An Introduction to Microsoft Cloud Solutions - Managing Microsoft Hybrid Clouds (2015)

Chapter 2. An Introduction to Microsoft Cloud Solutions

In this chapter, you will learn which Microsoft products make up a hybrid cloud and look at the characteristics and functionalities delivered by these solutions. The technical details and how-to's will be described in Chapter 3, Understanding the Microsoft Azure Architecture, and the later chapters.

You will learn how the products were developed and also take a look at the service levels of Microsoft Azure, the cost structure, supported software, and license mobility.

Last but not least, we will have a fair and unbiased look at what is possible using Microsoft cloud solutions—because it is not only important to understand what a solution delivers, but also what a solution doesn't deliver at the moment.

As described in Chapter 1, An Introduction to Cloud Computing, the Microsoft hybrid cloud is made up of a few software components. The ones we will discuss in this chapter are:

· Windows Server

· System Center

· Microsoft Azure

· SQL Server

Cloud first

Microsoft, as a company, is making a switch from being a software company to being a service and devices company. About 5 years ago, each software license Microsoft sold in the enterprise space was used on hardware bought or leased by the customer. With the shift to the cloud, this is changing—along with the features of the Microsoft software.

Microsoft announced that it will deliver new features first in the cloud and only later in on-premises software. This also means that on-premises software has features to easily connect to Microsoft Azure. For example, an export of a SQL Server database can easily be imported into Azure Storage with a few mouse clicks without leaving the SQL Server Management console. Visual Studio has a similar cloud integration.

We have to see how this works out. Currently, software offered in the SaaS model, such as SharePoint Online, Exchange Online, and parts of Office 365, offers fewer features than the on-premises versions. For example, SharePoint Online has a lower maximum number of list or library items that a database operation, such as a query, can process at one time. This number is restricted to 5,000, while there is no such restriction for SharePoint used on-premises.

Tip

Make sure you know the restrictions of cloud-based applications and infrastructures.

Windows Server 2012

Windows Server 2012 and more specifically the Hyper-V role is the core of the Microsoft hybrid cloud. It will run on-premises in enterprises and in datacenters operated by service providers.

Hyper-V is now a mature hypervisor that offers essential features for the enterprise. Hyper-V is available for free in a product named Microsoft Hyper-V Server 2012. Once installed on a server and booted, a basic command shell interface is presented.

There is no graphical user interface available and no other roles can be installed. However, there are no restrictions from a Hyper-V point of view. All features available in Hyper-V can be used, including clustering, the High Availability feature of Hyper-V. A host running Hyper-V Server can be managed using System Center Virtual Machine Manager. Also, this edition does not come with the free Windows Server licenses that can be used for the guest operating systems.

For central management of Hyper-V hosts and the virtual machines running on those hosts, either Cluster Manager or System Center Virtual Machine Manager can be used. While Cluster Manager offers only basic features, System Center Virtual Machine Manager offers additional features to manage storage, networking, templates, services, role-based management, deployment of physical servers, and a lot more.

System Center Virtual Machine Manager cannot be purchased separately. It comes as part of the System Center Suite. Other components of the System Center Suite are Data Protection Manager, Configuration Manager, Operations Manager, Orchestrator, Endpoint Protection, App Controller, Service Manager, and Windows Azure Pack. An alternative to purchasing the complete System Center suite is purchasing a solution like 5Nine Manager for Hyper-V. This is an easy-to-use and cost-effective management solution for Microsoft Hyper-V. It provides most of the features of Microsoft System Center VMM that SMBs need for everyday Hyper-V management.

Microsoft System Center 2012

Microsoft System Center 2012 is the infrastructure management suite of Microsoft. It contains all the software needed to deploy, operate, and monitor infrastructure components running either on-premises or in cloud platforms.

Obviously, Microsoft provides a good integration between System Center 2012 and Microsoft Azure. We will discuss many examples later in this book.

System Center is a cloud management platform that allows us to create and manage a private cloud. A private cloud allows non-IT staff to provision virtual machines and applications using a self-service portal and a catalog. Strong automation makes sure the requested resources are efficiently made available to the requester with no, or hardly any, involvement of the IT staff.

This book is about the hybrid cloud and not about the private cloud. So, we will not go into the details of the various components of the System Center suite or use case scenarios.

However, let's look at what Microsoft's private cloud offering looks like, to get a good understanding of the products.

The platform consists of various independent software components that deliver the cloud management functionality when properly connected. These components are as follows:

· Configuration Manager

· Virtual Machine Manager

· Service Manager

· Orchestrator

· Operations Manager

· App Controller

· Data Protection Manager

· Windows Azure Pack

Combined, these solutions form a Cloud Management Platform. These tools can be used to operate a private and hybrid cloud.

In the next sections, we will briefly zoom in on the functionalities of the components and especially on how they integrate with Microsoft Azure.

System Center Configuration Manager

System Center Configuration Manager (SCCM) is used to deploy operating systems, applications, hot fixes, and other software to clients and servers. It can be used to manage systems such as Windows Server, Mac OS, Linux, and Unix. Also, mobile devices running Windows Phone, Symbian, iOS, and Android can be managed. However, an additional subscription to Windows Intune is preferred for this, since SCCM out of the box only supports older mobile operating systems, such as Windows Mobile 6.1 and Nokia Symbian.

SCCM 2012 SP1 allows us to create a cloud distribution point in Microsoft Azure. A distribution point is a library that contains applications, updates, and more that are ready for deployment to clients managed by SCCM. The advantage of a distribution point in Azure is that it is highly available and reachable from locations all over the globe with just an Internet connection. Data is encrypted before it is transferred to the distribution point.

System Center Virtual Machine Manager

System Center Virtual Machine Manager (SCVMM) has many features. It can be used to deploy physical servers and virtual machines. In this book, we concentrate on the features of System Center that enable a hybrid cloud.

One of the most important features of SCVMM for multitenant clouds is network virtualization. Basically, this lets virtual machines use IP subnets that are completely invisible to the IP network used by the Hyper-V hosts, switches, and other physical components. Network virtualization is useful for service providers: two tenants who use the same IP subnets can be hosted in the same infrastructure. It also allows us to move virtual machines between infrastructures that use different IP subnets without changes to the IP configuration of the virtual machine.

So, for example, virtual machines can be moved (offline or soon via online Live migration) to a service provider or to Microsoft Azure without adjustment to IP configuration, DNS, and so on.

The best analogy is something we are all used to: when we travel abroad, we can still be contacted on our mobile phone using the same telephone number.

System Center Service Manager

System Center Service Manager (SCSM) allows organizations to manage incidents and problems. It is compliant with Microsoft Operations Framework and ITIL. It provides built-in processes for incident and problem resolution, change control, and asset lifecycle management. Service Manager has a self-service portal that enables end users to report incidents and perform some tasks themselves, for example, resetting passwords.

System Center Orchestrator

System Center Orchestrator (SCO) is an automation tool. Using drag-and-drop, administrators can create runbooks to automate tasks like deploying servers, creating user accounts, and so on. SCO can be connected to many System Center components to automate tasks. For example, it can receive status information from Operations Manager and use that information to instruct SCVMM to deploy additional virtual servers.

System Center Operations Manager

System Center Operations Manager (SCOM), often referred to as Ops Manager, is a monitoring and reporting tool. Using management packs that contain knowledge about applications or operating systems, SCOM reports on the status and condition of several infrastructure components.

System Center App Controller

App Controller is a cloud management portal. It allows administrators and end users to manage private and public clouds. A private cloud is a set of resources abstracted by SCVMM. A public cloud is a set of resources provided by Microsoft Azure or by a service provider. The service provider needs to have the Service Provider Foundation software running. This is a special component of the System Center suite.

In the next chapters, you will learn more about App Controller and how to connect to Microsoft Azure and service providers.

System Center Data Protection Manager

Data Protection Manager completes the datacenter management suite as the backup tool of choice for Microsoft workloads. Through the use of the Volume Shadow Copy Service (VSS), it provides regular snapshots or full backups of Hyper-V hosts, virtual machines, or SQL/mail databases.

Windows Azure Pack

Microsoft Cloud OS is, as explained earlier, Microsoft's vision of how to deliver services in a hybrid cloud as seamlessly as possible. Services can run on-premises, in Microsoft Azure, or in datacenters operated by service providers.

Microsoft offers software that enables service providers to offer Azure-like services in their datacenter. Windows Azure Pack runs on top of Windows Server 2012 Hyper-V and System Center 2012 R2.

It offers four services:

· Virtual machines

· Websites

· Service Bus

· SQL

Azure Pack has an Application Programming Interface (API), so customers can use scripting to perform all kinds of management tasks, just as they are used to doing for Microsoft Azure. For manual management, a self-service portal is available. The user interface of Azure Pack looks similar to the Azure Management Portal.

In contrast to Microsoft Azure, Azure Pack makes it possible to connect to the consoles of virtual machines without needing RDP or network connectivity to the virtual machine. Windows Azure Pack Console Connect works the same way as VMConnect from the Hyper-V Manager console.

Microsoft StorSimple

StorSimple is a stranger in our midst, as it is the only component of the Cloud OS vision that is delivered as hardware. StorSimple integrates tightly with cloud-based storage. It can use Microsoft Azure Storage services as a cost-effective storage tier.

I have never met a customer who has full control over the growth of data. Each organization is facing growth in the amount of data and in the management of that data. End users believe data capacity is unlimited, while IT management has no insight into whether data is really useful or could be deleted.

The shortcut solution to the growing need for storage is simply to add storage. However, buying and managing storage is expensive. Most data needs a backup as well, which adds to the cost of the backup infrastructure.

A common solution to reduce costs on storage is to archive data. About 80 percent of data is hardly ever accessed, so it can easily be moved to another type of storage.

Microsoft offers a complete solution with the StorSimple appliance. When using StorSimple, virtual machines or physical servers are connected to volumes presented by the StorSimple appliance, which is deployed on-premises. The appliance itself offers two tiers of storage: SSD and SATA. SSD offers the best storage performance, while SATA offers good performance and is cheaper than SSD. The third tier is cloud-based storage. The appliance does auto-tiering such that frequently requested data is located on the fastest tier, while data that is rarely accessed is automatically moved to the cloud storage.

StorSimple is a hardware appliance. Depending on the required capacity, one or more appliances are purchased and connected to the network. If more storage capacity is needed, additional appliances need to be purchased.

It has features such as compression, deduplication, and encryption. As data is kept outside the datacenter, StorSimple can replace traditional tape in certain use cases. Data sent to the cloud is encrypted for security reasons. We have known since the PRISM scandal around June 2013 that data could be watched by the NSA without the knowledge of the cloud provider's customer.

Besides archiving and extension of storage capacity, StorSimple can also be used for disaster recovery purposes. Snapshots can be replicated to Microsoft Azure. When a disaster hits the on-premises datacenter, data can be retrieved from the cloud storage in an alternate datacenter. Instead of having to copy all the data back to the alternate datacenter, initially only the data requested by users is restored.

In a later chapter, you will learn how to use the StorSimple appliance.

Microsoft SQL Server 2014

The Cloud OS vision is not purely focused on delivering an infrastructure platform. Part of the vision is SQL Server 2014. As this book is about infrastructure, I will not go into much detail on SQL Server.

SQL Server 2014 is enabled for use in a hybrid scenario. This means that SQL Server data can be made highly available by using Microsoft Azure as a secondary location to store SQL Server data.

SQL Server allows us to export a database (data and schema) and import it into Microsoft Azure in a few simple steps.

Microsoft Azure

So what is Microsoft Azure exactly? To understand Azure we should first have a look at how it all started.

Work on Microsoft Azure started in 2006 as a project. Microsoft saw how the Amazon and Google cloud initiatives got traction and realized it should jump on the cloud train. Amitabh Srivastava of Microsoft was head of the team whose mission was to develop a cloud solution. At that time, Microsoft was planning to offer more cloud services than "just" Hotmail.

The second member of the team was Dave Cutler. Cutler was the developer of VMS and Windows NT. One day, he and a couple of other Microsoft employees were driving in a car heading to a Hotmail datacenter. Cutler saw a really shady strip joint in San Jose called The Pink Poodle and thought that it could be a great name for the project.

The other guys in the car said no and thought of a different name. So, the project code name became Red Dog.

While this is the unofficial story, another story has it that the team developing Azure liked a brand of beer called Red Dog.

When Red Dog was announced at the PDC2008 developers conference in October 2008, the new name was Windows Azure. In March 2014, Windows Azure was rebranded to Microsoft Azure to emphasize that Azure is a multi-platform cloud. Initially, some also called Azure Windows as a Service. It allowed developers to quickly develop software without the hassle of setting up server hardware, networking, storage, operating systems, and developer tools.

Microsoft Azure was released on February 1, 2010. Initially, Azure was a Platform as a Service (PaaS) offering from Microsoft. Developers could access Azure and develop software using a wide range of tools like .NET, PHP, and so on.

It used a hypervisor that was a fork of Hyper-V but written from the ground up, and it used the VHD file format like the Hyper-V part of Windows Server.

Developers were limited in their choice of tooling, as only Microsoft-supported tools were offered. It was not possible to exercise control at the operating system level. There were a few roles that ran as virtual machines: the worker role, a virtual machine acting as an application server, and the web role, a virtual machine running a web server.

The limitation on developer tools was lifted when Azure Virtual Machines were introduced. The new offer went live in April 2013 and gave customers the opportunity to provision virtual machines running Windows Server-based or Linux-based operating systems. Besides control over the operating system, Azure Virtual Machines also enable the management of networking. Customers can now control network connections between virtual machines by using a VLAN type of separation. They are also able to control access to network ports in the guest operating system.

As of January 2015, Microsoft Azure runs in 17 regions (each made up of one or more data centers) located on four continents. Each continent (except South America) has at least two regions for data redundancy.

Note

New functionality is added almost every three weeks! While I did my best to keep this book as up to date as possible, it is very likely that Microsoft has added new features to Azure that are not mentioned in this book. See the errata page on the Packt Publishing website (www.packtpub.com) for up-to-date information.

Microsoft Azure Services

As you learned before, Azure started as a platform for developers. Most functionality is still targeted at developers and at making applications running in the cloud accessible to consumers. In this section, we will briefly discuss those services to give you a better understanding of what Azure has to offer.

Basically, there are three main services offered by Azure:

· Websites

· Cloud services

· Virtual machines

Azure can be seen as a box full of Lego bricks. An Azure customer can choose which bricks to use for the application they require. Azure offers several of those bricks that are called services by Microsoft. Each service has its own pricing and Service Level Agreement and can be purchased separately. These can be categorized into four classes:

· Compute services: websites, virtual machines, mobile, and cloud services

· Data services: Backup, Cache, Site Recovery, and HDInsight

· App service: Media services, messaging, and Active Directory

· Network services: Virtual Network and Traffic Manager

As this book is solely focused on the Infrastructure as a Service (IaaS) features of Azure, we will not go into the details of each service in this book.

Using these Azure services, the following use cases can be built:

· Web Sites

· Mobile apps

· Dev/test

· Big data

· Media

· Storage, backup, and recovery

· Identity and access management

To get to know the Azure use cases in detail, we will discuss each of them in depth.

Web Sites was one of the first features available when Azure became available to the public in 2010. Web Sites allows customers to deploy websites on Azure. Provisioning is made very easy using preconfigured virtual machine images. Many tools to create web-based applications are supported. To cover peaks in demand, bursting can be configured.

Mobile Apps services allow developers to support apps running on mobile devices. The backend for these apps is different from that of websites. Mobile Apps supports the Software Development Kits of mobile platforms such as Windows Mobile, iOS, and Android. It allows us to send push notifications to mobile devices and is able to authenticate users via platforms such as Facebook, Twitter, and Microsoft.

Big data is a service that offers Hadoop software to perform data analytics. Hadoop is one of the best-known software packages for analyzing all sorts of data. The service is called HDInsight by Microsoft.

On-demand and live streaming of media content such as video is offered by Media Services. Customers can upload, convert, and encode all kinds of media.

Storage, backup, and recovery allows us to store data in Microsoft Azure. This can be live data, backup data, or archival data. Recovery allows Microsoft Azure to perform an orchestrated recovery of datacenters running System Center. You will learn more about this in one of the next chapters.

Identity and access management services enable users to authenticate to Microsoft Azure Directory Services. Two-factor authentication is supported. On-premises Active Directory can be extended to Azure. Single sign-on is supported when Federation Services is used. You will learn more about authentication in the next chapters. Access management allows users to have single sign-on access to SaaS applications once they are authenticated to Windows Azure Active Directory.

Dev/test is all about the ability to quickly deploy virtual machines with preconfigured software. Microsoft made many software tools available that are preinstalled in a virtual machine image. Getting access to these applications is as simple as selecting the image, selecting the size of the virtual machine, selecting the location, and done!

Some examples of the software available in virtual machine images are Oracle WebLogic and Ruby on Rails.

When these images are not sufficient, there is also a library full of images. These are not stored in the Microsoft Azure datacenters but need to be downloaded. When even this does not meet the requirements of the demanding customer, you can always upload your sysprepped company image or a prepared .vhd virtual disk to use in the Microsoft Azure Cloud.

Stateless versus stateful virtual machines

As described earlier, Azure offers two models of cloud computing: PaaS and IaaS.

Services offered in PaaS run in a virtual machine, but the consumer is not aware of this. They don't have to create a virtual machine, networking, or storage and are also not able to manage the operating system. Patching and updates on the operating system are done by Microsoft. Microsoft does this by deploying a new operating system with the latest patches.

Virtual machines in PaaS are stateless, which means that if the host crashes, a new virtual machine will be created. All data on the crashed virtual machine, however, is lost. Data in this model needs to be stored in Microsoft Azure Storage, which is persistent storage.

This model does not work in IaaS. So, here the virtual machine is stateful.

Microsoft Azure Infrastructure Services

Microsoft Azure is a service name. It provides virtual machines and virtual networking. But it goes a bit further in available services than the average IaaS offering. Azure Infrastructure Services also offers SQL Server running inside virtual machines, which allows you to use Microsoft Azure as a DR site. It is also possible to connect an on-premises Active Directory with Microsoft Windows Azure Active Directory (WAAD) to provide single sign-on for applications running on Azure.

Microsoft Azure Virtual Machines

The Azure Virtual Machines service allows us to create, delete, and modify virtual machines running a selected number of operating systems. Currently (January 2015) supported operating systems are Windows Server 2008, Windows Server 2012, Windows Server 2012 R2, and 6 different Linux distributions.

Virtual machines come in fixed sizes. Generally, these are called "t-shirt-sized virtual machines." Currently (January 2015), there are 23 configurations to choose from, and each configuration is a fixed number of virtual cores and a fixed amount of virtual memory. Virtual machine configurations are grouped into the A, D, and G series.

It is not possible to configure specific preferences for the number of virtual processors, amount of internal memory, or the disk size of the operating system disk. Customers are able to add additional virtual disks, but the maximum number of disks that can be added to the virtual machine depends on the size of the virtual machine.

Microsoft Azure Storage

Microsoft offers cloud-based storage. Storage capacity can be used by customers without the need to consume processing, as is the case with virtual machines. Azure storage can be used for backup purposes, for storage of virtual machine data, SQL Server data, SharePoint data, and so on.

Data can be accessed by customers using a REST API, which is a standard way of accessing various resources. Using the REST API, it is very simple for applications to connect to Microsoft Azure. Data located on Azure storage is stored three times in a single datacenter; this way, the data is protected from the failure of a single disk. Thanks to geo-replication, the data is replicated to yet another location. If enabled (which is the case by default), geo-replication will replicate the data to another datacenter in the same region.
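The REST access just described is authenticated per request: each call to a storage account carries a Shared Key authorization, an HMAC-SHA256 over a canonical form of the request computed with the account key, so the key itself never travels over the wire. The following is an added example, not code from the book or from Microsoft; the account name, account key, container name and date are constructed for the example, and the canonicalization follows the documented Blob service format for x-ms-version 2014-02-14 (the version current when the book was written), including the later rule that a zero Content-Length is signed as an empty string from version 2015-02-21 on.

```python
"""Shared Key authorization for an Azure Storage REST request.

Added example, not code from the book or from Microsoft. The account name,
account key, container name and date below are constructed for the example.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Standard headers, in the order the Blob/Queue/File string-to-sign lists them.
_STANDARD_HEADERS = (
    "Content-Encoding", "Content-Language", "Content-Length", "Content-MD5",
    "Content-Type", "Date", "If-Modified-Since", "If-Match", "If-None-Match",
    "If-Unmodified-Since", "Range",
)


def canonicalized_headers(headers):
    """All x-ms-* headers, lowercased and sorted, one 'name:value\\n' each."""
    items = sorted((k.lower(), v.strip()) for k, v in headers.items()
                   if k.lower().startswith("x-ms-"))
    return "".join(f"{k}:{v}\n" for k, v in items)


def canonicalized_resource(account, url):
    """'/<account><path>' plus each query parameter, lowercased and sorted,
    as '\\n<name>:<values>' with multiple values joined by commas."""
    parsed = urlparse(url)
    resource = f"/{account}{parsed.path or '/'}"
    query = parse_qs(parsed.query, keep_blank_values=True)
    for name in sorted(query, key=str.lower):
        resource += f"\n{name.lower()}:{','.join(sorted(query[name]))}"
    return resource


def string_to_sign(account, method, url, headers):
    """Canonical representation of the request that the signature covers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    parts = [method.upper()] + [lowered.get(h.lower(), "") for h in _STANDARD_HEADERS]
    # From service version 2015-02-21 on, a zero Content-Length is signed as "".
    if lowered.get("x-ms-version", "") >= "2015-02-21" and parts[3] == "0":
        parts[3] = ""
    return ("\n".join(parts) + "\n"
            + canonicalized_headers(headers)
            + canonicalized_resource(account, url))


def shared_key_authorization(account, account_key_b64, method, url, headers):
    """Authorization header value: HMAC-SHA256 of the string-to-sign, keyed
    with the base64-decoded account key, then base64-encoded."""
    key = base64.b64decode(account_key_b64)
    sts = string_to_sign(account, method, url, headers).encode("utf-8")
    signature = base64.b64encode(hmac.new(key, sts, hashlib.sha256).digest())
    return f"SharedKey {account}:{signature.decode('ascii')}"


def build_list_blobs_request(account, account_key_b64, container, date):
    """Headers for a 'List Blobs' call on one container. x-ms-date binds the
    signature to a time window; the service rejects requests whose date is
    more than 15 minutes off its own clock."""
    url = (f"https://{account}.blob.core.windows.net/{container}"
           "?restype=container&comp=list")
    headers = {"x-ms-date": date, "x-ms-version": "2014-02-14"}
    headers["Authorization"] = shared_key_authorization(
        account, account_key_b64, "GET", url, headers)
    return url, headers


# Constructed sample values (not a real account or key).
SAMPLE_ACCOUNT = "examplestorage"
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode("ascii")
SAMPLE_DATE = "Thu, 01 Jan 2015 00:00:00 GMT"

if __name__ == "__main__":
    url, hdrs = build_list_blobs_request(SAMPLE_ACCOUNT, SAMPLE_KEY, "backups", SAMPLE_DATE)
    print("GET", url)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

Because the signature covers the verb, the resource path, the query parameters and the x-ms-date header, a captured request cannot be reused against another container or replayed outside the date window; what it does not limit is the scope of the account key itself, which grants full access to every container in the account, so that key has to be handled like any other master credential.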

In the next chapter on Microsoft Azure architecture, you will learn about storage in detail. You will learn about storage accounts, IOPS, best practices, and so on.

Azure Virtual Network

Azure Virtual Networks allow customers to extend their on-premises infrastructure to Microsoft Azure. Azure Virtual Networks offer functionality like site-to-site (S2S) VPN, point-to-site VPN, and internal cloud networking.

Azure customers can set up a secure connection over the Internet using an S2S VPN between Microsoft Azure and an on-premises location. At the moment, only one S2S connection can be set up per subscription.

A secure connection between desktops/laptops and Microsoft Azure can be set up as well, without needing a VPN connection to the corporate network. This point-to-site connection will be described later.

Virtual machines running in Microsoft Azure will require a network connection to communicate with each other, and they will need IP configuration as well.

Microsoft Azure has dynamic IP addresses for virtual machines. The addresses are fixed to the virtual machine as long as the cloud service to which the virtual machine belongs is active.

In September 2013, Microsoft announced that Microsoft Azure will be connected to the AT&T network. As many datacenters of US organizations are already connected to the AT&T MPLS VPN network, this means a very easy connection to Azure. Besides easy on-boarding to Azure, it will also provide additional security benefits, reduced latencies, and faster data transfers.

Microsoft Azure Directory Services

Almost all enterprise applications require some sort of authentication. This enables control over who has access and permission to the application.

Microsoft Active Directory is used by many organizations worldwide for identity management and access control. A multitenant version of Active Directory called Windows Azure Active Directory (WAAD) is available in Microsoft Azure. It is a very important component of many online Microsoft services. Examples of these services are Office 365, Dynamics CRM Online, Windows Intune, and other (third-party) cloud services.

On-premises Active Directory hosted on Windows Server can be synchronized with WAAD. The process of setting up WAAD and directory synchronization with on-premises Active Directory will be described later in this book.

To enable single sign-on for on-premises users to services running in Microsoft Azure, Active Directory Federation Services (ADFS) needs to be installed on-premises. ADFS is a kind of proxy between the on-premises AD and Microsoft Azure AD. It does not relay the username/password; instead, it uses a ticket to authenticate to Azure services.

For an even higher level of security, Microsoft has developed multifactor authentication. Users don't just use their credentials to log on to a server or service, but they must additionally authenticate with another device (another factor), with an app or by responding to an automated text message, before access is granted.

Azure Preview

New features in Microsoft Azure do not become available as a beta. Microsoft adds new features at an extremely rapid pace of about one release every three weeks. Most new features are first made available as a Preview. Sometimes the Preview is open to the public, and sometimes usage of the Preview is limited. An example of a limited Preview was Azure Site Recovery.

Like in a beta of any Microsoft software, you should not use Preview features in any production environment. The Preview is meant to do research on the new feature before it eventually becomes generally available. It is also much appreciated when Preview users provide their feedback to Microsoft.

Azure Previews are likely to become generally available at some time. However, there is no guarantee.

An overview of Azure Preview features can be found at http://www.windowsazure.com/en-us/services/preview/.

Best effort versus reliable clouds

Not every IaaS cloud service is the same. There are some fundamental differences between IaaS clouds. The main difference is in the architecture of the platform. Gartner has named the two most common architectures a best effort cloud and a reliable cloud. Other names for these different types of clouds are designed for failure versus enterprise clouds or stateless cloud service model versus stateful cloud service model.

A designed for failure cloud has been designed for running applications that have resiliency built into the application. This means that when a particular part of the application fails, the application continues to be available. This comes down to an application made up of many different virtual machines. Think about an application with a web tier, an application server tier, and a database tier. Each tier has at least two nodes so that if one node fails, the application will continue to be available.

A best effort cloud uses commodity hardware with no redundancy built into the hardware. For example, there is only one power supply, and a single fan for cooling. There is a single top-of-rack switch, no live migration of virtual machines, and so on. In some cases, the cloud provider does not have a Service Level Agreement available for single instance virtual machines.

As virtual machines are nonpersistent, there is no need for backup virtual machines. Backup at the storage layer is good enough.

Microsoft Azure is an example of a best effort cloud. In the next section, you will learn why.

A reliable cloud has been designed to host legacy, non-cloud-ready applications that have single points of failure built into the application. In this cloud, the infrastructure is designed such that it provides resiliency for the application. The server hardware used is enterprise class with redundant components. The cloud platform provides high availability and fault tolerance.

Virtual machines are persistent and a frequent backup is required. VMware vCloud Air and other VMware vClouds are examples of reliable cloud platforms.

Microsoft Azure is a best effort cloud

Microsoft Azure is designed for cattle type applications. We discussed cattle versus pets in Chapter 1, An Introduction to Cloud Computing.

Azure does not have facilities to move virtual machines without downtime to other nodes in case of planned maintenance. Virtual machines will restart when Microsoft installs updates on the nodes. For this reason, Microsoft does not have a Service Level Agreement for single-instance virtual machines.

For customers to get guarantees on availability via an SLA, there need to be at least two instances serving the same application role, and they must be part of the same availability set. In the next chapter, we will discuss availability sets.

Microsoft also does not support the Windows Server Failover Clustering role in virtual machines running on Azure. The only exception is SQL Server AlwaysOn Availability Groups, which are fully supported by Microsoft. So Windows clustering cannot be used to have redundant instances. This restriction means that many traditional applications will not be the most obvious choice to move to Microsoft Azure. If the application runs on a single virtual machine only, Microsoft will not offer an SLA on the virtual machine. Customers will need to rearchitect those traditional applications to be able to run on best effort clouds.

The result is that many traditional applications currently in use will have to be rewritten if they are to be deployed on Microsoft Azure and require high availability.

Microsoft is working on a solution for downtime because of planned maintenance on Azure hosts. The technology will be some sort of hot patching. This will allow installation of hotfixes on Azure hosts without the need to reboot the host. At the moment no information is publicly available on this new technology Microsoft is developing.

An alternative to rearchitecting the application or acquiring a new application is to use a reliable cloud platform like VMware vCloud Air.

Dedicated versus private virtual clouds

Cloud service providers sometimes offer their customers two options in their IaaS offering:

· A dedicated, private cloud

· A shared cloud

Private cloud hosting or dedicated cloud means the virtualization host machines exclusively run virtual machines of a single tenant, and there is physical isolation at the compute level. Storage, networking, and other components are mostly logical, isolated using virtual LAN and virtual storage features. Without logical isolation, this will be a very expensive kind of cloud.

The advantages of this kind of cloud are security and performance. Some organizations do not want their processing shared with multiple tenants. They believe there is a risk that other tenants might be able to look into their virtual machines. The other aspect is performance.

The third possible reason for using a dedicated cloud is compliance requirements regarding licensing. Some vendors believe their customers need to license the number of CPU sockets that a virtual machine can possibly run on. When using a dedicated cloud, the potential number of CPUs is restricted and is easy to count in a license assessment.

In a shared cloud, processing resources are shared between multiple tenants. This makes this offer cheaper than a dedicated cloud. Virtual machines of multiple tenants are processed on the same host. Tenants do not have any control over where their virtual machines are running.

Microsoft Azure does not offer a private/dedicated cloud. Compute, network, and storage resources are logically isolated. So, virtual machines of multiple tenants will share the same Azure host.

Use case scenarios for Microsoft Azure

In the previous section, you learned that Microsoft Azure is not well suited to run legacy, traditional stateful applications which rely on single nodes. You can easily recognize that type of application. If you are afraid to stop a virtual machine that serves an application, that application is a legacy, not a cloud aware application.

So what are the use case scenarios for using Microsoft Azure in general and in a hybrid cloud scenario in particular? We will answer this question in the following sections.

Test and development

Azure offers a lot of facilities for software developers. Images complete with operating systems and applications such as SQL Server, SharePoint, or Oracle databases can be deployed with a few mouse clicks. Several developer tools are available. The best thing for dev/test scenarios is that when Microsoft Azure VMs are shut down, Microsoft stops billing you for them. So, when developers need a virtual machine for programming and another virtual machine for testing the code, they can stop working when they leave the office and their expenses (for compute resources) stop when they turn off the lights in their office.

Temporary processing power

Microsoft Azure provides lots of processing power that can be provisioned very quickly. There are many use cases in the medical world where applications are running in Azure that perform analytics on DNA or medicines. Instead of days of calculations in an on-premises infrastructure, calculations in Azure can be done in hours. This happens without the capital investment needed for on-premises compute resources.

Cloud bursting

Some information or services available via the Internet have temporary peaks in demand. Think about web shops that get a lot of additional page views in the weeks before Christmas, or websites of events like the Olympic Games. Another example is the website of the Swedish organization that awards the Nobel Prize.

Demand peaks only during a couple of weeks per year. It does not make sense to invest in infrastructure just to handle these peaks. Microsoft Azure is a perfect cloud platform for use during peak demand on web services.

Windows Server and Data Protection Manager cloud backup

There are many use cases for using Microsoft Azure as an offsite location for storage of backup data. Azure could potentially replace backup tapes. Storage on disk is much more efficient and easier to handle. There is one caveat and that is the restore time. If you need to restore lots of data back from Azure, it can take a lot of time.

Backup data created by Windows Server backup and Microsoft Data Protection Manager can be stored in Microsoft Azure using a standalone backup agent.

SQL Server cloud backup

Microsoft makes it very easy for customers to store backup data of on-premises SQL Server in Microsoft Azure. SQL Server 2012 and 2014 offer a built-in ability to store SQL Server backup in Microsoft Azure. The backup data is encrypted.

For versions like SQL Server 2008 and earlier, Microsoft offers a standalone tool that is able to automatically store, compress, and encrypt SQL Server backup files in Microsoft Azure. Configuration of backup to Azure from the SQL Server user interface is very straightforward.

StorSimple seamless backup

StorSimple is a hardware appliance which serves as a local storage device. It offers several storage tiers. One of the tiers is Azure storage. The StorSimple device will automatically move infrequently used blocks of data to Microsoft Azure, thus reducing on-premises storage costs.

Besides backup, the StorSimple appliance is also useful for disaster recovery. Full backups can be stored in Azure. When on-premises storage is unavailable, the StorSimple device can be used to restore access to data in minutes without having to perform a full restore. The device will copy only the hot data to the on-premises StorSimple device.

A use case for StorSimple in the medical field could be built around X-ray scans. These scans need to be available to doctors for long periods after a patient leaves the hospital; when an unfortunate person returns with another broken limb after years of good health, the specialist should be able to consult the earlier data. This data doesn't need to be on-site, but should be available to the doctor as if it were on-site.

SQL Server cloud replica

SQL Server 2014 offers the ability to use a SQL Server 2014 running as a virtual machine in Azure as a replica. This offers a cost-effective disaster recovery solution for SQL databases.

DFS cloud replica

Windows Distributed File Shares can be replicated to a DFS server running in Azure. This enables easy offsite storage.

Disaster recovery

Azure Site Recovery allows for an orchestrated failover in case of a disaster. It also enables Azure as a target for replication. If a customer's primary on-premises datacenter is protected by Hyper-V Replica and managed by System Center, Azure Site Recovery can perform a fully automated failover to the customer's secondary datacenter. No customer data is stored in Microsoft Azure, just the metadata of the infrastructure, such as virtual machine names and network names.

In the next chapters, we will go into the details of the scenarios described earlier. You will learn about the benefits, the caveats, and how to install and manage.

On-premises and cloud feature misalignment

It is likely that Microsoft customers using Hyper-V and System Center on-premises will consider Microsoft Azure as their preferred cloud platform for hybrid cloud. Microsoft does a lot of promotion of its Cloud OS vision and makes sure System Center integrates nicely with Azure.

While a seamless experience for management of both on- and off-premises might be very obvious, there are some caveats. The caveats are in the missing features in Azure on virtual machine management compared to what Hyper-V has to offer.

Despite Microsoft Azure running Hyper-V on the nodes, there are quite some differences in management features between on-premises and Microsoft Azure. This is partly caused by the mixture of Windows Server 2008 R2 Hyper-V and Windows Server 2012 Hyper-V deployed in Azure datacenters. The exact percentage of 2008 versus 2012 Hyper-V is not made public by Microsoft.

So let's have a look of what Azure is missing at the moment (January 2015) for the management of virtual machines:

· There is no VMConnect capability for console access to the virtual machine as there is with Hyper-V. The virtual machine in Azure can be managed remotely using Remote Desktop Protocol (RDP), PowerShell, or Server Manager. However, these all need a working network connection. If the network connection is not available, there is no way anymore to manage the virtual machine. Microsoft is working on a way to reset the network if an administrator made a mistake so RDP access is not possible anymore.

· No live migration for planned maintenance. Azure customers are not able to use the Hyper-V Live Migration feature to move a virtual machine to another host, simply because Azure does not offer Live Migration. This is because of the stateless architecture of the platform. If an application depends on a single virtual machine, the application will be offline when Microsoft performs maintenance on nodes. Another reason for Microsoft not to offer Live Migration on Azure is the amount of network bandwidth required for Live Migration. Imagine all those virtual machines moving to other servers. Microsoft needs that east-west network bandwidth for regular network traffic generated by customers. Microsoft is working on a solution. Little is known at the moment (January 2015) about this solution. It is based on a new technology which enables a fast switch from an old host operating system to a new, patched operating system. The virtual machines on that host will have no or very limited downtime during the switch.

· There are no checkpoints/snapshots. Currently, it is not possible to make a point-in-time backup of a running virtual machine using checkpoints. A checkpoint can also be very handy in situations where a rollback to a known good state is required. Microsoft is considering adding a snapshot feature in the future.

· There is no VHDX support. Virtual disks in Windows Server 2012 Hyper-V can be as large as 64 TB when the VHDX format is used. However, Azure does not support VHDX. It is currently limited to the VHD format only.

· There is no resize of VHD files. Azure does not allow an online change in the format of a VHD file.

Microsoft Azure security

No book on public cloud computing is complete without a chapter on security and compliance. Security means doing the best possible to prevent unauthorized access to data and to the components publishing that data.

Microsoft Azure datacenters are not accessible for unauthorized persons. The only persons allowed to enter the datacenter are security guards and Microsoft staff responsible for operating the infrastructure. Customers are not allowed to enter under any circumstances.

Azure datacenters have an ISO 27001 certification. Each year, a third-party auditing company checks if Microsoft complies with its security policy.

To allow Dutch financial organizations to use Azure, the Dutch bank regulator De Nederlandsche Bank (Dutch Central Bank) has a right to examine Microsoft Azure.

Azure runs in many datacenters worldwide. Two datacenters are located in Europe: one in Amsterdam and one in Dublin. Besides being close to European customers and thus limiting latency, it is also required for certain European organizations that data stays within EU boundaries. Azure complies with the EU-US Safe Harbour Framework.

Other certifications are:

· SSAE 16/ISAE 3402 SOC 1, 2, and 3 (this replaces SAS70)

· HIPAA/HITECH

· PCI Data Security Standard Certification (this is a certification required when credit card payments are processed)

The infrastructure under management of Microsoft is protected against unauthorized access. Network access is routed via firewalls, and the physical network is separated using VLANs. Network traffic from the Internet is encrypted using HTTPS and using VPN.

Microsoft does not encrypt replication traffic going to another datacenter yet. Also, data stored on Azure storage is not encrypted by Microsoft. Encryption needs to be done by tooling running on-premises.

Luckily, many of Microsoft's software solutions encrypt data on-premises before it is stored in Azure. System Center Configuration Manager, Data Protection Manager, and StorSimple all encrypt data.

Two-step authentication to the management portal is possible. To access data on the storage system, a complex key (Shared Access Signature) that is used like a password is required.

Microsoft support on Azure

When organizations use Azure IaaS, they are themselves responsible for management of the operating system and all the software running on top of that. Microsoft is responsible for management of the virtualization layer and anything below that layer (IT infrastructure). So, when things look broken or organizations have an issue with the components Microsoft is responsible for, they need to contact Microsoft support.

You do need a support contract to be able to get support. Contracts are available in various forms. Microsoft Support can be contacted over the phone or by submitting a support request.

T-shirt virtual machines versus tailor-made virtual machines

Virtual machine sizes are offered by many cloud IaaS providers as t-shirt sizes. That means the configuration of virtual machines memory, number of virtual processors, and hard disk size is limited.

Most likely they do that for their own benefit. Having a limited number of sizes makes it possible to maximize the utilization of the hosts and reduces what is called cutting waste. A fully utilized host makes the most revenue and enables the provider to reduce costs and be competitive.

Virtual machine size offerings are often named like extra small, small, medium, large, and extra-large. Microsoft initially started with naming their virtual machine sizes like this, but later realized this naming has its limits. What would come after a super-super-large virtual machine? So, Microsoft switched to names like A5, A6, A7, and so on.

The disadvantage of t-shirt sized virtual machines is that you are probably going to pay for resources you are not going to consume. For example, you need 32 GB of internal memory and two cores, but the provider only offers 32 GB and four cores.

Other IaaS providers like VMware vCloud Air offer a custom sized virtual machine. Customers can configure any combination of number of cores, internal memory, and disk size.

Microsoft Azure cost model

Cloud computing has different cost models:

· Pay-as-you-go

· A commitment consumption-based plan

· Free, on-demand, reserved capacity, spot capacity, and dedicated

Amazon EC2 calls virtual machine capacity that is reserved but not yet used Reserved Instances. Customers who bought a reservation but did not use all of it can sell it to other customers in the Amazon EC2 Reserved Instance Marketplace.

When customers choose the pay-as-you-go model, they pay only what they consume. A virtual machine that is switched off is not billed for processing. However, the virtual machine still has storage allocated, so billing for storage will continue while the virtual machine is switched off.

Pay-as-you-go is unpredictable for cloud service providers. They cannot predict how much revenue they will make exactly. They also do not have a good estimate on the number of resources they have to allocate.

So an alternative is a plan. In this model, the customer pays in advance and commits to consuming a certain amount of resources. For this commitment, the customer gets a discount. The discount is increased when the commitment is higher.

Microsoft Azure has a spending limit. This means a customer can set a limit on the amount of costs per month. If a particular service is consuming more than expected, the service will be paused when the spending limit is reached.

Obviously, some caution needs to be taken. You do not want your web shop to be shut down because the spending limit was reached and the cloud platform has paused or stopped servers hosting the website. Microsoft charges by the minute and not by the hour, like many other providers.

Also, the average usage over a certain time frame is calculated. Suppose a customer has 100 GB of data at the first of the month and 200 GB at the end of the month, Microsoft will bill 150 GB for the whole month.

Microsoft Azure service-level agreement

The cloud consumer wants to have a guarantee that their services will be available for a certain amount of time. If not, there should be some sort of compensation. Agreements on the availability are documented in Service Level Agreements (also called SLAs).

SLAs are not sexy. I have seen many providers with an unclear SLA and customers not worrying about it. If you are a customer of a cloud service provider, you should be concerned about an SLA: know what it says, what the maximum downtime is, and how the service provider compensates for this.

Each SLA of a cloud provider is different. For one provider, the SLA is effective for the complete virtual machine, including dependent services such as storage and networking, while for another provider, the SLA only covers the virtual machine and is not applicable to virtual machine storage. Some are measured in years and some in months of availability.

As Microsoft Azure offers various services, each service has its own SLA. The following SLAs are available for:

· Virtual machines

· Cloud networking

· Cloud services

· Storage

· Multifactor authentication

· Websites

· SQL database

· SQL Reporting

· Caching

· CDN

· Service Bus

Microsoft uses a whole year in their SLA availability. 99.95 percent means a maximum of 263 minutes of downtime per year. An availability of 99.9 percent means 526 minutes of downtime per year.

Most of these services offer a 99.90 percent availability. For cloud services and Virtual Machines, Microsoft even offers an availability of 99.95 percent. The caveat here is that to get this availability, virtual machines need to have at least two instances deployed in the same availability set. We will discuss this in detail in the next chapter.

To calculate the maximum downtime per year, customers need to add up the downtime allowances of the various Azure components on which their service depends.

For example, consider a customer who is using two virtual machines. They depend on the virtual machines (99.95 percent), storage (99.9 percent), cloud networking (99.9 percent), and cloud services (99.95 percent) Azure services.

So, the maximum downtime of the customer service without Microsoft having to credit is 1576 minutes per year (263 + 525 + 525 + 263 = 1576), which equals over 26 hours per year.
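The addition shown above can be carried out for any combination of dependencies. The following script is an added illustration, not code from the book or from Microsoft: it takes the four availability figures quoted in the example (constructed input) and computes the per-component and combined yearly downtime budget. It also shows a second estimate, obtained by multiplying the availabilities, which assumes the components fail independently rather than one after the other; the additive figure is the conservative upper bound, because no outage minute can be counted twice. The script carries fractional minutes, which is why it reports 1576.8 rather than the rounded 1576 minutes above.

```python
"""Yearly downtime budget for a service that depends on several Azure
components. Added illustration only (not from the book or Microsoft);
the availability percentages below are the ones quoted in the text."""

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600 minutes; SLAs are stated per year


def downtime_minutes(availability_pct: float) -> float:
    """Maximum downtime per year permitted by an SLA of `availability_pct` percent."""
    return (100.0 - availability_pct) / 100.0 * MINUTES_PER_YEAR


def additive_budget(dependencies: dict) -> float:
    """The method used in the text: sum the downtime allowance of each dependency.

    This is an upper bound because it assumes outages never overlap."""
    return sum(downtime_minutes(pct) for pct in dependencies.values())


def serial_budget(dependencies: dict) -> float:
    """Tighter estimate treating failures as independent: the service is up only
    when every dependency is up, so the availabilities multiply."""
    combined = 1.0
    for pct in dependencies.values():
        combined *= pct / 100.0
    return (1.0 - combined) * MINUTES_PER_YEAR


# Constructed input mirroring the two-virtual-machine customer in the text.
EXAMPLE = {
    "virtual machines": 99.95,
    "storage": 99.9,
    "cloud networking": 99.9,
    "cloud services": 99.95,
}

if __name__ == "__main__":
    for name, pct in EXAMPLE.items():
        print(f"{name:18s} {pct:6.2f}%  -> {downtime_minutes(pct):7.1f} min/year")
    add = additive_budget(EXAMPLE)
    ser = serial_budget(EXAMPLE)
    print(f"additive budget (as in the text): {add:.1f} min = {add / 60:.1f} h")
    print(f"independent-failure budget:       {ser:.1f} min = {ser / 60:.1f} h")
```

Run it as a script to print the table; the two totals differ by under two minutes for these figures, so the simple sum used in the text is a sound rule of thumb, and the total grows with every dependency added to the chain.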

Microsoft software support

As Microsoft Azure is a Microsoft product, it doesn't automatically mean that all Microsoft software is fully supported to run on the Microsoft Azure platform.

However, most Microsoft software is supported. Supported means that customers can call Microsoft support and will get full support if their software is running on Microsoft Azure.

Windows Server 2008 and later is supported. There are a few roles that are unsupported:

· Dynamic Host Configuration Protocol Server

· Hyper-V

· Remote Access (Direct Access)

· Rights Management Services

· Windows Deployment Services

Besides the aforementioned roles, Microsoft also does not support the following features:

· BitLocker drive encryption (on the operating system hard disk, but it can be used on data disks)

· Windows Server Failover Clustering (except for SQL Server AlwaysOn Availability Groups)

· High Availability and Disaster Recovery for SQL Server in Microsoft Azure Virtual Machines

· Internet Storage Name Server

· Multipath I/O

· Network Load Balancing

· Peer Name Resolution Protocol

· SNMP Services

· Storage Manager for SANs

· Windows Internet Name Service

· Wireless LAN Service

At the moment (January 2015), Microsoft supports the following software on Azure:

· SharePoint (2013 and 2013)

· SQL Server (2008 and later)

· BizTalk (2013) and Dynamics NAV

· System Center 2012 SP1 App Controller

· Operations Manager

· Orchestrator

· App-V and Service Manager

· Dynamics GP

· Team Foundation Server

Exchange Server, Dynamics CRM, and Dynamics AX are currently in validation for support by Microsoft to be run on Microsoft Azure.

Other vendor software support

When server virtualization was new, many software vendors were reluctant about supporting their software when it was running in a virtual machine. Some vendors were only willing to give support if the customer was able to prove the issue was not related to virtualization. In some cases, they even had to perform a virtual to physical conversion of their workload as evidence. Oracle was one of those companies that clearly stated that in rare cases the customer had to perform such a conversion.

Software vendors nowadays are less reserved in supporting their software when it runs on cloud platforms and Microsoft Azure in particular. Microsoft has put in a lot of effort to make sure vendors support Azure. Many large software vendors support Azure, for example, SAP, Citrix, and Oracle. Oracle announced that it will fully support customers running their software on Microsoft Azure and Hyper-V.

Microsoft software license mobility

While software is in many cases supported by the vendor to be run on Microsoft Azure, there are some complications with licensing.

Basically, there are two scenarios. Customers can create a new virtual machine in Azure from one of the many available images. An image is a virtual machine that has operating system and application software preinstalled. The customer pays a fee for using the operating system and a fee for using the application; no hassles with license management here.

The second scenario is where the customer is either moving a current server or application from on-premises to the cloud including a license, or wants to create a new server in Azure using his own application license.

This second scenario called bring your own license is often very complicated. It is like your pension. Very important, but not sexy and very complicated. Many people trust that their pension is okay, but some will find out it is not when an audit is performed. When you find this out, it usually takes lots of time and effort, and thus money, to correct the situation.

Charging for the use of software is often still based on the number of sockets in a physical server. License agreements often do not allow software to be used in a multitenant environment. Both restrictions are a big issue in cloud infrastructures. A virtual machine can potentially be running on many physical servers during its lifecycle. If a customer is charged for each and every socket the software has run on, the charge will be enormous.

Finally, when a license forbids the usage in a multitenant environment, the software cannot be used in many cloud platforms. Compute resources in Microsoft Azure are always shared by multiple tenants/customers. Other cloud platforms offer a choice between dedicated cloud or shared cloud.

When a custom-made virtual machine image containing Windows Server is uploaded to Microsoft Azure, Microsoft provides the license key for that instance. When a Windows Server virtual machine originally created in Microsoft Azure is moved to on-premises, the customer needs to assign their own license to that instance when running the virtual machine on-premises.

I could dedicate a whole book on software licensing but that is out of the scope of this book. Here are a few important remarks about Microsoft software license mobility:

· License mobility is only eligible for Microsoft SQL Server, SharePoint, Exchange, System Center, and Lync Server.

· All other Microsoft software running in a multitenant cloud environment needs to be licensed using the Service Provider License Use (SPLA) licensing. This means the tenant is charged in a pay per use model for usage of the Microsoft software. The provider will collect the charge and will pay Microsoft for the usage of the license.

· Customers cannot transfer Windows Server licenses to the cloud. Also, Microsoft desktop operating system licenses cannot be transferred to cloud platforms.

· Software assurance is required for License mobility. Customers with the following Volume Licensing agreements have License mobility: Enterprise Agreements, Enterprise Subscription Agreements, and Microsoft Open Value Agreements.

· License mobility through Software Assurance allows customers to use their own license to run application software on shared hardware owned by a provider. However, despite sharing hardware, such instances must be dedicated to a single customer, and cannot be shared with other customers.

· Customers are not allowed to move licenses to any cloud or service provider. The provider should be an Authorized Mobility Partner of Microsoft.

· Customers must submit a request to Microsoft within 10 days of deploying their license on a cloud platform for confirmation that the license is eligible for License Mobility.

· Microsoft licenses must be assigned to a cloud platform for at least 90 days.

Bring your own application license

Very few vendors have yet made firm statements that customer purchased software licenses can be used in cloud environments as well. Oracle allows you to bring your own license or license mobility for their products on both Azure and Amazon. Depending on the Oracle software, four virtual cores are counted as one socket, which is the equivalent to one processor license.

Trying Microsoft Azure

Now that you know a lot about the functionality of Microsoft Azure, you might be interested in trying Azure yourself. Microsoft made it very easy to try Microsoft Azure. Customers get a free trial for 30 days and a credit of $200/€150.

Within a few minutes from now, you will be able to log in to a Windows or a Linux server running in Azure.

The requirements to subscribe for a free Azure subscription are as follows:

· A credit card, which is used to authenticate you. It will not be charged.

· A Microsoft (LiveID) account.

· A mobile phone to receive an authorization code via SMS.

You will not be charged on the credit card. If the credit given by Microsoft has reached the value of zero, the trial stops.

To try out Azure go to http://www.windowsazure.com and click on Free Trial.

Microsoft customers who have an MSDN subscription with Visual Studio receive free Microsoft Azure usage credits per month and discounts on services like Virtual Machines. The free usage credits range from $50 to $150 per month.

This offer is only valid for test and development usage. If Microsoft finds out that the free Azure credits are used for production or are running over 120 hours, Microsoft has the right to terminate virtual machines or other Azure services.

If you are a student without a credit card, Microsoft offers a free 180-day Azure Academic Pass. You can apply for an Educator Grant of Microsoft Azure Academic Passes at http://www.windowsazurepass.com/azureu.

Note that Microsoft does not provide technical support for customers using the MSDN credits. Those customers are entitled to support on billing only. The response time is 8 hours.

Summary

In this chapter, you learned about the Microsoft Cloud OS vision of Microsoft and how this is translated into real-world solutions. We discussed the various components of System Center. You also learned that there are two types of clouds and that Microsoft Azure is a "best effort" cloud. We also discussed license mobility and the restrictions, which are very important.

The next chapter will be the first in this book where we will take a closer look at the technical side of things, and you will learn about the architecture of Microsoft Azure.