aws re:invent 2016: design, deploy, and optimize microsoft sharepoint on aws (win304)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Design, Deploy, and Optimize Microsoft SharePoint on AWS

Lou De La Torre, Solutions Architect

Zlatan Dzinic, Senior Consultant

November 30, 2016

WIN304

What We’ll Cover: Everything SharePoint on AWS

The Fundamentals

Architectural Scenarios

Best Practices

> EC2 Networking

Active Directory

Remote Access

Purchasing Options

The Fundamentals


Best Practices

>

Marketplace Builds

Hybrid: AWS as a DR Site

Multi-AZ SharePoint

SharePoint 2016

Quick Start

The Fundamentals


Best Practices >

Amazon EC2 Best Practices

SQL Best Practices

Migration Best Practices

Going Beyond IaaS

Fundamentals: Single VPC Patterns

Public and Privately Routed VPCThis design pattern is used for workloads that need to accommodate a combination of public and private routing needs, such as all-in Internet-facing, multi-tier web applications supported by databases or other privately routed backend systems.

Internal-Only VPCThis design pattern is used to create a network environment that is only accessible from an existing, internal network, such as internally facing or back-office systems.

On-Premises and Internet-Accessible VPCThis design pattern is used to create a network environment that has the ability to communicate with both on-premises (privately routed) and external (publicly routed) resources

Internet-Accessible VPCThis design pattern is primarily used for test, R&D, sales demo, production, and other environments that require a network environment that is completely isolated from a customer’s internal network.

For more info on configuring VPCs, see AWS Answers for Networking.

https://aws.amazon.com/answers/networking/

Internet GatewayHighly available VPC component that allows communication between instances in your VPC and the Interneta

NAT GatewayEnable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instancesa

Virtual Private Network (VPN)a

Virtual Private Gateway (VPG)a

AWS Direct Connecta

For more info on configuring external access, see Amazon VPC for On-Premises Network Engineers, Part One.

Fundamentals: External Connectivity

https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-one/

Fundamentals: Active Directory Patterns

Directory TrustsExtending On-Premises Directory Over Secure Connections to AWS Using Either Active Directory or AWS Directory Service for Microsoft AD.

Federated TrustsBuilding Federated Trusts From On-Premise to AWS Using Active Directory Federation Services or Other SAML Compliant Software and Services.

Availability Zone

On-Premises Data Center

VPN Direct Connect

DomainController

Domain Controlleron AmazonEC2

Either/Or

AWS Directory

Service


Internet

WAP / ADFS

Secure

Domain Controlleron AmazonEC2

DomainController

WAP/ADFSon Amazon EC2

See the Remote Desktop Gateway on the AWS Cloud: Quick Start for additional info

The Fundamentals: Remote Access

http://docs.aws.amazon.com/quickstart/latest/rd-gateway/welcome.html

The Fundamentals: Purchasing Options

For more info on licensing Windows on AWS, see Microsoft Licensing on AWS.

Options for using Microsoft software licenses on the AWS Cloud

Buy LicensesFrom AWS

Bring LicensesTo AWS

2,300+ products available for 1-click deployment across 35 distinct product categories, including several SharePoint 2013 & 2016 builds ranging from single-server to multiple-server builds.

If you’ve already purchased Microsoft software, bring your own licenses (BYOL) to the AWS Cloud and extend the lifecycle of your software without additional hardware costs.

Using license-included instances allows you access to fully compliant Microsoft software licenses bundled with Amazon EC2 and ability to pay for them as you go with no upfront costs or long-term investments.

https://aws.amazon.com/windows/resources/licensing/


The Fundamentals


Best Practices

>

Marketplace Builds

Hybrid: AWS As a DR Site

Multi-AZ SharePoint

SharePoint 2016

Quick Start

Browse, Test, and Buy Enterprise Softwarea

Simplified Procurement Processa

Consume as Needed Without Overprovisioning

Architecture: Marketplace

One AWS Billa

Consume Hourly, Monthly, Annuallya

Customers run over 143M hours of software per month


SharePoint Enterprise 2016 for AWS "All In One" for SME or Line of Business implementation. Best for Test or Development teams working on short-term development projects, to share and collaborate on new ideas and engage in social conversations.

