© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Wayne Saxe. Ron Sunarno, Siva Padisetty

November 29, 2016

Managing and Supporting the

Windows Platform on AWS

SI Technical Track: GPSSI401

Why Are We Here?

The Challenge

Windows workloads consist of more than application

servers and solution stacks. As a consulting partner you

are responsible for the wider implications: how to support

them, manage access and deploy at scale.

Why Are We Here?

The Solution

A consistent standardized set of tools and patterns flexible

enough to fit most use cases and easily deployed. Tools

that support infrastructure managers, identity for operating

system and application owners, and developers.

Solution Stack 1:

Infrastructure Managers

Landing Zone for Windows Environments

• Based on a multi-VPC architecture

• A place to house common services

• Monitoring

• Logging

• Remote administration

Remote Desktop Gateways

Shared Services VPC

Availability Zone

Availability Zone

RDGW

RDGW Availability Zone

Admins

Web DB

Remote Desktop

Gateway

Admins

Remote Desktop

Gateway

1. Configure how

access is granted

to the RDGW

Infrastructure

2. Filter access based

on user and

computer

authorization

3. Allow tunneling all

the way through

Amazon EC2 Simple Systems Manager

• Remotely manage the configuration of your Windows

instances

• SSM is a combination of

• EC2 Config – lightweight instance configuration solution

installed as a Windows service

• EC2 Run Command – on-demand solution

• SSM documents runs with privileged credentials –

control access

User Role

Instance Role

Service Role

Centralized Logging with Amazon CloudWatch

Availability Zone

Web DB

Web

DBec2Messages.*

AWS IAM

• Windows security logs

• Performance counters like

.NET CLR, ASP.NET

applications, memory

• Windows application event

logs

• Windows system event logs

• Event tracing for windows

• Custom logs

EC2 SSM Integrates Amazon CloudWatch

Amazon S3

bucket

Centralized Logging with Amazon CloudWatch

{ "Id": "IISLogs",

"FullName":

"AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",

"Parameters": {

"LogDirectoryPath": "C:\\inetpub\\logs\\LogFiles\\W3SVC1",

"TimestampFormat": "yyyy-MM-dd HH:mm:ss",

"Encoding": "UTF-8",

"Filter": "",

"CultureName": "en-US",

"TimeZoneKind": "UTC",

"LineCount": "5" } },

Windows Security logs

{ "Id": "SecurityEventLog",

"FullName":

“AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",

"Parameters": { "LogName": "Security",

"Levels": "7" } },

1 = Errors

2 = Warnings

4 = Information

IIS Logs

Managing Systems with PowerShell via

EC2 Run Command

SSM Service EC2 Messaging

Service

SSM EC2 AgentAdmins

User Role Instance Role

$domainJoinCommand=Send-SSMCommand -InstanceId Instance-ID -DocumentName AWS-

JoinDirectoryServiceDomain -Parameter @{'directoryId'='d-9067386b64'; 'directoryName'='ssm.test.amazon.com';

'dnsIpAddresses'=@('172.31.38.48', '172.31.55.243')} -OutputS3BucketName demo-ssm-output-bucket

Join an instance to AD

AWS IAMAWS IAM

Solution Stack 2:

Identity for Operating System

and Application Owners

Identity Management

Identity and Authorization Realms

AWS Infrastructure

Operating System

Applications

AWS Endpoints

Component

Application

AWS IAM

Active Directory

F

e

d

e

r

a

t

i

o

n

Accessed Via Authorized ByAsset

Authorization Scenarios

AWS Use Case

The deployment of

the Shared

Services VPC

Commands to AWS

endpoints are

authenticated

AD Use Case

The manual

installation of a

SharePoint farm

OS and Application

Authorization is

granted via

Kerberos

Combined Use Case

The use of S3 for

SharePoint Blob

storage

AWS endpoints for

console and AD for

authentication

Active Directory Federation Console Access

Client

Directory

Identity

Provider

(1) Browse to the Identity

Provider

(5) AssumeRoleWithSAML

(3) SAML Token

(8) Redirect

(6) Credentials

Active Directory Deployment and Design

AD Site Design Implications

Shared Services VPC

Availability Zone

Availability Zone

Microsoft

AD DC DC

Microsoft

AD DC DC

DC

Availability Zone

Microsoft

AD DC DCDC

Availability Zone

Microsoft

AD DC DCDC

Intra-site replication

Intra-site replication

• AD Sites look a lot like AZs

• The client lookup process

is AD dependent but

impacts your availability

strategy AND your VPC

design

Multi-Region Deployment Model

Shared Services VPC

Availability Zone

Availability Zone

Microsoft

AD DC DC

Microsoft

AD DC DC

DC

Availability Zone

Microsoft

AD DC DCDC

Availability Zone

Microsoft

AD DC DCDC

Intra-site replication

Intra-site replication

• Consider the placement of

Global Catalog Servers.

