2. What We’ll Cover: Everything SharePoint on AWS
The Fundamentals
• EC2 Networking
• Active Directory
• Remote Access
• Purchasing Options
Architectural Scenarios
• Marketplace Builds
• Hybrid: AWS as a DR Site
• Multi-AZ SharePoint
• SharePoint 2016
• Quick Start
Best Practices
• Amazon EC2 Best Practices
• SQL Best Practices
• Migration Best Practices
• Going Beyond IaaS
3. Fundamentals: Single VPC Patterns
Public and Privately Routed VPC
This design pattern is used for workloads that need to accommodate a combination of public and private routing needs, such as all-in Internet-facing, multi-tier web applications supported by databases or other privately routed backend systems.
Internal-Only VPC
This design pattern is used to create a network environment that is only accessible from an existing, internal network, such as internally facing or back-office systems.
On-Premises and Internet-Accessible VPC
This design pattern is used to create a network environment that has the ability to communicate with both on-premises (privately routed) and external (publicly routed) resources.
Internet-Accessible VPC
This design pattern is primarily used for test, R&D, sales demo, production, and other environments that require a network environment that is completely isolated from a customer’s internal network.
For more info on configuring VPCs, see AWS Answers for Networking.
4. Fundamentals: External Connectivity
• Internet Gateway: highly available VPC component that allows communication between instances in your VPC and the Internet.
• NAT Gateway: enables instances in a private subnet to connect to the Internet or other AWS services, but prevents the Internet from initiating a connection with those instances.
• Virtual Private Network (VPN): IPsec tunnels from your on-premises network to the VPC.
• Virtual Private Gateway (VPG): the VPC-side endpoint that terminates VPN and Direct Connect connections.
• AWS Direct Connect: dedicated private network connection from your data center to AWS, bypassing the public Internet.
For more info on configuring external access, see Amazon VPC for On-Premises Network Engineers, Part One.
5. Fundamentals: Active Directory Patterns
Directory Trusts
Extending an on-premises directory over secure connections to AWS using either Active Directory on Amazon EC2 or AWS Directory Service for Microsoft AD.
Federated Trusts
Building federated trusts from on-premises to AWS using Active Directory Federation Services (AD FS) or other SAML-compliant software and services.
[Diagram 1: an on-premises data center with a domain controller, connected over VPN or Direct Connect to an Availability Zone holding either a domain controller on Amazon EC2 or AWS Directory Service.]
[Diagram 2: an on-premises data center with a domain controller and WAP/AD FS, connected over the Internet (secured) to an Availability Zone holding WAP/AD FS on Amazon EC2 and a domain controller on Amazon EC2.]
6. The Fundamentals: Remote Access
See the Remote Desktop Gateway on the AWS Cloud Quick Start for additional info.
7. The Fundamentals: Purchasing Options
Options for using Microsoft software licenses on the AWS Cloud:
Buy Licenses From AWS
• 2,300+ products available for 1-click deployment across 35 distinct product categories, including several SharePoint 2013 & 2016 builds ranging from single-server to multiple-server builds.
• Using license-included instances gives you access to fully compliant Microsoft software licenses bundled with Amazon EC2, and the ability to pay for them as you go with no upfront costs or long-term investments.
Bring Licenses To AWS
• If you’ve already purchased Microsoft software, bring your own licenses (BYOL) to the AWS Cloud and extend the lifecycle of your software without additional hardware costs.
For more info on licensing Windows on AWS, see Microsoft Licensing on AWS.
8. What We’ll Cover: Architectural Scenarios
• Marketplace Builds
• Hybrid: AWS As a DR Site
• Multi-AZ SharePoint
• SharePoint 2016
• Quick Start
9. Architecture: Marketplace
• Browse, test, and buy enterprise software
• Simplified procurement process
• Consume as needed without overprovisioning
• One AWS bill
• Consume hourly, monthly, annually
• Customers run over 143M hours of software per month
10. Architecture: Marketplace
SharePoint Enterprise 2016 All In One
SharePoint Enterprise 2016 for AWS "All In One" for SME or line-of-business implementation. Best for test or development teams working on short-term development projects, to share and collaborate on new ideas and engage in social conversations.
[Diagram: a single Availability Zone and subnet behind an Internet Gateway, with one Windows Server 2012 R2 instance running Active Directory Domain Services, SQL Server 2014 Enterprise and SharePoint Server 2016.]
Because the domain controller, database and web front end share one Internet-reachable instance here, this build belongs in test/dev, not in production.
11. Architecture: Marketplace
SharePoint Enterprise 2016 Business
SharePoint Enterprise 2016 is well suited for enterprises looking for a collaboration tool in multiple geo-locations, including support for external users.
[Diagram: a single Availability Zone behind an Internet Gateway with three subnets, each holding a Windows Server 2012 R2 instance: Active Directory Domain Services, SQL Server 2014 Enterprise and SharePoint Server 2016.]
12. Architecture: AWS As a DR Site
Spectrum of Disaster Recovery Options (higher RTO on the left, lower RTO on the right)
Backup & Restore
• Back up to S3 with AWS Storage Gateway
• Replace on-premises tape system
• Leverage Amazon Glacier for data archiving
Pilot Light
• SQL Server log shipping over VPN or Direct Connect
• EC2 instances in stopped state
• Cool DR site with lower costs
Warm Site
• SQL Server asynchronous Always On Availability Group over Direct Connect
• EC2 instances in running state
13. Architecture: AWS As a DR Site
Backup & Restore
• Minimal amount of running infrastructure on AWS keeps costs low
• Typically longer RTO
For more info on configuring backup and recovery, see Enterprise Backup and Recovery On-Premises to AWS. For more info on configuring AWS Storage Gateway, see AWS Storage Gateway Documentation.
[Diagram: the on-premises SharePoint farm (WFE servers, app server, SQL Server) is backed up by a backup server supporting iSCSI, CIFS and SMB to an AWS Storage Gateway VM on direct-attached or SAN storage; the gateway sends data over HTTPS (via Direct Connect, VPN or the Internet) to the Storage Gateway service and an S3 bucket. In an Availability Zone, the AWS DR SharePoint farm (WFE, APP and SQL Server EC2 instances) sits in a stopped state, with SQL Server data on an EBS volume.]
14. Architecture: AWS As a DR Site
Pilot Light
• Small amount of running EC2 infrastructure on AWS
• SQL log shipping increases automation of database-layer backup and restore operations
For more info on configuring log shipping between on-premises and AWS, see Deploying Microsoft SQL Server on Amazon Web Services. For more info on configuring a pilot light DR environment on AWS, see Using Amazon Web Services for Disaster Recovery.
[Diagram: the on-premises SharePoint farm (two WFE servers, two app servers, SQL Server) ships transaction logs over Direct Connect or VPN to a running SQL Server EC2 instance in an Availability Zone, which replays them; the WFE and APP EC2 instances of the AWS DR SharePoint farm remain in a stopped state.]
15. Architecture: AWS As a DR Site
Warm Site
• Lower RTOs require more running EC2 infrastructure on AWS
• Always On Availability Group(s) further increase automation of database synchronization/restore
For more info on configuring Always On Availability Groups between on-premises and AWS, see Deploying Microsoft SQL Server on Amazon Web Services.
[Diagram: the on-premises SharePoint farm (two WFE servers, two app servers, two SQL Servers in a synchronous Always On Availability Group) replicates with asynchronous commit over Direct Connect or VPN to a SQL Server EC2 instance in an Availability Zone; the WFE and APP EC2 instances of the AWS DR SharePoint farm are in a running state.]
16. Architecture: Multi-AZ SharePoint
Typical On-Premises SharePoint Setup
• Single production farm
• Database backups shipped offsite and/or replicated to an alternate data center
• Typical SharePoint DR plan involves a full farm rebuild followed by a restore of content database backups
[Diagram: Data Center #1 hosts the production SharePoint farm; storage volumes or database backups are synchronized/replicated to Data Center #2, and database backups on tape media are transported to an offsite facility.]
17. Architecture: Multi-AZ SharePoint
AWS Multi-AZ Design Pattern
• AWS is built around Regions and Availability Zones (AZs)
• A Region is a physical location in the world where we have multiple Availability Zones
• Availability Zones consist of one or more discrete fault-tolerant data centers, each with redundant power, networking and connectivity
• Availability Zones are connected to each other with private, low-latency fiber-optic links
• You can achieve high availability by deploying your application so that it spans multiple Availability Zones
• Data center redundancy achieved with little or no effort!
[Diagram: a single application boundary spanning Availability Zone #1 and Availability Zone #2 over a low-latency link, each zone holding a web server and a DB server, with synchronous replication and automatic failover between the DB servers.]
18. Architecture: Multi-AZ SharePoint
AWS Multi-AZ SharePoint 2013
• VPC, two AZs, single public and multiple private subnets
• Include Remote Access, NAT Gateways and Active Directory
• Stretched SharePoint farm spanning multiple AZs providing data center redundancy
• Multi-AZ reduces risk profile and simplifies DR planning
[Diagram: one VPC spanning Availability Zone #1 and Availability Zone #2. Each AZ has a Public Tier subnet (VPC NAT Gateway and Windows Server RD Gateway), a Web Tier subnet (SharePoint WFE), an App Tier subnet (SharePoint APP), a Data Tier subnet (SQL Server) and a Directory Tier subnet (Domain Controller). An AWS ELB fronts the WFEs, and the two SQL Servers form a synchronous Always On Availability Group.]
19. Architecture: Multi-AZ SharePoint
AWS Supports Traditional Two-Data Center Patterns
• Fully supported to run a SharePoint DR farm (two-region DR pattern) on AWS for SharePoint
[Diagram: Region US East hosts the production farm across Availability Zone #1 and #2; each AZ has a Public Tier (VPC NAT Gateway, Windows Server RD Gateway), Web Tier (SharePoint WFE), App Tier (SharePoint APP), Data Tier (SQL Server) and Directory Tier (Domain Controller), with an AWS ELB in front and a synchronous Always On Availability Group between the two SQL Servers. Region US West hosts the DR farm in a single Availability Zone with the same tiers; the regions are linked by VPN and the DR SQL Server is an asynchronous Always On Availability Group replica.]
20. Architecture: SharePoint 2016
Minimum Size SharePoint 2016 MinRole Farm
• Does not provide HA
[Diagram: MinRole SharePoint in one VPC across Availability Zone #1 and #2: Public Tier subnets with VPC NAT Gateway and Windows Server RD Gateway, an AWS ELB, a Domain Controller in the Directory Tier of each AZ, a single SQL Server in the Data Tier, and four MinRole servers, one per role (SharePoint Front-end, SharePoint Search, SharePoint Application, SharePoint Distributed Cache), spread over the Web Tier and App Tier subnets.]
21. Architecture: SharePoint 2016
HA SharePoint 2016 MinRole Farm
• Supports no-downtime patching
[Diagram: MinRole SharePoint in one VPC across Availability Zone #1 and #2, with the same public, directory, web, app and data tiers as before, but now with two Domain Controllers, two SQL Servers in a synchronous Always On Availability Group, and at least two of each MinRole role split across the AZs (the slide shows two Front-end, two Application, two Search and three Distributed Cache servers).]
22. Architecture: SharePoint 2016
HA SharePoint 2016 MinRole Farm
• Supports no-downtime patching
• Add Office Online Server and Workflow Manager
[Diagram: the HA MinRole farm from the previous slide (two Domain Controllers, two SQL Servers in a synchronous Always On Availability Group, two Front-end, two Application, two Search and three Distributed Cache servers across Availability Zone #1 and #2), extended with two Office Online Server instances and three Workflow Manager instances.]
23. Architecture: SharePoint 2016
SharePoint 2016 Feature Pack 1: MinRole Enhancements
• Supports shared roles
• Minimum number of farm servers for HA = 4
[Diagram: the same two-AZ VPC layout (Public Tier with VPC NAT Gateway and Windows Server RD Gateway, AWS ELB, two Domain Controllers, two SQL Servers in a synchronous Always On Availability Group), with only four MinRole servers: a "SharePoint Front-end with Distributed Cache" and a "SharePoint Application with Search" in each Availability Zone.]
24. Architecture: SharePoint Quick Start
• AWS CloudFormation automated build
• Extensible JSON AWS CloudFormation templates available on GitHub
• Creates “stacks” of AWS resources
• Bring your own license for SharePoint
• DevOps for SharePoint
25. Architecture: SharePoint Quick Start
Deployment Steps
1. Prepare an AWS Account.
2. Configure and Launch the Stack.
3. Configure Availability Group(s).
4. Done!
• Template takes about 3 hours to complete
• Default template will cost about $12 per hour
26. What We’ll Cover: Best Practices
• EC2 Best Practices
• SQL Best Practices
• Migration Best Practices
• Going Beyond IaaS
27. Best Practices: EC2 Networking Security
Network ACLs
• Optional layer of security
• Subnet level (second layer of defense)
• ALLOW and DENY rules
• Stateless (return traffic not automatically allowed)
• Rules evaluated in order, lowest rule number first; the first match wins
• Automatically applies to all instances in the subnet
Security Groups
• Instance level (first layer of defense)
• Instances can associate with multiple security groups
• ALLOW rules only
• Stateful (return traffic automatically allowed)
• At least one security group must be specified for an instance

Example VPC (10.0.0.0/16) in one Availability Zone: Directory Tier (10.0.0.0/19), Data Tier (10.0.32.0/20), Web Tier (10.0.64.0/20) and Public Tier (10.0.96.0/20), with an ELB in the Public Tier, SharePoint Front-ends in the Web Tier, SQL Server in the Data Tier and a Domain Controller in the Directory Tier.

Network ACL view: acl-1010 (Domain Traffic) on the Directory Tier subnet, acl-2020 (SQL Traffic) on the Data Tier subnet.

acl-1010 (Domain Traffic), inbound rules:
Rule # | Type | Protocol | Port Range | Source | Allow/Deny
100 | DNS (TCP) (53) | TCP (6) | 53 | 10.0.32.0/20 | ALLOW
300 | LDAP (389) | TCP (6) | 389 | 10.0.32.0/20 | ALLOW
...

acl-2020 (SQL Traffic), inbound rules:
Rule # | Type | Protocol | Port Range | Source | Allow/Deny
100 | MS SQL (1433) | TCP (6) | 1433 | 10.0.64.0/20 | ALLOW
...

Because a network ACL is stateless, every inbound ALLOW needs a matching outbound ALLOW for the ephemeral port range (1024-65535) back to the same source, or SQL Server's replies are dropped at the subnet boundary. The original slide prints the MS SQL source as 10.0.64.0/16, which is the whole VPC; the Web Tier is 10.0.64.0/20 and that is what the rule should reference.

Security group view: Domain Controller in sg-1010, SQL Server in sg-2020, each SharePoint Front-end in sg-3030 and sg-4040, ELB in sg-5050.

sg-1010 (Domain Traffic), inbound rules:
Type | Protocol | Port Range | Source
DNS (TCP) (53) | TCP (6) | 53 | 10.0.32.0/20
DNS (TCP) (53) | TCP (6) | 53 | sg-2020
LDAP (389) | TCP (6) | 389 | 10.0.32.0/20
LDAP (389) | TCP (6) | 389 | sg-2020
...

sg-2020 (SQL Traffic), inbound rules:
Type | Protocol | Port Range | Source
MS SQL (1433) | TCP (6) | 1433 | 10.0.64.0/20
MS SQL (1433) | TCP (6) | 1433 | sg-4040
...

sg-3030 (HTTP Traffic), inbound rules:
Type | Protocol | Port Range | Source
HTTP (80) | TCP (6) | 80 | 10.0.96.0/20
HTTPS (443) | TCP (6) | 443 | 10.0.96.0/20

sg-4040 (SharePoint Traffic), inbound rules:
Type | Protocol | Port Range | Source
Custom TCP | TCP (6) | 808 | 10.0.64.0/20
Custom TCP | TCP (6) | 32843 | 10.0.64.0/20
Custom TCP | TCP (6) | 32844 | 10.0.64.0/20
Custom TCP | TCP (6) | 22233-22236 | 10.0.64.0/20
...

sg-5050 (ELB Traffic), inbound rules:
Type | Protocol | Port Range | Source
HTTP (80) | TCP (6) | 80 | 0.0.0.0/0
HTTPS (443) | TCP (6) | 443 | 0.0.0.0/0

sg-1010 and sg-2020 accept traffic from another security group (sg-2020, sg-4040) as well as from a subnet CIDR. A group reference follows the instances wherever they are placed and does not widen when a subnet grows, so it is the tighter choice; sg-3030 could use sg-5050 as its source for the same reason instead of trusting the whole Public Tier.
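As an added example (not code from this deck or from AWS), the following Python models the two layers on this slide with the rules transcribed from it: security groups as stateful, allow-only lists whose source may be a CIDR or another group, and a network ACL as a stateless, ordered allow/deny list with an implicit final deny. It shows why the data-tier ACL needs the outbound ephemeral-port rule that the slide's "..." leaves unstated, and includes a small lint that catches a source wider than any tier, such as the 10.0.64.0/16 printed on the original slide. The group and ACL ids, the sample addresses and the lint helper are assumptions for illustration.

```python
"""Model of the two filtering layers on this slide: stateful, allow-only
security groups and stateless, ordered network ACLs. Added example, not AWS or
Quick Start code; rules are transcribed from the slide, everything else is assumed."""
import ipaddress
from dataclasses import dataclass

# Tier subnets from the slide (VPC 10.0.0.0/16).
TIERS = {
    "directory": ipaddress.ip_network("10.0.0.0/19"),
    "data": ipaddress.ip_network("10.0.32.0/20"),
    "web": ipaddress.ip_network("10.0.64.0/20"),
    "public": ipaddress.ip_network("10.0.96.0/20"),
}

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_sgs: frozenset      # groups on the sending instance; empty for the Internet
    dst_ip: str
    dst_sgs: frozenset
    port: int               # destination port
    src_port: int = 49152   # ephemeral source port chosen by the client

@dataclass(frozen=True)
class SgRule:               # ALLOW only; source is a CIDR or another group id
    port_from: int
    port_to: int
    source: str

# Security groups as printed on the slide. sg-3030 trusts the whole public tier;
# referencing sg-5050 (the ELB's group) instead would limit it to the load balancer.
SECURITY_GROUPS = {
    "sg-1010": [SgRule(53, 53, "10.0.32.0/20"), SgRule(53, 53, "sg-2020"),
                SgRule(389, 389, "10.0.32.0/20"), SgRule(389, 389, "sg-2020")],
    "sg-2020": [SgRule(1433, 1433, "10.0.64.0/20"), SgRule(1433, 1433, "sg-4040")],
    "sg-3030": [SgRule(80, 80, "10.0.96.0/20"), SgRule(443, 443, "10.0.96.0/20")],
    "sg-4040": [SgRule(808, 808, "10.0.64.0/20"), SgRule(32843, 32844, "10.0.64.0/20"),
                SgRule(22233, 22236, "10.0.64.0/20")],
    "sg-5050": [SgRule(80, 80, "0.0.0.0/0"), SgRule(443, 443, "0.0.0.0/0")],
}

def _source_matches(source, ip, sgs):
    if source.startswith("sg-"):
        return source in sgs
    return ipaddress.ip_address(ip) in ipaddress.ip_network(source, strict=False)

def sg_allows(flow):
    """Stateful: a new inbound connection passes if any group on the destination
    has a matching ALLOW rule; the reply is then allowed without a rule."""
    return any(r.port_from <= flow.port <= r.port_to
               and _source_matches(r.source, flow.src_ip, flow.src_sgs)
               for sg in flow.dst_sgs for r in SECURITY_GROUPS.get(sg, []))

@dataclass(frozen=True)
class AclRule:
    number: int
    egress: bool
    port_from: int
    port_to: int
    cidr: str
    action: str             # "allow" or "deny"

# Data-tier NACL as printed: inbound 1433 from the web tier only.
ACL_DATA_TIER_SLIDE = [AclRule(100, False, 1433, 1433, "10.0.64.0/20", "allow")]
# The same NACL with the outbound rule the slide's "..." leaves out: SQL Server
# replies to the client's ephemeral port, and a stateless ACL does not remember
# the inbound request, so without this rule every connection attempt hangs.
ACL_DATA_TIER_FIXED = ACL_DATA_TIER_SLIDE + [
    AclRule(100, True, 1024, 65535, "10.0.64.0/20", "allow")]

def acl_decides(rules, egress, ip, port):
    """Stateless: lowest rule number first, first match wins, and the catch-all
    rule '*' denies anything left unmatched."""
    for r in sorted(rules, key=lambda r: r.number):
        if (r.egress == egress and r.port_from <= port <= r.port_to
                and ipaddress.ip_address(ip) in ipaddress.ip_network(r.cidr, strict=False)):
            return r.action == "allow"
    return False

def tcp_session_ok(rules, flow):
    """A TCP session through a NACL needs the request in AND the reply out."""
    request_in = acl_decides(rules, False, flow.src_ip, flow.port)
    reply_out = acl_decides(rules, True, flow.src_ip, flow.src_port)
    return request_in and reply_out

def lint(security_groups, tiers, internet_facing=frozenset({"sg-5050"})):
    """Flag CIDR sources wider than any single tier, e.g. a 10.0.64.0/16 typo
    that admits the whole VPC instead of the 10.0.64.0/20 web tier."""
    findings = []
    for sg, rules in security_groups.items():
        if sg in internet_facing:
            continue
        for r in rules:
            if r.source.startswith("sg-"):
                continue
            net = ipaddress.ip_network(r.source, strict=False)
            if not any(net.subnet_of(t) for t in tiers.values()):
                findings.append(f"{sg}: {r.port_from}-{r.port_to} from {net} exceeds every tier")
    return findings

if __name__ == "__main__":
    # Constructed sample flows: a WFE in the web tier and an Internet host, both to SQL.
    wfe_to_sql = Flow("10.0.64.10", frozenset({"sg-3030", "sg-4040"}),
                      "10.0.32.10", frozenset({"sg-2020"}), 1433)
    inet_to_sql = Flow("203.0.113.5", frozenset(), "10.0.32.10", frozenset({"sg-2020"}), 1433)
    print("SG  wfe->sql:", sg_allows(wfe_to_sql), " inet->sql:", sg_allows(inet_to_sql))
    print("ACL as printed:", tcp_session_ok(ACL_DATA_TIER_SLIDE, wfe_to_sql),
          " with ephemeral rule:", tcp_session_ok(ACL_DATA_TIER_FIXED, wfe_to_sql))
    print(lint({"sg-2020": [SgRule(1433, 1433, "10.0.64.0/16")]}, TIERS))
```

Run it directly to print the decisions: the security groups admit the WFE-to-SQL connection and refuse the Internet host, while the ACL as printed admits the WFE's request but drops SQL Server's reply to the ephemeral port, which is the stateless trap the slide's bullets warn about. The lint flags the /16 source because, after normalisation, it is 10.0.0.0/16 and contains every tier rather than sitting inside one.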
28. Best Practices: SQL Server
• Select an instance type (not just an AMI) with adequate CPU and memory for your workload
• Select an EBS-optimized instance type if possible
• Optimize TempDB just like on-premises (use instance storage if possible or fast EBS otherwise)
• Provision enough IOPS for your workload
EBS volume types (limits as presented in 2016; current limits are higher):
General Purpose SSD (gp2)
• Max throughput per volume: 160 MB/s
• Max IOPS per volume: 10,000
• Volume size: 1 GB to 16 TB
• Burst: 3,000 IOPS (for volumes up to 1 TB)
• Great for boot volumes, low-latency applications, and bursty databases
Provisioned IOPS SSD (io1)
• Max throughput per volume: 320 MB/s
• Max IOPS per volume: 20,000
• Volume size: 4 GB to 16 TB
• Ideal for critical applications and databases with sustained IOPS
29. Best Practices: SQL Server
[Diagram: two-AZ Always On Availability Group. Availability Zone 1, private subnet: primary replica with instance IP 10.0.2.100, WSFC cluster IP 10.0.2.101 and AG listener IP 10.0.2.102. Availability Zone 2, private subnet: secondary replica with instance IP 10.0.3.100, WSFC cluster IP 10.0.3.101 and AG listener IP 10.0.3.102. Synchronous commit with automatic failover; the AG listener name is ag.awslabs.net.]
Each replica's network interface carries three addresses: the instance's primary private IP (the "Primary" label on the slide), a secondary IP for the WSFC cluster resource and a secondary IP for the AG listener. Because the replicas are in different subnets this is a multi-subnet cluster: the cluster and the listener each need an address in both subnets, and the listener name resolves to both listener IPs, so clients should connect with MultiSubnetFailover=True to try them in parallel rather than waiting on a timeout.
30. Best Practices: SQL Server
[Diagram: AWS Region A, Availability Zone 1, private subnet: EC2 primary replica (instance IP 10.0.2.100, WSFC 10.0.2.101, AG listener 10.0.2.102). AWS Region A, Availability Zone 2, private subnet: EC2 secondary replica (10.0.3.100, WSFC 10.0.3.101, AG listener 10.0.3.102), synchronous commit with automatic failover. AWS Region B, Availability Zone 1, private subnet: EC2 secondary replica (10.1.2.100, WSFC 10.1.2.101, AG listener 10.1.2.102), asynchronous commit with manual failover, reached over a VPN between Elastic IPs in the two regions.]
31. Best Practices: Migration
1. Understand your on-premises SharePoint environment (customizations, most used sites, etc.)
2. Devise your migration strategy (URL strategy, timeline, user communication plan, etc.)
3. Prepare for what’s new in AWS (security, IAM, train your staff, etc.)
4. Embrace automation (DevOps, PowerShell for Windows, etc.)
5. Run trials for upgrades (build, trial and test upgrade runs, establish a UAT group, feedback loops, etc.)
6. Plan for rollback
32. Going Beyond IaaS
CloudWatch & CloudWatch Logs
• Monitor EC2 metrics (CPU, disk usage, etc.) and other AWS resources (EBS volumes, Elastic Load Balancers, etc.)
• Enhanced log support for Windows with EC2Config (IIS logs, Perfmon logs, etc.)
• Monitor logs and configure alerts
• Store logs and perform analytics
[Diagram 1: a SharePoint Front-end, SQL Server and Domain Controller in an Availability Zone in Region US West send metrics and logs to CloudWatch / CloudWatch Logs; CloudWatch Alarms notify by email or SMS (through Amazon SNS) or trigger a workflow.]
[Diagram 2: the same instances send logs to CloudWatch / CloudWatch Logs, which feed Amazon Kinesis, Amazon S3, Amazon Redshift and AWS Lambda for storage and analytics.]
36. Windows Track Sessions
WIN301: Bring Microsoft Applications to AWS to Save Money and Stay Licensing Compliant
Tues, Nov 29 3:30-4:30 PM Venetian H
WIN204: How to Move 1,000 VMs and Biz Critical Apps to AWS in 6 months. Edwards Lifesciences
Tues, Nov 29 3:30-4:30 PM Venetian H
WIN303: How to Launch a 100k User Microsoft Back Office and Not Break a Sweat
Wed, Nov 30 5:30-6:30 PM Delfino 4004
WIN304: Design, Deploy & Optimize SharePoint on AWS
Wed Nov 30 12:30-1:30 PM Venetian, Level 3, San Polo 3403
WIN305: Best Practices for Integrating Active Directory with AWS Workloads
Wed, Nov 30 5:00-6:00 PM Venetian H
WIN306: Design, Deploy & Optimize SQL Server on AWS
Thurs, Dec 1 5:30-6:30 PM Venetian H