SQL Server on the AWS Cloud

Using Windows Server Failover Clustering

(WSFC) and SQL Server Always On Availability
Groups
Quick Start Reference Deployment

Santiago Cardenas and Jay McConnell

Amazon Web Services

July 2014
Last updated: December 2017 (see revisions)

This guide is also available in HTML format at

https://docs.aws.amazon.com/quickstart/latest/sql/.
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Contents
About This Guide ................................................................................................................... 3
Quick Links ............................................................................................................................ 3
About Quick Starts ................................................................................................................. 4
Overview .................................................................................................................................... 4
SQL Server and WSFC on AWS ............................................................................................. 4
Costs and Licenses ................................................................................................................. 5
AWS Services..........................................................................................................................6
Architecture ............................................................................................................................... 7
Best Practices .........................................................................................................................9
High Availability and Disaster Recovery ...........................................................................9
Automatic Failover .............................................................................................................9
Security Groups and Firewalls ..........................................................................................11
Implementation Details ...........................................................................................................11
SQL Server Enterprise Edition .............................................................................................11
Storage on the WSFC Nodes ................................................................................................ 12
IP Addressing on the WSFC Nodes ..................................................................................... 14
Windows Server Failover Clustering ................................................................................... 14
Always On Configuration ..................................................................................................... 15
Deployment Options ............................................................................................................... 16
Deployment Steps ................................................................................................................... 17
Step 1. Prepare an AWS Account ......................................................................................... 17
Step 2. Launch the Quick Start ........................................................................................... 20
Step 3. Configure a SQL Server Always On Availability Group ......................................... 30
Log in to a Node as a Domain Administrator ................................................................. 30
Set up Permissions for the Cluster Object ....................................................................... 31
Create a Test Database or Attach an Existing Database .................................................. 31
Create an Availability Group ............................................................................................ 33

Page 2 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Step 4: Test the Cluster and Availability Group ................................................................. 38

Troubleshooting ......................................................................................................................43
Security ....................................................................................................................................44
Additional Resources .............................................................................................................. 45
GitHub Repository ..................................................................................................................46
Document Revisions................................................................................................................46

About This Guide

This Quick Start deployment guide discusses architectural considerations and configuration
steps for deploying a Microsoft Windows Server Failover Clustering (WSFC) cluster and a
SQL Server Always On Availability Group on the Amazon Web Services (AWS) Cloud. It
also provides links for viewing and launching AWS CloudFormation templates that
automate the deployment.

Note Always On Availability Groups is a feature supported by SQL Server Enterprise

edition. Running WSFC nodes in the same subnet is currently not supported on the
AWS Cloud.

The guide is for IT infrastructure architects, administrators, and DevOps professionals who
are planning to implement or extend their WSFC and SQL Server workloads on AWS.

This Quick Start supports SQL Server versions 2014, 2016, and 2017.

Quick Links
The links in this section are for your convenience. Before you launch the Quick Start, please
review the architecture, configuration, network security, and other considerations discussed
in this guide.

Note You are responsible for the costs related to your use of any AWS services used
while running this Quick Start reference deployment. See the pricing pages of the AWS
services you will be using for full details.

 If you have an AWS account, and you’re already familiar with AWS services, SQL Server,
and WSFC, you can launch the Quick Start to build the architecture shown in Figure 1 in
a new or existing virtual private cloud (VPC). The deployment takes approximately

Page 3 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

three hours. If you’re new to AWS or to SQL Server, please review the implementation
details and follow the step-by-step instructions provided later in this guide.

Launch Launch
(for new VPC) (for existing VPC)

 If you want to take a look under the covers, you can view the AWS CloudFormation
templates that automate the deployment.

View template View template

(for new VPC) (for existing VPC)

About Quick Starts

Quick Starts are automated reference deployments for key workloads on the AWS Cloud.
Each Quick Start launches, configures, and runs the AWS compute, network, storage, and
other services required to deploy a specific workload on AWS, using AWS best practices for
security and availability.

Overview
SQL Server and WSFC on AWS
This Quick Start implements a high availability solution built with Microsoft Windows
Server and SQL Server running on Amazon Elastic Compute Cloud (Amazon EC2), using
the Always On Availability Groups feature of SQL Server Enterprise edition. This
infrastructure provides the underpinnings for many Microsoft technology-based solutions
for the enterprise, including Microsoft SharePoint and .NET Framework applications.

A prerequisite for deploying a SQL Server Always On Availability Group is Windows Server
Failover Clustering (WSFC). SQL Server Always On uses WSFC to increase application
availability. WSFC provides infrastructure features that complement the high availability
and disaster recovery scenarios supported in the AWS Cloud.

Implementing WSFC in the AWS Cloud is very similar to deploying it in an on-premises

setting as long as you meet two key requirements:
 You must deploy the cluster nodes inside a virtual private cloud (VPC).
 You must deploy the cluster nodes in separate subnets.

Page 4 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

This Quick Start provides an automated deployment of WSFC that meets these
requirements and handles some of the configuration steps for you.

This guide provides step-by-step instructions and discusses AWS-specific considerations.

The guide doesn’t provide general configuration and usage information for WSFC and SQL
Server. For general guidance and best practices, consult the product documentation.

Costs and Licenses

The Quick Start provides three licensing options for SQL Server Enterprise edition. You
can:
 Install a trial version of SQL Server 2014, 2016, or 2017 Enterprise edition from the
Microsoft download site.
 Use the Amazon Machine Image (AMI) with license costs for SQL Server Enterprise
edition included.
 Use your volume licensing software and mobilize the license. For details, see the
Microsoft License Mobility through Software Assurance program. For development and
test environments, you can leverage your existing MSDN licenses for SQL Server using
Amazon EC2 Dedicated Instances. For details, see the MSDN on AWS webpage.

This Quick Start launches one of the following Windows Server AMIs, depending on which
version of SQL Server you choose to deploy, and includes the license for the Windows
Server operating system:
 AMI for Windows Server 2012 R2, if you choose to deploy SQL Server 2014 or 2016
 AMI for Windows Server 2016, if you choose to deploy SQL Server 2017

The AMI is updated on a regular basis with the latest service pack for the operating system.

You are responsible for the cost of the AWS services used while running this Quick Start
reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation template for this Quick Start includes configuration parameters
that you can customize. Some of these settings, such as instance type, volume size, or opting
to use the Amazon-provided AMI for SQL Server, will affect the cost of deployment. See the
pricing pages for each AWS service you will be using for cost estimates.

Page 5 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

AWS Services
The core AWS components used by this Quick Start include the following AWS services. (If
you are new to AWS, see the Getting Started Resource Center.)
 Amazon EC2 – The Amazon Elastic Compute Cloud (Amazon EC2) service enables you
to launch virtual machine instances with a variety of operating systems. You can choose
from existing AMIs or import your own virtual machine images.
 Amazon EBS – Amazon Elastic Block Store (Amazon EBS) provides persistent block-
level storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each
Amazon EBS volume is automatically replicated within its Availability Zone to protect
you from component failure, offering high availability and durability. Amazon EBS
volumes provide the consistent and low-latency performance needed to run your
workloads.
 Amazon VPC – The Amazon Virtual Private Cloud (Amazon VPC) service lets you
provision a private, isolated section of the AWS Cloud where you can launch AWS
services and other resources in a virtual network that you define. You have complete
control over your virtual networking environment, including selection of your own IP
address range, creation of subnets, and configuration of route tables and network
gateways.

