

# Understand licensing options and considerations for Microsoft SQL Server on Amazon EC2

There are two ways to license Microsoft SQL Server on Amazon EC2 in the Amazon Web Services Cloud. You can bring your own existing SQL Server licenses, or use licenses that are provided by Amazon. The most cost-effective license strategy for your workload will depend on multiple factors. For more information on comparing the costs of SQL Server editions, see [Compare SQL Server editions](https://docs.amazonaws.cn/prescriptive-guidance/latest/optimize-costs-microsoft-workloads/sql-server-editions.html) on the Amazon Prescriptive Guidance website.

**Topics**
+ [Licensing options](#sql-server-on-ec2-licensing-options)
+ [Licensing considerations](#sql-server-on-ec2-licensing-considerations)
+ [Amazon EC2 High Availability for SQL Server on Amazon EC2](sql-high-availability.md)

## Licensing options


You can launch Amazon Elastic Compute Cloud (Amazon EC2) instances with Microsoft SQL Server licenses included from Amazon, or you can bring your own SQL Server licenses for use on Amazon. You can perform a license type conversion for SQL Server in certain configurations if your needs change. For the most license flexibility, you can import your VM into Amazon. For more information, see [Eligible license types for license type conversion](https://docs.amazonaws.cn/license-manager/latest/userguide/conversion-types.html) in the *Amazon License Manager User Guide*.

**Topics**
+ [License-included](#sql-server-on-ec2-licensing-options-included)
+ [BYOL](#sql-server-on-ec2-licensing-options-byol)

### License-included

Windows Server with currently supported versions of Microsoft SQL Server AMIs are available from Amazon in a variety of combinations. Amazon provides these AMIs with SQL Server software and operating system updates already installed. When you purchase an Amazon EC2 instance with a Windows Server AMI, licensing costs and compliance are handled for you. For more information, see [Find a SQL Server license-included AMI](sql-server-on-ec2-amis.md).

Amazon EC2 offers a variety of instance types and sizes that you can configure for your target workload. Amazon EC2 AMIs with Windows Server require no Client Access Licenses (CALs). They also include two Microsoft Remote Desktop Services licenses for administrative purposes.

For SQL Server license-included AMIs, use the installation and setup media included in `C:\SQLServerSetup` to perform in-place SQL Server version upgrades, make changes to the default installation, add new features, or install additional named instances.

### BYOL

When you launch a SQL Server instance from an imported AMI, you can bring your existing licenses with the Bring Your Own License model (BYOL), and let Amazon manage them to ensure compliance with licensing rules that you set. To import your own licensed image, you can use a service such as [VM Import/Export](https://docs.amazonaws.cn/vm-import/latest/userguide/what-is-vmimport.html) or [Amazon Application Migration Service](https://docs.amazonaws.cn/mgn/index.html). After you import your licensed image, and it is available as a private AMI in your Amazon account on the Amazon EC2 console, you can use the Amazon License Manager service to create a license configuration.

After you create the license configuration, you must associate the AMI that contains your licensed operating system image with the configuration. Then, you must create a host resource group and associate it with the license configuration. After you associate your host resource group with the configuration, License Manager automatically manages your hosts when you launch instances into a host resource group, and ensures that you do not exceed your configured license count limits. For more information, see the [Getting started](https://docs.amazonaws.cn/license-manager/latest/userguide/getting-started.html) section of the *License Manager User Guide*.

You can also bring your own SQL Server licenses with Active Software Assurance to default (shared) tenant Amazon EC2 through Microsoft License Mobility through Software Assurance. For information about how to sign up for Microsoft License Mobility, see [License Mobility](https://www.amazonaws.cn/windows/resources/licensemobility/).

## Licensing considerations


There are many considerations for cost-effectively licensing your Microsoft SQL Server on Amazon EC2 workload. Your use case and existing license agreements will determine whether to bring your own license to Amazon with the Bring Your Own License model (BYOL) or to use license-included AMIs from Amazon. The following topics should help determine which approach you might take. For more information, see [Licensing - SQL Server](https://www.amazonaws.cn/windows/faq/#licensing-sql-q) on the *Amazon Web Services and Microsoft Frequently Asked Questions* page.

**Topics**
+ [Choose a SQL Server edition](#sql-server-on-ec2-licensing-considerations-editions)
+ [Purchase SQL Server from Amazon](#sql-server-on-ec2-licensing-considerations-purchasing)
+ [Use BYOL for SQL Server on Amazon](#sql-server-on-ec2-licensing-considerations-byol)
+ [Quantify license requirements](#sql-server-on-ec2-licensing-considerations-quantify)
+ [License Mobility with SQL Server](#sql-server-on-ec2-licensing-considerations-mobility)
+ [Track BYOL license consumption](#sql-server-on-ec2-licensing-considerations-track)
+ [SQL Server CALs](#sql-server-on-ec2-licensing-considerations-cals)
+ [Licensing for passive failover](#sql-server-on-ec2-licensing-considerations-failover)

### Choose a SQL Server edition


The edition of SQL Server that is used will determine the supported features your implementation will have available. For example, the edition determines the maximum compute capacity used by a single instance of the SQL Server Database Engine, and the high availability options you might implement. For a comparison of SQL Server editions and supported features, see [Editions and supported features of SQL Server 2022](https://learn.microsoft.com/en-us/sql/sql-server/what-s-new-in-sql-server-2022?view=sql-server-ver16) in the Microsoft documentation.

### Purchase SQL Server from Amazon


You can utilize Microsoft SQL Server licenses included from Amazon. You can choose any of the following editions for your use on Amazon EC2 instances.
+ SQL Server Web
+ SQL Server Standard
+ SQL Server Enterprise

**Note**  
SQL Server Express AMIs are available for use from Amazon. This free edition of SQL Server doesn’t incur additional charges as there is no licensing fee.
SQL Server Developer edition is eligible for use in non-production, development, and test workloads. Once downloaded from Microsoft, you can bring and install SQL Server Developer edition on Amazon EC2 instances in the Amazon Web Services Cloud. Dedicated infrastructure is not required for SQL Server Developer edition. For more information, see [https://www.microsoft.com/en-us/sql-server/sql-server-downloads](https://www.microsoft.com/en-us/sql-server/sql-server-downloads).

### Use BYOL for SQL Server on Amazon


You can use BYOL licenses for SQL Server on Amazon. The requirements differ depending on whether the licenses have active Software Assurance.

**SQL Server licenses with active Software Assurance**  
You can bring your SQL Server licenses with active Software Assurance to default (shared) tenant Amazon EC2 through License Mobility benefits. Microsoft requires that you complete and send a License Mobility verification form which can be downloaded [here](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-license-mobility?activetab=software-assurance-license-mobility-pivot%3aprimaryr2). For more information, see [License Mobility](https://www.amazonaws.cn/windows/resources/licensemobility/).

**SQL Server licenses without active Software Assurance**  
SQL Server licenses without Software Assurance can be deployed on Elastic Compute Cloud Dedicated Hosts if the licenses are purchased prior to 10/1/2019 or added as a true-up under an active Enterprise Enrollment that was effective prior to 10/1/2019. In these specific BYOL scenarios, the licenses can only be upgraded to versions that were available prior to 10/1/2019. For more information, see [Dedicated Hosts](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html) in the *Amazon EC2 User Guide*, and the [Amazon EC2 Dedicated Hosts FAQs](https://www.amazonaws.cn/ec2/dedicated-hosts/faqs/).

### Quantify the required SQL Server licenses for BYOL

If you are licensing SQL Server under Microsoft License Mobility through Software Assurance, the number of licenses required varies based on the instance type, version of SQL Server, and the Microsoft licensing model you choose. For assistance with virtual core licensing calculations under the Microsoft Product Terms based on the instance type, see [SQL License Mobility](https://www.amazonaws.cn/windows/resources/licensemobility/sql/).

If you are using Dedicated Hosts, Amazon EC2 provides you with the number of physical cores installed on the Dedicated Host. Using this information, you can calculate the number of SQL Server licenses that you need to bring in. For more information, see [Amazon EC2 Dedicated Hosts Pricing](https://www.amazonaws.cn/ec2/dedicated-hosts/pricing/#host-configuration) and the [SQL Server 2022 licensing guide](https://download.microsoft.com/download/9/3/d/93d32de6-f268-45ed-ba25-2f9a6756b6af/SQL_Server_2022_Licensing_guide.pdf).

### License Mobility with SQL Server


SQL Server licenses with active Software Assurance are eligible for Microsoft License Mobility and can be deployed on default or dedicated tenant Amazon EC2. For more information on bringing SQL Server licenses with active Software Assurance to default tenant EC2, see [Microsoft License Mobility](https://www.amazonaws.cn/windows/resources/licensemobility/).

It is also possible to bring SQL Server licenses without active Software Assurance to EC2 Dedicated Hosts. To be eligible, the licenses must be purchased prior to October 1, 2019 or added as a true-up under an active Enterprise Enrollment that was effective prior to October 1, 2019. For additional FAQs about Dedicated Hosts, see the [Dedicated Hosts](https://www.amazonaws.cn/windows/faq/#dedicated-hosts) section of the *Amazon Web Services and Microsoft FAQ*.

### Track BYOL license consumption


You can use Amazon License Manager to manage your software licenses for SQL Server. With License Manager, you can create license configurations, take inventory of your license-consuming resources, associate licenses with resources, and track inventory and compliance. For more information, see [What is Amazon License Manager?](https://docs.amazonaws.cn/license-manager/latest/userguide/license-manager.html) in the *Amazon License Manager User Guide*.

### SQL Server client access licenses (CALs)

When you are using SQL Server on Amazon EC2, license-included instances do not require client access licenses (CALs) for SQL Server. An unlimited number of end users can access SQL Server on a license-included instance.

When you bring your own SQL Server licenses to Amazon EC2 through Microsoft License Mobility or BYOL, you must continue to follow the licensing rules in place on-premises. If you purchased SQL Server under the Server/CAL model, you still require CALs to meet Microsoft licensing requirements, but these CALs would remain on-premises and enable end-user access to SQL Server running on Amazon.

### Licensing for passive failover


There are various factors to consider when licensing passive failover for SQL Server. The information in this section pertains only to the SQL Server licenses and not the Windows Server licenses. In all cases, you must license Windows Server.

**Using instances that include the license for SQL Server**  
When you purchase SQL Server license-included instances on EC2, you must license passive failover instances.

**Bringing SQL Server licenses with active Software Assurance to default tenant Amazon EC2**  
When you bring SQL Server 2014 and later versions with Software Assurance to default tenant EC2, you must license the virtual cores (vCPUs) on the active instance. In return, Software Assurance permits one passive instance (equal or lesser size) where SQL Server licensing is not required.

**Bringing SQL Server to Amazon EC2 Dedicated Instances**  
SQL Server 2014 and later versions require Software Assurance for SQL Server passive failover benefits on dedicated infrastructure. When you bring SQL Server with Software Assurance, you must license the cores on the active instance/host and are permitted one passive instance/host (equal or lesser size) where SQL Server licensing is not required.

SQL Server 2008 - SQL Server 2012R2 are eligible for passive failover on an Amazon EC2 Dedicated Hosts infrastructure without active Software Assurance. In these scenarios, you will license the active instance/host, and it will be permitted one passive instance/host of equal or lesser size where SQL Server licensing is not required.

There are specific BYOL scenarios that do not require Microsoft License Mobility through Software Assurance. An Amazon EC2 Dedicated Hosts infrastructure is always required in these scenarios. To be eligible, the licenses must be purchased prior to October 1, 2019 or added as a true-up under an active Enterprise Enrollment that was effective prior to October 1, 2019. In these specific BYOL scenarios, the licenses can only be upgraded to versions that were available prior to October 1, 2019. 

# Amazon EC2 High Availability for SQL Server on Amazon EC2


Amazon EC2 High Availability for SQL Server (SQL HA) allows you to configure Amazon EC2 instances running license-included SQL Server as part of a HA cluster to reduce licensing costs. This feature identifies the SQL Server standby (also known as passive) instances in your SQL HA deployments and waives SQL Server licensing fees for them, allowing you to pay only Windows rates for these standby instances while maintaining your HA configuration.

## Supported SQL Server High Availability deployments

SQL HA supports two types of SQL Server High Availability deployment:
+ Always On Availability Groups
+ Always On Failover Cluster Instances

For Always On Availability Groups, SQL HA identifies primary and secondary (also known as standby or passive) replicas and waives the SQL Server licenses on the secondary replicas (Amazon EC2 instances) that are not actively serving read traffic. For Failover Cluster Instances, SQL HA recognizes which instances are active and which are standing by for failover scenarios and waives the SQL Server licenses on the standby instances. For more information about the SQL HA configurations, see [Deploy SQL Server on Amazon EC2](create-sql-server-on-ec2-instance.md).

## Considerations and requirements

+ SQL HA supports two Amazon EC2 instances (also known as nodes) per SQL Server HA cluster.
+ The SQL HA active instance should have equal or more vCPUs than the standby instance.
+ SQL HA saves license costs for SQL Server license-included only. For more information, see [SQL Server licensing options](sql-server-on-ec2-licensing.md#sql-server-on-ec2-licensing-options-included).
+ SQL HA only supports multi-AZ deployments within the same region. Cross-region deployments are not supported.
+ The SQL Server standby node must meet requirements to receive the license savings, including: 1. Does not serve incoming traffic; 2. Does not run active SQL Server workloads; 3. Is not a readable secondary (except master, msdb, tempdb, or model databases); 4. For Always On Availability Groups, there is no standalone database running outside of the Availability Group.
+ SQL HA supports SQL Server (Standard and Enterprise Editions) 2017 and later on Windows Server 2019 and later.
+ Windows PowerShell must be 5.1 or above.
+ Amazon EC2 Reserved Instances are not supported by SQL HA. If you are using Reserved Instances, discounts may not be applied to these instances in the same payer account. We recommend using Savings Plans instead to benefit from both SQL HA license savings and Savings Plans compute cost savings. For more information, see the [Savings Plans User Guide](https://docs.amazonaws.cn/savingsplans/latest/userguide/what-is-savings-plans.html).
+ This feature may be terminated at any time, in which case Amazon will provide you with as much prior notice as is reasonably practicable under the circumstances.

## Prerequisites


To get the license savings for your SQL HA workload, your environment must meet several requirements:
+ You have SQL Server license-included HA workloads on Amazon EC2. You can use Amazon Launch Wizard to simplify the SQL Server deployment on Amazon EC2. For more information, see [Amazon Launch Wizard for SQL Server](https://docs.amazonaws.cn/launchwizard/latest/userguide/launch-wizard-sql.html).
+ Amazon Systems Manager Agent (SSM Agent) must be installed and running on the instances in the SQL HA deployment. For more information, see [Working with SSM Agent](https://docs.amazonaws.cn/systems-manager/latest/userguide/ssm-agent.html).
+ You must attach the **AWSEC2SqlHaInstancePolicy** managed policy to your instance role or use a custom role with the required permissions for the Amazon EC2 to access your instances, including permissions for Amazon Systems Manager to run commands, access to Amazon Secrets Manager for retrieving SQL Server credentials, and Amazon EC2 permissions to read instance metadata.
+ By default, Amazon Systems Manager uses the built-in `[NT AUTHORITY\SYSTEM]` user to access SQL Server HA metadata. You will need to store secrets in Amazon Secrets Manager only when your security policies have restricted or disabled the `[NT AUTHORITY\SYSTEM]` account.
+ Network connectivity allows Amazon Systems Manager commands to reach your instances.

# How Amazon EC2 High Availability for SQL Server works

Upon registration, Amazon EC2 High Availability for SQL Server (SQL HA) automatically monitors your Amazon EC2 instances running Windows SQL Server License Included AMIs and classifies them as either active or standby based on their current role in your SQL Server deployment. For High Availability configurations containing an active SQL Server instance, one standby failover instance in the same cluster may receive a SQL Server licensing fee waiver, meaning you pay only the Windows Server licensing fee. You can monitor your current SQL HA status through the Amazon EC2 console, which displays the latest records of which instances are receiving license savings and historical status changes.

SQL HA continuously monitors your enabled SQL Server instances to determine their active or standby status. Using Amazon Systems Manager (SSM) commands, it collects metadata from your SQL Server installations and applies classification logic to identify which instances are actively serving traffic and which are functioning as standby failover nodes.

Standby instances are billed as Windows instances rather than Windows SQL Server instances, providing license cost savings. Billing changes take effect when an SQL HA standby detection enabled instance is classified as standby and eligible for the benefit, with no manual intervention required. This classification adapts to changes in your environment, such as failover events where a standby instance becomes active. The system detects these transitions and updates billing accordingly.

# Getting started with Amazon EC2 High Availability for SQL Server

To get started with Amazon EC2 High Availability for SQL Server (SQL HA), perform the following steps:

**Topics**
+ [Step 1: Set up SSM Agent](#sql-high-availability-ssm)
+ [Step 2: Attach Amazon managed policy to instances](#sql-high-availability-role)
+ [Step 3: (*Optional*) Store SQL Server credentials in Amazon Secrets Manager](#sql-high-availability-secret)
+ [Step 4: Enable SQL HA license savings](#sql-high-availability-register)
+ [Windows user setup](sql-high-availability-windows-user-setup.md)

## Step 1: Set up SSM Agent


The Systems Manager Agent (SSM Agent) must be installed and running on the Amazon EC2 SQL Server instances with the High Availability deployments. The SSM Agent executes an SSM document to determine and report the SQL HA state for the instance.

The SSM Agent is preinstalled, by default, on the Amazon Machine Images (AMIs) for Windows and SQL Server provided by Amazon. For more information, see [Amazon Windows AMIs](https://docs.amazonaws.cn/ec2/latest/windows-ami-reference/windows-amis.html). To check whether SSM Agent is correctly configured on your instances, use the Systems Manager console, or call [DescribeInstanceInformation](https://docs.amazonaws.cn/systems-manager/latest/APIReference/API_DescribeInstanceInformation.html) and verify that the SSM Agent [PingStatus](https://docs.amazonaws.cn/systems-manager/latest/APIReference/API_InstanceInformation.html#systemsmanager-Type-InstanceInformation-PingStatus) is `Online`. If necessary, you can manually download and install the latest version of SSM Agent on your Amazon EC2 SQL Server instances. For more information, see [Manually install the SSM Agent on Amazon EC2 instances for Windows Server](https://docs.amazonaws.cn/systems-manager/latest/userguide/manually-install-ssm-agent-windows.html).

## Step 2: Attach Amazon managed policy to instances


To ensure that your instance has the required IAM permissions, you must attach the following Amazon managed policies to the instance:
+ **AWSEC2SqlHaInstancePolicy** — grants permissions for SQL HA to execute Amazon Systems Manager (SSM) Run Command document `AWSEC2-DetectSqlHaState` to automatically detect the standby state of your SQL Server instances.
+ **AmazonSSMManagedInstanceCore** — enables Amazon Systems Manager service core functionality.

For more information, see Attach an IAM role to an Amazon EC2 instance.

**Note**  
If needed, you can create and attach your own custom IAM role. However, at a minimum, the role must include all of the permissions that are included in the **AWSEC2SqlHaInstancePolicy** Amazon managed policy.

## Step 3: (*Optional*) Store SQL Server credentials in Amazon Secrets Manager


**By default**, Amazon Systems Manager uses the built-in `[NT AUTHORITY\SYSTEM]` user to access SQL Server HA metadata. If you choose to use the built-in `[NT AUTHORITY\SYSTEM]` user, you may need to configure Windows user permissions to ensure the service can obtain High Availability metadata from your SQL Server instances. For more information, see [Windows user setup for Amazon EC2 High Availability for SQL Server](sql-high-availability-windows-user-setup.md).

**Alternatively**, if your security policies have restricted or disabled the `[NT AUTHORITY\SYSTEM]` account, you will need to store and use your SQL Server credentials in Amazon Secrets Manager. For more information, see [Create a secret in Amazon Secrets Manager with appropriate SQL Server permissions](https://docs.amazonaws.cn/secretsmanager/latest/userguide/create_secret.html).

## Step 4: Enable SQL HA license savings


You must enable SQL HA standby detection for Windows SQL Server license-included instances to receive SQL Server license savings. Use one of the following methods:

------
#### [ Console ]

1. Open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. In the navigation panel, choose **Instances**.

1. Select the instances in the High Availability deployment to enable SQL HA standby detection monitoring, choose **Actions**, **Instance settings**, **Modify SQL High Availability settings**.

1. In the **Review prerequisites** step, review each instance to make sure it is configured correctly.
   + The **SSM agent status** column indicates the state of the SSM Agent on the instance. **Online** indicates that the SSM Agent is running and accessible.
   + The **Recommended IAM policies** column indicates whether the instance has an attached IAM role with the required permissions. We recommend attaching the service managed policy **AWSEC2SqlHaInstancePolicy** to the instance, or you can use an equivalent custom inline policy. **Verified** indicates that the instance has the managed policy attached; this column does not verify the permissions if you use other custom policies. The **IAM role** column indicates the currently attached IAM role. To attach a different role, choose **Modify IAM role**.

1. Choose **Next**.

1. In the **Manage SQL High Availability license savings** step, for each instance do the following:
   + For **SQL High Availability license savings**, select **Enable**.
   + (*Optional*) For **SQL Server credentials**, select the secret that has the SQL Server credentials for that instance.

1. Choose **Next**.

1. In the **Review and apply changes** step, review the configuration and then choose **Apply changes**.

------
#### [ Amazon CLI ]

Use the [enable-instance-sql-ha-standby-detections](https://docs.amazonaws.cn/cli/latest/reference/ec2/enable-instance-sql-ha-standby-detections.html) command. For `--instance-ids`, specify the IDs of the instances to opt in. If you performed Step 3 and stored SQL Server credentials in Amazon Secrets Manager, also specify the optional `--sql-server-credentials` parameter with the ARN of the secret that contains the SQL Server credentials.

```
aws ec2 enable-instance-sql-ha-standby-detections \
--instance-ids instance_ids \
--sql-server-credentials secret_manager_secret_arn
```

------

# Windows user setup for Amazon EC2 High Availability for SQL Server

**Note**  
You only need to perform the steps in this section if you choose to use the default, built-in `[NT AUTHORITY\SYSTEM]` user as described in [Step 3: Store SQL Server credentials in Amazon Secrets Manager](sql-high-availability-get-started.md#sql-high-availability-secret). If you choose to store custom SQL Server credentials in Amazon Secrets Manager, these Windows user setup steps are not required.

Amazon EC2 High Availability for SQL Server uses Amazon Systems Manager (SSM) to connect to Amazon EC2 instances and obtain SQL Server High Availability metadata. The SSM command runs under the context of the default local user on the Amazon EC2 instance: `NT AUTHORITY\SYSTEM`. If you performed post-launch lockdowns on your SQL Server instances by removing certain default SQL Server permissions and built-in groups, you may need to perform a few steps to grant required permissions to `NT AUTHORITY\SYSTEM`.

Additionally, when enabling your Amazon EC2 instances for SQL HA standby detection, you can optionally provide an Amazon secret containing credentials to a Windows domain user or local user on your Amazon EC2 instances other than the default local user, `NT AUTHORITY\SYSTEM`. The service uses this provided Windows user to connect to all SQL Server instances on the Amazon EC2 instance and run SQL Server queries to obtain High Availability metadata. This guide explains how to either grant required permissions to `NT AUTHORITY\SYSTEM`, or how to create a Windows domain or local user with least permissions required for the service to process Amazon EC2 instances enabled for SQL HA standby detection, and how to create an Amazon secret containing credentials for this user.

**Topics**
+ [Option 1: Grant required permissions to the `NT AUTHORITY\SYSTEM` user](#sql-ha-default-local-user)
+ [Option 2: Create new domain user with required permissions](#sql-ha-domain-user)
+ [Option 3: Create new local user with required permissions](#sql-ha-local-user)

## Option 1: Grant required permissions to the `[NT AUTHORITY\SYSTEM]` user


This section covers the most straightforward setup to begin enabling Amazon EC2 instances for SQL HA standby detection. If you follow this section, you need not provide an Amazon secret when enabling your Amazon EC2 instances for SQL HA standby detection, since SSM will use the default local user `NT AUTHORITY\SYSTEM` to authenticate into SQL Server.

Since SQL Server license-included AMIs allow `NT AUTHORITY\SYSTEM` to authenticate into SQL Server by default, the following steps may not be required to enable your instances for SQL HA standby detection. However, if you performed post-launch lockdowns on your SQL Server instances, you may need to grant least permissions back to `NT AUTHORITY\SYSTEM` for the service to obtain High Availability metadata.

**To grant SQL Server access for `NT AUTHORITY\SYSTEM`**

The following steps need to be repeated on every SQL Server instance on the Amazon EC2 instance. Amazon EC2 SQL HA obtains High Availability metadata on all SQL Server installs on the Amazon EC2 instance, so the default local user needs to be able to query SQL Server across all SQL Server instances.
+ Connect to your Amazon EC2 instance and open SQL Server Management Studio, then run the following SQL Server command on each SQL Server instance. This command creates a SQL Server login for `NT AUTHORITY\SYSTEM` and grants minimal read-only SQL Server permissions for this user.

  ```
  -- Create SQL Server login for default local user
  IF NOT EXISTS (SELECT name FROM master.sys.server_principals WHERE name = 'NT AUTHORITY\SYSTEM')
  BEGIN
      CREATE LOGIN [NT AUTHORITY\SYSTEM] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
  END
  
  USE [master]
  GO
  
  IF NOT EXISTS (SELECT name FROM master.sys.sysusers WHERE name = 'NT AUTHORITY\SYSTEM')
  BEGIN
      CREATE USER [NT AUTHORITY\SYSTEM] FOR LOGIN [NT AUTHORITY\SYSTEM]
  END
  GO
  
  -- Grant database permissions
  USE [master]
  GO
  
  IF NOT EXISTS (SELECT name FROM master.sys.database_principals WHERE name = 'db_role_ec2_sql_ha')
  BEGIN
      CREATE ROLE [db_role_ec2_sql_ha]
  END
  
  GRANT VIEW DATABASE STATE to [db_role_ec2_sql_ha]
  GO
  
  ALTER ROLE [db_role_ec2_sql_ha] ADD MEMBER [NT AUTHORITY\SYSTEM]
  GO
  
  -- Grant server permissions
  USE [master]
  GO
  
  IF NOT EXISTS (SELECT name FROM master.sys.server_principals WHERE name = 'svr_role_ec2_sql_ha')
  BEGIN
      CREATE SERVER ROLE [svr_role_ec2_sql_ha]
  END
  
  GRANT VIEW SERVER STATE TO [svr_role_ec2_sql_ha]
  GRANT VIEW ANY DEFINITION TO [svr_role_ec2_sql_ha]
  GRANT VIEW ANY DATABASE TO [svr_role_ec2_sql_ha]
  GO
  
  ALTER SERVER ROLE [svr_role_ec2_sql_ha] ADD MEMBER [NT AUTHORITY\SYSTEM]
  GO
  ```

Your default local user setup is complete. You can now enable SQL HA standby detection for your Amazon EC2 instances.
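To confirm that the grants above stayed minimal after a lockdown, the following audit can be run on each SQL Server instance. It is an added example, not part of the original page or of the service's own tooling; the role and login names are the ones used in the script above, and the "expected" sets are simply the permissions that script grants.

```sql
-- Added example: audit what the grant script above left behind.
-- Rows marked REVIEW were not created by that script; judge them
-- against your own lockdown baseline.
USE [master];
GO

-- Principal under audit. Change this to audit a different login.
DECLARE @principal sysname = N'NT AUTHORITY\SYSTEM';

-- 1. Server permissions held by the custom server role.
--    The script grants exactly three.
SELECT r.name AS server_role,
       p.permission_name,
       p.state_desc,
       CASE WHEN p.state_desc = N'GRANT'
             AND p.permission_name IN (N'VIEW SERVER STATE',
                                       N'VIEW ANY DEFINITION',
                                       N'VIEW ANY DATABASE')
            THEN 'expected' ELSE 'REVIEW' END AS finding
FROM sys.server_principals AS r
JOIN sys.server_permissions AS p
  ON p.grantee_principal_id = r.principal_id
WHERE r.name = N'svr_role_ec2_sql_ha' AND r.type = 'R';

-- 2. Permissions in master held by the custom database role.
--    The script grants only VIEW DATABASE STATE.
SELECT r.name AS database_role,
       p.permission_name,
       p.state_desc,
       CASE WHEN p.state_desc = N'GRANT'
             AND p.permission_name = N'VIEW DATABASE STATE'
            THEN 'expected' ELSE 'REVIEW' END AS finding
FROM sys.database_principals AS r
JOIN sys.database_permissions AS p
  ON p.grantee_principal_id = r.principal_id
WHERE r.name = N'db_role_ec2_sql_ha' AND r.type = 'R';

-- 3. Server roles the login belongs to (explicit membership only;
--    membership inherited through a Windows group is not listed here).
SELECT m.name AS login_name,
       r.name AS server_role,
       CASE WHEN r.name = N'svr_role_ec2_sql_ha'
            THEN 'expected' ELSE 'REVIEW' END AS finding
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @principal;

-- 4. Server permissions granted directly to the login, outside any role.
--    CREATE LOGIN grants CONNECT SQL; the script adds nothing else directly.
SELECT l.name AS login_name,
       p.permission_name,
       p.state_desc,
       CASE WHEN p.state_desc = N'GRANT'
             AND p.permission_name = N'CONNECT SQL'
            THEN 'expected' ELSE 'REVIEW' END AS finding
FROM sys.server_principals AS l
JOIN sys.server_permissions AS p
  ON p.grantee_principal_id = l.principal_id
WHERE l.name = @principal;

-- 5. Database roles in master held by the user mapped to the login.
--    The user is matched by SID, so a renamed user is still found.
SELECT u.name AS database_user,
       r.name AS database_role,
       CASE WHEN r.name = N'db_role_ec2_sql_ha'
            THEN 'expected' ELSE 'REVIEW' END AS finding
FROM sys.server_principals AS l
JOIN sys.database_principals AS u ON u.sid = l.sid
JOIN sys.database_role_members AS rm ON rm.member_principal_id = u.principal_id
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
WHERE l.name = @principal;
```

An empty result from queries 1, 2, 3 or 5 means the corresponding role or membership is missing and the grant script did not complete on that instance.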

## Option 2: Create new domain user with required permissions


This section covers how to create a Windows domain user with the necessary permissions to connect to SQL Server and obtain High Availability metadata. This option is preferred over creating a new local user, as the domain user can be used for any Amazon EC2 instance joined to the domain. This allows you to supply just one Amazon secret for multiple Amazon EC2 instances enabled for SQL HA standby detection.

**To create and configure a domain user**

1. **Create a domain user**

   This step differs based on the type of Active Directory (AD) being used, and assumes the Amazon EC2 instances you wish to enable for SQL HA standby detection are already joined to this domain. For an Amazon managed Microsoft AD, use the following Amazon CLI commands to create a new domain user. Replace *username* and *password* with your desired username and password.

   ```
   aws ds-data create-user \
       --directory-id directory-id \
       --sam-account-name "username"
   ```

   Then assign a password to the domain user:

   ```
   aws ds reset-user-password \
       --directory-id directory-id \
       --user-name "username" \
       --new-password "password"
   ```

1. **Create an Amazon secret containing credentials**

   Save the Windows domain user credentials to an Amazon secret. The domain user's username must be saved in the following format: `directory-netBIOS-name\username`. The *directory-netBIOS-name* is the directory NetBIOS name of your AD.

   ```
   aws secretsmanager create-secret \
       --name "domain-user-credentials" \
       --description "Domain user credentials for EC2 SQL HA standby detection." \
       --secret-string '{"username":"directory-netBIOS-name\\username","password":"password"}'
   ```

1. **Grant SQL Server access for domain user**

   Connect to your Amazon EC2 instance and open SQL Server Management Studio, then run the following SQL Server command on each SQL Server instance. Replace *username* with the username you selected and *directory-netBIOS-name* with the AD's directory NetBIOS name.

   ```
   -- Create SQL Server login for domain user
   IF NOT EXISTS (SELECT name FROM master.sys.server_principals WHERE name = 'directory-netBIOS-name\username')
   BEGIN
       CREATE LOGIN [directory-netBIOS-name\username] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
   END
   
   USE [master]
   GO
   
   IF NOT EXISTS (SELECT name FROM master.sys.sysusers WHERE name = 'directory-netBIOS-name\username')
   BEGIN
       CREATE USER [directory-netBIOS-name\username] FOR LOGIN [directory-netBIOS-name\username]
   END
   GO
   
   -- Grant database permissions
   USE [master]
   GO
   
   IF NOT EXISTS (SELECT name FROM master.sys.database_principals WHERE name = 'db_role_ec2_sql_ha')
   BEGIN
       CREATE ROLE [db_role_ec2_sql_ha]
   END
   
   GRANT VIEW DATABASE STATE to [db_role_ec2_sql_ha]
   GO
   
   ALTER ROLE [db_role_ec2_sql_ha] ADD MEMBER [directory-netBIOS-name\username]
   GO
   
   -- Grant server permissions
   USE [master]
   GO
   
   IF NOT EXISTS (SELECT name FROM master.sys.server_principals WHERE name = 'svr_role_ec2_sql_ha')
   BEGIN
       CREATE SERVER ROLE [svr_role_ec2_sql_ha]
   END
   
   GRANT VIEW SERVER STATE TO [svr_role_ec2_sql_ha]
   GRANT VIEW ANY DEFINITION TO [svr_role_ec2_sql_ha]
   GRANT VIEW ANY DATABASE TO [svr_role_ec2_sql_ha]
   GO
   
   ALTER SERVER ROLE [svr_role_ec2_sql_ha] ADD MEMBER [directory-netBIOS-name\username]
   GO
   ```

Your domain user setup is complete. When enabling Amazon EC2 instances for SQL HA standby detection, you can supply the ARN for the Amazon secret you created.

## Option 3: Create new local user with required permissions


This section covers how to create a Windows local user restricted to a single Amazon EC2 instance with the necessary permissions to connect to SQL Server and obtain High Availability metadata.

**To create and configure a local user**

1. **Create a local user on the Amazon EC2 instance**

   Connect to your Amazon EC2 instance and open PowerShell as Administrator, then execute the following command. Replace *username* and *password* with your desired username and password.

   ```
   New-LocalUser -Name "username" -Password (ConvertTo-SecureString "password" -AsPlainText -Force) -Description "Local user for EC2 SQL HA standby detection."
   ```

1. **Create an Amazon secret containing credentials**

   Save the Windows local user credentials to an Amazon secret.

   ```
   aws secretsmanager create-secret \
       --name "local-user-credentials" \
       --description "Local user credentials for EC2 SQL HA standby detection." \
       --secret-string "{\"username\":\"username\",\"password\":\"password\"}"
   ```

1. **Grant SQL Server access for local user**

   Connect to your Amazon EC2 instance and open SQL Server Management Studio, then run the following SQL Server command on each SQL Server instance. Replace *username* with the username you selected and *COMPUTERNAME* with the Amazon EC2 instance computer name. You can retrieve the computer name with the PowerShell command `$env:COMPUTERNAME`.

   ```
   -- Create SQL Server login for local user
   IF NOT EXISTS (SELECT name FROM master.sys.server_principals WHERE name = 'COMPUTERNAME\username')
   BEGIN
       CREATE LOGIN [COMPUTERNAME\username] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
   END
   
   USE [master]
   GO
   
   IF NOT EXISTS (SELECT name FROM master.sys.sysusers WHERE name = 'COMPUTERNAME\username')
   BEGIN
       CREATE USER [COMPUTERNAME\username] FOR LOGIN [COMPUTERNAME\username]
   END
   GO
   
   -- Grant database permissions
   USE [master]
   GO
   
   IF NOT EXISTS (SELECT name FROM master.sys.database_principals WHERE name = 'db_role_ec2_sql_ha')
   BEGIN
       CREATE ROLE [db_role_ec2_sql_ha]
   END
   
   GRANT VIEW DATABASE STATE to [db_role_ec2_sql_ha]
   GO
   
   ALTER ROLE [db_role_ec2_sql_ha] ADD MEMBER [COMPUTERNAME\username]
   GO
   
   -- Grant server permissions
   USE [master]
   GO
   
   IF NOT EXISTS (SELECT name FROM master.sys.server_principals WHERE name = 'svr_role_ec2_sql_ha')
   BEGIN
       CREATE SERVER ROLE [svr_role_ec2_sql_ha]
   END
   
   GRANT VIEW SERVER STATE TO [svr_role_ec2_sql_ha]
   GRANT VIEW ANY DEFINITION TO [svr_role_ec2_sql_ha]
   GRANT VIEW ANY DATABASE TO [svr_role_ec2_sql_ha]
   GO
   
   ALTER SERVER ROLE [svr_role_ec2_sql_ha] ADD MEMBER [COMPUTERNAME\username]
   GO
   ```

Your local user setup is complete. When enabling Amazon EC2 instances for SQL HA standby detection, you can supply the ARN for the Amazon secret you created.
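
Both **Create an Amazon secret containing credentials** steps store the credentials as a JSON string, so the backslash in `directory-netBIOS-name\username` and any quote or backslash in the password must be JSON-escaped before the string is stored. The following POSIX shell sketch is an added example, not part of the original documentation; the function names `json_escape` and `build_sql_ha_secret` and all sample values are assumptions.

```shell
#!/bin/sh
# Added example: build the credentials JSON for the secret without hand-escaping.
# json_escape and build_sql_ha_secret are hypothetical helper names.

# json_escape VALUE: escape backslash and double quote for a JSON string value.
# Values containing control characters (tab, newline, ...) are rejected.
json_escape() {
    cleaned=$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')
    if [ "$cleaned" != "$1" ]; then
        echo "json_escape: control character in value" >&2
        return 1
    fi
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# build_sql_ha_secret PREFIX USERNAME PASSWORD
# PREFIX is the directory NetBIOS name for a domain user (Option 2),
# or an empty string for a local user (Option 3).
build_sql_ha_secret() {
    prefix=$1 user=$2 pass=$3
    [ -n "$user" ] || { echo "username is required" >&2; return 1; }
    case "$prefix$user" in
        *\\*) echo "prefix and username must not contain a backslash" >&2
              return 1 ;;
    esac
    if [ -n "$prefix" ]; then
        account="$prefix\\$user"      # one literal backslash separates the parts
    else
        account=$user
    fi
    esc_account=$(json_escape "$account") || return 1
    esc_pass=$(json_escape "$pass") || return 1
    printf '{"username":"%s","password":"%s"}\n' "$esc_account" "$esc_pass"
}

# Constructed sample values, for illustration only.
build_sql_ha_secret 'CORP' 'svc-sqlha' 'Example"Pass\word'
build_sql_ha_secret '' 'sqlha-local' 'ExamplePassword'
```

To keep the password off the command line, write the output to a file that only you can read and pass it to `aws secretsmanager create-secret` as `--secret-string file://secret.json`, then delete the file.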

# Disable Amazon EC2 High Availability for SQL Server

You can disable Amazon EC2 High Availability for SQL Server (SQL HA). Note that only instances enabled for SQL HA can receive the SQL Server license savings. Use one of the following methods to disable SQL HA for your instances:

------
#### [ Console ]

1. Open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. In the navigation panel, choose **Instances**.

1. Select the instances in the High Availability deployment for which to disable SQL HA standby detection monitoring, then choose **Actions**, **Instance settings**, **Modify SQL High Availability settings**.

1. In the **Review prerequisites** step, choose **Next**. The prerequisites apply only to enabling the monitoring; you don't need to review them to disable SQL HA standby detection monitoring.

1. In the **Manage SQL High Availability license savings** step, for each instance to disable, for **SQL High Availability license savings**, select **None**.

1. Choose **Next**.

1. In the **Review and apply changes** step, review the configuration and then choose **Apply changes**.

------
#### [ Amazon CLI ]

Use the [disable-instance-sql-ha-standby-detections](https://docs.amazonaws.cn/cli/latest/reference/ec2/disable-instance-sql-ha-standby-detections.html) command. For `instance-ids`, specify the IDs of the instances to disable.

```
aws ec2 disable-instance-sql-ha-standby-detections \
--instance-ids instance_ids
```

------

# View states for Amazon EC2 High Availability for SQL Server

You can view the current and historical states of Amazon EC2 High Availability for SQL Server (SQL HA). Use one of the following methods:

------
#### [ Console ]

1. Open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. In the navigation panel, choose **Instances**.

1. Select the instances in the High Availability deployment for which to view the SQL HA states, then choose the **SQL High Availability** tab.

------
#### [ Amazon CLI ]

To view the current SQL HA states for Amazon EC2 instances, use the [describe-instance-sql-ha-states](https://docs.amazonaws.cn/cli/latest/reference/ec2/describe-instance-sql-ha-states.html) command. This command only shows the current SQL HA status of your onboarded instances.

```
aws ec2 describe-instance-sql-ha-states \
--instance-ids instance_ids
```

To view the historical SQL HA states for instances, use the [describe-instance-sql-ha-history-states](https://docs.amazonaws.cn/cli/latest/reference/ec2/describe-instance-sql-ha-history-states.html) command. This command returns your SQL HA instance state transitions in descending time order.

```
aws ec2 describe-instance-sql-ha-history-states \
--instance-ids instance_ids \
--start-time period_start_timestamp \
--end-time period_end_timestamp
```

------