Modernizing Your Infrastructure with Hybrid Cloud - Getting Started with On-demand Private Clouds using Windows Azure Pack (Part 23)
This article is part 23 in our continuing series on Modernizing Your Infrastructure with Hybrid Cloud by our US IT Pro team. After you've read this article, be sure to catch all of the other articles in our series!
As I’ve been traveling and speaking to IT Pros about the great scalability, resiliency and offerings in our Microsoft Azure public cloud platform, there’s also been lots of interest around deploying our free Windows Azure Pack (WAP) to bring the power and consistency of the same self-service Azure portal user interface to on-demand Private Clouds provisioned in an on-premises datacenter.
Service Management Portal in Windows Azure Pack
In this article, we’ll step through the process of setting up Windows Azure Pack in a lab environment for provisioning and delegating VM private clouds. Along the way, I’ll call out the specific details that I found helpful to successfully build my own lab environment.
What is Windows Azure Pack?
For a technical overview of the Windows Azure Pack, check out this great Microsoft TechEd session:
In addition, Thomas Maurer, MVP for Cloud and Virtualization, has written a great article that describes the overall architecture of Windows Azure Pack:
For more detailed training on Azure Pack, attend this free online Microsoft Virtual Academy Jump Start that was recently recorded by Symon Perriman and Andrew Zeller:
What are we building?
Windows Azure Pack certainly has the ability to scale to support very large Private Cloud environments consisting of multiple datacenters. However, in this article, we’ll get started by building a basic lab environment that consists of the following four (4) VMs:
- System Center 2012 R2 Virtual Machine Manager (VMM) management server VM
- SQL Server 2012 database server VM
- Service Provider Foundation (SPF) server VM
- Windows Azure Pack (WAP) server VM
To configure all four (4) VMs in your lab environment, you’ll need a virtualization host with at least 16GB RAM and 300GB available disk space.
Virtualization Hosts and Fabric Controller
Before installing Windows Azure Pack, it’s important to confirm that your on-premises virtualization infrastructure is in-place. Windows Azure Pack leverages System Center 2012 R2 Virtual Machine Manager (VMM) as a private cloud fabric controller for handling on-demand provisioning and management of virtual machines “behind-the-scenes”, so you’ll want to confirm that VMM is setup in your environment and is connected to one or more supported virtualization host platforms for running virtual machines, such as Hyper-V, VMware or Citrix XenServer.
To setup VMM in your lab environment, be sure to review the following resources:
- Download: Microsoft System Center 2012 R2 Evaluation Kit
- System Requirements: Virtual Machine Hosts
- Step-by-Step: Build Your Private Cloud
As part of this base configuration, you’ll also install a Microsoft SQL Server that will be used by all components in this lab environment.
Private Clouds, VM Networks and VM Templates
After VMM is setup and connected to your virtualization hosts, there’s a few specific configuration tasks to keep in mind when defining Private Clouds and VM Networks as part of your cloud fabric in VMM. These steps are important if you’ll be using Windows Azure Pack, because WAP won’t recognize your fabric resources as being available for on-demand provisioning via the Service Management Portal unless they are configured properly.
VM Network Guidelines
You must have a VM network available to which tenant VMs can be associated. This VM network can be created using the VMM Console if you wish to provide a standard VM network that is shared across tenants.
- For instructions on how to create VM networks, see Create VM Networks for Windows Azure Pack.
If you wish tenants to be able to create their own on-demand VM Networks in the WAP Service Management Portal for Tenants, you must configure the Logical Network that is associated with your cloud in the steps above for Hyper-V Network Virtualization (HNV). To do this, be sure to select the One Connected Network option, and then select the Allow VM Networks created on this logical network to use network virtualization checkbox in the VMM console when configuring your Logical Network.
If you plan to leverage Hyper-V Network Virtualization (HNV) for your Logical Network and VM Networks, check out these resources for more details and step-by-step guidance:
- Why R2? Software Defined Networking with Hyper-V Network Virtualization
- Microsoft Virtual Academy: Software Defined Networking JumpStart
Private Cloud Guidelines
When configuring Private Clouds in VMM, be sure to follow these TechNet guidelines:
- You must create a cloud from host groups. For instructions, see How to Create a Private Cloud from Host Groups.
- You must have already created logical networks that can be associated with the cloud. For instructions, see How to Create a Logical Network in VMM.
- You must have already created a VM library share. For instructions, see How to Add a VMM Library Server or VMM Library Share.
- You must assign the right amount of capacity to the cloud. The capacity that you assign to the cloud governs the resources that will be available to the tenants while provisioning virtual machines using VM Clouds.
- You must not select any of the available capability profiles (ESX Server, Hyper-V, XenServer) while creating the cloud. If you do so, tenants will not be able to deploy virtual machine roles using the VM Clouds service.
VM Template Guidelines
When creating virtual machine templates in VMM that you will use with WAP, follow this TechNet guidance:
- While selecting a source, make sure the VHD you select has the option to connect to the virtual machine using remote desktop.
- While configuring the hardware settings, make sure you do not select any of the cloud capability profiles (XenServer, ESX Server, Hyper-V) available.