SharePoint Enterprise 2016 All In One

Availability Zone

Subnet

Windows Server 2012R2

Active Directory Domain Services

SQL Server 2014 Enterprise

SharePoint Server 2016

Internet Gateway


Availability Zone

Subnet


Active Directory Domain Services

Internet Gateway

Subnet


SQL Server 2014 Enterprise

Subnet


SharePoint Server 2016

SharePoint Enterprise 2016 Business

SharePoint Enterprise 2016 is well suited for enterprises looking for a collaboration tool in multiple geo-locations, including support for external users.

Architecture: AWS As a DR Site

Higher RTO Lower RTO

Backup & Restore Pilot Light

Spectrum of Disaster Recovery Options

Back up to S3 with AWS Storage Gatewaya

Replace On-Premises Tape Systema

Leverage Amazon Glacier for Data Archiving

SQL Server Log Shipping over VPN or Direct Connecta

EC2 Instances in Stopped State a

Cool DR Site with Lower Costs

Warm Site

SQL Server Asynchronous Always-On Availability Group over Direct Connecta

EC2 Instances in Running State a


Minimal Amount of Running Infrastructure on AWS Keeps Costs Low

Backup & Restore

Typically Longer RTO

For more info on configuring backup and recovery, see Enterprise Backup and Recovery On-Premises to AWS.

For more info on configuring AWS Storage Gateway, see AWS Storage Gateway Documentation.

Availability Zone

Direct Connect, VPN or HTTPS


HTTPSAWS Storage Gateway VM

Storage: Direct Attached or SAN

APP Server

WFE Server SharePoint EC2 Instances in Stopped State

SQL Server EC2 Instance in Stopped State

AWS DR SharePoint Farm

APP Server

WFE Server

On-PremisesSharePoint Farm

App Server

Backup ServerSupporting iSCSI, CIFS, SMB

SQLServer

SQL Server

EBS Volume

Storage Gateway Service

S3 Bucket

WFE Server

WFE Server

https://d0.awsstatic.com/whitepapers/best-practices-for-backup-and-recovery-on-prem-to-aws.pdf

http://docs.aws.amazon.com/storagegateway/latest/userguide/WhatIsStorageGateway.html


Small Amount of Running EC2 Infrastructure on AWS

Pilot Light

SQL Log Shipping Increases Automation of Database Layer Backup and Restore Operations

For more info on configuring log shipping between on premises and AWS, see Deploying Microsoft SQL Server on Amazon Web Services.

For more info on configuring a pilot light DR environment on AWS, see Using Amazon Web Services for Disaster Recovery.

Availability Zone

TransactionLog Shipping

Direct Connect or

VPN

TransactionLog Replay

APP ServerAPP Server

WFE ServerWFE Server SharePoint EC2 Instances in a stopped state


SQL Server



WFE Server

WFE Server

App Server

App Server

SQL Server

https://d0.awsstatic.com/whitepapers/RDS/Deploying_SQLServer_on_AWS.pdf

http://d36cz9buwru1tt.cloudfront.net/AWS_Disaster_Recovery.pdf


Lower RTOs Require More Running EC2 Infrastructure on AWS

AlwaysOn Availability Group(s) Further Increase Automation of Database Synchronization/Restore

Warm Site

For more info on configuring always-on availability groups between on premises and AWS, see Deploying Microsoft SQL Server on Amazon Web Services.

Availability Zone

APP ServerAPP Server

WFE ServerWFE Server SharePoint EC2 Instances in a running state


SQLServer



WFE Server

WFE Server

App Server

App Server

SQL Server

SQL Server

Asynchronous Commit

SQL Server Always On Availability Group

Sync

Direct Connect or

VPN

https://d0.awsstatic.com/whitepapers/RDS/Deploying_SQLServer_on_AWS.pdf

Architecture: Multi-AZ SharePoint

Single Production Farm

Database Backups Shipped Offsite and/or Replicated to Alternate Data Center

Typical SharePoint DR Plan Involves a Full Farm Rebuild Followed by a Restore of Content Database Backups

