Migration of Microsoft Workloads

Uploaded by amazon-web-services, posted 06-Aug-2015

TRANSCRIPT

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Wayne Saxe AWS Ecosystem Solutions Architect

29 July 2015

AWS Summit New York

Migration of Microsoft Workloads

Agenda

Architecture Overview Design and Deployment of Infrastructure Services Instance Migration and Upgrade Management and Maintenance

Architecture Best Practices

Design for failure and nothing fails Loose coupling sets you free Implement elasticity Build security in every layer Leverage different storage options

Design Considerations

Your VPC is Your Home
•  Transition from Subnet Based Design to Security Groups and NACLs

The Principles of Security Don't Change Much

Remember, You're Always Working Remote

Your VPC Is Your Home

[Diagram: two Availability Zones, each with a private subnet (10.0.0.0/24) holding a Domain Controller, SQL Server, App Server and IIS Server, and a public subnet (10.0.2.0/24) holding a NAT and an RDGW; Remote Users / Admins are shown outside the VPC.]

The Principles of Security Don't Change Much

•  Role-Based Access Control and Least Privilege Apply
•  Use Security Groups

[Diagram: a Web Security Group and a SQL Security Group across the public and private subnets (10.0.0.0/24 and 10.0.1.0/24). The Web SG accepts TCP port 80 from the Internet; the SQL SG accepts TCP port 1433 from the Web SG. Traffic flows User → WEB (TCP 80) → SQL (TCP 1433).]
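An added check, not from the deck, that applies the rule on this slide to security-group definitions in the shape EC2 DescribeSecurityGroups returns: TCP 1433 may be admitted only from the Web security group, and only the web tier's port 80 may be open to the Internet. The sample groups and the sg- ids are constructed, and the legacy group shows the subnet-based rule the slide says to move away from.

```python
# Least-privilege check for the two-tier Security Group design above.
# Input follows the shape of EC2 DescribeSecurityGroups (boto3's
# describe_security_groups()["SecurityGroups"]); groups are constructed.

WEB_PORT, SQL_PORT = 80, 1433

SECURITY_GROUPS = [
    {"GroupId": "sg-web0001", "GroupName": "Web-SG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": WEB_PORT, "ToPort": WEB_PORT,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-sql0001", "GroupName": "SQL-SG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": SQL_PORT, "ToPort": SQL_PORT,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web0001"}]}]},
    # Subnet-based rule carried over from the datacenter design: every
    # host in the web subnet, not just the web servers, can reach SQL.
    {"GroupId": "sg-sql0002", "GroupName": "SQL-SG-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": SQL_PORT, "ToPort": SQL_PORT,
         "IpRanges": [{"CidrIp": "10.0.0.0/24"}], "UserIdGroupPairs": []}]},
]


def covers_port(perm, port):
    """True if an ingress permission admits TCP traffic to `port`."""
    if perm["IpProtocol"] == "-1":  # "all traffic" rule carries no ports
        return True
    return (perm["IpProtocol"] == "tcp"
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))


def sql_sources_other_than(groups, web_sg_id, sql_port=SQL_PORT):
    """(group name, source) for every rule admitting the SQL port from
    anything except the Web security group; CIDR sources always count."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            if not covers_port(perm, sql_port):
                continue
            findings += [(sg["GroupName"], r["CidrIp"])
                         for r in perm.get("IpRanges", [])]
            findings += [(sg["GroupName"], p["GroupId"])
                         for p in perm.get("UserIdGroupPairs", [])
                         if p["GroupId"] != web_sg_id]
    return findings


def internet_facing_ports(groups):
    """{(group name, from-port)} for each rule open to 0.0.0.0/0; in this
    design only the web tier's port 80 should appear."""
    return {(sg["GroupName"], perm.get("FromPort", "all"))
            for sg in groups for perm in sg["IpPermissions"]
            if any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", []))}
```

Run against real output by replacing SECURITY_GROUPS with the list boto3 returns and passing the actual Web SG id; any finding from sql_sources_other_than is a rule to tighten.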

Remember, You’re Always Working Remote

Clients can use the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection

Bastion hosts can run Windows PowerShell Web Access for remote command line administration

Deploying a bastion host in each Availability Zone can provide highly available and secure remote access over the Internet

SQL Server on AWS

Two primary deployment paths:

Amazon EC2
•  You Manage Your Infrastructure
•  Advanced Deployments: WSFC + AlwaysOn Availability Groups

Amazon RDS
•  Fully Managed by AWS
•  No Administrative Intervention
•  Uses SQL Server Mirroring

Many versions and editions of SQL Server, including Express, Web, Standard and Enterprise, and SQL Server 2005, 2008, 2012 and more

Highly Available SQL Server

[Diagram: Primary Replica in the Availability Zone 1 private subnet (Primary 10.0.2.100, WSFC 10.0.2.101, AG Listener 10.0.2.102) and Secondary Replica in the Availability Zone 2 private subnet (Primary 10.0.3.100, WSFC 10.0.3.101, AG Listener 10.0.3.102), both synchronous-commit, with automatic failover; AG Listener name ag.awslabs.net.]

SQL Server WSFC Failover: The Quorum

[Diagram: Primary Replica in the Availability Zone 1 private subnet and Secondary Replica in the Availability Zone 2 private subnet, synchronous-commit with automatic failover, plus a Witness Server.]

SQL Server WSFC Failover: The Witness

[Diagram: Primary Replica in Availability Zone 1, Secondary Replica in Availability Zone 2 with automatic failover, and the Witness Server placed in a separate Availability Zone 3.]

SQL Server HA With Read Replica

[Diagram: Primary Replica (Availability Zone 1 private subnet) and Secondary Replica 1 (Availability Zone 2 private subnet), synchronous-commit with automatic failover behind AG Listener ag.awslabs.net; Secondary Replica 2 receives asynchronous-commit, is readable, and serves a Reporting Application.]

SQL Server HA With Disaster Recovery

[Diagram: Primary Replica (Availability Zone 1 private subnet) and Secondary Replica 1 (Availability Zone 2 private subnet) with automatic failover behind AG Listener ag.awslabs.net; a VPN links the VPC to the Corporate Network, where Secondary Replica 2 (readable) serves a Reporting Application and Backups, with manual failover.]

SharePoint 2013 on AWS

•  Web tier is made highly available through load balancing
•  Application-tier load balancing is native to SharePoint
•  Database-tier high availability can be achieved with SQL AlwaysOn
•  Install SharePoint using a SQL Client Alias
•  Update the alias after making DBs highly available, and point it to the Availability Group Listener fully qualified domain name (FQDN)

SharePoint 2013 on AWS: Example Architecture

[Diagram: two Availability Zones, each with a public subnet (NAT, RDGW) and a private subnet (Domain Controller, SQL Server, App Server, Web Front-End); subnets 10.0.0.0/24 and 10.0.2.0/24. The two SQL Servers form an Availability Group, DB Primary in one zone and DB Secondary in the other; Users are shown outside the VPC.]

SharePoint Migration Strategies

Create SharePoint Farm
•  Create the New Target Farm to Spec

Copy Database to the Target Farm
•  Place Source Farm and Database in Read-Only Mode
•  Backup Content and Service Application Databases
•  Restore the Databases to the Target Farm

Upgrade Service Applications
•  Configure Service Applications for the Target Farm
•  Create New Web Applications matching the Source Farm

Upgrade Content Databases
•  Upgrade and Mount the New Content Databases

Upgrade Site Collections
•  Site Owners' Responsibility

Active Directory on AWS

Two High Level Deployment Paths

Amazon EC2
•  Fully Managed by You
•  Isolated, Stretched or Federated

AWS Directory Service
•  Managed By AWS
•  Simple AD and AD Connector

AD Connector

•  Connect to your on-premises Active Directory via an existing VPC VPN connection or AWS Direct Connect
•  Users access AWS applications with existing credentials
•  Administrators can access the AWS Management Console with existing credentials
•  Integrate with existing RADIUS MFA solutions

Simple AD

•  Launch managed stand-alone directories
•  Powered by Samba 4 Active Directory Compatible Server
•  Supports common AD features: user accounts, group memberships, domain-joining EC2 instances running Windows, Kerberos-based SSO, and Group Policies
•  Use existing AD management tools with Simple AD
•  Simple AD accounts can access AWS applications: Amazon WorkSpaces, Amazon Zocalo

Directories Managed For You

•  AWS does the heavy-lifting directory management tasks: patch management, host monitoring
•  Simple AD includes snapshot backups and point-in-time recovery
•  Directories are deployed multi-AZ for availability

Hybrid Active Directory

•  Connectivity via VPN or Direct Connect

•  Security groups must allow traffic to and from DCs on-premises

•  Properly define AD sites and subnets

•  Configure site-link costs

•  Enable domain members for the "Try Next Closest Site" group policy setting

Hybrid Active Directory Architecture

[Diagram: DC3 runs in a private subnet of an AWS Availability Zone and is linked by VPN to the Corporate Network; DC1 and DC2 are labelled Virginia and Washington DC respectively.]

Instance Migration and Upgrade

•  Two primary paths: Migrate and Upgrade
•  A fleet migration is a more complex task that may take longer, but is better for a complex production environment
•  A variety of Technology Partner tools and techniques can help here
•  A system upgrade is suitable for a smaller number of instances or to get moving quickly
•  EC2: OS Upgrade: http://tinyurl.com/potrqxu

Management and Maintenance: CloudWatch

Log Types:
•  Event Logs
•  IIS Logs
•  Any Event Tracing for Windows (ETW) Logs
•  Any Performance Counter data
•  Any text-based log files

Enables customers to easily monitor instance activity in real time and create alarms on these events

Management and Maintenance: Simple Systems Manager

Simple Systems Manager provides native AWS tools to manage your Windows EC2 instances
•  Join an AWS Directory
•  Install software using MSI packages
•  Run PowerShell scripts
•  Configure CloudWatch Logs

Management and Maintenance: Simple Systems Manager

Simple Systems Manager manages instances while they are running
•  Create a configuration document describing tasks (install software)
•  Attach the document to an instance and either run it manually or schedule a task
•  Disassociate a document when you no longer need it, but the configuration doesn't go away!

Thank you!

Wayne Saxe AWS Ecosystem Solutions Architect

[email protected]