Microsoft Exchange on AWS

Partner Solution Deployment Guide

QS

March 2022
Dragos Madarasan, Aaron Lima, and Dave May, AWS Integration & Automation team

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.

This Partner Solution was created by Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

Overview

This Partner Solution deploys Microsoft Exchange on the AWS Cloud. If you are unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

In addition to this Partner Solution, we published a set of Microsoft-based Partner Solutions that you can use to deploy other common Microsoft workloads on AWS, which include the following:

  • Microsoft Active Directory

  • Remote Desktop Gateway (RD Gateway)

  • Microsoft SharePoint Server

  • Microsoft Web Application Proxy with Active Directory Federation Services (ADFS)

  • Microsoft SQL Server

  • Windows Server Update Services

Each of these Partner Solutions includes a virtual private cloud (VPC) environment, which is deployed based on AWS best practices. For more information about using Partner Solutions to deploy Microsoft workloads, refer to AWS Partner Solutions.

Costs and licenses

Exchange Server can be deployed and licensed through Microsoft License Mobility. For development and test environments, you can use your existing MSDN licenses for Exchange Server using Amazon Elastic Compute Cloud (Amazon EC2)–dedicated instances. For more information, refer to Licensing—MSDN.

This Partner Solution deployment uses an evaluation copy of Exchange Server. To upgrade your version, see the Microsoft Exchange Server website.

This Partner Solution launches the Amazon Machine Image (AMI) for Microsoft Windows Server 2016 and Windows Server 2019, and it includes the license for Windows Server. The AMI is regularly updated with the latest service pack, so there’s no need update it. The Windows Server AMI doesn’t require client access licenses (CALs) and includes two Microsoft Remote Desktop Services licenses. For more information, refer to Microsoft Licensing on AWS.

There is no cost to use this Partner Solution, but you will be billed for any AWS services or resources that this Partner Solution deploys. For more information, refer to the AWS Partner Solution General Information Guide.

Architecture

Deploying this Partner Solution for a new virtual private cloud (VPC) with default parameters builds the following Exchange environment in the AWS Cloud:

Architecture
Figure 1. Partner Solution architecture for Exchange on AWS

As shown in Figure 1, this Partner Solution sets up the following:

  • A highly available architecture that spans two or three Availability Zones.*

  • A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*

  • In the public subnets:

    • Elastic IP addresses associated with the NAT gateway and RD Gateway instances.*

    • Microsoft Windows Server–based RD Gateway instances, in an Auto Scaling group, and network address translation (NAT) gateways for outbound internet access.*

    • (Optional) Exchange Edge Transport servers for routing email in and out of your environment.

  • In the private subnets:

    • Microsoft Active Directory domain controllers.*

    • Windows Server–based Amazon EC2 instances as Exchange nodes.

    • Exchange Server Enterprise on each node. This architecture provides redundancy and a witness server to ensure that a quorum is established.

  • An internet gateway that connects the VPC to the internet.

  • A Network Load Balancer that distributes incoming traffic across the Exchange Amazon EC2 instances.

  • Amazon Simple Storage Service (Amazon S3) to store and retrieve data.

  • AWS Secrets Manager to encrypt, store, and retrieve credentials for your databases and other services.

  • A Parameter Store resource to provide hierarchical storage for configuration data management and secrets management.

  • AWS Certificate Manager to provision, manage, and deploy SSL/TLS certificates on AWS managed resources.

*The template that deploys the Partner Solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

Deployment options

This Partner Solution provides the following deployment options:

  • Deploy Exchange into a new VPC. This option builds a new AWS environment that consists of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components. It then deploys Exchange into this new VPC.

  • Deploy Exchange into an existing VPC. This option provisions Exchange in your existing AWS infrastructure.

This Partner Solution provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Exchange settings.

Predeployment steps

Before you deploy the Partner Solution template, decide whether to use two Availability Zones or three, and whether to use a file share witness or a full node. By default, this deployment creates one Exchange node in each Availability Zone. The file share witness launches in the same Availability Zone as the first Exchange node.

Where possible, deploy this Partner Solution using three Availability Zones. This enables automatic failover of database availability groups (DAGs) without the need for manual intervention.

You can deploy a full Exchange node instead of a file share witness. In addition, you can specify whether to deploy the full node or the file share witness in a third Availability Zone. For more information about quorum models, refer to Database availability group quorum models.

In addition, you can deploy an internal Application Load Balancer to provide high availability that distributes traffic to the Exchange nodes. For this configuration, you must import a Secure Sockets Layer (SSL) certificate into AWS Certificate Manager (ACM) before you launch the template.

Deployment steps

  1. Sign in to your AWS account, and launch this Partner Solution, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template.

  2. Choose the correct AWS Region, and then choose Next.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

    Unless you’re customizing the Partner Solution templates or are instructed otherwise in this guide’s Predeployment section, don’t change the default settings for the following parameters: QSS3BucketName, QSS3BucketRegion, and QSS3KeyPrefix. Changing the values of these parameters will modify code references that point to the Amazon Simple Storage Service (Amazon S3) bucket name and key prefix. For more information, refer to the AWS Partner Solutions Contributor’s Guide.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select all of the check boxes to acknowledge that the template creates AWS Identity and Access Management (IAM) resources that might require the ability to automatically expand macros.

