Microsoft Azure Hybrid Cloud - Getting Started For Techies

Hybrid Cloud with Microsoft Azure
Aidan Finn

About Aidan Finn
• Technical Sales Lead at MicroWarehouse
• Working in IT since 1996
• MVP (Virtual Machine)
• Experienced with Windows Server/Desktop,
System Center, virtualisation, and IT
infrastructure
• @joe_elway
• http://www.aidanfinn.com
• http://www.petri.co.il/author/aidan-finn
• Published author/contributor of several books

Agenda
• What is cloud computing?
• Introducing Microsoft Azure
• Azure IaaS
– Storage
– Virtual networking
– Virtual machines
– Hybrid cloud networking
– Azure Site Recovery
– Azure RemoteApp
• If we have time … System Center & Azure

What is a cloud?
• According to NIST (USA National Institute of
Standards and Technology), a cloud’s
characteristics are:
– On-demand self-service
– Broad network access
– Resource pooling
– Rapid elasticity
– Measured service
• In other words:
– More than just virtualization
– “Self-service” indicates large size

Cloud Models & Deployments
Public Cloud Private Cloud Hybrid Cloud
SaaS Bing,
Office 365, Outlook.com,
Google Apps
Salesforce
Office 365
PaaS Microsoft Azure,
Facebook
Pivotal CF
IaaS Microsoft Azure,
Windows Azure Pack,
OpenStack,
AWS,
Google Compute Engine
Windows Azure Pack,
OpenStack,
vCloud Suite
Microsoft “Cloud
OS”

The Cloud OS
Microsoft’s vision of the
unified platform for
modern business:
– Transforms the
datacenter
– Unlocks insights on any
data
– Empowers people-
centric IT
– Enables modern
business apps

HYBRID Cloud
• Microsoft Corporation is selling hybrid cloud
– On-premises servers still required
– Extend facilities into Azure and hosting partner
clouds
• Run:
– Hyper-V + System Center on premises
– Hosting partner: Hyper-V + System Center + WAP
– Microsoft Azure

Microsoft Azure
• Microsoft’s public cloud, offering IaaS and
PaaS
• Based on … Windows Server 2012 Hyper-V
– Rumoured to be 17% of global servers sales
– Tell me Hyper-V doesn’t scale!!!
– One consistent platform for private, public, and
hybrid cloud: Hyper-V virtual machines
• Incredibly innovative data centres
– Signed NDAs so I’ll leave it there 

Cloud Scalability
• Only 2 clouds can rival
Azure for scale (AWS and
Google)
• Take what you need,
never let IT limit business
growth
• Place services close to
customers … everywhere
• Local regions:
– Europe North: Dublin
– Europe West: Amsterdam

“Purchasing” Azure
• Think of it as a complicated mobile phone/data
service
– You take what you need and pay for what you use
• Three purchasing methods:
– Credit card: monthly bill
– Enterprise Agreement: pre-paid credit for large
enterprises
– Open (from August 1st 2014): pre-paid credit for SMEs
• Not easy to forecast
– Trials and PoCs are important

On To The Fun Stuff …
Microsoft Azure IaaS

Managing Azure
• One portal to manage all aspects of Azure IaaS
– https://manage.windowsazure.com
• New portal on the way
– https://portal.azure.com
– Health and subscription information more visible
• PowerShell cmdlets
– Scripting always gives more control
– Some features require PoSH, e.g. static IP address
• Microsoft Azure Automation
– Orchestration based on WAP Service Management
Automation (SMA)
– PowerShell workflows

Management Certificates
• Used by tools such as PowerShell to authenticate with
Azure
• Create certificate public/private pair
– Does not need public trust
– Use MakeCert
http://msdn.microsoft.com/library/azure/gg551722.aspx
• 2 files:
– .PFX private file loaded into personal certificate store
– .CER public file uploaded to Azure
• Install the Azure PowerShell Module
– Using the Web Platform Installer
http://www.microsoft.com/web/downloads/platform.aspx
– Import-Module Azure

Microsoft Azure IaaS
• Infrastructure services based on:
– Web sites > skipping this today due to time and
“easy factor”
– Storage
– Networking
– Virtual machines
• Solutions based on one or more of those
components

Fault Domains
• Azure is built to cloud scalability
• The focus is on service uptime, not server uptime
• Imagine a rack that has single:
– Power supply
– Network connection
• Racks are deployed in groups of 3
– One rack can fail/maintenance, others stay online
• These are fault domains
• A service that lives entirely in a single fault domain will
suffer downtime:
– Planned maintenance
– Unplanned outages (during failover)
• Service instances should span multiple fault domains

