NIST Service Delivery Models

Separation of Responsibilities

“X as a Service” is commonly used to describe different types of cloud provisioning allowing different levels of developer/support control of the cloud setup.

Developers are most likely (but not exclusively) to use PaaS.

this is what we are using in the labs/coursework with Microsoft Azure WebApps (or Cloud Services) and Azure Storage

The cloud vendor typically provides a web-based management console for client administration purposes.

or there could be a RESTful API (or some other API)

or a remote ssh/PowerShell interface

Infrastructure as a Service (IaaS)

The cloud vendor provides a rentable infrastructure to support virtualization of OSs and network.

vendor outsources the equipment used to support operations, including storage, hardware, servers and networking components

the service provider owns the equipment and is responsible for housing, running and maintaining it

i.e. it provides a mechanism to provision physical or virtual machines

Typically the customer provides virtual machine images and installs any software dependencies thereon themselves.

cloud APIs, necessary software APIs, databases...

this is more work than PaaS but offers more flexibility can provide own OS images (or again pick from library) and installed software

the customer will administer the VM operating system

sometimes an easier transition to the cloud for complex legacy systems

Customer has full control to virtualise a network set-up.

also to configure firewalls, load balancers

Amazon EC2, Microsoft Azure Virtual Machines, Rackspace, Google Compute Engine, IBM SoftLayer

📷 Gartner 2016 - Cloud IaaS Players

Platform as a Service (PaaS)

The cloud vendor provides and manages a set of preconfigured VMs which the customer selects from.

Typically the preconfigured VM OS images will be mainstream offerings with pre-installed software to run cloud applications.

cloud APIs e.g. to access cloud storage, databases, service bus, performance metrics, security, application services...

optionally also a web server e.g. IIS or Apache

developed software is uploaded to VM from local development tools

customer has initial choice of OS image, VM location, scalability parameters, security but this is high level and at start

the customer will not administer the VM operating system nor deal with hardware

much simpler and faster to setup than IaaS

in the order of minutes...

Network set-up virtualised but typically abstracted and customer has no control.

better control is gradually being introduced (e.g. VPN control)

AWS Elastic BeanStalk, Microsoft Azure Cloud Services and Web Apps, IBM BlueMix, Google App Engine...

The practical work in this module is using PaaS i.e. Microsoft Web Apps in a public cloud.

PaaS in context...

From IBM BlueMix but generally applicable to PaaS offerings

Software as a Service (SaaS)

The cloud vendor provides packaged software applications running in the cloud aimed at end-users.

customer has no visibility of software, OS nor hardware underneath

Especially productivity and collaboration applications.

Google Apps, Office 365, Visual Studio Online, cloud-based file sharing....

Available on an on-demand basis.

Usually accessed through a web browser.

NIST Deployment Models

Deployment Models

Public cloud

owned by an organization selling cloud services

cloud infrastructure is available to the general public

Private clouds

owned or leased by a single organisation

no public access

cloud infrastructure for a single organization only, may be managed by the organisation or a 3rd party, on or off premise

A virtual private cloud is a logical subdivision of another cloud (public or private) which looks like an independent private entity.

has its own virtualised private network

Called a managed cloud if on-premise but managed by a 3rd party.

Community clouds

shared by several organisations

supports a specific community that has shared concerns

cloud infrastructure shared by several organisations that have shared concerns, managed by organisations or 3rd party

Hybrid clouds

composition of 2 or more clouds bound by a standard or proprietary technology

e.g. to enable data & application portability

e.g. to handle cloud bursting: bursts of data and computing surges

the application scales from the private to another cloud (typically a public cloud), utilising additional resources of the other cloud type during peak periods

2015 RightScale survey suggests 55% of enterprises planning for hybrid cloud.

Why?

functionality offered by different cloud platforms varies - need mix and match of “best of breed”

tools now exist to control provisioning and scaling in hybrid setups

in some cases less expensive to use and also accelerates product time to market

Some resource has to be kept local...

security and governance restrictions on location of workloads so some has to remain in private cloud

legal compliance issues with some types of data e.g. financial/healthcare so some data has to remain in private cloud

Security always remains a key concern.

Hybrid Cloud Architectures

Migration

split and port existing data and workloads

needs manual planning, porting and testing in new location

Interoperability

APIs and services allowing communication to integrate clouds and services

each cloud may invoke another cloud vendor’s management APIs

needs some sort of secure cloud gateway technology

manual setup and/or coding of connection technology needed

Abstraction

automated control of hybridisation and the whole hybrid cloud from a higher level which abstracts away from detail of a particular cloud platform technology

fully unified view of provisioning and scaling

dynamic migration of data and workloads

the future really...

Hybrid Cloud Gateways

Hybrid cloud interoperability technologies.

Built at low level using IaaS e.g. VPN gateways.

AWS Direct Connect

or use PaaS facility which will transparently map endpoints through a secure channel

Azure service bus a good example relaying communication across firewalls and NAT

can be used as both a relay and a queue

Azure Service Bus Relay

🔗 What is Azure Service Bus?

Taxonomy of Deployment Models

1 Management includes: operations, security, compliance, etc ...

2 Infrastructure implies physical infrastructure such as facilities, compute, network & storage equipment

3 Infrastructure Location is both physical and relative to an Organisation's management umbrella

4 Trusted consumers of service are those who are considered part of an organisation's legal/contractual umbrella including employees, contractors & business partners. Untrusted consumers are those that may be authorised to consume some/all services but are not logical extensions of the organisation.

