Understanding Windows Azure Connect – PDC10 Session Review

Anthony Chavez – Director @ Windows Azure Networking Group

Introducing Windows Azure Connect

  • Secure network connectivity between on-premises and cloud
    • Supports standard IP protocols (TCP, UDP)
  • Example use cases:
    • Enterprise app migrated to Windows Azure that requires access to on-premise SQL Server
    • Windows Azure app domain-joined to corporate Active Directory
    • Remote administration and troubleshooting of Windows Azure roles
  • Simple setup and management


  • CTP release by end of 2010
    • Support connect from Azure to non-Azure resources
      • Supports Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista SP1, and up
  • Future releases
    • Enable connectivity using existing on-premises VPN devices

Closer Look

  • Three steps to setup Windows Azure connect
    1. Enable Windows Azure (WA) roles for External connectivity via service Model
      • Select only the roles that should be enabled for external onnectivity
    2. Enable local computers for connectivity by installing WA Connect Agent
    3. Configure/Manage your network policy that defines which Azure roles and which Azure computers can communicate.
      • defined using the Connect Portal
  • After the Configuration/Management of the Network Polity, Azure Connect automatically setups secure IP-level network between connected role instances and local computers
    • Tunnel firewall/NAT/s through hosted relay service
    • Secured via end-to-end IPSec
    • DNS name resolution

Windows Azure Service Deployment

  • To use Connect for a Windows Azure Service, enable one or more of its Roles
    • For Web & Worker Roles, include the connect plug-in as part of the Service Model (using .csdef file)
    • For VM Roles, install the connect agent in VHD image using Connect VM Install package
    • Connect agent will automatically be deployed for each new role instance that starts up
  • Connect agent configuration is managed through the ServiceConfiguration (.cscfg file)
    • One one configuration setting is required
      • ActivationToken
        • Unique per-subscription token, accessed from Admin UI
    • Several Optional settings for managing AD domain-join and service availability



    • Local computers are enabled for connectivity by installing & activating the Connect Agent. It can be retrieved from:
      • Web-based installation link
        • Retrieved from the Admin Portal
        • Contains per-subscription activation token embedded in the url
      • Standalone install package
        • Retrieved from the Admin Portal
        • Enabled installation using existing software distribution tools
    • Connect agent tray icon & client UI, enables us to:
      • View activation state & connectivity status
      • Refresh network policy
    • Connect agent automatically manages network connectivity, by:
      • Setting up a virtual network adapter
      • “Auto-connecting” to Connect relay service as needed
      • Configuring IPSec policy based on network policy
      • Enabling DNS name resolution
      • Automatically syncing latest network policies

Management of Network Policy

    • Connect network policy managed through Windows Azure admin portal
      • Managed on a per-subscription basis
    • Local Computers are organized into groups
      • Eg. “SQL Server Group”, “Laptops Group”, …
      • A computer can only belong to a single group at a time
      • Newly activated computers aren’t assigned to any group
    • Windows Azure roles can be connected to groups
      • Enabled network connectivity between all Role instances (VMs) and local computer in the Group
      • Windows Azure connect doesn’t connect to other Windows Azure Roles
    • Groups can be connected to other Groups
      • Enabled network connectivity between computers in each group
      • A group can be ‘interconnected’ – enables connectivity within the group
      • Useful for ad-hoc & roaming scenarios
        • Eg. your laptop having a secure connection back to a server that resides inside the corp net

Network Behavior

  • Connect resources (Windows Azure role instances and external machines) have secure IP-level network connectivity
    • Regardless of physical network topology (Firewall / NATs) as long as they support outbound HTTPs access to Connect Relay service
  • Each connected machine has a routable IPv6 address
    • Connect agent sets up the virtual network address
    • No changes to existing networks
  • Communication between resources is secured via end-to-end certificate-based IPSec
    • Scoped to Connect Virtual network
    • Automated management of IPSec certificates
  • DNS name resolution for connected resources based on machine names
    • Both directions are supported (Windows Azure to Local Computer or vice-versa)

Active Directory Domain Join

  • Connect plug-in support domain-join of Windows Azure roles to on-premise Active Directory
  • Eg. Scenarios:
    • Log into Windows Azure using Domain Accounts
    • Connect to on-premise SQL Server using Windows Integrated Authentication
    • Migrate LOB apps to cloud that assume domain-join environment
  • Process:
    1. Install Connect agent on DC/DNS servers
      • Recommendation: create a dedicated site in the case of multiple DC environment
    2. Configure Connect plug-in to automatically join Windows Azure role instances to Active Directory
      • Specify credentials used for domain-join operation
      • Specify the target OU for Windows Azure roles
      • Specify the list of domain users / groups to add to the local administrators group
    3. Configure the network policy to enable connectivity between Windows Azure roles and DC/DNS Servers
    • Note: New Windows Azure role instances will automatically be domain-joined

Finally the recap of Windows Azure Connect

  • Enables secure network connectivity between Windows Azure and on-premise resources
  • Simple to Setup & Manage
    • Enabled Windows Azure Roles using connect plug-in
    • Install Connect agent on local computers
    • Configure network policy
  • Useful Scenarios:
    • Remote administration & troubleshooting
    • Windows Azure Apps Access to on-premise Servers
    • Domain-join Windows Azure roles

One comment on “Understanding Windows Azure Connect – PDC10 Session Review

  1. Henry99 on said:

    I try to download the session-file CS67_AnthonyChavez_PDC_WMV_High_1280x720_2500k (high WMV) from
    but cannot achieve it.
    The right-click in Silverlight is not available.
    Can only left click which opens directly my Media Player without possibility to save the file to disk.
    Is there another way to get the Video-file to my hard-disk?
    Thanks, Heinrich

Leave a Reply

Your email address will not be published. Required fields are marked *



* Copy This Password *

* Type Or Paste Password Here *

2,821 Spam Comments Blocked so far by Spam Free Wordpress

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>