Real World Azure - IT Pros


TechNet Events Presents – for the IT Professional
In this session, we will discuss:

Azure architecture from the IT professional’s point of view
Why an IT operations team would want to pursue Azure as an extension to the data center
Configuration, deployment and scaling Azure-based applications
The Azure roles (web, web service and worker)
Azure storage options
Azure security and identity options
How Azure-based applications can be integrated with on-premises applications
How operations teams can manage and monitor Azure-based applications

Published in: Technology, Business

  • We will bend over backwards to help you out.
  • RTC (release to cloud) makes it easy to release new features, and upgrades. This would include better management tools, logging/tracking, etc.
  • How many servers does your company have? What is the IT Pro to server ratio? Usually an average of 1:10 or 1:30. The Global Datacenter Team for Azure is 1:30,000. The Azure Fabric makes this possible.
  • Here’s the datacenter in the cloud: a collection of commodity hardware; a collection of storage servers with triple replication; load balancers; the Fabric Controller, the “brains” behind it all; the Web Portal, where you deploy and manage applications; and the Service, which is any app you want to run. It’s about running your service in the Microsoft datacenter. Windows Azure is not a SKU that you would install onsite.
  • = Service Deployment (So easy, even a CEO can do it) = Service: the application you want to run. Model: the service configuration; it tells what the service looks like, how many instances you want to run, etc. Today, you must deploy your service through the portal. In the future, there will be an API available that will let you deploy your service through the command line, TFS build procedures, and other types of automation. In this scenario, we are deploying our service through the portal. We upload the two files (the service package and the model configuration). The Fabric Controller reads the model configuration, which describes how to deploy our service. In this case, we are deploying our service to 3 machines. The Fabric Controller determines which 3 machines to deploy to, copies the service package to those 3 machines, and fires up the services. [Transition] The Fabric Controller then configures DNS so you have an endpoint exposed for the outside world to communicate with your services. From there, it configures the load balancers and routers. That’s it. It’s completely automated.
  • Managed partner pipeline review: opportunities in Siebel, partner, PAM; get together and collaborate on opportunities, with more social collaboration, the ability to comment, and the ability to bring people in. Didn’t do much in SQL Azure as it wasn’t available at the time. Accomplished goals in 5 months.
  • Web role: support for multi-tenancy (host multiple customers or segments on one set of infrastructure); a web service for updating the opportunity information. The .NET Service Bus was used to integrate on the backend with Siebel. Moved the worker role inside the firewall (on premises) as it made more sense. Heavy use of Tables and Blobs. Most Queue work is done with the .NET Service Bus under the covers; not a whole lot of work writing directly to Queues. During development, SDS did a reset and became SQL Azure; they used Azure storage until SQL Azure became available (one of the best decisions they made).
  • Community wants to control Personalization, Content, Membership
  • TODO: Convert to Whiteboard template
  • TODO: Convert to Whiteboard template
  • with alias. No password. Go to the roadshow page. Click through the headers. Show discussion threads.
  • Simply put, you basically do what you do today, as far as the general process goes. The biggest difference is that you are pushing a package instead of individual bits, with some bizarre, poorly documented steps on how to deploy written at the last minute.
  • Native Code/FastCGI: another reason to use Azure. If you aren’t used to managing different infrastructure, then you can host it on Azure and not have to deal with the diversity.
  • Demo: Ask for logs. Show logs in storage that were already moved. This story will get better, especially with the management APIs as they come online.
  • Azure storage is interesting. The compute service is pretty standard (.NET, by and large). Storage is interesting in that it’s not quite as familiar. It is accessed over HTTP (RESTful). Three parts: blob storage, for big chunks of data; Tables, which are not tables; Queues, which are what they sound like: queues.
  • Blobs: Blobs are stored in containers. There are 0 or more blobs per container and 0 or more containers per account (since you can have 0 containers, but then you would not have any blobs either). Typically the URL in the cloud is …; paths can contain the / character, so you can give the illusion of multiple folders, but there is only 1 level of containers. Blob capacity at CTP is 50 GB. There is an 8 KB dictionary that can be associated with blobs for metadata. Blobs can be private or public: private requires a key to read and write; public requires a key to write, but NO KEY to read. Use blobs where you would use the file system in the past.
  • It’s easier to describe what Azure tables don’t do than it is to describe what they do do. Most everyone, when they hear tables, thinks of SQL Server or relational database tables and the functionality you get from those tables, but that’s not what we have. In Windows Azure, you have storage accounts. Storage accounts need to be signed by keys for access (great). In your account you can have some number of tables, some number of entities, and some number of properties, each with a name, type, and value. So, I ask you, are these tables? Do you see rows, tables, columns? No, they’re not tables. Here’s the truth: Windows Azure tables have some issues.
  • Tables are simply collections of Entities. Entities must have a PartitionKey and RowKey, and can also contain up to 256 other properties. Entities within a table need not be the same shape! E.g.: Entity 1: PartitionKey, RowKey, firstname. Entity 2: PartitionKey, RowKey, firstname, lastname. Entity 3: PartitionKey, RowKey, orderId, orderData, zipCode. Partitions are used to spread data across multiple servers. This happens automatically based on the partition key you provide. Table “heat” is also monitored, and data may be moved to different storage endpoints based upon usage. Queries should be targeted at a partition, since there are no indexes to speed up performance. Indexes may be added at a later date. It’s important to convey that whilst you could copy tables in from a local data source (e.g. SQL), it would not perform well in the cloud; data access needs to be re-thought at this level. Those wanting a more traditional SQL-like experience should investigate SDS.
  • 07:17 It’s an “Entity Store”: you can store entities, retrieve entities, and do simple querying on these entities. Partitioned SQL Server: A–M on this server, N–Z on this server. For the top 5 customers that ordered the most, you have to poll 26 servers and aggregate the data. That’s sort of what we have with Azure Table storage. We went with a highly partitioned approach upfront to gain scale and availability. We’ve had to sacrifice some of the complex queries, such as joins, to support this. It’s just a different way of having to deal with your data.
  • 11:53 Getting all of dunnry’s posts is fast because we’re selecting the entities by a partition key. Getting all of the posts after a certain … is slow because we may have to traverse multiple servers, since we’re selecting entities that span partition keys. A query without the partition key is really a scan.
  • 14:58 Keep partitions small; this increases scalability. It allows us to replicate data when it’s hot and spread data across multiple servers.
  • Use queues as a way of communicating with the backend worker roles. Worker roles call GetMessage and pass a timeout. The timeout value is important. The expiration time is important: the message is marked in the queue as invisible, and for the duration of the timeout it stays invisible. When we’re done processing, we remove the message through a delete. The reason we do this: imagine we have a second worker role; if something goes wrong, once the timeout expires the message becomes visible again, and the next worker to do a GetMessage will get the message.
  • Queues are simple: Messages are placed in queues. Max size is 8 KB (and it’s a string). A message can be read from the queue, at which point it is hidden. Once whatever read the message from the queue has finished processing it, it should then remove the message from the queue. If not, the message is returned to the queue after a specific, user-defined time limit. This can be used to handle code failures, etc.
  • So, I have a simple service that I call the thumbnail generator. This is a picture of the conceptual architecture of the service. There are a number of things called web roles, which is code sitting behind a load balancer, and they are taking requests in which they’re taking in pictures. They are putting these pictures as blobs into this cloud storage system. We then have a set of worker roles that are running asynchronously, just sitting there watching these queues that are in the cloud; they are picking image requests off the queues and generating thumbnails based on some code written in the worker role. Finally, the images get displayed again on the website. The white box you see is meant to designate the service itself, and all of this is actually running on my desktop in this simulation environment. Key points that I want to make with this picture: This architecture represents best practices for how you build cloud services at scale. You don’t build up, you build out; you have a bunch of stateless compute nodes, and any of these nodes can fail at any time. It doesn’t matter; your service is still going to run, because there’s no data that’s only stored in one place. Second, it’s useful to build loosely coupled architectures, and this is an example right here: the front end and back end are talking to each other through the queue, which is very scalable. This is an open platform. You can access it from anywhere, you can reach out to anywhere else, and you can imagine many different scenarios in which you have some code running in our data centers and some running somewhere else. So, let’s switch over there.
  • Duh!
  • Any silo inhibits agility, slowing down IT’s ability to support the business to respond to the market
  • This inhibits reuse, and the ability to easily migrate to new environments
  • Don’t be a plumber. If you are focusing on this, you aren’t focusing on what your company does in the market. Focus on code that only you can write.
  • Many deployments of security endpoints lead to a greater attack surface and the multiplication of common flaws across all of your systems.
  • It is rare that any sizable company has 1 directory. It is usually many, either through acquisition or on purpose (a hub and spoke model in LDAP is common; see me for a walkthrough of that). Many don’t have a directory per se, so some have 0. Very small companies might not do this. That, and code to hit AD (or any LDAP) is not an easy skill, doesn’t work like it should (from a dev perspective), and is easiest outsourced somehow (to a component, from /n software, etc.).
  • Many regulations and IT policies are moving towards more secure authN mechanisms: smart cards, certificates, etc.
  • Of course the proliferation of accounts for users leads to a diminished security profile: sticky notes stuck to monitors, identical simple passwords everywhere….
  • What about when you have an extranet that a customer needs access to? Usually you: 0. pollute your AD with their info, thereby increasing AD management costs; 1. create a second AD (which leads to n ADs, 1 for each customer); or 2. keep an island of data in your app, which leads to costs in provisioning and managing the accounts. What if an employee of your customer leaves, and still has access to your extranet? What if your customers could still use their own credentials from their own company, so they aren’t your problem? <<<< Visit the Bike Store story here >>>>
  • If you move an app into the cloud, you are forced into a separate AuthN/Z infrastructure in this model. What if your internal users could use their everyday creds to log in to the app you just launched into the cloud? Most company applications might use creds in a local directory, but you can’t do this if the app is running in the cloud, so you must have separate credentials. This is the primary use of federation for everyday companies.
  • Three geeks walk into a bar in California. The bouncer asks for ID. You whip out your driver’s license from the state of Ohio. They inspect it, flash a purple light thing at it, verify your age, and let you in. They didn’t force you to register with them to get a bar credential; otherwise you would end up with a ton of credentials you were forced to use (like those grocery store customer loyalty cards). The bar trusts the credentials from a trusted provider (and has ways to validate that those credentials are valid: the light, and known embedded security features).
  • A Claim is a property of a user
  • Turns out, companies need this ability even when they are not in a federation scenario. This helps when moving apps to the cloud, allowing customers/partners into your app, or with many directories through mergers.
  • Shows a claims-aware web service (the relying party) and a smart client that wants to use that service. The relying party exposes policy that describes its addresses, bindings, and contracts. But the policy also includes a list of claims that the relying party needs, for example user name, email address, and role memberships. The policy also tells the smart client the address of the STS (another web service in the system) where it should retrieve these claims. After retrieving this policy (1), the client now knows where to go to authenticate: the STS. The smart client makes a web service request (2) to the STS, requesting the claims that the relying party asked for via its policy. The job of the STS is to authenticate the user and return a security token that gives the relying party all of the claims it needs. The smart client then makes its request to the relying party (3), sending the security token along in the security SOAP header. The relying party now receives claims with each request, and simply rejects any request that doesn’t include a security token from the issuing authority that it trusts. DEMO: SamplesBasicSimple STS for Active Clients
  • The user points her browser at a claims-aware web application (the relying party). The web application redirects the browser to the STS so the user can be authenticated. The STS in Figure 3 is wrapped by a simple web application that reads the incoming request, authenticates the user via standard HTTP mechanisms, and then creates a SAML token and emits a bit of JavaScript that causes the browser to initiate an HTTP POST that sends the SAML token back to the relying party. The body of this POST contains the claims that the relying party requested. At this point it is common for the relying party to package the claims into a cookie so that the user doesn’t have to be redirected for each request. The WS-Federation specification includes a section that describes how to do these things in an interoperable way. *** The Trusted Auth web app is a simple aspx page with code-behind that does all the work. This can easily be converted into an ISAPI handler or HTTP pipeline component. DEMO: SamplesBasicSimple STS For Passive Clients
  • The client is in a different security realm, over in Bob’s bike shop, while the relying party is still in Fabrikam’s data center. In this case, the client (Alice, say) authenticates with Bob’s STS (1) and gets a security token that she can send to Fabrikam. This token indicates that Alice has been authenticated by Bob’s security infrastructure, and includes claims that specify what roles she plays in Bob’s organization. The client sends this token to Fabrikam’s STS, which evaluates the claims, decides whether Alice should be allowed to access the relying party in question, and issues a second security token that contains the claims the relying party expects. The client sends this second token to the relying party (3), which now discovers Alice as a new user and allows her to access the application according to the claims issued by Fabrikam’s STS. Note that the relying party didn’t have to concern itself with validating a security token from Bob’s bike shop. Fabrikam’s authority did all of that heavy lifting, making certain to issue security tokens only to trusted partners that have previously established a relationship with Fabrikam. In this example, the relying party will always get tokens from its own STS. If it sees a token from anywhere else, it will reject it outright. This keeps your applications as simple as possible. LAST BUILD: a company that uses .NET Framework and Zermatt to build its applications. They have recently merged with another company whose IT platform is based on Java. Because the Microsoft .NET-connected applications are already claims-aware, the company was able to install an STS built on Java technology, and suddenly the Microsoft .NET-connected applications became accessible to users in the Java-based directory, with no changes to application code or even application configuration.
  • ActAs scenario. Alice has pointed her browser at a web application that, as part of its implementation, makes use of a back end web service. Alice’s browser goes through the passive redirection handshake just like normal in order to present a security token to the web front end. This is where things get interesting: the web front end, which for the sake of this discussion runs under an identity called Bob, takes Alice’s token and submits it as an “ActAs” parameter in his request to get a security token for the back end web service. The issuing authority notes that Bob wants to make requests to the back end using Alice’s credentials, and so crafts an IClaimsIdentity for Alice and an IClaimsIdentity for Bob, and links them together via the Delegate property, as shown in Figure 23. These identities are serialized into a security token for the back end, where Zermatt rehydrates this same structure so that the back end can see that this is Alice making the request (but technically, Bob is delegating her credentials). The back end can then perform appropriate access control, typically granting access based on Alice’s level of permission. The back end can also audit the request, typically noting the fact that Bob delegated Alice’s credentials to make the request. This is richer than the current model of delegation in Kerberos on the Windows platform today, where the back end has no programmatic way to discover that Alice’s credentials were delegated by some middle tier component. In the claims-based model, the back end can see that Alice went to the web front end (Bob) and that Bob delegated her credentials to get to the back end. If the back end were to receive a token for Alice without Bob as a delegate, it would know that Alice was accessing the back end directly, and could take appropriate action (deny the request, perhaps). Different business logic possibilities: Consider the information the authority gets in this scenario. The authority knows which relying party is the target of the request (the back end web service). It knows who is making the request (Bob) and knows that Bob wants to act on Alice’s behalf. The authority may decide not to issue a security token in this case if Alice is a sensitive user, such as an administrator with very high privilege. Or it may issue a token with a restricted set of claims to limit what Bob can do while using Alice’s credentials. Or it may issue an entirely different set of claims based on what the back end needs. The authority might decide to deny direct requests from Alice to talk to the back end, if that is desirable. The only limitation is the policy supported by the STS that you buy. Of course, if you implement your own STS, you’ll only be limited by your imagination. Kerberos two-hop limit: You might ask what the two-hop limit is. A very simple explanation of this limit is that impersonated authentication can only be exchanged between two machines by default. This means that if Machine A requests work to be done on Machine B for an impersonated user, Machine B can perform the work, but cannot offload the work to Machine C, because the authentication for the user will fail. The easiest way to fix this is to implement Kerberos delegation. Configuring this is challenging and fraught with peril: you have to make changes in AD, all systems have to be in the same AD forest, and the accounts must have the right delegation flags. DEMO: SamplesIntermediateIdentity Delegation Scenario
  • Demo: SamplesAdvancedAuthentication Assurance. Sometimes different systems or operations in a system should be protected in a stronger (which is usually more cumbersome) manner. The STS will add a property saying what the auth method was, and the RP can choose whether that is sufficient for the operation. For example, normal ops can be done with Integrated Auth, but for a high value wire transfer, you need a smartcard with PIN. Demo on page 31. There are two issuers in this example: AuthPassiveSTSWindows and AuthPassiveSTSCert. The first uses Windows integrated authentication, and the second requires the client to present a certificate, which is a stronger but more cumbersome form of authentication. Each issuer adds an Authentication claim into the list of claims for the user, indicating the form of authentication used. You can see this in the GetOutputSubjects method found in the App_CodeSampleSTSService.cs file for each of these projects. The relying party in this example is a browser-based application (called AuthAssuranceRP) that exposes a low value page (LowValueResourcePage.aspx) and a high value page (HighValueResourcePage.aspx). The low value page simply checks to see if the user is authenticated, and if not, redirects to default.aspx, on which is an instance of the FederatedPassiveSignIn control. This control presents the user with a link she can click in order to initiate the WS-Federation passive redirect to AuthPassiveSTSWindows, which uses Windows authentication to authenticate the user quickly and without much hassle. Regardless of whether the user is authenticated or not, when she visits HighValueResourcePage.aspx, the code checks not only whether the user is authenticated, but also whether she has a claim that indicates the required strength of authentication, which is “CertOrSmartCard” and is only issued by the AuthPassiveSTSCert STS, which requires the user to authenticate with a certificate (or smart card, if you have that infrastructure). So instead of redirecting the user to default.aspx, the high value page redirects to a separate sign-in page specifically for high-assurance logins. This is easy to implement; if you look at HighAssuranceSignInPage.aspx, you’ll see another instance of the FederatedPassiveSignIn control that redirects to the AuthPassiveSTSCert STS instead.
  • Why are companies doing this? Ask the audience if they are, and what their reasons are. Better use of resources; quicker provisioning; decoupling solutions from the physical environment; giving IT the agility to respond to business needs.
  • This makes you more agile, better able to meet their needs. Not only scale up and out as needed, but down and in as well. Reduce costs, reduce the amount of grunt work. Focus on maintaining the systems in an efficient manner, not on growing the number of servers under your command.
  • Dynamic Data Center Toolkit enables you to build an ongoing relationship with your customers while you scale your business with these resources: step-by-step instructions and technical best practices to provision and manage a reliable, secure, and scalable data center; customizable marketing material you can use to help your customers take advantage of these new solutions; sample code and demos to use in your deployment.
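The partition-key behaviour from the Azure tables notes above (entities of different shape in one table, a query targeted at a partition versus a scan across every server), as an added simulation that is not code from the deck. The server count, the hash that places partitions, the blog-post sample data and all names are this example's assumptions:

```python
"""Simulated Windows Azure Table storage: PartitionKey/RowKey entities of mixed
shape, partition-targeted queries versus cross-partition scans.

Added example, not code from the deck. Server count, the hash used to place
partitions, and all names are this example's own; the rules (both keys
required, at most 256 other properties, no secondary indexes, a query that
omits the partition key becomes a scan) come from the speaker notes.
"""
import zlib

MAX_EXTRA_PROPERTIES = 256


class SimTableStore:
    def __init__(self, servers: int = 4) -> None:
        # each server holds {table: {partition_key: {row_key: entity}}}
        self._servers = [dict() for _ in range(servers)]

    def _server_for(self, partition_key: str) -> dict:
        # a whole partition lives on one server; Azure moves hot partitions, we just hash
        return self._servers[zlib.crc32(partition_key.encode()) % len(self._servers)]

    def insert(self, table: str, entity: dict) -> None:
        if "PartitionKey" not in entity or "RowKey" not in entity:
            raise ValueError("entity needs PartitionKey and RowKey")
        if len(entity) - 2 > MAX_EXTRA_PROPERTIES:
            raise ValueError("too many properties")
        server = self._server_for(entity["PartitionKey"])
        part = server.setdefault(table, {}).setdefault(entity["PartitionKey"], {})
        if entity["RowKey"] in part:
            raise KeyError("entity already exists")
        part[entity["RowKey"]] = dict(entity)     # shape is whatever the caller supplied

    def get(self, table: str, partition_key: str, row_key: str) -> tuple:
        """Point lookup: one server, a direct dictionary hit. Returns (entity, servers touched)."""
        part = self._server_for(partition_key).get(table, {}).get(partition_key, {})
        return part.get(row_key), 1

    def query_partition(self, table: str, partition_key: str, predicate) -> tuple:
        """Targeted query: only the server owning this partition is touched."""
        part = self._server_for(partition_key).get(table, {}).get(partition_key, {})
        return [e for e in part.values() if predicate(e)], 1

    def scan(self, table: str, predicate) -> tuple:
        """Query without a partition key: every server and every partition is visited."""
        hits, touched = [], 0
        for server in self._servers:
            touched += 1
            for part in server.get(table, {}).values():
                hits.extend(e for e in part.values() if predicate(e))
        return hits, touched


def demo() -> dict:
    """Constructed blog-post data: PartitionKey = author, RowKey = post timestamp."""
    store = SimTableStore(servers=4)
    posts = [  # three different shapes, all in the same table
        {"PartitionKey": "dunnry", "RowKey": "2009-10-01T09:00", "title": "Azure tables"},
        {"PartitionKey": "dunnry", "RowKey": "2009-11-15T12:00", "title": "Queues", "tags": "azure"},
        {"PartitionKey": "clint", "RowKey": "2009-11-20T08:30", "title": "Roles", "wordCount": 900},
        {"PartitionKey": "shawn", "RowKey": "2009-09-02T17:45", "title": "IT Pro view"},
    ]
    for p in posts:
        store.insert("posts", p)
    one, n1 = store.get("posts", "dunnry", "2009-10-01T09:00")
    dunnry, n2 = store.query_partition("posts", "dunnry", lambda e: True)
    # "all posts after a date" spans authors, so it cannot be targeted: full scan
    since_nov, n3 = store.scan("posts", lambda e: e["RowKey"] >= "2009-11-01")
    return {"point_title": one["title"], "point_servers": n1,
            "dunnry_posts": len(dunnry), "partition_servers": n2,
            "posts_since_nov": len(since_nov), "scan_servers": n3}
```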
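The GetMessage / visibility timeout / Delete protocol from the two queue notes above, as an added simulation that is not the deck's code. The class and function names are this example's own, the clock is simulated so the timeout can be advanced by hand, and the poison-message limit is an assumption the notes do not state:

```python
"""Simulated Windows Azure queue semantics: GetMessage hides a message for a
visibility timeout, Delete removes it, and an undeleted message reappears.

Added example, not code from the deck. Names are this example's own; the
8 KB string limit and the timeout/delete protocol come from the speaker notes.
"""
import itertools
from dataclasses import dataclass

MAX_MESSAGE_BYTES = 8 * 1024
POISON_LIMIT = 3   # retries before quarantining a message (assumption, not from the notes)


@dataclass
class _Slot:
    msg_id: int
    body: str
    invisible_until: float = 0.0   # simulated time at which the message is visible again
    dequeue_count: int = 0         # how often GetMessage has handed this message out


class SimQueue:
    def __init__(self) -> None:
        self._slots = []
        self._ids = itertools.count(1)
        self.now = 0.0             # simulated clock in seconds, advanced by the caller

    def put(self, body: str) -> int:
        if not isinstance(body, str) or len(body.encode("utf-8")) > MAX_MESSAGE_BYTES:
            raise ValueError("message must be a string of at most 8 KB")
        slot = _Slot(next(self._ids), body)
        self._slots.append(slot)
        return slot.msg_id

    def get_message(self, timeout: float):
        """Hand out the oldest visible message as (id, body, dequeue_count) and hide it."""
        for slot in self._slots:
            if slot.invisible_until <= self.now:
                slot.invisible_until = self.now + timeout
                slot.dequeue_count += 1
                return slot.msg_id, slot.body, slot.dequeue_count
        return None

    def delete(self, msg_id: int) -> bool:
        """Remove a message once processing finished; False if it was already gone."""
        before = len(self._slots)
        self._slots = [s for s in self._slots if s.msg_id != msg_id]
        return len(self._slots) != before

    def visible_count(self) -> int:
        return sum(1 for s in self._slots if s.invisible_until <= self.now)


def crash_and_retry() -> dict:
    """Worker 1 reads a message and dies without deleting it; worker 2 gets it after the timeout."""
    q = SimQueue()
    q.put("thumbnail:photo-0042.jpg")                   # constructed sample work item
    first = q.get_message(timeout=30)
    while_hidden = q.get_message(timeout=30)            # None: worker 1 still holds it
    q.now += 31                                         # worker 1 never came back
    second = q.get_message(timeout=30)                  # same message, visible again
    done = q.delete(second[0])
    return {"same_message": first[0] == second[0], "hidden_during_timeout": while_hidden is None,
            "retry_count": second[2], "deleted": done, "left": q.visible_count()}


def poison_message() -> dict:
    """A message that crashes every worker keeps reappearing; dequeue_count lets us quarantine it."""
    q = SimQueue()
    q.put("thumbnail:corrupt.jpg")                      # constructed sample work item
    attempts, quarantined = 0, None
    while (m := q.get_message(timeout=5)) is not None:
        attempts += 1
        if m[2] >= POISON_LIMIT:
            quarantined = m[1]     # set aside for a human instead of retrying forever
            q.delete(m[0])
            break
        q.now += 6                 # worker "crashes"; the timeout expires
    return {"attempts": attempts, "quarantined": quarantined, "visible": q.visible_count()}
```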
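The federation, ActAs and authentication-assurance exchanges from the identity notes above, as an added walkthrough that is not the deck's or Zermatt's code. It assumes HMAC-signed JSON tokens in place of SAML; the names FabrikamSTS and BikeShopSTS, the token layout and the rule that refuses ActAs for an "admin" user are this example's own:

```python
"""Claims-based identity walkthrough: STS, relying party, federation, ActAs.
Added example (not the deck's or Zermatt's code): HMAC-signed JSON stands in
for SAML; names, token layout and key handling are this example's own. Rules
from the notes: the RP accepts only its own STS's tokens, ActAs is refused for
high-privilege users, the high-value page needs a "CertOrSmartCard" claim."""
import hashlib
import hmac
import json
import secrets


def _canon(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True).encode()


class Sts:
    """Security token service: authenticates a caller and issues signed claims."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key           # shared with relying parties that trust this STS
        self.trusted = {}        # partner STS name -> that partner's key

    def issue(self, claims: dict, auth_method: str, delegate=None) -> dict:
        payload = {"iss": self.name, "claims": claims,
                   "authmethod": auth_method, "delegate": delegate}
        sig = hmac.new(self.key, _canon(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}

    @staticmethod
    def verify(token: dict, issuer_keys: dict):
        """Payload if signed by an issuer in issuer_keys; None for unknown issuer or tampering."""
        payload = token["payload"]
        key = issuer_keys.get(payload.get("iss"))
        if key is None:
            return None
        expected = hmac.new(key, _canon(payload), hashlib.sha256).hexdigest()
        return payload if hmac.compare_digest(expected, token["sig"]) else None

    def federate(self, partner_token: dict):
        """Accept a trusted partner's token and re-issue the claims our own apps expect."""
        p = self.verify(partner_token, self.trusted)
        if p is None:
            return None
        claims = {"name": p["claims"]["name"],
                  "role": "partner:" + p["iss"] + ":" + p["claims"].get("role", "")}
        return self.issue(claims, p["authmethod"])

    def act_as(self, caller: str, user_token: dict):
        """ActAs: the front end (caller) asks for a back-end token carrying the user's claims."""
        u = self.verify(user_token, {self.name: self.key})
        if u is None or u["claims"].get("role") == "admin":
            return None          # policy: never delegate a high-privilege user
        return self.issue(u["claims"], u["authmethod"], delegate={"name": caller})


class RelyingParty:
    """Claims-aware application that trusts only its own STS."""

    def __init__(self, own_sts: Sts):
        self._keys = {own_sts.name: own_sts.key}

    def low_value(self, token: dict) -> str:
        p = Sts.verify(token, self._keys)
        if p is None:
            return "rejected"
        via = f" (via {p['delegate']['name']})" if p["delegate"] else ""
        return f"welcome {p['claims']['name']}{via}"

    def high_value(self, token: dict) -> str:
        p = Sts.verify(token, self._keys)
        if p is None:
            return "rejected"
        if p["authmethod"] != "CertOrSmartCard":
            return "step-up required"   # send to the high-assurance sign-in page
        return f"wire transfer approved for {p['claims']['name']}"


def run_scenarios() -> dict:
    """Constructed walkthrough of the exchanges described in the notes."""
    fabrikam = Sts("FabrikamSTS", secrets.token_bytes(32))
    bikeshop = Sts("BikeShopSTS", secrets.token_bytes(32))
    fabrikam.trusted[bikeshop.name] = bikeshop.key    # Fabrikam trusts Bob's bike shop
    rp = RelyingParty(fabrikam)
    # Federation: Alice's bike-shop token means nothing to the RP until Fabrikam re-issues it.
    alice_bs = bikeshop.issue({"name": "alice", "role": "buyer"}, "Windows")
    # ActAs: front end "bob" reaches the back end with Alice's claims and Bob as delegate.
    alice = fabrikam.issue({"name": "alice", "role": "user"}, "Windows")
    admin = fabrikam.issue({"name": "carol", "role": "admin"}, "Windows")
    forged = json.loads(json.dumps(alice))            # edit a claim after signing
    forged["payload"]["claims"]["role"] = "admin"
    return {
        "foreign_token_at_rp": rp.low_value(alice_bs),
        "federated": rp.low_value(fabrikam.federate(alice_bs)),
        "delegated": rp.low_value(fabrikam.act_as("bob", alice)),
        "admin_actas_refused": fabrikam.act_as("bob", admin) is None,
        "forged": rp.low_value(forged),
        "high_value_with_windows_auth": rp.high_value(alice),
        "high_value_with_cert": rp.high_value(
            fabrikam.issue({"name": "alice", "role": "user"}, "CertOrSmartCard")),
    }
```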
  • Real World Azure - IT Pros

    1. 1. TechNet Events Presents:Real World Azure<br />clint edmonson | architect evangelist |<br />shawntravers| it pro evangelist |<br />
    2. 2. This is Jim<br />Cloud Computing<br />
    3. 3. Jim has many questions about cloud computing<br />Cloud Computing<br />
    4. 4. The more he reads, the more confused he gets <br />Cloud Computing<br />
    5. 5. “What is Cloud Computing?”<br />Cloud Computing<br />
    6. 6. “What can I use the Cloud for?”<br />Cloud Computing<br />
    7. 7. “What is Microsoft’s roadmap in this space?”<br />Cloud Computing<br />
    8. 8. “Is this going to eat my job?”<br />Cloud Computing<br />
    9. 9. “Am I prepared for when my boss asks me about this?”<br />Cloud Computing<br />
    10. 10.
    11. 11. Define Cloud Computing<br />Break down the parts<br />Highlight the implementation of a Real World Azure scenario<br />
    12. 12.
    13. 13. Jim has heard all the buzzwords<br />
    14. 14. Service Oriented Architecture<br />
    15. 15. Rich Internet Applications<br />
    16. 16. Software as a Service<br />
    17. 17. Software + Services<br />
    18. 18. Are any of these cloud computing?<br />
    19. 19. No. They are Styles of applications.<br />
    20. 20. These styles can work in the cloud, but they are not cloud computing<br />
    21. 21. Where do your applications “live”?<br />
    22. 22. On Premises<br />Hosted<br />Cloud<br />Vendor’s Problem<br />
    23. 23. S+S Chapter<br />
    24. 24. “Packaged”<br />Application<br />An application that I buy “off the shelf” and run myself<br />Heads in the Cloud, Feet on the Ground<br />Hosted <br />“Packaged”<br />An application that I buy “off the shelf” and then run at a hoster<br />“Packaged”<br />using cloud <br />An application that I buy “off the shelf”, that is hosted using cloud platform<br />“Software as a Service”<br />A hosted application that I buy from a vendor<br />Buy<br />Build vs. Buy<br />“Home Built”<br />Application<br />An application that I develop and run myself<br />Hosted <br />“Home Built”<br />An application that I develop myself, but run at a hoster<br />“Home Built”<br />using cloud <br />An application that I develop myself, that is hosted using cloud platform<br />“Platform as a Service”<br />A vendor hosted development and runtime environment<br />Build<br />Hoster<br />Vendor<br />On Premise<br />Cloud<br />
    25. 25. “Packaged”<br />Application<br />Big Pharmaceutical Example<br />Hosted <br />“Packaged”<br />“Packaged”<br />using cloud <br />“Software as a Service”<br />Buy<br />ERP<br />“Too costly to run this myself, but I’ve made too many customizations”<br />CRM<br />Email<br />Build vs. Buy<br />“Home Built”<br />Application<br />Hosted <br />“Home Built”<br />“Home Built”<br />using cloud <br />“Platform as a Service”<br />HR System<br />Molecule Research<br />Build<br />Clinical Trial<br />Hoster<br />Vendor<br />On Premise<br />Cloud<br />
    26. 26. “Packaged”<br />Application<br />Big Pharmaceutical Example<br />Hosted <br />“Packaged”<br />“Packaged”<br />using cloud <br />“Software as a Service”<br />Buy<br />ERP<br />CRM<br />“CRM and Email are commodity services – They have no customizations, and it’s cheaper for someone else to run these”<br />Email<br />Build vs. Buy<br />“Home Built”<br />Application<br />Hosted <br />“Home Built”<br />“Home Built”<br />using cloud <br />“Platform as a Service”<br />HR System<br />Molecule Research<br />Build<br />Clinical Trial<br />Hoster<br />Vendor<br />On Premise<br />Cloud<br />
    27. 27. Big Pharmaceutical Example<br />“Packaged”<br />Application<br />Hosted <br />“Packaged”<br />“Packaged”<br />using cloud <br />“Software as a Service”<br />Buy<br />ERP<br />CRM<br />Email<br />Build vs. Buy<br />“Home Built”<br />Application<br />Hosted <br />“Home Built”<br />“Home Built”<br />using cloud <br />“Platform as a Service”<br />“I can’t afford to maintain this old HR application written in VB – it’s driving me mad!”<br />HR System<br />“…but due to regulatory issues, I cannot store my HR data off-premise”<br />Molecule Research<br />Build<br />Clinical Trial<br />Hoster<br />Vendor<br />On Premise<br />Cloud<br />
    28. 28. “Packaged”<br />Application<br />Big Pharmaceutical Example<br />Hosted <br />“Packaged”<br />“Packaged”<br />using cloud <br />“Software as a Service”<br />Buy<br />ERP<br />CRM<br />Email<br />HR System<br />Build vs. Buy<br />“Home Built”<br />Application<br />Hosted <br />“Home Built”<br />“Home Built”<br />using cloud <br />“Platform as a Service”<br />“I wish I had access to cheaper compute and storage when I need it”<br />Molecule Research<br />Build<br />Clinical Trial<br />Hoster<br />Vendor<br />On Premise<br />Cloud<br />
    29. 29. “Packaged”<br />Application<br />Big Pharmaceutical Example<br />Hosted <br />“Packaged”<br />“Packaged”<br />using cloud <br />“Software as a Service”<br />Buy<br />ERP<br />CRM<br />Email<br />HR System<br />Build vs. Buy<br />“Home Built”<br />Application<br />Hosted <br />“Home Built”<br />“Home Built”<br />using cloud <br />“Platform as a Service”<br />Molecule Research<br />Build<br />“THIS is where I want to spend my IT resources – I’m going to double down on this application!”<br />Clinical Trial<br />Hoster<br />Vendor<br />On Premise<br />Cloud<br />
    30. 30. Challenges and Concerns with Cloud Computing<br />
    31. 31. Security<br />
    32. 32. “Packaged”<br />Application<br />Hosted <br />“Packaged”<br />“Packaged”<br />using cloud <br />“Software as a Service”<br />Buy<br />ERP<br />CRM<br />Email<br />HR System<br />Build vs. Buy<br />“Home Built”<br />Application<br />Hosted <br />“Home Built”<br />“Home Built”<br />using cloud <br />“Platform as a Service”<br />Molecule Research<br />Build<br />Clinical Trial<br />Hoster<br />Vendor<br />On Premise<br />Cloud<br />Identity and AuthN<br />
    33. 33. Scalability<br />
    34. 34. Regulations and other legal issues<br />
    35. 35. Software + Services is the answer<br />
    36. 36. Lap of Azure Chapter<br />
    37. 37. Warning – this session contains information about Microsoft Technologies that are in the CTP (pre-Beta) stages. Specifics of the technology may change before final release.<br />
    38. 38. Hey! <br />Why are you showing me CTP stuff?<br />
    39. 39. Feedback.<br />
    40. 40. We are here to help. Send us your questions, doubts, concerns, challenges, adoration, regrets, denials, and alibis.<br />We will start a discussion and help you out.<br /><br />
    41. 41. RTC makes it easy to ship updates and new features.<br />
    42. 42. Windows Azure Platform Roadmap<br />?<br />Additional Geos<br />Enhanced compliance<br />Commercial launch<br />Geo location<br />Future<br />CY 2010<br />Q4 2009<br />Inter-Role Communication<br />Variable VM Sizes<br />Enhanced compliance<br />
    43. 43. Windows Azure Platform<br />Microsoft Cloud Services<br />Applications<br />
    44. 44. Windows Azure Platform<br />Compute:Virtualized compute environment based on Windows Server<br />Storage: Durable, scalable, & available storage<br />Management: Automated, model-driven management of the service<br />Database:Relational processing for structured/unstructured data<br />Service Bus: General purpose application bus<br />Access Control: Rules-driven, claims-based access control<br />
    45. 45. Azure Datacenter Chapter<br />
    46. 46.
    47. 47.
    48. 48.
49. OS Analogy Chapter
50. What does an Operating System do?
    (diagram: App1, App2, App3, App4 on top of Management / Security / etc., Task Scheduler and Hardware Abstraction Layer, over DISK, CPU, GPU, Memory)
51. Azure does this for the cloud
    (diagram: App1, App2, App3, App4 on top of APIs / .NET ACS / etc., Azure Fabric Controller and Azure Fabric, over Server 1, Server 2, Server 3 … Server 3,500)
52. How many servers do you support?
53. "What is Microsoft doing in Cloud Computing?"
54. 3 x Critical Concepts
55. Roles
    Web Role
    Worker Role
56. Storage
    Table, Blob, Relational
57. Messaging
    Queues, .NET Service Bus
58. Patterns for Cloud Computing
    Using the Cloud for Scale
59. "Isn't the cloud good for applications that need to scale dynamically?"
    Patterns for Cloud Computing
60. For example, tax applications
    Patterns for Cloud Computing
61. "How does this work?"
    Patterns for Cloud Computing
62. Let's do some white boarding for Jim…
    Patterns for Cloud Computing
63. Using the Cloud for Scale
    (diagram: Browser sends a Request to the Web Tier; Backend Tier and Database behind it; Response comes back. "Wow! What a great site!")
64. Using the Cloud for Scale
    (diagram: many Browsers hitting the same Web Tier, Backend Tier and Database. "Server Busy")
65. Using the Cloud for Scale
    (diagram: same topology under load. "Timeout")
66. How would Jim do this today on premises?
67. Using the Cloud for Scale – How would Jim do this today on premises?
    (diagram: an N L B placed in front of three Web Tier servers)
68. Using the Cloud for Scale – How would Jim do this today on premises?
    (diagram: an N L B placed in front of three Backend Tier servers)
69. Using the Cloud for Scale – How would Jim do this today on premises?
    (diagram: N L Bs in front of both the Web Tier and the Backend Tier)
70. Using the Cloud for Scale – How would Jim do this today on premises?
    (diagram: as above, with the Database now shown as p1 p2 p3)
71. Not without consequences...
72. Using the Cloud for Scale – How would Jim do this today on premises?
    (diagram as above. "That took a lot of work - and money!")
73. Using the Cloud for Scale – How would Jim do this today on premises?
    (diagram as above with fewer Browsers. "Not so great now…", "That took a lot of work - and money!", "Hmmm... Most of this stuff is sitting idle...")
74. Using the Cloud for Scale
    (chart: Usage over Jan, Apr, Jul, Oct against Datacenter peak load; Lost Business above the line, Idle time below it)
75. How can Windows Azure help?
76. #1 - Using the Cloud for Scale
    (diagram: Browser sends a Request to the Web Role; Worker Role and Azure Storage behind it; Response comes back. "Wow! What a great site!")
77. Using the Cloud for Scale
    (diagram: many Browsers hitting one Web Role, Worker Role and Azure Storage. "Server Busy")
79. Using the Cloud for Scale
    (diagram: N L B in front of three Web Roles, Worker Role, Azure Storage. "You don't see this bit")
80. Using the Cloud for Scale
    (diagram: N L Bs in front of three Web Roles and three Worker Roles, Azure Storage)
81. Using the Cloud for Scale
    (diagram: as above, with Azure Storage now shown as p1 p2 p3)
82. What's going on behind the scenes?
83. Windows Azure
    (diagram: Your Service, DNS, LB, Web Portal (API), Fabric Controller)
84. Service Deployment
    (diagram: Service package and Model go in through the Web Portal (API); the Fabric Controller places the Service instances, writes the DNS config and sets up the LBs)
85. Service Scaling
    (diagram: the Fabric Controller adds Service instances according to the Model)
86. Service Monitoring & Recovery
    (diagram: one Service instance is flagged (!) and the Fabric Controller reacts according to the Model)
87. Maintenance OS
    (diagram of the host stack, numbered 1–7: Physical Server Hardware (CPU, memory, disk, and network); Hypervisor; Host Partition with Server Core base VHD, Host Differencing VHD and Maintenance OS; Guest Partitions with Server Core VHD / Enterprise base VHD, Guest Differencing VHDs, Web VHD and Worker VHDs, and Service 1 / Service 2 / Service 3 Bits)
88. Fault and Update Domains
89. On to the Case Study…
90. Project Austin Vision
    Project Austin delivers a next-generation, micro-community based opportunity management and collaboration experience that brings a managed feel to the unmanaged space, allowing Microsoft to observe and participate in the sales process at scale through dynamic, customer-driven collaboration.
    Project Austin leverages Windows Azure, CRM Services, and SharePoint Services to provide a rich set of customer and partner capabilities in the cloud while integrating with existing on-premise solutions.
    Project Austin significantly enhances our understanding of our customers and partners by facilitating relationships with and between customers, partners, and Microsoft, while providing data that allows Microsoft to identify and promote world-class selling techniques and content.
91. Project Austin Overview – Project Goals
    Gain first-hand experience on Azure
        Cloud Storage – Security – Integration – Web – SQL Azure
    Explore a business scenario that leverages the promises of the cloud
    Provide enterprise feedback to the Azure team
    Deliver a working prototype in FY09
92. Technical Overview
    Web Role: Multi-Tenant; Web App; Web Service
    Integration: Worker Role; .NET Service Bus; Siebel
    Data Storage: Tables; Blobs; Queues; SQL Azure
    Live ID Integration: Web Auth; Access Control Service; WIF; RPS
93. Micro Community Compute
    (architecture diagram: a Micro Community Factory producing Communities; Community Group A and Community Group B, each with Personalization, Membership, Content; High Level Services: Personalization, Customization, Content, Security, Integration, Navigation, Search, Membership, Identity, Groups, …; Foundation Services: Identity, Security, Storage, Eventing, Config, Content, …)
96. Demo: Project Austin
97. (Transition to IT Evangelist…)
    This slide is Hidden
98. Deploying Your Service To The Cloud
    Developers build it
    Test locally
    Build package w/ Tools
    Upload your package to the web portal
    Push "deploy"
    Monitor, upgrade, scale…
99. Demo: Deployment Experience
100. Roles
    Web Role: Windows Server 2008 x64; IIS 7; FastCGI - PHP; Native Code; Full Trust; User Mode
    Worker Role: Windows Server 2008 x64; .NET Start; Native Code; User Mode
105. Lessons Learned: Operations
    Sign up for Azure tokens before you need them
    Include instrumentation and logging from day 1
    Performance test early & often
    Azure changes the build – deploy – test process
    The Azure Portal is sometimes down / slow
    There is no debugging in the cloud
        "Response.Write()" is your friend
106. Lessons Learned: Operations - Deployment
    Have a backup plan
        Know how to reload the data
    Practice your deployments
        Practice your deployments again
    Know how to rollback as needed
107. Lessons Learned: Operations
    Store startup config data in the Azure config files
        Retire use of web.config
    Use Azure tables to store shared config across instances
    Log to Azure tables
        In addition to Azure logs
        Must be async
    Don't forget to close connections
108. Change scale and connection config in deployed scenario
109. Demo: Adjust system for scale
110. Look at current logging
111. Demo: Access to logs
112. Upgrade a deployment
113. DEMO: Deploy V2
114. The Oh Crap moment, rolling back
115. Storage in the Cloud…
116. Windows Azure Storage Service
    (diagram: Application talks over HTTP to Blobs, Queues and Tables in Storage; Compute on the Fabric; …)
117. Blobs
    Blobs stored in Containers
        1 or more Containers per account
        …/Container/blobpath
    Blobs
        Capacity 50GB in CTP
        Metadata, accessed independently: name/value pairs (8kb total)
    Private or Public container access
    Use Blobs for file system
118. Windows Azure Storage Service
    (diagram: Storage Accounts contain Tables; a Table contains Entities; an Entity has Properties, each with Name, Type, Value)
119. Tables
    Entities and properties (rows & columns)
    Tables scoped by account
    Designed for billions+
    Scale-out using partitions
        Partition key & row key
        Operations performed on partitions
        Efficient queries
        No limit on number of partitions
        Automatic load management for hot data
    Use ADO.NET Data Services
120. Not a Relational Database
    No join
    No group by
    No order by
    Think: relational DB partitioned to the max
121. Key Example – Blog Posts
    (diagram: Partition 1, Partition 2)
    Getting all of dunnry's blog posts is fast: single partition
    Getting all posts after 2008-03-27 is slower: traverse all partitions
122. Keys
    Partition Key – how data is partitioned
    Row Key – unique in partition, defines sort
    Goals
        Keep partitions small (increased scalability)
        Specify partition key in common queries
        Query/sort on row key
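To make the partition-key / row-key point from slides 121 and 122 concrete, here is an added example (not from the deck or from Microsoft's storage library): an in-memory stand-in for an Azure Table that counts how many partitions a query has to touch. The `dunnry` blog posts and the 2008-03-27 cut-off are the slide's; the other authors, dates and titles are constructed sample data.

```python
import bisect
from collections import defaultdict

# Constructed in-memory stand-in for an Azure Table (not Microsoft's code):
# entities are grouped by PartitionKey, and each partition keeps its entities
# sorted by RowKey, so the row key really does define the sort order.
class FakeTable:
    def __init__(self):
        self.partitions = defaultdict(list)  # PartitionKey -> [(RowKey, entity), ...] sorted

    def insert(self, entity):
        rows = self.partitions[entity["PartitionKey"]]
        keys = [rk for rk, _ in rows]
        pos = bisect.bisect_left(keys, entity["RowKey"])
        if pos < len(keys) and keys[pos] == entity["RowKey"]:
            raise KeyError("RowKey must be unique within a partition")
        rows.insert(pos, (entity["RowKey"], entity))

    def query_partition(self, partition_key, row_key_after=None):
        """Query that names the partition key: only one partition is read, and a
        row-key lower bound is served by the sort order instead of a scan."""
        rows = self.partitions.get(partition_key, [])
        start = 0
        if row_key_after is not None:
            start = bisect.bisect_right([rk for rk, _ in rows], row_key_after)
        return [e for _, e in rows[start:]], 1          # (entities, partitions touched)

    def query_all(self, predicate):
        """Query without a partition key: every partition has to be traversed."""
        hits, touched = [], 0
        for rows in self.partitions.values():
            touched += 1
            hits.extend(e for _, e in rows if predicate(e))
        return hits, touched

def build_sample_table():
    """Constructed sample data modelled on the slide's 'dunnry' example:
    PartitionKey = author (the common query), RowKey = ISO date (sorts lexically)."""
    t = FakeTable()
    for author, date, title in [
        ("dunnry", "2008-03-20", "Azure tables"), ("dunnry", "2008-03-28", "Row keys"),
        ("dunnry", "2008-04-01", "Partitions"), ("alice", "2008-03-26", "Blobs"),
        ("alice", "2008-03-30", "Queues"), ("bob", "2008-02-01", "Hello"),
    ]:
        t.insert({"PartitionKey": author, "RowKey": date, "Title": title})
    return t

def posts_after(table, date):
    # "Getting all posts after 2008-03-27 is slower": traverses every partition.
    return table.query_all(lambda e: e["RowKey"] > date)

def author_posts_after(table, author, date):
    # Naming the partition key AND bounding the row key is the fast form of the same question.
    return table.query_partition(author, row_key_after=date)
```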
123. Azure Queues
    (diagram: the Web Role calls PutMessage into the Queue (Msg 1 … Msg 4); Worker Roles call GetMessage (Timeout) and then RemoveMessage; Msg 2 appears in more than one place)
124. Queues
    Simple asynchronous dispatch queue
    Create and delete queues
    Message:
        Retrieved at least once
        Max size 8kb
125. Example: Thumbnail Generator
    (diagram: LB in front of n Web Roles; m Worker Roles; Cloud Storage (blob, table, queue))
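Slides 123 to 125 show the PutMessage / GetMessage(Timeout) / RemoveMessage cycle and state that a message is "retrieved at least once". The added example below (not from the deck or from Microsoft's client library) simulates that cycle for the thumbnail-generator scenario: a worker that dies after doing the work but before RemoveMessage sees the message come back when the timeout lapses, so the worker's handler has to be idempotent. The 8 KB limit is the slide's; the queue class, timings and message bodies are constructed.

```python
import itertools

MAX_MESSAGE_BYTES = 8 * 1024   # slide 124: max message size 8kb

class FakeQueue:
    """Constructed stand-in for an Azure Queue with the slide's three operations."""
    def __init__(self):
        self._ids = itertools.count(1)
        self._messages = {}   # id -> {"body", "invisible_until", "dequeue_count"}
        self._order = []      # FIFO order of message ids still in the queue

    def put_message(self, body, now):
        if len(body) > MAX_MESSAGE_BYTES:
            raise ValueError("over 8 KB: put the payload in a blob and queue its name")
        mid = next(self._ids)
        self._messages[mid] = {"body": body, "invisible_until": 0.0, "dequeue_count": 0}
        self._order.append(mid)
        return mid

    def get_message(self, timeout, now):
        """Hand out the first visible message and hide it for `timeout` seconds.
        Nothing is deleted: if the worker never calls remove_message the message
        reappears after the timeout, which is why delivery is at least once."""
        for mid in self._order:
            m = self._messages[mid]
            if m["invisible_until"] <= now:
                m["invisible_until"] = now + timeout
                m["dequeue_count"] += 1
                return mid, m["body"], m["dequeue_count"]
        return None

    def remove_message(self, mid):
        if mid in self._messages:
            del self._messages[mid]
            self._order.remove(mid)

def worker_loop(queue, now, timeout, crash_before_remove, idempotent=True):
    """Drain the queue the way a worker role would. With crash_before_remove the
    worker 'dies' after doing the work on every first delivery, so each message
    is delivered again; the idempotency record stops the work being redone."""
    done = {}          # work key -> number of times the thumbnail was actually generated
    deliveries = 0
    t = now
    while (msg := queue.get_message(timeout, t)) is not None:
        mid, body, count = msg
        deliveries += 1
        key = body.decode()
        if idempotent and key in done:       # redelivery of finished work: just acknowledge it
            queue.remove_message(mid)
            continue
        done[key] = done.get(key, 0) + 1     # "do the work" (generate the thumbnail)
        if crash_before_remove and count == 1:
            t += timeout                     # worker died before RemoveMessage; timeout lapses
            continue
        queue.remove_message(mid)
    return deliveries, done

def run_scenario(crash_before_remove, idempotent=True):
    """Constructed scenario: a web role queues two thumbnail jobs, one worker drains them."""
    q = FakeQueue()
    for name in (b"thumbnail:photo-17.jpg", b"thumbnail:photo-18.jpg"):
        q.put_message(name, now=0)
    return worker_loop(q, now=0, timeout=30, crash_before_remove=crash_before_remove,
                       idempotent=idempotent)
```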
126. SQL Azure
127. Storage Strategy, what/when?
128. MMS/Powershell Azure Storage demo
129. SQL Azure demo
130. Resiliency / Planning to fail
131. Federated Identity
132. Companies have lots of applications
133. Each with their own silo of identity data
134. Each system is hardcoded for Az/An
135. Tedious to implement every time
136. Leads to greater risk as well
137. Many companies have 0 or n directories
138. Username & Password just isn't enough anymore
139. An array of accounts for users
140. Intracompany?
141. Doesn't work in the cloud
143. Framework for Claims Based Identity
144. Three geeks walk into a bar…
145. What is a Claim?
    (a Web Application/Service receives) Username: Brian; Roles: Evangelist, Speaker; Email: (blank); IsOfLegalVotingAge: True
146. The app is no longer concerned with
    Authentication
    Storing and securing usernames and passwords
    Connecting to directories
    Managing roles/rights/claims
147. Allows for Federation
148. Basic Scenario – Active Client
    (diagram: Smart Client 1. Get Policy from the Relying Party (Web Service); 2. Get Claims (WS-Trust) from the Trusted Authority (Web Service) STS, which uses the Directory/Credential Store and Business Rules; 3. Send Claims to the Relying Party)
149. Basic Scenario – Passive Client
    (diagram: Browser 1. HTTP GET to the Relying Party (Web App); 2. Redirect (WS-Federation) to the Trusted Authority (Web App) STS, which uses the Directory/Credential Store and Business Rules; 3. HTTP POST back to the Relying Party)
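The passive-client exchange on slide 149, together with the claim set from slide 145 and the "no longer concerned with" list from slide 146, as an added simulation that is not part of the deck and not Geneva/WIF code: the STS authenticates against the directory and signs the claims, and the relying party makes its decision from the validated claims alone. An HMAC-signed JSON blob stands in for the signed WS-Federation token; the key, URLs, users and passwords are constructed placeholders (`wa` and `wtrealm` are the real WS-Federation sign-in parameters).

```python
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed simulation of the slide's passive flow: 1. browser GETs the RP,
# 2. RP redirects to the STS, 3. browser POSTs the issued token back to the RP.
STS_KEY = b"constructed-sts-signing-key"   # assumption: key shared with the RP out of band
STS_URL = "https://sts.example/"           # placeholder STS address
DIRECTORY = {                              # constructed directory / credential store
    "brian": {"password": "correct horse", "roles": ["Evangelist", "Speaker"]},
    "dieter": {"password": "pw", "roles": ["Employee"]},
}

def sts_issue(username, password, audience, now):
    """STS side: check credentials against the directory, apply business rules, sign the claims."""
    user = DIRECTORY.get(username)
    if user is None or user["password"] != password:
        return None
    claims = {"Username": username, "Roles": user["roles"],
              "IsOfLegalVotingAge": True,       # a business-rule-derived claim, as on slide 145
              "aud": audience, "exp": now + 300}
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"claims": body, "sig": sig}

def rp_validate(token, expected_audience, now):
    """RP side: accept claims only if signed by the trusted STS, issued for this RP, unexpired."""
    expected = hmac.new(STS_KEY, token["claims"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    claims = json.loads(token["claims"])
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None
    return claims

def rp_handle_get(session, audience):
    """Steps 1-2: with no validated session the RP answers the GET with a redirect to the STS."""
    if session is None:
        return "302", STS_URL + "?" + urlencode({"wa": "wsignin1.0", "wtrealm": audience})
    return "200", "hello " + session["Username"]

def rp_handle_post(token, audience, now):
    """Step 3: the browser POSTs the token; the RP decides from claims, never from a password."""
    claims = rp_validate(token, audience, now)
    if claims is None:
        return "401", None
    if "Speaker" not in claims["Roles"]:      # authorization is a claims check, not a directory lookup
        return "403", None
    return "200", claims
```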
150. Federated Scenario
    (diagram: Smart Client, Relying Party (Web Service), and two Trusted Authority (Web Service) STSs with Business Rules on either side of the Internet (one marked .NET?, the other Java?); steps 1, 2, 3)
151. Delegation and ActAs
    (diagram: 1. Get Claims for Dieter from the Trusted Authority STS, backed by the Directory/Credential Store and Business Rules; 2. Dieter's Browser presents ID: Dieter to the Web Front End; 3. Get Claims for svcInv ActAs Dieter; 4. svcInv ActAs Dieter (ID: svcInv, ID: Dieter) to the Back End Web Service)
152. Authentication Assurance
153. Geneva Server / FX
154. Pricing/SLA
155. Purchasing Models
    Consumption – "Pay as you go and grow": Available at launch; Low barrier to entry and flexibility; Optimized for cloud elasticity
    Volume Licensing – "Coordinated purchasing": Available post launch; Unified purchasing through EA; Introduction to volume discounts
    Subscription – "Value for a commitment": Select offers at launch; Plans for payment predictability; Discounts for commitment
156. Pricing Model
    Compute: Per service hour, $0.12 / Hour
    Storage: $0.15 GB / Month; $0.01/10K Transactions
    Business Edition: 10 GB Database, $99.99 / Month
    Web Edition: 1 GB Database, $9.99 / Month
    Messages: Per message operation, $0.15 / 100K
    Bandwidth: $0.10/GB inbound & $0.15/GB outbound
157. Service Guarantee
    Technology promise | Guarantee | SLA
    Compute connectivity | Your service is connected and reachable via web; Internet facing roles will have external connectivity | <99.95%
    Role instance monitoring and restart | All running roles will be continuously monitored; if a role is unhealthy, we will detect and initiate corrective state | Automated Systems Management
    Storage availability | Storage service will be available / reachable; your storage requests will be processed successfully | <99.9%
158. Compare to virtualization
159. Many companies are deploying virtualization
160. The cloud is just the next step
161. Many see the cloud, and want a private cloud.
162. Azure is not shippable now.
163. Dynamic Data Center Toolkit
164. Customer wins/evidence
165. (Transition to Architect Evangelist for wrap-up…)
    This slide is Hidden
    Highlight customer wins or Partner experiences
    Q&A
    Collect surveys and Hand out tokens
    Giveaways
169. @matthewhester @brianhprince
    © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
    The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.