NIST Definition of Cloud Computing

Visual Model of NIST Working Definition of Cloud Computing

Web and Worker Roles Pattern

A good example of an application architecture suitable for the cloud.

scalable multi-tier application

front facing web application

separately scaled and independent background processing connected asynchronously with a queue

separate scalable data repository

Web role: front facing with IIS; can perform simple tasks synchronously, but whenever any complex processing is required it will create a message and drop it into a queue. (Consists of 1 or more instances.)

One or more Azure queues (a type of cloud storage) which support asynchronous communication between the web role and the worker role.

Worker role: (consisting of 1 or more instances) which pull messages off the queue and perform slow or complex processing tasks.

Cloud Storage (such as non-relational Azure tables and blobs) that stores the system’s state and typically includes the result of the worker role’s processing tasks.

Queue-Based Load Levelling Pattern

In fact the worker and web role pattern incorporates this pattern.

A service might experience peaks in demand that cause it to become overloaded and unable to respond to requests in a timely manner.

Solution is to introduce a queue between the producer and the service acting as a buffer.

This can help to maximize availability because delays arising in services will not have an immediate and direct impact on the application, which can continue to post messages to the queue even when the service is not available or is not currently processing messages.

It can help to maximize scalability because both the number of queues and the number of services can be varied to meet demand.

MS Azure offers several queue/topic options with different characteristics.

Worker Roles and Web Roles

Worker Roles

hosted in Windows Server OS to carry out background tasks

standard .NET API libraries and any 3rd party APIs you add

Web Roles

all features of a worker role + IIS

really a modified and specialised worker role

ASP.NET

good news as standard .NET Web Applications can be deployed without modification

HTTP(S)

Cloud Services in VS

Cloud service maps to VS solution.

Roles map to VS projects.

meta-data control of deployment to Azure

e.g. connection strings values for cloud storage

There is also additional metadata about each role defined in XML.

includes VM size

we do not edit the XML – use the menu in VS to alter the properties!

different property configurations for emulation and cloud deployment

The cloud service can be locally emulated (see video).

uses a storage emulator (for cloud storage) and a compute emulator (for role instances) which come with the SDK

both started automatically

App Services - Lab 2

Basically deployment to a shared, multi-tenanted, already running VM instance hosting IIS.

exactly the same access to cloud storage

IIS features to “containerise” i.e. isolate each web application from one another.

little admin control (but do you need it?)

Very fast deployment (seconds) and much lower resource demands as the hosting VMs are already running.

App Services

Background processing available with WebJobs.

again “containerised”

architecturally simple - looks like a console app if developed in VS

can also be uploaded .jar, .php, .js and others

event driven e.g. can be woken up when a message appears in a queue

default is 1:1 relationship between app service instances and WebJob instances and both may be on same server, but each can also be scaled independently

web and worker role pattern still applicable –although entities have changed names...

WebJobs run continuously or at certain times or when a URL is accessed.

we will stick to continuous WebJobs and C#

Originally 3 different types:-

Web Apps

API Apps

Mobile Apps

As of 2017 there is no difference with respect to hosting them in the cloud and they are differentiated only by the API libraries used in the different types.

We are using a Web App which is basically a normal ASP.NET web application that has been coded to access Azure cloud storage.

so this is deployed as an “App Service”

BLOB = Binary Large Object

storage of binary data in a bucket which is opaque to the storage service

often contains metadata (label on the bucket) that allows one blob to be distinguished from another

example of content: videos, songs, pictures…

Queues

a classic first-in, first-out data storage structure

primarily used for passing data from one role to another in a loosely-coupled fashion

generally not used for long-term storage

scale really well

Non-Relational Tables

schema-less tables containing records (entities) with variable fields with max. size of whole record 1MB

database-like features but no referential integrity

all has to be handled by programmer

scale really well

All three:-

are a Microsoft product

have RESTful APIs

are not part of an app service or role instance but are separate entities

A bit like a “file system for the cloud”.

More about cloud storage in a later lecture.

The Fabric Controller (FC)

The “kernel” of the cloud operating system.

manages datacenter hardware

manages Azure cloud service and app service deployment

Four main responsibilities:-

data-center resource allocation

data-center resource provisioning

service lifecycle management

service health management

Inputs:-

description of the hardware and network resources it will control

published cloud service or app service

Microsoft Azure Tooling

Azure SDKs, see: 🔗 Get started with Azure

The thumbnails example is presented as an app service.

for you to try out...

there is video support

The coursework will use an app service (Web App) and the three types of storage.

The coursework Part A is very similar to this so make sure you have invested sufficient time and have gained a proper understanding. The coursework is aWebApp/WebJob.

App Services in VS

Web App maps to VS solution.

Web App and the WebJob each map to VS projects within the solution.

WebJob very similar to a console application

both are run locally as normal local applications

The app service storage can be locally emulated (see video).

all you need is the current version of the storage emulator (which needs to be started manually beforehand)

same storage emulator as cloud services

need to start the WebJob separately first

debug it locally before deploying it!

Deployment (see video):-

in the portal create a resource group, storage account and app service

change the connection strings in your solution

edit web.config and app.config XML directly

publish to cloud (10 secs...)

the WebJob starts automatically (runs continuously or at set times)

Thumbnails Data Flow