This document provides best practices for deploying Microsoft workloads on AWS. It discusses identity management best practices including AWS IAM, server identity management, and federation. It also covers deploying SQL Server for high availability and disaster recovery. Additional sections discuss deploying Exchange, SharePoint, and other Microsoft server products on AWS, as well as developer best practices and DevOps automation. The document concludes with information on licensing options for Microsoft software on AWS.
3. Main Identity Topics
• Infrastructure Identity Management
• AWS Identity and Access Management
• Server / Application Identity Management
• AWS Directory Services (Samba or Active Directory)
• Federation
• AWS Security Token Service
4. AWS Identity and Access Management (IAM)
• Role Based Access Control
• Multi-Factor Authentication
• Integrated with all AWS Services
• IAM Roles
5. Isolated domains
[Diagram: corporate network (Munich DC1, Berlin DC2, domain company.local) connected over Direct Connect to AWS, where DC3 sits in a private subnet in Availability Zone A and DC4 in a private subnet in Availability Zone B serving a separate domain, company.cloud, on AWS Directory Services; the two domains are linked by federation / synchronization]
Separate identities with synchronization / Federation
→ Use partners such as Okta, PingFederate
6. Single domain extended to multiple sites
[Diagram: one domain, company.local, spanning the corporate network (Munich DC1, Berlin DC2) and AWS (DC3 in a private subnet in Availability Zone A, DC4 in a private subnet in Availability Zone B) over Direct Connect; Active Directory site link costs of 50 and 10 are shown on the links]
One single identity, data center extension mode
(Rely on Active Directory Sites, Read-Only or not)
7. One sub domain per site
[Diagram: company.local in the corporate network (Munich DC1, Berlin DC2); child domain cloud.company.local on AWS (DC3 in a private subnet in Availability Zone A, DC4 in a private subnet in Availability Zone B), connected over Direct Connect]
Isolated subset of the directory, single identity for users
(Active Directory Domains in a Single Forest)
8. One forest per site and trust
[Diagram: company.local forest in the corporate network (Munich DC1, Berlin DC2); a separate company.cloud forest on AWS Directory Services (DC3 in a private subnet in Availability Zone A, DC4 in a private subnet in Availability Zone B), connected over Direct Connect with a trust between the two forests]
Separate directories, single identity
(Cross-Forest / Resource Forest with trust)
9. User Identity Federation with Amazon IAM
[Diagram: AD users in the corporate Active Directory, already used by enterprise applications and corporate systems, are federated into Amazon Identity & Access Management and mapped to IAM Roles that grant access to EC2, DynamoDB and S3]
10. Federated API and CLI access using ADFS
• ADFS http://tinyurl.com/AWS-ADFS-SAML
• CLI http://tinyurl.com/AWS-ADFS-CLI
• AWS Tools for Windows PowerShell
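The role selection and STS exchange behind those two links, as an added C# example (not the deck's or AWS's own code) using the AWS SDK for .NET: it assumes the base64 SAMLResponse has already been obtained from the AD FS sign-on page, that the claim rules emit the standard https://aws.amazon.com/SAML/Attributes/Role attribute, and that the AWSSDK.SecurityToken package is referenced (sync overloads, as in the deck's own .NET Framework snippets).

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Xml;
using Amazon;
using Amazon.Runtime;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;
public static class AdfsFederation
{
    // Attribute AD FS must emit; each value pairs a role ARN with a SAML provider ARN.
    const string RoleAttribute = "https://aws.amazon.com/SAML/Attributes/Role";
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Lists the (RoleArn, PrincipalArn) pairs the IdP authorised for this user.
    public static List<Tuple<string, string>> ParseRoles(string samlResponseBase64)
    {
        var doc = new XmlDocument { XmlResolver = null };   // never resolve external entities
        doc.LoadXml(Encoding.UTF8.GetString(Convert.FromBase64String(samlResponseBase64)));
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        var roles = new List<Tuple<string, string>>();
        foreach (XmlNode value in doc.SelectNodes(
            "//saml:Attribute[@Name='" + RoleAttribute + "']/saml:AttributeValue", ns))
        {
            var parts = value.InnerText.Split(',');
            if (parts.Length != 2) continue;                 // malformed claim value, skip it
            // AD FS claim rules may emit the pair in either order (STS accepts both), so
            // recognise the provider ARN by its ":saml-provider/" segment.
            bool providerFirst = parts[0].Contains(":saml-provider/");
            var roleArn = (providerFirst ? parts[1] : parts[0]).Trim();
            var principalArn = (providerFirst ? parts[0] : parts[1]).Trim();
            roles.Add(Tuple.Create(roleArn, principalArn));
        }
        return roles;
    }
    // Exchanges the assertion for temporary credentials for one chosen role. The call is
    // unsigned, so anonymous credentials are used: no long-lived keys live on the workstation.
    public static Credentials AssumeRole(string samlResponseBase64, string roleArn, string principalArn)
    {
        var sts = new AmazonSecurityTokenServiceClient(new AnonymousAWSCredentials(), RegionEndpoint.USEast1);
        var response = sts.AssumeRoleWithSAML(new AssumeRoleWithSAMLRequest
        {
            RoleArn = roleArn,
            PrincipalArn = principalArn,
            SAMLAssertion = samlResponseBase64,
            DurationSeconds = 3600      // bounded by the role's maximum session duration
        });
        return response.Credentials;     // AccessKeyId, SecretAccessKey, SessionToken, Expiration
    }
}
```

The returned credentials expire on their own, so the CLI or PowerShell session built from them carries nothing worth harvesting once the hour is up.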
25. AWS SDK and Tools for .NET Architecture
[Diagram: layered architecture]
• Execution platform: .NET 3.5, .NET 4.5, Phone, Store
• AWS SDK, low-level service APIs: service clients talking to the AWS endpoints (REST API)
• AWS SDK, higher-level utility APIs: Amazon S3 TransferUtility, Amazon DynamoDB object persistence, VM Import resource API, …
• AWS tools: AWS Tools for Windows PowerShell, AWS Toolkit for Visual Studio, ASP.NET session provider, trace listener, …
26. AWS Toolkit for Visual Studio
Full Integration in Visual Studio
27. Blob storage in Amazon S3

```csharp
using System.IO;
using Amazon.S3;
using Amazon.S3.Model;

var bucketName = "<BucketName>";
var fileName = "<FileName>";
var s3Client = new AmazonS3Client();   // credentials and region come from the SDK's default chain

// Write data to Amazon S3 (the slide left fileStream undeclared; "<LocalPath>" is a placeholder)
using (var fileStream = File.OpenRead("<LocalPath>"))
{
    s3Client.PutObject(new PutObjectRequest {
        BucketName = bucketName,
        Key = fileName,
        InputStream = fileStream
    });
}

// Read data from Amazon S3; dispose the response so the underlying HTTP stream is released
using (var s3Object = s3Client.GetObject(bucketName, fileName))
using (var reader = new StreamReader(s3Object.ResponseStream))
{
    var content = reader.ReadToEnd();
}
```
28. Loose Coupling Sets You Free

```csharp
using Amazon.SQS;

var queueUrl = "https://sqs.<region>.amazonaws.com/<AcctNum>/<QueueName>";
var sqsClient = new AmazonSQSClient();
var exit = false;   // set to true by whatever signals shutdown (undeclared in the slide)

// Send to Amazon SQS
sqsClient.SendMessage(queueUrl, "My Message Data");

// Process Amazon SQS: poll, handle, then delete each message
while (!exit) {
    var messages = sqsClient.ReceiveMessage(queueUrl);
    foreach (var message in messages.Messages) {
        // Process message then delete; a message left undeleted reappears after its visibility timeout
        sqsClient.DeleteMessage(queueUrl, message.ReceiptHandle);
    }
}
```
29. AWS Also Provides Extended Support
AWS Elastic Beanstalk
• Deploy from within Visual Studio / Automatic Log Rotation to Amazon S3
AWS CodeCommit / CodePipeline / CodeDeploy
• Manage a large (on-premises and cloud-based) fleet
.NET SDK and PowerShell CmdLets
• Integration in custom build pipelines in TFS or CruiseControl.NET
AWS is the de-facto standard
• Jenkins, Bamboo have native integration to AWS
• Other IDE Support AWS (Unity, Xamarin Studio, Eclipse…)
31. Secure remote administration architecture
[Diagram: within one Availability Zone, the RD Gateway (RDGW) sits in the public subnet inside the Gateway Security Group, which accepts TCP port 443 from the Admin IP only; WEB1 and WEB2 sit in the private subnet inside the Web Security Group, which accepts traffic only from the Gateway SG; the AWS administrator connects from the corporate data center over TCP 443]
Requires one connection:
• Connect to the RD Gateway, and the gateway proxies the RDP or PowerShell connection to the back-end instance.
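The two security groups from the diagram, as an added C# example (not from the deck) using the AWS SDK for .NET EC2 client: it assumes an existing VPC id and the administrator's /32 CIDR as inputs, and the back-end ports 3389 (RDP) and 5986 (WinRM over HTTPS) are an assumption, since the slide only says "accept traffic from Gateway SG".

```csharp
using System;
using System.Collections.Generic;
using Amazon.EC2;
using Amazon.EC2.Model;
public static class RemoteAdminSecurityGroups
{
    // Assumed ports the web group accepts from the gateway group (slide names none).
    static readonly int[] BackendPorts = { 3389, 5986 };
    // Returns (gateway SG id, web SG id).
    public static Tuple<string, string> Create(IAmazonEC2 ec2, string vpcId, string adminCidr)
    {
        // One administrator host, never an office-wide range.
        if (!adminCidr.EndsWith("/32"))
            throw new ArgumentException("adminCidr must be a /32 host address", "adminCidr");
        // Gateway Security Group: TCP 443 from the Admin IP and nothing else.
        var gatewaySg = ec2.CreateSecurityGroup(new CreateSecurityGroupRequest
        {
            GroupName = "gateway-sg", Description = "RD Gateway: TCP 443 from admin IP", VpcId = vpcId
        }).GroupId;
        ec2.AuthorizeSecurityGroupIngress(new AuthorizeSecurityGroupIngressRequest
        {
            GroupId = gatewaySg,
            IpPermissions = new List<IpPermission>
            {
                new IpPermission
                {
                    IpProtocol = "tcp", FromPort = 443, ToPort = 443,
                    Ipv4Ranges = new List<IpRange> { new IpRange { CidrIp = adminCidr, Description = "AWS administrator" } }
                }
            }
        });
        // Web Security Group: only members of the gateway group may reach WEB1/WEB2. No CIDR
        // rule exists, so RDP and PowerShell never terminate directly on a back-end instance.
        var webSg = ec2.CreateSecurityGroup(new CreateSecurityGroupRequest
        {
            GroupName = "web-sg", Description = "Back-end: admin traffic via RD Gateway only", VpcId = vpcId
        }).GroupId;
        var fromGateway = new List<IpPermission>();
        foreach (var port in BackendPorts)
            fromGateway.Add(new IpPermission
            {
                IpProtocol = "tcp", FromPort = port, ToPort = port,
                UserIdGroupPairs = new List<UserIdGroupPair> { new UserIdGroupPair { GroupId = gatewaySg } }
            });
        ec2.AuthorizeSecurityGroupIngress(new AuthorizeSecurityGroupIngressRequest { GroupId = webSg, IpPermissions = fromGateway });
        return Tuple.Create(gatewaySg, webSg);
    }
}
```

Referencing the gateway group by id rather than by address keeps the rule correct when the gateway is replaced or scaled, and a periodic DescribeSecurityGroups check that web-sg still has no 0.0.0.0/0 ingress is the cheapest detection for drift.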
32. One step further: Go DevOps
• AWS Tools for Windows PowerShell
• Leverage AWS Simple Systems Manager
• Auto-Domain Join
• No machine access
• Full traceability
• Fine-grained control
• http://tinyurl.com/AWS-SSM-Home
34. Automation for every use case
[Diagram: a spectrum from IaaS* through PaaS* to DevOps automation: Amazon EC2, AWS CloudFormation, AWS OpsWorks, AWS Elastic Beanstalk, AWS Lambda]
* Definition may vary
36. License Mobility is a Microsoft Program that allows customers to move their existing license from on premises to the cloud
• Leverage their Enterprise Agreement
• Must have Software Assurance
License Mobility through Software Assurance
37. Microsoft Workloads on AWS
Pay-as-you-go – AMI pricing provides access to software
• Windows Server
• SQL Server Standard
• SQL Server Web
• SQL Server Enterprise
Leverage Microsoft’s License Mobility Program (BYOL)
• SQL Server
• SharePoint Server
• Exchange
• Lync
• RDS
• Dynamics
Leveraged Dedicated Host
• Windows Server
• SQL Server - no SA
• SharePoint – no SA
• Exchange – no SA
• Lync – no SA
• Dynamics – No SA
38. Licensing Continuum
License Included
• Amazon manages the licenses
• Pay-as-you-go pricing
• Multi-tenant or dedicated
• No license management overhead
Hybrid
• Baseline in BYOL
• Leverage scalability and pay-as-you-go where applicable
• Limit management overhead
BYOL
• Import and use your own software
• Reduce your spend if you already pay an ISV for licensing
• You manage licensing costs and compliance with your ISV
• Committed contracts with your ISVs
40. Supportability on AWS
Microsoft workloads are supported on AWS. Amazon Web Services fully supports Microsoft Windows Server as both infrastructure and a platform. Our customers have successfully deployed in the AWS cloud virtually every Microsoft application available, including Microsoft Exchange, SharePoint, Lync, Dynamics, and Remote Desktop Services.
If you have support-related issues you should contact AWS Support.
41. Every imaginable use case
Collaboration
Full/Partial Franchise Migration
Web / Mobile / Media
Mail
ERP
VDI
BI
44. AWS Training and Certification
Certification (aws.amazon.com/certification): Demonstrate your skills, knowledge, and expertise with the AWS platform
Self-Paced Labs (aws.amazon.com/training/self-paced-labs): Try products, gain new skills, and get hands-on practice working with AWS technologies
Training (aws.amazon.com/training): Skill up and gain confidence to design, develop, deploy and manage your applications on AWS