In addition, you should be familiar with the following:

 Windows Server 2012 R2 or 2016, depending on the SQL Server version
 Windows Server Active Directory and DNS
 Windows Server Failover Clustering (WSFC)
 SQL Server Always On Availability Groups

For information, see the Microsoft product documentation for these technologies.

Page 6 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Architecture
Deploying this Quick Start for a new VPC with the default parameters builds the
following environment in the AWS Cloud.

Figure 1: WSFC and SQL Server architecture on AWS (default configuration)

Page 7 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

You can also choose to build an architecture with three Availability Zones, as shown in
Figure 2.

Figure 2: WSFC and SQL Server architecture on AWS with three Availability Zones

The deployment includes the following components.

Note If you use the option to deploy the Quick Start into your existing VPC and AD
DS infrastructure, the components marked by asterisks are skipped. For details about
the underlying Active Directory and network design, see the Quick Start for Active
Directory Domain Services.

 A virtual private cloud (VPC) configured with public and private subnets across two
Availability Zones. This provides the network infrastructure for your SQL Server
deployment. You can optionally choose a third Availability Zone for the file share
witness or for an additional SQL cluster node, as shown in Figure 2.*
 An internet gateway to provide access to the internet.*

Page 8 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

 In the public subnets, Windows Server-based Remote Desktop Gateway (RDGW)

instances and network address translation (NAT) gateways for outbound internet
access.*
 Elastic IP addresses associated with the NAT gateway and RDGW instances.*
 In the private subnets, Active Directory domain controllers.*
 In the private subnets, Windows Server-based instances as WSFC nodes.
 SQL Server Enterprise edition with SQL Server Always On Availability Groups on each
WSFC node. This architecture provides redundant databases along with a witness server
to ensure that a quorum can vote for the node to be promoted to master. The default
architecture mirrors an on-premises architecture of two SQL Server instances spanning
two subnets placed in two different Availability Zones, as shown in Figure 3.
 Security groups to ensure the secure flow of traffic between the instances deployed in
the VPC.

Best Practices
The architecture built by this Quick Start supports AWS best practices for high availability
and security.

High Availability and Disaster Recovery

Amazon EC2 provides the ability to place instances in multiple locations composed of AWS
Regions and Availability Zones. Regions are dispersed and located in separate geographic
areas. Availability Zones are distinct locations within a region that are engineered to be
isolated from failures in other Availability Zones and that provide inexpensive, low-latency
network connectivity to other Availability Zones in the same region.

By launching your instances in separate regions, you can design your application to be
closer to specific customers or to meet legal or other requirements. By launching your
instances in separate Availability Zones, you can protect your applications from the failure
of a single location. WSFC provides infrastructure features that complement the high
availability and disaster recovery scenarios supported in the AWS Cloud.

Automatic Failover
Deploying the Quick Start with the default parameters configures a two-node automatic
failover cluster with a file share witness. On this cluster, it deploys an Always On
Availability Group with two availability replicas.

Page 9 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Figure 3: SQL Server Always On Availability Groups and automatic failover

The Quick Start implementation supports the following scenarios:

 Protection from the failure of a single instance
 Automatic failover between the cluster nodes
 Automatic failover between Availability Zones
However, the Quick Start default implementation doesn’t provide automatic failover in
every case. For example, the loss of Availability Zone 1, which contains the primary node
and file share witness, would prevent automatic failover to Availability Zone 2. This is
because the cluster would fail as it loses quorum. In this scenario, you could follow manual
disaster recovery steps that include restarting the cluster service and forcing quorum on the
second cluster node (e.g., WSFCNode2) to restore application availability. The Quick Start
also provides an option to deploy into three Availability Zones. This deployment option can
mitigate this loss of quorum in the case of a failure of a single node. However, you can select
this option only in AWS Regions that include three or more Availability Zones; for a current
list, see the AWS Global Infrastructure webpage.

We recommend that you consult the Microsoft SQL Server documentation and customize
some of the steps described in this guide or add additional ones (e.g., deploy additional

Page 10 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

cluster nodes and configure them as readable secondary replicas) to deploy a solution that
best meets your business, IT, and security requirements.

Security Groups and Firewalls

When the EC2 instances are launched, they must be associated with a security group, which
acts as a stateful firewall. You have complete control over the network traffic entering or
leaving the security group, and you can build granular rules that are scoped by protocol,
port number, and source or destination IP address or subnet. By default, all traffic
egressing a security group is permitted. Ingress traffic, on the other hand, must be
configured to allow the appropriate traffic to reach your instances.

The Securing the Microsoft Platform on Amazon Web Services whitepaper discusses the
different methods for securing your AWS infrastructure. Recommendations include
providing isolation between application tiers using security groups. We recommend that
you tightly control ingress traffic in order to reduce the attack surface of your EC2
instances.

Domain controllers and member servers require several security group rules to allow traffic
for services such as AD DS replication, user authentication, Windows Time services, and
Distributed File System (DFS), among others. The WSFC nodes running SQL Server will
need to permit several additional ports to communicate with each other as well. Finally,
instances launched into the application server tier will need to establish SQL client
connections to the WSFC nodes.

The Quick Start creates a number of security groups and rules for you. For a detailed list of
port mappings, see the Security section of the Active Directory deployment guide, and the
Security section of this guide.

In addition to security groups, the Windows firewall also needs to be modified on the SQL
Server instances. During the bootstrapping process, a script will run on each instance that
opens the TCP ports 1433, 1434, 4022, 5022, 5023, and 135 on the Windows firewall.

Implementation Details
SQL Server Enterprise Edition
Amazon Machine Images (AMIs) for the SQL Server 2014 and 2016 Enterprise edition are
available for launch on AWS, with the limitations discussed in the Costs and Licenses
section. If you keep the default (no) setting for the Amazon-Provided SQL License
(SQLLicenseProvided) parameter, this Quick Start automatically connects to the

Page 11 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Microsoft download site and installs the trial software for SQL Server Enterprise edition. If
you set the parameter to yes, the Quick Start uses the Amazon-provided AMI, which
includes a license for SQL Server Enterprise edition.

You’ll find the installation software on each node in the C:\sqlinstall\ folder. If you have
to re-run the installation, make sure you select Run as Administrator to start the
installation.

The SQL services are configured to run under the sqlsa account that is created in Active
Directory. This account is also added to the local administrators groups on each WSFC
node.

Note AWS does not provide installation media for Microsoft software. If you are not
using the AWS CloudFormation templates, you can set up a test or evaluation
environment by downloading a trial version of SQL Server at
http://www.microsoft.com/evalcenter/.

Storage on the WSFC Nodes

Storage capacity and performance are key aspects of any production SQL Server
installation. Although capacity and performance will vary from one deployment to the next,
this Quick Start provides a reference configuration that you can use as a starting point. The
AWS CloudFormation template deploys the WSFC nodes using the memory-optimized
r4.2xlarge instance type by default.

In an effort to provide highly performant and durable storage, we’ve also included Amazon
Elastic Block Store (Amazon EBS) volumes in this reference architecture. EBS volumes are
network-attached disk storage, which you can create and attach to EC2 instances. Once
these are attached, you can create a file system on top of these volumes, run a database, or
use them in any other way you would use a block device. EBS volumes are placed in a
specific Availability Zone, where they are automatically replicated to protect you from the
failure of a single component.

Provisioned IOPS EBS volumes offer storage with consistent and low-latency performance.
They are backed by solid state drives (SSDs) and are designed for applications with I/O-
intensive workloads such as databases.

Amazon EBS-optimized instances, such as the R4 instance type, deliver dedicated

throughput between Amazon EC2 and Amazon EBS. The dedicated throughput minimizes

Page 12 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

contention between Amazon EBS I/O and other traffic from your EC2 instance, and
provides the best performance for your EBS volumes.