Typical On-Premises SharePoint Setup

Data Center #1

Storage Volumes or Database Backups Synchronized/Replicated to Alternate Datacenter

Production SharePoint Farm

Data Center #2

Database Backups Located on Tape Media Transported to Offsite Facility


AWS Multi-AZ Design Pattern

AWS is built around Regions and Availability Zones (AZs)

Region is a physical location in the world where we have multiple Availability Zones

Availability Zones consist of one or more discrete fault tolerant data centers, each with redundant power, networking and connectivity

Availability Zones are connected to each other with private fiber-optic low-latency links

You can achieve High Availability by deploying your application that spans across multiple Availability Zones

Data Center Redundancy Achieved with Little or No Effort!

Availability Zone #1

Web Server

DB Server

Web Server

DB Server

Single Application Boundary Spanning Multiple AZs

Synchronous Replication / Automatic Failover

Availability Zone #2Low Latency


VPC, Two AZs, Single Public and Multiple Private Subnetsa

Include Remote Access, NAT Gateways and Active Directorya

Stretched SharePoint Farm Spanning Multiple AZs Providing Data Center Redundancy a

Multi-AZ Reduces Risk Profile and Simplifies DR Planning

AWS Multi-AZ SharePoint 2013


Web Tier (Subnet) App Tier (Subnet) Directory Tier (Subnet)

Web Tier (Subnet) App Tier (Subnet) Data Tier (Subnet) Directory Tier (Subnet)


VPC NAT Gateway

Public Tier (Subnet) Data Tier (Subnet)

Windows Server RD Gateway

VPC NAT Gateway

Public Tier (Subnet)


DomainController

DomainController


Directory Tier (Subnet)



AWS ELB

VPC NAT Gateway



VPC NAT Gateway



SQL Server

SQL Server

S SharePointWFE S SharePoint

APP

Web Tier (Subnet) App Tier (Subnet)

DomainController

DomainControllerS SharePoint

APPS SharePointWFE

Always OnAvailability Group

(Synchronous)

Fully Supported to Run a SharePoint DR Farm/Two-Region DR Pattern on AWS for SharePoint

AWS Supports Traditional Two-Data Center Patterns

Architecture:Multi-AZ SharePoint



Web Tier (Subnet) App Tier (Subnet) Directory Tier (Subnet)


AWS ELB

VPC NAT Gateway


VPC NAT Gateway



SQL Server DomainController

DomainController

Region US East

Region US West



VPC NAT Gateway



DomainController

Always OnAvailability Group (Asynchronous)

SQL Server

Data Tier (Subnet)

VPN

DR Farm

S SharePointAPPS SharePoint

WFE

Public Tier (Subnet) Web Tier (Subnet) App Tier (Subnet)


WFE


WFE

Data Tier (Subnet)

SQL Server


(Synchronous)

Production Farm


Architecture: SharePoint 2016

Minimum Size SharePoint 2016 MinRole Farma

Does Not Provide HA

MinRole SharePoint





AWS ELB

VPC NAT Gateway



VPC NAT Gateway



SQL Server

S SharePointFront-end S SharePoint

Search


DomainControllerS SharePoint

ApplicationS

SharePointDistributedCache


HA SharePoint 2016 MinRole Farma

Supports No Downtime Patching

MinRole SharePoint





AWS ELB

VPC NAT Gateway



VPC NAT Gateway



SQL Server

SQL Server


DomainController

DomainController

S SharePointApplication


(Synchronous)

S SharePointFront-end

SSharePointDistributedCache

S SharePointSearch




S SharePointSearch



HA SharePoint 2016 MinRole Farma

Supports No Downtime Patching

Add Office Online Server and Workflow Manager

MinRole SharePoint





AWS ELB

VPC NAT Gateway



VPC NAT Gateway



SQL Server

SQL Server


DomainController

DomainController



(Synchronous)



S SharePointSearch




S SharePointSearch


OfficeOnline Server

OfficeOnline Server

Workflow Manager

Workflow Manager

Workflow Manager


MinRole Enhancementsa

Supports Shared Rolesa

Minimum Number of Farm Servers for HA = 4

SharePoint 2016 Feature Pack1





AWS ELB

VPC NAT Gateway



VPC NAT Gateway



SQL Server

SQL Server


DomainController

DomainController


(Synchronous)

