© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Zlatan Dzinic, Professional Services, AWS US; Julien Lépine, Solutions Architect, AWS EMEA. April 12th, 2016. Best Practices for Deploying Microsoft Workloads on AWS

20160412 - AWS Summit Berlin - Best Practices for Deploying Microsoft Workloads on AWS (aws-de-media.s3.amazonaws.com/images/AWS_Summ…, uploaded 2016-04-10)



Identity Best Practices

Main Identity Topics

• Infrastructure Identity Management: AWS Identity and Access Management
• Server / Application Identity Management: AWS Directory Services (Samba or Active Directory)
• Federation: AWS Security Token Service

AWS Identity and Access Management (IAM)

• Role Based Access Control
• Multi-Factor Authentication
• Integrated with all AWS Services

IAM Roles

Isolated domains

(Diagram: the corporate network runs domain company.local with DC1 in Munich and DC2 in Berlin; it is connected over Direct Connect to a VPC running a separate domain, company.cloud, on AWS Directory Services with DC3 in a private subnet of Availability Zone A and DC4 in a private subnet of Availability Zone B. The two domains are linked by Federation / Synchronization.)

Separate identities with synchronization / Federation → Use partners such as Okta, PingFederate

Single domain extended to multiple sites

(Diagram: one domain, company.local, spans the corporate network (DC1 in Munich, DC2 in Berlin) and the VPC (DC3 in a private subnet of Availability Zone A, DC4 in a private subnet of Availability Zone B) over Direct Connect. Active Directory site-link costs of 50 and 10 are shown; replication and domain-controller location follow the lower-cost link.)

One single identity, data center extension mode (rely on Active Directory Sites, Read-Only domain controllers or not)

One sub domain per site

(Diagram: the forest root company.local stays on the corporate network (DC1 in Munich, DC2 in Berlin); a child domain, cloud.company.local, runs in the VPC with DC3 in a private subnet of Availability Zone A and DC4 in a private subnet of Availability Zone B, connected over Direct Connect.)

Isolated subset of the directory, single identity for users (Active Directory domains in a single forest)

One forest per site and trust

(Diagram: forest company.local on the corporate network (DC1 in Munich, DC2 in Berlin) and a second forest, company.cloud, on AWS Directory Services in the VPC (DC3 in a private subnet of Availability Zone A, DC4 in a private subnet of Availability Zone B), joined by a trust over Direct Connect.)

Separate directories, single identity (Cross-Forest / Resource Forest with trust)

User Identity Federation with Amazon IAM

(Diagram: AD users in Active Directory, next to enterprise applications and corporate systems, federate into Amazon Identity & Access Management and assume IAM Roles that grant access to EC2, DynamoDB and S3.)

Federated API and CLI access using ADFS

• ADFS: http://tinyurl.com/AWS-ADFS-SAML
• CLI: http://tinyurl.com/AWS-ADFS-CLI
• AWS Tools for Windows PowerShell
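The federated CLI flow above ends with the client picking one role out of the SAML assertion ADFS returns and exchanging the assertion at STS. The following is an added example, not code from the deck or from the linked posts: it parses the Role attribute, refuses to guess when several roles are offered, and calls AssumeRoleWithSAML through an injected client so it runs offline. The account ID 123456789012, the ADFS-Admins / ADFS-ReadOnly role names and the saml-provider name ADFS are assumptions.

```python
"""Select and assume an AWS role from an ADFS SAML assertion (added example)."""
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample: the SAMLResponse ADFS would POST to the AWS sign-in endpoint,
# reduced to the elements this code reads. A real response carries an XML signature,
# which STS verifies against the saml-provider; this client never needs to.
SAMPLE_SAML_RESPONSE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-Admins,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>jdoe@company.local</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""").decode()


def extract_roles(saml_response_b64):
    """Return [(role_arn, principal_arn), ...] from the assertion's Role attribute.

    ADFS writes each value as "arn,arn" and AWS accepts either order, so the
    two ARNs are told apart by type rather than by position.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role = [p for p in parts if ":role/" in p]
            provider = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(role) != 1 or len(provider) != 1:
                raise ValueError("malformed Role value: %r" % value.text)
            roles.append((role[0], provider[0]))
    if not roles:
        raise ValueError("assertion carries no AWS Role attribute")
    return roles


def choose_role(roles, preferred=None):
    """Pick the pair to assume; never silently take the first of several."""
    if preferred is not None:
        for pair in roles:
            if pair[0] == preferred:
                return pair
        raise LookupError("role %s is not offered by the IdP" % preferred)
    if len(roles) == 1:
        return roles[0]
    raise LookupError("several roles offered; pass preferred=<role ARN>")


def assume_with_saml(sts_client, saml_response_b64, preferred=None, duration=3600):
    """Exchange the assertion for temporary credentials via STS AssumeRoleWithSAML.

    sts_client is anything exposing boto3's assume_role_with_saml(**kwargs),
    e.g. boto3.client("sts"); no long-lived IAM user keys are involved.
    """
    role, provider = choose_role(extract_roles(saml_response_b64), preferred)
    response = sts_client.assume_role_with_saml(
        RoleArn=role,
        PrincipalArn=provider,
        SAMLAssertion=saml_response_b64,
        DurationSeconds=duration,
    )
    return response["Credentials"]


class FakeSts:
    """Offline stand-in for the STS client: records the call, returns dummy credentials."""

    def assume_role_with_saml(self, **kwargs):
        self.last_call = kwargs
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "example",
                                "SessionToken": "example"}}


if __name__ == "__main__":
    sts = FakeSts()
    creds = assume_with_saml(sts, SAMPLE_SAML_RESPONSE,
                             preferred="arn:aws:iam::123456789012:role/ADFS-ReadOnly")
    print(sts.last_call["RoleArn"], creds["AccessKeyId"])
```

With a real boto3 STS client in place of FakeSts the returned Credentials are what the CLI writes to its profile; the explicit preferred role is what keeps a user who is a member of several AD groups from landing in the most privileged one by accident.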

SQL Server

SQL Server High Availability

(Diagram: an Availability Group across two Availability Zones, each replica in a private subnet. Availability Zone 1 holds the primary replica (10.0.2.100; WSFC 10.0.2.101; AG listener 10.0.2.102) and Availability Zone 2 the secondary replica (10.0.3.100; WSFC 10.0.3.101; AG listener 10.0.3.102). Replication is synchronous-commit with automatic failover, and the listener is published as ag.awslabs.net.)

Because the listener owns one IP address per subnet, clients should connect with MultiSubnetFailover=True so that a failover does not wait for the stale DNS entry to expire.

WSFC Quorum

(Two diagrams. First: primary replica in Availability Zone 1 and secondary replica in Availability Zone 2 with automatic failover, the quorum resource provided by SoftNAS / SIOS. Second: the same two replicas with a witness server placed in a third Availability Zone 3, so that the loss of either replica's zone still leaves a majority.)

SQL Server HA with Readable Replica

(Diagram: primary replica in a private subnet of Availability Zone 1 and Secondary Replica 1 in a private subnet of Availability Zone 2, synchronous-commit with automatic failover behind the AG listener ag.awslabs.net. A third node, Secondary Replica 2 (readable), receives asynchronous-commit replication and serves a reporting application.)

SQL Server Disaster Recovery & Backup

(Diagram: primary replica in Availability Zone 1 and Secondary Replica 1 in Availability Zone 2, both in private subnets, with automatic failover behind the AG listener ag.awslabs.net. Secondary Replica 2 (readable) sits in the corporate network, reached over VPN and configured for manual failover; it serves the reporting application and is where backups are taken.)

Amazon RDS for SQL Server

■ AD integrated
■ Automated failover
■ Automated patching
■ Automated backup
■ Point-in-time recovery

Server Products

Core Infrastructure: Exchange, SharePoint

All-in-one

(Diagram: VPC CIDR 10.0.0.0/16 across two Availability Zones, connected to the on-premises datacenter (DC1) over VPN / Direct Connect. Subnet labels shown: 10.0.0.0/19 (private, Availability Zone 1), 10.0.32.0/20, 10.0.2.0/24, 10.0.64.0/19 (private, Availability Zone 2), 10.0.96.0/20. Each Availability Zone has a NAT instance and an RD Gateway (RDG) that remote users and admins come in through.
Availability Zone 1 private subnet: Active Directory 10.0.0.10; SQL Server DB1 10.0.0.100, 10.0.0.101, 10.0.0.102; SharePoint Server SP1 10.0.0.140; Exchange Server Exch1 10.0.0.150; Lync Server FE1 10.0.0.160.
Availability Zone 2 private subnet: Active Directory DC2 10.0.64.10; SQL Server DB2 10.0.64.100, 10.0.64.101, 10.0.64.102; SharePoint Server SP2 10.0.64.140; Exchange Server Exch2 10.0.64.150; Lync Server FE2 10.0.64.160.)

Going beyond infrastructure

• SharePoint BLOB storage on S3
• Export mails to Amazon S3

AWS Marketplace
• On-Demand, License Included or BYOL SharePoint
• http://tinyurl.com/AWS-SPS-MP

Quick Starts
• http://tinyurl.com/AWS-MS-QS

Developers

AWS SDK and Tools for .NET Architecture

(Layer diagram, top to bottom:
Execution platform: .NET 3.5, .NET 4.5, Phone, Store
AWS Tools, higher-level utility APIs: Amazon S3 TransferUtility, Amazon DynamoDB Object Persistence, VM Import, Resource API, AWS Tools for Windows PowerShell, AWS Toolkit for Visual Studio, ASP.NET Session Provider, Trace Listener
AWS SDK, low-level service APIs: Service clients
AWS endpoints: REST API)

AWS Toolkit for Visual Studio

Full Integration in Visual Studio

Blob storage in Amazon S3

using System.IO;
using Amazon.S3;
using Amazon.S3.Model;

var bucketName = "<BucketName>";
var fileName = "<FileName>";
// Region and credentials come from the SDK defaults; on EC2 that is the instance's IAM role
var s3Client = new AmazonS3Client();

// Write data to Amazon S3 from an open stream holding the blob
using (var fileStream = File.OpenRead("<LocalPath>")) {
    s3Client.PutObject(new PutObjectRequest {
        BucketName = bucketName,
        Key = fileName,
        InputStream = fileStream
    });
}

// Read data from Amazon S3; dispose the response to release the HTTP connection
using (var s3Object = s3Client.GetObject(bucketName, fileName))
using (var reader = new StreamReader(s3Object.ResponseStream)) {
    var blob = reader.ReadToEnd();
}

Loose Coupling Sets You Free

using Amazon.SQS;

var queueUrl = "https://sqs.<region>.amazonaws.com/<AcctNum>/<QueueName>";
var sqsClient = new AmazonSQSClient();

// Send to Amazon SQS
sqsClient.SendMessage(queueUrl, "My Message Data");

// Process Amazon SQS: receive, handle, then delete. A message that is not deleted
// becomes visible again after the visibility timeout, so handlers must be idempotent.
var exit = false; // set by the host when it wants the worker to stop
while (!exit) {
    var messages = sqsClient.ReceiveMessage(queueUrl);
    foreach (var message in messages.Messages) {
        // Process message then delete
        sqsClient.DeleteMessage(queueUrl, message.ReceiptHandle);
    }
}

AWS Also Provides Extended Support

AWS Elastic Beanstalk
• Deploy from within Visual Studio / automatic log rotation to Amazon S3

AWS CodeCommit / CodePipeline / CodeDeploy
• Manage a large (on-premises and cloud-based) fleet

.NET SDK and PowerShell CmdLets
• Integration in custom build pipelines in TFS or CruiseControl.NET

AWS is the de-facto standard
• Jenkins and Bamboo have native integration with AWS
• Other IDEs support AWS (Unity, Xamarin Studio, Eclipse…)

DevOps

Secure remote administration architecture

(Diagram: one Availability Zone with a public subnet and a private subnet. The public subnet holds RDGW in the Gateway Security Group, which accepts TCP port 443 from the AWS administrator's IP in the corporate data center. The private subnet holds WEB1 and WEB2 in the Web Security Group, which accepts traffic only from the Gateway SG.)

Requires one connection:
• Connect to the RD Gateway, and the gateway proxies the RDP or PowerShell connection to the back-end instance.
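The value of the pattern above is lost the moment someone adds a direct RDP rule on the web tier, so it is worth checking mechanically. The following is an added example, not part of the deck: an audit over security groups in the shape EC2 DescribeSecurityGroups returns, with the correct configuration next to the weakened one. The admin address 203.0.113.10/32, the group IDs and the back-end ports 3389 (RDP) and 5986 (PowerShell remoting over HTTPS) are assumptions.

```python
"""Audit the RD Gateway admin-access pattern against DescribeSecurityGroups output (added example)."""
import ipaddress

ADMIN_CIDR = "203.0.113.10/32"       # assumed admin egress address (documentation range)
GATEWAY_SG = "sg-0a1b2c3d4e5f60001"   # assumed group IDs
WEB_SG = "sg-0a1b2c3d4e5f60002"

# Constructed in the shape of the SecurityGroups[] list EC2 DescribeSecurityGroups returns.
GOOD_GROUPS = [
    {"GroupId": GATEWAY_SG, "GroupName": "Gateway Security Group",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": ADMIN_CIDR}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": WEB_SG, "GroupName": "Web Security Group",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,   # RDP, proxied by the gateway
          "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": GATEWAY_SG}]},
         {"IpProtocol": "tcp", "FromPort": 5986, "ToPort": 5986,   # PowerShell remoting over HTTPS
          "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": GATEWAY_SG}]}]},
]

# The weak variant: RDP on the web tier "temporarily" opened to the whole Internet.
OPEN_RDP_GROUPS = [GOOD_GROUPS[0], {
    "GroupId": WEB_SG, "GroupName": "Web Security Group",
    "IpPermissions": GOOD_GROUPS[1]["IpPermissions"] + [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}]


def find_group(groups, group_id):
    for group in groups:
        if group["GroupId"] == group_id:
            return group
    raise KeyError(group_id)


def audit_gateway_sg(groups, gateway_id, admin_cidr):
    """Every gateway rule must be tcp/443 and every source must lie inside admin_cidr."""
    admin = ipaddress.ip_network(admin_cidr, strict=False)
    findings = []
    for perm in find_group(groups, gateway_id)["IpPermissions"]:
        if (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")) != ("tcp", 443, 443):
            findings.append("gateway allows %s %s-%s; only tcp/443 expected"
                            % (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")))
        for r in perm.get("IpRanges", []):
            if not ipaddress.ip_network(r["CidrIp"], strict=False).subnet_of(admin):
                findings.append("gateway reachable from %s, outside admin range %s"
                                % (r["CidrIp"], admin_cidr))
        for r in perm.get("Ipv6Ranges", []):
            findings.append("gateway reachable over IPv6 from %s" % r["CidrIpv6"])
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append("gateway reachable from security group %s" % pair.get("GroupId"))
    return findings


def audit_web_sg(groups, web_id, gateway_id):
    """The web tier must have no CIDR sources at all and only the gateway SG as a group source."""
    findings = []
    for perm in find_group(groups, web_id)["IpPermissions"]:
        for r in perm.get("IpRanges", []):
            findings.append("web tier reachable from CIDR %s; expected gateway SG only" % r["CidrIp"])
        for r in perm.get("Ipv6Ranges", []):
            findings.append("web tier reachable from IPv6 CIDR %s" % r["CidrIpv6"])
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != gateway_id:
                findings.append("web tier reachable from security group %s" % pair.get("GroupId"))
    return findings


def audit(groups, gateway_id=GATEWAY_SG, web_id=WEB_SG, admin_cidr=ADMIN_CIDR):
    """Return a list of findings; an empty list means the pattern is intact."""
    return audit_gateway_sg(groups, gateway_id, admin_cidr) + audit_web_sg(groups, web_id, gateway_id)


if __name__ == "__main__":
    # With live data: boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    print("good:", audit(GOOD_GROUPS))
    print("open rdp:", audit(OPEN_RDP_GROUPS))
```

Run it against the live DescribeSecurityGroups output on a schedule, or from AWS Config, and the open-to-the-world RDP rule shows up as a single finding instead of being discovered by whoever scans the public range next.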

One step further: Go DevOps

• AWS Tools for Windows PowerShell
• Leverage AWS Simple Systems Manager
  • Auto-domain join
  • No machine access
  • Full traceability
  • Fine-grained control
  • http://tinyurl.com/AWS-SSM-Home

Automated Log Management and Analysis

(Diagram: log events from Amazon EC2 instances flow into Amazon CloudWatch Logs and are delivered on to AWS Lambda and Amazon Kinesis for processing.)
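The CloudWatch Logs to Lambda leg of that pipeline hands the function a base64-encoded, gzip-compressed batch, and the first thing a detection needs is to unwrap it. The following is an added example, not from the deck: a handler that decodes a subscription delivery, counts Windows Security log Event ID 4625 (failed logon) records per source address, and flags sources over a threshold. The Security log lines are constructed, and their flattened "EventID=... TargetUserName=... IpAddress=..." layout is an assumption about how the log agent is configured; adjust the regex to the format your agent actually ships.

```python
"""Lambda handler for a CloudWatch Logs subscription: flag failed-logon bursts (added example)."""
import base64
import gzip
import json
import re
from collections import Counter

THRESHOLD = 5   # assumed: failed logons from one source IP within one delivered batch

# Event ID 4625 is "An account failed to log on"; the field layout is assumed, see above.
FAILED_LOGON = re.compile(r"\bEventID=4625\b.*?\bTargetUserName=(?P<user>\S+).*?\bIpAddress=(?P<ip>\S+)")


def decode_subscription_event(event):
    """Undo the base64 + gzip wrapping CloudWatch Logs applies to subscription deliveries."""
    raw = gzip.decompress(base64.b64decode(event["awslogs"]["data"]))
    return json.loads(raw.decode("utf-8"))


def failed_logons_by_source(log_events):
    """Count 4625 records per source IP and remember which accounts each source went after."""
    counts, users = Counter(), {}
    for rec in log_events:
        m = FAILED_LOGON.search(rec["message"])
        if m:
            counts[m.group("ip")] += 1
            users.setdefault(m.group("ip"), set()).add(m.group("user"))
    return counts, users


def handler(event, context=None):
    data = decode_subscription_event(event)
    # CloudWatch Logs sends a single CONTROL_MESSAGE when the subscription is created.
    if data.get("messageType") != "DATA_MESSAGE":
        return {"logGroup": data.get("logGroup"), "flagged": {}}
    counts, users = failed_logons_by_source(data["logEvents"])
    flagged = {ip: {"count": n, "users": sorted(users[ip])}
               for ip, n in counts.items() if n >= THRESHOLD}
    # A deployment would publish `flagged` (SNS, a Kinesis stream, a ticket);
    # returning it keeps the example self-contained.
    return {"logGroup": data["logGroup"], "logStream": data["logStream"], "flagged": flagged}


def make_subscription_event(log_group, log_stream, messages, message_type="DATA_MESSAGE"):
    """Wrap messages the way CloudWatch Logs does, so the handler can be exercised offline."""
    body = {"messageType": message_type, "owner": "123456789012",
            "logGroup": log_group, "logStream": log_stream,
            "subscriptionFilters": ["failed-logons"],
            "logEvents": [{"id": str(i), "timestamp": 1460419200000 + i * 1000, "message": m}
                          for i, m in enumerate(messages)]}
    packed = gzip.compress(json.dumps(body).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(packed).decode("ascii")}}


# Constructed sample: six failures against the built-in administrator account from one
# Internet address, then one failure and one success (4624) from an internal workstation.
SAMPLE_MESSAGES = (
    ["EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7"] * 6
    + ["EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=10.0.0.23",
       "EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.0.0.23"]
)


if __name__ == "__main__":
    print(handler(make_subscription_event("/windows/security", "WEB1", SAMPLE_MESSAGES)))
```

The per-batch threshold is deliberately simple; a batch is whatever the agent shipped in that delivery window, so a slow attacker spreads across batches. Keeping running counts in a DynamoDB table keyed by source IP, or letting Kinesis Analytics do the windowing, is the natural next step the diagram leaves room for.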

Automation for every use case

(Diagram: a continuum from IaaS* (Amazon EC2, AWS CloudFormation) through AWS OpsWorks and AWS Elastic Beanstalk to PaaS* (AWS Lambda), with DevOps automation spanning the whole range.)

* Definition may vary

Licensing

License Mobility is a Microsoft program that allows customers to move their existing licenses from on-premises to the cloud
• Leverage their Enterprise Agreement
• Must have Software Assurance

License Mobility through Software Assurance

Microsoft Workloads on AWS

Pay-as-you-go: AMI pricing provides access to software
• Windows Server
• SQL Server Standard
• SQL Server Web
• SQL Server Enterprise

Leverage Microsoft's License Mobility Program (BYOL)
• SQL Server
• SharePoint Server
• Exchange
• Lync
• RDS (Remote Desktop Services)
• Dynamics

Leverage Dedicated Hosts
• Windows Server
• SQL Server - no SA
• SharePoint - no SA
• Exchange - no SA
• Lync - no SA
• Dynamics - no SA

Licensing Continuum

License Included

• Amazon manages the licenses

• Pay-as-you-go pricing

• Multi-tenant or dedicated

• No license management overhead

Hybrid

• Baseline in BYOL

• Leverage scalability and pay-as-you-go where applicable

• Limit management overhead

BYOL

• Import and use your own software

• Reduce your spend if you already pay an ISV for licensing

• You manage licensing costs and compliance with your ISV

• Committed contracts with your ISVs

MSDN

Supportability on AWS

Microsoft workloads are supported on AWS. Amazon Web Services fully supports Microsoft Windows Server as both infrastructure and a platform. Our customers have successfully deployed in the AWS cloud virtually every Microsoft application available, including Microsoft Exchange, SharePoint, Lync, Dynamics, and Remote Desktop Services.

If you have support-related issues you should contact AWS Support.

Every imaginable use case
• Collaboration
• Full/Partial Franchise Migration
• Web / Mobile / Media
• Mail
• ERP
• VDI
• BI

We are here to help

AWS Resources

Solution Architects

Professional Services

Premium Support

AWS Partner Network (APN)

AWS Training and Certification

Certification
aws.amazon.com/certification
Demonstrate your skills, knowledge, and expertise with the AWS platform

Self-Paced Labs
aws.amazon.com/training/self-paced-labs
Try products, gain new skills, and get hands-on practice working with AWS technologies

Training
aws.amazon.com/training
Skill up and gain confidence to design, develop, deploy and manage your applications on AWS