Managing Access to Cloud Resources

As you start your cloud incubation journey, one of the very first hurdles you would run into is access management. How to secure access to your cloud provider? Whom do you allow to provision resources? Do you want to centralize the provisioning, or empower project teams with self-service capability? Can we leverage on-premise identity stores for cloud access? Needless to say, these aspects can get quite tricky. In this post, I will talk about different options around managing accessibility to cloud services and as always would love to hear your feedback.

No Self Service: Many organizations looking at cloud as an extension to their data center, and want similar to enforce similar control over their cloud environment. Their IT team provisions and de-provisions cloud resources as necessary. But the end users have no direct access from their end. They still raise a ticket through tools like Service Now which are then full filled by IT Ops through automation or manual setup.

Self Service via Custom Portal: This is standard practice across many organizations. Instead of providing direct access via cloud service provider portal, they create a layer of abstraction – a custom portal for managing access. This is definitely feasible as most of the cloud service providers have APIs, controlling access to cloud resources. A typical custom portal can help drive governance. An example use case could be – someone requests a VM image and an request approval email is automatically sent to her manager. Further custom portals can provide a unified view catering to different cloud platforms – i.e. a single UI to provision workload on AWS, Azure or Google Cloud. But challenge with such initiative is to keep pace with new cloud services. Most of the cloud platforms are introducing new features biweekly, making custom portal a never ending project. One solution here could be to control the feature scope of the custom portal – e.g. cater to just IaaS services – Compute, Network, Storage & Security.

Controlled Access to Provider portal with extensions: Many enterprises don’t want to reinvent the wheel. Their intent is to add only delta functionality to the existing self-service cloud provider portal. For instance, most of the cloud provider portal have no context of the consuming enterprise, its projects, its policies, etc. In such cases, it makes sense to augment cloud provider portal with additional project view and build an ecosystem to enforce organizational policies. E.g. When User A logs into the extended Portal she can view the list of projects (a project can have a direct mapping to cloud subscription or account), her role / rights on each. But provisioning any cloud resources would have to be carried out through provider portal (may be a SSO with provider portal). Depending on the rights user has, she will be able to provision only those cloud resources.

Let’s understand the last option from Microsoft Azure perspective, though similar features are available in other cloud platforms like AWS as well.

Single Sign On:
To setup Single sign on you will require Azure Active Directory domain configuration and ADFS setup. You can find more details here. This ensures that only employees of the organization will have access to Azure portal & resources.

Controlling access to resources:
SSO is great, but you don’t want every user of the organization to have unrestricted access to Azure resources. Rather only the authorized set of users should have access to them. That’s where Role based access control comes in. A role in RBAC terms is a collection of actions that can be performed on an Azure resources or group of Azure resources (group of resources referred to as ‘Resource Groups’ in Azure are containers holding resources for a given application). RBAC is currently supported in Azure Preview Portal only. You can also configure the access through PowerShell.

Azure RBAC

Subscription, Administrators & Azure AD:
While RBAC is the preferred way of setting access control, knowing the different Azure Portals administrative roles is necessary to gain comprehensive understanding. Once you sign up for Azure EA, MS sets up an account for you called ‘Enterprise administrator’. As an enterprise admin you can create different accounts and subscriptions. Each account has an Account administrators who in turn can create multiple subscriptions, with each subscription having its own service administrator. Service Administrator is the super user having complete access to the subscription and can provision resources (VMs, Databases, etc.) as required. Service Administrator can also create co-administrators as required to support them with administrative tasks.
Coming to Azure AD, you can create, rename, delete Azure AD from Azure Portal. Every Azure Subscription can trust only one Azure AD and only service administrator has the rights to choose the trusted AD for a given subscription (Settings -> Subscriptions -> Edit Directory).

Azure Subscription & Azure AD

Hope that provided some good perspective. As always do drop a note below, on how are you managing access to cloud resources.


Your Deals, Your Way – Leveraging Windows Azure for Facebook Applications

In this blog post I will describe how you can use the demo version of Your Deals, Your Way (YDYW). YDYW is a web application hosted on Windows Azure and integrates with Facebook. You can access the application at – Below is a quick walkthrough of major workflows of the application (subscribing a deal and posting a deal) and a quick discussion on preventing your Facebook account from being spammed. Let;s get started:

As a first step you need login with your Facebook account and grant it the required permissions.