Load-Balanced Sets
• Typically deployed when creating multiple
instances of an identical web application
• For example, the public IP is load balanced on TCP
80 and TCP 443 across multiple web servers
• Two objectives:
– Increase scalability
– Fault tolerance
• Internal load balancing (non public tiers) is
available now
– Only via PowerShell

Availability Sets
• Virtual machines in the same availability set will reside
in different fault domains
• Place tiers of a service into availability sets
– Example: 3 load balanced VMs
– Each VM added to availability set
– Each VM is automatically placed in a different fault domain
– Host outage/maintenance leaves the service online
• Might have availability sets for:
– Web tier
– Application tier
– Data tier
• Availability sets required for 99.95% uptime – VM
external access

Load-Balanced & Availability Sets
Rack 1 Rack 2 Rack 3
Public IP Address
Availability Set
Load-Balanced Set

Blobs
• Azure stores stuff in blobs
– A blob is a multipurpose storage system
• We can create blobs to store:
– VMs (VHD files only!)
– Big data
– Templates
– Online backup and more
• Replicated storage:
– Locally redundant (cheapest): 3 copies stored in one region
– Geo redundant (default): 3 copies in region + 3 more in
neighbouring region
– Read-access geo redundant: 3 copies in region + 3 READ ONLY
copies in neighbouring region
– Zone Redundant Storage (future): 3 copies in one or two regions

Browsing Blobs
• Can be done in the portal
• Can also use 3rd-party tools to remotely connect
to/browse a blob
– Similar to an FTP tool
– Comparisons:
http://blogs.msdn.com/b/windowsazurestorage/archi
ve/2014/03/11/windows-azure-storage-explorers-
2014.aspx
• Requires:
– Storage account name
– Primary access key

Importing LOTS Of Data To Azure

Online Backup
• Use Azure blobs for backup
– Primary backup: Windows Server Backup (W2008 R2
SP1 and later)
– Off-site secondary backup: DPM, Commvault, CA
• Create a new Recovery Services > Backup Vault
• Install PFX/Private certificate on the server that
will be backed up
• Upload the paired public CER/public cert to the
backup vault
• Follow vendor specific instructions to enable
backup

StorSimple
• Tired Storage:
– Hot: Local SSD
– Warm: Local SAS
– Cold: Azure blob
• 1 GbE iSCSI appliance
– Xyratex (Mexico)
• NOT A SAN REPLACEMENT
– Use for specific roles
– Small working set of data

Cloud Service
• A high level concept
• Has a single public IP address that you can NAT
– Known as Virtual IP Address (VIP)
– Ports of the VIP are NATed to VMs or load-balancer
rules
• Think of it this way:
– Each isolated service/network should require a
cloud service

Cloud Service Reserved IP
• The VIP is not reserved by default for the cloud service
• A VIP remains with a cloud service as long as the cloud
service remains operational
– Running out of credit will offline a cloud service
• You can reserve a VIP
– #Reserve a IP
New-AzureReservedIP -ReservedIPName EastUSVIP -Label
"Reserved VIP in EastUS" -Location "East US"
– #Use the Reserved IP during deployment
New-AzureVM -ServiceName "MyApp" -VMs $web1 -
Location "East US" -VNetName VNetUSEast -
ReservedIPName EastUSVIP
• Portal management to come in a future release

Virtual Networks
• Software-defined networking (SDN)
– Same concept as Hyper-V Network Virtualization
• Carve out your own network and subnets
– No need to wait for Azure administrators
• Must be in:
– 10.0.0.0
– 172.16.0.0
– 192.168.0.0
• Define your own subnet mask and subnets
• Example:
– Virtual network: 10.0.0.0/16
– Subnet-1: 10.0.0.0/24
– Subnet-2: 10.0.1.0/24
– Subnet-3: 10.0.2.0/24

Demo – Creating Virtual Networks

Virtual Network IP Addresses
• First IP address available is .4
• Default gateway is .1
• Azure VMs can have a single NIC
• IP addresses are automatically assigned to VMs
– Guest OS will think it has a DHCP address
– Not actually DHCP
– Not static either
• IP remains with a VM while it remains operational
– Not guaranteed to return to a VM after being offline
– Can cause issues with name/IP relationship
• Can use PowerShell to statically assign an IP address

