Security Considerations for Using Windows Azure Nodes in Windows HPC Server 2008 R2
Updated: December 21, 2011
Applies To: Windows HPC Server 2008 R2
This section describes security considerations for deploying and running jobs on Windows Azure nodes that have been added to a Windows HPC Server 2008 R2 cluster (a Windows Azure “burst” scenario). This section does not cover the security considerations for using the Windows Azure HPC Scheduler. For more information about the Windows Azure HPC Scheduler, see the MSDN content.
For background information about Windows Azure platform security, see Security Resources for Windows Azure.
In this section:
- Firewall ports and protocols
- Security model for interaction of on-premises and Windows Azure components
The domain-joined user accounts that are used to submit jobs and tasks to an on-premises HPC cluster are not used to run jobs and tasks on Windows Azure nodes. Each job that is run on a Windows Azure node creates a local user account and password. This helps ensure separation of job processes in Windows Azure.
The firewall ports and protocols that are used to deploy Windows Azure nodes and to run jobs are summarized in “Configure the Network Firewall” in Requirements for Windows Azure Nodes in Windows HPC Server 2008 R2.
Note: In Windows HPC Server 2008 R2 with SP3 or later, port 443 is used for all Windows Azure node deployment and job scheduling operations. This simplifies the set of ports that are required to use Windows Azure nodes in Windows HPC Server 2008 R2 with SP1 or SP2.
Note: For information about the configuration of Windows Firewall in the on-premises cluster that enables internal services to run, see Appendix 1: HPC Cluster Networking.
X.509 v3 certificates are used to help secure the communication between on-premises Windows HPC Server 2008 R2 nodes and Windows Azure. They can be signed by another trusted certificate or they can be self-signed. To deploy Windows Azure nodes to a Windows Azure hosted service and to run jobs on them, both a management certificate and service certificates must be configured.
A Windows Azure management certificate must be configured in the Windows Azure subscription, on the head node, and on any client computer that is used to connect to the Windows Azure hosted service. The client that connects to the Windows Azure subscription has the private key. For procedures to configure the management certificate, see Configure the Management Certificate for Windows Azure.
The management certificate is used to help secure the following operations:
- Create a Windows Azure node template that can be used to deploy Windows Azure nodes
- Upload a VHD from the image store on the head node to the Windows Azure subscription, which can be used to create VM nodes (in Windows HPC Server 2008 R2 with SP2 or later)
- Provision Windows Azure nodes
- Upload files to Windows Azure storage (for example, by using the hpcpack command)
Note: A self-signed management certificate can be used for testing purposes or proof-of-concept deployments. However, it is not recommended for production deployments.
The following two public-key service certificates are automatically uploaded to the Windows Azure hosted service from Windows HPC Server 2008 R2 when Windows Azure nodes are provisioned. They are used to permit mutual authentication between the on-premises head node and the two Windows Azure proxy nodes that are automatically provisioned in every deployment.
- Microsoft HPC Azure Service
- Microsoft HPC Azure Client
These certificates are configured by Windows HPC Server 2008 R2 as follows:
- The on-premises head node is configured with the Microsoft HPC Azure Client certificate (with the private key) and the Microsoft HPC Azure Service certificate
- The proxy nodes in Windows Azure are configured with the Microsoft HPC Azure Service certificate (with the private key) and the Microsoft HPC Azure Client certificate
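The following script is an added example, not part of this documentation or of the HPC Pack product, that audits the certificate layout described above on an on-premises head node. It assumes the certificates are in the LocalMachine\My store, that their subjects contain the names shown above, and that you supply the management certificate's thumbprint.

```powershell
# Added example (not from the documentation): audit the head-node certificate
# configuration described above. Assumptions: certificates live in
# Cert:\LocalMachine\My, subjects contain the documented names, and the
# management certificate is identified by the thumbprint passed in.
param(
    [Parameter(Mandatory = $true)]
    [string]$ManagementCertThumbprint   # thumbprint of the Windows Azure management certificate
)

$store = 'Cert:\LocalMachine\My'

function Get-CertBySubject {
    param([string]$SubjectName)
    Get-ChildItem $store | Where-Object { $_.Subject -like "*CN=$SubjectName*" } | Select-Object -First 1
}

$findings = @()

# Management certificate: the head node connects to the subscription, so it
# must hold the private key. Self-signed is acceptable for testing only.
$mgmt = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $ManagementCertThumbprint } | Select-Object -First 1
if (-not $mgmt) {
    $findings += "Management certificate $ManagementCertThumbprint not found in $store"
} else {
    if (-not $mgmt.HasPrivateKey) { $findings += "Management certificate has no private key on this computer" }
    if ($mgmt.Subject -eq $mgmt.Issuer) { $findings += "Management certificate is self-signed (testing/proof-of-concept only)" }
    if ($mgmt.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "Management certificate expires on $($mgmt.NotAfter)" }
}

# Service certificates: on the head node the Client certificate carries the
# private key; the Service private key belongs only on the Windows Azure proxy nodes.
$client  = Get-CertBySubject 'Microsoft HPC Azure Client'
$service = Get-CertBySubject 'Microsoft HPC Azure Service'
if (-not $client) { $findings += "Microsoft HPC Azure Client certificate not found" }
elseif (-not $client.HasPrivateKey) { $findings += "Microsoft HPC Azure Client certificate is missing its private key" }
if (-not $service) { $findings += "Microsoft HPC Azure Service certificate not found" }
elseif ($service.HasPrivateKey) { $findings += "Microsoft HPC Azure Service private key is present on the head node; expected only on proxy nodes" }

if ($findings.Count -eq 0) { "Certificate configuration matches the documented layout." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated session on the head node; any FINDING line indicates a deviation from the layout the documentation describes.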
Operations on a Windows Azure storage account require an account key, which is automatically configured when the account is created. Windows HPC Server 2008 R2 automatically retrieves this key to perform storage operations during the provisioning of Windows Azure nodes.
The following figures provide details on the interactions of on-premises Windows HPC Server 2008 R2 components and those in Windows Azure that are used for running cluster jobs. The figures indicate the ports, protocols, and endpoints that are used for communication in Windows HPC Server 2008 R2 with SP1 or SP2 and in Windows HPC Server 2008 R2 with SP3. The on-premises components that are present depend on the configuration of the Windows HPC Server 2008 R2 cluster.
Figure: Windows HPC Server 2008 R2 with SP1 or SP2
Note: Windows Azure VM nodes can be used only in Windows HPC Server 2008 R2 with SP2 or later.
Figure: Windows HPC Server 2008 R2 with SP3