3. What Will We Cover Today?
• Providing secure, remote administrative access to your AWS Windows resources
• Extending your corporate data network into AWS
• Active Directory services
• Microsoft SQL Server on AWS
• Management Tools for Windows
• Customer Success Story – Martin Wildash, www.xero.com
4. Why Run Windows Workloads on AWS?
• Experience: building and managing cloud since 2006
• Scale: 12 regions, 33 availability zones, 54 edge locations
• Ecosystem: thousands of partners; 2,500+ Marketplace products
• Security & Reliability: security-in-layers approach and 99.95% application SLA
• Performance: extensive VM and network performance options
5. Licensing Options
Flexibility helps you optimise costs. Three ways to license:
Buy licenses from AWS
• AWS manages licensing
• Pay as you go pricing
• Multi-tenant or Dedicated
• No need for Software Assurance
• Unlimited CALs
Leverage License Mobility
• AWS manages Windows Server licensing
• You manage licensing costs and compliance with your ISV
• Uses Software Assurance
Bring your own licenses (BYOL)
• Save money on software licensing
• You manage licensing costs and compliance with your ISV
• No need for Software Assurance
6. Amazon EC2 Dedicated Hosts
• A Dedicated Host is a physical server with EC2 instance capacity dedicated for your use
• Bring your own license (BYOL) platform
• Supports BYOL for Windows Server, Windows SQL Server, and applications running on top of Windows Server (e.g., Exchange Server)
7. How would you build a Microsoft Enterprise IT Platform on AWS?
10. Secure Administration via Remote Desktop
[Diagram: an AWS administrator in the corporate data center connects over TCP 443 to an RD Gateway (RDGW) in the public subnet of an Availability Zone; WEB1 and WEB2 sit in the private subnet.]
Requires one connection:
• Connect to the RD Gateway, and the gateway proxies the RDP connection to the back-end instance.
Security group rules:
• Gateway Security Group: accept TCP port 443 from the Admin IP
• Web Security Group: accept TCP port 3389 from the Gateway Security Group (the source is the gateway's security group, not a CIDR)
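The two security-group rules on this slide are the whole access-control story for the pattern, so a defender wants a repeatable check that they have not drifted (RDP opened to a CIDR, or the gateway widened beyond the admin range). The following audit function is an added example, not code from the slide deck or from AWS: it takes rules shaped like the IpPermissions entries that the EC2 DescribeSecurityGroups API returns, with constructed sample data and hypothetical group ids and admin range, and reports every rule that breaks the pattern.

```python
"""Audit security group rules against the RD Gateway bastion pattern.

Added example (not from the slide deck). The pattern: the gateway SG
admits TCP 443 only from the admin IP range, and the web SG admits
TCP 3389 only from the gateway SG (referenced by group id, never by CIDR).
Rules are plain dicts shaped like the 'IpPermissions' entries returned by
EC2 DescribeSecurityGroups; the sample data below is constructed.
"""
from ipaddress import ip_network

# Constructed sample values (hypothetical group ids, TEST-NET-3 admin range).
GATEWAY_SG = "sg-0gateway0000000001"
WEB_SG = "sg-0web00000000000001"
ADMIN_CIDR = "203.0.113.10/32"

# Rules as the slide describes them.
SAMPLE_RULES = {
    GATEWAY_SG: [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ADMIN_CIDR}], "UserIdGroupPairs": []},
    ],
    WEB_SG: [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": GATEWAY_SG}]},
    ],
}

# A drifted variant: 443 opened to the world on the gateway, and RDP on the
# web tier reachable from any address, which bypasses the gateway entirely.
DRIFTED_RULES = {
    GATEWAY_SG: [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
    WEB_SG: [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": [{"GroupId": GATEWAY_SG}]},
    ],
}


def _covers_port(rule, port):
    """True if the rule's protocol/port range includes the given TCP port."""
    if rule["IpProtocol"] in ("-1", "all"):      # "all traffic" rule
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def audit_rdgw_pattern(rules, gateway_sg, web_sg, admin_cidr):
    """Return a list of findings; an empty list means the pattern holds."""
    findings = []
    admin_net = ip_network(admin_cidr, strict=False)

    # Gateway tier: every source allowed to reach 443 must lie inside the
    # admin range, and no other security group may be a source.
    for rule in rules.get(gateway_sg, []):
        if not _covers_port(rule, 443):
            continue
        for r in rule["IpRanges"]:
            if not ip_network(r["CidrIp"], strict=False).subnet_of(admin_net):
                findings.append(
                    f"{gateway_sg}: 443 open to {r['CidrIp']} (outside admin range)")
        for pair in rule["UserIdGroupPairs"]:
            findings.append(
                f"{gateway_sg}: 443 open to group {pair['GroupId']} (expected admin CIDR only)")

    # Web tier: 3389 reachable only via the gateway SG, never via a CIDR.
    for rule in rules.get(web_sg, []):
        if not _covers_port(rule, 3389):
            continue
        for r in rule["IpRanges"]:
            findings.append(
                f"{web_sg}: 3389 open to CIDR {r['CidrIp']} (bypasses gateway)")
        for pair in rule["UserIdGroupPairs"]:
            if pair["GroupId"] != gateway_sg:
                findings.append(
                    f"{web_sg}: 3389 open to group {pair['GroupId']} (not the gateway SG)")
    return findings


if __name__ == "__main__":
    for name, ruleset in (("baseline", SAMPLE_RULES), ("drifted", DRIFTED_RULES)):
        result = audit_rdgw_pattern(ruleset, GATEWAY_SG, WEB_SG, ADMIN_CIDR)
        print(name, "->", result or "pattern holds")
```

Feeding the function live data is a matter of replacing the sample dicts with the IpPermissions lists from a DescribeSecurityGroups call; the check itself does not change. Note that an "all traffic" rule (protocol -1) is treated as covering both ports, since it is the most common way the pattern gets silently widened.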
11. Isolated VPC in the Cloud with RDGW
[Diagram: an isolated VPC spanning two Availability Zones, each with a public subnet holding an RD Gateway (RDGW) and a private subnet holding a Domain Controller (DC); remote users and admins reach the gateways through Amazon Route 53.]
Use Route 53 health checks and DNS failover between the RD Gateways.
12. Isolated VPC in the Cloud with NAT
[Diagram: the same two-AZ VPC, with a NAT instance in each public subnet beside the RDGW; remote systems on the Internet are reached through the NAT instances.]
Use NAT instances to provide access to remote Internet services.
* You can use the Windows Routing & Remote Access (RRAS) NAT service.
13. Isolated VPC in the Cloud with VPC NAT Gateway
[Diagram: the same two-AZ VPC, with the NAT instances replaced by a VPC NAT gateway in each public subnet.]
Use the AWS managed NAT Gateway to reduce administrative overhead and optimise costs.
14. Remote Desktop Gateway Reference Architecture
Detailed instructions available in the “Deploy Remote Desktop Gateway on the AWS Cloud” white paper.
Available from: http://aws.amazon.com/windows/resources/whitepapers/rdgateway/
16. Extending your Corporate Data Network to AWS
[Diagram: the corporate data center connects to the AWS Cloud by (1) a VPN tunnel over the Internet and (2) a Direct Connect link via a telco.]
1. VPN tunnel
• IPsec VPN tunnel connects over the public Internet but has variable performance
• Supports static and BGP routing
• Supports varying multi-Mbps speeds
2. Direct Connect link
• AWS Direct Connect (DX) service allows for dedicated telco links from your location
• Telco provides SLAs and predictable performance
• AWS provides multiple 1 Gbps & 10 Gbps links
• BGP for dynamic routing + AWS API endpoints
17. Your Hybrid Cloud
[Diagram: two Availability Zones, each with a public subnet (NAT, RDGW) and a private subnet (Domain Controller, MS SQL DB server, App Server, IIS web server). Remote users reach the RDGWs; the corporate data network connects through a virtual private gateway via a VPN connection and AWS Direct Connect.]
19. Microsoft Active Directory
Create a new AD or extend existing?
• Lots of customers create a new “fresh” AD in AWS on EC2
• Extend trusts to existing AD for a Single Sign On (SSO) experience
If you run your own AD servers:
• Treat each Availability Zone as an AD Site…
• Read Only Domain Controllers still need network connectivity
20. Your own AD on EC2
[Diagram: the hybrid cloud layout, with Domain Controllers (DC) on EC2 in the private subnet of each Availability Zone alongside the SQL, App and IIS servers, connected to the corporate data network through the virtual private gateway (VPN connection and AWS Direct Connect).]
22. (transition slide)
[Diagram: the same hybrid cloud layout with Domain Controllers on EC2 in each Availability Zone.]
23. Replaced with AWS DS
[Diagram: the same hybrid cloud layout, with the EC2 Domain Controllers replaced by AWS Directory Service in each Availability Zone.]
24. Use AWS Directory Service
A Microsoft Windows compatible directory service as a managed AWS service. Usage options are:
1. Use the AWS AD Connector to simplify connecting to your existing on-premises Microsoft Active Directory
2. AWS Simple AD allows you to set up and operate a new Samba-based directory in the AWS Cloud
3. AWS Directory Service for Microsoft Active Directory (Enterprise Edition) provides a feature-rich managed Microsoft Active Directory hosted on the AWS Cloud
AWS DS is easy to manage: use the standard Windows AD admin tools.
25. Use AWS Directory Service: which option should you choose?
• AD Connector: the best option if you want to use your existing on-premises AD with AWS services without extending your domain to the cloud
• Simple AD: in most cases, Simple AD is the least expensive option and your best choice if you have 5,000 or fewer users and don’t need the more advanced Microsoft Active Directory features
• Directory Service for Microsoft Active Directory (Enterprise Edition): your best choice if you have more than 5,000 users and need a trust relationship set up between an AWS hosted directory and your on-premises directories
26. Domain Joining to AWS Directory Service
From the AWS Console GUI
• Launch Instance Wizard
31. SQL Server on AWS
• Wide array of choices
• Fully managed services
• Enterprise-grade security
• 99.95% availability
• Flexible and scalable
32. SQL Server on Amazon EC2
[Diagram: a primary DB instance in a private subnet of Availability Zone 1.]
• Deploy in minutes: simple provisioning via AWS-provided AMI
• Wide range of versions and performance options
33. SQL Server High Availability
[Diagram: a primary DB in a private subnet of Availability Zone 1 and Secondary Replica 1 in a private subnet of Availability Zone 2, behind an Availability Group listener (ag.awslabs.net) with automatic failover.]
• QuickStart reference architecture and CloudFormation provided
• Scale up to 8 instances
• 99.95% availability
35. Amazon RDS for SQL Server
• Deploy in minutes
• Automated backups
• Push button scaling
• Automatic host replacement and multi-AZ deployments for high availability
36. Choosing the right solution: Amazon RDS for SQL Server vs SQL Server on Amazon EC2
Amazon RDS for SQL Server
• Consider RDS first
• Focus on:
  • Business value tasks
  • High-level tuning tasks
  • Schema optimization
• No in-house database expertise
SQL Server on Amazon EC2
• Need full control over:
  • DB instance
  • Backups
  • Replication
  • Clustering
• Use options not in Amazon RDS
37. Migrating data to and from Amazon RDS
1. Microsoft SQL Server Database Publishing Wizard: export to T-SQL files, load using sqlcmd
2. AWS Database Migration Service (NEW LAUNCH!): minimize downtime during migrations, migrate between different DB platforms, Schema Conversion Tool
3. AWS Marketplace: third-party data import and export tools and solutions
39. AWS Simple Systems Manager (SSM)
Simple Systems Manager (SSM) facilitates the automatic configuration of AWS Elastic Compute Cloud (EC2) instances running Windows Server OS.
SSM is implemented through the EC2Config Windows service already included in Windows Server AMIs.
The EC2Config service polls SSM every 5 minutes for configuration documents (in JSON format) containing system configurations, or you can force a poll from the CLI.
SSM currently supports configuration documents that allow for:
• Automated Domain Join
• MSI Package Installation/Repair/Uninstallation
• PowerShell Module Installation
• Delivery of Performance Monitor, Event Log, IIS Log, and custom log file data to CloudWatch and CloudWatch Logs
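Because EC2Config applies whatever document it is handed, the document is the thing to review before publishing it. The following is an added example, not from the slides or from AWS: it assembles a schema-1.2 configuration document covering two of the listed capabilities (domain join and MSI installation) and lints the parts a reviewer cares about: directory id format, private DNS addresses for the domain controllers, HTTPS sources and a SHA-256 hash on every MSI. The directory values and package URL are constructed placeholders, and the plugin and property names (aws:domainJoin, aws:applications, directoryId, dnsIpAddresses, sourceHash) follow the legacy schema-1.2 layout as I recall it from the AWS-provided domain-join document; treat those exact names as an assumption and confirm them against the SSM documentation.

```python
"""Build and lint an SSM configuration document for EC2Config (schema 1.2).

Added example, not from the slide deck. Field names follow the legacy
schema-1.2 layout as I recall it (assumption: verify against the SSM
documentation). All sample values below are constructed placeholders.
"""
import json
import re
from ipaddress import ip_address

# Constructed, hypothetical lab directory.
SAMPLE_DIRECTORY = {
    "directoryId": "d-1234567890",            # placeholder directory id
    "directoryName": "corp.example.com",
    "directoryOU": "OU=Servers,DC=corp,DC=example,DC=com",
    "dnsIpAddresses": ["10.0.1.10", "10.0.2.10"],  # one DC per AZ
}
SAMPLE_MSI = {
    "action": "Install",
    "source": "https://packages.example.com/agent.msi",
    "sourceHash": "0" * 64,                   # placeholder SHA-256 of the MSI
}

DIRECTORY_ID_RE = re.compile(r"^d-[0-9a-f]{10}$")
DNS_NAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)


def build_document(directory, applications):
    """Return the configuration document as a dict in the schema-1.2 layout."""
    return {
        "schemaVersion": "1.2",
        "description": "Join domain and install baseline packages",
        "runtimeConfig": {
            "aws:domainJoin": {"properties": dict(directory)},
            "aws:applications": {"properties": list(applications)},
        },
    }


def lint_document(doc):
    """Return a list of problems; an empty list means the document passes."""
    problems = []
    if doc.get("schemaVersion") != "1.2":
        problems.append("schemaVersion must be 1.2 for EC2Config documents")
    cfg = doc.get("runtimeConfig", {})

    # Domain join: well-formed directory id and name, DCs on private addresses.
    join = cfg.get("aws:domainJoin", {}).get("properties", {})
    if join:
        if not DIRECTORY_ID_RE.match(join.get("directoryId", "")):
            problems.append("directoryId is not of the form d-<10 hex chars>")
        if not DNS_NAME_RE.match(join.get("directoryName", "")):
            problems.append("directoryName is not a valid DNS domain name")
        addrs = join.get("dnsIpAddresses", [])
        if not addrs:
            problems.append("dnsIpAddresses is empty")
        for a in addrs:
            try:
                ip = ip_address(a)
            except ValueError:
                problems.append(f"dnsIpAddresses entry {a!r} is not an IP address")
                continue
            if not ip.is_private:
                problems.append(f"DNS server {a} is not in a private range")

    # MSI installs: fetched over HTTPS and pinned to a SHA-256 hash.
    for app in cfg.get("aws:applications", {}).get("properties", []):
        src = app.get("source", "")
        if not src.startswith("https://"):
            problems.append(f"MSI source {src!r} must be fetched over HTTPS")
        if not SHA256_RE.match(app.get("sourceHash", "")):
            problems.append(f"MSI source {src!r} lacks a SHA-256 sourceHash")
    return problems


def render(doc):
    """Serialise the document as the JSON that would be uploaded."""
    return json.dumps(doc, indent=2, sort_keys=True)


if __name__ == "__main__":
    document = build_document(SAMPLE_DIRECTORY, [SAMPLE_MSI])
    print(render(document))
    print("lint:", lint_document(document) or "ok")
```

Running the lint over a document with a plain-HTTP package source or an unhashed MSI returns one problem per defect, which makes it easy to wire into a pre-publish step: the document only gets created in SSM when the returned list is empty.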
45. Invest Early in Network and Security
• Clean and scalable network design
  • CDN
  • Route 53
  • Direct Connect
  • Careful use of VPCs
• AWS has excellent security controls
  • Clean account design
  • Security Groups
  • Threat Protection Zone
  • WAF
47. Shards and Cells
• Shards
  • SQL Server database containing a group of subscriptions
• Cells
  • Group of Shards
  • All infrastructure supporting these shards
50. Transfer Methods
• SQL Server Publishing tool
• Logshipping (direct or via S3)
• Availability Groups
• Database Migration Tool (New)
• Custom Migration Tool + SQL Server Data Tools (SSDT)
54. RDS vs EC2
• Fine grain support of availability and DR configuration
• Ability to upgrade on our own schedule
• Excellent in-house SQL Server team
• SQL Server 2014 Enterprise specific features
• EC2 = more work, but more control required for our current workloads…
55. Move from Physical SQL to EC2
• EC2 Instance Configuration
  • Dedicated mount points for data files with individual EBS Volumes
  • Target “middle-sized” R3 Server Class
• Phased Migration Plan
  • By Application
  • By Customer
• Load Testing and Query Blaster
56. Key Learnings
• SQL Server on EC2 can support very high volume workloads
• High availability for SQL Server works very well in AWS
• Rich options for data migration to AWS
• Infrastructure as Code
• Elastic infrastructure
58. Further reading
Microsoft Workloads on AWS Whitepapers: https://aws.amazon.com/windows/resources/whitepapers/
AWS Quick Launches: try Enterprise Microsoft products on AWS before you deploy them into production. https://aws.amazon.com/quickstart/quick-launch/
59. Summary
You can readily and securely run Enterprise Microsoft and many other mission critical workloads on AWS.
AWS provides customers with the flexibility to run Microsoft workloads the way they want:
• Run them as you do now, but on EC2
OR
• Simplify management by replacing them with native AWS services (Directory Services, RDS for SQL Server, Managed NAT etc.)
60. AWS Training & Certification
Intro Videos & Labs: free videos and labs to help you learn to work with 30+ AWS services – in minutes!
Training Classes: in-person and online courses to build technical skills – taught by accredited AWS instructors
Online Labs: practice working with AWS services in a live environment – learn how related services work together
AWS Certification: validate technical skills and expertise – identify qualified IT talent or show you are AWS cloud ready
Learn more: aws.amazon.com/training
61. Your Training Next Steps:
Visit the AWS Training & Certification pod to discuss your training plan & AWS Summit training offer
Register & attend AWS instructor-led training
Get Certified
AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag
Learn more: aws.amazon.com/training