Posts tagged Windows Azure Pack

Designing VM Roles with SMA in mind

Blog by Ben Gelens who blogs at 

SMA Runbooks can be triggered by Windows Azure Pack events like VM Role creation. You can configure this by going to the VM Cloud automation tab and linking a runbook to an Azure Pack known object like “Microsoft VMRole“.

The objects have actionable event like Create, Scale, Repair and Delete. You can link one runbook per actionable event per object.

A runbook is only available to linkup with an event if it is configured with the SPF tag.

When taking this information in mind, you can see that if you are going to build a dependency between actionable events and SMA runbooks you need to develop and commit to some standards. In this blog post I’ll show you some examples of what you could think off while developing your SMA Windows Azure Pack integration strategy for VM Roles.

Background information

In my daily job I see VM Roles being used by enterprise customers as a replacement for SCVMM service templates and VM templates. Although the VM Role is meant to be disposable, scalable, recyclable and easily replaceable, they are actually being used for VMs which will have long life spans and take advantage of some of the VM Role benefits like scaling and resource extension configuration.

Windows Azure Pack Tenant Public API new cmdlets

Two months ago I published a blog on the Windows Azure Pack Tenant Public API. This API allows you to interact with your cloud services using PowerShell over the internet and certificate authentication. The Microsoft Azure PowerShell module provided cmdlets for Windows Azure Pack as well. As you might remember from that blog was the lack of VM Role cmdlets. There was a workaround that worked but was somewhat complex to configure and maintain.

A new version of the Microsoft Azure PowerShell module has been released. This new version also contains various new cmdlets  for Windows Azure Pack.

  • New-WAPackCloudService
  • Get-WAPackCloudService
  • Remove-WAPackCloudService
  • New-WAPackVMRole
  • Get-WAPackVMRole
  • Set-WAPackVMRole
  • Remove-WAPackVMRole
  • New-WAPackVNet
  • Remove-WAPackVNet
  • New-WAPackVMSubnet
  • Get-WAPackVMSubnet
  • Remove-WAPackVMSubnet
  • New-WAPackStaticIPAddressPool
  • Get-WAPackStaticIPAddressPool
  • Remove-WAPackStaticIPAddressPool
  • Get-WAPackLogicalNetwork

As you can see it also contains new cmdlets for interacting with cloud services and the VM Role.

You can download Microsoft Azure PowerShell module 0.8.6 through the Web Platform Installer with this link.

The VM Role is a custom configuration that can consist of many required and optional fields. As with the GUI wizard some values must be provided for the PowerShell cmdlet. Creating a new VM Role with the New-WAPackVMRole cmdlet requires some input.


If we take a look at the ResourceDefinition of an existing VM Role there is still some configuration requirement, but it is a huge improvement compared the previous procedure.


Windows Azure Pack configuration with a named instance and a non-default SQL port

Installing Windows Azure Pack in a lab environment is relatively easy. You control all the environment variables. Changes to operating systems, required permissions or other settings are within your own hands.

How different is this when you implement Windows Azure Pack in a Service Provider or Enterprise Organization environment. All kind of security requirements are in place. Each change in the environment is preceded by a request for change procedure. Planning, prerequisites and design documents are essential from the start of the project. If you have not invested in these upfront you will find yourself confronted with a new change each time that, in its turn, results in another RFC with accompanying handling time. Within a couple of days your teeth marks will be visible in the steering wheel of your car.

(Previously) a prerequisite for Windows Azure Pack:

  • Windows Azure Pack requires a SQL server running in mixed authentication mode and the SQL instance must be running on the default SQL port 1433

But the security policy at the Enterprise Organization or Service Provider dictates:

  • The SQL Server must be in Windows Authenticated mode only using a named instance and non-default SQL port

Most deployments start with an installation in a development environment that reflect the production environment. In the development environment the SQL configuration that is required for Windows Azure Pack is tolerated but flagged. Once we move to production the RFC can possibly block the implementation.

I contacted the folks from the Windows Azure Pack program group a couple of months ago. They provided the means to configure Windows Azure Pack with a named instance and against a non-default SQL port. It was OK to use this configuration for the development environments, but they needed some additional testing to validate that this configuration would not break in hotfix or upgrade scenarios.

Named instance and non-default SQL port

It is now supported to configure Windows Azure Pack with a named instance and a non-default SQL port. Configure the database connection in the configuration wizard with the following format.

<SQL Server>\<Instance>,<Port number>

In this example


Custom SQL port

SQL Authentication

Windows Azure Pack does still require a SQL Server in mixed authenticated mode. During the installation SQL accounts are created that are used in the encrypted part of the web.config file of each Windows Azure Pack website. But if this SQL authentication discussion comes up in a project consider this:

A long time ago, Microsoft recommended “When possible, use Windows Authentication” for SQL databases. That recommendation was not based on security issues with SQL authentication. It was a best practice for applications which would work better with pass through user authentication rather than using a service principle. That statement was interpreted by most organizations with “you should never use SQL authentication”.

