When Free Is Not Enough

Beginning today, Microsoft is offering developers free access to Windows Azure through the end of June.  The offer includes compute time, storage space, SQL Azure database and AppFabric features for Access Control and Service Bus.  See the announcement for details.

This offer should be very appealing to many, many developers and ISVs.  Interestingly, it is not a compelling offer for us.  Why not?  Well, I think the answer is worth passing on.

Microsoft’s free Azure offer is not valuable to those already developing on Azure.  Two perspectives on this fact are:

  • Microsoft has carefully crafted the offer in order to keep paying customers paying
  • Cloud computing is so cheap that the transition cost to “free” is too expensive

I don’t see much value in arguing one way or another about the first point.  Our speculation on this point is no more (or less) valuable than anyone else’s.  We are living proof of the second point, however.  Our monthly Azure expenses are so low, that it’s not work the effort to temporarily switch to “free” and switch back when it runs out.  In this case, the opportunity cost (of lost development work, etc.) is far higher than “free.”

Sometimes free just isn’t enough!

What’s New in Azure Guest OS 2.2?

This Azure Guest OS release come two months after the previous (v. 2.1).  Does this release provide minor changes, or does it include patches for substantial security issues?  Let’s dig and find out.

Microsoft announced Windows Azure Guest OS 2.2 (Release 201101-01) which contains 11 specified security patches.  More specifically, this Azure Guest OS is comprised of:

  • Windows Server 2008 R2, plus
  • All security patches through December, 2010, and
  • 2 updates to previous security patches

The 11 specified patches specified in the bulletin fall in to a few vulnerability categories.  9 of the patches were included in December’s Security Bulletin; the 3 marked with ‘*’ are patch updates.  The bulletin IDs, ‘MS10-…’ gives away that they originated in 2010.

Vulnerability Bulletins
Elevation of Privilege MS10-092, MS10-098, MS10-100
Remote Code Execution MS10-077*, MS10-091, MS10-095, MS10-096
Denial of Service MS10-101, MS10-102
IE Cumulative Updates MS10-090*
ASP.NET, Information Disclosure MS10-070*

MS10-070 & MS10-077 were originally released last year in September and October, respectively.  MS10-090 was originally released in December, 2010, but was update in early January, 2011.

Even though most of these were in December’s Security Bulletin, we should take a look at the criticality and exploitability ratings for each (relative to Windows Server 2008 R2 for x64 only; impacts to Itanium-based systems my differ slightly)

Bulletin Severity Rating Exploitability Rating
MS10-090 Critical Consistent Exploit Code Likely
MS10-091 Critical Consistent Exploit Code Likely
MS10-092 Important Consistent Exploit Code Likely
MS10-095 Important Consistent Exploit Code Likely
MS10-096 Important Consistent Exploit Code Likely
MS10-098 Important Consistent Exploit Code Likely
MS10-100 Important Consistent Exploit Code Likely
MS10-101 Important Functioning exploit code unlikely
MS10-102 Important Functioning exploit code unlikely

So, I think it’s safe to assess that this new Azure Guest OS includes some very significant security patches.  Agree? Don’t agree?  Leave a comment for us below.

Better Management Certificates for Azure

As I wrote earlier this week, the Silverlight-based Management Portal may be the best feature of Azure’s 1.3 release.  It is a handsome UI, Azure components are far easier to access, and (most importantly) the amount of time required for common tasks is sharply reduced.

This post is only partly about the Management Portal, however.  The certificate generating code in the Azure Tools for VS 2010 is also involved.

The Problem

Although it’s nice to be able to create the necessary management certificate from within Visual Studio, the resulting certificate naming is confusing.  The following dialog shows an existing certificate and the selection for creating a new certificate.

AzVSTools - Certificate Selection

When this tool creates a certificate, it sets the Friendly Name you entered and sets Issued By to Windows Azure Tools.  No big deal, right?  Right – until you add the certificate via the Azure Portal….

Azure Mgmt - Mgmt Certs with Comments

This view of the portal shows the Management Certificates, but you can’t really tell which is which.  For example, which of the two certificates corresponds to the one with Friendly Name: Deployment Credentials in the Azure Tools dialog?  You really can’t tell unless you are able to distinguish them by their thumbprints or validity dates.  Why doesn’t Deployment Credentials  appear in one of the fields?  Well, let’s take a quick look at the certificate in Certificate Manager (certmgr.msc).

