aws sp white paper pdf pdf

7/29/2019 AWS SP White Paper PDF PDF

1/36

AmazonWebServicesMicrosoftSharePointServeronAWS:ReferenceArchitecture February2012

Page1of36

MicrosoftSharePointServer

onAWS:ReferenceArchitectureFebruary2012

(Pleaseconsulthttp://aws.amazon.com/whitepapersforthelatestversionofthispaper.)


2/36


Page2of36

Abstract

AmazonWebServices(AWS)providesacompletesetofservicesandtoolsfordeployingWindowsworkloads,including

MicrosoftSharePointServer,onitshighly reliableandsecurecloudinfrastructureplatform.Thiswhitepaperdiscusse

generalconceptsregardinghowtousetheseservicesandprovidesdetailedtechnicalguidanceonhowto configure,

deploy,andrunaSharePointServerfarmonAWS.ItillustratesreferencearchitectureforcommonSharePointServerdeploymentscenariosanddiscussestheirnetwork,security,anddeploymentconfigurationssoyoucanrunSharePoint

Serverworkloadsinthecloudwithconfidence.

ThiswhitepaperistargetedtoITinfrastructuredecision-makersandadministrators.Afterreadingit,youshouldhavea

goodideaofhowtosetupanddeploythecomponentsofatypicalSharePointServerfarmonAWS.Youlearnwhich

artifactstouseandhowtoconfigurethevariousinfrastructuredetails,suchascomputeinstances,storage,security,and

networking.


3/36


Page3of36

Introduction

Enterprisesneedtogrowandmanagetheirglobalcomputinginfrastructuresrapidlyandefficientlywhilesimultaneously

optimizingandmanagingcapitalcostsandexpenses.AWSscomputingandstorageservicesmeetthisneedbyproviding

aglobalcomputinginfrastructure.TheAWSinfrastructureenablescompaniestorapidlyspinupcomputecapacityor

quicklyandflexiblyextendtheirexistingon-premiseinfrastructureintothecloud.AWSprovidesarichsetofservicesandrobust,enterprise-grademechanismsforsecurity,networking,computation,andstorage.

SharePointServerisawidelydeployedapplicationplatform,commoninmanyorganizationsasthemainportalfor

teamcorporatecollaboration,contentmanagement,workflow,andaccesstocorporateapplications.Onekeybenefito

SharePointServeristhatitenablesorganizationstorapidlyrespondtochangingbusinessneeds.AWSisaperfect

complementtoSharePointServer,becauseitenablesorganizationstorapidlyprovisionthenecessarycomputing

infrastructuretopowerSharePointServersolutions.

AWSandMicrosofthavepartneredtoenablecustomerstodeployenterprise-classworkloadsinvolvingWindows

ServerandMicrosoftSQLServeronapay-as-you-go,on-demandelasticinfrastructure,therebyeliminatingthecapital

costforserverhardwareandgreatlyreducingtheprovisioningtimerequiredtocreateorextendaSharePointServer

farm.ThispartnershiphasresultedintheabilitytolicenseandrunSharePointServeronAWSunderprovisionsin

MicrosoftsLicenseMobilitythroughSoftwareAssurance program.

Asarelevantdatapointandcasestudy,theAmazonCorporateITteamhostsAmazonsowncorporateintranetrunning

SharePointServeronAWS.Theyhavepublishedawhitepaperdetailingitsevaluation,securityrequirements,

architecture,benefits,andlessonslearnedfromthedeployment.NotethatatthetimetheAmazonCorporateITteam

deployedtheirSharePointServerenvironmentandwrotethewhitepaper,anumberoftheAWSservicesdiscussed

hereinwereeithernotinplaceorlimitedintheiravailability.Thiscurrentpaperprovidesanup-to-dateandmorehigh-

leveldescriptionofhowtosupportSharePointServeronAWS.


4/36


Page4of36

SharePointServerReferenceArchitectureandScenariosTounderstandhowSharePointServerandassociatedcomponentscanbehostedonAWS,letsfirstreviewthe

architectureandcomponentsofatypicalSharePointServerfarmandexplorethecommonscenariosandtopologies.

SharePointServerFarmReferenceArchitecture MicrosoftprovidesconsiderableguidanceforarchitectingSharePointServerfarmtopologiesformanyscenariosand

scales.ThissectionreviewsthetypicalSharePointServerfarmarchitectureasrecommendedbyMicrosoftandidentifies

acoupleofcommondeploymentscenariosandassociatedtopologiesthatyouwillmapontoAWSlaterinthispaper.

SharePointServerhasevolvedoverseveralversionstoprovidearichsetofcapabilitiesandservices.SharePointServer

architecturehasalsoevolvedtosupportaservice-basedarchitecture,enablingspecificservicestobescaledoutto

individualserversandservergroups.Inaddition,SharePointServerreferencearchitecturedefinesdistinctrolesand

servergroupsthatyoucancreateandscaleoutindependently.ThismodelfitsnicelywithinAWSsscale-outapproach.

TheSharePointServerreferencearchitecturetiersandservicesareillustratedinFigure1.

Source:http://technet.microsoft.com/en-us/library/ff758647.aspx

Figure1:TheSharePointServerreferencearchitecture

AdditionalinfrastructurecomponentsarerequiredorrecommendedtosupportSharePointServerfarms:

ActiveDirectoryDomainServices(ADDS).SharePointServerrequiresADDStoserveastheauthoritativeidentitystoreandauthenticationmechanism.ADDS(withoneormoredomaincontrollers)mustresidewithin

thesamenetworkastheSharePointServerfarmandbeaccessibletoSharePointServerfarminstances.


5/36


Page5of36

Threatmanagementandintrusionprotection.ThiscomponentmaybeanadditionalelementforSharePointServerscenariosthatincludeexternalorpublic-facingsites.InaWindows-basedinfrastructure,thiscomponent

wouldtypicallybeprovidedbyproductssuchasMicrosoftForefrontThreatManagementGateway2010 .

CommonSharePointServerDeploymentScenarios

SharePointServercansupportavarietyofcontentandcollaborationgoals.Thispaperdiscussestwoofthemostcommonscenarios:intranethostingofacorporateSharePointServerfarmandhostingofanInternetsitebasedon

SharePointServer.

IntranetSharePointServerFarm

Inthisscenario,acompanywantstorunSharePointServerwithinitsenterprisetosupportinternalusers.Thecompany

maydeployitsentireSharePointServerfarminthecloudandscaleallthecomponentstogetadditionalcapacityor

extenditson-premisedeploymenttothecloudtoincreasecapacity,improveperformance,orscaletheresource-

intensivecomponentsinthecloud,whenneeded.Specificresource-intensiveservicessuchasMicrosoftOfficeExcelor

Wordmaybehostedindividuallytosupportspecializedworkloads.Figure2illustratesthisscenario.

Figure2:TypicalintranetSharePointServerfarmtopology


6/36


Page6of36

InternetWebsiteorServiceBasedonSharePointServer

Inthisscenario,SharePointServerisusedasthebasisforhostingawebsite,publicwebapplication,orSoftwareasa

Service(SaaS)site.Thisscenarioisdifferentfromtheintranetscenariointhatpublic-facingservershavebeenadded.

TheseserversrequireenhancedsecurityandthreatmanagementaswellasADDSdomaincontrollerstosupportuser

authenticationandauthorization.Figure3depictsthisscenario.

