
SharePoint on Microsoft Azure

Date post: 15-Nov-2014
Upload: mohamed-faizal
Description:
SharePoint on Azure IaaS and VPN
Transcript
Page 1: SharePoint on Microsoft Azure

SharePoint on Azure
K. Mohamed Faizal

www.zquad.in / @kmdfaizal / https://www.facebook.com/kmdfaizal

Page 2: SharePoint on Microsoft Azure

K. Mohamed Faizal

http://zquad.in

www.zquad.in / @kmdfaizal

Use the hashtag #GWAB

Page 3: SharePoint on Microsoft Azure

Why SharePoint on Azure?

Page 4: SharePoint on Microsoft Azure

Cloud Models

[Figure: four stacks side by side (On Premises, Infrastructure as a Service, Platform as a Service, Software as a Service). Each stack lists the layers Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage and Networking, marked either "You manage" or "Managed by Microsoft".]

Page 5: SharePoint on Microsoft Azure

SharePoint Cloud Continuum

[Diagram axes: Control, Cost-efficiency]

SharePoint (On-premises)
• SharePoint
• Value prop: full h/w control (size/scale); roll-your-own HA/DR/scale

SharePoint (IaaS)
• Hosted SharePoint
• Value prop: 100% of API surface area; easy migration of existing apps; roll-your-own HA/DR/scale

Office 365 (SaaS)
• SharePoint Service
• Value prop: auto HA, fault tolerance; friction-free scale; self-provisioning, mgmt. @ scale

Page 6: SharePoint on Microsoft Azure

Internet sites in Azure — Why?

Focus on developing a great site
• Rather than building infrastructure

Scale out and in
• Size your solution for the demand
• Only pay for resources you need
• Dynamic machine allocation is not supported (auto scale)

Azure AD
• Take advantage of Azure AD for customer accounts

SharePoint functionality not available on Office 365
• Add deep reporting and web analytics

Page 7: SharePoint on Microsoft Azure

Service Level Agreements

99.9% for single role instances
• 8.75 hours of downtime per year

What's included
• Compute hardware failure (disk, CPU, memory)
• Datacenter failures: network failure, power failure
• Hardware upgrades, software maintenance (host OS updates)

What is not included
• VM container crashes, guest OS updates

99.95% for multiple role instances
• 4.38 hours of downtime per year

Page 8: SharePoint on Microsoft Azure

Azure architecture concepts for SharePoint

Page 9: SharePoint on Microsoft Azure

Example — Hybrid on-premises and Azure

Reference architecture for a Windows Azure-based disaster recovery environment to support an on-premises SharePoint farm.

[Diagram: a Windows Azure virtual network whose gateway subnet (VPN Gateway, active VPN) connects to the on-premises environment (Active Directory, Windows Server 2012 RRAS). Cloud services in the virtual network hold availability sets for Active Directory & DNS, Front End, Distributed Cache, Search Front End, Search Backend, Backend and Database.]

Page 10: SharePoint on Microsoft Azure

Medium Internet Sites farm

Example farm:
• ~85 page views per second
• 100 queries per second
• Corpus of 3,400,000 items
• Processes 100-200 documents per second

Paired hosts for fault tolerance.

Web servers
• Host A, Host B, Host C: Web Server
• Components shown on the web servers: Query processing, Managed metadata, Distributed cache, User Profile, Index Partition 0 replica
• To scale out: add an additional Web server to allow for an additional 28 page views per second.

Application servers
• Host D: Analytics, Content processing, Crawl, Admin
• Host E: Content processing, Crawl, Admin
• Host F: Content processing, Crawl
• To scale out: add 1 Application server with a crawl component and a content processing component to process an additional 40 documents per second.

Database servers
• Host G, Host H: All SharePoint Databases (Crawl DB, Analytics DB, Search admin DB, Link DB, all other SharePoint databases)
• Redundant copies of all databases using SQL clustering, mirroring, or SQL Server 2012 AlwaysOn

Page 11: SharePoint on Microsoft Azure

Medium farm in Azure

VPN gateway is optional.

Active Directory can stand alone or be configured as hybrid with the VPN connection.

[Diagram: a Windows Azure virtual network with an optional gateway subnet (VPN Gateway, active VPN) to the on-premises environment (Active Directory, Windows Server 2012 RRAS). Cloud services in the virtual network hold availability sets for Active Directory & DNS, Front End, App server and Database.]

Page 12: SharePoint on Microsoft Azure

Virtual network

A container where you define the IP address ranges your virtual machines will use. Please work with the customer to get the range of IP addresses for the cloud.

[Diagram: a Windows Azure virtual network next to the on-premises environment (Active Directory, Windows Server 2012 RRAS).]

Page 13: SharePoint on Microsoft Azure

Affinity Groups

Closely locate your compute, network and storage resources in the same datacenter
• Get better performance
• Get lower latency
• Reduce egress costs

Page 14: SharePoint on Microsoft Azure

Virtual Networks – Site-to-Site

[Diagram: a Windows Azure virtual network (subnets 1 to 3, DNS server) behind the WA Gateway, joined by a Site-to-Site VPN to your on-premises datacenter, which terminates the tunnel on a hardware VPN device or Windows RRAS.]

Page 15: SharePoint on Microsoft Azure

Virtual Networks – Point-to-Site

[Diagram: the same virtual network (subnets 1 to 3, DNS server) and WA Gateway. In addition to the Site-to-Site VPN from your datacenter (hardware VPN or Windows RRAS), individual computers behind the corporate firewall and remote workers connect with a Point-to-Site VPN.]

Page 16: SharePoint on Microsoft Azure

Virtual Network and ExpressRoute

Scenario 1: IPSec VPN over internet
• Connect via an encrypted link over public internet

Scenario 2: Exchange Provider
• Peer at an ExpressRoute location, an Exchange Provider facility

Scenario 3: Network Service Provider
• Connection from a WAN provided by a Network Service Provider (e.g. telco). Azure becomes another site on the customer's WAN network.

Virtual Network: compute only.
ExpressRoute: provides customer choice and includes access to compute, storage, and other Azure services.

[Diagram: for each scenario, the path from the customer DC or customer sites to Windows Azure: over the public internet, through an ExpressRoute partner location, or over the provider's WAN.]

Page 17: SharePoint on Microsoft Azure

Site-to-Site VPN gateway and subnet

When you set up a VPN connection, the VPN service resides in a separate subnet. Windows Azure manages the primary and secondary instances of this service for high availability. You will not see the secondary instance. You do not need to configure high availability for the VPN service.

[Diagram: the gateway subnet of the Windows Azure virtual network holds the VPN Gateway with an active VPN instance connected to the on-premises environment (Active Directory, Windows Server 2012 RRAS) and a standby VPN instance. Standby VPN: not visible, automatically configured and managed by Azure.]

http://msdn.microsoft.com/en-us/library/windowsazure/jj156075.aspx

Personally tested the following devices: the Cisco 1921 ISR router is part of the 1900 family; it is supported by Azure.

Important: take note of your procurement process, device delivery and public IP requirements.

Page 18: SharePoint on Microsoft Azure

Cloud services

Cloud services are typically used to group VMs by role based on functionality that takes place at the cloud service level.

Plan cloud services before creating VMs!

[Diagram: three cloud services in the Windows Azure virtual network (Active Directory and DNS, SharePoint Server roles, Database servers), with the gateway subnet (VPN Gateway, active VPN) connecting to the on-premises environment (Active Directory, Windows Server 2012 RRAS).]

Page 19: SharePoint on Microsoft Azure

Cloud services — best practices

Keep it simple
• Start the design with one cloud service
• Add additional cloud services to the design only if necessary

“The client application must reside on a different cloud service than the one that contains your availability group VMs. Windows Azure does not support direct server return with client and server in the same cloud service” http://msdn.microsoft.com/en-us/library/windowsazure/dn376546.aspx

[Diagram: three cloud services (Active Directory and DNS, SharePoint Server roles, Database servers). Callouts: "Starting this cloud service first helps with IP configuration"; "Requirement for using a listener with SQL availability groups"; "All SharePoint roles, Office Web Apps".]

Page 20: SharePoint on Microsoft Azure

Cloud services

Cloud services are typically used to group VMs by role based on functionality that takes place at the cloud service level.

[Diagram: cloud services in the Windows Azure virtual network for AD servers, SharePoint servers and database servers, with an optional gateway subnet (VPN Gateway, active VPN) to the on-premises environment (Active Directory, Windows Server 2012 RRAS).]

Page 21: SharePoint on Microsoft Azure

Active Directory for SharePoint solutions

The configuration of Active Directory in this example constitutes a hybrid deployment scenario in which Windows Server AD DS is deployed both on-premises and on Windows Azure Virtual Machines.

MSDN: Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines

[Diagram: within the Windows Azure virtual network, one cloud service holds an availability set for Active Directory & DNS; the optional gateway subnet (VPN Gateway, active VPN) connects to the on-premises environment (Active Directory, Windows Server 2012 RRAS).]

Page 22: SharePoint on Microsoft Azure

Active Directory hybrid best practices — Reference

Important — Before deploying Active Directory in Windows Azure, read Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines http://msdn.microsoft.com/en-us/library/windowsazure/jj156090.aspx

[Diagram: hybrid on-premises and cloud. A cloud service with an availability set for Active Directory & DNS in the virtual network, connected through the VPN Gateway to Active Directory in the on-premises environment.]

Example settings for two VMs in Azure configured as domain controllers

Item: Setting
• Size: Small
• Operating system: Windows Server 2012
• Active Directory role: Active Directory Domain Services domain controller designated as a global catalog server. Reduces egress traffic across the VPN connection. In a multi-domain environment with high rates of change, configure domain controllers on premises to not sync with the global catalog servers in Windows Azure.
• Data disks: Place the Windows Server AD DS database, logs, and SYSVOL on Windows Azure data disks. Do not place these on the Operating System disk or the Temporary Disks provided by Azure!
• DNS: Install and configure Windows DNS on the domain controllers.
• IP addresses: Use dynamic addresses

Page 23: SharePoint on Microsoft Azure

Web Front End Tier

Availability Set #1: three front-end VMs, each XL - 8 cores / 14GB

Roles on each VM: Front End Services, Distributed Cache, Workflow Manager, Query Processing, Index Partition #0 replica

Disks on each VM:
• C: (System) 127GB
• D: (Page File, Blob Cache) 604GB
• E: (Log) 40GB
• F: (Index) 500GB

[Diagram: the farm layout (virtual network, optional VPN gateway to the on-premises environment, Active Directory & DNS availability set) with the Front End availability set added.]

Page 24: SharePoint on Microsoft Azure

App Server Tier

Availability Set #2: two application server VMs, each XL - 8 cores / 14GB

Roles on each VM: Content Processing, Admin, Crawl, Analytics, Back End Services

Disks on each VM:
• C: (System) 127GB
• D: (Page File) 604GB
• E: (Log) 40GB
• F: (Analytics) 300GB

[Diagram: the farm layout (virtual network, optional VPN gateway to the on-premises environment, availability sets for Active Directory & DNS and Front End) with the App server availability set added.]

Page 25: SharePoint on Microsoft Azure

Data Server Tier

Availability Set #3: two database server VMs, each XL - 8 cores / 14GB

Availability Group #1, Availability Group #2, Availability Group #3

Databases shown: Search, Content, Content, Configuration, Service Applications

Disks on each VM:
• C: (System) 127GB
• D: (Page File) 604GB
• E:, F:, G:, H: (TempDB Files) 500GB
• I: (TempDB Logs) 500GB
• L: (Transaction Logs) 500GB
• J:, K:, M:, N: (Content Data) 1024GB
• O: (Search Databases) 1024GB

[Diagram: the farm layout (virtual network, optional VPN gateway to the on-premises environment, availability sets for Active Directory & DNS, Front End and App server) with the Database availability set added.]

Page 26: SharePoint on Microsoft Azure

Design app servers for availability sets

• 2 out of 3 VMs in an availability set can be on the same rack.
• Add additional instances of components to ensure availability.
• Design topologies first for scale, then fine tune server roles for availability sets.

Before
• Host D (Application Server): Analytics, Content processing, Crawl, Admin
• Host E (Application Server): Content processing, Crawl, Admin
• Host F (Application Server): Content processing, Crawl

After
• Host D (Application Server): Analytics, Content processing, Crawl, Admin
• Host E (Application Server): Analytics, Content processing, Crawl, Admin
• Host F (Application Server): Analytics, Content processing, Crawl, Admin

Page 27: SharePoint on Microsoft Azure

Zones and authentication

Three zones — Works with cross-site publishing
• Separation of internal and customer accounts.
• Different URLs for customer accounts and internal accounts.
• Use zone policies to limit customer actions within a web application.

Page 28: SharePoint on Microsoft Azure

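Extranet and Public-Facing Internet

[Diagram: a SharePoint 2013 farm in a Windows Azure cloud service and virtual network. One web application exposes an Internet Zone (anonymous), an Extranet Zone and a Default Zone; the authentication labels shown are Windows, SAML and FBA. Identity sources shown are Active Directory Domain Services and Windows Azure Active Directory in Azure, and Active Directory on premises. Site developers and authors connect from on premises through the VPN tunnel; partners, customers and visitors come in from the internet.]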

Page 29: SharePoint on Microsoft Azure

Managing identity for Internet sites

Active Directory
• Dedicated Active Directory domain in Windows Azure?
• OR, hybrid with an on-premises AD?

Accounts for site developers and authors
• Add accounts to the domain in Windows Azure
• Use ADFS on premises to federate the internal accounts to a separate Active Directory environment in Windows Azure.
• Or, use the hybrid design.

Accounts for customers
• Windows Azure Active Directory is a good choice
• Or, any SAML-based provider

Page 30: SharePoint on Microsoft Azure

Internet sites — using Azure AD for customer accounts

Separate user accounts from Active Directory
• Does not replace need for local Active Directory for SharePoint

Sync with on-premises for SSO
• DirSync with on-premises Active Directory

[Diagram labels: Azure Active Directory Tenant; ACS Tenant; SAML 2.0, WS-Fed; SAML 1.1, WS-Fed.]

Page 31: SharePoint on Microsoft Azure

End Point Configuration

Page 32: SharePoint on Microsoft Azure

Endpoint Configuration

[Diagram: visitors and customers, the cloud service, and its Front End availability set.]

Page 33: SharePoint on Microsoft Azure

End Point Monitoring

Page 34: SharePoint on Microsoft Azure

DR Setup

Page 35: SharePoint on Microsoft Azure

IaaS and Disaster Recovery

[Diagram: the on-premises farm (web servers, application servers, directory servers) connected over a VPN tunnel to a Windows Azure virtual network and cloud service holding the DR VMs: SQL DR1 and SQL DR2 (A6), SP DR1 to SP DR5 (Large) and AD1 (X-Small). The link between the sites is labelled SQL Server Log Shipping.]

Page 36: SharePoint on Microsoft Azure

Enabling Auto-Failover – Azure Traffic Manager

• The Front End servers ‘cloud service’ for two farms is configured in ‘Failover’ load balancing mode
• TM keeps checking the ‘online’ service based on ongoing endpoint monitoring
• Primary Farm ‘cloud service’ is the ‘first’ service in the ordered list
• A custom job keeps polling TM to check the ‘Active’ service
  • Sends alerts when TM fails over to the secondary service
  • Can take appropriate actions based on the type of ‘failover’

Page 37: SharePoint on Microsoft Azure

Temporary Failover

1. Primary Farm goes down
2. TM recognizes that the farm is down and routes traffic to the DR farm
   1. No change in URLs
3. Visitors access the site in read-only mode (from DR farm)
4. Custom Job
   1. Detects TM has switched the traffic
   2. Pauses the restore log to avoid user disconnection

[Diagram: the Primary and DR farms side by side, each with subnets 1 to 4, availability sets 1 to 4 and their cloud services, plus a SQL Server AlwaysOn Availability Group and BLOB storage. The DR farm is marked Read Only; numbered callouts 1 to 4 match the steps above.]

Page 38: SharePoint on Microsoft Azure

Permanent Failover

1. Primary Farm does not come back
   1. Permanent Failover is decided (e.g. based on time window)
   2. Service Disruption expected (for some time)
2. Databases are brought online (DR farm)
   1. Tail log backups are taken from Primary farm (if possible)
   2. All pending logs are applied (both instances)
   3. DBs are brought to RECOVERY (both instances)
   4. DBs are added to AlwaysOn Availability Group
3. SharePoint Servers Configured (DR Farm)
   1. SQL Aliases are configured to point to AG Listener
   2. Site becomes Read Write
   3. Search Decision – Backup/Restore or Continue as is
4. TM – DR farm is made the Primary Endpoint

[Diagram: the Primary and DR farms side by side, each with subnets 1 to 4, availability sets 1 to 4 and their cloud services, plus a SQL Server AlwaysOn Availability Group and BLOB storage. Numbered callouts match the steps above.]
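The decision logic for the custom job from the Traffic Manager and failover slides, as an added example that is not part of the original deck or of any Microsoft script. The farm host names, the four-hour window and the action names are assumptions; the job also alerts when the profile resolves to a name that is neither farm.

```powershell
# Added example: decision logic for a Traffic Manager failover watcher.
# Host names, the four-hour window and the action names are assumptions.
$PrimaryEndpoint = 'primaryfarm.cloudapp.net'  # hypothetical primary front-end cloud service
$DrEndpoint      = 'drfarm.cloudapp.net'       # hypothetical DR front-end cloud service
$PermanentAfter  = [TimeSpan]::FromHours(4)    # assumed time window before permanent failover

function New-FailoverState {
    [pscustomobject]@{ Active = $PrimaryEndpoint; FailedOverAt = $null; Permanent = $false }
}

function Update-FailoverState {
    param(
        [Parameter(Mandatory = $true)] $State,
        [Parameter(Mandatory = $true)] [string]   $ObservedEndpoint,
        [Parameter(Mandatory = $true)] [datetime] $Now
    )
    $observed = $ObservedEndpoint.TrimEnd('.').ToLowerInvariant()
    $actions  = @()

    if ($observed -ne $PrimaryEndpoint -and $observed -ne $DrEndpoint) {
        # The profile resolves to a name that is neither farm: misconfiguration
        # or tampering. Alert only; never pause or resume log restore on this.
        $actions += 'Alert:UnexpectedEndpoint'
    }
    elseif ($State.Permanent) {
        # Permanent failover already declared; the failover runbook owns the farm now.
    }
    elseif ($observed -eq $DrEndpoint -and $State.Active -eq $PrimaryEndpoint) {
        # Temporary failover: TM has switched traffic to the DR farm.
        $State.Active = $DrEndpoint
        $State.FailedOverAt = $Now
        $actions += 'Alert:FailedOverToDR', 'PauseLogRestore'
    }
    elseif ($observed -eq $DrEndpoint -and ($Now - $State.FailedOverAt) -ge $PermanentAfter) {
        # Primary has stayed down past the window: raise the permanent-failover decision once.
        $State.Permanent = $true
        $actions += 'Alert:PermanentFailoverWindowReached'
    }
    elseif ($observed -eq $PrimaryEndpoint -and $State.Active -eq $DrEndpoint) {
        # Primary came back inside the window (resuming log restore is an assumption).
        $State.Active = $PrimaryEndpoint
        $State.FailedOverAt = $null
        $actions += 'Alert:PrimaryRestored', 'ResumeLogRestore'
    }
    return ,$actions
}

# Constructed observations: the CNAME target seen when resolving the TM profile.
# A live job could read it with (Resolve-DnsName <profile> -Type CNAME).NameHost.
$t0 = [datetime]'2014-11-15T10:00:00'
$observations = @(
    @{ At = $t0;                Cname = 'primaryfarm.cloudapp.net' },
    @{ At = $t0.AddMinutes(5);  Cname = 'drfarm.cloudapp.net.' },
    @{ At = $t0.AddMinutes(10); Cname = 'other.example.net' },
    @{ At = $t0.AddHours(5);    Cname = 'drfarm.cloudapp.net' }
)
$state = New-FailoverState
foreach ($o in $observations) {
    $actions = Update-FailoverState -State $state -ObservedEndpoint $o.Cname -Now $o.At
    '{0:HH:mm}  {1,-26} -> {2}' -f $o.At, $o.Cname, ($actions -join ', ')
}
```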

Page 39: SharePoint on Microsoft Azure

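Highly Available Template

• Web Tier (availability set AVSETSPWEB): 2 x Large (4 Cores & 7 GB)
• App Tier (availability set AVSETSPAPP): 2 x Large (4 Cores & 7 GB)
• Data Tier (availability set AVSETSQLHA): 2 x A6 (4 Cores & 28 GB), 1 x Small (Quorum) (1 Core & 1.75 GB)
• Identity Tier (availability set AVSETDCSET): 2 Small (1 Core & 1.75 GB)

[Diagram: a Windows Azure cloud service and virtual network containing the AD/DC/DNS, WEB, APP and SQL VMs behind a load balancer (LB); port labels 80 and 20000.]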

Page 40: SharePoint on Microsoft Azure

SharePoint 2013 Automation Scripts

PowerShell scripts that use Remote PowerShell for automated deployment of Active Directory, SQL Server and SharePoint 2013.

Two sample configurations available
• HighlyAvailable and SingleVMs

Download from GitHub
• https://github.com/windowsazure/azure-sdk-tools-samples

Page 41: SharePoint on Microsoft Azure

Internet sites — lessons learned

Custom DNS and CNAMEs
• CNAMEs for <cloud service name>.cloudapp.net

Cannot add additional NICs
• Single web application, host header site collections
• Multiple web applications, use SNI in IIS8

Default zone as HTTP, Windows Claims
• Extend to HTTPS (extending HTTPS doesn’t work)
• Multiple zones with HNSC requires Set-SPSiteURL
• Default zone must be Windows claims for Search crawler

Cross Site Publishing default zone only
• Catalog being published must have only one zone
• Consuming site collection may have multiple zones

SQL DB and Data disk

Page 42: SharePoint on Microsoft Azure

Internet Sites — Content

Solution model
• Copy and modify architecture diagrams for your solutions (Visio version, PDF version)

Solution articles on TechNet
• Internet Sites in Windows Azure using SharePoint Server 2013: http://technet.microsoft.com/en-us/library/dn635307(v=office.15).aspx
• Windows Azure Architectures for SharePoint 2013: http://technet.microsoft.com/en-us/library/dn635309(v=office.15).aspx
• Configure Windows Azure Active Directory with SharePoint 2013: http://technet.microsoft.com/en-us/library/dn635311(v=office.15).aspx

Design sample
• Start your own design for sites, services, zones, authentication, and URLs (Visio version, PDF version)

Page 44: SharePoint on Microsoft Azure

We are here to help.

Thank you,
By Mohamed Faizal

Questions?