S

SharePointFront-end with Distributed Cache

SSharePointApplication with Search

S

SharePointFront-end with Distributed Cache

SSharePointApplication with Search

Architecture: SharePoint Quick Start

AWS CloudFormation Automated Build

Extensible JSON AWS CloudFormation

Templates Available on GitHub

Creates “Stacks” of AWS Resources

Bring Your Own License for SharePoint

DevOps for SharePoint

Architecture: SharePoint Quick Start

1. Prepare an AWS Account.

2. Configure and Launch the Stack.

3. Configure Availability Group(s).

4. Done!

Deployment Steps

Template takes about 3 hours to complete

Default template will cost about $12 per hour


The Fundamentals


Best Practices >

EC2 Best Practices

SQL Best Practices

Migration Best Practices

Going Beyond IaaS

Best Practices: EC2 Networking Security

Network ACLs

• Optional Layer of Security

• Subnet Level (Second Layer of Defense)

• ALLOW and DENY Rules

• Stateless (Return Traffic NotAutomatically Allowed)

• Rules Evaluated in Order

• Automatically Applies to All Instances in Subnet

Security Groups

• Instance Level (First Layer of Defense)

• Instances Can Associate to MultipleSecurity Groups

• ALLOW Rules Only

• Stateful (Return Traffic Automatically Allowed)

• Security Group Must be Specified for an Instance Group Availabilty Zone

Data Tier(10.0.32.0/20)

Web Tier(10.0.64.0/20)

Public Tier (10.0.96.0/20)

acl-2020 (SQL Traffic)

Directory Tier (10.0.0.0/19)

VPC (10.0.0.0/16)

acl-1010 (Domain Traffic)

ELB

acl-2222 (SQL Traffic) acl-1111 (Domain Traffic)

Inbound Rules:

Rule # Type Protocol Port Range Source Allow/Deny

100 DNS (TCP) (53) TCP (6) 53 10.0.32.0/20 ALLOW

300 LDAP (389) TCP (6) 389 10.0.32.0/20 ALLOW

Inbound Rules:

Rule # Type Protocol Port Range Source Allow/Deny

100 MS SQL (1433) TCP (1433) 1433 10.0.64.0/16 ALLOW

...



sg-3030, sg-4040

sg-3030, sg-4040

SQL Server

sg-2020

DomainController

sg-1010

Availabilty Zone

Data Tier(10.0.32.0/20)


Web Tier(10.0.64.0/20)

Public Tier (10.0.96.0/20)


sg-3030, sg-4040

sg-2020 (SQL Traffic)

Directory Tier (10.0.0.0/19)

VPC (10.0.0.0/16)

sg-3030, sg-4040

sg-1010 (Domain Traffic)sg-3030 (HTTP Traffic)

Inbound Rules:

Type Protocol Port Range Source

DNS (TCP) (53) TCP (6) 53 10.0.32.0/20

DNS (TCP) (53) TCP (6) 53 sg-2020

LDAP (389) TCP (6) 389 10.0.32.0/20

LDAP (389) TCP (6) 389 sg-2020

Inbound Rules:


MS SQL (1433) TCP (1433) 1433 10.0.64.0/16

MS SQL (1433) TCP (1433) 1433 sg-4040

Inbound Rules:


HTTP (80) TCP (6) 80 10.0.96.0/20

HTTP (443) TCP (6) 443 10.0.96.0/20

Inbound Rules:


Custom TCP TCP (6) 808 10.0.64.0/20

Custom TCP TCP (6) 32843 10.0.64.0/20

Custom TCP TCP (6) 32844 10.0.64.0/20

Custom TCP TCP (6) 22233-22236 10.0.64.0/20 ......

sg-4040 (SharePoint Traffic)

ELB

sg-5050

SQL Server

sg-2020

DomainController

sg-1010

sg-5050 (ELB Traffic)

Inbound Rules:


HTTP (80) TCP (6) 80 0.0.0.0/0

HTTP (443) TCP (6) 443 0.0.0.0/0

Select an AMI with Adequate CPU and Memory for Your Workload

Select an EBS-optimized AMI if Possible

Optimize TempDB Just Like On-Premises (Use Instance Storage if Possible or Fast EBS Otherwise)

