Best Practices for Deploying Microsoft Workloads on AWS
0 likes172 views
This document provides best practices for deploying Microsoft workloads on AWS. It discusses identity management best practices including AWS IAM, server identity management, and federation. It also covers deploying SQL Server for high availability and disaster recovery. Additional sections discuss deploying Exchange, SharePoint, and other Microsoft server products on AWS, as well as developer best practices and DevOps automation. The document concludes with information on licensing options for Microsoft software on AWS.
Best Practices for Deploying Microsoft Workloads on AWS
- 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Zlatan Dzinic, Professional Services, AWS US Julien Lépine, Solutions Architect, AWS EMEA April 12th , 2016 Best Practices for Deploying Microsoft Workloads on AWS
- 3. Main Identity Topics • Infrastructure Identity Management • AWS Identity and Access Management • Server / Application Identity Management • AWS Directory Services (Samba or Active Directory) • Federation • AWS Security Token Service
- 4. AWS Identity and Access Management (IAM) Role Based Access Control Multi-Factor Authentication Integrated with all AWS Services IAM Roles
- 5. Isolated domains Availability Zone B Private subnet DC4 Corporate Network Munich DC1 Direct Connect Berlin DC2Availability Zone A Private subnet DC3 company.cloud company.local Federation / Synchronization Separate identities with synchronization / Federation à Use partners such as Okta, PingFederate AWS Directory Services company.cloud
- 6. Single domain extended to multiple sites Availability Zone B Private subnet DC4 Corporate Network Munich DC1 Direct Connect Berlin DC2 Cost 50 Availability Zone A Private subnet DC3 Cost 10 company.local company.local One single identity, data center extension mode (Rely on Active Directory Sites, Read-Only or not)
- 7. One sub domain per site Availability Zone B Private subnet DC4 Corporate Network Munich DC1 Direct Connect Berlin DC2 company.local Availability Zone A Private subnet DC3 cloud.company.local Isolated subset of the directory, single Identity for users (Active Directory Domains in a Single Forest)
- 8. One forest per site and trust Availability Zone B Private subnet DC4 Corporate Network Munich DC1 Direct Connect Berlin DC2Availability Zone A Private subnet DC3 company.local company.cloud Separate directories, single identity (Cross-Forest / Resource Forest with trust) AWS Directory Services company.cloud
- 9. User Identity Federation with Amazon IAM Active Directory AD Users Enterprise Applications Corporate Systems Amazon Identity & Access Management IAM Roles EC2 DynamoDB S3
- 10. Federated API and CLI access using ADFS • ADFS http://tinyurl.com/AWS-ADFS-SAML • CLI http://tinyurl.com/AWS-ADFS-CLI • AWS Tools for Windows PowerShell
- 11. SQL Server
- 12. SQL Server High Availability Availability Zone 1 Private Subnet Primary Replica Availability Zone 2 Private Subnet Secondary Replica Synchronous-commit Synchronous-commit Automatic Failover Primary: 10.0.2.100 WSFC: 10.0.2.101 AG Listener: 10.0.2.102 Primary: 10.0.3.100 WSFC: 10.0.3.101 AG Listener: 10.0.3.102 AG Listener: ag.awslabs.net
- 13. WSFC Quorum Availability Zone 1 Primary Replica Availability Zone 2 Secondary Replica Automatic Failover SoftNAS / SIOS
- 14. WSFC Quorum Availability Zone 1 Primary Replica Availability Zone 2 Secondary Replica Automatic Failover Witness Server Availability Zone 3
- 15. SQL Server HA with Readable Replica Availability Zone 1 Private Subnet Primary Replica Availability Zone 2 Private Subnet Secondary Replica 1 Synchronous-commit Synchronous-commit AG Listener: ag.awslabs.net Automatic Failover Asynchronous-commit Secondary Replica 2 (Readable) Reporting Application
- 16. SQL Server Disaster Recovery & Backup Availability Zone 1 Private Subnet Primary Replica Availability Zone 2 Secondary Replica 1 Private Subnet AG Listener: ag.awslabs.net Corporate Network VPN Automatic Failover Secondary Replica 2 (Readable) Reporting Application Backups Manual Failover
- 17. ■ AD Integrated ■ Automated failover ■ Automated patching ■ Automated backup ■ Point-in-time recovery Amazon RDS for SQL Server Amazon RDS
- 18. Server Products
- 20. Exchange
- 21. SharePoint
- 22. Availability Zone 1 private subnet NAT 10.0.32.0/20 10.0.2.0/24 DB1SP1FE1Exch1 SQL Server 10.0.0.100 10.0.0.101 10.0.0.102 SharePoint Server 10.0.0.140 Lync Server 10.0.0.160 Exchange Server 10.0.0.150 RDG Availability Zone 2 private subnet NAT 10.0.96.0/20 RDG Remote Users / Admins 10.0.0.0/19 On-premises datacenter VPN Direct Connect DC1 10.0.2.0/24 DB2SP2FE2Exch2 SQL Server 10.0.64.100 10.0.64.101 10.0.64.102 SharePoint Server 10.0.64.140 Lync Server 10.0.64.160 10.0.64.0/19 DC2 Active Directory 10.0.0.10 Active Directory 10.0.64.10 private subnet private subnet Exchange Server 10.0.64.150 VPC CIDR 10.0.0.0/16 All-in-one
- 23. Going beyond infrastructure SharePoint BLOB storage on S3 Export mails to Amazon S3 AWS Marketplace • On-Demand,License Included or BYOL SharePoint • http://tinyurl.com/AWS-SPS-MP Quick Starts • http://tinyurl.com/AWS-MS-QS