By default, on each WSFC node, the Quick Start deploys three 500-GiB General Purpose
SSD volumes to store databases, logs, tempdb, and backups. This is in addition to the root
General Purpose SSD volume used by the operating system. This volume type delivers a
consistent baseline of 3 IOPS/GiB, which provides a total of 1,500 IOPS per volume for SQL
Server database and log volumes. You can customize the volume size, and you can also
switch to using dedicated IOPS volumes with the volume you specify. If you need more
IOPS per volume, consider using Provisioned IOPS SSD volumes by changing the SQL
Server Volume Type and SQL Server Volume IOPS parameters, or use disk striping
within Windows.

The default disk layout for SQL Server in this Quick Start uses the following EBS volumes:
 One General Purpose SSD volume (100 GiB) for the operating system (C:)
 One General Purpose SSD volume (500 GiB) to host the SQL Server database files (D:)
 One General Purpose SSD volume (500 GiB) to host the SQL Server log files (E:)
 One General Purpose SSD volume (500 GiB) to host the SQL Server tempdb and backup
files (F:)

Figure 4 shows the disk layout on each SQL Server node. The Z: drive is instance storage
that can be used for ephemeral data, such as the operating system page file. Keep in mind
that data on instance storage will be lost when you stop your EC2 instance.

Figure 4: WSFC node disk layout

Page 13 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

IP Addressing on the WSFC Nodes

In order to support WSFC and Always On Availability Group listeners, each node hosting
the SQL Server instances participating in the cluster will need to have three IP addresses
assigned:
 One IP address is used as the primary IP address for the instance.
 A second IP address acts as the WSFC IP resource.
 A third IP address is used to host the Always On Availability Group listener.

When you launch the AWS CloudFormation template, you can specify the addresses for
each node. By default, the 10.0.0.0/19, 10.0.32.0/19, and 10.0.64.0/19 CIDR blocks are
used for the private subnets.

Figure 4: Defining WSFC node IP addresses

Windows Server Failover Clustering

Once your Windows Server instances have been deployed and domain-joined, you’re ready
to build the cluster. The AWS CloudFormation templates carry out this task when deploying
the second node. If you use the default template parameter settings, the Quick Start
executes the following Windows PowerShell commands to complete this task:

Install-WindowsFeature failover-clustering –IncludeManagementTools

New-Cluster -Name WSFCluster1 -Node WSFCNODE1,WSFCNODE2

-StaticAddress 10.0.0.101,10.0.64.101

The first command runs on each instance during the bootstrapping process. It installs the
required components and management tools for the failover clustering services. The second

Page 14 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

command runs near the end of the bootstrapping process on the second node and is
responsible for creating the cluster and for defining the server nodes and IP addresses.

By default, the Quick Start configures an even number of servers in the cluster. You’ll need
a third resource to maintain a majority vote to keep the cluster online in the event of an
individual server failure. For this, the Quick Start uses a dedicated file share witness
instance, which requires modifying the cluster settings to NodeAndFileShareMajority.
The first step in making this configuration change is to create the share. By default, the
Quick Start creates a dedicated instance in the first Availability Zone to host this share. For
production environments, you can also set the Third AZ parameter to witness to create a
dedicated instance with a file share in a third Availability Zone. Alternatively, you can use
any domain-joined server for this task. (This isn’t included in the Quick Start.) If you set the
Third AZ parameter to full, the Quick Start will keep the quorum settings to the default
node majority and will create a third SQL Server node in the third Availability Zone. Note
that some AWS Regions support only two Availability Zones; for a current list, see the AWS
Global Infrastructure webpage.

By default, the witness file share is \\WSFCFileServer\witness. The Active Directory

computer account that is created when forming the cluster (e.g., WSFCNODE1) is given
NTFS permissions to access the share. After that, the cluster is updated to use the share as
the file share witness resource.

Set-ClusterQuorum -NodeAndFileShareMajority \\WSFCFileServer\witness

Always On Configuration
After SQL Server Enterprise edition has been installed and the Windows Server failover
cluster has been built, the Quick Start enables SQL Server Always On with the following
PowerShell command:

Enable-SqlAlwaysOn -ServerInstance WSFCNODE1

The Quick Start runs this command on each node, and the proper server name is provided
as a value for the ServerInstance parameter.

The Quick Start automated solution ends after enabling SQL Server Always On. When the
deployment is complete, you can create your databases and make them highly available by
creating an Always On Availability Group. This process is covered in step 3 of the
deployment instructions.

Page 15 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

When you create an availability group, you’ll need to provide a network share used to
perform an initial data synchronization. As you progress through the New Availability
Group wizard, a full backup for each selected database is taken and placed in the share.
The secondary node connects to the share and restores the database backups before joining
the availability group.

To accommodate this initial synchronization, the Quick Start creates a folder called
C:\replica on the first domain controller, using the share name replica. By default, the file
share is defined as \\WSFCFileServer\replica. If you set the Third AZ parameter to
full, the Quick Start creates the replica share on the first WSFC node in the first
Availability Zone. Since SQL services run in this account, the sqlsa Active Directory user
account is given NTFS permissions to this share.

Deployment Options
This Quick Start provides two deployment options:
 Deploy SQL Server into a new VPC (end-to-end deployment). This option builds
a new AWS environment consisting of the VPC, subnets, NAT gateways, security
groups, domain controllers, and other infrastructure components, and then deploys
WSFC and SQL Server into this new VPC.

 Deploy SQL Server into an existing VPC. This option provisions WSFC in your
existing AWS infrastructure. It creates one Windows Server–based instance to host a
sample application that can test your cluster and allow you to see the failover occur
between the different nodes in your deployment. Your AWS environment must
include a VPC with two or three Availability Zones, public and private subnets in each
Availability Zone, Remote Desktop Gateway and NAT gateways deployed into the
public subnet, and Active Directory Domain Services deployed into the private
subnet.

The Quick Start provides separate templates for these options. It also lets you configure
additional settings such as the version of SQL Server you’d like to install, CIDR blocks,
instance types, and software settings, as discussed later in this guide.

Page 16 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Deployment Steps
The procedure for deploying SQL Server on AWS consists of the following steps. For
detailed instructions, follow the links for each step.
Step 1. Prepare an AWS account
This involves signing up for an AWS account, choosing a region, creating a key pair, and
requesting increases for account limits, if necessary.

Step 2. Launch the Quick Start

In this step, you’ll launch the AWS CloudFormation template into your AWS account,
specify parameter values, and create the stack. The Quick Start provides separate templates
for end-to-end deployment and deployment into an existing VPC.

Step 3. Configure a SQL Server Always On Availability Group

After deployment is complete, you’ll configure the WSFC nodes with a SQL Server database
and create an Always On Availability Group.

Step 4. Test the cluster and availability group

Before putting the availability group into production, you’ll test your deployment and the
cluster’s behavior during an automatic failover or a disaster recovery event.

Step 1. Prepare an AWS Account

1. If you don’t already have an AWS account, create one at https://aws.amazon.com by
following the on-screen instructions. Part of the sign-up process involves receiving a
phone call and entering a PIN using the phone keypad.
2. Use the region selector in the navigation bar to choose the AWS Region where you want
to deploy the software on AWS. For more information, see Regions and Availability
Zones. Regions are dispersed and located in separate geographic areas. Each Region
includes at least two Availability Zones that are isolated from one another but connected
through low-latency links. Deploying your cloud applications across multiple
Availability Zones helps you achieve high availability, even in the face of natural
disasters that might impact a single Availability Zone.