Figure3:TypicalSharePointServerfarmtopologyforanInternet-facingpublicwebsite

Keyelementsthatdistinguishthisscenariofromthepreviousintranetscenarioare:

Ademilitarizedzone (DMZ)toprovidefirewallandthreatmanagementatthefront-lineaccesspoints ActiveDirectorydomaincontrollersresidentwithinthefarm(notassociatedwiththeuserenvironment)


7/36


Page7of36

ImplementingSharePointServerArchitectureScenariosinAWS

Theremainderofthiswhitepaperprovidesstep-by-stepmappingforeachSharePointServerfarmscenariodiscussed

earliertoanequivalentsetupinAWS,includingsimilarresources,networkandsecuritysetup,andconfiguration.To

implementtheSharePointServerscenariosinAWS,thefollowingelementsarediscussed:

Networksetupandconfiguration.ThissectioncoversthesetupofthenetworkfortheSharePointServerfarmwithinAWS,includingsubnetstosupportthelogicalservergroupsfordifferenttiersandroleswithinthe

SharePointServerreferencearchitecture.

Serversetupandconfiguration.ThissectioncoverstheservicesandartifactsinvolvedinthesetupofthevariousserversforeachtierandroleintheSharePointServerfarm. Italsoincludessettingupandconfiguring

SQLServerandsupportinghighavailability.

Security.ThissectiondiscussessecuritymechanismsinAWS,includinghowtoconfigureinstanceandnetworksecuritytoenableauthorized accesstotheoverallSharePointServerfarmaswellasbetweentiersandinstances

withinthefarm.Italsocoversareassuchasdataprivacy(encryption)andthreatmanagement(inthecaseofthe

public-facingscenario).

Deploymentandmanagement.Thissectionprovidesdetailsonpackaging,deployment,monitoring,andmanagementoftheSharePointServerfarmcomponents.

NetworkSetupLetsstartwiththenetworksetuptoprovidetheenvironmentinwhichyouinstantiateandconfigureyourserversand

database.

TheMicrosoftreferencearchitectureisorganizedaroundamulti-tiered(web,application,anddatabase)approach,

allowingyoutoindependentlyscaleandconfigureeachtier.Yourfirsttaskistodefineanetworkenvironmentthat

supportsthistypeoftieredstructureandenablesyoutodeploythevariousserverrolesineachtierwithsuitablesecurityconfiguration.

AmazonVirtualPrivateCloud

AkeycomponentofAWSnetworkingistheAmazonVirtualPrivateCloud(AmazonVPC).AmazonVPCprovidesthe

abilitytoreserveanisolatedportionoftheAWScloudinwhichtodeployandmanageaSharePointServerfarm.

AmazonVPCsupportsthecreationofpublicandprivatesubnetswithinthevirtualnetwork,allowingyoutohostthe

differenttiersandroleswithintheSharePointServerarchitecture.

AmazonVPCalsosupportstheabilitytoestablishahardwarevirtualprivatenetwork(VPN)connectionbetweenaVPC

andanexternallocation,suchasacorporatedatacenter.CustomersuseahardwareorsoftwareVPNappliance(the

customergateway)andconnectthatgatewaytotheVPC(thevirtualprivategateway)toprovideseamlessintegration

betweenon-premisecomputeinfrastructureandresourceswithintheVPC.LeveragingthisVPNVPCconnectivity

extendsthecorporatenetworkdatacentertothecloud.Corporateuserscaninteractwithcloudinstancesand

applicationsinarelativelytransparentway,effectivelysupportingthenotionofanextendedenterpriseinthecloud.

TomapyourSharePointServerreferencearchitecturesandscenariostoAWS,youmustfirststructureyourVPCand

subnetstomirrorthesameorganizationaltiers,servergroups,andaccessrequirementsdefinedthere.VPCsubnetsthat

needtobeaccessiblefromtheInternetthroughtheVPCInternetgatewayneedtobepublic;otherwise,youcan


8/36


Page8of36

designatethemasprivate,andtheywillnotbeaccessiblefromoutsidetheVPC.InthecaseofaVPN-connectedVPC,

connectionsthroughtheVPNoccurthroughthevirtualprivate gateway;therefore,instancescanbeinprivatesubnets

butstillreachable(aslongasthesecurityconfigurationallowsit).Thus,VPN-onlyscenariosdonotrequirepublic

subnets(e.g.,forwebserverfrontends).However,thepublic-facingSharePointServerscenariodoesneedtobe

accessiblefromoutsideofAWS,soeachfront-endinstancemustbeinapublicsubnettobereachedviatheInternet

gateway.

FaulttoleranceandscalabilityforourSharePointServerfarmscenariosiscriticaltoensuretheycanprovidesufficient

performancethroughchangesinload,andberesilienttoanyunforeseenissueswithinthefarminfrastructure.The

ElasticLoadBalancing(ELB)webservicecanbeusedtobeusedtodistributeinternet-basedrequeststointernalweb

servers,andsothisisasuitablechoiceforourinternetwebsitescenario.However,sinceELBatthispointonlyhandles

trafficcomingfromoutsidetheVPC,wecantusethatforourintranetscenario(inwhichuserrequestscomeinviathe

privateVPNconnection).Fortheintranetscenario,weneedtoutilizea3rd

partysoftwareloadbalancer(suchasthe

RiverbedStingrayTrafficManager orHAProxy)toachievesimilarfunctionality.

YoualsowanttodistributemultipleinstancestoeachAvailabilityZonetoprovideredundancyandfailoverinthecaseof

anAvailabilityZonefailure.VPCsubnetsdonotspanAvailabilityZones,soyoumustsetupaseparatebutsimilarsubnet

structurewithineachzone.Likewise,setuploadbalancingtodistributerequeststoserversinmultipleAvailabilityZones.Therefore,youshouldsetuploadbalancersineachAvailabilityZoneusedtoprovidehighavailabilitythere,as

well.

NOTE:TheIPaddressrangesfortheVPCandsubnetsaredefinedusingasingle ClasslessInter-domainRouting (CIDR)IP

addressblock,suchas10.0.0.0/16,providinganinternalIPaddressspaceof65,536uniqueIPaddresses.Subnetscan

thenbecreatedwiththeirownuniqueCIDRblockrangeswithintheoverallVPCaddressrange.

VPCSetupfortheIntranetScenario

LetslookatthespecificstepsforsettingupaVPCinstancefortheintranetscenario.

TheAWSManagementConsoleprovidesawizard-basedapproachtosettingupAmazonVPCenvironmentsforafewtypicalAmazonVPCconfigurations.ForyourSharePointServerintranetscenario,thegoalistosetuptheAWS

environmenttoenablecorporateuserstouseSharePointServerviaVPNaccess;butyoudonotneedtoallowaccess

fromthepublicInternet.TheVPCCreationWizardoption VPCwithaPrivateSubnetOnlyandHardwareVPNAccess

initiatesthesetupyouarelookingfor.

NOTE:ServerswithinthefarmmayneedtoexitofAWSforthingslikesoftwareupdates.Suchactionscanbe

accomplishedeitherbyaddinganetworkaddresstranslation(NAT)instanceintheVPCandconfiguringittobepublicor

byhavingtheserverstraversetheVPNtunneltousethecorporatedatacenterInternetaccess.AmazonVPCincludesa

defaultroutetablethatguidescommunicationstoandfrominstances,andtheVPCCreationWizardenablesthe route

tablestoallowinstancestocommunicatewitheachother(usingtheinternalVPCIPaddresses)andexternallyoutofthe

VPC(forallotherIPaddresses)throughtheNATinstance.

