This blog series on enabling the Cloud OS with Windows Server and System Center for Hosting Service Providers consists of the following parts
- Installing and configuring System Center Service Provider Foundation
- Installing and configuring Windows Azure for Windows Server – Part 1
- Installing and configuring Windows Azure for Windows Server – Part 2
- Installing and configuring Windows Azure for Windows Server – Part 3
- Installing and connecting System Center 2012 SP1 App Controller to System Center 2012 SP1 Service Provider Foundation – 2 Scenarios
In the previous part of this blog we installed the Service Management Portal and API. This part of the series covers the post-installation steps to prepare your environment for tenant access. Some of these steps are optional but recommended.
Configuring System Center Virtual Machine Manager 2012 SP1 components
The Service Management Portal and API maps its IAAS objects to components in System Center VMM 2012 SP1. Before we can create the required objects in the Service Management Portal we need to configure some components in System Center VMM 2012 SP1.
An offering in the Service Management Portal is defined by a hosting plan. A plan has a one to one mapping to a cloud in System Center VMM 2012 SP1. The minimum requirements for a cloud in System Center VMM 2012 SP1 is a Host Group. To create a cloud open the System Center VMM 2012 SP1 management console. Select VMs and Services in the left bottom menu.
<img src=”/images/2013-03-24/01-vms-and-services.png” width=200”>
In the top menu select Create Cloud.
<img src=”/images/2013-03-24/02-create-cloud.png” width=720”>
In the Create Cloud wizard give a description (for example Gold, Silver or Bronze), select a Host Group and finish the wizard. It is possible to configure additional settings in the Create Cloud wizard, but we will skip these for now.
The tenant can change the “hardware” properties of a virtual machine. You can define these settings in Hardware Profiles. To create a Hardware Profile in System Center VMM 2012 SP1 open the Library in the left bottom menu.
<img src=”/images/2013-03-24/03-library.png” width=200”>
In the left menu select Profile > Hardware Profiles. On the top menu select Create and select Hardware Profile.
<img src=”/images/2013-03-24/04-new-hardware-profile.png” width=720”>
|Give the Hardware Profile a description (for example 2 Procs||2Gb Memory)|
<img src=”/images/2013-03-24/05-hardware-profile.png” width=720”>
Configure the hardware settings to match the template you would like to provide to your tenants.
A Virtual Machine Template is used to define the settings for a Virtual Machine that can be deployed. You can create a VM Template with a sysprepped virtual hard disk and define all other settings manually or you can create a VM Template from a running virtual machine. To create a VM Template open the Library node from the left bottom menu and select Templates > VM Templates from the left menu.
<img src=”/images/2013-03-24/06-create-vm-template.png” width=200”>
Create a new VM Template. In the wizard specify a description for the VM Template (for example Windows Server 2012 Standard Edition). Select the source for the VM Template. I will use a sysprepped VHDX that I have already placed in the library.
<img src=”/images/2013-03-24/07-vm-template-source.png” width=720”>
In the Wizard select a Hardware Profile that we have created earlier. This Hardware Profile will be the default profile used when a tenant creates a new virtual machine from this VM Template.
System Center VMM 2012 SP1 enables new networking management features. In the pre SP1 environment you needed to attach a virtual machine to a Logical Network for network connectivity. In System Center VMM 2012 SP1 an extra layer has been added called VM Networks. If you want a virtual machine to have network connectivity it must be connected to a VM Network. System Center VMM 2012 SP1 provides four types of VM Networks.
- No Isolation
- Network Virtualization
The Service Management Portal requires a minimum of one VM Network based on No Isolation or VLAN that you use for mapping to a plan. You can decide for yourself what type of VM Network you would like to use.
For most service provides the most scalable option is VM Networks based on Network Virtualization. The Service Management Portal does not allow you to create a hosting plan with a VM Network based on Network Virtualization. This is quite logical since each tenant should use their own VM Network based on network virtualization and not a shared one for all tenants. I will describe the combination of Network Virtualization and Windows Azure for Windows Server in the next part of this series. For more information on the inner workings of Network Virtualization read my previous blog here.
The only downside to this type of VM Network is that a Network Virtualization Gateway is required for connectivity outside the VM Network and the availability of gateways is scarce at this moment. Some vendors are scheduling a public release of a Network Virtualization Gateway in Q2 of 2013. I spoke with Greg Cusanza at TechDays 2013 who used a Microsoft sample Network Virtualization gateway in his demo. He assured me that this sample gateway will be up for grabs on codeplex before MMS 2013 (within a couple of weeks).
Configuring Windows Azure for Windows Server objects
When the required components in System Center VMM 2012 SP1 are configured we can create the objects in the Service Management Portal and map to the objects in System Center VMM 2012 SP1.
A hosting plan is an offering in Windows Azure for Windows Server. You can create a private plan and assign it to a single customer or you can publish a plan and make it publicly available so a new tenant can sign up to the plan. It is recommended to use Network Virtualization for publicly available plans. When you use a different type of VM Network new tenants will get the same VM Network assigned.
You can create a plan and assign it to a single tenant. This allows you to create specific components in System Center VMM 2012 SP1 and make them only available to one tenant. If VM Networks based on VLANs are required a Private Plan is the most obvious choice. To create a Private Plan login to the Admin Site on https://localhost:30091, select new in the bottom menu and click create on the plans section.
<img src=”/images/2013-03-24/08-new-hosting-plan.png” width=720”>
Give the hosting plan a name (for example the name of the tenant). Select the services accessible for the tenant. Select Virtual Machine Clouds and complete the wizard.
