Skip navigation

Understanding App Controller 2012

It's all about the apps and services

Microsoft System Center App Controller is a new member of the System Center family of products. Although other products in this suite can be implemented independently of one another (with the ability to integrate, of course), App Controller is highly dependent on System Center Virtual Machine Manager (VMM) or Windows Azure. In case you aren't familiar with App Controller's purpose, let me make a brief introduction.

App Controller is a product for managing applications and services that are deployed in private or public cloud infrastructures, mostly from the application owner's perspective. It provides a unified self-service experience that lets you configure, deploy, and manage virtual machines (VMs) and services. Some people mistakenly think that App Controller is simply the replacement for the VMM Self-Service Portal. Although App Controller does indeed serve this function, and in some way can replace the Self-Service Portal, its focus is different. VMM Self-Service portal was used primarily for creating and managing VMs, based on predefined templates; App Controller also focuses on services and applications. App Controller lets users focus on what is deployed in the VM, rather than being limited to the VM itself.

To understand this concept, you need to be familiar with System Center 2012 VMM 2012. Although this article is not about VMM, I must mention some important things so you can get the full picture. VMM 2012 has significantly changed from VMM 2008 R2. VMM 2012 still manages and deploys hosts and VMs, but its main focus is on private clouds and service templates. The end result is that an administrator or end user can deploy a service or application to a private cloud even without knowing exactly what lies beneath it.

I mentioned earlier that you can use App Controller to connect to both private and public clouds. Connecting to a private cloud means establishing a connection to a VMM 2012 Management Server. However, you can also add a Windows Azure subscription to App Controller.

Target users for App Controller are not administrators, although some admin tasks can be performed through the App Controller console. App Controller is intended to be used by application or service owners: the people that deploy and manage an application or service. (Don't confuse these folks with the end users that actually use a service or application. End users should not be doing anything with App Controller.) An owner might be an administrator, or an owner might be a developer that needs a platform to test an application. The key point is self-servicing: App Controller enables application owners to deploy new instances of a service or application without requiring them to deal with jobs such as creating VMs, Virtual Hard Disks (VHDs), or networks or installing OSs. To achieve that level of automation, administrators should do a lot of work in VMM.

App Controller can't create or manage building blocks for VMs or services. Nor can it be used to create new objects from scratch (except for service instances). Anything you work with in App Controller must first be prepared in VMM. That means creating VM templates, guest OS profiles, hardware profiles, application profiles and packages, and logical networks, as well as providing Sysprepped .vhd files, ISO images, and private cloud objects. To deploy services through App Controller, a VMM administrator must create a service template and deployment configuration. Self-service user roles also should be created in VMM and associated with one or more private clouds and quotas.

App Controller doesn't have its own security infrastructure: It relies completely on security settings in VMM, so available options for a user in App Controller depend directly on the rights and permissions that are assigned to the user in VMM. Authentication is performed by using a web-based form, but you can opt to use Windows Authentication in Microsoft IIS to achieve single sign-on (SSO).

Installation and Initial Configuration

App Controller is a lightweight product. The installation image is only 30MB and runs as a Microsoft Silverlight web application. You can install it on any domain-joined Windows Server 2008 R2 machine with the Web Server role installed. You'll also need Microsoft .NET Framework 4.0, as well as Microsoft SQL Server for creating the App Controller database. (You can safely reuse the same SQL Server instance that you used for VMM installation.) Optionally, you can also install the PowerShell Module for App Controller if you want to manage it in that way.

App Controller can be installed on the same machine as VMM Management Server, which is probably one of the most common scenarios. However, if you decide to deploy App Controller as a standalone server, you'll need to install VMM Management Console as a prerequisite. To access App Controller, you need a web browser with the Silverlight client installed. For more information about these requirements, see the Microsoft System Center App Controller System Requirements page.




Installation of App Controller is a fairly simple procedure. After selecting the installation path, you should configure an account for the App Controller service to use. You can use the Network Service account, which is the default, or you can specify a domain account (consider using Managed Service accounts) that you create for this purpose. You can also change the port that App Controller uses for its internal communication (the default is 18622). Because App Controller is a web-based application, HTTP traffic is not allowed and you should also select an SSL certificate. App Controller setup can create a self-signed certificate, or you can use another certificate, such as one that your private Certification Authority (CA) issues. Finally, you should select the SQL Server instance that will be used and choose a database name. After a minute or two, you're done.

The first thing to do after installing App Controller is to log on to it and connect to the private or public cloud. Open the App Controller website, log on as an administrator, and enter the Overview page. Click the option Connect to a Virtual Machine Manager server and clouds and a new window will open to let you add new VMM connections. You can add as many as five VMM connections. You should type the Fully Qualified Domain Name (FQDN) of the VMM server, as well as a connection name (which can be whatever you want). Port value should be left at the default value (8100) if you didn't change it on the VMM side. There is also an option to automatically import SSL certificates from the VMM server, which is needed to import files and templates from VMM to App Controller. If you don't have any security issue with this option, then you can leave it enabled.

Besides connecting App Controller to VMM, you can also make a connection to Windows Azure if you subscribe to that service. This step is optional but recommended if you use Windows Azure. Adding Windows Azure is a bit tricky: You should also provide a connection name and type to your Subscriber ID. However, because you can't automatically import certificates from Windows Azure, you should first go to Windows Azure Management Portal, click the Hosted Services, Storage Accounts & CDN tab, and then select Management Certificate in the navigation pane. There, you should add a certificate to your Windows Azure subscription. Windows Azure allows you to create your own management certificates, either self-signed or by using their preferred CA. Whatever you choose, export the .pfx file and then select it in App Controller as a management certificate when configuring the connection to Azure. App Controller stores this certificate in the App Controller database. Because the certificate contains the private key, you must provide the password so that App Controller can use the private key. (For a step-by-step discussion of this procedure, see the article, "Q: How do I create a certificate to enable System Center App Controller to manage Windows Azure?")

Certificates are used to set up the trust between the Windows Azure management API and App Controller. This trust allows App Controller to call on the Windows Azure API when tasks such as deploying services or changing configuration properties are performed in the App Controller console. The management certificate (.cer file) contains only the public key, which is kept in Windows Azure for accessing the API. By giving Windows Azure the public key and keeping the private key local, the authentication can be completed.

Browsing the App Controller Console

After you finish the initial configuration of App Controller, you can start to use the App Controller console. If you log on to App Controller as an administrator, you can perform all available tasks. But as I said at the beginning, there is not much point in using App Controller as an administrator, except for during initial configuration. Administrators can perform all App Controller tasks (and much more) through the VMM console. To enable other users (i.e., application and service owners) to use the App Controller console, you should first add them to the Self Service user role in VMM. You should then define the scope and available resources (e.g., private clouds, VM templates, storage) for that user role. Also, define quotas for self-service users so that you can keep resource usage under control. (If you don't properly complete these steps, you can easily run into a situation in which App Controller users quickly fill all available resources on your VM hosts -- probably a scenario that you don't want.) When a self-service user logs on to App Controller, that user will see only the resources and actions that you configured inside VMM.




The first thing that you see when you log on to App Controller is the Overview pane, which Figure 1 shows. It gives you status information about available private and public clouds, as well as about services and VMs to which you have access. You can also find quick links to deploy new services or VMs. And if an Internet connection is available, the Overview pane shows the most recent System Center–related blog posts, as well as any forum posts from the VMM Forum on Microsoft TechNet. This information can be useful so it's great that Microsoft included it. You can also find how-to links for some common tasks, which is great for new users. If you log on as an administrator, you can make new VMM or Azure connections from this pane, as well as create new user roles and add network file shares.