Persistent Azure VM IP Addresses
Requires some PowerShell:
1. Stop-AzureVM -ServiceName “DemoService”
-Name “VM01“
2. Get-AzureVM -ServiceName “DemoService” -
Name “VM01” | Set-AzureStaticVNetIP -
IPAddress "10.0.0.4" | Update-AzureVM
3. Start-AzureVM -ServiceName “DemoService"
-Name “VM01"

Network Isolation
• A virtual network is isolated
• You choose what, if any, external ports are
opened
• Virtual subnets inside of a virtual network are
able to route to each other
• Isolation inside of a virtual network:
– Windows Firewall
– IPsec
• VNet to VNet connectivity
– Enable isolated VNets to route to each other
– http://msdn.microsoft.com/library/azure/dn690122.as
px

Connecting Networks
• For all but a few services, disconnected
services are useless
• Extend your on-premises network into Azure
• Have private connection to Azure
• Extend on-premises management into Azure
• Two options:
– Site-to-site VPN
– ExpressRoute

Site-to-Site VPN
• Create encrypted tunnel
into an Azure virtual
network
• Routing between sites
• Extend your network
into Azure
• A number of supporting
devices, including
Watchguard
Watchguard
XTM
Microsoft Azure
On-Premise
Internet

Create a Site-to-Site VPN
• WatchGuard instructions:
http://customers.watchguard.com/articles/Article
/Configure-a-VPN-connection-to-a-Windows-
Azure-virtual-network/
• Record:
– Local Gateway ID: Your public VPN IP
– Remote Gateway ID: Azure public VPN IP
– Shared Key: The Azure secret VPN key
– Local Network IP Address: The local address space
– Remote Network IP Address: The Azure address space

Site-to-Site VPN Solution
• Can take a little while to come online on the
Azure end
• You have simultaneous:
– Direct Internet access
– Site-to-Site VPN routing to Azure Virtual Network
• Can extend services into Azure
– Active Directory
– SQL Always On
– And much more

Pros/Cons of Site-to-Site VPN
• Pros:
– Quick to deploy
– Very affordable
– You are in control
• Cons:
– Local VPN site is bottleneck
– That site is also a point of failure
– Can’t implement SLA on VPN because it uses public
Internet for the tunnel
– It routes only virtual network traffic. What about other
Azure services?

ExpressRoute
• Site-to-Site VPN extends your network into an
Azure virtual network
• Azure data center services are added to your
WAN using ExpressRoute partner
– Not just virtual networks
– Everything: virtual networks, StorSimple, RDS, backup,
replication, …
• Two flavours of ExpressRoute that use MPLS
WANs
• Local service providers:
– BT: Network service provider
– Telecity: Exchange provider

ExpressRoute Flavours
Public
internet
Microsoft
Azure
Public
internet
Microsoft
Azure

Pros/Cons of Site-to-Site VPN
• Pros:
– Includes all Azure services
– No single point of network failure
– No site is a bottleneck for other sites
– Is subject to service provider SLA
• Cons:
– Requires MPLS contract
– More expensive than site-to-site VPN
– Slower to deploy

What Are Azure VMs?
• Pretty much like Generation 1 Hyper-V virtual machines
– Single virtual NIC
– VHD only
• Files stored in a blob
• Uses a D: drive for non-persistent data
– Do not delete or use this drive
• Add additional drives for data
– Examples: SQL database, AD database files
• Can store application data on SMB 2.01 shared folders
– Example: IIS shared content
• More supported versions of Linux than Windows!!!

Deploying Azure VMs?
Multiple options:
• Deploy VMs from Azure gallery
• Create a template in Azure
http://azure.microsoft.com/documentation/articles/virtual-
machines-capture-image-windows-server/
• Upload a custom template into Azure
http://azure.microsoft.com/documentation/articles/virtual-
machines-create-upload-vhd-windows-server/
• From vSphere to Azure using MVMC 2.0
http://vniklas.djungeln.se/2014/04/08/using-mvmc-2-0-to-
migrate-a-vmware-vm-to-azure-iaas/
• Upload a Hyper-V virtual machine
http://michaelwasham.com/2013/01/04/migrate-a-virtual-
machine-to-windows-azure-with-powershell/

• Myth: “Why would I put my applications in the cloud where
anyone can get at them?!”
– You decide what services are publicly visible
– No different to what you do now
• We configure Endpoints to NAT ports through the cloud
service VIP (public IP address)
• Examples:
– VIP:TCP80 -> 10.0.0.4:TCP80
– VIP:TCP21 -> 10.0.0.5:TCP21
– VIP:TCP443 -> 10.0.0.6:TCP443
• You can close everything for complete privacy
• By default, VMs created in the portal will have these open:
– TCP 5986 (PowerShell remote administration)
– TCP 3389 (Remote Desktop)
Endpoints

