Best Practices for Deploying Microsoft Workloads on AWS

Julien Lépine, Solutions Architect, AWS EMEA

June 16th, 2016


Identity Best Practices

Main Identity Topics

• Infrastructure Identity Management
  • AWS Identity and Access Management
• Server / Application Identity Management
  • AWS Directory Services (Samba or Active Directory)
• Federation
  • AWS Security Token Service

AWS Identity and Access Management (IAM)

• Role Based Access Control
• Multi-Factor Authentication
• Integrated with all AWS Services
• IAM Roles

Isolated domains

(Diagram, reconstructed from the slide's labels: the corporate network runs company.local on DC1 in Tel Aviv and DC2 in Jerusalem; Direct Connect links it to a VPC where company.cloud runs on DC3 in the private subnet of Availability Zone A and DC4 in the private subnet of Availability Zone B, backed by AWS Directory Services. Federation / synchronization links the two domains.)

Separate identities with synchronization / federation

Use partners such as Okta

Single domain extended to multiple sites

(Diagram, reconstructed from the slide's labels: one domain, company.local, spans the corporate network (DC1 in Tel Aviv, DC2 in Jerusalem) and, over Direct Connect, the VPC (DC3 in the private subnet of Availability Zone A, DC4 in the private subnet of Availability Zone B). Active Directory site-link costs of 50 and 10 annotate the links.)

One single identity, data center extension mode

(Rely on Active Directory Sites, Read-Only or not)

One sub domain per site

(Diagram, reconstructed from the slide's labels: company.local on the corporate network (DC1 in Tel Aviv, DC2 in Jerusalem), and a child domain cloud.company.local on DC3 in the private subnet of Availability Zone A and DC4 in the private subnet of Availability Zone B, reached over Direct Connect.)

Isolated subset of the directory, single identity for users

(Active Directory Domains in a Single Forest)

One forest per site and trust

(Diagram, reconstructed from the slide's labels: company.local on the corporate network (DC1 in Tel Aviv, DC2 in Jerusalem) and a separate forest, company.cloud, on DC3 in the private subnet of Availability Zone A and DC4 in the private subnet of Availability Zone B, provided by AWS Directory Services and reached over Direct Connect; a trust joins the two forests.)

Separate directories, single identity

(Cross-Forest / Resource Forest with trust)

User Identity Federation with Amazon IAM

(Diagram, reconstructed from the slide's labels: AD users in Active Directory authenticate to enterprise applications and corporate systems; federation maps them to IAM roles in Amazon Identity & Access Management, which grant access to Amazon EC2, Amazon DynamoDB and Amazon S3.)

Federated API and CLI access using ADFS

• ADFS http://tinyurl.com/AWS-ADFS-SAML

• CLI http://tinyurl.com/AWS-ADFS-CLI

• AWS Tools for Windows PowerShell
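The federated CLI flow referenced above ends with the client picking an IAM role out of the SAML response that AD FS returns and calling STS AssumeRoleWithSAML with it. The Python below is an added example, not the deck's code and not the code behind the linked tools: it parses the Role and RoleSessionName claims from a constructed AD FS response, selects a role by name, and shows the STS exchange. The claim names are the standard AWS SAML attribute names; the account number 123456789012, the role and provider names, and the session name jdoe@company.local are constructed, and the boto3 call is an assumption about the environment that needs network access.

```python
"""Added example (not from the deck): extracting the IAM role / SAML provider
pairs from an AD FS SAML response, as a federated CLI sign-in does before
calling STS AssumeRoleWithSAML.  The XML sample, account number and names
below are constructed; the claim names are the standard AWS ones."""
import base64
import xml.etree.ElementTree as ET

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def _attribute_values(root, name):
    """Yield every <saml:AttributeValue> text of the attribute called `name`."""
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            for value in attr.iterfind("saml:AttributeValue", NS):
                yield (value.text or "").strip()


def parse_role_pairs(saml_response_b64):
    """Return [(role_arn, provider_arn), ...] from the Role claim.

    Each value is 'arn:...:role/X,arn:...:saml-provider/Y'.  Claim rules
    sometimes emit the two ARNs in the other order, so classify each part
    by its ARN type instead of trusting its position."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for value in _attribute_values(root, ROLE_ATTR):
        parts = [p.strip() for p in value.split(",")]
        role = next((p for p in parts if ":role/" in p), None)
        provider = next((p for p in parts if ":saml-provider/" in p), None)
        if len(parts) != 2 or role is None or provider is None:
            raise ValueError(f"malformed Role claim value: {value!r}")
        pairs.append((role, provider))
    return pairs


def parse_session_name(saml_response_b64):
    """The RoleSessionName claim; it becomes the session name seen in CloudTrail."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return next(_attribute_values(root, SESSION_ATTR), None)


def select_role(pairs, role_name):
    """Pick the pair whose role ARN ends in /role_name (what a CLI prompt would do)."""
    for role, provider in pairs:
        if role.endswith("/" + role_name):
            return role, provider
    raise LookupError(f"role {role_name} is not offered by the assertion")


def assume_role_with_saml(saml_response_b64, role_arn, provider_arn, duration=3600):
    """Exchange the assertion for temporary credentials via STS (needs boto3 and network)."""
    import boto3  # assumption: boto3 is installed; this function is not exercised offline
    sts = boto3.client("sts")
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=provider_arn,
        SAMLAssertion=saml_response_b64, DurationSeconds=duration)
    return resp["Credentials"]


# Constructed sample: two roles, the second with its ARNs in reversed order.
SAMPLE_SAML_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-Admins,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>jdoe@company.local</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_B64 = base64.b64encode(SAMPLE_SAML_XML.encode()).decode()

if __name__ == "__main__":
    pairs = parse_role_pairs(SAMPLE_SAML_B64)
    print(parse_session_name(SAMPLE_SAML_B64), pairs)
    print(select_role(pairs, "ADFS-ReadOnly"))
```

STS, not the client, verifies the assertion's signature and the trust relationship between the role and the SAML provider; this parser only decides which (role, provider) pair to request, so it must pass the base64 response through unchanged and cannot be used to widen what the assertion actually grants.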

SQL Server

SQL Server High Availability

(Diagram, reconstructed from the slide's labels: an Availability Group with one replica per Availability Zone, each in a private subnet.)

• Availability Zone 1, private subnet: primary replica
• Availability Zone 2, private subnet: secondary replica
• Synchronous-commit on both replicas, automatic failover
• Addresses in Availability Zone 1: Primary 10.0.2.100, WSFC 10.0.2.101, AG Listener 10.0.2.102
• Addresses in Availability Zone 2: Primary 10.0.3.100, WSFC 10.0.3.101, AG Listener 10.0.3.102
• AG Listener: ag.awslabs.net

WSFC Quorum

(Two diagrams, reconstructed from the slide's labels.)

• Primary replica in Availability Zone 1, secondary replica in Availability Zone 2, automatic failover, with SoftNAS / SIOS
• Primary replica in Availability Zone 1, secondary replica in Availability Zone 2, automatic failover, with a witness server in Availability Zone 3

SQL Server HA with Readable Replica

(Diagram, reconstructed from the slide's labels.)

• Availability Zone 1, private subnet: primary replica
• Availability Zone 2, private subnet: secondary replica 1, synchronous-commit, automatic failover
• Secondary replica 2 (readable), asynchronous-commit, serving a reporting application
• AG Listener: ag.awslabs.net

SQL Server Disaster Recovery & Backup

(Diagram, reconstructed from the slide's labels.)

• Availability Zone 1, private subnet: primary replica
• Availability Zone 2, private subnet: secondary replica 1, automatic failover
• AG Listener: ag.awslabs.net
• Corporate network, connected over VPN: secondary replica 2 (readable), manual failover, serving a reporting application and backups

Amazon RDS for SQL Server

■ AD Integrated
■ Automated failover
■ Automated patching
■ Automated backup
■ Point-in-time recovery

Server Products

Core Infra, Exchange, SharePoint, All-in-one

(Reference architecture diagram, reconstructed from the slide's labels: VPC CIDR 10.0.0.0/16 with private subnets in two Availability Zones (subnet labels on the diagram: 10.0.0.0/19, 10.0.2.0/24, 10.0.32.0/20, 10.0.64.0/19, 10.0.96.0/20); a NAT instance and a Remote Desktop Gateway (RDG) in each zone; an on-premises data center connected over VPN / Direct Connect; remote users and admins enter through the RDG.)

Availability Zone 1, private subnet:
• DC1 Active Directory: 10.0.0.10
• DB1 SQL Server: 10.0.0.100, 10.0.0.101, 10.0.0.102
• SP1 SharePoint Server: 10.0.0.140
• Exch1 Exchange Server: 10.0.0.150
• FE1 Lync Server: 10.0.0.160

Availability Zone 2, private subnet:
• DC2 Active Directory: 10.0.64.10
• DB2 SQL Server: 10.0.64.100, 10.0.64.101, 10.0.64.102
• SP2 SharePoint Server: 10.0.64.140
• Exch2 Exchange Server: 10.0.64.150
• FE2 Lync Server: 10.0.64.160

Going beyond infrastructure

• SharePoint BLOB storage on S3
• Export mails to Amazon S3

AWS Marketplace

• On-Demand, License Included or BYOL SharePoint
• http://tinyurl.com/AWS-SPS-MP

Quick Starts

• http://tinyurl.com/AWS-MS-QS

Developers

AWS SDK and Tools for .NET Architecture

(Layered diagram, reconstructed from the slide's labels.)

• Execution platform: .NET 3.5, .NET 4.5, Phone, Store
• AWS SDK
  • Low-level service APIs: service clients
  • Higher-level utility APIs: Amazon S3 TransferUtility, Amazon DynamoDB object persistence, VM Import, Resource API
• AWS tools: AWS Tools for Windows PowerShell, AWS Toolkit for Visual Studio, ASP.NET session provider, trace listener
• AWS endpoints: REST API

AWS Toolkit for Visual Studio

Full Integration in Visual Studio

Blob storage in Amazon S3

    using System.IO;

    var bucketName = "<BucketName>";
    var fileName = "<FileName>";
    // Credentials and region come from the SDK's default configuration chain
    var s3Client = new Amazon.S3.AmazonS3Client();

    // Write Data to Amazon S3
    using (var fileStream = File.OpenRead(fileName)) {
        s3Client.PutObject(new Amazon.S3.Model.PutObjectRequest {
            BucketName = bucketName,
            Key = fileName,
            InputStream = fileStream
        });
    }

    // Read Data from Amazon S3 (the response wraps the object stream; dispose it when done)
    using (var s3Object = s3Client.GetObject(bucketName, fileName))
    using (var reader = new StreamReader(s3Object.ResponseStream)) {
        var content = reader.ReadToEnd();
    }

Loose Coupling Sets You Free

    var queueUrl = "https://sqs.<region>.amazonaws.com/<AcctNum>/<QueueName>";
    var sqsClient = new Amazon.SQS.AmazonSQSClient();

    // Send to Amazon SQS
    sqsClient.SendMessage(queueUrl, "My Message Data");

    // Process Amazon SQS
    var exit = false; // set from a shutdown signal to stop the worker loop
    while (!exit) {
        var messages = sqsClient.ReceiveMessage(queueUrl);
        foreach (var message in messages.Messages) {
            // Process message then delete; if processing throws, the message is not
            // deleted and becomes visible again after the queue's visibility timeout
            sqsClient.DeleteMessage(queueUrl, message.ReceiptHandle);
        }
    }

AWS Also Provides Extended Support

• AWS Elastic Beanstalk: deploy from within Visual Studio / automatic log rotation to Amazon S3
• AWS CodeCommit / CodePipeline / CodeDeploy: manage a large (on-premises and cloud-based) fleet
• .NET SDK and PowerShell cmdlets: integration in custom build pipelines in TFS or CruiseControl.NET
• AWS is the de-facto standard: Jenkins and Bamboo have native integration with AWS
• Other IDEs support AWS (Unity, Xamarin Studio, Eclipse…)

DevOps

Secure remote administration architecture

(Diagram, reconstructed from the slide's labels: within one Availability Zone, a public subnet holds the RD Gateway (RDGW) in the Gateway Security Group, which accepts TCP port 443 from the Admin IP only; a private subnet holds WEB1 and WEB2 in the Web Security Group, which accepts traffic from the Gateway SG only. The AWS administrator connects from the corporate data center over TCP 443.)

Requires one connection:

• Connect to the RD Gateway, and the gateway proxies the RDP or PowerShell connection to the back-end instance.
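The two security-group rules in the slide are the whole control, so they are worth checking mechanically rather than by eye. The Python below is an added example, not the deck's code: it audits a list of security groups in the shape returned by EC2 DescribeSecurityGroups against that pattern (gateway group: TCP 443 from the administrator's address only; every other group: RDP, WinRM and SSH only from the gateway group). The group IDs, the administrator address 203.0.113.10/32 and the sample rules are constructed.

```python
"""Added example (not from the deck): an offline audit of security groups
against the remote-administration pattern on the slide.  Input dicts use the
field names of the EC2 DescribeSecurityGroups response; all IDs, addresses and
rules below are constructed."""

ADMIN_CIDR = "203.0.113.10/32"   # assumption: the administrator's public address (documentation range)
GATEWAY_SG = "sg-0000gateway"    # constructed group IDs
WEB_SG = "sg-0000web"
ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM over HTTP and HTTPS


def _port_range(perm):
    """Ports covered by one IpPermission; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)


def _describe(perm):
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']}/{perm['FromPort']}-{perm['ToPort']}"


def audit_remote_admin(groups, gateway_sg_id, admin_cidr):
    """Return a list of (group_id, finding) tuples; an empty list means compliant."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        for perm in group.get("IpPermissions", []):
            ports = _port_range(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            peer_groups = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            if gid == gateway_sg_id:
                # Gateway tier: nothing but TCP 443, and only from the admin address.
                if perm.get("IpProtocol") != "tcp" or ports != range(443, 444):
                    findings.append((gid, f"gateway allows {_describe(perm)}; only tcp/443 expected"))
                for cidr in cidrs:
                    if cidr != admin_cidr:
                        findings.append((gid, f"gateway reachable from {cidr}, expected only {admin_cidr}"))
                if peer_groups:
                    findings.append((gid, f"gateway reachable from groups {', '.join(peer_groups)}"))
            elif not ADMIN_PORTS.isdisjoint(ports):
                # Back-end tier: RDP / WinRM / SSH must arrive through the gateway group only.
                for cidr in cidrs:
                    findings.append((gid, f"{_describe(perm)} open to {cidr} instead of the gateway group"))
                for peer in peer_groups:
                    if peer != gateway_sg_id:
                        findings.append((gid, f"{_describe(perm)} open to group {peer} instead of the gateway group"))
    return findings


# Constructed sample: the gateway is correct; the web group has one good rule
# (RDP only from the gateway) and one bad rule (WinRM from anywhere).
SAMPLE_GROUPS = [
    {"GroupId": GATEWAY_SG, "GroupName": "Gateway Security Group", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ADMIN_CIDR}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": WEB_SG, "GroupName": "Web Security Group", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": GATEWAY_SG}]},
        {"IpProtocol": "tcp", "FromPort": 5985, "ToPort": 5986,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
]


def compliant_groups():
    """The same layout with the offending WinRM rule removed, to show a clean run."""
    web = dict(SAMPLE_GROUPS[1], IpPermissions=SAMPLE_GROUPS[1]["IpPermissions"][:1])
    return [SAMPLE_GROUPS[0], web]


if __name__ == "__main__":
    for gid, finding in audit_remote_admin(SAMPLE_GROUPS, GATEWAY_SG, ADMIN_CIDR):
        print(gid, finding)
    print("compliant:", audit_remote_admin(compliant_groups(), GATEWAY_SG, ADMIN_CIDR) == [])
```

On a live account the same list comes from boto3's ec2.describe_security_groups()["SecurityGroups"]. The check deliberately says nothing about HTTP or HTTPS rules on the web tier, so its findings are limited to administrative exposure, which is what the slide's pattern is about.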

One step further: Go DevOps

• AWS Tools for Windows PowerShell

• Leverage AWS Simple Systems Manager

• Auto-Domain Join

• No machine access

• Full traceability

• Fine-grained control

• http://tinyurl.com/AWS-SSM-Home

Automated Log Management

(Pipeline diagram, reconstructed from the slide's labels; components shown: Amazon EC2, Amazon CloudWatch Logs, AWS Lambda, Amazon Kinesis, Amazon Elasticsearch Service, Amazon S3.)
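One concrete piece of that pipeline is the Lambda function that receives a CloudWatch Logs subscription and turns it into records for Kinesis or Elasticsearch. The Python below is an added example, not the deck's code: it decodes the real subscription envelope (base64 of a gzipped JSON document carrying messageType, logGroup, logStream and logEvents), flattens the events, and tallies Windows failed-logon events (Security event 4625) per source address. The arrangement EC2 → CloudWatch Logs → Lambda is the usual one for the components on the slide and is an assumption here; the log group name, stream name, account number and message text are constructed.

```python
"""Added example (not from the deck): decoding a CloudWatch Logs subscription
event inside a Lambda function and summarising Windows failed logons.  The
envelope format is the real one; the names, account number and log text are
constructed."""
import base64
import gzip
import json
import re
from collections import Counter
from datetime import datetime, timezone

FAILED_LOGON = re.compile(r"EventID=4625\b.*?Source Network Address: (\S+)")


def encode_subscription_event(payload):
    """Inverse of the Lambda input format; used here only to build a test event offline."""
    raw = json.dumps(payload).encode()
    return {"awslogs": {"data": base64.b64encode(gzip.compress(raw)).decode()}}


def decode_subscription_event(event):
    """Unpack one subscription event into flat records ready for Kinesis or Elasticsearch."""
    payload = json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))
    if payload.get("messageType") != "DATA_MESSAGE":
        return []  # CONTROL_MESSAGE is the delivery test sent when a subscription filter is created
    return [
        {
            "timestamp": datetime.fromtimestamp(ev["timestamp"] / 1000, tz=timezone.utc).isoformat(),
            "log_group": payload["logGroup"],
            "log_stream": payload["logStream"],   # the instance id when the agent names streams that way
            "message": ev["message"],
        }
        for ev in payload["logEvents"]
    ]


def failed_logons_by_source(records):
    """Count Windows Security event 4625 per source address across decoded records."""
    counts = Counter()
    for rec in records:
        m = FAILED_LOGON.search(rec["message"])
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def handler(event, context=None):
    """Lambda entry point: decode, summarise, and (in production) forward the records."""
    records = decode_subscription_event(event)
    summary = failed_logons_by_source(records)
    # Forwarding (e.g. a Kinesis put_records call) is left out so this runs offline.
    return {"records": len(records), "failed_logons_by_source": summary}


# Constructed sample: three Windows Security events from one instance's log stream.
SAMPLE_PAYLOAD = {
    "messageType": "DATA_MESSAGE",
    "owner": "123456789012",
    "logGroup": "windows-security",
    "logStream": "i-0constructed",
    "subscriptionFilters": ["to-lambda"],
    "logEvents": [
        {"id": "1", "timestamp": 1466035200000,
         "message": "EventID=4625 An account failed to log on. Account Name: jdoe Source Network Address: 10.0.32.15"},
        {"id": "2", "timestamp": 1466035201000,
         "message": "EventID=4625 An account failed to log on. Account Name: jdoe Source Network Address: 10.0.32.15"},
        {"id": "3", "timestamp": 1466035202000,
         "message": "EventID=4624 An account was successfully logged on. Account Name: jdoe Source Network Address: 10.0.32.15"},
    ],
}
SAMPLE_EVENT = encode_subscription_event(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

The CONTROL_MESSAGE branch matters in practice: CloudWatch Logs sends one when a subscription filter is created, and a handler that assumes every event carries logEvents fails on it. On Lambda the end of handler would hand the records to the next hop on the slide, a Kinesis stream or an Elasticsearch bulk request.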

Automation for every use case

• IaaS*: Amazon EC2, AWS CloudFormation
• PaaS*: AWS OpsWorks, AWS Elastic Beanstalk, AWS Lambda
• DevOps automation across the whole range

* Definition may vary

Licensing

License Mobility through Software Assurance

License Mobility is a Microsoft program that allows customers to move their existing licenses from on-premises to the cloud.

• Leverage their Enterprise Agreement
• Must have Software Assurance

Microsoft Workloads on AWS

Pay-as-you-go: AMI pricing provides access to software
• Windows Server
• SQL Server Standard
• SQL Server Web
• SQL Server Enterprise

Leverage Microsoft’s License Mobility Program (BYOL)
• SQL Server
• SharePoint Server
• Exchange
• Lync
• RDS
• Dynamics

Leverage Dedicated Hosts
• Windows Server
• SQL Server – no SA
• SharePoint – no SA
• Exchange – no SA
• Lync – no SA
• Dynamics – no SA

Licensing Continuum

License Included
• Amazon manages the licenses
• Pay-as-you-go pricing
• Multi-tenant or dedicated
• No license management overhead

Hybrid
• Baseline in BYOL
• Leverage scalability and pay-as-you-go where applicable
• Limit management overhead

BYOL
• Import and use your own software
• Reduce your spend if you already pay an ISV for licensing
• You manage licensing costs and compliance with your ISV
• Committed contracts with your ISVs

MSDN

Supportability on AWS

Microsoft workloads are supported on AWS. Amazon Web Services fully supports Microsoft Windows Server as both infrastructure and a platform. Our customers have successfully deployed in the AWS cloud virtually every Microsoft application available, including Microsoft Exchange, SharePoint, Lync, Dynamics, and Remote Desktop Services.

If you have support related issues you should contact AWS Support.

Every imaginable use case

• Collaboration
• Full/Partial Franchise Migration
• Web / Mobile / Media
• Mail
• ERP
• VDI
• BI

We are here to help

AWS Resources

• Solution Architects
• Professional Services
• Premium Support
• AWS Partner Network (APN)

AWS Training and Certification

Certification: aws.amazon.com/certification
Demonstrate your skills, knowledge, and expertise with the AWS platform

Self-Paced Labs: aws.amazon.com/training/self-paced-labs
Try products, gain new skills, and get hands-on practice working with AWS technologies

Training: aws.amazon.com/training
Skill up and gain confidence to design, develop, deploy and manage your applications on AWS