Microsoft Exchange on the AWS Cloud

Quick Start Reference Deployment


November 2020
Dragos Madarasan and Aaron Lima, AWS Quick Start team

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

This Quick Start reference deployment guide includes infrastructure information, architectural considerations, and configuration steps for planning and deploying a Microsoft Exchange Server environment on the AWS Cloud. It uses AWS CloudFormation templates to automate the deployment.

Note: This Quick Start supports Exchange Server 2016 and Exchange Server 2019.

This Quick Start is for IT infrastructure architects, administrators, and DevOps professionals who are planning to implement or extend their Exchange Server workloads on the AWS Cloud.

Included are best practices for configuring a highly available, fault-tolerant, and secure Exchange environment. This guide doesn’t cover general installation and software configuration tasks for Exchange Server. For general guidance and best practices, consult the Microsoft Exchange Server documentation.

Microsoft Exchange on AWS

Exchange Server is a messaging and collaboration solution that Microsoft developed, with support for mailboxes, calendars, compliance, and e-archival. In an Exchange Server environment, your users can collaborate and—when you deploy the environment in AWS—you can scale your environment based on demand.

The AWS Cloud provides infrastructure services that enable you to deploy Exchange Server in a highly available, fault-tolerant, and affordable way. By deploying on AWS, you get the functionality of Exchange Server and the flexibility and security of AWS.

In addition to this Quick Start, we’ve published a set of Microsoft-based Quick Starts that you can use to deploy other common Microsoft workloads on AWS, including:

  • Microsoft Active Directory

  • Remote Desktop Gateway (RD Gateway)

  • Microsoft SharePoint Server

  • Microsoft Web Application Proxy with Active Directory Federation Services (ADFS)

  • Microsoft SQL Server

  • Windows Server Update Services

Each of those Quick Starts includes a virtual private cloud (VPC) environment, which is deployed based on AWS best practices. To read more about deploying Microsoft workloads by using our Quick Starts, see the Quick Starts in the Microsoft Technologies category.

AWS costs

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

Software licenses

Exchange Server can be deployed and licensed through the Microsoft License Mobility through Software Assurance program. For development and test environments, you can use your existing MSDN licenses for Exchange Server using Amazon Elastic Compute Cloud (Amazon EC2) Dedicated Instances. For details, see the MSDN on AWS page.

This Quick Start deployment uses an evaluation copy of Exchange Server. To upgrade your version, see the Microsoft Exchange Server website.

This Quick Start launches the Amazon Machine Image (AMI) for Microsoft Windows Server 2016 and Windows Server 2019, and includes the license for the Windows Server operating system. The AMI is updated on a regular basis with the latest service pack for the operating system, so you don’t have to install any updates. The Windows Server AMI doesn’t require client access licenses (CALs) and includes two Microsoft Remote Desktop Services licenses. For details, see Microsoft Licensing on AWS.

Architecture

Before you deploy the template in this Quick Start, decide whether to use two Availability Zones or three, and whether to use a file share witness or a full node.

By default, the Exchange Server Quick Start uses two Availability Zones, with one Exchange node in each zone. The file share witness is launched in the same Availability Zone as the first Exchange node.

Note: Where possible, we recommend deploying the Exchange Server Quick Start using three Availability Zones. This enables automatic failover of database availability groups (DAGs), without the need for manual intervention.

You can deploy a full Exchange node instead of a file share witness. In addition, you can specify whether to deploy the full node or the file share witness in a third Availability Zone.

To learn more about Exchange DAGs and quorum models, see TechNet – database availability groups.

In addition, you can deploy an internal Application Load Balancer (ALB) to provide high availability and distribute traffic to the Exchange nodes. In this configuration, you need to import a Secure Sockets Layer (SSL) certificate into AWS Certificate Manager (ACM) before you launch the template.

AWS Secrets Manager is used to securely store the Exchange administrative account credentials. AWS Systems Manager Parameter Store is used to retrieve the credentials.

Deploying this Quick Start for a new virtual private cloud (VPC) with default parameters builds the following Exchange environment in the AWS Cloud.

Figure 1. Quick Start architecture for Exchange on AWS

You can also choose to build an architecture with three Availability Zones, as shown in the following figure:

Figure 2. Quick Start architecture for Exchange across three Availability Zones on AWS

As shown in Figure 1, the Quick Start sets up the following:

  • A highly available architecture that spans two or three Availability Zones.*

  • A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*

  • In the public subnets:

    • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*

    • A Remote Desktop Gateway in an Auto Scaling group to allow inbound Remote Desktop Protocol (RDP) access to EC2 instances in public and private subnets.*

  • In the private subnets:

    • Active Directory domain controllers.

    • Windows Server EC2 instances as Exchange nodes.

    • (Optional) In the public subnets, Exchange Edge Transport servers for routing internet email in and out of your environment.

*The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

Implementation Details

Storage on the Exchange Nodes

Storage capacity and performance are key aspects of any production installation. Although capacity and performance vary from one deployment to the next, this Quick Start provides a reference configuration that you can use as a starting point. The AWS CloudFormation template deploys the Exchange nodes using the memory-optimized r5.xlarge instance type by default.

To provide highly performant and durable storage, we’ve also included Amazon EBS volumes in this reference architecture. EBS volumes are network-attached disk storage, which you can create and attach to EC2 instances. Once these are attached, you can create a file system on top of these volumes, run a mailbox database, or use them in any other way you would use a block device. EBS volumes are placed in a specific Availability Zone, where they are automatically replicated to protect you from the failure of a single component.

Provisioned IOPS EBS volumes offer storage with consistent and low-latency performance. They are backed by solid state drives (SSDs) and are designed for applications with I/O-intensive workloads such as databases.

Amazon EBS-optimized instances, such as the R5 instance type, deliver dedicated throughput between Amazon EC2 and Amazon EBS. The dedicated throughput minimizes contention between Amazon EBS I/O and other traffic from your Amazon EC2 instance, and provides the best performance for your EBS volumes.

By default, on each Exchange node, the Quick Start deploys three 500-GiB General Purpose (GP2) SSD volumes to store mailbox databases and transaction logs. The database and log partitions are formatted using GUID Partition Table (GPT).

By default, partitions are created using Resilient File System (ReFS), which is the Preferred Architecture (PA) choice for Exchange Server 2016 and Exchange Server 2019. If you set the Enable or disable ReFS parameter to false, the partitions are formatted using NTFS.

The GP2 volume type delivers a consistent baseline of 3 IOPS/GiB, which provides a total of 1,500 IOPS per volume for Exchange database and transaction log volumes. You can customize the volume size, and you can switch to using dedicated IOPS volumes.

If you need more IOPS per volume, consider using Provisioned IOPS SSD volumes by changing the Exchange Server Volume Type and Exchange Server Volume IOPS parameters, or use disk striping within Windows.

The default disk layout in this Quick Start uses the following EBS volumes:

  • One General Purpose SSD volume (100 GiB) for the operating system (C:)

  • One General Purpose SSD volume (500 GiB) to host the Exchange Server database files (D:)

  • One General Purpose SSD volume (500 GiB) to host the Exchange Server transaction log files (E:)

The following figure shows the disk layout on each Exchange Server node:

Figure 3. Disk layout on Exchange Server node

Note: You’ll find the installation software on each node in the C:\Exchangeinstall folder.

Depending on the instance type selected, you might see additional drives for instance store (ephemeral) volumes such as (Z:). Data on instance storage will be lost when you stop your EC2 instance.

IP Addresses on the Exchange nodes

By default, the Microsoft Exchange Quick Start template deploys two Exchange nodes with two IP addresses each:

  • One IP address is used as the primary IP address for the instance.

  • A second IP address acts as the Failover Cluster IP resource.

When you launch the AWS CloudFormation template, you can specify the addresses for each node, as shown in Figure 4. By default, the 10.0.0.0/19, 10.0.32.0/19, and 10.0.64.0/19 CIDR blocks are used for the private subnets.

Figure 4. Configuring IP addresses on the Exchange node

Database Availability Group

A failover cluster is automatically created for the database availability group (DAG). The AWS CloudFormation templates carry out this task when deploying the second node. If you use the default parameter settings in the template, the Quick Start runs the following Windows PowerShell commands to complete this task:

Install-WindowsFeature failover-clustering -IncludeManagementTools

New-DatabaseAvailabilityGroup -Name DAG -WitnessServer FileServer -WitnessDirectory C:\DAG

Add-DatabaseAvailabilityGroupServer -Identity DAG -MailboxServer ExchangeNode1

Add-DatabaseAvailabilityGroupServer -Identity DAG -MailboxServer ExchangeNode2

Note: By default, the database availability group is created with the name DAG. To change this value, modify the DAGName default parameter value in the Configure-ExchangeDAG.ps1 file.

The first command runs on each instance during the bootstrapping process. It installs the required components and management tools for the failover clustering services. The rest of the commands run near the end of the bootstrapping process on the second node and are responsible for creating the cluster and for defining the server nodes and IP addresses.

By default, the Quick Start configures an even number of servers in the cluster. You need a third resource to maintain a majority vote to keep the cluster online if an individual server fails. For this, the Quick Start uses a dedicated file share witness instance, which can be either a domain-joined server or a third Exchange node (which cannot be part of the DAG itself). By default, the Quick Start creates a Dedicated Instance in the first Availability Zone to act as the file share witness. For production environments, you can also set the Third AZ parameter to witness to create a Dedicated Instance with a file share in a third Availability Zone.

Alternatively, you can use any domain-joined server for this task. (This isn’t included in the Quick Start.) If you set the Third AZ parameter to full, the Quick Start keeps the quorum settings to the default node majority and creates a third Exchange Server node in the third Availability Zone. Note that some AWS Regions support only two Availability Zones; for a current list, see AWS Global Infrastructure.

The Quick Start automated solution ends after creating the DAG and adding the two Exchange nodes to the DAG. When the deployment is complete, you can create additional databases and make them highly available by creating copies on the second node. This process is covered in step 3 of the deployment instructions.
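The following script is an added example for checking the DAG that the bootstrapping above leaves behind; it is not part of the Quick Start. Run it from the Exchange Management Shell on one of the Exchange nodes. The DAG name DAG and the node and witness names are the Quick Start defaults; change them if you modified Configure-ExchangeDAG.ps1.

```powershell
# Added example (not Quick Start code): verify DAG membership, witness, quorum and
# database copy health after the deployment completes. Run in the Exchange
# Management Shell on an Exchange node. "DAG" is the Quick Start default name.
$DagName = 'DAG'

# 1. DAG membership and witness state. -Status makes Exchange query the cluster,
#    so PrimaryActiveManager and WitnessShareInUse reflect live values.
$dag = Get-DatabaseAvailabilityGroup -Identity $DagName -Status
"DAG {0}: members = {1}" -f $dag.Name, ($dag.Servers -join ', ')
"Witness {0}\{1} in use: {2}" -f $dag.WitnessServer, $dag.WitnessDirectory, $dag.WitnessShareInUse
"Primary Active Manager: {0}" -f $dag.PrimaryActiveManager

# 2. Cluster nodes and quorum model. The FailoverClusters module is installed by
#    Install-WindowsFeature failover-clustering -IncludeManagementTools.
Import-Module FailoverClusters
Get-ClusterNode | Select-Object Name, State | Format-Table -AutoSize
Get-ClusterQuorum | Select-Object QuorumType, QuorumResource | Format-List

# 3. Database copy status on every member. Anything other than Mounted/Healthy, or
#    a growing copy or replay queue, needs attention before you add more copies.
$problems = foreach ($server in $dag.Servers) {
    Get-MailboxDatabaseCopyStatus -Server $server |
        Where-Object { $_.Status -notin 'Mounted', 'Healthy' -or
                       $_.CopyQueueLength -gt 10 -or $_.ReplayQueueLength -gt 10 }
}
if ($problems) {
    Write-Warning 'Database copies needing attention:'
    $problems | Select-Object Name, Status, CopyQueueLength, ReplayQueueLength | Format-Table -AutoSize
} else {
    'All database copies are Mounted or Healthy with empty queues.'
}

# 4. Replication health checks (cluster service, quorum group, replay service, etc.).
#    Only checks that did not pass are reported.
foreach ($server in $dag.Servers) {
    Test-ReplicationHealth -Identity $server |
        Where-Object { $_.Result -ne 'Passed' } |
        ForEach-Object { Write-Warning ("{0}: {1} -> {2} {3}" -f $server, $_.Check, $_.Result, $_.Error) }
}
```

Run this once after the stack reaches CREATE_COMPLETE and again after each failover test; a witness that is not in use in a two-node DAG means the cluster is already one failure away from losing quorum.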

Edge Transport Nodes

Edge Transport nodes relay inbound and outbound emails and provide smart host services within the Exchange organization. The Edge nodes are installed in the public subnets and aren’t domain-joined. However, they do require information from Active Directory, so an Edge Sync subscription must be configured.

Because Edge Transport role nodes aren’t required for end-to-end mail flow, by default, Edge nodes aren’t deployed. For this to occur, you must select yes on the Deploy Edge servers launch option, as shown in the following figure:

Figure 5. Deploying Edge servers

A pair of Edge servers is deployed in the public subnets (which must be defined), and the Exchange Server Edge Transport role is installed using default settings. The EC2 instances aren’t domain-joined, but the DNS suffix that corresponds to the domain name is configured on the network interface cards (NICs). Also, DNS records are created in Active Directory corresponding to their hostname.

The Local Administrator password is reset to the Domain Admin password, and an Edge subscription file is created, which can be found in C:\EdgeServerSubscription.xml.

Copy the subscription file to a mailbox server, and import the subscription by running the following command:

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeServerSubscription.xml" -Encoding Byte -ReadCount 0)) -Site "AZ1"
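The following script is an added example, not part of the Quick Start, that wraps the import command above with the checks a practitioner wants: that the copied file is present and still valid, that the first synchronization actually runs, and that the subscription file is removed afterwards. Run it in the Exchange Management Shell on a mailbox server after copying the file from the Edge node; the file path and the site name AZ1 are the Quick Start values, the 24-hour validity window is Microsoft's documented limit for Edge Subscription files.

```powershell
# Added example (not Quick Start code): import the Edge subscription and verify
# EdgeSync. Run in the Exchange Management Shell (Windows PowerShell) on a mailbox
# server. C:\EdgeServerSubscription.xml and the site "AZ1" are the Quick Start values.
$subscriptionFile = 'C:\EdgeServerSubscription.xml'   # copied from the Edge node
$adSite           = 'AZ1'

if (-not (Test-Path $subscriptionFile)) {
    throw "Subscription file $subscriptionFile not found; copy it from the Edge node first."
}

# Edge Subscription files expire 24 hours after New-EdgeSubscription creates them on
# the Edge node. An expired file is rejected, so warn before attempting the import.
$age = (Get-Date) - (Get-Item $subscriptionFile).LastWriteTime
if ($age.TotalHours -gt 24) {
    Write-Warning ("Subscription file is {0} h old; re-run New-EdgeSubscription on the Edge node." -f [int]$age.TotalHours)
}

# Import exactly as the guide shows: the XML is passed as a byte array.
$bytes = [byte[]](Get-Content -Path $subscriptionFile -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $bytes -Site $adSite

# The file carries the credentials used to bootstrap EdgeSync; it is not needed once
# imported, so remove it rather than leaving it on the mailbox server.
Remove-Item -Path $subscriptionFile -Force

# Run the first synchronization now instead of waiting for the schedule, then verify.
Start-EdgeSynchronization
$status = Test-EdgeSynchronization
$status | Select-Object Name, SyncStatus, LastSynchronizedUtc | Format-Table -AutoSize

# Anything other than Normal usually means the mailbox servers in the site cannot
# reach the Edge node on TCP 50636 (secure LDAP), which EXCHEdgeSecurityGroup must
# allow from the private subnets.
$status | Where-Object { $_.SyncStatus -ne 'Normal' } |
    ForEach-Object { Write-Warning ("EdgeSync to {0} is {1}" -f $_.Name, $_.SyncStatus) }
```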

Load balancer

Exchange servers running with the Client Access/Transport roles are usually situated behind a network load balancer (NLB) with a unified Exchange namespace such as “mail.example.com.” The namespace resolves to the load balancer, which in turn distributes traffic to the Exchange servers.

The Exchange Server Quick Start contains an option to deploy an Application Load Balancer that distributes the traffic to the Exchange nodes.

By default, the load balancer isn’t deployed because it requires an existing SSL certificate to be imported in AWS Certificate Manager.

For a load balancer to be deployed, you must:

  1. Import or generate a certificate in AWS Certificate Manager.

  2. Specify the full Amazon Resource Name (ARN) in the CertificateARN option.

  3. Select true in Deploy Load Balancer, when you launch the Quick Start.

Volume Encryption

As part of the default setup, the Exchange Server Quick Start creates and attaches two EBS volumes to each Exchange node. One EBS volume (corresponding to the D:\ drive) holds the Exchange mailbox databases, while the other EBS volume (E:\) holds the Exchange transaction logs.

The Quick Start also provides an option to encrypt the EBS volumes with either the default AWS Key Management Service (AWS KMS) encryption key or a custom KMS key, as shown in the following figure:

Figure 6. Encrypting the EBS volumes

Note: The root volume of the Exchange nodes (C:\) isn’t encrypted, even if Encrypt data volumes is selected.
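Because the root volume stays unencrypted regardless of the parameter, it is worth confirming the actual encryption state of every volume after the stack is created instead of trusting the parameter value. The following script is an added example (not part of the Quick Start) using AWS Tools for PowerShell; it assumes the Exchange instances carry Name tags ExchangeNode1 and ExchangeNode2 and that the stack was launched in us-east-1, the Quick Start default Region.

```powershell
# Added example (not Quick Start code): list the EBS volumes attached to the Exchange
# nodes with their encryption state. Requires AWS.Tools.EC2 (Install-Module AWS.Tools.EC2)
# and credentials with ec2:DescribeInstances / ec2:DescribeVolumes.
Import-Module AWS.Tools.EC2
$region    = 'us-east-1'                          # Quick Start default Region
$nodeNames = @('ExchangeNode1', 'ExchangeNode2')  # assumed Name tag values

$instances = (Get-EC2Instance -Region $region -Filter @(
    @{ Name = 'tag:Name'; Values = $nodeNames }
    @{ Name = 'instance-state-name'; Values = 'running' }
)).Instances

foreach ($instance in $instances) {
    $name = ($instance.Tags | Where-Object Key -eq 'Name').Value
    "== $name ($($instance.InstanceId)), root device $($instance.RootDeviceName)"

    Get-EC2Volume -Region $region -Filter @{ Name = 'attachment.instance-id'; Values = $instance.InstanceId } |
        ForEach-Object {
            $att = $_.Attachments | Where-Object InstanceId -eq $instance.InstanceId
            # The guide's note: the root volume (C:) is never encrypted by the Quick Start,
            # so only the data volumes (D: and E:) are expected to be encrypted.
            if (-not $_.Encrypted -and $att.Device -ne $instance.RootDeviceName) {
                Write-Warning ("{0}: data volume {1} on {2} is NOT encrypted" -f $name, $_.VolumeId, $att.Device)
            }
            [pscustomobject]@{
                Device    = $att.Device
                VolumeId  = $_.VolumeId
                SizeGiB   = $_.Size
                Type      = $_.VolumeType
                Encrypted = $_.Encrypted
                KmsKeyId  = $_.KmsKeyId
            }
        } | Sort-Object Device | Format-Table -AutoSize
}
```

If you need the operating system volume encrypted as well, the usual route is to launch the nodes from an AMI copied with encryption enabled (or to enable EBS encryption by default for the account and Region) before deployment; the Quick Start parameter alone does not do this.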

Planning the deployment

Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

Before you deploy this Quick Start, we recommend that you become familiar with the following AWS services. (If you are new to AWS, see Getting Started with AWS.)

In addition, you should be familiar with the following:

  • Windows Server 2016 or Windows Server 2019

  • Microsoft Active Directory and Domain Name System (DNS)

  • Windows Server Failover Clustering (WSFC)

  • Exchange database availability groups (DAGs)

For information, see the Microsoft product documentation for these technologies.

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.

Resource quotas

If necessary, request service quota increases for the following resources. You might request quota increases to avoid exceeding the default limits for any resources that are shared across multiple deployments. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.

Resource                                          This deployment uses
VPCs                                              1
Elastic IP addresses                              1
Security groups                                   5
AWS Identity and Access Management (IAM) roles    3
Auto Scaling groups                               1
Network Load Balancers                            1
EC2 instances                                     7

Supported Regions

This Quick Start supports deployment in either two or three Availability Zones; however, some AWS Regions support only two Availability Zones. For a current list, see AWS Global Infrastructure.

Certain Regions are available on an opt-in basis. For more information, see Managing AWS Regions.

EC2 key pairs

Make sure that at least one Amazon EC2 key pair exists in your AWS account in the Region where you plan to deploy the Quick Start. Make note of the key pair name. You need it during deployment. To create a key pair, see Amazon EC2 key pairs and Linux instances.

For testing or proof-of-concept purposes, we recommend creating a new key pair instead of using one that’s already being used by a production instance.

IAM permissions

Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Prepare for the deployment

Microsoft has released Exchange Server 2019 only via Volume Licensing Service Center, so if you are deploying Exchange 2019 you need to provide your own installation media. The Exchange2019Source parameter takes as an input the full URL to the installation media (ISO file).

The Exchange2019Source parameter value should always end in an ISO file extension, although the file name itself is not important as the scripts have built-in logic to determine it from the URL.

Acceptable paths:

https://[yourbucket].s3-us-east-1.amazonaws.com/SW_DVD9_Exchange_Svr_2019.ISO

Improper path:

https://[yourbucket].s3-us-east-1.amazonaws.com/SW_DVD9_Exchange_Svr_2019.zip

Note: Upload the Exchange 2019 installation media to an S3 bucket and temporarily make the installation media public. This will ensure that the file is quickly downloaded to the EC2 instances.

Deployment options

This Quick Start provides two deployment options:

  • Deploy Exchange into a new VPC. This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components. It then deploys Exchange into this new VPC.

  • Deploy Exchange into an existing VPC. This option provisions Exchange in your existing AWS infrastructure.

The Quick Start provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Exchange settings, as discussed later in this guide.

Deployment steps

Sign in to your AWS account

  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. For details, see Planning the deployment earlier in this guide.

  2. Make sure that your AWS account is configured correctly, as discussed in the Technical requirements section.

Launch the Quick Start

If you’re deploying Exchange into an existing VPC, make sure that your VPC has two private subnets in different Availability Zones for the workload instances and that the subnets aren’t shared. This Quick Start doesn’t support shared subnets. These subnets require NAT gateways in their route tables to allow the instances to download packages and software without exposing them to the internet. Also make sure that the domain name option in the DHCP options is configured as explained in DHCP options sets. You provide your VPC settings when you launch the Quick Start.

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service used by this Quick Start. Prices are subject to change.

Each deployment takes about 3 hours to complete.

  1. Sign in to your AWS account, and choose one of the following options to launch the AWS CloudFormation template. For help with choosing an option, see Deployment options earlier in this guide.

Deploy Exchange into a new VPC on AWS

View template

Deploy Exchange into an existing VPC on AWS

View template

  2. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This Region is where the network infrastructure for Exchange is built. The template is launched in the us-east-1 Region by default.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. For details on each parameter, see the Parameter reference section of this guide. When you finish reviewing and customizing the parameters, choose Next.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re finished, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  7. Choose Create stack to deploy the stack.

  8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the Exchange deployment is ready.

  9. Use the values displayed in the Outputs tab for the stack, as shown in Figure 7, to view the created resources.

Figure 7. Exchange outputs after successful deployment

Post-deployment steps

Run Windows Updates

In order to ensure the deployed servers' operating systems and installed applications have the latest Microsoft updates, run Windows Update on each server.

  1. Create an RDP session from the Remote Desktop Gateway server to each deployed server.

  2. Open the Settings application.

  3. Open Update & Security.

  4. Click Check for updates.

  5. Install any updates and reboot if necessary.

(Optional) Create database copies

The Quick Start creates a database availability group (DAG) and adds the Exchange nodes to the DAG. As part of the Exchange installation, each Exchange node contains a mailbox database. The first node contains a database called DB1, and the second node contains a database called DB2.

As part of configuring high availability for the mailbox roles, you can add mailbox database copies on the other Exchange nodes. Alternatively, you can create entirely new databases and only then create additional copies.

To create a second copy for the initial databases, use the following commands:

Add-MailboxDatabaseCopy -Identity DB1 -MailboxServer ExchangeNode2 -ActivationPreference 2

Add-MailboxDatabaseCopy -Identity DB2 -MailboxServer ExchangeNode1 -ActivationPreference 2

(Optional) Create a DNS entry for the load balancer

  1. If you chose the option to deploy a load balancer, the Network Load Balancer (NLB) will have an endpoint address such as [elb.amazonaws.com].

  2. To use the load balancer with your Exchange namespace, create a CNAME record in Active Directory that points to the ALB.

  3. Before proceeding, go to the Amazon EC2 console and, under Load balancer, select the load balancer that the Quick Start created.

  4. Copy the value listed under the DNS name, as shown in Figure 7.

Figure 8. Creating a DNS entry for the load balancer

  5. To create the DNS record, connect using Remote Desktop to one of the domain controllers using domain credentials, and open the DNS console by going to the Start menu and typing “DNS”.

  6. In the DNS console, navigate to the Active Directory zone, right-click, and select New Alias (CNAME), as shown in Figure 8.

Figure 9. Selecting New Alias (CNAME)

  7. Create the DNS entry (for example, “mail”), and in Fully qualified domain name (FQDN) for target host, paste the value of the Application Load Balancer endpoint, as shown in Figure 9.

Figure 10. Creating the DNS entry (“mail”)

  8. Verify that the DNS entry is resolved successfully by performing an nslookup. Go to Start and type “cmd”. In the command line window, type the following:

nslookup mail.example.com

where mail is the name of the CNAME record you created, and “example.com” is your Active Directory domain name.

  9. Ensure that the record resolves to the load balancer DNS record, as shown in Figure 10.

Figure 11. Verifying the DNS record
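The same record can be created and verified from PowerShell, which is easier to repeat and to review than the console steps above. The following script is an added example, not part of the Quick Start; it runs on a domain controller (or any host with the DnsServer RSAT module) as a domain administrator. The zone example.com, the alias mail and the load balancer DNS name are placeholders: take the DNS name from the EC2 console as in step 4.

```powershell
# Added example (not Quick Start code): create the "mail" CNAME for the load balancer
# and verify it resolves. Requires the DnsServer module (RSAT-DNS-Server).
Import-Module DnsServer

$zone      = 'example.com'                                      # placeholder: your AD domain
$alias     = 'mail'                                             # placeholder: namespace host label
$lbDnsName = 'internal-NAME-ID.us-east-1.elb.amazonaws.com'     # placeholder: DNS name from the EC2 console

# Create the alias only if it is absent; Add-DnsServerResourceRecordCName fails on a duplicate.
$existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $alias -RRType CName -ErrorAction SilentlyContinue
if ($existing) {
    "CNAME $alias.$zone already points to {0}" -f $existing.RecordData.HostNameAlias
} else {
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias -HostNameAlias $lbDnsName
    "Created CNAME $alias.$zone -> $lbDnsName"
}

# Verify, like the nslookup step: the alias must resolve to the load balancer name, and
# the load balancer name must resolve to addresses (inside the VPC for an internal ALB).
$answer = Resolve-DnsName -Name "$alias.$zone" -Type CNAME
$target = ($answer | Where-Object QueryType -eq 'CNAME').NameHost
if ($target -ne $lbDnsName.TrimEnd('.')) {
    throw "CNAME resolved to '$target', expected '$lbDnsName'"
}
$addresses = (Resolve-DnsName -Name $lbDnsName -Type A).IPAddress
"$alias.$zone -> $target -> $($addresses -join ', ')"
```

The addresses an internal load balancer resolves to can change over time, which is why the record is a CNAME to the load balancer's DNS name rather than an A record with the current addresses.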

Best practices for using Exchange on AWS

The architecture built by this Quick Start supports AWS best practices for high availability and security.

High availability and disaster recovery

Amazon EC2 provides the ability to place instances in multiple locations composed of AWS Regions and Availability Zones. Regions are dispersed and located in separate geographic areas. Availability Zones are distinct locations within a Region that are engineered to be isolated from failures in other Availability Zones and that provide inexpensive, low-latency network connectivity to other Availability Zones in the same Region.

By launching your instances in separate Regions, you can design your application to be closer to specific customers or to meet legal or other requirements. By launching your instances in separate Availability Zones, you can protect your applications from the failure of a single location. Exchange provides infrastructure features that complement the high availability and disaster recovery scenarios supported in the AWS Cloud.

Automatic failover

Deploying the Quick Start with the default parameters configures a two-node database availability group (DAG) with a file share witness. The DAG uses Windows Server Failover Clustering for automatic failover.

The Quick Start implementation supports the following scenarios:

  • Protection from the failure of a single instance

  • Automatic failover between the cluster nodes

  • Automatic failover between Availability Zones

However, the Quick Start default implementation doesn’t provide automatic failover in every case. For example, the loss of Availability Zone 1, which contains the primary node and file share witness, would prevent automatic failover to Availability Zone 2. This is because the cluster would fail as it loses quorum. In this scenario, you could follow manual disaster recovery steps that include restarting the cluster service and forcing quorum on the second cluster node (e.g., ExchangeNode2) to restore application availability.

The Quick Start also provides an option to deploy into three Availability Zones. This deployment option can mitigate the loss of quorum in the case of a failure of a single node. However, you can select this option only in AWS Regions that include three or more Availability Zones; for a current list, see AWS Global Infrastructure.
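The manual recovery mentioned above for the two-Availability-Zone layout, restarting the cluster service and forcing quorum on the surviving node, looks like the following. This is an added example, not part of the Quick Start, run on ExchangeNode2 (the Quick Start default name) as an account with local administrator and cluster rights; the peer name is also the Quick Start default. It applies only when Availability Zone 1 is genuinely unreachable: forcing quorum on a node that can still see the rest of the cluster can produce two nodes that each believe they hold the authoritative configuration.

```powershell
# Added example (not Quick Start code): bring a two-node DAG cluster back online on the
# surviving node after the Availability Zone holding the other node and the file share
# witness is lost. Run on the survivor (ExchangeNode2 by default).
Import-Module FailoverClusters
$survivor = 'ExchangeNode2'   # Quick Start default
$lostPeer = 'ExchangeNode1'   # Quick Start default

# 1. Confirm the situation. With quorum lost, the cluster service stops on the survivor.
$svc = Get-Service -Name ClusSvc
"Cluster service on {0}: {1}" -f $env:COMPUTERNAME, $svc.Status
if ($env:COMPUTERNAME -ne $survivor) {
    throw "Run this on $survivor, not on $env:COMPUTERNAME."
}
# ICMP may be filtered by the security groups, so treat a reply only as a reason to stop
# and investigate, never as proof the peer is healthy.
if (Test-Connection -ComputerName $lostPeer -Count 2 -Quiet) {
    throw "$lostPeer still answers; investigate before forcing quorum."
}

# 2. Start the surviving node with forced quorum. Its copy of the cluster configuration
#    becomes authoritative; this is the "forcing quorum" step the guide refers to.
Start-ClusterNode -Name $survivor -ForceQuorum

# 3. Verify the cluster is up again and see which databases are active on the survivor.
#    The Exchange cmdlet requires the Exchange Management Shell.
Get-ClusterNode | Select-Object Name, State | Format-Table -AutoSize
Get-ClusterQuorum | Format-List
Get-MailboxDatabaseCopyStatus -Server $survivor |
    Select-Object Name, Status, ActiveCopy, CopyQueueLength | Format-Table -AutoSize

# 4. When Availability Zone 1 returns, start the cluster service on the old node normally
#    (without -ForceQuorum) so it joins the forced configuration, then re-check copy health.
```

Microsoft's Exchange documentation describes a fuller datacenter switchover procedure for DAGs (Stop-DatabaseAvailabilityGroup and Restore-DatabaseAvailabilityGroup) that also handles the DAG's own view of the failed site; the three-Availability-Zone option exists precisely so that a single zone loss does not require any of this.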

We recommend that you consult the Microsoft Exchange Server documentation and customize some of the steps described in this guide or add ones (e.g., deploy additional cluster nodes and configure mailbox database copies) to deploy a solution that best meets your business, IT, and security requirements.

Security groups and firewalls

When the EC2 instances are launched, they must be associated with a security group, which acts as a stateful firewall. You have complete control over the network traffic entering or leaving the security group, and you can build granular rules that are scoped by protocol, port number, and source or destination IP address or subnet. By default, all traffic egressing a security group is permitted. Ingress traffic, on the other hand, must be configured to allow the appropriate traffic to reach your instances.

The Securing the Microsoft Platform on Amazon Web Services whitepaper discusses the different methods for securing your AWS infrastructure. Recommendations include providing isolation between application tiers using security groups. We recommend that you tightly control ingress traffic, so that you reduce the attack surface of your EC2 instances.

Domain controllers and member servers require several security group rules to allow traffic for services such as AD DS replication, user authentication, Windows Time service, and Distributed File System (DFS), among others. The nodes running Exchange Server permit full communication between each other, as recommended by Microsoft best practices. For more information, see Exchange, Firewalls, and Support.

Edge node servers (if configured to be deployed) allow port 25 TCP (SMTP) from the entire internet.

The Quick Start creates certain security groups and rules for you. For a detailed list of port mappings, see the Security section of the Active Directory Domain Services Quick Start deployment guide, and the Security section of this guide.

Security

AWS provides a set of building blocks (for example, Amazon EC2 and Amazon VPC) that you can use to provision infrastructure for your applications. In this model, some security capabilities, such as physical security, are the responsibility of AWS and are highlighted in the AWS security whitepaper. Other areas, such as controlling access to applications, fall on the application developer and the tools provided in the Microsoft platform.

This Quick Start configures the following security groups for Exchange Server:

| Security group | Associated with | Inbound source | Ports |
|---|---|---|---|
| DomainMemberSGID | Exchange nodes, FileServer, RD Gateway, Domain controllers | VPC CIDR | Standard AD ports |
| EXCHClientSecurityGroup | Exchange nodes, FileServer | VPC CIDR | 25, 80, 443, 143, 993, 110, 995, 587 |
| ExchangeSecurityGroup | Exchange nodes | ExchangeSecurityGroup | All ports |
| EXCHEdgeSecurityGroup | EXCHEdgeSecurityGroup | Private subnets CIDR, 0.0.0.0/0 | 50636, 25 |
| LoadBalancerSecurityGroup | Load balancer | 0.0.0.0/0 | 0.0.0.0/0 |
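If you customize the templates, it is worth checking that the security groups still match the policy in this table. The following is an added example, not part of the Quick Start: it reads the AWS::EC2::SecurityGroup resources of a CloudFormation template (loaded as a dictionary) and flags ingress rules that go beyond the documented ports, or that expose anything other than Edge SMTP and the internet-facing load balancer to 0.0.0.0/0. The sample template, the drifted RDP rule and the `tcp` helper are constructed for the example.

```python
"""Audit CloudFormation security-group ingress rules against the port policy
this guide documents. Added example; not the Quick Start's own code."""
import ipaddress

# Inbound ports the guide documents per security group (from the table above).
DOCUMENTED_PORTS = {
    "EXCHClientSecurityGroup": {25, 80, 443, 143, 993, 110, 995, 587},
    "EXCHEdgeSecurityGroup": {50636, 25},
}
# The only internet-open rules the guide describes: SMTP to the Edge Transport
# nodes, plus the internet-facing load balancer group as a whole (assumption).
INTERNET_ALLOWED = {("EXCHEdgeSecurityGroup", 25)}
INTERNET_FACING_GROUPS = {"LoadBalancerSecurityGroup"}


def rule_ports(rule):
    """Return the set of ports a rule covers, or None when it covers all ports."""
    if str(rule.get("IpProtocol")) == "-1":
        return None
    lo, hi = int(rule["FromPort"]), int(rule["ToPort"])
    if lo == -1:  # CloudFormation uses -1 for "all ports" of a protocol
        return None
    return set(range(lo, hi + 1))


def audit_template(template):
    """Return (group, message) findings for ingress rules that exceed the policy."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            src = rule.get("CidrIp")
            # A source that is another security group or an unresolved !Ref is
            # not a CIDR literal and is out of scope for this check.
            if not isinstance(src, str):
                continue
            ports = rule_ports(rule)
            world_open = ipaddress.ip_network(src, strict=False).prefixlen == 0
            if world_open and name not in INTERNET_FACING_GROUPS:
                if ports is None:
                    findings.append((name, "all ports open to 0.0.0.0/0"))
                else:
                    for p in sorted(ports):
                        if (name, p) not in INTERNET_ALLOWED:
                            findings.append((name, f"port {p} open to 0.0.0.0/0"))
            allowed = DOCUMENTED_PORTS.get(name)
            if allowed is not None:
                if ports is None:
                    findings.append((name, "rule opens all ports"))
                else:
                    for p in sorted(ports - allowed):
                        findings.append((name, f"port {p} is not in the documented list"))
    return findings


def tcp(port, cidr):
    """Build one CloudFormation-style TCP ingress rule (helper for the sample)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "CidrIp": cidr}


# Constructed sample modelled on the guide's table, with one drifted rule
# (RDP opened to the internet on the client group) that the audit should catch.
SAMPLE_TEMPLATE = {"Resources": {
    "EXCHClientSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress":
            [tcp(p, "10.0.0.0/16") for p in DOCUMENTED_PORTS["EXCHClientSecurityGroup"]]
            + [tcp(443, {"Ref": "VPCCIDR"}), tcp(3389, "0.0.0.0/0")]}},
    "EXCHEdgeSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [tcp(25, "0.0.0.0/0"),
                                 tcp(50636, "10.0.0.0/19"), tcp(50636, "10.0.32.0/19")]}},
}}

if __name__ == "__main__":
    for group, msg in audit_template(SAMPLE_TEMPLATE):
        print(f"{group}: {msg}")
```

Load a real template with `json.load` (or a YAML parser) into the same dictionary shape before passing it to `audit_template`.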

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, relaunch the template with Rollback on failure set to Disabled. This setting is under Advanced in the AWS CloudFormation console on the Configure stack options page. With this setting, the stack’s state is retained and the instance is left running, so you can troubleshoot the issue. (For Windows, look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)

When you set Rollback on failure to Disabled, you continue to incur AWS charges for this stack. Delete the stack when you finish troubleshooting.

For more information, see Troubleshooting AWS CloudFormation.

Q. I encountered a size limitation error when I deployed the AWS CloudFormation templates.

A. Launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template size limitations. For more information, see AWS CloudFormation quotas.

Parameter reference

Unless you are customizing the Quick Start templates for your own deployment projects, we recommend that you keep the default settings for the parameters labeled Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these parameter settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.

Launch into a new VPC

Table 1. Network Configuration

| Parameter label (name) | Default value | Description |
|---|---|---|
| Availability Zones (AvailabilityZones) | Requires input | List of Availability Zones to use for the subnets in the VPC. Note: You must specify two Availability Zones, unless you specify the Third AZ parameter. In this case, you must specify three Availability Zones. The Quick Start preserves the logical order you specify. |
| Number of Availability Zones (NumberOfAZs) | 2 | Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. |
| Third Availability Zone (ThirdAZ) | no | Enables a three-Availability-Zone deployment. The third Availability Zone can be used just for the witness or can host a full Exchange node. If you choose witness, you must set the WFC File Server Private IP Address parameter to an IP in the third subnet range. |
| VPC CIDR (VPCCIDR) | 10.0.0.0/16 | CIDR block for the VPC. |
| Public Subnet 1 CIDR (PublicSubnet1CIDR) | 10.0.128.0/20 | CIDR block for the public DMZ subnet 1 located in Availability Zone 1. |
| Public Subnet 2 CIDR (PublicSubnet2CIDR) | 10.0.144.0/20 | CIDR block for the public DMZ subnet 2 located in Availability Zone 2. |
| Public Subnet 3 CIDR (PublicSubnet3CIDR) | 10.0.160.0/20 | (Optional) CIDR block for the public DMZ subnet 3 located in Availability Zone 3. |
| Private Subnet 1 CIDR (PrivateSubnet1CIDR) | 10.0.0.0/19 | CIDR block for private subnet 1 located in Availability Zone 1. |
| Private Subnet 2 CIDR (PrivateSubnet2CIDR) | 10.0.32.0/19 | CIDR block for private subnet 2 located in Availability Zone 2. |
| Private Subnet 3 CIDR (PrivateSubnet3CIDR) | 10.0.64.0/19 | (Optional) CIDR block for private subnet 3 located in Availability Zone 3. |

Table 2. Amazon EC2 Configuration

| Parameter label (name) | Default value | Description |
|---|---|---|
| Key pair name (KeyPairName) | Requires input | Public/private key pairs allow you to securely connect to your instance after it launches. |

Table 3. Microsoft Active Directory Configuration

| Parameter label (name) | Default value | Description |
|---|---|---|
| Domain DNS name (DomainDNSName) | example.com | The fully qualified domain name (FQDN) of the forest root domain (e.g., example.com). |
| Domain NetBIOS name (DomainNetBIOSName) | example | The NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows (e.g., EXAMPLE). |
| Domain Admin user name (DomainAdminUser) | StackAdmin | The user name for the account that will be added as Domain Administrator. This is separate from the default Administrator account. |
| Domain Admin password (DomainAdminPassword) | Requires input | The password for the domain admin user. Must be at least 8 characters containing letters, numbers, and symbols. |
| Domain Controller 1 instance type (ADServer1InstanceType) | m5.xlarge | The Amazon EC2 instance type for the first Active Directory instance. |
| Domain Controller 1 NetBIOS name (ADServer1NetBIOSName) | DC1 | The NetBIOS name of the first Active Directory server (up to 15 characters). |
| Domain Controller 1 private IP address (ADServer1PrivateIP) | 10.0.0.10 | The private IP for the first Active Directory server located in Availability Zone 1. |
| Domain Controller 2 instance type (ADServer2InstanceType) | m5.xlarge | The Amazon EC2 instance type for the second Active Directory instance. |
| Domain Controller 2 NetBIOS name (ADServer2NetBIOSName) | DC2 | The NetBIOS name of the second Active Directory server (up to 15 characters). |
| Domain Controller 2 private IP address (ADServer2PrivateIP) | 10.0.32.10 | The private IP for the second Active Directory server located in Availability Zone 2. |

Table 4. Remote Desktop Gateway Configuration

| Parameter label (name) | Default value | Description |
|---|---|---|
| Allowed Remote Desktop Gateway external access CIDR (RDGWCIDR) | Requires input | The allowed CIDR block for external access to the Remote Desktop Gateways. |
| Remote Desktop Gateway instance type (RDGWInstanceType) | t2.large | The Amazon EC2 instance type for the Remote Desktop Gateway instances. |
| Number of RDGW Hosts (NumberOfRDGWHosts) | 1 | The number of Remote Desktop Gateway hosts to create. |

Table 5. Exchange Server Configuration

| Parameter label (name) | Default value | Description |
|---|---|---|
| Enable AWS Backups (EnableBackups) | yes | Creates a default daily/weekly backup schedule using AWS Backup. |
| Exchange Server version (ExchangeServerVersion) | 2016 | Version of Exchange Server to install. Options are "2016" and "2019". |
| Exchange Server 2019 source (ISO) (Exchange2019Source) | https:// | (Optional) Full URL (including https://) for the Exchange 2019 ISO. |
| Deploy Edge servers (IncludeEdgeTransportRole) | no | Choose yes to deploy Exchange Edge Transport servers in the public subnets. |
| Edge Role instance type (EdgeInstanceType) | m5.large | The Amazon EC2 instance type for the Exchange Edge Transport servers. |
| Edge Node 1 NetBIOS name (EdgeNode1NetBIOSName) | EdgeNode1 | The NetBIOS name of the first Edge server (up to 15 characters). |
| Edge Node 1 private IP address (EdgeNode1PrivateIP1) | 10.0.128.12 | The primary private IP for the first Edge server located in Availability Zone 1. |
| Edge Node 2 NetBIOS name (EdgeNode2NetBIOSName) | EdgeNode2 | The NetBIOS name of the second Edge server (up to 15 characters). |
| Edge Node 2 private IP address (EdgeNode2PrivateIP1) | 10.0.144.12 | The primary private IP for the second Edge server located in Availability Zone 2. |
| Enable or disable ReFS (EnableReFSVolumes) | true | Choose false to format the data and log volumes on Exchange nodes using NTFS instead of ReFS. |
| Encrypt data volumes (EncryptDataVolumes) | false | Choose true to encrypt the data and log volumes on Exchange nodes. |
| KMS key to encrypt volumes (EncryptionKmsKey) | Blank string | (Optional) Specify the KMS key ARN in the format arn:aws:kms:[REGION]:[ACCOUNTNUMBER]:key/[GUID]. Leave blank to use the default EBS encryption key. |
| Exchange Server volume IOPS (VolumeIops) | 1000 | The provisioned IOPS for the Exchange Data and Logs volumes. This parameter applies only when Exchange Server volume type is set to "io2". |
| Exchange Server volume size (GiB) (VolumeSize) | 500 | The volume size for the Exchange Data and Logs volumes. |
| Exchange Server volume type (VolumeType) | gp2 | The volume type for the Exchange Data and Logs volumes. |

Table 6. Load Balancer Configuration

| Parameter label (name) | Default value | Description |
|---|---|---|
| Deploy Network Load Balancer (DeployLoadBalancer) | false | Choose true to deploy a Network Load Balancer (NLB). |
| Network Load Balancer Certificate (CertificateArn) | Blank string | (Conditional) If you chose true for Deploy Network Load Balancer, specify the ARN of the certificate the load balancer uses, in the format arn:aws:acm:[REGION]:[ACCOUNTNUMBER]:certificate/[GUID]. |

Table 7. Failover Cluster Configuration

| Parameter label (name) | Default value | Description |
|---|---|---|
| Instance type for Exchange nodes (ExchangeNodeInstanceType) | r5.xlarge | The Amazon EC2 instance type for the Exchange nodes. |
| Exchange Node 1 NetBIOS name (ExchangeNode1NetBIOSName) | ExchangeNode1 | The NetBIOS name of the first Exchange node (up to 15 characters). |
| Exchange Node 1 private IP address 1 (ExchangeNode1PrivateIP1) | 10.0.0.100 | The primary private IP for Exchange node 1. |
| Exchange Node 1 private IP address 2 (ExchangeNode1PrivateIP2) | 10.0.0.101 | The secondary private IP for Exchange node 1. |
| Exchange Node 2 NetBIOS name (ExchangeNode2NetBIOSName) | ExchangeNode2 | The NetBIOS name of the second Exchange node (up to 15 characters). |
| Exchange Node 2 private IP address 1 (ExchangeNode2PrivateIP1) | 10.0.32.100 | The primary private IP for Exchange node 2. |
| Exchange Node 2 private IP address 2 (ExchangeNode2PrivateIP2) | 10.0.32.101 | The secondary private IP for Exchange node 2. |
| Exchange Node 3 NetBIOS name (ExchangeNode3NetBIOSName) | ExchangeNode3 | (Optional) The NetBIOS name of the third Exchange node (up to 15 characters). |
| Exchange Node 3 private IP address 1 (ExchangeNode3PrivateIP1) | 10.0.64.100 | (Optional) The primary private IP for Exchange node 3. |
| Exchange Node 3 private IP address 2 (ExchangeNode3PrivateIP2) | 10.0.64.101 | (Optional) The secondary private IP for Exchange node 3. |
| File Server instance type (FileServerInstanceType) | t3.small | The Amazon EC2 instance type for the file-share witness server. |
| File Server NetBIOS name (FileServerNetBIOSName) | FileServer | The NetBIOS name of the file-share witness server (up to 15 characters). |
| File Server private IP address (FileServerPrivateIP) | 10.0.0.200 | The primary private IP for the file-share witness server. |

Table 8. AWS Quick Start Configuration

| Parameter label (name) | Default value | Description |
|---|---|---|
| Quick Start S3 bucket name (QSS3BucketName) | aws-quickstart | The S3 bucket you’ve created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen. |
| Quick Start S3 key prefix (QSS3KeyPrefix) | quickstart-microsoft-exchange/ | The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes, but should not start or end with a forward slash (which is automatically added). |
| Quick Start S3 bucket region (QSS3BucketRegion) | us-east-1 | The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value. |

Launch into an existing VPC

Table 9. Network Configuration

| Parameter label (name) | Default value | Description |
|---|---|---|
| Third Availability Zone (ThirdAZ) | no | Enables you to deploy three Availability Zones. The third Availability Zone can either be used just for the witness or can host a full Exchange node. If you use the Availability Zone for the witness, you must set the File Server Private IP Address parameter to an IP in the third subnet range. |
| VPC for Exchange deployment (VPCID) | Requires input | The ID of the VPC (e.g., vpc-0343606e). |
| CIDR block of VPC (VPCCidrBlock) | 10.0.0.0/16 | The CIDR block for the VPC. |
| Private Subnet 1 ID (PrivateSubnet1ID) | Requires input | The ID of private subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd). |
| Private Subnet 1 CIDR (PrivateSubnet1CIDR) | 10.0.0.0/19 | The CIDR block for private subnet 1 located in Availability Zone 1. |
| Private Subnet 2 ID (PrivateSubnet2ID) | Requires input | The ID of private subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd). |
| Private Subnet 2 CIDR (PrivateSubnet2CIDR) | 10.0.32.0/19 | The CIDR block for private subnet 2 located in Availability Zone 2. |
| Private Subnet 3 ID (PrivateSubnet3ID) | Blank string | (Optional) The ID of private subnet 3 in Availability Zone 3 (e.g., subnet-a0246dcd). |
| Private Subnet 3 CIDR (PrivateSubnet3CIDR) | 10.0.64.0/19 | (Optional) The CIDR block for private subnet 3 located in Availability Zone 3. |
| Public Subnet 1 ID (PublicSubnet1ID) | Requires input | (Optional) The ID of public subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd). |
| Public Subnet 2 ID (PublicSubnet2ID) | Requires input | (Optional) The ID of public subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd). |

Table 10. Amazon EC2 Configuration

| Parameter label (name) | Default value | Description |
|---|---|---|
| Key Pair Name (KeyPairName) | Requires input | The public/private key pair that allows you to connect securely to your instance after it launches. This is the key pair you created in your preferred Region when you created your AWS account. |
| Windows Server 2016 AMI name (WS2016FULLBASE) | /aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base | The image name for the AWS Systems Manager Windows Server 2016 AMI ID lookup. |
| Windows Server 2019 AMI name (WS2019FULLBASE) | /aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base | The image name for the AWS Systems Manager Windows Server 2019 AMI ID lookup. |

Table 11. Microsoft Active Directory Configuration

| Parameter label (name) | Default value | Description |
|---|---|---|
| Domain DNS name (DomainDNSName) | example.com | The fully qualified domain name (FQDN) of the forest root domain (e.g., example.com). |
| Domain NetBIOS name (DomainNetBIOSName) | EXAMPLE | The NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows (e.g., EXAMPLE). |
| Domain Admin user name (DomainAdminUser) | StackAdmin | The user name for the account that will be used as Domain Administrator. This is separate from the default "Administrator" account. |
| Domain Admin password (DomainAdminPassword) | Requires input | The password for the domain admin user. Must be at least 8 characters containing letters, numbers, and symbols. |
| Domain Controller 1 NetBIOS name (ADServer1NetBIOSName) | DC1 | The NetBIOS name of the first Active Directory server (up to 15 characters). |
| Domain Controller 1 private IP address (ADServer1PrivateIP) | 10.0.0.10 | The private IP for the first Active Directory server located in Availability Zone 1. |
| Domain Controller 2 NetBIOS name (ADServer2NetBIOSName) | DC2 | The NetBIOS name of the second Active Directory server (up to 15 characters). |
| Security Group ID for AD domain members (DomainMemberSGID) | Requires input | The ID of the Domain Member Security Group (e.g., sg-7f16e910). |

Table 12. Microsoft Exchange Server Configuration

| Parameter label (name) | Default value | Description |
|---|---|---|
| Exchange Server version (ExchangeServerVersion) | 2016 | Version of Exchange Server to install. Options are "2016" and "2019". |
| Deploy Edge servers (IncludeEdgeTransportRole) | no | Choose yes to deploy Exchange Edge Transport servers in the public subnets. |
| Instance type for Edge server (EdgeInstanceType) | t3.large | The Amazon EC2 instance type for the Exchange Edge Transport servers. |
| Edge Node 1 NetBIOS Name (EdgeNode1NetBIOSName) | EdgeNode1 | The NetBIOS name of the first Edge server (up to 15 characters). |
| Edge Node 1 private IP address (EdgeNode1PrivateIP1) | 10.0.128.12 | The primary private IP for the first Edge server located in Availability Zone 1. |
| Edge Node 2 NetBIOS name (EdgeNode2NetBIOSName) | EdgeNode2 | The NetBIOS name of the second Edge server (up to 15 characters). |
| Edge Node 2 private IP address (EdgeNode2PrivateIP1) | 10.0.144.12 | The primary private IP for the second Edge server located in Availability Zone 2. |
| Enable or disable ReFS (EnableReFSVolumes) | true | Choose false to format the data and log volumes on Exchange nodes using NTFS instead of ReFS. |
| Encrypt Data volumes (EncryptDataVolumes) | false | Choose true to encrypt the data and log volumes on Exchange nodes. |
| KMS key to encrypt volumes (EncryptionKmsKey) | Blank string | (Optional) Specify the KMS key ARN in the format arn:aws:kms:[REGION]:[ACCOUNTNUMBER]:key/[GUID]. Leave blank to use the default EBS encryption key. |
| Data Volume size (GiB) (VolumeSize) | 500 | The volume size for the Exchange data drive. |
| Data Volume type (VolumeType) | gp2 | The volume type for the Exchange data drive. |
| Data Volume IOPS (VolumeIops) | 1000 | The IOPS for the Exchange data drive (only used when the volume type is io2). |
| Path to Exchange 2016 ISO (Exchange2016Source) | https://download.microsoft.com/download/0/b/7/0b702b8b-03ab-4553-9e2c-c73bb0c8535f/ExchangeServer2016-x64-CU20.ISO | Full URL (including https://) for the Exchange 2016 ISO. |
| Path to Exchange 2019 ISO (Exchange2019Source) | https://download.microsoft.com/download/d/7/b/d7bcf78a-00d2-4a46-a3d2-7d506116bcd2/ExchangeServer2019-x64-CU9.ISO | Full URL (including https://) for the Exchange 2019 ISO. |
| Enable AWS Backups (EnableBackups) | yes | Creates a default daily/weekly backup schedule using AWS Backup. |

Table 13. Load Balancer Configuration

| Parameter label (name) | Default value | Description |
|---|---|---|
| Deploy Network Load Balancer (DeployLoadBalancer) | false | Choose true to deploy a Network Load Balancer (NLB). |
| Network Load Balancer Certificate (CertificateArn) | Blank string | (Conditional) If you chose true for Deploy Network Load Balancer, specify the ARN of the certificate the load balancer uses, in the format arn:aws:acm:[REGION]:[ACCOUNTNUMBER]:certificate/[GUID]. |

Table 14. Failover Cluster Configuration

| Parameter label (name) | Default value | Description |
|---|---|---|
| File Server instance type (FileServerInstanceType) | t3.small | The Amazon EC2 instance type for the file-share witness server. |
| File Server NetBIOS name (FileServerNetBIOSName) | FileServer | The NetBIOS name of the file-share witness server (up to 15 characters). |
| File Server private IP address (FileServerPrivateIP) | 10.0.0.200 | The primary private IP for the file-share witness server. |
| Instance type for Exchange nodes (ExchangeNodeInstanceType) | r5.xlarge | The Amazon EC2 instance type for the Exchange nodes. |
| Exchange Node 1 NetBIOS name (ExchangeNode1NetBIOSName) | ExchangeNode1 | The NetBIOS name of the first Exchange node (up to 15 characters). |
| Exchange Node 1 private IP address 1 (ExchangeNode1PrivateIP1) | 10.0.0.100 | The primary private IP for Exchange node 1. |
| Exchange Node 1 private IP address 2 (ExchangeNode1PrivateIP2) | 10.0.0.101 | The secondary private IP for Exchange node 1. |
| Exchange Node 2 NetBIOS name (ExchangeNode2NetBIOSName) | ExchangeNode2 | The NetBIOS name of the second Exchange node (up to 15 characters). |
| Exchange Node 2 private IP address 1 (ExchangeNode2PrivateIP1) | 10.0.32.100 | The primary private IP for Exchange node 2. |
| Exchange Node 2 private IP address 2 (ExchangeNode2PrivateIP2) | 10.0.32.101 | The secondary private IP for Exchange node 2. |
| Exchange Node 3 NetBIOS Name (ExchangeNode3NetBIOSName) | ExchangeNode3 | (Optional) The NetBIOS name of the third Exchange node (up to 15 characters). |
| Exchange Node 3 private IP address 1 (ExchangeNode3PrivateIP1) | 10.0.64.100 | (Optional) The primary private IP for Exchange node 3. |
| Exchange Node 3 private IP address 2 (ExchangeNode3PrivateIP2) | 10.0.64.101 | (Optional) The secondary private IP for Exchange node 3. |

Table 15. AWS Quick Start Configuration

| Parameter label (name) | Default value | Description |
|---|---|---|
| Quick Start S3 Bucket Name (QSS3BucketName) | aws-quickstart | S3 bucket name for the Quick Start assets. The Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). |
| Quick Start S3 bucket region (QSS3BucketRegion) | us-east-1 | The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value. |
| Quick Start S3 Key Prefix (QSS3KeyPrefix) | quickstart-microsoft-exchange/ | S3 key prefix for the Quick Start assets. The Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). |

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.

Quick Start reference deployments

GitHub repository

Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.
Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.