When Microsoft engineers started developing
Windows Azure
back in 2007, the overarching idea was to create a
mirror image of Windows Server in the cloud. A key element in that mirroring
involved the development of the “conceptual equivalent” of
Microsoft’s Active Directory directory service for Azure, which came to be
known as Windows Azure Active Directory (WAAD).

Microsoft publicly introduced WAAD
in the summer of 2012, and the Azure team made WAAD generally available
as of April 8, 2013. A number of Microsoft cloud properties are already relying
on WAAD as their directory service, including Windows Azure Online Backup,
Windows Azure, Office 365, Dynamics CRM Online, and Windows Intune. Microsoft
also is encouraging third-party apps and services developers to integrate WAAD
support into their offerings. (The developer tools supporting WAAD were still
in preview as of late August 2013.)

There are three
primary components of WAAD:

  • Access Control Service: Provides authentication
    and authorization of users to gain access to Web apps and services.
  • Graph API: Provides programmatic access to
    WAAD through REST application programming interface endpoints.
  • Authentication Library:  Enables client application developers to authenticate
    users to WAAD or other identity providers and then obtain access tokens for
    securing API calls.

WAAD is at the center
of how Microsoft is handling single sign-on and identity management for both first-party
(Microsoft-developed) and third-party Azure-hosted applications. Microsoft also
designed WAAD so it could federate identities and synchronize directories with
on-premises Active Directory-centric applications.

More acronym soup: SDN and DAL

While Microsoft
increasingly is introducing new technologies first as part of Windows Azure and
later making them available on Windows Server, it’s still worth noting that the
Azure cloud is powered, at the base level, by Windows Servers. This is one
reason why Microsoft management took to referring to Windows Server as the crux of its “Cloud OS”
— a branding decision that seems to have confused many of its customers and
partners.

Naming issues aside,
the reality is that many, if not all, of the networking and management features
Microsoft delivers for Windows Server also affect the Azure public-cloud
platform.

Like a number of its
rivals, Microsoft has been talking up software-defined networking (SDN) — the
ability to configure networking equipment and related networking services centrally
and via software. In a perfect world, SDN should allow IT admins to configure
their networks more quickly and easily without negatively affecting performance
and security.

Microsoft touts
Windows Server, System Center, Virtual Machine Manager, Hyper-V, and the Hyper-V
Extensible Switch (which debuted as part of Windows Server 2012) as the foundation of its SDN offering.
In combination, according to Microsoft officials, these products enable admins
to create virtual networks that run on top of physical networks; to create
virtual networks dynamically and support virtual machine (VM) mobility; to control
traffic flow within the data center; and to create policies that can span physical
and virtual networks.

(The Redmondians are
quick to point out that Microsoft’s approach to SDN isn’t entirely Windows
Server/Windows Azure-centric. Earlier this year, Microsoft joined a handful of
its competitors and partners, including Brocade, Cisco, Ericsson, IBM, Juniper,
Red Hat, and VMware, to build the OpenDaylight Project’s “open” SDN
platform, which is backed by The Linux Foundation.)

Another three-letter
acronym that customers and partners are likely to hear about from Microsoft in
the coming months is DAL, or data center abstraction layer. Conceptually,
DAL is something like the HAL, or hardware abstraction layer, which is part of
Windows. It’s meant to provide a base-level platform for applications and to
manage the hardware on which they run.

Architecturally, DAL
sits on top of the compute, storage, and network layer in the collection of
servers that reside in data centers. It uses existing DMTF management stacks to
manage data center resources, including servers, storage devices, networking
devices, hypervisors, operating systems, services, and applications.

In a recent white
paper on Microsoft’s DAL vision, company execs described DAL as “our work
with the industry to provide a common management abstraction for all the
resources of a data center to make it simple and easy to adopt and deploy cloud
computing.” The paper stressed that “the DAL is not specific to one
operating system; it benefits UNIX cloud-computing efforts every bit as much as
Windows.” 

Network services: Sydney is coming to Brooklyn

WAAD, SDN, and DAL
are infrastructure-level components of Microsoft’s cloud. At the next level up
— where compute, data services, app services, and commerce services reside —
is where Microsoft’s Azure network services live.

Until recently,
Microsoft was touting three network services options in Azure: Virtual Network,
Traffic Manager, and Connect. But after introducing Connect in 2010 and
subsequently previewing/testing it with customers, Microsoft decided to
discontinue work on Connect. Connect, which was codenamed “Sydney,”
was designed to connect computers or virtual machines over IPSec. The new plan, Microsoft officials
have said, is to integrate the Connect functionality into Virtual Network at
some point down the road.

Azure Virtual Network, codenamed
“Brooklyn,” reached general availability in April 2013. It is
designed to connect enterprise on-premises networks to the Azure cloud. Specifically,
Virtual Network allows users to create a “logically isolated” section
in Windows Azure and connect it to an on-premises data center or single client
machine over IPSec.

Microsoft also
rolled out software VPN device support for Azure’s
“Site-to-Site VPN,” which previously required the use of a
hardware VPN device from Cisco or Juniper. Those with Windows Server 2012 can
run a PowerShell script that will enable a site-to-site VPN tunnel connecting an
on-premises network and machines to Azure Virtual Network.

Microsoft says
Virtual Network offers a way for users to extend their data center, to build
distributed, hybrid applications without having to create custom code, and to
remotely debug applications. Connecting branch offices to data centers is
another scenario Microsoft has suggested would be a good candidate for Virtual
Network use.

Traffic Manager is
an Azure network service for load balancing incoming traffic across multiple
hosted Windows Azure services. These services can be running in the same data center
or in different ones anywhere in the world. Traffic Manager supports a choice of
load-balancing methods: performance, failover, or round robin. Microsoft is
positioning Traffic Manager as a way to improve application availability and
reduce network latency.

Got a topic?

If there’s a
Microsoft product or service family you’d like Mary Jo to examine in a future
column, let her know and we’ll do our best to cover it.