Now you will be moved to ‘Pick Your Deals!!!’ Page where you can pick deals you wish for

Once you pick up a deal you see it populated in your wishful deals.

Now whenever these deals would be available YDYW would leave a message on your Facebook wall, helping your friends to know about them and help you connect with others in case a bulk order discount is offered by vendor.

For the demo version posting a deal is open to anyone. One needs to browse the application page – Login with account for which you want to post the deal

Once logged into the application, you can see the subscribers’ graph allowing the account owner to see how many people are subscribed for his products, at what discounts and identify what is the viral reach of total subscribers for each product.

Deals can be placed then for a given product, given discount till a given date and once placed they too will be available inside ‘Deals already placed’ section

Whenever deal is placed it would notify all the subscribes in step (a) by leaving a message on their wall as below

As posting deals is open to general public at times you might find lot more posts on your walls. They way to turn of them is either deleting that post or unsubscribing to all the deals or remove access to the application. These are described below.

1) Removing a post on your wall is simple – just remove it by clicking close button

2) Unsubscribing to deals too is quite easy just delete them. Application notifies you only when you are subscribed to a deal, removing these deals would ensure that you receive any unwanted messages

3) Finally you can remove the access to ‘Your Deals, Your Way’, a route which I hope you won’t take . Do the same you need to go your account privacy settings as shown below

Browse to Apps and Websites

And finally remove the ‘Your Deals, Your Way’

That’s it!!! Hope you had a good time visiting YDYW. Thanks for your time in testing out the alpha version and I look forward to your feedback 🙂 .

India’s First Windows Azure MVP

Phew, Am I Busy 🙂 ? While this a month back old news I am still glad to share it with all of you. Last October my MVP competency has been moved to Windows Azure. That makes me India’s first and currently the only Windows Azure MVP. Thanks to each one of you in community for your continued support and encouragement. Thanks to all my readers and all my session attendees. Thanks to my MVP lead and MVP friends. And finally thanks to my family for allowing me the time to pursue these dreams. I am also excited presenting tomorrow @VTD on – Integrating Silverlight and Azure with SharePoint. I Hope to catch you there. Thank you, once again!!!

How to Assess Web Applications for Migration to Windows Azure?

Your company’s top management has decided to leverage Cloud computing. They have zeroed on Windows Azure considering their existing investments in Microsoft stack, seamless developer experience, on-premise integration capabilities, competitive pricing, etc. You have been tasked to prepare a roadmap for migrating to Windows Azure. You are not quite sure where to start, what to do, which process to follow, how to come up with a strategy that would show bottom line benefits to top the management? If this is your story, I encourage you to read further.

Windows Azure Platform is an end-to-end development and deployment platform for building cloud services. But moving your on premise applications to Windows Azure isn’t a simple decision. Ideally, one would like to move an application that provides maximum ROI and poses minimum risks. Risks could be ensuring business continuity, data security, technology investments, etc. To get started, a good approach is to take the existing portfolio of web applications in your enterprise and prepare a dashboard. This can help assessing where you stand. Dashboard sample shown below captures not only on-premise applications but also hosted applications enabling you to do vis-à-vis with Cloud model.

Dashboard should also include packaged applications in addition to your home grown applications. It’s important to include package applications as there is quite a possibility that the vendor of the packaged application may have a cloud based offering too. Such an offering can be a quick win for your organization, and you immediately mitigate all risks apart from the once related to governance. Another value add is ROI calculations. Calculations could be quite accurate for these packaged applications and your vendor in most cases will provide you with all the necessary inputs. An example of this could be moving to Microsoft’s Business Productivity Online Suite (BPOS) which provides cloud based versions of Exchange, SharePoint, etc.

