System Center 2012 R2 Explained: Managing Hybrid Cloud with App Controller

For this topic, as for many others in cloud computing, the first order of business is to know exactly what a hybrid cloud is. Cloud is a broad subject and covers nearly every aspect of IT, from hardware acquisition, infrastructure, deployment, and management all the way to the decommissioning of a workload. Without first specifying what it is, there are many opportunities to miscommunicate, misunderstand, and misinform on this subject. Clarity is critical in a cloud computing conversation.

Hybrid Cloud as Defined by NIST SP 800-145

So what is a hybrid cloud? It is officially defined in NIST SP 800-145 which states

“The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).”

This definition is however a confusing one with a rooted discrepancy. A composition of infrastructures is not a well established concept. And instead of clarifying what a hybrid cloud is, this hybrid cloud definition brings more questions than answers. Further a private cloud, a public cloud, and a community cloud are all defined according to the intended users. A hybrid cloud is however based on implementation, i.e. a composition of infrastructures. This change of criteria makes a hybrid cloud an inconsistent and disjoined concept among those defined in 800-145. A fundamental discrepancy between the definition of a hybrid cloud and the rest of the three (i.e. private, public, and community) clouds is that the former is defined on implementation of infrastructure while the latter three are according to the intended users. The definition of a hybrid cloud insufficiently addresses the fact that the intended users remain either a target group of users or the general public. The truth is that a hybrid cloud extends and remains a private cloud or a public cloud.

Hybrid Cloud as Understood by IT Professionals

A hybrid cloud is a concept of implementation and a service provider’s concern. The term, hybrid, here indicates that a cloud solution is with some resources deployed on premises and some off premises. Therefore, a hybrid cloud is an on-premises cloud with some resources deployed off premises. Similarly, an off-premises cloud with resources deployed on premises is also a hybrid cloud. Both definitions are from a resource placement’s viewpoint, and not based on the intended users.

For example, an on-premises private cloud integrated with resources deployed to Microsoft Azure (which runs off-premises in Microsoft datacenters) becomes a hybrid cloud. At the same time, an application deployed to Microsoft Azure that references corporate on-premises resources is also a hybrid cloud. In summary, a private or public cloud (application) with resources in more than one cloud deployment model is a hybrid cloud.

Therefore a hybrid cloud is intended for either a targeted group of users or the general public. Hence a hybrid cloud is essentially a private cloud or a public cloud, respectively.

Managing a Hybrid Cloud

The significance of managing a hybrid cloud is due to the potential complexities and complications of operating on resources deployed across various facilities among corporate datacenters and those of 3rd party cloud service providers. Multiple management software, inconsistent UI, heterogeneous operating platforms, non- or poorly-integrated development tools, etc. can and will noticeably increase overhead and reduce productivity. A unified operating platform, highly integrated development tools, a comprehensive management suite, a consistent user experience, and simple user operations are critical needs to fundamentally minimize the TCO and accelerate the ROI of a hybrid cloud. Here, App Controller, a self-service vehicle for users with delegated authorities, is part of System Center 2012 R2 to form a comprehensive cloud management solution.

A hybrid cloud presents many challenges in managing resources among multiple cloud service providers. With the technical complexities and administration overhead of managing individual clouds in a multi-tenant environment, IT can easily become a bottleneck in managing who can do what, where, when, and how much for each and every individual hybrid cloud deployment among on-premises and off-premises facilities. Delegating authority to the business and technical roles responsible for an application, including solution architect, release owner, application developer, and technical support, so that they can manage and maintain their deployments themselves is an effective and efficient way to manage a hybrid cloud environment. In System Center 2012 R2, both SCVMM and App Controller have the same self-service model and delegation of authority built in with User Role profiles and Run As accounts.

Delegating Authority with User Role and “Run As” Account

A user role (profile) is a set of policies and constraints which define not only who can access what, but also when, where, and what operations can be performed on an authorized resource and how much can be consumed. An authorized user can create a user role and assign membership in the Settings workspace of both App Controller and the SCVMM admin console to manage delegation of authority. The following shows a few default user role profiles configured for a Stock Trader application in SCVMM 2012 R2, including Delegated Administrator, Tenant Administrator, and Self-Service User. Alice is a user with the Delegated Administrator role, which has access to specified resources comprising a number of Run As accounts.


In an SCVMM-based deployment, user credentials for accessing resources can be provided by a Run As account which is a container for a set of stored credentials. Only administrators and delegated administrators can create and manage Run As accounts. Read-only administrators can see the account names associated with Run As accounts that are in the scope of their user role. As shown below, Run As accounts are managed in the Settings workspace under the Security folder of an SCVMM admin console. Here, cloud admin is a Run As account configured with a specified set of user credentials.


Once a Run As account is configured for a user role, a user with the user role can then reference the Run As account for accessing and operating on objects accessible to or created by the Run As account. The user simply references the Run As account and does not need to actually present its user credentials. In other words, a Run As account delegates authority to a user without the need for the user to know and present the user credentials of the Run As account. Not only is this a defense-in-depth strategy, i.e. providing minimal knowledge and hence exposing minimal attack surface, but it also gives maximal transparency in account administration, since changing the user credentials of the Run As account, should it become necessary, is transparent to the references to (i.e. symbolic links to) the Run As account.

Connecting and Forming a Hybrid Cloud

To expose resources of a hybrid cloud, an authorized user must connect App Controller with the SCVMM servers where on-premises private clouds are deployed, and with the service providers and Microsoft Azure subscriptions hosting resources off premises, as applicable. Before initiating a connection from App Controller to either a Microsoft Azure subscription or a 3rd party cloud service provider, a corresponding X.509 certificate, i.e. the public key, must first be put in place. For instance, the following Microsoft Azure screen capture presents a list of X.509 certificates uploaded into the Settings workspace of the Microsoft Azure management portal for establishing secure connections with particular subscription IDs.


At the same time, in App Controller, an authorized user can then configure and establish secure connections with off-premises deployments in the Connections and Subscriptions pages of the Settings workspace as illustrated here on the left.

For a secure connection, App Controller will in the process acquire a private key from a user-specified certificate in Personal Information Exchange, or pfx, format. As needed, use mmc (Microsoft Management Console) with Certificates add-in to export the private key of an intended certificate to generate the certificate in pfx format. The following presents the user experience of configuring secure connections in App Controller.
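The certificate pair described above, produced from PowerShell rather than the mmc export, as an added example that is not part of the original article or of Microsoft's own instructions. It assumes a self-signed certificate is acceptable for the connection, an elevated session, and a hypothetical subject name and output folder; it also verifies that the .cer file carries no private key and that both files share one thumbprint.

```powershell
# Added example. Assumptions: self-signed certificate, elevated session,
# hypothetical subject name and output folder.
$subject = 'appcontroller-mgmt.contoso.example'          # hypothetical
$outDir  = Join-Path $env:TEMP 'appcontroller-cert'      # hypothetical
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Create the certificate and its private key in the machine Personal store.
$cert = New-SelfSignedCertificate -DnsName $subject `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Public half (.cer, DER encoded): the file uploaded to the cloud provider.
$cerPath = Join-Path $outDir 'mgmt.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 3. Private half (.pfx), protected by a password that is never written to disk:
#    the file App Controller is given when the connection is configured.
$pfxPath = Join-Path $outDir 'mgmt.pfx'
$pfxPwd  = Read-Host -AsSecureString -Prompt 'Password for the PFX file'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPwd | Out-Null

# 4. Load both files back and check what each one really contains.
$x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$cer  = New-Object $x509 -ArgumentList $cerPath
$pfx  = New-Object $x509 -ArgumentList $pfxPath, $pfxPwd

if ($cer.HasPrivateKey) {
    throw 'The .cer file contains a private key; do not upload it.'
}
if (-not $pfx.HasPrivateKey) {
    throw 'The .pfx file has no private key; App Controller cannot use it.'
}
if ($cer.Thumbprint -ne $pfx.Thumbprint) {
    throw 'The .cer and .pfx files belong to different certificates.'
}

# Summary to compare with the thumbprint shown after the upload.
[pscustomobject]@{
    Subject    = $cer.Subject
    Thumbprint = $cer.Thumbprint
    NotAfter   = $cer.NotAfter
    UploadFile = $cerPath
    ImportFile = $pfxPath
}
```

Delete the .pfx file once App Controller has imported it, since anyone holding the file and its password can act on the subscription it is bound to.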




Cloud Management with a Single Pane of Glass

App Controller, a member of System Center 2012 R2, provides a self-service experience to configure, deploy, and maintain virtual machines and services across private and public clouds with secure connections. Particularly, for managing a hybrid cloud of System Center 2012 R2 Virtual Machine Manager and Microsoft Azure, App Controller offers a web-based self-service vehicle seamlessly integrating the two. The following two screen captures show an instance of App Controller managing an on-premises SCVMM-based private cloud and an off-premises deployment associated with a Microsoft Azure subscription.


App Controller is a web-based self-service portal. Once authenticated, a user has access to and can operate upon authorized deployment instances and resources according to the user role assigned to the user. The above screen capture is an example of managing a VM of a service deployed to an on-premises private cloud. The one below shows a similar desktop experience while operating on a Microsoft Azure VM deployed to one of Microsoft's datacenters.


Notice that with App Controller, all clouds and any clouds can be managed with a single pane of glass, with a user experience consistent with that of Windows desktop operations, and in a self-servicing manner. This is significant since it fundamentally minimizes the support cost in the long run, accelerates user adoption, and makes it easy for an authorized user to consume resources with a familiar Windows operating environment and desktop task routines.

Storing and Copying a VM

With App Controller connecting with SCVMM and Microsoft Azure, an authorized user now has an opportunity to copy a VM to Microsoft Azure or a 3rd party facility and easily extend a private cloud beyond a corporate datacenter. Copying a VM can be done with familiar desktop operations and without the knowledge of the underlying cloud infrastructures since App Controller does not reveal SCVMM fabric.

The process is to first store a candidate VM in SCVMM and then copy the VM to Microsoft Azure, as illustrated in the following schematic. In an SCVMM-based deployment, storing a VM can be initiated from either App Controller or the SCVMM admin console. It essentially exports the VM instance from its current location, the default VM path specified in the Placement property of the host where the VM instance lives, to a network share specified in the Stored VM path of the associated cloud library properties. The store process encapsulates the current state of the VM, exports it, and makes the VM portable and redeployable.


One can copy a VM to Microsoft Azure with App Controller, but not with the SCVMM admin console, which is intended for managing on-premises private clouds and fabric and does not have a graphical user interface to directly connect with Microsoft Azure or a 3rd party cloud service provider. Depending on where a VM is copied to, the process wizard will lead a user through the applicable scenario. If the destination is a storage container, copying a VM is just transmitting a set of files associated with the VM. If a VM is being copied into a cloud service, the process will copy and then deploy the VM. A walkthrough of storing and copying a VM from a private cloud to Microsoft Azure is available at This process is an important delivery of App Controller to form a hybrid cloud.

A stored VM in SCVMM can later be redeployed, in which case a copied VM in Microsoft Azure can become a secondary or duplicated workload, or vice versa. Either way, with App Controller it can be just a few mouse clicks to relocate, duplicate, back up, or redeploy VMs. Many scenarios that were perhaps previously technically challenging or financially cost-prohibitive to implement, like business continuity and disaster recovery, production simulation or duplication, transaction log reruns, training in production, etc., now all become an IT reality and practical business opportunities. This is indeed an exciting time for IT.

Closing Thoughts

Cloud levels the field, humbles big corporations, and offers small and medium businesses the same stage to act big and compete with establishments. A hybrid cloud brings many interesting scenarios and business opportunities in backup and restore, business continuity, disaster recovery, branch office deployments, remote access, development, prototyping, training, and on and on. Companies of all sizes, whether in service provision, consulting services, or product development, now all have the opportunity to play a major role, lead, and contribute to the hybrid cloud ecosystem.

A strategic step in realizing a hybrid cloud is to instate, at the next opportunity, a common management platform for deploying and managing all clouds and any clouds, on or off premises. A comprehensive solution like System Center 2012 R2 should be brought in as early as possible; specifically, for virtualization and cloud computing, SCVMM must be in place to form private cloud fabric. And as the private cloud fabric is formed, so grow all the clouds. Employ App Controller for delegating authority, enabling users to consume resources in a self-servicing manner, and facilitating the development of a hybrid cloud. Start with a private cloud, but always plan hybrid.
