Security Group Ingress Traffic - Active Directory Domain Services on AWS

Security Group Ingress Traffic

When launched, Amazon EC2 instances must be associated with a security group, which acts as a stateful firewall. You have complete control over the network traffic entering or leaving the security group, and you can build granular rules that are scoped by protocol, port number, and source/destination IP address or other security groups. By default, all egress traffic from the security group is permitted. However, ingress traffic must be configured to allow the appropriate traffic to reach your instances.

The Securing the Microsoft Platform on Amazon Web Services whitepaper discusses the different methods for securing your AWS infrastructure. Recommendations include providing isolation between application tiers by using security groups. We recommend that you tightly control ingress traffic in order to reduce the attack surface of your Amazon EC2 instances.

If you're deploying and managing your own AD DS installation, domain controllers and member servers will require several security group rules to allow traffic for services such as AD DS replication, user authentication, Windows Time services, and Distributed File System (DFS), among others. You should also restrict these rules to the specific IP subnets used within your VPC rather than opening them to wider ranges.
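The following Python script is an added example, not part of this guide or its CloudFormation templates. It builds a set of ingress rules for a domain controller security group from a port table, scopes every rule to a list of VPC subnets you supply, renders the result as an `AWS::EC2::SecurityGroup` resource fragment, and lints the rules for any source that falls outside the VPC CIDR (such as `0.0.0.0/0`). The port table is this example's own summary of Microsoft's published AD DS port requirements; the subnet and VPC CIDRs are constructed sample values, and the resource name `DomainControllerSG` is a placeholder.

```python
"""Build and lint AD DS security group ingress rules (added example)."""
import ipaddress
import json

# Common AD DS listener ports on a domain controller. This table is an
# assumption made for the example, summarised from Microsoft's published
# AD DS port requirements; confirm it against the Security section of the
# guide and the TechNet port list before reusing it.
AD_DS_PORTS = [
    ("tcp", 53, 53, "DNS"),
    ("udp", 53, 53, "DNS"),
    ("tcp", 88, 88, "Kerberos"),
    ("udp", 88, 88, "Kerberos"),
    ("udp", 123, 123, "Windows Time (W32Time)"),
    ("tcp", 135, 135, "RPC endpoint mapper"),
    ("tcp", 389, 389, "LDAP"),
    ("udp", 389, 389, "LDAP"),
    ("tcp", 445, 445, "SMB (SYSVOL, DFS)"),
    ("tcp", 464, 464, "Kerberos password change"),
    ("udp", 464, 464, "Kerberos password change"),
    ("tcp", 636, 636, "LDAPS"),
    ("tcp", 3268, 3269, "Global Catalog LDAP/LDAPS"),
    ("tcp", 9389, 9389, "AD Web Services"),
    ("tcp", 49152, 65535, "RPC dynamic ports (replication, DFSR)"),
]


def build_ingress(allowed_cidrs):
    """One CloudFormation-style ingress entry per (port row, source CIDR)."""
    rules = []
    for proto, lo, hi, desc in AD_DS_PORTS:
        for cidr in allowed_cidrs:
            rules.append({
                "IpProtocol": proto,
                "FromPort": lo,
                "ToPort": hi,
                "CidrIp": cidr,
                "Description": desc,
            })
    return rules


def find_overly_broad(rules, vpc_cidr):
    """Return rules whose source is not inside the VPC or that allow all protocols.

    A rule sourced from 0.0.0.0/0, from a range outside the VPC, or with
    IpProtocol "-1" (all traffic) widens the attack surface of the domain
    controllers and is reported for review.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    flagged = []
    for rule in rules:
        src = ipaddress.ip_network(rule["CidrIp"], strict=False)
        if rule["IpProtocol"] == "-1" or not src.subnet_of(vpc):
            flagged.append(rule)
    return flagged


def to_cloudformation(logical_id, vpc_id, rules):
    """Wrap the rules in an AWS::EC2::SecurityGroup resource fragment."""
    return {
        logical_id: {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Domain controller ingress (example)",
                "VpcId": vpc_id,
                "SecurityGroupIngress": rules,
            },
        }
    }


if __name__ == "__main__":
    # Constructed sample values: two private subnets inside a 10.0.0.0/16 VPC.
    subnets = ["10.0.0.0/24", "10.0.1.0/24"]
    rules = build_ingress(subnets)
    print("broad rules:", find_overly_broad(rules, "10.0.0.0/16"))
    print(json.dumps(to_cloudformation("DomainControllerSG", "vpc-PLACEHOLDER", rules), indent=2))
```

Running the script with the sample subnets produces 30 tightly scoped rules and an empty list of broad rules; swapping a subnet for `0.0.0.0/0` makes every rule built from it show up in the lint output, which is the check worth wiring into a template review before the stack is deployed.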

We provide an example of how to implement these rules for each application tier later in this guide as part of the AWS CloudFormation template for each scenario. For a detailed list of port mappings used by the AWS CloudFormation templates, see the Security section of this guide.

For a complete list of ports, see Active Directory and Active Directory Domain Services Port Requirements in the Microsoft TechNet Library. For step-by-step guidance for implementing rules, see Adding Rules to a Security Group in the Amazon EC2 User Guide.