Running Microsoft Workloads on AWS

AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Running Microsoft Workloads on
AWS
Bill Jacobi
bjacobi@amazon.com
Manager, Solutions Architecture
June 25, 2015
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Session abstract
Deploy, scale and manage your Microsoft workloads
on AWS. We will start with why customers want to
deploy Windows applications on AWS as a cloud
platform. We will discuss reference architectures and
best practices for implementing Microsoft products
including Active Directory, Remote Desktop
Gateway, Exchange, SharePoint, and Lync on AWS.
We will conclude with best practices for managing
and monitoring Microsoft technologies on AWS.

Agenda
• Why run Windows on AWS
• New Announcements
• Windows architecture
– Security and remote administration
– Active Directory Domain Services
– Microsoft SharePoint 2013
– Microsoft Exchange Server 2013
– Microsoft Lync 2013
– Microsoft SQL Server 2014
– Managing and monitoring Windows instances and applications

flexible
What is AWS for Windows?
secure reliable high-performance familiar cost-effective extensive
Optimization for Windows-based workloads
Wide range of scalable services
Alignment with business needs

AWS for Windows is secure
“Amazon Virtual Private Cloud (Amazon
VPC) gives us a secure environment in
the AWS cloud with the flexibility and
scalability we need to manage our
SharePoint environment with zero
impact to our on-premises datacenter”
- Jeremy Fuchs, Vice President of Financial
and BI Systems, Lionsgate
 Security-in-layers approach
 Isolated infrastructure and workloads
 Identity and access controls
 Tracking and logging
 Optimized for regulatory compliance

AWS for Windows is reliable
“Before migrating to AWS, we
experienced 10 to 20 hours of downtime
a month. With AWS, our downtime is
significantly reduced. Our average
uptime increased rapidly from 98.8
percent to 99.9 percent without
re-architecting applications.”
- Augusto Rosa, Server Operations
Manager, Shaw Media
 99.95% SLA (EC2, EBS, RDS)
 Multi-region asynchronous replication
 Uptime and performance monitoring
 Low network variability

AWS for Windows is high-performance
“Using AWS, we decreased average
network latency from 700
milliseconds to less than 50
milliseconds… Fundamentally,
running in AWS enables a 230
percent CPU consumption
efficiency in data processing.”
- Murari Gopalan, Technology
Director, Expedia.com
 Enterprise-grade computing on demand
 Automation for both complex and routine tasks
 Dedicated, low-latency network connections
 Automated scaling
 Monitoring tools with user-defined thresholds

AWS for Windows is familiar
“We didn’t have time to redesign
applications. AWS could support our
legacy 32-bit applications on Windows
Server 2003, a variety of SQL Server and
Oracle databases, and a robust Citrix
environment.”
- Jim McDonald, Lead Architect, Hess
Corporation
 Windows-based application support
 Your own cloud servers
 Use existing VMs
 License flexibility
 Same tools as on-premises environments

AWS for Windows is cost-effective
“Had we built our SharePoint 2013 farm
in our other data center, we would have
increased costs by almost 50 percent.
When you compare our SharePoint 2012
farm to our SharePoint 2013 farm, AWS
allowed us to increase our computing
power while also reducing costs by 14
percent.”
- Michael Cierkowski, Development
Manager, Slalom Consulting
 No hardware procurement/deployment
costs
 Improved hardware utilization
 Bring your own licenses
 Value-oriented culture
 No long-term commitments

AWS for Windows is extensive
“As our company continued to
grow, so did our reliance on the
AWS cloud and now, we’ve adopted
almost all of the features AWS
provides. AWS is the easy answer
for any Internet business that wants
to scale to the next level.”
- Nathan Blecharczyk, Co-founder &
CTO, Airbnb
 More than 40 services available
 Broad ecosystem of partners
 Third-party application marketplace
 Continuous service improvement
 Technical certifications for multiple skill levels

AWS for Windows is flexible
 Highly customizable infrastructure
 Variety of instance types
 Maintain availability at the lowest cost
 Wide variety of storage options
“By deploying their on premise Microsoft
solutions like SharePoint and Exchange
into the AWS platform – combined with
InfoReliance’s fully managed service
options -- our customers find the best of
both worlds and the flexibility they
require to meet their evolving
requirements.”
- John Sankovich, VP Cloud Solutions,
InfoReliance

Why AWS for Windows?
secure reliable high-performance familiar
cost-effective extensive flexible

Common AWS Services used with
Windows Applications

New Announcements
https://aws.amazon.com/quickstarts
https://aws.amazon.com/blogs/aws/now-available-sql-
server-enterprise-edition-ami-for-ec2/

Windows architecture on AWS
• Place application servers in private
subnets to prevent direct access from the
Internet
• Deploy Bastion hosts, reverse proxies,
and other Internet-facing servers in public
subnets
• Install critical workloads in at least two Availability Zones to provide
high availability

