Learn best practices for architecting highly available and scalable Microsoft solutions and environments on AWS. Find out how Microsoft solutions can use AWS services to gain resiliency, remove unnecessary complexity, simplify architecture, provide scalability, and introduce DevOps concepts, automation, and repeatability. Plan authentication and authorization, and hybrid scenarios with other cloud environments and on-premises solutions and infrastructure. Learn about common architecture patterns for Active Directory and business productivity solutions such as SharePoint, Exchange, and Skype for Business, as well as common scenarios for SQL Server deployments and System Center.
2. What to Expect from the Session
• Microsoft architectures on AWS and how to build them
• Active Directory
• SQL Server
• Corp Apps
• Developers
• Systems management
4. Sample Microsoft Architecture
Diagram: a VPC spanning two Availability Zones, each with a public subnet (RD Gateway, VPC NAT gateway) and a private subnet (IIS web and IIS app instances with Auto Scaling, AWS Directory Service, MS SQL in an Always On Availability Group). The corporate office and remote users reach the VPC over VPN and AWS Direct Connect through a virtual private gateway; an Internet gateway provides Internet access and a VPC endpoint connects to Amazon S3.
5. Secure remote administration architecture
Diagram: one Availability Zone with a public subnet and a private subnet. The RD Gateway (RDGW) sits in the public subnet in a gateway security group that accepts TCP port 443 only from the administrator IP; WEB1 and WEB2 sit in the private subnet in a web security group that accepts traffic only from the gateway security group. The AWS administrator connects from the corporate data center over TCP 443.
Requires one connection:
• Connect to the RD Gateway, and the gateway proxies the RDP or PowerShell connection to the backend instance.
6. Alternative solution using Systems Manager
Diagram: WEB1 and WEB2 sit in a private subnet in a web security group that accepts traffic from SSM; no RD Gateway or public subnet appears. The AWS administrator in the corporate data center works through EC2 Systems Manager, which is governed by an IAM policy and can deliver output to an S3 bucket, an SNS topic, and a CloudWatch metric.
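The two slides above describe the security-group pattern in words. The following is an added example (not from the deck) that audits a set of security groups against that pattern: the gateway group may accept only TCP 443 from the administrator CIDR, and backend groups may accept RDP and WinRM only from the gateway group, or from nothing at all when Systems Manager replaces the gateway. Input is shaped like the boto3 `describe_security_groups` response; the group ids, CIDRs and rules are constructed for the example.

```python
"""Added example (not from the deck): audit EC2 security groups against the
remote-administration pattern on the two slides above. Input is shaped like
the boto3 describe_security_groups response; the group ids, CIDRs and rules
below are constructed for the example."""
from ipaddress import ip_network

ADMIN_PORTS = {3389, 5985, 5986}   # RDP and WinRM, the ports the RD Gateway proxies


def _ports(perm):
    """TCP ports covered by one permission; {'all'} when the protocol is -1."""
    if perm.get("IpProtocol") == "-1":
        return {"all"}
    return set(range(perm.get("FromPort", 0), perm.get("ToPort", 65535) + 1))


def _admin(ports):
    return "all" in ports or bool(ports & ADMIN_PORTS)


def audit_security_groups(groups, gateway_sg_id, admin_cidr, ssm_only=False):
    """Return (group_id, finding) tuples; an empty list means the pattern holds.

    Gateway group: only TCP 443, only from admin_cidr.
    Other groups: admin ports only from the gateway group, or from nothing at
    all when Systems Manager replaces the gateway (ssm_only=True)."""
    admin_net = ip_network(admin_cidr)
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        is_gateway = gid == gateway_sg_id
        for perm in sg.get("IpPermissions", []):
            ports = _ports(perm)
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                if is_gateway:
                    # the only CIDR-sourced rule allowed on the gateway is 443 from the admin range
                    if ports != {443} or not ip_network(cidr).subnet_of(admin_net):
                        findings.append((gid, f"gateway accepts {sorted(ports)} from {cidr}"))
                elif _admin(ports):
                    findings.append((gid, f"admin port open to CIDR {cidr}"))
            for pair in perm.get("UserIdGroupPairs", []):
                src = pair["GroupId"]
                if is_gateway or not _admin(ports):
                    continue
                if ssm_only:
                    findings.append((gid, f"admin port open to {src}; SSM needs no inbound rule"))
                elif src != gateway_sg_id:
                    findings.append((gid, f"admin port open to non-gateway group {src}"))
    return findings


# Constructed sample data: a compliant pair and a non-compliant pair.
SAMPLE_OK = [
    {"GroupId": "sg-gw", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-gw"}]},
        {"IpProtocol": "tcp", "FromPort": 5985, "ToPort": 5986,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-gw"}]}]},
]
SAMPLE_BAD = [
    {"GroupId": "sg-gw", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]

if __name__ == "__main__":
    for label, groups in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        for gid, finding in audit_security_groups(groups, "sg-gw", "203.0.113.10/32"):
            print(f"[{label}] {gid}: {finding}")
    for gid, finding in audit_security_groups(SAMPLE_OK, "sg-gw", "203.0.113.10/32", ssm_only=True):
        print(f"[ssm] {gid}: {finding}")
```

Run it against the real response of `describe_security_groups` for the VPC; the `ssm_only` switch reflects slide 6, where any inbound administrative rule on the web group is a finding because the agent makes outbound connections only.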
7. Shared Service VPC
Best suited for:
• The majority of your infrastructure is (or will be) on AWS
• The required on-premises resources are easy to replicate or proxy (e.g., Active Directory, System Center, central SQL farm)
• You prefer to limit VPN traffic
• Strong security or compliance programs require additional application-level controls and proxy servers between their AWS and on-premises resources (e.g., application-layer firewalls)
9. Common Approaches
Active Directory
• AWS Directory Services
Federation
• Federation to AWS services
• Federation to Microsoft Workloads
• Claims-based access control
• SSO
• ADFS 4.0, Ping Federate, Okta
Kerberos
10. Single domain extended to multiple sites
Diagram: the corporate network runs company.local with DC1 (Munich) and DC2 (Berlin); the same domain extends into AWS with DC3 in a private subnet of Availability Zone A and DC4 in a private subnet of Availability Zone B, with Active Directory site link costs of 10 and 50 shown, connected over VPN and AWS Direct Connect.
One single identity, data center extension mode
(rely on Active Directory sites, read-only or not)
11. One subdomain per site
Diagram: the corporate network runs company.local with DC1 (Munich) and DC2 (Berlin); AWS hosts the subdomain cloud.company.local with DC3 in a private subnet of Availability Zone A and DC4 in a private subnet of Availability Zone B, connected over VPN and AWS Direct Connect.
Isolated subset of the directory, single identity for users
(Active Directory domains in a single forest)
12. One forest per site and trust
Diagram: the corporate network runs company.local with DC1 (Munich) and DC2 (Berlin); AWS hosts a separate forest, company.cloud, through AWS Directory Service with DC3 in a private subnet of Availability Zone A and DC4 in a private subnet of Availability Zone B, connected over VPN and AWS Direct Connect.
Separate directories, single identity
(Cross-forest/resource forest with trust)
13. User identity federation with AWS IAM
Diagram: AD users, enterprise applications, and corporate systems federate into IAM and receive IAM roles, which grant access to AWS services such as EC2, Amazon DynamoDB, and S3.
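Federation into IAM rests on each role's trust policy: it must name the SAML identity provider as the federated principal, allow only `sts:AssumeRoleWithSAML`, and require the AWS sign-in audience in the assertion. The following is an added example (not from the deck) that builds such a trust policy and lints an existing one for the mistakes that widen who can assume the role. The account id and provider name are placeholders.

```python
"""Added example (not from the deck): build and lint the IAM role trust policy
that SAML federation from AD FS, Okta or PingFederate depends on. The account
id and provider name used below are placeholders."""
import json

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"   # audience AWS sign-in expects
ASSUME_SAML = "sts:AssumeRoleWithSAML"


def saml_trust_policy(account_id, provider_name):
    """Trust policy allowing only assertions from the named IdP to assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
            "Action": ASSUME_SAML,
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_trust_policy(policy, expected_provider_arn):
    """Return a list of problems; an empty list means the trust is scoped as intended."""
    problems = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        if ASSUME_SAML not in actions and "sts:*" not in actions and "*" not in actions:
            continue   # not a SAML assume-role statement; outside this check
        principal = st.get("Principal")
        feds = _as_list(principal.get("Federated") if isinstance(principal, dict) else principal)
        if not feds or "*" in feds:
            problems.append(f"statement {i}: principal is not restricted to a federated IdP")
        for arn in feds:
            if arn not in ("*", expected_provider_arn):
                problems.append(f"statement {i}: unexpected identity provider {arn}")
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            problems.append(f"statement {i}: SAML:aud condition missing or wrong")
        if "sts:*" in actions or "*" in actions:
            problems.append(f"statement {i}: wildcard action instead of {ASSUME_SAML}")
    return problems


# Placeholder values; replace with the real account id and provider name.
ACCOUNT_ID = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/ADFS"

if __name__ == "__main__":
    good = saml_trust_policy(ACCOUNT_ID, "ADFS")
    print(json.dumps(good, indent=2))
    print("good:", check_trust_policy(good, PROVIDER_ARN))
    loose = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:*"}]}
    print("loose:", check_trust_policy(loose, PROVIDER_ARN))
```

The lint runs on the JSON returned by `get_role` for every federated role, so a role whose trust was later relaxed to `Principal: "*"` or that lost its `SAML:aud` condition is caught before it is exploitable.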
14. Active Directory Deployments - Isolated domains
Diagram: the corporate network runs company.local with DC1 (Munich) and DC2 (Berlin); AWS hosts company.cloud through AWS Directory Service with DC3 in a private subnet of Availability Zone A and DC4 in a private subnet of Availability Zone B. The two directories are linked by federation/synchronization over VPN and AWS Direct Connect.
Separate identities with synchronization/federation solutions such as AD FS, Okta, PingFederate
15. AD FS Scenarios
Fully implemented AD FS
• Core authentication services exposed to the Internet by AD FS proxy
Firewall-published AD FS
• Firewall exposes core authentication services to the Internet by reverse proxy
Non-published AD FS
• Server farm isn't exposed to the Internet by any method.
VPN-published AD FS
• Internet clients connect to and use AD FS services only through a virtual private network (VPN) connection to the on-premises network environment.
16. Active Directory Federation Services
Diagram: AD FS deployed across Availability Zone A and Availability Zone B. Each zone has a public subnet with a Web Application Proxy and a private subnet with an ADFS server and a domain controller (DC3, DC4) for company.cloud, hosted with AWS Directory Service. The corporate network runs company.local with DC1 (Munich) and DC2 (Berlin); federation/synchronization links the two directories over VPN and AWS Direct Connect.
18. SQL Server on Amazon EC2
Licensing Options
• Purchase an Amazon Machine Image (AMI) that includes Windows and SQL Server
• Purchase a Windows AMI and install SQL Server yourself (BYOL)
Windows or Mixed Authentication
You manage the virtual machine security, storage, network ports, etc.
Full SQL Server sysadmin privileges
19. SQL Server HA/DR on EC2
• Windows clusters can span Availability Zones or regions*
• Mirroring
• AlwaysOn Availability Groups
• Transaction Log Shipping
• Failover Cluster Instance*
* Some configurations require third-party tools.
20. Multi-AZ AlwaysOn Availability Group
Diagram: within one AWS Region, an EC2 primary replica in a private subnet of Availability Zone 1 and an EC2 secondary replica in a private subnet of Availability Zone 2, using synchronous commit with automatic failover.
21. Multi-Region AlwaysOn Availability Group
Diagram: AWS Region A, Availability Zone 1: EC2 primary replica (instance IP 10.0.2.100, WSFC 10.0.2.101, AG listener 10.0.2.102). AWS Region A, Availability Zone 2: EC2 secondary replica (instance IP 10.0.3.100, WSFC 10.0.3.101, AG listener 10.0.3.102) with synchronous commit and automatic failover. AWS Region B, Availability Zone 1: EC2 secondary replica (instance IP 10.1.2.100, WSFC 10.1.2.101, AG listener 10.1.2.102) with asynchronous commit and manual failover, reached over a VPN between Elastic IPs in the two regions.
22. Failover Cluster Instance
Diagram: within one AWS Region, an EC2 primary node in a private subnet of Availability Zone 1 and an EC2 secondary node in a private subnet of Availability Zone 2, each with its own Amazon EBS volumes; data replication between the nodes is provided by SoftNAS / SIOS.
23. What is Amazon RDS?
Managed database service
• Automatic patching, backups, mirroring, etc.
• Automatic Host Replacement protects you in the event of a hardware failure.
6 database engines to choose from: Amazon Aurora, Oracle, PostgreSQL, MySQL, MariaDB, and SQL Server
License-included and BYOL options available
24. SQL Server on Amazon RDS
• Windows or Mixed Authentication
• Optional managed Multi-AZ deployment for high availability
• Transparent Data Encryption for encryption at rest and the use of SSL to secure data in transit
• Native backup and restore for Microsoft SQL Server databases using full backup files (.bak files)
• Most tools or drivers (OLE DB, ODBC, or ADO.NET) that connect to SQL Server can connect to an RDS instance.
25. Multi-AZ SQL Server on Amazon RDS
Diagram: within one AWS Region, an Amazon RDS primary in a private subnet of Availability Zone 1 and an Amazon RDS secondary in a private subnet of Availability Zone 2, using synchronous commit with automatic failover, run as a managed service.
26. SQL Server EC2 vs. RDS: Which should I use?
EC2: license included or BYOL, full control over the instance, self-managed AlwaysOn Availability Groups
RDS: license included or BYOL, automated backups, AWS-managed Multi-AZ deployment
27. What about the rest of SQL Server?
• Integration Services (SSIS)
• Reporting Services (SSRS)
• Analysis Services (SSAS)
• SQL Agent
• Service Broker
• Data Quality Service
• Master Data Service
29. Architecture: Multi-AZ SharePoint
Each AWS Region contains multiple Availability Zones. Availability Zones contain a data center (or multiple data centers) with low-latency links to other zones in the region. Achieve high availability by deploying your application across multiple zones, and easily achieve transparent data center redundancy.
Diagram (AWS Multi-AZ Design Pattern): Availability Zone #1 and Availability Zone #2 each hold a Web Server and a DB Server; a single application boundary spans the AZs, with synchronous replication and automatic failover over the low-latency link.
30. Architecture: SharePoint 2016
HA SharePoint 2016 MinRole farm: supports no-downtime patching; add Office Online Server and Workflow Manager.
Diagram: Availability Zone #1 and Availability Zone #2, each with a Public Tier subnet (Windows Server RD Gateway, VPC NAT Gateway), a Web Tier subnet (SharePoint Front-end, SharePoint Distributed Cache), an App Tier subnet (SharePoint Application, SharePoint Search, SharePoint Distributed Cache, Office Online Server, Workflow Manager), a Data Tier subnet (SQL Server in a synchronous Always On Availability Group), and a Directory Tier subnet (Domain Controller). An AWS ELB fronts the web tier.
31. Architecture: All Farms Welcome
From single server farms to multiple farm / multiple region DR architectures, AWS supports all SharePoint setups.
Diagram: Multi-Region HA + DR, with AZ 1 and AZ 2 in Region 1 and AZ 1 in Region 2.
33. AWS SDK and Tools for .NET Architecture
Diagram: execution platforms (.NET 3.5, .NET 4.5, Phone, Store, ASP.NET 5) sit on top of the AWSSDK. The SDK's low-level service APIs are the service clients, which call the AWS endpoints (REST API). Higher-level utility APIs include the Amazon S3 Transfer Utility, Amazon DynamoDB object persistence, VM Import, the Resource API, the ASP.NET session provider, the trace listener, and more. AWS tools built on the SDK include the AWS Tools for Windows PowerShell and the AWS Toolkit for Visual Studio.
34. AWS Toolkit for Visual Studio
Full integration in Visual Studio
Diagram: the AWS Toolkit for Visual Studio layered on the .NET SDK.
35. AWS also provides extended support
AWS Elastic Beanstalk
• Deploy from within Visual Studio/automatic log rotation to Amazon S3
AWS CodeCommit/CodePipeline/CodeDeploy
• Manage a large fleet (on-premises and cloud-based)
.NET SDK and PowerShell cmdlets
• Integration in custom build pipelines in TFS or CruiseControl.NET
AWS native integrations
• Jenkins, Bamboo have native integration to AWS
• Other IDEs support AWS (Unity, Xamarin Studio, Eclipse…)
36. Build Serverless Applications with C#
.NET Core 1.0
www.microsoft.com/net/download/core
Visual Studio 2015 Update 3
Visual Studio 2015 Tools (Preview 2)
Target Framework netcoreapp1.0
Package with .NET Core CLI “dotnet publish”
Upload as a zip file
37. CloudFormation
Basic standard in AWS for automating deployment of resources
CloudFormation template
• JSON-formatted document that describes a configuration to be deployed in an AWS account
• When deployed, refers to a “stack” of resources
• Bootstrapping AWS CloudFormation Windows Stacks, http://tinyurl.com/aws-win-boot
40. Amazon EC2 Systems Manager
A set of capabilities that enable automated configuration and ongoing management of systems at scale, across all your Windows and Linux workloads, running in Amazon EC2 or on-premises
41. Systems Manager Capabilities
Run Command, State Manager, Automation, Inventory, Patch Manager, Maintenance Window, and Parameter Store, grouped on the slide under Deploy, Configure, and Administer; Track and Update; and Shared Capabilities.
42. Auditability
Infrastructure
• AWS CloudTrail
• AWS Config (see whitepaper for license auditing)
• Amazon Inspector
Network
• VPC flow logs
• Elastic Load Balancing access logs
Application
• Amazon CloudWatch Logs can integrate with:
  • IIS logs
  • Event logs
  • Event Tracing for Windows (ETW) logs
  • Any performance counter data
  • Exchange, Lync, SharePoint logs
  • Any text-based log files
Dedicated Hosts
Visibility of sockets, cores, host ID
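VPC flow logs are the network item in the list above, and they are the record that shows whether the remote-administration pattern from slides 5 and 6 actually holds: every RDP or WinRM flow to a backend should originate at the RD Gateway (or not exist at all under Systems Manager). The following is an added example (not from the deck) that parses default version-2 flow log records and reports accepted administrative flows whose source is not the gateway, plus the sources whose administrative attempts were rejected. The addresses, interface id and log lines are constructed for the example.

```python
"""Added example (not from the deck): detect administrative traffic that
bypasses the RD Gateway, using VPC flow log records in the default version-2
format. Addresses, interface ids and log lines below are constructed."""

# Field order of the default version-2 VPC flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
ADMIN_PORTS = {3389, 5985, 5986}   # RDP and WinRM
TCP = 6


def parse_flow_record(line):
    """Split one record into a dict; numeric fields are ints when log_status is OK."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":      # NODATA / SKIPDATA records carry '-' placeholders
        return rec
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def find_gateway_bypass(lines, gateway_addrs):
    """Accepted TCP flows to an admin port whose source is not a gateway address."""
    hits = []
    for line in lines:
        rec = parse_flow_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue
        if (rec["protocol"] == TCP and rec["dstport"] in ADMIN_PORTS
                and rec["srcaddr"] not in gateway_addrs):
            hits.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return hits


def rejected_admin_sources(lines):
    """Count rejected admin-port attempts per source address (scanning signal)."""
    counts = {}
    for line in lines:
        rec = parse_flow_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        if rec["protocol"] == TCP and rec["dstport"] in ADMIN_PORTS:
            counts[rec["srcaddr"]] = counts.get(rec["srcaddr"], 0) + 1
    return counts


# Constructed sample: gateway 10.0.1.10, backend WEB1 10.0.2.20, a peer 10.0.2.30.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 3389 6 20 4000 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.2.20 51000 3389 6 3 180 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.30 10.0.2.20 52000 5985 6 5 600 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.20 44321 443 6 10 2000 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1418530010 1418530070 - NODATA",
]
GATEWAY_ADDRS = {"10.0.1.10"}

if __name__ == "__main__":
    for src, dst, port in find_gateway_bypass(SAMPLE_LINES, GATEWAY_ADDRS):
        print(f"bypass: {src} -> {dst}:{port}")
    for src, n in rejected_admin_sources(SAMPLE_LINES).items():
        print(f"rejected admin attempts from {src}: {n}")
```

In the sample, the gateway's RDP session to WEB1 is expected, the Internet host's RDP attempt is rejected by the security group (which is the behaviour slide 5 designs for), and the WinRM flow from a neighbouring instance is the one worth alerting on, because it reached a backend without passing through the gateway.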