Migration of Microsoft Workloads
TRANSCRIPT
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Wayne Saxe, AWS Ecosystem Solutions Architect
29 July 2015
AWS Summit Chicago
Agenda
• Architecture Overview
• Design and Deployment of Infrastructure Services
• Instance Migration and Upgrade
• Management and Maintenance
Architecture Best Practices
• Design for failure and nothing fails
• Loose coupling sets you free
• Implement elasticity
• Build security in every layer
• Leverage different storage options
Design Considerations
• Your VPC is your home: transition from a subnet-based design to Security Groups and NACLs
• The principles of security don't change much
• Remember, you're always working remote
[Diagram: example VPC. One Availability Zone with a private subnet (10.0.0.0/24) and a public subnet (10.0.2.0/24) containing a Domain Controller (DC), SQL Server (DB), App Server (APP), IIS Server (WEB), a NAT instance and a Remote Desktop Gateway (RDGW). The same layout is shown for a second Availability Zone. Remote users and admins connect through the RDGW.]
Your VPC Is Your Home
The principles of security don't change much:
• Role-based access control and least privilege apply
• Use Security Groups
[Diagram: Security Groups within one Availability Zone. The Web Security Group (public subnet, 10.0.0.0/24) accepts TCP port 80 from the Internet; the SQL Security Group (private subnet, 10.0.1.0/24) accepts TCP port 1433 only from the Web Security Group. Traffic flows User → WEB (TCP 80) → SQL (TCP 1433).]
Remember, You're Always Working Remote
• Clients can use the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection
• Bastion hosts can run Windows PowerShell Web Access for remote command-line administration
• Deploying a bastion host in each Availability Zone can provide highly available and secure remote access over the Internet
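The security-group layering from the two previous slides (web tier open on 80, SQL tier reachable only from the web group, RD Gateway reachable only on 443 from an admin range), written out with the AWS Tools for PowerShell. This is an added example, not code from the deck; the VPC ID and the admin CIDR are assumptions, the ports and subnets follow the diagrams.

```powershell
# Added example (not from the original deck): the slide's security-group design
# built with the AWS Tools for PowerShell. VPC ID and admin CIDR are assumed.
Import-Module AWSPowerShell

$vpcId     = 'vpc-00000000'      # assumption: your VPC
$adminCidr = '203.0.113.0/24'    # constructed: corporate egress range allowed to reach the RDGW

function New-IngressRule {
    # Builds one TCP IpPermission from either a CIDR or another security group.
    # IpRanges (a string list) is the 2015-era property; newer module versions
    # also offer Ipv4Ranges, but this form still works.
    param([int]$Port, [string]$Cidr, [string]$SourceGroupId)
    $perm = New-Object Amazon.EC2.Model.IpPermission
    $perm.IpProtocol = 'tcp'
    $perm.FromPort   = $Port
    $perm.ToPort     = $Port
    if ($Cidr) { $perm.IpRanges.Add($Cidr) }
    if ($SourceGroupId) {
        $pair = New-Object Amazon.EC2.Model.UserIdGroupPair
        $pair.GroupId = $SourceGroupId
        $perm.UserIdGroupPairs.Add($pair)
    }
    return $perm
}

# Web tier: TCP 80 from the Internet, as on the slide.
$webSg = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'WebSG' -Description 'IIS front end'
Grant-EC2SecurityGroupIngress -GroupId $webSg -IpPermission (New-IngressRule -Port 80 -Cidr '0.0.0.0/0')

# SQL tier: TCP 1433 only from members of WebSG. Referencing the group instead of
# the 10.0.0.0/24 subnet means a newly launched web host is covered automatically
# and nothing else that happens to live in that subnet can reach the database.
$sqlSg = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'SqlSG' -Description 'SQL Server'
Grant-EC2SecurityGroupIngress -GroupId $sqlSg -IpPermission (New-IngressRule -Port 1433 -SourceGroupId $webSg)

# Remote administration: the RD Gateway accepts RDP over HTTPS (443) from the
# admin range only; TCP 3389 is never exposed to the Internet.
$rdgwSg = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'RdgwSG' -Description 'Remote Desktop Gateway'
Grant-EC2SecurityGroupIngress -GroupId $rdgwSg -IpPermission (New-IngressRule -Port 443 -Cidr $adminCidr)

# Private-subnet hosts accept RDP only from the gateway's group.
Grant-EC2SecurityGroupIngress -GroupId $sqlSg -IpPermission (New-IngressRule -Port 3389 -SourceGroupId $rdgwSg)
```

Run this from a workstation with credentials that may create security groups in the VPC. Each rule names a group rather than an address range wherever the source is another tier, which is the "subnet-based design to Security Groups" transition the slide describes: the rules move with the instances, not with the IP plan.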
SQL Server on AWS
Two primary deployment paths:
Amazon RDS
• Fully managed by AWS
• No administrative intervention
• Uses SQL Server Mirroring
Amazon EC2
• You manage your infrastructure
• Advanced deployments: WSFC + AlwaysOn Availability Groups
Many versions and editions of SQL Server are available, including Express, Web, Standard and Enterprise editions and SQL Server 2005, 2008, 2012 and more.
Highly Available SQL Server
[Diagram: Primary Replica in a private subnet of Availability Zone 1 (Primary: 10.0.2.100, WSFC: 10.0.2.101, AG Listener: 10.0.2.102) and Secondary Replica in a private subnet of Availability Zone 2 (Primary: 10.0.3.100, WSFC: 10.0.3.101, AG Listener: 10.0.3.102). Both replicas are synchronous-commit with automatic failover; the AG Listener name is ag.awslabs.net.]
SQL Server WSFC Failover: The Quorum
[Diagram: the same two-AZ synchronous-commit pair with automatic failover, plus a Witness Server that supplies the additional quorum vote so the cluster keeps a majority when one Availability Zone is lost.]
SQL Server HA With Read Replica
[Diagram: Primary Replica (Availability Zone 1) and Secondary Replica 1 (Availability Zone 2) in synchronous-commit with automatic failover behind AG Listener ag.awslabs.net; a Secondary Replica 2 (Readable) receives asynchronous-commit replication and serves a Reporting Application.]
SQL Server HA With Disaster Recovery
[Diagram: Primary Replica (Availability Zone 1) and Secondary Replica 1 (Availability Zone 2) behind AG Listener ag.awslabs.net with automatic failover; Secondary Replica 2 (Readable) sits in the Corporate Network, reached over VPN, serves a Reporting Application, is the source for Backups and is a manual failover target.]
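The four preceding SQL Server slides describe one topology: a two-AZ synchronous pair with automatic failover, a witness for quorum, a readable asynchronous secondary (on the DR slide it sits in the corporate network behind the VPN) and a listener name that follows the primary. This added example, not code from the deck, builds that topology with the FailoverClusters and SQLPS cmdlets. The host names, cluster name, endpoint port, witness share and database name are assumptions; the listener IPs and the ag.awslabs.net name are the ones on the slides.

```powershell
# Added example (not from the original deck). Assumed names: SQL1/SQL2/SQL3,
# cluster SQLCLUSTER, witness share \\WITNESS\fsw, database AppDB, endpoint port 5022.
Import-Module FailoverClusters
Import-Module SQLPS -DisableNameChecking

$primary   = 'SQL1'   # AZ1 replica, 10.0.2.100 on the slide
$secondary = 'SQL2'   # AZ2 replica, 10.0.3.100 on the slide
$readOnly  = 'SQL3'   # readable asynchronous secondary (corporate network on the DR slide)
$witness   = '\\WITNESS\fsw'

# 1. Quorum: two nodes in two AZs plus a file-share witness on a third host, so
#    losing either AZ still leaves a majority and automatic failover can happen.
Set-ClusterQuorum -Cluster 'SQLCLUSTER' -NodeAndFileShareMajority $witness

# 2. Replica templates. The two AZ replicas are synchronous with automatic
#    failover; the reporting replica is asynchronous, manual failover, read-intent only.
$tpl = @{ AsTemplate = $true; Version = 11 }   # 11 = SQL Server 2012
$r1 = New-SqlAvailabilityReplica -Name $primary   -EndpointUrl "TCP://$primary.awslabs.net:5022" `
        -AvailabilityMode SynchronousCommit  -FailoverMode Automatic @tpl
$r2 = New-SqlAvailabilityReplica -Name $secondary -EndpointUrl "TCP://$secondary.awslabs.net:5022" `
        -AvailabilityMode SynchronousCommit  -FailoverMode Automatic @tpl
$r3 = New-SqlAvailabilityReplica -Name $readOnly  -EndpointUrl "TCP://$readOnly.awslabs.net:5022" `
        -AvailabilityMode AsynchronousCommit -FailoverMode Manual `
        -ConnectionModeInSecondaryRole AllowReadIntentConnectionsOnly @tpl

# 3. Create the group on the primary, then join each secondary and its copy of
#    the database (restored there beforehand WITH NORECOVERY).
$agPath = "SQLSERVER:\SQL\$primary\DEFAULT"
New-SqlAvailabilityGroup -Name 'AG1' -Path $agPath -AvailabilityReplica @($r1, $r2, $r3) -Database 'AppDB'
foreach ($node in @($secondary, $readOnly)) {
    Join-SqlAvailabilityGroup -Path "SQLSERVER:\SQL\$node\DEFAULT" -Name 'AG1'
    Add-SqlAvailabilityDatabase -Path "SQLSERVER:\SQL\$node\DEFAULT\AvailabilityGroups\AG1" -Database 'AppDB'
}

# 4. Listener with one static IP per subnet (a multi-subnet cluster), so
#    ag.awslabs.net resolves to whichever AZ currently holds the primary.
New-SqlAvailabilityGroupListener -Name 'ag' -Port 1433 `
    -StaticIp '10.0.2.102/255.255.255.0', '10.0.3.102/255.255.255.0' `
    -Path "$agPath\AvailabilityGroups\AG1"
```

Clients connect to ag.awslabs.net rather than to a node name; with a listener address in each subnet, a failover to the other AZ changes which IP is online without any DNS edit. The security groups for the three nodes need TCP 5022 open to each other for the endpoint traffic and TCP 1433 open from the application tier, in the same group-to-group style as the earlier web/SQL rules.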
SharePoint 2013 on AWS
• Web tier is made highly available through load balancing
• Application-tier load balancing is native to SharePoint
• Database-tier high availability can be achieved with SQL AlwaysOn
• Install SharePoint using a SQL Client Alias
• Update the alias after making the databases highly available, and point it to the Availability Group Listener fully qualified domain name (FQDN)
SharePoint 2013 on AWS: Example Architecture
[Diagram: two Availability Zones, each with a public subnet (10.0.0.0/24, NAT, RDGW) and a private subnet (10.0.2.0/24) containing a Domain Controller (DC), a SQL Server (DB Primary in one AZ, DB Secondary in the other, joined in an Availability Group), an App Server (APP) and a Web Front-End (WEB). Users enter through the web tier.]
SharePoint Migration Strategies
Create SharePoint Farm
• Create the new target farm to spec
Copy Database to the Target Farm
• Place the source farm and database in read-only mode
• Back up the content and service application databases
• Restore the databases to the target farm
Upgrade Service Applications
• Configure service applications for the target farm
• Create new web applications matching the source farm
Upgrade Content Databases
• Upgrade and mount the new content databases
Upgrade Site Collections
• Site owners' responsibility
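The SQL client alias from the "SharePoint 2013 on AWS" slide and the copy/mount steps of the migration strategy above, carried through for one content database. This is an added example, not code from the deck or from Microsoft; the alias name, source and target instances, web application URL, database name and backup share are assumptions, and ag.awslabs.net is the listener FQDN from the slides.

```powershell
# Added example (not from the original deck). Assumed names: alias SPSQL, source
# OLDSQL.corp.local, target SQL1, web app http://intranet, share \\fileshare\spmigration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module SQLPS -DisableNameChecking

$alias     = 'SPSQL'                    # the alias the farm was installed against
$sourceSql = 'OLDSQL.corp.local'        # on-premises source instance
$targetSql = 'SQL1'                     # AZ1 primary of the new farm
$listener  = 'ag.awslabs.net'           # Availability Group listener from the slides
$db        = 'WSS_Content_Intranet'
$backupDir = '\\fileshare\spmigration'  # reachable from both farms

function Set-SqlClientAlias {
    # Registry-based SQL Native Client alias (DBMSSOCN = TCP/IP). Both the 64-bit
    # and the WOW6432 hive are written so 32-bit and 64-bit clients agree.
    param([string]$Alias, [string]$Server, [int]$Port = 1433)
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo') {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $Alias -Value "DBMSSOCN,$Server,$Port"
    }
}

# 1. Source read-only, so the backup is the last state anyone can write.
Invoke-Sqlcmd -ServerInstance $sourceSql -Query "ALTER DATABASE [$db] SET READ_ONLY WITH ROLLBACK IMMEDIATE"

# 2. Back up on the source, restore onto the target primary. A restore of a
#    read-only database comes back read-only, so flip it before the mount,
#    which must write schema-upgrade changes.
Backup-SqlDatabase  -ServerInstance $sourceSql -Database $db -BackupFile "$backupDir\$db.bak"
Restore-SqlDatabase -ServerInstance $targetSql -Database $db -BackupFile "$backupDir\$db.bak" -ReplaceDatabase
Invoke-Sqlcmd -ServerInstance $targetSql -Query "ALTER DATABASE [$db] SET READ_WRITE"

# 3. Point the alias at the target primary, test, then mount (which upgrades) the content DB.
Set-SqlClientAlias -Alias $alias -Server $targetSql
$webApp = Get-SPWebApplication 'http://intranet'
Test-SPContentDatabase  -Name $db -DatabaseServer $alias -WebApplication $webApp
Mount-SPContentDatabase -Name $db -DatabaseServer $alias -WebApplication $webApp

# 4. Once the database has been added to the Availability Group, repoint the
#    alias at the listener; the farm follows automatic failover without reconfiguration.
Set-SqlClientAlias -Alias $alias -Server $listener
```

Because every farm server resolves the database through the alias, the only change needed at the end is the registry value on each SharePoint server; no web application or service application connection string has to be edited. Run the alias function on every server in the farm, not only the one where the mount happens.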
Active Directory on AWS
Two high-level deployment paths:
Amazon EC2
• Fully managed by you
• Isolated, stretched or federated
AWS Directory Service
• Managed by AWS
• Simple AD and AD Connector
AD Connector
• Connect to your on-premises Active Directory via an existing VPC VPN connection or AWS Direct Connect
• Users access AWS applications with existing credentials
• Administrators can access the AWS Management Console with existing credentials
• Integrates with existing RADIUS MFA solutions
Simple AD
• Launch managed stand-alone directories
• Powered by Samba 4, an Active Directory-compatible server
• Supports common AD features: user accounts, group memberships, domain-joining EC2 instances running Windows, Kerberos-based SSO, and Group Policies
• Use existing AD management tools with Simple AD
• Simple AD accounts can access AWS applications: Amazon WorkSpaces, Amazon Zocalo
Directories Managed For You
• AWS does the heavy-lifting directory management tasks: patch management, host monitoring
• Simple AD includes snapshot backups and point-in-time recovery
• Directories are deployed multi-AZ for availability
Hybrid Active Directory
• Connectivity via VPN or Direct Connect
• Security groups must allow traffic to and from the on-premises DCs
• Properly define AD sites and subnets
• Configure site-link costs
• Enable the "Try Next Closest Site" group policy setting for domain members
Hybrid Active Directory Architecture
[Diagram: Corporate Network in Washington DC with DC1 and DC2, connected over VPN to a private subnet in an Availability Zone in Virginia hosting DC3.]
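The site, subnet, site-link cost and "Try Next Closest Site" steps from the Hybrid Active Directory checklist, applied to the diagram's two locations (DC1 and DC2 in Washington DC, DC3 in Virginia on AWS). This is an added example, not code from the deck; the site names, the subnet prefixes, the link cost and interval and the GPO name are assumptions.

```powershell
# Added example (not from the original deck): AD site topology for the hybrid
# diagram using the ActiveDirectory and GroupPolicy modules. Site names, subnet
# prefixes, cost/interval and the GPO name are assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$onPremSite = 'Washington-DC'
$awsSite    = 'AWS-Virginia'

# 1. One site per location: clients then pick a DC in their own site and
#    replication across the VPN runs on a schedule instead of on every change.
New-ADReplicationSite -Name $onPremSite
New-ADReplicationSite -Name $awsSite

# 2. Subnets decide site membership from a client's IP. Every VPC subnet must be
#    registered, or AWS-hosted members may walk the VPN to an on-premises DC.
New-ADReplicationSubnet -Name '192.168.0.0/16' -Site $onPremSite   # constructed corporate range
New-ADReplicationSubnet -Name '10.0.0.0/16'    -Site $awsSite      # constructed VPC CIDR

# 3. Place the domain controllers from the diagram in their sites.
foreach ($dc in 'DC1', 'DC2') { Move-ADDirectoryServer -Identity $dc -Site $onPremSite }
Move-ADDirectoryServer -Identity 'DC3' -Site $awsSite

# 4. Site link over the VPN with an explicit cost; a lower-cost link is the one
#    "Try Next Closest Site" will prefer when the local site has no DC available.
New-ADReplicationSiteLink -Name "$onPremSite-$awsSite" `
    -SitesIncluded $onPremSite, $awsSite -Cost 100 -ReplicationFrequencyInMinutes 15 `
    -InterSiteTransportProtocol IP

# 5. "Try Next Closest Site" via Group Policy (Netlogon policy key): members whose
#    own site has no reachable DC fall back to the next-cheapest site rather than
#    any DC in the forest.
$gpo = New-GPO -Name 'Domain Members - Site Awareness'
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Netlogon\Parameters' `
    -ValueName 'TryNextClosestSite' -Type DWord -Value 1
$gpo | New-GPLink -Target (Get-ADDomain).DistinguishedName
```

Run this once from a domain controller or a host with RSAT; the security-group rule from the checklist (AD traffic between the VPC and the on-premises DCs) still has to be allowed on both the AWS side and the corporate firewall before DC3 can replicate.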
Instance Migration and Upgrade
• Two primary paths: Migrate and Upgrade
• A fleet migration is a more complex task that may take longer but is better for a complex production environment
• A variety of Technology Partner tools and techniques can help here
• A system upgrade is suitable for a smaller number of instances or to get moving quickly
• Native AWS tools apply
Management and Maintenance: CloudWatch
Log types:
• Event Logs
• IIS Logs
• Any Event Tracing for Windows (ETW) logs
• Any Performance Counter data
• Any text-based log files
Enables customers to easily monitor instance activity in real time and create alarms on these events.
Management and Maintenance: Simple Systems Manager
Simple Systems Manager provides native AWS tools to manage your Windows EC2 instances:
• Join an AWS Directory
• Install software using MSI packages
• Run PowerShell scripts
• Configure CloudWatch Logs
Simple Systems Manager manages instances while they are running:
• Create a configuration document describing tasks (e.g. install software)
• Attach the document to an instance and either run it manually or schedule a task
• Disassociate a document when you no longer need it, but the configuration doesn't go away!
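The CloudWatch log types and the Simple Systems Manager workflow from the last three slides, combined into one configuration document that installs an MSI and streams the Application event log and IIS logs to CloudWatch Logs, then attached to an instance and later disassociated. This is an added example, not code from the deck; the instance ID, MSI URL, region and log-group name are assumptions, and the component names inside the document are those of the EC2Config CloudWatch plugin.

```powershell
# Added example (not from the original deck). Instance ID, MSI URL, region and
# log group are assumed. Empty AccessKey/SecretKey means the instance's IAM role is used.
Import-Module AWSPowerShell

$instanceId = 'i-00000000'                          # assumption
$msiUrl     = 'https://example.invalid/agent.msi'   # placeholder

$document = @"
{
  "schemaVersion": "1.0",
  "description": "Install an agent and stream Windows logs to CloudWatch Logs",
  "runtimeConfig": {
    "aws:applications": {
      "properties": [ { "action": "Install", "source": "$msiUrl" } ]
    },
    "aws:cloudWatch": {
      "properties": {
        "EngineConfiguration": {
          "PollInterval": "00:00:15",
          "Components": [
            {
              "Id": "ApplicationEventLog",
              "FullName": "AWS.EC2.Windows.CloudWatch.EventLog.EventLogInputComponent,AWS.EC2.Windows.CloudWatch",
              "Parameters": { "LogName": "Application", "Levels": "7" }
            },
            {
              "Id": "IISLog",
              "FullName": "AWS.EC2.Windows.CloudWatch.CustomLog.CustomLogInputComponent,AWS.EC2.Windows.CloudWatch",
              "Parameters": {
                "LogDirectoryPath": "C:\\inetpub\\logs\\LogFiles\\W3SVC1",
                "TimestampFormat": "yyyy-MM-dd HH:mm:ss",
                "Encoding": "UTF-8",
                "Filter": "",
                "CultureName": "en-US",
                "TimeZoneKind": "UTC",
                "LineCount": "5"
              }
            },
            {
              "Id": "CloudWatchLogs",
              "FullName": "AWS.EC2.Windows.CloudWatch.CloudWatchLogsOutput,AWS.EC2.Windows.CloudWatch",
              "Parameters": {
                "AccessKey": "", "SecretKey": "",
                "Region": "us-east-1",
                "LogGroup": "Windows-Logs",
                "LogStream": "{instance_id}"
              }
            }
          ],
          "Flows": { "Flows": [ "ApplicationEventLog,CloudWatchLogs", "IISLog,CloudWatchLogs" ] }
        }
      }
    }
  }
}
"@

# Create the document once, then associate it with each instance to manage.
New-SSMDocument -Name 'WindowsMonitoring' -Content $document
New-SSMAssociation -Name 'WindowsMonitoring' -InstanceId $instanceId

# Check what the agent reported for this association.
(Get-SSMAssociation -Name 'WindowsMonitoring' -InstanceId $instanceId).Status

# Disassociating only detaches the document. The MSI stays installed and the
# CloudWatch configuration stays on the instance until it is changed explicitly.
Remove-SSMAssociation -Name 'WindowsMonitoring' -InstanceId $instanceId
```

Levels "7" on the event-log component selects error, warning and information events together. Because the association is the only thing removed at the end, treat the document as desired state that must be undone with a second document (or by hand) rather than assuming the instance returns to how it was, which is the point of the slide's closing warning.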