Windows Azure AppFabric Deep Dive Name Title Microsoft Corporation


Post on 29-Mar-2015


Page 1: Service Bus Service Bus Access Control

Windows Azure AppFabric Deep Dive

Name / Title / Microsoft Corporation

Page 2: Session Objectives

Scenario, explanation and example for each pattern
  Eventing
  Service remoting
  Tunneling

Drill into Access Control Service

Tips and tricks
  Firewall configuration
  Hosting Service Bus endpoints in Windows Azure
  Security

The AppFabric Labs environment

Page 3: AppFabric Service Bus

Page 4: Three Common Patterns

Eventing
  One-way communication
  Unicast or multicast
  Immediate or temporally decoupled

Service remoting
  RPC-style, request/response or duplex
  Contracts, schemas, structured data

Tunneling
  Full-duplex tunneling of raw streams
  TCP, pipes, proxies, …

Page 5: Eventing

1:N communications
  1 client transmits a message to the Service Bus
  Service Bus relays the message to N clients

One-way messaging
  Unicast: broadcast to a single listener
  Multicast: broadcast to multiple listeners

Buffering
  Transient storage for messages
  Supports occasionally disconnected clients

Page 6: Eventing

Diagram: Sender -> Service Bus (with Access Control) -> Listener, Listener

Notify remote parties of events
  Sender transmits information to listeners
  Events are distributed unicast or multicast

Page 7: Implementing Eventing

Simple WCF semantics
  1. Provide a WCF service contract with OneWay operations
  2. Create the service implementation using the MulticastService behaviour
  3. Authenticate each client to the SB endpoint
  4. Create two connections to the Service Bus
     1. A ServiceHost to listen for chat messages
     2. A client connection to send new messages
  5. Send and receive messages

Page 8: Relay Chat (demo)

Name / Title / Group

Page 9: Service Remoting

Expose web services beyond the firewall
  On-premise web service
  Expose to clients without firewall changes

Message distribution options
  Simple load balancing support
  Supports full-duplex communications

Pass through underlying security constructs
  End-to-end authentication
  End-to-end encryption

Page 10: Service Remoting

Diagram: Sender -> Service Bus (with Access Control) -> Listener

Access web services across the Internet
  Publish services and communicate bi-directionally

Page 11: Implementing Remoting

Config only, from an existing service
  1. Take an existing on-premise service
  2. Use WCF config to authenticate and connect to SB
  3. Each service has a unique SB endpoint

Simple client with supporting libraries
  1. Query the Service Bus registry via ATOM for the list of endpoints
  2. Choose an endpoint at random (or by another ‘smart’ algorithm)
  3. Establish communications with the selected endpoint
  4. The message is relayed to the selected service
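The client-side steps above (query the registry feed, pick one listener, connect to it) as an added Python example; it is not code from the deck or from the AppFabric SDK. The feed below is constructed, and the entry/link layout it assumes, the example.servicebus.windows.net namespace and the function names are all assumptions. It goes one step beyond the slide by checking that every candidate endpoint actually belongs to the expected namespace before it is eligible for selection, so a stray or mis-registered entry cannot steer the client elsewhere.

```python
"""Endpoint discovery for the load-balanced remoting client (added demo, not SDK code)."""
import random
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed registry feed. The real Service Bus registry is an Atom feed; the
# entry/link layout below is an assumption made for this demo. The "stray" entry
# stands in for a mis-registered listener outside our namespace.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title type="text">Publicly Listed Services</title>
  <entry>
    <title type="text">calc-1</title>
    <link rel="alternate" href="sb://example.servicebus.windows.net/calc/1/"/>
  </entry>
  <entry>
    <title type="text">calc-2</title>
    <link rel="alternate" href="sb://example.servicebus.windows.net/calc/2/"/>
  </entry>
  <entry>
    <title type="text">calc-3</title>
    <link rel="self" href="https://example.servicebus.windows.net/calc/3/"/>
    <link rel="alternate" href="sb://example.servicebus.windows.net/calc/3/"/>
  </entry>
  <entry>
    <title type="text">stray</title>
    <link rel="alternate" href="sb://other-namespace.example.net/calc/"/>
  </entry>
</feed>"""


def list_endpoints(feed_xml):
    """Step 1: collect every alternate-link href from the feed, in document order."""
    root = ET.fromstring(feed_xml)
    found = []
    for entry in root.iter(ATOM + "entry"):
        for link in entry.findall(ATOM + "link"):
            # Atom treats a missing rel attribute as rel="alternate".
            if link.get("rel", "alternate") == "alternate" and link.get("href"):
                found.append(link.get("href"))
    return found


def usable_endpoints(endpoints, namespace_host, scheme="sb"):
    """Keep only endpoints in our own namespace; the feed is data, not an authority."""
    keep = []
    for ep in endpoints:
        parts = urlsplit(ep)
        if parts.scheme == scheme and parts.hostname == namespace_host:
            keep.append(ep)
    return keep


def choose_endpoint(endpoints, rng=None):
    """Step 2: random pick (pass another chooser for a smarter policy).

    An empty candidate list is an error, never a silent default."""
    if not endpoints:
        raise LookupError("no listeners registered under this namespace")
    return (rng or random).choice(endpoints)


def pick_from_feed(feed_xml, namespace_host, rng=None):
    """Steps 1 and 2 together: the endpoint the client should connect to in step 3."""
    return choose_endpoint(usable_endpoints(list_endpoints(feed_xml), namespace_host), rng)


if __name__ == "__main__":
    print(pick_from_feed(SAMPLE_FEED, "example.servicebus.windows.net"))
```

Only the three calc endpoints under the expected namespace are ever candidates; the stray entry is parsed but discarded before the random choice is made.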

Page 12: Load Balanced Service (demo)

Name / Title / Group

Page 13: Tunneling

Tunnel low-level protocols via Service Bus
  High-performance tunnel over TCP where possible
  Automatic fallback to a tunnel over simple HTTP where needed

Expose anything on-premise securely
  To clients over the Internet
  To Windows Azure services

Page 14: Tunneling

Diagram: Sender -> Protocol Bridge -> Service Bus (with Access Control) -> Protocol Bridge -> Listener

Transport existing protocols over Service Bus

Page 15: Implementing Tunneling

Implement the agent
  1. Read configuration
  2. Listen on a port/pipe on the local machine
  3. Forward communications efficiently to/from the Service Bus

Implement the bridge
  1. Listen on the Service Bus
  2. Forward communications to/from the local port/pipe

Page 16: Port Bridge (demo)

Name / Title / Group

Page 17: Access Control Service

Page 18: Why an Access Control Service?

Federate identity
  Leverage multiple identity providers per application
  ADFS v2, Live ID, Facebook, Yahoo, Google, …

Identity abstraction
  Evolve past username/password
  Leverage claims-based identity

Page 19: Access Control Service: How it works

Parties in the diagram: Customer, Access Control Service, Your Service

0. Establish trust via key exchange
1. Define access control rules for an identity provider
2. Request token (pass input claims)
3. Map input claims to output claims based on access control rules
4. Return token (receive output claims)
5. Send message with token
6. Process token

Page 20: Capabilities

ACS == claims-based access control

Key features
  Open to all platforms
  Simple rules for mapping input to output claims
  OAuth WRAP & SWT
  Integrates with ADFS v2

All web services can take advantage of these capabilities with a single code base
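The token flow on the previous slide (steps 1, 3, 4 and 6) together with the SWT format named here, as an added Python example that is not code from the deck or from ACS itself. The signing key, the issuer and audience strings, the rule table and the net.windows.servicebus.action claim name are constructed or assumed for the demo; the token layout (form-encoded claims plus Issuer, Audience and ExpiresOn, with HMACSHA256 computed over everything before it using the base64-decoded shared key) follows the Simple Web Token draft. The relying-party side checks the signature before reading any claim, then issuer, audience and expiry, so a forged, misdirected or replayed token never reaches the authorisation decision.

```python
"""ACS-style claim mapping and SWT issue/validate (added demo, not ACS code)."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed demo values. A real relying party gets these from its ACS namespace.
SIGNING_KEY_B64 = base64.b64encode(b"constructed-demo-key-0123456789abcdef").decode()
ISSUER = "https://example-sb.accesscontrol.windows.net/"   # assumed issuer name
AUDIENCE = "http://example.servicebus.windows.net/chat"     # assumed service endpoint
ACTION_CLAIM = "net.windows.servicebus.action"               # assumed Service Bus claim type

# Step 1: rules for one identity provider, as
# (input claim type, input value, output claim type, output value).
RULES = [
    ("name", "alice", ACTION_CLAIM, "Listen"),
    ("name", "alice", ACTION_CLAIM, "Send"),
    ("name", "bob", ACTION_CLAIM, "Send"),
]


def map_claims(input_claims, rules):
    """Step 3: derive output claims; values for the same output type are comma-joined."""
    out = {}
    for in_type, in_value, out_type, out_value in rules:
        if input_claims.get(in_type) == in_value:
            out.setdefault(out_type, []).append(out_value)
    return {k: ",".join(v) for k, v in out.items()}


def _sign(unsigned, key_b64):
    """HMAC-SHA256 over the UTF-8 bytes of the unsigned token, keyed by the decoded secret."""
    return hmac.new(base64.b64decode(key_b64), unsigned.encode("utf-8"), hashlib.sha256).digest()


def issue_swt(output_claims, issuer, audience, key_b64, lifetime_s=600, now=None):
    """Step 4: form-encode the claims and append HMACSHA256 as the last parameter."""
    now = int(time.time()) if now is None else now
    pairs = list(output_claims.items()) + [
        ("Issuer", issuer), ("Audience", audience), ("ExpiresOn", str(now + lifetime_s)),
    ]
    unsigned = urlencode(pairs)
    sig_b64 = base64.b64encode(_sign(unsigned, key_b64)).decode()
    return unsigned + "&HMACSHA256=" + quote(sig_b64, safe="")


def validate_swt(token, issuer, audience, key_b64, now=None):
    """Step 6: signature first, then issuer, audience and expiry; returns the claims."""
    now = int(time.time()) if now is None else now
    unsigned, sep, sig_field = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("no signature")
    try:
        provided = base64.b64decode(unquote(sig_field), validate=True)
    except ValueError:
        raise ValueError("malformed signature") from None
    # Constant-time comparison; nothing in the token is trusted until this passes.
    if not hmac.compare_digest(_sign(unsigned, key_b64), provided):
        raise ValueError("bad signature")
    claims = dict(parse_qsl(unsigned, keep_blank_values=True))
    if claims.get("Issuer") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("Audience") != audience:
        raise ValueError("wrong audience")
    if not claims.get("ExpiresOn", "").isdigit() or int(claims["ExpiresOn"]) <= now:
        raise ValueError("expired")
    return claims


def token_status(token, issuer, audience, key_b64, now=None):
    """validate_swt for callers that log a reason: returns 'ok' or the rejection reason."""
    try:
        validate_swt(token, issuer, audience, key_b64, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def permits(claims, action):
    """Authorisation decision taken on validated output claims only."""
    return action in claims.get(ACTION_CLAIM, "").split(",")


if __name__ == "__main__":
    token = issue_swt(map_claims({"name": "bob"}, RULES), ISSUER, AUDIENCE, SIGNING_KEY_B64)
    print(token)
    claims = validate_swt(token, ISSUER, AUDIENCE, SIGNING_KEY_B64)
    print("bob may Send:", permits(claims, "Send"), "may Listen:", permits(claims, "Listen"))
```

Run directly, it issues a token for bob and shows that the validated claims allow Send but not Listen. Editing a claim value, presenting the token to a different audience, using the wrong key or waiting past ExpiresOn each produce a distinct rejection reason from token_status, which is the signal a relying party should log.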

Page 21: ACS Calculator (demo)

Name / Title / Group

Page 22: Tips and Tricks

Page 23: Firewall Configuration

AppFabric is tolerant of diverse network topologies

Minimum configuration
  Enable outbound HTTP on ports 80 and 443
  Authenticate against the proxy server, if any

Optimal configuration
  Allow outbound on ports 9350 and 9351
  Can limit to well-known IP ranges

Page 24: SB Endpoints in Windows Azure

1. Create a Worker Role
2. Create a ServiceHost
3. Authenticate against the Service Bus
4. Open the ServiceHost

Page 25: Session Takeaways

Service Bus provides a topology-agnostic message bridge in the cloud

Three key Service Bus patterns
  Eventing
  Remoting
  Tunneling

Access Control Service abstracts authentication and authorization

Labs provides early access to new features

Page 26: Legal notice

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.