Reference deployment

Web Application Proxy with AD FS on AWS

Configure external access to web applications

This solution deploys Web Application Proxy (WAP) and Active Directory Federation Services (AD FS) to the Amazon Web Services (AWS) Cloud. It's for organizations that want to provide seamless external access to their web applications running on AWS.

AD FS is a Windows Server role that authenticates users and provides security tokens to applications or federated partner applications that trust AD FS. The Web Application Proxy role on Windows Server proxies requests to AD FS so that it's accessible to external users, removing the need for virtual private network (VPN) connectivity. By selectively publishing and preauthenticating connections, you can manage access by users outside your corporate network to internal web applications.

This solution was developed by AWS.

What you'll build

This solution sets up the following:

    • A highly available architecture that spans two Availability Zones.*
    • A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • An internet gateway to provide access to the internet.*
    • In the public subnets:
      • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
      • Microsoft Remote Desktop Gateway (RD Gateway) instances in an Auto Scaling group to provide inbound remote administrative access.*
      • Web Application Proxy servers to provide secure inbound connectivity to web applications.
    • In the private subnets:
      • Two Active Directory domain controllers in a security group. These act as enterprise certificate authorities (CAs) to issue required SSL certificates to the AD FS infrastructure.
      • Two AD FS servers in a security group running on Windows Server 2022.

    The template that deploys the solution into an existing VPC skips the tasks marked by asterisks and prompts you for your existing VPC configuration.
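The tiering above (WAP in the public subnets, AD FS in the private subnets, RD Gateway for administration) only stays secure if the security groups enforce it. The following is an added example, not part of the AWS solution: a least-privilege check over security-group rules shaped like an EC2 DescribeSecurityGroups response. It assumes WAP reaches AD FS over HTTPS (TCP 443), RD Gateway uses RDP (TCP 3389), and uses placeholder group IDs; the sample rules are constructed.

```python
"""Least-privilege check for the WAP / AD FS security groups in this design (added example,
not part of the AWS solution). Assumptions the page does not state: WAP reaches AD FS over
HTTPS (TCP 443), RD Gateway administers both tiers over RDP (TCP 3389), and the group IDs
are constructed placeholders. Input is shaped like an EC2 DescribeSecurityGroups response."""
WAP_SG, ADFS_SG, RDGW_SG = "sg-wap-placeholder", "sg-adfs-placeholder", "sg-rdgw-placeholder"

# Intended inbound rules per tier as (protocol, from_port, to_port, source): AD FS in the
# private subnets is reachable only from the WAP tier, WAP in the public subnets publishes
# HTTPS to the internet, and RD Gateway gets RDP to both for administration.
EXPECTED = {
    ADFS_SG: {("tcp", 443, 443, WAP_SG), ("tcp", 3389, 3389, RDGW_SG)},
    WAP_SG: {("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 3389, 3389, RDGW_SG)},
}

def flatten(rule: dict):
    """Yield one (protocol, from, to, source) tuple per source in an IpPermissions entry."""
    proto = rule.get("IpProtocol")
    # "-1" means every protocol and port in the EC2 API; normalise it to the full range.
    lo, hi = (0, 65535) if proto == "-1" else (rule["FromPort"], rule["ToPort"])
    sources = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
               + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
               + [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])])
    for src in sources:
        yield (proto, lo, hi, src)

def check_groups(groups: list) -> list:
    """Return a finding per inbound rule outside the intended design; [] means compliant."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        if gid not in EXPECTED:
            continue  # tiers this check does not model, such as the domain controllers
        for rule in sg.get("IpPermissions", []):
            for proto, lo, hi, src in flatten(rule):
                if (proto, lo, hi, src) not in EXPECTED[gid]:
                    findings.append(f"{gid}: unexpected inbound {proto}/{lo}-{hi} from {src}")
    return findings

# Constructed sample: WAP is as intended, but the AD FS group has drifted to allow RDP from anywhere.
SAMPLE_GROUPS = [
    {"GroupId": WAP_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "UserIdGroupPairs": [{"GroupId": RDGW_SG}]}]},
    {"GroupId": ADFS_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "UserIdGroupPairs": [{"GroupId": WAP_SG}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": [{"GroupId": RDGW_SG}]}]},
]

if __name__ == "__main__":
    print("\n".join(check_groups(SAMPLE_GROUPS)) or "compliant")
```

In a real account the input would come from the DescribeSecurityGroups API call; the check itself needs no AWS access.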

How to deploy

To deploy this solution, follow the instructions in the deployment guide, which includes these steps.

    1. Sign in to your AWS account. If you don't have an account, sign up at https://aws.amazon.com.
    2. Complete the predeployment steps in the deployment guide.
    3. Launch the solution. The stack takes about 1.5 hours to deploy. Before you create the stack, choose the AWS Region from the top toolbar. You can choose from the following options:
    4. Complete the postdeployment steps in the deployment guide.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

Costs and licenses

You are responsible for the cost of the AWS services and any third-party licenses used while running this solution. There is no additional cost for using the solution.

    This solution includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, refer to the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy a solution, create AWS Cost and Usage Reports to track associated costs. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, refer to What are AWS Cost and Usage Reports?