In the last two years we have performed numerous deployments of Windows Azure Pack. Enabling the Cloud OS for Service Provider and Enterprises. We have gained serious experience with these engagements. Besides technical knowledge, we have also learned that the success of cloud services starts with the people in the organization itself. Many organizations still have different departments for the underlying fabric components. These departments work in silos, each having their own targets and priorities. ITSM tooling is in place for digital processes between the silos. In theory this sounds like a solid construction, but in reality it is slowing these departments down, forcing the internal customer to look alternative cloud services, resulting in shadow IT.
The key to a successful project is the collaboration of all the involved departments. Depending on the size of the organization you can form a team consisting of all the departments or a key user from each department. It is crucial that they start to understand the value of abstraction, self-service and automation. Normally they already have parts of that implemented within their own department, but now it spans all departments.
Don’t get me wrong. This is not easy. It is actually the hardest part of a successful cloud transformation.
I have heard a lot of folks say that Windows Azure Pack and all depending components for its cloud services are hard to implement. I felt like that when I started with Windows Azure Services for Windows Server (the predecessor of Windows Azure Pack) in 2012. But in the end it is just like learning to speak and write another language. Once you master it, it is repeatable. You can dictate the software. How different is this with people. Every person has its own language that you must get to master in some degree. But you can never dictate them.
I was asked this week: “What is the reason that you are so successful in the Netherlands with Cloud OS deployments?”
It is a small country, three and a half hours is about the longest drive you can do, without driving in circles of course or hitting traffic (the downside of a lot of people on a tiny piece of earth).
I’m convinced it comes down to this;
Since day one I have been a strong believer in the Microsoft roadmap for one consistent platform. That translates into the time I put into it (all my time) and the way I advocate this with customers, in blogs and on events. And I’m fortunate to be backed by smart folks inside Inovativ and Microsoft, that share the same mindset. If we are not convinced about the Cloud OS, how can we expect our customers to be.
Like learning a language, it can be challenging to start with the Cloud OS. The solution consists of many components that have dependencies and relations. We help Service Provides and Enterprises setting up that framework. We help them to understand the individual components and the interaction between these components. This is essential to setup a solid foundation and to keep it healthy over time.
The most important part of a the Cloud OS are the services. A solid foundation is of no use if your users are unable to deploy anything on it. Windows Azure Pack comes with a number of resource providers that allow tenants to deploy a multitude of services. In almost all engagements, the resource provider for IaaS, called VM Clouds, was the primary resource provider used.
The world is changing
Years ago a service provider that was able to provide a cheap VM with just an Operating System to their customers was running a healthy business. Today a VM with just an operating system doesn’t cut it anymore. The majority of the Service Providers I worked with are in the process of redefining their added value. Instead of providing IaaS, they are
moving to application management. Adding applications to the virtual machine, multitier applications provisioning, websites, database as a service and even operating as a single point of contact for all custom customer applications. The current base of their customer environments are specials. Onboarding new customers requires them to recruit new employees to manage those custom environments in the same pace. It’s a model that doesn’t scale anymore.
How can you adapt to changing demand and still run a business that scales. The answer seems simple. Automation. As a noun it is simple to put it here in this blog, but to translate automation to a new scalable cloud services model is another thing. An average application will probably consist of multiple tiers. A complete customer environment will definitely consists of different applications with dependencies.
We see two types of environments. Separated environments and multitenant shared services. In a separated environment each new customer is deployed as a greenfield. It contains domain controllers that form a new forest. At provisioning time the applications that are added to the environment usually do not have any customer data yet. With multitenant shared services a new customer is added to the shared services domain, that already contains customer data. We see this design in Enterprises and some Service Providers.
The Service Provider configured multi-tenancy in the shared services domain, allowing each customer to only access and manage their own resources, but still use the shared services. In this scenario the Service Provider is in control of the shared services environment.
The Cloud OS is a solid framework with a set of resource providers that allows you to deploy and operate resources. Essentially these resources are building blocks. By integration Service Management Automation (SMA) in Windows Azure Pack we can mold these building blocks into automated environment deployments with multitier applications. We will use the VM Role, DSC and SMA for this. But how?