  7. Choose Create stack. The stack takes about 3 hours to deploy.

  8. Monitor the stack’s status, and when the status is CREATE_COMPLETE, the Microsoft Exchange deployment is ready.

  9. To view the created resources, choose the Outputs tab.

Postdeployment steps

Update Windows

To help ensure that the deployed servers' operating systems and installed applications have the latest Microsoft updates, run update Windows on each server.

  1. Create an RDP session from the Remote Desktop Gateway server to each deployed server.

  2. Navigate to the Settings application.

  3. Navigate to Update & Security.

  4. Choose Check for updates.

  5. Install any updates and reboot if necessary.

(Optional) Create database copies

This Partner Solution creates a database availability group (DAG) and adds to it the Exchange nodes. As part of the Exchange installation, each node contains a mailbox database. The first node contains a database called DB1, and the second node contains a database called DB2.

As part of configuring high availability for the mailbox roles, you can add mailbox database copies to other Exchange nodes. Alternatively, you can create new databases and then create additional copies. To create a second copy for the initial databases, use the following commands:

Add-MailboxDatabaseCopy -Identity DB1 –MailboxServer ExchangeNode2 -ActivationPreference 2

Add-MailboxDatabaseCopy -Identity DB2 –MailboxServer ExchangeNode1 -ActivationPreference 2

(Optional) Create a DNS entry for the Network Load Balancer

  1. If you deploy a Network Load Balancer, it has an endpoint address, such as elb.amazonaws.com.

  2. To use the load balancer with your Exchange namespace, create a CNAME record in Active Directory that points to the Application Load Balancer.

  3. Before proceeding, navigate to the Amazon EC2 console, and under Load balancer, choose the load balancer that the Partner Solution created.

  4. Copy the value listed under the DNS name, as shown in Figure 7.

Architecture
Figure 2. Creating a DNS entry for the Network Load Balancer

  1. To create the DNS record, use Remote Desktop with your domain credentials to connect to one of the domain controllers, and open the DNS console by navigating to the Start menu and entering DNS.

  2. In the DNS console, navigate to the Active Directory in the applicable Availability Zone, and choose New Alias (CNAME), as shown in Figure 8.

Architecture
Figure 3. Selecting New Alias (CNAME)

  1. Create a DNS entry, such as mail, and in fully qualified domain name (FQDN) for target host, paste the value of the Application Load Balancer endpoint, as shown in Figure 9.

Architecture
Figure 4. Creating the DNS entry ("mail")

  1. Verify that the DNS entry successfully resolves by running nslookup. Navigate to Start and enter cmd. In the command line, enter the following (where mail is the name of your CNAME record and example.com is the domain name of your Active Directory):

Nslookup mail.example.com

  1. Ensure that the record resolves to the load balancer DNS record, as shown in Figure 10.

Architecture
Figure 5. Verifying the DNS record

High availability and disaster recovery

Amazon EC2 provides the ability to place instances in multiple AWS Regions and Availability Zones. For more information, refer to Regions and Zones.

By launching your instances in separate Regions, you can design your application to be closer to specific customers or to meet legal or other requirements. By launching your instances in separate Availability Zones, you can protect your applications from the failure of a single location. Exchange provides infrastructure features that complement the high availability and disaster recovery scenarios supported in the AWS Cloud.

Automatic failover

Deploying this Partner Solution with the default parameters configures a two-node DAG with a file share witness. The DAG uses Windows Server Failover Clustering for automatic failover.

The Partner Solution implementation supports the following scenarios:

  • Protection from the failure of a single instance

  • Automatic failover between the cluster nodes

  • Automatic failover between Availability Zones

This Partner Solution’s default implementation, however, doesn’t provide automatic failover in every case. For example, the loss of Availability Zone 1, which contains the primary node and file share witness, would prevent automatic failover to Availability Zone 2. This is because the cluster would fail as it loses quorum. In this scenario, you could follow manual disaster recovery steps that include restarting the cluster service and forcing a quorum on the second cluster node (for example, ExchangeNode2) to restore application availability.

This Partner Solution can deploy to three Availability Zones, which can mitigate the loss of quorum if a node fails. Note that you can choose this option only in AWS Regions that include three or more Availability Zones. For a current list, refer to Global Infrastructure.

Consult the Exchange Server documentation and customize the steps described (for example, deploy additional cluster nodes and configure mailbox database copies) to deploy a solution that meets your business, IT, and security requirements.

Security groups and firewalls

When the Amazon EC2 instances launch, they must be associated with a security group, which acts as a stateful firewall. You control the network traffic entering or leaving the security group, and you can build granular rules that are scoped by protocol, port number, and source or destination IP address or subnet. By default, all outgoing security-group traffic is permitted. Inbound traffic, however, must be configured to allow the appropriate traffic to reach your instances.

Domain controllers and member servers require several security group rules to allow traffic for services such as AD DS replication, user authentication, Windows Time service (W32Time), and Distributed File System (DFS), among others. The nodes that run Exchange Server permit full communication between each other, as recommended by Microsoft best practices. For more information, refer to Exchange, Firewalls, and Support …​ Oh, my!

Edge node servers (if configured to be deployed) allow port 25 TCP (SMTP) from the entire internet. The Partner Solution creates certain security groups and rules for you.

Troubleshooting

For troubleshooting common Partner Solution issues, refer to the AWS Partner Solution General Information Guide and Troubleshooting CloudFormation.

Customer responsibility

After you deploy a Partner Solution, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.