Author: Dean Suzuki (Last Updated: 8/23/20)
The first step to building a Windows infrastructure in AWS is to build out the network infrastructure. In this lab, you will leverage an AWS Quick Start to build out a secure, highly available network infrastructure, shown below.
AWS has created a series of Quick Starts to help our customers deploy solutions quickly. The AWS Quick Start that you will be using can be found (here); it deploys the above network infrastructure and a Remote Desktop Gateway (RDGW) server.
Depending upon the amount of time available for the lab, the Quickstart may have been already deployed into your environment. Please check with the lab proctor.
AWS Quick Starts leverage AWS CloudFormation, which is AWS’s Infrastructure as Code (IaC) service that allows you to create infrastructure based upon a template (written in YAML or JSON). The template is uploaded to the CloudFormation service and it creates the infrastructure described in the template.
In order to secure access to your EC2 instances, AWS uses public/private key technology, which takes the form of an AWS key pair. With Windows instances, the key pair is used to obtain the administrator password via the Amazon EC2 console: the password is encrypted with the public key, and only the holder of the private key can decrypt it. In this section, you will create the key pair.
In the Key pair screen,
a. For Name, enter WinLab-KeyPair
b. For File format, select pem.
c. Press Create key pair
Important: AWS downloads the private key portion of the key pair. It will have a name like WinLab-KeyPair.pem. Be sure to save the PEM file and record its location. You will use this file later to decrypt the administrator password. You won’t be able to re-download this file later, and anyone who holds it can recover the administrator password, so store it securely.
In this section, you are going to get hands-on experience with AWS CloudFormation to build out the base network infrastructure.
In the Create stack screen, enter the values as shown below and click on Next.
Prepare Template: Template is ready
Template Source: Amazon S3 URL
Amazon S3 URL:
For the stack name, enter WinVPC.
For the Availability Zones, select us-east-1a and us-east-1b.
For VPC CIDR, Private Subnet 1 & 2 CIDR, and Public Subnet 1 & 2 CIDR, leave the default values.
For the Allowed Remote Desktop Gateway External Access CIDR, enter 0.0.0.0/0. This will allow any IP address to RDP into the RDP gateway. This is not a secure configuration and it is not recommended for a production deployment. We will go back and tighten this down after the CloudFormation stack has been deployed.
In the Key Pair Name, select the Key Pair that you created earlier (e.g. WinLab-KeyPair).
For the Remote Desktop Gateway Instance Type, leave the default (t2.large).
For the Number of RDGW Hosts, leave the default (1). Please note that the above diagram shows two RDGW hosts (one in each Availability Zone (AZ)). For the purposes of the lab, we are starting with one RDGW host to reduce the amount of time that the CloudFormation process takes to run. However, in the diagram you can see that the RDGW hosts are deployed into an Auto Scaling group. After the CloudFormation process finishes, you can examine the Auto Scaling group. Ask the instructor how Auto Scaling groups work. Auto Scaling groups are a key service that can provide scalability and availability to your application.
For Admin User Name, leave the default (StackAdmin).
For Admin Password, set a password that you will remember. Note the password complexity requirements: 8 characters minimum, and it needs letters, numbers, and symbols.
For Domain DNS Name, leave the default (example.com).
For the remaining options, leave the default values and click Next.
On the Configure Stack Options, review the options. Click Next.
On the Review WinVPC screen, review the settings. Check the two checkboxes and click Create Stack.
The template takes about 15 minutes to complete. During this time, we will review what the CloudFormation template is creating.
Once stack creation is completed, the status on the stack creation will change to CREATE_COMPLETE.
In this section, you got a glimpse of the power of Infrastructure as Code (IaC) and how it enables you to quickly and repeatably create infrastructure. With IaC, you can check the CloudFormation template into a code repository and have a history of your infrastructure. If you need to roll back to a previous version of your infrastructure, you can run the prior version of the CloudFormation template. If you need to deploy the infrastructure into a new environment, run the template in the new environment. For example, you could create the CloudFormation template in a Development environment. When you have debugged your template and are ready to deploy it to a Staging, Testing, or Production environment, you just need to run the CloudFormation template in that environment and you will have an exact implementation of the infrastructure as documented in your template.
We are going to tighten the security of the RDGW access.
When securing your application, you want to make sure to only open the ports that your application needs. In this example, you removed ports 3391 and 443, since you will not be using those ports in these labs. Also, you have locked down the access so that RDP and ICMP connections can only originate from your public IP address. Some customers lock down access so that RDP and ICMP connections can only originate from the public IP addresses of their corporate network. Please ask a question if this is not clear.
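The two security-group states described above (the 0.0.0.0/0 rules from stack creation, and the tightened rules for RDP and ICMP from your public IP only) can be checked programmatically. The following is an added example, not part of the original lab or the Quick Start: it audits a constructed record in the shape of `aws ec2 describe-security-groups` output and produces the tightened rule set. The group id, the admin IP, and the protocol used for the 3391 rule are placeholders.

```python
import ipaddress

# Constructed sample in the shape of `describe-security-groups` IpPermissions.
# It models the lab's state right after stack creation: RDP, 3391, 443 and ICMP
# all open to 0.0.0.0/0. Not captured from a real account; ids are placeholders.
RDGW_SG = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3391, "ToPort": 3391, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
NEEDED = {("tcp", 3389), ("icmp", -1)}    # what the lab keeps: RDP and ping
REMOVED = {("tcp", 3391), ("tcp", 443)}   # what the lab removes: ports not used here


def audit_rdgw_sg(sg, admin_ip):
    """Return findings for every rule broader than 'RDP and ICMP from admin_ip only'."""
    allowed = ipaddress.ip_network(f"{admin_ip}/32")
    findings = []
    for perm in sg["IpPermissions"]:
        key = (perm["IpProtocol"], perm.get("FromPort"))
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            label = f"{key[0]}/{key[1]} from {src}"
            if key in REMOVED:
                findings.append(f"unused port open: {label}")
            elif key not in NEEDED:
                findings.append(f"unexpected rule: {label}")
            elif src.version != allowed.version or not src.subnet_of(allowed):
                findings.append(f"source too broad: {label}")
    return findings


def tighten_rdgw_sg(sg, admin_ip):
    """Return a copy of the group with unused ports dropped and sources pinned to admin_ip/32."""
    keep = [dict(p, IpRanges=[{"CidrIp": f"{admin_ip}/32"}])
            for p in sg["IpPermissions"]
            if (p["IpProtocol"], p.get("FromPort")) in NEEDED]
    return {**sg, "IpPermissions": keep}


if __name__ == "__main__":
    admin = "203.0.113.10"  # documentation-range placeholder for "my public IP"
    for finding in audit_rdgw_sg(RDGW_SG, admin):
        print("FINDING:", finding)
    hardened = tighten_rdgw_sg(RDGW_SG, admin)
    print("after tightening:", audit_rdgw_sg(hardened, admin) or "no findings")
```

Against a live account you would feed the `IpPermissions` from the RDGW security group into the same function, with your actual public IP in place of the placeholder.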
You will next log in to the RDGW server using Remote Desktop Protocol (RDP). If you are connecting from a Windows computer, the RDP client should already be present. If you are using a Mac, please download the RDP client here.
You should be logged into the RDGW server. This is one approach to providing your administrator the ability to remote desktop into your AWS environment.
To recap, in this lab you learned about:
AWS Regions and Availability Zones
Virtual Private Cloud (VPC)
Public and Private Subnets
Infrastructure as Code (IaC)
How to secure your environment using Security Groups
How to RDP login to a Windows RDGW host
An architectural pattern for accessing your AWS environment using an RDGW host/jump server.
Although not specifically highlighted, the architecture that you deployed also included an Internet Gateway and Route Tables.
Please reflect on the above concepts and ask your lab facilitator if any of the above concepts are not clear.