AWS Services for Simplifying Microsoft Architectures

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Zlatan Dzinic – Senior Architect
November 29, 2016
Simplifying Microsoft
Architectures with AWS Services
WIN201

What to Expect from the Session
• Simplicity and Automation
• Microsoft Architectures on AWS and how to build them
• Identity and Access Management
• SQL Server
• Developers
• Administration

Developer platform and tools
Corporate applications Line of business
applications
End-user computing

Information security
Corporate applications End-user computingBusiness applications
Amazon EC2 for Windows,
Amazon RDS,
AWS CloudFormation,
Amazon CloudFront
EC2 for Windows,
AWS Directory Service,
RDS, Marketplace
Amazon WorkSpaces,
Amazon AppStream,
Marketplace,
AWS Mobile Services, SaaS
AWS Identity and Access Management (IAM),
AWS CloudHSM, AWS Key Management Service (KMS),
security groups, AWS Marketplace
EC2, Amazon S3, RDS, Amazon VPC,
AWS Direct Connect, Directory Service,
IAM, AWS Service Catalog
Infrastructure
AWS service offerings for Windows workloads
AWS Elastic Beanstalk,
AWS CodeDeploy,
CloudFormation
DevOps

Availability Zone
Private SubnetPublic Subnet
Availability Zone
Remote
Users
Sample
Microsoft
Architecture
Virtual Private
Gateway
Corporate
Office
IIS
App
IIS
Web
IIS
App
IIS
Web
VPN
AWS Direct
Connect
Internet
Gateway
RDGW
VPC NAT
Gateway
RDGW
VPC NAT
Gateway
AWS
Directory
Service
AWS
Directory
Service
MS
SQL
MS
SQL
Always On
Availability
Group
VPC Endpoint Amazon S3
Auto Scaling

Secure remote administration architecture
Availability Zone
Gateway Security Group Web Security Group
Accept TCP Port
443 from Admin IP
Accept traffic from
Gateway SG
AWS Administrator
Corporate Data Center
WEB2
TCP 443 WEB1
RDGW
Requires one connection:
• Connect to the RD Gateway, and the gateway proxies the RDP or PowerShell connection to the back-
end instance.

Microsoft Enterprise Applications

Shared Service VPC
• Best suited for:
• The majority of your infrastructure is (or
will be) on AWS
• The required on-premises resources are
easy to replicate or proxy (e.g., Active
Directory, System Center, central SQL
farm)
• You prefer to limit VPN traffic
• Strong security or compliance programs
require additional application-level
controls and proxy servers between their
AWS and on-premises resources (e.g.,
application-layer firewalls)

CloudFormation – Infrastructure as a Code
Basic standard in AWS for automating
deployment of resources
CloudFormation template
• JSON-formatted document that describes a
configuration to be deployed in an AWS
account
• When deployed, refers to a “stack” of
resources
• Bootstrapping AWS CloudFormation
Windows Stacks, http://tinyurl.com/aws-
win-boot
AWS
CloudFormation

AWS CloudFormation Designer
• Visualize template
resources
• Modify template with drag-
and-drop gestures
• Customize sample
templates

The Work* Services
WorkDocs
Secure enterprise
document collaboration
WorkSpaces
Virtual desktops
Secure access from anywhere
Monthly pricing
Central sync, document feedback
Secure access from anywhere
S3
WorkSpaces Application
Manager
Virtual applications
Centralized application deployment
Monthly subscription options
WorkMail
Secure email and
calendaring
Strong security controls
Existing desktop, mobile support
Directory Service
Managed directories
Simple AD, AD Connector, Microsoft AD

Run Windows Server 2016 on Amazon EC2
• Windows Server 2016 Datacenter with Desktop
Experience
• Windows Server 2016 Nano Server
• Windows Server 2016 with Containers
• docker run microsoft/sample-dotnet
• Windows Server 2016 with SQL Server 2016

