Hybrid on-premises setup
In the hybrid on-premises setup, some of the resources used by Active Roles are in the cloud and the rest are on-premises.
NOTE:
- Currently, Active Roles supports AWS or Azure in combination with on-premises platforms.
- One Identity recommends that Active Roles and SQL Server be deployed in the same region.
- One Identity recommends setting up a Site-to-Site VPN between the cloud (Azure or AWS) and the on-premises network. A Site-to-Site VPN gateway connection connects your on-premises network to a cloud virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.
Site-to-Site VPN connection on Azure
Before you begin to create a Site-to-Site VPN connection on Azure, ensure the following:
- A compatible VPN device is available and the administrator can configure it.
- An externally facing public IPv4 address is available for the VPN device.
- You know the IP address ranges used in the on-premises network configuration, and they do not overlap with the address space you plan to use for the Azure virtual network (overlapping ranges cannot be routed across the tunnel).
- Choose the same location or region for all Azure resources.
Configuring a Site-to-Site VPN
- Create a resource group in the desired region.
- Create a virtual network with the required address space.
- Create a gateway subnet (it must be named GatewaySubnet) in that virtual network.
- Create a public IP address.
- Create the VPN gateway using the public IP address created above.
- Create the local network gateway using the public IP address of the on-premises VPN device, and specify the IP address space of the on-premises network.
- Configure your VPN device.
- Create the VPN connection under the local network gateway created above.
- Ensure that the shared key provided in the connection matches the key configured on the on-premises VPN device.
- Verify that the VPN connection status shows Connected.
For more information on creating a Site-to-Site VPN gateway connection from the on-premises network to the Azure VNet, see https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal.
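The ten steps above run end-to-end from a Windows administration host, as an added example that is not part of the Active Roles documentation or product. It uses the Az PowerShell module (Install-Module Az, then Connect-AzAccount) and assumes the resource names, address ranges and on-premises public IP given in the variables at the top; the pre-shared key is prompted for rather than stored in the script.

```powershell
# Added example, not from the Active Roles documentation: the Azure side of the
# Site-to-Site VPN procedure, scripted with the Az PowerShell module.
# Every name, address range and the on-premises public IP below is an assumed placeholder.
$ErrorActionPreference = 'Stop'

$rgName         = 'rg-activeroles-hybrid'   # assumed resource group name
$location       = 'westeurope'              # one region for all resources (assumed)
$vnetSpace      = '10.10.0.0/16'            # cloud address space (assumed)
$appSubnetSpace = '10.10.1.0/24'            # subnet for the Active Roles server (assumed)
$gwSubnetSpace  = '10.10.255.0/27'          # gateway subnet; the name GatewaySubnet is mandatory
$onPremPublicIp = '203.0.113.10'            # public IP of the on-premises VPN device (documentation range)
$onPremSpace    = '192.168.0.0/16'          # on-premises range reached through the tunnel (assumed)

# The pre-shared key must match the on-premises device; prompt for it instead of hard-coding it.
$sharedKey = Read-Host -Prompt 'IPsec pre-shared key (same value as on the on-premises device)'

# 1. Resource group.
New-AzResourceGroup -Name $rgName -Location $location | Out-Null

# 2./3. Virtual network with an application subnet and the mandatory GatewaySubnet.
$gwSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $gwSubnetSpace
$appSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-activeroles' -AddressPrefix $appSubnetSpace
$vnet = New-AzVirtualNetwork -Name 'vnet-activeroles' -ResourceGroupName $rgName -Location $location `
            -AddressPrefix $vnetSpace -Subnet $gwSubnet, $appSubnet

# 4. Public IP that the on-premises device will peer with.
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rgName -Location $location `
            -Sku Standard -AllocationMethod Static

# 5. Route-based VPN gateway on the GatewaySubnet (provisioning can take 30-45 minutes).
$gwSubnetRef = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwIpConfig  = New-AzVirtualNetworkGatewayIpConfig -Name 'vpngw-ipconfig' `
                   -SubnetId $gwSubnetRef.Id -PublicIpAddressId $pip.Id
$vpnGw = New-AzVirtualNetworkGateway -Name 'vpngw-activeroles' -ResourceGroupName $rgName -Location $location `
             -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# 6. Local network gateway = the on-premises side: its public IP and the address space behind it.
$localGw = New-AzLocalNetworkGateway -Name 'lgw-onprem' -ResourceGroupName $rgName -Location $location `
               -GatewayIpAddress $onPremPublicIp -AddressPrefix $onPremSpace

# 8./9. IPsec connection between the two gateways, pinned to IKEv2, with the shared key.
New-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rgName -Location $location `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $localGw `
    -ConnectionType IPsec -ConnectionProtocol IKEv2 -SharedKey $sharedKey | Out-Null

# 7. Configure the on-premises device with this peer address and the same key, then
# 10. poll the connection until it reports Connected.
"Azure VPN gateway public IP (configure this as the peer on the on-premises device): $($pip.IpAddress)"
do {
    Start-Sleep -Seconds 30
    $status = (Get-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rgName).ConnectionStatus
    "Connection status: $status"
} until ($status -eq 'Connected')
```

The script pins the connection to IKEv2 and reads the pre-shared key interactively so that it does not end up in a script repository; the same key must be entered on the on-premises device, and the status loop stays at NotConnected until that side is configured. The cloud and on-premises ranges in the variables are deliberately disjoint, which the checklist above requires.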
Configuring Active Roles with the on-premises domain controller
After the Site-to-Site VPN connection is set up and running, configure Active Roles with the on-premises domain controller.
Site-to-Site VPN connection on AWS
Before you begin to create a Site-to-Site VPN connection on AWS, ensure the following:
- A compatible VPN device is available and the administrator can configure it.
- An externally facing public IPv4 address is available for the VPN device.
- You know the IP address ranges used in the on-premises network configuration, and they do not overlap with the VPC address space (overlapping ranges cannot be routed across the tunnel).
- Choose the same location or region for all AWS resources.
Configuring a Site-to-Site VPN
- Create a Customer Gateway using the public IP address of the on-premises VPN device.
- Create a Virtual Private Gateway and attach it to the VPC.
- Enable route propagation in the route table.
- Update the Security Group.
- Create a Site-to-Site VPN connection by choosing the Customer Gateway and Virtual Private Gateway created above.
- After the VPN connection is available, click Download Configuration to download the configuration. Download the file with the following options:
- Configure the Customer Gateway/VPN device.
- Ensure that the AWS Site-to-Site VPN connection tunnel status displays UP.
For more information on creating a Site-to-Site VPN gateway connection from the on-premises network to AWS, see https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html.
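The AWS procedure above, scripted from a Windows administration host, as an added example that is not part of the Active Roles documentation or product. It uses AWS Tools for PowerShell (Install-Module AWS.Tools.EC2, then Set-AWSCredential and Set-DefaultAWSRegion) and assumes an existing VPC that hosts Active Roles; the resource IDs, address ranges, port list and on-premises public IP in the variables are placeholders.

```powershell
# Added example, not from the Active Roles documentation: the AWS side of the
# Site-to-Site VPN procedure, scripted with AWS Tools for PowerShell (AWS.Tools.EC2).
# The resource IDs, address ranges, ports and the on-premises public IP are assumed placeholders.
$ErrorActionPreference = 'Stop'

$vpcId          = 'vpc-0123456789abcdef0'   # existing VPC hosting Active Roles (assumed)
$routeTableId   = 'rtb-0123456789abcdef0'   # route table of the Active Roles subnet (assumed)
$sgId           = 'sg-0123456789abcdef0'    # security group of the Active Roles instance (assumed)
$onPremPublicIp = '203.0.113.10'            # public IP of the on-premises VPN device (documentation range)
$onPremSpace    = '192.168.0.0/16'          # on-premises range reached through the tunnel (assumed)
$inboundPorts   = @(3389)                   # TCP ports opened from on-premises; assumed, adjust to your deployment

# 1. Customer Gateway = the on-premises device. A BGP ASN is required even for static routing.
$cgw = New-EC2CustomerGateway -Type 'ipsec.1' -PublicIp $onPremPublicIp -BgpAsn 65000

# 2./3. Virtual Private Gateway attached to the VPC, with its routes propagated to the route table.
$vgw = New-EC2VpnGateway -Type 'ipsec.1'
Add-EC2VpnGateway -VpnGatewayId $vgw.VpnGatewayId -VpcId $vpcId | Out-Null
Enable-EC2VgwRoutePropagation -RouteTableId $routeTableId -GatewayId $vgw.VpnGatewayId

# 4. Security Group: admit only the on-premises range, and only the ports listed above.
$permissions = foreach ($port in $inboundPorts) {
    @{ IpProtocol = 'tcp'; FromPort = $port; ToPort = $port; IpRanges = $onPremSpace }
}
Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission $permissions

# 5. Static-route Site-to-Site VPN between the two gateways, with the on-premises range routed through it.
$vpn = New-EC2VpnConnection -Type 'ipsec.1' -CustomerGatewayId $cgw.CustomerGatewayId `
           -VpnGatewayId $vgw.VpnGatewayId -Options_StaticRoutesOnly $true
New-EC2VpnConnectionRoute -VpnConnectionId $vpn.VpnConnectionId -DestinationCidrBlock $onPremSpace

# 6. Equivalent of Download Configuration: the generic device configuration (tunnel endpoints
#    and pre-shared keys) is returned as XML. It contains secrets, so store it like a key file.
$vpn = Get-EC2VpnConnection -VpnConnectionId $vpn.VpnConnectionId
$vpn.CustomerGatewayConfiguration | Out-File -FilePath '.\vpn-config.xml' -Encoding utf8

# 7. Configure the device from that file, then
# 8. poll the tunnel telemetry until at least one tunnel reports UP.
do {
    Start-Sleep -Seconds 30
    $telemetry = (Get-EC2VpnConnection -VpnConnectionId $vpn.VpnConnectionId).VgwTelemetry
    $telemetry | ForEach-Object { 'Tunnel {0}: {1}' -f $_.OutsideIpAddress, $_.Status }
} until (@($telemetry | Where-Object { "$($_.Status)" -eq 'UP' }).Count -gt 0)
```

AWS creates two tunnels per connection; the loop accepts the connection once one of them is UP, so keep polling if you want both for redundancy. The security group rule is scoped to the on-premises range and an explicit port list rather than to 0.0.0.0/0, and the downloaded configuration file carries the IPsec pre-shared keys, which is why it should be handled as a secret rather than left in a working directory.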
After the Site-to-Site VPN is created and running, configure Active Roles with the on-premises domain controller.