Hybrid Cloud Addendum

20-Dec-14
Version 2.0 Final
Prepared by Microsoft
"Hybrid Cloud Addendum" last modified on 20 Dec. 14

Revision and Signoff Sheet

Change Record

Date        Author    Version   Change Reference
9/26/2013   Core IO   2.0       Release

Table of Contents

1 Purpose
Document Usage
Hybrid Cloud Addendum Overview
Windows Azure
Windows Azure Compute Services
Windows Azure Data Services
Windows Azure Network Services
Windows Azure Application Services
Windows Azure Accounts and Subscriptions
Sharing Service Management by Adding Co-Administrators
Manage Storage Accounts for Your Subscription
Create Affinity Groups to Use with Storage Accounts and Hosted Services
Add Management Certificates to a Windows Azure Subscription
Creating and Managing Windows Azure Environments
Windows Azure Service-Level Agreements (SLAs)
Caching
CDN
Cloud Services, Virtual Machines, and Virtual Network
Media Services
3.7.5 Mobile Services
Multi-Factor Authentication
Service Bus
SQL Database
SQL Reporting
Storage
Web Sites
Windows Azure Pricing
Extending the Network to Windows Azure
Storage Windows Azure Storage
Storage Windows Azure Storage Services
Storage StorSimple
Compute Windows Azure IaaS
Windows Azure Cloud Service
Windows Azure Virtual Machine
Windows Azure Virtual Machine Storage
Windows Azure Virtual Machine Placement and Affinity Groups
Windows Azure Endpoints and ACLs
Windows Azure Virtual Machine High Availability (HA)
Windows Azure Virtual Machine Load Balancing
Limitations of Windows Azure IaaS Virtual Machines
Compute PaaS
4.4 Compute Azure HDInsight (Hadoop)
Compute Windows Azure and High-Performance Computing (HPC)
Network Windows Azure Networking
Windows Azure Virtual Network
Windows Azure VPN (Site-to-Site)
Windows Azure VPN (Point-to-Site)
Affinity Groups
Name Resolution
DNS Considerations
Windows Azure Traffic Manager
Windows Azure Content Delivery Network (CDN)
Identity Management Windows Azure Active Directory
Integration with Your On-Premises Active Directory
Integration with Your Applications
Extending On-Premises Active Directory to Windows Azure
Overview
Deployment Architectures
Sites
Managing DNS and DHCP
Full or Read-Only Domain Controllers
Windows Server 2012 AD DS Virtualization Benefits
Placement of the DIT and SYSVOL
4.9.8 Protecting AD DS in Windows Azure
Windows Azure Security
Windows Azure Fabric and Datacenter Security
Security Compliance and Accreditation
Penetration Testing
Hybrid Cloud Use Cases
Deploying SQL in Windows Azure
Deploying SharePoint in Windows Azure
Dev/Test in Windows Azure

Datacenter Infrastructure and Management

1 Purpose

The scope of this document is to provide architects with the necessary guidance to develop solutions for a Microsoft hybrid cloud infrastructure, in accordance with the IaaS patterns that are identified for use with Windows Server 2012 R2. This document will provide specific guidance for extending the private cloud IaaS fabric and fabric-management architecture to an overall hybrid cloud solution that encompasses Windows Azure.

1.1 Document Usage

This document is intended for use by Microsoft Services and Microsoft Partners. This document provides significant background information, guidance and best practices for the hybrid cloud, but it is not a customer-facing design document. This document can and should be used to create customer deliverables, but it should not be provided directly.

2 Hybrid Cloud Addendum Overview

The IaaS architecture is focused on architecting Windows Server 2012 R2 and System Center 2012 R2 virtualization fabric and fabric-management technologies to support private cloud scenarios. This addendum for hybrid cloud includes reference architectures, best practices, and processes for extending a private cloud infrastructure to Windows Azure or a Microsoft service-provider partner for hybrid cloud scenarios such as:

- Extending the data-center fabric to the cloud
- Extending fabric management to the cloud
- Hybrid deployment of Microsoft applications

Underpinning the architecture and approach is the Server & Tools Business's overall Cloud OS strategy, which is described at the following locations:

Overview

Just as the Internet changed the way in which people work, interact and play, the cloud era is transforming the very landscape of IT. It is disrupting every aspect from hardware, to software, to services. The cloud requires a redefinition of the server operating system, transforming it into a strategic asset that you can use to react more quickly to market shifts, deliver new products and services faster, and get ahead of the competition, but only if you have the right technology in place to make it happen.

Transform Your Data Center

It is no longer just about servers and nodes; it is about managing the entire data center and even multiple clouds in a holistic way. With massive scale, elasticity and ubiquitous availability, you can now build and deploy applications in powerful new ways.

Enable Modern Applications

Today's applications must be deployed rapidly. They must scale by demand. And they must work reliably on multiple devices, in multiple data-center or cloud environments, and with multiple programming languages. By reimagining application lifecycle management, you can increase developer and IT productivity and ensure greater availability for your applications.

Unlock Insights on Any Data

Because of lower storage costs and growing data volumes, businesses are processing larger volumes and varieties of data and asking new questions. You can explore all types of data, including rich third-party data sources, through immersive experiences and gain new insights for better, faster business decisions.

Empower People-Centric IT

Given the proliferation and range of new devices, today's users must be productive wherever they choose, on whatever device they choose. You can easily manage these devices and securely deliver applications and data in an extended, dynamic environment.

The hybrid cloud addenda are the first steps toward providing architecture guidance and best practices to enable realization of the Cloud OS vision. The key attribute of the Cloud OS vision is hybrid infrastructure, in which customers have the option of leveraging on-premises infrastructure, Windows Azure, or Microsoft hosting-partner infrastructure. The customer IT organization will be both a consumer and provider of services, enabling workload and application development teams to make sourcing selections for services from all three of the possible infrastructures or create solutions that span them.

The following diagram illustrates the infrastructure level, the cloud service catalog space, and examples of application scenarios and service-sourcing selections (for example, a workload team determining if it will use virtual machines that are provisioned on-premises, in Windows Azure, or in a Microsoft hosting partner).

[Diagram: Customer Hybrid Infrastructure. Cloud customers/consumers (publicly facing web application/service, hybrid application, complex multi-tier/multi-datacenter application, legacy LOB application) select from a cloud service catalog of IaaS, PaaS and SaaS services (for example SQL Database, 1 TB raw storage, virtual machines, IIS web sites, Hadoop clusters, Blob storage, Azure Service Bus). The catalog is delivered by three cloud providers, each with its own fabric (compute, storage, network) and fabric management: Windows Azure / Office 365, the enterprise datacenter, and a Microsoft hosting partner. Architect focus at the top: workload, solution and enterprise architects; at the bottom: datacenter/fabric and service architects.]

By having a hybrid infrastructure in place, consumers of IT infrastructure will focus on the service catalog instead of infrastructure. Whereas workloads historically would design their full supporting stack (from hardware through operating system and application stack), workloads in a hybrid environment will draw from the service catalog that is provided by IT, which consists of services that are delivered by the hybrid infrastructure.

As an example, all three infrastructure choices provide virtual machines; but in each case, those virtual machines have different attributes and costs. The consumer will have the choice of which one or which combination to utilize. Some virtual machines might be very low-cost but have limited features available, while others might be higher-cost but support more capability.

3 Windows Azure

Windows Azure is the Microsoft platform for the public cloud. You can use this platform in many different ways. For instance, you can use Windows Azure to build a web application that runs and stores its data in Microsoft data centers. You can use Windows Azure just to store data, with the applications that use this data running on-premises (that is, outside the public cloud). You can use Windows Azure to create virtual machines for development and test or to run production deployments of SharePoint and other applications. You can use Windows Azure to build massively scalable applications that have thousands or millions of users. A detailed description of the Windows Azure services can be found at this link:

Windows Azure provides public-cloud platform as a service (PaaS) and infrastructure as a service (IaaS) with the addition of Windows Azure virtual machines. With the IaaS capability, Windows Azure becomes a core part of the Cloud OS vision. It is critical to have a deep understanding of Windows Azure services and architecture to be able to create hybrid cloud architectures.

Figure 1 Windows Azure

Windows Azure Compute Services

Virtual Machines
Windows Azure Virtual Machines enable you to deploy a Windows Server or Linux image in the cloud. You can select images from a gallery or bring your own customized images.

Cloud Services
Windows Azure Cloud Services remove the need to manage server infrastructure. With web and worker roles, they enable you to quickly build, deploy, and manage modern applications.

Web Sites
Windows Azure Web Sites enables you to deploy web applications on a scalable and reliable cloud infrastructure. You can quickly scale up and out or even scale automatically to meet your application needs.

Mobile Services
Windows Azure Mobile Services provides a scalable cloud backend for building Windows Store, Windows Phone, Apple iOS, Android, and HTML/JavaScript applications. Store data in the cloud, authenticate users, and send push notifications to your application within minutes.

3.2 Windows Azure Data Services

Storage
Windows Azure Storage offers non-relational data storage including Blob, Table, Queue, and Drive storage.

SQL Database
Windows Azure SQL Database is a relational database service that enables you to rapidly create, extend, and scale relational applications into the cloud.

SQL Reporting
Windows Azure SQL Reporting allows you to build easily accessible reporting capabilities into your Windows Azure application. You can get up and running in hours versus days at a lower upfront cost without the hassle of maintaining your own reporting infrastructure.

Backup
Windows Azure Backup manages cloud backups through familiar tools in Windows Server 2012, Windows Server 2012 Essentials, or System Center 2012 Data Protection Manager.

Cache
Windows Azure Cache is a distributed, in-memory, scalable solution that enables you to build highly scalable and responsive applications by providing super-fast access to data.

HDInsight
Windows Azure HDInsight Service is a Hadoop-based service that brings an Apache Hadoop solution to the cloud. Gain full value of Big Data with a cloud-based data platform that manages data of any type and any size.

Hyper-V Recovery Manager

Hyper-V Recovery Manager helps to protect your important services by coordinating the replication and recovery of System Center 2012 private clouds at a secondary location.

3.3 Windows Azure Network Services

Virtual Network
Windows Azure Virtual Network enables you to create Virtual Private Networks (VPN) within Windows Azure and securely link these with on-premises IT infrastructure.

Traffic Manager
Windows Azure Traffic Manager allows you to load-balance incoming traffic across multiple hosted Windows Azure services whether they're running in the same datacenter or across different datacenters around the world.

3.4 Windows Azure Application Services

Active Directory
Windows Azure Active Directory provides identity management and access control capabilities for your cloud applications. You can synchronize your on-premises identities and enable single sign-on to simplify user access to cloud applications.

Multi-Factor Authentication
Windows Azure Multi-Factor Authentication helps prevent unauthorized access to on-premises and cloud applications by providing an additional layer of authentication. Follow organizational security and compliance standards while also addressing user demand for convenient access.

Service Bus
Windows Azure Service Bus is a messaging infrastructure that sits between applications, allowing them to exchange messages for improved scale and resiliency.

Notification Hubs
Notification Hubs provide a highly scalable, cross-platform push notification infrastructure that enables you to either broadcast push notifications to millions of users at once or tailor notifications to individual users.

BizTalk Services
Windows Azure BizTalk Services is a powerful and extensible cloud-based integration service that provides Business-to-Business (B2B) and Enterprise Application Integration (EAI) capabilities for delivering cloud and hybrid integration solutions.

Media Services

Windows Azure Media Services offer cloud-based media solutions from many existing technologies including ingest, encoding, format conversion, content protection, and both on-demand and live streaming capabilities.

Windows Azure provides a robust set of training and documentation in the Windows Azure Training Kit:

- Windows Azure Training Kit website available at Link.
- Windows Azure Training Kit presentations are available at Link.
- Windows Azure Training Kit demos are available at Link.

3.5 Windows Azure Accounts and Subscriptions

A Windows Azure subscription grants you access to Windows Azure services and to the Windows Azure Management Portal. The terms of the Windows Azure account, which is acquired through the Windows Azure Account Portal, determine the scope of activities that you can perform in the Management Portal and describe the limits on available storage, network, and compute resources.

In the Management Portal, you see only the services that are created by using a subscription for which you are an administrator. The billing account sets the number of compute units (virtual machines), hosted services, and storage that can be used. You can view usage information for a service by clicking the service in the Management Portal.

A Windows Azure subscription has two aspects:

- The Windows Azure account, through which resource usage is reported and services are billed. Each account is identified by a Windows Live ID or corporate account and is associated with at least one subscription. The account owner monitors usage and manages billings through the Windows Azure Account Center.
- The subscription itself, which governs access to and use of the Windows Azure subscribed service. The subscription holder uses the Management Portal to manage services.

The account and the subscription can be managed by the same individual or by different individuals or groups. In a corporate enrollment, an account owner might create multiple subscriptions to give members of the technical staff access to services. Because resource usage within an account billing is reported for each subscription, an organization can use subscriptions to track expenses for projects, departments, regional offices, and so forth. In this scenario, the account owner uses the Windows Live ID that is associated with the account to sign in to the Windows Azure Account Center. However, this individual does not have access to the Management Portal unless he or she has created a subscription for him- or herself.

Subscriptions that are created through a corporate enrollment are based on credentials that the organization provides. In this scenario, the subscription holder who uses the services but is not responsible for billings has access to the Management Portal but not to the Windows Azure Account Center. By contrast, the personal account holder who performs both duties can sign in to either portal by using the Windows Live ID that is associated with the account.

By default, Windows Azure subscriptions have the following boundaries:

- 20 storage accounts (soft limit)
- 200 terabytes (TB) per storage account
- 50 virtual machines in cloud service
- 25 PaaS roles in cloud service (soft limit)
- 20 cloud services per subscription (soft limit)
- 250 endpoints per cloud service
- 1,024 virtual machines in a virtual network

Sharing Service Management by Adding Co-Administrators

When a Windows Azure subscription is created, a service administrator is assigned. The default service administrator is the contact person for the subscription. For an individual subscription, this is the person who holds the Windows Live ID that identifies the subscription. The Windows Azure account owner can assign a different service administrator by editing the subscription in the Windows Azure Account Center.

The service administrator for a subscription has full administrator rights to all Windows Azure services that are subscribed to and all hosted services that are deployed under the subscription. The service administrator also can perform administrative tasks for the subscription itself in the Management Portal. For example, the service administrator can manage storage accounts, affinity groups, and management certificates for the subscription.

To share management of hosted services, the service administrator can add co-administrators to the subscription. To be added as a co-administrator, a person needs only a Windows Live ID. Subscription co-administrators share the same administrator rights as the service administrator, with one exception: a co-administrator cannot remove the service administrator from a subscription. Only the Windows Azure account owner can change the service administrator for a subscription, by editing the subscription in the Windows Azure Account Center.

Important: Because service administrators and co-administrators in Windows Azure have broad Administrator rights for Windows Azure services, you should assign strong passwords for the Windows Live IDs that identify the subscribers and ensure that the credentials are not shared with unauthorized users.

Note that in the Management Portal, the enterprise account owner only has the rights that are granted to any subscription holder. To sign in to the Management Portal, the account owner must be an administrator for a subscription. As soon as an account owner has signed in to the Management Portal, the account owner will be able to see and manage only those hosted services that have been created under subscriptions for which he or she is an administrator. Enterprise account owners cannot see hosted services for subscriptions that they create for other people. To gain visibility into service management under subscriptions that they create, enterprise account owners can ask the subscription holders to add them as co-administrators.

3.5.2 Manage Storage Accounts for Your Subscription

Add storage accounts to a Windows Azure subscription to provide access to Windows Azure storage services. The storage account represents the highest level of the namespace for accessing each of the storage-service components: Blob services, Queue services, and Table services. Each storage account provides access to storage in a specific geographic region or affinity group.

Create Affinity Groups to Use with Storage Accounts and Hosted Services

By using affinity groups, you can co-locate storage and hosted services within the same data center. To use an affinity group with a hosted service, assign an affinity group instead of a geographic region when you create the service. The same option is available when you create a storage account. You cannot change the affinity group for an existing hosted service or storage account.

Add Management Certificates to a Windows Azure Subscription

Management certificates enable client access to Windows Azure resources when using the Windows Azure SDK tools, the Windows Azure Tools for Microsoft Visual Studio, or the Windows Azure Service Management REST API. For example, a management certificate is used to authenticate the user when creating and managing hosted services by using Visual Studio tools or when deploying virtual machine role images by using Windows PowerShell or command-line tools.

Management certificates are not required when you work in the Management Portal. In the Management Portal, authentication is performed by using the credentials of the administrator who is performing the operation.

3.6 Creating and Managing Windows Azure Environments

Getting started with Windows Azure is relatively straightforward on an individual or small-business basis. However, for enterprise scenarios, proper management and utilization of the preceding constructs is critical from security, administration, and billing standpoints. As an example, the following diagram illustrates a simple scenario in which the Finance department utilizes a combination of billing accounts, Windows Azure subscriptions, Windows Azure Service Administrators, and Windows Azure Co-Administrators to model development, test, and production environments in Windows Azure:

[Diagram: a Finance cost center with one Azure billing account, divided into Finance Dev, Finance Test and Finance Prod. Azure subscriptions: App1 Dev, App2 Dev, Test, App1 Prod, App2 Prod. Azure service administrators: Dev1, Dev3, Test1, Ops1, Ops3. Azure co-administrators: Dev2, Dev4, Test2, Ops2, Ops4.]

During creation of Windows Azure environments for medium- and large-size organizations, careful planning of the billing and administration scope is required. The preceding diagram outlines an example of how to model an organization that wants centralized billing but with different organizational units to manage and track its Windows Azure usage.

It is important to realize that in many areas, a Windows Azure subscription and the resources (networks, virtual machines, and so on) within that subscription have access boundaries. Communication between resources in two different subscriptions is not possible except by configuring publicly accessible endpoints or utilizing Windows Azure virtual private network (VPN) functionality to connect the on-premises data center to each subscription and routing traffic between the two. (This will be covered in more detail throughout this document.)

Related to billing accounts and subscriptions, administrator and co-administrator management is also a key consideration in designing Windows Azure environments. While use of a Microsoft account and Windows Live ID represents the default scenario, there are also options for federating an on-premises instance of Active Directory with Windows Azure Active Directory for a variety of scenarios, including management of administrative access to Windows Azure subscriptions.

If the customer uses an on-premises directory service, you can integrate it with their Windows Azure Active Directory tenant to automate cloud-based administrative tasks and provide users with a more streamlined sign-in experience. Windows Azure Active Directory supports the following two directory-integration capabilities:

- Directory synchronization: used to synchronize on-premises directory objects (such as users, groups, and contacts) to the cloud to help reduce administrative overhead. Directory synchronization is also referred to as directory sync. After directory synchronization has been set up, administrators will be able to provision directory objects from the on-premises instance of Active Directory into their tenant.
- Single sign-on (SSO): used to provide users with a more seamless authentication experience as they access Microsoft cloud services while they are logged on to the corporate network. To set up SSO, organizations must deploy a security-token service on premises. After SSO has been set up, users will be able to use their Active Directory corporate credentials (user name and password) to access the services in the cloud and in their existing on-premises resources.

Design Guidance

Example of how to use Windows Azure accounts and subscriptions for a development scenario: Development and Test on Windows Azure Virtual Machines

3.7 Windows Azure Service-Level Agreements (SLAs)

For the most up-to-date information on Windows Azure service-level agreements (SLAs), refer to the following link:

Caching

We guarantee at least 99.9% of the time that customers will have connectivity between the Caching endpoints and our Internet gateway. SLA calculations will be based on an average over a monthly billing cycle, with five-minute time intervals. Download Caching SLA

CDN

We guarantee that at least 99.9% of the time CDN will respond to client requests and deliver the requested content without error. We will review and accept data from any commercially reasonable independent measurement system that you choose to monitor your content. You must select a set of agents from the measurement system's list of standard agents that are generally available and represent at least five geographically diverse locations in major worldwide metropolitan areas (excluding PR of China). Download CDN SLA

Cloud Services, Virtual Machines, and Virtual Network

For Cloud Services, we guarantee that when you deploy two or more role instances in different fault and upgrade domains, your Internet-facing roles will have external connectivity at least 99.95% of the time. For all Internet-facing Virtual Machines that have two or more instances deployed in the same Availability Set, we guarantee you will have external connectivity at least 99.95% of the time. For Virtual Network, we guarantee a 99.9% Virtual Network Gateway availability. Download Cloud Services, Virtual Machines, and Virtual Network SLA

Media Services

We guarantee 99.9% availability of REST API transactions for Media Services Encoding. On-Demand Streaming will successfully service requests with a 99.9% availability guarantee for existing media content when at least one On-Demand Streaming Reserved Unit is purchased. Availability is calculated over a monthly billing cycle. Download Media Services SLA

Mobile Services

We guarantee 99.9% availability of REST API calls to all provisioned Windows Azure Mobile Services running in Standard and Premium tiers in a customer subscription. No SLA is provided for the Free tier of Mobile Services. Availability is calculated over a monthly billing cycle. Download Mobile Services SLA.

3.7.6 Multi-Factor Authentication

We guarantee 99.9% availability of Windows Azure Multi-Factor Authentication. The service is considered unavailable when it is unable to receive or process authentication requests for the Multi-Factor authentication provider deployed in a customer subscription. Availability is calculated over a monthly billing cycle. Download Multi-Factor Authentication SLA

Service Bus

For Service Bus Relays, we guarantee that at least 99.9% of the time, properly configured applications will be able to establish a connection to a deployed Relay. For Service Bus Queues and Topics, we guarantee that at least 99.9% of the time, properly configured applications will be able to send or receive messages or perform other operations on a deployed Queue or Topic. For Service Bus Basic and Standard Notification Hub tiers, we guarantee that at least 99.9% of the time, properly configured applications will be able to send notifications or perform registration management operations with respect to a Notification Hub deployed within a Basic or Standard Notification Hub Tier. Download Service Bus SLA

SQL Database

SQL Database customers will have connectivity between the database and our Internet gateway. SQL Database will maintain a Monthly Availability of 99.9% during a billing month. Monthly Availability Percentage for a specific customer database is the ratio of the time the database was available to customer to the total time in the billing month. Time is measured in five-minute intervals in a 30-day monthly cycle. Availability is always calculated for a full billing month. An interval is marked as unavailable if the customer's attempts to connect to a database are rejected by the SQL Database gateway. Download SQL Database SLA

SQL Reporting

SQL Reporting will maintain a Monthly Availability of 99.9% during a billing month. Monthly Availability Percentage is the ratio of the total time the customer's SQL Reporting instances were available to the total time the instances were deployed in the billing month. Time is measured in 5-minute intervals. Availability is always calculated for a full billing month. An interval is marked as unavailable if the customer's initiated attempts to upload, execute or delete reports fail to ever complete due to circumstances within Microsoft's control. Download SQL Reporting SLA

Storage

We guarantee that at least 99.9% of the time we will successfully process correctly formatted requests that we receive to add, update, read and delete data. We also guarantee that your storage accounts will have connectivity to our Internet gateway. Download Storage SLA.
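The five-minute-interval measure in the SQL Database SLA text above can be reproduced from a customer's own connection log. The following Python code is an added example, not part of the original document or any Microsoft tooling. The log format, the sample lines, all function names, and the rule that a single rejected attempt marks its whole interval unavailable are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from math import floor

INTERVAL = timedelta(minutes=5)       # page: time is measured in five-minute intervals
CYCLE = timedelta(days=30)            # page: 30-day monthly cycle
SLA_TARGET = 99.9                     # page: Monthly Availability of 99.9%
TOTAL_INTERVALS = CYCLE // INTERVAL   # 8640 intervals per cycle

# Constructed sample: "<ISO timestamp> <OK|REJECTED>", one connection attempt per line.
CYCLE_START = datetime(2014, 11, 1)
SAMPLE_LOG = """\
2014-10-31T23:59:59 REJECTED   # before the cycle starts: ignored
2014-11-03T10:01:10 OK
2014-11-03T10:02:30 REJECTED   # same interval as the OK above
2014-11-03T10:04:59 REJECTED   # still the same interval
2014-11-03T10:05:00 REJECTED   # first second of the next interval
2014-11-03T10:11:00 OK
2014-11-17T23:58:00 REJECTED
2014-12-01T00:00:00 REJECTED   # cycle start + 30 days: outside the cycle
"""


def parse_attempts(text):
    """Return a list of (timestamp, rejected) pairs from the constructed log format."""
    attempts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and blank lines
        if not line:
            continue
        stamp, result = line.split()
        if result not in ("OK", "REJECTED"):
            raise ValueError("unknown result: " + result)
        attempts.append((datetime.fromisoformat(stamp), result == "REJECTED"))
    return attempts


def unavailable_intervals(attempts, cycle_start):
    """Indexes of five-minute intervals containing at least one rejected attempt.

    Assumption: one rejection marks the interval unavailable, even if other
    attempts in the same interval succeeded.
    """
    bad = set()
    for when, rejected in attempts:
        offset = when - cycle_start
        if rejected and timedelta(0) <= offset < CYCLE:
            bad.add(offset // INTERVAL)       # timedelta // timedelta gives an int
    return bad


def monthly_availability(attempts, cycle_start):
    """Available intervals as a percentage of all intervals in the 30-day cycle."""
    bad = unavailable_intervals(attempts, cycle_start)
    return 100.0 * (TOTAL_INTERVALS - len(bad)) / TOTAL_INTERVALS


def interval_budget(target=SLA_TARGET):
    """Largest number of unavailable intervals that still meets the target."""
    return floor(TOTAL_INTERVALS * (100.0 - target) / 100.0 + 1e-9)


def sla_report(attempts, cycle_start, target=SLA_TARGET):
    """Summarise one billing cycle against the availability target."""
    bad = unavailable_intervals(attempts, cycle_start)
    return {
        "unavailable_intervals": len(bad),
        "budget": interval_budget(target),
        "availability": monthly_availability(attempts, cycle_start),
        "meets_sla": len(bad) <= interval_budget(target),
    }


if __name__ == "__main__":
    print(sla_report(parse_attempts(SAMPLE_LOG), CYCLE_START))
```

At a 99.9% target the budget is eight unavailable intervals (40 minutes) per 30-day cycle, so short, scattered rejections consume it faster than one contiguous outage of the same total length.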

19 Web Sites Windows Azure Web Sites running in the Standard tier will respond to client requests 99.9% of the time for a given billing month. Monthly availability is calculated as the ratio of the total time the customer s Standard web sites were available to the total time the web sites were deployed in the billing month. The web site is deemed unavailable if the web site fails to respond due to circumstances within Microsoft s control. Download Web Sites SLA. 3.8 Windows Azure Pricing Windows Azure pricing is based on utilization, with different metrics and pricing, and depending on the Windows Azure service or resource (storage, virtual machines, and so on). For details on pricing and pricing calculators, refer to the following link: There are different payment models, from pay-as-you-go to prepaid plans. 4 Extending the network to Windows Azure As customers move to a hybrid cloud architecture, a primary scenario is extending their datacenter fabric (compute, storage, or network) to the cloud. There are technical (burst capacity, backup and DR, and so on) and financial (usage-based costing) reasons for doing so. Extending the fabric to the cloud can be performed in a number of different ways, such as utilizing Windows Azure, a Microsoft hosting partner, or a competitor s cloud services (such as from Amazon or Google). Over time, it will also be quite common for large customers to use a mix of all of these approaches. For the purposes of this document, the two approaches that will be covered will extend to Windows Azure or Microsoft hosting partners. 4.1 Storage Windows Azure Storage This section provides information about using Windows Azure Storage Services to store and access data. 
The Windows Azure Storage services consist of the following:
Blobs: Used to store unstructured binary and text data
Queues: Used to store messages that may be accessed by a client and provide reliable messaging between role instances
Tables: Used to store non-relational structured data
Windows Azure drives: Used to mount an NTFS file-system volume that is accessible to code that is running in your Windows Azure service

In addition to the Windows Azure storage services, Microsoft's acquisition of StorSimple provides a new hybrid cloud storage solution that integrates on-premises storage with Windows Azure storage services. Additionally, multiple Microsoft partners and independent software vendors (ISVs) such as CommVault and STEALTH also deliver solutions that integrate with Windows Azure.

Storage Windows Azure Storage Services
Windows Azure storage services underpin all of the PaaS and IaaS storage needs in Windows Azure. While the Windows Azure storage services are typically used in PaaS scenarios by application developers, they are relevant to IaaS, because all Windows Azure disks and images (including virtual machine VHD files) utilize the underlying Windows Azure storage services, such as blob storage and storage accounts.

Windows Azure Blob storage is a service for storing large amounts of unstructured data that can be accessed from anywhere in the world via HTTP or HTTPS. A single blob can be hundreds of gigabytes in size, and a single storage account can contain up to 100 TB of blobs. Common uses of Blob storage include:
Serving images or documents directly to a browser.
Storing files for distributed access.
Streaming video and audio.
Performing secure backup and disaster recovery.
Storing data for analysis by an on-premises or Windows Azure hosted service.

You can use Blob storage to expose data publicly to the world or privately for internal application storage. The Blob service contains the following components:
Storage Account: All access to Windows Azure Storage is done through a storage account. This is the highest level of the namespace for accessing blobs. An account can contain an unlimited number of containers, as long as their total size is under 100 TB.
Container: A container provides a grouping of a set of blobs.
All blobs must be in a container. An account can contain an unlimited number of containers. A container can store an unlimited number of blobs within the 100-TB storage-account limit.
Blob: A file of any type and size within the overall size limits that are outlined in this section. You can store two types of blobs in Windows Azure Storage: block blobs and page blobs. Most files are block blobs. A single block blob can be up to 200 GB in size. Page blobs can be up to 1 TB in size and are more efficient when ranges of bytes in a file are modified frequently. For more information about blobs, see Migrating Data to Windows Azure Blob Storage.
URL format: Blobs are addressable by using the following URL format: <account>.blob.core.windows.net/<container>/<blob>

For a detailed view of the Windows Azure storage-service architecture, the following resources are highly recommended:
Windows Azure Storage: A Highly Available Cloud Storage Service with Strong Consistency
Paper:
Slides:

Recording:

Windows Azure storage services are critical in a hybrid cloud scenario because all data that is stored in Windows Azure, including IaaS virtual machine VHD files, utilizes the underlying Windows Azure storage services, which distribute data across multiple disks and data centers that are transparent to the running virtual machines. Each individual storage account has the following scalability targets:
Capacity: Up to 200 TB
Transactions: Up to 20,000 entities/messages/blobs per second
Bandwidth for a Geo Redundant storage account
  o Ingress: up to 5 gigabits per second
  o Egress: up to 10 gigabits per second
Bandwidth for a Locally Redundant storage account
  o Ingress: up to 10 gigabits per second
  o Egress: up to 15 gigabits per second

Note: The actual transaction and bandwidth targets that are achieved by your storage account will very much depend upon the size of objects, access patterns, and the type of workload that your application exhibits. To go above these targets, a service should be built to use multiple storage accounts and partition the blob containers, tables, queues, and objects across those storage accounts. By default, a single Windows Azure subscription gets 20 storage accounts. However, you can contact customer support to get more storage accounts if you have to store more data than that (for example, petabytes of data).

Planning the usage of storage accounts for deployed virtual machines and services is a key design consideration.

Virtual Hard Drives (VHDs)
Drives, disks, and images are all virtual hard drives (VHDs) that are stored as page blobs within your storage account. There are actually several slightly different VHD formats: fixed, dynamic, and differencing. Currently, Windows Azure supports only the format that is named fixed. This format lays out the logical disk linearly within the file format, so that disk offset X is stored at blob offset X. At the end of the blob, a small footer describes the properties of the VHD.
All of this, which is stored in the page blob, adheres to the standard VHD format, so that you can take this VHD and mount it on your server on-premises if you choose to. Often, the fixed format wastes space, because most disks have large unused ranges in them. However, we store our fixed VHDs as a page blob, which is a sparse format, so that we get the benefits of both the fixed and the expandable disks at the same time.

Storage Replication
Windows Azure storage services provide several options for data redundancy and replication, some of which are enabled by default and included in the base pricing. For storage pricing information, refer to

Locally Redundant Storage (LRS)
Locally redundant storage provides highly durable and available storage within a single location (sub-region). Windows Azure maintains an equivalent of three copies (replicas) of your data within the primary location, as described in the previously linked Symposium on Operating Systems Principles (SOSP) paper; this ensures that Windows Azure can recover from common failures (disk, node, rack) without affecting your storage account's availability and durability. All storage writes are performed synchronously across three replicas in three separate fault domains before success is returned to the client. If there were to be a major data center disaster, in which part of a data center were lost, Microsoft would contact customers about potential data loss for LRS by using the customer's subscription contact information.

Geo Redundant Storage (GRS)
Geo Redundant Storage provides Windows Azure's highest level of durability by additionally storing your data in a second location (sub-region) within the same region, hundreds of miles away from the primary location. All Windows Azure Blob and Table data is geo-replicated. However, Queue data is not geo-replicated at this time. With Geo Redundant Storage, Windows Azure maintains three copies (replicas) of the data in both the primary location and the secondary location. This ensures that each data center can recover from common failures on its own and provides a geo-replicated copy of the data in case of a major disaster. As in LRS, data updates are committed to the primary location before success is returned to the client. After this has been completed with GRS, these updates will be geo-replicated asynchronously to the secondary location.

Primary Region      Secondary Region
North Central US    South Central US
South Central US    North Central US
East US             West US
West US             East US
North Europe        West Europe
West Europe         North Europe
South East Asia     East Asia
East Asia           South East Asia

GRS is enabled by default for all storage accounts that are in production today. You can choose to disable this default state by turning off geo-replication in the Windows Azure portal for your accounts. You can also configure your redundant storage option when you create a new account via the Windows Azure Portal. For further details on GRS, see the following blog post:

IMPORTANT: Geo-redundant storage is not compatible or supported when OS disk striping is utilized. For example, if you are using 16 1-TB disks in a virtual machine and using operating system striping to create a single 16-TB volume in the virtual machine, the storage must be locally redundant only.

Storage StorSimple
StorSimple, a Microsoft company, is the leading vendor of cloud-integrated storage. StorSimple solutions combine the data-management functions of primary storage, backup, archive, and disaster recovery (DR) with Windows Azure integration, enabling customers to optimize storage costs, data protection, and service agility. With its unique cloud-snapshot capability, StorSimple automatically protects and rapidly restores production data by using Windows Azure storage.

The StorSimple solution combines a number of storage technologies, including Internet SCSI (iSCSI) Storage Area Network (SAN), snapshot, backup, deduplication, and compression with storage services that are offered by cloud service providers. StorSimple solutions seamlessly integrate advanced SAN technologies such as SSDs, SAS, automated storage tiering, deduplication, compression, and encryption with cloud storage to reduce the storage footprint significantly and lower both capital expenditure (CapEx) and operating expenditure (OpEx).

With StorSimple, Microsoft has a strong solution for storage tiering (automatically optimizing the use of storage options with different cost or performance, based on data usage) that is also integrated tightly with Windows Azure storage.
This significant new competitive advantage opens up a large number of architecture scenarios.

NOTE: StorSimple is currently a hardware storage appliance available from Microsoft/StorSimple. The appliance acts as an iSCSI target for on-premises servers and provides several tiers of on-premises storage (SSD, SAS) while also natively integrating with Windows Azure storage.

StorSimple consolidates primary storage, archive, backup, and DR through seamless integration with the cloud. By combining StorSimple software and a custom-designed enterprise-grade hardware platform, StorSimple solutions provide high performance for primary storage and enable revolutionary speed, simplicity, and reliability for backup and recovery.

[Figure: application servers connected to a StorSimple CiS appliance. Most active data on the SSD and SAS local tier; inactive data and backup copies in Azure Storage. Caption: Speed of SSD/SAN + Elasticity of Cloud.]

Infrastructure consolidation. StorSimple solutions consolidate primary storage, archival, backup and disaster recovery through seamless integration with the cloud.
Simpler, faster backup & recovery. StorSimple cloud-based snapshots enable revolutionary speed, simplicity, and reliability for backup and recovery. Users can achieve up to 100x faster data recovery vs. traditional backup methods used in the cloud.
Secure data storage. StorSimple applies AES-256 encryption for all data transferred and stored in the cloud using a private key that is known only to customers.
Lower overall storage costs. By integrating the cloud with local enterprise storage, StorSimple can reduce total storage costs by 60 to 80%.

StorSimple solutions use cloud storage as an automated storage tier, offloading capacity-management burdens and ongoing capital costs.
Using local and cloud snapshots, application-consistent backups complete in a fraction of the time that traditional backup systems require, while reducing the amount of data that is transferred and stored in the cloud.
Cloud-based and location-independent DR allows customers to recover their data from virtually any location that has an Internet connection and test their DR plans without affecting production systems and applications.
Thin restore from data in the cloud enables users to resume operations after a disaster much faster than possible with physical or cloud-based tape.

Appliance Model*

Capacity
Usable local hard-drive capacity: 2 TB | 4 TB | 10 TB | 20 TB
SSD (Enterprise MLC [eMLC]) physical capacity: 400 GB | 600 GB | 1.2 TB | 2 TB
Effective local capacity**: 4 10 TB 8 20 TB TB TB
Maximum capacity: 100 TB | 200 TB | 300 TB | 500 TB

High-Availability Features
Dual, redundant, hot-swappable, power-cooling modules (PCMs): W PCMs, VAC W and W PCMs, VAC
Network interfaces: 4 1 gigabit per second (Gbps) copper
Controllers: Dual, redundant, hot-swappable, active, or hot-standby controllers with automatic failover
RAID protection: Yes, including SAS hot-spare

Storage Features
iSCSI with multipath IO support: Yes
Primary data reduction: Yes
Acceleration: Nonvolatile random-access memory (NVRAM), SSD, cloud-storage acceleration
Microsoft certification: Microsoft Windows Hardware Quality Labs (WHQL)
VMware certification: Yes, VMware vSphere versions 4.1 and 5.1
Support for VMware vStorage APIs for Array Integration (VAAI): Yes (pending future certification)
Automatic storage tiering: SSD, SAS, and cloud storage
Adaptive I/O processing: Yes, optimizes IO performance of mixed-pattern workloads
Data portability: Yes, access data sets across StorSimple appliances

Data-Protection Features
Local backups: Yes, by using snapshots
Offsite backups or tape elimination: Yes, by using cloud snapshots and cloud clones
Microsoft VSS application-consistent backups: Yes, by using Data Protection Console and hardware VSS provider
Windows Cluster Shared Volumes (CSV) and dynamic disk support: Yes; backup CSV, mirrored dynamic disks, multi-partition disks
Protected storage migration: By using Windows host-side mirroring; allows online backups and nondisruptive cutover

Security Features
Virtual private storage: Yes
Data-in-motion encryption: HTTPS/Secure Socket Layer (SSL)
Data-at-rest encryption: AES-256-CBC
Volume access control: IQN, CHAP
Additional security features: Multiple user accounts (local and Active Directory), role-based access, secure web proxy support

Manageability and Serviceability
Nondisruptive software upgrade: Yes, updates and new releases
Hot-swappable components: Controllers, power and cooling modules, NVRAM batteries, SSD, and SAS drives
Management and monitoring: Integrated web GUI, alerts with call-home, Simple Network Management Protocol (SNMP) v1/v2c

Hardware Footprint
Form factor: 2U rack-mountable appliance | 4U rack-mountable appliance
Dimensions (L W H [in inches]):

The StorSimple solution uses the industry-standard iSCSI SAN protocol to connect to servers. iSCSI is easily configured for use with both Microsoft and VMware servers and is widely understood by storage administrators.

StorSimple is intended to run as primary storage for enterprise tier 2 applications, including , file shares, Microsoft SharePoint, content management systems, virtual machines, and large unstructured data repositories. It is not built for latency-sensitive applications such as online transaction processing.

The StorSimple solution uses three different types of storage: performance-oriented flash SSDs, capacity-oriented SAS disk drives, and cloud storage. Data is moved from one type of storage to another according to its relative activity level and customer-chosen policies. Data that becomes more active is moved to a faster type of storage and data that becomes less active is moved to a higher capacity type of storage. There are four logical tiers in the system, two at the SSD level and one each in the SAS and cloud storage levels:

Tier Name   Storage Type   Data Activity           Reduction Applied
Native      SSD            New, most active        None
Hot         SSD            Existing, most active   Deduplication
Warm        SAS            Between hot and cool    Full
Cool        Cloud          Least active            Full

The fourth column in the preceding table indicates the type of data-reduction technology that is used in the various tiers. The native tier has none, the hot tier uses deduplication (or "dedupe"), and the warm and cool tiers use full reduction, which means that data is both compressed and deduped. Notice that the progression from native tier to warm tier implies that data is first deduped before it is compressed.

Dedupe reduces the amount of data stored in the system by identifying data duplicates and removing excess copies. Dedupe is particularly effective in virtual server environments. Compression reduces the amount of data stored in the system by identifying strings of repeated data values and replacing them with encoded shorthand.

Another capacity-conserving technology in the StorSimple solution is thin provisioning, which allocates storage capacity as it is needed, as opposed to reserving capacity in advance.
All storage in StorSimple is thinly provisioned.

StorSimple provides a broad set of data-management tools that enable customers to use Windows Azure cloud storage in ways that are familiar to them, including archive and backup storage.

Cloud snapshots are point-in-time copies of data that are stored in cool tiers in the cloud. All cloud snapshots are fully reduced (deduped and compressed) to minimize the amount of storage that is consumed.

Cloud data reduction and cloud storage wide-area network (WAN) optimization refers to the fact that data that is transferred and stored in the cloud by a StorSimple solution already has been fully reduced. This minimizes the cost of cloud storage and the transaction costs and WAN bandwidth that are associated with storing data in the cloud.

Cloud tier refers to the automated use of cloud storage as the cool tier in a StorSimple system. Data that is ranked lowest is sent to a cool tier in the cloud, where it remains until it is accessed again and promoted to the warm tier.

StorSimple systems provide volume-level cloud mapping between storage volumes on StorSimple systems and the Windows Azure public cloud. Different volumes can have cool tiers on the same or different Windows Azure storage.

Every StorSimple system keeps a metadata map that describes the state of the system and provides an image of the volume's contents at the time that a snapshot is taken. This map is typically 0.1% of the size of the stored data.

AES-256 encryption is applied to all data that is transmitted and stored in the cloud by the StorSimple solution to ensure its security. SHA-256 hashing is applied to all data that is transmitted and stored in the cloud as a means to guarantee data integrity.

Cloud clones are the equivalent of a synthetic full backup that has all of the current data for a volume at the time of the last snapshot. They are stored in the cool tier for use in disaster-recovery scenarios, but they occupy separate repositories from cloud snapshots and can reside within the same or a different cloud service as the volume's cloud snapshots. The following figure shows that cloud clones are located in different repositories from cloud snapshots and that they can use the same or a different cloud service.

A thin restore is a disaster-recovery process whereby a StorSimple system downloads data from the cloud. The first thing that is downloaded is the metadata map, after which users and applications can start accessing their working sets and download them. As data is downloaded, it is ranked and placed in the appropriate tier.
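The pipeline described in this section (dedupe first, then compression, SHA-256 integrity hashing, and a metadata map that a thin restore downloads before any data) can be modelled in a short Python sketch. This is an added illustration, not StorSimple code: the chunk size, the class and function names, and the use of the SHA-256 digest as the dedupe key are assumptions, and the AES-256 encryption step is left out.

```python
import hashlib
import zlib

CHUNK_SIZE = 4096  # assumed chunk size for this model


class IntegrityError(Exception):
    """Raised when a downloaded chunk does not match its recorded digest."""


class CloudTier:
    """Stand-in for the cloud cool tier: reduced chunks keyed by SHA-256 digest."""

    def __init__(self):
        self.objects = {}   # hex digest -> compressed chunk
        self.downloads = 0  # number of chunks fetched by restores

    def get(self, digest: str) -> bytes:
        self.downloads += 1
        return self.objects[digest]


def cloud_snapshot(volume: bytes, cloud: CloudTier) -> list:
    """Dedupe each chunk, compress the new ones, and return the metadata map."""
    metadata_map = []
    for offset in range(0, len(volume), CHUNK_SIZE):
        chunk = volume[offset:offset + CHUNK_SIZE]
        digest = hashlib.sha256(chunk).hexdigest()
        if digest not in cloud.objects:                   # dedupe comes first
            cloud.objects[digest] = zlib.compress(chunk)  # then compression
        metadata_map.append(digest)
    return metadata_map


class ThinRestore:
    """Serve reads from the metadata map, fetching a chunk only when accessed."""

    def __init__(self, metadata_map: list, cloud: CloudTier):
        self.metadata_map = metadata_map
        self.cloud = cloud
        self.local = {}  # chunk index -> verified chunk held locally

    def read_chunk(self, index: int) -> bytes:
        if index not in self.local:
            expected = self.metadata_map[index]
            data = zlib.decompress(self.cloud.get(expected))
            if hashlib.sha256(data).hexdigest() != expected:
                raise IntegrityError(f"chunk {index} failed SHA-256 verification")
            self.local[index] = data
        return self.local[index]


def sample_volume() -> bytes:
    """Constructed 6-chunk volume with only three distinct chunks (A B A A C B)."""
    a = b"\x41" * CHUNK_SIZE
    b = b"\x42" * CHUNK_SIZE
    c = bytes(range(256)) * (CHUNK_SIZE // 256)
    return a + b + a + a + c + b


if __name__ == "__main__":
    cloud = CloudTier()
    meta = cloud_snapshot(sample_volume(), cloud)
    print(f"{len(meta)} chunks in the map, {len(cloud.objects)} objects stored")
    restore = ThinRestore(meta, cloud)
    restore.read_chunk(4)  # only the accessed working set is downloaded
    print(f"chunks downloaded after one read: {cloud.downloads}")
    # Simulate modification of a stored object, then read the affected chunk.
    cloud.objects[meta[1]] = zlib.compress(b"\x00" * CHUNK_SIZE)
    try:
        restore.read_chunk(1)
    except IntegrityError as exc:
        print(f"rejected: {exc}")
```

The digest check is only as trustworthy as the metadata map it reads from, so the sketch assumes the map itself arrives from an authenticated source.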

Thin restores tend to have extremely short Recovery Time Objectives (RTOs), because systems can begin accessing data after the metadata map has been downloaded. Thin restores do not restore cool data that does not belong to any working sets.

Location-independent recovery refers to the ability to perform thin restores from any location that has a suitable Internet connection. This differs from legacy DR operations, which are restricted to having to run at specific recovery sites. Location independence adds an additional level of redundancy to the recovery process and does not require the capital investment that traditional replication solutions do. A customer who has multiple data-center locations can use StorSimple systems running in any of those locations to recover from disasters in any of the other sites. Similarly, a single StorSimple system can act as a spare for any of the others, providing an extremely cost-effective DR implementation.

4.2 Compute Windows Azure IaaS
There are a number of compute-related services in Windows Azure, including web and worker roles, cloud services, and HDInsight. The focus of this paper is hybrid cloud IaaS. Although some of the other compute capabilities will be covered briefly, the focus will be on Windows Azure IaaS virtual machines.

Windows Azure Cloud Service
When you create a virtual machine or application and run it in Windows Azure, the virtual machine or the code and configuration together are called a Windows Azure cloud service.

By creating a cloud service, you can deploy multiple virtual machines or a multi-tier application in Windows Azure, defining multiple roles to distribute processing and allow flexible scaling of your application. A cloud service can consist of one or more virtual machines or web roles and worker roles, each of which has its own application files and configuration.

Windows Azure virtual machines must be contained within cloud services. A single Windows Azure subscription by default is limited to 20 cloud services, and each cloud service can include up to 50 virtual machines.

Windows Azure Virtual Machine
An IaaS virtual machine in Windows Azure is a persistent virtual machine in the cloud that you can control and manage. After you create a virtual machine in Windows Azure, you can delete and recreate it whenever you have to, and you can access the virtual machine just like any other server. Virtual hard disks (.vhd files) are used to create a virtual machine. You can use the following types of virtual hard disks to create a virtual machine:
Image: a template that you use to create a new virtual machine. An image does not have specific settings such as the computer name and user account settings that a running virtual machine has. If you use an image to create a virtual machine, an operating system disk is created automatically for the new virtual machine.
Disk: a VHD that you can start and mount as a running version of an operating system. After an image has been provisioned, it becomes a disk. A disk is always created when you use an image to create a virtual machine. Any VHD that is attached to virtualized hardware and running as part of a service is a disk.

You can use the following options to create a virtual machine from an image:
Create a virtual machine by using a platform image from the Windows Azure Management Portal.
Create and upload a .vhd file that contains an image to Windows Azure, and then use the uploaded image to create a virtual machine.
Windows Azure provides specific combinations of central processing unit (CPU) cores and memory for IaaS virtual machines. These combinations are known as virtual machine sizes. When you create a virtual machine, you select a specific size. This size can be changed after deployment. The sizes that are available for virtual machines are the following:

Virtual Machine Size | CPU Cores | Memory | Disk Space for Cloud Services | Disk Space for Virtual Machines | Maximum Data Disks (1 TB Each) | Maximum IOPS (500 Maximum per Disk)
ExtraSmall Shared 768 MB 19 GB 20 GB
Small GB 224 GB 70 GB
Medium GB 489 GB 135 GB
Large 4 7 GB 999 GB 285 GB
ExtraLarge 8 14 GB 2,039 GB 605 GB
A GB 4 4 x 500
A GB 999 GB 285 GB
A GB 2,039 GB 605 GB
Source: Virtual Machine Sizes

IMPORTANT: Note that virtual machines will begin to incur cost as soon as they are provisioned, regardless of whether or not they are turned on.

Windows Azure Virtual Machine Storage
A Windows Azure virtual machine is created from an image or a disk. All virtual machines use one operating system disk, a temporary local disk, and possibly multiple data disks. All images and disks, except for the temporary local disk, are created from VHDs, which are .vhd files that are stored as page blobs in a storage account in Windows Azure. You can use platform images that are available in Windows Azure to create virtual machines, or you can upload your own images to create customized virtual machines. The disks that are created from images are also stored in Windows Azure storage. You can create new virtual machines easily by using existing disks.

VHD Files
A .vhd file is stored as a page blob in Windows Azure storage and can be used for creating images, operating system disks, or data disks in Windows Azure. You can upload a .vhd file to Windows Azure and manage it just as you would any other page blob. The .vhd files can be copied or moved, and they can be deleted as long as a lease does not exist on the VHD.

A VHD can be in either a fixed format or a dynamic format; currently, however, only the fixed format of .vhd files is supported in Windows Azure. The fixed format lays out the logical disk linearly within the file, so that disk offset X is stored at blob offset X. At the end of the blob, a small footer describes the properties of the VHD. Often, the fixed format wastes space because most disks contain large unused ranges. However, in Windows Azure, fixed .vhd files are stored in a sparse format, so that you receive the benefits of both the fixed and dynamic disks at the same time.
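The fixed layout described here and in the earlier Virtual Hard Drives section (disk data from offset 0, a 512-byte footer at the end of the blob) can be checked before a .vhd file is uploaded. The Python sketch below is an added example, not part of the original document or of any Microsoft tool: the footer field layout comes from the published VHD format specification, the function names are hypothetical, and the 127 GB and 1 TB limits are the operating system and data disk maximums this document states, read here as binary units (an assumption).

```python
import struct

FOOTER_LEN = 512
# Big-endian footer fields in the order given by the VHD format specification.
FOOTER_FMT = ">8sIIQI4sI4sQQHBBII16sB427x"
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
GIB = 1024 ** 3
# Size limits stated in this document; binary units are an assumption.
MAX_SIZE = {"os": 127 * GIB, "data": 1024 * GIB}


def footer_checksum(footer: bytes) -> int:
    """One's complement of the byte sum, skipping the checksum field (64..67)."""
    return ~(sum(footer[:64]) + sum(footer[68:])) & 0xFFFFFFFF


def check_vhd(head: bytes, footer: bytes, blob_len: int, role: str = "data") -> list:
    """Validate the first 8 bytes, last 512 bytes and total length of an image.

    Returns a list of problems; an empty list means the image matches the
    fixed VHD layout and the size limit for the given role ("os" or "data").
    """
    if head[:8] == b"vhdxfile":
        return ["VHDX image: not supported, convert to VHD"]
    if len(footer) != FOOTER_LEN or footer[:8] != b"conectix":
        return ["no VHD footer ('conectix' cookie) in the last 512 bytes"]
    fields = struct.unpack(FOOTER_FMT, footer)
    current_size, disk_type, stored_sum = fields[9], fields[13], fields[14]
    problems = []
    if stored_sum != footer_checksum(footer):
        problems.append("footer checksum mismatch: footer corrupt or modified")
    kind = DISK_TYPES.get(disk_type, f"unknown({disk_type})")
    if kind != "fixed":
        problems.append(f"disk type is {kind}, not fixed")
    elif blob_len != current_size + FOOTER_LEN:
        # Fixed layout: disk offset X sits at blob offset X, footer comes last.
        problems.append("length is not disk size + 512-byte footer")
    if current_size > MAX_SIZE[role]:
        problems.append(f"disk size exceeds the {role} disk limit")
    return problems


def build_footer(size: int, disk_type: int = 2) -> bytes:
    """Build a footer for constructed test data (not taken from a real disk)."""
    data_offset = 0xFFFFFFFFFFFFFFFF if disk_type == 2 else FOOTER_LEN
    raw = struct.pack(FOOTER_FMT, b"conectix", 2, 0x00010000, data_offset, 0,
                      b"demo", 0x00010000, b"Wi2k", size, size, 0, 0, 0,
                      disk_type, 0, bytes(16), 0)
    return raw[:64] + struct.pack(">I", footer_checksum(raw)) + raw[68:]


if __name__ == "__main__":
    mib = 1024 ** 2
    samples = {
        "fixed 1 MiB data disk": (b"\0" * 8, build_footer(mib), mib + 512, "data"),
        "dynamic disk": (b"conectix", build_footer(mib, 3), 3 * 512, "data"),
        "128 GiB OS disk": (b"\0" * 8, build_footer(128 * GIB), 128 * GIB + 512, "os"),
        "VHDX file": (b"vhdxfile", b"", 4 * mib, "data"),
    }
    for name, args in samples.items():
        print(f"{name}: {check_vhd(*args) or 'ok'}")
```

For a real file, pass its first 8 bytes, its last 512 bytes and its total length; the disk contents never need to be read.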
When you create a virtual machine from an image, a disk is created for the virtual machine, which is a copy of the original .vhd file. To protect against accidental deletion, a lease is created if you create an image, an operating system disk, or a data disk from a .vhd file.

Before you can delete the original .vhd file, you must first delete the disk or image to remove the lease. To delete a .vhd file that is being used by a virtual machine as an operating system disk, you must delete the virtual machine, delete the operating system disk, and then delete the original .vhd file. To delete a .vhd file that is used as a source for a data disk, you must detach the disk from the virtual machine, delete the disk, and then delete the .vhd file.

Design Guidance
Note that Windows Azure virtual machines do not support the VHDX format. Ensure that any virtual machines or images that are planned for use in or migration to Windows Azure use the VHD format.
Note that if a VHD file on-premises is a dynamic VHD, it is converted to fixed when it is uploaded to Windows Azure.
VHD files can be created on-premises by using Hyper-V or Disk Manager and uploaded to Windows Azure. Uploaded VHDs can then be added as disks.

Images
An image is a .vhd file that you can use as a template to create a new virtual machine. An image is a template because it does not have specific settings such as the computer name and user account settings that a configured virtual machine does. You can use images from the Image Gallery to create virtual machines, or you can create your own images.

The Windows Azure Management Portal enables you to choose from several platform images to create a virtual machine. These images contain the Windows Server 2008 R2 operating system, Windows Server 2012 operating system, and several distributions of the Linux operating system. A platform image can also contain applications, such as SQL Server.

To create a Windows Server image, you must run the Sysprep command on your development server to generalize and shut it down before you can upload the .vhd file that contains the operating system.

Design Guidance
Custom operating system images for Windows or Linux can be created on-premises and uploaded to Windows Azure.
Customer base images can be utilized if they have been sysprepped and are using operating systems that are supported in Windows Azure.
Virtual machine images can be made to domain-join Windows Azure hosted or VPN-connected Active Directory domains.
Consider the storage locations of images in Windows Azure in terms of where virtual machines will be provisioned, so that images do not have to be copied across data centers.

Disks
You use disks in different ways with a virtual machine in Windows Azure. An operating system disk is a VHD that you use to provide an operating system for a virtual machine. A data disk is a VHD that you attach to a virtual machine to store application data. You can create and delete disks whenever you have to.

You can choose from among multiple ways to create disks, depending on the needs of your application. For example, a typical way to create an operating system disk is to use an image from the Image Gallery when you create a virtual machine, and an operating system disk is created for you. You can create a data disk by attaching an empty disk to a virtual machine, and a new data disk is created for you. You can also create a disk by using a VHD file that has been uploaded or copied to a storage account in your subscription. You cannot use the portal to upload VHD files, but you can use other tools that work with Windows Azure storage, including the Windows Azure PowerShell cmdlets, to upload or copy the file.

Operating System Disk
Every virtual machine has one operating system disk. You can upload a VHD that can be used as an operating system disk, or you can create a virtual machine from an image, and a disk is created for you. An operating system disk is a VHD that you can start and mount as a running version of an operating system. Any VHD that is attached to virtualized hardware and running as part of a service is an operating system disk. The maximum size of an operating system disk can be 127 GB.

When an operating system disk is created in Windows Azure, three copies of the disk are created for high durability. Additionally, if you choose to use DR that is geo-replication based, your VHD is also replicated at a distance of more than 400 miles away. Operating system disks are registered as Serial Advanced Technology Attachment (SATA) drives and labeled as drive C.

Data Disk
A data disk is a VHD that can be attached to a running virtual machine to store application data persistently. You can upload and attach to the virtual machine a data disk that already contains data, or you can use the Windows Azure Management Portal to attach an empty disk to the virtual machine.
The maximum size of a data disk is 1 TB; you are limited in the number of disks that you can attach to a virtual machine, based on the size of the virtual machine. Data disks are registered as SCSI drives, and you can make them available for use within the operating system by using the Disk Manager in Windows. The maximum number of data disks per virtual machine size was shown in the preceding table. If multiple data disks are attached to a virtual machine, striping inside the virtual machine operating system can be utilized to create a single volume on the multiple attached disks (a volume of up to 16 TB that consists of a stripe of 16 1-TB data disks). As mentioned previously, use of operating system striping is not possible with geo-redundant data disks. Temporary Local Disk Each virtual machine that you create has a temporary local disk, which is labeled as drive D. This disk exists only on the physical host server on which the virtual machine is running; it is not stored in blobs on Windows Azure storage. This disk is used by applications and processes that are running in the virtual machine for transient and temporary storage of data. It is used also to store page files for the operating system. Note that any data will not survive a host-machine failure or any other operation that requires moving the virtual machine to another piece of hardware. Use of the letter D for the drive is by default. You can change the letter by using the following workaround: 1. Deploy the virtual machine normally, with or without the second data disk attached. (The data disk initially will be drive E, if it is a formatted volume.) Page 32

2. Move the pagefile from drive D to drive C.
3. Reboot the virtual machine.
4. Swap the drive letters on the current drives D and E.
5. Optionally, move the pagefile back to the resource drive (now drive E).

If the virtual machine is resized or moved to new hardware for service healing, the drive naming will stay in place. The data disk will stay at drive D, and the resource disk will always be the first available drive letter (which would be E, in this example).

Host Caching

The operating system disk and the data disk each have a host-caching setting (sometimes called host-cache mode) that enables improved performance under some circumstances. However, these settings can have a negative effect on performance in other circumstances, depending on the application. By default, host caching is OFF for both read operations and write operations for data disks. Host caching is ON by default for read and write operations for operating system disks.

RDP and Remote Windows PowerShell

New virtual machines that are created through the Windows Azure Management Portal will have both RDP and Remote Windows PowerShell available.

Windows Azure Virtual Machine Placement and Affinity Groups

Using affinity groups is how you group the services in your Windows Azure subscription that must work together to achieve optimal performance. When you create an affinity group, it lets Windows Azure know to keep all of the services that belong to your affinity group running at the same data-center cluster. For example, if you wanted to keep different virtual machines close together (within the same data center), you would specify the same affinity group for those virtual machines and associated storage. That way, when you deploy those virtual machines, Windows Azure will locate them in a data center as close to each other as possible. This reduces latency and increases performance, while potentially lowering costs.
Affinity groups are defined at the subscription level, and the name of each affinity group has to be unique within the subscription. When you create a new resource, you can either use an affinity group that you previously created or create a new one.

Windows Azure Endpoints and ACLs

When you create a virtual machine, it is fully accessible from any of your other virtual machines that are within the Windows Azure virtual network to which it is connected. All protocols such as TCP, UDP, and Internet Control Message Protocol (ICMP) are supported within the local virtual network. Virtual machines on your virtual network are automatically given an internal IP address from a private range (RFC 1918) that you defined when you created the network.

To provide access to your virtual machines from outside of your virtual network, you will have to use the external IP address and configure public endpoints. These endpoints are similar to firewall and port forwarding rules and can be configured in the Windows Azure portal. By default, when they are created by using the Windows Azure Management Portal, ports for both RDP and Remote Windows PowerShell are opened. These ports use random public-port addresses, which are mapped to the correct ports on the virtual machines. You can remove these preconfigured endpoints if you have network connectivity via a VPN.

A Network Access Control List (ACL) is a security enhancement available for your Windows Azure deployment. An ACL provides the ability to selectively permit or deny traffic for a virtual machine endpoint. This packet filtering capability provides an additional layer of security. Currently, you can specify network ACLs for virtual machine endpoints only. You cannot specify an ACL for a virtual network or a specific subnet contained in a virtual network.

Using Network ACLs, you can do the following:

- Selectively permit or deny incoming traffic based on remote subnet IPv4 address range to a virtual machine input endpoint
- Blacklist IP addresses
- Create multiple rules per virtual machine endpoint
- Specify up to 50 ACL rules per virtual machine endpoint
- Use rule ordering to ensure the correct set of rules are applied on a given virtual machine endpoint (lowest to highest)
- Specify an ACL for a specific remote subnet IPv4 address

An ACL is an object that contains a list of rules. When you create an ACL and apply it to a virtual machine endpoint, packet filtering takes place on the host node of your VM. This means the traffic from remote IP addresses is filtered by the host node for matching ACL rules instead of on your VM. This prevents your VM from spending the precious CPU cycles on packet filtering.
When a virtual machine is created, a default ACL is put in place to block all incoming traffic. However, if an endpoint is created for (port 3389), then the default ACL is modified to allow all inbound traffic for that endpoint. Inbound traffic from any remote subnet is then allowed to that endpoint and no firewall provisioning is required. All other ports are blocked for inbound traffic unless endpoints are created for those ports. Outbound traffic is allowed by default.

You can selectively permit or deny network traffic for a virtual machine input endpoint by creating rules that specify permit or deny. It's important to note that by default, when an endpoint is created, all traffic is denied to the endpoint. For that reason, it's important to understand how to create permit/deny rules and place them in the proper order of precedence if you want granular control over the network traffic that you choose to allow to reach the virtual machine endpoint.

Points to consider:

1. No ACL: By default when an endpoint is created, we permit all for the endpoint.
2. Permit: When you add one or more permit ranges, you are denying all other ranges by default. Only packets from the permitted IP range will be able to communicate with the virtual machine endpoint.

3. Deny: When you add one or more deny ranges, you are permitting all other ranges of traffic by default.
4. Combination of Permit and Deny: You can use a combination of permit and deny when you want to carve out a specific IP range to be permitted or denied.

Network ACLs can be set up on specific virtual machine endpoints. For example, you can specify a network ACL for an RDP endpoint created on a virtual machine which locks down access for certain IP addresses. The table below shows a way to grant access to public virtual IPs (VIPs) of a certain range to permit access for RDP. All other remote IPs are denied. We follow a "lowest takes precedence" rule order.

Network ACLs can be specified on a Load Balanced set (LB Set) endpoint. If an ACL is specified for a LB Set, the Network ACL is applied to all Virtual Machines in that LB Set. For example, if a LB Set is created with Port 80 and the LB Set contains 3 VMs, the Network ACL created on endpoint Port 80 of one VM will automatically apply to the other VMs.
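The four "points to consider" and the lowest-takes-precedence rule order, modelled as an added example (it is not code from the original document or from Microsoft). The `Rule` type, the endpoint names, the documentation-range addresses, the use of port 5986 for Remote PowerShell, and the choice to treat a mixed permit/deny list as deny-by-default (following point 2) are assumptions made for illustration.

```python
"""Model of the endpoint ACL behaviour described above (illustrative only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_RULES = 50                    # per-endpoint rule limit stated in the text
MANAGEMENT_PORTS = {3389, 5986}   # RDP; WinRM over HTTPS (Remote PowerShell)


@dataclass(frozen=True)
class Rule:
    order: int    # lower numbers are evaluated first
    subnet: str   # remote IPv4 subnet in CIDR notation
    action: str   # "permit" or "deny"


def default_action(rules):
    """Implicit action for traffic that matches no rule on the endpoint."""
    if not rules:
        return "permit"           # point 1: no ACL, permit all
    # Point 2: any permit range denies all other ranges.
    # Point 3: a deny-only list permits all other ranges.
    # Assumption: a list that mixes both follows point 2.
    if any(r.action == "permit" for r in rules):
        return "deny"
    return "permit"


def evaluate(rules, remote_ip):
    """Return "permit" or "deny" for one remote address on one endpoint."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"{len(rules)} rules exceeds the limit of {MAX_RULES}")
    addr = ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.order):
        if addr in ip_network(rule.subnet, strict=False):
            return rule.action    # first match in ascending order wins
    return default_action(rules)


def audit(endpoints):
    """Return (endpoint name, finding) pairs that a reviewer should look at."""
    findings = []
    for ep in endpoints:
        rules = sorted(ep["acl"], key=lambda r: r.order)
        # A management port whose implicit default is permit is reachable
        # from every remote address that no rule mentions.
        if ep["private_port"] in MANAGEMENT_PORTS and default_action(rules) == "permit":
            findings.append((ep["name"], "management port reachable from unlisted addresses"))
        # A rule whose subnet lies inside an earlier rule's subnet is never reached.
        for i, rule in enumerate(rules):
            net = ip_network(rule.subnet, strict=False)
            for earlier in rules[:i]:
                if net.subnet_of(ip_network(earlier.subnet, strict=False)):
                    findings.append(
                        (ep["name"], f"rule {rule.order} never matches: covered by rule {earlier.order}"))
                    break
    return findings


# Constructed sample data: hypothetical endpoints, RFC 5737 documentation ranges.
SAMPLE_ENDPOINTS = [
    {"name": "web01-rdp", "private_port": 3389, "acl": []},
    {"name": "web02-rdp", "private_port": 3389, "acl": [
        Rule(100, "203.0.113.0/24", "permit")]},
    {"name": "web03-rdp", "private_port": 3389, "acl": [   # mis-ordered carve-out
        Rule(100, "203.0.113.0/24", "permit"),
        Rule(200, "203.0.113.64/26", "deny")]},
    {"name": "web04-ps", "private_port": 5986, "acl": [    # deny-only list
        Rule(100, "198.51.100.0/24", "deny")]},
    {"name": "app01-rdp", "private_port": 3389, "acl": [   # correctly ordered carve-out
        Rule(100, "203.0.113.64/26", "deny"),
        Rule(200, "203.0.113.0/24", "permit")]},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ENDPOINTS):
        print(f"{name}: {finding}")
    for ip in ("203.0.113.5", "203.0.113.70", "192.0.2.1"):
        print(ip, evaluate(SAMPLE_ENDPOINTS[4]["acl"], ip))
```

In the mis-ordered case (`web03-rdp`) the deny rule sits behind a broader permit rule, so the address it was meant to exclude is still permitted; swapping the order numbers, as in `app01-rdp`, produces the intended carve-out.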

4.2.6 Windows Azure Virtual Machine High Availability (HA)

You can ensure the availability of your application by using multiple Windows Azure virtual machines. By using multiple virtual machines in your application, you can make sure that your application is available during local network failures, local disk-hardware failures, and any planned downtime that the platform might require. You manage the availability of your application that uses multiple virtual machines by adding the virtual machines to an availability set. Availability sets are directly related to fault domains and update domains.

A fault domain in Windows Azure is defined by avoiding single points of failure, like the network switch or power unit of a rack of servers. In fact, a fault domain is closely equivalent to a rack of physical servers. When multiple virtual machines are connected together in a cloud service, an availability set can be used to ensure that the virtual machines are located in different fault domains. The following diagram shows two availability sets, each of which contains two virtual machines.

Windows Azure periodically updates the operating system that hosts the instances of an application. A virtual machine is shut down when an update is applied. An update domain is used to ensure that not all of the virtual machine instances are updated at the same time. When you assign multiple virtual machines to an availability set, Windows Azure ensures that the virtual machines are assigned to different update domains. The previous diagram shows two virtual machines running Internet Information Services (IIS) in separate update domains and two virtual machines running SQL Server also in separate update domains.

IMPORTANT: The Windows Azure virtual machine high availability (HA) concepts are not the same as on-premises Hyper-V. Windows Azure does not support live migration or movement of running virtual machines.
For HA, multiple virtual machines per application or role must be created, and Windows Azure constructs such as availability groups and load balancing must be utilized. Each application that is being considered for deployment must be analyzed to determine how HA features of Windows Azure can be utilized. If a given application cannot use multiple roles or instances for HA (meaning that a single virtual machine that is running the application must be online at all times), Windows Azure cannot support that requirement.

You should use a combination of availability sets and load-balancing endpoints (discussed in subsequent sections) to help ensure that your application is always available and running efficiently. For more information on Windows Azure host updates and how they affect virtual machines and services, refer to the following:

Windows Azure Host Updates

Design Guidance

For each workload that is deployed in Windows Azure virtual machines and each tier of that workload, strongly consider deploying an availability set for each tier and two or more virtual machines for the tier that is within that availability set. This provides virtual machine HA through host updates and other scheduled fabric-level maintenance. For data-center and geographic resiliency, ensure that geo-replication is enabled for storage. Consider the use of affinity groups to ensure that related virtual machines and resources are located within the same data center, while using geo-replication for availability across data centers. Remember that host maintenance activities can take down any individual virtual machine, so that workloads that are hosted in Windows Azure likely will require workload-level HA, such as load balancing.

Windows Azure Virtual Machine Load Balancing

External communication with virtual machines can occur through Windows Azure endpoints. These endpoints are used for different purposes, such as load-balanced traffic or direct virtual machine connectivity like RDP or SSH. You define endpoints that are associated with specific ports and are assigned a specific communication protocol. An endpoint can be assigned a protocol of TCP or UDP (the TCP protocol includes HTTP and HTTPS traffic). Each endpoint that is defined for a virtual machine is assigned a public and private port for communication. The private port is defined for setting up communication rules on the virtual machine, and the public port is used by Windows Azure to communicate with the virtual machine from external resources.

If you configure it, Windows Azure provides round-robin load balancing of network traffic to publicly defined ports of a cloud service. When your cloud service contains instances of web roles or worker roles, you enable this load balancing by setting the number of instances that are running in the service to greater than or equal to two and by defining a public endpoint in the service definition. For virtual machines, you can set up load balancing by creating new virtual machines, connecting them under a cloud service, and adding load-balanced endpoints to the virtual machines.

A load-balanced endpoint is a specific TCP or UDP endpoint that is used by all virtual machines that are contained in a cloud service. The following image shows a load-balanced endpoint that is shared among three virtual machines and uses a public and private port of 80:

A virtual machine must be in a healthy state to receive network traffic. You can optionally define your own method for determining the health of the virtual machine by adding a load-balancing probe to the load-balanced endpoint. Windows Azure probes for a response from the virtual machine every 15 seconds and takes a virtual machine out of the rotation if no response has been received after two probes. You must use Windows PowerShell to define probes on the load balancer.

Design Guidance

Load balancing is required for any workload or service that must remain online through host or virtual machine maintenance.

LoadBalancerProbe Schema

4.2.8 Limitations of Windows Azure IaaS Virtual Machines

While Windows Azure IaaS virtual machines are full running instances of Windows or Linux from an operating system perspective, in some cases, because they are virtual machines or are running on a cloud infrastructure, some operating system features and capabilities might not be supported. The following table provides examples of Windows operating system features that are not supported in Windows Azure virtual machines:

| OS Roles/Features Not Supported in Azure IaaS VMs | Explanation |
|---|---|
| Hyper-V | It is not supported to run Hyper-V within a virtual machine that is already running on Hyper-V. |
| Dynamic Host Configuration Protocol (DHCP) | Windows Azure virtual machines do not support broadcast traffic to other virtual machines. |
| Failover clustering | Windows Azure does not handle clustering's virtual or floating IP addressing for network resources. |
| BitLocker on operating system disk | Windows Azure does not support Trusted Platform Module (TPM). |
| Client operating systems | Windows Azure licensing does not support client operating systems. |
| Virtual Desktop Infrastructure (VDI) using RDS | Windows Azure licensing does not support the running of VDI virtual machines through RDS. |

Additionally, over time, more Microsoft applications are being tested and supported for deployment in Windows Azure virtual machines. The following Microsoft Knowledge Base (KB) article contains the list of Microsoft software that is supported in Windows Azure virtual machines.

Microsoft Software Supported in Windows Azure Virtual Machines

4.3 Compute PaaS

While this document is primarily IaaS focused, it is important to understand the basics of compute in the PaaS scenario. Windows Azure PaaS currently supports the following types of roles:

- Web role: A web role is a role that is customized for web application programming as supported by IIS 7 and ASP.NET. The benefit of using this type of role is that the IIS setup is done for you. This role is best used for providing a web-based front end for your cloud service. It is not suited for long-running processes.
- Worker role: A worker role is a role that is useful for generalized development and can perform background processing for a web role. When you need a background process that performs long-running or intermittent tasks, you should use this role.

The preceding roles can also be used for other application development platforms, such as Java, Node.js, and Python.

A cloud service in Windows Azure consists of an application that is designed to run in the cloud service by using web roles, worker roles, and XML configuration files that define how the cloud service should run. The service model is determined by the settings that are listed in the ServiceDefinition.csdef file and configured in the ServiceConfiguration.cscfg file. The definition file is packaged with the role binaries when the application is prepared for deployment. The ServiceConfiguration.cscfg file is deployed with the package and is used by Windows Azure to determine how the application should run. By defining settings in the ServiceDefinition.csdef file, you can define the roles and resources for an application.

An application that runs as a cloud service in Windows Azure implements one or more instances of the available role types. Within Windows Azure, running instances of a role are replicated across multiple computers to implement all or part of the functionality of the cloud service.
4.4 Compute Azure HDInsight (Hadoop)

While this document is primarily IaaS focused, it is important to understand the basics of compute in an HDInsight (Hadoop) scenario. Windows Azure HDInsight Service is a service that deploys and provisions Apache Hadoop clusters in the cloud, providing a software framework that is designed to manage, analyze, and report on big data.

Big Data

Data is described as "big data" to indicate that it is being collected in ever-escalating volumes, at increasingly high velocities, and for a widening variety of unstructured formats and variable semantic contexts. Collection of big data does not provide value to an enterprise on its own. Not only must the right questions be asked and data that is relevant to the issues be collected: For big data to provide value in the form of actionable intelligence or insight, it must be accessible, cleaned, analyzed, and presented in a useful way, often in combination with data from various sources.

Apache Hadoop

Apache Hadoop is a software framework that facilitates big-data management and analysis. The Apache Hadoop core provides reliable data storage with the Hadoop Distributed File System (HDFS) and a simple MapReduce programming model to process and analyze in parallel the data that is stored in this distributed system. HDFS uses data replication to address hardware failure issues that arise when such highly distributed systems are deployed.

MapReduce

To simplify the complexities of analyzing unstructured data from various sources, the MapReduce programming model provides a core abstraction that provides closure for map and reduce operations. The MapReduce programming model views all of its jobs as computations over key-value pair (KVP) datasets; thus, both input and output files must contain datasets that consist only of KVPs. Other Hadoop-related projects such as Pig and Hive are built on top of HDFS and the MapReduce framework and are used to provide a simpler way to manage a cluster than working with the MapReduce programs directly. For example, Pig enables you to write programs in JavaScript that are compiled to MapReduce programs on the cluster. It also provides fluent controls to manage data flow. Hive provides a table abstraction for data in files that are stored in a cluster that can be queried by using SQL-like statements.

The HDInsight Service

The HDInsight Service for Windows Azure makes Apache Hadoop available as a service in the cloud. It makes available the HDFS and MapReduce software framework and related projects in a simpler, more scalable, and cost-efficient environment. One of the efficiencies that is introduced by the HDInsight Service is how it manages and stores data. The HDInsight Service uses Windows Azure Blob Storage as the default file system. Windows Azure Blob Storage and HDFS are distinct file systems that are optimized, respectively, for the storage of data and for computations on that data:

- Windows Azure Blob Storage provides a highly scalable and available, low-cost, long-term, and shareable storage option for data that is to be processed by using the HDInsight Service.
- The Hadoop clusters that are deployed by the HDInsight Service on HDFS are optimized for running MapReduce computational tasks on the data.

HDInsight Service clusters are deployed in Windows Azure on compute nodes to run MapReduce tasks, and they can be dropped by users as soon as these tasks have been completed. Keeping the data in the HDFS clusters after computations have been completed would be an expensive way to store this data. Windows Azure Blob Storage is a robust, general-purpose Windows Azure storage solution, so that storing data in Blob Storage enables the clusters that are used for computation to be deleted safely without loss of user data. However, Blob Storage is not just a low-cost solution. Windows Azure Vault Storage (ASV) provides a fully featured HDFS file-system interface for Blob Storage that provides a seamless experience to customers by enabling the full set of components in the Hadoop ecosystem to operate (by default) directly on the data that is managed by Blob Storage.

To simplify the configuring, running, and post-processing of Hadoop jobs, the HDInsight Service provides JavaScript and Hive interactive consoles. The JavaScript console is unique to HDInsight. It implements and makes available JavaScript, Pig, and the Hadoop file-system commands from the console. This simplified JavaScript approach enables IT professionals, database professionals, and a wider group of developers to deal with big-data management and analysis by providing a more accessible path for them to begin using the Hadoop framework.

In addition to the available Apache Hadoop-related ecosystem projects, the HDInsight Service for Windows Azure provides Open Database Connectivity (ODBC) drivers to integrate Business Intelligence (BI) tools such as Excel, SQL Server Analysis Services, and Reporting Services, facilitating and simplifying end-to-end data analysis.

Design Guidance

Introduction to Windows Azure HDInsight Service

Getting Started with Windows Azure HDInsight Service

Compute Windows Azure and High-Performance Computing (HPC)

The Windows Azure HPC Scheduler SDK includes modules and features that developers can use to create Windows Azure deployments that support compute-intensive, parallel applications that can scale when more compute power is available. The Windows Azure HPC Scheduler SDK enables developers to define a Windows Azure deployment that includes built-in job scheduling and resource management; runtime support for Message Passing Interface (MPI), service-oriented architecture (SOA), and parametric sweep applications; web-based job-submission interfaces; and persistent state management of job queue and resource configuration. Applications that have been built by using the on-premises job-submission API in Microsoft HPC Pack can use very similar job-submission interfaces in the Windows Azure HPC Scheduler.

Windows Azure HPC Scheduler

Network

Windows Azure Networking

The Windows Azure network service provides a variety of solutions for network connectivity within Windows Azure, as well as between on-premises infrastructure and Windows Azure. In calendar year 2012, Windows Azure made substantial upgrades to the Windows Azure fabric and network architecture to flatten the design and significantly increase the horizontal (or node-to-node) bandwidth that is available. These upgrades have been described publicly and, along with software improvements, provide significant bandwidth between compute and storage that uses a flat-network topology. The specific implementation of the flat network for Windows Azure is referred to as the Quantum 10 (Q10) network architecture. Q10 provides a fully nonblocking, 10 Gbps-based, fully meshed network, providing an aggregate backplane in excess of 50 terabytes per second (Tbps) of bandwidth for each Windows Azure data center.

Another major improvement in reliability and throughput is moving from a hardware load balancer to a software load balancer. After these upgrades, the storage architecture and design that were described in previous sections were tuned to leverage the new Q10 network fully to provide flat-network storage for Windows Azure Storage. For architectural details of the Q10 design, see VL2: A Scalable and Flexible Data Center Network.

Windows Azure Virtual Network

Windows Azure Virtual Network enables you to create secure site-to-site connectivity and protected private virtual networks in the cloud. You can specify the address space that will be used for both your virtual network and the virtual network gateway. Additionally, new name-resolution features allow you to connect directly to role instances and virtual machines by host name. These features allow you to use Windows Azure as you would a branch office or as a protected private virtual network in the cloud.

Before you configure Windows Azure Virtual Network, you should carefully consider possible scenarios. For this release, it can be difficult to make changes after your virtual network has been created and you have deployed role instances and virtual machines. After this stage of deployment, you cannot easily modify the baseline network configuration, and many values cannot be modified without pulling back roles and virtual machines and then reconfiguring. Therefore, you should not attempt to create a virtual network and then try to adapt the scenario to fit the network.

Scenarios that are enabled by Windows Azure virtual networks include:

- Create secure site-to-site network connectivity between Windows Azure and your on-premises network, effectively creating a virtual branch office or data center in the cloud. This is possible by using a hosted VPN gateway and a supported VPN gateway device (including Windows Server 2012 RRAS).
- Extend your enterprise networks into Windows Azure.
- Migrate existing applications and services to Windows Azure.
- Hostname resolution. You can specify your own on-premises Domain Name System (DNS) server or a dedicated DNS server that is running elsewhere.
- Persistent dynamic IP addresses for virtual machines. This means that the internal IP address of your virtual machines will remain persistent and will not change, even when you restart a virtual machine.
- Join virtual machines that are running in Windows Azure to your domain that is running on-premises.
- Create point-to-site virtual networks, enabling individual workstations to establish VPN connectivity to Windows Azure virtual networks (for example, for developers in a remote site to be able to connect to Windows Azure networks).

Windows Azure virtual networks have the following properties:

- Virtual machines can have only one IP address (or one IP plus a virtual IP, if they are load-balanced).
- Every virtual machine gets an IP from DHCP; static IP addresses are not supported.
- Virtual machines on the same virtual network can communicate.
- Virtual machines on different virtual networks cannot communicate directly.
- Egress traffic from Windows Azure is charged.
- Ingress traffic to Windows Azure is free (not charged).
- All virtual machines by default have Internet access. There is currently no official way to force Internet traffic to go through on-premises devices, such as proxies.
- There is only one virtual gateway per virtual network.

As mentioned previously, virtual networks and subnets in Windows Azure must utilize private (RFC 1918) IP-address ranges.

Windows Azure VPN (Site-to-Site)

You can link your Windows Azure virtual network to an on-premises network via site-to-site VPN connection.

To create a secure VPN connection, the person who will configure the VPN device must coordinate with the person who will create the Management Portal configuration. This coordination is required, because the Management Portal requires IP-address information from the VPN device to start the VPN connection and create the shared key. The shared key is then exported to configure the VPN gateway device and complete the connection.

Sample configuration scripts are available for many, but not all, VPN devices. If your VPN device is in the list of supported devices, you can download the corresponding sample configuration script to help you configure the device. If you do not see your VPN device in the list, your device still might work with Windows Azure virtual network if it satisfies the requirements. For more information, see Requirements for VPN devices.

Windows Azure VPN (Point-to-Site)

The Windows Azure point-to-site VPN allows you to set up VPN connections between individual computers and a Windows Azure virtual network without the need for a VPN device. This feature is called Point-to-Site Virtual Private Networking. It greatly simplifies the setup of secure connections between Windows Azure and client computers, whether from an office environment or from remote locations.

It is especially useful for developers who want to connect to a Windows Azure virtual network (and to the individual virtual machines within it) from either behind a corporate firewall or a remote location. Because the connection is point-to-site, they do not need their IT staff to perform any activities to enable it, and no VPN hardware must be installed or configured. Instead, you can just use the built-in Windows VPN client to tunnel to your virtual network in Windows Azure. This tunnel uses the Secure Sockets Tunneling Protocol (SSTP) and can traverse firewalls and proxies automatically, while giving you complete security.

Here's a visual representation of the point-to-site scenarios enabled:

4.6.4 Affinity Groups

After you have created a virtual network, an affinity group will also be created. When you create resources (such as storage accounts) in Windows Azure, an affinity group will let Windows Azure know that you want to keep these resources located together. When you have an affinity group, you should always reference it when you are creating related resources.

Name Resolution

To refer to virtual machines and role instances within a cloud service by host name directly, Windows Azure provides a name-resolution service. This service is used for internal host-name resolution within a cloud service. The name-resolution service that is provided by Windows Azure is a completely separate service from that which is used to access your public endpoints on the Internet.

Before you deploy role instances or virtual machines, you must consider how you want name resolution to be handled. Two options are available. You can either use internal name resolution that is provided by Windows Azure or choose to specify a DNS server that is not maintained by Windows Azure. Not all configuration options are available for every deployment type. Carefully consider your deployment scenario before you make this choice.

DNS Considerations

Name resolution is an important consideration for virtual network design. Even though you may create a secure site-to-site VPN connection, communication by host name is not possible without name resolution. There are multiple ways to provide name resolution for your Windows Azure virtual network. You can use the name resolution that Windows Azure has provided, or you can use your own DNS server.

When you define a virtual network, Windows Azure will provide a DNS service. However, if you want to use your existing DNS infrastructure, or you have a dependency on Active Directory, you need to define your own. Defining your own in the virtual network configuration doesn't actually create a DNS server. Instead, you are configuring the DHCP service to include the DNS server IP that you define. This DNS server could be a reference to an existing on-premises DNS server, or a new DNS server that you will provision in the cloud.

Configuring your virtual network to use Windows Azure-provided name resolution is a relatively simple option. However, you may require a more full-featured DNS solution in order to support virtual machines or complex configurations. Your choice of name resolution method should be based on the scenario that it will support.
Scenario / Name Resolution / Points to Consider

Scenario: Cross-premises: Name resolution between role instances or virtual machines in Windows Azure and on-premises computers
Name Resolution: DNS solution of your choice (not Windows Azure provided)
Points to Consider: Name resolution (DNS) design; Address space; Supported VPN gateway device; Internet-accessible IP address for your VPN gateway device

Scenario: Cross-premises: Name resolution between on-premises computers and role instances or virtual machines in Windows Azure
Name Resolution: DNS solution of your choice (not Windows Azure provided)
Points to Consider: Name resolution (DNS) design; Address space; Supported VPN gateway device; Internet-accessible IP address for your VPN gateway device

Scenario: Name resolution between role instances located in the same cloud service
Name Resolution: Windows Azure name resolution (internal)
Points to Consider: Name resolution (DNS) design

Scenario: Name resolution between virtual machines located in the same cloud service
Name Resolution: Windows Azure name resolution (internal)
Points to Consider: Name resolution (DNS) design

Scenario: Name resolution between virtual machines and role instances located in the same Virtual Network, but different cloud services
Name Resolution: DNS solution of your choice (not Windows Azure provided)
Points to Consider: Name resolution (DNS) design; Address space; Supported VPN gateway device; Internet-accessible IP address for your VPN gateway device

Scenario: Name resolution between virtual machines and role instances that are located in the same cloud services but not in a Windows Azure virtual network.
Name Resolution: Not applicable
Points to Consider: Virtual machines and role instances cannot be deployed in the same cloud service.

Scenario: Name resolution between role instances that are located in different cloud services but not in a Windows Azure virtual network.
Name Resolution: Not applicable
Points to Consider: Connectivity between virtual machines or role instances in different cloud services is not supported outside a virtual network.

Scenario: Name resolution between virtual machines that are located in the same Windows Azure virtual network.
Name Resolution: DNS solution of your choice (not Windows Azure provided)
Points to Consider: Name-resolution (DNS) design; Address space; Supported VPN gateway device; Internet-accessible IP address for your VPN gateway device

Scenario: Use name resolution to direct traffic between data centers.
See Traffic Manager.

Scenario: Control the distribution of user traffic to Windows Azure hosted services.
See Traffic Manager.

Although Windows Azure-provided name resolution requires very little configuration, it is not the appropriate choice for all deployments. If your network requires name resolution across cloud services or across premises, you must use your own DNS server. If you want to register additional DNS records of your own, you will have to use a DNS solution that is not Windows Azure provided.

Design Guidance

Windows Azure provided DNS considerations

- Host-name resolution is not available between virtual machines or role instances that are distributed across multiple cloud services.
- Name resolution between virtual networks is not available.
- Use of multiple host names for the same virtual machine or role instance is not supported.
- Cross-premises name resolution is not available.
- Reverse lookup (PTR) records are not available.
- The Windows Azure created DNS suffix cannot be modified.
- You cannot register your own records in Windows Azure provided DNS manually.
- WINS and NetBIOS are not supported. (You cannot list your virtual machines in the network browser in Windows Explorer.)
- Host names must be DNS-compatible. (They must use only numbers 0-9, letters a-z, and the dash (-), and they cannot start or end with a dash. See RFC 3696 section 2.)
- DNS query traffic is throttled per virtual machine. If your application performs frequent DNS queries on multiple target names, it is possible for some queries to time out. A possible workaround is to reduce DNS query traffic from each virtual machine and retry the lookup.

Windows Azure Traffic Manager

The Windows Azure Traffic Manager allows you to control the distribution of user traffic to Windows Azure hosted services. The hosted services can be running in the same data center or in different centers around the world. Traffic Manager works by applying an intelligent policy engine to the DNS queries on your domain name(s).

The following conceptual diagram demonstrates Traffic Manager routing. The user uses the company domain and eventually reaches a hosted service to service the request. The Traffic Manager policy dictates which hosted service receives the request. Although Traffic Manager conceptually routes traffic to a given hosted service, the actual process is slightly different because it uses DNS. No actual service traffic routes through Traffic Manager. The user computer calls the hosted service directly when Traffic Manager resolves the DNS entry for the company domain to the IP address of a hosted service.
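Because Traffic Manager only answers DNS queries, a client that has cached an answer keeps calling that hosted service until the entry's TTL expires, even if the service has since failed. The following Python model is an added example, not code from the original document or from Microsoft; the company domain, hosted-service names, documentation-range IP addresses, the 300-second TTL and the first-healthy-in-list policy are assumptions made for illustration.

```python
from dataclasses import dataclass, field

COMPANY_DOMAIN = "www.example.com"        # placeholder: the page's company domain is not shown
TM_DOMAIN = "contoso.trafficmanager.net"  # Traffic Manager domain used on the page


@dataclass
class HostedService:
    dns_name: str           # constructed name
    ip: str                 # constructed, documentation address range
    healthy: bool = True    # monitoring status seen by the policy


@dataclass
class Policy:
    """Stand-in for a Traffic Manager policy: first healthy service in list order."""
    services: list
    ttl: int = 300          # assumed TTL in seconds for the returned answer

    def choose(self):
        for svc in self.services:
            if svc.healthy:
                return svc
        raise LookupError("no healthy hosted service behind " + TM_DOMAIN)


@dataclass
class Client:
    """Client resolver that caches a host entry for the duration of its TTL."""
    policy: Policy
    cache: dict = field(default_factory=dict)   # name -> (ip, expiry time)

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0], "cache"            # the policy is not consulted
        if name != COMPANY_DOMAIN:
            raise LookupError("unknown name: " + name)
        # Company domain -> Traffic Manager domain -> policy -> hosted service -> IP
        svc = self.policy.choose()
        self.cache[name] = (svc.ip, now + self.policy.ttl)
        return svc.ip, "policy"


def simulate_failover(ttl=300, fail_at=60, probes=(0, 120, 299, 300)):
    """Return (time, ip, source, reaches_healthy_service) for each client request."""
    primary = HostedService("svc-primary.example.net", "203.0.113.10")
    secondary = HostedService("svc-secondary.example.net", "198.51.100.20")
    client = Client(Policy([primary, secondary], ttl=ttl))
    by_ip = {primary.ip: primary, secondary.ip: secondary}
    timeline = []
    for now in probes:
        if now >= fail_at:
            primary.healthy = False             # monitoring marks the primary down
        ip, source = client.resolve(COMPANY_DOMAIN, now)
        timeline.append((now, ip, source, by_ip[ip].healthy))
    return timeline


def stale_seconds(ttl, resolved_at, fail_at):
    """Worst-case time a TTL-honouring client keeps calling the failed service."""
    if fail_at <= resolved_at or fail_at >= resolved_at + ttl:
        return 0        # policy already avoided it, or the cached entry had expired
    return resolved_at + ttl - fail_at


if __name__ == "__main__":
    for row in simulate_failover():
        print(row)
    print("stale window (s):", stale_seconds(300, 0, 60))
```

The stale window is bounded by the TTL only for resolvers that honour it, so the TTL chosen for a policy is effectively the lower bound on failover time as seen by clients.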

The numbers in the preceding diagram correspond to the numbered descriptions in the following list:

1. User traffic to company domain: The user requests information by using the company domain name. The typical process to resolve a DNS name to an IP address begins. Company domains must be reserved through normal Internet domain-name registration processes and are maintained outside of Traffic Manager. In this diagram, the company domain is

2. Company domain to Traffic Manager domain: The DNS resource record for the company domain points to a Traffic Manager domain that is maintained in Windows Azure Traffic Manager. In the example, the Traffic Manager domain is contoso.trafficmanager.net.

3. Traffic Manager domain and policy: The Traffic Manager domain is part of the Traffic Manager policy. Traffic enters through the domain. The policy dictates how to route that traffic.

4. Traffic Manager policy rules processed: The Traffic Manager policy uses the chosen load-balance method and monitoring status to determine which Windows Azure hosted service should service the request.

5. Hosted-service domain name sent to user: Traffic Manager returns the DNS name of the chosen hosted service to the user. The user's local DNS resolver resolves the domain to the IP address of a chosen hosted service.

6. User calls hosted service: The user calls the chosen hosted service directly by using the returned IP address. Because the company domain and resolved IP address are cached on the client computer, the user continues to interact with the chosen hosted service until its local DNS cache expires. It is important to note that the client resolver in Windows caches DNS host entries for the duration of their time-to-live (TTL). Whenever you evaluate Traffic Manager policies, retrieving host entries from the cache bypasses the policy, and you can observe unexpected behavior. If the TTL of a DNS host entry in the cache expires, new requests for the same host name should result in the client resolver running a fresh DNS query. However, browsers typically cache these entries for longer periods, even after their TTL has expired. To reflect the behavior of a Traffic Manager policy accurately when accessing the application through a browser, it is necessary to force the browser to clear its DNS cache before each request.

7. Repeat: The process repeats itself when the client's DNS cache expires. The user might receive the IP address of a different hosted service, depending on the load-balancing method that is applied to the policy and the health of the hosted service at the time of the request.

The following items include additional details about this process:

- Load-balancing methods in Windows Azure Traffic Manager
- Monitoring hosted services in Windows Azure Traffic Manager
- Best practices for hosted services and policies when using Windows Azure Traffic Manager
- Operations for Traffic Manager

Design Guidance

For highly available Windows Azure applications and servers that span multiple data centers, utilize Traffic Manager for global load-balancing capability.

Windows Azure Content Delivery Network (CDN)

For awareness purposes, this section describes the Windows Azure Content Delivery Network (CDN).
The Windows Azure CDN offers developers a global solution for delivering high-bandwidth content by caching blobs and static content of compute instances at physical nodes in the United States, Europe, Asia, Australia, and South America. For a current list of CDN node locations, see Windows Azure CDN Node Locations. The benefits of using CDN to cache Windows Azure data include:

- Better performance and user experience for users who are far from a content source and are using applications for which many Internet trips are required to load content.
- Large distributed scale to handle instantaneous high load better (say, at the start of an event such as a product launch).

To use the Windows Azure CDN, you must have a Windows Azure subscription and enable the feature on the storage account or hosted service in the Windows Azure Management Portal. The CDN is an add-on feature to your subscription and has a separate billing plan.

4.7 Identity Management

IMPORTANT: Identity Management is a critical topic in any hybrid cloud scenario. This document is focused on hybrid cloud IaaS; it does not include a full discussion of identity management in a hybrid cloud scenario or the wide range of on-premises and Windows Azure based identity-related solutions. These topics will be covered in complementary PLA documents in the future.

The increasing number of cloud services such as Office 365, Windows Intune, and others, many of which span on-premises and public cloud, makes identity management a key consideration. Each of these services now utilizes Windows Azure Active Directory (detailed in the next section).

You can get a Windows Azure Active Directory tenant either by signing up for a Microsoft cloud service that you want to start using or evaluating or by creating one with your Windows Azure subscription. The first time that you sign up for a Microsoft cloud service such as Windows Azure Active Directory, Office 365, Windows Intune, or sign up for Windows Azure as an organization, you are prompted to provide details about your organization and your organization's Internet domain-name registration. This information is then used to create a new tenant for your organization in Windows Azure Active Directory.
You have to sign up for a Windows Azure Active Directory tenant only once, and then you can sign in to that same tenant when you want to subscribe to multiple Microsoft cloud services. By using your organization's tenant in this way, any additional services that you might decide to subscribe to in the future can fully leverage the existing user accounts, policies, settings, or on-premises directory integration that you might have configured already to help improve efficiencies between your organization's on-premises identity infrastructure and Windows Azure Active Directory.

For example, if you originally signed up for a Windows Intune subscription and completed the necessary steps to further integrate your on-premises instance of Active Directory with your Windows Azure Active Directory tenant by deploying directory synchronization or single sign-on servers, you can sign up for another Microsoft cloud service such as Office 365, which can also leverage the same directory-integration benefits that you now use with Windows Intune.

As an administrator of one or more Microsoft cloud service subscriptions, you can use either the Windows Azure Management Portal, the Windows Azure Active Directory portal, the Windows Intune account portal, or the Office 365 account portal to manage your organization's tenant settings. You can also use the downloadable Windows Azure Active Directory Module for Windows PowerShell cmdlets to help you manage your tenant data that is stored in Windows Azure Active Directory. For more information about your tenant, see What is a Windows Azure AD tenant?

The Windows Azure Management Portal, Windows Azure Active Directory portal, Office 365 account portal, Windows Intune account portal, and cmdlets all read from and write to a single shared instance of Windows Azure Active Directory that is associated with your organization's tenant, as shown in the following illustration. In this way, portals (or cmdlets) act as a front-end interface that pulls in or modifies your tenant data.

The previously listed account portals and the associated Windows PowerShell cmdlets that are used for Windows Azure Active Directory to manage users and your subscription are built on top of the Windows Azure Active Directory platform.

4.8 Windows Azure Active Directory

Windows Azure Active Directory is a service that provides identity and access management capabilities in the cloud. In much the same way that Active Directory is a service made available to customers through the Windows Server operating system for on-premises identity management, Windows Azure Active Directory (Windows Azure AD) is a service that is made available through Windows Azure for cloud-based identity management.

Because it is your organization's cloud directory, you decide who your users are, what information to keep in the cloud, who can use the information or manage it, and what applications or services are allowed to access that information. When you use Windows Azure AD, it is Microsoft's responsibility to keep Active Directory running in the cloud with high scale, high availability, and integrated disaster recovery, while fully respecting your requirements for the privacy and security of your organization's information.

In the cloud-enabled workplace, a tenant can be defined as a client or organization that owns and manages a specific instance of that cloud service. With the identity platform provided by Windows Azure, a tenant is simply a dedicated instance of Windows Azure Active Directory (Windows Azure AD) in the cloud that your organization receives and owns when it signs up for one of Microsoft's cloud services.

Each Windows Azure AD tenant is distinct and separate from other Windows Azure AD tenants in the cloud. Just like a corporate office building is a secure asset specific to only your organization, a Windows Azure AD tenant was also designed to be a secure asset for use by only your organization. The Windows Azure AD architecture isolates customer data and identity information from commingling. This means that a tenant cannot accidentally or maliciously access another tenant's data.

You can get a Windows Azure AD tenant by either signing up for a Microsoft cloud service that you want to start using or evaluating or by creating one with your Windows Azure subscription. The first time you sign up for a Microsoft cloud service such as Windows Azure Active Directory, Microsoft Office 365, Windows Intune, or sign up for Windows Azure as an organization, you are prompted to provide details about your organization and your organization's Internet domain name registration. This information is then used to create a new tenant for your organization in Windows Azure Active Directory. You only need to sign up for a Windows Azure AD tenant one time and then you can sign in to that same tenant when you want to subscribe to multiple Microsoft cloud services.


Cloud OS. Philip Meyer Partner Technology Specialist - Hosting

Cloud OS. Philip Meyer Partner Technology Specialist - Hosting Cloud OS Philip Meyer Partner Technology Specialist - Hosting The New Era of Hosting 52.4% 68% 62.5% Customers Cloud Applications Grow their business or realign to new company strategy Plan to adopt hybrid

More information

AZP: Microsoft Azure Infrastructure for IT Professional

AZP: Microsoft Azure Infrastructure for IT Professional AZP: Microsoft Azure Infrastructure for IT Professional Objective: This course provides knowledge in Microsoft Azure, Microsoft s cloud computing platform. The course focuses on infrastructure implementation

More information

Deep Dive on SimpliVity s OmniStack A Technical Whitepaper

Deep Dive on SimpliVity s OmniStack A Technical Whitepaper Deep Dive on SimpliVity s OmniStack A Technical Whitepaper By Hans De Leenheer and Stephen Foskett August 2013 1 Introduction This paper is an in-depth look at OmniStack, the technology that powers SimpliVity

More information

Hadoop in the Hybrid Cloud

Hadoop in the Hybrid Cloud Presented by Hortonworks and Microsoft Introduction An increasing number of enterprises are either currently using or are planning to use cloud deployment models to expand their IT infrastructure. Big

More information

Implementing Microsoft Azure Infrastructure Solutions

Implementing Microsoft Azure Infrastructure Solutions Course 20533A: Implementing Microsoft Azure Infrastructure Solutions Page 1 of 7 Implementing Microsoft Azure Infrastructure Solutions Course 20533A: 4 days; Instructor-Led Introduction This course is

More information

ADOPTING MICROSOFT AZURE

ADOPTING MICROSOFT AZURE David Chappell ADOPTING MICROSOFT AZURE A GUIDE FOR IT LEADERS Sponsored by Microsoft Corporation Copyright 2014 Chappell & Associates Contents Public Cloud Platforms: The Future of Enterprise Computing...

More information

Windows Server 2012 R2 The Essentials Experience

Windows Server 2012 R2 The Essentials Experience Windows Server 2012 R2 The Essentials Experience Published: October 7, 2013 Contents 1 Meeting business needs 1 The small business challenge 2 Windows Server 2012 R2 Essentials 2 A cloud-enabled server

More information

Microsoft Azure. The cloud platform built for business. Tarmo Tikerpäe DC SSP Microsoft

Microsoft Azure. The cloud platform built for business. Tarmo Tikerpäe DC SSP Microsoft Microsoft Azure The cloud platform built for business Tarmo Tikerpäe DC SSP Microsoft The next strategic opportunity is here Cloud Mobile Social How do you use technology innovation Big data? to architect

More information

Windows Server 2008 Hyper-V Backup and Replication on EMC CLARiiON Storage. Applied Technology

Windows Server 2008 Hyper-V Backup and Replication on EMC CLARiiON Storage. Applied Technology Windows Server 2008 Hyper-V Backup and Replication on EMC CLARiiON Storage Applied Technology Abstract This white paper provides an overview of the technologies that are used to perform backup and replication

More information

Introduction to the Cloud OS Windows Azure Overview Visual Studio Tooling for Windows Azure Scenarios: Dev/Test Web Mobile Hybrid

Introduction to the Cloud OS Windows Azure Overview Visual Studio Tooling for Windows Azure Scenarios: Dev/Test Web Mobile Hybrid Introduction to the Cloud OS Windows Azure Overview Visual Studio Tooling for Windows Azure Scenarios: Dev/Test Web Mobile Hybrid Development Management Identity Data Virtualization All services

More information

Data Protection. the data. short retention. event of a disaster. - Different mechanisms, products for backup and restore based on retention and age of

Data Protection. the data. short retention. event of a disaster. - Different mechanisms, products for backup and restore based on retention and age of s t o r s i m p l e D a t a s h e e t Data Protection I/T organizations struggle with the complexity associated with defining an end-to-end architecture and processes for data protection and disaster recovery.

More information

EMC CLOUDARRAY PRODUCT DESCRIPTION GUIDE

EMC CLOUDARRAY PRODUCT DESCRIPTION GUIDE EMC CLOUDARRAY PRODUCT DESCRIPTION GUIDE INTRODUCTION IT organizations today grapple with two critical data storage challenges: the exponential growth of data and an increasing need to keep more data for

More information

WINDOWS AZURE DATA MANAGEMENT

WINDOWS AZURE DATA MANAGEMENT David Chappell October 2012 WINDOWS AZURE DATA MANAGEMENT CHOOSING THE RIGHT TECHNOLOGY Sponsored by Microsoft Corporation Copyright 2012 Chappell & Associates Contents Windows Azure Data Management: A

More information

Microsoft 20533 - Implementing Microsoft Azure Infrastructure Solutions

Microsoft 20533 - Implementing Microsoft Azure Infrastructure Solutions 1800 ULEARN (853 276) www.ddls.com.au Microsoft 20533 - Implementing Microsoft Azure Infrastructure Solutions Length 5 days Price $4389.00 (inc GST) Version C Overview This course is intended for IT professionals

More information

Phoenix backs up servers using Windows and Linux operating systems. Here is a list of Windows servers that Phoenix supports:

Phoenix backs up servers using Windows and Linux operating systems. Here is a list of Windows servers that Phoenix supports: Druva About Phoenix What is Phoenix? Druva Phoenix is a cloud based backup and archival solution aimed primarily at remote office servers. Since Phoenix is cloud-targeted backup, there is no elaborate

More information

Course 20532B: Developing Microsoft Azure Solutions

Course 20532B: Developing Microsoft Azure Solutions Course 20532B: Developing Microsoft Solutions Five Days, Instructor-Led About this Course This course is intended for students who have experience building vertically scaled applications. Students should

More information

StorReduce Technical White Paper Cloud-based Data Deduplication

StorReduce Technical White Paper Cloud-based Data Deduplication StorReduce Technical White Paper Cloud-based Data Deduplication See also at storreduce.com/docs StorReduce Quick Start Guide StorReduce FAQ StorReduce Solution Brief, and StorReduce Blog at storreduce.com/blog

More information

TABLE OF CONTENTS THE SHAREPOINT MVP GUIDE TO ACHIEVING HIGH AVAILABILITY FOR SHAREPOINT DATA. Introduction. Examining Third-Party Replication Models

TABLE OF CONTENTS THE SHAREPOINT MVP GUIDE TO ACHIEVING HIGH AVAILABILITY FOR SHAREPOINT DATA. Introduction. Examining Third-Party Replication Models 1 THE SHAREPOINT MVP GUIDE TO ACHIEVING HIGH AVAILABILITY TABLE OF CONTENTS 3 Introduction 14 Examining Third-Party Replication Models 4 Understanding Sharepoint High Availability Challenges With Sharepoint

More information

ENABLING GLOBAL HADOOP WITH EMC ELASTIC CLOUD STORAGE

ENABLING GLOBAL HADOOP WITH EMC ELASTIC CLOUD STORAGE ENABLING GLOBAL HADOOP WITH EMC ELASTIC CLOUD STORAGE Hadoop Storage-as-a-Service ABSTRACT This White Paper illustrates how EMC Elastic Cloud Storage (ECS ) can be used to streamline the Hadoop data analytics

More information

Hybrid and Hyperscale Cloud with SQL Server 2016

Hybrid and Hyperscale Cloud with SQL Server 2016 Hybrid and Hyperscale Cloud with SQL Server 2016 Technical White Paper Published: April 2016 Applies to: Microsoft SQL Server 2016 and Microsoft Azure Summary: With cloud computing comes a new paradigm

More information

Redefining Microsoft SQL Server Data Management. PAS Specification

Redefining Microsoft SQL Server Data Management. PAS Specification Redefining Microsoft SQL Server Data Management APRIL Actifio 11, 2013 PAS Specification Table of Contents Introduction.... 3 Background.... 3 Virtualizing Microsoft SQL Server Data Management.... 4 Virtualizing

More information

Nutanix Solution Note

Nutanix Solution Note Nutanix Solution Note Version 1.0 April 2015 2 Copyright 2015 Nutanix, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Nutanix is

More information

Archive Data Retention & Compliance. Solutions Integrated Storage Appliances. Management Optimized Storage & Migration

Archive Data Retention & Compliance. Solutions Integrated Storage Appliances. Management Optimized Storage & Migration Solutions Integrated Storage Appliances Management Optimized Storage & Migration Archive Data Retention & Compliance Services Global Installation & Support SECURING THE FUTURE OF YOUR DATA w w w.q sta

More information

Windows Azure and private cloud

Windows Azure and private cloud Windows Azure and private cloud Joe Chou Senior Program Manager China Cloud Innovation Center Customer Advisory Team Microsoft Asia-Pacific Research and Development Group 1 Agenda Cloud Computing Fundamentals

More information

New hybrid cloud scenarios with SQL Server 2014. Matt Smith - @SmithMattC 6/4/2014

New hybrid cloud scenarios with SQL Server 2014. Matt Smith - @SmithMattC 6/4/2014 New hybrid cloud scenarios with SQL Server 2014 Matt Smith - @SmithMattC 6/4/2014 Breakthrough data platform performance with SQL Server 2014 Drive business faster with SQL Server 2014 in-memory technologies

More information

White Paper: 5 Ways Cloud-integrated Storage Reduces Costs

White Paper: 5 Ways Cloud-integrated Storage Reduces Costs White Paper: 5 Ways Cloud-integrated 5 Ways Cloud-integrated Introduction Many companies consider using cloud storage to reduce costs and the IT burden of storing data in the enterprise. However, simply

More information

Evolving Datacenter Architectures

Evolving Datacenter Architectures Technology Insight Paper Evolving Datacenter Architectures HP technologies for Cloud ready IT By Russ Fellows January, 2013 Enabling you to make the best technology decisions Evolving Datacenter Architectures

More information

EMC ISILON OneFS OPERATING SYSTEM Powering scale-out storage for the new world of Big Data in the enterprise

EMC ISILON OneFS OPERATING SYSTEM Powering scale-out storage for the new world of Big Data in the enterprise EMC ISILON OneFS OPERATING SYSTEM Powering scale-out storage for the new world of Big Data in the enterprise ESSENTIALS Easy-to-use, single volume, single file system architecture Highly scalable with

More information

A virtual SAN for distributed multi-site environments

A virtual SAN for distributed multi-site environments Data sheet A virtual SAN for distributed multi-site environments What is StorMagic SvSAN? StorMagic SvSAN is a software storage solution that enables enterprises to eliminate downtime of business critical

More information

Nutanix Solutions for Private Cloud. Kees Baggerman Performance and Solution Engineer

Nutanix Solutions for Private Cloud. Kees Baggerman Performance and Solution Engineer Nutanix Solutions for Private Cloud Kees Baggerman Performance and Solution Engineer Nutanix: Web-Scale Converged Infrastructure ü Founded in 2009 ü Now on fourth generation ü Core team from industry leaders

More information

StorSimple Solution for File Share Deployments

StorSimple Solution for File Share Deployments StorSimple Solution for File Share Deployments September 2013 Table of contents Copyright information... 4 Introduction... 5 Target Audience... 5 StorSimple Solution Overview... 6 Benefits of StorSimple

More information

Harnessing the Power of the Microsoft Cloud for Deep Data Analytics

Harnessing the Power of the Microsoft Cloud for Deep Data Analytics 1 Harnessing the Power of the Microsoft Cloud for Deep Data Analytics Today's Focus How you can operate your business more efficiently and effectively by tapping into Cloud based data analytics solutions

More information

StorSimple Appliance Quick Start Guide

StorSimple Appliance Quick Start Guide StorSimple Appliance Quick Start Guide 5000 and 7000 Series Appliance Software Version 2.1.1 (2.1.1-267) Exported from Online Help on September 15, 2012 Contents Getting Started... 3 Power and Cabling...

More information

Scaling Analysis Services in the Cloud

Scaling Analysis Services in the Cloud Our Sponsors Scaling Analysis Services in the Cloud by Gerhard Brückl gerhard@gbrueckl.at blog.gbrueckl.at About me Gerhard Brückl Working with Microsoft BI since 2006 Windows Azure / Cloud since 2013

More information

Flora Muglia Azure Solution Sales Professional fmuglia@microsoft.com. We are partners in learning. November 2015

Flora Muglia Azure Solution Sales Professional fmuglia@microsoft.com. We are partners in learning. November 2015 Flora Muglia Azure Solution Sales Professional fmuglia@microsoft.com Join the US EDU Azure Discussion (Yammer): http://aka.ms/useduazure We are partners in learning. November 2015 Agenda Why Azure? New

More information

Product Overview and Functional Specification

Product Overview and Functional Specification Product Overview and Functional Specification Virtual Private Clouds Value Added Reseller (VAR) / Managed Service Provider (MSP) 1 P a g e Cloud Introduction and Glossary of Cloud Terms Cloud computing

More information

VMware vcloud Air - Disaster Recovery User's Guide

VMware vcloud Air - Disaster Recovery User's Guide VMware vcloud Air - Disaster Recovery User's Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

ENTERPRISE STORAGE WITH THE FUTURE BUILT IN

ENTERPRISE STORAGE WITH THE FUTURE BUILT IN ENTERPRISE STORAGE WITH THE FUTURE BUILT IN Breakthrough Efficiency Intelligent Storage Automation Single Platform Scalability Real-time Responsiveness Continuous Protection Storage Controllers Storage

More information

Protezione dei dati. Luca Bin. EMEA Sales Engineer Lbin@Barracuda.com. Version 6.1 July 2015

Protezione dei dati. Luca Bin. EMEA Sales Engineer Lbin@Barracuda.com. Version 6.1 July 2015 Protezione dei dati Luca Bin EMEA Sales Engineer Lbin@Barracuda.com Version 6.1 July 2015 Barracuda Backup Easy Cloud-Connected Backup Version 6.1 July 2015 Traditional Backup is Complicated Highly diverse

More information

VMware vsphere Data Protection

VMware vsphere Data Protection VMware vsphere Data Protection Replication Target TECHNICAL WHITEPAPER 1 Table of Contents Executive Summary... 3 VDP Identities... 3 vsphere Data Protection Replication Target Identity (VDP-RT)... 3 Replication

More information

WINDOWS AZURE EXECUTION MODELS

WINDOWS AZURE EXECUTION MODELS WINDOWS AZURE EXECUTION MODELS Windows Azure provides three different execution models for running applications: Virtual Machines, Web Sites, and Cloud Services. Each one provides a different set of services,

More information

CompTIA Cloud+ 9318; 5 Days, Instructor-led

CompTIA Cloud+ 9318; 5 Days, Instructor-led CompTIA Cloud+ 9318; 5 Days, Instructor-led Course Description The CompTIA Cloud+ certification validates the knowledge and best practices required of IT practitioners working in cloud computing environments,

More information

SINGLE & SAME SIGN-ON ASPECTS

SINGLE & SAME SIGN-ON ASPECTS SINGLE & SAME SIGN-ON ASPECTS OF AZURE ACTIVE DIRECTORY Harold Baele Senior ICT Trainer JULY 2, 2015 SLIDE 1 TRAINER INFO Harold Baele MCT at RealDolmen Education Harold.baele@realdolmen.com - @hbaele

More information

Course 10978A Introduction to Azure for Developers

Course 10978A Introduction to Azure for Developers Course 10978A Introduction to Azure for Developers Duration: 40 hrs. Overview: About this Course This course offers students the opportunity to take an existing ASP.NET MVC application and expand its functionality

More information

Cloud Optimize Your IT

Cloud Optimize Your IT Cloud Optimize Your IT Windows Server 2012 The information contained in this presentation relates to a pre-release product which may be substantially modified before it is commercially released. This pre-release

More information

Azure & SharePoint. Jason Himmelstein, MVP. Senior Technical Director @sharepointlhorn

Azure & SharePoint. Jason Himmelstein, MVP. Senior Technical Director @sharepointlhorn Azure & SharePoint Jason Himmelstein, MVP Senior Technical Director @sharepointlhorn Gold Sponsor Silver Sponsors #CollabCon Share your ideas and feedback on Twitter $250 Future Shop gift card for most

More information