© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Wayne Saxe, Ron Sunarno, Siva Padisetty
November 29, 2016
Managing and Supporting the
Windows Platform on AWS
SI Technical Track: GPSSI401
Why Are We Here?
The Challenge
Windows workloads consist of more than application servers and solution stacks. As a consulting partner you are responsible for the wider implications: how to support them, manage access and deploy at scale.
Why Are We Here?
The Solution
A consistent, standardized set of tools and patterns flexible enough to fit most use cases and easily deployed. Tools that support infrastructure managers, identity for operating system and application owners, and developers.
Solution Stack 1:
Infrastructure Managers
Landing Zone for Windows Environments
• Based on a multi-VPC architecture
• A place to house common services
• Monitoring
• Logging
• Remote administration
Remote Desktop Gateways
Diagram: Shared Services VPC with a Remote Desktop Gateway (RDGW) in each Availability Zone; admins connect through the RDGW to the Web and DB instances.
1. Configure how access is granted to the RDGW infrastructure
2. Filter access based on user and computer authorization
3. Allow tunneling all the way through
Amazon EC2 Simple Systems Manager
• Remotely manage the configuration of your Windows instances
• SSM is a combination of
  • EC2 Config – lightweight instance configuration solution installed as a Windows service
  • EC2 Run Command – on-demand solution
• SSM documents run with privileged credentials – control access
Diagram: User Role, Instance Role, Service Role
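One way to act on the "control access" point is to scope what an operator's user role may send through Run Command. This is an added example, not code from the deck; the policy and role names, the Role=Web tag and the choice of the two permitted documents are assumptions.

```powershell
# Added example: an IAM policy that lets an operator send only two SSM
# documents, and only to instances tagged Role=Web (names/values assumed).
# Requires the AWS Tools for PowerShell with IAM permissions.
$policyDocument = @'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyApprovedDocuments",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": [
        "arn:aws:ssm:*:*:document/AWS-RunPowerShellScript",
        "arn:aws:ssm:*:*:document/AWS-JoinDirectoryServiceDomain"
      ]
    },
    {
      "Sid": "AllowOnlyTaggedInstances",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": { "StringEquals": { "ssm:resourceTag/Role": "Web" } }
    },
    {
      "Sid": "ReadCommandStatus",
      "Effect": "Allow",
      "Action": [ "ssm:ListCommands", "ssm:ListCommandInvocations" ],
      "Resource": "*"
    }
  ]
}
'@

# Parse locally first: ConvertFrom-Json throws on malformed JSON, which is
# cheaper to catch here than as an IAM MalformedPolicyDocument error.
$parsed = $policyDocument | ConvertFrom-Json
$docArns = ($parsed.Statement | Where-Object Sid -eq 'AllowOnlyApprovedDocuments').Resource
Write-Host "Documents permitted: $($docArns -join ', ')"

# SendCommand needs Allow on both the document and the instance resources,
# so the two Allow statements above work together. Create and attach.
$policy = New-IAMPolicy -PolicyName 'SsmRunCommand-WebOperators' -PolicyDocument $policyDocument
Register-IAMRolePolicy -RoleName 'SsmWebOperator' -PolicyArn $policy.Arn
```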
Centralized Logging with Amazon CloudWatch
Diagram: Web and DB instances in an Availability Zone ship logs through EC2 SSM (ec2messages.*) to Amazon CloudWatch, with an Amazon S3 bucket as a further destination; access is controlled by AWS IAM. EC2 SSM integrates with Amazon CloudWatch.
• Windows security logs
• Performance counters like .NET CLR, ASP.NET applications, memory
• Windows application event logs
• Windows system event logs
• Event tracing for Windows
• Custom logs
Centralized Logging with Amazon CloudWatch
IIS Logs
    { "Id": "IISLogs",
      "FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
      "Parameters": {
        "LogDirectoryPath": "C:\\inetpub\\logs\\LogFiles\\W3SVC1",
        "TimestampFormat": "yyyy-MM-dd HH:mm:ss",
        "Encoding": "UTF-8",
        "Filter": "",
        "CultureName": "en-US",
        "TimeZoneKind": "UTC",
        "LineCount": "5" } },
Windows Security logs
    { "Id": "SecurityEventLog",
      "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
      "Parameters": { "LogName": "Security",
        "Levels": "7" } },
Levels is a bitmask: 1 = Errors, 2 = Warnings, 4 = Information (7 = all three).
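The two fragments above are input components; they only ship logs once they are wired to an output component through a Flow in the full EC2Config CloudWatch configuration. The block below, an added example rather than code from the deck, assembles that file, checks every Flow against the defined component Ids and writes it to the EC2Config settings path; the log group name and the settings path are assumptions.

```powershell
# Added example (not from the deck): build the EC2Config CloudWatch config
# around the IISLogs and SecurityEventLog components, validate the Flows,
# and install it. LogGroup name and $path are assumptions.
$region = 'us-east-1'
$components = @(
  @{ Id = 'IISLogs'
     FullName = 'AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch'
     Parameters = @{ LogDirectoryPath = 'C:\inetpub\logs\LogFiles\W3SVC1'
                     TimestampFormat = 'yyyy-MM-dd HH:mm:ss'; Encoding = 'UTF-8'; Filter = ''
                     CultureName = 'en-US'; TimeZoneKind = 'UTC'; LineCount = '5' } },
  @{ Id = 'SecurityEventLog'
     FullName = 'AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch'
     Parameters = @{ LogName = 'Security'; Levels = '7' } },
  # Output component. AccessKey/SecretKey are left empty on purpose so the
  # agent uses the instance role rather than long-lived keys sitting on disk.
  @{ Id = 'CloudWatchLogs'
     FullName = 'AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch'
     Parameters = @{ AccessKey = ''; SecretKey = ''; Region = $region
                     LogGroup = 'windows-platform-logs'; LogStream = '{instance_id}' } }
)
$flows = @('IISLogs,CloudWatchLogs', 'SecurityEventLog,CloudWatchLogs')

# Each flow is "source,destination". A typo here silently drops a log
# source, which for the Security log is a detection gap, so check first.
$ids = $components | ForEach-Object { $_.Id }
foreach ($flow in $flows) {
  foreach ($id in $flow.Split(',')) {
    if ($ids -notcontains $id) { throw "Flow '$flow' references undefined component '$id'" }
  }
}

$config = @{
  IsEnabled = $true
  EngineConfiguration = @{
    PollInterval = '00:00:15'
    Components = $components
    Flows = @{ Flows = $flows }
  }
}
$path = 'C:\Program Files\Amazon\Ec2ConfigService\Settings\AWS.EC2.Windows.CloudWatch.json'
$config | ConvertTo-Json -Depth 6 | Set-Content -Path $path -Encoding UTF8
# EC2Config reads the file at service start, so restart it to apply.
Restart-Service -Name Ec2Config
```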
Managing Systems with PowerShell via EC2 Run Command
Diagram: Admins (User Role) call the SSM Service, which relays through the EC2 Messaging Service to the SSM EC2 Agent on the instance (Instance Role); both sides are authorized by AWS IAM.
Join an instance to AD
    # Send the AWS-JoinDirectoryServiceDomain document to one instance;
    # Instance-ID stands for the target instance id. Command output is
    # written to the named S3 bucket.
    $domainJoinCommand = Send-SSMCommand -InstanceId Instance-ID `
        -DocumentName AWS-JoinDirectoryServiceDomain `
        -Parameter @{'directoryId'='d-9067386b64'; 'directoryName'='ssm.test.amazon.com';
                     'dnsIpAddresses'=@('172.31.38.48', '172.31.55.243')} `
        -OutputS3BucketName demo-ssm-output-bucket
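Send-SSMCommand returns as soon as the command is accepted, so a script that joins a fleet needs to wait for completion and then look at per-instance results. The block below is an added example, not code from the deck; the instance ids, directory values and bucket name are placeholders.

```powershell
# Added example (not from the deck): send the domain-join document to several
# instances, wait for the command to finish, and report per-instance results.
# Instance ids, directory values and the bucket name are placeholders.
function Wait-SSMCommand {
  param([string]$CommandId, [int]$TimeoutSeconds = 600)
  $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
  do {
    Start-Sleep -Seconds 10
    $status = (Get-SSMCommand -CommandId $CommandId).Status
    if ((Get-Date) -gt $deadline) { throw "Command $CommandId still '$status' after $TimeoutSeconds s" }
  } while ($status -in 'Pending', 'InProgress', 'Cancelling')
  return $status
}

$cmd = Send-SSMCommand -InstanceId @('i-0000000000000001', 'i-0000000000000002') `
  -DocumentName AWS-JoinDirectoryServiceDomain `
  -Parameter @{ directoryId = 'd-0000000000'; directoryName = 'corp.example.com'
                dnsIpAddresses = @('10.0.0.10', '10.0.1.10') } `
  -OutputS3BucketName 'example-ssm-output-bucket'

$final = Wait-SSMCommand -CommandId $cmd.CommandId
Write-Host "Command $($cmd.CommandId) finished with status $final"

# Per-instance status shows which box failed to join (for example because
# the directory DNS addresses were unreachable from its subnet) without
# opening the S3 output of every instance.
Get-SSMCommandInvocation -CommandId $cmd.CommandId |
  Select-Object InstanceId, Status, StatusDetails |
  Format-Table -AutoSize
```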
Solution Stack 2:
Identity for Operating System and Application Owners
Identity Management
Identity and Authorization Realms
Asset              | Accessed Via  | Authorized By
AWS Infrastructure | AWS Endpoints | AWS IAM
Operating System   | Component     | Active Directory
Applications       | Application   | Active Directory
Federation links AWS IAM with Active Directory.
Authorization Scenarios
AWS Use Case: the deployment of the Shared Services VPC. Commands to AWS endpoints are authenticated.
AD Use Case: the manual installation of a SharePoint farm. OS and application authorization is granted via Kerberos.
Combined Use Case: the use of S3 for SharePoint Blob storage. AWS endpoints for console and AD for authentication.
Active Directory Federation Console Access
Diagram: Client, Directory and Identity Provider. Steps shown: (1) Browse to the Identity Provider, (3) SAML Token, (5) AssumeRoleWithSAML, (6) Credentials, (8) Redirect.
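Step (5) is where the SAML token from step (3) is exchanged for AWS credentials. The block below shows that exchange from PowerShell with the AWS Tools; it is an added example, not code from the deck, and assumes $samlResponse already holds the base64 SAMLResponse returned by the identity provider and that a role named WindowsAdmins is the preferred one.

```powershell
# Added example (not from the deck): parse the AWS Role attribute out of a
# SAML response and call AssumeRoleWithSAML. $samlResponse is assumed to be
# the base64 SAMLResponse from step (3); the role name is an assumption.
function Get-SamlRolePair {
  param([string]$SamlResponseBase64)
  [xml]$assertion = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64))
  $ns = New-Object Xml.XmlNamespaceManager($assertion.NameTable)
  $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
  # AWS expects each Role attribute value as a "role-arn,provider-arn" pair.
  $xpath = "//saml:Attribute[@Name='https://aws.amazon.com/SAML/Attributes/Role']/saml:AttributeValue"
  foreach ($node in $assertion.SelectNodes($xpath, $ns)) {
    $parts = $node.InnerText.Split(',') | ForEach-Object { $_.Trim() }
    $role = $parts | Where-Object { $_ -match ':role/' } | Select-Object -First 1
    $provider = $parts | Where-Object { $_ -match ':saml-provider/' } | Select-Object -First 1
    if (-not $role -or -not $provider) { throw "Malformed Role attribute value: $($node.InnerText)" }
    [pscustomobject]@{ RoleArn = $role; PrincipalArn = $provider }
  }
}

$pairs = @(Get-SamlRolePair -SamlResponseBase64 $samlResponse)
if ($pairs.Count -eq 0) { throw 'Assertion carries no AWS Role attribute' }
# A user mapped to several roles should pick one explicitly, not just the first.
$pair = $pairs | Where-Object RoleArn -like '*:role/WindowsAdmins' | Select-Object -First 1
if (-not $pair) { $pair = $pairs[0] }

# Step (5): exchange the assertion for temporary credentials (step (6)).
$creds = Use-STSRoleWithSAML -SAMLAssertion $samlResponse -RoleArn $pair.RoleArn `
  -PrincipalArn $pair.PrincipalArn -DurationInSeconds 3600
Set-AWSCredential -AccessKey $creds.Credentials.AccessKeyId `
  -SecretKey $creds.Credentials.SecretAccessKey -SessionToken $creds.Credentials.SessionToken
Write-Host "Assumed $($pair.RoleArn); credentials expire $($creds.Credentials.Expiration)"
```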
Active Directory Deployment and Design
AD Site Design Implications
Diagram: Shared Services VPC with Microsoft AD domain controllers in each Availability Zone; intra-site replication between the DCs of a site.
• AD Sites look a lot like AZs
• The client lookup process is AD dependent but impacts your availability strategy AND your VPC design
Multi-Region Deployment Model
Diagram: Shared Services VPCs in Region 1, Region 2 and Region 3, each with Microsoft AD domain controllers across Availability Zones and intra-site replication.
• Consider the placement of Global Catalog Servers. Lookups can take a long time globally.
• Cross-region data transfer requires specific design for AD Replication Traffic
• A multi-domain forest model makes sense
Self-managed, replicated DCs on EC2
Diagram: two Availability Zones, each with a public subnet holding a NAT instance and a private subnet holding the Web (IIS Server), App (App Server) and DB (SQL Server) tiers (subnets 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24); self-managed domain controllers in the Shared Services VPC replicate with each other; admins connect from outside. Flows shown: AD client communication, DC replication, application traffic.
AWS Microsoft AD
Diagram: the same two-AZ application layout, with AWS Microsoft AD domain controllers in each Availability Zone of the Shared Services VPC, the DB tier replaced by RDS SQL Server (AWS Managed Services), and remote users / admins connecting in.
Trusts
Diagram: AWS Microsoft AD in the Shared Services VPC with a trust to a second Microsoft AD forest and its own domain controllers; authentication (Auth) crosses the trust, with the application tiers, NAT and RDS SQL Server (AWS Managed Services) as before.
AD Connector
Proxy solution to use AD accounts with AWS Enterprise Applications
• AD Proxy for WorkSpaces, WorkDocs, WorkMail
• Authentication and LDAP forwarded to on-premises AD
• Applications can look up users and groups
• Users authenticate using existing corporate credentials
• Supports EC2 Seamless Domain Join
• EC2 discovers domain name from AD Connector
• EC2 bypasses AD Connector for everything else
Solution Stack 3:
Developers
AWS CloudFormation for Windows
Spinning up Windows stacks is fast if we do it efficiently
Diagram: an Availability Zone with a public subnet (RDGW, NAT Gateway, Internet gateway) and a private subnet (DC, DB).
Without user-defined order, this may never deploy
Using DependsOn fixes this problem but can be slow – it's too blunt of a tool
cfn-signal and a PowerShell loop give us the fine-grained control we need
    # Embedded in the instance UserData through Fn::Join; $stack, $resource and
    # $region are set earlier in the same script. Poll the dependency until it
    # reaches CREATE_COMPLETE or UPDATE_COMPLETE before continuing.
    $output = (Get-CFNStackResources -StackName $stack -LogicalResourceId $resource -Region $region)
    while (($output -eq $null) -or (($output.ResourceStatus -ne 'CREATE_COMPLETE') -and ($output.ResourceStatus -ne 'UPDATE_COMPLETE'))) {
        Start-Sleep 5
        $output = (Get-CFNStackResources -StackName $stack -LogicalResourceId $resource -Region $region)
    }
Diagram: deployment order of Network, DC, DB and RDGW under each of the three approaches.
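The loop above waits forever if the dependency fails or rolls back, and it does not show the cfn-signal call that reports the result. The block below is an added example, not code from the deck: the same wait with a timeout and early exit on failure states, followed by cfn-signal. It assumes cfn-signal.exe is on PATH and that $stack, $resource (the dependency), $selfResource (this instance's logical id) and $region are set.

```powershell
# Added example (not from the deck): wait for a dependency with a timeout
# and failure detection, then signal this instance's CreationPolicy.
# $stack, $resource, $selfResource and $region are assumed to be set.
function Wait-CFNResourceComplete {
  param([string]$StackName, [string]$LogicalId, [string]$Region, [int]$TimeoutMinutes = 30)
  $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
  while ($true) {
    try {
      $res = Get-CFNStackResources -StackName $StackName -LogicalResourceId $LogicalId -Region $Region
      $status = if ($res) { [string]$res.ResourceStatus } else { 'NOT_FOUND' }
    } catch {
      # The resource may not exist yet; treat lookup errors as "not yet".
      $status = 'NOT_FOUND'
    }
    if ($status -in 'CREATE_COMPLETE', 'UPDATE_COMPLETE') { return $true }
    # A failed or rolling-back resource will never reach *_COMPLETE: stop waiting.
    if ($status -match 'FAILED|ROLLBACK') { Write-Warning "$LogicalId is $status"; return $false }
    if ((Get-Date) -gt $deadline) { Write-Warning "Timed out waiting for $LogicalId ($status)"; return $false }
    Start-Sleep -Seconds 5
  }
}

$ok = Wait-CFNResourceComplete -StackName $stack -LogicalId $resource -Region $region

# Exit code 0 marks this instance ready; non-zero fails the stack fast
# instead of leaving it hanging until the CreationPolicy timeout expires.
$exitCode = if ($ok) { 0 } else { 1 }
& cfn-signal.exe -e $exitCode --stack $stack --resource $selfResource --region $region
```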
MS Visual Studio Integration
with AWS Elastic Beanstalk
Demo
Register for a Bootcamp
Get in-depth knowledge and training from AWS Instructors and Solutions Architects.
reinvent.awsevents.com/training
#AWSTraining
Get AWS Certified Onsite
Demonstrate your technical proficiency and receive special recognition onsite. Register today.
reinvent.awsevents.com/certification
#AWSCertified
Take Hands-on Labs
Practice with AWS in a live environment. Choose from 100+ lab topics and attend a Spotlight Lab session.
Free Onsite
Thank you!
Remember to complete your evaluations!