Active Directory Domain Services on AWS
Active Directory DS Quick Start

Scenario 2: Extend On-Premises AD DS Installation to the AWS Cloud

This scenario is for users who want to use their existing installation of AD DS and extend their on-premises network to the VPC, when a new deployment of AD DS is not an option. The AWS CloudFormation templates that automate this deployment perform these tasks:

  • Set up the Amazon VPC, including private and public subnets in two Availability Zones.*

  • Configure two NAT gateways in the public subnets.*

  • Configure private and public routes.*

  • Enable ingress traffic into the VPC for administrative access to Remote Desktop Gateway.*

  • Launch Windows Server 2016 AMIs.

  • Configure security groups and rules for traffic between instances.

* The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks.

The AWS CloudFormation template deploys the architecture shown in Figure 2, except for the virtual private gateway and VPN connection, which you can create manually.


Figure 2: Quick Start architecture for extending your on-premises AD DS to AWS

This scenario provides an example of using a VPC and a virtual private gateway to enable communication with your own network over an IPsec VPN tunnel. Active Directory is deployed in the customer data center, and Windows servers are deployed into two VPC subnets. After deploying the VPN connection, you can promote the Windows instances to domain controllers in the on-premises Active Directory forest, making AD DS highly available in the AWS Cloud.
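The virtual private gateway and VPN connection that the Quick Start leaves for you to create manually can also be expressed as a CloudFormation template. The following is an added example, not one of the Quick Start templates; it assumes the Quick Start VPC and its private route tables already exist and are passed in as parameters, and the on-premises CIDR, customer gateway IP and BGP ASN are placeholders you replace with your own values.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: static-route site-to-site VPN into an existing Quick Start VPC
  (not part of the Quick Start templates).
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateRouteTableIds:
    Type: List<String>
    Description: Private-subnet route tables that should learn the on-premises routes
  CustomerGatewayIp:
    Type: String
    Description: Public IP of the on-premises VPN device (placeholder, supply your own)
  OnPremCidr:
    Type: String
    Default: 10.0.0.0/16   # constructed placeholder for the data center network
Resources:
  VirtualPrivateGateway:
    Type: AWS::EC2::VPNGateway
    Properties:
      Type: ipsec.1
  VgwAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VpcId
      VpnGatewayId: !Ref VirtualPrivateGateway
  CustomerGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      BgpAsn: 65000          # placeholder; required by the resource even for static routing
      IpAddress: !Ref CustomerGatewayIp
  VpnConnection:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      StaticRoutesOnly: true
      CustomerGatewayId: !Ref CustomerGateway
      VpnGatewayId: !Ref VirtualPrivateGateway
  OnPremRoute:
    Type: AWS::EC2::VPNConnectionRoute
    Properties:
      DestinationCidrBlock: !Ref OnPremCidr
      VpnConnectionId: !Ref VpnConnection
  RoutePropagation:
    Type: AWS::EC2::VPNGatewayRoutePropagation
    DependsOn: VgwAttachment   # propagation fails if the gateway is not yet attached
    Properties:
      RouteTableIds: !Ref PrivateRouteTableIds
      VpnGatewayId: !Ref VirtualPrivateGateway
```

Only the private route tables receive the propagated on-premises route, so domain controller traffic toward the data center stays within the private subnets and the tunnel; the public-subnet route tables keep their NAT gateway routes unchanged.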

After you deploy the VPN connection and promote your servers to domain controllers, you can launch additional instances into the empty VPC subnets in the web, application, or database tier. These instances will have access to cloud-based domain controllers for secure, low-latency directory services and DNS. All network traffic, including AD DS communication, authentication requests, and Active Directory replication, is secured either within the private subnets or across the VPN tunnel.