Microsoft System Center 2012 App Controller is a brand new addition to the management product. Whereas all the other System Center 2012 components are upgrades to existing products, App Controller has been written from scratch. The component provides a rich, web-based environment that end users can use to create, manage, and connect to services and virtual machines (VMs). These VMs can be in private clouds that are managed with System Center 2012 Virtual Machine Manager (VMM), in Windows Azure Infrastructure as a Service (IaaS), or hosting partners' Microsoft Service Provider Framework (SPF). Azure IaaS and SPF support were added to App Controller in System Center 2012 Service Pack 1 (SP1). You might be wondering when to use the VMM self-service portal and when to use App Controller. The answer is to always use App Controller. The VMM self-service portal has been removed in VMM 2012 SP1.

Related Articles:
"What’s New with System Center 2012 Service Manager SP1"
"Understanding Microsoft System Center 2012 Licensing"
"Understanding System Center 2012 Configuration Manager"
"Getting Started with System Center 2012 Orchestrator"
"Learn What System Center 2012 Operations Manager Can Do for You"

This article focuses on App Controller in System Center 2012 SP1, which broadens the component's capabilities and adds support for Windows Server 2012 (via the VMM component). I definitely recommend deploying SP1. Also make sure to download and apply the Update Rollup 1 for VMM and App Controller. This update addresses some significant issues.

App Controller is supported on Windows Server 2012 and Windows Server 2008 R2 SP1. However, if you are installing App Controller on the same server as the most recent version of VMM, then you must use Windows Server 2012. (VMM no longer supports Windows Server 2008 R2.) App Controller leverages its own database to store configuration information; this database can be SQL Server 2012, SQL Server 2008 R2, or SQL Server 2008 SP2.

As previously noted, App Controller is often deployed on the same server as VMM. The components work together closely. But in large environments that require greater scalability, App Controller can be deployed on its own OS instance. App Controller can be made highly available or can be load-balanced by using any of several available mechanisms. First make sure that the SQL Server database is part of a highly available SQL Server cluster. For the App Controller server, either make the App Controller VM highly available or deploy multiple App Controller instances that use the same SQL Server database and share a common encryption key.

Installing App Controller

The installation of App Controller is simple. Most of the actual configuration, in terms of users and available resources, comes from VMM. This means that before deploying App Controller, it's important to deploy VMM and create clouds of resources and defined tenants (i.e., groups of users with various rights and quotas for those clouds). These fundamental building blocks enable App Controller to integrate with on-premises virtual environments. It's also necessary to create VM templates (and, optionally, to create service templates), because these are how users deploy environments through App Controller.

Your App Controller administrators must also be VMM administrators. The account you use to install App Controller must be a member of the local Administrators group on the server and will become the first App Controller administrator.

The actual installation of App Controller is documented in the TechNet article "Installing App Controller" and is intuitive because there are so few installation options. As long as your SQL Server deployment is available for use by App Controller and your server meets requirements, the only change that you might want to make to the standard installation is to use a trusted SSL certification. This option is preferred over a self-signed certificate generated by the install process, so that users don't get warnings that the certificate is not trusted. I definitely recommend against using the self-signed certificate, unless you're using App Controller in a limited test environment.

After the App Controller installation is complete, make sure to install the Update Rollup 1 for App Controller (and for VMM). Then run Windows Update to check for any post-rollup hotfixes.

The only configuration that you must perform is to connect App Controller to the VMM instance. To do so, log on to the App Controller website, which takes the form https://<App Controller Server>. Next, choose the Settings navigation node and the Connections child navigation node. Choose the Connect, SCVMM action, as shown in Figure 1.

Figure 1: Connecting App Controller to VMM

This action launches the Add a new VMM connection screen. Enter a name for the new VMM connection, a description, and the VMM server name. (Remember, you should be logged on as an administrator for both App Controller and VMM.)

You'll notice that a Windows Azure connection exists by default. This connection allows the addition of Windows Azure subscriptions to App Controller. Also note the option to add a Service Provider, which can be a company that offers VM hosting and has implemented the SPF so that it can be managed via App Controller. Think of the SPF as exposing the hoster's own VMM deployment to your on-premises App Controller. The hoster must give you the Uniform Resource Identifier (URI) for your tenant ID in their environment to complete the connection from App Controller.

