Post on 11-Apr-2017
Planning and Deploying SharePoint 2016 on Azure
Thuan Nguyen

About Me
- 8+ years focused on the Microsoft stack
- Solution architecture, technical evangelism, product development, pre-sales consulting, security architecture, public sector
- Microsoft MVP (2011 – now): SharePoint; Office Servers and Services
- Microsoft Association of Practicing Architects (MAPA), level: Associate
- Twitter: @nnthuan
- Blog: http://thuansoldier.net
Azure – a powerful cloud platform for modern business
Azure Landscape
http://azureplatform.azurewebsites.net/en-us/
Cloud Model: who manages each layer

| Layer          | On Premises | Infrastructure (as a Service) | Platform (as a Service) | Software (as a Service) |
|----------------|-------------|-------------------------------|-------------------------|-------------------------|
| Applications   | You manage  | You manage                    | You manage              | Managed by Microsoft    |
| Data           | You manage  | You manage                    | You manage              | Managed by Microsoft    |
| Runtime        | You manage  | You manage                    | Managed by Microsoft    | Managed by Microsoft    |
| Middleware     | You manage  | You manage                    | Managed by Microsoft    | Managed by Microsoft    |
| O/S            | You manage  | You manage                    | Managed by Microsoft    | Managed by Microsoft    |
| Virtualization | You manage  | Managed by Microsoft          | Managed by Microsoft    | Managed by Microsoft    |
| Servers        | You manage  | Managed by Microsoft          | Managed by Microsoft    | Managed by Microsoft    |
| Storage        | You manage  | Managed by Microsoft          | Managed by Microsoft    | Managed by Microsoft    |
| Networking     | You manage  | Managed by Microsoft          | Managed by Microsoft    | Managed by Microsoft    |
Why Azure for SharePoint?
- Capacity on demand, quick resource provisioning
- Geographical deployment
- Simplified infrastructure management
- Integration with compute PaaS
- Easy application migration
- Cost saving

Deployment Scenarios
- Development & PoC
- Disaster recovery
- Internet-facing sites
- Hybrid deployment
- SharePoint intranet hosted on Azure

Development & PoC
- Quick resource provisioning: create a SharePoint Server 2016 farm in a few steps
- Cost saving: turn the farm off whenever you are not using it
- Azure DevTest Labs is the recommended service for building a dev/test environment

Disaster Recovery of On-premises
- Cost saving with an Azure-hosted secondary datacenter instead of preparing a costly on-premises datacenter
- Maintain and pay only for the resources you use in Azure, scaling with demand

Internet-facing Site
- An on-premises deployment requires a huge investment: high availability, fault-tolerant hardware
- Deprecation of the Office 365 Public Website feature as of January 2015 (SharePoint Online)
- External collaboration with Azure AD (three-zone design: separation of internal and customer accounts)

Hybrid Deployment
- Hybrid identity: on-premises Active Directory to SharePoint on Azure
- Azure Storage: connect with an Azure-hosted app whose data is stored on Azure Storage
- Azure Media Services: for digital asset management in SharePoint
Plan for your SharePoint (without Azure in mind)

Keys to SharePoint 2016 on Azure
- Farm topology: physical architecture, logical architecture
- Capacity planning: compute, memory, storage
- Identity management: authentication, federation
- Business continuity: high availability, disaster recovery
- Security: network, VM, application
New architecture of SP 2016
MinRole is a new farm topology based on a set of predefined server roles:
- Front-end role
- Distributed cache role
- Application role
- Search role

MinRole Topology
Each type of SharePoint farm requires different MinRole server roles to function properly. The table below lists the server roles required for each type of farm.

| Server role       | Required for content farm? | Required for services farm? | Required for search farm? |
|-------------------|----------------------------|-----------------------------|---------------------------|
| Front-end         | Yes                        | No                          | No                        |
| Application       | Yes                        | Yes                         | No                        |
| Distributed Cache | Yes                        | Yes                         | No                        |
| Search            | Yes, if hosting Search     | Yes, if hosting Search      | Yes                       |
Farm Topology Planning
- Type of farms (content, service, search…)
- Front-end tier sizing
- Application tier sizing
- Search tier sizing
- Distributed cache sizing

| No. | Item                                 | Value  | Remark                                                    |
|-----|--------------------------------------|--------|-----------------------------------------------------------|
| 1   | Total number of users                | 16,000 |                                                           |
| 2   | Total number of unique users per day | 12,800 | Would be 80% of the user population                       |
| 3   | Concurrency rate                     | 0.15   | 15% of usage in peak hour                                 |
| 4   | Requests per day per user            | 480    | Assume one user having 60 requests/hour                   |
| 5   | Peak usage ratio                     | 3      | There are 3 peak times in a working day                   |
| 6   | Hours in the business day            | 24     |                                                           |
| 7   | Average peak RPS                     | 96     | (2) * (3) * (4) * (5) / (480 * 60 * 60)                   |
| 8   | % Low-cost requests                  | 0.25   | Assume end users only perform simple tasks in SharePoint  |
| 9   | % Medium-cost requests               | 0.8    | Assume end users request or operate in SharePoint         |
| 10  | % High-cost requests                 | 0.35   | Everything else                                           |
| 11  | Weighted peak RPS                    | 230.4  | (7) * (9) * 3 (medium-cost weight)                        |
| 12  | Number of WFE                        | 3-4    | 3 – 4 WFE                                                 |
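As an added worked example (not part of the deck), the sizing table's arithmetic in PowerShell, so the inputs can be varied for your own user population. Row 4's remark (60 requests/hour giving 480 requests/day) implies an 8-hour business day, and 8 hours is what reproduces the 96 RPS in row 7; the 24 in row 6 and the formula as printed in row 7 do not, so the function takes the hours as a parameter that defaults to 8 and is flagged as an assumption. The per-front-end RPS figure used to turn the weighted load into a server count is a placeholder, not a number from the deck; replace it with your own load-test result.

```powershell
# Added example, not the deck's own calculation. Reproduces rows 7, 11 and 12
# of the sizing table from its inputs. BusinessHours = 8 is an assumption
# implied by row 4 (60 requests/hour x 8 h = 480/day); RpsPerWfe is a
# placeholder capacity figure to be replaced by a measured value.
function Get-SharePointPeakRps {
    param(
        [int]    $TotalUsers             = 16000, # row 1
        [double] $DailyUserRatio         = 0.8,   # row 2: 80% of the population is active per day
        [double] $ConcurrencyRate        = 0.15,  # row 3: 15% of them are active in the peak hour
        [int]    $RequestsPerUserPerHour = 60,    # row 4 remark
        [int]    $BusinessHours          = 8,     # assumed (see above)
        [int]    $PeakRatio              = 3,     # row 5
        [double] $MediumCostShare        = 0.8,   # row 9
        [int]    $MediumCostWeight       = 3,     # row 11: a medium-cost request counts three times
        [double] $RpsPerWfe              = 60     # placeholder: sustainable RPS per front-end server
    )
    $uniqueUsersPerDay  = $TotalUsers * $DailyUserRatio              # row 2
    $requestsPerUserDay = $RequestsPerUserPerHour * $BusinessHours   # row 4

    # Row 7: concurrent users x their daily requests x peak ratio,
    # spread over the seconds of the business day.
    $averagePeakRps = ($uniqueUsersPerDay * $ConcurrencyRate * $requestsPerUserDay * $PeakRatio) / ($BusinessHours * 60 * 60)

    # Row 11: weight the medium-cost share of the load.
    $weightedPeakRps = $averagePeakRps * $MediumCostShare * $MediumCostWeight

    [pscustomobject]@{
        UniqueUsersPerDay = $uniqueUsersPerDay
        AveragePeakRps    = [math]::Round($averagePeakRps, 1)
        WeightedPeakRps   = [math]::Round($weightedPeakRps, 1)
        # Row 12: front-ends needed to carry the weighted peak load.
        FrontEndsNeeded   = [math]::Ceiling($weightedPeakRps / $RpsPerWfe)
    }
}

# The deck's inputs, then a what-if with twice the user population.
Get-SharePointPeakRps
Get-SharePointPeakRps -TotalUsers 32000
```

The what-if call shows the main design point of the table: peak RPS scales linearly with the population, so doubling users doubles the front-end count unless you change the concurrency or request-rate assumptions.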
Search Sizing

| Search component     | RAM                 | Hard disk                      | Processor       |
|----------------------|---------------------|--------------------------------|-----------------|
| Index component (*)  | 32 GB for dedicated | 500 GB if large amount of data | 8 cores minimum |
| Analytics processing | 8 – 16 GB           | 200 GB                         | 4 cores minimum |
| Other components     | 16 - 24 GB          | 200 GB                         |                 |

(*) 20 million items require 1 index component, 2 analytics processing, 1 crawl, 1 query.
Come Up with Your SharePoint Farm
What does the farm look like?
- 4 x Front-End role servers (12 GB RAM, 250 GB space)
- 2 x Search Index role servers (24 GB RAM, 550 GB space)
- 2 x Search Other role servers (16 GB RAM, 250 GB space)
- 2 x Application role servers (12 GB RAM, 200 GB space)
- 3 x Distributed Cache role servers (8 GB RAM, 100 GB space)
- 4 x Database servers (24 GB RAM, 500 GB)
How many cores do you need?

Draw your own topology
(Diagram: paired Search Index, Search Other, SA Roles, Search DB and Main DB servers, with Active Directory, Federation and Email Messaging alongside.)
Starting Your Mapping
What to map initially?
- Map the logical components first for the base infrastructure: virtual machine, storage, network…
- Then go deeper into the Azure perspective with the non-functional requirements: resource group, subnet, network security group, availability set, premium storage

| Farm component  | Azure category | Azure service         |
|-----------------|----------------|-----------------------|
| Virtual machine | Compute        | Azure Virtual Machine |
| Storage         | Storage        | Storage, Disk Storage |
| Network         | Networking     | Virtual Network       |
| VPN             | Networking     | VPN Gateway           |
Planning for Compute & Memory
- Map your required hardware capacity to what is available in Azure
- This is not a 1:1 mapping: the memory size is fixed per instance size
- What if you need X cores with Y GB? Pick the size that is the closest match to your requirement

Planning for Compute & Memory (candidate sizes per role)

| Role                   | SKU  | # Cores | GB RAM |
|------------------------|------|---------|--------|
| Front-End              | A3   | 4       | 7      |
| Front-End              | A4   | 8       | 14     |
| Search                 | DS4  | 4       | 28     |
| Search                 | DS13 | 8       | 56     |
| Database               | A4   | 8       | 16     |
| Database               | DS3  | 4       | 14     |
| Database               | DS4  | 8       | 28     |
| Database               | DS13 | 8       | 56     |
| Distributed Cache      | A3   | 4       | 7      |
| Distributed Cache      | A4v2 | 4       | 8      |
| AD (if any)            | A4v2 | 4       | 8      |
| AD (if any)            | D2v2 | 2       | 7      |
| Other application role | A4   | 8       | 14     |
| Other application role | A4v2 | 4       | 8      |

Requires justification if > 20 cores.
Compute for SharePoint
- Use A3 or A4 for the front-end role. Note the maximum number of NICs supported: A5 only supports 1 NIC.
- Use DS4 or DS13 for the Search role and the Application role. The minimum IOPS requirement for the Search Index is 200 MB/s (*); Premium Storage is required for the Search role.
- Use A3 for the Distributed Cache role. 40% of the total RAM is used for cache when using MinRole (**).

(*) https://technet.microsoft.com/en-us/library/dn342836.aspx
(**) http://www.harbar.net/archive/2016/04/15/SharePoint-2016-Nugget-2-Distributed-Cache-Size-in-MinRole-Farms.aspx
Planning for Storage
- Azure Premium Storage is required for production deployments: high-performance, low-latency disk support for virtual machines (VMs) running I/O-intensive workloads. Available in the DS, DSv2, GS and Fs series.
- Take advantage of Azure Managed Disks: simplify disk management for your VM without creating many storage accounts.
- Use separate storage accounts for high-performance workloads.
- SharePoint only supports LRS.
(Diagram: the SQL Server workload and the WFE tier on separate storage accounts, Storage Acct 1 and Storage Acct 2, 20K IOPS each.)
Planning for Network
- Determine your hybrid model, if any. If connecting to on-premises infrastructure (e.g. OWA), a site-to-site VPN is required.
- Use static IP addresses assigned to the appropriate virtual network subnet, so the IP does not change on every reboot.
- If security is a concern, use an NSG and a different subnet for each tier.
- Speed up with ExpressRoute if necessary.
ARM or ASM?
- You must understand the characteristics and differences between ARM and ASM: different concepts, supported migration approach, region availability (**).
- If you are an MPSA customer, you only have ARM in your pocket: as of February 1, 2017, MPSA customers purchasing Azure for the first time will be guided to CSP for pay-as-you-go Azure (*).
- Azure Resource Manager is the way to go: better management, migration and automation, but somewhat complicated.

(*) Source: https://blogs.technet.microsoft.com/volume-licensing/2017/01/10/modern-licensing-for-digital-transformation/
(**) Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-supported-services
Resource Group
- Classify resource groups per tier: it simplifies migration and troubleshooting. Put a tier's availability set, storage account, NICs and VMs together.
- Plan your naming convention; it is hard to change names later. Recommendation: dw2017-prod-wfe-rg-sea
- Use tags for your resource groups, for example: Environment: Production; Tier: Search; Project Code: DW2017; Contact: thuan@outlook.com
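As an added example (not the deck's own script) of the per-tier resource group, naming convention and tagging advice above, plus the role-based access control that the security slides later list among the Azure IaaS security features: the script creates one tagged resource group per tier and scopes a Contributor assignment to a single tier's group rather than to the subscription. It assumes the AzureRM PowerShell module (2017-era cmdlet names, already signed in with Login-AzureRmAccount), 'southeastasia' as the location behind the deck's "sea" suffix, the tier list, and a placeholder object id for a DBA group; the tag values are the ones the deck shows.

```powershell
# Added example, not the deck's own script. Assumes the AzureRM module and an
# existing login session; location, tier list and the DBA group id are assumptions.
$project  = 'dw2017'
$env      = 'prod'
$region   = 'sea'            # deck's suffix for Southeast Asia
$location = 'southeastasia'  # assumed Azure region behind that suffix

# Tier code -> tag value. One resource group per tier, as the deck recommends.
$tiers = [ordered]@{
    ad     = 'Active Directory'
    data   = 'Database'
    app    = 'Application'
    search = 'Search'
    wfe    = 'Front-End'
}

function Get-TierResourceGroupName {
    # Deck's convention: <project>-<env>-<tier>-rg-<region>, e.g. dw2017-prod-wfe-rg-sea
    param([string]$Project, [string]$Environment, [string]$Tier, [string]$Region)
    ('{0}-{1}-{2}-rg-{3}' -f $Project, $Environment, $Tier, $Region).ToLower()
}

foreach ($tier in $tiers.Keys) {
    $rgName = Get-TierResourceGroupName -Project $project -Environment $env -Tier $tier -Region $region
    $tags = @{
        Environment    = 'Production'
        Tier           = $tiers[$tier]
        'Project Code' = $project.ToUpper()
        Contact        = 'thuan@outlook.com'   # owner contact, as in the deck's tag example
    }
    if (Get-AzureRmResourceGroup -Name $rgName -ErrorAction SilentlyContinue) {
        # Group already exists: only bring its tags in line (Set- replaces the tag set).
        Set-AzureRmResourceGroup -Name $rgName -Tag $tags | Out-Null
    } else {
        New-AzureRmResourceGroup -Name $rgName -Location $location -Tag $tags | Out-Null
    }
    Write-Output "ensured $rgName"
}

# Least privilege per tier (RBAC): the DBA group may manage the data tier's
# group only, instead of holding Contributor on the whole subscription.
$dbaGroupObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder Azure AD group object id
$dataRg = Get-TierResourceGroupName -Project $project -Environment $env -Tier 'data' -Region $region
New-AzureRmRoleAssignment -ObjectId $dbaGroupObjectId -RoleDefinitionName 'Contributor' -ResourceGroupName $dataRg

# Audit: resource groups that lack the mandatory Contact tag.
Get-AzureRmResourceGroup |
    Where-Object { -not $_.Tags -or -not $_.Tags.ContainsKey('Contact') } |
    Select-Object ResourceGroupName
```

Scoping the role assignment to a resource group is the practical reason for the per-tier classification: an operator with Contributor on dw2017-prod-data-rg-sea cannot modify the front-end NSGs or the domain controllers, and the audit query at the end catches groups created outside this script without an owner.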
Identity Management
What is the primary identity provider of your farm?
- On-premises Active Directory
- Azure-hosted Active Directory
- Azure Active Directory Domain Services
Is there a requirement for a federation trust?
- SharePoint users from on-premises Active Directory having access to a fully Azure-hosted SharePoint farm
- Office 365 users
- Partner authentication in an extranet collaboration scenario
What about HADR for your SharePoint farm on Azure?

Business Continuity
- Availability, scalability and fault tolerance are the key requirements of any business continuity and disaster recovery plan.
- To have availability, you need scalability: the ability to handle the workload as its needs increase.
(Scalability, availability, fault tolerance)

Availability Set
- An availability set (SLA of 99.95%) helps keep your VMs available during downtime, by spreading them across fault domains and update domains.
- Create an availability set per tier and role (Web, App, Database, Search…).
HA for Front-End Role
- Azure Load Balancer distributes incoming traffic among the virtual machines defined in a load-balancer set.
- Increase the idle connection timeout to handle long-duration connections from SharePoint clients (the cloud service and load-balanced set names are placeholders):
  Set-AzureLoadBalancedEndpoint -ServiceName <cloud-service-name> -LBSetName <lb-set-name> -IdleTimeoutInMinutes 15
- A 3rd-party load balancer with advanced features, e.g. SSL termination (*)

(*) https://kemptechnologies.com/solutions/microsoft-load-balancing/loadmaster-azure/
HA for Application Role
- Not much that Azure can do here; MinRole would almost do it for you.
- The Application Discovery and Load Balancer Service works internally; it depends on how your services are associated (MinRole, custom role).
- HA for Search is required: redundant Search components.
HA + DR for Database Role
- SQL Server AlwaysOn Availability Group
- SQL Server Database Mirroring
- Log Shipping
- Backup & Restore
- Azure Site Recovery
- SQL Server AlwaysOn FCI

HA with SQL Server AlwaysOn AG
- Fully supported on Microsoft Azure for HA
- Requires an AD domain controller to use Windows Failover Clustering

DR with Log Shipping
- Log Shipping is supported in Azure IaaS for the DR scenario: two SQL Server VMs with Azure File Storage
- Better to set up a file share VM to avoid latency
- Only used if required

DR with Database Mirroring
- Database Mirroring is fully supported for the DR scenario
- Use server certificates, because an Active Directory domain cannot span multiple datacenters
- Consider an alternative DR strategy: Database Mirroring is deprecated (SQL Server 2016); use an AlwaysOn Availability Group with FileSh

DR with Backup and Restore
- When RTO is not so important
- Back up the production database to Azure Blob Storage for later recovery
- Automate the backup with the SQL Server Agent service
Sample Planning Report

| Role              | VM name       | Resource group name | Static IP   | Subnet    | Availability set | Size         |
|-------------------|---------------|---------------------|-------------|-----------|------------------|--------------|
| 1st DC            | dw-prod-dc01  | dw-prod-ad-rg-sea   | 192.168.1.4 | snet-ad   | prod-as-ad       | Standard_D2  |
| 2nd DC            | dw-prod-dc02  | dw-prod-ad-rg-sea   | 192.168.1.5 | snet-ad   | prod-as-ad       | Standard_D2  |
| 1st Database      | dw-prod-db01  | dw-prod-data-rg-sea | 192.168.2.5 | snet-data | prod-as-data     | Standard_DS4 |
| 2nd Database      | dw-prod-db02  | dw-prod-data-rg-sea | 192.168.2.6 | snet-data | prod-as-data     | Standard_DS4 |
| Witness majority  | dw-prod-mn01  | dw-prod-data-rg-sea | 192.168.2.7 | snet-data | prod-as-data     | Standard_D2  |
| 1st App & Search  | dw-prod-app01 | dw-prod-app-rg-sea  | 192.168.3.4 | snet-app  | prod-as-app      | Standard_DS4 |
| 2nd App & Search  | dw-prod-app02 | dw-prod-app-rg-sea  | 192.168.3.5 | snet-app  | prod-as-app      | Standard_DS4 |
| 1st Web & D-Cache | dw-prod-wfe01 | dw-prod-wfe-rg-sea  | 192.168.4.5 | snet-wfe  | prod-as-wfe      | Standard_D4  |
| 2nd Web & D-Cache | dw-prod-wfe02 | dw-prod-wfe-rg-sea  | 192.168.4.6 | snet-wfe  | prod-as-wfe      | Standard_D4  |
What does it look like?
(Diagram: a virtual network in Microsoft Azure with one subnet and one availability set per tier: Front-End (4 x), D-Cache (3 x), Search (4 x) and DB (4 x), each tier backed by its own storage; the virtual network connects through the Azure VPN Gateway to an on-premises VPN gateway, domain controller and client PCs.)
...and what if I need more security?

Azure IaaS Security Architecture
(Diagram: the Azure subscription and Azure portal with user management and identity and access management at the top; virtual network, storage account (Storage) and virtual machine (Compute) running on the Azure Fabric; Security Center and Log Analytics alongside.)
What to secure on Azure IaaS?
- Storage
- Data
- Identity
- Virtual machine
- Resource group

What is your responsibility?
- Apply the Security By Default rule: network isolation, 3-tier architecture…
- Apply the security features of each resource type: Microsoft provides several security features for each resource (RBAC, encryption, monitoring, anomaly prevention…)
- Apply Security By Design for SharePoint: validation, regression, OWASP…

My Security Mantra
- Security must come first from your own awareness
- Security By Default before Security By Design
- No pain, no gain

Security on Azure
- Security is still your responsibility
- Security compliance needs your awareness
- No guarantee if your VM is compromised
- SharePoint security is your responsibility
- Azure IaaS security: role-based access control, VM access, storage encryption, security monitoring (Security Center)
Come and discuss more about security!
- Topic: Design A Secure Azure IaaS - Lessons Learnt from Government Cloud
- Event: Singapore Azure Bootcamp 2017 – April 22nd 2017 - Microsoft Singapore
- Website: http://sgazurebootcamp.azurewebsites.net/
Monitoring and Diagnostics
- Service metrics: all Azure services track key metrics for monitoring health, performance and availability; they can be viewed in the portal or via the REST API and are configurable via ARM.
- Operational Insights: a single pane of glass for monitoring VMs; a big-data solution for logs; interact with log data via Search and Solutions; customizable dashboards; near-real-time log monitoring.
- Solution Gallery

Pricing
Cost items to plan for: virtual machines, storage, bandwidth, IP addresses, VPN Gateway, ExpressRoute, Azure DNS, Backup, Site Recovery, Azure AD, StorSimple, Azure Automation, Insight Analytics, Security Center.
SharePoint on Azure Gotchas
- AlwaysOn Failover Cluster Instances (FCI) with Azure File Storage is not supported currently. Alternatives: attached storage using WS 2016 Storage Spaces Direct (S2D); SIOS DataKeeper; an iSCSI target shared block with NetApp Private Storage via ExpressRoute. Microsoft does not provide a warranty for 3rd-party products with FCI.
- WAN deployment is not supported. Metalogix Replicator is an alternative.
- OWA Server is not supported in Azure IaaS due to the licensing model: deploy a hybrid model.
Deploying SharePoint Farm on Azure

SP Server 2016 Quick Deployment
- Create a single SharePoint Server 2016 farm: http://bit.ly/azuresp2016ps

Azure Resource Manager Template
- Create a template with a declarative representation of the solution; the template consists of JSON and expressions.
- Use Azure Visualize to design your template: http://armviz.io/
- Azure Quick Template: http://bit.ly/azurequicktemplate

Azure DSC with xSharePoint
- Install prerequisites and binaries
- Create a farm and join servers to it
- Create web apps and site collections
- Create some service applications, and provision instances of services
- Manage logging, managed accounts, and other configuration settings
Manual Deployment Steps
1. Create resource group
2. Create virtual network
3. Create different subnets
4. Create network security groups
5. Create Azure internal LBs
6. Create different storage accounts
7. Create Active Directory VM
8. Configure Active Directory DC
9. Create SQL Server VM
10. Join SQL Server to AD DC
11. Create SharePoint VM
12. Join SharePoint to AD DC
13. Add extra disks on each VM
14. Create SharePoint farm
15. Configure AlwaysOn AG
(Steps 11 to 15: advanced configuration…)
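As an added example (not the deck's own script), the network part of the manual procedure above (resource group, virtual network, per-tier subnets, per-tier network security groups, internal load balancer) written with the AzureRM module; it also implements the earlier network-planning advice to put each tier on its own subnet behind its own NSG, and the 15-minute idle timeout recommended for the front-end load balancer. The subnet names and 192.168.x.0/24 ranges are taken from the sample planning report; the network resource group name, the 192.168.0.0/16 address space, the 10.0.0.0/16 on-premises range, the load balancer's private IP and 'southeastasia' as the location are assumptions.

```powershell
# Added example, not the deck's own script. Steps 1-5 of the manual deployment
# with the AzureRM module. Subnets and ranges follow the sample planning report;
# $netRg, the VNet space, $onPrem, the ILB address and $location are assumptions.
$location     = 'southeastasia'
$netRg        = 'dw2017-prod-net-rg-sea'   # shared network resource group (assumed)
$onPrem       = '10.0.0.0/16'              # on-premises range reached via the VPN gateway (assumed)
$subnetPrefix = @{ ad = '192.168.1.0/24'; data = '192.168.2.0/24'; app = '192.168.3.0/24'; wfe = '192.168.4.0/24' }

New-AzureRmResourceGroup -Name $netRg -Location $location -Force | Out-Null

function New-TierNsg {
    # Build an NSG that allows only the listed inbound flows, keeps Azure's
    # load-balancer health probes working, and denies everything else coming
    # from the VNet. Without the explicit deny, Azure's default rules permit
    # all intra-VNet traffic, so tier separation would exist on paper only.
    param([string]$Name, [object[]]$Allow)
    $rules = @(); $prio = 100
    foreach ($a in $Allow) {
        $rules += New-AzureRmNetworkSecurityRuleConfig -Name $a.Name -Priority $prio `
            -Direction Inbound -Access Allow -Protocol $a.Protocol `
            -SourceAddressPrefix $a.Source -SourcePortRange '*' `
            -DestinationAddressPrefix '*' -DestinationPortRange $a.Port
        $prio += 10
    }
    $rules += New-AzureRmNetworkSecurityRuleConfig -Name 'allow-azure-lb-probe' -Priority 3900 `
        -Direction Inbound -Access Allow -Protocol '*' -SourceAddressPrefix 'AzureLoadBalancer' `
        -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*'
    $rules += New-AzureRmNetworkSecurityRuleConfig -Name 'deny-vnet-inbound' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol '*' -SourceAddressPrefix 'VirtualNetwork' `
        -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*'
    New-AzureRmNetworkSecurityGroup -Name $Name -ResourceGroupName $netRg -Location $location -SecurityRules $rules
}

# Data tier: SQL only from the app and web tiers, cluster/AG traffic within
# the tier itself, administrative RDP only from on-premises.
$dataNsg = New-TierNsg -Name 'nsg-data' -Allow @(
    @{ Name = 'sql-from-app'; Protocol = 'Tcp'; Source = $subnetPrefix.app;  Port = '1433' }
    @{ Name = 'sql-from-wfe'; Protocol = 'Tcp'; Source = $subnetPrefix.wfe;  Port = '1433' }
    @{ Name = 'intra-tier';   Protocol = '*';   Source = $subnetPrefix.data; Port = '*'    }
    @{ Name = 'rdp-onprem';   Protocol = 'Tcp'; Source = $onPrem;            Port = '3389' }
)
# Web tier: HTTPS from on-premises users, SharePoint inter-server traffic
# from the app tier and from the other front-ends, RDP only from on-premises.
$wfeNsg = New-TierNsg -Name 'nsg-wfe' -Allow @(
    @{ Name = 'https-onprem'; Protocol = 'Tcp'; Source = $onPrem;            Port = '443'  }
    @{ Name = 'from-app';     Protocol = '*';   Source = $subnetPrefix.app;  Port = '*'    }
    @{ Name = 'intra-tier';   Protocol = '*';   Source = $subnetPrefix.wfe;  Port = '*'    }
    @{ Name = 'rdp-onprem';   Protocol = 'Tcp'; Source = $onPrem;            Port = '3389' }
)

# Virtual network with one subnet per tier. The AD subnet keeps Azure's default
# rules here, because domain traffic spans many ports and is out of scope.
$subnetConfigs = @(
    New-AzureRmVirtualNetworkSubnetConfig -Name 'snet-ad'   -AddressPrefix $subnetPrefix.ad
    New-AzureRmVirtualNetworkSubnetConfig -Name 'snet-data' -AddressPrefix $subnetPrefix.data -NetworkSecurityGroup $dataNsg
    New-AzureRmVirtualNetworkSubnetConfig -Name 'snet-app'  -AddressPrefix $subnetPrefix.app
    New-AzureRmVirtualNetworkSubnetConfig -Name 'snet-wfe'  -AddressPrefix $subnetPrefix.wfe  -NetworkSecurityGroup $wfeNsg
)
$vnet = New-AzureRmVirtualNetwork -Name 'vnet-dw-prod' -ResourceGroupName $netRg -Location $location `
    -AddressPrefix '192.168.0.0/16' -Subnet $subnetConfigs

# Internal load balancer for the web tier with the 15-minute idle timeout the
# deck recommends for long-running SharePoint client connections.
$wfeSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'snet-wfe' -VirtualNetwork $vnet
$feIp   = New-AzureRmLoadBalancerFrontendIpConfig -Name 'fe-wfe' -PrivateIpAddress '192.168.4.10' -SubnetId $wfeSubnet.Id
$bePool = New-AzureRmLoadBalancerBackendAddressPoolConfig -Name 'be-wfe'
$probe  = New-AzureRmLoadBalancerProbeConfig -Name 'probe-443' -Protocol Tcp -Port 443 -IntervalInSeconds 15 -ProbeCount 2
$rule   = New-AzureRmLoadBalancerRuleConfig -Name 'https' -FrontendIpConfiguration $feIp -BackendAddressPool $bePool `
    -Probe $probe -Protocol Tcp -FrontendPort 443 -BackendPort 443 -IdleTimeoutInMinutes 15
New-AzureRmLoadBalancer -Name 'ilb-wfe' -ResourceGroupName $netRg -Location $location `
    -FrontendIpConfiguration $feIp -BackendAddressPool $bePool -Probe $probe -LoadBalancingRule $rule
```

The front-end NICs are added to the be-wfe backend pool when the VMs are created in later steps. The two NSGs show the check worth repeating for every tier: list the flows the tier must accept, allow exactly those, and rely on the explicit VirtualNetwork deny rather than on the default rules, since a database server that accepts anything from the web subnet gains nothing from being on a separate subnet.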
Deployment Considerations per Role

Active Directory Deployment
- Deploy a site-to-site VPN connection between the workloads: on-premises Active Directory and the Azure-hosted SharePoint farm
- Set up replica domain controllers using Azure virtual machines: this increases proximity and improves authentication
- Deploying stand-alone domain controllers in Azure is not common in real-world scenarios

Active Directory Deployment
- Use D2 for the domain controller VM
- DNS configuration and deployment: use a reserved IP address, because DCs need static IPs but VMs use DHCP by default
- In a hybrid scenario, for replication: configure AD Sites and Services to ensure that you are not incurring additional network traffic due to bad routes
- Data allocation: place the Active Directory database, logs and SYSVOL on additional Azure data disks. Do not place them on the operating system disk (C: drive) or the temporary disk (D: drive) provided by Azure.

SQL Server Deployment
- Go with SQL Server on Azure IaaS; Azure SQL Database (PaaS) works with SharePoint 2016 for testing purposes only
- Run TempDB on the non-persistent drive: consider using P30 (Premium Storage) to store TempDB; you need to ensure the folder structure is re-created on VM start-up
- Data and file allocation: do not put data and files you care about on the D: drive; do not put data and files you care about, or whose I/O affects OS performance, on C:
- Disk striping when you need more IOPS on Standard Storage: manage the disks inside the VM with Storage Spaces
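As an added example (not the deck's own script) for the two SQL Server points above: a start-up routine that re-creates the TempDB folder on the non-persistent D: drive before SQL Server starts, and a Storage Spaces stripe across several standard data disks for more IOPS. It runs inside the SQL Server VM as an administrator (Windows PowerShell; the Storage and ScheduledTasks modules ship with Windows Server). The folder path, script path, service name, service account, pool and volume names and the drive letter are assumptions.

```powershell
# Added example, not the deck's own script. Runs inside the SQL Server VM.
# Paths, service name/account, pool and volume names and drive letter are assumptions.

# --- 1. TempDB on the non-persistent D: drive --------------------------------
# Azure hands back an empty temporary disk after a deallocation or host move,
# so SQL Server fails to start until the TempDB folder exists again.
function Initialize-TempDbFolder {
    param(
        [string]$Path           = 'D:\SQLTemp',
        [string]$ServiceName    = 'MSSQLSERVER',             # default instance
        [string]$ServiceAccount = 'NT Service\MSSQLSERVER'   # its virtual service account
    )
    if (-not (Test-Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
        # Grant only the SQL service account full control on the new folder.
        $acl  = Get-Acl $Path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ServiceAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Path -AclObject $acl
    }
    # The SQL service is set to Manual start so that it starts only after the folder is back.
    if ((Get-Service -Name $ServiceName).Status -ne 'Running') { Start-Service -Name $ServiceName }
}

function Register-TempDbStartupTask {
    # Runs the script at $ScriptPath as SYSTEM at every boot.
    param([string]$ScriptPath = 'C:\Scripts\Initialize-TempDb.ps1')
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'SQL-Recreate-TempDb' -Action $action -Trigger $trigger -Principal $principal -Force
}

# --- 2. Stripe several Standard Storage data disks with Storage Spaces --------
# A standard data disk is capped at 500 IOPS, so a simple (striped) space across
# N disks gives roughly N x 500 IOPS for the data or log volume.
function New-StripedDataVolume {
    param(
        [string]$PoolName    = 'SqlDataPool',
        [string]$DiskName    = 'SqlDataDisk',
        [string]$Label       = 'SQLData',
        [char]  $DriveLetter = 'F'
    )
    # Every attached data disk that is not yet part of a pool.
    $disks = @(Get-PhysicalDisk -CanPool $true)
    if ($disks.Count -lt 2) { throw 'Need at least two poolable disks to stripe.' }
    New-StoragePool -FriendlyName $PoolName -StorageSubSystemFriendlyName 'Windows Storage*' -PhysicalDisks $disks | Out-Null
    # Simple = striping without parity; one column per disk so every disk serves I/O;
    # 64 KB interleave matches SQL Server's 64 KB extents.
    New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $DiskName -ResiliencySettingName Simple `
        -NumberOfColumns $disks.Count -Interleave 65536 -UseMaximumSize | Out-Null
    $disk = Get-VirtualDisk -FriendlyName $DiskName | Get-Disk
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT
    New-Partition -DiskNumber $disk.Number -DriveLetter $DriveLetter -UseMaximumSize |
        Format-Volume -FileSystem NTFS -AllocationUnitSize 65536 -NewFileSystemLabel $Label -Confirm:$false
}
```

To use the first part, save a script at the path given to Register-TempDbStartupTask that dot-sources this file and calls Initialize-TempDbFolder, set the SQL Server service start-up type to Manual, and run Register-TempDbStartupTask once. The stripe in the second part has no redundancy by design: the disks themselves are replicated by Azure storage, and the deck's HA comes from the availability group, not from parity inside the VM.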
Finally!
- SharePoint on Azure is not SharePoint on cloud; SharePoint on cloud is SharePoint Online (Office 365)
- Carefully plan the SharePoint farm before the deployment; some things you must convert or migrate if wrongly deployed
- Try to automate your deployment as much as possible; take it to the next level with DevOps
- Keep calm if something still goes wrong!

Additional Resources
- High availability and disaster recovery for SQL Server in Azure Virtual Machines: http://bit.ly/hadrsqlsazure
- Understanding Windows Azure Storage Billing – Bandwidth, Transactions, and Capacity: http://bit.ly/azurestoragepricing
- Microsoft Azure Cost Estimator Tool: http://bit.ly/azurecostestimator
- Deploying SharePoint Server 2016 with SQL Server AlwaysOn Availability Groups in Azure: http://bit.ly/sp2016farmazure (must read, but with some variable and configuration mistakes)

Q & A
Feel free to discuss with me via thuan@outlook.com or @nnthuan (Twitter)
DEMO
Thank You
www.expertslive.asia #expertsliveasia