Page 17 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Figure 5: Choosing an AWS Region

Consider choosing a region closest to your data center or corporate network to reduce
network latency between systems running on AWS and the systems and users on your
corporate network.
If you’re planning to use a third Availability Zone for a file share witness instance or a
third SQL Server node, choose an AWS Region that includes three or more Availability
Zones; see the AWS Global Infrastructure webpage for a list.
3. Create a key pair in your preferred region. To do this, in the navigation pane of the
Amazon EC2 console, choose Key Pairs, Create Key Pair, type a name, and then
choose Create.

Page 18 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Figure 6: Creating a key pair

Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. To
be able to log in to your instances, you must create a key pair. With Windows instances,
we use the key pair to obtain the administrator password via the Amazon EC2 console
and then log in using Remote Desktop Protocol (RDP) as explained in the step-by-step
instructions in the Amazon EC2 User Guide.
4. If necessary, request a service limit increase for the Amazon EC2 r4.2xlarge instance
type. To do this, in the AWS Support Center, choose Create Case, Service Limit
Increase, EC2 instances, and then complete the fields in the limit increase form.
You might need to request an increase if you already have an existing deployment that
uses this instance type, and you think you might exceed the default limit with this
reference deployment. It might take a few days for the new service limit to become
effective. For more information, see Amazon EC2 Service Limits in the AWS
documentation.

Page 19 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Figure 7: Requesting a service limit increase

Step 2. Launch the Quick Start

1. Choose one of the following options to launch the AWS CloudFormation template into
your AWS account. For help choosing an option and prerequisites for deploying the
software into an existing VPC, see deployment options earlier in this guide.

Option 1 Option 2
Deploy software into Deploy software into
a new VPC on AWS an existing VPC on AWS

Launch Launch

Each stack takes approximately three hours to create.

Page 20 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Note You are responsible for the cost of the AWS services used while running this
Quick Start reference deployment. There is no additional cost for using this Quick
Start. For full details, see the pricing pages for each AWS service you will be using in
this Quick Start.

2. Check the region that’s displayed in the upper-right corner of the navigation bar, and
change it if necessary. This is where the network infrastructure will be built. The
template is launched in the US East (Ohio) Region by default.
3. On the Select Template page, keep the default setting for the template URL, and then
choose Next.
4. On the Specify Details page, change the stack name if needed. Review the parameters
for the template. Provide values for the parameters that require input. For all other
parameters, review the default settings and customize them as necessary. When you
finish reviewing and customizing the parameters, choose Next.
In the following tables, parameters are listed and described separately for the two
deployment scenarios:
– Parameters for deployment into a new VPC
– Parameters for deployment into an existing VPC

 Scenario 1: Parameters for deployment into a new VPC

View the template for a new VPC

Network Configuration:
Parameter label (name) Default Description

Availability Zones Requires input The list of Availability Zones to use for the subnets in
(AvailabilityZones) the VPC. You must specify two zones if the Third AZ
parameter is set to no, or three zones if the Third AZ
parameter is set to yes. The Quick Start preserves the
logical order you specify.

Third AZ no Change this setting if you’d like to use three Availability

(ThirdAZ) Zones in your deployment. Choose witness to use the
third zone for the file share witness, or full to use the
third zone as a full SQL Server cluster node. If you
choose witness, you must set the File Server Private
IP Address parameter under Failover Cluster
Configuration to an IP in the third subnet range.

VPC CIDR 10.0.0.0/16 CIDR block for the VPC to create.

(VPCCIDR)

Page 21 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Parameter label (name) Default Description

Public Subnet 1 CIDR 10.0.128.0/20 CIDR block for the public (DMZ) subnet located in
(PublicSubnet1CIDR) Availability Zone 1.

Public Subnet 2 CIDR 10.0.144.0/20 CIDR block for the public (DMZ) subnet located in
(PublicSubnet2CIDR) Availability Zone 2.

Public Subnet 3 CIDR 10.0.160.0/20 CIDR block for the optional public (DMZ) subnet
(PublicSubnet3CIDR) located in Availability Zone 3, if you’ve chosen to use a
third zone.

Private Subnet 1 CIDR 10.0.0.0/19 CIDR block for the private subnet located in Availability
(PrivateSubnet1CIDR) Zone 1.

Private Subnet 2 CIDR 10.0.32.0/19 CIDR block for the private subnet located in Availability
(PrivateSubnet2CIDR) Zone 2.

Private Subnet 3 CIDR 10.0.64.0/19 CIDR block for the optional private subnet located in
(PrivateSubnet3CIDR) Availability Zone 3, if you’ve chosen to use a third zone.

Amazon EC2 Configuration:

Parameter label (name) Default Description

Key Pair Name Requires input Public/private key pair, which allows you to connect
(KeyPairName) securely to your instance after it launches. When you
created an AWS account, this is the key pair you created
in your preferred region.

Tenancy Shared Host type. If you choose Dedicated or Dedicated

(HostType) Host, hosts will be created in each Availability Zone.

BYOL AMI to Use on Requires input Your imported bring your own license (BYOL) AMI ID,
Dedicated Host if you set the Tenancy parameter to Dedicated or
(DedicatedHostAMI) Dedicated Host.

Standard Active Directory Configuration:

Parameter label (name) Default Description

AD Scenario Type AWS Directory The type of Active Directory deployment to use. You can
(ADScenarioType) Service for use AWS Directory Service for Active Directory,
Microsoft AD or choose Microsoft AD on Amazon EC2 to manage
your own EC2 instances for Active Directory.

Domain DNS Name example.com Fully qualified domain name (FQDN) of the forest root
(DomainDNSName) domain.

Domain NetBIOS Name example NetBIOS name of the domain for users of earlier
(DomainNetBIOSName) versions of Windows. This can be up to 15 characters
long.

Domain Admin Password Requires input Password for the domain administrator user. This must
(DomainAdminPassword) be a complex password that’s at least 8 characters long.

Page 22 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Self-Managed Active Directory Configuration (for non-AWS Directory Service

architecture):

Note The parameters in this section are ignored if you have selected AWS Directory
Service for Microsoft AD as the AD Scenario Type.

Parameter label (name) Default Description

Domain Admin User Name StackAdmin User name for the account that is added as domain
(DomainAdminUser) administrator. This is separate from the default
administrator account.

Domain Controller 1 Instance m4.xlarge EC2 instance type for the first Active Directory instance.
Type
(ADServer1InstanceType)

Domain Controller 1 NetBIOS DC1 NetBIOS name of the first Active Directory server. This
Name can be up to 15 characters long.
(ADServer1NetBIOSName)

Domain Controller 1 Private IP 10.0.0.10 Fixed private IP for the first Active Directory server
Address located in Availability Zone 1.
(ADServer1PrivateIP)

Domain Controller 2 Instance m4.xlarge EC2 instance type for the second Active Directory
Type instance.
(ADServer2InstanceType)

Domain Controller 2 NetBIOS DC2 NetBIOS name of the second Active Directory server.
Name This can be up to 15 characters long.
(ADServer2NetBIOSName)

Domain Controller 2 Private 10.0.32.10 Fixed private IP for the second Active Directory server
IP Address located in Availability Zone 2.
(ADServer2PrivateIP)

Restore Mode Password Requires input Password for a separate administrator account when
(RestoreModePassword) the domain controller is in restore mode. This must be a
complex password that’s at least 8 characters long.

Remote Desktop Configuration:

Parameter label (name) Default Description

Allowed Remote Desktop Requires input Allowed CIDR block for external access to the Remote
Gateway External Access CIDR Desktop Gateway instances. We recommend that you
(RDGWCIDR) set this value to a trusted CIDR block.

