This document provides a summary of a session on simplifying Microsoft architectures with AWS services. The session covered how to build Microsoft architectures like Active Directory, SQL Server, and developer platforms on AWS. It discussed identity and access management options like AWS IAM, Active Directory, and federation. For SQL Server, it covered options like running on EC2, using Amazon RDS, and high availability and disaster recovery configurations. It provided examples of reference architectures for Active Directory on AWS and for integrating with on-premises directories. The session aimed to provide simplicity, automation, and cost optimization for Microsoft workloads on AWS.
2. What to Expect from the Session
• Simplicity and Automation
• Microsoft Architectures on AWS and how to build them
• Identity and Access Management
• SQL Server
• Developers
• Administration
3. AWS service offerings for Windows workloads
Figure (slides 3 and 4): a grid of AWS services grouped by workload category. Categories shown: developer platform and tools, corporate applications, line-of-business applications, end-user computing, information security, infrastructure, and DevOps. Service groups shown in the figure:
• Corporate and line-of-business applications: Amazon EC2 for Windows, Amazon RDS, AWS CloudFormation, Amazon CloudFront; EC2 for Windows, AWS Directory Service, RDS, Marketplace
• End-user computing: Amazon WorkSpaces, Amazon AppStream, Marketplace, AWS Mobile Services, SaaS
• Information security: AWS Identity and Access Management (IAM), AWS CloudHSM, AWS Key Management Service (KMS), security groups, AWS Marketplace
• Infrastructure: EC2, Amazon S3, RDS, Amazon VPC, AWS Direct Connect, Directory Service, IAM, AWS Service Catalog
• DevOps: AWS Elastic Beanstalk, AWS CodeDeploy, CloudFormation
6. Sample Microsoft Architecture
Diagram: a VPC spanning two Availability Zones. Each Availability Zone has a public subnet holding a Remote Desktop Gateway (RDGW) and a VPC NAT Gateway, and a private subnet holding IIS Web and IIS App servers, an AWS Directory Service domain controller, and an MS SQL instance; the two SQL instances form an Always On Availability Group across the zones, and Auto Scaling is shown for the IIS tiers. An Internet Gateway serves remote users, a Virtual Private Gateway connects the corporate office over VPN and AWS Direct Connect, and a VPC Endpoint provides private access to Amazon S3.
7. Secure remote administration architecture
Diagram: one Availability Zone with a public subnet holding the RD Gateway (RDGW) in a Gateway Security Group and a private subnet holding WEB1 and WEB2 in a Web Security Group. The Gateway Security Group accepts TCP port 443 only from the AWS administrator's IP in the corporate data center; the Web Security Group accepts traffic only from the Gateway Security Group.
Requires one connection:
• Connect to the RD Gateway, and the gateway proxies the RDP or PowerShell connection to the back-end instance.
9. Shared Service VPC
• Best suited for:
  • The majority of your infrastructure is (or will be) on AWS
  • The required on-premises resources are easy to replicate or proxy (e.g., Active Directory, System Center, central SQL farm)
  • You prefer to limit VPN traffic
  • Strong security or compliance programs require additional application-level controls and proxy servers between their AWS and on-premises resources (e.g., application-layer firewalls)
10. CloudFormation – Infrastructure as Code
Basic standard in AWS for automating deployment of resources
CloudFormation template
• JSON-formatted document that describes a configuration to be deployed in an AWS account
• When deployed, refers to a “stack” of resources
• Bootstrapping AWS CloudFormation Windows Stacks, http://tinyurl.com/aws-win-boot
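Slides 7 and 10 together describe one pattern: a CloudFormation JSON template that creates the Gateway Security Group (TCP 443 from the admin IP only) and the Web Security Group (accepting only from the Gateway Security Group, by group reference rather than by CIDR, so the rule cannot drift when gateway addresses change). The template below is an added example, not the deck's or AWS's own code; the /32 constraint on the admin address, the VPC and admin-IP parameters, and the choice of RDP (3389) and WinRM over HTTPS (5986) as the ports the gateway proxies are assumptions.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (not from the deck): RD Gateway and web-tier security groups",
  "Parameters": {
    "VpcId": { "Type": "AWS::EC2::VPC::Id" },
    "AdminIp": {
      "Type": "String",
      "Description": "Single administrator address as a /32, e.g. 203.0.113.10/32 (placeholder)",
      "AllowedPattern": "^(\\d{1,3}\\.){3}\\d{1,3}/32$"
    }
  },
  "Resources": {
    "GatewaySG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Gateway Security Group: accept TCP 443 from the admin IP only",
        "VpcId": { "Ref": "VpcId" },
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": { "Ref": "AdminIp" } }
        ]
      }
    },
    "WebSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Web Security Group: RDP and WinRM over HTTPS accepted from the gateway SG only",
        "VpcId": { "Ref": "VpcId" },
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
            "SourceSecurityGroupId": { "Ref": "GatewaySG" } },
          { "IpProtocol": "tcp", "FromPort": 5986, "ToPort": 5986,
            "SourceSecurityGroupId": { "Ref": "GatewaySG" } }
        ]
      }
    }
  },
  "Outputs": {
    "GatewaySecurityGroupId": { "Value": { "Ref": "GatewaySG" } },
    "WebSecurityGroupId": { "Value": { "Ref": "WebSG" } }
  }
}
```

Because the web tier has no CIDR rule at all, an instance reached through any path other than the gateway is rejected at the security group, which is the property the slide's "accept traffic from Gateway SG" arrow expresses.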
13. The Work* Services
• WorkDocs: secure enterprise document collaboration; central sync, document feedback; secure access from anywhere
• WorkSpaces: virtual desktops; secure access from anywhere; monthly pricing
• WorkSpaces Application Manager: virtual applications; centralized application deployment; monthly subscription options
• WorkMail: secure email and calendaring; strong security controls; existing desktop, mobile support
• Directory Service: managed directories; Simple AD, AD Connector, Microsoft AD
14. Run Windows Server 2016 on Amazon EC2
• Windows Server 2016 Datacenter with Desktop Experience
• Windows Server 2016 Nano Server
• Windows Server 2016 with Containers
  • docker run microsoft/sample-dotnet
• Windows Server 2016 with SQL Server 2016
16. AWS Identity and Access Management (IAM)
• Role-based access control
• Multi-factor authentication
• Integrated with all AWS services
• IAM roles
17. Common Approaches
• Active Directory
  • AWS Directory Services
• Federation
  • Federation to AWS services
  • Federation to Microsoft workloads
• Claims-based access control
  • SSO
  • AD FS 4.0, PingFederate, Okta
• Kerberos
18. Single domain extended to multiple sites
Diagram: one Active Directory domain, company.local, with DC1 (Munich) and DC2 (Berlin) in the corporate network and DC3 (Availability Zone A, private subnet) and DC4 (Availability Zone B, private subnet) on AWS. The sites are linked over VPN and AWS Direct Connect, with Active Directory site link costs of 10 and 50 shown on the links.
One single identity, data center extension mode (rely on Active Directory sites, read-only or not)
19. One subdomain per site
Diagram: the corporate network holds company.local with DC1 (Munich) and DC2 (Berlin); AWS holds the child domain cloud.company.local with DC3 (Availability Zone A, private subnet) and DC4 (Availability Zone B, private subnet), connected over VPN and AWS Direct Connect.
Isolated subset of the directory, single identity for users (Active Directory domains in a single forest)
20. One forest per site and trust
Diagram: the corporate network holds the company.local forest with DC1 (Munich) and DC2 (Berlin); AWS holds a separate company.cloud forest, provided by AWS Directory Service, with DC3 (Availability Zone A, private subnet) and DC4 (Availability Zone B, private subnet). The two forests are linked by a trust over VPN and AWS Direct Connect.
Separate directories, single identity (cross-forest/resource forest with trust)
21. User identity federation with AWS IAM
Diagram: AD users use their corporate identity for enterprise applications and corporate systems and, through federation with AWS IAM, assume IAM roles that grant access to AWS services such as EC2, Amazon DynamoDB and S3.
22. Active Directory Deployments - Isolated domains
Diagram: the corporate network holds company.local with DC1 (Munich) and DC2 (Berlin); AWS holds an unrelated company.cloud directory, provided by AWS Directory Service, with DC3 (Availability Zone A, private subnet) and DC4 (Availability Zone B, private subnet). Identities are linked by federation/synchronization over VPN and AWS Direct Connect.
Separate identities with synchronization/federation solutions such as AD FS, Okta, PingFederate
23. AD FS Scenarios
• Fully implemented AD FS
  • Core authentication services exposed to the Internet by AD FS proxy
• Firewall-published AD FS
  • Firewall exposes core authentication services to the Internet by reverse proxy
• Non-published AD FS
  • Server farm isn't exposed to the Internet by any method.
• VPN-published AD FS
  • Internet clients connect to and use AD FS services only through a virtual private network (VPN) connection to the on-premises network environment.
24. Active Directory Federation Services
Diagram: the isolated-domains layout of slide 22 (company.local on premises with DC1 in Munich and DC2 in Berlin; company.cloud in AWS Directory Service with DC3 and DC4 in the private subnets of Availability Zones A and B; federation/synchronization over VPN and AWS Direct Connect), with an AD FS server in each private subnet and a Web Application Proxy in the public subnet of each Availability Zone.
26. SQL Server on Amazon EC2
Licensing Options
• Purchase an Amazon Machine Image (AMI) that includes Windows and SQL Server
• Purchase a Windows AMI and install SQL Server yourself (BYOL)
Windows or Mixed Authentication
You manage the virtual machine security, storage, network ports, etc.
Full SQL Server sysadmin privileges
27. SQL Server HA/DR on EC2
Windows clusters can span Availability Zones or regions*
• Mirroring
• AlwaysOn Availability Groups
• Transaction Log Shipping
• Failover Cluster Instance*
* Some configurations require third-party tools.
28. Multi-AZ AlwaysOn Availability Group
Diagram: within one AWS Region, an EC2 primary replica in the private subnet of Availability Zone 1 and an EC2 secondary replica in the private subnet of Availability Zone 2, using synchronous commit with automatic failover.
29. Multi-Region AlwaysOn Availability Group
Diagram: in AWS Region A, the primary replica (Availability Zone 1, private subnet; primary 10.0.2.100, WSFC 10.0.2.101, AG Listener 10.0.2.102) and a secondary replica (Availability Zone 2, private subnet; 10.0.3.100, WSFC 10.0.3.101, AG Listener 10.0.3.102) use synchronous commit with automatic failover. In AWS Region B, a further secondary replica (Availability Zone 1, private subnet; 10.1.2.100, WSFC 10.1.2.101, AG Listener 10.1.2.102) uses asynchronous commit with manual failover. The two regions are connected by a VPN terminated on Elastic IPs.
30. Failover Cluster Instance
Diagram: within one AWS Region, an EC2 primary node in the private subnet of Availability Zone 1 and an EC2 secondary node in the private subnet of Availability Zone 2, each with its own Amazon EBS volumes; data replication between the nodes is provided by SoftNAS or SIOS.
31. What is Amazon RDS?
• Managed database service
• Automatic patching, backups, mirroring, etc.
• Automatic Host Replacement protects you in the event of a hardware failure.
• 6 database engines to choose from: Amazon Aurora, Oracle, PostgreSQL, MySQL, MariaDB, and SQL Server
• License-included and BYOL options available
32. SQL Server on Amazon RDS
• Up to 30 databases per instance
• Windows or Mixed Authentication
• Optional managed Multi-AZ deployment for high availability
• Transparent Data Encryption for encryption at rest and the use of SSL to secure data in transit
• Native backup and restore for Microsoft SQL Server databases using full backup files (.bak files)
33. SQL Server HA/DR on RDS
• Spans Availability Zones
• Automatic Failover
• Automatic Host Replacement
• Automatic Backups
• Automatic Software Patching (can be disabled)
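Slides 32 and 33 list the controls; the template below is an added example, not the deck's or AWS's own code, that turns them on in one place: Multi-AZ with automated backups, the TDE option for encryption at rest, rds.force_ssl so clients must use SSL in transit, and the native backup/restore option bound to an IAM role that can read and write the .bak files. TDE is an Enterprise Edition feature on SQL Server 2016, hence sqlserver-ee; the engine version, instance class, storage size and parameter names are assumptions, and StorageEncrypted additionally encrypts the underlying volumes with KMS.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (not from the deck): Multi-AZ RDS SQL Server with TDE, forced SSL and native .bak backup/restore",
  "Parameters": {
    "DbSubnetGroup":     { "Type": "String", "Description": "Existing DB subnet group over two private subnets (placeholder)" },
    "DbSecurityGroupId": { "Type": "AWS::EC2::SecurityGroup::Id" },
    "BackupRoleArn":     { "Type": "String", "Description": "Role RDS assumes to read/write .bak files in S3 (placeholder)" },
    "MasterPassword":    { "Type": "String", "NoEcho": true, "MinLength": 16 }
  },
  "Resources": {
    "SqlOptions": {
      "Type": "AWS::RDS::OptionGroup",
      "Properties": {
        "EngineName": "sqlserver-ee",
        "MajorEngineVersion": "13.00",
        "OptionGroupDescription": "TDE for encryption at rest plus native backup/restore",
        "OptionConfigurations": [
          { "OptionName": "TDE" },
          { "OptionName": "SQLSERVER_BACKUP_RESTORE",
            "OptionSettings": [ { "Name": "IAM_ROLE_ARN", "Value": { "Ref": "BackupRoleArn" } } ] }
        ]
      }
    },
    "SqlParams": {
      "Type": "AWS::RDS::DBParameterGroup",
      "Properties": {
        "Family": "sqlserver-ee-13.0",
        "Description": "Reject client connections that do not use SSL",
        "Parameters": { "rds.force_ssl": "1" }
      }
    },
    "SqlInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "Engine": "sqlserver-ee", "EngineVersion": "13.00.5426.0.v1", "LicenseModel": "license-included",
        "DBInstanceClass": "db.m4.xlarge", "AllocatedStorage": "200",
        "MultiAZ": true, "StorageEncrypted": true, "PubliclyAccessible": false,
        "MasterUsername": "dbadmin", "MasterUserPassword": { "Ref": "MasterPassword" },
        "DBSubnetGroupName": { "Ref": "DbSubnetGroup" },
        "VPCSecurityGroups": [ { "Ref": "DbSecurityGroupId" } ],
        "OptionGroupName": { "Ref": "SqlOptions" },
        "DBParameterGroupName": { "Ref": "SqlParams" },
        "BackupRetentionPeriod": 7
      }
    }
  }
}
```

With PubliclyAccessible false and the VPC security group as the only ingress path, the instance is reachable from the application subnets only; the rds.force_ssl parameter is what makes the "SSL in transit" bullet enforced rather than optional.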
34. Multi-AZ SQL Server on Amazon RDS
Diagram: within one AWS Region, a managed Amazon RDS primary in the private subnet of Availability Zone 1 and an Amazon RDS secondary in the private subnet of Availability Zone 2, using synchronous commit with automatic failover.
35. SQL Server EC2 vs. RDS: Which should I use?
EC2:
• License included or BYOL
• Full control over the instance
• Self-managed AlwaysOn Availability Groups
RDS:
• License included or BYOL
• Automated backups
• AWS-managed Multi-AZ deployment
36. What about the rest of SQL Server?
Integration Services (SSIS)
Reporting Services (SSRS)
Analysis Services (SSAS)
SQL Agent
Service Broker
Data Quality Service
Master Data Service
37. What about the rest of SQL Server?
Remember: RDS is a managed database engine.
Most tools or drivers (OLE DB, ODBC, or ADO.NET) that connect to SQL Server can connect to an RDS instance.
For example, SSIS running on EC2 or on-premises can use a connection to an RDS SQL Server (or other engine) instance as long as the network ports are properly configured.
39. AWS SDK and Tools for .NET Architecture
Diagram: a layered view of the .NET tooling. Execution platforms: .NET 3.5, .NET 4.5, Phone, Store, ASP.NET 5. AWSSDK low-level service APIs: the service clients. Higher-level utility APIs: Amazon S3 Transfer Utility, Amazon DynamoDB object persistence, VM Import, Resource API. AWS Tools: AWS Tools for Windows PowerShell, AWS Toolkit for Visual Studio, ASP.NET session provider, trace listener, and more. Every layer ultimately calls the AWS endpoints (REST API).
40. AWS Toolkit for Visual Studio
Full integration in Visual Studio; the toolkit builds on the .NET SDK
41. AWS also provides extended support
AWS Elastic Beanstalk
• Deploy from within Visual Studio/automatic log rotation to Amazon S3
AWS CodeCommit/CodePipeline/CodeDeploy
• Manage a large fleet (on-premises and cloud-based)
.NET SDK and PowerShell cmdlets
• Integration in custom build pipelines in TFS or CruiseControl.NET
AWS native integrations
• Jenkins and Bamboo have native integration with AWS
• Other IDEs also support AWS (Unity, Xamarin Studio, Eclipse…)
43. Amazon EC2 Simple Systems Manager
• EC2 Run Commands
• AWS Tools for Windows PowerShell
• Automation, Customizable, Auditable, Delegated Administration
• Leverage Amazon EC2 Simple Systems Manager
  • Auto domain join
  • No machine access
  • Full traceability
  • Fine-grained control
• http://tinyurl.com/AWS-SSM-Home
44. Windows SSM with Run Commands
• AWS-JoinDirectoryServiceDomain to join an AWS Directory
• AWS-RunPowerShellScript to run PowerShell commands or scripts
• AWS-UpdateEC2Config to update the EC2Config service
• AWS-ConfigureWindowsUpdate to configure Windows Update settings
• AWS-InstallApplication to install, repair, or uninstall software using an MSI package
• AWS-InstallPowerShellModule to install PowerShell modules
• AWS-ConfigureCloudWatch to configure Amazon CloudWatch Logs to monitor applications and systems
• AWS-ListWindowsInventory to collect information about an EC2 instance running Windows
• AWS-FindWindowsUpdates to scan an instance and determine which updates are missing
• AWS-InstallMissingWindowsUpdates to install missing updates on your EC2 instance
• AWS-InstallSpecificWindowsUpdates to install one or more specific updates
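Slides 43 and 44 describe auto domain join through SSM with no machine access and full traceability. The template below is an added example, not the deck's or AWS's own code: an instance role limited to the two SSM managed policies the agent and the domain-join document need, and a State Manager association that applies AWS-JoinDirectoryServiceDomain to every instance tagged DomainJoin=company.cloud, so no administrator ever opens a session on the box. The tag key, association name, directory placeholders and the choice of an association over a one-off Run Command invocation are assumptions.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example (not from the deck): tag-targeted domain join through SSM with a least-privilege instance role",
  "Parameters": {
    "DirectoryId":     { "Type": "String", "Description": "AWS Directory Service id, e.g. d-1234567890 (placeholder)" },
    "DirectoryName":   { "Type": "String", "Default": "company.cloud" },
    "DirectoryDnsIps": { "Type": "CommaDelimitedList", "Description": "DNS addresses of the directory (placeholder)" }
  },
  "Resources": {
    "SsmInstanceRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
          "arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess"
        ]
      }
    },
    "SsmInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": { "Roles": [ { "Ref": "SsmInstanceRole" } ] }
    },
    "DomainJoin": {
      "Type": "AWS::SSM::Association",
      "Properties": {
        "AssociationName": "join-company-cloud",
        "Name": "AWS-JoinDirectoryServiceDomain",
        "Targets": [ { "Key": "tag:DomainJoin", "Values": [ "company.cloud" ] } ],
        "Parameters": {
          "directoryId":    [ { "Ref": "DirectoryId" } ],
          "directoryName":  [ { "Ref": "DirectoryName" } ],
          "dnsIpAddresses": { "Ref": "DirectoryDnsIps" }
        }
      }
    }
  },
  "Outputs": { "InstanceProfileName": { "Value": { "Ref": "SsmInstanceProfile" } } }
}
```

Instances launched with this profile register with SSM and are joined as they appear; every invocation is recorded in the SSM command history, which is the audit trail behind the deck's "full traceability" bullet.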
47. Customer Story – Hess Corp
• Migration of multiple large Windows systems
  • Including Microsoft SQL Server, SharePoint, Exchange, Active Directory, Dynamics, and System Center with AWS MP for SCOM
  • Also SAP HANA, Documentum, Oracle Hyperion
• Three phases so far
  • First divestiture, 170 instances, 6 months
  • Second divestiture, 90 instances, 3 months
  • Now working on migrating core business
• Hybrid approach
  • Integrated networking via Direct Connect
  • Integrated authentication via ADFS on EC2 with AD on-premises
48. Customer Story – Hess Corp
• The art of the possible
  • “We haven't met a workload we can't migrate to AWS.”
  • Not always pure lift and shift. Some take tuning, some take re-architecting, but always able to get it to work.
• Evolving attitude about cloud adoption internally
  • Now there are far more supporters than detractors
  • That’s a major shift from 18 months ago
• Moving along the maturity curve
  • Looking for ways to optimize and automate
  • Right-sizing instances
  • Building test/dev environments on demand
51. Windows Track Sessions
WIN301: Bring Microsoft Applications to AWS to Save Money and Stay Licensing Compliant
Tues, Nov 29 3:30-4:30 PM Venetian H
WIN204: How to Move 1,000 VMs and Biz Critical Apps to AWS in 6 months. Edwards Lifesciences
Tues, Nov 29 3:30-4:30 PM Venetian H
WIN303: How to launch a 100k user Microsoft back office and not break a sweat
Wed, Nov 30 5:30-6:30 PM Delfino 4004
WIN304: Design, Deploy & Optimize SharePoint on AWS
Wed Nov 30 3:30-4:30 PM Venetian H
WIN305: Best Practices for Integrating Active Directory with AWS Workloads
Wed, Nov 30 5:00-6:00 PM Venetian H
WIN306: Design, Deploy & Optimize SQL Server on AWS
Thurs, Dec 1 5:30-6:30 PM Venetian H