ENT308 Best Practices for Microsoft Architectures on AWS
TRANSCRIPT
![Page 1: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/1.jpg)
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Zlatan Dzinic – Senior Architect
Lou De La Torre – Solutions Architect
April 19, 2017
Best Practices for Microsoft Architectures on AWS
![Page 2: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/2.jpg)
What to Expect from the Session
• Microsoft architectures on AWS and how to build them
• Active Directory
• SQL Server
• Corp Apps
• Developers
• Systems management
![Page 3: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/3.jpg)
Architecture
![Page 4: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/4.jpg)
[Diagram: Sample Microsoft Architecture. Two Availability Zones, each with a public subnet (RDGW, VPC NAT gateway) and a private subnet (IIS Web, IIS App, AWS Directory Service, MS SQL in an Always On Availability Group, under Auto Scaling). Remote users and the corporate office reach the VPC over VPN / AWS Direct Connect through a virtual private gateway; an internet gateway and a VPC endpoint to Amazon S3 complete the picture.]
![Page 5: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/5.jpg)
Secure remote administration architecture
[Diagram: one Availability Zone with two security groups. The gateway security group, in the public subnet, holds the RDGW instance and accepts TCP port 443 only from the AWS administrator's IP in the corporate data center. The web security group, in the private subnet (WEB1, WEB2), accepts traffic only from the gateway security group.]
Requires one connection:
• Connect to the RD Gateway, and the gateway proxies the RDP or PowerShell connection to the backend instance.
![Page 6: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/6.jpg)
Alternative solution using Systems Manager
[Diagram: one Availability Zone; the web security group in the private subnet (WEB1, WEB2) accepts traffic only from SSM. The AWS administrator in the corporate data center works through EC2 Systems Manager, which is governed by an IAM policy and backed by an S3 bucket, an SNS topic and a CloudWatch metric.]
![Page 7: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/7.jpg)
Shared Service VPC
Best suited for:
• The majority of your infrastructure is (or will be) on AWS
• The required on-premises resources are easy to replicate or proxy (e.g., Active Directory, System Center, central SQL farm)
• You prefer to limit VPN traffic
• Strong security or compliance programs require additional application-level controls and proxy servers between their AWS and on-premises resources (e.g., application-layer firewalls)
![Page 8: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/8.jpg)
Active Directory
![Page 9: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/9.jpg)
Common Approaches
Active Directory
• AWS Directory Services
Federation
• Federation to AWS services
• Federation to Microsoft workloads
• Claims-based access control
• SSO
• ADFS 4.0, Ping Federate, Okta
Kerberos
![Page 10: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/10.jpg)
Single domain extended to multiple sites
[Diagram: the single domain company.local spans the corporate network (DC1 in Munich, DC2 in Berlin) and AWS, with DC3 in the Availability Zone A private subnet and DC4 in the Availability Zone B private subnet; the site links carry Active Directory site link costs of 10 and 50, over VPN / AWS Direct Connect.]
One single identity, data center extension mode (rely on Active Directory sites, read-only or not)
![Page 11: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/11.jpg)
One subdomain per site
[Diagram: the corporate network (DC1 in Munich, DC2 in Berlin) holds company.local; AWS holds the child domain cloud.company.local, with DC3 in the Availability Zone A private subnet and DC4 in the Availability Zone B private subnet, connected over VPN / AWS Direct Connect.]
Isolated subset of the directory, single identity for users (Active Directory domains in a single forest)
![Page 12: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/12.jpg)
One forest per site and trust
[Diagram: the corporate network (DC1 in Munich, DC2 in Berlin) holds the company.local forest; AWS holds a separate company.cloud forest provided by AWS Directory Service, with DC3 in the Availability Zone A private subnet and DC4 in the Availability Zone B private subnet, connected over VPN / AWS Direct Connect.]
Separate directories, single identity (cross-forest/resource forest with trust)
![Page 13: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/13.jpg)
User identity federation with AWS IAM
[Diagram: AD users of enterprise applications and corporate systems are mapped through IAM to IAM roles, which grant access to EC2, Amazon DynamoDB and S3.]
![Page 14: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/14.jpg)
Active Directory Deployments - Isolated domains
[Diagram: company.local on the corporate network (DC1 in Munich, DC2 in Berlin) and company.cloud on AWS (AWS Directory Service; DC3 in the Availability Zone A private subnet, DC4 in the Availability Zone B private subnet) are linked by federation/synchronization over VPN / AWS Direct Connect.]
Separate identities with synchronization/federation solutions such as AD FS, Okta, PingFederate
![Page 15: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/15.jpg)
AD FS Scenarios
Fully implemented AD FS
• Core authentication services exposed to the Internet by AD FS proxy
Firewall-published AD FS
• Firewall exposes core authentication services to the Internet by reverse proxy
Non-published AD FS
• Server farm isn't exposed to the Internet by any method.
VPN-published AD FS
• Internet clients connect to and use AD FS services only through a virtual private network (VPN) connection to the on-premises network environment.
![Page 16: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/16.jpg)
Active Directory Federation Services
[Diagram: the isolated-domain layout (company.local on the corporate network with DC1 in Munich and DC2 in Berlin; company.cloud on AWS Directory Service with DC3 and DC4 in the private subnets of Availability Zones A and B; federation/synchronization over VPN / AWS Direct Connect) extended with an ADFS server in each Availability Zone's private subnet and a Web Application Proxy in each Availability Zone's public subnet.]
![Page 17: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/17.jpg)
SQL Server
![Page 18: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/18.jpg)
SQL Server on Amazon EC2
Licensing Options
• Purchase an Amazon Machine Image (AMI) that includes Windows and SQL Server
• Purchase a Windows AMI and install SQL Server yourself (BYOL)
Windows or Mixed Authentication
You manage the virtual machine security, storage, network ports, etc.
Full SQL Server sysadmin privileges
![Page 19: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/19.jpg)
SQL Server HA/DR on EC2
• Windows clusters can span Availability Zones or regions*
• Mirroring
• AlwaysOn Availability Groups
• Transaction Log Shipping
• Failover Cluster Instance*
* Some configurations require third-party tools.
![Page 20: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/20.jpg)
Multi-AZ AlwaysOn Availability Group
[Diagram: within one AWS Region, an EC2 primary replica in the Availability Zone 1 private subnet and an EC2 secondary replica in the Availability Zone 2 private subnet, synchronous commit with automatic failover.]
![Page 21: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/21.jpg)
Multi-Region AlwaysOn Availability Group
[Diagram: AWS Region A holds the EC2 primary replica in the Availability Zone 1 private subnet (primary 10.0.2.100, WSFC 10.0.2.101, AG listener 10.0.2.102) and an EC2 secondary replica in the Availability Zone 2 private subnet (10.0.3.100, WSFC 10.0.3.101, AG listener 10.0.3.102), synchronous commit with automatic failover. AWS Region B holds a further EC2 secondary replica in its Availability Zone 1 private subnet (10.1.2.100, WSFC 10.1.2.101, AG listener 10.1.2.102), asynchronous commit with manual failover; the two regions are joined by a VPN between Elastic IPs.]
![Page 22: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/22.jpg)
Failover Cluster Instance
[Diagram: within one AWS Region, an EC2 primary node in the Availability Zone 1 private subnet and an EC2 secondary node in the Availability Zone 2 private subnet, each on its own Amazon EBS volumes, kept in step by data replication (SoftNAS / SIOS).]
![Page 23: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/23.jpg)
What is Amazon RDS?
Managed database service
• Automatic patching, backups, mirroring, etc.
• Automatic Host Replacement protects you in the event of a hardware failure.
6 database engines to choose from: Amazon Aurora, Oracle, PostgreSQL, MySQL, MariaDB, and SQL Server
License-included and BYOL options available
![Page 24: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/24.jpg)
SQL Server on Amazon RDS
• Windows or Mixed Authentication
• Optional managed Multi-AZ deployment for high availability
• Transparent Data Encryption for encryption at rest and the use of SSL to secure data in transit
• Native backup and restore for Microsoft SQL Server databases using full backup files (.bak files)
• Most tools or drivers (OLE DB, ODBC, or ADO.NET) that connect to SQL Server can connect to an RDS instance.
![Page 25: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/25.jpg)
Multi-AZ SQL Server on Amazon RDS
[Diagram: within one AWS Region, an Amazon RDS primary in the Availability Zone 1 private subnet and an Amazon RDS secondary in the Availability Zone 2 private subnet, synchronous commit with automatic failover, run as a managed service.]
![Page 26: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/26.jpg)
SQL Server EC2 vs. RDS: Which should I use?
Both options offer license-included and BYOL licensing.
EC2
• Full control over the instance
• Self-managed AlwaysOn Availability Groups
RDS
• Automated backups
• AWS-managed Multi-AZ deployment
![Page 27: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/27.jpg)
What about the rest of SQL Server?
• Integration Services (SSIS)
• Reporting Services (SSRS)
• Analysis Services (SSAS)
• SQL Agent
• Service Broker
• Data Quality Service
• Master Data Service
![Page 28: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/28.jpg)
Corporate Apps SharePoint Example
![Page 29: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/29.jpg)
Architecture: Multi-AZ SharePoint
Each AWS Region contains multiple Availability Zones. Availability Zones contain a data center (or multiple data centers) with low-latency links to other zones in the region. Achieve high availability by deploying your application across multiple zones; this easily achieves transparent data center redundancy.
[Diagram: AWS Multi-AZ design pattern. A web server and a DB server in Availability Zone #1 and a web server and a DB server in Availability Zone #2 form a single application boundary spanning AZs, with synchronous replication / automatic failover over the low-latency link.]
![Page 30: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/30.jpg)
Architecture: SharePoint 2016
HA SharePoint 2016 MinRole Farm
Supports no-downtime patching
Add Office Online Server and Workflow Manager
[Diagram: MinRole SharePoint farm across Availability Zone #1 and Availability Zone #2 behind AWS ELB. Each zone has a public tier subnet (VPC NAT Gateway, Windows Server RD Gateway), a web tier subnet (SharePoint Front-end, SharePoint Distributed Cache), an app tier subnet (SharePoint Application, SharePoint Search, Office Online Server, Workflow Manager), a data tier subnet (SQL Server in a synchronous Always On Availability Group) and a directory tier subnet (Domain Controller).]
![Page 31: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/31.jpg)
Architecture: All Farms Welcome
From single server farms… to multiple farm / multiple region DR architectures
AWS supports all SharePoint setups
[Diagram: Multi-Region HA + DR, spanning AZ 1 and AZ 2 in Region 1 and AZ 1 in Region 2.]
![Page 32: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/32.jpg)
Developers
![Page 33: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/33.jpg)
AWS SDK and Tools for .NET Architecture
[Diagram of layers: execution platforms (.NET 3.5, .NET 4.5, Phone, Store, ASP.NET 5); AWS SDK low-level service APIs (service clients) over the AWS endpoints (REST API); higher-level utility APIs (Amazon S3 Transfer Utility, Amazon DynamoDB object persistence, VM Import, Resource API, ASP.NET session provider, trace listener, …); AWS tools (AWS Tools for Windows PowerShell, AWS Toolkit for Visual Studio).]
![Page 34: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/34.jpg)
AWS Toolkit for Visual Studio
Full integration in Visual Studio
[Diagram: AWS Toolkit for Visual Studio layered on the .NET SDK.]
![Page 35: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/35.jpg)
AWS also provides extended support
AWS Elastic Beanstalk
• Deploy from within Visual Studio; automatic log rotation to Amazon S3
AWS CodeCommit/CodePipeline/CodeDeploy
• Manage a large fleet (on-premises and cloud-based)
.NET SDK and PowerShell cmdlets
• Integration in custom build pipelines in TFS or CruiseControl.NET
AWS native integrations
• Jenkins and Bamboo have native integration to AWS
• Other IDEs support AWS (Unity, Xamarin Studio, Eclipse…)
![Page 36: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/36.jpg)
Build Serverless Applications with C#
• .NET Core 1.0: www.microsoft.com/net/download/core
• Visual Studio 2015 Update 3
• Visual Studio 2015 Tools (Preview 2)
• Target Framework: netcoreapp1.0
• Package with the .NET Core CLI: “dotnet publish”
• Upload as a zip file
![Page 37: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/37.jpg)
CloudFormation
Basic standard in AWS for automating deployment of resources
CloudFormation template
• JSON-formatted document that describes a configuration to be deployed in an AWS account
• When deployed, refers to a “stack” of resources
• Bootstrapping AWS CloudFormation Windows Stacks, http://tinyurl.com/aws-win-boot
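As an added example (not from this deck or any AWS project), the secure remote administration pattern from the RD Gateway slide written as the kind of JSON CloudFormation template described here, built in Python so the security-group rules can be audited before the stack is created. The VPC id, the admin CIDR, the logical resource names and the choice of WinRM ports alongside RDP are assumptions.

```python
# Placeholders (not from the deck): the admin's source IP and the VPC id.
ADMIN_CIDR = "203.0.113.10/32"   # constructed example address (TEST-NET-3)
MGMT_PORTS = {3389, 5985, 5986}  # RDP, WinRM HTTP, WinRM HTTPS (assumed set)


def rdgw_template(vpc_id, admin_cidr=ADMIN_CIDR):
    """CloudFormation template (as a dict; json.dumps it to deploy) for the
    RD Gateway pattern: the gateway SG accepts TCP 443 from the admin IP only,
    and the web SG accepts RDP/WinRM only from members of the gateway SG."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "GatewaySecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "RD Gateway: HTTPS from admin IP",
                    "VpcId": vpc_id,
                    "SecurityGroupIngress": [
                        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                         "CidrIp": admin_cidr},
                    ],
                },
            },
            "WebSecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "Web tier: management via RD Gateway only",
                    "VpcId": vpc_id,
                    "SecurityGroupIngress": [
                        {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                         "SourceSecurityGroupId": {"Ref": "GatewaySecurityGroup"}}
                        for port in sorted(MGMT_PORTS)
                    ],
                },
            },
        },
    }


def exposed_management_ports(template):
    """Pre-deployment check: list (logical id, port) for every management port
    that a security group in the template opens to a CIDR instead of to another
    security group. Under the RD Gateway pattern this list must be empty."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if "CidrIp" not in rule and "CidrIpv6" not in rule:
                continue  # source is a security group: traffic stays in the VPC
            if rule.get("IpProtocol") == "-1":      # "all traffic" has no ports
                lo, hi = 0, 65535
            else:
                lo, hi = int(rule["FromPort"]), int(rule["ToPort"])
            findings.extend((name, p) for p in sorted(MGMT_PORTS) if lo <= p <= hi)
    return findings
```

The check deliberately treats an "all traffic" rule (IpProtocol -1) as covering every port, since that is the rule most often added in a hurry and later forgotten.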
![Page 38: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/38.jpg)
How CloudFormation Works
![Page 39: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/39.jpg)
Systems Management
![Page 40: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/40.jpg)
Amazon EC2 Systems Manager
A set of capabilities that enable automated configuration and ongoing management of systems at scale, across all your Windows and Linux workloads, running in Amazon EC2 or on-premises.
![Page 41: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/41.jpg)
Systems Manager Capabilities
Deploy, Configure, and Administer: Run Command, State Manager, Automation
Track and Update: Inventory, Patch Manager
Shared Capabilities: Maintenance Window, Parameter Store
![Page 42: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/42.jpg)
Auditability
Infrastructure
• AWS CloudTrail
• AWS Config (see whitepaper for license auditing)
• Amazon Inspector
Network
• VPC flow logs
• Elastic Load Balancing access logs
Application
• Amazon CloudWatch Logs can integrate: IIS logs, event logs, Event Tracing for Windows (ETW) logs, any performance counter data, Exchange, Lync and SharePoint logs, any text-based log files
Dedicated Hosts
• Visibility of sockets, cores, host ID
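An added example (constructed, not from the deck) of the kind of detection the VPC flow logs listed above support: checking the RD Gateway slide's rule that RDP/WinRM into the web tier arrives only through the gateway. The gateway IP, the web subnet prefix, the management port set and the sample records are assumptions.

```python
from collections import Counter

# Placeholders (not from the deck): the RD Gateway's private IP and the
# web tier's private subnet prefix in the remote-administration layout.
RDGW_IPS = {"10.0.1.10"}
WEB_TIER_PREFIX = "10.0.2."
MGMT_PORTS = {3389, 5985, 5986}  # RDP, WinRM HTTP, WinRM HTTPS (assumed set)

# Default VPC flow log record format (version 2): 14 space-separated fields.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_record(line):
    """Return the record as a dict, or None for NODATA/SKIPDATA lines,
    whose address, port and action fields are '-'."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[12] not in ("ACCEPT", "REJECT"):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["dstport"] = int(rec["dstport"])
    return rec


def audit_management_access(lines):
    """Two findings over flow log lines:
    violations: ACCEPTed management-port flows into the web tier whose source
                is not the RD Gateway (the security-group rule was bypassed);
    rejects:    REJECTed management-port attempts per source address (pressure
                the security group absorbed, worth alerting on if it spikes)."""
    violations, rejects = [], Counter()
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or rec["dstport"] not in MGMT_PORTS:
            continue
        if not rec["dstaddr"].startswith(WEB_TIER_PREFIX):
            continue
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
        elif rec["srcaddr"] not in RDGW_IPS:
            violations.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return violations, rejects


# Constructed sample records (TEST-NET addresses, fictitious account id).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.21 50123 3389 6 20 4000 1492600000 1492600060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.21 40000 3389 6 1 60 1492600001 1492600061 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.22 40001 3389 6 1 60 1492600002 1492600062 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.3.50 10.0.2.22 51000 5986 6 9 1200 1492600003 1492600063 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1492600004 1492600064 - NODATA
"""

if __name__ == "__main__":
    bad, scans = audit_management_access(SAMPLE_LOG.splitlines())
    print("bypassed gateway:", bad)
    print("rejected attempts:", dict(scans))
```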
![Page 43: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/43.jpg)
Monitoring
[Diagram: monitoring services: Amazon CloudWatch, AWS CloudTrail, AWS Config, AWS Trusted Advisor, Amazon VPC flow logs, AWS Lambda, Amazon Elasticsearch Service, Amazon QuickSight, Amazon EC2, Amazon Kinesis.]
![Page 44: ENT308 Best Practices for Microsoft Architectures on AWS](https://reader031.vdocuments.site/reader031/viewer/2022022412/58f9b39d1a28ab90538b45a3/html5/thumbnails/44.jpg)
Thank you!