AWS re:Invent 2016: Simplifying Microsoft Architectures with AWS services (WIN201)

Learn how to architect fully available and scalable Microsoft solutions and environments in AWS. Find out how Microsoft solutions can leverage various AWS services to achieve more resiliency, replace unnecessary complexity, simplify architecture, provide scalability, introduce DevOps concepts, automation and repeatability. Plan authentication and authorization, various hybrid scenarios with other cloud environment and on premise solutions/infrastructure. Learn about common architecture patterns for Active Directory and business productivity solutions like SharePoint, Exchange and Skype for Business, also common scenarios for SQL deployments and System Center.

  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Zlatan Dzinic, Senior Architect. November 29, 2016. Simplifying Microsoft Architectures with AWS Services (WIN201)
  2. What to Expect from the Session • Simplicity and Automation • Microsoft Architectures on AWS and how to build them • Identity and Access Management • SQL Server • Developers • Administration
  3. [Diagram: Windows workload categories] Developer platform and tools • Corporate applications • Line of business applications • End-user computing
  4. AWS service offerings for Windows workloads (table) • Corporate applications: EC2 for Windows, AWS Directory Service, RDS, Marketplace • Business applications: Amazon EC2 for Windows, Amazon RDS, AWS CloudFormation, Amazon CloudFront • End-user computing: Amazon WorkSpaces, Amazon AppStream, Marketplace, AWS Mobile Services, SaaS • Information security: AWS Identity and Access Management (IAM), AWS CloudHSM, AWS Key Management Service (KMS), security groups, AWS Marketplace • Infrastructure: EC2, Amazon S3, RDS, Amazon VPC, AWS Direct Connect, Directory Service, IAM, AWS Service Catalog • DevOps: AWS Elastic Beanstalk, AWS CodeDeploy, CloudFormation
  5. Architecture
  6. Sample Microsoft Architecture [Diagram: one VPC spanning two Availability Zones. Each AZ has a public subnet (RD Gateway, VPC NAT Gateway) and a private subnet (IIS Web and IIS App instances under Auto Scaling, AWS Directory Service, MS SQL). The two MS SQL instances form an Always On Availability Group across the AZs. An Internet Gateway serves remote users; a Virtual Private Gateway connects the corporate office over VPN and AWS Direct Connect; a VPC Endpoint gives the private subnets access to Amazon S3 without traversing the Internet.]
  7. Secure remote administration architecture [Diagram: the AWS administrator or the corporate data center connects over TCP 443 to the RD Gateway (RDGW) in the public subnet. The Gateway Security Group accepts TCP port 443 from the admin IP only; the Web Security Group (WEB1, WEB2 in the private subnet) accepts traffic only from the Gateway Security Group, so the web tier has no inbound path from the Internet.] Requires one connection: connect to the RD Gateway, and the gateway proxies the RDP or PowerShell connection to the back-end instance.
  8. Microsoft Enterprise Applications
  9. Shared Service VPC. Best suited for: • The majority of your infrastructure is (or will be) on AWS • The required on-premises resources are easy to replicate or proxy (e.g., Active Directory, System Center, central SQL farm) • You prefer to limit VPN traffic • Strong security or compliance programs require additional application-level controls and proxy servers between AWS and on-premises resources (e.g., application-layer firewalls)
  10. AWS CloudFormation: Infrastructure as Code. The basic standard in AWS for automating deployment of resources. A CloudFormation template is a JSON-formatted document (YAML has also been accepted since September 2016) that describes a configuration to be deployed in an AWS account; when deployed, it is referred to as a "stack" of resources. See Bootstrapping AWS CloudFormation Windows Stacks, http://tinyurl.com/aws-win-boot
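The remote-administration pattern of slide 7 expressed as the kind of template slide 10 describes, plus the check a reviewer would run against the live security groups. This is an added example in Python, not code from the deck: the VPC ID, security group IDs, the admin CIDR, the back-end ports (RDP 3389 and WinRM-over-HTTPS 5986 for PowerShell remoting) and the sample describe_security_groups records are all constructed. The audit works on data shaped like the boto3 EC2 API response so it runs offline.

```python
"""Added example (not from the WIN201 deck): the slide-7 remote-administration
pattern as a CloudFormation template, plus an offline audit of the resulting
security-group rules.  All IDs, the admin CIDR and the sample data are made up."""
import ipaddress
import json

# Ports the RD Gateway is allowed to reach on the back-end instances: RDP and
# WinRM-over-HTTPS (PowerShell remoting).  Assumption, not stated on the slide.
BACKEND_PORTS = (3389, 5986)


def remote_admin_template(vpc_id: str, admin_cidr: str) -> dict:
    """Return a CloudFormation template (JSON-serialisable dict) with the two
    security groups from slide 7: the gateway SG admits TCP 443 only from the
    administrator's address, and the web SG admits only the gateway SG."""
    net = ipaddress.ip_network(admin_cidr, strict=True)
    if net.prefixlen < 24:        # refuse broad ranges such as 0.0.0.0/0
        raise ValueError(f"admin CIDR {admin_cidr} is too broad for an admin allow-list")
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "GatewaySecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "RD Gateway: HTTPS from admin IP only",
                    "VpcId": vpc_id,
                    "SecurityGroupIngress": [
                        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                         "CidrIp": admin_cidr}
                    ],
                },
            },
            "WebSecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "Web tier: management ports from gateway SG only",
                    "VpcId": vpc_id,
                    # Source is the gateway SG, not a CIDR: instances behind it
                    # can change address without the rule drifting open.
                    "SecurityGroupIngress": [
                        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
                         "SourceSecurityGroupId": {"Ref": "GatewaySecurityGroup"}}
                        for p in BACKEND_PORTS
                    ],
                },
            },
        },
    }


def audit_security_groups(groups, gateway_sg_id, web_sg_id, admin_cidr):
    """Check describe_security_groups()-shaped records against the slide-7
    policy and return a list of human-readable findings (empty == compliant)."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            ports = (perm.get("FromPort"), perm.get("ToPort"))
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                if gid == gateway_sg_id and (ports != (443, 443) or cidr != admin_cidr):
                    findings.append(f"{gid}: tcp {ports} from {cidr} is not 443 from {admin_cidr}")
                elif gid == web_sg_id:
                    findings.append(f"{gid}: CIDR source {cidr} bypasses the gateway SG")
            for pair in perm.get("UserIdGroupPairs", []):
                src = pair["GroupId"]
                if gid == web_sg_id and src != gateway_sg_id:
                    findings.append(f"{gid}: source SG {src} is not the gateway SG")
                elif gid == gateway_sg_id:
                    findings.append(f"{gid}: SG-sourced rule from {src} on the gateway")
    return findings


# Constructed sample, shaped like boto3 ec2.describe_security_groups()["SecurityGroups"]
SAMPLE_GROUPS = [
    {"GroupId": "sg-gateway", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,   # drift: RDP open to the world
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-gateway"}]},
        {"IpProtocol": "tcp", "FromPort": 5986, "ToPort": 5986,   # drift: WinRM from a CIDR
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
    ]},
]

if __name__ == "__main__":
    print(json.dumps(remote_admin_template("vpc-0123", "203.0.113.10/32"), indent=2))
    for f in audit_security_groups(SAMPLE_GROUPS, "sg-gateway", "sg-web", "203.0.113.10/32"):
        print("FINDING:", f)
```

Against the constructed sample the audit reports two findings, the world-open RDP rule on the gateway and the CIDR-sourced WinRM rule on the web tier; both are exactly the kind of drift that turns the single-entry-point design of slide 7 into two entry points. With real data, feed it `boto3.client("ec2").describe_security_groups(GroupIds=[...])["SecurityGroups"]`.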
  11. How CloudFormation Works [diagram]
  12. AWS CloudFormation Designer • Visualize template resources • Modify the template with drag-and-drop gestures • Customize sample templates
  13. The Work* Services (table) • WorkDocs: secure enterprise document collaboration; central sync, document feedback; secure access from anywhere • WorkSpaces: virtual desktops; secure access from anywhere; monthly pricing • WorkSpaces Application Manager: virtual applications; centralized application deployment; monthly subscription options • WorkMail: secure email and calendaring; strong security controls; existing desktop and mobile client support • Directory Service: managed directories (Simple AD, AD Connector, Microsoft AD)
  14. Run Windows Server 2016 on Amazon EC2 • Windows Server 2016 Datacenter with Desktop Experience • Windows Server 2016 Nano Server • Windows Server 2016 with Containers (docker run microsoft/sample-dotnet) • Windows Server 2016 with SQL Server 2016
  15. Identity and Access Management
  16. AWS Identity and Access Management (IAM) • Role-based access control • Multi-factor authentication • Integrated with all AWS services • IAM roles
  17. Common Approaches • Active Directory: AWS Directory Service • Federation: federation to AWS services; federation to Microsoft workloads; claims-based access control; SSO (AD FS 4.0, Ping Federate, Okta); Kerberos
  18. Single domain extended to multiple sites [Diagram: company.local domain controllers DC1 (Berlin) and DC2 (Munich) in the corporate network, DC3 in Availability Zone A and DC4 in Availability Zone B (private subnets), connected over VPN / AWS Direct Connect; Active Directory site-link costs of 10 and 50 steer clients to the nearest site] One single identity, data center extension mode (relies on Active Directory sites; the AWS domain controllers may be read-only or not)
  19. One subdomain per site [Diagram: company.local on-premises (DC1 Berlin, DC2 Munich); cloud.company.local in AWS with DC3 in Availability Zone A and DC4 in Availability Zone B; VPN / AWS Direct Connect] Isolated subset of the directory, single identity for users (Active Directory domains in a single forest)
  20. One forest per site and trust [Diagram: company.local on-premises (DC1, DC2); company.cloud in AWS as AWS Directory Service with DC3 and DC4 across two Availability Zones; VPN / AWS Direct Connect] Separate directories, single identity (cross-forest / resource forest with trust)
  21. User identity federation with AWS IAM [Diagram: AD users authenticate to corporate systems and enterprise applications; federation maps them onto AWS IAM roles that grant access to EC2, Amazon DynamoDB and S3]
  22. Active Directory Deployments: Isolated domains [Diagram: company.local on-premises (DC1, DC2); company.cloud in AWS as AWS Directory Service (DC3, DC4) across two Availability Zones; federation / synchronization between the two; VPN / AWS Direct Connect] Separate identities, with synchronization/federation solutions such as AD FS, Okta, PingFederate
  23. AD FS Scenarios • Fully implemented AD FS: core authentication services exposed to the Internet by an AD FS proxy • Firewall-published AD FS: the firewall exposes core authentication services to the Internet by reverse proxy • Non-published AD FS: the server farm isn't exposed to the Internet by any method • VPN-published AD FS: Internet clients connect to and use AD FS services only through a virtual private network (VPN) connection to the on-premises network environment
  24. Active Directory Federation Services [Diagram: company.local on-premises (DC1, DC2) and company.cloud in AWS Directory Service (DC3, DC4), with federation / synchronization between them over VPN / AWS Direct Connect; in AWS, an AD FS server in the private subnet and a Web Application Proxy in the public subnet of each of Availability Zones A and B]
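The federation of slides 21 and 24 ends with the browser posting an AD FS SAML assertion to AWS, which STS exchanges for temporary credentials via AssumeRoleWithSAML. The block below, an added Python example that is not part of the deck, shows the client-side half: decode the SAMLResponse, confirm it is addressed to AWS and that every role it names lives in our own account, then call STS. The account ID, provider and role names, session name and the SAML XML are constructed; the attribute names (`https://aws.amazon.com/SAML/Attributes/Role`, `.../RoleSessionName`) and the audience `urn:amazon:webservices` are the real values AWS expects.

```python
"""Added example (not from the deck): the last step of the federation shown on
slides 21 and 24, where the SAML assertion issued by AD FS is checked and
exchanged for temporary credentials with STS AssumeRoleWithSAML.  The account
ID, provider and role names and the SAML XML below are constructed."""
import base64
import xml.etree.ElementTree as ET   # for untrusted input prefer defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_AUDIENCE = "urn:amazon:webservices"


def parse_saml_roles(saml_response_b64, expected_account):
    """Decode a SAMLResponse and return (session_name, [(role_arn, provider_arn), ...]).
    Rejects assertions not addressed to AWS and roles outside our own account.
    The XML signature is verified by STS against the certificate registered on
    the IAM SAML provider, so this is a sanity check, not the trust decision."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    audiences = [a.text for a in root.iter(f"{{{SAML_NS}}}Audience")]
    if AWS_AUDIENCE not in audiences:
        raise ValueError(f"audience {audiences} is not {AWS_AUDIENCE}")
    session_name, pairs = None, []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if attr.get("Name") == SESSION_ATTR and values:
            session_name = values[0]
        elif attr.get("Name") == ROLE_ATTR:
            for value in values:
                # AD FS claim rules emit "arn,arn"; AWS accepts either order
                arns = [a.strip() for a in value.split(",")]
                roles = [a for a in arns if ":role/" in a]
                providers = [a for a in arns if ":saml-provider/" in a]
                if len(arns) != 2 or len(roles) != 1 or len(providers) != 1:
                    raise ValueError(f"malformed Role value {value!r}")
                if roles[0].split(":")[4] != expected_account:
                    raise ValueError(f"{roles[0]} is not in account {expected_account}")
                pairs.append((roles[0], providers[0]))
    if session_name is None or not pairs:
        raise ValueError("assertion lacks RoleSessionName or Role attributes")
    return session_name, pairs


def assume_role_with_saml(sts, role_arn, provider_arn, saml_response_b64, duration=3600):
    """Exchange the assertion for temporary credentials.  `sts` is a
    boto3.client("sts"); the keyword arguments are the real API parameters."""
    resp = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=provider_arn,
                                     SAMLAssertion=saml_response_b64,
                                     DurationSeconds=duration)
    return resp["Credentials"]


# Constructed, unsigned sample of what an AD FS relying-party trust for AWS emits
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:amazon:webservices</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@company.local</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-Admins,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-ReadOnly</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    name, choices = parse_saml_roles(SAMPLE_RESPONSE_B64, "123456789012")
    print(name)
    for role, provider in choices:
        print("  ", role, "via", provider)
```

The account check matters in a hybrid setup like slide 22: an AD FS claim rule that derives role ARNs from group names will happily emit an ARN for any account, and the role's trust policy is then the only thing stopping a mis-typed group from landing in someone else's account. Checking it on the client, and keeping the trust policy's `Condition` on `SAML:aud` in place, gives two independent stops.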
  25. SQL Server
  26. SQL Server on Amazon EC2 • Licensing options: purchase an Amazon Machine Image (AMI) that includes Windows and SQL Server, or purchase a Windows AMI and install SQL Server yourself (BYOL) • Windows or Mixed Authentication • You manage the virtual machine security, storage, network ports, etc. • Full SQL Server sysadmin privileges
  27. SQL Server HA/DR on EC2 • Windows clusters can span Availability Zones or regions* • Mirroring • AlwaysOn Availability Groups • Transaction Log Shipping • Failover Cluster Instance* (* Some configurations require third-party tools.)
  28. Multi-AZ AlwaysOn Availability Group [Diagram: within one AWS Region, an EC2 primary replica in a private subnet in Availability Zone 1 and an EC2 secondary replica in a private subnet in Availability Zone 2; synchronous commit, automatic failover]
  29. Multi-Region AlwaysOn Availability Group [Diagram: AWS Region A, Availability Zone 1: EC2 primary replica (primary 10.0.2.100, WSFC 10.0.2.101, AG listener 10.0.2.102). Region A, Availability Zone 2: EC2 secondary replica (10.0.3.100 / 10.0.3.101 / 10.0.3.102), synchronous commit, automatic failover. AWS Region B, Availability Zone 1: EC2 secondary replica (10.1.2.100 / 10.1.2.101 / 10.1.2.102), asynchronous commit, manual failover, reached over a VPN terminated on Elastic IPs in each region]
  30. Failover Cluster Instance [Diagram: within one AWS Region, an EC2 primary node in Availability Zone 1 and an EC2 secondary node in Availability Zone 2, each with its own Amazon EBS volumes; data replication between the nodes is provided by SoftNAS / SIOS]
  31. What is Amazon RDS? • Managed database service • Automatic patching, backups, mirroring, etc. • Automatic host replacement protects you in the event of a hardware failure • 6 database engines to choose from: Amazon Aurora, Oracle, PostgreSQL, MySQL, MariaDB, and SQL Server • License-included and BYOL options available
  32. SQL Server on Amazon RDS • Up to 30 databases per instance • Windows or Mixed Authentication • Optional managed Multi-AZ deployment for high availability • Transparent Data Encryption for encryption at rest and the use of SSL to secure data in transit • Native backup and restore for Microsoft SQL Server databases using full backup files (.bak files)
  33. SQL Server HA/DR on RDS • Spans Availability Zones • Automatic failover • Automatic host replacement • Automatic backups • Automatic software patching (can be disabled)
  34. Multi-AZ SQL Server on Amazon RDS [Diagram: managed service within one AWS Region; Amazon RDS primary in a private subnet in Availability Zone 1, Amazon RDS secondary in a private subnet in Availability Zone 2; synchronous commit, automatic failover]
  35. SQL Server EC2 vs. RDS: Which should I use? (table; ✓ marks which option offers the feature) • License included: EC2 ✓, RDS ✓ • BYOL: EC2 ✓, RDS ✓ • Full control over the instance: EC2 ✓ • Automated backups: RDS ✓ • Self-managed AlwaysOn Availability Groups: EC2 ✓ • AWS-managed Multi-AZ deployment: RDS ✓
  36. What about the rest of SQL Server? • Integration Services (SSIS) • Reporting Services (SSRS) • Analysis Services (SSAS) • SQL Agent • Service Broker • Data Quality Services • Master Data Services
  37. What about the rest of SQL Server? • Remember: RDS is a managed database engine. • Most tools or drivers (OLE DB, ODBC, or ADO.NET) that connect to SQL Server can connect to an RDS instance. • For example, SSIS running on EC2 or on-premises can use a connection to an RDS SQL Server (or other engine) instance as long as the network ports are properly configured.
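Slides 32 to 34 list the RDS SQL Server controls (Multi-AZ, TDE for data at rest, SSL in transit) but each one is opt-in, so the useful artefact is a check that they are actually on. The block below is an added Python example, not from the deck: it evaluates one instance from records shaped like the boto3 `describe_db_instances`, `describe_option_groups` and `describe_db_parameters` responses, and builds the matching client connection string. The instance identifier, endpoint and sample values are constructed; the option name `TDE` and the parameter `rds.force_ssl` are the real RDS names.

```python
"""Added example (not from the WIN201 deck): an offline check of the RDS SQL
Server controls on slides 32-34, run over records shaped like the boto3 RDS
API responses.  The sample instance, option and parameter values are constructed."""


def rds_sqlserver_findings(instance: dict, options: list, parameters: list) -> list:
    """Return findings for one describe_db_instances() record.  `options` is
    the Options list of its option group (describe_option_groups) and
    `parameters` the Parameters list of its parameter group (describe_db_parameters)."""
    ident = instance["DBInstanceIdentifier"]
    if not instance["Engine"].startswith("sqlserver"):
        return [f"{ident}: engine {instance['Engine']} is not SQL Server, checks skipped"]
    findings = []
    if not instance.get("MultiAZ"):
        findings.append(f"{ident}: single-AZ; no managed standby or automatic failover")
    if instance.get("PubliclyAccessible"):
        findings.append(f"{ident}: publicly accessible; should sit in a private subnet")
    if instance.get("BackupRetentionPeriod", 0) < 7:
        findings.append(f"{ident}: automated backup retention below 7 days")
    # At rest: either the TDE option (SQL Server Enterprise) or KMS-encrypted storage
    has_tde = any(o["OptionName"] == "TDE" for o in options)
    if not (has_tde or instance.get("StorageEncrypted")):
        findings.append(f"{ident}: neither TDE option nor encrypted storage")
    # In transit: rds.force_ssl=1 rejects clients that do not negotiate TLS
    force_ssl = next((p.get("ParameterValue") for p in parameters
                      if p["ParameterName"] == "rds.force_ssl"), None)
    if force_ssl != "1":
        findings.append(f"{ident}: rds.force_ssl is {force_ssl!r}, unencrypted logins allowed")
    return findings


def odbc_connection_string(endpoint: str, port: int, database: str, user: str) -> str:
    """Client side of the same control: require TLS and certificate validation
    (TrustServerCertificate=no) so a spoofed endpoint is not silently accepted.
    The password is left to the driver prompt or a secrets store, not embedded."""
    return (f"Driver={{ODBC Driver 13 for SQL Server}};Server={endpoint},{port};"
            f"Database={database};Uid={user};Encrypt=yes;TrustServerCertificate=no")


# Constructed sample: Multi-AZ, TDE option present, but rds.force_ssl left at 0
SAMPLE_INSTANCE = {"DBInstanceIdentifier": "erp-sql", "Engine": "sqlserver-ee",
                   "MultiAZ": True, "PubliclyAccessible": False,
                   "BackupRetentionPeriod": 14, "StorageEncrypted": False}
SAMPLE_OPTIONS = [{"OptionName": "TDE"}]
SAMPLE_PARAMETERS = [{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}]

if __name__ == "__main__":
    for f in rds_sqlserver_findings(SAMPLE_INSTANCE, SAMPLE_OPTIONS, SAMPLE_PARAMETERS):
        print("FINDING:", f)
    print(odbc_connection_string("erp-sql.abc123.us-east-1.rds.amazonaws.com", 1433, "erp", "app"))
```

Note that `rds.force_ssl` and the client's `Encrypt=yes` are complementary: the server parameter stops legacy tools from connecting in clear, while `TrustServerCertificate=no` on the client is what makes the connection resist a redirected endpoint. Both belong in the review of an SSIS-on-EC2 to RDS connection like the one on slide 37.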
  38. Developers
  39. AWS SDK and Tools for .NET Architecture [Diagram, layered] • Execution platforms: .NET 3.5, .NET 4.5, ASP.NET 5, Phone, Store • AWS SDK, low-level service APIs: service clients talking to the AWS REST API endpoints • AWS SDK, higher-level utility APIs: Amazon S3 Transfer Utility, Amazon DynamoDB Object Persistence, VM Import, Resource API • AWS tools: AWS Tools for Windows PowerShell, AWS Toolkit for Visual Studio, ASP.NET Session Provider, Trace Listener, …
  40. AWS Toolkit for Visual Studio: full integration in Visual Studio (the toolkit is built on the .NET SDK)
  41. AWS also provides extended support • AWS Elastic Beanstalk: deploy from within Visual Studio; automatic log rotation to Amazon S3 • AWS CodeCommit / CodePipeline / CodeDeploy: manage a large fleet (on-premises and cloud-based) • .NET SDK and PowerShell cmdlets: integration in custom build pipelines in TFS or CruiseControl.NET • AWS native integrations: Jenkins and Bamboo have native integration with AWS; other IDEs support AWS (Unity, Xamarin Studio, Eclipse, …)
  42. Administration
  43. Amazon EC2 Simple Systems Manager (SSM) • EC2 Run Command • AWS Tools for Windows PowerShell integration • Automation: customizable, auditable, delegated administration • Leverage Amazon EC2 Simple Systems Manager for auto domain join, no direct machine access, full traceability, fine-grained control • http://tinyurl.com/AWS-SSM-Home
  44. Windows SSM with Run Command • AWS-JoinDirectoryServiceDomain to join an AWS Directory • AWS-RunPowerShellScript to run PowerShell commands or scripts • AWS-UpdateEC2Config to update the EC2Config service • AWS-ConfigureWindowsUpdate to configure Windows Update settings • AWS-InstallApplication to install, repair, or uninstall software using an MSI package • AWS-InstallPowerShellModule to install PowerShell modules • AWS-ConfigureCloudWatch to configure Amazon CloudWatch Logs to monitor applications and systems • AWS-ListWindowsInventory to collect information about an EC2 instance running Windows • AWS-FindWindowsUpdates to scan an instance and determine which updates are missing • AWS-InstallMissingWindowsUpdates to install missing updates on your EC2 instance • AWS-InstallSpecificWindowsUpdates to install one or more specific updates
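Slides 43 and 44 promise "no machine access, full traceability, fine-grained control" from Run Command; what makes that true is the shape of the SendCommand request and of the IAM policy given to the delegated administrator. The block below is an added Python example, not code from the deck: it builds the requests for two of the listed documents (`AWS-JoinDirectoryServiceDomain`, `AWS-RunPowerShellScript`), a policy that limits the operator to those documents and to instances carrying a particular tag, and a summary of the invocation results. The directory ID, tag values, bucket, instance IDs and the sample invocation records are constructed; the document names, parameter names, `tag:` target syntax and the `ssm:resourceTag/` condition key are the real SSM ones.

```python
"""Added example (not from the deck): EC2 Systems Manager Run Command requests
for two of the documents on slide 44, a least-privilege policy for the delegated
administrator who may send them, and a summary of the results.  Directory IDs,
tag values, instance IDs, bucket and the sample invocations are constructed."""

# Constructed convention: instances to be managed carry a Role tag
TAG_KEY = "Role"


def join_domain_request(directory_id, directory_name, dns_ips, role_value):
    """send_command() keyword arguments for AWS-JoinDirectoryServiceDomain,
    targeted by tag rather than by instance ID so instances launched later by
    Auto Scaling are covered by the same command."""
    return {
        "DocumentName": "AWS-JoinDirectoryServiceDomain",
        "Targets": [{"Key": f"tag:{TAG_KEY}", "Values": [role_value]}],
        "Parameters": {"directoryId": [directory_id],
                       "directoryName": [directory_name],
                       "dnsIpAddresses": list(dns_ips)},
        "Comment": f"join {role_value} instances to {directory_name}",
    }


def powershell_request(instance_ids, commands, log_bucket):
    """send_command() arguments for AWS-RunPowerShellScript; output is written to
    S3 so the full script output is retained for audit, not just the console
    excerpt."""
    return {
        "DocumentName": "AWS-RunPowerShellScript",
        "InstanceIds": list(instance_ids),
        "Parameters": {"commands": list(commands)},
        "OutputS3BucketName": log_bucket,
        "OutputS3KeyPrefix": "ssm-run-command/",
    }


def delegated_admin_policy(account_id, allowed_documents, role_value):
    """IAM policy for the delegated administrator: may only send the listed
    documents, and only to instances whose Role tag has the given value.
    SendCommand is authorised against both the document and the instance
    resource, so both statements are needed."""
    doc_arns = [f"arn:aws:ssm:*:*:document/{d}" for d in allowed_documents]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ssm:SendCommand", "Resource": doc_arns},
        {"Effect": "Allow", "Action": "ssm:SendCommand",
         "Resource": f"arn:aws:ec2:*:{account_id}:instance/*",
         "Condition": {"StringEquals": {f"ssm:resourceTag/{TAG_KEY}": role_value}}},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ssm:ListCommands", "ssm:ListCommandInvocations",
                    "ssm:GetCommandInvocation"]},
    ]}


def failed_instances(invocations):
    """Instance IDs whose invocation did not succeed, from the CommandInvocations
    list returned by list_command_invocations()."""
    return sorted(i["InstanceId"] for i in invocations if i["Status"] != "Success")


# Constructed sample of list_command_invocations()["CommandInvocations"]
SAMPLE_INVOCATIONS = [
    {"CommandId": "c-1", "InstanceId": "i-0aaa", "Status": "Success"},
    {"CommandId": "c-1", "InstanceId": "i-0bbb", "Status": "Failed",
     "StatusDetails": "NonZeroExitCode"},
    {"CommandId": "c-1", "InstanceId": "i-0ccc", "Status": "TimedOut",
     "StatusDetails": "DeliveryTimedOut"},
]

if __name__ == "__main__":
    import json
    req = join_domain_request("d-1234567890", "company.cloud",
                              ["10.0.2.10", "10.0.3.10"], "web")
    print(json.dumps(req, indent=2))          # pass as **req to boto3 ssm.send_command
    print(json.dumps(delegated_admin_policy("123456789012",
                     ["AWS-JoinDirectoryServiceDomain", "AWS-RunPowerShellScript"], "web"), indent=2))
    print("failed:", failed_instances(SAMPLE_INVOCATIONS))
```

The policy is the piece that delivers "fine-grained control": without the instance statement's tag condition, an operator allowed to send `AWS-RunPowerShellScript` can run arbitrary code as SYSTEM on every managed instance in the account, domain controllers included. CloudTrail records each SendCommand with the caller, document and parameters, which is the traceability the slide refers to.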
  45. Monitoring • CloudWatch • CloudTrail • Config • VPC Flow Logs • Trusted Advisor [Service icons shown: Amazon CloudWatch, AWS CloudTrail, AWS Config, AWS Trusted Advisor, Amazon VPC flow logs, AWS Lambda, Amazon Kinesis, AWS Service Catalog, Amazon Elasticsearch Service, Amazon QuickSight]
  46. Customer Story: Hess Corp. Bill Rothe, VP Enterprise Systems
  47. Customer Story: Hess Corp • Migration of multiple large Windows systems, including Microsoft SQL Server, SharePoint, Exchange, Active Directory, Dynamics, and System Center with the AWS Management Pack for SCOM; also SAP HANA, Documentum, Oracle Hyperion • Three phases so far: first divestiture, 170 instances, 6 months; second divestiture, 90 instances, 3 months; now working on migrating the core business • Hybrid approach: integrated networking via Direct Connect; integrated authentication via AD FS on EC2 with AD on-premises
  48. Customer Story: Hess Corp • The art of the possible: "We haven't met a workload we can't migrate to AWS." Not always pure lift and shift; some take tuning, some take re-architecting, but always able to get it to work. • Evolving attitude about cloud adoption internally: now there are far more supporters than detractors, a major shift from 18 months ago • Moving along the maturity curve: looking for ways to optimize and automate; right-sizing instances; building test/dev environments on demand
  49. Thank you!
  50. Remember to complete your evaluations!
  51. Windows Track Sessions • WIN301: Bring Microsoft Applications to AWS to Save Money and Stay Licensing Compliant, Tues, Nov 29, 3:30-4:30 PM, Venetian H • WIN204: How to Move 1,000 VMs and Biz Critical Apps to AWS in 6 months (Edwards Lifesciences), Tues, Nov 29, 3:30-4:30 PM, Venetian H • WIN303: How to launch a 100k user Microsoft back office and not break a sweat, Wed, Nov 30, 5:30-6:30 PM, Delfino 4004 • WIN304: Design, Deploy & Optimize SharePoint on AWS, Wed, Nov 30, 3:30-4:30 PM, Venetian H • WIN305: Best Practices for Integrating Active Directory with AWS Workloads, Wed, Nov 30, 5:00-6:00 PM, Venetian H • WIN306: Design, Deploy & Optimize SQL Server on AWS, Thurs, Dec 1, 5:30-6:30 PM, Venetian H
