Provision Windows Server in Amazon Web Services using PowerShell

In light of the recent Microsoft Azure outage, you might be considering taking a look at other cloud service providers to use for backup or disaster recovery. In this how-to article, I’ll show you how to provision Windows Server 2012 R2 using PowerShell on Amazon’s Elastic Compute (EC) platform so that you can quickly create test or production environments.

For information on provisioning VMs using the EC2 management console and how to sign up for AWS, see Provisioning Windows Server 2012 on Amazon Web Services (AWS) on the Petri IT Knowledgebase.

Install AWS Tools for Windows PowerShell

I’m going to configure AWS Tools for Windows PowerShell on Windows 8.1. If you are using an earlier version of Windows, additional steps may be required. AWS Tools for Windows PowerShell requires Windows PowerShell 2.0 or later and Windows XP or later. The instructions also assume that you already have an AWS account.

  • Download the AWS Tools for Windows.
  • Click through the installer and on the Custom Setup screen deselect all the components apart from SDK for .NET 4.5, SDK for .NET 3.5 and AWS Tools for Windows PowerShell, and then click Next.
  • Click Install to complete the procedure.
  • If you haven’t done it already, start the PowerShell console as an administrator and set the script execution policy to RemoteSigned by typing Set-ExecutionPolicy RemoteSigned and pressing ENTER.

TIP: To start the PowerShell console as an administrator in Windows 8.1, switch to the Start screen, type powershell, make sure that Windows PowerShell is selected in the search results and then press CTRL+SHIFT+ENTER. Enter the credentials for an administrator account in the UAC elevation prompt.

Check the installed version of AWS Tools for Windows PowerShell (Image Credit: Russell Smith)
  • In the PowerShell console, type get-awspowershellversion and press ENTER to check the version number and that the tools have installed correctly.

Configure access to AWS

As with the PowerShell tools for Microsoft Azure, you need to establish a connection to your AWS subscription.

Adding a user name in the Identity and Access Management console (Image Credit: Russell Smith)
  • Sign in to the Identity and Access Management console using your AWS username and password.
  • On the left of the console, click Users.
  • Click Create New Users.
  • Enter a new username in the first box, make sure that Generate an access key for each user is checked, and click Create.
  • Now click Download Credentials at the bottom of the console and open the .csv file. Here you’ll see the Access Key ID and Secret Access Key for the user. Make sure that you keep the .csv file safe, because you won’t be able to download the Secret Access Key for the user again.

Before we can use the account to do anything useful in AWS, we need to assign it administrator permissions.

  • On the left of the console, click Users again and then click the new username on the right.
  • Now click Attach User Policy under Permissions.
  • On the Set Permissions screen, make sure that Select Policy Template is checked and then click Select to the right of Administrator Access.
  • Click Apply Policy at the bottom of the window, and the policy should appear under User Policies for the given user.
Giving the new user administrative access (Image Credit: Russell Smith)

Now that we have some access credentials for a user, we need to store the information securely in the AWS SDK Store using the Set-AWSCredentials cmdlet. Credentials are sent to AWS whenever you run a cmdlet, but you can specify this to be automatic for each session or for all PowerShell sessions.

  • In the PowerShell console, type Set-AWSCredentials -AccessKey MyAccessKey -SecretKey MySecretKey -StoreAs default and press ENTER, replacing MyAccessKey and MySecretKey with the information from the .csv file as appropriate. The console should display INFO: Credentials loaded from the supplied key parameters if successful.
  • Now type Initialize-AWSDefaults -ProfileName default -Region us-west-2 and press ENTER to use the stored credentials for every PowerShell session.

Most AWS cmdlets require a region to be specified, so I’ve included that information in the Initialize-AWSDefaults cmdlet. You can override the set region for the current session at any time by using Set-DefaultAWSRegion us-west-1, replacing us-west-1 with the required region. View the set region using Get-DefaultAWSRegion, and view all the available regions using Get-AWSRegion.

Initializing AWS defaults for PowerShell (Image Credit: Russell Smith)

The default credentials for a session can be overridden by using Set-AWSCredentials -ProfileName MyProfileName, replacing MyProfileName with the required profile name. To override the default credentials for an individual command, add the -ProfileName parameter followed by the required profile name at the end of the cmdlet.

Create a new key pair and security group

Now it’s time to get down to the nitty-gritty and provision a VM. Before doing so, you’ll need a key pair to connect to the new instance. In the PowerShell console, type the following command and press ENTER.

Later in the process, you will need the key material from this key pair to retrieve the administrator password for the VM, which you can get using the command below:
Obtaining the key material for the key pair (Image Credit: Russell Smith)
Alternatively, save the key pair as a file:
Note that once you end the current PowerShell session, you won't be able to retrieve the key material again, so you must either save the key pair as a file, or copy and paste the key material and save it. You won't be able to get a password to connect to the VM without the key material.
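The key pair steps described above, as an added example that is not code from the original article: it creates the key pair, writes the key material to a .pem file, and restricts that file to the current user. The save location under the user profile is an assumption; the key name myPSKeyPair is the one used later on this page.

```powershell
# Added example, not from the original article. Assumes the AWS Tools module is
# loaded and default credentials and region are set as described above.
$keyName = 'myPSKeyPair'                                # key pair name used later on this page
$pemPath = Join-Path $env:USERPROFILE "$keyName.pem"    # assumed save location

if (Test-Path $pemPath) {
    throw "$pemPath already exists; refusing to overwrite an existing private key."
}

# EC2 returns the private key (KeyMaterial) only in the response to this call.
$keyPair = New-EC2KeyPair -KeyName $keyName
$keyPair.KeyMaterial | Out-File -FilePath $pemPath -Encoding ascii

# Lock the file down: drop inherited permissions and leave read access for the
# current user only, so other local accounts cannot read the private key.
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl  = Get-Acl -Path $pemPath
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($user, 'Read', 'Allow')))
Set-Acl -Path $pemPath -AclObject $acl

# Show the key fingerprint and the resulting ACL for a quick check.
Write-Host "Fingerprint: $($keyPair.KeyFingerprint)"
(Get-Acl -Path $pemPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# The private key is on disk now; do not leave a second copy in the session.
Remove-Variable keyPair
```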


Configure a security group for remote access

To control remote access to the VM, a security group is required. You can create a security group for EC2-Classic or EC2-VPC VMs. Click here for information on the differences between the two types of VM. In this article, we'll use EC2-Classic because it's simpler to configure. Run the command below, and a GroupID for the new security group will be returned in the console.
Now run the code that follows to allow remote connections from any IP address. While this configuration is not recommended, it gives us the same default configuration that we get when configuring VMs in Microsoft Azure.

# 0.0.0.0/0 matches any source IP address
$cidrBlocks = New-Object 'collections.generic.list[string]'
$cidrBlocks.add("0.0.0.0/0")
$ipPermissions = New-Object Amazon.EC2.Model.IpPermission -Property @{IpProtocol = "tcp"; FromPort = "3389"; ToPort = "3389"; IpRanges = $cidrBlocks}

Grant-EC2SecurityGroupIngress -GroupName myVMsecuritygroup -IpPermissions $ipPermissions

To verify the configuration for the new group:

Creating a security group to control remote access to the instance (Image Credit: Russell Smith)
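The open RDP rule above beside a restricted one, as an added example that is not code from the original article: it creates the group if needed, revokes any TCP rule that exposes port 3389 to 0.0.0.0/0, grants 3389 to a single administrative address, and lists the result. The address 203.0.113.10/32 is a documentation-range placeholder, and the group is addressed by name in EC2-Classic as on this page.

```powershell
# Added example, not from the original article. Assumes the AWS Tools module is
# loaded with default credentials and region, as configured earlier on this page.
$groupName = 'myVMsecuritygroup'    # group name used on this page
$adminCidr = '203.0.113.10/32'      # placeholder (documentation range); use your own public IP

function New-TcpPermission([int]$From, [int]$To, [string]$Cidr) {
    # Same object shape as the page's rule, with a caller-supplied source range.
    $ranges = New-Object 'collections.generic.list[string]'
    $ranges.Add($Cidr)
    New-Object Amazon.EC2.Model.IpPermission -Property @{
        IpProtocol = 'tcp'; FromPort = $From; ToPort = $To; IpRanges = $ranges }
}

function Get-Group { Get-EC2SecurityGroup | Where-Object { $_.GroupName -eq $groupName } }

if (-not (Get-Group)) {
    New-EC2SecurityGroup -GroupName $groupName -GroupDescription 'RDP from admin address only' | Out-Null
}

# Weak rules: any TCP rule covering 3389 whose source includes every address.
# (IpRanges is the property this page uses; only 'tcp' rules are examined.)
$open = @((Get-Group).IpPermissions | Where-Object {
    $_.IpProtocol -eq 'tcp' -and $_.FromPort -le 3389 -and $_.ToPort -ge 3389 -and
    $_.IpRanges -contains '0.0.0.0/0' })
foreach ($rule in $open) {
    # Revoke only the 0.0.0.0/0 range; other ranges in the same rule stay in place.
    Revoke-EC2SecurityGroupIngress -GroupName $groupName `
        -IpPermissions (New-TcpPermission $rule.FromPort $rule.ToPort '0.0.0.0/0')
}

# Corrected rule: 3389 from the administrative address only (skipped if present).
$have = (Get-Group).IpPermissions | Where-Object {
    $_.FromPort -eq 3389 -and $_.ToPort -eq 3389 -and $_.IpRanges -contains $adminCidr }
if (-not $have) {
    Grant-EC2SecurityGroupIngress -GroupName $groupName `
        -IpPermissions (New-TcpPermission 3389 3389 $adminCidr)
}

# Verify: no remaining rule should list 0.0.0.0/0 for port 3389.
(Get-Group).IpPermissions | Select-Object IpProtocol, FromPort, ToPort, IpRanges
```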

Find an image for the new VM

To see the list of available image types, run the Get-EC2ImageByName cmdlet. To set the ImageID for a specific Windows Server 2012 R2 image, run the code below and make a note of the ImageID.
Obtaining information about Windows Server images (Image Credit: Russell Smith)

Launch a new EC2 instance

AWS refers to virtual machines as instances. New instances are launched using images (AMIs). Use the New-EC2Instance cmdlet to launch a new instance using the ImageID identified above, and the key pair and security group created earlier. The t2.micro instance type is part of the free tier, which includes 750 hours of compute time per month. The -MinCount and -MaxCount parameters are set to 1 to provision just one running instance from the given image.

New-EC2Instance -ImageId ami-21f0bc11 -MinCount 1 -MaxCount 1 -KeyName myPSKeyPair -SecurityGroups myVMsecuritygroup -InstanceType t2.micro
Creating a new instance using the New-EC2Instance cmdlet (Image Credit: Russell Smith)
Using the reservation ID returned by the New-EC2Instance cmdlet, you can view information about the instance using a filter. The output includes the public IP address and DNS name of the instance so that you can connect remotely using RDP.

$reservation = New-Object 'collections.generic.list[string]'
$reservation.add("r-bdb88ab0")
$filter_reservation = New-Object Amazon.EC2.Model.Filter -Property @{Name = "reservation-id"; Values = $reservation}
(Get-EC2Instance -Filter $filter_reservation).Instances
Obtaining information about the new EC2 instance (Image Credit: Russell Smith)

Connect to the instance using RDP

For more information on connecting to instances using RDP, see Provisioning Windows Server 2012 on Amazon Web Services (AWS) on the Petri IT Knowledgebase. You will need either the key material or .pem file of the key pair generated earlier in this tutorial to get the administrator password. Once you've retrieved the password for the VM, you can remove the key pair if desired:
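
The password retrieval and key pair cleanup described above, as an added example that is not code from the original article. The instance ID is a placeholder to be replaced with the InstanceId from the Get-EC2Instance output, and the .pem path is an assumed location for the saved key material.

```powershell
# Added example, not from the original article. Assumes the AWS Tools module is
# loaded with default credentials and region, as configured earlier on this page.
$instanceId = 'i-xxxxxxxx'                                 # placeholder: InstanceId of the new instance
$keyName    = 'myPSKeyPair'                                # key pair name used on this page
$pemPath    = Join-Path $env:USERPROFILE "$keyName.pem"    # assumed location of the saved key

# Password data is not available until Windows has finished its first boot,
# so poll for up to 15 minutes instead of failing on the first attempt.
$password = $null
for ($attempt = 0; $attempt -lt 30 -and -not $password; $attempt++) {
    try   { $password = Get-EC2PasswordData -InstanceId $instanceId -PemFile $pemPath -ErrorAction Stop }
    catch { $password = $null }
    if (-not $password) { Start-Sleep -Seconds 30 }
}
if (-not $password) { throw "No password data for $instanceId yet; try again later." }

# Keep the password in memory as a credential object instead of writing it to disk.
# $credential.GetNetworkCredential().Password returns it when you need to type it into RDP.
$secure     = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList 'Administrator', $secure
Remove-Variable password

# Removing the key pair from EC2 deletes only the public key held by AWS. The local
# .pem can still decrypt this instance's password data, so delete it as well.
Remove-EC2KeyPair -KeyName $keyName      # may prompt for confirmation
Remove-Item -Path $pemPath
```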