Menu
PowerShell DSC on the AWS Cloud
Quick Start Deployment Reference Guide

Overview

What We'll Cover

This Quick Start reference deployment includes architectural considerations and configurations used to build a highly available Windows PowerShell Desired State Configuration (PowerShell DSC) pull server environment on the Amazon Web Services (AWS) cloud. We discuss how to use the necessary AWS services, such as Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing (Elastic Load Balancing), and Amazon Virtual Private Cloud (Amazon VPC) together with PowerShell DSC to deploy a highly available enterprise application across separate AWS Availability Zones.

The intent with this guide is to give you a point of reference for implementing your own configuration management solution using the PowerShell DSC platform, and to provide an understanding of the following key topics:

  • How to use AWS CloudFormation and PowerShell DSC to bootstrap your servers and applications from scratch

  • How to deploy a highly available PowerShell DSC pull server environment using AWS resources

  • How to make sure that your instances are resilient to configuration drift once your application stack has been deployed

This guide explores the deployment and management of an internal enterprise web application infrastructure running on the AWS cloud. You can use the patterns in this guide to deploy your own application stack in a similar fashion. You can also deploy automatically the environment outlined in this guide in order to test a fully configured PowerShell DSC pull server infrastructure.

After deploying this Quick Start with the default input parameters, you will have built the following PowerShell DSC pull server environment on the AWS cloud:


    Highly Available PowerShell DSC Pull Server Infrastructure on AWS

Figure 1: Highly Available PowerShell DSC Pull Server Infrastructure on AWS

Architecture Overview

The core AWS components used by this reference include the following AWS services:

  • Amazon VPC – The Amazon Virtual Private Cloud service lets you provision a private, isolated section of the AWS cloud where you can launch AWS services and other resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

  • Amazon EC2 – The Amazon Elastic Compute Cloud service allows you to launch virtual machine instances with a variety of operating systems. You can choose from existing Amazon Machine Images (AMIs) or import your own virtual machine images.

  • Elastic Load Balancing – The Elastic Load Balancing service automatically distributes incoming traffic across multiple Amazon EC2 instances. It enables you to achieve greater levels of fault tolerance in your applications.

  • Amazon S3 – The Amazon Simple Storage Service provides highly durable and available cloud storage for a variety of content, ranging from web applications to media files. It allows you to offload your entire storage infrastructure onto the cloud.

When deploying a Windows-based environment on the AWS cloud, we recommend an architecture that supports the following requirements:

  • Critical workloads should be placed in a minimum of two Availability Zones to provide high availability.

  • Internal application servers and other non-Internet facing servers should be placed in private subnets to prevent direct access to these instances from the Internet.

  • Remote Desktop Gateways should be deployed into public subnets in each Availability Zone for remote administration. Other components, such as reverse proxy servers, can also be placed into these public subnets if needed.

A Very Brief Overview of Windows PowerShell DSC

If you are new to PowerShell DSC, we highly recommend that you consult the additional resources at the end of this guide for a deeper look at the topic. For now, we'll quickly cover what PowerShell DSC is and how it works.

PowerShell DSC was introduced in Windows Management Framework 4.0. It provides a configuration management platform native to Windows Server 2012 R2 and Windows 8.1, and available to Windows Server 2008 R2, Windows 7, and Linux. PowerShell DSC allows you to express the desired state of your systems using declarative language syntax instead of configuring servers with complex imperative scripts. If you've worked with configuration management tools like Chef or Puppet, you'll notice that PowerShell DSC provides a familiar framework.

When using DSC to apply a desired configuration for a system, you create a configuration script with PowerShell that explains what the system should look like. You then generate a Management Object Format (MOF) file using that configuration script, which is then pushed or pulled by a node to apply the desired state. PowerShell DSC uses vendor-neutral MOF files to enable cross-platform management, and nodes refer to either Windows or Linux systems.


    High Level DSC Architecture

Figure 2: High Level DSC Architecture

Windows systems running Windows Management Framework 4.0 or later include an engine called the Local Configuration Manager, which acts as a DSC client. The Local Configuration Manager calls the DSC resources required by the configuration defined in the MOF files. These DSC resources perform the work of applying the desired configuration.


    Basic DSC Configuration Script

Figure 3: Basic DSC Configuration Script

Figure 3 shows an example of a very simple DSC configuration script that can be used to push a desired configuration to a computer.

  • Line 1 – We use the Configuration keyword to define a name (MyService) for the configuration.

  • Line 2 – The Node keyword is used to define the desired state for a server named Server1.

  • Lines 3 through 6 – We're creating an instance of the service resource called bits. As you can see, within the resource, we're declaring that the service actually named bits should be in a running state.

  • Line 10 – The configuration is executed, which generates a MOF file called Server1.mof in a folder called MyService.

  • Line 11 – The Start-DscConfiguration cmdlet is used to push the MOF file in the MyService folder to the computer Server1. When doing this interactively, it's useful to use the -Wait and -Verbose parameters to get detailed information.

As we will see later in this guide, the configuration scripts used to deploy the reference architecture will include several resources for each server in the topology. Some of those will be native to the operating system, some of them will be additional resources provided by Microsoft, and others will be custom written resources to fill in the gaps.

Note

Keep in mind that this guide is not a complete tutorial on DSC. It's simply a reference architecture for how systems can be deployed and configured in tandem with DSC and AWS CloudFormation. For a complete understanding of the mechanics of DSC pull servers and writing custom DSC resources, we highly recommend consulting the supplemental reading at the end of this guide.