AWS Directory Service – AD Connector – A Short Overview

I really like the kinds of services Amazon is concentrating on these days: Directory Service, Zocalo, Containers, Lambda and so on. This clearly shows the breadth of innovation areas in AWS. This time, let's look at what the AWS Directory Service AD Connector is.

What is AD Connector?

  • AD Connector is a SaaS-like offering: a plug-and-play service, fully managed by Amazon.
  • It makes use of an existing Active Directory running on-premises or in the cloud to authenticate and authorize access to the AWS Console and AWS resources; this means you don't need to create and manage IAM users from the AWS Console, but can use the AD that is already configured in your data center.
  • Continue using the centralized credentials, users, access and policy from the same corporate directory, but this time for the AWS Console and AWS resources.
  • Directory synchronization, availability, connectivity and federation are taken care of by the service.
  • MFA authentication can also be enabled if required.

What are the Prerequisites?

  • A VPC with two subnets in different Availability Zones
  • A hardware VPN connection to the AWS VPC
  • Firewall and ports opened for 53 (DNS), 88 (Kerberos) and 389 (LDAP), TCP and/or UDP as appropriate
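A pre-flight check for these prerequisites, as an added example that is not part of the original post or any AWS tooling: run from an EC2 instance in one of the two connector subnets, it resolves the SRV records a domain member uses to locate a domain controller and then tests the TCP ports listed above against each controller. It assumes `dig` is installed on the instance; the domain name and the sample records in the test are placeholders.

```python
"""AD Connector pre-flight check (added example, not AWS code; domain is a placeholder).
Resolves the LDAP and Kerberos SRV records, then tests TCP 53 (DNS), 88 (Kerberos)
and 389 (LDAP) on every domain controller they name. Needs `dig` on the instance."""
import socket
import subprocess

PORTS = {53: "DNS", 88: "Kerberos", 389: "LDAP"}


def srv_names(domain: str) -> list:
    # SRV records a domain member (and AD Connector) queries to find a DC
    return [f"_ldap._tcp.dc._msdcs.{domain}", f"_kerberos._tcp.{domain}"]


def parse_srv(dig_short: str) -> list:
    """`dig +short SRV` lines ('prio weight port target.') -> (host, port),
    lowest priority first; blank or malformed lines are skipped."""
    recs = []
    for parts in (line.split() for line in dig_short.splitlines()):
        if len(parts) == 4 and parts[0].isdigit() and parts[2].isdigit():
            recs.append((int(parts[0]), parts[3].rstrip("."), int(parts[2])))
    recs.sort()
    return [(host, port) for _, host, port in recs]


def resolve_srv(name: str, dns_server: str = "") -> list:
    # Querying the AD DNS server's private IP directly also exercises UDP 53.
    cmd = ["dig", "+short", "+time=3", "SRV", name]
    if dns_server:
        cmd.insert(1, f"@{dns_server}")
    return parse_srv(subprocess.run(cmd, capture_output=True, text=True).stdout)


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    # A refused or timed-out connect points at security group, NACL or firewall rules.
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(domain: str, dns_server: str = "") -> dict:
    """Check name -> pass/fail. An empty SRV answer is the 'unable to find
    SRV records' failure AD Connector reports when the records are unreachable."""
    results, hosts = {}, set()
    for name in srv_names(domain):
        targets = resolve_srv(name, dns_server)
        results[f"srv {name}"] = bool(targets)
        hosts.update(h for h, _ in targets)
    for host in sorted(hosts):
        for port, proto in PORTS.items():
            results[f"tcp {host}:{port} {proto}"] = tcp_open(host, port)
    return results
```

Call `preflight("corp.example.com", "10.0.1.10")` with your own directory DNS name and the private IP of the AD instance; any `False` entry names the record or port to fix before creating the connector.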

What are your Responsibilities?

  • Creating the IAM Roles to map to the Active Directory users / groups
  • Ensuring the uptime and connectivity of the on-premises Active Directory

What are the AWS Resources created by AD Connector in the Account?

I was able to observe the following automatically created in my account once I had successfully finished creating and configuring the AD Connector:
  • 2 ENIs (placed in the specified subnets)
  • 2 Security Groups (each having all traffic enabled between themselves)

Can it be used for AD already running in EC2?

  • Yes. In fact, this post illustrates that exact use case.

Architecture 

Installation & Setup

  • Once Active Directory Domain Services is installed on the EC2 instance, you will need details such as the user name and password, the NetBIOS name and the directory DNS name.
  • The important thing to note here is to use the PRIVATE IP of the EC2 instance (for this scenario).
  • Once the setup is completed, you get to see the status.

The access URL is configured as the entry point to the AWS Console (and/or Amazon WorkSpaces, Amazon Zocalo). Once that is done, you need to explicitly enable AWS Management Console access.
You will now be prompted with a dialogue box to start the wizard for the IAM Role and AD user association.
Click on New Role; this will be an IAM Role.
Both creating a new IAM Role and modifying existing Role(s) can be done in this step.
When choosing Create New Role, you will notice the same predefined IAM Role templates as in Identity and Access Control in the AWS Management Console.
On navigating to the next step, you can search for existing users / groups, which are populated from your Active Directory.

Now the specified IAM Role and AD user (or group) are associated. With this, your AD users can start using the AWS Management Console with the same AD credentials.

https://ADConnectorEndPoint.awsapps.com/console

When you log in to the Access URL, you will be prompted to enter the organization name (the public endpoint, without the .awsapps.com part of the URL), the user name and the password (from your AD).

3 thoughts on “AWS Directory Service – AD Connector – A Short Overview”

  1. We have our AD hosted on AWS and on a physical server in our data centers. I was creating an AD Connector for AWS WorkSpaces, but it is failing with the error "unable to find SRV records" (LDAP and Kerberos authentication). I have allowed the AD ports via Security Groups, and the Network ACLs are all allowed. We have created a new subnet on AWS, created the same subnet in AD and mapped an AWS AD Site to it.
    Please help …


    1. Based on what you have mentioned, I would start with allowing all access between the AD Connector and the AD instances and try the handshake. If that succeeds, please check the rules again. If not, the problem is elsewhere.
