Installing and configuring Windows Azure for Windows Server 2012 – Part 3

This blog series on enabling the Cloud OS with Windows Server and System Center for Hosting Service Providers consists of the following parts

In the previous part of this blog we prepared the Service Management Portal and API for tenant access. This part of the series covers the experience from a tenant point of view.

Signing up

When a tenant connects to the Tenant Site on the public secure URL (in our example the portal presents the login page.

A new tenant can sign up to a public plan by selecting signup in the top right.

<img src=”/images/2013-03-27/01-signup.png” width=720”>

When a new tenant selects a plan that was made public, the descriptions we specified earlier are shown. When a new tenant enters an email address, a password and clicks sign up the user account will be created in the SQL database and the tenant logs in to the Tenant Site.

It is possible to create an additional step for a new tenant by specifying an invitation code in the public plan.

<img src=”/images/2013-03-27/02-invitation-code-hosting-plan.png” width=720”>

When a new tenant selects to sign up to a public plan that has an invitation code specified the user is presented with an additional column Access Code in the portal.

<img src=”/images/2013-03-27/03-signup-access-code.png” width=400”>

If a new tenant is unable to specify the correct invitation code, the signup process will fail. This allows you to prevent anonymous users from signing up and still use a public plan, by providing new tenants with an invitation code upfront.

Create VM Network

When the initial configuration of Network Virtualization (as described in the previous part) is completed, a tenant is able to create a new network from the Tenant Site. Select New > Networks > Quick Create and specify the friendly name for the Network and select the Provider Address Space. The name of the Provider Address Space is defined in System Center VMM 2012 SP1. I this blog series I have named it “Provider Address Space” so that is clear to see what setting is displayed here. But you can define a more appropriate name for your environment.

<img src=”/images/2013-03-27/04-new-vm-network.png” width=720”>

After the tenant selects to Create a Network, a new VM Network is created in System Center Virtual Machine Manager 2012 SP1. The Address Space for the new VM Network is a fixed value in the current release of Windows Azure for Windows Server. The first VM Network a tenant creates is assigned a network address of and the tenant is unable to change these settings.

<img src=”/images/2013-03-27/05-vm-network-details.png” width=720”>

In System Center VMM 2012 SP1 it is possible to change these settings. To change the subnet for a VM Network that was created by a tenant, select the VM Networks tab in the VMs and Services menu. Select the VM Network created by the tenant, add a VM Subnet and specify an IP Pool. Delete the default 10.x.x.x IP Pool.

<img src=”/images/2013-03-27/06-change-vm-network-subnet-vmm.png” width=720”>

After refreshing the Tenant Site, the VM Network will reflect the new settings. You might call it BYOIPWALHFTSP (Bring Your Own IP with a little help from the Service Provider).

<img src=”/images/2013-03-27/07-change-vm-network-subnet-portal.png” width=720”>

Hopefully the product team will improve this feature in time for the first network virtualization gateways to be publicly available.

When the tenant creates a second VM Network in the Tenant Site a new VM Network is created in System Center VMM 2012 SP1. The second VM Network is assigned a network address of and is a dedicated routing domain. No routing is possible between the different VM Networks.

<img src=”/images/2013-03-27/08-new-vm-network-in-vmm.png” width=720”>

The VM Networks tab in the VMs and Services menu in System Center VMM 2012 SP1 displays the VM Networks from all different tenants. When different tenants use the same name for a VM Network the VM Networks tab does not show a clear distinction. I have not found a way to easily filter this overview per tenant.

<img src=”/images/2013-03-27/09-vm-networks-in-vmm.png” width=720”>

Create a virtual machine

After logging into the Tenant Site an overview is shown of all configured objects for this tenant. By clicking New > Virtual Machines in the bottom menu the tenant can choose to Quick Create or Custom Create a virtual machine.

<img src=”/images/2013-03-27/10-vm-quick-create.png” width=720”>

The biggest difference between the two is that Custom Create allows a tenant to select a VM Network at virtual machine creation time rather than adding it to the configuration after the virtual machine is created. This requires the tenant to create a VM Network before creating a new virtual machine.

<img src=”/images/2013-03-27/11-vm-custom-create-select-vm-network.png” width=720”>

Each option (Quick or Custom create) will instruct System Center VMM 2012 SP1 to create a virtual machine based on the settings defined in the VM Template created earlier.

Change VM settings

When the Virtual Machine is deployed the tenant is able to make changes to the “hardware settings” of the virtual machine. The tenant can change these settings by applying a different Hardware Profile. The tenant can choose from the Hardware Profiles created in System Center VMM 2012 SP1, that are assigned to the hosting plan. A virtual machine needs to be stopped before another Hardware Profile can be applied.

<img src=”/images/2013-03-27/12-change-hardware-configuration.png” width=720”>

Besides the predefined Hardware Profiles a tenant is also attach a VM Network, a virtual hard disks and a DVD. To attach any of these objects, select a virtual machine and select attach on the bottom menu.

<img src=”/images/2013-03-27/13-attach.png” width=500”>

A virtual machine needs to be stopped before any of these objects can be attached.

Attach VM Network

To attach a new or an additional VM Network to a virtual machine, select Attach > Network and select the VM Network that the tenant created earlier.

