Learn how to architect highly available and scalable Microsoft solutions and environments in AWS. Find out how Microsoft solutions can leverage various AWS services to achieve more resiliency, remove unnecessary complexity, simplify architecture, provide scalability, and introduce DevOps concepts, automation and repeatability. Plan authentication and authorization, and various hybrid scenarios with other cloud environments and on-premises solutions/infrastructure. Learn about common architecture patterns for Active Directory and business productivity solutions like SharePoint, Exchange and Skype for Business, as well as common scenarios for SQL Server deployments and System Center.
2. What to Expect from the Session
• Simplicity and Automation
• Microsoft Architectures on AWS and how to build them
• Identity and Access Management
• SQL Server
• Developers
• Administration
3. AWS service offerings for Windows workloads (diagram; services listed per category in the order the diagram shows them)
• Developer platform and tools / DevOps: AWS Elastic Beanstalk, AWS CodeDeploy, AWS CloudFormation
• Corporate applications: Amazon EC2 for Windows, Amazon RDS, AWS CloudFormation, Amazon CloudFront
• Line of business (business) applications: EC2 for Windows, AWS Directory Service, RDS, AWS Marketplace
• End-user computing: Amazon WorkSpaces, Amazon AppStream, AWS Marketplace, AWS Mobile Services, SaaS
• Information security: AWS Identity and Access Management (IAM), AWS CloudHSM, AWS Key Management Service (KMS), security groups, AWS Marketplace
• Infrastructure: EC2, Amazon S3, RDS, Amazon VPC, AWS Direct Connect, Directory Service, IAM, AWS Service Catalog
6. Sample Microsoft Architecture (diagram)
Two Availability Zones, each with a public subnet (RDGW, VPC NAT Gateway) and a private subnet (IIS Web tier, IIS App tier, AWS Directory Service, MS SQL). The two MS SQL nodes form an Always On Availability Group across the AZs, the IIS tiers are in Auto Scaling groups, and a VPC Endpoint connects the VPC to Amazon S3. Remote users enter through the Internet Gateway; the Corporate Office connects over VPN or AWS Direct Connect to a Virtual Private Gateway.
8. Shared Service VPC
• Best suited for:
  • The majority of your infrastructure on AWS
  • Required on-premises resources are easy to replicate or proxy (e.g., Active Directory, System Center, central SQL farm)
  • You prefer to limit VPN traffic
  • Strong security or compliance programs require additional application-level controls and proxy servers between their AWS and on-premises resources (e.g., application-layer firewalls)
9. CloudFormation – Infrastructure as Code
Basic standard in AWS for automating deployment of resources
CloudFormation template
• JSON- or YAML-formatted document that describes a configuration to be deployed in an AWS account
• When deployed, the resulting set of resources is called a “stack”
• Bootstrapping AWS CloudFormation Windows Stacks, http://tinyurl.com/aws-win-boot
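The following is an added example (not part of the original deck or AWS's own sample templates) of the bootstrapping pattern above: a YAML template that builds an RD Gateway instance, installs the role with cfn-init, and uses a CreationPolicy so the stack only succeeds once cfn-signal reports the bootstrap finished. It is deployed with the AWS Tools for PowerShell. The stack name, resource names, the VPC/subnet/AMI/key-pair IDs and the admin CIDR (an RFC 5737 documentation address) are placeholders you substitute; it assumes credentials are already configured (Set-AWSCredential or an instance role).

```powershell
# Added example: deploy a cfn-init-bootstrapped Windows RD Gateway stack.
# Assumes AWS Tools for PowerShell, configured credentials, and real IDs in place of the placeholders.

$template = @'
AWSTemplateFormatVersion: '2010-09-09'
Description: RD Gateway bootstrapped with cfn-init; HTTPS reachable only from the admin network
Parameters:
  AdminCidr:
    Type: String
    Description: CIDR allowed to reach the gateway on TCP 443 (never 0.0.0.0/0)
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/(2[4-9]|3[0-2])$'
  VpcId:        { Type: 'AWS::EC2::VPC::Id' }
  SubnetId:     { Type: 'AWS::EC2::Subnet::Id' }
  KeyName:      { Type: 'AWS::EC2::KeyPair::KeyName' }
  WindowsAmiId: { Type: 'AWS::EC2::Image::Id' }
Resources:
  RdgwSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RD Gateway - TCP 443 from admin network only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref AdminCidr }
  Rdgw:
    Type: AWS::EC2::Instance
    CreationPolicy:
      ResourceSignal: { Timeout: PT30M }      # stack fails unless cfn-signal reports success in time
    Metadata:
      AWS::CloudFormation::Init:
        config:
          commands:
            01-install-rdgw:
              command: powershell.exe -Command "Install-WindowsFeature RDS-Gateway -IncludeManagementTools"
              waitAfterCompletion: '0'
    Properties:
      ImageId: !Ref WindowsAmiId
      InstanceType: t3.medium
      KeyName: !Ref KeyName
      SubnetId: !Ref SubnetId
      SecurityGroupIds: [ !Ref RdgwSecurityGroup ]
      UserData:
        Fn::Base64: !Sub |
          <script>
          cfn-init.exe -v --stack ${AWS::StackName} --resource Rdgw --region ${AWS::Region}
          cfn-signal.exe -e %ERRORLEVEL% --stack ${AWS::StackName} --resource Rdgw --region ${AWS::Region}
          </script>
Outputs:
  GatewayInstanceId: { Value: !Ref Rdgw }
'@

# 1. Validate syntax and parameter declarations before touching the account
Test-CFNTemplate -TemplateBody $template | Out-Null

# 2. Create the stack; AdminCidr is the only network that may reach port 443 (placeholder values)
$parameters = @(
    @{ ParameterKey = 'AdminCidr';    ParameterValue = '203.0.113.10/32' },
    @{ ParameterKey = 'VpcId';        ParameterValue = 'vpc-0123456789abcdef0' },
    @{ ParameterKey = 'SubnetId';     ParameterValue = 'subnet-0123456789abcdef0' },
    @{ ParameterKey = 'KeyName';      ParameterValue = 'corp-admin-key' },
    @{ ParameterKey = 'WindowsAmiId'; ParameterValue = 'ami-0123456789abcdef0' }
)
$stackId = New-CFNStack -StackName 'rdgw-demo' -TemplateBody $template -Parameter $parameters

# 3. Block until cfn-signal has confirmed the bootstrap; on timeout CloudFormation rolls the stack back
Wait-CFNStack -StackName 'rdgw-demo' -Status CREATE_COMPLETE -Timeout 1800 | Out-Null
(Get-CFNStack -StackName 'rdgw-demo').Outputs
```

The AllowedPattern on AdminCidr rejects anything wider than a /24 at template-validation time, so an operator cannot accidentally pass 0.0.0.0/0; the CreationPolicy turns a failed Install-WindowsFeature into a stack rollback rather than a half-configured gateway that silently stays running.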
12. The Work* Services (diagram)
• WorkDocs: secure enterprise document collaboration; central sync, document feedback; secure access from anywhere; S3-backed storage
• WorkSpaces: virtual desktops; secure access from anywhere; monthly pricing
• WorkSpaces Application Manager: virtual applications; centralized application deployment; monthly subscription options
• WorkMail: secure email and calendaring; strong security controls; existing desktop and mobile client support
• Directory Service: managed directories; Simple AD, AD Connector, Microsoft AD
13. Run Windows Server 2016 on Amazon EC2
• Windows Server 2016 Datacenter with Desktop
Experience
• Windows Server 2016 Nano Server
• Windows Server 2016 with Containers
• docker run microsoft/sample-dotnet
• Windows Server 2016 with SQL Server 2016
15. AWS Identity and Access Management (IAM)
• Role-based access control
• Multi-factor authentication
• Integrated with all AWS services
• IAM roles
16. Active Directory Deployments – Isolated domains (diagram)
Corporate Network: DC1 (Munich) and DC2 (Berlin) in company.local. AWS: DC3 (Availability Zone A, private subnet) and DC4 (Availability Zone B, private subnet) in company.cloud, provided by AWS Directory Service; the sites are connected over VPN or AWS Direct Connect.
Separate identities with synchronization/federation between company.local and company.cloud → solutions such as AD FS, Okta, PingFederate
17. Single domain extended to multiple sites (diagram)
Corporate Network: DC1 (Munich) and DC2 (Berlin). AWS: DC3 (Availability Zone A, private subnet) and DC4 (Availability Zone B, private subnet). All four domain controllers belong to the single domain company.local; the sites are linked over VPN or AWS Direct Connect, with AD site-link costs of 50 and 10 shown on the diagram to steer replication and logon traffic.
One single identity, data center extension mode (rely on Active Directory sites, read-only domain controllers or not)
18. One subdomain per site (diagram)
Corporate Network: DC1 (Munich) and DC2 (Berlin) in company.local. AWS: DC3 (Availability Zone A, private subnet) and DC4 (Availability Zone B, private subnet) in the child domain cloud.company.local; the sites are linked over VPN or AWS Direct Connect.
Isolated subset of the directory, single identity for users (Active Directory domains in a single forest)
19. One forest per site and trust (diagram)
Corporate Network: DC1 (Munich) and DC2 (Berlin) in company.local. AWS: DC3 (Availability Zone A, private subnet) and DC4 (Availability Zone B, private subnet) in company.cloud, provided by AWS Directory Service, with a trust between the two forests over VPN or AWS Direct Connect.
Separate directories, single identity (cross-forest/resource forest with trust)
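As an added example (not from the deck, and not AWS's or Microsoft's documentation code), this is how the resource-forest trust in slide 19 can be set up so that company.cloud trusts company.local and not the other way round: the AWS side with the AWS Tools for PowerShell cmdlets for AWS Directory Service, the on-premises side with the .NET DirectoryServices API from a domain controller. It assumes a hypothetical directory ID d-1234567890, constructed DNS addresses for both forests, that the cmdlets accept the parameter names shown (they mirror the CreateTrust API fields), and that it runs as an Enterprise Admin of company.local with the ActiveDirectory and DnsServer modules available.

```powershell
# Added example: one-way forest trust, company.cloud (AWS Managed Microsoft AD) -> company.local (on-premises).
# Assumes: directory ID, IP addresses and forest names below are placeholders; run on an on-prem DC as Enterprise Admin.

$directoryId  = 'd-1234567890'                  # hypothetical AWS Managed Microsoft AD
$onPremForest = 'company.local'
$onPremDnsIps = @('10.10.0.10', '10.10.0.11')   # constructed on-prem DC addresses
$cloudDnsIps  = @('10.0.2.10', '10.0.3.10')     # constructed AWS directory DNS addresses

# A strong, single-use trust password; both sides must be created with the same value
$trustPassword = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })

# 1. AWS side: "One-Way: Outgoing" means the AWS directory trusts company.local, so on-prem users can
#    reach cloud resources while cloud accounts are never valid on-premises. SelectiveAuth keeps every
#    on-prem principal out of cloud resources until it is granted "Allowed to authenticate" explicitly.
$trustId = New-DSTrust -DirectoryId $directoryId `
                       -RemoteDomainName $onPremForest `
                       -TrustPassword $trustPassword `
                       -TrustDirection 'One-Way: Outgoing' `
                       -TrustType Forest `
                       -SelectiveAuth Enabled `
                       -ConditionalForwarderIpAddr $onPremDnsIps

# 2. On-premises side: name resolution for company.cloud, then the matching inbound half of the trust
#    (inbound = the remote forest trusts our users)
Add-DnsServerConditionalForwarderZone -Name 'company.cloud' -MasterServers $cloudDnsIps -ReplicationScope Forest
$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$localForest.CreateLocalSideOfTrustRelationship('company.cloud',
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound, $trustPassword)

# 3. Verify the trust from the AWS side and confirm SID filtering (quarantine) is still on locally:
#    with it off, a compromised company.cloud could inject SID-History for company.local privileged groups
Approve-DSTrust -TrustId $trustId | Out-Null
Get-DSTrust -DirectoryId $directoryId |
    Select-Object RemoteDomainName, TrustDirection, TrustType, TrustState, SelectiveAuth
Get-ADTrust -Filter "Name -eq 'company.cloud'" |
    Select-Object Name, Direction, ForestTransitive, SIDFilteringQuarantined, SelectiveAuthentication
```

If the last line shows SIDFilteringQuarantined as False, re-enable it with netdom trust company.local /d:company.cloud /quarantine:yes before putting the trust into service; the cloud forest needs only a trust relationship, never domain-admin rights in company.local.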
20. User identity federation with AWS IAM (diagram)
AD users authenticate to corporate systems and enterprise applications; the same identities are federated to AWS IAM and mapped to IAM roles that grant access to EC2, Amazon DynamoDB and S3.
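The following added example (not the deck's own material) shows the two halves of the federation drawn in slide 20 with AD FS as the identity provider: registering the IdP and a role in IAM with a trust policy scoped to that provider and the AWS sign-in audience, then using the AWS Tools for PowerShell SAML profile so an administrator gets short-lived STS credentials instead of stored access keys. The AD FS hostname, account ID 123456789012, role and profile names are placeholders; it assumes AD FS is already configured to emit the Role and RoleSessionName claims for the AWS relying party.

```powershell
# Added example: SAML federation from AD FS into IAM roles. Hostnames, account ID and names are placeholders.

$accountId    = '123456789012'
$providerName = 'ADFS'

# 1. Register the IdP in IAM from its signed federation metadata (carries the IdP token-signing certificate)
$metadata    = Invoke-WebRequest -Uri 'https://adfs.company.local/FederationMetadata/2007-06/FederationMetadata.xml' -UseBasicParsing
$providerArn = New-IAMSAMLProvider -Name $providerName -SAMLMetadataDocument $metadata.Content

# 2. A role only this IdP may assume, and only with assertions issued for the AWS sign-in audience.
#    Without the SAML:aud condition an assertion minted for another relying party could be replayed here.
$trustPolicy = @"
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "$providerArn" },
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": { "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" } }
  }]
}
"@
New-IAMRole -RoleName 'ADFS-ReadOnly' -AssumeRolePolicyDocument $trustPolicy -MaxSessionDuration 3600 | Out-Null
Register-IAMRolePolicy -RoleName 'ADFS-ReadOnly' -PolicyArn 'arn:aws:iam::aws:policy/ReadOnlyAccess'

# 3. On the administrator's domain-joined workstation: authenticate to AD FS with the Windows logon (NTLM here,
#    Kerberos also works) and store a profile that maps to the role; no long-lived access key is written to disk.
Set-AWSSamlEndpoint -Endpoint 'https://adfs.company.local/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices' `
                    -StoreAs 'ADFS' -AuthenticationType NTLM
Set-AWSSamlRoleProfile -EndpointName 'ADFS' `
                       -RoleArn "arn:aws:iam::${accountId}:role/ADFS-ReadOnly" `
                       -PrincipalArn $providerArn `
                       -StoreAs 'company-readonly'

# Every call with the profile uses an STS token bounded by MaxSessionDuration
(Get-STSCallerIdentity -ProfileName 'company-readonly').Arn      # arn:aws:sts::...:assumed-role/ADFS-ReadOnly/<RoleSessionName>
Get-S3Bucket -ProfileName 'company-readonly' | Select-Object BucketName
```

The RoleSessionName claim is what ends up in CloudTrail, so map it to the user's UPN or sAMAccountName on the AD FS side; otherwise every federated call is attributed to the role rather than the person.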
22. SQL Server on Amazon EC2
§ Licensing Options
  § Purchase an Amazon Machine Image (AMI) that includes Windows and SQL Server
  § Purchase a Windows AMI and install SQL Server yourself (BYOL)
§ Windows or Mixed Authentication
§ You manage the virtual machine security, storage, network ports, etc.
§ Full SQL Server sysadmin privileges
23. Multi-AZ AlwaysOn Availability Group (diagram)
Within one AWS Region: EC2 primary replica in Availability Zone 1 (private subnet) and EC2 secondary replica in Availability Zone 2 (private subnet); synchronous commit with automatic failover.
24. Multi-Region AlwaysOn Availability Group (diagram)
AWS Region A: EC2 primary replica in Availability Zone 1 (private subnet; instance 10.0.2.100, WSFC 10.0.2.101, AG listener 10.0.2.102) and EC2 secondary replica in Availability Zone 2 (private subnet; instance 10.0.3.100, WSFC 10.0.3.101, AG listener 10.0.3.102); synchronous commit with automatic failover.
AWS Region B: EC2 secondary replica in Availability Zone 1 (private subnet; instance 10.1.2.100, WSFC 10.1.2.101, AG listener 10.1.2.102); asynchronous commit with manual failover.
Each replica's subnet therefore carries three addresses (the instance, the WSFC cluster IP and the AG listener IP); the two regions are connected by VPN between Elastic IPs.
25. What is Amazon RDS?
§ Managed database service
§ Automatic patching, backups, mirroring, etc.
§ Automatic Host Replacement protects you in the event of a
hardware failure.
§ 6 database engines to choose from: Amazon Aurora,
Oracle, PostgreSQL, MySQL, MariaDB, and SQL Server
§ License-included and BYOL options available
26. SQL Server on Amazon RDS
§ Up to 30 databases per instance
§ Windows or Mixed Authentication
§ Optional managed Multi-AZ deployment for high availability
§ Transparent Data Encryption for encryption at rest and SSL/TLS to secure data in transit
§ Native backup and restore for Microsoft SQL Server databases using full backup files (.bak files)
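As an added example (not from the deck or AWS documentation), the following turns the last two bullets into concrete, checkable steps: force encrypted client sessions on the instance, verify from inside a session that it really is encrypted, and take a KMS-encrypted native backup to S3, polling the asynchronous RDS task until it finishes. It assumes the AWS Tools for PowerShell and the SqlServer module (Invoke-Sqlcmd) are installed, the instance uses a custom parameter group and an option group with the SQLSERVER_BACKUP_RESTORE option, the RDS CA certificate is in the client's trust store, and that the endpoint, parameter group, bucket, KMS key ARN and database name are placeholders.

```powershell
# Added example: enforce TLS on an RDS SQL Server instance and run a KMS-encrypted native backup to S3.
# Endpoint, parameter group, bucket, key ARN and database name below are placeholders.

$endpoint = 'appdb.abcdefghijkl.eu-central-1.rds.amazonaws.com'
$login    = Get-Credential -Message 'RDS SQL login (not the master user for day-to-day work)'

# 1. Reject unencrypted client sessions at the server. rds.force_ssl is a static parameter,
#    so it takes effect at the next reboot of the instance.
Edit-RDSDBParameter -DBParameterGroupName 'sqlserver-se-13-hardened' `
                    -Parameter @{ ParameterName = 'rds.force_ssl'; ParameterValue = '1'; ApplyMethod = 'pending-reboot' }

# 2. Connect with encryption required. TrustServerCertificate is deliberately left off so the endpoint's
#    certificate is validated against the RDS CA; then prove the session is encrypted from the server's view.
$sqlArgs = @{
    ServerInstance    = "$endpoint,1433"
    Credential        = $login
    EncryptConnection = $true
}
$session = Invoke-Sqlcmd @sqlArgs -Database master -Query @'
SELECT session_id, encrypt_option, auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
'@
if ($session.encrypt_option -ne 'TRUE') { throw "Session to $endpoint is not encrypted" }

# 3. Native full backup straight to S3, encrypted with a customer-managed KMS key.
#    RDS runs the task asynchronously; poll rds_task_status until it leaves CREATED/IN_PROGRESS.
Invoke-Sqlcmd @sqlArgs -Database msdb -Query @'
EXEC msdb.dbo.rds_backup_database
     @source_db_name           = 'AppDb',
     @s3_arn_to_backup_to      = 'arn:aws:s3:::company-sql-backups/AppDb/AppDb-full.bak',
     @kms_master_key_arn       = 'arn:aws:kms:eu-central-1:123456789012:key/11111111-2222-3333-4444-555555555555',
     @overwrite_S3_backup_file = 1,
     @type                     = 'FULL';
'@
do {
    Start-Sleep -Seconds 30
    $task = Invoke-Sqlcmd @sqlArgs -Database msdb -Query "EXEC msdb.dbo.rds_task_status @db_name = 'AppDb';" |
            Sort-Object task_id -Descending | Select-Object -First 1
    Write-Host ("Backup task {0}: {1} ({2}% complete)" -f $task.task_id, $task.lifecycle, $task.'% complete')
} while ($task.lifecycle -in 'CREATED', 'IN_PROGRESS')
if ($task.lifecycle -ne 'SUCCESS') { throw "Backup failed: $($task.task_info)" }
```

The encrypt_option check matters because a client can silently fall back to a plaintext session if EncryptConnection is forgotten on one tool; with rds.force_ssl set the server refuses such sessions outright, and the query confirms the two settings agree. Restoring the .bak into a second instance uses rds_restore_database with the same S3 ARN and key.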
27. SQL Server HA/DR on RDS
§ Spans Availability Zones
§ Automatic Failover
§ Automatic Host Replacement
§ Automatic Backups
§ Automatic Software Patching (can be disabled)
28. Multi-AZ SQL Server on Amazon RDS (diagram)
Within one AWS Region: Amazon RDS primary in Availability Zone 1 (private subnet) and Amazon RDS secondary in Availability Zone 2 (private subnet); synchronous commit with automatic failover, operated as a managed service.
29. SQL Server EC2 vs. RDS: Which should I use?
Capability                                  | EC2 | RDS
License included                            | yes | yes
BYOL                                        | yes | yes
Full control over the instance              | yes | -
Automated backups                           | -   | yes
Self-managed AlwaysOn Availability Groups   | yes | -
AWS-managed Multi-AZ deployment             | -   | yes
30. What about the rest of SQL Server?
§ Integration Services (SSIS)
§ Reporting Services (SSRS)
§ Analysis Services (SSAS)
§ SQL Agent
§ Service Broker
§ Data Quality Service
§ Master Data Service
31. What about the rest of SQL Server?
§ Remember: RDS is a managed database engine.
§ Most tools or drivers (OLE DB, ODBC, or ADO.NET) that
connect to SQL Server can connect to an RDS instance.
§ For example, SSIS running on EC2 or on-premises can
use a connection to an RDS SQL Server (or other
engine) instance as long as the network ports are
properly configured.
33. AWS SDK and Tools for .NET Architecture (diagram)
• Execution platform: .NET 3.5, .NET 4.5, Phone, Store, ASP.NET 5
• AWS SDK, low-level service APIs: service clients over the AWS endpoints (REST API)
• AWS SDK, higher-level utility APIs: Amazon S3 Transfer Utility, Amazon DynamoDB object persistence, VM Import, Resource API, …
• AWS tools: AWS Tools for Windows PowerShell, AWS Toolkit for Visual Studio, ASP.NET session provider, trace listener, …
34. AWS Toolkit for Visual Studio
Full integration in Visual Studio; the toolkit builds on the .NET SDK.
35. AWS also provides extended support
AWS Elastic Beanstalk
• Deploy from within Visual Studio; automatic log rotation to Amazon S3
AWS CodeCommit/CodePipeline/CodeDeploy
• Manage a large fleet (on-premises and cloud-based)
.NET SDK and PowerShell cmdlets
• Integration in custom build pipelines in TFS or CruiseControl.NET
AWS native integrations
• Jenkins and Bamboo have native integration with AWS
• Other IDEs support AWS (Unity, Xamarin Studio, Eclipse, …)
37. Secure remote administration architecture (diagram)
Public subnet, Gateway Security Group: accept TCP port 443 from the administrator's IP only. Private subnet, Web Security Group: accept traffic from the Gateway Security Group only. The AWS administrator in the corporate data center reaches RDGW over TCP 443, and RDGW reaches WEB1 and WEB2.
Requires one connection:
• Connect to the RD Gateway, and the gateway proxies the RDP or PowerShell connection to the back-end instance.
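The two security-group rules in the diagram are easy to state and easy to drift from. The following added example (not from the deck) audits them with the AWS Tools for PowerShell: the gateway group may only accept TCP 443 from the admin network, and the web group may only expose the administration ports (RDP 3389, WinRM 5985/5986) to the gateway group, never to a CIDR. It assumes the groups are tagged Tier=Gateway and Tier=Web (a constructed convention) and that 203.0.113.0/24 stands in for the administrators' network.

```powershell
# Added example: verify the admin -> RD Gateway (443) -> web tier path is the only remote-administration route.
# Assumes Tier=Gateway / Tier=Web tags on the security groups and a placeholder admin CIDR.

$adminCidr  = '203.0.113.0/24'
$adminPorts = 3389, 5985, 5986          # RDP, WinRM HTTP/HTTPS: reachable through the gateway only
$gatewaySgs = Get-EC2SecurityGroup -Filter @{ Name = 'tag:Tier'; Values = 'Gateway' }
$webSgs     = Get-EC2SecurityGroup -Filter @{ Name = 'tag:Tier'; Values = 'Web' }
$gatewayIds = @($gatewaySgs.GroupId)
$findings   = @()

# Collect every CIDR source on a rule (both the legacy IpRanges strings and the typed Ipv4/Ipv6 ranges)
function Get-RuleCidrs($rule) {
    @($rule.IpRanges) + @($rule.Ipv4Ranges.CidrIp) + @($rule.Ipv6Ranges.CidrIpv6) | Where-Object { $_ }
}

foreach ($sg in $gatewaySgs) {
    foreach ($rule in $sg.IpPermissions) {
        # Gateway tier: nothing but TCP 443, and only from the admin network
        if ($rule.IpProtocol -ne 'tcp' -or $rule.FromPort -ne 443 -or $rule.ToPort -ne 443) {
            $findings += "$($sg.GroupId): gateway exposes $($rule.IpProtocol)/$($rule.FromPort)-$($rule.ToPort), expected tcp/443 only"
        }
        foreach ($cidr in Get-RuleCidrs $rule | Where-Object { $_ -ne $adminCidr }) {
            $findings += "$($sg.GroupId): gateway accepts traffic from $cidr, expected $adminCidr"
        }
        foreach ($src in @($rule.UserIdGroupPairs.GroupId) | Where-Object { $_ }) {
            $findings += "$($sg.GroupId): gateway accepts traffic from security group $src"
        }
    }
}

foreach ($sg in $webSgs) {
    foreach ($rule in $sg.IpPermissions) {
        # Web tier: any rule covering an admin port (or all traffic) must be sourced from the gateway group
        $coversAdminPort = $adminPorts | Where-Object { $_ -ge $rule.FromPort -and $_ -le $rule.ToPort }
        if ($rule.IpProtocol -eq '-1' -or $coversAdminPort) {
            foreach ($cidr in Get-RuleCidrs $rule) {
                $findings += "$($sg.GroupId): admin ports $($rule.FromPort)-$($rule.ToPort) open to CIDR $cidr"
            }
            foreach ($src in @($rule.UserIdGroupPairs.GroupId) | Where-Object { $_ -and $_ -notin $gatewayIds }) {
                $findings += "$($sg.GroupId): admin ports $($rule.FromPort)-$($rule.ToPort) open to non-gateway group $src"
            }
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'Remote-administration path verified: admin -> gateway (tcp/443) -> web tier only.'
```

Run it from a scheduled job or a pipeline gate; the non-zero exit is what makes a stray "3389 from 0.0.0.0/0" added during an incident fail the next check instead of surviving unnoticed.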
38. Amazon EC2 Systems Manager
• EC2 Run Command
• AWS Tools for Windows PowerShell integration
• Automation: customizable, auditable, delegated administration
• Leverage Amazon EC2 Systems Manager for:
  • Auto domain join
  • No machine access
  • Full traceability
  • Fine-grained control
• http://tinyurl.com/AWS-SSM-Home
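The following added example (not from the deck or the AWS documentation) shows what "no machine access, full traceability, fine-grained control" looks like in practice: an IAM policy that lets an operator send only the AWS-RunPowerShellScript document, only to instances tagged Role=Web, and a Run Command invocation whose output is written to S3 while the API call itself is logged by CloudTrail under the caller's identity. It assumes the AWS Tools for PowerShell, target instances with the SSM agent and an instance profile that includes AmazonSSMManagedInstanceCore, the Role=Web tag (a constructed convention) and placeholder policy and bucket names.

```powershell
# Added example: delegated, audited fleet administration with Run Command instead of interactive logons.
# Assumes SSM-managed instances tagged Role=Web and placeholder IAM policy / S3 bucket names.

# 1. Least privilege for the operator: one document, tagged targets only, plus reading results
$operatorPolicy = @'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ssm:*:*:document/AWS-RunPowerShellScript" },
    { "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": { "StringEquals": { "ssm:resourceTag/Role": "Web" } } },
    { "Effect": "Allow",
      "Action": [ "ssm:ListCommands", "ssm:ListCommandInvocations", "ssm:GetCommandInvocation" ],
      "Resource": "*" }
  ]
}
'@
New-IAMPolicy -PolicyName 'ssm-web-operator' -PolicyDocument $operatorPolicy | Out-Null

# 2. The command: IIS service state and the date of the newest installed hotfix on every web server.
#    The script body and the caller are recorded by CloudTrail; the output goes to S3 for the audit trail.
$script = @(
    'Get-Service W3SVC | Select-Object Name, Status',
    '(Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn'
)
$cmd = Send-SSMCommand -DocumentName 'AWS-RunPowerShellScript' `
                       -Target @{ Key = 'tag:Role'; Values = 'Web' } `
                       -Parameter @{ commands = $script } `
                       -Comment 'IIS health and patch age check' `
                       -OutputS3BucketName 'company-ssm-output' -OutputS3KeyPrefix 'run-command' `
                       -TimeoutSecond 300

# 3. Wait for all targets, then read the per-instance result without ever opening a session to a machine
do {
    Start-Sleep -Seconds 5
    $status = (Get-SSMCommand -CommandId $cmd.CommandId).Status
} while ($status -in 'Pending', 'InProgress')

Get-SSMCommandInvocation -CommandId $cmd.CommandId -Detail $true | ForEach-Object {
    [pscustomobject]@{
        InstanceId = $_.InstanceId
        Status     = $_.Status
        Output     = (@($_.CommandPlugins) | ForEach-Object { $_.Output }) -join "`n"
    }
}
```

Domain join works the same way with the AWS-JoinDirectoryServiceDomain document in place of AWS-RunPowerShellScript, so no one needs a local administrator password on a freshly launched instance to get it into company.local.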