© 2020, Amazon Web Services, Inc. or its Affiliates.
Hans Moser
Senior Partner Solutions Architect – Microsoft Workloads
Active Directory on AWS to Support Windows Workloads
About me
Hans Moser
• Tyrolean/Austrian
• Not a relative of the Austrian actor
• 2 years AWS
• 5 years Microsoft
• 13 years in various companies across Austria
• Infra, Identity, Exchange, PowerShell
• Website/Twitter/LinkedIn/Xing etc. exist, but not really active
What we’ll cover today
• Why Windows Workloads on AWS are AWSome
• Basics
• Active Directory Options on AWS
• DNS in a hybrid world
• AWS SSO
Why are customers choosing AWS for Windows Workloads?
(Slide figure: timeline of Windows on AWS, 2008 to today, 12 years of experience, grouped by track.)
• Windows Server & EC2: Windows Server 2003; WS 2008 & SQL Server 2008; Windows Server 2008 R2; Windows Server 2012; Windows Server 2016; Windows Server 1803; EC2 Dedicated Instances (BYOL); EC2 Dedicated Hosts (BYOL); Dedicated Host Enhancement Tag-On; EC2 Run Command; EC2 Systems Manager; Sessions Manager; Application-consistent Snapshots through VSS; Windows for Lightsail; Hyper-V support in SMS; Trusted Advisor checks for Windows; SAP instance on AWS 2012; Microsoft SCVMM Plug-in; Microsoft SharePoint 2016 (Marketplace); Microsoft SCOM plug-in release; Visual Studio Toolkit; AWS Directory Service; EC2 Windows on Bare Metal/Hyper-V AMI; Application migration using AWS SMS; Active Directory Cross VPC Support; AWS License Manager; Amazon FSx for Windows File Server
• SQL Server: SQL Server 2008 R2; Amazon RDS adds SQL Server; SQL Server 2012; SQL Server 2016; SQL Server 2017; SQL Server 2008 Upgrade; SQL 2017 AMI AL2/Ubuntu; AWS Launch Wizard for SQL Server; SQL Server 2019 on EC2
• .NET: .NET SDK; AWS Tools for Windows PowerShell; DynamoDB Accelerator SDK for .NET; .NET on Lambda & AWS CodeBuild; .NET Core 2.1 Support with Lambda & X-Ray; X-Ray .NET SDK; AWS X-Ray .NET Core Support; CloudWatch AppInsights for .NET and SQL; .NET Developer Hub
• App Modernization: .NET Core & PowerShell on AL2/Ubuntu; Windows Deep Learning AMI; .NET Core on Linux AMIs; Lambda Support for PowerShell Core; Amazon ECS for Windows Containers; Amazon EKS for Windows; Mono support on AL2
AWS is the best place to run Windows workloads
Slide callouts: instance types across 22 instance families; different AMIs for Windows workloads; Windows ISV listings in AWS Marketplace (figures shown on the slide: 90+, 40+, 750+).
Scale globally with resilience in every region
A Region is a physical location in the world where we have multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.
Plans for nine more Availability Zones and three more AWS Regions in Indonesia, Japan, and Spain.
(Slide figure: an AWS Region made up of several Availability Zones, each containing data centers, connected through transit AZs.)
What do customers need to think about before migrating?
Network Design
• VPC design
• Subnet design
• Access Control Lists & Security Groups
• Logging and Monitoring
• VPN / AWS Direct Connect
(Slide figure: these building blocks laid out inside the AWS Cloud.)
What Does Every Enterprise Microsoft Service Depend On?
Identities
• Users
• Groups
• Computer Accounts
• Service Accounts
• …
Microsoft Active Directory on AWS provides
• Choice
• Managed Service
• Familiar management tools
• Easy integration
Active Directory Options on AWS
Active Directory Architecture Options
1. On-premises: Windows Server DC (AD on-premises, you manage)
2. AWS: AD on EC2 (you manage)
3. AWS: AWS Managed AD (AWS manages)
4. AWS: AD Connector to AD on premises
5. AWS: Claims-based auth (CBA) integration with AD / SAML – AD integration
AD On-premises Overview
• Establish network connectivity between your on-premises environment and AWS either via VPN or Direct Connect
• AWS resources use your on-premises AD domain controllers for any AD operations.
• Usually a first step to a longer term solution.
(Slide figure: EC2 instances in the AWS Cloud reach AD on-premises in the corporate data center over AWS Direct Connect or AWS Site-to-Site VPN.)
AD On-premises Considerations
Benefits
• Leverage on-premises AD
Considerations
• Latency across the network connection to on-premises AD servers
• Will need to add AD Connector or Managed AD to support AWS services (e.g. SSO, Workspaces, RDS, Chime, Connect, domain auto join, etc.)
AD on EC2 Overview
• You create EC2 Instances in AWS
• You promote instances to be Microsoft Active Directory domain controllers in the same on-premises AD forest.
• Could be in the same AD domain as on-premises or a new AD domain.
(Slide figure: AD on EC2 in the AWS Cloud replicates with AD on-premises in the corporate data center over AWS Direct Connect or AWS Site-to-Site VPN.)
AD on EC2 Considerations
Benefits
• Leverage same AD as on-premises
• You are domain administrators and have full permissions in the environment.
• Use same AD schema, users, and configuration as on-premises AD
• Can load applications that require extensive AD permissions (e.g. MS Exchange)
• Supports multiple regions
Considerations
• You are responsible for patching, managing, and maintaining the AD domain.
• Will need to add AD Connector or Managed AD to support AWS services (e.g. AWS SSO, Amazon Workspaces, Amazon RDS, Amazon Connect, EC2 domain auto join, etc.)
General Design Considerations
• Customer responsible for patching, monitoring, backups, and high availability
• Place domain controllers in a minimum of two Availability Zones to provide high availability
• Treat Availability Zones as you would distinct data centers (e.g. AD Sites)
Security / Network Considerations
• Active Directory best practices still apply in AWS
• Control access to your domain controller instances
• Domain controllers should not be internet-facing
• Place domain controllers and other non-internet-facing servers in private subnets
• Use NACLs and security groups to control what ports are open in Active Directory
• EC2 instances have dynamic IPs (and that’s fine, also for DCs; DHCP reservation on ENI)
• DHCP Option Sets / VPC
AD Backup and Recovery Considerations
Do not use snapshots for AD DS backups
• Crash-consistent, not application-consistent
• VM ID not supported in Amazon EC2
Use Windows System State backups
• Create a dedicated EBS volume for system state backups
• Snapshot system state backups to Amazon S3/Amazon Glacier for long-term retention
• AWS Backup plans via tags
AWS Managed Microsoft Active Directory Service
Amazon—Fully managed AD directory service
• Sets up 2 AD domain controllers in a new AD forest
• Manages (patches, monitors, backs up)
• Comes in 2 editions*
Customer—administer and configure
• Administer users, groups, GPOs, other AD content
• Administration via Active Directory Users and Computers (ADUC) and other standard AD tools
• Configure password policies
• Add domain controllers as needed
• Configure trusts (resource forest deployment)
• Configure certificate authorities (for LDAPS)
• Configure federation
* Standard: 1 GB, ~5k employees, ~30k objects; Enterprise: 17 GB, >5k employees, ~500k objects
AWS Managed Microsoft Active Directory Service
Benefits
• AWS manages the hardware and software (patching, backing up, monitoring)
• Can establish an AD trust with your on-premises AD to leverage the existing AD users and groups
• Supports AWS services (e.g. AWS SSO, Amazon Workspaces, Amazon Connect, EC2 domain auto join, etc.)
Considerations
• You get a delegated admin (not domain admin) and delegated groups
• Each AWS Managed Microsoft AD supports one AWS region.
• Each AWS Managed Microsoft AD is a new AD forest.
AWS AD Connector
• Proxy solution to AD domain controllers (either on-premises or Managed AD)
• Sign in to AWS applications (e.g. AWS SSO, Amazon WorkSpaces, Amazon WorkDocs)
• Seamless domain join for Windows instances
• Federated sign-in to AWS Console
(Slide figure: AD Connector in the AWS Cloud proxies to AD on-premises in the corporate data center over AWS Direct Connect or AWS Site-to-Site VPN, or to Managed AD, potentially in another AWS account or region; Amazon EC2 instances use the connector.)
AWS AD Connector
Benefits
• AWS manages the hardware and software
• Supports AWS services (e.g. AWS SSO, Amazon Workspaces, Amazon Connect, EC2 domain auto join, etc.)
• Leverages your on-premises AD
Considerations
• Provides a proxy connection to Active Directory
• Application compatibility
• Requires a self-managed AD or AWS Managed AD
Claims Based Auth – AD Integration
• AWS SSO provides integration to 3rd party Identity Providers (e.g. Azure AD, Google, Okta, Ping).
(Slide figure: on-premises Active Directory reaches AWS Single Sign-On either through ADFS or through AD Connector / Managed AD on Amazon EC2 in the AWS Cloud; Office365, Ping and Okta appear as further identity providers.)
AWS SAML – AD Integration
Benefits
• Can leverage the customer’s existing Identity Provider.
• AWS SSO supports SCIM sync from Azure AD
Considerations
• Some AWS services don’t support a SAML integration (e.g. Amazon Workspaces, Amazon RDS, Amazon Connect, EC2 domain auto join, etc.)
• These services will still need an AD integration
Demo
Managed Active Directory Administration
Migration
SMS, DMS, CloudEndure?
Microsoft Active Directory migration using ADMT
(Slide figure: an on-premises department.local domain (DC1, domain client) on the department network with a trust relationship to AWS Managed Active Directory spanning Availability Zones A and B; ADMT with PES installed; connectivity over VPN or Direct Connect.)
Hybrid DNS Design
DNS and Windows EC2 Seamless Domain Join
With seamless domain join
• Static DNS servers are set inside the Windows instance
• DNS server IPs are provided by Managed AD or AD Connector
Without seamless domain join
• 'Obtain DNS server address automatically' within the instance
• DHCP setting controlled by the DHCP option set for the particular VPC
• By default points to the Route 53 address (VPC +2)
Route 53 Resolver Endpoints
Inbound endpoints
• Allow on-premises resolvers to query Route 53 Resolver
• Create routable ENIs in the VPC reachable over AWS Direct Connect or VPN
Outbound endpoints
• Path for the Route 53 Resolver to query your DNS resolvers
• Create source ENIs in your VPC
• Usable by many VPCs
Limit: 10,000 QPS per ENI
(Slide figure, inbound endpoints: clients and DNS resolver servers on the corporate network query, over Direct Connect, inbound resolver endpoints placed in two Availability Zones of the VPC; Route 53 Resolver at VPC +2 answers for names the instances own.)
(Slide figure, outbound endpoints: instances in the VPC query the VPC +2 resolver; for the zones mycompany.com and 168.192.in-addr.arpa, e.g. Query: foo.mycompany.com/A, outbound resolver endpoints in two Availability Zones forward over Direct Connect to the DNS resolver servers on the corporate network.)
Route 53 Resolver Rules
• Configure how Route 53 Resolver makes queries
• Two types: FORWARD and SYSTEM
(Slide figure, Route 53 Resolver processing order: 1. Private DNS, then DNS Resolver 1, then DNS Resolver 2.)
Hybrid DNS Summary
• Multiple options when using AWS Managed AD or AD on EC2
• Microsoft AD best practices still apply (e.g. DCs as DNS, secure dynamic updates, AD-integrated zones, etc.)
• Conditional forwarders can point to the .2 Route 53 resolver (e.g. Route 53 private zones)
• Keep DNS resolution local to the region
For more details see: AWS re:Invent 2019: Deep dive on DNS in the hybrid cloud (NET410)
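To tie together the VPC +2 resolver, the FORWARD/SYSTEM rule types and the mycompany.com forwarding shown in the resolver slides, here is an added example (not from the deck or from AWS) that models how Route 53 Resolver picks a rule for a query name: the most specific matching domain wins, so a SYSTEM rule for a sub-zone keeps it inside the VPC while the parent zone forwards on-premises. The rule set, target IPs and query names are constructed.

```python
import ipaddress

def vpc_plus_two(vpc_cidr):
    """Address of the Amazon-provided DNS resolver for a VPC: CIDR base + 2."""
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    return str(net.network_address + 2)

def _matches(rule_domain, qname):
    """A rule for example.com covers example.com itself and any subdomain."""
    q, d = qname.rstrip(".").lower(), rule_domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)

def select_rule(rules, qname):
    """Return the rule Route 53 Resolver would apply to qname, or None."""
    hits = [r for r in rules if _matches(r["domain"], qname)]
    if not hits:
        return None  # no rule: Resolver answers from VPC DNS / private zones
    # Most specific (longest) domain wins when several rules match.
    return max(hits, key=lambda r: len(r["domain"].rstrip(".")))

def resolve_path(rules, qname):
    """Where a query goes: ("FORWARD", targets) to your DNS, or ("SYSTEM", [])."""
    rule = select_rule(rules, qname)
    if rule is None or rule["type"] == "SYSTEM":
        return ("SYSTEM", [])
    return ("FORWARD", rule["targets"])

# Constructed rule set: forward the AD domain and its reverse zone to the
# on-prem DNS resolvers (via an outbound endpoint), but keep an AWS-hosted
# sub-zone resolving inside the VPC.
ONPREM_DNS = ["192.168.10.53", "192.168.11.53"]  # constructed addresses
RULES = [
    {"domain": "mycompany.com", "type": "FORWARD", "targets": ONPREM_DNS},
    {"domain": "168.192.in-addr.arpa", "type": "FORWARD", "targets": ONPREM_DNS},
    {"domain": "aws.mycompany.com", "type": "SYSTEM", "targets": []},
]

if __name__ == "__main__":
    print("VPC resolver:", vpc_plus_two("10.0.0.0/16"))
    for name in ("foo.mycompany.com", "db.aws.mycompany.com",
                 "5.10.168.192.in-addr.arpa", "amazon.com"):
        print(name, "->", resolve_path(RULES, name))
```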
AWS Single Sign-On (SSO)
Centrally manage access
(Slide figure: AWS SSO connects external SAML IdPs (e.g. AzureAD, Okta, Ping, OneLogin, etc.), SAML apps (SaaS, on-prem, custom in AWS) and multiple AWS accounts.)
AzureAD & AWS SSO: Inbound SAML & SCIM
SCIM: System for Cross-domain Identity Management. Think: provisioning users & groups (minus creds)
• In advance/on-going: user & group information is replicated from Azure AD to AWS Single Sign-On via SCIM (no creds)
SAML: Security Assertion Markup Language. Think: runtime authentication
• At runtime: Azure AD authenticates the user to AWS Single Sign-On via SAML, and AWS & app entitlements grant access to multiple AWS accounts (console, CLI, API)
AWS SSO - Looking ahead
(Slide figure: AWS Single Sign-On takes a choice of identities, SSO native identities, external IdP identities (e.g. AzureAD, Okta, Ping, OneLogin, etc.) and Active Directory identities, adds SmartAuth, and applies AWS & app entitlements to multiple AWS accounts (console, CLI, API), AWS 1st party applications and SAML apps (SaaS, on-prem, custom in AWS).)
Choice of identities; cloud ready & integrated; 1 identity, use everywhere
Demo
AWS SSO
Summary
Today we covered
• Microsoft Active Directory Options on AWS
• DNS Options when using Active Directory on AWS
• How AWS SSO can help you with central access management
For more details see: AWS re:Invent 2019: Managing user permissions at scale with AWS SSO (SEC308)
Thank You
Q&A
Feel free to use the chat for your questions, or reach out to us directly