New AWS Directory Service

Virtually every organization uses a directory service
such as Active Directory
to allow computers to join domains, to list and authenticate users, and to locate and connect to
printers and other network services, including SQL Server databases. A centralized
directory reduces the amount of administrative work that must be done when an employee
joins the organization, changes roles, or leaves.

With the advent of cloud-based services, an interesting challenge has arisen. By design,
the directory is intended to be a central source of truth with regard to user identity. Administrators
should not have to maintain one directory service for on-premises users and services, and a separate,
parallel one for the cloud. Ideally, on-premises and cloud-based services could share and make use
of a single, unified directory service.

Perhaps you want to run
Microsoft Windows on EC2 or centrally
control access to applications such as Amazon WorkSpaces or
Amazon Zocalo. Setting up and then running a directory can be a fairly
ambitious undertaking once you take into account the need to
procure and run hardware, install, configure, and patch the operating
system and the directory, and so forth. This might be overkill if
you have a user base of modest size and just want to use the AWS
applications and exercise centralized control over users and

The New AWS Directory Service
Today we are introducing the AWS Directory Service to address these challenges! This managed service
provides two types of directories. You can connect to an existing on-premises directory or you can set up and
run a new, Samba-based directory in the Cloud.

If your organization already has a directory, you can now make use
of it from within the cloud using the
AD Connector directory type. This is a gateway technology that serves as a cloud proxy to your
existing directory, without the need for complex synchronization technology or federated sign-on. All communication
between the AWS Cloud and your on-premises directory takes place over AWS Direct Connect or a secure VPN connection
within an Amazon Virtual Private Cloud. The AD Connector is easy to set up (just a few parameters) and needs very little
in the way of operational care and feeding. Once configured, your users can use their existing
credentials (user name and password, with optional RADIUS authentication) to log in to WorkSpaces,
Zocalo, EC2 instances running Microsoft Windows, and the AWS Management Console. The AD Connector
is available in Small (up to 10,000 users, computers, groups, and other directory objects) and
Large (up to 100,000 users, computers, groups, and other directory objects).

If you don’t currently have a directory and don’t want to be
bothered with all of the care and feeding that’s traditionally been
required, you can quickly and easily provision and run a Samba-based directory in the
cloud using the Simple AD directory type. This directory supports most of the
common Active Directory features, including joins to Windows domains,
management of Group Policies, and single sign-on to directory-powered apps.
EC2 instances that run Windows can join domains and
can be administered en masse using Group Policies for consistency.
Amazon WorkSpaces and Amazon Zocalo can make use of the directory. Developers and
system administrators can use their directory credentials to sign in to
the AWS Management Console in order to manage AWS resources such as EC2 instances or
S3 buckets.

Getting Started
Regardless of the directory type that you choose, getting started is quick and easy. Keep in
mind, of course, that you are setting up an important piece of infrastructure and choose
your names and passwords accordingly. Let’s walk through the process of setting up
each type of directory.

I can create an AD Connector as a cloud-based proxy to an existing Active Directory
running within my organization. I'll have to create a VPN connection from my Virtual Private Cloud
to my on-premises network, making use of AWS Direct Connect if necessary. Then I will need to
create an account with sufficient privileges to allow it to handle lookup,
authentication, and domain join requests. I'll also need the DNS name of the existing
directory. With that information in hand, creating the AD Connector is a simple
matter of filling in a form:

I also have to provide information about my VPC, including the subnets where I'd like the
directory servers to be hosted:

The AD Connector will be up and running and ready to use within minutes!
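The AD Connector walkthrough above, scripted against the Directory Service API as an added example (not code from the post or from AWS): it validates the inputs the post lists (directory DNS name, service account, VPC, two subnets, on-premises DNS servers, Small or Large size), builds the ConnectDirectory request, and takes the client as a parameter so the checks can run without an AWS account. The domain name, account name, VPC and subnet IDs are hypothetical placeholders; boto3's connect_directory call and its ConnectSettings keys are real.

```python
# Added example (not from the post): validate the inputs the walkthrough lists
# and submit a ConnectDirectory call through an injected boto3 "ds" client.
import ipaddress
import os

VALID_SIZES = ("Small", "Large")  # 10,000 / 100,000 directory objects


def build_connect_request(domain_name, service_account, password, vpc_id,
                          subnet_ids, dns_ips, size="Small"):
    """Return keyword arguments for boto3's ``connect_directory``, failing fast."""
    if size not in VALID_SIZES:
        raise ValueError(f"size must be one of {VALID_SIZES}")
    if len(subnet_ids) != 2 or len(set(subnet_ids)) != 2:
        raise ValueError("AD Connector needs two distinct subnets in the VPC")
    if not dns_ips:
        raise ValueError("at least one on-premises DNS server IP is required")
    for ip in dns_ips:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    if not password:
        raise ValueError("service account password must not be empty")
    return {
        "Name": domain_name,        # DNS name of the existing directory
        "Password": password,       # password of the lookup/join account
        "Size": size,
        "ConnectSettings": {
            "VpcId": vpc_id,
            "SubnetIds": list(subnet_ids),
            "CustomerDnsIps": list(dns_ips),
            "CustomerUserName": service_account,
        },
    }


def create_ad_connector(ds_client, **kwargs):
    """Call ConnectDirectory and return the new DirectoryId."""
    resp = ds_client.connect_directory(**build_connect_request(**kwargs))
    return resp["DirectoryId"]


if __name__ == "__main__":
    import boto3  # real run only; the helpers above are pure
    # Hypothetical values; the password comes from the environment, never source.
    print(create_ad_connector(boto3.client("ds"), domain_name="corp.example.com",
        service_account="ad-connector-svc", password=os.environ["AD_CONNECTOR_PASSWORD"],
        vpc_id="vpc-PLACEHOLDER", subnet_ids=["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"],
        dns_ips=["10.0.0.10", "10.0.1.10"], size="Small"))
```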

Creating a Simple AD in the cloud is also very simple and straightforward. Again, I need to
choose one of my VPCs and then pick a pair of subnets within it for my directory servers:

Again, the Simple AD will be up, running, and ready for use within minutes.

Managing Directories
Let’s take a look at the management features that are available for the AD Connector and
Simple AD. The Console shows me a list of all of my directories:

I can dive into the details with a click. As you can see at the bottom of this
screen, I can also create a public endpoint for my directory. This will allow it
to be used for sign-in to AWS applications such as Zocalo and WorkSpaces, and to the
AWS Management Console:

I can also configure the AWS applications and the Console to use the directory:

I can also create, restore, and manage snapshot backups of my Simple AD (backups
are done automatically every 24 hours; I can also initiate a manual backup at any
desired time):

Get Started Today
Both types of directory are available now and you can start creating and using them today
in the US East (Northern Virginia), US West (Oregon), Asia Pacific (Sydney), Asia Pacific (Tokyo), and Europe (Ireland) Regions. Prices start at $0.05 per hour for Small directories
of either type and $0.15 per hour for Large directories of either type
in the US East (Northern Virginia) Region. See the
AWS Directory Service page for pricing information in the other AWS Regions.