Take the Spaghetti out of Windows Azure – An insight for IT Pro Techies Part 2
DESCRIPTION
More info on http://www.techdays.be
TRANSCRIPT
Take the Spaghetti out of Windows Azure
An insight for IT Pro Techies Part 2
John Craddock, Infrastructure and Security Architect, XTSeminars Ltd
Agenda
• Part 1
  • Introduction to the Cloud
  • Windows Azure fundamentals
  • Building and deploying a Windows Azure service
• Part 2
  • Windows Azure storage
  • Connecting on-premise and Cloud systems
  • Managing identity with the Access Control Service
Demos
Storage
• Local storage can be allocated on an instance
• All roles, including VM roles, are stateless, so local storage should only be used for caching
• Persistent storage is managed through
  • BLOBs
  • Tables
  • Queues
  • SQL Azure
Storage Access
• Blobs, tables and queues are accessible via URLs
• Accessible via Representational State Transfer (REST) APIs
• Uses HTTP methods: POST, GET, PUT and DELETE
• Requests are signed with the storage key
• All Windows Azure storage can be accessed from anywhere
BLOBS – Just A Binary Object!
Diagram: Client / Role → Azure Blob Storage
GET https://storageaccountname.blob.core.windows.net/containername/blobname
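The storage-key signing of the GET above, as an added example that is not part of the original deck: it builds the Shared Key string-to-sign for that request, computes the HMAC-SHA256 Authorization header, and verifies it the way the storage service does. The account name, key, date and version header are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample account and key (base64, as the portal presents it);
# these are not real credentials.
ACCOUNT = "storageaccountname"
STORAGE_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret").decode()

# Standard headers, in the order the Shared Key string-to-sign lists them.
STANDARD_HEADERS = ["Content-Encoding", "Content-Language", "Content-Length",
                    "Content-MD5", "Content-Type", "Date", "If-Modified-Since",
                    "If-Match", "If-None-Match", "If-Unmodified-Since", "Range"]

def string_to_sign(method, url, headers):
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    std = "\n".join(lower.get(h.lower(), "") for h in STANDARD_HEADERS)
    # CanonicalizedHeaders: every x-ms-* header, lower-cased and sorted.
    ms = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower) if k.startswith("x-ms-"))
    # CanonicalizedResource: "/" + account + the URL path (no query string here).
    resource = f"/{ACCOUNT}{urlparse(url).path}"
    return f"{method}\n{std}\n{ms}{resource}"

def sign_request(method, url, headers, key_b64=STORAGE_KEY):
    """Return the Authorization header value: HMAC-SHA256 over the string-to-sign."""
    mac = hmac.new(base64.b64decode(key_b64),
                   string_to_sign(method, url, headers).encode("utf-8"),
                   hashlib.sha256).digest()
    return f"SharedKey {ACCOUNT}:{base64.b64encode(mac).decode()}"

def verify_request(method, url, headers, authorization, key_b64=STORAGE_KEY):
    """Service side: recompute the signature and compare in constant time."""
    expected = sign_request(method, url, headers, key_b64)
    return hmac.compare_digest(expected, authorization)

# Constructed request for the GET shown on the slide.
URL = "https://storageaccountname.blob.core.windows.net/containername/blobname"
HEADERS = {"x-ms-date": "Thu, 01 Mar 2012 10:00:00 GMT", "x-ms-version": "2009-09-19"}

if __name__ == "__main__":
    auth = sign_request("GET", URL, HEADERS)
    print("Authorization:", auth)
    print("verifies:", verify_request("GET", URL, HEADERS, auth))
```

Any change to the verb, path or signed headers, or a different key, produces a different signature, which is why the storage key must be treated as a credential and not shipped in client code.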
Tables
• Provides structured and semi-structured data storage capabilities
• Each entry can have a different structure if required
• Tables provide a non-relational store
Diagram: Client / Role → Azure Table Storage
https://storageaccountname.table.core.windows.net/…
Queues
• Queues can be used to send asynchronous messages to other role instances
Diagram: Client / Role → Azure Queues
https://storageaccountname.queue.core.windows.net/…
Windows SQL Azure
Diagram: an On-Premise application and a Worker Role each connect to SQL Azure over TDS; SQL Azure and On-Premise SQL are kept in step by database synchronization
Demo: Blobs, Tables and Queues
Content Delivery Network
• CDN caches Windows Azure blobs and static output content at locations around the world
• Provides best download performance for end users
Diagram: Hosted service → Cached content
Accessing Blobs via CDN
• CDN automatically caches
  • Blobs in public containers
  • Data contained in the /cdn folder of a hosted service
  • Only static content should be included
• Default TTL 72 hours
  • Can be set when uploading a blob
• Blob storage and CDN URLs can be enabled to use a custom domain name
Access to blob storage: http://myaccount.blob.core.windows.net/images/blob1.jpg
Access to CDN storage: http://<identifier>.vo.msecnd.net/images/blob1.jpg
Demo: Using CDN
Connecting Distributed Systems
Windows Azure Service Bus
• Endpoints establish the connection to the service bus
• Bidirectional communications via HTTPS
• There are no firewall changes required provided outbound HTTPS is enabled
• The service bus supports queues
Diagram: three Point of Sale terminals, Invoicing and Stock Control connected through the Azure Service Bus
Windows Azure Connect
• Creates a virtual network of computers and roles running in Windows Azure
• IPsec protected
Diagram: Web Role 1 (instance #0, instance #1) and Worker Role 1 (instance #0, instance #1) joined with on-premise computers in a Virtual network
Configuring Azure Connect
• Role requires activation for Azure Connect
  • Via Visual Studio or editing the configuration and definition files
  • The Connect ID must be specified
• Endpoint software must be installed on a local computer
  • Install via management portal
• Create an endpoint group and add activated roles and computers to enable connectivity
  • All computers within a group can optionally be allowed to connect to each other
  • Computers connected via IPv6 protected by IPsec
  • IPv6 address automatically configured
Creating A Group
Screenshot: list of computer endpoints; option to allow endpoints to communicate with each other; option to connect the computers listed above to roles, and to computers and roles in another group
Domain Joined Azure Roles
• Windows Azure roles can be joined to your domain via Connect, enabling
  • Logging in to role instances using domain accounts
  • Connecting to an on-premises SQL server using Windows Integrated Authentication
  • Migrating applications that assume a domain-joined environment
• The domain joining information must be configured via Visual Studio or editing the configuration files
• A domain controller running DNS must be part of your Azure Connect virtual network
Firewall rules
• Firewall rules on roles and computers must be configured to allow required IPv6 traffic
• For roles the rules can be created in a cmd script and executed as a startup task
  • The script file will need to be added to the project directory

Pingenable.cmd:
  echo Enable IPv6 Ping
  netsh advfirewall firewall add rule name="ICMPv6 echo" dir=in action=allow enable=yes protocol=icmpv6:128,any
  exit /b 0

ServiceDefinition.csdef:
  <Startup>
    <Task commandLine="pingenable.cmd" executionContext="elevated" taskType="simple"/>
  </Startup>
Demo: Windows Azure Connect
Cloud services and identity
• Application: on-premise, partner organization, or somewhere!!!
• User: on-premise, partner organization, or somewhere!!!
• User's identity: on-premise, partner organization, or 3rd party identity provider
Diagram: a user with the attributes Name: Fred, Password: *****, Age: 107, Country: Japan
Federation joins it all together
Access Control Service (ACS)
• Windows Azure AppFabric Access Control Service provides a method for applications and services to authenticate and authorize users
• ACS brokers authentication with popular identity providers
  • Live ID
  • Google
  • Yahoo
  • Facebook
• Relying parties can be applications or AD FS
Using ACS
Diagram: the user requests access to the relying party (an AD FS server or application), which trusts ACS. The user authenticates with one of the identity providers (Live ID, Google, Yahoo, AD FS 2.0, Facebook, OpenID) and presents the IdP token to the ACS STS; ACS processes the rules in its rules engine and issues a security token (ST) that the user presents to the relying party. The ACS administrator configures ACS through the management portal and management services.
Claims
The Security Token
• Contains claims about the user, for example:
  • Name
  • Group membership
  • User Principal Name (UPN)
  • Email address of user
  • Email address of manager
  • Phone number
  • Other attribute values
• Signed by issuer
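The rules engine and the signed security token from the ACS flow above, as an added example that is not part of the original deck: constructed claims from an IdP token are passed through ACS-style rules (pass-through, value mapping, and dropping anything no rule matches), and the resulting claims are issued as an issuer-signed token that the relying party verifies. The IdP name, namespace, relying party realm and key are placeholders, and the token format is a simplified HMAC stand-in for the token formats ACS actually issues.

```python
import base64
import hashlib
import hmac
import json

# Standard WS-Federation claim type URIs, as used by AD FS and ACS.
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
# Constructed: the claims ACS has extracted from an already-validated IdP token.
IDP_TOKEN = {"issuer": "adfs.contoso.example",          # placeholder IdP name
             "claims": [[UPN, "fred@contoso.example"],
                        [EMAIL, "fred@contoso.example"],
                        [ROLE, "Sales"],
                        [ROLE, "Staff"]]}
# Rules in the ACS shape: (issuer, input type, input value, output type, output value).
# None as input value means "any value"; None as output value means pass through.
RULES = [("adfs.contoso.example", UPN, None, NAME, None),             # UPN -> name
         ("adfs.contoso.example", EMAIL, None, EMAIL, None),          # pass through
         ("adfs.contoso.example", ROLE, "Sales", ROLE, "Invoicing")]  # group -> app role
RELYING_PARTY = "https://invoicing.contoso.example/"  # placeholder RP realm
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

def process_rules(token, rules):
    """Apply every matching rule; claims that no rule matches are dropped."""
    out = []
    for in_type, in_value in token["claims"]:
        for issuer, r_type, r_value, out_type, out_value in rules:
            if issuer == token["issuer"] and r_type == in_type and r_value in (None, in_value):
                out.append([out_type, in_value if out_value is None else out_value])
    return out

def issue_token(claims, audience, key=SIGNING_KEY):
    """Security token for the relying party: claims plus an HMAC by the issuer."""
    body = {"Issuer": "https://mynamespace.accesscontrol.windows.net/",  # placeholder
            "Audience": audience, "Claims": claims}
    payload = json.dumps(body, sort_keys=True).encode("utf-8")
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()

def verify_token(token, audience, key=SIGNING_KEY):
    # Relying party side: check the signature first, then the audience.
    payload_b64, sig_b64 = token.split(".", 1)
    payload = base64.b64decode(payload_b64)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig_b64)):
        return None
    body = json.loads(payload)
    return body["Claims"] if body["Audience"] == audience else None
```

The "Staff" role and any claim type without a rule never reach the relying party, which is the point of the rules step: the application only sees the claims the ACS administrator chose to release.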
Configuring ACS
• The relying party trusts can be configured through the exchange of federation metadata
Steps: Create AppFabric project → Create namespace → Configure identity providers → Configure relying party(ies) → Generate rules
Demo Environment
Diagram: AD FS and SharePoint (relying party and claims provider trusts) connected to Windows Azure ACS over HTTPS
Demo: Using ACS
As IT Pros we can provide
• Vision and insight on which systems to move to the cloud and which to host on-premise
• Defining the type of cloud service to use: IaaS, PaaS or SaaS
• Certificate management
• Authentication and authorization architectures
• Monitoring and managing cloud services
• Managing inter-cloud networking
• Strategies for service placement based on performance and legal requirements
• Backup strategies and implementation
TechEd 2012
• I will be speaking at TechEd 2012
• Precon: Building Federated External Access for Microsoft SharePoint 2010
• Other breakouts
Consulting Services on Request
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems, with a focus on security and high availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multi-nationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk
John Craddock, Infrastructure and Security Architect, XTSeminars Ltd
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.