Windows Azure Virtual Network Connect & Traffic Manager Note

Windows Azure Connect (Jan 2011): http://www.microsoft.com/en-gb/showcase/details.aspx?uuid=c7764a37-be8e-4c47-b908-837a4f0b3059

Cloud Computing in PaaS with Windows Azure Connect (Part 2/2) http://blogs.technet.com/b/yungchou/archive/2011/05/09/cloud-computing-in-paas-with-windows-azure-connect-2-2.aspx

Virtual Network

Windows Azure offers a range of networking capabilities to help you integrate existing applications with the cloud and manage your network traffic.

Setup Windows Azure.


1. Windows Azure roles that have been activated for Windows Azure Connect: To activate a Windows Azure role, ensure that an activation token that you obtain in the Windows Azure Connect interface is included in the configuration for the role

2. Endpoint software installed on local computers or VMs

3. Endpoint groups (for configuring network connectivity)

 

Standard protocols

            SSL, IPSec

 

Scenarios:

            Azure app & on-premise SQL Server

            domain-joined Azure instance, domain user can single sign on to Azure instance

            remote admin

Windows Azure Connect provides IPSec protected connections between on-premise machines and cloud role instances.

Protocols and Ports

Note that Azure connectivity is based on IPv6 and HTTPS. This means that on the machine hosting the local endpoint software, TCP port 443 outbound must be opened, and firewall exceptions must be created for Internet Control Message Protocol version 6 (ICMPv6) communication. This is critical to establishing an IPv6 link. The endpoint software configures these for you, but you should be aware of these protocol/port/firewall requirements in case you run into issues. Additionally, you will need to configure other firewall exceptions as required by your applications.

   How does an on-premise computer / domain connect with an Azure instance?

            relay service, need to have outbound port 443 (SSL)

            SSL tunnel

            IPv6, IPsec, point-to-point connection

            connect agent in Azure instance as well as on-premise

            both Azure instance and on-premise connect to relay service via SSL tunnel

            activation token

            web/worker role and VM role controlled by .cscfg file

            on-premise

 

            Two ways to use Remote Desktop to connect to a Windows Azure instance

                        -portal Remote Desktop via Internet

                        -use Windows Azure Connect from on-premise

                        both require: Remote Desktop of Windows Azure should be turned on

           

            domain-joining

                        -Required info

                                    -domain name

                                    -OU

                                    -local admin accounts

                                    -creds with permissions for domain join

                                    -...

                                   

            what happens to Azure Connect if the Windows Azure instance reboots?

                        -new client certificate, portal no longer knows the certificate, need to reconfigure Connect???

                       

            how does the Windows Azure password workflow work?

                        -use Windows Azure certificate

                        -on-premise -> use public key decrypt the password => store password into cscfg => send to Windows Azure => retrieve encrypted password => use private key to do decryption

                                   

            Troubleshooting

            1. D: drive (system drive)

            program file => windows connect => endpoint => logs

            2. use remote desktop to ping each other

            3. use on-premise remote desktop to Azure instance based on machine name

            4. Windows Azure software Diagnostic

            5. if using domain join, check computer properties to see whether it is in the domain or not

                        -we are able to log in to this machine using any domain user name and password

                       

            Certificates

                        -deployment certificate

                        -remote desktop certificate

                        -Windows Azure Connect client root certificate (identifies the computer to the portal)

                        -IPsec certificate for point-to-point connection

           

            for domain join, one more system reboot is needed: when the Azure instance sees that the *.cscfg has domain join, it reboots the instance

                       

            Troubleshooting

                        -Ping

                                    -using DNS name

                                                -on-prem to Azure (using Internet RDP from portal)

                                                -Azure to on-prem

                                    -using IPv6 address

                                                -on-prem to Azure (using Internet RDP from portal)

                                                -Azure to on-prem

                        -RDP

                                    -from portal

                                    -from on-prem

                        -connect agent

                                    -activation token

                                    -firewall rules

                        -domain join

                                    -check log file: D://program file => windows connect => endpoint => logs


Overview of Firewall Settings Related to Windows Azure Connect

http://msdn.microsoft.com/en-us/library/windowsazure/gg433061.aspx

In Windows Azure Connect, the firewall settings on local endpoints (local computers or VMs) are under your control. Windows Azure Connect uses HTTPS, which uses port 443. Therefore, the port that you must open on local endpoints is TCP 443 outbound. In addition, configure program or port exceptions needed by your applications or tools.

=> Make sure Azure Connect is working locally

In addition, since Azure Connect needs to connect remotely to the local database, you need to enable the TCP/IP protocol and open the local endpoint's default TCP 1433 inbound.

http://blogs.msdn.com/b/tonyguid/archive/2011/03/21/troubleshooting-windows-azure-connect-to-on-premises-sql-server.aspx

Confirm that you can reach the SQL server on its port 1433

a.       From your web role run: telnet <SQL-SERVER-NAME> 1433 – if you get an error:

                                    i.      Check the firewall rules on SQL server, ensure TCP 1433 inbound is allowed.

                                   ii.      Make sure that SQL server is configured to accept remote connections.

b.       From the local machine run: SQLCMD -E -S YourServer\SQLEXPRESS,1433
The "," in the server name tells SQLCMD it's a port.


If ping fails, make sure that the firewall is not blocking Internet Control Message Protocol version 6 (ICMPv6) by running the following command and then trying ping again:

netsh advfirewall firewall add rule name="ICMPv6" dir=in action=allow enable=yes protocol=icmpv6

Note:
Once you deploy the application to Windows Azure, the Web Role will connect to the SQL Server running in your machine through the machine name. That is the reason why you need to change the .\SQLExpress value to use explicitly your machine name. Notice also that you need to explicitly specify the default port as part of the data source because the connection will be set using TCP/IP as the protocol.


=> make sure web role is able to connect to local database server

Windows Azure Traffic Manager

            Windows Azure Traffic Manager is a load balancing solution that enables the distribution of incoming traffic among different hosted services in your Windows Azure subscription, regardless of their physical location. Traffic routing occurs as the result of policies that you define and that are based on one of the following criteria:

Performance – traffic is forwarded to the closest hosted service in terms of network latency

            - Traffic Manager maintains a network performance table that it updates periodically and contains the round trip time between various IP addresses around the world and each Windows Azure data center.

Round Robin – traffic is distributed equally across all hosted services

            - It keeps track of the last hosted service that received traffic and sends traffic to the next one in the list of hosted services.

Failover – traffic is sent to a primary service and, if this service goes offline, to the next available service in a list

            - If the primary hosted service is offline, traffic is sent to the next one in a sequence defined by the policy. Unlike the performance and round robin policies, where order does not matter, the load balancer chooses an active service based on its position in the list of selected DNS names. Choose the hosted service that will act as the primary and then move it to the top of the list. When a service comes back online, Traffic Manager detects the change in its status within the next polling interval. Thus, the interval shown by the Health Monitor Timeout when switching from offline to online is only 30 seconds.

You assign each policy a DNS name and associate it with multiple hosted services.
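The three policies can be compared side by side in a small model. This is an added example, not Traffic Manager code: the hosted-service names and round-trip times are constructed sample data, and skipping offline services in round robin is an assumption.

```python
# Added illustration of the three Traffic Manager policies described above.
# Hosted-service names and RTT values are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Policy:
    services: list                               # hosted services, in policy order
    online: dict = field(default_factory=dict)   # name -> False when offline
    last: int = -1                               # index that last received traffic

    def up(self, name):
        return self.online.get(name, True)

    def failover(self):
        """First online service by list position; the primary is listed first."""
        return next((s for s in self.services if self.up(s)), None)

    def round_robin(self):
        """Next service after the last one used (assumption: offline ones are skipped)."""
        n = len(self.services)
        for step in range(1, n + 1):
            i = (self.last + step) % n
            if self.up(self.services[i]):
                self.last = i
                return self.services[i]
        return None

    def performance(self, rtt_ms):
        """Online service with the lowest round-trip time from the client's network."""
        live = [s for s in self.services if self.up(s)]
        return min(live, key=rtt_ms.__getitem__) if live else None


SERVICES = ["app-us.cloudapp.net", "app-eu.cloudapp.net", "app-asia.cloudapp.net"]
RTT_FROM_EUROPE = {SERVICES[0]: 95, SERVICES[1]: 18, SERVICES[2]: 240}


def demo():
    p = Policy(list(SERVICES))
    before = (p.failover(), [p.round_robin() for _ in range(4)],
              p.performance(RTT_FROM_EUROPE))
    p.online[SERVICES[1]] = False      # the EU service goes offline
    after = (p.failover(), p.round_robin(), p.performance(RTT_FROM_EUROPE))
    p.online[SERVICES[0]] = False      # now the primary fails as well
    return before, after, p.failover()

if __name__ == "__main__":
    print(demo())
```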

 

IMPORTANT: DNS Caching

            -Traffic Manager DNS caching

            -Browser DNS caching

The client resolver in Windows caches DNS host entries for the duration of their time-to-live (TTL).

The default DNS cache of IE is 30 minutes. Different browsers have different DNS cache expiration times.


Note: Please use "nslookup" to figure out the current DNS name of [yourapp].trafficmanager.net, because browser caching also affects what we observe

cmd>>nslookup [yourapp].trafficmanager.net
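The effect of client-side caching on a failover can be reproduced with a small TTL cache. This is an added example, not part of the original note: the host names are constructed, and the 1800-second TTL mirrors the 30-minute IE cache mentioned above.

```python
# Added illustration: why a caching client keeps the old answer after a failover.
# Host names and probe times are constructed sample data.
class CachingResolver:
    """Client-side cache that honours a TTL, like an OS or browser DNS cache."""

    def __init__(self, authoritative, ttl_seconds):
        self.authoritative = authoritative   # callable: name -> current target
        self.ttl = ttl_seconds
        self.cache = {}                      # name -> (target, expires_at)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]                    # served from cache, possibly stale
        target = self.authoritative(name)
        self.cache[name] = (target, now + self.ttl)
        return target


def stale_window(ttl_seconds, failover_at, probe_times):
    """Return (time, answer) pairs seen by a caching client at each probe time."""
    state = {"target": "primary.cloudapp.net"}
    resolver = CachingResolver(lambda _name: state["target"], ttl_seconds)
    seen = []
    for t in sorted(probe_times):
        if t >= failover_at:
            state["target"] = "secondary.cloudapp.net"   # policy has failed over
        seen.append((t, resolver.resolve("yourapp.trafficmanager.net", t)))
    return seen


if __name__ == "__main__":
    # Failover happens at t=60s; a 30-minute cache hides it until t=1800s.
    for row in stale_window(1800, 60, [0, 120, 1799, 1800]):
        print(row)
```

Querying with nslookup bypasses the browser's cache, which is why it shows the current answer when the browser does not.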