Number of RDGW hosts 1 The number of RD Gateway instances to create. You can
(NumberOfRDGWHosts) choose 1-4 instances.

Remote Desktop Gateway t2.large EC2 instance type for the Remote Desktop Gateway
Instance Type instances.
(RDGWInstanceType)

Page 23 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Microsoft SQL Server Configuration:

Parameter label (name) Default Description

SQL Server Version 2016 The version of SQL Server Enterprise edition to install
(SQLServerVersion) on the cluster nodes: 2014, 2016, or 2017.

Service Account Name sqlsa User name for the SQL Server service account. This
(SQLServiceAccount) account is a domain user.

Service Account Password Requires input Password for the SQL Server service account. This must
(SQLServiceAccountPassword) be a complex password that’s at least 8 characters long.

Amazon-Provided SQL no Set to yes to use the license-included SQL Server AMI
Server License from AWS. For more information about licensing
(SQLLicenseProvided) options, see the Cost and Licenses section.

SQL Server Volume IOPS 1000 Provisioned IOPS for the SQL Server data, logs, and
(VolumeIops) tempdb volumes. This setting applies only when the
SQL Server Volume Type parameter is set to io1.

SQL Server Volume Size 500 Volume size for the SQL Server data, logs, and tempdb
(VolumeSize) volumes, in GiB.

SQL Server Volume Type gp2 Volume type (gp2 or io1) for the SQL Server data, logs,
(VolumeType) and tempdb volumes.

Failover Cluster Configuration:

Parameter label (name) Default Description

Instance Type for Cluster r4.2xlarge EC2 instance type for the WSFC nodes.
Nodes
(WSFCNodeInstanceType)

Cluster Node 1 NETBIOS Name WSFCNode1 NetBIOS name of the first WSFC node. This can be up
(WSFCNode1NetBIOSName) to 15 characters long.

Cluster Node 1 Private IP 10.0.0.100 Primary private IP for the first WSFC node.
Address 1
(WSFCNode1PrivateIP1)

Cluster Node 1 Private IP 10.0.0.101 Secondary private IP for the first WSFC node.
Address 2
(WSFCNode1PrivateIP2)

Cluster Node 1 Private IP 10.0.0.102 Third private IP for the first WSFC node.
Address 3
(WSFCNode1PrivateIP3)

Cluster Node 2 NETBIOS Name WSFCNode2 NetBIOS name of the second WSFC node. This can be
(WSFCNode2NetBIOSName) up to 15 characters long.

Cluster Node 2 Private IP 10.0.32.100 Primary private IP for the second WSFC node.
Address 1
(WSFCNode2PrivateIP1)

Page 24 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Parameter label (name) Default Description

Cluster Node 2 Private IP 10.0.32.101 Secondary private IP for the second WSFC node.
Address 2
(WSFCNode2PrivateIP2)

Cluster Node 2 Private IP 10.0.32.102 Third private IP for the second WSFC node.
Address 3
(WSFCNode2PrivateIP3)

Cluster Node 3 NETBIOS Name WSFCNode3 NetBIOS name of the third (optional) WSFC node. This
(WSFCNode3NetBIOSName) can be up to 15 characters long.

Cluster Node 3 Private IP 10.0.64.100 Primary private IP for the third (optional) WSFC node.
Address 1
(WSFCNode3PrivateIP1)

Cluster Node 3 Private IP 10.0.64.101 Secondary private IP for the third (optional) WSFC
Address 2 node.
(WSFCNode3PrivateIP2)

Cluster Node 3 Private IP 10.0.64.102 Third private IP for the third (optional) WSFC node.
Address 3
(WSFCNode3PrivateIP3)

File Server Instance Type t2.small EC2 instance type for the file server used to share
(WSFCFileServerInstanceType) installation media, witness, and replication folders.

File Server Private IP Address 10.0.0.200 Primary private IP for the file server located in
(WSFCFileServerPrivateIP) Availability Zone 1. If you choose witness for the
Third AZ parameter in the Network Configuration
section, you must specify an IP in the third subnet
range.

AWS Quick Start Configuration:

Parameter label (name) Default Description

Quick Start S3 Bucket Name aws-quickstart S3 bucket where the Quick Start templates and scripts
(QSS3BucketName) are installed. Use this parameter to specify the S3
bucket name you’ve created for your copy of Quick Start
assets, if you decide to customize or extend the Quick
Start for your own use. The bucket name can include
numbers, lowercase letters, uppercase letters, and
hyphens, but should not start or end with a hyphen.

Quick Start S3 Key Prefix quickstart- The S3 key name prefix used to simulate a folder for
(QSS3KeyPrefix) microsoft-sql/ your copy of Quick Start assets, if you decide to
customize or extend the Quick Start for your own use.
This prefix can include numbers, lowercase letters,
uppercase letters, hyphens, and forward slashes.

Page 25 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

 Parameters for deployment into an existing VPC

View the template for existing VPC

Network Configuration:
Parameter label (name) Default Description

Third AZ no Change this setting if you’d like to use three Availability

(ThirdAZ) Zones in your deployment. Choose witness to use the
third zone for the file share witness, or full to use the
third zone as a full SQL Server cluster node. If you
choose witness, you must set the File Server Private
IP Address parameter under Failover Cluster
Configuration to an IP in the third subnet range.

VPC ID Requires input ID of your existing VPC (e.g., vpc-0343606e).

(VPCID)

Private Subnet 1 ID Requires input ID of the private subnet in Availability Zone 1 in your
(PrivateSubnet1ID) existing VPC (e.g., subnet-a0246dcd).

Private Subnet 2 ID Requires input ID of the private subnet in Availability Zone 2 in your
(PrivateSubnet2ID) existing VPC (e.g., subnet-b58c3d67).

Private Subnet 3 ID — ID of the private subnet in Availability Zone 3 in your

(PrivateSubnet3ID) existing VPC (e.g., subnet- 7f16e910), if you’re using
three Availability Zones.

Amazon EC2 Configuration:

Parameter label (name) Default Description

Key Pair Name Requires input Public/private key pair, which allows you to connect
(KeyPairName) securely to your instance after it launches. When you
created an AWS account, this is the key pair you created
in your preferred region.

Tenancy Shared Host type. If you choose Dedicated or Dedicated

(HostType) Host, hosts will be created in each Availability Zone.

BYOL AMI to Use on Requires input Your imported bring your own license (BYOL) AMI ID,
Dedicated Host if you set the Tenancy parameter to Dedicated or
(DedicatedHostAMI) Dedicated Host.

Microsoft Active Directory Configuration:

Parameter label (name) Default Description

Domain DNS Name example.com Fully qualified domain name (FQDN) of the forest root
(DomainDNSName) domain.

Page 26 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Parameter label (name) Default Description

Domain NetBIOS Name example NetBIOS name of the domain for users of earlier
(DomainNetBIOSName) versions of Windows. This can be up to 15 characters
long.

Domain Admin User Name StackAdmin User name for the account that is added as domain
(DomainAdminUser) administrator. This is separate from the default
administrator account.

Domain Admin Password Requires input Password for the domain administrator user. This must
(DomainAdminPassword) be a complex password that’s at least 8 characters long.

Security Group ID for AD Requires input ID of the domain name security group (e.g., sq-
Domain Members 7f16e910).
(DomainMemberSGID)

Microsoft SQL Server Configuration:

Parameter label (name) Default Description

SQL Server Version 2016 The version of SQL Server Enterprise edition to install
(SQLServerVersion) on the cluster nodes: 2014, 2016, or 2017.