Lookups can take a long

time globally.

• Cross-region data transfer

requires specific design for

AD Replication Traffic

• A multi-domain forest

model makes sense Region 1Region 3

Region 2

Availability Zone

Private SubnetPublic Subnet

NAT

10.0.0.0/24 10.0.2.0/24

DBAPPWEB

SQL

ServerApp

Server

IIS

Server

Availability Zone

Private SubnetPublic Subnet

NAT

10.0.1.0/24 10.0.3.0/24

DBAPPWEB

SQL

ServerApp

Server

IIS

Server

Admins

Self-managed,

replicated DCs on

EC2

Domain

Controllers

DC

Shared Services VPC

DC

Domain

Controller

DC

Domain

ControllerAD Client Communication

DC Replication

Application Traffic

AWS Microsoft AD

Shared Services VPC

Availability Zone

Availability Zone

Microsoft

AD DC DC

Microsoft

AD DC DC

Availability Zone

Private SubnetPublic Subnet

NAT

10.0.0.0/24 10.0.2.0/24

APPWEB

App

Server

IIS

Server

Availability Zone

Private SubnetPublic Subnet

NAT

10.0.1.0/24 10.0.3.0/24

APPWEB

App

Server

IIS

Server

DBRDS

SQL

Server

AWS Managed Services

DBRDS

SQL

Server

AWS Managed Services

Remote

Users / Admins

AWS Microsoft AD

Shared Services VPC

Availability Zone

Availability Zone

Microsoft

AD DC DC

Microsoft

AD DC DC

Availability Zone

Private SubnetPublic Subnet

NAT

10.0.0.0/24 10.0.2.0/24

APPWEB

App

Server

IIS

Server

Availability Zone

Private SubnetPublic Subnet

NAT

10.0.1.0/24 10.0.3.0/24

APPWEB

App

Server

IIS

Server

DBRDS

SQL

Server

AWS Managed Services

DBRDS

SQL

Server

AWS Managed Services

Remote

Users / Admins

Trusts

DCMicrosoft

AD DC

DC Microsoft

AD DC

AWS Microsoft AD

Shared Services VPC

Availability Zone

Availability Zone

Microsoft

AD DC DC

Microsoft

AD DC DC

Availability Zone

Private SubnetPublic Subnet

NAT

10.0.0.0/24 10.0.2.0/24

APPWEB

App

Server

IIS

Server

Availability Zone

Private SubnetPublic Subnet

10.0.1.0/24 10.0.3.0/24

APPWEB

App

Server

IIS

Server

DBRDS

SQL

Server

AWS Managed Services

DBRDS

SQL

Server

AWS Managed Services

Remote

Users / Admins

Auth

NAT

AD Connector

• AD Proxy for WorkSpace, WorkDocs, WorkMail• Authentication and LDAP forwarded to on-premises AD

• Applications can look up users and groups

• Users authenticate using existing corporate credentials

• Supports EC2 Seamless Domain Join• EC2 discovers domain name from AD Connector

• EC2 bypasses AD Connector for everything else

Proxy solution to use AD accounts with AWS Enterprise Applications

Solution Stack 3:

Developers

AWS CloudFormation for WindowsSpinning up Windows stacks is fast if we do it efficiently

Availability Zone

DB

Public

SubnetPrivate

Subnet

DC

RDGW

NAT

Gateway

Internet

gateway

Without user-defined order, this may never deploy

Using DependsOn fixes this problem but can be

slow – its too blunt of a tool

cfn-signal and a PowerShell loop give us the

fine-grained control we need

"'\n$output = (Get-CFNStackResources -StackName $stack -LogicalResourceId $resource -Region $region)\n", "while

(($output -eq $null) -or ($output.ResourceStatus -ne 'CREATE_COMPLETE') -and ($output.ResourceStatus -ne

'UPDATE_COMPLETE')) {\n", " Start-Sleep 5\n", " $output = (Get-CFNStackResources -StackName $stack -

LogicalResourceId $resource -Region $region)\n", "}\n",

Network DC DB RDGW

Network DC DB RDGW

Network

DC

DB

RDGW

MS Visual Studio Integration

with AWS Elastic Beanstalk

Demo

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Register for a Bootcamp

Get in-depth knowledge and

training from AWS Instructors and

Solutions Architects.

reinvent.awsevents.com/training

#AWSTraining

Get AWS Certified Onsite

Demonstrate your technical

proficiency and receive special

recognition onsite. Register today.

reinvent.awsevents.com/certification

#AWSCertified

Take Hands-on Labs

Practice with AWS in a live

environment. Choose from 100+

lab topics and attend a Spotlight

Lab session.

Free Onsite

Thank you!

Remember to complete

your evaluations!