We will guide you through the best practices associated with Microsoft products and services on AWS. You will discover how to address the questions (technical, licensing, pricing) associated with migrating existing platforms (such as Exchange or Sharepoint) and satisfy your core the requirements (AD authentication, monitoring, patching). From hybrid architectures, where the AWS cloud as an extension of your data center, to innovative DevOps centric approaches, we will cover the main use cases seen by our customers.

1. Julien Lépine, Solutions Architect, AWS EMEA
June 16th, 2016
Best Practices for Deploying
Microsoft Workloads on AWS

2. Identity Best Practices

3. Main Identity Topics
• Infrastructure Identity Management
• AWS Identity and Access Management
• Server / Application Identity Management
• AWS Directory Services (Samba or Active Directory)
• Federation
• AWS Security Token Service

4. AWS Identity and Access Management (IAM)
Role Based
Access Control
Multi-Factor
Authentication
Integrated with all
AWS Services
IAM Roles

5. Isolated domains
Availability Zone B
Private subnet
DC4
Corporate Network
Tel Aviv
DC1
Direct Connect
Jerusalem
DC2Availability Zone A
Private subnet
DC3
company.cloud
company.local
Federation /
Synchronization
Separate identities with synchronization / Federation
 Use partners such as Okta
AWS Directory Services
company.cloud

6. Single domain extended to multiple sites
Availability Zone B
Private subnet
DC4
Corporate Network
Tel Aviv
DC1
Direct Connect
Jerusalem
DC2
Cost 50
Availability Zone A
Private subnet
DC3
Cost 10
company.local
company.local
One single identity, data center extension mode
(Rely on Active Directory Sites, Read-Only or not)

7. One sub domain per site
Availability Zone B
Private subnet
DC4
Corporate Network
Tel Aviv
DC1
Direct Connect
Jerusalem
DC2
company.local
Availability Zone A
Private subnet
DC3
cloud.company.local
Isolated subset of the directory, single Identity for users
(Active Directory Domains in a Single Forest)

8. One forest per site and trust
Availability Zone B
Private subnet
DC4
Corporate Network
Tel Aviv
DC1
Direct Connect
Jerusalem
DC2Availability Zone A
Private subnet
DC3 company.local
company.cloud
Separate directories, single identity
(Cross-Forest / Resource Forest with trust)
AWS Directory Services
company.cloud

9. User Identity Federation with Amazon IAM
Active Directory
AD Users
Enterprise
Applications
Corporate
Systems
Amazon Identity & Access
Management
IAM Roles
Amazon EC2
Amazon
DynamoDB
Amazon S3

10. Federated API and CLI access using ADFS
• ADFS http://tinyurl.com/AWS-ADFS-SAML
• CLI http://tinyurl.com/AWS-ADFS-CLI
• AWS Tools for Windows PowerShell

11. SQL Server

12. SQL Server High Availability
Availability Zone 1
Private Subnet
Primary
Replica
Availability Zone 2
Private Subnet
Secondary
Replica
Synchronous-commit Synchronous-commit
Automatic Failover
Primary: 10.0.2.100
WSFC: 10.0.2.101
AG Listener: 10.0.2.102
Primary: 10.0.3.100
WSFC: 10.0.3.101
AG Listener: 10.0.3.102
AG Listener:
ag.awslabs.net

13. WSFC Quorum
Availability Zone 1
Primary
Replica
Availability Zone 2
Secondary
Replica
Automatic Failover
SoftNAS / SIOS

14. WSFC Quorum
Availability Zone 1
Primary
Replica
Availability Zone 2
Secondary
Replica
Automatic Failover
Witness
Server
Availability Zone 3

15. SQL Server HA with Readable Replica
Availability Zone 1
Private Subnet
Primary
Replica
Availability Zone 2
Private Subnet
Secondary
Replica 1
Synchronous-commit Synchronous-commit
AG Listener:
ag.awslabs.net
Automatic Failover
Asynchronous-commit
Secondary
Replica 2
(Readable)
Reporting
Application

16. SQL Server Disaster Recovery & Backup
Availability Zone 1
Private Subnet
Primary
Replica
Availability Zone 2
Secondary
Replica 1
Private Subnet
AG Listener:
ag.awslabs.net
Corporate Network
VPN
Automatic Failover
Secondary
Replica 2
(Readable)
Reporting
Application
Backups
Manual Failover

17. ■ AD Integrated
■ Automated failover
■ Automated patching
■ Automated backup
■ Point-in-time recovery
Amazon RDS for SQL Server
Amazon RDS

18. Server Products

19. Core Infra

20. Exchange

21. SharePoint

22. Availability Zone 1
private subnet
NAT
10.0.32.0/20 10.0.2.0/24
DB1SP1FE1Exch1
SQL
Server
10.0.0.100
10.0.0.101
10.0.0.102
SharePoint
Server
10.0.0.140
Lync
Server
10.0.0.160
Exchange
Server
10.0.0.150
RDG
Availability Zone 2
private subnet
NAT
10.0.96.0/20
RDG
Remote
Users / Admins
10.0.0.0/19
On-premises datacenter
VPN
Direct
Connect
DC1
10.0.2.0/24
DB2SP2FE2Exch2
SQL
Server
10.0.64.100
10.0.64.101
10.0.64.102
SharePoint
Server
10.0.64.140
Lync
Server
10.0.64.160
10.0.64.0/19
DC2
Active
Directory
10.0.0.10
Active
Directory
10.0.64.10
private subnet
private subnet
Exchange
Server
10.0.64.150
VPC CIDR 10.0.0.0/16
All-in-one

23. Going beyond infrastructure
SharePoint BLOB storage on S3
Export mails to Amazon S3
AWS Marketplace
• On-Demand, License Included or BYOL SharePoint
• http://tinyurl.com/AWS-SPS-MP
Quick Starts
• http://tinyurl.com/AWS-MS-QS

24. Developers

25. AWS SDK and Tools for .NET ArchitectureEXECUTION
PLATFORM
AWSSDK
LOW-
LEVEL
SERVICE
APIS
AWS
TOOLS
HIGHER-
LEVEL
UTILITY
APIS
.NET 3.5 .NET 4.5 PHONE STORE
SERVICE CLIENTS
AMAZON S3
TRANSFERUTILITY
AMAZON DYNAMODB
OBJECT PERSISTANCE
VM IMPORT RESOURCE API
AWS TOOLS FOR
WINDOWS
POWERSHELL
AWS TOOLKIT FOR
VISUAL STUDIO
ASP.NET SESSION
PROVIDER
TRACE LISTENER
AWS ENDPOINTS: REST API

26. AWS Toolkit for Visual Studio
Full Integration in Visual Studio

27. Blob storage in Amazon S3
var bucketName = "<BucketName>";
var fileName = "<FileName>";
var s3Client = new Amazon.S3.AmazonS3Client();
// Write Data to Amazon S3
s3Client.PutObject(new Amazon.S3.Model.PutObjectRequest {
BucketName = bucketName,
Key = fileName,
InputStream = fileStream
});
// Read Data from Amazon S3
var s3Object = s3Client.GetObject(bucketName, fileName);
Amazon S3

28. Loose Coupling Sets You Free
var queueUrl = "https://sqs.<region>.amazonaws.com/<AcctNum>/<QueueName>";
var sqsClient = new Amazon.SQS.AmazonSQSClient();
// Send to Amazon SQS
sqsClient.SendMessage(queueUrl, "My Message Data");
// Process Amazon SQS
while(!exit) {
var messages = sqsClient.ReceiveMessage(queueUrl);
foreach(var message in messages.Messages) {
// Process message then delete
sqsClient.DeleteMessage(queueUrl, message.ReceiptHandle);
}
}
Amazon SQS