Identity and Access
Management

AWS Identity and Access Management (IAM)
Role-based
access control
Multi-factor
authentication
Integrated with all
AWS services
IAM roles

Common Approaches
• Active Directory
• AWS Directory Services
• Federation
• Federation to AWS services
• Federation to Microsoft Workloads
• Claims based access control
• SSO
• ADFS 4.0, Ping Federate, Okta
• Kerberos

Single domain extended to multiple sites
Availability Zone B
Private subnet
DC4
Corporate Network
Munich
DC1
Berlin
DC2
Cost 50
Availability Zone A
Private subnet
DC3
Cost 10
company.local
company.local
One single identity, data center extension mode
(rely on Active Directory sites, read-only or not)
VPN
AWS Direct
Connect

One subdomain per site
Availability Zone B
Private subnet
DC4
Corporate Network
Munich
DC1
Berlin
DC2
company.local
Availability Zone A
Private subnet
DC3
cloud.company.local
Isolated subset of the directory, single identity for users
(Active Directory domains in a single forest)
VPN
AWS Direct
Connect

One forest per site and trust
Availability Zone B
Private subnet
DC4
Corporate Network
Munich
DC1
Berlin
DC2Availability Zone A
Private subnet
DC3 company.local
company.cloud
Separate directories, single identity
(Cross-forest/resource forest with trust)
AWS Directory Service
company.cloud
VPN
AWS Direct
Connect

User identity federation with AWS IAM
AD Users
Enterprise
Applications
Corporate
Systems
AWS IAM
IAM roles
EC2
Amazon
DynamoDB
S3

Active Directory Deployments - Isolated domains
Availability Zone B
Private subnet
DC4
Corporate Network
Munich
DC1
Berlin
DC2Availability Zone A
Private subnet
DC3
company.cloud
company.local
Federation/
synchronization
Separate identities with synchronization/federation
 solutions such as AD FS, Okta, PingFederate
company.cloud
VPN
AWS Direct
Connect

AD FS Scenarios
• Fully implemented AD FS
• Core authentication services exposed to the Internet by
AD FS proxy
• Firewall-published AD FS
• Firewall exposes core authentication services to the Internet by
reverse proxy
• Non-published AD FS
• Server farm isn't exposed to the Internet by any method.
• VPN-published AD FS
• Internet clients connect to and use AD FS services only through a
virtual private network (VPN) connection to the on-premises network
environment.

Active Directory Federation Services
Private subnet
DC4
Corporate Network
Munich
DC1
Berlin
DC2
Private subnet
DC3
company.cloud
company.local
Federation/
synchronization
company.cloud
VPN
AWS Direct
Connect
ADFS ADFS
Public subnetPublic subnet
Web
App
Proxy
Web
App
Proxy
Availability Zone A Availability Zone B

SQL Server on Amazon EC2
 Licensing Options
 Purchase an Amazon Machine Instance (AMI) that includes
Windows and SQL Server
 Purchase a Windows AMI and install SQL Server yourself
(BYOL)
 Windows or Mixed Authentication
 You manage the virtual machine security, storage,
network ports, etc.
 Full SQL Server sysadmin privileges

SQL Server HA/DR on EC2
 Windows clusters can span Availability Zones or
regions*
 Mirroring
 AlwaysOn Availability Groups
 Transaction Log Shipping
 Failover Cluster Instance*
* Some configurations require third-party tools.

Multi-AZ AlwaysOn Availability Group
Availability Zone 1
Private Subnet
EC2
Primary
Replica
Availability Zone 2
Private Subnet
EC2
Secondary
Replica
Synchronous Commit
Automatic Failover
AWS Region

Multi-Region AlwaysOn Availability Group
Availability Zone 1
Private Subnet
EC2
Primary
Replica
Primary: 10.0.2.100
WSFC: 10.0.2.101
AG Listener: 10.0.2.102
AWS Region A
Availability Zone 2
Private Subnet
EC2
Secondary
Replica
Primary: 10.0.3.100
WSFC: 10.0.3.101
Availability Zone 1
Private Subnet
EC2
Secondary
Replica
Primary: 10.1.2.100
WSFC: 10.1.2.101
Synchronous Commit
Automatic Failover
AWS Region B
Asynchronous Commit
Manual Failover
Elastic IP Elastic IP
VPN

