System Center 2012 R2 Explained: App Controller as a Single Pane of Glass for Cloud Management, A Primer

As IT architectures, methodologies, solutions, and cloud computing are rapidly converging, system management plays an increasingly critical role and has become a focal point of any cloud initiative. A system management solution now must identify and manage not only physical and virtualized resources, but those deployed as services to private cloud, public cloud, and in hybrid deployment scenarios. An integrated operating environment with secure access, self-servicing mechanism, and a consistent user experience is essential to be efficient in daily IT routines.

App Controller as a Single Pane of Glass

App Controller is a component and part of the self-service portal solution in System Center 2012 R2. By connecting to System Center Virtual Machine Manager (SCVMM) servers, Microsoft Azure subscriptions, and 3rd-party host services, App Controller offers a vehicle that enables an authorized user to administer resources deployed to private cloud, public cloud, and those in between without the need to understand the underlined fabric and physical complexities. It is a single pane of glass to manage multiple clouds and deployments in a modern datacenter where a private cloud may securely extend it boundary into Microsoft Azure, or a trusted hosting environment. The user experience and operations are consistent with those in Windows desktop and Internet Explorer. The following is a snapshot showing App Controller securely connected to both on-premise SCVMM-based private cloud and cloud services deployed to Microsoft Azure.


Delegation of Cloud Management

A key delivery of App Controller is the ability to delegate authority by allowing a user to connect to multiple resources based on user’s authorities, while hiding the underlying technical complexities.

image The security of App Controller is a role-based model by creating a user role in the Settings workspace using SCVMM admin console. The wizard in essence create a policy, or profile, of a created user role by defining the membership, scope, resource availability, tasks can be operated on authorized objects, etc. In other words, the security model not only restrict how much one can use, but also what one can operate on it. SCVMM-based cloud deployments employs this role-based security model to delegate cloud management to authorized users.

An user can then manage those authorized resources by logging in App Controller and authorized by an associated user role, i.e. profile. In App Controller, a user neither sees, nor needs to know the existence of cloud fabric, i.e. under the hood how infrastructure, storage virtualization, network virtualization, and various servers and server virtualization hosts are placed, configured, and glued together.

When first logging into App Controller, a user needs to connect with authorized datacenter resources including SCVMM servers, Microsoft Azure Subscriptions, and 3rd party host services.

Connecting with SCVMM Server

image The seamless integration within System Center family and Active Directory makes the connectivity between App Controller and SCVMM servers uneventful. Form App Controller UI, Settings/Connections is where to add a SCVMM server. Simply provide the FQDN and port to establish the connectivity. Notice 8100 is the default port employed by SCVMM as sown here. Once connected, the SCVMM VMs, cloud private services, and library resources the user is authorized to manage become visible with App Controller.

The user experience of App Controller is much the same with that of operating a Windows desktop. Connecting App Controller with a service provider on the other hand is per the provider’s instructions. However the process will be very similar with that of connecting with a Microsoft Azure subscription.

Connecting with Microsoft Azure Subscriptions

Connecting App Controller with Microsoft Azure on the other hands requires certificates and information of Microsoft Azure subscription id. This routine although may initially appear complex, it is actually quite simple and logical.

Establishing a secure channel for connecting App Controller with a Microsoft Azure subscription requires a private key/public key pair. App Controller employs a private key by installing the associated Personal Information Exchange (PFX) format of a chosen digital certificate, and the paired public key is in the binary format (.CER) of the digital certificate and uploaded to an intended Microsoft Azure subscription account. The following walks through the process.

Step 1 Acquire certificates

For those who are familiar with PKI, use Microsoft Management Console, or MMC, to directly export a digital certificate in PFX and CER formats from local computer certificate store. Those relatively new to certificate management should first take a look into what certificates IIS are employing first to better understand which certificate to use.

Optionally Review IIS Server Certificates

Since App Controller is installed with IIS, acquiring a certificate is quite simple to do. When installing App Controller with IIS, a self-signed certificate is put in place for accessing App Controller web UI with SSL.

image In IIS console, Server Certificate will list out all certificates visible to IIS. As needed, new certificates can be requested or created easily from the Actions pane of IIS Server Certificates UI, which is described elsewhere
image Here, there are two certificates listed. The self-signed certificate is created by installing App Controller, while the SSL certificate is later manually added. From Server Certificates, identify a target certificate to be used for connecting Microsoft Azure. Then use MMC to export certificates from the local computer certificate store.

Use MMC with Certificate Snap-In to Expert Certificates

The certificate store of an OS instance can be accessed with MMC.

image In a command prompt, type MMC and hit Enter to bring up MMC. Use CNTL-M or Add/Remove Snap-in from the File dropdown menu to add Certificate snap-in to manage the certificate stores of the local computer.
image From the local computer’s personal certificate store, highlight the target certificate to be employed for connecting with Microsoft Azure. Right-click and navigate to start the export process.
image Export the target certificate in PFX format with a password. The PFX one has the private key and stays with App Controller installed in the local compute.
image image
image Export the target certificate again in CER format which is the public key to be uploaded to Microsoft Azure.

The two export processes, for example, created two certificates for connecting App Controller with Microsoft Azure as the following.


Step 2 Upload CER format certificate to Microsoft Azure

image Log in Microsoft Azure with an intended account and go to SETTINGS. Click Upload from the lower task bar to upload a certificate.
image Specify the CER format certificate exported in Step 1. A CER format certificate has the public key of an associated digital certificate.
image Once uploaded, the certificate is listed.

Step 3 Record Microsoft Azure subscription ID

image To find out Microsoft Azure subscription ID, from the management portal click Subscriptions from the upper right navigation bar to access the dropdown menu. Click “Manage your subscriptions” to access subscription information. And select an intended Microsoft Azure subscription account.
image The highlighted area is where the subscription ID of the current account. This ID is needed for connecting App Controller with this Microsoft Azure subscription account.

Step 4 Connect App Controller with Microsoft Azure

image From App Controller, in the Setting workspace add a Microsoft Azure subscription. In the dialog, provide the intended Microsoft Azure subscription id recorded in Step 3. Pick the PFS format certificate and enter the password for accessing the private key. Click OK to initiate the connection.
image Once a connection is established between App Controller and an intended Microsoft Azure subscription, the connection is listed.
image In a moment upon establishing the connection, Microsoft Azure resources will become visible in App Controller. For instance, here in the Virtual Machines workspace, three Microsoft Azure VMs are listed. And now from App Controller, an authorized user can, for instance, directly manage Microsoft Azure VMs by simply right-clicking and choosing the option as shown.
image Go to Microsoft Azure portal and click to verify if App Controller correctly present what has been deployed to Microsoft Azure. In this case, examine the number of virtual machines and there are indeed three corresponding Microsoft Azure VMs deployed.

Closing Thoughts

Upon connecting to on-premise and off-premise datacenter resources, App Controller is a secure vehicle enabling a user to manage authorized resources in a self-servicing manner. Not only the technologies are fascinating, but this is about shortening go-to-market while maximizing efficiency by allocating and deploying resources based on a user’s needs. This is a key step in realizing of IT as a Service.

Additional information: