Friday, February 25, 2011

More lessons learned on Windows Azure pricing

@YaronNaveh

My Bart Simpson's guide to windows Azure has been highly successful. From Twitter to the post comments to my mail box I got a lot of good feedback.

Here are some insights you might want to know:

Extra small instances might not be included in your free Azure account.
David Pallmann was the first to notice that some of the special Azure offers (like the MSDN one) actually have some small letters:

**Extra small compute instances are available in beta and are billed separately from other compute instance sizes.

This practically means you pay for these instances from day 1! Here is my account:


So you should check your account details and determine if extra small instances work for you.

I also recommend you check out David's Hidden Costs in the Cloud series which has some important insights.

Hot news: Azure trial with extra small instances
A few days ago Microsoft has started to offer an introductory offer which includes 750 free monthly hours of x-small instances (until June). Check it out.

Also thanks to David Makogon I've fixed an error in the config sample to configure extra small instances.

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Saturday, February 19, 2011

Bart Simpson's guide to Windows Azure

@YaronNaveh

The original name of this post was "a poor developer's guide to windows azure" but then I found the Bart Simpson's Chalkboard Generator:


My Azure story begins back in PDC08 where Microsoft announced a community preview of Windows Azure which includes a free subscription for a limited period. I took advantage of this to develop the Wcf binding box (which btw got some good reviews). A few months after, the preview has ended and my account became read only. I was not too bothered by it as I had other things in mind. A few weeks ago I had a crazy idea to build a wsdl2-->wsdl1 converter. The most natural way to do it was to create an online service. But my azure trial is already in freeze, and I did not want to pay a hosting service just to host a free contribution I make for the community. What could I do? I then remembered that I (and my contest winners) have a special MSDN premium Azure offer. And this is how wsdl2wsdl came to life. Veni, vidi, vici? Oh my...

A few days after going on air I get this email from Microsoft:

Your Windows Azure Platform Usage Estimate - 75% of Base Units Consumed‏

This e-mail notification comes to you as a courtesy to update you on your Windows Azure platform usage. Our records indicate that your subscription has exceeded 75% of the compute hours amount included with your offer for your current billing period. Any hours in excess of the amount included with your offer will be charged at standard rates.

Total Consumed*: 592.000000 Compute Hours
Amount included with your offer: 750 Compute Hours
Amount over (under) your monthly average: -158.000000 Compute Hours


Let's see... I should get 750 compute hours / month, a month has 31 days (a worse case analyses), 750 / 31 > 24 which means I should have more than 24 complimentary compute hours per day. How could they run out so fast?


Bart Simpson's Azure Rule #1:


As a developer, it made too much sense to develop the binding box and wsdl2wsdl in a separate visual studio solutions. This yields two separate azure hosted services:


And this yields two separate bill items per day:


This means I was not paying for 24 compute hours per day, I was paying 24*2!


Now you may say RTFM. But nobody does it. Not when we download some open source library from the web, and not when we upload something in the other direction.

But why did the bill had 4 itmes and not two?


Bart Simpson's Azure Rule #2:


Not only did I had two hosted services online, but I also had two environments for each - staging and deployment. You pay for what you get:

2 services * 2 deployments = 4 * 24 hours a day = 96 hours a day!


Bart Simpson's Azure Rule #3:


I was on my way to a Chapter 11 when I decided to panically press the stop button on my unintended deployments:


However this does not reduce costs:

Suspending your deployment will still result in charges because the compute instances are allocated to you and cannot be allocated to another customer.

Remember: Always delete deployments you do not want to pay for. Suspending / stopping them still results in charges.


Bart Simpson's Azure Rule #4:


For applications with very small needs an extra small instance should be enough. It can save you costs by up to 60%! Configuring it is very easy:

<WebRole name="WebRole1" vmsize="ExtraSmall">


Conclusion

Homer Simpson once said "Trying is the first step towards failure." In my case it was the first step to this blog post and to my first two weeks Azure bill:


I'll end the month on around 50$ which is not too bad for a commercial site. But for a contribution to the community and my fun? Oh my...

Weather you are an independent developer or a Fortune 5000 company - know the Azure pricing model and how your account fits in.

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Sunday, February 13, 2011

Wcf: Keyset does not exist

@YaronNaveh

When using X.509 certificates with Wcf the below error may appear:

System.Security.Cryptography.CryptographicException: Keyset does not exist
ArgumentException: The certificate 'CN=MyCert' must have a private key that is capable of key exchange. The process must have access rights for the private key.

95% of the time this means that the certificate which the server/client use either does not have a private key or the Wcf host process does not have permissions to the key.

No private key
This case applies when the certificate is expected to have a private key, e.g. the server private certificate when defined on the server side, and not the server public when defined on the client. To check if the certificate has a private key follow these steps:

1. start-->run-->"mmc"

2. file-->add remove snap in...