Failover Cluster Instance
Amazon EBS Amazon EBS
Availability Zone 1
Private Subnet
EC2
Primary
Node
Availability Zone 2
Private Subnet
EC2
Secondary
Node
AWS Region
Data Replication
SoftNAS / SIOS

What is Amazon RDS?
 Managed database service
 Automatic patching, backups, mirroring, etc.
 Automatic Host Replacement protects you in the event of a
hardware failure.
 6 database engines to choose from: Amazon Aurora,
Oracle, PostgreSQL, MySQL, MariaDB, and SQL Server
 License-included and BYOL options available

SQL Server on Amazon RDS
 Up to 30 databases per instance
 Windows or Mixed Authentication
 Optional managed Multi-AZ deployment for high
availability
 Transparent Data Encryption for encryption at rest and
the use of SSL to secure data in transit
 Native backup and restore for Microsoft SQL Server
databases using full backup files (.bak files)

SQL Server HA/DR on RDS
 Spans Availability Zones
 Automatic Failover
 Automatic Host Replacement
 Automatic Backups
 Automatic Software Patching (can be disabled)

Multi-AZ SQL Server on Amazon RDS
Availability Zone 1
Private Subnet
Availability Zone 2
Private Subnet
Synchronous Commit
Automatic Failover
AWS Region
Amazon
RDS
Primary
Amazon
RDS
Secondary
Managed Service

SQL Server EC2 vs. RDS: Which should I use?
EC2 RDS
License included  
BYOL  
Full control over the instance 
Automated backups 
Self-managed AlwaysOn Availability Groups 
AWS-managed Multi-AZ deployment 

What about the rest of SQL Server?
 Integration Services (SSIS)
 Reporting Services (SSRS)
 Analysis Services (SSAS)
 SQL Agent
 Service Broker
 Data Quality Service
 Master Data Service

What about the rest of SQL Server?
 Remember: RDS is a managed database engine.
 Most tools or drivers (OLE DB, ODBC, or ADO.NET) that
connect to SQL Server can connect to an RDS instance.
 For example, SSIS running on EC2 or on-premises can
use a connection to an RDS SQL Server (or other
engine) instance as long as the network ports are
properly configured.

AWS SDK and Tools for .NET ArchitectureEXECUTION
PLATFORM
AWSSDK
LOW-
LEVEL
SERVICE
APIS
AWS
TOOLS
HIGHER-
LEVEL
UTILITY
APIS
.NET 3.5 .NET 4.5 PHONE STORE
SERVICE CLIENTS
AMAZON S3
TRANSFER UTILITY
AMAZON
DYNAMODB OBJECT
PERSISTENCE
VM IMPORT RESOURCE API
AWS TOOLS FOR
WINDOWS
POWERSHELL
AWS TOOLKIT FOR
VISUAL STUDIO
ASP.NET SESSION
PROVIDER
TRACE LISTENER
…
AWS ENDPOINTS: REST API
ASP.NET 5

AWS Toolkit for Visual Studio
Full integration in Visual Studio
AWS Toolkit
for Visual
Studio
.NET SDK

AWS also provides extended support
AWS Elastic Beanstalk
• Deploy from within Visual Studio/automatic log rotation to Amazon S3
AWS CodeCommit/CodePipeline/CodeDeploy
• Manage a large fleet (on-premises and cloud-based)
.NET SDK and PowerShell cmdlets
• Integration in custom build pipelines in TFS or CruiseControl.NET
AWS native integrations
• Jenkins, Bamboo have native integration to AWS
• Other IDE support AWS (Unity, Xamarin Studio, Eclipse…)

