
AWS Workshop Series: Microsoft licensing and active directory on AWS


Extend your on-premise Microsoft infrastructure to the cloud using Active Directory. In this workshop we will show you how to set up new domain controllers using Amazon EC2 instances, or create a new standalone forest with AWS Directory Services such as AWS AD Connector and AWS Microsoft AD. Easily administer and monitor your new Active Directory domains using already-familiar tools.

Published in: Technology


  1. 1. Microsoft Licensing and Active Directory on AWS. Steve Shirkey, Solutions Architect, ASEAN, Amazon Web Services
  2. 2. What to expect from the session
      • AWS for Microsoft Workloads
      • Microsoft Licensing: Microsoft licensing terminology; licensing on EC2 options (Dedicated Hosts, etc.); AWS Config
      • Active Directory Options: Microsoft Active Directory on AWS; how AD is used; deployment options; trusts vs. sync (alternatives to replication)
  3. 3. Why Amazon Web Services?
  4. 4. Why Customers Care?
      Experience & Innovation: running Windows workloads for 8 years; over 90 service offerings; 61 price reductions since 2006
      Availability & Performance: spanning 16 geographic regions and 43 Availability Zones; capable of delivering 48,000 IOPS per instance with consistency
      Security & Compliance: 52 compliance certifications (FISMA, ITAR, EU Model Clauses, SOC-1,2,3, FIPS, ISO)
  5. 5. Customer Adoption, 2008 to today. Milestones shown on the timeline: WS 2008 & SQL Server 2008; Visual Studio Toolkit; MSFT SCOM plug-in release; AWS Directory Service; EC2 Dedicated Hosts (BYOL); MSFT SharePoint 2016 (Marketplace); WS 2008 R2 & SQL Server 2008 R2; WS 2003; .NET SDK; MSFT SCVMM plug-in; WS 2012 & SQL Server 2012; AWS Tools for Windows PowerShell; Amazon RDS adds SQL Server; EC2 Run Command; EC2 Systems Manager; WS & SQL 2016; EC2 Dedicated Instances (BYOL); .NET on Lambda.
      Innovation: Windows on AWS today: 41 instance types across 10 instance families; 31 different AMIs for Windows workloads; 300 different Windows ISV listings in AWS Marketplace.
  6. 6. Trusted by Customers Around the World (customer logos grouped as Innovation Platforms, Corp IT Workloads and Strategic Cloud)
  7. 7. Why AWS for Windows? Flexible, Secure, Reliable, High-Performance, Familiar, Cost-Effective, Extensive. A superior platform with proven experience, the largest global reach and the largest partner ecosystem.
  8. 8. Most Comprehensive Security
      “Amazon Virtual Private Cloud (Amazon VPC) gives us a secure environment in the AWS Cloud with the flexibility and scalability we need to manage our SharePoint environment with zero impact to our on-premises datacenter.” - Jeremy Fuchs, Vice President of Financial and BI Systems, Lionsgate
      § More than twice the compliance certifications of any other vendor
      § Broadest and deepest security management functionality
      § Identity and access controls
      § Tracking and logging
  9. 9. Most Highly Available Architecture
      “Before migrating to AWS, we experienced 10 to 20 hours of downtime a month. With AWS, our downtime is significantly reduced. Our average uptime increased rapidly from 98.8 percent to 99.9 percent without re-architecting applications.” - Augusto Rosa, Server Operations Manager, Shaw Media
      § Largest Global Reach
      § Most Highly Available Architecture
      § More Experience Running Windows Server Workloads in the Cloud
      § Strongest Uptime Record
  10. 10. Outstanding Performance
      “From the super computer-like capabilities driving every design, validation, rendering and sharing of data, to the infrastructure on which the future of Autodesk is being built, AWS has played an instrumental role.” - Amar Hanspal, SVP Products, Autodesk
      § Enterprise-grade computing on-demand
      § Automation for both complex and routine tasks
      § Dedicated, low-latency network connections
      § Automated Scaling
      § Capable of delivering 48,000 IOPS with consistency
  11. 11. Familiar Development Tools and Environment
      “We didn’t have time to re-design applications. AWS could support our legacy 32-bit applications on Windows Server 2003, a variety of SQL Server and Oracle databases, and a robust Citrix environment.” - Jim McDonald, Lead Architect, Hess Corporation
      § Windows-based application support
      § AWS Tools for PowerShell and add-ins for Microsoft System Center, Microsoft Visual Studio, and VMware vCenter
      § Utilize existing VMs (32-bit or 64-bit)
      § License as you see fit
  12. 12. Cost Effective Infrastructure
      “When we moved our SQL Server licenses to Amazon EC2 Dedicated Instances and Dedicated Hosts, we saved 15% on SQL licensing costs. Additionally, when we move our Windows licenses to Amazon EC2 Dedicated Hosts, we will save 10% on Windows licensing. With dedicated compute offerings from AWS, we can now fully optimize our Windows and SQL licensing in the same way a company running in its own data center could.” - Cris Carlin, VP Global Cloud Operations, Deltek
      § No hardware procurement/deployment costs
      § Improved hardware utilization
      § Bring your own licenses
      § Value-oriented culture
      § No long-term commitments
  13. 13. Broadest and Deepest Platform
      “AWS meets our scalability requirements and makes it easy for us to deliver our project information management solution to more and more users.” - Jamie Peloquin, DevOps Manager, Newforma
      § More than 90 services available
      § Broad ecosystem of partners
      § Third-party application marketplace
      § Continuous service improvement
      § Technical certifications for multiple skill levels
  14. 14. Leader in Hybrid Cloud Architecture
      “Our infrastructure requirements change rapidly due to the agile nature of our business. Amazon Web Services allowed us to stop worrying about infrastructure and concentrate on our business. Rapid growth was no longer a technical hurdle and we could have our important people focus on more important problems, like making our customers happy.” - Lachlan Donald, CTO, 99Designs
      § Seamless integration between AWS and on-premises datacenters
      § Amazon VPC, Direct Connect
      § “Single pane of glass” management for Microsoft and VMware
      § Amazon EC2 Systems Manager
  15. 15. Why AWS for Windows? (summary) Secure, Reliable, High-Performance, Familiar, Cost-Effective, Extensive, Flexible
  16. 16. Corporate Applications on AWS (examples shown as application logos)
  17. 17. AWS Resources for Microsoft Workloads
      Documentation: http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide
      Quick Starts: https://aws.amazon.com/quickstart
      Whitepapers: Windows https://aws.amazon.com/windows/resources/whitepapers; All AWS https://aws.amazon.com/whitepapers
      Tools: .NET SDK https://aws.amazon.com/net; Visual Studio Plugin https://aws.amazon.com/visualstudio; PowerShell Tools https://aws.amazon.com/powershell; AWS Developer Tools https://aws.amazon.com/tools; DevOps https://aws.amazon.com/devops/windows
      Training & Certification: Qwiklabs https://aws.amazon.com/windows/resources/training; Training https://aws.amazon.com/training; Certification https://aws.amazon.com/certification
      Getting Started: https://aws.amazon.com/windows/getting-started
      Pricing & Calculators: https://aws.amazon.com/ec2/pricing; https://aws.amazon.com/pricing
      Partners: https://aws.amazon.com/partners/competencies/microsoft; http://www.aws-partner-directory.com
      Videos: https://aws.amazon.com/windows/resources/#videos; https://aws.amazon.com/windows/events; https://www.youtube.com/AmazonWebServices; https://www.youtube.com/AWSwebinars
      Discussion Forums: EC2 https://forums.aws.amazon.com/forum.jspa?forumID=30; .NET https://forums.aws.amazon.com/forum.jspa?forumID=61
      More: Windows on AWS Homepage https://aws.amazon.com/windows; FAQs https://aws.amazon.com/windows/faq; MS Licensing https://aws.amazon.com/windows/resources/licensing; SQL Server https://aws.amazon.com/windows/products/sql; SharePoint https://aws.amazon.com/windows/products/sharepoint; Exchange https://aws.amazon.com/windows/products/exchange; System Center https://aws.amazon.com/windows/products/system-center; Contact Us https://aws.amazon.com/windows/contact-us; Windows Resources https://aws.amazon.com/windows/resources; Support https://aws.amazon.com/premiumsupport; Software Marketplace https://aws.amazon.com/marketplace
  18. 18. Licensing Terminology
  19. 19. Microsoft Licensing Options on AWS
      • Buy License-Included instances from AWS: Windows Server, or Windows Server with SQL Server
      • Bring Your Own Licenses to AWS: dedicated options if you don’t have Software Assurance; default tenancy for licenses eligible for License Mobility
  20. 20. Microsoft licensing options in Amazon EC2
      Buy licenses from AWS: • AWS manages licensing • Pay-as-you-go pricing • Default tenancy or Dedicated Instances • Software Assurance not required • Unlimited CALs
      Use License Mobility: • Leverage existing software investments • AWS manages Windows Server licensing • Software Assurance required
      Bring your own licenses (BYOL): • Leverage existing software investments • You manage compliance with Microsoft • Software Assurance not required
      Licensing flexibility helps you optimize your costs.
  21. 21. License Included (AMIs from AWS) • Fully managed licensing • All versions of Windows Server, even 2003 • Supported versions of SQL Server (optional) • Hourly instance cost includes license • No need to buy Software Assurance • No need to buy Client Access Licenses (CALs) • Includes 2 Remote Desktop CALs
  22. 22. License Mobility License Mobility is a benefit of Microsoft Software Assurance allowing customers to move existing licenses from on-premises to the cloud
  23. 23. (Diagram) Default Tenancy vs. Dedicated Host: on default tenancy, “you live here” on a given host only until you reboot; a Dedicated Host keeps the instance on the same physical server.
  24. 24. Dedicated Hosts • Primarily used for processor and core-based products • Software Assurance is not required • AWS assigns the physical host to the customer • Meets Microsoft’s 90 day reassignment rule • Best choice for customers that want to carry in many Microsoft licenses • Windows Server cannot be bought from AWS (must use ImportImage)
  25. 25. Dedicated Instances • Can BYOL without Software Assurance, or for products ineligible for License Mobility • Supports products licensed by user (e.g. Skype for Business, Exchange, and Remote Desktop Services) • Windows Server must be bought from AWS (unless you have MSDN and the workload is not “production”)
  26. 26. Microsoft Licensing on Amazon EC2
      License Type             | Dedicated Hosts       | Dedicated Instances         | Default-Tenancy
      Windows Server           | Only with ImportImage | Must buy License Included   | Must buy License Included
      SQL Server               | License Mobility or License Included
      Other Microsoft Products |                       | User-based license required | License Mobility required
      MSDN                     |                       |                             |
  27. 27. Dedicated Hosts vs. Dedicated Instances
      Characteristic                            | Dedicated Instances | Dedicated Hosts
      Enables use of dedicated physical servers | Yes                 | Yes
      First instance per region $2 per hour     | Yes                 | No
      Per host billing                          | No                  | Yes
      Visibility of sockets, cores              | No                  | Yes
      Affinity between host and instance        | No                  | Yes
      Targeted instance placement               | No                  | Yes
      Automatic instance placement              | Yes                 | Yes
      Add capacity with allocation request      | No                  | Yes
  28. 28. Dedicated Hosts
  29. 29. When to use Dedicated Hosts? • To leverage your existing Windows Server investments • To BYOL if you don’t have Software Assurance, or product isn’t eligible for License Mobility (e.g., Windows or Microsoft Office) • For compliance or accounting reasons • To reduce costs at scale (e.g., fill the host)
  30. 30. Bringing your licenses to Dedicated Hosts: 1. Import VM images with VM Import/Export; 2. Activate AWS Config; 3. Allocate Dedicated Hosts; 4. Launch instances onto the Dedicated Hosts
  31. 31. Host Lifecycle
      1. Allocate an “On-Demand” Host
      2. (optional) Purchase a Host Reservation and assign it to the Host
      3. Launch instances on the Host (must be an imported and licensed Windows Server image)
      4. Terminate the instances
      5. Release the On-Demand Host (when a reservation expires, the host reverts to On-Demand)
  32. 32. Dedicated Host Allocation. The DH instance type sets its maximum capacity. For example, a c4 DH can hold:
      • 16 × c4.large (2 vCPUs each), or
      • 2 × c4.4xlarge (16 vCPUs each), or
      • 1 × c4.8xlarge (32 vCPUs)
      Technically there are 40 vCPUs in a c4 DH, but AWS reserves some for the host OS.
  33. 33. Dedicated Host Configurations. Example: a c3.xlarge host has capacity for 8 c3.xlarge instances.
      Instance Type | Sockets | Physical Cores | medium | large | xlarge | 2xlarge | 4xlarge | 8xlarge | 10xlarge | 16xlarge | 32xlarge
      c3            | 2       | 20             | -      | 16    | 8      | 4       | 2       | 1       | -        | -        | -
      c4            | 2       | 20             | -      | 16    | 8      | 4       | 2       | 1       | -        | -        | -
      p2            | 2       | 36             | -      | -     | 16     | -       | -       | 2       | -        | 1        | -
      g2            | 2       | 20             | -      | -     | -      | 4       | -       | 1       | -        | -        | -
      m3            | 2       | 20             | 32     | 16    | 8      | 4       | -       | -       | -        | -        | -
      d2            | 2       | 24             | -      | -     | 8      | 4       | 2       | 1       | -        | -        | -
      r3            | 2       | 20             | -      | 16    | 8      | 4       | 2       | 1       | -        | -        | -
      m4            | 2       | 24             | -      | 22    | 11     | 5       | 2       | -       | 1        | -        | -
      i2            | 2       | 20             | -      | -     | 8      | 4       | 2       | 1       | -        | -        | -
      x1            | 4       | 72             | -      | -     | -      | -       | -       | -       | -        | 2        | 1
  34. 34. How many licenses does a Dedicated Host require? • Microsoft: Windows Server 2012 R2 Licensing Datasheet • AWS: Amazon EC2 Dedicated Hosts
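The capacity table and the licensing question above combine into a small planning exercise: how many hosts a fleet needs, how many sockets and cores those hosts expose (the figures AWS Config records for licence tracking), and how many Windows Server licences that implies. The script below is an added example, not code from the deck or from AWS. It embeds part of the slide's capacity table and makes one labelled assumption: the Windows Server 2012 R2 per-processor model the slide cites, where one Standard or Datacenter licence covers up to two physical processors. A Dedicated Host runs a single instance size, so each size is planned on its own hosts. The fleet at the bottom is constructed; check the real datasheet and your agreement before using the numbers.

```python
"""Dedicated Host sizing and licence estimate for BYOL Windows Server.

Added example; not from the deck or from AWS. HOST_TABLE is transcribed from the
'Dedicated Host Configurations' slide. PROCESSORS_PER_LICENSE is an assumption
(Windows Server 2012 R2 per-processor licensing, two processors per licence).
"""
from __future__ import annotations

import math
from dataclasses import dataclass

# Per-family host attributes and instances-per-host by size, from the slide.
# A Dedicated Host hosts one instance size, so capacity is looked up per size.
HOST_TABLE = {
    "c4": {"sockets": 2, "cores": 20,
           "capacity": {"large": 16, "xlarge": 8, "2xlarge": 4, "4xlarge": 2, "8xlarge": 1}},
    "m4": {"sockets": 2, "cores": 24,
           "capacity": {"large": 22, "xlarge": 11, "2xlarge": 5, "4xlarge": 2, "10xlarge": 1}},
    "r3": {"sockets": 2, "cores": 20,
           "capacity": {"large": 16, "xlarge": 8, "2xlarge": 4, "4xlarge": 2, "8xlarge": 1}},
    "x1": {"sockets": 4, "cores": 72,
           "capacity": {"16xlarge": 2, "32xlarge": 1}},
}

PROCESSORS_PER_LICENSE = 2  # assumption: WS 2012 R2 licence covers up to 2 processors


@dataclass(frozen=True)
class HostPlan:
    instance_type: str
    instances: int
    hosts: int        # Dedicated Hosts to allocate
    idle_slots: int   # unused instance slots on those hosts ("fill the host")
    sockets: int      # total sockets AWS Config will record for the hosts
    cores: int        # total physical cores
    licenses: int     # Windows Server licences under the assumption above


def plan_hosts(fleet: dict[str, int]) -> list[HostPlan]:
    """Plan hosts for a fleet given as {instance_type: count}."""
    plans: list[HostPlan] = []
    for instance_type, count in sorted(fleet.items()):
        family, _, size = instance_type.partition(".")
        host = HOST_TABLE.get(family)
        if host is None or size not in host["capacity"]:
            raise ValueError(f"no Dedicated Host capacity entry for {instance_type}")
        per_host = host["capacity"][size]
        hosts = math.ceil(count / per_host)
        plans.append(HostPlan(
            instance_type=instance_type,
            instances=count,
            hosts=hosts,
            idle_slots=hosts * per_host - count,
            sockets=hosts * host["sockets"],
            cores=hosts * host["cores"],
            licenses=hosts * math.ceil(host["sockets"] / PROCESSORS_PER_LICENSE),
        ))
    return plans


def total_licenses(plans: list[HostPlan]) -> int:
    return sum(p.licenses for p in plans)


if __name__ == "__main__":
    # Constructed fleet: 20 c4.large do not fill two c4 hosts (32 slots), which
    # is exactly the idle capacity the "fill the host" advice is about.
    fleet = {"c4.large": 20, "c4.8xlarge": 1, "x1.32xlarge": 1}
    plans = plan_hosts(fleet)
    for p in plans:
        print(p)
    print("Windows Server licences needed:", total_licenses(plans))
```

The idle_slots column is the number the BYOL-versus-License-Included spreadsheet on the next slides should carry: a half-filled host is still billed and licensed in full, which is why consolidating workloads onto fewer, fuller hosts changes the answer.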
  35. 35. Two payment options for your hosts
      On-Demand: • Per-hour host billing • Allocation initiates billing • Scale up and down • Access to hosts on-demand worldwide in seconds
      Reservations: • Save up to 70% over On-Demand • 1-year and 3-year terms • Upfront payment options • Reservations are assigned to specific Dedicated Hosts
  36. 36. Should you BYOL or buy LI?
      • Create a simple spreadsheet
      • Grab some numbers from the AWS Simple Monthly Calculator: Dedicated Host? Reservation? With SQL Server? With AWS Business Support?
      • Do you have a sunk cost on your licenses, or are you considering new licenses?
      • Do you plan to buy Software Assurance, and for how long?
      • Multiply your Enterprise Agreement level per-processor cost by the number of vCPUs
  37. 37. Dedicated Hosts • Avoid buying extra licenses • Instances automatically fill available hosts • Can reserve your own excess capacity for DR • Can run Windows Server Standard Edition, but pay attention to the OSE terms in your agreement! • Best Practice: Ensure your workload is placed across two Availability Zones for HA.
  38. 38. Advantages of License Included • Easy to let AWS manage your license compliance • Reduce costs if you decide to consolidate workloads later • Reduce costs if you choose to stop the instances • Reduce costs if you don’t need full Dedicated Host capacity • Retain freedom to re-platform
  39. 39. SQL Server on Amazon EC2 Licensing
  40. 40. SQL Server Options
      SQL Server on Amazon EC2: BYOL on DH, DI or DT (License Mobility required on DT); License Included on DI or DT
      Amazon RDS for SQL Server: BYOL (License Mobility required) or License Included
  41. 41. SQL Server Architecture Impacts Licensing
      • Network latency between AWS Availability Zones is so low that you can use synchronous commit (and therefore automatic failover) for most applications
      • Does HA == DR? Think about how potential data corruption spreads
      • Some customers have distance requirements that disallow separate Availability Zones for DR
      • AWS also provides multi-region DR (RTO == a few hours): deploy a new farm from AWS CloudFormation and restore data from snapshots in Amazon S3
  42. 42. Multi-AZ AlwaysOn Availability Group (diagram): within one AWS Region, an EC2 primary replica in a private subnet in Availability Zone 1 and an EC2 secondary replica in a private subnet in Availability Zone 2, with synchronous commit and automatic failover.
  43. 43. Multi-Region AlwaysOn Availability Group (diagram): in AWS Region A, an EC2 primary replica in Availability Zone 1 and an EC2 secondary replica in Availability Zone 2 with synchronous commit and automatic failover; in AWS Region B, a further EC2 secondary replica in Availability Zone 1, reached over a VPN between Elastic IPs, with asynchronous commit and manual failover.
  44. 44. Architect SQL Server to Save Money • Is your secondary SQL Server instance completely “passive,” not a Read Replica, or even a backup source? • With License Mobility, you can eliminate licenses for each vCPU in the passive SQL Server instance
  45. 45. Amazon RDS for SQL Server Licensing
  46. 46. BYOL SQL Server in Amazon RDS • Submit a License Mobility form to Microsoft for verification of your licenses • Microsoft will verify it to you and to AWS • You may deploy your application up to ten days before submitting the form • RDS License Model: choose BYOL instead of License Included
  47. 47. SharePoint Server Licensing
  48. 48. BYOL Decision Tree: SharePoint Server
      1. Do you have a SharePoint Server license? No: AWS Marketplace. Yes: go to 2.
      2. Is it MSDN and your workload is not PROD? Yes: DI or DH. No: go to 3.
      3. Do you have License Mobility? No: go to 4. Yes: go to 5.
      4. BYOL Windows Server? Yes: DH.
      5. BYOL Windows Server? Yes: DH. No: DT.
      Notes: SharePoint Server is ineligible for DI except with MSDN. Cannot BYOL on default tenancy without License Mobility.
  49. 49. AWS Config
  50. 50. AWS Config • Microsoft requires that you track usage of your licenses against physical resources such as sockets and cores. • AWS Config tracks configuration changes that occur on a Dedicated Host, including the instances and AMIs, Host ID, and the number of sockets and physical cores. • Also tracks instance tags (recommended).
  51. 51. AWS Config You can accept the default for all of these: • Which AWS resources do you want to track? • Which Amazon S3 bucket will hold the files? • Which Amazon SNS topic will get notifications? • Which AWS IAM role will AWS Config use?
  52. 52. VM Import/Export Service
  53. 53. AWS VM Import/Export Demo with PowerShell
  54. 54. AWS Tools for Windows PowerShell • More than 2,100 cmdlets and constantly growing • Install options • .msi with AWS SDK for .NET and AWS Visual Studio Toolkit • PowerShell Gallery • Pre-installed on EC2 Windows • Initial setup • Set credential profile(s) for local use • Set a default region
  55. 55. Active Directory on AWS
  56. 56. How AD is used – Why AD is important in the cloud
  57. 57. Why AD is important in the cloud Migration path Source: Implementing an Identity Strategy for Amazon Web Services, Gartner Group, 24 Feb 2017
  58. 58. How AD Works with Computers (diagram): Domain Join / Machine AuthN / GPO / LDAP. AuthN – Authentication; GPO – Group Policy Object; LDAP – Lightweight Directory Access Protocol
  59. 59. How AD Works with Users (diagram): User AuthN / Group Membership / Login Scripts, on top of Domain Join / Machine AuthN / GPO / LDAP
  60. 60. How AD Works with Services (diagram): services rely on User AuthN / Group Membership / Login Scripts and on Domain Join / Machine AuthN / GPO / LDAP
  61. 61. How AD Works in Federated SaaS Solutions (diagram): app and DB tiers; Federated AuthN (SAML) for users; Kerberos AuthN between app and DB; Domain Join / Machine AuthN / GPO / LDAP for the servers
  62. 62. What if You Migrate These Parts to AWS? (diagram): the app on Amazon EC2, data in Amazon DynamoDB or RDS for SQL Server, desktops on Amazon WorkSpaces; the same User AuthN / Group Membership / Login Scripts, Federated AuthN (SAML), Kerberos AuthN and Domain Join / Machine AuthN / GPO / LDAP dependencies remain, so where AD runs becomes the question
  63. 63. Deployment Options – Supporting Windows workloads in the cloud
  64. 64. AD options – Where to run AD. Option 1: on-premises Windows Server DC, AD you manage. Legend: DC – Active Directory Domain Controller; VPC – Amazon Virtual Private Cloud; Endpoint – accessed via an IP address in your VPC
  65. 65. AD options – On-premises
      • Create a VPN or AWS Direct Connect link to your VPC
      • Manually domain join EC2 instances to the on-premises domain
      • Use the VPC as an extension of your network (security considerations; latency considerations?)
  66. 66. AD options – Where to run AD. Option 1: on-premises Windows Server DC, AD you manage. Option 2: EC2 for Windows Server DC in your VPC, AD you manage.
  67. 67. AD options – EC2 self-managed. Your responsibilities: availability deployment strategy; EC2 DC configuration; DNS configuration; Sites and Services configuration; monitoring; DC recovery; backup; restore; security group configuration; manual EC2 domain joining; Patch Tuesday management. AWS Directory Service is required for AWS enterprise applications and services to authenticate to your self-managed AD.
  68. 68. AD options – Where to run AD. Option 3: AWS Managed Microsoft AD, reached through a VPC endpoint, AWS manages. AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. AWS Managed Microsoft AD.
  69. 69. AD options – AWS Managed Microsoft AD
      • Windows 2012 R2 domain controllers (DCs): ~3-click setup; 2 DCs, each in a different Availability Zone (AZ)
      • Stand-alone, or connected to your AD with trusts
      • AWS apps and services integration: EC2 seamless domain join; RDS for SQL Server authentication and authorization; WorkSpaces, QuickSight Enterprise and Chime Plus/Pro provisioning and authentication
  70. 70. AD options – AWS Managed Microsoft AD: some constraints
      • AWS is domain admin
      • You get an OU and delegated admin over the OU
      • AWS apps/services/EC2 (1) must be in the same VPC
      • Conservative delegated permissions (2) to your OU admin account
      • Application enablement blocks some apps
      • Some admin functions unavailable
      (1) EC2 can domain join manually in peered VPC configurations. (2) Delegations are being expanded over time.
  71. 71. AD options – AWS Managed Microsoft AD: responsibilities
      Amazon – operate: multi-AZ deployment, patching, monitoring, DC recovery, snapshot, restore
      You – administer: administration via Active Directory Users and Computers (ADUC) and other standard AD tools; administer users, groups, GPOs and other AD content
  72. 72. AD options – Connecting AD in the cloud to on-premises AD
      1. Replication: your DCs only (on-premises Windows Server DC and EC2 for Windows Server DC in the VPC)
      2. 1-way or 2-way trust: your DCs or AWS Managed Microsoft AD
      3. Sync users: depends (third-party sync)
  73. 73. Example: On-premises AD (diagram). Application tier in two Availability Zones, each a private subnet (10.0.2.0/24 and 10.0.3.0/24) holding a SQL Server (DB), App Server (APP) and IIS Server (WEB). Domain controllers stay in the corporate data center and serve Auth/LDAP over VPN or Direct Connect; remote users/admins authenticate against them too.
  74. 74. Example: AD on EC2 with replication or AD trust (diagram). Same two-AZ application tier, plus a domain controller on EC2 in each Availability Zone serving Auth/LDAP locally; the EC2 DCs connect to the corporate data center domain controllers over VPN or Direct Connect by trust or replication.
  75. 75. Example: AWS Managed Microsoft AD trust to on-premises (diagram). Two-AZ application tier with App Server and IIS Server on EC2 and the DB on RDS for SQL Server (AWS managed services); an AWS Managed Microsoft AD DC in each Availability Zone serves Auth/LDAP and holds a trust to the corporate data center domain controllers over VPN or Direct Connect.
  76. 76. Example: AD on EC2 with sync (diagram). Same two-AZ application tier with an EC2 domain controller per Availability Zone; a third-party sync tool pushes users and password changes from the corporate data center DCs to the EC2 DCs over VPN or Direct Connect. Users lose single sign-on to the cloud (same sign-on instead).
  77. 77. Considerations for AWS apps/services and many VPCs
      AWS Managed Microsoft AD requires a trust to authenticate using on-premises AD credentials and to read users for provisioning (*). WorkSpaces and RDS for SQL must be in the same VPC as AWS Managed Microsoft AD; QuickSight must be in the same account.
      • Option 1 – Least cost, fewest trusts: deploy AWS Managed Microsoft AD in one VPC; deploy all RDS for SQL and WorkSpaces instances in the same VPC; use tagging for internal billing
      • Option 2 – Easiest billing, complex trust configuration, high cost: deploy AWS Managed Microsoft AD in each VPC; deploy RDS for SQL and WorkSpaces instance(s) in each VPC
      (*) 1-way trust for RDS for SQL Server; 2-way trust to provision Amazon WorkSpaces, Amazon QuickSight, etc.
  78. 78. How to choose – Considerations for selection
  79. 79. Deployment differences
      Area                 | AWS Managed Microsoft AD                                  | EC2 AD instances                                                | On-premises AD
      Operation management | + AWS managed in the cloud                                | - Customer managed in the cloud                                 | - Customer managed, own hardware
      Availability         | + Built-in redundancy and replication                     | - Customer must design for high availability                    | - Customer must design for high availability
      Networking           | Trust (1) ports from cloud to on-premises (least exposed) | Trust (1) or replication (2) ports from cloud to on-premises AD | - Open ports to support cloud to on-premises AD (3) (most exposed)
      Admin control        | Designated OU control; some apps unsupported              | + Full control                                                  | + Full control
      (1) If a trust to on-premises is used, open ports from DCs to on-premises DCs are needed. (2) AD replication requires more open ports than forest trusts, but is limited to DC-to-DC communications. (3) Ports for domain joining, AD interactions, LDAP etc., plus other firewall decisions for cloud to on-premises access.
  80. 80. How to select an Active Directory option
      AWS Managed Microsoft AD: • Minimize cost and effort to run AD • RDS for SQL Server (1) • AWS Enterprise Applications (1) • Windows workloads on EC2 (2), e.g. SharePoint, SQL Server AlwaysOn Availability Groups, .NET applications
      EC2 AD instances: • Require a replicated, multi-region AD solution • Need NetBIOS name resolution support • Require permissions not yet delegated by AWS Microsoft AD (3), e.g. Exchange, ADFS
      On-premises AD: • Minimal EC2 instances require access to AD • Latency to AD over the on-premises link is acceptable • Comfortable with connectivity availability to on-premises AD
      (1) RDS for SQL, WorkSpaces, QuickSight and Chime require trusts only if users are on-premises (via trust). (2) Subject to delegation constraints (e.g. password sync, special AD containers). (3) AWS is adding more delegations and application enablement over time.
  81. 81. Deployment differences – Which connection model?
      Criterion                 | AWS Managed Microsoft AD with Sync | AWS Managed Microsoft AD with Trust | EC2 AD with Sync | EC2 AD with Trust | EC2 AD Replicated | On-premises
      App access: SSO to cloud  | No                                 | Yes                                 | No               | Yes               | Yes               | Yes
      Complexity/effort:
      EC2 seamless domain join  | Yes                                | Yes                                 | No               | No                | No                | No
      DC configuration          | Medium                             | Low                                 | Highest          | High              | High              | None
      Incremental maintenance   | High                               | Low                                 | Highest          | Low               | Medium            | None
      Incremental system        | Medium                             | Low                                 | Highest          | High              | High              | None
      Incremental entitlement   | High                               | Low                                 | High             | Low               | None              | None
      Sites and Services        | No                                 | No                                  | No               | No                | Yes               | None
      Legend on the slide: Untested / Recommended / If necessary
  82. 82. Trusts vs. Sync – Alternatives to replication
  83. 83. Customer Feedback: Why sync vs. trusts
      Trusts seem scary: • Many admins are unfamiliar with the model and how to secure it • Perception that a trust gives all cloud resources access to on-premises • Perception that trusts give cloud admins control over the on-premises directory • Trusts require setup coordination (security review, firewall ports, trust setup) • “Breaks the principle” of communication initiated only from on-premises to the cloud
      “We are isolating our on-premises from the cloud and need a few users sync’d”: • Only deploying SaaS applications in the cloud (built on Windows) • Only need a subset of Windows users with “same sign-on” to manage AWS resources via AD
  84. 84. Considerations for syncing identities to the cloud
      • Do your on-premises users need access to cloud resources that use AD group-based authorization? If yes, will users object to having to log out of on-premises and log in to the cloud? (Same sign-on, not single sign-on)
      • Requires a third-party sync tool: special configuration for what gets synced; must map from the on-premises directory to the AD structure in the cloud
      • With AWS Managed Microsoft AD, the tool must not require domain admin; user creations must be in your OU
      • Sync adds configuration complexity and latency for managing users: incremental entitlements for sync; what about security groups, and how does sync map them to the cloud?
  85. 85. Appropriate for sync – admins’ user names for RDP (diagram): only admin users are synced from AD on-premises (or on the Internet) to the cloud, so AWS resource admins can RDP to Amazon EC2; the app’s Federated AuthN (SAML), Kerberos AuthN, Domain Join / Machine AuthN / GPO / LDAP and User AuthN / Group Membership / Login Scripts dependencies are shown alongside.
  86. 86. Complex for sync – many users to many cloud services (diagram): SQL Server AlwaysOn, SharePoint, Exchange and .NET applications on Amazon EC2 and Amazon DynamoDB, with Federated AuthN (SAML), Kerberos AuthZ and Domain Join / Machine AuthN / GPO / LDAP dependencies on AD on-premises or on the Internet.
  87. 87. Forest trusts: a time-tested, secure model
      • The trusting forest has no admin control over the trusted forest
      • Trusted users have cloud resource access only if entitled by trusting admins (you control both sides)
      • Resources in the cloud have no access to on-premises resources unless on-premises trusts the cloud AND on-premises admins grant permissions to user identities in the cloud
      (Diagram: the AWS Managed Microsoft AD DC in the VPC is the trusting, cloud side; the Windows AD DC on the on-premises network is the trusted side; access entitlements live in a security group on the cloud side.)
  88. 88. No trust vs. 1-way vs. 2-way trusts
      • Do you need users from one forest to access resources in another forest? If no, use no trust.
      • Can you use only a 1-way trust? If yes, only use 1-way. RDS for SQL Server with on-premises users requires at least a 1-way trust.
      • Is a 2-way trust required? If yes, use a 2-way trust. WorkSpaces, QuickSight Enterprise Edition and Chime use 2-way trusts; the on-premises to AWS Managed Microsoft AD trust is used only to read users/groups to provision them into the application.
      Always secure your trust.
  89. 89. Securing trusts
      • Leave SID filtering on when setting up the on-premises side of a trust
      • Turn on selective authentication on the on-premises side of a trust: https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx#w2k3tr_trust_security_zyzk
      • Only permit AD trust ports to the DCs in the cloud: https://technet.microsoft.com/en-us/library/cc756944(v=ws.10).aspx
      • For cloud-client-to-AD, only permit AD authentication ports to on-premises AD; minimize all other ports from cloud to on-premises (e.g., WorkSpaces login using on-premises credentials): https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
      • Don’t grant groups in the cloud access to on-premises resources
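The five points on the "Securing trusts" slide are the kind of configuration that drifts after the initial security review, so they are worth checking on a schedule rather than once. The script below is an added example, not code from the deck or from AWS or Microsoft: it takes the on-premises-side trust settings, the security-group-style rules from cloud DCs and cloud clients towards on-premises DCs, and ACL entries on on-premises resources, and reports every deviation from the slide's guidance. The two port allow-lists are assumptions drawn from the Microsoft domains-and-trusts firewall article the slide links (DC-to-DC trust traffic versus client authentication only); confirm them against that article and your own configuration before turning them into rules. The trust, rules, ACL entries and domain names are constructed for the demonstration.

```python
"""Audit helper for the 'Securing trusts' guidance (added example, not from the deck).

Inputs are constructed. Port allow-lists are assumptions based on Microsoft's
'How to configure a firewall for domains and trusts' article; verify them.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ports a cloud DC needs towards on-premises DCs for a forest trust (assumption).
DC_TRUST_PORTS = [
    ("tcp", 53, 53), ("udp", 53, 53),        # DNS
    ("tcp", 88, 88), ("udp", 88, 88),        # Kerberos
    ("tcp", 135, 135),                       # RPC endpoint mapper
    ("tcp", 389, 389), ("udp", 389, 389),    # LDAP
    ("tcp", 445, 445),                       # SMB (trust setup, Netlogon)
    ("tcp", 464, 464), ("udp", 464, 464),    # Kerberos password change
    ("tcp", 636, 636),                       # LDAPS
    ("tcp", 3268, 3269),                     # Global Catalog
    ("tcp", 49152, 65535),                   # RPC dynamic range
]
# Cloud clients (e.g. WorkSpaces logging in with on-premises credentials) need
# name resolution and authentication only, no RPC or replication (assumption).
CLIENT_AUTH_PORTS = [
    ("tcp", 53, 53), ("udp", 53, 53),
    ("tcp", 88, 88), ("udp", 88, 88),
    ("tcp", 389, 389), ("udp", 389, 389),
    ("tcp", 464, 464), ("udp", 464, 464),
    ("tcp", 636, 636),
]


@dataclass(frozen=True)
class Trust:
    name: str             # trusted forest, as seen from the on-premises side
    sid_filtering: bool   # SID filtering ("quarantine") on the on-premises side
    selective_auth: bool  # selective authentication on the on-premises side


@dataclass(frozen=True)
class Rule:
    src: str              # "cloud-dc" or "cloud-client"
    dst: str              # "onprem-dc"
    proto: str            # "tcp" or "udp"
    port_from: int
    port_to: int


@dataclass(frozen=True)
class Ace:
    resource: str         # on-premises resource
    principal: str        # "DOMAIN\\Group"


def within(rule: Rule, allowed: list[tuple[str, int, int]]) -> bool:
    """True if the rule's whole port range sits inside one allowed entry."""
    return any(p == rule.proto and lo <= rule.port_from and rule.port_to <= hi
               for p, lo, hi in allowed)


def audit(trusts: list[Trust], rules: list[Rule], aces: list[Ace],
          cloud_domain: str) -> list[str]:
    """Return one finding per deviation from the slide's five recommendations."""
    findings: list[str] = []
    for t in trusts:
        if not t.sid_filtering:
            findings.append(f"trust {t.name}: SID filtering is off; leave it on")
        if not t.selective_auth:
            findings.append(f"trust {t.name}: selective authentication is off")
    for r in rules:
        if r.dst != "onprem-dc":
            continue
        allowed = DC_TRUST_PORTS if r.src == "cloud-dc" else CLIENT_AUTH_PORTS
        if not within(r, allowed):
            findings.append(f"rule {r.src}->{r.dst} {r.proto} {r.port_from}-{r.port_to}: "
                            "outside the permitted port set")
    for a in aces:
        if a.principal.split("\\", 1)[0].upper() == cloud_domain.upper():
            findings.append(f"{a.resource}: cloud group {a.principal} granted access "
                            "to an on-premises resource")
    return findings


def run_sample() -> list[str]:
    """Constructed inputs: one trust, five rules, two ACL entries."""
    trusts = [Trust("aws.corp.example", sid_filtering=False, selective_auth=True)]
    rules = [
        Rule("cloud-dc", "onprem-dc", "tcp", 88, 88),
        Rule("cloud-dc", "onprem-dc", "tcp", 49152, 65535),
        Rule("cloud-dc", "onprem-dc", "tcp", 0, 65535),       # allow-all: flagged
        Rule("cloud-client", "onprem-dc", "udp", 88, 88),
        Rule("cloud-client", "onprem-dc", "tcp", 135, 135),   # RPC from clients: flagged
    ]
    aces = [Ace(r"\\fs01\finance", r"CORP\Finance"),
            Ace(r"\\fs01\finance", r"AWSMAD\CloudOps")]       # cloud group: flagged
    return audit(trusts, rules, aces, cloud_domain="AWSMAD")


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

In practice the Trust and Rule records would be filled from the on-premises side (for example the SID filtering and selective authentication attributes of the trust object) and from the security groups in front of the cloud DCs; the audit logic stays the same, and the first finding it raises against a freshly created trust is usually the selective-authentication one, since trusts default to domain-wide authentication.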
  90. 90. Recap
      • AD is used in many ways and is often required in the cloud; where AD-dependent systems exist affects where you place AD
      • AD on EC2 and AWS Microsoft AD have advantages over using on-premises AD domain controllers
      • AD on EC2 is appropriate when you require full domain admin permissions or a replicated AD in the cloud
      • AWS Microsoft AD is appropriate to support resources in the cloud, and required to support AWS applications and services with on-premises users
      • Trusts are secure and appropriate when you need SSO from on-premises to AD-dependent workloads in the cloud
      • Synchronization may be appropriate for isolation with a small set of users; sync requires a compatible third-party solution and has many considerations
  91. 91. References
      Documentation: • AWS Directory Service – aws.amazon.com/directoryservice • AWS Microsoft AD – aws.amazon.com/documentation/directory-service/ • RDS for SQL Server – aws.amazon.com/documentation/rds/
      AWS Quick Starts – aws.amazon.com/quickstart/: • Active Directory Domain Services • Exchange Server 2013 • SharePoint Server 2016 Enterprise • Lync Server 2013 • SQL Server 2014 AlwaysOn • Windows PowerShell DSC
  92. 92. Questions?
