Technical 201: Moving Enterprise Windows Workloads to AWS
The cloud is the new norm for organizations of all sizes. In this session you will learn how to create an entire Microsoft Enterprise environment in AWS that includes AWS Active Directory Service, Simple Systems Manager (SSM) service, MS Exchange and SharePoint. These will further integrate with new end user productivity services such as AWS WorkSpaces, AWS WorkDocs, and AWS WorkMail.
Speaker: Dr Peter Stanski, Solutions Architect, Amazon Web Services
5. Microsoft Workloads on AWS…
Major companies run Microsoft Exchange, SharePoint and Lync on AWS:
– Some of the world’s largest enterprise websites run on SharePoint
– .Net, ASP.Net, COM/COM+ and many other Wintel technologies
– Enterprise Voice and IM are also suitable workloads
– Large Enterprise Exchange email deployments
7. Xero
Leading small business cloud platform
Vision: Millions of people all over the world love doing business on Xero
Mission: Grow prosperity by connecting people through beautifully designed business software
Goal: Achieving scale and value by winning one million+ customers
8. Xero SQL Design Principles
3 key principles for data:
• Resiliency
• Availability
• Security
Xero is built on a SQL Server foundation.
9. Why Microsoft SQL Server on EC2?
• Target Architecture
• Uptime
• Control
• Maintenance
Amazon RDS is always considered for use in new developments at Xero.
Our journey so far….
10. Takeaways
What did we learn and what did we consider?
• Instance Sizing & IOPS
• Interconnecting the regions
• Operational Recovery
• Security
• Automation
11. Final Takeaway
It is achievable to have a highly available SQL Server environment running on EC2 in AWS supporting an online and highly concurrent 24x7 system.
18–20. Secure Administration via Remote Desktop
[Diagram: an AWS Administrator in the Corporate Data Center connects over TCP 443 to a Remote Desktop Gateway (RDGW) in the public subnet of an Availability Zone; the gateway reaches WEB1 and WEB2 in the private subnet over TCP 3389.]
• Gateway Security Group: accept TCP port 443 from the Admin IP only
• Web Security Group: accept TCP port 3389 from the Gateway SG only
• Requires one connection: connect to the RD Gateway, and the gateway proxies the RDP connection to the back-end instance.
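As an added example (not from the deck), a Python audit that checks DescribeSecurityGroups-style data against the two rules on this slide: 443 into the gateway only from the admin address, 3389 into the web tier only from the gateway's security group. The group IDs, the admin CIDR and the sample rules are constructed, and one rule deliberately breaks the pattern so the check has something to report:

```python
# Added example, not from the slides: audit security-group rules for the
# RDGW pattern (TCP 443 from Admin IP -> gateway, TCP 3389 from gateway SG
# -> web tier). Input mirrors the shape of EC2 DescribeSecurityGroups.

ADMIN_CIDR = "203.0.113.10/32"   # constructed admin IP (TEST-NET-3 range)
GATEWAY_SG = "sg-0gateway"       # constructed group IDs
WEB_SG = "sg-0web"

# Constructed sample data with one deliberate mistake: the web SG also
# exposes 3389 to the whole Internet, bypassing the gateway.
SECURITY_GROUPS = [
    {"GroupId": GATEWAY_SG, "GroupName": "Gateway SG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ADMIN_CIDR}], "UserIdGroupPairs": []}]},
    {"GroupId": WEB_SG, "GroupName": "Web SG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": GATEWAY_SG}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]


def _covers(perm, port):
    """True if an inbound permission includes TCP `port` ("-1" = all traffic)."""
    if perm["IpProtocol"] not in ("tcp", "-1"):
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return lo <= port <= hi


def audit_rdgw(groups, admin_cidr=ADMIN_CIDR, gateway_sg=GATEWAY_SG, web_sg=WEB_SG):
    """Return a list of findings; an empty list means the slide's rules hold."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []
    # Gateway SG: TCP 443 only from the admin address, and no RDP exposed at all.
    for perm in by_id[gateway_sg]["IpPermissions"]:
        for r in perm["IpRanges"]:
            if _covers(perm, 443) and r["CidrIp"] != admin_cidr:
                findings.append(f"gateway: 443 open to {r['CidrIp']}, expected {admin_cidr}")
            if _covers(perm, 3389):
                findings.append(f"gateway: 3389 reachable from {r['CidrIp']}")
    # Web SG: TCP 3389 only from the gateway's group, never from a CIDR range.
    for perm in by_id[web_sg]["IpPermissions"]:
        if not _covers(perm, 3389):
            continue
        for r in perm["IpRanges"]:
            findings.append(f"web: 3389 open to CIDR {r['CidrIp']} instead of {gateway_sg}")
        for pair in perm["UserIdGroupPairs"]:
            if pair["GroupId"] != gateway_sg:
                findings.append(f"web: 3389 open to group {pair['GroupId']}")
    return findings
```

Feeding real describe-security-groups output to `audit_rdgw` with your own IDs gives the same checks against a live VPC.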
21–23. Isolated VPC in the Cloud with RDGW
[Diagram: two Availability Zones, each with a public subnet holding an RDGW and a private subnet holding a Domain Controller (DC); remote users and admins connect through the gateways.]
• Use Amazon Route 53 health checks and DNS failover across the gateways
24–25. Isolated VPC in the Cloud with NAT
[Diagram: the same two-AZ layout, with a NAT instance in each public subnet giving the private-subnet Domain Controllers a path to the Internet and to remote systems.]
• Use NAT instances to provide access to remote Internet services
• You can use the Windows Routing & Remote Access (RRAS) NAT service
26. Remote Desktop Gateway Reference Architecture
• Detailed instructions available in the “Deploy Remote Desktop Gateway on the AWS Cloud” white paper
Available from: http://aws.amazon.com/windows/resources/whitepapers/rdgateway/
28. Microsoft DirectAccess for Client Devices
• DirectAccess is a feature that allows connectivity to an organization’s network resources without the need for traditional Virtual Private Network (VPN) connections
• With DirectAccess, client computers are always connected to your corporate data network
• IT administrators can manage DirectAccess client computers whenever they are running and connected to the Internet
• Summary: always-on, light-weight VPN into your corporate network
29–33. Isolated VPC in the Cloud with DirectAccess
[Diagram: one Availability Zone with a public subnet and a private subnet (10.0.0.0/24 and 10.0.2.0/24). A Windows DirectAccess Edge instance and a Windows NAT instance each have an ENI with an Elastic IP in the public subnet and an ENI with a private IP in the private subnet, each behind its own Security Group. A Domain Controller (DC + Certs) sits in the private subnet. Remote Windows client computers (users / admins) reach the edge over the Internet.]
• Always-on VPN into the enterprise from Windows client(s)
34. Microsoft DirectAccess Server Role & NAT
• Detailed instructions available in the “Implementing Microsoft DirectAccess and NAT in the AWS Cloud” white paper
Available from: http://aws.amazon.com/windows/resources/whitepapers/ms-direct-access/
36–38. RDGW and DirectAccess Considerations
• Secure RDGW connections require SSL certificates
– Available from a public Root Certificate Authority; OR
– Deployed to the client device (manually / AD GPO)
• DirectAccess requires a domain joined client device
– You will need to perform an offline domain join + Certs + DC + ….
• Direct connectivity into the VPC simplifies setup
– Requires cooperation across a wider set of IT team members
41–42. Extending your Corporate Data Network to AWS
[Diagram: the Corporate Data Center connects to the AWS Cloud by (1) a VPN tunnel over the Internet and (2) a Direct Connect link via a Telco.]
1. IPsec VPN Tunnel
• Connects over the public Internet but has variable performance
• Supports static and BGP routing
• Supports varying multi-Mbps speeds
2. AWS Direct Connect (DX)
• Allows for dedicated telco links from your location
• Telco provides SLAs and predictable performance
• AWS provides multiple 1 Gbps & 10 Gbps links
• BGP for dynamic routing + AWS API endpoints
43–46. Your Hybrid Cloud
[Diagram: two Availability Zones, each with a public subnet (NAT, RDGW) and a private subnet (Domain Controller, SQL Server, App Server, IIS web server). Remote users connect through the RDGWs; the corporate data network attaches to a virtual private gateway by a VPN connection and by AWS Direct Connect.]
48. SharePoint Reference Architectures on AWS
White papers (SharePoint 2010 and 2013) available from:
• http://aws.amazon.com/windows/resources/whitepapers/sharepoint-2010/
• http://aws.amazon.com/windows/resources/whitepapers/sharepoint-2013/
50–52. Microsoft Active Directory
• Create a new AD or extend existing?
– Lots of customers create a new “fresh” AD in AWS on EC2
– Extend trusts to existing AD for a Single Sign On (SSO) experience
• If you run your own AD servers
– Treat each Availability Zone as an AD Site…
– Read Only Domain Controllers still need network connectivity
• AWS can simplify this for you…..
54–56. Use AWS Directory Service
• A Microsoft Windows compatible directory service as a managed AWS service. Usage options are:
A. Simplifies connecting to your existing on-premises Microsoft Active Directory via an “AD Connector”;
B. Or set up and operate a new directory in the AWS cloud as a “Simple AD”
• AWS DS is easy to manage: use the standard Windows AD admin tools
• Your directory users and groups can access the AWS Management Console, and AWS applications, such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail, using their existing credentials
57. Simple AWS Directory Service Supports
• Microsoft Internet Information Services (IIS) on:
– Windows Server 2003 R2
– Windows Server 2008 R1 & R2
– Windows Server 2012 & R2
• Microsoft SQL Server:
– SQL Server 2005 R2 (Express, Web, and Standard editions)
– SQL Server 2008 R2 (Express, Web, and Standard editions)
– SQL Server 2012 (Express, Web, and Standard editions)
– SQL Server 2014 (Express, Web, and Standard editions)
• Microsoft SharePoint:
– SharePoint 2010 Foundation
– SharePoint 2010 Enterprise
– SharePoint 2013 Enterprise
58–59. Your own AD on EC2, replaced with AWS DS
[Diagram, slide 58: the hybrid two-AZ layout (NAT and RDGW in each public subnet; SQL Server, App Server and IIS Server in each private subnet) with your own AD on EC2: a Domain Controller (DC) in each private subnet. The corporate data network attaches via a virtual private gateway over a VPN connection and AWS Direct Connect.]
[Diagram, slide 59: the same layout with the EC2 Domain Controllers replaced with AWS Directory Service.]
60. Domain Joining to AWS Directory Service
From the AWS Console GUI – Launch Instance Wizard
66. AWS Simple Systems Manager (SSM)
• Simple Systems Manager (SSM) facilitates the automatic configuration of AWS Elastic Compute Cloud (EC2) instances running Windows Server OS
• SSM is implemented through the EC2Config Windows service already included in Windows Server AMIs
• The EC2Config service polls SSM every 5 minutes for configuration documents (in JSON format) containing system configurations, or you can force it from the CLI
• SSM currently supports configuration documents that allow for:
– Automated Domain Join
– MSI Package Installation/Repair/Uninstallation
– PowerShell Module Installation
– Delivery of Performance Monitor, Event Log, IIS Log, and custom log file data to CloudWatch and CloudWatch Logs
70–75. Simple Systems Manager: SSM Configuration & EC2Config Service
[Diagram: a Configuration Document (the definition of setup & config tasks) is associated with instance ID(s); the EC2Config Windows service on each Windows instance applies it, joining AWS Directory Service and delivering data to CloudWatch & CloudWatch Logs.]
Setup & config tasks:
• Domain Join
• Package Installations
• Deploy PowerShell Modules
• Logs & Performance Monitor integration with CloudWatch
80. Elastic Block Storage (EBS) Updates
Max EBS volume size up from 1TiB to 16TiB, and from 4,000 to 20,000 PIOPS
[Diagram: Amazon EC2, EBS snapshots, 16TiB volume.]
81–82. MS Exchange Reference Architectures on AWS
Both white papers & case studies (Exchange 2010 and 2013) available from:
• http://aws.amazon.com/windows/products/exchange/
• Use AWS SES as a Send Connector
84. Amazon WorkMail
• WorkMail is a secure, managed business email and calendaring service with support for existing desktop and mobile email clients
• WorkMail gives seamless access to email, contacts, and calendars using the native Microsoft Outlook client, a web browser, or native iOS and Android email applications
• You can integrate Amazon WorkMail with your existing corporate directory and control both the keys that encrypt your data and the location in which your data is stored
• Useful when you would like a managed Exchange as a service
86. Amazon WorkSpaces
• AWS managed desktop computing service in the cloud – virtual desktop infrastructure (VDI)
• Cloud-based desktops that allow end-users to access the documents, applications and resources they need with the device of their choice
• Accessed from laptops, iPad, Kindle Fire, Android tablets, and zero clients
92. Compelling Windows Event (Don’t Forget)
• Microsoft is ending support for Windows Server 2003 on July 14, 2015
• Options include:
– Keep running it but do it on AWS
– Migrate to the newer versions of Windows
– Do both….
• Find more info at: http://aws.amazon.com/windows/products/ec2/server2003/
93. Summary
• You can readily run Enterprise Microsoft and many other mission critical workloads on AWS….
• You can run your own workloads on EC2; or
• Replace them with native AWS services
– Directory Services, WorkSpaces, WorkMail, WorkDocs, SQL Server RDS, SES for bulk email sending….