BasedonthespecificsofyourSharePointServerintranetscenario,youmustaddseveralcomponentsintotheresultsof

thebasicScenario4setupthattheVPCCreationWizardprovides:

OneVPCcreatedwithinaspecificAWSregionthathascomponentsspanningmultipleAvailabilityZones. YourSharePointServerinfrastructurewillbedeployedacrossmultipleAvailabilityZonestoprovidehighavailability.


9/36


Page9of36

PrivatesubnetsineachAvailabilityZonetoholdyourloadbalancers. AVPCcanhavemultiplesubnetsinwhicheachsubnetresidesinaseparateAvailabilityZone.EachsubnetmustresideentirelywithinoneAvailability

Zone.

SoftwareLoadBalancersineachAvailabilityZone.ThissetupestablishesprimaryandsecondaryloadbalancerswithineachoftheAvailabilityZones,wheretheprimarydistributestraffictoanyofthehealthyinstancesin

eitheroftheAvailabilityZones.Intheeventofafailureoftheprimaryloadbalancer(ortheAvailabilityZone

overall),thesecondaryloadbalancertakesoverandcontinuestodistributetraffictoremaininghealthy

instances.

PrivatesubnetsineachAvailabilityZonetoholdweb,application,anddatabaseserversaswellasADDSdomaincontrollers.Thesesubnetsarenotdirectlyaccessedbyusers(everythinggoesthroughtheload

balancers)andhencedonotneedtobeaccessibleoutsideoftheVPC.

Onevirtualprivategatewayandonecustomergateway.TheseprovideVPNconnectivitybetweenthecorporatedatacenterandtheVPC.

Puttingtogethereverythingdiscussedthusfar,Figure4showsthenetworkconfigurationdefinedfortheintranet scenario.

Figure4:Networkconfigurationfortheintranetscenario


10/36


Page10of36

VPCSetupforthePublicWebsiteScenario

Forthepublicwebsite scenario,therearedifferentrequirementsandsetupconfigurations.

ThepublicwebsitescenariomostresemblestheVPCCreationWizardscenarioVPCwithPublicandPrivateSubnets.

Thedifferencesbetweenthepublicwebsitescenarioandtheintranetscenarioare:

Inthepublicwebsitescenario,youdonothaveacorporatedatacenter,sothereisnoneedtosetupaVPNconnection.

Withapublicwebsite,thereisnoneedforavirtualprivategateway(becauseyouarenotconnectingtoaVPN). Inthisscenario,AWSElasticLoadBalancersareemployed Inapublic-facingwebsite,theloadbalancersneedtobeinpublicsubnetssothatuserscanaccessthemover

theInternet.

Youstillwanttoputtheweb,application,anddatabasetiersinprivatesubnets;usersonlyneedtogetattheloadbalancers.

Thepublicwebsitescenariorequiresadditionalcomponentsatthefrontendforfirewallandthreatmanagement(moreonthistopiclater).

ThepublicwebsitescenarioaddsNATinstancesineachAvailabilityZonetofacilitateserversinprivatesubnetscommunicatingouttotheInternet(togetoperatingsystemsoftwareupdates,forexample).

Giventhesedifferences,Figure5showsthenetworksetupforthepublicwebsitescenario.


11/36


Page11of36

Figure5:NetworkconfigurationfortheInternet-facingpublicwebsitescenario

ADDSSetupandDNSConfiguration

SharePointServerrequiresADDSforuserauthentication.However,youalsowanttoleverageADDStoprovideDomainNameSystem(DNS)functionalitywithintheVPCamongthevariousserverinstances.

ForyourSharePointServerfarmtooperate,youneedconnectivitytooneormoredomaincontrollerstofacilitateuser

authenticationandDNSresolutionacrossserverswithinthefarm.Intheintranetscenario,youwanttheSharePoint

Serverinstancestoauthenticatetouserscorporatecredentials(effectivelyanextensionoftheircorporatenetwork).

Therearetwodifferentwaystosupportthisbehavior:

SharePointServerinstancescouldtraversetheVPNVPCconnectionbacktothecorporatedatacenterandauthenticatetoon-premisedomaincontrollers.

DomaincontrollerscouldbehostedinAWSandreplicatedfromon-premisedomaincontrollersviatheVPNVPCconnection.Thisactionallowstheserverstoauthenticatetolocal(withinAWS)domaincontrollersbutstill

authenticatetocorporateuseridentitiesandcredentials.

Amazonrecommendsthesecondoptionforbetterperformanceandreliability.Thedomaincontrollerscanbereplicated

acrossAvailabilityZones(aswithyourotherresources)toprovidehighavailability.Microsoftprovidesguidanceon

ActiveDirectoryReplicationOverFirewalls .


12/36


Page12of36

NOTE:ItisalsopossibletosupportthisscenarioforcorporateenvironmentsthatdonotuseADADbutratheranother

LightweightDirectoryAccessProtocol(LDAP)baseddirectoryservice.Youcanuse ActiveDirectoryFederationServices

(ADFS)withSharePointServerandother(non-ADDS)authenticationproviderstofacilitatefederatedauthentication.

AWSprovidesadetailedwhitepaperonhowtosetupandconfigureADFSinAWStosupportfederatedauthentication.

Figure6depictstheadditionstothehostinginfrastructureandADDSreplicationdetails.

Figure6:AdditionstothehostinginfrastructureandADDSreplicationdetailsfortheintranetscenario

Inyourpublic-facingscenario,theSharePointServerfarmisnotconnectedtoacorporateinfrastructureviaVPN.

Instead,itrequiresADDStobeinstantiatedwithintheAWSenvironmenttofacilitateuserregistrationand

authenticationfortheSharePointServerinstancesrunningthere.Asintheintranetscenario,Amazonsuggestshosting

domaincontrollersinmultipleAvailabilityZonestoprovideredundancyandhighavailability,asillustratedinFigure7.


13/36


Page13of36

Figure7:HostingdomaincontrollersinmultipleAvailabilityZonestoprovideredundancyandhighavailability

ADDSistypicallyruninon-premise,staticenvironments,andtherearecertaintypicalconfigurationdetailsand

assumptionsthataredifferentwhenADDSrunsinAWS.ForADDSdomaincontrollerstobeusedforDNSinAWSand

acrossAvailabilityZones,eachneedstobeinasecuritygroupthatopensUserDatagramProtocol(UDP)ports065,535.(Securitygroupsarediscussedindetailinalatersection.)

ServerSetupandConfiguration

Nowthatyournetworkissetupinthestructureyouneed,letstacklethetaskofsettingupandinstantiatingthevarious

serverinstanceswithintheVPCtosupportyourSharePointServerreferencearchitectures.

AttheheartofAWSisthe AmazonElasticComputeCloud(AmazonEC2)webservice,acloudcomputinginfrastructure

thatsupportsavarietyofoperatingsystemsandmachineconfigurations(e.g.,CPU,RAM).AWSprovidespreconfigured

virtualmachine(VM)images(AmazonMachineImages,orAMIs)withguestoperatingsystems(Linux,Windows,etc.)

andmayhaveadditionalsoftware(e.g.,SQLServer)usedasthebasisforvirtualizedinstancesrunninginAWS.Youcan

usetheseAMIsasstartingpointstoinstantiateandinstallorconfigureadditionalsoftware,data,andmoretocreateapplication-orworkload-specificAMIs.

