1 azure ™ services platform microsoft.net services a closer look clemens vasters technical lead...
TRANSCRIPT
1
Azure™ Services Platform
Microsoft .NET ServicesA Closer Look
Clemens VastersTechnical LeadMicrosoft Corporation
What is a Service Bus?Connectivity ChallengesNamingService Registry and DiscoveryMessaging, Connectivity and Events
Agenda
Internet Service Bus
Service Orchestration
Service Registry
NamingFederated Identity and
Access Control Messaging Fabric
Clients MS/3rd Party ServicesOn-Premise ESB
ESBDesktop, RIA, Web
Desktop, RIA, & Web
Your Services
IPv4 Address ShortageDynamic IP address allocationNetwork Address Translation (NAT)
Internet is pwn3d by the bad guysFirewalls layered over firewalls over firewalls
Connectivity Challenges
Sender Receiver?Machine Firewall
Network FirewallNetwork Address Translation
Dynamic IP
Dynamic DNSNAT Port Mappings / UPnPOpen Inbound Firewall Ports
How Do People Deal With It?
Sender Receiver?Machine Firewall
Network FirewallNetwork Address Translation
Dynamic IP
Brittle, Difficult, Insecure – and sometimes – Impractical Consequence: We see recurring patterns of workarounds
Any Instant Messaging/Communication App
Access Control, Relay, Direct ConnectAny Multiplayer Game
Access Control, Relay, Direct ConnectAny Home Media Integration System
Access Control, Relay, Direct ConnectAny Enterprise Integration System
Access Control, VPN/VAN
Who needs it?
Service Bus – Naming
Service Registry
NamingFederated
Identity and Access Control
Messaging Fabric
Service Bus Naming
Federated, hierarchical, DNS-integrated, transport-neutral naming system
Root
Solution
Solution
Solution
NameB
NameC
Name1
Name2
Name3
NameA
9
Anything wrong with DNS?
DNS has some practical constraints:High update propagation latencyIncreasing pollution by ISPs (“DNS assistance”)Names hosts, not servicesLimited write-access model (often out-of-band)
Service Bus Naming SystemR/W access with access control via RegistryUpdates reflected instantaneouslyNames name endpoints, not machines
10
Canonical Form of URI Projectionsscheme://naming-scope/name/name
Root
X
Y
Z
B
C
1
2
3
A
URI ‘Host’: Naming AuthorityURI ‘Path’: Federated Name Structure
11
Global Naming Structure (PDC)
scheme://servicebus.windows.net/services/solution/name/…
Root SBWN services
solution
2
3
name
Required Prefix
Global Naming Structure (Post-PDC)
Root
Solution
Solution
Solution
NameB
NameC
Name1
Name2
Name3
NameA
scheme://solution.servicebus.windows.net/name/…
Service Bus – Service Registry
Service Registry
NamingFederated
Identity and Access Control
Messaging Fabric
14
Service Registry
The service registry is registry for service endpoints, not a general purpose directoryRegistry is layered over the naming systemProvides programmatic access to naming
Discover: Atom 1.0 feed hierarchyPublish: Atom Publishing Protocol, WS-Transfer
Naming
Service RegistryClient
AtomPub
WS-Transfer
15
Registry Feed Structure
Accessing the root registry feed for solutionshttp://servicebus.windows.net/services/solution/Root of a hierarchy of feeds
Naming Root SBWN services
svc
solution svc
solution
Client
AtomPub
WS-Transfer
Services in Registry Feeds<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:wsa="http://www.w3.org/2005/08/addressing"> <title>Title</title> <link href="http://connect.biztalk.net/services/my/svc" rel="self"/> <id>urn:uuid:82a76c80-d498-12d5-b91C-0103839e0ef6</id> … <entry> <title>MyEndpoint</title> <link href="http://cbn/services/my/svc/ep1"/> <id>urn:uuid:1225c695-cfb8-4ebb-aaaa-80da344efa6a</id> <wsa:EndpointReference> <wsa:Address> http://servicebus.windows.net/services/my/svc/ep1 </wsa:Address> </wsa:EndpointReference> </entry> </feed>
17
.NET Service Bus Registry
demo
Service Bus – Messaging
Service Registry
NamingFederated
Identity and Access Control
Messaging Fabric
Primary Programming Model: WCFFamily of Bindings for the Service Bus
Service Bus - Messaging
Corresponding WCF Binding Service Bus Relay Binding
BasicHttpBinding BasicHttpRelayBinding
WebHttpBinding WebHttpRelayBinding
WSHttpBinding WSHttpRelayBinding
WS2007HttpBinding WS2007HttpRelayBinding
WSHttpContextBinding WSHttpRelayContextBinding
WS2007HttpFederationBinding WS2007HttpRelayFederationBinding
NetTcpBinding NetTcpRelayBinding
NetTcpContextBinding NetTcpRelayContextBinding
n/a [loosely related to NetMsmqBinding] NetOnewayRelayBinding
n/a [loosely related to NetTcpPeerBinding] NetEventRelayBinding
Works just like WCF:Envelopes: SOAP 1.1, SOAP 1.2, NoneAll WS-* end-to-end security scenariosTransport-level message path protection (SSL)Reliable Messaging, StreamingFull Extensibility ModelWeb programming model (WebGet/-Invoke)Metadata Exchange
Not supported:(By Design) Atomic Transaction Flow(By Design) Protocol-level transport authentication(PDC Issue) WebScriptingBehavior JavaScript proxy(PDC Issue) Direct Tcp Modes with RM or WS-* Sec.