- 24. Developers
- 25. AWS SDK and Tools for .NET ArchitectureEXECUTION PLATFORM AWSSDK LOW- LEVEL SERVICE APIS AWS TOOLS HIGHER- LEVEL UTILITY APIS .NET 3.5 .NET 4.5 PHONE STORE SERVICE CLIENTS AMAZON S3 TRANSFERUTILITY AMAZON DYNAMODB OBJECT PERSISTANCE VM IMPORT RESOURCE API AWS TOOLS FOR WINDOWS POWERSHELL AWS TOOLKIT FOR VISUAL STUDIO ASP.NET SESSION PROVIDER TRACE LISTENER … AWS ENDPOINTS: REST API
- 26. AWS Toolkit for Visual Studio Full Integration in Visual Studio
- 27. Blob storage in Amazon S3 var bucketName = "<BucketName>"; var fileName = "<FileName>"; var s3Client = new Amazon.S3.AmazonS3Client(); // Write Data to Amazon S3 s3Client.PutObject(new Amazon.S3.Model.PutObjectRequest { BucketName = bucketName, Key = fileName, InputStream = fileStream }); // Read Data from Amazon S3 var s3Object = s3Client.GetObject(bucketName, fileName); Amazon S3
- 28. Loose Coupling Sets You Free var queueUrl = "https://sqs.<region>.amazonaws.com/<AcctNum>/<QueueName>"; var sqsClient = new Amazon.SQS.AmazonSQSClient(); // Send to Amazon SQS sqsClient.SendMessage(queueUrl, "My Message Data"); // Process Amazon SQS while(!exit) { var messages = sqsClient.ReceiveMessage(queueUrl); foreach(var message in messages.Messages) { // Process message then delete sqsClient.DeleteMessage(queueUrl, message.ReceiptHandle); } } Amazon SQS
- 29. AWS Also Provides Extended Support AWS Elastic Beanstalk • Deploy from within Visual Studio / Automatic Log Rotation to Amazon S3 AWS CodeCommit / CodePipeline / CodeDeploy • Manage a large (on-premises and cloud-based) fleet .NET SDK and PowerShell CmdLets • Integration in custom build pipelines in TFS or CruiseControl.NET AWS is the de-facto standard • Jenkins, Bamboo have native integration to AWS • Other IDE Support AWS (Unity, Xamarin Studio, Eclipse…)
- 30. DevOps
- 31. Secure remote administration architecture Availability Zone Gateway Security Group Web Security Group Private SubnetPublic Subnet Accept TCP Port 443 from Admin IP Accept traffic from Gateway SG AWS Administrator Corporate Data Center WEB2 TCP 443 WEB1 RDGW Requires one connection: • Connect to the RD Gateway, and the gateway proxies the RDP or PowerShell connection to the back- end instance.
- 32. One step further: Go DevOps • AWS Tools for Windows PowerShell • Leverage AWS Simple Systems Manager • Auto-Domain Join • No machine access • Full traceability • Fine-grained control • http://tinyurl.com/AWS-SSM-Home
- 33. Automated Log Management and Analysis Amazon CloudWatch Logs AWS Lambda Amazon Kinesis Amazon EC2
- 34. Automation for every use case IAAS* Amazon EC2 AWS CloudFormation AWS OpsWorks AWS Elastic BeanStalk AWS Lambda PAAS*DEVOPS DEVOPS AUTOMATION* Definition may vary
- 35. Licensing
- 36. License Mobility is a Microsoft Program that allows customers to move their existing license from on premises to the cloud • Leverage their Enterprise Agreement • Must have Software Assurance License Mobility through Software Assurance
- 37. Microsoft Workloads on AWS Pay-as-you-go – AMI pricing provides access to software • Windows Server • SQL Server Standard • SQL Server Web • SQL Server Enterprise Leverage Microsoft’s License Mobility Program (BYOL) • SQL Server • SharePoint Server • Exchange • Lync • RDS • Dynamics Leveraged Dedicated Host • Windows Server • SQL Server - no SA • SharePoint – no SA • Exchange – no SA • Lync – no SA • Dynamics – No SA
- 38. Licensing Continuum License Included • Amazon manages the licenses • Pay-as-you-go pricing • Multi-tenant or dedicated • No license management overhead Hybrid • Baseline in BYOL • Leverage scalability and pay-as-you-go where applicable • Limit management overhead BYOL • Import and use your own software • Reduce your spend if you already pay an ISV for licensing • You manage licensing costs and compliance with your ISV • Committed contracts with your ISVs
- 39. MSDN
- 40. Supportability on AWS Microsoft workloads are supported on AWS. Amazon Web Services fully supports Microsoft Windows Server as both infrastructure and a platform. Our customers have successfully deployed in the AWS cloud virtually every Microsoft application available, including Microsoft Exchange,SharePoint,Lync, Dynamics,and Remote Desktop Services. If you have support related issues you should contactAWS Support.
- 41. Every immaginable use case Collaboration Full/Partial Franchise Migration Web / Mobile / Media Mail ERP VDI BI
- 42. We are here to help
- 43. AWS Resources Solution Architects Professional Services Premium Support AWS Partner Network (APN)
- 44. AWS Training and Certification Certification aws.amazon.com/certification Demonstrate your skills, knowledge, and expertise with the AWS platform Self-Paced Labs aws.amazon.com/training/ self-paced-labs Try products, gain new skills, and get hands-on practice working with AWS technologies aws.amazon.com/training Training Skill up and gain confidence to design, develop, deploy and manage your applications on AWS