High availability and security best practices for AWS Launch Wizard for Active Directory

The domain controller architecture created by AWS Launch Wizard supports AWS best practices for high availability and security as promoted by the AWS Well-Architected Framework.

High availability

With Amazon EC2, you can place instances in multiple locations, which are composed of AWS Regions and Availability Zones. Regions are dispersed and located in separate geographic areas. Availability Zones are distinct locations within a Region that are engineered to be isolated from failures in other Availability Zones, and they provide inexpensive, low-latency network connectivity to the other Availability Zones in the same Region.

When you launch your instances in different Regions, you can set your domain controllers to be closer to specific customers, or to meet legal or other requirements. When you launch your instances in different Availability Zones, you can protect your domain controllers from the failure of a single location.

Security in Launch Wizard for Active Directory

Launch Wizard creates a number of security groups and rules for you. Every Amazon EC2 instance must be associated with at least one security group, which acts as a stateful firewall: return traffic for a connection that was allowed in one direction is permitted automatically. You control the network traffic entering and leaving the instances in the group with rules scoped by protocol, port range, and source or destination IP address, CIDR block, or security group. Security group rules are allow rules only; traffic that matches no rule is dropped. By default, all outbound traffic is permitted, whereas inbound traffic is denied until you add rules that allow the traffic your instances need.

The Securing the Microsoft Platform on Amazon Web Services whitepaper discusses the different methods for securing your AWS infrastructure. Recommendations include providing isolation between application tiers using security groups. We recommend that you tightly control inbound traffic to reduce the attack surface of your EC2 instances.

Launch Wizard configures the necessary security groups for you, which are listed in the following table.

Security group: DomainControllerSG
Associated with: DC1, DC2, DC3, CA
Inbound rules:
  From VPCCIDR: UDP 53, TCP 3389, TCP 445, All ICMP-IPv4 (IpProtocol -1, FromPort -1, ToPort -1)
  From DomainControllerSG (self-reference): all traffic (IpProtocol -1, FromPort -1, ToPort -1)
  From DomainMemberTCPSG: TCP 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 5722, 9389, 49152-65535; ICMP -1
  From DomainMemberUDPSG: UDP 53, 88, 123, 138, 389, 445, 5355, 49152-65535

Security group: DomainMemberTCPSG
Associated with: RDGW
Inbound rules:
  From ADServer1PrivateIp, ADServer2PrivateIp, ADServer3PrivateIp: TCP 53, 88, 123, 135, 139, 389, 445, 464, 636, 3268, 3269, 3389, 5722, 5985, 9389, 49152-65535

Security group: DomainMemberUDPSG
Associated with: RDGW
Inbound rules:
  From ADServer1PrivateIp, ADServer2PrivateIp, ADServer3PrivateIp: UDP 53, 88, 137, 138, 389, 445, 464, 5355, 49152-65535

Security group: RDGWSecurityGroup
Associated with: RDGW1, RDGW2
Inbound rules:
  From RDGWCIDR: TCP 3389
Important

Always restrict ports and source traffic to the minimum necessary to support the functionality of the application.
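The table above is the intended state; what matters operationally is whether the deployed groups still match it after people have edited rules by hand. The following script is an added example, not part of the Launch Wizard documentation or its templates. It reads the JSON that `aws ec2 describe-security-groups` returns and flags the three deviations a reviewer cares about most: a rule open to the whole internet, "all traffic" (IpProtocol -1) granted to a CIDR rather than to a referenced security group (the table only does this via the DomainControllerSG self-reference), and a domain controller group that accepts traffic from a CIDR outside the VPC. The group IDs, the 10.0.0.0/16 VPC CIDR, the 203.0.113.0/24 RDGWCIDR and the two deliberately loosened rules in the embedded sample are all constructed for this example.

```python
"""Audit inbound security group rules against the least-privilege pattern of the
Launch Wizard AD security group table (added example, not Launch Wizard code).

Reads the JSON shape produced by `aws ec2 describe-security-groups` and flags:
  * any rule open to 0.0.0.0/0 or ::/0,
  * "all traffic" (IpProtocol -1) granted to a CIDR instead of a security group,
  * domain controller groups accepting traffic from CIDRs outside the VPC.
"""
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and CIDRs are made up; 10.0.0.0/16 stands in for VPCCIDR and
# 203.0.113.0/24 for RDGWCIDR. Three rules are deliberately loosened so the
# audit has something to report.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0a1b2c3d4e5f60718",
            "GroupName": "DomainControllerSG",
            "IpPermissions": [
                # expected: DNS from the VPC
                {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
                # drifted: RDP to the domain controllers from the whole internet
                {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
                # drifted: LDAP from a range that is not part of the VPC
                {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
                 "IpRanges": [{"CidrIp": "192.168.0.0/24"}], "UserIdGroupPairs": []},
                # expected: all traffic between domain controllers (self-reference)
                {"IpProtocol": "-1", "IpRanges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60718"}]},
            ],
        },
        {
            "GroupId": "sg-0f1e2d3c4b5a69788",
            "GroupName": "RDGWSecurityGroup",
            "IpPermissions": [
                # expected: RDP to the gateways from the administrative CIDR only
                {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
                # drifted: all traffic from a CIDR; the table only allows this via SG reference
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
                 "UserIdGroupPairs": []},
            ],
        },
    ]
})


def describe_rule(perm: dict) -> str:
    """Render one IpPermissions entry the way the table does, e.g. 'TCP 3389'."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return "all traffic"
    if perm.get("FromPort", -1) == -1:          # ICMP with no type restriction
        return f"{proto.upper()} (all types)"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return f"{proto.upper()} {lo}" if lo == hi else f"{proto.upper()} {lo}-{hi}"


def audit_security_groups(describe_json: str, vpc_cidr: str) -> list[str]:
    """Return one finding per inbound rule that breaks the pattern in the table."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        name = sg["GroupName"]
        for perm in sg.get("IpPermissions", []):
            rule = describe_rule(perm)
            for rng in perm.get("IpRanges", []):
                cidr = ipaddress.ip_network(rng["CidrIp"])
                if cidr.prefixlen == 0:
                    findings.append(f"{name}: {rule} open to the internet ({cidr})")
                elif perm["IpProtocol"] == "-1":
                    findings.append(f"{name}: {rule} from CIDR {cidr}; "
                                    "reference a security group or list the needed ports")
                elif name.startswith("DomainController") and not cidr.subnet_of(vpc):
                    findings.append(f"{name}: {rule} from {cidr}, outside VPC {vpc}")
            for rng in perm.get("Ipv6Ranges", []):
                if ipaddress.ip_network(rng["CidrIpv6"]).prefixlen == 0:
                    findings.append(f"{name}: {rule} open to the internet ({rng['CidrIpv6']})")
            # UserIdGroupPairs (security group references) are the intended way the
            # table lets domain controllers reach each other and the members, so
            # they are not flagged here.
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_DESCRIBE_OUTPUT, "10.0.0.0/16"):
        print(finding)
```

To run it against a live account, save the output of `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<your VPC ID>` to a file and pass its contents and your VPCCIDR to `audit_security_groups`. The script reports only inbound rules, because the table above (and the default allow-all egress) is about what can reach the instances; extend it with the group's `IpPermissionsEgress` if you also lock down outbound traffic.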