Is that statement (still) true or is SQL authentication a secure choice?

The best example of using SQL authentication for databases is Microsoft itself. Microsoft Azure SQL Database (database-as-a-service) supports only SQL Server Authentication. Windows Authentication (integrated security) is not supported.

If Microsoft wasn’t comfortable using SQL authentication, they wouldn’t run a few hundred thousand SQL servers. That are on the internet!!

Image taken from the new Microsoft Azure Portal that is in preview.

Azure SQL

More Information

Windows Azure Pack, SQL Always On, Listener and Port story

Microsoft SQL Server versions supported in a Windows Azure Pack deployment

Windows Azure Pack – Active Directory Design Choices

Darryl van der Peijl wrote this great guest blog on design considerations for Active Directory in a Windows Azure Pack environment:

In this blog I will discuss different Active Directory designs, focusing on the use of Windows Azure Pack. Since Windows Azure Pack is nothing different from a regular web service, these designs can be used in a very generic way.

When talking Active Directory, we are actually talking security. The design decisions you make can have a huge impact on the vulnerability of your infrastructure.

Windows Azure Pack is offering a number of services that can be accessed from the Internet like the Tenant Portal and Tenant Public API, and don’t forget the “Remote Console” feature which will need a Remote Desktop Gateway server accessible from the Internet as well.

It is recommended to put servers in a DMZ/Perimeter network which can be accessed from the outside. Since they are reachable from the potentially ‘hostile’ external world, these servers can become subject to intrusion or hijacking by attackers. The DMZ/Perimeter network is a containment area so that a breached server does not gain immediate access to your internal infrastructure.

So, let’s get started!

I will discuss the following four different Active Directory designs and sum up the advantages and disadvantages.

  • No Active Directory in DMZ / Perimeter Network
  • Extended Forest
  • Forest with child domains
  • Isolated Forests

The following terms will be used:

ADDS Active Directory Domain Services
DMZ / Perimeter Network The zone for external facing services
Local Network The zone for internal services
Local infrastructure Infrastructure (servers) in the Local Network
Perimeter infrastructure Infrastructure (servers) in the Perimeter Network


No Active Directory in DMZ / Perimeter Network

You can implement Windows Azure Pack without the use of Active Directory, so you don’t have to create a separate domain for WAP in the perimeter. Windows Azure Pack will use the local server’s Security Accounts Manager (SAM) database to authenticate identities and will use SQL authentication for the databases.

The security risk of this design is medium.


  • No ADDS needed (Advantage?)
  • No VMs for ADDS


  • Managing of users and the servers need to be done locally on each server
  • You cannot setup Failover Clusters without ADDS (Hyper-V, SQL Always on, ..)
  • The Kerberos protocol or certificates are not available for local SAM authentication.
  • Centralized updates (WSUS) cannot be implemented
  • No ability to use ADFS

For Windows Azure Pack build-in functionality like “Console Connect” or “Network Virtualization” you will need to build a Hyper-V cluster. READ MORE »

Windows Azure Pack: Infrastructure as a Service Jump Start

Date: July 16 & 17, 2014
Time: 9am–1pm PDT
CTA(s): Registration page:

Alternative link:

IT Pros, you know that enterprises desire the flexibility and affordability of the cloud, and service providers want the ability to support more enterprise customers. Join us for an exploration of Windows Azure Pack’s (WAP’s) infrastructure services (IaaS), which bring Microsoft Azure technologies to your data center (on your hardware) and build on the power of Windows Server and System Center to deliver an enterprise-class, cost-effective solution for self-service, multitenant cloud infrastructure and application services.


Join Microsoft’s leading experts as they focus on the infrastructure services from WAP, including self-service and automation of virtual machine roles, virtual networking, clouds, plans, and more. See helpful demos, and hear examples that will help speed up your journey to the cloud. Bring your questions for the live Q&A!

Course Outline
Day 1

  • Introduction to the Windows Azure Pack
  • Install and Configure WAP
  • Integrate the Fabric
  • Deliver Self-Service

Day 2

  • Automate Services
  • Extend Services with Third Parties
  • Create Tenant Experiences

Metadescription: Free online course for IT Pros: Windows Azure Pack IaaS, including VM roles. Build and manage modern apps, unlock insights

Keywords: Windows Azure Pack, Microsoft Azure, Windows Server, System Center, SQL Server


Andrew Zeller | Microsoft Senior Technical Program Manager

Andrew Zeller is a Technical Program Manager at Microsoft, focusing on service delivery and automation with Windows Server, System Center, and the Windows Azure Pack.

