.
Deploy Service• Remote Desktop• Reboot• Reimage
Maintain Service
• Repeat above steps, with a new OS image.Upgrade Service
VM Role Lifecycle
CloudOn-Premises
Blob Storag
eBoot VHD
Customize VHD
Save Diff.VHD
Base.VHD
Identical/similar deployment instances using common uploaded OS image (base.VHD + diff.VHD)
& Additional Software& Windows Azure Integration Components - Agent - Runtime Interface (topo, config, shutdown notification, …) - Remote Desktop configurator - Diagnostics - Windows Azure Drives driver& Generalize (Recommended)
Creating a Service – Service Definition<ServiceDefinition name="MyVMRoleService" xmlns="…"> <VirtualMachineRole name="MachineRole" vmsize="Medium"> <Imports> <Import moduleName="RemoteAccess" /> <Import moduleName="RemoteForwarder" /> <Import moduleName="Diagnostics" /> </Imports> </VirtualMachineRole></ServiceDefinition>
Creating a Service – Service Configuration
<ServiceConfiguration serviceName="MyVMRoleService" xmlns="…"> <Role name="MachineRole"> <OsImage href="20101020BaseVM.vhd" /> <Instances count="2" /> <ConfigurationSettings> <Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" value="DefaultEndpointsProtocol=http;AccountName=mohittest;AccountKey=JEBzeqFeP176KkIeXoHxvs8pzs1SrdCTwQfrc2nk+mml7+tKc3k5TWMciGPmHgd1G2IOsT5FyJvv3dvaAqioRg==" /> <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.Enabled" value="true" /> <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountUsername" value="" /> <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword" value="" /> <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountExpiration" value="2012-07-23T23:59:59.0000000-07:00" /> <Setting name="Microsoft.WindowsAzure.Plugins.RemoteForwarder.Enabled" value="true" /> </ConfigurationSettings> <Certificates> <Certificate name="Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption" thumbprint="195FD938F86D8785FF53C660BCBD283819E0271A" thumbprintAlgorithm="sha1" /> </Certificates> </Role></ServiceConfiguration>
Как получить доступ к облаку
Azure.comДоступ возможен через MSDNДоступ на 24 часа через http://dev-club.in.uaДоступ на 30 дней – письмо мне
Ресурсы
Windows Azure Platform Training Kit (http://msdn.microsoft.com/en-us/wazplatformtrainingcourse.aspx)
Вопросы?