Next we will need to map the plan to the components we created in System Center VMM 2012 SP1 earlier. Select plans in the left menu and open the plan you just created.
<img src=”/images/2013-03-24/09-configure-hosting-plan-1.png” width=720”>
Select Virtual Machine Clouds in the plan services section. In the basic section of the virtual machine clouds page select the cloud provider we configured in our previous blog and select the cloud we configured in System Center VMM 2012 SP1. Each Private Plan is mapped to its own cloud in System Center VMM 2012 SP1.
<img src=”/images/2013-03-24/10-configure-hosting-plan-2.png” width=720”>
In the usage limit section specify the available capacity for the tenant. Next specify the templates you would like to make available for the tenant.
<img src=”/images/2013-03-24/11-configure-hosting-plan-3.png” width=720”>
Select the Hardware Profiles and VM Networks you would like to provide to the tenant. The advanced operations sections allows you to specify additional management operations for the tenant administrator. I have not found any of these advanced operations in the Tenant Site so this is probably a future investment.
In a larger scale environment is would be more feasible to define a couple of SLA’s and map each SLA to a published Plan. You can, for example, create three plans (Gold, Silver and Bronze) and map these plans to three clouds in System Center VMM 2012 SP1. As specified earlier it is recommended to use VM Networks based on Network Virtualization for multi-tenancy and scalability. A new tenant is able to sign up to a plan that is made public.
It is recommended to give a plan a good description. This allows a new tenant to select the correct plan based on the additional information in the tenant portal. To specify the description open a plan and select the advertise tab.
<img src=”/images/2013-03-24/12-specify-plan-specifics.png” width=720”>
Specify the descriptions. We will see these later on when a new tenant signs up.
There are some specific configurations that must be taken care of for Network Virtualization in combination with a Public Plan. Jeff Graves describes an excellent walkthrough on his blog.
After implementing Jeff’s walkthrough I have made some minor adjustments in my environment to make the configuration completely multitenant. When I specified a default VM Network in the VM Template, new virtual machines created by different tenants were able to communicate with each other. I adjusted the connectivity settings of the network adapter in the VM Template to not connected.
<img src=”/images/2013-03-24/13-vm-template-not-connected.png” width=720”>
When a new hosting plan is created, you are required to select one or more VM Networks. Since each tenant will create and use its own VM Network you are not able to select a VM Network based on Network Virtualization when you create a hosting plan. When a tenant creates a new virtual machine through the custom create feature in the Tenant Site or adds a VM Network to an existing virtual machine, the tenant can choose from the VM Networks based on Network Virtualization he created in the Tenant Site. But he also has the ability to select the VM Network that was specified when the hosting plan was created.
As noted earlier, a VM Network based on VLAN or No Isolation is required when configuring a hosting plan. These VM Networks are not multitenant. I found a workaround by creating a temporary VM Network based on VLAN or No Isolation in System Center VMM 2012 SP1 before configuring the hosting plan.
<img src=”/images/2013-03-24/14-temp-vm-network.png” width=720”>
Create and configure a new hosting plan and select the Temporary VM Network based on VLAN as the required VM Network.
<img src=”/images/2013-03-24/15-temp-vm-network-in-hosting-plan.png” width=720”>
Save the hosting plan and make it public. To make a plan publicly available select plans in the left menu of the Admin Site and select the plan. In the bottom menu select make public. Then delete the temporary VM Network based on VLAN in System Center 2012 SP1. Probably not supported, but it allows the creation of a hosting plan with Network Virtualization and prevents a tenant from selecting a non-multitenant network.
User accounts will be created in the SQL database that was created by the Windows Azure for Windows Server installer. There are some ASP.NET tables in the Microsoft.MgmtSvc.PortalConfigStore database. The user account are created in the aspnet_Users table and the aspnet_Membership table.
<img src=”/images/2013-03-24/16-aspnet_users.png” width=720”>
The Service Management Portal also references Users table from the Microsoft.MgmtSvc.Store database.
<img src=”/images/2013-03-24/17-sql-users.png” width=720”>
A new tenant can be created by the administrator in the Service Management Portal Admin Site. This allows the administrator to assign a private plan to the new tenant.
Login to the Admin Site, select New in the bottom menu and click Quick Create on the user account tab.
<img src=”/images/2013-03-24/18-new-user-in-admin-site.png” width=720”>
Please note that it is required to assign the new user account to a plan.
A new tenant will also be created when a user signs up to a public plan in the Service Management Portal Tenant Site.
Ports and Certificates
Before we allow access to tenants it is recommended to change the ports and certificates used by the Service Management Portal Tenant Site and Service Management Portal Tenant Public API.
After the installation of the Service Management Portal and API the tenant portal is accessible on https://localhost :30081. A self-signed certificate is assigned to the website. You can replace the self-signed certificate with a web server certificated issued by a public Certificate Authority. It is also recommended to change port 30081 to the default SSL port 443.
To change the ports and certificates open Internet Information Services (IIS) Manager on the Windows Server 2012 machine where the Service Management Portal Tenant Site was installed. Right click the MgmtSvc-TenantSite website and select edit bindings.
<img src=”/images/2013-03-24/19-iis-tenant-site.png” width=720”>
Change port 30081 to 443 and select the public certificate you requested from a public Certificate Authority.
<img src=”/images/2013-03-24/20-iis-edit-bindings.png” width=500”>
After publishing port 443 in your firewall tenants can now access the Tenant Site by entering the secure URL. In our example https://portal.hyper-v.nu
In the next part of this series we will look at the tenant experience and the possibilities with Network Virtualization in Windows Azure for Windows Server.