First let’s start with the building blocks.
VM Role. Windows Azure Pack allows you to deploy a virtual machine in two different ways. You can deploy a Stand Alone VM or a VM Role.
- The stand alone VM is a direct mapping to a VM Template in System Center Virtual Machine Manager. The stand alone VM provides a basic wizard in Windows Azure Pack that allows a tenant to deploy an Operating System.
- The VM Role allows you to integrate the installation of applications in the deployment process. Additional capabilities of the VM Role allows a tenant to scale instances within a single tier by using a simple slider bar in the tenant portal. A VM Role can be versioned, enabling a tenant to interact and update versions within the boundaries set by the admin. The VM Role consists of two components.
- The Resource Definition which is imported in Windows Azure Pack and provides a customizable end user wizard for the gallery item.
- Resource Extension which is imported in System Center Virtual Machine Manager and uses the Service Templates engine to deploy applications on top of the Operating System.
DSC. Why use DSC if the VM Role allows you to deploy applications as integral part of the virtual machine deployment process? Microsoft is moving to more consistency between their public cloud offering and the capabilities in your datacenter. The deployment model in Microsoft Azure is shifting towards a declarative model instead of imperative. When you invest time, effort and resources in your Windows Azure Pack deployment it is important that these investments are future proof. DSC is declarative and available in Microsoft Azure as an add in for a virtual machine. We recommend to use DSC for the application installation magic for the VM Role. Moving forward you can transform these investments while the platform is transitioning to more consistency. My fellow blogger, fellow MVP and colleague Ben Gelens has posted an excellent series on how to integrate DSC with the VM Role.
SMA. Over the last years Microsoft has made serious steps in their automation strategy. This area was one of the first where consistency between on prem and Microsoft Azure was achieved. SMA can be managed in Windows Azure Pack. It provides the admin with an authoring and management experiencing for PowerShell workflows. A tenant cannot start a runbook manually or author runbooks themselves. But it is possible to set triggers on certain actions that a tenant performs in Windows Azure Pack. When an action is triggered the specified runbook is executed.
We have configured the Cloud Platform for a lot of organizations. It provides them with the building blocks, but we see them struggling to combine these building blocks to enable an optimized deployment experience for tenant environment deployments.
The deployment process can be performed completely in serial. But by performing certain steps in parallel you can improve the time it takes to deploy a new environment. For example, deploy all the VM Roles in parallel. Do not join them to the domain. Create the first domain controller, while installing the application prerequisites on the individual workgroup VM Roles. After the domain is created on the first domain controller, add the other VMs to the domain. Add the second domain controller while the applications are configured on the other VMs.
In the blog I’ll discuss the following approaches to get more value out of your Windows Azure Pack environment.
- Admin Provisioned
- VM Role
- 3rd Party Resource Provider
- Custom Resource Provider
Windows Azure Pack has a clear separation of Admins and Tenants. The even have their own portal. Service Management Automation is completely admin facing. A tenant cannot create runbooks or manually start them. In this approach the admin provisions a tenant environment by manually starting a runbook. The runbook can contain parameters that allows for customization for the tenant while still using the same runbook, VM role and DSC. Resulting in custom environments with a reusable deployment model that scales.
Although the trigger and input for the runbook is easy to enable, it requires an admin to provision an environment for a tenant. This can be a great solution for a hoster that wants to provide full managed services to their customers, but for larger service providers this doesn’t fit the their model of self-service abstraction. And for tenants that require a self-service deployment experience this is not a feasible solution either.
Within the VM Clouds resource provider (IaaS) in Windows Azure Pack you can configure triggers for starting a SMA runbook. A trigger is an action that is performed by tenant. It is possible to start a runbook when a tenant creates a subscription.
Although this allows a tenant to start a runbook, he is not able to input any parameters. The runbook can be configured to retrieve context information, like the tenantid and subscriptionid, which can be used in the runbook.
