Best Practices for Securing System Center App Controller

How to Deploy and Manage Clouds with System Center App Controller

System Center App Controller (App Controller) provides a unified web-based console to deploy, monitor and manage private and public cloud resources. It sits alongside other System Center components (notably Virtual Machine Manager and Configuration Manager) and enables cloud administrators and application owners to work with virtual machines (VMs), services and templates across SCVMM-managed private clouds and supported public clouds (historically Windows Azure / Microsoft Azure). This guide explains planning, deploying, and daily management tasks for clouds with App Controller, and offers practical tips and troubleshooting pointers.


Who should read this

  • Cloud administrators managing System Center environments.
  • IT operations staff responsible for hybrid cloud deployments.
  • Application owners who deploy and manage services using System Center tooling.

Planning and prerequisites

Before deploying App Controller, confirm the following:

  • Supported OS and System Center versions: check compatibility with your versions of Windows Server, System Center components (VMM, Configuration Manager) and Microsoft Azure.
  • Required accounts and permissions:
    • A service account for App Controller with local admin rights on the App Controller server and proper rights in SCVMM.
    • RBAC roles in SCVMM for cloud owners and tenants.
  • Network and firewall configuration:
    • Ensure the App Controller server can reach SCVMM management servers, SQL Server used by SCVMM/App Controller, and any public cloud endpoints (e.g., Azure management endpoints).
  • Certificates:
    • For HTTPS access to the App Controller web console, prepare an SSL certificate trusted by users.
  • SQL Server:
    • App Controller stores its configuration in a SQL Server database. Prepare an instance and account with rights to create and manage the App Controller database.

Concrete checklist:

  • Windows Server (supported version) ready.
  • Service account for App Controller.
  • SQL Server instance accessible.
  • SCVMM available and networked.
  • SSL certificate for HTTPS.
  • Appropriate firewall rules.

Installing System Center App Controller

  1. Prepare the server:
    • Join to domain and apply Windows updates.
    • Install server roles/IE prerequisites if needed.
  2. Run the App Controller installer:
    • Launch setup on the server.
    • Provide the SQL Server instance and credentials for the App Controller database.
    • Specify the service account and configure the service to run under that account.
  3. Configure HTTPS:
    • Bind the issued SSL certificate to the App Controller site in IIS.
    • Ensure the certificate’s CN/SAN matches the URL users will browse.
  4. Connect to SCVMM:
    • From the App Controller console, add the SCVMM server by providing the management server name and appropriate credentials (usually a user with SCVMM administrator role).
    • App Controller will synchronize cloud, VM, and template data from SCVMM.
  5. (Optional) Connect to Azure:
    • Add your Azure subscription credentials (management certificate or service principal, depending on Azure model and App Controller version).
  6. Validate installation:
    • Sign in via the web UI, verify status of connected clouds, and confirm ability to view VMs and templates.
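
A check for step 3, and for the certificate item under troubleshooting, as an added example that is not part of the original guide or of App Controller: it opens a TLS session to the console and reports name mismatch, chain trust and expiry as the connecting client sees them. The function name, the 30-day warning window and the host name are assumptions.

```powershell
# Added example. Reads the certificate a web console presents and reports problems.
function Test-ConsoleCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,  # name users browse to
        [int]$Port = 443,
        [int]$WarnDays = 30                               # assumed renewal window
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Let the handshake finish even when validation fails, so that a bad
        # certificate can still be reported on. No data is sent over the session.
        $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($source, $certificate, $chain, $errors)
            $script:policyErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # 2.5.29.17 is the Subject Alternative Name extension.
        $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $flags = [System.Net.Security.SslPolicyErrors]

        New-Object PSObject -Property @{
            Subject      = $cert.Subject
            SAN          = if ($san) { $san.Format($false) } else { '(none)' }
            NotAfter     = $cert.NotAfter
            ExpiresSoon  = ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays))
            NameMismatch = $script:policyErrors.HasFlag($flags::RemoteCertificateNameMismatch)
            Untrusted    = $script:policyErrors.HasFlag($flags::RemoteCertificateChainErrors)
            Protocol     = $ssl.SslProtocol
        }
    }
    finally {
        $tcp.Close()
    }
}

# Placeholder host name; substitute the host part of the URL users browse.
Test-ConsoleCertificate -HostName 'appcontroller.example.com' | Format-List
```

Run it from a typical user workstation rather than from the server itself, because `Untrusted` reflects the trust store of the machine where the check runs.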

Integrating App Controller with SCVMM and Azure

  • SCVMM integration allows App Controller to list private clouds, services, templates, and VMs managed by SCVMM. Ensure the account used by App Controller has the necessary SCVMM roles so it can read and manage tenant resources.
  • For Azure, App Controller supports classic Azure subscription models in older versions and may require a management certificate or service principal. Verify which authentication model your App Controller version requires.
  • Once connected, App Controller provides a consistent catalog of services and templates that application owners can deploy to either private or public clouds.

Organizing clouds and resources

  • Use SCVMM clouds to group resources by capacity, location, or purpose (e.g., Production, Test, Development).
  • In App Controller, present clouds to business users with clear naming and descriptions.
  • Implement RBAC to restrict who can deploy to specific clouds. Define roles such as cloud owner, service owner, and tenant user in SCVMM and map those roles within App Controller where appropriate.
  • Maintain a template catalog: store service templates and VM templates in SCVMM and ensure they are published and visible in App Controller for users to consume.

Deploying services and VMs from App Controller

  1. Choose target cloud (private or Azure) from the App Controller portal.
  2. Select a service template or VM template from the catalog.
  3. Configure deployment parameters:
    • VM size, network assignments, storage locations.
    • Service parameters and application settings for multi-tier services.
    • Credentials and certificates required by the deployed application.
  4. Set deployment options:
    • Whether to deploy immediately or stage in a reserved environment.
    • Placement policies (e.g., preferred host groups).
  5. Deploy and monitor:
    • App Controller submits deployment requests to SCVMM or Azure and returns status.
    • Monitor deployment progress, view events and logs, and access VM consoles if needed.

Example: Deploy a three-tier service to a private cloud

  • Select the three-tier service template in App Controller.
  • Choose the Production cloud, map networks (web front-end to DMZ subnet, app tier to internal subnet).
  • Provide service-specific configuration (DB connection string, admin password).
  • Start the deployment and watch the service reach “running” state in the portal.

Managing running clouds and workloads

  • Day-to-day tasks in App Controller:
    • Start, stop, pause, and delete VMs and services.
    • Scale out/in services if templates support scaling.
    • Migrate VMs between hosts or clouds (using SCVMM orchestration for private clouds).
    • Configure or reassign network and storage resources via SCVMM.
  • Monitoring:
    • Use built-in status dashboards for quick health checks.
    • Integrate with System Center Operations Manager (SCOM) for deeper monitoring, alerts, and performance data.
  • Backup and recovery:
    • Ensure VM backup and recovery policies are managed through the backup solution integrated with SCVMM (e.g., DPM or third-party).
    • Test restore of VMs and services regularly.
  • Change management:
    • Use versioned templates and maintain a registry of changes to service templates.
    • Test template updates in a staging cloud before promoting to production.

Security and compliance considerations

  • Secure the App Controller web portal with HTTPS and strong authentication.
  • Enforce least privilege: grant only necessary SCVMM roles to service accounts and users.
  • Use RBAC to control deployment targets and operations available to tenants.
  • Audit and logging:
    • Enable auditing in SCVMM and collect App Controller logs for forensic analysis.
    • Retain logs according to compliance requirements.
  • Network security:
    • Use network isolation and ACLs to separate tenant networks.
    • Protect management networks and limit access to the App Controller server.

Automation and advanced operations

  • PowerShell integration:
    • Use App Controller and SCVMM PowerShell cmdlets to automate common tasks: bulk deployments, scheduled scale operations, template propagation.
    • Example tasks suitable for scripting: mass VM provisioning, periodic scaling based on schedule, automated decommissioning.
  • Orchestration with Service Templates:
    • Create service templates that codify deployment topology, dependencies and configuration scripts to enable reproducible deployments.
  • Self-service portals:
    • Combine App Controller with Service Manager or a custom portal for catalog-driven provisioning workflows, approvals, and chargeback.

Troubleshooting common issues

  • App Controller cannot connect to SCVMM:
    • Verify network connectivity, firewall rules, and that the SCVMM management service is running.
    • Ensure the service account has the correct SCVMM role and that credentials are not expired.
  • Deployments stuck or failing:
    • Check SCVMM job history for errors; review template configuration and networking mappings.
    • Confirm resource availability (compute, storage, IP addresses).
  • Certificate or SSL errors:
    • Ensure the SSL certificate is correctly bound in IIS, valid, and trusted by clients.
  • Performance problems:
    • Monitor App Controller server resource usage; scale up CPU/RAM or distribute load if necessary.
    • Check SQL Server performance and indexing for the App Controller database.

Decommissioning and upgrades

  • Upgrades:
    • Follow System Center upgrade paths; patch SCVMM and App Controller in a compatible sequence.
    • Test upgrades in a lab before production. Back up the App Controller database prior to upgrade.
  • Decommissioning App Controller:
    • Remove cloud and subscription connections, export templates and configurations, and revoke service accounts.
    • Uninstall via Control Panel and drop the App Controller database after verifying no dependencies remain.

Useful tips and best practices

  • Keep service templates and VM templates well-documented and version-controlled.
  • Limit the number of administrative accounts; prefer group-based RBAC.
  • Use tagging and consistent naming conventions for clouds, networks, and templates for easier discovery.
  • Regularly validate disaster recovery procedures for VMs and services.
  • Automate repeatable tasks with PowerShell to reduce human error.

Summary

System Center App Controller is a useful portal for deploying and managing workloads across private and supported public clouds when integrated with SCVMM and Azure. Proper planning, secure configuration, template management, RBAC, and automation are the keys to a successful hybrid-cloud lifecycle using App Controller.
