Shaun Xu

The Sheep-Pen of the Shaun



Shaun, the author of this blog is a semi-geek, clumsy developer, passionate speaker and incapable architect with about 10 years’ experience in .NET and JavaScript. He hopes to prove that software development is art rather than manufacturing. He's into cloud computing platform and technologies (Windows Azure, Amazon and Aliyun) and right now, Shaun is being attracted by JavaScript (Angular.js and Node.js) and he likes it.

Shaun is working at Worktile Inc. as the chief architect for the overall design and development of worktile, a web-based collaboration and task management tool, and lesschat, a real-time communication aggregation tool.

 

With the new release of the Windows Azure platform there are a lot of new features available. In my previous post I briefly introduced one of them, remote desktop access to Azure virtual machines. Now I would like to talk about another cool feature – Windows Azure Connect.

 

What’s Windows Azure Connect

I would like to quote the definition of Windows Azure Connect from MSDN:

With Windows Azure Connect, you can use a simple user interface to configure IP-sec protected connections between computers or virtual machines (VMs) in your organization’s network, and roles running in Windows Azure. IP-sec protects communications over Internet Protocol (IP) networks through the use of cryptographic security services.

There’s also an image available on MSDN that I would like to reproduce here:

IC448757

As we can see, with Windows Azure Connect, Worker Role 1 and Web Role 1 are connected to the development machines and database servers, some of which are inside the organization and some of which are not.

With Windows Azure Connect, roles deployed in the cloud can consume resources located inside our intranet or anywhere in the world. That means the roles can connect to a local database and access local shared resources such as shared files, folders and printers.

 

Difference between Windows Azure Connect and AppFabric

It may seem that Windows Azure Connect duplicates Windows Azure AppFabric. Both aim to solve the problem of how to communicate between resources in the cloud and resources inside the local network. The table below lists the differences as I understand them.

Category | Windows Azure Connect | Windows Azure AppFabric
Purpose | An IP-sec connection between the local machines and Azure roles. | An application service running on the cloud.
Connectivity | IP-sec, domain-joined | Net Tcp, Http, Https
Components | Windows Azure Connect Driver | Service Bus, Access Control, Caching

Usage (Windows Azure Connect):
  • Azure roles connect to a local database server.
  • Azure roles use local shared files, folders and printers, etc.
  • Azure roles join the local AD.

Usage (Windows Azure AppFabric):
  • Expose a local service to the Internet.
  • Move the authorization process to the cloud.
  • Integrate existing identities such as Live ID, Google ID, etc. with existing local services.
  • Utilize the distributed cache.

 

Here are also some scenarios showing which of them should be used.

Scenario | Connect | AppFabric
I have a service deployed in the Intranet and I want people to be able to use it from the Internet. | | Y
I have a website deployed on Azure that needs to use a database deployed inside the company, and I don’t want to expose the database to the Internet. | Y |
I have a service deployed in the Intranet that uses AD authorization. I have a website deployed on Azure which needs to use this service. | Y |
I have a service deployed in the Intranet, and some people on the Internet can use it but need to be authorized and authenticated. | | Y
I have a service in the Intranet and a website deployed on Azure. This service can be used from the Internet, and the website should be able to use it as well, with AD authorization for more functionality. | Y | Y

 

How to Enable Windows Azure Connect

OK, we have talked a lot about Windows Azure Connect and how it differs from Windows Azure AppFabric. Now let’s see how to enable and use Windows Azure Connect. First of all, since this feature is in the CTP stage, we have to apply before using it. On the Windows Azure Portal we can see the status of our CTP features under the Home, Beta Program page.

image

You can send the application to join the Beta Programs to Microsoft from this page. After a few days Microsoft will send an email to you (to the email address of your Live ID) when it’s available.

In my case we can see that Windows Azure Connect has been activated by Microsoft, so we can click the Connect button on top, or click the Virtual Network item in the left navigation bar.

 

The first thing we need to do, if it’s our first time entering the Connect page, is to enable Windows Azure Connect.

image

After that we can see our Windows Azure Connect information on this page.

image

 

Add a Local Machine to Azure Connect

As we explained above, Windows Azure Connect can make an IP-sec connection between local machines and Azure role instances. So we first add a local machine to our Azure Connect. To do this we click the Install Local Endpoint button on top, and the portal gives us a URL. Copy this URL to the machine we want to add and it will download the software for us.

image

This software is installed on the local machines that we want to join to the Connect. After installation a tray icon appears to indicate that this machine has joined our Connect.

image

image

The local application refreshes against the Windows Azure Platform every 5 minutes, but we can click the Refresh button to retrieve the latest status at once. Currently my local machine is ready to connect, and we can see it in the Windows Azure Portal if we switch back to the portal and select the Activated Endpoints node.

image

 

Add a Windows Azure Role to Azure Connect

Let’s create a very simple Azure project with a basic ASP.NET web role inside. To make it available on Windows Azure Connect, we open the properties of this role in the Azure project from the Solution Explorer in Visual Studio, select the Virtual Network tab, and check Activate Windows Azure Connect.

The next step is to get the activation token from the Windows Azure Portal. On the same page there is a button named Get Activation Token. Click this button and the portal will display the token.

image

We copy this token and paste it into the box on the Visual Studio tab.

image

Then we deploy this application to Azure. After the deployment completes we can see the role instance listed in the Windows Azure Portal - Virtual Connect section.

image

 

Establish the Connect Group

The final task is to create a connect group which contains the machines and role instances that need to be connected to each other. This can be done very easily in the portal.

The machines and instances will NOT be connected until we create a group for them. Machines and instances can be used in one or more groups.

In the Virtual Connect section, click the Groups and Roles node in the left navigation bar and then click the Create Group button on top. This brings up a dialog. We need to specify a group name and description, and then select the local computers and Azure role instances to add to this group.

image

After the Azure Fabric has updated the group settings we can see the groups and the endpoints on the page.

image

And if we switch back to the local machine we can see that the tray icon has changed and the status has turned to connected.

image

Windows Azure Connect updates the group information every 5 minutes. If you find the status is still Disconnected, right-click the tray icon and select the Refresh menu to retrieve the latest group policy and get connected.

 

Test the Azure Connect between the Local Machine and the Azure Role Instance

Now our local machine and Azure role instance are connected. This means each of them can communicate with the other at the IP level. For example, we can open the SQL Server port so that our Azure role can connect to it by using the machine name or the IP address.

Windows Azure Connect uses IPv6 to connect local machines and role instances. You can get the IP address from the Windows Azure Portal Virtual Network section when you select an endpoint.

I don’t want to walk through a full example of how to use Connect, but I would like to run two very simple tests. The first one is PING.

 

When a local machine and a role instance are connected through Windows Azure Connect, we can PING either of them if we have opened the ICMP protocol in the firewall settings. To do this we need to run a command before the test. Open a command window on the local machine and on the role instance, and execute the following command:

netsh advfirewall firewall add rule name="ICMPv6" dir=in action=allow enable=yes protocol=icmpv6

Thanks to Jason Chen, Patriek van Dorp, Anton Staykov and Steve Marx, who helped me enable the ICMPv6 setting. For the full discussion, please visit here.

image

You can use the Remote Desktop Access feature to log on to the Azure role instance. Please refer to my previous blog post to learn how to use Remote Desktop Access in Windows Azure.

Then we can PING the machine or the role instance by specifying its name. Below is the screen where I PING my local machine from my Azure instance.

image

We can use the IPv6 address to PING each other as well. In the following image I PING my role instance from my local machine through the IPv6 address.

image
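The firewall step above, as an added example that is not part of the original post: the rule shown in the post allows every ICMPv6 message type from any source, so this PowerShell variant allows only echo requests from one Connect peer, shows the resulting rule, runs the PING test and removes the rule afterwards. The rule name and the peer address placeholder are assumptions; the address comes from the portal as described above.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# prompt on the local machine and on the role instance.

# Placeholder: the IPv6 address of the other endpoint, as shown in the portal's
# Virtual Network section when the endpoint is selected.
$peer = '<peer-connect-ipv6-address>'

# Hypothetical rule name, kept free of spaces so it passes through to netsh as-is.
$ruleName = 'ConnectPeer-ICMPv6-Echo'

# Allow only ICMPv6 echo request (type 128, any code) and only from the peer,
# instead of all ICMPv6 traffic from any address.
netsh advfirewall firewall add rule name=$ruleName dir=in action=allow `
    enable=yes protocol=icmpv6:128,any remoteip=$peer

# Confirm what was actually created: protocol, type/code, remote address, profiles.
netsh advfirewall firewall show rule name=$ruleName verbose

# Run the test from this side (-6 forces IPv6, -n 4 sends four echo requests).
ping -6 -n 4 $peer

# Remove the rule once the connectivity test is finished.
netsh advfirewall firewall delete rule name=$ruleName
```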

 

Another example I would like to demonstrate here is folder sharing. I shared a folder on my local machine, and if we log on to the role instance we can see the folder content in the file explorer window.

image

 

Summary

In this blog post I introduced another new feature – Windows Azure Connect. With this feature our local resources and role instances (virtual machines) can be connected to each other. In this way our Azure application can use local resources such as database servers, printers, etc. without exposing them to the Internet.

 

Hope this helps,

Shaun

All documents and related graphics, codes are provided "AS IS" without warranty of any kind.
Copyright © Shaun Ziyan Xu. This work is licensed under the Creative Commons License.

 

Thanks to all the people who attended my session at TechED 2010 on the 2nd of Dec in Beijing. I have uploaded my presentation (in Chinese) and the demo code here.

As I said in my session, please feel free to email me (shaun@ethos.com.cn) if you have any questions about the Windows Azure platform. And please have a look at my company’s website (www.ethos.com.cn) if you are interested.

 

Hope this helps,

Shaun


 


 

The Windows Azure Team has just published their new development portal this week along with SDK 1.3. Within this new release there are a lot of cool features available. The one I’m looking forward to is Remote Desktop Access to your running Windows Azure Virtual Machine.

 

Configuring Remote Desktop Access

It is very simple to enable remote desktop access for an Azure service. First of all let’s create a new Windows Azure project in Visual Studio. In this example I just created a normal MVC 2 web role without any modifications. Then we right-click the Azure project node in the Solution Explorer window and select “Publish”.

image

Then let’s select the “Deploy your Windows Azure project to Windows Azure” radio button at the top, and select the credential, deployment service/slot, storage and label as usual.

You must have the Management API certificate uploaded to your Windows Azure account, and have the certificate installed on your machine beforehand, in order to use this one-click deployment feature.

If you are familiar with this dialog you will notice that there’s a link named “Configure Remote Desktop connections”. This is where you enable the remote desktop feature for this service.

image

After clicking this link we set the authorization information for remote desktop access. There are 4 steps we need to do to configure our access.

  • Certificates: We need to either create or select a certificate file in order to encrypt the access credentials. In this example I will use the certificate file for my Management API.
  • Username: The remote desktop user name used to access the virtual machine.
  • Password: The password for the access.
  • Expiration: The access credentials expire after 1 month by default, but we can amend this here.

After that we click the OK button to go back to the publish dialog.

image

 

The next step is to go back to the new Windows Azure portal and navigate to the hosted services list. I created a new hosted service and uploaded the certificate file to this service. The user name and password used to access the Azure machine must be encrypted on the local machine, sent to the Windows Azure platform, and then decrypted on the Azure side with the same certificate file. This is why we need to upload the certificate file to Azure.

We navigated to “Hosted Services, Storage Accounts & CDN” in the left panel, created a new hosted service named “SDK13” and selected the “Certificates” node. Then we clicked the “Add Certificates” button.

image

Then we select the local certificate file and enter its password to install it into this Azure service.

image
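Why the hosted service needs the certificate together with its private key, as an added example that is not from the original post or from the Azure tooling: a value encrypted to a certificate can be produced with the public part alone, but can only be decrypted where the private key is present. CMS enveloped data is used here for illustration only, since the post does not say which format the tooling uses; the subject name, file name and sample password are constructed.

```powershell
# Added example (not from the original post). Requires Windows PowerShell 5.0+.
# All names and values below are constructed for the demonstration.

# 1. Create a throwaway certificate with a private key in the current user's store.
$cert = New-SelfSignedCertificate -Subject 'CN=RdpCredentialDemo' `
    -Type DocumentEncryptionCert -KeyUsage KeyEncipherment, DataEncipherment `
    -CertStoreLocation Cert:\CurrentUser\My

# 2. Export only the public part (.cer). This is all the encrypting side needs.
$cerPath = Join-Path $env:TEMP 'RdpCredentialDemo.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 3. Encrypt a sample password to the certificate's public key.
$protected = Protect-CmsMessage -To $cerPath -Content 'Constructed-Sample-Passw0rd'

# 4. Decryption works here because the matching private key is in the store.
$roundTrip = Unprotect-CmsMessage -Content $protected
"Decrypted with the private key present: $roundTrip"

# 5. Remove the certificate and its key. The same ciphertext can no longer be
#    decrypted, which is the position of any machine that never received the key.
Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
try {
    Unprotect-CmsMessage -Content $protected -ErrorAction Stop
} catch {
    "Decryption without the private key failed: $($_.Exception.Message)"
}

# Clean up the exported public certificate.
Remove-Item $cerPath
```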

 

The final step is to go back to Visual Studio and click the OK button in the publish dialog. Visual Studio will upload our package and the configuration, including the remote desktop settings, to our service.

image

 

Remote Desktop Access to Azure Virtual Machine

With everything done, let’s look back at the Windows Azure Development Portal. If I select the web role that I have just published, we can see a section named “Remote Access” on the toolbar. In this section the Enable checkbox is checked, which means this role has the Remote Desktop Access feature enabled.

image

If we want to modify the access credentials we can simply click the Configure button. Then we can update the user name, password, certificates and the expiration date.

image

 

Let’s select the instance node under the web role. In this case I just created one instance for the demo. We can see that when we select the instance node, the Connect button becomes enabled.

image

After clicking this button an RDP file is downloaded. This is a Remote Desktop configuration file that we can use to access our Azure virtual machine. Let’s download it to our local machine and execute it.

image

We enter the user name and password we specified when we published our application to Azure and then click OK.

A certificate warning dialog might appear. This is because the certificate we use for encryption is not signed by a trusted provider. Just select OK in this case, as we know the certificate is safe for us.

image

Finally, the virtual machine of Windows Azure appeared.

image

 

A Quick Look into the Azure Virtual Machine

Let’s just have a very quick look into our virtual machine. There are 3 disks available for us: C, D and E.

  • Disk C: Stores the local resources, diagnostics information, etc.
  • Disk D: System disk which contains the OS, IIS, .NET Frameworks, etc.
  • Disk E: Stores our application code.

image

The IIS instance which hosts our website on Azure.

image

The IP configuration of the azure virtual machine.

image

 

Summary

In this post I covered one of the new features of the Azure SDK 1.3 – Remote Desktop Access. We can set the access per service, and all of the instances of this service can be accessed through the remote desktop tool. With this feature we can dig into the virtual machines of our instances to see inner information such as system events, IIS logs, system information, etc.

But we should be careful when modifying the system settings, for 2 reasons that I know of for now:

1. If we have more than one instance of our service we should ensure that all system settings we modified are applied to all instances/virtual machines. Otherwise, as the machines are behind the Azure load balancer, our application may not work due to the different settings between the instances.

2. When the virtual machine encounters a problem and needs to be moved to another physical machine, all settings we made will disappear.

 

Hope this helps,

Shaun
