Architecture of the .NET Services
John Shewchuk, Dennis Pilarinos
Microsoft Corporation
Azure™ Services Platform
A Look Inside Azure (diagram): Service Bus, Access Control, Workflow, …; Database, Reporting, Analytics, …; Compute, Storage, Manage; Identity, Devices, Contacts, …; Your Applications
.NET Services
- Extending .NET technologies to the cloud
- Open and accessible: REST, SOAP, RSS, AtomPub, …; class libraries for Java, PHP, Ruby, …
- Easy to use from .NET: skills move forward
- Initial focus on three key developer challenges: application integration, access control in a federated world, application extensibility
Service Bus
Key developer challenges
- Want to make it easy and secure for partners to use your application
- Don't always know the characteristics or scale of the integration
- Partners / customers / users have devices and services running behind firewalls
Approach
- Provide a high-scale, highly available "Service Bus" that supports open Internet protocols
Service Bus
- The Internet Service Bus pattern: Service Registry; Connectivity (Relay & Direct Connect); Publish/Subscribe
- Nitty Gritty: Bindings; Ensuring connectivity; Integration with Access Control
Service Bus Application Pattern (diagram): Service Registry, Naming, Service Orchestration, Federated Identity and Access Control, Messaging Fabric; Clients (Desktop, RIA, Web), Cloud Services (ESB, Storage, Compute, Billing, …), On-Premises (Corp Service, Your Service)
Service Registry
[http|sb]://servicebus.windows.net/services/account/svc/…
- Registry hierarchy: root servicebus.windows.net / services (Service Registry Root, multi-tenant) / account (e.g. contoso, …) / svc
- The service registry provides a mapping from URIs to services
Connectivity
- Two key capabilities: Relay and Direct connect
- Relay: ensures applications can connect; available to all via the service registry
- Direct connect: uses the relay to establish communication, then shortcuts for efficiency
- Available via HTTP / REST / ATOM; available in .NET via WCF bindings
Relay: One-Way Connection (diagram)
sb://servicebus.windows.net/services/user/service/endpoint
- Sender and Receiver
- Outbound SSL-secured TCP 828 connection to the Relay; rendezvous endpoint
- One-way messages through the TCP tunnel
Relay: Direct Connections (diagram)
sb://servicebus.windows.net/services/user/service/endpoint
- Sender and Receiver
- Outbound SSL-secured TCP 828 connection to the Relay
- Out-of-band protocol to negotiate a direct connection
- Upgrade to direct when possible
Publish/Subscribe
- Builds on the relay and direct connect connectivity capabilities
- Initial release is "connected multicast"; over time will provide additional delivery characteristics: anycast, reliable, …
Relay: Multicast Publish/Subscribe (diagram)
sb://servicebus.windows.net/services/user/service/endpoint
- Sender and multiple Receivers
- Outbound SSL-secured TCP 828 connection to the Relay; rendezvous endpoint
- One-way messages through the TCP tunnel, delivered to every receiver
Service Bus
- The Internet Service Bus pattern: Service Registry; Connectivity (Relay & Direct Connect); Publish/Subscribe
- Nitty Gritty: Bindings; Ensuring connectivity; Integration with Access Control
Rich Set of Connectivity Bindings

WCF Binding                    New Service Bus Binding
BasicHttpBinding               BasicHttpRelayBinding
WebHttpBinding                 WebHttpRelayBinding
WSHttpBinding                  WSHttpRelayBinding
WS2007HttpBinding              WS2007HttpRelayBinding
WSHttpContextBinding           WSHttpRelayContextBinding
WS2007FederationHttpBinding    WS2007FederationHttpRelayBinding
NetTcpBinding                  NetTcpRelayBinding
NetTcpContextBinding           NetTcpRelayContextBinding
n/a                            NetOnewayRelayBinding
n/a                            NetEventRelayBinding
Relay: RFC2616 Compliance
http://servicebus.windows.net/services/user/service/endpoint
- Sender and Receiver use an RFC2616-compliant HTTP stack
- Only 2 concurrent connections per domain
- 2 concurrent polling clients starve the dual reply-to path
Relay: HTTP Connection Workaround
http://servicebus.windows.net/services/user/service/endpoint
- Sender and Receiver
- Single-threaded polling receiver; multiplexed message batch retrieval; MT local dispatch and fan-out
- Multiplex messages through a volatile message buffer for pickup
- STA-synchronized reply-to connections
Relay Access Control Principles
- Access control is governed by Access Control rules
- Composes cleanly with SOAP-over-HTTP (SOAP 1.1, SOAP 1.2): HTTP clients are able to send messages through the relay with minimal extra effort
- A WS-Security header can be used for end-to-end application-level security (optional); composes cleanly with transport-only message protection
- Supports any SOAP 1.2/2.0 BP-compliant client
Unauthenticated Senders
- Unauthenticated 'Send' option: clients do not need to acquire tokens for communicating through the relay
- Supports plain Basic Profile SOAP requests
- Opt-in policy set by listening services
- Enables services to choose between relay-based access control and locally enforced end-to-end access control
