© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Zlatan Dzinic, Professional Services, AWS US
Julien Lépine, Solutions Architect, AWS EMEA
April 12th, 2016
Best Practices for Deploying Microsoft Workloads on AWS
Main Identity Topics
• Infrastructure Identity Management: AWS Identity and Access Management
• Server / Application Identity Management: AWS Directory Services (Samba or Active Directory)
• Federation: AWS Security Token Service
AWS Identity and Access Management (IAM)
• Role Based Access Control
• Multi-Factor Authentication
• Integrated with all AWS Services
IAM Roles
Isolated domains
Diagram: Corporate Network (Munich DC1, Berlin DC2, domain company.local) connected over Direct Connect to AWS (Availability Zone A private subnet DC3, Availability Zone B private subnet DC4, domain company.cloud, labelled as hosted in AWS Directory Services). The two domains are linked only by federation / synchronization.
Separate identities with synchronization / federation → use partners such as Okta, PingFederate
Single domain extended to multiple sites
Diagram: Corporate Network (Munich DC1, Berlin DC2) and AWS (Availability Zone A private subnet DC3, Availability Zone B private subnet DC4) are all in one domain, company.local, connected over Direct Connect. Active Directory site link costs are labelled 50 (to the corporate sites) and 10 (between the Availability Zones), so replication and logon traffic prefers the in-AWS domain controllers.
One single identity, data center extension mode (rely on Active Directory Sites, with Read-Only domain controllers or not)
One sub domain per site
Diagram: Corporate Network (Munich DC1, Berlin DC2) holds company.local; AWS (Availability Zone A private subnet DC3, Availability Zone B private subnet DC4) holds the child domain cloud.company.local; connected over Direct Connect.
Isolated subset of the directory, single identity for users (Active Directory domains in a single forest)
One forest per site and trust
Diagram: Corporate Network (Munich DC1, Berlin DC2, forest company.local) and AWS (Availability Zone A private subnet DC3, Availability Zone B private subnet DC4, forest company.cloud, labelled as hosted in AWS Directory Services), connected over Direct Connect and joined by a forest trust.
Separate directories, single identity (cross-forest / resource forest with trust)
User Identity Federation with Amazon IAM
Diagram: Active Directory (AD Users) authenticates users to Enterprise Applications and Corporate Systems on premises; federation maps those same users to Amazon Identity & Access Management IAM Roles, which in turn grant access to EC2, DynamoDB and S3.
Federated API and CLI access using ADFS
• ADFS: http://tinyurl.com/AWS-ADFS-SAML
• CLI: http://tinyurl.com/AWS-ADFS-CLI
• AWS Tools for Windows PowerShell
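The AD FS flow the links above point to, end to end in the AWS Tools for Windows PowerShell, as an added example that is not code from the original deck. It assumes an AD FS farm at adfs.company.local already configured with AWS as a relying party, the placeholder account 123456789012, and the provider name (ADFS) and role name (ADFS-ReadOnly) chosen here.

```powershell
# Added example, not from the original deck. Placeholders: adfs.company.local,
# account 123456789012, SAML provider name ADFS, role name ADFS-ReadOnly.

### IAM side (run once, by an account administrator) ###

# 1. Register AD FS as a SAML identity provider from its published federation metadata.
#    The metadata carries the token-signing certificate AWS uses to verify assertions.
$metadataUrl = 'https://adfs.company.local/FederationMetadata/2007-06/FederationMetadata.xml'
$metadata    = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$providerArn = New-IAMSAMLProvider -Name 'ADFS' -SAMLMetadataDocument $metadata

# 2. A role that only this provider may assume, and only for the AWS sign-in audience.
$trustPolicy = @"
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "$providerArn" },
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": { "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" } }
  }]
}
"@
$role = New-IAMRole -RoleName 'ADFS-ReadOnly' -AssumeRolePolicyDocument $trustPolicy
Register-IAMRolePolicy -RoleName $role.RoleName -PolicyArn 'arn:aws:iam::aws:policy/ReadOnlyAccess'
# AD FS must emit the Role claim as "<role ARN>,<provider ARN>" for the AD groups that
# should map to this role; that claim rule is configured in AD FS, not here.

### Client side (each administrator's domain-joined workstation) ###

# 3. Store the AD FS IdP-initiated sign-on endpoint. NTLM/Kerberos reuses the logged-on
#    user's Windows credentials, so no long-lived AWS access key is ever written to disk.
$endpoint = 'https://adfs.company.local/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices'
Set-AWSSamlEndpoint -Endpoint $endpoint -StoreAs 'ADFS-company' -AuthenticationType NTLM

# 4. Authenticate once; every role the assertion entitles the user to becomes a profile
#    named after the role.
Set-AWSSamlRoleProfile -EndpointName 'ADFS-company' -StoreAllRoles

# 5. Use the role. The Tools call AssumeRoleWithSAML behind the scenes and re-authenticate
#    when the temporary credentials expire. Always confirm which identity you actually got.
Get-STSCallerIdentity -ProfileName 'ADFS-ReadOnly'
Get-S3Bucket -ProfileName 'ADFS-ReadOnly'
```

The SAML:aud condition in the trust policy is the check that matters: without it, any assertion the provider signs for any audience could be replayed against the role.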
SQL Server High Availability
Diagram: Availability Zone 1, private subnet, Primary Replica (node 10.0.2.100, WSFC 10.0.2.101, AG Listener 10.0.2.102); Availability Zone 2, private subnet, Secondary Replica (node 10.0.3.100, WSFC 10.0.3.101, AG Listener 10.0.3.102). Synchronous-commit between the replicas with automatic failover; AG Listener: ag.awslabs.net. Each subnet contributes its own cluster and listener address because a VPC subnet cannot span Availability Zones.
WSFC Quorum, option 1: Primary Replica (Availability Zone 1) and Secondary Replica (Availability Zone 2) with automatic failover; quorum storage provided by SoftNAS / SIOS.
WSFC Quorum, option 2: Primary Replica (Availability Zone 1), Secondary Replica (Availability Zone 2) and a Witness Server in Availability Zone 3; automatic failover.
SQL Server HA with Readable Replica
Diagram: Availability Zone 1, private subnet, Primary Replica; Availability Zone 2, private subnet, Secondary Replica 1 (synchronous-commit, automatic failover) and Secondary Replica 2 (asynchronous-commit, readable) serving a Reporting Application; AG Listener: ag.awslabs.net.
SQL Server Disaster Recovery & Backup
Diagram: Availability Zone 1, private subnet, Primary Replica; Availability Zone 2, private subnet, Secondary Replica 1 (automatic failover); AG Listener: ag.awslabs.net. A third replica, Secondary Replica 2 (readable), runs in the Corporate Network over VPN with manual failover, serving a Reporting Application and Backups.
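The three availability group layouts above (HA pair, readable replica, DR replica with manual failover) built with the SqlServer PowerShell module, as an added example that is not code from the original deck. The hostnames DB1/DB2/DB3 in the awslabs.net domain, the database AppDB, endpoint port 5022, the /24 masks and SQL Server version 12 (2014) are assumptions; the listener name and IPs are the ones on the slides.

```powershell
# Added example, not from the original deck. Assumptions: hosts DB1/DB2/DB3 (default
# instances) in awslabs.net, database AppDB, endpoint port 5022, /24 subnets, SQL 2014.
# Run on DB1 as a sysadmin on all three instances after WSFC is formed.
Import-Module SqlServer
$ag      = 'AG1'
$db      = 'AppDB'
$version = 12

# 1. One database-mirroring endpoint per instance. Require AES encryption so the log
#    stream crossing Availability Zones (and the VPN, for the DR replica) is never in clear.
foreach ($node in 'DB1', 'DB2', 'DB3') {
    $ep = New-SqlHadrEndpoint -Name 'AGEndpoint' -Port 5022 -Encryption Required -EncryptionAlgorithm Aes `
            -Path "SQLSERVER:\SQL\$node\DEFAULT"
    Set-SqlHadrEndpoint -InputObject $ep -State Started
}

# 2. Replica templates. DB1 and DB2: synchronous-commit, automatic failover (the HA pair).
#    DB3: asynchronous-commit, manual failover, read-intent connections only (the readable
#    replica; the DR replica in the corporate network is configured the same way).
$sync = foreach ($node in 'DB1', 'DB2') {
    New-SqlAvailabilityReplica -Name $node -EndpointUrl "TCP://$node.awslabs.net:5022" `
        -AvailabilityMode SynchronousCommit -FailoverMode Automatic -AsTemplate -Version $version
}
$readable = New-SqlAvailabilityReplica -Name 'DB3' -EndpointUrl 'TCP://DB3.awslabs.net:5022' `
        -AvailabilityMode AsynchronousCommit -FailoverMode Manual `
        -ConnectionModeInSecondaryRole AllowReadIntentConnectionsOnly -AsTemplate -Version $version

# 3. Create the group on the primary, then join the secondaries. AppDB must already have
#    been restored WITH NORECOVERY on DB2 and DB3 from a full backup plus log backup.
New-SqlAvailabilityGroup -Name $ag -Path 'SQLSERVER:\SQL\DB1\DEFAULT' `
    -AvailabilityReplica ($sync + $readable) -Database $db
foreach ($node in 'DB2', 'DB3') {
    Join-SqlAvailabilityGroup -Path "SQLSERVER:\SQL\$node\DEFAULT" -Name $ag
    Add-SqlAvailabilityDatabase -Path "SQLSERVER:\SQL\$node\DEFAULT\AvailabilityGroups\$ag" -Database $db
}

# 4. The listener gets one static IP per subnet (a VPC subnet lives in a single
#    Availability Zone). Its DNS name is <listener>.<domain>, i.e. ag.awslabs.net here.
New-SqlAvailabilityGroupListener -Name 'ag' -Port 1433 `
    -StaticIp '10.0.2.102/255.255.255.0', '10.0.3.102/255.255.255.0' `
    -Path "SQLSERVER:\SQL\DB1\DEFAULT\AvailabilityGroups\$ag"
```

Clients must set MultiSubnetFailover=True in their connection strings; otherwise a failover to the other subnet looks like a long connect timeout rather than a quick retry on the second listener address.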
Amazon RDS for SQL Server
■ AD Integrated
■ Automated failover
■ Automated patching
■ Automated backup
■ Point-in-time recovery
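The five properties above set on one instance with the AWS Tools for Windows PowerShell, as an added example that is not code from the original deck. The directory ID, subnet group, security group and IAM role names are placeholders.

```powershell
# Added example, not from the original deck. Placeholders: d-1234567890 (an AWS Directory
# Service directory), subnet group sqlserver-subnets, sg-0123456789abcdef0, and the
# role rds-directoryservice-access-role (must carry the AmazonRDSDirectoryServiceAccess policy).
$masterPassword = Read-Host -Prompt 'Master user password'   # never hard-code it in a script

$params = @{
    DBInstanceIdentifier       = 'sqlserver-prod'
    Engine                     = 'sqlserver-se'
    LicenseModel               = 'license-included'
    DBInstanceClass            = 'db.m4.large'
    AllocatedStorage           = 200
    MasterUsername             = 'sqladmin'
    MasterUserPassword         = $masterPassword
    DBSubnetGroupName          = 'sqlserver-subnets'       # private subnets only
    VpcSecurityGroupId         = 'sg-0123456789abcdef0'    # 1433 from the application tier only
    PubliclyAccessible         = $false
    StorageEncrypted           = $true
    # AD Integrated: the instance joins the directory, so SQL logins can be domain accounts
    Domain                     = 'd-1234567890'
    DomainIAMRoleName          = 'rds-directoryservice-access-role'
    # Automated failover: synchronous standby in a second Availability Zone
    MultiAZ                    = $true
    # Automated patching: minor versions applied during the maintenance window
    AutoMinorVersionUpgrade    = $true
    PreferredMaintenanceWindow = 'sun:03:00-sun:04:00'
    # Automated backup: daily snapshot plus transaction logs, retained 7 days
    BackupRetentionPeriod      = 7
    PreferredBackupWindow      = '01:00-02:00'
}
$db = New-RDSDBInstance @params

# Wait until the instance is usable before handing out the endpoint.
do {
    Start-Sleep -Seconds 30
    $db = Get-RDSDBInstance -DBInstanceIdentifier $params.DBInstanceIdentifier
} until ($db.DBInstanceStatus -eq 'available')
"Endpoint: $($db.Endpoint.Address):$($db.Endpoint.Port)"

# Point-in-time recovery: a new instance as the database was two hours ago (any second
# inside the retention period). The source keeps running; the copy lands in the same
# private subnet group and is never public.
Restore-RDSDBInstanceToPointInTime -SourceDBInstanceIdentifier 'sqlserver-prod' `
    -TargetDBInstanceIdentifier 'sqlserver-prod-pitr' `
    -RestoreTime (Get-Date).ToUniversalTime().AddHours(-2) `
    -DBSubnetGroupName 'sqlserver-subnets' -PubliclyAccessible $false
```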
All-in-one
Diagram: VPC CIDR 10.0.0.0/16, connected to the on-premises datacenter over VPN / Direct Connect; remote users and admins enter through the RD Gateways (RDG) in the public subnets.
• Availability Zone 1 (10.0.0.0/19): private subnet with Active Directory DC1 10.0.0.10, SQL Server DB1 10.0.0.100 / 10.0.0.101 / 10.0.0.102, SharePoint Server SP1 10.0.0.140, Exchange Server Exch1 10.0.0.150, Lync Server FE1 10.0.0.160; public subnet 10.0.32.0/20 with NAT and RDG.
• Availability Zone 2 (10.0.64.0/19): private subnet with Active Directory DC2 10.0.64.10, SQL Server DB2 10.0.64.100 / 10.0.64.101 / 10.0.64.102, SharePoint Server SP2 10.0.64.140, Exchange Server Exch2 10.0.64.150, Lync Server FE2 10.0.64.160; public subnet 10.0.96.0/20 with NAT and RDG.
• The diagram also labels a 10.0.2.0/24 subnet.
Going beyond infrastructure
• SharePoint BLOB storage on S3
• Export mails to Amazon S3
• AWS Marketplace: On-Demand, License Included or BYOL SharePoint, http://tinyurl.com/AWS-SPS-MP
• Quick Starts: http://tinyurl.com/AWS-MS-QS
AWS SDK and Tools for .NET Architecture
Diagram (layers, bottom to top):
• AWS endpoints: REST API
• Execution platform: .NET 3.5, .NET 4.5, Phone, Store
• AWS SDK, low-level service APIs: Service Clients
• AWS Tools, higher-level utility APIs: Amazon S3 Transfer Utility, Amazon DynamoDB Object Persistence, VM Import, Resource API, AWS Tools for Windows PowerShell, AWS Toolkit for Visual Studio, ASP.NET Session Provider, Trace Listener, …
Blob storage in Amazon S3 (C#)

using System.IO;
using Amazon.S3;
using Amazon.S3.Model;

var bucketName = "<BucketName>";
var fileName = "<FileName>";
// No credentials in code: the client resolves them from the SDK credential chain
// (on an EC2 instance, the instance profile role).
var s3Client = new AmazonS3Client();

// Write data to Amazon S3; fileStream is a Stream the caller has already opened
s3Client.PutObject(new PutObjectRequest {
    BucketName = bucketName,
    Key = fileName,
    InputStream = fileStream
});

// Read data from Amazon S3
var s3Object = s3Client.GetObject(bucketName, fileName);
Loose Coupling Sets You Free (Amazon SQS, C#)

using Amazon.SQS;

var queueUrl = "https://sqs.<region>.amazonaws.com/<AcctNum>/<QueueName>";
var sqsClient = new AmazonSQSClient();

// Send to Amazon SQS
sqsClient.SendMessage(queueUrl, "My Message Data");

// Process Amazon SQS: receive, handle, then delete. A message that is not deleted
// becomes visible again after the queue's visibility timeout and is redelivered,
// so processing must tolerate duplicates.
var exit = false;
while (!exit) {
    var messages = sqsClient.ReceiveMessage(queueUrl);
    foreach (var message in messages.Messages) {
        // Process message, then delete it
        sqsClient.DeleteMessage(queueUrl, message.ReceiptHandle);
    }
}
AWS Also Provides Extended Support
• AWS Elastic Beanstalk: deploy from within Visual Studio; automatic log rotation to Amazon S3
• AWS CodeCommit / CodePipeline / CodeDeploy: manage a large (on-premises and cloud-based) fleet
• .NET SDK and PowerShell cmdlets: integration in custom build pipelines in TFS or CruiseControl.NET
• AWS is the de-facto standard: Jenkins and Bamboo have native integration to AWS; other IDEs support AWS (Unity, Xamarin Studio, Eclipse, …)
Secure remote administration architecture
Diagram: one Availability Zone with a Public Subnet holding the RD Gateway (RDGW) in the Gateway Security Group, and a Private Subnet holding WEB1 and WEB2 in the Web Security Group. The Gateway Security Group accepts TCP port 443 only from the Admin IP (the AWS Administrator in the Corporate Data Center); the Web Security Group accepts traffic only from the Gateway Security Group.
Requires one connection:
• Connect to the RD Gateway over TCP 443, and the gateway proxies the RDP or PowerShell connection to the back-end instance.
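The two security groups on the slide created with the AWS Tools for Windows PowerShell, as an added example that is not code from the original deck. The VPC ID and the admin address (203.0.113.10/32, from the documentation range) are placeholders; the slide only says the web tier accepts traffic "from Gateway SG", and limiting that to RDP (3389) and WinRM over HTTPS (5986) is this example's choice.

```powershell
# Added example, not from the original deck. Placeholders: vpc-0123456789abcdef0 and
# 203.0.113.10/32. Ports 3389 and 5986 on the web tier are an assumption, not on the slide.
$vpcId   = 'vpc-0123456789abcdef0'
$adminIp = '203.0.113.10/32'

$gwSg  = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'rdgw-sg' -Description 'RD Gateway: HTTPS from admin IP only'
$webSg = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'web-sg'  -Description 'Web tier: admin traffic from RD Gateway only'

# Gateway Security Group: TCP 443 from the admin IP, nothing else inbound.
$adminRange = New-Object Amazon.EC2.Model.IpRange
$adminRange.CidrIp      = $adminIp
$adminRange.Description = 'corporate admin egress address'
$https = New-Object Amazon.EC2.Model.IpPermission
$https.IpProtocol = 'tcp'; $https.FromPort = 443; $https.ToPort = 443
$https.Ipv4Ranges.Add($adminRange)
Grant-EC2SecurityGroupIngress -GroupId $gwSg -IpPermission $https

# Web Security Group: the source is the gateway's group, not an address, so the rule
# survives a gateway rebuild and admits nothing that did not come through the gateway.
$fromGateway = New-Object Amazon.EC2.Model.UserIdGroupPair
$fromGateway.GroupId = $gwSg
$adminPorts = foreach ($port in 3389, 5986) {
    $p = New-Object Amazon.EC2.Model.IpPermission
    $p.IpProtocol = 'tcp'; $p.FromPort = $port; $p.ToPort = $port
    $p.UserIdGroupPairs.Add($fromGateway)
    $p
}
Grant-EC2SecurityGroupIngress -GroupId $webSg -IpPermission $adminPorts

# Check: neither group may hold a world-open rule. The failure mode this design prevents
# is an RDP port reachable from 0.0.0.0/0, so verify it rather than assume it.
foreach ($sg in Get-EC2SecurityGroup -GroupId $gwSg, $webSg) {
    $open = $sg.IpPermissions | Where-Object { $_.Ipv4Ranges.CidrIp -contains '0.0.0.0/0' }
    if ($open) { Write-Warning "$($sg.GroupName) admits 0.0.0.0/0 on port(s) $($open.FromPort -join ', ')" }
    else       { "$($sg.GroupName): OK" }
}
```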
One step further: Go DevOps
• AWS Tools for Windows PowerShell
• Leverage AWS Simple Systems Manager: Auto-Domain Join, no machine access, full traceability, fine-grained control; http://tinyurl.com/AWS-SSM-Home
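The four Systems Manager points above in one procedure with the AWS Tools for Windows PowerShell, as an added example that is not code from the original deck. The instance IDs, the directory ID and its name are placeholders; the DNS addresses are the domain controllers from the all-in-one diagram.

```powershell
# Added example, not from the original deck. Placeholders: the two instance IDs and the
# AWS Directory Service directory d-1234567890 (company.local). The instances need the SSM
# agent and an instance profile with the AmazonSSMManagedInstanceCore managed policy.
$instances = @('i-0aaaaaaaaaaaaaaa1', 'i-0bbbbbbbbbbbbbbb2')

# 1. Auto-domain join: nobody logs on with a local administrator account to run the join.
foreach ($id in $instances) {
    New-SSMAssociation -Name 'AWS-JoinDirectoryServiceDomain' -InstanceId $id -Parameter @{
        directoryId    = 'd-1234567890'
        directoryName  = 'company.local'
        dnsIpAddresses = @('10.0.0.10', '10.0.64.10')
    }
}

# 2. No machine access: run the verification as a command instead of an RDP session.
$cmd = Send-SSMCommand -InstanceId $instances -DocumentName 'AWS-RunPowerShellScript' `
        -Comment 'verify domain membership' `
        -Parameter @{ commands = @('(Get-WmiObject Win32_ComputerSystem).Domain') }

# 3. Full traceability: SSM retains the invocation and its output per instance, and the
#    SendCommand API call (caller, time, document, targets) is recorded in CloudTrail.
do {
    Start-Sleep -Seconds 5
    $status = (Get-SSMCommand -CommandId $cmd.CommandId).Status.Value
} until ($status -notin 'Pending', 'InProgress')

Get-SSMCommandInvocation -CommandId $cmd.CommandId -Detail $true |
    Select-Object InstanceId, @{n='Status'; e={ $_.Status.Value }},
                  @{n='Output'; e={ $_.CommandPlugins[0].Output.Trim() }}
```

Fine-grained control is done in IAM rather than in the script: the policy that grants ssm:SendCommand can name only the documents an operator may run and only instances carrying a given tag (condition key ssm:resourceTag/<tag-name>), so a help-desk role can restart a service on web servers without being able to run arbitrary scripts on domain controllers.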
Automation for every use case
Diagram, a spectrum from IaaS* to PaaS*: Amazon EC2, AWS CloudFormation, AWS OpsWorks, AWS Elastic Beanstalk, AWS Lambda; the middle of the range is labelled DevOps automation.
* Definition may vary
License Mobility through Software Assurance
License Mobility is a Microsoft program that allows customers to move their existing licenses from on premises to the cloud.
• Leverage their Enterprise Agreement
• Must have Software Assurance
Microsoft Workloads on AWS
Pay-as-you-go: AMI pricing provides access to software
• Windows Server
• SQL Server Standard
• SQL Server Web
• SQL Server Enterprise
Leverage Microsoft's License Mobility Program (BYOL)
• SQL Server
• SharePoint Server
• Exchange
• Lync
• RDS (Remote Desktop Services)
• Dynamics
Leverage Dedicated Hosts (no Software Assurance required)
• Windows Server
• SQL Server
• SharePoint
• Exchange
• Lync
• Dynamics
Licensing Continuum
License Included
• Amazon manages the licenses
• Pay-as-you-go pricing
• Multi-tenant or dedicated
• No license management overhead
Hybrid
• Baseline in BYOL
• Leverage scalability and pay-as-you-go where applicable
• Limit management overhead
BYOL
• Import and use your own software
• Reduce your spend if you already pay an ISV for licensing
• You manage licensing costs and compliance with your ISV
• Committed contracts with your ISVs
Supportability on AWS
Microsoft workloads are supported on AWS. Amazon Web Services fully supports Microsoft Windows Server as both infrastructure and a platform. Our customers have successfully deployed in the AWS cloud virtually every Microsoft application available, including Microsoft Exchange, SharePoint, Lync, Dynamics, and Remote Desktop Services.
If you have support related issues you should contact AWS Support.
Every imaginable use case
Collaboration, Full/Partial Franchise Migration, Web / Mobile / Media, Mail, ERP, VDI, BI
AWS Training and Certification
Certification: aws.amazon.com/certification
Demonstrate your skills, knowledge, and expertise with the AWS platform
Self-Paced Labs: aws.amazon.com/training/self-paced-labs
Try products, gain new skills, and get hands-on practice working with AWS technologies
Training: aws.amazon.com/training
Skill up and gain confidence to design, develop, deploy and manage your applications on AWS