Azure™ Services Platform: Microsoft .NET Services, An Introduction. Clemens Vasters, Technical Lead, Microsoft Corporation

Upload: damian-patterson

Post on 06-Jan-2018


DESCRIPTION

A Look Inside Azure

TRANSCRIPT

Page 1

Azure™ Services Platform

Microsoft .NET Services: An Introduction

Clemens Vasters, Technical Lead, Microsoft Corporation

Page 2

Azure™ Services Platform

Page 3

A Look Inside Azure

Diagram labels: Service Bus; Access Control; Workflow; Database; Reporting; Analytics; Compute; Storage; Manage; Identity; Devices; Contacts; Your Applications

Page 4

.NET Services - Principles

- Extending .NET technologies to the cloud
- Open and Interoperable
- REST, SOAP, ATOM, …
- Class libraries for Java, Ruby, …
- Easy-to-use from .NET
- Build on existing skills and concepts
- Initial focus on three key challenges
- Application Integration
- Application Extensibility
- Federated Access Control

Page 5

Enterprise Service Bus

Diagram labels: Service Orchestration; Service Registry; Naming; Federated Identity and Access Control; Messaging Fabric; CRM (Customers, Leads, Trends, Campaigns); Supply Chain (Inventory, Order Entry, Planning, Purchasing); Point Of Sale (POS Integration, Product Catalog, Returns, Web Store)

Page 6

Internet Service Bus

Diagram labels: Service Orchestration; Service Registry; Naming; Federated Identity and Access Control; Messaging Fabric; Clients; MS/3rd Party Services; On-Premise ESB; ESB; Desktop, RIA, Web; Desktop, RIA, & Web; Your Services

Page 7

Secure Cross-Enterprise Integration

Diagram labels: Fabrikam; AD; .NET Service Bus; .NET Access Control Service; Contoso; AD; Purchasing; Order Entry; Identity Provider; Trust

- Access Control Rules govern endpoint access
- Zero Inbound Firewall/NAT Ports

Page 8

Secure Cross-Enterprise Integration

Diagram labels: Fabrikam; AD; Access Control; Contoso; AD; Purchasing; Order Entry; Identity Provider; Trust; Access Control; AD; Purchasing; Order Entry

- Access Control Rules govern endpoint access
- Outbound-only Internet edges

1. Acquire Identity Token
2. Acquire Access Token w/ ID Token
3. Send Message with Access Token
4. Validate Access Token
5. Relay Message to Target

Page 9

Point Of Sale Integration

Diagram labels: Fabrikam; AD; .NET Service Bus; .NET Access Control Service; Partner Store Helsinki; Analytics; Inventory; Factory Store Madrid; Inventory; Factory Store Brussels; Inventory

Real-time Sales and Inventory Analytics

Page 10

Document Itineraries

Diagram labels: Fabrikam; AD; .NET Workflow Service; .NET Service Bus; .NET Access Control Service; Parts Vendor B; Purchasing; Order Entry; Parts Vendor A; Order Entry; Logistics Partner; Order Entry; Workflow

- Just-In-Time Acquisition and Delivery
- On-Demand Delivery

Page 11

Personal Photo Sharing

Diagram labels: .NET Access Control Service; .NET Service Bus; Borge’s Home Server (Photos); Ahti’s PDA (Photos); Maria’s Mac (Photos); Celine’s PC (Photos); Eva’s Phone (Photos)

Residential Broadband or GSM or 3G

Page 12

.NET Access Control Service

Diagram labels: Service Orchestration; Service Registry; Naming; Federated Identity and Access Control; Messaging Fabric

Page 13

Access Control – Key Challenges

- Many identity providers, many vendors, many protocols, complex semantics – tricky to get right
- Application strewn with one-off access logic
- Hard to get right, not agile, not compliant, many dead ends

Diagram labels: Corporate Directory; Solution Identities; Extranet Identities; SaaS Platform Identities

Page 14

Access Control – Approach

- Automate federation for a wide range of identity providers and technologies
- Factor the access control logic from the application into a manageable collection of rules
- Easy-to-use framework that ensures correct token processing

Diagram labels: Corporate Directory; Solution Identities; Extranet Identities; SaaS Platform Identities; .NET Access Control Service

Page 15

Access Control Interactions

Diagram labels: Your Access Control Project (a hosted STS); Relying Party (Your App); Requestor (Your Customer); IP

Define access control rules for a customer

0. Certificate exchange; periodically refreshed
1. Acquire Claims
2. Send Claims
3. Map input claims to output claims based on access control rules
4. Send Token (output claims from 3)
5. Send Message w/token
6. Claims checked in Relying Party

Page 16

Access Control Rules

- Scope: Protected resource hierarchy
- Subscope: Delegated, independent branch
- Rule: ‘All’ or ‘Any’ input-claims match
- Positive rule match yields single output-claim

Diagram labels: Contoso; Litware; Fabrikam

Scope – http://contoso.com/

Subscope – http://contoso.com/sales/

Group ‘CorpSales’ from Contoso ‘Contrib-Internal’

Group ‘Contoso’ from Litware ‘Contrib-External’

Group ‘Purchasing’ from Fabrikam ‘Read-Partners’

Group ‘Admins’ from Contoso ‘Administrator’
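
The rule model on this slide, together with steps 3 and 6 of the Access Control Interactions slide, as an added example (not code from the presentation or from the .NET Access Control Service). The names `Rule`, `map_claims` and `relying_party_allows`, the placement of each sample rule in a scope, longest-prefix scope resolution and the reading of "independent branch" as "parent rules are not inherited" are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Claim = Tuple[str, str, str]  # (issuer, claim type, value); the issuer is part of the identity


@dataclass(frozen=True)
class Rule:
    inputs: FrozenSet[Claim]
    mode: str    # "all" or "any"
    output: str  # a positive match yields exactly one output claim

    def __post_init__(self) -> None:
        # An empty "all" rule would match every requestor (vacuous truth), so refuse it.
        if not self.inputs or self.mode not in ("all", "any"):
            raise ValueError("rule needs at least one input claim and mode 'all' or 'any'")

    def matches(self, presented: Set[Claim]) -> bool:
        hits = self.inputs & presented
        return hits == self.inputs if self.mode == "all" else bool(hits)


def group(issuer: str, name: str) -> FrozenSet[Claim]:
    return frozenset({(issuer, "Group", name)})


# Constructed rule set; which scope each rule belongs to is an assumption.
SCOPES: Dict[str, List[Rule]] = {
    "http://contoso.com/": [Rule(group("Contoso", "Admins"), "any", "Administrator")],
    "http://contoso.com/sales/": [
        Rule(group("Contoso", "CorpSales"), "any", "Contrib-Internal"),
        Rule(group("Litware", "Contoso"), "any", "Contrib-External"),
        Rule(group("Fabrikam", "Purchasing"), "any", "Read-Partners"),
    ],
}


def resolve_scope(resource: str) -> Optional[str]:
    # Longest-prefix match; scope URIs end in "/" so "http://contoso.com.example/" cannot match.
    candidates = [s for s in SCOPES if resource.startswith(s)]
    return max(candidates, key=len) if candidates else None


def map_claims(resource: str, presented: Set[Claim]) -> Set[str]:
    # Step 3 on the interactions slide: input claims -> output claims. No match means no claims.
    scope = resolve_scope(resource)
    return {r.output for r in SCOPES[scope] if r.matches(presented)} if scope else set()


def relying_party_allows(resource: str, required: str, presented: Set[Claim]) -> bool:
    # Step 6: the relying party checks only the output claims carried in the token.
    return required in map_claims(resource, presented)
```

Because the issuer is part of each input claim, a Group ‘Admins’ claim issued by Fabrikam does not satisfy the rule written for Contoso's ‘Admins’ group, and a requestor that matches no rule receives no output claims.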

Page 17

Access Control Summary

- Flexible, rules-driven access control
- Rich support for a wide range of identity providers
- The Geneva framework is the .NET developer experience
- Easy to incorporate into existing applications
- Works with lots of other environments; e.g. Sun’s Java Metro 1.3, …

Page 18

.NET Workflow Service

Diagram labels: Service Orchestration; Service Registry; Naming; Federated Identity and Access Control; Messaging Fabric

Page 19

Workflow – Key Challenges

- Want to describe long-running processes
- Want to orchestrate work across services
- Want modularity and nesting
- Easy to describe but in practice harder to run
- Hosting and scaling can be challenging
- Setup and installing, define scale-out approach, ensure long-running availability, manage upgrades, …

Page 20

Workflow Service – Overview

- Internet-Scoped Service Orchestration
- Specialized Activity Library

Diagram labels: .NET Workflow Service; Types; Instances; WF Models (XOML); Control Flow + Activities; Portal; API; Visual Studio Workflow Designer; Custom Designers / Generators

Page 21

Windows Workflow Foundation vs. .NET Workflow Service

- WF is a general-purpose Framework
- Broad extensibility: Custom and code activities
- Simple hosting options (standalone or via WCF)
- Sophisticated hosting options via extensions

- .NET Workflow Service builds on WF
- Specialized, high-scale, resilient hosting environment
- Specialized set of activities for Orchestration
- Intentionally not a general-purpose host

Diagram labels: Scalability & Fault Resilience; Less Constrained Runtime; More Constrained Runtime

Page 22

Supported Workflow Activities (PDC)

Standard WF Activity     Description
IfElse                   Conditional Branch
Sequence                 Sequence of Activities
Suspend                  Suspends execution until external intervention
Terminate                Terminates the workflow
While                    Executes a conditional loop

.NET Workflow Activity   Description
Delay                    Delays execution for a period of time
HttpSend                 Sends an outbound HTTP request
HttpReceive              Waits for an inbound HTTP request
ServiceBusSend           Sends a message via the Service Bus
XPathRead                Extracts a value from a message using XPath
XPathUpdate              Updates a value in a message using XPath

Page 23

Workflow Service Summary

- Execute Workflows with high availability
- Design Workflows using existing tools
- Easily deploy and manage Workflows
- Portal for easy access
- Management APIs for rich automation

Page 24

.NET Service Bus

Diagram labels: Service Orchestration; Service Registry; Naming; Federated Identity and Access Control; Messaging Fabric

Page 25

Service Bus

- Key developer challenges
- Want to make it easy and secure for partners to use your application
- Don’t always know the characteristics or scale of the integration
- Partners / customers / users have devices and services running behind firewalls

- Approach
- Provide a high-scale, highly available “Service Bus” that supports open Internet protocols

Page 26

Connectivity Challenges

- IPv4 Address Shortage
- Dynamic IP address allocation
- Network Address Translation (NAT)
- Internet is pwn3d by the bad guys
- Firewalls layered over firewalls over firewalls

Diagram labels: Sender; Receiver?; Machine Firewall; Network Firewall; Network Address Translation; Dynamic IP

Page 27

Service Bus Naming

Federated, hierarchical, DNS-integrated, transport-neutral naming system

Diagram labels: Root; Solution; Solution; Solution; NameA; NameB; NameC; Name1; Name2; Name3

Page 28

Service Registry

[http|sb]://servicebus.windows.net/services/account/svc/…

Diagram labels: Root; servicebus.windows.net; services; account; contoso; svc; Service Registry Root; Multi-Tenant

The service registry provides a mapping from URIs to services

Page 29

Connectivity

- Three key capabilities
- Multi-protocol, relayed connectivity
- Ensure applications can interconnect
- Discovery via common service registry
- NAT-NAT Traversal
- Uses the relay to establish communication
- Then shortcuts for efficiency
- One-way datagram/event distribution
- Unicast, Multicast and – soon – Anycast
- Lightweight publish/subscribe model
- Model will expand to cover queues and topics
- Available in .NET via WCF Bindings

Page 30

Relayed Communication

sb://servicebus.windows.net/services/solution/a/b/

Diagram labels: Service Bus; Sender; Receiver; outbound connect one-way net.tcp; TCP/SSL 828; Backend Naming Routing Fabric; Frontend Nodes; TCP/SSL 808/828; outbound connect bidi socket; Msg; Msg; NAT; Firewall; Dynamic IP; Subscribe; Route; NLB

Page 31

Service Bus Summary

- Service Registry
- Relay and direct connect connectivity
- Event distribution
- Integrated with Access Control services

Page 32

Q & A
