7/29/2019 AWS SP White Paper PDF 1/36
Amazon Web Services   Microsoft SharePoint Server on AWS: Reference Architecture   February 2012
Page 1 of 36

Microsoft SharePoint Server on AWS: Reference Architecture
February 2012
(Please consult http://aws.amazon.com/whitepapers for the latest version of this paper.)
Abstract

Amazon Web Services (AWS) provides a complete set of services and tools for deploying Windows workloads, including Microsoft SharePoint Server, on its highly reliable and secure cloud infrastructure platform. This whitepaper discusses general concepts regarding how to use these services and provides detailed technical guidance on how to configure, deploy, and run a SharePoint Server farm on AWS. It illustrates reference architecture for common SharePoint Server deployment scenarios and discusses their network, security, and deployment configurations so you can run SharePoint Server workloads in the cloud with confidence.

This whitepaper is targeted to IT infrastructure decision-makers and administrators. After reading it, you should have a good idea of how to set up and deploy the components of a typical SharePoint Server farm on AWS. You learn which artifacts to use and how to configure the various infrastructure details, such as compute instances, storage, security, and networking.
Introduction

Enterprises need to grow and manage their global computing infrastructures rapidly and efficiently while simultaneously optimizing and managing capital costs and expenses. AWS's computing and storage services meet this need by providing a global computing infrastructure. The AWS infrastructure enables companies to rapidly spin up compute capacity or quickly and flexibly extend their existing on-premise infrastructure into the cloud. AWS provides a rich set of services and robust, enterprise-grade mechanisms for security, networking, computation, and storage.

SharePoint Server is a widely deployed application platform, common in many organizations as the main portal for team corporate collaboration, content management, workflow, and access to corporate applications. One key benefit of SharePoint Server is that it enables organizations to rapidly respond to changing business needs. AWS is a perfect complement to SharePoint Server, because it enables organizations to rapidly provision the necessary computing infrastructure to power SharePoint Server solutions.

AWS and Microsoft have partnered to enable customers to deploy enterprise-class workloads involving Windows Server and Microsoft SQL Server on a pay-as-you-go, on-demand elastic infrastructure, thereby eliminating the capital cost for server hardware and greatly reducing the provisioning time required to create or extend a SharePoint Server farm. This partnership has resulted in the ability to license and run SharePoint Server on AWS under provisions in Microsoft's License Mobility through Software Assurance program.

As a relevant data point and case study, the Amazon Corporate IT team hosts Amazon's own corporate intranet running SharePoint Server on AWS. They have published a whitepaper detailing its evaluation, security requirements, architecture, benefits, and lessons learned from the deployment. Note that at the time the Amazon Corporate IT team deployed their SharePoint Server environment and wrote the whitepaper, a number of the AWS services discussed herein were either not in place or limited in their availability. This current paper provides an up-to-date and more high-level description of how to support SharePoint Server on AWS.
SharePoint Server Reference Architecture and Scenarios

To understand how SharePoint Server and associated components can be hosted on AWS, let's first review the architecture and components of a typical SharePoint Server farm and explore the common scenarios and topologies.

SharePoint Server Farm Reference Architecture

Microsoft provides considerable guidance for architecting SharePoint Server farm topologies for many scenarios and scales. This section reviews the typical SharePoint Server farm architecture as recommended by Microsoft and identifies a couple of common deployment scenarios and associated topologies that you will map onto AWS later in this paper.

SharePoint Server has evolved over several versions to provide a rich set of capabilities and services. SharePoint Server architecture has also evolved to support a service-based architecture, enabling specific services to be scaled out to individual servers and server groups. In addition, SharePoint Server reference architecture defines distinct roles and server groups that you can create and scale out independently. This model fits nicely within AWS's scale-out approach. The SharePoint Server reference architecture tiers and services are illustrated in Figure 1.

Source: http://technet.microsoft.com/en-us/library/ff758647.aspx
Figure 1: The SharePoint Server reference architecture

Additional infrastructure components are required or recommended to support SharePoint Server farms:

- Active Directory Domain Services (AD DS). SharePoint Server requires AD DS to serve as the authoritative identity store and authentication mechanism. AD DS (with one or more domain controllers) must reside within the same network as the SharePoint Server farm and be accessible to SharePoint Server farm instances.
- Threat management and intrusion protection. This component may be an additional element for SharePoint Server scenarios that include external or public-facing sites. In a Windows-based infrastructure, this component would typically be provided by products such as Microsoft Forefront Threat Management Gateway 2010.

Common SharePoint Server Deployment Scenarios

SharePoint Server can support a variety of content and collaboration goals. This paper discusses two of the most common scenarios: intranet hosting of a corporate SharePoint Server farm and hosting of an Internet site based on SharePoint Server.

Intranet SharePoint Server Farm

In this scenario, a company wants to run SharePoint Server within its enterprise to support internal users. The company may deploy its entire SharePoint Server farm in the cloud and scale all the components to get additional capacity, or extend its on-premise deployment to the cloud to increase capacity, improve performance, or scale the resource-intensive components in the cloud, when needed. Specific resource-intensive services such as Microsoft Office Excel or Word may be hosted individually to support specialized workloads. Figure 2 illustrates this scenario.

Figure 2: Typical intranet SharePoint Server farm topology
Internet Website or Service Based on SharePoint Server

In this scenario, SharePoint Server is used as the basis for hosting a website, public web application, or Software as a Service (SaaS) site. This scenario is different from the intranet scenario in that public-facing servers have been added. These servers require enhanced security and threat management as well as AD DS domain controllers to support user authentication and authorization. Figure 3 depicts this scenario.

Figure 3: Typical SharePoint Server farm topology for an Internet-facing public website

Key elements that distinguish this scenario from the previous intranet scenario are:

- A demilitarized zone (DMZ) to provide firewall and threat management at the front-line access points
- Active Directory domain controllers resident within the farm (not associated with the user environment)
Implementing SharePoint Server Architecture Scenarios in AWS

The remainder of this whitepaper provides step-by-step mapping for each SharePoint Server farm scenario discussed earlier to an equivalent setup in AWS, including similar resources, network and security setup, and configuration. To implement the SharePoint Server scenarios in AWS, the following elements are discussed:

- Network setup and configuration. This section covers the setup of the network for the SharePoint Server farm within AWS, including subnets to support the logical server groups for different tiers and roles within the SharePoint Server reference architecture.
- Server setup and configuration. This section covers the services and artifacts involved in the setup of the various servers for each tier and role in the SharePoint Server farm. It also includes setting up and configuring SQL Server and supporting high availability.
- Security. This section discusses security mechanisms in AWS, including how to configure instance and network security to enable authorized access to the overall SharePoint Server farm as well as between tiers and instances within the farm. It also covers areas such as data privacy (encryption) and threat management (in the case of the public-facing scenario).
- Deployment and management. This section provides details on packaging, deployment, monitoring, and management of the SharePoint Server farm components.

Network Setup

Let's start with the network setup to provide the environment in which you instantiate and configure your servers and database.

The Microsoft reference architecture is organized around a multi-tiered (web, application, and database) approach, allowing you to independently scale and configure each tier. Your first task is to define a network environment that supports this type of tiered structure and enables you to deploy the various server roles in each tier with suitable security configuration.

Amazon Virtual Private Cloud

A key component of AWS networking is the Amazon Virtual Private Cloud (Amazon VPC). Amazon VPC provides the ability to reserve an isolated portion of the AWS cloud in which to deploy and manage a SharePoint Server farm. Amazon VPC supports the creation of public and private subnets within the virtual network, allowing you to host the different tiers and roles within the SharePoint Server architecture.

Amazon VPC also supports the ability to establish a hardware virtual private network (VPN) connection between a VPC and an external location, such as a corporate data center. Customers use a hardware or software VPN appliance (the customer gateway) and connect that gateway to the VPC (the virtual private gateway) to provide seamless integration between on-premise compute infrastructure and resources within the VPC. Leveraging this VPN-VPC connectivity extends the corporate network data center to the cloud. Corporate users can interact with cloud instances and applications in a relatively transparent way, effectively supporting the notion of an extended enterprise in the cloud.
To map your SharePoint Server reference architectures and scenarios to AWS, you must first structure your VPC and subnets to mirror the same organizational tiers, server groups, and access requirements defined there. VPC subnets that need to be accessible from the Internet through the VPC Internet gateway need to be public; otherwise, you can designate them as private, and they will not be accessible from outside the VPC. In the case of a VPN-connected VPC, connections through the VPN occur through the virtual private gateway; therefore, instances can be in private subnets but still be reachable (as long as the security configuration allows it). Thus, VPN-only scenarios do not require public subnets (e.g., for web server front ends). However, the public-facing SharePoint Server scenario does need to be accessible from outside of AWS, so each front-end instance must be in a public subnet to be reached via the Internet gateway.
Fault tolerance and scalability for our SharePoint Server farm scenarios are critical to ensure they can provide sufficient performance through changes in load, and be resilient to any unforeseen issues within the farm infrastructure. The Elastic Load Balancing (ELB) web service can be used to distribute Internet-based requests to internal web servers, and so this is a suitable choice for our Internet website scenario. However, since ELB at this point only handles traffic coming from outside the VPC, we can't use it for our intranet scenario (in which user requests come in via the private VPN connection). For the intranet scenario, we need to utilize a third-party software load balancer (such as the Riverbed Stingray Traffic Manager or HAProxy) to achieve similar functionality.

You also want to distribute multiple instances to each Availability Zone to provide redundancy and failover in the case of an Availability Zone failure. VPC subnets do not span Availability Zones, so you must set up a separate but similar subnet structure within each zone. Likewise, set up load balancing to distribute requests to servers in multiple Availability Zones. Therefore, you should set up load balancers in each Availability Zone used to provide high availability there, as well.

NOTE: The IP address ranges for the VPC and subnets are defined using a single Classless Inter-Domain Routing (CIDR) IP address block, such as 10.0.0.0/16, providing an internal IP address space of 65,536 unique IP addresses. Subnets can then be created with their own unique CIDR block ranges within the overall VPC address range.
VPC Setup for the Intranet Scenario

Let's look at the specific steps for setting up a VPC instance for the intranet scenario.

The AWS Management Console provides a wizard-based approach to setting up Amazon VPC environments for a few typical Amazon VPC configurations. For your SharePoint Server intranet scenario, the goal is to set up the AWS environment to enable corporate users to use SharePoint Server via VPN access; but you do not need to allow access from the public Internet. The VPC Creation Wizard option "VPC with a Private Subnet Only and Hardware VPN Access" initiates the setup you are looking for.

NOTE: Servers within the farm may need to exit AWS for things like software updates. Such actions can be accomplished either by adding a network address translation (NAT) instance in the VPC and configuring it to be public, or by having the servers traverse the VPN tunnel to use the corporate data center Internet access. Amazon VPC includes a default route table that guides communications to and from instances, and the VPC Creation Wizard enables the route tables to allow instances to communicate with each other (using the internal VPC IP addresses) and externally out of the VPC (for all other IP addresses) through the NAT instance.

Based on the specifics of your SharePoint Server intranet scenario, you must add several components into the results of the basic Scenario 4 setup that the VPC Creation Wizard provides:

- One VPC created within a specific AWS region that has components spanning multiple Availability Zones. Your SharePoint Server infrastructure will be deployed across multiple Availability Zones to provide high availability.
- Private subnets in each Availability Zone to hold your load balancers. A VPC can have multiple subnets in which each subnet resides in a separate Availability Zone. Each subnet must reside entirely within one Availability Zone.
- Software load balancers in each Availability Zone. This setup establishes primary and secondary load balancers within each of the Availability Zones, where the primary distributes traffic to any of the healthy instances in either of the Availability Zones. In the event of a failure of the primary load balancer (or the Availability Zone overall), the secondary load balancer takes over and continues to distribute traffic to remaining healthy instances.
- Private subnets in each Availability Zone to hold web, application, and database servers as well as AD DS domain controllers. These subnets are not directly accessed by users (everything goes through the load balancers) and hence do not need to be accessible outside of the VPC.
- One virtual private gateway and one customer gateway. These provide VPN connectivity between the corporate data center and the VPC.

Putting together everything discussed thus far, Figure 4 shows the network configuration defined for the intranet scenario.

Figure 4: Network configuration for the intranet scenario
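As an added example (not from the whitepaper), the following Python models the subnet layout described in the NOTE and the list above: one VPC block (10.0.0.0/16, as in the note) carved into a mirrored set of private subnets per Availability Zone for the load balancer, web, application, database and AD DS server groups, with a check that subnets stay inside the VPC block, do not overlap, never span zones and, for the VPN-only intranet design, are never public. The zone names and the /24 subnet size are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Server groups that the intranet design places in private subnets in every
# Availability Zone: load balancers, web, application, database, AD DS.
GROUPS = ("lb", "web", "app", "db", "adds")


@dataclass(frozen=True)
class Subnet:
    group: str
    zone: str
    cidr: ipaddress.IPv4Network
    public: bool = False   # the VPN-only intranet scenario needs no public subnet


def address_space(vpc_cidr):
    """Number of addresses a VPC block provides (10.0.0.0/16 -> 65,536)."""
    return ipaddress.ip_network(vpc_cidr).num_addresses


def plan_subnets(vpc_cidr, zones, prefix=24):
    """Carve one subnet per (zone, group) out of the VPC block.

    The same set of groups is repeated in every zone because a VPC subnet
    cannot span Availability Zones. The /24 size is an assumption.
    """
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix)
    return [Subnet(group, zone, next(blocks)) for zone in zones for group in GROUPS]


def validate_plan(vpc_cidr, plan):
    """Return a list of problems; an empty list means the layout is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    for s in plan:
        if not s.cidr.subnet_of(vpc):
            problems.append(f"{s.group}-{s.zone}: {s.cidr} is outside VPC {vpc}")
        if s.public:
            problems.append(f"{s.group}-{s.zone}: public subnet in a VPN-only design")
    # Overlapping subnet CIDRs are rejected by the VPC API; catch them early.
    for i, a in enumerate(plan):
        for b in plan[i + 1:]:
            if a.cidr.overlaps(b.cidr):
                problems.append(f"{a.group}-{a.zone} overlaps {b.group}-{b.zone}")
    # Every zone must carry the full mirrored set, or a zone failure leaves
    # the surviving zone without some tier.
    for zone in sorted({s.zone for s in plan}):
        missing = set(GROUPS) - {s.group for s in plan if s.zone == zone}
        if missing:
            problems.append(f"{zone}: no subnet for {sorted(missing)}")
    return problems


if __name__ == "__main__":
    # Constructed zone names; two zones as the paper recommends.
    layout = plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"])
    for s in layout:
        print(f"{s.group:5s} {s.zone} {s.cidr}")
    print("problems:", validate_plan("10.0.0.0/16", layout))
```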
VPC Setup for the Public Website Scenario

For the public website scenario, there are different requirements and setup configurations.

The public website scenario most resembles the VPC Creation Wizard scenario "VPC with Public and Private Subnets". The differences between the public website scenario and the intranet scenario are:

- In the public website scenario, you do not have a corporate data center, so there is no need to set up a VPN connection.
- With a public website, there is no need for a virtual private gateway (because you are not connecting to a VPN).
- In this scenario, AWS Elastic Load Balancers are employed.
- In a public-facing website, the load balancers need to be in public subnets so that users can access them over the Internet.
- You still want to put the web, application, and database tiers in private subnets; users only need to get at the load balancers.
- The public website scenario requires additional components at the front end for firewall and threat management (more on this topic later).
- The public website scenario adds NAT instances in each Availability Zone to facilitate servers in private subnets communicating out to the Internet (to get operating system software updates, for example).

Given these differences, Figure 5 shows the network setup for the public website scenario.
Figure 5: Network configuration for the Internet-facing public website scenario

AD DS Setup and DNS Configuration

SharePoint Server requires AD DS for user authentication. However, you also want to leverage AD DS to provide Domain Name System (DNS) functionality within the VPC among the various server instances.

For your SharePoint Server farm to operate, you need connectivity to one or more domain controllers to facilitate user authentication and DNS resolution across servers within the farm. In the intranet scenario, you want the SharePoint Server instances to authenticate users with their corporate credentials (effectively an extension of their corporate network). There are two different ways to support this behavior:

- SharePoint Server instances could traverse the VPN-VPC connection back to the corporate data center and authenticate to on-premise domain controllers.
- Domain controllers could be hosted in AWS and replicated from on-premise domain controllers via the VPN-VPC connection. This allows the servers to authenticate to local (within AWS) domain controllers but still authenticate corporate user identities and credentials.

Amazon recommends the second option for better performance and reliability. The domain controllers can be replicated across Availability Zones (as with your other resources) to provide high availability. Microsoft provides guidance on Active Directory Replication Over Firewalls.
NOTE: It is also possible to support this scenario for corporate environments that do not use AD DS but rather another Lightweight Directory Access Protocol (LDAP) based directory service. You can use Active Directory Federation Services (AD FS) with SharePoint Server and other (non-AD DS) authentication providers to facilitate federated authentication. AWS provides a detailed whitepaper on how to set up and configure AD FS in AWS to support federated authentication.

Figure 6 depicts the additions to the hosting infrastructure and AD DS replication details.

Figure 6: Additions to the hosting infrastructure and AD DS replication details for the intranet scenario

In your public-facing scenario, the SharePoint Server farm is not connected to a corporate infrastructure via VPN. Instead, it requires AD DS to be instantiated within the AWS environment to facilitate user registration and authentication for the SharePoint Server instances running there. As in the intranet scenario, Amazon suggests hosting domain controllers in multiple Availability Zones to provide redundancy and high availability, as illustrated in Figure 7.
Figure 7: Hosting domain controllers in multiple Availability Zones to provide redundancy and high availability

AD DS is typically run in on-premise, static environments, and there are certain typical configuration details and assumptions that are different when AD DS runs in AWS. For AD DS domain controllers to be used for DNS in AWS and across Availability Zones, each needs to be in a security group that opens User Datagram Protocol (UDP) ports 0 through 65,535. (Security groups are discussed in detail in a later section.)

Server Setup and Configuration

Now that your network is set up in the structure you need, let's tackle the task of setting up and instantiating the various server instances within the VPC to support your SharePoint Server reference architectures.

At the heart of AWS is the Amazon Elastic Compute Cloud (Amazon EC2) web service, a cloud computing infrastructure that supports a variety of operating systems and machine configurations (e.g., CPU, RAM). AWS provides preconfigured virtual machine (VM) images (Amazon Machine Images, or AMIs) with guest operating systems (Linux, Windows, etc.) that may have additional software (e.g., SQL Server) and are used as the basis for virtualized instances running in AWS. You can use these AMIs as starting points to instantiate and install or configure additional software, data, and more to create application- or workload-specific AMIs.

To implement the various tiers and roles in the SharePoint Server reference architecture, start out with AMIs that are based on Windows Server 2008 R2, and look at the software running on each one to determine which AMIs are applicable to web, application, or database tier servers. At this time, several AMIs support some version of Windows Server. Some AMIs include components like Microsoft Internet Information Services (IIS) for the web tier roles; others include SQL Server Standard (for the database tier).
SharePoint Server is not preinstalled in any of the Windows-based AMIs because of licensing model restrictions. The only supported approach to licensing SharePoint Server on AWS is through Microsoft's License Mobility through Software Assurance program. Customers covered by active Microsoft Software Assurance contracts may move current on-premise Windows Server application workloads (such as SharePoint Server) to AWS without additional Microsoft software license fees.

AWS provides a comprehensive collection of information, tools, and resources for running Windows-based applications and workloads on AWS. Also, there is detailed information about how Windows is supported and used on Amazon EC2. Finally, you can find details on the specific AMIs that include Windows, SQL Server, etc., within the Amazon EC2 AMI catalog.

Mapping SharePoint Server Roles and Servers to Amazon EC2 AMIs and Instance Types

A key aspect of implementing your AWS solution is choosing the appropriate AMI and instance type for each role within the farm. Each role in the SharePoint Server reference architecture has distinct requirements for software and infrastructure resources, such as CPU, RAM, and disk storage. Microsoft and AWS have partnered to publish a number of Windows-based AMIs that include additional software components for supporting typical roles (e.g., IIS for web server, SQL Server for database server, Windows core for domain controller) that run on a variety of Amazon EC2 instance types.

In terms of machine capacity and sizing, Microsoft provides detailed guidance for various components within a SharePoint Server farm, so that topic is not covered in this paper. However, the basic details of typical system requirement minimums for various components within a SharePoint Server farm are summarized in the tables that follow.

Table 1 presents the minimum system requirements Microsoft recommends for the different tiers and roles within a SharePoint Server farm.

Table 1: Minimum system requirements for SharePoint Server roles and tiers

Tier/role            | Scenario          | Processor      | RAM   | Hard disk
Web/Application tier | All               | 64-bit, 4 core | 8 GB  | 80 GB
Database server      | Small deployment  | 64-bit, 4 core | 8 GB  | 80 GB
Database server      | Medium deployment | 64-bit, 8 core | 16 GB | 80 GB
Domain controller    | All               | 64-bit, 4 core | 8 GB  | 80 GB

Table 2 shows how to map these requirements to Amazon EC2 AMIs and Windows instance types.
Table 2: Mapping minimum system requirements to AMIs and Windows instance types

Tier               | Applicable Amazon EC2 instance type and range                       | AMI to use
Web front end      | Extra Large (m1.xl)                                                  | Windows Server 2008 R2 + IIS
Application server | Extra Large to High Memory Quad Extra Large (m2.xl to m2.4xl)        | Windows Server 2008 R2
Database server    | High Memory Quadruple Extra Large (m2.4xl)                           | Optimized SQL Server 2008 R2 AMIs from Microsoft
Domain controller  | Extra Large (m1.xl)                                                  | Windows Server (in the role of a domain controller)

The AMIs listed in Table 2 include the default configuration for Amazon EBS volumes (formatted as Windows file systems) for the boot drive and associated data storage applicable to the role. The SQL Server 2008 R2 AMIs indicated have been configured with multiple EBS volumes to support distinct SQL Server storage components (data, logs, temp files), optimizing for the storage requirements and I/O patterns of each component. Amazon EC2 also supports the ability to customize an instance, allowing you to attach additional Amazon EBS volumes or resize an existing Amazon EBS volume by taking a snapshot, and then creating a new, larger volume from the snapshot. You can then use this customized instance as the basis for a new, customized AMI.

SharePoint Server Configuration

As mentioned earlier, SharePoint Server is not pre-installed in any publicly available AMI, so you must obtain sufficient licensing for deploying SharePoint Server in AWS (through Microsoft License Mobility) and then install SharePoint Server into your instances. Typically, you will create your own private SharePoint Server AMI, by creating a Windows Server-based instance, installing and configuring SharePoint Server, and then turning that instance into an AMI as described here. This private AMI will be the basis of the various SharePoint Server instances in your farm.

SQL Server Configuration

The versions of SQL Server that are included and licensed for use with the Windows Server AMIs are SQL Server Express and SQL Server Standard. SQL Server Enterprise can be installed in Windows AMIs and used in AWS as well, but must be licensed for use in the same way as SharePoint Server, through provisions in the Microsoft License Mobility through Software Assurance program.

As in on-premise deployments, the data tier for SharePoint Server in AWS needs to be architected and configured to support sufficient performance, high availability, and reliability to provide a good user experience and quickly respond to a database failure with minimal transaction loss. For SQL Server instances, Amazon recommends the High Memory Quadruple Extra Large Amazon EC2 instance type. This type provides higher-performance network I/O (high). This higher performance, combined with the other metrics such as CPU, yields a good performance profile for SQL Server running on AWS.

Recommended Amazon EBS Disk Configuration for SQL Server

Amazon EBS volumes can be configured in a variety of ways (redundant array of independent disks [RAID] striping, different volume sizes, etc.) to yield different performance characteristics. The optimized SQL Server Standard AMI mentioned earlier is published jointly between Microsoft and AWS and is configured with separate Amazon EBS volumes, each storing key SQL Server data components as recommended by Microsoft for optimal performance.
For high-I/O scenarios, it is possible to create and attach additional Amazon EBS volumes and to stripe them using software RAID to increase the total number of I/O operations per second (IOPS). Each Amazon EBS volume is protected from physical drive failure through drive mirroring, so using a RAID level higher than RAID-0 is unnecessary.

For SharePoint Server instances, it is common to use Remote BLOB Storage (RBS) in conjunction with SQL Server for storage of file-based content. This file-based content will reside in SQL Server instances, and the existing Amazon EBS configuration should be sufficient for most uses. However, it may be desirable or necessary to extend the size or add more Amazon EBS disks (or other associated storage) for supporting large RBS stores. For further details regarding Amazon EBS setup, configurations, and tuning options, see the Amazon Elastic Compute Cloud User Guide.

High Availability for SQL Server

You can achieve high availability for SQL Server in AWS by implementing SQL Server mirroring across multiple Availability Zones. In this configuration, SQL Server instances are launched in two different Availability Zones (within a Region), with a smaller witness SQL Server instance to monitor and facilitate the failover, if needed. Figure 8 illustrates this configuration.
Figure 8: SQL Server mirroring across multiple Availability Zones

AWS recently published RDBMS in the Cloud: Microsoft SQL Server 2008 R2, a comprehensive resource that provides a detailed discussion of considerations, approaches, and options for optimizing the use of SQL Server in AWS. With the addition of your Amazon EC2 instances and SQL Server mirroring, your intranet scenario looks like Figure 9.
Figure 9: Intranet scenario with the addition of Amazon EC2 instances and SQL Server mirroring

With the addition of your Amazon EC2 instances and SQL Server mirroring, your public site scenario looks like Figure 10.
Figure 10: Public site scenario with the addition of Amazon EC2 instances and SQL Server mirroring

Security

Security setup is critical in the implementation of your SharePoint Server farm to enable proper network access (in and out of the VPC, specific subnets, and the instances running in each subnet) to facilitate user authentication and appropriate authorization, data privacy, and threat management (in the case of public-facing sites). These and other key elements have to be set up correctly to provide the necessary security measures and enable users to access their SharePoint Server content and applications with the correct identity and authorization.

A cornerstone of your scenarios is the use of Amazon VPC for providing the overall isolation of the farm and segmenting parts of the farm (i.e., the server groups) to support the desired management and control. Within Amazon VPC and subnet isolation, there are security details that you must set up to enable proper access (and restrictions). The two main approaches at your disposal are:

- Security groups. A security group acts as a firewall that controls the traffic allowed in and out of a group of instances. When you launch an instance in a VPC, you can assign the instance to up to five VPC security groups. Security groups act at the instance level, not the subnet level.
  o In general, it is a good idea to define distinct security groups for each tier. Doing so allows you to define the settings for each tier (and vary them independently) as well as restrict access to the calling tier (e.g., allowing the database tier to be called only from the application tier).
- Network access control lists (ACLs). A network ACL is an optional layer of security that acts as a firewall for controlling traffic in and out of a subnet. You might set up ACLs with rules similar to your security groups to add a layer of security to your VPC. Network ACLs act at the subnet level, not the instance level.
Security Groups

Here are the two approaches discussed in greater detail:

- Elastic Load Balancing:
  o Elastic Load Balancing is the point of contact for users, so the Elastic Load Balancing security group should be configured to support inbound client connection types of HTTP or HTTPS (port 80 and port 443, respectively). You can configure the Elastic Load Balancing in any combination, but Amazon recommends using HTTPS for both inbound client connection types. You should create an outbound security rule that lists the web tier security group as the target, restricting the load balancer to sending requests out to the web tier instances only.
- Web tier:
  o In the scenario, the web tier instances are not directly exposed but receive requests via the elastic load balancer. You can (and should) configure the web instances to accept requests only from the load balancer. Fortunately, the load balancer includes a special source security group. Create a security rule for your web tier that restricts inbound access to this special security group, ensuring that only the load balancers are allowed to send to and receive from the web front-end instances. You can also set up an outbound rule to limit outgoing requests to the application tier instances.
- Application tier:
  o As in the web tier case, your application tier security group should be configured with an inbound rule listing the web tier security group as an allowed sender and an outbound rule listing the database security group for outgoing messages.
- Database tier:
  o As in the other cases, you should require Secure Sockets Layer (SSL) for connections to and from SQL Server. Doing so requires the use of a security group with a rule that allows SSL (port 443) to be used only for the database instances.
  o You also want to restrict inbound access to the application tier instances, so create a security rule that restricts inbound access to the application tier security group.

The Appendix includes a chart detailing the various recommended security groups and settings for your SharePoint Server farm scenarios.
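As an added example, not part of the whitepaper, the following Python encodes the per-tier chain described above (users reach only the load balancer, the load balancer only the web tier, web only application, application only database) and audits a set of security groups against it, reporting any inbound rule that names a CIDR or a group other than the calling tier, and any outbound rule that points past the next tier. Group names, the use of port 443 between the front tiers and port 1433 for SQL Server are assumptions; the load balancer's special source security group is modelled simply as the load balancer's own group.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    port: int
    peer: str            # a security group name, or a CIDR such as "0.0.0.0/0"


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


# The calling chain the paper describes: users -> elb -> web -> app -> db.
# Only the load balancer tier may accept traffic from the Internet.
CALLERS = {"elb": {"0.0.0.0/0"}, "web": {"elb"}, "app": {"web"}, "db": {"app"}}
NEXT_HOP = {"elb": "web", "web": "app", "app": "db", "db": None}


def is_cidr(peer):
    return "/" in peer


def audit(groups):
    """Return findings as (group, severity, message); an empty list is compliant.

    Security groups are allow-only and stateful, so every inbound rule on an
    internal tier that names anything other than the calling tier widens the
    exposure of that tier; reply traffic needs no rule of its own.
    """
    findings = []
    by_name = {g.name: g for g in groups}
    for tier, allowed in CALLERS.items():
        sg = by_name.get(tier)
        if sg is None:
            findings.append((tier, "high", "security group missing"))
            continue
        for r in sg.inbound:
            if r.peer in allowed:
                continue
            if is_cidr(r.peer):
                severity = "high" if r.peer == "0.0.0.0/0" else "medium"
                findings.append((tier, severity, f"inbound {r.port} open to CIDR {r.peer}"))
            else:
                findings.append((tier, "medium",
                                 f"inbound {r.port} from {r.peer}, expected {sorted(allowed)}"))
        for r in sg.outbound:
            if r.peer != NEXT_HOP[tier]:
                findings.append((tier, "low",
                                 f"outbound {r.port} to {r.peer}, expected {NEXT_HOP[tier]}"))
    return findings


def recommended_groups():
    """The four tier groups the paper recommends (ports are assumptions)."""
    return [
        SecurityGroup("elb", inbound=[Rule(443, "0.0.0.0/0")], outbound=[Rule(443, "web")]),
        SecurityGroup("web", inbound=[Rule(443, "elb")], outbound=[Rule(443, "app")]),
        SecurityGroup("app", inbound=[Rule(443, "web")], outbound=[Rule(1433, "db")]),
        SecurityGroup("db", inbound=[Rule(1433, "app")], outbound=[]),
    ]


def drifted_groups():
    """Constructed drift: the SQL port opened to the world, and a web rule that
    lets the application tier call back up the chain."""
    groups = recommended_groups()
    by_name = {g.name: g for g in groups}
    by_name["db"].inbound.append(Rule(1433, "0.0.0.0/0"))
    by_name["web"].inbound.append(Rule(443, "app"))
    return groups


if __name__ == "__main__":
    print("recommended:", audit(recommended_groups()))
    for finding in audit(drifted_groups()):
        print("drifted:", finding)
```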
Network ACLs

Network ACLs mirror the rules specified in security groups and add an extra layer of security to allow general access rules to be honored regardless of which instances are sending or receiving. Because network ACLs act at the network level (not the instance level), you can set up additional rules to handle certain networks, IP addresses, and address ranges in a specific way. For instance, you can set up a network ACL that defines a rule to deny ingress to a range of source IP addresses (blacklisted IP addresses). For detailed guidance on setting up Amazon VPC network ACLs, see the Amazon Virtual Private Cloud User Guide.
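The deny-a-source-range rule described above only works if it is evaluated before any allow rule that covers the same traffic: a VPC network ACL checks rules in ascending rule-number order and stops at the first match. The following Python, an added example and not the whitepaper's, evaluates an inbound ACL that way and flags deny rules that can never fire because a lower-numbered allow already covers them. The rule numbers and the blocklisted range (198.51.100.0/24, a documentation range) are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    number: int      # evaluated in ascending order; first match wins
    action: str      # "allow" or "deny"
    cidr: str        # source range for an inbound rule
    from_port: int
    to_port: int

    def matches(self, ip, port):
        return (ip in ipaddress.ip_network(self.cidr)
                and self.from_port <= port <= self.to_port)


def evaluate_ingress(rules, source_ip, port):
    """Decide a packet the way a VPC network ACL does: lowest rule number
    first, stop at the first match, implicit deny when nothing matches.
    Returns (action, rule_number); rule_number is None for the implicit deny.
    ACLs are stateless, so return traffic needs its own outbound rules."""
    ip = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(ip, port):
            return rule.action, rule.number
    return "deny", None


def shadowed_denies(rules):
    """Rule numbers of deny rules that can never fire because a lower-numbered
    allow rule already covers their whole address range and port range."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, deny in enumerate(ordered):
        if deny.action != "deny":
            continue
        deny_net = ipaddress.ip_network(deny.cidr)
        for allow in ordered[:i]:
            if (allow.action == "allow"
                    and deny_net.subnet_of(ipaddress.ip_network(allow.cidr))
                    and allow.from_port <= deny.from_port
                    and deny.to_port <= allow.to_port):
                shadowed.append(deny.number)
                break
    return shadowed


# Constructed inbound ACL for the public load-balancer subnet: block the
# listed range first, then admit HTTPS and HTTP from everywhere else.
PUBLIC_LB_INGRESS = [
    AclRule(100, "deny", "198.51.100.0/24", 0, 65535),
    AclRule(200, "allow", "0.0.0.0/0", 443, 443),
    AclRule(210, "allow", "0.0.0.0/0", 80, 80),
]

# Same intent, wrong order: an allow-all rule (what a default network ACL
# ships with as rule 100) is numbered below the deny, so the deny is dead.
MISORDERED_INGRESS = [
    AclRule(100, "allow", "0.0.0.0/0", 0, 65535),
    AclRule(250, "deny", "198.51.100.0/24", 0, 65535),
]


if __name__ == "__main__":
    print(evaluate_ingress(PUBLIC_LB_INGRESS, "198.51.100.7", 443))   # ('deny', 100)
    print(evaluate_ingress(PUBLIC_LB_INGRESS, "203.0.113.5", 443))    # ('allow', 200)
    print(evaluate_ingress(MISORDERED_INGRESS, "198.51.100.7", 443))  # ('allow', 100)
    print("shadowed:", shadowed_denies(MISORDERED_INGRESS))           # [250]
```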
Windows Instance Security
You can configure Windows instances within the VPC through Group Policy objects (GPOs) to require IP Security (IPsec) connections, further ensuring secure connectivity to the instances.
Administrator Access
In your architecture, the middle tier and database tier instances are placed in private subnets, restricting access from outside the VPC. This placement reduces exposure and enhances security. However, it is still necessary to provide access to those instances for administrative purposes, such as configuration updates and troubleshooting.
To help manage the instances in the private subnet, an indirect (and secure) method is to set up one or more bastion servers in a public subnet to act as proxies, and then set up SSH port forwarders or Remote Desktop Protocol (RDP) gateways to proxy access to the application or database tier instances. After bastion servers are set up, administrators can use RDP to gain access to the bastion host; they can then access other instances using SSH at their VPC private IP addresses. Figure 11 illustrates this arrangement.
Figure 11: Using RDP to gain access to the bastion host
Data Privacy
Because sensitive content and data can be stored within the SharePoint Server farm, some organizations may require that the content be encrypted. To successfully support encryption of data within the AWS environment, a few key requirements must be considered and supported:
- Encryption technology. The Amazon EBS volumes contain the data at rest, in the form of SQL Server database data and files. Amazon EBS volume encryption is not supported in AWS; however, there are options for encryption that can be considered:
  o Encrypting File System (EFS). Windows includes EFS, which supports the ability to encrypt individual files or folders.
  o BitLocker Drive Encryption. Windows Server 2008 R2 supports BitLocker, which provides the ability to encrypt a disk file system attached to the server instance.
  o SQL Server Transparent Data Encryption (TDE). SQL Server Enterprise provides native encryption support through TDE.
  o Third-party Amazon EBS volume encryption. Third-party commercial options are available for encryption of Amazon EBS volumes.
- Encryption key management. Implementing encryption requires secure management and authorized use of the encryption keys. In the case of Amazon EC2, instances can be stopped and started as well as recovered from Amazon EBS snapshots. In all these cases, the Amazon EBS volumes will be encrypted, and the Amazon EC2 subsystem must access and use the encryption key to be able to attach and use it on subsequent restarts.
The AWS Solution Provider site lists several third-party software vendors that provide security infrastructure that supports Amazon EBS encryption and key management.
Deployment
To set up your SharePoint Server farm in AWS, you must establish and configure several complex and interrelated details to enable proper functions and the correct security settings. Furthermore, you will inevitably need to change the configuration over time to perform such actions as adding instances for scale out or updating instance configurations. AWS provides a number of tools and approaches for facilitating deployment in AWS:
- AWS Management Console. The AWS Management Console is an interactive tool that is good for starting out or smaller deployments. However, for more complex scenarios or automated deployment sequences, consider one of the other options described below.
- AWS application programming interface (API) tools. AWS provides several command-line interface (CLI) commands and programmatic web service APIs that are typically built into scripts; these commands allow a set of actions to occur in a coordinated way.
- AWS sample code and libraries. AWS provides a Sample Code & Libraries Catalog to support application-based setup and configuration. Several programming languages are supported through software development kits (SDKs) that AWS provides.
- AWS CloudFormation. AWS provides an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion. With AWS CloudFormation, you do not need to figure out the order in which AWS services need to be provisioned or the subtleties of how to make those dependencies work:
  o You can use a tool called AWS CloudFormer to reverse-engineer an existing set of resources or settings running in an AWS account into an AWS CloudFormation template. So, a typical approach for a complex setup is to manually deploy or configure components of the SharePoint Server farm, and then use this tool to generate an appropriate AWS CloudFormation script.
  NOTE: AWS CloudFormation does not support the creation of VPCs at this time; however, it does support the creation of the resources within a VPC (e.g., Amazon EC2 instances, security groups).
- Windows and .NET Developer Center. These Windows and Microsoft .NET tools include the AWS SDK for .NET and the AWS Toolkit for Visual Studio.
A key approach to automating deployment of components within an AWS solution is to create custom AMIs for distinct roles that have additional software dependencies and configuration requirements. For the SharePoint Server reference architecture, distinct roles are defined (web front end, application server, database server, and others) for which you can create custom AMIs. Custom AMIs for the SharePoint Server farm architecture can be based on public Windows-based AMIs (as indicated earlier) or Windows-based AMIs that you create as a starting point.
Monitoring and Management
You must be able to monitor a number of core dimensions within a SharePoint Server farm to enable corrections and updates when issues occur or performance suffers. Amazon CloudWatch is an AWS service that monitors various health metrics associated with AWS resources. You can use it to collect, analyze, and view system and application metrics so that you can make operational and business decisions more quickly and with greater confidence. Amazon CloudWatch sets several predefined metrics, such as CPU utilization and disk I/O performance, that AWS measures and that you can view and act upon. You can also publish your own metrics directly to Amazon CloudWatch to allow statistical viewing in the AWS Management Console and to issue (and react on) custom alarms.
Microsoft System Center Operations Manager is the typical tool used to monitor and manage a Microsoft-based infrastructure. Fortunately, Operations Manager can be used in AWS, too. The Windows-based infrastructure on AWS includes the standard Operations Manager agents for Windows Server, SharePoint Server, and SQL Server.
In the intranet scenario, Operations Manager works as it does in an on-premises case, because your VPN/VPC arrangement effectively extends the enterprise network into the AWS cloud. In the public site scenario, Operations Manager can be hosted in an instance and accessed over RDP (through the bastion host method described earlier) and provide monitoring and management against the other components of the SharePoint Server farm.
Backup and Recovery
Business continuity is a key requirement in the SharePoint Server farm scenarios discussed here. Downtime means core content and collaboration cannot occur or your website is down. As discussed earlier, you can improve availability by hosting multiple instances in different tiers distributed across AWS Availability Zones. However, there still may be situations in which system failures (e.g., because of software or hardware issues, disasters) occur, or there is a need to roll back or recover some or all of the farm data to a previous point in time. Thus, you must still have a backup and recovery strategy to support recovery of one or more data components or servers or the entire farm.
Typically, recovery requirements are expressed in terms of two metrics:
- Recovery time objective (RTO). RTO is the time objective in which to restore a process, service, or data item to required functional level or accessibility. For example, an RTO of 4 hours means that a full recovery is required to be up and operational within 4 hours after a failure in the system.
- Recovery point objective (RPO). The RPO is the maximum acceptable amount of data loss, expressed in time. For example, an RPO of 1 hour means recovered data may be at most 1 hour out of date from the most recent changes.
In terms of supporting backup and recovery of SharePoint Server farms on AWS, there are essentially two approaches to consider:
- Use the built-in backup and recovery mechanisms in SharePoint Server and SQL Server, with Microsoft tools to back up to (and recover from) Windows file-based storage locations.
- Use AWS backup and recovery mechanisms that operate against AWS resources such as Amazon EBS volumes.
SharePoint Server and SQL Server provide their own built-in capabilities for backing up content, application data, metadata, and configuration settings. In addition, you can use tools such as Microsoft System Center Data Protection Manager (DPM) to back up configuration settings and metadata stored within SQL Server. Microsoft provides significant guidance around SharePoint Server backup and recovery that can and should be used to provide backup and recovery capabilities, both at the farm level and at the granular server or service level. In this case, Amazon Simple Storage Service (Amazon S3) provides the most natural location in which to store and retrieve this data. Amazon S3 does not natively provide a Windows file system interface, but open source and commercial tools are available that do provide the ability to interact with Amazon S3 in this manner.
Amazon EC2 provides the ability to take point-in-time snapshots of Amazon EBS volumes and save them to Amazon S3 for durable storage and recovery. Amazon EBS snapshots are incremental backups, meaning that only the blocks on the device that have changed since the last snapshot will be saved. Also, when you delete a snapshot, only the data not needed for any other snapshot is removed. So, regardless of which prior snapshots have been deleted, all active snapshots will contain all the information needed to restore the volume. In addition, the time to restore the volume is the same for all snapshots, offering the restore time of full backups with the space savings of incremental backups. Snapshots can also be used to instantiate multiple new volumes, expand the size of a volume, or move volumes across Availability Zones. In the case of your SharePoint Server farm, the SQL Server instances within the data tier will hold the persistent state, so taking regular snapshots of the primary SQL Server data tier Amazon EBS volumes provides backup of the database itself and any associated files (e.g., RBS files, metadata files).
AWS recently published AWS Disaster Recovery, a whitepaper that provides extensive details on the various considerations and options available within AWS to support disaster recovery.
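An added toy model (not AWS code) of the snapshot semantics the text above describes: only blocks changed since the previous snapshot are written, deleting a snapshot frees only blocks that no other snapshot references, and any remaining snapshot restores the whole volume on its own. The volume contents are constructed.

```python
class SnapshotStore:
    """Toy model of incremental, block-sharing snapshots. A volume is a list of
    fixed-size blocks; a snapshot maps block index -> stored block id, and a
    block unchanged since the previous snapshot is shared rather than copied."""

    def __init__(self):
        self.blocks = {}     # block id -> bytes (the durable store)
        self.snapshots = {}  # snapshot name -> {block index: block id}
        self._next_id = 0

    def take(self, name, volume, previous=None):
        """Store only blocks that differ from `previous`; return how many
        blocks were newly written (the incremental cost of this snapshot)."""
        prev = self.snapshots.get(previous, {})
        mapping, written = {}, 0
        for index, data in enumerate(volume):
            if index in prev and self.blocks[prev[index]] == data:
                mapping[index] = prev[index]        # unchanged: share the block
            else:
                mapping[index] = self._next_id      # changed or new: write it
                self.blocks[self._next_id] = data
                self._next_id += 1
                written += 1
        self.snapshots[name] = mapping
        return written

    def delete(self, name):
        """Drop the snapshot, then reclaim only blocks no remaining snapshot
        references; every other snapshot stays fully restorable."""
        del self.snapshots[name]
        live = {bid for m in self.snapshots.values() for bid in m.values()}
        for bid in [b for b in self.blocks if b not in live]:
            del self.blocks[bid]

    def restore(self, name):
        """Rebuild the whole volume from any one active snapshot."""
        mapping = self.snapshots[name]
        return [self.blocks[mapping[i]] for i in range(len(mapping))]

    def stored_blocks(self):
        """Blocks actually held in the store (the space cost of all snapshots)."""
        return len(self.blocks)
```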
Putting It All Together
With all the key topics covered, let's see how your SharePoint Server deployment scenarios are ultimately set up in an AWS environment.
Intranet SharePoint Server Farm
The key components of the intranet SharePoint Server farm in an AWS environment scenario are as follows:
- Amazon VPC, with VPN connection to the corporate data center
- Private subnets only, connected to the corporate network via VPN
- At least two Availability Zones used to survive the low probability of an Availability Zone failure
- Elastic load balancers across web front-end servers
- SQL Server in mirrored configuration across Availability Zones
- Database (Amazon EBS volume) snapshots
Figure 12 illustrates this scenario.
Figure 12: Intranet SharePoint Server farm in AWS
Internet-facing Public Website on SharePoint Server
The key components for the internet website hosted on SharePoint Servers in an AWS environment scenario are as follows:
- Amazon VPC, with public and private subnets
- Threat management gateway servers in the public subnet
- Elastic Load Balancing across the threat management gateway servers
- Bastion host in a public subnet, hosting a software VPN to provide administrative access to internal instances
- At least two Availability Zones used to survive the low probability of an Availability Zone failure
- Multiple web front-end servers behind threat management gateway servers within each Availability Zone in a private subnet
- SQL Server in mirrored configuration across Availability Zone private subnets
- AD DS domain controllers in AWS for user registration and authentication
Figure 13 illustrates this scenario.
Figure 13: Public-facing Internet website on SharePoint Server in AWS
Although you can use SharePoint Server to support a variety of content and collaboration goals, these scenarios are two of the most common. See the next section for information about other scenarios and additional resources.
Conclusion
This paper discusses two common deployment scenarios for SharePoint Server (intranet and public website) and how to run them in an AWS cloud environment. It discusses how you can leverage different services that AWS provides (network setup, server setup, security, and deployment) and configure them specifically to run enterprise-class software like SharePoint Server at scale in a secure fashion that is easier to maintain.
Further Reading
- Microsoft on AWS:
  o http://www.awsmicrosite.com
- Amazon EC2 Windows Guide:
  o http://docs.amazonwebservices.com/AWSEC2/latest/WindowsGuide/Welcome.html?r=7870
- Microsoft AMIs for Windows and SQL Server:
  o http://aws.amazon.com/windows
  o http://aws.amazon.com/amis/Microsoft?browse=1
  o http://aws.amazon.com/amis/6258880392999312 (SQL Server)
- AWS Windows and .NET Developer Center:
  o http://aws.amazon.com/net
- Microsoft License Mobility:
  o http://aws.amazon.com/windows/mslicensemobility
- Whitepapers:
  o Amazon's Corporate IT Deploys SharePoint 2010 to the Amazon Web Services Cloud at http://media.amazonwebservices.com/AWS_Amazon_SharePoint_Deployment.pdf
  o Relational Database Management Systems in the Cloud: Microsoft SQL Server 2008 R2 at http://aws.amazon.com/whitepapers/rdbms-in-the-cloud
  o Providing SSO to Amazon EC2 Apps from an On-premises Windows Domain at http://download.microsoft.com/download/6/C/2/6C2DBA25-C4D3-474B-8977-E7D296FBFE71/EC2-Windows%20SSO%20v1%200--Chappell.pdf
Appendix
Security Group Settings for a SharePoint Server Farm
The following chart provides an example of the typical security group settings recommended for the SharePoint Server reference architecture.
Intranet SharePoint Server Farm

| Tier / security group | Protocol | Port range | Comments |
|---|---|---|---|
| Elastic Load Balancing | | | |
| Inbound (source): | | | |
| IP address range of the corporate network | TCP | 80 | Allow inbound HTTP access from corporate IP sources |
| IP address range of the corporate network | TCP | 443 | Allow inbound HTTPS access from corporate IP sources |
| Outbound (destination): | | | |
| Web Tier SG | TCP | 80 | Allow outbound access to web tier servers |
| Web Tier | | | |
| Inbound (source): | | | |
| Elastic Load Balancing source security group | TCP | 80 | Allow inbound HTTP from Elastic Load Balancing only |
| Elastic Load Balancing source security group | TCP | 443 | Allow inbound HTTPS access from Elastic Load Balancing only |
| IP address range of corporate administrators | TCP | 3389 | RDP access for corporate administrators |
| ActiveDir SG | TCP | 49152-65535 | AD DS |
| Outbound (destination): | | | |
| App Tier SG | TCP | 0-65535 | Allow only web front-end servers to access the application tier |
| App Tier SG | UDP | 0-65535 | Allow only web front-end servers to access the application tier |
| Tier / security group | Protocol | Port range | Comments |
|---|---|---|---|
| Web Tier, outbound (destination), continued | | | |
| 0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to servers on the Internet (e.g., for software updates) |
| 0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to servers on the Internet (e.g., for software updates) |
| App Tier | | | |
| Inbound (source): | | | |
| Web Tier SG | UDP | 0-65535 | Allow only web front-end servers to access the application tier |
| IP address range of corporate administrators | TCP | 3389 | RDP access for corporate administrators |
| ActiveDir SG | TCP | 49152-65535 | AD DS |
| Outbound (destination): | | | |
| DB Tier SG | TCP | 1433 | Allow outbound SQL Server access to database tier instances |
| 0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to servers on the Internet (e.g., for software updates) |
| 0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to servers on the Internet (e.g., for software updates) |
| ActiveDir SG | TCP | 49152-65535 | AD DS |
| DB Tier (database primary, mirror, and witness) | | | |
| Inbound (source): | | | |
| App Tier SG | TCP | 1433 | Allow only web front-end servers to access the application tier |
| DB Tier SG | | | Allow database mirror and witness |
| IP address range of corporate administrators | TCP | 3389 | RDP access for corporate administrators |
| ActiveDir SG | TCP | 49152-65535 | AD DS |
| Outbound (destination): | | | |
| Tier / security group | Protocol | Port range | Comments |
|---|---|---|---|
| DB Tier, outbound (destination), continued | | | |
| ActiveDir SG | TCP | 49152-65535 | AD DS |
| 0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to servers on the Internet (e.g., for software updates) |
| 0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to servers on the Internet (e.g., for software updates) |
| ActiveDir SG | | | |
| Inbound (source): | | | |
| ActiveDir SG | TCP | 1-65535 | Allow AD DS domains to talk to each other |
| ActiveDir SG | UDP | 1-65535 | Allow AD DS domains to talk to each other |
| 0.0.0.0/0 | TCP | 53 | DNS for VPC instances |
| 0.0.0.0/0 | UDP | 53 | DNS for VPC instances |
| 0.0.0.0/0 | TCP | 88 | Kerberos authentication |
| 0.0.0.0/0 | UDP | 88 | Kerberos authentication |
| 0.0.0.0/0 | UDP | 123 | Network News Transfer Protocol (NNTP) |
| 0.0.0.0/0 | TCP | 135-139 | Remote Procedure Call (RPC), NetBIOS |
| 0.0.0.0/0 | UDP | 135-139 | RPC, NetBIOS |
| 0.0.0.0/0 | TCP | 389 | LDAP to directory service |
| 0.0.0.0/0 | UDP | 389 | LDAP to directory service |
| 0.0.0.0/0 | TCP | 445 | Server Message Block (SMB) |
| 0.0.0.0/0 | UDP | 500 | IPsec Internet Security Association and Key Management Protocol (ISAKMP) |
| 0.0.0.0/0 | TCP | 636 | LDAP Secure Sockets Layer (SSL) |
| 0.0.0.0/0 | UDP | 636 | LDAP SSL |
| 0.0.0.0/0 | TCP | 3268-3269 | LDAP to global catalog server |
| 0.0.0.0/0 | UDP | 4500 | NAT traversal (NAT-T) |
| 0.0.0.0/0 | TCP | 49152-65535 | Dynamic ports |
| IP address range of corporate administrators | TCP | 3389 | RDP access for corporate administrators |
| Outbound (destination): | | | |
| Tier / security group | Protocol | Port range | Comments |
|---|---|---|---|
| ActiveDir SG, outbound (destination), continued | | | |
| 0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to servers on the Internet (e.g., for software updates) |
| 0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to servers on the Internet (e.g., for software updates) |

Internet-facing Public Website on SharePoint Server

| Tier / security group | Protocol | Port range | Comments |
|---|---|---|---|
| Elastic load balancer | | | |
| Inbound (source): | | | |
| 0.0.0.0/0 | TCP | 80 | Allow inbound HTTP access from corporate IP sources |
| 0.0.0.0/0 | TCP | 443 | Allow inbound HTTPS access from corporate IP sources |
| Outbound (destination): | | | |
| Web Tier SG | TCP | 80 | Allow outbound access to web tier servers |
| Bastion SG (security group for (public) bastion host) | | | |
| Inbound (source): | | | |
| IP address range of corporate administrators | TCP | 3389 | RDP access for corporate administrators |
| Web Tier | | | |
| Inbound (source): | | | |
| Elastic Load Balancing source security group | TCP | 80 | Allow inbound HTTP from Elastic Load Balancing only |
| Elastic Load Balancing source security group | TCP | 443 | Allow inbound HTTPS access from Elastic Load Balancing only |
| Bastion SG | TCP | 22 | SSH access for corporate administrators |
| ActiveDir SG | TCP | 49152-65535 | AD DS |
| Outbound (destination): | | | |
| Tier / security group | Protocol | Port range | Comments |
|---|---|---|---|
| Web Tier, outbound (destination), continued | | | |
| App Tier SG | TCP | 0-65535 | Allow only web front-end servers to access the application tier |
| App Tier SG | UDP | 0-65535 | Allow only web front-end servers to access the application tier |
| 0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to servers on the Internet (e.g., for software updates) |
| 0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to servers on the Internet (e.g., for software updates) |
| App Tier | | | |
| Inbound (source): | | | |
| Web Tier SG | UDP | 0-65535 | Allow only web front-end servers to access the application tier |
| Bastion SG | TCP | 22 | SSH access for corporate administrators |
| ActiveDir SG | TCP | 49152-65535 | AD DS |
| Outbound (destination): | | | |
| DB Tier SG | TCP | 1433 | Allow outbound SQL Server access to database tier instances |
| 0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to servers on the Internet (e.g., for software updates) |
| 0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to servers on the Internet (e.g., for software updates) |
| ActiveDir SG | TCP | 49152-65535 | AD DS |
| DB Tier (DB primary, mirror, and witness) | | | |
| Inbound (source): | | | |
| App Tier SG | TCP | 1433 | Allow only web front-end servers to access the application tier |
| DB Tier SG | | | Allow database mirror, witness |
| Tier / security group | Protocol | Port range | Comments |
|---|---|---|---|
| DB Tier, inbound (source), continued | | | |
| Bastion SG | TCP | 22 | SSH access for corporate administrators |
| ActiveDir SG | TCP | 49152-65535 | AD DS |
| Outbound (destination): | | | |
| ActiveDir SG | TCP | 49152-65535 | AD DS |
| 0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to servers on the Internet (e.g., for software updates) |
| 0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to servers on the Internet (e.g., for software updates) |
| ActiveDir SG | | | |
| Inbound (source): | | | |
| ActiveDir SG | TCP | 1-65535 | Allow AD DS domains to talk to each other |
| ActiveDir SG | UDP | 1-65535 | Allow AD DS domains to talk to each other |
| 0.0.0.0/0 | TCP | 53 | DNS for VPC instances |
| 0.0.0.0/0 | UDP | 53 | DNS for VPC instances |
| 0.0.0.0/0 | TCP | 88 | Kerberos authentication |
| 0.0.0.0/0 | UDP | 88 | Kerberos authentication |
| 0.0.0.0/0 | UDP | 123 | NNTP |
| 0.0.0.0/0 | TCP | 135-139 | RPC, NetBIOS |
| 0.0.0.0/0 | UDP | 135-139 | RPC, NetBIOS |
| 0.0.0.0/0 | TCP | 389 | LDAP to directory service |
| 0.0.0.0/0 | UDP | 389 | LDAP to directory service |
| 0.0.0.0/0 | TCP | 445 | SMB |
| 0.0.0.0/0 | UDP | 500 | IPsec ISAKMP |
| 0.0.0.0/0 | TCP | 636 | LDAP SSL |
| 0.0.0.0/0 | UDP | 636 | LDAP SSL |
| 0.0.0.0/0 | TCP | 3268-3269 | LDAP to global catalog server |
| 0.0.0.0/0 | UDP | 4500 | NAT-T |
| 0.0.0.0/0 | TCP | 49152-65535 | Dynamic ports |
| Bastion SG | TCP | 3389 | RDP access for corporate administrators through a bastion host |
| Outbound (destination): | | | |
| Tier / security group | Protocol | Port range | Comments |
|---|---|---|---|
| ActiveDir SG, outbound (destination), continued | | | |
| 0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to servers on the Internet (e.g., for software updates) |
| 0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to servers on the Internet (e.g., for software updates) |

For detailed guidance on setting up VPC security groups, see the Amazon Virtual Private Cloud User Guide.