Introducing Windows Azure Connect
- Secure network connectivity between on-premises and cloud
- Supports standard IP protocols (TCP, UDP)
- Example use cases:
  - Enterprise app migrated to Windows Azure that requires access to an on-premise SQL Server
  - Windows Azure app domain-joined to corporate Active Directory
  - Remote administration and troubleshooting of Windows Azure roles
- Simple setup and management
Roadmap
- CTP release by end of 2010
  - Supports connecting from Azure to non-Azure resources
  - Supports Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista SP1, and up
- Future releases
  - Enable connectivity using existing on-premises VPN devices
Closer Look
- Three steps to set up Windows Azure Connect
  - Enable Windows Azure (WA) roles for external connectivity via the service model
    - Select only the roles that should be enabled for external connectivity
  - Enable local computers for connectivity by installing the WA Connect Agent
  - Configure/manage your network policy, which defines which Azure roles and which local computers can communicate
    - Defined using the Connect Portal
- After the network policy is configured, Azure Connect automatically sets up a secure IP-level network between connected role instances and local computers
  - Tunnels through firewalls/NATs via the hosted relay service
  - Secured via end-to-end IPSec
  - DNS name resolution
Windows Azure Service Deployment
- To use Connect for a Windows Azure service, enable one or more of its roles
  - For Web & Worker roles, include the Connect plug-in as part of the service model (using the .csdef file)
  - For VM roles, install the Connect agent in the VHD image using the Connect VM install package
- The Connect agent is automatically deployed for each new role instance that starts up
- Connect agent configuration is managed through the service configuration (.cscfg file)
  - Only one configuration setting is required
    - ActivationToken
      - Unique per-subscription token, obtained from the Admin UI
  - Several optional settings for managing AD domain-join and service availability
On-Premise Deployment
- Local computers are enabled for connectivity by installing & activating the Connect Agent. It can be retrieved from:
  - Web-based installation link
    - Retrieved from the Admin Portal
    - Contains the per-subscription activation token embedded in the URL (the link therefore carries a subscription credential and should be shared with the same care as the token itself)
  - Standalone install package
    - Retrieved from the Admin Portal
    - Enables installation using existing software distribution tools
- Connect agent tray icon & client UI enables us to:
  - View activation state & connectivity status
  - Refresh network policy
- Connect agent automatically manages network connectivity by:
  - Setting up a virtual network adapter
  - “Auto-connecting” to the Connect relay service as needed
  - Configuring IPSec policy based on network policy
  - Enabling DNS name resolution
  - Automatically syncing the latest network policies
Management of Network Policy
- Connect network policy is managed through the Windows Azure admin portal
  - Managed on a per-subscription basis
- Local computers are organized into groups
  - E.g. “SQL Server Group”, “Laptops Group”, …
  - A computer can only belong to a single group at a time
  - Newly activated computers aren’t assigned to any group
- Windows Azure roles can be connected to groups
  - Enables network connectivity between all role instances (VMs) and the local computers in the group
  - Windows Azure Connect doesn’t connect Windows Azure roles to other Windows Azure roles
- Groups can be connected to other groups
  - Enables network connectivity between the computers in each group
- A group can be ‘interconnected’, which enables connectivity within the group
  - Useful for ad-hoc & roaming scenarios
  - E.g. your laptop having a secure connection back to a server that resides inside the corp net
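The policy rules above (computers in exactly one group, roles connected to groups, groups connected to groups, an "interconnected" group, and no role-to-role connectivity) are easy to get wrong when a policy grows. The following is an added example, not Microsoft's code or anything from the Connect portal: a small model of those rules that lets you list what each endpoint can reach before applying a policy. All group, role and computer names are constructed sample values.

```python
"""
Added example (not Microsoft's code): a model of the Connect network-policy rules
listed above, for reviewing a policy's reachability before it is applied.
Group, role and computer names are constructed sample values.
"""
from __future__ import annotations


class ConnectPolicy:
    def __init__(self) -> None:
        self.groups: dict[str, set[str]] = {}          # group -> local computers in it
        self.roles: dict[str, set[str]] = {}           # Azure role -> groups it is connected to
        self.group_links: set[frozenset[str]] = set()  # unordered pairs of connected groups
        self.interconnected: set[str] = set()          # groups whose members may talk to each other

    def group_of(self, computer: str) -> str | None:
        """Return the group a local computer belongs to; newly activated computers have none."""
        for group, members in self.groups.items():
            if computer in members:
                return group
        return None

    def assign(self, computer: str, group: str) -> None:
        """Put a computer in a group; a computer may belong to only one group at a time."""
        current = self.group_of(computer)
        if current is not None and current != group:
            raise ValueError(f"{computer} already belongs to {current!r}")
        self.groups.setdefault(group, set()).add(computer)

    def add_role(self, role: str) -> None:
        """Register a Connect-enabled Azure role that is not yet linked to any group."""
        self.roles.setdefault(role, set())

    def connect_role(self, role: str, group: str) -> None:
        """Connect an Azure role to a group: all its instances reach every computer in the group."""
        self.roles.setdefault(role, set()).add(group)
        self.groups.setdefault(group, set())

    def connect_groups(self, a: str, b: str) -> None:
        """Connect two groups: every computer in one reaches every computer in the other."""
        self.group_links.add(frozenset((a, b)))

    def can_communicate(self, a: str, b: str) -> bool:
        """Evaluate the policy for one pair of endpoints (roles or local computers)."""
        a_role, b_role = a in self.roles, b in self.roles
        if a_role and b_role:
            return False  # Connect does not link Azure roles to other Azure roles
        if a_role:
            return self.group_of(b) in self.roles[a]
        if b_role:
            return self.group_of(a) in self.roles[b]
        ga, gb = self.group_of(a), self.group_of(b)
        if ga is None or gb is None:
            return False  # an unassigned (newly activated) computer reaches nothing
        if ga == gb:
            return ga in self.interconnected  # same group only if the group is 'interconnected'
        return frozenset((ga, gb)) in self.group_links

    def reachable_from(self, name: str) -> list[str]:
        """Everything the policy lets `name` talk to; useful for a pre-deployment review."""
        endpoints = set(self.roles) | {c for members in self.groups.values() for c in members}
        return sorted(x for x in endpoints if x != name and self.can_communicate(name, x))


def sample_policy() -> ConnectPolicy:
    """Constructed sample: a web role that needs SQL, roaming laptops, and an untouched DC group."""
    p = ConnectPolicy()
    p.assign("sql01", "SQL Server Group")
    p.assign("laptop-a", "Laptops Group")
    p.assign("laptop-b", "Laptops Group")
    p.assign("dc01", "DC Group")
    p.add_role("WorkerRole1")                       # enabled for Connect but linked to nothing
    p.connect_role("WebRole1", "SQL Server Group")
    p.connect_groups("Laptops Group", "SQL Server Group")
    p.interconnected.add("Laptops Group")           # laptops may reach each other
    return p


if __name__ == "__main__":
    policy = sample_policy()
    for endpoint in ("WebRole1", "WorkerRole1", "laptop-a", "sql01", "dc01"):
        print(f"{endpoint:12} -> {policy.reachable_from(endpoint)}")
```

Running the sample shows the consequences the bullets describe: WebRole1 reaches only sql01, WorkerRole1 and dc01 reach nothing, and the group-to-group link means every laptop can reach the SQL server even though no role was connected to the laptops. Reviewing `reachable_from` for each endpoint is a quick way to confirm a policy grants no more than intended.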
Network Behavior
- Connect resources (Windows Azure role instances and external machines) have secure IP-level network connectivity
  - Regardless of physical network topology (firewalls / NATs), as long as they support outbound HTTPS access to the Connect relay service
- Each connected machine has a routable IPv6 address
  - The Connect agent sets up the virtual network address
  - No changes to existing networks
- Communication between resources is secured via end-to-end certificate-based IPSec
  - Scoped to the Connect virtual network
  - Automated management of IPSec certificates
- DNS name resolution for connected resources based on machine names
  - Both directions are supported (Windows Azure to local computer or vice versa)
Active Directory Domain Join
- The Connect plug-in supports domain-joining Windows Azure roles to an on-premise Active Directory
- E.g. scenarios:
  - Log into Windows Azure using domain accounts
  - Connect to an on-premise SQL Server using Windows Integrated Authentication
  - Migrate LOB apps to the cloud that assume a domain-joined environment
- Process:
  - Install the Connect agent on the DC/DNS servers
    - Recommendation: create a dedicated site in the case of a multiple-DC environment
  - Configure the Connect plug-in to automatically join Windows Azure role instances to Active Directory
    - Specify the credentials used for the domain-join operation
    - Specify the target OU for Windows Azure roles
    - Specify the list of domain users / groups to add to the local Administrators group
  - Configure the network policy to enable connectivity between Windows Azure roles and the DC/DNS servers
  - Note: new Windows Azure role instances will automatically be domain-joined
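Both the service deployment section (the Connect plug-in in the .csdef, the ActivationToken and optional settings in the .cscfg) and the domain-join process above come down to entries in those two files. The following is an added example, not Microsoft's code or part of the SDK: a reviewer script that parses a constructed .csdef/.cscfg pair and checks that only the intended roles import the Connect module, that each such role has an ActivationToken, and that a role with domain-join enabled carries the credentials, target OU and administrators list the process calls for. The full setting names are assumed to follow the `Microsoft.WindowsAzure.Plugins.Connect.*` scheme and the schema URIs are as recalled; confirm both against the SDK you deploy with. Token and password values are placeholders.

```python
"""
Added example (not Microsoft's code): review the Connect settings in a service
model (.csdef) and service configuration (.cscfg). Setting names are assumed
to follow the Microsoft.WindowsAzure.Plugins.Connect.* scheme; the XML is a
constructed sample with placeholder secrets.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

PREFIX = "Microsoft.WindowsAzure.Plugins.Connect."

# Constructed sample service model: only WebRole1 imports the Connect plug-in.
CSDEF = """<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="SampleService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole1">
    <Imports>
      <Import moduleName="Connect" />
    </Imports>
  </WebRole>
  <WorkerRole name="WorkerRole1" />
</ServiceDefinition>
"""

# Constructed sample service configuration; WorkerRole1 has a token but no plug-in import.
CSCFG = """<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="SampleService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole1">
    <ConfigurationSettings>
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.ActivationToken" value="PLACEHOLDER-ACTIVATION-TOKEN" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.EnableDomainJoin" value="true" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainFQDN" value="corp.example.com" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainAccountName" value="corp\\svc-domainjoin" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainPassword" value="PLACEHOLDER-PASSWORD" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainOU" value="OU=AzureRoles,DC=corp,DC=example,DC=com" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.Administrators" value="corp\\AzureRoleAdmins" />
    </ConfigurationSettings>
  </Role>
  <Role name="WorkerRole1">
    <ConfigurationSettings>
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.ActivationToken" value="PLACEHOLDER-ACTIVATION-TOKEN" />
    </ConfigurationSettings>
  </Role>
</ServiceConfiguration>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so the checks do not depend on the exact schema URI."""
    return tag.rsplit("}", 1)[-1]


def connect_enabled_roles(csdef_xml: str) -> set[str]:
    """Web/Worker roles whose service model imports the Connect module."""
    enabled = set()
    for role in ET.fromstring(csdef_xml):
        if _local(role.tag) not in ("WebRole", "WorkerRole"):
            continue
        if any(_local(e.tag) == "Import" and e.get("moduleName") == "Connect" for e in role.iter()):
            enabled.add(role.get("name"))
    return enabled


def connect_settings(cscfg_xml: str) -> dict[str, dict[str, str]]:
    """role name -> {setting name without the plug-in prefix: value}."""
    per_role = {}
    for role in ET.fromstring(cscfg_xml):
        if _local(role.tag) != "Role":
            continue
        settings = {}
        for s in role.iter():
            name = s.get("name", "")
            if _local(s.tag) == "Setting" and name.startswith(PREFIX):
                settings[name[len(PREFIX):]] = s.get("value", "")
        per_role[role.get("name")] = settings
    return per_role


def review(csdef_xml: str, cscfg_xml: str) -> list[str]:
    """Findings a reviewer would raise before the package is deployed."""
    enabled = connect_enabled_roles(csdef_xml)
    findings = []
    for role, conf in connect_settings(cscfg_xml).items():
        if role not in enabled:
            if conf:  # settings without the import do nothing: remove them, or enable the role on purpose
                findings.append(f"{role}: Connect settings present but the role does not import the Connect module")
            continue
        if not conf.get("ActivationToken"):
            findings.append(f"{role}: Connect enabled but ActivationToken is empty")
        if conf.get("EnableDomainJoin", "").lower() == "true":
            for required in ("DomainFQDN", "DomainAccountName", "DomainPassword", "DomainOU", "Administrators"):
                if not conf.get(required):
                    findings.append(f"{role}: domain-join enabled but {required} is empty")
            if conf.get("DomainPassword"):
                findings.append(f"{role}: domain-join credentials live in the .cscfg; handle the file as a secret")
    return findings


if __name__ == "__main__":
    print("Connect-enabled roles:", sorted(connect_enabled_roles(CSDEF)))
    for finding in review(CSDEF, CSCFG):
        print("-", finding)
```

On the sample this reports two findings: WorkerRole1 carries Connect settings without importing the plug-in (so either the settings are dead or the role was meant to be enabled), and WebRole1 holds the domain-join account password in its configuration file, which is the reason the .cscfg belongs under the same controls as any other credential store.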
Recap of Windows Azure Connect
- Enables secure network connectivity between Windows Azure and on-premise resources
- Simple to set up & manage
  - Enable Windows Azure roles using the Connect plug-in
  - Install the Connect agent on local computers
  - Configure network policy
- Useful scenarios:
  - Remote administration & troubleshooting
  - Windows Azure apps accessing on-premise servers
  - Domain-joining Windows Azure roles
By: Anthony Chavez – Director @ Windows Azure Networking Group
Author: NunoGodinho