reference deployment

Web Application Proxy on AWS

Using AD FS for identity federation, SSO, reverse proxy, and pre-authentication

This Quick Start deploys Web Application Proxy and Active Directory Federation Services (AD FS) on the AWS Cloud.

AD FS is a Windows Server role that authenticates users and provides security tokens to applications or federated partner applications that trust AD FS.

The Web Application Proxy role on Windows Server makes AD FS accessible to external users by proxying requests without requiring VPN connectivity. You can also use Web Application Proxy to selectively publish and pre-authenticate connections to internal web applications, allowing users outside your organization to access those applications over the internet.
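As an added example (not code from the Quick Start, from AWS, or from Microsoft's documentation), the following PowerShell publishes an internal application through Web Application Proxy with AD FS pre-authentication and then lists any application that was published as pass-through, which skips pre-authentication. The URLs, the relying party name and the certificate thumbprint are placeholders you would replace with your own values.

```powershell
# Added example, not part of the Quick Start: publish an internal web app
# through Web Application Proxy with AD FS pre-authentication, then audit
# the proxy for applications published without pre-authentication.
# All names and URLs below are assumed placeholders.

Import-Module WebApplicationProxy

$externalUrl    = 'https://app.example.com/'       # placeholder, assumed
$backendUrl     = 'https://app.corp.internal/'     # placeholder, assumed
$rpName         = 'ExampleApp'                     # AD FS relying party trust, assumed
$certThumbprint = '0000000000000000000000000000000000000000'  # placeholder, assumed

# Require AD FS pre-authentication: the proxy forwards a request to the
# backend only after AD FS has issued a token for the relying party, so
# unauthenticated traffic from the internet never reaches the application.
Add-WebApplicationProxyApplication `
    -Name 'Example App' `
    -ExternalPreauthentication ADFS `
    -ExternalUrl $externalUrl `
    -ExternalCertificateThumbprint $certThumbprint `
    -BackendServerUrl $backendUrl `
    -ADFSRelyingPartyName $rpName

# Audit: applications published as PassThrough skip pre-authentication,
# so every external request reaches the backend unauthenticated.
# Flag any that exist so they can be reviewed.
$passThrough = Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalPreauthentication -eq 'PassThrough' }

if ($passThrough) {
    Write-Warning 'Applications published without pre-authentication:'
    $passThrough | Format-Table Name, ExternalUrl, BackendServerUrl -AutoSize
} else {
    Write-Output 'All published applications require AD FS pre-authentication.'
}
```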

The Quick Start includes AWS CloudFormation templates that automate the deployment of AD FS and Web Application Proxy, to provide seamless external access to web applications running in AWS.


This Quick Start was developed by AWS solutions architects.

What you'll build

Use this Quick Start to automatically set up the following on AWS:

  • A virtual private cloud (VPC) configured with public and private subnets across two Availability Zones.*
  • An internet gateway to provide access to the internet.*
  • In the public subnets, network address translation (NAT) instances for outbound internet access, and Remote Desktop Gateway (RD Gateway) instances in an Auto Scaling group for inbound remote administrative access.*
  • In the public subnets, Web Application Proxy servers to help provide secure inbound connectivity to web applications.
  • Elastic IP addresses associated with the instances in the public subnets.*
  • In the private subnets, Active Directory domain controllers, which act as enterprise certificate authorities (CAs) that issue the required SSL certificates to the AD FS infrastructure.*
  • In the private subnets, two AD FS servers running on Windows Server 2012 R2.

* The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks and prompts you for your existing VPC configuration.

How to deploy

Review the design considerations for your AD FS implementation, and then build your highly available AWS environment in a few steps:

  1. If you don't already have an AWS account, sign up at
  2. Launch the Quick Start. Each deployment takes about 1.5 hours. You can choose from two options:

To customize your deployment, you can choose different instance types for your resources, and configure CIDR blocks and IP addresses.

Cost and licenses

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using.

This Quick Start launches the Amazon Machine Image (AMI) for Microsoft Windows Server 2012 R2. The AMI is updated on a regular basis with the latest service pack for the operating system, so you don't have to install any updates.

AD FS and Web Application Proxy are server roles within Windows Server 2012 R2. The architecture deployed by this Quick Start does not require any additional licenses from Microsoft. The pay-as-you-go hourly cost for each EC2 instance covers your Windows Server license along with the Web Application Proxy and AD FS components.