Configure a remote desktop gateway for Windows server workloads
This Guidance demonstrates how to deploy Remote Desktop Gateway to the AWS Cloud. RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish an encrypted connection between remote users and Amazon Elastic Compute Cloud (Amazon EC2) instances running Microsoft Windows, without a virtual private network. This helps reduce attacks on your Windows-based instances while providing a remote administration solution for administrators. You can choose to deploy RD Gateway into a new virtual private cloud (VPC) in your AWS account, or into an existing VPC, either standalone or domain-joined.
Please note: [Disclaimer]
Architecture Diagram
[Architecture diagram description]
Step 1
Use the AWS CloudFormation template to deploy RD Gateway in a new or existing Amazon Virtual Private Cloud (Amazon VPC) spanning two Availability Zones with public and private subnets. Use the separate CloudFormation template to deploy Active Directory domain-joined (requiring an existing VPC) or non-domain joined Windows instances in the private subnets.
Step 2
AWS Secrets Manager securely stores credentials (such as username and password) used for accessing RD Gateway instances. Note: We strongly recommend enabling multi-factor authentication (MFA) on RD Gateway instances for additional security.
Step 3
AWS Systems Manager automates the deployment of the Amazon EC2 Auto Scaling group spanning the two public subnets by fetching username and password values from Secrets Manager and configuring RD Gateway instances.
Step 4
Each public subnet has up to four RD Gateway instances in an Auto Scaling group to provide secure remote access to instances in the private subnets. Each RD Gateway instance is assigned an Elastic IP address so that it’s reachable directly from the internet.
Step 5
An empty application tier for instances in the private subnets, including a security group for the instances, allows access to necessary RD Gateway ports.
Step 6
A Network Load Balancer allows remote access to the RD Gateway Auto Scaling group.
Step 7
An internet gateway allows access to the internet. This gateway is used by the RD Gateway instances to send and receive traffic.
Step 8
Managed network address translation (NAT) gateways allow outbound internet access for resources in the private subnets.
Step 9
An Amazon EventBridge resource removes decommissioned instances from the Active Directory domain.
Step 1
Use the AWS CloudFormation template to deploy RD Gateway in a new or existing Amazon Virtual Private Cloud (Amazon VPC) spanning two Availability Zones with public and private subnets. Use the separate CloudFormation template to deploy Active Directory domain-joined (requiring an existing VPC) or non-domain joined Windows instances in the private subnets.
Step 2
AWS Secrets Manager securely stores credentials (such as username and password) used for accessing RD Gateway instances. Note: We strongly recommend enabling multi-factor authentication (MFA) on RD Gateway instances for additional security.
Step 3
AWS Systems Manager automates the deployment of the Amazon EC2 Auto Scaling group spanning the two public subnets by fetching username and password values from Secrets Manager and configuring RD Gateway instances.
Step 4
Each public subnet has up to four RD Gateway instances in an Auto Scaling group to provide secure remote access to instances in the private subnets. Each RD Gateway instance is assigned an Elastic IP address so that it’s reachable directly from the internet.
Step 5
An empty application tier for instances in the private subnets, including a security group for the instances, allows access to necessary RD Gateway ports.
Step 6
A Network Load Balancer allows remote access to the RD Gateway Auto Scaling group.
Step 7
An internet gateway allows access to the internet. This gateway is used by the RD Gateway instances to send and receive traffic.
Step 8
Managed network address translation (NAT) gateways allow outbound internet access for resources in the private subnets.
Step 9
An Amazon EventBridge resource removes decommissioned instances from the Active Directory domain.
Well-Architected Pillars
The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
-
Operational ExcellenceRead the Operational Excellence whitepaper
CloudFormation templates describe your desired resources and their dependencies in a single stack and allow you to create, update, and delete an entire stack as a single unit, making it easy for you to manage cloud resources for the public and private subnets across Availability Zones.
Systems Manager centralizes operational data in a hub from multiple AWS services and automates tasks across your resources on AWS. It offers operations management for monitoring health and performance, application management to streamline operational workflows, change management to simplify operational changes to application configuration, and node management to accelerate troubleshooting and automate patching.
-
SecurityRead the Security whitepaper
Secrets Manager securely encrypts and centrally audits secrets in combination with fine-grained AWS Identity and Access Management (IAM) and resource-based policies. This protects access to your applications, services, and IT resources and enables you to meet regulatory and compliance requirements for data security and privacy. For additional security, enable MFA on RD Gateway instances.
The private subnet in Amazon VPC contains a security group for the instances to allow access to the necessary ports. Public subnets contain RD Gateway instances for secure remote access to instances in the private subnets. The public subnet has a direct route to an internet gateway allowing for access to the public internet; the private subnet has no direct route to an internet gateway and requires a NAT gateway to access the public internet.
-
ReliabilityRead the Reliability whitepaper
Network Load Balancer is capable of handling millions of requests per second while maintaining ultra-low latencies. It is also optimized to handle sudden and volatile traffic patterns while using a single static IP address per Availability Zone. Network Load Balancer operates at the connect level (Level 4) so you can load balance both TCP and UDP traffic, routing connections to targets, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, microservices, and containers.
-
Performance EfficiencyRead the Performance Efficiency whitepaper
Amazon EC2 Auto Scaling helps you ensure that you have the correct number of EC2 instances available to handle the load for your application. You create collections of EC2 instances called Auto Scaling groups. Amazon EC2 Auto Scaling makes sure your group always has the number of instances that you have specified to meet your desired capacity. If you specify scaling policies, then Amazon EC2 Auto Scaling can launch or terminate instances on demand as your application load increases or decreases.
-
Cost OptimizationRead the Cost Optimization whitepaper
Amazon EC2 Auto Scaling optimizes workload performance and cost by combining purchase options and instance types. This service lets you provision and automatically scale instances across purchase options, Availability Zones, and instance families in a single application to optimize scale, performance, and cost. You can include Amazon EC2 Spot instances with On-Demand and Reserved instances in a single Auto Scaling group to save up to 90 percent on compute.
-
SustainabilityRead the Sustainability whitepaper
Together, Amazon EC2 Auto Scaling and Network Load Balancer automatically scale in and out based on the elasticity of the workload traffic. An EventBridge resource removes decommissioned instances from the Active Directory domain. This architecture automatically adds and removes instances, effectively optimizing the workload’s environmental impact.
Implementation Resources
A detailed guide is provided to experiment and use within your AWS account. Each stage of building the Guidance, including deployment, usage, and cleanup, is examined to prepare it for deployment.
The sample code is a starting point. It is industry validated, prescriptive but not definitive, and a peek under the hood to help you begin.
Related Content
CloudFormation Remote Desktop Gateway
Remote Desktop Gateway on AWS
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.
References to third-party services or organizations in this Guidance do not imply an endorsement, sponsorship, or affiliation between Amazon or AWS and the third party. Guidance from AWS is a technical starting point, and you can customize your integration with third-party services when you deploy the architecture.