Service Account Name sqlsa User name for the SQL Server service account. This
(SQLServiceAccount) account is a domain user.

Service Account Password Requires input Password for the SQL Server service account. This must
(SQLServiceAccountPassword) be a complex password that’s at least 8 characters long.

Amazon-Provided no Set to yes to use the license-included SQL Server AMI

SQL Server License from AWS. For more information about licensing
(SQLLicenseProvided) options, see the Cost and Licenses section.

Data Volume Size 500 Volume size for the SQL Server data drive, in GiB.
(Volume1Size)

Data Volume Type gp2 Volume type (gp2 or io1) for the SQL Server data drive.
(Volume1Type)

Data Volume IOPS 1000 Provisioned IOPS for the SQL Server data drive. This
(Volume1Iops) setting applies only when the Data Volume Type
parameter is set to io1.

Logs Volume Size 500 Volume size for the SQL Server Logs drive, in GiB.
(Volume2Size)

Logs Volume Type gp2 Volume type (gp2 or io1) for the SQL Server Logs drive.
(Volume2Type)

Logs Volume IOPS 1000 Provisioned IOPS for the SQL Server Logs drive. This
(Volume2Iops) setting applies only when the Logs Volume Type
parameter is set to io1.

TempDB Volume Size 500 Volume size for the SQL Server tempdb drive, in GiB.
(Volume3Size)

Page 27 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Parameter label (name) Default Description

TempDB Volume Type gp2 Volume type (gp2 or io1) for the SQL Server tempdb
(Volume3Type) drive.

TempDb Volume IOPS 1000 Provisioned IOPS for the SQL Server tempdb drive. This
(Volume3Iops) setting applies only when the TempDB Volume Type
parameter is set to io1.

Failover Cluster Configuration:

Parameter label (name) Default Description

File Server Instance Type t2.small EC2 instance type for the file server used to share
(WSFCFileServerInstanceType) installation media, witness, and replication folders.

File Server NetBIOS Name WSFCFileServer NetBIOS name of the WSFC file server (up to 15
(WSFCFileServerNetBIOSName) characters).

File Server Private IP Address 10.0.0.200 Primary private IP for the file server in Availability Zone
(WSFCFileServerPrivateIP) 1. If you choose witness for the Third AZ parameter
in the Network Configuration section, you must specify
an IP in the third subnet range.

Instance Type for Cluster Node 1 r4.2xlarge EC2 instance type for the first WSFC node.
(WSFCNode1InstanceType)

Cluster Node 1 NETBIOS Name WSFCNode1 NetBIOS name of the first WSFC node. This can be up
(WSFCNode1NetBIOSName) to 15 characters long.

Cluster Node 1 Private IP 10.0.0.100 Primary private IP for the first WSFC node.
Address 1
(WSFCNode1PrivateIP1)

Cluster Node 1 Private IP 10.0.0.101 Secondary private IP for the first WSFC node.
Address 2
(WSFCNode1PrivateIP2)

Cluster Node 1 Private IP 10.0.0.102 Third private IP for the first WSFC node.
Address 3
(WSFCNode1PrivateIP3)

Dedicated Host ID for Node 1 — Dedicated host ID for the first WSFC node. This
(DedicatedHostIDNode1) parameter is used only if you set the Tenancy
parameter to Dedicated Host.

Instance Type for Cluster r4.2xlarge EC2 instance type for the second WSFC node.
Node 2
(WSFCNode2InstanceType)

Cluster Node 2 NETBIOS Name WSFCNode2 NetBIOS name of the second WSFC node. This can be
(WSFCNode2NetBIOSName) up to 15 characters long.

Cluster Node 2 Private IP 10.0.32.100 Primary private IP for the second WSFC node.
Address 1
(WSFCNode2PrivateIP1)

Page 28 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Parameter label (name) Default Description

Cluster Node 2 Private IP 10.0.32.101 Secondary private IP for the second WSFC node.
Address 2
(WSFCNode2PrivateIP2)

Cluster Node 2 Private IP 10.0.32.102 Third private IP for the second WSFC node.
Address 3
(WSFCNode2PrivateIP3)

Dedicated HostID for Node 2 — Dedicated host ID for the second WSFC node. This
(DedicatedHostIDNode2) parameter is used only if you set the Tenancy
parameter to Dedicated Host.

Instance Type for Cluster r4.2xlarge EC2 instance type for the third (optional) WSFC node.
Node 3
(WSFCNode3InstanceType)

Cluster Node 3 NETBIOS Name WSFCNode3 NetBIOS name of the third (optional) WSFC node. This
(WSFCNode3NetBIOSName) can be up to 15 characters long.

Cluster Node 3 Private IP 10.0.64.100 Primary private IP for the third (optional) WSFC node.
Address 1
(WSFCNode3PrivateIP1)

Cluster Node 3 Private IP 10.0.64.101 Secondary private IP for the third (optional) WSFC
Address 2 node.
(WSFCNode3PrivateIP2)

Cluster Node 3 Private IP 10.0.64.102 Third private IP for the third (optional) WSFC node.
Address 3
(WSFCNode3PrivateIP3)

Dedicated HostID for Node 3 — Dedicated host ID for the optional third WSFC node.
(DedicatedHostIDNode3) This parameter is used only if you set the Tenancy
parameter to Dedicated Host.

AWS Quick Start Configuration:

Parameter label (name) Default Description

Quick Start S3 Bucket Name aws-quickstart S3 bucket where the Quick Start templates and scripts
(QSS3BucketName) are installed. Use this parameter to specify the S3
bucket name you’ve created for your copy of Quick Start
assets, if you decide to customize or extend the Quick
Start for your own use. The bucket name can include
numbers, lowercase letters, uppercase letters, and
hyphens, but should not start or end with a hyphen.

Quick Start S3 Key Prefix quickstart- The S3 key name prefix used to simulate a folder for
(QSS3KeyPrefix) microsoft-sql/ your copy of Quick Start assets, if you decide to
customize or extend the Quick Start for your own use.
This prefix can include numbers, lowercase letters,
uppercase letters, hyphens, and forward slashes.

Page 29 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

5. On the Options page, you can specify tags (key-value pairs) for resources in your stack
and set advanced options. When you’re done, choose Next.
6. On the Review page, review and confirm the template settings. Under Capabilities,
select the check box to acknowledge that the template will create IAM resources.
7. Choose Create to deploy the stack.
8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the WSFC
cluster is ready.
9. You can use the URLs displayed in the Outputs tab for the stack to view the resources
that were created.

Step 3. Configure a SQL Server Always On Availability

Group
Note If you’re using a third Availability Zone as a full SQL Server cluster node (that is,
if you set the Third AZ parameter to full), take that into consideration when following
the steps in this section.

After you have successfully deployed the Quick Start, you can set up permissions for AWS
Directory Service (if applicable), configure the WSFC nodes by choosing and backing up a
database, and create and configure an availability group.

Log in to a Node as a Domain Administrator

Before you continue, log in to one of the nodes as a domain administrator. (Note that the
domain administrator account is different from the local administrator account.) For
credentials, use the default user name StackAdmin or the user name you set for the
Domain Admin User Name (DomainAdminUser) parameter, and use the password
you set for the Domain Admin Password (DomainAdminPassword) parameter in
step 2.

If you’re using AWS Directory Service, the delegated domain administrator user name is
Admin and the password is the one you set for the Domain Admin Password
(DomainAdminPassword) parameter.

