Windows Azure Connect (Jan 2011): http://www.microsoft.com/en-gb/showcase/details.aspx?uuid=c7764a37-be8e-4c47-b908-837a4f0b3059
Virtual Network
Windows Azure offers a range of networking capabilities to help you integrate existing applications with the cloud and manage your network traffic.
Setup for Windows Azure Connect:
1. Windows Azure roles that have been activated for Windows Azure Connect. To activate a Windows Azure role, ensure that an activation token that you obtain in the Windows Azure Connect interface is included in the configuration for the role.
2. Endpoint software installed on local computers or VMs.
3. Endpoint groups (for configuring network connectivity).
Standard protocols: SSL, IPsec.
Scenarios:
- Azure application & on-premise SQL Server
- domain-joined Azure instance: a domain user can single sign-on to the Azure instance
- remote admin
Windows Azure Connect provides IPsec-protected connections between on-premise machines and cloud role instances.
Protocols and Ports
Note that Azure connectivity is based on IPv6 and HTTPS. This means that on the machine hosting the local endpoint software, TCP port 443 outbound must be opened, and firewall exceptions must be created for Internet Control Message Protocol version 6 (ICMPv6) communication. This is critical to establishing an IPv6 link. The endpoint software configures these for you, but you should be aware of these protocol/port/firewall requirements in case you run into issues. Additionally, you will need to configure other firewall exceptions as required by your applications.
How does an on-premise computer / domain connect with an Azure instance?
- relay service; needs outbound port 443 (SSL)
- SSL tunnel
- IPv6, IPsec, point-to-point connection
- connect agent in the Azure instance as well as on-premise
- both the Azure instance and the on-premise machine connect to the relay service via an SSL tunnel
- activation token
- web/worker role and VM role are controlled by the .cscfg file
- on-premise
Two ways to use Remote Desktop to connect to a Windows Azure instance:
- portal remote desktop via the internet
- use Windows Azure Connect from on-premise
Both require that Remote Desktop on the Windows Azure instance is turned on.
Domain-joining
- Required info:
  - domain name
  - OU
  - local admin accounts
  - credentials with permissions for domain-join
  - ...
What happens to Azure Connect if the Windows Azure instance reboots?
- new client certificate; the portal no longer knows the certificate, need to reconfigure Connect???
How does the Windows Azure password workflow work?
- uses a Windows Azure certificate
- on-premise -> use the public key to encrypt the password => store the password into the .cscfg => send to Windows Azure => retrieve the encrypted password => use the private key to do the decryption
Troubleshooting
1. D: drive (system drive): program files => windows connect => endpoint => logs
2. Use remote desktop to ping each other.
3. Use on-premise remote desktop to the Azure instance based on machine name.
4. Windows Azure software diagnostics.
5. If using domain join, check computer properties to see whether it is in the domain or not.
- we are able to log into this machine using any domain user name and password
Certificates
- deployment certificate
- remote desktop certificate
- Windows Azure Connect client root certificate (identifies the computer to the portal)
- IPsec certificate for point-to-point connection
For domain join, one more system reboot is needed: when the Azure instance sees that the *.cscfg has domain join, it reboots the instance.
Troubleshooting
- Ping
  - using DNS name
    - on-prem to Azure (using internet RDP from portal)
    - Azure to on-prem
  - using IPv6 address
    - on-prem to Azure (using internet RDP from portal)
    - Azure to on-prem
- RDP
  - from portal
  - from on-prem
- connect agent
- activation token
- firewall rules
- domain join
- check log file: D://program file=>windows connect=>endpoint=>logs
**Overview of Firewall Settings Related to Windows Azure Connect
http://msdn.microsoft.com/en-us/library/windowsazure/gg433061.aspx
In Windows Azure Connect, the firewall settings on local endpoints (local computers or VMs) are under your control. Windows Azure Connect uses HTTPS, which uses port 443. Therefore, the port that you must open on local endpoints is TCP 443 outbound. In addition, configure program or port exceptions needed by your applications or tools.
=> Make sure Azure Connect is working locally.
In addition, since Azure Connect needs to connect remotely to the local database, enable the TCP/IP protocol and open the local endpoint's default TCP 1433 inbound.
Confirm that you can reach the SQL server on its port 1433:
a. From your web role run: telnet <SQL-SERVER-NAME> 1433 – if you get an error:
   i. Check the firewall rules on the SQL server; ensure TCP 1433 inbound is allowed.
   ii. Make sure that SQL Server is configured to accept remote connections.
b. From the local machine run: SQLCMD -E -S YourServer\SQLEXPRESS,1433
   The "," in the server name tells SQLCMD that it's a port.
If ping fails, make sure that the firewall is not blocking Internet Control Message Protocol version 6 (ICMPv6) by running the following command and then trying ping again:
netsh advfirewall firewall add rule name="ICMPv6" dir=in action=allow enable=yes protocol=icmpv6
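As an added illustration of the port checks above (this is not from the original notes or from Microsoft), the following Python script performs the same reachability test that the telnet step does, for TCP 443 outbound to the relay and TCP 1433 to the SQL Server host, and maps a failure back to the checks listed above. The host names `<relay-host>` and `<SQL-SERVER-NAME>` are placeholders; the two 127.0.0.1 listener helpers exist only so the script can be exercised offline.

```python
import socket
from contextlib import closing


def check_tcp_port(host, port, timeout=3.0):
    """Same test as 'telnet <host> <port>': can a TCP handshake be completed?
    Returns (reachable, detail)."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True, "TCP %s:%d reachable" % (host, port)
    except socket.gaierror as exc:
        return False, "name resolution failed for %s: %s" % (host, exc)
    except socket.timeout:
        # No SYN/ACK at all: typical of a firewall silently dropping the packet.
        return False, "timed out after %.1fs (likely filtered by a firewall)" % timeout
    except OSError as exc:
        # RST received: the host is up but nothing is listening on that port.
        return False, "connection refused/failed: %s" % exc


def hints_for(port):
    """Remediation hints taken from the checklist in the notes above."""
    if port == 1433:
        return ["check the firewall rules on the SQL server: allow TCP 1433 inbound",
                "make sure SQL Server is configured to accept remote connections (TCP/IP enabled)"]
    if port == 443:
        return ["allow TCP 443 outbound from the local endpoint (Azure Connect uses HTTPS)"]
    return ["add a firewall exception for TCP %d as required by the application" % port]


def run_checklist(checks, timeout=3.0):
    """checks: list of (label, host, port). Returns a report dict keyed by label."""
    report = {}
    for label, host, port in checks:
        ok, detail = check_tcp_port(host, port, timeout)
        report[label] = {"ok": ok, "detail": detail, "hints": [] if ok else hints_for(port)}
    return report


# Constructed helpers: open/reserve ephemeral ports on 127.0.0.1 so the checker
# can be tried offline. They are not real Azure Connect or SQL endpoints.
def start_local_listener():
    """Open a listening TCP socket on an ephemeral port; the caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_local_port():
    """Reserve and release an ephemeral port so that it is known to be closed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Placeholder hosts: replace with the relay and SQL hosts of your own environment.
    checks = [("relay_https_outbound", "<relay-host>", 443),
              ("sql_tcp_1433", "<SQL-SERVER-NAME>", 1433)]
    for label, entry in run_checklist(checks).items():
        print(label, "OK" if entry["ok"] else "FAIL", entry["detail"])
        for hint in entry["hints"]:
            print("   ->", hint)
```

A timeout and a refusal are reported separately on purpose: a silent timeout usually means a firewall is dropping the SYN (the first check above), while an immediate refusal means the host answered but SQL Server is not listening on TCP 1433 (the second check).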
Windows Azure Traffic Manager
Windows Azure Traffic Manager is a load balancing solution that enables the distribution of incoming traffic among different hosted services in your Windows Azure subscription, regardless of their physical location. Traffic routing occurs as the result of policies that you define and that are based on one of the following criteria:
Performance – traffic is forwarded to the closest hosted service in terms of network latency
- Traffic Manager maintains a network performance table that it updates periodically and that contains the round trip time between various IP addresses around the world and each Windows Azure data center.
Round Robin – traffic is distributed equally across all hosted services
- It keeps track of the last hosted service that received traffic and sends traffic to the next one in the list of hosted services.
Failover – traffic is sent to a primary service and, if this service goes offline, to the next available service in a list
- If the primary hosted service is offline, traffic is sent to the next one in a sequence defined by the policy. Unlike the performance and round robin policies, where order does not matter, the load balancer chooses an active service based on its position in the list of selected DNS names. Choose the hosted service that will act as the primary and then move it to the top of the list. When a service comes back online, Traffic Manager detects the change in its status within the next polling interval. Thus, the interval shown by the Health Monitor Timeout when switching from offline to online is only 30 seconds.
You assign each policy a DNS name and associate it with multiple hosted services.
IMPORTANT: DNS caching
- Traffic Manager DNS caching
- browser DNS caching
The client resolver in Windows caches DNS host entries for the duration of their time-to-live (TTL).
The default DNS cache of IE is 30 minutes. Different browsers have different DNS cache expiration times.
Note: use "nslookup" to figure out the current DNS name of [yourapp].trafficmanager.net, because browser caching also affects what you observe.
cmd>>nslookup [yourapp].trafficmanager.net
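An added example (constructed here; it is neither Microsoft's code nor part of the original notes) that models the three Traffic Manager policies described above together with the client-side TTL cache this section warns about. The service names, the latency table and the 300-second TTL are made up. It shows why, after a failover, a browser that cached the old answer keeps going to the offline service until the TTL expires, while a fresh query (what nslookup does) already returns the new one.

```python
import time


class TrafficManagerSim:
    """Toy model of Traffic Manager's policy-based DNS answer (constructed, not Microsoft's code)."""

    def __init__(self, policy, services, latency_table=None):
        self.policy = policy                  # "performance", "round_robin" or "failover"
        self.services = list(services)        # for failover this order is the priority order
        self.online = {s: True for s in services}
        self.latency = latency_table or {}    # (client_region, service) -> round trip time in ms
        self._last_index = -1                 # round robin: last service that received traffic

    def set_online(self, service, online):
        """What the health monitor would flip when a service goes offline or comes back."""
        self.online[service] = online

    def resolve(self, client_region=None):
        """Return the hosted service DNS name the policy would hand to this client."""
        healthy = [s for s in self.services if self.online[s]]
        if not healthy:
            return None
        if self.policy == "failover":
            return healthy[0]                 # first online entry in the ordered list
        if self.policy == "round_robin":
            n = len(self.services)
            for step in range(1, n + 1):      # walk from the last-used entry, skipping offline ones
                idx = (self._last_index + step) % n
                if self.online[self.services[idx]]:
                    self._last_index = idx
                    return self.services[idx]
        if self.policy == "performance":      # lowest round trip time wins
            return min(healthy, key=lambda s: self.latency.get((client_region, s), float("inf")))
        raise ValueError("unknown policy %r" % self.policy)


class ClientDnsCache:
    """Models the Windows resolver / browser cache: an answer is reused until its TTL expires."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self.entries = {}                     # name -> (answer, expires_at)

    def lookup(self, name, authoritative):
        """Return (answer, served_from_cache); authoritative() is called only on a miss."""
        now = self.clock()
        hit = self.entries.get(name)
        if hit is not None and hit[1] > now:
            return hit[0], True
        answer = authoritative()
        self.entries[name] = (answer, now + self.ttl)
        return answer, False


def failover_scenario(ttl_seconds=300):
    """Primary goes offline; a cached client keeps the stale answer until the TTL runs out."""
    clock = [0.0]                                       # fake clock so the run is deterministic
    tm = TrafficManagerSim("failover", ["primary.cloudapp.net", "secondary.cloudapp.net"])
    cache = ClientDnsCache(ttl_seconds, clock=lambda: clock[0])
    name = "yourapp.trafficmanager.net"                 # constructed policy DNS name
    before, _ = cache.lookup(name, tm.resolve)
    tm.set_online("primary.cloudapp.net", False)        # health monitor marks primary offline
    stale, from_cache = cache.lookup(name, tm.resolve)  # browser still uses the cached answer
    via_nslookup = tm.resolve()                         # a fresh query, like nslookup, sees the failover
    clock[0] += ttl_seconds + 1                         # wait out the TTL
    after_ttl, _ = cache.lookup(name, tm.resolve)
    return {"before": before, "cached_after_outage": stale, "served_from_cache": from_cache,
            "nslookup": via_nslookup, "after_ttl": after_ttl}


if __name__ == "__main__":
    for key, value in failover_scenario().items():
        print("%-20s %s" % (key, value))
```

With the IE default mentioned above (30 minutes) the stale window after a failover is the cache lifetime, not the 30-second Health Monitor interval, which is why the notes insist on checking with nslookup rather than trusting the browser.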