© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Design, Deploy, and Optimize Microsoft SharePoint on AWS
Lou De La Torre, Solutions Architect
Zlatan Dzinic, Senior Consultant
November 30, 2016
WIN304
What We’ll Cover: Everything SharePoint on AWS
The Fundamentals
• EC2 Networking
• Active Directory
• Remote Access
• Purchasing Options
Architectural Scenarios
• Marketplace Builds
• Hybrid: AWS as a DR Site
• Multi-AZ SharePoint
• SharePoint 2016
• Quick Start
Best Practices
• Amazon EC2 Best Practices
• SQL Best Practices
• Migration Best Practices
• Going Beyond IaaS
Fundamentals: Single VPC Patterns
Public and Privately Routed VPC: This design pattern is used for workloads that need to accommodate a combination of public and private routing needs, such as all-in Internet-facing, multi-tier web applications supported by databases or other privately routed backend systems.
Internal-Only VPC: This design pattern is used to create a network environment that is only accessible from an existing, internal network, such as internally facing or back-office systems.
On-Premises and Internet-Accessible VPC: This design pattern is used to create a network environment that can communicate with both on-premises (privately routed) and external (publicly routed) resources.
Internet-Accessible VPC: This design pattern is primarily used for test, R&D, sales demo, production, and other environments that require a network environment that is completely isolated from a customer’s internal network.
For more info on configuring VPCs, see AWS Answers for Networking.
Fundamentals: External Connectivity
Internet Gateway: Highly available VPC component that allows communication between instances in your VPC and the Internet.
NAT Gateway: Enables instances in a private subnet to connect to the Internet or other AWS services, but prevents the Internet from initiating a connection with those instances.
Virtual Private Network (VPN)
Virtual Private Gateway (VPG)
AWS Direct Connect
For more info on configuring external access, see Amazon VPC for On-Premises Network Engineers, Part One.
Fundamentals: Active Directory Patterns
Directory Trusts: Extending an on-premises directory over secure connections to AWS using either Active Directory or AWS Directory Service for Microsoft AD.
Federated Trusts: Building federated trusts from on-premises to AWS using Active Directory Federation Services or other SAML-compliant software and services.
Diagram (directory trust): an on-premises data center with a domain controller connected over VPN or Direct Connect to an Availability Zone running either a domain controller on Amazon EC2 or AWS Directory Service.
Diagram (federated trust): an on-premises data center with a domain controller and WAP/ADFS, connected securely over the Internet to an Availability Zone running a domain controller and WAP/ADFS on Amazon EC2.
The Fundamentals: Remote Access
See the Remote Desktop Gateway on the AWS Cloud Quick Start for additional info.
The Fundamentals: Purchasing Options
Options for using Microsoft software licenses on the AWS Cloud
Buy Licenses From AWS: 2,300+ products available for 1-click deployment across 35 distinct product categories, including several SharePoint 2013 & 2016 builds ranging from single-server to multiple-server builds. Using license-included instances gives you access to fully compliant Microsoft software licenses bundled with Amazon EC2 and the ability to pay for them as you go with no upfront costs or long-term investments.
Bring Licenses To AWS: If you’ve already purchased Microsoft software, bring your own licenses (BYOL) to the AWS Cloud and extend the lifecycle of your software without additional hardware costs.
For more info on licensing Windows on AWS, see Microsoft Licensing on AWS.
Architecture: Marketplace
• Browse, Test, and Buy Enterprise Software
• Simplified Procurement Process
• Consume as Needed Without Overprovisioning
• One AWS Bill
• Consume Hourly, Monthly, Annually
• Customers run over 143M hours of software per month
SharePoint Enterprise 2016 All In One
SharePoint Enterprise 2016 for AWS "All In One" for SME or Line of Business implementation. Best for Test or Development teams working on short-term development projects, to share and collaborate on new ideas and engage in social conversations.
Diagram: one Availability Zone with one subnet behind an Internet Gateway, holding a single Windows Server 2012 R2 instance that runs Active Directory Domain Services, SQL Server 2014 Enterprise, and SharePoint Server 2016.
Architecture: Marketplace
SharePoint Enterprise 2016 Business
SharePoint Enterprise 2016 is well suited for enterprises looking for a collaboration tool in multiple geo-locations, including support for external users.
Diagram: one Availability Zone behind an Internet Gateway with three subnets, each holding a Windows Server 2012 R2 instance: one running Active Directory Domain Services, one running SQL Server 2014 Enterprise, and one running SharePoint Server 2016.
Architecture: AWS As a DR Site
Spectrum of Disaster Recovery Options (from higher RTO to lower RTO)
Backup & Restore
• Back up to S3 with AWS Storage Gateway
• Replace On-Premises Tape System
• Leverage Amazon Glacier for Data Archiving
Pilot Light
• SQL Server Log Shipping over VPN or Direct Connect
• EC2 Instances in Stopped State
• Cool DR Site with Lower Costs
Warm Site
• SQL Server Asynchronous Always-On Availability Group over Direct Connect
• EC2 Instances in Running State
Architecture: AWS As a DR Site
Backup & Restore
• Minimal Amount of Running Infrastructure on AWS Keeps Costs Low
• Typically Longer RTO
Diagram: the on-premises SharePoint farm (WFE, App and SQL servers on direct-attached or SAN storage) backs up to a backup server supporting iSCSI, CIFS and SMB, which writes through an AWS Storage Gateway VM over HTTPS (or Direct Connect or VPN) to the Storage Gateway service, an S3 bucket and EBS volumes in an Availability Zone; the AWS DR SharePoint farm (WFE, APP and SQL Server EC2 instances) is kept in a stopped state.
For more info on configuring backup and recovery, see Enterprise Backup and Recovery On-Premises to AWS.
For more info on configuring AWS Storage Gateway, see AWS Storage Gateway Documentation.
Architecture: AWS As a DR Site
Pilot Light
• Small Amount of Running EC2 Infrastructure on AWS
• SQL Log Shipping Increases Automation of Database Layer Backup and Restore Operations
Diagram: the on-premises SharePoint farm (WFE, App and SQL servers) ships SQL Server transaction logs over Direct Connect or VPN to a running SQL Server EC2 instance in an Availability Zone, which replays them; the AWS DR SharePoint farm's WFE and APP EC2 instances are kept in a stopped state.
For more info on configuring log shipping between on premises and AWS, see Deploying Microsoft SQL Server on Amazon Web Services.
For more info on configuring a pilot light DR environment on AWS, see Using Amazon Web Services for Disaster Recovery.
Architecture: AWS As a DR Site
Warm Site
• Lower RTOs Require More Running EC2 Infrastructure on AWS
• AlwaysOn Availability Group(s) Further Increase Automation of Database Synchronization/Restore
Diagram: the on-premises SharePoint farm (WFE and App servers plus two SQL Servers in a synchronous SQL Server Always On Availability Group) replicates with asynchronous commit over Direct Connect or VPN to a SQL Server EC2 instance in an Availability Zone; the AWS DR SharePoint farm's WFE and APP EC2 instances are in a running state.
For more info on configuring always-on availability groups between on premises and AWS, see Deploying Microsoft SQL Server on Amazon Web Services.
Architecture: Multi-AZ SharePoint
Typical On-Premises SharePoint Setup
• Single Production Farm
• Database Backups Shipped Offsite and/or Replicated to Alternate Data Center
• Typical SharePoint DR Plan Involves a Full Farm Rebuild Followed by a Restore of Content Database Backups
Diagram: Data Center #1 hosts the production SharePoint farm; storage volumes or database backups are synchronized/replicated to Data Center #2, and database backups on tape media are transported to an offsite facility.
Architecture: Multi-AZ SharePoint
AWS Multi-AZ Design Pattern
• AWS is built around Regions and Availability Zones (AZs)
• A Region is a physical location in the world where we have multiple Availability Zones
• Availability Zones consist of one or more discrete fault-tolerant data centers, each with redundant power, networking and connectivity
• Availability Zones are connected to each other with private, low-latency fiber-optic links
• You can achieve high availability by deploying an application that spans multiple Availability Zones
• Data Center Redundancy Achieved with Little or No Effort!
Diagram: a single application boundary spanning Availability Zone #1 and Availability Zone #2, each with a web server and a DB server, using synchronous replication and automatic failover over the low-latency link.
Architecture: Multi-AZ SharePoint
AWS Multi-AZ SharePoint 2013
• VPC, Two AZs, Single Public and Multiple Private Subnets
• Include Remote Access, NAT Gateways and Active Directory
• Stretched SharePoint Farm Spanning Multiple AZs Providing Data Center Redundancy
• Multi-AZ Reduces Risk Profile and Simplifies DR Planning
Diagram: one VPC across Availability Zone #1 and #2; each AZ has a Public Tier subnet (Windows Server RD Gateway, VPC NAT Gateway), a Web Tier subnet (SharePoint WFE), an App Tier subnet (SharePoint APP), a Data Tier subnet (SQL Server) and a Directory Tier subnet (Domain Controller). An AWS ELB fronts the web tier and the two SQL Servers form a synchronous Always On Availability Group.
Architecture: Multi-AZ SharePoint
• Fully Supported to Run a SharePoint DR Farm/Two-Region DR Pattern on AWS for SharePoint
• AWS Supports Traditional Two-Data Center Patterns
Diagram: the production farm in Region US East spans two Availability Zones as above (AWS ELB, RD Gateways, NAT Gateways, SharePoint WFE and APP servers, Domain Controllers, SQL Servers in a synchronous Always On Availability Group); a DR farm in Region US West, in a single Availability Zone with the same tiers, receives an asynchronous Always On Availability Group replica over VPN.
Architecture: SharePoint 2016
MinRole SharePoint
• Minimum Size SharePoint 2016 MinRole Farm
• Does Not Provide HA
Diagram: the two-AZ VPC layout (AWS ELB, RD Gateways, NAT Gateways, Domain Controllers) with a single SQL Server and one SharePoint server per MinRole role: Front-end, Search, Application and Distributed Cache.
Architecture: SharePoint 2016
MinRole SharePoint
• HA SharePoint 2016 MinRole Farm
• Supports No Downtime Patching
Diagram: the same two-AZ layout with two SQL Servers in a synchronous Always On Availability Group and each MinRole role (Front-end, Search, Application, Distributed Cache) deployed in both Availability Zones; Distributed Cache is shown on three servers.
Architecture: SharePoint 2016
MinRole SharePoint
• HA SharePoint 2016 MinRole Farm
• Supports No Downtime Patching
• Add Office Online Server and Workflow Manager
Diagram: the HA MinRole layout above, plus two Office Online Server instances and three Workflow Manager instances spread across the two Availability Zones.
Architecture: SharePoint 2016
SharePoint 2016 Feature Pack 1
• MinRole Enhancements
• Supports Shared Roles
• Minimum Number of Farm Servers for HA = 4
Diagram: the two-AZ layout with two SQL Servers in a synchronous Always On Availability Group and, in each Availability Zone, one SharePoint Front-end with Distributed Cache server and one SharePoint Application with Search server.
Architecture: SharePoint Quick Start
AWS CloudFormation Automated Build
• Extensible JSON AWS CloudFormation Templates Available on GitHub
• Creates “Stacks” of AWS Resources
• Bring Your Own License for SharePoint
• DevOps for SharePoint
Deployment Steps
1. Prepare an AWS Account.
2. Configure and Launch the Stack.
3. Configure Availability Group(s).
4. Done!
Template takes about 3 hours to complete
Default template will cost about $12 per hour
Best Practices: EC2 Networking Security
Network ACLs
• Optional Layer of Security
• Subnet Level (Second Layer of Defense)
• ALLOW and DENY Rules
• Stateless (Return Traffic Not Automatically Allowed)
• Rules Evaluated in Order
• Automatically Applies to All Instances in Subnet
Security Groups
• Instance Level (First Layer of Defense)
• Instances Can Associate to Multiple Security Groups
• ALLOW Rules Only
• Stateful (Return Traffic Automatically Allowed)
• Security Group Must be Specified for an Instance
Diagram (network ACLs): VPC 10.0.0.0/16 in one Availability Zone with a Directory Tier (10.0.0.0/19), Data Tier (10.0.32.0/20), Web Tier (10.0.64.0/20) and Public Tier (10.0.96.0/20). The Directory Tier subnet carries acl-1010 (Domain Traffic) and the Data Tier subnet carries acl-2020 (SQL Traffic); the labels acl-1111 (Domain Traffic) and acl-2222 (SQL Traffic) also appear. An ELB in the Public Tier fronts the SharePoint Front-end servers.
acl-1010 (Domain Traffic), Inbound Rules:
Rule # | Type | Protocol | Port Range | Source | Allow/Deny
100 | DNS (TCP) (53) | TCP (6) | 53 | 10.0.32.0/20 | ALLOW
300 | LDAP (389) | TCP (6) | 389 | 10.0.32.0/20 | ALLOW
acl-2020 (SQL Traffic), Inbound Rules:
Rule # | Type | Protocol | Port Range | Source | Allow/Deny
100 | MS SQL (1433) | TCP (1433) | 1433 | 10.0.64.0/16 | ALLOW
...
Diagram (security groups): the same VPC and tiers, with the Domain Controller in sg-1010, the SQL Server in sg-2020, the SharePoint Front-end servers in sg-3030 and sg-4040, and the ELB in sg-5050.
sg-1010 (Domain Traffic), Inbound Rules:
Type | Protocol | Port Range | Source
DNS (TCP) (53) | TCP (6) | 53 | 10.0.32.0/20
DNS (TCP) (53) | TCP (6) | 53 | sg-2020
LDAP (389) | TCP (6) | 389 | 10.0.32.0/20
LDAP (389) | TCP (6) | 389 | sg-2020
sg-2020 (SQL Traffic), Inbound Rules:
Type | Protocol | Port Range | Source
MS SQL (1433) | TCP (1433) | 1433 | 10.0.64.0/16
MS SQL (1433) | TCP (1433) | 1433 | sg-4040
sg-3030 (HTTP Traffic), Inbound Rules:
Type | Protocol | Port Range | Source
HTTP (80) | TCP (6) | 80 | 10.0.96.0/20
HTTP (443) | TCP (6) | 443 | 10.0.96.0/20
sg-4040 (SharePoint Traffic), Inbound Rules:
Type | Protocol | Port Range | Source
Custom TCP | TCP (6) | 808 | 10.0.64.0/20
Custom TCP | TCP (6) | 32843 | 10.0.64.0/20
Custom TCP | TCP (6) | 32844 | 10.0.64.0/20
Custom TCP | TCP (6) | 22233-22236 | 10.0.64.0/20
...
sg-5050 (ELB Traffic), Inbound Rules:
Type | Protocol | Port Range | Source
HTTP (80) | TCP (6) | 80 | 0.0.0.0/0
HTTP (443) | TCP (6) | 443 | 0.0.0.0/0
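The two filtering layers above, modelled in Python as an added example (not part of the deck or of any AWS tooling): a network ACL evaluates ordered ALLOW/DENY rules per direction and keeps no connection state, while a security group holds ALLOW rules only, can name another group (sg-4040) as a source, and passes the return traffic of a connection it accepted. Group ids and CIDRs follow the slide; the hosts 10.0.64.10, 10.0.64.250 and 10.0.48.5, the client port 49500 and the lower-numbered DENY rule are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    src_groups: frozenset = frozenset()  # security groups of the sending instance

@dataclass(frozen=True)
class Rule:
    source: str          # a CIDR, or a security-group id (groups only)
    ports: range
    allow: bool = True   # DENY exists only on network ACLs
    number: int = 0      # evaluation order, network ACLs only

def _source_matches(rule, pkt):
    if rule.source.startswith("sg-"):
        return rule.source in pkt.src_groups
    return ip_address(pkt.src) in ip_network(rule.source)

class NetworkAcl:
    """Subnet layer: per direction, rules tried in ascending number, first match
    decides, no match is DENY. Stateless: a reply is judged on its own."""
    def __init__(self, inbound, outbound=()):
        self.lists = {"in": sorted(inbound, key=lambda r: r.number),
                      "out": sorted(outbound, key=lambda r: r.number)}
    def permits(self, pkt, direction):
        for r in self.lists[direction]:
            if pkt.dport in r.ports and _source_matches(r, pkt):
                return r.allow
        return False

class SecurityGroup:
    """Instance layer: ALLOW rules only, stateful (reply to an accepted request passes)."""
    def __init__(self, rules):
        assert all(r.allow for r in rules), "security groups cannot DENY"
        self.rules, self.flows = list(rules), set()
    def permits(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True  # return traffic of a connection already accepted
        if any(pkt.dport in r.ports and _source_matches(r, pkt) for r in self.rules):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False

SQL = range(1433, 1434)
# acl-2020 rule 100 from the slide plus a constructed lower-numbered DENY for one host.
ACL_2020 = NetworkAcl(inbound=[Rule("10.0.64.0/20", SQL, number=100),
                               Rule("10.0.64.250/32", SQL, allow=False, number=50)])

def check(src, src_groups=()):
    """Constructed SQL request from src to 10.0.32.10 and its reply: (acl_req, acl_rep, sg_req, sg_rep)."""
    sg_2020 = SecurityGroup([Rule("10.0.64.0/20", SQL), Rule("sg-4040", SQL)])
    req = Packet(src, "10.0.32.10", 49500, 1433, frozenset(src_groups))
    rep = Packet("10.0.32.10", src, 1433, 49500, frozenset({"sg-2020"}))
    return (ACL_2020.permits(req, "in"), ACL_2020.permits(rep, "out"),
            sg_2020.permits(req), sg_2020.permits(rep))
```

With no outbound rule on the ACL the SQL reply is dropped at the subnet layer, while the security group passes it because it remembers the request; a host outside 10.0.64.0/20 that is a member of sg-4040 is accepted by the group but denied by the CIDR-only ACL.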
Best Practices: SQL Server
• Select an AMI with Adequate CPU and Memory for Your Workload
• Select an EBS-optimized AMI if Possible
• Optimize TempDB Just Like On-Premises (Use Instance Storage if Possible or Fast EBS Otherwise)
• Provision Enough IOPs for Your Workload
General Purpose SSD
• Max Throughput per Volume: 160 MB/s
• Max IOPS per Volume: 10,000
• Volume Size: 1 GB to 16 TB
• Burst: 3,000 IOPS (for volumes up to 1 TB)
• Great for boot volumes, low-latency applications, and bursty databases
Provisioned IOPS SSD
• Max Throughput per Volume: 320 MB/s
• Max IOPS per Volume: 20,000
• Volume Size: 4 GB to 16 TB
• Ideal for critical applications and databases with sustained IOPS
Diagram: Always On Availability Group across two Availability Zones with synchronous commit and automatic failover. Primary replica in Availability Zone 1, private subnet (Primary 10.0.2.100, WSFC 10.0.2.101, AG Listener 10.0.2.102); secondary replica in Availability Zone 2, private subnet (Primary 10.0.3.100, WSFC 10.0.3.101, AG Listener 10.0.3.102); AG Listener name ag.awslabs.net.
Best Practices: SQL Server
Diagram: multi-region Always On Availability Group. AWS Region A: primary replica on EC2 in Availability Zone 1, private subnet (Primary 10.0.2.100, WSFC 10.0.2.101, AG Listener 10.0.2.102) and secondary replica on EC2 in Availability Zone 2, private subnet (Primary 10.0.3.100, WSFC 10.0.3.101, AG Listener 10.0.3.102), with synchronous commit and automatic failover. AWS Region B: secondary replica on EC2 in Availability Zone 1, private subnet (Primary 10.1.2.100, WSFC 10.1.2.101, AG Listener 10.1.2.102), with asynchronous commit and manual failover, reached over a VPN between Elastic IPs.
Best Practices: Migration
1. Understand Your On-Premises SharePoint Environment (Customizations, Most Used Sites, etc.)
2. Devise Your Migration Strategy (URL Strategy, Timeline, User Communication Plan, etc.)
3. Prepare for What’s New in AWS (Security, IAM, Train Your Staff, etc.)
4. Embrace Automation (DevOps, PowerShell for Windows, etc.)
5. Run Trial for Upgrades (Build, Trial, and Test Upgrade Runs, Establish UAT Group, Feedback Loops, etc.)
6. Plan for Rollback
Going Beyond IaaS
CloudWatch & CloudWatch Logs
• Monitor EC2 Metrics (CPU, Disk Usage, etc.) and Other AWS Resources (EBS Volumes, Elastic Load Balancers, etc.)
• Enhanced Log Support for Windows with EC2Config (IIS Logs, Perfmon Logs, etc.)
• Monitor Logs and Configure Alerts
• Store Logs and Perform Analytics
Diagram (alerting): SharePoint Front-end, SQL Server and Domain Controller instances in an Availability Zone in Region US West send metrics and logs to CloudWatch / CloudWatch Logs; CloudWatch Alarms drive an Amazon SMS notification workflow.
Diagram (analytics): the same instances send logs to CloudWatch / CloudWatch Logs, which feed Amazon Kinesis, Amazon S3, Amazon Redshift and AWS Lambda.
Thank you!
Remember to complete your evaluations!
Windows Track Sessions
WIN301: Bring Microsoft Applications to AWS to Save Money and Stay Licensing Compliant
Tues, Nov 29 3:30-4:30 PM Venetian H
WIN204: How to Move 1,000 VMs and Biz Critical Apps to AWS in 6 months. Edwards Lifesciences
Tues, Nov 29 3:30-4:30 PM Venetian H
WIN303: How to Launch a 100k User Microsoft Back Office and Not Break a Sweat
Wed, Nov 30 5:30-6:30 PM Delfino 4004
WIN304: Design, Deploy & Optimize SharePoint on AWS
Wed Nov 30 12:30-1:30 PM Venetian, Level 3, San Polo 3403
WIN305: Best Practices for Integrating Active Directory with AWS Workloads
Wed, Nov 30 5:00-6:00 PM Venetian H
WIN306: Design, Deploy & Optimize SQL Server on AWS
Thurs, Dec 1 5:30-6:30 PM Venetian H