architecting active directory on aws · aws managed vpc customer vpc app1 2 app 1 app 2 aws managed...

© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Architecting Active Directory on

AWS

Dean Suzuki

4/7/2020


Active Directory Options on AWS


AD

Active Directory Architecture Options

On-premises

Windows Server

DC

AD

You Manage

1

AWS

AD on EC2

AD

You Manage

2

AWS

AWS Managed AD

AWS Manages

3

AD

AWS

AD on Premises

AWS AD

Connector

4

AD

AWS

SAML-Integration

With AD

SAML – AD

Integration

5


AD On-premises Overview

• Establish network connectivity between your on-premises environment and AWS either via

VPN or Direct Connect

• AWS resources use your on-premises AD domain controllers for any AD operations.

• Usually a first step to a longer term solution.

AWS CloudCorporate data centerAWS Direct Connect

AWS Site-to-Site VPN

or

AD on-premises


Benefits• Leverage on-premises AD

AD On-premises Considerations

Considerations

• Latency across the network connection

to on-premises AD servers

• Will need to add AD Connector or

Managed AD to support AWS services

(e.g. SSO, Workspaces, RDS, Chime,

Connect, domain auto join, etc.)



AD

On-premises

Windows Server

DC

AD

You Manage

1

AWS

AD on EC2

AD

You Manage

2

AWS

AWS Managed AD

AWS Manages

3

AD

AWS

AD on Premises

AWS AD

Connector

4

AD

AWS

SAML-Integration

With AD

SAML – AD

Integration

5


AD on EC2 Overview• You create EC2 Instances in AWS

• You promote instances to be Microsoft Active Directory domain controllers in

the same on-premises AD forest.

• Could be in the same AD domain as on-premises or a new AD domain.

AWS Cloud

Corporate data center

AWS Direct Connect


or

AD on-premises

AD on EC2


Benefits• Leverage same AD as on-premises

• You are domain administrators and

have full permissions in the

environment.

• Use same AD schema, users, and

configuration as on-premises AD

• Can load applications that require

domain admin permissions (e.g. MS

Exchange)

• Supports multiple regions

AD on EC2 Overview

Considerations

• You are responsible for patching,

managing, and maintaining the AD

domain.

• Will need to add AD Connector or

Managed AD to support AWS services

(e.g. SSO, Workspaces, RDS,

Connect, domain auto join, etc.)



AD

On-premises

Windows Server

DC

AD

You Manage

1

AWS

AD on EC2

AD

You Manage

2

AWS

AWS Managed AD

AWS Manages

3

AD

AWS

AD on Premises

AWS AD

Connector

4

AD

AWS

SAML-Integration

With AD

SAML – AD

Integration

5


AWS Managed Microsoft Active Directory Service

Customer—administer and configure

• Administer users, groups, GPOs, other AD content

• Administration via Active Directory Users and

Computers (ADUC) and other standard AD tools

• Configure password policies

• Add domain controllers as needed

• Configure trusts (resource forest deployment)

• Configure certificate authorities (for LDAPS)

• Configure federation

Amazon—Fully managed AD directory service

• Sets up 2 AD domain controllers in a new AD forest

• Manages (patches, monitors, backs up)

• Comes in 2 editions (Standard and Enterprise)

AWS Managed VPC Customer VPC

App 1 App 2

App 1 App 2

AWS Managed

Microsoft AD DC

AWS Managed

Microsoft AD DC

D

C

Availability Zone 1 Availability Zone 1

10.0.2.0/24

10.0.3.0/24

Availability Zone 2 Availability Zone 2


Benefits• AWS manages the hardware and

software (patching, backing up,

monitoring)

• Can establish an AD trust with your on-

premises AD to leverage the existing

AD users and groups

• Support AWS services (e.g. SSO,

Workspaces, RDS, Connect, domain

auto join, etc.)


Considerations

• Get a delegated Admin (not domain

admin) and delegated groups

• Each AWS managed Microsoft AD

supports one AWS region.

• Each AWS managed Microsoft AD is a

new AD forest.



Standard

Edition

Enterprise

Edition

Storage Capacity 1GB 17GB

PerformanceOptimized

~5,000

employees

Over 5,000

employees


DBRDS for

SQL Server

Availability Zone

Availability Zone

Remote

Users/Admins

Domain

Controllers

Corporate data center

Hybrid Active Directory

DBRDS

SQL Server

AWS Managed Services

AWS Managed Services

Domain

Controller

DC

Domain

Controller

Application

Auth/

LDAP

VPN

Direct

Connect

AD

Managed AD

Managed AD

• Run AWS Managed Microsoft

AD in AWS

• Run AD on-premises

• Establish 1-way AD trust from

AWS Managed Microsoft

(trusting) to on-premises AD

(trusted)

• Enables single-signon into AWS

resources using on-premises

AD accounts


Managed AD and AD on EC2 Comparison

ManagedActive Directory Service

Active Directory on EC2 Instances

Customer managedAWS managed

Power, HVAC, net

OS Install/Maintenance

OS Patching

AD Backups

Schema Extensions

High Availability

Scaling

Power, HVAC, net

OS Install/Maintenance

OS Patching

AD Backups

Schema Extensions

High Availability

Scaling• Consider Managed AD first

• Focus on business value tasks

• Reduced O&M tasks

• Need full control overActive Directory

• Multi-Region Solution

Customer managedAWS managed

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

A W S M a n a g e d M i c r o s o f t A D u s e c a s e s

Azure AD

Connect

AD FS

Amazon

Connect

Amazon

WorkMailAmazon

WorKSpaces

RDS for SQL

Server

Amazon

WorkDocsAmazon

QuickSight

Amazon

Chime

Compatible AWS Applications and Services

AWS SSO

User Directory

Traditional AD ApplicationsActive Directory

Extend Existing AD

Remote

Desktop

Licensing

.NET

Apps

SharePoint SQL Server Certificate

Services

SAML

Use AWS SSO with

Web Applications

Sync

Azure AD

AWS Managed

Microsoft AD

Use Microsoft Tools

with Web Applications

Azure AD

Connect



AD

On-premises

Windows Server

DC

AD

You Manage

1

AWS

AD on EC2

AD

You Manage

2

AWS

AWS Managed AD

AWS Manages

3

AD

AWS

AD on Premises

AWS AD

Connector

4

AD

AWS

SAML-Integration

With AD

SAML – AD

Integration

5


AWS AD Connector• Proxy solution to AD domain controllers (either on-premises or Managed AD)

• Authentication and LDAP forwarded to target AD

• Applications can look up users and groups in target AD

• Users authenticate using existing corporate credentials

AWS Cloud

Corporate data centerAWS Direct Connect


or

AD on-premises

AD Connector

Amazon EC2

AWS Directory Service

Managed AD

Potentially Another AWS

Account or Region


Benefits• AWS manages the hardware and

software

• Support AWS services (e.g. SSO,

Workspaces, RDS, Connect, domain

auto join, etc.)

• Leverages your on-premises AD

AWS AD Connector

Considerations

• Provides a proxy connection to Active

Directory. Need an self managed AD

or AWS managed AD



AD

On-premises

Windows Server

DC

AD

You Manage

1

AWS

AD on EC2

AD

You Manage

2

AWS

AWS Managed AD

AWS Manages

3

AD

AWS

AD on Premises

AWS AD

Connector

4

AD

AWS

SAML-Integration

With AD

SAML – AD

Integration

5


AWS SAML – AD Integration

AWS Cloud

AD Connector,

Managed AD, or

ADFSAmazon EC2

AWS Single Sign-On

Office365

Google

Ping

Okta

On-Premises

Active Directory

• AWS SSO provides integration to 3rd party Identity Providers (e.g. Azure AD, Google,

Okta, Ping).


Benefits• Can leverage existing customer’s

Identity Provider.

• SSO supports SKIM sync from Azure

AD

AWS SAML – AD Integration

Considerations

• Some AWS services don’t support a

SAML integration (e.g. Workspaces,

RDS, Connect, domain auto join, etc.).

These services will still need an AD

integration


References

Active Directory on AWS Whitepaperhttps://d1.awsstatic.com/whitepapers/adds-on-aws.pdf

AWS AD DS Quick Starthttps://aws.amazon.com/quickstart/architecture/active-directory-ds/

AWS Managed AD Administration Guidehttps://docs.aws.amazon.com/directoryservice/latest/admin-

guide/what_is.html

https://d1.awsstatic.com/whitepapers/adds-on-aws.pdf

https://aws.amazon.com/quickstart/architecture/active-directory-ds/

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html

architecting active directory on aws · aws managed vpc customer vpc app1 2 app 1 app 2 aws managed...

Documents