Join the ECS instance (host) to the domain - Replatform .NET Applications with Windows Containers

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

Join the ECS instance (host) to the domain

There are many ways to join the ECS instance to an Active Directory domain. It can be done manually (by connecting to the instance through RDP) or automatically. AWS enables you to save costs by automatically reducing compute capacity in times of low demand, and provision more capacity when demand increases. To take advantage of this elasticity, a best practice is to use Auto Scaling groups for provisioning ECS instances.

The User Data section in the launch template/configuration that is used with the Auto Scaling group can include domain join commands. If your Active Directory domain is based on AWS Directory Service, or you use AD Connector to connect to an on-premises Active Directory domain, you can use AWS Systems Manager Run Command and run the AWS-JoinDirectoryServiceDomain document. This approach has two prerequisites, described as follows.

  1. If the ECS instances and the Active Directory domain are provisioned in different VPCs, make sure that the VPCs can communicate through VPC peering or a transit gateway.

  2. The ECS instances need permissions (through IAM policies) to communicate to the Systems Manager and Directory Service APIs. AWS recommends creating custom policies that take into account your system needs and security requirements. However, as a starting point, you can use the following policies:

    • AmazonSSMManagedInstanceCore — This AWS managed policy enables an instance to use Systems Manager service core functionality.

    • AmazonSSMDirectoryServiceAccess — This AWS managed policy allows AWS Systems Manager Agent (SSM Agent) to access AWS Directory Service on your behalf for requests to join the Active Directory domain by the managed instance.
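As an added illustration (not code from the whitepaper), the following is a User Data block for the Windows ECS instance launch template that applies the approach above: it reads the instance ID and Region through IMDSv2, then asks Run Command to execute AWS-JoinDirectoryServiceDomain against the instance itself. It assumes the ECS-optimized Windows AMI (which ships SSM Agent and the AWS Tools for PowerShell), an instance profile carrying the two managed policies listed above, and placeholder values for the directory ID, domain name, DNS addresses and cluster name.

```powershell
<powershell>
# Constructed placeholders: replace with your own directory and cluster details.
$directoryId   = 'd-xxxxxxxxxx'                 # AWS Managed Microsoft AD or AD Connector ID
$directoryName = 'corp.example.com'             # fully qualified domain name
$dnsIps        = @('10.0.0.10', '10.0.1.10')    # DNS servers that resolve the domain
$ecsCluster    = 'windows-cluster'              # assumed ECS cluster name

# Register the host with ECS first; the domain join below ends with a reboot.
Initialize-ECSAgent -Cluster $ecsCluster -EnableTaskIAMRole

# Identify this instance via IMDSv2 (session token required, no unauthenticated GETs).
$imds  = 'http://169.254.169.254/latest'
$token = Invoke-RestMethod -Method PUT -Uri "$imds/api/token" `
             -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '300' }
$hdr        = @{ 'X-aws-ec2-metadata-token' = $token }
$instanceId = Invoke-RestMethod -Headers $hdr -Uri "$imds/meta-data/instance-id"
$region     = Invoke-RestMethod -Headers $hdr -Uri "$imds/meta-data/placement/region"

# SSM Agent registers the instance shortly after boot; Run Command rejects the
# instance ID until then, so retry a bounded number of times instead of failing.
$cmd = $null
for ($attempt = 0; $attempt -lt 12 -and -not $cmd; $attempt++) {
    try {
        $cmd = Send-SSMCommand -Region $region -InstanceId $instanceId `
                   -DocumentName 'AWS-JoinDirectoryServiceDomain' `
                   -Comment "Domain join for $instanceId" `
                   -Parameter @{
                       directoryId    = $directoryId
                       directoryName  = $directoryName
                       dnsIpAddresses = $dnsIps
                   }
    } catch {
        Start-Sleep -Seconds 15
    }
}
if (-not $cmd) {
    throw "Instance $instanceId was not accepted by Systems Manager after $attempt attempts"
}

# Record the command ID so the join can be audited in Systems Manager.
Write-Output "Submitted AWS-JoinDirectoryServiceDomain, CommandId: $($cmd.CommandId)"
</powershell>
```

Because the document restarts the host once the join succeeds, check the outcome from the Systems Manager Run Command history (or Get-SSMCommand with the logged CommandId) rather than from inside this script, and add the optional directoryOU parameter if computer objects must land in a specific OU.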