Whether it's application services or end user computing, cloud is the new normal for organisations of all sizes. In this session you will learn how to realise the benefits of running a complete Microsoft Enterprise environment securely and cost effectively within the AWS Cloud. Covering topics such as the AWS Active Directory Service, SQL Server, and remote desktops. We will also provide insight into management options including AWS Simple Systems Management (SSM). This session will set you up for success to migrate and operate your Microsoft workloads on AWS. Speaker: Andrew Mitchell, Principal Solutions Architect, Amazon Web Services Featured Customer - Carsales.com.au

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Andrew Mitchell, Principal Enterprise Solutions Architect
Amazon Web Services
Dmitry Kulshitsky, Group Manager, Operations & Security
carsales.com.au
Running your Enterprise Windows
Workloads on AWS
Technical 201

2. What Will We Cover Today?
• Providing secure, remote administrative access to your AWS
Windows resources
• Extending your corporate data network into AWS
• Active Directory services
• Microsoft SQL Server on AWS
• Management Tools for Windows
• Customer Success Story – Dmitry Kulshitsky.
Carsales.com.au

3. Why Run Windows Workloads on AWS?
Building and managing cloud since 2006
12 regions, 33 availability zones, 54 edge locations
Thousands of partners;; 2,500+ Marketplace products
Security & Reliability
Performance
Experience
Scale
Ecosystem
Extensive VM and network performance options
Security in layers approach and 99.95% application SLA

4. Licensing Options
Flexibility helps you optimise costs
Buy licenses from
AWS
Leverage License
Mobility
Bring your own
licenses (BYOL)
• Save money on software
licensing
• You manage licensing
costs and compliance with
your ISV
• No need for Software
Assurance
• AWS manages Windows
Server licensing
• You manage licensing
costs and compliance
with your ISV
• Uses Software
Assurance
• AWS manages licensing
• Pay as you go pricing
• Multi-­tenant or
Dedicated
• No need for Software
Assurance
• Unlimited CALs

5. Amazon EC2 Dedicated Hosts
• A Dedicated Host is a physical server with EC2
instance capacity dedicated for your use
• Bring your own license (BYOL) platform
• Supports BYOL for Windows Server, Windows SQL
Server, and applications running on top of Windows
Server (e.g., exchange server)

6. How would you build a Microsoft
Enterprise IT Platform on AWS?

7. Lets Start Here….
Corporate
Data
Center
AWS
Cloud
Internet

8. Availability Zone
Private SubnetPublic Subnet
Availability Zone
Private SubnetPublic Subnet
Remote
Users / Admins
Isolated VPC
in the Cloud

9. Secure Administration via Remote Desktop
Availability Zone
Private SubnetPublic Subnet
AWS Administrator
Corporate Data Center
TCP 443
Requires one connection:
• Connect to the RD Gateway, and the gateway proxies the RDP connection to the back-­end instance.
Web Security Group
Accept TCP Port 3389
from Gateway SG
WEB2
WEB1
Gateway Security Group
Accept TCP Port
443 from Admin IP
RDGW

10. Availability Zone
Private SubnetPublic Subnet
DC
Domain
Controller
RDGW
Availability Zone
Private SubnetPublic Subnet
DC
Domain
Controller
RDGW
Remote
Users / Admins
Isolated VPC
in the Cloud
with RDGW
Use Route 53, Health Check &
DNS Failover
Amazon
Route 53

11. Availability Zone
Private SubnetPublic Subnet
DC
Domain
Controller
RDGW
Availability Zone
Private SubnetPublic Subnet
DC
Domain
Controller
RDGW
Isolated VPC
in the Cloud
with NAT
Use NAT instances to
provide access to remote
Internet services
* You can use Windows Routing &
Remote Access (RRAS) NAT Service
NAT
NAT
Remote Systems
Internet

12. Availability Zone
Private SubnetPublic Subnet
DC
Domain
Controller
RDGW
Availability Zone
Private SubnetPublic Subnet
DC
Domain
Controller
RDGW
NAT
NAT
Remote Systems
Internet
Isolated VPC
in the Cloud
with VPC NAT
Gateway
Use AWS Managed NAT
Gateway to reduce
administrative overhead and
optimisecosts
VPC NAT
gateway
VPC NAT
gateway

