AWS Active Directory: Cannot access from another VPC

amazon-vpc, aws-directory-service, vpc-peering

I've setup an Active Directory service in AWS in 2 private subnets in a VPC.

I have another VPC in the same account that I want to be able to access the AD from. However, for some reason it just isn't accessible from anywhere outside its own VPC.

I've set up peering between the VPCs, and confirmed that EC2 instances in the VPCs can communicate.

Is there something particular to Active Directory that prevents it from being reached from outside its own VPC? I can't see any other configuration I can make to fix this. I've confirmed the routing tables, ACLs etc. are all correct.

Any help would be greatly appreciated.

Best Answer

I found the issue. It was quite non-intuitive.

When the Active Directory is created, AWS automatically creates an associated security group.

The SG was called "d-9462#####_controllers" and had the description "AWS created security group for d-9462##### directory controllers". (d-9462##### being the ID for the directory)

What makes it counter-intuitive is that this SG is not displayed anywhere (as far as I can tell) within the Directory Services console. You would have to know that it existed, and know to search for it within the VPC security groups.

By default this SG grants access only to the VPC in which the Directory resides.

To fix the issue you need to explicitly grant access to whatever other VPCs you need.
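An added example (not code from the original answer) that audits the AWS-created "<directory-id>_controllers" security group before you touch it: it reports which of the ports AWS documents for its managed domain controllers are not reachable from a peered VPC's CIDR, and builds the ingress payload for only the missing ones rather than opening everything. The security group JSON shape is the one `aws ec2 describe-security-groups` returns; the sample group, the two CIDRs and the `Description` text are constructed assumptions.

```python
"""Audit the AWS-created "<directory-id>_controllers" security group for a peered VPC.
Added example (not from the original post); input shape follows
`aws ec2 describe-security-groups`; the sample group below is constructed."""
import ipaddress

# Ports AWS documents for its managed domain controllers: (proto, from, to).
REQUIRED_PORTS = [
    ("tcp", 53, 53), ("udp", 53, 53),      # DNS
    ("tcp", 88, 88), ("udp", 88, 88),      # Kerberos
    ("udp", 123, 123),                     # NTP
    ("tcp", 135, 135),                     # RPC endpoint mapper
    ("tcp", 389, 389), ("udp", 389, 389),  # LDAP
    ("tcp", 445, 445),                     # SMB
    ("tcp", 464, 464), ("udp", 464, 464),  # Kerberos password change
    ("tcp", 636, 636),                     # LDAPS
    ("tcp", 3268, 3269),                   # Global Catalog (plain and SSL)
    ("tcp", 9389, 9389),                   # AD Web Services
    ("tcp", 49152, 65535),                 # Dynamic RPC
]

# Constructed sample: default state, only the directory's own VPC (10.0.0.0/16) allowed.
SAMPLE_SG = {"GroupName": "d-9462#####_controllers",
             "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}

def _rule_covers(rule, proto, lo, hi, peer):
    """True if one IpPermissions entry allows proto lo..hi from every address in peer."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1" and (rule.get("FromPort", 0) > lo or rule.get("ToPort", 65535) < hi):
        return False  # right protocol, but the port range does not contain lo..hi
    return any(peer.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in rule.get("IpRanges", []))

def missing_rules(sg, peer_cidr, required=REQUIRED_PORTS):
    """Return the (proto, from, to) entries that peer_cidr cannot reach through sg."""
    peer = ipaddress.ip_network(peer_cidr)
    return [(p, lo, hi) for p, lo, hi in required
            if not any(_rule_covers(r, p, lo, hi, peer) for r in sg["IpPermissions"])]

def ingress_permissions(peer_cidr, missing):
    """Build the IpPermissions payload for `aws ec2 authorize-security-group-ingress`."""
    return [{"IpProtocol": p, "FromPort": lo, "ToPort": hi,
             "IpRanges": [{"CidrIp": peer_cidr, "Description": "peered VPC"}]}
            for p, lo, hi in missing]

if __name__ == "__main__":
    gaps = missing_rules(SAMPLE_SG, "10.1.0.0/16")   # constructed peered VPC CIDR
    print(f"{len(gaps)} required rules missing; add:", ingress_permissions("10.1.0.0/16", gaps))
```

Scoping the added rules to the peered CIDR and the listed ports keeps the controllers' exposure to what the peering actually needs, instead of copying the default "all traffic" rule for the new VPC.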