Symon Perriman | Microsoft Senior Technical Evangelist |@SymonPerriman

​As Microsoft Senior Technical Evangelist and worldwide technical lead covering virtualization (Hyper-V), infrastructure (Windows Server), management (System Center), and cloud (Microsoft Azure), Symon Perriman is an internationally recognized industry expert, author, keynote presenter, executive briefing specialist, and technology personality. He started in the technology industry in 2002 and has been at Microsoft for seven years, working with multiple teams, including engineering, evangelism, and technical marketing. Symon holds several patents and more than two dozen industry certifications, including Microsoft Certified Trainer (MCT), MCSE Private Cloud, and VMware Certified Professional (VCP). In 2013, he co-authored Introduction to System Center 2012 R2 for IT Professionals (Microsoft Press) and he has contributed to five other technical books. Symon co-hosts the weekly Edge Show for IT Professionals, and his technologies have been featured in PC Magazine, Reuters News, and The Wall Street Journal. He graduated from Duke University with degrees in Computer Science, Economics, and Film & Digital Studies, and he also serves as the technical lead for several startups and entertainment production companies.

Register today!

You can help shape the future of Windows Azure Pack

Windows Azure Pack delivers Microsoft Azure technologies for you to run inside your datacenter. It offers rich, self-service, multi-tenant services and experiences that are consistent with Microsoft’s public cloud offering.

You can help shape the future of Windows Azure Pack. The Windows Azure Pack team has created a user voice site where you can post feature suggestions and vote on the suggestions of others.

You can find the Azure Pack user voice site here

01 General

Sign in to track your submitted ideas and comments.

When you would like to submit a new suggestion, type in one or more relevant keyword. This will automatically filter the already submitted items. If somebody else already submitted the same suggestion, it allows you to vote on that suggestion. As a signed in user you will have a total of 10 votes. With these votes you can submit new suggestions or vote on existing ones.

Vote for existing suggestions

When you vote for existing items, you can choose to give 1, 2, or 3 votes for more weight. You are able to change your assigned votes afterwards. When suggestions are closed, the votes you assigned to that suggestion are available again.

02 Vote for exisiting idea

Submit a new suggestion

To submit a new suggestion, provide the title for the suggestion and optionally enter a description and category. Select to attach a file if that helps to explain the suggestion and choose how many votes you would like to put on this suggestion.

03 Post new idea

Help shape Windows Azure Pack with the user voice site

Windows Azure Pack Tenant Public API

Microsoft Azure and Windows Azure Pack are like two circles. These circles are moving towards each other and are already overlapping on certain parts. The CloudOS vision is those two circles completely merged into one.


So, when you work with Windows Azure Pack it is very interesting to keep an eye on Microsoft Azure, the public cloud solution from Microsoft. This gives a good idea of the features that are coming to Windows Azure Pack, but also gives more insight in the features that are already available in Windows Azure Pack today. In this blog we will cover a feature that is not very well known but can be very useful. The Windows Azure Pack Tenant Public API.

Most Windows Azure Pack deployments we see in production are in one way or another related to IaaS. Windows Azure Pack provides a powerful web portal that enables tenants to interact with their IaaS services. They can create, edit and delete Virtual Machines and Virtual Networks with just a few clicks.

The tenant portal experience is awesome, but there are scenarios where other methods are required. Take for example regression testing. A tenant want to schedule a deployment for a set of virtual machines with applications. When the virtual machines are deployed, an automated procedure runs tests against the applications, which logs the performed steps to a location for evaluation. After the tests are completed the virtual machines are decommissioned again. The regression tests are scheduled by the tenants and they make changes to the tests frequently.

The first thing that comes to mind with this example is a combination of the VM Role and Service Management Automation. The VM Role allows you to deploy a virtual machine with an application. Service Management Automation enables scheduling of PowerShell workflows that can deploy the VM Roles for the tenant and run the regression tests as well.

Unfortunately in this release of Windows Azure Pack you need access to the Windows Azure Pack Admin Site to edit or schedule an SMA runbook. This requires Admin interaction for each change in the runbook or each change in the schedule, which is not an option.

Microsoft Azure provides a powerful scripting environment with Azure PowerShell. It allows tenants to interact with the services in their Microsoft Azure subscription with PowerShell cmdlets. These cmdlets can be run from a remote client. The client authenticates to the services in the subscription by using certificates. As you expect from Microsoft Azure it works after some easy steps to get the certificates configured correctly.


