Understanding Windows Azure Connect – PDC10 Session Review

Anthony Chavez – Director @ Windows Azure Networking Group

Introducing Windows Azure Connect

  • Secure network connectivity between on-premises and cloud
    • Supports standard IP protocols (TCP, UDP)
  • Example use cases:
    • Enterprise app migrated to Windows Azure that requires access to on-premise SQL Server
    • Windows Azure app domain-joined to corporate Active Directory
    • Remote administration and troubleshooting of Windows Azure roles
  • Simple setup and management

Roadmap

  • CTP release by end of 2010
    • Support connect from Azure to non-Azure resources
      • Supports Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista SP1, and up
  • Future releases
    • Enable connectivity using existing on-premises VPN devices

Closer Look

  • Three steps to setup Windows Azure connect
    1. Enable Windows Azure (WA) roles for External connectivity via service Model
      • Select only the roles that should be enabled for external onnectivity
    2. Enable local computers for connectivity by installing WA Connect Agent
    3. Configure/Manage your network policy that defines which Azure roles and which Azure computers can communicate.
      • defined using the Connect Portal
  • After the Configuration/Management of the Network Polity, Azure Connect automatically setups secure IP-level network between connected role instances and local computers
    • Tunnel firewall/NAT/s through hosted relay service
    • Secured via end-to-end IPSec
    • DNS name resolution

Windows Azure Service Deployment

  • To use Connect for a Windows Azure Service, enable one or more of its Roles
    • For Web & Worker Roles, include the connect plug-in as part of the Service Model (using .csdef file)
    • For VM Roles, install the connect agent in VHD image using Connect VM Install package
    • Connect agent will automatically be deployed for each new role instance that starts up
  • Connect agent configuration is managed through the ServiceConfiguration (.cscfg file)
    • One one configuration setting is required
      • ActivationToken
        • Unique per-subscription token, accessed from Admin UI
    • Several Optional settings for managing AD domain-join and service availability

Deployment

On-Premise

    • Local computers are enabled for connectivity by installing & activating the Connect Agent. It can be retrieved from:
      • Web-based installation link
        • Retrieved from the Admin Portal
        • Contains per-subscription activation token embedded in the url
      • Standalone install package
        • Retrieved from the Admin Portal
        • Enabled installation using existing software distribution tools
    • Connect agent tray icon & client UI, enables us to:
      • View activation state & connectivity status
      • Refresh network policy
    • Connect agent automatically manages network connectivity, by:
      • Setting up a virtual network adapter
      • “Auto-connecting” to Connect relay service as needed
      • Configuring IPSec policy based on network policy
      • Enabling DNS name resolution
      • Automatically syncing latest network policies

Management of Network Policy

    • Connect network policy managed through Windows Azure admin portal
      • Managed on a per-subscription basis
    • Local Computers are organized into groups
      • Eg. “SQL Server Group”, “Laptops Group”, …
      • A computer can only belong to a single group at a time
      • Newly activated computers aren’t assigned to any group
    • Windows Azure roles can be connected to groups
      • Enabled network connectivity between all Role instances (VMs) and local computer in the Group
      • Windows Azure connect doesn’t connect to other Windows Azure Roles
    • Groups can be connected to other Groups
      • Enabled network connectivity between computers in each group
      • A group can be ‘interconnected’ – enables connectivity within the group
      • Useful for ad-hoc & roaming scenarios
        • Eg. your laptop having a secure connection back to a server that resides inside the corp net

Network Behavior

  • Connect resources (Windows Azure role instances and external machines) have secure IP-level network connectivity
    • Regardless of physical network topology (Firewall / NATs) as long as they support outbound HTTPs access to Connect Relay service
  • Each connected machine has a routable IPv6 address
    • Connect agent sets up the virtual network address
    • No changes to existing networks
  • Communication between resources is secured via end-to-end certificate-based IPSec
    • Scoped to Connect Virtual network
    • Automated management of IPSec certificates
  • DNS name resolution for connected resources based on machine names
    • Both directions are supported (Windows Azure to Local Computer or vice-versa)

Active Directory Domain Join

  • Connect plug-in support domain-join of Windows Azure roles to on-premise Active Directory
  • Eg. Scenarios:
    • Log into Windows Azure using Domain Accounts
    • Connect to on-premise SQL Server using Windows Integrated Authentication
    • Migrate LOB apps to cloud that assume domain-join environment
  • Process:
    1. Install Connect agent on DC/DNS servers
      • Recommendation: create a dedicated site in the case of multiple DC environment
    2. Configure Connect plug-in to automatically join Windows Azure role instances to Active Directory
      • Specify credentials used for domain-join operation
      • Specify the target OU for Windows Azure roles
      • Specify the list of domain users / groups to add to the local administrators group
    3. Configure the network policy to enable connectivity between Windows Azure roles and DC/DNS Servers
    • Note: New Windows Azure role instances will automatically be domain-joined

Finally the recap of Windows Azure Connect

  • Enables secure network connectivity between Windows Azure and on-premise resources
  • Simple to Setup & Manage
    • Enabled Windows Azure Roles using connect plug-in
    • Install Connect agent on local computers
    • Configure network policy
  • Useful Scenarios:
    • Remote administration & troubleshooting
    • Windows Azure Apps Access to on-premise Servers
    • Domain-join Windows Azure roles

One thought on “Understanding Windows Azure Connect – PDC10 Session Review”

Leave a Reply

Your email address will not be published. Required fields are marked *


*