Becoming A Hybrid Cloud Expert
One essential characteristic of cloud computing is a self-service mechanism. Both NIST SP 800-145 and Chou's 5-3-2 Principle discuss this well. The self-service capability is essential not only because it fundamentally reduces support cost, but because making it easy for a user to consume provided services continually promotes usage and ultimately accelerates the ROI. In System Center 2012 SP1, App Controller is the self-service vehicle for managing a hybrid cloud based on SCVMM, Windows Azure, and 3rd party hosting services.
This article assumes a reader is familiar with System Center 2012 SP1, and particularly System Center Virtual Machine Manager (SCVMM) and App Controller. Those who are new to System Center 2012 SP1 should first download and install at least SCVMM 2012 SP1 and App Controller 2012 SP1 from http://aka.ms/2012 to better follow the presented content.
The concept of a role-based security model in SCVMM is to package the security settings and policies on who can do what, and how much, on an object into a single concept, the so-called user role. The idea of a user role is to define a job function which a user performs, as opposed to simply offering a logical group of selected user accounts.
To delegate authority, a user role is set up with tasks, scope, and quotas based on a target business role and its assigned responsibilities. The members of a user role then have the authority to carry out specific tasks on authorized objects in order to perform a defined business function. For instance, first-tier help desk support may perform a few specific diagnostic operations on a VM or service, but not debug, store, or redeploy it, while a datacenter administrator, as the escalation path for the first-tier help desk, can do all of these. In this case, help desk support and an escalation engineer are defined as two user roles for delegating authority.
Operationally, creating a user role is configuring a profile which includes membership, scope, resources, credentials, etc. A user role defines who can do what, and how much, on an authorized resource. In essence, a defined user role is a policy imposed on those who are assigned this role, i.e. who have a membership of this role.
To set up a user role in SCVMM, use the admin console, go to the Settings workspace, and click Create User Role from the ribbon as shown below. There are four user role profiles available in SCVMM 2012 SP1. Each profile includes membership, scope, accessible networks and resources, allowed operations, etc.
The self-service model of SCVMM employs App Controller and the SCVMM admin console as the self-service vehicles, enabling an authorized user to self-manage resource consumption based on SLA, with minimal IT involvement in the lifecycle of a deployed resource and without the need to expose the underlying fabric, which is a key abstraction in cloud computing.
A difference between using App Controller and SCVMM is that the former never reveals the underlying fabric, while the latter will, according to the user role of an authenticated user.
In System Center 2012 SP1, there are a number of new operations available for App Controller as documented in http://technet.microsoft.com/en-us/library/jj605414.aspx. These operations as listed below facilitate the migration and deployment of resources among SCVMM-based private clouds, Windows Azure, and 3rd party hosting services.
Cloud is here to stay and hybrid is the way to go. Be ready. Learn, master, and take advantage of it. Make profits. Grow a career. Eat well and sleep well while welcoming XaaS, Everything as a Service, which we will have a lot to talk about soon.
As IT architectures, methodologies, solutions, and cloud computing are rapidly converging, system management plays an increasingly critical role and has become a focal point of any cloud initiative. A system management solution now must identify and manage not only physical and virtualized resources, but those deployed as services to private cloud, public cloud, and in hybrid deployment scenarios. An integrated operating environment with secure access, self-servicing mechanism, and a consistent user experience is essential to be efficient in daily IT routines.
App Controller is a component and part of the self-service portal solution in System Center 2012 SP1. By connecting to System Center Virtual Machine Manager (SCVMM) servers, Windows Azure subscriptions, and 3rd-party hosting services, App Controller offers a vehicle that enables an authorized user to administer resources deployed to private cloud, public cloud, and those in between without the need to understand the underlying fabric and physical complexities. It is a single pane of glass to manage multiple clouds and deployments in a modern datacenter, where a private cloud may securely extend its boundary into Windows Azure or a trusted hosting environment. The user experience and operations are consistent with those in Windows desktop and Internet Explorer. The following is a snapshot showing App Controller securely connected to both an on-premise SCVMM-based private cloud and cloud services deployed to Windows Azure.
A key deliverable of App Controller is the ability to delegate authority by allowing a user to connect to multiple resources based on the user's authority, while hiding the underlying technical complexities.
A user can then manage those authorized resources by logging in to App Controller and being authorized by an associated user role, i.e. profile. In App Controller, a user neither sees, nor needs to know of the existence of, the cloud fabric, i.e. how, under the hood, infrastructure, storage virtualization, network virtualization, and the various servers and server virtualization hosts are placed, configured, and glued together.
When first logging into App Controller, a user needs to connect with authorized datacenter resources including SCVMM servers, Windows Azure Subscriptions, and 3rd party host services.
The user experience of App Controller is much the same as that of operating a Windows desktop. Connecting App Controller with a service provider follows the provider's instructions; however, the process will be very similar to that of connecting with a Windows Azure subscription.
Connecting App Controller with Windows Azure requires a certificate and the Windows Azure subscription ID. Although this routine may initially appear complex, it is actually quite simple and logical.
Establishing a secure channel for connecting App Controller with a Windows Azure subscription requires a private key/public key pair from a digital certificate. App Controller holds the private key, which is installed from the Personal Information Exchange (PFX) format of the chosen certificate; the paired public key is exported in the binary (.CER) format of the same certificate and uploaded to the intended Windows Azure subscription. The following walks through the process.
For those who are familiar with PKI, use Microsoft Management Console, or MMC, to directly export a digital certificate in PFX and CER formats from the local computer certificate store. Those relatively new to certificate management should first look at which certificates IIS is using, to better understand which certificate to export.
Since App Controller is installed with IIS, acquiring a certificate is quite simple. When installing App Controller with IIS, a self-signed certificate is put in place for accessing the App Controller web UI with SSL.
The certificate store of an OS instance can be accessed with MMC.
The two export processes, for example, produced the two certificate files shown below for connecting App Controller with Windows Azure.
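The same two exports done from PowerShell instead of MMC, as an added example that is not part of the original post: it finds the certificate IIS is actually serving for the App Controller site, exports the private key as PFX and the public key as CER, and checks that both carry the same thumbprint. The site name and output paths are assumptions; the cmdlets require the PKI and WebAdministration modules of Windows Server 2012.

```powershell
# Added example, not from the original post. Run elevated on the App Controller server.
Import-Module WebAdministration

$siteName = 'AppController'   # assumed IIS site name; confirm with Get-Website
$binding  = Get-WebBinding -Name $siteName -Protocol https
if (-not $binding) { throw "No HTTPS binding found for site '$siteName'" }

# The binding records the thumbprint and store of the certificate IIS is serving
$thumbprint = $binding.certificateHash
$cert = Get-ChildItem -Path "Cert:\LocalMachine\$($binding.certificateStoreName)" |
        Where-Object { $_.Thumbprint -eq $thumbprint } | Select-Object -First 1
if (-not $cert) { throw "Certificate $thumbprint not found in the local machine store" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; PFX export is impossible' }

# Show subject and expiry so the right certificate is confirmed before exporting
$cert | Format-List Subject, NotAfter, Thumbprint

# PFX = certificate plus private key, password protected. This file stays with App Controller.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$env:TEMP\AppController.pfx" -Password $pfxPassword | Out-Null

# CER = public key only, DER encoded. This is the file uploaded to the Windows Azure subscription.
Export-Certificate -Cert $cert -FilePath "$env:TEMP\AppController.cer" -Type CERT | Out-Null

# Sanity check: the CER must match the certificate whose private key App Controller will use
$cerCheck = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$env:TEMP\AppController.cer"
if ($cerCheck.Thumbprint -ne $thumbprint) { throw 'Exported CER does not match the IIS certificate' }
"Exported PFX and CER for thumbprint $thumbprint"
```

Keep the PFX on the App Controller server only; the CER is the only file that needs to leave it, and the thumbprint printed here is what to compare against in the Windows Azure management portal after upload.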
Upon connecting to on-premise and off-premise datacenter resources, App Controller is a secure vehicle enabling a user to manage authorized resources in a self-service manner. It is not just that the technologies are fascinating; it is about shortening the time to market, so resources can be allocated and deployed based on a user's needs. This is a key step in realizing IT as a Service.
This lab demonstrates the ability to easily deploy and manage a VM in Windows Azure. Here, the VM happens to be running SQL Server 2012, which makes it more interesting by walking through the process of configuring and remotely maintaining a SQL Server 2012 instance running in a Windows Azure VM. This is, however, not intended to be a SQL lab; SQL Server experience is helpful but not required for completing the following tasks:
Placing a SQL database in the cloud and maintaining it remotely is a straightforward concept. Similar to connecting to an on-premise SQL database, a database client configures a connection string and connects to a target database, which in this case is a SQL Server 2012 instance running in a Windows Azure VM. Regardless of where a SQL instance runs, much of the sysadmin routine is the same: configuring firewall rules, setting authentication methods, creating SQL users, etc. The following depicts the conceptual model.
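The sysadmin routine just listed, carried out on the Azure VM with PowerShell and then checked from the client side, as an added example that is not part of the original lab guide. The client address, login, database and DNS name are placeholders; it assumes the instance already allows SQL logins (mixed mode) and that the SQLPS module from SQL Server 2012 is installed on the VM.

```powershell
# Added example, not from the original lab guide. Run elevated on the SQL Server 2012 VM.
Import-Module SQLPS -DisableNameChecking

$clientIp = '203.0.113.10'   # placeholder: public IP of the admin workstation allowed in
$dbName   = 'LabDb'          # placeholder database
$login    = 'labuser'        # placeholder SQL login
$secure   = Read-Host -AsSecureString -Prompt "Password for $login"
$plain    = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# 1. Firewall rule: open TCP 1433 on the VM to the one client address only, not to any source
New-NetFirewallRule -DisplayName 'SQL Server 1433 (admin workstation only)' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $clientIp -Action Allow | Out-Null

# 2. Authentication and users: a SQL login mapped to a database user with read-only rights
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.sql_logins WHERE name = N'$login')
    CREATE LOGIN [$login] WITH PASSWORD = N'$plain', CHECK_POLICY = ON;
USE [$dbName];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login];
ALTER ROLE db_datareader ADD MEMBER [$login];
"@
Invoke-Sqlcmd -ServerInstance '.' -Query $tsql   # local run under Windows authentication

# 3. Connectivity test exactly as a remote client would do it: encrypted, certificate validated
function Test-SqlConnection([string]$server, [string]$db, [string]$user, [string]$pwd) {
    $cs = "Server=tcp:$server,1433;Database=$db;User ID=$user;Password=$pwd;" +
          "Encrypt=True;TrustServerCertificate=False;Connection Timeout=15"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try { $conn.Open(); return $conn.ServerVersion } finally { $conn.Close() }
}
Test-SqlConnection -server 'labvm.cloudapp.net' -db $dbName -user $login -pwd $plain   # placeholder DNS name
```

With the self-signed certificate SQL Server generates by default, the test fails on certificate validation; importing the VM's certificate into the client's trusted store keeps Encrypt=True honest, whereas TrustServerCertificate=True only hides the mismatch.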
A step-by-step, screen-by-screen lab guide, as shown, detailing the process and steps to deploy, configure, and test database connectivity is available for download.
Here I am making this lab guide available as a download in PDF. This is a lab that I believe will accelerate many of us to better understand cloud computing and Windows Azure. Whether you are a system admin or a DBA, going through this lab will connect many dots for you. If nothing else, use this lab as self-study material for Windows Server 2012 and SQL Server 2012 and update your skill set.
At the same time, I also want to ask all to help share this resource broadly across the IT community, so other fellow IT pros can also benefit from it. Click the button to post a short tweet about this document, and you'll automatically receive a direct link to download this lab guide immediately afterwards. I hope you will find the document helpful. If you prefer not to share it with a tweet, email me from this post and I will understand and direct you to download the document.
To do this lab, you will need a Windows Azure subscription for deploying VMs. If you do not have one already, this is a good opportunity to start and learn Windows Azure. You can sign up for and use the Windows Azure 90-day free trial at http://aka.ms/90 to do the lab. A screencast as a supplement to the lab guide is available at http://aka.ms/AzureVMSQL.
This particular blog post presents the routines to conduct an RDS Quick Start session-based deployment, which is also an accelerated learning roadmap for RDS in Windows Server 2012. These routines build the essential skills and set the foundation for later carrying out a Microsoft Virtual Desktop Infrastructure (VDI) deployment. Those who would like to get familiar with RDS should first review the article, RDS Architecture Explained.
RDS is the delivery vehicle of Microsoft RemoteApp programs and VDI. In enterprise IT strategies, RDS plays an important role in adopting consumerization of IT and BYOD (or Bring Your Own Device) initiatives by minimizing application and desktop device requirements down to almost just an HTTP session for anytime, anywhere, any network access.
In the Windows Server 2008 releases, setting up RDS could be a daunting task. There were many moving parts with various configurations, policies, certificates, etc. to integrate. This is no longer the case. In Windows Server 2012, the RDS deployment and maintenance processes have been dramatically simplified and automated, with a smooth and rich user experience as presented later in this article.
Above all, RDS realizes the flexible desktop concept and the so-called modern work style, where authorized LOB applications, with location and device transparency, follow a user and not the other way around. RDS is becoming an essential part of enterprise infrastructure for enabling application deployment as a service.
The complexities of what happens under the hood in RDS can easily overwhelm even an experienced Windows administrator. Windows Server 2012 introduces the so-called Quick Start deployment, and as the name suggests it minimizes the infrastructure requirement and makes a deployment a very quick and straightforward process.
Quick Start is an option in RDS deployment during the process of adding roles and features with Windows Server 2012 Server Manager. It dramatically simplifies the deployment process and shortens time to market, while still providing the ability to add additional RDS servers as needed. The abstraction formed by RDWA, RDCB, and RDSH is elegant enough that the Quick Start process integrates the three and deploys all of them to one server in a rather uneventful process.
For prototyping a centralized remote access environment, demonstrating and testing a VDI solution, or simply building a study lab for self-training, Quick Start is a fast track for getting RDS up and running in a matter of minutes.
At this point, an RDS session-based deployment is in place with three sample RemoteApp programs published. Let's examine the user experience of accessing RDS RemoteApp programs.
Once RDS RemoteApp programs are published, a user can simply access https://the-RDWA-Server-URL/rdwab. Once authenticated, authorized RemoteApp programs are presented to the user.
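What Quick Start does behind the wizard, written out with the RemoteDesktop module so each step is visible, as an added example that is not part of the original post: RDCB, RDWA and RDSH go to one server, a session collection is scoped to one AD group rather than all domain users, and sample RemoteApp programs are published and listed. The server FQDN, group name and collection name are assumptions; the three programs are assumed to be the ones a default Quick Start publishes.

```powershell
# Added example, not from the original post. Run from an elevated session on a domain-joined
# Windows Server 2012 host with the RemoteDesktop module available.
Import-Module RemoteDesktop

$server     = 'rds01.corp.example'        # placeholder: one server hosts RDCB, RDWA and RDSH
$collection = 'QuickSessionCollection'    # assumed collection name
$userGroup  = 'CORP\RDS Users'            # placeholder: only this group sees the collection

# 1. Session-based deployment with all three roles on the same server (what Quick Start hides)
New-RDSessionDeployment -ConnectionBroker $server -WebAccessServer $server -SessionHost $server

# 2. A session collection limited to a specific AD group instead of the default Domain Users
New-RDSessionCollection -CollectionName $collection -SessionHost $server -ConnectionBroker $server | Out-Null
Set-RDSessionCollectionConfiguration -CollectionName $collection -UserGroup $userGroup -ConnectionBroker $server

# 3. Publish the sample RemoteApp programs (assumed to match Quick Start's Calculator, Paint, WordPad)
$apps = @{
    'Calculator' = 'C:\Windows\System32\calc.exe'
    'Paint'      = 'C:\Windows\System32\mspaint.exe'
    'WordPad'    = 'C:\Program Files\Windows NT\Accessories\wordpad.exe'
}
foreach ($name in $apps.Keys) {
    New-RDRemoteApp -CollectionName $collection -DisplayName $name -FilePath $apps[$name] `
        -ConnectionBroker $server | Out-Null
}

# 4. Verify what RD Web Access will present before handing the URL to users
Get-RDRemoteApp -CollectionName $collection -ConnectionBroker $server |
    Select-Object DisplayName, FilePath, ShowInWebAccess
```

New-RDSessionDeployment restarts the session host when the RDSH role is added, so run the remaining steps after the server comes back.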
In January, our team had a fun project to tell 31 stories, presenting 31 opportunities for IT professionals to get started on Windows Server 2012 and Windows Azure, something we all feel very passionate about. Cloud computing is an exciting movement, offering so much room to grow as an individual, as an organization, and as a business.
Find out who your area Evangelist is, stay in touch with the team, and move forward with the communities. Together, let's welcome the challenges, embrace the changes, get started, learn it, master it, and take advantage of it. Now here are your 31 opportunities:
Windows Azure, relative to Microsoft private cloud solutions, is in my view as critical as what Active Directory means to Windows infrastructure. In a Windows domain, Active Directory holds the one version of truth and is the ultimate authority on all defined resources. Similarly, when it comes to Microsoft cloud computing, there is no question that Windows Azure is the de facto platform as an extension of Active Directory into the cloud. While enterprise IT is transitioning from on-premise deployment to an emerging architecture of hybrid cloud, IT professionals face unprecedented challenges in changing from managing servers deployed on premise to managing services delivered with hybrid cloud. At the same time they face extraordinary opportunities to upgrade and expand an individual's skill profile and become a leader in cloud initiatives and a contributor to IT communities.
For IT professionals, a productive and direct way to learn and master Microsoft cloud computing solutions is to walk through and gain hands-on experience with the features available in Windows Azure. The 90-day free trial and many readily available resources give IT professionals, at no cost, the ability to access, experience, and experiment with deploying cloud resources such as VMs, web sites, media and mobile services, virtual networks, etc. There are now many options for IT professionals to better deliver services. The following highlights the available features in Windows Azure and their significance to IT professionals.