Sydney AWS Consulting: Connecting your AD to AWS in 5 minutes

At Peninsula IT our customers in Sydney and around Australia are moving Windows workloads to the AWS and Azure clouds en masse.  A common task carried out by the AWS Consulting Partner team in our Cloud Migration practice is connecting an Active Directory to allow AWS authentication for server workloads and increasingly for desktop workloads through Amazon Workspaces.  For people new to AWS, this AD connection process can seem a bit fiddly.  But in reality, once you understand the steps, it should take about 5 minutes.

Pre-requisites for connecting an existing Active Directory

  1. Your VPC needs to be properly configured and secured.
  2. An Active Directory is available for your AWS environment – this can be an AD created on an EC2 domain controller instance within AWS, or one that has been connected from the customer datacentre via a Direct Connect or via an IPSec VPN connection.  If there is link latency between your VPC and the customer datacentre, we find it’s best to locate a domain controller EC2 instance within your VPC.
  3. TCP ports must be open to allow access from the VPC subnet CIDR addresses to the domain controller DNS (TCP 53) and LDAP (TCP 389).
  4. A service account with read permissions for the AD connector.
  5. An internal subnet in two availability zones (AZs). Make sure the IP ranges in each subnet do not overlap.
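
A pre-flight check for prerequisites 3 and 5, added here as an example and not part of the original article. It assumes you have exported the two connector subnets and the domain controller's security-group ingress rules in the shape returned by EC2 `DescribeSubnets` and `DescribeSecurityGroups`; the sample data and subnet IDs are constructed.

```python
import ipaddress

REQUIRED_TCP = {53: "DNS", 389: "LDAP"}  # the ports the article lists

def covers(rule, port):
    """True if a security-group ingress rule admits TCP traffic to `port`."""
    if rule["IpProtocol"] == "-1":          # "-1" means all protocols and ports
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]

def check_subnets(subnets):
    """Prerequisite 5: two subnets in different AZs with non-overlapping ranges."""
    problems = []
    if len(subnets) != 2:
        problems.append(f"expected 2 subnets, got {len(subnets)}")
    if len({s["AvailabilityZone"] for s in subnets}) < len(subnets):
        problems.append("subnets share an availability zone")
    nets = [ipaddress.ip_network(s["CidrBlock"]) for s in subnets]
    for i, a in enumerate(nets):
        problems += [f"{a} overlaps {b}" for b in nets[i + 1:] if a.overlaps(b)]
    return problems

def check_dc_ingress(rules, subnets):
    """Prerequisite 3: every connector subnet reaches the DC on each port."""
    problems = []
    for s in subnets:
        src = ipaddress.ip_network(s["CidrBlock"])
        for port, name in REQUIRED_TCP.items():
            ok = any(covers(r, port) and src.subnet_of(ipaddress.ip_network(c["CidrIp"]))
                     for r in rules for c in r.get("IpRanges", []))
            if not ok:
                problems.append(f"{s['SubnetId']} ({src}) blocked on TCP {port} ({name})")
    return problems

def world_open(rules):
    """Required ports reachable from 0.0.0.0/0; LDAP on 389 is cleartext."""
    return sorted({p for r in rules for p in REQUIRED_TCP if covers(r, p)
                   and any(c["CidrIp"] == "0.0.0.0/0" for c in r.get("IpRanges", []))})

# Constructed sample data (not from a real account).
SUBNETS = [
    {"SubnetId": "subnet-aaaa", "AvailabilityZone": "ap-southeast-2a", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-bbbb", "AvailabilityZone": "ap-southeast-2b", "CidrBlock": "10.0.2.0/24"},
]
DC_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
]

if __name__ == "__main__":
    for line in check_subnets(SUBNETS) + check_dc_ingress(DC_INGRESS, SUBNETS):
        print("FAIL:", line)
```

With the sample data, the second subnet is reported as blocked on TCP 389 because the LDAP rule only admits the first subnet's range.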

Creating the AWS AD Connector

  1. Within the AWS console, select Services > Security, Identity and Compliance > Directory Service
  2. Select AD Connector > Set Up Directory

AWS Active Directory Connector : Peninsula IT

  3. Complete the details shown below – using the service account mentioned in the pre-requisite section of this article for “Connector account username”.
    • Note in the image below where it says connecting to “your on-premises directory”, this also works just fine for a Directory running on EC2 instances within your VPC.  This is often a cheaper alternative to signing up to the AWS managed “Microsoft AD” service.
    • Also note that for this setup I chose a small directory size – this sized AWS AD connector is good for up to 500 users (see the Amazon website here for more info on pricing).  In addition, it can be free of charge if you are using Amazon Workspaces (see the footnote at the end of this article).

AWS Directory Connector Details : Peninsula IT

  4. Complete your VPC details when prompted – specifying the VPC name and a separate subnet for each availability zone.  Review the settings on the summary page, and choose “Create AD Connector”.
  5. After a few minutes, the connection should be ready, indicated by a green “Active” status. If there are problems it will show as “Inoperable”.  This is often caused by network access problems or the service account details being incorrectly specified.  The AD connector performs an LDAP query on port 389 against the domain controller found by the DNS query (at present the AD Connector from Amazon does not support secure LDAP).

From this point, your AD connector is ready to use for federated authentication to the AWS console through IAM role mapping.  It can also be used for automated domain joining for new EC2 instances.  What is of particular interest to some of our customers is authentication to Amazon applications, such as Amazon Workspaces.  If you choose “Register” from the Action menu of the Directories console, you can enable the AD connector you have just created for use with Amazon Workspaces.  You will be prompted to register for signup to Amazon WorkDocs initially – while this is a useful tool, it is a chargeable service (see the AWS website here for pricing – $8 per month at the time of writing), so I did not select WorkDocs in this demo.

AWS Register Directory for Workspaces : Peninsula IT

After a minute or so, the Directory should show as “Registered”.

AWS Registered Directory : Peninsula IT

Now you are ready to start provisioning Amazon apps such as Amazon Workspaces using your own Active Directory!  As a side note, at the time of writing be aware that Amazon AppStream does not support the Amazon AD Connector – see the AppStream FAQ for more info and alternatives.

Further reading

Some important articles you will need are shown below:

AWS AD Connector HowTo:  https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/

AWS AD Connector Prerequisites:  http://docs.aws.amazon.com/directoryservice/latest/admin-guide/prereq_connector.html

Pricing guide:  https://aws.amazon.com/directoryservice/other-directories-pricing/

Footnote:  Small AD Connector Fees are waived for Amazon Workspaces customers

A little known fact at the time of writing this blog is that Amazon does not charge for small AD Connector directories if you are an Amazon Workspaces customer.  You just need to have at least one Amazon Workspaces subscriber each month, and your AD connector fees will be waived – read the AWS website here for more info.