Hands-On Lab
Connecting Apps with Windows Azure Connect
Lab version: 1.0.0
Last updated: 7/29/2017
Contents
OVERVIEW
EXERCISE 1: CONNECTING AN AZURE WEB ROLE TO AN EXTERNAL SQL SERVER DATABASE WITH WINDOWS AZURE CONNECT
Task 1 - Configuring the Application to run in Windows Azure with Windows Azure Connect
Task 2 - Installing Windows Azure Connect Endpoint Software in Your External Machine to Enable Windows Azure Connect
Task 3 - Configuring Microsoft SQL Server Express for Remote Access
Task 4 - Managing Windows Azure Connect Groups
Verification
SUMMARY
Overview
Windows Azure Connect enables IP-level network connectivity between Azure services and external
resources. The underlying connectivity model is quite flexible. For example, you can use Windows
Azure Connect to set up networking between arbitrary groups of machines that are distributed
across the internet in a controlled and secure manner.
The following diagram illustrates the key elements of the Windows Azure Connect model.
Windows Azure Connect creates a logical “virtual network” which can contain two types of entities:
Azure Role groups and Machine groups.
Role groups map to Azure roles, which have been enabled for Windows Azure Connect. Only the
Azure VM instances for a role are members of a role group – the admin cannot manually add or
remove members. Windows Azure Connect automatically manages the membership of role
groups – if you add or remove role instances, Windows Azure Connect will track this and update
the role group membership appropriately.
Machine groups are admin-defined collections of external machines, which have been enabled
for Windows Azure Connect through installation of the Windows Azure Connect Endpoint
Software. An external machine can belong to at most one machine group.
Connectivity within the Windows Azure Connect virtual network is based on the following rules:
A role group can be “linked” to a machine group – this enables connectivity between the
members of those groups. A role group can be linked to multiple machine groups – e.g. you
could have an Azure web role that is connected to your “My Servers” and “My Laptops”
machine groups as shown in the diagram above.
Members of a role group (the Azure VM instances) do not have connectivity with each other. In
addition, a role group cannot be linked to another role group. These limitations are intentional
– the Azure service model controls connectivity between roles and the Azure runtime supports
connectivity between role instances. We did not want the Windows Azure Connect model to
interfere with this behavior.
Machine groups can be linked, as mentioned above, to role groups. Machine groups can also be
linked to other machine groups to enable connectivity between members of those groups.
Links are not transitive from a connectivity perspective. For example, suppose Group A is linked
to Group B, and Group B is linked to Group C. Machines in Group A can communicate with those
in Group B, and machines in Group B can communicate with those in Group C. However,
machines in Group A cannot communicate with those in Group C.
A machine group has an “interconnected” property – if it is set to true, then all members of that
group can communicate with each other. If it is set to false, then communication between the
members is not allowed.
It is important to note that Windows Azure Connect does not affect or interfere with a
machine’s existing network connectivity.
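The connectivity rules above can be evaluated mechanically when reviewing which endpoints a group layout actually exposes to each other. The following Python model is an added example, not part of the original lab or of any Windows Azure Connect API; the class, method, group and endpoint names are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    kind: str                     # "role" or "machine"
    members: set = field(default_factory=set)
    interconnected: bool = False  # machine groups only


class ConnectNetwork:
    """Illustrative model; names here are not a Windows Azure Connect API."""

    def __init__(self):
        self.groups = {}    # group name -> Group
        self.owner = {}     # endpoint name -> group name
        self.links = set()  # frozenset({group_a, group_b})

    def add_group(self, name, kind, members, interconnected=False):
        if kind not in ("role", "machine"):
            raise ValueError("kind must be 'role' or 'machine'")
        if kind == "role" and interconnected:
            raise ValueError("only machine groups can be interconnected")
        taken = [m for m in members if m in self.owner]
        if taken:  # an endpoint belongs to at most one group
            raise ValueError(f"already grouped: {taken}")
        self.groups[name] = Group(kind, set(members), interconnected)
        self.owner.update({m: name for m in members})

    def link(self, a, b):
        if a == b:
            raise ValueError("use the interconnected property instead")
        if self.groups[a].kind == self.groups[b].kind == "role":
            raise ValueError("a role group cannot be linked to a role group")
        self.links.add(frozenset((a, b)))

    def can_communicate(self, x, y):
        """True only if Connect itself permits traffic between x and y."""
        gx, gy = self.owner.get(x), self.owner.get(y)
        if gx is None or gy is None or x == y:
            return False
        if gx == gy:  # same group: only an interconnected machine group
            g = self.groups[gx]
            return g.kind == "machine" and g.interconnected
        return frozenset((gx, gy)) in self.links  # direct link, never a path


def build_sample():
    """Constructed topology; all group and endpoint names are made up."""
    net = ConnectNetwork()
    net.add_group("WebRole", "role", ["WebRole_IN_0", "WebRole_IN_1"])
    net.add_group("My Servers", "machine", ["sql01", "sql02"], interconnected=True)
    net.add_group("My Laptops", "machine", ["laptop01", "laptop02"])
    net.add_group("Build Agents", "machine", ["build01"])
    net.link("WebRole", "My Servers")
    net.link("WebRole", "My Laptops")
    net.link("My Laptops", "Build Agents")
    return net
```

In the constructed topology, sql01 and laptop01 are both linked to the web role but cannot reach each other, and the web role cannot reach build01 through My Laptops, because links are not transitive.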
Objectives
In this hands-on lab, you will learn how to:
Provision a Windows Azure Connect service and associate it with your Azure subscription.
Set up network connectivity between Azure Roles and external machines.
Prerequisites
The following is required to complete this hands-on Lab:
Microsoft .NET Framework 4
Microsoft Visual Studio 2010
IIS 7 (with ASP.NET)
Windows Azure Tools for Microsoft Visual Studio 2010 1.6
SQL Server 2008 R2 Express Edition or higher
SQL Server Management Studio 2008 R2 Express Edition or higher
Setup
In order to execute the exercises in this hands-on lab you need to set up your environment.
1. Open a Windows Explorer window and browse to the lab’s Source folder.
2. Double-click the Setup.cmd file in this folder to launch the setup process that will configure
your environment.
3. If the User Account Control dialog is shown, confirm the action to proceed.
Note: Make sure you have checked all the dependencies for this lab before running the setup.
Exercises
This hands-on lab includes the following exercise:
1. Connecting an Azure Web Role to an External SQL Server Database with Windows Azure
Connect
Estimated time to complete this lab: 60 minutes.
Note: When you first start Visual Studio, you must select one of the predefined settings collections.
Every predefined collection is designed to match a particular development style and determines
window layouts, editor behavior, IntelliSense code snippets, and dialog box options. The procedures in
this lab describe the actions necessary to accomplish a given task in Visual Studio when using the
General Development Settings collection. If you choose a different settings collection for your
development environment, there may be differences in these procedures that you need to take into
account.
Exercise 1: Connecting an Azure Web
Role to an External SQL Server Database
with Windows Azure Connect
In this exercise, you will set up network connectivity between a simple Web Role and your local machine.
The Web Site used for sample purposes in this exercise will leverage Windows Azure Connect and
connect to your local SQL Server instance to retrieve a list of customers that will be shown in a simple
table within the site.
Task 1 - Configuring the Application to run in Windows Azure with Windows Azure Connect
To use Windows Azure Connect to connect external resources with your Azure service, you need to
enable one or more of its roles. You do this by provisioning the role with the Connect plug-in that is part
of the Windows Azure SDK v1.6 release. Only roles of the service provisioned with the Connect plug-in
will be able to connect to external resources.
1. To allow the Azure Web Role to connect to the database using SQL Server
credentials, open SQL Server Management Studio and connect to the local SQL Server (i.e.
.\sqlexpress).
2. Right-click the server node and select Properties.
3. Select Security and make sure SQL Server and Windows Authentication mode is selected.
Figure 1
SQL Server Properties - Security
4. Click OK button.
5. Restart the SQL Server instance so that the previous configuration change takes effect.
Figure 2
Restart SQL Server
Note: In order to continue the exercise make sure you executed the setup.cmd as mentioned
in the Setup section of this lab.
6. Open Visual Studio 2010 as an administrator. Go to File | Open | Project menu and select the
Begin.sln located in \Source\Ex1-ConnectingToExternalSQL\Begin folder of the lab.
7. Press F5 key to run the application.
8. Notice in the connection information panel that the application is connected to the local SQL
Server SQLEXPRESS instance.
Figure 3
Application running locally
9. Navigate to http://windows.azure.com.
10. Click the Virtual Network link on the Windows Azure Portal left pane. These are the contents
related to Windows Azure Connect.
Figure 4
Clicking Virtual Network
11. Click {your-service-subscription-name} node located under Connect node on the upper side of
left pane.
12. Click Ok on Enable Windows Azure Connect popup. This popup appears only the first time you
need to enable Windows Azure Connect with the current subscription.
Figure 5
Enabling Windows Azure Connect
13. Once enabled, click Close on Enable Windows Azure Connect popup.
Figure 6
Windows Azure Connect enabled
14. Click {your-service-subscription-name} node to expand and see Windows Azure Connect
information. To do this, click Connect node on the upper side of the left pane.
Figure 7
Reviewing Windows Azure Connect information
15. Click the “Get Activation Token” button. You will retrieve the “client activation token” for your
Windows Azure service.
Figure 8
Getting Activation Token
16. Click Copy Token to Clipboard button on Get Activation Token for Windows Azure Roles popup
to configure your Windows Azure Service.
Figure 9
Copying Client Activation token
17. Click Yes if Microsoft Silverlight asks you to allow clipboard access.
Figure 10
Allowing Silverlight access clipboard
18. Click Ok to close the Get Activation Token for Windows Azure Roles popup.
Figure 11
Closing popup
19. Go back to Visual Studio 2010. Under the CustomerSearch project, open the
CustomersWebRole settings and select the Virtual Network tab. Ensure that the option labeled
Activate Windows Azure Connect is selected. Paste from the clipboard the token you have
copied in the previous step.
Figure 12
Filling Virtual Network tab
20. Press Ctrl-S to save config file.
21. Open the Web.config file for the CustomersWebRole project to update the SQL connection
string. Find the CustomersEntities connectionString, and replace the .\SQLEXPRESS value in the
Data Source attribute with {your-machine-name}\SQLEXPRESS,1433. The number 1433 in the
attribute represents the port number. The following snippet shows the result after applying the
update, assuming that your machine name is “YourMachine” (replace this value with your
machine name):
Note: To retrieve your computer’s name, go to Start, right-click Computer and select
Properties. The computer name will be displayed in the middle of the Properties window.
XML
<connectionStrings>
  ...
  <!-- YourMachine is a placeholder for your machine name; 1433 is the TCP port -->
  <add name="CustomersEntities"
       connectionString="metadata=res://*/Customers.csdl|res://*/Customers.ssdl|res://*/Customers.msl;provider=System.Data.SqlClient;provider connection string=&quot;Data Source=YourMachine\SQLEXPRESS,1433;Initial Catalog=Customers;Persist Security Info=True;User ID=labUser;Password=Passw0rd!;MultipleActiveResultSets=True&quot;"
       providerName="System.Data.EntityClient" />
</connectionStrings>
Note: Once you deploy the application to Windows Azure, the Web Role will connect to the
SQL Server running on your machine by machine name. That is why you need to change the
.\SQLExpress value to your explicit machine name. You also need to specify the default port
explicitly as part of the data source, because the connection will be made using TCP/IP as the
protocol.
22. You need to deploy the solution to Windows Azure. You can deploy the application using the
Windows Azure Tools for Visual Studio, or create a service package and use the portal to deploy
it. For more information on deployment options, see the “Windows Azure Deployment” hands-on lab.
23. Once the deployment has completed successfully, you should see information about the roles in
Virtual Network. To do this, click the Connect node on the left pane.
Figure 13
Roles information
24. Click the Hosted Services, Storage Account & CDN link on the left pane to review your role
information. If Hosted Services is not already selected, click Hosted Services to select it.
Figure 14
Selecting Compute, Storage & CDN
25. Click your service located on the center pane to review your service information. Once selected,
click the DNS Name link on the right pane. This opens the published Web site.
Figure 15
Clicking on Web Site URL
26. Verify that the application is running in Windows Azure, without being able to connect to the
external SQL server machine. You should see an exception saying that the connection to SQL
Server could not be established.
Figure 16
Application running in Azure, showing an exception saying that the connection to SQL Server
could not be established
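The connection string edited in step 21 of this task stores a SQL login and password in Web.config, so it is worth checking before the package is deployed. The following Python check is an added example, not part of the original lab: it parses the Entity Framework wrapper and reports the settings a reviewer would flag, and its function names, finding labels and the constructed sample entry are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the lab's CustomersEntities entry.
SQL = (r"Data Source=YourMachine\SQLEXPRESS,1433;Initial Catalog=Customers;"
       "Persist Security Info=True;User ID=labUser;Password=Passw0rd!;"
       "MultipleActiveResultSets=True")
SAMPLE_CONFIG = (
    '<configuration><connectionStrings><add name="CustomersEntities" '
    'connectionString="metadata=res://*/Customers.csdl|res://*/Customers.ssdl|'
    'res://*/Customers.msl;provider=System.Data.SqlClient;'
    f'provider connection string=&quot;{SQL}&quot;" '
    'providerName="System.Data.EntityClient" /></connectionStrings></configuration>'
)


def parse_pairs(text):
    """Split 'k=v;k="v;with;semicolons"' into a dict with lower-cased keys."""
    pairs, i, n = {}, 0, len(text)
    while i < n:
        eq = text.find("=", i)
        if eq == -1:
            break
        key, j = text[i:eq].strip().lower(), eq + 1
        if j < n and text[j] in "\"'":      # quoted value may contain ';'
            end = text.find(text[j], j + 1)
            end = n if end == -1 else end
            value, i = text[j + 1:end], end + 1
        else:
            end = text.find(";", j)
            end = n if end == -1 else end
            value, i = text[j:end].strip(), end
        pairs[key] = value
        while i < n and text[i] in "; ":
            i += 1
    return pairs


def audit(config_xml):
    """Return {connection name: [finding, ...]} for each connection string."""
    report = {}
    root = ET.fromstring(config_xml)        # the parser decodes &quot;
    for add in root.findall("connectionStrings/add"):
        outer = parse_pairs(add.get("connectionString", ""))
        # Entity Framework wraps the SqlClient string; plain entries are used as-is.
        sql = parse_pairs(outer.get("provider connection string", "")) or outer
        found = []
        if "password" in sql or "pwd" in sql:
            found.append("plaintext-password")      # credential stored in config
        if sql.get("persist security info", "").lower() == "true":
            found.append("persist-security-info")   # password kept after open
        if sql.get("encrypt", "false").lower() not in ("true", "yes",
                                                       "mandatory", "strict"):
            found.append("no-encrypt")              # client does not request TLS
        report[add.get("name")] = found
    return report
```

Calling audit(SAMPLE_CONFIG) reports all three findings for CustomersEntities; setting Persist Security Info=False and adding Encrypt=True leaves only the stored password to deal with.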
Task 2 - Installing Windows Azure Connect Endpoint Software in Your External Machine to Enable
Windows Azure Connect
1. Click back on Virtual Network.
2. Click the Install Local Endpoint button.
Figure 17
Getting Install link
3. Click Copy Link to Clipboard button on the Install Windows Azure Connect Endpoint Software
popup.
Figure 18
Client Installation Link
4. Click Yes if Microsoft Silverlight asks you to allow clipboard access.
Figure 19
Allowing Silverlight access clipboard
5. Click Ok to close the popup.
6. Paste the copied link in the Internet Explorer navigation bar and press enter to download the
client.
7. Click Run button to install the Windows Azure Connect Endpoint software.
Figure 20
Downloading the Windows Azure Connect Endpoint software
8. Click Run button in the Security Warning dialog.
9. Click Yes button if the UAC dialog appears.
10. Follow the steps in the Windows Azure Connect Endpoint software installation wizard.
Figure 21
Windows Azure Connect Endpoint software installation wizard
11. To verify that the Windows Azure Connect Endpoint software installed successfully, right-click
the icon in the tray.
Figure 22
Windows Azure Connect Endpoint software icon
12. Click Open Windows Azure Connect.
Figure 23
Windows Azure Connect Endpoint software context menu
13. The Windows Azure Connect dialog box will show the current status.
Figure 24
Windows Azure Connect status
Note: If you cannot get the Windows Azure Connect endpoint configured, check that the Windows
service “IKE and AuthIP IPsec Keying Modules” is running.
14. You can now create groups. To do this, go back to the browser and click Virtual Network on
the left pane.
15. Once the Windows Azure Connect Endpoint software is running locally, our external machine is
shown in the center pane. To review this, click Groups and Roles node on the left pane.
Figure 25
Windows Azure Connect, your external machine added
Task 3 - Configuring Microsoft SQL Server Express for Remote Access
Microsoft SQL Server Express needs to be accessible from the machines in our local network. If your SQL
Server Express instance is already enabled for remote access, many of the instructions below are
not necessary. In either case, we recommend that you go through the steps below to confirm.
1. To enable remote connections, open SQL Server Management Studio and connect to the local
SQL Server.
2. Right-click the server node and select Properties.
3. Select Connections and make sure Allow remote connections to this server option is checked.
Figure 26
Server Properties - Connections
4. Open SQL Server Configuration Manager.
5. Make sure the SQL Server Browser service is disabled or stopped.
Figure 27
SQL Server Browser stopped
6. Enable TCP/IP Protocol in the SQL Server Network Configuration / Protocols for SQLEXPRESS.
Figure 28
Enabling TCP/IP protocol
7. Edit TCP/IP protocol Properties. Select the IP Addresses tab. Scroll to the bottom of the form
until you locate the IP All entry, and make sure the TCP Dynamic Ports is set to blank. Then set
the TCP Port to 1433.
Figure 29
TCP/IP Protocol properties
Note: The SQL Browser service is only required when using dynamic ports for remote
connections. In our scenario, we simply want to expose the default TCP port, 1433. The benefit
of having this service running is that users connecting remotely do not have to specify the port
in the connection string. On the other hand, it is a security best practice not to run the SQL
Browser service, because this reduces the attack surface area by eliminating the need to listen
on a UDP port.
8. Click OK.
9. Restart the SQL Service. To do this, right-click SQL Server and click Restart.
Figure 30
SQL Server service running
10. To allow TCP connections to go through the firewall, we need to add a new rule. Open Windows
Firewall with Advanced Security.
11. Select Inbound Rules. Create a New Rule.
Figure 31
Windows Firewall – Inbound Rules – New Rule
12. In the New Inbound Rule Wizard select Port for the rule type.
Figure 32
New Inbound Rule Wizard – Rule Type step
13. Set the TCP port to 1433.
Figure 33
New Inbound Rule Wizard – Protocols and Ports step
14. Select Allow the Connection in the Action step.
Figure 34
New Inbound Rule Wizard – Action step
15. Apply the rule to all the profiles in the Profile step.
Figure 35
New Inbound Rule Wizard – Profile step
16. Set the name to SQLPort in the Name step and click Finish.
Figure 36
New Inbound Rule Wizard – Name step
Task 4 - Managing Windows Azure Connect Groups
To allow access between the external machines and the Windows Azure Roles, you need to create a group
that links the Azure Roles and the external machines. The following steps show how to do this.
1. Go back to the browser. Click Virtual Network link on left pane.
2. Click Create Group button.
Figure 37
Creating a Group
3. In the Create a New Endpoint Group popup add a Group Name, a Description, and optionally
check Allow connections between endpoints in group to enable connectivity between external
machines of the group.
Figure 38
Filling Create a New Endpoint Group popup
4. Click Add button on Connect from.
Figure 39
Adding local endpoints
5. Select your local endpoint from the available endpoints.
Figure 40
Adding local endpoints
6. Click Ok button.
7. Click Add button on Connect to.
Figure 41
Adding Azure roles
8. Select your roles from the available groups and roles.
Figure 42
Adding Azure roles
9. Click Ok button to close popup.
10. Click Create button in order to create a new endpoint group.
Figure 43
Creating a new endpoint group
11. Your new group is now set. Make sure the new group policies were updated on the external
machine. To do this, right-click the Windows Azure Connect endpoint software icon in the tray
and click Refresh Policy.
Figure 44
Refreshing local policies
12. Once the policies are updated, open Windows Azure Connect and verify that you are in an
endpoint group.
Figure 45
Local status
Verification
At this point, you should have network connectivity between the Azure Role and your local machine.
Let’s run the application again and verify this by repeating the steps used in task 1.
1. Click Hosted Services, Storage Account & CDN link on the left pane to review your role
information.
Figure 46
Selecting Compute, Storage & CDN
2. Click your service located on the center pane to review your service information. Once selected,
click the DNS Name link to navigate to the Web role.
Figure 47
Clicking on Web Site URL
3. We can verify that our application is running in Windows Azure, and retrieving the data from
the external SQL server machine.
Figure 48
Application running in Azure with Windows Azure Connect
Note: Take into account that the endpoint may take several minutes to be added to the new
group. You will get “the underlying provider failed to open” errors until the endpoint is ready.
Summary
In this lab, you have learned how to establish network connectivity between an Azure Web Role and an
external SQL Server machine. By using Windows Azure Connect, you enabled IP-level network
connectivity between Azure services and external resources.