Connecting Cloud and On-Premises Applications Yousef A. Khalidi Distinguished Engineer Microsoft Corporation


Page 1:

Connecting Cloud and On-Premises Applications

Yousef A. Khalidi
Distinguished Engineer
Microsoft Corporation

Page 2:

Why Embrace the Cloud?

• Greater agility
• Reduced cost
• Enable new scenarios
  – Cloud as communication hub
  – Data sharing across devices
• High-scale sharing is key
  – Economies of scale
  – Elasticity
  – Increased utilization

Page 3:

Cloud Spectrum

Windows Server (On Premises)
• Full system control

Windows Azure Appliance (On or Off Premises)
• Turnkey cloud platform appliance

Windows Azure (Off Premises)
• Global datacenters and CDN
• Consumption or subscription pricing options

Developer Experience: use existing skills and tools.

(Diagram: Applications and Value Added Services run on top of each platform; the Windows Azure Appliance is shown as Storage Hardware, Network Hardware and Server Hardware.)

Page 4:

Evolving into Hybrid Clouds

(Diagram: Public Cloud, Private Cloud and Hosted Private Cloud joined by Secure Cloud Federation.)

Page 5:

Targeting Apps to Cloud

Questions to consider:
• Application State
• Application Scale
• Data Sensitivity
• Connectivity Needs
• Application Portability
• Latency Between Components
• Regulation and Compliance

Some cases are easy, e.g., a web site sharing public data. Often, a forklift approach will not work; careful decomposition is needed.

Page 6:

Targeting Apps to the Cloud

• Application Data State: must be replicated, by the app directly or in a replicated store
• Application Configuration & Installation: configuration state is only a cache; no lengthy install step
• Application Scale: app must scale horizontally (scale-out), not vertically (scale-up)
• Application Dependencies: app must be able to run on the cloud platform with no special hardware needs
• Latency Needs: shared cloud systems may not guarantee uniform/low latency among app components
• Connectivity Needs: intra- and inter-app connectivity needs must be clear
• Data Sensitivity: public clouds may not be able to host all sensitive data; encryption may be needed
• Regulation & Compliance: location and type of cloud matters

Page 7:

Secure Cloud Federation (Cloud and On-premises)

• Data Synchronization: SQL Azure Data Sync
• Application-layer Connectivity & Messaging: Windows Azure AppFabric Service Bus
• Security: Federated Identity and Access Control
• Secure Network Connectivity: Windows Azure Connect

Page 8:

Windows Azure Connect

• Secure network connectivity between on-premises and cloud
  – Supports standard IP protocols
• Enables hybrid apps access to on-premises servers
• Allows remote administration of Windows Azure apps
• Simple setup and management
  – Integrated with WA Service Model
  – Web, Worker and VM Roles supported

(Diagram: Enterprise connected to Windows Azure.)

Page 9:

Windows Azure Connect: Example Use Cases

• Windows Azure enterprise apps that require connectivity to on-premises SQL Server
  – Migrate apps without requiring changes or relocating on-premises resources to be internet accessible
• Windows Azure app domain-joined to on-premises AD
  – Control access to WA apps based on existing AD accounts and groups
• Remote administration and trouble-shooting of WA apps
  – Remote PowerShell to access WA role instances

Page 10:

Windows Azure Connect: Closer Look

• Network policy managed through Windows Azure portal
  – Granular control of connectivity between WA roles and external machines
• Automatic setup of IPsec
  – Tunnel firewalls/NATs through hosted SSL-based relay
  – Network policies enforced & traffic secured via end-to-end certificate-based IPsec
  – DNS name resolution based on endpoint machine names

(Diagram: Enterprise side with Databases and Dev machines; Windows Azure side with Role A, Role B and Role C (multiple VMs); the two sides reach each other through the Relay.)

Page 11:

Windows Azure Connect: Roadmap

• CTP release in November 2010
  – On-premises agent for non-Windows Azure apps
• Supports Windows Server 2008, Windows 7, Windows Vista SP1, and up
• Future release
  – Enable connectivity using existing on-premises VPN devices

Page 12:

Secure Cloud Federation (section divider; same overview as Page 7, highlighting Service Bus)

Page 13:

Cloud Security Considerations

• Identity and Access Management
  – Federate from on-premises to the cloud
  – Federate across organization and country borders
• Application operational processes
  – Should be integrated into the organization's security management
• Communication and endpoint integrity
  – Applications and clients are no longer behind the firewall
• Compliance and Risk Management
  – Cloud customers are still responsible for compliance and risk management

Page 14:

Regulations and National Boundaries

• Do you know where your data resides?
• Hybrid clouds can span national boundaries
• Many governments regulate where data can live
  – And where it cannot
• Policy controls are needed for data and applications
  – Driven by regulations and business needs

Page 15:

Security: Federated Identity and Access Control

• Federated Identity and Access Control
• .NET Windows Identity Foundation
  – WS-Federation, WS-Security, WS-Trust protocols
• ADFS2
  – On-premises server
• Access Control
  – Identity federation service

Page 16:

Secure Cloud Federation (section divider; same overview as Page 7, highlighting Federated Identity and Access Control)

Page 17:

Service Bus

(Diagram: App 1 and App 2 each Send to and Receive from the Service Bus.)

• Extends reach of applications securely through the cloud
• Enables multi-tenant apps to integrate with tenants' on-premises services
• Securely integrates partners outside of org boundaries
• Extends reach of on-premises web services layer
• Enables leveraging cloud quickly without having to rewrite apps

Page 18:

Service Bus – Usage Patterns

• Connectivity – patterns for integrating apps
  – Service Remoting – Extend services to the cloud
  – Cloud Eventing – Distribute event notifications to remote listeners via the cloud
  – Protocol Tunneling – Interconnect distributed applications that are not web services
• Messaging – patterns for building scalable apps
  – Load Leveling – Mediate message flows between components with different send/receive rates
  – Loosely Connected Clients – Buffer messages for asynchronous retrieval by remote clients

Page 19:

Service Bus – Core Capabilities

• Service location and discovery
  – Simple registry, endpoint naming and discovery
  – Access via lightweight ATOM protocols from any platform
• Cloud-based communications relay
  – Allows bridging across NATs and firewalls
  – Claims-based access control with identity federation and rules
  – Standards-based HTTP or high-performance TCP
• Cloud-based messaging service
  – Message buffers accessible via a simple REST API
• BizTalk Server 2010 (AppFabric Connect)
  – Service Bus plus BizTalk 2010 to connect to on-premises legacy systems

Page 20:

Service Bus – Roadmap

• CTP release in October 2010
  – Durable Message Buffers
  – Listener Load Balancing
• New features coming in CY2011
  – Message Buffer Enhancements (Grouping, Batching, etc.)
  – Topics (Publish/Subscribe)
  – Router (Push Messaging)
• AppFabric Connect ships with BizTalk Server 2010

Page 21:

Secure Cloud Federation (section divider; same overview as Page 7, highlighting SQL Azure Data Sync)

Page 22:

SQL Azure Data Sync

• Powers movement of data
  – Cloud ↔ cloud
  – On-premises ↔ cloud
• Getting data where you need it
  – Sync SQL Azure instances
  – Sync SQL Server to SQL Azure
  – Sync offline apps to SQL Azure
  – Enable geo-replication of data

(Diagram: Sync with SQL Azure.)

Page 23:

SQL Azure Data Sync: Example Use Cases

• Move workloads in stages, preserving existing infrastructure
  – Move part of the application and sync its data
• Meet compliance and regulations
  – Control data synchronized off-premises
• Enable scale-out read or read/write
  – Multiple synchronized databases for scalability
• Preserve data – geo replication of data
• Enable new scenarios
  – Spanning enterprise, cloud and remote offices/retail stores
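Page 14 says policy controls for where data may live are driven by regulation, and the use case above says Data Sync lets you control which data is synchronized off-premises. The following is an added example, not code from the presentation or from any Microsoft product: a deny-by-default residency check over a constructed sync plan. The policy tables, the sensitivity levels, the target names and the SyncTarget/DataSet shapes are all assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class SyncTarget:
    name: str     # constructed label for a sync endpoint (hypothetical)
    cloud: str    # "on-premises", "hosted-private" or "public", the deck's cloud spectrum
    country: str  # where the datacenter physically sits

@dataclass(frozen=True)
class DataSet:
    name: str
    sensitivity: str         # "public", "internal", "personal" or "restricted" (assumed levels)
    encrypted: bool = False  # encrypted by the app before it leaves the premises?

POLICY = {  # constructed policy, deny by default: a level missing from "clouds" may not sync anywhere
    "clouds": {  # sensitivity -> cloud types allowed to host it
        "public": {"on-premises", "hosted-private", "public"},
        "internal": {"on-premises", "hosted-private", "public"},
        "personal": {"on-premises", "hosted-private"},
        "restricted": {"on-premises"}},
    "countries": {"personal": {"DE", "FR"}, "restricted": {"DE"}},  # absent = anywhere
    "encrypt_off_premises": {"internal", "personal"},  # must be encrypted to leave premises
}

def violations(dataset, target, policy=POLICY):
    """List every policy rule that syncing `dataset` to `target` would break."""
    found = []
    if target.cloud not in policy["clouds"].get(dataset.sensitivity, set()):
        found.append(f"{dataset.name}: {dataset.sensitivity} data may not live in a {target.cloud} cloud")
    if (allowed := policy["countries"].get(dataset.sensitivity)) and target.country not in allowed:
        found.append(f"{dataset.name}: must stay in {sorted(allowed)}, {target.name} is in {target.country}")
    if (target.cloud != "on-premises" and not dataset.encrypted
            and dataset.sensitivity in policy["encrypt_off_premises"]):
        found.append(f"{dataset.name}: must be encrypted before syncing off-premises")
    return found

def check_plan(plan, policy=POLICY):
    """plan: (dataset, target) pairs. Returns {target name: violations}; empty dict = plan allowed."""
    report = {}
    for dataset, target in plan:
        for problem in violations(dataset, target, policy):
            report.setdefault(target.name, []).append(problem)
    return report

HQ = SyncTarget("hq-sqlserver", "on-premises", "DE")  # constructed sample: German headquarters
CLOUD = SyncTarget("sqlazure-eu", "public", "NL")     # and a public-cloud database in the Netherlands
PLAN = [(DataSet("catalog", "public"), CLOUD),
        (DataSet("orders", "internal", encrypted=True), CLOUD),
        (DataSet("customers", "personal"), CLOUD),  # breaks all three rules
        (DataSet("hr-records", "restricted"), HQ)]
```

Running `check_plan(PLAN)` reports only the public-cloud target, with three findings for the unencrypted personal data; the other three pairs pass.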

Page 24:

SQL Azure Data Sync: Closer Look

(Diagram: on premises, a Local Agent hosting a SQL Server Sync Provider and a Sync Orchestrator talks to SQL Server over TDS; in Windows Azure, the Data Sync Service hosting a SQL Server Proxy Provider, a SQL Server Provider and a Sync Orchestrator talks to SQL Azure over TDS; the Local Agent and the Data Sync Service communicate over HTTPS.)

Page 25:

SQL Azure Data Sync – Roadmap

(Diagram: Data Sync Service for SQL Azure syncing a SQL Azure Database with On-Premises (Headquarters), Remote Offices and Retail Stores; labelled "Sync Now" and "CTP2 – Coming Soon".)

Page 26:

Getting Connected: Where to Start

• You can use all services together, as they play different roles
• You can mix and match

If you are optimizing SQL data access: look at SQL Data Sync.
If you are composing application services: look at Service Bus and Access Control.
If you are bridging systems: look at Windows Azure Connect.
Or use them all!

Page 27:

Summary

SQL Azure Data Sync
• Synchronize SQL Azure instances
• SQL Server to SQL Azure sync
• Move data closer to apps

AppFabric Service Bus
• Application-layer connectivity & messaging
• Secure WCF service-remoting, eventing & protocol tunneling

Windows Azure Connect
• Secure network connectivity between on-premises and cloud
• IP-level connectivity, IPsec based
• Extend Active Directory to cloud

Security
• Windows Identity Foundation
• WS-Federation, WS-Security, WS-Trust
• ADFS2, Access Control

Page 28:

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.