<img src=”/images/2013-03-27/14-attach-vm-network_thumb.png” width=400”>

Before we can add a virtual hard disk or an ISO file, the tenant should have access to a library where these objects are located. First create a read-only library share where all the objects will be saved. You can define a single share for all clouds or create a dedicated share for each cloud. Future updates will probably provide access to more types of objects (for example service templates).

When the read-only library share is created, select the cloud that is associated with the public hosting plan, open the properties, select libraries and add the read-only library share that you created for this plan.

<img src=”/images/2013-03-27/15-readonly-library.png” width=720”>

Attach Disks

After the read-only library has been attached to the cloud that maps to the hosting plan, a tenant can add a virtual hard disk to a virtual machine. Select the virtual machine in the Tenant Site. Verify that the virtual machine is in a stopped state. Select Attach > Disk in the bottom menu.

<img src=”/images/2013-03-27/16-attach-disks.png” width=400”>

The public Cloud OS Windows Azure limits you to add a maximum of 16 disks to a virtual machine. Adding disks in Windows Azure for Windows Server is limited to 64 disks per virtual machine specified by the amount of disks that can be attached to a SCSI controller in Hyper-V.

<img src=”/images/2013-03-27/17-attached-20-disks-portal.png” width=720”>

All disks are attached by System Center Virtual Machine Manager 2012 SP1 to the virtual machine SCSI controller.

<img src=”/images/2013-03-27/18-attached-20-disks-hyperv.png” width=720”>

Attach ISO

It is also possible for the tenant to attach an ISO file to a virtual machine. The prerequisites for attaching an ISO are identical to attaching a virtual hard disk. A read-only library share must be specified in the System Center 2012 SP1 cloud that is mapped to the Hosting Plan.

<img src=”/images/2013-03-27/19-attach-iso.png” width=400”>

Remote access

Remote access is probably the biggest challenge with the current release. A virtual machine is not much of use when you are unable to access it. Without a NVGRE gateway available Network Virtualization is completely isolated, the only thing we can do here is wait for a public release of a NVGRE gateway. With VM Networks based on VLANs we have some possibilities in place. Besides routing and VPN policies managed by the Service Provider there is also a connect button for every virtual machine in the Tenant Site. By default the IP address of the virtual machine is injected into an RDP file that is presented to the tenant when he clicks the connect button. No additional settings are specified in this RDP file. Without a VPN tunnel in place the connection to the virtual machine will fail.

The product team created an extension in the web.config file that allows you to specify a custom HTTP endpoint location where these RDP files can be placed. I have played with the idea of creating a RD Gateway accessible for all tenants that will only allow a single tenant to route to his VLAN without access to other VLANs. This would mean a lot of work, but it can be functional.

Besides the configuration of the RD Gateway, the custom HTTP endpoint needs to be created. To change these settings we must first decrypt the web.config file. The web.config file can be decrypted by running the following PowerShell command.

Unprotect-MgmtSvcConfiguration –Namespace <namespace>

Where is one of the following:

  • TenantPublicAPI
  • TenantAPI
  • AdminAPI
  • AdminSite
  • TenantSite

<img src=”/images/2013-03-27/20-unprotect-tenantsite.png” width=720”>

After decrypting the Tenant Site open the web.config file in c:\intetpubMgmtSvc-TenantSite

<img src=”/images/2013-03-27/21-webconfig-file-location.png” width=720”>

Locate the following lines

<add key="Microsoft.SystemCenter.RDPPlugin.Enabled" value="False"/>
<add key="Microsoft.SystemCenter.RDPPlugin.BaseUri" value="http://localhost:5656/"/> 
<add key="Microsoft.SystemCenter.RDPPlugin.UriTemplate" value="Rdp/{subscriptionId}/{stampId}/{vmId}.rdp"/>

Change the RDPPlugin.Enabled to True and specify the URL and relative path where the custom RDP file can be downloaded from when a tenant clicks the connect button on a virtual machine. You might then use something like System Center Orchestrator to get the IP addresses when a virtual machine is created or changed, inject this together with the RD Gateway into a text file and save it as a RDP file on the specified location.

When the changes has been made, save the web.config file and encrypt it again by running the PowerShell command

Unprotect-MgmtSvcConfiguration –Namespace TenantSite

Finally perform an IISReset.exe and your new settings are applied.

I’m still struggling to get this remote access part working properly. To be honest I do not consider this usable for a production environment of any considerable size.


Windows Azure for Windows Server (formerly known as Katal) is a huge step in the right direction by Microsoft to embrace Service Providers with an end to end solution. Surely some features still require some development and network virtualization is playing its part as well, but the product has gained interest from most serious Service Providers and this will only result in more effort into the product.

In the next part we will look at connecting App Controller to a Service Provider Foundation. But not before I displayed two tweets by two guys who are also working with this product extensively and experiencing all kind of challenges and questions from Service Providers who are interested in Windows Azure for Windows Server. I’d would like to add TCP Endpoints to their list.

<img src=”/images/2013-03-27/22-hans-vredevoort.png” width=350”> <img src=”/images/2013-03-27/23-kristian-nese.png” width=350”>