Microsoft Workloads on AWS
Accelerate Microsoft Exchange Server deployments with AWS Launch Wizard
Managing your infrastructure as code improves consistency and reliability of your deployments. Using the AWS Launch Wizard for Exchange Server, you can deploy a reference architecture for Exchange Server according to best practices with minimal effort. In this post, we will discuss options available within the Launch Wizard and then deploy a fully functional Exchange Server environment with the default options. We will then show you how to connect to the Exchange Control Panel through the Remote Desktop Gateway.
Solution overview
AWS Launch Wizard for Exchange Server guides you through the sizing, configuration, and deployment of Exchange Server 2016 and Exchange Server 2019 environments on AWS, adhering to the AWS Well-Architected Framework. Launch Wizard provisions and configures the selected resources to create a production-ready Exchange Server deployment. In this walkthrough, we will deploy an Exchange Server architecture (refer to Figure 1). The options chosen in Launch Wizard will generate AWS CloudFormation templates, which can be reused and customized for subsequent deployments.
AWS Launch Wizard for Exchange Server supports deploying Exchange Server 2016 or Exchange Server 2019 into a new Amazon Virtual Private Cloud (VPC) with options to configure backups, internet mail flow, storage options (the file system, volume type, size, encryption), and load balancing.
Launch Wizard is available at no additional charge. You only pay for the AWS resources that are provisioned to run your workload.
AWS Launch Wizard for Exchange Server – Getting Started
Step 1: Select the application and deployment type (refer to Figure 2)
To get started with an Exchange Server deployment, in the console, select Choose application.
Select Exchange Server from the Available workloads dropdown, followed by the Deploy into a new VPC option for Deployment Type, and finally, choose Create deployment (refer to Figure 3).
Step 2: Review and ensure your IAM permissions are sufficient to deploy the workload (refer to Figure 4)
Next, you’ll be directed to the Review permissions page. Here, you can verify that your current user role has sufficient AWS Identity and Access Management (IAM) permissions for this deployment. Choose Next.
Step 3: Configure application settings (refer to Figure 5)
The Configure application settings step enables you to configure all features of this workload, including general settings, network, Active Directory, RD Gateway, Exchange Server, load balancer and failover cluster configuration.
3.1 General settings (refer to Figure 5)
- Enter a custom Deployment name for your workload.
- Select an existing or create a new Amazon Simple Notification Service (SNS) topic ARN to receive notifications of application state changes, if desired.
- If required for troubleshooting purposes, the option to Deactivate rollback on failed deployment is available within this section.
- Add any custom tags for the deployed resources in the Tags section.
3.2 Network configuration (refer to Figure 6)
The network topology of an Exchange Server cluster influences how quorum (i.e., the voting majority of nodes and the file share witness) is maintained. By spanning multiple Availability Zones (AZ), the cluster can maintain quorum in the event that network connectivity or other resources are impaired in one AZ.
Select an existing or create a new key pair for Key pair name. You may use this key pair to securely access any deployed Amazon Elastic Compute Cloud (Amazon EC2) resources.
- Launch Wizard can deploy Exchange Server in two or three AZs. Enter 2 for the Number of Availability Zones to use for this deployment. NOTE: In a three-AZ deployment, you have the option to configure the third AZ with a full Exchange Server node.
- Next, choose the specific Availability Zones into which the Launch Wizard will place your resources.
- Enter the VPC CIDR block, followed by all the CIDR ranges for the private and public subnets. The default selections allow these entries to be skipped if you prefer a quicker deployment.
- For Allowed Remote Desktop Gateway external access, enter the CIDR IP range that is permitted to access the RD Gateway instances. If you are unsure of which range to use at this time, you can identify your public IP address, and add ‘/32’ to the end to indicate a single IP address.
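Before typing the network values into the wizard, it is worth checking them the way a reviewer would: every subnet must sit inside the VPC CIDR, no two subnets may overlap, and the RD Gateway access range should be a narrow CIDR (ideally the /32 the text suggests) rather than 0.0.0.0/0. The following Python script is an added example, not part of the original post or of Launch Wizard; the sample CIDRs and the /24 width limit are constructed assumptions, not the wizard's defaults.

```python
import ipaddress

# Constructed sample shaped like the wizard's network inputs (assumed values,
# not the Launch Wizard defaults). The RDGW range is the weak setting.
SAMPLE_INPUTS = {
    "vpc_cidr": "10.0.0.0/16",
    "private_subnets": ["10.0.0.0/19", "10.0.32.0/19"],
    "public_subnets": ["10.0.128.0/20", "10.0.144.0/20"],
    "rdgw_access_cidr": "0.0.0.0/0",   # RD Gateway reachable from the whole internet
}


def single_host_cidr(public_ip):
    """Turn an operator's public IP into the /32 the post suggests for RDGW access."""
    return str(ipaddress.ip_network(f"{public_ip}/32"))


def validate_network_settings(cfg, max_rdgw_prefix=24):
    """Return a list of findings; an empty list means the settings pass.

    Checks: each subnet lies inside the VPC CIDR, no two subnets overlap, and
    the RDGW external-access range is no wider than /max_rdgw_prefix
    (which also rejects 0.0.0.0/0).
    """
    findings = []
    vpc = ipaddress.ip_network(cfg["vpc_cidr"], strict=True)
    subnets = [ipaddress.ip_network(c, strict=True)
               for c in cfg["private_subnets"] + cfg["public_subnets"]]
    for s in subnets:
        if not s.subnet_of(vpc):
            findings.append(f"subnet {s} is outside VPC CIDR {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"subnets {a} and {b} overlap")
    rdgw = ipaddress.ip_network(cfg["rdgw_access_cidr"], strict=False)
    if rdgw.prefixlen < max_rdgw_prefix:
        findings.append(
            f"RDGW external access {rdgw} is wider than /{max_rdgw_prefix}; "
            "restrict it to your admin egress IP(s), e.g. a /32")
    return findings


if __name__ == "__main__":
    for finding in validate_network_settings(SAMPLE_INPUTS):
        print("FINDING:", finding)
    hardened = dict(SAMPLE_INPUTS, rdgw_access_cidr=single_host_cidr("203.0.113.10"))
    print("hardened findings:", validate_network_settings(hardened))
```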
3.3 Active Directory configuration (refer to Figure 7)
Exchange Server requires an Active Directory domain. In this step, you will configure the administrator account, name of the domain, and domain controllers.
- Enter a user name for Domain administrator user name and a password for Domain administrator password.
- Enter values for the Domain NetBIOS name and Domain DNS name. For example, you could use ‘example’ for the Domain NetBIOS name and ‘example.local’ for Domain DNS name.
- If desired, update the Domain Controller NetBIOS Name and Domain Controller private IP addresses for each of the domain controllers to use values other than the defaults.
3.4 Microsoft Remote Desktop Gateway configuration (refer to Figure 8)
Remote Desktop Gateway (RDGW) uses the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users and Windows-based EC2 instances, without needing to configure a virtual private network (VPN) connection. This helps reduce the attack surface on your Windows-based EC2 instances while providing a remote administration solution for administrators.
To reduce administrative overhead or to take the approach of maintaining a minimal deployment, you can alternatively use Session Manager port forwarding sessions or RDP with Fleet Manager to securely access your EC2 instances directly. For this walkthrough, we will use a single RDGW instance to serve as a bastion host.
Leave the default value of 1 as the Number of Remote Desktop Gateway hosts to deploy.
3.5 Exchange Server configuration (refer to Figure 9)
Take note of the options here to customize backups, Exchange Server version, internet mail flow, and the storage configuration.
- Enable AWS Backups – Configures application-consistent backups of the Exchange Server nodes using AWS Backup.
- Exchange Server version – Configures the deployment with either Exchange Server 2016 or Exchange Server 2019.
- Deploy Edge Transport servers – The Edge Transport servers provide protection against spam and apply transport rules to messages. They are deployed to public subnets to enable inbound/outbound internet mail flow.
- Enable ReFS – Microsoft recommends the Resilient File System (ReFS) for all volumes that host Exchange Server data (database, log and content indexes). Disabling this option uses the NT File System (NTFS) for these volumes.
- Exchange Server volume type – Amazon Elastic Block Store (Amazon EBS) provides flexible storage options for Exchange Server volumes. Use gp3 for general purpose use cases or st1 when you need to configure additional throughput or require increased durability.
- Exchange Server volume IOPS – If gp3 is selected as your EBS volume type, set the desired value for provisioned IOPS for the Exchange Server data and log volumes.
- Exchange Server volume size (GiB) – To accommodate your Exchange Server database availability design, volume sizes of up to 16 TiB are available for gp3 and st1.
- Encrypt data volumes – Amazon EBS encryption offers a straightforward solution to meet data at rest encryption requirements for Exchange Server volumes.
For this deployment, accept the defaults and continue to “Load Balancer configuration.”
3.6 Load Balancer configuration (refer to Figure 10)
A Network Load Balancer (NLB) allows high availability of client connections to the Exchange Server nodes. To add the NLB option, a certificate stored in AWS Certificate Manager is a prerequisite.
For this deployment, an NLB is not required. Proceed to the next section, “Failover Cluster Configuration”.
3.7 Failover Cluster configuration (refer to Figure 11)
The Exchange Server cluster provides automated failover capabilities. In maintaining a quorum, the cluster determines if enough nodes are available to bring the Database Availability Group (DAG) online. When a DAG contains an even number of nodes, the witness serves as a tiebreaker in this process.
If desired, update the NetBIOS Names and private IP addresses for each node or file share witness server to use values other than the defaults.
Step 4: Configure infrastructure settings (refer to Figure 12)
The Configure infrastructure settings step allows you to define the infrastructure requirements related to storage and compute resources for your deployment. You can define your infrastructure settings by either choosing to use AWS’ Infrastructure suggestion or you can define your own Static values that meet your performance needs.
Step 5: Review post-deployment steps (refer to Figure 13)
For each application offered by Launch Wizard, there may be additional actions or configuration needed to complete the deployment. We will review the post-deployment steps after connecting to the Exchange Server environment through the Remote Desktop Gateway in Step 7.
When ready to proceed, click the Next button and you will be taken to the last step in the deployment – review and deploy!
Step 6: Review your configuration selections and deploy (refer to Figure 14)
This page provides a consolidated review of all configuration details entered up to this point. Review each section to determine whether any changes are required.
If you opt to make any changes, select Previous, update any fields necessary, and return to the review page. When you choose Deploy, you agree to the terms of the Acknowledgment. The Launch Wizard then validates the inputs and notifies you of any issues you must address.
The Launch Wizard will begin the deployment, requiring no further action until its completion. While waiting, you may monitor the progress of the deployment through multiple perspectives. You can review the current event statuses of the deployment directly from the Launch Wizard console (refer to Figure 16) or, if you’re curious to see the current active step, you can opt to check the stack progress directly within the CloudFormation console.
Step 7: Post-deployment steps and testing your Exchange Server deployment (refer to Figure 17)
When the deployment completes successfully, the Launch Wizard console will display a Completed status.
The Launch Wizard creates a resource group for the resources in the deployment. Access this by selecting the radio button for the deployment in the Exchange Server Launch Wizard console, then Actions -> View Resource Group with SSM. On the Resource Groups page, select the Group Name to list the resources (refer to Figure 18).
Now we will connect to the Exchange admin center using Remote Desktop Gateway (RDGW). Navigate to the CloudFormation console and select the Launch Wizard stack. Ensure the option for View nested is enabled in the Stacks pane, then locate the nested RDGW stack (refer to Figure 19). The full stack name is represented in the following format:
LaunchWizard-<Deployment Name>-RDGWStack-<Random String>
From the Outputs tab, copy the value of RDPURL. This is the address of the ELB for RDGW.
Launch the Remote Desktop Connection client, enter the value of RDPURL in the Computer field and select Connect (refer to Figure 20). When prompted, enter the Domain Admin credentials specified in the Active Directory Configuration step and select OK (refer to Figure 21).
Within the RDGW instance, access the Exchange admin center console by entering the following URL using your preferred web browser:
- https://<Name of Exchange Server Node>.<Domain Name>/ecp
To further configure the new environment, review the post-deployment steps to configure Windows update, create additional database copies, or create a DNS entry for the network load balancer.
Cleaning up
To avoid incurring unintended charges, when your testing is complete, proceed with the following steps to clean up the resources you created in this tutorial:
- Within the AWS console, navigate to AWS Launch Wizard, choose Deployments and then select Exchange Server.
- Select the Application name (Exchange) and choose Delete (refer to Figure 24).
- Confirm when prompted to delete the application by typing delete (refer to Figure 25).
- Refresh the web page within your browser and check the Provisioning status – initially, it will display Delete in Progress. When all associated resources have been deleted, the status will change to Deleted (refer to Figure 26).
Summary
In this blog post, we introduced the AWS Launch Wizard for Exchange Server and sample configuration for Remote Desktop, AWS Backup, ReFS, Amazon EBS gp3 and st1 storage classes, data encryption, and the network load balancer. Using the Launch Wizard, we deployed a new Exchange Server environment across multiple Availability Zones for high availability and fault tolerance. We then connected to the Exchange Control Panel using the deployed Remote Desktop Gateway.
Deploying an Exchange Server environment through AWS Launch Wizard removes the need for manual resource provisioning, networking configuration, and OS-level configuration required for Exchange Server setup. While the same process performed manually can take multiple days, Launch Wizard only requires a few minutes of your time entering the configuration details. The subsequent provisioning of all resources is then fully automated and finishes in about 2.5 hours.
Besides the Microsoft Exchange Server, AWS Launch Wizard also supports many more enterprise applications, such as SAP-based workloads, Microsoft SQL Server, Microsoft Active Directory, Microsoft IIS, and Remote Desktop Gateway as a standalone workload.
To learn more about other available Launch Wizard enterprise application deployments, see the AWS Launch Wizard documentation. For best practices on running Windows on AWS, please review the best practices for Windows on Amazon EC2 documentation.
AWS can help you assess how your company can get the most out of cloud. Join the millions of AWS customers that trust us to migrate and modernize their most important applications in the cloud. To learn more on modernizing Windows Server or SQL Server, visit Windows on AWS. Contact us to start your modernization journey today.