Page 30 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Set up Permissions for the Cluster Object

If you’re using the AWS Directory Service (that is, if the AD Scenario Type parameter in
step 2 is set to AWS Directory Service for Microsoft AD, which is the default), follow
these steps to set up permissions:
1. Run Windows PowerShell as an administrator, and use the following command to
install Active Directory Management Services:

Add-WindowsFeature RSAT-ADDS-Tools

2. Open Active Directory Users and Computers on one of your two cluster node
instances.
3. In the navigation bar, choose View, Advanced Features to see the advanced features
for Active Directory Users and Computers.
4. Expand the organizational unit (OU) for your domain name.
5. Open the context (right-click) menu for the Computers OU within your domain name,
and then choose Properties.
6. On the Security tab, choose Advanced.
7. In the Advanced Security Settings dialog box, choose Add.
8. Next to Principal, choose Select a principal.
9. Choose Object Types, select Computers, and then choose OK.
10. Type the name of your cluster object (WSFCLUSTER1 for the default name), choose
Check Names, and then choose OK.
11. When your object has been verified, choose OK.
12. Add the Create Computer objects permission to this principal, and then choose OK.
13. In the Advanced Security Settings for Computers screen, choose OK.
14. In the Computer Properties screen, choose OK.

Create a Test Database or Attach an Existing Database

1. Open the Desktop Connection application (mstsc.exe) and connect to the first cluster
node (e.g., WSFCNode1).
2. Open SQL Server Management Studio (SSMS).

Page 31 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

3. In the Connect to Server dialog box, connect to the first cluster node (e.g.,
WSFCNode1).
4. Create a new database or attach a test database.
5. Make sure that the Recovery model on the database is set to Full.

Figure 8: Creating a new database in SQL Server Management Studio

6. Open the context (right-click) menu for the database in SSMS, and then choose Tasks,
Backup.

Page 32 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Create an Availability Group

1. In Object Explorer, open the context (right-click) menu for AlwaysOn High
Availability and launch the New Availability Group wizard.

Figure 9: Creating a new availability group in SSMS

2. Complete the New Availability Group wizard:

a. On the Introduction page, choose Next.
b. On the Specify Availability Group Name page, type SQLAG1, and then choose
Next.
c. On the Select Databases page, choose the database you created or attached in the
previous section, and then choose Next.
d. On the Specify Replicas page, add the second cluster node (e.g., WSFCNode2),
and then choose Automatic Failover.

Page 33 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Figure 10: Specifying replicas

e. On the Listener tab, choose Create an availability group listener, provide a

Listener DNS Name (e.g., AG1-Listener), and then specify the TPC port used by
this listener (e.g., 1433). Add the two private subnets the cluster nodes were
deployed into and a corresponding IPv4 address.

Note We will use the secondary private IP addresses we assigned earlier to the nodes
(e.g., 10.0.0.102 and 10.0.32.102). If you’re using the third Availability Zone with a SQL
node, you’ll also want to add 10.0.64.102.

Page 34 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Figure 11: Creating an availability group listener

f. On the Select Initial Data Synchronization page, choose Full. In the shared
network location box, type \\WSFCFileServer\replica if you’re using a file share
witness, or \\WSFCNode1\replica if you have three SQL nodes (that is, if you set
the Third AZ parameter to full). Then choose Next.
g. On the Validation page, choose Next.
h. On the Summary page, choose Finish, and then close the wizard.
3. Run Windows PowerShell as an administrator and change the availability group listener
host record TTL to 300.

Page 35 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Figure 12: Modifying the TTL in Windows PowerShell

4. Open DNS Manager:

 If you’re using AWS Directory Service:
a. On the Remote Desktop Gateway instance, install Remote Server Administration
Tools for DNS Server, by running this command in a PowerShell window with
administrator privileges:

Install-WindowsFeature RSAT-DNS-Server

b. In the same PowerShell window, run the command:

Get-NetIPConfiguration

c. Select one of the DNS server addresses from the command output.
d. Use that address to connect to the DNS server when you open DNS Manager.
 If you’re not using AWS Directory Service:
a. Open the Desktop Connection application (mstsc.exe) and connect to the primary
domain controller in Availability Zone 1, using its NetBIOS name (e.g., DC1).

Page 36 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

b. Use the credentials of the domain admin user and domain admin password to log
into the instance.
c. Open DNS Manager.
5. In DNS Manager, check to make sure that all availability group listener (e.g., AG1-
Listener) IP addresses are listed.

Figure 13: Verifying DNS configuration

Note Client connectivity to an availability group database can be established via the
availability group listener. The availability group listener (in this case, AG1-Listener) is a
virtual network name that clients can connect to. This configuration allows clients to
connect to a database without knowing the name of an individual server in the WSFC
cluster. The availability group listener can share TCP port 1433 with an individual SQL
Server instance. However, when running multiple side-by-side SQL Server instances,
you will need to use a non-standard port to avoid a port conflict.

Page 37 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

The security groups and ingress rules created by the AWS CloudFormation template permit
all required traffic between WSFC nodes and client connections to TCP port 1433 from the
remaining server tiers within the VPC. See the Security section of this guide for a detailed
list of port mappings.

When you complete the steps in this section, you will have a WSFC cluster and SQL Server
Always On Availability Group successfully deployed in the AWS Cloud, as illustrated
previously in Figure 1.

Step 4: Test the Cluster and Availability Group

Note If you’re using a third Availability Zone as a full SQL Server cluster node (that is,
if you set the Third AZ parameter to full), take that into consideration when following
the steps in this section.

Before you put the availability group into production, you should test your deployment and
familiarize yourself with the cluster’s behavior during a high availability automatic failover
or a disaster recovery event.

1. Open the Remote Desktop Connection application (mstsc.exe), connect to the Remote
Desktop Gateway instance, and then connect to the WSFC node (e.g., WSFCNode1) in
that zone.
2. On the first cluster node instance, open the Failover Cluster Manager to view the cluster
core resources. Make sure the cluster, one of the two listed IP addresses, and the file
share witness are online.

Page 38 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Figure 14: Viewing the Failover Cluster Manager

3. Open SQL Server Management Studio. In Object Explorer, open the context (right-click)
menu for the AlwaysOn High Availability node, and launch the dashboard for the
availability group you created earlier (e.g., SQLAG1).
4. In the dashboard, view the availability replicas and make sure their synchronization
state is Synchronized.

Page 39 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Figure 15: Viewing the Always On High Availability dashboard with all nodes synchronized

5. Make sure that the primary instance and the IP address in the Cluster Core
Resources pane of Failover Cluster Manager are coordinated. That is, if the primary
instance is WSFCNode1, the IP address 10.0.0.101 should be online. If you need to move
the cluster core resources to WSFCNode1, you can do so through PowerShell by using
the command:
Get-ClusterGroup 'Cluster Group' | Move-ClusterGroup -Node WSFCNode1

6. Sign in to the AWS Management Console, and open the Amazon EC2 console at
https://console.aws.amazon.com/ec2/.
7. Stop the primary instance (e.g., WSFCNode1).
8. Open the Remote Desktop Connection application (mstsc.exe), connect to the second
cluster node (e.g., WSFCNode2) in Availability Zone 2.
9. On the second cluster node instance, use the Failover Cluster Manager to view the
cluster core resources. Note that the IP address that was previously offline (e.g.,
10.0.32.101) is now online.

Page 40 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Figure 16: Viewing the Failover Cluster Manager with WSFCNode1 offline

10. Open SQL Server Management Studio. In Object Explorer, open the context (right-click)
menu for the AlwaysOn High Availability node, and launch the dashboard for the
availability group you created earlier (e.g., SQLAG1).
11. In the dashboard, view the availability replicas. Note that now the primary instance has
switched to WSFCNode2, and that the synchronization state of WSFCNode1 is Not
Synchronizing.

