AWS Summit Auckland - Running your Enterprise Windows Workload on AWS

Post on 12-Apr-2017

266 views

Category:

Technology


0 download

TRANSCRIPT

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Andrew Mitchell, Principal Enterprise Solutions Architect, Amazon Web Services

Martin Wildash, Lead Product Architect, Xero

Running your Enterprise Windows

Workloads on AWS

Technical 201

Session Depth: Business 101 / Technical 201 / Technical 301 / Technical 401 (this session is Technical 201)

What Will We Cover Today?

• Providing secure, remote administrative access to your AWS Windows resources

• Extending your corporate data network into AWS

• Active Directory services

• Microsoft SQL Server on AWS

• Management Tools for Windows

• Customer Success Story – Martin Wildash. www.xero.com

Why Run Windows Workloads on AWS?

• Experience: building and managing cloud since 2006
• Scale: 12 regions, 33 availability zones, 54 edge locations
• Ecosystem: thousands of partners; 2,500+ Marketplace products
• Performance: extensive VM and network performance options
• Security & Reliability: security in layers approach and 99.95% application SLA

Licensing Options

Flexibility helps you optimise costs

Bring your own licenses (BYOL)
• Save money on software licensing
• You manage licensing costs and compliance with your ISV
• No need for Software Assurance

Leverage License Mobility
• AWS manages Windows Server licensing
• You manage licensing costs and compliance with your ISV
• Uses Software Assurance

Buy licenses from AWS
• AWS manages licensing
• Pay as you go pricing
• Multi-tenant or Dedicated
• No need for Software Assurance
• Unlimited CALs

Amazon EC2 Dedicated Hosts

• A Dedicated Host is a physical server with EC2 instance capacity dedicated for your use
• Bring your own license (BYOL) platform
• Supports BYOL for Windows Server, Windows SQL Server, and applications running on top of Windows Server (e.g., Exchange Server)

How would you build a Microsoft Enterprise IT Platform on AWS?

Let's Start Here…

Isolated VPC in the Cloud

[Diagram: the Corporate Data Center and Remote Users / Admins reach the AWS Cloud over the Internet; the VPC spans two Availability Zones, each with a Public Subnet and a Private Subnet.]

Secure Administration via Remote Desktop

[Diagram: the AWS Administrator in the Corporate Data Center connects over TCP 443 to the RD Gateway (RDGW) in the Public Subnet; the web servers WEB1 and WEB2 sit in the Private Subnet of the same Availability Zone.]

Requires one connection:
• Connect to the RD Gateway, and the gateway proxies the RDP connection to the back-end instance.

Gateway Security Group: accept TCP port 443 from the Admin IP

Web Security Group: accept TCP port 3389 from the Gateway SG
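The two security-group rule sets above, as an added example that is not part of the deck: the rules are written in the IpPermissions shape that boto3's authorize_security_group_ingress accepts, and a lint function checks a rule set for drift, so that TCP 3389 is reachable only from the gateway security group and TCP 443 only from the admin IP. The admin CIDR, the group id and the drifted rule set are constructed placeholders.

```python
# Added example (not from the AWS deck): encode the RD Gateway security-group
# pattern and lint a rule set for drift away from it. Rules use the IpPermissions
# shape that boto3's authorize_security_group_ingress accepts.
ADMIN_CIDR = "203.0.113.10/32"  # constructed: the administrator's public IP
GATEWAY_SG_ID = "sg-0gatewayplaceholder"  # constructed placeholder group id


def gateway_sg_rules(admin_cidr=ADMIN_CIDR):
    """Gateway Security Group: accept TCP 443 only from the admin IP."""
    return [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": admin_cidr}]}]


def web_sg_rules(gateway_sg_id=GATEWAY_SG_ID):
    """Web Security Group: accept TCP 3389 only from the gateway SG."""
    return [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "UserIdGroupPairs": [{"GroupId": gateway_sg_id}]}]


def _covers(rule, port):
    """True if an ingress rule admits TCP traffic on `port` ("-1" means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]


def lint_port_exposure(rules, port, allowed_cidrs=(), allowed_groups=()):
    """One finding per source that can reach `port` but is not on the allow list."""
    findings = []
    for rule in rules:
        if not _covers(rule, port):
            continue
        for r in rule.get("IpRanges", []):
            if r["CidrIp"] not in allowed_cidrs:
                findings.append(f"tcp/{port} open to CIDR {r['CidrIp']}")
        for r in rule.get("Ipv6Ranges", []):  # the pattern has no IPv6 admin source
            findings.append(f"tcp/{port} open to IPv6 CIDR {r['CidrIpv6']}")
        for g in rule.get("UserIdGroupPairs", []):
            if g["GroupId"] not in allowed_groups:
                findings.append(f"tcp/{port} open to group {g['GroupId']}")
    return findings


# Constructed drifted state: someone added 3389-from-anywhere to the web group.
DRIFTED_WEB_RULES = web_sg_rules() + [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

if __name__ == "__main__":
    print(lint_port_exposure(gateway_sg_rules(), 443, allowed_cidrs={ADMIN_CIDR}))  # []
    print(lint_port_exposure(DRIFTED_WEB_RULES, 3389, allowed_groups={GATEWAY_SG_ID}))
```

Run the same lint over the output of a describe_security_groups call to catch a 3389 rule that bypasses the gateway.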

Isolated VPC in the Cloud with RDGW

[Diagram: Remote Users / Admins connect to an RDGW in the Public Subnet of each Availability Zone; a Domain Controller (DC) sits in each Private Subnet.]

Use Route 53, Health Check & DNS Failover

[Diagram: Amazon Route 53 in front of the RDGW in the Public Subnet of each Availability Zone, with a Domain Controller (DC) in each Private Subnet.]

Isolated VPC in the Cloud with NAT

Use NAT instances to provide access to remote Internet services.*

* You can use the Windows Routing & Remote Access (RRAS) NAT Service.

[Diagram: a NAT instance next to the RDGW in the Public Subnet of each Availability Zone and a Domain Controller (DC) in each Private Subnet; outbound traffic flows through the NAT instances to Remote Systems on the Internet.]

Isolated VPC in the Cloud with VPC NAT Gateway

Use the AWS Managed NAT Gateway to reduce administrative overhead and optimise costs.

[Diagram: the NAT instances are replaced by a VPC NAT gateway in each Public Subnet.]

Remote Desktop Gateway Reference Architecture

Detailed instructions are available in the “Deploy Remote Desktop Gateway on the AWS Cloud” white paper.

Available from: http://aws.amazon.com/windows/resources/whitepapers/rdgateway/

Extending your Corporate Network to AWS

Extending your Corporate Data Network to AWS

1. VPN Tunnel
• IPsec VPN Tunnel connects over the public Internet but has variable performance
• Supports Static and BGP Routing
• Supports varying multi-Mbps speeds

2. Direct Connect Link
• AWS Direct Connect (DX) service allows for dedicated telco links from your location
• Telco provides SLAs and predictable performance
• AWS provides multiple 1 Gbps & 10 Gbps links
• BGP for dynamic routing + AWS API endpoints

[Diagram: the Corporate Data Center connected to the AWS Cloud by (1) a VPN tunnel over the Internet and (2) a Direct Connect link via a Telco.]

Your Hybrid Cloud

[Diagram: two Availability Zones, each with a Public Subnet (NAT, RDGW) and a Private Subnet (Domain Controller, MS SQL DB / SQL Server, App Server, IIS Server); Remote Users reach the RDGW; the corporate data network connects to a virtual private gateway through a VPN connection and AWS Direct Connect.]

Microsoft Active Directory on AWS

Microsoft Active Directory

Create a new AD or Extend Existing?
• Lots of customers create a new “fresh” AD in AWS on EC2
• Extend trusts to existing AD for a Single Sign On (SSO) experience

If you run your own AD servers
• Treat each Availability Zone as an AD Site…
• Read Only Domain Controllers still need network connectivity

Your own AD on EC2

[Diagram: the hybrid architecture (NAT and RDGW in each Public Subnet; SQL Server, App Server and IIS Server in each Private Subnet; VPN connection and AWS Direct Connect to the corporate data network) with a Domain Controller (DC) you run on EC2 in the Private Subnet of each Availability Zone.]

AWS can simplify this for you…

Replaced with AWS DS

[Diagram: the same hybrid architecture with the self-managed Domain Controllers in each Private Subnet replaced by AWS Directory Service.]

Use AWS Directory Service

A Microsoft Windows compatible directory service as a managed AWS service. Usage options are:

1. Use the AWS AD Connector to simplify connecting to your existing on-premises Microsoft Active Directory
2. AWS Simple AD allows you to set up and operate a new Samba-based directory in the AWS Cloud
3. AWS Directory Service for Microsoft Active Directory (Enterprise Edition) provides a feature-rich managed Microsoft Active Directory hosted on the AWS Cloud.

AWS DS is easy to manage: use the standard Windows AD admin tools.

Which option should you choose?

• AD Connector: the best option if you want to use your existing on-premises AD with AWS services without extending your domain to the cloud

• Simple AD: in most cases, Simple AD is the least expensive option and your best choice if you have 5,000 or fewer users and don’t need the more advanced Microsoft Active Directory features.

• Directory Service for Microsoft Active Directory (Enterprise Edition): this is your best choice if you have more than 5,000 users and need a trust relationship set up between an AWS hosted directory and your on-premises directories.

Domain Joining to AWS Directory Service

From the AWS Console GUI
• Launch Instance Wizard

[Screenshots: Instance Boot Status; Instance Domain Join Status to AWS Directory Service; Computer Name; Domain Details. AWS Directory Service (Console): DNS IPs for your Domain Controllers in each AZ; Enabled Services.]

Microsoft SQL Server on AWS

SQL Server on AWS

• Wide array of choices

• Fully managed services

• Enterprise-grade security

• 99.95% availability

• Flexible and scalable

SQL Server on Amazon EC2

[Diagram: Primary DB in a Private Subnet in Availability Zone 1.]

• Deploy in minutes. Simple provisioning via AWS-provided AMI
• Wide range of versions and performance options

SQL Server High Availability

[Diagram: Primary DB in the Private Subnet of Availability Zone 1 and Secondary Replica 1 in the Private Subnet of Availability Zone 2, behind an AG Listener (ag.awslabs.net) with Automatic Failover.]

• QuickStart reference architecture and CloudFormation provided.
• Scale up to 8 instances
• 99.95% availability

Or…

Amazon RDS for SQL Server

• Deploy in minutes
• Automated backups
• Push button scaling
• Automatic host replacement and multi-AZ deployments for high availability

Choosing the right solution

Amazon RDS for SQL Server
• Consider RDS first
• Focus on:
  • Business value tasks
  • High-level tuning tasks
  • Schema optimization
• No in-house database expertise

SQL Server on Amazon EC2
• Need full control over:
  • DB instance
  • Backups
  • Replication
  • Clustering
• Use options not in Amazon RDS

Migrating data to and from Amazon RDS

1. Microsoft SQL Server Database Publishing Wizard: export to T-SQL files, load using sqlcmd
2. AWS Database Migration Service (NEW LAUNCH!): minimize downtime during migrations, migrate between different DB platforms, Schema Conversion Tool
3. AWS Marketplace: third-party data import and export tools and solutions

Management tools for Windows

AWS Simple Systems Manager (SSM)

Simple Systems Manager (SSM) facilitates the automatic configuration of Amazon Elastic Compute Cloud (EC2) instances running Windows Server OS.

SSM is implemented through the EC2Config Windows service already included in Windows Server AMIs.

The EC2Config service polls SSM every 5 minutes for configuration documents (in JSON format) containing system configurations, or you can force a run from the CLI.

SSM currently supports configuration documents that allow for:
• Automated Domain Join
• MSI Package Installation/Repair/Uninstallation
• PowerShell Module Installation
• Delivery of Performance Monitor, Event Log, IIS Log, and custom log file data to CloudWatch and CloudWatch Logs

SSM Document Example

{
  "schemaVersion": "1.0",
  "description": "MSI Install Script",
  "runtimeConfig": {
    "aws:applications": {
      "properties": [
        {
          "action": "Install",
          "source": "https://S3region.amazonaws.com/mybucketname/MSIs/CustomApp-x64.msi"
        },
        {
          "action": "Install",
          "source": "http://location.s3.amazonaws.com/Firefox/Firefox-33.0.2/Firefox-33.0.2-en-US.msi",
          "parameters": "INSTALLLEVEL=1000 custompath=\"c:\\foldername\""
        }
      ]
    }
  }
}
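An added example, not part of the deck: a lint pass over an SSM 1.0 document of the shape shown, run before the document is published. It flags MSI sources that are not fetched over HTTPS (an installer pulled over plain HTTP can be tampered with in transit) and property names that are not all-uppercase, since Windows Installer only accepts public, all-uppercase properties from the command line. The sample document is constructed after the deck's example; the lint functions and their finding texts are this example's own.

```python
# Added example (not from the AWS deck): lint an SSM 1.0 configuration document of
# the kind EC2Config fetches, before it is published. It flags MSI sources not
# fetched over HTTPS and property names that are not all-uppercase (Windows
# Installer accepts only public, all-uppercase properties from the command line).
import re
from urllib.parse import urlparse

SAMPLE_DOC = {  # constructed after the deck's example document
    "schemaVersion": "1.0",
    "description": "MSI Install Script",
    "runtimeConfig": {"aws:applications": {"properties": [
        {"action": "Install",
         "source": "https://S3region.amazonaws.com/mybucketname/MSIs/CustomApp-x64.msi"},
        {"action": "Install",
         "source": "http://location.s3.amazonaws.com/Firefox/Firefox-33.0.2/Firefox-33.0.2-en-US.msi",
         "parameters": 'INSTALLLEVEL=1000 custompath="c:\\foldername"'},
    ]}},
}

# NAME=value pairs; a value may be double-quoted and may contain backslash escapes.
_PARAM_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_msi_parameters(params):
    """Split an msiexec-style property string into a {NAME: value} dict."""
    out = {}
    for name, value in _PARAM_RE.findall(params):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        out[name] = value
    return out

def lint_ssm_document(doc):
    """Return findings for the aws:applications entries of an SSM 1.0 document."""
    findings = []
    entries = doc.get("runtimeConfig", {}).get("aws:applications", {}).get("properties", [])
    for i, entry in enumerate(entries):
        where = f"properties[{i}]"
        if entry.get("action") not in ("Install", "Repair", "Uninstall"):
            findings.append(f"{where}: unsupported action {entry.get('action')!r}")
        scheme = urlparse(entry.get("source", "")).scheme.lower()
        if scheme != "https":
            findings.append(f"{where}: source scheme {scheme!r} is not https, MSI is fetched without TLS")
        for name in parse_msi_parameters(entry.get("parameters", "")):
            if not name.isupper():
                findings.append(f"{where}: property {name!r} is not uppercase, so it is not public and cannot be set from the command line")
    return findings

if __name__ == "__main__":
    for finding in lint_ssm_document(SAMPLE_DOC):
        print(finding)
```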

Beautiful accounting software

Martin Wildash – Lead Product Architect

Xero AWS Migration

Beautiful cloud-based accounting software. Connecting people with the right numbers anytime, anywhere, on any device.

[Chart: subscriber growth 2009 to 2016; 700,000+ subscribers globally]

First Steps

• Static Content

• Security + Network Infrastructure

• Tactical + Standalone Services

• Core Product

Invest Early in Network and Security

• Clean and scalable network design
  • CDN
  • Route 53
  • Direct Connect
  • Careful use of VPCs
• AWS has excellent security controls
  • Clean account design
  • Security Groups
  • Threat Protection Zone
  • WAF

Core Product Migration

Shards and Cells
• Shards
  • SQL Server database containing a group of subscriptions
• Cells
  • Group of Shards
  • All infrastructure supporting these shards

Transfer Methods
• SQL Server Publishing tool
• Logshipping (direct or via S3)
• Availability Groups
• Database Migration Tool (New)
• Custom Migration Tool + SQL Server Data Tools (SSDT)

[Diagram: migration phases: Setup, Phase 1 (New), Phase 2, Phase 3, Phase 4]

RDS vs EC2

• Fine grain support of availability and DR Configuration
• Ability to upgrade on our own schedule
• Excellent In-house SQL Server Team
• SQL Server 2014 Enterprise Specific Features
• EC2 = more work, but more control required for our current workloads…

Move from Physical SQL to EC2

• EC2 Instance Configuration
  • Dedicated mount points for data files with individual EBS Volumes
  • Target “middle-sized” R3 Server Class
• Phased Migration Plan
  • By Application
  • By Customer
• Load Testing and Query Blaster

Key Learnings

• SQL Server on EC2 can support very high volume workloads

• High availability for SQL Server works very well in AWS

• Rich options for data migration to AWS

• Infrastructure as Code

• Elastic infrastructure


www.xero.com

Further reading

Microsoft Workloads on AWS Whitepapers: https://aws.amazon.com/windows/resources/whitepapers/

AWS Quick Launches

Try Enterprise Microsoft products on AWS before you deploy them into production: https://aws.amazon.com/quickstart/quick-launch/

Summary

You can readily and securely run Enterprise Microsoft and many other mission-critical workloads on AWS.

AWS provides customers with the flexibility to run Microsoft workloads the way they want:
• Run them as you do now, but on EC2, OR
• Simplify management by replacing them with native AWS services: Directory Service, RDS for SQL Server, Managed NAT etc.

AWS Training & Certification

Intro Videos & Labs: free videos and labs to help you learn to work with 30+ AWS services – in minutes!

Training Classes: in-person and online courses to build technical skills – taught by accredited AWS instructors

Online Labs: practice working with AWS services in a live environment – learn how related services work together

AWS Certification: validate technical skills and expertise – identify qualified IT talent or show you are AWS cloud ready

Learn more: aws.amazon.com/training

Your Training Next Steps:
• Visit the AWS Training & Certification pod to discuss your training plan & AWS Summit training offer
• Register & attend AWS instructor led training
• Get Certified

AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag

Thank you!