Amazon EC2 Simple Systems Manager
• EC2 Run Commands
• AWS Tools for Windows PowerShell
• Automation, Customizable, Auditable, Delegated Administration
• Leverage Amazon EC2 Simple Systems Manager
• Auto domain join
• No machine access
• Full traceability
• Fine-grained control
• http://tinyurl.com/AWS-SSM-Home
PowerShell
Integration
Amazon EC2
Run Commands
SSM

Windows SSM with Run Commands
• AWS-JoinDirectoryServiceDomain to join an AWS Directory
• AWS-RunPowerShellScript to run PowerShell commands or scripts
• AWS-UpdateEC2Config to update the EC2Config service
• AWS-ConfigureWindowsUpdate to configure Windows Update settings
• AWS-InstallApplication to install, repair, or uninstall software using an MSI package
• AWS-InstallPowerShellModule to install PowerShell modules
• AWS-ConfigureCloudWatch to configure Amazon CloudWatch Logs to monitor applications and
systems
• AWS-ListWindowsInventory to collect information about an EC2 instance running in Windows
• AWS-FindWindowsUpdates to scan an instance and determine which updates are missing
• AWS-InstallMissingWindowsUpdates to install missing updates on your EC2 instance
• AWS-InstallSpecificWindowsUpdates to install one or more specific updates

Monitoring
• CloudWatch
• CloudTrail
• Config
• VPC Flow Logs
• Trusted Advisor Amazon
CloudWatch
AWS
CloudTrail
AWS
Config
AWS Trusted
Advisor
Flow logs
Amazon
VPC
AWS
Lambda
Amazon
Kinesis
AWS
Service Catalog
Amazon
Elasticsearch Service
Amazon
QuickSight

Customer Story – Hess Corp
Bill Rothe, VP Enterprise Systems

• Migration of multiple large Windows systems
• Including Microsoft SQL Server, SharePoint, Exchange, Active
Directory, Dynamics, and System Center with AWS MP for SCOM
• Also SAP HANA, Documentum, Oracle Hyperion
• Three phases so far
• First divestiture, 170 instances, 6 months
• Second divestiture, 90 instances, 3 months
• Now working on migrating core business
• Hybrid approach
• Integrated networking via Direct Connect
• Integrated authentication via ADFS on EC2 with AD on-premises

• The art of the possible
• “We haven't met a workload we can't migrate to AWS.”
• Not always pure lift and shift. Some take tuning, some take
re-architecting, but always able to get it to work.
• Evolving attitude about cloud adoption internally
• Now there are far more supporters than detractors
• That’s a major shift from 18mo ago
• Moving along the maturity curve
• Looking for ways to optimize and automate
• Right-sizing instances
• Building text/dev environments on demand

Remember to complete
your evaluations!

Windows Track Sessions
WIN301: Bring Microsoft Applications to AWS to Save Money and Stay Licensing Compliant
Tues, Nov 29 3:30-4:30 PM Venetian H
WIN204: How to Move 1,000 VMs and Biz Critical Apps to AWS in 6 months. Edwards Lifesciences
Tues, Nov 29 3:30-4:30 PM Venetian H
WIN303: How to launch a 100k user Microsoft back office and not break a sweat
Wed, Nov 30 5:30-6:30 PM Delfino 4004
WIN304: Design, Deploy & Optimize SharePoint on AWS
Wed Nov 30 3:30-4:30 PM Venetian H
WIN305: Best Practices for Integrating Active Directory with AWS Workloads
Wed, Nov 30 5:00-6:00 PM Venetian H
WIN306: Design, Deploy & Optimize SQL Server on AWS
Thurs, Dec 1 5:30-6:30 PM Venetian H

AWS Services for Simplifying Microsoft Architectures

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (20)

Semelhante a AWS Services for Simplifying Microsoft Architectures

Semelhante a AWS Services for Simplifying Microsoft Architectures (20)

Mais de Amazon Web Services

Mais de Amazon Web Services (20)

Último

Último (20)

AWS Services for Simplifying Microsoft Architectures