© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Architecting Active Directory on AWS
Dean Suzuki
4/7/2020
Active Directory Options on AWS
Active Directory Architecture Options
(diagram: five deployment options)
1. AD on-premises: Windows Server domain controllers in your data center; you manage
2. AD on EC2: domain controllers on AWS EC2 instances; you manage
3. AWS Managed AD: directory service in AWS; AWS manages
4. AD on premises with AWS AD Connector
5. SAML integration with AD (SAML – AD Integration)
AD On-premises Overview
• Establish network connectivity between your on-premises environment and AWS, either via VPN or Direct Connect
• AWS resources use your on-premises AD domain controllers for any AD operations.
• Usually a first step to a longer term solution.
(diagram: AWS Cloud connected to the corporate data center over AWS Direct Connect or AWS Site-to-Site VPN; AD on-premises)
AD On-premises Considerations
Benefits
• Leverage on-premises AD
Considerations
• Latency across the network connection to on-premises AD servers
• Will need to add AD Connector or Managed AD to support AWS services (e.g. SSO, Workspaces, RDS, Chime, Connect, domain auto join, etc.)
AD on EC2 Overview
• You create EC2 instances in AWS
• You promote instances to be Microsoft Active Directory domain controllers in the same on-premises AD forest.
• Could be in the same AD domain as on-premises or a new AD domain.
(diagram: AWS Cloud connected to the corporate data center over AWS Direct Connect or AWS Site-to-Site VPN; AD on-premises and AD on EC2)
AD on EC2 Overview
Benefits
• Leverage same AD as on-premises
• You are domain administrators and have full permissions in the environment.
• Use same AD schema, users, and configuration as on-premises AD
• Can load applications that require domain admin permissions (e.g. MS Exchange)
• Supports multiple regions
Considerations
• You are responsible for patching, managing, and maintaining the AD domain.
• Will need to add AD Connector or Managed AD to support AWS services (e.g. SSO, Workspaces, RDS, Connect, domain auto join, etc.)
AWS Managed Microsoft Active Directory Service
Customer: administer and configure
• Administer users, groups, GPOs, other AD content
• Administration via Active Directory Users and Computers (ADUC) and other standard AD tools
• Configure password policies
• Add domain controllers as needed
• Configure trusts (resource forest deployment)
• Configure certificate authorities (for LDAPS)
• Configure federation
Amazon: fully managed AD directory service
• Sets up 2 AD domain controllers in a new AD forest
• Manages (patches, monitors, backs up)
• Comes in 2 editions (Standard and Enterprise)
(diagram: AWS Managed VPC with an AWS Managed Microsoft AD DC in each of Availability Zone 1 and Availability Zone 2, subnets 10.0.2.0/24 and 10.0.3.0/24, alongside a Customer VPC running App 1 and App 2 in the same two Availability Zones)
AWS Managed Microsoft Active Directory Service
Benefits
• AWS manages the hardware and software (patching, backing up, monitoring)
• Can establish an AD trust with your on-premises AD to leverage the existing AD users and groups
• Support AWS services (e.g. SSO, Workspaces, RDS, Connect, domain auto join, etc.)
Considerations
• Get a delegated Admin (not domain admin) and delegated groups
• Each AWS managed Microsoft AD supports one AWS region.
• Each AWS managed Microsoft AD is a new AD forest.
AWS Managed Microsoft Active Directory Service

                              Standard Edition      Enterprise Edition
Storage Capacity              1 GB                  17 GB
Performance (optimized for)   ~5,000 employees      Over 5,000 employees
Hybrid Active Directory
(diagram: corporate data center with domain controllers and remote users/admins, connected over VPN or Direct Connect to AWS, where AWS Managed AD domain controllers in two Availability Zones serve application auth/LDAP and RDS for SQL Server)
• Run AWS Managed Microsoft AD in AWS
• Run AD on-premises
• Establish 1-way AD trust from AWS Managed Microsoft (trusting) to on-premises AD (trusted)
• Enables single sign-on into AWS resources using on-premises AD accounts
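As an added example that is not part of the deck, the one-way trust described above expressed as AWS CLI `ds` calls; the validation helper is my own, and the directory id, domain name, forwarder addresses and `TRUST_PASSWORD` variable are placeholders.

```shell
# Added example, not from the slides: create the one-way forest trust from
# AWS Managed Microsoft AD (trusting) to on-premises (trusted). Assumes the
# AWS CLI is configured for the account that owns the Managed AD directory.

# Shape checks run locally, before any API call (no network needed).
validate_trust_args() {
  dir_id=$1; remote=$2; direction=$3
  case $dir_id in
    d-[0-9a-z]*) ;;
    *) echo "bad directory id: $dir_id" >&2; return 1 ;;
  esac
  case $remote in
    *.*) ;;
    *) echo "remote domain must be a FQDN: $remote" >&2; return 1 ;;
  esac
  case $direction in
    "One-Way: Outgoing"|"One-Way: Incoming"|"Two-Way") ;;
    *) echo "bad trust direction: $direction" >&2; return 1 ;;
  esac
}

# "One-Way: Outgoing" on the Managed AD side means the Managed AD forest
# trusts on-premises: on-premises accounts can be granted access to AWS-side
# resources, while AWS-side accounts gain nothing on-premises. Selective
# authentication limits that access to computers where the on-premises
# principal is explicitly granted "Allowed to Authenticate".
create_outgoing_trust() {
  dir_id=$1; remote=$2; shift 2        # remaining args: on-prem DNS IPs
  validate_trust_args "$dir_id" "$remote" "One-Way: Outgoing" || return 1
  # The on-premises admin creates the matching one-way incoming forest
  # trust with the same $TRUST_PASSWORD and a conditional forwarder for the
  # Managed AD domain pointing at the Managed AD DNS addresses.
  trust_id=$(aws ds create-trust \
    --directory-id "$dir_id" \
    --remote-domain-name "$remote" \
    --trust-password "$TRUST_PASSWORD" \
    --trust-direction "One-Way: Outgoing" \
    --trust-type Forest \
    --selective-auth Enabled \
    --conditional-forwarder-ip-addrs "$@" \
    --query TrustId --output text) || return 1
  echo "created $trust_id; verifying" >&2
  aws ds verify-trust --trust-id "$trust_id" >/dev/null || return 1
  aws ds describe-trusts --directory-id "$dir_id" --trust-ids "$trust_id" \
    --query 'Trusts[0].[TrustId,TrustDirection,TrustState,SelectiveAuth]' --output text
}

# Usage: TRUST_PASSWORD=... sh trust.sh --run d-0123456789 corp.example.com 10.1.0.10 10.1.0.11
if [ "${1:-}" = "--run" ]; then shift; create_outgoing_trust "$@"; fi
```

The final `describe-trusts` line prints the trust state, which should reach `Verified` before on-premises accounts are granted access on the AWS side.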
Managed AD and AD on EC2 Comparison
(diagram: the same stack of layers for each option, Power/HVAC/net, OS install/maintenance, OS patching, AD backups, schema extensions, high availability and scaling, each layer marked customer managed or AWS managed)
Managed Active Directory Service
• Consider Managed AD first
• Focus on business value tasks
• Reduced O&M tasks
Active Directory on EC2 Instances
• Need full control over Active Directory
• Multi-Region Solution
AWS Managed Microsoft AD use cases
(diagram: AWS Managed Microsoft AD at the center, with four groups of use cases)
Compatible AWS Applications and Services: Amazon Connect, Amazon WorkMail, Amazon WorkSpaces, RDS for SQL Server, Amazon WorkDocs, Amazon QuickSight, Amazon Chime, AWS SSO (user directory)
Traditional AD Applications / Extend Existing AD: Remote Desktop Licensing, .NET Apps, SharePoint, SQL Server, Certificate Services, Active Directory
Use AWS SSO with Web Applications: SAML
Use Microsoft Tools with Web Applications: AD FS; sync to Azure AD via Azure AD Connect
AWS AD Connector
• Proxy solution to AD domain controllers (either on-premises or Managed AD)
• Authentication and LDAP forwarded to target AD
• Applications can look up users and groups in target AD
• Users authenticate using existing corporate credentials
(diagram: AD Connector in the AWS Cloud fronting Amazon EC2, forwarding over AWS Direct Connect or AWS Site-to-Site VPN to AD on-premises, or to AWS Directory Service Managed AD, potentially in another AWS account or region)
AWS AD Connector
Benefits
• AWS manages the hardware and software
• Support AWS services (e.g. SSO, Workspaces, RDS, Connect, domain auto join, etc.)
• Leverages your on-premises AD
Considerations
• Provides only a proxy connection to Active Directory; a self-managed AD or AWS Managed AD is still needed behind it
AWS SAML – AD Integration
(diagram: on-premises Active Directory reached from the AWS Cloud via AD Connector, Managed AD, or ADFS on Amazon EC2; AWS Single Sign-On federating with Office365, Ping and Okta)
• AWS SSO provides integration to 3rd party Identity Providers (e.g. Azure AD, Google, Okta, Ping).
AWS SAML – AD Integration
Benefits
• Can leverage the customer's existing Identity Provider.
• SSO supports SCIM sync from Azure AD
Considerations
• Some AWS services don't support a SAML integration (e.g. Workspaces, RDS, Connect, domain auto join, etc.). These services will still need an AD integration.