ToimplementthevarioustiersandrolesintheSharePointServerreferencearchitecture,startoutwithAMIsthatare

basedonWindowsServer2008R2,andlookatthesoftwarerunningeachonetodeterminewhichAMIsareapplicable

toweb,application,ordatabasetierservers.Atthistime,severalAMIssupportsomeversionofWindowsServer.Some

AMIsincludecomponentslikeMicrosoftInternetInformationServices(IIS)forthewebtierroles;othersinclude

SQLServerStandard(forthedatabasetier).


14/36


Page14of36

SharePointServerisnotpreinstalledinanyoftheWindows-basedAMIsbecauseoflicensingmodelrestrictions.Theonly

supportedapproachtolicensingSharePointServeronAWSisthroughMicrosofts LicenseMobilitythroughSoftware

Assuranceprogram.CustomerscoveredbyactiveMicrosoftSoftwareAssurancecontractsmaymovecurrenton-premise

WindowsServerapplicationworkloads(suchasSharePointServer)toAWSwithoutadditionalMicrosoftsoftwarelicense

fees.

AWSprovidesacomprehensivecollectionofinformation,tools,andresourcesforrunningWindows-basedapplications

andworkloadsonAWS.Also,thereisdetailedinformationabouthowWindowsissupportedandusedonAmazonEC2.

Finally,youcanfinddetailsonthespecificAMIsthatincludeWindows,SQLServer,etc.,withinthe AmazonEC2AMI

catalog.

MappingSharePointServerRolesandServerstoAmazonEC2AMIsandInstanceTypes

AkeyaspectofimplementingyourAWSsolutionischoosingtheappropriateAMIandinstancetypeforeachrolewithin

thefarm.EachroleintheSharePointServerreferencearchitecturehasdistinctrequirementsforsoftwareand

infrastructureresources,suchasCPU,RAM,anddiskstorage.MicrosoftandAWShavepartneredtopublishanumberof

Windows-basedAMIsthatincludeadditionalsoftwarecomponentsforsupportingtypicalroles(e.g.IISforwebserver,

SQLServerfordatabaseserver,Windowscorefordomaincontroller)thatrunonavarietyofAmazonEC2instancetypes.

Intermsofmachinecapacityandsizing,Microsoftprovidesdetailedguidanceforvariouscomponentswithina

SharePointServerfarm,sothattopicisnotbecoveredinthispaper.However,thebasicdetailsof typicalsystem

requirementminimumsforvariouscomponentswithinaSharePointServerfarmaresummarizedinthetablesthat

follow.

Table1presentstheminimumsystemrequirementsMicrosoftrecommendsforthedifferenttiersandroleswithina

SharePointServerfarm.

Table1:MinimumsystemrequirementsforSharePointServerrolesandtiers

Tier/role Scenario Processor RAM HarddiskWeb/ApplicationTier All 64-bit,4core 8GB 80GB

Databaseserver Smalldeployment 64-bit,4core 8GB 80GB

Databaseserver Mediumdeployment 64-bit,8core 16GB 80GB

Domaincontroller All 64-bit,4core 8GB 80GB

Table2showshowtomaptheserequirementstoAmazonEC2AMIsandWindowsinstancetypes.


15/36


Page15of36

Table2:MappingminimumsystemrequirementstoAMIsandWindowsinstancetypes

Tier ApplicableAmazonEC2instancetypeandrange AMItouse

Webfrontend ExtraLarge(m1.xl) WindowsServer2008R2+IIS

Applicationserver ExtraLarge:HighMemoryQuadExtraLarge

(m2.xlm2.4xl)

WindowsServer2008R2

Databaseserver HighMemoryQuadrupleExtraLarge(m2.4xl) OptimizedSQLServer2008R2AMIsfromMicrosoft

Domaincontroller ExtraLarge(m1.xl) WindowsServer(intheroleofadomain

controller)

TheAMIslistedinTable2includethedefaultconfigurationfor AmazonEBSvolumes(formattedasWindowsfile

systems)forbootdriveandassociateddatastorageapplicabletotherole.TheSQLServer2008R2AMIsindicatedhave

beenconfiguredwithmultipleEBSvolumestosupportdistinctSQLServerstoragecomponents(data,logs,tempfiles),

optimizingforstoragerequirementsandI/Opatternsofeachcomponent.AmazonEC2alsosupportstheabilityto

customizeaninstance,allowingyoutoattachadditionalAmazonEBSvolumesorresizeanexistingAmazonEBSvolume

bytakingasnapshot,andthencreatinganew,largervolumefromthesnapshot.Youcanthenusethiscustomized

instanceasthebasisforanew,customizedAMI.

SharePointServerConfiguration

Asmentionedearlier,SharePointServerisnotpre-installedinanypublicallyavailableAMI,soyoumustobtainsufficient

licensingfordeployingSharePointServerinAWS(throughMicrosoftLicenseMobility)andtheninstallSharePointServer

intoyourinstances.Typically,youwillcreateyourownprivateSharePointServerAMI,bycreatingaWindowsServer-

basedinstance,installingandconfiguringSharePointServer,andthenturningthatinstanceintoanAMIasdescribed

here.ThisprivateAMIwillbethebasisofthevariousSharePointServerinstancesinyourfarm.

SQLServerConfiguration

TheversionsofSQLServerthatareincludedandlicensedforusewiththeWindowsServerAMIsareSQLServerExpress

andSQLServerStandard.SQLServerEnterprise canbeinstalledinWindowsAMIsandusedinAWSaswellbutmustbe

licensedforuseinthesamewayasSharePointServer,throughprovisionsinthe MicrosoftLicenseMobilitythrough

SoftwareAssuranceprogram.

Asinon-premisedeployments,thedatatierforSharePointServerinAWSneedstobearchitectedandconfiguredto

supportsufficientperformance,highavailability,andreliabilitytoprovideagooduserexperienceandquicklyrespondto

adatabasefailurewithminimaltransactionloss.ForSQLServerinstances,AmazonrecommendstheHighMemory

QuadrupleExtraLargeAmazonEC2instancetype.Thistypeprovideshigher-performancenetworkI/O(high).Thishigher

performance,combinedwiththeothermetricssuchasCPU,yieldsagoodperformanceprofileforSQLServerrunningon

AWS.

RecommendedAmazonEBSDiskConfigurationforSQLServer

AmazonEBSvolumescanbeconfiguredinavarietyofways(redundantarrayofindependentdisks[RAID]striping,

differentvolumesizes,etc.)toyielddifferentperformancecharacteristics.TheoptimizedSQLServerStandardAMI

mentionedearlierispublishedjointlybetweenMicrosoftandAWSandisconfiguredwithseparateAmazonEBS

volumes,eachstoringkeySQLServerdatacomponentsas recommendedbyMicrosoftforoptimalperformance.


16/36


Page16of36

Forhigh-I/Oscenarios,itispossibletocreateandattachadditionalAmazonEBSvolumesandtostripeusingsoftware

RAIDtoincreasethetotalnumberofI/Ooperationspersecond(IOPS).EachAmazonEBSvolumeisprotectedfrom

physicaldrivefailurethroughdrivemirroring,sousingaRAIDlevelhigherthanRAID-0isunnecessary.