13. Remote Desktop Gateway Reference Architecture
Detailed instructions available in the “Deploy
Remote Desktop Gateway on the AWS
Cloud” White paper
Available from :
http://aws.amazon.com/windows/resources/whitepapers/rdgateway/

14. Extending your Corporate
Network to AWS

15. Extending your Corporate Data Network to AWS
• IP SEC VPN Tunnel connects over the public
Internet but has a variable performance
• Supports Static and BGP Routing
• Supports varying multi-Mbps speeds
Corporate
Data
Center
AWS
Cloud
VPN TUNNEL1
Telco
Direct Connect Link2
1
• AWS Direct Connect (DX) service allows for
dedicated telco links from your location
• Telco provides SLAs and predictable performance
• AWS provides multiple 1 Gbps & 10 Gbps links
• BGP for dynamic routing + AWS API endpoints
2
Internet

16. Availability Zone
Private SubnetPublic Subnet
NAT
DC
Domain
Controller
RDGW
Availability Zone
Private SubnetPublic Subnet
NAT
DC
Domain
Controller
MS
SQL
DB
SQL
Server
MS
SQL
DB
SQL
Server
APP
App
Server
APP
App
Server
WEB
IIS
Server
WEB
IIS
Server
RDGW
Remote
Users
Your
Hybrid
Cloud
virtual private
gateway
VPN
connection
corporate
data
network
AWS Direct
Connect

17. Microsoft Active Directory on AWS

18. Microsoft Active Directory
Create a new AD or Extend Existing?
• Lots of customers create a new “fresh” AD in AWS on EC2
• Extend trusts to existing AD for Single Sign On (SSO)
experience
If you run your own AD servers
• Treat each Availability Zone as an AD Site…
• Read Only Domain Controllers still need network connectivity

19. Availability Zone
Private SubnetPublic Subnet
NAT
RDGW
Availability Zone
Private SubnetPublic Subnet
NAT
MS
SQL
DB
SQL
Server
MS
SQL
DB
SQL
Server
APP
App
Server
APP
App
Server
WEB
IIS
Server
WEB
IIS
Server
RDGW
Your
own
AD
on EC2
virtual private
gateway
VPN
connection
corporate
data
network
AWS Direct
Connect
Domain
Controller
Domain
Controller
DC
DC

20. AWS can simplify this for you…...

21. Availability Zone
Private SubnetPublic Subnet
NAT
RDGW
Availability Zone
Private SubnetPublic Subnet
NAT
MS
SQL
DB
SQL
Server
MS
SQL
DB
SQL
Server
APP
App
Server
APP
App
Server
WEB
IIS
Server
WEB
IIS
Server
RDGW
virtual private
gateway
VPN
connection
corporate
data
network
AWS Direct
Connect
Domain
Controller
Domain
Controller
DC
DC

22. Availability Zone
Private SubnetPublic Subnet
NAT
AWS
Directory
Service
RDGW
Availability Zone
Private SubnetPublic Subnet
NAT
AWS
Directory
Service
MS
SQL
DB
SQL
Server
MS
SQL
DB
SQL
Server
APP
App
Server
APP
App
Server
WEB
IIS
Server
WEB
IIS
Server
RDGW
Replaced
With
AWS
DS
virtual private
gateway
VPN
connection
corporate
data
network
AWS Direct
Connect

23. A Microsoft Windows compatible directory service as a managed AWS service.
Usage options are:
1. Use the AWS AD Connector to simplify connecting to your existing on-­
premises Microsoft Active Directory
2. AWS Simple AD allows you to set up and operate a new Samba-­based
directory in the AWS Cloud
3. AWS Directory Service for Microsoft Active Directory (Enterprise Edition)
provides a feature-­rich managed Microsoft Active Directory hosted on the
AWS Cloud.
AWS DS is easy to manage: use the standard Windows AD admin tools
Use AWS Directory Service

24. Which option should you choose?
• AD Connector:
The best option if you want to use your existing on premises AD with AWS
services without extending your domain to the cloud
• Simple AD:
In most cases, Simple AD is the least expensive option and your best choice
if you have 5,000 or less users and don’t need the more advanced Microsoft
Active Directory features.
• Directory Service for Microsoft Active Directory (Enterprise Edition):
This is your best choice if you have more than 5,000 users and need a trust
relationship set up between an AWS hosted directory and your on-­premises
directories.
Use AWS Directory Service