- While configuring the operating system, make sure you do not set the Guest OS Profile drop-down to None. You must specify a valid value for this drop-down.
For instructions, see How to Create a Virtual Machine Template.
Service Provider Foundation (SPF)
Windows Azure Pack uses Service Provider Foundation (SPF) to communicate with VMM when provisioning and managing VM Clouds. SPF provides an extensible OData web service that the WAP Service Management Portals communicate with to interact with VMM. SPF is a component that is included with System Center 2012 R2 Orchestrator, so you’ll be installing SPF from the Orchestrator media in these steps.
Review system requirements for the SPF server
Be sure to install all prerequisite components on the SPF server that are listed in the above document.
Create an SPF Service Account as an Active Directory Domain User account.
Confirm Local Security Groups and IIS Application Pools.
After installation, confirm the following local security groups and IIS Application Pools on the SPF server
Local Security Groups IIS Application Pools SPF_AdminMember: SPF Service Account AdminIdentity: SPF Service Account SPF_ProviderMember: SPF Service Account ProviderIdentity: SPF Service Account SPF_VMMMember: SPF Service Accout VMMIdentity: SPF Service Account SPF_UsageMember: SPF Service Account UsageIdentity: SPF Service Account AdministratorsMember: SPF Service Account Confirm that the SPF Service Account can communicate with the VMM server.
- Login at the console of the SPF server with the SPF Service Account credentials.
- Launch the Virtual Machine Manager Command Shell from the Start screen.
Tip: Hit the Windows key and just start typing “Virtual … ”
- Use the following PowerShell cmdlet to confirm communication:
Get-VMMServer VMM_Server_Name
If successful, you will receive output that includes the properties of your VMM server connection.
If unsuccessful, confirm that the SPF Service Account has been properly added as a VMM Administrator in step 3 above.
Confirm that the IIS site for SPF is configured with Basic Authentication enabled.
Using IIS Manager on the SPF server, drill into the properties of the SPF web site and click Authentication to confirm this configuration.
Create a local WAP Portal Service Account and add it as a member to all four SPF_ Local Security Groups.
In some deployments, the WAP portals may be running on servers in a different untrusted Active Directory domain. As a best practice, the WAP portal connections will be configured to connect to the SPF OData web service using local account credentials.
- Create this local WAP Portal Service Account using the Computer Management tool on the SPF server.
- Add the local WAP Portal Service Account as a member of the SPF_Admin, SPF_Provider, SPF_VMM and SPF_Usage groups.
Confirm that you are able to successfully communicate with the SPF OData web service.
- Browse to the following URL using IE with InPrivate browsing mode:
https://SPF_Server_Name:8090/SC2012R2/VMM/Microsoft.Management.Odata.svc
- If prompted with a Certificate warning dialog, click Continue.
- When prompted to authenticate, sign-in with the WAP Portal Service Account credentials.
If successful, you should receive an XML response page.
Success! We can communicate with the SPF OData web service.
If unsuccessful, see this great article for additional troubleshooting tips.
Install Windows Azure Pack
We’re now ready to install the Windows Azure Pack (WAP) components. In this article, we use the Express installation option, where all WAP server components are installed on a single VM that is separate from the SPF server VM. For larger installations involving lots of tenants, there are also options for distributed deployment and high availability.
- Review the system requirements for the WAP server
- Install software prerequisites on the WAP server
- Install an Express deployment of Windows Azure Pack
- Replace Self-Signed Certificates
After completing a default installation, the SPF web site on the SPF server and the WAP web sites on the WAP server are configured to use self-signed certificates. I recommend replacing these self-signed certificates with signed certificates from a trusted Certificate Authority (CA). If you don't yet have a CA configured in your lab environment, you can set one up in a few minutes using Active Directory Certificate Services (ADCS) on Windows Server 2012 R2. My friend and colleague, Yung Chou, has published a great article that steps through the process of doing exactly this ...
READ IT! Enterprise PKI with Windows Server 2012 R2 Active Directory Certificate Services
At a minimum, you may wish to do the following:
- To validate secure connections between the WAP and SPF servers, export the self-signed certificate from the SPF server and import into the following certificate store on the WAP server:
- Local Computer \ Trusted Root Certification Authorities \ Certificates
- To permit external tenant users to connect to the WAP Tenant Public Sites without receiving certificate validation errors, replace the self-signed certificates configured for these sites to use a certificate that is signed by a publicly trusted CA. If performing this step, replace the certificate on the following WAP Tenant Public Sites:
- WAPTenant Management Portal site
- WAPTenantAuth Authentication site
- WAPTenPubAPI Public Tenant API site
- To validate secure connections between the WAP and SPF servers, export the self-signed certificate from the SPF server and import into the following certificate store on the WAP server:
Ready to deploy to VM Clouds
Now that your lab environment is built, you’re ready to register your SPF server from the Windows Azure Pack admin portal and deploy to VM Clouds!
To continue down this path, be sure to reference these next steps …
What’s Next?
So far, we’ve setup the basics of provisioning and managing on-demand Private Clouds using the Windows Azure Pack. In future articles, we’ll work on extending our lab to include the following additional components …