ForSharePointServerinstances,itiscommontouseRemoteBLOBStorage(RBS)inconjunctionwithSQLServerfor

storageoffile-basedcontent.Thisfile-basedcontentwillresideinSQLServerinstances,andtheexistingAmazonEBS

configurationshouldbesufficientformostuses.However,itmaybedesirableornecessarytoextendthesizeoradd

moreAmazonEBSdisks(orotherassociatedstorage)forsupportinglargeRBSstores.Forfurtherdetailsregarding

AmazonEBSsetup,configurations,andtuningoptions,seethe AmazonElasticComputeCloudUserGuide.

HighAvailabilityforSQLServer

YoucanachievehighavailabilityforSQLServerinAWSbyimplementingSQLServermirroringacrossmultipleAvailability

Zones.Inthisconfiguration,SQLServerinstancesarelaunchedintwodifferentAvailabilityZones(withinaRegion),with

asmallerwitnessSQLServerinstancetomonitorandfacilitatethefailover,ifneeded.Figure8illustratesthis

configuration.


17/36


Page17of36

Figure8:SQLServermirroringacrossmultipleAvailabilityZones

AWSrecentlypublishedRDBMSintheCloud:MicrosoftSQLServer2008R2, acomprehensiveresourcethatprovidesa

detaileddiscussionofconsiderations,approaches,andoptionsforoptimizingtheuseofSQLServerinAWS.Withthe

additionofyourAmazonEC2instancesandSQLServermirroring,yourintranetscenariolookslikeFigure9.


18/36


Page18of36

Figure9:IntranetscenariowiththeadditionofAmazonEC2instancesandSQLServermirroring

WiththeadditionofyourAmazonEC2instancesandSQLServermirroring,yourpublicsitescenariolookslikeFigure10.


19/36


Page19of36

Figure10:PublicsitescenariowiththeadditionofAmazonEC2instancesandSQLServermirroring

Security

SecuritysetupiscriticalintheimplementationofyourSharePointServerfarmtoenablepropernetworkaccess(inand

outoftheVPC,specificsubnets,andtheinstancesrunningeachsubnet)tofacilitateuserauthenticationand

appropriateauthorization,dataprivacy,andthreatmanagement(inthecaseofpublic-facingsites).Theseandotherkeyelementshavetobesetupcorrectlytoprovidethenecessarysecuritymeasuresandenableuserstoaccesstheir

SharePointServercontentandapplicationswiththecorrectidentityandauthorization.

AcornerstoneofyourscenariosistheuseofAmazonVPCforprovidingtheoverallisolationofthefarmandsegmenting

partsofthefarm(i.e.,theservergroups)tosupportthedesiredmanagementandcontrol.WithinAmazonVPCand

subnetisolation,therearesecuritydetailsthatyoumustsetuptoenableproperaccess(andrestrictions).Thetwomain

approachesatyourdisposalare:

Securitygroups. Asecuritygroupactsasafirewallthatcontrolsthetrafficallowedinandoutofagroupofinstances.WhenyoulaunchaninstanceinaVPC,youcanassigntheinstancetouptofiveVPCsecuritygroups.

Securitygroupsactattheinstancelevel,notthesubnetlevel .

o Ingeneral,itisagoodideatodefinedistinctsecuritygroupsforeachtier.Doingsoallowsyoutodefinethesettingsforeachtier(andvarythemindependently)aswellasrestrictaccesstothecallingtier

(e.g.,allowingthedatabasetiertobecalledonlyfromtheapplicationtier).

Networkaccesscontrollists(ACLs).AnetworkACLisanoptionallayerofsecuritythatactsasafirewallforcontrollingtrafficinandoutofasubnet.YoumightsetupACLswithrulessimilartoyoursecuritygroupstoadd

alayerofsecuritytoyourVPC. NetworkACLsactatthesubnetlevel,nottheinstancelevel.


20/36


Page20of36

SecurityGroups

Herearethetwoapproachesdiscussedingreaterdetail:

ElasticLoadBalancing:o ElasticLoadBalancingisthepointofcontactforusers,sotheElasticLoadBalancingsecuritygroup

shouldbeconfiguredtosupportinboundclientconnectiontypesofHTTPorHTTPS(port80and

port443,respectively).YoucanconfiguretheElasticLoadBalancinginanycombination,butAmazon

recommendsusingHTTPSforbothinboundclientconnectiontypes.Youshouldcreateanoutbound

securityrulethatliststhewebtiersecuritygroupasthetarget,restrictingtheloadbalancertosending

requestsouttothewebtierinstancesonly.

Webtier:o Inthescenario,thewebtierinstancesarenotdirectlyexposedbutreceiverequestsviatheelasticload

balancer.Youcan(andshould)configurethewebinstancestoacceptrequestsonlyfromtheload

balancer.Fortunately,theloadbalancerincludesaspecialsourcesecuritygroup.Createasecurityruleforyourwebtierthatrestrictsinboundaccesstothisspecialsecuritygroup,ensuringthatonlytheload

balancersareallowedtosendtoandreceivefromthewebfront-endinstances.Youcanalsosetupan

outboundruletolimitoutgoingrequeststotheapplicationtierinstances.

Applicationtier:o Asinthewebtiercase,yourapplicationtiersecuritygroupshouldbeconfiguredwithaninboundrule

listingthewebtiersecuritygroupasanallowedsenderandanoutboundrulelistingthedatabase

securitygroupforoutgoingmessages.

Databasetier:o Asintheothercases,youshouldrequireSecureSocketsLayer(SSL)forconnectionstoandfrom

SQLServer.DoingsorequirestheuseofasecuritygroupwitharulethatallowsSSL(port443)tobe

usedonlyforthedatabaseinstances.

o Youalsowanttorestrictinboundaccesstotheapplicationtierinstances,socreateasecurityrulethatrestrictsinboundaccesstotheapplicationtiersecuritygroup.

TheAppendixincludesachartdetailingthevariousrecommendedsecuritygroupsandsettingsforyourSharePoint

Serverfarmscenarios.

NetworkACLs

NetworkACLsmirrortherulesspecifiedinsecuritygroupsandaddanextralayerofsecuritytoallowgeneralaccess

rulestobehonoredregardlessofwhichinstancesaresendingorreceiving.BecausenetworkACLsactatthenetwork

level(nottheinstancelevel),youcansetupadditionalrulestohandlecertainnetworks,IPaddresses,andaddress

rangesinaspecificway.Forinstance,youcansetupanetworkACLthatdefinesaruletodenyingresstoarangeof

sourceIPaddresses(blacklistedIPaddresses).FordetailedguidanceonsettingupAmazonVPCnetworkACLs,seethe

AmazonVirtualPrivateCloudUserGuide .


21/36


Page21of36

WindowsInstanceSecurity

YoucanconfigureWindowsinstanceswithintheVPCthroughGroupPolicyobjects(GPOs)torequireIPSecurity(IPsec)

connections,furtherensuringsecureconnectivitytotheinstances.

AdministratorAccess

Inyourarchitecture,themiddletieranddatabasetierinstancesareplacedinprivatesubnets,restrictingaccessfrom

outsidetheVPC.Thisplacementreducesexposureandenhancessecurity.However,itisstillnecessarytoprovideaccess

tothoseinstancesforadministrativepurposes,suchasconfigurationupdatesandtroubleshooting.