Availability Zone 1
private subnetpublic subnet
NAT
10.0.10.0/24 10.0.2.0/24
DCDBAPPWEB
domain
controller
SQL
Server
app
server
IIS
Server
RDG
Availability Zone 2
NAT
10.0.100.0/24 10.0.2.0/24
DCDBAPPWEB
domain
controller
SQL
Server
app
server
IIS
Server
RDG
Remote
Users / Admins
Windows
architecture
on AWS
10.0.11.0/24
10.0.110.0/24
Virtual Private Cloud (VPC)
is the foundation

Architectural considerations
• Amazon Virtual Private Cloud
– Configure IP ranges, public/private subnets, routing tables,
Internet or private gateway
• Security groups, network ACLs, VPC Flow Logging
• Remote administration
• The principle of least privilege

Security groups
Availability Zone
web security group SQL security group
accept TCP port 80
from Internet
accept TCP port 1433
from web security group
User
WEB SQL
TCP 80 TCP 1433
10.0.0.0/24 10.0.1.0/24

Remote administration
• Place RD Gateway in DMZ subnet
• Clients can use the Remote Desktop Protocol (RDP)
over HTTPS to establish an encrypted connection
• Pro tip: Use Remote Desktop Connection Manager
• Bastion hosts can run Windows PowerShell Web
Access for remote command-line administration
Deploying a Bastion host (Remote Desktop Gateway) in each
Availability Zone can provide highly available and secure remote
access over the Internet

Secure remote administration architecture
Availability Zone
gateway security group web security group
accept TCP port 443
from admin IP address
accept TCP port 3389 from
gateway security group
AWS administrator
corporate data center
WEB2
TCP 443
Connect to the Remote Desktop Gateway over https which proxies the RDP connection to the back-end instance
WEB1
RDG

Remote Desktop Connection Manager
(RDCMan 2.7)

Managing Active Directory
• Use AD Domain Controllers in the cloud and/or on-premise
• No different in cloud: AD provides security boundary, IP
addressing and DNS
• AWS VPC provides DHCP and
“static” IPs for DCs and servers
• Global catalog servers
• Read-only and writeable domain controllers

AWS Directory Service
• Simple AD
 Managed directory powered by Samba 4 Active
Directory Compatible Server
 Supports user accounts, group memberships,
domain-joining Amazon EC2 instances
• AD Connector
 Proxies directory requests to on-premises environment
 Users can access AWS resources and applications with existing
corporate credentials
https://aws.amazon.com/blogs/aws/new-aws-directory-service/

Active Directory hybrid deployments
• Properly define AD sites and subnets
• Configure site-link costs
• Enable domain members for Try Next Closest Site
Group Policy setting
• Connectivity from cloud to corporate data center via VPN or Direct Connect
• Security groups must allow traffic to and from DCs on-premises

Availability Zone
private subnet
DC3
corporate network
New York
DC1
VPN or
Direct Connect
AD forest spanning AWS and corporate data center
Washington, D.C.
DC2
AWS region

Availability Zone
private subnet
DC3
corporate network
New York
DC1
Washington, D.C.
DC2
X
VPN or
Direct Connect
If DC1 goes down, where does
NY client go to authenticate?

private subnet
DC3
corporate network
New York/AD site 1
DC1
VPN or DX
Washington, D.C./AD site 2
DC2
AD site 3
Cost 50
With Try Next Closest Site policy enabled, clients use least cost
path to a domain controller. Applies to on-prem and cloud sites.
X

SQL Server high availability
• Amazon RDS Multi-AZ deployments
– Fully managed by AWS
– No administrative intervention
– Uses SQL Server mirroring
• SQL Server Enterprise 2012/2014
– Managed by you
– High availability achieved using Windows Server Failover Clusters
(WSFC) and AlwaysOn Availability Groups
– SQL Server Enterprise Edition AMI available (as of June 16)

SQL Server high availability
Availability Zone 1
private subnet
primary
replica
Availability Zone 2
private subnet
secondary
replica
synchronous-commit synchronous-commit
Primary: 10.0.2.100
WSFC: 10.0.2.101
AG Listener: 10.0.2.102
Primary: 10.0.3.100
WSFC: 10.0.3.101
AG Listener: 10.0.3.102
AG Listener:
ag.awslabs.net
automatic failover

WSFC Quorum
Availability Zone 1
Private Subnet
Primary
Replica
Availability Zone 2
Private Subnet
Secondary
Replica
Synchronous-commit Synchronous-commit
Automatic Failover
Witness
Server

WSFC Quorum
Availability Zone 1
Primary
Replica
Availability Zone 2
Secondary
Replica
Automatic Failover
Witness
Server
Availability Zone 3

