A company is planning to move its on-premises workloads to AWS.
They are planning to set up their own Active Directory setup on a set of EC2 Instances.
They need to ensure that, for the time being, resources from their on-premises data center can access the Active Directory setup.
Which of the following implementation steps need to be carried out? Choose 2 answers from the options given below.
Click on the arrows to vote for the correct answer
A. B. C. D.Answer - A and C.
This is mentioned in the AWS Documentation.
If you're deploying and managing your own AD DS installation, domain controllers and member servers will require several security group rules to allow traffic for services such as AD DS replication, user authentication, Windows Time services, and Distributed File System (DFS), among others.
You should also consider restricting these rules to specific IP subnets that are used within your VPC.Options B and D are incorrect since these are not key requirements for having the Active Directory setup in place.
For more information on ingress traffic for Active Directory, please visit the below URL.
https://docs.aws.amazon.com/quickstart/latest/active-directory-ds/ingress.htmlThe correct answers for the question are A and C.
Explanation:
The scenario presented in this question is a common use case for organizations that are migrating their on-premises workloads to the AWS cloud. To allow resources in the on-premises data center to access the Active Directory setup, the following steps need to be taken:
A. Ensure that the Network ACLs have been set for allowing traffic: Network ACLs are stateless, which means that they do not keep track of the state of traffic. As a result, inbound and outbound rules need to be explicitly allowed to ensure that traffic is allowed to flow from the on-premises data center to the Active Directory setup running on EC2 instances. Therefore, the Network ACLs must be configured to allow traffic to and from the on-premises data center.
B. Ensure that VPC Flow logs have been enabled: VPC Flow logs are used to capture information about the traffic flowing through a VPC. While they are a useful tool for troubleshooting and auditing purposes, they are not required for this use case.
C. Ensure that the Security Groups have been set for allowing traffic: Security groups act as virtual firewalls that control the traffic flowing to and from the EC2 instances running the Active Directory setup. To allow traffic from the on-premises data center, a security group needs to be created that allows inbound traffic from the IP address range of the on-premises data center.
D. Ensure that the AD connector is in place: An AD connector is used to enable AWS applications to access an on-premises Active Directory. It is not required in this use case since the goal is to allow resources from the on-premises data center to access the Active Directory setup running on EC2 instances.
In summary, the correct steps that need to be carried out in this scenario are to ensure that the Network ACLs have been set for allowing traffic, and that the Security Groups have been set for allowing traffic.