reference deployment

Windows Server Update Services on AWS

Download and manage required updates and patches

Windows Server Update Services (WSUS) is a server role included with Windows Server at no additional cost. It can perform the following functions:

  • Download required updates and patches from the internet and act as an internally managed proxy server.
  • Manage clients, including other Windows servers, by defining policies that approve or decline updates and patches, and report compliance status of clients.

Amazon Web Services (AWS) customers can deploy WSUS as a centralized Microsoft update repository.

This Quick Start deploys a WSUS endpoint for downloading updates. Client and policy management can be performed by AWS Systems Manager or by the traditional WSUS console with Microsoft Active Directory Group Policy.

This Quick Start is for system administrators and IT engineers who need to use WSUS as the endpoint where Windows servers and other Microsoft applications are authorized to acquire updates.



This Quick Start was developed by AWS.

  •  What you'll build
  • This Quick Start sets up the following WSUS environment on AWS:

    • A virtual private cloud (VPC) configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*
    • In the public subnets:
      • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
      • Optionally, a Remote Desktop Gateway (RD Gateway) in an Auto Scaling group for remote access to the WSUS instance.
    • In the private subnet, a Windows instance with the WSUS role configured on it. WSUS can then be managed by using either AWS Systems Manager Automation or the traditional WSUS console.

    * The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To deploy your WSUS environment on AWS, follow the instructions in the deployment guide. The deployment process includes these steps:

    1. If you don't already have an AWS account, sign up at, and sign in to your account.
    2. Launch the Quick Start. Each deployment takes about 30 minutes. You can choose from the following options:
    3. Test the deployment, using the best practices that are detailed in the deployment guide.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using. Prices are subject to change.

    Tip: After you deploy the Quick Start, we recommend that you enable the AWS Cost and Usage Report to track costs associated with the Quick Start. This report delivers billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. It provides cost estimates based on usage throughout each month, and finalizes the data at the end of the month. For more information about the report, see the AWS documentation.

    By default, this Quick Start deploys WSUS on a single Windows instance, using a license-included Amazon Machine Image (AMI). Windows licensing cost is paid through a Service Provider Licensing Agreement (SPLA) and is included in your monthly AWS bill.

    You can optionally choose to use Microsoft SQL Server Standard Edition for the WSUS database. In this case, WSUS is deployed on a single Windows instance, using the license-included SQL Server Standard on Windows AMI. All licensing costs are added to your monthly AWS bill.

    For more information on license-included AMIs, see the Microsoft Licensing on AWS page.

    In either case, all the licensing costs use an on-demand model. You stop paying as soon as the WSUS instance is stopped or terminated. For more information, see the pricing page for Amazon Elastic Compute Cloud (Amazon EC2).

    This Quick Start also downloads and deploys the sqlcmd.exe tool for management of either Windows Internal Database (WID) or SQL Server Standard Edition.

    The deployment uses Systems Manager, which is available at no additional cost, to manage WSUS. You pay only for consumption of underlying resources, such as compute times or storage capacity used to store automation scripts, trace logs, and any other files.