

# AWS Launch Wizard for SQL Server
<a name="launch-wizard-sql"></a>

AWS Launch Wizard is a service that guides you through the sizing, configuration, and deployment of Microsoft SQL Server applications on AWS, following the [AWS Well-Architected Framework](https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html). AWS Launch Wizard supports both single instance and high availability (HA) application deployments.

AWS Launch Wizard reduces the time it takes to deploy SQL Server solutions to the cloud. You input your application requirements, including performance, number of nodes, and connectivity, on the service console. AWS Launch Wizard identifies the right AWS resources to deploy and run your SQL Server application. AWS Launch Wizard provides an estimated cost of deployment, and you can modify your resources and instantly view the updated cost assessment. When you approve, AWS Launch Wizard provisions and configures the selected resources in a few hours to create a fully-functioning production-ready SQL Server application. It also creates custom AWS CloudFormation templates, which can be reused and customized for subsequent deployments.

Once deployed, your SQL Server application is ready to use and can be accessed from the EC2 console. You can manage your SQL Server application with [AWS Systems Manager (SSM)](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html).

## Supported operating systems and SQL versions
<a name="launch-wizard-os"></a>

AWS Launch Wizard supports the following operating systems and SQL Server versions:

**Deployments on Windows**
+ Windows Server 2025/2022/2019
+ Enterprise and Standard Editions of Microsoft SQL Server 2025/2022/2019
+ Developer Edition of Microsoft SQL Server 2025/2022

**Amazon FSx for Failover Clustering (FCI) deployments on Windows**
+ Windows Server 2025/2022/2019
+ Enterprise and Standard Editions of Microsoft SQL Server 2025/2022/2019

  Cumulative updates (CUs) are applied to the public SQL Server license-included AMIs when those AMIs are built, so a license-included deployment carries the CU level of its AMI. CUs and service packs are not installed on license-included Windows AMIs (SQL Server BYOL) or on BYOL AMIs; plan to apply them yourself after deployment.

**Deployments on Ubuntu**
+ Ubuntu 18.04 (this release reached the end of standard support in May 2023 and now receives security updates only through Ubuntu Pro/ESM; account for that before choosing a Linux deployment)
+ Enterprise and Standard Edition of Microsoft SQL Server 2019

## Features of AWS Launch Wizard
<a name="launch-wizard-features"></a>

**Topics**
+ [Simple application deployment](#launch-wizard-features-app-deployment)
+ [AWS resource selection](#launch-wizard-features-resource-selection)
+ [Cost estimation](#launch-wizard-features-cost)
+ [Reusable code templates](#launch-wizard-features-code-templates)
+ [SNS notification](#launch-wizard-features-sns)
+ [Always On Availability Groups (SQL Server)](#launch-wizard-features-allways-on)
+ [Dedicated Hosts (deployment on Windows)](#launch-wizard-features-dedicated-hosts)
+ [Early input validation](#launch-wizard-features-input-validation)
+ [Application resource groups for easy discoverability](#launch-wizard-features-resource-groups)
+ [One-click monitoring](#launch-wizard-features-application-insights)
+ [Amazon FSx for Failover Clustering (FCI)](#launch-wizard-features-fci)

### Simple application deployment
<a name="launch-wizard-features-app-deployment"></a>

AWS Launch Wizard makes it easy for you to deploy third-party applications on AWS, such as Microsoft SQL Server. When you input the application requirements, AWS Launch Wizard deploys the necessary AWS resources for a production-ready application. This means that you do not have to manage separate infrastructure pieces or spend time provisioning and configuring your SQL Server application. 

### AWS resource selection
<a name="launch-wizard-features-resource-selection"></a>

Launch Wizard considers performance, memory, bandwidth, and other application features to determine the best instance type, EBS volumes, and other resources for your SQL Server application. You can modify the recommended defaults. 

### Cost estimation
<a name="launch-wizard-features-cost"></a>

Launch Wizard provides a cost estimate for a complete deployment. The cost estimate is itemized for each individual resource to deploy. The estimated cost automatically updates each time you change a resource type configuration in the wizard. The provided estimates are for general comparisons only. The estimates are based on On-Demand costs and actual costs may be lower.

### Reusable code templates
<a name="launch-wizard-features-code-templates"></a>

Launch Wizard creates a CloudFormation stack that can be reused to customize and replicate your infrastructure in multiple environments. Code in the template helps you provision resources. You can access and use the templates created by your Launch Wizard deployment from the CloudFormation console. For more information about CloudFormation stacks, see [Working with stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html).

### SNS notification
<a name="launch-wizard-features-sns"></a>

You can provide an [SNS topic](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) so that Launch Wizard will send you notifications and alerts about the status of a deployment.

### Always On Availability Groups (SQL Server)
<a name="launch-wizard-features-allways-on"></a>

Always On Availability Groups (AG) is a Microsoft SQL Server feature that Launch Wizard's SQL Server deployments support. An availability group is a failover unit for a discrete set of user databases, known as availability databases, hosted on a primary replica and one or more secondary replicas. If the primary replica fails, the group fails over as a whole and a secondary replica takes over the workload, so the databases remain available with minimal disruption. AGs improve database availability and allow more efficient use of the resources that the secondary replicas would otherwise leave idle. For more information about the concepts and benefits of Always On Availability Groups, see [Always On Availability Groups (SQL Server)](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/always-on-availability-groups-sql-server?view=sql-server-2017).

### Dedicated Hosts (deployment on Windows)
<a name="launch-wizard-features-dedicated-hosts"></a>

You can deploy SQL Server Always On Availability Groups (AG) or basic availability groups on your Dedicated Hosts to leverage your existing SQL Server Licenses (BYOL). From the Launch Wizard console, select **Dedicated Host** tenancy, and then select the Dedicated Hosts for your VPC. For more information about Amazon EC2 Dedicated Hosts, see [Dedicated Hosts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html).

### Early input validation
<a name="launch-wizard-features-input-validation"></a>

You can leverage your existing infrastructure (such as VPC or Active Directory) with Launch Wizard. This may lead to deployment failures if your existing infrastructure does not meet certain deployment prerequisites. For example, for a SQL Server Always On deployment in your existing VPC, the VPC must have at least one public subnet and two private subnets. It must also have outbound connectivity to Amazon S3, Systems Manager, and AWS CloudFormation service endpoints. If these requirements are not met, the deployment will fail. If you are in a later stage of a deployment, this failure can take more than an hour to detect. To detect these types of issues early in the application deployment process, Launch Wizard's validation framework verifies key application and infrastructure specifications before provisioning. Verification takes approximately 15 minutes. If necessary, you can take appropriate actions to adjust your VPC configuration. 

Launch Wizard performs the following infrastructure validations:

**Resource limit validations at the AWS account level:**
+ VPC 
+ Internet gateway 
+ Number of CloudFormation stacks

**Additionally, Launch Wizard performs the following application-specific validations:**
+ Active Directory credentials (deployment on Windows)
+ Public subnet outbound connectivity
+ Private subnet outbound connectivity
+ Custom Windows AMIs:
  + SQL Server installed and running on instance
  + Compliant versions of Windows and SQL Server
+ Dedicated Hosts (deployment on Windows)
  + AMIs are filtered according to the billing code. This filtering behavior is the result of restrictions described in the [ Dedicated Host restrictions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html#dedicated-hosts-limitations) page. 
  + Supported instance type
  + Sufficient capacity to launch number of nodes and instances
  + Selected subnet and corresponding Dedicated Host are in the same Availability Zone for any additional nodes beyond the primary and first secondary nodes

**Note**  
Some validations, for example checking that the Active Directory credentials are valid, require Launch Wizard to launch a `t2.large` EC2 instance in your account for a few minutes. After it runs the necessary validations, Launch Wizard terminates the instance. If you alert on unexpected instance launches (for example from CloudTrail `RunInstances` events), expect this short-lived instance during validation.
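The subnet and connectivity prerequisites above can be checked before you start the wizard, rather than waiting for its validation step. The following Python script is an added example and is not part of the AWS documentation or of the Launch Wizard service. It applies the rule the Components section states (a subnet is public when its route table sends `0.0.0.0/0` to an internet gateway, otherwise private) to the plain dict shapes that EC2 `DescribeSubnets` and `DescribeRouteTables` return, then checks for at least one public subnet, two private subnets, and private subnets in two Availability Zones. The sample route tables and subnets at the bottom are constructed; with boto3 you would pass `ec2.describe_subnets(Filters=f)["Subnets"]` and `ec2.describe_route_tables(Filters=f)["RouteTables"]` filtered on your VPC ID instead. The warning about outbound access is a heuristic: the script cannot see VPC endpoints, so it flags only private subnets that have no default route at all.

```python
"""Preflight check for the Always On VPC prerequisites (added example, not
part of AWS documentation or Launch Wizard). Runs offline on the constructed
sample below; feed it real DescribeSubnets/DescribeRouteTables output instead."""

# Keys that can hold the target of a 0.0.0.0/0 route in DescribeRouteTables output.
_TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
                "NetworkInterfaceId", "VpcPeeringConnectionId")


def _default_route_target(route_table):
    """Target of the active 0.0.0.0/0 route, or None if the table has none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue  # a blackholed default route carries no traffic
        for key in _TARGET_KEYS:
            if route.get(key):
                return route[key]
    return None


def _route_table_for(subnet_id, route_tables):
    """Explicitly associated route table if any, else the VPC's main table."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify_subnets(subnets, route_tables):
    """Public = default route to an internet gateway; everything else is private.
    Private subnets with no default route are flagged, because nodes there must
    still reach S3, Systems Manager and CloudFormation (NAT or VPC endpoints)."""
    public, private, warnings = [], [], []
    for subnet in subnets:
        table = _route_table_for(subnet["SubnetId"], route_tables)
        target = _default_route_target(table) if table else None
        if target and target.startswith("igw-"):
            public.append(subnet)
        else:
            private.append(subnet)
            if target is None:
                warnings.append(f"{subnet['SubnetId']} ({subnet['AvailabilityZone']}): "
                                "no default route; outbound access to AWS endpoints "
                                "needs a NAT gateway or VPC endpoints")
    return public, private, warnings


def check_always_on_prereqs(subnets, route_tables):
    """Apply the prerequisites: >= 1 public subnet, >= 2 private subnets, and
    private subnets in at least two Availability Zones (the two-AZ layout)."""
    public, private, warnings = classify_subnets(subnets, route_tables)
    problems = []
    if not public:
        problems.append("need at least one public subnet")
    if len(private) < 2:
        problems.append("need at least two private subnets")
    if len({s["AvailabilityZone"] for s in private}) < 2:
        problems.append("private subnets must span at least two Availability Zones")
    return {
        "ok": not problems,
        "problems": problems,
        "warnings": warnings,
        "public": sorted(s["SubnetId"] for s in public),
        "private": sorted(s["SubnetId"] for s in private),
    }


# Constructed sample, not real AWS output: one public subnet, two private
# subnets that inherit the main table's NAT route, and one isolated subnet.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-0a1", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def", "State": "active"}]},
    {"RouteTableId": "rtb-isolated", "Associations": [{"SubnetId": "subnet-0c3", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0a1", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.0.0/24"},
    {"SubnetId": "subnet-0a2", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-0b1", "AvailabilityZone": "us-east-1b", "CidrBlock": "10.0.2.0/24"},
    {"SubnetId": "subnet-0c3", "AvailabilityZone": "us-east-1c", "CidrBlock": "10.0.3.0/24"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(check_always_on_prereqs(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES), indent=2))
```

On the sample, the result is `ok` with `subnet-0a1` public, the other three private, and one warning for `subnet-0c3`, which has no default route. A subnet that is only reachable through VPC endpoints will also trigger that warning; treat it as a prompt to confirm the S3, Systems Manager and CloudFormation endpoints exist, not as a failure.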

### Application resource groups for easy discoverability
<a name="launch-wizard-features-resource-groups"></a>

Launch Wizard creates a resource group for all of the AWS resources created for your SQL Server application. You can manage the resources through the EC2 console or with Systems Manager. When you access Systems Manager through Launch Wizard, the resources are automatically filtered for you based on your resource group. You can manage, patch, and maintain your SQL Server applications in Systems Manager.

### One-click monitoring
<a name="launch-wizard-features-application-insights"></a>

Launch Wizard integrates with [CloudWatch Application Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-application-insights.html) to provide a one-click monitoring setup experience for deploying SQL Server HA workloads on AWS. When you select the option to set up monitoring and insights with Application Insights on the Launch Wizard console, Application Insights automatically sets up relevant metrics, logs, and alarms on CloudWatch, and starts monitoring newly deployed workloads. You can view automated insights and detected problems, along with the health of your SQL Server HA workloads, on the CloudWatch console.

Counters that you can configure using Application Insights include:
+ Mirrored Write Transaction/sec
+ Recovery Queue Length
+ Transaction delay
+ Windows Event Logs on CloudWatch

You can also get automated insights when a failover event or problem, such as a restricted access to query a target database, is detected on your workload.

### Amazon FSx for Failover Clustering (FCI)
<a name="launch-wizard-features-fci"></a>

Launch Wizard uses Amazon FSx to provide Failover Clustering for SQL Server deployments. Failover Clustering is a high availability solution for SQL that puts all database and log files in shared storage (Amazon FSx). The Amazon FSx file share spans multiple Availability Zones and is highly redundant, which allows for automatic failover between SQL nodes in the event of failure.

Launch Wizard offers two storage options for your FCI deployments: Amazon FSx for Windows File Server or Amazon FSx for NetApp ONTAP. If you choose NetApp ONTAP as the storage type for FCI, Launch Wizard creates the user name `FSXAdmin` and a password during the deployment and stores them in AWS Secrets Manager for managing ONTAP. That secret is an administrative credential for the file system; restrict read access to it accordingly.

## Related services
<a name="related-services"></a>

**Topics**
+ [CloudFormation](#launch-wizard-related-services-cloudformation)
+ [Amazon Simple Notification Service (SNS)](#launch-wizard-related-services-sns)
+ [Amazon CloudWatch Application Insights](#launch-wizard-related-services-application-insights)
+ [Linux-only technologies](#launch-wizard-related-services-linux)

### CloudFormation
<a name="launch-wizard-related-services-cloudformation"></a>

[CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) is a service for modeling and setting up your AWS resources, enabling you to spend more time focusing on your applications that run in AWS. You create a template that describes all of the AWS resources that you want to use (for example, Amazon EC2 instances or Amazon RDS DB instances), and CloudFormation takes care of provisioning and configuring those resources for you. With Launch Wizard, you don't have to sift through CloudFormation templates to deploy your application. Instead, Launch Wizard combines infrastructure provisioning and configuration (with a CloudFormation template) and application configuration (with code that runs on EC2 instances to configure the application) into a unified SSM Automation document. The SSM document is then invoked by Launch Wizard's backend service to provision a SQL Server application in your account. For more information, see the *[AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/)*.

### Amazon Simple Notification Service (SNS)
<a name="launch-wizard-related-services-sns"></a>

[Amazon Simple Notification Service (SNS)](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) is a highly available, durable, secure, fully managed pub/sub messaging service that provides topics for high-throughput, push-based, many-to-many messaging. Using Amazon SNS topics, your publisher systems can fan out messages to a large number of subscriber endpoints and send notifications to end users using mobile push, SMS, and email. You can use SNS topics for your Launch Wizard deployments to stay up-to-date on deployment progress. For more information, see the *[Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/welcome.html)*.

### Amazon CloudWatch Application Insights
<a name="launch-wizard-related-services-application-insights"></a>

[Amazon CloudWatch Application Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-application-insights.html) facilitates observability for .NET and SQL Server applications. It can help you set up the best monitors for your application resources to continuously analyze data for signs of problems with your applications. Application Insights, which is powered by [Amazon SageMaker](https://docs.aws.amazon.com/sagemaker/latest/dg/whatis.html) and other AWS technologies, provides automated dashboards that show potential problems with monitored applications, helping you to quickly isolate ongoing issues with your applications and infrastructure. The enhanced visibility into the health of your applications that Application Insights provides can help you reduce your mean time to repair (MTTR) so that you don't have to pull in multiple teams and experts to troubleshoot your application issues.

### Linux-only technologies
<a name="launch-wizard-related-services-linux"></a>

The following key technologies are used when you deploy a SQL Server application with AWS Launch Wizard to the Linux platform.
+ **[Pacemaker](http://manpages.ubuntu.com/manpages/lunar/man8/crm_node.8.html)** is an open source cluster resource manager (CRM), which is a system that coordinates managed resources and services made highly available by a cluster.
+ **[Corosync](https://corosync.github.io/corosync/)** is an open source program that provides cluster membership and messaging capabilities, often referred to as the messaging layer, to client servers. In contrast to Pacemaker, which allows you to control cluster behavior, Corosync makes it possible for servers to communicate as a cluster.
+ **[Transact-SQL](https://docs.microsoft.com/en-us/sql/t-sql/language-reference?view=sql-server-ver15)** is Microsoft's extension to the SQL language and is used to interact with SQL Server. Transact-SQL is the same on Windows and Linux, and it is what configures the Always On Availability Group and its listener.
+ **[Fencing](https://ubuntu.com/server/docs/ubuntu-ha-introduction)** is used to isolate a malfunctioning server from the cluster in order to protect the synced resources. The recommended approach for a malfunctioning server is "Shoot the other node in the head" (STONITH). STONITH is a fencing technique that isolates a failed node so that it does not disrupt the cluster, by resetting or powering down the failed node. Fencing is also used when a clustered service cannot be stopped: the cluster forces the whole node offline, which makes it safe to start the service on a different server. Fencing can be performed at two levels, the node level or the resource level. Launch Wizard only supports node-level fencing.

## Default quotas
<a name="launch-wizard-limits"></a>

Launch Wizard allows for a maximum of 50 active applications (with status `in progress` or `completed`) for any given application type. If you want to increase this limit, contact [Support](https://aws.amazon.com/contact-us). Launch Wizard supports three parallel, in-progress deployments per account. 

## AWS Regions
<a name="launch-wizard-sql-regions"></a>

Launch Wizard uses various AWS services during the provisioning of the application's environment. Not every workload is supported in all AWS Regions. For a current list of Regions where the workload can be provisioned, see [AWS Launch Wizard workload availability](launch-wizard-workload-availability.md).

## Components
<a name="launch-wizard-components"></a>

**Topics**
+ [Windows](#windows)
+ [Linux](#linux)

### Windows
<a name="windows"></a>

A SQL Server application deployed on Windows with Launch Wizard includes the following components:
+ A **virtual private cloud (VPC)** configured with [public and private subnets](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html#what-is-vpc-subnet) across two Availability Zones. A public subnet is a subnet whose traffic is routed to an internet gateway. If a subnet does not have a route to the internet gateway, then it is a private subnet. The VPC provides the network infrastructure for your SQL Server deployment. You can choose an optional third Availability Zone for additional SQL cluster nodes, as shown below.
+ An **internet gateway** to provide access to the internet.
+ In the public subnets, **Windows Server-based Remote Desktop Gateway (RDGW) instances and network address translation (NAT) gateways** for outbound internet access. If you are deploying in your preexisting VPC, Launch Wizard uses the existing NAT gateway in your VPC. For more information about NAT gateways, see [NAT Gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html).
+ **Elastic IP addresses** associated with the NAT gateway and RDGW instances. For more information about Elastic IP addresses, see [Elastic IP addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html).
+ In the private subnets, **Active Directory domain controllers**.
+ In the private subnets, **Windows Server-based instances as Windows Server Failover Clustering (WSFC) nodes**. For more information, see [Windows Server Failover Clustering with SQL Server](https://docs.microsoft.com/en-us/sql/sql-server/failover-clusters/windows/windows-server-failover-clustering-wsfc-with-sql-server?view=sql-server-2017).
+ **SQL Server Enterprise edition with SQL Server Always On Availability Groups on each WSFC node**. This architecture provides redundant databases and a witness server to ensure that a quorum can vote for the node to be promoted to the controlling resource. The default architecture mirrors an on-premises architecture of two SQL Server instances spanning two subnets placed in two different Availability Zones. For more information about SQL Server Always On Availability Groups, see [Overview of Always On Availability Groups (SQL Server)](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server?view=sql-server-2017). 
+ **Security groups** to ensure the secure flow of traffic between the instances deployed in the VPC. For more information, see [Security Groups for Your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html).
**Note**  
If you choose to deploy SQL Server Always On through Launch Wizard into your existing VPC, there is an additional mandatory check box on the console to indicate whether VPC and public/private subnet requirements have been met. 
+ **Amazon FSx** to provide highly available and redundant storage across Availability Zones for clustering.
**Note**  
Launch Wizard uses two Availability Zones.

You can build a SQL HA installation, as shown in the following diagram.

![\[Deploy SQL Server HA with Launch Wizard\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/images/sql-server-on-aws-architecture_mod-3.png)


You can also choose to build an architecture with SQL Server Always On FCI, as shown in the following diagram.

![\[Deploy SQL Server Always On FCI\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/images/ms-sql-fci-fsx-architecture_diagram.png)


### Linux
<a name="linux"></a>

A SQL Server application deployed on Linux with Launch Wizard includes the following components:
+ A **virtual private cloud (VPC)** configured with [public and private subnets](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html#what-is-vpc-subnet) across three Availability Zones. A public subnet is a subnet whose traffic is routed to an internet gateway. If a subnet does not have a route to the internet gateway, then it is a private subnet. The VPC provides the network infrastructure for your SQL Server deployment.
+ An **internet gateway** to provide access to the internet.
+ In the public subnets, **network address translation (NAT)** for outbound internet access. If you are deploying in your preexisting VPC, Launch Wizard uses the existing NAT gateway in your VPC. For more information about NAT gateways, see [NAT Gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html).
+ Two of the private subnets each run a SQL Server **replica node**. One acts as the primary node, and the other as secondary node. The third private subnet is used to run the configuration replica. Launch Wizard deployments on Linux use [Pacemaker](http://manpages.ubuntu.com/manpages/lunar/man8/crm_node.8.html) as the cluster resource manager. Pacemaker differs from Windows Server Failover Cluster (WSFC), which is used for Windows deployments, in terms of how it handles quorum. For Always On availability groups (AG) on Linux, arbitration happens in SQL Server where the metadata is stored. This is where the configuration-only replica is relevant. In order to maintain quorum and enable automatic failovers, Launch Wizard sets up a third node that acts as the configuration-only replica.
+ **Security groups** to ensure the secure flow of traffic between the instances deployed in the VPC. For more information, see [Security Groups for Your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html).

The high-level architecture of a SQL Server high availability solution on Linux is similar to the architecture for deployment on Windows. The main differences are the low-level components and technologies. The architecture for Linux deployments provides redundant databases and a configuration-only replica node to verify that a quorum can vote for the node to be promoted to the controlling resource. The default architecture mirrors an on-premises architecture of two SQL Server instances spanning two subnets placed in two different Availability Zones. For more information about SQL Server Always On Availability Groups (AG), see [Overview of Always On Availability Groups (SQL Server)](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server?view=sql-server-2017) in the Microsoft documentation.

![\[Deploy SQL Server Always On with Launch Wizard with three Availability Zones\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/images/sql-server-on-aws-architecture-3az_linux-2.png)


# Get started with AWS Launch Wizard for SQL Server
<a name="launch-wizard-getting-started"></a>

 This section contains information to help you set up your environment to deploy SQL Server with Launch Wizard, including:
+ Active Directory permissions
+ How to create an IAM policy and assign the permissions
+ OS and SQL version requirements
+ Configuration settings

When your environment is set up, you can deploy a SQL Server Always On application with Launch Wizard by following the [steps and parameter specification details](launch-wizard-deploying.md) provided in this section.

**Topics**
+ [AWS Identity and Access Management (IAM)](#launch-wizard-iam)
+ [Active Directory (Windows deployment)](#launch-wizard-ad)
+ [Requirements for Windows and Linux AMIs](#launch-wizard-amis)
+ [Requirements for using Amazon FSx](#launch-wizard-sql-prerequisites-fsx)
+ [Configuration settings (deployment on Windows)](#launch-wizard-config)

## AWS Identity and Access Management (IAM)
<a name="launch-wizard-iam"></a>

The following steps to establish the AWS Identity and Access Management (IAM) role and set up the user for permissions are typically performed by an IAM administrator for your organization. 

**Topics**
+ [Sign up for an AWS account](#launch-wizard-sql-aws-account)
+ [Assign permissions to use Launch Wizard](#launch-wizard-user-setup)
+ [One-time creation of IAM Role](#launch-wizard-iam-role)
+ [AWS Secrets Manager permissions](#launch-wizard-sql-prerequisites-secrets-manager)

### Sign up for an AWS account
<a name="launch-wizard-sql-aws-account"></a>

#### Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

#### Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1.  Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com/singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com/singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

### Assign permissions to use Launch Wizard
<a name="launch-wizard-user-setup"></a>

To deploy a SQL Server Always On application with Launch Wizard, your user must have the permissions provided by the `AmazonLaunchWizardFullAccessV2` policy. The following guidance is provided for IAM administrators to provide permissions for users to access and deploy applications from Launch Wizard using the `AmazonLaunchWizardFullAccessV2` policy.

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

**Important**  
When you use Launch Wizard, sign in as the user, or assume the role, that carries the `AmazonLaunchWizardFullAccessV2` policy. 

### One-time creation of IAM Role
<a name="launch-wizard-iam-role"></a>

On the **Choose Application** page of Launch Wizard, under **Permissions**, Launch Wizard displays the IAM role that the Amazon EC2 instances it creates need in order to access other AWS services on your behalf. When you select **Next**, Launch Wizard attempts to discover the IAM role in your account. If the role exists, it is attached to the instance profile for the EC2 instances that Launch Wizard will launch into your account. If the role does not exist, Launch Wizard attempts to create it under the name `AmazonEC2RoleForLaunchWizard`. The role comprises two IAM managed policies: `AmazonSSMManagedInstanceCore` and `AmazonEC2RolePolicyForLaunchWizard`. After the role is created, the IAM administrator can delegate the application deployment process to another user, who in turn must have the `AmazonLaunchWizardFullAccessV2` managed policy described in the preceding section.

### AWS Secrets Manager permissions
<a name="launch-wizard-sql-prerequisites-secrets-manager"></a>

Launch Wizard uses AWS Secrets Manager to manage your domain and SQL Server account passwords. Your username and password are stored in Secrets Manager and are retrieved during the build process. The following resource policy is added to the secret so that the `AmazonEC2RoleForLaunchWizard` IAM role used by Launch Wizard can retrieve the secret. For more information about Secrets Manager, see the [AWS Secrets Manager User Guide](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html).

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/service-role/AmazonEC2RoleForLaunchWizard"
            },
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:CreateSecret",
                "secretsmanager:GetRandomPassword"
            ],
            "Resource": "*"
        }
    ]
}
```

------
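To confirm that a secret's resource policy grants no more than the access shown above, the following audit function is an added example (not part of the AWS documentation): it reports any principal other than the Launch Wizard role in your account, any account-wide or public principal, and any action beyond the three listed. It assumes you already have the policy JSON, for example the `ResourcePolicy` returned by `Get-SECResourcePolicy` in AWS Tools for PowerShell; here a constructed copy of the documented policy is checked offline.

```powershell
# Added example, not from the AWS documentation: audit a secret's resource policy
# against the grant Launch Wizard needs and list everything broader than that.

function Test-LaunchWizardSecretPolicy {
    param(
        [Parameter(Mandatory)][string]$PolicyJson,
        [Parameter(Mandatory)][string]$AccountId    # account that owns AmazonEC2RoleForLaunchWizard
    )
    $expectedPrincipal = "arn:aws:iam::${AccountId}:role/service-role/AmazonEC2RoleForLaunchWizard"
    $expectedActions   = @('secretsmanager:GetSecretValue',
                           'secretsmanager:CreateSecret',
                           'secretsmanager:GetRandomPassword')
    $findings = @()
    $policy = $PolicyJson | ConvertFrom-Json

    foreach ($stmt in @($policy.Statement)) {
        if ($stmt.Effect -ne 'Allow') { continue }   # Deny statements only narrow access

        # Principal is either the string "*" or an object whose AWS member is a string or an array
        $principals = if ($stmt.Principal -is [string]) { @($stmt.Principal) } else { @($stmt.Principal.AWS) }
        foreach ($p in $principals) {
            if ($p -eq '*') {
                $findings += 'Grants access to any AWS principal'
            } elseif ($p -match '^arn:aws:iam::\d{12}:root$') {
                $findings += "Grants access to every identity in an account: $p"
            } elseif ($p -ne $expectedPrincipal) {
                $findings += "Unexpected principal: $p"
            }
        }

        # Action is a string or an array; wildcards and unexpected actions are both findings
        foreach ($a in @($stmt.Action)) {
            if ($a.Contains('*')) {
                $findings += "Wildcard action: $a"
            } elseif ($expectedActions -notcontains $a) {
                $findings += "Action beyond what Launch Wizard needs: $a"
            }
        }
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed input: the documented policy with the documentation's example account ID
$documentedPolicy = @'
{ "Version": "2012-10-17",
  "Statement": [ {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/service-role/AmazonEC2RoleForLaunchWizard" },
      "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret", "secretsmanager:GetRandomPassword" ],
      "Resource": "*"
  } ]
}
'@

Test-LaunchWizardSecretPolicy -PolicyJson $documentedPolicy -AccountId '111122223333'
```

The documented policy comes back compliant; a policy whose principal is `*` or that adds `secretsmanager:*` returns `Compliant = False` with the reason in `Findings`.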

## Active Directory (Windows deployment)
<a name="launch-wizard-ad"></a>

Launch Wizard can deploy SQL Server using AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD), or your Self Managed Active Directory.

**Topics**

### AWS Managed Active Directory
<a name="launch-wizard-ad-managed"></a>

If you are [deploying SQL Server into an existing VPC with an existing Active Directory](), Launch Wizard uses your Managed Active Directory (AD) domain user credentials to set up a fully functional SQL Server Always On Availability Group in the Active Directory. Launch Wizard supports this deployment option only for AWS Managed Active Directory. Your Managed Active Directory does not have to be in the same VPC as the one in which SQL Server Always On is deployed. If it is in a different VPC than the one in which SQL Server Always On is deployed, verify that you set up connectivity between the two VPCs. The domain user requires the following permissions in the [Active Directory Default organizational unit (OU)](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/creating-an-organizational-unit-design) to enable Launch Wizard to perform the deployment successfully:
+ `Reset password`
+ `Write userAccountControl`
+ `Create user accounts`
+ `Create computer objects`
+ `Read all properties`
+ `Modify permissions`

The following key operations are performed against your Active Directory by Launch Wizard. These operations result in the creation of new records or entries in Active Directory.
+ SQL Server service user added as a new Active Directory user if it does not already exist in Active Directory.
+ SQL Server instance and Remote Desktop Gateway Access instance joined to the Active Directory domain.
+ `CreateChild` role added to Windows Server Failover Cluster as part of `ActiveDirectoryAccessRule`.
+ `FullControl` role added to SQL Server Service user as part of `FileSystemRights`.

### Self Managed Active Directory
<a name="launch-wizard-ad-onprem"></a>

If you are [deploying SQL Server into an existing VPC across multiple Availability Zones and connecting to a Self Managed Active Directory]() or [deploying SQL Server into an existing VPC on a single node and connecting to a Self Managed Active Directory](), verify the following prerequisites.
+ If your Self Managed Active Directory resides in another network than where you are deploying SQL Server, make sure you have connectivity between your VPC and the Self Managed Active Directory network. You must also be able to connect to any DNS servers you specify during deployment from your VPC. For more information, see [Network-to-Amazon VPC connectivity options](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/network-to-amazon-vpc-connectivity-options.html).
+ Your SQL Server resources must be able to perform DNS resolution from within the VPC to any DNS servers you specify. For options on how to set this up, see [How to Set Up DNS Resolution Between On-Premises Networks and AWS Using Directory Service and Amazon Route 53](https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-amazon-route-53/) or [How to Set Up DNS Resolution Between On-Premises Networks and AWS Using Directory Service and Microsoft Active Directory](https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-microsoft-active-directory/).
+ The domain functional level of your Active Directory domain controller must be Windows Server 2019 or later.
+ The firewall on the Active Directory domain controllers should allow the connections from the Amazon VPC from which you will create the Launch Wizard deployment. At a minimum, your configuration should include the ports mentioned in [How to configure a firewall for Active Directory domains and trusts](https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts).
+ The domain user requires the following permissions in the [Active Directory Default organizational unit (OU)](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/creating-an-organizational-unit-design) to enable Launch Wizard to perform the deployment successfully:
  + `Reset password`
  + `Write userAccountControl`
  + `Create user accounts`
  + `Create computer objects`
  + `Read all properties`
  + `Modify permissions`

## Requirements for Windows and Linux AMIs
<a name="launch-wizard-amis"></a>

Launch Wizard has requirements for using custom Windows and Linux AMIs as well as Windows license-included AMIs in certain deployment scenarios.

**Topics**

### Requirements for using Windows license-included AMIs (deployment on Windows)
<a name="launch-wizard-sql-prerequisites-license-included-ami"></a>

When you use Windows license-included AMIs, note the following:
+ You can use Windows license-included AMIs with SQL Bring-Your-Own-License (BYOL). 
+ Your SQL media must meet certain requirements to use Windows license-included AMIs with SQL BYOL. The SQL media must be:
  + An ISO file.
  + Hosted in an Amazon S3 bucket prefixed with `LaunchWizard-*`.
  + Included in a folder within the Amazon S3 bucket.
  + Included in a public folder so that Launch Wizard can download and install the media.

### Requirements for using custom Windows AMIs (deployment on Windows)
<a name="launch-wizard-custom-ami"></a>

We recommend that you use Amazon Windows license-included AMIs whenever possible. There are scenarios for which you may want to use a custom Windows AMI. For example, you may have existing licenses (BYOL), or you may have made changes to one of our public images and re-imaged it.

If you use Amazon Windows license-included AMIs, you are not required to perform any pre-checks on the AMI to ensure that it meets Launch Wizard requirements.

Launch Wizard relies on user data to begin the process of configuring the SQL Server or RDGW instances that it launches in your account. For more information, see [User Data Scripts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html). By default, all AWS Windows AMIs have user data execution enabled for the initial launch. To ensure that your custom AMIs are set up to run the user data script at launch, follow the AWS recommended method to prepare your AMIs using [EC2Launch v2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2launch-v2.html). For more information about how to prepare your custom AMI using the options to `Shutdown with Sysprep` or `Shutdown without Sysprep`, see [Create a Standard Amazon Machine Image Using Sysprep](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/Creating_EBSbacked_WinAMI.html#ami-create-standard) or [EC2Launch v2 and Sysprep](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2launch.html#ec2launch-v2-sysprep). If you want to directly enable user data as part of the custom AMI creation process, follow the steps for `Subsequent Reboots` or `Starts` under [Run commands on your EC2 instance at launch](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html).

If you use a custom Windows AMI, the volume drive letter for the root partition should be `C:` because EC2Launch v2 relies on this configuration to install the components. 

While not exhaustive, the following requirements cover most of the configurations whose alteration might impact the successful deployment of a SQL Server Always On application using Launch Wizard.


**Support matrix**  

| SQL Server Version | Windows Server 2019 | Windows Server 2022 | Windows Server 2025 | 
| --- | --- | --- | --- | 
| SQL Server 2019 | YES | YES | YES | 
| SQL Server 2022 | YES | YES | YES | 
| SQL Server 2025 | YES | YES | YES | 

**OS and SQL requirements**
+ Windows Server 2019 (Datacenter) (64-bit only)
+ Windows Server 2022 (Datacenter) (64-bit only)
+ MBR-partitioned volumes and GUID Partition Table (GPT) partitioned volumes that are formatted using the NTFS file system
+ English language pack only
+ SQL Server Enterprise Edition 2019 or Standard Edition 2019
+ SQL Server Enterprise Edition 2022, Standard Edition 2022, or Developer Edition 2022
+ SQL Server Standard Developer Edition 2025
+ SQL Server Enterprise Developer Edition 2025
+ The root volume drive for the custom AMI should be `C:`
+ SQL Server is installed on the root drive

**AWS software and drivers**
+ EC2Launch v2
+ AWS SSM ([SSM agent must be installed](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-win.html))
+ AWS Tools for Windows PowerShell
+ Network drivers (SRIOV, ENA)
+ Storage drivers (NVMe, AWS PV)

### Requirements for using custom Linux AMIs (deployment on Linux)
<a name="launch-wizard-custom-ami-linux"></a>

There are occasions when you may want to use a custom Linux AMI. For example, you may have existing licenses (BYOL), or you may have made changes to one of our public images and re-imaged it.

If you use a custom Linux AMI, you must adhere to the following requirements:
+ The operating system must be Ubuntu version 18.04 LTS.
+ The system installer and administrator must be a sudo user and be able to log in to the cluster nodes using SSH.
+ SQL Server for Linux must be a default installation.
+ The SQL Server for Linux version must be 2019.
+ The latest Microsoft SQL tools must be installed.

## Requirements for using Amazon FSx
<a name="launch-wizard-sql-prerequisites-fsx"></a>

Launch Wizard uses continuously available Amazon FSx file shares to host clustered databases. The Amazon FSx file shares are accessible from within an instance joined to the domain. You can either create a new Active Directory or connect to an existing Active Directory (managed or Self Managed). If you connect to an existing Active Directory, you can use preexisting security groups. The security groups must satisfy the port and security requirements for FSx to communicate with the domain, as described in [Using Amazon FSx with your Self Managed Microsoft Active Directory](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/self-managed-AD.html) and [Using Amazon FSx with AWS Directory Service for Microsoft Active Directory](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/fsx-aws-managed-ad.html).

If you are using an existing AWS Managed Active Directory instance, you must specify the ID of the managed Active Directory instance for FSx to be able to join the domain. The account must have the same access rights in the domain as described in [Using Amazon FSx with your Self Managed Microsoft Active Directory](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/self-managed-AD.html) and [Using Amazon FSx with AWS Directory Service for Microsoft Active Directory](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/fsx-aws-managed-ad.html).

For Amazon FSx using NetApp ONTAP, Launch Wizard creates security groups in order to access the ONTAP file system and to set up failover clustering. For port requirements, see [File System Access Control with Amazon VPC](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/limit-access-security-groups.html) in the *Amazon FSx for NetApp ONTAP User Guide*.

**Note**  
This Launch Wizard deployment relies on the instances that are being deployed to be able to connect to your ONTAP endpoint from within the VPC. For more information on the connectivity requirements, see [Accessing data from within AWS](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/access-environments.html) in the *Amazon FSx for NetApp ONTAP User Guide*.

**Backup schedule**  
Launch Wizard uses FSx defaults for setting up the backup schedule. You can change the default settings in the FSx console after the build completes.

The `WeeklyMaintenanceStartTime` value follows the format `day of the week:time`, where Monday is indicated by `1`. The maintenance start time is set to begin on Saturday at 10pm.

```
WeeklyMaintenanceStartTime: '6:22:00'
DailyAutomaticBackupStartTime: '01:00'
AutomaticBackupRetentionDays: 7
```

**Amazon FSx using NetApp ONTAP**  
Amazon FSx using NetApp ONTAP creates a new ONTAP file system for use with your Launch Wizard SQL deployment. We use the formulas in the following table to calculate volume and LUN storage for optimal performance.

These values can be modified post deployment.


| Storage type | Size in GB | Sizing calculations | 
| --- | --- | --- | 
|  FSx storage  |  1024  | Size in GB | 
|  Volume storage  |  870.4  | 85% of total storage FSx capacity | 
|  LUN storage  |  696.32  | 80% of volume storage (65% of total FSx storage) | 
| SQL data LUN size | 522.24 | 60% of LUN storage | 
| SQL log LUN size | 139.264 | 20% of SQL Data LUN size | 

**Backup schedule for ONTAP**  
By default, ONTAP backups are disabled during builds. You can set your own backup schedule from the Amazon FSx console. Choose the **Backup** tab. Then, choose **Update** to update the backup settings. 

**Note**  
When you delete a Launch Wizard deployment that uses ONTAP, FSx creates a backup of the ONTAP volume before deleting the file system. You can delete the backup from the Amazon FSx console if it is not required. For more information, see [Deleting backups](https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/using-backups.html#delete-backups) in the *FSx for ONTAP User Guide*.

## Configuration settings (deployment on Windows)
<a name="launch-wizard-config"></a>

The following configuration settings are applied when deploying a SQL Server Always On application with Launch Wizard.


| Setting | Applies to | 
| --- | --- | 
|  Current EC2Launch v2 and SSM Agent  |  Windows Server 2022 and 2019\*  | 
|  Current EC2Launch and SSM Agent  |  Windows Server 2019\*  | 
|  Current AWS PV, ENA, and NVMe drivers  |  Windows Server 2022 and 2019  | 
|  Current SRIOV drivers  |  Windows Server 2022 and 2019  | 
|  Microsoft SQL Server: latest service pack; SQL Service configured to start automatically; SQL Service running; `BUILTIN\Administrators` added to the `SysAdmin` server role; TCP port `1433` and UDP port `1434` open  |  Windows Server 2022 and 2019  | 
|  Allow ICMP traffic through the firewall  |  Windows Server 2022 and 2019  | 
|  Allow RDP traffic through host firewall  |  Windows Server 2022 and 2019  | 
|  `RealTimeIsUniversal` registry key set  |  Windows Server 2022 and 2019  | 
| SQL Server FCI |  Windows Server 2022 and 2019; SQL Server 2022 and 2019 | 

\* Windows Server 2019 can use either EC2Launch or EC2Launch v2 depending on what is configured in the AMI. For more information, see [Supported AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2launch-v2.html).

The following AMI settings can impact the Launch Wizard deployment:

**System Time**  
**RealTimeIsUniversal**. If disabled, Windows system time drifts when the time zone is set to a value other than UTC.

**Windows Firewall**  
In most cases, Launch Wizard configures the correct protocols and ports. However, custom Windows Firewall rules could impact the cluster service. To ensure that your custom AMI works with Launch Wizard, see [Service overview and network port requirements for Windows](https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows).

**Remote Desktop**  
**Service Start**. Remote Desktop service must be enabled.  
**Remote Desktop Connections**. Must be enabled.

**Network Interface**  
**DHCP Service Startup**. DHCP service should be enabled.  
**DHCP on Ethernet**. DHCP should be enabled.

**Microsoft SQL Server**  
**TCPIP**. Must be enabled for protocols in SQL Configuration Manager.

**PowerShell**  
**Execution Policy**. The execution policy in all AWS license-included AMIs is set to `Unrestricted`. We recommend that you set this policy to `Unrestricted` when you set up SQL Server Always On Availability Groups using Launch Wizard. You can change the policy when setup is complete. 
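The custom AMI requirements and the AMI settings listed above can be verified before you create the image. The following read-only check is an added example, not part of the AWS documentation or of Launch Wizard: run it in an elevated PowerShell session on the instance you intend to image and it returns one row per requirement (root drive, 64-bit English OS, `RealTimeIsUniversal`, Remote Desktop, DHCP, SSM Agent, SQL Server TCP/IP, execution policy). It assumes EC2Launch v2 registers its Windows service as `AmazonEC2Launch`; every other service name and registry path is the standard Windows or SQL Server location.

```powershell
# Added example, not from the AWS documentation: read-only readiness check of a
# custom Windows AMI candidate against the Launch Wizard requirements. Changes nothing.

function Test-LaunchWizardAmiReadiness {
    [CmdletBinding()]
    param()

    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # OS and SQL requirements: root volume on C:, 64-bit OS, English language pack
    Add-Result 'Root drive is C:' ($env:SystemDrive -eq 'C:') "SystemDrive=$env:SystemDrive"
    Add-Result '64-bit OS' ([Environment]::Is64BitOperatingSystem) ''
    $locale = (Get-WinSystemLocale).Name
    Add-Result 'English system locale' ($locale -like 'en-*') "Locale=$locale"

    # System time: RealTimeIsUniversal must be set or the clock drifts in non-UTC time zones
    $tz = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' `
                           -Name RealTimeIsUniversal -ErrorAction SilentlyContinue
    Add-Result 'RealTimeIsUniversal set' ($tz.RealTimeIsUniversal -eq 1) "Value=$($tz.RealTimeIsUniversal)"

    # Remote Desktop connections: fDenyTSConnections = 0 means connections are allowed
    $rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                            -Name fDenyTSConnections -ErrorAction SilentlyContinue
    Add-Result 'Remote Desktop connections enabled' ($rdp.fDenyTSConnections -eq 0) "fDenyTSConnections=$($rdp.fDenyTSConnections)"

    # Required services must be installed and not disabled
    $services = @{
        'TermService'     = 'Remote Desktop Services'
        'Dhcp'            = 'DHCP Client'
        'AmazonSSMAgent'  = 'Amazon SSM Agent'
        'AmazonEC2Launch' = 'EC2Launch v2 (assumed service name)'
    }
    foreach ($name in $services.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $ok = $null -ne $svc -and $svc.StartType -ne 'Disabled'
        $detail = if ($svc) { "StartType=$($svc.StartType) Status=$($svc.Status)" } else { 'not installed' }
        Add-Result "Service enabled: $($services[$name])" $ok $detail
    }

    # Network interface: DHCP must be enabled on the Ethernet adapter(s)
    $dhcpIfaces = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -like 'Ethernet*' -and $_.Dhcp -eq 'Enabled' }
    Add-Result 'DHCP enabled on Ethernet' ($null -ne $dhcpIfaces) "Interfaces=$(@($dhcpIfaces).Count)"

    # Microsoft SQL Server: TCP/IP protocol enabled for every registered instance
    $instances = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL' -ErrorAction SilentlyContinue
    $instProps = if ($instances) { $instances.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } } else { @() }
    if (-not $instProps) { Add-Result 'SQL Server installed' $false 'no instance registered' }
    foreach ($inst in $instProps) {
        $tcpKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($inst.Value)\MSSQLServer\SuperSocketNetLib\Tcp"
        $tcp = Get-ItemProperty -Path $tcpKey -Name Enabled -ErrorAction SilentlyContinue
        Add-Result "SQL TCP/IP enabled ($($inst.Name))" ($tcp.Enabled -eq 1) "Enabled=$($tcp.Enabled)"
    }

    # PowerShell: the documentation expects Unrestricted for the build; tighten it afterwards
    $policy = Get-ExecutionPolicy -Scope LocalMachine
    Add-Result 'Execution policy Unrestricted (LocalMachine)' ($policy -eq 'Unrestricted') "Policy=$policy"

    return $results
}

# Usage: print the report and exit non-zero if any requirement is not met
$report = Test-LaunchWizardAmiReadiness
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) { exit 1 }
```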

# Deploy an application with AWS Launch Wizard for SQL Server on Windows (Console)
<a name="launch-wizard-deploying"></a>

## Access AWS Launch Wizard
<a name="accessing-launch-wizard"></a>

You can launch AWS Launch Wizard from the [AWS Launch Wizard console](https://console.aws.amazon.com/launchwizard).

## Deploy AWS Launch Wizard on Windows
<a name="deploy-console-launch-wizard"></a>

### Deploy SQL Server Always On application
<a name="deploy-console-launch-wizard-always-on"></a>

The following steps guide you through a SQL Server Always On application deployment with AWS Launch Wizard after you have launched it from the console.

1. When you select **Workload library** from the AWS Launch Wizard landing page, you are directed to the **Workload library** wizard, where you are prompted to select the type of application that you want to deploy. Select **Microsoft SQL Server**, then **Launch new deployment**.

1. From the **Choose deployment pattern** list of available deployment patterns, choose **SQL Server Always On - Windows** and then **Configure deployment**.

1. Under **Review Permissions**, Launch Wizard displays the AWS Identity and Access Management (IAM) role required for Launch Wizard to access other AWS services on your behalf. For more information about setting up IAM for Launch Wizard, see [AWS Identity and Access Management (IAM)](launch-wizard-getting-started.md#launch-wizard-iam). Choose **Next**.

1. On the **Configure application settings** page, select the **Operating System** on which you want to install SQL Server — in this case, **Windows**.

1. **Deployment model**. Choose **High availability deployment** to deploy your SQL Server Always On application across multiple Availability Zones or **Single instance deployment** to deploy your SQL Server application on a single node.

1. You are prompted to enter the specifications for the new deployment. The following tabs provide information about the specification fields.

------
#### [ General ]
   + **Deployment name**. Enter a unique application name for your deployment.
   + (Optional) **Simple Notification Service (SNS) topic ARN**. Specify an SNS topic where AWS Launch Wizard can send notifications and alerts. For more information, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/welcome.html).
   + (Optional for HA deployments) **CloudWatch application monitoring**. Select the check box to set up monitors and automated insights for your deployment using CloudWatch Application Insights. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-application-insights.html).
   + **Enable rollback on failed deployment**. By default, if a deployment fails, your provisioned resources will not be rolled back/deleted. This default configuration helps you to troubleshoot errors at the resource level as you debug deployment issues. If you want your provisioned resources to be immediately deleted if a deployment fails, select the check box.

------
#### [ Connectivity ]

   Enter specifications for how you want to connect to your instance and configure your Virtual Private Cloud (VPC). 

   **Key pair name**
   + Select an existing key pair from the dropdown list or create a new one. If you select **Create new key pair name**, you are directed to the Amazon EC2 console. From there, under **Network and Security**, choose **Key Pairs**. Choose **Create a new key pair**, enter a name for the key pair, and then choose **Download Key Pair**.
**Important**  
This is the only opportunity for you to save the private key file. Download it and save it in a safe place. You must provide the name of your key pair when you launch an instance and provide the corresponding private key each time that you connect to the instance. 

     Return to the Launch Wizard console and choose the refresh button next to the **Key Pairs** dropdown list. The newly created key pair appears in the dropdown list. For more information about key pairs, see [Amazon EC2 Key Pairs and Windows Instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html).

   **Tenancy model (HA deployments only)**

   Select your preferred tenancy. Each instance that you launch into a VPC has a tenancy attribute. The **Shared** tenancy option means that the instance runs on shared hardware. The **Dedicated Host (HA deployments)** tenancy option means that the instance runs on a Dedicated Host, which is an isolated server with configurations that you can control. For more information, see [Dedicated Hosts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html). 

   **Virtual Private Cloud (VPC)**. Choose whether you want to use an existing VPC or create a new VPC.
   + **Select Virtual Private Cloud (VPC)** option. Choose the VPC that you want to use from the dropdown list. If you choose to enable Remote Desktop Gateway access on single-node deployments, then your VPC must include one public subnet and one private subnet. It must include at least two private subnets for HA deployments. Your VPC must be associated with a [DHCP Options Set](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) to enable DNS translations to work. The private subnets must have outbound connectivity to the internet and other AWS services (S3, CFN, SSM, Logs). We recommend that you enable this connectivity with a NAT Gateway. For more information about NAT Gateways, see [NAT Gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) in the Amazon VPC User Guide.
     + **Public Subnet**. If you choose to enable Remote Desktop Gateway access on single-node deployments, then your VPC must include one public subnet and one private subnet. It must include at least two private subnets for HA deployments. Choose a public subnet for your VPC from the dropdown list. To continue, you must select the check box that indicates that the public subnet has been set up and the private subnets have outbound connectivity enabled. 

**To add a new public subnet**

       If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet. If, however, a subnet doesn't have a route to the internet gateway, the subnet is known as a private subnet. To use an existing VPC that does not have a public subnet, you can add a new public subnet using the following steps.
       + Follow the steps in [Creating a Subnet in the Amazon VPC User Guide](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Create_Subnet) using the existing VPC you intend to use AWS Launch Wizard.
       + To add an internet gateway to your VPC, follow the steps in [Attaching an Internet Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Attach_Gateway) in the Amazon VPC User Guide.
       + To configure your subnets to route internet traffic through the internet gateway, follow the steps in [Creating a Custom Route Table](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Routing) in the Amazon VPC User Guide. Use IPv4 format (0.0.0.0/0) for Destination.
       + The public subnet should have the “auto-assign public IPv4 address” setting enabled. To enable this setting, follow the steps in [Modifying the Public IPv4 Addressing Attribute for Your Subnet](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip) in the Amazon VPC User Guide.
     + **Availability Zone (AZ) configuration**. You must choose at least two Availability Zones for High Availability (HA) deployments and one Availability Zone for single-node deployments, with one private subnet for each zone that you select. For HA deployments, select the **Availability Zones** within which you want to deploy your **primary** and **secondary** SQL nodes. Depending on the number of secondary nodes that you plan to use to set up a SQL Server Always On deployment, you may have to specify a **private subnet** for each of them. Cross-Region replication is not supported. 

**To create a private subnet**

       If a subnet doesn't have a route to an internet gateway, the subnet is known as a private subnet. To create a private subnet, you can use the following steps. We recommend that you enable the outbound connectivity for each of your selected private subnets using a NAT Gateway. To enable outbound connectivity from private subnets with public subnet, see the steps in [Creating a NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) to create a NAT Gateway in your chosen public subnet. Then, follow the steps in [Updating Your Route Table ](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-create-route)for each of your chosen private subnets.
       + Follow the steps in [Creating a Subnet](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html#AddaSubnet) in the Amazon VPC User Guide using the existing VPC you will use in AWS Launch Wizard. 
       + When you create a VPC, it includes a main route table by default. On the **Route Tables** page in the Amazon VPC console, you can view the main route table for a VPC by looking for Yes in the Main column. The main route table controls the routing for all subnets that are not explicitly associated with any other route table. If the main route table for your VPC has an outbound route to an internet gateway, then any subnet created using the previous step, by default, becomes a public subnet. To ensure the subnets are private, you may need to create separate route table(s) for your private subnets. These route tables must not contain any routes to an internet gateway. Alternatively, you can create a custom route table for your public subnet and remove the internet gateway entry from the main route table.

       If you selected **Dedicated host** tenancy, you must select a Dedicated Host for each Availability Zone. If you have not allocated any dedicated hosts to your account, you can choose **Create new dedicated host** to do so from the EC2 console.
     + **Remote Desktop Gateway preferences (single-node deployments only)**. When you select **Set up Remote Desktop Gateway**, enter the public subnet into which to deploy the RDGW instance.
     + (Optional) **Remote Desktop Gateway access**. Select **Custom IP** from the dropdown list. Enter the CIDR block. If you do not specify any value for the Custom IP parameter, Launch Wizard does not set the inbound RDP access (Port 3389) from any IP. You can choose to do this later by modifying the security group settings via the Amazon EC2 console. See [Adding a Rule for Inbound RDP Traffic to a Windows Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html#add-rule-authorize-access) for instructions on adding a rule that allows inbound RDP traffic to your RDGW instance. 
   + **Create new Virtual Private Cloud (VPC)** option. Launch Wizard creates your VPC. You can optionally enter a **VPC name tag**. If you selected **Dedicated Host** tenancy for high availability deployments, select a primary and secondary Dedicated Host. If you haven't allocated any Dedicated Hosts to your account, select **Create a new dedicated host**. You will be directed to the EC2 console to create the new host.
     + **Remote Desktop Gateway preferences (single-node deployments only)**. When you select **Set up Remote Desktop Gateway**, only the Remote Desktop Gateway access information will be taken from the VPC.
     + (Optional) **Remote Desktop Gateway access**. Select **Custom IP** from the dropdown list. Enter the CIDR block. If you do not specify any value for the Custom IP parameter, Launch Wizard does not set the inbound RDP access (Port 3389) from any IP. You can choose to do this later by modifying the security group settings via the Amazon EC2 Console. See [Adding a Rule for Inbound RDP Traffic to a Windows Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html#add-rule-authorize-access) for instructions on adding a rule that allows inbound RDP traffic to your RDGW instance. 

------
#### [ Active Directory ]

   You can connect to an existing Active Directory or, for high availability deployments, you can create a new one. If you selected the **Create new Virtual Private Cloud (VPC)** option for high availability deployments, you must select **Create a new Active Directory**.

**Connecting to existing AWS Managed Active Directory or Self Managed Active Directory**

   From the dropdown list, select whether you want to use **AWS Managed Active Directory**, or **Self Managed Active Directory**. If you select **Self Managed Active Directory**, select the check box to verify that you have ensured a connection between the Active Directory and the VPC.

   Follow the steps for granting permissions in the Active Directory Default Organizational Unit (OU). 
   + **Domain user name and password**. Enter the user name and password for your directory. For required permissions for the domain user, see [Active Directory (Windows deployment)](launch-wizard-getting-started.md#launch-wizard-ad). Launch Wizard stores the password in AWS Secrets Manager as a secure string parameter. It does not store the password on the service side. To create a functional SQL Server Always On deployment, it reads from AWS Secrets Manager.
   + **DNS address**. Enter the IP address of the DNS servers to which you are connecting. These servers must be reachable from within the VPC that you selected. 
   + **Optional DNS address**. If you would like to use a backup DNS server, enter the IP address of the DNS server that you want to use as backup. These servers must be reachable from within the VPC that you selected. 
   + **Domain DNS name**. Enter the Fully Qualified Domain Name (FQDN) of the [ forest root domain ](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain) used for the Active Directory. When you choose to create a new Active Directory, Launch Wizard creates a domain admin user on your Active Directory.

**Creating a new AWS Managed Active Directory through Launch Wizard**
   + **Domain user name and password**. The domain user name is preset to “admin.” Enter a password for your directory. Launch Wizard stores the password in AWS Secrets Manager as a secure string parameter. It does not store the password on the server side. To create a functional SQL Server Always On deployment, it reads from AWS Secrets Manager.
   + **Domain DNS name**. Enter a Fully Qualified Domain Name (FQDN) of the forest root domain used for the Active Directory. When you choose to create a new Active Directory, Launch Wizard creates a domain admin user on your Active Directory.

**Connecting to a Self Managed Active Directory through Launch Wizard**  
Launch Wizard allows you to connect to a Self Managed Active Directory environment during deployment. For more information, see [Self Managed Active Directory](launch-wizard-getting-started.md#launch-wizard-ad-onprem).

------
#### [ SQL Server ]

   When you use an existing Active Directory, you have the option of using an existing SQL Server service account or creating a new account. If you create a new Active Directory account, you must create a new SQL Server account. 
   + **User name and password**. If you are using an existing SQL Server service account, provide your user name and password. This SQL Server service account should be part of the Managed Active Directory in which you are deploying. If you are creating a new SQL Server service account through Launch Wizard, enter a user name for the SQL Server service account. Create a complex password that is at least 8 characters long, and then reenter the password to verify it. See [Password Policy](https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=sql-server-2017) for more information.
   + **SQL Server install type**. Select the version of SQL Server Enterprise that you want to deploy. You can select an AMI from either the License-included AMI or Custom AMI dropdown lists.
   + **License-included AMI**. Choose an AMI for your SQL Server deployment which determines the version and edition of Windows Server and SQL Server that will be deployed.
   + (Optional) **tempdb configuration**. To improve performance, you can opt for the SQL Server tempdb system database to reside on a local NVMe SSD ephemeral storage device, also called an instance store volume. NVMe SSD instance store volumes are available only on instance types that provide these local storage devices. Additionally, only data that changes frequently should reside on these volumes; they are not intended for long-term storage. For more information, see [Amazon EC2 instance store](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html).
   + (Optional) **Additional SQL Server settings**. You can specify the following:
     + **Nodes**. Enter a **Primary SQL node name** and a **Secondary SQL node name (HA deployments only)**. 
     + **Additional secondary SQL node (HA deployments only, maximum of 5)**. Enter a secondary **Node name**, and select the **Access type**, the **Private subnet**, and the **Dedicated host**, if applicable, for the additional secondary SQL node from the dropdown lists. You can add more secondary nodes by selecting **Add additional secondary node**. 
     + (Optional, HA deployments only) **Witness node**. For improved fault tolerance, select the check box to add a file share quorum witness node.
     + **Additional naming**. Enter a **Database name**. For HA deployments, enter an **Availability group name**, a **Listener name**, and a **Windows cluster virtual network name**. 

------

1. When you are satisfied with your configuration selections, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. After configuring your application, you are prompted to define the infrastructure requirements for the new deployment on the **Define infrastructure requirements** page. The following tabs provide information about the input fields.

------
#### [ Define infrastructure requirements ]

   You can choose to select your instances and volume types, or to use AWS recommended resources. If you choose to use AWS recommended resources, you have the option of defining your high availability cluster needs. If no selections are made, default values are assigned.
   + **Number of instance cores**. Choose the number of CPU cores for your infrastructure. The default value assigned is 4. 
   + **Network performance**. Choose your preferred network performance in Gbps.
   + **Memory (GB)**. Choose the amount of RAM that you want to attach to your EC2 instances. The default value assigned is 4 GB.
   + **Type of storage drive**. Select the storage drive type for the SQL data and tempdb volumes. If you chose to place your tempdb on local storage, only the SQL data will be on the storage drive you select. The default value assigned is SSD. 
   + **SQL Server throughput**. Select the sustained SQL Server throughput that you need. 
   + **Recommended resources**. Launch Wizard displays the system-recommended resources based on your infrastructure selections. If you want to change the recommended resources, select different infrastructure requirements. 

**Infrastructure requirements based on instance type**

   You can choose to select your instance and volume type, or to use AWS recommended resources. If no selections are made, default values are assigned.
   + **Instance type**. Select your preferred instance type from the dropdown list. 
   + **Volume type**. Choose your preferred EBS volume type. For more information about volume types, see [Amazon EBS volume types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html).

**Drive letters and volume size**
   + **Drive letter**. Select the storage drive letter for **Root drive**, **Logs**, **Data**, and **Backup** volumes.
**Important**  
For custom AMIs, Launch Wizard assumes the root volume drive is `C:`.
   + **Volume size**. Select the size of the SQL Server data volume in Gb for **Root drive**, **Logs**, **Data**, and **Backup** volumes. SQL Server logs and data will be staged on the same data volume for this deployment. Make sure that you select an adequate size for the data volume.

**Note**  
For Launch Wizard deployments created after January 2023, IMDSv1 is disabled on all instances. If your software or scripts use IMDSv1, you will have to meet the requirements to use IMDSv2. For more information, see [Use IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).

------
#### [ (Optional) Tags ]

   You can provide optional custom tags for the resources Launch Wizard creates on your behalf. For example, you can set different tags for EC2 instances, EBS volumes, VPC, and subnets. If you select **All**, you can assign a common set of tags to your resources. Launch Wizard assigns tags with a fixed key `LaunchWizardResourceGroupID` and value that corresponds to the ID of the AWS resource group created for a deployment. Launch Wizard does not support custom tagging for root volumes. 

------
#### [ Estimated on-demand cost to deploy additional resources ]

   AWS Launch Wizard provides an estimate for application charges incurred to deploy the selected resources. The estimate updates each time you change a resource type in the Wizard. The provided estimates are only for general comparisons. They are based upon On-Demand costs and your actual costs may be lower. 

------

1. When you are satisfied with your infrastructure selections, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. On the **Review and deploy** page, review your configuration details. If you want to make changes, select **Previous**. To stop, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. When you choose **Deploy**, you agree to the terms of the **Acknowledgment**.

1. Launch Wizard validates the inputs and notifies you of any issues you must address. 

1. When validation is complete, Launch Wizard deploys your AWS resources and configures your SQL Server Always On application. Launch Wizard provides you with status updates about the progress of the deployment on the **Deployments** page. From the **Deployments** page, you can view the list of current and previous deployments.

1. When your deployment is ready, a notification informs you that your SQL Server application is successfully deployed. If you have set up an SNS notification, you are also alerted through SNS. You can manage and access all of the resources related to your SQL Server Always On application by selecting the deployment, and then selecting **Manage** from the **Actions** dropdown list.

1. When the SQL Server Always On application is deployed, you can access your Amazon EC2 instances through the EC2 console. You can also use [AWS SSM](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) to manage your SQL Server Always On application for future updates and patches through built-in integration via resource groups.

### Deploy SQL Failover Clustering application
<a name="deploy-console-launch-wizard-failover-clustering"></a>

The following steps guide you through a SQL Failover Clustering application deployment with AWS Launch Wizard after you have launched it from the console.

1. When you select **Workload library** from the AWS Launch Wizard landing page, you are directed to the **Workload library** wizard, where you are prompted to select the type of application that you want to deploy. Select **Microsoft SQL Server**, then **Launch new deployment**.

1. From the **Choose deployment pattern** list of available deployment patterns, choose **SQL Server Failover Clustering - Windows** and then **Configure deployment**.

1. Under **Review Permissions**, Launch Wizard displays the AWS Identity and Access Management (IAM) role required for Launch Wizard to access other AWS services on your behalf. For more information about setting up IAM for Launch Wizard, see [AWS Identity and Access Management (IAM)](launch-wizard-getting-started.md#launch-wizard-iam). Choose **Next**.

1. On the **Configure application settings** page, select the **Operating System** on which you want to install SQL Server — in this case, **Windows**.

1. **Deployment model**. Choose **High availability deployment**, and then choose **Always On Failover Cluster Instances** to deploy a SQL Server Failover Clustering (FCI) application across multiple Availability Zones.

1. You are prompted to enter the specifications for the new deployment. The following tabs provide information about the specification fields.

------
#### [ General ]
   + **Deployment name**. Enter a unique application name for your deployment.
   + (Optional) **Simple Notification Service (SNS) topic ARN**. Specify an SNS topic where AWS Launch Wizard can send notifications and alerts. For more information, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/welcome.html).
   + (Optional for HA deployments) **CloudWatch application monitoring**. Select the check box to set up monitors and automated insights for your deployment using CloudWatch Application Insights. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-application-insights.html).
   + **Enable rollback on failed deployment**. By default, if a deployment fails, your provisioned resources will not be rolled back/deleted. This default configuration helps you to troubleshoot errors at the resource level as you debug deployment issues. If you want your provisioned resources to be immediately deleted if a deployment fails, select the check box.

------
#### [ Connectivity ]

   Enter the specifications for how you want to connect to your instance and configure your Virtual Private Cloud (VPC). 

   **Key pair name**
   + Select an existing key pair from the dropdown list or create a new one. If you select **Create new key pair name**, you are directed to the Amazon EC2 console. From there, under **Network and Security**, choose **Key Pairs**. Choose **Create a new key pair**, enter a name for the key pair, and then choose **Download Key Pair**.
**Important**  
This is the only opportunity for you to save the private key file. Download it and save it in a safe place. You must provide the name of your key pair when you launch an instance and provide the corresponding private key each time that you connect to the instance. 

     Return to the Launch Wizard console and choose the refresh button next to the **Key Pairs** dropdown list. The newly created key pair appears in the dropdown list. For more information about key pairs, see [Amazon EC2 Key Pairs and Windows Instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html).

   **Tenancy model (HA deployments only)**

   Select your preferred tenancy. Each instance that you launch into a VPC has a tenancy attribute. The **Shared** tenancy option means that the instance runs on shared hardware. The **Dedicated Host (HA deployments)** tenancy option means that the instance runs on a Dedicated Host, which is an isolated server with configurations that you can control. For FCI deployments, select **Shared** tenancy.

   **Virtual Private Cloud (VPC)**. Choose whether you want to use an existing VPC or create a new VPC.
   + **Select Virtual Private Cloud (VPC)** option. Choose the VPC that you want to use from the dropdown list. If you choose to enable Remote Desktop Gateway access, then your VPC must include at least one public subnet and two private subnets for HA deployments. Your VPC must be associated with a [DHCP Options Set](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) to enable DNS translations to work. The private subnets must have outbound connectivity to the internet and other AWS services (S3, CFN, SSM, Logs). We recommend that you enable this connectivity with a NAT Gateway. For more information about NAT Gateways, see [NAT Gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) in the Amazon VPC User Guide.
     + **Public Subnet**. If you choose to enable Remote Desktop Gateway access, then your VPC must include at least one public subnet and two private subnets for HA deployments. Choose a public subnet for your VPC from the dropdown list. To continue, you must select the check box that indicates that the public subnet has been set up and the private subnets have outbound connectivity enabled. 

       If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet. If, however, a subnet doesn't have a route to the internet gateway, the subnet is known as a private subnet.

       To use an existing VPC that does not have a public subnet, you can add a new public subnet using the following steps:
       + Follow the steps in [Creating a Subnet](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Create_Subnet) in the Amazon VPC User Guide, using the existing VPC that you intend to use with AWS Launch Wizard.
       + To add an internet gateway to your VPC, follow the steps in [Attaching an Internet Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Attach_Gateway) in the Amazon VPC User Guide.
       + To configure your subnets to route internet traffic through the internet gateway, follow the steps in [Creating a Custom Route Table](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Routing) in the Amazon VPC User Guide. Use IPv4 format (0.0.0.0/0) for Destination.
       + The public subnet should have the “auto-assign public IPv4 address” setting enabled. To enable this setting, follow the steps in [Modifying the Public IPv4 Addressing Attribute for Your Subnet](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip) in the Amazon VPC User Guide.
     + **Availability Zone (AZ) configuration**. You must choose at least two Availability Zones for High Availability (HA) deployments, with one private subnet for each zone that you select. For HA deployments, select the **Availability Zones** within which you want to deploy your **primary** and **secondary** SQL nodes. Depending on the number of secondary nodes that you plan to use to set up a SQL Server Always On deployment, you may have to specify a **private subnet** for each of them. Cross-Region replication is not supported. 

**To create a private subnet**

       If a subnet doesn't have a route to an internet gateway, the subnet is known as a private subnet. To create a private subnet, you can use the following steps. We recommend that you enable outbound connectivity for each of your selected private subnets using a NAT Gateway. To enable outbound connectivity from private subnets through a public subnet, see the steps in [Creating a NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) to create a NAT Gateway in your chosen public subnet. Then, follow the steps in [Updating Your Route Table](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-create-route) for each of your chosen private subnets.
       + Follow the steps in [Creating a Subnet](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html#AddaSubnet) in the Amazon VPC User Guide using the existing VPC you will use in AWS Launch Wizard. 
       + When you create a VPC, it includes a main route table by default. On the **Route Tables** page in the Amazon VPC console, you can view the main route table for a VPC by looking for Yes in the Main column. The main route table controls the routing for all subnets that are not explicitly associated with any other route table. If the main route table for your VPC has an outbound route to an internet gateway, then any subnet created using the previous step, by default, becomes a public subnet. To ensure the subnets are private, you may need to create separate route table(s) for your private subnets. These route tables must not contain any routes to an internet gateway. Alternatively, you can create a custom route table for your public subnet and remove the internet gateway entry from the main route table.
     + **Remote Desktop Gateway preferences**. When you select **Set up Remote Desktop Gateway**, enter the public subnet into which to deploy the RDGW instance.
     + (Optional) **Remote Desktop Gateway access**. Select **Custom IP** from the dropdown list. Enter the CIDR block. If you do not specify any value for the Custom IP parameter, Launch Wizard does not set the inbound RDP access (Port 3389) from any IP. You can choose to do this later by modifying the security group settings via the Amazon EC2 console. See [Adding a Rule for Inbound RDP Traffic to a Windows Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html#add-rule-authorize-access) for instructions on adding a rule that allows inbound RDP traffic to your RDGW instance. 
   + **Create new Virtual Private Cloud (VPC)** option. Launch Wizard creates your VPC. You can optionally enter a **VPC name tag**. 
     + **Remote Desktop Gateway preferences**. When you select **Set up Remote Desktop Gateway**, only the Remote Desktop Gateway access information will be taken from the VPC.
     + (Optional) **Remote Desktop Gateway access**. Select **Custom IP** from the dropdown list. Enter the CIDR block. If you do not specify any value for the Custom IP parameter, Launch Wizard does not set the inbound RDP access (Port 3389) from any IP. You can choose to do this later by modifying the security group settings via the Amazon EC2 Console. See [Adding a Rule for Inbound RDP Traffic to a Windows Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html#add-rule-authorize-access) for instructions on adding a rule that allows inbound RDP traffic to your RDGW instance. 
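The subnet layout this tab asks for (a public subnet with an internet gateway route and auto-assign public IPv4 enabled, private subnets that reach the internet only through a NAT gateway, the main route table fallback that silently turns unassociated subnets public, and private subnets in at least two Availability Zones) and the **Custom IP** value for Remote Desktop Gateway access can both be checked before you open the wizard. The following Python module is an added example, not code from the Launch Wizard documentation or from the service itself. Its route-table and subnet records are constructed sample data shaped like the EC2 `DescribeRouteTables` and `DescribeSubnets` responses; every VPC, subnet and gateway ID is a placeholder, and `203.0.113.0/24` is a documentation range standing in for an office or VPN egress block.

```python
"""Pre-flight checks for the Launch Wizard connectivity tab.

Added example, not part of the Launch Wizard documentation or service.
The records below are constructed sample data shaped like the EC2
DescribeRouteTables and DescribeSubnets responses; all IDs are placeholders.
"""
import ipaddress

PUBLIC, PRIVATE, ISOLATED = "public", "private", "isolated"

# Constructed: the main table carries an internet-gateway route, so any subnet
# without an explicit association inherits it and becomes public by default.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main-placeholder",
     "Associations": [{"Main": True}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder", "State": "active"}]},
    {"RouteTableId": "rtb-private-placeholder",
     "Associations": [{"Main": False, "SubnetId": "subnet-priv-a"},
                      {"Main": False, "SubnetId": "subnet-priv-b"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder", "State": "active"}]},
    {"RouteTableId": "rtb-isolated-placeholder",
     "Associations": [{"Main": False, "SubnetId": "subnet-priv-c"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]

SUBNETS = [  # constructed sample data
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-priv-c", "AvailabilityZone": "us-east-1c", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-unassoc", "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False},
]


def effective_route_table(subnet_id, route_tables):
    """A subnet uses the table it is explicitly associated with; otherwise
    routing falls back to the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError("VPC has no main route table")
    return main


def classify_subnet(subnet_id, route_tables=ROUTE_TABLES):
    """public: active default route to an igw-; private: default route to a
    nat- gateway; isolated: no usable default route at all."""
    for route in effective_route_table(subnet_id, route_tables).get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue  # blackhole route (e.g. NAT gateway deleted) gives no egress
        if route.get("GatewayId", "").startswith("igw-"):
            return PUBLIC
        if route.get("NatGatewayId", "").startswith("nat-"):
            return PRIVATE
    return ISOLATED


def check_ha_layout(public_subnet, private_subnets, subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """Return a list of problems with the chosen subnets; an empty list means
    the layout matches what the HA connectivity tab asks for."""
    by_id = {s["SubnetId"]: s for s in subnets}
    problems = []
    if classify_subnet(public_subnet, route_tables) != PUBLIC:
        problems.append(f"{public_subnet}: no active 0.0.0.0/0 route to an internet gateway")
    if not by_id[public_subnet]["MapPublicIpOnLaunch"]:
        problems.append(f"{public_subnet}: auto-assign public IPv4 address is disabled")
    for sid in private_subnets:
        kind = classify_subnet(sid, route_tables)
        if kind == PUBLIC:
            problems.append(f"{sid}: has an internet gateway route, so it is public (check the main route table)")
        elif kind == ISOLATED:
            problems.append(f"{sid}: no NAT gateway route, so no outbound access to S3, CloudFormation, SSM or Logs")
    if len({by_id[sid]["AvailabilityZone"] for sid in private_subnets}) < 2:
        problems.append("HA deployments need private subnets in at least two Availability Zones")
    return problems


def check_rdp_cidr(cidr):
    """Validate the Custom IP value for Remote Desktop Gateway access.
    Returns None when acceptable, otherwise the reason it should not be used."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as err:
        return f"{cidr!r} is not a valid CIDR block: {err}"
    if net.version != 4:
        return f"{cidr}: the RDP rule expects an IPv4 CIDR block"
    if net.prefixlen == 0:
        return f"{cidr}: would open TCP 3389 on the gateway to every address; use your office or VPN egress range"
    return None


if __name__ == "__main__":
    for sid in ("subnet-pub-a", "subnet-priv-a", "subnet-priv-c", "subnet-unassoc"):
        print(sid, classify_subnet(sid))
    print(check_ha_layout("subnet-pub-a", ["subnet-priv-a", "subnet-unassoc"]))
    print(check_rdp_cidr("0.0.0.0/0"))
```

`subnet-unassoc` is the case the private-subnet steps warn about: it has no explicit route table association, so it inherits the main table's internet gateway route and is reported as public even though it was meant to be private. To run the checks against a real account, replace `ROUTE_TABLES` and `SUBNETS` with the `RouteTables` and `Subnets` lists returned by the EC2 API for your VPC.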

------
#### [ Active Directory ]

   You can connect to an existing Active Directory or create a new one. If you selected the **Create new Virtual Private Cloud (VPC)** option for high availability deployments, you must select **Create a new Active Directory**.

**Connecting to existing AWS Managed Active Directory or Self Managed Active Directory**

   From the dropdown list, select whether you want to use **AWS Managed Active Directory**, or **Self Managed Active Directory**. If you select **Self Managed Active Directory**, select the check box to verify that you have ensured a connection between the Active Directory and the VPC.

   Follow the steps for granting permissions in the Active Directory Default Organizational Unit (OU). 
   + **Domain user name and password**. Enter the user name and password for your directory. For required permissions for the domain user, see [Active Directory (Windows)](launch-wizard-getting-started.md#launch-wizard-ad). Launch Wizard stores the password in AWS Secrets Manager as a secure string parameter. It does not store the password on the service side. To create a functional SQL Server FCI deployment, Launch Wizard reads from AWS Secrets Manager.
   + **DNS address**. Enter the IP address of the DNS server to which you are connecting. This server must be reachable from within the VPC that you selected. 
   + **Optional DNS address**. If you would like to use a backup DNS server, enter the IP address of the DNS server that you want to use as backup. This server must also be reachable from within the VPC that you selected. 
   + **Domain DNS name**. Enter the Fully Qualified Domain Name (FQDN) of the [forest root domain](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain) used for the Active Directory. When you choose to create a new Active Directory, Launch Wizard creates a domain admin user on your Active Directory.
   + (Optional) **Domain User security group**. To specify an existing security group, select one from the dropdown list. The prerequisites for adding security groups can be viewed by selecting **Info**.

**Creating a new AWS Managed Active Directory through Launch Wizard**
   + **Domain user name and password**. The domain user name is preset to “admin.” Enter a password for your directory. Launch Wizard stores the password in AWS Secrets Manager as a secure string parameter. It does not store the password on the server side. To create a functional SQL Server FCI deployment, Launch Wizard reads from AWS Secrets Manager.
   + **Domain DNS name**. Enter a Fully Qualified Domain Name (FQDN) of the forest root domain used for the Active Directory. When you choose to create a new Active Directory, Launch Wizard creates a domain admin user on your Active Directory.

**Connecting to a Self Managed Active Directory through Launch Wizard**  
Launch Wizard allows you to connect to a Self Managed Active Directory environment during deployment. For more information, see [Self Managed Active Directory](launch-wizard-getting-started.md#launch-wizard-ad-onprem).

------
#### [ SQL Server ]

   When you use an existing Active Directory, you have the option of using an existing SQL Server service account or creating a new account. If you create a new Active Directory account, you must create a new SQL Server account. 
   + **User name and password**. If you are using an existing SQL Server service account, provide your user name and password. This SQL Server service account should be part of the Managed Active Directory in which you are deploying. If you are creating a new SQL Server service account through Launch Wizard, enter a user name for the SQL Server service account. Create a complex password that is at least 8 characters long, and then reenter the password to verify it. See [Password Policy](https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=sql-server-2017) for more information.
   + **SQL Server install type**. Select the version of SQL Server Enterprise that you want to deploy. You can select an AMI from either the License-included AMI or Custom AMI dropdown lists.
   + **License-included AMI**. Choose an AMI for your SQL Server deployment which determines the version and edition of Windows Server and SQL Server that will be deployed.
   + (Optional) **Additional SQL Server settings**. You can optionally specify the following:
     + **Nodes**. Enter a **Primary SQL node name** and a **Secondary SQL node name**. 
     + **Additional naming**. Enter a **SQL Server virtual network name** and a **Windows cluster virtual network name**. 

------

1. When you are satisfied with your configuration selections, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. After configuring your application, you are prompted to define the infrastructure requirements for the new deployment on the **Define infrastructure requirements** page. The following tabs provide information about the input fields.

------
#### [ Define infrastructure requirements ]

   You can choose to select your instances and volume types, or to use AWS recommended resources. If you choose to use AWS recommended resources, you have the option of defining your high availability cluster needs. If no selections are made, default values are assigned.

   **Instances**
   + **Cores**. Choose the number of CPU cores for your infrastructure. The default value assigned is 4. 
   + **Network performance**. Choose your preferred network performance in Gbps.
   + **Memory (GB)**. Choose the amount of RAM that you want to attach to your EC2 instances. The default value assigned is 4 GB.

   **Storage and performance**
   + **Type of storage drive**. The default value assigned is SSD for FCI application deployments.
   + **Average and peak IOPS**. Select the average and peak IOPS required for your FSx share.
   + **Allocated storage space**. Select the amount of storage required for your FSx drive.
   + **Recommended resources**. Launch Wizard displays the system-recommended resources based on your infrastructure selections. If you want to change the recommended resources, select different infrastructure requirements. 

**Infrastructure requirements based on instance type**

   You can choose to select your instance and storage capacity, or to use AWS recommended resources. If no selections are made, default values are assigned.
   + **Instance type**. Select your preferred instance type from the dropdown list. 
   + **Storage capacity**. Choose your preferred EBS volume type. For more information about volume types, see [Amazon EBS volume types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html).
   + **Throughput capacity**. Select the required sustained SQL Server throughput.

**Note**  
For Launch Wizard deployments created after January 2023, IMDSv1 is disabled on all instances. If your software or scripts use IMDSv1, you will have to meet the requirements to use IMDSv2. For more information, see [Use IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).
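The IMDSv2 notes for the Always On and FCI deployment patterns make the same point: on instances Launch Wizard creates after January 2023, any script that reads instance metadata must first obtain a session token and present it on each request, because the token-less IMDSv1 request is refused. The following Python snippet is an added example, not code from the Launch Wizard documentation or from the service; it shows the two-step IMDSv2 flow beside the IMDSv1-style call, and what each gets back. `SimulatedImds` is a constructed, offline stand-in for the metadata endpoint so the module runs anywhere, and the instance ID it serves is made up; on a real instance pass `urllib.request.urlopen` as the `opener` instead.

```python
"""IMDSv2 token flow beside the IMDSv1-style request that Launch Wizard
instances refuse.

Added example, not from the Launch Wizard documentation or service; uses only
the standard library. SimulatedImds is a constructed offline stand-in for the
metadata endpoint; on a real instance pass urllib.request.urlopen as opener.
"""
import io
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254/latest"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"


def token_request(ttl_seconds=21600):
    """Step 1 of IMDSv2: a PUT that returns a session token (TTL <= 21600 s)."""
    return urllib.request.Request(f"{IMDS_BASE}/api/token", method="PUT",
                                  headers={TTL_HEADER: str(ttl_seconds)})


def metadata_request(path, token=None):
    """Step 2: a GET for a metadata path. With a token this is an IMDSv2 call;
    without one it is the IMDSv1 style that a token-required instance rejects."""
    headers = {TOKEN_HEADER: token} if token else {}
    return urllib.request.Request(f"{IMDS_BASE}/meta-data/{path}", headers=headers)


def get_metadata(path, opener=urllib.request.urlopen, ttl_seconds=21600):
    """Full IMDSv2 flow: obtain a token, then use it on the metadata GET."""
    with opener(token_request(ttl_seconds), timeout=2) as resp:
        token = resp.read().decode()
    with opener(metadata_request(path, token), timeout=2) as resp:
        return resp.read().decode()


def get_metadata_v1(path, opener=urllib.request.urlopen):
    """IMDSv1-style call with no token. Returns None when the endpoint answers
    401, which is what scripts written for IMDSv1 see on these instances."""
    try:
        with opener(metadata_request(path), timeout=2) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return None
        raise


class _Response(io.BytesIO):
    """Minimal file-like response so the simulator works inside 'with'."""
    def __init__(self, text):
        super().__init__(text.encode())


class SimulatedImds:
    """Constructed stand-in for an instance with HttpTokens=required: any GET
    that lacks a token issued by this endpoint gets HTTP 401."""
    def __init__(self, data):
        self.data = data          # constructed metadata values
        self.tokens = set()

    def __call__(self, req, timeout=None):
        url = req.full_url
        if req.get_method() == "PUT" and url.endswith("/api/token"):
            token = f"constructed-token-{len(self.tokens)}"
            self.tokens.add(token)
            return _Response(token)
        if req.get_header(TOKEN_HEADER) not in self.tokens:
            raise urllib.error.HTTPError(url, 401, "Unauthorized", {}, None)
        key = url.rsplit("/meta-data/", 1)[1]
        if key not in self.data:
            raise urllib.error.HTTPError(url, 404, "Not Found", {}, None)
        return _Response(self.data[key])


if __name__ == "__main__":
    imds = SimulatedImds({"instance-id": "i-0123456789abcdef0"})  # constructed value
    print("IMDSv1-style:", get_metadata_v1("instance-id", opener=imds))
    print("IMDSv2:", get_metadata("instance-id", opener=imds))
```

The token request is a `PUT`, not a `GET`, and the TTL header is mandatory; a script that only changes its `GET` to include a stale or missing token still fails with 401. Reuse one token for the whole run of a script rather than requesting a new one per call, and treat the 401 branch in `get_metadata_v1` as the signal that a legacy script needs porting rather than something to retry.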

------
#### [ Tags-Optional ]

   You can provide optional custom tags for the resources Launch Wizard creates on your behalf. For example, you can set different tags for EC2 instances, EBS volumes, VPC, and subnets. If you select **All**, you can assign a common set of tags to your resources. Launch Wizard assigns tags with a fixed key `LaunchWizardResourceGroupID` and value that corresponds to the ID of the AWS resource group created for a deployment. Launch Wizard does not support custom tagging for root volumes. 

------
#### [ Estimated on-demand cost to deploy additional resources ]

   AWS Launch Wizard provides an estimate for application charges incurred to deploy the selected resources. The estimate updates each time you change a resource type in the Wizard. The provided estimates are only for general comparisons. They are based upon On-Demand costs and your actual costs may be lower. 

------

1. When you are satisfied with your infrastructure selections, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. On the **Review and deploy** page, review your configuration details. If you want to make changes, select **Previous**. To stop, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. When you choose **Deploy**, you agree to the terms of the **Acknowledgment**.

1. Launch Wizard validates the inputs and notifies you of any issues you must address. 

1. When validation is complete, Launch Wizard deploys your AWS resources and configures your SQL Server FCI application. Launch Wizard provides you with status updates about the progress of the deployment on the **Deployments** page. From the **Deployments** page, you can view the list of current and previous deployments.

1. When your deployment is ready, a notification informs you that your SQL Server application is successfully deployed. If you have set up an SNS notification, you are also alerted through SNS. You can manage and access all of the resources related to your SQL Server FCI application by selecting the deployment, and then selecting **Manage** from the **Actions** dropdown list.

1. When the SQL Server FCI application is deployed, you can access your Amazon EC2 instances through the EC2 console. You can also use [AWS SSM](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) to manage your SQL Server FCI application for future updates and patches through built-in integration via resource groups.

### Deploy SQL Server Developer Edition application
<a name="deploy-console-launch-wizard-dev-edition"></a>

The following steps guide you through a SQL Server Developer Edition application deployment with AWS Launch Wizard after you have launched it from the console.

1. When you select **Workload library** from the AWS Launch Wizard landing page, you are directed to the **Workload library** wizard, where you are prompted to select the type of application that you want to deploy. Select **Microsoft SQL Server**, then **Launch new deployment**.

1. From the **Choose deployment pattern** list of available deployment patterns, choose **SQL Server Developer Edition - Single Node - Windows** and then **Configure deployment**.

1. Under **Review Permissions**, Launch Wizard displays the AWS Identity and Access Management (IAM) role required for Launch Wizard to access other AWS services on your behalf. For more information about setting up IAM for Launch Wizard, see [AWS Identity and Access Management (IAM)](launch-wizard-getting-started.md#launch-wizard-iam). Choose **Next**.

1. On the **Configure application settings** page, you are prompted to enter the specifications for the new deployment. The following tabs provide information about the specification fields.

------
#### [ General ]
   + **Deployment name**. Enter a unique application name for your deployment.
   + **CloudWatch application monitoring**. Select the check box to set up monitors and automated insights for your deployment using CloudWatch Application Insights. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-application-insights.html).
   + **Enable rollback on failed deployment**. By default, if a deployment fails, your provisioned resources will not be rolled back/deleted. This default configuration helps you to troubleshoot errors at the resource level as you debug deployment issues. If you want your provisioned resources to be immediately deleted if a deployment fails, select the check box.
   + **AWS Service Catalog product creation**. Select the check box to export the CloudFormation template to create AWS Service Catalog for this deployment. When enabled, you must specify an S3 bucket location to store the CloudFormation templates and application configuration scripts for Service Catalog. You can select an existing bucket or create a new one using the provided link.
   + (Optional) **Amazon Simple Notification Service (SNS) topic ARN**. Specify an SNS topic where AWS Launch Wizard can send notifications and alerts. For more information, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/welcome.html).

------
#### [ Connectivity ]

   Enter specifications for how you want to connect to your instance and configure your Virtual Private Cloud (VPC).

   **Key pair name**
   + Select an existing key pair from the dropdown list or create a new one. If you select **Create new key pair name**, you are directed to the Amazon EC2 console. From there, under **Network and Security**, choose **Key Pairs**. Choose **Create a new key pair**, enter a name for the key pair, and then choose **Download Key Pair**.
**Important**  
This is the only opportunity for you to save the private key file. Download it and save it in a safe place. You must provide the name of your key pair when you launch an instance and provide the corresponding private key each time that you connect to the instance.

     Return to the Launch Wizard console and choose the refresh button next to the **Key Pairs** dropdown list. The newly created key pair appears in the dropdown list. For more information about key pairs, see [Amazon EC2 Key Pairs and Windows Instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html).

   **Virtual Private Cloud (VPC)**. Choose whether you want to use an existing VPC or create a new VPC.
   + **Select Virtual Private Cloud (VPC)** option. Choose the VPC that you want to use from the dropdown list. If you choose to enable Remote Desktop Gateway access, then your VPC must include one public subnet and one private subnet. Your VPC must be associated with a [DHCP Options Set](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) so that DNS resolution works. The private subnets must have outbound connectivity to the internet and other AWS services (S3, CFN, SSM, Logs). We recommend that you enable this connectivity with a NAT Gateway. For more information about NAT Gateways, see [NAT Gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) in the Amazon VPC User Guide.
     + **Public Subnet**. If you choose to enable Remote Desktop Gateway access, then your VPC must include one public subnet and one private subnet. Choose a public subnet for your VPC from the dropdown list. To continue, you must select the check box that indicates that the public subnet has been set up and the private subnet has outbound connectivity enabled. 

       If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet. If, however, a subnet doesn't have a route to the internet gateway, the subnet is known as a private subnet.

       To use an existing VPC that does not have a public subnet, you can add a new public subnet using the following steps:
       + Follow the steps in [Creating a Subnet in the Amazon VPC User Guide](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Create_Subnet) using the existing VPC you intend to use for AWS Launch Wizard.
       + To add an internet gateway to your VPC, follow the steps in [Attaching an Internet Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Attach_Gateway) in the Amazon VPC User Guide.
       + To configure your subnets to route internet traffic through the internet gateway, follow the steps in [Creating a Custom Route Table](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Routing) in the Amazon VPC User Guide. Use IPv4 format (0.0.0.0/0) for Destination.
       + The public subnet should have the “auto-assign public IPv4 address” setting enabled. To enable this setting, follow the steps in [Modifying the Public IPv4 Addressing Attribute for Your Subnet](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip) in the Amazon VPC User Guide.
     + **Availability Zone (AZ) configuration**. You must choose an Availability Zone and a private subnet for that zone. Cross-Region replication is not supported. 

       If a subnet doesn't have a route to an internet gateway, the subnet is known as a private subnet. To create a private subnet, you can use the following steps. We recommend that you enable the outbound connectivity for your selected private subnet using a NAT Gateway.

       To enable outbound connectivity from the selected private subnet through a public subnet, see the steps in [Creating a NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) to create a NAT Gateway in your chosen public subnet.

       Then, follow the steps in [Updating Your Route Table](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-create-route) for your chosen private subnet.
       + Follow the steps in [Creating a Subnet](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html#AddaSubnet) in the Amazon VPC User Guide using the existing VPC you will use in AWS Launch Wizard. 
       + When you create a VPC, it includes a main route table by default. On the **Route Tables** page in the Amazon VPC console, you can view the main route table for a VPC by looking for Yes in the Main column. The main route table controls the routing for all subnets that are not explicitly associated with any other route table. If the main route table for your VPC has an outbound route to an internet gateway, then any subnet created using the previous step, by default, becomes a public subnet. To ensure the subnets are private, you may need to create separate route table(s) for your private subnets. These route tables must not contain any routes to an internet gateway. Alternatively, you can create a custom route table for your public subnet and remove the internet gateway entry from the main route table.
     + **Remote Desktop Gateway preferences (single-node deployments only)**. When you select **Set up Remote Desktop Gateway**, enter the public subnet into which to deploy the RDGW instance.
     + (Optional) **Remote Desktop Gateway access**. Select **Custom IP** from the dropdown list. Enter the CIDR block. If you do not specify any value for the Custom IP parameter, Launch Wizard does not set the inbound RDP access (Port 3389) from any IP. You can choose to do this later by modifying the security group settings via the Amazon EC2 console. See [Adding a Rule for Inbound RDP Traffic to a Windows Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html#add-rule-authorize-access) for instructions on adding a rule that allows inbound RDP traffic to your RDGW instance. 
   + **Create new Virtual Private Cloud (VPC)** option. Launch Wizard creates your VPC. You can optionally enter a **VPC name tag**.
     + **Remote Desktop Gateway preferences**. When you select **Set up Remote Desktop Gateway**, only the Remote Desktop Gateway access information will be taken from the VPC.
     + (Optional) **Remote Desktop Gateway access**. Select **Custom IP** from the dropdown list. Enter the CIDR block. If you do not specify any value for the Custom IP parameter, Launch Wizard does not set the inbound RDP access (Port 3389) from any IP. You can choose to do this later by modifying the security group settings via the Amazon EC2 Console. See [Adding a Rule for Inbound RDP Traffic to a Windows Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html#add-rule-authorize-access) for instructions on adding a rule that allows inbound RDP traffic to your RDGW instance. 
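
The **Remote Desktop Gateway access** CIDR above is what ends up as the inbound TCP 3389 rule on the RDGW security group, and the page notes that the rule can also be edited later in the EC2 console. The following is an added example (not code from the AWS Launch Wizard documentation) of the audit a practitioner would run afterwards: it walks a security group's inbound rules and reports every source range that can reach RDP, flagging `0.0.0.0/0` and `::/0` as open and anything wider than a /24 as broad. The group id, name and rules are constructed test data laid out like the `IpPermissions` list returned by the EC2 `DescribeSecurityGroups` API; the /24 threshold is an assumption, not a value from the page.

```python
"""Report inbound rules that expose RDP (TCP 3389) on an RDGW security group.

Added example, not part of the AWS Launch Wizard documentation. SAMPLE_GROUP is
constructed to resemble one entry of the EC2 DescribeSecurityGroups response;
no AWS API calls are made.
"""
import ipaddress

RDP_PORT = 3389

# Constructed sample: one RDGW security group with three inbound rules.
SAMPLE_GROUP = {
    "GroupId": "sg-0placeholder",                 # placeholder, not a real group id
    "GroupName": "launchwizard-rdgw-example",
    "IpPermissions": [
        # Rule 1: RDP from a single corporate /24 (what the Custom IP field produces)
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        # Rule 2: RDP from anywhere (a later manual edit that should be caught)
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # Rule 3: all protocols from the VPC range, which implicitly includes 3389
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits `port` over TCP (or all protocols)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                 # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def rdp_findings(group, port=RDP_PORT, min_prefixlen=24):
    """Return (cidr, severity) for every source range that can reach `port`.

    severity is "open" for the unrestricted ranges 0.0.0.0/0 and ::/0,
    "broad" for IPv4 ranges larger than /min_prefixlen (assumed threshold),
    and "ok" otherwise.
    """
    findings = []
    for perm in group.get("IpPermissions", []):
        if not rule_covers_port(perm, port):
            continue
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in ranges:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                severity = "open"
            elif net.version == 4 and net.prefixlen < min_prefixlen:
                severity = "broad"
            else:
                severity = "ok"
            findings.append((cidr, severity))
    return findings


def has_open_rdp(group):
    """True if any source range is completely unrestricted for RDP."""
    return any(sev == "open" for _, sev in rdp_findings(group))


if __name__ == "__main__":
    for cidr, severity in rdp_findings(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP['GroupId']}: 3389 reachable from {cidr} [{severity}]")
```

The same functions work on live data if you feed them the `SecurityGroups` entries returned by `describe-security-groups`; the `"-1"` protocol case matters because an "all traffic" rule does not mention port 3389 explicitly but still admits it.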

------
#### [ (Optional) Active Directory ]

   SQL Server Developer Edition can be deployed with or without Active Directory integration. To enable Active Directory with the SQL Server Developer Edition Single Node deployment, set the **Enable Active Directory** toggle to on.

   You can connect to an existing Active Directory or, when creating a new VPC, you can create a new one. If you selected the **Create new Virtual Private Cloud (VPC)** option and want to enable Active Directory, you must select **Create a new Active Directory**.

**Connecting to existing AWS Managed Active Directory or Self Managed Active Directory**

   From the dropdown list, select whether you want to use **AWS Managed Active Directory**, or **Self Managed Active Directory**. If you select **Self Managed Active Directory**, select the check box to verify that you have ensured a connection between the Active Directory and the VPC.

   Follow the steps for granting permissions in the Active Directory. 
   + **Domain user name and password**. Enter the user name and password for your directory. For the permissions required for the domain user, see [Active Directory (Windows deployment)](launch-wizard-getting-started.md#launch-wizard-ad). Launch Wizard stores the password in AWS Secrets Manager as a secure string parameter. It does not store the password on the service side. To create a functional SQL Server Developer Edition deployment, it reads the password from AWS Secrets Manager.
   + **DNS address**. Enter the IP address of the DNS servers to which you are connecting. These servers must be reachable from within the VPC that you selected. 
   + **Optional DNS address**. If you would like to use a backup DNS server, enter the IP address of the DNS server that you want to use as backup. These servers must be reachable from within the VPC that you selected. 
   + **Domain DNS name**. Enter the Fully Qualified Domain Name (FQDN) of the [ forest root domain ](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain) used for the Active Directory. When you choose to create a new Active Directory, Launch Wizard creates a domain admin user on your Active Directory.
   + (Optional) **Organization Unit (OU) Path**. Specify the distinguished name of the Organizational Unit (OU) in which the deployment joins the Active Directory. For example: `OU=org,DC=example,DC=com`

**Creating a new AWS Managed Active Directory through Launch Wizard**
   + **Domain user name and password**. The domain user name is preset to “admin.” Enter a password for your directory. Launch Wizard stores the password in AWS Secrets Manager as a secure string parameter. It does not store the password on the server side. To create a functional SQL Server Developer Edition deployment, it reads from AWS Secrets Manager.
   + **Domain DNS name**. Enter a Fully Qualified Domain Name (FQDN) of the forest root domain used for the Active Directory. When you choose to create a new Active Directory, Launch Wizard creates a domain admin user on your Active Directory.
   + (Optional) **Organization Unit (OU) Path**. Specify the distinguished name of the Organizational Unit (OU) in which the deployment joins the Active Directory. For example: `OU=org,DC=example,DC=com`


**Connecting to a Self Managed Active Directory through Launch Wizard**  
Launch Wizard allows you to connect to a Self Managed Active Directory environment during deployment. For more information, see [Self Managed Active Directory](launch-wizard-getting-started.md#launch-wizard-ad-onprem).

------
#### [ SQL Server configuration ]

   When you use an existing Active Directory (if Active Directory is enabled), you have the option of using an existing SQL Server service account or creating a new account. If you create a new Active Directory account, you must create a new SQL Server account. If Active Directory is disabled, skip this section and SQL Server authentication will be configured.
   + **User name and password**. If you are using an existing SQL Server service account, provide your user name and password. This SQL Server service account should be part of the Managed Active Directory in which you are deploying. If you are creating a new SQL Server service account through Launch Wizard, enter a user name for the SQL Server service account. Create a complex password that is at least 8 characters long, and then reenter the password to verify it. See [Password Policy](https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=sql-server-2017) for more information.
   + **SQL Server install type**. Select the version of SQL Server that you want to deploy. You can select an AMI from either the License-included AMI or Custom AMI dropdown lists.
   + **License-included AMI**. Choose an AMI for your SQL Server deployment, which determines the version and edition of Windows Server that will be deployed. Available options include:
     + Windows Server 2022: Full-base AMI with Windows Server 2022
     + Windows Server 2025: Full-base AMI with Windows Server 2025
   + (Optional) **tempdb configuration**. To improve performance, you can opt for the SQL Server tempdb system database to reside on a local NVMe SSD ephemeral storage device, also called an instance store volume. NVMe SSD instance store volumes are available only on instance types that provide these local storage devices. Data on an instance store volume does not persist when the instance stops or terminates, so only data that changes frequently and can be recreated, such as tempdb, should ever reside on these volumes; they are not intended to store data long-term. For more information, see [Amazon EC2 instance store](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html).
   + (Optional) **Additional SQL Server settings**. You can specify the following:
     + **Node name**. Enter a **SQL node name** for the single instance deployment.

------

1. When you are satisfied with your configuration selections, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. After configuring your application, you are prompted to define the infrastructure requirements for the new deployment on the **Configure infrastructure settings** page. The following tabs provide information about the input fields.

------
#### [ Define SQL Server Developer Edition settings ]

   Configure the SQL Server Developer Edition software settings including version selection, license agreement, and installation media source. You must accept the Microsoft EULA and provide installation media either through S3 or a direct download URL.
   + **SQL Server Developer Edition Version —** Select the version of SQL Server Developer Edition you want to install:
     + SQL Server 2022 Developer Edition
   + **Microsoft EULA Agreement —** You must review and agree to the license terms for the Microsoft software you are providing to AWS Launch Wizard. This is a mandatory requirement and the deployment cannot proceed without acceptance.
   + **Installation method —** Choose how you want to provide the SQL Server Developer Edition installation media.
     + *Bring Your Own Media*
       + Provide the SQL Server Developer Edition installation media to be used for the installation.
       + Select the S3 bucket that starts with "launchwizard" (e.g., launchwizard-sql-media-bucket) containing your SQL Server installation files.
     + *Bring Your Own URL*

       Launch Wizard will download the SQL Server Developer Edition installation media from a customer provided public URL.

------
#### [ Define compute and storage requirements ]

   You can choose to select your instances and volume types, or to use AWS recommended resources. If you choose to use AWS recommended resources, you have the option of defining your infrastructure needs. If no selections are made, default values are assigned.
   + **Number of instance cores**. Choose the number of CPU cores for your infrastructure. The default value assigned is 4. 
   + **Network performance**. Choose your preferred network performance in Gbps.
   + **Memory (GB)**. Choose the amount of RAM that you want to attach to your EC2 instance. The default value assigned is 4 GB.
   + **Type of storage drive**. Select the storage drive type for the SQL data and tempdb volumes. If you chose to place your tempdb on local storage, only the SQL data will be on the storage drive you select. The default value assigned is SSD. 
   + **SQL Server throughput**. Select the sustained SQL Server throughput that you need. 
   + **Recommended resources**. Launch Wizard displays the system-recommended resources based on your infrastructure selections. If you want to change the recommended resources, select different infrastructure requirements. 

**Infrastructure requirements based on instance type**

   You can choose to select your instance and volume type, or to use AWS recommended resources. If no selections are made, default values are assigned.
   + **Instance type**. Select your preferred instance type from the dropdown list. 
   + **Volume type**. Choose your preferred EBS volume type. For more information about volume types, see [Amazon EBS volume types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html).

**Drive letters and volume size**
   + **Drive letter**. Select the storage drive letter for **Root drive**, **Logs**, **Data**, and **Backup** volumes.
**Important**  
For custom AMIs, Launch Wizard assumes the root volume drive is `C:`.
   + **Volume size**. Select the size of the SQL Server data volume in GB for **Root drive**, **Logs**, **Data**, and **Backup** volumes. SQL Server logs and data will be staged on the same data volume for this deployment. Make sure that you select an adequate size for the data volume.

**Note**  
For Launch Wizard deployments created after January 2023, IMDSv1 is disabled on all instances. If your software or scripts use IMDSv1, you will have to meet the requirements to use IMDSv2. For more information, see [Use IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).
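
What "meet the requirements to use IMDSv2" means in practice is that a metadata client must first obtain a session token with a `PUT` to `/latest/api/token` (carrying a TTL header of 1 to 21600 seconds) and then send that token on every `GET`; a plain `GET` with no token is the IMDSv1 pattern and is refused once IMDSv1 is disabled. The following is an added example, not code from the AWS Launch Wizard documentation, that implements that handshake. The transport is injectable so the exchange can be exercised offline; `FakeImds` is a constructed stand-in for the metadata service, and the instance id and region it returns are made-up values.

```python
"""Read EC2 instance metadata with IMDSv2, the only mode that works once
IMDSv1 is disabled on the instance.

Added example, not part of the AWS Launch Wizard documentation. The default
transport talks to the real endpoint 169.254.169.254 with urllib; FakeImds is a
constructed offline stand-in used for demonstration and tests.
"""
import urllib.request

IMDS_BASE = "http://169.254.169.254"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
MAX_TTL = 21600  # six hours, the upper bound the service accepts


def urllib_send(method, url, headers, timeout=2):
    """Default transport: perform the HTTP request and return the body as text."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def fetch_imds_token(ttl_seconds=MAX_TTL, send=urllib_send):
    """Step 1 of IMDSv2: PUT /latest/api/token with a TTL header, get a token back."""
    if not 1 <= ttl_seconds <= MAX_TTL:
        raise ValueError(f"IMDSv2 token TTL must be between 1 and {MAX_TTL} seconds")
    return send("PUT", f"{IMDS_BASE}/latest/api/token",
                {TOKEN_TTL_HEADER: str(ttl_seconds)})


def imds_get(path, token, send=urllib_send):
    """Step 2: GET a metadata path (e.g. 'meta-data/instance-id') with the token attached."""
    return send("GET", f"{IMDS_BASE}/latest/{path.lstrip('/')}",
                {TOKEN_HEADER: token})


def instance_identity(send=urllib_send):
    """Fetch a token once and reuse it for several reads."""
    token = fetch_imds_token(send=send)
    return {
        "instance_id": imds_get("meta-data/instance-id", token, send),
        "region": imds_get("meta-data/placement/region", token, send),
    }


class FakeImds:
    """Constructed offline stand-in for the metadata service (not a real endpoint).

    It enforces the one IMDSv2 rule that matters here: a GET whose token was not
    issued by a prior PUT is refused, which is exactly what IMDSv1-style scripts
    run into after IMDSv1 is disabled.
    """

    def __init__(self, values):
        self.values = values      # metadata path -> value
        self.issued = set()
        self.calls = []

    def __call__(self, method, url, headers, timeout=2):
        self.calls.append((method, url, dict(headers)))
        path = url[len(IMDS_BASE) + len("/latest/"):]
        if method == "PUT" and path == "api/token":
            ttl = int(headers[TOKEN_TTL_HEADER])
            if not 1 <= ttl <= MAX_TTL:
                raise PermissionError("400 Bad Request: invalid TTL")
            token = f"tok-{len(self.issued) + 1}"
            self.issued.add(token)
            return token
        if headers.get(TOKEN_HEADER) not in self.issued:
            raise PermissionError("401 Unauthorized: request without a valid IMDSv2 token")
        return self.values[path]


if __name__ == "__main__":
    # Offline demonstration against the constructed stand-in (made-up values).
    fake = FakeImds({"meta-data/instance-id": "i-0constructed",
                     "meta-data/placement/region": "us-east-1"})
    print(instance_identity(send=fake))
    # On a real instance: print(instance_identity())
```

On the instance itself, call `instance_identity()` with the default transport. The token is bound to the TTL you request, so long-running agents should refresh it before expiry rather than fetching a new one per request.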

------
#### [ (Optional) Tags ]

   You can provide optional custom tags for the resources Launch Wizard creates on your behalf. For example, you can set different tags for EC2 instances, EBS volumes, VPC, and subnets. If you select **All**, you can assign a common set of tags to your resources. Launch Wizard assigns tags with a fixed key `LaunchWizardResourceGroupID` and value that corresponds to the ID of the AWS resource group created for a deployment. Launch Wizard does not support custom tagging for root volumes. 

------
#### [ Estimated on-demand cost to deploy additional resources ]

   AWS Launch Wizard provides an estimate for application charges incurred to deploy the selected resources. The estimate updates each time you change a resource type in the Wizard. The provided estimates are only for general comparisons. They are based upon On-Demand costs and your actual costs may be lower. 

------

1. When you are satisfied with your infrastructure selections, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. On the **Review and deploy** page, review your configuration details. If you want to make changes, select **Previous**. To stop, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. When you choose **Deploy**, you agree to the terms of the **Acknowledgment**.

1. Launch Wizard validates the inputs and notifies you of any issues you must address. 

1. When validation is complete, Launch Wizard deploys your AWS resources and configures your SQL Server Developer Edition application. Launch Wizard provides you with status updates about the progress of the deployment on the **Deployments** page. From the **Deployments** page, you can view the list of current and previous deployments.

1. When your deployment is ready, a notification informs you that your SQL Server application is successfully deployed. If you have set up an SNS notification, you are also alerted through SNS. You can manage and access all of the resources related to your SQL Server Developer Edition application by selecting the deployment, and then selecting **Manage** from the **Actions** dropdown list.

1. When the SQL Server Developer Edition application is deployed, you can access your Amazon EC2 instance through the EC2 console. You can also use [AWS SSM](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) to manage your SQL Server Developer Edition application for future updates and patches with built-in integration through resource groups.

# Deploy an application with AWS Launch Wizard for SQL Server on Ubuntu (Console)
<a name="launch-wizard-deploying-linux"></a>

**Topics**
+ [Access AWS Launch Wizard](#accessing-launch-wizard-linux)
+ [Deploy AWS Launch Wizard on Ubuntu](#deploy-console-launch-wizard-linux)
+ [Post-deployment cluster tasks](#launch-wizard-linux-post-deployment)

## Access AWS Launch Wizard
<a name="accessing-launch-wizard-linux"></a>

You can launch AWS Launch Wizard from the [AWS Launch Wizard console](https://console.aws.amazon.com/launchwizard).

## Deploy AWS Launch Wizard on Ubuntu
<a name="deploy-console-launch-wizard-linux"></a>

The following steps guide you through a SQL Server application deployment with AWS Launch Wizard on the Ubuntu platform after you have launched it from the console. For SQL Server deployments on Ubuntu, you must use an instance type built on the [Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances). EBS volumes are exposed as NVMe block devices on instances built with the Nitro System. Device names that are specified for NVMe EBS volumes in a block device mapping are renamed using NVMe device names (`/dev/nvme[0-26]n1`). Launch Wizard deployments on Ubuntu do not support block devices on Xen-virtualized instances.

1. When you select **Choose application** from the AWS Launch Wizard landing page, you are directed to the **Choose application** wizard, where you are prompted to select the type of application that you want to deploy. Select **Microsoft SQL Server**, then **Create deployment**.

1. Under **Review Permissions**, Launch Wizard displays the AWS Identity and Access Management (IAM) role required for Launch Wizard to access other AWS services on your behalf. For more information about setting up IAM for Launch Wizard, see [AWS Identity and Access Management (IAM)](launch-wizard-getting-started.md#launch-wizard-iam). Choose **Next**.

1. On the **Configure application settings** page, select the **Operating System** on which you want to install SQL Server — in this case, **Ubuntu**.

1. **Deployment model**. Choose **High availability deployment** to deploy your SQL Server Always On application across multiple Availability Zones or **Single instance deployment** to deploy your SQL Server application on a single node.

1. You are prompted to enter specifications for the new deployment. The following tabs provide information about the input fields.

------
#### [ General ]
   + **Deployment name**. Enter a unique application name for your deployment.
   + **Simple Notification Service (SNS) topic ARN (Optional)**. Specify an SNS topic where AWS Launch Wizard can send notifications and alerts. For more information, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/welcome.html).
   + **Enable rollback on failed deployment**. By default, if a deployment fails, your provisioned resources will not be rolled back/deleted. This default configuration helps you to troubleshoot errors at the resource level as you debug deployment issues. If you want your provisioned resources to be immediately deleted if a deployment fails, select the check box.

------
#### [ Connectivity ]

   Enter your requirements for how you want to connect to your application instance and what kind of Virtual Private Cloud (VPC) you want to set up. 

   **Key pair name**
   + Select an existing key pair from the dropdown list or create a new one. If you select **Create new key pair name** to create a new key pair, you are directed to the Amazon EC2 console. From there, under **Network and Security**, choose **Key Pairs**. Choose **Create a new key pair**, enter a name for the key pair, and then choose **Download Key Pair**.
**Important**  
This is your only opportunity to save the private key file. Download it and save it in a safe place. You must provide the name of your key pair when you launch an instance, and provide the corresponding private key each time that you connect to the instance. 

     Return to the Launch Wizard console and choose the refresh button next to the **Key Pairs** dropdown list. The newly created key pair appears in the dropdown list. For more information about key pairs, see [Amazon EC2 Key Pairs and Windows Instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html).

   **Virtual Private Cloud (VPC)**. Choose whether you want to use an existing VPC or create a new VPC.
   + **Select Virtual Private Cloud (VPC)** option. Choose the VPC that you want to use from the dropdown list. Your VPC must contain one public subnet. For HA deployments, it must also contain at least three private subnets. For single node deployments, it must contain one private subnet. The private subnets must have outbound connectivity to the internet and other AWS services (S3, CFN, SSM, Logs). We recommend that you enable this connectivity with a NAT Gateway. For more information about NAT Gateways, see [NAT Gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) in the Amazon VPC User Guide.
     + **Public Subnet**. Your VPC must contain one public subnet. For HA deployments it must also contain three private subnets. For single node deployments, it must contain one private subnet. Choose a public subnet for your VPC from the dropdown list. To continue, you must select the check box that indicates that the public subnet has been set up and each of the selected private subnets has outbound connectivity enabled.

**To add a new public subnet**

       If the traffic of a subnet is routed to an internet gateway, the subnet is known as a public subnet. If, however, a subnet doesn't have a route to the internet gateway, the subnet is known as a private subnet. To use an existing VPC that does not have a public subnet, you can add a new public subnet using the following steps.
       + Follow the steps in [Creating a Subnet in the Amazon VPC User Guide](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Create_Subnet) using the existing VPC you intend to use for AWS Launch Wizard.
       + To add an internet gateway to your VPC, follow the steps in [Attaching an Internet Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Attach_Gateway) in the Amazon VPC User Guide.
       + To configure your subnets to route internet traffic through the internet gateway, follow the steps in [Creating a Custom Route Table](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Routing) in the Amazon VPC User Guide. Use IPv4 format (`0.0.0.0/0`) for **Destination**.
       + The public subnet should have the “auto-assign public IPv4 address” setting enabled. To enable this setting, follow the steps in [Modifying the Public IPv4 Addressing Attribute for Your Subnet](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip) in the Amazon VPC User Guide.
     + **Availability Zone (AZ) configuration**. You must choose at least three Availability Zones for High Availability (HA) deployments and one Availability Zone for single-node deployments, with one private subnet for each Availability Zone that you select. From the dropdown lists, select the **Availability Zones** within which you want to deploy your **primary**, **secondary**, and **configuration** nodes.

**To create a private subnet**

       If a subnet doesn't have a route to an internet gateway, the subnet is known as a private subnet. To create a private subnet, perform the following steps. We recommend that you enable the outbound connectivity for each of your selected private subnets using a NAT Gateway. To enable outbound connectivity from private subnets to public subnets, see the steps in [Creating a NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) to create a NAT Gateway in your chosen public subnet. Then, follow the steps in [Updating Your Route Table](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-create-route) for each of your chosen private subnets.
       + Follow the steps in [Creating a Subnet](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html#AddaSubnet) in the Amazon VPC User Guide using the existing VPC you will use in AWS Launch Wizard. 
       + When you create a VPC, it includes a main route table by default. On the **Route Tables** page in the Amazon VPC console, you can view the main route table for a VPC by looking for **Yes** in the **Main** column. The main route table controls the routing for all subnets that are not explicitly associated with any other route table. If the main route table for your VPC has an outbound route to an internet gateway, then any subnet created using the previous step, by default, becomes a public subnet. To ensure the subnets are private, you may need to create one separate route table for all of your private subnets. This route table must not contain any routes to an internet gateway. Verify that all of the private subnets have the same route table association.
   + **Create new Virtual Private Cloud (VPC)** option. Launch Wizard creates your VPC. You can optionally enter a VPC name tag.
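
The public/private distinction used in this Connectivity tab, and in the equivalent tab of the Windows deployment above, comes down to route tables: a subnet is public when its route table sends `0.0.0.0/0` to an internet gateway, private when it does not, and Launch Wizard additionally needs the private subnets' default route to reach a NAT gateway so they can get to S3, CloudFormation, SSM and CloudWatch Logs. Subnets with no explicit route table association fall back to the VPC's main route table, which is the trap the text warns about. The following is an added example, not code from the AWS Launch Wizard documentation, that applies those rules to decide what each subnet is before you pick it in the console. The route tables and subnet ids are constructed to resemble the `RouteTables` list returned by the EC2 `DescribeRouteTables` API; the ids are placeholders.

```python
"""Classify a VPC's subnets as public, private-with-NAT, or private-with-no-egress.

Added example, not part of the AWS Launch Wizard documentation. SAMPLE_ROUTE_TABLES
is constructed to resemble the RouteTables list that EC2 DescribeRouteTables
returns; all ids are placeholders and no AWS API calls are made.
"""

SAMPLE_ROUTE_TABLES = [
    {   # Main route table: no internet route, so unassociated subnets stay private.
        "RouteTableId": "rtb-main-placeholder",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # Custom table for the public subnet: default route to an internet gateway.
        "RouteTableId": "rtb-public-placeholder",
        "Associations": [{"Main": False, "SubnetId": "subnet-public-1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"},
        ],
    },
    {   # One shared table for the private subnets: default route via a NAT gateway.
        "RouteTableId": "rtb-private-placeholder",
        "Associations": [
            {"Main": False, "SubnetId": "subnet-private-1"},
            {"Main": False, "SubnetId": "subnet-private-2"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder"},
        ],
    },
]
# subnet-isolated-1 has no explicit association, so it inherits the main table.
SAMPLE_SUBNETS = ["subnet-public-1", "subnet-private-1", "subnet-private-2", "subnet-isolated-1"]


def default_route_target(table):
    """Return "igw", "nat", or None depending on where the table sends 0.0.0.0/0."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":   # skip blackholed routes
            continue
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId"):
            return "nat"
    return None


def classify_subnets(route_tables, subnet_ids):
    """Map each subnet id to "public", "private-nat", or "private-no-egress".

    A subnet with no explicit association uses the VPC's main route table,
    which is why an internet route on the main table makes new subnets public.
    """
    main = next((t for t in route_tables
                 if any(a.get("Main") for a in t.get("Associations", []))), None)
    explicit = {}
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = table
    labels = {"igw": "public", "nat": "private-nat"}
    result = {}
    for subnet_id in subnet_ids:
        table = explicit.get(subnet_id, main)
        target = default_route_target(table) if table else None
        result[subnet_id] = labels.get(target, "private-no-egress")
    return result


def launch_wizard_ready(classes, private_needed=1):
    """True if there is a public subnet and enough NAT-backed private subnets.

    Use private_needed=1 for single-node deployments and 3 for HA deployments.
    """
    public = sum(1 for c in classes.values() if c == "public")
    private = sum(1 for c in classes.values() if c == "private-nat")
    return public >= 1 and private >= private_needed


if __name__ == "__main__":
    classes = classify_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS)
    for subnet_id, kind in classes.items():
        print(f"{subnet_id}: {kind}")
    print("HA ready:", launch_wizard_ready(classes, private_needed=3))
```

In the constructed data `subnet-isolated-1` is private but has no egress, so it would fail the console's "outbound connectivity enabled" confirmation; with only two NAT-backed private subnets the VPC satisfies a single-node deployment but not the three required for HA.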

------
#### [ SQL Server ]

**SQL Server configuration**
   + **User name and password**. By default, Launch Wizard applies the user name `sa`. This system administrator account is used for SQL Server management. Create a complex password that is at least 8 characters long, and then reenter the password to verify it. See [Password Policy](https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=sql-server-2017) for more information.
   + **Floating IP Address (HA and existing VPC deployments only)**. This field is available when you select a Virtual Private Cloud (VPC). The IP address that you enter is used as the endpoint for your SQL Server Availability Group listener. Launch Wizard creates a route from this IP address to the SQL primary node in your route table. Verify that the IP address is not already in use within your VPC and is outside of all of the provided subnet CIDRs.
   + **Amazon Machine Image (AMI)**. Select the version of Microsoft SQL Server Enterprise to deploy. You can select an AMI from the lists of either license-included or custom AMIs.

**Pacemaker cluster configuration (HA deployments only)**

   Pacemaker is a high-availability cluster resource manager. This software runs on a set of hosts, or cluster of nodes, to preserve integrity and minimize the downtime of selected services or resources. Pacemaker is maintained by the [ClusterLabs](https://www.clusterlabs.org/) community.
   + **Pacemaker cluster name**. Enter a name to identify your pacemaker cluster.
   + **Pacemaker cluster username**. By default, Launch Wizard applies the pacemaker username `hacluster`. This username is used to securely communicate between cluster nodes. 
   + **Pacemaker cluster password**. Create a complex password that is at least 8 characters long, and then reenter the password to verify it. See [Password Policy](https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=sql-server-2017) for more information. 

**SQL - Pacemaker cluster connection settings (HA deployments only)**

   After you configure Pacemaker cluster and SQL Server, you must create a user in SQL Server to communicate with Pacemaker.
   + **SQL Pacemaker user name and password**. Enter a user name for SQL Server to communicate with the Pacemaker cluster. Create a complex password that is at least 8 characters long, and then reenter the password to verify it. See [Password Policy](https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy?view=sql-server-2017) for more information.
   + **S3 location for node certificates**. An Amazon S3 bucket location is required by the SQL nodes to share self-signed certificates with each other. Provide the bucket or object locations and verify that the names begin with `launchwizard-`.

**Additional SQL Server settings (optional)**
   + **Nodes**. Enter a **Primary SQL node name**, a **Secondary SQL node name**, and a **Configuration node name**. 
   + **Additional naming**. Enter a **Database name** and an **Availability group name**.

------

1. When you are satisfied with your configuration selections, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. After configuring your application, you are prompted to define the infrastructure requirements for the new deployment on the **Define infrastructure requirements** page. The following tabs provide information about the input fields.

------
#### [ Define infrastructure requirements ]

   You can choose to select your instances, storage and performance, and volume types, or to use AWS recommended resources. If you choose to use AWS recommended resources, you have the option of defining your high availability cluster needs. If no selections are made, default values are assigned.
   + **Number of instance cores**. Choose the number of CPU cores for your infrastructure. The default value assigned is 4. 
   + **Network performance**. Choose your preferred network performance in Gbps.
   + **Memory (GB)**. Choose the amount of RAM that you want to attach to your EC2 instances. The default value assigned is 4 GB.
   + **Type of storage drive**. Select the storage drive type for the SQL data and tempdb volumes. The default value assigned is SSD. 
   + **SQL Server throughput**. Select the sustained SQL Server throughput that you need. 
   + **Recommended resources**. Launch Wizard displays the system-recommended resources based on your infrastructure selections. If you want to change the recommended resources, select different infrastructure requirements. 

**Infrastructure requirements based on instance type**

   You can choose to select your instance and volume type, or to use AWS recommended resources. If no selections are made, default values are assigned.
   + **Instance type**. Select your preferred instance type from the dropdown list. 
   + **Volume type**. Choose your preferred EBS volume type. For more information about volume types, see [Amazon EBS volume types](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html).

**Volume sizes**
   + **Volume size**. Select the size of the SQL Server data volume in GB for **Temporary database**, **Logs**, **Data**, and **Backup** volumes. SQL Server logs and data will be staged on the same data volume for this deployment. Make sure that you select an adequate size for the data volume.

**Note**  
For Launch Wizard deployments created after January 2023, IMDSv1 is disabled on all instances. If your software or scripts use IMDSv1, you will have to meet the requirements to use IMDSv2. For more information, see [Use IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).

------
#### [ Tags-Optional ]

   You can provide optional custom tags for the resources Launch Wizard creates on your behalf. For example, you can set different tags for EC2 instances, EBS volumes, VPC, and subnets. If you select **All**, you can assign a common set of tags to your resources. Launch Wizard assigns tags with a fixed key `LaunchWizardResourceGroupID` and value that corresponds to the ID of the AWS resource group created for a deployment. Launch Wizard does not support custom tagging for root volumes. 

------
#### [ Estimated on-demand cost to deploy additional resources ]

   AWS Launch Wizard provides an estimate for application charges incurred to deploy the selected resources. The estimate updates each time you change a resource type in the wizard. The provided estimates are for general comparisons only. They are based upon On-Demand costs and your actual costs may be lower. 

------

1. When you are satisfied with your infrastructure selections, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. On the **Review and deploy** page, review your configuration details. If you want to make changes, select **Previous**. To stop, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the service landing page. When you choose **Deploy**, you agree to the terms of the **Note** at the bottom of the page.

1. Launch Wizard validates the inputs and notifies you if you must update a specification.

1. When validation is complete, Launch Wizard deploys your AWS resources and configures your SQL Server Always On application. Launch Wizard provides you with status updates about the progress of the deployment on the **Deployments** page. From the **Deployments** page, you can view the list of current and previous deployments.

1. When your deployment is ready, a notification informs you that your SQL Server application is successfully deployed. If you have set up an SNS notification, you are also alerted through SNS. You can manage and access all of the resources related to your SQL Server Always On application by selecting the deployment, and then selecting **Manage** from the **Actions** dropdown list.

1. When the SQL Server Always On application is deployed, you can access your Amazon EC2 instances through the EC2 console. You can also use [AWS SSM](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) to manage your SQL Server Always On application for future updates and patches through built-in integration via resource groups.

## Post-deployment cluster tasks
<a name="launch-wizard-linux-post-deployment"></a>

The Launch Wizard Pacemaker implementation includes three cluster nodes: primary, secondary, and configuration only. The primary node provides the Microsoft SQL Server for Ubuntu resource and the floating IP address. To ensure that the cluster operates correctly, some administrative tasks must be performed in a specific way. If these tasks are performed incorrectly, then Pacemaker may identify the activity as a resource failure and attempt to fail over the resources to the secondary node. If the resources are failed over to the secondary node, the cluster can remain in an unknown state, which can impact user access. 

There are four primary tasks: **Start Cluster**, **Stop Cluster**, **Move Resources**, and **Recovery**. These tasks must be carried out by a sudo user with an SSH connection to any of the cluster nodes. Before performing any of these tasks, verify the cluster status using `pcs resource status --all`. This command returns all cluster issues. All issues must be addressed prior to performing any administrative tasks.

**Start cluster**

1. Log in to a cluster node using a sudo user over an SSH connection.

1. Verify that all cluster nodes are available.

1. Verify cluster status using the following command: `pcs resource --all`.

   Address all issues before attempting to start the cluster.

1. Start all cluster nodes using the following command: `pcs cluster start --all --wait`.

1. Verify that the cluster has started using the following command: `pcs resource --all`. 

   The output provides information about the cluster nodes and cluster resources. All cluster nodes should be online and all resource agents should be visible and allocated to their assigned cluster nodes.

1. Verify that the availability group listener is available by pinging the floating IP address.

**Manually move cluster resources**

1. Log in to a cluster node using a sudo user over an SSH connection.

1. Verify that all cluster nodes are available.

1. Verify cluster status using the following command: `pcs resource --all`.

   Address all issues before attempting to move resources.

1. Run the following command: `pcs resource move <RESOURCE_NAME>-master <NODE_NAME> --force`.

   This command moves the resource agent to `<NODE_NAME>` and starts the resource. All cluster constraints will be applied. If the Microsoft SQL Server resource agent is moved, then the availability group listener will follow.

1. Verify cluster status using the following command: `pcs resource --all`.

   The resource that was moved should be located on `<NODE_NAME>`.

1. Clear temporary constraints using the following command: `pcs resource clear <RESOURCE_NAME>`.

**Stop cluster**

1. Log in to a cluster node using a sudo user over an SSH connection.

1. Verify that all cluster nodes are available.

1. Verify cluster status using the following command: `pcs resource --all`.

   Address all issues before attempting to stop the cluster.

1. Stop the cluster using the following command: `pcs cluster stop --all`. This gracefully shuts down all of the cluster nodes.

1. Verify the shut down status using the following command: `pcs status --all`.

   This command should return that the cluster is no longer running. 

**Recovery**

If a node is restarted from the operating system or the AWS Management Console, the Pacemaker node and its related services will not automatically start. This prevention protects the high availability database replicas from split-brain corruption.

The following steps are required to restore the cluster to normal operations. 

1. Log in to a cluster node using a sudo user over an SSH connection.

1. Determine the node that was restarted using the following command: `pcs resource --all`. The restarted node will be offline.

1. Verify cluster status using the following command: `pcs resource --all`.

   Address all issues before attempting to start the cluster.

1. Start the restarted node using the following command: `pcs cluster start <NODE_NAME>`.

1. Verify cluster status using the following command: `pcs resource --all`.

   Address all issues before attempting to start the cluster.

1. If the restarted node is the primary node of the cluster, then the Availability Group resource must be returned to the primary node.

1. Remove all temporary constraints using the following commands: `pcs resource clear <AG_RESOURCE>` and `pcs resource clear <AG_LISTENER>`.

1. Run the following command: `pcs resource move <RESOURCE_NAME> <PRI_NODE_NAME> --force`. 

   This command moves the resources to `<PRI_NODE_NAME>` and starts the resource. Any cluster constraints are applied. In this scenario, if the Microsoft SQL Server resource agent is moved, then the availability group listener follows.

1. Verify cluster status using the following command: `pcs resource --all`. The resource that was moved should be located on `<PRI_NODE_NAME>`.

# Deploy SQL Server to a new or existing VPC (AWS CLI)
<a name="launch-wizard-sql-deploying-cli"></a>

You can use the AWS Launch Wizard [CreateDeployment](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_CreateDeployment.html) API operation to deploy SQL Server. To create a deployment, you must provide values for various *specifications*. Specifications are a collection of settings that define how your deployment should be created and configured. A workload will have one or more deployment patterns with differing required and optional specifications.

If you want to use the **Clone deployment** action on your deployment, you must create your deployment using the Launch Wizard console.

## Prerequisites for deploying SQL Server with the AWS CLI
<a name="launch-wizard-sql-deploying-cli-prereqs"></a>

Before deploying SQL Server with the AWS CLI, ensure you have met the following prerequisites:
+ Install and configure the AWS CLI. For more information, see [Install or update to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
+ Complete the steps in the previous section titled **Set up**. Some deployment patterns have requirements that must be met for a deployment to be successful.

## Create a SQL Server deployment with the AWS CLI
<a name="launch-wizard-sql-deploying-cli-example"></a>

You can create a deployment for your SQL Server application using the `CreateDeployment` Launch Wizard API operation.

**To create a deployment for SQL Server using the AWS CLI**

1. List the available workload names using the [ListWorkloads](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListWorkloads.html) Launch Wizard API operation.

   The following example shows listing the available workloads:

   ```
   aws launch-wizard list-workloads --region us-east-1
   {
       "workloads": [
           {
               "displayName": "Remote Desktop Gateway",
               "workloadName": "RDGW"
           },
           {
               "displayName": "MS SQL Server",
               "workloadName": "SQL"
           },
           {
               "displayName": "SAP",
               "workloadName": "SAP"
           },
           {
               "displayName": "Microsoft Active Directory",
               "workloadName": "MicrosoftActiveDirectory"
           }
           ...
       ]
   }
   ```

1. Specify the desired workload name with the [ListWorkloadDeploymentPatterns](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListWorkloadDeploymentPatterns.html) operation to describe the supported values for the deployment pattern names.

   The following example lists the available workload patterns for a given workload:

   ```
   aws launch-wizard list-workload-deployment-patterns --workload-name SQL --region us-east-1
   {
       "workloadDeploymentPatterns": [
           {
               "deploymentPatternName": "SQLHAAlwaysOn",
               "description": "Example description.",
               "displayName": "ExampleDisplayName",
               "status": "ACTIVE",
               "workloadName": "SQL",
               "workloadVersionName": "2024-05-03-00-00-00"
           },
           ...
       ]
   }
   ```

1. Use the workload and deployment pattern names you discovered with the [GetWorkloadDeploymentPattern](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_GetWorkloadDeploymentPattern.html) operation to list the specification details.

   The following example lists the workload specifications of a given workload and deployment pattern:

   ```
   aws launch-wizard get-workload-deployment-pattern --workload-name SQL --deployment-pattern-name SQLHAAlwaysOn --region us-east-1
   {
       "workloadDeploymentPattern": {
           "deploymentPatternName": "SQLHAAlwaysOn",
           "description": "Example description.",
           "displayName": "ExampleDisplayName",
           "specifications": [
               {
                   "description": "Enter an SNS topic for AWS Launch Wizard to send notifications and alerts.",
                   "name": "AWS:LaunchWizard:TopicArn",
                   "required": "No"
               },
               {
                   "description": "When a deployment fails, your provisioned resources will be deleted/rolled back by default. If deactivated, the provisioned resources will be deleted when you delete your deployment from the Launch Wizard console.",
                   "name": "AWS:LaunchWizard:DisableRollbackFlag",
                   "required": "No"
               },
               {
                   "allowedValues": [
                       "true",
                       "false"
                   ],
                   "description": "Cloud Watch Application Insights monitoring",
                   "name": "SetupAppInsightsMonitoring",
                   "required": "Yes"
               },
               ...
           ]
       }
   }
   ```

1. With the workload specifications retrieved, you must provide values for any specification `name` with a `required` value of `Yes`. You can also provide any optional specifications you require for your deployment. We recommend that you pass inputs to the `specifications` parameter for your deployment as a file for easier usage.

   Your JSON file's format should resemble the following:

   ```
   {
     "ExampleName1": "ExampleValue1",
     "ExampleName2": "ExampleValue2",
     "ExampleName3": "ExampleValue3"
   }
   ```

1. With the specifications file created, you can create a deployment for your chosen workload and deployment pattern.

   The following example creates a deployment with specifications defined in a file:

   ```
   aws launch-wizard create-deployment --workload-name SQL --deployment-pattern-name SQLHAAlwaysOn --name ExampleDeploymentName --region us-east-1 --specifications file://specifications.json
   ```
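The steps above leave one gap a practitioner usually wants closed before calling `create-deployment`: confirming that the specifications file actually satisfies the pattern's requirements. The following Python script is an added example (not code from the AWS documentation or the Launch Wizard service) that checks a specifications file against `get-workload-deployment-pattern` output: every `required: Yes` name is present, values respect `allowedValues`, no unknown names are passed, and the file is a flat object of strings as the `specifications` map requires. The `KeyPairName` specification in the sample pattern is a hypothetical addition; the other three names are taken from the output shown above.

```python
"""Pre-flight check of a Launch Wizard specifications file before calling create-deployment."""
import json

# Constructed sample shaped like `aws launch-wizard get-workload-deployment-pattern` output.
# The first three names appear in the documented output; "KeyPairName" is a hypothetical extra.
PATTERN_JSON = json.dumps({
    "workloadDeploymentPattern": {
        "deploymentPatternName": "SQLHAAlwaysOn",
        "specifications": [
            {"name": "AWS:LaunchWizard:TopicArn", "required": "No"},
            {"name": "AWS:LaunchWizard:DisableRollbackFlag", "required": "No"},
            {"name": "SetupAppInsightsMonitoring", "required": "Yes",
             "allowedValues": ["true", "false"]},
            {"name": "KeyPairName", "required": "Yes"},
        ],
    }
})


def validate_specifications(pattern_json, spec_file_text):
    """Return a list of problems with the specifications file; an empty list means it passes.

    Checks, in order: the file is a flat JSON object of strings (the shape the
    create-deployment specifications map accepts), every required name is present,
    values respect allowedValues, and no unknown names are passed.
    """
    specs = json.loads(pattern_json)["workloadDeploymentPattern"]["specifications"]
    values = json.loads(spec_file_text)
    if not isinstance(values, dict) or not all(isinstance(v, str) for v in values.values()):
        return ["specifications file must be a flat JSON object with string values (quote true/false)"]

    known = {spec["name"]: spec for spec in specs}
    problems = []
    for name, spec in known.items():
        if spec.get("required") == "Yes" and name not in values:
            problems.append(f"missing required specification: {name}")
    for name, value in values.items():
        spec = known.get(name)
        if spec is None:
            problems.append(f"unknown specification: {name}")
            continue
        allowed = spec.get("allowedValues")
        if allowed and value not in allowed:
            problems.append(f"{name}: {value!r} is not one of {allowed}")
    return problems


if __name__ == "__main__":
    import sys
    # usage: python check_specs.py pattern.json specifications.json
    # where pattern.json holds the saved get-workload-deployment-pattern output
    with open(sys.argv[1]) as pattern_file, open(sys.argv[2]) as spec_file:
        for problem in validate_specifications(pattern_file.read(), spec_file.read()):
            print(problem)
```

Because the `specifications` parameter is a map of strings, an unquoted JSON `true` is reported as a shape error rather than accepted; quoting it as `"true"` resolves the finding.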

# Manage application resources with AWS Launch Wizard for SQL Server
<a name="launch-wizard-managing"></a>

After your SQL Server Always On application is deployed, you can manage it by following these steps.

1. From the navigation pane, under **Deployments**, choose **MS SQL Server**.

1. From the **Deployments — SQL** page, select the deployment you want to manage and then select **Actions**. You can select to do the following:

   1. **Manage resources on the EC2 console**. You are taken to the Amazon EC2 console, where you can view and manage your SQL Server Always On application resources. For example, you can view and manage EC2, Amazon EBS, Active Directory, Amazon VPC, Subnets, NAT Gateways, and Elastic IPs. For SQL Server on Linux deployments, you can use AWS Systems Manager Session Manager to manage your deployed EC2 instances. For more information about SSM Session Manager, see [AWS Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html).

   1. **Access SQL Server using RDGW instance (Windows deployments)**. Connect to SQL Server via Remote Desktop Protocol. For more information, see [Connecting to your Windows Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connecting_to_windows_instance.html) in the *User Guide for Windows Instances*.

   1. **View resource group with SSM**. You are taken to the Systems Manager console to view your resource groups.

   1. **View SSM deployment template (Windows deployments)**. You are taken to the Systems Manager console to view your documents.

   1. **View CloudWatch application logs**. You are taken to CloudWatch Logs, where you can monitor, store, and access your SQL Server Always On application log files. 

   1. **View your CloudFormation template**. This is the CloudFormation template created by your most recent deployment, and it can be accessed through the CloudFormation console. For help with finding and using your CloudFormation template, see [Viewing CloudFormation Stack Data and Resources on the AWS Management Console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-view-stack-data-resources.html).

   1. If you have not set up monitoring for your application on CloudWatch Application Insights, you have the option to **Set up monitoring on CloudWatch Application Insights**. You are taken to the CloudWatch Application Insights console to set up monitoring for your application. 

      If you have set up monitoring for your application on CloudWatch Application Insights, you can **View insights on Amazon CloudWatch**. You are taken to the application monitoring dashboards on the CloudWatch Application Insights console.

1. To delete a deployment, select the application that you want to delete and select **Delete**. You are prompted to confirm your action.
**Important**  
You lose all specification settings for the SQL Server Always On application when you delete a deployment. Launch Wizard attempts to delete only the AWS resources that it created in your account as part of the deployment. If you created resources outside of Launch Wizard, for example, resources that reside in a VPC created by Launch Wizard, the deletion may fail. Launch Wizard does not delete any Active Directory objects in your Active Directory, nor any of the records in your DNS server. Launch Wizard has no control over your Active Directory domain user password over time, which is required to clean up Active Directory objects or DNS records. We recommend that you remove these entries from your Active Directory after Launch Wizard deletes the deployment. For key operations performed against your Active Directory resulting in new records or entries, see [AWS Managed Active Directory](launch-wizard-getting-started.md#launch-wizard-ad-managed).

1. To drill down into details regarding your SQL Server Always On application resources, select the **Application name**. You can then view the **Deployment events** and **Configuration summary** details for your application by using the tabs at the top of the page.

# Manage Launch Wizard application resources with AWS Systems Manager Application Manager
<a name="launch-wizard-sql-app-manager"></a>

AWS Systems Manager Application Manager, a capability of AWS Systems Manager, helps you to investigate and remediate issues with your AWS resources that make up an application. Application Manager aggregates operations information from multiple AWS services and Systems Manager capabilities to a single console.

Application Manager automatically imports application resources created by Launch Wizard. From the Application Manager console, you can view operations details and perform operations tasks. You can also use runbooks, or SSM Automation documents, provided by Launch Wizard from the Application Manager console to manage or remediate issues with application components or resources. 

For general information about AWS Systems Manager Application Manager, see [AWS SSM Application Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/application-manager.html) in the AWS Systems Manager User Guide.

The following information is specific to the management of Launch Wizard application resources from the Application Manager console.

**Topics**
+ [Use runbooks](#launch-wizard-sql-app-manager-runbooks)
+ [Onboard existing applications](#launch-wizard-sql-app-manager-ops-metadata)
+ [Patch management](#launch-wizard-sql-app-manager-patch-manager)

## Use SSM Application Manager to run Automation workflows on your Launch Wizard applications
<a name="launch-wizard-sql-app-manager-runbooks"></a>

You can perform operations tasks and remediate issues with your Launch Wizard application resources by using AWS Systems Manager Automation runbooks.

Application Manager automatically imports all of your Launch Wizard resources and lists them in the Launch Wizard category. From the Application Manager console, choose **Launch Wizard** from the list of **Applications**. Select an application to view its information. On the **Application information** page, choose **Start runbook**. A dropdown list displays all of the runbooks available for your Launch Wizard application. This list includes runbooks provided by AWS, as well as any custom runbooks you own or are shared with you.

When you select a runbook, you are taken to the SSM Automation document console, where the resource group that makes up your application is preselected.

For descriptions of the runbooks provided by **Launch Wizard**, see [AWS Launch Wizard Systems Manager Automation documents](launch-wizard-sql-provided-runbooks.md).

**Add custom runbooks**

To add your own runbooks, you must modify the service setting value for the supported type.

1. The service setting value is a list of document Amazon Resource Names (ARNs). You can view this list using the following AWS Command Line Interface (AWS CLI) command, adding the type to the `setting-id` path.

   There are four supported types for which there are service settings:
   + `AWS-SQLServerWindows`
   + `AWS-SQLServerLinux`
   + `AWS-SAP`
   + `AWS-SelfManagedActiveDirectory`

   The following command lists the service settings for `AWS-SQLServerWindows`.

   ```
   aws ssm get-service-setting --setting-id /launchwizard/AWS-SQLServerWindows
   ```

   The following is the example output.

   ```
   {
       "ServiceSetting": {
           "SettingId": "/launchwizard/AWS-SQLServerWindows",
           "SettingValue": "arn:aws:ssm:us-east-1::document/AWSSQLServer-Backup,arn:aws:ssm:us-east-1::document/AWSSQLServer-Restore,arn:aws:ssm:us-east-1::document/AWSSQLServer-Index,arn:aws:ssm:us-east-1::document/AWSSQLServer-DBCC",
           "LastModifiedDate": "2020-11-13T13:36:09.527000-05:00",
           "LastModifiedUser": "System",
           "ARN": "arn:aws:ssm:us-east-1:012345678901:servicesetting/launchwizard/AWS-SQLServerWindows",
           "Status": "Default"
       }
   }
   ```

1. You can modify the list of document ARNs by running the following command.

   ```
   aws ssm update-service-setting \
       --setting-id /launchwizard/AWS-SQLServerWindows \
       --setting-value \
       "arn:aws:ssm:us-east-1::document/AWSSQLServer-Backup,arn:aws:ssm:us-east-1::document/AWSSQLServer-Restore,arn:aws:ssm:us-east-1::document/AWSSQLServer-Index,arn:aws:ssm:us-east-1::document/Document"
   ```

1. To reset the service setting value, run the following AWS CLI command. This command resets the service setting value for `AWS-SQLServerWindows`.

   ```
   aws ssm reset-service-setting --setting-id /launchwizard/AWS-SQLServerWindows
   ```

   The following is the example output.

   ```
   {
       "ServiceSetting": {
           "SettingId": "/launchwizard/AWS-SQLServerWindows",
           "SettingValue": "arn:aws:ssm:us-east-1::document/AWSSQLServer-Backup,arn:aws:ssm:us-east-1::document/AWSSQLServer-Restore,arn:aws:ssm:us-east-1::document/AWSSQLServer-Index,arn:aws:ssm:us-east-1::document/AWSSQLServer-DBCC",
           "LastModifiedDate": "2020-11-13T13:36:09.527000-05:00",
           "LastModifiedUser": "System",
           "ARN": "arn:aws:ssm:us-east-1:012345678901:servicesetting/launchwizard/AWS-SQLServerWindows",
           "Status": "Default"
       }
   }
   ```

   The document lists correspond to the application type level. Therefore, when you add a new `AWS-SQLServerWindows` document, it will show up in all `AWS-SQLServerWindows` deployments. You can't add documents to a specific application.
**Note**  
Verify that you use the correct Region for the added document ARNs. 
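Because `update-service-setting` replaces the entire comma-separated value, any ARN left out of `--setting-value` disappears from the list. The following Python helper is an added example (not code from the AWS documentation or the Launch Wizard service) that reads the current `get-service-setting` output, appends a new document ARN only after checking that it is an SSM document ARN in the same Region as the setting, and builds the `update-service-setting` call. The custom document name `Custom-Runbook` is hypothetical; the account ID is the placeholder used elsewhere on this page.

```python
"""Append a document ARN to a Launch Wizard service setting without dropping the existing entries."""
import json
import re

# Constructed sample modelled on the get-service-setting output shown above.
CURRENT_SETTING = json.dumps({
    "ServiceSetting": {
        "SettingId": "/launchwizard/AWS-SQLServerWindows",
        "SettingValue": (
            "arn:aws:ssm:us-east-1::document/AWSSQLServer-Backup,"
            "arn:aws:ssm:us-east-1::document/AWSSQLServer-Restore,"
            "arn:aws:ssm:us-east-1::document/AWSSQLServer-Index,"
            "arn:aws:ssm:us-east-1::document/AWSSQLServer-DBCC"
        ),
        "Status": "Default",
    }
})

# SSM document ARN: AWS-owned documents have an empty account field, customer documents a 12-digit one.
DOC_ARN_RE = re.compile(r"^arn:aws:ssm:([a-z0-9-]+):(\d{12})?:document/[A-Za-z0-9_.-]+$")


def parse_setting_value(setting_json):
    """Return the comma-separated SettingValue as a list of ARNs."""
    value = json.loads(setting_json)["ServiceSetting"]["SettingValue"]
    return [arn for arn in value.split(",") if arn]


def add_document_arn(setting_json, new_arn, setting_region):
    """Return the SettingValue to pass to update-service-setting after appending new_arn.

    Raises ValueError when new_arn is not an SSM document ARN or lives in a different
    Region than the service setting; an ARN already in the list is left as is.
    """
    match = DOC_ARN_RE.match(new_arn)
    if not match:
        raise ValueError(f"not an SSM document ARN: {new_arn}")
    if match.group(1) != setting_region:
        raise ValueError(f"document is in {match.group(1)} but the setting is in {setting_region}")
    current = parse_setting_value(setting_json)
    if new_arn not in current:
        current.append(new_arn)
    return ",".join(current)


def update_command(setting_id, setting_value):
    """argv for the AWS CLI call that applies the merged list (suitable for subprocess.run)."""
    return ["aws", "ssm", "update-service-setting",
            "--setting-id", setting_id, "--setting-value", setting_value]


if __name__ == "__main__":
    # Hypothetical customer-owned document in the same Region as the setting.
    merged = add_document_arn(
        CURRENT_SETTING, "arn:aws:ssm:us-east-1:123456789012:document/Custom-Runbook", "us-east-1")
    print(" ".join(update_command("/launchwizard/AWS-SQLServerWindows", merged)))
```

In use, replace `CURRENT_SETTING` with the live `aws ssm get-service-setting` output so the merged value always starts from what is currently configured rather than from a copy that may have drifted.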

## Onboard existing applications
<a name="launch-wizard-sql-app-manager-ops-metadata"></a>

When you deploy an application with Launch Wizard, the resource groups that make up the application are automatically assigned metadata showing that they are provisioned by Launch Wizard. Application Manager uses this metadata to display all of your resource groups and CloudFormation stacks created by Launch Wizard on one page. When you deploy an application, Launch Wizard calls the `CreateOpsMetadata` API to assign the provisioning metadata. 

**Onboard existing applications**  
You can manually call the `CreateOpsMetadata` API using the AWS CLI so that existing application deployments appear on the Application Manager Launch Wizard page. The following example shows the `create-ops-metadata` AWS CLI command.

```
aws ssm create-ops-metadata \
    --resource-id "arn:aws:resource-groups:us-east-1:123456789012:group/LaunchWizard-SQLHAAlwaysOn-test" \
    --metadata '{"application-type": {"Value": "AWS-SQLServerWindows"}, "provisioned-by": {"Value": "AWS-LaunchWizard"}}'
```

You must provide the following information:
+ The resource group ARN of the resource that you want to be visible on the Launch Wizard page in Application Manager.
+ A metadata JSON file that contains the `application-type` and `provisioned-by` key values. The `application-type` is the application type of the deployment, for example `AWS-SQLServerWindows` or `AWS-SAP`. The `provisioned-by` value is `AWS-LaunchWizard`.

When the command is successful, the output will be an `OpsMetadataArn`. If the output is an `OpsMetadataAlreadyExistsException`, then the resource group has already been tagged.

**View all `OpsMetadata` values**  
You can call the `ListOpsMetadata` API to view all of your `OpsMetadata` values. To display only Launch Wizard-related metadata objects, you can use filtering. The following example shows the `list-ops-metadata` AWS CLI command.

```
aws ssm list-ops-metadata \
    --filters '[{"Key":"provisioned-by","Values":["AWS-LaunchWizard"]}]' \
    --max-results 20
```

The following is the example output.

```
{
    "OpsMetadataList": [
        {
            "ResourceId": "arn:aws:resource-groups:us-east-1:123456789012:group/LaunchWizard-SQLHAAlwaysOn-test",
            "OpsMetadataArn": "arn:aws:ssm:us-east-1:123456789012:opsmetadata/aws/ssm/LaunchWizard-SQLHAAlwaysOn-test/appmanager",
            "LastModifiedDate": "2020-11-16T22:41:43.035000-05:00",
            "LastModifiedUser": "arn:aws:sts::123456789012:assumed-role/Admin",
            "CreationDate": "2020-11-16T22:41:43.035000-05:00"
        }
    ]
}
```

**Filter by application type**  
The following example shows the `list-ops-metadata` AWS CLI command to filter by application type:

```
aws ssm list-ops-metadata \
    --filters '[{"Key":"application-type","Values":["AWS-SQLServerWindows","AWS-SAP"]}]' \
    --max-results 20
```

To get information about an `OpsMetadataArn` object, use the following command and enter the `OpsMetadataArn`.

```
aws ssm get-ops-metadata \
    --ops-metadata-arn "arn:aws:ssm:us-east-1:123456789012:opsmetadata/aws/ssm/LaunchWizard-SQLHAAlwaysOn-test/appmanager"
```

The following is the example output.

```
{
    "ResourceId": "arn:aws:resource-groups:us-east-1:123456789012:group/LaunchWizard-SQLHAAlwaysOn-test",
    "Metadata": {
        "application-type": {
            "Value": "AWS-SQLServerWindows"
        },
        "provisioned-by": {
            "Value": "AWS-LaunchWizard"
        }
    }
}
```

**Delete metadata object**  
You can delete the metadata object if you make a mistake when using the `create-ops-metadata` AWS CLI command. Run the following command, entering the `OpsMetadataArn`, and then run the `create-ops-metadata` command again.

```
aws ssm delete-ops-metadata \
    --ops-metadata-arn "arn:aws:ssm:us-east-1:123456789012:opsmetadata/aws/ssm/LaunchWizard-SQLHAAlwaysOn-test/appmanager"
```

For more information about `CreateOpsMetadata` and related APIs, see the [Amazon EC2 Systems Manager API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreateOpsMetadata.html).

## Patch management
<a name="launch-wizard-sql-app-manager-patch-manager"></a>

You can automate the process of patching your Launch Wizard instances with security and other types of updates. From the **Application information** page of the Application Manager console, choose **Patch**. You are taken to the SSM Patch Manager console **Patch now** page, where patch management options for your application instances are preselected.

For more information about how Patch Manager determines which patches to install and how it installs them, see [How Patch Manager operations work](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-how-it-works.html).

# AWS Launch Wizard Systems Manager Automation documents
<a name="launch-wizard-sql-provided-runbooks"></a>

A Systems Manager Automation document defines the actions that Systems Manager performs on your managed instances and other AWS resources when an automation workflow runs. A document contains one or more steps that run in sequential order.

Launch Wizard provides predefined Automation documents that are maintained by AWS. This topic describes each of the predefined Automation documents provided for AWS Launch Wizard.

For more information about SSM Automation documents, see [AWS SSM Automation](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html) in the *AWS Systems Manager User Guide*.

**Topics**
+ [AWSSQLServer-DBCC](#launch-wizard-sql-runbooks-sqldbcc)
+ [AWSSQLServer-Backup](#launch-wizard-sql-runbooks-sqlbackup)
+ [AWSSQLServer-Index](#launch-wizard-sql-runbooks-sqlindex)
+ [AWSSQLServer-Restore](#launch-wizard-sql-runbooks-sqlrestore)

## AWSSQLServer-DBCC
<a name="launch-wizard-sql-runbooks-sqldbcc"></a>

The `AWSSQLServer-DBCC` Automation document includes the steps to perform database integrity checks on a specified database. You can control the type of database checks that are run. You can also adjust the execution parameters, such as specific tables to check, maximum CPU utilization, and more. For more information about the operations performed by DBCC checks, see the [SQL Server documentation](https://www.sqlservercentral.com/blogs/how-to-run-dbcc-checkdb-to-check-sql-database-integrity).

## AWSSQLServer-Backup
<a name="launch-wizard-sql-runbooks-sqlbackup"></a>

The `AWSSQLServer-Backup` Automation document includes the steps to back up a specified database in either full, differential, or transactional mode. After the backup is completed, you can upload it to a specified folder within an S3 bucket. 

The backup modes are defined as follows:
+ **Full** — a complete backup of the database.
+ **Differential** — the delta of changes since the last full backup.
+ **Transactional** — a log of changes from the last full or differential backup, depending on the last backup type taken.

To help ensure that the `AWSSQLServer-Backup` document can successfully back up a database that resides on resources provisioned with Launch Wizard, make sure the following is in place:
+ SQL Server was provisioned on a single node or with Always On availability groups (AG).
+ The `@@SERVERNAME` property in SQL Server matches the hostname of the operating system where the automation runs.
+ The backup file is staged to a local disk.
+ The size of the backup file for uploading to an S3 bucket is 500 GB or less.

**Required IAM actions that must be added to your IAM policy to successfully run `AWSSQLServer-Backup`:**
+ `s3:GetBucketPolicyStatus`
+ `s3:PutObject`

For more information about backup modes, see the [Microsoft documentation](https://docs.microsoft.com/en-us/sql/relational-databases/backup-restore/backup-overview-sql-server?view=sql-server-ver15).

## AWSSQLServer-Index
<a name="launch-wizard-sql-runbooks-sqlindex"></a>

The `AWSSQLServer-Index` Automation document includes steps to perform index maintenance operations on a specified database. You can choose a configuration, which includes the specific actions to take based on the level of fragmentation. 

For more information about index maintenance operations, see the [Microsoft documentation](https://docs.microsoft.com/en-us/sql/relational-databases/indexes/clustered-and-nonclustered-indexes-described?view=sql-server-ver15).

## AWSSQLServer-Restore
<a name="launch-wizard-sql-runbooks-sqlrestore"></a>

The `AWSSQLServer-Restore` Automation document includes steps to download a backup database from a specified S3 bucket and folder to local storage. You can also optionally restore the backup to a copy of the database. The default behavior is to use the latest backup, and you can specify a time range to perform a point-in-time restore. The following conditions must be met for the `AWSSQLServer-Restore` document to successfully restore a database:
+ The backup to use must have been performed by the `AWSSQLServer-Backup` document.
+ There must be at least one full backup that occurred during the specified time range.

**Required IAM actions that must be added to your IAM policy to successfully run `AWSSQLServer-Restore`:**
+ `s3:GetBucketPolicyStatus`
+ `s3:PutObject`

# Monitoring SQL Server Always On deployments
<a name="launch-wizard-sql-monitoring"></a>

You can monitor your SQL Server Always On deployments using Amazon CloudWatch Application Insights. When you [select the option to monitor your deployment](launch-wizard-deploying.md#deploy-console-launch-wizard) using the Launch Wizard console, Application Insights identifies and sets up key metrics, logs, and alarms across your application resources and technology stack for your Microsoft SQL Server database. Anomalies and errors are detected and correlated as Application Insights continuously monitors metrics and logs. When errors and anomalies are detected, Application Insights generates [CloudWatch Events](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html) that you can use to set up notifications or take action. To help with troubleshooting, Application Insights creates automated dashboards for detected problems, which include correlated metric anomalies and log errors, along with additional insights to point you to a possible root cause. Use the automated dashboards to take remedial actions to keep your applications healthy and prevent end-user impact. You can also resolve problems with [AWS SSM OpsCenter](https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html) using generated OpsItems. 

For Microsoft SQL Server High Availability (HA) workloads, you can use CloudWatch Application Insights to configure important counters, such as Mirrored Write Transaction/sec, Recovery Queue Length, Transaction Delay, and Windows Event Logs on CloudWatch. You can also get automated insights whenever a failover event or problem, such as restricted access to query a target database, is detected with SQL HA workloads. See the Amazon CloudWatch Application Insights documentation for a complete list of [Logs and metrics supported by Application Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/appinsights-logs-and-metrics.html).

# High availability and security best practices for AWS Launch Wizard for SQL Server
<a name="launch-wizard-best-practices"></a>

The application architecture created by AWS Launch Wizard supports AWS best practices for high availability and security as promoted by the [AWS Well-Architected Framework](https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf).

**Topics**
+ [High availability](#launch-wizard-ha)
+ [Automatic failover](#launch-wizard-failover)
+ [Security groups and firewalls](#launch-wizard-sql-security)

## High availability
<a name="launch-wizard-ha"></a>

Using Amazon EC2, you can set the location of instances in multiple locations composed of AWS Regions and Availability Zones. Regions are dispersed and located in separate geographic areas. Availability Zones are distinct locations within a Region that are engineered to be isolated from failures in other Availability Zones. Availability Zones provide inexpensive, low-latency network connectivity to other Availability Zones in the same Region.

When you launch your instances in different Regions, you can set your SQL Server Always On application to be closer to specific customers, or to meet legal or other requirements. When you launch your instances in different Availability Zones, you can protect your SQL Server Always On applications from the failure of a single location.

## Automatic failover
<a name="launch-wizard-failover"></a>

When you deploy AWS Launch Wizard with the default parameters, it configures a two-node, automatic failover cluster with a file share witness. An Always On Availability Group is deployed on this cluster with two availability replicas, as shown in the following diagram.

![\[Deploy a two-node automatic failover cluster with a file share witness.\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/images/sql-server-automatic-failover-2.png)


Launch Wizard implementation supports the following scenarios:
+ Protection from the failure of a single instance
+ Automatic failover between the cluster nodes
+ Automatic failover between Availability Zones

The default implementation of Launch Wizard does not provide automatic failover in every case. For example, the failure of Availability Zone 1, which contains the primary node and file share witness, would prevent automatic failover to Availability Zone 2 because the cluster would fail as it loses quorum. In this scenario, you could follow manual disaster recovery steps that include restarting the cluster service and forcing quorum on the second cluster node (for example, WSFCNode2) to restore application availability. Launch Wizard also provides an option to deploy to three Availability Zones. This deployment option can mitigate the loss of quorum if a single node fails. However, you can select this option only in AWS Regions that include three or more Availability Zones. For a current list of supported Regions, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).
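To make the quorum reasoning above concrete, the following Python model (an added example, not part of the AWS documentation) assigns one vote to each WSFC node and to the file share witness, and checks which single Availability Zone failures still leave a strict majority. The zone labels and the witness placement in the three-AZ layout are assumptions; dynamic quorum and dynamic witness behaviour are not modelled.

```python
"""Static-vote quorum model for the Launch Wizard cluster layouts described above.

Added example, not part of the AWS documentation: each WSFC node and the file
share witness hold one vote, and the cluster keeps quorum only while a strict
majority of votes is reachable. Dynamic quorum/dynamic witness are not modelled.
Availability Zone labels and the witness placement in the three-AZ layout are
assumptions for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Voter:
    name: str
    az: str
    is_node: bool  # False for the file share witness


def surviving(voters, failed_azs=(), failed_names=()):
    """Voters still reachable after the given AZs and/or individual members fail."""
    return [v for v in voters if v.az not in failed_azs and v.name not in failed_names]


def has_quorum(voters, failed_azs=(), failed_names=()):
    """True if the reachable votes form a strict majority of all configured votes."""
    return 2 * len(surviving(voters, failed_azs, failed_names)) > len(voters)


def automatic_failover_possible(voters, failed_azs=(), failed_names=()):
    """Automatic failover needs quorum plus at least one surviving SQL node."""
    alive = surviving(voters, failed_azs, failed_names)
    return has_quorum(voters, failed_azs, failed_names) and any(v.is_node for v in alive)


def failover_matrix(voters):
    """Evaluate each single-AZ failure: {az: automatic failover possible?}."""
    return {az: automatic_failover_possible(voters, failed_azs={az})
            for az in sorted({v.az for v in voters})}


# Default layout from the page: primary node and file share witness share AZ 1.
TWO_AZ = (
    Voter("WSFCNode1", "az1", True),
    Voter("WSFCNode2", "az2", True),
    Voter("FileShareWitness", "az1", False),
)

# Three-AZ option, with the witness in its own zone (assumed placement).
THREE_AZ = (
    Voter("WSFCNode1", "az1", True),
    Voter("WSFCNode2", "az2", True),
    Voter("FileShareWitness", "az3", False),
)

if __name__ == "__main__":
    for label, layout in (("two-AZ", TWO_AZ), ("three-AZ", THREE_AZ)):
        print(label, failover_matrix(layout))
    # Single-instance failure (the primary node) fails over in both layouts.
    print("node1 fails:", automatic_failover_possible(TWO_AZ, failed_names={"WSFCNode1"}))
```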

## Security groups and firewalls
<a name="launch-wizard-sql-security"></a>

Launch Wizard creates a number of security groups and rules for you. When Amazon EC2 instances are launched, they must be associated with a security group, which acts as a stateful firewall. You have complete control over the network traffic entering or leaving the security group. You can also build granular rules that are scoped by protocol, port number, and source or destination IP address or subnet. By default, all outbound traffic from a security group is permitted. Inbound traffic, on the other hand, must be configured to allow the appropriate traffic to reach your instances. 

The [Securing the Microsoft Platform on Amazon Web Services](https://d1.awsstatic.com/whitepapers/aws-microsoft-platform-security.pdf) whitepaper discusses the different methods for securing your AWS infrastructure. Recommendations include providing isolation between application tiers using security groups. We recommend that you tightly control inbound traffic in order to reduce the attack surface of your EC2 instances.

Domain controllers and member servers require several security group rules to allow traffic for services such as AD DS replication, user authentication, Windows Time services, and Distributed File System (DFS), among others. The WSFC nodes running SQL Server must permit several additional ports to communicate with each other. Finally, instances launched into the application server tier must establish SQL client connections to the WSFC nodes.

In addition to security groups, the Windows Firewall must also be modified on the SQL Server instances. During the bootstrapping process, a script runs on each instance that opens the TCP ports 1433, 1434, 4022, 5022, 5023, and 135 on the Windows Firewall.
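The following Python script is an added example (not part of the AWS documentation or of Launch Wizard) that audits the inbound rules of a security group for the SQL Server and WSFC ports listed above. It reads the JSON shape that `aws ec2 describe-security-groups` prints and flags rules that expose those ports to the internet or open a wide port range; the sample group and its ids are constructed for the example.

```python
"""Audit inbound security-group rules that reach the SQL Server / WSFC ports.

Added example, not part of the AWS documentation or of Launch Wizard: it reads
the JSON that `aws ec2 describe-security-groups` prints and flags rules on the
database ports that are open to the internet or that open a wide port range.
Rules sourced from another security group are treated as tier-scoped.
The sample group and its ids below are constructed for this example.
"""
import ipaddress
import json

# TCP ports the bootstrapping script opens on the SQL Server nodes (from the page).
SQL_PORTS = frozenset({1433, 1434, 4022, 5022, 5023, 135})

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",          # placeholder id
    "IpPermissions": [
        {   # SQL client traffic scoped to the app-tier group: acceptable
            "IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
            "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}],
        },
        {   # Availability Group endpoint open to the internet: finding
            "IpProtocol": "tcp", "FromPort": 5022, "ToPort": 5022,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": [],
        },
        {   # Wide range from the VPC CIDR sweeps in five SQL/WSFC ports: finding
            "IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
            "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": [],
        },
        {   # All protocols from anywhere ("-1" = any): two findings
            "IpProtocol": "-1",
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": [],
        },
        {   # RDP from the VPC only; not a SQL port, so ignored by this audit
            "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
            "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": [],
        },
    ],
}]})


def sql_ports_reached(perm):
    """Return the SQL/WSFC ports a permission entry reaches (empty if none)."""
    if perm.get("IpProtocol") == "-1":          # any protocol, any port
        return set(SQL_PORTS)
    if perm.get("IpProtocol") != "tcp":
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in SQL_PORTS if lo <= p <= hi}


def audit_security_groups(describe_json):
    """Return findings as (group id, ports, source CIDR, reason) tuples."""
    findings = []
    for group in json.loads(describe_json)["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            ports = tuple(sorted(sql_ports_reached(perm)))
            if not ports:
                continue
            wide_range = (perm.get("IpProtocol") == "-1"
                          or perm.get("FromPort") != perm.get("ToPort"))
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append((group["GroupId"], ports, cidr, "open to the internet"))
                if wide_range:
                    findings.append((group["GroupId"], ports, cidr,
                                     "port range wider than a single SQL/WSFC port"))
    return findings


if __name__ == "__main__":
    for group_id, ports, cidr, reason in audit_security_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{group_id}: ports {ports} from {cidr}: {reason}")
```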

# Troubleshoot AWS Launch Wizard for SQL Server
<a name="launch-wizard-troubleshooting"></a>

Each application in your account in the same AWS Region can be uniquely identified by the application name specified at the time of a deployment. The application name can be used to view the details related to the application launch.

For SQL Server deployments on Linux, you must use an instance type built on the [Nitro System](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances). EBS volumes are exposed as NVMe block devices on instances built on the Nitro System. Device names that are specified for NVMe EBS volumes in a block device mapping are renamed using NVMe device names (`/dev/nvme[0-26]n1`). Launch Wizard deployments on Linux do not support block devices on Xen-virtualized instances.

**Topics**
+ [Active Directory objects and DNS record clean up (deployment on Windows)](#launch-wizard-ad-dns-clean)
+ [Launch Wizard provisioning events](#launch-wizard-provisioning)
+ [CloudWatch Logs](#launch-wizard-logs)
+ [CloudFormation stack](#launch-wizard-cloudformation)
+ [Pacemaker on Ubuntu (deployment on Linux)](#launch-wizard-pacemaker)
+ [SQL Server Management Studio](#launch-wizard-troubleshooting-ssms)
+ [Errors](#launch-wizard-errors)

## Active Directory objects and DNS record clean up (deployment on Windows)
<a name="launch-wizard-ad-dns-clean"></a>

When you delete a deployment, you lose all specification settings for the SQL Server Always On application. Launch Wizard attempts to delete only the AWS resources that it created in your account as part of the deployment. If you created resources outside of Launch Wizard, for example, resources in a VPC created by Launch Wizard, the deletion can fail. Launch Wizard does not delete Active Directory objects in your Active Directory, nor does it delete any of the records in your DNS server. Launch Wizard cannot track changes to your Active Directory domain user password over time, and that password is required to clean up Active Directory objects and DNS records. We recommend that you remove these entries from your Active Directory after Launch Wizard deletes the deployment.

If the initial Active Directory objects or DNS records are not cleaned up, a later Launch Wizard deployment into the same Active Directory that reuses a deployment name, or an availability group, listener, or cluster name, that has already been used may fail with the following error.

**Error message**

`System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server xxxxxx failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet.`

To address this error, we recommend that you remove the initial entries from your Active Directory.

To clean up Active Directory Objects, run the following example PowerShell commands as a domain user with the appropriate authorization to perform these operations.

```
# $password and $domainUser are assumed to be set beforehand; they are not shown here.
$Pwd = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $domainUser, $Pwd

# Locate the computer object of the SQL Server node by its DNS host name.
$ADObject = Get-ADObject -Filter 'DNSHostName -eq "SQLnode.example.com"'

# Remove the object together with any child objects it owns.
Remove-ADObject -Recursive -Identity $ADObject -Credential $cred
```

To remove a DNS record, you need the name of the record that you want to delete (the SQL Server node name), the DNS server FQDN, and the DNS zone in which the record resides. The following are example PowerShell commands to perform the DNS record removal.

```
# $ZoneName, $DNSServer, and $NodeToDelete are assumed to be set beforehand.
$NodeDNS = Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DNSServer -Name $NodeToDelete -RRType A -ErrorAction SilentlyContinue

# Remove the A record only if it was found; otherwise -InputObject would receive $null.
if ($NodeDNS) {
    Remove-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DNSServer -InputObject $NodeDNS -Force
}
```

## Launch Wizard provisioning events
<a name="launch-wizard-provisioning"></a>

Launch Wizard captures events from SSM Automation and CloudFormation to track the status of an ongoing application deployment. If an application deployment fails, you can view the deployment events for this application by selecting **Deployments** from the navigation pane. A failed event shows a status of **Failed** along with a failure message. 

## CloudWatch Logs
<a name="launch-wizard-logs"></a>

Launch Wizard streams provisioning logs from all of the AWS log sources, such as CloudFormation, SSM, and CloudWatch Logs. CloudWatch Logs for a given application name can be viewed on the CloudWatch console for the log group name `LaunchWizard-APPLICATION_NAME` and log stream `ApplicationLaunchLog`. 

## CloudFormation stack
<a name="launch-wizard-cloudformation"></a>

Launch Wizard uses CloudFormation to provision the infrastructure resources of an application. CloudFormation stacks can be found in your account using the CloudFormation `describe-stacks` API. Launch Wizard launches various stacks in your account for validation and application resource creation. The following are the relevant filters for the `describe-stacks` API.
+ **Validation**

  `LaunchWizard-APPLICATION_NAME-checkCredentials-SSM_execution_id`
+ **Validation**

  `LaunchWizard-APPLICATION_NAME-checkVPCConnectivity-SSM_execution_id`
+ **Application resources**

  `LaunchWizard-APPLICATION_NAME`. This stack also has nested stacks for VPC, AD, the RDGW node, and SQL nodes.

You can view the status of these CloudFormation stacks. If any of them fail, you can view the cause of failure.

## Pacemaker on Ubuntu (deployment on Linux)
<a name="launch-wizard-pacemaker"></a>

To troubleshoot Pacemaker cluster resource issues, take the following actions as an administrator.
+ Inspect the system log files for operating system errors and address the errors, as needed.
+ Inspect the cluster log files for errors, including errors that relate to Pacemaker, Corosync, or SQL Server. Check the log files carefully because the related services may provide only one or two related log entries.
+ Verify resource configuration, and configuration of cluster-related functions.
  + The following commands display the configuration details:
    + To display all resources, use: `pcs resource show --full`.
    + Or, you can use: `pcs resource show <resource name>`.
  + The following command displays the cluster constraints: `pcs constraint --full`.
  + The following command displays the cluster properties: `pcs property list --all`.
+ Manually start the resource with `pcs resource debug-start <resource name>`.
+ Clear failed actions with the following command: `pcs resource cleanup <resource name>`.

## SQL Server Management Studio
<a name="launch-wizard-troubleshooting-ssms"></a>

If you encounter issues when you attempt to add databases with SQL Server Management Studio, perform the following to add databases to the availability group:

1. Log in to the primary node using SQL Server Management Studio (SSMS) and record the name of the availability group.

1. Verify that the database that you want to add to the availability group is backed up.

1. Add the database to the availability group by running the following command in SSMS:

   ```
   ALTER AVAILABILITY GROUP [ag-name] ADD DATABASE [db];
   ```

1. Refresh the availability group and verify that the database was created.

## Errors
<a name="launch-wizard-errors"></a>

**Directory fails to create**
+ **Cause:** An internal service error has been encountered during the creation of the directory.
+ **Solution:** Retry the operation. For this scenario, you must retry the deployment from the initial page of the Launch Wizard console.

**Your requested instance type is not supported in your requested Availability Zone**
+ **Cause:** This failure might happen during the launch of either your RDGW instance or your SQL Server instance, or during the validation of the instances that Launch Wizard launches in your selected subnets. 
+ **Solution:** For this scenario, you must choose a different Availability Zone and retry the deployment from the initial page of the Launch Wizard console.

**Validate connectivity for subnet. The following resource(s) failed to create: [ValidationNodeWaitCondition]**

This failure can occur for multiple reasons. The following list shows known causes and solutions.
+ **VPC or subnet configuration does not meet prerequisites**
  + **Cause:** This failure occurs when your VPC or subnet configuration does not meet the prerequisites documented in the VPC Connectivity section under [Deploy an application with AWS Launch Wizard for SQL Server on Windows (Console)](launch-wizard-deploying.md). If the failure message points to your selected public subnet, the public subnet is not configured for outbound internet access. If the failure message points to one of your selected private subnets, that private subnet does not have outbound connectivity.
  + **Solution:** Check that your VPC includes one public subnet and at least two private subnets. Your VPC must be associated with a DHCP options set for DNS resolution to work. The private subnets must have outbound connectivity to the internet and to other AWS services (S3, CloudFormation, SSM, and CloudWatch Logs). We recommend that you enable this connectivity with a NAT gateway. Note that, in the console, selecting a private subnet in the public subnet dropdown, or a public subnet in the private subnet dropdown, produces the same error. Refer to the VPC Connectivity section under [Deploy an application with AWS Launch Wizard for SQL Server on Windows (Console)](launch-wizard-deploying.md) for more information about how to configure your VPC.
+ **EC2 instance stabilization error**
  + **Cause:** This failure can occur if the EC2 instance used for validation fails to stabilize. When this happens, the instance cannot communicate with the CloudFormation service to signal completion, resulting in `WaitCondition` errors.
  + **Solution:** Contact [Support](https://aws.amazon.com/support) for assistance.