Best Practices for Deploying Microsoft Workloads on AWS

  1. Best Practices for Deploying Microsoft Workloads on AWS. Julien Lépine, Solutions Architect, AWS EMEA. June 16th, 2016.
  2. Identity Best Practices
  3. Main identity topics
     • Infrastructure identity management: AWS Identity and Access Management
     • Server / application identity management: AWS Directory Services (Samba or Active Directory)
     • Federation: AWS Security Token Service
  4. AWS Identity and Access Management (IAM)
     • Role-based access control
     • Multi-factor authentication
     • Integrated with all AWS services
     • IAM roles
  5. Isolated domains: separate identities with synchronization / federation. Use partners such as Okta; the AWS-side domain can be hosted by AWS Directory Services.
     Diagram: the corporate network (Tel Aviv DC1, Jerusalem DC2, domain company.local) connects over Direct Connect to AWS, where Availability Zone A and Availability Zone B each hold a private subnet with a domain controller (DC3, DC4) for a separate domain, company.cloud; identities are synchronized or federated between company.local and company.cloud.
  6. Single domain extended to multiple sites: one single identity, data-center extension mode (relies on Active Directory sites; the domain controllers in AWS can be read-only or writable).
     Diagram: company.local spans the corporate network (Tel Aviv DC1, Jerusalem DC2) and, over Direct Connect, Availability Zone A (private subnet, DC3) and Availability Zone B (private subnet, DC4); the site links are labelled with costs 50 and 10.
  7. One sub-domain per site: an isolated subset of the directory with a single identity for users (Active Directory domains in a single forest).
     Diagram: company.local on the corporate network (Tel Aviv DC1, Jerusalem DC2); a child domain cloud.company.local in AWS with DC3 in Availability Zone A and DC4 in Availability Zone B (private subnets), connected over Direct Connect.
  8. One forest per site and trust: separate directories, single identity (cross-forest / resource forest with trust). The AWS-side forest, company.cloud, can be hosted by AWS Directory Services.
     Diagram: company.local on the corporate network (Tel Aviv DC1, Jerusalem DC2); a separate forest company.cloud in AWS (DC3 in Availability Zone A, DC4 in Availability Zone B, private subnets), linked to company.local by a trust over Direct Connect.
  9. User identity federation with AWS IAM
     Diagram: AD users authenticate against the corporate Active Directory, which also serves enterprise applications and corporate systems; federation maps them to IAM roles in AWS Identity and Access Management, and the roles grant access to Amazon EC2, Amazon DynamoDB and Amazon S3.
  10. Federated API and CLI access using ADFS
     • ADFS: http://tinyurl.com/AWS-ADFS-SAML
     • CLI: http://tinyurl.com/AWS-ADFS-CLI
     • AWS Tools for Windows PowerShell
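The three IAM features on slide 4 (roles, MFA, least-privilege policy) fit into one role definition. The following is an added example written for this page with AWS Tools for Windows PowerShell, not code from the deck; the account ID, role name, bucket name and MFA device name are placeholders.

```powershell
# Added example (not from the deck): an IAM role that can only be assumed when the
# caller presents MFA, granting read-only access to a single bucket.
Import-Module AWSPowerShell

$accountId  = '123456789012'          # assumption: account that owns the role
$roleName   = 'OpsReadOnly'           # assumption
$bucketName = 'company-ops-artifacts' # assumption

# Trust policy: principals in this account may assume the role, but only when the
# calling session carries an MFA claim. A missing aws:MultiFactorAuthPresent key
# makes the Bool condition evaluate false, so plain access keys are refused.
$trustPolicy = @"
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::$accountId:root" },
    "Action": "sts:AssumeRole",
    "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
  }]
}
"@

# Permissions policy: list and read on one bucket, nothing else.
$permissionsPolicy = @"
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::$bucketName" },
    { "Effect": "Allow", "Action": "s3:GetObject",  "Resource": "arn:aws:s3:::$bucketName/*" }
  ]
}
"@

$role = New-IAMRole -RoleName $roleName -AssumeRolePolicyDocument $trustPolicy
Write-IAMRolePolicy -RoleName $roleName -PolicyName 'ReadOpsArtifacts' -PolicyDocument $permissionsPolicy

# Check: assuming the role with the current (non-MFA) credentials must be refused.
try {
    Use-STSRole -RoleArn $role.Arn -RoleSessionName 'no-mfa-check' | Out-Null
    Write-Warning 'AssumeRole succeeded without MFA; the trust policy is not enforcing aws:MultiFactorAuthPresent'
} catch {
    Write-Host "AssumeRole refused without MFA, as intended: $($_.Exception.Message)"
}

# With MFA: pass the device ARN and the current code. The condition is satisfied
# because STS records the MFA claim on the AssumeRole call itself.
$mfaDevice = "arn:aws:iam::$accountId:mfa/alice"   # assumption
$creds = Use-STSRole -RoleArn $role.Arn -RoleSessionName 'ops' -SerialNumber $mfaDevice -TokenCode (Read-Host 'MFA code')
Write-Host "Session valid until $($creds.Credentials.Expiration)"
```

Run this with credentials that can create roles in the account; the final Use-STSRole prompts for the TOTP code and returns temporary credentials that expire with the session, so nothing long-lived is issued for the role.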
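The federation flow that slides 9 and 10 reference (ADFS issues a SAML assertion carrying AWS role ARNs; STS exchanges it for temporary credentials) is shown below as an added example for this page, not code from the deck or from the linked posts. The ADFS hostname, the relying-party identifier urn:amazon:webservices, the form field name SAMLResponse and the choice of the first listed role are assumptions about a standard ADFS-to-AWS setup.

```powershell
# Added example (not from the deck): obtain temporary AWS credentials from an
# ADFS SAML assertion with AWS Tools for Windows PowerShell.
Import-Module AWSPowerShell

$adfsHost = 'sts.company.local'   # assumption
$idpUrl   = "https://$adfsHost/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices"

# 1. Windows-integrated sign-on to the IdP-initiated endpoint. ADFS answers with an
#    HTML form that would auto-post the SAMLResponse field to the AWS sign-in page.
$page = Invoke-WebRequest -Uri $idpUrl -UseDefaultCredentials -UseBasicParsing
if ($page.Content -match 'name="SAMLResponse"\s+value="([^"]+)"') {
    $samlResponse = [System.Net.WebUtility]::HtmlDecode($Matches[1])
} else {
    throw 'No SAMLResponse in the ADFS reply (relying party not configured, or sign-on failed)'
}

# 2. Decode the assertion and read the AWS Role attribute. Each value is
#    "<role ARN>,<SAML provider ARN>"; a user may be entitled to several roles.
[xml]$saml = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($samlResponse))
$roleAttr  = $saml.Response.Assertion.AttributeStatement.Attribute |
             Where-Object { $_.Name -eq 'https://aws.amazon.com/SAML/Attributes/Role' }
$roles = @($roleAttr.AttributeValue | ForEach-Object {
    $text = if ($_ -is [string]) { $_ } else { $_.'#text' }   # typed values come back as elements
    $pair = $text.Trim() -split ','
    [pscustomobject]@{ RoleArn = $pair[0]; PrincipalArn = $pair[1] }
})
if ($roles.Count -eq 0) { throw 'Assertion carries no AWS role; check the ADFS claim rules' }

# 3. Exchange the assertion for credentials. STS verifies the IdP signature against
#    the SAML provider registered in IAM, so the client does not validate it itself.
$chosen = $roles[0]   # assumption: first role; prompt the user when there are several
$creds  = Use-STSRoleWithSAML -SAMLAssertion $samlResponse `
                              -RoleArn $chosen.RoleArn `
                              -PrincipalArn $chosen.PrincipalArn `
                              -DurationInSeconds 3600

# 4. Store as a named profile for the AWS cmdlets and CLI-style use. The keys are
#    temporary, so nothing long-lived is written to disk.
Set-AWSCredential -AccessKey $creds.Credentials.AccessKeyId `
                  -SecretKey $creds.Credentials.SecretAccessKey `
                  -SessionToken $creds.Credentials.SessionToken `
                  -StoreAs 'adfs-federated'
Write-Host "Federated as $($creds.AssumedRoleUser.Arn) until $($creds.Credentials.Expiration)"
```

Two caveats: if ADFS is configured to encrypt assertions the document contains an EncryptedAssertion element rather than Assertion, and the role list must then be taken from the STS response instead; and the requested duration cannot exceed the role's maximum session duration, so a longer value is rejected by STS rather than silently shortened.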
  11. SQL Server
  12. SQL Server high availability
     Diagram: an Availability Group with a primary replica in Availability Zone 1 (private subnet; primary 10.0.2.100, WSFC 10.0.2.101, AG listener 10.0.2.102) and a secondary replica in Availability Zone 2 (private subnet; secondary 10.0.3.100, WSFC 10.0.3.101, AG listener 10.0.3.102), synchronous-commit with automatic failover. Each subnet has its own cluster and listener address; the listener is published as ag.awslabs.net.
  13. WSFC quorum
     Diagram: primary replica in Availability Zone 1, secondary replica in Availability Zone 2, automatic failover; the quorum component is provided by a partner product (SoftNAS / SIOS).
  14. WSFC quorum with a witness server
     Diagram: primary replica in Availability Zone 1, secondary replica in Availability Zone 2, automatic failover; the witness server is placed in a third Availability Zone 3, so the loss of any single zone still leaves a majority of votes.
  15. SQL Server HA with readable replica
     Diagram: primary replica in Availability Zone 1 and secondary replica 1 in Availability Zone 2 (private subnets), synchronous-commit with automatic failover behind AG listener ag.awslabs.net; a second secondary replica (readable), asynchronous-commit, serves a reporting application.
  16. SQL Server disaster recovery & backup
     Diagram: primary replica in Availability Zone 1 and secondary replica 1 in Availability Zone 2 (private subnets) with automatic failover behind AG listener ag.awslabs.net; secondary replica 2 (readable) sits in the corporate network over VPN with manual failover, serves a reporting application and is the source for backups.
  17. Amazon RDS for SQL Server
     ■ AD integrated
     ■ Automated failover
     ■ Automated patching
     ■ Automated backup
     ■ Point-in-time recovery
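The quorum on slide 14 and the two-subnet listener on slide 12 are the two pieces that usually go wrong in a cross-AZ cluster. The following is an added example for this page (not from the deck) using the FailoverClusters and SqlServer PowerShell modules; the cluster name, AG name, witness share, the assumption that the script runs on the primary node's default instance, and the /24 masks are placeholders matching the diagram.

```powershell
# Added example (not from the deck): quorum and multi-subnet listener for the
# two-AZ Availability Group on slides 12 and 14. Run on one cluster node as a
# domain account with rights on the cluster and the SQL Server instances.
Import-Module FailoverClusters
Import-Module SqlServer

$clusterName  = 'SQLCLUSTER'                         # assumption
$agName       = 'AG1'                                # assumption
$witnessShare = '\\witness.company.local\SqlWitness' # assumption: file share on a host in AZ 3

# 1. Quorum: node majority plus a file-share witness in a third AZ. With two nodes
#    and one witness, losing any single AZ still leaves two votes out of three.
Set-ClusterQuorum -Cluster $clusterName -NodeAndFileShareMajority $witnessShare

# Check that the witness is actually online before relying on it.
$quorum = Get-ClusterQuorum -Cluster $clusterName
if ($null -eq $quorum.QuorumResource -or $quorum.QuorumResource.State -ne 'Online') {
    throw "Witness '$witnessShare' is not online; a single-AZ failure could stall the cluster"
}

# 2. Listener with one static IP per subnet (slide 12: 10.0.2.102 in AZ 1,
#    10.0.3.102 in AZ 2). The cluster brings online only the IP that belongs to
#    the subnet where the primary currently runs.
New-SqlAvailabilityGroupListener -Name 'ag' `
    -StaticIp '10.0.2.102/255.255.255.0', '10.0.3.102/255.255.255.0' `
    -Port 1433 `
    -Path "SQLSERVER:\SQL\$env:COMPUTERNAME\DEFAULT\AvailabilityGroups\$agName"

# 3. A multi-subnet listener registers both IPs in DNS (RegisterAllProvidersIP=1).
#    Clients must set MultiSubnetFailover=True so the driver tries both addresses
#    in parallel instead of timing out on the one that is offline; Encrypt=True
#    keeps the connection from falling back to clear text across subnets.
$connectionString = 'Server=ag.awslabs.net;Database=App;Integrated Security=SSPI;MultiSubnetFailover=True;Encrypt=True'
Write-Host "Application connection string: $connectionString"
```

If the witness share is hosted in one of the two database AZs instead of a third, the design on slide 14 collapses back to slide 13: a failure of that AZ removes two of three votes and the surviving node loses quorum.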
  18. Server Products
  19. Core Infra
  20. Exchange
  21. SharePoint
  22. All-in-one reference architecture
     Diagram: VPC CIDR 10.0.0.0/16. Availability Zone 1 (10.0.0.0/19): private subnets with Active Directory DC1 10.0.0.10, SQL Server DB1 (10.0.0.100, 10.0.0.101, 10.0.0.102), SharePoint Server SP1 10.0.0.140, Exchange Server Exch1 10.0.0.150 and Lync Server FE1 10.0.0.160, plus a 10.0.32.0/20 subnet with a NAT instance and an RD Gateway (RDG). Availability Zone 2 (10.0.64.0/19): Active Directory DC2 10.0.64.10, SQL Server DB2 (10.0.64.100, 10.0.64.101, 10.0.64.102), SharePoint Server SP2 10.0.64.140, Exchange Server Exch2 10.0.64.150 and Lync Server FE2 10.0.64.160, plus a 10.0.96.0/20 subnet with NAT and RDG. Remote users and admins enter through the RD Gateways; the on-premises datacenter connects over VPN or Direct Connect. (The diagram also labels a 10.0.2.0/24 subnet in each zone.)
  23. Going beyond infrastructure
     • SharePoint BLOB storage on S3
     • Export mails to Amazon S3
     • AWS Marketplace: on-demand, license-included or BYOL SharePoint (http://tinyurl.com/AWS-SPS-MP)
     • Quick Starts: http://tinyurl.com/AWS-MS-QS
  24. Developers
  25. AWS SDK and Tools for .NET architecture
     Diagram (layers, bottom to top): AWS endpoints (REST API); execution platforms .NET 3.5, .NET 4.5, Phone and Store; the AWSSDK low-level service APIs (service clients); higher-level utility APIs (Amazon S3 TransferUtility, Amazon DynamoDB object persistence, VM Import, Resource API); AWS tools (AWS Tools for Windows PowerShell, AWS Toolkit for Visual Studio, ASP.NET session provider, trace listener).
  26. AWS Toolkit for Visual Studio: full integration in Visual Studio
  27. Blob storage in Amazon S3 (C#, AWS SDK for .NET)

    using System.IO;
    using Amazon.S3;
    using Amazon.S3.Model;

    var bucketName = "<BucketName>";
    var fileName = "<FileName>";
    // Credentials come from the SDK chain (instance profile or credential store), never from code
    var s3Client = new AmazonS3Client();

    // Write data to Amazon S3
    using (var fileStream = File.OpenRead(fileName))
    {
        s3Client.PutObject(new PutObjectRequest
        {
            BucketName = bucketName,
            Key = fileName,
            InputStream = fileStream,
            ServerSideEncryptionMethod = ServerSideEncryptionMethod.AES256 // encrypt at rest (SSE-S3)
        });
    }

    // Read data from Amazon S3; disposing the response releases the HTTP stream
    using (var s3Object = s3Client.GetObject(bucketName, fileName))
    using (var reader = new StreamReader(s3Object.ResponseStream))
    {
        var content = reader.ReadToEnd();
    }

  28. Loose coupling sets you free (C#, Amazon SQS)

    using Amazon.SQS;
    using Amazon.SQS.Model;

    var queueUrl = "https://sqs.<region>.amazonaws.com/<AcctNum>/<QueueName>";
    var sqsClient = new AmazonSQSClient();

    // Send to Amazon SQS
    sqsClient.SendMessage(queueUrl, "My Message Data");

    // Process Amazon SQS
    var exit = false;
    while (!exit)
    {
        // Long-poll for up to 20 s instead of spinning on empty responses
        var messages = sqsClient.ReceiveMessage(new ReceiveMessageRequest { QueueUrl = queueUrl, WaitTimeSeconds = 20 });
        foreach (var message in messages.Messages)
        {
            // Process the message, then delete it; an undeleted message reappears after the visibility timeout
            sqsClient.DeleteMessage(queueUrl, message.ReceiptHandle);
        }
    }

  29. AWS also provides extended support
     • AWS Elastic Beanstalk: deploy from within Visual Studio; automatic log rotation to Amazon S3
     • AWS CodeCommit / CodePipeline / CodeDeploy: manage a large (on-premises and cloud-based) fleet
     • .NET SDK and PowerShell cmdlets: integration in custom build pipelines in TFS or CruiseControl.NET
     • AWS is the de-facto standard: Jenkins and Bamboo have native integration with AWS; other IDEs support AWS (Unity, Xamarin Studio, Eclipse…)
  30. DevOps
  31. Secure remote administration architecture
     Diagram: a public subnet holds an RD Gateway (RDGW) in a Gateway Security Group that accepts TCP port 443 only from the administrator's IP (the AWS administrator in the corporate data center); a private subnet holds WEB1 and WEB2 in a Web Security Group that accepts traffic only from the Gateway Security Group. Requires one connection: connect to the RD Gateway over TCP 443, and the gateway proxies the RDP or PowerShell connection to the back-end instance.
  32. One step further: go DevOps
     • AWS Tools for Windows PowerShell
     • Leverage AWS Simple Systems Manager (SSM): auto domain join, no machine access, full traceability, fine-grained control
     • http://tinyurl.com/AWS-SSM-Home
  33. Automated log management
     Diagram: logs from Amazon EC2 are collected in Amazon CloudWatch Logs and fanned out through AWS Lambda and Amazon Kinesis to Amazon Elasticsearch Service and Amazon S3.
  34. Automation for every use case
     Diagram: a continuum from IaaS* (Amazon EC2, AWS CloudFormation) through DevOps automation (AWS OpsWorks) to PaaS* (AWS Elastic Beanstalk, AWS Lambda). * Definition may vary.
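The two security groups on slide 31 are easy to describe and easy to get wrong (a 0.0.0.0/0 on the gateway, or 3389 opened to the whole VPC). The following is an added example for this page, not code from the deck, building them with AWS Tools for Windows PowerShell; the VPC ID, the administrator's /32 and the choice of 3389 (RDP) and 5986 (WinRM over HTTPS) as the ports the gateway proxies are assumptions.

```powershell
# Added example (not from the deck): gateway and web security groups from slide 31.
Import-Module AWSPowerShell

$vpcId   = 'vpc-0123456789abcdef0' # assumption
$adminIp = '203.0.113.10/32'        # assumption: administrator's public IP, a /32 rather than 0.0.0.0/0

function New-IngressRule([string]$Protocol, [int]$Port, [string]$Cidr, [string]$SourceGroupId) {
    # Helper: one ingress rule for a single port, from either a CIDR or another security group.
    $perm = New-Object Amazon.EC2.Model.IpPermission
    $perm.IpProtocol = $Protocol; $perm.FromPort = $Port; $perm.ToPort = $Port
    if ($Cidr) {
        $range = New-Object Amazon.EC2.Model.IpRange; $range.CidrIp = $Cidr
        $perm.Ipv4Ranges.Add($range)
    }
    if ($SourceGroupId) {
        $pair = New-Object Amazon.EC2.Model.UserIdGroupPair; $pair.GroupId = $SourceGroupId
        $perm.UserIdGroupPairs.Add($pair)
    }
    return $perm
}

# Gateway SG (public subnet): TCP 443 from the admin IP only. The RD Gateway
# terminates TLS here; 3389 is never exposed to the Internet.
$gwSg = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'rdgw-sg' -Description 'RD Gateway: HTTPS from admins'
Grant-EC2SecurityGroupIngress -GroupId $gwSg -IpPermission (New-IngressRule 'tcp' 443 $adminIp $null)

# Web SG (private subnet): only the ports the gateway proxies, and only from the
# gateway SG. Referencing the group rather than its IPs keeps the rule valid when
# the gateway is replaced or scaled.
$webSg = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'web-sg' -Description 'Web tier: RDP/WinRM from RD Gateway only'
foreach ($port in 3389, 5986) {   # assumption: RDP and PowerShell remoting over WinRM HTTPS
    Grant-EC2SecurityGroupIngress -GroupId $webSg -IpPermission (New-IngressRule 'tcp' $port $null $gwSg)
}

# Check: neither group may admit the whole Internet on any port.
$open = Get-EC2SecurityGroup -GroupId $gwSg, $webSg |
        ForEach-Object { $_.IpPermissions } |
        Where-Object { $_.Ipv4Ranges.CidrIp -contains '0.0.0.0/0' }
if ($open) { throw 'A security group admits 0.0.0.0/0; tighten it before placing instances behind it' }
Write-Host "Gateway SG $gwSg and web SG $webSg created"
```

The final check is worth keeping as a periodic audit rather than a one-off: a later "temporary" rule that opens 3389 from 0.0.0.0/0 on the web group silently defeats the gateway.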
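Slide 32's "no machine access, full traceability" is concrete once the domain join and routine administration go through SSM Run Command instead of an RDP session. The following is an added example for this page, not code from the deck; the instance ID and directory ID are placeholders, and the DNS addresses are the domain controllers drawn on slide 22.

```powershell
# Added example (not from the deck): domain join and remote administration through
# AWS Systems Manager Run Command. The instance profile must allow the SSM agent
# to register with the service.
Import-Module AWSPowerShell

$instanceId  = 'i-0123456789abcdef0'         # assumption
$directoryId = 'd-1234567890'                # assumption: AWS Directory Service directory
$domainName  = 'company.cloud'               # assumption
$dnsServers  = @('10.0.0.10', '10.0.64.10')  # domain controllers from slide 22

function Wait-SSMCommand([string]$CommandId, [string]$InstanceId) {
    # Poll until the invocation leaves its transient states, then return its detail
    # (Status, StandardOutputContent, StandardErrorContent). SSM keeps the same
    # record, so the result can be reviewed later without touching the instance.
    do {
        Start-Sleep -Seconds 5
        $inv = Get-SSMCommandInvocationDetail -CommandId $CommandId -InstanceId $InstanceId
    } while ($inv.Status -in 'Pending', 'InProgress', 'Delayed')
    return $inv
}

# 1. Domain join with the AWS-JoinDirectoryServiceDomain document. The join is
#    brokered by Directory Service, so no domain credential appears in the script
#    or in user data.
$join = Send-SSMCommand -InstanceId $instanceId `
            -DocumentName 'AWS-JoinDirectoryServiceDomain' `
            -Parameter @{ directoryId = $directoryId; directoryName = $domainName; dnsIpAddresses = $dnsServers } `
            -Comment 'Domain join via SSM'
$joinResult = Wait-SSMCommand $join.CommandId $instanceId
if ($joinResult.Status -ne 'Success') { throw "Domain join failed: $($joinResult.StandardErrorContent)" }

# 2. Routine administration: run a script remotely instead of logging on. The
#    SendCommand call, its parameters and the calling IAM identity are recorded in
#    CloudTrail, which is what 'full traceability' means in practice.
$cmd = Send-SSMCommand -InstanceId $instanceId `
           -DocumentName 'AWS-RunPowerShellScript' `
           -Parameter @{ commands = @('Get-Service -Name W3SVC | Select-Object Status',
                                      'Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5') } `
           -Comment 'Health check'
$result = Wait-SSMCommand $cmd.CommandId $instanceId
Write-Host "Status: $($result.Status)`n$($result.StandardOutputContent)"
```

Fine-grained control comes from IAM: restrict ssm:SendCommand to specific documents and to instances carrying a tag, and the same administrator can run a health check but not an arbitrary script.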
  35. Licensing
  36. License Mobility through Software Assurance
     License Mobility is a Microsoft program that allows customers to move their existing licenses from on-premises to the cloud.
     • Leverage their Enterprise Agreement
     • Must have Software Assurance
  37. Microsoft workloads on AWS
     • Pay-as-you-go (AMI pricing provides access to the software): Windows Server; SQL Server Standard; SQL Server Web; SQL Server Enterprise
     • Leverage Microsoft's License Mobility program (BYOL): SQL Server; SharePoint Server; Exchange; Lync; RDS (Remote Desktop Services); Dynamics
     • Leverage Dedicated Hosts: Windows Server; SQL Server (no SA); SharePoint (no SA); Exchange (no SA); Lync (no SA); Dynamics (no SA)
  38. Licensing continuum
     • License Included: Amazon manages the licenses; pay-as-you-go pricing; multi-tenant or dedicated; no license-management overhead
     • Hybrid: baseline in BYOL; leverage scalability and pay-as-you-go where applicable; limit management overhead
     • BYOL: import and use your own software; reduce your spend if you already pay an ISV for licensing; you manage licensing costs and compliance with your ISV; committed contracts with your ISVs
  39. MSDN
  40. Supportability on AWS
     Microsoft workloads are supported on AWS. Amazon Web Services fully supports Microsoft Windows Server as both infrastructure and a platform. Our customers have successfully deployed in the AWS cloud virtually every Microsoft application available, including Microsoft Exchange, SharePoint, Lync, Dynamics, and Remote Desktop Services. If you have support-related issues, contact AWS Support.
  41. Every imaginable use case: collaboration; full/partial migration; franchise; web / mobile / media; mail; ERP; VDI; BI
  42. We are here to help
  43. AWS resources: Solutions Architects; Professional Services; Premium Support; AWS Partner Network (APN)
  44. AWS Training and Certification
     • Training (aws.amazon.com/training): skill up and gain confidence to design, develop, deploy and manage your applications on AWS
     • Self-paced labs (aws.amazon.com/training/self-paced-labs): try products, gain new skills, and get hands-on practice working with AWS technologies
     • Certification (aws.amazon.com/certification): demonstrate your skills, knowledge, and expertise with the AWS platform
  45. lepine@amazon.com

Editor's Notes

  1. Microsoft "License Mobility through Software Assurance" gives Microsoft Volume Licensing customers the flexibility to deploy Windows Server applications with active Microsoft Software Assurance on Amazon Web Services (AWS). Take advantage of your existing Microsoft licensing investments and increase flexibility to deploy your on-premises workloads on the AWS Cloud without additional licensing fees.