SharePoint 2013 reference architecture
• General guidelines
– Critical workloads are placed in two Availability Zones
– Examples: AD domain controllers, SharePoint servers, RD gateways, Forefront TMG
gateways, NAT gateways
– Internal application servers are placed in private subnets
– RD gateways are deployed into public subnets in each Availability Zone
• Web tier is made highly available through load balancing
• Application-tier load balancing is native to SharePoint
(crawl servers, query servers, etc. installed cross-farm)
• High availability on database tier can be achieved with SQL Server
AlwaysOn

private subnet
private subnet
10.0.2.0/24
Availability Zone 2
Availability Zone 1
public subnet
NAT
10.0.0.0/24
DC
DB
primaryAPPWEB
domain
controller
app
server
web
front end
RDG
public subnet
NAT
10.0.0.0/24 10.0.2.0/24
DC
DB
secondaryAPPWEB
domain
controller
app
server
web
front end
RDG
Users
Internet-facing
SharePoint farm
on AWS
SQL Server
AlwaysOn
Availability
Group
SQL
Server
SQL
Server

Exchange 2013 reference architecture
• Critical workloads are placed in two Availability Zones
– AD domain controllers, Exchange servers, RD gateways, Edge
Transport servers, NAT gateways
• Internal application servers are placed in private subnets
• RD gateways are deployed into public subnets in each
Availability Zone
• High availability provided within the data center with site
resilience between data centers
• Supports multiple copies of each database
• Optimize around failure domains

private subnet
private subnet
10.0.2.0/24
Availability Zone 2
Availability Zone 1
public subnet
NAT
10.0.1.0/24
DMZ
DC1Exch1
domain
controller
mailbox
server
RDG
public subnet
NAT
10.0.10.0/24
DMZ
10.0.20.0/24
DC2Exch2
domain
controller
mailbox
server
RDG
Users
Exchange 2013
reference
architecture

Availability Zone 1/AD site 1
10.0.0.0/24 10.0.2.0/24
DC1
domain
controller
Exchange 2013
CAS+MBX
Availability Zone 2/AD site 2
10.0.1.0/24 10.0.3.0/24
DC2EXCH2
domain
controller
Exchange 2013
CAS+MBX
remote
mail server
Adding the Edge
Transport server
EDGE1
Exchange 2013
Edge Transport
EDGE2
Exchange 2013
Edge Transport
EXCH1

Lync 2013 reference architecture
• Critical workloads are placed in two Availability Zones
– AD domain controllers, Lync Front End Server, RD gateways, Mediation
Server, NAT gateways
– Lync Edge Server (if needed) placed in DMZ subnets
• Internal Lync servers and supporting servers (OWA, PC, Mediation,
etc.) are placed in private subnets
• RD gateways are deployed to public subnets in each Availability
Zone
• Paired Lync Server 2013 pools in each Availability Zone support DR
and pool failover

private subnet
private subnet
10.0.2.0/24
Availability Zone 2
Availability Zone 1
public subnet
NAT
10.0.1.0/24
DMZ
DCFE01
domain
controller
front end
RDG
public subnet
NAT
10.0.10.0/24
DMZ
10.0.20.0/24
DCFE02
domain
controller
front endRDG
Users
Lync SE 2013
reference
architecture

Lync Server 2013 EE architecture
VPC Content
10.0.0.0/16
AD1
Front End
Pool
ADCS
NATRDGW
DB1-FE
Mirrored
Mediation
SRV1
Mediation
SRV2
Persistent
chat pool
DB1-PC
Mirrored
Stress Test
Servers
OWA App
SRV1
OWA App
SRV2
AD2
DB2-FE
Mirror
DB2-PC
Mirror
Witness
Monitor
Elastic
IP
Elastic
IP
Internet gateway
router
LoadSim Tier App Tier DB Tier AD Tier
Public
10.0.15.0/24
DMZ
Private
10.0.14.0/24
AZ-1

49% Lower Latency with Direct
Connect versus Internet (VA-OR)
88 ms roundtrip via Internet 59 ms roundtrip via Direct Connect
East coast – West coast latency well within Lync latency envelope

Managing and monitoring your Windows instances and
applications
Log types:
• Event logs
• IIS logs
• Event Tracing for Windows (ETW) logs
• Any performance counter data
• Any text-based log files
To learn more: http://amzn.to/1qVKKkI
• Recommend running Systems Center Operations Manager and
management packs for AD, Exchange, SharePoint, SQL Server, and Lync
• Amazon CloudWatch Logs enable monitoring instance activity in real time
with custom alarms on events

Quick Start reference deployments
• Active Directory Domain Services
• Remote Desktop Gateway on AWS
• SharePoint 2013
• Exchange Server 2013
• Lync Server 2013
• SQL Server 2014 AlwaysOn
• PowerShell Desired State Configuration (DSC)
aws.amazon.com/quickstart

Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices

Running Microsoft Workloads on AWS

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Running Microsoft Workloads on AWS

Similaire à Running Microsoft Workloads on AWS (20)

Plus de Amazon Web Services

Plus de Amazon Web Services (20)

Dernier

Dernier (20)

Running Microsoft Workloads on AWS

Notes de l'éditeur