Microsoft enterprise primer on Windows Azure networking

The latest edition of our Microsoft enterprise primer series will help you sort out Microsoft's rapidly evolving Azure technologies.

Windows Azure Cloud
When Microsoft engineers started developing Windows Azure back in 2007, the overarching idea was to create a mirror image of Windows Server in the cloud. A key element in that mirroring involved the development of the "conceptual equivalent" of Microsoft's Active Directory directory service for Azure, which came to be known as Windows Azure Active Directory (WAAD).

Microsoft publicly introduced WAAD in the summer of 2012, and the Azure team made WAAD generally available as of April 8, 2013. A number of Microsoft cloud properties are already relying on WAAD as their directory service, including Windows Azure Online Backup, Windows Azure, Office 365, Dynamics CRM Online, and Windows Intune. Microsoft also is encouraging third-party apps and services developers to integrate WAAD support into their offerings. (The developer tools supporting WAAD were still in preview as of late August 2013.)

There are three primary components of WAAD:

  • Access Control Service: Provides authentication and authorization of users to gain access to Web apps and services.
  • Graph API: Provides programmatic access to WAAD through REST application programming interface endpoints.
  • Authentication Library: Enables client application developers to authenticate users to WAAD or other identity providers and then obtain access tokens for securing API calls.

WAAD is at the center of how Microsoft is handling single sign-on and identity management for Azure-hosted applications, both first-party (Microsoft-developed) and third-party. Microsoft also designed WAAD so it could federate identities and synchronize directories with on-premises Active Directory-centric applications.

More acronym soup: SDN and DAL

While Microsoft is increasingly introducing new technologies first as part of Windows Azure and later making them available on Windows Server, it's still worth noting that the Azure cloud is powered, at the base level, by Windows Servers. This is one reason why Microsoft management took to referring to Windows Server as the crux of its "Cloud OS" -- a branding decision that seems to have confused many of its customers and partners.

Naming issues aside, the reality is that many, if not all, of the networking and management features Microsoft delivers for Windows Server also affect the Azure public-cloud platform.

Like a number of its rivals, Microsoft has been talking up software-defined networking (SDN) -- the ability to configure networking equipment and related networking services centrally and via software. In a perfect world, SDN should allow IT admins to configure their networks more quickly and easily without negatively affecting performance and security.

Microsoft touts Windows Server, System Center, Virtual Machine Manager, Hyper-V, and the Hyper-V Extensible Switch (which debuted as part of Windows Server 2012) as the foundation of its SDN offering. In combination, according to Microsoft officials, these products enable admins to create virtual networks that run on top of physical networks; to create virtual networks dynamically and support virtual machine (VM) mobility; to control traffic flow within the data center; and to create policies that can span physical and virtual networks.

(The Redmondians are quick to point out that Microsoft's approach to SDN isn't entirely Windows Server/Windows Azure-centric. Earlier this year, Microsoft joined a handful of its competitors and partners, including Brocade, Cisco, Ericsson, IBM, Juniper, Red Hat, and VMware, to build the OpenDaylight Project's "open" SDN platform, which is backed by The Linux Foundation.)

Another three-letter acronym that customers and partners are likely to hear about from Microsoft in the coming months is DAL, or data center abstraction layer. Conceptually, DAL is something like the HAL, or hardware abstraction layer, which is part of Windows. It's meant to provide a base-level platform for applications and to manage the hardware on which they run.

Architecturally, DAL sits on top of the compute, storage, and network layer in the collection of servers that reside in data centers. It uses existing DMTF management stacks to manage data center resources, including servers, storage devices, networking devices, hypervisors, operating systems, services, and applications.

In a recent white paper on Microsoft's DAL vision, company execs described DAL as "our work with the industry to provide a common management abstraction for all the resources of a data center to make it simple and easy to adopt and deploy cloud computing." The paper stressed that "the DAL is not specific to one operating system; it benefits UNIX cloud-computing efforts every bit as much as Windows."

Network services: Sydney is coming to Brooklyn

WAAD, SDN, and DAL are infrastructure-level components of Microsoft's cloud. At the next level up -- where compute, data services, app services, and commerce services reside -- is where Microsoft's Azure network services live.

Until recently, Microsoft was touting three network services options in Azure: Virtual Network, Traffic Manager, and Connect. But after introducing Connect in 2010 and subsequently previewing/testing it with customers, Microsoft decided to discontinue work on Connect. Connect, which was codenamed "Sydney," was designed to connect computers or virtual machines over IPSec. The new plan, Microsoft officials have said, is to integrate the Connect functionality into Virtual Network at some point down the road.

Azure Virtual Network, codenamed "Brooklyn," reached general availability in April 2013. It is designed to connect enterprise on-premises networks to the Azure cloud. Specifically, Virtual Network allows users to create a "logically isolated" section in Windows Azure and connect it to an on-premises data center or single client machine over IPSec.

Microsoft also rolled out software VPN device support for Azure's "Site-to-Site VPN," which previously required the use of a hardware VPN device from Cisco or Juniper. Those with Windows Server 2012 can run a PowerShell script that will enable a site-to-site VPN tunnel connecting an on-premises network and machines to Azure Virtual Network.

Microsoft says Virtual Network offers a way for users to extend their data center, to build distributed, hybrid applications without having to create custom code, and to remotely debug applications. Connecting branch offices to data centers is another scenario Microsoft has suggested would be a good candidate for Virtual Network use.

Traffic Manager is an Azure network service for load balancing incoming traffic across multiple hosted Windows Azure services. These services can be running in the same data center or in different ones anywhere in the world. Traffic Manager supports a choice of load-balancing methods: performance, failover, or round robin. Microsoft is positioning Traffic Manager as a way to improve application availability and reduce network latency.
