Deploy, scale, and manage your Microsoft workloads on AWS. We start our session by discussing why customers want to deploy Microsoft Windows applications on AWS as a cloud platform. We talk about reference architectures and best practices for implementing Microsoft products and technologies including Active Directory, Remote Desktop Gateway, Exchange, SharePoint, and Lync in the AWS cloud. We conclude with best practices for managing and monitoring Microsoft technologies in the AWS cloud.
2. Agenda
• Why Run Microsoft Servers on AWS?
• Amazon's Migration to AWS
• Demo of Windows Architecture on AWS
• Cost, Licensing, & Performance
• Architecture and Technology
3. Why Run Microsoft Servers on AWS? Cloud Benefits
• Agility: vertical and horizontal scaling takes place in minutes. Experiment and optimize with simple clicks or CLI commands.
• Cost: you pay only for what you use, and you can turn resources up or down elastically according to demand or schedules.
• Elasticity: resources are provisioned according to demand. Horizontal and vertical scaling are programs, clicks, or CLI commands.
• Breadth of functionality: compute, storage, database, networking, dev tools, management tools, security/identity, analytics, mobile, app services, enterprise apps.
• Go global: 12 Regions across Americas, Europe, Asia, Australia, South America; 33 Availability Zones.
4. Why Run Microsoft Servers on AWS? AWS-specific Benefits
• Add-on compatibility: ISV add-ons supported by the Infrastructure as a Service platform.
• Enabled for compliance: applications can run under NIST, PCI, or HIPAA Accelerators that provide baseline regulatory controls.
• License management: AWS Config can monitor license compliance of server-bound licenses on Amazon EC2 Dedicated Hosts.
• Auditability enabled: every API call, every network flow in/out (accepted and rejected), and every infrastructure change is logged.
• DevOps enabled: AWS CloudFormation builds infrastructure while Microsoft PowerShell builds applications, automating Windows on AWS deployments.
• Optimization: monitor and optimize the specific resources needed.
5. Amazon's Migration to AWS
In 2013, Amazon IT decided to migrate the Microsoft stack to AWS.
Over 200K Amazon users access Exchange, SharePoint, and Lync through the corporate image.
Exchange data points:
• There are 26 Exchange servers (4 per AZ)
• 7,600 users per server
• DAG architecture for HA
• Supports users in Americas, EMEA, and Asia
6. Demo: SharePoint Pushbutton Launch
[CloudFormation template card: "SharePoint: Deploys SharePoint Foundation running on Windows Server", with "View in Designer" and "Launch Stack" buttons]
8. Accelerator for Microsoft Servers
• Single VPC for integrated cross-server experience
• Multiple AZs for high availability across all servers
• DMZ subnet for management
• Private subnet for app servers
• 2 AD sites mapped to the 2 AZs for high availability
• Connect to on-premises through AWS Direct Connect (not part of the QuickStart)
9. Accelerator for Microsoft Servers
• Exchange DAG architecture
• Lync Paired Pool architecture
• SQL Server Always On architecture for SharePoint
• Brick architecture represents a 10K modular pod
• Add n pods for n-scale
• Use the Microsoft capacity calculators and load-testing tools to validate
11. Demo: Microsoft Servers on AWS
• Exchange, SharePoint, Lync, SQL Server, and Active Directory on AWS
• Deployed from a single master template
• 14 servers, 2 AZs, 10K users
• Exchange users have 5 GB mailboxes
• Lync users have VoIP, video, web conferencing, and desktop sharing
• SharePoint Blog and Team Sites are "Everyone"-enabled
• ~$14/hour to operate
17. Licensing Microsoft Products on AWS
BYOL: support for Microsoft servers
• Exchange, Skype for Business, SharePoint, System Center
• See the AWS Microsoft Licensing page for details
License-included: Windows Server and SQL Server AMIs available from AWS
• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2003
• SQL Server 2012
• SQL Server 2014
http://aws.amazon.com/windows/resources/amis/
18. Architecture and Technology
• Architectural Considerations
• SharePoint and SQL Server on AWS
• Performance and Latency
• DevOps
• Enabled for Compliance
• Auditability
19. Architectural Considerations
• Amazon VPC: configure IP ranges, public/private subnets, routing tables, Internet or private gateway
• Security groups, network ACLs, VPC flow logging
• Remote administration
• The principle of least privilege
21. SQL Server High Availability (link)
[Diagram: one private subnet in each of two Availability Zones]
• Availability Zone 1, private subnet: primary replica. Primary private IP 10.0.2.100; WSFC cluster IP 10.0.2.101; AG listener IP 10.0.2.102
• Availability Zone 2, private subnet: secondary replica. Primary private IP 10.0.3.100; WSFC cluster IP 10.0.3.101; AG listener IP 10.0.3.102
• Synchronous-commit replication between the two replicas, with automatic failover
• AG listener name: ag.awslabs.net
22. Performance and Latency: Washington, DC to Portland, OR
• 88 ms round trip via Internet
• 59 ms round trip via Direct Connect
23. DevOps: CloudFormation
AWS CloudFormation is the basic standard in AWS for automating deployment of resources.
• CloudFormation template: a JSON-formatted document that describes a configuration to be deployed in an AWS account
• When deployed, the result is referred to as a "stack" of resources
• PowerShell can be slipstreamed into UserData and run at instance start-up
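The slide says a template is a JSON document and that PowerShell is slipstreamed into UserData. The following is an added example written for this page, not a template from the deck or from the AWS Quick Starts, showing what that looks like end to end: a minimal template whose UserData carries a `<powershell>` block, launched from PowerShell with `New-CFNStack`. The AMI, subnet and security group IDs, the stack name, the instance type and the domain name are placeholders; the role and firewall rule installed by the UserData stand in for whatever the real application layer needs.

```powershell
# Added example (not from the original deck): CloudFormation template with
# PowerShell slipstreamed into UserData, deployed from PowerShell.
# Assumptions: AWS Tools for PowerShell is installed and credentialed; the IDs
# passed as parameters are placeholders; EC2Config/EC2Launch on the Windows AMI
# executes the <powershell> block on first boot.
Import-Module AWSPowerShell

$Region    = 'us-west-2'      # the deck's demo region
$StackName = 'spwfe-demo'     # assumed

$template = @'
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Windows instance whose application layer is built by PowerShell in UserData",
  "Parameters": {
    "AmiId":      { "Type": "AWS::EC2::Image::Id" },
    "SubnetId":   { "Type": "AWS::EC2::Subnet::Id" },
    "SgId":       { "Type": "AWS::EC2::SecurityGroup::Id" },
    "DomainName": { "Type": "String", "Default": "example.com" }
  },
  "Resources": {
    "AppServer": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": { "Ref": "AmiId" },
        "InstanceType": "m4.large",
        "SubnetId": { "Ref": "SubnetId" },
        "SecurityGroupIds": [ { "Ref": "SgId" } ],
        "Tags": [ { "Key": "Name", "Value": "spwfe2" } ],
        "UserData": { "Fn::Base64": { "Fn::Join": [ "", [
          "<powershell>\n",
          "Set-ExecutionPolicy RemoteSigned -Force\n",
          "Install-WindowsFeature Web-Server, NET-Framework-45-ASPNET\n",
          "Set-DnsClientGlobalSetting -SuffixSearchList '", { "Ref": "DomainName" }, "'\n",
          "New-NetFirewallRule -DisplayName 'SharePoint 80' -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow\n",
          "</powershell>\n"
        ] ] } }
      }
    }
  },
  "Outputs": {
    "InstanceId": { "Value": { "Ref": "AppServer" } }
  }
}
'@

# Parameter values are placeholders; each hashtable becomes a
# Amazon.CloudFormation.Model.Parameter object.
$params = @(
    @{ ParameterKey = 'AmiId';    ParameterValue = 'ami-0123456789abcdef0' },    # assumed
    @{ ParameterKey = 'SubnetId'; ParameterValue = 'subnet-0123456789abcdef0' }, # assumed
    @{ ParameterKey = 'SgId';     ParameterValue = 'sg-0123456789abcdef0' }      # assumed
)

# Create the stack, block until CloudFormation reports CREATE_COMPLETE (or fails),
# then read the outputs. Stack events are the audit trail of what was built.
$stackId = New-CFNStack -Region $Region -StackName $StackName -TemplateBody $template -Parameter $params
Wait-CFNStack -Region $Region -StackName $StackName -Timeout 900
(Get-CFNStack -Region $Region -StackName $StackName).Outputs
Get-CFNStackEvent -Region $Region -StackName $StackName |
    Select-Object Timestamp, ResourceType, ResourceStatus | Format-Table -AutoSize
```

The `Fn::Join` is what lets template values such as the domain name flow into the script; anything secret (domain-join credentials, for instance) should not be written into UserData this way, because UserData is readable from the instance metadata service by any process on the box.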
Log into the AWS Console and refresh EC2 and S3 beforehand so that the demo on slide 10 runs fast.
The first is agility. AWS lets customers quickly spin up resources as they need them, deploying hundreds or even thousands of servers in minutes. This means they can very quickly develop and roll out new applications, and it means teams can experiment and innovate more quickly and frequently. If an experiment fails, you can always de-provision those servers without risk.
The second reason is cost savings. AWS allows customers to trade capital expense for variable expense, paying for IT as they consume it. And, the variable expense is much lower than what customers can do for themselves because of AWS’s economies of scale. For example, Dow Jones has estimated that migrating its data centers to AWS will contribute to a global savings of $100 million in infrastructure costs. Or the Commonwealth Bank of Australia, which has halved its storage costs and is estimating it will save hundreds of millions of dollars. Another example is the US Navy, which is moving workloads to AWS and is saving as much as 60% over on-premises or hosting.
The third reason is elasticity. Customers used to over-provision to ensure they had enough capacity to handle their business operations at the peak level of activity. Now, they can provision the number of resources that they actually need, knowing they can instantly scale up or down along with the needs of their business, which also reduces cost and improves the customer's ability to meet their users' demands.
The fourth reason is the breadth of functionality that exists in AWS. We have more than any other platform. And, we continue to add new capabilities and new services at an accelerating pace. In 2011, we released over 80 significant services and features; in 2012, nearly 160; in 2013, 280, and in 2014, we launched 516. In 2015, we launched 722 new services, up nearly 40% year-over-year. Customers benefit from this continual evolution, innovation and iteration, because they get the newest/latest features or enhancements instantly. No need to upgrade, deploy, or to migrate.
The fifth reason is that AWS enables customers to deploy globally in minutes. AWS has the concept of a Region, which is a physical location around the world where we cluster datacenters. We call each group of logical datacenters an Availability Zone. Using AWS, customers can leverage 33 Availability Zones across 12 geographic regions worldwide. And, we don’t plan to stop there.
Add-on Compatibility: We are running the servers that Microsoft built for on-premises on the AWS Infrastructure-as-a-Service platform. All add-ons and customizations should run. If you have records management, expense report, workflow, HR, data classification add-ons or others, they should all work.
Enabled for compliance: We provide NIST, PCI, and HIPAA sandboxes (through Accelerators) that are locked down and documented against the required regulatory controls.
License management: With AWS Config, we can track and prove that licenses that need to be server-bound are in fact used exclusively on Dedicated Hosts. We have a feature called Dedicated Hosts for this requirement. AWS Config lets us monitor and report that software never roams beyond the assigned hosts.
Auditability built in: AWS CloudTrail records every API call. VPC Flow Logs record every network flow in and out (source, destination, ports, bytes, and whether it was accepted or rejected; they do not capture packet contents). AWS Config records every change in infrastructure. Amazon Inspector lets you analyze the behavior of AWS resources, including instances, network, file system, and process activity, and identify potential security issues.
DevOps built in. My favorite feature. CFN consistently, predictably, reliably builds infrastructure such as networks, instances, gateways, firewalls, etc., and PowerShell lets you build the Microsoft servers. PowerShell is embedded into CFN so that they run together.
Optimization – Great example. I’m using regular SSDs in the demo that I’ll show you. If I want to, I can use Provisioned IOPS which guarantee a level of performance above and beyond standard SSDs. If I decide I want more IOPS for Exchange, I can turn on this feature. Same for # of processors, speed of processors, amount of RAM, etc., etc. You have nearly infinite dials, levers, and knobs to optimize the user experience. BTW, the Microsoft tools like SCOM all apply.
The Accelerator that I’m about to show you is based on lessons learned in moving Amazon users to the Microsoft workloads.
Our drivers were similar to the ones on my Benefits slide: Cost optimization, Performance, Elasticity (we have a seasonal workforce), and improving the experience of Amazon users
Elasticity was crucial for us. If we add thousands of workers in Q4, we don’t want to be stuck all year with the costs of supporting the high water mark. By the way, Microsoft makes our job easier with what they call their “brick architecture”. More on this to come. You can think of the Microsoft servers and AWS as chocolate and peanut butter.
Rob Francis, Senior Manager, Corporate Infrastructure, gave a talk about the Amazon deployment of Microsoft servers on AWS. Email me if you would like this presentation.
We’ll kick this off and come back to it later. I want everyone to see a stack being built and deployed in this session.
Someone remind me if I don’t come back to show you this SharePoint fully up & running in today’s session.
Add n pods for n-scale. I'm going to show you 10K users today. If you would like to see 100K users at re:Invent, please include this feedback in your eval forms. Customer feedback drives the limited number of sessions that we get at re:Invent.
Just flash this slide. Customers already saw it live in the Console.
Would anyone like to see a demo?
Microsoft Servers Demo
Context: What is running
Background: We have a pod supporting 10K users with access to Exchange, SharePoint, SQL Server, Lync and Active Directory
Show AWS Console: the servers are running in us-west-2 (Portland), while I and the clients are in Washington, DC, a distance of over 2,000 miles.
AWS console: Describe the 14 servers that support these workloads for this user count
Let’s look at the user count
RDP into DC1
Load PowerShell: Import-Module ActiveDirectory
Get-Module to show that the AD module is loaded
Show all users: PowerShell: Get-ADUser -Filter *
Show user count: (Get-ADUser -Filter *).Count
Show ISE with all AD Commands on the right frame
Ping exch2
Ping fe2
Ping spwfe2
Point out that the ‘2’ servers are in different AZs
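The user-count, ping and "different AZs" steps above are done by hand in the demo. As an added example (written for this page, not part of the deck), here they are as one script run on DC1 that also checks the placement claim programmatically rather than by eye: it counts the AD users, probes the second-tier servers named in the demo, and looks each one up in EC2 to confirm its partner sits in another Availability Zone. The server names exch2/fe2/spwfe2 come from the deck; that every instance carries a Name tag equal to its hostname, and that the partner of an "n2" server is "n1", are assumptions.

```powershell
# Added example (not from the original deck): verify the demo pod from DC1.
# Assumptions: RSAT ActiveDirectory module present on DC1, AWS Tools for
# PowerShell installed, and a role/profile allowed ec2:DescribeInstances.
# Instances are assumed to carry a "Name" tag equal to their hostname.
Import-Module ActiveDirectory
Import-Module AWSPowerShell

$Region  = 'us-west-2'                 # the deck's demo region
$Servers = 'exch2', 'fe2', 'spwfe2'    # second-tier servers named in the demo

# 1. User count: the same figure the deck shows with (Get-ADUser -Filter *).Count
$userCount = (Get-ADUser -Filter * | Measure-Object).Count
"AD user objects: $userCount"

# 2. Reachability of each second-tier server, one ICMP probe apiece
foreach ($s in $Servers) {
    $up = Test-Connection -ComputerName $s -Count 1 -Quiet
    "{0,-8} reachable: {1}" -f $s, $up
}

# 3. Placement: look a server up by its Name tag and return its Availability Zone.
function Get-ServerAz {
    param([Parameter(Mandatory)][string]$Name)
    $r = Get-EC2Instance -Region $Region -Filter @{ Name = 'tag:Name'; Values = $Name }
    if (-not $r) { return 'not found' }
    $r.Instances[0].Placement.AvailabilityZone
}

$azReport = foreach ($s in $Servers) {
    $peer = $s -replace '2$', '1'       # assumed pairing: exch2 <-> exch1
    [pscustomobject]@{
        Server = $s;    Az     = Get-ServerAz $s
        Peer   = $peer; PeerAz = Get-ServerAz $peer
    }
}
$azReport | Format-Table -AutoSize

# Any pair sharing an AZ has no zone-level redundancy: flag it instead of
# trusting the naming convention.
$azReport | Where-Object { $_.Az -eq $_.PeerAz } | ForEach-Object {
    Write-Warning "$($_.Server) and $($_.Peer) are both in $($_.Az)"
}
```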
DevOps/Automation – Fill in the MS Servers template but don’t run it. Point to what is already up & running.
CloudFormation: Show the 6 stacks, events, and parameters that have built this configuration. Explain the layering
AD is base. SQL and Exchange sit on AD. SharePoint sits on SQL. Lync sits on Exchange
Dependencies are important hence the layering
Use the AD stack, and show event creation of the VPC, Security Groups, Attaching VGW, etc.
End User Demo – Use the video for this part of the demo. Video is easier since it shows screens from two laptops at IAD21. You probably only have 1 laptop.
Olive Workman emails Pat Perry. Subj: Discuss Electric Vehicle Trends
Pat replies: Many companies doing interesting stuff.
Olive sees Pat is online. Olive IMs Pat. You able to chat? Pat IMs: Sure thing
Olive IMs: Did you see the analyst report from earlier this month?
Olive IMs the link to the SharePoint Blog to look at the latest post on GM
Pat IMs: You OK to video chat? Olive invites Pat to Video Chat (Provides tour of UI first)
Pat Accepts Video Invite. Wave hands and show smooth video.
Turn off laptop mics to avoid feedback
This shows all of the business productivity servers running in an integrated fashion as you would expect
Clients (IAD21, Washington, DC area) are 2,000 miles away from the servers (us-west-2)
Server Consoles
Show SharePoint Central,
Manage Web Applications, SharePoint:80, Application Management, View Site Collections, Back, Create Site Collection
Exchange Admin Center,
Click Mailboxes, User Mailboxes, +, Browse, double-click on a name
Lync Control Panel,
Home, Enable Users for Lync Server, Add, Find, Enable a user
AD User and Computers
Show what’s been configured in terms of Site Collections, mailboxes/policies, Lync conferencing, voice, etc., and AD user properties
Performance and latency
RDP to the RDGW
We are going to download a 1GB file
Just to be clear, I’m not talking about a 1MB or 10MB email attachment
Let's download the 1 GB Lync ISO from one of the servers to see how fast it is: about 5 s. The Exchange ISO (4 GB) takes about 20 s.
From the RDGW, download the ISO and calculate the throughput to the Instance.
Flash this slide because you showed them this template in the Console.
What do we have on AWS Platform
Microsoft and Amazon have jointly developed a set of Amazon Machine Images (AMIs).
They are well documented, optimized, and configured based on best practices.
They are available in all regions that AWS supports, to provide a consistent global experience.
AWS provides updated, fully patched Windows AMIs within 5 business days of Microsoft's Patch Tuesday (second Tuesday of each month).
When publishing new Windows AMIs, AWS follows a consistent naming scheme: for example, the server edition and a date stamp tagged onto the end of the name.
Look for the date stamp in the AMI name. You find the date stamp (last 8 digits) at the end of the AMI name.
Large collection of operating systems, with language support.
Large collection of databases, including SQL Express and Standard editions.
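Because a refreshed image lands within days of each Patch Tuesday, "which AMI did we launch from" is a patch-hygiene question. As an added example (mine, not the deck's), the following picks the newest Amazon-owned image in a Windows Server family and reads the date stamp the notes describe. The `Windows_Server-2012-R2_RTM-English-64Bit-Base-*` name pattern is the one the AWS-published 2012 R2 images use; the 45-day staleness threshold is an assumption chosen to catch a missed monthly refresh.

```powershell
# Added example (not from the original deck): select the latest license-included
# Windows AMI and decode the build date from its name.
# Assumptions: AWS Tools for PowerShell installed and credentialed; the name
# pattern matches the Amazon-owned Windows Server 2012 R2 base images.
Import-Module AWSPowerShell

function Get-LatestWindowsAmi {
    param(
        [string]$Region      = 'us-west-2',
        [string]$NamePattern = 'Windows_Server-2012-R2_RTM-English-64Bit-Base-*'
    )
    # Owner must be 'amazon': a public AMI with a look-alike name from another
    # account is not the patched baseline the deck is talking about.
    $images = Get-EC2Image -Region $Region -Owner amazon -Filter @(
        @{ Name = 'name';  Values = $NamePattern },
        @{ Name = 'state'; Values = 'available' }
    )
    $images | Sort-Object -Property CreationDate -Descending | Select-Object -First 1
}

function Get-AmiDateStamp {
    # The trailing yyyy.mm.dd (the "last 8 digits") is the image build date.
    param([Parameter(Mandatory)][string]$AmiName)
    if ($AmiName -match '(\d{4})\.(\d{2})\.(\d{2})$') {
        return Get-Date -Year $Matches[1] -Month $Matches[2] -Day $Matches[3]
    }
    throw "No date stamp at the end of AMI name: $AmiName"
}

$ami   = Get-LatestWindowsAmi
$built = Get-AmiDateStamp -AmiName $ami.Name
"{0}  {1}  built {2:yyyy-MM-dd}" -f $ami.ImageId, $ami.Name, $built

# Assumed threshold: AWS refreshes within ~5 business days of Patch Tuesday, so a
# newest-match older than 45 days means the filter is missing the current image.
$age = (Get-Date) - $built
if ($age -gt [timespan]::FromDays(45)) {
    Write-Warning "Newest matching AMI is $($age.Days) days old; re-check the name filter."
}
```

Launch from `$ami.ImageId` rather than a hard-coded AMI ID so each new stack inherits the current month's patches; pinning an ID quietly freezes the baseline at whatever Patch Tuesday it was built from.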
This is what we built and proposed to BAE.
Virtual Private Cloud is what you saw on the earlier slide that laid out two public and two private subnets. Note that the application is only aware of subnets and that the VPC maps subnets to Availability Zones.
Security groups are stateful firewalls enforced at the instance level (return traffic for an allowed connection is permitted automatically).
Network ACLs are stateless firewalls enforced at the subnet level (both directions of a connection must be allowed explicitly).
VPC flow logging is the logging and auditing of all ingress/egress traffic, accepted and rejected.
Remote administration is the notion of a bastion host (here, the Remote Desktop Gateway) in the public or management subnet; application servers in the private subnets accept management traffic only from it.
The principle of least privilege is the notion of enabling the minimum security settings (ports, sources, and permissions) that allow the application to work correctly, without any additional capabilities.
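Slide 19 lists the controls and the notes above define them; as an added example (written for this page, not taken from the deck or the Quick Start templates), here is the same set applied with AWS Tools for PowerShell: a gateway security group that admits only the corporate range, an application-server group that admits management traffic only by reference to the gateway group, and VPC flow logs for accepted and rejected traffic. The VPC ID, the admin CIDR, the log group and the IAM role ARN are placeholders.

```powershell
# Added example (not from the original deck): least-privilege security groups for
# the RD Gateway and the application servers, plus VPC flow logs.
# Assumptions: AWS Tools for PowerShell installed and credentialed; all IDs,
# the admin CIDR and the flow-log delivery role below are placeholders.
Import-Module AWSPowerShell

$Region      = 'us-west-2'
$VpcId       = 'vpc-0123456789abcdef0'                                 # assumed
$AdminCidr   = '203.0.113.0/24'                                         # assumed corporate egress range
$LogGroup    = 'vpc-flow-logs'                                          # assumed CloudWatch Logs group
$FlowLogRole = 'arn:aws:iam::123456789012:role/flow-logs-delivery'     # assumed

function New-IngressRule {
    # Build one Amazon.EC2.Model.IpPermission: a single port, from either a CIDR
    # or a source security group (never both in the same rule).
    param([string]$Protocol, [int]$Port, [string]$Cidr, [string]$SourceGroupId)
    $p = New-Object Amazon.EC2.Model.IpPermission
    $p.IpProtocol = $Protocol
    $p.FromPort   = $Port
    $p.ToPort     = $Port
    if ($Cidr) { $p.IpRanges.Add($Cidr) }
    if ($SourceGroupId) {
        $pair = New-Object Amazon.EC2.Model.UserIdGroupPair
        $pair.GroupId = $SourceGroupId
        $p.UserIdGroupPairs.Add($pair)
    }
    return $p
}

# 1. Remote-administration group for the RD Gateway in the DMZ subnet:
#    inbound only from the admin range, only on the ports the gateway serves.
$rdgwSg = New-EC2SecurityGroup -Region $Region -VpcId $VpcId -GroupName 'rdgw-sg' `
            -Description 'RD Gateway: admin access from corporate range only'
Grant-EC2SecurityGroupIngress -Region $Region -GroupId $rdgwSg -IpPermission @(
    (New-IngressRule -Protocol tcp -Port 443  -Cidr $AdminCidr),   # RDG over HTTPS
    (New-IngressRule -Protocol tcp -Port 3389 -Cidr $AdminCidr)    # RDP to the gateway itself
)

# 2. Application-server group in the private subnets: RDP and WinRM reachable
#    only from the gateway group. Referencing the SG (not a CIDR) means no
#    address range ever opens these ports, even if subnets are renumbered.
$appSg = New-EC2SecurityGroup -Region $Region -VpcId $VpcId -GroupName 'app-sg' `
           -Description 'Exchange/SharePoint/Lync/SQL: management only via RDGW'
Grant-EC2SecurityGroupIngress -Region $Region -GroupId $appSg -IpPermission @(
    (New-IngressRule -Protocol tcp -Port 3389 -SourceGroupId $rdgwSg),
    (New-IngressRule -Protocol tcp -Port 5986 -SourceGroupId $rdgwSg)   # WinRM over HTTPS
)

# 3. Flow logs for the whole VPC. TrafficType ALL records REJECT as well as
#    ACCEPT, so scans that the security groups drop are still visible.
New-EC2FlowLog -Region $Region -ResourceId $VpcId -ResourceType VPC -TrafficType ALL `
    -LogGroupName $LogGroup -DeliverLogsPermissionArn $FlowLogRole

# For contrast, the weak rule this design is meant to forbid: RDP on every
# application server open to the Internet. Left commented out deliberately.
# Grant-EC2SecurityGroupIngress -GroupId $appSg `
#     -IpPermission (New-IngressRule -Protocol tcp -Port 3389 -Cidr '0.0.0.0/0')
```

Network ACLs are not created here because they are stateless and a separate layer; the usual pattern is to keep them coarse (deny known-bad ranges, block 3389 into the private subnets from anything but the DMZ subnet) and let the security groups carry the fine-grained rules.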
This slide represents the QuickStart for an HA deployment of SharePoint 2016
Let’s come back to the SharePoint instance that I kicked off.
Get the password, browse into the EIP, and login to show a team site.
WSFC clusters and AlwaysOn Availability Groups underpin many enterprise-class solutions, including Microsoft SharePoint and .NET applications.
Again, we provide reference models for this.
HA across multiple AZs: a synchronous-commit replica over a 1-2 ms inter-AZ link.
I would cover this slide quickly because there are other sessions on SQL Server, including Joe Spiezio's Hybrid IT session tomorrow. They will demo this solution live.
A 5,000-mile radius between users and servers supports ALL workloads, including Lync. Lync is the most latency sensitive; other workloads can be supported at much greater than 5,000 miles. Lync is only sensitive for video operations; IM and the rest work over greater distances.
This Accelerator will set up the VPC for an application and turn on the right features such as AWS Config for continuous monitoring.
Accelerator gives you the ability to build an application on AWS in which we have hardened and documented the infrastructure to be compliance-ready.