
Microsoft .NET Service Bus: Connectivity, Messaging, Events, and Discovery

Clemens Vasters, Service Bus Technical Lead, Microsoft Corporation

BB38

Azure™ Services Platform

Agenda

- What is a Service Bus?
- Connectivity Challenges
- Naming
- Service Registry and Discovery
- Messaging, Connectivity and Events

Enterprise Service Bus

[Diagram: an on-premise Enterprise Service Bus made up of Service Orchestration, Service Registry, Naming, Federated Identity and Access Control, and a Messaging Fabric, connecting CRM (Customers, Leads, Trends, Campaigns), Supply Chain (Inventory, Order Entry, Planning, Purchasing) and Point Of Sale (POS Integration, Product Catalog, Returns, Web Store) systems]

Internet Service Bus

[Diagram: the same building blocks (Service Orchestration, Service Registry, Naming, Federated Identity and Access Control, Messaging Fabric) hosted on the Internet, connecting Clients (Desktop, RIA, Web), MS/3rd Party Services, an On-Premise ESB and Your Services]

Connectivity Challenges

- IPv4 Address Shortage
- Dynamic IP address allocation
- Network Address Translation (NAT)
- Internet is pwn3d by the bad guys
- Firewalls layered over firewalls over firewalls

[Diagram: a Sender trying to reach a Receiver that sits behind a Machine Firewall, a Network Firewall, Network Address Translation and a Dynamic IP]

How Do People Deal With It?

- Dynamic DNS
- NAT Port Mappings / UPnP
- Open Inbound Firewall Ports

[Diagram: the same Sender/Receiver path, with each workaround applied at the corresponding obstacle]

Brittle, Difficult, Insecure – and sometimes – Impractical. Consequence: we see recurring patterns of workarounds.

Who needs it?

- Any Instant Messaging/Communication App: Access Control, Relay, Direct Connect
- Any Multiplayer Game: Access Control, Relay, Direct Connect
- Any Home Media Integration System: Access Control, Relay, Direct Connect
- Any Enterprise Integration System: Access Control, VPN/VAN

Service Bus – Naming

[Diagram: Service Bus building blocks (Service Registry, Naming, Federated Identity and Access Control, Messaging Fabric), with Naming highlighted]

Service Bus Naming

Federated, hierarchical, DNS-integrated, transport-neutral naming system

[Diagram: naming tree: Root → Solution nodes → names (NameA, NameB, NameC, Name1, Name2, Name3)]

Anything wrong with DNS?

DNS has some practical constraints:
- High update propagation latency
- Increasing pollution by ISPs (“DNS assistance”)
- Names hosts, not services
- Limited write-access model (often out-of-band)

Service Bus Naming System:
- R/W access with access control via Registry
- Updates reflected instantaneously
- Names name endpoints, not machines

Canonical Form of URI Projections

scheme://naming-scope/name/name

URI ‘Host’: Naming Authority
URI ‘Path’: Federated Name Structure

[Diagram: the naming tree (Root → X, Y, Z → A, B, C, 1, 2, 3) projected onto URIs: the authority node becomes the host, the path below it becomes the federated name structure]

Global Naming Structure (PDC)

scheme://servicebus.windows.net/services/solution/name/…

[Diagram: Root → SBWN → services → solution → name; the services/solution segments are a Required Prefix]

Global Naming Structure (Post-PDC)

scheme://solution.servicebus.windows.net/name/…

[Diagram: naming tree: Root → Solution nodes → names (NameA, NameB, NameC, Name1, Name2, Name3); the solution is projected into the host name]

Service Bus – Service Registry

[Diagram: Service Bus building blocks (Service Registry, Naming, Federated Identity and Access Control, Messaging Fabric), with Service Registry highlighted]

Service Registry

- The service registry is a registry for service endpoints, not a general-purpose directory
- The registry is layered over the naming system and provides programmatic access to naming
- Discover: Atom 1.0 feed hierarchy
- Publish: Atom Publishing Protocol, WS-Transfer

[Diagram: a Client talks to the Service Registry over AtomPub and WS-Transfer; the registry sits on top of Naming]

Registry Feed Structure

- Accessing the root registry feed for solutions: http://servicebus.windows.net/services/solution/
- Root of a hierarchy of feeds

[Diagram: naming tree Root → SBWN → services → solution → svc, with a feed at each level; the Client accesses the Service Registry over AtomPub and WS-Transfer]

demo: Service Registry

Clemens Vasters, Service Bus Technical Lead, .NET Services

Services in Registry Feeds

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <title>Title</title>
  <link href="http://servicebus.windows.net/services/my/svc" rel="self"/>
  <id>urn:uuid:82a76c80-d498-12d5-b91C-0103839e0ef6</id>
  …
  <entry>
    <title>MyEndpoint</title>
    <link href="http://swn/services/my/svc/ep1"/>
    <id>urn:uuid:1225c695-cfb8-4ebb-aaaa-80da344efa6a</id>
    <wsa:EndpointReference>
      <wsa:Address>
        http://servicebus.windows.net/services/my/svc/ep1
      </wsa:Address>
    </wsa:EndpointReference>
  </entry>
</feed>
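As an added example (not code from the deck or from the Service Bus SDK), here is a Python reader for a registry feed of the shape shown above: it walks the Atom entries, pulls each wsa:Address out of its wsa:EndpointReference, and checks that the address stays within the feed's own naming scope, i.e. the naming authority and path of the feed's rel="self" link. The feed text is a constructed sample modelled on the slide (one extra, out-of-scope entry is added to exercise the check); the namespace URIs are the ones the slide declares.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"atom": "http://www.w3.org/2005/Atom",
      "wsa": "http://www.w3.org/2005/08/addressing"}
# Constructed sample modelled on the slide's feed; the second entry is a
# constructed endpoint whose address lies outside the feed's own naming scope.
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <title>Title</title>
  <link href="http://servicebus.windows.net/services/my/svc" rel="self"/>
  <entry>
    <title>MyEndpoint</title>
    <wsa:EndpointReference>
      <wsa:Address> http://servicebus.windows.net/services/my/svc/ep1 </wsa:Address>
    </wsa:EndpointReference>
  </entry>
  <entry>
    <title>StrayEndpoint</title>
    <wsa:EndpointReference>
      <wsa:Address>http://servicebus.windows.net/services/other/svc/ep2</wsa:Address>
    </wsa:EndpointReference>
  </entry>
</feed>
"""

def feed_scope(root):
    # The feed's own naming scope is the URI of its rel="self" link (/services/my/svc here).
    for link in root.findall("atom:link", NS):
        if link.get("rel") == "self":
            return urlparse(link.get("href"))
    raise ValueError("feed has no rel='self' link")

def endpoints(feed_xml):
    """Return (title, address, in_scope) for each entry carrying a wsa:EndpointReference.
    in_scope: same naming authority (host) as the feed and a path below the feed's own path.
    Whitespace around the address text (as on the slide) is stripped before parsing."""
    root = ET.fromstring(feed_xml.encode("utf-8"))
    scope = feed_scope(root)
    found = []
    for entry in root.findall("atom:entry", NS):
        title = entry.findtext("atom:title", default="", namespaces=NS)
        addr = entry.findtext("wsa:EndpointReference/wsa:Address", default="",
                              namespaces=NS).strip()
        if not addr:
            continue
        target = urlparse(addr)
        in_scope = (target.hostname == scope.hostname
                    and target.path.startswith(scope.path.rstrip("/") + "/"))
        found.append((title, addr, in_scope))
    return found
```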

Service Bus – Messaging

[Diagram: Service Bus building blocks (Service Registry, Naming, Federated Identity and Access Control, Messaging Fabric), with the Messaging Fabric highlighted]

Service Bus - Messaging

Primary Programming Model: WCF
Family of Bindings for the Service Bus

Corresponding WCF Binding                    Service Bus Relay Binding
BasicHttpBinding                             BasicHttpRelayBinding
WebHttpBinding                               WebHttpRelayBinding
WSHttpBinding                                WSHttpRelayBinding
WS2007HttpBinding                            WS2007HttpRelayBinding
WSHttpContextBinding                         WSHttpRelayContextBinding
WS2007HttpFederationBinding                  WS2007HttpRelayFederationBinding
NetTcpBinding                                NetTcpRelayBinding
NetTcpContextBinding                         NetTcpRelayContextBinding
n/a [loosely related to NetMsmqBinding]      NetOnewayRelayBinding
n/a [loosely related to NetTcpPeerBinding]   NetEventRelayBinding

WCF Relay Bindings For WCF Pros

Works just like WCF:
- Envelopes: SOAP 1.1, SOAP 1.2, None
- All WS-* end-to-end security scenarios
- Transport-level message path protection (SSL)
- Reliable Messaging, Streaming
- Full Extensibility Model
- Web programming model (WebGet/-Invoke)
- Metadata Exchange

Not supported:
- (By Design) Atomic Transaction Flow
- (By Design) Protocol-level transport authentication
- (PDC Issue) WebScriptingBehavior JavaScript proxy
- (PDC Issue) Direct Tcp Modes with RM or WS-* Sec.

NetOnewayRelayBinding

[Diagram: Sender and Receiver on either side of the Service Bus, the Receiver behind NAT/Firewall/Dynamic IP. The Receiver makes an outbound bidirectional socket connection (TCP/SSL 808/828) to a load-balanced (NLB) Frontend Node and subscribes to sb://servicebus.windows.net/services/solution/a/b/; the Backend Naming/Routing Fabric records the route. The Sender makes an outbound one-way net.tcp connection (TCP/SSL 828) and sends messages, which the fabric routes to the subscribed Receiver]

demo: NetOnewayRelayBinding

NetEventRelayBinding

[Diagram: as for NetOnewayRelayBinding, but several Receivers each hold an outbound bidirectional socket (TCP/SSL 808/828) to the Frontend Nodes and subscribe to the same name sb://servicebus.windows.net/services/solution/a/b/; a message sent over the Sender's one-way net.tcp connection (TCP/SSL 828) is routed by the Backend Naming/Routing Fabric to every subscribed Receiver]

demo: NetEventRelayBinding

NetTcpRelayBinding / Relayed

[Diagram: (1) the Receiver opens an outbound control connection (Ctrl, TCP/SSL 818) to a load-balanced (NLB) Frontend Node and subscribes to sb://servicebus.windows.net/services/solution/a/b/; (2) the Sender opens an outbound socket to a Frontend Node; (3) the Backend Naming/Routing Fabric delivers a one-way rendezvous control message to the Receiver, which opens a second outbound socket to that Frontend Node; (4) a Socket-Socket Forwarder on the Frontend Node joins the two sockets, so all traffic flows through the relay]

demo: NetTcpRelayBinding / Relayed

NetTcpRelayBinding / Hybrid

[Diagram: the connection starts like the Relayed mode (Ctrl connection over TCP/SSL 818/819, one-way rendezvous control message, relayed connect through the Frontend Node). Both sides then perform NAT Probing through the Service Bus, and the relayed connection is upgraded to a direct NAT Traversal Connection between Sender and Receiver]

demo: NetTcpRelayBinding / Hybrid

[WS|Basic|Web]HttpRelayBinding

[Diagram: (1) the Receiver opens an outbound control connection (Ctrl) to a load-balanced (NLB) Frontend Node and subscribes to sb://servicebus.windows.net/services/solution/a/b/; (2) the Sender issues an ordinary HTTP or HTTPS request (HTTP/S 80/443); (3) the Backend Naming/Routing Fabric delivers a one-way rendezvous control message to the Receiver, which opens an outbound socket to the Frontend Node; (4) an HTTP-Socket Forwarder on the Frontend Node hands the request over that socket]

demo: WSHttpRelayBinding (WS-*), WebHttpRelayBinding (REST)

Service Bus – Access Control Integration

[Diagram: Service Bus building blocks (Service Registry, Naming, Federated Identity and Access Control, Messaging Fabric), with Federated Identity and Access Control highlighted]

Relay Access Control Model - Listener

[Diagram: Receiver, Access Control STS and Service Bus Relay]
1. Receiver acquires an access token (AcTk) for #Listen from the Access Control STS (RST/RSTR)
2. Receiver passes the access token in the Token Header with its subscription to the Service Bus Relay
3. Relay evaluates the token

Relay Access Control Model - Sender

[Diagram: Sender, Access Control STS, Service Bus Relay and Receiver]
1. Sender acquires an access token (AcTk) for #Send from the Access Control STS (RST/RSTR)
2. Sender passes the access token in the Token Header with the message
3. Relay evaluates the token and removes it
4. Message passed on to the Receiver

Integrated Access Control

Access Control governed by rules managed in the Access Control Service:
- Services must be authorized to listen in a namespace
- Evaluation of all claims in the cloud
- No notion of “identity” in the relayed service

Service can turn off client access control:
- Local evaluation of end-to-end claims
- Full control over authN/Z model (but less protection)

Clean composition with the standard SOAP/HTTP model:
- WS-Security Header reserved for E2E Message Security
- Transparent to HTTP-Header AuthN/AuthZ schemes

Notes on Security

We encourage you to hide your payloads:
- Use WS-Security to protect the end-to-end path
- You own all keys used to protect payloads

Transport security:
- SSL channels terminate in the Service Bus
- Socket connections relayed on-machine
- Oneway/Event relayed on backend fabric

What do we look at in the Service Bus?
- SOAP: Action/wsa:Action, wsa:To
- HTTP: Method, URI
- Access Tokens
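Added example, not code from the deck or from the Access Control Service: a Python model of the listener and sender checks the relay performs in the two access control models above. The token format is an assumption (a list of (action, scope) claims; the slides do not show the real token), the scope rule applies the hierarchical naming to claims, a subscription needs a Listen claim and a message a Send claim covering the name, and the token header is stripped before forwarding; the relay looks only at wsa:Action, wsa:To and the token, never at the body.

```python
from urllib.parse import urlparse

# Constructed token format (the slides do not show the real one): a token is a dict
# {"claims": [(action, scope_uri), ...]} with action "Listen" or "Send". Scopes follow the
# hierarchical naming: a claim on .../services/solution/a covers /a and every name below it.
SOLUTION_SCOPE = "sb://servicebus.windows.net/services/solution/a"
LISTENER_TOKEN = {"claims": [("Listen", SOLUTION_SCOPE)]}
SENDER_TOKEN = {"claims": [("Send", SOLUTION_SCOPE + "/b")]}

# Constructed message: the relay only looks at wsa:Action, wsa:To and the token header;
# the body is opaque to it (payload protection is the endpoints' job, via WS-Security).
SAMPLE_MESSAGE = {
    "headers": {"wsa:Action": "urn:demo:Ping",
                "wsa:To": "sb://servicebus.windows.net/services/solution/a/b/",
                "AccessToken": SENDER_TOKEN},
    "body": "<Ping/>",
}

def covers(scope, name):
    """True if the claim scope equals the name or is one of its ancestors in the name tree."""
    s, n = urlparse(scope), urlparse(name)
    if s.scheme != n.scheme or s.hostname != n.hostname:
        return False
    base = s.path.rstrip("/")
    return n.path.rstrip("/") == base or n.path.startswith(base + "/")

def authorized(token, action, name):
    return any(a == action and covers(scope, name) for a, scope in token.get("claims", []))

def relay_subscribe(name, headers):
    """Listener side (steps 2-3 on the slide): the subscription carries the token in its
    header; the relay admits it only with a Listen claim covering the subscribed name."""
    token = headers.get("AccessToken")
    return bool(token) and authorized(token, "Listen", name)

def relay_send(message):
    """Sender side (steps 2-4): evaluate the Send claim against wsa:To, then strip the
    token and pass the rest on. Returns the forwarded message, or None if rejected."""
    headers = message["headers"]
    to, token = headers.get("wsa:To"), headers.get("AccessToken")
    if not to or not token or not authorized(token, "Send", to):
        return None
    return {"headers": {k: v for k, v in headers.items() if k != "AccessToken"},
            "body": message["body"]}
```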

Summary

- Pervasive, Secure Connectivity for Services
- Secure NAT Traversal, “DMZ in the sky”
- WCF-Integrated Programming Model

Attend Session BB12: Thu 10:15am / 408A
Messaging Services: Protocols, Protection, and How We Scale
- Protocol Details, Drilldown into all Modes
- Cross-Platform Support
- More Security Details
- A Look Under The Hood

Evals & Recordings

Please fill out your evaluation for this session at:

This session will be available as a recording at: www.microsoftpdc.com

Please use the microphones provided

Q&A

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