Service Bus Summary
- Service Registry
- Relay and direct connect connectivity
- Publish/Subscribe
- Integrated with Access Control services
Access Control
Key developer challenges
- Many identity providers, many vendors, many protocols, complex semantics: tricky to get right
- Application strewn with one-off access logic
- Hard to get right, not agile, not compliant, many dead ends
Approach
- Automate federation for a wide range of identity providers and technologies
- Factor the access control logic out of the application into a manageable collection of rules
- Easy-to-use framework that ensures correct token processing
Access Control Interactions (diagram)
Parties: Your Access Control Project (a hosted STS); Relying Party (Your App); Requestor (Your Customer)
0. Certificate exchange between the Access Control project and the Relying Party; periodically refreshed
1. Define access control rules for a customer
2. Requestor sends claims to Access Control
3. Access Control maps input claims to output claims based on the access control rules
4. Access Control sends a token (the output claims from step 3) to the Requestor
5. Requestor sends a message with the token to the Relying Party
6. Claims checked in the Relying Party
Hosted Security Token Service
- Use the web site or web APIs…
- Define and manage application scopes; delegate access to scopes
- Define and manage access control rules: rules are defined within an application scope, and rules can be chained (e.g. 'bob' maps to 'manager', and 'manager' maps to 'allowed')
- Simple model: the output security token is a collection of claims based on the claims in the incoming token
- Define and manage claim types
- Define and manage signing and encryption keys
- Standards compliant: works with Java, Ruby, …
demo
Relay and End-to-End Security (diagram): the Client obtains credentials from the AC.W.N STS via RST/RSTR. An AC.W.N credential with appliesTo: Relay Endpoint is carried as the relayToken in a WS-Security header for the Relay, which requires an AC.W.N token; a second AC.W.N credential with appliesTo: Target Endpoint is carried in a WS-Security header to the Target Service for end-to-end security.
Access Control Summary
- Flexible, rules-driven access control
- Rich support for a wide range of identity providers
- The Geneva framework is the .NET developer experience
- Easy to incorporate into existing applications
- Works with lots of other environments; e.g. Sun's Java Metro 1.3, …
Workflow
Key developer challenges
- Want to easily describe long-running processes; want modularity and nesting
- Easy to describe, but in practice harder to run
- Hosting and scaling can be challenging: setup and installation, defining a scale-out approach, ensuring long-running availability, managing upgrades, …
Approach
- .NET 3.0/3.5/4.0 addresses key developer requests
- .NET Services makes it easy to deploy, manage and run workflows
Windows Workflow Foundation (diagram)
- WF Runtime: easily describe coordinated work with minimal ceremony
- Components: Tools/Designers, Activity Library, Runtime, Hosts
- Tooling: VS Designer, VS Debugger, Rehosted Designer
- Workflow Activity Library
- Hosts: IIS/WAS + "Dublin" (WorkflowService); your.exe ("Direct")
Workflow Service – Overview
- A portal at workflow.ex.azure.microsoft.com
- New activities for the Azure Services Platform
- APIs that allow you to deploy, manage, and run your workflows in the cloud
- Enables you to orchestrate services: connect to services in your enterprise anywhere on the Internet (uses the connectivity services); give your partners and customers access (uses the access control services)
Workflow Service – Basic Usage
A reliable, scalable off-premises host for workflows
1. Design Workflows: choose a WF model; use a WF designer; use the new Azure activities and a subset of the WF out-of-the-box activities
2. Deploy Workflows: upload and validate
3. Manage Workflow Types: add, delete, update, view instances
4. Manage Workflow Instances: create, run, control, track execution
Workflow Service – Design Flow (diagram)
1. Design Workflows: the Visual Studio WF Designer produces Workflow & Rules XAML (VS: one-click deploy)
2. Deploy Workflows, 3. Manage Workflow Types, 4. Manage Workflow Instances: from Your Apps & Services over http:// and the Service Bus, via the Workflow Portal, the WorkflowClient API, or the SOAP Web Service
Workflow Service Summary
- Execute workflows with high availability
- Design workflows using existing tools
- Easily deploy and manage workflows
- Portal for easy access
- Management APIs for rich automation
Call to Action
- Register for a .NET Services account & download the SDK: http://www.azure.com
- Try out the .NET Services in the HOLs area: HOLs for Service Bus, Access Control, Workflow, SQL Services, and Live Services
- Attend one of the many breakout sessions
Evals & Recordings
Please fill out your evaluation for this session. This session will be available as a recording at: www.microsoftpdc.com
Q&A: please use the microphones provided
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.