TechNet
Put a domain controller of your domain in Azure IaaS
Carlos Mayol and Javier Dominguez, Premier Field Engineers (PFEs), Microsoft
What is IaaS on Windows Azure?
Windows Azure Virtual Machines
• Infrastructure as a Service introduces new functionality that allows full control and management of both Windows and Linux virtual machines along with an extensive virtual networking offering.
• Easily migrate existing applications as-is to the cloud
• Assist new cloud app development by integrating IaaS and PaaS functionality
• Set up new virtual machines in Windows Azure with only a few clicks
• Agentless deployment for Windows Servers
• Start from a pre-built image from our image library
• Upload your own VHD from on-premises
• Create your own customized images
• Support for community and commercial versions of Linux
• Move images back on premise as necessary
• Run enterprise applications such as SQL Server, SharePoint or Active Directory in the cloud
• Easily create hybrid cloud and on-premises solutions with VPN connectivity between the Windows Azure Data Center and your own network
• SLA for Virtual Machines 99.95%*
Flexible / Solid / Open
Global Footprint
Cloud Computing
• Software-as-a-Service (SaaS): consume
• Platform-as-a-Service (PaaS): build
• Infrastructure-as-a-Service (IaaS): host
IaaS Global Availability since April 16 2013
Cloud Computing: who manages each layer (You = you manage, Vendor = managed by vendor)
Layer            On-Premise   IaaS     PaaS     SaaS
Applications     You          You      You      Vendor
Data             You          You      You      Vendor
Runtime          You          You      Vendor   Vendor
Middleware       You          You      Vendor   Vendor
O/S              You          You      Vendor   Vendor
Virtualization   You          Vendor   Vendor   Vendor
Servers          You          Vendor   Vendor   Vendor
Storage          You          Vendor   Vendor   Vendor
Networking       You          Vendor   Vendor   Vendor
The Ingredients… Windows Azure Virtual Machines
Three elements in Windows Azure IaaS:
• Storage
• Network
• Compute (Virtual Machines)
Storage on Windows Azure
Windows Azure Storage
• VM with persistent drive
• Reliable and always on
• Continuous storage geo-replication between the WEST DC and the EAST DC, more than 500 miles apart
Images and Disks
OS Images (Microsoft, Partner, User)
• Base OS image for new Virtual Machines
• Sys-prepped / generalized / read only
• Created by uploading or by capture
Disks (OS Disks, Data Disks)
• Writable disks for Virtual Machines
• Created during VM creation or during upload of existing VHDs
Disk Caching
Disk Type   Default     Supported
OS Disk     ReadWrite   ReadOnly and ReadWrite
Data Disk   None        None, ReadOnly and ReadWrite
Modify using Set-AzureOSDisk or Set-AzureDataDisk
Storage cache – DC consideration
(New AD) Create New VM → Configure Data Disk for ReadOnly Cache Mode → Place .dit on Data Disk
(Existing AD) Upload Existing Domain Controller VHD(s) → Create New VM with VHD(s) attached → Configure Disk with .dit for ReadOnly Cache Mode
DEMO: Configuring storage
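As an added example that is not part of the deck, the Azure Service Management cmdlets for the caching table and the two DC paths above: create a fresh data disk with ReadOnly host caching for a new DC (or attach an uploaded DC VHD with the same setting), correct a disk attached with the wrong mode, and verify that no data disk on the DC is in ReadWrite mode. The cloud service, VM and disk names are assumptions.

```powershell
# Added example, not from the deck. Assumed names: cloud service "contoso-ad",
# VM "contoso-dc01", and an uploaded VHD already registered as disk "contoso-dc01-dit".
$svc    = 'contoso-ad'
$vmName = 'contoso-dc01'

# (New AD) add an empty 50 GB data disk at LUN 0 with ReadOnly host caching; the DIT,
# logs and SYSVOL will later be placed on this disk inside the guest.
Get-AzureVM -ServiceName $svc -Name $vmName |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB 50 -DiskLabel 'ADDS-DIT' -LUN 0 -HostCaching ReadOnly |
    Update-AzureVM

# (Existing AD) alternative: attach a VHD that already holds the DIT, registered
# beforehand with Add-AzureDisk, again forcing ReadOnly caching.
# Get-AzureVM -ServiceName $svc -Name $vmName |
#     Add-AzureDataDisk -Import -DiskName 'contoso-dc01-dit' -LUN 0 -HostCaching ReadOnly |
#     Update-AzureVM

# A disk attached with the default (None) or with ReadWrite is corrected in place.
Get-AzureVM -ServiceName $svc -Name $vmName |
    Set-AzureDataDisk -LUN 0 -HostCaching ReadOnly |
    Update-AzureVM

# Verification: list every data disk on the DC and flag any that caches writes,
# since write-behind caching is what breaks the DC's FUA assumption.
$disks = Get-AzureVM -ServiceName $svc -Name $vmName | Get-AzureDataDisk
$disks | Select-Object DiskLabel, Lun, HostCaching, LogicalDiskSizeInGB | Format-Table -AutoSize
$bad = $disks | Where-Object { $_.HostCaching -eq 'ReadWrite' }
if ($bad) { Write-Warning "Write-caching data disks on ${vmName}: $($bad.DiskLabel -join ', ')" }
```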
Networking on Windows Azure
Virtual Machine Names and DNS: full control over machine names
• Windows Azure provided DNS: resolves VMs by name within the same cloud service; machine names are modeled explicitly and registered in the DNS service
• Bring your own DNS server: use your on-premises DNS servers, deploy a DNS server in Windows Azure, or use public DNS services
Port Forwarding Input Endpoints
• Single public IP per cloud service (cloud app / hosted service)
• Each endpoint maps a public port to a local port; the diagram shows public ports 5586 and 5587 each forwarded to local port 3389 on a different VM
• Endpoint definition: Endpoint, Public Port, Local Port, Protocol (TCP/UDP), Name
Windows Azure Virtual Networks
Your "virtual" branch office / datacenter in the cloud
• Enables customers to extend their enterprise networks into Windows Azure
• Networking on-ramp for migrating existing apps and services to Windows Azure
• Enables customers to run "hybrid" apps that span cloud and their premises
A protected private virtual network in the cloud
• Enables customers to set up secure private IPv4 networks fully contained within Windows Azure
• IP address persistence
• Inter-service DIP-to-DIP communication
Azure IaaS Anatomy – Network (diagram)
• Each cloud service exposes VIPs (public endpoints) and holds VMs addressed by DIPs (internal)
• VMs and cloud services placed in an Azure Virtual Network are interconnected; those outside it are independent
• The Azure Gateway terminates an S2S VPN to the Internal Gateway of the customer's "Local Network"
VIP = Virtual IP (public) "Endpoints"; DIP = Dynamic IP (internal)
Complex Topologies (diagram): several Azure Virtual Networks, each with its own S2S VPN over the client line
An Azure VNET cannot be connected to more than one Local Network
The Branch Office / The Corp. HQ (diagram): the Corp. HQ (IIS Servers, AD / DNS, SQL Servers, Exchange, S2S VPN Device) reaches the "virtual" branch office, i.e. the Virtual Network in Windows Azure hosting AD / DNS, through the Gateway over S2S VPN tunnels
Example: Contoso's Deployment (diagram)
• The Corp. HQ (10.0.0.0/16): IIS Servers, AD / DNS at 10.0.0.10 and 10.0.0.11, SQL Farm, Exchange; S2S VPN Device with public address 131.57.23.120
• Contoso Production VNet in Windows Azure (10.1.0.0/16): subnets 10.1.2.0/24 and 10.1.3.0/24, VMs at 10.1.0.4 and 10.1.1.4; BRK Gateway with public address 65.52.249.22
• Contoso Branch in Windows Azure (10.2.0.0/16): subnets 10.2.2.0/24 and 10.2.3.0/24
• S2S VPN tunnels link the HQ VPN device to the Azure gateway
Second diagram: The Corp. Branch (S2S VPN Device, AD / DNS, Exchange) and The Corp. HQ (S2S VPN Device, AD / DNS, Exchange) each connect over S2S VPN tunnels to the BRK Gateway of the Contoso VNets in Windows Azure (Branch 10.2.0.0/16 with subnets 10.2.2.0/24 and 10.2.3.0/24)
DEMO: Configuring network
Network – Considerations
Plan and define your network before you start:
• Define your affinity groups to be close to your data consumers
• Define your DNS servers: on Azure DNS, your first persistent IP will be X.X.X.4; on premises, use your own DNS servers
• Define your local networks if you plan to use the "Azure Gateway"
• Create your Gateway connection
• Deploy your VMs
After you have deployed VMs to this network you cannot change the network settings!
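An added example, not from the deck, that carries the planning steps above through for the Contoso values used on the deployment slides: the virtual network, its DNS server at the first persistent address (.4), the HQ local network with its VPN device, and the gateway connection, declared as a classic network configuration and applied with the Azure Service Management cmdlets. The site, subnet and affinity-group names are assumptions, and the affinity group is assumed to exist already.

```powershell
# Added example, not from the deck: the Contoso VNet from the deployment slides as a
# classic Azure network configuration. Site, subnet and affinity-group names are
# assumptions; the affinity group was created beforehand with New-AzureAffinityGroup.
$netcfg = @"
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <!-- the DC/DNS VM receives the first persistent address of its subnet (.4) -->
      <DnsServers>
        <DnsServer name="contoso-dc01" IPAddress="10.1.0.4" />
      </DnsServers>
    </Dns>
    <LocalNetworkSites>
      <!-- on-premises side: HQ address space and the public address of its S2S VPN device -->
      <LocalNetworkSite name="HQ">
        <AddressSpace><AddressPrefix>10.0.0.0/16</AddressPrefix></AddressSpace>
        <VPNGatewayAddress>131.57.23.120</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="ContosoProd" AffinityGroup="contoso-ag">
        <AddressSpace><AddressPrefix>10.1.0.0/16</AddressPrefix></AddressSpace>
        <Subnets>
          <Subnet name="AD"><AddressPrefix>10.1.0.0/24</AddressPrefix></Subnet>
          <Subnet name="Apps"><AddressPrefix>10.1.1.0/24</AddressPrefix></Subnet>
          <Subnet name="GatewaySubnet"><AddressPrefix>10.1.255.0/29</AddressPrefix></Subnet>
        </Subnets>
        <DnsServersRef><DnsServerRef name="contoso-dc01" /></DnsServersRef>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="HQ"><Connection type="IPsec" /></LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"@
# Set-AzureVNetConfig replaces the subscription's whole network configuration, so
# merge into an export (Get-AzureVNetConfig -ExportToFile) when other VNets exist.
$path = Join-Path $env:TEMP 'NetworkConfig.xml'
Set-Content -Path $path -Value $netcfg -Encoding UTF8
Set-AzureVNetConfig -ConfigurationPath $path
# Create the Azure-side gateway and set the IPsec pre-shared key for the HQ link;
# the on-premises VPN device must be configured with the same key.
New-AzureVNetGateway -VNetName 'ContosoProd'
Set-AzureVNetGatewayKey -VNetName 'ContosoProd' -LocalNetworkSiteName 'HQ' -SharedKey (Read-Host 'IPsec pre-shared key')
(Get-AzureVNetGateway -VNetName 'ContosoProd').State
```

Deploy the VMs only after this step, since the slide's warning applies: once VMs sit in the network, its settings can no longer be changed.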
Virtual Machines on Windows Azure
Windows Azure Instance Sizes
Each persistent data disk can be up to 1 TB
VM Size       CPU Cores   Memory    Bandwidth    # Data Disks
Extra Small   Shared      768 MB    5 Mbps       1
Small         1           1.75 GB   100 Mbps     2
Medium        2           3.5 GB    200 Mbps     4
Large         4           7 GB      400 Mbps     8
Extra Large   8           14 GB     800 Mbps     16
A6 (new)      4           28 GB     1,000 Mbps   8
A7 (new)      8           56 GB     2,000 Mbps   16
Flexibility of Azure Virtual Machines
• Persisted in storage… (Blob Storage in the cloud)
• Variety of images to select…
• Multiple ways to get started: Management Portal, scripting (Windows, Linux and Mac), REST API
• Boot VM from new disk
Avoiding Lock-In
Windows virtual machines can move freely between all 3 clouds: Windows Azure, the customer data center, and other service providers.
DEMO: Moving a VM from "On Premise" to Azure using App Controller
Virtual Machine Availability Sets
Update Domains are honored by host OS updates
Diagram: an Availability Set spreads its virtual machines across racks and update domains, e.g. IIS1 / IIS2 and SQL1 / SQL2 placed in UD #1 and UD #2 on different racks.
Service Level Agreements
What's included:
• Compute hardware failure (disk, CPU, memory)
• Datacenter failures: network failure, power failure
• Hardware upgrades, software maintenance (host OS updates)
• Planned downtime: 6 day notice, 6 hour window, 25 minute downtime
What is not included:
• VM crashes caused by 3rd party software, guest OS updates
99.95% for multiple role instances = 4.38 hours of downtime per year
Support considerations on Azure VMs
Roles not supported on Windows Azure Virtual Machines:
• Dynamic Host Configuration Protocol Server
• Hyper-V
• Remote Access (DirectAccess)
• Windows Deployment Services
Notable features that are not supported:
• BitLocker Drive Encryption (on the OS disk; may be used on data disks)
• Failover Clustering
• Internet Storage Name Server
• Multipath I/O
• Network Load Balancing
• Peer Name Resolution Protocol
• SNMP Services
• Storage Manager for SANs
• Windows Internet Name Service
• Wireless LAN Service
DEMO: Deploying our VMs (they will be our Domain Controllers on Windows Azure)
Active Directory on Azure
Why Active Directory?
Placing Active Directory domain controllers in Windows Azure equates to running virtualized domain controllers. Hypervisors provide or trivialize technologies that don't sit well with many distributed systems… including Active Directory.
Business drivers:
• Support pre-requisites for other applications or services
• Serve as substitute or failover for branch-office/HQ domain controllers
• Serve as primary authentication for a cloud-only data center
Design considerations: certain Active Directory configuration knobs and deployment topologies are better suited to the cloud than others
Considerations:
• Is it safe to virtualize DCs?
• Placement of the Active Directory database (DIT)
• Optimizing your deployment for traffic and cost
• Read-Only DCs (RODC) or Read-Write?
• Global Catalog or not?
• Trust or Replicate?
• IP addressing and name resolution
• Geo-distributed cloud-hosted domain controllers
Is it safe to virtualize DCs?
Background: common virtualization operations such as backing up/restoring VMs/VHDs can roll back the state of a virtual DC.
This introduces USN bubbles leading to permanently divergent state, causing:
• lingering objects
• inconsistent passwords
• inconsistent attribute values
• schema mismatches if the Schema FSMO is rolled back
The potential also exists for security principals to be created with duplicate SIDs.
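As an added example that is not part of the deck, a defender-side check for the rollback condition just described: it reads the indicators Windows sets when it detects a USN rollback (the "Dsa Not Writable" registry value of 4 under the NTDS parameters key, and event 2095 in the Directory Service log) on every DC. It assumes WinRM access to the DCs and the ActiveDirectory module; the function name is an assumption.

```powershell
# Added example, not from the deck. Assumes WinRM access to each DC and the
# ActiveDirectory module on the machine running it.
function Test-UsnRollback {
    param([string[]]$ComputerName = $env:COMPUTERNAME, [int]$Days = 30)
    foreach ($dc in $ComputerName) {
        # Windows quarantines a DC that detected a USN rollback by setting this value to 4.
        $notWritable = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                -ErrorAction SilentlyContinue).'Dsa Not Writable'
        }
        # Event 2095 is logged in the Directory Service log when the rollback is detected.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Directory Service'; Id = 2095; StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC             = $dc
            DsaNotWritable = $notWritable
            RollbackEvents = @($events).Count
            Suspect        = ($notWritable -eq 4) -or (@($events).Count -gt 0)
        }
    }
}

# Run against every DC in the domain; a Suspect DC must be investigated before its
# replication partners are allowed to accept anything from it.
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName
Test-UsnRollback -ComputerName $dcs | Format-Table -AutoSize
```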
Placement of the Active Directory DIT
Active Directory DITs/SYSVOL should be deployed on data disks.
Data disks and OS disks are two distinct Azure virtual-disk types:
• they exhibit different behaviors (and different defaults)
Unlike OS disks, data disks do not cache writes by default.
• NOTE: data disks are constrained to 1 TB
• 1 TB > largest known Active Directory database == non-issue
Why is this a concern? Write-behind disk caching invalidates assumptions made by the DC:
• DCs assert FUA (forced unit access) and expect the IO subsystem to honor it
• FUA is intended to ensure sensitive writes make it to durable media
• write-behind caching can introduce USN bubbles in failure scenarios
Optimizing your deployment for traffic and cost
Consider cost and deploy according to requirements:
• Inbound traffic is free, outbound traffic is not: standard Azure outbound traffic costs apply
• Nominal fee per hour for the gateway itself; it can be started and stopped as you see fit (if stopped, VMs are isolated from the corporate network)
• RODCs will likely prove more cost effective
Optimizing your deployment for traffic and cost (cont.)
DC-locator and ISTG/ISM (intersite topology generator and messenger): correctly defining and connecting Active Directory subnets and sites will influence your bottom line
• sites, site links and subnets affect who authenticates where and the DCs' replication topology
Ensure the cost between any on-premises site and the cloud sites is appropriately dissuasive
• i.e. the notion of "next closest site" (a common fallback in Active Directory) should not conclude that the cloud is the next closest
Ensure replication is scheduled (not "Notify"-driven)
Ensure it is compressed (and crank it up; domain controllers offer aggressive controls around compression of replication traffic)
Align the replication schedule with latency tolerance
• DCs replicate only the last state of a value, so slowing replication down saves cost if there's sufficient churn
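An added example, not from the deck, that turns the site and replication guidance above into the corresponding ActiveDirectory module calls: a dedicated site and subnet for the Azure DCs, a site link with a dissuasive cost and a long interval, a nightly replication window with notification off and compression on, and a verification of the resulting options bits. The site names, cost and window are assumptions.

```powershell
# Added example, not from the deck. Assumes the on-premises site "HQ" already exists
# and the Azure VNet address space is 10.1.0.0/16; all other values are assumptions.
Import-Module ActiveDirectory

# A dedicated site for the cloud DCs plus a subnet mapping, so DC-locator sends
# Azure-hosted clients to the Azure DC instead of across the VPN.
New-ADReplicationSite -Name 'Azure-West'
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'Azure-West' -Location 'Windows Azure'

# Dissuasive link cost (default 100) so "next closest site" never resolves to the
# cloud for on-premises clients; a long interval batches changes into fewer cycles.
New-ADReplicationSiteLink -Name 'HQ-Azure' -SitesIncluded 'HQ', 'Azure-West' `
    -InterSiteTransportProtocol IP -Cost 500 -ReplicationFrequencyInMinutes 180

# Scheduled replication in a nightly window (01:00-05:00 here), and options = 0 so
# neither 0x1 (USE_NOTIFY, notification-driven) nor 0x4 (DISABLE_COMPRESSION) is set.
$window = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$window.SetDailySchedule('One', 'Zero', 'Five', 'Zero')
Set-ADReplicationSiteLink -Identity 'HQ-Azure' -ReplicationSchedule $window -Replace @{ options = 0 }

# Verify what the ISTG will work with: Notify must be False and Compressed True.
Get-ADReplicationSiteLink -Identity 'HQ-Azure' -Properties options |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Notify';     e = { ($_.options -band 0x1) -ne 0 } },
        @{ n = 'Compressed'; e = { ($_.options -band 0x4) -eq 0 } }
```

Promote the cloud DC into the 'Azure-West' site (the -SiteName parameter at promotion) so the link cost and schedule actually apply to it.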
Global Catalog (GC) or not?
GCs are necessary in multi-domain forests for authentication
Workloads in the cloud that authenticate against a DC in the cloud will still generate outbound authentication traffic without one
• used to expand Universal Group memberships
• less predictable cost associated with GCs since they host every domain (in part)
• completely unpredictable cost if the workload hosts an Internet-facing service and authenticates users against Active Directory
Could leverage "Universal Group Membership Caching"
Predominantly replicates inbound only
• outbound replication is possible with other GCs
Trust or Replicate?
Choice: add replica DCs in the cloud or build a new forest and create a trust?
• Kerberos or Federated
Motivators:
• Security (selective authentication feature)
• Compliance/privacy (HBI/PII concerns)
• Cost: replicate more, or generate more outbound traffic as a result of authentication and query load
• Resiliency/fault-tolerance: if the link goes down, trusted scenarios are likely entirely broken
IP addressing and name resolution
Name resolution: deploy Windows Server DNS on the domain controllers
• Windows Azure provided DNS does not meet the complex name resolution needs of Active Directory (DDNS, SRV records, etc.)
A critical configuration item for domain controllers and domain-joined clients
• must be capable of registering (DCs) and resolving resources within their own
Since static addressing is not supported, these settings MUST be configured within the virtual network definition
Azure VMs require "DHCP leased addresses", but leases never expire or move between VMs
• The non-static piece is the opposite of what most Active Directory administrators are used to
When an Azure VM leases an address, it is routable for the period of the lease
• The period of the lease directly equates to the lifetime of the service, so we're good
Traditional on-premises best practices for domain controller addressing do NOT apply
Do NOT consider statically defining a previously leased address as a workaround
• this will appear to work for the remaining period of the lease, but once the lease expires the VM will lose all communication with the network: not good when it's a domain controller
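An added example, not from the deck, of the in-guest side of the DIT-placement and addressing guidance: format the ReadOnly-cached data disk, confirm the NIC is still on its Azure DHCP lease with the DNS servers pushed from the virtual network definition, and promote the VM as a replica DC with the database, logs and SYSVOL on that disk, in the Azure site. It assumes Windows Server 2012 in the guest; the drive letter, domain and site names are assumptions.

```powershell
# Added example, not from the deck: run inside the Azure VM that received the
# ReadOnly-cached data disk. Drive letter, domain and site names are assumptions.

# 1. Bring the raw data disk online and format it as F: (Windows Server 2012 Storage cmdlets).
$raw = Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' } | Select-Object -First 1
$raw | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter F |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADDS' -Confirm:$false

# 2. Checks from the slides: the NIC holding the default route must stay on its DHCP
#    lease (never a static copy of the leased address) and use the VNet-defined DNS.
$cfg = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
$nic = Get-NetIPInterface -InterfaceIndex $cfg.InterfaceIndex -AddressFamily IPv4
if ($nic.Dhcp -ne 'Enabled') { throw "Interface $($cfg.InterfaceAlias) is static; Azure DCs must keep the DHCP lease" }
Get-DnsClientServerAddress -InterfaceIndex $cfg.InterfaceIndex -AddressFamily IPv4 |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 3. Promote as a replica DC with DIT, logs and SYSVOL on the data disk, placed in the
#    Azure site so DC-locator and the replication topology follow the planned sites.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName 'contoso.com' -SiteName 'Azure-West' -InstallDns `
    -Credential (Get-Credential 'CONTOSO\Administrator') `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force
# Add -ReadOnlyReplica to the same call for an RODC, the cheaper option on outbound traffic.
```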
AD Architecture Options
Domain Controller On-Premises (diagram): the Virtual Network in Windows Azure (SQL Servers, IIS Servers, Load Balancer with Public IP) connects through the Gateway over a Site to Site VPN Tunnel to the Contoso Corp Network (IIS Servers, AD / DNS, SQL Servers, Exchange, S2S VPN Device); AD authentication and on-premises resources are reached across the tunnel, and Contoso.com Active Directory lives on premises only
Active Directory Cloud Only (diagram): an Extranet Active Directory with its own AD / DNS inside the Virtual Network in Windows Azure handles AD auth for the cloud workloads; the diagram still shows a Site to Site VPN Tunnel to on-premises resources, while the Contoso Corp Network keeps its separate Contoso.com Active Directory
Domain Controller in the Cloud (diagram): a replica AD / DNS for Contoso.com Active Directory runs inside the Virtual Network in Windows Azure and provides AD auth locally, while AD authentication and on-premises resources remain reachable over the Site to Site VPN Tunnel
DEMO: Deploying DCs on Azure
Azure countries and territories (89)
Australia, Austria, Belgium, Brazil, Canada, Chile, Colombia, Costa Rica, Cyprus, Czech Republic, Denmark, Finland, France, Germany, Greece, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Korea, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Norway, Peru, Philippines, Poland, Portugal, Puerto Rico, Romania, Russia, Singapore, Spain, Sweden, Switzerland, Trinidad & Tobago, UK, United States
New countries: Algeria, Argentina, Belarus, Bulgaria, Croatia, Dominican Rep, Ecuador, Egypt, El Salvador, Estonia, Guatemala, Iceland, Indonesia, Jordan, Kazakhstan, Kenya, Kuwait, Latvia, Liechtenstein, Lithuania, Macedonia, Malta, Montenegro, Morocco, Azerbaijan, Nigeria, Oman, Pakistan, Panama, Paraguay, Qatar, Saudi Arabia, Serbia, Slovakia, Slovenia, South Africa, Sri Lanka, Taiwan, Thailand, Tunisia, Turkey, UAE, Ukraine, Uruguay, Venezuela, Bahrain
Questions?
Evaluation center
• Download Windows Server 2012: http://bit.ly/DescargaWS2012
• Download Hyper-V Server
• Download System Center 2012
• Try Windows Azure: http://bit.ly/AzureItPro
Social networks
• http://www.facebook.com/TechNet.Spain
• http://www.twitter.com/TechNet_es (TechNet Spain)
Links
• PFE blogs: PFE Spain blog: http://blogs.technet.com/b/pfespain
• PFE Platforms worldwide blog (English): http://blogs.technet.com/b/askpfeplat/
• Windows Azure MSDN blog: http://blogs.msdn.com/b/windowsazure/
• Windows Azure YouTube channel: http://www.youtube.com/user/windowsazure
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.