AWS has a number of services that help enterprise customers deploy solutions that meet high performance, security, and reliability requirements. SQL Server is no exception. In this session, we will explore the different options that exist today to help enterprises meet those types of requirements. Another key capability in AWS is flexibility. Multiple options exist for how enterprises can deploy SQL Server in AWS. We will talk in detail about how to choose between a managed database model like Relational Database Service (RDS) or core compute model like Elastic Compute Cloud (EC2). Finally, we’ll wrap up with an exploration of different operational aspects of SQL Server in AWS.
6. Delivery Models for SQL Server
Amazon RDS for SQL Server
• Fully managed service
• Easy to set up, operate, scale
• Managed high availability solution
• Automated provisioning, patching,
backup and recovery
• Failed instance replacement
SQL Server on EC2 Instances
• Resizable computing capacity
• Preconfigured SQL Server AMIs
• Full control over the instances
• You are responsible for tuning,
patching, backup and recovery, HA,
management, security, etc.
7. Overview of Features
Amazon RDS for SQL Server SQL Server on Amazon EC2
Versions Supported: 2008 R2, 2012 2005*, 2008*, 2008 R2, 2012, 2014
Editions Supported: Express, Web, Standard, Enterprise
High Availability: Automated failover, Multi-AZ Self-managed (AlwaysOn, Mirroring,
Log Shipping)
Encryption: Encrypted Storage using Amazon KMS (all editions); TDE Support
Authentication: SQL Server Authentication only Windows and SQL Server Auth.
Backups: Managed Automated Backups Leverage Maintenance Plans, or 3rd
party
Patching and
Maintenance:
Automatic Software Patching Self-managed
* Self installed
8. Control vs. Cost Comparison
Cost
Control
• We recommend you consider RDS first
• Focus on tasks that bring value to your
customers/users
• Focus on high level tuning and optimizations
• Remove your dependency on special
clustering, replication, and backup
techniques
• There are still always going to be reasons to
run with full control but make sure they’re
worth it!
SQL Server on RDS
SQL Server on EC2
9. Amazon RDS SQL Server Tooling Support
• Most things still work:
• SQL Server Management
Studio
• SQL Server Tuning Advisor
• SQL Server Agent (partial)
• SQL Server Logs (agent,error)
• Not available:
• SSAS
• SSIS
• SSRS
• Not supported:
• Maintenance Plans
• Database Mail
• Linked Servers
• MSDTC
• Windows Integrated
Security
• > 4 TB DB
• 30 db per instance
11. Amazon RDS for SQL Server
• Multi-AZ Mode (high safety or high performance):
• Primary and secondary DB nodes in different Availability
Zones (AZ)
• Leverages SQL Server Mirroring
• Automatic failover (1-2 min. typically)
High Availability (HA)
12. High Availability (HA)
SQL Server on Amazon EC2
• Native SQL Server Features:
• Log Shipping: typically used for DR, increases availability
• Database Mirroring: mirrors principal to secondary
• AlwaysOn Availability Groups: failover of database group
13. Amazon RDS Built-in Management Features
• Automated backup and recovery
Max. Retention: 35 days
Restore to any second, typically up to the last 5 minutes
• Push-button DB instance class scaling
• Automatic host replacement
14. Amazon RDS Built-in Management Features
• Automatic minor version upgrade
• Pre-configured parameters and options
• Configurable administrative windows of time:
Backup Window: at least 30min once a day
Maintenance Window: at least 30min once a week
15. SQL Server Disaster Recovery (DR)
• AWS is designed to protect you from regional events
• Replicating across regions is an option
• On-Premise DR in AWS very popular
• Store Backup Data
• Pilot-Light using log shipping
16. Manage Your SQL Server Resources on AWS
Amazon
EC2 & RDS
Management
Console
AWS Command
Line Tools (CLI)
or
AWS Tools for
PowerShell
AWS SDKs AWS
CloudFormation
templates
Multiple ways to start and manage your AWS SQL Server resources
18. Elasticity
• Range of DB instance type
– From: 1 vCPU and 1 GB of RAM
– To: 36 vCPUs and 244 GB of RAM
• Grouped in instance families
• Not all editions available for all classes in Amazon
RDS
• Scale up/down by changing instance type/class
• Scale out/in by adding/removing read replicas (not in
RDS)
20. Broad Set of Compute Instance Types
M3
General
purpose
M1
Compute
optimized
C3
C1
CC2
Storage and IO
optimized
HS1
I2
HI1
G2
GPU
enabled
CG1
Memory
optimized
R3
M2
CR1
C4
D2
M4
21. Amazon EBS
• Network attached block device
– Independent data lifecycle
– Virtual disks
– Multiple volumes per EC2 instance
– Only one EC2 instance per volume
• POSIX-compliant file systems
– Virtual disk ideal for: OS boot device; file systems
• Raw block devices
– Ideal for databases
– Other raw block devices
22. Storage System I/O Performance
Amazon RDS Amazon EC2
Type Size Performance Size Performance Burst Capacity Pricing Model
Magnetic
Storage
20 GiB – 1 TiB ~ 100 IOPS 1 GiB – 1 TiB ~ 100 IOPS Yes, several
hundred IOPS
Allocated
storage; I/O
operations
General
Purpose
(SSD)
20 GiB – 6 TiB
(min. 100 GiB
recommended)
3 IOPS/GiB 1 GiB – 16 TiB 3 IOPS/GiB for
volumes 1 TiB
or less, up to
10,000 IOPS
for larger
volumes
Yes, up to
3000 IOPS per
volume,
subject to
credits (< 1 TiB
in size)
Allocated
storage
Provisioned
IOPS
(SSD)
100 GiB – 6 TiB
(min. 200 GiB
for Standard
ed.)
