My Experience at Cloud & Datacenter Conference Germany

Last week I was in Munich for the Cloud & Datacenter Germany conference. I landed in Munich on Wednesday for a pre-conference Hyper-V community event, and 2 hours later I was talking to a packed room of over 100 people about implementing Azure Site Recovery with Windows Server 2016 Hyper-V. This talk was very different to my usual “When Disaster Strikes” talk; I wanted to do something different, so instead of an hour of PowerPoint I had 11 slides, half of which were the usual title, who I am, etc. slides. Most of my time was spent doing live demos and whiteboarding using Windows 10 Ink on my Surface Book.


Photo credit: Carsten Rachfahl (@hypervserver)

On Friday I took the stage to do my piece for the conference, and I presented my Hidden Treasures in Windows Server 2016 Hyper-V talk. This was slightly evolved from what I did last month in Amsterdam – I chopped out lots of redundant PowerPoint and spent more time on live demos. As usual with this talk, which I’d previously done on WS2012 R2 for TechEd Europe 2014 and Ignite 2015, I ran all of my demos using PowerShell scripts.


Photo credit: Benedikt Gasch (@BenediktGasch)


One of the great things about attending these events is that I get to meet up with some of my Hyper-V MVP friends. It was great to sit down for dinner with them, and a few of us were still around for a quieter dinner on the Friday night. Below you can see me hanging out with Tudy Damian, Carsten Rachfahl, Ben Armstrong (Virtual PC Guy), and Didier Van Hoye.


As expected, CDC Germany was an awesome event with lots of great speakers sharing knowledge over 2 days. Plans have already started for the next event, so if you speak German and want to stay up to speed with Hyper-V, private & public cloud in the Microsoft world, then make sure you follow the news on https://www.cdc-germany.de/

Irish Government Cancels Cloud Project

Anyone working in “cloud computing” in Ireland had heard that the Irish government had launched a process to deploy a “private cloud” that would be engineered by external service providers, but owned and located by the Irish state. It sounded like the project from hell/heaven, with a list of pre-approved cloud vendors/services.

The Irish Times reports that this project has been cancelled, and instead, they’re going with a shared computing model based on a single Government-owned cloud.

In my opinion, this is the way forward. Now I wonder if Microsoft will pitch CPS at this 🙂

ADFS Authentication Via Azure

I’ve recently started doing lots of presentations on Azure thanks to the release of Azure via Open licensing. People wonder what the scenarios are where an SME would deploy machines in Azure and on premises. Here’s one I came up with this morning (an evolution of one I’d looked at before).

I was chatting with one of my colleagues about a scenario where a customer was looking at deploying ADFS to provide Office 365 authentication for a medium-sized multinational company. I wondered why they didn’t look at using Azure. Here’s what I came up with.

Note: I know SFA about ADFS. My searches make me believe that deploying a stretch ADFS cluster with a mirrored SQL backend is supported.


The company has two on-premises networks, one in Ireland and one in the USA. We’ll assume that there is some WAN connection between the two networks with a single AD domain. They have users in Ireland, the USA, and roaming. They want ADFS for single sign-on and they need it to be HA.

This is where companies normally think about deploying ADFS on-premises. Two issues here:

  • You need local infrastructure: Not so bad if you have spare license and hardware capacity on your hosts, but that’s not a given in an SME.
  • Your ISP becomes a risk: You will place ADFS on premises. Your office has a single Internet connection. A stray digger or ISP issue can put the entire business (not just that office) out of action because ADFS won’t be there for roaming/remote users to authenticate with O365.

So my original design was to stretch the network into Azure. Create a virtual network in an Azure region that is local to your Office 365 account (for example, an Irish O365 customer would deploy a virtual network in Azure Europe North). Create a site-to-site VPN network to connect the on-premises network to the Azure VNet. Then deploy an additional DC, in the same domain as on-premises, in the Azure VNet. And now you can create an ADFS cluster in that site. All good … but what about the above multi-national scenario? I want HA and DR.

Deploy an Azure VNet for the Ireland office (Azure Europe North) and one for the USA office (Azure USA East) and place virtual DCs in both. Connect both VNets using a VPN. And connect both on-premises networks to both VNets via site-to-site VPNs. Then create an ADFS stretch cluster (mirrored SQL cluster) that resides in both VNets. Now the company’s users (local, roaming and remote) have the ability to authenticate against O365 using ADFS if:

  • Either or both of the local on-premises networks go offline
  • Either Azure region goes offline

As I said, I am not an ADFS person, so I’ll be interested in hearing what those who know ADFS think of this potential solution.

TechCamp 2014 Presentation – Hybrid Cloud Using Microsoft Azure

This presentation was an introduction for IT pros to deploying hybrid cloud solutions based on Microsoft Azure, in conjunction with on-premises Hyper-V / System Center deployments. Here’s the deck that I presented … and yes … there are LOTS of slides because there is constantly new stuff in Azure.


Using WatchGuard XTM To Create A Hybrid Cloud With Windows Azure

My job is weird. I basically get told to learn something and spend time promoting it, teaching it, assisting with it to a Microsoft partner audience in Ireland. Lately we’ve taken on some hardware products and I’ve also been given a target to promote Windows Azure. So I’ve been spending time in the lab at work and in Windows Azure.

The latest “mini project” that I set for myself was to create a hybrid cloud, merging my on-premise Hyper-V farm (with SMB 3.0 storage on DataOn Storage JBOD) with VMs running in Windows Azure. Traffic between the two “sites” would be via a secure site-site VPN tunnel. This is Microsoft’s strategy: hybrid cloud.

The On-Premise VPN Concentrator

The first step in that was to get a new firewall appliance operational. Although you can use an on-premise Windows Server to create a site-site VPN connection, I don’t like that option. I’d rather use an edge appliance so my routing can be simplified.

Note: I’m documenting my experience instead of the specific instructions. You’ll read why later.

My employers recently started distributing the XTM range of universal threat management (UTM) firewall appliances from WatchGuard to the Irish reseller market. I have an old 2 series appliance in my lab, equipping me with firewall, AV, URL management, wireless and VPN connectivity. While the hardware might be old, it’s running the latest software and management interface and gives me all the same functionality as the latest and largest 8 series appliances from WatchGuard (just with smaller scalability).

WatchGuard 2 series XTM

I placed the WatchGuard behind the Netgear ADSL router, and enabled port passthrough from the router to the firewall for the following:

  • L2TP port: UDP 1701
  • IPsec port: UDP 500
  • IKEv2 port: UDP 4500

My internal network is physical, operating on 172.16.1.0/24, with the XTM being the default gateway on 172.16.1.1.

Enabling Site-Site VPN in Windows Azure Virtual Networking

The next thing I did was sign into Windows Azure and create a virtual network. It’s not quite obvious, but what you are doing in the Azure portal is creating software-defined networks using Hyper-V Network Virtualization. I created a virtual network called 10.0.0.0/16 and then created 3 virtual subnets:

  • 10.0.0.0/24
  • 10.0.1.0/24
  • 10.0.2.0/24

Any virtual machines I created would reside in those subnets and be assigned IPs from those pools (they appear like DHCP addresses in the guest OS). Note that Azure uses a few of the IPs in each virtual subnet and that the subnets will route automatically to each other within the virtual network.

An additional gateway subnet was created on 10.0.255.0/24.


My virtual network and subnets in Windows Azure

Here’s the fun bit; you can assign IP address(es) for your desired DNS server(s) in the virtual network settings. I assigned 172.16.1.40, my on-premise DC/DNS VM, as the DNS server for this in-Azure virtual network. My plan: I would only run DCs on premise, and everything in Azure would authenticate against my on-premise DCs via the VPN. Honestly, in the real world I think I would run some VMs as DCs in the same domain/forest within Azure for network fault tolerance. Old fashioned AD replication would be used, treating Azure’s virtual network as another AD site.

During the virtual network wizard, I also enabled site-site connectivity and afterwards I created a gateway. That creates the listener in Azure, on a public IP address, that allows a site-site VPN connection. A really long pre-shared key (the shared secret for the IPsec tunnel) is generated. I documented all the required information and then returned to the lab.

Starting & Testing The Site-Site VPN

I logged into the console for the WatchGuard XTM and created a site-site VPN connection. The connection was initiated, and then there was suspense. In the Azure portal I could see an “attempting connection” status. That sat there for what felt like an eternity. And then … bingo! It connected.


The connected site-site VPN, details obscured

I fired up a VM in Windows Azure on my 10.0.0.0/24 network. It was assigned the first address, 10.0.0.4 with the DNS setting pointing to my DC which is on-premise as 172.16.1.40. With the Windows Firewall configured for ICMPv4 echo requests, I was able to ping in both directions.

The end result? The virtual network in Windows Azure is effectively a remote data center in my “corporate network”. My on-premise 172.16.1.0/24 can route to the 10.0.0.0/16 network/subnets in Windows Azure and back again. I can deploy VMs to the most suitable networks: on-premise or in the public cloud. If I fire up System Center VMM and App Controller, I can delegate users and give them a single portal for deploying VMs on either part of the hybrid cloud.
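Before building a tunnel like the one above, it is worth checking the address plan on paper. The following is an added example, not code from the original post: it takes the ranges used here (on-prem 172.16.1.0/24, VNet 10.0.0.0/16 with three workload subnets and a gateway subnet), checks that the two sides do not overlap and that every subnet sits inside the VNet, and computes the first address Azure will hand to a VM under the assumption that Azure reserves the first four and the last address of each subnet (which is why the first VM above landed on 10.0.0.4).

```python
"""Address-plan check for a hybrid Hyper-V / Azure lab.

Added example, not code from the original post. The reservation constants
below are an assumption (Azure keeps the first four and the last address of
every subnet); they match the 10.0.0.4 first-VM address observed in the post.
"""
import ipaddress

AZURE_RESERVED_HEAD = 4  # assumption: .0 network, .1 gateway, .2/.3 platform use
AZURE_RESERVED_TAIL = 1  # assumption: last address (broadcast) is reserved


def check_plan(on_prem, vnet, subnets, gateway_subnet):
    """Return a list of problems; an empty list means the plan is routable
    across the VPN without collisions. All inputs are CIDR strings."""
    problems = []
    lan = ipaddress.ip_network(on_prem, strict=True)
    space = ipaddress.ip_network(vnet, strict=True)
    nets = [ipaddress.ip_network(s, strict=True)
            for s in list(subnets) + [gateway_subnet]]

    # The LAN and the VNet are joined by a routed tunnel, so their ranges must
    # not overlap, or one side's routes would shadow the other's.
    if lan.overlaps(space):
        problems.append(f"on-prem {lan} overlaps VNet {space}")

    # Every workload subnet and the gateway subnet must sit inside the VNet.
    for n in nets:
        if not n.subnet_of(space):
            problems.append(f"{n} is outside VNet {space}")

    # Subnets inside the VNet must not overlap one another either.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def first_vm_address(subnet):
    """First address Azure assigns to a VM in `subnet` under the reservation
    assumption above."""
    n = ipaddress.ip_network(subnet, strict=True)
    return str(n[AZURE_RESERVED_HEAD])


def usable_vm_addresses(subnet):
    """How many VM addresses remain in `subnet` after Azure's reservations."""
    n = ipaddress.ip_network(subnet, strict=True)
    return n.num_addresses - AZURE_RESERVED_HEAD - AZURE_RESERVED_TAIL


if __name__ == "__main__":
    # The plan from the post: no problems expected.
    print(check_plan("172.16.1.0/24", "10.0.0.0/16",
                     ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"],
                     "10.0.255.0/24") or "plan OK")
    print("first VM in 10.0.0.0/24:", first_vm_address("10.0.0.0/24"))
    # A constructed bad plan that reuses part of the VNet range on premises.
    print(check_plan("10.0.1.0/24", "10.0.0.0/16",
                     ["10.0.0.0/24", "10.0.1.0/24"], "10.0.255.0/24"))
```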

Some Useful Info

I had two sources of information to implement this solution.

The first was the excellent blog post by Ryan Boud called Creating a VPN between a WatchGuard XTM 510 and Windows Azure Virtual Networks. The terminology for setting up the site-site VPN is confusing: What’s a local subnet? What’s a remote subnet? It’s all relative! Ryan has excellent clear screenshots that inform you what to type where in the Windows Azure portal to create your virtual network and get the gateway operational. He also goes step-by-step through the WatchGuard XTM configuration.

The second is a set of instructions by WatchGuard. Their documentation only covers the XTM side of things but it does give you a nice method for recording the required information from the Azure portal.

Microsoft has also shared links to instructions for creating site-site VPN connections using devices from lots of manufacturers, such as Cisco, Juniper, F5, Citrix, Fortinet and Openswan.

FYI, my lab is operating on an ADSL line. It has a single IP address. I am still able to do remote device VPN into my lab. In fact, I am able to VPN into the lab from home and communicate with the Windows Azure VMs by routing through the site-site VPN connection. The Windows Azure network is really acting like a remote data center for my lab.

Summary

I thought setting the site-site VPN up between my “private cloud” and Microsoft’s public cloud was going to be a nightmare. Instead, it was easy. In fact, following Ryan’s and WatchGuard’s instructions enabled me to get it working on my first attempt. The results: magic.

Windows Azure Backup Is Generally Available & Other Azure News

The following message came in an email overnight:

Windows Azure Backup is now generally available, Windows Azure AD directory is created automatically for every subscription, and Hyper-V Recovery Manager is in preview.

What does that mean?  Some backup plans charge you based on the amount of data that you are protecting.  Personally, I prefer that approach because it is easy to predict – I have 5 TB of data and it’s going to cost me 5 * Y to protect it.  Azure Online Backup has gone with the more commonly used approach of charging you based on how many GB/month of storage that you consume on Microsoft’s cloud.  This is easy for a service provider to create bills, but it’s hard for the consumer to estimate their cost … because you have elements like deduplication and compression to account for.

The pricing of Azure Online Backup looks very competitive to me. 

Windows Azure Backup is billed in units based on your average daily amount of compressed data stored during a monthly billing period.

Some plans get the first 5GB free and then it’s €00.3724 per GB per month.  In the USA, it will be $00.50 per GB per month.  Back when I worked in backup, €1/GB per month was considered economic.

In other Azure news:

A Windows Azure AD directory is created automatically for every subscription:

Starting today, every Windows Azure subscription is associated with an autocreated directory in Windows Azure Active Directory (AD). By using this enterprise-level identity management service, you can control access to Windows Azure resources.

To accommodate this advancement, every Windows Azure subscription can now host multiple directories. Additionally, Windows Azure SDK will no longer rely on static management certificates but rather on user accounts in Active Directory. Existing Active Directory tenants related to the same user account will be automatically mapped to a single Windows Azure subscription. You can alter these mappings from the Windows Azure Management Portal.

Take advantage of the new Windows Azure Hyper-V Recovery Manager preview.

Windows Azure Hyper-V Recovery Manager helps protect important applications by coordinating the replication of Microsoft System Center clouds to a secondary location, monitoring availability, and orchestrating recovery as needed.

The service helps automate the orderly recovery of applications and workloads in the event of a site outage at the primary data center. Virtual machines are started in an orchestrated fashion to help restore service quickly.

The Euro GA pricing for Hyper-V Recovery Manager was included in the email.  It will cost 11,9152€ per virtual machine per month to use this service.  The website is not updated with GA pricing.

Hold Onto Your Knickers, I’m About To Compliment Windows Phone On Something!

As a listener to TWiT’s Windows Weekly, I’ve heard Paul Thurrott and Leo Laporte talk about Xbox Music Pass.  Also called Xbox Music, it is a leasing agreement, where for a few dollars a month, you can stream, download/play (on up to 5 devices) unlimited music.

Because of how Microsoft has typically put arbitrary regional restrictions on apps and content over the years, I assumed (Arrgh! and regulars know how I hate assumptions) that a sweet deal like this would not be available outside of the USA, or maybe the usual 7 countries.  This morning, one of my colleagues came over and asked if I’d tried Xbox Music because he was loving it.  I was … surprised.

I just checked Andrew Birch’s amazing feature availability matrix on Andrew Tech Help, and lo and behold, XBox Music is available in more (not all, not even most) countries than I expected.

My colleague has Xbox Music set up on his Windows Phone.  It’s nice and seamless.  The leasing agreement (you keep the music as long as your subscription is active) allows you to download to and play music on up to 5 devices (just like with Windows Store Apps).  We went over to his PC so I could explore.  OK, I expect to find mainstream stuff like Radiohead, David Bowie, or X-Craptor, but what about the stuff I listen to?  It’s the stuff you don’t find on music shelves (actually there are none of those anymore), but would Microsoft have bothered to add my quirky music in addition to the usual Crappy Lee Jepson or James Farter?  Yup, the albums were there.  I’m impressed.

So, in Ireland, for €99 per year, you can have unlimited music listening, legally.  New stuff and old (the stuff I searched for was released in late 80’s and mid 90’s).  You can listen on your Windows Phone or via the (XBox) Music app in Windows 8.  Searching is a fantastic experience in Windows 8 (for everything: settings, files, app content) so finding the music you want to listen to or try is superb.

There is a free 30 day trial.  I’m told it restricts the number of hours you can listen until you start to pay.  It looks like, if you start the trial it will automatically convert into a paid subscription unless you cancel.

Albums seem to be a thing of the past for most people.  You can try a new artist or style of music with no financial commitment (better than laying down €22 for a CD in a “store”), pick and choose songs you like, download them to your Windows Phone to listen to on a plane (with no Internet connection), and create playlists.  And it’s all legal.  And €100 is a paltry annual amount.

Right now Xbox Music is available on Windows Phone 8, Xbox 360 (stream only and requires Xbox Live Gold), Windows 8 and Windows RT.  Windows 7 and Windows Phone 7 are not included, and XP is well out of mainstream support so it’ll never be included.  Other services such as Spotify have great cross-platform support.  They’ll have that advantage while Xbox Music doesn’t support Android and iOS.  Allegedly, Microsoft will bring support to those two mobile device OSs sometime this year.  Back in November, Brad Chacos on PCworld.com reported:

Android and iOS support will come "within 12 months"

It’s good to see some of the “3 screens and a cloud” stuff appearing in the consumer space on Windows 8/RT, Xbox, and Windows Phone 8.

The People hub in WP8 is superb if the phone is your personal device (I still hate that it opts in social network contacts lists by default on my work device), and live tiles are better than dead icons.  Those are innovations by Microsoft (sure, MSFT are being sued over Live Tiles so there is some question there [covering my a$$]) that we should be thankful for, and that might be contributing to the aging of iOS. 

Handset hardware quality is infinitely better than it was in the last generation.  The few of us in the office that have the HTC 8x love the hardware. 

I still cannot forgive the arbitrary regional fencing of features.  There is no licensing issue for podcasts.  They are put out on the net via RSS feeds and shared via loads of catalogs.  If Microsoft can share podcasts via the Marketplace in some countries then there is absolutely no reason not to do it in all countries.  That sort of bollo% is what led me to assume (arrgh!) that Xbox Music (actual licensed content) wouldn’t be available here.


Three Quarters of Datacenter Managers Admit To Failing On Performance

There is an alarming story on TechCentral.ie this morning in which the majority of IT managers admit that they do not adequately manage the quality of service that their data centres (or clouds) are delivering.

A survey of over 400 European data centre managers found that while 93% of them acknowledged the criticality of optimising application performance across their data centres and networks, the large majority said they were failing to do so.

Sounds like they need to start using System Center Operations Manager to monitor network, storage, hardware (servers/blades/chassis/etc), operating systems, applications, code, services, and service level agreement from a component and a service perspective.

Embracing automation (System Center Orchestrator) and self-service (System Center Service Manager and the entire suite) frees up engineer/operator time in the cloud where data centres are filled with centralised, broadly available, and measured/controlled/secured infrastructure and services.  It is the responsibility of the data centre, as the “hosting company” of this cloud, to guarantee SLAs.  SLAs cannot be measured or met without adequate systems management.

So here’s my advice if you are setting company strategy for the cloud:

  • If you’re implementing private cloud then ask your tech staff, IT Manager, CIO (or whatever) what complete and deeply integrated/automated systems management solution they are using.  Nagios is not the correct answer because it meets none of the criteria (complete, deep, integration, automation, etc).  Make sure you’re going to see quarterly/annual reports appearing automatically in your inbox or on a SharePoint site for you to review.
  • If you’re about to place your services in a public cloud, ask the same question.  And make sure you have visibility of the monitoring for yourself.

Office 365 Open Program

Microsoft Partners have not been quiet about some of their displeasure with Office 365.  O365 committed a cardinal sin in business; in the eyes of some partners, Microsoft stole the business relationship with the customer from the partner by direct invoicing the customer.  In some parts of New Jersey, that’d get you swimming with the fishes, capiche?

I work with Microsoft partners.  I have had more than a few tell me that they wouldn’t bring Microsoft in on a meeting because of the Office 365 and cloud first strategy that would be pitched, attempting to “steal” that relationship.  To be honest, I felt their pain.  He who owns the invoice, owns the customer’s business.  And therefore, many partners continued to steer the customer away from Microsoft’s public cloud services.  Remember, in this world, the MSFT partner is the IT department, they are the trusted advisor, they are the ones presenting the viable solutions and discrediting the “bad ones”.  You have to bring the partner on board to have a hope of getting Office 365 to be the norm in this space.

Throw in the disquiet about the disappearance of SBS (with on premises Exchange/SharePoint) as a product, leaving only Windows Server 2012 Essentials (designed to work with Office 365), and the MSFT partner working in the SME space was left feeling unloved.

And what do you get?  Angry partners who saw Microsoft as competing with them.  That was never going to win for Microsoft.

Microsoft had to change.

And today they announced Office 365 Open Program.

Key points of this new partner friendly program are:

  • Microsoft partners can invoice their customers for Office 365, bundling in additional value added services
  • Partners can earn up to 23% margin in the first year, way above the 11% that currently is available

I use Office 365 for my own stuff.  I like it.  It has been trouble free for me.  It was a pity that the only obstacle to the product was legal crappola (see The Curse of Zune).  I’ll be very interested to see when this new program will launch, and what the actual details of it will be.

I want to hear from MSFT partners that are selling Office 365.  What do you think?
