AWS Quick Starts

Web Application Proxy on AWS

Using AD FS for identity federation, SSO, reverse proxy, and pre-authentication

Deploy on AWS into a new VPC

(or deploy into an existing VPC)

View guide  — HTML | PDF

Quick Start architecture for WAP and AD FS on the AWS Cloud

To deploy Web Application Proxy with AD FS on AWS, view the Quick Start deployment guide. To install these technologies with other Windows servers on AWS in a single deployment, see the Quick Start for Microsoft servers, or view our complete Quick Start catalog.


This Quick Start deploys Web Application Proxy and Active Directory Federation Services (AD FS) on the AWS Cloud.

AD FS is a Windows Server role that authenticates users and provides security tokens to applications or federated partner applications that trust AD FS.

The Web Application Proxy role on Windows Server makes AD FS accessible to external users by proxying requests without requiring VPN connectivity. You can also use Web Application Proxy to selectively publish and pre-authenticate connections to internal web applications, allowing users outside your organization to access those applications over the Internet.

The Quick Start includes AWS CloudFormation templates that automate the deployment of AD FS and Web Application Proxy, to provide seamless external access to web applications running in AWS.

  • What you'll build

    • A virtual private cloud (VPC) configured with public and private subnets across two Availability Zones.*
    • An Internet gateway to provide access to the Internet.*
    • In the public subnets, network address translation (NAT) instances for outbound Internet access, and Remote Desktop Gateway (RD Gateway) instances for inbound remote administrative access.*
    • In the public subnets, Web Application Proxy servers to help provide secure inbound connectivity to web applications.
    • Elastic IP addresses associated with the instances in the public subnets.*
    • In the private subnets, Active Directory domain controllers, which act as enterprise certificate authorities (CAs) that issue the required SSL certificates to the AD FS infrastructure.*
    • In the private subnets, two AD FS servers running on Windows Server 2012 R2.
    • Your choice to create a new VPC or deploy into your existing VPC and AD DS environment on AWS. The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks above.


    For details, see the Quick Start deployment guide.

  • Deployment details

    Review the design considerations for your AD FS implementation, and then build your highly available AWS environment in a few simple steps:

    1. Prepare your AWS account.
    2. Launch the Quick Start to deploy the Web Application Proxy and AD FS stack. You can choose one of the following options:
      Launch the Quick Start into a new VPC, if you want to build a new AWS infrastructure. (View template)
      -or-
      - Launch the Quick Start into an existing VPC that has AD DS and RDGW installed; for details, see the guide. (View template)
      The deployment takes approximately 1.5 hours.


    To customize your deployment, you can choose different instance types for your resources, and configure CIDR blocks and IP addresses.  

    For detailed deployment and configuration instructions, see the Quick Start deployment guide.

  • Cost and licenses

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. See the pricing pages for each AWS service you will be using or the AWS Simple Monthly Calculator for cost estimates.

    This Quick Start launches the Amazon Machine Image (AMI) for Windows Server 2012 R2. The AMI is updated on a regular basis with the latest service pack for the operating system, so you don't have to install any updates.

    AD FS and Web Application Proxy are server roles within Windows Server 2012 R2. The architecture deployed by this Quick Start does not require any additional licenses from Microsoft. The pay-as-you-go hourly cost for each EC2 instance covers your Windows Server license along with the Web Application Proxy and AD FS components.