Using vCloud Express and Infrastructure as a Service (IaaS)
By Dave Peru, May 2012 (www.dperu.com, [email protected])
1.0 – Introduction, Cloud Services Defined
What is Infrastructure as a Service (IaaS)? IaaS means using internet-based services to host our web application. The
diagram below will help you better understand the cloud service model:
[Diagram: the cloud service model drawn as a stack (Network, Disk, Server, Operating System, Additional Installations,
Data, Application) under four columns: On-premises Data Center; Infrastructure as a Service (IaaS), where the Operating
System (Updates) layer and everything above it stay with the customer; Platform as a Service (PaaS), where the
Framework layer is provided but the application "Requires Rewrite"; and Software as a Service (SaaS), where the
Application layer comes with "Less Control".]
* This is a modified version of a diagram taken from “Windows Azure” by Roberto Brunetti
Examples of IaaS: Terremark vCloud Express, Amazon EC2
Examples of PaaS: Microsoft Azure, Google Apps, Amazon AWS
Examples of SaaS: Salesforce.com, Facebook.com
2.3 – Terremark vCloud Express versus Terremark Enterprise Cloud Services
The architectures are identical. With vCloud Express the business model is pay-as-you-go: you provision and consume
resources and pay on a per-use basis. With Enterprise Cloud Services, you enter into a contract where you pay a fixed
dollar amount per month for a fixed set of resources that you can then allocate from. If you exceed your allocations,
you will be billed surcharges for what you consume.
The other nice thing about Enterprise Cloud is that Terremark will install large data devices like NAS drives within their
network and make them accessible to your instances. You can also arrange a VPN router configuration so your Enterprise
Cloud instances are part of your internal enterprise network namespace. Essentially, this extends the security
perimeter through an IP firewall tunnel. Dedicated lines can also be arranged to increase bandwidth. Of course,
extending the enterprise perimeter will require a number of security audits and approvals. The best approach is to get
your own company’s security people to talk with Terremark’s security people. Even then, guard dogs and blast-proof
walls may not be enough to overcome corporate politics!
Terremark also provides a number of other services to the enterprise customer so check with their website for your needs.
3.0 – Security Issues
Marketing information from Terremark:
Terremark understands that assuring the confidentiality, integrity and availability of
mission critical information is a top priority for enterprises and government agencies. Our multi-layer approach to delivering security services enables our customers to purchase appropriate risk
reduction services in order to achieve a desired state of protection at all levels within their Enterprise Cloud
environment. Multi-layer security services can be delivered in the cloud to defend your web sites, applications and
data from malicious attacks by combining the most advanced state-of-the-art tools, services and instrumentation,
all managed by a team of trained, experienced and certified security professionals. Terremark’s ability to deliver
advanced security services on the Enterprise Cloud has significantly differentiated it from other platforms, as well
as made it the cloud of choice for government customers such as Data.gov and USA.gov.
Our managed security services can be overlaid in the cloud and can address the following areas of protection and
These addresses are only visible to virtual machine instances within the same virtual firewall zone. Other tenants in the
pod cannot “ping” machine instances having these addresses. They are totally inaccessible to other tenants.
4.0 – Using Terremark vCloud Express, Getting Started
We will talk more about security in section 6. For now, here’s a screen shot of Terremark’s vCloud Express web portal:
After you log in, you see the following control panel:
This is the “Environment” tab in the upper right. You can click on “MY ACCOUNT” for account stuff. And “SIGN OUT” to
sign out or just kill the browser.
Below the vCloud Express title, there are three tabs. The first tab, titled “Resources”, shows your environment’s resources
in use. The second tab, “Servers”, allows you to create and modify resources. The third tab, “Network”, allows you to expose
your servers to the public, configure the virtual firewall, and set up which server instances will be grouped together for load
balancing.
4.1 – Creating a Server Instance
Click on the “Servers” tab and you will see the “Servers” page:
The buttons on the upper right control the way the servers are listed:
Servers are organized in rows. But the rows here are just informational and used to help you organize your server
instances. You may want to have a row for each application. Or, you may want a row for each tier in your application.
Most likely you will have a row for development, testing, staging, and production.
The first step in creating a new server is to create a new row (unless you want to use an existing row):
Fill out the dialog and click on the “Save” button:
Here is the result:
Next, click the “Create Group” button. Just like rows, groups are just another way of organizing your server instances:
After clicking on the “Save” button you should see the following:
We are now ready to create a new server instance. Click on the “Test2 Group” to select it:
Next, click on the “Create Server” button:
Select “OS Only”, “Windows”, and “Windows 2008 Web R2 (64-bit)” as shown above. Then click on the “Next” button to
continue:
Fill out the VPU count and memory size, then click the “Next” button.
Fill out the server name and admin password, then click “Next”.
Select the row and group in which to place the server instance.
Check the boxes agreeing to the TOS.
You will see this animation for a bit.
Then this will be shown:
This screen says 30-45 minutes, but it really only takes 5 to 10 minutes to come up.
Now you see more information on the server instance being shown. It’s not ready until the IP shows up.
Now our server is ready to be used. Before showing how to use RDP to your virtual machine instance, we are going to
cover two additional topics below.
4.2 – Scaling Up
There are two ways to scale an application. You can “scale up” by increasing the power of a single machine (or virtual
machine instance). Or, you can “scale out” by using a load balancer with multiple machines (or virtual machine
instances). Terremark allows you to scale up a virtual machine instance to one with “8 x VPU”s and a total of 16 GB
of RAM. That is a pretty big honking machine instance!!! Having 8 VPUs is kind of like having a server farm within one
instance. Before you can change these parameters you first have to power down the virtual machine instance:
Virtual machine instances are also known as “nodes”. Later in this presentation you will see how to setup and configure a
load balancing solution.
4.3 – Deploying a Blank Server
The “Create Blank Server” button allows you to create a template of information for a server instance you build from
scratch:
“Deploying a blank server allows you to build a server using the operating system of your choice with an ISO
image or other install package. This gives you freedom to build servers that are not available among the standard
vCloud Express server images. It also allows you to manage your own licensing for commercial operating
systems.”
This topic is outside the scope of this presentation. Consult Terremark’s support pages for more information on how to
create your own server instances from scratch.
5.0 – Using RDP to Connect to Your Instances
Click on the “VPN Connect…” button to establish a VPN connection to Terremark. This will ask you to install components
needed for the Cisco VPN software. It may try to install Java. Be careful, because the Java installer dialog box may be
hidden behind the browser window and there is no indication as to what it is doing.
Assuming you install everything correctly, when you click on the “VPN Connect” button, you will see the following dialog
pop up for a few seconds. Do not fill it out. Just wait 10 seconds:
This crazy dialog box pops up; just ignore it. But you must first select a server before you click on
the “VPN Connect” button. Otherwise, this dialog box will pop up and just sit there.
Run RDP:
Don’t let the session timeout. If the Cisco VPN session times out you may have to restart your machine.
5.1 – Configure RDP to Have Local Drive Access
When you pull up file explorer within your virtual machine instance, you should see your local drives. You can use your
local drives to copy software into the cloud.
If your local files do not show up, you have to manually configure RDP to allow local drive access:
Click on the “Local Resources” tab:
Click on the “More” button:
Make sure all the local drives are checked.
5.2 – Gotchas:
1. Cisco VPN: the Java installer dialog box may be hidden behind the browser window.
2. Once you have the Cisco VPN installed, you click on the “VPN Connect” button. The auto-login will not work if
you do not first select a server instance. Before clicking on the “VPN Connect” button, make sure you select a
running instance. This way it will automatically fill out the Cisco VPN login dialog box. Once you see the icon in
the tray you can close the browser tab.
3. RDP: under “Local Resources”, click the “More” button and allow local disk drive access.
4. After power up, it may take 5 to 10 minutes before the IP address gets assigned.
5. Make sure to “Log off” the instance. Do NOT hit the close window “X” to kill RDP. This will leave a logged-in
session. Windows Server only allows a maximum of two open terminal sessions.
Click on the “Log off” button when exiting your RDP session.
5.3 – Using RDP through the Public Internet
Since the Cisco VPN timeout is difficult to recover from and may require you to reboot your laptop, you may want to
expose port 3389 over a public IP address. This bypasses the VPN connection, but it opens up your server to password
attacks.
You first have to associate a public IP address with your running instance. Click on the “Network” tab within the vCloud
Express control panel:
Click on the “Create Service” button and fill out the
form as shown below. Click the “Save” button to continue:
Next, click on the newly created IP address, in our example, “204.51.124.137”. You should see “Edit Service”, “Delete
Service”, and “Create Node” buttons:
Fill out the form as shown and click on the “Save” button to continue. This will create a
virtual firewall entry allowing port 3389 traffic to go to the “Test2-M1” virtual machine instance.
When you select the “Test2-M1” server, click on the “Nodes” tab, you will see the service listed:
You can now RDP directly to the public internet IP address listed: 204.51.124.137
6.0 – More on Security
Make sure to use strong passwords for the “Administrator” account. Many people even suggest changing the
“Administrator” account name to something different than “Administrator”. You can decide what you want to support.
You can change your “Administrator” password the usual way from the Control Panel:
If the password policy is too stringent, you can relax it by doing the following:
You can help protect your computer by customizing your password policy settings, including requiring users to change their
password regularly, specifying a minimum length for passwords, and requiring passwords to meet certain complexity requirements.
1. Open Local Security Policy by clicking the Start button, typing secpol.msc into the Search box, and then clicking secpol. If you are
prompted for an administrator password or confirmation, type the password or provide confirmation.
2. In the Navigation pane, double-click Account Policies, and then click Password Policy.
3. Double-click the item in the Policy list that you want to change.
6.1 – Listening Ports and Local O/S Firewalls
Since our machine instances are going to be running in a multi-tenant environment, it is important to understand the risk
of exposed TCP/IP ports. On your Windows instances, each open TCP/IP port with a listening service is a security
risk. To see all the “listening ports”, use the “netstat -a” command:
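As an added example (not part of the presentation), here is a PowerShell script that turns that netstat check into an audit: it parses “netstat -ano” output (the -o column adds the owning PID, which “netstat -a” alone does not show) and flags every listening TCP port that is not on an allowlist. The allowlist of 80, 443 and 3389 and the sample netstat output are constructed for this example.

```powershell
# Ports a vCloud Express web server is expected to expose (assumption for this example:
# 80/443 for the web app, 3389 for RDP). Anything else listening gets flagged.
$AllowedPorts = @(80, 443, 3389)

function Get-ListeningTcpPorts {
    param([string[]]$NetstatLines)   # lines of "netstat -ano" output, live or captured
    foreach ($line in $NetstatLines) {
        # Data rows look like:  TCP  0.0.0.0:3389  0.0.0.0:0  LISTENING  1180
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') {
            # Split on the last colon only, so IPv6 forms like [::]:80 parse correctly
            $addr, $port = $f[1] -split ':(?=\d+$)'
            [pscustomobject]@{
                Address = $addr
                Port    = [int]$port
                PID     = [int]$f[4]
                # Looked up on the machine running the script; for a captured sample the
                # PID may not exist here, in which case the field is simply blank.
                Process = (Get-Process -Id $f[4] -ErrorAction SilentlyContinue).ProcessName
            }
        }
    }
}

function Find-UnexpectedListeners {
    param([string[]]$NetstatLines, [int[]]$Allowed = $AllowedPorts)
    Get-ListeningTcpPorts $NetstatLines |
        Where-Object { $Allowed -notcontains $_.Port } |
        Sort-Object Port
}

# Constructed sample of "netstat -ano" output so the script can be tried offline.
$Sample = @"
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1180
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    10.0.0.5:3389          10.0.0.9:51022         ESTABLISHED     1180
"@ -split "`r?`n"

Find-UnexpectedListeners $Sample | Format-Table -AutoSize   # flags 135 (RPC) and 445 (SMB)

# Live audit of the instance you are logged on to:
# Find-UnexpectedListeners (netstat -ano) | Format-Table -AutoSize
```

Each flagged port is either a service to disable or a port the Windows firewall (section 6.2) must keep closed to the public side.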
6.2 – Configuring Windows Firewall
In addition to the Terremark virtual firewall, it’s probably a good idea to configure the Windows operating system firewall.
However, you have to be careful how you do this. If you turn the firewall on before configuring it, you will not be able
to RDP back into your running instance! Guess how I figured out this little tidbit!?! Half the time I learn by making
mistakes and the other half of the time I just get lucky!
Here’s a script that will allow you to set up and turn on the firewall without destroying your ability to connect to your
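The presentation’s own script is not reproduced on this page. The following is an added example (not the author’s script) of the same approach using netsh advfirewall, which ships with Windows Server 2008 R2: create the RDP allow rule first, then switch the firewall on. The rule names and the 203.0.113.0/24 source range are placeholders chosen for this example; run it from an elevated prompt inside the RDP session.

```powershell
# Source addresses allowed to reach RDP. Placeholder (TEST-NET-3 range) for this example;
# replace it with the range your VPN or admin workstation actually comes from. Using "any"
# recreates the open-to-the-internet setup of section 5.3, so only do that with a strong
# Administrator password.
$RdpSources = "203.0.113.0/24"

# 1. Default policy: drop unsolicited inbound, allow outbound. Not enforced until step 3.
#    (Quoted so PowerShell passes the comma-separated value as one argument.)
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# 2. Explicit allow rules for what the instance must serve. The RDP rule comes FIRST;
#    turning the firewall on without it is how you lose your own session.
netsh advfirewall firewall add rule name=vCloud-Admin-RDP dir=in action=allow protocol=TCP localport=3389 remoteip=$RdpSources
netsh advfirewall firewall add rule name=vCloud-Web-HTTP  dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name=vCloud-Web-HTTPS dir=in action=allow protocol=TCP localport=443

# 3. Only now switch the firewall on for all three profiles (Domain, Private, Public).
netsh advfirewall set allprofiles state on

# 4. Log dropped inbound packets, so password guessing against 3389 from outside the
#    allowed range shows up in %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set allprofiles logging droppedconnections enable

# 5. Verify before closing the RDP session: the rule must be listed with "Enabled: Yes".
netsh advfirewall firewall show rule name=vCloud-Admin-RDP
```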