CertMgr - Personal Certs - Windows Azure Tools-Deployment Credentials

When Azure Tools created the certificate, it set Windows Azure Tools in the Issued To and Issued By fields.  The name I provided the tool appears in the Friendly Name field.  I’m glad that I can distinguish the certificate in my local store with the friendly name, but it’s only known in my local store.  That’s the problem: Friendly Name is not part of the certificate; it’s metadata associated with the certificate, and only locally.

What’s A Better Way?

Instead of using the Azure Tools to create a certificate, use the MakeCert tool.  Azure only accepts certain certificates (X.509, 2k-bits, SHA1, etc.), so you have to provide a few specific parameters.  Here’s a sample command line:

makecert -sky exchange -r -n “CN=<CertName>” -pe –a sha1 -len 2048 -ss My “<CertFileName>”

where CertName specifies the name you want to appear in Name field in Management Certificates of the management portal, and CertFileName specifies where to store the certificate file on your local drive.

Now, when you upload the certificate to the management portal, you can easily distinguish the certificates.

Azure Mgmt - Mgmt Certs - Better Names2

Then, when you Publish from Visual Studio, simply choose the appropriate certificate from the list.

AzVSTools - Certificate Selection2

Admittedly, the Friendly Name isn’t set, but you have no trouble distinguishing between certificates in either Visual Studio or Azure’s Management Portal.

BIG Release of Azure Components This Week!

Windows Azure SDK 1.3 (a.k.a., November release) has just been released.  You can download just the SDK, but if you’re using Visual Studio, use the Windows Azure Tools for Visual Studio instead.  This package, VSCloudService.exe, includes the SDK package.

The major features / benefits of this release include:

  • Management Portal – the new Silverlight-based portal may be the most significant improvement of this release.  Managing Roles, Storage, Service Bus, Access Control, etc. are so much easier to access, and the portal’s performance improvements make a substantial impact on management tasks.
  • Full IIS – Finally! Each Web Role can host multiple sites – web apps, services.  Additionally, developers can now install IIS modules as well (some apps haven’t been migrated due to dependence on 3rd party or custom modules)
  • Remote Desktop – I’ve been looking forward to this for a while!  Being able to connect to Azure Roles and VMs via RDP is going to make a huge difference in so many ways – configuration, deployment, debugging, etc.
  • Windows Server 2008 R2 – Azure Roles and VMs can now be based on R2 which brings in IIS 7.5, ability to restrict what apps can run via AppLocker, PowerShell 2.0 for better administration and automation.
  • Elevated Role Privileges – I’m not so sure this is a really good idea, but it’s in now.  Azure Roles allow running with administrator privileges (sounds like “running with scissors”).  I can imaging some scenarios in which a Worker Role does a bit of admin level work, or a Web Role hosting a custom administrative portal.  But, in general, devs need to be very careful with this “feature.”
  • Multiple Admins – Multiple Live IDs can be assigned admin privileges in an Azure account.  This provides better traceability when you’re doing around-the-clock administration.  But it may also introduce risk of “stepping on each other’s toes” problems.

Also in this round of updates are a couple of betas and CTP.

  • Extra Small Instance – in BETA – at just 5 cents per compute hour, the Extra Small Instance is less than half the cost of the Small Instance (12 cents per compute hour). At the time of this writing, the Extra Small Instance is comprised of 1.0 GHz CPU, 768 MB RAM, 20 GB local storage and “low” I/O Performance.
  • Virtual Machine Role – in BETA – Now you can define and manage your own virtual machine. Based on the (very) little info I have right now, the VM is based on a differencing disk over a Windows 2008 Server R2 VM.  That limits the options of what to run in the VM.  IMO, this is the last check-box for Azure qualifying as Infrastructure as a Service (IaaS).
  • Azure Connect – in CTP – Connect provides the ability to create a virtual network between multiple devices. For example, if companies A & B want two of their systems to communicate with each other, those systems connect to Azure, establish the private network, and then communicate directly between A & B.  I really want to test this one out!