29. AWS Also Provides Extended Support
AWS Elastic Beanstalk
• Deploy from within Visual Studio / Automatic Log Rotation to Amazon S3
AWS CodeCommit / CodePipeline / CodeDeploy
• Manage a large (on-premises and cloud-based) fleet
.NET SDK and PowerShell CmdLets
• Integration in custom build pipelines in TFS or CruiseControl.NET
AWS is the de-facto standard
• Jenkins, Bamboo have native integration to AWS
• Other IDE Support AWS (Unity, Xamarin Studio, Eclipse…)

30. DevOps

31. Secure remote administration architecture
Availability Zone
Gateway Security Group Web Security Group
Private SubnetPublic Subnet
Accept TCP Port
443 from Admin IP
Accept traffic from
Gateway SG
AWS Administrator
Corporate Data Center
WEB2
TCP 443 WEB1
RDGW
Requires one connection:
• Connect to the RD Gateway, and the gateway proxies the RDP or PowerShell connection to the back-
end instance.

32. One step further: Go DevOps
• AWS Tools for Windows PowerShell
• Leverage AWS Simple Systems Manager
• Auto-Domain Join
• No machine access
• Full traceability
• Fine-grained control
• http://tinyurl.com/AWS-SSM-Home

33. Automated Log Management
Amazon
CloudWatch Logs
AWS Lambda
Amazon Kinesis
Amazon EC2
Amazon Elasticsearch
Service
Amazon S3

34. Automation for every use case
IAAS*
Amazon EC2
AWS CloudFormation
AWS OpsWorks AWS Elastic
BeanStalk
AWS Lambda
PAAS*DEVOPS DEVOPS
AUTOMATION* Definition may vary

35. Licensing

36. License Mobility is a Microsoft Program that allows
customers to move their existing license from on premises
to the cloud
• Leverage their Enterprise Agreement
• Must have Software Assurance
License Mobility through Software Assurance

37. Microsoft Workloads on AWS
Pay-as-you-go – AMI
pricing provides access to
software
• Windows Server
• SQL Server Standard
• SQL Server Web
• SQL Server Enterprise
Leverage Microsoft’s
License Mobility Program
(BYOL)
• SQL Server
• SharePoint Server
• Exchange
• Lync
• RDS
• Dynamics
Leveraged Dedicated
Host
• Windows Server
• SQL Server - no SA
• SharePoint – no SA
• Exchange – no SA
• Lync – no SA
• Dynamics – No SA

38. Licensing Continuum
License Included
• Amazon manages the
licenses
• Pay-as-you-go pricing
• Multi-tenant or dedicated
• No license management
overhead
Hybrid
• Baseline in BYOL
• Leverage scalability and
pay-as-you-go where
applicable
• Limit management
overhead
BYOL
• Import and use your own
software
• Reduce your spend if you
already pay an ISV for
licensing
• You manage licensing
costs and compliance
with your ISV
• Committed contracts with
your ISVs

39. MSDN

40. Supportability on AWS
Microsoft workloads are supported on AWS. Amazon Web Services fully supports
Microsoft Windows Server as both infrastructure and a platform. Our customers
have successfully deployed in the AWS cloud virtually every Microsoft application
available, including Microsoft Exchange, SharePoint, Lync, Dynamics, and
Remote Desktop Services.
If you have support related issues you should contact AWS Support.

41. Every immaginable use case
Collaboration
Full/Partial Franchise Migration
Web / Mobile / Media
Mail
ERP
VDI
BI

42. We are here to help

43. AWS Resources
Solution
Architects
Professional
Services
Premium
Support
AWS Partner
Network (APN)

44. AWS Training and Certification
Certification
aws.amazon.com/certification
Demonstrate your skills,
knowledge, and expertise
with the AWS platform
Self-Paced Labs
aws.amazon.com/training/
self-paced-labs
Try products, gain new
skills, and get hands-on
practice working with
AWS technologies
aws.amazon.com/training
Training
Skill up and gain
confidence to design,
develop, deploy and
manage your applications
on AWS

46. lepine@amazon.com