
Running your Windows Enterprise Workloads on AWS - Technical 201


Whether it is application services or end-user computing, cloud is the new normal for organisations of all sizes. In this session you will learn how to realise the benefits of running a complete Microsoft enterprise environment securely and cost-effectively within the AWS Cloud, covering topics such as AWS Directory Service, SQL Server, and remote desktops. We also provide insight into management options, including Amazon EC2 Simple Systems Manager (SSM). This session will set you up for success in migrating and operating your Microsoft workloads on AWS.

Speaker: Andrew Mitchell, Principal Solutions Architect, Amazon Web Services

Featured Customer - Carsales.com.au



  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Running your Enterprise Windows Workloads on AWS, Technical 201. Andrew Mitchell, Principal Enterprise Solutions Architect, Amazon Web Services; Dmitry Kulshitsky, Group Manager, Operations & Security, carsales.com.au
  2. What Will We Cover Today? • Providing secure, remote administrative access to your AWS Windows resources • Extending your corporate data network into AWS • Active Directory services • Microsoft SQL Server on AWS • Management tools for Windows • Customer success story: Dmitry Kulshitsky, Carsales.com.au
  3. Why Run Windows Workloads on AWS? Experience: building and managing cloud since 2006. Scale: 12 regions, 33 availability zones, 54 edge locations. Ecosystem: thousands of partners; 2,500+ Marketplace products. Performance: extensive VM and network performance options. Security & Reliability: security-in-layers approach and 99.95% application SLA.
  4. Licensing Options: flexibility helps you optimise costs. • Buy licenses from AWS: AWS manages licensing; pay-as-you-go pricing; multi-tenant or Dedicated; no need for Software Assurance; unlimited CALs. • Leverage License Mobility: AWS manages Windows Server licensing; you manage licensing costs and compliance with your ISV; uses Software Assurance. • Bring your own licenses (BYOL): save money on software licensing; you manage licensing costs and compliance with your ISV; no need for Software Assurance.
  5. Amazon EC2 Dedicated Hosts • A Dedicated Host is a physical server with EC2 instance capacity dedicated for your use • Bring-your-own-license (BYOL) platform • Supports BYOL for Windows Server, Windows SQL Server, and applications running on top of Windows Server (e.g., Exchange Server)
  6. How would you build a Microsoft Enterprise IT Platform on AWS?
  7. Let's Start Here… (diagram: Corporate Data Center, AWS Cloud, Internet)
  8. Isolated VPC in the Cloud (diagram: two Availability Zones, each with a Public Subnet and a Private Subnet; Remote Users / Admins connect from the Internet)
  9. Secure Administration via Remote Desktop (diagram: an AWS Administrator in the Corporate Data Center connects over TCP 443 to the RDGW in the Public Subnet, which reaches WEB1 and WEB2 in the Private Subnet). Requires one connection: connect to the RD Gateway, and the gateway proxies the RDP connection to the back-end instance. • Gateway Security Group: accept TCP port 443 from the Admin IP only • Web Security Group: accept TCP port 3389 from the Gateway SG only. Nothing in the private subnet needs TCP 3389 from a CIDR range, so an RDP rule with a CIDR source is the misconfiguration to look for.
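The two security-group rules on this slide are easy to state and easy to drift from. The following is an added example, not code from the deck or from AWS, that audits a set of security groups (in the shape returned by `aws ec2 describe-security-groups`) against exactly those two rules: the gateway group accepts 443 only from the admin ranges you name, and no other group accepts 3389 from anything but the gateway group. The group IDs, CIDRs and the third "sg-app" group are constructed sample data.

```python
"""Audit EC2 security groups against the RD Gateway pattern: admins reach the
gateway on TCP 443 from known addresses only, and back-end instances accept
TCP 3389 only from the gateway's security group (never from a CIDR range)."""
import ipaddress

RDP_PORT = 3389
GATEWAY_PORT = 443


def _covers(perm, port):
    """True if an IpPermission (describe-security-groups shape) allows TCP `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                     # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _cidr_sources(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _sg_sources(perm):
    return [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]


def _within_admin_ranges(cidr, admin_nets):
    net = ipaddress.ip_network(cidr, strict=False)
    # version check first: subnet_of() raises when mixing IPv4 and IPv6
    return any(net.version == a.version and net.subnet_of(a) for a in admin_nets)


def audit_rdgw_groups(groups, gateway_sg_id, admin_cidrs):
    """Return a list of (group_id, finding) tuples; an empty list means the
    groups match the slide's two rules."""
    admin_nets = [ipaddress.ip_network(c, strict=False) for c in admin_cidrs]
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            if gid == gateway_sg_id:
                if _covers(perm, GATEWAY_PORT):
                    for cidr in _cidr_sources(perm):
                        if not _within_admin_ranges(cidr, admin_nets):
                            findings.append((gid, f"TCP {GATEWAY_PORT} open to {cidr}, "
                                                  "which is not an admin range"))
                if _covers(perm, RDP_PORT):
                    findings.append((gid, f"TCP {RDP_PORT} reachable on the gateway itself; "
                                          f"admins should only use {GATEWAY_PORT}"))
            elif _covers(perm, RDP_PORT):
                for cidr in _cidr_sources(perm):
                    findings.append((gid, f"TCP {RDP_PORT} open to CIDR {cidr}; "
                                          "only the gateway SG should reach RDP"))
                for src in _sg_sources(perm):
                    if src != gateway_sg_id:
                        findings.append((gid, f"TCP {RDP_PORT} open to security group {src}, "
                                              "not the gateway SG"))
    return findings


# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The IDs and addresses are made up for this example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-gateway", "GroupName": "Gateway Security Group",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},
    {"GroupId": "sg-web", "GroupName": "Web Security Group",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "UserIdGroupPairs": [{"GroupId": "sg-gateway"}]},
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    # Drifted group: RDP opened to the world "just for testing"
    {"GroupId": "sg-app", "GroupName": "App Security Group",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for group_id, finding in audit_rdgw_groups(SAMPLE_GROUPS, "sg-gateway", ["203.0.113.0/24"]):
        print(f"{group_id}: {finding}")
```

Run against real data by feeding the `SecurityGroups` list from `aws ec2 describe-security-groups --output json` into `audit_rdgw_groups`; the protocol `-1` and port-range handling matter because a rule like "all traffic from 0.0.0.0/0" exposes 3389 without ever naming it.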
  10. Isolated VPC in the Cloud with RDGW (diagram: an RDGW in each Availability Zone's Public Subnet and a Domain Controller (DC) in each Private Subnet; Remote Users / Admins resolve the gateway via Amazon Route 53). Use Route 53 health checks and DNS failover so that admins are directed to a healthy gateway.
  11. Isolated VPC in the Cloud with NAT (diagram: a NAT instance in each Public Subnet alongside the RDGW; Domain Controllers in the Private Subnets; Remote Systems on the Internet). Use NAT instances to give private-subnet hosts access to remote Internet services. * You can use the Windows Routing & Remote Access (RRAS) NAT service.
  12. Isolated VPC in the Cloud with VPC NAT Gateway (diagram: the NAT instances replaced by a VPC NAT gateway in each Public Subnet). Use the AWS-managed NAT Gateway to reduce administrative overhead and optimise costs.
  13. Remote Desktop Gateway Reference Architecture. Detailed instructions are available in the "Deploy Remote Desktop Gateway on the AWS Cloud" whitepaper: http://aws.amazon.com/windows/resources/whitepapers/rdgateway/
  14. Extending your Corporate Network to AWS
  15. Extending your Corporate Data Network to AWS. (1) IPsec VPN tunnel: connects over the public Internet, so performance is variable • Supports static and BGP routing • Supports varying multi-Mbps speeds. (2) AWS Direct Connect (DX): dedicated telco links from your location • The telco provides SLAs and predictable performance • AWS provides multiple 1 Gbps and 10 Gbps links • BGP for dynamic routing, plus access to AWS API endpoints. (diagram: Corporate Data Center connected to the AWS Cloud by a VPN tunnel over the Internet and by a Direct Connect link via a telco)
  16. Your Hybrid Cloud (diagram: the corporate data network reaches the VPC through a virtual private gateway, via either the VPN connection or AWS Direct Connect; each Availability Zone has a Public Subnet with NAT and RDGW and a Private Subnet with a Domain Controller, an IIS web server, an app server and a SQL Server database; Remote Users connect from the Internet)
  17. Microsoft Active Directory on AWS
  18. Microsoft Active Directory. Create a new AD or extend an existing one? • Many customers create a new "fresh" AD in AWS on EC2 • Extend trusts to the existing AD for a single sign-on (SSO) experience. If you run your own AD servers: • Treat each Availability Zone as an AD site… • Read-only domain controllers still need network connectivity (they replicate from, and forward non-cached logons to, a writable DC)
  19. Your own AD on EC2 (diagram: as on slide 16, with a Domain Controller (DC) in each Availability Zone's Private Subnet)
  20. AWS can simplify this for you…
  21. (diagram: the same hybrid architecture, with the two EC2-hosted Domain Controllers highlighted)
  22. Replaced with AWS DS (diagram: the Domain Controllers replaced by AWS Directory Service in each Availability Zone)
  23. Use AWS Directory Service: a Microsoft Windows-compatible directory service as a managed AWS service. Usage options are: 1. Use the AWS AD Connector to simplify connecting to your existing on-premises Microsoft Active Directory 2. AWS Simple AD allows you to set up and operate a new Samba-based directory in the AWS Cloud 3. AWS Directory Service for Microsoft Active Directory (Enterprise Edition) provides a feature-rich managed Microsoft Active Directory hosted on the AWS Cloud. AWS DS is easy to manage: use the standard Windows AD admin tools.
  24. Use AWS Directory Service: which option should you choose? • AD Connector: the best option if you want to use your existing on-premises AD with AWS services without extending your domain to the cloud • Simple AD: in most cases the least expensive option, and your best choice if you have 5,000 or fewer users and don't need the more advanced Microsoft Active Directory features • Directory Service for Microsoft Active Directory (Enterprise Edition): your best choice if you have more than 5,000 users and need a trust relationship between an AWS-hosted directory and your on-premises directories
  25. Domain Joining to AWS Directory Service from the AWS Console GUI (screenshot: Launch Instance wizard)
  26. (screenshot: Instance Boot Status)
  27. (screenshot: instance domain-join status to AWS Directory Service, showing Computer Name and Domain Details)
  28. AWS Directory Service (Console) (screenshot: DNS IPs for your Domain Controllers in each AZ; Enabled Services)
  29. Microsoft SQL Server on AWS
  30. SQL Server on AWS • Wide array of choices • Fully managed services • Enterprise-grade security • 99.95% availability • Flexible and scalable
  31. SQL Server on Amazon EC2 (diagram: Primary DB in a Private Subnet in Availability Zone 1) • Deploy in minutes: simple provisioning via an AWS-provided AMI • Wide range of versions and performance options
  32. SQL Server High Availability (diagram: Primary DB in Availability Zone 1 and Secondary Replica 1 in Availability Zone 2, each in a Private Subnet, behind the AG listener ag.awslabs.net with automatic failover) • Quick Start reference architecture and CloudFormation template provided • Scale up to 8 instances • 99.95% availability
  33. Or…
  34. Amazon RDS for SQL Server • Deploy in minutes • Automated backups • Push-button scaling • Automatic host replacement and Multi-AZ deployments for high availability
  35. Choosing the right solution. Amazon RDS for SQL Server: consider RDS first; focus on business-value tasks, high-level tuning tasks and schema optimisation; a good fit when there is no in-house database expertise. SQL Server on Amazon EC2: when you need full control over the DB instance, backups, replication and clustering, or need options not available in Amazon RDS.
  36. Migrating data to and from Amazon RDS. (1) Microsoft SQL Server Database Publishing Wizard: export to T-SQL files, load using sqlcmd. (2) NEW LAUNCH! AWS Database Migration Service: minimise downtime during migrations, migrate between different DB platforms, Schema Conversion Tool. (3) AWS Marketplace: third-party data import and export tools and solutions.
  37. Management tools for Windows
  38. Amazon EC2 Simple Systems Manager (SSM). Simple Systems Manager (SSM) facilitates the automatic configuration of Amazon Elastic Compute Cloud (EC2) instances running Windows Server. SSM is implemented through the EC2Config Windows service already included in Windows Server AMIs. The EC2Config service polls SSM every 5 minutes for configuration documents (in JSON format) containing system configurations, or you can force a run from the CLI. SSM currently supports configuration documents that allow for: • Automated domain join • MSI package installation/repair/uninstallation • PowerShell module installation • Delivery of Performance Monitor, Event Log, IIS log and custom log file data to CloudWatch and CloudWatch Logs
  39. SSM Document Example
    {
      "schemaVersion": "1.0",
      "description": "MSI Install Script",
      "runtimeConfig": {
        "aws:applications": {
          "properties": [
            {
              "action": "Install",
              "source": "https://S3region.amazonaws.com/mybucketname/MSIs/CustomApp-x64.msi"
            },
            {
              "action": "Install",
              "source": "http://location.s3.amazonaws.com/Firefox/Firefox-33.0.2/Firefox-33.0.2-en-US.msi",
              "parameters": "INSTALLLEVEL=1000 custompath=\"c:\\foldername\""
            }
          ]
        }
      }
    }
    Note: the quotes and backslash inside the parameters string must be escaped as shown, or the document is not valid JSON. The second package is fetched over plain HTTP; prefer an HTTPS or S3 source, since the agent installs whatever it downloads, as SYSTEM.
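Slides 38 and 39 describe two of the schemaVersion 1.0 document types (automated domain join and MSI installation) and show one hand-written example. The following is an added example, not code from the deck or from AWS, that builds both document shapes from Python values so the JSON quoting is done by `json.dumps` rather than by hand, and that applies one policy of its own (not an SSM restriction): an installer source must be an HTTPS URL. The directory ID, domain name, DNS addresses, bucket URL and MSI parameters are constructed placeholders.

```python
"""Build schemaVersion 1.0 SSM configuration documents for automated domain join
and MSI installation, refusing installer sources that are not fetched over HTTPS."""
import json
from urllib.parse import urlparse


def safe_source(url):
    """This example's own policy, not an SSM restriction: an installer the agent
    will run as SYSTEM must arrive over HTTPS so it cannot be swapped in transit."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def msi_install_document(packages, description="MSI Install Script"):
    """`packages` is a list of (source_url, msiexec_parameters_or_None).
    Returns the aws:applications document as a dict; json.dumps does the quoting
    that a hand-typed parameters string with embedded quotes usually gets wrong."""
    props = []
    for source, params in packages:
        if not safe_source(source):
            raise ValueError(f"refusing non-HTTPS installer source: {source}")
        entry = {"action": "Install", "source": source}
        if params:
            entry["parameters"] = params
        props.append(entry)
    return {
        "schemaVersion": "1.0",
        "description": description,
        "runtimeConfig": {"aws:applications": {"properties": props}},
    }


def domain_join_document(directory_id, directory_name, dns_ips):
    """The aws:domainJoin plugin needs the directory ID, its DNS name and the DNS
    addresses of the directory's domain controllers (one per AZ on the console slide)."""
    if not dns_ips:
        raise ValueError("at least one DNS IP address is required")
    return {
        "schemaVersion": "1.0",
        "description": "Automatic Domain Join Configuration",
        "runtimeConfig": {
            "aws:domainJoin": {
                "properties": {
                    "directoryId": directory_id,
                    "directoryName": directory_name,
                    "dnsIpAddresses": list(dns_ips),
                }
            }
        },
    }


def render(document):
    """Serialise for `aws ssm create-document --name <name> --content file://<path>`."""
    return json.dumps(document, indent=2)


def roundtrip(document):
    """Parse the rendered JSON back; proves the escaping survives serialisation."""
    return json.loads(render(document))


if __name__ == "__main__":
    # Constructed placeholders: directory, domain, DNS addresses and bucket are not real.
    join = domain_join_document("d-1234567890", "corp.example.com",
                                ["10.0.0.10", "10.0.1.10"])
    install = msi_install_document([
        ("https://s3-ap-southeast-2.amazonaws.com/example-bucket/MSIs/CustomApp-x64.msi",
         'INSTALLLEVEL=1000 CUSTOMPATH="c:\\apps"'),
    ])
    print(render(join))
    print(render(install))
```

Load the rendered file with `aws ssm create-document` and attach it to an instance with `aws ssm create-association`; the `ValueError` on a plain-HTTP source is deliberate, because the slide's own second package would otherwise be installed from an unauthenticated download.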
  40. Dmitry Kulshitsky, Group Manager, Operations & Security at carsales.com.au
  41. It all started here… (diagram: Office, Internet, Data Center) • Isolated VPC for a small project • No VPN • No AD in the cloud • Management via bastion hosts (RDP)
  42. First Steps: VPN (diagram: Office and Data Center connected to AWS over VPN) • Multiple accounts in AWS, with peering • VPN • No AD in the cloud • Management via VPN (back-end IPs)
  43. Next Phase: DR Project (diagram: Office and Data Center connected to AWS via a Telco Direct Connect link; Domain Trust) • Multiple accounts in AWS, with peering • Direct Connect (speed, predictable SLAs), required to support near-real-time replication • AD in the cloud, in a separate forest • One-way trust between domains
  44. (diagram: data centre, active: IIS web server, app server, SQL Server cluster; AWS, passive/DR: IIS web servers, app servers, SQL Server databases; CDN in front) • Need to be able to switch between DCs • Data replication?
  45. Architectural Considerations and Data Replication. Latency considerations: • Avoid crossing the link for synchronous calls • OK in failover scenarios • Retry/failover mechanisms when making API calls. Decided to rely on 2 types of data replication: • Queue level: RabbitMQ Shovel plugin; moves messages between brokers in different administrative domains; resilient, tolerates intermittent connectivity issues • Database level: Microsoft SQL 2012 Enterprise, HA, AlwaysOn; async replication; listener (read/write copy) in the data centre
  46. Queue-level sync (diagram: data centre with IIS web server, app server and SQL Server cluster; AWS with IIS web servers, app servers, MS SQL RDS and an MS SQL EC2 instance) • Queue-level sync (shovel) • Databases in AWS and DC are not aware of each other • Can be out of sync (depends on queue item processing speed/backlog etc.) • Various combinations of SQL replication/mirroring in AWS (combinations of SQL RDS and MS SQL EC2 instances) for redundancy • Can use MS SQL Standard Edition
  47. Database-level sync (diagram: data centre SQL Server cluster replicating to MS SQL EC2 instances in AWS) • AlwaysOn Availability Group is an Enterprise Edition feature • Allows you to fail over a group of databases as a single entity (unlike database mirroring) • Databases in AWS and DC are aware of each other • Can use sync and/or async replication • Automatic failover (listener moves to a different IP address) • Single master, but secondary replicas can be used for read-only workloads
  48. Migration to AWS (diagram: CDN in front of the data centre and AWS stacks) • Context-switching rule at the LB (portion of traffic)
  49. Migration to AWS • Once happy, change the Origin IP address • "Failover" the AlwaysOn SQL to move the listener to AWS • Very simple, only took minutes to complete • Swapped roles: DC is now DR
  50. Dmitry Kulshitsky, Group Manager, Operations & Security at carsales.com.au
  51. Further reading. Microsoft Workloads on AWS whitepapers: https://aws.amazon.com/windows/resources/whitepapers/ AWS Quick Launches: try enterprise Microsoft products on AWS before you deploy them into production: https://aws.amazon.com/quickstart/quick-launch/
  52. Summary. You can readily and securely run enterprise Microsoft and many other mission-critical workloads on AWS. AWS provides customers with the flexibility to run Microsoft workloads the way they want: • Run them as you do now, but on EC2, or • Simplify management by replacing them with native AWS services: Directory Service, RDS for SQL Server, managed NAT, etc.
  53. AWS Training & Certification • Intro videos & labs: free videos and labs to help you learn to work with 30+ AWS services, in minutes • Training classes: in-person and online courses to build technical skills, taught by accredited AWS instructors • Online labs: practice working with AWS services in a live environment; learn how related services work together • AWS Certification: validate technical skills and expertise; identify qualified IT talent or show you are AWS cloud ready. Learn more: aws.amazon.com/training
  54. Your Training Next Steps: ✓ Visit the AWS Training & Certification pod to discuss your training plan & AWS Summit training offer ✓ Register & attend AWS instructor-led training ✓ Get certified. AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag. Learn more: aws.amazon.com/training
  55. Thank you!
