running microsoft workloads on aws

AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015


Running Microsoft Workloads on AWS

Bill Jacobi

[email protected]

Manager, Solutions Architecture

June 25, 2015

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.


Session abstract

Deploy, scale and manage your Microsoft workloads on AWS. We will start with why customers want to deploy Windows applications on AWS as a cloud platform. We will discuss reference architectures and best practices for implementing Microsoft products including Active Directory, Remote Desktop Gateway, Exchange, SharePoint, and Lync on AWS. We will conclude with best practices for managing and monitoring Microsoft technologies on AWS.


Agenda• Why run Windows on AWS• New Announcements• Windows architecture

– Security and remote administration– Active Directory Domain Services– Microsoft SharePoint 2013– Microsoft Exchange Server 2013– Microsoft Lync 2013– Microsoft SQL Server 2014– Managing and monitoring Windows instances and applications


flexible

What is AWS for Windows?

secure reliable high-performance familiar cost-effective extensive

Optimization for Windows-based workloads

Wide range of scalable services

Alignment with business needs


AWS for Windows is secure

“Amazon Virtual Private Cloud (Amazon VPC) gives us a secure environment in the AWS cloud with the flexibility and scalability we need to manage our SharePoint environment with zero impact to our on-premises datacenter”

- Jeremy Fuchs, Vice President of Financial and BI Systems, Lionsgate

Security-in-layers approach

Isolated infrastructure and workloads

Identity and access controls

Tracking and logging

Optimized for regulatory compliance


AWS for Windows is reliable

“Before migrating to AWS, we experienced 10 to 20 hours of downtime a month. With AWS, our downtime is significantly reduced. Our average uptime increased rapidly from 98.8 percent to 99.9 percent without re-architecting applications.”

- Augusto Rosa, Server Operations Manager, Shaw Media

99.95% SLA (EC2, EBS, RDS)

Multi-region asynchronous replication

Uptime and performance monitoring

Low network variability


AWS for Windows is high-performance

“Using AWS, we decreased average network latency from 700 milliseconds to less than 50 milliseconds… Fundamentally, running in AWS enables a 230 percent CPU consumption efficiency in data processing.”

- Murari Gopalan, Technology Director, Expedia.com

Enterprise-grade computing on demand

Automation for both complex and routine tasks

Dedicated, low-latency network connections

Automated scaling

Monitoring tools with user-defined thresholds


AWS for Windows is familiar

“We didn’t have time to redesign applications. AWS could support our legacy 32-bit applications on Windows Server 2003, a variety of SQL Server and Oracle databases, and a robust Citrix environment.”

- Jim McDonald, Lead Architect, Hess Corporation

Windows-based application support

Your own cloud servers

Use existing VMs

License flexibility

Same tools as on-premises environments


AWS for Windows is cost-effective

“Had we built our SharePoint 2013 farm in our other data center, we would have increased costs by almost 50 percent. When you compare our SharePoint 2012 farm to our SharePoint 2013 farm, AWS allowed us to increase our computing power while also reducing costs by 14 percent.”

- Michael Cierkowski, Development Manager, Slalom Consulting

No hardware procurement/deployment costs

Improved hardware utilization

Bring your own licenses

Value-oriented culture

No long-term commitments


AWS for Windows is extensive

“As our company continued to grow, so did our reliance on the AWS cloud and now, we’ve adopted almost all of the features AWS provides. AWS is the easy answer for any Internet business that wants to scale to the next level.”

- Nathan Blecharczyk, Co-founder & CTO, Airbnb

More than 40 services available

Broad ecosystem of partners

Third-party application marketplace

Continuous service improvement

Technical certifications for multiple skill levels


AWS for Windows is flexible

Highly customizable infrastructure

Variety of instance types

Maintain availability at the lowest cost

Wide variety of storage options

“By deploying their on premise Microsoft solutions like SharePoint and Exchange into the AWS platform – combined with InfoReliance’s fully managed service options -- our customers find the best of both worlds and the flexibility they require to meet their evolving requirements.”- John Sankovich, VP Cloud Solutions, InfoReliance


Why AWS for Windows?secure reliable high-performance familiar

cost-effective extensive flexible


Common AWS Services used with Windows Applications


New Announcements

https://aws.amazon.com/quickstarts

https://aws.amazon.com/blogs/aws/now-available-sql-server-enterprise-edition-ami-for-ec2/


