Connecting to Microsoft Azure - Managing Microsoft Hybrid Clouds (2015)

Managing Microsoft Hybrid Clouds (2015)

Chapter 5. Connecting to Microsoft Azure

Now that we have built some virtual machines, we are ready to connect our on-premises infrastructure to Microsoft Azure. This chapter is all about connections and will cover the following topics:

· Connecting to Azure using a VPN connection over the Internet

· Connecting to Azure using ExpressRoute as a dedicated connection

· Securing connections using two-way authentication

· Managing virtual machines using App Controller

Connection options

To be able to connect your own managed data centers with Azure, you have three options:

· A site-to-site (S2S) VPN connection using public Internet.

· A multisite VPN.

· Azure ExpressRoute using a private network. This option is available if your data center is located in a facility, such as a co-location, that offers Azure ExpressRoute. Alternatively, a customer site can be connected directly to Azure using network service providers.

For an S2S VPN, a connection is made between a VPN gateway running in Azure and an on-premises VPN endpoint. Initially, when S2S VPN became available, only a single S2S VPN connection could be created. As of May 2014, this has been extended to a maximum of 10 S2S VPN connections. This makes it possible to connect, for example, multiple offices or data centers to the same Azure Virtual Network. Note that these (at most 10) connections share a maximum throughput of 80 to 100 Mbps.

A multisite VPN connection, at the time of writing this book, cannot be created using the Azure Management Portal. The network configuration file needs to be used instead.

Azure ExpressRoute

ExpressRoute is a new service that became publicly available in May 2014. It allows customers to use dedicated connections from on-premises or co-location data centers to Azure without having to use the public Internet.

The advantages of ExpressRoute over VPN connections are higher bandwidth, lower latency, greater reliability because of redundancy, and better security. This service is charged by Microsoft and backed by an SLA. Depending on the bandwidth, a fixed price has to be paid. When outgoing network traffic exceeds a certain threshold, a cost per GB is charged.

Microsoft partners with cloud exchange service providers such as Equinix and TeleCity Group, who offer data center and infrastructure facilities for their customers. For connections between on-premises and Azure, Microsoft partners with point-to-site (P2S) connectivity service providers such as Level 3.

ExpressRoute is configured using the PowerShell ExpressRoute module or the REST API.

Most Microsoft Azure services can be accessed over an ExpressRoute connection. However, some services such as RemoteApp and Multi-Factor Authentication are not supported over ExpressRoute. Office 365 can also be used over ExpressRoute connections.

A single ExpressRoute connection can be shared by up to 10 other Azure subscriptions. Up to 10 virtual networks can be connected to an ExpressRoute connection.

The following figure shows the two deployment scenarios for ExpressRoute: either via a facility that offers an ExpressRoute entry point, or directly via a WAN connection from customer on-premises sites to Azure.


Connecting to Azure using a point-to-site VPN

When a connection to Azure is made over the Internet, two types of connections can be made:

· An S2S VPN connection: This connects the Microsoft Azure virtual network to an on-premises network over VPN

· A P2S VPN connection: This allows a secure VPN connection between a client device and Microsoft Azure

To set up a P2S connection, these high-level steps need to be performed:

1. Create a virtual network in Azure.

2. Define the address block for the clients.

3. Create a dynamic routing gateway.

4. Create certificates.

5. Export certificates and upload them to Microsoft Azure.

6. Download and install the VPN client software.

Note

At the time of writing this book, it is not possible to disable VPN access for a certain user. This is required, for example, when an employee leaves the company he or she works for. The only way to disable VPN access is by recreating certificates.

Creating a virtual network

Virtual networks are an essential component in Azure. They allow control over IP address assignment and allow connectivity to on-premises data centers.

Since May 2014, virtual networks created in different Azure regions can be connected to each other. This allows network traffic to travel over dedicated Microsoft connections instead of over S2S VPN connections. Also, virtual networks that are part of different Azure subscriptions can be connected to each other.

Perform the following steps to create a virtual network in Azure:

1. In the Azure Management Portal, select Networks in the left pane and click on New.

2. Select Quick Create.

3. Fill in a name using your naming convention.

4. Select an address space.

5. Select the appropriate affinity group.

6. Click on Create a virtual network.

The following screenshot shows the Quick Create window of a virtual network:


7. Once the virtual network is created, select the virtual network (called azurebook in our example) and then click on Configure.


8. Once you click on Configure, the screen shown in the following screenshot will appear:


9. Enable Configure point-to-site connectivity.

10. Click on SAVE at the bottom of the screen.

11. The next step is to create a virtual gateway. Select the Dashboard menu option at the top of the screen.


12. Select the Create Gateway button located at the bottom of the screen.

13. Select Yes for the question Do you want to create a virtual gateway?

Creating certificates

The next steps describe how to create certificates. Certificates are used as a way to authenticate clients to Microsoft Azure and are an alternative to account-based authentication.

Certificates can be created using a Public Key Infrastructure (PKI). If your organization does not use a PKI, you can use the makecert tool. This tool is part of the Windows SDK, which can be downloaded for free. It is also part of Visual Studio, and it can be downloaded separately as well.

If you use the Windows SDK, installation of the Windows Software Development Kit feature is sufficient. Uncheck the other features during setup to keep the installation base as small as possible.

First, we create a self-signed root certificate by performing the following steps:

1. Start a command prompt as administrator and create the self-signed root certificate with the following command (the values in angle brackets are placeholders for your own names):

   makecert -sky exchange -r -n "CN=<RootCertificateName>" -pe -sk <RootKeyName> -a sha1 -len 2048 -ss MyStore

2. The next step is to generate a client certificate, signed by the root certificate, with the following command:

   makecert.exe -n "CN=<ClientCertificateName>" -pe -sk <ClientKeyName> -sky exchange -m 96 -ss MyStore -in "<RootCertificateName>" -is MyStore -a sha1

3. Then, export the root certificate. Start the Microsoft Management Console on the client machine you used to create the certificates.

4. Add the Certificates snap-in and select the current user.

5. Then, go to the MyStore folder.

6. Select the root certificate (in our example this is named azurebook).

7. Click on the right mouse button, go to All tasks, and choose Export.

8. Click on Next.

9. Choose not to export the private key.

10. Select DER encoded binary X.509 CER file.

11. Select a folder and give the certificate a name.

The next step is to export the client certificate:

1. While still in the MMC, select the client certificate.

2. Click on the right mouse button, select All tasks, and choose Export.

3. Click on Next.

4. Select Yes, export the private key.

5. Accept options and click on Next.

6. Enable the password option and set the password.

7. Click on Next.

8. Select a folder and type in a filename.

The next step is to upload the root certificate to Azure:

1. Open the Azure Management Portal.

2. Select Networks in the left pane.

3. Select the network we created in the previous step.

4. Select the Certificates menu option.

5. Click on the UPLOAD A CERTIFICATE link shown at the bottom of the screen.
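The root-plus-client certificate procedure described above, as an added example that is not from the book, done with the PKI module's New-SelfSignedCertificate instead of makecert. It assumes the PKI module shipped with Windows 10 and Windows Server 2016 or later (older versions lack the -Signer and -TextExtension parameters); the subject names, the output folder C:\P2S, the validity periods and the use of sha256 are assumptions of this example, not values from the book.

```powershell
# Added example (not the book's code): self-signed root, client certificate
# signed by that root, root exported as DER .cer without private key, client
# exported as password-protected .pfx. Names, paths and lifetimes are assumed.

$store  = 'Cert:\CurrentUser\My'   # the "Personal" store the chapter exports from
$outDir = 'C:\P2S'                 # assumed output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Self-signed root certificate; only its public part is uploaded to Azure.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -FriendlyName 'P2S root (example)' `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation $store -KeyUsageProperty Sign -KeyUsage CertSign `
    -NotAfter (Get-Date).AddYears(5)

# 2. Client certificate signed by the root. The chapter's makecert client
#    certificate is valid for 96 months (-m 96); because the chapter notes that
#    VPN access can only be withdrawn by recreating certificates, a shorter
#    lifetime limits how long a lost or leaked client certificate stays usable.
#    The text extension sets the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
$client = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SClientCert-user1' -FriendlyName 'P2S client user1 (example)' `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation $store -Signer $root `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
    -NotAfter (Get-Date).AddMonths(12)

# 3. Export the root WITHOUT its private key as a DER .cer file (the file the
#    chapter uploads under the virtual network's Certificates tab).
Export-Certificate -Cert $root -FilePath (Join-Path $outDir 'P2SRootCert.cer') | Out-Null

# 4. Export the client certificate WITH its private key as a password-protected
#    .pfx for installation on the user's PC.
$pfxPassword = Read-Host -Prompt 'Password for the client .pfx' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir 'P2SClientCert-user1.pfx') `
    -Password $pfxPassword | Out-Null

# 5. Verify locally that the client certificate chains to the root before
#    handing it out; Azure accepts the client only if this chain holds.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.VerificationFlags =
    [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($client)) { throw 'Client certificate does not chain to the root' }

"Root thumbprint:   $($root.Thumbprint)"
"Client thumbprint: $($client.Thumbprint)"
```

Issue one client certificate per user (one subject per person, as in the example) rather than sharing a single client .pfx: when someone leaves, you at least know which certificate is outstanding, and with a short validity period its usefulness ends on its own even though, as the chapter's note explains, the only way to cut access immediately is to replace the root certificate in Azure.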


We're done with certificates. The only thing left to do is to download and install the VPN client software from Azure on the clients from which we want to set up our P2S VPN connection.

Installing the client certificate and downloading the VPN client

In this section, we will install the client certificate and the VPN client software.

1. Navigate to the folder on your client PC where the client certificate is stored, and double-click on the .pfx file.

2. This will start the import wizard. Select all the default options. Do not modify the installation location.

3. We need to download and install the VPN client software. Select the Dashboard menu option in the Network section of Azure Management Portal.


4. Select the download link for your client operating system. The supported operating systems are:

· Windows 7 (32-bit and 64-bit)

· Windows Server 2008 (64-bit only)

· Windows 8 (32-bit and 64-bit)

· Windows Server 2012 (64-bit only)

5. Next, we make a P2S connection to Microsoft Azure. In Windows 8, you can do that by clicking on the connections icon in the bottom-right corner.

6. Select the connection we created. In our example, it should be named azurebook:


7. Click on Connect.

We now have an operational VPN connection from a client into Microsoft Azure. This scenario is often used by developers who need access to their development environment in Azure without an S2S VPN in place.

Support on Microsoft Azure

You might have technical questions or run into issues related to Microsoft Azure. When using your own managed infrastructure, you can just walk over to the co-worker who is responsible for managing storage, applications, or the network. When using Microsoft Azure, the customer is not able to manage networking, storage, and compute, so you will have to request assistance from Microsoft.

Microsoft offers several levels of support:

· Free (included in the free trial period)

· Developer

· Standard

· Professional direct

· Premier

The free support is available for MSDN and evaluation-based subscriptions. However, this support is limited to questions on billing; requests to increase the quota on the number of cores per subscription are also handled.

To get technical issues solved that you cannot solve yourself, you will need a paid support subscription. Microsoft has outsourced the customer and technical support on Microsoft Azure to several companies, mostly located in India. One of them is Spectrum Consultants.

Also, operations and troubleshooting, including incident response, service updates, and security investigations, are being subcontracted. Here, most of the work is done by a contractor in India called Mindtree Consulting. Operations and troubleshooting on Microsoft Azure Active Directory is mostly done by US companies.

Set up Multi-factor Authentication in Microsoft Azure Management Portal

In the previous chapter, you learned that Microsoft Azure Management Portal is one of the ways to manage virtual machines, networks, and more. As the portal is accessible from the Internet, we want to make sure only those who are authorized have access to the portal.

The default authentication for the management portal is typing in an account name and password. In specific cases, this is not enough and two-way authentication is required; think about security-sensitive information. A combination of just an account name and password may not be secure enough, as attackers can guess credentials or use social engineering to obtain them.

Two-way authentication works by requiring any two or more of the following verification methods:

· Something you know (typically a password)

· Something you have (a trusted device that is not easily duplicated, such as a phone)

· Something you are (biometrics)

Microsoft Azure has several options to supply a token required for two-way authentication:

· Using an app on a mobile phone

· Using a mobile phone

· Using a smart card

Microsoft calls this service Multi-Factor Authentication (MFA), and it is charged separately. For customers of Azure Active Directory Premium, MFA is free for both on-premises and cloud-based users.

Multi-Factor Authentication can be used for both Azure-based services and on-premises resources. Customers can, for example, add an additional layer of security to their Microsoft Desktop Services by using MFA. To do so, an Azure Multi-Factor Authentication Server needs to be installed on-premises. Authentication is then redirected to Azure, and Azure MFA asks the user to enter a secret code or to press the # sign on a mobile phone.

One of the advantages of this cloud-based MFA over traditional solutions such as RSA is cost. Azure MFA is considerably cheaper than RSA and scales much better with the organization. If the organization grows, additional users can easily be enabled for MFA with a single click of the mouse; there is no need to purchase additional licenses and hardware tokens.

Let's have a look at how multi-factor authentication is enabled.

Configuring Multi-factor Authentication using a phone

Multi-Factor Authentication using a phone works as follows: the user authenticates to Microsoft Azure with a username and password, after which Microsoft Azure automatically calls the user. The user answers the phone, presses the # sign, and is then authenticated.

Multi-Factor Authentication is not free. Microsoft offers two billing options:

· Per enabled user: each unique user can authenticate an unlimited number of times per month.

· Per authentication: a number of authentications can be performed, independent of which users perform them.

Multi-Factor Authentication is free for Microsoft Azure Active Directory Global Administrators. To configure Multi-Factor Authentication, perform the following steps:

1. In Azure Management Portal, select Active Directory in the left pane.

2. Then select Multi-factor auth providers.

3. Create a new Multi-Factor Authentication provider. Fill in a name in the NAME field and set the USAGE MODEL to Per Enabled User or Per Authentication User. Then, select the Microsoft Azure Active Directory for which you would like to enable Multi-Factor Authentication.


4. Click on Create.

5. After creation, make sure the correct authentication provider is selected and click on the Manage button at the bottom of the screen.

6. The Azure Multi-Factor Authentication management screen is displayed. Close this window.

Enable a user for Multi-factor Authentication

In this section, we will discuss how to enable Multi-Factor Authentication for a user account. This will enable an additional challenge during authentication. This can either be filling in a passcode or pressing the # sign on a mobile phone.

Note

Keep in mind that it can take a couple of hours before a user account created in Microsoft Azure Active Directory shows up in the Multi-Factor Authentication window!

Enabling Multi-Factor Authentication consists of two parts: the administrator enables it for the account, and the user then logs in and completes the registration process. The administrator's part is performed as follows:

1. Select Active Directory in the left pane of Azure Management Portal.

2. Select the default directory.

3. Select User.

4. Click on the Manage multi-factor Auth button at the bottom of the screen.

5. Select the user accounts you would like to enable and click on Enable in the right pane.

6. Click on Enable multi-factor auth. The user account is now enabled.

7. Now, the user has to sign in to Azure Management Portal.

The administrator can set the user account to Enforced, which requires the user to configure Multi-Factor Authentication. This is done from a different portal, available at https://account.activedirectory.windowsazure.com/.

When the account has been set to Enforced, the next time the user logs in, they have to set up an additional authentication method, using one of these two methods:

· Using a mobile phone

· Using an app

When choosing a mobile phone, the user can select whether the code is delivered by SMS or by a phone call, and fills in the phone number. When SMS has been selected, the user receives a six-digit verification code and enters it in the browser. If the code is entered correctly, the account is enabled for Multi-Factor Authentication.

Each time the user wants to log in to Azure Management Portal, they will need to supply a password as well as a six-digit code that is sent by SMS to authenticate to Azure.

Enabling IP Whitelist

In specific situations, it can be inconvenient for users to perform Multi-Factor Authentication. When a request originates from your internal network, for example, there is no need for additional authentication. Azure allows you to whitelist ranges of IP addresses; requests originating from such an IP address are excluded from Multi-Factor Authentication.

To enable IP whitelist, log in to Azure Management Portal as an administrator and then perform the following steps:

1. Select Active Directory in the left pane.

2. Choose the directory for which IP Whitelist should be enabled.

3. Select Configure at the top of the window.

4. Select Manage service settings listed under Multi-factor authentication.

5. Under ip whitelist, enter the IP addresses in the boxes provided using CIDR notation. For example: xxx.xxx.xxx.0/24 for IP addresses in the range xxx.xxx.xxx.1 to xxx.xxx.xxx.254, or xxx.xxx.xxx.xxx/32 for a single IP address. You can enter up to 12 IP address ranges:
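A way to check, outside the portal, which sign-in sources a whitelist will exempt from MFA, as an added example that is neither the book's code nor anything the Azure portal provides: the functions below parse CIDR ranges in the notation the portal accepts and report whether a given source address would skip the second factor. The ranges and sample source addresses are constructed values; the limit of 12 ranges is the one the chapter states.

```powershell
# Added example (not from the book): evaluate an MFA IP whitelist offline so an
# administrator can see which sign-in sources will NOT be challenged.
# Whitelist ranges and sample addresses below are constructed, not real.

function ConvertTo-AddressNumber {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 addresses are handled in this example: $Address"
    }
    # GetAddressBytes() is most-significant byte first; fold it into one number
    $number = [long]0
    foreach ($b in $ip.GetAddressBytes()) { $number = ($number * 256) + [long]$b }
    return $number
}

function Test-IpInCidr {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$Cidr
    )
    $network, $prefixText = $Cidr -split '/', 2
    if (-not $prefixText) { $prefixText = '32' }   # bare address means a single host
    $prefix = [int]$prefixText
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Invalid prefix length in $Cidr" }
    $blockSize = [long][math]::Pow(2, 32 - $prefix)
    $mask = 4294967296 - $blockSize                 # e.g. /24 -> 0xFFFFFF00
    $networkNumber = (ConvertTo-AddressNumber $network) -band $mask
    $addressNumber = ConvertTo-AddressNumber $Address
    return (($addressNumber -band $mask) -eq $networkNumber)
}

function Get-MfaDecision {
    param(
        [Parameter(Mandatory)][string]$SourceAddress,
        [Parameter(Mandatory)][string[]]$Whitelist
    )
    # The portal accepts at most 12 ranges (as the chapter states); mirror that.
    if ($Whitelist.Count -gt 12) {
        throw "Azure accepts at most 12 whitelist ranges; $($Whitelist.Count) given"
    }
    foreach ($range in $Whitelist) {
        if (Test-IpInCidr -Address $SourceAddress -Cidr $range) {
            return [pscustomobject]@{ Source = $SourceAddress; MatchedRange = $range; MfaRequired = $false }
        }
    }
    return [pscustomobject]@{ Source = $SourceAddress; MatchedRange = $null; MfaRequired = $true }
}

# Constructed whitelist: one office /24 and one single-host /32
$whitelist = @('203.0.113.0/24', '198.51.100.17/32')
# Constructed sign-in sources: two inside the whitelist, two outside
$samples = @('203.0.113.45', '203.0.114.45', '198.51.100.17', '192.0.2.9')
$samples | ForEach-Object { Get-MfaDecision -SourceAddress $_ -Whitelist $whitelist } | Format-Table -AutoSize
```

The exemption is decided on the address Azure sees, so whitelisting an office's Internet egress address exempts every device behind that NAT, including guests and compromised machines on the internal network; keep the ranges as narrow as the sign-in paths allow and review them whenever the network changes.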


Multi-factor apps

Users can select to perform the multi-factor authentication using an app on their mobile phone. Apps for iOS, Android, and Windows mobile are available. Examples of apps are:

· Multi-factor authentication by PhoneFactor (free) for iOS and Android

· Google Authenticator app

In certain situations, for example, when there is no mobile phone coverage or the mobile phone is lost, the administrator can enable One-Time Bypass. This allows the user to authenticate with only the user account and password.

Introduction to System Center App Controller

One of the essential characteristics of cloud computing is that it provides a self-service portal. A self-service portal enables people with little or no IT knowledge to deploy virtual machines and the services running on them.

The on-premises self-service portal of Microsoft System Center is called App Controller. App Controller is a web-based tool that allows developers and non-IT staff to manage virtual machines on both private and public clouds.

App Controller is not a replacement for System Center Virtual Machine Manager or Azure Management Portal. It is limited to provisioning new virtual machines and the target audience is certainly not system administrators.

The target audience for App Controller is application developers, application owners, and other roles that need to roll out applications but cannot be given full control of Virtual Machine Manager.

In the R2 release, App Controller misses some features that are available in SCVMM or Azure Management Portal. There is no indication of costs, and App Controller does not suggest which cloud is most appropriate for the placement of virtual machines. An approval workflow, which would let a manager or administrator approve the creation of an object such as a cloud or virtual machine, is also missing. When you need this kind of functionality, you need to explore other products within the System Center suite, such as Service Manager and Orchestrator.

The main purpose of App Controller is to provide a common Windows Graphical User Interface delivering a single and consistent pane of glass for management of both public and private clouds.

Also, it provides the possibility to copy virtual machines from your on-premises private cloud to Microsoft Azure or a service provider. At the moment, this copy involves downtime.

For access to Azure, App Controller communicates with the Microsoft Azure REST API. To be able to access SCVMM, App Controller needs to have a local installation of the SCVMM console on the server where you are running App Controller.

To access System Center managed clouds hosted by service providers, the Service Provider Foundation (SPF) software is accessed. SPF is a component of System Center and is installed by service providers to empower their tenants with self service capabilities.

To be able to install App Controller, we first need to install System Center Virtual Machine Manager. Virtual Machine Manager requires a SQL Server database; as SQL Server is required in almost any Active Directory environment anyway, we need to make sure it is available as well.

App Controller is a web-based application that uses Microsoft Silverlight. This means App Controller cannot be used with, for instance, the Safari browser on iPad and iPhone, as Safari does not support Microsoft Silverlight.

In this section, you will learn about the following tasks:

· Installing App Controller

· Connecting App Controller to Virtual Machine Manager

· Connecting App Controller to Microsoft Azure

Prerequisites

The installation prerequisites for App Controller 2012 R2 are:

· Virtual Machine Manager console installed on the App Controller server

· WCF Data Services 5.0

· Web Server IIS Role and Role Services

Log in using your domain user account that is a member of the SCVMMAdmins group (this is a group you created when you installed SCVMM and will ensure you have rights to SCVMM) and then perform the following steps:

1. Click on Install.


2. On the next screen, type in the product key. You can skip this if you are evaluating App Controller.

3. On the next screen, make sure that you have read and agree with the terms of the license agreement.

4. The installation wizard checks whether the server has the Web Server role and Role Services installed. If not, they are installed automatically. The installer also checks whether WCF Data Services is installed and, if not, installs it automatically as well.


5. Next, select the installation path.

6. Now, choose the account that is used for the App Controller service.


To add or configure server certificates, use the server certificates feature in IIS Manager.

If you use a self-signed certificate, the certificate must be added to the Trusted Root Certification Authorities store of all computers that will access the App Controller website. Some browsers will fail to display App Controller if the certificate is not trusted.

Tip

It is highly recommended that you use a certificate from a trusted certification authority instead of using a self-signed certificate in production environments.


7. Next, configure the SQL database. Select the server where the SQL server is running for your App Controller installation, or set localhost when the SQL server is running on the same server as App Controller will be installed on. Leave the Port field empty.


8. Choose if you want to participate in the Customer Experience Improvement Program or not, and select whether you want to use Microsoft Update to update App Controller.

9. Confirm the settings and click on the Install button.

Using App Controller

After the installation is done, we are ready to start exploring App Controller. The following software is required on the machine from which you open the App Controller web console:

· One of Windows 7, Windows 8, Windows Vista, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 R2

· A 32-bit browser that supports Silverlight 5

· Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10

In your browser, type the Fully Qualified Domain Name (FQDN) associated with the IP address you typed in during the installation of App Controller. Be sure to use https in the URL.

Any user account that has the administrator role in SCVMM has access to App Controller.

User roles in App Controller

There are two types of user roles in App Controller:

· Administrator: Members of the administrators user role can perform all administrative actions on all App Controller objects. This is a built-in group and cannot be deleted or renamed. Virtual Machine Manager administrators in connected Virtual Machine Manager servers are not automatically added to the App Controller administrators user role. During setup, this role is automatically populated with all supported users and groups in the local administrators group of the computer on which App Controller is installed.

· Self-service user: Administrators can create one or more self-service user roles in which to delegate user access to Windows Azure subscriptions or hosting service providers. Self-service users can deploy and manage services only to Windows Azure subscriptions or hosting service providers to which they have access. Additionally, Self-service user roles can be designated as read-only for the specified scope.

As App Controller is meant to be used by non-system administrators you will have to create some dedicated Active Directory security groups. In this section, we will show you how to do that. The names used in this example are just that, examples. When other naming conventions are used within your environment, be sure to adhere to those policies.

To be able to use user roles in App Controller we perform the following steps:

1. Create a global security group in your Active Directory named appcontroller-users.

2. Create a user account named appcontroller-user1 and make this a member of the appcontroller-users group.

3. Start the SCVMM console and log in with a user account that has the administrator role in SCVMM.

4. Select Settings in the left pane, and then Security.

5. Select Create User role from the top menu.

6. Provide a name, for example, appcontroller-users.

7. Provide a description, for example, allow use of App Controller and manage VMs of cloud name 'testcloud'.

8. Click on Next.

9. Select Application Administrators as the user role profile.

10. Click on Next.

11. Select the global security group appcontroller-users created in the first step.

12. Click on Next.

13. Select the scope of the user role. The scope is the clouds the user role should be allowed to consume resources from.

14. Click on Next.

15. Optionally, set quotas.

16. Select the allowed networks.

17. Click on Next.

18. Set which resources can be used and press Next.

19. Set the allowed action for this user role.

20. Click on Next.

21. Set the Run As accounts.

22. Click on Next.

23. Click on Finish.

Now, when the user with the account appcontroller-user1 authenticates to App Controller, they will be able to perform all the actions you allowed on the private cloud managed by SCVMM. However, to be able to use the Azure cloud, we first need to connect to Azure.

Connecting App Controller to Virtual Machine Manager

After we connect to the App Controller website, we can connect to System Center Virtual Machine Manager by performing the following steps:

1. In App Controller, click on Connect to a Virtual Machine under Private Clouds.

2. Fill in a connection name. Make sure this name makes sense as it is used at several places in App Controller, for example, private cloud New York or something similar.

3. Fill in a description.

4. Fill in the FQDN of the SCVMM server.

5. Click on OK.

The following screenshot shows the input mentioned in the preceding steps:


There is a checkbox in the connection screen, Automatically import SSL certificates, that should be selected. It allows you to copy the needed files and templates to and from a Virtual Machine Manager server, and it also lets you easily copy resources between different Virtual Machine Manager server environments and libraries, which supports the IT process of moving a service from development to test to production, for instance.

Today, you can't define a service in Virtual Machine Manager or Windows Azure that spans both clouds, so you can't define a service template in Virtual Machine Manager that also creates VMs in Azure at the time of deployment. The Virtual Machine Manager server and the App Controller server need to be in the same domain or in domains with a two-way trust established. It is also strongly recommended, although not required, that a Virtual Machine Manager administrator is also an App Controller administrator.

If all goes well you will be able to see virtual machines managed by your SCVMM server.

Connecting App Controller to Microsoft Azure

To connect App Controller to Microsoft Azure, you need a self-signed certificate. These certificates are required for many scenarios such as when using Azure as a storage location for offsite Windows backups.

There are two ways to create self-signed certificates:

· Using the Microsoft makecert tool

· Using Internet Information Server (IIS)

In this section, you will learn how to use IIS to create self-signed certificates.

Using IIS to create self-signed certificates

In this section, you will learn how to create self-signed certificates using IIS. To do so, please perform the following steps:

1. Install the IIS Management console feature on a Windows server or Windows 8 system. IIS Manager has already been installed on the server where you installed App Controller.

2. Once it is installed, open IIS Manager.

3. Double-click on Server Certificates.

4. In the Actions pane on the right, select Create Self-Signed Certificate.

5. Specify a friendly name.

6. Make sure the Personal certificate store is selected.

7. Click on OK.


Next we need to export the certificate to a .pfx file. To do so, perform the following steps:

1. Select the certificate created in the previous step.

2. Select Export in the right pane.

3. Select a folder to store the exported certificate in and type in a password.


In the following step, we create a .cer file that we are going to upload to Microsoft Azure.

4. Run certmgr.msc and select the folder named Personal.

5. Right-click on the folder name, and select Import under All tasks.

6. The certificate import wizard starts. Select Next.

7. Navigate to the folder in which you stored the certificate, and make sure that the file type is set to Personal Information Exchange.


8. Type in the password for the certificate and click on Next.

9. Save the certificate in the Personal store. Click on Next.

10. Click on Finish.

11. Now, select the certificate we just imported. It is under the Personal store. The Friendly name is displayed as typed in at step 4.

12. Right-click on this certificate and select Export under All tasks.

13. Keep all the default values (such as DER encoded) and store the exported certificate in a folder.

Uploading the certificate to Microsoft Azure

Now we need to upload the certificate we just created to Microsoft Azure; the steps are as follows:

1. Open Azure Management Portal and select Settings in the left pane.

2. Then, select MANAGEMENT CERTIFICATES in the upper menu.

3. Then press UPLOAD in the lower menu.


4. Select the .cer file and click on the OK button.

If the upload succeeds, you will see a certificate listed in Management Portal.

Configure App Controller to connect to Microsoft Azure

The final step is configuring App Controller to connect to Microsoft Azure. To do so, we need the subscription ID. There are various ways to get the subscription ID, for instance:

1. In Azure Management Portal, navigate to Settings | Subscriptions.

2. Copy the subscription ID.

3. Now, open App Controller and select Connect a Windows Azure Subscription.


4. Fill in the name and description of the connection. The name will be shown in App Controller when a cloud is selected.

5. Then, paste the subscription ID taken from Azure Management Portal.

6. Select the .PFX certificate we created in the previous steps and fill in the password associated with this certificate.

7. Click on OK.


If all went well, we now have a connection with Azure and we are ready to use App Controller to manage Azure resources such as virtual machines.

Authenticating a user to use Microsoft Azure

If a user account that does not have the SCVMM administrator user role authenticates to App Controller, it will not be able to access resources in Microsoft Azure.

App Controller will display No access to public clouds. What we need to do is add Active Directory users to User Roles in App Controller by performing the following steps:

1. In App Controller, go to Settings | User Roles.

2. Click on New.

3. Fill in the user role name.

4. Fill in the description.

5. Select the Active Directory users who should be part of this user role. We take the same AD group as in the previous sections: appcontroller-users.

6. Scroll down, select the scope, and click on OK.


Users are now able to create, modify, and manage virtual machines in Microsoft Azure.

Note that Microsoft Azure does not have multiple user roles. Each user with access to Management Portal has administrative rights, which means full control.

This means that if a single Azure subscription contains virtual machines managed by different departments in an organization, you might want to create a separate subscription for each environment.

Using App Controller

In this section, I will give a quick tour of using App Controller. In the left pane, you will see the menu items shown in the following screenshot:

Using App Controller

The various menu items are described as follows:

· The Overview menu item has a dashboard function. It shows the clouds that App Controller is connected to.

· The Clouds menu item allows connecting to SCVMM, Microsoft Azure, or to clouds running the Microsoft Azure Pack. It is also used to create cloud services in Microsoft Azure.

· The Services menu item allows deploying services. A service is a collection of one or more virtual machines that together provide an application. When creating a service you will be presented with a diagram that guides you through the process: it asks which cloud to use, which images/disks, which cloud service, and which virtual network, and it presents a wizard to create a new virtual machine.

· The Virtual Machines menu item allows virtual machines to be started or stopped. Also, properties such as size, availability set, and disks can be modified. You can also edit the endpoints. Unlike the Azure Management Portal, App Controller does not have the ability to edit Access Control Lists of endpoints.

· The Library menu item allows the management of disks and images.

· The Jobs menu shows an overview of jobs submitted in App Controller and the status of these jobs.

· The Settings menu item allows creating new connections to clouds, managing Azure subscriptions and managing user roles.

Deploying a virtual machine using App Controller

The deployment of a virtual machine using App Controller is very easy. Follow these steps:

1. Select Virtual Machines in the left pane.

2. Select Deploy.

3. You will be presented with a deployment diagram. Click on the blue link and select/fill in the requested items.

4. When ready, click on Deploy.

Have a look at the following deployment diagram:

Deploying a virtual machine using App Controller

Uploading files to Microsoft Azure

App Controller can be used to upload and download files between data centers on-premises, Azure, and service providers. To do this, select the Library menu item in the left pane. You can browse the various locations for storage of templates, images, disks, and VHD files.

Suppose you have created a VHD file on your local system; you can upload that VHD to Azure by performing the following steps:

1. Create a new file share on the system containing the .vhd file.

2. After creating the share, select it and navigate to the folder that holds the .vhd file.

3. Select the .vhd file, right-click on it, and select Copy.

4. Browse to the destination of the .vhd. This could be a vhd folder on Azure.

5. Right-click somewhere in the destination folder and select Paste.

6. Now the .vhd file will be uploaded to Microsoft Azure or a service provider.
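For the same task without App Controller, the classic Azure PowerShell module (current at the time of the book) offers Add-AzureVhd. The following is an added example, not from the book, that checks the local file actually is a VHD before transferring it and then uploads it to a storage container; the storage account name, container, subscription name and local path are placeholders.

```powershell
# Added example (not from the book): validate a local VHD and upload it to Azure blob
# storage with the classic Azure PowerShell module, as an alternative to the App Controller
# copy/paste procedure. All names below are placeholders.
$localVhd       = 'C:\VHDs\webserver.vhd'
$storageAccount = 'mystorageaccount'
$container      = 'vhds'
$blobName       = Split-Path $localVhd -Leaf
$destination    = "https://$storageAccount.blob.core.windows.net/$container/$blobName"

# Sanity checks before pushing gigabytes over the wire.
if (-not (Test-Path $localVhd)) { throw "File not found: $localVhd" }
if ([IO.Path]::GetExtension($localVhd) -ne '.vhd') { throw 'Azure expects .vhd, not .vhdx' }

# Every VHD (fixed or dynamic) ends with a 512-byte footer whose first 8 bytes are the
# ASCII cookie 'conectix'. Reading it catches renamed ISOs, partial downloads and the like.
$stream = [IO.File]::OpenRead($localVhd)
try {
    $footer = New-Object byte[] 512
    $stream.Seek(-512, [IO.SeekOrigin]::End) | Out-Null
    $stream.Read($footer, 0, 512) | Out-Null
} finally {
    $stream.Close()
}
$cookie = [Text.Encoding]::ASCII.GetString($footer, 0, 8)
if ($cookie -ne 'conectix') { throw "Not a VHD: footer cookie is '$cookie'" }

# Authenticate interactively and select the subscription that owns the storage account.
Add-AzureAccount
Select-AzureSubscription -SubscriptionName 'My Subscription'   # placeholder

# Upload the file as a page blob; NumberOfUploaderThreads parallelizes the transfer.
Add-AzureVhd -Destination $destination -LocalFilePath $localVhd -NumberOfUploaderThreads 8
```

The footer check is cheap and worth keeping in any upload script: a file that is not a valid VHD is rejected by Azure only after the transfer has consumed time and egress bandwidth.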

Installing the Windows PowerShell module for App Controller

The procedures in this section will describe how to install the Windows PowerShell Module for App Controller.

Before you begin the installation of the Windows PowerShell module for App Controller, ensure that you have a computer with a supported version of Windows PowerShell installed or enabled.

Membership in the local administrators group, or equivalent, on the computer that you are configuring is the minimum requirement to complete this procedure.


To install the Windows PowerShell module for App Controller, perform the following steps:

1. On your installation media, right-click on setup.exe and then click on Run as administrator.

2. On the main setup page, click on Install Windows PowerShell module for App Controller.

3. On the End-User License Agreement page, review the license terms, select the I accept the terms in the License Agreement checkbox, and then click on Next.

4. Click on Install to install the Windows PowerShell Module for App Controller.

5. Verify the installation results and then click on Finish.

The Windows PowerShell module allows automated tasks to be performed on App Controller. The module contains about two dozen cmdlets. The PowerShell module is, at the time of writing, quite limited in use. It is likely that Microsoft will extend the functionality.

PowerShell for App Controller can be started in two ways:

1. On the server on which App Controller is installed, navigate to Start | All Programs | Microsoft System Center 2012 R2 | App Controller | App Controller PowerShell.

2. You can import the App Controller module into an open Windows PowerShell session using the Import-Module -Name AppController command.

To get an overview of available cmdlets, execute the following command:

Get-Command -Module AppController


Summary

In this chapter, you learned how to connect Azure to the on-premises infrastructure. You also learned how to install System Center App Controller to enable users to use resources in various clouds.

In the next chapter, we will focus on the operational aspects of virtual machines. You will learn how to manage virtual machines, cost management, and automation using PowerShell.