August 2020 – thetrainit

The above slide is from the Advanced Architecting on AWS course

Most AWS customers use multiple AWS accounts, which enables account isolation from a security perspective.

In order to make managing multiple accounts easier, AWS organisations was introduced.

However, before VPC sharing, each account had its own VPCs, and in order to connect VPCs together, VPC Peering was introduced, then later, the more scalable Transit Gateway.

VPC sharing allows the sharing of VPCs with other accounts in the Organisation or external to the organisation, including the following benefits, especially for highly interconnected applications:

Centrally controlled VPC structure, routing and IP address allocation
Efficient use of VPN and DX

VPC sharing within an Organization makes use of Resource Access Manager, a feature of AWS Organisations.

For a walkthrough, I will use two accounts in an organisation. I will refer to them as Account A and Account B.

Account A will create a shared subnet.

Both accounts will launch an instance in the shared subnet

To verify communication, the Account A instance will be used to ping the Account B instance.

One concept that you will notice in the walkthrough is to do with AZs. If Account A launches an instance in AZ A, this is not necessarily the same group of physical datacentres that Account B is using when Account B also chooses AZ A. The AZ letters are randomized by AWS in order to spread the workloads, otherwise if all customers chose AZ A, then that AZ would be over utilized compared to the others. So now, each AZ is allocated an ID. If you select a subnet, and look at the description, you see something similar to: eu-west-1a (euw1-az3).

Now for the walkthrough, which takes about 15 minutes.

Pre-requisites:

An AWS organisation with 2 accounts. I will call them Account A and Account B.
An existing VPC (not the default VPC as you cannot share that one) and a Public Subnet.

From the Master account (for me this is Account A), choose the Resource Access Manager service:

At the organisation level, Resource Sharing needs to be enabled.

Choose Settings: Enable Resource Sharing, Save

From Account A

Create Resource Share. I named it “My Shared Subnet”

Select an existing subnet to share. I used a Public Subnet in AZ A . Choosing a public subnet will make it easier to logon to an instance later to verify communication. In my case the AZ ID was eiw1-az3

Add Principal (note that it could also be an account external to the organization). Add the account number of Account B, Add, Create Resource Share.

From Account B:

Select Shared with me, Resource Shares. You should see the Shared Subnet.

To verify:

Now we will launch an instance in the Shared Subnet in each Account to test that they can communicate. I will use a ping for the test.

From Account A:

Launch an instance. I used AMZ Linux 2, t2.micro. Choose the existing shared VPC and subnet. Enable public IP so we can login to it. I tagged it “Account A instance”. For the security group, I enabled SSH.

From Account B:

Launch an instance. Note that when selecting a VPC and subnet, the shared VPC and subnet will appear (sharing a subnet makes the VPC a shared VPC). Choose the shared VPC and subnet. I tagged it Account B instance. For SG, I allowed All ICMP – ipV4 from anywhere. We will not need to login to it.

Take a note of the private IP of the instance.

From Account A

Note that Account A cannot see the Account B instance from the console. Account A has no permissions to access the resources of Account B, even for resources launched in the shared VPC.

Using the public IP of Account A instance, log in to the instance.

Ping the private IP of the Account B instance. It should work. That proves communication. The data transfer cost is free, as is the case whenever both instances are in the same AZ. Using VPC sharing, the performance is good as both instances are in the same AZ.

To clean up:

Terminate the instances

From Account A

From the RAM console

Select the Shared Subnet and Delete.

AD Connector is designed to give you an easy way to establish a trusted relationship between your Active Directory and AWS. When AD Connector is configured, the trust allows you to:

Sign in to AWS applications such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail by using your Active Directory credentials.
Seamlessly join Windows instances to your Active Directory domain either through the Amazon EC2 launch wizard or programmatically through the EC2 Simple System Manager (SSM) API.
Provide federated sign-in to the AWS Management Console by mapping Active Directory identities to AWS Identity and Access Management (IAM) roles.

In this walkthrough, I demonstrate the use case of seamlessly joining Windows instances to your on premises AD.

To keep it simple, rather than use an on-premises AD, this will be simulated using an EC2 instance. In real life, you would need a VPN or Direct Connect. I used a Windows 2012 R2 Base, with an instance type of t2.medium, choosing the default VPC and subnet in AZ A. In real life it would have a static IP address, but the test worked fine using the dynamic private address.

For the Security Group, which in real life would be the on premises firewall, and just for the short duration of the test, I opened up all inbound traffic. See the link below for the actual required ports, which need to allow DNS, Kerberos and LDAP from the CIDR ranges of the AD Connector subnets.

Once ready, RDP to the public address of the instance and configure it as a domain controller.

As it is a while since I worked with AD, I followed the following article.

https://social.technet.microsoft.com/wiki/contents/articles/12370.windows-server-2012-set-up-your-first-domain-controller-step-by-step.aspx

I used the domain name onprem.com.

Create a service account which will be used by the AD connector. Follow the instructions here:

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/prereq_connector.html

Alternatively, you could use a Domain Admin account when creating the AD connector later, but creating a service account with the minimum necessary privileges is best practice.

Now for main part of the walkthrough: creating an AD Connector.

In the AWS console, choose Directory Service, Set up a Directory, AD Connector, Small option. Note that its about $0.05 an hour, but free trail eligible for a month. I chose the default VPC and subnets in AZ A and AZ B.

Supply the Directory name onprem.com and Netbios name onprem.

Supply the IP address of the Domain Controller

Supply the Service Account Username and Password that you created earlier.

It takes about 5 minutes to create the AD Connector.

Now to test it by joining a new Windows Server to the on-premises domain.

Launch a Windows instance. I used 2012 R2 Base again, launching it into the default VPC, subnet in AZ A.

The interesting bit is on the Configure Instance page, where you choose Domain Join Directory and see the onprem.com domain name available. Note that it say that for the domain join to succeed, select an IAM role that has the AWS managed policies AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess attached to it. You can choose to have it create the role you, and supply a name. I called it ADConnectorRole.

I tagged the instance “Member Server”

You can now RDP into it using the credentials of a Domain User account. I used onprem\administrator.

To clean up:

Delete the AD Connector Directory

Terminate the member server and the domain controller