Is Europe Going to “F-35” American Clouds?

There is no doubt that we are living in interesting times. It feels a little “Reservoir Dogs” in Europe these days: “There are threats to the east, threats to the west, and we’re stuck in the middle EU”. Those threats from the west have degraded trans-Atlantic trust more than at any time in history. European organisations are starting to question the use of American-owned clouds from Microsoft, Amazon, Google, and others. Could this lead to them treating those clouds the way some are demanding that NATO members treat their F-35 fighter jet orders, by cancelling them?

I am not a political commentator. I have personal opinions, and I don’t intend to force them on you. This post is going to discuss how things are – we can agree to disagree on the why’s, the who’s etc.

The Threats

I don’t really know the awareness levels of this topic across the world, so I’m going to cover it very briefly.

Russia

Eastern European companies have a huge fear of Russia. I wasn’t all that familiar with the level of preparation/fear until recently. Countries like the Baltic states and Finland have been ready for many years – Finland since Russia invaded during WW2 and the Baltic states since they got their independence from the USSR.

If past patterns repeat (and history tells us that they will), Russia will re-arm once peace is negotiated in Ukraine. Russia will then look elsewhere – The Baltic states, or Georgia again, or who knows.

The USA

The USA has shattered all kinds of trust since January of this year:

  • Making demands to take Greenland, a territory of Denmark.
  • Threatening a trade war with the EU.
  • Rejecting various treaties that were signed by the USA, including some that were negotiated by Donald Trump (the trade agreement with Canada, for example).
  • Cancelling supplies of military hardware to Ukraine.
  • Cosying up to Russia and adopting the talking points of the Russian government.

Several NATO members have contracts in-place to purchase the F-35 fighter jet from the USA. Many in those countries are calling for those contracts to be torn up because they cannot trust that the USA will continue to supply parts for the maintenance-heavy F-35.

A change of government in the USA will not return trust – a new president might enter 4 years after the change and tear up treaties all over again. There is no respect for existing treaties anymore.

IT Relevance

In the IT world, we have two fears regarding the USA:

  1. The USA could tear up treaties regarding data privacy – we could see the USA demanding access to private EU data that is hosted by American-owned cloud services.
  2. An escalation of political or even military events might lead to the USA ordering that US-owned cloud services terminate access for European customers. We have to remember that many decisions are now emotional, not logical.

What Is Happening Now?

There has been a little bit of chatter about not using the USA-owned hyper-scalers. I wondered about this and I ran a poll on LinkedIn. I know that this kind of poll is far from scientific: my audience is skewed and the pool of respondents was small.

I posted the poll after the disastrous press conference with Ukraine’s President Zelenskyy and Donald Trump. I asked Europeans to answer if their organisations were considering not using USA-owned cloud services.

Honestly, I thought that few would vote Yes. I was surprised to see that 60% of respondents said that they were considering only using non-USA cloud services.

Wired ran a story, Trump’s Aggression Sours Europe on US Cloud Giants, where they reported that:

The global backlash against the second Donald Trump administration keeps on growing. Canadians have boycotted US-made products, anti-Elon Musk posters have appeared across London amid widespread Tesla protests and European officials have drastically increased military spending as US support for Ukraine falters. Dominant US tech services may be the next focus.

The article goes on to explain that some organisations are:

  • Pulling back from the likes of Azure/etc and choosing on-premises platforms or European-owned “cloud” operators.
  • Cancelling plans to move to hyperscale clouds.

Don’t get me wrong – this is not an avalanche. This is a few organisations today. But will that change? Will it become a flood?

What Are The Options?

If you believe that USA-owned clouds are not a viable future then I would argue that USA-owned IP also is not viable. For example, Windows and VMware would not be viable because a US government could order the termination of support (tech support, updates including security fixes, upgrades, etc) for specific countries or regions.

I hate to admit it: the city of Munich might have been ahead of their time. Munich decided to start the journey to dump Microsoft software and shift to open source back in 2004. I, like many others, laughed at that concept. And history proved that we were probably right – the journey would be expensive and very difficult thanks to a legacy of Windows-based applications and a huge dependency on a diverse ecosystem of Windows-based applications. The journey was a rollercoaster and one can argue that it was a failure. But maybe, just maybe, they were right but:

  • For the wrong reasons
  • They were 20 years too early

I would argue that the EU needs to establish a native IT ecosystem that is independent of the USA. That means:

  • Creating an EU Linux distro.
  • Funding a Manhattan Project style project to R&D relevant technologies and services in cooperation with suitable tech expert corporations from the EU. This will result in the construction of cloud-scale data centers with minimally viable software-defined services to enable migration from existing cloud services.

Will this happen? I don’t know. I have little faith in politicians of any background. They are usually self-interested and slow to enact painful change.

I think change is required, and I believe that change will be expensive and disruptive. I hate that it’s necessary. I’ve built a career on the Microsoft stack. I truly believe that Microsoft means the best – note that Satya Nadella is one of the few tech giant CEOs not to be visibly supporting the current administration in the USA. Microsoft is stuck between a rock and a hard place. They cannot be seen to be critical of Donald Trump because they would find their government contracts being cancelled – despite all of the damage that would cost to the USA. And they cannot openly support the administration because of the inevitable reactions from their diverse staff and their global customers. But here we are. Let’s see how things progress.

My Experience at Cloud & Datacenter Conference Germany

Last week I was in Munich for the Cloud & Datacenter Germany conference. I landed in Munich on Wednesday for a pre-conference Hyper-V community event, and 2 hours later I was talking to a packed room of over 100 people about implementing Azure Site Recovery with Windows Server 2016 Hyper-V. This talk was very different to my usual “When Disaster Strikes” talk; I wanted to do something different so instead of an hour of PowerPoint, I had 11 slides, half of which were the usual title, who I am, etc, slides. Most of my time was spent doing live demos and whiteboarding using Windows 10 Ink on my Surface Book.


Photo credit: Carsten Rachfahl (@hypervserver)

On Friday I took the stage to do my piece for the conference, and I presented my Hidden Treasures in Windows Server 2016 Hyper-V talk. This was slightly evolved from what I did last month in Amsterdam – I chopped out lots of redundant PowerPoint and spent more time on live demos. As usual with this talk, which I’d previously done on WS2012 R2 for TechEd Europe 2014 and Ignite 2015, I ran all of my demos using PowerShell scripts.


Photo credit: Benedikt Gasch (@BenediktGasch)


One of the great things about attending these events is that I get to meet up with some of my Hyper-V MVPs friends. It was great to sit down for dinner with them, and a few of us were still around for a quieter dinner on the Friday night. Below you can see me hanging out with Tudy Damian, Carsten Rachfahl, Ben Armstrong (Virtual PC Guy), and Didier Van Hoye.


As expected, CDC Germany was an awesome event with lots of great speakers sharing knowledge over 2 days. Plans have already started for the next event, so if you speak German and want to stay up to speed with Hyper-V, private & public cloud in the Microsoft world, then make sure you follow the news on https://www.cdc-germany.de/

Irish Government Cancels Cloud Project

Anyone working in “cloud computing” in Ireland had heard that the Irish government had launched a process to deploy a “private cloud” that would be engineered by external service providers, but owned and located by the Irish state. It sounded like the project from hell/heaven, with a list of pre-approved cloud vendors/services.

The Irish Times reports that this project has been cancelled, and instead, they’re going with a shared computing model based on a single Government-owned cloud.

In my opinion, this is the way forward. Now I wonder if Microsoft will pitch CPS at this 🙂

ADFS Authentication Via Azure

I’ve recently started doing lots of presentations on Azure thanks to the release of Azure via Open licensing. People wonder what the scenarios are where an SME would deploy machines in Azure and on premises. Here’s one I came up with this morning (an evolution of one I’d looked at before).

I was chatting with one of my colleagues about a scenario where a customer was looking at deploying ADFS to provide Office 365 authentication for a medium-sized multinational company. I wondered why they didn’t look at using Azure. Here’s what I came up with.

Note: I know SFA about ADFS. My searches make me believe that deploying a stretch ADFS cluster with a mirrored SQL backend is supported.


The company has two on-premises networks, one in Ireland and one in the USA. We’ll assume that there is some WAN connection between the two networks with a single AD domain. They have users in Ireland, the USA, and roaming. They want ADFS for single sign-on and they need it to be HA.

This is where companies normally think about deploying ADFS on-premises. Two issues here:

  • You need local infrastructure: Not so bad if you have spare license and hardware capacity on your hosts, but that’s not a given in an SME.
  • Your ISP becomes a risk: You will place ADFS on premises. Your office has a single Internet connection. A stray digger or ISP issue can put the entire business (not just that office) out of action because ADFS won’t be there for roaming/remote users to authenticate with O365.

So my original design was to stretch the network into Azure. Create a virtual network in an Azure region that is local to your Office 365 account (for example, an Irish O365 customer would deploy a virtual network in Azure Europe North). Create a site-to-site VPN network to connect the on-premises network to the Azure VNet. Then deploy an additional DC, in the same domain as on-premises, in the Azure VNet. And now you can create an ADFS cluster in that site. All good … but what about the above multi-national scenario? I want HA and DR.

Deploy an Azure VNet for the Ireland office (Azure Europe North) and for the USA office (Azure USA East) and place virtual DCs in both. Connect both VNets using a VPN. And connect both on-premises networks to both VNets via site-to-site VPNs. Then create an ADFS stretch cluster (mirrored SQL cluster) that resides in both VNets. Now the company’s users (local, roaming and remote) have the ability to authenticate against O365 using ADFS if:

  • Either or both local on-premises networks go offline
  • Either Azure region goes offline

As I said, I am not an ADFS person, so I’ll be interested in hearing what those who know ADFS think of this potential solution.

TechCamp 2014 Presentation – Hybrid Cloud Using Microsoft Azure

This presentation was an introduction for IT pros to deploying hybrid cloud solutions based on Microsoft Azure, in conjunction with on-premises Hyper-V / System Center deployments. Here’s the deck that I presented … and yes … there are LOTS of slides because there is constantly new stuff in Azure.


Using WatchGuard XTM To Create A Hybrid Cloud With Windows Azure

My job is weird. I basically get told to learn something and spend time promoting it, teaching it, assisting with it to a Microsoft partner audience in Ireland. Lately we’ve taken on some hardware products and I’ve also been given a target to promote Windows Azure. So I’ve been spending time in the lab at work and in Windows Azure.

The latest “mini project” that I set for myself was to create a hybrid cloud, merging my on-premise Hyper-V farm (with SMB 3.0 storage on DataOn Storage JBOD) with VMs running in Windows Azure. Traffic between the two “sites” would be via a secure site-site VPN tunnel. This is Microsoft’s strategy: hybrid cloud.

The On-Premise VPN Concentrator

The first step in that was to get a new firewall appliance operational. Although you can use an on-premise Windows Server to create a site-site VPN connection, I don’t like that option. I’d rather use an edge appliance so my routing can be simplified.

Note: I’m documenting my experience instead of the specific instructions. You’ll read why later.

My employers recently started distributing the XTM range of universal threat management (UTM) firewall appliances from WatchGuard to the Irish reseller market. I have an old 2 series appliance in my lab, equipping me with firewall, AV, URL management, wireless and VPN connectivity. While the hardware might be old, it’s running the latest software and management interface and gives me all the same functionality as the latest and largest 8 series appliances from WatchGuard (just with smaller scalability).

WatchGuard 2 series XTM

I placed the WatchGuard behind the Netgear ADSL router, and enabled port passthrough from the router to the firewall:

  • L2TP port: UDP 1701
  • IPsec port: UDP 500
  • IKEv2 port: UDP 4500

My internal network is physical, operating on 172.16.1.0/24, with the XTM being the default gateway on 172.16.1.1.

Enabling Site-Site VPN in Windows Azure Virtual Networking

The next thing I did was sign into Windows Azure and create a virtual network. It’s not quite obvious, but what you are doing in the Azure portal is creating software-defined networks using Hyper-V Network Virtualization. I created a virtual network called 10.0.0.0/16 and then created 3 virtual subnets:

  • 10.0.0.0/24
  • 10.0.1.0/24
  • 10.0.2.0/24

Any virtual machines I created would reside in those subnets and be assigned IPs from those pools (they appear like DHCP addresses in the guest OS). Note that Azure uses a few of the IPs in each virtual subnet and that the subnets will route automatically to each other within the virtual network.

An additional gateway subnet was created on 10.0.255.0/24.
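The address plan above (a 10.0.0.0/16 VNet, three /24 subnets, a gateway subnet, and an on-premises 172.16.1.0/24 LAN joined by a site-to-site VPN) only routes cleanly if the two sides do not overlap and every subnet fits inside the VNet. The following is an added example, not code from the original post or from WatchGuard or Microsoft, that checks such a plan and shows why the first VM lands on 10.0.0.4: Azure reserves the first four addresses and the last address of each subnet. The subnet names are constructed for the example; the CIDR ranges are the ones in the post.

```python
import ipaddress
from typing import Dict, List, Union

Net = Union[str, ipaddress.IPv4Network]

# Constructed lab plan using the ranges from the post: the physical on-premises
# LAN and the Windows Azure virtual network with its subnets (names are assumed).
ONPREM_LAN = "172.16.1.0/24"
VNET = "10.0.0.0/16"
SUBNETS = {
    "subnet-0": "10.0.0.0/24",
    "subnet-1": "10.0.1.0/24",
    "subnet-2": "10.0.2.0/24",
    "GatewaySubnet": "10.0.255.0/24",  # the VPN gateway must have a subnet to live in
}

# Azure reserves the network address, the default gateway (.1), two addresses
# for Azure DNS (.2, .3) and the broadcast address, so the first VM gets .4.
RESERVED_HEAD = 4
RESERVED_TAIL = 1


def _net(n: Net) -> ipaddress.IPv4Network:
    return n if isinstance(n, ipaddress.IPv4Network) else ipaddress.ip_network(n)


def first_usable(subnet: Net) -> ipaddress.IPv4Address:
    """First address Azure will hand to a VM in this subnet."""
    return _net(subnet).network_address + RESERVED_HEAD


def usable_hosts(subnet: Net) -> int:
    """Number of addresses left for VMs after Azure's reservations."""
    return max(0, _net(subnet).num_addresses - RESERVED_HEAD - RESERVED_TAIL)


def validate_plan(onprem: Net, vnet: Net, subnets: Dict[str, str]) -> List[str]:
    """Return the problems with a hybrid address plan (an empty list means it is sound)."""
    onprem, vnet = _net(onprem), _net(vnet)
    problems: List[str] = []
    # A site-to-site VPN cannot route between two sides that share addresses.
    if onprem.overlaps(vnet):
        problems.append(f"on-premises {onprem} overlaps VNet {vnet}")
    nets = {name: _net(cidr) for name, cidr in subnets.items()}
    if "GatewaySubnet" not in nets:
        problems.append("no GatewaySubnet: the site-to-site gateway has nowhere to live")
    names = list(nets)
    for i, name in enumerate(names):
        net = nets[name]
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} lies outside VNet {vnet}")
        if usable_hosts(net) == 0:
            problems.append(f"{name} {net} has no usable addresses after Azure's reservations")
        for other in names[i + 1:]:
            if net.overlaps(nets[other]):
                problems.append(f"{name} {net} overlaps {other} {nets[other]}")
    return problems


def route_for(ip: str, onprem: Net = ONPREM_LAN, subnets: Dict[str, str] = SUBNETS) -> str:
    """Which side of the hybrid network a destination is on: the on-premises LAN,
    an Azure subnet reached over the site-to-site tunnel, or the Internet."""
    addr = ipaddress.ip_address(ip)
    if addr in _net(onprem):
        return "on-premises"
    for name, cidr in subnets.items():
        if addr in _net(cidr):
            return f"azure:{name}"
    return "internet"


if __name__ == "__main__":
    print("problems:", validate_plan(ONPREM_LAN, VNET, SUBNETS) or "none")
    for name, cidr in SUBNETS.items():
        print(f"{name:14} first VM {first_usable(cidr)}  usable hosts {usable_hosts(cidr)}")
    for dest in ("172.16.1.40", "10.0.0.4", "8.8.8.8"):
        print(f"{dest:12} -> {route_for(dest)}")
```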


My virtual network and subnets in Windows Azure

Here’s the fun bit; you can assign IP address(es) for your desired DNS server(s) in the virtual network settings. I assigned 172.16.1.40, my on-premise DC/DNS VM, as the DNS server for this in-Azure virtual network. My plan: I would only run DCs on premise, and everything in Azure would authenticate against my on-premise DCs via the VPN. Honestly, in the real world I think I would run some VMs as DCs in the same domain/forest within Azure for network fault tolerance. Old fashioned AD replication would be used, treating Azure’s virtual network as another AD site.

During the virtual network wizard, I also enabled site-site connectivity and afterwards I created a gateway. That creates the listener in Azure, on a public IP address, that allows a site-site VPN connection. A really long secret key is created. I documented all the required information and then returned to the lab.

Starting & Testing The Site-Site VPN

I logged into the console for the WatchGuard XTM and created a site-site VPN connection. The connection was initiated, and then there was suspense. In the Azure portal I could see an “attempting connection” status. That sat there for what felt like an eternity. And then … bingo! It connected.


The connected site-site VPN, details obscured

I fired up a VM in Windows Azure on my 10.0.0.0/24 network. It was assigned the first address, 10.0.0.4, with the DNS setting pointing to my on-premise DC at 172.16.1.40. With the Windows Firewall configured to allow ICMPv4 echo requests, I was able to ping in both directions.

The end result? The virtual network in Windows Azure is effectively a remote data center in my “corporate network”. My on-premise 172.16.1.0/24 can route to the 10.0.0.0/16 network/subnets in Windows Azure and back again. I can deploy VMs to the most suitable networks: on-premise or in the public cloud. If I fire up System Center VMM and App Controller, I can delegate users and give them a single portal for deploying VMs on either part of the hybrid cloud.

Some Useful Info

I had two sources of information to implement this solution.

The first was the excellent blog post by Ryan Boud called Creating a VPN between a WatchGuard XTM 510 and Windows Azure Virtual Networks. The terminology for setting up the site-site VPN is confusing: What’s a local subnet? What’s a remote subnet? It’s all relative! Ryan has excellent clear screenshots that inform you what to type where in the Windows Azure portal to create your virtual network and get the gateway operational. He also goes step-by-step through the WatchGuard XTM configuration.

The second is a set of instructions by WatchGuard. Their documentation only covers the XTM side of things but it does give you a nice method for recording the required information from the Azure portal.

Microsoft has also shared links to instructions for creating site-site VPN connections using devices from lots of manufacturers, such as Cisco, Juniper, F5, Citrix, Fortinet and Openswan.

FYI, my lab is operating on an ADSL line. It has a single IP address. I am still able to do remote device VPN into my lab. In fact, I am able to VPN into the lab from home and communicate with the Windows Azure VMs by routing through the site-site VPN connection. The Windows Azure network is really acting like a remote data center for my lab.

Summary

I thought setting the site-site VPN up between my “private cloud” and Microsoft’s public cloud was going to be a nightmare. Instead, it was easy. In fact, following Ryan’s and WatchGuard’s instructions enabled me to get it working on my first attempt. The results: magic.

Windows Azure Backup Is Generally Available & Other Azure News

The following message came in an email overnight:

Windows Azure Backup is now generally available, Windows Azure AD directory is created automatically for every subscription, and Hyper-V Recovery Manager is in preview.

What does that mean?  Some backup plans charge you based on the amount of data that you are protecting.  Personally, I prefer that approach because it is easy to predict – I have 5 TB of data and it’s going to cost me 5 * Y to protect it.  Azure Online Backup has gone with the more commonly used approach of charging you based on how many GB/month of storage that you consume on Microsoft’s cloud.  This is easy for a service provider to create bills, but it’s hard for the consumer to estimate their cost … because you have elements like deduplication and compression to account for.

The pricing of Azure Online Backup looks very competitive to me. 

Windows Azure Backup is billed in units based on your average daily amount of compressed data stored during a monthly billing period.

Some plans get the first 5GB free and then it’s €00.3724 per GB per month.  In the USA, it will be $00.50 per GB per month.  Back when I worked in backup, €1/GB per month was considered economic.

In other Azure news:

A Windows Azure AD directory is created automatically for every subscription:

Starting today, every Windows Azure subscription is associated with an autocreated directory in Windows Azure Active Directory (AD). By using this enterprise-level identity management service, you can control access to Windows Azure resources.

To accommodate this advancement, every Windows Azure subscription can now host multiple directories. Additionally, Windows Azure SDK will no longer rely on static management certificates but rather on user accounts in Active Directory. Existing Active Directory tenants related to the same user account will be automatically mapped to a single Windows Azure subscription. You can alter these mappings from the Windows Azure Management Portal.

Take advantage of the new Windows Azure Hyper-V Recovery Manager preview.

Windows Azure Hyper-V Recovery Manager helps protect important applications by coordinating the replication of Microsoft System Center clouds to a secondary location, monitoring availability, and orchestrating recovery as needed.

The service helps automate the orderly recovery of applications and workloads in the event of a site outage at the primary data center. Virtual machines are started in an orchestrated fashion to help restore service quickly.

The Euro GA pricing for Hyper-V Recovery Manager was included in the email.  It will cost 11,9152€ per virtual machine per month to use this service.  The website is not updated with GA pricing.

Hold Onto Your Knickers, I’m About To Compliment Windows Phone On Something!

As a listener to TWiT’s Windows Weekly, I’ve heard Paul Thurrott and Leo Laporte talk about Xbox Music Pass.  Also called Xbox Music, it is a leasing agreement, where for a few dollars a month, you can stream, download/play (on up to 5 devices) unlimited music.

Because of how Microsoft has typically put arbitrary regional restrictions on apps and content over the years, I assumed (Arrgh! and regulars know how I hate assumptions) that a sweet deal like this would not be available outside of the USA, or maybe the usual 7 countries.  This morning, one of my colleagues came over and asked if I’d tried Xbox Music because he was loving it.  I was … surprised.

I just checked Andrew Birch’s amazing feature availability matrix on Andrew Tech Help, and lo and behold, XBox Music is available in more (not all, not even most) countries than I expected.

My colleague has Xbox Music set up on his Windows Phone.  It’s nice and seamless.  The leasing agreement (you keep the music as long as your subscription is active) allows you to download to and play music on up to 5 devices (just like with Windows Store Apps).  We went over to his PC so I could explore.  OK, I expect to find mainstream stuff like Radiohead, David Bowie, or X-Craptor, but what about the stuff I listen to?  It’s the stuff you don’t find on music shelves (actually there are none of those anymore), but would Microsoft have bothered to add my quirky music in addition to the usual Crappy Lee Jepson or James Farter?  Yup, the albums were there.  I’m impressed.

So, in Ireland, for €99 per year, you can have unlimited music listening, legally.  New stuff and old (the stuff I searched for was released in late 80’s and mid 90’s).  You can listen on your Windows Phone or via the (XBox) Music app in Windows 8.  Searching is a fantastic experience in Windows 8 (for everything: settings, files, app content) so finding the music you want to listen to or try is superb.

There is a free 30 day trial.  I’m told it restricts the number of hours you can listen until you start to pay.  It looks like, if you start the trial it will automatically convert into a paid subscription unless you cancel.

Albums seem to be a thing of the past for most people.  You can try a new artist or style of music with no financial commitment (better than laying down €22 for a CD in a “store”), pick and choose songs you like, download them to your Windows Phone to listen to on a plane (with no Internet connection), and create playlists.  And it’s all legal.  And €100 is a paltry annual amount.

Right now Xbox Music is available on Windows Phone 8, Xbox 360 (stream only and requires Xbox Live Gold), Windows 8 and Windows RT.  Windows 7 and Windows Phone 7 are not included, and XP is well out of mainstream support so it’ll never be included.  Other services such as Spotify have great cross-platform support.  They’ll have that advantage while Xbox Music doesn’t support Android and iOS.  Allegedly, Microsoft will bring support to those two mobile device OSs sometime this year.  Back in November, Brad Chacos on PCworld.com reported:

Android and iOS support will come “within 12 months”

It’s good to see some of the “3 screens and a cloud” stuff appearing in the consumer space on Windows 8/RT, Xbox, and Windows Phone 8.

The People hub in WP8 is superb if the phone is your personal device (I still hate that it opts in social network contacts lists by default on my work device), and live tiles are better than dead icons.  Those are innovations by Microsoft (sure, MSFT are being sued over Live Tiles so there is some question there [covering my a$$]) that we should be thankful for, and that might be contributing to the aging of iOS. 

Handset hardware quality is infinitely better than it was in the last generation.  The few of us in the office that have the HTC 8x love the hardware. 

I still cannot forgive the arbitrary regional fencing of features.  There is no licensing issue for podcasts.  They are put out on the net via RSS feeds and shared via loads of catalogs.  If Microsoft can share podcasts via the Marketplace in some countries then there is absolutely no reason not to do it in all countries.  That sort of bollo% is what led me to assume (arrgh!) that Xbox Music (actual licensed content) wouldn’t be available here.


Three Quarters of Datacenter Managers Admit To Failing On Performance

There is an alarming story on TechCentral.ie this morning reporting that the majority of IT managers admit that they do not adequately manage the quality of service that their data centres (or clouds) are delivering.

A survey of over 400 European data centre managers found that while 93% of them acknowledged the criticality of optimising application performance across their data centres and networks, the large majority said they were failing to do so.

Sounds like they need to start using System Center Operations Manager to monitor network, storage, hardware (servers/blades/chassis/etc), operating systems, applications, code, services, and service level agreement from a component and a service perspective.

Embracing automation (System Center Orchestrator) and self-service (System Center Service Manager and the entire suite) frees up engineer/operator time in the cloud where data centres are filled with centralised, broadly available, and measured/controlled/secured infrastructure and services.  It is the responsibility of the data centre, as the “hosting company” of this cloud, to guarantee SLAs.  SLAs cannot be measured or met without adequate systems management.

So here’s my advice if you are setting company strategy for the cloud:

  • If you’re implementing private cloud then ask your tech staff, IT Manager, CIO (or whatever) what complete and deeply integrated/automated systems management solution they are using.  Nagios is not the correct answer because it meets none of the criteria (complete, deep, integration, automation, etc).  Make sure you’re going to see quarterly/annual reports appearing automatically in your inbox or on a SharePoint site for you to review.
  • If you’re about to place your services in a public cloud, ask the same question.  And make sure you have visibility of the monitoring for yourself.