Clemens Vasters’ Scheduler-Agent-Supervisor Pattern

Microsoft’s Clemens Vasters published a pattern the Azure team is using which he calls the Scheduler-Agent-Supervisor pattern (http://blogs.msdn.com/b/clemensv/archive/2010/09/27/cloud-architecture-the-scheduler-agent-supervisor-pattern.aspx)

This pattern is reminiscent of the solution we architected and implemented a few years ago (at a much smaller scale, obviously).  We used SQL Server for persistent storage of pipelines of step-wise tasks, .NET-based agents and a good ol’ Windows Service to execute the pipelines.  The service polled for pipelines waiting for work to execute, instantiate the appropriate agents for the work and provide context and threads for agent execution.  After quite a bit of rigorous stress and negative testing, the system proved to be very efficient.  Separately, it was actually very adaptable to other purposes since the agents implemented the business logic — new agents or agents used in different ways could implement different functionality.

Ok, enough of what we did before.  Clemens’ post builds on the Scheduler-Agent pattern by adding a Supervisor.  This Supervisor appears to be a sort of über-agent which is scheduled to check for problems in the pipelines (i.e., lists of tasks) and attempt to correct them.  Clemens writes,

“If the agent keels over and dies as it is processing the step [pipeline task] (or right before or right after), it is obviously no longer in a position to let the scheduler know about its fate.”

In these cases, the pipeline is likely in an indeterminate state.  The scheduler has handed off the responsibility to the agent, but the agent hasn’t reported that it has finished its work (or even that it encountered an error).  Enter the Supervisor.  Just look for incomplete work and start over, right?  Well, it’s not a simple as it seems at first.  What if the agent had calculated and added tax to a total amount and then died just before reporting that it was done?  The Supervisor shouldn’t trigger this agent to execute again because the tax would be added a second time.  This particular case is very simple, but you get the point.  The entire Schedule-Agent-Supervisor pattern requires a level of atomicity in various areas to reduce these risks.

In case anyone is curious to know how we dealt with this in our solution a few years ago, we used a “supervisor,” too:  a developer who found the broken agent in the database and reset it!  How’s that for sophisticated? 😉

Amazon’s Free Usage Tier

Yesterday Amazon announced its new AWS Free Usage Tier.  The announcement says that this tier will include:

  • 750 hrs / month of compute instance
  • 750 hrs / month of Elastic Load Balancer
  • 10 GB Elastic Block Storage
  • 5 GB of S3 Storage
  • 30 GB data transfer (caveats: 15 GB each for ingress & egress; CloudFront excluded)

Additional caveats or restrictions include:

  • Availability is limited to new AWS customers only
  • Ends one year after registration
  • Requires a valid credit card during registration
  • Only available with the smallest compute instance, micro Linux ECS

So, is this a really big deal?  Is it reshaping cloud computing?  Well, not really.  Some quick calculations indicate that the offering is worth about $450 over 12 months, but that assumes leveraging each aspect to its full free level (e.g., using 5 GB of S3 Storage each month).

That’s no small amount for many individual developers.  Developers working in companies or on teams will probably find the limitations too tight to be useful in their environment.

From a competitive stand-point, Amazon’s new offer isn’t much different than Microsoft Azure’s Introductory Special offering.  Azure also has additional month-to-month plans and developer subscriptions.  (Full disclosure: I haven’t researched AWS developer pricing options)

UPDATE: Also see PK’s post on this topic

Technorati Tags: ,,

Azure’s Global DNS changes coming tonight!

If you have any production Azure systems or cloud components you depend on (overnight testing, etc.), you should keep an eye on tonight’s DNS switch-over.

As the blog posting on 9/24 announced, Azure’s DNS is “…moving to a new globally distributed infrastructure…” to “…increase performance and improve reliability….”  This change is set to occur at midnight UTC on 9/5.

Midnight UTC on 9/5 maps to:

8:00 PM today (9/4) in Atlanta, New York, Boston, etc.

5:00 PM today (9/4) in Redmond, Silicon Valley, etc.

Technorati Tags: ,,

No Swimming for 30 Minutes After Azure DNS Changes

The Windows Azure team recently published Windows Azure Domain Name System Improvements.  If you only saw this on Twitter, or just took a cursory glance the announcement, you probably just thought, “Good.  Azure’s DNS will be faster.” and moved on to something else.  It’s important to note, however, that the announcement also includes some gotchas.

