Active Directory Domain Services on AWS
Active Directory DS Quick Start

VPC Configuration

With Amazon VPC, you can define a virtual network topology that closely resembles a traditional network you might operate on your own premises. A VPC can span multiple Availability Zones, which lets you place independent infrastructure in physically separate locations; a Multi-AZ deployment therefore provides high availability and fault tolerance. In the scenarios in this guide, we place domain controllers in two Availability Zones to provide highly available, low-latency access to AD DS services in the AWS Cloud.

Each scenario is automated by two templates: one that builds a new VPC for the deployment, and the other that deploys into an existing VPC. To accommodate highly available AD DS in the AWS Cloud, the Quick Start builds (or requires, in the case of the existing VPC template) a base Amazon VPC configuration that complies with the following AWS best practices:

  • Domain controllers should be placed in a minimum of two Availability Zones to provide high availability.

  • Domain controllers and other non-internet-facing servers should be placed in private subnets.

  • Instances launched by the deployment templates in this guide require internet access to reach the AWS CloudFormation endpoint during bootstrapping. To support this, public subnets host NAT gateways, which allow outbound connections from the private subnets but accept no inbound connections from the internet. Remote Desktop Gateways are also deployed into the public subnets for remote administration; they are the only internet-facing entry point into the environment, so inbound access to them should be restricted to trusted administrator source addresses. Other components, such as reverse proxy servers, can be placed in these public subnets if needed.

This VPC architecture uses two Availability Zones, each with its own distinct public and private subnets. We recommend that you leave plenty of unallocated address space to support the growth of your environment over time and to reduce the complexity of your VPC subnet design. This Quick Start uses a default VPC configuration that provides plenty of address space by using the minimum number of private and public subnets. By default, this Quick Start uses the following CIDR ranges.

Private subnets A
  Availability Zone 1
  Availability Zone 2
Public subnets
  Availability Zone 1
  Availability Zone 2

In addition, the Quick Start provides spare capacity for additional subnets, to support your environment as it grows or changes over time. If you have sensitive workloads that should be completely isolated from the internet, you can create new VPC subnets using these optional address spaces. For background information and more details on this approach, see Building a Modular and Scalable Virtual Network Architecture with Amazon VPC.
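The two-AZ layout described in this section and the spare-capacity point above, as an added Python example that is not part of the Quick Start's own templates: it carves one private and one public subnet per Availability Zone out of an assumed VPC CIDR, reports the unallocated blocks left for future (for example, fully isolated) subnets, and runs the placement checks the best-practice bullets imply (domain controllers in private subnets across two zones, private subnets reaching the internet only through a NAT gateway in a public subnet, Remote Desktop Gateways in public subnets). The VPC CIDR 10.0.0.0/16, the /19 private and /20 public tier sizes, the zone names, and the role labels are assumptions made for illustration; the page itself lists no CIDR values.

```python
"""Address plan and placement checks for a two-AZ VPC with private and public
subnet tiers.  Added example, not the Quick Start's templates.  VPC CIDR, tier
sizes, zone names and role labels are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass, field

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")            # assumed
AZS = ("az1", "az2")                                       # assumed zone names
TIERS = {"private-a": (19, False), "public": (20, True)}  # assumed: prefix length, internet-facing


@dataclass
class Subnet:
    tier: str
    az: str
    cidr: ipaddress.IPv4Network
    public: bool
    default_route: str = "local"   # "igw" or "nat:<az>" once wire_routes() runs
    roles: list = field(default_factory=list)


def plan_subnets(vpc, azs, tiers):
    """Carve one subnet per tier per AZ, largest blocks first, so the smaller
    public blocks fill gaps instead of fragmenting the spare address space."""
    subnets, used = [], []
    for tier, (prefix, public) in sorted(tiers.items(), key=lambda kv: kv[1][0]):
        for az in azs:
            for cand in vpc.subnets(new_prefix=prefix):
                if not any(cand.overlaps(u) for u in used):
                    used.append(cand)
                    subnets.append(Subnet(tier, az, cand, public))
                    break
            else:
                raise ValueError(f"no /{prefix} block left in {vpc} for {tier}/{az}")
    return subnets


def unallocated(vpc, subnets):
    """Blocks of the VPC that no subnet uses: the room kept for future tiers."""
    free = [vpc]
    for s in subnets:
        free = [blk for f in free
                for blk in (f.address_exclude(s.cidr) if s.cidr.subnet_of(f) else [f])]
    return sorted(free)


def wire_routes(subnets):
    """Public subnets default-route to the internet gateway; each private
    subnet to a NAT gateway hosted in the public subnet of its own AZ."""
    for s in subnets:
        s.default_route = "igw" if s.public else f"nat:{s.az}"
    return subnets


def placement_errors(subnets):
    """Checks a reviewer would run before deploying domain controllers."""
    errors = []
    dc_azs = {s.az for s in subnets if "domain-controller" in s.roles}
    if len(dc_azs) < 2:
        errors.append("domain controllers must span at least two Availability Zones")
    for s in subnets:
        if "domain-controller" in s.roles and s.public:
            errors.append(f"{s.cidr}: domain controller in a public subnet")
        if not s.public and s.default_route == "igw":
            errors.append(f"{s.cidr}: private subnet routes straight to the IGW")
        if s.default_route.startswith("nat:"):
            nat_az = s.default_route.split(":", 1)[1]
            if not any(h.public and h.az == nat_az and "nat-gateway" in h.roles
                       for h in subnets):
                errors.append(f"{s.cidr}: no NAT gateway in a public subnet of {nat_az}")
        if "rd-gateway" in s.roles and not s.public:
            errors.append(f"{s.cidr}: RD Gateway must sit in a public subnet")
    return errors


def build_reference_layout():
    """Two AZs: domain controllers private, NAT and RD Gateways public."""
    subnets = wire_routes(plan_subnets(VPC_CIDR, AZS, TIERS))
    for s in subnets:
        s.roles.extend(["nat-gateway", "rd-gateway"] if s.public else ["domain-controller"])
    return subnets


if __name__ == "__main__":
    layout = build_reference_layout()
    for s in layout:
        print(f"{s.tier:10} {s.az}  {str(s.cidr):15} default -> {s.default_route:8} {s.roles}")
    print("spare blocks:", [str(b) for b in unallocated(VPC_CIDR, layout)])
    print("placement errors:", placement_errors(layout) or "none")
```

Changing a private subnet's default route to "igw", or adding the "domain-controller" role to a public subnet, makes placement_errors() report the violation; the same checks can be pointed at the route tables and subnet tags of a deployed VPC to confirm it still matches the design described above.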