AWS Government, Education, and Nonprofit Symposium
Washington, DC | June 25-26, 2015
Session abstract
Deploy, scale and manage your Microsoft workloads on AWS. We will start with why customers want to deploy Windows applications on AWS as a cloud platform. We will discuss reference architectures and best practices for implementing Microsoft products including Active Directory, Remote Desktop Gateway, Exchange, SharePoint, and Lync on AWS. We will conclude with best practices for managing and monitoring Microsoft technologies on AWS.
Agenda
• Why run Windows on AWS
• New Announcements
• Windows architecture
– Security and remote administration
– Active Directory Domain Services
– Microsoft SharePoint 2013
– Microsoft Exchange Server 2013
– Microsoft Lync 2013
– Microsoft SQL Server 2014
– Managing and monitoring Windows instances and applications
What is AWS for Windows?
secure, reliable, high-performance, familiar, cost-effective, extensive, flexible
Optimization for Windows-based workloads
Wide range of scalable services
Alignment with business needs
AWS for Windows is secure
“Amazon Virtual Private Cloud (Amazon VPC) gives us a secure environment in the AWS cloud with the flexibility and scalability we need to manage our SharePoint environment with zero impact to our on-premises datacenter.”
- Jeremy Fuchs, Vice President of Financial and BI Systems, Lionsgate
Security-in-layers approach
Isolated infrastructure and workloads
Identity and access controls
Tracking and logging
Optimized for regulatory compliance
AWS for Windows is reliable
“Before migrating to AWS, we experienced 10 to 20 hours of downtime a month. With AWS, our downtime is significantly reduced. Our average uptime increased rapidly from 98.8 percent to 99.9 percent without re-architecting applications.”
- Augusto Rosa, Server Operations Manager, Shaw Media
99.95% SLA (EC2, EBS, RDS)
Multi-region asynchronous replication
Uptime and performance monitoring
Low network variability
AWS for Windows is high-performance
“Using AWS, we decreased average network latency from 700 milliseconds to less than 50 milliseconds… Fundamentally, running in AWS enables a 230 percent CPU consumption efficiency in data processing.”
- Murari Gopalan, Technology Director, Expedia.com
Enterprise-grade computing on demand
Automation for both complex and routine tasks
Dedicated, low-latency network connections
Automated scaling
Monitoring tools with user-defined thresholds
AWS for Windows is familiar
“We didn’t have time to redesign applications. AWS could support our legacy 32-bit applications on Windows Server 2003, a variety of SQL Server and Oracle databases, and a robust Citrix environment.”
- Jim McDonald, Lead Architect, Hess Corporation
Windows-based application support
Your own cloud servers
Use existing VMs
License flexibility
Same tools as on-premises environments
AWS for Windows is cost-effective
“Had we built our SharePoint 2013 farm in our other data center, we would have increased costs by almost 50 percent. When you compare our SharePoint 2012 farm to our SharePoint 2013 farm, AWS allowed us to increase our computing power while also reducing costs by 14 percent.”
- Michael Cierkowski, Development Manager, Slalom Consulting
No hardware procurement/deployment costs
Improved hardware utilization
Bring your own licenses
Value-oriented culture
No long-term commitments
AWS for Windows is extensive
“As our company continued to grow, so did our reliance on the AWS cloud and now, we’ve adopted almost all of the features AWS provides. AWS is the easy answer for any Internet business that wants to scale to the next level.”
- Nathan Blecharczyk, Co-founder & CTO, Airbnb
More than 40 services available
Broad ecosystem of partners
Third-party application marketplace
Continuous service improvement
Technical certifications for multiple skill levels
AWS for Windows is flexible
Highly customizable infrastructure
Variety of instance types
Maintain availability at the lowest cost
Wide variety of storage options
“By deploying their on premise Microsoft solutions like SharePoint and Exchange into the AWS platform – combined with InfoReliance’s fully managed service options -- our customers find the best of both worlds and the flexibility they require to meet their evolving requirements.”
- John Sankovich, VP Cloud Solutions, InfoReliance
Why AWS for Windows?
secure, reliable, high-performance, familiar, cost-effective, extensive, flexible
Common AWS Services used with Windows Applications
New Announcements
https://aws.amazon.com/quickstarts
https://aws.amazon.com/blogs/aws/now-available-sql-server-enterprise-edition-ami-for-ec2/
Windows architecture on AWS
• Place application servers in private subnets to prevent direct access from the Internet
• Deploy Bastion hosts, reverse proxies, and other Internet-facing servers in public subnets
• Install critical workloads in at least two Availability Zones to provide high availability
Windows architecture on AWS
Diagram: the Virtual Private Cloud (VPC) is the foundation. Two Availability Zones, each with a public subnet (NAT instance, RD Gateway) and a private subnet (domain controller, SQL Server, app server, IIS server, labelled DC/DB/APP/WEB). Subnet ranges shown: 10.0.10.0/24, 10.0.11.0/24, 10.0.100.0/24, 10.0.110.0/24 and 10.0.2.0/24. Remote users and admins connect from outside the VPC.
Architectural considerations
• Amazon Virtual Private Cloud
– Configure IP ranges, public/private subnets, routing tables, Internet or private gateway
• Security groups, network ACLs, VPC Flow Logging
• Remote administration
• The principle of least privilege
Security groups
Diagram: one Availability Zone with a public subnet (10.0.0.0/24) holding the WEB instance and a private subnet (10.0.1.0/24) holding the SQL instance. The web security group accepts TCP port 80 from the Internet; the SQL security group accepts TCP port 1433 only from the web security group. Traffic flows from the user to WEB on TCP 80 and from WEB to SQL on TCP 1433.
Remote administration
• Place RD Gateway in DMZ subnet
• Clients can use the Remote Desktop Protocol (RDP) over HTTPS to establish an encrypted connection
• Pro tip: Use Remote Desktop Connection Manager
• Bastion hosts can run Windows PowerShell Web Access for remote command-line administration
Deploying a Bastion host (Remote Desktop Gateway) in each Availability Zone can provide highly available and secure remote access over the Internet
Secure remote administration architecture
Diagram: an AWS administrator in the corporate data center connects over TCP 443 to the RD Gateway (RDG) in the public subnet; the gateway security group accepts TCP port 443 only from the admin IP address. The RDG proxies the RDP session to the back-end instances WEB1 and WEB2 in the private subnet, whose web security group accepts TCP port 3389 only from the gateway security group. Connect to the Remote Desktop Gateway over HTTPS, which proxies the RDP connection to the back-end instance.
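The security-group layering on the two diagrams above (web group open on 80 to the Internet, SQL group reachable only from the web group, gateway group open on 443 only to the admin address, RDP only from the gateway group), as an added Python example that is not from the deck. It goes one step further with an audit over a describe_security_groups() response; the group IDs, admin CIDR and sample response are constructed placeholders.

```python
"""Security-group layering from the two diagrams above, as boto3 payloads.

Added example, not code from the deck: builds the four ingress rules (HTTP
from the Internet to the web group, SQL only from the web group, HTTPS to
the RD Gateway group only from the admin address, RDP only from the gateway
group) and audits a describe_security_groups() response for groups that
expose SQL or RDP to the whole Internet instead. Group IDs and the admin
CIDR are constructed placeholders.
"""
from typing import Dict, List

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
SENSITIVE_PORTS = {1433: "SQL Server", 3389: "RDP"}


def rule_from_cidr(port: int, cidr: str) -> Dict:
    """One TCP port opened to an IPv4 range."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


def rule_from_group(port: int, source_group_id: str) -> Dict:
    """One TCP port opened only to members of another security group."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_group_id}]}


def layered_rules(web_sg: str, sql_sg: str, gw_sg: str,
                  admin_cidr: str) -> Dict[str, List[Dict]]:
    """Ingress rules per group, as on the security-group and remote-admin slides."""
    return {
        gw_sg: [rule_from_cidr(443, admin_cidr)],      # RDG: HTTPS from admin IP only
        web_sg: [rule_from_cidr(80, ANY_IPV4),          # web tier: HTTP from the Internet
                 rule_from_group(3389, gw_sg)],         # RDP reachable only via the RDG
        sql_sg: [rule_from_group(1433, web_sg)],        # SQL reachable only from web tier
    }


def apply_rules(ec2, rules: Dict[str, List[Dict]]) -> None:
    """Push the rules with a boto3 EC2 client (needs credentials; not run offline)."""
    for group_id, perms in rules.items():
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=perms)


def _covers(perm: Dict, port: int) -> bool:
    """True if this permission reaches the TCP port (protocol -1 means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 0)


def find_exposed(describe_response: Dict) -> List[str]:
    """Audit: list groups that open a sensitive port to every IPv4 or IPv6 address."""
    findings = []
    for sg in describe_response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & {ANY_IPV4, ANY_IPV6}:
                continue   # sourced from a specific range or a group: as designed
            for port, name in SENSITIVE_PORTS.items():
                if _covers(perm, port):
                    findings.append(f"{sg['GroupId']}: {name} (tcp/{port}) open to the Internet")
    return findings


# Constructed sample response: one group follows the design, two do not.
SAMPLE_DESCRIBE = {"SecurityGroups": [
    {"GroupId": "sg-sql-ok", "IpPermissions": [rule_from_group(1433, "sg-web")]},
    {"GroupId": "sg-web-bad", "IpPermissions": [rule_from_cidr(80, ANY_IPV4),
                                                 rule_from_cidr(3389, ANY_IPV4)]},
    {"GroupId": "sg-all-bad", "IpPermissions": [{"IpProtocol": "-1",
                                                  "IpRanges": [{"CidrIp": ANY_IPV4}]}]},
]}

if __name__ == "__main__":
    for finding in find_exposed(SAMPLE_DESCRIBE):
        print(finding)
```

Running find_exposed() over the output of a real describe_security_groups() call is a quick check that no instance group has drifted from the referenced-group pattern shown on the slides.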
Remote Desktop Connection Manager (RDCMan 2.7)
Managing Active Directory
• Use AD Domain Controllers in the cloud and/or on-premises
• No different in the cloud: AD provides the security boundary, IP addressing, and DNS
• AWS VPC provides DHCP and “static” IPs for DCs and servers
• Global catalog servers
• Read-only and writeable domain controllers
AWS Directory Service
• Simple AD
– Managed directory powered by Samba 4 Active Directory Compatible Server
– Supports user accounts, group memberships, domain-joining Amazon EC2 instances
• AD Connector
– Proxies directory requests to the on-premises environment
– Users can access AWS resources and applications with existing corporate credentials
https://aws.amazon.com/blogs/aws/new-aws-directory-service/
Active Directory hybrid deployments
• Properly define AD sites and subnets
• Configure site-link costs
• Enable domain members for the Try Next Closest Site Group Policy setting
• Connectivity from cloud to corporate data center via VPN or Direct Connect
• Security groups must allow traffic to and from DCs on-premises
AD forest spanning AWS and corporate data center
Diagram: DC1 in the New York corporate network and DC2 in Washington, D.C. are connected via VPN or Direct Connect to DC3, which sits in a private subnet of an Availability Zone in the AWS region.
Diagram (same topology, DC1 marked down): If DC1 goes down, where does the NY client go to authenticate?
Diagram (same topology with AD sites): New York is AD site 1, Washington, D.C. is AD site 2, and the AWS private subnet is AD site 3, with one site link labelled Cost 50. With the Try Next Closest Site policy enabled, clients use the least-cost path to a domain controller. Applies to on-prem and cloud sites.
SQL Server high availability
• Amazon RDS Multi-AZ deployments
– Fully managed by AWS
– No administrative intervention
– Uses SQL Server mirroring
• SQL Server Enterprise 2012/2014
– Managed by you
– High availability achieved using Windows Server Failover Clusters
(WSFC) and AlwaysOn Availability Groups
– SQL Server Enterprise Edition AMI available (as of June 16)
SQL Server high availability
Diagram: primary replica in a private subnet of Availability Zone 1 and secondary replica in a private subnet of Availability Zone 2, both synchronous-commit with automatic failover. Addresses shown: Primary 10.0.2.100, WSFC 10.0.2.101, AG Listener 10.0.2.102 in Availability Zone 1; Primary 10.0.3.100, WSFC 10.0.3.101, AG Listener 10.0.3.102 in Availability Zone 2. The Availability Group listener name is ag.awslabs.net.
WSFC Quorum
Diagram: primary replica in a private subnet of Availability Zone 1 and secondary replica in a private subnet of Availability Zone 2, synchronous-commit with automatic failover, plus a witness server.
Diagram: the same layout with the witness server placed in a third Availability Zone.
SharePoint 2013 reference architecture
• General guidelines
– Critical workloads are placed in two Availability Zones
– Examples: AD domain controllers, SharePoint servers, RD gateways, Forefront TMG gateways, NAT gateways
– Internal application servers are placed in private subnets
– RD gateways are deployed into public subnets in each Availability Zone
• Web tier is made highly available through load balancing
• Application-tier load balancing is native to SharePoint (crawl servers, query servers, etc. installed cross-farm)
• High availability on database tier can be achieved with SQL Server AlwaysOn
Internet-facing SharePoint farm on AWS
Diagram: two Availability Zones, each with a public subnet (NAT, RDG) and a private subnet holding a domain controller (DC), app server (APP), web front end (WEB) and SQL Server (DB). Subnet ranges shown: 10.0.0.0/24 and 10.0.2.0/24. The SQL Server instances form a SQL Server AlwaysOn Availability Group, primary in Availability Zone 1 and secondary in Availability Zone 2. Users reach the farm from the Internet.
Exchange 2013 reference architecture
• Critical workloads are placed in two Availability Zones
– AD domain controllers, Exchange servers, RD gateways, Edge Transport servers, NAT gateways
• Internal application servers are placed in private subnets
• RD gateways are deployed into public subnets in each Availability Zone
• High availability provided within the data center with site resilience between data centers
• Supports multiple copies of each database
• Optimize around failure domains
Exchange 2013 reference architecture
Diagram: two Availability Zones, each with a public subnet / DMZ (NAT, RDG) and a private subnet holding a domain controller (DC1, DC2) and a mailbox server (Exch1, Exch2). Subnet ranges shown: 10.0.1.0/24, 10.0.2.0/24, 10.0.10.0/24 and 10.0.20.0/24. Users connect from outside the VPC.
Adding the Edge Transport server
Diagram: Availability Zone 1 / AD site 1 (subnets 10.0.0.0/24 and 10.0.2.0/24) holds DC1 (domain controller) and EXCH1 (Exchange 2013 CAS+MBX); Availability Zone 2 / AD site 2 (subnets 10.0.1.0/24 and 10.0.3.0/24) holds DC2 and EXCH2. EDGE1 and EDGE2 (Exchange 2013 Edge Transport) handle mail flow with a remote mail server.
Lync 2013 reference architecture
• Critical workloads are placed in two Availability Zones
– AD domain controllers, Lync Front End Server, RD gateways, Mediation Server, NAT gateways
– Lync Edge Server (if needed) placed in DMZ subnets
• Internal Lync servers and supporting servers (OWA, PC, Mediation, etc.) are placed in private subnets
• RD gateways are deployed to public subnets in each Availability Zone
• Paired Lync Server 2013 pools in each Availability Zone support DR and pool failover
Lync SE 2013 reference architecture
Diagram: two Availability Zones, each with a public subnet / DMZ (NAT, RDG) and a private subnet holding a domain controller (DC) and a Lync front end (FE01, FE02). Subnet ranges shown: 10.0.1.0/24, 10.0.2.0/24, 10.0.10.0/24 and 10.0.20.0/24. Users connect from outside the VPC.
Lync Server 2013 EE architecture
Diagram: VPC 10.0.0.0/16 in AZ-1 with a public subnet / DMZ (10.0.15.0/24) and a private subnet (10.0.14.0/24), an Internet gateway, a router and Elastic IPs. Tiers: LoadSim tier (stress test servers); app tier (Front End pool, Mediation SRV1 and SRV2, persistent chat pool, OWA App SRV1 and SRV2, NAT/RDGW); DB tier (DB1-FE and DB1-PC mirrored to DB2-FE and DB2-PC, with a witness and a monitor); AD tier (AD1, AD2, ADCS).
49% lower latency with Direct Connect versus Internet (VA-OR)
88 ms roundtrip via Internet; 59 ms roundtrip via Direct Connect
East coast – West coast latency well within the Lync latency envelope
Managing and monitoring your Windows instances and applications
Log types:
• Event logs
• IIS logs
• Event Tracing for Windows (ETW) logs
• Any performance counter data
• Any text-based log files
To learn more: http://amzn.to/1qVKKkI
• Recommend running System Center Operations Manager and management packs for AD, Exchange, SharePoint, SQL Server, and Lync
• Amazon CloudWatch Logs enables monitoring instance activity in real time with custom alarms on events
Quick Start reference deployments
• Active Directory Domain Services
• Remote Desktop Gateway on AWS
• SharePoint 2013
• Exchange Server 2013
• Lync Server 2013
• SQL Server 2014 AlwaysOn
• PowerShell Desired State Configuration (DSC)
aws.amazon.com/quickstart
Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices
Editor's notes
Amazon Web Services is a cloud computing platform optimized for Windows-based workloads. It provides a wide range of scalable services that align to ever-changing business needs.
I’d like to begin by talking about the measures that AWS takes to maintain the security of our customers’ data and infrastructure.
We understand that for most organizations, security is the chief concern associated with moving workloads to the cloud. At AWS, security is our highest priority. As such, we take a multi-layered approach to security that includes physical, operational, and technical protocol.
The locations of AWS datacenters are not publicly disclosed, and access to them is strictly limited to our employees. We have also built features into AWS that enhance the virtual security of your data.
The first way we enable users to secure their AWS environment is through isolation. Amazon Virtual Private Cloud, or VPC, allows you to create private subnets, isolating your infrastructure within the AWS Cloud. To connect to a VPC, users can leverage a traditional VPN, or utilize AWS Direct Connect for a private, dedicated network connection between their datacenter and AWS.
Additionally, the AWS Identity and Access Management service integrates with Microsoft Active Directory, providing fine-grained access controls for your AWS resources.
Data stored in the AWS Cloud is also protected by 256-bit encryption, both while in transfer and at rest.
AWS CloudTrail logs your API call history, providing visibility into who has requested access to encryption keys, when they requested it, and the response elements returned by AWS, to ensure that users are only accessing what they are supposed to. These logs are safely stored in the AWS Cloud, enabling compliance audits and internal security analysis at a moment’s notice.
The AWS infrastructure is also optimized for compliance with regulations across a multitude of industries. AWS currently has 18 independently-validated security certifications.
Downtime is incredibly expensive for most organizations, which is why we have designed the AWS cloud to be highly reliable. Amazon has spent over a decade building one of the world’s most reliable enterprise IT infrastructures to run Amazon.com, and AWS has extended that experience to over a million active customers in 190 countries.
Our service level agreement is 99.95% for each region.
Each region is comprised of at least two physically isolated facilities known as Availability Zones (AZs). AWS currently features 28 AZs in 11 regions, providing you the reassurance that your business’s mission-critical data and applications will be available worldwide, even in the face of natural disasters and other rare events that might cause systems failures.
You’ll also have access to a Service Health Dashboard that shows the current operational status of each active service in real-time, so that uptime and performance are fully transparent.
The AWS Cloud can handle very high packets per second with very low network variability, enabling reliable, high speed data transfers, even for massive workloads. Many of our instance, or virtual machine, types can be connected together on a fast, non-blocking network. This configuration is ideal for applications which require a lot of communication between instances for reliable, high-performance computing tasks.
The AWS Cloud is reliable, as evidenced by the large number of startups, enterprises, and government organizations that are running mission critical applications on AWS – including large web sites, e-commerce applications, SAP deployments, scientific analysis, and financial services risk simulations. AWS has provided them with dependable operational performance over many years – and in many cases higher uptime than they achieved in their own datacenters with the same applications.
Security and reliability are important considerations when going to the cloud, and we take them very seriously. But it is important to remember the agility and innovation that the high performance of the AWS cloud provides.
Amazon Elastic Compute Cloud gives you enterprise-class computing power on-demand, allowing you to provision one server, hundreds of servers, or even thousands of servers in minutes or hours instead of weeks or months.
We also provide several automation tools which allow you to spend less time carrying out time-consuming tasks, and more time on strategic business initiatives. AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources. With CloudFormation, you can automate the creation of entire server farms. Third-party automation solutions such as Chef and Puppet are also supported.
I mentioned using dedicated connections with AWS Direct Connect in the context of security, but Direct Connect can also increase the throughput and reduce the latency of your connection to the AWS Cloud for improved performance.
AWS also provides superior auto-scaling capabilities that are flexible enough to scale manually, by schedule, by policy, or by auto-rebalance. Your instances can be automatically launched or terminated to ensure applications are balanced across multiple Availability Zones.
To help you keep track of your resource usage on AWS, Amazon CloudWatch provides custom metrics and allows you to set automated alarms when you cross your self-determined threshold for any metric.
You may be thinking: “Great. But my organization can’t afford the lost time associated with adopting new platforms, tools, and processes.” You may be surprised at how familiar an experience AWS provides.
With the understanding that many of our customers have cut their teeth in on-premises environments, we have configured AWS to provide a familiar administrative and user experience for Windows IT pros.
In addition to Windows Server and SQL Server, AWS is compatible with other server applications you may already use, such as Microsoft System Center and VMware vCenter. Add-ins have been developed to provide seamless integration between these traditional applications and the AWS Cloud, allowing you to use your existing tools to manage your on-premises virtual machines and workloads in the cloud from a single, familiar console.
With Dedicated Instances, you can provision a server or group of servers dedicated to running your business’s workloads exclusively. Combined with a VPN or AWS Direct Connect, Dedicated Instances can act as an extension of your datacenter, allowing you to take advantage of more flexible software licensing terms.
Our VM Import/Export feature enables you to easily import virtual machine images from your existing environment to AWS and export them back.
You can also choose from several licensing options depending on your preference. Microsoft Windows Server and SQL Server licenses are available directly from AWS via Amazon Machine Images (AMIs). They are well documented, optimized, and configured based on best practices, making it easy to start and manage your Windows-based instances, or virtual machines. You can also bring eligible licenses purchased for on-premises servers with you.
And, on AWS, you have access to the same tools that have been available to you in traditional on-premises environments, including a .NET Developer Center and toolkits for Visual Studio and Windows PowerShell. Additional third-party applications from our network of partners are available in the AWS Marketplace as Amazon Machine Images (AMIs) or as Software as a Service (SaaS).
Whether your goal is to expand your organization’s website capabilities, develop and deploy custom applications quickly and efficiently, or build a responsive database structure, AWS for Windows has the tools, templates, and resources to help you get started quickly and see improvements immediately.
Typically, improvements in IT performance are associated with greater IT expenses. However, with AWS, most customers are actually able to improve performance AND lower costs. AWS is designed to offer you unparalleled value by enabling elastic consumption that scales with your needs, pay-as-you-go pricing models, and no long-term service commitments. Simply put, AWS can help you lower your IT expenses and trade cap-ex for op-ex.
With traditional on-premises approaches, you need to plan for and invest in infrastructure that can handle what you predict to be your peak needs in the future. Then, you have to deploy, maintain, and secure that infrastructure regardless of how much, or how little, your resources are actually utilized. Inevitably, this leads to either excessive spending on unnecessary capacity, or downtime for critical applications and databases if resource demand exceeds your predictions. With AWS, you can access precisely the computing resources you need, without any upfront costs or wasted money on unused capacity.
Because you can pick precisely the instance type you want, scale it up and down on demand, and replace it with another instance at any time, you can improve your hardware utilization.
And as I stated before, AWS also offers ways to move your Windows-based workloads to the cloud without incurring any additional Microsoft software licensing fees. With Microsoft License Mobility through Software Assurance, eligible Microsoft server products can be deployed on AWS using existing Microsoft software licenses. Not only will License Mobility make the transition to AWS easier for you, it provides the ability to continue using perpetual licensing while still taking advantage of the efficiencies of the cloud.
This value orientation is ingrained in the AWS culture. Amazon is committed to providing the greatest value possible to our customers, and that is reflected through AWS. AWS has lowered prices for customers 47 times in the six years leading to 2015, and the AWS Trusted Advisor has proactively recommended over $350 million in cost reductions for our customers over the last two years.
And unlike investing in your own server hardware, there are no long-term commitments with AWS—you can downsize or discontinue service whenever you’d like.
The AWS Cloud is very cost-effective, but it is still quite extensive in its functionality.
AWS has continually expanded its services to support virtually any cloud workload. As of now, we offer an extensive line of more than 40 services, spanning compute, storage, networking, database, analytics, application services, and more.
A key component of this has been establishing a broad ecosystem of thousands of partners who specialize in both technology and consulting services. These partners include systems integrators who offer consulting services, independent software vendors who develop custom software solutions, and security services vendors who specialize in advanced protection of your data and AWS environment.
Our AWS Marketplace is an online store that helps you find, buy, and start using the software and services developed by our partners. You can use AWS Marketplace’s 1-Click deployment to quickly launch pre-configured software for Windows and pay only for what you use, by the hour or month.
We also offer associate and professional level technical certifications available for Solutions Architects, Developers and SysOps Administrators. These certifications recognize individuals that possess the skills and technical knowledge necessary for designing, deploying, and operating applications and infrastructure on AWS. Earning certifications helps you gain visibility and credibility for your proven experience working with AWS, as well as contributes to your organization’s proficiency with AWS-based workloads.
And we expand and improve our services continually, with over 500 significant improvements in 2014 alone.
Our line of cloud services, coupled with the tools developed by our network of partners, gives AWS users extensive functionality.
Our extensive line of platform and cloud services offerings are designed to meet the needs of nearly any organization’s unique infrastructure requirements; unique being the key word here. With AWS, you have the flexibility to choose the computing, storage, and networking capacity you need, which services to use, and how you want to use them. Elastic service capabilities allow you to scale resources up or down in real-time as your needs change, enabling a lean, adaptable infrastructure for your business.
In addition to being able to use your own VMs, we offer a wide selection of instance, or VM types, each with a different performance characteristic across compute, memory, and storage. Each instance type is available in different sizes, allowing you to select and optimize your resources to the requirements of your target workload. Individual instances support up to 36 cores and 60 GB of RAM.
For many businesses, Infrastructure needs can change dramatically in minutes. Auto Scaling allows you to define the conditions by which your Amazon EC2 instances scale up and down, enabling application availability during demand spikes and cost-savings during capacity lulls.
We also offer a wide variety of storage types for different use cases. Whether you need general-purpose, high-performance, or low cost storage, AWS has you covered.
The AWS Cloud is flexible enough to meet the needs of your organization. You can access precisely the combination of IaaS, PaaS, and SaaS solutions you want, when you want them, and change your configuration in minutes.
Today, I’ve told you about a few of the reasons that we feel AWS should be the cloud platform of choice for businesses looking to adopt a modern IT infrastructure:
Our multi-layered approach to security includes virtual isolation, 256-bit encryption, and tracking features.
We have a 99.95% SLA, and most of our customers experience significantly less downtime than with their on-premises environments. This reliability is grounded in our proven experience building enterprise scale, datacenter infrastructure.
This experience has also allowed us to build an agile, high-performance cloud platform.
But this performance doesn’t mean much unless it can be easily configured and delivered, which is why we have designed AWS to feel familiar for IT pros who are used to on-premises environments.
Even with the performance increases that AWS provides, it is also substantially cheaper than buying and maintaining on-premises infrastructure in most cases.
We offer an extensive line of features and services, and continually expand them with the goal of supporting virtually any cloud workload.
And with AWS, you have the flexibility to choose which services to use, how you want to use them, and for how long.
Critical workloads: domain controllers (DCs) in 2 AZs.
App servers in private subnets are shielded from the Internet. Public subnets act like a DMZ.
The DMZ holds the bastion, proxy, etc.
VPC lets you build out a network environment like your on-prem scenario.
Pick the network address range you want.
Expand the VPC across AZs. Create subnets.
2 key concepts: security and eliminating single points of failure (SPOF).
Least privilege and bastion hosts.
Remote admin: via VPC/DX or over the Internet.
Security groups are instance-level firewalls.
Network ACLs control traffic at the subnet level.
Together they control the flow of network connectivity through the environment.
1 AZ.
SG for port 80. That same web SG is then referenced as the source in the ingress rule on the SQL Server SG.
Ingress rules can be sourced on IP ranges or on named security groups.
You may not need to do this if you are coming in from your corporate network.
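The two-tier rule the notes describe (an Internet-facing web SG referenced as the source of the SQL Server SG's ingress rule), modelled in Python as an added example; this is not code from the deck or from AWS. The group IDs, the corporate admin range and the sample client addresses are constructed placeholders, and the rule dicts are written in the IpPermissions shape that boto3's authorize_security_group_ingress() accepts so they could be reused as-is. The evaluator is offline: it reproduces the default-deny, source-matching behaviour of security groups rather than calling the API, and the audit function lists what is reachable from 0.0.0.0/0.

```python
"""Model the two-tier security-group design from the notes: a web-tier SG
that admits HTTP from the Internet, and a SQL Server SG whose ingress rule is
sourced on the web-tier SG rather than on an IP range. Added example; all
group IDs and addresses are constructed placeholders."""

import ipaddress

WEB_SG = "sg-web-placeholder"   # constructed id for the web tier
SQL_SG = "sg-sql-placeholder"   # constructed id for the SQL Server tier
ADMIN_CIDR = "203.0.113.0/24"   # constructed corporate admin range (TEST-NET-3)

# Ingress rules keyed by the group they protect, in boto3 IpPermissions shape.
RULES = {
    WEB_SG: [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": ADMIN_CIDR}]},
    ],
    SQL_SG: [
        # Sourced on the web SG: any instance that is a member of WEB_SG may
        # reach 1433 regardless of its IP address; nothing else may.
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "UserIdGroupPairs": [{"GroupId": WEB_SG}]},
    ],
}


def _source_matches(perm, src_ip, src_groups):
    """A permission matches if the source IP falls in one of its CIDRs or the
    source instance belongs to one of its referenced security groups."""
    for rng in perm.get("IpRanges", []):
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(rng["CidrIp"]):
            return True
    for pair in perm.get("UserIdGroupPairs", []):
        if pair["GroupId"] in src_groups:
            return True
    return False


def ingress_allowed(dest_group, proto, port, src_ip, src_groups=()):
    """Security groups are default-deny: a flow is admitted only if some
    ingress permission on the destination group matches it."""
    for perm in RULES.get(dest_group, []):
        if perm["IpProtocol"] not in (proto, "-1"):
            continue
        if perm["IpProtocol"] != "-1" and not (perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        if _source_matches(perm, src_ip, set(src_groups)):
            return True
    return False


def audit_internet_exposure(rules=RULES):
    """Defender check: (group, from_port, to_port) triples open to 0.0.0.0/0."""
    exposed = []
    for group, perms in rules.items():
        for perm in perms:
            if any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                exposed.append((group, perm.get("FromPort"), perm.get("ToPort")))
    return sorted(exposed)


if __name__ == "__main__":
    print(ingress_allowed(WEB_SG, "tcp", 80, "198.51.100.7"))           # Internet -> web:80
    print(ingress_allowed(SQL_SG, "tcp", 1433, "10.0.1.15", [WEB_SG]))  # web member -> sql:1433
    print(ingress_allowed(SQL_SG, "tcp", 1433, "198.51.100.7"))         # Internet -> sql:1433
    print(audit_internet_exposure())                                    # only the web tier's port 80
```

Because the SQL rule names the web group rather than the web subnet's CIDR, an instance that is moved, replaced or scaled out keeps access as long as it is launched with the web SG, and a host in the same subnet without that SG does not.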
If you administer over the Internet, a great capability: Remote Desktop Services (RD Gateway).
Encryption is a benefit of this architecture.
RDGW gives you least privilege: who can RDP, and, through the gateway, where they can connect to.
Command-line integration: PowerShell has become powerful. Both options work on RDGW/jump boxes.
RDGW is a jump box. Requires certificate setup. Can bypass logging in twice.
Admin comes over the Internet
Tunneling over SSL
SGs permit traffic
RDGW proxies to multiple backend connections
Single endpoint for the RDGW and all connections get proxied through single access point
HA: put one RDGW in each AZ.
Server farms: client affinity, and farms need to be domain joined. Not ideal.
HA alternative: use Route 53 health checks with an active-active record set, or active-passive.
Route 53 pings to see if the gateway is running. If not, it substitutes the other.
We can put RDGWs in separate AZs and use Route 53 health checks and DNS failover. Active-active gives round robin; active-passive always goes through one gateway unless we need to fail over.
For real-world implementations, RDCMan (Remote Desktop Connection Manager) is your friend.
VPC is the basis for managing AD.
VPN or DX to get to the corporate network.
VPC subnets hand out DHCP IP addresses.
Amazon-provided DNS.
You should use your own DNS.
DHCP option sets let you hand AD's DNS servers to your instances.
For the domain name, they let you assign the IPs of DCs, NTP servers, NetBIOS name servers (NBT), etc.
Sites become Availability Zones.
Assign subnets. The VPC hands out IP addresses. Amazon DNS lets instances resolve Internet names and talk to Amazon resources.
Your own DNS servers can forward queries to Amazon DNS (to resolve ELB names, etc.).
Tangent: CNAME records for DNS
AWS Directory Service, announced at re:Invent 2014.
Simple AD: build your own directory service based on Samba (users/groups, join EC2 instances to the directory). However, you might have AD already.
AD Connector proxies directory service calls to your DCs in the VPC or in your on-prem environment.
Domain controllers
Need a static IP; wacky stuff happens in Windows if not.
Use the “Private IP Address” field.
That creates a reservation in Amazon-provided DHCP, so the instance will always get those IPs. Statically assign them in the OS as well.
Run DNS and Global Catalog on the DCs. Full redundancy if you lose an AZ.
RO vs. RW domain controllers. Wayne Saxe gave guidance not to use RO.
Passwords are not stored on an RODC. Exchange needs a writable DC/GC.
If you don't want to use RW DCs, use AD Connector.
Sites = Availability Zones.
MS workloads are tightly coupled with the AD architecture.
VPN and DX bridge the networking gap.
SGs for DCs in AWS to talk to DCs on-prem. Lots of ports.
AD sites and subnets: match them to AZs.
Domain-joined servers and workstations should talk to the closest DC.
Site link costs ensure they talk to the closest domain controller.
AD forest spanning the corporate data center and AWS.
Basic configuration
Corp location: 2 physical locations
Add DC to AWS VPC
If this were all 1 site, the DC Locator service would locate a DC anywhere in the site. Authentication could go anywhere.
It makes more sense to have the workstation in NY talk to its local DC. If DC1 goes down, where should the workstation go?
Sites
I’ve created a site for each physical location
Assigned site link costs
What's the lowest-cost value to reach a DC?
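Site link costs carried through as an added worked example (not from the deck): a small Dijkstra over the site graph picks the DC a client should use, first in its own site and otherwise in the lowest-cost reachable site, which answers the "DC1 goes down, where should the NY workstation go?" question. Site names, link costs and DC names are constructed; the corporate link uses AD's default site link cost of 100, and the AWS links are given higher, constructed costs.

```python
"""Site-link-cost model from the notes: each physical location and each AWS
Availability Zone is an AD site, and a client should land on a DC in its own
site, or failing that, on a DC in the lowest-cost reachable site. Added
example code; site names, link costs and DC names are constructed."""

import heapq

# Site links are undirected and carry a cost (AD's default is 100).
SITE_LINKS = [
    ("NY", "Corp-B", 100),      # second corporate location (constructed name)
    ("NY", "AWS-1a", 200),      # VPN/DX into the VPC, AZ 1a (constructed cost)
    ("Corp-B", "AWS-1b", 250),  # constructed cost
    ("AWS-1a", "AWS-1b", 50),   # intra-VPC link between AZ subnets (constructed)
]

# Which DCs live in which site, with an availability flag.
DCS = {
    "DC1": {"site": "NY", "up": True},
    "DC2": {"site": "Corp-B", "up": True},
    "DC3": {"site": "AWS-1a", "up": True},
    "DC4": {"site": "AWS-1b", "up": True},
}


def site_costs(origin, links=SITE_LINKS):
    """Dijkstra over the site graph: cheapest cumulative link cost from the
    client's site to every reachable site (origin itself costs 0)."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best = {origin: 0}
    heap = [(0, origin)]
    while heap:
        cost, site = heapq.heappop(heap)
        if cost > best.get(site, float("inf")):
            continue  # stale heap entry
        for nxt, w in adj.get(site, []):
            new = cost + w
            if new < best.get(nxt, float("inf")):
                best[nxt] = new
                heapq.heappush(heap, (new, nxt))
    return best


def locate_dc(client_site, dcs=DCS, links=SITE_LINKS):
    """Return (dc_name, site, cost) for the lowest-cost site that still has a
    reachable DC, preferring the client's own site (cost 0). Ties are broken
    by DC name so the result is deterministic; None if no DC is reachable."""
    costs = site_costs(client_site, links)
    candidates = [
        (costs[info["site"]], name, info["site"])
        for name, info in dcs.items()
        if info["up"] and info["site"] in costs
    ]
    if not candidates:
        return None
    cost, name, site = min(candidates)
    return name, site, cost


if __name__ == "__main__":
    print(locate_dc("NY"))           # DC1 in the workstation's own site
    DCS["DC1"]["up"] = False         # DC1 goes down
    print(locate_dc("NY"))           # next cheapest: DC2 in Corp-B (cost 100)
```

Without distinct sites every DC would sit at cost 0 and the locator could hand the NY workstation a DC across the VPN; with the sites and link costs in place the fallback order is local, then the other corporate site, then the nearest AZ.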
SharePoint and Lync use SQL Server.
Many other applications use SQL Server too, so let's start there…
Amazon RDS is different than Remote Desktop Services!
RDS
No admin intervention needed for failover.
SQL Server EE – As of June 16 (10 days ago), it’s available on AWS per hour
Benefits of SQL EE:
HA: AlwaysOn Availability Groups with up to 4 active, readable secondary DBs.
Self-service BI: you can use Power View to explore and visualize data.
Data Quality Services: you can use reference data to profile, cleanse, and match data.
Online changes: you can restore files, alter schemas, and make index changes while the DB is online.
Availability groups do not require a shared storage model.
The concept of AGs also applies to Exchange and Lync: failover clustering.
The app handles data replication.
Simple 2-node cluster.
3 IPs per instance: one for the OS, one for the Windows Server Failover Cluster, and one for the listener.
Fully qualified domain name for the listener so you don't have to hardcode a server name.
On failover, clients don't need to know that the server name has changed.
Not showing how WSFC manages all this
Traditionally this worked off shared storage.
AGs don't require that. DB replication is done by SQL Server itself.
Same concept in Exchange 2010, 2013, and Lync: no shared storage model needed.
WSFC uses a quorum concept. With an even number of servers, you need a 3rd voter.
Witness server: a file share acts as the tie-breaker.
Primary fails. The secondary replica still talks to the witness, so it has node majority.
Activate the secondary as primary.
The witness doesn't have to be a dedicated witness. It could be a SQL or DC server.
If you could lose a whole AZ, put the witness (or a third SQL node) in AZ3.
Quorum concepts apply to Exchange and Lync EE as well.
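Quorum and witness placement as an added example, not from the deck: a 2-node AlwaysOn cluster with a file-share witness, evaluated against the loss of each AZ in turn, for a witness placed in AZ1 versus a third AZ. Node names and AZ labels are constructed, and the model is the basic node-majority-with-witness rule the notes describe (no dynamic quorum); the same arithmetic is what the Exchange DAG and Lync pool witnesses rely on.

```python
"""Quorum model for the WSFC/AlwaysOn design in the notes: two SQL nodes in
two AZs plus a file-share witness as the tie-breaking third vote. Reports
whether the cluster keeps node majority after losing an AZ, which is the
argument for placing the witness in a third AZ. Added example; node names
and AZ labels are constructed."""


def has_quorum(voters, lost_azs):
    """Node-majority (with witness) quorum: the cluster survives only if
    strictly more than half of the configured votes are still online.
    voters maps each voting member (node or witness) to the AZ it lives in."""
    total = len(voters)
    online = sum(1 for az in voters.values() if az not in lost_azs)
    return online > total // 2


def surviving_primary(voters, replicas, lost_azs, current_primary):
    """Which replica serves as primary after the failure, or None if the
    cluster lost quorum (the availability group goes offline in that case)."""
    if not has_quorum(voters, lost_azs):
        return None
    if voters[current_primary] not in lost_azs:
        return current_primary
    for replica in replicas:
        if voters[replica] not in lost_azs:
            return replica  # surviving secondary is activated as primary
    return None


def witness_placement_report(witness_az):
    """Evaluate the 2-node + witness cluster for the loss of each single AZ,
    with SQL1 (in AZ1) as the starting primary."""
    voters = {"SQL1": "AZ1", "SQL2": "AZ2", "FSW": witness_az}
    replicas = ["SQL1", "SQL2"]
    return {
        az: surviving_primary(voters, replicas, {az}, "SQL1")
        for az in ("AZ1", "AZ2", "AZ3")
    }


if __name__ == "__main__":
    # Witness in the primary's AZ: losing AZ1 takes out two of three votes.
    print(witness_placement_report("AZ1"))
    # Witness in a third AZ: every single-AZ loss leaves two votes online.
    print(witness_placement_report("AZ3"))
```

With the witness co-located in AZ1, an AZ1 outage leaves SQL2 alone with one of three votes and the group goes offline even though a healthy replica exists; with the witness in AZ3, any single AZ loss still leaves two votes and a primary. The four-voter case in the test shows why an even number of nodes needs the extra voter in the first place.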
SharePoint HA is easy because it follows general and SQL HA.
Similar concepts to on-prem
Load balancing for the web tier.
The app tier has native load balancing (service apps installed on app servers).
SQL AlwaysOn Availability Group adds HA for the database.
Use a SQL client alias to point to an individual SQL server.
Install SharePoint. Configure service apps.
Configure the database. Hop into SQL Server. Make an Availability Group. Make the databases HA. Change the SQL client alias to point to the listener DNS name instead of a single server. Good to go.
Web tier: the LB distributes HTTP.
CloudWatch Logs: if you use the EC2Config service, it provides support for CloudWatch. Send all data to CloudWatch, including custom logs, e.g., cfn-init logs.
Single pane of glass to look at logs.
In SQL Server, we download all of the bits from Microsoft
PowerShell DSC: Microsoft's configuration management platform. Plugs in great with CloudFormation. Declarative model: declarative scripts that you can check into source control. We'll be leveraging DSC for Windows builds going forward.
Other sessions:
Hybrid IT
DR
AWS as a Data Platform
That’s my time. Really appreciate you guys coming and listening