Windows architecture on AWS

• Place application servers in private

subnets to prevent direct access from the

Internet

• Deploy Bastion hosts, reverse proxies,

and other Internet-facing servers in public

subnets

• Install critical workloads in at least two Availability Zones to provide

high availability


Availability Zone 1

private subnetpublic subnet

NAT

10.0.10.0/24 10.0.2.0/24

DCDBAPPWEB

domain controller

SQLServer

appserver

IISServer

RDG

Availability Zone 2


NAT

10.0.100.0/24 10.0.2.0/24

DCDBAPPWEB

domain controller

SQLServer

appserver

IISServer

RDG

Remote Users / Admins

Windows architecture on AWS

10.0.11.0/24

10.0.110.0/24

Virtual Private Cloud (VPC) is the foundation


Architectural considerations• Amazon Virtual Private Cloud

– Configure IP ranges, public/private subnets, routing tables,

Internet or private gateway

• Security groups, network ACLs, VPC Flow Logging

• Remote administration

• The principle of least privilege


Security groups

Availability Zone

web security group SQL security group


accept TCP port 80 from Internet

accept TCP port 1433 from web security group

User

WEB SQLTCP 80 TCP 1433

10.0.0.0/24 10.0.1.0/24


Remote administration

• Place RD Gateway in DMZ subnet

• Clients can use the Remote Desktop Protocol (RDP) over HTTPS to establish an encrypted connection

• Pro tip: Use Remote Desktop Connection Manager

• Bastion hosts can run Windows PowerShell Web Access for remote command-line administration

Deploying a Bastion host (Remote Desktop Gateway) in each Availability Zone can provide highly available and secure remote access over the Internet

https://www.microsoft.com/en-us/download/details.aspx?id=44989


Secure remote administration architecture

Availability Zone

gateway security group

web security group


accept TCP port 443 from admin IP address

accept TCP port 3389 from gateway security group

AWS administrator

corporate data center

WEB2

TCP 443TCP 3389

Connect to the Remote Desktop Gateway over https which proxies the RDP connection to the back-end instance

WEB1 RDG TCP 3389


Remote Desktop Connection Manager (RDCMan 2.7)


Managing Active Directory• Use AD Domain Controllers in the cloud and/or on-premise

• No different in cloud: AD provides security boundary, IP

addressing and DNS

• AWS VPC provides DHCP and

“static” IPs for DCs and servers

• Global catalog servers

• Read-only and writeable domain controllers


AWS Directory Service• Simple AD

Managed directory powered by Samba 4 Active Directory Compatible Server

Supports user accounts, group memberships, domain-joining Amazon EC2 instances

• AD Connector Proxies directory requests to on-premises environment Users can access AWS resources and applications with existing

corporate credentialshttps://aws.amazon.com/blogs/aws/new-aws-directory-service/


Active Directory hybrid deployments

• Properly define AD sites and subnets

• Configure site-link costs

• Enable domain members for Try Next Closest Site Group Policy setting

• Connectivity from cloud to corporate data center via VPN or Direct Connect

• Security groups must allow traffic to and from DCs on-premises


Availability Zone

private subnet

DC3

corporate network

New York

DC1

VPN orDirect Connect

AD forest spanning AWS and corporate data center

Washington, D.C.

DC2

AWS region


Availability Zone

private subnet

DC3

corporate network

New York

DC1


Washington, D.C.

DC2

XVPN or

Direct Connect

If DC1 goes down, where does NY client go to authenticate?


private subnet

DC3

corporate network

New York/AD site 1

DC1

VPN or DX


Washington, D.C./AD site 2

DC2

AD site 3

Cost 100

Cost 100

Cost 50

With Try Next Closest Site policy enabled, clients use least cost path to a domain controller. Applies to on-prem and cloud sites.

X


SQL Server high availability• Amazon RDS Multi-AZ deployments

– Fully managed by AWS

– No administrative intervention

– Uses SQL Server mirroring

• SQL Server Enterprise 2012/2014

– Managed by you

– High availability achieved using Windows Server Failover Clusters (WSFC) and AlwaysOn Availability Groups

– SQL Server Enterprise Edition AMI available (as of June 16)


SQL Server high availability

Availability Zone 1

private subnet

primary replica

Availability Zone 2

private subnet

secondaryreplica

synchronous-commit synchronous-commit

Primary: 10.0.2.100WSFC: 10.0.2.101AG Listener: 10.0.2.102

Primary: 10.0.3.100WSFC: 10.0.3.101AG Listener: 10.0.3.102

AG Listener:ag.awslabs.net

automatic failover


WSFC Quorum

Availability Zone 1

Private Subnet

Primary Replica

Availability Zone 2

Private Subnet

SecondaryReplica

Synchronous-commit Synchronous-commit

Automatic Failover

WitnessServer


WSFC Quorum

Availability Zone 1

Primary Replica

Availability Zone 2

SecondaryReplica

Automatic Failover

WitnessServer

Availability Zone 3


SharePoint 2013 reference architecture

• General guidelines– Critical workloads are placed in two Availability Zones

– Examples: AD domain controllers, SharePoint servers, RD gateways, Forefront TMG gateways, NAT gateways