25. Domain Joining to AWS Directory Service
From the AWS Console GUI
• Launch Instance Wizard

26. Instance Boot Status

27. Instance Dom Join Status to AWS Directory Service
Computer Name
Domain Details

28. AWS Directory Service (Console)
DNS IPs for your Domain Controllers in each AZ
Enabled Services

29. Microsoft SQL Server on AWS

30. SQL Server on AWS
• Wide array of choices
• Fully managed services
• Enterprise-­grade security
• 99.95% availability
• Flexible and scalable

31. SQL Server on Amazon EC2
Availability Zone 1
Private Subnet
Primary
DB
• Deploy in minutes.
Simple provisioning
via AWS-­provided AMI
• Wide range of
versions and
performance options

32. SQL Server High Availability
Availability Zone 1
Private Subnet
Primary
DB
Availability Zone 2
Secondary
Replica 1
Private Subnet
AG Listener:
ag.awslabs.net
Automatic Failover
• QuickStart reference
architecture and
CloudFormation
provided.
• Scale up to 8
instances
• 99.95% availability

33. Or…...

34. Amazon RDS for SQL Server
• Deploy in minutes
• Automated backups
• Push button scaling
• Automatic host replacement and multi AZ
deployments for high availability

35. Amazon RDS for SQL Server
• Consider RDS first
• Focus on:
• Business value tasks
• High-­level tuning tasks
• Schema optimization
• No in-­house database expertise
Choosing the right solution
• Need full control over:
• DB instance
• Backups
• Replication
• Clustering
• Use options not in Amazon RDS
SQL Server on Amazon EC2

36. Migrating data to and from Amazon RDS
Microsoft SQL Server Database
Publishing Wizard
Export to T-­SQL files, load using sqlcmd
NEW LAUNCH!
AWS Database Migration Service
Minimize downtime during migrations, migrate between
different DB platforms, Schema Conversion Tool
AWS Marketplace
Third-­party data import and export tools and
solutions
1
2
3

37. Management tools for Windows

38. AWS Simple Systems Manager (SSM)
Simple Systems Manager (SSM) facilitates the automatic configuration of AWS Elastic
Compute Cloud (EC2) instances running Windows Server OS
SSM is implemented through the EC2Config windows service already included in
Windows Server AMIs
EC2-­Config service polls SSM every 5 minutes for configuration documents (in JSON
format) containing system configurations OR force it from CLI
SSM currently supports configuration documents that allow for:
• Automated Domain Join
• MSI Package Installation/Repair/Uninstallation
• PowerShell Module Installation
• Delivery of Performance Monitor, Event Log, IIS Log, and custom log file data to CloudWatch and
CloudWatch Logs

39. SSM Document Example
{
"schemaVersion": "1.0",
"description": "MSI Install Script",
"runtimeConfig": {
"aws:applications": {
"properties": [
{
"action": "Install",
"source": "https://S3region.amazonaws.com/mybucketname/MSIs/CustomApp-x64.msi"
},
{
"action": "Install",
"source":
"http://location.s3.amazonaws.com/Firefox/Firefox-33.0.2/Firefox-33.0.2-en-US.msi",
"parameters" : "INSTALLEVEL=1000 custompath="c:foldername""
}
]
}
}
}

40. Dmitry Kulshitsky
Group Manager – Operations & Security at carsales.com.au

41. It has all started here….
Office Internet
Data Center
Isolated VPC for a small project
No VPN
No AD in the cloud
Management via Bastion hosts (RDP)

42. VPN
First Steps
Office Internet
Data Center
Multiple accounts in AWS. Peering
VPN
No AD in the cloud
Management via VPN (backend IPs)

43. Next Phase – DR Project
Data Center
Office
Multiple accounts in AWS. Peering
Direct Connect (speed, predictable SLAs)
• Required to support near real time replication
AD in the cloud. Separate Forest
One-­way trust between domains
Telco
Direct Connect Link
Domain Trust

44. WEB
IIS
Server
WEB
IIS
Server
MS
SQL
DB
SQL
Server
MS
SQL
DB
SQL
Server
APP
App
Server
APP
App
Server
Data Centre – active
AWS – passive/DR
Need to be able to switch
between DCs
Data replication?
data centre
WEB
IIS
Server
APP
App
Server
MS
SQL
DB
SQL Server
Cluster
CDN

