This is part three in a four-part series that walks through a scenario in which the modern IT department in the medium and large enterprise treats internal business units as tenants (or customers) of a central IT department. There are four articles that describe this scenario, built using Microsoft System Center 2012 Service Pack 1 and Windows Server 2012 (the last article is still to come):

The last two posts are alternative ways to consume cloud capacity in the Microsoft solution. You don’t need App Controller to use WASWS. App Controller is a web-based application that runs on premise or in your private cloud, and connects you to:

  • Your local Microsoft private clouds using an SCVMM connection, and to
  • Windows Azure public cloud, and
  • Remotely to Microsoft private clouds using Service Provider Foundation (SPF).

In contrast, WASWS is a web portal hosted by a service provider that interacts directly with the service provider’s SCVMM and does not require SPF. The last article in the series will cover WASWS.

Prepare the service provider private cloud using SPF

In this third article in the series, we will cover adding a service provider’s private cloud to the tenant’s App Controller instance, and then deploy a virtual machine into the private cloud. We are going to focus on how the service provider and tenant interact to connect the private cloud to the tenant’s infrastructure. The back-end technology used, which is new to System Center 2012 SP1, is Service Provider Foundation (SPF).

SPF is installed from the System Center 2012 SP1 Orchestrator installation media and consists of a web service and PowerShell modules. You administer SPF using PowerShell; there is no built-in user interface. The tenant makes an SSL connection over the Internet from an on-premise instance of App Controller to the service provider's instance of SPF. Authentication is based on a certificate that the tenant provides.

The SPF model introduces the stamp as its administrative scaling unit. Normally there is a 1:1 correspondence between instances of SCVMM and stamps. Since a single instance of SCVMM can manage several hundred hosts, a stamp can support thousands of virtual machines (VMs), organized into administrative management units called clouds, with up to about 450 VMs per cloud. For example, the following PowerShell command creates a stamp named TechRepublicStamp that is based on the SCVMM server named scvmm-srv1.techrepublic.local:

Set-SCSPFStamp -Stamp "TechRepublicStamp" -Servers SCVMM-srv1.techrepublic.local

Create the tenant account in SPF

The tenant account is created manually in the SPF database by the service provider running some PowerShell. The service provider requires the tenant to create or purchase a certificate and provide the public key to the service provider. (The link for more information “Create Tenant Certificate” at the bottom of this article has tips on how to create a self-signed certificate.)

There are a few ways to create the tenant account with the New-SCSPFTenant PowerShell cmdlet. Figure A is a Microsoft code example that lists a sequence of PowerShell cmdlets to create a tenant named ‘ADatum’ using a DER-encoded binary .CER file provided by the tenant. Figure B is a screenshot of PowerShell creating a tenant named ‘Carmine’ with a single cmdlet using a pasted Base64 copy of the public key, and storing the tenant ID as a variable ($tenant).

Figure A

Creating an SPF tenant using a DER-encoded .CER public key file supplied by the tenant. (Click images to enlarge.)

Figure B

Create an SPF tenant using pasted Base64 certificate public key data from the tenant.

When the service provider creates a tenant in the SPF database, a unique GUID is established that functions similarly to a Windows Azure subscription ID. A tenant's permission to execute instructions over SPF rests on two things: knowledge of that GUID, and possession of the private key corresponding to the public key associated with the tenant the GUID represents.

After the tenant provides the service provider with a copy of their certificate’s public key, and the service provider creates the SPF tenant id, the service provider issues a unique URL to the tenant that includes the GUID. The tenant will take this URL and enter it into App Controller to connect to the service provider cloud. Here is an example SPF connection string:

Final steps the service provider needs to take are to assign the tenant to a cloud, and create user roles. (You may recall we created a cloud for this tenant in the previous post.)

  • Assigning the tenant to a cloud can be done in the SCVMM console by right-clicking the tenant name in the VMs and Services panel and selecting Properties. As seen in Figure C, on the Scope tab, select the cloud(s) the tenant will be able to see when they attach with App Controller.
  • Create user roles with PowerShell cmdlets as listed in the link for more information “Create Tenant Certificate” at the bottom of this article.
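The service-provider steps above (create the tenant from the supplied .CER file, bind it to a stamp, create a user role) gathered into one script, as an added example that is not the article's or Microsoft's code. It assumes the SPF PowerShell module is named spfadmin, that New-SCSPFTenant accepts -Name, -Key and -IssuerName, that Set-SCSPFTenant accepts -Tenant and -Stamps, that New-SCSPFTenantUserRole accepts -Name, -Tenant and -Stamps, and that the tenant object exposes its GUID as the ID property; the tenant name, file path and expected thumbprint are constructed. The thumbprint check is the part worth copying: since the subscription GUID plus the matching private key is all SPF needs to accept a tenant's instructions, the provider should confirm over a second channel that the .CER it files really came from that tenant before a GUID is issued against it.

```powershell
# Added example, not code from the article or from Microsoft: service-provider
# onboarding of one SPF tenant from a DER-encoded .cer the tenant supplied.
# Assumptions: SPF module name spfadmin; cmdlet parameters as named below;
# the stamp TechRepublicStamp already exists (created earlier in the article).
# Tenant name, path and thumbprint are made-up sample values.

param(
    [string]$TenantName         = 'Carmine',
    [string]$CerPath            = 'C:\Tenants\Carmine.cer',
    # Thumbprint the tenant confirmed out of band (phone, signed mail); placeholder value
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000',
    [string]$StampName          = 'TechRepublicStamp'
)

Import-Module spfadmin -ErrorAction Stop   # assumption: module name

# 1. Load the public certificate and check it before anything is written to SPF.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

if ($cert.HasPrivateKey) {
    # A .cer must carry only the public key; if a private key is present the tenant sent the wrong file.
    throw "File contains a private key; refuse it and ask the tenant for the public .cer only."
}
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Thumbprint $($cert.Thumbprint) does not match the value confirmed with the tenant."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Certificate expires $($cert.NotAfter); ask the tenant for a longer-lived certificate."
}

# 2. New-SCSPFTenant takes the certificate as a Base64 string, so encode the DER bytes.
$key = [Convert]::ToBase64String($cert.RawData)

# 3. Create the tenant. SPF assigns the subscription GUID that the tenant later
#    presents, together with its private key, through App Controller.
$tenant = New-SCSPFTenant -Name $TenantName -Key $key -IssuerName $cert.Issuer

# 4. Bind the tenant to the stamp, then give it a user role scoped to that stamp.
$stamp = Get-SCSPFStamp | Where-Object { $_.Name -eq $StampName }
if (-not $stamp) { throw "Stamp $StampName not found in SPF." }
Set-SCSPFTenant -Tenant $tenant -Stamps $stamp
$role = New-SCSPFTenantUserRole -Name "$TenantName-Admin" -Tenant $tenant -Stamps $stamp

# 5. Return what was issued so the GUID/thumbprint pairing can be audited later.
[pscustomobject]@{
    Tenant         = $tenant.Name
    SubscriptionId = $tenant.ID          # assumption: property holding the tenant GUID
    Thumbprint     = $cert.Thumbprint
    Stamp          = $stamp.Name
    UserRole       = $role.Name
}
```

The script returns the GUID together with the certificate thumbprint it was bound to; keeping that record is what lets the provider later answer "which key is allowed to act as this subscription" without querying SPF.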

Figure C

Granting the tenant permission to use a service provider cloud, within the limits of their user role.

Consume cloud resources using App Controller

To connect your on-premise App Controller to the service provider cloud, click the “Add an external service provider connection” link in the Hosted Clouds section of the App Controller Overview pane. Enter in the dialog box the URL issued by the service provider, as well as the private certificate (.PFX file) and password matching the public key given to the service provider.
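On the tenant side, the certificate pair that this dialog asks for (the .PFX with its password, whose public half was earlier handed to the provider) can be produced with the PKI cmdlets that ship with Windows Server 2012. The following is an added example, not code from the article or from Microsoft; it assumes the PKI module is available and uses a made-up tenant name and output folder.

```powershell
# Added example, not from the article: tenant-side preparation of the
# certificate pair App Controller presents to the provider's SPF endpoint.
# Assumes Windows Server 2012 / Windows 8 PKI module (New-SelfSignedCertificate,
# Export-Certificate, Export-PfxCertificate). Tenant name and folder are made up.

$TenantName = 'Carmine'
$OutDir     = 'C:\SPFTenant'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Generate the key pair in the local machine store. The private key leaves
#    this machine only inside the password-protected .pfx.
$cert = New-SelfSignedCertificate -DnsName $TenantName -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. The public half (DER-encoded .cer) is what the service provider receives.
$cerFile = Join-Path $OutDir "$TenantName.cer"
Export-Certificate -Cert $cert -FilePath $cerFile -Type CERT | Out-Null

# Confirm the exported file really is public-only before sending it anywhere.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerFile
if ($check.HasPrivateKey) { throw "Exported .cer unexpectedly contains a private key." }

# 3. The private half (.pfx) stays with the tenant and is imported into App Controller
#    in the "Add an external service provider connection" dialog.
$pfxFile     = Join-Path $OutDir "$TenantName.pfx"
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the .pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxFile -Password $pfxPassword | Out-Null

# 4. Thumbprint to confirm with the provider over a separate channel, so the
#    provider can check the .cer it received before creating the tenant.
[pscustomobject]@{
    PublicCer  = $cerFile
    PrivatePfx = $pfxFile
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
}
```

Because possession of this .PFX plus the subscription GUID is what authorizes deployments into the provider's cloud, the .PFX and its password should be kept with the same care as any other credential; the .CER can travel freely.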

After completing that procedure, you’ll see “1 service provider connection” on the overview page and “Hosted VMM” listed in the App Controller | Settings | Connections page. You will also find the SPF cloud VM templates in the App Controller | Library pane. To deploy a VM into the service provider cloud, select a VM template and push the Deploy button. Figure D shows the cloud (prepared by the service provider for the tenant) ready to select as the deployment cloud.

Figure D

Deploy a VM with App Controller to the service provider’s SPF cloud.

After selecting the service provider cloud as shown in Figure D, there is one more interactive dialog, where you must minimally give the VM a name. Then push a final Deploy button and in a few minutes your VM will be ready to use in the service provider cloud.

More Information

For full details on the steps covered in this article, consult these links at Microsoft: