
Microsoft Exchange Server on the AWS Cloud

Quick Start Reference Deployment

January 2015

Last update: January 2020 (revisions)

Dragos Madarasan, AWS Professional Services

Aaron Lima, AWS Quick Start Team

This guide is also available in HTML format at https://docs.aws.amazon.com/quickstart/latest/exchange/.

Visit our GitHub repository for source files (including documentation files) and to post feedback, report bugs, or submit feature ideas for this Quick Start.


Amazon Web Services – Microsoft Exchange Server on the AWS Cloud January 2020

Page 2 of 38

Contents

Quick Links ............................................................................................................................ 3

Overview ................................................................................................................................. 4

Microsoft Exchange Server on AWS .................................................................................. 4

Cost and Licenses ............................................................................................................... 5

Architecture ............................................................................................................................ 6

Architectural Considerations ............................................................................................. 6

Architecture Components .................................................................................................. 6

Prerequisites .......................................................................................................................... 9

Technical Requirements ..................................................................................................... 9

Specialized Knowledge ....................................................................................................... 9

Exchange Server 2019 Requirements .............................................................................. 10

Implementation Details ....................................................................................................... 10

Storage on the Exchange Nodes ....................................................................................... 10

IP Addresses on the Exchange Nodes .............................................................................. 12

Database Availability Group ............................................................................................ 13

Edge Transport Nodes ...................................................................................................... 14

Load Balancer ................................................................................................................... 15

Volume Encryption........................................................................................................... 15

Deployment Options ............................................................................................................ 16

Deployment Steps ................................................................................................................ 16

Step 1. Prepare Your AWS Account .................................................................................. 16

Step 2: Launch the Quick Start ........................................................................................ 17

Step 3. (Optional) Create Database Copies ..................................................................... 28

Step 4. (Optional) Create a DNS Entry for the Load Balancer ....................................... 28

Best Practices ....................................................................................................................... 32

High Availability and Disaster Recovery ......................................................................... 32

Automatic Failover ........................................................................................................... 32


Security Groups and Firewalls ......................................................................................... 33

Security ................................................................................................................................. 34

Troubleshooting ................................................................................................................... 34

GitHub Repository ............................................................................................................... 35

Additional Resources ........................................................................................................... 36

Document Revisions ............................................................................................................ 37

This Quick Start was developed by Amazon Web Services (AWS) solutions architects. Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Quick Links

The links in this section are for your convenience. Before you launch the Quick Start, please review the architecture, configuration, network security, and other considerations discussed in this guide.

Note You are responsible for the costs related to your use of any AWS services used while running this Quick Start reference deployment. See the pricing pages of the AWS services you will be using for full details.

If you have an AWS account, and you’re already familiar with AWS services and Microsoft Exchange Server, you can launch the Quick Start to build the architecture shown in Figure 1 in a new or existing virtual private cloud (VPC). The deployment takes approximately 90 minutes. If you’re new to AWS or to Exchange Server, please review the implementation details and follow the step-by-step instructions provided later in this guide.

Launch (for new VPC)

Launch (for existing VPC)

If you want to take a look under the covers, you can view the AWS CloudFormation templates that automate the deployment.

View template (for new VPC)

View template (for existing VPC)

Overview

This Quick Start reference deployment guide includes infrastructure information, architectural considerations, and configuration steps for planning and deploying a Microsoft Exchange Server environment on the AWS Cloud. It uses AWS CloudFormation templates to automate the deployment.

Note This Quick Start supports Exchange Server 2016 and Exchange Server 2019.

This Quick Start is for IT infrastructure architects, administrators, and DevOps professionals who are planning to implement or extend their Exchange Server workloads on the AWS Cloud.

Included are best practices for configuring a highly available, fault-tolerant, and secure Exchange environment. This guide doesn’t cover general installation and software configuration tasks for Exchange Server. For general guidance and best practices, consult the Microsoft Exchange Server documentation.

Microsoft Exchange Server on AWS

Exchange Server is a messaging and collaboration solution that Microsoft developed, with support for mailboxes, calendars, compliance, and e-archival. In an Exchange Server environment, your users can collaborate and—when you deploy the environment in AWS—you can scale your environment based on demand.

The AWS Cloud provides infrastructure services that enable you to deploy Exchange Server in a highly available, fault-tolerant, and affordable way. By deploying on AWS, you get the functionality of Exchange Server and the flexibility and security of AWS.

In addition to this Quick Start, we’ve published a set of Microsoft-based Quick Starts that you can use to deploy other common Microsoft workloads on AWS, including:

• Microsoft Active Directory
• Remote Desktop Gateway (RD Gateway)
• Microsoft SharePoint Server
• Microsoft Web Application Proxy with Active Directory Federation Services (ADFS)
• Microsoft SQL Server
• Windows Server Update Services

Each of those Quick Starts includes a virtual private cloud (VPC) environment, which is deployed based on AWS best practices. To read more about deploying Microsoft workloads by using our Quick Starts, see the Quick Starts in the Microsoft Technologies category.

Cost and Licenses

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using. Prices are subject to change.

Tip After you deploy the Quick Start, we recommend that you enable the AWS Cost and Usage Report to track costs associated with the Quick Start. This report delivers billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. It provides cost estimates based on usage throughout each month, and finalizes the data at the end of the month. For more information about the report, see the AWS documentation.

Exchange Server can be deployed and licensed through the Microsoft License Mobility through Software Assurance program. For development and test environments, you can use your existing MSDN licenses for Exchange Server using Amazon Elastic Compute Cloud (Amazon EC2) Dedicated Instances. For details, see the MSDN on AWS page.

This Quick Start deployment uses an evaluation copy of Exchange Server. To upgrade your version, see the Microsoft Exchange Server website.

This Quick Start launches the Amazon Machine Image (AMI) for Microsoft Windows Server 2016 and Windows Server 2019, and includes the license for the Windows Server operating system. The AMI is updated on a regular basis with the latest service pack for the operating system, so you don’t have to install any updates. The Windows Server AMI doesn’t require client access licenses (CALs) and includes two Microsoft Remote Desktop Services licenses. For details, see Microsoft Licensing on AWS.

Architecture

Architectural Considerations

Before you deploy the template in this Quick Start, decide whether to use two Availability Zones or three, and whether to use a file share witness or a full node.

By default, the Exchange Server Quick Start uses two Availability Zones, with one Exchange node in each zone. The file share witness is launched in the same Availability Zone as the first Exchange node.

Note Where possible, we recommend deploying the Exchange Server Quick Start using three Availability Zones. This enables automatic failover of database availability groups (DAGs), without the need for manual intervention.

You can deploy a full Exchange node instead of a file share witness. In addition, you can specify whether to deploy the full node or the file share witness in a third Availability Zone. To learn more about Exchange DAGs and quorum models, see TechNet – database availability groups.

In addition, you can deploy an internal Application Load Balancer (ALB) to provide high availability and distribute traffic to the Exchange nodes. In this configuration, you need to import a Secure Sockets Layer (SSL) certificate into AWS Certificate Manager (ACM) before you launch the template.

AWS Secrets Manager is used to securely store the Exchange administrative account credentials. AWS Systems Manager Parameter Store is used to retrieve the latest AMI ID for the underlying EC2 instances, to ensure that the Windows 2016 or 2019 installation is up to date.

Architecture Components

Deploying this Quick Start for a new VPC with default parameters builds the following Exchange Server environment in the AWS Cloud.


Figure 1: Exchange Server architecture on AWS


You can also choose to build an architecture with three Availability Zones, as shown in Figure 2.

Figure 2: Exchange Server architecture with Edge nodes and three Availability Zones

The Quick Start sets up the following:

• A virtual private cloud (VPC) configured with public and private subnets across two Availability Zones. This provides the network infrastructure for your Exchange Server deployment. You can optionally choose a third Availability Zone for the file share witness or for an additional Exchange node, as shown in Figure 2.*
• In the public subnets, Windows Server–based Remote Desktop Gateway (RD Gateway) instances and network address translation (NAT) gateways for outbound internet access.*
• Elastic IP addresses associated with the NAT gateway and RD Gateway instances.*
• In the private subnets, Active Directory domain controllers.*
• In the private subnets, Windows Server–based instances as Exchange nodes.
• Exchange Server Enterprise Edition on each node. This architecture provides redundancy along with a witness server to ensure that a quorum can be established. The default architecture mirrors an on-premises architecture of two Exchange Server instances spanning two subnets placed in two different Availability Zones, as shown in Figure 1.
• Security groups to enable the secure flow of traffic between the instances deployed in the VPC.
• (Optional) In the public subnets, Exchange Edge Transport servers for routing internet email in and out of your environment.

* The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks and prompts you for your existing VPC configuration.

Prerequisites

Technical Requirements

You must obtain a license for Exchange Server before you deploy this Quick Start. Microsoft Exchange Server can be deployed and licensed via the Microsoft License Mobility through Software Assurance program. For development and test environments, you can use your existing MSDN licenses for Exchange Server using Amazon Elastic Compute Cloud (Amazon EC2) Dedicated Instances. For details, see the MSDN on AWS page.

This Quick Start deployment uses an evaluation copy of Exchange Server. To upgrade your version, see the Microsoft Exchange Server website.

Specialized Knowledge

Before you deploy this Quick Start, we recommend that you become familiar with the following AWS services. (If you are new to AWS, see Getting Started with AWS.)

• Amazon Elastic Compute Cloud (Amazon EC2)
• Amazon Elastic Block Store (Amazon EBS)
• Amazon Virtual Private Cloud (Amazon VPC)
• AWS CloudFormation
• NAT gateway
• AWS Identity and Access Management (IAM)
• Elastic Load Balancing (ELB)
• AWS Certificate Manager (ACM)

In addition, you should be familiar with the following:

• Windows Server 2016 or Windows Server 2019
• Microsoft Active Directory and Domain Name System (DNS)
• Windows Server Failover Clustering (WSFC)
• Exchange database availability groups (DAGs)

For information, see the Microsoft product documentation for these technologies.

Exchange Server 2019 Requirements

Microsoft has released Exchange Server 2019 only via the Volume Licensing Service Center, so you need to provide your own installation media. The Exchange2019Source parameter takes as its input the full URL to the installation media (ISO file).

The Exchange2019Source parameter value should always end in an ISO file extension, although the file name itself is not important, as the scripts have built-in logic to determine it from the URL.

Acceptable paths:

https://[yourbucket].s3-us-east-1.amazonaws.com/SW_DVD9_Exchange_Svr_2019.ISO

http://media.example.com/Exchange2019.ISO

Improper path:

https://[yourbucket].s3-us-east-1.amazonaws.com/SW_DVD9_Exchange_Svr_2019.zip

Note We recommend uploading the Exchange 2019 installation media to an S3 bucket and temporarily making the installation media public. This will ensure that the file is quickly downloaded to the EC2 instances.
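The two rules stated above (an absolute http or https URL whose path ends in .ISO, with the file name taken from the URL) can be checked before you launch the stack instead of discovering a bad value partway through a 90-minute deployment. The following PowerShell function is an added example and is not part of the Quick Start's own scripts; the function name and the placeholder bucket host name (example-bucket) are ours.

```powershell
# Added example, not part of the Quick Start: pre-flight check of an
# Exchange2019Source value, applying the rules the guide states.
function Test-Exchange2019Source {
    param([Parameter(Mandatory)][string]$Url)

    $result = [ordered]@{ Url = $Url; Valid = $false; FileName = $null; Reason = '' }

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        $result.Reason = 'not an absolute URL'
        return [pscustomobject]$result
    }
    if ($uri.Scheme -notin @('http', 'https')) {
        $result.Reason = "unsupported scheme '$($uri.Scheme)'"
        return [pscustomobject]$result
    }

    # The file name is the last path segment; a query string, if present, is ignored.
    $result.FileName = [System.IO.Path]::GetFileName($uri.AbsolutePath)
    if ([System.IO.Path]::GetExtension($result.FileName) -ne '.iso') {   # -ne is case-insensitive
        $result.Reason = 'path must end in .ISO'
        return [pscustomobject]$result
    }

    $result.Valid  = $true
    $result.Reason = 'ok'
    [pscustomobject]$result
}

# The guide's acceptable and improper paths, with the placeholder bucket name
# example-bucket in place of [yourbucket].
@(
    'https://example-bucket.s3-us-east-1.amazonaws.com/SW_DVD9_Exchange_Svr_2019.ISO'
    'http://media.example.com/Exchange2019.ISO'
    'https://example-bucket.s3-us-east-1.amazonaws.com/SW_DVD9_Exchange_Svr_2019.zip'
) | ForEach-Object { Test-Exchange2019Source -Url $_ } | Format-Table -AutoSize
```

The first two inputs report Valid = True with the derived file name; the .zip path is rejected. Because the check looks only at the URL path, a time-limited presigned S3 URL (whose signature sits in the query string) also passes; whether the Quick Start's download scripts accept one is not stated in this guide, so verify that before relying on it as an alternative to making the object public.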

Implementation Details

Storage on the Exchange Nodes

Storage capacity and performance are key aspects of any production installation. Although capacity and performance vary from one deployment to the next, this Quick Start provides a reference configuration that you can use as a starting point. The AWS CloudFormation template deploys the Exchange nodes using the memory-optimized r5.xlarge instance type by default.

To provide highly performant and durable storage, we’ve also included Amazon EBS volumes in this reference architecture. EBS volumes are network-attached disk storage, which you can create and attach to EC2 instances. Once these are attached, you can create a file system on top of these volumes, run a mailbox database, or use them in any other way you would use a block device. EBS volumes are placed in a specific Availability Zone, where they are automatically replicated to protect you from the failure of a single component.

Provisioned IOPS EBS volumes offer storage with consistent and low-latency performance. They are backed by solid state drives (SSDs) and are designed for applications with I/O-intensive workloads such as databases.

Amazon EBS-optimized instances, such as the R5 instance type, deliver dedicated throughput between Amazon EC2 and Amazon EBS. The dedicated throughput minimizes contention between Amazon EBS I/O and other traffic from your Amazon EC2 instance, and provides the best performance for your EBS volumes.

By default, on each Exchange node, the Quick Start deploys three 500-GiB General Purpose (GP2) SSD volumes to store mailbox databases and transaction logs. The database and log partitions are formatted using GUID Partition Table (GPT).

By default, partitions are created using Resilient File System (ReFS), which is the Preferred Architecture (PA) choice for Exchange Server 2016 and Exchange Server 2019. If you set the Enable or disable ReFS parameter to false, the partitions are formatted using NTFS.

The GP2 volume type delivers a consistent baseline of 3 IOPS/GiB, which provides a total of 1,500 IOPS per volume for Exchange database and transaction log volumes. You can customize the volume size, and you can switch to using dedicated IOPS volumes.

If you need more IOPS per volume, consider using Provisioned IOPS SSD volumes by changing the Exchange Server Volume Type and Exchange Server Volume IOPS parameters, or use disk striping within Windows.

The default disk layout in this Quick Start uses the following EBS volumes:

• One General Purpose SSD volume (100 GiB) for the operating system (C:)
• One General Purpose SSD volume (500 GiB) to host the Exchange Server database files (D:)
• One General Purpose SSD volume (500 GiB) to host the Exchange Server transaction log files (E:)

Figure 3 shows the disk layout on each Exchange Server node.

Figure 3: Disk layout on Exchange Server node

Note You’ll find the installation software on each node in the C:\Exchangeinstall folder.

Depending on the instance type selected, you might see additional drives for instance store (ephemeral) volumes such as (Z:). Data on instance storage will be lost when you stop your EC2 instance.

IP Addresses on the Exchange Nodes

By default, the Microsoft Exchange Quick Start template deploys two Exchange nodes with two IP addresses each:

• One IP address is used as the primary IP address for the instance.
• A second IP address acts as the Failover Cluster IP resource.

When you launch the AWS CloudFormation template, you can specify the addresses for each node, as shown in Figure 4. By default, the 10.0.0.0/19, 10.0.32.0/19, and 10.0.64.0/19 CIDR blocks are used for the private subnets.

Figure 4: Configuring IP addresses on the Exchange node

Database Availability Group

A failover cluster is automatically created for the database availability group (DAG). The AWS CloudFormation templates carry out this task when deploying the second node. If you use the default parameter settings in the template, the Quick Start runs the following Windows PowerShell commands to complete this task:

    Install-WindowsFeature failover-clustering -IncludeManagementTools
    New-DatabaseAvailabilityGroup -Name DAG -WitnessServer FileServer -WitnessDirectory C:\DAG
    Add-DatabaseAvailabilityGroupServer -Identity DAG -MailboxServer ExchangeNode1
    Add-DatabaseAvailabilityGroupServer -Identity DAG -MailboxServer ExchangeNode2

Note By default, the database availability group is created with the name DAG. To change this value, modify the DAGName default parameter value in the Configure-ExchangeDAG.ps1 file.

The first command runs on each instance during the bootstrapping process. It installs the required components and management tools for the failover clustering services. The rest of the commands run near the end of the bootstrapping process on the second node and are responsible for creating the cluster and for defining the server nodes and IP addresses.

By default, the Quick Start configures an even number of servers in the cluster. You need a third resource to maintain a majority vote to keep the cluster online if an individual server fails. For this, the Quick Start uses a dedicated file share witness instance, which can be either a domain-joined server or a third Exchange node (which cannot be part of the DAG itself). By default, the Quick Start creates a Dedicated Instance in the first Availability Zone to act as the file share witness. For production environments, you can also set the Third AZ parameter to witness to create a Dedicated Instance with a file share in a third Availability Zone.

Alternatively, you can use any domain-joined server for this task. (This isn’t included in the Quick Start.) If you set the Third AZ parameter to full, the Quick Start keeps the quorum settings to the default node majority and creates a third Exchange Server node in the third Availability Zone. Note that some AWS Regions support only two Availability Zones; for a current list, see AWS Global Infrastructure.

The Quick Start automated solution ends after creating the DAG and adding the two Exchange nodes to the DAG. When the deployment is complete, you can create additional databases and make them highly available by creating copies on the second nodes. This process is covered in step 3 of the deployment instructions.
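Once the bootstrapping has finished, it is worth confirming from the Exchange Management Shell that the DAG described above actually exists with the expected members, that quorum is covered (the file share witness in use for an even number of members, node majority when a third full node was deployed), and that replication checks pass on every member. The function below is an added example, not code from the Quick Start; it uses the Get-DatabaseAvailabilityGroup and Test-ReplicationHealth cmdlets and assumes the guide's default names DAG, ExchangeNode1 and ExchangeNode2 (the function name is ours).

```powershell
# Added example, not part of the Quick Start: verify the DAG the templates created.
# Run from the Exchange Management Shell on one of the mailbox nodes.
function Get-DagDeploymentStatus {
    param(
        [string]$DagName = 'DAG',                                         # guide's default DAGName
        [string[]]$ExpectedMembers = @('ExchangeNode1', 'ExchangeNode2')  # guide's default node names
    )

    $dag = Get-DatabaseAvailabilityGroup -Identity $DagName -Status
    $members = @($dag.Servers | ForEach-Object { $_.Name })
    $missing = @($ExpectedMembers | Where-Object { $_ -notin $members })

    # With an even number of members the witness breaks ties, so it must be in use;
    # with a third full node (Third AZ = full) node majority suffices and the witness is idle.
    $witnessNeeded = ($members.Count % 2 -eq 0)
    $witnessInUse  = ("$($dag.WitnessShareInUse)" -eq 'Primary')

    # Per-member replication checks; any result other than Passed is a finding.
    $failedChecks = @(foreach ($server in $members) {
        Test-ReplicationHealth -Identity $server |
            Where-Object { "$($_.Result)" -ne 'Passed' } |
            Select-Object @{ n = 'Server'; e = { $server } }, Check, Result, Error
    })

    [pscustomobject]@{
        Dag                  = $dag.Name
        Members              = ($members -join ', ')
        MissingMembers       = ($missing -join ', ')
        WitnessServer        = "$($dag.WitnessServer)"
        WitnessDirectory     = "$($dag.WitnessDirectory)"
        WitnessNeeded        = $witnessNeeded
        WitnessInUse         = $witnessInUse
        PrimaryActiveManager = "$($dag.PrimaryActiveManager)"
        FailedChecks         = $failedChecks
        Healthy              = ($missing.Count -eq 0) -and
                               ((-not $witnessNeeded) -or $witnessInUse) -and
                               ($failedChecks.Count -eq 0)
    }
}

$status = Get-DagDeploymentStatus
$status | Format-List Dag, Members, MissingMembers, WitnessServer, WitnessDirectory,
                      WitnessNeeded, WitnessInUse, PrimaryActiveManager, Healthy
if (-not $status.Healthy) { $status.FailedChecks | Format-Table -AutoSize }
```

A missing member or a failed check right after deployment usually means the second node's bootstrap did not reach the Add-DatabaseAvailabilityGroupServer step; the stack's CloudFormation events and the bootstrap logs on that node are the place to look. If you changed DAGName in Configure-ExchangeDAG.ps1, pass the same value with -DagName.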

Edge Transport Nodes

Edge Transport nodes relay inbound and outbound emails and provide smart host services within the Exchange organization. The Edge nodes are installed in the public subnets and aren’t domain-joined. However, they do require information from Active Directory, so configuring an Edge sync subscription is needed.

Because Edge Transport role nodes aren’t required for end-to-end mail flow, Edge nodes aren’t deployed by default. To deploy them, you must select yes on the Deploy Edge servers launch option, as shown in Figure 5.

Figure 5: Deploying Edge servers

A pair of Edge servers is deployed in the public subnets (which must be defined), and the Exchange Server Edge Transport role is installed using default settings. The EC2 instances aren’t domain-joined, but the DNS suffix that corresponds to the domain name is configured on the network interface cards (NICs). Also, DNS records are created in Active Directory corresponding to their hostname.

The Local Administrator password is reset to the Domain Admin password, and an Edge subscription file is created, which can be found in C:\EdgeServerSubscription.xml. Copy the subscription file to a mailbox server, and import the subscription by running the following command:

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeServerSubscription.xml" -Encoding Byte -ReadCount 0)) -Site "AZ1"
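The import command above creates the subscription, but the Edge server only becomes useful once EdgeSync has actually replicated recipient and connector data to it. The following is an added example, not part of the Quick Start, that wraps the same import in a function, starts the first synchronization immediately and verifies it with Test-EdgeSynchronization. The file path and the site name AZ1 are the guide's; the function name and the removal of the subscription file after import are ours.

```powershell
# Added example, not part of the Quick Start: import the subscription file the Edge
# node wrote, start EdgeSync, and verify it. Run in the Exchange Management Shell on
# the mailbox server to which you copied the file.
function Import-EdgeNodeSubscription {
    param(
        [Parameter(Mandatory)][string]$SubscriptionFile,
        [Parameter(Mandatory)][string]$Site
    )
    if (-not (Test-Path -Path $SubscriptionFile -PathType Leaf)) {
        throw "Subscription file not found: $SubscriptionFile"
    }

    # Same byte-array read as the guide's command. The file carries the credentials
    # EdgeSync will use, so it is deleted from the mailbox server once imported.
    $fileData = [byte[]](Get-Content -Path $SubscriptionFile -Encoding Byte -ReadCount 0)
    New-EdgeSubscription -FileData $fileData -Site $Site | Out-Null
    Remove-Item -Path $SubscriptionFile -Force

    # Run the first synchronization now rather than waiting for the schedule, then have
    # EdgeSync compare the Edge server's copy of the data with Active Directory.
    Start-EdgeSynchronization -Server $env:COMPUTERNAME | Out-Null
    $status = @(Test-EdgeSynchronization -FullCompareMode)

    [pscustomobject]@{
        Subscriptions = @(Get-EdgeSubscription | ForEach-Object { $_.Name })
        SyncStatus    = ($status | Select-Object Name, SyncStatus, LastSynchronizedUtc, FailureDetail)
        Synced        = ($status.Count -gt 0) -and
                        (@($status | Where-Object { "$($_.SyncStatus)" -ne 'Normal' }).Count -eq 0)
    }
}

$result = Import-EdgeNodeSubscription -SubscriptionFile 'C:\EdgeServerSubscription.xml' -Site 'AZ1'
$result.SyncStatus | Format-Table -AutoSize
if (-not $result.Synced) { Write-Warning 'EdgeSync did not report Normal for every Edge server' }
```

Two things commonly make the verification fail: the subscription file is only valid for 1,440 minutes (24 hours) after the Edge node created it, so a stale file has to be regenerated on the Edge server; and Start-EdgeSynchronization needs the mailbox servers to reach the Edge servers on the secure LDAP port (TCP 50636), which the security groups between the private and public subnets must allow.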

Load Balancer

Exchange servers running with the Client Access/Transport roles are usually situated behind a network load balancer (NLB) with a unified Exchange namespace such as “mail.example.com.” The namespace resolves to the load balancer, which in turn distributes traffic to the Exchange servers.

The Exchange Server Quick Start contains an option to deploy an Application Load Balancer that distributes the traffic to the Exchange nodes.

By default, the load balancer isn’t deployed because it requires an existing SSL certificate to be imported in AWS Certificate Manager.

For a load balancer to be deployed, you must:

1. Import or generate a certificate in AWS Certificate Manager.

2. Specify the full Amazon Resource Name (ARN) in the CertificateARN option.

3. Select true in Deploy Load Balancer, when you launch the Quick Start.

Volume Encryption

As part of the default setup, the Exchange Server Quick Start creates and attaches two EBS volumes to each Exchange node. One EBS volume (corresponding to the D:\ drive) holds the Exchange mailbox databases, while the other EBS volume (E:\) holds the Exchange transaction logs.

The Quick Start also provides an option to encrypt the EBS volumes with either the default AWS Key Management Service (AWS KMS) encryption key or a custom KMS key, as shown in Figure 6.

Figure 6: Encrypting the EBS volumes

Note The root volume of the Exchange nodes (C:\) isn’t encrypted, even if Encrypt data volumes is selected.
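Because the option covers only the data volumes, the result is worth auditing rather than assumed: list every volume attached to each Exchange node with its encryption flag and KMS key, so the unencrypted root volume and any data volume that missed the option are both visible. The following is an added example, not Quick Start code, using the AWS Tools for PowerShell. It assumes the AWS.Tools.EC2 module, credentials allowed to call ec2:DescribeInstances and ec2:DescribeVolumes, the guide's default Region (US West (Oregon), us-west-2), and a Name-tag pattern (*ExchangeNode*) that you should adjust to however your stack tags the nodes; the function name is ours.

```powershell
# Added example, not part of the Quick Start: report the encryption state of every
# EBS volume attached to the Exchange nodes.
Import-Module AWS.Tools.EC2

function Get-ExchangeVolumeEncryption {
    param(
        [string]$NameTagPattern = '*ExchangeNode*',   # assumption: adjust to your stack's Name tags
        [string]$Region = 'us-west-2'                 # the guide's default Region, US West (Oregon)
    )

    $instances = (Get-EC2Instance -Region $Region -Filter @(
        @{ Name = 'tag:Name'; Values = $NameTagPattern }
    )).Instances

    foreach ($instance in $instances) {
        $name = ($instance.Tags | Where-Object { $_.Key -eq 'Name' }).Value
        $volumes = Get-EC2Volume -Region $Region -Filter @(
            @{ Name = 'attachment.instance-id'; Values = $instance.InstanceId }
        )
        foreach ($volume in $volumes) {
            $attachment = $volume.Attachments | Where-Object { $_.InstanceId -eq $instance.InstanceId }
            [pscustomobject]@{
                Instance   = $name
                InstanceId = $instance.InstanceId
                VolumeId   = $volume.VolumeId
                Device     = $attachment.Device
                IsRoot     = ($attachment.Device -eq $instance.RootDeviceName)   # the C: volume
                SizeGiB    = $volume.Size
                Type       = "$($volume.VolumeType)"
                Encrypted  = $volume.Encrypted
                KmsKeyId   = $volume.KmsKeyId      # empty when the volume is not encrypted
            }
        }
    }
}

$report = @(Get-ExchangeVolumeEncryption)
$report | Sort-Object Instance, Device | Format-Table -AutoSize

# Unencrypted volumes are the findings. Per the guide's note the root volume will be
# listed here; an unencrypted D: or E: volume means the option was not applied.
$findings = @($report | Where-Object { -not $_.Encrypted })
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) unencrypted volume(s) attached to the Exchange nodes"
    $findings | Format-Table Instance, Device, IsRoot, VolumeId -AutoSize
}
```

If you chose a custom KMS key, KmsKeyId on the D: and E: rows should match that key's ARN; the default key shows as the account's aws/ebs key. EBS encryption cannot be switched on for an existing volume in place, so any data volume that appears unencrypted has to be replaced (snapshot, copy with encryption, re-attach) rather than toggled.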

Deployment Options

This Quick Start provides two deployment options:

• Deploy Exchange Server into a new VPC (end-to-end deployment). This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components, and then deploys Exchange Server into this new VPC.
• Deploy Exchange Server into an existing VPC. This option provisions Exchange Server in your existing AWS infrastructure. Your AWS environment must include a VPC with two or three Availability Zones, public and private subnets in each Availability Zone, Remote Desktop Gateway and NAT gateways deployed into the public subnet, and Active Directory Domain Services deployed into the private subnet.

The Quick Start also lets you configure additional settings such as CIDR blocks, instance types, and Exchange Server settings, as discussed later in this guide.

Deployment Steps Step 1. Prepare Your AWS Account

1. If you don’t already have an AWS account, create one at https://aws.amazon.com by

following the on-screen instructions.

2. Use the Region selector in the navigation bar to choose the AWS Region where you want

to deploy the infrastructure for Microsoft Exchange Server on AWS. If you’re planning

to use a third Availability Zone for a file share witness instance or a third Exchange

Server node, choose an AWS Region that includes three or more Availability Zones; see

Regions and Availability Zones for a list.

3. Create a key pair in your preferred Region.


4. If necessary, request a service quota increase for the Amazon EC2 r5.xlarge instance type. You might need to do this if you already have an existing deployment that uses this instance type, and you think you might exceed the default limit with this deployment.

Step 2. Launch the Quick Start

Note: You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service you will be using in this Quick Start. Prices are subject to change.

1. Choose one of the following options to launch the AWS CloudFormation template into your AWS account. For help choosing an option, see Deployment Options earlier in this guide.

Option 1: Deploy Exchange Server into a new VPC on AWS

Option 2: Deploy Exchange Server into an existing VPC on AWS

Important: If you’re deploying Exchange Server into an existing VPC, make sure that your VPC has at least two private subnets in different Availability Zones. These subnets require NAT gateways or NAT instances in their route tables, to allow the instances to download packages and software without exposing them to the internet. You will also need the domain name option configured in the DHCP options as explained in the Amazon VPC documentation. You will be prompted for your VPC settings when you launch the Quick Start.

Each deployment takes about 90 minutes to complete.

2. Check the Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This is where the network infrastructure for Exchange Server will be built. The template is launched in the US West (Oregon) Region by default.

3. On the Select Template page, keep the default setting for the template URL, and then choose Next.

4. On the Specify Details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

In the following tables, parameters are listed by category and described separately for the two deployment options:

– Parameters for deploying Microsoft Exchange Server into a new VPC

– Parameters for deploying Microsoft Exchange Server into an existing VPC

Option 1: Parameters for deploying Exchange Server into a new VPC

View template

VPC Network Configuration:

Parameter label (name) | Default | Description

Availability Zones (AvailabilityZones) | Requires input | The list of Availability Zones to use for the subnets in the VPC. The Quick Start uses two Availability Zones from your list and preserves the logical order you specify.

Number of Availability Zones (NumberOfAZs) | 2 | The number of Availability Zones to use in the VPC. This number must match your selection in the list of the Availability Zones parameter.

Third Availability Zone (ThirdAZ) | no | Enables you to deploy three Availability Zones. The third Availability Zone can either be used just for the witness or be a full Exchange cluster node. Note: If you use the third Availability Zone for the witness, you must set the File Server Private IP Address parameter to an IP address in the third subnet range.

VPC CIDR (VPCCIDR) | 10.0.0.0/16 | The CIDR block for the VPC.

Private Subnet 1 CIDR (PrivateSubnet1CIDR) | 10.0.0.0/19 | The CIDR block for the private subnet located in Availability Zone 1.

Private Subnet 2 CIDR (PrivateSubnet2CIDR) | 10.0.32.0/19 | The CIDR block for the private subnet located in Availability Zone 2.

Private Subnet 3 CIDR (PrivateSubnet3CIDR) | 10.0.64.0/19 | (Optional) The CIDR block for optional private subnet 3 located in Availability Zone 3.

Public Subnet 1 CIDR (PublicSubnet1CIDR) | 10.0.128.0/20 | The CIDR block for the public (DMZ) subnet located in Availability Zone 1.

Public Subnet 2 CIDR (PublicSubnet2CIDR) | 10.0.144.0/20 | The CIDR block for the public (DMZ) subnet located in Availability Zone 2.

Public Subnet 3 CIDR (PublicSubnet3CIDR) | 10.0.160.0/20 | (Optional) The CIDR block for the optional public (DMZ) subnet 3 located in Availability Zone 3.


Amazon EC2 Configuration:

Parameter label (name) | Default | Description

Key pair name (KeyPairName) | Requires input | The public/private key pair, which allows you to connect securely to your instance after it launches. When you created an AWS account, this is the key pair you created in your preferred Region.

Microsoft Active Directory Configuration:

Parameter label (name) | Default | Description

Domain DNS name (DomainDNSName) | example.com | The fully qualified domain name (FQDN) of the forest root domain (e.g., example.com).

Domain NetBIOS name (DomainNetBIOSName) | example | The NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows (e.g., EXAMPLE).

Restore Mode password (RestoreModePassword) | Requires input | The password for a separate Administrator account when the domain controller is in Restore Mode. Must be at least 8 characters containing letters, numbers, and symbols. Avoid using special characters such as @ or $.

Domain Admin user name (DomainAdminUser) | StackAdmin | The user name for the account that will be added as Domain Administrator. This is separate from the default Administrator account.

Domain Admin password (DomainAdminPassword) | Requires input | The password for the domain admin user. Must be at least 8 characters containing letters, numbers, and symbols. Avoid using special characters such as @ or $.

Domain Controller 1 instance type (ADServer1InstanceType) | m5.xlarge | The EC2 instance type for the first Active Directory instance.

Domain Controller 1 NetBIOS name (ADServer1NetBIOSName) | DC1 | The NetBIOS name of the first Active Directory server (up to 15 characters).

Domain Controller 1 private IP address (ADServer1PrivateIP) | 10.0.0.10 | The private IP address for the first Active Directory server located in Availability Zone 1.

Domain Controller 2 instance type (ADServer2InstanceType) | m5.xlarge | The EC2 instance type for the second Active Directory instance.

Domain Controller 2 NetBIOS name (ADServer2NetBIOSName) | DC2 | The NetBIOS name of the second Active Directory server (up to 15 characters).

Domain Controller 2 private IP address (ADServer2PrivateIP) | 10.0.32.10 | The private IP address for the second Active Directory server located in Availability Zone 2.

Remote Desktop Gateway Configuration:

Parameter label (name) | Default | Description

Allowed Remote Desktop Gateway external access CIDR (RDGWCIDR) | Requires input | The allowed CIDR block for external access to the Remote Desktop Gateways.

Remote Desktop Gateway instance type (RDGWInstanceType) | t2.large | The EC2 instance type for the Remote Desktop Gateway instances.

Number of RDGW hosts (NumberOfRDGWHosts) | 1 | The number of Remote Desktop Gateway hosts to create.

Exchange Server Configuration:

Parameter label (name) | Default | Description

Exchange Server version (ExchangeServerVersion) | 2016 | The version of Exchange Server to install. Options include either 2016 or 2019.

Exchange Server 2019 source (ISO) (Exchange2019Source) | https:// | Full URL (including https://) for the Exchange 2019 ISO. This is required only if the Exchange Server version selected is 2019.

Deploy Edge servers (IncludeEdgeTransportRole) | no | Setting this parameter to yes will include Exchange Edge Transport servers in the public subnets.

Edge Role instance type (EdgeInstanceType) | t3.large | The EC2 instance type for the Exchange Edge Transport servers.

Edge Node 1 NetBIOS name (EdgeNode1NetBIOSName) | EdgeNode1 | The NetBIOS name of the first Edge server (up to 15 characters).

Edge Node 1 private IP address (EdgeNode1PrivateIP1) | 10.0.128.12 | The primary private IP address for the first Edge server located in Availability Zone 1.

Edge Node 2 NetBIOS name (EdgeNode2NetBIOSName) | EdgeNode2 | The NetBIOS name of the second Edge server (up to 15 characters).

Edge Node 2 private IP address (EdgeNode2PrivateIP1) | 10.0.144.12 | The primary private IP address for the second Edge server located in Availability Zone 1.

Enable or disable ReFS (EnableReFSVolumes) | true | Setting this parameter to false formats the data and log volumes on Exchange nodes using NTFS instead of ReFS.

Encrypt data volumes (EncryptDataVolumes) | false | Setting this parameter to true encrypts the data and log volumes on the Exchange nodes.

KMS key to encrypt volumes (EncryptionKmsKey) | — | (Optional) The KMS encryption ARN in the following format: arn:aws:kms:[REGION]:[ACCOUNTNUMBER]:key/[GUID]. Leave blank to use the default EBS encryption key.

Exchange Server volume IOPS (VolumeIops) | 1000 | The provisioned IOPS for the Exchange data and log volumes. This parameter is only applicable when the Exchange Server volume type parameter is set to "io1".

Exchange Server volume size (GiB) (VolumeSize) | 500 | The volume size for the Exchange data and log volumes.

Exchange Server volume type (VolumeType) | gp2 | The volume type for the Exchange data and log volumes.

Load Balancer Configuration:

Parameter label (name) | Default | Description

Deploy Application Load Balancer (DeployLoadBalancer) | false | Setting this parameter to true configures an Application Load Balancer (ALB).

Application Load Balancer Certificate (CertificateArn) | | (Conditional) The certificate ARN to be used by the ALB. If true is chosen in the Deploy Application Load Balancer option, specify the certificate ARN to be used by the load balancer in the following format: arn:aws:acm:[REGION]:[ACCOUNTNUMBER]:certificate/[GUID]

Failover Cluster Configuration:

Parameter label (name) | Default | Description

Instance type for Exchange nodes (ExchangeNodeInstanceType) | r5.xlarge | The EC2 instance type for the Exchange nodes.

Exchange Node 1 NetBIOS name (ExchangeNode1NetBIOSName) | ExchangeNode1 | The NetBIOS name of the first Exchange node (up to 15 characters).

Exchange Node 1 private IP address 1 (ExchangeNode1PrivateIP1) | 10.0.0.100 | The primary private IP address for Exchange node 1 located in Availability Zone 1.

Exchange Node 1 private IP address 2 (ExchangeNode1PrivateIP2) | 10.0.0.101 | The secondary private IP address for Exchange node 1.

Exchange Node 2 NetBIOS name (ExchangeNode2NetBIOSName) | ExchangeNode2 | The NetBIOS name of Exchange node 2 (up to 15 characters).

Exchange Node 2 private IP address 1 (ExchangeNode2PrivateIP1) | 10.0.32.100 | The primary private IP address for Exchange node 2.

Exchange Node 2 private IP address 2 (ExchangeNode2PrivateIP2) | 10.0.32.101 | The secondary private IP address for Exchange node 2.

Exchange Node 3 NetBIOS name (ExchangeNode3NetBIOSName) | ExchangeNode3 | (Optional) The NetBIOS name of the optional Exchange node 3 (up to 15 characters).

Exchange Node 3 private IP address 1 (ExchangeNode3PrivateIP1) | 10.0.64.100 | (Optional) The primary private IP address for the optional Exchange node 3.

Exchange Node 3 private IP address 2 (ExchangeNode3PrivateIP2) | 10.0.64.101 | (Optional) The secondary private IP address for the optional Exchange node 3.

File Server instance type (FileServerInstanceType) | t3.small | The EC2 instance type for the file-share witness server.

File Server NetBIOS name (FileServerNetBIOSName) | FileServer | The NetBIOS name of the file-share witness server (up to 15 characters).

File Server private IP address (FileServerPrivateIP) | 10.0.0.200 | The primary private IP address for the file-share witness server located in Availability Zone 1.


AWS Quick Start Configuration:

Parameter label (name) | Default | Description

Quick Start S3 bucket name (QSS3BucketName) | aws-quickstart | The S3 bucket you’ve created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen.

Quick Start S3 key prefix (QSS3KeyPrefix) | quickstart-microsoft-exchange/ | The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes, but should not start or end with a forward slash (which is automatically added).

Option 2: Parameters for deploying Exchange Server into an existing VPC

View template

Network Configuration:

Parameter label (name) | Default | Description

Third Availability Zone (ThirdAZ) | no | Enables you to deploy three Availability Zones. The third Availability Zone can either be used just for the witness or be a full Exchange node. Note: If you use the third Availability Zone for the witness, you must set the File Server Private IP Address parameter to an IP address in the third subnet range.

VPC for Exchange deployment (VPCID) | Requires input | The ID of the VPC (e.g., vpc-0343606e).

CIDR block of VPC (VPCCidrBlock) | 10.0.0.0/16 | The CIDR block for the VPC.

Private Subnet 1 ID (PrivateSubnet1ID) | Requires input | The ID of private subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd).

Private Subnet 1 CIDR (PrivateSubnet1CIDR) | 10.0.0.0/19 | The CIDR block for private subnet 1 located in Availability Zone 1.

Private Subnet 2 ID (PrivateSubnet2ID) | Requires input | The ID of private subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd).

Private Subnet 2 CIDR (PrivateSubnet2CIDR) | 10.0.32.0/19 | The CIDR block for private subnet 2 located in Availability Zone 2.

Private Subnet 3 ID (PrivateSubnet3ID) | — | (Optional) The ID of the optional private subnet 3 in Availability Zone 3 (e.g., subnet-a0246dcd).

Private Subnet 3 CIDR (PrivateSubnet3CIDR) | 10.0.64.0/19 | (Optional) The CIDR block for optional private subnet 3 located in Availability Zone 3.

Public Subnet 1 ID (PublicSubnet1ID) | Requires input | (Optional) The ID of public subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd).

Public Subnet 2 ID (PublicSubnet2ID) | Requires input | (Optional) The ID of public subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd).

Amazon EC2 Configuration:

Parameter label (name) | Default | Description

Key pair name (KeyPairName) | Requires input | The public/private key pair, which allows you to connect securely to your instance after it launches. When you created an AWS account, this is the key pair you created in your preferred Region.

Windows Server 2016 AMI name (WS2016FULLBASE) | /aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base | The image name for the Systems Manager Windows Server 2016 AMI ID lookup.

Windows Server 2019 AMI name (WS2019FULLBASE) | /aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base | The image name for the Systems Manager Windows Server 2019 AMI ID lookup.

Microsoft Active Directory Configuration:

Parameter label (name) | Default | Description

Domain DNS name (DomainDNSName) | example.com | The fully qualified domain name (FQDN) of the forest root domain (e.g., example.com).

Domain NetBIOS name (DomainNetBIOSName) | EXAMPLE | The NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows (e.g., EXAMPLE).

Domain Admin user name (DomainAdminUser) | StackAdmin | The user name for the account that will be used as Domain Administrator. This is separate from the default Administrator account.

Domain Admin password (DomainAdminPassword) | Requires input | The password for the domain admin user. Must be at least 8 characters containing letters, numbers, and symbols. Avoid using special characters such as @ or $.

Domain Controller 1 NetBIOS name (ADServer1NetBIOSName) | DC1 | The NetBIOS name of the first Active Directory server (up to 15 characters).

Domain Controller 1 private IP address (ADServer1PrivateIP) | 10.0.0.10 | The private IP address for the first Active Directory server located in Availability Zone 1.

Domain Controller 2 NetBIOS name (ADServer2NetBIOSName) | DC2 | The NetBIOS name of the second Active Directory server (up to 15 characters).

Domain Controller 2 private IP address (ADServer2PrivateIP) | 10.0.32.10 | The private IP address for the second Active Directory server located in Availability Zone 2.

Security Group ID for AD domain members (DomainMemberSGID) | Requires input | The ID of the Domain Member Security Group (e.g., sg-7f16e910).

Microsoft Exchange Server Configuration:

Parameter label (name) | Default | Description

Exchange Server version (ExchangeServerVersion) | 2016 | The version of Exchange Server to install. Options include either 2016 or 2019.

Exchange Server 2019 source (ISO) (Exchange2019Source) | https:// | Full URL (including https://) for the Exchange 2019 ISO. This is required only if the Exchange Server version selected is 2019.

Deploy Edge servers (IncludeEdgeTransportRole) | no | Setting this parameter to yes will deploy Exchange Edge Transport servers in the public subnets.

Instance type for Edge server (EdgeInstanceType) | t3.large | The EC2 instance type for the Exchange Edge Transport servers.

Edge Node 1 NetBIOS name (EdgeNode1NetBIOSName) | EdgeNode1 | The NetBIOS name of the first Edge Server (up to 15 characters).

Edge Node 1 private IP address (EdgeNode1PrivateIP1) | 10.0.128.12 | The primary private IP address for the first Edge Server located in Availability Zone 1.

Edge Node 2 NetBIOS name (EdgeNode2NetBIOSName) | EdgeNode2 | The NetBIOS name of the second Edge Server (up to 15 characters).

Edge Node 2 private IP address (EdgeNode2PrivateIP1) | 10.0.144.12 | The primary private IP address for the second Edge Server located in Availability Zone 1.

Enable or disable ReFS (EnableReFSVolumes) | true | Setting this parameter to false formats the data and log volumes on Exchange nodes using NTFS instead of ReFS.

Encrypt data volumes (EncryptDataVolumes) | false | Setting this parameter to true encrypts the data and log volumes on the Exchange nodes.

KMS key to encrypt volumes (EncryptionKmsKey) | — | (Optional) The KMS encryption ARN in the following format: arn:aws:kms:[REGION]:[ACCOUNTNUMBER]:key/[GUID]. Leave blank to use the default EBS encryption key.

Data Volume size (GiB) (VolumeSize) | 500 | The volume size for the Exchange data drive.

Data Volume type (VolumeType) | gp2 | The volume type for the Exchange data drive.

Data Volume IOPS (VolumeIops) | 1000 | The IOPS for the Exchange data drive (only used when the volume type is io1).

Load Balancer Configuration:

Parameter label (name) | Default | Description

Deploy Application Load Balancer (DeployLoadBalancer) | false | Setting this parameter to true deploys an Application Load Balancer (ALB).

Application Load Balancer Certificate (CertificateArn) | | (Conditional) The certificate ARN to be used by the ALB. If true is chosen in the Deploy Application Load Balancer option, specify the certificate ARN to be used by the load balancer in the following format: arn:aws:acm:[REGION]:[ACCOUNTNUMBER]:certificate/[GUID]

Failover Cluster Configuration:

Parameter label (name) | Default | Description

Instance type for Exchange nodes (ExchangeNodeInstanceType) | r5.xlarge | The EC2 instance type for the Exchange nodes.

Exchange Node 1 NetBIOS name (ExchangeNode1NetBIOSName) | ExchangeNode1 | The NetBIOS name of the first Exchange node (up to 15 characters).

Exchange Node 1 private IP address 1 (ExchangeNode1PrivateIP1) | 10.0.0.100 | The primary private IP address for Exchange node 1 located in Availability Zone 1.

Exchange Node 1 private IP address 2 (ExchangeNode1PrivateIP2) | 10.0.0.101 | The secondary private IP address for Exchange node 1.

Exchange Node 2 NetBIOS name (ExchangeNode2NetBIOSName) | ExchangeNode2 | The NetBIOS name of Exchange node 2 (up to 15 characters).

Exchange Node 2 private IP address 1 (ExchangeNode2PrivateIP1) | 10.0.32.100 | The primary private IP address for Exchange node 2 located in Availability Zone 2.

Exchange Node 2 private IP address 2 (ExchangeNode2PrivateIP2) | 10.0.32.101 | The secondary private IP address for Exchange node 2.

Exchange Node 3 NetBIOS name (ExchangeNode3NetBIOSName) | ExchangeNode3 | (Optional) The NetBIOS name of the optional Exchange node 3 (up to 15 characters).

Exchange Node 3 private IP address 1 (ExchangeNode3PrivateIP1) | 10.0.64.100 | (Optional) The primary private IP address for Exchange node 3 located in Availability Zone 3.

Exchange Node 3 private IP address 2 (ExchangeNode3PrivateIP2) | 10.0.64.101 | (Optional) The secondary private IP address for Exchange node 3 located in Availability Zone 3.

File Server instance type (FileServerInstanceType) | t3.small | The EC2 instance type for the file-share witness server.

File Server NetBIOS name (FileServerNetBIOSName) | FileServer | The NetBIOS name of the file-share witness server (up to 15 characters).

File Server private IP address (FileServerPrivateIP) | 10.0.0.200 | The primary private IP address for the file-share witness server located in Availability Zone 1.

AWS Quick Start Configuration:

Parameter label (name) | Default | Description

Quick Start S3 bucket name (QSS3BucketName) | aws-quickstart | The S3 bucket you’ve created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen.

Quick Start S3 key prefix (QSS3KeyPrefix) | quickstart-microsoft-exchange/ | The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes, but should not start or end with a forward slash (which is automatically added).

5. On the Options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re done, choose Next.

6. On the Review page, review and confirm the template settings. Under Capabilities, select the check box to acknowledge that the template will create IAM resources.

7. Choose Create to deploy the stack.

Monitor the status of the stack. When the status is CREATE_COMPLETE, the Exchange Server cluster is ready.
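The parameter tables above state several constraints that CloudFormation will not check for you before the 90-minute deployment starts: subnet CIDRs must sit inside the VPC CIDR and not overlap, the static private IPs must fall in their stated subnets, NetBIOS names are capped at 15 characters, the two passwords have composition rules, the KMS and ACM ARNs have fixed formats, and a witness in the third Availability Zone needs FileServerPrivateIP moved into the third subnet. The pre-flight checker below is an added example, not part of the Quick Start; it applies those rules to a parameter set and adds one check the Best Practices section motivates, that RDGWCIDR is never 0.0.0.0/0. The ThirdAZ values "witness" and "full" are assumed names for the two third-AZ modes the table describes, and the "Requires input" values in the sample are constructed.

```python
"""Pre-flight checks for an Exchange Quick Start parameter set (added example, not part
of the Quick Start). Rules come from the parameter tables plus the ingress guidance."""
import ipaddress, re

KMS_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-fA-F-]{36}$")
ACM_ARN = re.compile(r"^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-fA-F-]{36}$")
SUBNETS = ["PrivateSubnet1CIDR", "PrivateSubnet2CIDR", "PrivateSubnet3CIDR",
           "PublicSubnet1CIDR", "PublicSubnet2CIDR", "PublicSubnet3CIDR"]
NETBIOS = ["DomainNetBIOSName", "ADServer1NetBIOSName", "ADServer2NetBIOSName",
           "ExchangeNode1NetBIOSName", "ExchangeNode2NetBIOSName", "ExchangeNode3NetBIOSName",
           "FileServerNetBIOSName", "EdgeNode1NetBIOSName", "EdgeNode2NetBIOSName"]
# Static IP parameter -> subnet it must fall in, as stated in the parameter tables.
FIXED = {"ADServer1PrivateIP": "PrivateSubnet1CIDR", "ADServer2PrivateIP": "PrivateSubnet2CIDR",
         "ExchangeNode1PrivateIP1": "PrivateSubnet1CIDR", "ExchangeNode1PrivateIP2": "PrivateSubnet1CIDR",
         "ExchangeNode2PrivateIP1": "PrivateSubnet2CIDR", "ExchangeNode2PrivateIP2": "PrivateSubnet2CIDR"}

def placement(p):
    """Add the conditional placements to FIXED. ThirdAZ values "witness" and "full" are
    assumed names for the two third-AZ modes the table describes ("no" is the default)."""
    third, where = p.get("ThirdAZ", "no"), dict(FIXED)
    # The file-share witness sits in AZ1 unless the third AZ is reserved for it.
    where["FileServerPrivateIP"] = "PrivateSubnet3CIDR" if third == "witness" else "PrivateSubnet1CIDR"
    if third == "full":
        where.update(ExchangeNode3PrivateIP1="PrivateSubnet3CIDR", ExchangeNode3PrivateIP2="PrivateSubnet3CIDR")
    if p.get("IncludeEdgeTransportRole", "no") == "yes":  # Edge servers go in the public subnets
        where.update(EdgeNode1PrivateIP1="PublicSubnet1CIDR", EdgeNode2PrivateIP1="PublicSubnet2CIDR")
    return where

def password_problems(pw):
    """Rules stated for RestoreModePassword and DomainAdminPassword."""
    out = ["shorter than 8 characters"] if len(pw) < 8 else []
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw) and re.search(r"[^A-Za-z0-9]", pw)):
        out.append("must contain letters, numbers, and symbols")
    if "@" in pw or "$" in pw:
        out.append("contains @ or $")
    return out

def check_parameters(p):
    """Return a list of findings; an empty list means the parameter set passes."""
    findings, vpc = [], ipaddress.ip_network(p["VPCCIDR"])
    nets = {n: ipaddress.ip_network(p[n]) for n in SUBNETS if p.get(n)}  # AZ3 subnets are optional
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"{name} {net} is not inside VPCCIDR {vpc}")
    pairs = list(nets.items())
    for i, (a_name, a) in enumerate(pairs):
        findings += [f"{a_name} overlaps {b_name}" for b_name, b in pairs[i + 1:] if a.overlaps(b)]
    used = {}
    for ip_name, net_name in placement(p).items():
        ip, net = ipaddress.ip_address(p[ip_name]), nets.get(net_name)
        if net is None or ip not in net:
            findings.append(f"{ip_name} {ip} is not in {net_name}")
        elif int(ip) - int(net.network_address) < 4 or ip == net.broadcast_address:
            findings.append(f"{ip_name} {ip} is one of the addresses AWS reserves in every subnet")
        if ip in used:
            findings.append(f"{ip_name} duplicates {used[ip]}")
        used[ip] = ip_name
    findings += [f"{n} exceeds 15 characters" for n in NETBIOS if len(p.get(n, "")) > 15]
    for name in ("RestoreModePassword", "DomainAdminPassword"):
        findings += [f"{name}: {why}" for why in password_problems(p.get(name, ""))]
    if p.get("EncryptionKmsKey"):
        if not KMS_ARN.match(p["EncryptionKmsKey"]):
            findings.append("EncryptionKmsKey is not a KMS key ARN")
        if p.get("EncryptDataVolumes", "false") != "true":
            findings.append("EncryptionKmsKey is set but EncryptDataVolumes is false, so it is never used")
    if p.get("DeployLoadBalancer", "false") == "true" and not ACM_ARN.match(p.get("CertificateArn", "")):
        findings.append("DeployLoadBalancer is true but CertificateArn is missing or malformed")
    src = p.get("Exchange2019Source", "")
    if p.get("ExchangeServerVersion", "2016") == "2019" and not (src.startswith("https://") and len(src) > 8):
        findings.append("Exchange 2019 selected but Exchange2019Source is not a full https:// URL")
    azs = [a for a in p.get("AvailabilityZones", "").split(",") if a]
    if len(azs) != int(p.get("NumberOfAZs", 2)):
        findings.append("NumberOfAZs does not match the AvailabilityZones list")
    if p.get("ThirdAZ", "no") != "no" and len(azs) < 3:
        findings.append("ThirdAZ requires three Availability Zones")
    if "RDGWCIDR" in p and ipaddress.ip_network(p["RDGWCIDR"]).prefixlen == 0:
        findings.append("RDGWCIDR 0.0.0.0/0 exposes the Remote Desktop Gateways to the whole internet")
    return findings

# Documented Option 1 defaults; the "Requires input" values (AZs, RDGWCIDR, passwords) are constructed.
DEFAULTS = {
    "AvailabilityZones": "us-west-2a,us-west-2b", "NumberOfAZs": "2", "ThirdAZ": "no",
    "VPCCIDR": "10.0.0.0/16", "PrivateSubnet1CIDR": "10.0.0.0/19", "PrivateSubnet2CIDR": "10.0.32.0/19",
    "PrivateSubnet3CIDR": "10.0.64.0/19", "PublicSubnet1CIDR": "10.0.128.0/20",
    "PublicSubnet2CIDR": "10.0.144.0/20", "PublicSubnet3CIDR": "10.0.160.0/20",
    "DomainNetBIOSName": "example", "ADServer1NetBIOSName": "DC1", "ADServer2NetBIOSName": "DC2",
    "ADServer1PrivateIP": "10.0.0.10", "ADServer2PrivateIP": "10.0.32.10",
    "ExchangeNode1NetBIOSName": "ExchangeNode1", "ExchangeNode2NetBIOSName": "ExchangeNode2",
    "ExchangeNode3NetBIOSName": "ExchangeNode3", "FileServerNetBIOSName": "FileServer",
    "ExchangeNode1PrivateIP1": "10.0.0.100", "ExchangeNode1PrivateIP2": "10.0.0.101",
    "ExchangeNode2PrivateIP1": "10.0.32.100", "ExchangeNode2PrivateIP2": "10.0.32.101",
    "ExchangeNode3PrivateIP1": "10.0.64.100", "ExchangeNode3PrivateIP2": "10.0.64.101",
    "FileServerPrivateIP": "10.0.0.200", "RDGWCIDR": "203.0.113.0/24",
    "RestoreModePassword": "Restore-Pa55word", "DomainAdminPassword": "Admin-Pa55word",
}

if __name__ == "__main__":
    print(check_parameters(DEFAULTS) or "no findings")
```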

Step 3. (Optional) Create Database Copies

The Quick Start creates a database availability group (DAG) and adds the Exchange nodes to the DAG. As part of the Exchange installation, each Exchange node contains a mailbox database. The first node contains a database called DB1, and the second node contains a database called DB2.

As part of configuring high availability for the mailbox roles, you can add mailbox database copies on the other Exchange nodes. Alternatively, you can create entirely new databases and only then create additional copies.

To create a second copy for the initial databases, use the following commands:

Add-MailboxDatabaseCopy -Identity DB1 -MailboxServer ExchangeNode2 -ActivationPreference 2

Add-MailboxDatabaseCopy -Identity DB2 -MailboxServer ExchangeNode1 -ActivationPreference 2

Step 4. (Optional) Create a DNS Entry for the Load Balancer

1. If you chose the option to deploy a load balancer, the Application Load Balancer (ALB) will have an endpoint address such as [elb.amazonaws.com].


2. To use the load balancer with your Exchange namespace, create a CNAME record in Active Directory that points to the ALB.

3. Before proceeding, go to the Amazon EC2 console and, under Load balancer, select the load balancer that the Quick Start created.

4. Copy the value listed under the DNS name, as shown in Figure 7.

Figure 7: Creating a DNS entry for the load balancer

5. To create the DNS record, connect using Remote Desktop to one of the domain controllers using domain credentials, and open the DNS console by going to the Start menu and typing “DNS”.


6. In the DNS console, navigate to the Active Directory zone, right-click, and select New Alias (CNAME), as shown in Figure 8.

Figure 8: Selecting New Alias (CNAME)

7. Create the DNS entry (for example, “mail”) and, in Fully qualified domain name (FQDN) for target host, paste the value of the Application Load Balancer endpoint, as shown in Figure 9.


Figure 9: Creating the DNS entry (“mail”)

8. Verify that the DNS entry is resolved successfully by performing an nslookup. Go to Start and type “cmd”. In the command line window, type the following:

nslookup mail.example.com

where mail is the name of the CNAME record you created, and example.com is your Active Directory domain name.


9. Ensure that the record resolves to the load balancer DNS record, as shown in Figure 10.

Figure 10: Verifying the DNS record

Best Practices

The architecture built by this Quick Start supports AWS best practices for high availability and security.

High Availability and Disaster Recovery

Amaz Web Services placeholder removed


The Quick Start implementation supports the following scenarios:

– Protection from the failure of a single instance

– Automatic failover between the cluster nodes

– Automatic failover between Availability Zones

However, the Quick Start default implementation doesn’t provide automatic failover in every case. For example, the loss of Availability Zone 1, which contains the primary node and file share witness, would prevent automatic failover to Availability Zone 2. This is because the cluster would fail as it loses quorum. In this scenario, you could follow manual disaster recovery steps that include restarting the cluster service and forcing quorum on the second cluster node (e.g., ExchangeNode2) to restore application availability.

The Quick Start also provides an option to deploy into three Availability Zones. This deployment option can mitigate the loss of quorum in the case of a failure of a single node. However, you can select this option only in AWS Regions that include three or more Availability Zones; for a current list, see AWS Global Infrastructure.

We recommend that you consult the Microsoft Exchange Server documentation and customize some of the steps described in this guide or add ones (e.g., deploy additional cluster nodes and configure mailbox database copies) to deploy a solution that best meets your business, IT, and security requirements.

Security Groups and Firewalls

When the EC2 instances are launched, they must be associated with a security group, which acts as a stateful firewall. You have complete control over the network traffic entering or leaving the security group, and you can build granular rules that are scoped by protocol, port number, and source or destination IP address, subnet, or security group. By default, all traffic egressing a security group is permitted, and no ingress is permitted until you add rules that allow the appropriate traffic to reach your instances.

The Securing the Microsoft Platform on Amazon Web Services whitepaper discusses the different methods for securing your AWS infrastructure. Recommendations include providing isolation between application tiers using security groups. We recommend that you tightly control ingress traffic, so that you reduce the attack surface of your EC2 instances.

Domain controllers and member servers require several security group rules to allow traffic for services such as AD DS replication, user authentication, Windows Time service, and Distributed File System (DFS), among others. The nodes running Exchange Server permit full communication between each other, as recommended by Microsoft best practices. For more information, see Exchange, Firewalls, and Support.

Edge node servers (if configured to be deployed) allow port 25 TCP (SMTP) from the entire internet, because they are the deployment's internet-facing mail ingress; the Mailbox servers themselves are reached only through the load balancer and from the VPC CIDR.

The Quick Start creates certain security groups and rules for you. For a detailed list of port mappings, see the Security section of the Active Directory Domain Services Quick Start deployment guide, and the Security section of this guide.

Security

AWS provides a set of building blocks (for example, Amazon EC2 and Amazon VPC) that you can use to provision infrastructure for your applications. In this model, some security capabilities, such as physical security, are the responsibility of AWS and are highlighted in the AWS security whitepaper. Other areas, such as controlling access to applications, fall on the application developer and the tools provided in the Microsoft platform.

This Quick Start configures the following security groups for Exchange Server:

| Security group | Associated with | Inbound source | Ports |
|---|---|---|---|
| DomainMemberSGID | Exchange nodes, FileServer, RD Gateway, Domain controllers | VPC CIDR | Standard AD ports |
| EXCHClientSecurityGroup | Exchange nodes, FileServer | VPC CIDR | 25, 80, 443, 143, 993, 110, 995, 587 |
| ExchangeSecurityGroup | Exchange nodes | ExchangeSecurityGroup | All ports |
| EXCHEdgeSecurityGroup | Edge nodes | Private subnets CIDR (port 50636); 0.0.0.0/0 (port 25) | 50636, 25 |
| LoadBalancerSecurityGroup | Load balancer | 0.0.0.0/0 | 0.0.0.0/0 |
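An added PowerShell check that is not part of the Quick Start or its templates: it walks a VPC's security groups and flags every inbound rule open to 0.0.0.0/0 that the table above does not account for (the Edge group's SMTP and the load balancer group are the documented exceptions). For a live run it relies on the AWS Tools for PowerShell cmdlet Get-EC2SecurityGroup; the sample groups in the block are constructed to mimic that cmdlet's output, with a deliberately planted RDP rule, so the function can be exercised offline.

```powershell
# Added example, not part of the Quick Start: audit a VPC's security groups for
# internet-reachable ingress and compare it with what this guide documents. The
# only inbound rules that should accept 0.0.0.0/0 are SMTP (25/tcp) on the Edge
# group and the load balancer group; anything else from the internet is drift.
# Live runs need the AWS Tools for PowerShell (AWS.Tools.EC2). $SampleGroups below
# is constructed data shaped like Get-EC2SecurityGroup output so the check can be
# exercised offline; its RDP rule is a deliberately planted misconfiguration.

$Internet = '0.0.0.0/0'

# Allow-list taken from the table above: group name -> TCP ports that may face the internet.
$DocumentedInternetIngress = @{
    'EXCHEdgeSecurityGroup'     = @('25')   # Edge Transport accepts mail from the internet
    'LoadBalancerSecurityGroup' = @('*')    # documented as open to 0.0.0.0/0; scope it to 443 yourself
}

function Test-InternetIngress {
    # Emits one finding per inbound rule whose source is 0.0.0.0/0.
    param([Parameter(Mandatory)] [object[]] $SecurityGroups)

    foreach ($sg in $SecurityGroups) {
        foreach ($perm in $sg.IpPermissions) {
            $worldOpen = @($perm.Ipv4Ranges | Where-Object { $_.CidrIp -eq $Internet })
            if ($worldOpen.Count -eq 0) { continue }

            # Normalise the port range to a string: "25", "1024-65535", or "*" for all protocols.
            $ports = "$($perm.FromPort)-$($perm.ToPort)"
            if ($perm.FromPort -eq $perm.ToPort) { $ports = "$($perm.FromPort)" }
            if ($perm.IpProtocol -eq '-1')       { $ports = '*' }

            $allowed    = $DocumentedInternetIngress[$sg.GroupName]
            $documented = $false
            if ($allowed) {
                $documented = ($allowed -contains '*') -or ($perm.IpProtocol -eq 'tcp' -and $allowed -contains $ports)
            }
            $verdict = 'UNEXPECTED'
            if ($documented) { $verdict = 'documented' }

            [pscustomobject]@{
                Group    = $sg.GroupName
                Protocol = $perm.IpProtocol
                Ports    = $ports
                Verdict  = $verdict
            }
        }
    }
}

# Constructed sample shaped like Get-EC2SecurityGroup output (offline test data, not a real account).
$SampleGroups = @(
    [pscustomobject]@{ GroupName = 'EXCHEdgeSecurityGroup'; IpPermissions = @(
        [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 25;    ToPort = 25;    Ipv4Ranges = @([pscustomobject]@{ CidrIp = '0.0.0.0/0' }) },
        [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 50636; ToPort = 50636; Ipv4Ranges = @([pscustomobject]@{ CidrIp = '10.0.0.0/19' }) }
    ) },
    [pscustomobject]@{ GroupName = 'EXCHClientSecurityGroup'; IpPermissions = @(
        [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 443;  ToPort = 443;  Ipv4Ranges = @([pscustomobject]@{ CidrIp = '10.0.0.0/16' }) },
        # planted drift: RDP opened to the world on a group attached to the Exchange nodes
        [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 3389; ToPort = 3389; Ipv4Ranges = @([pscustomobject]@{ CidrIp = '0.0.0.0/0' }) }
    ) },
    [pscustomobject]@{ GroupName = 'ExchangeSecurityGroup'; IpPermissions = @(
        # self-referencing rule: the source is the group itself, not a CIDR
        [pscustomobject]@{ IpProtocol = '-1'; FromPort = -1; ToPort = -1; Ipv4Ranges = @(); UserIdGroupPairs = @([pscustomobject]@{ GroupId = 'sg-self' }) }
    ) }
)

Test-InternetIngress -SecurityGroups $SampleGroups | Format-Table -AutoSize

# Live run against the Quick Start VPC (replace $VpcId with your VPC ID):
#   Test-InternetIngress -SecurityGroups (Get-EC2SecurityGroup -Filter @{ Name = 'vpc-id'; Values = $VpcId })
```

Against the sample data the Edge group's port 25 is reported as documented and the client group's 3389 as UNEXPECTED, while the self-referencing ExchangeSecurityGroup yields no finding because its only rule has no CIDR source. Running the live form on a schedule catches rules that were added "temporarily" during troubleshooting and never removed.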

Troubleshooting

Q. I encountered a CREATE_FAILED error when I launched the Quick Start. What should I do?

A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the template with Rollback on failure set to No. (This setting is under Advanced in the AWS CloudFormation console, Options page.) With this setting, the stack's state will be retained and the instance will be left running, so you can troubleshoot the issue. (You'll want to look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)

Important: When you set Rollback on failure to No, you will continue to incur AWS charges for this stack. Please make sure to delete the stack when you've finished troubleshooting.

The following table lists specific CREATE_FAILED error messages you might encounter.

| Error message | Possible cause | What to do |
|---|---|---|
| We currently do not have sufficient r5.xlarge capacity in the AZ you requested | Insufficient instance capacity | If you get an InsufficientInstanceCapacity error (ICE), AWS might not have enough on-demand capacity for the selected instance type. Switch to a different instance type (such as m5.xlarge, r4.xlarge), use different Availability Zones if possible, or retry in a few minutes. |
| Instance ID did not stabilize | You have exceeded your IOPS for the Region | Request a quota increase by completing the request form in the Service Quotas console. |
| System Administrator password must contain at least 8 characters | The master password contains $ or other special characters | Change the master password (DomainAdminPassword parameter in the template), and then relaunch the Quick Start. The password must be at least 8 characters, consisting of uppercase and lowercase letters and numbers. Avoid using special characters such as @ or $. |

For additional information, see Troubleshooting AWS CloudFormation on the AWS website.

Q. I encountered a size limitation error when I deployed the AWS CloudFormation templates.

A. We recommend that you launch the Quick Start templates from the location we've provided or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a non-S3 location, you might encounter template size limitations when you create the stack. For more information about AWS CloudFormation quotas, see the AWS documentation.

GitHub Repository

You can visit our GitHub repository to download the templates, scripts, and documentation files for this Quick Start, to provide feedback including documentation feedback, and to share your customizations with others.


Additional Resources

AWS services

AWS CloudFormation

https://docs.aws.amazon.com/cloudformation/index.html

Amazon EBS

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html

Amazon EC2

https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/concepts.html

Amazon VPC

https://docs.aws.amazon.com/vpc/index.html

Microsoft Exchange Server documentation

Exchange Server (2016 and 2019)

https://docs.microsoft.com/en-us/Exchange/exchange-server?view=exchserver-2019

Database availability groups (DAGs)

https://docs.microsoft.com/en-us/Exchange/high-availability/database-availability-groups/database-availability-groups?view=exchserver-2019

Deploying Microsoft software on AWS

Windows Server on AWS

https://aws.amazon.com/windows/

Secure the Microsoft platform on AWS

https://d1.awsstatic.com/whitepapers/aws-microsoft-platform-security.pdf

Microsoft License Mobility

https://aws.amazon.com/windows/resources/licensemobility/

MSDN on AWS

https://aws.amazon.com/windows/resources/msdn/

AWS Windows and .NET Developer Center

https://aws.amazon.com/developer/language/net/

Quick Start reference deployments

AWS Quick Start home page

https://aws.amazon.com/quickstart/


Microsoft Active Directory Domain Services on the AWS Cloud

https://docs.aws.amazon.com/quickstart/latest/active-directory-ds/welcome.html

Microsoft Remote Desktop Gateway on the AWS Cloud

https://docs.aws.amazon.com/quickstart/latest/rd-gateway/welcome.html

Microsoft SharePoint on the AWS Cloud

https://docs.aws.amazon.com/quickstart/latest/sharepoint/welcome.html

Document Revisions

| Date | Change | In sections |
|---|---|---|
| January 2020 | Added support for Exchange Server 2019 and removed support for Exchange Server 2013. Removed support for BYOL due to Microsoft licensing changes. | Throughout document; template updates |
| September 2019 | Updated storage section and references to other Microsoft Quick Starts | Throughout document |
| October 2018 | Added support for Exchange Server 2016; added Exchange Edge Transport nodes. | Throughout document; architecture diagram and template updates |
| March 2018 | Updated Active Directory to use the Windows Server 2016 AMI; updated template parameters. | Template updates |
| September 2015 | In the sample templates, changed the default type for Active Directory and RD Gateway instances from m3.xlarge to m4.xlarge for better performance and price. | Template updates |
| August 2015 | Updated DAG guidance and deployment scenarios. | Deployment Options |
| March 2015 | Optimized the underlying Amazon VPC design to support expansion and to reduce complexity. | Architecture diagram and template updates |
| January 2015 | Initial publication | — |


© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Notices

This document is provided for informational purposes only. It represents AWS's current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS's products or services, each of which is provided "as is" without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the "license" file accompanying this file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.