45. Architectural Considerations and Data Replication
Latency considerations
• Avoid crossing the link for synchronous calls
• OK in failover scenarios
• Retry/failover mechanisms when making API calls
Decided to rely on 2 types of data replication
• Queue level
• RabbitMQ Shovel Plugin
• Moves messages between brokers in different administrative domains
• Resilient – tolerates intermittent connectivity issues
• Database level
• Microsoft SQL 2012 Enterprise – HA – AlwaysOn
• Async replication
• Listener (read/write copy) in the data centre

46. WEB
IIS
Server
WEB
IIS
Server
MS SQL
RDS
MS SQL
EC2 Instance
APP
App
Server
APP
App
Server
• Queue level sync (shovel)
• Databases in AWS and DC are not aware of
each other
• Can be out of sync (depends on queue item
processing speed/backlog etc)
• Various combinations of SQL
replication/mirroring in AWS (combinations of
SQL RDS and MS SQL EC2 instances) for
redundancy
• Can use MS SQL Standard Edition
data centre
WEB
IIS
Server
APP
App
Server
MS
SQL
DB
SQL Server
Cluster

47. WEB
IIS
Server
WEB
IIS
Server
MS SQL
EC2
MS SQL
EC2
APP
App
Server
APP
App
Server
• Database level sync
• AlwaysOn Availability Group is an Enterprise
Edition feature
• Allows you to fail over a group of databases as
a single entity (unlike database mirroring)
• Databases in AWS and DC are aware of each
other
• Can use sync and/or async replication
• Automatic failover (listener moves to a different
IP address)
• Single master but secondary replicas can be
used for read-­only workloads
data centre
WEB
IIS
Server
APP
App
Server
SQL Server
Cluster

48. WEB
IIS
Server
WEB
IIS
Server
MS
SQL
DB
SQL
Server
MS
SQL
DB
SQL
Server
APP
App
Server
APP
App
Server
Migration to AWS
• Context switching rule
at the LB (portion of
traffic)
data centre
WEB
IIS
Server
APP
App
Server
MS
SQL
DB
SQL Server
Cluster
CDN

49. WEB
IIS
Server
WEB
IIS
Server
MS
SQL
DB
SQL
Server
MS
SQL
DB
SQL
Server
APP
App
Server
APP
App
Server
Migration to AWS
• Once happy – change
the Origin IP address
• “Failover” the
AlwaysOn SQL to
move listener to AWS
• Very simple -­ only took
minutes to complete
• Swapped roles – DC is
now DR
data centre
WEB
IIS
Server
APP
App
Server
MS
SQL
DB
SQL Server
Cluster
CDN

50. Dmitry Kulshitsky
Group Manager – Operations & Security at carsales.com.au

51. Further reading
Microsoft Workloads on AWS Whitepapers:
https://aws.amazon.com/windows/resources/whitepapers/
AWS Quick Launches
Try Enterprise Microsoft products on AWS before you
deploy them into production:
https://aws.amazon.com/quickstart/quick-­launch/

52. Summary
You can readily and securely run Enterprise Microsoft and
many other mission critical workloads on AWS
AWS provides customers with the flexibility to run Microsoft
workloads the way they want.
• Run them as you do now, but on EC2
or
• Simplify management by replacing them with native
AWS services
• Directory Services, RDS for SQL Server, Managed NAT etc.

53. AWS Training & Certification
Intro Videos & Labs
Free videos and labs to
help you learn to work
with 30+ AWS services
– in minutes!
Training Classes
In-­person and online
courses to build
technical skills –
taught by accredited
AWS instructors
Online Labs
Practice working with
AWS services in live
environment –
Learn how related
services work
together
AWS Certification
Validate technical
skills and expertise –
identify qualified IT
talent or show you
are AWS cloud ready
Learn more: aws.amazon.com/training

54. Your Training Next Steps:
ü Visit the AWS Training & Certification pod to discuss your
training plan & AWS Summit training offer
ü Register & attend AWS instructor led training
ü Get Certified
AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag
Learn more: aws.amazon.com/training

55. Thank you!