Datacenter A

Welcome to Part 1 in setting up Windows Server Update Services (WSUS) infrastructure for environments without internet connectivity. Today, we’ll focus on deploying an internet-connected WSUS server (Exporter) using a Windows Server 2022 AMI through AWS CloudFormation. This setup is for downloading and exporting updates to a WSUS server (Importer) located in an internet-disconnected environment.

The Objective

The goal is to automate the monthly pull of Microsoft updates on the Exporter and to keep the EC2 instance running only for as long as that takes: it is the one component in this design with internet access, so its exposure should be as short as possible. The Exporter connects to Microsoft Update to download the updates, which we'll later transfer to the disconnected Importer using physical media.

Step 1: Define the CloudFormation Template

We begin by defining our AWS CloudFormation template. This YAML template will provision a Windows Server 2022 instance and set up the necessary configurations for WSUS in the UserData.

AWSTemplateFormatVersion: '2010-09-09'
Description: Deploy Windows Server 2022 with WSUS Role

Parameters:
  LatestWindowsAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
  SecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id

Resources:
  WSUSInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.large
      ImageId: !Ref LatestWindowsAmiId
      KeyName: !Ref KeyName
      SecurityGroupIds: [!Ref SecurityGroupId]
      UserData:
        Fn::Base64: |
          <powershell>
          Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
          # The role install alone leaves WSUS unusable: the post-install task
          # creates the WID database and the content directory.
          New-Item -Path C:\WSUS -ItemType Directory -Force
          & "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
          </powershell>

Outputs:
  InstanceId:
    Description: The Instance ID of the WSUS Server
    Value: !Ref WSUSInstance

Explanation:

  • InstanceType: t2.large is chosen for demonstration; adjust based on your needs. Keep an eye on disk as well: a few months of content for several products easily outgrows the default root volume, so add a data volume and point CONTENT_DIR at it if you expect that.
  • ImageId: resolved at deploy time from the public SSM parameter /aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base, so the stack picks up the current Windows Server 2022 AMI for your AWS region. Replace the parameter with a fixed AMI ID if you need a pinned image.
  • SecurityGroupId: the Exporter only needs outbound HTTPS to Microsoft Update. Inbound should be limited to RDP (TCP 3389) from your administrative addresses, or dropped entirely if you manage the instance through AWS Systems Manager Session Manager. Do not open the WSUS ports (8530/8531); nothing in the disconnected environment will ever talk to this server.
  • UserData: uses PowerShell to install the WSUS role on first boot and then runs wsusutil.exe postinstall, which initializes the WID database and content directory. Until that task has run, neither the WSUS console nor the UpdateServices cmdlets can connect to the server.

Step 2: Deploy the Template

Deploy the template via the AWS Management Console, AWS CLI, or SDKs. Check the Outputs section of your CloudFormation stack to obtain the Instance ID of your newly deployed WSUS server.

Step 3: Initial Configuration

Once deployed, connect to your server via RDP (or a Session Manager session) to perform the initial WSUS setup. If the post-installation task (wsusutil.exe postinstall) has not been run yet, run it first: it creates the WSUS database and content directory, and the console and the UpdateServices cmdlets will not connect until it has. What remains is choosing the upstream source (Microsoft Update), the products, classifications and languages you want, and running the first synchronization. That selection decides how much the Exporter downloads, so keep it to what the disconnected environment actually runs.
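The same first-run configuration, done from an elevated PowerShell session on the server instead of clicking through the wizard. This is an added example, not a script from the original post; it assumes wsusutil.exe postinstall has already completed, and the product and classification titles in it are assumptions that you should replace with the ones Get-WsusProduct and Get-WsusClassification report on your server.

```powershell
# Added example (not part of the original post): first-run configuration of
# the Exporter, run from an elevated PowerShell session on the server after
# "wsusutil.exe postinstall" has completed. The product and classification
# titles below are assumptions; list the real ones on your server first with
#   Get-WsusProduct | ForEach-Object { $_.Product.Title }
Import-Module UpdateServices

$wsus = Get-WsusServer            # local server, default HTTP port 8530
$sub  = $wsus.GetSubscription()

function Wait-WsusSync {
    # Block until the running synchronization finishes and return its result.
    param([Parameter(Mandatory)] $Subscription)
    Start-Sleep -Seconds 5        # give the sync a moment to register as running
    while ($Subscription.GetSynchronizationStatus() -ne 'NotProcessing') {
        Start-Sleep -Seconds 30
    }
    $info = $Subscription.GetLastSynchronizationInfo()
    if ($info.Result -ne 'Succeeded') {
        throw "WSUS synchronization failed: $($info.Result)"
    }
    return $info
}

# 1. Upstream source: pull metadata straight from Microsoft Update.
Set-WsusServerSynchronization -UpdateServer $wsus -SyncFromMU

# 2. Update-file handling. The Exporter must hold the binaries itself, and it
#    must fetch them without waiting for an approval, or there is nothing on
#    disk to export to the Importer. Limit languages to keep the download small.
$config = $wsus.GetConfiguration()
$config.HostBinariesOnMicrosoftUpdate = $false   # store update files locally
$config.DownloadUpdateBinariesAsNeeded = $false  # download as soon as metadata is synced
$config.AllUpdateLanguagesEnabled = $false
$langs = New-Object System.Collections.Specialized.StringCollection
[void] $langs.Add('en')
$config.SetEnabledUpdateLanguages($langs)
$config.OobeInitialized = $true                  # mark the setup wizard as completed
$config.Save()

# 3. A fresh server only knows a skeleton product list; a category-only sync
#    fills it in so the selections below actually match something.
$sub.StartSynchronizationForCategoryOnly()
Wait-WsusSync -Subscription $sub | Out-Null

# 4. Products and classifications. Clear the defaults first so nothing the
#    disconnected site does not run ends up in the content store.
$wantedProducts = @('Windows Server 2019', 'Windows 10')                          # assumption
$wantedClasses  = @('Critical Updates', 'Security Updates', 'Definition Updates') # assumption

Get-WsusProduct | Set-WsusProduct -Disable
$selected = Get-WsusProduct | Where-Object { $wantedProducts -contains $_.Product.Title }
if (-not $selected) { throw "None of the requested products exist on this server" }
$selected | Set-WsusProduct

Get-WsusClassification | Set-WsusClassification -Disable
Get-WsusClassification |
    Where-Object { $wantedClasses -contains $_.Classification.Title } |
    Set-WsusClassification

# 5. First full synchronization. Metadata arrives first; the update files are
#    downloaded in the background afterwards, so check the content directory
#    (and the download counter in the WSUS console) before exporting anything.
$sub.StartSynchronization()
$result = Wait-WsusSync -Subscription $sub
"Sync finished: {0}, started {1}, ended {2}" -f $result.Result, $result.StartTime, $result.EndTime
```

Two things worth knowing before you run it. With DownloadUpdateBinariesAsNeeded set to false, every update matching the selected products, classifications and languages is downloaded, so the product list is your main size control; if you would rather pick and choose, leave that setting at its default and approve updates to trigger their download. And the synchronization only fetches metadata; the binaries keep downloading after the script reports success, so do not shut the instance down or start an export until the content store has caught up.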

Conclusion

You now have an internet-connected WSUS server that is ready to synchronize with Microsoft Update and download the update files for the products you selected. In Part 2, we'll cover how to export these updates to S3 using a simple PowerShell script.