If your organization uses Windows Azure, then add those subscriptions to App Controller by navigating to the Clouds view and using the Connect, Windows Azure Subscription action (or use Settings, Connections, Add). To link to Windows Azure, you must have created a management certificate, which must be imported into the Windows Azure subscription and be available for importing into App Controller as part of the process of connecting App Controller to Windows Azure. I detail the whole process, including how to create and use the certificate, in the FAQ "How do I create a certificate to enable System Center App Controller to manage Windows Azure?"

Under the Settings navigation node is the User Roles child node. In User Roles view, you can configure additional App Controller administrators by adding members to the Administrators built-in user role. If you added Windows Azure subscriptions or connections to SPF hosters, then additional user roles can also be created to control App Controller user access to those subscriptions and services. Otherwise, these subscriptions and services can't be controlled through your on-premises VMM instance, which only manages the on-premises private cloud infrastructure.

Consider what you now have with App Controller: a single pane of glass that has access to your on-premises private clouds as defined and managed in VMM, to your Windows Azure subscriptions, and to your services at hosting partners that leverage SPF. Initially, most organizations will use App Controller for their on-premises private cloud management only. But the ability to grow App Controller's reach can help organizations to embrace a hybrid cloud approach.

Some customization of App Controller is possible. Changing the graphics for App Controller, as you can see in Figure 1, is easy. The logos are simply two image files (SC2012_WebHeaderLeft_AC.png and SC2012_WebHeaderRight_AC.png) in the \%PROGRAMFILES%\Microsoft System Center 2012\App Controller\wwwroot folder. Just back up and replace these images. Be sure that your replacement graphics are the same dimensions as the originals—287×44 and 108×16, respectively—or they won't work.

All App Controller configurations are performed through the website; there is no separate management tool. Because the App Controller web interface is based on Microsoft Silverlight, the browser used must be a 32-bit browser that supports Silverlight 5. Therefore, you need to use Internet Explorer (IE) 8 or later. Other browsers don't work at this time. If you are embracing Windows PowerShell, the PowerShell module for App Controller enables all the related key configurations. Run the following PowerShell command to see the available cmdlets:

Get-Command –Module AppController

Using App Controller

App Controller is ready to use immediately after being connected to your cloud services. Users navigate to https://<App Controller Server> and log on using their domain credentials in a Forms Based Authentication (FBA) interface. You can also enable single sign-on (SSO), which removes FBA completely.

After authentication, users see the clouds that have been defined in VMM and to which they have access, as well as their Windows Azure subscriptions and SPF services, in the Overview window. If a user is not a tenant (i.e., not part of any role that has rights) of a cloud that is defined in VMM, then the user does not see any private clouds in App Controller. Think of App Controller as an interface into the VMM configurations for the private cloud. The actual granting of rights is all performed through VMM.

The App Controller interface is highly intuitive. Users can typically pick up its use very easily. Figure 2 shows a default view for users when they log on.

Figure 2: Overview Screen for a Standard User

In this example, you can see that the user has access to one on-premises cloud and one Windows Azure subscription. For the on-premises cloud, App Controller shows the user's current resource usage and remaining quota. Anytime a user deploys a new VM or service, App Controller shows the quota impact and ensures that the user cannot exceed the quota. Notice that for standard users, the Settings navigation node is not shown. Also, standard users' recommended Next Steps are different from an administrator's and are limited to deploying a new service or VM.

Clicking a cloud in the Overview window opens the Clouds view, which allows the deployment of services via the Deploy button. The deployment experience is one of the highlights of App Controller.

When the deployment is initiated, the New Deployment page opens. By default, this page shows the cloud that was selected when the Deploy button was clicked. Initially, the only possible configuration is to select a template, as shown in Figure 3.

Figure 3: New Deployment Screen

This template is a composite view of all the initial options, depending on the selected cloud. The available templates depend on which cloud is being deployed to and which templates the user has access to. If I deploy to Windows Azure, I get the standard list of Azure templates and any custom ones that I might have added. If I deploy to my on-premises private cloud, I see the templates and services available for my user role.

After a VM is selected, configuration is possible. For example, you can name the VM and perhaps perform some customization, depending on the selected template. If you have defined service templates—scalable, multi-tiered complete services that are designed within VMM—and made them available to the tenant, then selecting a service results in a rich view in App Controller, as shown in Figure 4.

Figure 4: Sample Deployment of a Three-Tiered Service

This view allows all the VMs for the initial service deployment to be configured and deployed. However, no configuration is necessary. Default VM and computer names are automatically generated for all the VMs that are deployed as part of the service.