Figure 1: The App Controller Overview pane
Figure 1: The App Controller Overview pane 

The second pane is the Clouds pane, which Figure 2 shows. In this pane, self-service users can see the private and public clouds to which they have access. Users can start deployment of a new VM or service into the cloud and can manage Run As accounts. If a user chooses to deploy a new VM or service from this point, then that user is presented with a new deployment diagram, as Figure 3 shows, and can choose a VM or service template and start deployment. From the Clouds pane, an administrator can see all available private and public clouds.

Figure 2: The App Controller Clouds pane
Figure 2: The App Controller Clouds pane 


Figure 3: A new deployment diagram
Figure 3: A new deployment diagram 

On the Services pane, which Figure 4 shows, users can see the services and service instances that they've deployed. From here, users can also deploy a new service; open a diagram of an existing service; and start, stop, resume, suspend, or shut down existing services. Be aware that these actions apply to a service, not to a specific VM. In fact, when you perform an action on a service, one or more VMs are indirectly affected by that action. For example, if you decide to shut down a service, all the VMs that are associated to that service will shut down. Actions that are available to a user here directly depend on the allowed actions in the VMM Self-Service user role settings. From this pane, you can also initiate a service upgrade (if available), fix errors, and delete service instances. Administrators can see all services that users have deployed, with a full set of available actions.

Figure 4: The App Controller Services pane
Figure 4: The App Controller Services pane 

The Virtual Machines tab shows the existing VMs. For a self-service user, only VMs that are in the scope of the user's role are shown, as well as VMs that are used for any services that user deployed. From this pane, users can perform similar actions as on the Services tab, but on a VM basis. Besides regular actions, such as start, turn off, shutdown, and so on, you can also mount an ISO image into a VM and connect to a VM desktop by using RDP, as well as see VM properties.

The Library pane, which Figure 5 shows, gives self-service users access to VMM Library resources. Users can use this pane to see templates that are shared with them, as well as to access shared folders. Regular self-service users can't make any changes here but can use available resources to deploy new VMs or services and to access some shared files. Administrators can use the Library pane to create new shares that are available to App Controller and to perform some modifications on existing resources. The Library pane also shows available resources in the public cloud (Azure) and lets administrators create new storage accounts and browse image repositories.

Figure 5: The App Controller Library pane
Figure 5: The App Controller Library pane 

The final pane in the App Controller console is the Jobs pane, which Figure 6 shows. This pane has primarily the same functionality as the Jobs pane in VMM. Each self-service user can browse through jobs that the user initiated; administrators can see all jobs that have been performed through App Controller. You can also see details for each job.

Figure 6: The App Controller Jobs pane
Figure 6: The App Controller Jobs pane 

One more pane is available in the App Controller console, but only for administrators. The Settings pane lets administrators manage connections to private clouds and connections and subscriptions for public clouds. Also, administrators can use the Settings pane to create User roles. However, unlike other options, these roles aren't connected to VMM. User roles that are created here are not synced to VMM, nor can you see VMM User roles on this pane. The purpose of user roles in App Controller is to provide users with access to the public cloud infrastructure. Because self-service users can't add connections to a public cloud or directly use connections that administrators make, this pane is the only way to provide those users with access to public cloud resources. However, the use of the same terminology for both VMM user roles and App Controller user roles can be a bit confusing.

Ready When You Are

App Controller is no doubt a useful product. It isn't for everyone, but if you want to enable self-servicing and have users with an appropriate level of knowledge to use App Controller, it can be beneficial. (Companies with such scenarios will probably also want to consider System Center Service Manager as an additional layer for managing, requesting, and approving new virtual environments.) The transition to the concept of services and applications has started, but a full conversion won't happen quickly. From that perspective, App Controller is definitely a next-generation product. However, you can still use it now as a replacement for the VMM Self-Service Portal, even if you don't yet want to make the transition to services.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.