Amazon EC2 Dedicated Hosts for Microsoft Windows on AWS

Partner Solution Deployment Guide


August 2021
Sudhir Amin, AWS for Microsoft Workloads
Dave May, AWS Integration & Automation team

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.

This Partner Solution was created by Example Company Name, Ltd. in collaboration with Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

Overview

Dedicated Hosts provide dedicated hardware to support existing software licenses, with an identifiable number of physical cores required for licensing some Microsoft products such as Windows Server. Using Dedicated Hosts, you can take advantage of the flexibility and cost effectiveness of using your own licenses and licensing for maximum virtualization, but with the resiliency, simplicity, and elasticity of AWS.

To learn more, see Amazon EC2 Dedicated Hosts.

AWS License Manager

License Manager can help you simplify the management of software licenses when using Dedicated Hosts. License Manager allows you to specify your licensing terms for governing license usage, and you can configure your Dedicated Hosts management preferences for host allocation and host capacity usage. After configuration is completed, AWS takes care of these administrative tasks on your behalf, so that you can seamlessly launch virtual machines (instances) on Dedicated Hosts, similar to how you would launch an EC2 instance with an AWS-provided license.

To learn more, see AWS License Manager.

Host resource group

A host resource group is a collection of Dedicated Hosts that you can manage as a single entity. As you launch instances, License Manager allocates the hosts and launches instances on them based on your configuration settings. You can add existing Dedicated Hosts to a host resource group and take advantage of automated host management through License Manager.

You can use host resource groups to separate hosts by purpose (for example, development and test hosts versus production), organizational unit, or license constraints. After you add a Dedicated Host to a host resource group, you cannot launch instances directly on the Dedicated Host. Instead, you must launch them using the host resource group.

The Partner Solution provides parameters for the host resource group. These parameters automate the following:

  • Host allocation

  • Instance placement

  • Allowed instance family to create a collection of Dedicated Hosts per your license limit

  • Host release

  • Host recovery

To learn more about host resource groups, see Host resource groups in AWS License Manager.

This guide provides instructions for deploying an Amazon Elastic Compute Cloud (Amazon EC2) Dedicated Hosts for Microsoft Windows Partner Solution reference architecture on the AWS Cloud.

This Partner Solution is for IT infrastructure architects, administrators, and DevOps professionals who are planning to implement a Dedicated Hosts environment while bringing their own eligible Microsoft software licenses to AWS.

The Partner Solution automates the process of setting up the AWS License Manager license configuration and associating it with a host resource group. Next, it creates an Auto Scaling group of EC2 Dedicated Hosts instances, which are then assigned to the host resource group. The host resource group lets you manage the instances as a single entity based on your License Manager configuration settings. As you add new licenses to the License Manager configuration, the licenses are automatically applied to the new instances.

Advantages

When deploying this Partner Solution, you can:

  • Benefit from the efficiencies of the AWS Cloud while using existing investments in on-premises software

  • Extend the lifecycle of prior software versions

  • Import your existing Windows images to the AWS Cloud

  • Easily track licenses using License Manager

  • Enforce licensing rules, stay compliant, and control overages

  • Centrally report usage and discover installed software

Eligible software

You can use a variety of existing software licenses on AWS using Dedicated Hosts, for example:

  • Microsoft Windows Server 2008*, 2008 R2*, 2012, 2016, or 2019

  • Microsoft SQL Server

  • Microsoft Remote Desktop Services

  • Microsoft Exchange Server

  • Microsoft SharePoint Server

* Windows Server 2008 and 2008 R2 are no longer supported. If using these versions, you must bring your own image. For more information, see End-of-Support Migration Program for Windows Server.

For more information about licenses that you can bring to or purchase from AWS, see Amazon Web Services and Microsoft Frequently Asked Questions.

Costs and licenses

The use of Microsoft software is subject to Microsoft’s terms. You are responsible for complying with Microsoft licensing. This document does not provide legal advice. If you have questions about your licensing or rights to Microsoft software, consult your legal team, Microsoft, or your Microsoft reseller. For more information, see Microsoft Product Terms.

The Partner Solution is configured to accept the following two licensing options.

Bring Your Own License (BYOL) AMI

Use your volume licensing software and bring the license. When using your own Windows Server license, you must either import your own VM images or use host-based replication software to create the AMI.

Several Amazon Machine Images (AMIs) that support a variety of operating system platforms and features are available to choose when launching your instances. To understand how the AMI affects your AWS bill, you can research the associated operating system platform and billing information.

License Manager helps you with license reporting, governance, and managing true-ups and audits. However, Microsoft licensing requires you to bring your own media, which involves managing patching, updates, and golden AMI creation.

The following platform details and usage operation values can be displayed on the instances or AMI pages in the Amazon EC2 console, or in the response that is returned by the describe-images command.

  • Platform: Windows License Included, Usage operation: RunInstances:0002

  • Platform: Windows BYOL, Usage operation: RunInstances:0800

To learn more about billing codes and AMIs, see AMI billing information fields.

AMI for Windows Server

You have the option to use Windows Server AMIs that include the cost for licensing. When using AWS-provided Windows Server licensing, you don’t need to import your own Windows images (unless you are using Windows Server 2008 or 2008 R2).

Run Windows Server instances on Dedicated Hosts and use existing compliant Windows Server software licenses from AWS with a pay-as-you-go model. This helps in scenarios where you have eligible software licenses to use on Dedicated Hosts but do not have accompanying Windows Server licenses to run the eligible software in the Dedicated Hosts environment.

You can use the Windows Server AMIs via the AWS Management Console, APIs, and the command line interface (CLI).

Architecture

Deploying this Partner Solution with default parameters builds the following Dedicated Hosts environment in the AWS Cloud.

Figure 1. Partner Solution architecture for Dedicated Hosts on AWS

As shown in Figure 1, this Partner Solution sets up the following:

  • A highly available architecture that spans two Availability Zones.*

  • A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*

  • In the public subnets:

    • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*

    • An optional Remote Desktop Gateway in an Auto Scaling group to allow inbound Remote Desktop Protocol (RDP) access to EC2 instances in public and private subnets.*

  • In the private subnets:

    • An optional Auto Scaling group of Dedicated Host instances. The instances host your Microsoft-licensed products (such as Windows Server and SQL Server) and are combined into a single host resource group that you manage as a single entity.

  • AWS License Manager for tracking and managing licenses and their associated AMIs in a host resource group.

* The template that deploys this Partner Solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

Deployment options

This Partner Solution provides the following deployment options:

This Partner Solution provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Dedicated Hosts settings.

Predeployment steps

Microsoft Windows AMIs provided by AWS include AWS-provided licenses. Since the purpose of this Partner Solution is to allow Dedicated Hosts users to bring their own Windows licenses, you must create a Windows AMI. For more information, see Importing a VM as an image using VM Import/Export.

If you are looking to combine AWS-provided licenses for Windows Server and run eligible application software such as Microsoft SQL Server or SharePoint, you can bypass the preceding step and use an AWS-provided, license-included Windows Server AMI.

Dedicated Hosts configuration option

When planning your Dedicated Hosts configuration, identify the instance capacity per host and supported instance size on the host. These values vary between different instance families that are available when building your Dedicated Hosts environment.

Powered by the AWS Nitro System, Dedicated Hosts support multiple instance types within the same instance family on a host. For example, when you allocate an R5 Dedicated Host, you can use a host with two sockets and 48 physical cores to run different R5 instance types such as r5.2xlarge, r5.4xlarge, and others on the same host. You can run any number of instances up to the core capacity that is associated with the host.

Support for multiple instance types on the same Dedicated Host is available for the following instance families: c5, m5, r5, c5n, r5n, and m5n.

Instance families that come with instance store (local NVMe) support only a single instance size on the same Dedicated Host. If using the r5d instance family, choose a single instance size during allocation.

The following table shows instance capacity and size for r5d. For example, the r5d.2xlarge instance type provides a capacity of 12 instances on the host.

Instance family  Sockets  Physical cores  large  xlarge  2xlarge  4xlarge  8xlarge  16xlarge  24xlarge
r5d              2        48              48     24      12       6        2        2         1
r5               2        48              48     24      12       6        2        2         1

For more information, see Amazon EC2 Dedicated Hosts Configuration.

Maintain license count

The Partner Solution uses the LicenseCount parameter to configure the optional License Manager License Count parameter. This value represents the total number of licenses managed by the configuration rule.

License Manager can track license counts by core or vCPU. The Partner Solution LicenseType parameter selects this preference during deployment.

To learn more about License Manager parameters and rules, see License configuration parameters and rules.

License affinity to host

The Partner Solution is configured to follow the 90-day clause, which states that a Microsoft license cannot be reassigned within 90 days. This ability to enforce assignment rules further simplifies the Windows Server and SQL Server BYOL experience on AWS.

Within License Manager configuration, the Partner Solution sets the License affinity to host (in days) rule to 90 days. This rule restricts license usage to the host for 90 days. After the affinity period is over, you can reuse the license within 24 hours.

Deployment steps

  1. Sign in to your AWS account, and launch this Partner Solution, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template.

  2. Choose the correct AWS Region, and then choose Next.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

    Unless you’re customizing the Partner Solution templates or are instructed otherwise in this guide’s Predeployment section, don’t change the default settings for the following parameters: QSS3BucketName, QSS3BucketRegion, and QSS3KeyPrefix. Changing the values of these parameters will modify code references that point to the Amazon Simple Storage Service (Amazon S3) bucket name and key prefix. For more information, refer to the AWS Partner Solutions Contributor’s Guide.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select all of the check boxes to acknowledge that the template creates AWS Identity and Access Management (IAM) resources and that it might require the ability to automatically expand macros.

  7. Choose Create stack. The stack takes about 20 minutes to deploy.

  8. Monitor the stack’s status, and when the status is CREATE_COMPLETE, the Amazon EC2 Dedicated Hosts for Microsoft Windows deployment is ready.

  9. To view the created resources, choose the Outputs tab.

Postdeployment steps

Review License Manager rules

  1. Open the License Manager console at https://console.aws.amazon.com/license-manager/.

  2. In the left navigation pane, choose Customer managed licenses.

  3. Review the rules.

Review host resource group configuration

  1. Open the License Manager console at https://console.aws.amazon.com/license-manager/.

  2. In the left navigation pane, choose Host resource groups.

  3. Review the configuration.

Provisioning

License Manager supports the following deployment options to enforce license rules through provisioning:

  • Auto Scaling group’s launch template and AMI

  • CloudFormation

  • AWS SDKs and tools

  • AWS Service Catalog

After you deploy the Partner Solution, navigate to the Outputs section of the CloudFormation stack to record the following values:

  • GroupArn, the host resource group Amazon Resource Name (ARN)

  • LicenseArn, the license configuration ARN


The following sections show you how to provision using the launch template, AWS CLI, and CloudFormation. For other deployment methods, see Mechanisms to govern license usage with AWS License Manager.

Auto Scaling

The Partner Solution creates an Auto Scaling group and associated launch template in two private subnets. Within the template, the LaunchTemplateData parameter is configured with these two properties. Replace the values with the values that you recorded from the Outputs section of the CloudFormation stack.

Placement:
  HostResourceGroupArn: <Replace with host resource group ARN>
LicenseSpecifications:
  - LicenseConfigurationArn: <Replace with license configuration ARN>

The Auto Scaling group takes advantage of the multiple Availability Zones that are represented by the private subnets used by the Auto Scaling group. Therefore, take the Auto Scaling group configuration into account when planning the workload you intend to run on the Dedicated Hosts infrastructure.

By default, the Auto Scaling value is set to 0. If, for example, you set the desired minimum and maximum values to 2 during the deployment, you launch two instances that are spread across both Availability Zones. This means that one Dedicated Host is allocated per Availability Zone.

AWS CLI

To deploy using AWS CLI, replace the placeholder values with those from the Outputs section of the CloudFormation stack:

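# Launch into the host resource group with the license configuration attached.
# Each option takes a Key=value pair with no space after the equals sign.
aws ec2 run-instances \
  --instance-type c5.2xlarge \
  --image-id ami-0eXXXXXXXXXXXXef9 \
  --subnet-id subnet-0fdbxxxxxxxdcf \
  --license-specifications "LicenseConfigurationArn=<License configuration ARN>" \
  --placement "HostResourceGroupArn=<Host resource group ARN>"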

CloudFormation

To deploy using CloudFormation, be sure that the resource properties include values for the HostResourceGroupArn and LicenseSpecifications options.

Type: AWS::EC2::Instance
Properties:
  AvailabilityZone: String
  BlockDeviceMappings:
    - BlockDeviceMapping
  HostResourceGroupArn: String <Replace with host resource group ARN>
  IamInstanceProfile: String
  ImageId: String
  InstanceType: String
  KeyName: String
  LaunchTemplate:
    LaunchTemplateSpecification
  LicenseSpecifications:
    - LicenseSpecification
  SecurityGroupIds:
    - String
  SecurityGroups:
    - String
  SourceDestCheck: Boolean
  SsmAssociations:
    - SsmAssociation
  SubnetId: String
  Tags:
    - Tag
  Tenancy: String
  UserData: String
  Volumes:
    - Volume
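
The following Python preflight check is an added example, not part of the Partner Solution's own code. It inspects LaunchTemplateData (the Placement and LicenseSpecifications properties shown under Auto Scaling) and one describe-images entry, and flags an unreplaced placeholder, a conflicting tenancy, a missing license configuration, or an AMI whose usage operation does not match the intended licensing option. The function name, the "BYOL" and "LicenseIncluded" labels, and all ARNs and AMI IDs are assumptions constructed for illustration.

```python
import re

# Usage operation values this guide lists for Windows AMIs.
EXPECTED_USAGE_OPERATION = {
    "BYOL": "RunInstances:0800",             # Platform: Windows BYOL
    "LicenseIncluded": "RunInstances:0002",  # Platform: Windows License Included
}
# Loose ARN shape checks, enough to catch an unreplaced placeholder or swapped values.
GROUP_ARN = re.compile(r"^arn:aws[\w-]*:resource-groups:[\w-]+:\d{12}:group/.+$")
LICENSE_ARN = re.compile(
    r"^arn:aws[\w-]*:license-manager:[\w-]+:\d{12}:license-configuration:.+$")


def preflight(launch_template_data, image, licensing):
    """Return findings for one launch; an empty list means nothing was flagged.

    launch_template_data: dict shaped like the launch template's LaunchTemplateData
    image: one entry of the Images list returned by describe-images
    licensing: "BYOL" or "LicenseIncluded" (labels made up for this example)
    """
    findings = []
    placement = launch_template_data.get("Placement") or {}
    if not GROUP_ARN.match(placement.get("HostResourceGroupArn") or ""):
        findings.append("Placement.HostResourceGroupArn is missing or malformed")
    # With a host resource group, Tenancy is either omitted or set to "host".
    if placement.get("Tenancy", "host") != "host":
        findings.append("Placement.Tenancy must be omitted or set to 'host'")

    specs = launch_template_data.get("LicenseSpecifications") or []
    if not specs:
        findings.append("LicenseSpecifications is empty; no license configuration attached")
    for spec in specs:
        if not LICENSE_ARN.match(spec.get("LicenseConfigurationArn") or ""):
            findings.append("LicenseConfigurationArn is missing or malformed")

    expected = EXPECTED_USAGE_OPERATION[licensing]
    actual = image.get("UsageOperation")
    if actual != expected:
        findings.append(
            f"{image.get('ImageId')}: usage operation {actual}, expected {expected}")
    return findings


# Constructed sample data: the account ID, ARNs and AMI IDs are made up.
GOOD_TEMPLATE = {
    "Placement": {"HostResourceGroupArn":
                  "arn:aws:resource-groups:us-east-1:111122223333:group/example-hrg"},
    "LicenseSpecifications": [{"LicenseConfigurationArn":
        "arn:aws:license-manager:us-east-1:111122223333:license-configuration:lic-example"}],
}
BAD_TEMPLATE = {  # placeholder never replaced, wrong tenancy, no license configuration
    "Placement": {"HostResourceGroupArn": "<Replace with host resource group ARN>",
                  "Tenancy": "default"},
}
BYOL_IMAGE = {"ImageId": "ami-examplebyol", "UsageOperation": "RunInstances:0800"}
INCLUDED_IMAGE = {"ImageId": "ami-exampleincl", "UsageOperation": "RunInstances:0002"}

if __name__ == "__main__":
    for name, tmpl, img in [("good", GOOD_TEMPLATE, BYOL_IMAGE),
                            ("bad", BAD_TEMPLATE, INCLUDED_IMAGE)]:
        print(name, preflight(tmpl, img, "BYOL"))
```

In practice, the two dictionaries would come from the launch template's data and the describe-images response for the AMI it references.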

Validate the License Manager dashboard

The Dashboard section of the AWS License Manager console provides graphs to track the license consumption associated with each license configuration. The dashboard also displays alerts resulting from license rule violations.

The following information is available in the graph for a license configuration:

  • License configuration name

  • License type

  • Licenses consumed

  • Number of licenses remaining

  • Whether the rules are enforced

  • Number of hosts for each tenancy type

Track usage through the built-in dashboard

  1. Open the License Manager console at https://console.aws.amazon.com/license-manager/.

  2. In the left navigation pane, choose Dashboard.

  3. Locate the license usage data.

Run Windows updates

If you deployed any Windows instances, confirm that each server’s operating system and installed applications have the latest Microsoft updates by running Windows Update.

  1. Create an RDP session from the Remote Desktop Gateway server to the BYOL Windows Server.

  2. Open the Settings application.

  3. Open the Update & Security option.

  4. Choose Check for updates.

  5. Install updates.

  6. Reboot, if needed.

Troubleshooting

For troubleshooting common Partner Solution issues, refer to the AWS Partner Solution General Information Guide and Troubleshooting CloudFormation.

Customer responsibility

After you deploy a Partner Solution, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.