Tohelpmanagetheinstancesintheprivatesubnet,anindirect(andsecure)methodisto setuponeormorebastion

serversinapublicsubnettoactasproxies ,andthensetupSSHportforwardersorRemoteDesktopProtocol(RDP)

gatewaystoproxyaccesstotheapplicationordatabasetierinstances.Afterbastionserversaresetup,administrators

canuseRDPtogainaccesstothebastionhost;theycanthenaccessotherinstancesusingSSHattheirVPCprivateIP

addresses.Figure11illustratesthisarrangement.

Figure11:UsingRDPtogainaccesstothebastionhost

DataPrivacy

BecausesensitivecontentanddatacanbestoredwithintheSharePointServerfarm,someorganizationsmayrequire

thatthecontentbeencrypted.TosuccessfullysupportencryptionofdatawithintheAWSenvironment,afewkey

requirementsmustbeconsideredandsupported:


22/36


Page22of36

Encryptiontechnology. TheAmazonEBSvolumescontainthedataatrest,intheformofSQLServerdatabasedataandfiles.AmazonEBSvolumeencryptionisnotsupportedinAWS;however,thereareoptionsfor

encryptionthatcanbeconsidered:

o EncryptingFileSystem(EFS). WindowsincludesEFS,whichsupportstheabilitytoencryptindividualfilesorfolders.

o BitLockerDriveEncryption.WindowsServer2008R2supportsBitLocker,whichprovidestheabilitytoencryptadiskfilesystemattachedtotheserverinstance.

o SQLServerTransparentDataEncryption(TDE).SQLServerEnterpriseprovidesnativeencryptionsupportthroughTDE.

o Third-partyAmazonEBSvolumeencryption.Third-partycommercialoptionsareavailableforencryptionofAmazonEBSvolumes.

Encryptionkeymanagement.Implementingencryptionrequiressecuremanagementandauthorizeduseoftheencryptionkeys.InthecaseofAmazonEC2,instancescanbestoppedandstartedaswellasrecoveredfromAmazonEBSsnapshots.Inallthesecases,theAmazonEBSvolumeswillbeencrypted,andtheAmazonEC2

subsystemmustaccessandusetheencryptionkeytobeabletoattachanduseitonsubsequentrestarts.

TheAWSSolutionProvidersitelistsseveralthird-partysoftwarevendorsthatprovidesecurityinfrastructurethat

supportsAmazonEBSencryptionandkeymanagement.

DeploymentTosetupyourSharePointServerfarminAWS,youmustestablishandconfigureseveralcomplexandinterrelateddetails

toenableproperfunctionsandthecorrectsecuritysettings.Furthermore,youwillinevitablyneedtochangethe

configurationovertimetoperformsuchactionsasaddinginstancesforscaleoutorupdatinginstanceconfigurations.

AWSprovidesanumberoftoolsandapproachesforfacilitatingdeploymentinAWS:

AWSManagementConsole.TheAWSManagementConsoleisaninteractivetoolthatisgoodforstartingoutorsmallerdeployments.However,formorecomplexscenariosorautomateddeploymentsequences,considerone

oftheotheroptionsdescribedbelow.

AWSapplicationprogramminginterface(API)tools.AWSprovidesseveralcommand-lineinterface(CLI)commandsandprogrammaticwebserviceAPIsthataretypicallybuiltintoscripts;thesecommandsallowaset

ofactionstooccurinacoordinatedway.

AWSsamplecodeandlibraries.AWSprovidesaSampleCode&LibrariesCatalogtosupportapplication-basedsetupandconfiguration.Severalprogramminglanguagesaresupportedthroughsoftwaredevelopmentkits(SDKs)thatAWSprovides.

AWSCloudFormation.AWSprovidesaneasywaytocreateandmanageacollectionofrelatedAWSresources,provisioningandupdatingtheminanorderlyandpredictablefashion.WithAWSCloudFormation,youdonot

needtofigureouttheorderinwhichAWSservicesneedtobeprovisionedorthesubtletiesofhowtomake

thosedependencieswork:


23/36


Page23of36

o YoucanuseatoolcalledAWSCloudFormertoreverse-engineeranexistingsetofresourcesorsettingsrunninginanAWSaccountintoanAWSCloudFormationtemplate.So,atypicalapproachforacomplex

setupistomanuallydeployorconfigurecomponentsoftheSharePointServerfarm,andthenusethis

tooltogenerateanappropriateAWSCloudFormationscript.

NOTE:AWSCloudFormationdoesnotsupportthecreationofVPCsatthistime;however,itdoes

supportthecreationoftheresourceswithinaVPC(e.g.,AmazonEC2instances,securitygroups).

Windowsand.NETDeveloperCenter.TheseWindowsandMicrosoft.NETtoolsincludetheAWSSDKfor.NETandtheAWSToolkitforVisualStudio.

AkeyapproachtoautomatingdeploymentofcomponentswithinanAWSsolutionistocreatecustomAMIsfordistinct

rolesthathaveadditionalsoftwaredependenciesandconfigurationrequirements.FortheSharePointServerreference

architecture,distinctrolesaredefined(webfrontend,applicationserver,databaseserver,andothers)forwhichyou

cancreatecustomAMIs.CustomAMIsfortheSharePointServerfarmarchitecturecanbebasedonpublicWindows-

basedAMIs(asindicatedearlier)orWindows-basedAMIsthatyoucreateasastartingpoint.

MonitoringandManagementYoumustbeabletomonitoranumberofcoredimensionswithinaSharePointServerfarmtoenablecorrectionsand

updateswhenissuesoccurorperformancesuffers.AmazonCloudWatchisanAWSservicethatmonitorsvarioushealth

metricsassociatedwithAWSresources.Youcanuseittocollect,analyze,andviewsystemandapplicationmetricsso

thatyoucanmakeoperationalandbusinessdecisionsmorequicklyandwithgreaterconfidence.AmazonCloudWatch

setsseveralpredefinedmetrics,suchasCPUUtilizationanddiskI/Operformance,thatAWSmeasuresandthatyoucan

viewandactupon.YoucanalsopublishyourownmetricsdirectlytoAmazonCloudWatchtoallowstatisticalviewingin

theAWSManagementConsoleandtoissue(andreacton)customalarms.

MicrosoftSystemCenterOperationsManager isthetypicaltoolusedtomonitorandmanageaMicrosoft-based

infrastructure.Fortunately,OperationsManagercanbeusedinAWS,too.TheWindows-basedinfrastructureonAWS

includesthestandardOperationsManageragentsforWindowsServer,SharePointServer,andSQLServer.

Intheintranetscenario,OperationsManagerworksasitdoesinanon-premisescase,becauseyourVPNVPC

arrangementeffectivelyextendstheenterprisenetworkintotheAWScloud.Inthepublicsitescenario,Operations

ManagercanbehostedinaninstanceandaccessedoverRDP(throughthebastionhostmethoddescribedearlier)and

providemonitoringandmanagementagainsttheothercomponentsoftheSharePointServerfarm.

BackupandRecoveryBusinesscontinuityisakeyrequirementintheSharePointServerfarmscenariosdiscussedhere.Downtimemeanscore

contentandcollaborationcannotoccuroryourwebsiteisdown.Asdiscussedearlier,youcanimproveavailabilityby

hostingmultipleinstancesindifferenttiersdistributedacrossAWSAvailabilityZones.However,therestillmaybe

situationsinwhichsystemfailures(e.g.,becauseofsoftwareorhardwareissues,disasters)occur,orthereisaneedto

rollbackorrecoversomeorallofthefarmdatatoapreviouspointintime.Thus,youmuststillhaveabackupand

recoverystrategytosupportrecoveryofoneormoredatacomponentsorserversortheentirefarm.

