© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

SEC306 – Using Microsoft Active Directory Across On-Premises and AWS Cloud Windows Workloads
Ron Cully, Senior Product Manager, AWS Directory Service
July 27, 2017
What to expect from the session
How AD is used – Why AD is important in the cloud
Deployment Options – Supporting Windows workloads in the cloud
How to choose – Considerations for selection
Trusts vs. Sync – Alternatives to replication
How AD is used – Why AD is important in the cloud

Why AD is important in the cloud (figure: migration path)
Source: Implementing an Identity Strategy for Amazon Web Services, Gartner Group, 24 Feb 2017
How AD works with computers (diagram)
Computers depend on AD for domain join, machine authentication, Group Policy, and LDAP.
AuthN – Authentication
GPO – Group Policy Object
LDAP – Lightweight Directory Access Protocol

How AD works with users (diagram)
Users depend on AD for user authentication, group membership, and login scripts, on top of the computer-level domain join, machine authentication, GPO, and LDAP interactions.

How AD works with services (diagram)
Services (an application tier and a database tier) rely on the same user authentication, group membership, and login script interactions, plus domain join, machine authentication, GPO, and LDAP.

How AD works in federated SaaS solutions (diagram)
Users reach SaaS applications through federated authentication (SAML) and Kerberos authentication; the application and database tiers (shown on Amazon EC2, Amazon DynamoDB, and Amazon WorkSpaces) still depend on domain join, machine authentication, GPO, and LDAP.

What if you migrate these parts to AWS? (diagram)
The same dependencies follow the application tier into AWS: user authentication, group membership, login scripts, federated (SAML) and Kerberos authentication, domain join, machine authentication, GPO, and LDAP. The open question on the slide is RDS for SQL Server (?), which also needs an AD to authenticate against.
Deployment Options – Supporting Windows workloads in the cloud
AD options – Where to run AD (diagram)
Option 1: On-premises Windows Server DC running AD – you manage.
DC – Active Directory Domain Controller
VPC – Amazon Virtual Private Cloud
Endpoint – Accessed via IP address in your VPC
AD options – On-premises
• Create a VPN or Amazon Direct Connect link to your VPC
• Manually domain join EC2 instances to on-premises AD
• Use the VPC as an extension of your network
• Security considerations
• Latency considerations?
(Diagram: option 1, on-premises Windows Server DC running AD – you manage.)
AD options – Where to run AD (diagram)
Option 1: On-premises Windows Server DC running AD – you manage.
Option 2: EC2 for Windows Server DC running AD in your VPC – you manage.
AD options – EC2 self-managed
Your responsibilities
• Availability deployment strategy
• EC2 DC configuration
• DNS configuration
• Sites and Services configuration
• Monitoring
• DC recovery
• Backup
• Restore
• Security group configuration
• Manual EC2 domain joining
• Patch Tuesday management
AWS Directory Service is required for AWS enterprise applications and services to authenticate to your self-managed AD.
(Diagram: option 1, on-premises DC – you manage; option 2, EC2 for Windows Server DC in your VPC – you manage, with AWS Directory Service alongside it.)
AD options – Where to run AD (diagram)
Option 1: On-premises Windows Server DC running AD – you manage.
Option 2: EC2 for Windows Server DC running AD in your VPC – you manage.
Option 3: AWS Microsoft AD, reached through a VPC endpoint – AWS manages.
AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. AWS Microsoft AD
AD options – AWS Microsoft AD
Windows 2012 R2 domain controllers (DC)
• ~3-click setup
• 2 DCs, each in a different Availability Zone (AZ)
Standalone or connected to your AD with trusts
AWS apps and services integration
• EC2 seamless domain join
• RDS for SQL Server authentication and authorization
• WorkSpaces, QuickSight Enterprise, and Chime Plus/Pro provisioning and authentication
AD options – AWS Microsoft AD
Some constraints
• AWS is domain admin
• You get an OU and delegated admin over the OU
• AWS apps/services/EC2¹ must be in the same VPC
• Conservative delegated permissions² to your OU admin account
• Application enablement blocks some apps
• Some admin functions unavailable
¹ EC2 can domain join manually in peered VPC configurations
² Delegations are being expanded over time
AD options – AWS Microsoft AD
Amazon responsibilities – Operate
• Multi-AZ deploy, patch, monitor, DC recovery, snapshot, restore
Your responsibilities – Administer
• Administration via Active Directory Users and Computers (ADUC) and other standard AD tools
• Administer users, groups, GPOs, and other AD content
AD options – Connecting AD in cloud to on-premises (diagram)
1. Replication – your DCs only: the on-premises Windows Server DC replicates with an EC2 for Windows Server DC in the VPC.
2. 1-way or 2-way trust – your DCs or AWS Managed Microsoft AD: the on-premises Windows Server DC holds a trust with the DC in the VPC.
3. Sync users – depends (third-party sync): a third-party tool synchronizes users from the on-premises Windows Server DC to an EC2 for Windows Server DC in the VPC.
Example: On-premises AD (diagram)
The application runs in two Availability Zones, each with a private subnet (10.0.2.0/24 and 10.0.3.0/24) holding a SQL Server, an App Server, and an IIS Server (DB/APP/WEB tiers). Remote users and admins and the domain controllers stay in the corporate data center, so every authentication and LDAP request from the cloud tiers crosses the VPN or Direct Connect link to the on-premises DCs.

Example: AD on EC2 with replication or AD trust (diagram)
Same two-AZ application layout, but each Availability Zone also hosts a domain controller on EC2. Authentication and LDAP traffic stays inside the VPC; only the trust or replication traffic between the EC2 domain controllers and the corporate domain controllers crosses the VPN or Direct Connect link.

Example: AWS Microsoft AD trust to on-premises (diagram)
Each Availability Zone holds an App Server and an IIS Server (APP/WEB tiers); the database tier is RDS for SQL Server. AWS Managed Microsoft AD DCs (operated as AWS Managed Services) serve authentication and LDAP inside the VPC and hold a trust with the corporate domain controllers over the VPN or Direct Connect link.

Example: AD on EC2 with sync (diagram)
Same two-AZ layout with domain controllers on EC2 serving authentication and LDAP locally. A third-party sync tool copies users and password changes from the corporate domain controllers over the VPN or Direct Connect link. Users lose single sign-on to the cloud (they get same sign-on instead).
Considerations for AWS apps/services and many VPCs
AWS Microsoft AD requires a trust when used with on-premises AD*
WorkSpaces and RDS for SQL must be in the same VPC as AWS Microsoft AD; QuickSight must be in the same account
• Option 1 – Least cost, fewest trusts
  • Deploy AWS Microsoft AD in one VPC
  • Deploy all RDS for SQL and WorkSpaces instances in the same VPC
  • Use tagging for internal billing
• Option 2 – Easiest billing, complex trust configuration, high cost
  • Deploy AWS Microsoft AD in each VPC
  • Deploy RDS for SQL and WorkSpaces instance(s) in each VPC
* 1-way trust for RDS for SQL Server; 2-way trust to provision Amazon WorkSpaces, Amazon QuickSight, etc.
How to choose – Considerations for selection

Deployment differences

|                      | AWS Microsoft AD                                         | EC2 AD instances                                          | On-premises AD                                                      |
|----------------------|----------------------------------------------------------|-----------------------------------------------------------|---------------------------------------------------------------------|
| Operation management | + AWS managed in the cloud                               | – Customer managed in the cloud                           | – Customer managed on own hardware                                  |
| Availability         | + Built-in redundancy and replication                    | – Customer must design for high availability              | – Customer must design for high availability                        |
| Networking           | Trust¹ ports from cloud to on-premises (least exposed)   | Trust¹ or replication² ports from cloud to on-premises AD | – Open ports to support cloud to on-premises AD³ (most exposed)     |
| Admin control        | Designated OU control; some apps unsupported             | + Full control                                            | + Full control                                                      |

¹ If a trust to on-premises is used, open ports from DCs to on-premises DCs are needed
² AD replication requires more open ports than forest trusts, but is limited to DC-to-DC communications
³ Ports for domain joining, AD interactions, LDAP, etc., plus other firewall decisions for cloud to on-premises access
How to select an Active Directory option

AWS Microsoft AD – choose it when you want to:
• Minimize cost and effort to run AD
• Run RDS for SQL Server¹
• Run AWS Enterprise Applications¹
• Run Windows workloads on EC2² (e.g. SharePoint, SQL Server AlwaysOn Availability Groups, .NET applications)

EC2 AD instances – choose them when you:
• Require a replicated, multi-region AD solution
• Need NetBIOS name resolution support
• Require permissions not yet delegated by AWS Microsoft AD³ (e.g. Exchange, ADFS)

On-premises AD – choose it when:
• Minimal EC2 instances require access to AD
• Latency to AD over the on-premises link is acceptable
• You are comfortable with the connectivity availability to on-premises AD

¹ RDS for SQL, WorkSpaces, QuickSight, and Chime require trusts only if users are on-premises via trust
² Subject to delegation constraints (e.g. password sync, special AD containers)
³ AWS is adding more delegations and application enablement over time
Deployment differences – Which connection model?

|                                            | AWS Microsoft AD with Sync | AWS Microsoft AD with Trust | EC2 AD with Sync | EC2 AD with Trust | EC2 AD Replicated | On-premises |
|--------------------------------------------|----------------------------|-----------------------------|------------------|-------------------|-------------------|-------------|
| App access: SSO to cloud                   | No                         | Yes                         | No               | Yes               | Yes               | Yes         |
| Complexity/effort: EC2 seamless domain join | Yes                       | Yes                         | No               | No                | No                | No          |
| DC configuration                           | Medium                     | Low                         | Highest          | High              | High              | None        |
| Incremental maintenance                    | High                       | Low                         | Highest          | Low               | Medium            | None        |
| Incremental system                         | Medium                     | Low                         | Highest          | High              | High              | None        |
| Incremental entitlement                    | High                       | Low                         | High             | Low               | None              | None        |
| Sites and Services                         | No                         | No                          | No               | No                | Yes               | None        |

Column classifications shown on the slide: Untested, Recommended, If necessary.
Trusts vs. Sync – Alternatives to replication
Customer Feedback: Why sync vs. trusts
Trusts seem scary
• Many admins are unfamiliar with the model and how to secure
• Perception that a trust gives all cloud resources access to on-premises
• Perception that trusts give cloud admins control over on-premises directory
• Trusts require setup coordination (security review, firewall ports, trust setup)
• “Breaks principle” of communication initiation only from on-premises to the cloud
“We are isolating our on-premises from the cloud and need a few users sync’d”
• Only deploying SaaS applications in the cloud (built on Windows)
• Only need a subset of Windows users with “same sign-on” to manage AWS resources via AD
Considerations for syncing identities to the cloud
Do your on-premises users need access to cloud resources that use AD group-based authorization?
• If yes, will users object to having to log out of on-premises and log in to the cloud? (Same sign-on, not single sign-on)
Requires a third-party sync tool
• Special configuration for what gets synced
• Must map from the on-premises directory to the AD structure in the cloud
With AWS Microsoft AD, the tool must not require domain admin
• User creations must be in your OU
Sync adds configuration complexity and latency for managing users
• Incremental entitlements for sync
• What about security groups? How does sync map them to the cloud?
Appropriate for sync – Admins’ user names for RDP (diagram)
Only admin users are synced from the on-premises (or Internet) AD to the cloud AD; the synced identities let AWS resource admins authenticate (user AuthN, group membership, login scripts) to resources such as Amazon EC2 and Amazon DynamoDB, alongside the usual domain join / machine AuthN / GPO / LDAP and federated (SAML) / Kerberos authentication paths.

Complex for sync – Many users to many cloud services (diagram)
Many on-premises (or Internet) users need authorization (AuthZ) across many AD-dependent cloud services (SQL Server AlwaysOn, SharePoint, Exchange, .NET applications), again through federated (SAML) and Kerberos authentication plus domain join / machine AuthN / GPO / LDAP.
Forest trusts
Time tested, secure model
The trusting forest has no admin control over the trusted forest
Trusted users have cloud resource access only if entitled by trusting admins (you control both sides)
Resources in the cloud have no access to on-premises resources unless on-premises trusts the cloud AND on-premises admins grant permissions to user identities in the cloud
(Diagram: the AWS Managed Microsoft AD DC in the VPC is the trusting side (cloud); the Windows AD DC on the on-premises network is the trusted side. Access entitlements live in a security group on the trusting, cloud side.)
No trust vs. 1-way vs. 2-way trusts
Do you need users from one forest to access resources in another forest?
• If no, use no trust
Can you use only a 1-way trust?
• If yes, only use 1-way
• RDS for SQL Server with on-premises users requires at least 1-way
Is a 2-way trust required?
• If yes, use 2-way trust
• WorkSpaces, QuickSight Enterprise Edition, and Chime use 2-way trusts
• The on-premises to AWS Microsoft AD trust is used only to read users/groups to provision them into the application
Always Secure Your Trust
Securing trusts
Leave SID filtering on when setting up the on-premises side of a trust
Turn on selective authentication on the on-premises side of a trust
• https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx#w2k3tr_trust_security_zyzk
Only permit AD trust ports to the DCs in the cloud
• https://technet.microsoft.com/en-us/library/cc756944(v=ws.10).aspx
For cloud-client-to-AD, only permit AD authentication ports to on-premises AD; minimize all other ports from cloud to on-premises (e.g., WorkSpaces login using on-premises credentials)
• https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
Don’t grant groups in the cloud access to on-premises resources
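The trust controls above (SID filtering, selective authentication, trust ports) and the one-way vs. two-way decision from the previous slide can be checked from the on-premises side with a short PowerShell audit. The script below is an added example written for this page; it is not code from the SEC306 deck or from AWS. It assumes the ActiveDirectory RSAT module and Test-NetConnection are available on a domain-joined admin workstation, the trust name cloud.example and the DC addresses are placeholders, the trust-attribute bit values come from MS-ADTS 6.1.6.7.9, and the port list is an assumed baseline that you should confirm against the Microsoft firewall article linked above.

```powershell
# Added example (not from the SEC306 deck or AWS): audit the on-premises side
# of a trust against the "Securing trusts" checklist.
Import-Module ActiveDirectory

# trustAttributes bits, MS-ADTS 6.1.6.7.9
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # SID filtering on (external trusts)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8    # the trust is a forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # selective authentication on
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust honours SID history (filtering relaxed)

# TCP ports a trust needs between on-premises DCs and the cloud DCs.
# Assumed baseline only; verify against the Microsoft firewall guidance.
$TrustTcpPorts = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)

function Get-TrustHardeningReport {
    param(
        [Parameter(Mandatory)] [int]    $TrustAttributes,   # Get-ADTrust .TrustAttributes
        [Parameter(Mandatory)] [string] $Direction          # Inbound / Outbound / BiDirectional
    )
    $isForest = ($TrustAttributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
    # Forest trusts filter SIDs unless TREAT_AS_EXTERNAL is set;
    # external trusts filter SIDs only when QUARANTINED_DOMAIN is set.
    $sidFiltering = if ($isForest) {
        ($TrustAttributes -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -eq 0
    } else {
        ($TrustAttributes -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
    }
    $selectiveAuth = ($TrustAttributes -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -ne 0

    $findings = @()
    if (-not $sidFiltering) {
        $findings += 'SID filtering is off: SID history from the trusted forest would be honoured'
    }
    if (-not $selectiveAuth) {
        $findings += 'Selective authentication is off: every trusted user can authenticate to every resource'
    }
    if ($Direction -eq 'BiDirectional') {
        $findings += 'Two-way trust: confirm the workload (WorkSpaces, QuickSight, Chime) needs it; otherwise use one-way'
    }

    [pscustomobject]@{
        ForestTrust             = $isForest
        SidFilteringEnabled     = $sidFiltering
        SelectiveAuthentication = $selectiveAuth
        Direction               = $Direction
        Findings                = $findings
    }
}

function Test-TrustPorts {
    # Confirms that only the expected trust ports are reachable on the cloud DCs
    # (TCP only; UDP 53/88/389 are not covered by Test-NetConnection).
    param(
        [Parameter(Mandatory)] [string[]] $CloudDc,
        [int[]] $Ports = $TrustTcpPorts
    )
    foreach ($dc in $CloudDc) {
        foreach ($p in $Ports) {
            $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{ Dc = $dc; Port = $p; Open = $r.TcpTestSucceeded }
        }
    }
}

# Usage on an on-premises DC or admin workstation (names/addresses are placeholders):
$trust = Get-ADTrust -Filter "Name -eq 'cloud.example'"
if ($null -eq $trust) { throw 'No trust object named cloud.example found' }
Get-TrustHardeningReport -TrustAttributes $trust.TrustAttributes -Direction $trust.Direction | Format-List
Test-TrustPorts -CloudDc '10.0.2.10', '10.0.3.10' | Where-Object { -not $_.Open } | Format-Table
```

The report works from the raw trustAttributes bits rather than the convenience properties because the polarity of SID filtering differs between forest and external trusts; any entry in Findings is a deviation from the checklist above. Run it again after changing the trust with netdom (the /quarantine, /enablesidhistory and /selectiveauth switches) to confirm the setting took effect.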
Recap
AD is used in many ways and is often required in the cloud
• Where AD-dependent systems exist affects where you place AD
AD on EC2 and AWS Microsoft AD have advantages over using on-premises AD domain controllers
AD on EC2 is appropriate when you require full domain admin permissions or a replicated AD in the cloud
AWS Microsoft AD is
• Appropriate to support resources in the cloud
• Required to support AWS applications and services with on-premises users
Trusts are secure and appropriate when you need SSO from on-premises to AD-dependent workloads in the cloud
Synchronization may be appropriate for isolation with a small set of users
• Sync requires a compatible third-party solution and has many considerations
References
Documentation
• AWS Directory Service – aws.amazon.com/directoryservice
• AWS Microsoft AD – aws.amazon.com/documentation/directory-service/
• RDS for SQL Server – aws.amazon.com/documentation/rds/
AWS Quick Starts – aws.amazon.com/quickstart/
• Active Directory Domain Services
• Exchange Server 2013
• SharePoint Server 2016 Enterprise
• Lync Server 2013
• SQL Server 2014 AlwaysOn
• Windows PowerShell DSC
Thank you!

AWS re:Invent 2016: Simplifying Microsoft Architectures with AWS services (WI...
 
WIN302-Deep Dive on Active Directory From One to Many AWS Regions
WIN302-Deep Dive on Active Directory From One to Many AWS RegionsWIN302-Deep Dive on Active Directory From One to Many AWS Regions
WIN302-Deep Dive on Active Directory From One to Many AWS Regions
 
WIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdf
WIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdfWIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdf
WIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdf
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 

Recently uploaded (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 

SEC306 Using Microsoft Active Directory Across On-Premises and AWS Cloud Windows Workloads

  • 1. Using Microsoft Active Directory Across On-Premises and AWS Cloud Windows Workloads (SEC306)
    Ron Cully, Senior Product Manager, AWS Directory Service
    July 27, 2017
    © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 2. What to expect from the session
    How AD is used – Why AD is important in the cloud
    Deployment Options – Supporting Windows workloads in the cloud
    How to choose – Considerations for selection
    Trusts vs. Sync – Alternatives to replication
  • 3. How AD is used – Why AD is important in the cloud
  • 4. Why AD is important in the cloud
    Migration path
    Source: Implementing an Identity Strategy for Amazon Web Services, Gartner Group, 24 Feb 2017
  • 5. How AD works with computers
    Diagram: Domain Join / Machine AuthN / GPO / LDAP
    AuthN – Authentication; GPO – Group Policy Object; LDAP – Lightweight Directory Access Protocol
  • 6. How AD works with users
    Diagram: User AuthN / Group Membership / Login Scripts; Domain Join / Machine AuthN / GPO / LDAP
    AuthN – Authentication; GPO – Group Policy Object; LDAP – Lightweight Directory Access Protocol
  • 7. How AD works with services
    Diagram: User AuthN / Group Mbrshp / Login Scripts; Domain Join / Machine AuthN / GPO / LDAP
  • 8. How AD works in federated SaaS solutions
    Diagram: App, DB, App; User AuthN / Group Mbrshp / Login Scripts; Federated AuthN (SAML); Kerb AuthN; Domain Join / Machine AuthN / GPO / LDAP
  • 9. What if you migrate these parts to AWS?
    Diagram: Amazon EC2, Amazon DynamoDB, Amazon WorkSpaces, Amazon EC2, RDS for SQL Server (?); App; User AuthN / Group Mbrshp / Login Scripts; Federated AuthN (SAML); Kerb AuthN; Domain Join / Machine AuthN / GPO / LDAP
  • 10. Deployment Options – Supporting Windows workloads in the cloud
  • 11. AD options – Where to run AD
    Diagram: (1) On-premises – Windows Server DC, AD – You Manage
    DC – Active Directory Domain Controller; VPC – Amazon Virtual Private Cloud; Endpoint – Accessed via IP address in your VPC
  • 12. AD options – On-premises
    Create VPN or Amazon Direct Connect link to your VPC
    Manually domain join EC2 instances to on-premises
    Use VPC as an extension of your network
    • Security considerations
    Latency considerations?
    Diagram: (1) On-premises – Windows Server DC, AD – You Manage
    DC – Active Directory Domain Controller; VPC – Amazon Virtual Private Cloud; Endpoint – Accessed via IP address in your VPC
  • 13. AD options – Where to run AD
    Diagram: (1) On-premises – Windows Server DC, AD – You Manage; (2) VPC – EC2 for Windows Server DC, AD – You Manage
    DC – Active Directory Domain Controller; VPC – Amazon Virtual Private Cloud; Endpoint – Accessed via IP address in your VPC
  • 14. AD options – EC2 self-managed
    Your responsibilities
    • Availability deployment strategy
    • EC2 DC configuration
    • DNS configuration
    • Sites and Services configuration
    • Monitoring
    • DC recovery
    • Backup
    • Restore
    • Security group configuration
    • Manual EC2 domain joining
    • Patch Tuesday management
    AWS Directory Service required for AWS enterprise applications and services to authenticate to your self-managed AD
    Diagram: (1) On-premises – Windows Server DC, AD – You Manage; (2) VPC – EC2 for Windows Server DC, AD – You Manage
  • 15. AD options – Where to run AD
    Diagram: (1) On-premises – Windows Server DC, AD – You Manage; (2) VPC – EC2 for Windows Server DC, AD – You Manage; (3) VPC Endpoint – AWS Microsoft AD – AWS Manages
    AWS Directory Service for Microsoft Active Directory (Enterprise Edition) a.k.a. AWS Microsoft AD
    DC – Active Directory Domain Controller; VPC – Amazon Virtual Private Cloud; Endpoint – Accessed via IP address in your VPC
  • 16. AD options – AWS Microsoft AD
    Windows 2012 R2 domain controllers (DC)
    • ~3-click setup
    • 2 DCs each in a different Availability Zone (AZ)
    Standalone or connected to your AD with trusts
    AWS apps and services integration
    • EC2 seamless domain join
    • RDS for SQL Server authentication, authorization
    • WorkSpaces, QuickSight Enterprise, Chime Plus/Pro provisioning and authentication
    Diagram: VPC Endpoint – AWS Microsoft AD
    AWS Directory Service for Microsoft Active Directory (Enterprise Edition) a.k.a. AWS Microsoft AD
  • 17. AD options – AWS Microsoft AD
    Some constraints
    • AWS is domain admin
    • You get an OU and delegated admin over the OU
    • AWS apps/services/EC2¹ must be in same VPC
    • Conservative delegated permissions² to your OU admin account
    • Application enablement blocks some apps
    • Some admin functions unavailable
    Diagram: VPC Endpoint – AWS Microsoft AD
    AWS Directory Service for Microsoft Active Directory (Enterprise Edition) a.k.a. AWS Microsoft AD
    ¹ EC2 can domain join manually in peered VPC configurations
    ² Delegations are being expanded over time
  • 18. AD options – AWS Microsoft AD
    Amazon responsibilities – Operate
    • Multi-AZ deploy, patch, monitor, DC recovery, snapshot, restore
    Your responsibilities – Administer
    • Administration via Active Directory Users and Computers (ADUC) and other standard AD tools
    • Administer users, groups, GPOs, other AD content
    Diagram: VPC Endpoint – AWS Microsoft AD
    AWS Directory Service for Microsoft Active Directory (Enterprise Edition) a.k.a. AWS Microsoft AD
  • 19. AD options – Connecting AD in cloud to on-premises AD
    (1) Replication – Your DCs only (On-premises Windows Server DC, AD ↔ VPC EC2 for Windows Server DC, AD)
    (2) 1-way Trust / 2-way Trust – Your DCs or AWS Managed Microsoft AD (On-premises Windows Server DC, AD ↔ VPC EC2 for Windows Server DC, AD)
    (3) Sync Users – Depends (third-party sync) (On-premises Windows Server DC, AD → VPC EC2 for Windows Server DC, AD)
  • 20. Example: On-premises AD
    Diagram: Corporate data center (Domain Controllers, AD; Remote Users/Admins) linked by VPN / Direct Connect to the Application in two Availability Zones (Private Subnet 10.0.2.0/24 and Private Subnet 10.0.3.0/24), each with SQL Server (DB), App Server (APP) and IIS Server (WEB); Auth/LDAP from each Availability Zone to on-premises AD
  • 21. Example: AD on EC2 with replication or AD trust
    Diagram: same layout as slide 20, plus a Domain Controller (AD on EC2) in each Availability Zone; Trust or Replication between the corporate data center Domain Controllers and the EC2 Domain Controllers; Auth/LDAP from the Application tier in each Availability Zone
  • 22. Example: AWS Microsoft AD trust to on-premises
    Diagram: same layout; the DB tier is RDS for SQL Server; an AWS Managed Microsoft AD DC in each Availability Zone (AWS Managed Services); Trust between the corporate data center AD and AWS Managed Microsoft AD; Auth/LDAP from the Application tier in each Availability Zone
  • 23. Example: AD on EC2 with sync
    Diagram: same layout; a Domain Controller (AD on EC2) in each Availability Zone; Sync (Sync Tool, Password Changes) from the corporate data center to the EC2 AD via a third-party sync tool; Auth/LDAP from the Application tier in each Availability Zone; Users lose single sign-on to cloud (same sign-on)
  • 24. Considerations for AWS apps/services and many VPCs
    AWS Microsoft AD requires a trust when used with on-premises AD*
    WorkSpaces and RDS for SQL must be in same VPC as AWS Microsoft AD, QuickSight in the same account
    • Option 1 – Least cost, fewest trusts
      • Deploy AWS Microsoft AD in one VPC
      • Deploy all RDS for SQL and WorkSpaces instances in same VPC
      • Use tagging for internal billing
    • Option 2 – Easiest billing, complex trust configuration, high cost
      • Deploy AWS Microsoft AD in each VPC
      • Deploy RDS for SQL and WorkSpaces instance(s) in each VPC
    * 1-way trust for RDS for SQL Server, 2-way trust to provision Amazon WorkSpaces, Amazon QuickSight etc.
  • 25. How to choose – Considerations for selection
  • 26. Deployment differences
    | | AWS Microsoft AD | EC2 AD instances | On-premises AD |
    | Operation management | +AWS managed in the cloud | -Customer managed in the cloud | -Customer managed own hardware |
    | Availability | +Built-in redundancy and replication | -Customer must design for high availability | -Customer must design for high availability |
    | Networking | Trust¹ ports from cloud to on-premises (least exposed) | Trust¹ or replication² ports from cloud to on-premises AD | -Open ports to support cloud to on-premises AD³ (most exposed) |
    | Admin control | Designated OU control; some apps unsupported | +Full control | +Full control |
    ¹ If trust to on-premises is used, open ports from DCs to on-premises DCs are needed
    ² AD replication requires more open ports than forest trusts, but limited to DC-to-DC communications
    ³ Ports for domain joining, AD interactions, LDAP etc., plus other firewall decisions for cloud to on-premises access
  • 27. How to select an Active Directory option
    AWS Microsoft AD
    • Minimize cost, effort to run AD
    • RDS for SQL Server¹
    • AWS Enterprise Applications¹
    • Windows workloads on EC2², e.g. SharePoint, SQL Server AlwaysOn Availability Groups, .NET applications
    EC2 AD instances
    • Require a replicated, multi-region AD solution
    • Need NetBIOS name resolution support
    • Require permissions not yet delegated by AWS Microsoft AD³, e.g. Exchange, ADFS
    On-premises AD
    • Minimal EC2 instances require access to AD
    • Latency to AD over on-premises link is acceptable
    • Comfortable with connectivity availability to on-premises AD
    ¹ RDS for SQL, WorkSpaces, QuickSight, and Chime require trusts only if users are on-premises via trust
    ² Subject to delegation constraints (e.g. password sync, special AD containers)
    ³ AWS adding more delegations and application enablement over time
  • 28. Deployment differences – Which connection model?
    | | AWS Microsoft AD with Sync | AWS Microsoft AD with Trust | EC2 AD with Sync | EC2 AD with Trust | EC2 AD Replicated | On-premises |
    | App Access: SSO to cloud | No | Yes | No | Yes | Yes | Yes |
    | Complexity/Effort: EC2 seamless domain join | Yes | Yes | No | No | No | No |
    | Complexity/Effort: DC configuration | Medium | Low | Highest | High | High | None |
    | Complexity/Effort: Incremental maintenance | High | Low | Highest | Low | Medium | None |
    | Complexity/Effort: Incremental system | Medium | Low | Highest | High | High | None |
    | Complexity/Effort: Incremental entitlement | High | Low | High | Low | None | None |
    | Complexity/Effort: Sites and Services | No | No | No | No | Yes | None |
    Legend (colour coding of the columns, not recoverable from the text): Untested / Recommended / If necessary
  • 29. Trusts vs. Sync – Alternatives to replication
  • 30. Customer Feedback: Why sync vs. trusts Trusts seem scary • Many admins are unfamiliar with the model and how to secure • Perception that a trust gives all cloud resources access to on-premises • Perception that trusts give cloud admins control over on-premises directory • Trusts require setup coordination (security review, firewall ports, trust setup) • “Breaks principle” of communication initiation only from on-premises to the cloud “We are isolating our on-premises from the cloud and need a few users sync’d” • Only deploying SaaS applications in cloud (built on Windows) • Only need subset of Windows users with “same sign-on” to manage AWS resources via AD
  • 31. Considerations for syncing identities to the cloud Do your on-premises users need access to cloud resources that use AD group-based authorization? • If yes, will users object to having to log out of on-premises and log in to the cloud? (Same sign-on, not single sign-on) Requires third-party sync tool • Special configuration for what gets synced • Must map from on-premises directory to AD structure in the cloud With AWS Microsoft AD, the tool must not require domain admin • User creations must be in your OU Sync adds configuration complexity and latency for managing users • Incremental entitlements for sync • What about security groups? How does sync map them to the cloud?
• 32. [Diagram] Appropriate for sync – Admins' user names for RDP. On-premises AD on the left, cloud AD serving Amazon EC2 and Amazon DynamoDB on the right; the only flow across the boundary is "Sync only admin users", so an AWS resource admin can RDP to EC2 with a cloud identity. Labels: Federated AuthN (SAML), Kerberos AuthN, Domain Join/Machine AuthN/GPO/LDAP, User AuthN/Group Membership/Login Scripts.
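The admin-only sync the two slides above describe, written out as an added example (this is not code from the deck or from any sync product). It pulls the members of one on-premises group and creates or updates them under the delegated OU of an AWS Managed Microsoft AD directory using only the rights delegated on that OU, and removes entitlements for people who left the source group. All names are hypothetical: on-premises domain corp.example.com, cloud directory aws.example.com whose NetBIOS name is AWS (so the delegated OU is OU=Users,OU=AWS,DC=aws,DC=example,DC=com), group names AWS-RDP-Admins and Cloud-RDP-Admins. It deliberately does not sync passwords: the managed directory does not expose hashes, so each new user gets a throwaway initial password and must change it at first logon, which is the "same sign-on, not single sign-on" caveat from slide 31.

```powershell
# Added example (not from the AWS deck): sync only one on-premises admin group into
# the delegated OU of AWS Managed Microsoft AD. Hypothetical names throughout.
#Requires -Modules ActiveDirectory
param(
    [string] $OnPremServer   = 'dc1.corp.example.com',   # assumed on-premises DC
    [string] $OnPremGroup    = 'AWS-RDP-Admins',         # assumed source group
    [string] $CloudDomain    = 'aws.example.com',        # assumed managed directory (needs a conditional forwarder)
    [string] $CloudUserOU    = 'OU=Users,OU=AWS,DC=aws,DC=example,DC=com',  # the OU AWS delegates to you
    [string] $CloudGroup     = 'Cloud-RDP-Admins'        # assumed target group, created in your OU
)

# Credential with rights delegated on $CloudUserOU only; domain admin is not available
# in AWS Managed Microsoft AD and is not needed for anything below.
$cloudCred = Get-Credential -Message "Account with delegated rights on $CloudUserOU"

# 1. Source set: direct and nested user members of the on-premises group.
$source = Get-ADGroupMember -Identity $OnPremGroup -Recursive -Server $OnPremServer |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Server $OnPremServer -Properties DisplayName, EmailAddress }
if ($source.Count -eq 0) { throw "$OnPremGroup has no user members; refusing to run a sync that would disable everyone" }

# 2. Target security group lives in the delegated OU (cannot be created in Users container).
$targetGroup = Get-ADGroup -Filter "Name -eq '$CloudGroup'" -Server $CloudDomain -Credential $cloudCred
if (-not $targetGroup) {
    $targetGroup = New-ADGroup -Name $CloudGroup -GroupScope Global -GroupCategory Security `
        -Path $CloudUserOU -Server $CloudDomain -Credential $cloudCred -PassThru
}

# 3. Create or update each user under the delegated OU, then add to the cloud group.
foreach ($u in $source) {
    $sam = $u.SamAccountName
    $existing = Get-ADUser -Filter "SamAccountName -eq '$sam'" -SearchBase $CloudUserOU `
        -Server $CloudDomain -Credential $cloudCred
    if (-not $existing) {
        # No password sync: random initial password that satisfies the default
        # complexity policy (upper, lower, digit, symbol); user changes it at first logon.
        $initial = ConvertTo-SecureString ("Tmp-" + [guid]::NewGuid().Guid) -AsPlainText -Force
        $existing = New-ADUser -Name $u.Name -SamAccountName $sam `
            -UserPrincipalName "$sam@$CloudDomain" -GivenName $u.GivenName -Surname $u.Surname `
            -DisplayName $u.DisplayName -EmailAddress $u.EmailAddress -Path $CloudUserOU `
            -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true `
            -Server $CloudDomain -Credential $cloudCred -PassThru
    } else {
        Set-ADUser -Identity $existing -GivenName $u.GivenName -Surname $u.Surname `
            -DisplayName $u.DisplayName -EmailAddress $u.EmailAddress `
            -Server $CloudDomain -Credential $cloudCred
    }
    Add-ADGroupMember -Identity $targetGroup -Members $existing -Server $CloudDomain -Credential $cloudCred
}

# 4. Entitlement removal is part of the sync: anyone no longer in the source group loses
#    the cloud group and is disabled (not deleted, so the SID stays auditable).
$wanted = $source.SamAccountName
Get-ADGroupMember -Identity $targetGroup -Server $CloudDomain -Credential $cloudCred |
    Where-Object { $_.SamAccountName -notin $wanted } |
    ForEach-Object {
        Remove-ADGroupMember -Identity $targetGroup -Members $_ -Confirm:$false -Server $CloudDomain -Credential $cloudCred
        Disable-ADAccount -Identity $_.distinguishedName -Server $CloudDomain -Credential $cloudCred
    }
```

Run it as a scheduled task from an on-premises host with RSAT; the cloud credential is the only thing that crosses the boundary, and it holds rights on one OU rather than on the directory. Every consideration slide 31 lists is visible in the script: what gets synced (one group), the OU mapping, the group mapping, and the missing password sync.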
• 33. [Diagram] Complex for sync – Many users to many cloud services. Same layout as slide 32, but the cloud side now runs SQL Server AlwaysOn, SharePoint, Exchange and .NET applications on Amazon EC2 (plus Amazon DynamoDB), so many on-premises users and their group memberships would have to be synced for Kerberos AuthZ and domain join/GPO/LDAP to work. Labels: Federated AuthN (SAML), Kerberos AuthZ, Domain Join/Machine AuthN/GPO/LDAP.
• 34. Forest trusts

  A time-tested, secure model:
  • The trusting forest has no admin control over the trusted forest
  • Trusted users have access to cloud resources only if entitled by the trusting forest's admins (you control both sides)
  • Resources in the cloud have no access to on-premises resources unless on-premises trusts the cloud AND on-premises admins grant permissions to user identities in the cloud

  [Diagram] On-premises network: Windows AD DC (trusted forest) with its security group – Trust – VPC: AWS Managed Microsoft AD DC (trusting forest) with the cloud security group, which is where the access entitlements live.
• 35. No trust vs. 1-way vs. 2-way trusts

  Do you need users from one forest to access resources in another forest?
  • If no, use no trust

  Can you use only a 1-way trust?
  • If yes, use only a 1-way trust
  • RDS for SQL Server with on-premises users requires at least a 1-way trust

  Is a 2-way trust required?
  • If yes, use a 2-way trust
  • WorkSpaces, QuickSight Enterprise Edition, and Chime use 2-way trusts
  • The on-premises-to-AWS Microsoft AD direction is used only to read users/groups in order to provision them into the application

  Always secure your trust
• 36. Securing trusts

  • Leave SID filtering on when setting up the on-premises side of a trust (it is on by default for new trusts; it is only ever turned off to honour SID history during migrations, which has no place on a cloud trust)
  • Turn on selective authentication on the on-premises side of a trust
    https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx#w2k3tr_trust_security_zyzk
  • Only permit the AD trust ports to the DCs in the cloud
    https://technet.microsoft.com/en-us/library/cc756944(v=ws.10).aspx
  • For cloud-client-to-AD traffic, only permit the AD authentication ports to on-premises AD; minimize all other ports from the cloud to on-premises (e.g., WorkSpaces login using on-premises credentials)
    https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
  • Don't grant groups in the cloud access to on-premises resources
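A check for the trust settings slides 34 to 36 call for, as an added example that is not part of the deck or of AWS documentation. It reads the trustedDomain object on the on-premises side, decodes the trustAttributes and trustDirection bits as defined in [MS-ADTS] (bit values are the ones from the specification; the netdom switches quoted in the findings are the documented ones), and then probes the trust ports to the cloud DCs, expecting the trust ports open and a couple of non-trust ports closed. Hypothetical values: on-premises forest corp.example.com, cloud forest aws.example.com with DCs at 10.0.0.10 and 10.0.1.10. Run it on an on-premises DC or a host with RSAT.

```powershell
# Added example (not from the AWS deck): audit the on-premises side of a trust to an
# AWS Managed Microsoft AD forest and probe the trust ports to the cloud DCs.
#Requires -Modules ActiveDirectory
param(
    [string]   $CloudForest = 'aws.example.com',          # assumed cloud forest
    [string[]] $CloudDcs    = @('10.0.0.10', '10.0.1.10') # assumed cloud DC addresses
)

# trustAttributes bits ([MS-ADTS] 6.1.6.7.9) and trustDirection values (6.1.6.7.8)
$TA_QUARANTINED        = 0x04  # SID filtering (quarantine) on an external trust
$TA_FOREST_TRANSITIVE  = 0x08  # trust is a forest trust
$TA_CROSS_ORGANIZATION = 0x10  # selective authentication
$TA_TREAT_AS_EXTERNAL  = 0x40  # forest-trust SID filtering RELAXED (SID history honoured)
$DIR_OUTBOUND = 2; $DIR_BIDIRECTIONAL = 3   # 1 = inbound: the cloud forest trusts us

function Test-TrustHardening {
    param([string] $Partner)

    # The trustedDomain object under CN=System is this side's view of the trust.
    $tdo = Get-ADObject -LDAPFilter "(&(objectClass=trustedDomain)(trustPartner=$Partner))" `
                        -Properties trustAttributes, trustDirection, trustPartner
    if (-not $tdo) { throw "No trust to $Partner found in this forest" }

    $attr     = [int]$tdo.trustAttributes
    $dir      = [int]$tdo.trustDirection
    $isForest = ($attr -band $TA_FOREST_TRANSITIVE) -ne 0
    $outbound = ($dir -eq $DIR_OUTBOUND) -or ($dir -eq $DIR_BIDIRECTIONAL)
    $findings = @()

    # SID filtering: on a forest trust it is on unless TREAT_AS_EXTERNAL was set
    # (netdom ... /EnableSIDHistory:Yes); on an external trust it is the QUARANTINED bit.
    if ($isForest -and (($attr -band $TA_TREAT_AS_EXTERNAL) -ne 0)) {
        $findings += "SID filtering relaxed on forest trust; fix: netdom trust corp.example.com /d:$Partner /EnableSIDHistory:No"
    } elseif (-not $isForest -and (($attr -band $TA_QUARANTINED) -eq 0)) {
        $findings += "SID filtering off on external trust; fix: netdom trust corp.example.com /d:$Partner /Quarantine:Yes"
    }

    # Selective authentication is enforced by the trusting side, so it only matters
    # where this forest trusts the cloud forest (outbound or two-way), i.e. where a
    # cloud identity could otherwise authenticate to any on-premises computer.
    if ($outbound -and (($attr -band $TA_CROSS_ORGANIZATION) -eq 0)) {
        $findings += "Selective authentication off; fix: netdom trust corp.example.com /d:$Partner /SelectiveAUTH:Yes"
    }
    if ($dir -eq $DIR_BIDIRECTIONAL) {
        $findings += 'Two-way trust: confirm an AWS application (WorkSpaces, QuickSight, Chime) actually requires it'
    }

    [pscustomobject]@{
        Partner                 = $tdo.trustPartner
        Direction               = switch ($dir) { 1 {'Inbound (cloud trusts us)'} 2 {'Outbound (we trust cloud)'} 3 {'BiDirectional'} default {"Unknown ($dir)"} }
        ForestTrust             = $isForest
        SelectiveAuthentication = ($attr -band $TA_CROSS_ORGANIZATION) -ne 0
        Findings                = $findings
    }
}

function Test-TrustPorts {
    param([string[]] $Dcs)
    # TCP ports a trust needs towards the cloud DCs (per the linked TechNet article):
    # DNS 53, Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB 445, Kerberos password
    # change 464, LDAPS 636, global catalog 3268/3269, plus the RPC dynamic range
    # 49152-65535. UDP 53/88/389/464 are also required; Test-NetConnection only does TCP.
    $required   = 53, 88, 135, 389, 445, 464, 636, 3268, 3269
    $unexpected = 3389, 5985   # RDP / WinRM: not part of a trust, should be closed
    foreach ($dc in $Dcs) {
        foreach ($p in ($required + $unexpected)) {
            $open = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
            $need = $p -in $required
            [pscustomobject]@{ DC = $dc; Port = $p; Required = $need; TcpOpen = $open; Ok = ($open -eq $need) }
        }
    }
}

Test-TrustHardening -Partner $CloudForest | Format-List
Test-TrustPorts -Dcs $CloudDcs | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

Two things to keep in mind when reading the output. The SID filtering and selective-authentication bits live on the trusting side's trust object, so for a one-way trust where the cloud trusts on-premises (Inbound here) the on-premises object will report nothing to fix, and the corresponding checks belong on the AWS side. The port probe tests only the on-premises-to-cloud direction; the reverse direction (cloud clients such as WorkSpaces to on-premises DCs, slide 36's third bullet) has to be probed from a cloud host.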
• 37. Recap

  AD is used in many ways and is often required in the cloud
  • Where AD-dependent systems exist affects where you place AD

  AD on EC2 and AWS Microsoft AD have advantages over using on-premises AD domain controllers
  • AD on EC2 is appropriate when you require full domain admin permissions or a replicated AD in the cloud
  • AWS Microsoft AD is appropriate to support resources in the cloud, and required to support AWS applications and services with on-premises users

  Trusts are secure and appropriate when you need SSO from on-premises to AD-dependent workloads in the cloud

  Synchronization may be appropriate for isolation with a small set of users
  • Sync requires a compatible third-party solution and has many considerations
• 38. References

  Documentation
  • AWS Directory Service – aws.amazon.com/directoryservice
  • AWS Microsoft AD – aws.amazon.com/documentation/directory-service/
  • RDS for SQL Server – aws.amazon.com/documentation/rds/

  AWS Quick Starts – aws.amazon.com/quickstart/
  • Active Directory Domain Services
  • Exchange Server 2013
  • SharePoint Server 2016 Enterprise
  • Lync Server 2013
  • SQL Server 2014 AlwaysOn
  • Windows PowerShell DSC