10 IOPS/GiB,
up to max.
20,000 IOPS
4 GiB – 16 TiB Up to 20,000
IOPS; ratio: 3
to 30 IOPS per
GiB
No, fixed
allocation
Allocated
storage;
Provisioned
IOPS
23. I/O Performance Planning
• Amazon RDS maximum channel bandwidth: 1000 Mbps full
duplex
• Amazon EBS maximum volume throughput: 320 MiB/s
• IOPS provisioning: each I/O up to 256 KiB = 1 IOPS (SQL
Server Default: 4K)
• Average Queue Depth: I/O requests waiting to be serviced
• First touch penalty for EBS volumes
• Consider Instance Storage with strong backup strategy for high
performance databases
• Amazon EC2: Consider striping multiple EBS volumes
• Amazon RDS: Storage cannot scale once deployed
25. AWS Shared Responsibility Model
• Moving IT infrastructure to AWS creates a shared responsibility
model between the customer and AWS.
• Scope of responsibility depends on the type of service offered by
AWS:
– Infrastructure
– Container
– Abstracted Services
• Understanding who is responsible for what is critical to
ensuring your AWS data and systems are secure!
26. Securing SQL Server on AWS
Network Layer
Controls
DB Instance Access
Controls
Data Access
Controls
Encryption
Security layers to consider when deploying SQL Server workloads on AWS:
27. Securing SQL Server on AWS: Network
• Networking Platform: EC2-VPC is recommended
• Private, isolated section of the AWS Cloud
• Subnets and AZ specificity (RDS: DB Subnet Groups)
• Route Tables and NACLs
Security Groups:
• Restrict inbound traffic to database-related traffic only
• Leverage security group references
Public Access:
• Limit access to known sources
• Potential for more frequent patching
28. Securing SQL Server on AWS: Instance Access
Amazon Identity and Access Management (IAM)
• Control create, modify, delete DB instance rights
• Multi-Factor Authentication (MFA)
• Grant least privileges to IAM users, groups roles
• Use strong password policies
• Rotate credentials
• Lock away root account credentials
• Federated access from Active Directory
Amazon CloudTrail
• Log AWS API invocations for audit purposes
29. Securing SQL Server on AWS: Data Access
• Least Privileges logins for workloads, applications
and end users
Amazon RDS for SQL Server
• SQL Server Authentication only
• Use master user login ID only for administrative
purposes
SQL Server on Amazon EC2
• Windows and SQL Server Authentication
• Active Directory integration
30. Securing SQL Server on AWS: Encryption
Data-At-Rest Protection:
• Encrypted DB instances using Amazon KMS
• SQL Server Transparent Data Encryption (TDE)
• SQL Server column-level
• Encrypting data in the application before it is
saved to the database instance.
Data-In-Transit Protection:
• Support for encrypted connections via SSL
31. How AWS Services Integrate with AWS Key
Management Service
• Two-tiered key hierarchy using envelope
encryption
• Unique data key encrypt customer data
• AWS KMS master keys encrypt data keys
• Benefits of envelope encryption:
• Limits risk of a compromised data key
• Better performance for encrypting large data
• Easier to manage a small number of master keys
than millions of data keys
Customer Master
Key(s)
Data Key 1
Amazon
S3 Object
Amazon
EBS
Volume
Amazon
Redshift
Cluster
Data Key 2 Data Key 3 Data Key 4
Custom
Application
AWS KMS
32. AWS Key Management Service
Reference Architecture
Application or
AWS Service
+
Data Key Encrypted Data Key
Encrypted
Data
Master Key(s) in
Customer’s Account
AWS
Key Management Service
1. Application or AWS service client requests an encryption key to use to encrypt data, and passes a
reference to a master key under the account.
2. Client request is authenticated based on whether they have access to use the master key.
3. A new data encryption key is created and a copy of it is encrypted under the master key.
4. Both data key and encrypted data key are returned to the client. Data key is used to encrypt
customer data and then deleted as soon as is practical.
5. Encrypted data key is stored for later use and sent back to AWS KMS when the source data
needs to be decrypted.
33. AWS Key Management Service
Providing security for your keys
• Plaintext keys are never stored in persistent memory on runtime
systems
• Automatically rotate your keys for you
• Separation of duties between systems that use master keys and data
keys
• Multi-party controls for all maintenance on systems that use your
master keys
• See public white papers and Service Organization Control (SOC 1)
compliance package
35. Cost Optimization
SQL Server operational cost depends on:
• region selected
• instance class/type
• storage type and size
• runtime
• Multi-AZ mode
• pricing model
• licensing model
36. Cost Optimization
On-Demand
Pay by the hour
No term commitment
EC2 Reserved Instances
No-upfront
Partial-upfront
All-upfront RIs
RDS Reserved Instances
No-upfront
Partial-upfront
All-upfront RIs
Reserved Instances (RIs) available for 1 and 3 year terms
Save up to 60% over on-demand costs
38. Monitoring Your SQL Server Workloads
• Set Alarms & Notifications for
abnormal conditions
• Default metrics for Amazon
EC2 & Amazon RDS
• Add custom metrics (Amazon
EC2)
Monitor performance using Amazon CloudWatch
39. System Center Ops Manager on AWS
• Management Pack for System Center
2012 / 2007 R2
• Resource Pool uses IAM Key for
connectivity
• Monitor all of the following:
• EC2 Instances
• EBS Volumes
• ELB load balancers
• Auto scaling groups
• Elastic beanstalk applications
• CloudFormation Stacks
• CloudWatch Alarms
• CloudWatch Custom Metrics
40. Summary
1. RDS can be for production workloads
2. You have choices
3. Understand the cost vs. control aspects of your
choice
4. Always remember that AWS is flexible … your
decision is not frozen in time!