Active Directory Domain Services on AWS
Quick Start Reference Deployment Guide

Security

AWS provides a set of building blocks, including the Amazon EC2 and Amazon VPC services, that you can use to provision infrastructure for your applications. In this shared-responsibility model, some security capabilities, such as physical security, are the responsibility of AWS and are described in the AWS security whitepaper. Other capabilities, such as controlling access to applications, are the responsibility of the application developer, using the tools provided in the Microsoft platform.

If you have followed the automated deployment options in this guide, the necessary security groups are configured for you by the provided AWS CloudFormation templates and are listed here for your reference. For each security group, the table gives the instances it is associated with and, for each inbound source (a CIDR parameter or another security group), the ports that source is allowed to reach.

Security group: DomainControllerSG1
  Associated with: DC1
  Inbound source -> Port(s):
    VPCCIDR -> TCP5985, TCP53, UDP53, TCP80
    DomainMemberSG -> UDP123, TCP135, UDP138, TCP445, UDP445, TCP464, UDP464, TCP49152-65535, UDP49152-65535, TCP389, UDP389, TCP636, TCP3268, TCP3269, TCP88, UDP88, UDP67, UDP2535, TCP9389
    PrivateSubnet2CIDR (subnet where the second DC is deployed) -> UDP123, TCP135, UDP137, UDP138, TCP445, UDP445, TCP464, UDP464, TCP49152-65535, UDP49152-65535, TCP389, UDP389, TCP636, TCP3268, TCP3269, TCP88, UDP88, UDP67, UDP2535, UDP5355, TCP139, TCP5722, TCP9389
    PublicSubnet1CIDR (subnet where the Remote Desktop Gateway is deployed in Availability Zone 1) -> TCP3389, ICMP (type -1, i.e., all types)
    PublicSubnet2CIDR (subnet where the Remote Desktop Gateway is deployed in Availability Zone 2) -> TCP3389, ICMP (type -1, i.e., all types)

Security group: DomainControllerSG2
  Associated with: DC2
  Inbound source -> Port(s):
    VPCCIDR -> TCP5985, TCP53, UDP53, TCP80
    DomainMemberSG -> UDP123, TCP135, UDP138, TCP445, UDP445, TCP464, UDP464, TCP49152-65535, UDP49152-65535, TCP389, UDP389, TCP636, TCP3268, TCP3269, TCP88, UDP88, UDP67, UDP2535, TCP9389
    PrivateSubnet1CIDR (subnet where the first DC is deployed) -> UDP123, TCP135, UDP137, UDP138, TCP445, UDP445, TCP464, UDP464, TCP49152-65535, UDP49152-65535, TCP389, UDP389, TCP636, TCP3268, TCP3269, TCP88, UDP88, UDP67, UDP2535, UDP5355, TCP139, TCP5722, TCP9389
    PublicSubnet1CIDR (subnet where the Remote Desktop Gateway is deployed in Availability Zone 1) -> TCP3389, ICMP (type -1, i.e., all types)
    PublicSubnet2CIDR (subnet where the Remote Desktop Gateway is deployed in Availability Zone 2) -> TCP3389, ICMP (type -1, i.e., all types)

Security group: DomainMemberSG
  Associated with: RDGW1, RDGW2
  Inbound source -> Port(s):
    PrivateSubnet1CIDR (subnet where the first DC is deployed) -> TCP5985, TCP53, UDP53, TCP49152-65535, UDP49152-65535
    PrivateSubnet2CIDR (subnet where the second DC is deployed) -> TCP5985, TCP53, UDP53, TCP49152-65535, UDP49152-65535
    PublicSubnet1CIDR (subnet where the Remote Desktop Gateway is deployed in Availability Zone 1) -> TCP3389
    PublicSubnet2CIDR (subnet where the Remote Desktop Gateway is deployed in Availability Zone 2) -> TCP3389

Security group: RDGWSecurityGroup
  Associated with: RDGW1, RDGW2
  Inbound source -> Port(s):
    RDGWCIDR (see the Important note below) -> TCP3389

Important

RDP (TCP 3389) should never be opened to the entire Internet (a source of 0.0.0.0/0), not even temporarily or for testing purposes. For more information, see the Amazon security bulletin on this topic. Always restrict ports and source traffic to the minimum necessary to support the functionality of the application; in this deployment, that means the RDGWCIDR parameter should be the narrowest range your administrators actually connect from. For more about securing Remote Desktop Gateway, see the Securing the Microsoft Platform on Amazon Web Services whitepaper.
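The following Python script is an added example for auditing a deployed VPC against the rules above; it is not part of the Quick Start templates. It flattens security groups in the shape returned by boto3's ec2.describe_security_groups() into (source, protocol, from_port, to_port) rules, reports every source that can reach TCP 3389, and flags any group that admits RDP from 0.0.0.0/0 or ::/0. The group names, group IDs and CIDRs in SAMPLE_GROUPS are constructed for the offline run (203.0.113.0/24 stands in for RDGWCIDR, and TestSG is a deliberately misconfigured group); fetch_security_groups() is an assumed helper that pulls live data when boto3 and credentials are available.

```python
"""Audit security-group ingress rules for world-open RDP (added example)."""
from typing import Dict, List, Set, Tuple

ANY = ("0.0.0.0/0", "::/0")  # sources that mean "the entire Internet"

# Constructed sample in describe_security_groups() shape. The IDs and CIDRs
# are placeholders, not values from the Quick Start templates.
SAMPLE_GROUPS: List[dict] = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "GroupName": "RDGWSecurityGroup",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}],   # stands in for RDGWCIDR
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "GroupName": "DomainMemberSG",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5985, "ToPort": 5985,
             "IpRanges": [{"CidrIp": "10.0.0.0/19"}],      # stands in for a subnet CIDR
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},  # group reference
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60003",
        "GroupName": "TestSG",  # the misconfiguration the audit must catch
        "IpPermissions": [
            {"IpProtocol": "-1",  # "-1" = all protocols; AWS omits the port fields
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]

Rule = Tuple[str, str, int, int]  # (source, protocol, from_port, to_port)


def ingress_rules(sg: dict) -> List[Rule]:
    """Flatten one group's IpPermissions into one tuple per (source, permission)."""
    rules: List[Rule] = []
    for perm in sg.get("IpPermissions", []):
        proto = str(perm.get("IpProtocol", "-1"))
        lo = perm.get("FromPort", 0)        # absent for "-1": treat as full range
        hi = perm.get("ToPort", 65535)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        rules.extend((src, proto, lo, hi) for src in sources)
    return sorted(rules)


def allows(rule: Rule, proto: str, port: int) -> bool:
    """True if the rule admits the given protocol/port ("-1" admits everything)."""
    _src, rproto, lo, hi = rule
    return rproto == "-1" or (rproto == proto and lo <= port <= hi)


def rdp_sources(groups: List[dict]) -> Dict[str, Set[str]]:
    """Map group name -> every source (CIDR or group ID) that can reach TCP 3389."""
    out: Dict[str, Set[str]] = {}
    for sg in groups:
        srcs = {r[0] for r in ingress_rules(sg) if allows(r, "tcp", 3389)}
        if srcs:
            out[sg["GroupName"]] = srcs
    return out


def world_open_rdp(groups: List[dict]) -> List[str]:
    """Names of groups that admit TCP 3389 from 0.0.0.0/0 or ::/0."""
    return sorted(name for name, srcs in rdp_sources(groups).items()
                  if srcs.intersection(ANY))


def fetch_security_groups(vpc_id: str, region: str = "us-east-1") -> List[dict]:
    """Assumed live helper: needs boto3 and ec2:DescribeSecurityGroups permission."""
    import boto3  # imported lazily so the offline sample run has no dependency
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_security_groups(
        Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    return resp["SecurityGroups"]


if __name__ == "__main__":
    for name, srcs in rdp_sources(SAMPLE_GROUPS).items():
        print(f"{name}: RDP reachable from {sorted(srcs)}")
    print("world-open RDP:", world_open_rdp(SAMPLE_GROUPS) or "none")
```

Run against a real VPC by replacing SAMPLE_GROUPS with fetch_security_groups("vpc-..."). A correct deployment reports RDGWSecurityGroup reachable only from your RDGWCIDR value, DomainMemberSG reachable only from the public-subnet CIDRs (or a group reference), and an empty world-open list; any other source on 3389 is a rule the templates did not create and should be removed.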