Provision Enough IOPs for Your Workload

Best Practices: SQL Server

General Purpose SSD

Max Throughput per Volume: 160 MB/s

Max IOPS per Volume: 10,000

Volume Size: 1 GB to 16 TB

Burst: 3,000 IOPS (for volumes up to 1 TB)

Great for boot volumes, low-latency applications, and bursty databases

Max Throughput per Volume: 320 MB/s

Max IOPS per Volume: 20,000

Volume Size: 4 GB to 16 TB

Ideal for critical applications and databases with sustained IOPS

Provisioned IOPS SSD

Availability Zone 1

Private Subnet

Primary Replica

Availability Zone 2

Private Subnet

SecondaryReplica

Synchronous-commit Synchronous-commit

Automatic Failover

Primary: 10.0.2.100

WSFC: 10.0.2.101

AG Listener: 10.0.2.102

Primary: 10.0.3.100

WSFC: 10.0.3.101


AG Listener:ag.awslabs.net


Availability Zone 1

Private Subnet

EC2Primary Replica

Primary: 10.0.2.100

WSFC: 10.0.2.101


AWS Region A

Availability Zone 2

Private Subnet

EC2Secondary

Replica

Primary: 10.0.3.100

WSFC: 10.0.3.101


Availability Zone 1

Private Subnet

EC2Secondary

Replica

Primary: 10.1.2.100

WSFC: 10.1.2.101


Synchronous CommitAutomatic Failover

AWS Region B

Asynchronous CommitManual Failover

Elastic IP Elastic IP

VPN


1. Understand Your On-Premises SharePoint Environment (Customizations, Most Used Sites, etc.)

2. Devise Your Migration Strategy (URL Strategy, Timeline, User Communication Plan, etc.)

3. Prepare for What’s New in AWS (Security, IAM, Train Your Staff, etc.)

4. Embrace Automation (DevOPs, PowerShell for Windows, etc.)

5. Run Trial for Upgrades (Build, Trial, and Test Upgrade Runs, Establish UAT Group, Feedback Loops, etc.)

6. Plan for Rollback

Best Practices: Migration

Going Beyond IaaS

CloudWatch &

CloudWatch Logs

Monitor EC2 Metrics (CPU, Disk

Usage, etc.) and Other AWS

Resources (EBS Volumes, Elastic

Load Balancers, etc.)a

Enhanced Log Support for Windows

with EC2Config (IIS Logs, Perfmon

Logs, etc.)

a

Monitor Logs and Configure Alerts

a

Store Logs and Perform Analytics

Region US West

Availability Zone



CloudWatch /CloudWatch Logs

Email

Amazon

SMS

Workflow

CloudWatch

Alarms

Region US West

Availability Zone



CloudWatch /CloudWatch Logs

Amazon Kinesis

Amazon

S3

Amazon

Redshift

AWS

Lambda

Going Beyond IaaS

Thank you!

Remember to complete your evaluations!

Windows Track Sessions

WIN301: Bring Microsoft Applications to AWS to Save Money and Stay Licensing Compliant

Tues, Nov 29 3:30-4:30 PM Venetian H

WIN204: How to Move 1,000 VMs and Biz Critical Apps to AWS in 6 months. Edwards

Lifesciences

Tues, Nov 29 3:30-4:30 PM Venetian H

WIN303: How to Launch a 100k User Microsoft Back Office and Not Break a Sweat

Wed, Nov 30 5:30-6:30 PM Delfino 4004

WIN304: Design, Deploy & Optimize SharePoint on AWS

Wed Nov 30 12:30-1:30 PM Venetian, Level 3, San Polo 3403

WIN305: Best Practices for Integrating Active Directory with AWS Workloads

Wed, Nov 30 5:00-6:00 PM Venetian H

WIN306: Design, Deploy & Optimize SQL Server on AWS

Thurs, Dec 1 5:30-6:30 PM Venetian H

aws re:invent 2016: design, deploy, and optimize microsoft sharepoint on aws (win304)

Technology