31 Days of Servers in the Cloud: Connecting Windows Azure PaaS to IaaS (Part 24 of 31)
If you’ve been following our 31 Days of Servers in the Cloud, you know there is quite a bit that can be done with Virtual Machines in Windows Azure. In Part 13, Kevin Remde walked through creating VMs using App Controller and in Part 14, Brian Lewis walked through the process of creating VMs using PowerShell. Now that you have your Virtual Machine infrastructure (IaaS) up and running in Windows Azure, I want to walk you through the process of connecting PaaS resources such as Web Roles, Worker Roles or VM Roles to your IaaS infrastructure. We will use the information from Part 10 where Bob Hunt did a great job of explaining Virtual Networking and how to configure it.
Scenario:
I have PaaS resources (Worker Role, Web Role and VM Roles) that need to authenticate against our corporate Active Directory for certain operations. One option is to connect the PaaS resources directly to our on-premises datacenter infrastructure. This will probably generate more traffic than I want between Azure and our datacenter. Another option is to deploy a Read Only Domain Controller (RODC) in a Virtual Machine in Azure that communicates with the DCs in our datacenter, and then have all the PaaS resources authenticate to the RODC.
For the purpose of this article, I deployed a full DC in a Virtual Machine in Azure, as it is a bit difficult to connect to an on-premises datacenter that I don’t have.
From my Azure management portal, I went to Networks | Affinity Groups and created an Affinity Group called ITProsRockAG.
Once that was done, I went to Networks | Networks and created a new Virtual Network named ITProsRockVNet that I associated to the AG created in the previous step. From there, I added an Address Space of 192.168.0.0/16 and created a subnet of 192.168.0.0/19 named CoreSubnet.
When I created my Virtual Machine for my Domain Controller, I connected it to ITProsRockVNet and CoreSubnet. I do want to point out that you cannot use quick create when provisioning a new Virtual Machine as that wizard does not allow you to customize the Virtual Network and Subnet settings.
After the new VM was fully provisioned, I logged in via RDP and changed the network adapter's IP settings so that the DNS server entry pointed to the VM itself. Then I installed the Active Directory Domain Services role and promoted the server to a Domain Controller.
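The same affinity group, virtual network, subnet and DC virtual machine can be created from the Azure PowerShell cmdlets of that era instead of the portal. The script below is an added example and not part of the original post; it assumes the Azure Service Management cmdlets are installed and a subscription is already selected, and the location, image label, VM and service names, admin credentials and the temp file path are placeholders.

```powershell
# Added example (not from the original post): build ITProsRockAG, ITProsRockVNet/CoreSubnet
# and a DC VM on that subnet with the classic Azure PowerShell cmdlets.
# Assumptions: Azure Service Management cmdlets loaded, subscription selected;
# location, image, VM/service names and admin credentials are placeholders.

$agName   = "ITProsRockAG"
$vnetName = "ITProsRockVNet"
$subnet   = "CoreSubnet"

# 1. Affinity group (the location is an assumption).
New-AzureAffinityGroup -Name $agName -Location "West US" -Label $agName

# 2. Virtual network. Set-AzureVNetConfig replaces the subscription's whole network
#    configuration, so in a real subscription merge this with Get-AzureVNetConfig output
#    instead of overwriting it.
$netcfg = @"
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="$vnetName" AffinityGroup="$agName">
        <AddressSpace>
          <AddressPrefix>192.168.0.0/16</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="$subnet">
            <AddressPrefix>192.168.0.0/19</AddressPrefix>
          </Subnet>
        </Subnets>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"@
$cfgPath = Join-Path $env:TEMP "ITProsRockVNet.netcfg"   # placeholder path
$netcfg | Out-File -FilePath $cfgPath -Encoding UTF8
Set-AzureVNetConfig -ConfigurationPath $cfgPath

# 3. DC virtual machine placed on CoreSubnet. Setting the subnet explicitly is the
#    scripted equivalent of avoiding the portal's quick-create wizard.
$image = (Get-AzureVMImage |
          Where-Object { $_.Label -like "Windows Server 2012*" } |
          Select-Object -First 1).ImageName

New-AzureVMConfig -Name "DC01" -InstanceSize Small -ImageName $image |
    Add-AzureProvisioningConfig -Windows -AdminUsername "ITProAdmin" -Password "<replace-me>" |
    Set-AzureSubnet -SubnetNames $subnet |
    New-AzureVM -ServiceName "ITProsRockSvc" -AffinityGroup $agName -VNetName $vnetName
```

Once the VM is up, the DNS change, AD DS role installation and promotion described above still happen inside the guest over RDP; this script only covers the network placement that quick create cannot do.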
When deploying Web Roles, Worker Roles and VM Roles using the web portal, I cannot select a Virtual Network or Subnet from the deployment wizard. Instead, I must configure that in the ServiceConfiguration.Cloud.cscfg file. The following are the entries I added for my environment:
<NetworkConfiguration>
  <VirtualNetworkSite name="ITProsRockVNet" />
  <AddressAssignments>
    <InstanceAddress roleName="WebRole1">
      <Subnets>
        <Subnet name="CoreSubnet" />
      </Subnets>
    </InstanceAddress>
  </AddressAssignments>
</NetworkConfiguration>
Once the Web Role was successfully deployed, I logged into the instance via RDP and confirmed that its IP address was indeed on the same subnet as my DC. I modified the DNS setting to point to the DC (which is also the DNS server for the AD domain). I then joined it to my AD domain (haroldw.net). After the reboot, I was able to log in via RDP using my domain credentials.
The thing to keep in mind about PaaS instances is that they are stateless. If the instance I just configured were to fail and Azure spun up a replacement instance, none of the work I just did to join the domain would carry over. The correct way to ensure these PaaS instances are joined to the domain is to run a provisioning script as part of the provisioning process that joins each instance to the domain.
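What such a provisioning script can look like, as an added example that is not from the original post: a PowerShell startup task that points DNS at the DC, joins the instance to haroldw.net and reboots, and does nothing on later boots once the instance is already a member. It assumes the script is registered in ServiceDefinition.csdef as an elevated startup task, that the DC address is a placeholder, and that the join credential is supplied through two hypothetical role configuration settings (DomainJoinUser, DomainJoinPassword) rather than being hard-coded in the script.

```powershell
# Added example (not from the original post): startup task that domain-joins a
# Web/Worker Role instance on every provisioning, so replacement instances come up
# joined as well. Assumptions: registered as an elevated startup task in
# ServiceDefinition.csdef; $DnsServer is a placeholder for the DC's address inside
# CoreSubnet; DomainJoinUser/DomainJoinPassword are hypothetical configuration settings.

$ErrorActionPreference = "Stop"
$DomainName = "haroldw.net"     # domain used in the post
$DnsServer  = "192.168.0.4"     # placeholder: the DC's address inside CoreSubnet

# Idempotency: the task runs again after the reboot below, so exit early when
# the instance is already a member of the domain.
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.PartOfDomain -and ($cs.Domain -ieq $DomainName)) {
    Write-Output "Already a member of $DomainName; nothing to do."
    exit 0
}

# Point every IP-enabled adapter at the DC for DNS so the domain can be located.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" | ForEach-Object {
    $result = $_.SetDNSServerSearchOrder(@($DnsServer))
    if ($result.ReturnValue -ne 0) {
        throw "SetDNSServerSearchOrder failed on $($_.Description): $($result.ReturnValue)"
    }
}

# Read the join credential from the role configuration instead of embedding it here.
# The ServiceRuntime assembly is available inside a role instance.
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.WindowsAzure.ServiceRuntime")
$env = [Microsoft.WindowsAzure.ServiceRuntime.RoleEnvironment]
$joinUser = $env::GetConfigurationSettingValue("DomainJoinUser")
$joinPass = ConvertTo-SecureString $env::GetConfigurationSettingValue("DomainJoinPassword") -AsPlainText -Force
$cred     = New-Object System.Management.Automation.PSCredential($joinUser, $joinPass)

# Join the domain, then reboot so the membership takes effect. On the next boot the
# check at the top sees the instance is joined and the task exits immediately.
Add-Computer -DomainName $DomainName -Credential $cred
Restart-Computer -Force
```

Because the join account's password lives in the service configuration, it should be a dedicated account with only the right to join computers to the domain (or to a specific OU), not a domain administrator, so that a leaked configuration file limits what an attacker gains.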
I hope this shows that it is indeed possible to connect Azure IaaS with Azure PaaS resources.
Keith Mayer has a blog post that has information for a TechNet Virtual Lab where you can do something similar – Connect a MVC4 Application to a SQL Server Virtual Machine.
I also want to thank my teammate, Bruno Terkaly, for providing me with the simple Web Role package to deploy into Azure for the purpose of writing this post.
Harold Wong