Getting started with Azure Application Gateway

Finally, something I've been waiting for has arrived! Microsoft announced yesterday Azure Application Gateway, a layer 7 HTTP-based load balancing feature. It has richer persistence (session affinity) options and features like SSL offloading, which makes certificate management easier: with SSL offloading, SSL processing is removed from the backend virtual machines or applications, since Application Gateway handles the SSL termination itself.

Important to note, however, is that this feature is built upon IIS/ARR (Application Request Routing).

Application Gateway

Azure already has some load balancing capabilities: Traffic Manager, which is DNS-based load balancing and is billed per DNS query, and endpoint load balancing, which is closer to layer 4 load balancing with limited capabilities but is a free feature.

As of now it is only available through the latest Azure PowerShell version, but going forward it will become available in the portal and the SDK, for instance as part of ARM.

To get started we need to create an Application Gateway, which can be done with the PowerShell command

New-AzureApplicationGateway -Name AppGW -Subnets 10.0.0.0/24 -VnetName vNet01


And we can now see that the AppGW is created but hasn't been started yet.


Next we need to do the configuration. This is done using an XML file where we declare all the specifics, such as external ports, which protocol to use, and whether, for instance, cookie-based persistence should be enabled.

The XML file should look like this

<?xml version="1.0" encoding="utf-8"?>
<ApplicationGatewayConfiguration xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure">
    <FrontendPorts>
        <FrontendPort>
            <Name>FrontendPort1</Name>
            <Port>80</Port>
        </FrontendPort>
    </FrontendPorts>
    <BackendAddressPools>
        <BackendAddressPool>
            <Name>BackendServers1</Name>
            <IPAddresses>
                <IPAddress>10.0.0.5</IPAddress>
                <IPAddress>10.0.0.6</IPAddress>
            </IPAddresses>
        </BackendAddressPool>
    </BackendAddressPools>
    <BackendHttpSettingsList>
        <BackendHttpSettings>
            <Name>BackendSetting1</Name>
            <Port>80</Port>
            <Protocol>Http</Protocol>
            <CookieBasedAffinity>Enabled</CookieBasedAffinity>
        </BackendHttpSettings>
    </BackendHttpSettingsList>
    <HttpListeners>
        <HttpListener>
            <Name>HTTPListener1</Name>
            <FrontendPort>FrontendPort1</FrontendPort>
            <Protocol>Http</Protocol>
        </HttpListener>
    </HttpListeners>
    <HttpLoadBalancingRules>
        <HttpLoadBalancingRule>
            <Name>HttpLBRule1</Name>
            <Type>basic</Type>
            <BackendHttpSettings>BackendSetting1</BackendHttpSettings>
            <Listener>HTTPListener1</Listener>
            <BackendAddressPool>BackendServers1</BackendAddressPool>
        </HttpLoadBalancingRule>
    </HttpLoadBalancingRules>
</ApplicationGatewayConfiguration>

Note: under HttpLoadBalancingRules there is currently only support for the Basic type (which is the equivalent of round robin at the moment). After we have altered our XML config we can upload it.
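Because the rule section refers to the pool, listener and settings purely by name, a typo in any one of them gives a configuration the gateway cannot route. The following checker is an added example (not from the original post and not a Microsoft tool): it parses the ApplicationGatewayConfiguration format shown above and reports dangling references and malformed values before you upload; the sample config it runs on is constructed here and deliberately contains a mismatched pool name and a bad IP address.

```python
"""Cross-reference checker for an Azure Application Gateway XML configuration.

Added example for this post; the element names are the ones in the XML above,
the validation logic is this example's own (not Microsoft's schema checker).
"""
import ipaddress
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/windowsazure"


def _tag(name):
    """Qualify an element name with the windowsazure default namespace."""
    return f"{{{NS}}}{name}"


def _items(root, list_tag, item_tag):
    """Return the <item_tag> children of the <list_tag> container (or [])."""
    parent = root.find(_tag(list_tag))
    return [] if parent is None else parent.findall(_tag(item_tag))


def _name(el):
    return (el.findtext(_tag("Name")) or "").strip()


def validate_appgw_config(xml_text):
    """Return a list of human-readable problems; an empty list means OK."""
    root = ET.fromstring(xml_text)
    problems = []

    # 1. Frontend ports: unique names and a sane TCP port number.
    ports = {}
    for fp in _items(root, "FrontendPorts", "FrontendPort"):
        name, port = _name(fp), fp.findtext(_tag("Port"))
        if name in ports:
            problems.append(f"duplicate FrontendPort name {name!r}")
        if not (port and port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"FrontendPort {name!r} has invalid port {port!r}")
        ports[name] = port

    # 2. Backend pools: unique names, every address must parse as an IP.
    pools = set()
    for pool in _items(root, "BackendAddressPools", "BackendAddressPool"):
        name = _name(pool)
        if name in pools:
            problems.append(f"duplicate BackendAddressPool name {name!r}")
        pools.add(name)
        addrs = pool.find(_tag("IPAddresses"))
        for ip in ([] if addrs is None else addrs.findall(_tag("IPAddress"))):
            try:
                ipaddress.ip_address((ip.text or "").strip())
            except ValueError:
                problems.append(f"pool {name!r} has invalid IPAddress {ip.text!r}")

    # 3. Backend HTTP settings: a Protocol must be present; affinity is an enum.
    settings = set()
    for s in _items(root, "BackendHttpSettingsList", "BackendHttpSettings"):
        name = _name(s)
        settings.add(name)
        if not s.findtext(_tag("Protocol")):
            problems.append(f"BackendHttpSettings {name!r} has no Protocol")
        if s.findtext(_tag("CookieBasedAffinity")) not in ("Enabled", "Disabled"):
            problems.append(f"BackendHttpSettings {name!r}: CookieBasedAffinity "
                            "must be Enabled or Disabled")

    # 4. Listeners must point at a defined frontend port.
    listeners = set()
    for lst in _items(root, "HttpListeners", "HttpListener"):
        name = _name(lst)
        listeners.add(name)
        fp = lst.findtext(_tag("FrontendPort"))
        if fp not in ports:
            problems.append(f"listener {name!r} references unknown FrontendPort {fp!r}")

    # 5. Rules: only Type basic is supported, and all three references must exist.
    for r in _items(root, "HttpLoadBalancingRules", "HttpLoadBalancingRule"):
        name = _name(r)
        if (r.findtext(_tag("Type")) or "").lower() != "basic":
            problems.append(f"rule {name!r}: only Type 'basic' is supported")
        for field, known in (("Listener", listeners),
                             ("BackendHttpSettings", settings),
                             ("BackendAddressPool", pools)):
            ref = r.findtext(_tag(field))
            if ref not in known:
                problems.append(f"rule {name!r} references unknown {field} {ref!r}")
    return problems


# Constructed sample: the pool is named BackendServers1 but the rule says
# BackendPool1, and one backend address is not a valid IPv4 address.
SAMPLE_CONFIG = f"""
<ApplicationGatewayConfiguration xmlns="{NS}">
  <FrontendPorts><FrontendPort><Name>FrontendPort1</Name><Port>80</Port></FrontendPort></FrontendPorts>
  <BackendAddressPools><BackendAddressPool><Name>BackendServers1</Name>
    <IPAddresses><IPAddress>10.0.0.5</IPAddress><IPAddress>10.0.0.300</IPAddress></IPAddresses>
  </BackendAddressPool></BackendAddressPools>
  <BackendHttpSettingsList><BackendHttpSettings><Name>BackendSetting1</Name><Port>80</Port>
    <Protocol>Http</Protocol><CookieBasedAffinity>Enabled</CookieBasedAffinity>
  </BackendHttpSettings></BackendHttpSettingsList>
  <HttpListeners><HttpListener><Name>HTTPListener1</Name><FrontendPort>FrontendPort1</FrontendPort>
    <Protocol>Http</Protocol></HttpListener></HttpListeners>
  <HttpLoadBalancingRules><HttpLoadBalancingRule><Name>HttpLBRule1</Name><Type>basic</Type>
    <BackendHttpSettings>BackendSetting1</BackendHttpSettings><Listener>HTTPListener1</Listener>
    <BackendAddressPool>BackendPool1</BackendAddressPool>
  </HttpLoadBalancingRule></HttpLoadBalancingRules>
</ApplicationGatewayConfiguration>
"""

if __name__ == "__main__":
    for problem in validate_appgw_config(SAMPLE_CONFIG):
        print("PROBLEM:", problem)
```

Run it against your real config file before calling the upload cmdlet; an empty problem list means every name the rules refer to actually exists.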


After the configuration has been uploaded we can start the gateway. Note, however, that it might take a long time before it actually starts operating!


Now even though this might become a nice feature, it is still pretty limited compared to the other options we have in Azure. Hopefully we have just seen the beginning of this feature, and integration with Traffic Manager in the future will make it even more awesome!

What’s new with Netscaler V11

So it's been a hectic couple of months, with beta testing the latest V11 of Netscaler among other things. Before I post what's new I can also say that my book, "Implementing Netscaler VPX", is getting a v2 release which will be updated to cover V11-specific content; based on feedback on Amazon it will also include more material on GSLB, AAA, security features, optimization and so on.

Now, what's new in V11?

  • Jumbo frames for VPX
  • Partition Administration (now fully integrated)
  • TCP Nile congestion control (based upon TCP Illinois)
  • Support for TCP FACK (forward acknowledgement)
  • Media classification (a feature under Front-end optimization)
  • Web Front
  • Unified Gateway
  • More visualization and an authentication dashboard
  • EULA text in Gateway
  • Own portal customization dashboard
  • DH key optimization
  • Support for TLS 1.1 and 1.2

So let us explore. First of all, jumbo frames are not new on Netscaler, but they are for VPX; therefore, in order to set up jumbo frames (meaning a higher MTU) you need to change the MTU on the physical adapter at the hypervisor layer as well.


Partition Administration is now fully integrated into the new GUI, and more features can be delegated using partitions. Netscaler Gateway, however, is still not supported in partitions…


TCP Nile congestion control is a TCP congestion control algorithm that Citrix has created based upon TCP Illinois. It gives a performance gain on high-speed networks, and it is enabled using TCP profiles.


TCP FACK, or forward acknowledgement, is a TCP feature used together with SACK; it gives the sender a better view of how much data is outstanding, which decreases the recovery time when packet loss occurs.


Media Classification is a feature which allows the Netscaler to show what kind of media is being sent through the Netscaler, for instance MP3, Apple video, Windows Media and so on. It apparently requires its own license, though.


Web Front is a new web interface kind of solution, where you basically move the StoreFront website to the Netscaler, leaving only the Stores on the StoreFront server; this allows for faster SSO and authentication for native Receiver users. Note that it cannot be used with Unified Gateway, only with native Netscaler Gateway vServers.


The most exciting part is the Unified Gateway feature, which in essence is a combination of the old Netscaler Gateway with clientless access activated and a content switching vServer in front of it. This feature is used to deliver all types of apps (SaaS, Citrix, and other load balanced vServers) from within one URL. If you look at my other post about setting up Unified Gateway you can read more about it there –>




Important to note: when you are making changes you need to be aware that you must change the content switching vServer which sits in front of the Netscaler Gateway vServer, and that the content switching vServer can only have one gateway vServer behind it.

There are now more options for visualizations of many of the services here, because frankly you can often get confused about how the different vServers are attached and how the processing flows.

Example from a Unified Gateway visualization.


There is also now an authentication dashboard which shows the different auth servers and their status; we can also drill into the syslog to see authentication attempts.



We can also now specify our own EULA text for people that login to our gateways.


Here I can change some of the GUI customization directly from within the management console, but I can also still do it using the traditional SFTP method.


There is also a lot of new stuff in SSL/TLS, one of which is the ability to define DH key expiration (how often the DH key pair is regenerated) in order to achieve perfect forward secrecy (PFS).

This can be done under the SSL parameters of a vServer; by default this is now set to 0, as opposed to the previous default of 500.


And of course TLS 1.1 and 1.2 for front-end services, which was also included in the latest 10.5 build.

What else is new? There is some minor stuff, first of all image optimization, which allows us to convert JPG to JXR format and from


Setting up Unified Gateway on Netscaler 11

So the fuss for the last couple of months is: what is Unified Gateway?

From what we can read on the Citrix blog:

One URL: Provides consolidation of remote access infrastructure

Something revolutionary? Not really.

It is, however, a combination of features that the Netscaler already has, some of which have been revamped. It combines bookmarks, content switching rules and clientless access to give users access to all their applications using a single URL. So how do we set it up?

First head over to the management GUI; you should find the Unified Gateway wizard there.


Next we have the option to choose between a regular Netscaler Gateway or a Unified Gateway deployment.


Next we define the parameters of the Unified Gateway vServer (note that this IP is defined on the content switching vServer).


Next add the certificates, including the root CA and/or intermediate certificate.


Next we need to add an authentication method, like LDAP.


Next we choose a portal theme; from here I can easily choose my own custom theme created from a template, or one of the built-in themes.


Lastly we need to add our applications.


Now I'm going to start with adding web applications to the gateway. When adding a web application I have four options (descriptions taken from the Citrix documentation):

  • Intranet Application (Intranet applications can be any internal network resident, web-based application which needs to be made available to VPN users.
    To provide access to intranet resident applications through the Unified Gateway URL please check the option below. NetScaler creates a custom URL for HTTP transactions to switch VPN user site requests. To create this custom URL, an application's root relative url and site strings must be provided. These strings are derived from the application's real URL. NetScaler uses these strings to create specific Content Switching rules that filter the web requests for each application and direct the VPN user accordingly.)
  • Clientless Access (NetScaler with Unified Gateway supports clientless access to Outlook Web Access and SharePoint web sites. The full URL for these sites must be specified.
    Example:
    https://owamail.mycompany.com)
  • SaaS (Software as a Service applications are usually externally hosted web based applications that require authentication. This might be a service such as ShareFile, SalesForce, SAP, or NetSuite.
    NetScaler with Unified Gateway supports access through the VPN for these applications and facilitates the user authentication process with single sign-on (SSO) through SAML where available. If the SAML SSO is required, a SAML profile must be configured.)
  • Load balanced application (Unified Gateway supports VPN access to applications already configured locally as a NetScaler load balancing virtual server.
    The application's URL must be given, along with the virtual server configured with the application. The URL must resolve in DNS to the virtual server's IP address.
    Note if you want this application to be configured with the NetScaler to provide single sign-on authentication, an appropriate authentication setting needs to be created on the virtual server.)


For instance, if we were to add Office 365 to the gateway, we also have the option to add SAML-based authentication to the mix to allow for SSO from the Netscaler.


I can also choose internal applications which are already load balanced by the Netscaler.


Now if I want SSO here I need to have pre-configured the vServer with the right AAA parameters. It is also important that the vServer IP and the URL name resolve using DNS, and that the URL has a / at the end of the address.

Then we can also add clientless access applications like Exchange and SharePoint.


And after we have added the other applications we can also integrate with XenApp / XenDesktop.


(NOTE: Web Front is not an option here)

After we are done adding the resources, we are brought back to the dashboard, which shows us the status of the gateway. We can also see that the applications are added under resources and bookmarks.


You can also see that the gateway vServer is defined in the content switching policy.



And voila! More to come! :)


Is Microsoft on the road to becoming the next EMM leader?

With the move to the cloud, Microsoft has done a lot right with its Office 365 offering and has also done a lot with Azure; the problem over the last few years has been their forgotten child: Intune.

Now the concept was good: build a fully cloud-based MDM / PC management solution as an extension to Office 365. The execution, however, wasn't all that great at first. While Office 365 and Azure got most of the focus, Intune was left behind in terms of features and attention.

But now this has changed. Last year Microsoft announced EMS (Enterprise Mobility Suite), a combination of identity services with Azure AD Premium, data protection with Azure RMS and MDM with Intune. Microsoft got serious about their MDM/EMM solution, and one piece Microsoft has that none of their MDM competitors have is the identity features, which are crucial in a BYO strategy: if people wish to use their own device with their same identity, and with the strong increase in SaaS applications, we need a common identity provider in place (traditional Active Directory does not cut it here because of its limitations).

This is from the latest Gartner report on Identity and Access Management as a Service:


With their offerings within Azure AD, and with many customers already using it through Office 365, Microsoft has an advantage that none of their competitors have.

Gartner also released their new report on MDM/EMM (where we again see VMware, Citrix and MobileIron). Note that of these four, Microsoft is the only one that has their own mobile hardware platform and their own operating system, which gives them a bit of an advantage since Microsoft is also pushing Windows 10 as a more mobile operating system, and more features will be directly integrated into Intune and Azure AD:

  • Windows Update for Business
  • Windows Store for Business
  • Enterprise Data Protection

Figure 1. Magic Quadrant for Enterprise Mobility Management Suites

And note that it's been a little over a year since Microsoft launched their EMS package (even though Intune has been available for some time, it hasn't been until recently that Microsoft started focusing on it), and with Microsoft pushing updates to Intune almost every month it shows they are serious about this offering.

Moving forward, Microsoft will continue to create more and more direct integration with Office 365 (which has about 80 million customers), which makes it a winning combo and the natural choice for many customers, since in most cases it will just be another add-on to Office 365.

(Crappy drawing, I know..)


And with the integration possibilities Microsoft has with their on-premises solution (System Center Configuration Manager), it makes sense to directly manage all regular computers and mobile devices from the same solution, since a device is a device and should be managed by the same staff.

Microsoft has also announced a lot of new features coming to Azure AD, Intune and Office 365, which can be seen on their own roadmap –> http://www.microsoft.com/en-us/server-cloud/roadmap/Indevelopment.aspx?TabIndex=2&dropValue=AllProducts

Quick post, Netscaler Masterclass and Azure

I presented at this month's masterclass from Citrix, where I talked about Netscaler on Azure (the eagle has landed). I went through some of the limitations and features, what other features in Azure we can use for load balancing, and some guidelines on high availability and so on.

I’ve also blogged about it earlier, which you can see here –> https://msandbu.wordpress.com/2015/05/22/when-to-use-traffic-manager-cloud-service-load-balancing-or-citrix-netscaler/

https://msandbu.wordpress.com/2015/05/15/implementing-citrix-netscaler-on-azure/

You can also view the recording on Citrix TV here –> http://www.citrix.com/tv/#videos/13689

Nutanix and .NEXT: what was all the fuss about?


For those wandering around social media who saw some fuss about the .NEXT conference from Nutanix and wondered what it was all about, let me enlighten you.

Nutanix, which has become a well known player in hyperconverged infrastructure, had their first user conference this week in Miami and made some spectacular announcements.

Nutanix Xtreme Computing Platform:

This consists of two product families: Prism, which is the management software, and Acropolis, which in essence is the core of the Nutanix fabric.

Acropolis consists of two things, the core fabric and the Acropolis Hypervisor, which is a custom built hypervisor based upon KVM. Nutanix has a point they want to push: virtualization and storage should be invisible, which in essence is the same message the public cloud providers are pushing; it should just be resources and you should be able to stack them as you want (basically like Lego bricks).

One of the coolest features I've ever seen was their App Mobility Fabric, which is part of Acropolis. In essence it is next generation live migration, allowing migration of VMs between hypervisors; you can see it here (https://youtu.be/xgMNntngDeA?t=2606)

It is a one-click conversion!

They are also coming with a new build for their controller OS –> http://myvirtualcloud.net/?p=7144 and if you want to read more about Acropolis and the capabilities in the current build you can read more here –> http://myvirtualcloud.net/?p=7086

This video also goes through some of the capabilities: https://www.youtube.com/watch?v=oIltTlQf3Qc

So who is tagging along with this?

Dell, which has their own OEM version known as the XC series, posted a blog about the upcoming features and the release of a GPU-based series –> http://en.community.dell.com/dell-blogs/dell4enterprise/b/dell4enterprise/archive/2015/06/09/the-dell-xc-series-train-rolls-on-with-new-offerings-that-expand-workload-possibilities

Citrix also tagged along, writing about the partnership and integrations with Nutanix –> http://blogs.citrix.com/2015/06/09/nutanix-citrix-delivering-end-to-end-validated-solutions-for-a-hyper-converged-world/

And of course Microsoft, where Vijay Tewari (the PM for the CPS solution as well as the Private Cloud solution at Microsoft) was one of the keynote speakers at the event, also showing that Nutanix and Hyper-V are gaining traction –> http://blogs.technet.com/b/privatecloud/archive/2015/06/10/microsoft-and-nutanix.aspx

They also announced some new capabilities with Microsoft –> http://www.nutanix.com/2015/06/10/momentum-with-microsoft-nutanix-announces-significant-achievements-with-hybrid-cloud-and-enterprise-applications-at-next/

  • Connectivity to Microsoft Azure for backup
  • Microsoft-supported in-guest iSCSI storage adapter for Exchange Server on vSphere
  • Nutanix Acropolis Hypervisor validated for Microsoft Server Virtualization Validation Program

So you want to test this out? Well, you can now, since the Nutanix Community Edition is free and you can download it here –> http://www.nutanix.com/products/community-edition/

I've been lucky enough to be part of the Community beta and I can say it works really well, and with these announcements I now know why it only works with KVM :)

And don't worry, you can run it nested if you want to try it out without getting the required hardware –> http://www.virtuallifestyle.nl/2015/06/nextconf-running-nutanix-community-edition-nested-on-fusion/

So will you tag along?

(On a side note, I asked them what type of stuff they give their developers.)


What’s actually new in Windows 10

So far, for those that have been part of the Windows Insider Preview, most have been caught up with the GUI, which of course is an important aspect of how user friendly the operating system has become.

Some have been speculating about what Microsoft is actually doing, since the GUI has been coming along pretty slowly, but most haven't looked at how much is new in Windows 10, so I decided to write this post. I'm not going to dive into Cortana and Microsoft Edge; that is pretty much covered on every Windows blog.

Windows 8 (screenshot)

Windows 10 (screenshot)

Now let's start with some of the pretty well known facts:

Universal Applications

These are modern-type applications (which started in Windows 8) but revamped in Windows 10, which pretty much allows developers to create the same application for all Windows 10 platforms; so for instance Office Preview, which is in the Windows Store, will appear the same on mobile as on a desktop computer. Since universal apps come from the modern application framework they are bound to the same lifecycle, which I will cover in a bit.

The problem with modern applications when they came in Windows 8 was that the ones Microsoft created weren't that great; now they have made some other examples which actually show how good they can be!

Microsoft has already created some examples like:

  • Mail & Calendar
  • Skype
  • Office
  • Microsoft Edge (which will be the standard browser in Windows 10)

It was also announced that Dropbox will create a universal application, which will be released later this year as well.

Now modern applications are actually a pretty good idea; the problem is that they were "forced" upon us in Windows 8. For those that aren't familiar with it, the applications are bound to a lifecycle which defines how the application is started, suspended and closed. They don't do any registry writes and therefore do not clutter your registry; they are isolated and run within a container.

You cannot run a modern application as administrator, so you cannot elevate the integrity level of the application. The applications need to be signed and can only be installed either via the Store or sideloaded, using for instance System Center.

The problem is that most businesses still use regular Win32-based applications, which cannot be pushed via the Store. Microsoft is working on a solution called Project Centennial, which allows us to convert Win32-based applications and force them to work within the boundaries of a modern application, kind of like an App-V based application. This will in essence allow Microsoft to bridge existing applications to modern applications; read more here –> https://dev.windows.com/en-us/uwp-bridges


Windows Update for Business & Windows as a Service

One of the most well known facts is that Windows 10 will be the last Windows desktop version. For the last 30 years, Windows has been shipped in the same way: Microsoft creates a new operating system, ships it with OEMs, sells physical media like floppy, CD, DVD and so on. With Windows 10 everything will be Windows 10, and Microsoft will constantly create new builds of it and ship them using Windows Update, which is what most mobile users are familiar with on Android and iOS.

Along with this Microsoft has also created a cloud-based update solution called Windows Update for Business, which is in essence a smaller cloud-based WSUS. It will allow businesses to control which updates and builds go to their computers.

Moving forward, all new builds will first be tested internally at Microsoft, then moved out to those who have signed up for the Windows Insider program, then pushed out to consumers using Windows Update, and then come to the first branch on Windows Update for Business.



So in essence Windows as a Service is a pretty nifty update sequence set in motion, and Windows Update for Business is a cloud-based service to actually control it. It will have some other features as well, such as:

  • Peer-to-peer seeding (meaning that a client can share binaries with other clients within a network, for instance)
  • Maintenance time (when we are allowed to ship updates)
  • Deployment rings (who gets the builds first, for instance based on computer groups)

Important to note that this will be offered as a free service, but it will most likely be aimed at users of Windows Enterprise.

As a part of this Microsoft is also releasing a new private store aimed at the same type of businesses, called Windows Store for Business.


Windows Store for Business


This will be a private section within the Microsoft Store where users can authenticate with their Azure Active Directory user and get access to LoB applications which, for instance, their IT guy has published. This is also a free service, which can eventually be accessed from https://businessstore.microsoft.com

At first release it will only support Azure Active Directory users, but it will also allow for license management and offline access, meaning that users don't have to download large applications from the internet but are redirected to an internal network share to get an application; and with the coming of Project Centennial we can eventually publish Win32 applications within the store as well. As with all the other stuff, it will be possible to manage it using System Center or Intune.


Security features

This is where things get interesting, and where many actually haven't paid attention to what Microsoft has been doing with Windows 10.

There are many new enhancements here, but I'm going to name some of them and what they do.


VSM (Virtual Secure Mode)

I'm guessing that most have heard about pass-the-hash and Mimikatz? NTLM has some known security issues which allow some fortunate ones to get access to the NTLM hash of an administrator user.


When an attacker has access to this hash, they can pretty much get in everywhere. This is because of the LSA service. In Windows 10 Microsoft did something creative: with VSM they isolate the LSA service within a virtual machine running a core OS subset on Hyper-V. This means that a regular Windows user is not able to gain access to the hash of a user, since they aren't allowed to communicate with the isolated LSA service.


Windows Defender

This is the same engine as Security Essentials, Endpoint Protection and so on. It is not a new feature in Windows 10, but it has a huge number of improvements.

First of all, it now has a network IDS feature which analyzes the network traffic, because if your system is already infected and Defender cannot spot it on the host, the only remaining way to detect it is to check the traffic.

Windows Defender will also now become an isolated process, because in previous versions Defender was a regular service which could be turned off if a system was infected. As an isolated service, a virus or other malware cannot turn the service off.

Microsoft has also stated that if a user has another type of security software installed, like Symantec or Trend for instance, and that software expires, Microsoft will activate Windows Defender again after 3 days. Defender has also been included in WinRE (Recovery Environment), which allows us to run malware scans without starting the actual operating system.

Windows Hello

This is a built-in biometric authentication system, which allows us to authenticate using who we are, for instance via facial recognition, iris scan or fingerprint. This is not something new, but it is the first time Microsoft has built these features into the operating system. It is also a framework which will allow users to authenticate to other resources using biometrics.

Next-Generation Credentials

The problem with today's infrastructure is that authentication is based upon usernames and passwords, where it can be easy for attackers to sniff out the username and password and use them to gain access to resources.


With Next-Generation Credentials, Microsoft is creating a two-factor authentication system, where YOU are one of the factors (Windows Hello) and the other factor is the device itself, using either an asymmetric key stored in the TPM or a traditional certificate on the device. This essentially means that in order to get your info an attacker needs to steal both your device and you…

This will also be usable as an SSO provider against different services, but it will first be implemented in Azure AD, where it will allow for a secure authentication process.

Enterprise Data Protection

This is a security feature which will be able to separate business data from private data. It allows data to be automatically encrypted on an end user's device. And yes, this is a feature which is coming for both mobile and desktops.


We will be able to define 4 different levels of security:

  • Block (we can say that users are NOT allowed to share data from a business file to, for instance, social media)
  • Override (users get a warning but are allowed to override; events are logged)
  • Audit (everything is logged)
  • Off

So this, in combination with for instance Azure RMS, opens up some pretty interesting possibilities.

Device Guard

Ever tried AppLocker? It was a good idea to be able to lock down what kind of applications a user was able to execute; the problem was that it ran only in software, meaning that you could bypass it, shut down the service and so on. Therefore Microsoft decided to take it to the next level by creating Device Guard, which is a hardware-assisted application locker that only allows signed applications to run on a system. This feature will only be in Windows Enterprise and requires UEFI and Intel VT-x or AMD-V, and also requires some specific hardware, but many OEM partners like Lenovo, Dell and HP are creating new devices which will support this feature. Microsoft is also creating tools which allow us to sign applications so that they are trusted by Device Guard.

Health Attestation Service

This is a feature that came with Windows 8.1 but is vastly improved in Windows 10; it allows Windows 10 to do a health check against the cloud before gaining access to internal resources. It checks things like Secure Boot, DEP, BitLocker, AV status, patch level and so on. You can see the OMA URI CSP set here –> https://msdn.microsoft.com/en-us/library/windows/hardware/dn920025(v=vs.85).aspx


Regarding MDM, Microsoft has already done a lot in preparation for Windows 10, and for those wondering: yes, Intune supports Windows 10 now and can already push OMA URI settings for Windows 10; all the settings can be found in the same list –> https://msdn.microsoft.com/en-us/library/windows/hardware/dn920025(v=vs.85).aspx

So what else is new that isn't that well known?

  • DirectX 12 support
  • MKV support
  • Print to PDF support
  • Azure AD domain join support
  • Package Manager with PowerShell v5

Here is also an upgrade matrix for those that are wondering what options you have:


When to use Traffic Manager, Cloud Service Load Balancing or Citrix Netscaler

Now that Citrix has released their Netscaler appliance on Azure we have a powerful option for load balancing within the Azure platform. It is also important to consider the other options we have in Azure to do load balancing outside of Netscaler.

Traffic Manager is one of the first options; it acts kind of like GSLB, being a DNS-based load balancing feature. It allows us to load balance between endpoints on a cloud service.

1. Performance Load-Balancing

These services can be spread across different regions. They can be load balanced based upon performance, round robin or failover.

The problem with DNS-based load balancing is that it never gets a full overview of how the traffic is balanced, since it basically just spreads the DNS responses. In addition, Traffic Manager has limited monitoring capabilities, since it can only probe over the HTTP or HTTPS protocol.

We also now have support for nested profiles within Traffic Manager — http://azure.microsoft.com/blog/2014/10/29/new-azure-traffic-manager-nested-profiles/

2. Nested load balancing, performance and weights

On the other side we have load balanced endpoints on Cloud Services.

image

When setting up Cloud Services load balancing we have more options for the load balancing distribution mode, ref https://msdn.microsoft.com/library/azure/dn495300

We can have persistency (affinity) based upon source IP, or source IP plus protocol, and we have more monitoring options through custom probes (an HTTP path or a plain TCP connect). This is an L4 load balancing approach, and it is also free in Azure.

NetScaler, on the other hand, is a complete L4 – L7 load balancing platform that can balance based upon many different parameters. You can also combine the NetScaler appliance with an HA setup to get the best of both worlds, giving you an active/active NetScaler setup within a cloud service http://support.citrix.com/proddocs/topic/netscaler-vpx-10-5/vpx-azure-ha-config-con.html

So when do we use the different services?

If you have a simple web service that does not require advanced monitoring capabilities and is set up across many different cloud services, use Traffic Manager.

If you have a service set up within a single cloud service and need simple load balancing at low cost, use load balanced endpoints.

If you have a service that requires more advanced monitoring or has special demands on how traffic is distributed, use NetScaler within a cloud service.
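To make the difference between the two built-in options concrete, here is an added example (not from the original post) that sets up both with the Azure Service Management PowerShell cmdlets of the time: a Traffic Manager profile spanning two cloud services, and a load balanced HTTPS endpoint with source IP affinity inside one of them. The cloud service names, VM names, the Traffic Manager domain and the /health probe path are assumptions for the example.

```powershell
# Added example, not from the original post. ASM cmdlets (Azure PowerShell 0.9.x era).
# Assumed names: cloud services "webshop-we" and "webshop-ne", VMs "web1"/"web2",
# Traffic Manager domain "webshop-tm.trafficmanager.net", health path "/health".

# --- Option 1: Traffic Manager (DNS based, across cloud services and regions) ---
# Monitoring is HTTP/HTTPS only, so probe a path that returns 200 only when the
# application itself is healthy, not just when the web server is up.
# A short TTL gives faster failover but more DNS queries (which are billed).
$tm = New-AzureTrafficManagerProfile -Name "webshop-tm" `
        -DomainName "webshop-tm.trafficmanager.net" `
        -LoadBalancingMethod "Performance" `
        -Ttl 30 `
        -MonitorProtocol "Https" -MonitorPort 443 -MonitorRelativePath "/health"

# One endpoint per cloud service; "Performance" sends the client to the nearest healthy one.
$tm = Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $tm `
        -DomainName "webshop-we.cloudapp.net" -Type "CloudService" -Status "Enabled"
$tm = Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $tm `
        -DomainName "webshop-ne.cloudapp.net" -Type "CloudService" -Status "Enabled"
Set-AzureTrafficManagerProfile -TrafficManagerProfile $tm | Out-Null

# --- Option 2: load balanced endpoints (L4, free, within one cloud service) ---
# The same public port on both VMs is joined by -LBSetName. "sourceIP" gives
# 2-tuple affinity (client IP -> VM); "sourceIPProtocol" is 3-tuple, "none" is the
# default 5-tuple hash. The probe cannot speak TLS, so it hits a plaintext health
# port instead of 443 (a tcp probe on 443 would be the alternative).
foreach ($vmName in "web1", "web2") {
    Get-AzureVM -ServiceName "webshop-we" -Name $vmName |
        Add-AzureEndpoint -Name "HTTPS" -Protocol tcp -LocalPort 443 -PublicPort 443 `
            -LBSetName "webshop-https" `
            -ProbeProtocol http -ProbePort 8081 -ProbePath "/health" `
            -LoadBalancerDistribution "sourceIP" |
        Update-AzureVM
}
```

Note that the Traffic Manager probe is the only health signal the DNS layer has, and the load balancer probe is the only one the L4 layer has; neither sees application errors that still return 200, which is where NetScaler's richer monitors come in.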

Getting started with Azure Resource Manager and visual studio

So for the observant IT pros, there has been a lot of fuss around Azure and the new Azure Resource Manager, which is a new way to manage resources in Azure. In essence it is a new architectural design from Microsoft for how IaaS resources are managed.

The way to think about Resource Manager is simple: a service we want to deliver consists of different components.

For instance, if we want to deliver an e-commerce webshop using Azure, we would have multiple components like a DB tier, a web tier and maybe an application tier. Instead of creating these components within a cloud service, we create them inside a resource group in Azure.

image

During Build Microsoft announced a large set of templates that can get us started with ARM. These templates are JSON files that describe how a set of resources should be set up. This is essentially version 2 of IaaS resources in Azure: instead of being managed within a cloud service, all the different resources are attached together without the cloud service construct, which has always been there because of the early days of PaaS.

You can find the different JSON templates here — https://github.com/Azure/azure-quickstart-templates

It has a template for most of the different services in Azure. We can also deploy resources directly from the GitHub repository, but this blog post will focus on using Visual Studio. (The templates can also be used directly in the management portal, where you just enter the parameters as needed.)

image

This makes it easy to create a custom template for a deployment and reuse it for other customers, for instance. You can also attach scripts that need to run on the virtual machine instances after they have been provisioned.

You can download the templates from Microsoft either using the GitHub client, which gives you versioning, or as a zip download. Using the GitHub option lets you keep the templates in sync when there are changes.

In order to use Visual Studio with Resource Manager you need a supported version of VS (2012, 2013 or 2015 RC; I'll be using 2015 RC) and you also need the latest Azure SDK, which can be found here http://azure.microsoft.com/blog/2015/04/29/announcing-the-azure-sdk-2-6-for-net/

After you have installed both you should have a new option when creating a new project

image

If this does not appear, you might need to repair the installation of the Azure SDK. After you create a new project you can choose from the different templates provided with the SDK

image

I'm going to choose a blank template, add some resources and then use some of the different templates Microsoft has created.

The project is created with some files. The Deploy-AzureResourceGroup.ps1 PowerShell script is used to actually create and deploy a resource group using the template files; AzCopy is used within the script to upload the template to a storage container.

image

By default the template is of course empty, so we need to add some resources to it.

image

image

This also gives a list of resources that can be added to the template.

image

The resource templates also verify which prerequisites the template needs

image

When we add a storage account, a virtual network and a virtual machine, a number of parameters are added to the JSON template

image

If we drill into some of the parameters we can see which values are allowed, for instance on storageAccountType

image

The default value for the storage account type is locally redundant; we can change the value if we want to, and these need to be changed before deploying. Also, the VM username and password are not set, and we need to define those before deploying or the deployment will fail. Keep the password out of the parameters file that goes into source control and supply it at deployment time instead.

We also have some variables that we can alter, for instance the vNet subnet prefix and IP prefix.

image

After we are done adding our components and defining our variables and parameters, we can deploy the project by right clicking on the resource group in Solution Explorer and choosing New Deployment

image

Then choose a Microsoft Azure account and a valid subscription

image

Then choose Deploy, and follow the output window in Visual Studio to make sure you don't get any error messages, because the parameters you inserted are validated to check whether they comply or whether you are missing any information.

NOTE: you will also get this dialog box if some parameters have not been entered

image

After we have deployed the resource group template we can verify that it is there by going into the Azure portal and looking at the resource group

image

Now that the resource group is there, if we need to do any updates, for instance changing a virtual machine instance size, we can just update the project and redeploy it; the deployment is incremental and will update the virtual machine in place.

But note that this is still in preview and should not be used for production workloads in Azure quite yet, and when using templates from GitHub the JSON outline view for some reason does not appear.
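The same deployment can be driven from PowerShell instead of the Visual Studio dialog, which also shows what the dialog does for you: find the parameters without a default, supply them without writing the password to disk, validate, then deploy. This is an added example, not the project's Deploy-AzureResourceGroup.ps1 script; it uses the ARM-mode cmdlet names of the Azure PowerShell release that shipped with SDK 2.6 (newer modules rename them, e.g. New-AzResourceGroupDeployment). The template path, resource group name, location and the parameter names adminUsername, adminPassword and storageAccountType are assumptions.

```powershell
# Added example, not the Visual Studio project's own script.
# Assumed: template at .\Templates\DeploymentTemplate.json with parameters
# adminUsername, adminPassword (secureString) and storageAccountType.
Switch-AzureMode -Name AzureResourceManager

$templateFile = ".\Templates\DeploymentTemplate.json"   # assumed path
$rgName       = "webshop-rg"                            # assumed name
$location     = "West Europe"

# Which parameters must be supplied? Those the template gives no defaultValue,
# which is exactly what the Visual Studio dialog nags about (VM credentials).
$template = Get-Content $templateFile -Raw | ConvertFrom-Json
$required = $template.parameters.PSObject.Properties |
    Where-Object { -not $_.Value.PSObject.Properties["defaultValue"] } |
    ForEach-Object { $_.Name }
"Parameters without defaults: $($required -join ', ')"

# Build the parameter set in memory. The password is read as a SecureString and
# never lands in the .param.*.json file that gets checked into source control.
$params = @{
    adminUsername      = "vmadmin"
    adminPassword      = Read-Host -Prompt "VM admin password" -AsSecureString
    storageAccountType = "Standard_GRS"   # override the locally redundant default
}

# Validate before creating anything: missing or out-of-range parameters
# (e.g. a storageAccountType outside allowedValues) are reported here.
New-AzureResourceGroup -Name $rgName -Location $location -Force | Out-Null
$errors = Test-AzureResourceGroupTemplate -ResourceGroupName $rgName `
            -TemplateFile $templateFile -TemplateParameterObject $params
if ($errors) {
    $errors | Format-List
    throw "Template validation failed, nothing was deployed"
}

# Incremental deployment (the default): resources already in the group that are
# not in the template are left alone, matching resources are updated in place.
New-AzureResourceGroupDeployment -Name "webshop-$(Get-Date -Format yyyyMMddHHmm)" `
    -ResourceGroupName $rgName -TemplateFile $templateFile `
    -TemplateParameterObject $params
```

Running the validation step separately is worth keeping even when deploying from Visual Studio: it is the same check the dialog performs, but scripted it can run in a build pipeline before anyone with deployment rights is involved.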

Implementing Citrix Netscaler on Azure

So this week Citrix finally launched NetScaler on Azure. The reason they could not do this before is that there have been a lot of limitations on Azure, and there still are, so the appliance itself is also a bit limited, but I'll get to that.

So what is important to know about NetScaler on Azure:

  • It is bring your own license (BYOL)
  • Runs as an A2 Linux instance (which costs about $44 a month) by default; this can be changed.
  • Runs in single IP mode, meaning that the VIP, SNIP and NSIP all use the same IP address, so the management interface and the load balanced services share one address and one port space
  • Bandwidth is also an extra cost on Azure (meaning traffic going out of Microsoft's datacentres)
  • Since it runs in single IP mode you do not need to enter a SNIP address (even though the welcome configuration wizard will nag you about it)
  • Runs a custom firmware build, Build 51.1048.e, which cannot be upgraded
  • Azure DNS servers should be added using TCP, not UDP
  • The IP address is assigned by the Azure DHCP service
  • Use the static IP address feature in Azure to avoid the IP address changing on reboot and so on.
  • Some features are not supported:
      Clustering
      IPv6
      Gratuitous ARP (GARP)
      L2 Mode
      Tagged VLAN
      Dynamic Routing
      Virtual MAC (VMAC)
      USIP
      GSLB
      CloudBridge Connector

Note that Azure now also supports multiple NICs, which would allow multiple NICs on a NetScaler instance, but Citrix does not recommend using this feature, and therefore the regular NetScaler VPX in Azure has one NIC.

VPX 10, 200 and 1000 are supported in Azure. If you need the VPX 1000 you need to scale up the virtual machine to support the bandwidth, since a medium (A2) instance only supports up to 200 Mbps.

So now that we know a bit about it, how do we set it up? The easiest way is by using the Marketplace in Azure (this requires an active subscription, but it can also be set up with an MSDN subscription, for instance)

image

Just search for Citrix and you will find it.

Now you need to enter a password (or a public key) for SSH for the nsroot user. Prefer the public key, since SSH on this account is reachable from the Internet as soon as the VM is provisioned. Note that by default it is an A2 instance, which as I mentioned has bandwidth limits.

image

We also need to alter some networking configuration before we create the VPX. By default the IP is assigned by DHCP in Azure, but this can be changed to static using the new portal

image

We have two options, one for the VIP (the external public IP address) and one for the private internal address. You should change both (the VIP to reserved and the private address to static) to be sure the IPs stay the same on the VPX across reboots and so on.

Also be sure to add other endpoints if you for instance want to manage the VPX using HTTP/HTTPS; by default only SSH is added as an endpoint. If you add management endpoints, restrict them with an ACL to your admin addresses rather than leaving the NetScaler GUI open to the Internet.

image

After provisioning is done you can access the VPX using the public DNS address.

image

And voila!

image

Important to remember when setting up public services: you cannot use the following ports for external services.

The following ports are reserved by the NetScaler virtual machine. You cannot define these as private ports when using the cloud service IP address for requests from the Internet.

Ports 21, 22, 67, 80, 161, 179, 443, 500, 520, 3003, 3008, 3009, 3010, 3011, 4001, 5061, 7000, 8080 and 9000.
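The static IP, endpoint and reserved-port points above come together in the following added example (not from the original post and not Citrix's documentation): it pins the internal address, restricts the SSH and HTTPS management endpoints to an admin subnet with an endpoint ACL, and refuses to map a public service onto a private port the VPX keeps for itself. The cloud service and VM name, the vNet name, the admin subnet, the internal address and the public service ports are assumptions, as is the default endpoint name "SSH" from the gallery image.

```powershell
# Added example, not from the original post or from Citrix. ASM cmdlets.
# Assumed: cloud service and VM both named "ns-vpx", vNet "vNet01",
# internal static IP 10.0.0.10, admin subnet 203.0.113.0/24.

# Ports the appliance keeps for itself in single IP mode (the reserved list above).
$nsReservedPorts = 21,22,67,80,161,179,443,500,520,3003,3008,3009,3010,3011,4001,5061,7000,8080,9000

function Test-NSPrivatePort {
    # $true when a private (local) port can carry a public service on the VPX;
    # a reserved port would collide with one of the appliance's own listeners.
    param([Parameter(Mandatory)][int]$Port)
    return ($nsReservedPorts -notcontains $Port)
}

# 1. Pin the internal address so NSIP/SNIP/VIP do not move on reboot.
$vm = Get-AzureVM -ServiceName "ns-vpx" -Name "ns-vpx"
if (-not (Test-AzureStaticVNetIP -VNetName "vNet01" -IPAddress "10.0.0.10").IsAvailable) {
    throw "10.0.0.10 is already in use in vNet01"
}
$vm = $vm | Set-AzureStaticVNetIP -IPAddress "10.0.0.10"

# 2. Management plane: SSH (existing "SSH" endpoint) and the HTTPS GUI, both only
#    from the admin subnet. The GUI is published on public 8443 -> private 443 so
#    public 443 stays free for the web service below.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -Action Permit -RemoteSubnet "203.0.113.0/24" -Order 100 `
    -Description "admins only" -ACL $acl
$vm = $vm | Set-AzureEndpoint -Name "SSH" -Protocol tcp -LocalPort 22 -PublicPort 22 -ACL $acl
$vm = $vm | Add-AzureEndpoint -Name "NS-GUI" -Protocol tcp -LocalPort 443 -PublicPort 8443 -ACL $acl

# 3. Public services: the public port is free to choose, but the private port (the
#    port the NetScaler vserver listens on) must not be in the reserved list.
$services = @{
    "WEB-HTTPS" = @{ Public = 443; Private = 10443 }
    "WEB-HTTP"  = @{ Public = 80;  Private = 8081  }
}
foreach ($name in $services.Keys) {
    $s = $services[$name]
    if (-not (Test-NSPrivatePort $s.Private)) {
        throw "${name}: private port $($s.Private) is reserved by the VPX"
    }
    $vm = $vm | Add-AzureEndpoint -Name $name -Protocol tcp -LocalPort $s.Private -PublicPort $s.Public
}
$vm | Update-AzureVM
```

The vservers you create on the NetScaler then listen on 10443 and 8081 (the private ports), while clients still connect to 443 and 80 on the cloud service address; if you later add an endpoint for a new service, run the same reserved-port check before you create it.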
