Web Application Proxy and AD FS on AWS
Web Application Proxy and AD FS Quick Start

Step 1. Prepare an AWS Account

  1. If you don't already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

  2. Use the region selector in the navigation bar to choose the AWS Region where you want to deploy Web Application Proxy and AD FS on AWS.

    For more information, see Regions and Availability Zones. Regions are dispersed and located in separate geographic areas. Each Region includes at least two Availability Zones that are isolated from one another but connected through low-latency links. This Quick Start uses the c4.2xlarge instance type for the Web Application Proxy and AD FS portion of the deployment.

    Figure 2: Choosing an AWS Region


    Consider choosing a region closest to your data center or corporate network to reduce network latency between systems running on AWS and the systems and users on your corporate network.

  3. Create a key pair in your preferred region. To do this, in the navigation pane of the Amazon EC2 console, choose Key Pairs, Create Key Pair, type a name, and then choose Create.

    Figure 3: Creating a key pair

    Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. To be able to log in to your instances, you must create a key pair. With Windows instances, you use the key pair to obtain the administrator password via the Amazon EC2 console, and then log in using Remote Desktop Protocol (RDP), as explained in the step-by-step instructions in the Amazon Elastic Compute Cloud User Guide.

  4. If necessary, request a service limit increase for the Amazon EC2 c4.2xlarge instance type. To do this, in the AWS Support Center, choose Create Case, Service Limit Increase, EC2 instances, and then complete the fields in the limit increase form, as shown in Figure 4. The current default limit is 20 instances.

    You might need to request an increase if you already have an existing deployment that uses this instance type, and you think you might exceed the default limit with this reference deployment. It might take a few days for the new service limit to become effective. For more information, see Amazon EC2 Service Limits in the AWS documentation.


    The Quick Start uses five Elastic IP addresses by default: two for the NAT gateways, two for the proxies, and one for the RD Gateway instance. The default limit for Elastic IP addresses is five per AWS Region. If you’re planning to deploy multiple RD Gateway instances by configuring the Number of RDGW Hosts parameter, we recommend that you also request an increase in the Elastic IP address limit: In the AWS Support Center, choose Create Case, Service Limit Increase, Elastic IPs, and then complete the fields.

    Figure 4: Requesting a service limit increase
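
The checks in steps 3 and 4 can also be scripted with the AWS CLI before launching the stack. The following is an added example, not part of the Quick Start: it compares free Elastic IP addresses against what the deployment needs and creates the key pair with the private key readable only by its owner. The function names are hypothetical, and it assumes the AWS CLI is installed and configured; the Region and key name are supplied by the caller.

```shell
#!/bin/sh
# Added example: preflight checks for Step 1 (not part of the Quick Start).
# Assumes a configured AWS CLI; Region and key name are caller-supplied.

# Elastic IPs the stack needs: 2 NAT gateways + 2 proxies + 1 per RD Gateway host.
eips_required() {
    echo $((2 + 2 + ${1:-1}))
}

# Elastic IPs already allocated in the Region ($1).
eips_allocated() {
    aws ec2 describe-addresses --region "$1" \
        --query 'length(Addresses)' --output text
}

# Elastic IP limit for the Region ($1), as reported by describe-account-attributes.
eips_limit() {
    aws ec2 describe-account-attributes --region "$1" \
        --attribute-names vpc-max-elastic-ips \
        --query 'AccountAttributes[0].AttributeValues[0].AttributeValue' \
        --output text
}

# Usage: check_eip_headroom REGION [RDGW_HOSTS]. Returns 1 if an increase is needed.
check_eip_headroom() {
    need=$(eips_required "${2:-1}")
    used=$(eips_allocated "$1")
    limit=$(eips_limit "$1")
    free=$((limit - used))
    if [ "$free" -lt "$need" ]; then
        echo "Need $need Elastic IPs, $free free (limit $limit): request an increase"
        return 1
    fi
    echo "OK: $free Elastic IPs free, $need required"
}

# Usage: create_key_pair REGION NAME. Writes NAME.pem with owner-only permissions
# and refuses to overwrite an existing private key file.
create_key_pair() {
    out="$2.pem"
    [ -e "$out" ] && { echo "$out already exists" >&2; return 1; }
    if ( umask 077; aws ec2 create-key-pair --region "$1" --key-name "$2" \
            --query 'KeyMaterial' --output text > "$out" ); then
        chmod 400 "$out"
    else
        rm -f "$out"; return 1
    fi
}
```

The private key is returned only once, at creation time, so store the `.pem` file somewhere access-controlled; it is what decrypts the Windows administrator password.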