Page 41 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Figure 17: Always On High Availability dashboard with the first cluster node offline

12. At this point, you can start the WSFCNode1 instance again in the Amazon EC2 console.
When the instance is online, use the Failover wizard in the Availability Group
dashboard and switch the primary instance back to WSFCNode1.

Note We recommend that you use MultiSubnetFailover=true in your SQL client

connection string. This property enables faster failover for all availability groups in SQL
Server and will significantly reduce failover time for single and multi-subnet Always On
topologies. If you have legacy clients that need to connect to an availability group
listener and cannot use MultiSubnetFailover, we recommend that you change the
RegisterAllProvidersIP setting to 0 by using the Set-ClusterParameter cmdlet.

Page 42 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Troubleshooting
Q. I encountered a CREATE_FAILED error when I launched the Quick Start.
A. If AWS CloudFormation, we recommend that you relaunch the template with Rollback
on failure set to No. (This setting is under Advanced in the AWS CloudFormation
console, Options page.) With this setting, the stack’s state will be retained and the instance
will be left running, so you can troubleshoot the issue. (You’ll want to look at the log files in
%ProgramFiles%\Amazon\EC2ConfigService and in the C:\cfn\log folder.)

Important When you set Rollback on failure to No, you’ll continue to

incur AWS charges for this stack. Please make sure to delete the stack when
you’ve finished troubleshooting.

The following table lists specific CREATE_FAILED error messages you might encounter.

Error message Possible cause What to do

API: ec2: RunInstances Not The template is We refresh AMIs on a regular basis, but our schedule
authorized for images: referencing an AMI that isn’t always synchronized with AWS AMI updates. If
ami-ID has expired you get this error message, notify us, and we’ll update
the template with the new AMI ID.
If you’d like to fix the template yourself, you can
download it and update the Mappings section with
the latest AMI ID for your region.

We currently do not have The WSFC node requires Switch to an instance type that supports higher
sufficient r4.2xlarge a larger instance type capacity, or complete the request form in the AWS
capacity in the AZ you Support Center to increase the Amazon EC2 limit for
requested the instance type or region. Limit increases are tied to
the region they were requested for.

Instance ID did not You have exceeded your Request a limit increase by completing the request
stabilize IOPS for the region form in the AWS Support Center.

System Administrator The master password Change the password for the domain administrator or
password must contain at contains $ or other SQL Server service account, and then relaunch the
least 8 characters special characters Quick Start.
The password must be at least 8 characters, consisting
of uppercase and lowercase letters and numbers. Avoid
using special characters such as @ or $.

For additional information, see Troubleshooting AWS CloudFormation on the AWS

website. If the problem you encounter isn’t covered on that page or in the table, please visit
the AWS Support Center. If you’re filing a support ticket, please attach the install.log file

Page 43 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

from the master instance (this is the log file that is located in the /root/install folder) to the
ticket.

Q. I encountered a size limitation error when I deployed the AWS Cloudformation

templates.
A. We recommend that you launch the Quick Start templates from the location we’ve
provided or from another S3 bucket. If you deploy the templates from a local copy on your
computer, you might encounter template size limitations when you create the stack. For
more information about AWS CloudFormation limits, see the AWS documentation.

Security
AWS provides a set of building blocks (e.g., Amazon EC2 and Amazon VPC) that customers
can use to provision infrastructure for their applications. In this model, some security
capabilities, such as physical security, are the responsibility of AWS and are highlighted in
the AWS security whitepaper. Other areas, such as controlling access to applications, fall on
the application developer and the tools provided in the Microsoft platform.

This Quick Start configures the following security groups for SQL Server:

Security group Associated Inbound source Port(s)

with

WSFCSecurityGroup WSFCNode1, WSFCSecurityGroup ICMP-1, TCP135, TCP137,

WSFCNode2, UDP137, TCP445, TCP1433,
WSFCNode3, TCP1434, UDP1434, TCP3343,
WSFCFileServer UDP3343, TCP5022, TCP5985

WSFCClientSecurityGroup WSFCNode1, SQLServerAccessSecurity TCP1433

WSFCNode2, Group
WSFCNode3,
WSFCFileServer

SQLServerAccessSecurity Add instances

Group that require
access to SQL to
this security
group

Page 44 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

Additional Resources
AWS services
 AWS CloudFormation
https://aws.amazon.com/documentation/cloudformation/
 Amazon EBS
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html
 Amazon EC2
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/
 Amazon VPC
https://aws.amazon.com/documentation/vpc/

WSFC with SQL Server

 Windows Server Failover Clustering (WSFC) with SQL Server
https://msdn.microsoft.com/library/79d2ea5a-edd8-4b3b-9502-96202057b01a
 Always On Availability Groups
https://msdn.microsoft.com/en-us/library/hh510230.aspx

Deploying Microsoft software on AWS

 Microsoft on AWS
https://aws.amazon.com/microsoft/
 Secure Microsoft applications on AWS
https://d0.awsstatic.com/whitepapers/aws-microsoft-platform-security.pdf
 Microsoft Licensing Mobility
https://aws.amazon.com/windows/mslicensemobility/
 MSDN on AWS
https://aws.amazon.com/windows/msdn/
 AWS Windows and .NET Developer Center on AWS
https://aws.amazon.com/net/

Quick Start reference deployments

 AWS Quick Start home page
https://aws.amazon.com/quickstart/

Page 45 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

 Microsoft Active Directory DS on the AWS Cloud

https://docs.aws.amazon.com/quickstart/latest/active-directory-ds/
 Microsoft Remote Desktop Gateway on the AWS Cloud
https://docs.aws.amazon.com/quickstart/latest/rd-gateway/

GitHub Repository
You can visit our GitHub repository to download the templates and scripts for this Quick
Start, to post your comments, and to share your customizations with others.

Document Revisions
Date Changes In sections

December 2017 Added support for SQL Server 2017; deprecated Template updates and changes
SQL Server 2012. throughout guide
Added instructions for setting up permissions for Set up permissions
the cluster object.
August 2017 Refactored templates with submodules following Template updates and changes
Quick Start best practices, and added support for: throughout guide
 AWS Directory Service for Microsoft Active
Directory (set as default)
 SQL Server 2016 and license-included AMI
provided by Amazon
 Three tenancy options (default, dedicated,
dedicated hosts)
 Choice of two or three Availability Zones
 Choice of two SQL nodes plus dedicated file
share witness, or three SQL nodes
 Customizable EBS volume types (gp2, io1)
and adjustable IOPS (for io1)
 New R4 instance types

September 2015 Changed the default type for Active Directory and Template parameters
RD Gateway instances to m4.xlarge for better
performance and price.

April 2015 Updated the storage configuration on the WSFC Storage on the WSFC Nodes
nodes.

March 2015 Optimized the underlying VPC design to support Architecture diagram and
expansion and to reduce complexity. template updates

November 2014 In the sample template, changed the default type Template parameters
for NATInstanceType to t2.small to support the
EU (Frankfurt) region.

July 2014 Initial publication —

Page 46 of 47
Amazon Web Services – SQL Server on the AWS Cloud December 2017

© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings
and practices as of the date of issue of this document, which are subject to change without notice. Customers
are responsible for making their own independent assessment of the information in this document and any
use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether
express or implied. This document does not create any warranties, representations, contractual
commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities
and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of,
nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, Version 2.0 (the "License"). You
may not use this file except in compliance with the License. A copy of the License is located at
http://aws.amazon.com/apache2.0/ or in the "license" file accompanying this file. This code is distributed on
an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and limitations under the License.

Page 47 of 47