door
Ronald
14-11-2010
Some people asked me after my previous post, how we could move Provisior into the cloud. As some of you may (or may not) know, Provisior is a user provisioning portal that uses Microsoft Active Directory (AD) extensively. This AD is usually a very valuable organizational asset that lives inside a DMZ behind a number of firewalls. This forces us to also install Provisior inside the DMZ. Provisior as a cloud-based service seems impossible.
However, Bob Muglia announced two new Windows Azure features in the PDC 2010 keynote that may make this possible: Windows Azure Virtual Machine Worker Role and Windows Azure Virtual Network (the links actually take you right to the announcements inside the keynote, pretty cool).
With the VM Worker Role it will become possible to migrate completely configured Windows Server 2008 R2 into the cloud. You can run any application you like inside this VM.
Virtual Network is the umbrella name for all Windows Azure networking functionality. One of its features will be the possibility to join a cloud-based VM directly to a customer domain. Perhaps now you can see where we’re going…
The picture below gives a general overview of the idea. Provisior will become a cloud-based web application running inside Azure Web Role. There can of course be different skins for different customers, some customers may have specific functionality enabled but every customer essentially connects to the same application. For every customer a VM is configured inside Windows Azure that joins the customer Active Directory domain. The picture shows three VM’s that correspond to three customer domains. Code running inside each VM uses a sufficiently privileged domain account to be able to access the customer AD.
There are of course some challenges to be resolved:
- How do we make sure that every user request is directed to the correct VM?
- How do we authenticate users? Currently, Provisior uses Windows authentication. Can we still use this somehow, given that users from different domains access the same cloud application. I haven’t looked into that yet.
- And a more practical question: how difficult is it to transform Provisior into a cloud application?
When the CTP for Windows Azure Virtual Network is released, I’ll surely take a look to see what is possible.
EDIT: If you want to know more about Windows Azure Virtual Network, there is a pre-recorded PDC session that goes into the details: http://player.microsoftpdc.com/Session/3a93d6a3-e52e-4613-b18b-a49754203d09.