Typically,recoveryrequirementsareexpressedintermsoftwometrics:

Recoverytimeobjective(RTO).RTOisthetimeobjectiveinwhichtorestoreaprocess,service,ordataitemtorequiredfunctionalleveloraccessibility.Forexample,anRTOof4hoursmeansthatafullrecoveryisrequired

tobeupandoperationalwithin4hoursafterafailureinthesystem.


24/36


Page24of36

Recoverpointobjective(RPO).TheRPOisthemaximumacceptableamountofdataloss,expressedintime.Forexample,anRPOof1hourmeansrecovereddatamaybeatmost1houroutofdatefromthemostrecent

changes.

IntermsofsupportingbackupandrecoveryofSharePointServerfarmsonAWS,thereareessentiallytwoapproachesto

consider:

Usethebuilt-inback-upandrecoverymechanismsinSharePointServerandSQLServer,withMicrosofttoolstobackupto(andrecoverfrom)Windowsfile-basedstoragelocations.

UseAWSbackupandrecoverymechanismsthatoperateagainstAWSresourcessuchasAmazonEBSvolumes.SharePointServerandSQLServerprovidetheirownbuilt-incapabilitiesforbackingupcontent,applicationdata,

metadata,andconfigurationsettings.Inaddition,youcanusetoolssuchasMicrosoftSystemCenterDataProtection

Manager(DPM)tobackupconfigurationsettingsandmetadatastoredwithinSQLServer.Microsoftprovidessignificant

guidancearoundSharePointServer backupandrecoverythatcanandshouldbeusedtoprovideback-upandrecovery

capabilities,bothatthefarmlevelandatthegranularserverorservicelevel.Inthiscase,AmazonSimpleStorage

Service(AmazonS3)providesthemostnaturallocationinwhichtostoreandretrievethisdata.AmazonS3doesnotnativelyprovideaWindowsfilesysteminterface,butopensourceandcommercialtoolsareavailablethatdoprovide

theabilitytointeractwithAmazonS3inthismanner.

AmazonEC2providestheabilitytotakepoint-in-timesnapshotsofAmazonEBSvolumesandsavethemtoAmazonS3

fordurablestorageandrecovery.AmazonEBSsnapshotsareincrementalbackups,meaningthatonlytheblocksonthe

devicethathavechangedsincethelastsnapshotwillbesaved.Also,whenyoudeleteasnapshot,onlythedatanot

neededforanyothersnapshotisremoved.So,regardlessofwhichpriorsnapshotshavebeendeleted,allactive

snapshotswillcontainalltheinformationneededtorestorethevolume.Inaddition,thetimetorestorethevolumeis

thesameforallsnapshots,offeringtherestoretimeoffullbackupswiththespacesavingsofincrementalbackups.

Snapshotscanalsobeusedtoinstantiatemultiplenewvolumes,expandthesizeofavolume,ormovevolumesacross

AvailabilityZones.InthecaseofyourSharePointServerfarm,theSQLServerinstanceswithinthedatatierwillholdthepersistentstate,sotakingregularsnapshotsoftheprimarySQLServerdatatierAmazonEBSvolumesprovidesbackupof

thedatabaseitselfandanyassociatedfiles(e.g.,RBSfiles,metadatafiles).

AWSrecentlypublishedAWSDisasterRecovery,awhitepaperthatprovidesextensivedetailsonthevarious

considerationsandoptionsavailablewithinAWStosupportdisasterrecovery.


25/36


Page25of36

PuttingItAllTogether

Withallthekeytopicscovered,letsseehowyourSharePointServerdeploymentscenariosareultimatelysetupinan

AWSenvironment.

IntranetSharePointServerFarmThekeycomponentsoftheintranetSharePointServerfarminanAWSenvironmentscenarioareasfollows:

AmazonVPC,withVPNconnectiontothecorporatedatacenter Privatesubnetsonly,connectedtothecorporatenetworkviaVPN AtleasttwoAvailabilityZonesusedtosurvivethelowprobabilityofanAvailabilityZonefailure Elasticloadbalancersacrosswebfront-endservers

SQLServerinmirroredconfigurationacrossAvailabilityZones

Database(AmazonEBSvolume)snapshotsFigure12illustratesthisscenario.

Figure12:IntranetSharePointServerfarminAWS


26/36


Page26of36

Internet-facingPublicWebsiteonSharePointServerThekeycomponentsfortheinternetwebsitehostedonSharePointServersinanAWSenvironmentscenarioareas

follows:

AmazonVPC,withpublicandprivatesubnets Threatmanagementgatewayserversinthepublicsubnet ElasticLoadBalancingacrossthethreatmanagementgatewayservers Bastionhostinapublicsubnet,hostingasoftwareVPNtoprovideadministrativeaccesstointernalinstances AtleasttwoAvailabilityZonesusedtosurvivethelowprobabilityofanAvailabilityZonefailure Multiplewebfront-endserversbehindthreatmanagementgatewayserverswithineachAvailabilityZoneina

privatesubnet

SQLServerinmirroredconfigurationacrossAvailabilityZoneprivatesubnets ADDSdomaincontrollersinAWSforuserregistrationandauthentication

Figure13illustratesthisscenario.

Figure13:Public-facingInternetwebsiteonSharePointServerinAWS


27/36


Page27of36

AlthoughyoucanuseSharePointServertosupportavarietyofcontentandcollaborationgoals,thesescenariosaretwo

ofthemostcommon.Seethenextsectionforinformationaboutotherscenariosandadditionalresources.


28/36


Page28of36

Conclusion

ThispaperdiscussestwocommondeploymentscenariosforSharePointServerintranetandpublicwebsiteandhow

toruntheminanAWScloudenvironment.ItdiscusseshowyoucanleveragedifferentservicesthatAWSprovides

(networksetup,serversetup,security,anddeployment)andconfigurethemspecificallytorunenterprise-classsoftware

likeSharePointServeratscaleinasecurefashionthatiseasiertomaintain.


29/36


Page29of36

FurtherReading

MicrosoftonAWS:o http://www.awsmicrosite.com

AmazonEC2WindowsGuide:o http://docs.amazonwebservices.com/AWSEC2/latest/WindowsGuide/Welcome.html?r=7870

MicrosoftAMIsforWindowsandSQLServer:o http://aws.amazon.com/windowso http://aws.amazon.com/amis/Microsoft?browse=1o http://aws.amazon.com/amis/6258880392999312 (SQLServer)

AWSWindowsand.NETDeveloperCenter:o http://aws.amazon.com/net

MicrosoftLicenseMobility:o http://aws.amazon.com/windows/mslicensemobility

Whitepapers:o AmazonsCorporateITDeploysSharePoint2010totheAmazonWebServicesCloudat

http://media.amazonwebservices.com/AWS_Amazon_SharePoint_Deployment.pdf

o RelationalDatabaseManagementSystemsintheCloud:MicrosoftSQLServer2008R2athttp://aws.amazon.com/whitepapers/rdbms-in-the-cloud

o ProvidingSSOtoAmazonEC2AppsfromanOn-premisesWindowsDomainathttp://download.microsoft.com/download/6/C/2/6C2DBA25-C4D3-474B-8977-E7D296FBFE71/EC2-

Windows%20SSO%20v1%200--Chappell.pdf


30/36


Page30of36

Appendix

SecurityGroupSettingsforaSharePointServerFarmThefollowingchartprovidesanexampleofthetypicalsecuritygroupsettingsrecommendedfortheSharePointServer

referencearchitecture.

