Deploy, scale, and manage your Microsoft workloads on AWS. We start our session by discussing why customers want to deploy Microsoft Windows applications on AWS as a cloud platform. We talk about reference architectures and best practices for implementing Microsoft products and technologies including Active Directory, Remote Desktop Gateway, Exchange, SharePoint, and Lync in the AWS cloud. We conclude with best practices for managing and monitoring Microsoft technologies in the AWS cloud.
Speaker: Andy Reay, Solutions Architect, Amazon Web Services
2. What will we cover today?
• Microsoft and AWS
• Why run MS workloads on AWS
• How do you start?
• MS Server Products
• Considerations for migration
• Licensing options
This is a 200 Level session. Assumes an introductory level
knowledge of AWS and Microsoft technologies.
3. Microsoft and AWS
Secure, Reliable, High-Performance, Cost-Effective, Familiar, Extensive, Flexible
• Optimization for Windows-based workloads
• Wide range of scalable services
• Alignment with business needs
4. Supportability on AWS
Microsoft workloads are supported on AWS. Amazon Web Services fully
supports Microsoft Windows Server as both infrastructure and a platform.
Our customers have successfully deployed in the AWS cloud virtually every
Microsoft application available, including Microsoft Exchange, SharePoint,
Lync, Dynamics, and Remote Desktop Services.
If you have support related issues you should contact AWS Support.
5. Every imaginable use case
Full/Partial Migration
Web / Mobile / Media
Productivity & Collaboration
CRM and ERP
Virtual Desktops
BI, Big Data and Analytics
https://aws.amazon.com/windows/case-studies/
7. Why run workloads on AWS
• Experience: Building and managing cloud since 2006
• Scale: 13 regions, 35 availability zones, 55 edge locations
• Ecosystem: Tens of thousands of partners; 2,700+ Marketplace products
• Security & Reliability: Security in layers approach and 99.95% application SLA
• Performance: Extensive VM and network performance options
8. Regions & Availability Zones
(Diagram: Regions, each containing several Availability Zones joined by transit links)
13 Regions (+ Ohio, UK & Canada)
35 Availability Zones
55 Edge Locations
9. Why run Microsoft workloads on AWS?
• Compliance: Not just of the platform… Enterprise Accelerators for NIST, NIST high-impact and PCI DSS compliance
• License management: AWS Config can monitor license compliance of server-bound licenses on Amazon EC2 Dedicated Hosts
• Auditability: Amazon Inspector analyses your resources for issues, and at the AWS level you can log API calls (AWS CloudTrail), network flows (VPC Flow Logs) and configuration changes (AWS Config), and consolidate system logs and events (Amazon CloudWatch Logs)
• DevOps enabled: AWS CloudFormation builds infrastructure, Microsoft PowerShell builds applications, +CodeDeploy, +Elastic Beanstalk etc.
• Reduce risk: Building blocks, e.g. Regions & Availability Zones, the Elastic Load Balancer, Amazon S3 and others, make excellent durability and availability possible at a very low cost.
Use AWS Config to Monitor License Compliance on Amazon EC2 Dedicated Hosts
https://d0.awsstatic.com/whitepapers/aws_config_dh_whitepaper_v1_editcb_editsm_final.pdf
11. Reliability
Reliability starts with building blocks.
Examples: The AWS Region and Zone model, Amazon S3 & EC2, Auto-Scaling
Groups, Elastic Load Balancer
Used by AWS and customers to build low-cost, highly-available, scalable
systems.
Enable levels of reliability previously cost prohibitive or not achievable.
Questions:
• What has changed in terms of the TCO of availability?
• What should a business now expect?
• What is needed to achieve this?
• What DR/BCP plan changes might this allow with what benefits?
12. Reliability example
(Diagram: users reach the application through Amazon CloudFront and Route 53 and an Internet Gateway (IGW); an ELB fronts IIS Web servers on EC2 instances spread across Availability Zone A and Availability Zone C; a second ELB fronts the IIS App tier; Amazon RDS holds the database; a NAT Gateway provides outbound Internet access for the instances)
17. Extending your Corporate Data Network to AWS
(Diagram: Corporate Data Center connected to the AWS Cloud by (1) a VPN tunnel over the Internet and (2) a Direct Connect link via a telco)
1. VPN tunnel
• IPsec VPN tunnel connects over the public Internet but has variable performance
• Supports static and BGP routing
• Supports varying multi-Mbps speeds
2. Direct Connect link
• AWS Direct Connect (DX) service allows for dedicated telco links from your location
• Telco provides SLAs and predictable performance
• AWS provides multiple 1 Gbps & 10 Gbps links
• BGP for dynamic routing + AWS API endpoints
18. Remote Desktop Gateway Reference Architecture
Detailed instructions available in the “Deploy
Remote Desktop Gateway on the AWS
Cloud” White paper
http://aws.amazon.com/windows/resources/whitepapers/rdgateway
19. (Diagram: isolated VPC with RD Gateway. Two Availability Zones, each with a public subnet holding an RDGW and a private subnet holding a Domain Controller (DC). Remote users / admins reach the gateways through Amazon Route 53; use Route 53 health checks & DNS failover between the two RDGWs)
20. Use the tools available
• Monitoring: Amazon CloudWatch, AWS CloudTrail
• Configuration: AWS Config, Amazon EC2 Run Command, AWS Tools for PowerShell
• Develop and Deploy: AWS OpsWorks, AWS Toolkit for Visual Studio, .NET SDK, AWS CodeDeploy, AWS CloudFormation, AWS Elastic Beanstalk
21. AWS Simple Systems Manager (SSM)
Also known as “EC2 Run Command”…
Manage: Reduce the direct access of staff to servers
Familiar: Uses the already included EC2Config Windows Service
Automate: Common admin tasks at scale. EC2Config polls every 5 minutes, or force it through an API call.
Control: Integrates with AWS IAM – manage which users can do what.
Auditable: Visibility and tracking of configuration changes with AWS CloudTrail
Customizable: Create custom actions to automate common tasks
*NEW*: Now can manage servers outside of AWS
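An added example of the "reduce direct access" point above, written for this page rather than taken from the deck: a patch-status audit pushed to every instance tagged Role=WebServer through Run Command, so nobody needs an RDP session to any server. It assumes the AWS Tools for PowerShell (AWSPowerShell module) and a profile whose IAM policy allows ssm:SendCommand and ssm:ListCommandInvocations; the region, the tag key/value and the 600 s timeout are illustrative choices.

```powershell
# Added example, not part of the original deck: audit patch status on every
# instance tagged Role=WebServer through EC2 Run Command (AWS-RunPowerShellScript)
# instead of opening RDP to each server, then collect per-instance results.
# Assumptions: AWSPowerShell module installed, profile with ssm:SendCommand and
# ssm:ListCommandInvocations rights, instances tagged Role=WebServer (assumed tag).
Import-Module AWSPowerShell

$region  = 'eu-west-1'                                           # assumed region
$targets = @( @{ Key = 'tag:Role'; Values = @('WebServer') } )   # assumed tag

# Lines of the script the SSM agent (EC2Config on the Windows images of that era)
# runs on each target; nothing here needs an interactive session.
$lines = @(
    '$hf = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1',
    '"{0} last hotfix {1} on {2:yyyy-MM-dd}" -f $env:COMPUTERNAME, $hf.HotFixID, $hf.InstalledOn'
)

# Target by tag rather than by a list of instance IDs: the same call scales to
# however many instances carry the tag, and the IAM policy can be scoped to it.
$cmd = Send-SSMCommand -DocumentName 'AWS-RunPowerShellScript' `
                       -Target $targets `
                       -Parameter @{ commands = $lines } `
                       -Comment 'Patch status audit' `
                       -TimeoutSecond 600 `
                       -Region $region

# Poll until no invocation is still queued or running. The loop is bounded so a
# lost agent cannot hang the audit; such instances show a non-Success status below.
for ($i = 0; $i -lt 60; $i++) {
    Start-Sleep -Seconds 5
    $inv = Get-SSMCommandInvocation -CommandId $cmd.CommandId -Detail $true -Region $region
    if (-not ($inv | Where-Object { $_.Status -in 'Pending', 'InProgress', 'Delayed' })) { break }
}

foreach ($r in $inv) {
    # CommandPlugins carries the stdout/stderr of the document's single plugin.
    $out = ($r.CommandPlugins | Select-Object -First 1).Output
    '{0,-20} {1,-10} {2}' -f $r.InstanceId, $r.Status, ($out -replace '\s+$', '')
}
```

Pair this with an IAM policy that allows ssm:SendCommand only on the arn:aws:ssm:*:*:document/AWS-RunPowerShellScript document and on instances matching a ssm:resourceTag/Role condition; an operator who can run this audit then cannot run arbitrary documents against arbitrary hosts, and every SendCommand call, with the caller identity, lands in CloudTrail.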
23. Microsoft Active Directory
Create a new AD or extend?
• Lots of customers create a new “fresh” AD in AWS on EC2
• Extend trusts to existing AD for Single Sign On (SSO)
experience
• Bring a replica of AD into AWS for resilience
If you run your own AD servers
• Treat each Availability Zone as an AD Site…
• Read Only Domain Controllers still need network connectivity
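The "one Availability Zone, one AD site" advice above, as an added example written for this page (not code from the deck): it creates a site and subnet object per AZ, links the sites, and moves each domain controller into the site for its AZ, so instances authenticate against the DC in their own AZ and replication follows AZ boundaries. It assumes the ActiveDirectory RSAT module on a domain-joined admin host with rights on the Sites container; the site names, the /19 subnet per AZ and the DC names DC1/DC2 are illustrative.

```powershell
# Added example, not part of the original deck: map each Availability Zone to
# its own AD site (slide 23). Assumptions: ActiveDirectory module available,
# one /19 private address range per AZ, DCs named DC1 (AZ a) and DC2 (AZ b).
Import-Module ActiveDirectory

$sites = @(
    @{ Name = 'AWS-eu-west-1a'; Subnets = @('10.0.0.0/19');  DCs = @('DC1') },
    @{ Name = 'AWS-eu-west-1b'; Subnets = @('10.0.32.0/19'); DCs = @('DC2') }
)

foreach ($s in $sites) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($s.Name)'")) {
        New-ADReplicationSite -Name $s.Name
    }
    # The subnet objects are what make a client in 10.0.32.0/19 prefer DC2;
    # without them every instance is treated as Default-First-Site-Name.
    foreach ($cidr in $s.Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $s.Name
        }
    }
}

# One IP site link joining the AZ sites before any DC is moved, so inter-site
# replication has a path. 15 minutes is the minimum interval; a low cost keeps
# the KCC from routing AZ-to-AZ replication through an on-premises site if the
# domain also has one.
$linkName  = 'AWS-eu-west-1a-1b'
$siteNames = $sites | ForEach-Object { $_.Name }
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded $siteNames `
        -Cost 50 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# Move the DCs out of the default site into the site for their AZ.
foreach ($s in $sites) {
    foreach ($dc in $s.DCs) {
        Move-ADDirectoryServer -Identity $dc -Site $s.Name
    }
}

# Verify: each subnet resolves to the intended site and each DC (writable or
# read-only) sits in the site that matches the AZ it actually runs in.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsReadOnly
```

Check the last listing against EC2 placement (the AZ of each DC's instance) rather than trusting the names. The site layout does not remove the connectivity requirement the slide mentions: a read-only DC placed in an AZ site still needs a route to a writable DC to replicate and to forward writes.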
24. Use AWS Directory Service
A Microsoft Windows compatible directory service as a managed AWS service. Usage options are:
1. Use the AWS AD Connector to simplify connecting to your existing on-premises Microsoft Active Directory
2. AWS Simple AD allows you to set up and operate a new Samba-based directory in the AWS Cloud
3. AWS Directory Service for Microsoft Active Directory (Enterprise Edition) provides a feature-rich managed Microsoft Active Directory hosted on the AWS Cloud.
AWS DS is easy to manage: use the standard Windows AD admin tools
25. Which option should you choose?
• AD Connector: the best option if you want to use your existing on-premises AD with AWS services without extending your domain to the cloud
• Simple AD: in most cases, Simple AD is the least expensive option and your best choice if you have 5,000 or fewer users and don’t need the more advanced Microsoft Active Directory features.
• Directory Service for Microsoft Active Directory (Enterprise Edition): your best choice if you have more than 5,000 users and need a trust relationship set up between an AWS hosted directory and your on-premises directories.
27. SQL Server on AWS
Wide array of choices
Fully managed services
Enterprise-grade security
99.95% availability
Flexible and scalable
28. SQL Server High Availability – Quick Start
(Diagram: Availability Zone 1, private subnet: Primary Replica with instance address 10.0.2.100, WSFC address 10.0.2.101, AG Listener address 10.0.2.102. Availability Zone 2, private subnet: Secondary Replica with instance address 10.0.3.100, WSFC address 10.0.3.101, AG Listener address 10.0.3.102. Both replicas run synchronous-commit with automatic failover; a File Server Witness supplies the cluster quorum vote; the AG Listener name is ag.awslabs.net)
29. SQL Server HA with Readable Replica
(Diagram: as slide 28, Primary Replica in Availability Zone 1 and Secondary Replica 1 in Availability Zone 2 with synchronous-commit and automatic failover, File Server Witness and AG Listener ag.awslabs.net; plus Secondary Replica 2 (Readable), fed by asynchronous-commit, serving a Reporting Application)
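The availability group drawn on slides 28 and 29, as an added example written for this page (not the Quick Start's own scripts): two synchronous replicas with automatic failover across the two AZs, a third asynchronous replica opened for read-only reporting, and a multi-subnet listener with one address per AZ. It assumes the WSFC with the file share witness already exists, HADR is enabled on each instance, database mirroring endpoints listen on 5022, and the database has been restored WITH NORECOVERY on the secondaries; the host names SQL1/SQL2/SQL3, the database name AppDb and the /24 subnet masks are illustrative, while the listener name and addresses come from the slides.

```powershell
# Added example, not from the original deck or Quick Start: create the Always On
# availability group of slides 28/29 via T-SQL from PowerShell. Assumptions:
# SqlServer module installed; WSFC + file share witness built; HADR enabled;
# mirroring endpoints on TCP 5022; AppDb restored WITH NORECOVERY on SQL2/SQL3.
Import-Module SqlServer

$ag     = 'ag'
$domain = 'awslabs.net'
$db     = 'AppDb'

$create = @"
CREATE AVAILABILITY GROUP [$ag]
WITH (AUTOMATED_BACKUP_PREFERENCE = SECONDARY)
FOR DATABASE [$db]
REPLICA ON
  -- AZ1 and AZ2: synchronous commit, automatic failover (slide 28)
  N'SQL1' WITH (ENDPOINT_URL = N'TCP://SQL1.${domain}:5022',
                AVAILABILITY_MODE = SYNCHRONOUS_COMMIT,
                FAILOVER_MODE = AUTOMATIC,
                SECONDARY_ROLE (ALLOW_CONNECTIONS = NO)),
  N'SQL2' WITH (ENDPOINT_URL = N'TCP://SQL2.${domain}:5022',
                AVAILABILITY_MODE = SYNCHRONOUS_COMMIT,
                FAILOVER_MODE = AUTOMATIC,
                SECONDARY_ROLE (ALLOW_CONNECTIONS = NO)),
  -- Reporting copy: asynchronous, never auto-failover, read-only connections (slide 29)
  N'SQL3' WITH (ENDPOINT_URL = N'TCP://SQL3.${domain}:5022',
                AVAILABILITY_MODE = ASYNCHRONOUS_COMMIT,
                FAILOVER_MODE = MANUAL,
                SECONDARY_ROLE (ALLOW_CONNECTIONS = READ_ONLY));

-- Listener with one address per subnet (10.0.2.102 in AZ1, 10.0.3.102 in AZ2):
-- the client resolves ${ag}.${domain} and, with MultiSubnetFailover=True,
-- tries both addresses in parallel instead of waiting on a dead one.
ALTER AVAILABILITY GROUP [$ag]
ADD LISTENER N'$ag' (
  WITH IP ((N'10.0.2.102', N'255.255.255.0'),
           (N'10.0.3.102', N'255.255.255.0')),
  PORT = 1433);
"@

Invoke-Sqlcmd -ServerInstance 'SQL1' -Database master -Query $create

# Each secondary joins the group and attaches its restored copy of the database.
foreach ($node in 'SQL2', 'SQL3') {
    Invoke-Sqlcmd -ServerInstance $node -Database master -Query @"
ALTER AVAILABILITY GROUP [$ag] JOIN;
ALTER DATABASE [$db] SET HADR AVAILABILITY GROUP = [$ag];
"@
}

# Check before relying on automatic failover: the two synchronous replicas must
# report SYNCHRONIZED; the asynchronous one only ever reaches SYNCHRONIZING.
Invoke-Sqlcmd -ServerInstance 'SQL1' -Database master -Query @"
SELECT r.replica_server_name, r.availability_mode_desc, r.failover_mode_desc,
       d.synchronization_state_desc, d.synchronization_health_desc
FROM sys.availability_replicas r
JOIN sys.dm_hadr_database_replica_states d ON d.replica_id = r.replica_id;
"@
```

Two practitioner checks go with this: the security group on each private subnet must allow TCP 5022 between the three replicas (and 1433 from the app tier to both listener addresses), and application connection strings must carry MultiSubnetFailover=True, otherwise a failover to the other AZ looks like a long timeout to the client.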
30. Amazon RDS for SQL Server
■ Automated failover across Availability Zones and host replacement
■ Automated patching
■ Automated backups
■ Point-in-time recovery
■ Managed encryption
■ Import and Export with SQL Backup *NEW*
■ Integrated Windows Authentication
31. Amazon RDS for SQL Server: choosing the right solution
Consider Amazon RDS first. Focus on:
• Business value tasks
• High-level tuning tasks
• Schema optimization
• No in-house database expertise
Choose SQL Server on Amazon EC2 when you need full control over:
• DB instance
• Backups
• Replication
• Clustering
• Use options not in Amazon RDS
33. (Diagram: reference architecture for corporate apps in AWS. Two Availability Zones, each with a public subnet (RDGW, VPC NAT Gateway) and a private subnet (IIS Web and IIS App tiers, AWS Directory Service, MS SQL). The two MS SQL instances form an Always On Availability Group. Remote users enter through the Internet Gateway; the Corporate Office connects over VPN and AWS Direct Connect to a Virtual Private Gateway; a VPC Endpoint gives the private subnets access to Amazon S3)
35. Corporate Apps in AWS
Deploy highly available applications
BYOL or pay per use
Security in layers approach helps with compliance
Leverage multi-AZ architectures for reliability & availability
36. MS Server – Enterprise Accelerator
• Exchange, SharePoint, Lync, SQL Server, and Active Directory on AWS
• Deployed from single master template
• 14 Servers, 2 AZs, 10K Users
• Exchange users have 5 GB mailboxes
• 1 TB SSD Storage for User Profiles
• Lync users have VOIP, video, web conferencing and desktop sharing
• SharePoint Blog and Team Sites are “Everyone”-enabled
• ~$14/hour (Oregon Region Pricing) to operate
37. Amazon’s Migration to AWS
In 2013, Amazon IT decided to migrate its Microsoft stack to AWS
Over 200K Amazon users access Exchange, SharePoint, and Lync
Exchange data points:
• There are 26 Exchange servers (4 per AZ)
• 7,600 users per server
• DAG Architecture for HA
• Supports users in Americas, EMEA, and Asia
39. Windows Server 2003: Options on AWS
Import and stay with Windows Server 2003 – until…
• You upgrade, when you are ready
• You re-write the application
• You replace, possibly with an AWS managed service
OR
Keep a replica of a legacy environment
40. Migration Options
• AWS VM Import/Export
• AWS Import/Export Snowball
• AWS Database Migration Service
• AWS Management Portal for vCenter
• AWS Systems Manager for Microsoft System Center VMM
• AWS Data Pipeline
• Partner Tools
41. AWS Cloud Adoption Framework
Planning, creation, management, and support for your cloud environment.
Guidance for establishing, developing and running AWS environments.
Structure where business and IT can work together toward a common strategy and vision.
Perspectives: Business, Platform, Maturity, People, Process, Operations, Security
AWS Cloud Adoption Framework: https://d0.awsstatic.com/whitepapers/aws_cloud_adoption_framework.pdf
42. AWS Migration Patterns (Path to Cloud)
(Diagram: migration flow. Discover, Assess (Enterprise Architecture and Applications); Plan Migration and Sequencing; Determine Migration Path, which branches into: Lift and Shift (Minimal Change: Move the App Infrastructure, by Manually Moving App and Data, 3rd Party Tools or AWS VM Import); Refactor for AWS (Application Lift and Shift, or Rebuild Application Architecture); Replatform (typically legacy applications: Recode App Components, Rearchitect Application, Recode Application, then Architect AWS Environment and Deploy App, Migrate Data); Vendor S/PaaS (if available); Decommission; Do Not Move. Each path then goes through Design, Build AWS Environment; Move the Application; Migration and UAT Testing; Signoff; Tuning; Cutover; Operate, supported by Org/Ops Impact Analysis, Identify Ops Changes and a Change Management Plan)
44. EC2 Dedicated Host
What is it?
• A physical EC2 server dedicated to your use
• Specified in terms of physical processors and cores
• Allocate and Release On-Demand
• Reserve capacity for a term
45. EC2 Dedicated Hosts
Benefits: Licensing and Compliance
Host ID = h-123abc, Sockets = 2, Physical Cores = 20
• Use per-socket or per-core licenses
• AWS Config: data source for license reporting
• Tagging your instances helps
• Enable compliance through controlling instance placement on hosts over time
• Enables BYOL Microsoft licenses without Software Assurance
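The placement control and license reporting described above, as an added example written for this page (not code from the deck or the AWS Config whitepaper): allocate a host, pin a BYOL Windows instance to it with host affinity, tag it, and produce the socket/core and placement snapshot a per-socket or per-core licence count needs. It assumes the AWS Tools for PowerShell (AWSPowerShell module) with EC2 rights and an AMI you imported yourself with VM Import; the AMI ID, region, AZ, instance type and tag values are illustrative.

```powershell
# Added example, not part of the original deck: Dedicated Host allocation, pinned
# BYOL launch, and a licence placement report. Assumptions: AWSPowerShell module,
# EC2 rights, and $ami is an image you imported with VM Import (a licence-included
# Windows AMI launched on a Dedicated Host still carries the AWS licence).
Import-Module AWSPowerShell

$region = 'us-west-2'               # assumed: Oregon, the region slide 36 prices
$az     = 'us-west-2a'
$ami    = 'ami-0123456789abcdef0'   # assumed: your imported BYOL Windows image

# AutoPlacement off: only launches that name this host land on it, so the host
# carries exactly the licences assigned to it and nothing else drifts on.
$hostId = @(New-EC2Host -InstanceType 'c4.xlarge' -AvailabilityZone $az `
                        -Quantity 1 -AutoPlacement off -Region $region)[0]

# Tenancy host + Affinity host: after a stop/start the instance returns to this
# host rather than any free host of the type, which keeps a server-bound licence
# on the hardware it was assigned to (Microsoft's reassignment rules still apply).
$res = New-EC2Instance -ImageId $ami -InstanceType 'c4.xlarge' -MinCount 1 -MaxCount 1 `
                       -Placement_Tenancy host -Placement_HostId $hostId `
                       -Placement_Affinity host -Region $region
$instanceId = $res.Instances[0].InstanceId

# Tag so AWS Config and the report below can tell licensed workloads apart.
New-EC2Tag -Resource $instanceId -Tag @{ Key = 'License'; Value = 'WindowsServer-BYOL' } -Region $region

# Licence report: one row per host with the physical sockets/cores the licence is
# counted against and the instances placed on it right now. AWS Config records
# the same host/instance relationship over time (the history an auditor asks for);
# this is the on-demand snapshot.
function Get-HostLicenseReport {
    param([string]$Region)
    foreach ($h in (Get-EC2Host -Region $Region)) {
        [pscustomobject]@{
            HostId        = $h.HostId
            AZ            = $h.AvailabilityZone
            Sockets       = $h.HostProperties.Sockets
            PhysicalCores = $h.HostProperties.Cores
            AutoPlacement = $h.AutoPlacement
            Instances     = ($h.Instances | ForEach-Object { $_.InstanceId }) -join ','
        }
    }
}

Get-HostLicenseReport -Region $region | Format-Table -AutoSize
```

Run the report from a read-only role on a schedule and keep the output with the Config history: the two together show, for any date, which physical sockets and cores each licensed instance was running on.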
46. Licensing Microsoft Products on AWS
BYOL: Support for Microsoft Servers
• Exchange, Skype for Business, SharePoint, System Center etc.
• See AWS Microsoft Licensing page for details
http://aws.amazon.com/windows/resources/licensing
License-included Amazon Machine Images:
• Windows Server 2012 R2
• Windows Server 2012
• Windows Server 2008 R2
• Windows Server 2008
• Windows Server 2003 R2
• SQL Server 2016
• SQL Server 2014
• SQL Server 2012
http://aws.amazon.com/windows/resources/amis/
47. Microsoft Products on Amazon EC2
AWS provided
• License costs included in EC2 costs
• AWS provides: Microsoft Windows Server 2003 R2, 2008, 2008 R2, 2012, 2012 R2; Microsoft SQL Server 2012, 2014, 2016 (Standard, Web, Enterprise*)
AWS + BYOL
• Leverage MS License Mobility Program
• AWS provides: Microsoft Windows Server (various)
• BYOL: Microsoft SQL Server, Microsoft Remote Desktop Services (CALs), Microsoft Exchange Server, Microsoft SharePoint Server, Microsoft System Center, Microsoft Dynamics products, plus others **
Full BYOL
• Leverage EC2 Dedicated Host: Software Assurance & License Mobility not required
• BYOL: Microsoft Windows Server, Microsoft Windows Desktop (7, 10 etc.), Microsoft Office Pro Plus, MSDN, Microsoft SQL Server, Microsoft Remote Desktop Services CALs, Microsoft Exchange Server, Microsoft SharePoint Server, Microsoft System Center, Microsoft Dynamics products, plus others **
* Some AWS Regions and SQL Server versions only
** See the licensing section of aws.amazon.com/windows/faq for full details
48. Licensing Continuum
AWS Provided
• EC2 manages licensing compliance & cost
• No CALs required
• PAYG or reserved pricing
• Save with right-sizing
• Save with variable workloads
• Save with efficiencies
• Save on transient
AWS + BYOL
• EC2 manages Windows Server licensing and compliance
• PAYG or reserved pricing
• Import and use your own MS licenses & CALs
• Requires active Software Assurance and License Mobility
• You manage licensing costs and compliance for your software
• Save through re-use of existing licenses
Full BYOL
• Import and use your own MS software
• Software Assurance & License Mobility not needed
• Use Dedicated Hosts
• You manage all licensing costs and compliance
• Save through re-use of existing licenses
Customers always retain responsibility for managing compliance with the terms of their licenses.
51. AWS Training & Certification
• Intro Videos & Labs: Free videos and labs to help you learn to work with 30+ AWS services – in minutes!
• Training Classes: In-person and online courses to build technical skills – taught by accredited AWS instructors
• Online Labs: Practice working with AWS services in a live environment – learn how related services work together
• AWS Certification: Validate technical skills and expertise – identify qualified IT talent or show you are AWS cloud ready
Learn more: aws.amazon.com/training
52. Next Steps
Contact your AWS Account Team.
Schedule a follow-up assessment for your organization.
Determine the most important outcomes for your business.
Visit the AWS Marketplace to see whether software you’re using today is available for immediate deployment in the AWS cloud.
Contact us: microsoft@amazon.com
Learn more at http://aws.amazon.com/windows
Take a free Test Drive: http://aws.amazon.com/testdrive
Use Free Tier for a Year: http://aws.amazon.com/free
Sign up for free at http://aws.amazon.com/getting-started