
Windows Azure and Cloud Computing Posts for 7/23/2012+

Posted On Wednesday, July 25, 2012 By rss. Under OakLeaf Systems    

A compendium of Windows Azure, Service Bus, EAI & EDI, Access Control, Connect, SQL Azure Database, and other cloud-computing articles.


Note: This post is updated daily or more frequently, depending on the availability of new articles in the following sections:

  • Windows Azure Blob, Drive, Table, Queue and Hadoop Services
  • SQL Azure Database, Federations and Reporting
  • Marketplace DataMarket, Social Analytics, Big Data and OData
  • Windows Azure Service Bus, Access Control, Caching, Active Directory, and Workflow
  • Windows Azure Virtual Machines, Virtual Networks, Web Sites, Connect, RDP and CDN
  • Live Windows Azure Apps, APIs, Tools and Test Harnesses
  • Visual Studio LightSwitch and Entity Framework v4+
  • Windows Azure Infrastructure and DevOps
  • Windows Azure Platform Appliance (WAPA), Hyper-V and Private/Hybrid Clouds
  • Cloud Security and Governance
  • Cloud Computing Events
  • Other Cloud Computing Platforms and Services

Azure Blob, Drive, Table, Queue and Hadoop Services

Bruno Terkaly (@brunoterkaly) described How to create a custom blob manager using Windows 8, Visual Studio 2012 RC, and the Azure SDK 1.7 in a 7/24/2012 post:

Programmatically managing blobs

  1. This post has two main objectives: (1) Educate you that you can host web content very economically; (2) Show you how you can create your own blob management system in the cloud.
  2. Download the source to my VS 2012 RC project:

    Download The Source
    https://skydrive.live.com/embed?cid=98B7747CD2E738FB&resid=98B7747CD2E738FB%212850&authkey=AAWxTD4cCiYKJ60

    Free Trial Account
    http://www.windowsazure.com/en-us/pricing/free-trial/?WT.mc_id=A733F5829

  3. Hosting web content as a blob on Windows Azure is powerful. To start with, it is extremely economical; it doesn’t require you to host a web server yourself. As a result blobs are very cost-effective. Secondly, the other powerful aspect of hosting html content as blobs on Windows Azure is that blobs get replicated 3 times. It will always be available, with SLA support.
  4. I use Windows Azure-hosted blobs for my blog. I store html, javascript, and style sheets. I manage video content as well. You can see my article in MSDN Magazine for further details.

      See my article in MSDN Magazine, Democratizing Video Content with Windows Azure Media Services
      http://msdn.microsoft.com/en-us/magazine/jj133821.aspx

    • I could store anything I want. When you visit my blog, you are pulling content from Windows Azure storage services.
  5. You can dynamically create content and then upload to Azure. I’ll show you how to upload the web page as a blob.
  6. But that web page can be dynamically created based on a database. The code I am about to show is infinitely flexible. You could adapt it to manage all your content programmatically.
  7. I will illustrate with the latest tools and technologies, as of July 2012. This means we will use:
    • Windows 8
    • Visual Studio 2012 RC
    • Azure SDK and Tooling 1.7
    • I assume you have an Azure Account (free trials are available)

2 main blob types
  1. The storage service offers two types of blobs, block blobs and page blobs.
  2. You specify the blob type when you create the blob.
  3. You can store text and binary data in either of the two types of blobs:
    • Block blobs, which are optimized for streaming.
    • Page blobs, which are optimized for random read/write operations and which provide the ability to write to a range of bytes in a blob.
  4. Windows Azure Blob storage is a service for storing large amounts of unstructured data that can be accessed from anywhere in the world via HTTP or HTTPS.
  5. A single blob can be hundreds of gigabytes in size, and a single storage account can contain up to 100TB of blobs.
  6. Common uses of Blob storage include:
    • Serving images or documents directly to a browser
    • Storing files for distributed access
    • Streaming video and audio
    • Performing secure backup and disaster recovery
    • Storing data for analysis by an on-premise or Windows Azure-hosted service
  7. Once the blob has been created, its type cannot be changed, and it can be updated only by using operations appropriate for that blob type, i.e., writing a block or list of blocks to a block blob, and writing pages to a page blob.
  8. All blobs reflect committed changes immediately.
  9. Each version of the blob has a unique tag, called an ETag, that you can use with access conditions to assure you only change a specific instance of the blob.
  10. Any blob can be leased for exclusive write access.
  11. When a blob is leased, only calls that include the current lease ID can modify the blob or (for block blobs) its blocks.
  12. You can assign attributes to blobs and then query those attributes within their corresponding container using LINQ.
  13. Blobs allow you to write bytes to specific offsets. You can enjoy typical read/write block-oriented operations.
  14. Note following attributes of blob storage:
    • Storage Account
      • All access to Windows Azure Storage is done through a storage account. This is the highest level of the namespace for accessing blobs. An account can contain an unlimited number of containers, as long as their total size is under 100TB.
    • Container
      • A container provides a grouping of a set of blobs. All blobs must be in a container. An account can contain an unlimited number of containers. A container can store an unlimited number of blobs.
    • Blob
      • A file of any type and size.
  15. A single block blob can be up to 200GB in size. Page blobs, another blob type, can be up to 1TB in size, and are more efficient when ranges of bytes in a file are modified frequently. For more information about blobs, see Understanding Block Blobs and Page Blobs.
    • URL format
    • Blobs are addressable using the following URL format:
      • http://<storage account>.blob.core.windows.net/<container>/<blob>

Web Pages as blobs
  1. As I explained, what I am showing is how I power my blog with Windows Azure [1]. My main blog page starts with an <iframe>[2][3]. This tag lets you embed an html page within an html page. My post is basically a bunch of iframes glued together. One of those iframes is a menu I have for articles I have created. It really is a bunch of metro-styled hyperlinks.
  2. As I said before, this post is about how I power my blog[1]. This post is about generating web content and storing it as a web page blob up in a MS data center. The left frame on my blog is nothing more than an iframe with a web page.[2][3]
  3. The name of the web page is key_links.html. Key_links.html is generated locally, then uploaded to blob storage.
  4. The pane on the left here that says Popular Posts is just an embedded web page, stored as a blob on Windows Azure. I upload the blob through a Windows 8 Application that I am about to build for you.
  5. The actual one that I use is slightly more complicated. It leverages a SQL Server database that has the source for the content you see in Popular Posts.
  6. For my blog, all I do is keep a database up to date. The custom app we are writing generates a custom web page, based on the SQL server data that I previously entered.
  7. My app then simply loops through the rows in the SQL server database table and generates that colorful grid you see labeled Popular Posts.
  8. You can see my blob stored here:
    • https://brunoblogcontent.blob.core.windows.net/blobcalendarcontent/key_links.html

Dynamically created based on SQL Server Data
  1. You can navigate directly to my blob content.
    • https://brunoblogcontent.blob.core.windows.net/blobcalendarcontent/key_links.html
  2. The point here is that Key_links.html is generated based on entries in a database table
    • You could potentially store the entries in the cloud as well using SQL Database (formerly SQL Azure)
  3. This post will focus on how you would send key_links.html and host it in the Windows Azure Storage Service
  4. Here you can see the relationship between the table data and the corresponding HTML content.
  5. The metro-like web interface you see up there is generated dynamically by a Windows 8 application. We will not do dynamic creation here.
  6. I used Visual Studio 2012 RC to write the Windows 8 application. To upload the blob, all I needed was the Windows Azure SDK and Tooling. …

Read more.
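
The post explains the pieces (block blob, container, URL, ETag) but the excerpt stops before the upload code. The following is an added example, not Bruno’s project code, written against the Azure SDK 1.7 StorageClient library (Microsoft.WindowsAzure.StorageClient) that the post targets. It publishes a generated HTML page as a block blob and adds the checks a practitioner wants when a blob is served straight to browsers: an HTTPS-only endpoint, public read on blobs only (not container listing), an explicit Content-Type, and the ETag precondition the post mentions in item 9 so two regenerations cannot silently overwrite each other. The connection string, container and blob names are placeholders.

```csharp
using System;
using System.Net;
using System.Text;
using Microsoft.WindowsAzure;
using Microsoft.WindowsAzure.StorageClient;

// Added example, not the post's code. Publishes a generated HTML page as a
// block blob with the hardening the post leaves out.
public static class KeyLinksPublisher
{
    // Returns the ETag of the blob as written. Pass the ETag from the previous
    // publish to enforce "only overwrite the version I last saw"; pass null to
    // write unconditionally (first publish of a new blob).
    public static string Publish(
        string connectionString,   // assumed: "DefaultEndpointsProtocol=https;AccountName=...;AccountKey=..."
        string containerName,      // assumed: "blobcalendarcontent" (container names are lower case)
        string blobName,           // assumed: "key_links.html"
        string html,
        string expectedETag)
    {
        CloudStorageAccount account = CloudStorageAccount.Parse(connectionString);

        // The account key signs every request; refuse a plaintext endpoint
        // unless this is the local storage emulator (loopback).
        if (account.BlobEndpoint.Scheme != Uri.UriSchemeHttps && !account.BlobEndpoint.IsLoopback)
        {
            throw new InvalidOperationException(
                "Blob endpoint must be HTTPS; set DefaultEndpointsProtocol=https in the connection string.");
        }

        CloudBlobClient client = account.CreateCloudBlobClient();
        CloudBlobContainer container = client.GetContainerReference(containerName);
        container.CreateIfNotExist();

        // Public read of individual blobs is all a web page needs.
        // BlobContainerPublicAccessType.Container would also let anyone enumerate
        // every blob in the container; Off would require a SAS or the account key.
        container.SetPermissions(new BlobContainerPermissions
        {
            PublicAccess = BlobContainerPublicAccessType.Blob
        });

        CloudBlockBlob blob = container.GetBlockBlobReference(blobName);
        // Without this the blob is served as application/octet-stream and downloads instead of rendering.
        blob.Properties.ContentType = "text/html; charset=utf-8";

        BlobRequestOptions options = new BlobRequestOptions();
        options.AccessCondition = expectedETag == null
            ? AccessCondition.None
            : AccessCondition.IfMatch(expectedETag);

        try
        {
            blob.UploadText(html, Encoding.UTF8, options);
        }
        catch (StorageClientException ex)
        {
            // 412: somebody else regenerated the page since we read it.
            if (ex.StatusCode == HttpStatusCode.PreconditionFailed)
            {
                throw new InvalidOperationException(
                    "Blob " + blobName + " changed since ETag " + expectedETag +
                    " was read; re-read it and regenerate before publishing.", ex);
            }
            throw;
        }

        blob.FetchAttributes();
        return blob.Properties.ETag;
    }
}
```

A first call with `expectedETag == null` creates the blob and returns its ETag; store that value and pass it on the next regeneration, so a second publisher (or a second run of the same app) that still holds the old ETag fails with the precondition error instead of clobbering the newer page.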


Denny Lee (@dennylee) posted a Power View Tip: Scatter Chart over Time on the X-Axis and Play Axis post on 7/24/2012:

As you have seen in many Power View demos, you can run the Scatter Chart over time by placing date/time onto the Play Axis. This is pretty cool and it allows you to see trends over time on multiple dimensions. But how about if you want to see time also on the x-axis?

For example, let’s take the Hive Mobile Sample data as noted in my post: Connecting Power View to Hadoop on Azure. As noted in Office 2013 Power View, Bing Maps, Hive, and Hadoop on Azure … oh my!, you can quickly create Power View reports right out of Office 2013.

Scenario

In this scenario, I’d like to see the number of devices on the y-axis, date on the x-axis, broken out by device make. This can be easily achieved using a column bar chart.


Yet, if I wanted to add another dimension to this, such as the number of calls (QueryTime), the only way to do this without tiling is to use the Scatter Chart. Yet, this will not yield the results you may like seeing either.


It does have a Play Axis of Date, but while the y-axis has count of devices (count of ClientID), the x-axis is the count of QueryTime – it’s a pretty lackluster chart. Moving Count of QueryTime to the Bubble Size makes it more colorful but now all the data is stuck near the y-axis. When you click on the play-axis, the bubbles only move up and down the y-axis.


Date on X-Axis and Play Axis

So to solve the problem, the solution is to put the date on both the x-axis and the play axis. Yet, the x-axis only allows numeric values – i.e. you cannot put a date into it. So how do you get around this limitation?

What you can do is create a new calculated column:

DaysToZero = -1*(max([date]) – [date])

What this does is to calculate the number of days differing between the max([date]) within the [date] column as noted below.


As you can see, the max([date]) is 7/30/2012 and the [DaysToZero] column has the value of datediff(dd, [Date], max([Date]))

Once you have created the [DaysToZero] column, you can then place this column onto the x-axis of your Scatter Chart. Below is the scatter chart configuration.


With this configuration, you can see events occur over time when running the play axis as noted in the screenshots below.



Paul Miller (@paulmiller) described his GigaOM Pro report on Hadoop and cluster management in a 7/23/2012 post to his Cloud of Data blog:

My latest piece of work for GigaOM Pro just went live. Scaling Hadoop clusters: the role of cluster management is available to GigaOM Pro subscribers, and was underwritten by StackIQ.

Thanks to everyone who took the time to speak with me during the preparation of this report.

As the blurb describes,

From Facebook to Johns Hopkins University, organizations are coping with the challenge of processing unprecedented volumes of data. It is possible to manually build, run and maintain a large cluster and to use it to run applications such as Hadoop. However, many of the processes involved are repetitive, time-consuming and error-prone. So IT managers (and companies like IBM and Dell) are increasingly turning to cluster-management solutions capable of automating a wide range of tasks associated with cluster creation, management and maintenance.

This report provides an introduction to Hadoop and then turns to more-complicated matters like ensuring efficient infrastructure and exploring the role of cluster management. Also included is an analysis of different cluster-management tools from Rocks to Apache Ambari and how to integrate them with Hadoop.

Compulsory picture of an elephant as it’s a Hadoop story provided by Flickr user Brian Snelson.

Related articles
  • The unsexy side of big data: 6 tools to manage your Hadoop cluster (gigaom.com)

<Return to section navigation list>

SQL Azure Database, Federations and Reporting

No significant articles today.


<Return to section navigation list>

MarketPlace DataMarket, Social Analytics, Big Data and OData

No significant articles today.


<Return to section navigation list>

Windows Azure Service Bus, Access Control Services, Caching, Active Directory and Workflow

Manu Cohen-Yashar (@ManuKahn) described Running WIF Relying parties in Windows Azure in a 7/22/2012 post:

When running in a multi server environment like Windows Azure it is required to make sure the cookies generated by WIF are encrypted with the same pair of keys so all servers can open them.

Encrypt cookies using RSA

In Windows Azure, the default cookie encryption mechanism (which uses DPAPI) is not appropriate because each instance has a different key. This would mean that a cookie created by one web role instance would not be readable by another web role instance. This could lead to service failures effectively causing denial of the service. To solve this problem you should use a cookie encryption mechanism that uses a key shared by all the web role instances. The following code written to global.asax shows how to replace the default SessionSecurityHandler object and configure it to use the RsaEncryptionCookieTransform class:

using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

void Application_Start(object sender, EventArgs e)
{
    // WIF raises this once, after it has read <microsoft.identityModel> from web.config
    FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
}

private void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
{
    // Compress, then encrypt and sign with the service certificate declared in web.config
    // (<serviceCertificate>); every instance loads the same certificate from its LocalMachine store
    List<CookieTransform> sessionTransforms =
        new List<CookieTransform>(new CookieTransform[]
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
            new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)
        });

    // Replace the default handler (DPAPI-protected cookies) with one that uses the RSA transforms
    SessionSecurityTokenHandler sessionHandler =
        new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
    e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
}

Next, upload the certificate to the hosted service and declare it in the LocalMachine certificate store of the running role.


Failing to do the above will generate the following exception when running a relying party in azure: "InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API". It means that decryption with DPAPI failed. It makes sense because DPAPI key is coupled with the physical machine it is running on.

After changing the encryption policy (like so) make sure to delete all existing cookies, otherwise you will get the following exception: CryptographicException: ID1014: The signature is not valid. The data may have been tampered with. (It means that an old DPAPI cookie is being processed by the new RSA policy, and that will obviously fail.)
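
Both exceptions above show up on the first request that needs the certificate, often on a different instance than the one you tested on. The following is an added example, not Manu’s code, of a start-up check that fails loudly instead: it looks the certificate up in LocalMachine\My by thumbprint (normalizing the whitespace and invisible characters that ride along when a thumbprint is copied from certmgr.msc), confirms the private key was uploaded and is readable by the role’s account, and round-trips a probe through the key pair. Method and probe names are my own.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.RegularExpressions;

// Added example, not the post's code. Verifies that the certificate handed to
// RsaEncryptionCookieTransform / RsaSignatureCookieTransform is usable on this instance.
public static class CookieCertificateCheck
{
    // Thumbprints copied out of certmgr.msc often carry spaces or an invisible
    // left-to-right mark at the front; the store lookup then silently finds nothing.
    public static string NormalizeThumbprint(string thumbprint)
    {
        string hex = Regex.Replace(thumbprint ?? string.Empty, "[^0-9A-Fa-f]", string.Empty).ToUpperInvariant();
        if (hex.Length != 40)
            throw new ArgumentException("Expected a 40-hex-digit SHA-1 thumbprint, got: " + thumbprint);
        return hex;
    }

    // Looks the certificate up where the post says to put it: LocalMachine\My.
    public static X509Certificate2 FindInLocalMachine(string thumbprint)
    {
        string wanted = NormalizeThumbprint(thumbprint);
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, wanted, false);
            if (found.Count == 0)
                throw new InvalidOperationException("No certificate with thumbprint " + wanted + " in LocalMachine\\My.");
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Every instance must decrypt cookies that any other instance encrypted, which
    // needs the private key, readable by the account the web role runs as.
    public static void AssertUsableForCookies(X509Certificate2 cert)
    {
        if (cert == null)
            throw new InvalidOperationException("No service certificate configured (check <serviceCertificate> in web.config).");
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate " + cert.Thumbprint + " has no private key; upload the .pfx, not the .cer.");

        RSACryptoServiceProvider priv;
        try
        {
            priv = cert.PrivateKey as RSACryptoServiceProvider;   // throws if the key's ACL denies this account
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException("Private key of " + cert.Thumbprint + " is not readable by this account; grant it read access to the key.", ex);
        }
        if (priv == null)
            throw new InvalidOperationException("Certificate " + cert.Thumbprint + " does not carry an RSA key; the RSA cookie transforms need one.");

        // Round-trip a probe through the public and private halves to prove they belong together.
        RSACryptoServiceProvider pub = (RSACryptoServiceProvider)cert.PublicKey.Key;
        byte[] probe = Encoding.UTF8.GetBytes("wif-cookie-key-probe");   // constructed sample
        byte[] decrypted = priv.Decrypt(pub.Encrypt(probe, true), true);
        if (!decrypted.SequenceEqual(probe))
            throw new InvalidOperationException("Public and private key of " + cert.Thumbprint + " do not match.");
    }
}
```

Call `CookieCertificateCheck.AssertUsableForCookies(e.ServiceConfiguration.ServiceCertificate)` as the first line of OnServiceConfigurationCreated; if you select the certificate yourself rather than through web.config, `FindInLocalMachine(thumbprint)` returns the one to pass to the two RSA transforms.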


Richard Seroter (@rseroter) described Installing and Testing the New Service Bus for Windows in a 7/17/2012 post (missed when published):

Yesterday, Microsoft kicked out the first public beta of the Service Bus for Windows [Server] software. You can use this to install and maintain Service Bus queues and topics in your own data center (or laptop!). See my InfoQ article for a bit more info. I thought I’d take a stab at installing this software on a demo machine and trying out a scenario or two.

To run the Service Bus for Windows, you need a Windows Server 2008 R2 (or later) box, SQL Server 2008 R2 (or later), IIS 7.5, PowerShell 3.0, .NET 4.5, and a pony. Ok, not a pony, but I wasn’t sure if you’d read the whole list. The first thing I did was spin up a server with SQL Server and IIS.


Then I made sure that I installed SQL Server 2008 R2 SP1. Next, I downloaded the Service Bus for Windows executable from the Microsoft site. Fortunately, this kicks off the Web Platform Installer, so you do NOT have to manually go hunt down all the other software prerequisites.


The Web Platform Installer checked my new server and saw that I was missing a few dependencies, so it nicely went out and got them.


After the obligatory server reboots, I had everything successfully installed.


I wanted to see what this bad boy installed on my machine, so I first checked the Windows Services and saw the new Windows Fabric Host Service.


I didn’t have any databases installed in SQL Server yet, no sites in IIS, but did have a new Windows permissions Group (WindowsFabricAllowedUsers) and a Service Bus-flavored PowerShell command prompt in my Start Menu.


Following the configuration steps outlined in the Help documents, I executed a series of PowerShell commands to set up a new Service Bus farm. The first command which actually got things rolling was New-SBFarm:

$SBCertAutoGenerationKey = ConvertTo-SecureString -AsPlainText -Force -String [new password used for cert]

New-SBFarm -FarmMgmtDBConnectionString 'Data Source=.;Initial Catalog=SbManagementDB;Integrated Security=True' -PortRangeStart 9000 -TcpPort 9354 -RunAsName 'WA1BTDISEROSB01\sbuser' -AdminGroup 'BUILTIN\Administrators' -GatewayDBConnectionString 'Data Source=.;Initial Catalog=SbGatewayDatabase;Integrated Security=True' -CertAutoGenerationKey $SBCertAutoGenerationKey -ContainerDBConnectionString 'Data Source=.;Initial Catalog=ServiceBusDefaultContainer;Integrated Security=True';

When this finished running, I saw the confirmation in the PowerShell window:


But more importantly, I now had databases in SQL Server 2008 R2.


Next up, I needed to actually create a Service Bus host. According to the docs about the Add-SBHost command, the Service Bus farm isn’t considered running, and can’t offer any services, until a host is added. So, I executed the necessary PowerShell command to inflate a host.

$SBCertAutoGenerationKey = ConvertTo-SecureString -AsPlainText -Force -String [new password used for cert]

$SBRunAsPassword = ConvertTo-SecureString -AsPlainText -Force -String [password for sbuser account];

Add-SBHost -FarmMgmtDBConnectionString 'Data Source=.;Initial Catalog=SbManagementDB;Integrated Security=True' -RunAsPassword $SBRunAsPassword -CertAutoGenerationKey $SBCertAutoGenerationKey;

A bunch of stuff started happening in PowerShell …


… and then I got the acknowledgement that everything had completed, and I now had one host registered on the server.


I also noticed that the Windows Service (Windows Fabric Host Service) that was disabled before, was now in a Started state. Next I required a new namespace for my Service Bus host. The New-SBNamespace command generates the namespace that provides segmentation between applications. The documentation said that “ManageUser” wasn’t required, but my script wouldn’t work without it, so I added the user that I created just for this demo.

New-SBNamespace -Name 'NsSeroterDemo' -ManageUser 'sbuser';


To confirm that everything was working, I ran the Get-SbMessageContainer and saw an active database server returned. At this point, I was ready to try and build an application. I opened Visual Studio and went to NuGet to add the package for the Service Bus. The name of the SDK package mentioned in the docs seems wrong, and I found the entry under Service Bus 1.0 Beta.


In my first chunk of code, I created a new queue if one didn’t exist.

using System;
using System.Collections.Generic;
using System.Windows.Forms;
using Microsoft.ServiceBus;
using Microsoft.ServiceBus.Messaging;

//define variables
string servername = "WA1BTDISEROSB01";
int httpPort = 4446;
int tcpPort = 9354;
string sbNamespace = "NsSeroterDemo";

//create SB uris (management endpoint on the HTTP port, runtime endpoint on the TCP port)
Uri rootAddressManagement = ServiceBusEnvironment.CreatePathBasedServiceUri("sb", sbNamespace, string.Format("{0}:{1}", servername, httpPort));
Uri rootAddressRuntime = ServiceBusEnvironment.CreatePathBasedServiceUri("sb", sbNamespace, string.Format("{0}:{1}", servername, tcpPort));

//create NS manager, authenticating with the caller's Windows identity
NamespaceManagerSettings nmSettings = new NamespaceManagerSettings();
nmSettings.TokenProvider = TokenProvider.CreateWindowsTokenProvider(new List<Uri>() { rootAddressManagement });
NamespaceManager namespaceManager = new NamespaceManager(rootAddressManagement, nmSettings);

//create factory
MessagingFactorySettings mfSettings = new MessagingFactorySettings();
mfSettings.TokenProvider = TokenProvider.CreateWindowsTokenProvider(new List<Uri>() { rootAddressManagement });
MessagingFactory factory = MessagingFactory.Create(rootAddressRuntime, mfSettings);

//check to see if the queue already exists
if (!namespaceManager.QueueExists("OrderQueue"))
{
    MessageBox.Show("queue is NOT there ... creating queue");

    //create the queue
    namespaceManager.CreateQueue("OrderQueue");
}
else
{
    MessageBox.Show("queue already there!");
}

After running this (directly on the Windows Server that had the Service Bus installed since my local laptop wasn’t part of the same domain as my Windows Server, and credentials would be messy), as my “sbuser” account, I successfully created a new queue. I confirmed this by looking at the relevant SQL Server database tables.


Next I added code that sends a message to the queue.

//write message to queue
MessageSender msgSender = factory.CreateMessageSender("OrderQueue");
BrokeredMessage msg = new BrokeredMessage("This is a new order");
msgSender.Send(msg);

MessageBox.Show("Message sent!");

Executing this code results in a message getting added to the corresponding database table.


Sweet. Finally, I wrote the code that pulls (and deletes) a message from the queue.

//receive message from queue (PeekLock by default: the message stays locked until Complete)
MessageReceiver msgReceiver = factory.CreateMessageReceiver("OrderQueue");
string order = string.Empty;
BrokeredMessage rcvMsg = msgReceiver.Receive();

if (rcvMsg != null)
{
    order = rcvMsg.GetBody<string>();
    //call complete to remove from queue
    rcvMsg.Complete();
}

MessageBox.Show("Order received - " + order);

When this block ran, the application showed me the contents of the message, and upon looking at the MessagesTable again, I saw that it was empty (because the message had been processed).


So that’s it. From installation to development in a few easy steps. Having the option to run the Service Bus on any Windows machine will introduce some great scenarios for cloud providers and organizations that want to manage their own message broker.
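
Richard’s receive block works for a demo, but a consumer that runs unattended needs to decide what happens when the body is not what it expects, when processing throws, and when the lock expires. The following is an added example, not Richard’s code, that builds on the NamespaceManager and MessagingFactory constructed as in his post (passed in, not rebuilt) and uses the same Microsoft.ServiceBus.Messaging API: PeekLock with an explicit Complete, Abandon on transient failure so the broker redelivers, DeadLetter for bodies that fail validation, and a MaxDeliveryCount on the queue so a poison message cannot loop forever. Queue settings and the validation rule are illustrative choices of mine.

```csharp
using System;
using Microsoft.ServiceBus;
using Microsoft.ServiceBus.Messaging;

// Added example, not the post's code. Robust PeekLock consumer for the OrderQueue.
public static class OrderQueueConsumer
{
    public const string QueuePath = "OrderQueue";

    // Create the queue with the settings that make the loop below safe to run unattended.
    public static void EnsureQueue(NamespaceManager namespaceManager)
    {
        if (namespaceManager.QueueExists(QueuePath)) return;
        QueueDescription description = new QueueDescription(QueuePath)
        {
            LockDuration = TimeSpan.FromSeconds(30),            // how long a PeekLock holds the message
            MaxDeliveryCount = 5,                               // broker dead-letters after 5 failed deliveries
            RequiresDuplicateDetection = true,                  // same MessageId within the window is dropped
            DuplicateDetectionHistoryTimeWindow = TimeSpan.FromMinutes(10),
            DefaultMessageTimeToLive = TimeSpan.FromDays(1)
        };
        namespaceManager.CreateQueue(description);
    }

    // Processes at most one message. Returns false when the queue stayed empty for the
    // whole wait, so a caller can loop without spinning.
    public static bool ProcessOne(MessagingFactory factory, Func<string, bool> handleOrder, TimeSpan wait)
    {
        MessageReceiver receiver = factory.CreateMessageReceiver(QueuePath, ReceiveMode.PeekLock);
        try
        {
            BrokeredMessage message = receiver.Receive(wait);
            if (message == null) return false;

            using (message)
            {
                string order;
                try
                {
                    order = message.GetBody<string>();
                }
                catch (Exception ex)
                {
                    // Redelivery would fail the same way, so park it in the dead-letter sub-queue.
                    message.DeadLetter("BodyDeserialization", ex.Message);
                    return true;
                }

                // Treat the body as untrusted input: validate before acting on it.
                if (string.IsNullOrWhiteSpace(order) || order.Length > 4096)
                {
                    message.DeadLetter("Validation", "Order body empty or larger than 4096 characters");
                    return true;
                }

                try
                {
                    if (handleOrder(order))
                        message.Complete();     // removes it from the queue
                    else
                        message.Abandon();      // lock released, DeliveryCount + 1, broker redelivers
                }
                catch (MessageLockLostException)
                {
                    // LockDuration elapsed while handling; the broker has already made it visible again.
                }
                catch (Exception)
                {
                    // Transient failure: give it back; after MaxDeliveryCount attempts the broker dead-letters it.
                    message.Abandon();
                }
            }
            return true;
        }
        finally
        {
            receiver.Close();
        }
    }
}
```

Dead-lettered messages land in the `OrderQueue/$DeadLetterQueue` sub-queue together with the reason and description passed to DeadLetter, where they can be inspected with a second receiver instead of blocking the live queue. A loop of `while (OrderQueueConsumer.ProcessOne(factory, HandleOrder, TimeSpan.FromSeconds(10))) { }` drains the queue and stops when it is empty.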


Abishek Lal described Service Bus [for Windows Server] Symmetry in a 7/16/2012 post (missed when published):

Whether your application runs in the cloud or on premises, it often needs to integrate with other applications or other instances of the application. Windows Azure Service Bus provides messaging technologies including Relay and Brokered messaging to achieve this. You also have the flexibility of using the Azure Service Bus (multi-tenant PAAS) and/or Service Bus 1.0 (for Windows Server). This post takes a look at both these hosting options from the application developer perspective.

The key principle in providing these offerings is to enable applications to be developed, hosted and managed consistently between cloud service and on-premise hosted environments. Most features in Service Bus are available in both environments and only those that are clearly not applicable to a certain hosting environment are not symmetric. Applications can be written against the common set of features and then can be run between these environments with configuration only changes.

Overview

The choice of using Azure Service Bus and Service Bus on-premise can be driven by several factors. Understanding the differences between these offerings will help guide the right choice and produce the best results. Azure Service Bus is a multi-tenant cloud service, which means that the service is shared by multiple users. Consuming this service requires no administration of the hosting environment, just provisioning through your subscriptions. Service Bus on-premise is when you install the same service bits on machines and thus manage tenancy and the hosting environment yourself.

image

Figure 1: Windows Azure Service Bus (PAAS) and Service Bus On-premise

Development

To use any of the Service Bus features, Windows applications can use Windows Communication Foundation (WCF). For queues and topics, Windows applications can also use a Service Bus-defined Messaging API. Queues and topics can be accessed via HTTP as well, and to make them easier to use from non-Windows applications, Microsoft provides SDKs for Java, Node.js, and other languages.

All of these options will be symmetric between Azure Service Bus and Service Bus 1.0, but given the Beta nature of the release, this symmetry is not yet available. The key considerations are called out below:

Similarities
  • The same APIs and SDKs can be used to target Azure Service Bus and Service Bus on-premise
  • Configuration only changes can target application to the different environments
  • The same application can target both environments
Differences
  • Identity and authentication methods will vary thus having application configuration impact
  • Latency, throughput and other environmental differences can affect application performance since these are directly tied to the physical hardware that the service is hosted in
  • Quotas vary between environments (details here)

It’s important to understand that there is only one instance of Azure Service Bus that is available as a PAAS service but several on-premise environments may exist either through third-party hosters or self-managed IT departments. Since the service is continually evolving with new features and improvements it is a significant factor in deciding which features to consume based on the environment targeted. Below is a conceptual timeline of how the features will be released (note this does NOT track to any calendar dates):

image

Figure 2: Client SDK release and compatibility timeline

Application Considerations

The key considerations from an application perspective can be driven by business or engineering needs. The key similarities and differences from this perspective are listed below:

Similarities
  • Namespaces are the unit for identity and management of your artifacts
  • Queues/Topics are contained within a Namespace
  • Claims based permissions can be managed on a per-entity basis
  • Size constraints are applied on Queues/Topics
Differences
  • Relay messaging is currently unavailable on Service Bus on-premise
  • Service Registry is currently available on Service Bus on-premise
  • Token based Identity providers for Service are ACS and for on-premise is AD and Self-signed tokens
  • SQL Server is the storage mechanism that is provisioned and managed by you for on-premises
  • Latency and throughput of messages vary between the environments
  • The maximum allowable values for message size and entity size vary

Do give the Service Bus 1.0 Beta a try, following are some additional resources:

  • Download Service Bus 1.0 Beta
  • Service Bus 1.0 Beta Documentation
  • NuGet package to develop with Service Bus 1.0 Beta
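
The "configuration only changes" and the identity difference the post lists (ACS tokens for the cloud service, Windows identity for the on-premises farm) are easiest to see in code. The following is an added example, not from Abhishek Lal’s post or the Service Bus SDK, showing one way to let the same application target either environment from appSettings alone. The appSetting key names are my own invention; the cloud side uses the ACS shared-secret token provider, the on-premises side uses the Windows token provider with the host:port address shape of the Service Bus 1.0 beta (I use https for the management endpoint, per the beta documentation, and sb for the runtime endpoint).

```csharp
using System;
using System.Configuration;
using Microsoft.ServiceBus;
using Microsoft.ServiceBus.Messaging;

// Added example, not the post's code. Assumed appSettings (key names are mine):
//
//   <appSettings>
//     <add key="ServiceBus.Mode"       value="Cloud" />           <!-- or "OnPremises" -->
//     <add key="ServiceBus.Namespace"  value="mynamespace" />
//     <!-- Cloud only: ACS issuer. The key is a secret; keep it out of source control. -->
//     <add key="ServiceBus.IssuerName" value="owner" />
//     <add key="ServiceBus.IssuerKey"  value="..." />
//     <!-- OnPremises only: farm host and the ports chosen with New-SBFarm -->
//     <add key="ServiceBus.Host"       value="sbserver.corp.example" />
//     <add key="ServiceBus.HttpPort"   value="4446" />
//     <add key="ServiceBus.TcpPort"    value="9354" />
//   </appSettings>
public sealed class ServiceBusEndpoints
{
    public Uri ManagementAddress { get; private set; }
    public Uri RuntimeAddress { get; private set; }
    public TokenProvider Tokens { get; private set; }

    public static ServiceBusEndpoints FromConfig()
    {
        string mode = Setting("ServiceBus.Mode");
        string ns = Setting("ServiceBus.Namespace");
        ServiceBusEndpoints ep = new ServiceBusEndpoints();

        if (string.Equals(mode, "Cloud", StringComparison.OrdinalIgnoreCase))
        {
            // Multi-tenant PaaS: well-known host derived from the namespace, ACS issues the token.
            ep.ManagementAddress = ServiceBusEnvironment.CreateServiceUri("sb", ns, string.Empty);
            ep.RuntimeAddress = ep.ManagementAddress;
            ep.Tokens = TokenProvider.CreateSharedSecretTokenProvider(
                Setting("ServiceBus.IssuerName"), Setting("ServiceBus.IssuerKey"));
        }
        else if (string.Equals(mode, "OnPremises", StringComparison.OrdinalIgnoreCase))
        {
            // Self-hosted farm: explicit host and ports; the caller's Windows identity is the
            // credential, so no secret lives in configuration at all.
            string host = Setting("ServiceBus.Host");
            ep.ManagementAddress = ServiceBusEnvironment.CreatePathBasedServiceUri(
                "https", ns, host + ":" + Setting("ServiceBus.HttpPort"));
            ep.RuntimeAddress = ServiceBusEnvironment.CreatePathBasedServiceUri(
                "sb", ns, host + ":" + Setting("ServiceBus.TcpPort"));
            ep.Tokens = TokenProvider.CreateWindowsTokenProvider(new[] { ep.ManagementAddress });
        }
        else
        {
            throw new ConfigurationErrorsException(
                "ServiceBus.Mode must be Cloud or OnPremises, got '" + mode + "'.");
        }
        return ep;
    }

    // Everything downstream (queue creation, send, receive) is written once against these two.
    public NamespaceManager CreateNamespaceManager()
    {
        return new NamespaceManager(ManagementAddress, new NamespaceManagerSettings { TokenProvider = Tokens });
    }

    public MessagingFactory CreateMessagingFactory()
    {
        return MessagingFactory.Create(RuntimeAddress, new MessagingFactorySettings { TokenProvider = Tokens });
    }

    private static string Setting(string key)
    {
        string value = ConfigurationManager.AppSettings[key];
        if (string.IsNullOrEmpty(value))
            throw new ConfigurationErrorsException("Missing appSetting '" + key + "'.");
        return value;
    }
}
```

Application code then calls `ServiceBusEndpoints.FromConfig().CreateNamespaceManager()` and `.CreateMessagingFactory()` and never mentions the environment again; switching between the cloud namespace and the on-premises farm is a change to app.config, which is the symmetry the post describes. The two modes also differ in where the credential lives, and that is worth keeping in mind: the ACS issuer key is a bearer secret that must be protected like a password, while the on-premises path carries no secret because the farm trusts the Windows account the process runs as.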

<Return to section navigation list>

Windows Azure Virtual Machines, Virtual Networks, Web Sites, Connect, RDP and CDN

Maarten Balliauw (@maartenballiauw) described Hands-on Windows Azure Services for Windows with Windows Azure in a 7/24/2012 post:

A couple of weeks ago, Microsoft announced their Windows Azure Services for Windows Server. If you’ve ever heard about the Windows Azure Appliance (which is vaporware imho :-) ), you’ll be interested to see that the Windows Azure Services for Windows Server are in fact bringing the Windows Azure Services to your datacenter. It’s still a Technical Preview, but I took the plunge and installed this on a bunch of virtual machines I had lying around. In this post, I’ll share you with some impressions, ideas, pains and speculations.

Why would you run Windows Azure Services in your own datacenter? Why not! You will make your developers happy because they have access to all services they are getting to know and getting to love. You’ll be able to provide self-service access to SQL Server, MySQL, shared hosting and virtual machines. You decide on the quota. And if you’re a server hugger like a lot of companies in Belgium: you can keep hugging your servers. I’ll elaborate more on the “why?” further in this blog post.

Note: Currently only SQL Server, MySQL, Web Sites and Virtual Machines are supported in Windows Azure Services for Windows Server. Not storage, not ACS, not Service Bus, not…

You can sign up for my “I read your blog plan” at http://cloud.balliauw.net and create your SQL Server databases on the fly! (I’ll keep this running for a couple of days, if it’s offline you’re too late).

My setup

Since I did not have enough capacity to run enough virtual machines (you need at least four!) on my machine, I decided to deploy the Windows Azure Services for Windows Server on a series of virtual machines in Windows Azure’s IaaS offering.

You will need servers for the following roles:

  • Controller node (the management portal your users will be using)
  • SQL Server (can be hosted on the controller node)
  • Storage server (can be on the controller node as well)

If you want to host Windows Azure Websites (shared hosting):

  • At least one load balancer node (will route HTTP(S) traffic to a frontend node)
  • At least one frontend node (will host web sites, more frontends = more websites / redundancy)
  • At least one publisher node (will serve FTP and Webdeploy)

If you want to host Virtual Machines:

  • A System Center 2012 SP1 CTP2 node (managing VM’s)
  • At least one Hyper-V server (running VM’s)

Being a true ITPro (forgot the <irony /> element there…), I decided I did not want to host those virtual machines on the public Internet. Instead, I created a Windows Azure Virtual Network. Knowing CIDR notation (<irony />), I quickly crafted the BalliauwCloud virtual network: 172.16.240.0/24.

So a private network… Then again: I wanted to be able to access some of the resources hosted in my cloud on the Internet, so I decided to open up some ports in Windows Azure’s load balancer and firewall so that my users could use the SQL Server both internally (172.16.240.9) and externally (sql1.cloud.balliauw.net). Same with high-density shared hosting in the form of Windows Azure Websites by the way.

Being a Visio pro (no <irony /> there!), here’s the schematical overview of what I setup:

Windows Azure Services for Windows Server - Virtual Network

Nice, huh? Even nicer is my to-be diagram where I also link creating Hyper-V machines to this portal (not there yet…):

Virtual machines

My setup experience

I found the detailed step-by-step installation guide and completed the installation as described. Not a great success! The Windows Azure Websites feature requires a file share and I forgot to open up a firewall port for that. The result? A failed setup. I restarted setup and ended with 500 Internal Server Terror a couple of times. Help!

Being a Technical Preview product, there is no support for cleaning / restarting a failed setup. Luckily, someone hooked me up with the team at Microsoft who built this and thanks to Andrew (thanks, Andrew!), I was able to continue my setup.

If everything works out for your setup: enjoy! If not, here are some troubleshooting tips:

Keep an eye on the C:\inetpub\MgmtSvc-ConfigSite\trace.txt log file. It holds valuable information, as well as the event log (Applications and Services Log > Microsoft > Windows > Antares).

If you’re also experiencing issues and want to retry installation, here are the steps to clean your installation:

  1. On the controller node: stop services:

    net stop w3svc

    net stop WebFarmService

    net stop ResourceMetering

    net stop QuotaEnforcement

  2. In IIS Manager (inetmgr), clean up the Hosting Administration REST API service. Under site MgmtSvc-WebSites:

    - Remove IIS application HostingAdministration (just the app, NOT the site itself)

    - Remove physical files: C:\inetpub\MgmtSvc-WebSites\HostingAdministration

  3. Drop databases, and logins by running the SQL script: C:\inetpub\MgmtSvc-ConfigSite\Drop-MgmtSvcDatabases.sql

  4. (Optional, but helped in my case) Repair permissions

    PowerShell.exe -c "Add-PSSnapin WebHostingSnapin ; Set-ReadAccessToAsymmetricKeys IIS_IUSRS"

  5. Clean up registry keys by deleting the three folders under the following registry key (NOT the key itself, just the child folders):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IIS Extensions\Web Hosting Framework

    Delete these folders: HostingAdmin, Metering, Security

  6. Restart IIS

    net start w3svc

  7. Re-run the installation with https://localhost:30101/

Configuration

After installation comes configuration. Configuration depends on the services you want to offer. I’m greedy so I wanted to provide them all. First, I registered my SQL Server and told the Windows Azure Services for Windows Server management portal that I have about 80 GB to spare for hosting my users’ databases. I did the same with MySQL (setup is similar):

Windows Azure Services for Windows Server SQL Server

You can add more SQL Servers and even define groups. For example, if you have a SQL Server which can be used for development purposes, add that one. If you have a high-end, failover setup for production, you can add that as a separate group so that only designated users can create databases on that SQL Server cluster of yours.

For Windows Azure Web Sites, I deployed one node of every role that was required:

Windows Azure Services for Windows Server Web Sites

What I liked in this setup is that if I want to add one of these roles, the only thing required is a fresh Windows Server 2008 R2 or 2012. No need to configure the machine: the Windows Azure Services for Windows Server management portal does that for me. All I have to do as an administrator in order to grow my pool of shared resources is spin up a machine and enter the IP address. Windows Azure Services for Windows Server management portal takes care of the installation, linking, etc.

Windows Azure Services for Windows Server - Adding a role

The final step in offering services to my users is creating at least one plan they can subscribe to. Plans define the services provided as well as the quota on these services. Here’s an example quota configuration for SQL Server in my “Cloud Basics” plan:

Windows Azure Services for Windows Server Manage plans

Plans can be private (you assign them to a user) or public (users can self-subscribe, optionally only when they have a specific access code). …

Maarten goes on to illustrate “The End User Experience” with Windows Azure Services and concludes:

Conclusion

I’ve opened this post with a “Why?”; let’s end it with that question. Why would you want to use this? The product was announced on Microsoft’s hosting subsite, but the product name (Windows Azure Services for Windows Server) and my experience with it so far makes me tend to think that this product is a fit for any enterprise!

You will make your developers happy because they have access to all services they are getting to know and getting to love. You’ll be able to provide self-service access to SQL Server, MySQL, shared hosting and virtual machines. You decide on the quota. You manage this. The only thing you don’t have to manage is the actual provisioning of services: users can use the self-service possibilities in Windows Azure Services for Windows Server.

Want your departments to be able to quickly set up a WordPress or Drupal site? No problem: using Web Sites, they are up and running. And depending on the front-end role you assign them, you can even put them on the Internet, intranet or both. (Note: this is possible through some PowerShell scripting; by default it’s just one pool of servers there.)

The fact that there is support for server groups (say, development servers and high-end SQL Server clusters or 8-core IIS machines running your web applications) makes it easy for administrators to grant access to specific resources while some other resources are reserved for production applications. And I suspect this will extend to the public cloud making it possible to go hybrid if you wish. Some services out there, some in your basement.

I’m keeping an eye on this one.


<Return to section navigation list>

Live Windows Azure Apps, APIs, Tools and Test Harnesses

Nathan Totten (@ntotten) described a Windows Azure Web Sites Modern Application Sample – Cloud Survey in a 7/24/2012 post:

If you had a chance to watch the Windows Azure Web Site session at Learn Windows Azure you may have noticed an application used in the demos called Cloud Survey. The Cloud Survey sample is a modern web application that is built using ASP.NET MVC 4, ASP.NET Web API, SignalR, and Ember.js. This application is designed to be deployed and run on Windows Azure Web Sites and uses SQL Databases for persistence.

Today, I have published the entire source of the Cloud Survey application to Github and made it available under the Apache license. You can download the source directly from Github. You can also see a live demo of the site deployed to Windows Azure Web Sites (username: admin; password: Contoso123!).

You can find a step-by-step tutorial on how to publish and use the Cloud Survey sample in the README. Additionally, I have recorded a screencast demonstrating and explaining the various features of the Cloud Survey application. You can view the screencast below or on Channel 9.

I hope you enjoy this sample. Please let me know if you have any questions or feedback.

[Attached file: cloudsurvey_hd.mp4]


David Makogon posted ISV Guest Post Series: iVoteSports Scales its Baseball-Focused Mobile Game App with Windows Azure on 7/24/2012:

Editor’s Note: Today’s post, written by Bill Davidheiser [pictured at right], Chief Architect and Co-founder of iVoteSports, describes how the company uses Windows Azure to power its iVoteSports MLB-focused mobile game.

We started iVoteSports.com (sold on the Apple, Android and Amazon app markets) with a fairly simple idea that most sports, like baseball, can be broken down into games within the game. For example, every baseball inning has many at-bats and each individual batter has a number of potential outcomes for his at-bat such as a walk, strike and home run.

The basic theme of the game is to let users predict the outcome of each event and win points for guessing correctly. The winnable points are based on a number of factors such as the probability of the event outcome.

Determining the winner of a live sporting event is challenging due to the volume and frequency of events. Using baseball as an example: Each game has 9 or more innings with 6 at-bats per inning, and each at-bat has at least 3 events (strike, ball, etc). This, coupled with a volume of 162 games per team per regular season, creates a tremendous volume of events that cannot be managed by a human umpire – at least not within the practical resource constraints of our game. To address this, we created a way to programmatically determine outcomes using crowd sourcing concepts.

WINDOWS AZURE DESIGN AND FLUCTUATING TRAFFIC

As mentioned, the nature of live sporting events is that a lot of people get together in relatively short time period (around 3 hours) and then they rapidly disperse. Since the iVoteSports application is played during the live game, it needs to support these dramatic usage spikes.

This type of fluctuating demand is perfect for a cloud application. In our idle state we maintain two small (single-core) Windows Azure web role instances. However, as many players come on board, we can quickly add web instances, scaling out as demand ramps up. The trigger point for adding additional instances intra-day is based mostly on processor utilization: if we are consistently exceeding 80% we will add additional instances.

In future versions we will programmatically add instances via the management API, taking advantage of the Microsoft Enterprise Library’s Autoscaling Application Block (WASABi), but for now scaling is performed manually. For days that have enough popular games to require increased capacity, we can proactively increase the instance counts.

The actual build-out of iVoteSports turned out to more closely resemble a multi-tier enterprise application than a mobile game. We have distinct concepts of presentation, application and data layers.

Since the database is multi-tenant, user IDs are associated with all tables that deal with activities such as keeping score, making a prediction, or asserting an outcome. Our views, UDF and stored procedure development was pretty much exactly like what would be created for a typical .Net application. Since only user prediction and outcome information is kept from day to day (stats and schedule data is archived) the 150GB Windows Azure SQL Database limit is not an issue.

Our initial decision to use SQL Database was driven mostly by the desire to create optimized TSQL that could be changed on the fly without need to redeploy code. For our next generation of the game, we will likely migrate some, if not all, of our data structures to the more cost effective Windows Azure Table Storage.

As a side note, a mobile app that has a lot of the logic in the server has nice benefits. Web developers get spoiled in the ability to push out a hot-fix in near real time to correct bugs. Unfortunately when a bug is found in mobile code there is nothing real-time about the fix. In the case of Apple, it could take as much as a week to get the change approved.

THE MOBILE APP

Our presentation tier is the mobile device. We started by creating a lightweight API that was really optimized for unpredictable traffic between a wide range of mobile devices – including the really old phones unable to make rapid network calls. The test case was an antique 1st generation Droid that had such an overburdened processor it would take an Angry Bird around 5 seconds to cross the screen.

While security is not a major issue with the game, we implemented authentication enforced by coupling the email address with the physical device ID. If needed in the future, we can derive a security token used for role based authorization of certain functions.

All traffic originating from the mobile devices is stateless and effectively synchronous. Each mobile device will perform a lightweight server poll every few seconds to check if there are messages waiting. If messages are waiting, a more expensive data exchange call is made.

PROBABILITIES AND POINTS

Probabilities are central to our game. The probability of a play outcome is driven off a handful of key influences such as historical event outcomes (fly-outs are more common than walks), player match-ups (batter-X does well against pitcher-Y) and player aptitude (batter hits .240). There are of course other factors such as stadium, injury and weather that play a part in the probability, but on average these factors are minimal and mostly just applicable to a local sports bookie.

Mashing key influences together produces a combined probability that can be converted to winnable points for the predictor of the play outcome. We call that prediction an iVote. For example: a home run against Casey Jones batting against Joe Throwhard will earn 30 points for a correct iVote while a home run predication for a weaker batter than Casey may give the opportunity for 100 points. Las Vegas people commonly refer to this as a “point spread.”

Taking it one step further, when many people are involved with the same play, point motivations can be created to encourage less popular predictions to be made and keep a more even distribution of iVotes. This concept is roughly patterned after what is often known as “Spread Betting.”

It is important to note that even though iVoteSports.com deals with a lot of gambling concepts, we are in no way a gambling application. There are only points involved – never actual money.

STATISTICS FEEDS

Adding current stats allows us to make the game quite a bit more interesting by preloading batting line-ups, showing player bios and trivia, and of course using the most current stats so that our probability calculations are using good data.

We get two types of data from Stats.com: daily and pre-game. The daily data includes schedule, roster and player statistics and is loaded into our SQL Database at 4am Pacific time each morning. The pre-game data is loaded about 15 minutes before each baseball game starts and contains the starting batting line-up for each team along with the starting pitchers.

OUTCOME DETERMINATIONS

Programmatic determination of an event’s outcome is quite difficult. This is not an issue when a trusted official is recording each event, but as mentioned earlier using a human official was not a scalable answer for our mobile app where we can have dozens of games occurring at once at many different times of the day.

Crowdsourcing design patterns turned out to be an excellent answer for us. As documented by many excellent articles and practical examples such as the Truthsquad Experiment, if you get enough people saying that something is true then it probably is. Of course there are caveats to “collective truth” such as ensuring against collaborators and having less than a critical mass of people. However these challenges can be mitigated and on the whole crowdsourcing is a mathematically proven approach and quite effective for our purpose.

As shown in the graph ‘Relation of assertions to accuracy,’ when we reach the critical mass of players in a given event asserting an outcome we have confidence the assertion accurately represents the outcome. For example, if we have 30% users from the total population that say a specific event occurred (such as a player has struck out) we have a confidence exceeding 50% that we have a confirmed, actual outcome.

Confidence greater than 60% allows us to not only reward the people that predicted correctly but penalize those that appeared to have cheated by saying they iVoted right when they really didn’t.

LESSONS LEARNED

We feel very comfortable with our overall design; specifically by running a large component of our game in Windows Azure, we will be able to rapidly develop to new presentation platforms.

We found the Windows Azure SQL Database query optimization process to be more challenging than with regular SQL Server. We used the now discontinued RedGate backup utility to create a local copy of the DB and then ran the SQL Profiler, feeding the results into the SQL DB Tuning Advisor. We manually applied the Tuning Advisor suggested indexes to our SQL Database via SQL Management Studio. Hopefully Microsoft will give tools to improve this process in the near future.

The main Windows Azure lesson we learned during the development process had to do with deployment. We initially used the web role’s web deploy option without realizing that the VM would be reset on a periodic basis. The non-persistent nature of web deploy will cause the deployment to be reverted back to its original state when the web role VM is re-imaged. When re-imaging occurs, Microsoft does not send notification – at least no notification that we were aware of. This caused confusion when our application kept reverting back to older behavior.

However overall we had an excellent experience with Windows Azure. With unpredictable and rapid demand variations, Windows Azure proved to be an ideal operational platform for our game. In addition the development tools gave us good productivity with short learning curves.

While technical in nature, we hope the end result is an easy to use and entertaining sports game. To check out the results of our work, please visit us at www.ivotesports.com.


Nathan Totten (@ntotten) started a series with Facebook Apps and Windows Azure Web Sites (Part 1 – Getting Started) on 7/23/2012:

Windows Azure Web Sites (WAWS) is a great platform for deploying Facebook Applications. Not only is it super easy to deploy your application to WAWS, but it is also free to get started. This post is the first in a three part series about building Facebook Apps and deploying them to Windows Azure Web Sites.

In this first part you will see how to build a site using ASP.NET MVC 4 and the Facebook C# SDK that allows your users to login to your application with Facebook. For this post I will be using Visual Studio 2012 RC, but you could also use Visual Studio 2010. I will be targeting .Net 4.0 as .Net 4.5 is not yet supported in Windows Azure Web Sites.

To begin I have created an ASP.NET MVC 4 project using the basic project template.

Next, add the Facebook C# SDK to the project using NuGet by running the following command.

Install-Package Facebook

Next, we need to build the basic components of the application. I am going to add three controllers – HomeController, AccountController, and AppController. Additionally, I am going to add two views App/Index.cshtml and Home/Index.cshtml. The App/Index view will be shown to authenticated users and the Home/Index view will be the public landing page for the application.

The AccountController won’t have any views in our simple application; it will only be used to perform the server-side functions for Facebook Authentication. In a real application you may want to use the AccountController to handle alternate authentication methods and tasks like resetting your account password.

Now that we have our basic application shell set up we need to create a Facebook Application on Facebook’s developer site. For this demo I am actually going to create two different applications – one will be used for local development and the other will be used for production deployments. This is a common practice for Facebook developers. When you log in to Facebook’s developer site click the “Create New App” button. You will need to perform these steps twice, once for local development and once for production. I tend to use the naming convention “MyAppName – Local” for my local test app and “MyAppName” for my production app. You could also have a “MyAppName – Staging” for a staging app if you wanted.

After each of your applications are created you will be taken to the app information page. You will see both your App Id and App Secret on these pages. Save this information for both apps as you will need it in the next step.

Next set the App Id and App Secret values in our web.config files so we can use them in our application. We can use Web.config transforms in order to set the appropriate Facebook application for local development or production. For local development add the following keys to your Web.config file.

<appSettings>
  ...
  <add key="FacebookAppId" value="your_local_app_id"/>
  <add key="FacebookAppSecret" value="your_local_app_secret" />
</appSettings>

For the production environment add the following keys to your Web.Release.config file.

<appSettings>
<add key="FacebookAppId" value="your_prod_app_id"
     xdt:Transform="SetAttributes" xdt:Locator="Match(key)"/>
<add key="FacebookAppSecret" value="your_prod_app_secret"
     xdt:Transform="SetAttributes" xdt:Locator="Match(key)" />
</appSettings>

Next we will set up our MVC Application for user authentication using Facebook’s OAuth API. To begin, we set up a page that will be secured. Open your AppController and add the [Authorize] attribute to the controller as shown below. This will ensure that only authorized users can access this page.

[Authorize]
public class AppController : Controller
{
    //
    // GET: /App/

    public ActionResult Index()
    {
        return View();
    }

}

The next step is to create our Facebook login action. We will do this in the AccountController. To begin, rename the Index action to Login. Next we need to create the Facebook OAuth url and redirect our user there. You can see below how to do this using the Facebook C# SDK.

using System;
using System.Configuration;
using System.Web.Mvc;
using Facebook;

public class AccountController : Controller
{
    //
    // GET: /Account/Login

    public ActionResult Login()
    {
        // Build the Return URI from the Request Url
        var redirectUri = new UriBuilder(Request.Url);
        redirectUri.Path = Url.Action("FbAuth", "Account");

        var client = new FacebookClient();

        // Generate the Facebook OAuth URL
        // Example: https://www.facebook.com/dialog/oauth?
        //                client_id=YOUR_APP_ID
        //               &redirect_uri=YOUR_REDIRECT_URI
        //               &scope=COMMA_SEPARATED_LIST_OF_PERMISSION_NAMES
        //               &state=SOME_ARBITRARY_BUT_UNIQUE_STRING
        var uri = client.GetLoginUrl(new
        {
            client_id = ConfigurationManager.AppSettings["FacebookAppId"],
            redirect_uri = redirectUri.Uri.AbsoluteUri,
            scope = "email",
        });

        return Redirect(uri.ToString());
    }
}

Next, go ahead and run the site and navigate to http://localhost:####/App, where #### is the port number your site is running on. Because the AppController requires users to be authenticated you will be redirected to the Facebook OAuth page. However, you will notice that Facebook will give you an error as shown below.

This error is caused by our redirect_uri not being set as our Site url in the Facebook App settings. To remedy this go back to your Facebook App settings and set the value of Site url equal to the local url your application is running. You can see this setting below. Note, we will need to perform this same step on the production app as well.

After you have saved this setting, navigate your browser again to http://localhost:####/App. You will now be redirected to the Facebook OAuth dialog asking you to authorize your application.

After you click “Go to App” Facebook will redirect the user to the URL specified in the redirect_uri parameter as specified above. In this case the redirect_uri is http://localhost:####/Account/FbAuth. We have not created this page so you will receive a 404 error.

The FbAuth action that Facebook redirects the user to is responsible for reading the Facebook authorization result information, validating that information, and setting the user authentication cookie. You can perform these actions with the code below.

// Goes in AccountController; FormsAuthentication also needs: using System.Web.Security;
public ActionResult FbAuth(string returnUrl)
{
    var client = new FacebookClient();
    var oauthResult = client.ParseOAuthCallbackUrl(Request.Url);

    // Build the Return URI from the Request Url
    var redirectUri = new UriBuilder(Request.Url);
    redirectUri.Path = Url.Action("FbAuth", "Account");

    // Exchange the code for an access token
    dynamic result = client.Get("/oauth/access_token", new
    {
        client_id = ConfigurationManager.AppSettings["FacebookAppId"],
        redirect_uri = redirectUri.Uri.AbsoluteUri,
        client_secret = ConfigurationManager.AppSettings["FacebookAppSecret"],
        code = oauthResult.Code,
    });

    // Read the auth values
    string accessToken = result.access_token;
    DateTime expires = DateTime.UtcNow.AddSeconds(Convert.ToDouble(result.expires));

    // Get the user's profile information
    dynamic me = client.Get("/me", 
                  new { 
                     fields = "first_name,last_name,email", 
                     access_token = accessToken 
                  });

    // Read the Facebook user values
    long facebookId = Convert.ToInt64(me.id);
    string firstName = me.first_name;
    string lastName = me.last_name;
    string email = me.email;

    // Add the user to our persistent store
    // (UserService and User are the sample's own persistence classes, not shown here)
    var userService = new UserService();
    userService.AddOrUpdateUser(new User
    {
        Id = facebookId,
        FirstName = firstName,
        LastName = lastName,
        Email = email,
        AccessToken = accessToken,
        Expires = expires
    });

    // Set the Auth Cookie
    FormsAuthentication.SetAuthCookie(email, false);

    // Redirect to the return url if available
    if (String.IsNullOrEmpty(returnUrl))
    {
        return Redirect("/App");
    }
    else
    {
        return Redirect(returnUrl);
    }
}
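The Login and FbAuth actions above show a state parameter in the example URL but never send or check one, so nothing ties the callback to the browser that started the login, and returnUrl is followed unchecked. Here is an added example, not code from Nathan's post or the Facebook C# SDK, of the same two actions with a per-session state value that is generated in Login and verified in FbAuth, plus a local-URL check before the final redirect. The helper names are my own, and IsSuccess and State on the parsed callback result are assumed to be exposed by the SDK version in use.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using Facebook;

// Added example, not from the original post: the Login/FbAuth pair with an OAuth
// "state" value issued per session and verified on the callback, plus a local-URL
// check on returnUrl. StateSessionKey, NewStateToken and RedirectUri are helper
// names assumed by this example.
public class AccountController : Controller
{
    private const string StateSessionKey = "FacebookOAuthState";

    // 256 bits from the CSPRNG, URL-safe encoded so Facebook echoes it back unchanged.
    private static string NewStateToken()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return HttpServerUtility.UrlTokenEncode(bytes);
    }

    // Absolute URL of the FbAuth action, used both in the login URL and the token exchange.
    private string RedirectUri()
    {
        var redirectUri = new UriBuilder(Request.Url);
        redirectUri.Path = Url.Action("FbAuth", "Account");
        return redirectUri.Uri.AbsoluteUri;
    }

    // GET: /Account/Login
    public ActionResult Login()
    {
        var state = NewStateToken();
        Session[StateSessionKey] = state;   // tied to this browser's session cookie

        var client = new FacebookClient();
        var uri = client.GetLoginUrl(new
        {
            client_id = ConfigurationManager.AppSettings["FacebookAppId"],
            redirect_uri = RedirectUri(),
            scope = "email",
            state = state,
        });
        return Redirect(uri.ToString());
    }

    // GET: /Account/FbAuth
    public ActionResult FbAuth(string returnUrl)
    {
        var client = new FacebookClient();
        var oauthResult = client.ParseOAuthCallbackUrl(Request.Url);

        // The state is single-use: forget it before any further checks.
        var expected = Session[StateSessionKey] as string;
        Session.Remove(StateSessionKey);

        // A callback this session did not start (or one Facebook reported as failed)
        // is refused before the code is ever exchanged for a token.
        if (!oauthResult.IsSuccess || expected == null
            || !String.Equals(expected, oauthResult.State, StringComparison.Ordinal))
        {
            return new HttpStatusCodeResult(400, "OAuth state mismatch");
        }

        // Exchange the code for an access token
        dynamic result = client.Get("/oauth/access_token", new
        {
            client_id = ConfigurationManager.AppSettings["FacebookAppId"],
            redirect_uri = RedirectUri(),
            client_secret = ConfigurationManager.AppSettings["FacebookAppSecret"],
            code = oauthResult.Code,
        });
        string accessToken = result.access_token;

        dynamic me = client.Get("/me", new { fields = "email", access_token = accessToken });
        string email = me.email;

        // Persist the user here exactly as the original FbAuth action does, then sign in.
        FormsAuthentication.SetAuthCookie(email, false);

        // Follow returnUrl only when it points back into this site (no open redirect).
        if (!String.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return Redirect("/App");
    }
}
```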

That is everything required to authenticate a user with Facebook. Now all that remains is to publish the site to Windows Azure Web Sites. If you don’t already have a Windows Azure account you can sign up for a free trial on WindowsAzure.com. If you already have an account, log in to the new management portal, click “New” and then click “Web Site”. Select quick create and fill in the form as shown below. Use your own URL for your application.

Click “Create Web Site” and wait a few seconds for your site to be created. After the site is ready click the name to go to the web site dashboard. On the dashboard page you will see a set of links on the left side under the heading “quick glance”. Click the link titled “Download publish profile” as shown.

A file, called a publish profile, will be downloaded that contains all the information necessary to publish your web site to Windows Azure right from Visual Studio.

Back in Visual Studio right-click on your project and click “Publish”.

This will open the Web Publish dialog. In this dialog click “Import” and select the publish profile that you downloaded in the previous step.

After you have imported the publish profile the Publish Web window will populate with the information needed to publish your website. Click “Publish” to publish your site.

After the publish process has completed your website will open. As noted above, we need to set the production Facebook App with the correct site Url in the same way we did with our local application. To do this open your Facebook App settings in the Facebook developer portal and set the Site Url to your Windows Azure Web Site Url (http://yoursitename.azurewebsites.net). With this step complete you can now navigate to http://yoursitename.azurewebsites.net/App and login with your Facebook account.

You can find the entire source for this demo application on Github. Additionally, keep an eye out on this blog for two additional posts on Facebook development with Windows Azure Websites.


Bruce Kyle posted an ISV Video: Windows Azure Performance Management, Monitoring Using AppDynamics to the US ISV Evangelism blog on 7/23/2012:

Customers seeking to simply migrate their applications to the cloud and use traditional server monitoring tools or legacy Application Performance Management (APM) software quickly find themselves stymied. Such obsolete strategies require manual configuration and instrumentation, and they are incapable of monitoring highly elastic cloud environments without producing gaping blind spots.

ISV Video: Windows Azure Performance Management, Monitoring Using AppDynamics

In contrast, AppDynamics’ automatic instrumentation and configuration make it a perfect fit for managing cloud environments with a high rate of change. In addition, AppDynamics’ auto-scaling feature allows Windows Azure customers to automatically provision Windows Azure resources based on the performance and throughput of business transactions.

In this video cloud solutions architect Neil Mackenzie talks with Stephen Burton of AppDynamics who explains how Windows Azure users can:

  • Monitor the health of their Windows Azure application
  • Troubleshoot performance problems in real time
  • Rapidly diagnose root cause of performance problems
  • Dynamically scale up and scale down their Windows Azure application

With the release of AppDynamics Pro 3.4.3, Windows Azure customers can now monitor and troubleshoot applications that leverage:

  • Windows Azure Compute
  • Windows Azure Service Bus
  • Windows Azure SQL
  • Windows Azure Storage

To provide the best possible solution for Windows Azure users, AppDynamics has made available its multi-tenant Monitoring-as-a-Service platform within Windows Azure itself. This minimizes the network bandwidth costs for Windows Azure customers using AppDynamics because they will not have to transfer monitoring data outside of Windows Azure. In addition, online support, documentation and training are all available directly through the Windows Azure Marketplace.

AppDynamics is available now on the Windows Azure Marketplace. Free trials of AppDynamics Pro for Windows Azure last for 30 days and then revert to AppDynamics Lite for Windows Azure, which is currently free. For more information, please visit www.appdynamics.com/azure

.NET application owners who currently manage production applications in their own physical data center can also benefit from AppDynamics. To take advantage of AppDynamics free solution for .NET monitoring, please visit www.appdynamics.com/free or register to try AppDynamics Pro for 30 days at http://www.appdynamics.com/30-day-trial.php

About AppDynamics

AppDynamics is a leading provider of Software-as-a-Service (SaaS) and on-premise application performance management for modern application architectures in both the cloud and the data center. The company delivers solutions for highly distributed and agile environments, helping companies such as Priceline, TiVo, AMICA Insurance, Hotels.com, StubHub, DSW, Staples, Insight Technologies, Abercrombie & Fitch, and Cornell University monitor, troubleshoot, diagnose, and scale their production applications. Over 80,000 people have downloaded AppDynamics Lite, the company’s free troubleshooting solution for Java/.NET, and the company was recognized as an APM Innovator by Gartner.


Sebastian Waksmundzki described The Power of the Worker Role: Windows Azure + Microsoft Dynamics CRM 2011 Better Together, Part Three in a 7/19/2012 post to the MSDynamicsWorld.com blog:

If you are using Windows Azure, then you have probably noticed a huge amount of recent changes. We have a new portal which looks and functions very nicely, more IaaS, and a lot of extended capabilities. Scott Guthrie published a summary article on his blog about new Azure 2.0 that is worth a look.

Let’s then start with another part of Windows Azure that might be very helpful for those of us working in the Microsoft Dynamics world, the “Worker Role”. (You can see our previous explorations on routing orders and brokered messaging also.) It sounds very mysterious but it’s actually simple and powerful at the same time. Worker roles are applications that are developed to run asynchronously and to work on long-running or perpetual tasks independent of user interaction or input. I would definitely compare them to the older (before the cloud era) “Windows Service”. The beauty of the worker role comes also with interoperability – a worker role can host almost any type of application including Java-based, Apache Tomcat, .NET of course, even WCF web services.

But enough theory let’s present our…

Business Problem

Company XYZ is adding more and more customers and they need to perform more and more periodic jobs. Two of these jobs in particular are consuming a lot of resources. One is generation and transfer of invoices and the other is monitoring of their SLA’s (Service Level Agreements).

Generation of invoices seems like a pretty simple job, but our company has many to prepare and they are generated as PDF files. That process happens only during the last two days of every month. In the old days they would have needed to invest in a new server to perform that task effectively and the server would be fully utilized over those two days only. Now they have access to the Windows Azure platform and worker roles. The worker role is designed to execute long-running processes. It can connect to their Dynamics CRM systems, generate PDF files, and attach those PDFs to emails or SharePoint libraries.

And because a worker role uses the same principle as other Azure Services, it can be scaled on demand. Combining the strength of the Windows Azure Diagnostics API and the Service Management API makes it really easy to implement custom logic for auto-scaling Azure Services. That means Company XYZ will pay only for effective usage of compute when they need it. And if suddenly the number of invoices increases, they will be able to handle that very quickly without ordering and waiting for new hardware.

The worker role comes in very handy for all sorts of monitoring type activities. Usually in the Dynamics CRM world all kind of SLAs are handled by workflow and that works quite well usually. But workflows have some limitations when it comes to quick, scalable behaviour, and also it is difficult to run workflows across multiple instances of Dynamics CRM. For that reason, XYZ invested in one central, scalable SLA monitor in an Azure worker role that monitors not just Dynamics CRM cases, but also other systems.

Summary

Worker roles can be very handy for Dynamics CRM implementations and other business applications that require periodic activities and reliable background processes. They provide effective scalability, very good elasticity, and full control over background processes. Yet again, Azure plus Dynamics CRM 2011 prove to be a good match.


<Return to section navigation list>

Visual Studio LightSwitch and Entity Framework 4.1+

Paul van Bladel (@paulbladel) described how to Inject dynamically a column with data-aware icons in a lightswitch datagrid in a 7/25/2012 post:

Introduction

There is no out-of-the-box solution in LightSwitch to show an icon in a datagrid based on the current row data (e.g. show an exclamation mark for customers satisfying a certain condition or predicate). In many cases, developers would create a custom control for this. That’s a good solution but time-consuming, and since LightSwitch is all about saving time and focusing on the business part of the application… we need something better.

What do we have in mind?

This:

As you can see, an exclamation mark is shown for customers from Belgium.

How do we want to inject such an icon column?

We want injecting such a column to be simple, preferably in 2 lines of code:

public partial class SearchCustomers
{
    partial void SearchCustomers_Created()
    {
        Predicate<Customer> predicate = (c) => c.Country.Equals("belgium", StringComparison.InvariantCultureIgnoreCase);
        this.FindControl("grid").InjectColumnWithIcon<Customer, Customer.DetailsClass>(predicate, "important.png");
    }
}

The first line is specifying our predicate or the condition under which we want to show the icon. In our case: customers from Belgium deserve an exclamation mark.

The second line is rendering the grid with the “icon column”.

What is the base infrastructure we need?

Allow me first to tell you that my implementation is heavily inspired by an exquisite technique introduced by Jewel Lambert. See: http://dotnetlore.com/vertical-column-header-text-in-lightswitch-grids/ and here: http://social.msdn.microsoft.com/Forums/en-US/lightswitch/thread/3e7993c0-e51b-40bb-981d-99bcf878eb64

using System;
using System.IO;
using System.Reflection;
using System.Windows.Controls;
using System.Windows.Markup;
using System.Windows.Media.Imaging;
using Microsoft.LightSwitch;
using Microsoft.LightSwitch.Details;
using Microsoft.LightSwitch.Presentation;

namespace LightSwitchApplication
{
    public static class GridExtensions
    {
        // Inserts a read-only image column at position 0 of the DataGrid behind gridProxy and
        // shows the embedded image imagefileName in every row for which predicate is true.
        public static void InjectColumnWithIcon<TEntity, TDetails>(this IContentItemProxy gridProxy, Predicate<TEntity> predicate, string imagefileName)
            where TEntity : EntityObject<TEntity, TDetails>
            where TDetails : EntityDetails<TEntity, TDetails>, new()
        {
            EventHandler<ControlAvailableEventArgs> gridProxy_ControlAvailable = null;

            gridProxy_ControlAvailable = (s1, e1) =>
            {
                DataGrid dataGrid = e1.Control as DataGrid;
                if (dataGrid == null) return;

                BitmapImage bitmapImage = GetBitmapImage(imagefileName);
                var col = new DataGridTemplateColumn();
                var xaml =
                    @"<DataTemplate xmlns=""http://schemas.microsoft.com/winfx/2006/xaml/presentation"">
                          <Image Height=""25"" Width=""25"" />
                      </DataTemplate>";

                var dataTemplate = XamlReader.Load(xaml) as System.Windows.DataTemplate;
                col.CellTemplate = dataTemplate;
                col.IsReadOnly = true;
                dataGrid.Columns.Insert(0, col);

                // LoadingRow also fires for recycled rows, so the icon is set or cleared on
                // every call; otherwise a recycled row would keep a stale icon.
                dataGrid.LoadingRow += new EventHandler<DataGridRowEventArgs>((s2, e2) =>
                {
                    Image image = col.GetCellContent(e2.Row) as Image;
                    if (image == null) return;
                    TEntity currentEntity = e2.Row.DataContext as TEntity;
                    image.Source = (currentEntity != null && predicate(currentEntity)) ? bitmapImage : null;
                });

                // The column only has to be injected once per grid instance.
                gridProxy.ControlAvailable -= gridProxy_ControlAvailable;
            };

            gridProxy.ControlAvailable += gridProxy_ControlAvailable;
        }

        private static BitmapImage GetBitmapImage(string fileName)
        {
            byte[] bytes = GetImageByName(fileName);
            if (bytes == null)
                throw new FileNotFoundException("Embedded resource not found: " + fileName);

            using (MemoryStream ms = new MemoryStream(bytes))
            {
                var bi = new BitmapImage();
                bi.SetSource(ms);
                return bi;
            }
        }

        // Reads an embedded resource from the client assembly. The manifest resource name is
        // "<application name>.Resources.<file name>", which is what a file placed in the
        // client project's Resources folder and marked as Embedded Resource gets.
        private static byte[] GetImageByName(string fileName)
        {
            Assembly assembly = Assembly.GetExecutingAssembly();
            string resourceName = Application.Current.Details.Name + ".Resources." + fileName;

            using (Stream stream = assembly.GetManifestResourceStream(resourceName))
            {
                if (stream == null) return null;
                byte[] buf = new byte[stream.Length];
                stream.Read(buf, 0, (int)stream.Length);
                return buf;
            }
        }
    }
}

How do I include my icon in the Silverlight project?

Include your icon (or image) in the Resource folder of the client project.

Make sure to mark it as an embedded resource:

Source Code

Can be downloaded here: InjectColumnWithIcons

Conclusion

A simple solution for something that would take hours to implement in a regular line of business framework. In LightSwitch it now takes 1 minute.


Paul Patterson (@PaulPatterson) posted Microsoft LightSwitch – List of Printers on 7/24/2012:

An interesting LightSwitch question came up on the MSDN forums. A developer was asking how to get a list of printers from the “server” side of a LightSwitch application. I posted an answer (see here); however, I thought it worthwhile re-posting the information here.

By the way, I am using Visual Studio 2012 RC for this.

Open up the LightSwitch solution in File View. Then, in the Server project, create a custom class file named Printing…

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Drawing;
using System.Drawing.Printing;

namespace LightSwitchApplication
{
    public class Printing
    {

        public IEnumerable<string> GetServerPrinters()
        {
            List<string> listOfPrinters = new List<string>();

            foreach (string printer in PrinterSettings.InstalledPrinters)
            {
                listOfPrinters.Add(printer);
            }

            return listOfPrinters;
        }

    }
}

Then go back into the Logical View of the solution, and create a table named Printer…

I have a Home screen that is the default screen that opens whenever my LightSwitch application runs. On this Home screen I have a query that auto-executes. In this example, the query that auto-executes on the screen is named Companies….

What I then do is select to add code to the Query_Executing method on the ApplicationDataService class of the Server project. I did this by going back to my Companies table and selecting the Query_Executing item in the Write Code drop down…

In the Query_Executing method, I added the following code…

partial void Query_Executing(QueryExecutingDescriptor queryDescriptor)
{
    // Only refresh the printer list when the Home screen's Companies query runs.
    if (queryDescriptor.Name == "Companies")
        LoadPrinters();
}

The above code evaluates which query is being run, and then calls a LoadPrinters method I created (also in the same ApplicationDataService class file), which happens to look like this…

public void LoadPrinters()
{
    Printing printing = new Printing();
    IEnumerable<string> listOfPrinters = printing.GetServerPrinters();

    // Clear the previous snapshot of the Printer table...
    IEnumerable<Printer> printers = DataWorkspace.ApplicationData.Printers.GetQuery().Execute();
    foreach (Printer p in printers)
        p.Delete();

    // ...then add one row per printer installed on the server.
    foreach (string printerName in listOfPrinters)
    {
        Printer newprinter = DataWorkspace.ApplicationData.Printers.AddNew();
        newprinter.PrinterName = printerName;
    }

    DataWorkspace.ApplicationData.SaveChanges();
}

What will happen is: each time a query is executed, if the query’s name matches the query on my screen (which is Companies), the LoadPrinters() method fires. This LoadPrinters method refreshes the Printer table with the list of printers configured on the server. I can then use that Printer table in a drop down list, or whatever, on the client.


<Return to section navigation list>

Windows Azure Infrastructure and DevOps

David Linthicum (@DavidLinthicum) asserted “IT is placing different barriers to cloud adoption than it did four years ago, as old objections are overcome” in a deck for his 3 new roadblocks to cloud computing post of 7/24/2012 to InfoWorld’s Cloud Computing blog:

When it comes to adopting the cloud, enterprise IT remains split, with some for, some against, and the rest still waiting to see more results before jumping in. That’s typical for new technology adoption, given the large number of changes — both opportunities and risks — that cloud computing engenders.

But I’ve noticed the internal IT roadblocks for moving to the cloud are changing now that the cloud push is four years old and not exactly so new or undefined. Of course, you still hear about the old concerns — control, security, and compliance — but new issues have arisen, including talent, infrastructure readiness, and budget.

Are these new roadblocks real problems or just a new set of excuses to say no or stay on the fence?

There is indeed a talent shortage — for now. If you move to Amazon Web Services, Google, or Microsoft Azure, who will maintain those cloud-based systems internally? IT managers are talking to recruiters and getting spooked around how much money cloud developers and admins are commanding these days, on top of the thin prospects for even finding qualified candidates.

Infrastructure readiness refers to the ability for the existing networks and computers that will consume cloud services to perform at the levels required. It’s true that many enterprises will have to upgrade their existing infrastructure to support the requirements of moving some systems to public and hybrid clouds.

The budget roadblock is a bit of a wild card. Many companies move to cloud computing to save money, so it’s hard at first glance to understand why a limited budget would be a consideration. As a matter of fact, an initial investment is typically required, and many IT shops have static budgets that must be closely managed. They can’t spend $5 million upfront to reduce their IT costs from $100 million to $75 million annually. That seems like a silly reason, but anyone who has battled budgets in larger organizations understands this common issue.

Even as some roadblocks to adopting the cloud are fading, new ones emerge. That’s not bad, and the roadblocks aren’t always excuses to say no. There will always be a reason to move to the cloud — and reasons not to. It’s not the worst development, as it ensures that the technology and best practices improve.


J. C. Hornbeck reported Update Rollup 2 for System Center 2012 is now available for download in a 7/24/2012 post:

This rollup includes updates for App Controller, Data Protection Manager (DPM), Operations Manager (OpsMgr), Orchestrator, Service Manager (SCSM) and Virtual Machine Manager (VMM). Download links, installation instructions and the list of issues fixed for each component are documented in the following KB:

KB2706783 – Description of Update Rollup 2 for System Center 2012 (http://support.microsoft.com/kb/2706783)

[Emphasis added.]


<Return to section navigation list>

Windows Azure Platform Appliance (WAPA), Hyper-V and Private/Hybrid Clouds

No significant articles today.


<Return to section navigation list>

Cloud Security and Governance

Stevan Vidich reported a Security, Privacy & Compliance Update: Microsoft Offers Customers and Partners a HIPAA Business Associate Agreement (BAA) for Windows Azure in a 7/25/2012 post to the Windows Azure Blog:

Last month, we announced the availability of SSAE 16 / ISAE 3402 attestation for Windows Azure core services, an important milestone for our customers and partners, as many have requested and received a copy of the audit report. But what our health customers care most about are the HIPAA and HITECH Act compliance capabilities in Windows Azure that they need to fully leverage the cloud.

I’m pleased to announce that we have achieved the most important compliance milestone for our health customers: enabling the physical, technical, and administrative safeguards required by HIPAA and the HITECH Act inside Windows Azure core services, and offering a HIPAA BAA to our EA (Enterprise Agreement/volume licensing) customers and partners in the health industry.

HIPAA and the HITECH Act are United States laws that apply to most doctors’ offices, hospitals, health insurance companies, and other companies involved in the healthcare industry that may have access to patient information (called Protected Health Information or PHI). In many circumstances, for a covered healthcare company to use a service like Windows Azure, the service provider must agree in writing to adhere to certain security and privacy provisions set forth in HIPAA and the HITECH Act.

On July 24th, we updated the Windows Azure Trust Center and made available a HIPAA BAA that includes Windows Azure breach monitoring and notification at the platform level for the following core services:

  • Cloud Services (Web and Worker roles)
  • Storage (Tables, Blobs, Queues)
  • Virtual Machines (Infrastructure-as-a-Service)
  • Networking (Windows Azure Connect, Traffic Manager, and Virtual Network)

Cloud computing has made it possible for health customers to quickly and cost-effectively leverage big data technologies, augment storage needs, accelerate development and testing of new solutions, etc. The Windows Azure BAA means that covered healthcare entities can now leverage Windows Azure core services in a pure public cloud platform, as well as in a hybrid cloud configuration that extends their existing on-premises assets and investments through the public cloud.

Earlier in 2012, Microsoft announced the availability of a BAA that covers Microsoft Office 365 and Dynamics CRM Online. The extension of this BAA to also cover Windows Azure core services is a significant accomplishment. With this BAA now in place, Microsoft is offering something unprecedented in the health IT market – a complete range of public, private and hybrid cloud solutions that support covered healthcare entities’ compliance needs. Rather than go to multiple cloud vendors for productivity, collaboration, application hosting, data storage, and relationship management, Microsoft’s customers can consolidate on one cloud, with one infrastructure partner with a common security and privacy framework that caters specifically to the needs of healthcare covered entities.

Covered entities can now confidently migrate and extend their datacenters on their terms into the public, private, or hybrid clouds, realizing immediate cost savings, organizational agility, and enabling collaboration across the care continuum. While Windows Azure includes features to help enable customers’ privacy and security compliance, customers are responsible for ensuring that their particular use of Windows Azure complies with HIPAA, the HITECH Act, and other applicable laws and regulations.

For more information about how health organizations can leverage cloud services to dramatically lower IT costs and drive greater productivity and collaboration, visit the Microsoft in Health blog.


Phil Cox (@sec_prof) described PCI Compliance in the Public IaaS Cloud: How I Did It in a 7/24/2012 post to the RightScale blog:

Over the past few years, I have heard many folks assert that one can be a PCI compliant merchant using public IaaS cloud and I have heard just as many state that it’s not possible. In retrospect, I have found most of them – including myself – to be misinformed. After gaining more firsthand experience, I feel confident telling you where I sit at this stage in the game on the question: “Can I be PCI compliant using a public IaaS cloud?”

To cut to the chase: The answer is yes, and the hardest part is knowing what you need to do, which I want to help you with here. I am a former Qualified Security Assessor (QSA) and have participated in multiple PCI working groups. As the Director of Security and Compliance for RightScale, I can speak for where we see things, but the information, processes, and opinions I express here are mine alone and are not intended to represent any guidance from the PCI Security Standards Council (SSC) or any card brand.

I’ll first talk about foundational principles and mindsets, then go through each PCI Data Security Standard (DSS) requirement and I’ll give you my “How I did it.” Note that you may disagree, and that is fine. A healthy discussion on this topic is beneficial to everyone! So with that, let’s get started.

Setting the Foundation for PCI Compliance

You will need to understand some foundational assumptions and working rules I go by. First, here are three environment assumptions/guidelines:

  1. All Cardholder Data (CHD) will be housed in the IaaS provider. There is no other managed hosting or physical system in the design.
  2. The application is structured into 3 tiers: Load balancer, app server, DB server.
  3. Dev and Test are separate and have NO CHD, and thus are outside of Cardholder Data Environment (CDE). Thus the design only deals with production systems.

And the foundational assumptions/rules:

  1. You will need to choose an IaaS Cloud Service Provider (CSP) that:
    a. Is on the “Approved Service Providers” list for one of the major card brands (for example the VISA list). If they are not listed, but have done a Level 2 assessment and can show you their Report on Compliance (RoC), that may suffice, depending on your situation.
    b. Will sign a contract that states they must protect CHD in accordance with PCI DSS to the extent it applies to them. This is basically covered if they have done (a) above.
    c. Note: The reason you need a PCI compliant IaaS CSP is because they control the physical systems up to, and including, the hypervisor. They will be responsible for the PCI DSS compliance of that part of the stack.
  2. Find a QSA who knows cloud technology or has the knowledge internally. Note that IMHO very few organizations have the depth of knowledge needed in this area, and will likely get it wrong if they don’t get help.
    a. A good choice is the QSA who did the assessment for your IaaS CSP.
  3. Design your application:
    a. Do not store the Primary Account Number (PAN) if you do not need it. Many payment processors have mechanisms for recurring billing or credits. Depending on your situation, it is highly likely that you do not need to store the PAN, thus making your life significantly easier from a PCI DSS compliance standpoint.
    b. If you are going to store PAN, then the design of the crypto mechanism and, more importantly, the key management of data in the DB, is critical. This is really not a “cloud” thing, and is dealt with in any PCI application that stores CHD.
    c. Terminate SSL/TLS at the load balancer and run all other traffic over the private interface/network. This assumes that the “private” interfaces have been designed to meet the definition of “non-public” as far as PCI DSS. This is the case with Amazon Web Services. Traffic between the private IP addresses can be considered a private network and not require encryption. This does not mean that you can’t or shouldn’t do it, just that you do not have to in order to meet PCI DSS requirements.
  4. Use host-based firewalls for isolation on the individual virtual machines.
    a. Using “security groups” or other hypervisor-based filtering is likely acceptable, but I like the control of the firewall at the host. Use them both if you want, but be careful of conflicts.
    b. I’d recommend using a tool such as CloudPassage to manage the firewall rules. This gives the separation of duty that PCI DSS requires, and will make achieving compliance much easier.
  5. I recommend using an IaaS cloud management solution. In my case, I am managing my PCI environment with RightScale, so some of my descriptions are based on that solution, but the principles I used can be applied regardless of the tools you use.
    a. Disclaimer: The RightScale platform has not undergone a Level 1 assessment, and thus is not on the list of “Approved Service Providers.” I use the fact that RightScale has the available documentation to help me “prove” that the SaaS Platform meets the PCI DSS requirements (using my previous QSA experience). Simply, our ability and willingness to be transparent and helpful in the assessment is key.

How to Determine Scope and Requirement Applicability

I use the following questionnaire for each system/application to determine what is in scope for my PCI assessment:

  1. Does it “store/process/transmit” a Primary Account number (PAN)? If yes, in scope.
  2. Can it be used to “directly manage” (i.e., make changes) on a system component in #1? If yes, in scope.
  3. Does it provide ancillary services (e.g., DNS, NTP) to a system component in #1? If yes, in scope.
  4. Are they segmented? Host-based firewalls restrict all other traffic, so out of scope.

Once I determine that a system/application is in scope, I use the following questionnaire to figure out what requirements need to be met by the component:

  1. Does it “store/process/transmit” a PAN? Then review the system component in view of all requirements (1-12). Example is front-end web server.
  2. Can it be used to directly manage a system component in #1? Then review in context of Requirement 1, 2, 4, 5, 6.{1,2,4}, 7, 8, 10.{1-7}. Example is RightScale.
  3. Does it provide services to a system component in #1 and do I own/manage it? Then review in context of Requirement 1, 2, 4, 5, 6.{1,2,4}, 7, 8, 10.{1-7}. Example is central log collection system.
  4. Is it a 3rd party that provides services to a system component in #1 and I only have a SaaS/API interface to it? Then rely on contracts and review my configuration setting in context of Requirement 7, 8, 10.{1-7}. Example is DNS service.

Note: A realistic working definition of “connected to” (as defined in the PCI DSS) has never been made IMHO, so I used a pragmatic/risk-based definition in my scoping process. At some level, only an air-gap would suffice, which is ridiculous.

The Top-Level PCI DSS Requirements and Public IaaS Cloud

I’ve listed the 12 top-level PCI DSS requirements along with a brief “gist” of how I did it (or would do it if it applied) for RightScale. The full document is 37+ pages – too long for a blog post. The good news is that you can get the full paper here on PCI DSS requirements and public IaaS cloud.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Rely on CSP for HW->Hypervisor related compliance
  • Design the application and communications flows so they can be secured
  • The state of networking features makes cloud “different” than traditional environments. This will have an effect on how you provide isolation for scoping. Currently host-based firewalls or similar technology are the most likely solution to implement appropriate restrictions. It is what I use
  • Review/audit regularly to make sure design and implementations have not changed. Since hosts come and go more frequently, the need for regular review is increased. A nice aspect of the cloud is that since automation is part of the DNA, automation of these reviews is easier

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Rely on CSP for HW->Hypervisor related compliance
  • Make sure to change the defaults. I use RightScale ServerTemplates™ to enforce this, as well as to provide version control of configurations
  • Note: The cloud actually helps you in this area (usually), as you should have had to think about how to build systems. There is no “throw in the CD, plug in the cable, and leave it”. So, you should have a leg up in this area when using a cloud technology

Requirement 3: Protect stored cardholder data
  • Rely on CSP for HW->Hypervisor related compliance
  • Gets down to not storing what you don’t need, good crypto selection, and proper key management
  • For non-DB-based encryption, use of a third party like TrendMicro SecureCloud (or similar) is a big help here
  • Note: Cloud really is not an issue here, as you have many of the same concerns in a managed hosting environment. The main difference is between owned or third-party infrastructure.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Rely on CSP for HW->Hypervisor related compliance
  • Use SSL to the Load Balancer, private network behind that
  • Use well-vetted VPN if linking networks
  • Note: No huge difference between cloud or hosted here. The cloud issues in this area are more around maturity of the networking stacks (e.g., arguably easier to slap in a physical VPN concentrator and hook up networks). This will change as the technology matures

Requirement 5: Use and regularly update anti-virus software or programs
  • Rely on CSP for HW->Hypervisor related compliance
  • Not much specific to a “cloud” deployment, except that servers come and go more frequently, so you need to make sure the solution is operating. If I had Windows systems for servers, I’d be using RightScale ServerTemplates to make sure things were configured correctly
  • Note: A nice aspect of the cloud is that since automation is part of the DNA, automation of this should actually make it easier to meet the requirements

Requirement 6: Develop and maintain secure systems and applications
  • Rely on CSP for HW->Hypervisor related compliance
  • The “what” (securing systems) is not really a “cloud” specific problem, but the “how” is. I use RightScale ServerTemplates and built-in versioning to make it easy and provide change tracking. You can choose how you want to do it, just do it
  • Note: A nice aspect of the cloud is that since automation is part of the DNA, automation of these should actually make it easier to meet the requirements

Requirement 7: Restrict access to cardholder data by business need to know
  • Rely on CSP for HW->Hypervisor related compliance
  • Again, it is not the “what to do” that is the issue, but “how to do it”. I use the Role-Based Access Control (RBAC) and ServerTemplate features of RightScale and a strict provisioning policy to get this done. You can choose any method that works
  • Note: Really no different than a hosted environment

Requirement 8: Assign a unique ID to each person with computer access
  • Rely on CSP for HW->Hypervisor related compliance
  • Another “not what but how”. You guessed it, I use a combination of RightScale, policies, and regular audits. You can choose any method that works
  • Note: Really no different than a hosted environment

Requirement 9: Restrict physical access to cardholder data
  • Rely on CSP for HW->Hypervisor related compliance
  • You need to worry about user systems and any hard copy
  • Note: Really no different than a hosted environment

Requirement 10: Track and monitor all access to network resources and cardholder data
  • Rely on CSP for HW->Hypervisor related compliance
  • Use RightScale to configure systems and send local system and application logs to a central log server. You can choose any method that works for you
  • Note: Public cloud does make this different. The lack of transparency into some of the devices you don’t have access to (e.g., hypervisor logs) needs to be taken into account

Requirement 11: Regularly test security systems and processes
  • Rely on CSP for HW->Hypervisor related compliance
  • I do internal as well as third-party testing
  • Note: Coordination with the CSP when doing testing may be something that is new and require modification of your process

Requirement 12: Maintain a policy that addresses information security for all personnel
  • Rely on CSP for HW->Hypervisor related compliance
  • Ensure policy states the requirements for need-to-know access to CHD
  • Ensure that if you share CHD with others, contracts state they must protect CHD in accordance with PCI DSS
  • Have an incident response plan and make sure it works!
  • Make sure you have appropriate policies and can prove that you are doing what they say
  • Note: The policies need to exist with or without the cloud. The biggest difference here is working with contracts to make sure appropriate language is included

Summary

Having worked with a number of customers on their PCI compliance strategy, I am definitely of the opinion that you CAN be PCI compliant operating in a public IaaS cloud. A lot of the work to get there is actually relatively standard and the hardest part is knowing what you need to do and what you have to rely on your partners to do.

As is common practice, you need to have “proof” for what you assert. When it comes to partners, you have two mechanisms to get that “proof” for their parts: They can get onto the list of PCI approved Service Providers or they can be transparent and willing to work with you to document their compliance adherence. In reality, both options require you to do your due diligence on the partner; one just makes it easier in some regards.

The other key aspect of PCI compliance is making sure you manage the system components correctly. The industry knows how to manage traditional environments, but the nuances of public IaaS cloud can make mistakes more egregious. Thus it is critical that you manage the system components correctly. I believe that the functionality that RightScale gives me in terms of management and governance of system components is invaluable (otherwise I would be working elsewhere). With that said, there are other management options (other vendors, do-it-yourself, or a combination) that you can leverage to make it happen. Just make it happen.

PCI compliance in a public IaaS cloud is a very touchy subject, and it should not be. This is my attempt to shed some light on an area that I think has too much mystery around it. I hope you find it useful.


<Return to section navigation list>

Cloud Computing Events

Tim O’Brien (@_TimOBrien) posted Announcing BUILD 2012 to the Channel9 blog on 7/25/2012:

In January we shared some thoughts on our approach to developer events, including a commitment to come back with more on our plans for an event this coming fall. Well, here it is: our next developer conference will be this fall, and it’s (again) called BUILD. It will be held on Microsoft’s campus in Redmond, Washington, from October 30th until November 2nd. Yes, that’s right … it’s the week after Windows 8 becomes generally available worldwide. And in addition to Windows 8, we will have lots of other stuff to talk about, too: Windows Azure, Windows Phone 8, Windows Server 2012, Visual Studio 2012, and much more. [Emphasis added.]

BUILD 2012 will be on the Microsoft campus, and I know what you’re thinking … if it’s not in some cavernous convention hall, then it must be a dialed-down version of last year’s event, etc. … but don’t be confused: this will be unlike anything we’ve held on our corporate campus in a long time. More details to come. And, as we talked about in the January post, if you’ve gone to a Microsoft developer event, you know that most of the speakers and participants are from our engineering teams, so a campus event puts you in the thick of things along with the engineers directly responsible for our products and the platform opportunities they represent. This one’s not to be missed.

So what happens next? Well, at 8AM Pacific time on 8.8 (see what we just did there?), we will open registration for BUILD 2012 at www.buildwindows.com. At that point, we’ll start sharing details over time about keynoters, sessions, content, and more, but for the time being, set a reminder for August 8th.

That’s it for now. Because my thesaurus was unable to suggest a decent synonym for "super excited", let’s just say we’re stoked about BUILD 2012, and we hope to see you there.


Michael Collier (@MichaelCollier) gave a post mortem of his What’s New for the Windows Azure Developer? Lots!! (Presentation) to mid-western and eastern US user groups in a 7/23/2012 post:

Recently I had the pleasure of presenting about new Windows Azure features at a few excellent user groups in Michigan (Ann Arbor and Lansing) and Boston, MA. It was great getting to share the updated Windows Azure story with so many passionate developers!

  • Boston Azure Cloud User Group
  • Ann Arbor .NET Developer’s Group
  • Greater Lansing User Group for .NET

During this presentation we covered Windows Azure Web Sites and Windows Azure Virtual Machines – probably two of the biggest recent platform enhancements. We also touched on updates to the Windows Azure storage features and Visual Studio tooling updates, as well as a few nice productivity boosters in the Windows Azure SDK.

If you’d like to check out this presentation, you can view it on my SlideShare page.



Other Cloud Computing Platforms and Services

Joe Panettieri (@joepanettieri) reported Google Cloud Partner Program: Big Data Companies Jump In in a 7/24/2012 post to the TalkinCloud blog:

When the Google Cloud Partner Program launched today, numerous cloud services providers (CSPs), integrators, consultants and Big Data software companies announced support for the effort. But who exactly is jumping on the Google Cloud Partner Program bandwagon? Here’s an early list of supporters, and what they had to say.

The initial partners include (but are not limited to…)

  • Agosto Inc., a Google Apps cloud services consulting firm. Agosto provides Google Cloud services and solutions including Google App Engine development, Google Cloud Storage, and Google APIs to help customers build and run applications, host sites and store and access data.
  • CliQr Technologies provides a cloud application management platform, named CloudCenter. The company claims to simplify the process of on-boarding, testing and securely running applications on any private, public or hybrid cloud, including Google’s Compute Engine cloud service.
  • Informatica Corp., a data integration software company, allows enterprises to securely move data to and from their on-premise and cloud IT systems and Google Cloud services such as Google Cloud Storage and Google BigQuery. The secret sauce is Informatica Cloud Connector for Google Cloud.
  • Jaspersoft, a business intelligence platform provider. Jaspersoft is making available an open source connector for Google BigQuery customers who want to run business intelligence reports and analytics on the Google Cloud Platform. This technology connector brings Jaspersoft’s BI tools into the Google Cloud Platform, offering integrated access to reporting and business analytics.
  • MapR Technologies, which offers an enterprise-grade distribution for Apache Hadoop. Back in June, MapR said it will make its Hadoop distribution available on Google Compute Engine. Now, customers can provision large MapR clusters on demand and take advantage of the cloud-based solution.
  • Pervasive Software is preparing Pervasive RushAnalyzer for Google BigQuery. Users will be able to query multi-terabyte datasets to discover patterns and correlations that can transform their business, Pervasive claims.
  • QlikTech helps customers and partners to build Business Discovery solutions that take advantage of the computing power and scalability of Google’s Cloud Platform.
  • SADA Systems is applying software development expertise to Google App Engine, Google Cloud Storage, Google BigQuery and Google Compute Engine.
  • SQLstream offers Big Data solutions that allow customers to act instantly on new information as it arrives, improving operational efficiency and driving new revenue opportunities, the company claims.
  • Talend, provider of Open Studio for Big Data. The open source big data integration solution combines the power of Talend with Google BigQuery’s real-time analytics.

That’s just a sampling of first-round partners. Talkin’ Cloud will be watching to see which partners next jump into Google’s Cloud.


I’m waiting now for an invitation to run MapR’s Hadoop/MapReduce implementation on the Google Compute Engine.


Joe Panettieri (@joepanettieri) announced Google Cloud Partner Program: Google Apps Resellers Join In in a 7/24/2012 post to the TalkinCloud blog:

The Google Cloud Partner Program, launched today, is designed for service partners and technology partners. But it may also appeal to existing Google Apps Authorized Resellers. In fact, some resellers are already jumping into the Google Cloud Partner Program. Think of it this way: Most Google partners already see the opportunity to move customers onto Google Apps (SaaS). But the Google Cloud Partner Program allows partners to move additional customer applications and services on the Google Compute Engine and Google App Engine (IaaS and PaaS).

Translation: The Google Apps Authorized Reseller Program and now the Google Cloud Partner Program together give channel partners every major cloud service they need (IaaS, PaaS, SaaS) for end-customer services.

Initial Examples of Success

Google today offered six examples of how partners can benefit/already benefit from the new cloud partner program.

On the service provider front the examples include…

  1. Business apps: Ci&T, a global systems integrator, built a quotation app on Google App Engine to help an insurance provider provide better policy quotes to customers.
  2. Mobile apps: Agosto built a smartphone app running on Google App Engine to help the Minneapolis Loppet Foundation register participants in a Nordic ski event.
  3. Social apps: PA Consulting built a crowd-sourced app on Google App Engine and Google Maps for MetOffice to provide richer, up-to-date local weather forecasts around the world.

Meanwhile, technology partners can use the Cloud Partner Program to plug into such services as…

  1. Google Compute Engine: Allows partners to configure and manage applications running on Google’s infrastructure.
  2. Google BigQuery: Partners can import data from existing on-premise and cloud data sources into BigQuery for analysis.
  3. Google Cloud Storage: Partners can offer active archiving, backup and recovery, and primary storage solutions.

Google Apps Resellers Join In

Take a closer look at the Google Cloud Partner program and you’ll notice quite a few Google Apps Authorized Resellers jumping into the game. Examples include Cloud Sherpas and SADA Systems, both of which rank among the world’s top 100 cloud services providers, according to Talkin’ Cloud’s second-annual Top 100 CSP research.

More than 6,000 companies are Google Apps Authorized Resellers. I’ll be curious to see how many of those resellers become Google Cloud Partner Program Members, moving customer systems onto Google’s cloud.

Google in recent days also confirmed its commitment to enterprise customers, stating that the Apps business was gaining critical mass. At the same time, software partners like BetterCloud are promoting Google Apps management tools designed for channel partners and customers.

Fierce Competition for Cloud Partners

Still, the competition remains fierce. Microsoft is adjusting its Office 365 partner program to give partners end-customer billing capabilities (a long-desired feature that Google Apps already offers). And the Office 365-Windows Azure combo essentially counters Google Apps, Google Compute Engine and Google App Engine. Plus, Amazon continues to attract partners that are loading customer workloads into Amazon’s cloud.


Marcia Savage (@marciasavage) reported AWS security now documented in CSA STAR in a 7/24/2012 post to TechTarget’s SearchCloudSecurity.com blog:

The 800-pound gorilla of the Infrastructure as a Service (IaaS) world – Amazon Web Services (AWS) – has joined the Cloud Security Alliance’s Security, Trust and Assurance Registry (STAR).

AWS filed its documentation to CSA STAR late last week. Launched by the CSA about a year ago, STAR is an online registry where cloud providers voluntarily submit documentation of their security controls. The registry, which is freely available, has been growing slowly, but with the addition of AWS, it took a big leap forward in its mission to increase cloud provider security transparency and help cloud computing customers make better decisions about the security of their services.

The AWS security STAR entry is a 42-page document (.pdf) on the cloud giant’s risk and compliance practices. It includes information on AWS’s security certifications (e.g., ISO 27001) and the company’s responses to the CSA Consensus Assessments Initiative Questionnaire. The questions cover common security-related concerns for cloud customers, such as data isolation and location.

For example, with regards to its ability to logically segment or encrypt customer data, AWS said it has strong tenant isolation capabilities, but notes that customers retain control and ownership of their data, and it’s their responsibility to encrypt it.

On the data location front, Amazon said in its documentation that customers can designate which AWS physical region their data and servers are located in; the company won’t move the data without notifying the customer unless required to comply with a government request. At the same time, Amazon said it won’t hesitate to challenge orders from law enforcement if it thinks the orders lack a solid basis.

With the addition of Amazon, STAR now has 12 entries, including three from Microsoft. Verizon’s Terremark subsidiary is another new addition, having added documentation in June.

The participation of AWS may be a sign that STAR is turning into the vehicle for peer pressure that CSA leaders had hoped. One of the CSA’s primary goals is to advocate for the security needs of cloud customers and the on-going need for cloud transparency.

Full Disclosure: I’m a paid contributor to Tech Target’s SearchCloudComputing.com blog.


James Staten (@staten7) posted Gelsinger Brings The "H" Word To VMware to his Forrester Research blog on 7/23/2012:

The long-rumored changing of the guard at VMware finally took place last week and with it came down a stubborn strategic stance that was a big client dis-satisfier. Out went the ex-Microsoft visionary who dreamed of delivering a new "cloud OS" that would replace Windows Server as the corporate standard and in came a pragmatic refocusing on infrastructure transformation that acknowledges the heterogeneous reality of today’s data center.

Paul Maritz will move into a technology strategy role at EMC where he can focus on how the greater EMC company can raise its relevance with developers. Clearly, EMC needs developer influence and application-level expertise, and from a stronger, full-portfolio perspective. Here, his experience can be more greatly applied — and we expect Paul to shine in this role. However, I wouldn’t look to see him re-emerge as CEO of a new spin out of these assets. At heart, Paul is more a natural technologist and it’s not clear all these assets would move out as one anyway.

Pat Gelsinger’s move into the VMware CEO role signals a need for refocus on holding share and increasing profits from the core data center infrastructure layer. The CloudFoundry announcement last year and the strategy to create a new vertically integrated platform from infrastructure up through middleware was taking longer to gain traction than expected. It was also muddying VMware’s traditionally strong infrastructure virtualization story — right when they could least afford it. Microsoft, Oracle, Citrix, and other virtualization management vendors and of course the public IaaS market were all capitalizing on this with maturing infrastructure virtualization stories and pushed for enterprises to create islands of hypervisors and thus breaking the VMware stronghold.

At the same time, enterprises have been voicing strong concerns about VMware lock-in. The result was more push-back by customers on long-term enterprise agreements with VMware and a reluctance to commit to VMware-only management stacks. When every competitor is touting their heterogeneity, it was becoming increasingly hard for VMware to convince customers that a single-vendor virtualization strategy was a long term bet worth making.

Meanwhile, vCloud Director has been struggling, as customers remain unprepared (from an operational maturity perspective) to deploy and manage a private cloud. Through discussions with Forrester enterprise clients we found more customers had purchased vCloud Director as part of their VMware enterprise license renewal but had not deployed it in production. …

Read more


Brian Proffitt (@TheTechScribe) posted VMware Denies Cloud Spin-Off Rumors – Keeps Focus on Platform-as-a-Service to the ReadWriteCloud blog on 7/20/2012:

Rumors of a VMware/EMC spin-off are “completely unfounded,” according to a company executive, who sees little chance that VMware will change its approach to cloud computing during its current transition in leadership.

Earlier this week, the company announced that VMware CEO Paul Maritz is being replaced by EMC COO Pat Gelsinger. But the rumors didn’t stop there. Reports circulated that Maritz would head up a VMware spinoff combining cloud assets from VMware and parent company EMC.

“None of that is founded,” VMware’s VP of Cloud Services Matthew Lodge emphasized in an interview Thursday.

Lodge’s denial addressed not only the possibility of a spin-off, but also the existence of Project Rubicon, allegedly a joint EMC/VMware Infrastructure-as-a-Service (IaaS) project mentioned by various media outlets (including this one) earlier in the week. Lodge also described such a project’s existence as “unfounded.”

PaaS, Not IaaS

In fact, IaaS is not really where VMware wants to be. According to Lodge, VMware’s strategy is strictly centered on Platform-as-a-Service (PaaS), represented by its flagship open source PaaS project Cloud Foundry.

IaaS is used when cloud clients outsource all of their operational hardware elements, such as storage, networking and servers. The virtualization and operating system layers are also included. The Infrastructure-as-a-Service provider actually owns and maintains the physical hardware, but the client has to provide additional tools, such as middleware software to manage their servers. PaaS, on the other hand, provides all of those features and the middleware and database software… so all PaaS clients have to do is bring their applications and data.

Perhaps the best-known example of IaaS in action is Amazon Web Services (AWS), which provides customers virtual machine images with a preloaded operating system. The customer has to manage each virtual image, maintaining and upgrading it as needed. Third-party middleware like Eucalyptus is used to provision the virtual machines.

Rather than go head-to-head with IaaS providers like AWS, Google Compute Engine and Microsoft’s Windows Azure, VMware is taking the PaaS role in the cloud sector.

Cloud Foundry is the center of VMware’s two-fold strategy:

First, VMware capitalizes on its huge vSphere virtualization market share (estimated to be in the 80% range), encouraging that existing customer base to migrate their existing virtual infrastructure to the cloud. Because it’s a PaaS solution, an app that works on a “local” vSphere virtual machine will easily move to a cloud-based vSphere VM.

The other side of the strategy is targeting new app developers and demonstrating the advantages of PaaS over IaaS for developers keen on the cloud.

“AWS and Google are not good for moving existing apps to the cloud,” Lodge claimed. “They are better for developers writing new apps from scratch.”

Help Moving Apps to the Cloud

Rewriting existing apps to be cloud friendly can be a massive undertaking. It can be done, certainly: Lodge related how Netflix’s development team essentially rewrote all of its code to take advantage of cloud computing. “They basically wrote their own PaaS, which shows how talented they are.”

Mere mortals may not have that kind of time or energy, Lodge said, which is where Cloud Foundry comes in. It handles all of the virtual machines and infrastructure issues for the developer, so the app they’re coding doesn’t have to.

Thus far, VMware’s PaaS-centric strategy seems to be working. By focusing its attention on working with partners in the PaaS space, the company is not grabbing cloud headlines to rival Amazon, Google and Microsoft, but it has a fast-growing presence.

“We’re on over 130 clouds in 26 countries,” Lodge boasted. “Not even AWS has that kind of footprint.”

If it ain’t broke, don’t fix it, seems to be the current feeling in the halls of VMware. If Gelsinger sticks to this course under his tenure, don’t look for an IaaS play from VMware anytime soon.



Technorati Tags: Windows Azure, Windows Azure Platform, Windows Azure Cloud Services, Windows Azure Storage Services, Windows Azure Service Broker, Windows Azure Access Control Services, Windows Azure Virtual Machines, Windows Azure Virtual Networks, Windows Azure Active Directory, Windows Azure SQL Database, SQL Database Federations, Open Data Protocol, OData, Cloud Computing, Visual Studio LightSwitch, LightSwitch, Amazon Web Services, AWS, Windows Azure Services for Windows Server, WASWS, Windows Identity Framework, WIF, VMWare, HIPAA, PCI, Google Cloud Partner Program, Google Compute Engine, GCE, Hadoop, BigData

http://oakleafblog.blogspot.com/2012/07/windows-azure-and-cloud-computing-posts_25.html
