Build your test lab with Boot-to-VHD. Here are the steps.
	Deploy a VM to cloud and build your lab in Windows Azure with 90-day free trial. Here's how.
	Preping for Microsoft certifications? Join our Windows Server 2012 "Early Experts" Study Group.

As IT architectures, methodologies, solutions, and cloud computing are rapidly converging, system management plays an increasingly critical role and has become a focal point of any cloud initiative. A system management solution now must identify and manage not only physical and virtualized resources, but those deployed as services to private cloud, public cloud, and in hybrid deployment scenarios. An integrated operating environment with secure access, self-servicing mechanism, and a consistent user experience is essential to be efficient in daily IT routines.

App Controller as a Single Pane of Glass

App Controller is a component and part of the self-service portal solution in System Center 2012 SP1. By connecting to System Center Virtual Machine Manager (SCVMM) servers, Windows Azure subscriptions, and 3rd-party host services, App Controller offers a vehicle that enables an authorized user to administer resources deployed to private cloud, public cloud, and those in between without the need to understand the underlined fabric and physical complexities. It is a single pane of glass to manage multiple clouds and deployments in a modern datacenter where a private cloud may securely extend it boundary into Windows Azure, or a trusted hosting environment. The user experience and operations are consistent with those in Windows desktop and Internet Explorer. The following is a snapshot showing App Controller securely connected to both on-premise SCVMM-based private cloud and cloud services deployed to Windows Azure.

Delegation of Cloud Management

A key delivery of App Controller is the ability to delegate authority by allowing a user to connect to multiple resources based on user’s authorities, while hiding the underlying technical complexities.

The security of App Controller is a role-based model by creating a user role in the Settings workspace using SCVMM admin console. The wizard in essence create a policy, or profile, of a created user role by defining the membership, scope, resource availability, tasks can be operated on authorized objects, etc. In other words, the security model not only restrict how much one can use, but also what one can operate on it. SCVMM-based cloud deployments employs this role-based security model to delegate cloud management to authorized users.

An user can then manage those authorized resources by logging in App Controller and authorized by an associated user role, i.e. profile. In App Controller, a user neither sees, nor needs to know the existence of cloud fabric, i.e. under the hood how infrastructure, storage virtualization, network virtualization, and various servers and server virtualization hosts are placed, configured, and glued together.

When first logging into App Controller, a user needs to connect with authorized datacenter resources including SCVMM servers, Windows Azure Subscriptions, and 3rd party host services.

Connecting with SCVMM Server

The seamless integration within System Center family and Active Directory makes the connectivity between App Controller and SCVMM servers uneventful. Form App Controller UI, Settings/Connections is where to add a SCVMM server. Simply provide the FQDN and port to establish the connectivity. Notice 8100 is the default port employed by SCVMM as sown here. Once connected, the SCVMM VMs, cloud private services, and library resources the user is authorized to manage become visible with App Controller.

The user experience of App Controller is much the same with that of operating a Windows desktop. Connecting App Controller with a service provider on the other hand is per the provider’s instructions. However the process will be very similar with that of connecting with a Windows Azure subscription.

Connecting with Windows Azure Subscriptions

Connecting App Controller with Windows Azure on the other hands requires certificates and information of Windows Azure subscription id. This routine although may initially appear complex, it is actually quite simple and logical.

Establishing a secure channel for connecting App Controller with a Windows Azure subscription requires a private key/public key pair. App Controller employs a private key by installing the associated Personal Information Exchange (PFX) format of a chosen digital certificate, and the paired public key is in the binary format (.CER) of the digital certificate and uploaded to an intended Windows Azure subscription account. The following walks through the process.

Step 1 Acquire certificates

For those who are familiar with PKI, use Microsoft Management Console, or MMC, to directly export a digital certificate in PFX and CER formats from local computer certificate store. Those relatively new to certificate management should first take a look into what certificates IIS are employing first to better understand which certificate to use.

Optionally Review IIS Server Certificates

Since App Controller is installed with IIS, acquiring a certificate is quite simple to do. When installing App Controller with IIS, a self-signed certificate is put in place for accessing App Controller web UI with SSL.

	In IIS console, Server Certificate will list out all certificates visible to IIS. As needed, new certificates can be requested or created easily from the Actions pane of IIS Server Certificates UI, which is described elsewhere
	Here, there are two certificates listed. The self-signed certificate is created by installing App Controller, while the SSL certificate is later manually added. From Server Certificates, identify a target certificate to be used for connecting Windows Azure. Then use MMC to export certificates from the local computer certificate store.

Use MMC with Certificate Snap-In to Expert Certificates

The certificate store of an OS instance can be accessed with MMC.

	In a command prompt, type MMC and hit Enter to bring up MMC. Use CNTL-M or Add/Remove Snap-in from the File dropdown menu to add Certificate snap-in to manage the certificate stores of the local computer.
	From the local computer’s personal certificate store, highlight the target certificate to be employed for connecting with Windows Azure. Right-click and navigate to start the export process.
	Export the target certificate in PFX format with a password. The PFX one has the private key and stays with App Controller installed in the local compute.
	Export the target certificate again in CER format which is the public key to be uploaded to Windows Azure.

The two export processes, for example, created two certificates for connecting App Controller with Windows Azure as the following.

Step 2 Upload CER format certificate to Windows Azure

	Log in Windows Azure with an intended account and go to SETTINGS. Click Upload from the lower task bar to upload a certificate.
	Specify the CER format certificate exported in Step 1. A CER format certificate has the public key of an associated digital certificate.
	Once uploaded, the certificate is listed.

Step 3 Record Windows Azure subscription ID

	To find out Windows Azure subscription ID, from the management portal click Subscriptions from the upper right navigation bar to access the dropdown menu. Click “Manage your subscriptions” to access subscription information. And select an intended Windows Azure subscription account.
	The highlighted area is where the subscription ID of the current account. This ID is needed for connecting App Controller with this Windows Azure subscription account.

Step 4 Connect App Controller with Window Azure

	From App Controller, in the Setting workspace add a Windows Azure subscription. In the dialog, provide the intended Windows Azure subscription id recorded in Step 3. Pick the PFS format certificate and enter the password for accessing the private key. Click OK to initiate the connection.
	Once a connection is established between App Controller and an intended Windows Azure subscription, the connection is listed.
	In a moment upon establishing the connection, Windows Azure resources will become visible in App Controller. For instance, here in the Virtual Machines workspace, three Windows Azure VMs are listed. And now from App Controller, an authorized user can, for instance, directly manage Windows Azure VMs by simply right-clicking and choosing the option as shown.
	Go to Windows Azure portal and click to verify if App Controller correctly present what has been deployed to Windows Azure. In this case, examine the number of virtual machines and there are indeed three corresponding Windows Azure VMs deployed.

Closing Thoughts

Upon connecting to on-premise and off-premise datacenter resources, App Controller is a secure vehicle enabling a user to manage authorized resources in a self-servicing manner. It is not just the technologies are fascinating. It is about shortening the go-to-market, so resources can be allocated and deployed based on a user’s needs. This is a key step in realizing of IT as a Service.