Moving Enterprise Windows Workloads to AWS

Technical 201: Moving Enterprise Windows Workloads to AWS

The cloud is the new norm for organizations of all sizes. In this session you will learn how to create an entire Microsoft enterprise environment in AWS that includes AWS Directory Service, the Amazon EC2 Simple Systems Manager (SSM) service, Microsoft Exchange and SharePoint. These further integrate with end-user productivity services such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail.

Speaker: Dr Peter Stanski, Solutions Architect, Amazon Web Services


1. Moving Enterprise Windows Workloads to AWS. Peter ‘Dr Pete’ Stanski, Principal Solutions Architect, Amazon Web Services
2. Technical Session Grading: Business 101, Technical 201, Technical 301, Technical 401
3-4. AGENDA: Enterprise MSFT Applications + Windows OS + AWS Services = Enterprise Grade IT Workloads in your Private Hybrid Cloud
5. Microsoft Workloads on AWS: Major companies run Microsoft Exchange, SharePoint and Lync on AWS. Some of the world’s largest enterprise websites run on SharePoint; .NET, ASP.NET, COM/COM+ and many other Wintel technologies; Enterprise Voice and IM are also suitable workloads; large enterprise Exchange email deployments.
6. Hi! I’m Aaron McKeown. Platform Architect, Platform Services Team, Xero.
7. Xero: leading small business cloud platform. Vision: Millions of people all over the world love doing business on Xero. Mission: Grow prosperity by connecting people through beautifully designed business software. Goal: Achieving scale and value by winning one million+ customers.
8. Xero SQL Design Principles: 3 key principles for data: Resiliency, Availability, Security. Xero is built on a SQL Server foundation.
9. Our Journey so far: Why Microsoft SQL Server on EC2? Target Architecture, Uptime, Control, Maintenance. Amazon RDS is always considered for use in new developments at Xero.
10. Takeaways: What did we learn and what did we consider? Instance Sizing & IOPS; Interconnecting the regions; Operational Recovery; Security; Automation.
11. Final Takeaway: It is achievable to have a highly available SQL Server environment running on EC2 in AWS supporting an online and highly concurrent 24x7 system.
12. Question: How would you build a Microsoft Enterprise IT Platform on AWS?
13-14. Let's start here (diagram): Corporate Data Center, AWS Cloud, Internet.
15-16. Isolated VPC in the Cloud (diagram): two Availability Zones, each with a Public Subnet and a Private Subnet; Remote Users / Admins connect in from outside.
17-19. Secure Administration via Remote Desktop (diagram): an AWS Administrator in the Corporate Data Center connects over TCP 443 to a Remote Desktop Gateway (RDGW) in the Public Subnet. Gateway Security Group: accept TCP port 443 from the Admin IP only. Web Security Group: accept TCP port 3389 from the Gateway SG only (WEB1 and WEB2 in the Private Subnet). Requires one connection: connect to the RD Gateway, and the gateway proxies the RDP connection to the back-end instance.
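The two security groups on slides 18-19 are the entire control for this pattern, so they are worth checking mechanically rather than by eye. The following is an added example, not code from the presentation or from AWS: it audits security groups in the shape boto3's ec2.describe_security_groups() returns under "SecurityGroups" (so live output can be fed to it) for the RD Gateway layout: TCP 443 on the gateway group only from the admin address range, TCP 3389 only from the gateway group by reference, never from a CIDR. The group IDs, CIDRs and the two group sets below are constructed sample data (IPv4 only).

```python
"""Audit security groups for the RD Gateway bastion pattern (slides 17-19).

Added example, not code from the presentation or from AWS. Input is the list
boto3's ec2.describe_security_groups() returns under "SecurityGroups"; the
sample groups, group IDs and CIDRs below are constructed for illustration.
"""
import ipaddress

RDP_PORT = 3389    # web/app tier: only from the gateway SG, by reference
RDGW_PORT = 443    # gateway: only from the admin address range


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_rdgw_layout(groups, gateway_sg_id, admin_cidrs):
    """Return a list of findings; an empty list means the layout matches the slides."""
    findings = []
    admin_nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    if gateway_sg_id not in {g["GroupId"] for g in groups}:
        return [f"gateway SG {gateway_sg_id} not found"]

    for g in groups:
        gid = g["GroupId"]
        for perm in g.get("IpPermissions", []):
            rdp = rule_covers_port(perm, RDP_PORT)
            gw = rule_covers_port(perm, RDGW_PORT)
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                if rdp:
                    # RDP must come from the gateway SG by reference, never from a CIDR
                    findings.append(f"{gid}: TCP {RDP_PORT} open to CIDR {cidr}")
                if gw and gid == gateway_sg_id:
                    net = ipaddress.ip_network(cidr)
                    if not any(net.subnet_of(a) for a in admin_nets):
                        findings.append(
                            f"{gid}: TCP {RDGW_PORT} open to non-admin CIDR {cidr}")
            for pair in perm.get("UserIdGroupPairs", []):
                src = pair.get("GroupId")
                if rdp and src != gateway_sg_id:
                    findings.append(
                        f"{gid}: TCP {RDP_PORT} allowed from SG {src}, not the gateway SG")
    return findings


ADMIN_CIDRS = ["203.0.113.0/24"]   # constructed: the corporate egress range

SAMPLE_GROUPS = [  # constructed: the layout exactly as drawn on slides 18-19
    {"GroupId": "sg-gateway", "GroupName": "Gateway-SG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web", "GroupName": "Web-SG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-gateway"}]}]},
]

DRIFTED_GROUPS = [  # constructed: the same groups after two typical "quick fixes"
    {"GroupId": "sg-gateway", "GroupName": "Gateway-SG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web", "GroupName": "Web-SG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
]

if __name__ == "__main__":
    for name, groups in (("as designed", SAMPLE_GROUPS), ("drifted", DRIFTED_GROUPS)):
        print(name, audit_rdgw_layout(groups, "sg-gateway", ADMIN_CIDRS) or "OK")
```

The "all traffic from the VPC CIDR" rule in the drifted set is the one that usually slips through a visual review: it never mentions 3389, but it reopens RDP to every instance in the VPC and so bypasses the gateway.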
20-22. Isolated VPC in the Cloud with RDGW (diagram): in each Availability Zone a Domain Controller (DC) in the Private Subnet and an RDGW in the Public Subnet; Remote Users / Admins connect to the RDGWs. Use Amazon Route 53 with health checks and DNS failover across the two gateways.
23-24. Isolated VPC in the Cloud with NAT (diagram): a NAT instance in each Public Subnet gives the private-subnet instances access to remote Internet services. *You can use the Windows Routing & Remote Access (RRAS) NAT service.
25. Remote Desktop Gateway Reference Architecture: detailed instructions are in the “Deploy Remote Desktop Gateway on the AWS Cloud” white paper, available from: http://aws.amazon.com/windows/resources/whitepapers/rdgateway/
26-27. Microsoft DirectAccess for Client Devices: DirectAccess is a feature that allows connectivity to an organization’s network resources without the need for traditional Virtual Private Network (VPN) connections. With DirectAccess, client computers are always connected to your corporate network. IT administrators can manage DirectAccess client computers whenever they are running and connected to the Internet. Summary: an always-on, lightweight VPN into your corporate network.
28-32. Isolated VPC in the Cloud with DirectAccess (diagram): one Availability Zone with a Public Subnet (10.0.0.0/24) and a Private Subnet (10.0.2.0/24). A Windows DirectAccess Edge server sits in the Public Subnet with one ENI + EIP facing the Internet and one ENI + private IP facing inward, each ENI in its own Security Group; a Windows NAT instance also sits in the Public Subnet; a Domain Controller with certificate services (DC + Certs) sits in the Private Subnet. Remote Windows client computers (Users / Admins) get an always-on VPN into the enterprise.
33. Microsoft DirectAccess Server Role & NAT: detailed instructions are in the “Implementing Microsoft DirectAccess and NAT in the AWS Cloud” white paper, available from: http://aws.amazon.com/windows/resources/whitepapers/ms-direct-access/
34-37. RDGW and DirectAccess Considerations: Secure RDGW connections require SSL/TLS certificates, either issued by a public root Certificate Authority, or issued by an internal CA whose root certificate is deployed to the client device (manually or via AD GPO). DirectAccess requires a domain-joined client device: you will need to perform an offline domain join + certificates + DC + …. Direct connectivity into the VPC simplifies setup, but requires cooperation across a wider set of IT team members.
38-41. Extending your Corporate Data Network to AWS (diagram): (1) an IPsec VPN tunnel connects over the public Internet but has variable performance; supports static and BGP routing; supports varying multi-Mbps speeds. (2) The AWS Direct Connect (DX) service allows for dedicated telco links from your location; the telco provides SLAs and predictable performance; AWS provides multiple 1 Gbps & 10 Gbps links; BGP for dynamic routing + AWS API endpoints.
42-45. Your Hybrid Cloud (diagram): two Availability Zones, each with a Public Subnet (NAT, RDGW) and a Private Subnet (Domain Controller, SQL Server MS SQL DB, App Server, IIS Web Server); the VPC is connected to the corporate data network through a virtual private gateway via a VPN connection and/or AWS Direct Connect; Remote Users connect to the RDGWs.
46-47. SharePoint Reference Architectures on AWS (SPS2010, SPS2013): white papers available from: http://aws.amazon.com/windows/resources/whitepapers/sharepoint-2010/ and http://aws.amazon.com/windows/resources/whitepapers/sharepoint-2013/
48-51. Microsoft Active Directory: Create a new AD or extend the existing one? Lots of customers create a new “fresh” AD in AWS on EC2, then extend trusts to the existing AD for a Single Sign-On (SSO) experience. If you run your own AD servers: treat each Availability Zone as an AD Site; Read-Only Domain Controllers still need network connectivity. AWS can simplify this for you…
52-55. Use AWS Directory Service: a Microsoft Windows-compatible directory service as a managed AWS service. Usage options are: (A) simplify connecting to your existing on-premises Microsoft Active Directory via an “AD Connector”; or (B) set up and operate a new directory in the AWS cloud as a “Simple AD”. AWS DS is easy to manage: use the standard Windows AD admin tools. Your directory users and groups can access the AWS Management Console, and AWS applications such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail, using their existing credentials.
56. Simple AD (AWS Directory Service) supports: Microsoft Internet Information Services (IIS) on Windows Server 2003 R2, Windows Server 2008 R1 & R2, Windows Server 2012 & R2; Microsoft SQL Server 2005 R2, 2008 R2, 2012 and 2014 (Express, Web, and Standard editions); Microsoft SharePoint 2010 Foundation, SharePoint 2010 Enterprise, SharePoint 2013 Enterprise.
57. Your own AD on EC2 (diagram): the hybrid-cloud layout above with a self-managed Domain Controller (DC) in each Availability Zone’s Private Subnet.
58. Replaced with AWS DS (diagram): the same layout with the self-managed Domain Controllers replaced by AWS Directory Service in each Availability Zone.
59-61. Domain joining to AWS Directory Service from the AWS Console GUI (Launch Instance Wizard): instance boot status, then instance domain-join status showing the computer name and domain details.
62-63. AWS Directory Service (Console): shows the DNS IPs for your Domain Controllers in each AZ and the enabled services.
64-65. AWS Simple Systems Manager (SSM): Simple Systems Manager (SSM) facilitates the automatic configuration of Amazon Elastic Compute Cloud (EC2) instances running a Windows Server OS. SSM is implemented through the EC2Config Windows service already included in the Windows Server AMIs. The EC2Config service polls SSM every 5 minutes for configuration documents (in JSON format) containing system configurations, or you can force a poll from the CLI. SSM currently supports configuration documents that allow for: automated domain join; MSI package installation / repair / uninstallation; PowerShell module installation; delivery of Performance Monitor, Event Log, IIS log, and custom log file data to CloudWatch and CloudWatch Logs.
66. SSM Document Example:

    {
      "schemaVersion": "1.0",
      "description": "MSI Install Script",
      "runtimeConfig": {
        "aws:applications": {
          "properties": [
            {
              "action": "Install",
              "source": "https://S3region.amazonaws.com/mybucketname/MSIs/CustomApp-x64.msi"
            },
            {
              "action": "Install",
              "source": "http://location.s3.amazonaws.com/Firefox/Firefox-33.0.2/Firefox-33.0.2-en-US.msi",
              "parameters": "INSTALLLEVEL=1000 custompath=\"c:\\foldername\""
            }
          ]
        }
      }
    }

As printed on the slide the inner quotes in "parameters" were unescaped (invalid JSON) and the property was spelled INSTALLEVEL; the MSI property is INSTALLLEVEL. Note also that the second package is fetched over plain HTTP, so nothing protects it in transit; serve packages over HTTPS from a bucket you control.
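Because EC2Config fetches and installs whatever the associated document names, the document itself is a supply-chain control point. The linter below is an added example, not AWS or the presenter's code: its policy (HTTPS-only sources, an allow-list of S3 buckets, and "parameters" restricted to MSI PROPERTY=value form) is an assumption about what a reviewer of these documents would want, and the document it checks is constructed, modelled on the slide-66 example with made-up bucket and host names.

```python
"""Lint an EC2Config/SSM configuration document before associating it with instances.

Added example, not code from AWS or the presentation. Policy (assumed): every
package source must be fetched over HTTPS from an allow-listed S3 bucket, and
"parameters" must be MSI public properties in PROPERTY=value form. SAMPLE_DOC is
constructed, modelled on the slide-66 document; bucket and host names are made up.
"""
import json
import re
from urllib.parse import urlparse

ALLOWED_BUCKETS = {"mybucketname"}   # assumed: the only bucket packages may come from

# MSI public properties: uppercase names, values bare or double-quoted.
_MSI_PROPS = re.compile(r'^(?:[A-Z][A-Z0-9_]*=(?:"[^"]*"|[^\s"]+)\s*)*$')


def bucket_of(url):
    """Bucket named by an HTTPS S3 URL (path-style or virtual-host style), else None."""
    u = urlparse(url)
    if u.scheme != "https" or not u.hostname:
        return None
    host = u.hostname.lower()
    if not host.endswith(".amazonaws.com"):
        return None
    label = host.split(".")[0]
    if label == "s3" or label.startswith("s3-"):
        # path-style: https://s3[-region].amazonaws.com/<bucket>/<key>
        return u.path.lstrip("/").split("/", 1)[0] or None
    # virtual-host style: https://<bucket>.s3[.region].amazonaws.com/<key>
    return label


def lint_ssm_document(doc_text, allowed_buckets=ALLOWED_BUCKETS):
    """Return a list of findings; an empty list means the document passes the policy."""
    try:
        doc = json.loads(doc_text)
    except json.JSONDecodeError as e:
        return [f"document is not valid JSON: {e.msg} at line {e.lineno}"]
    findings = []
    if doc.get("schemaVersion") != "1.0":
        findings.append(f"unexpected schemaVersion {doc.get('schemaVersion')!r}")
    apps = doc.get("runtimeConfig", {}).get("aws:applications", {}).get("properties", [])
    for i, app in enumerate(apps):
        tag = f"properties[{i}] ({app.get('action', '?')})"
        src = app.get("source", "")
        if urlparse(src).scheme != "https":
            findings.append(f"{tag}: source {src!r} is not HTTPS")
        elif bucket_of(src) not in allowed_buckets:
            findings.append(f"{tag}: source bucket {bucket_of(src)!r} is not allow-listed")
        params = app.get("parameters", "")
        if params and not _MSI_PROPS.match(params):
            findings.append(f"{tag}: parameters {params!r} are not in MSI PROPERTY=value form")
    return findings


# Constructed document: one compliant entry, one plain-HTTP source, one from a
# foreign bucket whose "parameters" are msiexec switches rather than properties.
SAMPLE_DOC = json.dumps({
    "schemaVersion": "1.0",
    "description": "MSI Install Script",
    "runtimeConfig": {"aws:applications": {"properties": [
        {"action": "Install",
         "source": "https://s3-ap-southeast-2.amazonaws.com/mybucketname/MSIs/CustomApp-x64.msi",
         "parameters": 'INSTALLLEVEL=1000 CUSTOMPATH="C:\\foldername"'},
        {"action": "Install",
         "source": "http://location.s3.amazonaws.com/Firefox/Firefox-33.0.2/Firefox-33.0.2-en-US.msi"},
        {"action": "Install",
         "source": "https://otherbucket.s3.amazonaws.com/tools/agent.msi",
         "parameters": "/quiet /norestart"},
    ]}},
})

if __name__ == "__main__":
    for finding in lint_ssm_document(SAMPLE_DOC) or ["OK"]:
        print(finding)
```

Run it as a pre-association gate (for example in the pipeline that calls the SSM API) so that a document which pulls from an unexpected bucket or over HTTP never reaches EC2Config on a domain-joined instance.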
67-74. SSM Configuration & EC2Config Service (diagram): a Configuration Document defines the setup & config tasks (Domain Join, Package Installations, Deploy PowerShell Modules, Logs & Performance Monitor integration with CloudWatch); Simple Systems Manager associates the document with instance ID(s); the EC2Config Windows service on each Windows instance applies it, joining the instance to AWS Directory Service and delivering logs and counters to CloudWatch & CloudWatch Logs.
75. EC2 Instance Options (diagram of new and existing instance types): increasing customer choice.
76-79. Elastic Block Store (EBS) Updates (diagram: Amazon EC2, EBS volumes, EBS snapshots): max EBS volume size up from 1 TiB to 16 TiB, and from 4,000 to 20,000 provisioned IOPS (PIOPS).
80-81. MS Exchange Reference Architectures on AWS (2010, 2013): both white papers & case studies are available from: http://aws.amazon.com/windows/products/exchange/ . Use Amazon SES as a Send Connector.
82-83. Amazon WorkMail: WorkMail is a secure, managed business email and calendaring service with support for existing desktop and mobile email clients. WorkMail gives seamless access to email, contacts, and calendars using the native Microsoft Outlook client, a web browser, or native iOS and Android email applications. You can integrate Amazon WorkMail with your existing corporate directory and control both the keys that encrypt your data and the location in which your data is stored. Useful when you would like a managed Exchange as a service.
84-85. Amazon WorkSpaces: an AWS-managed desktop computing service in the cloud (virtual desktop infrastructure, VDI). Cloud-based desktops that allow end users to access the documents, applications and resources they need from the device of their choice. Accessed from laptops, iPad, Kindle Fire, Android tablets, and zero clients.
86-88. The Services Landscape on AWS (diagram): AWS Directory Service at the centre, with the AWS Management Console, Amazon WorkSpaces, Amazon WorkDocs and Amazon WorkMail all authenticating against it.
89. Single Sign-On (SSO) & MFA is supported….
90. Compelling Windows Event (Don’t Forget): Microsoft is ending support for Windows Server 2003 on July 14, 2015. Options include: keep running it but do it on AWS; migrate to the newer versions of Windows; do both…. Find more info at: http://aws.amazon.com/windows/products/ec2/server2003/
91. Summary: You can readily run enterprise Microsoft and many other mission-critical workloads on AWS. You can run your own workloads on EC2, or replace them with native AWS services: Directory Service, WorkSpaces, WorkMail, WorkDocs, SQL Server on RDS, SES for bulk email sending….
