Planning a SharePoint farm is one of the most challenging parts of the entire deployment, because you have to take care of everything from network infrastructure and hardware resources to the farm architecture. With Microsoft Azure, planning and deploying SharePoint should be far less of a challenge, but what should you still watch out for when your SharePoint farm runs in the cloud? This session covers what you should be aware of when planning and deploying the latest version, SharePoint Server 2016, on Microsoft Azure, including a few things Microsoft never told you.
2. About Me
8+ years focused on Microsoft Stack
Solution Architecture, Technical Evangelism, Product
Development, Pre-sales Consulting, Security Architecture,
Public Sector
Microsoft MVP (2011 – Now)
SharePoint
Office Servers and Services
Microsoft Association of Practicing Architects (MAPA), Level: Associate
Twitter: @nnthuan
Blog: http://thuansoldier.net
3. Azure – a powerful cloud platform for modern business
10. Deployment & PoC
Quick resource provisioning
Create a SharePoint Server 2016 farm in a few steps
Cost saving
Deallocate the VMs whenever you are not using them; a stopped (deallocated) VM is not billed for compute
Azure DevTest Labs
The recommended service for building a dev/test environment
11. Disaster Recovery for On-premises
Cost saving with an Azure-hosted secondary datacenter
Instead of building a costly on-premises DR datacenter
Maintain and pay only for the resources you use in Azure, scaling with demand
12. Internet-facing site
An on-premises deployment requires a huge investment
Highly available, fault-tolerant hardware
Deprecation of the Office 365 Public Website feature
Deprecated in Office 365/SharePoint Online as of January 2015
External collaboration with Azure AD
(Three-zone design: separation of internal and customer accounts)
13. Hybrid Deployment
Hybrid identity
On-premises Active Directory extended to SharePoint on Azure
Azure Storage
Connect with an Azure-hosted app whose data is stored in Azure Storage
Azure Media Services
For digital asset management in SharePoint
15. Keys to SharePoint 2016 on Azure
Farm topology: physical architecture, logical architecture
Capacity planning: compute, memory, storage
Identity management: authentication, federation
Business continuity: high availability, disaster recovery
Security: network, VM, application
16. New architecture of SP 2016
MinRole is a new farm topology based on a set of predefined server roles:
Front-end role
Distributed cache role
Application role
Search role
17. MinRole Topology
Each type of SharePoint farm requires a different set of MinRole server roles to function properly.
The table below lists the server roles required for each type of farm.

Server role         Required for content farm?   Required for services farm?   Required for search farm?
Front-end           Yes                          No                            No
Application         Yes                          Yes                           No
Distributed Cache   Yes                          Yes                           No
Search              Yes, if hosting Search       Yes, if hosting Search        Yes
18. Farm Topology Planning
Type of farms (content, service, search…)
Front-End Tier Sizing
Application Tier Sizing
Search Tier Sizing
Distributed Cache Sizing
No.  Item                         Value    Remark
1    Total number of users        16,000
2    Unique users per day         12,800   80% of the user population
3    Concurrency rate             0.15     15% of the unique users are active in the peak hour
4    Requests per day per user    480      Assumes 60 requests/hour over an 8-hour business day
5    Peak usage ratio             3        There are 3 peak periods in a working day
6    Hours in the business day    8        The slide prints 24, but 60 requests/hour x 8 hours = 480 (item 4) and item 7 only comes out at 96 with 8 hours (24 hours would give 32 RPS)
7    Average peak RPS             96       (2) x (3) x (4) x (5) / ((6) x 60 x 60)
8    % low-cost requests          0.25     Assumes end users only perform simple tasks in SharePoint
9    % medium-cost requests       0.8      Assumes end users request or operate on content in SharePoint
10   % high-cost requests         0.35     Everything else
11   Weighted peak RPS            230.4    (7) x (9) x 3 (medium-cost weight); note that the shares in rows 8-10 add up to 1.4 rather than 1.0, so only the medium-cost share is weighted here
12   Number of WFE                3-4      3 to 4 front-end servers (*)
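Added example (not part of the deck): the worksheet above as a PowerShell function, with the business-day hours and the per-front-end capacity exposed as parameters so the arithmetic can be checked. The slide derives its 3-4 WFE from Microsoft load tests; the 75 weighted RPS per front-end used here is an assumption standing in for that figure.

```powershell
# Slide-18 capacity worksheet as a function. Defaults reproduce the slide's inputs;
# $RpsPerWfe is an ASSUMPTION (the slide relies on Microsoft load-test results it does not quote).
function Get-SPFrontEndEstimate {
    param(
        [int]$TotalUsers = 16000,            # item 1
        [double]$UniqueUserRatio = 0.8,      # item 2: 80% of the population is active on a given day
        [double]$Concurrency = 0.15,         # item 3: share of those users active in the peak hour
        [int]$RequestsPerUserPerDay = 480,   # item 4: 60 requests/hour over an 8-hour day
        [int]$PeakRatio = 3,                 # item 5
        [int]$BusinessHours = 8,             # item 6
        [double]$MediumCostShare = 0.8,      # item 9
        [int]$MediumCostWeight = 3,          # weight applied in item 11
        [double]$RpsPerWfe = 75              # ASSUMED weighted RPS one front-end sustains
    )
    $uniqueUsers = [int]($TotalUsers * $UniqueUserRatio)
    # item 7: users x concurrency x requests/day x peak ratio, spread over the business day in seconds
    $peakRps     = ($uniqueUsers * $Concurrency * $RequestsPerUserPerDay * $PeakRatio) / ($BusinessHours * 3600)
    # item 11: only the medium-cost share is weighted, exactly as the slide does it
    $weightedRps = $peakRps * $MediumCostShare * $MediumCostWeight
    [pscustomobject]@{
        UniqueUsersPerDay = $uniqueUsers
        BusinessHours     = $BusinessHours
        AveragePeakRps    = [math]::Round($peakRps, 1)
        WeightedPeakRps   = [math]::Round($weightedRps, 1)
        FrontEndServers   = [math]::Ceiling($weightedRps / $RpsPerWfe)
    }
}

# The slide's figures (12,800 users, 96 RPS, 230.4 weighted, 4 front-ends) only come out with an 8-hour day:
Get-SPFrontEndEstimate
# The 24 hours printed on the slide give 32 RPS, 76.8 weighted and 2 front-ends from the same inputs:
Get-SPFrontEndEstimate -BusinessHours 24
```

Run it with your own user population, concurrency and a per-front-end RPS figure taken from your own load test; the worksheet is only as good as that last number.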
19. Search Sizing
Search component        RAM                     Hard disk                         Processor
Index component (*)     32 GB for dedicated     500 GB if large amount of data    8 cores minimum
Analytics processing    8-16 GB                 200 GB                            4 cores minimum
Other components        16-24 GB                200 GB
(*) 20 million items require 1 index component, 2 analytics processing, 1 crawl, 1 query.
20. Come up with your SharePoint farm
What does the farm look like?
4 x Front-End role servers (12 GB RAM, 250 GB disk)
2 x Search Index role servers (24 GB RAM, 550 GB disk)
2 x Search Other role servers (16 GB RAM, 250 GB disk)
2 x Application role servers (12 GB RAM, 200 GB disk)
3 x Distributed Cache role servers (8 GB RAM, 100 GB disk)
4 x Database servers (24 GB RAM, 500 GB disk)
How many cores do you need?
21. Draw your own topology
(Topology diagram) 2 x Search Index, 2 x Search Other, 2 x SA (service application) roles, 2 x Search DB, 2 x Main DB, with Active Directory, Federation and Email Messaging as external dependencies.
23. What to map initially?
Map the logical components to the base infrastructure first
Virtual machine, storage, network…
Then go deeper into the Azure perspective with the non-functional requirements
Resource group, subnet, network security group, availability set, premium storage

Farm component    Azure category   Azure service
Virtual machine   Compute          Azure Virtual Machines
Storage           Storage          Storage accounts, Disk Storage
Network           Networking       Virtual Network
VPN               Networking       VPN Gateway
24. Planning for Compute & Memory
Map your required hardware capacity to what is available in Azure
This is not a 1:1 mapping
The memory size is fixed per instance size
What if you need X cores with Y GB?
Pick the size that is the closest match to your requirement
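Added example (not part of the deck): a closest-match picker that takes the cores, memory, NIC count and premium-storage requirement of a role and returns the smallest catalog size that satisfies all of them, then totals the cores for the slide-20 farm. The size catalog figures and the per-role core counts are assumptions for illustration; check them against the current Azure size list before ordering.

```powershell
# ASSUMED catalog (cores / GB RAM / max NICs / premium storage) for the sizes the deck mentions.
# Treat it as illustrative: verify every row against the current Azure VM size table.
$catalog = @(
    [pscustomobject]@{ Size = 'Standard_A3';   Cores = 4; MemoryGB = 7;  MaxNics = 2; Premium = $false }
    [pscustomobject]@{ Size = 'Standard_A4';   Cores = 8; MemoryGB = 14; MaxNics = 4; Premium = $false }
    [pscustomobject]@{ Size = 'Standard_A5';   Cores = 2; MemoryGB = 14; MaxNics = 1; Premium = $false }
    [pscustomobject]@{ Size = 'Standard_D2';   Cores = 2; MemoryGB = 7;  MaxNics = 2; Premium = $false }
    [pscustomobject]@{ Size = 'Standard_DS3';  Cores = 4; MemoryGB = 14; MaxNics = 4; Premium = $true  }
    [pscustomobject]@{ Size = 'Standard_DS4';  Cores = 8; MemoryGB = 28; MaxNics = 8; Premium = $true  }
    [pscustomobject]@{ Size = 'Standard_DS13'; Cores = 8; MemoryGB = 56; MaxNics = 8; Premium = $true  }
)

function Select-AzureVmSize {
    param(
        [Parameter(Mandatory)][int]$Cores,
        [Parameter(Mandatory)][int]$MemoryGB,
        [int]$MinNics = 1,
        [switch]$RequirePremium,
        [object[]]$Catalog = $catalog
    )
    # Every requirement is a hard floor: a size that is short on any one of them is not a match.
    $candidates = $Catalog | Where-Object {
        $_.Cores -ge $Cores -and $_.MemoryGB -ge $MemoryGB -and $_.MaxNics -ge $MinNics -and
        (-not $RequirePremium -or $_.Premium)
    }
    if (-not $candidates) { throw "No catalog size satisfies $Cores cores / $MemoryGB GB / $MinNics NICs (premium: $RequirePremium)" }
    # Closest match = least over-provisioned memory (the fixed, expensive dimension), then fewest cores.
    $candidates | Sort-Object MemoryGB, Cores | Select-Object -First 1
}

# The slide-20 farm. RAM comes from the slide; core counts and NIC needs are ASSUMED.
$farm = @(
    @{ Role = 'Front-end';         Count = 4; Cores = 4; MemoryGB = 12; Nics = 2; Premium = $false }
    @{ Role = 'Search index';      Count = 2; Cores = 8; MemoryGB = 24; Nics = 1; Premium = $true  }
    @{ Role = 'Search other';      Count = 2; Cores = 4; MemoryGB = 16; Nics = 1; Premium = $true  }
    @{ Role = 'Application';       Count = 2; Cores = 4; MemoryGB = 12; Nics = 1; Premium = $true  }
    @{ Role = 'Distributed cache'; Count = 3; Cores = 4; MemoryGB = 8;  Nics = 1; Premium = $false }
    @{ Role = 'Database';          Count = 4; Cores = 4; MemoryGB = 24; Nics = 1; Premium = $true  }
)

$plan = foreach ($r in $farm) {
    $s = Select-AzureVmSize -Cores $r.Cores -MemoryGB $r.MemoryGB -MinNics $r.Nics -RequirePremium:$r.Premium
    [pscustomobject]@{
        Role = $r.Role; Count = $r.Count; Size = $s.Size
        CoresEach = $s.Cores; MemoryEach = $s.MemoryGB; TotalCores = $r.Count * $s.Cores
    }
}
$plan | Format-Table -AutoSize
# Answers the slide's "how many cores do you need?" in the unit the regional core quota is measured in
"Total cores to request against the regional quota: $(($plan | Measure-Object TotalCores -Sum).Sum)"
```

With the assumed catalog the front-end role lands on DS3 rather than the A3 the next slide suggests, because 12 GB exceeds the A3's 7 GB: this is exactly the "not a 1:1 mapping" point, and the reason to pick by requirement rather than by habit.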
26. Compute for SharePoint
Use A3 or A4 for the front-end role
Note the maximum number of NICs each size supports (A5 supports only 1 NIC)
Use DS4 or DS13 for the Search and Application roles
Minimum disk performance for the search index: 300 IOPS for 64 KB random reads, 100 IOPS for 256 KB random writes, 200 MB/s for sequential reads and writes (*)
Premium Storage is required for the Search role
Use A3 for the Distributed Cache role
40% of the total RAM is used for the cache in a MinRole farm (**)
(*) https://technet.microsoft.com/en-us/library/dn342836.aspx
(**) http://www.harbar.net/archive/2016/04/15/SharePoint-2016-Nugget-2-Distributed-Cache-Size-in-MinRole-Farms.aspx
27. Planning for Storage
Azure Premium Storage is required for production deployments
High-performance, low-latency disks for virtual machines (VMs) running I/O-intensive workloads
Available on the DS, DSv2, GS and Fs series
Take advantage of Azure Managed Disks
Simplifies disk management for your VMs: no need to create and balance many storage accounts
With unmanaged disks, use separate storage accounts for high-performance workloads
SharePoint only supports locally redundant storage (LRS)
28. Planning for Network
Determine your hybrid model, if any
If connecting to on-premises infrastructure (e.g. OWA, the Office Web Apps/Office Online Server), a site-to-site VPN is required
Use static private IP addresses, assigned in the appropriate virtual network subnet
Avoids the IP changing on every deallocate/start cycle
If security is a concern
Use NSGs and a different subnet for each tier; note that the default NSG rules allow all traffic inside the virtual network, so tiers are only isolated once you add explicit deny rules
Speed up with ExpressRoute if necessary
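Added example (not part of the deck): one NSG per tier with explicit allow rules for the traffic each tier needs and an explicit deny for everything else inside the virtual network, attached to the per-tier subnets. The resource group, virtual network name, region and CIDRs are assumptions (they follow the subnets of the slide-42 plan), and the cmdlets are the AzureRM module of the ARM model the deck recommends.

```powershell
# ASSUMED names and address space; the CIDRs match the snet-ad/data/app/wfe subnets of the sample plan.
$rg       = 'dw-prod-net-rg-sea'
$loc      = 'southeastasia'
$vnetName = 'vnet-dw-prod'
$cidr     = @{ ad = '192.168.1.0/24'; data = '192.168.2.0/24'; app = '192.168.3.0/24'; wfe = '192.168.4.0/24' }

function New-TierRule {
    param([string]$Name, [int]$Priority, [string]$Source, [string]$Port,
          [string]$Protocol = 'Tcp', [string]$Access = 'Allow')
    New-AzureRmNetworkSecurityRuleConfig -Name $Name -Priority $Priority -Direction Inbound `
        -Access $Access -Protocol $Protocol -SourceAddressPrefix $Source -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $Port
}

# Rules every tier needs. The last one is the rule that actually isolates tiers: the platform
# default AllowVnetInBound (priority 65000) lets any VM in the VNet reach any other VM, so a
# "subnet per tier" gives no isolation until a Deny is placed below 65000.
function Get-CommonRules {
    param([string]$Tier)
    @(
        New-TierRule -Name 'allow-lb-probe'  -Priority 100  -Source 'AzureLoadBalancer' -Port '*'
        New-TierRule -Name 'allow-same-tier' -Priority 110  -Source $cidr[$Tier] -Port '*' -Protocol '*'
        New-TierRule -Name 'allow-ad'        -Priority 120  -Source $cidr.ad -Port '*' -Protocol '*'   # Kerberos, LDAP, DNS, SMB
        New-TierRule -Name 'deny-other-vnet' -Priority 4000 -Source 'VirtualNetwork' -Port '*' -Protocol '*' -Access Deny
    )
}

$rules = @{
    # Front-ends: HTTPS from the Internet (via the public LB) and intra-farm traffic from the app tier
    wfe  = @(New-TierRule -Name 'allow-https'    -Priority 200 -Source 'Internet' -Port 443
             New-TierRule -Name 'allow-app-tier' -Priority 210 -Source $cidr.app -Port '*') + (Get-CommonRules wfe)
    # Application/search servers: only the front-end tier talks to them
    app  = @(New-TierRule -Name 'allow-wfe-tier' -Priority 200 -Source $cidr.wfe -Port '*') + (Get-CommonRules app)
    # SQL: 1433 from the two SharePoint tiers only; AG endpoint and WSFC traffic is covered by allow-same-tier
    data = @(New-TierRule -Name 'allow-sql-from-app' -Priority 200 -Source $cidr.app -Port 1433
             New-TierRule -Name 'allow-sql-from-wfe' -Priority 210 -Source $cidr.wfe -Port 1433) + (Get-CommonRules data)
}

$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name $vnetName
foreach ($tier in $rules.Keys) {
    $nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name "nsg-$tier" -SecurityRules $rules[$tier]
    Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-$tier" `
        -AddressPrefix $cidr[$tier] -NetworkSecurityGroup $nsg | Out-Null
}
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null
```

The wfe/app rules allow all ports between the two SharePoint tiers; once the farm is up you can narrow them to the service application ports (32843, 32844, 32845) and the distributed cache range (22233-22236) the farm actually uses. Leave the AD rule broad unless you are prepared to maintain the full Active Directory port list.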
29. ARM or ASM?
You must understand the characteristics of and differences between ARM and ASM
Different concepts, supported migration approaches, regional availability (**)
If you are an MPSA customer, ARM is the only option in your pocket
As of February 1, 2017, MPSA customers purchasing Azure for the first time are guided to CSP for pay-as-you-go Azure (*)
Azure Resource Manager is the way to go
Better management, migration and automation, but somewhat more complicated
(*) Source: https://blogs.technet.microsoft.com/volume-licensing/2017/01/10/modern-licensing-for-digital-transformation/
(**) Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-supported-services
30. Resource Group
Classify resource groups per tier
Simplifies migration and troubleshooting
Put the availability set, storage account, NICs and VMs of a tier together
Plan a naming convention
It is hard to change names later
Recommendation: dw2017-prod-wfe-rg-sea (project-environment-tier-rg-region)
Use tags on your resource groups
Environment: Production
Tier: Search
Project Code: DW2017
Contact: thuan@outlook.com
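Added example (not part of the deck): a validator that rejects any resource group name that does not follow the recommended pattern and derives the tags from the name, so name and tags cannot drift apart and nothing is created untagged. The region-code map and the set of allowed environment and tier codes are assumptions.

```powershell
# ASSUMED mapping from the 3-letter region suffix in the name to the Azure location
$regionCodes = @{ sea = 'southeastasia'; eas = 'eastasia'; wus = 'westus' }

function Resolve-ResourceGroupName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Contact = 'thuan@outlook.com'
    )
    # <project>-<env>-<tier>-rg-<region>; the allowed env/tier codes are an ASSUMPTION
    $pattern = '^(?<project>[a-z][a-z0-9]{1,15})-(?<env>dev|test|uat|prod)-(?<tier>ad|net|wfe|app|search|data)-rg-(?<region>[a-z]{3})$'
    if ($Name -notmatch $pattern) {
        throw "'$Name' violates the convention <project>-<env>-<tier>-rg-<region>"
    }
    if (-not $regionCodes.ContainsKey($Matches.region)) {
        throw "Unknown region code '$($Matches.region)' in '$Name'"
    }
    [pscustomobject]@{
        Name     = $Name
        Location = $regionCodes[$Matches.region]
        # Tags are derived from the validated name, never typed by hand
        Tags     = @{
            Environment = $Matches.env
            Tier        = $Matches.tier
            ProjectCode = $Matches.project.ToUpper()
            Contact     = $Contact
        }
    }
}

# Passes: creates dw2017-prod-wfe-rg-sea in southeastasia with Environment=prod, Tier=wfe, ProjectCode=DW2017
$spec = Resolve-ResourceGroupName -Name 'dw2017-prod-wfe-rg-sea'
New-AzureRmResourceGroup -Name $spec.Name -Location $spec.Location -Tag $spec.Tags

# Throws before anything is created: no tier, no region, mixed case
Resolve-ResourceGroupName -Name 'SharePointProd'
```

Because the tags are applied in the same New-AzureRmResourceGroup call, a group that passes validation is never left without them, which is what makes tag-based cost reports and RBAC scoping reliable later.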
31. Identity Management
What is the primary identity provider of your farm?
On-premises Active Directory (reached over a site-to-site VPN)
Active Directory Domain Services running on Azure VMs
Azure Active Directory Domain Services
Is there a requirement for a federation trust?
SharePoint users from the on-premises Active Directory accessing a fully Azure-hosted SharePoint farm
Office 365 users
Partner authentication in an extranet collaboration scenario
33. Business Continuity
Availability, scalability and fault tolerance are the key requirements of any business continuity and disaster recovery plan.
To have availability, you need scalability: the ability to handle the workload as its demands increase.
(Diagram: Scalability, Availability, Fault Tolerance)
34. Availability Set
An availability set spreads VMs across fault domains and update domains so the role stays available during planned maintenance and unplanned hardware failures; the 99.95% SLA applies only when two or more VMs are in the set
Fault domain
Update domain
Create an availability set per tier and role (Web, App, Database, Search…)
35. HA for Front-End Role
Azure Load Balancer
Distributes incoming traffic among the virtual machines in a load-balanced set
Increase the idle connection timeout (default 4 minutes, maximum 30) to handle long-running connections from SharePoint clients
Set-AzureLoadBalancedEndpoint -ServiceName "<cloud-service>" -LBSetName "<lb-set>" -IdleTimeoutInMinutes 15
(classic/ASM cmdlet; on ARM the same setting is -IdleTimeoutInMinutes on Add-AzureRmLoadBalancerRuleConfig)
3rd-party load balancer with advanced features
SSL termination (*)
(*) https://kemptechnologies.com/solutions/microsoft-load-balancing/loadmaster-azure/
36. HA for Application Role
Not much for Azure to do here
MinRole does most of it for you
The Application Discovery and Load Balancer Service works internally
Depends on how your services are associated (MinRole, custom role)
HA for Search is required
Redundant Search components
37. HA + DR for Database Role
SQL Server AlwaysOn Availability Group
SQL Server Database Mirroring
Log Shipping
Backup & Restore
Azure Site Recovery
SQL Server AlwaysOn FCI
38. HA with SQL Server AlwaysOn AG
Fully supported on Microsoft Azure for HA
Requires AD domain controllers to use Windows Failover Clustering
39. DR with Log Shipping
Log shipping is supported in Azure IaaS for the DR scenario
Two SQL Server VMs with the log share on Azure File Storage
Better to set up a file share VM to avoid latency
Only use it if required
40. DR with Database Mirroring
Database mirroring is fully supported for the DR scenario
Use certificate-based endpoint authentication when the partners are not in the same (or a trusted) Active Directory domain, e.g. when the DR region has no domain controller
Consider an alternative DR strategy
Database mirroring is deprecated (still shipped in SQL Server 2016, but deprecated since SQL Server 2012)
Use an AlwaysOn Availability Group with a file share witness instead
41. DR with Backup and Restore
When the RTO is relaxed
Back up production databases to Azure Blob Storage for later recovery
Automate the backups with SQL Server Agent jobs
42. Sample Planning Report
Role                VM name         Resource group          Static IP      Subnet       Availability set   Size
1st DC              dw-prod-dc01    dw-prod-ad-rg-sea       192.168.1.4    snet-ad      prod-as-ad         Standard_D2
2nd DC              dw-prod-dc02    dw-prod-ad-rg-sea       192.168.1.5    snet-ad      prod-as-ad         Standard_D2
1st Database        dw-prod-db01    dw-prod-data-rg-sea     192.168.2.5    snet-data    prod-as-data       Standard_DS4
2nd Database        dw-prod-db02    dw-prod-data-rg-sea     192.168.2.6    snet-data    prod-as-data       Standard_DS4
Witness (majority)  dw-prod-mn01    dw-prod-data-rg-sea     192.168.2.7    snet-data    prod-as-data       Standard_D2
1st App & Search    dw-prod-app01   dw-prod-app-rg-sea      192.168.3.4    snet-app     prod-as-app        Standard_DS4
2nd App & Search    dw-prod-app02   dw-prod-app-rg-sea      192.168.3.5    snet-app     prod-as-app        Standard_DS4
1st Web & D-Cache   dw-prod-wfe01   dw-prod-wfe-rg-sea      192.168.4.5    snet-wfe     prod-as-wfe        Standard_D4
2nd Web & D-Cache   dw-prod-wfe02   dw-prod-wfe-rg-sea      192.168.4.6    snet-wfe     prod-as-wfe        Standard_D4
43. How does it look like?
(Architecture diagram) One Azure virtual network with a subnet per tier, each holding its own availability set: Front-End (4 VMs), Distributed Cache (3 VMs), Search (4 VMs) and DB (4 VMs), each tier backed by its own storage accounts. An Azure VPN Gateway connects the virtual network to the on-premises VPN gateway, behind which sit the on-premises domain controller and the client PCs.
46. What to secure on Azure IaaS?
Storage, data, identity, virtual machines, resource groups
47. What is your responsibility?
Apply the Security by Default rule
Network isolation, 3-tier architecture…
Apply the security features of each resource type
Microsoft provides several security features per resource (RBAC, encryption, monitoring, anomaly detection…)
Apply Security by Design for SharePoint
Input validation, regression testing, OWASP…
48. My Security Mantra
Security must come first from your own awareness
Security by Default before Security by Design
No pain, no gain
49. Security on Azure
Security is still your responsibility
Security compliance needs your awareness
Microsoft gives no guarantee if your VM is compromised; what runs inside the VM is yours to secure
SharePoint security is your responsibility
Azure IaaS security
Role-based access control
VM access
Storage encryption
Security monitoring (Azure Security Center)
50. Come to discuss more security!
Topic - Design A Secure Azure IaaS - Lessons Learnt from Government Cloud
Event - Singapore AzureBootcamp 2017 – April 22nd 2017 - Microsoft Singapore
Website: http://sgazurebootcamp.azurewebsites.net/
51. Monitoring and Diagnostics
Service metrics
All Azure services track key metrics for monitoring health, performance and availability
Can be viewed in the portal or via the REST API
Configurable via ARM
Operational Insights (now Log Analytics)
Single pane of glass for monitoring VMs
Big-data solution for logs
Interact with log data via Search and Solutions
Customizable dashboards
Near-real-time log monitoring
Solutions Gallery
53. SharePoint on Azure gotchas
AlwaysOn Failover Cluster Instances (FCI) with Azure File Storage are not supported currently
Alternatives for the shared storage: Windows Server 2016 Storage Spaces Direct (S2D), SIOS DataKeeper, or an iSCSI target shared block with NetApp Private Storage via ExpressRoute
Microsoft does not warrant 3rd-party shared storage with FCI
WAN (stretched-farm) deployment is not supported
Metalogix Replicator is an alternative
OWA (Office Web Apps/Office Online Server) is not supported in Azure IaaS due to its licensing model
Deploy a hybrid model instead
55. SP Server 2016 Quick Deployment
Create a single SharePoint Server 2016 Farm
http://bit.ly/azuresp2016ps
56. Azure Resource Manager Template
Create a template with a declarative representation of the solution
The template consists of JSON and template expressions
Use the ARM Template Visualizer to design your template
URL: http://armviz.io/
Azure Quickstart Templates
URL: http://bit.ly/azurequicktemplate
57. Azure DSC with xSharePoint (now SharePointDsc)
Install prerequisites and binaries
Create a farm and join servers to it
Create web applications and site collections
Create service applications and provision service instances
Manage logging, managed accounts and other configuration settings
58. Manual Deployment Steps
Step 1   Create resource group
Step 2   Create virtual network
Step 3   Create the subnets (one per tier)
Step 4   Create network security groups
Step 5   Create Azure internal load balancers
Step 6   Create the storage accounts
Step 7   Create Active Directory VM
Step 8   Configure Active Directory DC
Step 9   Create SQL Server VM
Step 10  Join SQL Server to the AD domain
Step 11  Create SharePoint VMs
Step 12  Join SharePoint VMs to the AD domain
Step 13  Add extra data disks to each VM
Step 14  Create SharePoint farm
Step 15  Configure AlwaysOn AG
Advanced configuration…
60. Active Directory Deployment
Deploy a site-to-site VPN connection between the workloads
On-premises Active Directory and the Azure-hosted SharePoint farm
Set up replica domain controllers on Azure virtual machines
Increases proximity and speeds up authentication
Deploying stand-alone domain controllers in Azure
Not common in real-world scenarios
61. Active Directory Deployment
Use D2 for the domain controller VMs
DNS configuration and deployment
Point the virtual network's DNS servers at the Azure-hosted DCs
Use a static private IP address
DCs need a fixed address, but Azure VMs must keep DHCP inside the guest: set the allocation to static on the Azure NIC, not in the OS
In a hybrid scenario, for replication
Configure AD Sites and Services so that replication does not incur additional network traffic over bad routes
Data allocation
Place the Active Directory database, logs and SYSVOL on an additional Azure data disk (with host caching set to None).
Do not place them on the operating system disk (C: drive) or the temporary disk (D: drive) provided by Azure.
62. SQL Server Deployment
Go with SQL Server on Azure IaaS
Azure SQL Database (PaaS) is not a supported database platform for SharePoint Server 2016, not even for testing; use SQL Server on a VM for every environment
Run TempDB on the non-persistent D: drive
Consider a P30 (Premium Storage) disk for TempDB instead
The folder structure on D: must be re-created on every VM start, before SQL Server starts
Data and file allocation
Do not put data and files you care about on the D: drive
Do not put data files on C:; it is the OS disk and you care about OS performance there
Disk striping when you need more IOPS on Standard Storage
Manage the disks inside the VM with Storage Spaces
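Added example (not part of the deck): a startup script for the TempDB-on-D: option above. It waits for the temporary disk, re-creates the TempDB folder with a tight ACL, then starts SQL Server; run once with -Register to switch SQL Server to manual start and register the script as a SYSTEM scheduled task that runs at boot. The folder path, the default-instance service name and the use of the SQL Server virtual service account are assumptions; the ScheduledTasks cmdlets need Windows Server 2012 or later.

```powershell
param([switch]$Register)   # run once interactively with -Register; the scheduled task runs the script without it

$TempDbPath  = 'D:\SQLTemp'      # ASSUMED folder the tempdb files were moved to
$ServiceName = 'MSSQLSERVER'     # ASSUMED default instance; a named instance uses 'MSSQL$<name>'

function Initialize-TempDbDrive {
    param([string]$Path = $TempDbPath, [string]$Service = $ServiceName, [int]$WaitSeconds = 120)
    # The temporary disk can come online a little after boot; wait for the volume instead of failing
    $drive    = Split-Path -Qualifier $Path
    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    while (-not (Test-Path "$drive\") -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 5 }
    if (-not (Test-Path "$drive\")) { throw "Volume $drive not available after $WaitSeconds seconds" }

    if (-not (Test-Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
        # Replace the permissive ACL inherited from D:\ (Everyone/Users) with an explicit one:
        # the SQL Server virtual service account, local Administrators and SYSTEM only
        $acl = Get-Acl -Path $Path
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($identity in @("NT Service\$Service", 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
                $identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -Path $Path -AclObject $acl
    }
    # SQL Server is set to Manual start (see -Register), so this is where it actually starts
    Start-Service -Name $Service
    Start-Service -Name 'SQLSERVERAGENT' -ErrorAction SilentlyContinue
}

if ($Register) {
    # SQL Server must not start on its own: it would fail before the folder exists
    Set-Service -Name $ServiceName -StartupType Manual
    Set-Service -Name 'SQLSERVERAGENT' -StartupType Manual -ErrorAction SilentlyContinue
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'SQL-Recreate-TempDb-Folder' -Action $action -Trigger $trigger `
                           -Principal $principal -Force | Out-Null
} else {
    Initialize-TempDbDrive
}
```

Before registering the task, move the files with ALTER DATABASE tempdb MODIFY FILE (NAME = tempdev, FILENAME = 'D:\SQLTemp\tempdb.mdf') and the same for templog, then restart SQL Server once; if the SQL Server service runs under a domain account rather than the virtual account, substitute that account in the ACL loop.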
63. Finally!
SharePoint on Azure is not SharePoint in the cloud
SharePoint in the cloud is SharePoint Online (Office 365)
Plan the SharePoint farm carefully before deployment
Some things have to be converted or migrated if they are deployed wrongly
Automate your deployment as much as possible
Take it to the next level with DevOps
Keep calm if something still goes wrong!
64. Additional Resources
High availability and disaster recovery for SQL Server in Azure Virtual Machines
http://bit.ly/hadrsqlsazure
Understanding Windows Azure Storage Billing – Bandwidth, Transactions, and Capacity
http://bit.ly/azurestoragepricing
Microsoft Azure Cost Estimator Tool
http://bit.ly/azurecostestimator
Deploying SharePoint Server 2016 with SQL Server AlwaysOn Availability Groups in Azure
http://bit.ly/sp2016farmazure (must read, but some variables and configuration steps contain mistakes)
65. Q & A
Feel free to discuss with me via thuan@outlook.com or @nnthuan (Twitter)
SharePoint Internet-facing deployment in an on-premises environment requires a huge investment in infrastructure.
Microsoft deprecated the Public Website feature in Office 365/SharePoint Online in January 2015.
External collaboration with Azure AD.
(*) Based on Microsoft load tests for SharePoint 2013, which are optimized at the WFE tier.
Search index disk requirements: 300 IOPS for 64 KB random reads; 100 IOPS for 256 KB random writes; 200 MB/s for sequential reads; 200 MB/s for sequential writes.
Microsoft cannot migrate everything from ASM to ARM. The following resources cannot be migrated:
Unassociated virtual hard disks
Images of virtual machines
Unreserved IP addresses
Unassociated network security groups
Endpoint ACLs
Virtual network gateways – you need to recreate your ExpressRoute or VPN configurations, which may cause accessibility downtime for some customers.
Site Recovery Azure-to-Azure is only supported for migration, not for DR, as of 1/12/2016