Coming to assessment of home grown web applications one needs to look for specific patterns to get maximum ROI. I strongly recommend to get started by using TCO calculator available on Windows Azure Portal. Though TCO numbers may vary a lot, what I like is – it provides a thought pattern. It helps you identify the key parameters you need to consider for your assessment. For instance it forces you to pick one of the 4 growth profiles for your web application

In order to justify your ROI it becomes imperative that you are able to map your web applications to one of these profiles. A Key motivation for this activity is to leverage Windows Azure’s “Scale on demand” capability. Depending on these traffic patterns additional server resources can be dynamically assigned to the web application. After the purpose is met these server resources can be dropped and with “Pay as you go” model, you pay only for the capacity you require. Although patterns above are self-explanatory let’s walk through them quickly. Time Bound refers to the short team compute requirements catering to launch of new products, marketing campaigns, etc. Steady growth is one of those applications in your enterprise which has a steady growing user base and your IT keeps bringing new hardware every few years. Predictable spikes attributes to known scenarios where you expect users to flock on your site. E.g. could be a sports season or a festival season. Unpredictable spikes refer to unforeseen scenarios like bad / good press, mergers, etc. It’s quite obvious to see the value add Windows Azure can bring in for such web applications.

Further compute resources aren’t the only ones that a web application requires. It could be storage resources too. I have come across quite a few web applications that store various kinds of data including images, videos, voice calls, etc. for analysis, processing and streaming. Storage requirements for such applications grow steadily and often become a challenge for in-house IT to keep pace with. Windows Azure provides an infinite sort of non-relational storage including Blob, Table, Drive and Queue, which can be ramped up almost instantly. In addition, Azure storage has redundancy, disaster recovery and backup in place with easy to use APIs for data access. Of course one has to factor in the bandwidth charges for every request made to access the media, but Azure’s Content Delivery Network (CDN) can come in handy. So many a times it’s storage that could be your real differentiator.

A final important piece to your assessment is the effort involved in migrating your web application to Windows Azure. Depending on the current architecture of your web application this could be a serious undertaking. Components like web sessions, diagnostics, relational DB, distributed cache, COM components, operational integration, third party softwares, security, etc. would need a migration plan, feasibility check and corresponding budget approvals. Security especially is a widely discussed topic. While migrating to cloud security normally needs to be applied at 2 levels – data at rest (disk) and data in motion (wire). Security implementation can be done using encryption and related techniques. Windows Azure platform also consists of AppFabric that can allow you to take your on-premise identity investments to the cloud using Access Control Service. In case there is some sensitive data that can be stored only on your premises you can use AppFabric’s Service Bus to tunnel back from Cloud.

To summarize one needs a step based approach in assessing which applications are the ideal ones to migrate to Windows Azure. You need to balance the tradeoffs and risks while ensuring your ROI is intact. Good luck with your assessments.

The dream that you wish will come true

It’s the Cinderella song that I am talking about. At last Windows Azure ISV days in New Delhi, it was a personal lifetime experience receiving the Cloud developer award from hands of Steve Ballmer. I have no words to express my heartfelt gratitude to everybody at Microsoft, Microsoft communities, colleagues, friends and family. Below are the few pictures from the event

I wish you the success with your dreams. Keep Rocking!!!

PPTX – Leveraging Windows Azure – Virtual Tech Days

Dear All, thanks for attending my session. Hope I could do some justice to your precious time 🙂 . For my past attendees, session could have been slightly plain as VS.NET was not involved at all, but I still believe attending it should have kick started your thought process on leveraging Cloud Computing. You can download the presentation from Skydrive. A small confession – there were few demos (including EmergencyBloodBank) planned for the session, but may be during those hours Azure was getting ready for PDC and everything was quite flaky 😦 . In fact all my .NET Service Bus solutions (Namespaces) were unavailable. So, I took the decision of discussing more scenarios and in hindsight it also looks more appropiate too. You might want to keep a eye on VTD Site as session recordings would be shortly available. I will look forward to hear your thoughts on the session. Till next time, Phir milenge Chalte Chalte. Love you all!!!

Leveraging Windows Azure – @VTD

It’s becoming difficult for me to keep posting about my talks as there have been many recently 🙂 . In Last 2 – 3 weeks I gave a talk on cloud computing for a local college in Bangalore, then did WCF / WF 4.0 for Community Tech Days, and .NET Service Bus Architecture session for Microsoft Tech Days @Wipro. Today, I will be talking about leveraging Windows Azure for your enterprise @Virtual Tech Days. Allow me to provide a brief about this session. Many of us have a decent understanding of what Cloud is all about, but are still stuck on where and how we can get started with it. This session helps you build a practical approach, making you familiar with those migration patterns that other are leveraging. Session also talks about Azure practicies and challenges involved around these patterns. To catch this session live logon to VTD site. I hope this would help you with your cloud efforts.