Uploaded by amazon-web-services, posted 21-Apr-2017

Page 1: ENT308 Best Practices for Microsoft Architectures on AWS

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Zlatan Dzinic – Senior Architect; Lou De La Torre – Solutions Architect

April 19, 2017

Best Practices for Microsoft Architectures on AWS

Page 2: ENT308 Best Practices for Microsoft Architectures on AWS

What to Expect from the Session

• Microsoft architectures on AWS and how to build them
• Active Directory
• SQL Server
• Corp Apps
• Developers
• Systems management

Page 3: ENT308 Best Practices for Microsoft Architectures on AWS

Architecture

Page 4: ENT308 Best Practices for Microsoft Architectures on AWS

Sample Microsoft Architecture

[Diagram: one VPC with two Availability Zones. Each zone has a public subnet (RDGW, VPC NAT gateway) and a private subnet (IIS Web, IIS App, AWS Directory Service, MS SQL); the two MS SQL instances form an Always On Availability Group; Auto Scaling is shown for the IIS tiers; a VPC endpoint connects to Amazon S3; an Internet gateway serves remote users; the corporate office reaches the VPC through a virtual private gateway over VPN and AWS Direct Connect.]

Page 5: ENT308 Best Practices for Microsoft Architectures on AWS

Secure remote administration architecture

[Diagram: one Availability Zone with a public subnet holding the RD Gateway (RDGW) in the Gateway security group and a private subnet holding WEB1 and WEB2 in the Web security group. The Gateway security group accepts TCP port 443 from the admin IP; the Web security group accepts traffic from the Gateway SG. The AWS administrator connects from the corporate data center over TCP 443.]

Requires one connection:
• Connect to the RD Gateway, and the gateway proxies the RDP or PowerShell connection to the backend instance.
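The two security-group rules on this slide (HTTPS into the gateway only from the administrator's address, and management ports on the web tier only from the gateway's security group) can be expressed as the kind of JSON CloudFormation template the deck recommends later. The template below is an added example, not code from the deck or from AWS; the parameter names, the 203.0.113.10/32 placeholder address, and the choice of RDP (3389) and WinRM-over-HTTPS (5986) as the proxied management ports are assumptions.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example, not from the ENT308 deck: RD Gateway and web-tier security groups",
  "Parameters": {
    "VpcId": {
      "Type": "AWS::EC2::VPC::Id",
      "Description": "VPC that holds the public (gateway) and private (web) subnets"
    },
    "AdminCidr": {
      "Type": "String",
      "Default": "203.0.113.10/32",
      "Description": "Placeholder administrator source address (documentation range); replace with the real /32",
      "AllowedPattern": "^(\\d{1,3}\\.){3}\\d{1,3}/\\d{1,2}$",
      "ConstraintDescription": "must be an IPv4 CIDR such as 198.51.100.7/32"
    }
  },
  "Resources": {
    "GatewaySecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "RD Gateway: accept TCP 443 only from the admin IP",
        "VpcId": { "Ref": "VpcId" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 443,
            "ToPort": 443,
            "CidrIp": { "Ref": "AdminCidr" },
            "Description": "HTTPS from the administrator's address only"
          }
        ]
      }
    },
    "WebSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Web tier: management ports reachable only from the Gateway SG",
        "VpcId": { "Ref": "VpcId" }
      }
    },
    "WebRdpFromGateway": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Fn::GetAtt": ["WebSecurityGroup", "GroupId"] },
        "IpProtocol": "tcp",
        "FromPort": 3389,
        "ToPort": 3389,
        "SourceSecurityGroupId": { "Fn::GetAtt": ["GatewaySecurityGroup", "GroupId"] },
        "Description": "RDP proxied by the RD Gateway (assumed port)"
      }
    },
    "WebWinRmFromGateway": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Fn::GetAtt": ["WebSecurityGroup", "GroupId"] },
        "IpProtocol": "tcp",
        "FromPort": 5986,
        "ToPort": 5986,
        "SourceSecurityGroupId": { "Fn::GetAtt": ["GatewaySecurityGroup", "GroupId"] },
        "Description": "PowerShell remoting over HTTPS (WinRM) from the gateway (assumed port)"
      }
    }
  },
  "Outputs": {
    "GatewaySecurityGroupId": { "Value": { "Fn::GetAtt": ["GatewaySecurityGroup", "GroupId"] } },
    "WebSecurityGroupId": { "Value": { "Fn::GetAtt": ["WebSecurityGroup", "GroupId"] } }
  }
}
```

The web tier's rules reference the gateway's security group ID rather than an address, so they keep working when the gateway instance is replaced and get a new private IP. The web group deliberately has no rule for port 443 or 3389 from any CIDR: an attempt to reach WEB1 directly from the administrator's workstation is dropped, which is the property the slide's single-connection design relies on. The AllowedPattern only checks the CIDR's shape, so review the parameter value at deploy time rather than relying on it to reject an over-broad range.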

Page 6: ENT308 Best Practices for Microsoft Architectures on AWS

Alternative solution using Systems Manager

[Diagram: one Availability Zone with a private subnet holding WEB1 and WEB2 in the Web security group, which accepts traffic from SSM. The AWS administrator in the corporate data center works through EC2 Systems Manager, governed by an IAM policy, alongside an S3 bucket, an SNS topic, and a CloudWatch metric.]
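With Systems Manager the instances need no inbound management port at all: the SSM agent on each instance opens outbound HTTPS connections to the service and polls for work, so the "accept traffic from SSM" relationship in the diagram is really an IAM instance role plus outbound reachability. The template below is an added example, not code from the deck or from AWS; it uses the AWS managed policy AmazonSSMManagedInstanceCore (the current successor to the policy in use in 2017), and the bucket for Run Command output, the resource names, and the egress-only security group are assumptions.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example, not from the ENT308 deck: instance role and egress-only security group for Systems Manager",
  "Parameters": {
    "VpcId": {
      "Type": "AWS::EC2::VPC::Id",
      "Description": "VPC that holds the private web subnet"
    }
  },
  "Resources": {
    "CommandOutputBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        }
      }
    },
    "SsmInstanceRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": "ec2.amazonaws.com" },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
        ],
        "Policies": [
          {
            "PolicyName": "WriteRunCommandOutput",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "s3:PutObject",
                  "Resource": { "Fn::Sub": "${CommandOutputBucket.Arn}/*" }
                }
              ]
            }
          }
        ]
      }
    },
    "SsmInstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": { "Roles": [ { "Ref": "SsmInstanceRole" } ] }
    },
    "WebSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Web tier managed through SSM: no inbound management ports, HTTPS egress only",
        "VpcId": { "Ref": "VpcId" },
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 443,
            "ToPort": 443,
            "CidrIp": "0.0.0.0/0",
            "Description": "Agent reaches the SSM, EC2 messages and S3 endpoints outbound over HTTPS"
          }
        ]
      }
    }
  },
  "Outputs": {
    "InstanceProfileName": { "Value": { "Ref": "SsmInstanceProfile" } },
    "WebSecurityGroupId": { "Value": { "Fn::GetAtt": ["WebSecurityGroup", "GroupId"] } }
  }
}
```

Attach the instance profile to WEB1 and WEB2 and place them in this security group. Because SecurityGroupEgress is specified, CloudFormation removes the default allow-all egress rule, so the instances can only talk out on 443; in a private subnet that traffic still needs a path, either the VPC NAT gateway shown on the earlier slides or VPC interface endpoints for ssm, ec2messages and s3. Who may run commands against the fleet is then a question of the administrator's IAM policy (the "IAM policy" box on the slide), and every invocation is recorded by CloudTrail, which is what makes this model easier to audit than an RDP session.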

Page 7: ENT308 Best Practices for Microsoft Architectures on AWS

Shared Service VPC

Best suited for:
• The majority of your infrastructure is (or will be) on AWS
• The required on-premises resources are easy to replicate or proxy (e.g., Active Directory, System Center, central SQL farm)
• You prefer to limit VPN traffic
• Strong security or compliance programs require additional application-level controls and proxy servers between their AWS and on-premises resources (e.g., application-layer firewalls)

Page 8: ENT308 Best Practices for Microsoft Architectures on AWS

Active Directory

Page 9: ENT308 Best Practices for Microsoft Architectures on AWS

Common Approaches

Active Directory
• AWS Directory Service

Federation
• Federation to AWS services
• Federation to Microsoft workloads
• Claims-based access control
• SSO
• AD FS 4.0, PingFederate, Okta

Kerberos

Page 10: ENT308 Best Practices for Microsoft Architectures on AWS

Single domain extended to multiple sites

[Diagram: the corporate network (Munich: DC1; Berlin: DC2) and AWS (Availability Zone A private subnet: DC3; Availability Zone B private subnet: DC4) are all one domain, company.local; Active Directory site link costs of 10 and 50 are shown; the sites connect over VPN and AWS Direct Connect.]

One single identity, data center extension mode (rely on Active Directory sites, read-only or not)

Page 11: ENT308 Best Practices for Microsoft Architectures on AWS

One subdomain per site

[Diagram: the corporate network (Munich: DC1; Berlin: DC2) holds company.local; AWS (Availability Zone A private subnet: DC3; Availability Zone B private subnet: DC4) holds the child domain cloud.company.local; the sites connect over VPN and AWS Direct Connect.]

Isolated subset of the directory, single identity for users (Active Directory domains in a single forest)

Page 12: ENT308 Best Practices for Microsoft Architectures on AWS

One forest per site and trust

[Diagram: the corporate network (Munich: DC1; Berlin: DC2) holds the company.local forest; AWS (Availability Zone A private subnet: DC3; Availability Zone B private subnet: DC4) holds a separate company.cloud forest provided by AWS Directory Service, joined to company.local by a trust; the sites connect over VPN and AWS Direct Connect.]

Separate directories, single identity (Cross-forest/resource forest with trust)

Page 13: ENT308 Best Practices for Microsoft Architectures on AWS

User identity federation with AWS IAM

[Diagram: AD users, enterprise applications, and corporate systems federate into IAM and assume IAM roles that grant access to EC2, Amazon DynamoDB, and S3.]

Page 14: ENT308 Best Practices for Microsoft Architectures on AWS

Active Directory Deployments - Isolated domains

[Diagram: the corporate network (Munich: DC1; Berlin: DC2) holds company.local; AWS (Availability Zone A private subnet: DC3; Availability Zone B private subnet: DC4) holds a separate company.cloud directory from AWS Directory Service; the two are linked by federation/synchronization over VPN and AWS Direct Connect.]

Separate identities with synchronization/federation solutions such as AD FS, Okta, PingFederate

Page 15: ENT308 Best Practices for Microsoft Architectures on AWS

AD FS Scenarios

Fully implemented AD FS
• Core authentication services exposed to the Internet by AD FS proxy

Firewall-published AD FS
• Firewall exposes core authentication services to the Internet by reverse proxy

Non-published AD FS
• Server farm isn't exposed to the Internet by any method.

VPN-published AD FS
• Internet clients connect to and use AD FS services only through a virtual private network (VPN) connection to the on-premises network environment.

Page 16: ENT308 Best Practices for Microsoft Architectures on AWS

Active Directory Federation Services

[Diagram: the isolated-domains layout (corporate network with DC1 in Munich and DC2 in Berlin for company.local; DC3 and DC4 in private subnets in Availability Zones A and B for company.cloud via AWS Directory Service; federation/synchronization over VPN and AWS Direct Connect), with an AD FS server in each Availability Zone's private subnet and a Web Application Proxy in each Availability Zone's public subnet.]

Page 17: ENT308 Best Practices for Microsoft Architectures on AWS

SQL Server

Page 18: ENT308 Best Practices for Microsoft Architectures on AWS

SQL Server on Amazon EC2

Licensing Options
• Purchase an Amazon Machine Image (AMI) that includes Windows and SQL Server
• Purchase a Windows AMI and install SQL Server yourself (BYOL)

Windows or Mixed Authentication
You manage the virtual machine security, storage, network ports, etc.
Full SQL Server sysadmin privileges

Page 19: ENT308 Best Practices for Microsoft Architectures on AWS

SQL Server HA/DR on EC2

• Windows clusters can span Availability Zones or regions*
• Mirroring
• AlwaysOn Availability Groups
• Transaction Log Shipping
• Failover Cluster Instance*

* Some configurations require third-party tools.

Page 20: ENT308 Best Practices for Microsoft Architectures on AWS

Multi-AZ AlwaysOn Availability Group

[Diagram: within one AWS Region, an EC2 primary replica in a private subnet in Availability Zone 1 and an EC2 secondary replica in a private subnet in Availability Zone 2, using synchronous commit with automatic failover.]

Page 21: ENT308 Best Practices for Microsoft Architectures on AWS

Multi-Region AlwaysOn Availability Group

[Diagram: AWS Region A holds the EC2 primary replica in Availability Zone 1 (Primary: 10.0.2.100, WSFC: 10.0.2.101, AG Listener: 10.0.2.102) and an EC2 secondary replica in Availability Zone 2 (Primary: 10.0.3.100, WSFC: 10.0.3.101, AG Listener: 10.0.3.102), using synchronous commit with automatic failover. AWS Region B holds a further EC2 secondary replica in its Availability Zone 1 (Primary: 10.1.2.100, WSFC: 10.1.2.101, AG Listener: 10.1.2.102), using asynchronous commit with manual failover. The regions are linked by a VPN between Elastic IPs.]

Page 22: ENT308 Best Practices for Microsoft Architectures on AWS

Failover Cluster Instance

[Diagram: within one AWS Region, an EC2 primary node in a private subnet in Availability Zone 1 and an EC2 secondary node in a private subnet in Availability Zone 2, each with its own Amazon EBS volumes; data replication between the nodes is provided by SoftNAS or SIOS.]

Page 23: ENT308 Best Practices for Microsoft Architectures on AWS

What is Amazon RDS?

Managed database service
• Automatic patching, backups, mirroring, etc.
• Automatic Host Replacement protects you in the event of a hardware failure.

6 database engines to choose from: Amazon Aurora, Oracle, PostgreSQL, MySQL, MariaDB, and SQL Server
License-included and BYOL options available

Page 24: ENT308 Best Practices for Microsoft Architectures on AWS

SQL Server on Amazon RDS

• Windows or Mixed Authentication
• Optional managed Multi-AZ deployment for high availability
• Transparent Data Encryption for encryption at rest and the use of SSL to secure data in transit
• Native backup and restore for Microsoft SQL Server databases using full backup files (.bak files)
• Most tools or drivers (OLE DB, ODBC, or ADO.NET) that connect to SQL Server can connect to an RDS instance.

Page 25: ENT308 Best Practices for Microsoft Architectures on AWS

Multi-AZ SQL Server on Amazon RDS

[Diagram: within one AWS Region, an Amazon RDS primary in a private subnet in Availability Zone 1 and an Amazon RDS secondary in a private subnet in Availability Zone 2, using synchronous commit with automatic failover, delivered as a managed service.]

Page 26: ENT308 Best Practices for Microsoft Architectures on AWS

SQL Server EC2 vs. RDS: Which should I use?

Comparison points shown for EC2 and RDS:
• License included
• BYOL
• Full control over the instance
• Automated backups
• Self-managed AlwaysOn Availability Groups
• AWS-managed Multi-AZ deployment

Page 27: ENT308 Best Practices for Microsoft Architectures on AWS

What about the rest of SQL Server?

• Integration Services (SSIS)
• Reporting Services (SSRS)
• Analysis Services (SSAS)
• SQL Agent
• Service Broker
• Data Quality Service
• Master Data Service

Page 28: ENT308 Best Practices for Microsoft Architectures on AWS

Corporate Apps: SharePoint Example

Page 29: ENT308 Best Practices for Microsoft Architectures on AWS

Architecture: Multi-AZ SharePoint

• Each AWS Region contains multiple Availability Zones
• Availability Zones contain a data center (or multiple data centers) with low-latency links to other zones in the region
• Achieve high availability by deploying your application across multiple zones
• Easily achieve transparent data center redundancy

AWS Multi-AZ Design Pattern

[Diagram: Availability Zone #1 and Availability Zone #2, each with a Web Server and a DB Server, form a single application boundary spanning AZs; the DB servers use synchronous replication with automatic failover over the low-latency link.]

Page 30: ENT308 Best Practices for Microsoft Architectures on AWS

Architecture: SharePoint 2016

HA SharePoint 2016 MinRole Farm
• Supports no-downtime patching
• Add Office Online Server and Workflow Manager

[Diagram: MinRole SharePoint farm spanning Availability Zone #1 and Availability Zone #2, fronted by an AWS ELB. Each zone has a public tier subnet (Windows Server RD Gateway, VPC NAT Gateway), a web tier subnet (SharePoint Front-end, SharePoint Distributed Cache), an app tier subnet (SharePoint Application, SharePoint Search, Office Online Server, Workflow Manager), a data tier subnet (SQL Server in a synchronous Always On Availability Group), and a directory tier subnet (Domain Controller).]

Page 31: ENT308 Best Practices for Microsoft Architectures on AWS

Architecture: All Farms Welcome

From single server farms… to multiple farm / multiple region DR architectures

AWS supports all SharePoint setups

[Diagram: Multi-Region HA + DR, with AZ 1 and AZ 2 in Region 1 and AZ 1 in Region 2.]

Page 32: ENT308 Best Practices for Microsoft Architectures on AWS

Developers

Page 33: ENT308 Best Practices for Microsoft Architectures on AWS

AWS SDK and Tools for .NET Architecture

[Diagram, layered: Execution platform (.NET 3.5, .NET 4.5, Phone, Store, ASP.NET 5); AWS endpoints: REST API; AWS SDK low-level service APIs (service clients); higher-level utility APIs (Amazon S3 Transfer Utility, Amazon DynamoDB object persistence, VM Import, Resource API, ASP.NET session provider, trace listener); AWS tools (AWS Tools for Windows PowerShell, AWS Toolkit for Visual Studio).]

Page 34: ENT308 Best Practices for Microsoft Architectures on AWS

AWS Toolkit for Visual Studio

Full integration in Visual Studio: AWS Toolkit for Visual Studio, .NET SDK

Page 35: ENT308 Best Practices for Microsoft Architectures on AWS

AWS also provides extended support

AWS Elastic Beanstalk
• Deploy from within Visual Studio / automatic log rotation to Amazon S3

AWS CodeCommit/CodePipeline/CodeDeploy
• Manage a large fleet (on-premises and cloud-based)

.NET SDK and PowerShell cmdlets
• Integration in custom build pipelines in TFS or CruiseControl.NET

AWS native integrations
• Jenkins, Bamboo have native integration to AWS
• Other IDEs support AWS (Unity, Xamarin Studio, Eclipse…)

Page 36: ENT308 Best Practices for Microsoft Architectures on AWS

Build Serverless Applications with C#

• .NET Core 1.0: www.microsoft.com/net/download/core
• Visual Studio 2015 Update 3
• Visual Studio 2015 Tools (Preview 2)
• Target Framework: netcoreapp1.0
• Package with .NET Core CLI: “dotnet publish”
• Upload as a zip file

Page 37: ENT308 Best Practices for Microsoft Architectures on AWS

CloudFormation

Basic standard in AWS for automating deployment of resources

CloudFormation template
• JSON-formatted document that describes a configuration to be deployed in an AWS account
• When deployed, refers to a “stack” of resources
• Bootstrapping AWS CloudFormation Windows Stacks, http://tinyurl.com/aws-win-boot

Page 38: ENT308 Best Practices for Microsoft Architectures on AWS

How CloudFormation Works

Page 39: ENT308 Best Practices for Microsoft Architectures on AWS

Systems Management

Page 40: ENT308 Best Practices for Microsoft Architectures on AWS

Amazon EC2 Systems Manager

A set of capabilities that enable automated configuration and ongoing management of systems at scale, across all your Windows and Linux workloads, running in Amazon EC2 or on-premises

Page 41: ENT308 Best Practices for Microsoft Architectures on AWS

Systems Manager Capabilities

Run Command, Maintenance Window, Inventory, State Manager, Parameter Store, Patch Manager, Automation

Grouped on the slide as: Deploy, Configure, and Administer; Track and Update; Shared Capabilities

Page 42: ENT308 Best Practices for Microsoft Architectures on AWS

Auditability

Infrastructure
• AWS CloudTrail
• AWS Config (see whitepaper for license auditing)
• Amazon Inspector

Network
• VPC flow logs
• Elastic Load Balancing access logs

Application
• Amazon CloudWatch Logs can integrate:
• IIS logs
• Event logs
• Event Tracing for Windows (ETW) logs
• Any performance counter data
• Exchange, Lync, SharePoint logs
• Any text-based log files
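The application-level sources listed above (IIS logs, Windows event logs, performance counters) are what a Windows host's log-shipping configuration has to name explicitly; nothing leaves the instance until a collector is told which files, channels and counters to read. The configuration below is an added example, not from the deck or from AWS, written for the unified CloudWatch agent (released after this talk; the EC2Config and SSM-based CloudWatch configuration of 2017 used a different JSON layout). The log group names, the W3SVC1 site path, the retention periods and the metric namespace are assumptions.

```json
{
  "agent": {
    "metrics_collection_interval": 60,
    "logfile": "C:\\ProgramData\\Amazon\\AmazonCloudWatchAgent\\Logs\\amazon-cloudwatch-agent.log"
  },
  "metrics": {
    "namespace": "Example/WindowsWeb",
    "append_dimensions": { "InstanceId": "${aws:InstanceId}" },
    "metrics_collected": {
      "Processor": {
        "measurement": ["% Processor Time"],
        "resources": ["_Total"]
      },
      "LogicalDisk": {
        "measurement": ["% Free Space"],
        "resources": ["*"]
      },
      "Memory": {
        "measurement": ["% Committed Bytes In Use"]
      }
    }
  },
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\*.log",
            "log_group_name": "example/iis-access",
            "log_stream_name": "{instance_id}",
            "timestamp_format": "%Y-%m-%d %H:%M:%S",
            "timezone": "UTC",
            "retention_in_days": 90
          }
        ]
      },
      "windows_events": {
        "collect_list": [
          {
            "event_name": "Security",
            "event_levels": ["INFORMATION", "WARNING", "ERROR", "CRITICAL"],
            "log_group_name": "example/windows-security",
            "log_stream_name": "{instance_id}",
            "event_format": "xml",
            "retention_in_days": 365
          },
          {
            "event_name": "System",
            "event_levels": ["WARNING", "ERROR", "CRITICAL"],
            "log_group_name": "example/windows-system",
            "log_stream_name": "{instance_id}",
            "event_format": "xml"
          }
        ]
      }
    }
  }
}
```

Save it as a file on the instance and load it with the agent's control script, for example `& "C:\Program Files\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent-ctl.ps1" -a fetch-config -m ec2 -s -c file:C:\cwagent.json`; the instance role needs permission to put log events and metric data, which the managed policy CloudWatchAgentServerPolicy grants. The IIS entry's timestamp format matches the date and time fields that lead each W3C log line, and IIS writes those in UTC by default, so the timezone field is set accordingly. Shipping the Security channel as XML keeps the event ID and fields queryable in CloudWatch Logs Insights, which is what lets a metric filter or alarm on repeated failed logons be built later without touching the instance again; the same log group is also the copy that survives an instance being terminated or tampered with.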

Dedicated Hosts

Visibility of sockets, cores, host ID

Page 43: ENT308 Best Practices for Microsoft Architectures on AWS

Monitoring

Amazon CloudWatch, AWS CloudTrail, AWS Config, AWS Trusted Advisor, Amazon VPC flow logs, AWS Lambda, Amazon Elasticsearch Service, Amazon QuickSight, Amazon EC2, Amazon Kinesis

Page 44: ENT308 Best Practices for Microsoft Architectures on AWS

Thank you!