– Internal application servers are placed in private subnets

– RD gateways are deployed into public subnets in each Availability Zone

• Web tier is made highly available through load balancing

• Application-tier load balancing is native to SharePoint(crawl servers, query servers, etc. installed cross-farm)

• High availability on database tier can be achieved with SQL Server AlwaysOn


private subnet

private subnet

10.0.2.0/24

Availability Zone 2

Availability Zone 1

public subnet

NAT

10.0.0.0/24

DCDB

primaryAPPWEB

domain controller

appserver

web front end

RDG

public subnet

NAT

10.0.0.0/24 10.0.2.0/24

DCDB

secondaryAPPWEB

domain controller

appserver

web front end

RDG

Users

Internet-facing SharePoint farm on AWS

SQL ServerAlwaysOn

AvailabilityGroup

SQLServer

SQLServer


Exchange 2013 reference architecture• Critical workloads are placed in two Availability Zones

– AD domain controllers, Exchange servers, RD gateways, Edge Transport servers, NAT gateways

• Internal application servers are placed in private subnets• RD gateways are deployed into public subnets in each Availability

Zone• High availability provided within the data center with site resilience

between data centers• Supports multiple copies of each database• Optimize around failure domains


private subnet

private subnet

10.0.2.0/24

Availability Zone 2

Availability Zone 1

public subnet

NAT

10.0.1.0/24DMZ

DC1Exch1

domaincontroller

mailboxserver

RDG

public subnet

NAT

10.0.10.0/24DMZ

10.0.20.0/24

DC2Exch2

domaincontroller

mailboxserver

RDG

Users

Exchange 2013reference architecture


Availability Zone 1/AD site 1


10.0.0.0/24 10.0.2.0/24

DC1

domain controller

Exchange 2013CAS+MBX

Availability Zone 2/AD site 2


10.0.1.0/24 10.0.3.0/24

DC2EXCH2

domain controller

Exchange 2013CAS+MBX

remote mail server

Adding the Edge Transport server

EDGE1

Exchange 2013Edge Transport

EDGE2

Exchange 2013Edge Transport

EXCH1


Lync 2013 reference architecture• Critical workloads are placed in two Availability Zones

– AD domain controllers, Lync Front End Server, RD gateways, Mediation Server, NAT gateways

– Lync Edge Server (if needed) placed in DMZ subnets

• Internal Lync servers and supporting servers (OWA, PC, Mediation, etc.) are placed in private subnets

• RD gateways are deployed to public subnets in each Availability Zone

• Paired Lync Server 2013 pools in each Availability Zone support DR and pool failover


private subnet

private subnet

10.0.2.0/24

Availability Zone 2

Availability Zone 1

public subnet

NAT

10.0.1.0/24DMZ

DCFE01

domaincontroller

front endRDG

public subnet

NAT

10.0.10.0/24DMZ

10.0.20.0/24

DCFE02

domaincontroller

front endRDG

Users

Lync SE 2013reference architecture


Lync Server 2013 EE architecture

VPC Content10.0.0.0/16

AD1Front End

Pool

ADCS

NATRDGW

DB1-FEMirrored

Mediation SRV1

MediationSRV2

Persistent chat pool

DB1-PCMirrored

Stress Test Servers

OWA App SRV1

OWA App SRV2

AD2

DB2-FEMirror

DB2-PCMirror

Witness

Monitor

Elastic I P

Elastic I P

I nternet gateway

router

LoadSim Tier App Tier DB Tier AD Tier

Public10.0.15.0/24

DMZ

Private10.0.14.0/24

AZ-1


49% Lower Latency with Direct Connect versus Internet (VA-OR)

88 ms roundtrip via Internet 59 ms roundtrip via Direct Connect

East coast – West coast latency well within Lync latency envelope


Managing and monitoring your Windows instances and applications

Log types:• Event logs• IIS logs• Event Tracing for Windows (ETW) logs• Any performance counter data• Any text-based log files

To learn more: http://amzn.to/1qVKKkI

• Recommend running Systems Center Operations Manager and management packs for AD, Exchange, SharePoint, SQL Server, and Lync

• Amazon CloudWatch Logs enable monitoring instance activity in real time with custom alarms on events

http://amzn.to/1qVKKkI




Quick Start reference deployments

• Active Directory Domain Services• Remote Desktop Gateway on AWS• SharePoint 2013• Exchange Server 2013 • Lync Server 2013 • SQL Server 2014 AlwaysOn• PowerShell Desired State Configuration (DSC)

aws.amazon.com/quickstart


Thank You.This presentation will be loaded to SlideShare the week following the Symposium.

http://www.slideshare.net/AmazonWebServices


running microsoft workloads on aws

Technology

aws government

aws cloud

aws bill jacobi

nonprofit symposium

microsoft workloads

windows applications

microsoft lync

monitoring windows instances