Berlin
Best Practices for Running Enterprise Applications
Philipp Behre
Agenda
• Cloud Adoption goes in stages and various flavors
• Running business applications on AWS
• Foster agility and gain transparency without losing control
Cloud Adoption goes in stages
[Diagram: the journey we’re seeing with AWS customers, in four stages]
• Dev & Test: development and test environments
• True Production: build, migrate and run production apps
• Mission Critical: build, migrate and run mission-critical apps
• All-in: AWS as the corporate standard
What sets AWS apart?
• Experience: building and managing cloud since 2006
• Service breadth & depth: 40+ services to support any cloud workload
• Pace of innovation: history of rapid, customer-driven releases
• Global footprint: 11 regions, 28 availability zones, 52 edge locations
• Pricing philosophy: 45+ proactive price reductions to date
• Ecosystem: 8,000+ SIs and ISVs; 2,000+ Marketplace products
*as of July 31, 2014
To name a few …
Running Dev & Test on AWS - an example
[Diagram: an SAP landscape split between the corporate data center and AWS. The production systems (PRD: ECC, BW, SRM) stay in the corporate data center; the development and QA systems (DEV and QAS, each with ECC, BW and SRM) run in an Amazon Virtual Private Cloud that is connected to the corporate data center via VPN or AWS Direct Connect.]
Microsoft Applications on AWS
[Logo slides: some Microsoft applications running on AWS, followed by customer success stories]
The AWS advantage: easy deployment, cost efficiency & reduction, reliability, fast performance
Microsoft Windows architecture on AWS
• Place application servers in private subnets to prevent direct access from the Internet
• Deploy bastion hosts, reverse proxies, and other Internet-facing servers in public subnets
• Install critical workloads in at least two Availability Zones to provide high availability
Architectural considerations
• Virtual Private Cloud (Amazon VPC)
• The principle of least privilege
• Security groups & network ACLs
• Remote administration
[Diagram: reference Windows architecture repeated across two Availability Zones. In each zone a private subnet (shown as 10.0.0.0/24) holds the Domain Controller (DC), SQL Server (DB) and App Server (APP), and a public subnet (shown as 10.0.2.0/24) holds the IIS Server (WEB), a NAT instance and an RD Gateway (RDGW). Remote users and admins enter only through the public subnet.]
Windows architecture on AWS
Active Directory hybrid deployments
• Properly define AD sites and subnets
• Configure site-link costs
• Enable the "Try Next Closest Site" group policy setting for domain members
• Connectivity via VPN or Direct Connect
• Security groups must allow traffic to and from DCs on-premises
[Diagram, in three steps: an AD forest spanning AWS and the corporate data center. DC1 in Seattle and DC2 in Tacoma sit on the corporate network; DC3 sits in a private subnet in an AWS Availability Zone, reached over VPN.]
Question: DC1 goes down, where do clients in Seattle go for Directory Services?
Answer: Seattle (AD Site 1), Tacoma (AD Site 2) and AWS (AD Site 3) are defined as sites, joined by site links with costs of 100, 100 and 50. With a properly implemented site topology and the “Try Next Closest Site” policy enabled, clients use the least-cost path to a DC.
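The site topology from the three bullets above, as an added example (not code from the original deck), built with the ActiveDirectory and GroupPolicy modules on a domain controller or RSAT host. The AWS subnets 10.0.0.0/24 and 10.0.2.0/24 and the link costs 100/100/50 come from the diagram; the corporate CIDRs, the assignment of the cost-50 link to Seattle-AWS, the GPO name, the 15-minute replication interval and the domain name awslabs.net are assumptions.

```powershell
# Added example, not part of the original presentation. Assumed values are
# marked as such. Run with Domain Admin rights.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = 'awslabs.net'   # assumed (taken from the SQL Server diagrams later in the deck)

# 1. Sites and the subnets that map clients to them. A client whose address is in
#    no subnet belongs to no site and may authenticate against any DC in the forest,
#    so every VPC subnet that hosts domain members must be listed.
$sites = @{
    'Seattle' = @('192.168.10.0/24')               # assumed corporate CIDR
    'Tacoma'  = @('192.168.20.0/24')               # assumed corporate CIDR
    'AWS'     = @('10.0.0.0/24', '10.0.2.0/24')    # VPC private and public subnets (diagram)
}
foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($cidr in $sites[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $site
        }
    }
}

# 2. Site links and costs. Lower cost means "closer"; both the KCC (replication
#    topology) and the DC locator use it. Seattle-AWS is the cheap path (50), so a
#    Seattle client that loses DC1 should prefer DC3 in AWS over DC2 in Tacoma.
$links = @(
    @{ Name = 'Seattle-Tacoma'; Sites = 'Seattle','Tacoma'; Cost = 100 },
    @{ Name = 'Tacoma-AWS';     Sites = 'Tacoma','AWS';     Cost = 100 },
    @{ Name = 'Seattle-AWS';    Sites = 'Seattle','AWS';    Cost = 50  }   # assumed placement of the cost-50 link
)
foreach ($l in $links) {
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$($l.Name)'")) {
        New-ADReplicationSiteLink -Name $l.Name -SitesIncluded $l.Sites -Cost $l.Cost `
            -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# 3. "Try Next Closest Site". Without it a client whose own site has no reachable
#    DC falls back to any DC in the domain, regardless of link cost. The setting is
#    the Net Logon DC-locator policy, which is a single registry value, so it can
#    be delivered by a GPO linked at the domain root.
$gpoName = 'Domain Members - DC Locator'   # assumed GPO name
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target (Get-ADDomain).DistinguishedName | Out-Null
}
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -ValueName 'TryNextClosestSite' -Type DWord -Value 1 | Out-Null

# 4. Verify from a Seattle client after gpupdate: with DC1 stopped, the locator
#    should now return DC3 (the AWS site) rather than DC2.
nltest /dsgetdc:$domain /force
```

The subnet list is the part most often wrong in hybrid deployments: when a new VPC subnet is added without an AD subnet object, its members silently land in no site and start authenticating across the VPN. Step 1 is therefore worth re-running whenever the VPC layout changes.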
SQL Server High Availability
• Amazon RDS Multi-AZ Deployments
– Fully managed by AWS
– No administrative intervention
– Uses SQL Server mirroring
• SQL Server Enterprise 2012/2014
– Managed by you
– HA achieved using WSFC & AlwaysOn Availability Groups
SQL Server High Availability (HA)
[Diagram: a WSFC spanning two Availability Zones, each with a private subnet. The primary replica (AZ 1, 10.0.2.100) and secondary replica (AZ 2, 10.0.3.100) use synchronous commit with automatic failover. Each subnet has its own cluster IP (WSFC: 10.0.2.101 / 10.0.3.101) and listener IP (AG Listener: 10.0.2.102 / 10.0.3.102); clients connect to the listener name ag.awslabs.net.]
[Diagram: WSFC quorum. The same two replicas plus a witness server; a second variant places the witness server in a third Availability Zone, so losing any single zone still leaves a quorum majority.]
SQL Server HA with Readable Replica
[Diagram: primary replica (AZ 1) and secondary replica 1 (AZ 2) with synchronous commit and automatic failover behind the listener ag.awslabs.net; an asynchronous-commit secondary replica 2 is readable and serves a reporting application.]
SQL Server Disaster Recovery & Backup
[Diagram: primary replica (AZ 1) and secondary replica 1 (AZ 2) with automatic failover behind the listener ag.awslabs.net; secondary replica 2 (readable) runs on the corporate network over VPN, serves the reporting application, takes the backups, and is a manual-failover target.]
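The self-managed option from the HA bullets, the readable-replica diagram and the DR diagram, as one added example (not code from the original deck) using the FailoverClusters and SQLPS modules: a WSFC across two Availability Zones with a file share witness in a third, one synchronous automatic-failover secondary, one asynchronous readable secondary for reporting or DR, and a multi-subnet listener on the addresses from the diagram (10.0.2.102 / 10.0.3.102, cluster IPs 10.0.2.101 / 10.0.3.101, domain awslabs.net). Host names SQL1..SQL3, the third replica's subnet 10.0.4.0/24, the witness share \\WITNESS\Quorum, the backup share, the database name AppDB and the endpoint port 5022 are assumptions.

```powershell
# Added example, not part of the original presentation. Run as a domain user who
# is sysadmin on all three instances; SQL Server 2014 Enterprise (Version 12).
Import-Module FailoverClusters
Import-Module SQLPS -DisableNameChecking

$nodes  = 'SQL1','SQL2','SQL3'   # assumed host names
$domain = 'awslabs.net'          # from the diagram
$agName = 'AG1'                  # assumed
$db     = 'AppDB'                # assumed
$share  = '\\WITNESS\Backup'     # assumed, reachable from every node

# 1. Windows Server Failover Cluster. A multi-subnet cluster needs one cluster IP
#    per subnet (diagram: 10.0.2.101 / 10.0.3.101; 10.0.4.101 assumed for AZ 3).
New-Cluster -Name 'SQLCLUSTER' -Node $nodes -NoStorage `
    -StaticAddress '10.0.2.101','10.0.3.101','10.0.4.101'
# Witness in a third AZ: the loss of any one zone then still leaves a majority.
Set-ClusterQuorum -Cluster 'SQLCLUSTER' -FileShareWitness '\\WITNESS\Quorum'

# 2. Enable AlwaysOn on every instance and start the database-mirroring endpoint.
#    The endpoint uses Windows authentication: each node's SQL Server service
#    account (or gMSA) needs CONNECT on the other nodes' endpoints, and security
#    groups must allow TCP 5022 between replicas.
foreach ($n in $nodes) {
    Enable-SqlAlwaysOn -ServerInstance $n -Force
    $ep = New-SqlHADREndpoint -Path "SQLSERVER:\SQL\$n\DEFAULT" -Name 'Hadr_endpoint' -Port 5022
    Set-SqlHADREndpoint -InputObject $ep -State Started
}

# 3. Replica definitions. SQL1/SQL2: synchronous commit, automatic failover.
#    SQL3: asynchronous commit, manual failover only, readable (read-intent).
$sync  = @{ AvailabilityMode = 'SynchronousCommit';  FailoverMode = 'Automatic' }
$async = @{ AvailabilityMode = 'AsynchronousCommit'; FailoverMode = 'Manual' }
$r1 = New-SqlAvailabilityReplica -Name 'SQL1' -EndpointUrl "TCP://SQL1.${domain}:5022" @sync  -AsTemplate -Version 12
$r2 = New-SqlAvailabilityReplica -Name 'SQL2' -EndpointUrl "TCP://SQL2.${domain}:5022" @sync  -AsTemplate -Version 12
$r3 = New-SqlAvailabilityReplica -Name 'SQL3' -EndpointUrl "TCP://SQL3.${domain}:5022" @async -AsTemplate -Version 12 `
        -ConnectionModeInSecondaryRole AllowReadIntentConnectionsOnly

# 4. Seed the secondaries (database must be in FULL recovery), create the group
#    on the primary, then join the secondaries and attach the database.
Backup-SqlDatabase -ServerInstance 'SQL1' -Database $db -BackupFile "$share\$db.bak"
Backup-SqlDatabase -ServerInstance 'SQL1' -Database $db -BackupFile "$share\$db.trn" -BackupAction Log
New-SqlAvailabilityGroup -Name $agName -Path 'SQLSERVER:\SQL\SQL1\DEFAULT' `
    -AvailabilityReplica @($r1, $r2, $r3) -Database $db
foreach ($n in 'SQL2','SQL3') {
    Restore-SqlDatabase -ServerInstance $n -Database $db -BackupFile "$share\$db.bak" -NoRecovery
    Restore-SqlDatabase -ServerInstance $n -Database $db -BackupFile "$share\$db.trn" -RestoreAction Log -NoRecovery
    Join-SqlAvailabilityGroup -Path "SQLSERVER:\SQL\$n\DEFAULT" -Name $agName
    Add-SqlAvailabilityDatabase -Path "SQLSERVER:\SQL\$n\DEFAULT\AvailabilityGroups\$agName" -Database $db
}

# 5. Listener with one IP per subnet. Clients connect to ag.awslabs.net and
#    should set MultiSubnetFailover=True so they try both addresses in parallel.
New-SqlAvailabilityGroupListener -Name 'ag' -Port 1433 `
    -StaticIp '10.0.2.102/255.255.255.0','10.0.3.102/255.255.255.0' `
    -Path "SQLSERVER:\SQL\SQL1\DEFAULT\AvailabilityGroups\$agName"

# 6. Check replica and database synchronization state before relying on
#    automatic failover.
Test-SqlAvailabilityGroup -Path "SQLSERVER:\SQL\SQL1\DEFAULT\AvailabilityGroups\$agName"
```

For the DR diagram the only change is where SQL3 lives: an on-premises replica is defined exactly like $r3, with its own subnet added to the cluster and listener, and it stays a manual-failover target because its commit is asynchronous.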
SharePoint 2013 High Availability
• Web tier is made highly available through load balancing
• Application-tier load balancing is native to SharePoint
• Database-tier high availability can be achieved with SQL Server AlwaysOn Availability Groups
[Diagram: Internet-facing SharePoint 2013 farm on AWS across two Availability Zones. Each zone has a public subnet with a NAT instance and an RD Gateway and a private subnet (the slide shows 10.0.0.0/24 and 10.0.2.0/24) with a Domain Controller, a SQL Server, an App Server and a Web Front-End. The two SQL Servers (DB primary in one zone, DB secondary in the other) form an Availability Group. Users reach the web front-ends from the Internet.]
Remote administration
• Clients can use the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection
• Bastion hosts can run Windows PowerShell Web Access for remote command line administration
Deploying a bastion host in each Availability Zone can provide highly available and secure remote access over the Internet
Secure remote administration architecture
[Diagram: an AWS administrator in the corporate data center connects over TCP 443 to the RD Gateway (RDGW) in the public subnet, which is in the Gateway Security Group (accept TCP port 443 from the admin IP). The gateway proxies the RDP session over TCP 3389 to WEB1 or WEB2 in the private subnet, which are in the Web Security Group (accept TCP port 3389 from the Gateway SG).]
Requires one connection: connect to the RD Gateway, and the gateway proxies the RDP connection to the back-end instance.
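The security-group design from the Windows architecture section earlier (DC, DB, APP, WEB, RDGW across private and public subnets, least privilege) and the gateway/web pair in the diagram above, as one added example (not code from the original deck) using AWS Tools for PowerShell. Assumptions: the VPC id, a VPC CIDR of 10.0.0.0/16 containing the two subnets from the diagrams, the admin and corporate CIDRs (RFC 5737/1918 documentation ranges), an application port of 8080, and that IIS is exposed directly on 443 rather than behind a load balancer. Every rule names its source as another security group; only the two edges with no group (the Internet and the admin/corporate networks) use CIDRs.

```powershell
# Added example, not part of the original presentation. Assumed values are
# marked as such. Needs EC2 permissions for the account's default profile.
Import-Module AWSPowerShell

$vpcId     = 'vpc-0a1b2c3d'        # assumed
$vpcCidr   = '10.0.0.0/16'         # assumed; contains 10.0.0.0/24 and 10.0.2.0/24
$adminCidr = '203.0.113.10/32'     # assumed admin workstation
$corpCidr  = '192.168.0.0/16'      # assumed corporate data center
$account   = (Get-STSCallerIdentity).Account

# One group per role. A group with no ingress rules admits nothing, so every
# permitted flow below is explicit.
$sg = @{}
foreach ($role in 'RDGW','WEB','APP','DB','DC') {
    $sg[$role] = New-EC2SecurityGroup -VpcId $vpcId -GroupName "$role-sg" `
        -Description "$role tier, least privilege"
}

# Helper: one ingress rule whose source is either a CIDR or another role's group.
function Add-Ingress {
    param([string]$Role, [string]$Proto, [int]$From, [int]$To,
          [string]$Cidr, [string]$SourceRole)
    $perm = New-Object Amazon.EC2.Model.IpPermission
    $perm.IpProtocol = $Proto; $perm.FromPort = $From; $perm.ToPort = $To
    if ($Cidr) {
        $range = New-Object Amazon.EC2.Model.IpRange
        $range.CidrIp = $Cidr
        $perm.Ipv4Ranges.Add($range)
    } else {
        $pair = New-Object Amazon.EC2.Model.UserIdGroupPair
        $pair.GroupId = $sg[$SourceRole]; $pair.UserId = $account
        $perm.UserIdGroupPairs.Add($pair)
    }
    Grant-EC2SecurityGroupIngress -GroupId $sg[$Role] -IpPermission $perm
}

# Internet edge: the only CIDR-sourced rules on Internet-facing roles.
Add-Ingress -Role RDGW -Proto tcp -From 443 -To 443 -Cidr $adminCidr   # RDP over HTTPS, admin IP only
Add-Ingress -Role WEB  -Proto tcp -From 443 -To 443 -Cidr '0.0.0.0/0'  # public site, TLS only

# Tier to tier: each hop is reachable only from the group one tier in front of it.
Add-Ingress -Role APP -Proto tcp -From 8080 -To 8080 -SourceRole WEB   # assumed app port
Add-Ingress -Role DB  -Proto tcp -From 1433 -To 1433 -SourceRole APP   # SQL Server
Add-Ingress -Role DB  -Proto tcp -From 5022 -To 5022 -SourceRole DB    # AlwaysOn endpoint, replica to replica

# Management plane: RDP (3389) reaches every tier only from the gateway's group,
# which is the chain in the diagram above.
foreach ($role in 'WEB','APP','DB','DC') {
    Add-Ingress -Role $role -Proto tcp -From 3389 -To 3389 -SourceRole RDGW
}

# Directory: domain members in the VPC and the on-premises DCs need the AD port
# set on the DC group. The RPC dynamic range carries replication and the
# Netlogon/SAM RPC calls; 3268-3269 is the global catalog.
$adPorts = @(
    @('tcp',53,53),    @('udp',53,53),     # DNS
    @('tcp',88,88),    @('udp',88,88),     # Kerberos
    @('udp',123,123),                      # NTP (Kerberos needs clocks in sync)
    @('tcp',135,135),                      # RPC endpoint mapper
    @('tcp',389,389),  @('udp',389,389),   # LDAP
    @('tcp',445,445),                      # SMB: SYSVOL, Group Policy
    @('tcp',464,464),  @('udp',464,464),   # Kerberos password change
    @('tcp',636,636),                      # LDAPS
    @('tcp',3268,3269),                    # Global catalog
    @('tcp',49152,65535)                   # RPC dynamic range
)
foreach ($p in $adPorts) {
    foreach ($src in $vpcCidr, $corpCidr) {
        Add-Ingress -Role DC -Proto $p[0] -From $p[1] -To $p[2] -Cidr $src
    }
}

# Check: nothing except WEB:443 may be open to the world.
Get-EC2SecurityGroup -GroupId @($sg.Values) | ForEach-Object {
    foreach ($p in $_.IpPermissions) {
        foreach ($r in $p.Ipv4Ranges) {
            if ($r.CidrIp -eq '0.0.0.0/0' -and -not ($_.GroupName -eq 'WEB-sg' -and $p.FromPort -eq 443)) {
                Write-Warning "$($_.GroupName) exposes $($p.IpProtocol)/$($p.FromPort) to the Internet"
            }
        }
    }
}
```

Because the sources are group references rather than addresses, instances can be replaced or autoscaled without editing a single rule; the final check is the one to run in CI or as a scheduled job, since it is the rule added later "just for a test" that turns a private tier into an Internet-facing one.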
Remote Administration High Availability
• Remote Desktop Gateway Server Farm
– Still requires load balancing
– Farm members must have identical policies
– Farm members must be domain joined
• Amazon Route 53 Health Checks and DNS Failover
– Active-active failover
– Active-passive failover
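The active-passive variant, for one bastion per Availability Zone as recommended in the remote administration section, as an added example (not code from the original deck) using AWS Tools for PowerShell. Assumptions: the hosted zone id, the two gateways' Elastic IPs (RFC 5737 documentation addresses) and the record name rdgw.awslabs.net (awslabs.net is the domain used in the deck's SQL Server diagrams). Route 53 probes each gateway over HTTPS on the RD Gateway listener, so a host whose gateway service is stopped is taken out of DNS even though the instance itself is still running.

```powershell
# Added example, not part of the original presentation. Assumed values are
# marked as such.
Import-Module AWSPowerShell

$zoneId   = 'Z0000000000000'     # assumed hosted zone id for awslabs.net
$record   = 'rdgw.awslabs.net.'  # assumed record name (trailing dot: FQDN)
$gateways = @(
    @{ Name = 'RDGW1'; Ip = '198.51.100.11'; Role = 'PRIMARY'   },   # AZ 1, assumed EIP
    @{ Name = 'RDGW2'; Ip = '198.51.100.12'; Role = 'SECONDARY' }    # AZ 2, assumed EIP
)

$changes = foreach ($gw in $gateways) {
    # 1. Health check: HTTPS to the gateway's EIP, with the record name as the
    #    Host header / SNI so the gateway's certificate matches. Route 53 treats
    #    only 2xx/3xx as healthy, so the path must be one that answers without
    #    authentication (the IIS default site root), not the RPC endpoint, which
    #    returns 401.
    $hc = New-R53HealthCheck -CallerReference ("$($gw.Name)-" + [guid]::NewGuid()) `
        -HealthCheckConfig_Type HTTPS `
        -HealthCheckConfig_IPAddress $gw.Ip `
        -HealthCheckConfig_Port 443 `
        -HealthCheckConfig_FullyQualifiedDomainName $record.TrimEnd('.') `
        -HealthCheckConfig_ResourcePath '/' `
        -HealthCheckConfig_RequestInterval 30 `
        -HealthCheckConfig_FailureThreshold 3
    $gw.HealthCheckId = $hc.Id

    # 2. One failover record per gateway, each tied to its own health check.
    #    Route 53 answers with the PRIMARY while it is healthy, otherwise with the
    #    SECONDARY; a short TTL limits how long clients keep the stale answer.
    $rrs = New-Object Amazon.Route53.Model.ResourceRecordSet
    $rrs.Name          = $record
    $rrs.Type          = 'A'
    $rrs.TTL           = 60
    $rrs.SetIdentifier = $gw.Name
    $rrs.Failover      = $gw.Role
    $rrs.HealthCheckId = $hc.Id
    $rrs.ResourceRecords.Add((New-Object Amazon.Route53.Model.ResourceRecord -ArgumentList $gw.Ip))

    $change = New-Object Amazon.Route53.Model.Change
    $change.Action = 'UPSERT'
    $change.ResourceRecordSet = $rrs
    $change
}

Edit-R53ResourceRecordSet -HostedZoneId $zoneId -ChangeBatch_Change $changes `
    -ChangeBatch_Comment 'RD Gateway active-passive failover'

# 3. Check: every Route 53 checker location should report Success for both
#    gateways before the record is handed to administrators.
foreach ($gw in $gateways) {
    Get-R53HealthCheckStatus -HealthCheckId $gw.HealthCheckId |
        Select-Object @{ n = 'Gateway'; e = { $gw.Name } }, Region, @{ n = 'Status'; e = { $_.StatusReport.Status } }
}
```

Both gateways must carry identical connection and resource authorization policies and be domain joined, as the farm bullets say; DNS failover only moves the name, it does not make the policies consistent. Because the health checks originate from Route 53's own address ranges, the Gateway Security Group must admit 443 from those ranges in addition to the admin IP, or every check fails and the record is permanently on the secondary.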
Quick Start reference deployments
• Lync Server 2013
• Active Directory domain services
• SQL Server 2012 & 2014 with WSFC
• SharePoint 2013 Enterprise
• PowerShell DSC
• Exchange Server 2013
aws.amazon.com/quickstart
Foster agility and gain transparency without losing control
Today, IT and Project Teams often lack common ground
[Diagram: the IT service team asks for control, visibility and compliance; project teams ask for agility, self-service and time to market.]
Empower agile teams with standardized self-service
Create custom services and grant access to developers
Use a personalized portal to find & launch services
An integrated approach to gain transparency
[Diagram: AWS Service Catalog publishes approved templates; a user selects and provisions a service, which creates, updates and validates a resource stack from the template (AWS CloudFormation). Around that loop: AWS CloudTrail captures all API interaction and secures the audit data in Amazon S3 (durable storage); Amazon CloudWatch monitors AWS and the application and initiates alarms that notify; AWS Config catalogs resources and their changes and notifies on change.]
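The audit path in the diagram (CloudTrail captures all API interaction, S3 secures it, CloudWatch monitors and notifies), as an added example (not code from the original deck) using AWS Tools for PowerShell. The bucket, log group, topic and role names, the region and the e-mail address are assumptions, as is the IAM role that lets CloudTrail write to CloudWatch Logs, which is taken to exist already. AWS Config recording is set up separately and not shown.

```powershell
# Added example, not part of the original presentation. Assumed values are
# marked as such.
Import-Module AWSPowerShell

$region   = 'eu-central-1'                   # assumed
Set-DefaultAWSRegion -Region $region
$account  = (Get-STSCallerIdentity).Account
$bucket   = "cloudtrail-$account"            # assumed bucket name
$logGroup = 'CloudTrail/Audit'               # assumed log group
$roleArn  = "arn:aws:iam::${account}:role/CloudTrailToCloudWatchLogs"   # assumed, pre-existing
$email    = 'secops@example.com'             # assumed

# 1. Durable storage. The bucket policy grants the CloudTrail service principal
#    exactly two actions: read the bucket ACL, and write under AWSLogs/<account>/
#    with bucket-owner-full-control. The service can neither read nor delete logs.
New-S3Bucket -BucketName $bucket -Region $region
$policy = @"
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AclCheck", "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::$bucket" },
    { "Sid": "Write", "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::$bucket/AWSLogs/$account/*",
      "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } }
  ]
}
"@
Write-S3BucketPolicy -BucketName $bucket -Policy $policy

# 2. Capture all API interaction: every region, plus the global services (IAM,
#    STS), with log file validation so a signed digest chain makes any later
#    edit or deletion of a log file detectable.
New-CWLLogGroup -LogGroupName $logGroup
$lgArn = "arn:aws:logs:${region}:${account}:log-group:${logGroup}:*"
New-CTTrail -Name 'audit' -S3BucketName $bucket -IsMultiRegionTrail $true `
    -IncludeGlobalServiceEvent $true -EnableLogFileValidation $true `
    -CloudWatchLogsLogGroupArn $lgArn -CloudWatchLogsRoleArn $roleArn
Start-CTLogging -Name 'audit'

# 3. Monitor: turn denied API calls (a principal probing for permissions it
#    lacks) into a metric.
$mt = New-Object Amazon.CloudWatchLogs.Model.MetricTransformation
$mt.MetricName = 'UnauthorizedAPICalls'; $mt.MetricNamespace = 'CloudTrailMetrics'; $mt.MetricValue = '1'
Write-CWLMetricFilter -LogGroupName $logGroup -FilterName 'UnauthorizedAPICalls' `
    -FilterPattern '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }' `
    -MetricTransformation $mt

# 4. Notify: alarm on the metric and deliver through an SNS topic.
$topic = New-SNSTopic -Name 'security-alerts'
Connect-SNSNotification -TopicArn $topic -Protocol email -Endpoint $email
Write-CWMetricAlarm -AlarmName 'UnauthorizedAPICalls' -Namespace 'CloudTrailMetrics' `
    -MetricName 'UnauthorizedAPICalls' -Statistic Sum -Period 300 -EvaluationPeriod 1 `
    -Threshold 1 -ComparisonOperator GreaterThanOrEqualToThreshold -AlarmAction $topic

# 5. Check: the trail is logging and has delivered at least once.
Get-CTTrailStatus -Name 'audit' | Select-Object IsLogging, LatestDeliveryTime
```

The same filter-plus-alarm pattern covers the other events an IT service team wants visibility of without blocking project teams: root account use, security-group or network ACL changes, CloudTrail configuration changes. Each is one more Write-CWLMetricFilter with a different FilterPattern on the same log group.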
Key Takeaways
• Customers today run mission-critical enterprise applications successfully on AWS
• Deploy enterprise applications securely and reliably in the cloud
• AWS is open and ready to run mission-critical applications from Microsoft, Oracle, SAP, IBM, and others
• Centrally control and govern your cloud environment without sacrificing the agility and flexibility of the cloud