It is possible to create a clear experience for a new tenant. When a new tenant logs on to the Tenant Site he does not have any resource providers. To create resources the first thing he needs to do is subscribe to a plan. The admin can create a plan for each base environment type (for example a typical developer environment and a typical office environment), assign the required VM Roles for that environment to it and make it public. When a tenant subscribes to a plan, the trigger executes a runbook. You will need to build logic into your runbook to define which plan was subscribed to (in this example developer), to ensure the correct runbook steps for that environment are performed.
For example if the tenant subscribes to a developer environment plan, which contains VM Roles for Web Servers, Applications servers and a developer client with Visual Studio, the runbook for configuring those roles to a complete environment should be executed (and not the runbook for adding Exchange and RD Servers to the environment, which is used in the office plan).
In the previous approach we configured a trigger on the creation of a subscription. It is also possible to configure a trigger on the creation on a VM Role. This seems contradictory, but if we drill into this, it can be a very interesting approach. The VM Role is the only object in Windows Azure Pack OOTB that allows you to customize the gallery item wizard with your own parameters. The values the user inputs for the parameters in a VM Role deployment wizard are passed through SPF to VMM, which uses these parameters in the Resource Extension of the VM Role. In the runbook that is executed from this trigger it is possible to retrieve the user input (except passwords).
Essentially we can use the customizable wizard of a VM Role deployment as a under friendly input wizard for the parameters of the runbook. There are a couple of caveats, but if you are willing to take the tradeoff it provides you with some powerful capabilities.
The VM Role authoring tool allows you to create a custom fields for the gallery item deployment wizard. I have created an extensive article that is published on the Building Clouds blog, which describes the process in detail. Each parameters in the Resource Definition that is not mapped to a field in the resource configuration, must be present in the Resource Extension. An easy way to address that is to execute a cmdlet in the Resource Extension with an echo off that excepts all parameters from the Resource Definition.
All VM Roles surface in the same gallery. The tenant is able to select the individual VM Roles (that are also used as building blocks for the complete environment). But the tenant is also able to select a VM Role that creates a complete environment using the other VM Roles as building blocks. I advise to name the environment VM Roles accordingly so a tenant understand the difference between them.
When the tenant deploys an environment VM Role, a single VM Role is deployed and a runbook is triggered. Based on the logic in the parent runbook, a child runbook for the corresponding environment is executed, using the values submitted by the tenant in the gallery item deployment wizard.
3rd Party Resource Provider
There is a solid ecosystem for Windows Azure Pack. If you want to have a more advanced gallery item experience you might consider a 3rd Party Resource Provider. These 3rd parties offer a wide variety of different resource providers that add value to the Cloud OS. For this particular scenario you might consider a solution called Request Management for Windows Azure Pack provided by GridPro.
The solution by GridPro connects a new resource provider to Service Manager. You can submit requests as a tenant in Windows Azure Pack. These requests are submitted to Service Manager, which in its return can execute a runbook (with an SMA connector also provided by GridPro). The customization options are much more advanced than you can get with the VM Role. The tenants will also see status updates for the requests and the runbook. Of course the benefits of Service Manager has more advantages, but if you already have an ITSM solution in place you might consider this combination a bit of an overkill if you are only looking at automating an environment deployment.
I’m only focusing on this particular scenario, which does not do justice to the complete solution that GridPro has built. Please contact them for a complete overview of their offering.
Custom Resource Provider
Although I don’t see many organizations taking this step, I would still like to mention it here. It is possible to develop your own custom resource provider. If you are an IT Pro it might be a bit challenging, but if you have developers in your organization you might seriously consider looking at this scenario. The advantage of creating a custom resource provider is that you can configure it completely to you requirements. You could for example create a custom resource provider that accepts user input for a runbook.
This has overlap with the solution from GridPro. Although it does not require Service Manager, it does require you to do all the work they have already done. So either you invest time and resources yourself (also consider support for the solution over time) or buy the solution and the support and start directly.
Windows Azure Pack offers solid framework for cloud services. It provides multi-tenancy, self-service and fabric resources abstraction. Whether you are running Windows Azure Pack today or you are considering it, making investments in smart areas will bring real value today. Moving forward you can transform your investments while the platform is transitioning to cloud consistency.