Running Microsoft Workloads on AWS
TRANSCRIPT
AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015
Running Microsoft Workloads on AWS
Bill Jacobi
Manager, Solutions Architecture
June 25, 2015
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Session abstract
Deploy, scale and manage your Microsoft workloads on AWS. We will start with why customers want to deploy Windows applications on AWS as a cloud platform. We will discuss reference architectures and best practices for implementing Microsoft products including Active Directory, Remote Desktop Gateway, Exchange, SharePoint, and Lync on AWS. We will conclude with best practices for managing and monitoring Microsoft technologies on AWS.
Agenda
• Why run Windows on AWS
• New announcements
• Windows architecture
– Security and remote administration
– Active Directory Domain Services
– Microsoft SharePoint 2013
– Microsoft Exchange Server 2013
– Microsoft Lync 2013
– Microsoft SQL Server 2014
– Managing and monitoring Windows instances and applications
What is AWS for Windows?
secure, reliable, high-performance, familiar, cost-effective, extensive, flexible
Optimization for Windows-based workloads
Wide range of scalable services
Alignment with business needs
AWS for Windows is secure
“Amazon Virtual Private Cloud (Amazon VPC) gives us a secure environment in the AWS cloud with the flexibility and scalability we need to manage our SharePoint environment with zero impact to our on-premises datacenter”
- Jeremy Fuchs, Vice President of Financial and BI Systems, Lionsgate
Security-in-layers approach
Isolated infrastructure and workloads
Identity and access controls
Tracking and logging
Optimized for regulatory compliance
AWS for Windows is reliable
“Before migrating to AWS, we experienced 10 to 20 hours of downtime a month. With AWS, our downtime is significantly reduced. Our average uptime increased rapidly from 98.8 percent to 99.9 percent without re-architecting applications.”
- Augusto Rosa, Server Operations Manager, Shaw Media
99.95% SLA (EC2, EBS, RDS)
Multi-region asynchronous replication
Uptime and performance monitoring
Low network variability
AWS for Windows is high-performance
“Using AWS, we decreased average network latency from 700 milliseconds to less than 50 milliseconds… Fundamentally, running in AWS enables a 230 percent CPU consumption efficiency in data processing.”
- Murari Gopalan, Technology Director, Expedia.com
Enterprise-grade computing on demand
Automation for both complex and routine tasks
Dedicated, low-latency network connections
Automated scaling
Monitoring tools with user-defined thresholds
AWS for Windows is familiar
“We didn’t have time to redesign applications. AWS could support our legacy 32-bit applications on Windows Server 2003, a variety of SQL Server and Oracle databases, and a robust Citrix environment.”
- Jim McDonald, Lead Architect, Hess Corporation
Windows-based application support
Your own cloud servers
Use existing VMs
License flexibility
Same tools as on-premises environments
AWS for Windows is cost-effective
“Had we built our SharePoint 2013 farm in our other data center, we would have increased costs by almost 50 percent. When you compare our SharePoint 2012 farm to our SharePoint 2013 farm, AWS allowed us to increase our computing power while also reducing costs by 14 percent.”
- Michael Cierkowski, Development Manager, Slalom Consulting
No hardware procurement/deployment costs
Improved hardware utilization
Bring your own licenses
Value-oriented culture
No long-term commitments
AWS for Windows is extensive
“As our company continued to grow, so did our reliance on the AWS cloud and now, we’ve adopted almost all of the features AWS provides. AWS is the easy answer for any Internet business that wants to scale to the next level.”
- Nathan Blecharczyk, Co-founder & CTO, Airbnb
More than 40 services available
Broad ecosystem of partners
Third-party application marketplace
Continuous service improvement
Technical certifications for multiple skill levels
AWS for Windows is flexible
Highly customizable infrastructure
Variety of instance types
Maintain availability at the lowest cost
Wide variety of storage options
“By deploying their on-premises Microsoft solutions like SharePoint and Exchange into the AWS platform, combined with InfoReliance’s fully managed service options, our customers find the best of both worlds and the flexibility they require to meet their evolving requirements.”
- John Sankovich, VP Cloud Solutions, InfoReliance
Why AWS for Windows?
secure, reliable, high-performance, familiar, cost-effective, extensive, flexible
Common AWS Services used with Windows Applications
New Announcements
https://aws.amazon.com/quickstarts
https://aws.amazon.com/blogs/aws/now-available-sql-server-enterprise-edition-ami-for-ec2/
Windows architecture on AWS
• Place application servers in private subnets to prevent direct access from the Internet
• Deploy bastion hosts, reverse proxies, and other Internet-facing servers in public subnets
• Install critical workloads in at least two Availability Zones to provide high availability
Windows architecture on AWS
[Diagram: two Availability Zones. Each AZ has a public subnet holding a NAT instance and an RD Gateway (RDG), and private subnets holding a domain controller (DC), SQL Server (DB), app server (APP) and IIS server (WEB). Subnet ranges shown: 10.0.2.0/24 (public); 10.0.10.0/24 and 10.0.11.0/24 (AZ 1 private); 10.0.100.0/24 and 10.0.110.0/24 (AZ 2 private). Remote users and admins enter through the public subnets.]
Virtual Private Cloud (VPC) is the foundation
Architectural considerations
• Amazon Virtual Private Cloud
– Configure IP ranges, public/private subnets, routing tables, Internet gateway or virtual private gateway
• Security groups, network ACLs, VPC Flow Logs
• Remote administration
• The principle of least privilege
Security groups
[Diagram: one Availability Zone with a public subnet (10.0.0.0/24) holding WEB in the web security group and a private subnet (10.0.1.0/24) holding SQL in the SQL security group. A user reaches WEB on TCP 80; WEB reaches SQL on TCP 1433.]
• web security group: accept TCP port 80 from the Internet
• SQL security group: accept TCP port 1433 from the web security group
Remote administration
• Place the RD Gateway in the DMZ (public) subnet
• Clients use the Remote Desktop Protocol (RDP) over HTTPS to establish an encrypted connection
• Pro tip: use Remote Desktop Connection Manager
• Bastion hosts can run Windows PowerShell Web Access for remote command-line administration
Deploying a bastion host (Remote Desktop Gateway) in each Availability Zone provides highly available and secure remote access over the Internet.
Secure remote administration architecture
[Diagram: an AWS administrator in the corporate data center connects over TCP 443 to the RD Gateway (RDG) in the public subnet; the RDG proxies RDP (TCP 3389) to WEB1 and WEB2 in the private subnet.]
• gateway security group: accept TCP port 443 from the admin IP address
• web security group: accept TCP port 3389 from the gateway security group
Connect to the Remote Desktop Gateway over HTTPS, which proxies the RDP connection to the back-end instance.
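The two security-group slides above state the rules in words. What follows is an added example, not code from the deck or the Quick Starts, that creates the same rules with AWS Tools for PowerShell and then checks that nothing in the VPC has drifted to exposing RDP or SQL to the Internet. The VPC ID, the admin source address and the group names are assumptions.

```powershell
# Added example (not from the original deck): least-privilege security groups for
# the RD Gateway path and the web/SQL tiers as drawn on the slides.
# Assumptions: $vpcId is an existing VPC; $adminCidr is the corporate admin egress
# address (TEST-NET-3 placeholder here); group names are illustrative.
Import-Module AWSPowerShell   # or the modular AWS.Tools.EC2

$vpcId     = 'vpc-0123456789abcdef0'   # assumption: replace with your VPC
$adminCidr = '203.0.113.10/32'         # assumption: admin source address

# Build one TCP ingress permission from either a CIDR or another security group.
# Referencing a group instead of a CIDR is what keeps SQL reachable only from
# web-tier instances, whatever private IPs those instances happen to get.
function New-TcpIngress {
    param(
        [Parameter(Mandatory)][int]$Port,
        [string]$Cidr,
        [string]$SourceGroupId
    )
    $perm = New-Object Amazon.EC2.Model.IpPermission
    $perm.IpProtocol = 'tcp'
    $perm.FromPort   = $Port
    $perm.ToPort     = $Port
    if ($Cidr) {
        $range = New-Object Amazon.EC2.Model.IpRange
        $range.CidrIp = $Cidr
        $perm.Ipv4Ranges.Add($range)
    }
    if ($SourceGroupId) {
        $pair = New-Object Amazon.EC2.Model.UserIdGroupPair
        $pair.GroupId = $SourceGroupId
        $perm.UserIdGroupPairs.Add($pair)
    }
    return $perm
}

# One group per role; New-EC2SecurityGroup returns the new group ID.
$gwSg  = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'rdgw-sg' -Description 'RD Gateway: HTTPS from admins only'
$webSg = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'web-sg'  -Description 'IIS tier'
$sqlSg = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'sql-sg'  -Description 'SQL Server tier'

# The slide rules: 443 to the gateway from the admin address only; 80 to web from
# anywhere; 1433 to SQL only from the web group; 3389 to both tiers only from the
# gateway group. Nothing opens RDP or SQL to 0.0.0.0/0.
Grant-EC2SecurityGroupIngress -GroupId $gwSg  -IpPermission (New-TcpIngress -Port 443  -Cidr $adminCidr)
Grant-EC2SecurityGroupIngress -GroupId $webSg -IpPermission (New-TcpIngress -Port 80   -Cidr '0.0.0.0/0')
Grant-EC2SecurityGroupIngress -GroupId $webSg -IpPermission (New-TcpIngress -Port 3389 -SourceGroupId $gwSg)
Grant-EC2SecurityGroupIngress -GroupId $sqlSg -IpPermission (New-TcpIngress -Port 1433 -SourceGroupId $webSg)
Grant-EC2SecurityGroupIngress -GroupId $sqlSg -IpPermission (New-TcpIngress -Port 3389 -SourceGroupId $gwSg)

# Check: report any group in the VPC that opens an admin or database port, or all
# traffic (protocol -1), to the whole Internet. Run it on a schedule; it is the
# least-privilege rule above restated as a test.
function Find-ExposedAdminPort {
    param([Parameter(Mandatory)][string]$VpcId)
    $watched = 3389, 1433, 5985, 5986
    Get-EC2SecurityGroup -Filter @{ Name = 'vpc-id'; Values = $VpcId } | ForEach-Object {
        $sg = $_
        foreach ($p in $sg.IpPermissions) {
            $public = $p.Ipv4Ranges | Where-Object { $_.CidrIp -eq '0.0.0.0/0' }
            if ($public -and ($p.IpProtocol -eq '-1' -or $p.FromPort -in $watched)) {
                "$($sg.GroupId) ($($sg.GroupName)) exposes $($p.IpProtocol)/$($p.FromPort) to the Internet"
            }
        }
    }
}
Find-ExposedAdminPort -VpcId $vpcId
```

Security groups are stateful, so no egress rule is needed for the return traffic on 443, 80, 3389 or 1433; the web tier's outbound rule set can be tightened separately. The check deliberately looks at the whole VPC rather than only the three groups created here, since the drift that matters is usually in a group someone added later.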
Remote Desktop Connection Manager (RDCMan 2.7)
Managing Active Directory
• Use AD domain controllers in the cloud and/or on-premises
• No different in the cloud: AD provides the security boundary, IP addressing and DNS
• Amazon VPC provides DHCP and “static” IPs for DCs and servers
• Global catalog servers
• Read-only and writeable domain controllers
AWS Directory Service
• Simple AD: managed directory powered by Samba 4 Active Directory Compatible Server; supports user accounts, group memberships and domain-joining Amazon EC2 instances
• AD Connector: proxies directory requests to the on-premises environment; users can access AWS resources and applications with existing corporate credentials
https://aws.amazon.com/blogs/aws/new-aws-directory-service/
Active Directory hybrid deployments
• Properly define AD sites and subnets
• Configure site-link costs
• Enable the Try Next Closest Site Group Policy setting on domain members
• Connectivity from the cloud to the corporate data center via VPN or Direct Connect
• Security groups must allow AD traffic to and from the on-premises DCs
[Diagram: AD forest spanning AWS and the corporate data center. DC1 in New York and DC2 in Washington, D.C. sit on the corporate network; DC3 sits in a private subnet in an Availability Zone of the AWS region, reached via VPN or Direct Connect.]
[Diagram: the same forest, with DC1 in New York marked down.]
If DC1 goes down, where does the NY client go to authenticate?
[Diagram: the same forest with AD sites defined: New York/AD site 1 (DC1), Washington, D.C./AD site 2 (DC2) and AD site 3 in AWS (DC3); the site links are labelled Cost 100, Cost 100 and Cost 50, and DC1 is marked down.]
With the Try Next Closest Site policy enabled, clients use the least-cost path to a domain controller. Applies to on-premises and cloud sites.
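The hybrid-deployment bullets and the three site diagrams above describe one procedure: define sites and subnets, cost the links, and turn on Try Next Closest Site. The following is an added example, not the deck's or the Quick Start's own code, that carries it out with the ActiveDirectory and GroupPolicy modules. The site and link names, the corporate subnet ranges, which link carries the cost of 50, the GPO name and the domain name contoso.com are all assumptions.

```powershell
# Added example (not from the original deck): AD sites, subnets and site-link costs
# for the hybrid forest on the slides, plus the Try Next Closest Site policy.
# Assumptions: site/link names, the corporate subnet ranges, which link gets which
# cost, the GPO name 'Domain Members' and the domain contoso.com are illustrative.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Sites: one per location. The AWS region is a site of its own (AD site 3 on the slide).
foreach ($site in 'New-York', 'Washington-DC', 'AWS-us-east-1') {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# 2. Subnets: map every client/server range to its site so the DC locator can tell
#    which site a machine is in. The whole VPC CIDR maps to the AWS site.
$subnets = @{
    '192.168.10.0/24' = 'New-York'        # assumption: corporate NY range
    '192.168.20.0/24' = 'Washington-DC'   # assumption: corporate DC range
    '10.0.0.0/16'     = 'AWS-us-east-1'   # VPC CIDR used throughout the deck
}
foreach ($cidr in $subnets.Keys) {
    New-ADReplicationSubnet -Name $cidr -Site $subnets[$cidr]
}

# 3. Site links with the costs on the slide (100, 100, 50); lower cost is preferred.
#    Assumption: the 50 is the on-premises NY-DC link, each site to AWS is 100, so
#    clients prefer the other corporate site before crossing the VPN/Direct Connect.
New-ADReplicationSiteLink -Name 'NY-DC'  -SitesIncluded 'New-York', 'Washington-DC'      -Cost 50  -ReplicationFrequencyInMinutes 15
New-ADReplicationSiteLink -Name 'NY-AWS' -SitesIncluded 'New-York', 'AWS-us-east-1'      -Cost 100 -ReplicationFrequencyInMinutes 15
New-ADReplicationSiteLink -Name 'DC-AWS' -SitesIncluded 'Washington-DC', 'AWS-us-east-1' -Cost 100 -ReplicationFrequencyInMinutes 15
# If the existing sites are still members of DEFAULTIPSITELINK, take them out of it;
# otherwise that link keeps a second, uncosted path between them.

# 4. Try Next Closest Site, delivered to domain members by GPO. Without it, a client
#    whose own site has no reachable DC falls back to any DC in the domain; with it
#    the locator walks site links by cost, so a NY client whose DC1 is down goes to
#    Washington (cost 50) before AWS (cost 100). This is the registry value the
#    "Try Next Closest Site" policy under Net Logon/DC Locator DNS Records sets.
Set-GPRegistryValue -Name 'Domain Members' `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -ValueName 'TryNextClosestSite' -Type DWord -Value 1

# 5. Verify from a client after gpupdate: which DC and site the locator picked.
nltest /dsgetdc:contoso.com /force
```

The security group point from the same slide still applies: DC3 is only useful as a fallback if the groups around it, and the VPN or Direct Connect path, pass the AD protocol set (DNS, Kerberos, LDAP/LDAPS, SMB, RPC and its dynamic range) in both directions; the DC locator does not check reachability until a client actually tries the next site.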
SQL Server high availability
• Amazon RDS Multi-AZ deployments
– Fully managed by AWS
– No administrative intervention
– Uses SQL Server mirroring
• SQL Server Enterprise 2012/2014 on Amazon EC2
– Managed by you
– High availability achieved using Windows Server Failover Clustering (WSFC) and AlwaysOn Availability Groups
– SQL Server Enterprise Edition AMI available (as of June 16)
SQL Server high availability
[Diagram: primary replica in a private subnet in Availability Zone 1 and secondary replica in a private subnet in Availability Zone 2, synchronous-commit with automatic failover. AZ 1 addresses: instance 10.0.2.100, WSFC 10.0.2.101, AG listener 10.0.2.102. AZ 2 addresses: instance 10.0.3.100, WSFC 10.0.3.101, AG listener 10.0.3.102. AG listener name: ag.awslabs.net.]
WSFC quorum
[Diagram: primary replica (Availability Zone 1, private subnet) and secondary replica (Availability Zone 2, private subnet), synchronous-commit with automatic failover, plus a witness server.]
WSFC quorum
[Diagram: the same two replicas, with the witness server placed in a third Availability Zone.]
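The three SQL slides above give the shape of the deployment: a two-node cluster spanning two Availability Zones, a witness in a third, and an Availability Group with a listener. The following is an added example, not the deck's or the SQL Server Quick Start's own code, that builds it with the FailoverClusters and SqlServer modules using the addresses on the slides. The node names SQL1/SQL2, the DNS suffix awslabs.net, the database AppDb, the witness share and the endpoint port are assumptions.

```powershell
# Added example (not from the original deck): multi-subnet WSFC across two AZs with
# a file share witness in a third AZ, then an AlwaysOn AG with a listener, using the
# cluster and listener addresses from the slides.
# Assumptions: nodes SQL1/SQL2 (default instances), DNS suffix awslabs.net, database
# AppDb, witness share \\WITNESS\SQLWitness hosted in AZ 3, endpoint port 5022.
Import-Module FailoverClusters
Import-Module SqlServer   # on older hosts: Import-Module SQLPS -DisableNameChecking

# 1. Cluster: no shared storage, one cluster IP per subnet (the WSFC IPs on the slide).
New-Cluster -Name 'SQLCLUSTER' -Node 'SQL1', 'SQL2' -NoStorage `
    -StaticAddress '10.0.2.101', '10.0.3.101'

# 2. Quorum: node + file-share majority. The witness sits in a third AZ so that losing
#    either database AZ (node plus its subnet) still leaves two of three votes.
Set-ClusterQuorum -NodeAndFileShareMajority '\\WITNESS\SQLWitness'

# 3. Enable AlwaysOn on both instances and create the mirroring endpoint on each.
#    The endpoint port should be allowed only from the SQL security group, not the subnet.
foreach ($node in 'SQL1', 'SQL2') {
    Enable-SqlAlwaysOn -ServerInstance $node -Force
    $ep = New-SqlHadrEndpoint -Name 'Hadr_endpoint' -Port 5022 -Path "SQLSERVER:\SQL\$node\DEFAULT"
    Set-SqlHadrEndpoint -InputObject $ep -State Started
}

# 4. Seed the secondary: full + log backup on the primary, restore with NORECOVERY.
$bak = '\\WITNESS\SQLWitness\AppDb.bak'
$trn = '\\WITNESS\SQLWitness\AppDb.trn'
Backup-SqlDatabase  -ServerInstance 'SQL1' -Database 'AppDb' -BackupFile $bak
Backup-SqlDatabase  -ServerInstance 'SQL1' -Database 'AppDb' -BackupFile $trn -BackupAction Log
Restore-SqlDatabase -ServerInstance 'SQL2' -Database 'AppDb' -BackupFile $bak -NoRecovery
Restore-SqlDatabase -ServerInstance 'SQL2' -Database 'AppDb' -BackupFile $trn -RestoreAction Log -NoRecovery

# 5. Availability group: both replicas synchronous-commit with automatic failover,
#    exactly the mode drawn on the slide. -Version 12 is SQL Server 2014.
$replicas = foreach ($node in 'SQL1', 'SQL2') {
    New-SqlAvailabilityReplica -Name $node -EndpointUrl "TCP://$node.awslabs.net:5022" `
        -AvailabilityMode SynchronousCommit -FailoverMode Automatic -AsTemplate -Version 12
}
$agOnPrimary   = 'SQLSERVER:\SQL\SQL1\DEFAULT\AvailabilityGroups\AG'
$agOnSecondary = 'SQLSERVER:\SQL\SQL2\DEFAULT\AvailabilityGroups\AG'
New-SqlAvailabilityGroup -Name 'AG' -Path 'SQLSERVER:\SQL\SQL1\DEFAULT' -AvailabilityReplica $replicas -Database 'AppDb'
Join-SqlAvailabilityGroup  -Path 'SQLSERVER:\SQL\SQL2\DEFAULT' -Name 'AG'
Add-SqlAvailabilityDatabase -Path $agOnSecondary -Database 'AppDb'

# 6. Listener with one IP per subnet (the listener IPs on the slide). Applications
#    connect to ag.awslabs.net with MultiSubnetFailover=True in the connection string
#    so the client tries both addresses in parallel instead of waiting on DNS.
New-SqlAvailabilityGroupListener -Name 'ag' -Port 1433 `
    -StaticIp '10.0.2.102/255.255.255.0', '10.0.3.102/255.255.255.0' -Path $agOnPrimary

# 7. Prove failover before go-live: run the switch from the secondary, then check health.
Switch-SqlAvailabilityGroup -Path $agOnSecondary
Test-SqlAvailabilityGroup   -Path $agOnSecondary
```

Two EC2-specific caveats that the cmdlets do not cover: the cluster and listener addresses (10.0.2.101/102 and 10.0.3.101/102) must also be assigned as secondary private IPs on each node's network interface, because the VPC does not learn them from the cluster, and the witness file share needs SMB (TCP 445) allowed from both nodes' security group. Restoring with NORECOVERY in step 4 is what lets the secondary join; a database restored with recovery has to be dropped and seeded again.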
SharePoint 2013 reference architecture
• General guidelines
– Critical workloads are placed in two Availability Zones
– Examples: AD domain controllers, SharePoint servers, RD gateways, Forefront TMG gateways, NAT gateways
– Internal application servers are placed in private subnets
– RD gateways are deployed into public subnets in each Availability Zone
• Web tier is made highly available through load balancing
• Application-tier load balancing is native to SharePoint (crawl servers, query servers, etc. installed cross-farm)
• High availability on the database tier can be achieved with SQL Server AlwaysOn
Internet-facing SharePoint farm on AWS
[Diagram: two Availability Zones. Each AZ has a public subnet (10.0.0.0/24 shown) holding NAT and RDG, and a private subnet (10.0.2.0/24 shown) holding a domain controller (DC), SQL Server (DB; primary in AZ 1, secondary in AZ 2, joined in a SQL Server AlwaysOn Availability Group), an app server (APP) and a web front end (WEB). Users enter through the public subnets.]
Exchange 2013 reference architecture
• Critical workloads are placed in two Availability Zones
– AD domain controllers, Exchange servers, RD gateways, Edge Transport servers, NAT gateways
• Internal application servers are placed in private subnets
• RD gateways are deployed into public subnets in each Availability Zone
• High availability provided within the data center, with site resilience between data centers
• Supports multiple copies of each database
• Optimize around failure domains
Exchange 2013 reference architecture
[Diagram: two Availability Zones. Public (DMZ) subnets 10.0.1.0/24 and 10.0.10.0/24 hold NAT and RDG; private subnets 10.0.2.0/24 and 10.0.20.0/24 hold a domain controller (DC1/DC2) and a mailbox server (Exch1/Exch2). Users enter through the public subnets.]
Adding the Edge Transport server
[Diagram: Availability Zone 1/AD site 1 (subnets 10.0.0.0/24 and 10.0.2.0/24) with DC1, EXCH1 (Exchange 2013 CAS+MBX) and EDGE1 (Exchange 2013 Edge Transport); Availability Zone 2/AD site 2 (subnets 10.0.1.0/24 and 10.0.3.0/24) with DC2, EXCH2 and EDGE2. The Edge Transport servers exchange mail with a remote mail server.]
Lync 2013 reference architecture
• Critical workloads are placed in two Availability Zones
– AD domain controllers, Lync Front End Server, RD gateways, Mediation Server, NAT gateways
– Lync Edge Server (if needed) placed in DMZ subnets
• Internal Lync servers and supporting servers (OWA, PC, Mediation, etc.) are placed in private subnets
• RD gateways are deployed to public subnets in each Availability Zone
• Paired Lync Server 2013 pools in each Availability Zone support DR and pool failover
Lync SE 2013 reference architecture
[Diagram: two Availability Zones. Public (DMZ) subnets 10.0.1.0/24 and 10.0.10.0/24 hold NAT and RDG; private subnets 10.0.2.0/24 and 10.0.20.0/24 hold a domain controller (DC) and a Lync Front End (FE01/FE02). Users enter through the public subnets.]
Lync Server 2013 EE architecture
[Diagram: VPC 10.0.0.0/16 in AZ-1. A public/DMZ subnet 10.0.15.0/24 holds the Internet gateway, router, Elastic IPs and NAT/RDGW. A private subnet 10.0.14.0/24 is arranged in tiers: LoadSim tier (stress test servers); App tier (Front End pool, Mediation SRV1/SRV2, Persistent chat pool, OWA App SRV1/SRV2, Monitor); DB tier (DB1-FE and DB2-FE mirrored, DB1-PC and DB2-PC mirrored, Witness); AD tier (AD1, AD2, ADCS).]
49% lower latency with Direct Connect versus Internet (VA-OR)
88 ms round trip via Internet; 59 ms round trip via Direct Connect
East coast to West coast latency is well within the Lync latency envelope
Managing and monitoring your Windows instances and applications
Log types:
• Event logs
• IIS logs
• Event Tracing for Windows (ETW) logs
• Any performance counter data
• Any text-based log files
To learn more: http://amzn.to/1qVKKkI
• Recommended: run System Center Operations Manager with the management packs for AD, Exchange, SharePoint, SQL Server, and Lync
• Amazon CloudWatch Logs enables monitoring instance activity in near real time, with custom alarms on events
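The slide lists the Windows event log as a source and CloudWatch alarms as the response, without showing the link between them. The following is an added example, not code from the deck or from the CloudWatch Logs agent configuration the linked page describes, that closes that loop on an RD Gateway: it counts failed logons (Security event 4625) per source address, publishes the total as a CloudWatch custom metric and creates an alarm on it. The metric namespace and name, the alarm name, the threshold and the SNS topic ARN are assumptions; the instance needs a role allowing cloudwatch:PutMetricData and cloudwatch:PutMetricAlarm.

```powershell
# Added example (not from the original deck): turn failed logons on the RD Gateway
# into a CloudWatch custom metric with an alarm, so brute-force attempts against
# the one Internet-facing Windows host page someone.
# Assumptions: namespace 'RDGateway', metric 'FailedLogons', a 20-per-5-minutes
# threshold and the SNS topic ARN are illustrative; run on the gateway itself.
Import-Module AWSPowerShell   # or AWS.Tools.CloudWatch

function Get-FailedLogonSummary {
    param([int]$Minutes = 5)
    # Event 4625 = an account failed to log on. In the 4625 event schema, property 5
    # is TargetUserName and property 19 is the source IpAddress.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        [pscustomobject]@{
            User     = $_.Properties[5].Value
            SourceIp = $_.Properties[19].Value
        }
    } | Group-Object SourceIp | Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count
}

$summary = Get-FailedLogonSummary -Minutes 5
$summary | Format-Table -AutoSize          # per-source view for the responder
$total = ($summary | Measure-Object Count -Sum).Sum
if (-not $total) { $total = 0 }            # publish zeros too, or the alarm goes INSUFFICIENT_DATA

# Instance ID from IMDS, using the IMDSv2 token flow so this works on hardened instances.
$imds  = 'http://169.254.169.254/latest'
$token = Invoke-RestMethod -Method Put -Uri "$imds/api/token" -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
$instanceId = Invoke-RestMethod -Uri "$imds/meta-data/instance-id" -Headers @{ 'X-aws-ec2-metadata-token' = $token }

# Publish the 5-minute total as a custom metric, dimensioned by instance.
$dim = New-Object Amazon.CloudWatch.Model.Dimension
$dim.Name  = 'InstanceId'
$dim.Value = $instanceId
$datum = New-Object Amazon.CloudWatch.Model.MetricDatum
$datum.MetricName = 'FailedLogons'
$datum.Value      = $total
$datum.Unit       = 'Count'
$datum.Timestamp  = (Get-Date).ToUniversalTime()
$datum.Dimensions.Add($dim)
Write-CWMetricData -Namespace 'RDGateway' -MetricData $datum

# Alarm: more than 20 failures in any 5-minute window on this gateway. Idempotent,
# so it is safe to leave in the same scheduled task as the metric push.
Write-CWMetricAlarm -AlarmName "rdgw-failed-logons-$instanceId" -Namespace 'RDGateway' `
    -MetricName 'FailedLogons' -Dimension $dim -Statistic Sum -Period 300 `
    -EvaluationPeriods 1 -Threshold 20 -ComparisonOperator GreaterThanThreshold `
    -AlarmAction 'arn:aws:sns:us-east-1:123456789012:security-alerts'   # assumption: your SNS topic
```

Schedule the script every five minutes with a task running as a low-privilege account that holds only the Event Log Readers membership; the metric path is deliberately separate from the log shipping path (the CloudWatch Logs agent on the linked page), so the raw 4625 events still reach the log group for investigation while the alarm fires on the count alone.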
Quick Start reference deployments
• Active Directory Domain Services
• Remote Desktop Gateway on AWS
• SharePoint 2013
• Exchange Server 2013
• Lync Server 2013
• SQL Server 2014 AlwaysOn
• PowerShell Desired State Configuration (DSC)
aws.amazon.com/quickstart
Thank you.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices