Best Practices for Active Directory with AWS Workloads
Michael Cotton, Senior Solutions Architect
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What to expect from the session
Source: Implementing an Identity Strategy for Amazon Web Services, Gartner Group, 24 Feb 2017
How Active Directory authentication works across the spectrum
[Diagram: Kerberos AuthN and AuthZ between the App and DB tiers, plus federated AuthN (SAML) for the App tier]
What if you migrate these parts to AWS?
[Diagram: the same authentication flows mapped onto AWS services]
• Amazon EC2 – domain join, machine AuthN, GPO, LDAP
• Amazon WorkSpaces – user AuthN, group membership, login scripts
• Amazon RDS for SQL Server – Kerberos AuthN
• App tier on Amazon EC2 – Kerberos AuthN, AuthZ, federated AuthN (SAML)
• DB tier on Amazon DynamoDB – Kerberos ?
Deployment options – Supporting Windows workloads in the cloud
Active Directory options – On-premises (option 1)
[Diagram: on-premises Windows Server domain controller, which you manage, linked to your VPC]
• Create a VPN or AWS Direct Connect link to your VPC.
• Manually join EC2 instances to the on-premises domain.
• Use the VPC as an extension of your network.
• Security considerations
• Latency considerations?
AWS Directory Service is required for AWS enterprise applications and services to authenticate to your self-managed Active Directory.
Active Directory options – AWS manages (options 2 and 3)
[Diagram: (1) on-premises AD; (2) AWS Directory Service for Microsoft Active Directory (Enterprise Edition) in your VPC; (3) AWS Directory Service reached through a VPC endpoint]
DC – Active Directory Domain Controller
VPC – Amazon Virtual Private Cloud
Endpoint – Accessed via IP address in your VPC
Active Directory options – AWS Microsoft Active Directory (option 2)
[Diagram: AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. "AMAD", reached through a VPC endpoint]
• Windows Server 2012 R2 domain controllers
• ~3-click setup
• 2 DCs, each in a different Availability Zone (AZ)
• Standalone or connected to your Active Directory with trusts
• AWS apps and services integration
  • EC2 seamless domain join
  • RDS for SQL Server authentication, authorization
  • Amazon WorkSpaces, Amazon QuickSight Enterprise Edition, Amazon Chime Plus/Pro provisioning, and authentication
Active Directory options – AWS Microsoft Active Directory: some constraints
[Diagram: AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. "AMAD", reached through a VPC endpoint]
• AWS is domain admin.
• You get an OU and delegated admin over the OU.
• AWS apps/services/EC2 (1) must be in the same VPC.
• Conservative delegated permissions (2) to your OU admin account:
  • Application enablement limits some apps.
  • Some admin functions are not available.
Amazon responsibilities – operate
• Multi-AZ deploy, patch, monitor, domain controller recovery, snapshot, and restore.
Your responsibilities – administer
• Administration through Active Directory Users and Computers (ADUC) and other standard Active Directory tools.
• Administer users, groups, GPOs, other Active Directory content.
1 EC2
Active Directory options – Connecting Active Directory in the cloud to on-premises Active Directory
[Diagram: on-premises Windows Server DC on the left, VPC on the right, for each of three patterns]
1. Replication – your DCs only: the on-premises Windows Server DC replicates to an EC2 for Windows Server DC in the VPC.
2. 2-way trust – your DCs or AMAD: the on-premises Windows Server DC trusts an EC2 for Windows Server DC or AMAD in the VPC.
3. Sync users (third-party sync) – depends: the on-premises Windows Server DC is synchronized with an EC2 for Windows Server DC in the VPC.
Example: on-premises Active Directory
[Diagram: on-premises Active Directory domain controllers reached over VPN for Auth/LDAP; WEB, APP and DB tiers in private subnets (e.g. 10.0.3.0/24) across two Availability Zones]
Example: Active Directory on EC2
[Diagram: Active Directory domain controllers on EC2 in private subnets across two Availability Zones serving Auth/LDAP to the WEB, APP and DB tiers (e.g. 10.0.3.0/24); VPN to the corporate data center with its IIS, application, SQL and domain controller servers]
Example: AMAD with Active Directory trust to on-premises
[Diagram: AMAD domain controllers (AWS managed services) across two Availability Zones serving Auth/LDAP to RDS for SQL Server and the WEB/APP tiers (e.g. 10.0.2.0/24); a trust over AWS Direct Connect or VPN to the on-premises domain controllers that serve the corporate IIS, application and SQL servers and remote users/admins]
Considerations for AWS apps/services and many VPCs
• AMAD with a trust is required to use on-premises Active Directory credentials.*
  • Technical and security issues
• Amazon WorkSpaces and RDS for SQL must be in the same VPC as AMAD.
  • Option 1 – least cost, fewest trusts
    • Deploy AMAD in one VPC.
    • Deploy all RDS for SQL/WorkSpaces instances in the same VPC.
    • Use tagging for internal billing.
  • Option 2 – easiest billing, complex trust configuration, high cost
    • Deploy AMAD in each VPC.
    • Deploy RDS for SQL/WorkSpaces instance(s) in each VPC.
• Amazon QuickSight Enterprise Edition must be in the same account as AMAD.
* 1-way trust for RDS for SQL Server, 2-way trust for Amazon WorkSpaces and Amazon Chime Plus/Pro
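As an added example (not from the deck), the following Python turns the placement rules and the trust-direction footnote above into a planning check, and builds the `--cli-input-json` body for `aws ds create-trust`, which creates the AMAD side of the trust. The one-way direction is taken as AMAD trusting the on-premises forest ("One-Way: Outgoing" in AWS Directory Service terms), the direction that lets on-premises accounts reach AMAD-joined resources and that matches the forest-trust slide where the VPC is the trusting side; the service names, IDs and plan layout are assumptions.

```python
"""Placement and trust-direction check for AMAD-backed AWS services.

Added example, not from the deck. Encodes the deck's rules: Amazon WorkSpaces
and RDS for SQL Server must sit in the AMAD VPC, Amazon QuickSight Enterprise
in the AMAD account, and on-premises users need a one-way trust for RDS for
SQL Server or a two-way trust for WorkSpaces and Chime. Service names, IDs and
the plan layout are assumptions for illustration.
"""
from dataclasses import dataclass

# AWS Directory Service TrustDirection values. "One-Way: Outgoing" means the
# AMAD forest trusts the on-premises forest (assumption: that is the one-way
# direction the deck's RDS footnote refers to). Two-Way subsumes it.
DIRECTION_RANK = {"One-Way: Outgoing": 1, "Two-Way": 2}

# Trust each service needs before on-premises AD users can use it.
REQUIRED_DIRECTION = {
    "rds-sqlserver": "One-Way: Outgoing",
    "workspaces": "Two-Way",
    "chime": "Two-Way",
}
MUST_SHARE_VPC = {"rds-sqlserver", "workspaces"}   # same VPC as AMAD
MUST_SHARE_ACCOUNT = {"quicksight"}                 # same account as AMAD


@dataclass(frozen=True)
class Amad:
    directory_id: str
    vpc_id: str
    account_id: str


@dataclass(frozen=True)
class Service:
    name: str
    vpc_id: str
    account_id: str
    onprem_users: bool = True   # will users from on-premises AD sign in?


def placement_findings(amad, services):
    """Return the deck's placement violations for a planned deployment."""
    findings = []
    for s in services:
        if s.name in MUST_SHARE_VPC and s.vpc_id != amad.vpc_id:
            findings.append(f"{s.name}: in {s.vpc_id}, must be in AMAD VPC {amad.vpc_id}")
        if s.name in MUST_SHARE_ACCOUNT and s.account_id != amad.account_id:
            findings.append(f"{s.name}: in account {s.account_id}, must be in AMAD account {amad.account_id}")
    return findings


def required_trust_direction(services):
    """Widest trust direction any service with on-premises users needs, or None."""
    needed = None
    for s in services:
        direction = REQUIRED_DIRECTION.get(s.name)
        if not s.onprem_users or direction is None:
            continue
        if needed is None or DIRECTION_RANK[direction] > DIRECTION_RANK[needed]:
            needed = direction
    return needed


def create_trust_input(amad, onprem_domain, direction, onprem_dns_ips):
    """Body for `aws ds create-trust --cli-input-json file://trust.json`.

    TrustPassword is left out on purpose: add it from your secrets store when
    writing the file, so the shared trust password never appears on a command line.
    """
    return {
        "DirectoryId": amad.directory_id,
        "RemoteDomainName": onprem_domain,
        "TrustType": "Forest",
        "TrustDirection": direction,
        # AMAD forwards DNS queries for the on-premises domain to these servers.
        "ConditionalForwarderIpAddrs": list(onprem_dns_ips),
    }


# Constructed sample plan: AMAD in one VPC, WorkSpaces wrongly placed in a
# second VPC, QuickSight in a different account.
SAMPLE_AMAD = Amad("d-1234567890", "vpc-0aaa", "111111111111")
SAMPLE_SERVICES = [
    Service("rds-sqlserver", "vpc-0aaa", "111111111111"),
    Service("workspaces", "vpc-0bbb", "111111111111"),
    Service("quicksight", "", "222222222222"),
    Service("chime", "", "111111111111", onprem_users=False),
]

if __name__ == "__main__":
    for line in placement_findings(SAMPLE_AMAD, SAMPLE_SERVICES):
        print("FINDING:", line)
    direction = required_trust_direction(SAMPLE_SERVICES)
    print("trust direction:", direction)
    print(create_trust_input(SAMPLE_AMAD, "corp.example.com", direction, ["10.10.5.10", "10.10.5.11"]))
```

The on-premises side of the trust still has to be created with the matching direction from a domain controller in your forest; the check only tells you which direction to create and where the AWS services have to live before you start.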
How to choose – Considerations for selection
Deployment differences
|                      | AMAD                                                                           | EC2 Active Directory instances                                          | On-premises Active Directory                                                          |
| Operation management | +AWS managed in the cloud                                                      | -Customer managed in the cloud                                          | -Customer managed on own hardware                                                     |
| Availability         | +Built-in redundancy and replication                                           | -Customer must design for high availability                             | -Customer must design for high availability                                           |
| Networking           | Trust (1) ports from cloud to on-premises Active Directory (least exposed)     | Trust (1) or replication (2) ports from cloud to on-premises Active Directory | -Open ports to support cloud to on-premises Active Directory (3) (most exposed)  |
| Admin control        | Designated OU control; some apps unsupported                                   | +Full control                                                           | +Full control                                                                         |
1 If you use a trust to on-premises, open ports from domain controllers to on-premises domain controllers are needed.
2 Active Directory replication requires more open ports than forest trusts, but is limited to DC-to-DC communications.
3 Ports for domain joining, Active Directory interactions, LDAP etc., plus other firewall decisions for cloud to on-premises access.
How to select an Active Directory option
AMAD:
• Minimize cost and effort to run Active Directory
• RDS for SQL Server (1)
EC2 Active Directory instances:
• Require a replicated, multi-region Active Directory solution
• Need NetBIOS name resolution
On-premises Active Directory:
• Only a minimal number of EC2 instances require access to Active Directory
1 RDS for SQL, Amazon WorkSpaces, Amazon QuickSight, and Amazon Chime require a trust only if the users are in on-premises Active Directory.
2 This is subject to delegation constraints (for example, managed service account creation).
3 AWS is adding more delegations and application enablement over time.
Forest trusts
[Diagram: trusting side – the VPC; trusted side – the on-premises network]
• Only permit Active Directory trust ports to the domain controllers in the cloud.
• https://technet.microsoft.com/en-us/library/cc756944(v=ws.10).aspx
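The "least exposed" networking column and the forest-trust slide both come down to one security group: the one in front of the cloud-side domain controllers, allowing only trust ports and only from the on-premises domain controllers. As an added example (not from the deck), the Python below builds that rule set in the shape `aws ec2 authorize-security-group-ingress --ip-permissions file://...` accepts, refuses source ranges that are really the whole WAN, and audits an existing group's IpPermissions (as returned by `aws ec2 describe-security-groups`) against the allow-list. The port table follows the Microsoft reference linked above and AWS's published trust prerequisites, but is an assumption to confirm against current documentation; the CIDRs and the existing rules are constructed samples.

```python
"""Least-exposure security-group ingress for an Active Directory forest trust.

Added example, not from the deck. Builds the IpPermissions payload for
`aws ec2 authorize-security-group-ingress --group-id sg-... --ip-permissions file://trust.json`
on the group in front of the cloud-side domain controllers, limited to the
on-premises DC subnets, and audits an existing group's rules against that
allow-list. The port table follows the Microsoft trust-port reference cited
on the slide and AWS's published trust prerequisites; confirm it against
current documentation, and add ports only for services you actually use.
"""
import ipaddress
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    proto: str      # security-group IpProtocol value: "tcp" or "udp"
    first: int
    last: int
    purpose: str


# Ports a forest trust needs between the two sides' domain controllers.
TRUST_PORTS = (
    PortRule("tcp", 53, 53, "DNS"), PortRule("udp", 53, 53, "DNS"),
    PortRule("tcp", 88, 88, "Kerberos"), PortRule("udp", 88, 88, "Kerberos"),
    PortRule("udp", 123, 123, "W32Time"),
    PortRule("tcp", 135, 135, "RPC endpoint mapper"),
    PortRule("tcp", 389, 389, "LDAP"), PortRule("udp", 389, 389, "LDAP"),
    PortRule("tcp", 445, 445, "SMB"),
    PortRule("tcp", 464, 464, "Kerberos password change"),
    PortRule("udp", 464, 464, "Kerberos password change"),
    PortRule("tcp", 636, 636, "LDAPS"),
    PortRule("tcp", 3268, 3269, "Global Catalog"),
    PortRule("tcp", 49152, 65535, "RPC dynamic range"),
)

# Assumption: on-premises DCs live in /24s or smaller. Anything wider is
# almost certainly the whole WAN, which defeats the point of the rule.
NARROWEST_ALLOWED_PREFIX = 24


def trust_ingress(onprem_dc_cidrs, label="AD trust"):
    """Return IpPermissions entries restricted to the given on-premises DC CIDRs."""
    sources = []
    for cidr in onprem_dc_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.prefixlen < NARROWEST_ALLOWED_PREFIX:
            raise ValueError(f"{cidr} is wider than /{NARROWEST_ALLOWED_PREFIX}: list DC subnets, not the WAN")
        sources.append(str(net))
    return [
        {
            "IpProtocol": rule.proto,
            "FromPort": rule.first,
            "ToPort": rule.last,
            "IpRanges": [{"CidrIp": src, "Description": f"{label}: {rule.purpose}"} for src in sources],
        }
        for rule in TRUST_PORTS
    ]


def _is_trust_port(proto, first, last):
    """True if proto/first-last lies entirely inside one TRUST_PORTS entry."""
    return any(r.proto == proto and r.first <= first and last <= r.last for r in TRUST_PORTS)


def audit_ingress(ip_permissions, onprem_dc_cidrs):
    """Flag rules wider than the trust allow-list.

    `ip_permissions` is the IpPermissions list of one group as returned by
    `aws ec2 describe-security-groups`. Rules whose source is another security
    group (UserIdGroupPairs) are not examined here.
    """
    allowed = [ipaddress.ip_network(c) for c in onprem_dc_cidrs]
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        first, last = perm.get("FromPort", 0), perm.get("ToPort", 65535)   # "-1" rules carry no ports
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if not any(src.subnet_of(a) for a in allowed):
                findings.append(f"{proto} {first}-{last} from {src}: source is not an on-premises DC subnet")
            elif proto == "-1":
                findings.append(f"all traffic from {src}: replace with explicit trust ports")
            elif not _is_trust_port(proto, first, last):
                findings.append(f"{proto} {first}-{last} from {src}: not a trust port")
    return findings


# Constructed samples: one DC subnet on-premises, and an existing group that
# allows everything from the corporate /8 plus RDP from the DC subnet.
SAMPLE_ONPREM_DCS = ["10.10.5.0/24"]
SAMPLE_EXISTING = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.10.5.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 88, "IpRanges": [{"CidrIp": "10.10.5.0/24"}]},
]

if __name__ == "__main__":
    print(json.dumps(trust_ingress(SAMPLE_ONPREM_DCS), indent=2))
    for finding in audit_ingress(SAMPLE_EXISTING, SAMPLE_ONPREM_DCS):
        print("FINDING:", finding)
```

Run the audit against the group on the EC2 domain controllers (or, for AMAD, the directory's security group, which AWS creates and you can still inspect) before and after opening the trust; the same allow-list applied at the on-premises firewall gives the "only permit Active Directory trust ports" rule its other half.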