Tag Archives: Microsoft Windows Azure


Confusion over accounts used to access Microsoft’s online services

I recently bought a new computer, for family use (the Lenovo Flex 15 that I was whinging about the other week finally turned up). As it’s a new PC, it runs Windows 8 (since upgraded to 8.1) and I log in with my “Microsoft account”. All good so far.

I set up local accounts for the kids, with parental controls (if you don’t use Windows Family Safety, then I recommend you do! No need for meddling government firewalls at ISP level – all of the major operating systems have parental controls built in – we just need to be taught to use them…), then I decided that my wife also needed a “Microsoft account” so she could be registered as a parent to view the reports and over-ride settings as required.

Because my wife has an Office 365 mailbox, I thought she had a “Microsoft account” and I tried to use her Office 365 credentials. Nope… authentication error. It was only some time later (after quite a bit of frustration) that I realised that the “Organization account” used to access a Microsoft service like Office 365 is not the same as a “Microsoft account”. Mine had only worked because I have two accounts with the same username and password (naughty…) but they are actually two entirely separate identities. As far as I can make out, “organization accounts” use the Windows Azure Active Directory service whilst “Microsoft accounts” have their heritage in Microsoft Passport/Windows Live ID.

Tweeting my frustrations I heard back from a number of online contacts – including journalists and MVPs – and it seems to be widely accepted that Microsoft’s online authentication is a mess.

As Jamie Thomson (@JamieT) commented to Alex Simons (@Alex_A_Simons - the Programme Director for Windows Azure Active Directory), if only every “organization account” could have a corresponding “Microsoft account” auto-provisioned, life would be a lot, lot simpler.


Problems removing storage resources from Windows Azure virtual machines

Last year, I wrote about creating a virtual machine on Windows Azure, using the IaaS capabilities of the platform.  My free 90 day subscription is coming to an end so I needed to remove all resources before they become chargeable (running or otherwise). The problem was that, after deleting the virtual machine, I couldn’t remove the storage because:

Storage account [...] has 1 container(s) which have an active image and/or disk artifacts. Ensure those artifacts are removed from the image repository before deleting this storage account.

That wasn’t too helpful as I couldn’t find anything that looked like an “image repository” in the management console.  Thankfully I found the answer on StackOverflow.com:

“[...] even if you’ve already deleted all of your Virtual Machines and it shows 0; there still will be artifacts under the disks tab”
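The same clean-up can be scripted, which is useful when there are several disks or captured images hiding behind a storage account. The following is an added example (not from the original post or from Microsoft): it uses the classic Windows Azure PowerShell module (service management cmdlets: Get-AzureDisk, Remove-AzureDisk, Get-AzureVMImage, Remove-AzureVMImage, Remove-AzureStorageAccount) and assumes a subscription has already been selected with Add-AzureAccount/Select-AzureSubscription. The storage account name is a placeholder. Note that -DeleteVHD destroys the backing blob, so the script refuses to touch any disk that is still attached to a VM.

```powershell
# Added example (not from the original post): find and remove the disk and image
# artifacts that block deletion of a classic storage account, then delete the account.
# Assumes the classic "Azure" PowerShell module and an already-selected subscription.
$storageAccount = 'mystorageaccount'   # hypothetical name

# Every artifact references its backing VHD by URL; match on the account's blob host name.
$blobHost = "$storageAccount.blob.core.windows.net"

# 1. Disks (OS and data) left behind after the VM was deleted.
$disks = Get-AzureDisk | Where-Object { $_.MediaLink -and $_.MediaLink.Host -eq $blobHost }
foreach ($disk in $disks) {
    if ($disk.AttachedTo) {
        # Still attached: deleting the VHD underneath a live VM would destroy it.
        Write-Warning "Skipping disk $($disk.DiskName): attached to $($disk.AttachedTo.RoleName)"
        continue
    }
    Write-Host "Removing disk $($disk.DiskName) and its VHD"
    Remove-AzureDisk -DiskName $disk.DiskName -DeleteVHD
}

# 2. Captured VM images (Category 'User'); platform gallery images are not ours to delete.
$images = Get-AzureVMImage |
    Where-Object { $_.Category -eq 'User' -and $_.MediaLink -and $_.MediaLink.Host -eq $blobHost }
foreach ($image in $images) {
    Write-Host "Removing image $($image.ImageName) and its VHD"
    Remove-AzureVMImage -ImageName $image.ImageName -DeleteVHD
}

# 3. Re-check before deleting the account: a disk that was skipped above still blocks it.
$remaining = @(Get-AzureDisk | Where-Object { $_.MediaLink -and $_.MediaLink.Host -eq $blobHost }).Count
if ($remaining -eq 0) {
    Remove-AzureStorageAccount -StorageAccountName $storageAccount
} else {
    Write-Warning "$remaining disk(s) still reference $storageAccount; not deleting"
}
```

Run it once with -WhatIf appended to the two Remove-* calls if you want to see what it would delete first; the filter on the blob host name is what keeps it from touching artifacts that live in some other storage account.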


[Amazon's] Reference architecture for utility computing

Earlier this week, I attended an Amazon Web Services (AWS) 101 briefing, delivered by Amazon UK’s Ryan Shuttleworth (@RyanAWS).  Although I’ve been watching the “Journey into the AWS cloud” series of webcasts too, it was a really worthwhile session and, when the videos are released to the web, well worth watching for an introduction to the AWS cloud.

One thing I particularly appreciate about Ryan’s presentations is that he approaches things from an architectural view. It’s a refreshing change from the evangelists I’ve met at other companies who generally market software by talking about features (maybe even with some design considerations/best practice or coding snippets) but rarely seem to mention reference architectures or architectural patterns.

During his presentation, Ryan presented a reference architecture for utility computing and, even though this version relates to AWS services, it’s a pretty good model for re-use (in fact, the beauty of such a  reference architecture is that the contents of each box could be swapped out for other components, without affecting the overall approach – maybe I should revisit this post and slot in the Windows Azure components!).

So, what’s in each of these boxes?

  • AWS global infrastructure: consists of regions to collate facilities, with availability zones that are physically separated, and edge locations (e.g. for content distribution).
  • Networking: Amazon provides Direct Connect (dedicated connection to AWS cloud) to integrate with existing assets over VPN Connections and Virtual Private Clouds (your own slice of networking inside EC2), together with Route 53 (a highly available and scalable global DNS service).
  • Compute: Amazon’s Elastic Compute Cloud (EC2) allows for the creation of instances (Linux or Windows) to use as you like, based on a range of instance types, with different pricing – to scale up and down, even auto-scaling. Elastic Load Balancing allows the distribution of EC2 workloads across instances in multiple availability zones.
  • Storage: Simple Storage Service (S3) is the main storage service (Dropbox, Spotify and others run on it) – designed for write once read many applications.  Elastic Block Store (EBS) can be used to provide persistent storage behind an EC2 instance (e.g. boot volume) and supports snapshotting, replicated within an availability zone (so no need to RAID). There’s also Glacier for long term archival of data, AWS Import/Export for bulk uploads/downloads to/from AWS and the AWS Storage Gateway to connect on-premises and cloud-based storage.
  • Databases: Amazon’s Relational Database Service (RDS) provides database as a service capabilities (MySQL, Oracle, or Microsoft SQL Server). There’s also DynamoDB – a provisioned throughput NoSQL database for fast, predictable performance (fully distributed and fault tolerant) and SimpleDB for smaller NoSQL datasets.
  • Application services: Simple Queue Service (SQS) for reliable, scalable message queuing (for application decoupling); Simple Workflow Service (SWF) to coordinate processing steps across applications and to integrate AWS and non-AWS resources, to manage distributed states in complex systems; CloudSearch – an elastic search engine based on Amazon’s A9 technology to provide auto-scaling and a sophisticated feature set (equivalent to SOLR); CloudFront for a worldwide content delivery network (CDN), to easily distribute content to end users with a single DNS CNAME.
  • Deployment and admin: Elastic Beanstalk allows one click deployment from Eclipse, Visual Studio and Git for rapid deployment of applications with all AWS resources auto-created; CloudFormation is a scripting framework for AWS resource creation that automates stack creation in a repeatable way. There’s also Identity and Access Management (IAM), software development kits, Simple Email Service (SES), Simple Notification Service (SNS), ElastiCache, Elastic MapReduce, and the CloudWatch monitoring framework.

I suppose if I were to re-draw Ryan’s reference architecture, I’d include support (AWS Support) as well some payment/billing services (after all, this doesn’t come for free) and the AWS Marketplace to find and start using software applications on the AWS cloud.

One more point: security and compliance (security and service management are not shown as they are effectively layers that run through all of the components in the architecture) – if you implement this model in the cloud, who is responsible? Well, if you contract with Amazon, they are responsible for the AWS global infrastructure and foundation services (compute, storage, database, networking). Everything on top of that (the customisable parts: operating system patching, identity and access, application code, data) is up to the customer to secure.  Other providers may take a different approach.


Creating new endpoints to open up access to Windows Azure virtual machines

In my recent posts on creating a virtual machine on Windows Azure and connecting to a Windows computer running on Windows Azure, I mentioned endpoints but didn’t explain the process for creating new ones, i.e. opening up new ports for Internet access:

The RemoteDesktop endpoint shown above was created automatically when my virtual machine was provisioned but it may also be necessary to create new endpoints, for example allowing HTTP access over TCP port 80, HTTPS over TCP 443, etc.

To create a new endpoint, open up the virtual machine in the Windows Azure management console, then select Endpoints and click the Add Endpoint button at the bottom of the screen.  When creating endpoints, a new endpoint can be established or, if one already exists, this may be selected to load balance between multiple virtual machines. I only have a single virtual machine and so I selected add endpoint:

At this point, specify a name (HTTP would have been a better name than the one I used in the example below), select a protocol, and choose the port numbers:

The endpoint will then be created and the virtual machine will be accessible using the chosen protocol and port numbers:

To test the connection, I connected to my virtual machine over RDP and configured Windows Server roles/features in Server Manager (I installed IIS, just to prove that the machine was Internet-connected – but the server could be running any workload). Then, I connected to my virtual machine’s public DNS using a web browser (I could also have used the public virtual IP address shown in the dashboard for the virtual machine):
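The portal steps above can also be done from PowerShell, which is also the easiest place to do something the portal doesn't prompt you about: the auto-created RemoteDesktop endpoint is open to the whole Internet, and an endpoint ACL can narrow it to a management subnet. The following is an added example, not from the original post: it uses the classic Windows Azure module (Get-AzureVM, Add-AzureEndpoint, Set-AzureEndpoint, New-AzureAclConfig, Set-AzureAclConfig, Update-AzureVM) and assumes a selected subscription. The service and VM names reuse the post's mwil-playground; the admin subnet is a placeholder from the RFC 5737 documentation range.

```powershell
# Added example (not from the original post): open HTTP/HTTPS endpoints on a classic
# Windows Azure VM and restrict the RemoteDesktop endpoint to a known subnet.
# Assumes the classic "Azure" module and an already-selected subscription.
$serviceName = 'mwil-playground'   # cloud service (the *.cloudapp.net name)
$vmName      = 'mwil-playground'
$adminSubnet = '203.0.113.0/24'    # hypothetical management network

$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName

# Public web endpoints: these are meant to be reachable from anywhere.
$vm = $vm |
    Add-AzureEndpoint -Name 'HTTP'  -Protocol tcp -LocalPort 80  -PublicPort 80 |
    Add-AzureEndpoint -Name 'HTTPS' -Protocol tcp -LocalPort 443 -PublicPort 443

# RDP should not be Internet-wide. Endpoint ACLs deny everything that is not
# explicitly permitted once a Permit rule exists, so one rule is enough.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -Action Permit -RemoteSubnet $adminSubnet -Order 10 `
    -Description 'RDP from admin network only' -ACL $acl

$rdp = Get-AzureEndpoint -VM $vm | Where-Object { $_.Name -eq 'RemoteDesktop' }
$vm = $vm | Set-AzureEndpoint -Name $rdp.Name -Protocol $rdp.Protocol `
    -LocalPort $rdp.LocalPort -PublicPort $rdp.Port -ACL $acl

# Nothing is applied until Update-AzureVM pushes the configuration to the platform.
$vm | Update-AzureVM

# Verify what is now exposed and which endpoints carry an ACL.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureEndpoint |
    Select-Object Name, Protocol, Port, LocalPort, Acl
```

If a virtual network with a site-to-site VPN is in place, the better option is to remove the RemoteDesktop endpoint altogether (Remove-AzureEndpoint) and connect to the VM's internal address instead.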



Connecting to a Windows computer running on Windows Azure

In yesterday’s post about creating a virtual machine in Windows Azure, I left out the details for connecting to the virtual machine.

Virtual machine connections are controlled using endpoints, like the one shown below:

In this case, the endpoint for RemoteDesktop was created automatically as part of the virtual machine creation process so it’s pretty simple to connect to the virtual machine. Just fire up a Remote Desktop client and connect to the DNS name given to the virtual machine when it was created (in my case, that was mwil-playground.cloudapp.net). Alternatively, click the Connect button at the bottom of the Windows Azure management console:

Then, follow the prompts to:

  • Connect to a computer with an unknown publisher:
  • Provide appropriate credentials:
  • Confirm that there is no certificate to validate the connection (the VM presents a self-signed RDP certificate, so the client cannot verify who is at the other end; for anything beyond a playground machine, compare the thumbprint in the warning with the certificate in the VM’s own store before accepting it):
(Management certificates can be uploaded in the Windows Azure management console, but those authenticate management API and PowerShell access to the subscription rather than RDP sessions, and are outside the scope of this post.)
After a short while, during which remote desktop configures the session, a connection should be made and the operating system can be administered as normal:


Creating a virtual machine on Windows Azure in 10 easy steps

Despite my reservations about Microsoft’s charging model for Windows Azure’s virtual machine (IaaS) capabilities, I was interested enough to take a look after last week’s Microsoft Tech.Days Online event. I signed up for a 90 day (750-hours/month) free trial (which, on the face of it, seems pretty poor in comparison to the 1 year free usage tier from Amazon but, because Amazon have to license Windows, and Microsoft can presumably cross-charge itself, Windows virtual machines are excluded from Amazon’s trial).

It was amazingly simple to get myself up and running with a new virtual machine and I thought I’d demonstrate that here:

  1. If you don’t already have one, sign up for a Windows Azure account and log on to the Windows Azure management console.
  2. On the All Items pane, select Create An Item:
  3. Select Virtual Machine and then From Gallery:
  4. Choose an operating system for the virtual machine, for example Windows Server 2012:
  5. Give the virtual machine a name, supply an Administrator password, and select a size (if you’re using the free trial, then you’ll want to select the small option):
  6. This will be a standalone virtual machine, but it needs a DNS name (for access from the Internet), some storage (I auto-generated the storage) and a region/affinity group/virtual network (I selected the West Europe region, as I’m in the UK and didn’t yet have any virtual networks assigned):
  7. The availability set is not really of any significance when running a single VM, so I left this as none:
  8. Windows Azure will start to provision the virtual machine:
  9. Once completed, the newly-created virtual machine and associate storage will be visible in the console:
  10. Click on the virtual machine name to access the virtual machine dashboard which contains performance information as well as configuration details. From here, you can make further configuration changes (e.g. creating endpoints for access to the virtual machine):
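The ten steps above can be driven from PowerShell so the build is repeatable and doesn't depend on clicking the right gallery image each time. What follows is an added example, not from the original post: it uses the classic Windows Azure module (Get-AzureVMImage, New-AzureVMConfig, Add-AzureProvisioningConfig, New-AzureVM, Set-AzureSubscription) and assumes Add-AzureAccount/Select-AzureSubscription has already been run and that the named storage account already exists in the chosen region. The service, VM, storage account and admin user names are placeholders. Two things it does that the portal doesn't push you towards: it avoids calling the local administrator "Administrator", and it refuses an obviously weak password before sending it to Azure.

```powershell
# Added example (not from the original post): create a Windows Server 2012 VM from the
# gallery with the classic "Azure" module. Assumes an already-selected subscription.
$serviceName    = 'mwil-playground'    # becomes <name>.cloudapp.net
$vmName         = 'mwil-playground'
$location       = 'West Europe'
$storageAccount = 'mwilplayground'     # hypothetical; must already exist in $location

# Pick the newest Windows Server 2012 gallery image rather than hard-coding an image
# name that changes with each monthly patch release.
$image = Get-AzureVMImage |
    Where-Object { $_.ImageFamily -eq 'Windows Server 2012 Datacenter' } |
    Sort-Object PublishedDate -Descending |
    Select-Object -First 1
if (-not $image) { throw 'No Windows Server 2012 Datacenter image found in the gallery' }

# Don't use "Administrator" and don't embed the password in the script: prompt for it
# and enforce a minimum before it leaves this machine.
$adminUser = 'mwadmin'
$cred  = Get-Credential -UserName $adminUser -Message 'Password for the VM administrator'
$plain = $cred.GetNetworkCredential().Password
if ($plain.Length -lt 12 -or $plain -notmatch '[A-Z]' -or $plain -notmatch '[a-z]' -or $plain -notmatch '\d') {
    throw 'Use at least 12 characters with upper case, lower case and digits'
}

# Tell the module where to put the OS disk VHD (the portal auto-generates this for you).
Set-AzureSubscription -SubscriptionName (Get-AzureSubscription -Current).SubscriptionName `
    -CurrentStorageAccountName $storageAccount

# Build the configuration and create the VM (and its cloud service) in one call.
$vmConfig = New-AzureVMConfig -Name $vmName -InstanceSize Small -ImageName $image.ImageName |
    Add-AzureProvisioningConfig -Windows -AdminUsername $adminUser -Password $plain

New-AzureVM -ServiceName $serviceName -Location $location -VMs $vmConfig

# Wait for provisioning to finish, then show the basics the dashboard would.
do {
    Start-Sleep -Seconds 30
    $vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
} until ($vm.InstanceStatus -eq 'ReadyRole')
$vm | Select-Object Name, InstanceSize, IpAddress, DNSName, InstanceStatus
```

Small is the right instance size for the free trial, as in step 5; the -AdminUsername parameter needs a version of the module from after the original IaaS preview (earlier builds always created the account as Administrator).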



Windows Azure IaaS pricing “gotcha”

One of the concerns with moving more infrastructure services into a public cloud is cost. It’s all very well that the costs are low, and that the CapEx has switched to OpEx but it’s also good to be able to budget. Subscription-based charging models can make that difficult at times.

Over the last couple of weeks, I’ve been brushing up my knowledge of both Amazon’s and Microsoft’s infrastructure as a service (IaaS) offerings and I found something that’s quite alarming. Not only is the Windows Azure IaaS offering less fully-featured than Amazon EC2 but, from a cursory glance, it could potentially cost a lot more because of the way that Microsoft charges for compute service provision.

Whereas Amazon only charges for the hours when a virtual machine is “powered on”, Microsoft charges for the fact that the virtual machine has been provisioned, regardless of whether it’s actually doing anything.  This sounded odd, so I asked a question of one of the evangelists at Microsoft UK, who used a rental car analogy to explain that when I have a virtual machine deployed in Azure I’ve still taken resources that can’t be allocated to someone else until I “undeploy” it (think of booking and returning the hire car). On the other hand though, Amazon only charges for the time I use the virtual machine (although I will of course have to pay for the storage that it is actually using), so the analogy is more one of a pool of shared cars.

Microsoft using rental car analogy for Azure IaaS: VM charged whether running or not; think Amazon EC2 is more like car share! #TechDays2012
Mark Wilson

I tried to confirm this with Amazon Web Services (@awscloud) and Microsoft Windows Azure (@windowsazure) but have not received a response at the time of writing; however Dave Hood alerted me to a clause in the Windows Azure pricing details:

“Compute hours are charged whenever the Virtual Machine is deployed, irrespective of whether it is running or not.”

That could work out quite expensive for those who have spare virtual machines deployed, ready to fire up at a moment’s notice, but not normally in operation (e.g. in a disaster recovery failover scenario).

[Update 12:22]: Microsoft’s Windows Azure team have responded via Twitter to confirm that VMs are charged, even when not running:

@ #WindowsAzure VMs are in preview. You are charged for hours even when shut down as long as the image exists in your gallery.

Tech.Days Online 2012: Day 1 (#TechDays2012)

For the last couple of years, I’ve been concentrating on IT Strategy but I miss the hands-on technology.  I’ve kind of lost touch with what’s been happening in my former world of Microsoft infrastructure and don’t even get the chance to write about what’s coming up in new releases as the powers that be have decided my little blog is not on their RADAR (to be honest, I always suspected they had me mixed up with another Mark Wilson, who writes at Gizmodo!).

Anyway, I decided to dip into the pool again and see what Microsoft is up to in its latest releases, with two day-long virtual events under the Microsoft Tech.Days Online banner.

Presented by members of the UK evangelist team, Simon May (@simonster), Andrew Fryer (@DeepFat) and Steve Plank (@plankytronixx), day 1 focused on Windows Server and Azure, whilst day 2 will be about Windows 8 and System Center.

So, what did I learn?  Far too much for a single blog post, but here are the highlights from day 1…

Windows Server 2012

Windows Server 2012 looks to be a significant step forward from 2008 R2. The full list of what’s new is extensive but the main focus is on Microsoft’s “next generation” file server, management, virtualisation and networking:

  • “Next generation” file server. Ignore the next generation part – after all, it’s just marketing speak to make a file server sound interesting (some of us remember the early battles between Novell NetWare and Windows NT!) – but there are some significant improvements in Windows Server’s file capabilities.
  • When it comes to management:
    • Windows can be used to manage non-Windows environments and vice versa.  The details were pretty sketchy in yesterday’s event, but apparently Microsoft now understands that we all run heterogeneous environments!
    • Automation continues to be at the heart of the management story, with both DISM and PowerShell.
    • There’s a new version of PowerShell (v3), which promises to be more intuitive as a result of the Integrated Scripting Environment with IntelliSense as well as adding robust sessions that persist across connection dropouts and even reboots, together with simple creation of parallel workflows.  The good news (although you wouldn’t know it from yesterday’s session) is that PowerShell 3 is also available for Windows 7 and Server 2008 (SP2 or later).
    • Remote management is enabled by default.
    • Server Core is still there, but MinShell is another attempt to reduce the attack surface of Windows Server, providing GUI management tools, without a GUI, as described by Mitch Garvis.
  • Virtual machine mobility provides new scenarios for migrating resources around the enterprise:
    • Using shared storage with live migration now supporting VMs on non-clustered hosts (just on an SMB share).
    • By live migrating storage between hosts, moving the virtual disks attached to a running virtual machine from one location to another.
    • With shared-nothing live migration.
    • Using new Hyper-V replica functionality to replicate virtual machines between sites, e.g. in a disaster recovery scenario.
    • There’s also a new VHDX format for larger virtual disks, released as an open specification.
  • Enhanced networking:
    • Windows Server now has built-in NIC teaming (load balancing/failover, or LBFO), described by Don Stanwyck in Yegal Edery’s post.
    • Network virtualisation allows the creation of a multi-tenant virtual network environment on top of the existing infrastructure, decoupling network and server configuration.

Windows Server 2012 is already available but an evaluation edition is also available as an ISO or a VHD.
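Two of the management points above deserve a concrete look: "remote management is enabled by default" means the WinRM listener is up before you have decided who may talk to it, and the PowerShell 3 robust sessions change how long-running remote work is done. The following is an added example, not from the event or the original post. The first part runs on a Windows Server 2012 machine (elevated) and tightens the default listener; the second runs from a management workstation and shows a disconnected session surviving the client going away. The server name, admin subnet and the work done in the session are placeholders; it assumes a domain-joined server reachable over WinRM with Kerberos.

```powershell
# Added example (not from the original post).
# ---- Part 1: on the Windows Server 2012 box, elevated ----
# Remote management is on by default; before relying on it, check what the listener
# accepts. Basic auth and unencrypted transport should both be off; Kerberos/Negotiate
# over HTTP is still protected by WinRM's message-level encryption.
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value
Get-Item WSMan:\localhost\Service\AllowUnencrypted | Select-Object Name, Value
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# Limit who can reach the listener at all: scope the built-in inbound rule to the
# management network (hypothetical subnet) instead of leaving it open to any address.
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress '10.0.0.0/24'

# ---- Part 2: on the management workstation ----
$server = 'srv01'   # placeholder

# Start the work in a session that is disconnected immediately; it keeps running on the
# server whether or not this workstation stays connected (or stays switched on).
Invoke-Command -ComputerName $server -SessionName 'patching' -InDisconnectedSession -ScriptBlock {
    Start-Sleep -Seconds 120                                  # stands in for a long task
    Get-WindowsFeature | Where-Object Installed | Select-Object -ExpandProperty Name
}

# Later, from the same or another workstation as the same user, reconnect and collect
# the output. Receive-PSSession connects to the named session and drains its results.
Receive-PSSession -ComputerName $server -Name 'patching'

# Tidy up: the session persists on the server until it is removed or times out.
Get-PSSession -ComputerName $server -Name 'patching' | Remove-PSSession
```

The disconnected session is owned by the user who created it, so the reconnect has to be made with the same account; that is the property that makes the "persist across dropouts" feature safe to use rather than a way for someone else to pick up your session.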

Windows Azure

Windows Azure has been around for a while, but back in my days as an MVP (and when running the Windows Server User Group with Mark Parris), I struggled to get someone at Microsoft to talk about it from an IT Pro perspective (lots of developer stuff, but nothing for the infrastructure guys). That changed when Steve Plank spent an entire afternoon on the topic today.

In summary:

  • Windows Azure has always provided PaaS but it now has IaaS capabilities (although they don’t sound to be as mature as Amazon’s offerings, they might better suit some organisations).
  • When deploying to the cloud, the datacentre or affinity group is selected. Azure services are available in eight datacentres around the world, with 4 in the US, 2 in Europe and 2 in Asia.
  • Applications are deployed to Azure using an XML service model.
  • Virtual machines in Azure differ from the cloud platform services in that they still require management (patching, etc.) at the operating system level.  They may be deployed using a REST API, scripted (e.g. using PowerShell), or created inside a management portal.
  • Virtual hard disks may be uploaded to Azure (they are converted to BLOB storage), or new virtual machines created from a library and it’s possible to capture virtual machines that are not running as images for future deployment.  Virtual machine images may also be copied from the cloud for on-premise deployment.
  • If two virtual machines are connected inside Azure, both are on the same network, which means they can connect to the same load balancer.
  • Virtual networks may be used to connect on premise networks to Windows Azure, or completely standalone Azure networks can be created (e.g. with their own DNS, Active Directory, etc.)
  • When using a virtual network inside Azure, addresses are not something you assign yourself: the platform allocates a DIP (dynamic IP) to each virtual machine and hands it to the guest over DHCP, so the operating system must be left configured for DHCP (a static address set inside the guest will be lost). Each cloud service has a single public IP address for Internet access, with port forwarding (endpoints) used to reach individual hosts behind it.
  • Inside Azure, operating system disks are cached (for performance) but data disks are not (for integrity). Consequently, when installing roles that keep a database on disk (such as Active Directory Domain Services), make sure the database and its logs are on a data disk.
  • Applications on Azure may be federated with on-premise infrastructure (e.g. Active Directory). Alternatively, a new service is currently in developer preview called the Windows Azure Active Directory. This differs significantly from the normal Active Directory role in Windows Server (which may also be deployed to a virtual machine on Azure) in that: it has a REST API (the Graph API), not an LDAP one; it does not use Kerberos; and it is accessed as an endpoint – i.e. individual instances are not exposed. Windows Azure Active Directory is related to the Office 365 Directory (indeed, logging on to the Windows Azure Active Directory preview shows me my Office 365 details).  Single sign on with Windows Azure Active Directory is described in detail in a post by Vittorio Bertocci.
  • Microsoft provides service level agreements for Azure availability, not for performance. These are based around fault domains and update domains.
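The disk-caching and DHCP points above are the two that bite when you build a domain controller in Azure, so here they are as an added example (not from the event or the original post). Part 1 runs on a management workstation with the classic Windows Azure module (Get-AzureVM, Add-AzureDataDisk, Update-AzureVM) against an existing VM; part 2 runs inside that VM once the disk has been attached and uses the Windows Server 2012 storage, networking and AD DS cmdlets. The service, VM and domain names are placeholders.

```powershell
# Added example (not from the original post): put the AD database on an uncached data
# disk and leave the guest NIC on DHCP, as the Azure guidance above requires.

# ---- Part 1: management workstation, classic "Azure" module, subscription selected ----
$serviceName = 'mwil-playground'   # placeholder
$vmName      = 'dc01'              # placeholder

# HostCaching None is the default for data disks; stating it makes the intent explicit.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB 20 -DiskLabel 'ADData' -LUN 0 -HostCaching None |
    Update-AzureVM

# ---- Part 2: inside the VM, elevated ----
# The DIP is only kept while the guest keeps requesting it; a static address configured
# in the guest is not honoured by the platform, so refuse to continue if someone set one.
$static = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notlike 'Loopback*' -and $_.Dhcp -eq 'Disabled' }
if ($static) { throw 'Guest NIC has a static address; leave it on DHCP in Azure' }

# The new LUN arrives as a raw disk; bring it online as F: (GPT, NTFS).
$disk = Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' } | Select-Object -First 1
if (-not $disk) { throw 'No uninitialised data disk found; was Add-AzureDataDisk applied?' }
$disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter F -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADData' -Confirm:$false

# Promote, keeping NTDS, the logs and SYSVOL off the (write-cached) OS disk.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName 'corp.example' -DomainNetbiosName 'CORP' `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
    -InstallDns -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force
```

After the reboot, check with Get-ADDomainController that the DC came up, and point the virtual network's DNS setting at the DC's DIP so other VMs on the network can find it.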

A Windows Azure pricing calculator is available, as is a 90-day free trial.

Photograph of Steve Plank taken from the TechNet UK Facebook page.


Microsoft’s Windows Azure datacentres: some statistics

Last week I blogged about designing a private cloud infrastructure, based on the practices employed by the major cloud service providers.

Today I got a taste of the scale of some of those cloud operations, when Microsoft gave an online presentation on Windows Azure to their International Customer Advisory Board (ICAB) for Server and Cloud (of which I’m a participant).

Remember the shipping containers that I mentioned as units of scale in a modern datacentre? Here are a few stats about Microsoft’s Azure datacentres:

  • Each datacentre runs at around 95°F (or 35°C): that’s pretty warm but, even though there is air conditioning installed, it’s rarely used, as the containers are self-cooling (using a water system).
  • Containers are stacked in units that are two high and then connected to power, water and networks. (Now that’s some appliance!)

Microsoft's Azure appliances

  • Each container unit contains around 2500 servers and a whole datacentre has 360,000 servers.

Inside one of the containers

  • The containers are normally dark – I described resource decay in my earlier post – that means that it’s rarely necessary to enter the datacentre.
  • In fact, the datacentres are so highly automated, that there are just 12 staff: 9 armed security guards and 3 administrators. (I’m guessing that’s working 3 shifts, so only 3 or 4 on duty at any one time.)
  • Humans are never alone – systems exist to ensure that people can only enter in pairs, and leave in pairs too.
  • So far, Microsoft has spent $2.5bn on its six Azure data centres, with more planned (and that doesn’t include the datacentres for its other operations).

Resources from recent Windows Server User Group Live Meeting

Thanks to everyone who attended the rescheduled Live Meeting last month on Connecting on-premise applications with the Windows Azure platform (with Allan Naim and Phil Winstanley).

Unfortunately the gremlins didn’t subside – after rescheduling the event I was unable to get a microphone working – which is a bit of an issue for a facilitator (thanks to Phil for stepping up to the mark) and the Live Meeting recording has not worked completely either.

Nevertheless, resources from the event (slide deck, audio recording, demonstration video, readme file and Live Meeting recordings) are now available.

For information on future Windows Server User Group events, check the WSUG blog or follow @windowsserverug on Twitter.

[A version of this post also appears on the Windows Server User Group blog]
[Updated 18 April 2011: Live Meeting recordings are now available]