3. double click "certificates" in the list

4. Choose "My user account" if the certificate is located in the current user store, or "Computer account" if located on the local machine store. If you are unsure you can repeat the process twice each time with a different choice.

5. click Finish + Ok

6. now expand the tree to the correct store and when you see the certificate double click it. Then check if it has the little key icon on it. If it does not then you did not import it with its private key (or got the wrong cert).


No permissions
Even if the certificate has a private key, it still does not mean all users on the machine have access to it. One common gotcha is to give access to the admin (or logged in user) but forget that IIS usually runs under another user account. This may cause a code to work correctly under an interactive user but to fail under IIS or any windows service. One way to check if this is the case is אם give the user full permissions to the key (temporarily!).

How to give permissions to a key?
the hard way is using WinHttpCertCfg.exe (details ,download):

winhttpcertcfg -g -c LOCAL_MACHINE\My -s CN=WSE2QuickStartServer -a SomeUser

Another way is using some gui utility and WseCertificate2.exe is a good one:

1. install the Wse2 sdk

2. run C:\Program Files\Microsoft WSE\v2.0\Tools\Certificates\WseCertificate2.exe

3. choose the certificate using the location / store drop down lists and the "open certificate" button.

4. click the "view private key file properties..." button on the bottom.

5. depending on your OS version, grant permissions for the user you want.


If all this did not help ten make sure that when have you installed the certificate you checked the "mark this key as exportable" checkbox:


Sometimes these permissions are cached so you can also restart IIS (and maybe even the PC). And as always with certificate, when you're already pulling out your hair it's time to uninstall all certificates and start all over again.

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Saturday, February 12, 2011

Wcf support for Wsdl2

@YaronNaveh

Last time I introduced wsdl2wsdl, an online wsdl2-->wsdl1 converter.
Today I am proud to announce svcutil2 - a Wcf proxy generator for Wsdl2. svcutil2, like the original svcutil, generates Wcf proxies from Wsdl2 documents. This is a huge accelerator for web services interoperability. See related discussion here.

svcutil2 is fully open sourced in CodePlex.

How to generate Wcf clients from Wsdl2 documents?
1. Download the latest version of svcutil2.exe from CodePlex

2. Open the VS command console or otherwise make sure the original svcutil.exe is in the current path (usually located in C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin)

3. Use svcutil2 exactly like you use svcutil:

$> svcutil2.exe http://webservices20.cloudapp.net/wsdl2wsdl/wsdl/simple2.wsdl

you can also work with Wsdl's from file system or use any of the svcutil available flags.

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Saturday, February 5, 2011

Downgrade! Convert Wsdl 2.0 to Wsdl 1.1 (Wsdl2Wsdl)

@YaronNaveh


Wsdl2Wsdl is Here!

Wsdl 2.0 never fulfilled its promises: It did not replace Wsdl 1.1 and soap stacks rarely support it. It did not became the Metadata standard for Rest based web services. And in an era where a service metadata can be summed up with a resource uri, Wsdl 2.0 is barely looked at as a simplification. All this is hardly Wsdl 2.0 fault. It's the timing. The backlash against Soap/Wsdl based services was far behind its point of no return in the period where Wsdl 2.0 was expected to get high adoption. It is not too risky to bet that Wsdl 2.0 will never be implemented by existing soap stacks, and Wcf is no exception.

And the sky is blue. So?
While service authors may elegantly ignore Wsdl 2, if you're on the consumer side you might need to consume a service which metadata is a Wsdl 2 document. Most chances are that your client stack does not support code generation from this version of Wsdl. This is an annoying interoperability problem.

Wsdl2Wsdl
I have written an online Wsdl 2 --> Wsdl 1 converter. While there are a number of Wsdl1 --> Wsdl 2 converters available, I have yet to find one in the opposite direction.
Wsdl2Wsdl provides you a url which dynamically converts the Wsdl per demand. This means you always get the live version of the wsdl.


Can I run Wsdl2Wsdl on my premise?
The current version of Wsdl2Wsdl is web based so if your Wsdl has some secrets / IP you should take this into consideration. I plan to open source it and ship an on premise version. You are welcome to contact me if you need this urgently.

Where is Wsdl2Wsdl?
It's hosted on my Azure account:

http://webservices20.cloudapp.net/wsdl2wsdl.html

Drop me a mail with any issue or feedback.

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Wednesday, February 2, 2011

Utility to export X.509 certificates

@YaronNaveh

The number of X.509 formats \ stores can be overwhelming: pfx, p12, pem, jks, windows store and more. When working on multi platform projects exporting the certificate from one format \ store to the other is essential. Traditionally the way to do it was with openssl. While there is nothing wrong with that, you usually forget how to use it a minute after you do, and need to learn it again the next time.

Over a year ago travis had published a super relevant utility to export certificates. It is really easy to use and prevents that recurring learning curve with openssl.

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!