Best Practices for Deploying Microsoft Workloads on AWS
Julien Lépine, Solutions Architect, AWS EMEA
June 16th, 2016
Main Identity Topics
• Infrastructure Identity Management: AWS Identity and Access Management
• Server / Application Identity Management: AWS Directory Services (Samba or Active Directory)
• Federation: AWS Security Token Service
AWS Identity and Access Management (IAM)
• Role Based Access Control
• Multi-Factor Authentication
• Integrated with all AWS Services
• IAM Roles
Isolated domains
[Diagram: the corporate network (company.local, DC1 in Tel Aviv, DC2 in Jerusalem) is connected over Direct Connect to a VPC in which AWS Directory Services hosts a separate company.cloud domain (DC3 in the Availability Zone A private subnet, DC4 in the Availability Zone B private subnet); the two directories are linked by federation / synchronization.]
Separate identities with synchronization / Federation
Use partners such as Okta
Single domain extended to multiple sites
[Diagram: one company.local domain spans the corporate network (DC1 in Tel Aviv, DC2 in Jerusalem) and the VPC (DC3 in the Availability Zone A private subnet, DC4 in the Availability Zone B private subnet) over Direct Connect; Active Directory site link costs of 50 and 10 are shown on the links.]
One single identity, data center extension mode
(Rely on Active Directory Sites, Read-Only or not)
One sub domain per site
[Diagram: the corporate network (company.local, DC1 in Tel Aviv, DC2 in Jerusalem) is connected over Direct Connect to a VPC hosting the child domain cloud.company.local (DC3 in the Availability Zone A private subnet, DC4 in the Availability Zone B private subnet).]
Isolated subset of the directory, single identity for users
(Active Directory Domains in a Single Forest)
One forest per site and trust
[Diagram: the corporate forest company.local (DC1 in Tel Aviv, DC2 in Jerusalem) is connected over Direct Connect to a VPC in which AWS Directory Services hosts a separate forest company.cloud (DC3 in the Availability Zone A private subnet, DC4 in the Availability Zone B private subnet); the two forests are joined by a trust.]
Separate directories, single identity
(Cross-Forest / Resource Forest with trust)
User Identity Federation with Amazon IAM
[Diagram: Active Directory users, enterprise applications and corporate systems federate into Amazon Identity & Access Management and assume IAM Roles that grant access to Amazon EC2, Amazon DynamoDB and Amazon S3.]
Federated API and CLI access using ADFS
• ADFS http://tinyurl.com/AWS-ADFS-SAML
• CLI http://tinyurl.com/AWS-ADFS-CLI
• AWS Tools for Windows PowerShell
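The IAM side of the ADFS federation described above, written here as an added example in AWS Tools for Windows PowerShell (not code from the deck or the linked guides): it registers the ADFS federation metadata as a SAML provider and creates a role whose trust policy only accepts assertions from that provider. The metadata path, provider name and role name are placeholders you choose.

```powershell
# Added example, not from the deck: ADFS becomes an IAM SAML provider and a role is created
# that can only be entered through sts:AssumeRoleWithSAML from that provider.
# Assumptions: federation metadata already exported from ADFS to $MetadataPath;
# $ProviderName and $RoleName are placeholders.
param(
    [string]$MetadataPath = "C:\temp\FederationMetadata.xml",
    [string]$ProviderName = "ADFS",
    [string]$RoleName     = "ADFS-ReadOnly"
)

$metadata    = Get-Content -Path $MetadataPath -Raw
$providerArn = New-IAMSAMLProvider -Name $ProviderName -SAMLMetadataDocument $metadata

# Trust policy: only assertions issued by this provider for the AWS sign-in audience may
# assume the role; any other principal (including IAM users in the account) is refused.
$trustPolicy = @"
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "$providerArn" },
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": { "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" } }
  }]
}
"@

$role = New-IAMRole -RoleName $RoleName -AssumeRolePolicyDocument $trustPolicy -MaxSessionDuration 3600

# Least privilege: start from the AWS-managed read-only policy and scope down per workload.
Register-IAMRolePolicy -RoleName $RoleName -PolicyArn "arn:aws:iam::aws:policy/ReadOnlyAccess"

# The ADFS "Role" claim must carry "<provider ARN>,<role ARN>" for users allowed into this
# role; emit the exact value so it can be pasted into the claim rule.
"$providerArn,$($role.Arn)"
```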
SQL Server High Availability
[Diagram: an availability group with a primary replica in the Availability Zone 1 private subnet (Primary 10.0.2.100, WSFC 10.0.2.101, AG Listener 10.0.2.102) and a secondary replica in the Availability Zone 2 private subnet (Primary 10.0.3.100, WSFC 10.0.3.101, AG Listener 10.0.3.102); synchronous-commit between the replicas with automatic failover; clients connect through the AG listener ag.awslabs.net.]
WSFC Quorum
[Diagram: primary replica in Availability Zone 1 and secondary replica in Availability Zone 2 with automatic failover; quorum backed by SoftNAS / SIOS storage.]
[Diagram: the same two replicas with automatic failover and a separate Witness Server in Availability Zone 3 providing quorum.]
SQL Server HA with Readable Replica
[Diagram: primary replica in the Availability Zone 1 private subnet and secondary replica 1 in the Availability Zone 2 private subnet, synchronous-commit with automatic failover behind the AG listener ag.awslabs.net; a further secondary replica 2 receives asynchronous-commit, is readable, and serves a reporting application.]
SQL Server Disaster Recovery & Backup
[Diagram: primary replica in the Availability Zone 1 private subnet and secondary replica 1 in the Availability Zone 2 private subnet with automatic failover behind the AG listener ag.awslabs.net; a readable secondary replica 2 in the corporate network, reached over VPN, serves a reporting application, is the source for backups, and is used for manual failover.]
Amazon RDS for SQL Server
■ AD Integrated
■ Automated failover
■ Automated patching
■ Automated backup
■ Point-in-time recovery
All-in-one
[Diagram: a VPC (CIDR 10.0.0.0/16) across two Availability Zones, connected to the on-premises datacenter by VPN / Direct Connect and reached by remote users / admins through an RD Gateway (RDG) in each zone; the public subnets 10.0.32.0/20 and 10.0.96.0/20 also hold the NAT instances. The Availability Zone 1 private subnets (10.0.0.0/19) host DC1 (Active Directory, 10.0.0.10), DB1 (SQL Server, 10.0.0.100 to 10.0.0.102), SP1 (SharePoint Server, 10.0.0.140), Exch1 (Exchange Server, 10.0.0.150) and FE1 (Lync Server, 10.0.0.160). The Availability Zone 2 private subnets (10.0.64.0/19) mirror this with DC2 (10.0.64.10), DB2 (10.0.64.100 to 10.0.64.102), SP2 (10.0.64.140), Exch2 (10.0.64.150) and FE2 (10.0.64.160).]
Going beyond infrastructure
SharePoint BLOB storage on S3
Export mails to Amazon S3
AWS Marketplace
• On-Demand, License Included or BYOL SharePoint
• http://tinyurl.com/AWS-SPS-MP
Quick Starts
• http://tinyurl.com/AWS-MS-QS
AWS SDK and Tools for .NET Architecture
[Diagram of the SDK layers, bottom to top:]
• Execution platform: .NET 3.5, .NET 4.5, Phone, Store
• AWS endpoints: REST API
• AWS SDK, low-level service APIs: service clients
• AWS SDK, higher-level utility APIs: Amazon S3 TransferUtility, Amazon DynamoDB object persistence, VM Import, Resource API, ASP.NET session provider, trace listener
• AWS tools: AWS Tools for Windows PowerShell, AWS Toolkit for Visual Studio
Blob storage in Amazon S3
using System.IO;

var bucketName = "<BucketName>";
var fileName = "<FileName>";
var s3Client = new Amazon.S3.AmazonS3Client();
// Write Data to Amazon S3 (fileStream was undefined on the slide; open the local file to upload)
using (var fileStream = File.OpenRead("<LocalPath>"))
{
    s3Client.PutObject(new Amazon.S3.Model.PutObjectRequest {
        BucketName = bucketName,
        Key = fileName,
        InputStream = fileStream
    });
}
// Read Data from Amazon S3; dispose the response so the HTTP connection is released
using (var s3Object = s3Client.GetObject(bucketName, fileName))
using (var reader = new StreamReader(s3Object.ResponseStream))
{
    var content = reader.ReadToEnd();
}
Loose Coupling Sets You Free
var queueUrl = "https://sqs.<region>.amazonaws.com/<AcctNum>/<QueueName>";
var sqsClient = new Amazon.SQS.AmazonSQSClient();
// Send to Amazon SQS
sqsClient.SendMessage(queueUrl, "My Message Data");
// Process Amazon SQS (exit was undefined on the slide; set it to stop the worker loop)
var exit = false;
while (!exit) {
    // Long polling (WaitTimeSeconds) avoids a busy loop of empty receives
    var messages = sqsClient.ReceiveMessage(new Amazon.SQS.Model.ReceiveMessageRequest {
        QueueUrl = queueUrl,
        MaxNumberOfMessages = 10,
        WaitTimeSeconds = 20
    });
    foreach (var message in messages.Messages) {
        // Process message, then delete it so it is not redelivered after the visibility timeout
        Console.WriteLine(message.Body);
        sqsClient.DeleteMessage(queueUrl, message.ReceiptHandle);
    }
}
AWS Also Provides Extended Support
AWS Elastic Beanstalk
• Deploy from within Visual Studio / Automatic Log Rotation to Amazon S3
AWS CodeCommit / CodePipeline / CodeDeploy
• Manage a large (on-premises and cloud-based) fleet
.NET SDK and PowerShell CmdLets
• Integration in custom build pipelines in TFS or CruiseControl.NET
AWS is the de-facto standard
• Jenkins, Bamboo have native integration to AWS
• Other IDE Support AWS (Unity, Xamarin Studio, Eclipse…)
Secure remote administration architecture
[Diagram: within one Availability Zone, an RD Gateway (RDGW) in a public subnet behind a Gateway Security Group that accepts TCP port 443 from the Admin IP only; web servers WEB1 and WEB2 in a private subnet behind a Web Security Group that accepts traffic only from the Gateway SG; the AWS administrator connects from the corporate data center over TCP 443.]
Requires one connection:
• Connect to the RD Gateway, and the gateway proxies the RDP or PowerShell connection to the back-end instance.
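The two security groups from the diagram, built with AWS Tools for Windows PowerShell as an added example (not code from the deck): the VPC id and admin CIDR are supplied by the caller, and the back-end ports 3389 (RDP) and 5986 (PowerShell remoting over HTTPS) are assumptions standing in for the slide's "RDP or PowerShell".

```powershell
# Added example, not from the deck: the gateway / web security-group pair from the diagram.
# Assumptions: $VpcId and $AdminCidr come from the caller; back-end ports 3389 (RDP) and
# 5986 (WinRM over HTTPS) stand in for the slide's "RDP or PowerShell".
param(
    [Parameter(Mandatory)][string]$VpcId,
    [Parameter(Mandatory)][string]$AdminCidr   # e.g. "203.0.113.10/32" (documentation range)
)

# 1. Gateway SG: the only ingress is TCP 443 from the administrator's address.
$gwSg = New-EC2SecurityGroup -VpcId $VpcId -GroupName "rdgw-gateway-sg" `
            -Description "RD Gateway: HTTPS from admin IP only"
Grant-EC2SecurityGroupIngress -GroupId $gwSg -IpPermission @(
    @{ IpProtocol = "tcp"; FromPort = 443; ToPort = 443; IpRanges = $AdminCidr }
)

# 2. Web SG: admin protocols are accepted only from members of the gateway SG.
#    Referencing the SG instead of a CIDR means no public or corporate address can reach
#    RDP/WinRM on the back end directly, even where a route to the private subnet exists.
$webSg = New-EC2SecurityGroup -VpcId $VpcId -GroupName "web-backend-sg" `
             -Description "Back-end instances: RDP/WinRM from gateway SG only"
$fromGateway = New-Object Amazon.EC2.Model.UserIdGroupPair
$fromGateway.GroupId = $gwSg
Grant-EC2SecurityGroupIngress -GroupId $webSg -IpPermission @(
    @{ IpProtocol = "tcp"; FromPort = 3389; ToPort = 3389; UserIdGroupPairs = $fromGateway },
    @{ IpProtocol = "tcp"; FromPort = 5986; ToPort = 5986; UserIdGroupPairs = $fromGateway }
)

# 3. Verify: print every ingress rule of both groups so a reviewer can confirm nothing
#    wider than the two intended sources slipped in.
Get-EC2SecurityGroup -GroupId $gwSg, $webSg | ForEach-Object {
    foreach ($p in $_.IpPermissions) {
        $sources = @($p.Ipv4Ranges.CidrIp) + @($p.UserIdGroupPairs.GroupId) | Where-Object { $_ }
        "{0}: tcp/{1} from {2}" -f $_.GroupName, $p.FromPort, ($sources -join ", ")
    }
}
```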
One step further: Go DevOps
• AWS Tools for Windows PowerShell
• Leverage AWS Simple Systems Manager
• Auto-Domain Join
• No machine access
• Full traceability
• Fine-grained control
• http://tinyurl.com/AWS-SSM-Home
Automated Log Management
[Diagram: a log pipeline built from Amazon EC2, Amazon CloudWatch Logs, Amazon Kinesis, AWS Lambda, Amazon Elasticsearch Service and Amazon S3.]
Automation for every use case
[Diagram: IaaS* (Amazon EC2, AWS CloudFormation), PaaS* (AWS OpsWorks, AWS Elastic Beanstalk) and DevOps automation* (AWS Lambda).]
* Definition may vary
License Mobility through Software Assurance
License Mobility is a Microsoft Program that allows customers to move their existing license from on premises to the cloud
• Leverage their Enterprise Agreement
• Must have Software Assurance
Microsoft Workloads on AWS
Pay-as-you-go – AMI pricing provides access to software
• Windows Server
• SQL Server Standard
• SQL Server Web
• SQL Server Enterprise
Leverage Microsoft's License Mobility Program (BYOL)
• SQL Server
• SharePoint Server
• Exchange
• Lync
• RDS
• Dynamics
Leverage Dedicated Hosts
• Windows Server
• SQL Server – no SA
• SharePoint – no SA
• Exchange – no SA
• Lync – no SA
• Dynamics – no SA
Licensing Continuum
License Included
• Amazon manages the licenses
• Pay-as-you-go pricing
• Multi-tenant or dedicated
• No license management overhead
Hybrid
• Baseline in BYOL
• Leverage scalability and pay-as-you-go where applicable
• Limit management overhead
BYOL
• Import and use your own software
• Reduce your spend if you already pay an ISV for licensing
• You manage licensing costs and compliance with your ISV
• Committed contracts with your ISVs
Supportability on AWS
Microsoft workloads are supported on AWS. Amazon Web Services fully supports Microsoft Windows Server as both infrastructure and a platform. Our customers have successfully deployed in the AWS cloud virtually every Microsoft application available, including Microsoft Exchange, SharePoint, Lync, Dynamics, and Remote Desktop Services.
If you have support related issues you should contact AWS Support.
Every imaginable use case
• Collaboration
• Full/Partial Franchise Migration
• Web / Mobile / Media
• ERP
• VDI
• BI
AWS Training and Certification
Certification (aws.amazon.com/certification): Demonstrate your skills, knowledge, and expertise with the AWS platform
Self-Paced Labs (aws.amazon.com/training/self-paced-labs): Try products, gain new skills, and get hands-on practice working with AWS technologies
Training (aws.amazon.com/training): Skill up and gain confidence to design, develop, deploy and manage your applications on AWS