John Shewchuk Dennis Pilarinos Microsoft Corporation.

Post on 01-Apr-2015


Architecture of the .NET Services

John Shewchuk, Dennis Pilarinos

Microsoft Corporation

Azure™ Services Platform

A Look Inside Azure (diagram of the platform; labels as shown on the slide): Service Bus, Access Control, Workflow; Database, Reporting, Analytics; Compute, Storage, Manage; Identity, Devices, Contacts; Your Applications.

.NET Services

Extending .NET technologies to the cloud

- Open and accessible: REST, SOAP, RSS, AtomPub, …; class libraries for Java, PHP, Ruby, …
- Easy to use from .NET – skills move forward
- Initial focus on three key developer challenges: application integration; access control in a federated world; application extensibility

Service Bus

Key developer challenges
- Want to make it easy and secure for partners to use your application
- Don’t always know the characteristics or scale of the integration
- Partners / customers / users have devices and services running behind firewalls

Approach
- Provide a high-scale, highly available “Service Bus” that supports open Internet protocols

Service Bus

- The Internet Service Bus pattern: Service Registry; Connectivity (Relay & Direct Connect); Publish/Subscribe
- Nitty Gritty: Bindings; Ensuring connectivity; Integration with Access Control

Service Bus Application Pattern (diagram)

Components shown: Service Registry; Naming; Service Orchestration; Federated Identity and Access Control; Messaging Fabric; Clients (Desktop, RIA, Web); Cloud Services (ESB, Storage, Compute, …, Billing); On-Premises (Corp Service, Your Service).

Service Registry

[http|sb]://servicebus.windows.net/services/account/svc/…

Service Registry Root (diagram): the URI namespace is a tree; nodes shown are Root (servicebus.windows.net), services, account, contoso, svc.

- Multi-tenant
- The service registry provides a mapping from URIs to services

Connectivity

Two key capabilities: Relay; Direct connect

- Relay: ensures applications connect; available to all via the service registry
- Direct connect: uses the relay to establish communication, then shortcuts for efficiency
- Available via HTTP / REST / ATOM; available in .NET via WCF bindings

Relay: One-Way Connection (diagram)

sb://servicebus.windows.net/services/user/service/endpoint

Sender, Receiver. Labels shown: outbound SSL-secured TCP 828 connection to Relay; rendezvous endpoint; one-way messages through TCP tunnel.

Relay: Direct Connections (diagram)

sb://servicebus.windows.net/services/user/service/endpoint

Sender, Receiver. Labels shown:
- Outbound SSL-secured TCP 828 connection to Relay
- Out-of-band protocol to negotiate Direct Connection
- Upgrade to Direct when possible

Publish/Subscribe

- Builds on the relay and direct connect connectivity capabilities
- Initial release is “connected multicast”
- Over time will provide additional delivery characteristics – anycast, reliable, …

Relay: Multicast Publish/Subscribe (diagram)

sb://servicebus.windows.net/services/user/service/endpoint

Sender, several Receivers. Labels shown: outbound SSL-secured TCP 828 connection to Relay; rendezvous endpoint; one-way messages through TCP tunnel to each Receiver.

Service Bus

- The Internet Service Bus pattern: Service Registry; Connectivity (Relay & Direct Connect); Publish/Subscribe
- Nitty Gritty: Bindings; Ensuring connectivity; Integration with Access Control

Rich Set of Connectivity Bindings

WCF Binding                   New Service Bus Binding
BasicHttpBinding              BasicHttpRelayBinding
WebHttpBinding                WebHttpRelayBinding
WSHttpBinding                 WSHttpRelayBinding
WS2007HttpBinding             WS2007HttpRelayBinding
WSHttpContextBinding          WSHttpRelayContextBinding
WS2007FederationHttpBinding   WS2007FederationHttpRelayBinding
NetTcpBinding                 NetTcpRelayBinding
NetTcpContextBinding          NetTcpRelayContextBinding
n/a                           NetOnewayRelayBinding
n/a                           NetEventRelayBinding

Relay: RFC2616-Compliance (diagram)

http://servicebus.windows.net/services/user/service/endpoint

Sender, Receiver (RFC2616-compliant HTTP stack)
- Only 2 concurrent connections per domain
- 2 concurrent polling clients starve the dual reply-to path

Relay: HTTP Connection Workaround (diagram)

http://servicebus.windows.net/services/user/service/endpoint

Sender, Receiver
- Single-threaded polling receiver; multiplexed message batch retrieval; MT local dispatch and fan-out
- Multiplex messages through a volatile message buffer for pickup
- STA-synchronized reply-to connections
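The receiver design on this slide, as an added example that is not from the deck or from the .NET Services SDK: one polling thread owns the only outbound HTTP connection to the relay and retrieves messages in batches, the batch is multiplexed through a volatile in-process buffer, and a pool of local worker threads fans the individual messages out. The relay class, the message format and the batch size are constructed stand-ins so the block runs offline; the per-domain limit of 2 is the RFC 2616 client-side limit the slide refers to.

```python
"""Added example (not from the PDC slides): simulation of the HTTP
connection workaround. A single polling thread fetches batches over one
connection; worker threads dispatch from a buffer. FakeRelay is a
constructed stand-in for the relay's HTTP endpoint."""
import queue
import threading
import time

# Client-side limit the slide refers to (RFC 2616 section 8.1.4).
MAX_CONNECTIONS_PER_DOMAIN = 2


class FakeRelay:
    """Constructed stand-in for the relay endpoint: hands out pending
    messages in batches and records how many connections are open at once,
    so the receiver design can be checked against the per-domain limit."""

    def __init__(self, messages, batch_size=4):
        self._pending = list(messages)
        self._batch_size = batch_size
        self._lock = threading.Lock()
        self.open_connections = 0
        self.peak_connections = 0

    def fetch_batch(self):
        """One HTTP round trip: open a connection, wait, take up to
        batch_size messages, close the connection."""
        with self._lock:
            self.open_connections += 1
            if self.open_connections > MAX_CONNECTIONS_PER_DOMAIN:
                # A real HTTP stack would queue the request; raising makes
                # the violation visible in the simulation instead.
                self.open_connections -= 1
                raise RuntimeError("per-domain connection limit exceeded")
            self.peak_connections = max(self.peak_connections, self.open_connections)
        time.sleep(0.001)  # simulated network latency
        with self._lock:
            batch = self._pending[: self._batch_size]
            del self._pending[: self._batch_size]
            self.open_connections -= 1
        return batch


def run_receiver(relay, workers=4):
    """Single-threaded polling loop feeding a multi-threaded dispatch pool.
    Returns the list of (worker name, message) pairs that were handled."""
    buffer = queue.Queue()  # volatile message buffer for pickup
    handled = []
    handled_lock = threading.Lock()
    stop = object()  # sentinel that tells a worker to exit

    def dispatch():
        while True:
            msg = buffer.get()
            if msg is stop:
                return
            with handled_lock:
                handled.append((threading.current_thread().name, msg))

    pool = [threading.Thread(target=dispatch, name=f"worker-{i}") for i in range(workers)]
    for t in pool:
        t.start()

    # Exactly one connection to the relay at a time: the second slot the
    # HTTP stack allows stays free for the reply-to path.
    while True:
        batch = relay.fetch_batch()
        if not batch:
            break
        for msg in batch:
            buffer.put(msg)

    for _ in pool:
        buffer.put(stop)
    for t in pool:
        t.join()
    return handled


def connections_free_for_replies(relay):
    """Per-domain slots the reply-to path can still use at the poller's peak."""
    return MAX_CONNECTIONS_PER_DOMAIN - relay.peak_connections


if __name__ == "__main__":
    relay = FakeRelay([f"msg-{i}" for i in range(10)])  # constructed sample
    for worker, msg in run_receiver(relay):
        print(worker, msg)
    print("peak connections:", relay.peak_connections)
```

The point the simulation makes visible is the budget: with one poller the peak connection count is 1, so one slot is always available for replies, whereas two independent polling clients would consume both slots and starve the reply-to path exactly as the previous slide describes.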

Relay Access Control Principles

- Access Control is governed by Access Control Rules
- Composes cleanly with SOAP-over-HTTP (SOAP 1.1, SOAP 1.2): HTTP clients are able to send messages through the relay with minimal extra effort
- WS-Security header can be used for end-to-end application-level security (optional); composes cleanly with transport-only message protection
- Support any SOAP 1.2/2.0 BP-compliant client

Unauthenticated Senders

- Unauthenticated ‘Send’ option: clients do not need to acquire tokens for communicating through the relay; supports plain Basic Profile SOAP requests
- Opt-in policy set by listening services: enables services to choose between relay-based access control and locally-enforced end-to-end access control

Service Bus Summary

- Service Registry
- Relay and direct connect connectivity
- Publish/Subscribe
- Integrated with Access Control services

Access Control

Key developer challenges
- Many identity providers, many vendors, many protocols, complex semantics – tricky to get right
- Application strewn with one-off access logic: hard to get right, not agile, not compliant, many dead ends

Approach
- Automate federation for a wide range of identity providers and technologies
- Factor the access control logic from the application into a manageable collection of rules
- Easy-to-use framework that ensures correct token processing

Access Control Interactions (diagram)

Parties: Your Access Control Project (a hosted STS); Relying Party (your app); Requestor (your customer).

0. Certificate exchange; periodically refreshed
1. Define access control rules for a customer
2. Send claims (Requestor to the STS)
3. Map input claims to output claims based on access control rules
4. Send token (output claims from step 3) to the Requestor
5. Send message with token to the Relying Party
6. Claims checked in the Relying Party

Hosted Security Token Service

- Use the web site or web APIs…
- Define and manage application scopes
- Delegate access to scopes
- Define and manage access control rules
  - Rules are defined within an application scope
  - Rules can be chained; e.g. bob → manager and manager → allowed
  - Simple model: the output security token is a collection of claims based on the claims in the incoming token
- Define and manage claim types
- Define and manage signing and encryption keys
- Standards compliant – works with Java, Ruby, …
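A worked model of the rule evaluation described above (chained rules inside a scope, output token built from the mapped claims) together with the token hand-off from the Access Control Interactions slide, as an added example that is not code from the deck or from the .NET Services SDK. The rule format, the scope URI, the claim names and the key are constructed for illustration; the token signature uses an HMAC over a shared secret as a stand-in for the certificate-based signing that step 0 of the interaction diagram sets up.

```python
"""Added example (not from the PDC slides): rules-driven claim mapping
with chaining, plus STS token issue and relying-party check. Rule
format, scope URI, claim names and key are constructed; HMAC stands in
for the certificate-based signature."""
import hashlib
import hmac
import json

# Rules live inside an application scope and map one input claim to one
# output claim. Constructed sample, modelled on the slide's
# "bob -> manager and manager -> allowed" chain.
ORDERS_SCOPE = "http://contoso.example/scopes/orders"
RULES = {
    ORDERS_SCOPE: [
        (("name", "bob"), ("role", "manager")),
        (("role", "manager"), ("action", "allowed")),
        (("name", "alice"), ("action", "allowed")),
    ],
}


def evaluate_rules(scope, input_claims, max_rounds=16):
    """Step 3: map input claims to output claims. Rules chain: an output
    claim produced in one round can match a rule's input in the next.
    Only claims produced by a rule go into the output; input claims are
    not passed through. The round bound stops a cyclic rule set from
    looping forever."""
    known = set(input_claims)
    derived = set()
    for _ in range(max_rounds):
        new = {out for inp, out in RULES.get(scope, []) if inp in known and out not in known}
        if not new:
            break
        known |= new
        derived |= new
    return sorted(derived)


def issue_token(sts_key, scope, input_claims):
    """Step 4: the STS signs the output claims together with the scope they
    apply to, so a token issued for one relying party cannot be presented
    to another."""
    body = {"appliesTo": scope, "claims": evaluate_rules(scope, input_claims)}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(sts_key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + sig


def check_token(rp_key, token, expected_scope, required_claim):
    """Step 6: the relying party verifies the signature first, then that the
    token applies to its own scope, then looks for the claim it needs.
    Nothing in the payload is trusted before the signature checks out."""
    payload, sep, sig = token.rpartition(b".")  # the hex digest holds no '.'
    if not sep:
        return False
    expected = hmac.new(rp_key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, sig):
        return False
    body = json.loads(payload)
    if body.get("appliesTo") != expected_scope:
        return False
    return list(required_claim) in body.get("claims", [])


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # stand-in for the exchanged certificate
    token = issue_token(key, ORDERS_SCOPE, [("name", "bob")])
    print(token.decode())
    print(check_token(key, token, ORDERS_SCOPE, ("action", "allowed")))
```

The order of checks in check_token is the part worth copying: signature, then audience (appliesTo), then the claim itself, so that a token forged, tampered with or issued for a different scope is rejected before any claim in it influences a decision.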

demo

Relay And End-to-End Security (diagram)

Parties: Client, Relay, Target Service, AC.W.N STS.

Labels shown: RST/RSTR between Client and STS; AC.W.N credential appliesTo: Target Endpoint; AC.W.N credential appliesTo: Relay Endpoint; Relay requires AC.W.N token; relayToken; WS-Sec Hdr (WS-Security header); P.

Access Control Summary

- Flexible, rules-driven access control
- Rich support for a wide range of identity providers
- The Geneva framework is the .NET developer experience
- Easy to incorporate into existing applications
- Works with lots of other environments; e.g. Sun’s Java Metro 1.3, …

Workflow

Key developer challenges
- Want to easily describe long-running processes
- Want modularity and nesting
- Easy to describe but in practice harder to run
- Hosting and scaling can be challenging: setup and installing, define scale-out approach, ensure long-running availability, manage upgrades, …

Approach
- .NET 3.0/3.5/4.0 addresses key developer requests
- .NET Services makes it easy to deploy, manage and run Workflows

Windows Workflow Foundation

- WF Runtime: easily describe coordinated work with minimal ceremony
- Tools/Designers; Activity Library; Runtime; Hosts

Workflow (diagram)

- Tooling: VS Designer; VS Debugger; Rehosted Designer
- Activity Library
- Hosts: IIS/WAS + “Dublin” (WorkflowService); your.exe (“Direct”)

Workflow Service – Overview

- A portal at workflow.ex.azure.microsoft.com
- New activities for the Azure Services Platform
- APIs that allow you to deploy, manage, and run your workflows on the cloud
- Enables you to orchestrate services: connect to services in your enterprise anywhere on the Internet – uses the connectivity services; give your partners and customers access – uses the access control services

Workflow Service – Basic Usage

A reliable, scalable off-premises host for workflows

1. Design Workflows: choose WF model; use a WF designer; use new Azure activities and a subset of WF out-of-the-box activities
2. Deploy Workflows: upload and validate
3. Manage Workflow Types: add, delete, update, view instances
4. Manage Workflow Instances: create, run, control, track execution

Workflow Service – Design Flow

Workflow & Rules XAML

1Visual Studio WF Designer

Your Apps & Services

http://

ServiceBus•Workflow Portal•WorkflowClient API•SOAP Web Service

2 3 4

Design Workflows1

Deploy Workflows2

Manage Workflow Instances4

Manage Workflow Types32

VS – one click deploy

Workflow Service Summary

- Execute Workflows with high availability
- Design Workflows using existing tools
- Easily deploy and manage Workflows
- Portal for easy access
- Management APIs for rich automation

Call to Action

- Register for a .NET Services account & download the SDK: http://www.azure.com
- Try out the .NET Services in the HOLs area: HOLs for Service Bus, Access Control, Workflow, SQL Services, and Live Services
- Attend one of the many breakout sessions

Evals & Recordings

Please fill out your evaluation for this session at:

This session will be available as a recording at: www.microsoftpdc.com

Q&A

Please use the microphones provided

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.