DNS Entry Propagation

Although DNS entry propagation delays are not new, you’ll need to keep the following issues in mind regarding Azure’s DNS infrastructure:

  1. New DNS entries may take up to 2 minutes to propagate through all of Azure’s global DNS system
  2. Systems that cache responses to DNS queries (such as web browsers, DNS Client, etc.), typically cache responses for about 15 minutes.

So, What’s the Problem?

These issues can add up to significant pain when you are launching a new Azure application, service, etc.  The end users of the application or service may receive errors due to these timing issues, and first impressions are often lasting impressions.

The problem due to the first item above is the more obvious: When you create a new entry in Azure’s DNS, you should wait at least two minutes before expecting DNS queries will receive the right answer.  Any DNS queries occurring inside this two minute window may encounter an “entry not found,” “DNS Not Found” or similar error.  When this error situation occurs, it can be compounded by the second problem…

Most systems which query DNS (e.g., Windows’ DNS Client) will also cache the response for a period of time – typically 15 minutes.  If a system queries DNS inside the 2 minute window and then caches the resulting error, subsequent queries for that entry will typically be resolved by the cache and will respond with the error.  If you try to use the name in your web browser, for example, it may take as much as 15 minutes until you stop getting the cached error and actually get the right answer.

You can manually flush the local DNS cache on Windows systems using ipconfig /flushdns, but be aware that this method does not impact other caching systems along the DNS resolution route.

Theoretically, an additional 15 minutes could be incurred if the route for DNS resolution changes between queries.  But the incidence of this scenario is very rare.

Risk Reduction

The best practice for reducing the risk of these errors occurring – and the resulting negative impressions – is to get your DNS house in order in advance.  Simply registering the appropriate names (DNS entries) well in advance of publishing the application or system should eliminate these issues.  Early registration also gives your team an opportunity to verify / test the name resolutions in advance.

In a situation in which we were forced to “live on the edge” and quick-publish software, we would wait at least 30 minutes before announcing that the software was ready to access.

OAuth & WRAP for Development Teams

We posted some code to CodePlex which smooths OAuth integration for development teams.

Enable Multiple Action Claims in AppFabric WRAP/SWT Sample

If you’re using the ASPNETSimpleService sample for investigating Azure’s August release of AppFabric (currently in AppFabric Labs), you might like to know a simple change to enable more action claims.

The sample provides instructions for creating the necessary ‘reverse’ value for the ‘action’ claim in an ACS Rule Group.  But what happens if you have more than one ‘action’ claim in the rule group (either by adding or by reusing an existing rule group)?  The sample breaks and renders WebException, (401) Unauthorized.  What gives?

The client app retrieves a SWT from AppFabric’s ACS and passes it to the web service.  The web service (implemented in the sample’s default.aspx) verifies that the SWT contains the ‘reverse’ value of the ‘action’ claim.  Unfortunately, the sample expects the SWT to look like:

“action=reverse&Audience=http://localhost:8000/Service/&ExpiresOn=1281474685&Issuer=https://<your-namespace>.accesscontrol.appfabriclabs.com/&HMACSHA256=muXlPgsuZkO9BHNAZqA97TZj4gz4NLKc0Ut58Y=”

This SWT will work fine.  Notice the claim “action=reverse” at the beginning.  If you aren’t aware (I wasn’t), multiple values of an claim are combined and separated by commas.  So, if you have another value ‘translate’ for the ‘action’ claim, the SWT will look like this:

“action=reverse,translate&Audience=http://localhost:8000/Service/&ExpiresOn=1281474685&Issuer=https://<your-namespace>.accesscontrol.appfabriclabs.com/&HMACSHA256=muXlPgsuZkO9BHNAZqA97TZj4gz4NLKc0Ut58Y=”

And that makes sense.  Why include multiple ‘action=<value>’ sections?  One simple change to the sample enables it to handle this situation.  Around line 90 of the sample’s default.aspx you’ll see

// check for the correct action claim value
if (!actionClaimValue.Equals(this.requiredClaimValue))
{
this.ReturnUnauthorized();
return;
}

This bit of code is requiring that the actionClaimValue (which comes from the SWT) EQUALS the expected value (requiredClaimValue which set to ‘reverse’).  In the second SWT above, the value of actionClaimValue will be “reverse,translate” which do not equal “reverse”

Simply changing Equals to use the Contains method fixes the sample.  Based on this situation, I don’t think using Equals is a good idea for your apps.  Contains is a reasonable alternative, but you may want to use a more rigorous practice.