If you have a closer look at the cmdlets within the Azure PowerShell module you will notice that there are also cmdlets that contain WAPack in their name. This looks promising. READ MORE »

Windows Azure Pack High Availability – Lessons Learned

Exactly one year ago I published a blog on configuring high availability for Windows Azure Services for Windows Server. A lot has happened since then. Windows Azure Pack was released shortly after that and we did numerous implementations of Windows Azure Pack for Service Providers and Enterprise Organizations. And boy, did we learn… I promised back then that if any changes to the procedure were required I’d update that blog. I decided to create a new blog altogether since there is a lot to discuss.

Windows Azure Pack is an application that consists of a web tier and a database tier. The web tier can be installed in a distributed configuration and allows for high availability through the use of load balancing. The database tier leverages clustering for high availability (with SQL AlwaysOn or SQL WFC). This has not changed compared to Windows Azure Services for Windows Server.

Authentication in Windows Azure Pack was subject to some serious changes. A lot has been blogged on updating the URLs for four Windows Azure Pack components:

  • Tenant Site
  • Tenant Authentication Site
  • Admin Site
  • Admin Authentication Site

Besides changes to the IIS configuration for these sites, they also have references in the database that need to be updated. We found out that there are more Windows Azure Pack components that need to be updated for high availability. If you only update these four components and you shut down the first configured admin server in the environment your services are still unavailable, despite the load balancing of these four components.

This blog is a guide for configuring load balancing and high availability for Windows Azure Pack. It will describe the steps to configure Windows Azure Pack after a default installation. It also describes the step to take on the data tier configured with SQL AlwaysOn after a default installation. If you need guidance to setup a SQL AlwaysOn Cluster you can use this blog.

1. Design

In this presentation at TechEd I described a distributed configuration scenario for Windows Azure Pack. In this design the Tenant roles and the Admin roles were divided.

WAP Design

The following components where installed on the roles.

The Tenant Roles

  • Tenant Site
  • Tenant Authentication Site
  • Tenant Public API

The Admin Role

  • Admin Site
  • Admin Authentication Site
  • Admin API
  • Tenant API
  • PowerShell API
  • Best Practice Analyzer

Although I will describes the steps to configure the Tenant Authentication Site and the Admin Authentication Site, please consider to drop the two authentication sites for production environments and use ADFS instead. The configuration steps in for ADFS are similar, so you can use the scripts from this blog for both scenarios.

2. High Availability

Windows Azure Pack stores its information in SQL databases, which can be made high available with clustering.  Load balancers can be used to enable load balancing and high availability for the web server tier.

After the initial configuration the following steps must be performed to prepare Windows Azure Pack for load balancing.

  1. Create DNS records
  2. Import trusted web server certificate
  3. Change the virtual directory bindings
  4. Define variables for PowerShell scripts
  5. Update the database with the new endpoints
  6. Update the federation endpoints for the authentication sites
  7. Update the resource provider endpoints
  8. Optional- Configure a webpage for the load balancer validation process


Offline Update of Windows Azure Pack and 3rd Party Components

Recently I needed to update a Windows Azure Pack installation from RTM to Update 2. Because the servers had no Internet access, I needed an offline approach.

One way is to download the Windows Azure Pack 2013 Update 2 components, extract the files and install them one by one, thereby carefully checking that only the installed components are updated. It is very easy to make a mistake and add unwanted ones on a WAP portal server.


Because this approach only works for the WAP 2013 Update 2 components and doesn’t give you the partner components such as Gridpro and Cloud Cruiser, the offline Web Platform Installer approach is the best choice. In fact WebPI has been upgraded from version 4.6 to 5.0 containing Update 2 plus the 3rd party components.

  READ MORE » Speakers at TechEd 2014 NA and HASMUG

Fellow blogger at Marc van Eijk did an amazing job. At his first TechEd he delivered no less than three presentations. I went to every single one of them and was really proud to see him be so successful. Great job Marc!

Lessons Learned: Designing and Deploying the Windows Azure Pack in the Real World

Effortless Migration from VMware to Windows Server 2012 R2 Hyper-V

Transforming Bare Metal into Logical Switches Using Microsoft System Center 2012 R2 Virtual Machine Manager

Cameron Fuller and Maarten Goet realized that there was still a full day available and many MVPs were still hanging around in Houston on Friday. In cooperation with the Houston Area System Management User Group (HASMUG) they found enough sponsors to organize #TE14D5 or an informal community event offering two tracks: Enterprise Client Management (ECM) and Cloud and Datacenter Management (CDM).

Both Marc van Eijk and Hans Vredevoort delivered a presentation:

Windows Azure Pack Usage Service and the System Center Components that it depends on
by Hans Vredevoort

WAP showdown – VM Template vs. VM Role
by Marc van Eijk

Our Sponsors

Powered by