Foundational best practices
Establishing a scalable and secure foundation for your AWS migration can enable you to easily manage and efficiently run your Windows environment on AWS. Before you migrate your Microsoft workloads to AWS, we recommend that you consider the following foundational best practices:
- Optimize your spending on Microsoft licensing – Licensing is a critical factor in your cloud migration because it impacts all other decisions moving forward. We recommend that you understand licensing options as early as possible. For more information about licensing, see the Microsoft licensing on AWS section of this guide.
- Streamline your cloud architecture – The AWS Well-Architected Framework helps you run your workloads reliably in the cloud. You receive guidance and strategies to help you follow the framework, avoid serious issues, and scale to meet your organization's needs. This guidance also covers billing, access control, and security controls.
- Build an integrated, easy-to-manage cloud network – AWS Transit Gateway can help you more easily manage networks and prevent overlapping networks—for example, through Classless Inter-Domain Routing (CIDR) range planning—from being created alongside your on-premises or other cloud environments. That way, you can route traffic to each network as needed. You must determine how accounts route to each other, to on-premises environments, and to the internet. This enables you to set up proper controls to protect your network traffic. For example, you must decide whether to make the AWS accounts an extension of existing on-premises data centers and use their perimeter defenses, such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS), or to set up an AWS network account that encompasses these perimeter defenses to protect your AWS resources.
- Prioritize cloud security – We recommend moving from a single-account to a multi-account environment while adhering to the security best practice of applying least-privilege permissions. We also recommend that you have a thorough understanding of the AWS shared responsibility model and plan how you can secure your environment while maintaining your organization's agility. To improve and maintain security, you can use Amazon API Gateway, AWS WAF, Application Load Balancers, Amazon CloudWatch, AWS CloudTrail, Amazon GuardDuty, and other services. To learn more about multi-account strategy, see Transitioning to multiple AWS accounts in the AWS Prescriptive Guidance documentation.
- Manage shared IT services in the cloud – To efficiently manage workloads in the cloud, it's critical to identify all shared services used by your workloads and plan how they will be provided in the cloud. For example, these include Active Directory, file servers, SQL databases, Domain Name System (DNS), virtual private network (VPN), Simple Mail Transfer Protocol (SMTP), backup, and monitoring services. After you take an inventory, you can decide between extending existing services to the cloud, setting up a completely new instance of the service, or using an alternative managed cloud service. Subsequent sections of this guide cover these considerations in more detail.
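The CIDR range planning called out under "Build an integrated, easy-to-manage cloud network" is easy to get wrong once several accounts and an on-premises data center share a Transit Gateway. The following added example (not part of the AWS guide) is a pre-flight check that flags overlapping allocations before any VPC is created and attached; the network names and ranges are constructed sample values, not AWS defaults.

```python
"""Pre-flight check for Transit Gateway network planning: detect overlapping
CIDR ranges across on-premises and AWS account allocations, and suggest the
next non-overlapping block for a new account. Constructed example data."""
import ipaddress
from itertools import combinations

# Constructed sample allocation plan (hypothetical names and ranges).
# The dev range deliberately overlaps the prod range to show the check firing.
PLANNED_NETWORKS = {
    "on-prem-datacenter": "10.0.0.0/16",
    "aws-shared-services": "10.1.0.0/16",
    "aws-workload-prod": "10.2.0.0/16",
    "aws-workload-dev": "10.2.128.0/17",   # overlaps aws-workload-prod
    "aws-network-account": "10.3.0.0/16",
}


def find_overlaps(networks):
    """Return a sorted list of (name_a, name_b) pairs whose ranges overlap.

    strict=True rejects ranges with host bits set (e.g. 10.2.1.0/16), which
    usually indicates a typo in the plan rather than an intended allocation.
    """
    parsed = {name: ipaddress.ip_network(cidr, strict=True)
              for name, cidr in networks.items()}
    overlaps = []
    for (a, net_a), (b, net_b) in combinations(sorted(parsed.items()), 2):
        if net_a.overlaps(net_b):
            overlaps.append((a, b))
    return overlaps


def next_free_block(networks, prefixlen=16, supernet="10.0.0.0/8"):
    """Return the first /prefixlen block inside supernet that overlaps no
    planned network, or None if the supernet is exhausted."""
    used = [ipaddress.ip_network(c) for c in networks.values()]
    for candidate in ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for a, b in find_overlaps(PLANNED_NETWORKS):
        print(f"OVERLAP: {a} ({PLANNED_NETWORKS[a]}) "
              f"and {b} ({PLANNED_NETWORKS[b]})")
    print("next free /16 for a new account:", next_free_block(PLANNED_NETWORKS))
```

Run the check against the full plan, including on-premises and any other cloud ranges, every time a new account or site is added; a clean result is what lets each network be routed unambiguously through the Transit Gateway.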