Guide to Windows Azure Connect
written on November 15, 2010
Building applications for the cloud and hosting them there is one of the great things to happen in recent times. However, you may have a number of existing applications that you wish to migrate to the cloud without moving your database server along with them. Or you may want to create a new application and host it in the cloud, even though it needs to communicate with existing on-premise applications hosted in your enterprise's network. Another case is a new application that you wish to host in the cloud but that relies on your enterprise's Active Directory for authentication.
What options do you have? You could rewrite your on-premise applications for Azure and host them there, or, in the case of database servers, move them to SQL Azure in the cloud. But you also have another, easier option, which was announced at PDC10 and will be released by the end of this year: Windows Azure Connect.
What is Windows Azure Connect
Windows Azure Connect provides secure network connectivity between your on-premises environments and Windows Azure through standard IP protocols such as TCP and UDP. Connect provides IP-level connectivity between a Windows Azure application and machines running outside the Microsoft cloud.
Figure 1: Windows Azure Connect (image: http://2.bp.blogspot.com/_S92PTW6g_pk/TOFN9bVPzmI/AAAAAAAADHo/YfH9BydwcBo/s1600/connect1.png)
This connectivity can be combined into several different scenarios, which we will look at later in the Use Cases and Scenarios section.
In the first CTP release, non-Azure resources reach Azure resources by having the Connect agent installed on them. The upcoming release will support Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista SP1, and up. Note that this is not a full-fledged virtual private network (VPN). However, the plan is to extend the current functionality so that you can connect using the on-premise VPN devices your organization already uses today.
Setup Azure Connect
Windows Azure Connect is a simple solution. Setting it up doesn't require contacting your network administrator. All that's required is the ability to install the endpoint agent on the local machine. Setting up Azure Connect involves 3 steps:
1. [Enable Windows Azure Roles for external connectivity](http://techyfreak.blogspot.com/2010/11/guide-to-windows-azure-connect.html#configure-roles). This is done using the service model.
2. [Enable your on-premise/local computers for connectivity](http://techyfreak.blogspot.com/2010/11/guide-to-windows-azure-connect.html#configure-premise) by installing the Windows Azure Connect agent.
3. [Manage Network Policy](http://techyfreak.blogspot.com/2010/11/guide-to-windows-azure-connect.html#manage-policy) through the Windows Azure Portal.
The final step is to configure and define the network policy. This defines which of the WA roles and local computers that you have enabled for Connect are able to communicate with each other. This is done using the WA admin portal, and it provides a very granular level of control.
1. Enable Windows Azure Roles for external connectivity
To use Connect with a Windows Azure service, we need to enable one or more of its roles. These can be web or worker roles, or the new VM Role announced at PDC10. For a web/worker role, the only thing we need to do is add an entry to the .csdef: a single line of XML that imports the Windows Azure Connect plugin. Then you need to specify your ActivationToken in the ServiceConfiguration (.cscfg) file. The ActivationToken is a unique per-subscription token, which means that if you have two different Azure subscriptions you will have an individual Activation Token for each subscription. This token is accessed directly from the Admin UI. For a VM role, install the Connect agent in the VHD image using the Connect VM install package. This package is available through the Windows Azure Admin Portal and contains the ActivationToken within itself. Also, in the .cscfg file you can specify optional settings for managing AD domain-join and service availability. Once these configurations are done for a role, the Connect agent will automatically be deployed for each new role instance that starts up. This means that if, for example, you add more instances to the role tomorrow, each new instance will automatically be provisioned to use Azure Connect.
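As an added example (not code from the original post), here are the two configuration edits that step 1 describes for a web role; the service and role names are assumed, the token value is a placeholder, and the schema namespaces are those of the Windows Azure SDK service model.

```xml
<!-- Added example, not from the original post. Service name "MyService" and
     role name "WebRole1" are assumed names. -->

<!-- ServiceDefinition.csdef: import the Connect plugin into the role. -->
<ServiceDefinition name="MyService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole1">
    <Imports>
      <!-- Pulls the Connect agent into every instance of this role,
           including instances added later when you scale out. -->
      <Import moduleName="Connect" />
    </Imports>
  </WebRole>
</ServiceDefinition>

<!-- ServiceConfiguration.cscfg: supply the per-subscription activation token.
     The value below is a placeholder; copy the real one from the admin portal. -->
<ServiceConfiguration serviceName="MyService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole1">
    <Instances count="2" />
    <ConfigurationSettings>
      <!-- The token is what enrols a machine into your subscription's Connect
           network, so treat it as a credential: keep the real value out of
           shared source control and out of build logs. -->
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.ActivationToken"
               value="00000000-0000-0000-0000-000000000000" />
      <!-- The optional AD domain-join and availability settings the post
           mentions are further <Setting> entries in this same section; the
           SDK generates their names when the import above is added. -->
    </ConfigurationSettings>
  </Role>
</ServiceConfiguration>
```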
2. Enable your on-premise/local computers for connectivity
Your local on-premise computers are enabled for connectivity with Azure services by installing and activating the Connect agent. The Connect agent can be installed on your local computers in two ways:
1. **Web-based installation**: From your Windows Azure Admin portal you get a web-based installation link. This link is per subscription and has the activation token embedded within the URL.
2. **Standalone install package**: The other option is to use the standalone installation package. You can run this installation package using any standard software distribution tool installed in your system, as you do for other programs. It adds the activation token to the registry and reads its value from there.
Once the Connect agent is installed, you will also have a client UI on your system as well as a Connect agent tray icon in your system tray. The tray icon and client UI let you view the current status of the Azure Connect agent, both the activation status and the network connectivity status. They also provide basic tasks such as refreshing the network policy. The Connect agent automatically manages network connectivity between your local computers and Azure services/apps. To do this it does several things, including:
1. Setting up a virtual network adapter
2. "Auto-connecting" to the Connect relay service as needed
3. Configuring IPsec policy based on the network policy
4. Enabling DNS name resolution
5. Automatically syncing the latest network policies
3. Manage Network Policy
Once you have identified the Azure roles that need to connect to on-premise computers, and have installed and activated Connect agents on your local computers, you need to configure which roles connect to which of the configured local computers. To do this we specify a Network Policy, which is managed through the Windows Azure admin portal. Again, this is done on a per-subscription basis. The management model for Connect is pretty simple. There are 3 different types of operations you can do:
1. You can take your local computers that have been enabled and activated for Windows Azure Connect by installing Connect agents on them, and organize them into groups. For example, you might create a group that contains the SQL Server computers one of your Azure roles needs to connect to, and call it "SQL Server Group". Or you might put all your developer laptops into a "My Laptops" group, or put the computers related to a given project into a group. However, there are two constraints: first, a computer can only belong to a single group at a time; second, when you have a new computer on which you have just installed the Windows Azure Connect agent, the newly activated computer is unassigned by default, meaning it doesn't belong to any group and therefore won't have connectivity.