Active Directory (AD) is a powerful identity and asset management infrastructure, widely used as the central identity database for authentication and authorization of users and devices on the enterprise network. One of the most significant challenges organizations face during a cloud migration is keeping the migrated resources under the same level of control as the on-premises network. AD is therefore one of the key IT systems to consider during a cloud migration.
Amazon Web Services (AWS) has recently introduced the AWS Directory Service, a managed service that lets organizations connect their AWS resources to their on-premises Active Directory infrastructure or, alternatively, quickly set up a simple Active Directory service in their AWS VPC. This is another step AWS is taking to make enterprises’ move to the cloud smoother and less disruptive.
Once you have a cloud-enabled directory service you can take it one step further and use it to authenticate and authorize cloud network access for your organization’s employees; that is, to grant employees remote access to the AWS VPCs according to AD policies. To complete this network access control functionality you need a network entity that is not part of the AWS offering. This entity, called an Access Gateway, should support three functions:
- VPN gateway to allow secure remote access for employees (using VPN clients)
- Integration with the AWS Directory Service for authenticating VPN users and loading the right authorization policies (per user).
- Firewall to enforce the authorization policies.
This post has two parts. The first is a quick step-by-step guide to setting up a simple AD using the AWS Directory Service; the second explains how to integrate the AWS Directory Service with the 40Cloud Gateway to enable VPC network access control over VPN. Note that for a quick and easy installation of the 40Cloud solution, use the 40Cloud AMIs available on the AWS Marketplace.
Figure 1 depicts the overall VPC architecture with the Access Gateway and the Directory Service Integration.
Setting Up Simple AWS Directory Service
To keep things simple, we will use the Simple AD option of the AWS Directory Service to set up a basic Active Directory service in an AWS VPC. Following are the steps:
- Go to the AWS Management Console, open the list of services and, under the Administration & Security section, choose Directory Service.
- Click on the Set up Directory button and choose one of the following options:
- Create a Simple AD (which I chose here) – sets up a Samba-based directory with a subset of the capabilities of Active Directory.
- Connect using AD Connector – suited to organizations with an on-premises domain.
- Fill in the following fields:
- Directory DNS name – I chose “fc.testonaws.com”
- NetBIOS name – I entered “simplead”
- Administrator password – ********
- Confirm password – ********
- Optional Description – “my First Simple AD”
- Directory Size – I chose Small, which is enough for testing purposes
- VPC details – you need a VPC with 2 subnets in 2 different Availability Zones for redundancy (Amazon deploys the directory as 2 domain-controller instances, one per subnet; they are managed by AWS and will not show up in your running instances view).
NOTE :If you have not defined 2 subnets over different availability zones, the console will not let you proceed, an error message in red will appear. If you prefer, leave the default “No preferences” value, and let Amazon choose the subnets. In case you have not created a VPC, Amazon provides Create New VPC and Create New Subnet links for your convenience.
- Click on Next Step. A summary page with all the details that you entered appears. If the details are correct, confirm them.
- Click Create Simple AD, and wait for 2 or 3 minutes while your directory is created in the cloud.
NOTE: While the directory is being created, the console displays its status: “Requested”, then “Creating”, and “Active” when done. Click the Directory link to see more details and to continue by adding an access URL and enabling Amazon WorkSpaces / Amazon Zocalo / AWS Management Console access, or the Snapshots link to manage your directory snapshots.
You now own an Amazon-maintained Directory in the cloud.
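As an added example that is not part of the original post, the same directory can be created programmatically with boto3's DirectoryService `create_directory` call. The subnet check reproduces the two-Availability-Zone requirement the console enforces, and the password rule is Simple AD's (8 to 64 characters drawn from at least three of the four character classes). The subnet descriptions, VPC and subnet IDs and the password are constructed for the example; the live `create_simple_ad` function needs boto3 and AWS credentials and is not run here.

```python
import re

# Constructed sample subnet descriptions (shape of ec2.describe_subnets()["Subnets"]).
# The IDs and zones are made up for the example; the third subnet shares an AZ
# with the first so the redundancy check has something to reject.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0a1b2c3d", "VpcId": "vpc-0123abcd", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0e5f6a7b", "VpcId": "vpc-0123abcd", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-0c9d8e7f", "VpcId": "vpc-0123abcd", "AvailabilityZone": "us-east-1a"},
]

_CATEGORIES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_ok(password):
    """Simple AD administrator password rule: 8-64 characters containing
    characters from at least three of four classes (lower, upper, digit, special)."""
    if not 8 <= len(password) <= 64:
        return False
    return sum(1 for pat in _CATEGORIES if re.search(pat, password)) >= 3


def check_subnets(subnets, vpc_id, subnet_ids):
    """Enforce what the console enforces: exactly two subnets, both in vpc_id,
    in two different Availability Zones. Returns the matching descriptions."""
    if len(set(subnet_ids)) != 2:
        raise ValueError("Simple AD needs exactly two distinct subnets")
    chosen = [s for s in subnets if s["SubnetId"] in subnet_ids]
    if len(chosen) != 2:
        raise ValueError("one or more subnet IDs were not found")
    if any(s["VpcId"] != vpc_id for s in chosen):
        raise ValueError("both subnets must belong to %s" % vpc_id)
    if len({s["AvailabilityZone"] for s in chosen}) != 2:
        raise ValueError("subnets must be in two different Availability Zones")
    return chosen


def build_create_directory_request(name, short_name, password, vpc_id, subnet_ids,
                                   subnets, size="Small", description=""):
    """Validated keyword arguments for DirectoryService.Client.create_directory."""
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", name.lower()):
        raise ValueError("directory DNS name must be a fully qualified domain name")
    if not 1 <= len(short_name) <= 15:
        raise ValueError("NetBIOS name must be 1-15 characters")
    if not password_ok(password):
        raise ValueError("password does not meet the Simple AD policy")
    if size not in ("Small", "Large"):
        raise ValueError("size must be Small or Large")
    check_subnets(subnets, vpc_id, subnet_ids)
    request = {
        "Name": name, "ShortName": short_name, "Password": password, "Size": size,
        "VpcSettings": {"VpcId": vpc_id, "SubnetIds": list(subnet_ids)},
    }
    if description:
        request["Description"] = description
    return request


def create_simple_ad(region, **kwargs):
    """Live call (needs boto3 and AWS credentials; not exercised offline): fetch the
    real subnet descriptions, validate, create the directory, return its DirectoryId."""
    import boto3  # imported here so the validation above runs without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    subnets = ec2.describe_subnets(SubnetIds=list(kwargs["subnet_ids"]))["Subnets"]
    request = build_create_directory_request(subnets=subnets, **kwargs)
    return boto3.client("ds", region_name=region).create_directory(**request)["DirectoryId"]


if __name__ == "__main__":
    req = build_create_directory_request(
        "fc.testonaws.com", "simplead", "Sup3r-Secret!", "vpc-0123abcd",
        ["subnet-0a1b2c3d", "subnet-0e5f6a7b"], SAMPLE_SUBNETS,
        description="my First Simple AD")
    print(req["VpcSettings"])
```

The directory takes a few minutes to become usable after the call returns; poll `describe_directories` for a `Stage` of `Active` before pointing anything at it, exactly as the console's status column shows.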
In order to manage your Directory, add groups, set user passwords, etc., install Microsoft Active Directory Administration Tools:
You can install the administration tools on either Windows Server 2008 or Windows Server 2012. I recommend using 2008. On 2012, I had problems creating users (when consulting Amazon, they confirmed that there might be problems with 2012, and recommended using versions prior to 2012).
For details on installing the administration tools, check out this simple, excellent manual:
NOTE: Make sure to install the tools on a server located within the VPC.
Following the installation, log out and log back in with the directory administrator account (using the administrator password you set when creating the directory):
[the NetBIOS name you provided]\Administrator
Open the administration tools by accessing Start >> Administrative Tools >> Active Directory Users and Computers.
Change the domain name to yours (mine was “fc.testonaws.com”), and you will be connected to the directory.
Now you can manage your directory, allowing you to add groups, users etc.
In order to test the integration with the 40Cloud Gateway, I added (under “Groups”):
- groupA
- groupB
And under Users:
- usera (added to the group “groupA” as a member)
- userb (added to the group “groupB” as a member)
The figure below shows the Active Directory Users and Computers console over Remote Desktop, with the users and groups that were added.
Enabling Network Access Control
As discussed above, we are now adding an Access Gateway to our VPC and integrating it with the already configured directory service.
The way network access control works with an Access Gateway is illustrated in the figure below. Specifically, the gateway terminates user-based VPN tunnels, authenticates the end user against the AD infrastructure and, once the user is authenticated, acts as a virtual router and firewall that permits that user to reach only the networks and virtual resources their policy allows.
In this example, we’re using the 40Cloud Gateway which provides Access Gateway functionality as well as other cloud security and network functions.
If you haven’t set up the 40Cloud Gateway yet, you should do that now. If you don’t have an active 40Cloud account, you can set up one for free.
To set up identity infrastructure (i.e. to connect with the AWS directory service) using the 40Cloud web console, follow the next steps:
- Using the 40Cloud web admin console’s menu, select Manage >> LDAP Servers. On the LDAP Server configuration page, click on Add new, and enter a name for the server (I called mine “LDAP Server”).
- Enter the relevant configuration details, such as LDAP server IP address, and where (directory-wise) to find groups and users.
- Point the 40Cloud Gateway to work with the LDAP server.
- Define a security scheme using the management console. I defined a test scheme as follows:
- Users that are part of “groupA” should be identified as “Users”. I added a policy: “Users can SSH Servers” (“servers” is a 40Cloud resource group, which is a group of AWS instances and/or subnets that can be defined by the admin using the 40Cloud web admin console or APIs).
- Users that are part of “groupB” should be identified as “Guests”. I added a policy: “Guests can ping Servers” (I know this doesn’t make too much sense, but I wanted to keep it simple).
- Now we need to make sure the network access control function works as anticipated:
- I initiated a VPN session with the 40Cloud Gateway using the credentials of “usera”, a user defined in the AWS Directory Service, who was identified as part of “Users” and was able to initiate SSH sessions with VPC instances that were defined as “Servers” (in the 40Cloud scheme).
- I also established another VPN connection with the user “userb”, who was identified as part of “Guests” and was able to ping VPC instances that were defined as “Servers” (in the 40Cloud scheme).
- I then performed negative testing, making sure that “usera” cannot ping “Servers” and that “userb” cannot SSH to “Servers”.
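The steps above describe the integration at the console level. The following Python, added here as an illustration and not 40Cloud's own code, shows what sits underneath: deriving the directory's base DN and a safely escaped user search filter from the DNS name chosen earlier, reading group membership from `memberOf`, mapping groupA/groupB to the Users/Guests roles of the test scheme, and expressing the scheme as per-tunnel firewall rules plus a policy decision function that reproduces the positive and negative tests. The `memberOf` values, the Servers addresses, the client tunnel address and the iptables chain name are constructed for the example; that the gateway enforces policy with iptables is an assumption for illustration, and `lookup_groups` needs the ldap3 package and network access to the directory, so it is not exercised offline.

```python
import ipaddress
import shlex

# Constructed LDAP search results, shaped like the memberOf attribute a search for
# each user returns from the Simple AD built above (usera/userb in groupA/groupB).
SAMPLE_MEMBER_OF = {
    "usera": ["CN=groupA,CN=Users,DC=fc,DC=testonaws,DC=com"],
    "userb": ["CN=groupB,CN=Users,DC=fc,DC=testonaws,DC=com"],
}


def base_dn(domain):
    """fc.testonaws.com -> DC=fc,DC=testonaws,DC=com, where Simple AD keeps users and groups."""
    return ",".join("DC=%s" % label for label in domain.split("."))


def user_filter(sam_account_name):
    """Search filter for one account. Filter metacharacters in the supplied name are
    escaped (RFC 4515) so a crafted VPN username cannot widen the search."""
    escaped = "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in sam_account_name)
    return "(&(objectClass=user)(sAMAccountName=%s))" % escaped


def groups_from_member_of(member_of):
    """Group names (the CN of each DN) from a memberOf attribute value list."""
    names = []
    for dn in member_of:
        rdn = dn.split(",", 1)[0]
        if rdn.upper().startswith("CN="):
            names.append(rdn[3:])
    return names


def lookup_groups(host, domain, username, password):
    """Live bind against the directory (needs the ldap3 package and network access;
    not exercised offline). A simple bind as user@domain both authenticates the VPN
    user and authorises reading that user's own memberOf attribute."""
    from ldap3 import Connection, Server
    conn = Connection(Server(host), user="%s@%s" % (username, domain),
                      password=password, auto_bind=True)
    conn.search(base_dn(domain), user_filter(username), attributes=["memberOf"])
    return groups_from_member_of(conn.entries[0].memberOf.values) if conn.entries else []


# The test scheme from the post: AD group -> gateway role -> allowed services.
ROLE_OF_GROUP = {"groupA": "Users", "groupB": "Guests"}
RESOURCE_GROUPS = {"Servers": ["10.0.1.0/24", "10.0.2.10/32"]}   # constructed addresses
POLICY = {  # (role, resource group) -> [(protocol, destination port or None)]
    ("Users", "Servers"): [("tcp", 22)],      # "Users can SSH Servers"
    ("Guests", "Servers"): [("icmp", None)],  # "Guests can ping Servers"
}


def roles_for(groups):
    """Roles granted by the user's AD groups; unknown groups grant nothing."""
    return sorted({ROLE_OF_GROUP[g] for g in groups if g in ROLE_OF_GROUP})


def permitted_flows(groups):
    """(destination network, protocol, port) triples the user's roles allow."""
    flows = []
    for role in roles_for(groups):
        for (r, rg), services in POLICY.items():
            if r == role:
                for net in RESOURCE_GROUPS[rg]:
                    flows.extend((net, proto, port) for proto, port in services)
    return flows


def is_allowed(groups, dst_ip, proto, port=None):
    """Policy decision for one packet from an authenticated tunnel; default deny."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(net) and p == proto and (prt is None or prt == port)
               for net, p, prt in permitted_flows(groups))


def iptables_rules(client_ip, groups, chain="VPN_FWD"):
    """Per-tunnel rules a gateway could install after a successful bind (assumed
    enforcement mechanism): explicit ACCEPTs for the user's roles, then DROP the rest."""
    rules = []
    for net, proto, port in permitted_flows(groups):
        rule = ["iptables", "-A", chain, "-s", client_ip, "-d", net, "-p", proto]
        if port is not None:
            rule += ["--dport", str(port)]
        rules.append(shlex.join(rule + ["-j", "ACCEPT"]))
    rules.append(shlex.join(["iptables", "-A", chain, "-s", client_ip, "-j", "DROP"]))
    return rules


def verify_scheme():
    """The positive and negative checks from the post, run against the constructed data."""
    usera = groups_from_member_of(SAMPLE_MEMBER_OF["usera"])
    userb = groups_from_member_of(SAMPLE_MEMBER_OF["userb"])
    return {
        "usera_ssh": is_allowed(usera, "10.0.1.5", "tcp", 22),
        "userb_ping": is_allowed(userb, "10.0.1.5", "icmp"),
        "usera_ping": is_allowed(usera, "10.0.1.5", "icmp"),
        "userb_ssh": is_allowed(userb, "10.0.1.5", "tcp", 22),
    }


if __name__ == "__main__":
    print(base_dn("fc.testonaws.com"), user_filter("usera"))
    print("\n".join(iptables_rules("172.16.0.10", ["groupA"])))
    print(verify_scheme())
```

Two points worth keeping when you build something like this for real: escape the username before it goes into the search filter (the gateway is taking it straight from an unauthenticated VPN client), and install the DROP rule for the client's tunnel address even when the user has no matching roles, so an account that exists in AD but belongs to no policy group gets connectivity to nothing rather than to everything.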
The above example is, of course, a very simple scenario. Much more complicated policies and network scenarios (for example multiple VPCs in multiple AWS regions integrated with the cloud-based Directory Service) can be easily configured with the 40Cloud solution. If you have any questions on AWS Directory Service integration or network access control, feel free to send us your questions. You can also try it for yourself: join a free trial and get our experts to help you build your own cloud-based AD and network access solution.