IntranetSharePointServerFarm

Tier/securitygroup Protocol Port

range

Comments

ElasticLoadBalancing

Inbound Source

IPaddressrange

ofthecorporate

network

TCP 80 AllowinboundHTTPaccess

fromcorporateIPsources

IPaddressrange

ofthecorporate

network

TCP 443 AllowinboundHTTPSaccess


Outbound Destination

WebTierSG TCP 80 Allowoutboundaccessto

webtierservers

WebTier

Inbound Source

ElasticLoad

Balancing

SourceSecurity

Group

TCP 80 AllowinboundHTTPfrom

ElasticLoadBalancingonly

ElasticLoad

Balancing

SourceSecurity

Group


fromElasticLoadBalancing

only

IPaddressrange

ofcorporate

administrators

TCP 3389 RDPaccessforcorporate

administrators

ActiveDirSG TCP 49152

65535

ADDS


AppTierSG TCP 065535 Allowonlywebfront-endserverstoaccessthe

applicationtier

AppTierSG UDP 065535 Allowonlywebfront-end

serverstoaccessthe

applicationtier


31/36


Page31of36


range

Comments

0.0.0.0/0 TCP 80 AllowoutboundHTTPaccess

toserversontheInternet

(e.g.,forsoftwareupdates)

0.0.0.0/0 TCP 443 AllowoutboundHTTPSaccesstoserversonthe

Internet(e.g.,forsoftware

updates)

AppTier

Inbound Source

WebTierSG UDP 065535 Allowonlywebfront-end

serverstoaccessthe

applicationtier

IPaddressrange

ofcorporate

administrators


administrators


65535

ADDS


DBTierSG TCP 1433 AllowoutboundSQLServer

accesstodatabasetier

instances




0.0.0.0/0 TCP 443 AllowoutboundHTTPS

accesstoserversontheInternet(e.g.,forsoftware

updates)


65535

ADDS

DBTier Databaseprimary,mirror,

andwitness

Inbound Source

AppTierSG TCP 1433 Allowonlywebfront-end

serverstoaccessthe

applicationtier

DBTierSG Allowdatabasemirrorandwitness

IPaddressrange

ofcorporate

administrators


administrators


65535

ADDS



32/36


Page32of36


range

Comments


65535

ADDS


toserversontheInternet(e.g.,forsoftwareupdates)


accesstoserversonthe


updates)

ActiveDirSG

Inbound Source

ActiveDirSG TCP 165535 AllowADDSdomainstotalk

toeachother

ActiveDirSG UDP 165535 AllowADDSdomainstotalk

toeachother 0.0.0.0/0 TCP 53 DNSforVPCinstance

0.0.0.0/0 UDP 53 DNSforVPCinstances

0.0.0.0/0 TCP 88 Kerberosauthentication

0.0.0.0/0 UDP 88 Kerberosauthentication

0.0.0.0/0 UDP 123 NetworkNewsTransfer

Protocol(NNTP)

0.0.0.0/0 TCP 135139 RemoteProcedureCall

(RPC),NetBIOS

0.0.0.0/0 UDP 135139 RPC,NetBIOS

0.0.0.0/0 TCP 389 LDAPtodirectoryservice

0.0.0.0/0 UDP 389 LDAPtodirectoryservice

0.0.0.0/0 TCP 445 ServerMessageBlock(SMB)

0.0.0.0/0 UDP 500 IPsecInternetSecurity

AssociationandKey

ManagementProtocol

(ISAKMP)

0.0.0.0/0 TCP 636 LDAPSecureSocketsLayer

(SSL)

0.0.0.0/0 UDP 636 LDAPSSL

0.0.0.0/0 TCP 3268

3269

LDAPtoglobalcatalog

server

0.0.0.0/0 UDP 4500 NATtraversal(NAT-T)

0.0.0.0/0 TCP 49152

65535

Dynamicports

IPaddressrange

ofcorporate

administrators


administrators



33/36


Page33of36


range

Comments






updates)

Internet-facingPublicWebsiteonSharePointServer


range

Comments

Elasticloadbalancer

Inbound Source 0.0.0.0/0 TCP 80 AllowinboundHTTPaccess


0.0.0.0/0 TCP 443 AllowinboundHTTPSaccess



WebTierSG TCP 80 Allowoutboundaccessto

webtierservers

BastionSG Securitygroupfor(public)

bastionhost

Inbound Source

IPaddressrangeofcorporate

administrators

TCP 3389 RDPaccessforcorporateadministrators

WebTier

Inbound Source

ElasticLoad

Balancing

sourcesecurity

group

TCP 80 AllowinboundHTTPfrom

ElasticLoadBalancingonly

ElasticLoad

Balancing

sourcesecuritygroup


fromElasticLoadBalancing

only

BastionSG TCP 22 SSHaccessforcorporate

administrators


65535

ADDS



34/36


Page34of36


range

Comments


serverstoaccessthe

applicationtier

AppTierSG UDP 065535 Allowonlywebfront-endserverstoaccessthe

applicationtier







updates)

AppTier

Inbound Source WebTierSG UDP 065535 Allowonlywebfront-end

serverstoaccessthe

applicationtier


administrators


65535

ADDS


DBTierSG TCP 1433 AllowoutboundSQLServer

accesstodatabasetier

instances 0.0.0.0/0 TCP 80 AllowoutboundHTTPaccess






updates)


65535

ADDS

DBTier DBprimary,mirror,and

witness Inbound Source


serverstoaccessthe

applicationtier

DBTierSG Allowdatabasemirror,

witness


35/36


Page35of36


range

Comments


administrators


65535

ADDS



65535

ADDS







updates)

ActiveDirSG Inbound Source

ActiveDirSG TCP 165535 AllowADDSdomainstotalk

toeachother

ActiveDirSG UDP 165535 AllowADDSdomainstotalk

toeachother

0.0.0.0/0 TCP 53 DNSforVPCinstances

0.0.0.0/0 UDP 53 DNSforVPCinstances

0.0.0.0/0 TCP 88 Kerberosauthentication

0.0.0.0/0 UDP 88 Kerberosauthentication

0.0.0.0/0 UDP 123 NNTP

0.0.0.0/0 TCP 135139 RPC,NetBIOS

0.0.0.0/0 UDP 135139 RPC,NetBIOS

0.0.0.0/0 TCP 389 LDAPtodirectoryservice

0.0.0.0/0 UDP 389 LDAPtodirectoryservice

0.0.0.0/0 TCP 445 SMB

0.0.0.0/0 UDP 500 IPsecISAKMP

0.0.0.0/0 TCP 636 LDAPSSL

0.0.0.0/0 UDP 636 LDAPSSL

0.0.0.0/0 TCP 3268

3269

LDAPtoglobalcatalog

server

0.0.0.0/0 UDP 4500 NAT-T 0.0.0.0/0 TCP 49152

65535

Dynamicports

BastionSG TCP 3389 RDPaccessforcorporate

administratorsthrougha

bastionhost



36/36



range

Comments






updates)

FordetailedguidanceonsettingupVPCsecuritygroups,seethe AmazonVirtualPrivateCloudUserGuide.

aws sp white paper pdf pdf

Documents