AWS Directory Service
Administration Guide (Version 1.0)

Adding IP Routes When Using Public IP Addresses

You can use AWS Directory Service for Microsoft Active Directory to take advantage of many powerful Active Directory features, including establishing trusts with other directories. However, if the DNS servers for the networks of the other directories use public (non-RFC 1918) IP addresses, you must specify those IP addresses as part of configuring the trust. Instructions for doing this can be found in When to Create a Trust Relationship.

Similarly, you must also enter the IP address information when routing traffic from your AWS Managed Microsoft AD on AWS to a peer AWS VPC, if the VPC uses public IP ranges.

When you add the IP addresses as described in When to Create a Trust Relationship, you have the option of selecting Add routes to the security group for this directory's VPC. This option should be selected unless you have previously customized your security group to allow the necessary traffic as shown below. For more information, see Understand Your Directory’s AWS Security Group Configuration and Use.

This option configures the security groups for your directory’s VPC as follows:

Inbound rules

Type Protocol Port Range Source
Custom UDP Rule UDP 88
Custom UDP Rule UDP 123
Custom UDP Rule UDP 138
Custom UDP Rule UDP 389
Custom UDP Rule UDP 445
Custom UDP Rule UDP 464
Custom TCP Rule TCP 88
Custom TCP Rule TCP 135
Custom TCP Rule TCP 445
Custom TCP Rule TCP 464
Custom TCP Rule TCP 636
Custom TCP Rule TCP 1024 - 65535
Custom TCP Rule TCP 3268 - 3269
All ICMP All N/A

Outbound rules

Type Protocol Port Range Destination
All traffic All All

These security rules affect an internal network interface that is not exposed publicly.