Set up for Amazon Launch Wizard for SQL Server - Amazon Launch Wizard
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Set up for Amazon Launch Wizard for SQL Server

Verify the relevant prerequisites are met for the deployment model you intend to use to create a SQL Server Always On application with Amazon Launch Wizard.

Amazon Identity and Access Management (IAM)

The following steps to establish the Amazon Identity and Access Management (IAM) role and set up the user for permissions are typically performed by an IAM administrator for your organization.

Sign up for an Amazon Web Services account

If you do not have an Amazon Web Services account, use the following procedure to create one.

To sign up for Amazon Web Services
  1. Open http://www.amazonaws.cn/ and choose Sign Up.

  2. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to http://www.amazonaws.cn/ and choosing My Account.

Secure IAM users

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.

For more information about creating and securing IAM users, see the following topics in the IAM User Guide:

Assign permissions to use Launch Wizard

To deploy a SQL Server Always On application with Launch Wizard, your user must have the permissions granted by the AmazonLaunchWizardFullAccessV2 managed policy. The following guidance is for IAM administrators who grant users permission to access and deploy applications from Launch Wizard using that policy.

To provide access, add permissions to your users, groups, or roles:

Important

Sign in as a user who has the AmazonLaunchWizardFullAccessV2 policy attached when you use Launch Wizard.

One-time creation of IAM Role

On the Choose Application page of Launch Wizard, under Permissions, Launch Wizard displays the IAM role that the Amazon EC2 instances it creates use to access other Amazon services on your behalf. When you select Next, Launch Wizard attempts to discover the IAM role in your account. If the role exists, it is attached to the instance profile of the EC2 instances that Launch Wizard launches into your account. If the role does not exist, Launch Wizard attempts to create it with the name AmazonEC2RoleForLaunchWizard. The role consists of two IAM managed policies: AmazonSSMManagedInstanceCore and AmazonEC2RolePolicyForLaunchWizard. After the role is created, the IAM administrator can delegate the application deployment process to another user, who in turn must have the AmazonLaunchWizardFullAccessV2 managed policy described under Assign permissions to use Launch Wizard.

Amazon Secrets Manager permissions

Launch Wizard uses Amazon Secrets Manager to manage your domain and SQL Server account passwords. The username and password are stored in Secrets Manager and retrieved during the build process. The following resource policy is added to the secret so that the AmazonEC2RoleForLaunchWizard IAM role used by Launch Wizard can retrieve it. For more information about Secrets Manager, see the Amazon Secrets Manager User Guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-id>:role/service-role/AmazonEC2RoleForLaunchWizard"
      },
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:GetRandomPassword"
      ],
      "Resource": "*"
    }
  ]
}
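The following pre-flight script is an added example, not part of the Launch Wizard documentation or of any Amazon tooling. It checks, before you open the wizard, that the prerequisites in the two sections above hold: the deploying user carries AmazonLaunchWizardFullAccessV2 and has MFA, the AmazonEC2RoleForLaunchWizard role exists with exactly the two managed policies named on this page, and the secret's resource policy names only that role as principal and grants only the three listed actions. It requires AWS Tools for PowerShell (AWS.Tools.IdentityManagement and AWS.Tools.SecretsManager) and credentials that can read IAM and the secret's resource policy. The user name and secret name are assumptions; the principal comparison is made against the role ARN that IAM returns, so a policy written for a different partition (for example arn:aws where the account lives in arn:aws-cn) is reported as a mismatch.

```powershell
# Added example: Launch Wizard IAM / Secrets Manager pre-flight check.
# Assumptions: $UserName and $SecretId below are placeholders for your own values.
param(
    [string]$UserName = 'launchwizard-deployer',         # assumed IAM user name
    [string]$SecretId = 'LaunchWizard-sql-domain-admin', # assumed secret name or ARN
    [string]$RoleName = 'AmazonEC2RoleForLaunchWizard'   # role name given on this page
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. The user who will run Launch Wizard: policy attached and MFA enabled.
$userPolicies = @(Get-IAMAttachedUserPolicyList -UserName $UserName)
$hasLwPolicy  = $userPolicies.PolicyName -contains 'AmazonLaunchWizardFullAccessV2'
Add-Check 'User has AmazonLaunchWizardFullAccessV2' $hasLwPolicy ($userPolicies.PolicyName -join ', ')

$mfa = @(Get-IAMMFADevice -UserName $UserName)
Add-Check 'User has MFA enabled' ($mfa.Count -gt 0) "$($mfa.Count) device(s)"

# 2. The EC2 instance role: exists and carries exactly the two documented managed policies.
$expectedRolePolicies = @('AmazonSSMManagedInstanceCore', 'AmazonEC2RolePolicyForLaunchWizard')
$role = $null
try {
    $role = Get-IAMRole -RoleName $RoleName
    $rolePolicies = @(Get-IAMAttachedRolePolicyList -RoleName $RoleName | Select-Object -ExpandProperty PolicyName)
    $missing = @($expectedRolePolicies | Where-Object { $rolePolicies -notcontains $_ })
    $extra   = @($rolePolicies | Where-Object { $expectedRolePolicies -notcontains $_ })
    Add-Check 'Role has the two expected managed policies' ($missing.Count -eq 0) "missing: $($missing -join ', ')"
    Add-Check 'Role has no additional managed policies'   ($extra.Count -eq 0)   "extra: $($extra -join ', ')"
} catch {
    Add-Check "Role $RoleName exists" $false $_.Exception.Message
}

# 3. The secret's resource policy: only the instance role, only the documented actions.
$allowedActions = @('secretsmanager:GetSecretValue', 'secretsmanager:CreateSecret', 'secretsmanager:GetRandomPassword')
$resp = Get-SECResourcePolicy -SecretId $SecretId
$policyJson = if ($resp -is [string]) { $resp } else { $resp.ResourcePolicy }
if (-not $policyJson) {
    Add-Check 'Secret has a resource policy' $false 'no resource policy attached'
} else {
    foreach ($s in @((ConvertFrom-Json $policyJson).Statement)) {
        if ($s.Effect -ne 'Allow') { continue }
        # Principal is either a bare string or an object with an AWS member; normalise to a list.
        $principals = @(if ($s.Principal -is [string]) { $s.Principal } else { $s.Principal.AWS })
        $actions    = @($s.Action)
        $onlyRole   = ($principals.Count -eq 1) -and ($null -ne $role) -and ($principals[0] -eq $role.Arn)
        Add-Check 'Secret policy principal is exactly the instance role ARN' $onlyRole ($principals -join ', ')
        Add-Check 'Secret policy principal is not a wildcard' ($principals -notcontains '*') ($principals -join ', ')
        $unexpected = @($actions | Where-Object { $allowedActions -notcontains $_ })
        Add-Check 'Secret policy grants only the documented actions' ($unexpected.Count -eq 0) ($actions -join ', ')
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it from a session whose credentials can call IAM and Secrets Manager; a non-zero exit means at least one check failed and the table shows which. The "no additional managed policies" check is deliberately strict: extra policies on the instance role widen what every instance Launch Wizard builds can do, so treat any extra entry as a finding to review rather than a hard error.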

Active Directory (Windows deployment)

Launch Wizard can deploy SQL Server using Amazon Directory Service for Microsoft Active Directory (Amazon Managed Microsoft AD), or your self-managed Active Directory.

    If you are deploying SQL Server into an existing VPC with an existing Active Directory, Launch Wizard uses your Amazon Managed Microsoft AD domain user credentials to set up a fully functional SQL Server Always On Availability Group in that directory. Launch Wizard supports this deployment option only for Amazon Managed Microsoft AD. The directory does not have to be in the same VPC as the SQL Server Always On deployment; if it is in a different VPC, verify that connectivity is set up between the two VPCs. The domain user requires the following permissions on the Active Directory default organizational unit (OU) for Launch Wizard to perform the deployment successfully:

    • Reset password

    • Write userAccountControl

    • Create user accounts

    • Create computer objects

    • Read all properties

    • Modify permissions

    The following key operations are performed against your Active Directory by Launch Wizard. These operations result in the creation of new records or entries in Active Directory.

    • SQL Server service user added as a new Active Directory user if it does not already exist in Active Directory.

    • SQL Server instance and Remote Desktop Gateway Access instance joined to the Active Directory domain.

    • A CreateChild ActiveDirectoryAccessRule is added for the Windows Server Failover Cluster computer object.

    • FullControl FileSystemRights are granted to the SQL Server service user.
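Because the six rights listed above are granted as individual access control entries on the OU, it is worth auditing them before a deployment rather than discovering a missing one from a failed build. The script below is an added example, not part of the Launch Wizard documentation: it reads the OU's ACL through the ActiveDirectory module and reports, for the deployment user, which of the six rights are granted directly. The OU distinguished name and user name are assumptions; the GUIDs are the well-known Active Directory schema and extended-right identifiers for the objects and attribute involved. It only inspects ACEs whose trustee is the user itself, so a right that the user holds through group membership shows as not granted, and it must run in a domain-joined session with RSAT installed.

```powershell
# Added example: audit the Launch Wizard deployment user's rights on the default OU.
# Assumptions: $OuDn and $User are placeholders for your directory's values.
param(
    [string]$OuDn = 'OU=Computers,OU=corp,DC=corp,DC=example,DC=com', # assumed default OU
    [string]$User = 'CORP\lw-deploy'                                  # assumed domain user
)
Import-Module ActiveDirectory

$R = [System.DirectoryServices.ActiveDirectoryRights]
$guidResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529' # User-Force-Change-Password (Reset password)
$guidUac           = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2' # userAccountControl attribute
$guidUserClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2' # user object class
$guidComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2' # computer object class
$all               = [guid]::Empty                                  # ACE applies to all objects / properties

$acl  = Get-Acl -Path "AD:\$OuDn"
$aces = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $User
})

# Each required right from the page is a predicate over one ACE; GenericAll satisfies all of them.
$required = [ordered]@{
    'Reset password'           = { param($a) $a.ActiveDirectoryRights.HasFlag($R::ExtendedRight) -and ($a.ObjectType -in $guidResetPassword, $all) }
    'Write userAccountControl' = { param($a) $a.ActiveDirectoryRights.HasFlag($R::WriteProperty) -and ($a.ObjectType -in $guidUac, $all) }
    'Create user accounts'     = { param($a) $a.ActiveDirectoryRights.HasFlag($R::CreateChild)   -and ($a.ObjectType -in $guidUserClass, $all) }
    'Create computer objects'  = { param($a) $a.ActiveDirectoryRights.HasFlag($R::CreateChild)   -and ($a.ObjectType -in $guidComputerClass, $all) }
    'Read all properties'      = { param($a) $a.ActiveDirectoryRights.HasFlag($R::ReadProperty)  -and ($a.ObjectType -eq $all) }
    'Modify permissions'       = { param($a) $a.ActiveDirectoryRights.HasFlag($R::WriteDacl) }
}

$report = foreach ($name in $required.Keys) {
    $granted = $false
    foreach ($a in $aces) {
        if ($a.ActiveDirectoryRights.HasFlag($R::GenericAll) -or (& $required[$name] $a)) { $granted = $true; break }
    }
    [pscustomobject]@{ Right = $name; Granted = $granted }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Granted }) { exit 1 }
```

The checks are deliberately narrow: an ACE scoped to a specific object type or property GUID satisfies a right only if that GUID matches, and the unscoped ([guid]::Empty) form is accepted because it applies to every object and property. If the report shows a right as missing while the user is a member of a delegated group, extend the `$aces` filter to include those group names.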

    If you are deploying SQL Server into an existing VPC, either across multiple Availability Zones or on a single node, and connecting to a self-managed Active Directory, verify the following prerequisites.

    Requirements for Windows and Linux AMIs

    Launch Wizard has requirements for using custom Windows and Linux AMIs as well as Windows license-included AMIs in certain deployment scenarios.

      When you use Windows license-included AMIs, note the following:

      • You can use Windows license-included AMIs with SQL Bring-Your-Own-License (BYOL).

      • Your SQL media must meet certain requirements to use Windows license-included AMIs with SQL BYOL. The SQL media must be:

        • An ISO file.

        • Hosted in an Amazon S3 bucket prefixed with LaunchWizard-*.

        • Included in a folder within the Amazon S3 bucket.

        • Included in a public folder so that Launch Wizard can download and install the media.

      We recommend that you use Amazon Windows license-included AMIs whenever possible. There are scenarios for which you may want to use a custom Windows AMI. For example, you may have existing licenses (BYOL), or you may have made changes to one of our public images and re-imaged it.

      If you use Amazon Windows license-included AMIs, you are not required to perform any pre-checks on the AMI to ensure that it meets Launch Wizard requirements.

      Launch Wizard relies on user data to begin configuring the SQL Server or Remote Desktop Gateway (RGW) instances that it launches in your account. For more information, see User Data Scripts. By default, all Amazon Windows AMIs have user data execution enabled for the initial launch. To ensure that your custom AMIs are set up to run the user data script at launch, follow the Amazon recommended method to prepare your AMIs using EC2Launch v2. For more information about how to prepare your custom AMI using the options to Shutdown with Sysprep or Shutdown without Sysprep, see Create a Standard Amazon Machine Image Using Sysprep or EC2Launch v2 and Sysprep. If you want to enable user data directly as part of the custom AMI creation process, follow the steps for Subsequent Reboots or Starts under Running Commands on Your Windows Instance at Launch.

      If you use a custom Windows AMI, the volume drive letter for the root partition should be C: because EC2Launch v2 and EC2Config rely on this configuration to install the components.

      While not exhaustive, the following requirements cover most of the configurations whose alteration might impact the successful deployment of a SQL Server Always On application using Launch Wizard.

      Support matrix

      SQL Server version   Windows Server 2016   Windows Server 2019   Windows Server 2022
      SQL Server 2016      YES                   YES                   YES
      SQL Server 2017      YES                   YES                   YES
      SQL Server 2019      YES                   YES                   YES
      SQL Server 2022      YES                   YES                   YES

      OS and SQL requirements
      • Windows Server 2016 (Datacenter) (64-bit only)

      • Windows Server 2019 (Datacenter) (64-bit only)

      • Windows Server 2022 (Datacenter) (64-bit only)

      • MBR-partitioned volumes and GUID Partition Table (GPT) partitioned volumes that are formatted using the NTFS file system

      • English language pack only

      • SQL Server Enterprise Edition 2017/2016 or Standard Edition 2017/2016

      • SQL Server Enterprise Edition 2019 or Standard Edition 2019

      • SQL Server Enterprise Edition 2022 or Standard Edition 2022

      • The root volume drive for the custom AMI should be C:

      • SQL Server is installed on the root drive

      Amazon software and drivers
      • EC2Launch v2 (supported AMIs)

      • EC2Config service (Windows Server 2012 R2)

      • EC2Launch (Windows Server 2016)

      • Amazon SSM (SSM agent must be installed)

      • Amazon Tools for Windows PowerShell

      • Network drivers (SRIOV, ENA)

      • Storage drivers (NVMe, Amazon PV)

      There are occasions when you may want to use a custom Linux AMI. For example, you may have existing licenses (BYOL), or you may have made changes to one of our public images and re-imaged it.

      If you use a custom Linux AMI, you must adhere to the following requirements:

      • The operating system must be Ubuntu version 18.04 LTS.

      • The system installer and administrator must be a sudo user and be able to log in to the cluster nodes using SSH.

      • SQL Server for Linux must be a default installation.

      • The SQL Server for Linux version must be 2019.

      • The latest Microsoft SQL tools must be installed.

      Requirements for using Amazon FSx

      Launch Wizard uses continuously available Amazon FSx file shares to host clustered databases. The Amazon FSx file shares are accessible from within an instance joined to the domain. You can either create a new Active Directory or connect to an existing Active Directory (managed or self-managed). If you connect to an existing Active Directory, you can use preexisting security groups. The security groups must satisfy the port and security requirements for FSx to communicate with the domain, as described in Using Amazon FSx with your self-managed Microsoft Active Directory and Using Amazon FSx with Amazon Directory Service for Microsoft Active Directory.

      If you are using an existing Amazon Managed Active Directory instance, you must specify the ID of the managed Active Directory instance for FSx to be able to join the domain. The account must have the same access rights in the domain as described in Using Amazon FSx with your self-managed Microsoft Active Directory and Using Amazon FSx with Amazon Directory Service for Microsoft Active Directory.

      For Amazon FSx using NetApp ONTAP, Launch Wizard creates security groups in order to access the ONTAP file system and to set up failover clustering. For port requirements, see File System Access Control with Amazon VPC in the Amazon FSx for NetApp ONTAP User Guide.

      Note

      This Launch Wizard deployment relies on the instances that are being deployed to be able to connect to your ONTAP endpoint from within the VPC. For more information on the connectivity requirements, see Accessing data from within Amazon in the Amazon FSx for NetApp ONTAP User Guide.

      Backup schedule

      Launch Wizard uses FSx defaults for setting up the backup schedule. You can change the default settings in the FSx console after the build completes.

      The WeeklyMaintenanceStartTime value uses the format day-of-week:time, where Monday is 1. The default below starts maintenance on Saturday (6) at 22:00.

      WeeklyMaintenanceStartTime: '6:22:00'
      DailyAutomaticBackupStartTime: '01:00'
      AutomaticBackupRetentionDays: 7

      Amazon FSx using NetApp ONTAP

      Amazon FSx using NetApp ONTAP creates a new ONTAP file system for use with your Launch Wizard SQL deployment. We use the formulas in the following table to calculate volume and LUN storage for optimal performance.

      These values can be modified post deployment.

      Storage type        Size in GB   Sizing calculation
      FSx storage         1024         Total FSx storage capacity
      Volume storage      870.4        85% of total FSx storage capacity
      LUN storage         696.32       80% of volume storage (68% of total FSx storage)
      SQL data LUN size   522.24       75% of LUN storage (60% of volume storage)
      SQL log LUN size    139.264      20% of LUN storage

      Backup schedule for ONTAP

      By default, ONTAP backups are disabled during builds. You can set your own backup schedule from the Amazon FSx console. Choose the Backup tab. Then, choose Update to update the backup settings.

      Note

      When you delete a Launch Wizard deployment that uses ONTAP, FSx creates a backup of the ONTAP volume before deleting the file system. You can delete the backup from the Amazon FSx console if it is not required. For more information, see Deleting backups in the FSx for ONTAP User Guide.

      Configuration settings (deployment on Windows)

      The following configuration settings are applied when deploying a SQL Server Always On application with Launch Wizard.

      Setting                                                   | Applies to
      Current EC2Launch v2 and SSM Agent                        | Windows Server 2022, 2019, and 2016 *
      Current EC2Launch and SSM Agent                           | Windows Server 2019 and 2016 *
      Current Amazon PV, ENA, and NVMe drivers                  | Windows Server 2022, 2019, and 2016
      Current SRIOV drivers                                     | Windows Server 2022, 2019, and 2016
      Microsoft SQL Server: latest service pack; SQL service    | Windows Server 2022, 2019, and 2016
        configured to start automatically and running;          |
        BUILTIN\Administrators added to the sysadmin server     |
        role; TCP port 1433 and UDP port 1434 open              |
      Allow ICMP traffic through the host firewall              | Windows Server 2022, 2019, and 2016
      Allow RDP traffic through the host firewall               | Windows Server 2022, 2019, and 2016
      RealTimeIsUniversal registry key set                      | Windows Server 2022, 2019, and 2016
      SQL Server FCI                                            | Windows Server 2022, 2019, and 2016; SQL Server 2022, 2019, 2017, and 2016

      * Windows Server 2019 and 2016 can use either EC2Launch or EC2Launch v2 depending on what is configured in the AMI. For more information, see Supported AMIs in the Amazon EC2 User Guide for Windows Instances.

      The following AMI settings can impact the Launch Wizard deployment:

      System time
      RealTimeIsUniversal. If this registry value is not set, Windows system time drifts when the time zone is set to a value other than UTC.

      Windows Firewall
      In most cases, Launch Wizard configures the correct protocols and ports. However, custom Windows Firewall rules could impact the cluster service. To ensure that your custom AMI works with Launch Wizard, see Service overview and network port requirements for Windows.

      Remote Desktop
      Service Start. The Remote Desktop service must be enabled.
      Remote Desktop Connections. Must be enabled.

      EC2Config (Windows Server 2012 R2)
      Installation. We recommend using the latest version of EC2Config.
      Service Start. The EC2Config service should be enabled.

      Network interface
      DHCP Service Startup. The DHCP service should be enabled.
      DHCP on Ethernet. DHCP should be enabled.

      Microsoft SQL Server
      TCP/IP. Must be enabled under protocols in SQL Server Configuration Manager.

      PowerShell
      Execution Policy. The execution policy in all Amazon license-included AMIs is set to Unrestricted, and we recommend that you set it to Unrestricted while you set up SQL Server Always On Availability Groups using Launch Wizard. After setup completes, you can return the policy to a more restrictive setting such as RemoteSigned, the Windows Server default.
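The settings above are scattered across services, registry keys, the host firewall and PowerShell itself, so a custom AMI is easiest to validate with one script run on the instance just before you image it. The following is an added example, not part of the Launch Wizard documentation or of EC2Launch: it checks the root drive, the presence of EC2Launch v2 or EC2Launch, the SSM Agent, Remote Desktop, DHCP and SQL Server services, the RealTimeIsUniversal and Remote Desktop registry values, the SQL Server TCP/IP protocol flag, the inbound firewall rules for TCP 1433, UDP 1434, RDP and ICMPv4, and the machine execution policy. It assumes Windows PowerShell 5.1 on Windows Server 2016, 2019 or 2022 with the default SQL Server instance name MSSQLSERVER; the agent file paths and the SQL Server registry layout it reads are the standard ones.

```powershell
# Added example: custom Windows AMI pre-flight check for Launch Wizard SQL Server deployments.
# Run in an elevated session on the instance before Sysprep / image creation.
$InstanceName = 'MSSQLSERVER'   # assumption: default SQL Server instance name

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Item, [bool]$Ok, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Item = $Item; Status = $(if ($Ok) { 'OK' } else { 'Fail' }); Detail = $Detail })
}
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Root volume must be C: (EC2Launch v2 / EC2Config depend on it).
Add-Finding 'Root drive is C:' ($env:SystemDrive -eq 'C:') $env:SystemDrive

# A launch agent must be present so the user data script runs on first boot.
$ec2launchV2 = Test-Path "$env:ProgramFiles\Amazon\EC2Launch\EC2Launch.exe"
$ec2launchV1 = Test-Path "$env:ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1"
Add-Finding 'EC2Launch v2 or EC2Launch present' ($ec2launchV2 -or $ec2launchV1) "v2=$ec2launchV2 v1=$ec2launchV1"

# Services that must start automatically and be running: SSM Agent, Remote Desktop, DHCP, SQL Server.
foreach ($svc in @('AmazonSSMAgent', 'TermService', 'Dhcp', $InstanceName)) {
    $s  = Get-CimInstance Win32_Service -Filter "Name='$svc'"
    $ok = ($null -ne $s) -and ($s.StartMode -eq 'Auto') -and ($s.State -eq 'Running')
    Add-Finding "Service $svc automatic and running" $ok $(if ($s) { "$($s.StartMode)/$($s.State)" } else { 'not installed' })
}

# RealTimeIsUniversal keeps the hardware clock in UTC so the system time does not drift.
$rtu = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' 'RealTimeIsUniversal'
Add-Finding 'RealTimeIsUniversal = 1' ($rtu -eq 1) "value=$rtu"

# Remote Desktop connections are enabled when fDenyTSConnections is 0.
$deny = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
Add-Finding 'Remote Desktop connections enabled' ($deny -eq 0) "fDenyTSConnections=$deny"

# SQL Server TCP/IP protocol: the flag SQL Server Configuration Manager toggles.
$instanceId = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL' $InstanceName
$tcp = if ($instanceId) {
    Get-RegValue "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp" 'Enabled'
}
Add-Finding 'SQL Server TCP/IP protocol enabled' ($tcp -eq 1) "instance=$instanceId Enabled=$tcp"

# Host firewall: an enabled inbound Allow rule must exist for each required protocol/port.
function Test-InboundAllow([string]$Protocol, [string]$Port) {
    $rules = Get-NetFirewallPortFilter | Where-Object {
        $_.Protocol -eq $Protocol -and ($Port -eq '' -or $_.LocalPort -eq $Port)
    } | Get-NetFirewallRule | Where-Object {
        $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow'
    }
    return [bool]$rules
}
Add-Finding 'Firewall allows TCP 1433 inbound'       (Test-InboundAllow 'TCP' '1433') ''
Add-Finding 'Firewall allows UDP 1434 inbound'       (Test-InboundAllow 'UDP' '1434') ''
Add-Finding 'Firewall allows RDP (TCP 3389) inbound' (Test-InboundAllow 'TCP' '3389') ''
Add-Finding 'Firewall allows ICMPv4 inbound'         (Test-InboundAllow 'ICMPv4' '')  ''

# Execution policy: the deployment expects scripts to run; tighten it again after the build.
$policy = Get-ExecutionPolicy -Scope LocalMachine
Add-Finding 'Execution policy permits scripts' ($policy -in 'Unrestricted', 'RemoteSigned', 'Bypass') "LocalMachine=$policy"

$findings | Format-Table -AutoSize
if ($findings | Where-Object { $_.Status -eq 'Fail' }) { exit 1 }
```

The firewall check matches only rules whose port filter lists the exact port, so a rule that opens a range containing 1433 is reported as missing; widen the comparison if your image uses range rules. Treat a Fail on the execution policy line as informational if you intend to set Unrestricted immediately before the build and restore a stricter policy afterwards.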