Microsoft Workloads on AWS

How to upgrade Windows Server 2008R2 using CloudEndure and AWS Managed Services

This post was contributed by Asif Fouzi, Sr. Solutions Architect, and Michael McGarvey, Sr. Service Delivery Manager, Amazon Managed Services.

Many enterprises host mission-critical applications that run on Windows Server 2008R2 or older versions of Windows Server. Microsoft ended support for these older versions of Windows Server, including Windows Server 2008 and 2008R2, on January 14, 2020. If these application environments are not upgraded, customers risk exposing these servers to security vulnerabilities and other risks. Thankfully, you can use AWS to spin up thousands of instances to support your upgrade projects.

In this tutorial, we explain how to migrate your Windows Server 2008R2 workloads to AWS, leveraging AWS Managed Services, and upgrade the operating system in lieu of purchasing extended support.

Prerequisites

Make sure that AWS Managed Services (AMS) is enabled in your AWS account, and that your account is onboarded to AMS. For more information on AMS, please visit the AMS page or contact AWS sales. CloudEndure automates the process of importing out-of-support AMIs (Amazon Machine Images) to the secure AMS Landing Zone.

Once the account is onboarded to AMS and an AMS Landing Zone is established, you can migrate your Windows Server 2008R2 workload. CloudEndure is an ideal solution to migrate the server into the AMS Landing Zone. With CloudEndure, enterprise customers can install a lightweight agent on the on-premises server and perform a block-level replication into the AMS Landing Zone. Since the migrated EC2 instance is no longer supported, it is important to minimize its blast radius, that is, the extent to which a compromise of the instance can impact other resources. A Security Group can provide East/West isolation to solve this problem (a sample CloudFormation template is provided in Step 1). Thereafter, the Security Group will need to be modified to enable the connectivity needed to manage the instance which hosts the application. The final step is to execute the upgrade followed by testing and cut-over.

Solution Walkthrough

Step 1: Migrate server from on premises to AWS Managed Services Landing Zone

Source Windows Server 2008R2 system

Check your CloudEndure Agent prerequisites. This includes disk space, source to target connectivity, minimum software versions, and other requirements.

CloudEndure actions

Install CloudEndure agent on Windows Server 2008R2 source server and configure replication. For detailed instructions, see this link.

Server migrated to AWS/AMS 

1. Work with your AMS team to ensure your Windows 2008R2 servers are ready to be ingested into an AMS Landing Zone.

a. This includes removing incompatible software (e.g. antivirus software), updating software to minimum requirements (e.g. PowerShell, .NET), and ensuring there is adequate disk space.

2. Navigate to the “Managed Services” console within the AWS Management Console, click on “RFCs” on the left menu bar.

a. Change management is the process the AMS service uses to implement ‘Requests for Change’. An RFC is a request created by either you or AMS through the AMS interface to make a change to your managed environment and includes a change type (CT) ID for a particular operation.

3. In the upper right-hand corner, click on “Create RFC” to begin the process of creating a Request for Change.

4. Select an RFC Change Type to initiate a Workload Ingestion. In this case, the Category would be Deployment, Subcategory would be Advanced stack components, Item would be EC2 stack, and Operation would be Create.

This RFC will ingest the Windows Server 2008R2 instance from the staging subnet to the Customer Application Subnet within the AMS Landing Zone.

5. Once the instance is ingested, apply the East/West isolation Security Group.

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Windows2008R2SG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Windows 2008 R2 Workloads SG",
        "GroupName": "Windows2008R2SG",
        "SecurityGroupEgress": [
          {
            "IpProtocol": "-1",
            "Description": "Outgoing ALL",
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "Description": "mc-bastion-customer-ssh",
            "SourceSecurityGroupId": {"Fn::ImportValue": {"Fn::Sub": "BastionCustomerSSHSG-${AWS::Region}"}}
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "Description": "mc-bastion-dmz-ssh",
            "SourceSecurityGroupId": {"Fn::ImportValue": {"Fn::Sub": "BastionDMZSSHSG-${AWS::Region}"}}
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "Description": "ams-controller",
            "SourceSecurityGroupId": {"Fn::ImportValue": {"Fn::Sub": "ControllerSG-${AWS::Region}"}}
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 3389,
            "ToPort": 3389,
            "Description": "mc-bastion-customer-rdp",
            "SourceSecurityGroupId": {"Fn::ImportValue": {"Fn::Sub": "BastionCustomerRDPSG-${AWS::Region}"}}
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 3389,
            "ToPort": 3389,
            "Description": "mc-bastion-customer-ssh",
            "SourceSecurityGroupId": {"Fn::ImportValue": {"Fn::Sub": "BastionCustomerSSHSG-${AWS::Region}"}}
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 3389,
            "ToPort": 3389,
            "Description": "mc-bastion-dmz-ssh",
            "SourceSecurityGroupId": {"Fn::ImportValue": {"Fn::Sub": "BastionDMZSSHSG-${AWS::Region}"}}
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 5985,
            "ToPort": 5985,
            "Description": "ams-controller",
            "SourceSecurityGroupId": {"Fn::ImportValue": {"Fn::Sub": "ControllerSG-${AWS::Region}"}}
          }
        ],
        "VpcId": {"Fn::ImportValue": {"Fn::Sub": "VPCId-${AWS::Region}"}}
      }
    }
  },
  "Outputs": {
    "Windows2008R2SecurityGroup": {
      "Description": "The security group ID to be used for legacy Windows 2008 R2 instances",
      "Value": {"Fn::GetAtt": ["Windows2008R2SG", "GroupId"]},
      "Export": {"Name": {"Fn::Sub": "Windows2008R2SG-${AWS::Region}"}}
    }
  }
}