I say the initial deployment because the whole point of service templates is that each tier can have a variable number of VMs, depending on load. App Controller deploys the initial number of VMs that are defined for each tier, but that number can grow or shrink as the service runs. App Controller allows the addition of VMs for a deployed service via the Scale Out action, which is available from the diagram view of a deployed service. (To scale in a tier of a service, manually delete VMs; there is no specific Scale In action.)

After all customization is complete, click the Deploy button to create a deployment job. If the deployment is to a private cloud, then the job is created in VMM. If the deployment is to Windows Azure, then the job is created in Windows Azure. Deployments to an SPF hosted cloud are created on the SPF infrastructure. Whatever the target, the user's deployment experience is the same, and the deployment progress can be seen in the Jobs view. The actual deployment time depends entirely on the size and number of VMs that make up the deployment and the service being deployed to, but the progress can be tracked in detail by using the Jobs view.

After the services and VMs are deployed, they can be viewed by using either the Services or Virtual Machines view. For now, I will focus on the Virtual Machines view, which is the primary way that most companies will use App Controller in the near term. (I do strongly encourage you to look at service templates in VMM, because they provide some amazing capabilities in terms of scalability and manageability.) The Virtual Machines view shows all the provisioned VMs, the VMs that are stored in the library that the current user owns, and the VMs to which the user has been given access. Default actions for VMs—Startup, Shutdown, Pause, Turn Off, Save, Store, Mount image, Remote Desktop, and Console—are available, as Figure 5 shows.

Figure 5: Available Actions for VMs

If the Properties option is selected, then additional options, such as configuring access for other users and creating and applying snapshots, are available. Remember that the available actions depend on which actions are granted to the user. Take some time to look around the App Controller interface, both as an administrator and as a regular user. Be sure to look at the information and options for the Library and Jobs views.

Although App Controller provides huge benefits from a single view for all virtualization services that an organization uses, it also opens up some great hybrid capabilities. You can deploy VM templates stored on-premises in VMM to Windows Azure. You can take a VM that is stored in the VMM library and deploy it to Windows Azure; this is how you migrate a VM from on-premises Windows Hyper-V to Windows Azure. There is no live migration functionality. You must stop the VM running on-premises and save it in the library, using the Store action, before it can be deployed to Windows Azure by using the Copy action. To bring a VM back from Windows Azure, you must copy the virtual hard disks (VHDs) from Windows Azure into your VMM library, then redeploy. Another option for VM migration between on-premises and Windows Azure is to use System Center 2012 Orchestrator, which offers more flexibility and power to the migrations.

One important point to note is that at the time of writing, Windows Azure does not support the VHDX format. Therefore, the only VMs that you can move to Windows Azure or templates that you can deploy to Windows Azure from on-premises libraries are those that exclusively use VHD. If there are any VHDX files in the VM or template, then the option to deploy or copy to Windows Azure is unavailable.

Management Made Easy

I've focused on end-user self-service, but the reality is that you might not want to enable end-user self-service yet. App Controller is still useful as a tool for administrators to deploy and perform web-based management of VMs, although administrators have other options, such as the VMM console and Orchestrator. I've created a short video to quickly walk you through the key App Controller experience.

One question often comes up when discussing App Controller: How can you enable workflows within the VM provisioning process? For example, suppose you want users to be able to request a VM, but you want a manager to approve the request first. There is no workflow or approval capability in App Controller. Its goal is to allow users to create and manage within the confines of the resources and quotas that have been assigned to them. This is enough for many organizations. If you require workflow authorization, then you should use the System Center 2012 Service Manager Service Catalog capability, which I cover in the article "What's New with Service Manager 2012 SP1." In that case, the Service Manager web portal is used to request new VMs and even new clouds (along with any other type of resources in the organization). App Controller is then used to manage and interact with the created VMs. The use of two web interfaces is not ideal, but there is a clear distinction when you use Service Manager to request resources and App Controller to manage and interact with them.

App Controller is a great web interface for consistently managing all types of cloud services in your organization. It's important to remember that for private clouds, App Controller simply surfaces the clouds that are created in VMM, so the back-end virtualization is not limited to Hyper-V. VMM also provides private cloud capabilities to VMware ESX and Citrix XenServer, so you can gain the private cloud capabilities of VMM, App Controller, and the entire System Center 2012 suite, even when you don't use Hyper-V.