Demo – Endpoints & Load
Balanced Sets

• Advanced configuration options:
– Change a virtual machine’s specification
• Tier: Basic/Standard
• Size
• Availability set
– Monitoring (Preview)
• Test a cloud service’s web app from multiple global
locations
• Monitoring VMs
– High level metrics utilization
– Between 1 hour and 7 days of data
Configuring & Monitoring VMs

Demo – Configure & Monitor VMs

• Services can have increases/drops in demand
• Cloud is elastic
– Quickly grow/shrink
– Very affordable compared to on-premise capital +
operational expenditure
• Autoscaling enables you to:
– Deploy & configure lots of virtual machines
– Add them to an availability set
– Turn on/off VMs based on demand
– Note: powered off VMs only have a storage cost
Autoscaling VMs

• Normally VMs use cloud service VIPs and
Endpoints to be publicly accessible
• Not all services work well with NAT
• In preview today, you can reserve a public IP
address for a VM
– No longer using NAT behind the cloud service VIP
– Maybe publish FTP
– Monitor publicly accessible VMs via public IP
• Only available via PowerShell
– Requires new VMs and new virtual networks
Instance-Level Public IP Address

• Problem: DR/BC is expensive
• Partial solution: Hyper-V Replica
– Async VM replication built-into all versions of 2012
and later Hyper-V
• Problem: DR sites are expensive
– Solution: Use Azure Site Recovery (ASR)
• Preview starting June 2014
DR-as-a-Service (DRaaS)

• ASR is built on Hyper-V Recovery Manager (HRM)
• HRM offers orchestration of Hyper-V Replica
between two sites
– Even two privately owned sites
• Problems:
– HRM is expensive: €11.92/protected VM/month
– Requires SCVMM to be deployed on premises
• Licensing too expensive for most SMEs
• Consultants failing to deploy/configure SCVMM properly for
those who can afford it
DR Orchestration

• Very similar to WAP Service Management
Automation (SMA)
• Create runbooks
– PowerShell workflows
– PowerShell is in everything Microsoft
– Tip: Learn PowerShell or hit your career ceiling now
• Automate actions in the cloud and on-premises
via hybrid cloud
• Doing something twice?
– Automate it
– Time investment up front will pay dividends
– The more you do it, the easier it gets
Orchestration in the Cloud

• Client/Server programs will eventually become web
services driven mobile apps
• Until then, we need to support traditional desktop apps
– For cloud-based services
– On cross-platform devices
• You can deploy RDS in Azure VMs
– Requires RDS SALs through SPLA licensing
• Or you can deploy “Mohoro” aka Azure Remote App
– A multi-tenant RDS farm in the cloud run by Microsoft
– Currently in preview
– Clients include Windows, Android, iOS, and Mac OS X
RDS In The Cloud

• Forget releases every 3 years
– Windows Server & System Center out every 12-18
months
– vNext expected in April 2015
• With Azure it’s more like every few weeks
• Microsoft now doing “sprint development”
• Features announced on Azure & ScottGu blogs
• Learning has never been as important
– Forget traditional learning sources
– If you work for a MSFT partner, then watch for news
from MicroWarehouse
Learning

And If We Have Time …
System Center

• Orchestrator
– Add a subscription to the portal
– Enable end users to deploy VMs under IT management
• Operations Manager
– Azure Management Pack: Monitor your Azure subscription
– Global Service Monitoring: Monitor web services from Microsoft data
centers
– System Center Advisor: Additional monitoring from the cloud
• Data Protection Manager
– Azure Online Backup: Using blobs for secondary storage
• Windows Azure Pack
– Azure AD authentication via ADFS: Scale-out identity
• Configuration Manager
– Windows Intune: Cloud-based mobile device/app management
– Cloud-based distribution point: Internet-based clients
System Center & Microsoft Azure

Thank you!
Aidan Finn, Hyper-V MVP
Technical Sales Lead, MicroWarehouse Ltd.
http://www.mwh.ie
Twitter: @joe_elway
Blog: http://www.aidanfinn.com
Petri IT Knowledgebase: http://www.petri.co.il/author/aidan-finn

Microsoft Azure Hybrid Cloud - Getting Started For Techies

More Related Content

What's hot (13)

Viewers also liked (20)

Similar to Microsoft Azure Hybrid Cloud - Getting Started For Techies (20)

More from Aidan Finn (20)

Recently uploaded (20)

Microsoft Azure Hybrid Cloud - Getting Started For Techies