SharePoint on Azure IaaS and VPN
SharePoint on Azure
K. Mohamed Faizal
www.zquad.in / https://www.facebook.com/kmdfaizal
Why SharePoint on Azure?
Cloud Models: who manages each layer

Layer            On Premises   IaaS         PaaS         SaaS
Applications     You           You          You          Microsoft
Data             You           You          You          Microsoft
Runtime          You           You          Microsoft    Microsoft
Middleware       You           You          Microsoft    Microsoft
O/S              You           You          Microsoft    Microsoft
Virtualization   You           Microsoft    Microsoft    Microsoft
Servers          You           Microsoft    Microsoft    Microsoft
Storage          You           Microsoft    Microsoft    Microsoft
Networking       You           Microsoft    Microsoft    Microsoft

IaaS = Infrastructure (as a Service), PaaS = Platform (as a Service), SaaS = Software (as a Service). SharePoint on Azure IaaS is the second column: Microsoft runs the physical hosts, storage, network and hypervisor; you still patch, harden and back up the guest O/S and everything above it.
SharePoint Cloud Continuum (from full control on the left to cost-efficiency on the right)

SharePoint (On-premises) – SharePoint
Value Prop: Full h/w control – size/scale; Roll-your-own HA/DR/scale

SharePoint (IaaS) – Hosted SharePoint
Value Prop: 100% of API surface area; Easy migration of existing apps; Roll-your-own HA/DR/scale

Office 365 (SaaS) – SharePoint Service
Value Prop: Auto HA, Fault-Tolerance; Friction-free scale; Self-provisioning, mgmt. @ scale
Internet sites in Azure — Why?
• Focus on developing a great site rather than building infrastructure
• Scale out and in: size your solution for the demand and pay only for the resources you need (dynamic machine allocation, i.e. auto scale, is not supported for these VMs)
• Azure AD: take advantage of Azure AD for customer accounts
• SharePoint functionality not available on Office 365: add deep reporting and web analytics
Service Level Agreements
• 99.9% for single role instances: up to 8.75 hours of downtime per year
• 99.95% for multiple role instances: up to 4.38 hours of downtime per year (Azure grants this figure only when the instances are placed in the same availability set)
What's included: compute hardware failure (disk, CPU, memory); datacenter failures (network failure, power failure); hardware upgrades and software maintenance (host OS updates)
What is not included: VM container crashes, guest OS updates (patching the guest is your responsibility)
Azure architecture concepts for SharePoint

Example — Hybrid on-premises and Azure
Reference architecture for a Windows Azure-based disaster recovery environment to support an on-premises SharePoint farm.
[Diagram: Windows Azure virtual network with a VPN gateway (gateway subnet, active VPN) connected to the on-premises environment (Active Directory, Windows Server 2012 RRAS). Cloud services in Azure, each holding an availability set: Active Directory & DNS; Front End; Distributed Cache; Search Front End; Search Backend; Backend; Database.]
Medium Internet Sites farm
Example farm: ~85 page views per second, 100 queries per second, corpus of 3,400,000 items, processes 100-200 documents per second.

Web servers (paired hosts for fault tolerance)
• Host A, Host B, Host C: web server, query processing, managed metadata
• To scale out: add an additional web server to allow for an additional 28 page views per second.

Application servers
• Host D: analytics, content processing, crawl, admin
• Host E: content processing, crawl, admin
• Host F: content processing, crawl
• To scale out: add 1 application server with a crawl component and a content processing component to process an additional 40 documents per second.

Database servers
• Host G and Host H: all SharePoint databases (crawl DB, analytics DB, search admin DB, link DB, all other SharePoint databases)
• Redundant copies of all databases using SQL clustering, mirroring, or SQL Server 2012 AlwaysOn

Index partition 0 and its replicas, the distributed cache instances and the user profile service instances are spread across the hosts.
Medium farm in Azure
[Diagram: the same virtual network layout, with cloud services and availability sets for Active Directory & DNS, Front End, App server, and Database.]
VPN gateway is optional.
Active Directory can stand alone or be configured as hybrid with the VPN connection.
Virtual network
A container where you define the IP address ranges your virtual machines will use. Work with the customer to obtain the range of IP addresses for the cloud, and make sure it does not overlap with the on-premises ranges that will be routed over the VPN.
[Diagram: Windows Azure virtual network connected to the on-premises environment (Active Directory, Windows Server 2012 RRAS).]
Affinity Groups
Closely locate your compute, network and storage resources in the same datacenter:
• Get better performance
• Get lower latency
• Reduce egress costs
Virtual Networks – Site-to-Site
[Diagram: Windows Azure virtual network (subnet 1, subnet 2, subnet 3, DNS server) connected through the WA Gateway by a site-to-site VPN to your datacenter, terminated on a hardware VPN device or Windows RRAS.]

Virtual Networks – Point-to-Site
[Diagram: the same virtual network and site-to-site VPN; in addition, individual computers behind the corporate firewall and remote workers connect directly to the WA Gateway over a point-to-site VPN.]
Virtual Network and ExpressRoute
• Scenario 1: IPsec VPN over internet – connect via an encrypted link over the public internet.
• Scenario 2: Exchange Provider – peer at an ExpressRoute location, an exchange provider facility.
• Scenario 3: Network Service Provider – connection from a WAN provided by a network service provider (e.g. a telco); Azure becomes another site on the customer's WAN network.
Virtual Network (VPN) connectivity reaches compute only. ExpressRoute provides customer choice and includes access to compute, storage, and other Azure services.
[Diagram: customer DC to Windows Azure over the public internet (scenario 1); customer site to an ExpressRoute partner location (scenario 2); customer sites 1, 2 and 3 on a WAN with Windows Azure as another site (scenario 3).]
Site-to-Site VPN gateway and subnet
When you set up a VPN connection, the VPN service resides in a separate subnet (the gateway subnet). Windows Azure manages the primary and secondary instances of this service for high availability. You will not see the secondary instance. You do not need to configure high availability for the VPN service.
[Diagram: gateway subnet with the active VPN and a standby VPN (not visible; automatically configured and managed by Azure), connected to the on-premises Active Directory and Windows Server 2012 RRAS.]
Supported VPN devices: http://msdn.microsoft.com/en-us/library/windowsazure/jj156075.aspx
Personally tested the following device: Cisco 1921 ISR router (part of the 1900 family, which is supported by Azure).
Important point to take note of: your procurement process, device delivery and public IP requirements.
Cloud services
Cloud services are typically used to group VMs by role, based on functionality that takes place at the cloud service level.
[Diagram: three cloud services in the virtual network: Active Directory and DNS; SharePoint Server roles; Database servers.]
Plan cloud services before creating VMs!
Cloud services — best practices
Keep it simple: start the design with one cloud service; add additional cloud services to the design only if necessary.
• Active Directory and DNS: starting this cloud service first helps with IP configuration.
• SharePoint Server roles: all SharePoint roles, Office Web Apps.
• Database servers: a separate cloud service is a requirement for using a listener with SQL availability groups.
"The client application must reside on a different cloud service than the one that contains your availability group VMs. Windows Azure does not support direct server return with client and server in the same cloud service" http://msdn.microsoft.com/en-us/library/windowsazure/dn376546.aspx
Active Directory for SharePoint solutions
The configuration of Active Directory in this example constitutes a hybrid deployment scenario in which Windows Server AD DS is deployed both on-premises and on Windows Azure Virtual Machines. MSDN: Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines
[Diagram: the Active Directory & DNS availability set in its own cloud service, with the optional VPN gateway to the on-premises Active Directory.]
Active Directory hybrid best practices — Reference
Important — Before deploying Active Directory in Windows Azure, read Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines http://msdn.microsoft.com/en-us/library/windowsazure/jj156090.aspx
[Diagram: hybrid on-premises and cloud: Active Directory & DNS availability set in Azure, connected over the VPN gateway to the on-premises Active Directory.]

Example settings for two VMs in Azure configured as domain controllers

Item                   Setting
Size                   Small
Operating system       Windows Server 2012
Active Directory role  Active Directory Domain Services domain controller designated as a global catalog server. Reduces egress traffic across the VPN connection. In a multi-domain environment with high rates of change, configure domain controllers on premises to not sync with the global catalog servers in Windows Azure.
Data disks             Place the Windows Server AD DS database, logs, and SYSVOL on Windows Azure data disks. Do not place these on the operating system disk (host write caching is enabled there, which AD DS must not have under its database) or on the temporary disks provided by Azure (their contents are lost when the VM is redeployed)!
DNS                    Install and configure Windows DNS on the domain controllers.
IP addresses           Use dynamic addresses assigned by Azure; do not set a static address inside the guest OS.
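A check for the data disk rule in the table above, written here as an added example (it is not part of the deck): run on a domain controller in Azure, it reads where the NTDS database, its log files and SYSVOL actually live and flags anything on the OS disk or on the Azure temporary disk. It assumes Windows Server 2012 or later (for Get-Volume) and the default Azure layout in which the temporary disk carries the volume label "Temporary Storage"; the registry value names are the standard NTDS and Netlogon ones.

```powershell
# Added example (not from the deck). Run elevated on a domain controller in Azure.
# Reports where AD DS keeps its database, log files and SYSVOL and flags anything
# on the OS disk or on the Azure temporary disk.
# Assumptions: Windows Server 2012 or later (Get-Volume); the Azure temporary
# disk carries the default volume label "Temporary Storage".

function Get-AdDsStoragePaths {
    $ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    @{
        'AD DS database (ntds.dit)' = $ntds.'DSA Database file'
        'AD DS log files'           = $ntds.'Database log files path'
        'SYSVOL'                    = $netlogon.SysVol
    }
}

function Test-AdDsDiskPlacement {
    $osDrive = $env:SystemDrive                     # usually "C:"

    # Drive letters of volumes that are the Azure temporary disk (usually D:).
    $tempDrives = Get-Volume |
        Where-Object { $_.FileSystemLabel -eq 'Temporary Storage' -and $_.DriveLetter } |
        ForEach-Object { '{0}:' -f $_.DriveLetter }

    $findings = @()
    foreach ($entry in (Get-AdDsStoragePaths).GetEnumerator()) {
        $path = $entry.Value
        if ([string]::IsNullOrEmpty($path)) { continue }
        $drive = [System.IO.Path]::GetPathRoot($path).TrimEnd('\')   # "C:\Windows\NTDS" -> "C:"
        if ($drive -ieq $osDrive) {
            $findings += "FAIL: $($entry.Key) is on the OS disk: $path (host write cache is on; AD DS needs it off)"
        } elseif ($tempDrives -contains $drive) {
            $findings += "FAIL: $($entry.Key) is on the Azure temporary disk: $path (contents are lost on redeploy)"
        } else {
            $findings += "OK:   $($entry.Key) is on $drive ($path)"
        }
    }
    $findings
}

$results = Test-AdDsDiskPlacement
$results | ForEach-Object { Write-Output $_ }
if ($results -match '^FAIL') { exit 1 }     # non-zero exit so a deployment pipeline can stop here
```

Run it after promoting each Azure domain controller and again after any redeploy; a DC whose ntds.dit sits on a disk with host write caching can silently lose committed directory writes, which is a worse outcome than the downtime the check costs.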
Web Front End Tier
[Diagram: the overview above, with the Front End availability set highlighted.]
Availability Set #1: three XL VMs (8 cores / 14 GB), each running front end services, distributed cache, workflow manager and query processing; index partition #0 is held on one VM with replicas on the other two.
Disk layout per VM: C: (System) 127 GB; D: (Page file, blob cache) 604 GB; E: (Log) 40 GB; F: (Index) 500 GB
App Server Tier
Availability Set #2: two XL VMs (8 cores / 14 GB), each running content processing, admin, crawl, analytics and back end services.
Disk layout per VM: C: (System) 127 GB; D: (Page file) 604 GB; E: (Log) 40 GB; F: (Analytics) 300 GB
Data Server Tier
Availability Set #3: two XL VMs (8 cores / 14 GB) hosting three availability groups (Availability Group #1, #2 and #3) for the Search, Content (two), Configuration and Service Application databases.
Disk layout per VM: C: (System) 127 GB; D: (Page file) 604 GB; E:, F:, G:, H: (TempDB files) 500 GB; I: (TempDB logs) 500 GB; L: (Transaction logs) 500 GB; J:, K:, M:, N: (Content data) 1024 GB; O: (Search databases) 1024 GB
Design app servers for availability sets
2 out of 3 VMs in an availability set can be on the same rack. Add additional instances of components to ensure availability. Design topologies first for scale, then fine tune server roles for availability sets.

Before:
• Host D (application server): analytics, content processing, crawl, admin
• Host E (application server): content processing, crawl, admin
• Host F (application server): content processing, crawl

After (every component on every application server, so losing any one rack leaves each component running):
• Host D, Host E, Host F (application servers): analytics, content processing, crawl, admin
Zones and authentication
• Three zones — works with cross-site publishing
• Separation of internal and customer accounts
• Different URLs for customer accounts and internal accounts
• Use zone policies to limit customer actions within a web application
Extranet and Public-Facing Internet
[Diagram: SharePoint 2013 farm in a cloud service in the Windows Azure virtual network, one web application with three zones: Internet zone – anonymous – visitors; Extranet zone – SAML (Windows Azure Active Directory) or FBA – partners and customers; Default zone – Windows (Active Directory Domain Services) – site developers and authors, connecting from on premises over the VPN tunnel.]
Active directory
• Dedicated Active Directory domain in Windows Azure?
• OR, hybrid with an on-premises AD?
Accounts for site developers and authors
• Add accounts to the domain in Windows Azure
• Use ADFS on premises to federate the internal accounts to a separate Active Directory environment in Windows Azure
• Or, use the hybrid design
Accounts for customers
• Windows Azure Active Directory is a good choice
• Or, any SAML-based provider
Managing identity for Internet sites

Internet sites—using Azure AD for customer accounts
• Separate user accounts from Active Directory; does not replace the need for a local Active Directory for SharePoint
• Sync with on-premises for SSO: DirSync with on-premises Active Directory
[Diagram: SharePoint trusts an ACS tenant over SAML 1.1 / WS-Fed; the ACS tenant federates with the Azure Active Directory tenant over SAML 2.0 / WS-Fed. ACS sits in the middle because SharePoint 2013 consumes SAML 1.1 tokens while Azure AD issues SAML 2.0.]

End Point Configuration
[Diagram: the Front End availability set in its cloud service, with load-balanced endpoints configured for visitors and customers, and endpoint monitoring on those endpoints.]
DR Setup
IaaS and Disaster Recovery
[Diagram: on premises: web servers, application servers, directory servers; VPN tunnel to a Windows Azure virtual network containing a cloud service with AD1 (X-Small), SP DR1 to SP DR5 (Large), SQL DR1 and SQL DR2 (A6); SQL Server log shipping from the on-premises databases to the DR SQL instances.]
Enabling Auto-Failover – Azure Traffic Manager
• The Front End servers' cloud services for the two farms are configured in 'Failover' load balancing mode
• TM keeps checking which service is 'online' based on ongoing endpoint monitoring
• The primary farm's cloud service is the 'first' service in the ordered list
• A custom job keeps polling TM to check the 'active' service, sends alerts when TM fails over to the secondary service, and can take appropriate actions based on the type of 'failover'

Temporary Failover
1. Primary farm goes down
2. TM recognizes that the farm is down and routes traffic to the DR farm (no change in URLs)
3. Visitors access the site in read-only mode (from the DR farm)
4. Custom job detects that TM has switched the traffic and pauses the restore log job to avoid user disconnection
[Diagram: primary and DR farms, each with subnets 1-4 and availability sets 1-4 across cloud services; the DR farm's database tier is a SQL Server AlwaysOn availability group; during temporary failover the DR site is read only; BLOB storage holds the shipped backups.]
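The custom job from the temporary failover steps above, written as an added example that is not the deck's own job: it polls the Traffic Manager profile name, alerts once when the answer stops pointing at the primary farm's cloud service, and disables the log-shipping restore job on the DR SQL instance so read-only users are not disconnected by the next restore. The profile name, cloud service names, SQL instance, job name and mail settings are all placeholders; Invoke-Sqlcmd comes from the SQL Server 2012 SQLPS module, and sp_update_job is the msdb procedure that enables or disables an Agent job.

```powershell
# Added example (not the deck's custom job). Polls Traffic Manager, alerts on a
# failover to the DR farm and pauses the log-shipping restore job there.
# All names below are assumptions for illustration.
Import-Module SQLPS -DisableNameChecking            # provides Invoke-Sqlcmd (SQL Server 2012 tools)

$tmProfile      = 'contoso-sites.trafficmanager.net'   # Traffic Manager profile DNS name
$primaryService = 'contoso-primary.cloudapp.net'       # first endpoint in the failover list
$drSqlInstance  = 'SQLDR1'                             # DR SQL instance receiving log shipping
$restoreJob     = 'LSRestore_SPSQL_WSS_Content'        # log-shipping restore job on the DR instance
$smtpServer     = 'smtp.contoso.com'
$alertTo        = 'ops@contoso.com'
$alertFrom      = 'tm-watch@contoso.com'
$pollSeconds    = 60

function Get-ActiveTrafficManagerEndpoint {
    # Traffic Manager answers with a CNAME to the cloud service it is currently routing to.
    # -DnsOnly skips the hosts file and LLMNR so only the DNS answer counts.
    $answer = Resolve-DnsName -Name $tmProfile -Type CNAME -DnsOnly -ErrorAction Stop
    ($answer | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
}

function Suspend-LogShippingRestore {
    # Disabling the Agent job stops further restores; re-enable it to resume catching up.
    # The account running this needs SQLAgentOperatorRole in msdb, not sysadmin.
    Invoke-Sqlcmd -ServerInstance $drSqlInstance -Database msdb `
        -Query "EXEC dbo.sp_update_job @job_name = N'$restoreJob', @enabled = 0"
}

function Send-Alert([string]$subject, [string]$body) {
    Send-MailMessage -SmtpServer $smtpServer -To $alertTo -From $alertFrom -Subject $subject -Body $body
}

$wasOnPrimary = $true
while ($true) {
    try {
        $active    = Get-ActiveTrafficManagerEndpoint
        $onPrimary = ($active -ieq $primaryService)

        if ($wasOnPrimary -and -not $onPrimary) {
            # Transition primary -> DR: freeze the restore first, then alert once.
            Suspend-LogShippingRestore
            Send-Alert "Traffic Manager failed over to $active" `
                "$tmProfile now resolves to $active. Restore job '$restoreJob' disabled on $drSqlInstance; DR farm is serving read-only."
        } elseif (-not $wasOnPrimary -and $onPrimary) {
            # Primary is back: do not re-enable automatically, a human decides temporary vs permanent.
            Send-Alert "Traffic Manager is back on $active" `
                "Confirm the primary farm is healthy, then re-enable '$restoreJob' on $drSqlInstance to resume log shipping."
        }
        $wasOnPrimary = $onPrimary
    } catch {
        Write-Warning "Poll failed, keeping last known state: $_"   # DNS or SQL error: retry next cycle
    }
    Start-Sleep -Seconds $pollSeconds
}
```

Detection latency is bounded by the Traffic Manager profile's DNS TTL plus the poll interval, so the job should run on a host whose resolver does not cache beyond that TTL (Clear-DnsClientCache before each poll if in doubt). Re-enabling the restore job is deliberately left to an operator: if the outage turns into a permanent failover, the next step is the tail-log and availability group work described below, not more restores.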
Permanent Failover
1. Primary farm does not come back: permanent failover is decided (e.g. based on a time window); service disruption is expected for some time
2. Databases are brought online (DR farm): tail log backups are taken from the primary farm (if possible); all pending logs are applied (both instances); DBs are brought to RECOVERY (both instances); DBs are added to the AlwaysOn availability group
3. SharePoint servers configured (DR farm): SQL aliases are configured to point to the AG listener; site becomes read/write; search decision – backup/restore or continue as is
4. TM – DR farm is made the primary endpoint
[Diagram: the same primary and DR farms; after step 2 the DR databases run in the SQL Server AlwaysOn availability group, after step 3 the DR site is read/write, and after step 4 Traffic Manager routes to the DR farm as primary.]
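Step 3.1 of the permanent failover (SQL aliases pointing at the AG listener), as an added example rather than the deck's own script: a SQL client alias lets the farm keep the database server name it was built with while the name now resolves to the availability group listener. The alias name, listener name and port are placeholders; the ConnectTo registry keys and the "DBMSSOCN,host,port" value format are the standard SQL Native Client alias definition, and the DMV query at the end verifies that the alias lands on the AG primary before the site is switched back to read/write.

```powershell
# Added example (not from the deck): step 3.1 of the permanent failover.
# Repoints SharePoint at the AlwaysOn availability group listener through a SQL
# client alias, so the database server name stored in the farm configuration
# does not change. Run elevated on every SharePoint server in the DR farm.
# Alias name, listener name and port are assumptions for illustration.
$aliasName = 'SPSQL'                                  # name the farm was built with (New-SPConfigurationDatabase -DatabaseServer)
$listener  = 'sp-ag-listener.corp.contoso.com'        # AG listener DNS name
$port      = 1433

# SharePoint loads both 64-bit and 32-bit components, so set both views of the key.
$aliasKeys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
)
foreach ($key in $aliasKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # "DBMSSOCN" = TCP/IP with an explicit port; no named-pipes fallback across subnets.
    Set-ItemProperty -Path $key -Name $aliasName -Value "DBMSSOCN,$listener,$port" -Type String
    Write-Output ("{0}\{1} = {2}" -f $key, $aliasName, (Get-ItemProperty -Path $key).$aliasName)
}

# Prove the alias reaches the AG primary before bringing the farm back read/write.
# SqlClient honours ConnectTo aliases, so "Server=SPSQL" goes to the listener.
$conn = New-Object System.Data.SqlClient.SqlConnection `
    "Server=$aliasName;Database=master;Integrated Security=SSPI;Connection Timeout=15"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @"
SELECT @@SERVERNAME AS ConnectedTo, ag.name AS AvailabilityGroup, ags.primary_replica AS PrimaryReplica
FROM sys.dm_hadr_availability_group_states AS ags
JOIN sys.availability_groups AS ag ON ag.group_id = ags.group_id
"@
    $reader = $cmd.ExecuteReader()
    $ok = $true
    while ($reader.Read()) {
        $line = "{0}: connected to {1}, primary replica is {2}" -f $reader['AvailabilityGroup'], $reader['ConnectedTo'], $reader['PrimaryReplica']
        if ($reader['ConnectedTo'] -ine $reader['PrimaryReplica']) { $ok = $false; Write-Warning "NOT PRIMARY - $line" }
        else { Write-Output "OK - $line" }
    }
    $reader.Close()
    if (-not $ok) { throw "Alias '$aliasName' is not landing on the AG primary; do not set the site read/write yet." }
} finally {
    $conn.Close()
}
```

If the two DR replicas sit in different subnets, create the listener with RegisterAllProvidersIP set to 0 and a short HostRecordTTL: SharePoint 2013's connection strings do not use MultiSubnetFailover, so a listener that registers both addresses makes half the connection attempts time out after a failover.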
Highly Available Template
[Diagram: cloud service in the Windows Azure virtual network with a load balancer (endpoints labelled 80 and 20000) in front of the availability sets AVSETSPWEB (web), AVSETSPAPP (app), AVSETSQLHA (SQL) and AVSETDCSET (AD/DC/DNS).]
• Web Tier: 2 x Large (4 cores & 7 GB)
• App Tier: 2 x Large (4 cores & 7 GB)
• Data Tier: 2 x A6 (4 cores & 28 GB) plus 1 x Small (1 core & 1.75 GB) as quorum
• Identity Tier: 2 x Small (1 core & 1.75 GB)
SharePoint 2013 Automation Scripts
PowerShell scripts that use Remote PowerShell for automated deployment of Active Directory, SQL Server and SharePoint 2013.
Two sample configurations available: HighlyAvailable and SingleVMs
Download from GitHub: https://github.com/windowsazure/azure-sdk-tools-samples
Internet sites — lessons learned
• Custom DNS and CNAMEs: create CNAMEs for <cloud service name>.cloudapp.net
• Cannot add additional NICs: with a single web application, use host header site collections; with multiple web applications, use SNI in IIS 8 so several HTTPS host names can share one IP address
• Create the default zone as HTTP with Windows claims, then extend it to HTTPS (extending an HTTPS default zone doesn't work)
• Multiple zones with HNSC require Set-SPSiteURL
• Default zone must be Windows claims for the Search crawler
• Cross-site publishing: default zone only; the catalog being published must have only one zone, while the consuming site collection may have multiple zones
• SQL DB and data disk
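The HNSC, Set-SPSiteURL and SNI points from the lessons above, combined in one added example (not code from the deck): it creates a host-named site collection whose Default zone stays HTTP with Windows claims (where the crawler runs), maps the same site collection to an HTTPS URL in the Internet zone with Set-SPSiteUrl, and adds an IIS 8 SNI binding so the host name gets its own certificate on the shared IP:443. It assumes the web application http://spwebapp.contoso.local already exists and has been extended to the Internet zone as an SSL site; the host names, owner account, IIS site name and template are placeholders.

```powershell
# Added example (not from the deck). Host-named site collection on the Default
# zone (HTTP, Windows claims), mapped to the Internet zone over HTTPS, plus an
# SNI certificate binding in IIS 8.
# Assumptions: the web application below exists and has been extended to the
# Internet zone as an SSL site; host names, accounts and IIS site name are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$webApp   = Get-SPWebApplication 'http://spwebapp.contoso.local'
$hostName = 'www.contoso.com'
$iisSite  = 'SharePoint - spwebapp Internet'      # IIS site created by Extend-SPWebApplication (assumed name)

# 1. Host-named site collection on the Default zone (HTTP, Windows claims).
$site = Get-SPSite "http://$hostName" -ErrorAction SilentlyContinue
if (-not $site) {
    $site = New-SPSite -Url "http://$hostName" -HostHeaderWebApplication $webApp `
        -OwnerAlias 'CONTOSO\spadmin' -Name 'Public site' -Template 'BLANKINTERNET#0'
}

# 2. Map the same site collection to its Internet zone URL. Without this the HNSC
#    answers on the Default zone URL only, whatever IIS bindings exist.
Set-SPSiteUrl -Identity $site -Url "https://$hostName" -Zone Internet
Get-SPSiteUrl -Identity $site | Format-Table Url, Zone -AutoSize

# 3. SNI binding on the extended HTTPS IIS site. SslFlags 1 = SNI, so the
#    certificate is selected by host name and several sites can share IP:443.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $hostName in LocalMachine\My" }

$existing = Get-WebBinding -Name $iisSite -Protocol https |
    Where-Object { $_.bindingInformation -like "*:443:$hostName" }
if (-not $existing) {
    New-WebBinding -Name $iisSite -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
}

# Bind the certificate to the host name (SNI entry), not to the IP address.
$sslPath = "IIS:\SslBindings\!443!$hostName"
if (-not (Test-Path $sslPath)) {
    New-Item -Path $sslPath -Value $cert -SSLFlags 1 | Out-Null
}
Get-Item $sslPath | Format-List *
```

Keep the Default zone URL reachable only from inside (the VPN side) and crawl it there; the Internet zone URL is what visitors and the CNAME for <cloud service name>.cloudapp.net should point at, and any anonymous policy belongs on that zone, not on the Default one.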
Internet Sites — Content Solution model
Copy and modify the architecture diagrams for your solutions.
Solution articles on TechNet:
• Internet Sites in Windows Azure using SharePoint Server 2013: http://technet.microsoft.com/en-us/library/dn635307(v=office.15).aspx
• Windows Azure Architectures for SharePoint 2013: http://technet.microsoft.com/en-us/library/dn635309(v=office.15).aspx
• Configure Windows Azure Active Directory with SharePoint 2013: http://technet.microsoft.com/en-us/library/dn635311(v=office.15).aspx
Design sample: start your own design for sites, services, zones, authentication, and URLs (available as Visio and PDF versions).
Reference
SharePoint Solutions and Architectures on Windows Azure Infrastructure Services
http://channel9.msdn.com/Events/SharePoint-Conference/2014/SPC3992
Introduction to SharePoint and Windows Azure IaaS
http://channel9.msdn.com/Events/SharePoint-Conference/2014/SPC298
We are here to help. Thank you.
Mohamed Faizal
Questions?