6. Open the ports and protocols the application needs in order to run.

a. This connectivity should be known from discovery mapping; VPC Flow Logs can be used to capture it.

7. Perform User Acceptance Testing to validate the application(s) hosted on the Windows Server 2008R2 instance is/are functioning properly.

Step 2: Upgrade the instance to a supported Operating System

Upgrade using the publicly available AWS snapshot with the Windows Server 2012 R2 media

Before you upgrade, we recommend creating a tag on the instance with the key OriginalAMI and a value of the AMI ID of the Windows Server 2008 R2 instance. This is useful for recovering the instance in the event the upgrade is unsuccessful.

1. Submit an RFC requesting a snapshot of the source (Windows Server 2008 R2) instance to be upgraded.

2. Submit an RFC requesting the Windows Server 2012 R2 publicly available snapshot to be attached to the Windows Server 2008 R2 instance.

3. Create a volume using the Windows Server 2012 R2 installation media in the AWS publicly available snapshot (snapshot ID: snap-b305b7b7).

4. Attach the volume to the instance by submitting an automated RFC. In the parameters of the RFC, indicate the instance ID of the running Windows Server 2008 R2 instance, the availability zone where the instance is located, a device name where the volume is attached to the instance and the publicly available snapshot id of the Windows Server 2012 R2 media in AWS.

5. Once the above RFC is executed, submit another RFC to obtain RDP access to the Windows 2008R2 Server.

6. Verify that the Windows Server 2012 R2 media is mounted and attached to the machine.

7. Open the media drive inside the machine and execute the setup install program.

8. Accept the installation of updates. Make sure you are keeping the files and programs, and selecting the appropriate Windows version.

Your instance will be restarted and upgraded.

Step 3: Update

Once the upgrade is complete, the server still requires additional updates, such as security updates. Bring the server up to date by running an on-demand patching job with AMS to ensure that it has the latest security updates.

To execute an on-demand patching job, submit the following RFC:  Category: Management | Subcategory: Patching | Item: On demand patching | Operation: Run.

Step 4: Validate

Now that the server is up-to-date, validate that the application(s) hosted on the server are functioning properly.

Step 5: Cutover

Once validation and testing are complete, perform a cutover to direct traffic to the upgraded and supported Windows Server 2012 R2 instance. This is done as part of the overall migration plan and should be coordinated with application and support teams.

Recommendations

As part of this overall solution, AMS recommends the below steps be taken. These are carried out by the AMS delivery team supporting the customer, with support from the AMS security team.

1. Send a risk awareness communication to security leadership.

a. Windows Server 2008 R2 became end-of-life on January 14, 2020. Without extended support, patches will not be released by Microsoft and will not be made available by AWS/AMS. If extended support has not been procured, the Windows Server 2008 R2 servers being migrated to AWS/AMS will not be patched.

2. Publish a compliance plan.

a. AWS/AMS will work jointly with customer leadership to document the compliance plan for the migrated Windows Server 2008 R2 servers. This includes a plan to upgrade these servers and corresponding dates and timelines. AWS/AMS will work with customer leadership to track against this plan.

3. Schedule a security gameday.

a. Because Windows Server 2008 R2 is end-of-life, AWS/AMS will coordinate a security gameday with the customer to cover potential security scenarios.

Conclusion

Running out-of-support versions of Windows Server instances poses a security risk to enterprises. On-premises upgrade projects require substantial investment in procuring the swing space and creating an isolated environment to run at-risk servers with a minimal blast radius. By upgrading your Windows servers on AWS, you can mitigate these security concerns by leveraging AWS's vast infrastructure. Additionally, by upgrading your servers, you can create a path to modernize out-of-support Windows Server 2008 servers, retire technical debt, and access the scalability and agility of cloud-native technology.

About the authors

Asif Fouzi is a Senior Solutions Architect with over 20 years of experience across various technologies and industries. When he is not solving customer problems, he likes to play guitar, travel and spend time with his kids.

Michael McGarvey is a Senior Delivery Manager with AWS Managed Services. He has led a number of enterprise migrations and managed services delivery programs across various industry verticals and technologies. In his spare time, Michael likes to spend time with his wife and two small children, play golf, and travel.
