
Session 4: Advanced Topics


DESCRIPTION

Presentation given as part of the Windows Azure Starter Roadshow:
- Azure Service Bus: Notification Hub, Message Relaying, Queues
- Active Directory, ACS: authentication and single-sign-on solutions for applications
- SQL Databases


Page 1: Session 4: Advanced Topics

2013 © Trivadis

BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN

Microsoft Azure Advanced Topics

Stefan Geiger

Gerry Keune

@trivadis.com

12.06.2014

Advanced Topics

1

Page 2: Session 4: Advanced Topics

AGENDA

1. Service Bus

2. Identity

3. SQL Database


Page 3: Session 4: Advanced Topics

Azure Service Bus Overview

PaaS Messaging Middleware

All Microsoft Azure Datacenters

Multiple Clusters (Scale-Units) per Datacenter

Provides secure messaging and connectivity across different network topologies

Uses ACS to allow sending messages to and listening on endpoints

Key Features

Pub/Sub Reliable Messaging (Brokered Messaging)

Relay

Notifications


*customer preview

Page 4: Session 4: Advanced Topics

Service Bus Relay Service

Enables hybrid applications that span on-premises and the cloud

Implements open format and protocols

Supports REST and WS-*

Exposes Service Endpoints into the Cloud

Accessible for Cloud & On-Premise Services

The Relay Service allows communication between clients and services behind firewalls and NAT routers

Communication Patterns

One-way communication

Publish/Subscribe

Peer-to-Peer

Multicast

Direct Connections


Page 5: Session 4: Advanced Topics

Architecture


Page 6: Session 4: Advanced Topics

Challenges

Addressability and discoverability

Private addresses and Network Address Translation (NAT)

Dynamic addresses (e.g. ISP)

Connectivity

Firewalls (denial of inbound connections)

Event distribution

Transient connectivity


Page 7: Session 4: Advanced Topics

Service Bus Relaying Messages


Page 8: Session 4: Advanced Topics

Security

Messages travelling between communicating parties can be secured [Microsoft.ServiceBus.EndToEndSecurityMode]

Message security is independent of relay security

Message Security Types

None

- Disables security

Transport (default)

- Message is sent through a secure channel (e.g. HTTPS) to and from the relay service (not secured within the AppFabric Service Bus itself)

Message

- Encrypts the message body (X.509)

TransportWithMessageCredential

- Combination of the Transport and Message types


Page 9: Session 4: Advanced Topics

Demo Service Bus Relay

Page 10: Session 4: Advanced Topics

Service Bus Brokered Messaging

Sophisticated Pub / Sub mechanism

Disconnected communication between producers and consumers

Producers and consumers scale independently of each other since the intermediate message broker buffers any difference

Supports two distinct forms of brokered messages

Queues

Topics & Subscriptions

Features (a selection)

Dead-lettering, Sessions, Transactions

Scheduled Messages

Duplicate Detection, Prefetch


Page 11: Session 4: Advanced Topics

Message Dimensions

Max message: 256 KByte

Max total props: 64 KByte

- Includes system props; reserve ~4 KByte

Max prop: no explicit limit

- Constrained by de-facto HTTP limits if you use HTTP; ~4 KB max for a header

Max body: 256 KByte – sizeof(Props)


Page 12: Session 4: Advanced Topics

Delivery Options

Receive and Delete

Fastest. Message lost if receiver crashes or transmission fails

Peek Lock

Message is locked when retrieved. Reappears on the broker when not deleted within the lock timeout.

Session + Peek Lock

Message is locked along with all subsequent messages with the same session id, ensuring order


(Diagram: Receive and Delete vs. Peek Lock: 1. Peek/Lock, 2. Delete/Unlock)
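The three delivery options above, modelled in Python as an added example (not code from the slides or the Azure SDK): a simulated clock passed by the caller stands in for the broker's lock timeout, and the message bodies, the session id "S" and the receiver names are constructed.

```python
import itertools

RECEIVE_AND_DELETE, PEEK_LOCK = "ReceiveAndDelete", "PeekLock"

class Queue:
    # Toy broker: time is a simulated clock passed by the caller, so lock expiry is deterministic.
    def __init__(self, lock_timeout=30):
        self.lock_timeout = lock_timeout
        self.seq = itertools.count(1)   # broker-assigned monotonic sequence number
        self.log = []                   # (seq_no, body, session_id) in arrival order
        self.locks = {}                 # seq_no -> lock expiry time
        self.session_locks = {}         # session_id -> (receiver, lock expiry time)

    def send(self, body, session_id=None):
        self.log.append((next(self.seq), body, session_id))

    def receive(self, mode, now, receiver="r1", session_id=None):
        """Return (seq_no, body) of the next deliverable message, or None."""
        for entry in list(self.log):
            seq_no, body, session = entry
            if session_id is not None and session != session_id:
                continue                             # session receiver only sees its session
            if self.locks.get(seq_no, 0) > now:
                continue                             # peek-locked and the lock has not expired
            owner, expiry = self.session_locks.get(session, (None, 0))
            if expiry > now and owner != receiver:
                continue                             # another receiver holds this session
            if mode == RECEIVE_AND_DELETE:
                self.log.remove(entry)               # deleted at once: a crash here loses it
            else:
                self.locks[seq_no] = now + self.lock_timeout     # hidden until completed or expired
                if session_id is not None:           # Session + PeekLock: lock the whole session
                    self.session_locks[session] = (receiver, now + self.lock_timeout)
            return seq_no, body
        return None

def demo():
    """Constructed scenario: two plain messages and a two-message session "S"."""
    q = Queue(lock_timeout=30)
    for body, sess in (("a", None), ("b", None), ("s1", "S"), ("s2", "S")):
        q.send(body, sess)
    out = {"rd": q.receive(RECEIVE_AND_DELETE, now=0)}    # (1, "a") is removed immediately
    out["a_gone"] = all(e[1] != "a" for e in q.log)       # True: nothing to redeliver after a crash
    out["pl"] = q.receive(PEEK_LOCK, now=0)               # (2, "b"), locked until t=30
    out["s_r1"] = q.receive(PEEK_LOCK, 1, "r1", "S")      # (3, "s1"): r1 now owns session S
    out["s_r2"] = q.receive(PEEK_LOCK, 2, "r2", "S")      # None: S is locked by r1
    out["s_r1_next"] = q.receive(PEEK_LOCK, 3, "r1", "S") # (4, "s2"): in order for r1
    out["redelivered"] = q.receive(PEEK_LOCK, 31, "r2")   # (2, "b") reappears: lock expired, never deleted
    return out
```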

Page 13: Session 4: Advanced Topics

Service Bus Queues

Ordered message log: ordered by arrival (the broker assigns a strictly monotonic sequence number to each message)

Timestamped on arrival (authoritative clock)

Stored in SQL; once accepted, the message is as safe as any data in the SQL deployment

Multiplexing with sessions

Two modes: Pull and Forward

Pull – delivers messages on request, allowing concurrent readers

Forward – delivers message to single forward destination


Page 14: Session 4: Advanced Topics

Service Bus Topics

All features of Queues, plus multiple, independent subscriptions

Named, durably created (optional)

- Quota: Up to 2000 concurrent subscriptions

Rules with filter conditions on msg headers

- Quota: Up to 2000 rules per subscription

- Optional action set/modify message props

- Each rule hit yields a message

Topic 'tail' and subscription 'head' are fully protocol-compatible with Queues

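The subscription rules above (each subscription has its own rules, every rule hit yields a message, and an optional action edits that copy's properties), as an added Python model rather than Service Bus code: the filters are plain predicates standing in for Service Bus SQL filter expressions, and the subscription names, properties and message are constructed.

```python
class Rule:
    """A subscription rule: a filter over message properties plus an optional
    action that modifies the properties of the copy this rule produces."""
    def __init__(self, name, matches, action=None):
        self.name, self.matches, self.action = name, matches, action


class Topic:
    def __init__(self):
        self.subscriptions = {}   # subscription name -> list of Rule

    def add_subscription(self, name, *rules):
        self.subscriptions[name] = list(rules)

    def send(self, props, body):
        """Fan one message out to every subscription; every rule hit yields its own copy."""
        delivered = {name: [] for name in self.subscriptions}
        for name, rules in self.subscriptions.items():
            for rule in rules:
                if rule.matches(props):
                    copy = {"props": dict(props), "body": body, "rule": rule.name}
                    if rule.action:
                        rule.action(copy["props"])   # the action touches only this copy
                    delivered[name].append(copy)
        return delivered


def escalate(props):
    props["Escalated"] = True   # constructed action: set a property on the copy


def demo():
    """Constructed topic: three subscriptions filtering on message headers."""
    t = Topic()
    t.add_subscription("all", Rule("true", lambda p: True))
    t.add_subscription("eu-urgent",
                       Rule("eu", lambda p: p.get("Region") == "EU"),
                       Rule("urgent", lambda p: p.get("Priority", 0) >= 3, action=escalate))
    t.add_subscription("us", Rule("us", lambda p: p.get("Region") == "US"))
    # Matches both rules of "eu-urgent", so that subscription receives two copies.
    return t.send({"Region": "EU", "Priority": 5}, "order-42")
```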

Page 15: Session 4: Advanced Topics

Programming Options

(Diagram of the programming stack; recovered labels:)

- Apps
- .NET: Service Bus Messaging API; WCF Service Model (NetMessagingBinding)
- Protocols: SB Messaging Protocol (net.tcp, proprietary); AMQP 1.0; HTTP(S)
- C/C++ (incl. Embedded): Apache Proton-C (AMQP 1.0)
- Java/JMS: Apache Qpid JMS (AMQP 1.0)
- HTTP(S): PHP client, Node.js client, Python client, any HTTP client

Page 16: Session 4: Advanced Topics

AGENDA

1. Service Bus

2. Identity

3. SQL Database


Page 17: Session 4: Advanced Topics

Security

Authentication and Authorization

Use Claims-based Identity

Authentication and access management based on open protocols

Reduces infrastructure dependencies

- can be hosted on-premises or in the cloud without changes

Factoring authentication out of applications

Identity technologies and services used with Azure

Windows Identity Foundation (WIF)

Active Directory Federation Services 2.0

Azure Access Control Service


Page 18: Session 4: Advanced Topics

Claims-based solution

Stop building custom identification and user account databases into every new application

One approach to identity that works in various scenarios

Factoring authentication out of applications

Easy upgrade to stronger authentication methods

Identity Federation

The WIF (Windows Identity Foundation) framework simplifies implementing claims-based identity in your applications


Page 19: Session 4: Advanced Topics

Claims-based Identity Model

The user's identity is presented to your application as a set of claims

Claims are attributes asserted by an issuer (e.g. email address, username)

Identity data you receive comes from a trusted source

If you trust the issuer, you trust the claim

A claim is a statement about a user made by an authority

Releases Application from

Authenticating users, storing user accounts and passwords

Calling to enterprise directories to look up user identity details.

Integrating with identity systems from other platforms or companies.


(Example claim set from the slide)

User Name: Stefan
Email: [email protected]
Roles: Consultant, Trainer
IsNETNerd: true

Page 20: Session 4: Advanced Topics

Security Token

The user delivers a set of claims to your application piggybacked along with her request

A token is a serialized set of claims digitally signed by the issuing authority

The signature assures the authenticity of the claims

A web service carries the claims in the security header of the SOAP envelope

The claims reach a browser-based web application via an HTTP POST from the user's browser

Can be cached in a cookie if a session is desired


Page 21: Session 4: Advanced Topics

Security Token Service (STS)

STS builds, signs, and issues security tokens

Claims, tokens, and STSs are the foundation of claims-based identity


(Diagram: the application holds a list of trusted STSs; the STS issues a token carrying the claims)

1. Authenticate user, return token
2. Submit token
3. Verify the token's signature and that the STS is trusted
4. Use claims in token

Page 22: Session 4: Advanced Topics

Demo Claims-based Authentication

Page 23: Session 4: Advanced Topics

Identity Federation

Authenticate users across different security domains

SAML (Security Assertion Markup Language)

XML-based standard for exchanging authentication and authorization data between security realms


(Diagram: three-step federation between Organisation 1 and Organisation 2)

Page 24: Session 4: Advanced Topics

Access Control Service

Allows you to integrate single sign-on (SSO) and centralized authorization into your web applications


Page 25: Session 4: Advanced Topics

Access Control Service

Out-of-the-box support for popular web identity providers including:

Windows Live ID, Google, Yahoo, and Facebook

Support for OAuth 2.0 (draft 13), WS-Trust, and WS-Federation protocols

Support for the SAML 1.1, SAML 2.0, and Simple Web Token (SWT) token formats

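The STS flow from the Security Token Service slide (issue a signed token, submit it, verify the signature and that the STS is on the trusted list, then use the claims), worked through for the Simple Web Token format listed above: an SWT is a set of form-encoded claims signed with HMAC-SHA256 under a key shared between the STS and the application. This is an added Python example, not ACS or WIF code; the issuer URI, audience, key and claims are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlencode


def _sign(unsigned, key):
    """HMAC-SHA256 over the unsigned form-encoded claims, base64 as the SWT format requires."""
    mac = hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def issue_swt(claims, key):
    """STS side (step 1): serialize the claims and append the HMACSHA256 pair last."""
    unsigned = urlencode(claims)
    return unsigned + "&HMACSHA256=" + quote(_sign(unsigned, key), safe="")


def verify_swt(token, trusted_issuers, audience, now):
    """Relying-party side (steps 3 and 4). Returns (claims, None) on success or
    (None, reason) when the token must be rejected. trusted_issuers maps an
    issuer URI to the key shared with that STS (the slide's list of trusted STSs)."""
    unsigned, sep, sig = token.rpartition("&HMACSHA256=")
    if not sep:
        return None, "token is not signed"
    claims = dict(parse_qsl(unsigned, keep_blank_values=True))
    key = trusted_issuers.get(claims.get("Issuer"))
    if key is None:
        return None, "issuer is not a trusted STS"
    if not hmac.compare_digest(_sign(unsigned, key), unquote(sig)):
        return None, "signature does not verify"   # altered or forged claims
    if claims.get("Audience") != audience:
        return None, "token was issued for a different application"
    if not claims.get("ExpiresOn", "").isdigit() or int(claims["ExpiresOn"]) <= now:
        return None, "token has expired"
    return claims, None   # only now may the application use the claims


# Constructed sample: one trusted STS with a shared key, one token for this app.
STS = "https://sts.example.test/"
APP = "https://app.example.test/"
KEY = b"constructed-shared-key-replace-me"
TOKEN = issue_swt({"Issuer": STS, "Audience": APP, "ExpiresOn": "2000",
                   "Roles": "Consultant,Trainer"}, KEY)
```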

Page 26: Session 4: Advanced Topics

Security Best Practices

Authentication and Authorization

Use Claims-based Identity

Authentication and access management based on open protocols

Reduces infrastructure dependencies

- can be hosted on-premises or in the cloud without changes

Factoring authentication out of applications

Identity technologies and services used with Azure

Windows Identity Foundation (WIF)

Active Directory Federation Services 2.0

Azure Access Control Service


Page 27: Session 4: Advanced Topics

AGENDA

1. Service Bus

2. Identity

3. SQL Database


Page 28: Session 4: Advanced Topics

SQL Database Overview

Relational database engine provided as a service, based on SQL Server technology

Many SQL features are supported

Use with on-premises and cloud applications

Data access through ADO.NET or other providers

Data manipulation using standard T-SQL statements

Databases in Azure are limited to either 1 GB or 500 GB depending on the edition selected

Consider the size limitation for migration scenarios

Automatically provides high availability "out of the box"

Transparent failover in case of failure

Load balancing of data to ensure the SLA


Page 29: Session 4: Advanced Topics

SQL Database Network Topology

(Diagram: Application -> Internet -> Load balancer -> Gateway tier -> SQL nodes, all over TDS (tcp); recovered labels below)

Apps use standard SQL client libraries: ODBC, ADO.Net, PHP, …

Load balancer forwards 'sticky' sessions to the TDS protocol tier

Gateway: TDS protocol gateway, enforces AUTHN/AUTHZ policy; proxy to backend SQL

Availability: Fabric, Failover, Replication, and Load balancing

Page 30: Session 4: Advanced Topics

Database Replicas

(Diagram: one database (DB) with Replica 1 to Replica 4)

Page 31: Session 4: Advanced Topics

Provisioning

Account

- Each account has zero or more logical servers
- Provisioned via a common portal
- Establishes a billing instrument

Server

- Each logical server has one or more databases
- Contains metadata about database & usage
- Unit of authentication, geo-location, billing, reporting
- Generated DNS-based name

Database

- Each database has standard SQL objects
- Users, Tables, Views, Indices, etc.
- Unit of consistency

Page 32: Session 4: Advanced Topics

Demo SQL Database

Page 33: Session 4: Advanced Topics

SQL Database Management

Microsoft Azure Management Portal

Create and Delete Servers and Databases

Create Credentials

Configure Firewall settings

Maintain databases

Using the master database

System procedures for maintaining databases

Show data usage -> billing information

Create / Delete Databases


Page 34: Session 4: Advanced Topics

Security

Network Access Control

Server is firewall-protected (no access by default)

Configure using special stored procedures (sys.firewall_rule…)

Authentication and Authorisation

SQL Authentication (username, password)

Authorisation identical to SQL Server (roles)

Admin Roles have special privileges

- Create / Drop Database

- Manage Logins

- Change Firewall Rules


Page 35: Session 4: Advanced Topics

SQL Database Limitations

Security

SSPI authentication is not supported

No database encryption

Certain user names are disallowed (sa, admin, administrator, guest, root)

It isn't possible to define a listening port other than 1433

Backups

Backup and restore operations are not available

- Use Import/Export

- Database clones are possible using the CREATE DATABASE statement

Objects

CLR: the .NET CLR isn't available in SQL Azure

Tables need a clustered index


Page 36: Session 4: Advanced Topics

SQL Database Limitations

Miscellaneous

No distributed transactions

Database size limited to chosen subscription (max 500GB)

No Service Broker

No SQL Agent

No database file placement

Reduced subset of system schema objects


Page 37: Session 4: Advanced Topics

Data Migration

Existing SQL Server databases cannot be restored or attached to SQL Database

Data migration is a manual task using tools

Generate SQL Scripts

SQL Server Integration Services (SSIS)

BCP utility

BACPAC Export to Blob


Page 38: Session 4: Advanced Topics

Database Backup

Database Copy

Allows you to create a single copy of a source database using the AS COPY OF argument of the CREATE DATABASE statement:

The copy runs as a background task; query the DMV sys.dm_database_copies for its progress

SQL Data Sync

Synchronize on-premise / cloud

Manual

To Blob Storage

Import / Export (bacpac)

Bacpac (schema and data)

Dacpac (schema only)


Page 39: Session 4: Advanced Topics

Thank You

Q & A
