Take a technical deep dive into reference architecture for setting up integrated Microsoft Active Directory-based Identity and Access Management on VMware Cloud on AWS. The architecture demonstrates how to extend on-prem infrastructure and enable user authentication.
Secure, efficient, highly available, cost-effective, and tightly integrated Identity and Access Management (IAM) is the essence of any modern IT infrastructure. With the advent of hybrid-cloud and multi-cloud architectures – where IT resources are distributed across various locations (including hybrid cloud deployments such as VMware Cloud on AWS) – integrated IAM has become paramount.
While there are various ways an integrated IAM can be implemented, this reference architecture is an attempt to showcase one of many approaches that an organization could take to integrate their existing Microsoft Active Directory (AD)-based IAM with a hybrid cloud deployment with VMware Cloud on AWS.
This reference architecture details how on-premises AD infrastructure can be extended to VMware Cloud on AWS infrastructure. It also shows how the AWS IAM service – along with STS and AWS AD Connector – can be integrated with Windows AD servers hosted on VMware Cloud on AWS for user authentication and management of native AWS resources.
Extending on-prem AD infrastructure to VMware Cloud on AWS
Connecting an on-prem SDDC to a VMware Cloud on AWS SDDC in order to integrate AD infrastructure between the two locations is much like the solution we describe in the reference architecture for “Getting started with VMware Cloud on AWS”. Deploy your Cloud SDDC on VMware Cloud on AWS in the AWS region and Availability Zone (AZ) where most of the AWS native resources (e.g. RDS databases, EMR clusters, Redshift data warehouses, S3 buckets) are currently located. This helps to avoid the data egress charges that crop up when data traffic traverses different AZs.
Once all necessary networking components (VPN, Direct Connect, firewall rules, Amazon security group rules, etc.) are configured appropriately between on-premises, VMware Cloud on AWS, and the customer VPC in AWS, you’re ready to install two Windows servers in the VMware Cloud on AWS infrastructure network segment. The intention here is to extend the existing AD infrastructure from on-premises to VMware Cloud on AWS and use these AD servers for local user/application authentication within VMware Cloud on AWS and for native AWS resources such as EC2 instances and RDS DB instances.
It should be noted that there are different firewall requirements for AD integration between different versions of Windows Server, and different requirements between clients and servers than between servers. The firewall rules shown in this reference architecture should give you a starting point, but you may need to consult the Microsoft documentation for the specific versions of your Windows clients and servers.
To make AD DS highly available in VMware Cloud on AWS, promote the newly deployed Windows servers to domain controllers in the on-prem AD forest. Configure AD replication between the on-prem domain controllers and the Windows AD servers hosted on VMware Cloud on AWS. All network traffic between the on-prem AD servers and the VMware Cloud on AWS AD servers in the SDDC – including AD DS communication, authentication requests and AD replication – is secured across the VPN tunnel or Direct Connect link.
Once AD is appropriately configured in the cloud SDDC, you can configure servers in VMware Cloud on AWS and also Amazon EC2 instances in the customer VPC to join the AD domain and use the private DNS servers that are hosted on VMware Cloud on AWS. All network traffic – including AD DS communication and authentication requests between EC2 instances and other native AWS services – flows through the cross-VPC ENI with low-latency, high-bandwidth connectivity. As stated earlier, there are no extra data egress charges for traffic passing through the cross-VPC ENI to AWS resources that reside in the same AZ as the VMware Cloud SDDC.
The servers hosted on VMware Cloud on AWS and EC2 instances in the customer VPC can now access AD domain controllers sitting on VMware Cloud on AWS for secure, low-latency directory services and DNS requests. This avoids AD authentication traffic going out to on-premises and also speeds up the user authentication for resources in VMware Cloud on AWS and AWS VPC.
Extending authentication capabilities to AWS IAM
The second part of this reference architecture shows how to extend the authentication capability to AWS IAM and start using newly created AD servers on VMware Cloud on AWS for AWS IAM authentication. There are various ways you can get the same result – for this configuration we’re leveraging Amazon AD Connector, setting it up to perform LDAP authentication to AD servers that are hosted on VMware Cloud on AWS. With this configuration, AD Connector can locate the nearest domain controllers by querying the SRV DNS records for the domain.
We also need to set up AD Connector to call the STS AssumeRole method to assume an IAM role and obtain temporary security credentials for user authentication. Using those temporary security credentials, AD Connector can construct a sign-in URL so that users can access the AWS Management Console. If a user is mapped to multiple IAM roles, they will be presented with a choice at the sign-in screen to select the appropriate IAM role for that session. Connected sessions last for one hour.
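To make the AssumeRole-to-console flow concrete, the following added example (not AD Connector's own code, which is a managed service) walks the same three steps an identity broker performs: call STS AssumeRole, exchange the temporary credentials for a sign-in token at the AWS federation endpoint, and build the console login URL with a one-hour session. The role ARN, issuer and session name are placeholders; the URL-building helpers run offline, while `console_signin_url` needs boto3 and network access.

```python
"""AssumeRole -> federation getSigninToken -> console login URL (added example)."""
import json
import urllib.parse
import urllib.request

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_URL = "https://console.aws.amazon.com/"
SESSION_SECONDS = 3600  # one-hour sessions, as described in the text


def assume_role(role_arn: str, session_name: str, duration: int = SESSION_SECONDS) -> dict:
    """Step 1: STS AssumeRole. Returns the temporary Credentials dict.
    Requires boto3 and AWS credentials on the host; imported lazily so the
    pure helpers below stay runnable offline."""
    import boto3
    sts = boto3.client("sts")
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration)
    return resp["Credentials"]


def build_signin_token_url(creds: dict, duration: int = SESSION_SECONDS) -> str:
    """Step 2: the getSigninToken request. The Session JSON carries the
    temporary credentials, so this URL is itself a secret and must only
    be sent over TLS by the broker, never handed to the end user."""
    session = json.dumps({"sessionId": creds["AccessKeyId"],
                          "sessionKey": creds["SecretAccessKey"],
                          "sessionToken": creds["SessionToken"]})
    query = urllib.parse.urlencode({"Action": "getSigninToken",
                                    "SessionDuration": duration,
                                    "Session": session})
    return f"{FEDERATION_ENDPOINT}?{query}"


def build_login_url(signin_token: str, issuer: str, destination: str = CONSOLE_URL) -> str:
    """Step 3: the URL the user opens. Issuer is where the console sends the
    user when the session expires; Destination is the console page to land on."""
    query = urllib.parse.urlencode({"Action": "login", "Issuer": issuer,
                                    "Destination": destination,
                                    "SigninToken": signin_token})
    return f"{FEDERATION_ENDPOINT}?{query}"


def console_signin_url(role_arn: str, user: str, issuer: str) -> str:
    """End-to-end flow (network required): the session name records which
    AD user assumed the role, so it shows up in CloudTrail for auditing."""
    creds = assume_role(role_arn, session_name=user)
    with urllib.request.urlopen(build_signin_token_url(creds)) as resp:
        token = json.load(resp)["SigninToken"]
    return build_login_url(token, issuer)
```

The sign-in token is single-use and short-lived, but the login URL still grants console access to whoever opens it, so the broker should deliver it only over an authenticated, TLS-protected channel.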
With the above integrated IAM setup, users can now authenticate themselves to the AD servers closest to them, regardless of their location. VMware Cloud Admins are also enabled with integrated AD authentication for AWS management console logins and can manage AWS native resources effectively and conveniently without having to remember multiple passwords.