© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Zlatan Dzinic – Senior Architect
November 29, 2016
Simplifying Microsoft Architectures with AWS Services
WIN201
What to Expect from the Session
• Simplicity and Automation
• Microsoft Architectures on AWS and how to build them
• Identity and Access Management
• SQL Server
• Developers
• Administration
AWS service offerings for Windows workloads
[Slide grid: categories are developer platform and tools, corporate applications, line of business applications, end-user computing, information security, infrastructure, and DevOps. Services shown, grouped as on the slide:]
• Amazon EC2 for Windows, Amazon RDS, AWS CloudFormation, Amazon CloudFront
• EC2 for Windows, AWS Directory Service, RDS, AWS Marketplace
• Amazon WorkSpaces, Amazon AppStream, Marketplace, AWS Mobile Services, SaaS
• AWS Identity and Access Management (IAM), AWS CloudHSM, AWS Key Management Service (KMS), security groups, AWS Marketplace
• Infrastructure: EC2, Amazon S3, RDS, Amazon VPC, AWS Direct Connect, Directory Service, IAM, AWS Service Catalog
• DevOps: AWS Elastic Beanstalk, AWS CodeDeploy, CloudFormation
Architecture
Sample Microsoft Architecture
[Diagram: a VPC with two Availability Zones, each containing a public subnet (RD Gateway, VPC NAT Gateway) and a private subnet (IIS Web and IIS App tiers under Auto Scaling, AWS Directory Service, MS SQL in an Always On Availability Group); a VPC endpoint to Amazon S3; remote users enter through an Internet Gateway; the corporate office connects over VPN or AWS Direct Connect to a Virtual Private Gateway.]
Secure remote administration architecture
[Diagram: one Availability Zone; the public subnet holds the RD Gateway (RDGW) in a Gateway Security Group that accepts TCP port 443 only from the admin IP; the private subnet holds WEB1 and WEB2 in a Web Security Group that accepts traffic only from the Gateway Security Group; the AWS administrator in the corporate data center connects to the RDGW over TCP 443.]
Requires one connection:
• Connect to the RD Gateway, and the gateway proxies the RDP or PowerShell connection to the back-end instance.
Microsoft Enterprise Applications
Shared Service VPC
• Best suited for:
  • The majority of your infrastructure is (or will be) on AWS
  • The required on-premises resources are easy to replicate or proxy (e.g., Active Directory, System Center, central SQL farm)
  • You prefer to limit VPN traffic
  • Strong security or compliance programs require additional application-level controls and proxy servers between their AWS and on-premises resources (e.g., application-layer firewalls)
CloudFormation – Infrastructure as Code
Basic standard in AWS for automating deployment of resources
CloudFormation template
• JSON-formatted document that describes a configuration to be deployed in an AWS account
• When deployed, refers to a “stack” of resources
• Bootstrapping AWS CloudFormation Windows Stacks, http://tinyurl.com/aws-win-boot
How CloudFormation Works
AWS CloudFormation Designer
• Visualize template resources
• Modify template with drag-and-drop gestures
• Customize sample templates
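The RD Gateway security-group pattern from the secure remote administration slide, written as the kind of JSON CloudFormation template this section describes and deployed from the AWS Tools for Windows PowerShell; this is an added example, not code from the deck. The VPC ID and admin CIDR are placeholders, and the choice of RDP (3389) and WinRM over HTTPS (5986) for the web tier is an assumption, since the slide only says the web security group accepts traffic from the gateway security group.

```powershell
# Added example (not from the deck). Placeholders: the VPC ID and the admin CIDR.
# Ports 3389 (RDP) and 5986 (WinRM over HTTPS) on the web tier are an assumption;
# the slide only says the web security group accepts traffic from the gateway SG.
$template = @'
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "RD Gateway pattern: admins reach only the gateway; the web tier trusts only the gateway SG",
  "Parameters": {
    "VpcId":     { "Type": "AWS::EC2::VPC::Id" },
    "AdminCidr": { "Type": "String", "AllowedPattern": "^(\\d{1,3}\\.){3}\\d{1,3}/\\d{1,2}$" }
  },
  "Resources": {
    "GatewaySecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "RD Gateway: TCP 443 from the admin IP range only",
        "VpcId": { "Ref": "VpcId" },
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": { "Ref": "AdminCidr" } }
        ]
      }
    },
    "WebSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Web tier: RDP and WinRM only from the gateway security group",
        "VpcId": { "Ref": "VpcId" },
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
            "SourceSecurityGroupId": { "Ref": "GatewaySecurityGroup" } },
          { "IpProtocol": "tcp", "FromPort": 5986, "ToPort": 5986,
            "SourceSecurityGroupId": { "Ref": "GatewaySecurityGroup" } }
        ]
      }
    }
  }
}
'@

# Validate the template, create the stack, and block until CloudFormation reports success.
Test-CFNTemplate -TemplateBody $template | Out-Null
New-CFNStack -StackName "rdgw-admin-access" -TemplateBody $template -Parameter @(
    @{ ParameterKey = "VpcId";     ParameterValue = "vpc-PLACEHOLDER" },
    @{ ParameterKey = "AdminCidr"; ParameterValue = "203.0.113.10/32" }
)
Wait-CFNStack -StackName "rdgw-admin-access" -Status CREATE_COMPLETE
```

The web tier's ingress rules reference the gateway security group rather than any CIDR, so there is no administrative path into the back-end instances that bypasses the gateway, and the only Internet-facing rule is TCP 443 from the admin range.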
The Work* Services
• WorkDocs: secure enterprise document collaboration; central sync, document feedback; secure access from anywhere
• WorkSpaces: virtual desktops; secure access from anywhere; monthly pricing
• WorkSpaces Application Manager: virtual applications; centralized application deployment; monthly subscription options
• WorkMail: secure email and calendaring; strong security controls; existing desktop, mobile support
• Directory Service: managed directories; Simple AD, AD Connector, Microsoft AD
Run Windows Server 2016 on Amazon EC2
• Windows Server 2016 Datacenter with Desktop Experience
• Windows Server 2016 Nano Server
• Windows Server 2016 with Containers
  • docker run microsoft/sample-dotnet
• Windows Server 2016 with SQL Server 2016
Identity and Access Management
AWS Identity and Access Management (IAM)
• Role-based access control
• Multi-factor authentication
• Integrated with all AWS services
• IAM roles
Common Approaches
• Active Directory
  • AWS Directory Services
• Federation
  • Federation to AWS services
  • Federation to Microsoft workloads
  • Claims-based access control
  • SSO
  • ADFS 4.0, Ping Federate, Okta
• Kerberos
Single domain extended to multiple sites
[Diagram: one domain, company.local, spanning the corporate network (Munich DC1, Berlin DC2) and two AWS Availability Zones with a domain controller in a private subnet in each (DC3 in AZ A, DC4 in AZ B); Active Directory site-link costs of 10 and 50 are shown; connectivity over VPN or AWS Direct Connect.]
One single identity, data center extension mode (rely on Active Directory sites, read-only or not)
One subdomain per site
[Diagram: the corporate network (Munich DC1, Berlin DC2) holds company.local; a child domain, cloud.company.local, runs on DC3 (AZ A) and DC4 (AZ B) in private subnets; connectivity over VPN or AWS Direct Connect.]
Isolated subset of the directory, single identity for users (Active Directory domains in a single forest)
One forest per site and trust
[Diagram: the on-premises forest company.local (Munich DC1, Berlin DC2) and a separate forest, company.cloud, on AWS Directory Service with DC3 (AZ A) and DC4 (AZ B) in private subnets, linked by a trust; connectivity over VPN or AWS Direct Connect.]
Separate directories, single identity (Cross-forest/resource forest with trust)
User identity federation with AWS IAM
[Diagram: AD users reach enterprise applications and corporate systems with one identity; federation maps the same users to AWS IAM roles, which grant access to EC2, Amazon DynamoDB, and S3.]
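Setting up the AWS side of the federation shown above: an IAM SAML provider built from the AD FS federation metadata, and a role whose trust policy accepts only assertions from that provider. This is an added example in the AWS Tools for Windows PowerShell, not the deck's own code; the metadata file path, role name and attached policy are assumptions.

```powershell
# Added example, not the deck's code. Assumed: the AD FS federation metadata was exported
# to .\FederationMetadata.xml; the role name and attached policy are illustrative choices.
$metadataXml = Get-Content -Raw ".\FederationMetadata.xml"

# 1. Register AD FS as a SAML identity provider; the returned ARN is the trusted principal.
$providerArn = New-IAMSAMLProvider -Name "ADFS" -SAMLMetadataDocument $metadataXml

# 2. Trust policy: only assertions issued by that provider and addressed to the AWS
#    sign-in endpoint may assume the role (the SAML:aud condition rejects assertions
#    that were issued for some other relying party).
$trustPolicy = @"
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "$providerArn" },
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": { "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" } }
  }]
}
"@

# 3. Create the role and attach least-privilege permissions (read-only S3 as the example).
$role = New-IAMRole -RoleName "ADFS-S3ReadOnly" -AssumeRolePolicyDocument $trustPolicy
Register-IAMRolePolicy -RoleName $role.RoleName `
    -PolicyArn "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"

# The AD FS claim rule must emit exactly this "<provider-arn>,<role-arn>" pair as the Role claim.
"$providerArn,$($role.Arn)"
```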
Active Directory Deployments - Isolated domains
[Diagram: the on-premises domain company.local (Munich DC1, Berlin DC2) and an isolated company.cloud directory on AWS Directory Service (DC3 in AZ A, DC4 in AZ B); the two are linked only by federation/synchronization; connectivity over VPN or AWS Direct Connect.]
Separate identities with synchronization/federation solutions such as AD FS, Okta, PingFederate
AD FS Scenarios
• Fully implemented AD FS
  • Core authentication services exposed to the Internet by AD FS proxy
• Firewall-published AD FS
  • Firewall exposes core authentication services to the Internet by reverse proxy
• Non-published AD FS
  • Server farm isn't exposed to the Internet by any method.
• VPN-published AD FS
  • Internet clients connect to and use AD FS services only through a virtual private network (VPN) connection to the on-premises network environment.
Active Directory Federation Services
[Diagram: the isolated-domain layout (company.local on-premises with Munich DC1 and Berlin DC2; company.cloud on AWS Directory Service with DC3 and DC4), with AD FS servers in the private subnets of Availability Zones A and B and Web Application Proxy servers in the public subnets; federation/synchronization between the directories; connectivity over VPN or AWS Direct Connect.]
SQL Server
SQL Server on Amazon EC2
Licensing Options
• Purchase an Amazon Machine Image (AMI) that includes Windows and SQL Server
• Purchase a Windows AMI and install SQL Server yourself (BYOL)
Windows or Mixed Authentication
You manage the virtual machine security, storage, network ports, etc.
Full SQL Server sysadmin privileges
SQL Server HA/DR on EC2
Windows clusters can span Availability Zones or regions*
• Mirroring
• AlwaysOn Availability Groups
• Transaction Log Shipping
• Failover Cluster Instance*
* Some configurations require third-party tools.
Multi-AZ AlwaysOn Availability Group
[Diagram: within one AWS Region, an EC2 primary replica in a private subnet in Availability Zone 1 and an EC2 secondary replica in a private subnet in Availability Zone 2, using synchronous commit with automatic failover.]
Multi-Region AlwaysOn Availability Group
[Diagram: AWS Region A, Availability Zone 1: EC2 primary replica (primary 10.0.2.100, WSFC 10.0.2.101, AG listener 10.0.2.102). Region A, Availability Zone 2: EC2 secondary replica (primary 10.0.3.100, WSFC 10.0.3.101, AG listener 10.0.3.102) with synchronous commit and automatic failover. AWS Region B, Availability Zone 1: EC2 secondary replica (primary 10.1.2.100, WSFC 10.1.2.101, AG listener 10.1.2.102) with asynchronous commit and manual failover, reached over a VPN between Elastic IPs.]
Failover Cluster Instance
[Diagram: within one AWS Region, an EC2 primary node in a private subnet in Availability Zone 1 and an EC2 secondary node in a private subnet in Availability Zone 2, each with its own Amazon EBS volumes; data replication between the nodes is provided by SoftNAS or SIOS.]
What is Amazon RDS?
Managed database service
Automatic patching, backups, mirroring, etc.
Automatic Host Replacement protects you in the event of a hardware failure.
6 database engines to choose from: Amazon Aurora, Oracle, PostgreSQL, MySQL, MariaDB, and SQL Server
License-included and BYOL options available
SQL Server on Amazon RDS
Up to 30 databases per instance
Windows or Mixed Authentication
Optional managed Multi-AZ deployment for high availability
Transparent Data Encryption for encryption at rest and the use of SSL to secure data in transit
Native backup and restore for Microsoft SQL Server databases using full backup files (.bak files)
SQL Server HA/DR on RDS
Spans Availability Zones
Automatic Failover
Automatic Host Replacement
Automatic Backups
Automatic Software Patching (can be disabled)
Multi-AZ SQL Server on Amazon RDS
[Diagram: managed service within one AWS Region; an Amazon RDS primary in a private subnet in Availability Zone 1 and an Amazon RDS secondary in a private subnet in Availability Zone 2, using synchronous commit with automatic failover.]
SQL Server EC2 vs. RDS: Which should I use?
• Both: license-included or BYOL
• EC2: full control over the instance; self-managed AlwaysOn Availability Groups
• RDS: automated backups; AWS-managed Multi-AZ deployment
What about the rest of SQL Server?
• Integration Services (SSIS)
• Reporting Services (SSRS)
• Analysis Services (SSAS)
• SQL Agent
• Service Broker
• Data Quality Services
• Master Data Services
Remember: RDS is a managed database engine.
Most tools or drivers (OLE DB, ODBC, or ADO.NET) that connect to SQL Server can connect to an RDS instance.
For example, SSIS running on EC2 or on-premises can use a connection to an RDS SQL Server (or other engine) instance as long as the network ports are properly configured.
Developers
AWS SDK and Tools for .NET Architecture
[Diagram: layered view of the .NET tooling. Execution platform: .NET 3.5, .NET 4.5, Phone, Store, ASP.NET 5. AWS SDK low-level service APIs: service clients. Higher-level utility APIs: Amazon S3 Transfer Utility, Amazon DynamoDB object persistence, VM Import resource API, ASP.NET session provider, trace listener, and more. AWS tools: AWS Tools for Windows PowerShell, AWS Toolkit for Visual Studio. All layers call AWS endpoints over the REST API.]
AWS Toolkit for Visual Studio
Full integration in Visual Studio (AWS Toolkit for Visual Studio, .NET SDK)
AWS also provides extended support
• AWS Elastic Beanstalk: deploy from within Visual Studio; automatic log rotation to Amazon S3
• AWS CodeCommit/CodePipeline/CodeDeploy: manage a large fleet (on-premises and cloud-based)
• .NET SDK and PowerShell cmdlets: integration in custom build pipelines in TFS or CruiseControl.NET
• AWS native integrations: Jenkins and Bamboo have native integration with AWS
• Other IDEs support AWS (Unity, Xamarin Studio, Eclipse…)
Administration
Amazon EC2 Simple Systems Manager
• EC2 Run Commands
• AWS Tools for Windows PowerShell
• Automation, Customizable, Auditable, Delegated Administration
• Leverage Amazon EC2 Simple Systems Manager
• Auto domain join
• No machine access
• Full traceability
• Fine-grained control
• http://tinyurl.com/AWS-SSM-Home
[Diagram: PowerShell integration with Amazon EC2 Run Commands through SSM.]
Windows SSM with Run Commands
• AWS-JoinDirectoryServiceDomain to join an AWS Directory
• AWS-RunPowerShellScript to run PowerShell commands or scripts
• AWS-UpdateEC2Config to update the EC2Config service
• AWS-ConfigureWindowsUpdate to configure Windows Update settings
• AWS-InstallApplication to install, repair, or uninstall software using an MSI package
• AWS-InstallPowerShellModule to install PowerShell modules
• AWS-ConfigureCloudWatch to configure Amazon CloudWatch Logs to monitor applications and systems
• AWS-ListWindowsInventory to collect information about an EC2 instance running in Windows
• AWS-FindWindowsUpdates to scan an instance and determine which updates are missing
• AWS-InstallMissingWindowsUpdates to install missing updates on your EC2 instance
• AWS-InstallSpecificWindowsUpdates to install one or more specific updates
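Using the AWS-JoinDirectoryServiceDomain document from the list above through the AWS Tools for Windows PowerShell to join a set of instances without any interactive access to them, then reading back each invocation's status so the run is traceable; this is an added example, not the deck's code. The tag filter, directory ID, domain name and DNS addresses are placeholders.

```powershell
# Added example (not from the deck): join tagged running Windows instances to an AWS Directory
# Service domain with Run Command, then collect per-instance results for the audit trail.
# The tag value, directory ID and DNS addresses are placeholders.
$instanceIds = (Get-EC2Instance -Filter @(
    @{ Name = "tag:Role";            Values = "web" },
    @{ Name = "instance-state-name"; Values = "running" }
)).Instances.InstanceId

$cmd = Send-SSMCommand -DocumentName "AWS-JoinDirectoryServiceDomain" -InstanceId $instanceIds `
    -Comment "Domain join via Run Command (no interactive access to the instance)" `
    -Parameter @{
        directoryId    = @("d-PLACEHOLDER")
        directoryName  = @("company.cloud")          # forest name used in the deck's diagrams
        dnsIpAddresses = @("10.0.0.10", "10.0.1.10") # placeholder directory DNS addresses
    }

# Poll until no invocation is still Pending or InProgress.
do {
    Start-Sleep -Seconds 10
    $invocations = Get-SSMCommandInvocation -CommandId $cmd.CommandId -Details $true
} while ($invocations.Status -contains "Pending" -or $invocations.Status -contains "InProgress")

# One line per instance; surface the plugin output only for instances that did not succeed.
foreach ($inv in $invocations) {
    $plugin = $inv.CommandPlugins | Select-Object -First 1
    "{0}: {1} (response code {2})" -f $inv.InstanceId, $inv.Status, $plugin.ResponseCode
    if ($inv.Status -ne "Success") { $plugin.Output }
}
```

Every invocation is also recorded by SSM and the API call by CloudTrail, which is what gives the "no machine access, full traceability" properties listed in the Administration section.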
Monitoring
• CloudWatch
• CloudTrail
• Config
• VPC Flow Logs
• Trusted Advisor
[Diagram: services shown are Amazon CloudWatch, AWS CloudTrail, AWS Config, AWS Trusted Advisor, Amazon VPC flow logs, AWS Lambda, Amazon Kinesis, AWS Service Catalog, Amazon Elasticsearch Service, and Amazon QuickSight.]
Customer Story – Hess Corp
Bill Rothe, VP Enterprise Systems
• Migration of multiple large Windows systems
  • Including Microsoft SQL Server, SharePoint, Exchange, Active Directory, Dynamics, and System Center with AWS MP for SCOM
  • Also SAP HANA, Documentum, Oracle Hyperion
• Three phases so far
  • First divestiture, 170 instances, 6 months
  • Second divestiture, 90 instances, 3 months
  • Now working on migrating core business
• Hybrid approach
  • Integrated networking via Direct Connect
  • Integrated authentication via ADFS on EC2 with AD on-premises
• The art of the possible
  • “We haven't met a workload we can't migrate to AWS.”
  • Not always pure lift and shift. Some take tuning, some take re-architecting, but always able to get it to work.
• Evolving attitude about cloud adoption internally
  • Now there are far more supporters than detractors
  • That’s a major shift from 18 months ago
• Moving along the maturity curve
  • Looking for ways to optimize and automate
  • Right-sizing instances
  • Building test/dev environments on demand
Thank you!
Remember to complete your evaluations!
Windows Track Sessions
• WIN301: Bring Microsoft Applications to AWS to Save Money and Stay Licensing Compliant (Tues, Nov 29, 3:30-4:30 PM, Venetian H)
• WIN204: How to Move 1,000 VMs and Biz Critical Apps to AWS in 6 months. Edwards Lifesciences (Tues, Nov 29, 3:30-4:30 PM, Venetian H)
• WIN303: How to launch a 100k user Microsoft back office and not break a sweat (Wed, Nov 30, 5:30-6:30 PM, Delfino 4004)
• WIN304: Design, Deploy & Optimize SharePoint on AWS (Wed, Nov 30, 3:30-4:30 PM, Venetian H)
• WIN305: Best Practices for Integrating Active Directory with AWS Workloads (Wed, Nov 30, 5:00-6:00 PM, Venetian H)
• WIN306: Design, Deploy & Optimize SQL Server on AWS (Thurs, Dec 1, 5:30-6:30 PM, Venetian H)