WCF Relay Bindings For WCF Pros
NetOnewayRelayBinding
Service Bus
Sender Receiver
sb://servicebus.windows.net/services/solution/a/b/
outb
ound
conn
ect o
ne-w
ay n
et.tc
p TCP/SSL 828
BackendNamingRoutingFabric
Frontend Nodes
TCP/SSL 808/828
outbound connect bidi socket
Msg Msg
NATFirewallDynamic IP
SubscribeRoute
NLB
NetEventRelayBinding
Service Bus
Sender Receiver
sb://servicebus.windows.net/services/solution/a/b/
outbound connect bidi socketoutb
ound
conn
ect o
ne-w
ay n
et.tc
p TCP/SSL 828
BackendNamingRoutingFabric
Frontend Nodes
TCP/SSL 808/828
Msg Msg
SubscribeRoute
Receiver
outbound connect bidi socketTCP/SSL
828
Msg
23
One-Way Messaging and Events
demo
NetTcpRelayBinding / Relayed
Service Bus
Sender Receiver
sb://servicebus.windows.net/services/solution/a/b/BackendNamingRoutingFabric
Frontend Nodes
Ctrl
1
2
3
4
Socket-SocketForwarderoutbound
socke
t
connect
outbound socket
rendezvous
Ctrl
TCP/SSL 818
OnewayRendezvous
Ctrl Msg
NLB
NetTcpRelayBinding / Hybrid
Service Bus
Sender Receiver
sb://servicebus.windows.net/services/solution/a/b/BackendNamingRoutingFabric
Frontend Nodes
Ctrl
rela
yed
conn
ect
OnewayRendezvous
Ctrl Msg
relayed
rendezvous
TCP/SSL 818, 819
NAT
Prob
ing NAT
Probing
NAT Traversal Connection
upgr
ade
upgrade
26
TCP-based Connections
demo
[WS|Basic|Web]HttpRelayBinding
Service Bus
Sender Receiver
sb://servicebus.windows.net/services/solution/a/b/BackendNamingRoutingFabric
Frontend Nodes
Ctrl
1
2
3
4
HTTP-SocketForwarder
HTTP
HTTPS
request
outbound socket
rendezvous
Ctrl
HTTP/S80/443
OnewayRendezvous
Ctrl Msg
NLB
28
HTTP Based Connections
demo
Service Bus – Access Control Integration
Service Registry
NamingFederated
Identity and Access Control
Messaging Fabric
30
Receiver
Access Control
STS
Service BusRelay
RST/RSTR
AcTk
Token Header
AcTk
#Listen
Relay Access Control Model - ListenerAcquire
Access Token#Listen
Pass Access Token with
Subscription
1
2
Token Evaluated
3
31
ReceiverSender
Access Control
STS
RST/RSTR
Service BusRelay
AcTk
Token Header
AcTk
#Send
Relay Access Control Model - SenderAcquire
Access Token#Send
Pass Access Token with Message
Token Evaluated and
Removed
Message Passed on to
Receiver
1
23
4
32
Integrated Access Control
Access Control Governed by RulesManaged in the Access Control ServiceServices must be authorized to listen in namespaceEvaluation of all claims in the cloudNo notion of “identity” in the relayed service
Service can turn off client access controlLocal evaluation of end-to-end claimsFull control over authN/Z model (but less protection)
Clean composition w/ standard SOAP/HTTP model
WS-Security Header reserved for E2E Message SecurityTransparent to HTTP-Header AuthN/AuthZ schemes
33
.NET Access Control
demo
34
Notes on Security
We encourage you to hide your payloadsUse WS-Security to protect end-to-end pathYou own all keys used to protect payloads
Transport securitySSL channels terminate in the Service BusSocket connections relayed on-machineOneway/Event relayed on backend fabric
What do we look at in the Service Bus?SOAP: Action/wsa:Action, wsa:To, wsa:ActionHTTP: Method, URIAccess Tokens
Service Bus – Workflow Integration
Service Registry
NamingFederated
Identity and Access Control
Messaging Fabric
Workflow
36
.NET Workflow Services
demo
37
Q & A
38
Summary
Pervasive, Secure Connectivity for ServicesSecure NAT Traversal, “DMZ in the sky”
WCF-Integrated Programming Model