Migrating & Operating Microsoft Applications in AWS – Tools & Services

Hi everyone, good afternoon. Again, my name is Imran and I'm a cloud infrastructure architect with AWS Canada in Professional Services. This afternoon we'll be talking about migrating and operating Microsoft applications on AWS. I'd like you to take away three things from this session today. One, what patterns, practices and tools does AWS offer in terms of migrating Microsoft applications to AWS. Then, how do you build and use infrastructure as code to build repeatable architectures. And then we'll talk about how you achieve continuous compliance during and after you have migrated Microsoft applications to AWS. We'll do this by addressing three typical questions that get asked: first of all, why use AWS for Microsoft applications; secondly, what are the migration accelerators (we'll talk about the landing zone in that context as well); and finally, how do you move fast and stay secure, because you're migrating at a very fast pace in the cloud, so how do you stay secure while you're moving fast?

Quick show of hands for me: how many here are running Windows workloads in the cloud in general, any cloud provider? OK. Of those who raised their hands, how many are running, or are willing to admit they're running, on AWS? Good, so from a quick calculation here are the results from the site survey I just did. I'm just joking. This is a survey that IDC did covering 2017 of all Windows workloads running in public infrastructure-as-a-service clouds: AWS accounted for 57.7 percent of those workloads, and IDC also noted that this market is growing as enterprises are actually moving their Windows workloads into the public IaaS market. From the AWS standpoint we have seen growth in the enterprise of 400 percent as of November of last year in enterprises running Windows workloads on EC2, our compute service, so pretty significant numbers there. So why do customers use AWS for Microsoft applications?
We have the most experience in doing this; we've been hosting Windows guests, or Windows tenants, since 2008, more than 10 years running. We have the scale of our global infrastructure: simply put, we have 64 availability zones, collections of our data centers, across 21 global regions. For those who don't know what an availability zone is, it's basically a collection of data centers which is completely isolated and independent of the other collections, or other availability zones, in that same region; they're highly connected with a high-speed, low-latency network, typically 1 to 2 milliseconds apart. And we have announced plans for adding 12 more availability zones across 4 more regions: Bahrain, Indonesia, Italy, and South Africa. So we're growing our global infrastructure as we speak, and we have 50-plus security and compliance certifications, and these also include third-party assurance frameworks such as ISO 27001; we have ISO 27018 for cloud security; we also have ISO 27017 for privacy; and also ISO 9001, which primarily applies to healthcare and life sciences and aerospace and automotive.

But in my opinion equally important is what's on this slide: our pace of innovation, how we are innovating in the cloud space. Just to give you an idea, in 2017 we introduced 1,430 new features and services in AWS; that number last year was 1,957, and Windows workloads are no exception there. We continue to improve in this space, and that's one of the reasons why customers choose AWS for Microsoft applications too. We have 90-plus instance types across 22 instance families, as we call them, as well as 40-plus Windows-specific AMIs, Amazon Machine Images, that you can just launch. Quite a few of those come with SQL Server pre-installed, others have machine learning models already installed in them, and in our Marketplace we have 700-plus listings of Windows software, so you can pick a solution and just launch it.

So now that we've talked about why our customers are picking AWS for Microsoft applications, let's talk about the migration accelerators. Migration is really a journey, right, and here at AWS we have a well-defined process to help you through that journey. We begin by doing a migration assessment, where we not only look at your current infrastructure and where the gaps exist, but also help you with the cost component, where you can build a business case for your stakeholders, and that comes in the form of a discovery report as well as a TCO analysis. In the migration phase, which is a much longer phase, we actually help you design detailed plans around each of your applications by rationalizing them and looking at each of your applications, and help you design and build a solid foundation, a core landing zone. We'll talk about the landing zone quite a bit in this session today.
And then it's off to the races for a full-scale migration. But what happens sometimes is there's a gap between the MRA, which is the assessment piece, and the migration piece, the planning piece, because maybe customers are not comfortable yet, they don't have enough data, or they just don't know where to start. So we've designed a few accelerators, MRP or pre-MRP accelerators, to help customers do that, and those come in the form of briefings: we go through a cloud economics briefing, we have a migration governance briefing, we also have workshops around how to build your centers of excellence and operating models, for example, we have immersion days, and we also have workshops around security and the landing zone to help you build those infrastructures and models. With the last two, the security and landing zone workshops, we actually get deeper into the technology and get our hands dirty with the customer to get them comfortable with the technology. And our experience has shown that this approach has helped our customers go into the MRP phase with successful outcomes.

Now in this session I'm going to concentrate on the landing zone and how it accelerates a migration, and then we'll talk about how you can leverage the landing zone for deploying Microsoft applications. In the next few slides I'm going to build out our network infrastructure and then build out our Active Directory infrastructure. So basically, it's a fully automated solution that we have: when you run the automated scripts in the landing zone, it creates a core account structure. At the very top you see AWS Organizations, I hope you can see it clearly here; we'll talk about AWS Organizations at the end of the presentation, but it's the master account.
We then have a security account which really has access to every other account, the ones that you see here and the ones that get created after, in order to monitor and act upon any events that happen, for example in a break-glass scenario. Then we have a log archive account, the single source of truth. All your logs from all your accounts, API logs, your network logs, your CloudWatch logs, all these get pumped into an S3 bucket there, and we have guardrails in this infrastructure to prevent tampering with or even deleting logs. So that's what this account is for. We'll focus mostly on this shared services account; Shared Services has a different connotation here in Ottawa, so I'm going to try to use "common services" where I can. So this account has infrastructure to control egress and ingress from the internet. We have two VPCs here, and these VPCs typically hold your third-party filtering solutions, for example web firewalls, internet gateways, NAT gateways, and your other IDS/IPS devices you can place in these. Then you also have a common services VPC, which is created to host your common services such as Active Directory, a major one in the context of our landing zone here, and also DNS, and bastion hosts to get into the infrastructure with very restricted access. And all these accounts have, like I mentioned, guardrails already built in with the landing zone automation.

In the middle we drop what we call a transit gateway. I'm not sure how many are familiar with the transit VPC solution that we had; this is really a successor to that solution, with a facelift and a lot more functionality and a lot more scale. So basically we drop the transit gateway in the middle and establish connectivity; it's a giant router basically, if you can think about it as a giant router sitting in the middle. Once we do that, we create routes and we light up the internet. So we have a core infrastructure set up with access in and out from the internet in a very controlled way. The next step is very critical for migrations, Windows migrations: establishing on-prem connectivity. This is in the form of either a VPN or a Direct Connect, which is a dedicated connection, in fact a physical cross-connect from a facility that we go into and the customer goes into, and it's 1 to 10 gigabit of connectivity that you can pick from. You can also have sub-gig connectivity, but you have to go through an AWS partner for that. So once we have on-prem connectivity established, in the landing zone solution itself we have what we call the account vending machine. This is where we start to spin up your accounts for your workloads, for Windows workloads, and those accounts, when they're spun up, actually abide by the rules of the landing zone and the guardrails around them. So once you start spinning up those accounts you establish the routes there, so basically you have your core network architecture now created. Let's talk about Active Directory, very critical for Microsoft workloads before, during and after the migration; let's talk about what options we have for Microsoft Active Directory.
So I'm going to squeeze the edge services VPC over to the side, we drop in the transit gateway, and then we'll zoom in on the directory services piece. Obviously, with the on-prem connectivity, the most optimal option for Active Directory would be to extend your Active Directory into AWS, meaning installing domain controllers from your on-prem domain into EC2. I can see that may not be an option for some organizations, so the other option is really to create another AD in AWS, where you can install it on EC2 or use our managed service, AWS Managed Microsoft AD. You can create trusts either way depending on where your identities live; it could be a two-way trust or a one-way trust depending on where the identities are, and you can use ADMT or a tool like that to move your identities to AWS. If you are doing SAML federation with Office 365, you can do the same in AWS. We have a better option though: if you don't want to manage the ADFS infrastructure in your environment, then AWS SSO is a great tool. Not only does it federate with Office 365, you have options for a multitude of cloud-based applications, and you can also connect it to any custom SAML applications. So those are some of the options, and if you're using an Azure AD Connect server on-prem you can do the same in AWS; Azure AD Connect is really a successor to what used to be called DirSync. So those are some of the options you have for Active Directory.

Let's talk about data now. On the SQL Server side, what are your options? One is to run SQL Server on EC2; this is when you need full control over your SQL instance. You also have the RDS option, and in this option AWS takes over the undifferentiated heavy lifting that you have to do: we do the patching, we do the automated backups and all that, you don't have to worry about those things.
The options for migration depend on what your tolerance for downtime is. The first option is a full backup and restore or import. You can use the AWS Snowball device, which is a device that you provision, we ship it to you, you put your data on it, ship it back, we pump it into S3, and from there you can restore or import it into SQL Server on EC2 or even RDS, but there's a lot of downtime involved there. The second option, with less downtime, is using SQL Server's native functionality of Always On availability groups. The third option is an AWS service called DMS, Database Migration Service. This is another very good service with minimal downtime; the source database stays intact, and it's heterogeneous or homogeneous, depending on where you're coming from: you can migrate from different flavors of databases to AWS, and from SQL Server to SQL Server for that matter.

From an optimization standpoint, how do you optimize SQL Server to run on AWS? SQL Server requires a large memory footprint, and what we have done is we have these drives on our new Nitro hypervisor: NVMe instance store drives, or volumes. These are actually drives on the rack, and it's one of the best options, with our i3 instances on the Nitro hypervisor, to gain the best performance you can get from SQL Server. And then you can also use the throughput-optimized volumes that we offer to do the backups and things like that at a lower cost. I love this option of optimized CPUs. Now, since SQL Server is very memory hungry, for larger databases in AWS it used to be that you had to pick an instance with the higher memory footprint, but along with it came the matching vCPUs; so in this case it's an r4.4xlarge, which is 16 vCPUs and a lot of memory. What we did was we changed it to where you actually have the flexibility to pick a higher-memory instance but only activate the vCPUs that you need, as in this case, and you know that SQL Server will license you based on the vCPU, so with just that small feature you cut down your SQL licensing cost by 50 percent. It's a great option there.
Let's talk about applications now. Excuse me, so through the MRP process, the Migration Readiness and Planning process, we help you rationalize your applications into buckets. Some are COTS applications, commercial off-the-shelf applications; you may have .NET applications; and you may have regulatory applications where you would require pre-approval to maybe rearchitect them or something. So we help you through that process. Sorry about my cheesy animation there. We use a strategy of 6 R's, which is replatform, rehost, refactor, retain, retire and repurchase, but we'll focus on the ones on the left for this session. Now I'm going to build this out quickly. The fastest is rehosting, so for your COTS applications, for example, and for some of your regulatory apps where you don't want to go through that pre-approval, or re-approval process if you will, you would just use a rehost option. For applications where you want to gain cloud economies, you can host those using managed services that we have: ECS, which is our container service. Yes, we do support Windows containers now, on specialized EC2 AMIs, so you can launch Windows containers on them, and you can actually use blue/green deployments to put those on EC2, still EC2. You can also use Fargate, our fully managed ECS solution, Elastic Container Service.
Then for the last one, if you have some batch jobs, for example, you can rearchitect them; with rearchitecting, or sorry, refactoring, you're actually changing the core architecture of the application. With replatforming you're not really changing the core architecture of the application, you're just putting it on a different platform to get economies; for example we have Elastic Beanstalk, or we have, as I mentioned, RDS, which is the Relational Database Service, and you can use those to gain those economies. All right, and also we have the Migration Hub service, which is really an end-to-end view of your migration from discovery all the way to tracking how your applications are being migrated, even with tools that sit outside of Migration Hub. I just wanted to highlight this in terms of how it can help you accelerate your migration by having good tracking on the entire process.

All right, from a migration accelerator standpoint there's a whole bunch of tools on this slide, partner tools; I'm going to highlight the ones that AWS has in its portfolio. Now you may be aware that AWS just acquired TSO Logic on the discovery side, and CloudEndure on the migration side. I'm going to single out CloudEndure for two reasons: number one, I like it; number two, I like it. I'm just kidding. It's a great tool. We also have our own service, which is the Server Migration Service, but I'm using this one today for an example; in fact I was courageous enough to do a live demo. I'm going to do a live demo for you guys, so help me God, we'll see how that goes. But you can migrate from any source with minimal downtime, and it basically works this way: you set up your application settings and then you install an agent on the source machine, it could be database servers too. It creates a staging area in the target region, or the target VPC or account for that matter, and then it synchronizes. You can launch an instance from that with a blueprint in the target architecture, that would be your target VPC for example, and it's very quick: it replicates into the staging area and then it really launches in a matter of minutes regardless of the disk size.

All right, who wants to see a demo? Are you guys with me? All right, can we switch to the demo please? All right, so, I'm sorry, if you could switch back one more time, sorry, I forgot to cover something and this will be confusing. Can you switch back please? Before I go into the demo let me cover what the demo covers and it will be easier. What I've done in this demo is created a source VPC with a public and a private subnet. In the public subnet we actually have an ASP.NET online bookstore, a very simple .NET application; we have the Remote Desktop Gateway, the way I get in; and I have in the private subnet Active Directory and SQL Server, and DNS pointing to the application right now. Now I have established Always On, because for time purposes that was the quickest option I had, and a great option too, this native functionality in SQL Server, Always On availability groups, to replicate to a secondary in the same infrastructure I have set up on the other side, and the transit gateway connects the 2 VPCs. So what I'm really trying to do here is simulate an on-prem infrastructure, where you're connected with a VPN or a Direct Connect to your infrastructure on the other side. Once we do that, I'm going to use CloudEndure to actually migrate the web server to the target infrastructure, we'll point DNS to it and make sure the application is working, and then we'll fail over, completing the migration, when your master database is actually failed over and you can start to build upon that SQL infrastructure. But that's basically how it looks from a demo standpoint; let's go do it. Can you switch back please?

All right, so what I'm going to show you here now, I hope it's big enough, but let me zoom in a little bit. So here's my source web server, and you can see it's running on IIS, and when I zoom back it's pointing to a SQL Server with the IP address in the connection string, which is right here. This is the source side. If you look at the SQL Server itself, you will notice that there's Always On availability established, it's synchronous commit, Books Online is my database in this SQL Server, and it's been replicated to the secondary in the second VPC that I created. So I've created those two VPCs, replication is happening fine, and what I'm going to do now, since we have looked at the web server, is switch over to the application and show you how the application is working. So here's the URL for the application, Books Online. It's a very simple web application; you can browse to it, there's authors, there's books, you can actually go in and edit the details of an author, and this is going to make changes to the underlying database. So I'm going to change the code here to maybe 777 and save the changes, so it's an online database which
actually is interacting with SQL Server in the backend. Now what I'm going to do is use CloudEndure, if you guys don't know it by now. So let me show you the console. In the AWS console I have all these instances and all this infrastructure running, with the source web server right here, so it's the source web server. I have a previous implementation from when I was testing, but that will be replaced once I do another replication; that instance will actually get replaced with the new one and we'll see that. So if I go to CloudEndure, my machines are listed here, and here is my web server. It's in the staging area, remember those boxes; it's in the staging area right now. What I'm going to do is define parameters so it knows my source, everything that's running in that source. The blueprint actually allows you to place it where you want to place it and define what kind of machine it's going to be. So I'm picking pretty much what I had on the source side, which is a t2.large, it's on-demand, which subnet and VPC it's going into as the target, security groups, this is our stateful firewall, so it's going into there, and I'm going to assign a customized private IP address. You can do a random one too with DHCP; I'm doing it this way because I'm going to connect to this instance through the Remote Desktop Gateway, and it's avoiding that step of reassigning it. Then I'm going to assign a public IP address to it, an ephemeral IP address that will be assigned to the instance, and then we'll put that address in DNS. Let's tag this differently, so "May 15 demo". I'm going to save this blueprint and I want to actually launch this machine. This will take about six to eight minutes; we're not going to wait six to eight minutes just like that. So once I have this machine launched, you can see it's updating the status, in progress. While that's cooking we'll go back to the presentation and we'll cover a few more topics, and then we'll come back and do the rest. Sounds fair? All right.

All right, so we talked about why AWS for Microsoft applications, we talked about what the migration accelerators are; let's talk about how you can stay secure and move fast, or stay secure while you move fast, actually. The answer is in infrastructure as code: CloudFormation. It's a service; in fact the landing zone solution itself uses this service extensively. It's basically JSON- or YAML-based templates which interact with our CloudFormation service, and then you create a stack, a set of resources, in CloudFormation, and the stacks that the service creates are service-aware and event-aware. So for example it has rollback capabilities as well. If you were to assign it something, for example elastic IP addresses (I've run into this situation, that's why I'm sharing it): if you create elastic IP addresses, there's a soft limit of five elastic IPs that you can create in an account, it will stop there and roll back and give you an error that you need to fix before you go on. So it's all service-aware; there are many other examples of that. And so that's one way you achieve compliance at a very massive scale.

One other thing: we've talked about the landing zone, and I'm talking about AWS Organizations, remember that top box we saw with AWS Organizations in the master account. This is why we have this service: as AWS usage grows within an organization, especially larger organizations, you begin to see accounts for all these different departments, different groups, different functions. They start deploying on AWS since it's so easy to just spin up an account and start using it, and you run into this problem not only from a cost standpoint but also from a security standpoint as well; billing is almost unmanageable and unimaginable in this kind of scenario. So we have an answer to that, which is AWS Organizations. Basically you can take all those accounts and organize them into OUs, organizational units, so you have a good organization; you can have central billing, all reporting up to a master account, and you can address billing that way. And not only can you organize them and centrally bill them, but you can also put what we call service control policies on those accounts, on those OUs, I'm sorry. So these policies dictate that the accounts that are in that OU have to comply with those policies; they are typically whitelists and blacklists of what an account can do and not do, for example services: you can prevent it from using certain services, or certain types of instances. And also you can share resources across accounts if you need to. And then the problem of central billing is also resolved with this, so many features, and the icing on the cake is the tool is free; there's no cost to using AWS Organizations. So that's one answer to how we do account governance, or governance at scale, and how we move fast: if you have this infrastructure set up, you would just be spinning up new accounts in those OUs, and you would have to, because the landing zone would not allow you to put accounts elsewhere.

The other thing is identity and access management: how do you do that at scale? I mean, if you have a few accounts you can obviously do cross-account roles: you set up roles in your account and give people in the other accounts AssumeRole permission, then they can go interact with your services and manage those services in your account. But how do you do that at scale? The answer again is through CloudFormation: you can have a StackSet that defines your security templates (sorry about the cheesy animation again here), but you define that, and in fact you can also integrate it with your CI/CD pipeline for your software deployment. You're actually managing your infrastructure and your security through your CI/CD pipeline; you can use Visual Studio for that if you want, Eclipse, or other tools that you use.
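As an added example (not from the speaker's slides and not the landing zone solution's own templates), here is the kind of JSON CloudFormation template a StackSet would push into every workload account to do cross-account IAM at scale: one role that principals in the security account can assume, and only with MFA on the calling session. The parameter name, role name and the choice of the ReadOnlyAccess managed policy are assumptions; the 12-digit account ID is a placeholder you supply at deploy time.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example: cross-account operations role, one copy per workload account, deployed by a StackSet (not the landing zone's own template)",
  "Parameters": {
    "SecurityAccountId": {
      "Type": "String",
      "AllowedPattern": "^[0-9]{12}$",
      "Description": "PLACEHOLDER: 12-digit ID of the landing zone security account that is allowed to assume the role"
    }
  },
  "Resources": {
    "CrossAccountOpsRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "LandingZoneOpsRole",
        "Description": "Assumed from the security account; MFA required; read-only by default",
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "TrustSecurityAccountWithMfa",
              "Effect": "Allow",
              "Principal": {
                "AWS": { "Fn::Sub": "arn:aws:iam::${SecurityAccountId}:root" }
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "Bool": { "aws:MultiFactorAuthPresent": "true" }
              }
            }
          ]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/ReadOnlyAccess"
        ]
      }
    }
  },
  "Outputs": {
    "RoleArn": {
      "Description": "ARN the security account's operators assume into this workload account",
      "Value": { "Fn::GetAtt": ["CrossAccountOpsRole", "Arn"] }
    }
  }
}
```

Trusting the account root rather than a named role means the security account's own IAM policies decide who may assume it, so the template never has to change when operators come and go; the MFA condition evaluates to false when the key is absent, which is what keeps a session without MFA from assuming the role.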
So that's how we do IAM at scale. Now, one approach in the past has been, you know, when you deploy infrastructure, the security department does a security blessing on it and then you're off, right? I mean, there's no continuous effort in keeping it up to date. Not so much in the cloud; you cannot get away with that in the cloud. Compliance and the entire security posture have to be continuous, because the bad guys are always there 24 by 7 and they're attacking 24 by 7, and one of the biggest components is that the cloud infrastructure is so dynamic: you're building things up and you're tearing them down, and there are opportunities for these guys to get at it while it's being built. But you can have appropriate controls placed in there, and I'm going to single out GuardDuty; we have many other security tools in our portfolio, but I am singling out GuardDuty here because it's deployed as part of the landing zone. That security account on top actually has the GuardDuty master installed in there, and only limited people have access to those two accounts, the log archive account and the security account; that's how the landing zone controls everything in terms of how we detect. Now GuardDuty itself is the threat detection service we have; it uses machine learning, integrated threat intelligence and anomaly detection to predict and prioritize your security alerts, and you can act upon them. So it's a great tool, and these lines of course are just rules, and they're here just to intimidate you guys, basically. So that's pretty much how you do compliance at scale, and the landing zone solution allows you to do all that with the AWS infrastructure and the Microsoft applications that you move into that infrastructure. All right, so I've talked about why AWS, talked about what the migration accelerators are, and we just covered how to do security at scale. Now let's get back to the demo, that's the relevancy, if the machine is up.
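As an added example (not from the talk and not the landing zone solution's own policy), here is a service control policy in the blacklist style the speaker describes, of the kind you would attach to the workload OUs to enforce the guardrails mentioned above: no tampering with CloudTrail, no deleting from the log archive bucket, no switching off GuardDuty, no leaving the organization, and no API calls outside an approved region list. The bucket name and break-glass role name are placeholders, and the region list is an assumption.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTamperingExceptBreakGlass",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/BREAK-GLASS-ROLE-PLACEHOLDER"
        }
      }
    },
    {
      "Sid": "DenyLogArchiveDeletion",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutBucketPolicy",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::LOG-ARCHIVE-BUCKET-PLACEHOLDER",
        "arn:aws:s3:::LOG-ARCHIVE-BUCKET-PLACEHOLDER/*"
      ]
    },
    {
      "Sid": "DenyDisablingGuardDuty",
      "Effect": "Deny",
      "Action": [
        "guardduty:DeleteDetector",
        "guardduty:UpdateDetector",
        "guardduty:DisassociateFromMasterAccount",
        "guardduty:DeleteInvitations",
        "guardduty:StopMonitoringMembers"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyApiCallsOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "budgets:*",
        "cloudfront:*",
        "route53:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["ca-central-1", "us-east-1"]
        }
      }
    }
  ]
}
```

An SCP only filters what IAM would otherwise allow, so the break-glass carve-out does not grant that role anything by itself, and the policy has no effect on the master account; the NotAction list exists because global services answer from a single region that would otherwise be denied by the region condition.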
Can you switch to the demo please? OK, very good, let's see if that finished. So I see that it is still running in the background, this process is still running. I think I covered the content too fast, so since I have some time, any questions you guys want to ask? Go ahead. I can check for you; as of now I'm going to have to check for you whether it's available in the YUL region or not. Good question. Sorry, the question was whether the GuardDuty service is actually available in the Canadian region, the YUL region.

OK, it seems like the replication is done and I'm going to switch over to the console and refresh it. So if you noticed, here's the source machine, and it terminated and created already; let's see, OK, I think it hasn't shown up in the console yet. All right, here, sorry, right here, "May 15 demo", so the machine has been synchronized, it has been deployed to the target region, and we're going to go get at that machine. The first thing I want to get from that machine is the public IP address, right here. What I'm going to do now, let me zoom out of this quickly please, sorry, is go place that address in DNS, which is right here. So this is my Route 53 DNS, I have my zones here, I want to pick out, so this zone right here is the target zone, the previous one below is actually the source. So I'm going to update the IP address of this machine there. Oops, I just copied a little too much. It seems like the IP address has not yet been assigned to the machine. There it is. All right, let's go back to our DNS and see if we can assign it there. There you go, so I'm going to save this record set. I'm going to go back to my desktop here, sorry about that. All right, so now that the IP address has been assigned, remember I kept the private IP the same, so I'm going to connect to this machine, the target one. And that's what it had picked, yep. Hmm, OK, what we'll do is let that cook there, but what I'll do in the meantime is go to the database; let's go to the database, we'll do the database first and see if the machine comes back, and we'll do the web server afterwards. From a database standpoint, if I go to our SQL Server, what I'm going to do is force a failover; I'm going to fail over to the secondary, connect to it first. All right, so our database has moved over. We actually did a migration of the database
from a primary to a secondary in the target region. Now we want to see if this machine is up. There you go, it just took some time; I finished my content a little bit earlier, so that's why it had not completely finished. All right, seems like the machine is up. If I look at the connection string, remember, let's go back to the part where it's checking. So if I switch my URL to, remember, this was my target URL for the target application, let's see if it comes back. OK, that's erroring out because we have moved the database, but since we replicated the source machine it still has the IP of the secondary, which is not even read-only. So what I'm going to do is switch the connection string on the target side to point it now to the new master. So the IP of the new master is .71, so I've changed the connection string to the new master, the migrated database. Whoa, that wasn't planned. All right, well, while I wait for this to come up, any question I can answer? Sorry, go ahead. So this is talking about, in particular, this one. So you can do it several ways; we covered a few ways of doing it: you can do it through federation, and we can do it through SSO as well, AWS SSO as well. So what you do is you create your identities, unless you migrate them using ADMT or something, you can actually create your identities in AWS in AWS Managed AD, and then you can use AWS SSO to actually map those to AWS roles, and that way you manage your AWS infrastructure using that managed AD, the roles in that AD; so you can map it that way. Or you can also have a trust, right; I mean, you don't have to use AWS SSO, you can also use a trust from your on-prem identities. So there are several ways of how you want to connect between those two ADs if you have not extended your on-prem AD. Does that answer the question? OK, good.

OK, I want to now change it again; hopefully no reboot again on me, sorry guys, a blind person here. So I'm pointing it to the new master now, save. All right, now let's go check our application. So remember it errored out; this is the target URL that we defined in DNS. Now we're going to see if it works. I'm going to go to the homepage first, and voilà. So you've actually moved your web server, the application server, to the target region. You failed over your database to the target region using SQL Server Always On availability groups, and now you're pointing to the new target system, so essentially migrating the whole application. Now you can basically stop the website and the SQL Server on that side, if you will, and you can start building out your SQL infrastructure in the new environment with Always On availability groups, or if you want to use a different kind of mechanism to do that. So let's go back to the slides; I think I don't have any more slides, so I think that's pretty much it. There are many accelerators to help you migrate Windows applications; I've just covered a few tools with you. There are many other migration tools that I wasn't able to cover here: SMS is one of our services, it takes Hyper-V or VMware images, there's a connector you can actually connect to vCenter, and it's also a tool that does synchronous replication and you can actually create application groups; and there are many third-party tools, as I shared with you on that one slide. Many options to migrate, and you saw the reasons why you would run Microsoft applications on AWS. Thank you, I appreciate it.